Feature #16755
Feature Request: Log Warning for GELI (.eli) and SafeXcel Driver Conflict on ARM (Netgate 2100)
Status: closed
Done: 0%
Description:
On the Netgate 2100 (and potentially other ARM-based Marvell Armada 3720 devices) running pfSense Plus (verified on 23.05.01), there is a documented race condition between the GELI (.eli) encrypted swap initialization and the SafeXcel cryptographic driver (safexcel.ko).
When GELI is enabled for swap in /etc/fstab, it often initializes before the SafeXcel driver can register its cryptographic hooks with the Open Crypto Framework (OCF). This results in the SafeXcel hardware being "attached" but "inactive" for VPN offloading, forcing the system to fall back to software encryption without notifying the user.
Request:
Implement a kernel- or system-level check during the boot sequence, or parse the fstab file afterwards to check for .eli entries. If both SafeXcel and GELI swap are enabled, and SafeXcel fails to register its algorithms (AES-CBC, SHA, etc.), a clear warning should be generated in the System Logs (dmesg/clog).
Example Warning Message:
"WARNING: SafeXcel hardware accelerator failed to register algorithms. This is likely due to a resource conflict with GELI encrypted swap. Hardware acceleration for VPN may be disabled."
"WARNING: Some ciphers are locked into armv8crypto for use with .eli for encrypted swap partition"
Benefit:
This would save users and support staff hours of troubleshooting "invisible" hardware acceleration failures where the driver appears loaded (kldstat) but the hardware interrupts remain at zero during traffic.
Workaround currently used:
Disabling GELI swap and adding hint.armv8crypto.0.disabled="1" to loader.conf.local.