    AES-NI support

    webGUI
    • ?
      A Former User last edited by

      Some mini computers ship without AES-NI due to export limitations.
      How can I understand / double-check that my pfSense device is really using AES-NI?
      I am asking because this option requires manual setup.

      • kiokoman
        kiokoman LAYER 8 last edited by

        it's written on the dashboard

        CPU Type
        AES-NI CPU Crypto: Yes (active)
        

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        • ?
          A Former User @kiokoman last edited by A Former User

          @kiokoman

          Cool.

          I turned it off and it is still showing Active. Probably needs a reboot.

          Thx

          • kiokoman
            kiokoman LAYER 8 last edited by kiokoman

            How did you turn it off?
            The Cryptographic Hardware option only loads or unloads a kernel module; it does not turn anything off.


            • Bob.Dig
              Bob.Dig LAYER 8 @kiokoman last edited by Bob.Dig

              @kiokoman said in AES-NI support:

              How did you turn it off?
              The Cryptographic Hardware option only loads or unloads a kernel module; it does not turn anything off.

              I remember having to turn it on manually, too.
              System - Advanced - Miscellaneous

              Primitive Threat on Layer 8

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              • provels
                provels @Guest last edited by

                @dealornodeal said in AES-NI support:

                @kiokoman

                Cool.

                I turned it off and it is still showing Active. Probably needs a reboot.

                Thx

                Pretty sure the Dashboard just shows that the CPU has the feature, whether enabled for crypto or not.

                Peder

                pfSense+ 22.05-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM (Fixed), 8GB VHDX (Dynamic)
                Packages : Cron, Mailreport, Notes, Nut, OpenVPN, pfBlockerNG-devel, RRD_Summary, Service Watchdog, System_Patches

                • kiokoman
                  kiokoman LAYER 8 last edited by kiokoman

                  kldunload aesni
                  

                  CPU Type Intel(R) Xeon(R) CPU E5-2430L v2 @ 2.40GHz
                  4 CPUs: 4 package(s) x 1 core(s)
                  AES-NI CPU Crypto: Yes (inactive)

                  kldload aesni
                  

                  CPU Type Intel(R) Xeon(R) CPU E5-2430L v2 @ 2.40GHz
                  4 CPUs: 4 package(s) x 1 core(s)
                  AES-NI CPU Crypto: Yes (active)

                  dmesg
                  
                  padlock0: No ACE support.
                  aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboard
                  

                  The crypto module is built into the kernel.
                  You can apparently test with

                  openssl speed -evp aes-256-cbc
                  

                  but I see no difference with or without the aesni module

                  [2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/root: openssl speed -evp aes-256-cbc
                  Doing aes-256-cbc for 3s on 16 size blocks: 25635572 aes-256-cbc's in 2.93s
                  Doing aes-256-cbc for 3s on 64 size blocks: 7211635 aes-256-cbc's in 2.96s
                  Doing aes-256-cbc for 3s on 256 size blocks: 1911772 aes-256-cbc's in 2.98s
                  Doing aes-256-cbc for 3s on 1024 size blocks: 474858 aes-256-cbc's in 2.90s
                  Doing aes-256-cbc for 3s on 8192 size blocks: 60395 aes-256-cbc's in 2.98s
                  Doing aes-256-cbc for 3s on 16384 size blocks: 32297 aes-256-cbc's in 2.97s
                  OpenSSL 1.1.1h-freebsd  22 Sep 2020
                  built on: reproducible build, date unspecified
                  options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
                  compiler: clang
                  The 'numbers' are in 1000s of bytes per second processed.
                  type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
                  aes-256-cbc     140004.40k   155877.87k   163992.00k   167764.39k   165782.06k   178241.36k
                  


                  • Pippin
                    Pippin last edited by

                    @kiokoman said in AES-NI support:

                    but i see no difference with or without the aesni module

                    That is because OpenSSL has built-in instructions to talk to AES-NI; if the CPU supports it, it will be used.
                    So for OpenVPN, which uses OpenSSL for crypto operations, there is no need to select any crypto in the GUI.

                    Testing with AES-NI:

                    openssl speed -elapsed -evp aes-256-gcm -multi 8
                    

                    Testing without AES-NI:

                    env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-gcm -multi 8
                    

                    I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                    Halton Arp

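The checks kiokoman and Pippin describe above, as one script: does the CPU advertise AES-NI at all (the CPUID flag, which a firmware-level disable would also hide), did the aesni(4) driver attach (the "aesni0: <...>" dmesg line that appears after kldload aesni), and is OpenSSL measurably faster than with the instructions masked via OPENSSL_ia32cap=0. This is an added example written for this page, not code from the thread or from pfSense/FreeBSD. The "flags :" and "Features2=...<...>" line formats, the "aesni0: No AES support." message and every sample string in the script are assumptions constructed for offline testing; the openssl speed table format is the one kiokoman pasted above.

```shell
#!/bin/sh
# Added example (not from the forum thread, pfSense or FreeBSD).
# Three checks for "is my box really using AES-NI?", each written as a
# function over text so it can be tested offline on the constructed samples
# below, then run for real with:   sh aesni_check.sh --live
#   1. has_aesni_flag     - CPUID flag present? (FreeBSD dmesg "Features2=<..AESNI..>"
#                           or Linux /proc/cpuinfo "flags : ... aes ...")
#   2. aesni_driver_modes - did aesni(4) attach? ("aesni0: <...>" line; absent
#                           when the module is not loaded or the CPU lacks AES-NI)
#   3. speed_kbps / speedup_percent - openssl speed with vs. without AES-NI
# Assumed, not taken from the thread: the exact flag-line formats and the
# "aesni0: No AES support." message.

# 1. Prints yes if either spelling of the flag is present, else no.
has_aesni_flag() {
    printf '%s\n' "$1" | grep -Eq '(<|,)AESNI(,|>)|flags[[:space:]]*:.* aes( |$)' \
        && echo yes || echo no
}

# 2. Cipher modes the aesni(4) driver registered, or "none" if no attach line.
aesni_driver_modes() {
    printf '%s\n' "$1" | sed -n 's/^aesni0: <\([^>]*\)>.*/\1/p' | head -n 1 | grep . \
        || echo none
}

# 3a. 16 KiB-block throughput (integer kB/s) for one cipher from the table
#     "openssl speed -evp <cipher>" prints; the last column is the 16384-byte size.
speed_kbps() {
    printf '%s\n' "$1" | awk -v c="$2" '$1 == c { v = $NF; sub(/k$/, "", v); printf "%d\n", v + 0 }'
}

# 3b. with/without ratio as an integer percentage (100 = no difference).
speedup_percent() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# Constructed samples (not captured from a real machine).
SAMPLE_FREEBSD_FEATURES='  Features2=0x7ffafbff<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>'
SAMPLE_LINUX_FLAGS='flags : fpu vme de pse tsc msr pae sse sse2 ssse3 sse4_1 sse4_2 popcnt aes xsave avx'
SAMPLE_LINUX_NO_AES='flags : fpu vme de pse tsc msr pae sse sse2 ssse3 sse4_1 sse4_2 popcnt xsave avx'
SAMPLE_DMESG_ATTACHED='padlock0: No ACE support.
aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboard'
SAMPLE_DMESG_NO_AES='padlock0: No ACE support.
aesni0: No AES support.'
SAMPLE_SPEED_WITH='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-gcm     300000.00k   900000.00k  1800000.00k  2400000.00k  2600000.00k  2650000.00k'
SAMPLE_SPEED_MASKED='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-gcm      60000.00k   180000.00k   360000.00k   480000.00k   520000.00k   530000.00k'

# Run the same three checks on the machine this script is executed on.
# On a long-running FreeBSD box the flags live in /var/run/dmesg.boot.
live_check() {
    cpuinfo=$(cat /proc/cpuinfo 2>/dev/null || cat /var/run/dmesg.boot 2>/dev/null || dmesg)
    echo "CPU advertises AES-NI:  $(has_aesni_flag "$cpuinfo")"
    echo "aesni(4) driver modes:  $(aesni_driver_modes "$(dmesg 2>/dev/null)")"
    with=$(speed_kbps "$(openssl speed -elapsed -evp aes-256-gcm 2>&1)" aes-256-gcm)
    masked=$(speed_kbps "$(env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-gcm 2>&1)" aes-256-gcm)
    echo "aes-256-gcm, 16 KiB blocks: ${with} kB/s with AES-NI, ${masked} kB/s masked," \
         "$(speedup_percent "$with" "$masked")% of masked speed"
}

if [ "$1" = --live ]; then
    live_check
else
    echo "offline demo on constructed samples:"
    echo "  FreeBSD flags -> $(has_aesni_flag "$SAMPLE_FREEBSD_FEATURES")"
    echo "  driver modes  -> $(aesni_driver_modes "$SAMPLE_DMESG_ATTACHED")"
    echo "  speedup       -> $(speedup_percent "$(speed_kbps "$SAMPLE_SPEED_WITH" aes-256-gcm)" \
                                              "$(speed_kbps "$SAMPLE_SPEED_MASKED" aes-256-gcm)")%"
fi
```

Run it with --live from an SSH session or Diagnostics > Command Prompt on the firewall. Without --live it only exercises the constructed samples. The three answers can disagree, which is the point of running all of them: the flag check says no when the CPU lacks the feature or firmware hides it, the driver check says none when aesni.ko is simply not loaded (kiokoman's kldunload/kldload output above shows the dashboard word flipping between inactive and active on exactly that), and the speed ratio stays near 100% when OpenSSL never reached the hardware path at all. Pippin's -multi 8 form is omitted from the live run because it changes the output layout the parser expects.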
                    • ?
                      A Former User @Pippin last edited by A Former User

                      @Pippin

                      Not correct... if the CPU was designed to support AES, it doesn't really mean it is supported on the machine/device. It's covered deeper, at the firmware level of your device, in the BIOS.

                      • Pippin
                        Pippin last edited by

                        Then let me phrase that differently.

                        If AES-NI is available, OpenSSL will use it.


                        • ?
                          A Former User @Pippin last edited by

                          @Pippin

                          I've read somewhere that TrueCrypt can confirm availability, but no time to try.

                          • ?
                            A Former User @Pippin last edited by A Former User

                            @kiokoman @Pippin

                            ...if I get this right, the CPU may encrypt data without AES-NI enabled but does this job significantly slower than with AES-NI.

                            • kiokoman
                              kiokoman LAYER 8 last edited by

                              right

