AES-NI support

Some mini computers ships without AES-Ni due to export limitations.
How can I understand / doublecheck that my pfsense device really using AES-NI ?
I am asking because this option requires manual set up.

kiokoman

it's written on the dashboard

CPU Type
AES-NI CPU Crypto: Yes (active)

@kiokoman

Cool.

I turned it off and it still showing Active. Probably need a reboot.

Thx

kiokoman

how did you turn it off?
Cryptographic Hardware option only load or unload a kernel modules, it does not turn off anything

Bob.Dig

@kiokoman said in AES-NI support:

how did you turn it off?
Cryptographic Hardware option only load or unload a kernel modules, it does not turn off anything

I remember to have to turn it on manually, too.
System - Advanced - Miscellaneous

provels

@dealornodeal said in AES-NI support:

@kiokoman

Cool.

I turned it off and it still showing Active. Probably need a reboot.

Thx

Pretty sure the Dashboard just shows that the CPU has the feature, whether enabled for crypto or not.

kiokoman

kldunload aesni

CPU Type Intel(R) Xeon(R) CPU E5-2430L v2 @ 2.40GHz
4 CPUs: 4 package(s) x 1 core(s)
AES-NI CPU Crypto: Yes (inactive)

kldload aesni

CPU Type Intel(R) Xeon(R) CPU E5-2430L v2 @ 2.40GHz
4 CPUs: 4 package(s) x 1 core(s)
AES-NI CPU Crypto: Yes (active)

dmesg

padlock0: No ACE support.
aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboard

crypto module is built inside the kernel
you can apparently test with

openssl speed -evp aes-256-cbc

but i see no difference with or without the aesni module

[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/root: openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 25635572 aes-256-cbc's in 2.93s
Doing aes-256-cbc for 3s on 64 size blocks: 7211635 aes-256-cbc's in 2.96s
Doing aes-256-cbc for 3s on 256 size blocks: 1911772 aes-256-cbc's in 2.98s
Doing aes-256-cbc for 3s on 1024 size blocks: 474858 aes-256-cbc's in 2.90s
Doing aes-256-cbc for 3s on 8192 size blocks: 60395 aes-256-cbc's in 2.98s
Doing aes-256-cbc for 3s on 16384 size blocks: 32297 aes-256-cbc's in 2.97s
OpenSSL 1.1.1h-freebsd  22 Sep 2020
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc     140004.40k   155877.87k   163992.00k   167764.39k   165782.06k   178241.36k

Pippin

@kiokoman said in AES-NI support:

but i see no difference with or without the aesni module

That is because OpenSSL has built-in instructions to talk to AES-NI, if CPU supports it it will be used.
So for OpenVPN, which uses OpenSSL for crypto operations, there is no need to select any crypto in the GUI.

Testing with AES-NI:

openssl speed -elapsed -evp aes-256-gcm -multi 8

Testing without AES-NI:

env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-gcm -multi 8

@Pippin

not correct .. if CPU was designed to support AES doesn't really mean it supported on the machine/device. It's covered deeper, on the firmware level of your device in the BIOS.

Pippin

Then let me phrase that differently.

If AES-NI is available, OpenSSL will use it.

@Pippin

I've read somewhere that TrueCrypt can confirm availability but no time to try

@kiokoman @Pippin

.. if I get this right CPU may encrypt data without aes-ni enabled but does this job significantly slower than with aes-ni

kiokoman

right