I'm trying to set up a new system using EFI + GELI + UFS2 + encrypted root, with GELI configured to use AES-XTS 256 and HMAC/SHA256. After dd'ing over areas of the disk (start/end, to set up initial HMACs) and then newfs'ing, I noticed that GELI was not using hardware crypto, but software. After some reading on the forums here, I found that to get hardware crypto to work one has to detach, kldload aesni, and then reattach. This 'worked' in the sense that GELI now shows it's using hardware crypto; however, upon reattaching I got numerous "Failed to authenticate _____ bytes of data at offset ____." messages printed to the console.

This seems quite odd to me, as I would think the hardware and software crypto should produce identical results, differing only in the speed they achieve them. To double check things, I detached the partition, ran kldunload aesni, and reattached with software crypto again. No messages this time, so the HMACs were still valid with software (as that was being used when the data was written), and invalid when I switched to hardware.

Any idea why this would happen? Can anyone else replicate this?