AES-NI Support not enabled on AES-NI CPU with AES-NI enabled in BIOS

  • I'm running pfSense 2.4 on a SuperMicro X8STi-F motherboard, Xeon X5687 CPU (supports AES-NI: ), with AES-NI [Enabled] in the BIOS.

    To get the AES-NI option in the BIOS, I first had to downgrade it first (R2.0 had AES-NI removed, running R1.0c).

    However, now that I do have AES-NI support enabled in the BIOS, pfSense/FreeBSD does not recognize it.

    [2.4.0-RELEASE][admin@pfSense.lan]/: dmesg | head -12 | tail -4
    CPU: Intel(R) Xeon(R) CPU           X5687  @ 3.60GHz (3582.07-MHz K8-class CPU) 
    Origin="GenuineIntel"  Id=0x206c2  Family=0x6  Model=0x2c  Stepping=2
    Features=0xbfebfbff <fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe>Features2=0x9ee3fd<sse3,dtes64,mon,ds_cpl,vmx,smx,est,tm2,ssse3,cx16,xtpr,pdcm,pcid,dca,sse4.1,sse4.2,popcnt></sse3,dtes64,mon,ds_cpl,vmx,smx,est,tm2,ssse3,cx16,xtpr,pdcm,pcid,dca,sse4.1,sse4.2,popcnt></fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe>
    [2.4.0-RELEASE][admin@pfSense.lan]/: kldunload aesni
    [2.4.0-RELEASE][admin@pfSense.lan]/: kldload -v aesni
    Loaded aesni, id=6
    [2.4.0-RELEASE][admin@pfSense.lan]/: dmesg | tail -2
    padlock0: No ACE support.
    aesni0: No AESNI support.

    Am I missing something here? Could it be something that I could fix without buying a different motherboard? Has anyone confirmed AES-NI support on a SuperMicro X8STi-F?

  • This is a BIOS issue, nothing pfSense can do about it. Maybe if you contact Supermicro directly they can tell you more, or perhaps fix the BIOS.

  • Rebel Alliance Developer Netgate

    Definitely a board or BIOS issue. It should be showing AESNI in the CPU features list and it isn't there.

  • what happens if you upgrade the bios? maybe they just took out the option to turn it off, since that's a silly option anyway. :)

  • If a the current BIOS revision doesn't have AES-NI it can be two things:

    • They forgot it, oops! (could be a BIOS issue or a BIOS microcode/BSP package issue)
    • They turned it off because they couldn't make it work (i.e. unsafe, unreliable, crashes)

  • try a different bios update

    does windows 7/8/10 find it in cpu-z?