Netgate Discussion Forum

    AES-NI required in future versions?

      rcfa

      I dimly remember reading somewhere, that the 2.4.x series is the last that will run on hardware without crypto instructions, i.e. AES-NI support.

      Now, recently one of my devices died, so I'm faced with the choice of either buying a new one, or simply running the routing aspect on a VM.

      The VM would be faster and cheaper than renting rack space, however the VM has no AES-NI support, at least none that pfSense recognizes.

      Problem is, will I be in a dead-end a few versions down the road, when I'm stuck with not being able to upgrade for lack of AES-NI in the VM?

        netblues

        What VM doesn't have AES-NI?
        And why is a VM a problem if the problem needs to be addressed sometime in the future?

          Gertjan

          Here pfSense 2.5 and AES-NI.

            jimp Rebel Alliance Developer Netgate

            It's not looking likely that we'll require AES-NI for 2.5, but we haven't even started work on 2.5 yet. Even IF it's a requirement, it would be at least a year past the 2.5 release before support stopped.

            https://www.reddit.com/r/PFSENSE/comments/9t25jr/love_pfsense_beware_of_netgate_hardware/e8tk6w2/

              motific @jimp

              @jimp - thanks for that update. I have a feeling the edited highlights of your reddit feed may become my Christmas reading list.

                rcfa @netblues

                @netblues said in AES-NI required in future versions?:

                What VM doesn't have AES-NI?
                And why is a VM a problem if the problem needs to be addressed sometime in the future?

                It's an issue, because I right now must decide between getting new hardware (old one broken), or a much more cost effective cloud solution, which however doesn't seem to support AES-NI.
                As for what VM exactly that is, I don't know, it's a third party cloud service. Here's what pfSense reports:

                BIOS Vendor: Seabios
                Version: 0.5.1
                Release Date: Mon Jan 1 2007
                Version 2.4.4-RELEASE-p1 (amd64)
                built on Mon Nov 26 11:40:26 EST 2018
                FreeBSD 11.2-RELEASE-p4

                The system is on the latest version.
                Version information updated at Fri Dec 21 16:58:09 UTC 2018
                CPU Type QEMU Virtual CPU version (cpu64-rhel6)
                2 CPUs: 2 package(s)
                AES-NI CPU Crypto: No
                Kernel PTI Enabled

                  tsmalmbe

                  I am running this on Proxmox and true AMD processors, and if that is your case too, the trick you won't find in any blog or FAQ is this:

                  Westmere E56xx/L56xx/X56xx (Nehalem-C)
                  4 CPUs: 1 package(s) x 4 core(s)
                  AES-NI CPU Crypto: Yes (active)

                  Force the CPU into Westmere mode - yes, although the CPU is true AMD, voila, the AES-NI will be recognized.

                  Security Consultant at Mint Security Ltd - www.mintsecurity.fi

                    netblues @rcfa

                    @rcfa said in AES-NI required in future versions?:

                    @netblues said in AES-NI required in future versions?:

                    What VM doesn't have AES-NI?
                    And why is a VM a problem if the problem needs to be addressed sometime in the future?

                    It's an issue, because I right now must decide between getting new hardware (old one broken), or a much more cost effective cloud solution, which however doesn't seem to support AES-NI.
                    As for what VM exactly that is, I don't know, it's a third party cloud service. Here's what pfSense reports:

                    BIOS Vendor: Seabios
                    Version: 0.5.1
                    Release Date: Mon Jan 1 2007
                    Version 2.4.4-RELEASE-p1 (amd64)
                    built on Mon Nov 26 11:40:26 EST 2018
                    FreeBSD 11.2-RELEASE-p4

                    The system is on the latest version.
                    Version information updated at Fri Dec 21 16:58:09 UTC 2018
                    CPU Type QEMU Virtual CPU version (cpu64-rhel6)
                    2 CPUs: 2 package(s)
                    AES-NI CPU Crypto: No
                    Kernel PTI Enabled

                    This is an old CentOS KVM. Newer versions do support AES-NI for pf.

                    User admin@192.168.127.9 (Local Database)
                    System pfSense
                    Netgate Device ID: 80ac1f808c8db45cd977
                    BIOS Vendor: Seabios
                    Version: 0.5.1
                    Release Date: Sat Jan 1 2011
                    Version 2.4.4-RELEASE-p1 (amd64)
                    built on Mon Nov 26 11:40:26 EST 2018
                    FreeBSD 11.2-RELEASE-p4

                    The system is on the latest version.
                    Version information updated at Sat Dec 22 14:20:42 EET 2018
                    CPU Type Westmere E56xx/L56xx/X56xx (IBRS update)
                    4 CPUs: 4 package(s)
                    AES-NI CPU Crypto: Yes (active)
                    Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
                    Kernel PTI Enabled
                    Uptime 12 Days 07 Hours 40 Minutes 03 Seconds
                    Current date/time
                    Sat Dec 22 15:04:55 EET 2018

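The two dashboards above differ only in the CPU model the hypervisor presents to the guest, which decides whether the AES-NI CPUID bit is passed through. As an added example that is not part of any post in this thread, this script reads the `Features2=` line FreeBSD logs at boot (CPUID leaf 1, ECX) and tests bit 25, the AES-NI flag; the function names are hypothetical and both boot-log excerpts are constructed samples.

```shell
#!/bin/sh
# Added example: does this FreeBSD/pfSense guest see the AES-NI CPUID flag?
# The kernel logs CPUID leaf 1 ECX as "Features2=0x...<...>" at boot;
# AES-NI is bit 25 of that word (mask 0x02000000).

AESNI_MASK=0x02000000

# stdin: boot log text. Prints yes / no / unknown (no Features2 line found).
aesni_from_bootlog() {
    hex=$(sed -n 's/^[[:space:]]*Features2=\(0x[0-9A-Fa-f]\{1,\}\)<.*/\1/p' | head -n 1)
    if [ -z "$hex" ]; then
        echo unknown
    elif [ $(( $hex & $AESNI_MASK )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# stdin: boot log text. Prints the CPU model string the hypervisor presented.
cpu_model_from_bootlog() {
    sed -n 's/^CPU: \(.*\)$/\1/p' | head -n 1
}

# Constructed sample boot-log excerpts (not copied from the thread).
SAMPLE_GENERIC='CPU: QEMU Virtual CPU version (cpu64-rhel6) (2400.00-MHz K8-class CPU)
  Features2=0x80202001<SSE3,CX16,x2APIC,HV>'
SAMPLE_WESTMERE='CPU: Westmere E56xx/L56xx/X56xx (Nehalem-C) (2400.00-MHz K8-class CPU)
  Features2=0x82b82203<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,x2APIC,POPCNT,AESNI,HV>'

# Print "<model> -> AES-NI exposed to guest: <yes|no|unknown>" for one log.
report() {
    printf '%s -> AES-NI exposed to guest: %s\n' \
        "$(printf '%s\n' "$1" | cpu_model_from_bootlog)" \
        "$(printf '%s\n' "$1" | aesni_from_bootlog)"
}

report "$SAMPLE_GENERIC"
report "$SAMPLE_WESTMERE"
# On a live system: aesni_from_bootlog < /var/run/dmesg.boot
```

A "no" here means the flag is masked before the guest boots, so it has to be changed in the hypervisor's CPU model setting rather than inside pfSense.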
                      rcfa @tsmalmbe

                      @tsmalmbe @netblues Thanks. I'm not in charge of configuring the actual host system or hypervisor, so I likely can't do that.
                      But it's very useful to know this exists for future reference, and maybe the hosting provider can use this, too.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.