AES-NI required in future versions?



  • I dimly remember reading somewhere that the 2.4.x series is the last that will run on hardware without crypto instructions, i.e. AES-NI support.

    Now, recently one of my devices died, so I'm faced with the choice of either buying a new one or simply running the routing aspect on a VM.

    The VM would be faster and cheaper than renting rack space; however, the VM has no AES-NI support, at least none that pfSense recognizes.

    The problem is, will I be in a dead end a few versions down the road, stuck without being able to upgrade for lack of AES-NI in the VM?



  • What VM doesn't have AES-NI?
    And why is a VM a problem if the problem needs to be addressed sometime in the future?




  • Rebel Alliance Developer Netgate

    It's not looking likely that we'll require AES-NI for 2.5, but we haven't even started work on 2.5 yet. Even IF it's a requirement, it would be at least a year past the 2.5 release before support stopped.

    https://www.reddit.com/r/PFSENSE/comments/9t25jr/love_pfsense_beware_of_netgate_hardware/e8tk6w2/



  • @jimp - thanks for that update. I have a feeling the edited highlights of your reddit feed may become my Christmas reading list.



  • @netblues said in AES-NI required in future versions?:

    What VM doesn't have AES-NI?
    And why is a VM a problem if the problem needs to be addressed sometime in the future?

    It's an issue because right now I must decide between getting new hardware (the old one is broken) or a much more cost-effective cloud solution, which however doesn't seem to support AES-NI.
    As for exactly what VM that is, I don't know; it's a third-party cloud service. Here's what pfSense reports:

    BIOS Vendor: Seabios
    Version: 0.5.1
    Release Date: Mon Jan 1 2007
    Version 2.4.4-RELEASE-p1 (amd64)
    built on Mon Nov 26 11:40:26 EST 2018
    FreeBSD 11.2-RELEASE-p4

    The system is on the latest version.
    Version information updated at Fri Dec 21 16:58:09 UTC 2018
    CPU Type QEMU Virtual CPU version (cpu64-rhel6)
    2 CPUs: 2 package(s)
    AES-NI CPU Crypto: No
    Kernel PTI Enabled



  • I am running this on Proxmox and true AMD processors, and if that is your case too, the trick you won't find in any blog or FAQ is this:

    Westmere E56xx/L56xx/X56xx (Nehalem-C)
    4 CPUs: 1 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (active)

    Force the CPU into Westmere mode. Yes, although the CPU is true AMD, voilà, AES-NI will be recognized.



  • @rcfa said in AES-NI required in future versions?:

    @netblues said in AES-NI required in future versions?:

    What VM doesn't have AES-NI?
    And why is a VM a problem if the problem needs to be addressed sometime in the future?

    It's an issue because right now I must decide between getting new hardware (the old one is broken) or a much more cost-effective cloud solution, which however doesn't seem to support AES-NI.
    As for exactly what VM that is, I don't know; it's a third-party cloud service. Here's what pfSense reports:

    BIOS Vendor: Seabios
    Version: 0.5.1
    Release Date: Mon Jan 1 2007
    Version 2.4.4-RELEASE-p1 (amd64)
    built on Mon Nov 26 11:40:26 EST 2018
    FreeBSD 11.2-RELEASE-p4

    The system is on the latest version.
    Version information updated at Fri Dec 21 16:58:09 UTC 2018
    CPU Type QEMU Virtual CPU version (cpu64-rhel6)
    2 CPUs: 2 package(s)
    AES-NI CPU Crypto: No
    Kernel PTI Enabled

    This is an old CentOS KVM. Newer versions do support AES-NI for pf.

    User admin@192.168.127.9 (Local Database)
    System pfSense
    Netgate Device ID: 80ac1f808c8db45cd977
    BIOS Vendor: Seabios
    Version: 0.5.1
    Release Date: Sat Jan 1 2011
    Version 2.4.4-RELEASE-p1 (amd64)
    built on Mon Nov 26 11:40:26 EST 2018
    FreeBSD 11.2-RELEASE-p4

    The system is on the latest version.
    Version information updated at Sat Dec 22 14:20:42 EET 2018
    CPU Type Westmere E56xx/L56xx/X56xx (IBRS update)
    4 CPUs: 4 package(s)
    AES-NI CPU Crypto: Yes (active)
    Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
    Kernel PTI Enabled
    Uptime 12 Days 07 Hours 40 Minutes 03 Seconds
    Current date/time
    Sat Dec 22 15:04:55 EET 2018
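The Westmere trick from the two posts above, as an added example that is not part of the thread: a small POSIX shell script that tells you whether the guest actually sees AES-NI (Linux via /proc/cpuinfo, pfSense/FreeBSD via the aesni(4) device sysctl that only exists when the driver attached) and prints the host-side commands that change the presented CPU model. The flag sets are constructed samples; VMID 100 is a placeholder, and the libvirt equivalent is my addition, not something from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether the guest CPU exposes AES-NI
# and shows the hypervisor settings that present the Westmere model to a guest.

# Print "yes" if an x86 flags line (Linux /proc/cpuinfo "flags" format) lists aes.
aesni_from_flags() {
    # Exact-token match so a flag merely containing "aes" (e.g. vaes) is not counted.
    if printf '%s\n' "$1" | tr ' \t' '\n\n' | grep -qx 'aes'; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample flag sets: a generic QEMU model without AES-NI, and Westmere,
# which adds aes (plus pclmulqdq, used for AES-GCM) that FreeBSD's aesni(4) needs.
GENERIC_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm pni cx16 hypervisor lahf_lm"
WESTMERE_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm pni pclmulqdq ssse3 cx16 sse4_1 sse4_2 popcnt aes hypervisor lahf_lm"

# Live check on the running guest. On pfSense the sysctl value is the same string
# the dashboard shows under "Hardware crypto", e.g. AES-CBC,AES-XTS,AES-GCM,AES-ICM.
live_aesni_status() {
    if [ -r /proc/cpuinfo ]; then
        aesni_from_flags "$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2-)"
    elif sysctl -n dev.aesni.0.%desc >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Host-side settings (run on the hypervisor, not inside pfSense). VMID 100 is a placeholder.
show_host_commands() {
    cat <<'EOF'
# Proxmox: present the Westmere model instead of the default generic CPU
qm set 100 --cpu Westmere
# Proxmox alternative when the guest need not migrate between differing hosts
qm set 100 --cpu host
# libvirt equivalent (assumed, not from the thread), placed in the domain XML
<cpu mode='custom' match='exact'><model fallback='forbid'>Westmere</model></cpu>
EOF
}

echo "constructed generic model: $(aesni_from_flags "$GENERIC_FLAGS")"
echo "constructed Westmere model: $(aesni_from_flags "$WESTMERE_FLAGS")"
echo "this guest: $(live_aesni_status)"
show_host_commands
```

Note that "yes" here only means the guest sees the instructions; the hardware still has to support them, since the hypervisor cannot emulate AES-NI at native speed.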



  • @tsmalmbe @netblues Thanks. I'm not in charge of configuring the actual host system or hypervisor, so I likely can't do that.
    But it's very useful to know this exists for future reference, and maybe the hosting provider can use this, too.

