How to find out if my CPU is AES-NI capable ?



  • How to find out if my CPU is AES-NI capable ?

    I am using Linux. Which command should I use ?



  • cat /proc/cpuinfo



  • @Pippin:

    cat /proc/cpuinfo

    Sorry I made a mistake while asking the question. I use LInux on the client PC. I am using pfSense on the router. How do I find out if my  CPU is  AES-NI capable from the pfSense web interface ?



  • dmesg | grep -i cpu

    In my case AMD GX-412TC

    Then enter 'AMD GX-412TC info' into Google, should give you all the info you need.



  • @marjohn56:

    dmesg | grep -i cpu

    In my case AMD GX-412TC

    Then enter 'AMD GX-412TC info' into Google, should give you all the info you need.

    I am a total newbie. Where do I type

    dmesg | grep -i cpu
    ```??


  • If you have enabled ssh you can shell into pfsense and run it from there or you can run it from Diagnostics/Command Prompt.



  • @marjohn56:

    If you have enabled ssh you can shell into pfsense and run it from there or you can run it from Diagnostics/Command Prompt.

    This is the output

     CPU: AMD Athlon(tm) 64 X2 Dual Core Processor 5600+ (2913.32-MHz K8-class CPU)
    FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
     cpu0 (BSP): APIC ID:  0
     cpu1 (AP): APIC ID:  1
    cpu0: <acpi cpu="">on acpi0
    cpu1: <acpi cpu="">on acpi0
    powernow0: <powernow! k8="">on cpu0
    powernow1: <powernow! k8="">on cpu1
    SMP: AP CPU #1 Launched!</powernow!></powernow!></acpi></acpi> 
    

    Googled and found this info

    http://www.cpu-world.com/CPUs/K8/AMD-Athlon%2064%20X2%205600+%20-%20ADA5600IAA6CZ%20(ADA5600CZBOX).html

    Cant find AES-NI anywhere so its not AES-NI capable ? Or do I need to do more searching ?



  • @security_paranoid:

    Cant find AES-NI anywhere so its not AES-NI capable ? Or do I need to do more searching ?

    It's an old proc, see this on wiki.

    https://en.wikipedia.org/wiki/AES_instruction_set



  • @marjohn56:

    @security_paranoid:

    Cant find AES-NI anywhere so its not AES-NI capable ? Or do I need to do more searching ?

    It's an old proc, see this on wiki.

    https://en.wikipedia.org/wiki/AES_instruction_set

    Thanks for that link.

    Just curious what will you do when pfSense drops support for non AES-NI processors ?

    WIll you buy new hardware or move to a different firewall ? I am really frustrated with this development.



  • Mine supports it. PCEngines APU2C4



  • @marjohn56:

    Mine supports it. PCEngines APU2C4

    You are really lucky. I guess I will have to move to IPcop.



  • Or just replace your hardware.

    Pfsense 2.4 and previous versions will still work anyway.



  • @marjohn56:

    Or just replace your hardware.

    Pfsense 2.4 and previous versions will still work anyway.

    I don't have the cash right now. If I run an old version of pfSense dont you think that will be a security risk?



  • @security_paranoid:

    @marjohn56:

    Or just replace your hardware.

    Pfsense 2.4 and previous versions will still work anyway.

    I don't have the cash right now. If I run an old version of pfSense dont you think that will be a security risk?

    No I don't, Quote "The purpose of the instruction set is to improve the speed of applications performing encryption and decryption using the Advanced Encryption Standard (AES)"

    In other words it speeds up certain functions, the same functions are still carried in software/firmware if you do not have AES, it's just more processor intensive.

    Using AES you can do away with those software/firmware routines and it's all handled by the processor.

    Even if you cannot upgrade to 2.5 pfSense will still be secure.



  • There is still some considerable time until 2.5 is here and 2.4 is no longer supported, by which time you may be able to upgrade.



  • @fredfox_uk:

    There is still some considerable time until 2.5 is here and 2.4 is no longer supported, by which time you may be able to upgrade.

    Thats good news.


  • Banned

    At least in 2.4.0 BETA, you just look on your dashboard now  8).

    Cost wise this requirement has (IMO) been blown way out of proportion where home users are concerned.

    Very few home users have any need for a CPU exceeding the capabilities of a modern SoC celeron.
    You can pick those up new today for $55 (that's motherboard + CPU), so in 2-3 years when this requirement is actually relevant, you will probably be able to pick one up for <$30.

    For those home users that do need a powerful system, AES-NI has been around for something like a decade now. eBay is literally full of old SFF desktops from office buildings.

    http://www.ebay.com/itm/Lenovo-ThinkCentre-M91p-SSF-i5-2400-3-1GHz-8-GB-500GB-Windows-10-Free-Ship-/252930866220?hash=item3ae3dabc2c:g:Jd0AAOSwaeRZEzw-

    Just going off the CPU I use on pfSense and a quick eBay search, $120 gets you an i5-2400 (virtually the same passmark as an i3-7100[not that passmark is a great comparison, but you get the general idea]) with 8GB RAM and a HDD. Add $15 for an i340-t2 and you're set for probably 95%+ of home use scenarios for pfSense. This of course assumes that you are starting out with nothing, and it's today's prices. These things aren't getting more expensive.

    All that is to say that you do not need to spend a lot of money to get AES-NI, it's old tech by now.



  • Banned

    @security_paranoid:

    Thanks for that link.

    Just curious what will you do when pfSense drops support for non AES-NI processors ?

    WIll you buy new hardware or move to a different firewall ? I am really frustrated with this development.

    Well my hope is they will change their mind, because it's clearly an incorrect decision. After that, My first plan is to hack it in there, because the developers would have to go out of their way to remove support, so it shouldn't be too hard to add it back in. The second is to move to another firewall. It's too bad, I wanted to support the project via Gold, and was literally going to buy it the week the news hit.


  • Banned

    You would go to all that effort to avoid spending a few bucks on a cpu from the last decade?



  • Bizarre…

    It's called evolution...



  • @security_paranoid:

    Just curious what will you do when pfSense drops support for non AES-NI processors ?

    WIll you buy new hardware…

    Yes of course, but only when I need to.



  • @security_paranoid:

    I don't have the cash right now.

    Well you have about 2 years or so to save up so start saving.



  • @security_paranoid:

    I don't have the cash right now.

    That's not a problem because you don't need it now. You have years to save up for more modern hardware.

    Why are you worrying now about something that will happen in a pretty distant future? Your (and mine) old firewall hardware may already have failed and been replaced when the lack of AES-NI is even starting to become an issue.

    Relax!


  • Galactic Empire Netgate

    @apple4ever:

    It's too bad, I wanted to support the project via Gold, and was literally going to buy it the week the news hit.

    Buy a supported CPU instead.



  • 2 years is long enough for me to but new hardware.

    Thanks for your replies.