[strongSwan] Question on H/W acceleration (using Intel QAT Card) via the *openssl* plugin

Chinmaya Dwibedy ckdwibedy at yahoo.com
Mon Jun 13 15:53:28 CEST 2016


Hi,


I have installed strongswan-5.4.0 on two VMs (Fedora 20). Configured one to be IKE Initiator and another to be IKE responder. Note that each VM has exclusive access to an Intel QAT card (PCI pass-through mode). I have configured, built and installed the latest Intel driver (qatmux.l.2.6.0-60) (downloaded from https://01.org/packet-processing/intel%C2%AE-quickassist-technology-drivers-and-patches) on both the VMs. Started the driver, checked via #service qat_service status and found that it detects 1 acceleration device(s) in the system.
 
[root at vpn-server openssl-async]# service qat_service status
There is 1 acceleration device(s) in the system:
 icp_dev0 - type=dh895xcc, inst_id=0, node_id=0, bdf=00:05:0, #accel=6, #engines=12, state=up
[root at vpn-server openssl-async]#

[root at vpn-server openssl-async]# lspci -nn | grep 0435
00:05.0 Co-processor [0b40]: Intel Corporation Coleto Creek PCIe Endpoint [8086:0435]
[root at vpn-server openssl-async]#

The system log (#dmesg) shows the below:

[22962.608222] Reading config file.
[22962.610567] Starting acceleration device icp_dev0.
[22962.611441] Resetting device icp_dev0
[22962.746049] qat_1_6_adf 0000:00:05.0: irq 45 for MSI/MSI-X
[22962.746069] qat_1_6_adf 0000:00:05.0: irq 46 for MSI/MSI-X
[22962.746085] qat_1_6_adf 0000:00:05.0: irq 47 for MSI/MSI-X
[22962.746102] qat_1_6_adf 0000:00:05.0: irq 48 for MSI/MSI-X
[22962.746118] qat_1_6_adf 0000:00:05.0: irq 49 for MSI/MSI-X
[22962.746135] qat_1_6_adf 0000:00:05.0: irq 50 for MSI/MSI-X
[22962.746151] qat_1_6_adf 0000:00:05.0: irq 51 for MSI/MSI-X
[22962.746167] qat_1_6_adf 0000:00:05.0: irq 52 for MSI/MSI-X
[22962.746183] qat_1_6_adf 0000:00:05.0: irq 53 for MSI/MSI-X
[22962.746200] qat_1_6_adf 0000:00:05.0: irq 54 for MSI/MSI-X
[22962.746216] qat_1_6_adf 0000:00:05.0: irq 55 for MSI/MSI-X
[22962.746232] qat_1_6_adf 0000:00:05.0: irq 56 for MSI/MSI-X
[22962.746250] qat_1_6_adf 0000:00:05.0: irq 57 for MSI/MSI-X
[22962.746267] qat_1_6_adf 0000:00:05.0: irq 58 for MSI/MSI-X
[22962.746283] qat_1_6_adf 0000:00:05.0: irq 59 for MSI/MSI-X
[22962.746301] qat_1_6_adf 0000:00:05.0: irq 60 for MSI/MSI-X
[22962.746321] qat_1_6_adf 0000:00:05.0: irq 61 for MSI/MSI-X
[22962.746337] qat_1_6_adf 0000:00:05.0: irq 62 for MSI/MSI-X
[22962.746353] qat_1_6_adf 0000:00:05.0: irq 63 for MSI/MSI-X
[22962.746372] qat_1_6_adf 0000:00:05.0: irq 64 for MSI/MSI-X
[22962.746389] qat_1_6_adf 0000:00:05.0: irq 65 for MSI/MSI-X
[22962.746405] qat_1_6_adf 0000:00:05.0: irq 66 for MSI/MSI-X
[22962.746421] qat_1_6_adf 0000:00:05.0: irq 67 for MSI/MSI-X
[22962.746437] qat_1_6_adf 0000:00:05.0: irq 68 for MSI/MSI-X
[22962.746453] qat_1_6_adf 0000:00:05.0: irq 69 for MSI/MSI-X
[22962.746469] qat_1_6_adf 0000:00:05.0: irq 70 for MSI/MSI-X
[22962.746485] qat_1_6_adf 0000:00:05.0: irq 71 for MSI/MSI-X
[22962.746501] qat_1_6_adf 0000:00:05.0: irq 72 for MSI/MSI-X
[22962.746517] qat_1_6_adf 0000:00:05.0: irq 73 for MSI/MSI-X
[22962.746533] qat_1_6_adf 0000:00:05.0: irq 74 for MSI/MSI-X
[22962.746549] qat_1_6_adf 0000:00:05.0: irq 75 for MSI/MSI-X
[22962.746565] qat_1_6_adf 0000:00:05.0: irq 76 for MSI/MSI-X
[22962.746583] qat_1_6_adf 0000:00:05.0: irq 77 for MSI/MSI-X
[22963.563548] Started AE 0
[22963.564401] Started AE 1
[22963.564657] Started AE 2
[22963.564919] Started AE 3
[22963.565184] Started AE 4
[22963.565438] Started AE 5
[22963.565689] Started AE 6
[22963.565947] Started AE 7
[22963.566210] Started AE 8
[22963.566463] Started AE 9
[22963.566713] Started AE 10
[22963.566980] Started AE 11


 
Also downloaded the libcrypto* Sample Patch for Intel® QuickAssist Technology, configured, built and installed OpenSSL on both the VMs. Verified the installation is correct as it displays the added engine with (qat) as the name.


[root at vpn-client openssl-async]# ./apps/openssl engine
(rsax) RSAX engine support
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(qat) Reference implementation of QAT crypto engine
(gost) Reference implementation of GOST engine
[root at vpn-client openssl-async]#

[root at vpn-client openssl-async]# lsmod | grep qa
qat_mem                13358  0
icp_qa_al            1425346  1
[root at vpn-client openssl-async]#

[root at vpn-client openssl-async]# openssl
OpenSSL> version
OpenSSL 1.0.1m 19 Mar 2015 - QAT package 0.4.9-009
OpenSSL>


I have used the following flags, i.e. --disable-gmp --enable-openssl (to benefit from acceleration), while configuring strongswan. Upon running Charon, found that the Child SA (ESP) is getting established. I have not sent any traffic through the ESP tunnel.


 
[root at vpn-client openssl-async]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.4.0, Linux 3.12.9-301.fc20.x86_64, x86_64):
  uptime: 47 minutes, since Jun 13 13:01:47 2016
  malloc: sbrk 2428928, mmap 0, used 360048, free 2068880
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke vici updown xauth-generic error-notify
Listening IP addresses:
  10.0.151.23
Connections:
       vpn_c:  10.0.151.23...10.0.151.22  IKEv2
       vpn_c:   local:  [10.0.151.23] uses pre-shared key authentication
       vpn_c:   remote: [10.0.151.22] uses pre-shared key authentication
       vpn_c:   child:  dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
       vpn_c[1]: ESTABLISHED 47 minutes ago, 10.0.151.23[10.0.151.23]...10.0.151.22[10.0.151.22]
       vpn_c[1]: IKEv2 SPIs: c8b3468a8f6eeb92_i* dc0a64d1e308b957_r, rekeying disabled
       vpn_c[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
       vpn_c{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c52cae74_i c5099dc5_o
       vpn_c{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
       vpn_c{1}:   10.0.151.23/32 === 10.0.151.22/32
[root at vpn-client openssl-async]#


 
So here come my questions:

1) Does strongSwan make use of userland hardware encryption acceleration via the *openssl* plugin?

2) How can I confirm whether signaling traffic (not data traffic) encryption gets accelerated or not?

3) How can I measure the benefit of acceleration?


Regards,

Chinmaya
