• Some mini computers ship without AES-NI due to export limitations.
    How can I understand / double-check that my pfSense device is really using AES-NI?
    I am asking because this option requires manual setup.

  • LAYER 8

    It's written on the dashboard:

    CPU Type
    AES-NI CPU Crypto: Yes (active)
    

  • @kiokoman

    Cool.

    I turned it off and it's still showing Active. Probably need a reboot.

    Thx

  • LAYER 8

    How did you turn it off?
    The Cryptographic Hardware option only loads or unloads a kernel module; it does not turn off anything.


  • @kiokoman said in AES-NI support:

    How did you turn it off?
    The Cryptographic Hardware option only loads or unloads a kernel module; it does not turn off anything.

    I remember having to turn it on manually, too.
    System - Advanced - Miscellaneous


  • @dealornodeal said in AES-NI support:

    @kiokoman

    Cool.

    I turned it off and it's still showing Active. Probably need a reboot.

    Thx

    Pretty sure the Dashboard just shows that the CPU has the feature, whether enabled for crypto or not.

  • LAYER 8

    kldunload aesni
    

    CPU Type Intel(R) Xeon(R) CPU E5-2430L v2 @ 2.40GHz
    4 CPUs: 4 package(s) x 1 core(s)
    AES-NI CPU Crypto: Yes (inactive)

    kldload aesni
    

    CPU Type Intel(R) Xeon(R) CPU E5-2430L v2 @ 2.40GHz
    4 CPUs: 4 package(s) x 1 core(s)
    AES-NI CPU Crypto: Yes (active)

    dmesg
    
    padlock0: No ACE support.
    aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS> on motherboard
    

    The crypto module is built into the kernel.
    You can apparently test with

    openssl speed -evp aes-256-cbc
    

    But I see no difference with or without the aesni module.

    [2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/root: openssl speed -evp aes-256-cbc
    Doing aes-256-cbc for 3s on 16 size blocks: 25635572 aes-256-cbc's in 2.93s
    Doing aes-256-cbc for 3s on 64 size blocks: 7211635 aes-256-cbc's in 2.96s
    Doing aes-256-cbc for 3s on 256 size blocks: 1911772 aes-256-cbc's in 2.98s
    Doing aes-256-cbc for 3s on 1024 size blocks: 474858 aes-256-cbc's in 2.90s
    Doing aes-256-cbc for 3s on 8192 size blocks: 60395 aes-256-cbc's in 2.98s
    Doing aes-256-cbc for 3s on 16384 size blocks: 32297 aes-256-cbc's in 2.97s
    OpenSSL 1.1.1h-freebsd  22 Sep 2020
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-256-cbc     140004.40k   155877.87k   163992.00k   167764.39k   165782.06k   178241.36k
    

  • @kiokoman said in AES-NI support:

    But I see no difference with or without the aesni module.

    That is because OpenSSL has built-in instructions to talk to AES-NI; if the CPU supports it, it will be used.
    So for OpenVPN, which uses OpenSSL for crypto operations, there is no need to select any crypto in the GUI.

    Testing with AES-NI:

    openssl speed -elapsed -evp aes-256-gcm -multi 8
    

    Testing without AES-NI:

    env OPENSSL_ia32cap=0 openssl speed -elapsed -evp aes-256-gcm -multi 8
    

  • @Pippin

    Not correct. If the CPU was designed to support AES, that doesn't really mean it's supported on the machine/device. It's covered deeper, at the firmware level of your device, in the BIOS.


  • Then let me phrase that differently.

    If AES-NI is available, OpenSSL will use it.


  • @Pippin

    I've read somewhere that TrueCrypt can confirm availability, but I've had no time to try.


  • @kiokoman @Pippin

    If I get this right, the CPU may encrypt data without AES-NI enabled, but does this job significantly slower than with AES-NI?

  • LAYER 8

    Right.