Hi,
I have installed strongswan-5.4.0 on two VMs (Fedora 20). Configured one to be IKE Initiator and another to be IKE responder. Note that each VM has exclusive access to an Intel QAT card (PCI pass-through mode). I have configured, built and installed the latest Intel driver (qatmux.l.2.6.0-60) (downloaded from https://01.org/packet-processing/intel%C2%AE-quickassist-technology-drivers-and-patches) on both the VMs. Started the driver and checked via #service qat_service status and found that it detects 1 acceleration device(s) in the system.

[root@vpn-server openssl-async]# service qat_service status
There is 1 acceleration device(s) in the system:
 icp_dev0 - type=dh895xcc, inst_id=0, node_id=0, bdf=00:05:0, #accel=6, #engines=12, state=up
[root@vpn-server openssl-async]#
[root@vpn-server openssl-async]# lspci -nn | grep 0435
00:05.0 Co-processor [0b40]: Intel Corporation Coleto Creek PCIe Endpoint [8086:0435]
[root@vpn-server openssl-async]#

The system log (#dmesg) shows the below:

[22962.608222] Reading config file.
[22962.610567] Starting acceleration device icp_dev0.
[22962.611441] Resetting device icp_dev0
[22962.746049] qat_1_6_adf 0000:00:05.0: irq 45 for MSI/MSI-X
[22962.746069] qat_1_6_adf 0000:00:05.0: irq 46 for MSI/MSI-X
[22962.746085] qat_1_6_adf 0000:00:05.0: irq 47 for MSI/MSI-X
[22962.746102] qat_1_6_adf 0000:00:05.0: irq 48 for MSI/MSI-X
[22962.746118] qat_1_6_adf 0000:00:05.0: irq 49 for MSI/MSI-X
[22962.746135] qat_1_6_adf 0000:00:05.0: irq 50 for MSI/MSI-X
[22962.746151] qat_1_6_adf 0000:00:05.0: irq 51 for MSI/MSI-X
[22962.746167] qat_1_6_adf 0000:00:05.0: irq 52 for MSI/MSI-X
[22962.746183] qat_1_6_adf 0000:00:05.0: irq 53 for MSI/MSI-X
[22962.746200] qat_1_6_adf 0000:00:05.0: irq 54 for MSI/MSI-X
[22962.746216] qat_1_6_adf 0000:00:05.0: irq 55 for MSI/MSI-X
[22962.746232] qat_1_6_adf 0000:00:05.0: irq 56 for MSI/MSI-X
[22962.746250] qat_1_6_adf 0000:00:05.0: irq 57 for MSI/MSI-X
[22962.746267] qat_1_6_adf 0000:00:05.0: irq 58 for MSI/MSI-X
[22962.746283] qat_1_6_adf 0000:00:05.0: irq 59 for MSI/MSI-X
[22962.746301] qat_1_6_adf 0000:00:05.0: irq 60 for MSI/MSI-X
[22962.746321] qat_1_6_adf 0000:00:05.0: irq 61 for MSI/MSI-X
[22962.746337] qat_1_6_adf 0000:00:05.0: irq 62 for MSI/MSI-X
[22962.746353] qat_1_6_adf 0000:00:05.0: irq 63 for MSI/MSI-X
[22962.746372] qat_1_6_adf 0000:00:05.0: irq 64 for MSI/MSI-X
[22962.746389] qat_1_6_adf 0000:00:05.0: irq 65 for MSI/MSI-X
[22962.746405] qat_1_6_adf 0000:00:05.0: irq 66 for MSI/MSI-X
[22962.746421] qat_1_6_adf 0000:00:05.0: irq 67 for MSI/MSI-X
[22962.746437] qat_1_6_adf 0000:00:05.0: irq 68 for MSI/MSI-X
[22962.746453] qat_1_6_adf 0000:00:05.0: irq 69 for MSI/MSI-X
[22962.746469] qat_1_6_adf 0000:00:05.0: irq 70 for MSI/MSI-X
[22962.746485] qat_1_6_adf 0000:00:05.0: irq 71 for MSI/MSI-X
[22962.746501] qat_1_6_adf 0000:00:05.0: irq 72 for MSI/MSI-X
[22962.746517] qat_1_6_adf 0000:00:05.0: irq 73 for MSI/MSI-X
[22962.746533] qat_1_6_adf 0000:00:05.0: irq 74 for MSI/MSI-X
[22962.746549] qat_1_6_adf 0000:00:05.0: irq 75 for MSI/MSI-X
[22962.746565] qat_1_6_adf 0000:00:05.0: irq 76 for MSI/MSI-X
[22962.746583] qat_1_6_adf 0000:00:05.0: irq 77 for MSI/MSI-X
[22963.563548] Started AE 0
[22963.564401] Started AE 1
[22963.564657] Started AE 2
[22963.564919] Started AE 3
[22963.565184] Started AE 4
[22963.565438] Started AE 5
[22963.565689] Started AE 6
[22963.565947] Started AE 7
[22963.566210] Started AE 8
[22963.566463] Started AE 9
[22963.566713] Started AE 10
[22963.566980] Started AE 11

Also downloaded the libcrypto* Sample Patch for Intel® QuickAssist Technology, configured, built and installed OpenSSL on both the VMs. Verified the installation is correct as it displays the added engine with (qat) as the name.

[root@vpn-client openssl-async]# ./apps/openssl engine
(rsax) RSAX engine support
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(qat) Reference implementation of QAT crypto engine
(gost) Reference implementation of GOST engine
[root@vpn-client openssl-async]#
[root@vpn-client openssl-async]# lsmod | grep qa
qat_mem 13358 0
icp_qa_al 1425346 1
[root@vpn-client openssl-async]#
[root@vpn-client openssl-async]# openssl
OpenSSL> version
OpenSSL 1.0.1m 19 Mar 2015 - QAT package 0.4.9-009
OpenSSL>

I have used the following flags, i.e. --disable-gmp --enable-openssl (to benefit from acceleration), while configuring strongswan. Upon running charon, I found that the Child SA (ESP) is getting established. I have not sent any traffic through the ESP tunnel.

[root@vpn-client openssl-async]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.4.0, Linux 3.12.9-301.fc20.x86_64, x86_64):
  uptime: 47 minutes, since Jun 13 13:01:47 2016
  malloc: sbrk 2428928, mmap 0, used 360048, free 2068880
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke vici updown xauth-generic error-notify
Listening IP addresses:
  10.0.151.23
Connections:
  vpn_c: 10.0.151.23...10.0.151.22 IKEv2
  vpn_c: local: [10.0.151.23] uses pre-shared key authentication
  vpn_c: remote: [10.0.151.22] uses pre-shared key authentication
  vpn_c: child: dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
  vpn_c[1]: ESTABLISHED 47 minutes ago, 10.0.151.23[10.0.151.23]...10.0.151.22[10.0.151.22]
  vpn_c[1]: IKEv2 SPIs: c8b3468a8f6eeb92_i* dc0a64d1e308b957_r, rekeying disabled
  vpn_c[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
  vpn_c{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c52cae74_i c5099dc5_o
  vpn_c{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
  vpn_c{1}: 10.0.151.23/32 === 10.0.151.22/32
[root@vpn-client openssl-async]#

So here come my questions:

1) Does strongSwan make use of userland hardware encryption acceleration via the *openssl* plugin?
2) How can I confirm whether signaling traffic (not data traffic) encryption gets accelerated or not?
3) How can I measure the benefit of acceleration?

Regards,
Chinmaya
