General question about AES-NI

Crotalus


#1
Please don't throw me off, but I have a question about the base FreeBSD system. pfSense has announced that a future release will require a processor that is AES-NI compatible. It could be next year. The current pfSense version is based on FreeBSD 11.1-RELEASE-p6. My processor for that system is not AES-NI compatible. I have a 2.3 GHz, 2-core, 2 MB cache Celeron G1840, LGA1150, that works quite well for my home with very little power draw.

Does FreeBSD use the AES-NI instruction set? If so, what use do they make of it? Could this also be a FreeBSD requirement in the future?

Just a little curious.
 

Crotalus


#3
I understand the encryption concept. So I take it that the FreeBSD kernel does not use the instruction set. Only applications that might need the instruction set, and then the driver has to be installed in order to use them.

It appears that the Linux core has it built in where FreeBSD does not.
 

lebarondemerde


#4
I do not completely understand what you mean, but you can rebuild the kernel with aesni(4) built in instead of loading it as a module if you prefer.

This is a dedicated hardware encryption accelerator built into most modern x86 processors. It basically accelerates the supported encryption algorithms.

So, if you need to use AES-XTS (for instance) for something like an encrypted swap slice, and your processor has AES-NI hardware which does support that cipher, that encryption-decryption process will be handled by the AES-NI built-in hardware - and a lot faster than by the processor itself.

I do not know anything about pfSense but I guess they are trying to drop old hardware by enforcing AES-NI to be able to push some more "secure" (more encryption) features.
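
An added example, not part of any post in this thread: a POSIX sh check for the two conditions discussed above, namely whether the CPU advertises AES-NI and whether the aesni(4) driver has attached. The function names and sample boot messages are constructed for illustration, and the `aesni0:` attach line format is an assumption about what the driver prints.

```shell
#!/bin/sh
# Classify AES-NI status from FreeBSD boot messages (added example).
# On a real host: aesni_status "$(cat /var/run/dmesg.boot)"

# Succeeds if the CPU "Features2=0x...<FLAG,FLAG,...>" line lists AESNI.
# Anchored so the separate "AMD Features2=" line is not parsed by mistake.
cpu_has_aesni() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*Features2=/ {
            sub(/^[^<]*</, ""); sub(/>.*$/, "")
            n = split($0, flags, ",")
            for (i = 1; i <= n; i++) if (flags[i] == "AESNI") found = 1
        }
        END { exit !found }'
}

# Succeeds if aesni(4) attached, whether loaded as a module or compiled in.
# Assumption: the driver announces itself on a line starting with "aesni0: ".
driver_attached() {
    printf '%s\n' "$1" | grep -q '^aesni0: '
}

# Prints one of: unsupported | available | active
aesni_status() {
    if ! cpu_has_aesni "$1"; then
        echo unsupported      # CPU lacks the instructions; no driver can help
    elif driver_attached "$1"; then
        echo active           # instructions present and driver attached
    else
        echo available        # instructions present, driver not attached
    fi
}

# Constructed sample inputs (hex masks are placeholders, not real CPU values).
SAMPLE_NO_AESNI='CPU: Constructed sample CPU (2300.00-MHz K8-class CPU)
  Features2=0x00000000<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE>
  AMD Features2=0x00000000<LAHF,ABM>'
SAMPLE_AVAILABLE='CPU: Constructed sample CPU (2300.00-MHz K8-class CPU)
  Features2=0x00000000<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE>'
SAMPLE_ACTIVE="$SAMPLE_AVAILABLE
aesni0: <AES-CBC,AES-XTS,AES-GCM,AES-ICM> on motherboard"

for sample in "$SAMPLE_NO_AESNI" "$SAMPLE_AVAILABLE" "$SAMPLE_ACTIVE"; do
    aesni_status "$sample"
done
```

When the result is `available`, `kldload aesni` loads the driver for the running system and `aesni_load="YES"` in `/boot/loader.conf` loads it at boot.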
 