AES-NI support
-
it's written on the dashboard
CPU Type AES-NI CPU Crypto: Yes (active)
-
-
how did you turn it off?
Cryptographic Hardware option only loads or unloads a kernel module, it does not turn off anything
-
@kiokoman said in AES-NI support:
how did you turn it off?
Cryptographic Hardware option only loads or unloads a kernel module, it does not turn off anything

I remember having to turn it on manually, too.
System - Advanced - Miscellaneous
-
@dealornodeal said in AES-NI support:
Cool.
I turned it off and it still showing Active. Probably need a reboot.
Thx
Pretty sure the Dashboard just shows that the CPU has the feature, whether enabled for crypto or not.
-
kldunload aesni
CPU Type Intel(R) Xeon(R) CPU E5-2430L v2 @ 2.40GHz
4 CPUs: 4 package(s) x 1 core(s)
AES-NI CPU Crypto: Yes (inactive)

kldload aesni
CPU Type Intel(R) Xeon(R) CPU E5-2430L v2 @ 2.40GHz
4 CPUs: 4 package(s) x 1 core(s)
AES-NI CPU Crypto: Yes (active)

dmesg
padlock0: No ACE support.
aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboard
crypto module is built inside the kernel
you can apparently test with
openssl speed -evp aes-256-cbc
but I see no difference with or without the aesni module

[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/root: openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 25635572 aes-256-cbc's in 2.93s
Doing aes-256-cbc for 3s on 64 size blocks: 7211635 aes-256-cbc's in 2.96s
Doing aes-256-cbc for 3s on 256 size blocks: 1911772 aes-256-cbc's in 2.98s
Doing aes-256-cbc for 3s on 1024 size blocks: 474858 aes-256-cbc's in 2.90s
Doing aes-256-cbc for 3s on 8192 size blocks: 60395 aes-256-cbc's in 2.98s
Doing aes-256-cbc for 3s on 16384 size blocks: 32297 aes-256-cbc's in 2.97s
OpenSSL 1.1.1h-freebsd 22 Sep 2020
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type          16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc   140004.40k   155877.87k   163992.00k   167764.39k   165782.06k   178241.36k
-
@kiokoman said in AES-NI support:
but I see no difference with or without the aesni module

That is because OpenSSL has built-in instructions to talk to AES-NI; if the CPU supports it, it will be used.
So for OpenVPN, which uses OpenSSL for crypto operations, there is no need to select any crypto in the GUI.

Testing with AES-NI:
openssl speed -elapsed -evp aes-256-gcm -multi 8
Testing without AES-NI:
env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-gcm -multi 8
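
Added example, not part of any post in this thread: a POSIX sh script that measures OpenSSL's own AES throughput with and without AES-NI, independent of the aesni kernel module. `NOAESNI_MASK` is the value given in OpenSSL's OPENSSL_ia32cap documentation for hiding AES-NI and PCLMULQDQ; the function names, the `run` argument and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): measure what AES-NI buys OpenSSL itself,
# independent of whether the aesni kernel module is loaded.

# OPENSSL_ia32cap mask that hides AES-NI (bit 57) and PCLMULQDQ (bit 33)
# from OpenSSL for one process; nothing system-wide changes.
NOAESNI_MASK='~0x200000200000000'

# Read `openssl speed` output on stdin and print the throughput for the
# largest block size, in 1000s of bytes/s. OpenSSL 1.1.1 prints the cipher
# name in lower case and 3.x in upper case, so match case-insensitively.
largest_block_k() {
    awk -v alg="$1" '
        tolower($1) == tolower(alg) && $NF ~ /^[0-9.]+k$/ { v = $NF; sub(/k$/, "", v) }
        END { if (v == "") exit 1; print v }'
}

# Ratio of two throughput figures, one decimal place.
ratio() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (b + 0 <= 0) exit 1; printf "%.1f\n", a / b }'
}

# Benchmark one cipher; $2, if set, is passed as OPENSSL_ia32cap.
bench() {
    if [ -n "${2:-}" ]; then
        OPENSSL_ia32cap="$2" openssl speed -elapsed -evp "$1" 2>/dev/null
    else
        openssl speed -elapsed -evp "$1" 2>/dev/null
    fi | largest_block_k "$1"
}

# Summary line from the thread's aes-256-cbc run, and a constructed line
# standing in for a run with AES-NI masked (values are illustrative only).
SAMPLE_ACCEL='aes-256-cbc 140004.40k 155877.87k 163992.00k 167764.39k 165782.06k 178241.36k'
SAMPLE_MASKED='AES-256-CBC 40000.00k 42000.00k 43000.00k 44000.00k 44500.00k 44560.34k'

if [ "${1:-}" = "run" ]; then      # live measurement: sh script.sh run [cipher]
    cipher=${2:-aes-256-gcm}
    with=$(bench "$cipher") && without=$(bench "$cipher" "$NOAESNI_MASK") || exit 1
    echo "$cipher: ${with}k with AES-NI, ${without}k masked, $(ratio "$with" "$without")x"
else                               # offline: parse the embedded samples
    a=$(printf '%s\n' "$SAMPLE_ACCEL" | largest_block_k aes-256-cbc)
    b=$(printf '%s\n' "$SAMPLE_MASKED" | largest_block_k aes-256-cbc)
    echo "sample: ${a}k vs ${b}k -> $(ratio "$a" "$b")x"
fi
```

A ratio close to 1.0 from the live run means OpenSSL is not using AES-NI on that machine, whatever the dashboard reports.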
-
Not correct... If a CPU was designed to support AES, that doesn't really mean it is supported on the machine/device. It's covered deeper, at the firmware level of your device, in the BIOS.
-
Then let me phrase that differently.
If AES-NI is available, OpenSSL will use it.
-
I've read somewhere that TrueCrypt can confirm availability but no time to try
-
-
right