AES Active although not enabled
-
Hi,
Very new to Pfsense, so please excuse this question if it sounds silly.
My dashboard shows:
AES-NI CPU Crypto: Yes (active)
Although I haven't enabled it in System, Advanced, Misc, Cryptographic Hardware, which is set to None.
It was like this on install. Is this usual? As I needed to set this before, but for some reason it's showing active without me changing any setting after a fresh install. Pfsense 2.5.2.
Any help or opinion will be appreciated.
-
That only shows that the aes-ni driver module is loaded. It may not be actually in use.
The module is not unloaded if you set crypto hardware to none until the firewall is rebooted. Unless you manually unload it with kldunload.
Steve
-
@stephenw10 Thanks for your response, I got confused as on prior installs, I had to set it in System, Advanced, Misc, Cryptographic Hardware. As it wouldn't say Active until I changed the setting. But on this install it was automatically doing it. Really appreciate your response.
-
Hmm, well you can check the status of the module at the command line:
[2.5.2-RELEASE][admin@t70.stevew.lan]/root: kldstat
Id Refs Address Size Name
1 16 0xffffffff80200000 3aea720 kernel
2 1 0xffffffff83ceb000 61c0 ichsmb.ko
3 3 0xffffffff83cf2000 2ef0 smbus.ko
4 1 0xffffffff83cf5000 2e60 smb.ko
5 1 0xffffffff83cf8000 1ae8 mdio.ko
6 1 0xffffffff83f21000 1000 cpuctl.ko
7 1 0xffffffff83f22000 8cb0 aesni.ko
8 1 0xffffffff83f2b000 b28 coretemp.ko
-
Id Refs Address Size Name
1 15 0xffffffff80200000 3aea720 kernel
2 1 0xffffffff83ceb000 ee98 aesni.ko
3 1 0xffffffff83cfb000 3bb7f0 zfs.ko
4 2 0xffffffff840b7000 a448 opensolaris.ko
5 1 0xffffffff844e6000 1000 cpuctl.ko
I don't know what any of this means but going to try and figure out what I'm looking at.
-
It's a list of the loaded kernel modules and it shows the aes-ni module is loaded. That's what the dashboard script looks at to determine whether or not to show 'active'.
Normally that module is not loaded at boot unless you have selected AES-NI for hardware crypto. But, as I said, it is not unloaded if you deselect it until you reboot.
Selecting it adds a line to /boot/loader.conf. However, if you have the custom file /boot/loader.conf.local you might have a line loading it there even if it's not selected in the GUI.
Steve
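The check described in the reply above, as an added example that is not part of the original thread: it reads kldstat output to see whether aesni.ko is loaded, then looks in the loader files for the line that would load it at boot. The function names are hypothetical, and the `aesni_load="YES"` form is the standard FreeBSD loader.conf convention, assumed here because the thread does not quote the line.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# module_loaded NAME: reads `kldstat` output on stdin, succeeds if NAME is listed.
module_loaded() {
    awk -v m="$1" '$NF == m { found = 1 } END { exit !found }'
}

# loader_setting MODULE FILE: prints the last uncommented value assigned to
# MODULE_load in FILE (e.g. YES), or nothing if the file or line is absent.
loader_setting() {
    [ -r "$2" ] || return 0
    sed -n "s/^[[:space:]]*${1}_load=\"\{0,1\}\([A-Za-z]*\)\"\{0,1\}.*/\1/p" "$2" | tail -n 1
}

# explain_aesni FILE...: kldstat output on stdin, loader files as arguments in
# the order the loader reads them (assumption: later files override earlier ones).
explain_aesni() {
    if module_loaded aesni.ko; then state="loaded"; else state="not loaded"; fi
    src="none"
    for f in "$@"; do
        case "$(loader_setting aesni "$f" | tr '[:lower:]' '[:upper:]')" in
            YES) src="$f" ;;
            NO)  src="none" ;;
        esac
    done
    # "loaded" with source "none" means the module was loaded after boot and
    # will stay until a reboot or a manual kldunload.
    echo "aesni.ko: $state; boot-time load line: $src"
}

# On the firewall itself, run against the live system.
if command -v kldstat >/dev/null 2>&1; then
    kldstat | explain_aesni /boot/loader.conf /boot/loader.conf.local
fi
```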
-
@stephenw10 Thanks Steve for your help, it's much appreciated.
jkaay