pfsense on Hyper-V and hardware crypto

  • Hi, I’m running pfsense as a guest on Hyper-V/Windows Server 2016. On my dashboard, it says that AES-NI is available and active; however, when I set up my OpenVPN client, the only option I see for Hardware Crypto is Intel RDRAND Engine. Is that the same as hardware AES-NI? If not, should I select that or select No Hardware Acceleration?

    Thank you!

  • LAYER 8

    yes you should select that

  • Is RDRAND the same as AES-NI? On some forums it says there should be an option for “AES-NI CPU-based Acceleration”.

    Thank you!

  • LAYER 8

    No, it's not the same. RDRAND returns random numbers that are supplied by a cryptographically secure Deterministic Random Bit Generator (DRBG);
    to make it short, it's a random number generator.
    You can check for AESNI presence from the terminal/console, for example with

    dmesg | head -12 | tail -4

    CPU: Westmere E56xx/L56xx/X56xx (IBRS update) (2393.99-MHz K8-class CPU)
    Origin="GenuineIntel" Id=0x206c1 Family=0x6 Model=0x2c Stepping=1

    if it is present it will automatically be used by openssl

  • Maybe it’s because I’m running it as a Hyper-V guest, but when I do that, I get:

    SRAT: Ignoring memory at addr 0x100000000
    SRAT: Ignoring memory at addr 0x1000000000
    SRAT: Ignoring memory at addr 0x10000200000
    SRAT: Ignoring memory at addr 0x20000200000

  • LAYER 8

    dmesg | grep AESNI -a5

  • Awesome thanks! AES-NI is listed under features2 and so it’s being used even though that’s not an option I select under the openvpn client setup?

  • LAYER 8

    You can test it with
    AES-NI enabled:

    openssl speed -elapsed -evp aes-128-ecb

    AES-NI disabled:

    env OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
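    The two checks discussed in this thread (grepping dmesg for the AESNI CPU flag, and timing openssl with the AES-NI capability bits masked off) as one small POSIX sh helper. This is an added example, not a command posted in the thread and not pfSense's own code; the function names, the constructed dmesg samples and the output format are this example's own assumptions, and the OPENSSL_ia32cap mask value is the one quoted above. Unlike the two commands above, it runs the same cipher mode for both timings so the numbers are directly comparable.

```shell
#!/bin/sh
# Added example (not from the thread): check a FreeBSD-style dmesg CPU block for the
# AESNI flag, and wrap the two `openssl speed` runs so with/without AES-NI sit side by side.

# Constructed sample of the CPU lines FreeBSD's dmesg prints, modelled on the thread's
# output; the Features/Features2 hex values and flag lists are made up for the example.
SAMPLE_DMESG_AESNI='CPU: Westmere E56xx/L56xx/X56xx (IBRS update) (2393.99-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0x206c1  Family=0x6  Model=0x2c  Stepping=1
  Features=0x1783fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,SSE2>
  Features2=0x82982203<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,HV>'

# Constructed sample with AESNI absent, as a hypervisor that hides the instruction would show it.
SAMPLE_DMESG_NOAESNI='CPU: Westmere E56xx/L56xx/X56xx (IBRS update) (2393.99-MHz K8-class CPU)
  Features2=0x80982203<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,HV>'

# has_aesni TEXT: exit 0 if a Features2=0x...<...> line lists AESNI as a whole flag, else 1.
# The surrounding "<" "," ">" anchors stop a flag that merely contains the letters from matching.
has_aesni() {
    printf '%s\n' "$1" | grep -Eq 'Features2=0x[0-9a-f]+<([^>]*,)?AESNI(,[^>]*)?>'
}

# live_dmesg_has_aesni: same check against the real boot log (FreeBSD/pfSense only).
live_dmesg_has_aesni() {
    has_aesni "$(dmesg 2>/dev/null)"
}

# OPENSSL_ia32cap value from the thread: clears the AES-NI and PCLMULQDQ capability bits so
# openssl falls back to its software AES implementation for that one invocation only.
AESNI_OFF_MASK='~0x200000200000000'

# aes_kbytes_per_sec MODE [ia32cap]: run `openssl speed` for one EVP cipher and print the
# throughput column (k/s) for the largest block size. MODE is e.g. aes-128-cbc.
aes_kbytes_per_sec() {
    mode=$1
    if [ -n "$2" ]; then
        env OPENSSL_ia32cap="$2" openssl speed -elapsed -evp "$mode" 2>/dev/null
    else
        openssl speed -elapsed -evp "$mode" 2>/dev/null
    fi | awk -v m="$mode" 'tolower($1) == tolower(m) { print $NF }'
}

# compare_aes_speed [MODE]: time the same cipher with AES-NI on and off and print both.
# Each openssl speed run takes roughly 20 seconds, so this is not called at top level.
compare_aes_speed() {
    mode=${1:-aes-128-cbc}
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    on=$(aes_kbytes_per_sec "$mode")
    off=$(aes_kbytes_per_sec "$mode" "$AESNI_OFF_MASK")
    printf '%s  AES-NI on: %s  AES-NI off: %s\n' "$mode" "$on" "$off"
}
```

    On a pfSense box, `live_dmesg_has_aesni && compare_aes_speed aes-128-cbc` answers both questions in one go: whether the guest sees the instruction at all, and how much it is worth. Because the mask is passed through `env` for a single command, nothing needs to be reverted afterwards; the next openssl process starts with AES-NI detection untouched.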

  • Thank you for your patience! If I run the second command line to test the Disabled speed, do I need to do anything to revert back to enabled?

  • LAYER 8

    yes sorry, reboot or a simple

    env OPENSSL_ia32cap=""

    will do the trick

  • Thank you!
