The purpose of this article is to find out whether ESXi is able to detect AES / AES-NI (in the case of Intel) when it has been enabled in the BIOS.
VMware ESXi 7.x, 8.x
To find out whether ESXi is detecting AES from the BIOS, run the following command to obtain bit 25 of ECX:
esxcli hardware cpu cpuid raw list -c 0
Below is an example output:
Leaf        Subleaf     EAX         EBX         ECX         EDX
----------  ----------  ----------  ----------  ----------  ----------
0x00000000  0x00000000  0x0000000d  0x68747541  0x444d4163  0x69746e65
0x00000001  0x00000000  0x00800f11  0x00080800  0x7ed8320b  0x178bfbff
...
The flag is bit 25 in ECX of leaf 1: take the ECX column in the row with leaf=1, subleaf=0, and check bit 25 (where the low-order bit is bit 0).
In the above example, 0x7ed8320b & (1 << 25) is nonzero, i.e. after converting from hexadecimal to binary, bit 25 counted from the right side (starting at bit 0) is 1, so AES-NI is available on this host.
If the value of the bit is 0, that means AES is not detected and needs to be enabled from the BIOS.
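The same check can be scripted. The following is an added example, not part of the original article or of VMware tooling: it reads the command's output on standard input, picks the ECX column for leaf=1, subleaf=0 and tests bit 25. The function names and the SAMPLE_FROM_PAGE variable are assumptions made for illustration; the sample rows are the ones shown above.

```shell
#!/bin/sh
# Added example (not VMware code). Intended use on a host:
#   esxcli hardware cpu cpuid raw list -c 0 | aesni_status

# Print the ECX column of the leaf=1, subleaf=0 row read from stdin.
# Prints nothing if the row is missing or ECX is not a hex value.
leaf1_ecx() {
    awk '$1 == "0x00000001" && $2 == "0x00000000" {
             if ($5 ~ /^0x[0-9a-fA-F]+$/) print $5
             exit
         }'
}

# Read the cpuid raw listing on stdin and test bit 25 of ECX.
# Exit status: 0 = bit set (AES-NI detected), 1 = bit clear,
#              2 = leaf 1 row not found or malformed.
aesni_status() {
    ecx=$(leaf1_ecx)
    if [ -z "$ecx" ]; then
        echo "leaf=1, subleaf=0 row not found in input" >&2
        return 2
    fi
    # Low-order bit is bit 0, so the mask for bit 25 is (1 << 25).
    if [ $(( $ecx & (1 << 25) )) -ne 0 ]; then
        echo "ECX=$ecx: bit 25 is 1, AES-NI detected"
        return 0
    fi
    echo "ECX=$ecx: bit 25 is 0, AES-NI not detected"
    return 1
}

# Sample input: the example output rows shown in this article.
SAMPLE_FROM_PAGE='Leaf        Subleaf     EAX         EBX         ECX         EDX
----------  ----------  ----------  ----------  ----------  ----------
0x00000000  0x00000000  0x0000000d  0x68747541  0x444d4163  0x69746e65
0x00000001  0x00000000  0x00800f11  0x00080800  0x7ed8320b  0x178bfbff'

# Demonstration on the sample rows.
printf '%s\n' "$SAMPLE_FROM_PAGE" | aesni_status
```

The distinct exit statuses let a wrapper script tell "bit clear" apart from "could not parse the output".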
References:
"Detecting AES Instructions" section on page 21 of the Intel documentation: Intel(R) Advanced Encryption Standard (AES) New Instructions Set White Paper
"Table D-1. Feature Flags for Instruction / Instruction Subset Support" section on page 596 of the AMD documentation: AMD64 Architecture Programmer's Manual, Volumes 1-5
"AES-NI Support" section on page 13 of the vSphere Performance Best Practices documentation.