pfsense on Hyper-V and hardware crypto

kiokoman

yes you should select that

Hammer8

Thanks...is RDRAND the same as AES-NI? On some forums it says there should be an option for “AES-NI CPU-based Acceleration“

Thank you!

kiokoman

no it's not the same, RDRAND returns random numbers that are supplied by a cryptographically secure, Deterministic Random Bit Generator (DRBG).
to make it short it's a random number generator.
you can check for AESNI presence from the terminal/console for example with

dmesg | head -12 | tail -4

CPU: Westmere E56xx/L56xx/X56xx (IBRS update) (2393.99-MHz K8-class CPU)
Origin="GenuineIntel" Id=0x206c1 Family=0x6 Model=0x2c Stepping=1
Features=0xf83fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,SSE2,SS>
Features2=0x83ba2223<SSE3,PCLMULQDQ,VMX,SSSE3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,TSCDLT,AESNI,HV>

if it is present it will automatically be used by openssl

Hammer8

Maybe it’s because I’m running it as a hyper-v guest, but when I do that, I get :

SRAT: Ignoring memory at addr 0x100000000
SRAT: Ignoring memory at addr 0x1000000000
SRAT: Ignoring memory at addr 0x10000200000
SRAT: Ignoring memory at addr 0x20000200000

kiokoman

dmesg | grep AESNI -a5

Hammer8

Awesome thanks! AES-NI is listed under features2 and so it’s being used even though that’s not an option I select under the openvpn client setup?

kiokoman

yup,
you can test it with
AES-NI enable:

openssl speed -elapsed -evp aes-128-ecb

AES-NI disabled

env OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc

Hammer8

Thank you for your patience! If I run the second command line to test the Disabled speed, do I need to do anything to revert back to enabled?

kiokoman

yes sorry, reboot or a simple

env OPENSSL_ia32cap=""

will do the trick

Hammer8

Thank you!