
Feature #16755

Feature Request: Log Warning for GELI (.eli) and SafeXcel Driver Conflict on ARM (Netgate 2100)

Added by Jonathan Lee 7 days ago. Updated 6 days ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Hardware / Drivers
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

On the Netgate 2100 (and potentially other ARM-based Marvell Armada 3720 devices) running pfSense Plus (verified on 23.05.01), there is a documented race condition between the GELI (.eli) encrypted swap initialization and the SafeXcel cryptographic driver (safexcel.ko).
When GELI is enabled for swap in /etc/fstab, it often initializes before the SafeXcel driver can register its cryptographic hooks with the Open Crypto Framework (OCF). This results in the SafeXcel hardware being "attached" but "inactive" for VPN offloading, forcing the system to fall back to software encryption without notifying the user.

Request:
Implement a kernel- or system-level check during the boot sequence, or parse the fstab file afterwards to check for .eli entries. If both SafeXcel and GELI swap are enabled, and SafeXcel fails to register its algorithms (AES-CBC, SHA, etc.), a clear warning should be generated in the System Logs (dmesg/clog).

Example Warning Message:
"WARNING: SafeXcel hardware accelerator failed to register algorithms. This is likely due to a resource conflict with GELI encrypted swap. Hardware acceleration for VPN may be disabled."

"WARNING: Some ciphers are locked into armv8crypto for use with .eli for the encrypted swap partition"

Benefit:
This would save users and support staff hours of troubleshooting "invisible" hardware acceleration failures where the driver appears loaded (kldstat) but the hardware interrupts remain at zero during traffic.

Workaround currently used:
Disabling GELI swap and adding hint.armv8crypto.0.disabled="1" to loader.conf.local
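The following is an added example, not pfSense or Netgate code, of the userland check the request above describes: it looks for a GELI-encrypted swap entry in fstab, then treats a SafeXcel device that is attached but has serviced zero interrupts as the "loaded but inactive" condition and emits a warning. It assumes the stock FreeBSD output format of `vmstat -i` (interrupt name, total, rate) and that `sysctl dev.safexcel.0.%driver` succeeds only when the device attached; the fstab and vmstat samples embedded in it are constructed, not captured from a device.

```shell
#!/bin/sh
# Added example (not pfSense code): userland check for GELI-encrypted swap in
# /etc/fstab combined with a SafeXcel accelerator that is attached but idle.
# Assumptions: stock FreeBSD `vmstat -i` output (name, total, rate columns)
# and `sysctl dev.safexcel.0.%driver` as the attach test. Sample data below
# is constructed for offline use, not captured from a Netgate 2100.

# fstab_eli_swap FILE
# Prints the device of every swap entry in FILE whose name ends in ".eli";
# returns 0 if at least one exists, 1 otherwise. Comments/blank lines skipped.
fstab_eli_swap() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $3 == "swap" && $1 ~ /\.eli$/ { print $1; found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# irq_total FILE DRIVER
# Sums the "total" column of saved `vmstat -i` output over every interrupt
# line mentioning DRIVER (e.g. "safexcel"); prints 0 when none is present.
irq_total() {
    awk -v drv="$2" '
        $0 ~ drv { total += $(NF-1) }
        END { print total + 0 }
    ' "$1"
}

# check_crypto_offload FSTAB VMSTAT_FILE DRIVER
# Returns 0 when there is nothing to report; prints a warning and returns 1
# when GELI swap is configured and DRIVER has handled zero interrupts.
check_crypto_offload() {
    fstab=$1
    vmstat_file=$2
    drv=$3
    eli=$(fstab_eli_swap "$fstab") || return 0   # no GELI swap: nothing to flag
    irqs=$(irq_total "$vmstat_file" "$drv")
    if [ "$irqs" -eq 0 ]; then
        printf 'WARNING: %s attached but has serviced 0 interrupts while GELI swap (%s) is active; hardware crypto offload may be inactive\n' \
            "$drv" "$(printf '%s' "$eli" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# run_live: the real check on a FreeBSD/pfSense box, logging through
# logger(1) so the message lands in the system log. Invoked with --live only.
run_live() {
    drv=safexcel
    sysctl -n "dev.${drv}.0.%driver" >/dev/null 2>&1 || return 0  # not attached
    tmp=$(mktemp) || return 2
    vmstat -i > "$tmp"
    rc=0
    if ! msg=$(check_crypto_offload /etc/fstab "$tmp" "$drv"); then
        logger -p kern.warning -t crypto-offload-check "$msg"
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample inputs (not from a real device).
SAMPLE_FSTAB='# Device           Mountpoint  FStype  Options  Dump  Pass#
/dev/ufs/rootfs     /           ufs     rw       1     1
/dev/gpt/swap0.eli  none        swap    sw       0     0
'
SAMPLE_VMSTAT_IDLE='interrupt                          total       rate
gic0,s8: safexcel0                     0          0
gic0,s9: mvneta0                   48213         12
Total                              48213         12
'
SAMPLE_VMSTAT_BUSY='interrupt                          total       rate
gic0,s8: safexcel0                 91044        230
Total                              91044        230
'

# run_sample VMSTAT_TEXT
# Writes the sample fstab and the given vmstat text to temp files, runs the
# check against them and returns its exit status.
run_sample() {
    f=$(mktemp) && v=$(mktemp) || return 2
    printf '%s' "$SAMPLE_FSTAB" > "$f"
    printf '%s' "$1" > "$v"
    check_crypto_offload "$f" "$v" safexcel
    rc=$?
    rm -f "$f" "$v"
    return $rc
}

if [ "${1-}" = "--live" ]; then
    run_live
else
    run_sample "$SAMPLE_VMSTAT_IDLE"   # prints the warning, status 1
    run_sample "$SAMPLE_VMSTAT_BUSY"   # silent, status 0
fi
```

Counting interrupts is a proxy, not proof, that the OCF hooks registered: a box with no crypto traffic since boot will also show zero. Run it after pushing some VPN traffic, or complement it with the kernel-side "driver registered zero algorithms" warning the reporter asks for, which this userland script cannot observe.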

Actions #1

Updated by Jim Pingle 7 days ago

  • Status changed from New to Rejected

We do not officially support GELI encryption, users choosing to use it are doing so at their own risk.

Actions #2

Updated by Jonathan Lee 6 days ago

Thanks for the clarification, I understand that GELI is not part of the supported configuration.

That said, the behavior observed here is not specific to GELI itself, but rather that a crypto driver can attach successfully while failing to register any algorithms with the crypto framework, without any indication to the user. This makes it difficult to distinguish between a functional and non-functional hardware accelerator.

Even outside of GELI use, having some visibility (e.g., a warning when a driver registers zero algorithms) could help with diagnosing hardware crypto issues more generally.

I appreciate you taking a look regardless.

Actions #3

Updated by Jonathan Lee 6 days ago

Again, thank you for the clarification regarding GELI support.

I understand that GELI-encrypted swap is not officially supported in pfSense. My experience was that, because FreeBSD itself does support GELI, it was reasonable to assume it could be used here. This discrepancy caused confusion: the SafeXcel hardware appeared loaded, but encryption offload was inactive, and it took significant time to pinpoint that GELI swap was interacting with hardware crypto resources.

Even if GELI usage remains unsupported, adding a warning or log message when a crypto driver attaches but fails to register algorithms could help users and support staff more quickly identify similar issues in the future.

Proposed warning:

WARNING: Using GELI-encrypted swap with hardware crypto is unsupported
and may cause instability or loss of hardware acceleration functionality.
