dell optiplex 3040 issues with aes-ni ?

wheelhouse20

im having issues trying to get AES-NI to work with dell optiplex 3040 SFF ,does any one else use one of these ?

Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (inactive)
QAT Crypto: No

stephenw10

How are you trying?

It looks like the CPU supports it and pfSense recognises that.

You probably just need to select it in System > Advanced > Miscellaneous in the 'Cryptographic Hardware' setting.

Steve

wheelhouse20

no matter what i change it states as Yes (inactive). i dont see any thing in the bios reguarding AES-NI so would of thought it would of been active maybe an defective motherboard .

Cybermaze

I am also running pfSense on an Dell OptiPlex 3040 SFF. My Dashboard lists the following:

CPU Type
Intel(R) Core(TM) i3-6100 CPU @ 3.70GHz
Current: 1000 MHz, Max: 3700 MHz
4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads
AES-NI CPU Crypto: Yes (active)
QAT Crypto: No

Hardware crypto
AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS

Please note, I'm not actively using encryption over a VPN or similar, so I can only tell you, what the Dashboard reports.

wheelhouse20

@cybermaze which bios is your motherboard using ?

stephenw10

You can check to see if the module loaded with kldstat.

If it's loaded and attached you should see in the system log something like:

Feb 22 01:51:50 	kernel 		aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS,SHA1,SHA256> on motherboard 

If not you might see an error in the boot log where it failed to attach.

Just disabling it in the BIOS will produce exactly what you're seeing though.

Steve

wheelhouse20

@stephenw10 said in dell optiplex 3040 issues with aes-ni ?:

Feb 22 01:51:50 kernel aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS,SHA1,SHA256> on motherboard

where do i see this> Feb 22 01:51:50 kernel aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS,SHA1,SHA256> on motherboard

stephenw10

In the system log when the driver attaches to the device (though really it's not a device!).
That's usually during boot but it will appear there after enabling AES-NI at runtime if it wasn't at boot.

Steve

wheelhouse20

@stephenw10

The only place i see AES-NI is in the Features2 part.

cd0: Attempt to query device size failed: NOT READY, Medium not present - tray closed
cd0: 150.000MB/s transfers (SATA 1.x, UDMA6, ATAPI 12bytes, PIO 8192bytes)
cd0: Serial Number 
cd0: <PLDS DVD+-RW DU-8A5LH DD11> Removable CD-ROM SCSI device
cd0 at ahcich0 bus 0 scbus0 target 0 lun 0
ses0: ada0,pass1 in 'Slot 01', SATA Slot: scbus1 target 0
ses0: pass0,cd0 in 'Slot 00', SATA Slot: scbus0 target 0
ses0: SEMB SES Device
ses0: <AHCI SGPIO Enclosure 2.00 0001> SEMB S-E-S 2.00 device
ses0 at ahciem0 bus 0 scbus4 target 0 lun 0
ada0: 238475MB (488397168 512 byte sectors)
ada0: Command Queueing enabled
ada0: 300.000MB/s transfers (SATA 2.x, UDMA6, PIO 8192bytes)
ada0: Serial Number WD-WX11A51Z0729
ada0: <WDC WD2500BEVT-08A23T1 02.01A02> ATA8-ACS SATA 2.x device
ada0 at ahcich1 bus 0 scbus1 target 0 lun 0
Root mount waiting for: CAM
Root mount waiting for: CAM
Root mount waiting for: CAM
Root mount waiting for: CAM
Root mount waiting for: CAM
Root mount waiting for: CAM
Root mount waiting for: CAM
Root mount waiting for: CAM
uhub0: 20 ports with 20 removable, self powered
Root mount waiting for: usbus0 CAM
uhub0: <0x8086 XHCI root HUB, class 9/0, rev 3.00/1.00, addr 1> on usbus0
ugen0.1: <0x8086 XHCI root HUB> at usbus0
Root mount waiting for: usbus0 CAM
Trying to mount root from zfs:pfSense/ROOT/default []...
Timecounters tick every 1.000 msec
ZFS storage pool version: features support (5000)
ZFS filesystem version: 5
est0: <Enhanced SpeedStep Frequency Control> on cpu0
orm0: <ISA Option ROM> at iomem 0xc0000-0xcffff pnpid ORM0000 on isa0
driver bug: Unable to set devclass (class: atkbdc devname: (unknown))
atkbd0: [GIANT-LOCKED]
kbd0 at atkbd0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
acpi_tz1: <Thermal Zone> on acpi0
acpi_tz0: <Thermal Zone> on acpi0
acpi_button1: <Power Button> on acpi0
acpi_button0: <Sleep Button> on acpi0
pci0: <memory> at device 31.2 (no driver attached)
isa0: <ISA bus> on isab0
isab0: <PCI-ISA bridge> at device 31.0 on pci0
ahciem0: <AHCI enclosure management bridge> on ahci0
ahcich3: <AHCI channel> at channel 3 on ahci0
ahcich2: <AHCI channel> at channel 2 on ahci0
ahcich1: <AHCI channel> at channel 1 on ahci0
ahcich0: <AHCI channel> at channel 0 on ahci0
ahci0: AHCI v1.31 with 4 6Gbps ports, Port Multiplier not supported
ahci0: <Intel Sunrise Point AHCI SATA controller> port 0xf090-0xf097,0xf080-0xf083,0xf060-0xf07f mem 0xf7414000-0xf7415fff,0xf7418000-0xf74180ff,0xf7417000-0xf74177ff irq 18 at device 23.0 on pci0
pci0: <simple comms> at device 22.0 (no driver attached)
usbus0: 5.0Gbps Super Speed USB v3.0
usbus0 on xhci0
usbus0: waiting for BIOS to give up control
xhci0: 32 bytes context size, 64-bit DMA
xhci0: <Intel Sunrise Point USB 3.0 controller> mem 0xf7400000-0xf740ffff irq 16 at device 20.0 on pci0
vgapci0: Boot video device
vgapci0: <VGA-compatible display> port 0xf000-0xf03f mem 0xf6000000-0xf6ffffff,0xe0000000-0xefffffff irq 17 at device 2.0 on pci0
em3: netmap queues/slots: TX 1/1024, RX 1/1024
em3: Ethernet address: 00:26:55:d8:ff:f2
em3: Using an MSI interrupt
em3: Using 1024 TX descriptors and 1024 RX descriptors
em3: EEPROM V5.12-2
em3: <Intel(R) PRO/1000 PT 82571EB/82571GB (Quad Copper)> port 0xd000-0xd01f mem 0xf7100000-0xf711ffff,0xf7000000-0xf707ffff irq 16 at device 0.1 on pci4
em2: netmap queues/slots: TX 1/1024, RX 1/1024
em2: Ethernet address: 00:26:55:d8:ff:f3
em2: Using an MSI interrupt
em2: Using 1024 TX descriptors and 1024 RX descriptors
em2: EEPROM V5.12-2
em2: <Intel(R) PRO/1000 PT 82571EB/82571GB (Quad Copper)> port 0xd020-0xd03f mem 0xf7120000-0xf713ffff,0xf7080000-0xf70fffff irq 17 at device 0.0 on pci4
pci4: <PCI bus> on pcib4
pcib4: <PCI-PCI bridge> at device 4.0 on pci2
em1: netmap queues/slots: TX 1/1024, RX 1/1024
em1: Ethernet address: 00:26:55:d8:ff:f0
em1: Using an MSI interrupt
em1: Using 1024 TX descriptors and 1024 RX descriptors
em1: EEPROM V5.12-2
em1: <Intel(R) PRO/1000 PT 82571EB/82571GB (Quad Copper)> port 0xe000-0xe01f mem 0xf7300000-0xf731ffff,0xf7200000-0xf727ffff irq 18 at device 0.1 on pci3
em0: netmap queues/slots: TX 1/1024, RX 1/1024
em0: Ethernet address: 00:26:55:d8:ff:f1
em0: Using an MSI interrupt
em0: Using 1024 TX descriptors and 1024 RX descriptors
em0: EEPROM V5.12-2
em0: <Intel(R) PRO/1000 PT 82571EB/82571GB (Quad Copper)> port 0xe020-0xe03f mem 0xf7320000-0xf733ffff,0xf7280000-0xf72fffff irq 19 at device 0.0 on pci3
pci3: <PCI bus> on pcib3
pcib3: <PCI-PCI bridge> at device 2.0 on pci2
pci2: <ACPI PCI bus> on pcib2
pcib2: <ACPI PCI-PCI bridge> at device 0.0 on pci1
pci1: <ACPI PCI bus> on pcib1
pcib1: <ACPI PCI-PCI bridge> irq 16 at device 1.0 on pci0
pci0: <ACPI PCI bus> on pcib0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x1808-0x180b on acpi0
Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
Event timer "i8254" frequency 1193182 Hz quality 100
Timecounter "i8254" frequency 1193182 Hz quality 0
attimer0: <AT timer> port 0x40-0x43,0x50-0x53 irq 0 on acpi0
Event timer "RTC" frequency 32768 Hz quality 0
atrtc0: registered as a time-of-day clock, resolution 1.000000s
atrtc0: Warning: Couldn't map I/O.
atrtc0: <AT realtime clock> port 0x70-0x77 irq 8 on acpi0
Event timer "HPET4" frequency 24000000 Hz quality 440
Event timer "HPET3" frequency 24000000 Hz quality 440
Event timer "HPET2" frequency 24000000 Hz quality 440
Event timer "HPET1" frequency 24000000 Hz quality 440
Event timer "HPET" frequency 24000000 Hz quality 550
Timecounter "HPET" frequency 24000000 Hz quality 950
hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
cpu0: <ACPI CPU> on acpi0
unknown: memory range not supported
acpi0: Power Button (fixed)
acpi0: <DELL CBX3 > on motherboard
cryptosoft0: <software crypto> on motherboard
vtvga0: <VT VGA driver> on motherboard
nexus0
mlx5en: Mellanox Ethernet driver 3.6.0 (December 2020)
000.000056 [4344] netmap_init netmap: loaded module
WARNING: Device "spkr" is Giant locked and may be deleted before FreeBSD 14.0.
random: fast provider: "Intel Secure Key RNG"
random: registering fast source Intel Secure Key RNG
[ath_hal] loaded
kbd1 at kbdmux0
WARNING: Device "kbd" is Giant locked and may be deleted before FreeBSD 14.0.
module_register_init: MOD_LOAD (vesa, 0xffffffff8140a210, 0) error 19
WARNING: Device "pci" is Giant locked and may be deleted before FreeBSD 14.0.
WARNING: Device "g_ctl" is Giant locked and may be deleted before FreeBSD 14.0.
wlan: mac acl policy registered
module_register_init: MOD_LOAD (iwi_monitor_fw, 0xffffffff80760b50, 0) error 1
iwi_monitor: If you agree with the license, set legal.intel_iwi.license_ack=1 in /boot/loader.conf.
iwi_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_iwi.LICENSE.
module_register_init: MOD_LOAD (iwi_ibss_fw, 0xffffffff80760aa0, 0) error 1
iwi_ibss: If you agree with the license, set legal.intel_iwi.license_ack=1 in /boot/loader.conf.
iwi_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_iwi.LICENSE.
module_register_init: MOD_LOAD (iwi_bss_fw, 0xffffffff807609f0, 0) error 1
iwi_bss: If you agree with the license, set legal.intel_iwi.license_ack=1 in /boot/loader.conf.
iwi_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_iwi.LICENSE.
module_register_init: MOD_LOAD (ipw_monitor_fw, 0xffffffff80739160, 0) error 1
ipw_monitor: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
ipw_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw.LICENSE.
module_register_init: MOD_LOAD (ipw_ibss_fw, 0xffffffff807390b0, 0) error 1
ipw_ibss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
ipw_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw.LICENSE.
module_register_init: MOD_LOAD (ipw_bss_fw, 0xffffffff80739000, 0) error 1
ipw_bss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
ipw_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw.LICENSE.
random: entropy device external interface
Timecounter "TSC-low" frequency 1596079057 Hz quality 1000
Launching APs: 1 3 2
ioapic0 <Version 2.0> irqs 0-119 on motherboard
random: unblocking device.
FreeBSD/SMP: 1 package(s) x 4 core(s)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
ACPI APIC Table: <DELL CBX3 >
Event timer "LAPIC" quality 600
avail memory = 8021995520 (7650 MB)
real memory = 8589934592 (8192 MB)
TSC: P-state invariant, performance statistics
VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
IA32_ARCH_CAPS=0xc04<RSBA>
XSAVE Features=0xf<XSAVEOPT,XSAVEC,XINUSE,XSAVES>
Structured Extended Features3=0xbc002e00<MCUOPT,MD_CLEAR,TSXFA,IBPB,STIBP,L1DFL,ARCH_CAP,SSBD>
Structured Extended Features=0x29c6fbf<FSGSBASE,TSCADJ,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,NFPUSG,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PROCTRACE>
AMD Features2=0x121<LAHF,ABM,Prefetch>
AMD Features=0x2c100800<SYSCALL,NX,Page1GB,RDTSCP,LM>
Features2=0x7ffafbff<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>
Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
Origin="GenuineIntel" Id=0x506e3 Family=0x6 Model=0x5e Stepping=3
CPU: Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (3192.16-MHz K8-class CPU)
VT(vga): resolution 640x480
FreeBSD clang version 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
FreeBSD 12.3-STABLE RELENG_2_6_0-n226742-1285d6d205f pfSense amd64
FreeBSD is a registered trademark of The FreeBSD Foundation.
The Regents of the University of California. All rights reserved.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
Copyright (c) 1992-2021 The FreeBSD Project.

stephenw10

Mmm, the most likely thing is it's disabled in the BIOS but you say there's no setting for it?

You see the module loaded i the kldstat output? There's nothing else required on the pfSense end.

Steve

wheelhouse20

@stephenw10 sorry im still learning, where do i need to look for the kldstat output ?

stephenw10

You can run kldstat from the webgui in Diag > Command Prompt.

Or you can run it from the command line like:

[22.01-RELEASE][admin@5100.stevew.lan]/root: kldstat
Id Refs Address                Size Name
 1   36 0xffffffff80200000  3aefff8 kernel
 2    1 0xffffffff83cf1000     1d00 sg5100.ko
 3    1 0xffffffff83cf3000   39ae70 zfs.ko
 4    2 0xffffffff8408e000     9860 opensolaris.ko
 5    1 0xffffffff84098000     3980 wbwd.ko
 6    2 0xffffffff8409c000     5d98 superio.ko
 7    1 0xffffffff84321000     1000 cpuctl.ko
 8    1 0xffffffff84322000     8e10 aesni.ko
 9    1 0xffffffff8432b000      bf8 coretemp.ko
10    1 0xffffffff8432c000    275c8 ipfw.ko
11    1 0xffffffff84354000    11aa8 dummynet.ko

Steve

wheelhouse20

@stephenw10 said in dell optiplex 3040 issues with aes-ni ?:

kldstat

this is what it gave me.

Id Refs Address Size Name
1 10 0xffffffff80200000 3aed878 kernel
2 1 0xffffffff83cee000 39adb0 zfs.ko
3 2 0xffffffff84089000 9860 opensolaris.ko

stephenw10

Hmm, so it's not loaded. What do you have set in Sys > Adv > Misc for crypto hardware?

Steve

wheelhouse20

@stephenw10 i have it set to AES-NI cpu based acceleration.

stephenw10

Hmm, OK try this:

cat /boot/loader.conf

You should see see the loader line that cause aes-ni to be loaded at boot.

You can also try manually loading it:

kldload aesni.ko

Steve

wheelhouse20

@stephenw10
Shell Output - cat /boot/loader.conf
autoboot_delay="3"
net.link.ifqmaxlen="128"

Shell Output - kldload aesni.ko
kldload: can't load aesni.ko: No such file or directory

maybe its some thing to do with dells bios or not supported.

stephenw10

Hmm try the full path:

kldload /boot/kernel/aesni.ko

You are running 2.5.2 or 2.6 I assume?

Steve

wheelhouse20

@stephenw10 Hello im running 2.6 i tried kldload /boot/kernel/aesni.ko and got this kldload: can't load /boot/kernel/aesni.ko: No such file or directory.
should i do a reinstall to see if it fixes the issue ?

thanks for you help

Paul

wheelhouse20

@stephenw10 i did a reinstall of 2.5.2 on a samsung ssd after playing a round in the bios and it cam up as active in the end , i ve now updated to 2.6 and still is showing as active.

Id Refs Address Size Name
1 20 0xffffffff80200000 3aed878 kernel
2 1 0xffffffff83cee000 3bd370 zfs.ko
3 2 0xffffffff840ac000 a448 opensolaris.ko
4 1 0xffffffff84321000 1000 cpuctl.ko
5 1 0xffffffff84322000 2150 acpi_wmi.ko
6 1 0xffffffff84325000 8e10 aesni.ko
7 1 0xffffffff8432e000 bf8 coretemp.ko

Thank you for your help

Paul