Netgate Discussion Forum

    How to validate that pfSense SG-2440 uses AES-NI?

    • laped

      Running the following command doesn't list the AES-NI hardware engine like I expected:

      [2.2.2-RELEASE][root@pfSense.localdomain]/root: openssl engine
      (cryptodev) BSD cryptodev engine
      (rsax) RSAX engine support
      (rdrand) Intel RDRAND engine
      (dynamic) Dynamic engine loading support

      If I grep dmesg, I can see that AES-NI is detected.

      [2.2.2-RELEASE][root@pfSense.localdomain]/root: dmesg | grep -B10 -A10 aes
      da0: <Generic Ultra HS-COMBO 1.98> Removable Direct Access SCSI-0 device
      da0: Serial Number 000000225001
      da0: 40.000MB/s transfers
      da0: 3648MB (7471104 512 byte sectors: 255H 63S/T 465C)
      da0: quirks=0x2<NO_6_BYTE>
      SMP: AP CPU #1 Launched!
      Timecounter "TSC" frequency 1750043526 Hz quality 1000
      Trying to mount root from ufs:/dev/ufsid/554a2fc78b92e8b2 [rw]…
      WARNING: /: TRIM flag on fs but disk does not support TRIM
      padlock0: No ACE support.
      aesni0: <AES-CBC,AES-XTS,AES-GCM> on motherboard
      igb0: link state changed to UP
      bridge0: link state changed to UP
      igb1: promiscuous mode enabled
      igb2: promiscuous mode enabled
      igb3: promiscuous mode enabled
      pflog0: promiscuous mode enabled
      igb2: link state changed to UP
      igb1: link state changed to UP
      igb1: link state changed to DOWN
      igb1: link state changed to UP

      The AES-NI module is selected on the website, so I am unsure if it is used.

      So how can I validate this?

      Regards
      Lars Pedersen

      • jimp Rebel Alliance Developer Netgate

        With the aesni.ko module loaded it's part of cryptodev.

        : openssl engine -t -c
        (cryptodev) BSD cryptodev engine
         [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
             [ available ]
        (rsax) RSAX engine support
         [RSA]
             [ available ]
        (rdrand) Intel RDRAND engine
         [RAND]
             [ available ]
        (dynamic) Dynamic engine loading support
             [ unavailable ]
        
        

        OpenSSL on its own will find it and use it internally but that can be a bit more difficult to identify.

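The two checks from this thread (the aesni0 line in dmesg and the cryptodev entry in `openssl engine -t -c`) combined into one script. This is an added example, not part of either post; the function names are hypothetical and the sample text is copied from the outputs quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): parse the two outputs discussed above.
# Function names are hypothetical; sample text is copied from the posts.

# stdin: dmesg text. Succeeds if an aesni device attached with AES modes.
aesni_attached() { grep -Eq '^aesni[0-9]+: <.*AES'; }

# stdin: `openssl engine -t -c` output. Prints the AES ciphers the cryptodev
# engine advertises, one per line; fails if the engine is not "[ available ]".
cryptodev_aes_ciphers() {
    awk '
        /^ *\(/ { in_cd = ($1 == "(cryptodev)"); next }  # engine header
        in_cd && /\[ *available *\]/ { ok = 1; next }     # -t result
        in_cd && /^ *\[/ { caps = $0 }                    # -c capability list
        END {
            if (!ok) exit 1
            gsub(/\[|\]| /, "", caps)
            n = split(caps, c, ",")
            for (i = 1; i <= n; i++)
                if (c[i] ~ /^AES-/) { print c[i]; found = 1 }
            exit (found ? 0 : 1)
        }'
}

# $1: dmesg text, $2: engine listing. Returns 1 or 2 to say which check failed.
check_aesni() {
    printf '%s\n' "$1" | aesni_attached ||
        { echo "no aesni device in dmesg"; return 1; }
    ciphers=$(printf '%s\n' "$2" | cryptodev_aes_ciphers) ||
        { echo "cryptodev engine unavailable or offers no AES"; return 2; }
    echo "aesni attached; cryptodev offers:" $ciphers
}

sample_dmesg() { cat <<'EOF'
padlock0: No ACE support.
aesni0: <AES-CBC,AES-XTS,AES-GCM> on motherboard
EOF
}
sample_engines() { cat <<'EOF'
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
EOF
}

check_aesni "$(sample_dmesg)" "$(sample_engines)"
# On the firewall: check_aesni "$(dmesg)" "$(openssl engine -t -c)"
```

A pass shows that the kernel driver attached and that cryptodev offers AES; it does not show which path a given OpenSSL consumer takes, which jimp's reply notes is harder to identify.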