[dpdk-users] Question on H/W acceleration (using Intel QAT Card) via the openssl (libcrypto* Sample Patch applied)

Chinmaya Dwibedy ckdwibedy at gmail.com
Mon Jun 13 15:57:19 CEST 2016
Previous message: [dpdk-users] hash lookup docs
Next message: [dpdk-users] Issue with ipsec-secgw sample application on VM using Intel QAT device (pass-through mode)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,


I have installed strongswan-5.4.0 on  two VMs (Fedora20). Configured one to
be IKE Initiator and another to be IKE responder. Note that, each VM has an
exclusive access to an Intel QAT card (PCI pass-through mode).

I have configured, build  and   installed latest Intel driver
(qatmux.l.2.6.0-60) (downloaded from
https://01.org/packet-processing/intel%C2%AE-quickassist-technology-drivers-and-patches)
on both the VMs.  Started the driver and checked via #service qat_service
status and found that, it detects 1 acceleration device(s) in the system.



[root at vpn-server openssl-async]# service qat_service status

There is 1 acceleration device(s) in the system:

 icp_dev0 - type=dh895xcc, inst_id=0, node_id=0,  bdf=00:05:0, #accel=6,
#engines=12, state=up

[root at vpn-server openssl-async]#



[root at vpn-server openssl-async]# lspci -nn | grep 0435

00:05.0 Co-processor [0b40]: Intel Corporation Coleto Creek PCIe Endpoint
[8086:0435]

[root at vpn-server openssl-async]#



The system log (#dmesg) shows the below

[22962.608222] Reading config file.

[22962.610567] Starting acceleration device icp_dev0.

[22962.611441] Resetting device icp_dev0

[22962.746049] qat_1_6_adf 0000:00:05.0: irq 45 for MSI/MSI-X

[22962.746069] qat_1_6_adf 0000:00:05.0: irq 46 for MSI/MSI-X

[22962.746085] qat_1_6_adf 0000:00:05.0: irq 47 for MSI/MSI-X

[22962.746102] qat_1_6_adf 0000:00:05.0: irq 48 for MSI/MSI-X

[22962.746118] qat_1_6_adf 0000:00:05.0: irq 49 for MSI/MSI-X

[22962.746135] qat_1_6_adf 0000:00:05.0: irq 50 for MSI/MSI-X

[22962.746151] qat_1_6_adf 0000:00:05.0: irq 51 for MSI/MSI-X

[22962.746167] qat_1_6_adf 0000:00:05.0: irq 52 for MSI/MSI-X

[22962.746183] qat_1_6_adf 0000:00:05.0: irq 53 for MSI/MSI-X

[22962.746200] qat_1_6_adf 0000:00:05.0: irq 54 for MSI/MSI-X

[22962.746216] qat_1_6_adf 0000:00:05.0: irq 55 for MSI/MSI-X

[22962.746232] qat_1_6_adf 0000:00:05.0: irq 56 for MSI/MSI-X

[22962.746250] qat_1_6_adf 0000:00:05.0: irq 57 for MSI/MSI-X

[22962.746267] qat_1_6_adf 0000:00:05.0: irq 58 for MSI/MSI-X

[22962.746283] qat_1_6_adf 0000:00:05.0: irq 59 for MSI/MSI-X

[22962.746301] qat_1_6_adf 0000:00:05.0: irq 60 for MSI/MSI-X

[22962.746321] qat_1_6_adf 0000:00:05.0: irq 61 for MSI/MSI-X

[22962.746337] qat_1_6_adf 0000:00:05.0: irq 62 for MSI/MSI-X

[22962.746353] qat_1_6_adf 0000:00:05.0: irq 63 for MSI/MSI-X

[22962.746372] qat_1_6_adf 0000:00:05.0: irq 64 for MSI/MSI-X

[22962.746389] qat_1_6_adf 0000:00:05.0: irq 65 for MSI/MSI-X

[22962.746405] qat_1_6_adf 0000:00:05.0: irq 66 for MSI/MSI-X

[22962.746421] qat_1_6_adf 0000:00:05.0: irq 67 for MSI/MSI-X

[22962.746437] qat_1_6_adf 0000:00:05.0: irq 68 for MSI/MSI-X

[22962.746453] qat_1_6_adf 0000:00:05.0: irq 69 for MSI/MSI-X

[22962.746469] qat_1_6_adf 0000:00:05.0: irq 70 for MSI/MSI-X

[22962.746485] qat_1_6_adf 0000:00:05.0: irq 71 for MSI/MSI-X

[22962.746501] qat_1_6_adf 0000:00:05.0: irq 72 for MSI/MSI-X

[22962.746517] qat_1_6_adf 0000:00:05.0: irq 73 for MSI/MSI-X

[22962.746533] qat_1_6_adf 0000:00:05.0: irq 74 for MSI/MSI-X

[22962.746549] qat_1_6_adf 0000:00:05.0: irq 75 for MSI/MSI-X

[22962.746565] qat_1_6_adf 0000:00:05.0: irq 76 for MSI/MSI-X

[22962.746583] qat_1_6_adf 0000:00:05.0: irq 77 for MSI/MSI-X

[22963.563548] Started AE 0

[22963.564401] Started AE 1

[22963.564657] Started AE 2

[22963.564919] Started AE 3

[22963.565184] Started AE 4

[22963.565438] Started AE 5

[22963.565689] Started AE 6

[22963.565947] Started AE 7

[22963.566210] Started AE 8

[22963.566463] Started AE 9

[22963.566713] Started AE 10

[22963.566980] Started AE 11



Also downloaded the libcrypto* Sample Patch for Intel® QuickAssist
Technology (from the aforesaid web link) , configured, build and installed
OpenSSL on both the VMs. Verified the installation is correct as it
displays added engine with (qat) as the name.



[root at vpn-client openssl-async]# ./apps/openssl engine

(rsax) RSAX engine support

(rdrand) Intel RDRAND engine

(dynamic) Dynamic engine loading support

(4758cca) IBM 4758 CCA hardware engine support

(aep) Aep hardware engine support

(atalla) Atalla hardware engine support

(cswift) CryptoSwift hardware engine support

(chil) CHIL hardware engine support

(nuron) Nuron hardware engine support

(sureware) SureWare hardware engine support

(ubsec) UBSEC hardware engine support

(qat) Reference implementation of QAT crypto engine

(gost) Reference implementation of GOST engine

[root at vpn-client openssl-async]#

[root at vpn-client openssl-async]# lsmod | grep qa

qat_mem                13358  0

icp_qa_al            1425346  1

[root at vpn-client openssl-async]#

[root at vpn-client openssl-async]# openssl

OpenSSL> version

OpenSSL 1.0.1m 19 Mar 2015 - QAT package 0.4.9-009

OpenSSL>


I have used the following flags i.e. --disable-gmp --enable-openssl (to
benefit from acceleration)  while configuring strongswan. Upon running
Charon found that , Child SA (ESP) is getting established.  I have not sent
any traffic through ESP tunnel.



[root at vpn-client openssl-async]# ipsec statusall

Status of IKE charon daemon (strongSwan 5.4.0, Linux
3.12.9-301.fc20.x86_64, x86_64):

  uptime: 47 minutes, since Jun 13 13:01:47 2016

  malloc: sbrk 2428928, mmap 0, used 360048, free 2068880

  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0

  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
pem openssl fips-prf xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
socket-default stroke vici updown xauth-generic error-notify

Listening IP addresses:

  10.0.151.23

Connections:

       vpn_c:  10.0.151.23...10.0.151.22  IKEv2

       vpn_c:   local:  [10.0.151.23] uses pre-shared key authentication

       vpn_c:   remote: [10.0.151.22] uses pre-shared key authentication

       vpn_c:   child:  dynamic === dynamic TUNNEL

Security Associations (1 up, 0 connecting):

       vpn_c[1]: ESTABLISHED 47 minutes ago,
10.0.151.23[10.0.151.23]...10.0.151.22[10.0.151.22]

       vpn_c[1]: IKEv2 SPIs: c8b3468a8f6eeb92_i* dc0a64d1e308b957_r,
rekeying disabled

       vpn_c[1]: IKE proposal:
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072

       vpn_c{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c52cae74_i
c5099dc5_o

       vpn_c{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
disabled

       vpn_c{1}:   10.0.151.23/32 === 10.0.151.22/32

[root at vpn-client openssl-async]#



So here come my questions:

1)      How can I confirm that singling traffic (not data traffic)
encryption gets  accelerated or not ?

2)      How can I measure the benefit of acceleration?

Regards,

Chinmaya
Previous message: [dpdk-users] hash lookup docs
Next message: [dpdk-users] Issue with ipsec-secgw sample application on VM using Intel QAT device (pass-through mode)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the users mailing list