# FreeBSD 9.0 AES NI support



## lalit (Jan 12, 2011)

Hi all,
I am using intel E5640 Xeon processor which support AESNI features. I have come to know from internet that FreeBSD 9.0 support AESNI. I enable the feature in kernel by adding following lines. 


```
options IPSEC
device crypto
device aesni
```

I tried to run IPSEC using ipsec-tools 0.7.3 but I did not notice any performance gain.

Here are the results:

* without IPSEC throughput over gbps link: 922 Mbps
* with IPSEC (without aesni) AES128 encryption *360-372* Mbps
* with IPSEC (with aesni) AES128 encryption *366-372* Mbps

*dmesg* command show that processor has the feature of aesni enabled.

Am I missing something? Please guide.


----------



## aragon (Jan 12, 2011)

I think you might need to add this to your kernel config too:


```
device cryptodev
```


----------



## lalit (Jan 14, 2011)

*Re. FreeBSD 9.0 AES NI support*

Thanks Aragon for you suggestion. 
I tried that but it did not solve my problem. Please tell me how to know that AESNI driver has successfully loaded? Is there there some other way to specify it in racoon.conf file to let the kernel use it ? Thanks


----------



## aragon (Jan 14, 2011)

lalit said:
			
		

> Please tell me how to know that AESNI driver has successfully loaded? Is there there some other way to specify it in racoon.conf file to let the kernel use it ? Thanks


Do you have a /dev/crypto?  If so, I think you can try the tools in /usr/src/tools/tools/crypto.  If not, your crypto device is probably not being recognised.

On one of my systems I also have this in boot time dmesg:


```
glxsb0: <AMD Geode LX Security Block (AES-128-CBC, RNG)> mem 0xa0000000-0xa0003fff irq 10 at device 1.2 on pci0
```


----------



## lalit (Jan 14, 2011)

aragon said:
			
		

> Do you have a /dev/crypto?  If so, I think you can try the tools in /usr/src/tools/tools/crypto.  If not, your crypto device is probably not being recognised.



Hi Aragon,

Here is output of [CMD=]cryptotest -va aes256[/CMD]

```
session = 0x0
device = aesni0
count = 1024, size = 2048
iv:
0000: 38 6e 33 35 61 37 36 33 74 30 32 6f 36 6f 6a 34
cleartext:
0000: 75 33 6a 62 69 6f 68 65 6e 74 32 21 6e 62 39 69
0010: 6f 61 6f 73 39 38 74 30 68 38 35 39 35 34 75 6a
0020: 37 68 74 37 75 61 39 32 6a 68 6f 74 74 34 73 39
0030: 62 75 30 61 31 74 68 62 34 74 6a 6e 31 34 74 35
cleartext:
0000: 75 33 6a 62 69 6f 68 65 6e 74 32 21 6e 62 39 69
0010: 6f 61 6f 73 39 38 74 30 68 38 35 39 35 34 75 6a
0020: 37 68 74 37 75 61 39 32 6a 68 6f 74 74 34 73 39
0030: 62 75 30 61 31 74 68 62 34 74 6a 6e 31 34 74 35
   0.015 sec,    2048 aes256 crypts,    2048 bytes, 287143424 byte/sec,  2190.7 Mb/sec
```

In device is showing aesni0. It means aesni driver is successfully loaded and being used by encryption algorithm. Then what is reasons for small throughput over IPSEC ?
Please guide if still I am missing something


----------



## sub_mesa (Jan 15, 2011)

I think you should get at least 2GiB/s or 2048MiB/s; not 2000 megabit which is ~274MiB/s. To me this looks like speeds achieved with software AES; not using the AES-NI available in newer Intel CPUs; some benchmarks on these:







URL: http://www.tomshardware.com/reviews/clarkdale-aes-ni-encryption,2538-5.html


----------

