[dpdk-users] Question on H/W acceleration (using Intel QAT Card) via the openssl (libcrypto* Sample Patch applied)
Chinmaya Dwibedy
ckdwibedy at gmail.com
Mon Jun 13 15:57:19 CEST 2016
Hi,
I have installed strongswan-5.4.0 on two VMs (Fedora20). I configured one to
be the IKE initiator and the other to be the IKE responder. Note that each VM
has exclusive access to an Intel QAT card (PCI pass-through mode).
I have configured, built and installed the latest Intel driver
(qatmux.l.2.6.0-60) (downloaded from
https://01.org/packet-processing/intel%C2%AE-quickassist-technology-drivers-and-patches)
on both the VMs. I started the driver, checked it via #service qat_service
status, and found that it detects 1 acceleration device(s) in the system.
[root@vpn-server openssl-async]# service qat_service status
There is 1 acceleration device(s) in the system:
icp_dev0 - type=dh895xcc, inst_id=0, node_id=0, bdf=00:05:0, #accel=6,
#engines=12, state=up
[root@vpn-server openssl-async]#
[root@vpn-server openssl-async]# lspci -nn | grep 0435
00:05.0 Co-processor [0b40]: Intel Corporation Coleto Creek PCIe Endpoint
[8086:0435]
[root@vpn-server openssl-async]#
The system log (#dmesg) shows the following:
[22962.608222] Reading config file.
[22962.610567] Starting acceleration device icp_dev0.
[22962.611441] Resetting device icp_dev0
[22962.746049] qat_1_6_adf 0000:00:05.0: irq 45 for MSI/MSI-X
[22962.746069] qat_1_6_adf 0000:00:05.0: irq 46 for MSI/MSI-X
[22962.746085] qat_1_6_adf 0000:00:05.0: irq 47 for MSI/MSI-X
[22962.746102] qat_1_6_adf 0000:00:05.0: irq 48 for MSI/MSI-X
[22962.746118] qat_1_6_adf 0000:00:05.0: irq 49 for MSI/MSI-X
[22962.746135] qat_1_6_adf 0000:00:05.0: irq 50 for MSI/MSI-X
[22962.746151] qat_1_6_adf 0000:00:05.0: irq 51 for MSI/MSI-X
[22962.746167] qat_1_6_adf 0000:00:05.0: irq 52 for MSI/MSI-X
[22962.746183] qat_1_6_adf 0000:00:05.0: irq 53 for MSI/MSI-X
[22962.746200] qat_1_6_adf 0000:00:05.0: irq 54 for MSI/MSI-X
[22962.746216] qat_1_6_adf 0000:00:05.0: irq 55 for MSI/MSI-X
[22962.746232] qat_1_6_adf 0000:00:05.0: irq 56 for MSI/MSI-X
[22962.746250] qat_1_6_adf 0000:00:05.0: irq 57 for MSI/MSI-X
[22962.746267] qat_1_6_adf 0000:00:05.0: irq 58 for MSI/MSI-X
[22962.746283] qat_1_6_adf 0000:00:05.0: irq 59 for MSI/MSI-X
[22962.746301] qat_1_6_adf 0000:00:05.0: irq 60 for MSI/MSI-X
[22962.746321] qat_1_6_adf 0000:00:05.0: irq 61 for MSI/MSI-X
[22962.746337] qat_1_6_adf 0000:00:05.0: irq 62 for MSI/MSI-X
[22962.746353] qat_1_6_adf 0000:00:05.0: irq 63 for MSI/MSI-X
[22962.746372] qat_1_6_adf 0000:00:05.0: irq 64 for MSI/MSI-X
[22962.746389] qat_1_6_adf 0000:00:05.0: irq 65 for MSI/MSI-X
[22962.746405] qat_1_6_adf 0000:00:05.0: irq 66 for MSI/MSI-X
[22962.746421] qat_1_6_adf 0000:00:05.0: irq 67 for MSI/MSI-X
[22962.746437] qat_1_6_adf 0000:00:05.0: irq 68 for MSI/MSI-X
[22962.746453] qat_1_6_adf 0000:00:05.0: irq 69 for MSI/MSI-X
[22962.746469] qat_1_6_adf 0000:00:05.0: irq 70 for MSI/MSI-X
[22962.746485] qat_1_6_adf 0000:00:05.0: irq 71 for MSI/MSI-X
[22962.746501] qat_1_6_adf 0000:00:05.0: irq 72 for MSI/MSI-X
[22962.746517] qat_1_6_adf 0000:00:05.0: irq 73 for MSI/MSI-X
[22962.746533] qat_1_6_adf 0000:00:05.0: irq 74 for MSI/MSI-X
[22962.746549] qat_1_6_adf 0000:00:05.0: irq 75 for MSI/MSI-X
[22962.746565] qat_1_6_adf 0000:00:05.0: irq 76 for MSI/MSI-X
[22962.746583] qat_1_6_adf 0000:00:05.0: irq 77 for MSI/MSI-X
[22963.563548] Started AE 0
[22963.564401] Started AE 1
[22963.564657] Started AE 2
[22963.564919] Started AE 3
[22963.565184] Started AE 4
[22963.565438] Started AE 5
[22963.565689] Started AE 6
[22963.565947] Started AE 7
[22963.566210] Started AE 8
[22963.566463] Started AE 9
[22963.566713] Started AE 10
[22963.566980] Started AE 11
I also downloaded the libcrypto* Sample Patch for Intel® QuickAssist
Technology (from the aforesaid web link), and configured, built and installed
OpenSSL on both the VMs. I verified that the installation is correct, as it
displays the added engine with (qat) as the name.
[root@vpn-client openssl-async]# ./apps/openssl engine
(rsax) RSAX engine support
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(qat) Reference implementation of QAT crypto engine
(gost) Reference implementation of GOST engine
[root@vpn-client openssl-async]#
[root@vpn-client openssl-async]# lsmod | grep qa
qat_mem 13358 0
icp_qa_al 1425346 1
[root@vpn-client openssl-async]#
[root@vpn-client openssl-async]# openssl
OpenSSL> version
OpenSSL 1.0.1m 19 Mar 2015 - QAT package 0.4.9-009
OpenSSL>
I have used the following flags, i.e. --disable-gmp --enable-openssl (to
benefit from acceleration), while configuring strongswan. Upon running
Charon, I found that the Child SA (ESP) is getting established. I have not
sent any traffic through the ESP tunnel.
[root@vpn-client openssl-async]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.4.0, Linux
3.12.9-301.fc20.x86_64, x86_64):
uptime: 47 minutes, since Jun 13 13:01:47 2016
malloc: sbrk 2428928, mmap 0, used 360048, free 2068880
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
pem openssl fips-prf xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
socket-default stroke vici updown xauth-generic error-notify
Listening IP addresses:
10.0.151.23
Connections:
vpn_c: 10.0.151.23...10.0.151.22 IKEv2
vpn_c: local: [10.0.151.23] uses pre-shared key authentication
vpn_c: remote: [10.0.151.22] uses pre-shared key authentication
vpn_c: child: dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
vpn_c[1]: ESTABLISHED 47 minutes ago,
10.0.151.23[10.0.151.23]...10.0.151.22[10.0.151.22]
vpn_c[1]: IKEv2 SPIs: c8b3468a8f6eeb92_i* dc0a64d1e308b957_r,
rekeying disabled
vpn_c[1]: IKE proposal:
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
vpn_c{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c52cae74_i
c5099dc5_o
vpn_c{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
disabled
vpn_c{1}: 10.0.151.23/32 === 10.0.151.22/32
[root@vpn-client openssl-async]#
So here are my questions:
1) How can I confirm whether signaling traffic (not data traffic)
encryption gets accelerated or not?
2) How can I measure the benefit of acceleration?
Regards,
Chinmaya
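
An added example, not part of the original message: a small parser for the `ipsec statusall` output above that reports which loaded plugin would serve each transform of the IKE proposal, as a first check on whether the openssl plugin (and so the QAT engine behind libcrypto) is on the path at all. It assumes that charon uses the earliest plugin in the load list that offers an algorithm, and that the plugin-to-algorithm table in the code is accurate; both are assumptions, not statements from the post.

```python
import re

# Excerpt of the `ipsec statusall` output in the post (mail line-wrapping kept).
STATUSALL = """\
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
pem openssl fips-prf xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
socket-default stroke vici updown xauth-generic error-notify
Listening IP addresses:
vpn_c[1]: IKE proposal:
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
"""

# Assumption (not from the post): software plugins that can also serve each
# transform family; openssl is treated as able to serve all four families.
SOFTWARE_PLUGINS = {
    "AES_CBC": ["aes"],
    "HMAC_SHA2": ["hmac"],
    "PRF_HMAC_SHA2": ["hmac"],
    "MODP": ["gmp"],
}


def parse_statusall(text):
    """Return (plugin load order, IKE proposal transforms) from statusall text."""
    plugins = re.search(r"loaded plugins:(.*?)\n\s*Listening", text, re.S)
    proposal = re.search(r"IKE proposal:\s*(\S+)", text)
    if not plugins or not proposal:
        raise ValueError("statusall output lacks plugin list or IKE proposal")
    return plugins.group(1).split(), proposal.group(1).split("/")


def serving_plugin(text):
    """Map each IKE transform to the earliest-loaded plugin assumed to offer it."""
    order, transforms = parse_statusall(text)
    rank = {name: i for i, name in enumerate(order)}
    result = {}
    for transform in transforms:
        family = next((f for f in SOFTWARE_PLUGINS if transform.startswith(f)), None)
        if family is None:          # transform not covered by the table above
            result[transform] = None
            continue
        loaded = [p for p in SOFTWARE_PLUGINS[family] + ["openssl"] if p in rank]
        result[transform] = min(loaded, key=rank.get) if loaded else None
    return result


if __name__ == "__main__":
    for transform, plugin in serving_plugin(STATUSALL).items():
        print(f"{transform:20} -> {plugin}")
```

For the output in the post this reports aes for AES_CBC_128 and openssl for the HMAC, PRF and MODP_3072 transforms, under the assumptions stated above.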