AES-NI Support not enabled on AES-NI CPU with AES-NI enabled in BIOS
-
I'm running pfSense 2.4 on a SuperMicro X8STi-F motherboard, Xeon X5687 CPU (supports AES-NI: https://ark.intel.com/products/52578/Intel-Xeon-Processor-X5687-12M-Cache-3_60-GHz-6_40-GTs-Intel-QPI ), with AES-NI [Enabled] in the BIOS.
To get the AES-NI option in the BIOS, I first had to downgrade it first (R2.0 had AES-NI removed, running R1.0c).
However, now that I do have AES-NI support enabled in the BIOS, pfSense/FreeBSD does not recognize it.
[2.4.0-RELEASE][admin@pfSense.lan]/: dmesg | head -12 | tail -4 CPU: Intel(R) Xeon(R) CPU X5687 @ 3.60GHz (3582.07-MHz K8-class CPU) Origin="GenuineIntel" Id=0x206c2 Family=0x6 Model=0x2c Stepping=2 Features=0xbfebfbff <fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe>Features2=0x9ee3fd<sse3,dtes64,mon,ds_cpl,vmx,smx,est,tm2,ssse3,cx16,xtpr,pdcm,pcid,dca,sse4.1,sse4.2,popcnt></sse3,dtes64,mon,ds_cpl,vmx,smx,est,tm2,ssse3,cx16,xtpr,pdcm,pcid,dca,sse4.1,sse4.2,popcnt></fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe>
[2.4.0-RELEASE][admin@pfSense.lan]/: kldunload aesni [2.4.0-RELEASE][admin@pfSense.lan]/: kldload -v aesni Loaded aesni, id=6 [2.4.0-RELEASE][admin@pfSense.lan]/: dmesg | tail -2 padlock0: No ACE support. aesni0: No AESNI support.
Am I missing something here? Could it be something that I could fix without buying a different motherboard? Has anyone confirmed AES-NI support on a SuperMicro X8STi-F?
http://www.supermicro.com/products/motherboard/Xeon3000/X58/X8STi-F.cfm
-
This is a BIOS issue, nothing pfSense can do about it. Maybe if you contact Supermicro directly they can tell you more, or perhaps fix the BIOS.
-
Definitely a board or BIOS issue. It should be showing AESNI in the CPU features list and it isn't there.
-
what happens if you upgrade the bios? maybe they just took out the option to turn it off, since that's a silly option anyway. :)
-
If a the current BIOS revision doesn't have AES-NI it can be two things:
- They forgot it, oops! (could be a BIOS issue or a BIOS microcode/BSP package issue)
- They turned it off because they couldn't make it work (i.e. unsafe, unreliable, crashes)
-
try a different bios update
does windows 7/8/10 find it in cpu-z?