Intel i5 2410M - no hardware crypto

MorgothV8

MorgothV8

Hi, I have a question with my new Lenovo E320 laptop.
I've changed CPU to i5 2410M (there was i3 2310M).
This i5 have AES-NI instructions set, but crypto module says:
Code: 
[justa@lap ~]$ uname -a
FreeBSD lap 11.0-CURRENT FreeBSD 11.0-CURRENT #0: Mon Oct 19 21:19:44 CEST 2015     root@lap:/usr/src/sys/amd64/compile/ZI  amd64
[justa@lap ~]$ dmesg | grep AES
Features2=0x1fbae3bf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX>
aesni0: <AES-CBC,AES-XTS,AES-GCM,AES-ICM> on motherboard
GEOM_ELI: Encryption: AES-XTS 256
GEOM_ELI: Encryption: AES-XTS 128
[justa@lap ~]$ dmesg | grep crypto
cryptosoft0: <software crypto> on motherboard
[justa@lap ~]$

Why is it "software crypto" not "hardware crypto" ??

Last time I had i5 on PC, with FreeBSD 9.X - it was detected as "hardware crypto" AFAIK
Can I do something with that?

Best Regards

Full dmesg.txt attached.
 

Attachments

MorgothV8 said:
Hi, I have a question with my new Lenovo E320 laptop.

Why is it "software crypto" not "hardware crypto" ??

Last time I had i5 on PC, with FreeBSD 9.X - it was dectected as "hardware crypto" AFAIK
Can I do something with that?

Best Regards

Full dmesg.txt attached
Click to expand...

Via motherboads also had a hardware crytographic capabilities there has been concern about "backdoors"
FreeBSD hardware crypto
 
Does it mean that I **cannot** use HW crypto from i5 on FreeBSD, or that it is not 100% safe and I can enable it by setting some special flag (Like kernel compilation option)?
 
MorgothV8 said:
Hi, I have a question with my new Lenovo E320 laptop.
I've changed CPU to i5 2410M (there was i3 2310M).
This i5 have AES-NI instructions set, but crypto module says:
Code: 
[justa@lap ~]$ uname -a
FreeBSD lap 11.0-CURRENT FreeBSD 11.0-CURRENT #0: Mon Oct 19 21:19:44 CEST 2015     root@lap:/usr/src/sys/amd64/compile/ZI  amd64
[justa@lap ~]$ dmesg | grep AES
Features2=0x1fbae3bf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX>
aesni0: <AES-CBC,AES-XTS,AES-GCM,AES-ICM> on motherboard
GEOM_ELI: Encryption: AES-XTS 256
GEOM_ELI: Encryption: AES-XTS 128
[justa@lap ~]$ dmesg | grep crypto
cryptosoft0: <software crypto> on motherboard
[justa@lap ~]$

Why is it "software crypto" not "hardware crypto" ??

Last time I had i5 on PC, with FreeBSD 9.X - it was dectected as "hardware crypto" AFAIK
Can I do something with that?

Best Regards

Full dmesg.txt attached
Click to expand...
I think you are fine. There always is a cryptosoft0 device for the algorithms that aesni0 does not support. See crypto(9):
Drivers register with the framework the algorithms they support, and provide entry
points (functions) the framework may call to establish, use, and tear
down sessions.
Click to expand...
 
Hmm, I'm 100% sure, I saw message "HARDWARE crypto" not "sortware crypto" on 9.X about 1,5 year ago, that was on PC not laptop and it was with desktop not mobile i5.
But that should not matter IMHO - current i5 has AES-NI - reported by kernel.
 
Grepping your dmesg output I get this:
Code: 
$ grep -i hardware ~/Downloads/dmesg.txt
GEOM_ELI:     Crypto: hardware
GEOM_ELI:     Crypto: hardware
 
Hmm OK one seems to be software and another hardware....
I'll try to make something like
/dev/md0.eli - and make stress test against unencrypted /dev/md0.
If such tricks are possible at all.
 
Hmm tested geli on raw md0 and here are results:
Code: 
[root@lap /home/justa]# mdconfig -a -t swap -s 10G
md0
[root@lap /home/justa]# dd if=/dev/md0 of=/dev/null bs=64M
160+0 records in
160+0 records out
10737418240 bytes transferred in 4.641164 secs (2313518476 bytes/sec)
[root@lap /home/justa]# geli init /dev/md0
Enter new passphrase:
Reenter new passphrase:
[root@lap /home/justa]# geli attach /dev/md0
Enter passphrase:
[root@lap /home/justa]# dd if=/dev/md0.eli of=/dev/null bs=64M
159+1 records in
159+1 records out
10737417728 bytes transferred in 35.368506 secs (303586974 bytes/sec)
[root@lap /home/justa]# geli detach /dev/md0
So RAM md0 --> null: 2,3 G/s
Encrypted RAM --> null: 303 M/s
And indeed it says GEOM_ELI: hardware, while "crypto software" on mother board.
Seems all is OK, 303 M/s is rather more that disk speed, so I'm ok with that i5 now.
 
MorgothV8, tobik is correct. You are using the AES-NI instructions on your CPU. From your dmesg(8) output:
Code: 
[...]
GEOM_ELI: Device ada0s1d.eli created.
GEOM_ELI: Encryption: AES-XTS 256
GEOM_ELI:  Crypto: hardware
[...]
GEOM_ELI: Device ada0s1b.eli created.
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI:  Crypto: hardware
[...]
tobik is also correct that the software cryptography device would be used for any algorithm not supported by the AES-NI instructions which, perhaps unsurprisingly, is anything that isn't AES including the cryptographic functions DES, 3DES and Blowfish or the hashing functions MD5, SHA1 and SHA2. Note this means if you enable data integrity verification on your GELI containers (which uses hashing functions) you will likely notice a drop in performance.
 
There is no drop.
I've installed system again from scratch - bacause previous setup was only for test.
I've enabled copies=3 atime=off compression=on dedup=off on bootpool (no geli)
On rest of the pool there is copies=1 compression=lz4 atime=off dedup=on (with geli)
Swap is the same size as RAM (16G) and is geli encrypted.
Already configured lot of ports and packages.
Only none of kde/gnome related are working due to dbus error (didn't investigated it yet), use fvwm as window manage and chromium as a browser.
BTW: I got used to Mac "Terminal.app" and xterm/rxvt is too "raw" for me (I mean I cannot copy+paste from chrome for instance), there is no right click menu for it etc etc.
Can You recommend some light weight terminal app with tabs, copy/paste (global - not only to another terminal by middle click), transparency and other cool things?
Terminal app choose is quiteimportant, it is my most used app of all the time (and then VIM)
 
worldi said:
According to Intel the i5-2410M does not support AES-NI.
Click to expand...
Apparently it's an optional feature that can be enabled by the OEM (found on http://www.cpu-world.com/CPUs/Core_i5/Intel-Core i5 Mobile i5-2410M AV8062700845406.html):
AES/AES-NI instructions are supported on i5-2410M (and i5-2415M) CPU if OEM provides processor configuration update via updated OEM BIOS.
Click to expand...

MorgothV8 said:
xterm/rxvt is too "raw" for me
Click to expand...
You should look at x11/rxvt-unicode again, because it does support transparency, tabs, and copy/paste (keys are Ctrl+Alt+c and Ctrl+Alt+v). The Arch Linux Wiki has a nice overview of what's possible with it: https://wiki.archlinux.org/index.php/Rxvt-unicode
 
I saw on intel page that i5-2410M doesn't support AES-NI, I saw on wiki that it does after bios upgrade.
Now I see on my own hardware it does.
 
You must log in or register to reply here.
Back
Top