pfSense: AES-NI Hardware Crypto Acceleration in KVM


I already mentioned that I'm using pfSense as firewall and router in a KVM guest. I wanted to connect the place where I live with my grandparents' place over a site-to-site VPN using OpenVPN. For this purpose I bought a PcEngines APU.1D4. In a test in my local gigabit LAN, HD streaming over the tunnel was very slow, but the APU.1D4 was not the bottleneck.

No delegation of hardware features

I found the bottleneck on my KVM host system. The CPU configured for the pfSense machine was the generic QEMU CPU model. I had configured this for most machines to reduce the overhead of simulating a "real" CPU. But the QEMU CPU model is not capable of passing host CPU features like AES-NI, SSE, etc. through to the guest.

I changed the setting to emulate a "Sandy Bridge" processor, which the guest then recognizes as an E3 processor.

After a reboot, dmesg reported the following:

After the switch nearly all CPU features of the host system are available in the FreeBSD-based guest, including the AES-NI feature we need. You can test with OpenSSL whether the AES-NI feature can be used:

The cryptodev kernel module (at least that's what it is called in the BSD environment) can be used by OpenSSL. But before we can start another speed test we have to tell pfSense to use the hardware features.
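The check described above (does the guest see the AESNI flag, and did the aesni driver attach) as an added shell example, not part of the original article. It works on the text that FreeBSD's `dmesg` prints: the CPUID bits appear as `Features2=0x...<...,AESNI,...>` and the driver announces itself with an `aesni0: <...> on motherboard` line. The two dmesg dumps embedded below are constructed for offline use (model strings and hex values are invented); on a real pfSense guest pipe the real `dmesg` output into the same functions.

```shell
#!/bin/sh
# Added example (not from the original article): classify a FreeBSD/pfSense
# guest by whether it sees the AESNI CPU flag and whether aesni(4) attached.

# Exit 0 if the dmesg-style text on stdin lists AESNI in the CPUID feature set.
# FreeBSD prints the bits as:  Features2=0x...<SSE3,...,AESNI,...>
has_aesni_flag() {
    grep -q 'Features2=.*[<,]AESNI[,>]'
}

# Exit 0 if the aesni(4) driver attached. It only probes successfully when the
# flag is present, so this is the stronger of the two checks.
aesni_driver_attached() {
    grep -q '^aesni[0-9]*: <'
}

# Classify one dmesg dump (passed as a string). Prints: ok | flag-only | missing
#   ok        - flag visible and driver attached: hardware AES is usable
#   flag-only - flag visible but no driver: load aesni.ko / enable it in pfSense
#   missing   - the guest CPU model hides AES-NI (typical for the generic QEMU CPU)
classify_guest() {
    dump="$1"
    if printf '%s\n' "$dump" | has_aesni_flag; then
        if printf '%s\n' "$dump" | aesni_driver_attached; then
            echo ok
        else
            echo flag-only
        fi
    else
        echo missing
    fi
}

# Constructed sample: what a guest on the generic QEMU CPU model typically shows
# (no AESNI in Features2, no aesni0 line). Values are invented.
QEMU_DMESG='CPU: QEMU Virtual CPU version 2.0.0 (3400.00-MHz K8-class CPU)
  Features=0x783fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,SSE2>
  Features2=0x80802001<SSE3,CX16,POPCNT,HV>'

# Constructed sample: after switching the guest to a host-like CPU model.
# Model string and hex values are invented; the flag list shape is FreeBSD's.
HOSTMODEL_DMESG='CPU: Intel(R) Xeon(R) CPU E3 (constructed) (3300.00-MHz K8-class CPU)
  Features=0x783fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,SSE2>
  Features2=0xfffa3203<SSE3,PCLMULQDQ,SSSE3,CX16,SSE4.1,SSE4.2,x2APIC,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,HV>
aesni0: <AES-CBC,AES-XTS,AES-GCM,AES-ICM> on motherboard'

# Demo on the constructed samples; on a real guest use:  dmesg | has_aesni_flag
echo "generic QEMU CPU : $(classify_guest "$QEMU_DMESG")"
echo "host-like model  : $(classify_guest "$HOSTMODEL_DMESG")"
```

With libvirt the CPU model switch the article describes is made in the domain XML (`virsh edit <domain>`), either with a named model such as `<cpu mode='custom' match='exact'><model fallback='allow'>SandyBridge</model></cpu>` or by passing the host's feature set through with `<cpu mode='host-model'/>`; for a raw QEMU command line the equivalent is `-cpu host`. A result of `missing` after such a change usually means the host itself lacks the flag or the guest was not fully powered off and restarted.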

pfSense settings

You may have to tell pfSense to use hardware acceleration; at least in my setup the change was not recognised automatically. In the web GUI select System -> Advanced -> Miscellaneous and, in the section "Cryptographic Hardware Acceleration", choose "AES-NI CPU-based Acceleration (aesni)", then save the changes.

After a reboot, every service that uses cryptographic functions should use AES-NI.

Speedtest

The speed test afterwards was done with AES-128-CBC, because that's what I wanted to use for my VPN. The results are pretty awesome:

Without EVP API:

With EVP API:

Now the bottleneck was gone and speeds up to 120 MBit/s were possible.
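The "without EVP" versus "with EVP" comparison above as an added shell example, not part of the original article. Only `openssl speed -evp aes-128-cbc` goes through the EVP layer and therefore through the engine/cryptodev path that AES-NI accelerates; plain `openssl speed aes-128-cbc` measures the software implementation, which is why the two numbers differ so much on an AES-NI box. The functions parse the table that `openssl speed` prints (the non-EVP line is labelled `aes-128 cbc`, the EVP line `aes-128-cbc`) and compare the largest-block column. The two sample outputs embedded below are constructed with invented numbers so the script runs offline; `run_live` is the function to call on a real pfSense guest.

```shell
#!/bin/sh
# Added example (not from the original article): compare the software AES path
# with the EVP/engine path of "openssl speed" and report the speed-up.

# Read "openssl speed" output on stdin and print the throughput of the largest
# block size (last column, in 1000s of bytes per second) as an integer.
# Matches both "aes-128 cbc" (non-EVP run) and "aes-128-cbc" (-evp run).
throughput_8k() {
    awk '($1 == "aes-128-cbc") || ($1 == "aes-128" && $2 == "cbc") {
             sub(/k$/, "", $NF); printf "%d\n", $NF + 0; exit
         }'
}

# Ratio of two throughputs, one decimal place (e.g. 4.6).
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.1f\n", a / b }'
}

# Convert 1000s of bytes per second to whole Mbit/s, for comparison with
# line rates such as the 120 MBit/s the article measured over the VPN.
kbytes_to_mbit() {
    awk -v k="$1" 'BEGIN { printf "%d\n", k * 8 / 1000 }'
}

# Compare two captured outputs (software first, EVP second); prints the speed-up.
compare_samples() {
    sw=$(printf '%s\n' "$1" | throughput_8k)
    hw=$(printf '%s\n' "$2" | throughput_8k)
    speedup "$hw" "$sw"
}

# On a real box: run both benchmarks and print a one-line summary.
run_live() {
    sw_out=$(openssl speed aes-128-cbc 2>/dev/null)
    hw_out=$(openssl speed -evp aes-128-cbc 2>/dev/null)
    sw=$(printf '%s\n' "$sw_out" | throughput_8k)
    hw=$(printf '%s\n' "$hw_out" | throughput_8k)
    echo "software: ${sw}k ($(kbytes_to_mbit "$sw") Mbit/s)  evp: ${hw}k ($(kbytes_to_mbit "$hw") Mbit/s)  speedup: $(compare_samples "$sw_out" "$hw_out")x"
}

# Constructed sample output of "openssl speed aes-128-cbc" (numbers invented).
SW_OUT=$(cat <<'EOF'
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc     101234.56k   112345.67k   115678.90k   116789.01k   117234.50k
EOF
)

# Constructed sample output of "openssl speed -evp aes-128-cbc" (numbers invented).
EVP_OUT=$(cat <<'EOF'
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     401234.56k   498765.43k   523456.78k   536789.01k   540123.45k
EOF
)

echo "constructed samples: EVP path is $(compare_samples "$SW_OUT" "$EVP_OUT")x faster"
```

Call `run_live` after the pfSense setting above is saved and the box rebooted; if the EVP figure is no higher than the software one, the engine path is not using AES-NI, which is exactly the symptom the article hit before changing the guest CPU model.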

Further Reading:

Update: 2015-06-09

The dashboard in the web GUI now shows the available crypto hardware features:

