Hardware Crypto Support Missing AES-GCM?

tman222

Hi all,

I recently upgraded to 23.05 from 23.01 on an Intel Xeon D-1518 based system and enabled Enable IPsec Multi-Buffer (IPsec-MB) Cryptographic Acceleration and rebooted.

In the Dashboard under the CPU Type section I now see:

AES-NI CPU Crypto: Yes (active)
IPsec-MB Crypto: Yes (active)
QAT Crypto: No

Then under the Hardware Crypto section I see:

AES-CBC,AES-CCM,ChaCha20-Poly1305,AES-ICM,AES-XTS

Shouldn't AES-GCM be listed as well or is that only hardware supported if there is QAT support? Thanks in advance for your help.

tman222

Looks like I see the same on another system as well that has been upgraded to 23.05 and IPsec-MB support has been enabled - this one has an Intel i3-10100 CPU.

SteveITS

@tman222 FWIW, on a Netgate 2100:

CPU Type 	ARM Cortex-A53 r0p4
2 CPUs :
IPsec-MB Crypto: Yes (inactive)
SafeXcel Crypto: Yes (active)
Hardware crypto 	AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS,SHA1,SHA256,SHA384,SHA512

tman222

Thanks @SteveITS - if you enable IPsec-MB how does the Hardware Crypto list change?

SteveITS

@tman222 It's there just not in use by anything. On the 2100 there are only two options for crypto:

I can't set to None because it requires a reboot and my wife's in a video meeting.

I understand my post may not be particularly helpful for your issue. :)

mcury

Just for comparison purposes, this is a SG-4100:

tman222

Thanks guys!

I went ahead and ran dmesg | grep aes and see the following on both systems:

aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS>

So it does look like AES-GCM is supported. Any idea why it is not showing up in the UI under Hardware Crypto? Is there any other way to check to see if it's properly supported/enabled (in case this is just a UI bug)? Thanks again.

tman222

Cryptographic options currently enabled on both systems:

mcury

@tman222 said in Hardware Crypto Support Missing AES-GCM?:

So it does look like AES-GCM is supported. Any idea why it is not showing up in the UI under Hardware Crypto? Is there any other way to check to see if it's properly supported/enabled (in case this is just a UI bug)? Thanks again.

Try this: /usr/bin/openssl engine -t -c

More info: https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html

tman222

@mcury - thanks for the suggestion, but unfortunately running that command didn't show too much beyond that the /dev/crypto and Intel RDRAND engines are available.

I also ran kldstat and see that the aesni.ko, iimb.ko, and cryptodev.ko modules are loaded.

Could this be UI bug? Is there any other way to check? Thanks again.

mcury

@tman222 said in Hardware Crypto Support Missing AES-GCM?:

Could this be UI bug? Is there any other way to check? Thanks again.

I think so.
I've also upgraded from 23.01 to 23.05 and the IPsec MB wasn't showing.

After that upgrade, I decided to use a SSD and not the eMMC, I had to reinstall my system, so did a 23.05 clean install.

After that, IPsec MB became available in the GUI.

So, not sure if this is a bug but after a clean 23.05 install, GUI started to show the other options.

Here is what jimp said about this:
https://forum.netgate.com/topic/180341/surprise-swap-and-ipsec-mb-crypto?_=1685031490197

tman222

Thanks @mcury - I'll wait for others to hopefully chime in on this as well, otherwise I'll go ahead and raise a ticket on Redmine.

@jimp @stephenw10 - any ideas on this?

Thanks again for your help.

pst

@tman222 I think I found the problem.

In /usr/local/www/includes/functions.inc.php, function crypto_accel_get_algs() the code to handle duplicates in the arrays seems to be broken, which leads to exclusion of algorithms that are included in both CPU and IIMB. That the algorithms comes out unsorted is also an indication the logic is broken.

I changed the function to look like this, which works as expected. Unfortunately I can't provide a diff as I forgot to take a backup...

function crypto_accel_get_algs($crypto)
{
        $algs = [];

        foreach ($crypto['accel'] as $accel) {
                /* skip these... */
                if (!$accel['present'] || !$accel['enabled'])
                        continue;

                $algs = array_merge($algs, $accel['algs']);
        }

        /* return early */
        if (empty($algs))
                return (gettext('Inactive'));

        /* sort alphabetically */
        ksort($algs);

        /* now flip back so keys become values, done twice to remove duplicates */
        $algs = array_flip($algs);
        $algs = array_flip($algs);

        /* format and return the algs string */
        return (implode(',', $algs));
}

GUI now shows:

tman222

Thanks @pst - this look like it could be fixed via simple patch to that PHP function. Do you want to go ahead and raise a Redmine bug report on this (since you already figured out the fix) so that the Netgate developers can see it? Thanks again.

pst

@tman222 Yes, I can create a bug report

tman222

@pst said in Hardware Crypto Support Missing AES-GCM?:

@tman222 Yes, I can create a bug report

Thanks @pst - can you post the link here to the Redmine ticket once done? Thanks again for all your help with figuring this out.

pst

@tman222 https://redmine.pfsense.org/issues/14417

jackyaz

Thanks for this! I've created a patch file here in case it helps anyone!

https://gist.githubusercontent.com/jackyaz/1fc79ab30dba254af73a85e48551a1e4/raw/e3f241e8109904196d6563bb000042d521bccbc6/crypto_algs_dashboard.patch