Netgate Discussion Forum

    AES-NI CPU Crypto: No

    • maverickws

      Hi all, thanks in advance for your help.

      My pfSense has an Intel Celeron 3865U (w/ AES-NI)
      After 2.5.0 upgrade, I get this:

      AES-NI CPU Crypto: No

      Could anyone explain why I have "AES-NI CPU Crypto: No"?

      Definitions under System > Advanced > Miscellaneous:
      Cryptographic Hardware: AES-NI and BSD Crypto device (aesni, cryptodev) as was before, I tried AES-NI only but the same result.

      • Derelict LAYER 8 Netgate @maverickws

        @maverickws Is there any BIOS setting to enable/disable AES-NI? Is it enabled?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • stephenw10 Netgate Administrator

          Are you saying it showed as present in 2.4.5p1?

          Does the CPU report it supports it at boot? For example:

          Features2=0x43d8e3bf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,TSCDLT,AESNI,RDRAND>
          

          Steve

          • maverickws

            @Derelict I can't confirm right now about the BIOS Setting, (can't take the router down) but as I mentioned on the previous version it showed 'Yes (Active)'

            @stephenw10 I'm sorry where can I check that? Thank you.

            • Derelict LAYER 8 Netgate @maverickws

              @maverickws in the dmesg.boot log usually.

              • maverickws @Derelict

                @derelict the dmesg.boot file at /var/log is empty.
                I actually did grep -rni 'Features2' /var/log/ also it comes with zero results (using Features alone also)

                • Derelict LAYER 8 Netgate @maverickws

                  @maverickws You will want to look at /var/log/dmesg.boot for a CPU stanza similar to this:

                  CPU: Intel(R) Atom(TM) CPU C3558 @ 2.20GHz (2200.07-MHz K8-class CPU)
                    Origin="GenuineIntel"  Id=0x506f1  Family=0x6  Model=0x5f  Stepping=1
                    Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
                    Features2=0x4ff8ebbf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,RDRAND>
                    AMD Features=0x2c100800<SYSCALL,NX,Page1GB,RDTSCP,LM>
                    AMD Features2=0x101<LAHF,Prefetch>
                    Structured Extended Features=0x2294e283<FSGSBASE,TSCADJ,SMEP,ERMS,NFPUSG,MPX,PQE,RDSEED,SMAP,CLFLUSHOPT,PROCTRACE,SHA>
                    Structured Extended Features3=0x2c000000<IBPB,STIBP,ARCH_CAP>
                    XSAVE Features=0xf<XSAVEOPT,XSAVEC,XINUSE,XSAVES>
                    IA32_ARCH_CAPS=0x1<RDCL_NO>
                    VT-x: (disabled in BIOS) PAT,HLT,MTF,PAUSE,EPT,UG,VPID,VID,PostIntr
                    TSC: P-state invariant, performance statistics
                  

                  • maverickws

                    Sorry guys but my dmesg.boot is empty.

                    [2.5.0-RELEASE][admin@pfSense.domain.io]/var/log: pwd
                    /var/log
                    [2.5.0-RELEASE][admin@pfSense.domain.io]/var/log: ls -la dmesg.boot
                    -rw-r--r--  1 root  wheel  0 Feb 19 16:54 dmesg.boot
                    [2.5.0-RELEASE][admin@pfSense.domain.io]/var/log: cat /var/log/dmesg.boot 
                    [2.5.0-RELEASE][admin@pfSense.domain.io]/var/log: 
                    

                    I'll have to take a look after the next reboot, unless you can point to some other way to get that info.

                    • stephenw10 Netgate Administrator

                      Hmmm, weird.

                      It might still be in dmesg in the buffer if you rebooted recently.

                      Or in the system logs from the last boot.

                      Steve

                      • Bob.Dig LAYER 8

                        If you delete logs it will clear that too and will report AES:No.
                        That behavior was "fixed" in 2.4.5p1, but came back with 2.5.

                        • stephenw10 Netgate Administrator

                          Ah. Hmm

                          Was there a bug for that? Not seeing one...

                          • maverickws

                            The uptime is since the 2.5.0 update so 14 days uptime.

                            With grep looking for the CPU model (3865U) I don't get anything so I'd say it's not in the system log.
                            I have to wait a few hours until I can reboot.

                            • Bob.Dig LAYER 8 @stephenw10

                              @stephenw10 No, just me posting it here. And there is one.

                              • stephenw10 Netgate Administrator

                                There is a current bug for it though: https://redmine.pfsense.org/issues/11428

                                Looks like that's what you're seeing. It's a GUI bug; you would still be able to load the module and use the instructions.

                                Steve

                                • maverickws

                                  man looking at that bug and reading this:

                                  Updated by Jim Pingle 15 days ago

                                  Subject changed from CPU Type, some information disappear on 2.5.0 RC to CPU core details disappear after resetting log files
                                  Priority changed from Normal to Very Low
                                  Target version changed from 2.6.0 to Future

                                  Very low and future really got my hopes up.

                                  • maverickws

                                    By the way I'm sorry if this remark may seem stupid but,

                                    what is the point of adding an OS Boot tab under
                                    Status > System Logs > System > OS Boot

                                    if the log is emptied??
                                    I didn't manually reset any log files so I assume this is automatic. So it's like a new tab to be empty?

                                    • stephenw10 Netgate Administrator

                                      It should not be emptied. That should only be manual.

                                      This is the first report of this I've seen because most people never reset the logs.

                                      Steve

                                      • maverickws @stephenw10

                                        @stephenw10 I never reset the logs either.

                                        Anyway this is my home office pfSense. I have a couple more virtualized on Xen, they have 3 days uptime. I'll keep an eye on them and let you know if the same happens.

                                        • maverickws

                                          Hello again,
                                          As promised I rebooted our router late last night and now dmesg.boot is correctly populated, and the System Information correctly displays AES-NI CPU Crypto: Yes (Active):

                                          Features2=0x4ffaebbf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,RDRAND>

                                          • stephenw10 Netgate Administrator

                                            Hmm, not sure why you ended up with no logs then. That is the reason for the missing CPU data though.

                                            Steve
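
The check discussed in this thread, as an added example that is not part of any post or of pfSense's own code: it reads the `Features2` line from a boot log and reports "unknown" rather than "absent" when the log is empty, which is the case that produced "AES-NI CPU Crypto: No" here. The function name `aesni_state` is hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Classify AES-NI support from a FreeBSD-style boot log (e.g. dmesg.boot).
# Prints one of: present | absent | unknown
aesni_state() {
    log="$1"
    # An empty or missing boot log is no evidence either way.
    [ -s "$log" ] || { echo unknown; return 0; }

    # First "Features2=0x...<A,B,C>" line; "AMD Features2=" does not match
    # because only whitespace may precede the keyword.
    flags=$(sed -n 's/^[[:space:]]*Features2=0x[0-9a-fA-F]*<\(.*\)>.*$/\1/p' "$log" | head -n 1)
    [ -n "$flags" ] || { echo unknown; return 0; }

    # Exact token match, so a flag that merely contains "AESNI" is not counted.
    case ",$flags," in
        *,AESNI,*) echo present ;;
        *)         echo absent ;;
    esac
}

# Constructed samples: a shortened Features2 line with the flag, an empty
# file like the poster's dmesg.boot, and a made-up CPU without the flag.
tmp=$(mktemp -d)
printf '%s\n' 'CPU: constructed sample' \
    '  Features2=0x4ffaebbf<SSE3,PCLMULQDQ,SSSE3,AESNI,RDRAND>' > "$tmp/with_flag"
: > "$tmp/empty_log"
printf '%s\n' '  Features2=0x1<SSE3,SSSE3,POPCNT>' \
    '  AMD Features2=0x101<LAHF,Prefetch>' > "$tmp/without_flag"

for f in with_flag empty_log without_flag; do
    printf '%s: %s\n' "$f" "$(aesni_state "$tmp/$f")"
done
rm -rf "$tmp"
```
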

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.