intel / qat_engine Goto Github PK

Intel QuickAssist Technology( QAT) OpenSSL Engine (an OpenSSL Plug-In Engine) which provides cryptographic acceleration for both hardware and optimized software using Intel QuickAssist Technology enabled Intel platforms. https://developer.intel.com/quickassist

License: BSD 3-Clause "New" or "Revised" License

C 96.69% eC 0.01% Makefile 0.25% M4 0.87% Shell 0.39% SourcePawn 1.79%

openssl-engine

qat_engine's Introduction

Intel® QuickAssist Technology(QAT) OpenSSL* Engine

Intel® QuickAssist Technology OpenSSL* Engine (QAT_Engine) supports acceleration for both hardware as well as optimized software based on vectorized instructions. This change starting with the 3rd Generation Intel® Xeon® Scalable Processors family provides users more options to accelerate their workloads. The QAT OpenSSL* engine now supports the ability to accelerate from the stand OpenSSL* to basic Intel instruction set, to either Hardware acceleration path (via the qat_hw path) or via the optimized SW path (qat_sw lib). This document details the capabilities and interfaces for both internal libraries which maintaining the cohesiveness of being all packaged up with the QAT_Engine.

The image below illustrates the high-level software architecture of the QAT_Engine. Applications such as NGINX and HAProxy are common applications which interfaces to OpenSSL*. OpenSSL* is a toolkit for TLS/SSL protocols and has developed a modular system to plugin device-specific engines starting with version 1.1.0. As mentioned above, within the QAT_Engine are two separate internal entities by which acceleration can be performed. Depending on your particular use case, the QAT_Engine can be configured to meet your specific acceleration needs. This document details the capabilities of the QAT engine as well as the limitations. Both the hardware and software requirements are explained followed by detailed instructions how to install QAT_Engine. If you have any issues integrating the QAT_Engine, we’ve added a troubleshooting section.

Features

Features of the QAT_Engine are described here.

Limitations and Known Issues

Limitations and known issues for the QAT_Engine are described here.

Requirements

Installation Instructions

Installation consists of the following:

Install Prerequisites

Switch to Build the Intel® QuickAssist Technology OpenSSL* Engine - Example 5 and use the make depend target to clone and build the latest compatible versions of the dependant libraries automatically based on the target in the QAT Engine build configure.

qat_hw Prerequisites

Install the Intel® QuickAssist Technology Driver using instructions from the Getting Started Guide

Platform	Getting Started Guide
Intel® Xeon® with Intel® C62X Series Chipset Intel® Atom™ Processor with Intel&reg C3xx series Intel® Communications Chipset 8925 to 8955 Series	Intel® QAT Software for Linux* - Getting Started Guide Hardware v1.x CE Release
Intel® Xeon® Scalable Processor family with Intel® QAT Gen4/Gen4m	Intel® QAT Software for Linux* - Getting Started Guide Hardware v2.0

Other technical collaterals of the Intel® QuickAssist Technology driver can be found in the below page.

Intel® QuickAssist Technology

Contiguous memory driver

The Intel® QAT API requires many of the data structures (those that will be passed to the hardware) to be allocated in contiguous pinned memory in order to support DMA operations. You must either supply your own contiguous memory driver and make changes to the engine to make use of it or use one of the following drivers:

User Space DMA-able Memory (USDM) Component

The Intel® QAT Driver for QAT_HW comes with its own contiguous pinned memory driver that is compatible with the Intel® QAT OpenSSL* Engine. The USDM component is of a higher quality than the qat_contig_mem driver provided within the Intel® QAT OpenSSL* Engine, and is the preferred option. The USDM component is used by the Intel® QAT Driver itself, and also has the following additional features:

Support for virtualization
Support for configurable slab sizes
Support for configurable secure freeing of memory (overwrite with zeros)
Support for configurable slab caching
Support for newer kernels
Support for thread specific memory to avoid locks (QAT_HW Version 1.7 & 1.8 only)

The USDM component is located within the Intel® QAT Driver for QAT_HW source code in the following subdirectory: quickassist/utilities/libusdm_drv. As the USDM component is also used by the QAT_HW driver itself it will have already been built when the driver was built. It may also already be loaded as well, and you can check by running lsmod and looking for usdm_drv in the list. If not present it can be loaded as follows:

modprobe usdm_drv.ko

The USDM thread specific memory can be enabled in QAT_HW driver using the below configure flags in driver build which is only needed for multithreaded application for performance improvement. This is supported from version 4.20 of QAT_HW Version 1.7 driver only.

./configure --enable-icp-thread-specific-usdm --enable-128k-slab

Note: See Limitations and Known Issues for multithreaded limitations, including performance with OpenSSL.

Example contiguous memory driver - qat_contig_mem

This step is not required if using the default USDM driver above. The Intel® QAT OpenSSL* Engine comes with an example kernel space contiguous memory driver that can be used to try out operation of the engine. It is considered to be an example only and is not written to be a production quality driver. The use of the qat_contig_mem driver can be enabled using the configure option --enable-qat_hw_contig_mem that tells the build that the Intel® QAT OpenSSL* Engine should be compiled to use the qat_contig_mem component instead of the USDM memory driver above.

Building and loading the qat_contig_mem driver assuming:

The Intel® QAT OpenSSL* Engine was cloned to its own location at the root of the drive: /.

To build/install the qat_contig_mem driver follow these steps:

cd /QAT_Engine/qat_contig_mem
make
make load
make test

The expected output from make test should be something similar to the following:

seg mapped to 0x7f9eedd6e000, virtualAddress in seg 0xffff880ac9c0c000,
length 64
Hello world!
# PASS Verify for QAT Contig Mem Test

Shared Virtual Memory

QAT gen4 devices(4xxx) supports Shared Virtual Memory (SVM) that allows the use of unpinned user space memory avoiding the memcpy of buffers to pinned contiguous memory. The SVM support in the driver enables passing of virtual addresses to the QAT hardware for processing acceleration requests, i.e. addresses are the same virtual addresses used in the calling process supporting Zero-copy. This Support in the QAT Engine can be enabled dynamically by setting SvmEnabled = 1 and ATEnabled = 1 in the QAT PF and VF device's driver config file(s) along with other prerequistes mentioned below.

Prerequisites

The Following parameter needs to be enabled in BIOS and is supported only in QAT gen4 devices.

Support for Shared Virtual Memory with Intel IOMMU
Enable VT-d
Enable ATS

qat_sw Prerequisites

Verify qat_sw components are installed as described in Software requirements

Install OpenSSL* (Note this step is not required if OpenSSL* is already installed)

Build OpenSSL*

This step is not required if building the Intel® QAT OpenSSL* Engine against system prebuilt OpenSSL* . When using the prebuild system OpenSSL library the engine library is installed in the system OpenSSL engines directory.

Clone OpenSSL* from Github* at the following location:

git clone https://github.com/openssl/openssl.git

It is recommended to checkout and build against the OpenSSL* git tag specified in the Software Requirements section.

Due to the nature of the Intel® QAT OpenSSL* Engine being a dynamic engine it can only be used with shared library builds of OpenSSL*.

Note: It is not recommended to install the accelerated version of OpenSSL* as your default system library. If you do, you may find that acceleration is used unexpectedly by other applications on the system resulting in undesired/unsupported behaviour. The --prefix can be used with the ./config command to specify the location that make install will copy files to. Please see the OpenSSL* INSTALL file for full details on usage of the --prefix option.

With OpenSSL* version 1.1.0 and on, binaries are installed in standard directories by default, and the addition of runpath directories is not done automatically. If you wish to install OpenSSL* in a non-standard location (recommended), the runpath directories can be specified via the OpenSSL* Configure command, which recognises the arguments -rpath and -R to support user-added rpaths. For convenience, a Makefile variable LIBRPATH has also been added which is defined as the full path to a subdirectory of the installation directory. The subdirectory is named lib by default. If you do not wish to use LIBRPATH, the rpath can be specified directly. The syntax for specifying a rpath is as follows:

./config [options] -Wl,-rpath,\${LIBRPATH}

The -rpath can be replaced with -R for brevity. If you do not wish to use the built-in variable LIBRPATH, the syntax for specifying a rpath of /usr/local/ssl/lib for example would be:

./config [options] -Wl,-rpath,/usr/local/ssl/lib

Alternatively, you can specify the rpath by adding it to the environment variable LD_LIBRARY_PATH via the command:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:`RPATH`

where RPATH is the full path(s) to the shared libraries. This is not the preferred method though. ` The following example is assuming:

The OpenSSL* source was cloned from Github* to its own location at the root of the drive: /.
You want OpenSSL* to be installed to /usr/local/ssl.

An example build would be:

cd /openssl
./config --prefix=/usr/local/ssl -Wl,-rpath,\${LIBRPATH}
make depend (if recommended by the OpenSSL* build system)
make
make install

As the Intel® QAT OpenSSL* Engine will be built as a dynamic engine it is important to tell OpenSSL* where to find the dynamic engines at runtime. This is achieved by exporting the following environment variable (assuming the example paths above):

OpenSSL 1.1.1: export OPENSSL_ENGINES=/usr/local/ssl/lib/engines-1.1

OpenSSL 3.0: export OPENSSL_ENGINES=/usr/local/ssl/lib64/engines-3

Note: This variable will need to be present in the environment whenever the engine is used and not needed when provider is used.

Load/Initialize Engine using the OpenSSL* config file is located here

Further information on building OpenSSL* can be found in the INSTALL file distributed with the OpenSSL* source code or on the official OpenSSL* Wiki in the Compilation and Installation section: https://wiki.openssl.org/index.php/Compilation_and_Installation

Build the Intel® QuickAssist Technology OpenSSL* Engine

Clone the Github* repository containing the Intel® QAT OpenSSL* Engine:

git clone https://github.com/intel/QAT_Engine.git

When building it is possible to specify command line options that can be used to turn engine functionality on and off. The complete list of these options is available here.

The prerequisite to run autogen.sh is to have autotools (autoconf, automake, libtool and pkg-config) installed in the system.

cd /QAT_Engine
./autogen.sh

./autogen.sh will regenerate autoconf tools files.

Example Builds

Here are a few example builds that demonstrate how the Intel® QAT OpenSSL* Engine can be configured to use qat_hw and/or qat_sw.

Example 1: qat_hw target with OpenSSL\* built from source

The following example is assuming:

The Intel® QAT OpenSSL* Engine was cloned to its own location at the root of the drive: /.
The Intel® QAT Driver version 1.7 or 2.0 was unpacked within /QAT and using the USDM component.
OpenSSL* built from source is being used and installed to /usr/local/ssl.

To build and install the Intel® QAT OpenSSL* Engine:

cd /QAT_Engine
./configure \
--with-qat_hw_dir=/QAT \
--with-openssl_install_dir=/usr/local/ssl
make
make install

In the above example this will create the file qatengine.so and copy it to /usr/local/ssl/lib64/engines-3.

For building QAT Engine against qatlib(intree driver) from source which is installed to default location "/usr/local" use --with-qat_hw_dir=/usr/local or provide the path that is used in the prefix to build qatlib.

If qatlib is installed via RPM (both library and development headers) then -with-qat_hw_dir is not needed as qatengine automatically picks qatlib libraries and headers from the default location /usr/lib64.

Example 2: qat_hw target with Prebuilt OpenSSL\*

The following example is assuming:

The Intel® QAT OpenSSL* Engine was cloned to its own location at the root of the drive: /.
The Intel® QAT Driver was unpacked within /QAT and using the USDM component.
Prebuilt OpenSSL* (both library and devel RPM packages) are installed in the system and the OpenSSL* version is 3.0 or above.

To build and install the Intel® QAT OpenSSL* Engine:

cd /QAT_Engine
./configure  --with-qat_hw_dir=/QAT
make
make install

In the above example this will create the file qatengine.so and copy it to the engines dir of the system which can be checked using pkg-config --variable=enginesdir libcrypto.

Example 3: qat_hw + qat_sw target with Prebuilt OpenSSL\*

The following example is assuming:

The Intel® QAT OpenSSL* Engine was cloned to its own location at the root of the drive: /.
The Intel® QAT Driver was unpacked within /QAT and using the USDM component.
Intel® Multi-Buffer Crypto for IPsec Library was installed to the default path
OpenSSL* built from source is being used and installed to /usr/local/ssl.

To build and install the Intel® QAT OpenSSL* Engine:

cd /QAT_Engine
./configure \
--with-qat_hw_dir=/QAT \
--enable-qat_sw \
--with-openssl_install_dir=/usr/local/ssl
make
make install

In the above example this will create the file qatengine.so and copy it to /usr/local/ssl/lib64/engines-3.
AES-GCM operations are handled by qat_sw
Other cryptographic operations are handled by qat_hw

Example 4: qat_sw target with Prebuilt OpenSSL\*

The following example is assuming:

The Intel® QAT OpenSSL* Engine was cloned to its own location at the root of the drive: /.
The Intel® Crypto Multi-buffer library was installed to the default path (/usr/local).
The Intel® Multi-Buffer crypto for IPsec Library was installed to its default path (/usr/). (Optional if QAT SW AES-GCM support is not needed).
Prebuilt OpenSSL* from the system is used.

To build and install the Intel® QAT OpenSSL* Engine with QAT Software support:

cd /QAT_Engine
./configure --enable-qat_sw
make
make install

In the above example, --disable-qat_hw needs to be provided if the system has qatlib installed. Note : --enable-qat_sw checks crypto_mb and IPSec_MB libraries in its respective default path (/usr/local/lib and /usr/lib) or in the path provided in the config flag --with-qat_sw_crypto_mb_install_dir (for crypto_mb) and --with-qat_sw_ipsec_mb_install_dir (for ipsec_mb). If any of the libraries is not installed then their corresponding algorithm support is disabled (crypto_mb library for PKE algorithms and IPSec_mb library for AES-GCM).

Example 5: Using `make depend` for building dependant libraries and build QAT Engine

This QAT Engine supports building and installing the dependant libraries automatically when the make option make depend is specified before make which clones the latest release of dependant libraries (OpenSSL, QAT_HW(QAT1.7, QAT1.8 & QAT2.0 OOT Linux driver), QAT_SW(ipp-crypto & ipsec_mb) based on the flags enabled in the QAT Engine build configure.

cd /QAT_Engine
git submodule update --init
./configure \
--with-qat_hw_dir=/QAT \  #For QAT_HW supported platforms
--enable-qat_sw \ #For QAT_SW supported platforms
--with-openssl_install_dir=/usr/local/ssl # OpenSSL install path
make depend
make
make install

In the above example this will clone and install QAT Engine(qat_hw + qat_sw) along with their dependant libraries installed in the path specifed for QAT_HW and default path for QAT_SW (/usr/local for ipp-crypto & /usr for ipsec_mb) with qatengine.so library installed in the path /usr/local/ssl/lib64/engines-3. The dependant libaries are built and installed based on the QAT Engine build configure flags provided for qat_hw, qat_sw or qat_hw + qat_sw target using OpenSSL3.0.

Please note make depend target is not supported in FreeBSD OS, Virtualized environment, BoringSSL, BabaSSL and qatlib dependency build. The Dependant library versions used are updated in Software Requirements section and OpenSSL version is latest of 3.0

Enable plock optimization in QAT Engine for Multithread applications

Progressive Lock (plock) optimization in QAT Engine provides an alternative to pthread's rwlock as in Haproxy. This plock is an alternative to read/write locks in the pthread library and optimizes read/write locking with a series of atomic operations and there will be no more syscalls in case of contention. The benefit of plock is that it saves lot of CPU and improves performance with higher number of threads for multithread applications. In case of Haproxy, this can directly enabled in the Haproxy build with addition build flag "USE_PTHREAD_EMULATION=1".

Build Flag to enable plock optimization

QAT Engine generates dynamic libraries and currently enables Plock by preloading.

When compiling the qat engine, add the compilation option --enable-qat_plock, and the libplock.so will be generated. eg: ./configure --enable-qat_sw --enable-qat_plock --with-openssl_install_dir=${OPENSSL_INSTALL_DIR}
Set the environment variable ‘LD_PRELOAD’ to use the plock optimization. eg: export LD_PRELOAD = ${OPENSSL_INSTALL_DIR}/lib/engine-1.1/libplock.so Note: The LD_PRELOAD must be set before launching the multithread Application.

[For BoringSSL only] Build the Intel® QuickAssist Technology BoringSSL* Library

Please refer BoringSSL section for steps to build the Intel® QuickAssist Technology BoringSSL* library which supports RSA and ECDSA QAT Hardware and QAT Software Acceleration using BoringSSL.

Copy the Intel® QuickAssist Technology Driver config file(s)

Copy the Intel® QuickAssist Technology Driver config files for qat_hw

This step is not required for qat_sw target. The Intel® QAT OpenSSL* Engine includes example conf files to use with the Intel® QAT Driver. The Intel® QAT OpenSSL* Engine will not function with the default Intel® QAT Driver conf file because the default conf does not contain a [SHIM] section which the Intel® QAT OpenSSL* Engine requires by default. The default section name in the QAT OpenSSL* Engine can be modified if required by either using the engine ctrl command SET_CONFIGURATION_SECTION_NAME or by setting the environment variable "QAT_SECTION_NAME". The conf files are located at:

/path/to/qat_engine/qat_hw_config

The files are grouped by acceleration device(dh895xcc or c6xx or c3xxx or 200xx or c4xxx or 4xxx), please choose the files appropriate to your acceleration device only.

The files are also split into multi_process and multi_thread.

If your application runs one (or very few) processes, but has multiple threads in each process, each accessing the acceleration device, then you should pick the multi_thread config files. An example of this is a webserver that creates a new thread for each incoming connection.

If your application scales by creating new processes, then you should pick the multi_process config files. An example of this is an event driven application that runs as a single thread in an event loop. In this type of application it is usual for the application to create at least one new process for each cpu core you want to utilize.

For event driven polling based application, change the parameter Cy$nIsPolled=1 to Cy$nIsPolled=2 for each instances($n) in the respective config file to use event driven polling support. Event driven config files are only supported in Linux. Once you have decided which config file you should use, or created your own you should follow the procedure below to install it:

Stop the acceleration driver as described in the Section 3.4 Starting/Stopping the Acceleration software from the Getting Started Guide available in Intel® QuickAssist Technology Driver
Copy the appropriate .conf file to /etc for n number of QAT devices
Start the acceleration driver as described in the Section 3.4 Starting/Stopping the Acceleration software from the Getting Started Guide available in Intel® QuickAssist Technology Driver

Test the Intel® QuickAssist Technology OpenSSL* Engine

Run this command to verify the Intel® QAT OpenSSL* Engine is loaded correctly: This should not be used to determine QAT Engine capabilities as it will not display all the algorithms that are supported in QAT Engine.

cd /path/to/openssl_install/bin
./openssl engine -t -c -v qatengine

qat_hw target output will be:

(qatengine) Reference implementation of QAT crypto engine(qat_hw) <qatengine version>
 [RSA, DSA, DH, AES-128-CBC-HMAC-SHA1, AES-128-CBC-HMAC-SHA256,
 AES-256-CBC-HMAC-SHA1, AES-256-CBC-HMAC-SHA256, TLS1-PRF, HKDF, X25519, X448]
    [ available ]
    ENABLE_EXTERNAL_POLLING, POLL, SET_INSTANCE_FOR_THREAD,
    GET_NUM_OP_RETRIES, SET_MAX_RETRY_COUNT, SET_INTERNAL_POLL_INTERVAL,
    GET_EXTERNAL_POLLING_FD, ENABLE_EVENT_DRIVEN_POLLING_MODE,
    GET_NUM_CRYPTO_INSTANCES, DISABLE_EVENT_DRIVEN_POLLING_MODE,
    SET_EPOLL_TIMEOUT, SET_CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD,
    ENABLE_INLINE_POLLING, ENABLE_HEURISTIC_POLLING,
    GET_NUM_REQUESTS_IN_FLIGHT, INIT_ENGINE, SET_CONFIGURATION_SECTION_NAME,
    ENABLE_SW_FALLBACK, HEARTBEAT_POLL, DISABLE_QAT_OFFLOAD

qat_sw target output will be:

(qatengine) Reference implementation of QAT crypto engine(qat_sw) <qatengine version>
 [RSA, id-aes128-GCM, id-aes192-GCM, id-aes256-GCM, X25519]
     [ available ]
     ENABLE_EXTERNAL_POLLING, POLL, ENABLE_HEURISTIC_POLLING,
     GET_NUM_REQUESTS_IN_FLIGHT, INIT_ENGINE

Detailed information about the engine specific messages is available here. Also ./openssl engine -t -c -vvvv qatengine gives brief description about each ctrl command.

Testing the Intel® QuickAssist Technology OpenSSL* Engine using OpenSSL* speed utility

cd /path/to/openssl_install/bin

qat_hw

* RSA 2K
  * Asynchronous
  ./openssl speed -engine qatengine -elapsed -async_jobs 72 rsa2048
  * Synchronous
  ./openssl speed -engine qatengine -elapsed rsa2048
  * OpenSSL Software
  ./openssl speed -elapsed rsa2048
* ECDH Compute Key
  * Asynchronous
  ./openssl speed -engine qatengine -elapsed -async_jobs 36 ecdh
  * Synchronous
  ./openssl speed -engine qatengine -elapsed ecdh
  * OpenSSL Software
  ./openssl speed -elapsed ecdh
* Chained Cipher: aes-128-cbc-hmac-sha1
  * Asynchronous
  ./openssl speed -engine qatengine -elapsed -async_jobs 128 -multi 2 -evp aes-128-cbc-hmac-sha1
  * Synchronous
  ./openssl speed -engine qatengine -elapsed -multi 2 -evp aes-128-cbc-hmac-sha1
  * OpenSSL Software
  ./openssl speed -elapsed -multi 2 -evp aes-128-cbc-hmac-sha1

qat_sw (Intel(R) Crypto Multi-buffer library)

* RSA 2K
  ./openssl speed -engine qatengine -elapsed -async_jobs 8 rsa2048
* ECDH X25519
  ./openssl speed -engine qatengine -elapsed -async_jobs 8 ecdhx25519
* ECDH P-256
  ./openssl speed -engine qatengine -elapsed -async_jobs 8 ecdhp256
* ECDSA P-256
  ./openssl speed -engine qatengine -elapsed -async_jobs 8 ecdsap256
* ECDH P-384
  ./openssl speed -engine qatengine -elapsed -async_jobs 8 ecdhp384
* ECDSA P-384
  ./openssl speed -engine qatengine -elapsed -async_jobs 8 ecdsap384

qat_sw (Intel(R) Multi-Buffer Crypto for IPsec)

* AES-128-GCM
  ./openssl speed -engine qatengine -elapsed -evp aes-128-gcm
* AES-192-GCM
  ./openssl speed -engine qatengine -elapsed -evp aes-192-gcm
* AES-256-GCM
  ./openssl speed -engine qatengine -elapsed -evp aes-256-gcm

Testing the Intel® QuickAssist Technology OpenSSL* Engine using testapp utility

cd /path/to/qat_engine
make test
./testapp.sh QAT_HW (For testing algorithms supported by QAT_HW)
./testapp.sh QAT_SW (For testing algorithms supported by QAT_SW)

The testapp.sh script will run the corresponding functional tests supported by QAT_HW and QAT_SW. Please note that the QAT Engine should be built with that support for the tests.

Additional information for testapp tests available with the help option ./testapp -help

Troubleshooting

Troubleshooting information is available here.

Licensing Information

Licensing information is available here.

Legal

Legal information is available here.

qat_engine's People

Contributors

Stargazers

Watchers

Forkers

i10a muffo kong123456 agrandi ajmohan infohunter zhangyangisme mattlk13 aycs tytus64 omykolaichyk hjat2005 cnsdpyywq hngouveia01 huddy1985 9176324 tsukasabodewig oracle219 xxltomail aguamar elivesgm jinglu zmole945 iccsmart liuying1001 wenqianyu galsha iceskycn fishgege chuzirui ipuustin benishay bbc hxkcmp shawvi riveridea pingyucn qiangbei luckyqueen0928 lovkei tonezhang01 stevenfeixue easonfeng5870 subratlsahu chenff lvwq davidliremini xianlimei wsh993390188 lioncfliu flytoneptune yananzouyijun daweiq zspirate wy2609 haproxytech yeyunfeng-dev lovepooh-3- jmagnin outspace mveplus marcemq richzzp miss-bug aquaxp mythi lcmmhcc oldmikeyang jqk6 isabella232 xuyizhe1999 infiotinc hemabig romanheros hzhu15 pfl chenmodexiaocao liuqinfei cukiernik walidbarakat dongbinghua honggli ogbanga juewuer blackcounter brian-will hustliyilin alemorcuq cibervicho skullcrossbones cuericlee luiszee openluopworld gustavoaintel johnfial airob0t chengquan20110 aristotlelai rob-opsi heimafeitian

qat_engine's Issues

QAT heartbeat fail

Good morning.

Thank you for helping me develop the QAT project today.

Earlier I asked you about the question of Openssl 1.1.0 f + QAT ASYNC,
I have another question today.

Symptoms : /proc/icp_dh895xcc_dev0/heartbeat fail
driver = Intel qatmux.l.2.6.0-60
openssl= openssl-1.0.1m-async patch version

Confirmation result

lspci | grep QAT
03:00.0 Co-processor: Intel Corporation DH895XCC Series QAT (rev ff)

cat /proc/icp_dh895xcc_dev0/heartbeat
ERROR: Qat is not responding. Please restart the device

syslog
kernel: [2260339.545137] icp_qa_al err: put_msg_sync: Failed to receive an admin response from AE.
kernel: [2260339.545179] [error] QatCtrl_SendSyncMsg() - : AE failed to respond to admin cmd 7, status:-1
kernel: [2260339.545182] [error] QatCtrl_SendHeartbeat_dh895x() - : Send Heartbeat message SYNC failed.
kernel: [2260339.545184] [error] QatCtrl_Heartbeat() - : Heartbeat failed.
kernel: [2260339.545185] [error] QatCtrl_Heartbeat() - : Device needs to be restarted.

special note
1.
It didn't happen from scratch,
Every month, every 2 days ... Irregular occurrence...

No SSL data sent to QAT

heartbeat cycle time : 1~2 seconds

If you don't settle for ./adr_ctl reset,
Is that a problem with hardware?

Thank you !

Can not start up QuickAssist adapter on CentOS 7

Dear Team,
I apologize I am not sure I should send the issue here.
But I tried to sent on https://communities.intel.com/community/tech/wired/content and I can not find a catalog on 01.org. So I sent the issue https://01.org/forum/general-discussion/can-not-start-quickassist-adapter-centos-7 and here.

I am testing QuickAssist for SSL usage.
I have a QuickAssist 8950 adapter and installed on Dell R630.
I followed this document for installation:
https://01.org/sites/default/files/page/330750-005_qat_gsg.pdf
I added intel_iommu=off on GRUB2 and restart the server and the QAT driver installed without error.
But when comes to systemctl start qat_service, it reported can not start up the adapter and reported the error messages.
(For my network issue, I can not upload the images.)

So could you help me? Many thanks.

undefined symbol: SHA_Init in QAT 1.6 driver

Originally reported here #10 by @InfoHunter

QAT1.6 driver built with OpenSSL 1.1.0 or later will not be loaded due to a 'undefined reference to SHA_Init' problem. After I dig into OpenSSL 1.1.0, I have not found 'SHA_Init', the API is not there anymore.

The QAT1.6 driver I used is downloaded from 01org website, the latest one.

Under what circumstance would QAT do 'write(efd)'

In OpenSSL, the "e_dasync.so" using the cheat way by writing fd before it switch to dispatcher.So the dispatcher could use epoll_wait/select to detect the POLL_OUT signal.

I view the QAT_engine code, for example, in function 'qat_rsa_encrypt', when cpaCyRsaEncrypt returns CPA_STATUS_RETRY, then qat_wake_job calls 'write' and qat_pause_job calls ASYNC_pause_job to switch to dispatcher. Don't the QAT calls 'write' after it really have done the encryption/decryption ?

My Questions:
1: Under what circumstance would cpaCyRsaEncrypt return CPA_STATUS_RETRY ? I view the quickassist code:
if (flight > ring->max_requests_inflight) status = CPA_STATUS_RETRY;
Does that means the ring is full ?

2: Don't the QAT calls 'write' after it really have done the encryption/decryption ?

Question about 1.1.0f async performance (ex. eventfd)

We use Avalanche to measure SSL performance.
Measurement is a personal development proxy device,
developed using async mode using openssl1.1.0f + qat engine.

As a result, CPU usage rate improved compared with SYNC MODE,
When reaching about 9400 CPS, the phenomenon that the speed is delayed greatly occurs ((50% of CPU at this time) occurs).

Changed the eventfd (0, EFD_NONBLOCK) part to eventfd (0,0) on the original qat_engine, but will this part cause a problem?

When doing eventfd (0, EFD_NONBLOCK) and eventfd (0, 0), I do not know whether there is a performance difference.

It is a very important task.
Please help me.

Question about crypto functions such as qat_rsa_priv_dec()

Hi all~
I'm testing 8950 with nginx+qat_engine+openssl. I have a question about the crypto functions implemented in this engine, functions like qat_rsa_priv_dec().

In this function, qat_rsa_decrypt was called. Is qat_rsa_decrypt a synchronized function? Nginx should be totally non-blocked, how does this function work with nginx? Does that mean that the code is blocked when performing qat_rsa_decrypt?

Looking forward to your reply!
Thanks a lot.

Two QAT drivers are present with latest kernels and qat service fails to start.

This issue was originally reported as part of #8 by @tsenghu as follows:

We have decided to upgrade to Ubuntu 16.04/linux kernel 4.4.0-57-generic.
After linux is up, I see two drivers that is related to QAT.
One is qat_dh895xcc and another one is intel_qat.
After I inserted two drivers (icp_qa_al.ko and qat_contig_mem.ko) and try to run “service qat_service start”.
It failed to start.

about qat_engine_init

Hello steve, excuse me, but

#1 (comment)
@stevelinsell wrote on 28 Jun:

Yes, I have also encountered this issue a couple of weeks ago. The development team are addressing it during this development cycle which has just started so if all goes to plan you should expect a fix to be posted to here within the next two weeks.

When is the issue mentioned above fixed?
Please let me know the schedule, if possible.

Kind regards,

Tom.

Help: "Make" fails on Ubuntu 17.10

Hey Steve,
I tried to compile the Intel QAT 1.7 driver on Ubuntu 17.10 following the README file in the archive, as well as the provided PDF. Unfortunately the build failed with an error I was not able to interpret. This is most likely because I just started using Linux, but I try hard to improve and I would be very happy, if you could assist me doing this.

I installed all dependencies according to the README file.
I run ./configure
I run make

Thank you very much for your help.

Question about QAT hardware performance improvement.

Please help me on this question.
I make a nginx patch and do encrypted communication using ECDHE-RSA-AES256-GCM-SHA384.

A passable performance was given, but I did not expect it.

It seems to take time at qat_ecdh_compute_key called from qat_ec.c after I monitor callgraph using valgrind.
It is described to a source as follows:

/* Unsupported curve: X25519.

Detect and call it's software implementation.
*/

Does this not support it with the QAT hardware board?
Or do you support it in a road map? When is it?

In addition, it seems to take time in particular EC_POINT_get_affine_coordinates_GFp called from qat_ecdh_compute_key.
But EC_POINT_get_affine_coordinates_GFp is hardly called if I use OpenSSL 1.1.0 pre5 software not QAT.

I attach the results that I tried.

Results using QAT hardware
Results using only OpenSSL 1.1.0 pre5 software
Results screenshot of executing the kcachegrind

Kind regards,

Can't init QAT engine

I have questions on using QAT with openSSL on Atom C3708.

I was using
openSSL 1.1.0g
QAT1.7.Upstream.L.1.0.3_42
QAT Engine master build clone on Oct 5, probably 0.5.29

Here are the outputs:

ubuntu@atom-crb1:~/openssl-build/bin$ ./openssl speed -engine qat -elapsed -async_jobs 72 rsa2048
ADF_UIO_PROXY err: icp_adf_userProcessToStart: Cannot open /dev/qat_dev_processes file
[error] icp_sal_userStart() - : icp_adf_userProcessToStart failed

can't use that engine
139720415069952:error:8007D09C:lib(128):qat_engine_init:icp sal userstart fail:e_qat.c:290:
139720415069952:error:260B806D:engine routines:engine_table_register:init failed:crypto/engine/eng_table.c:125:
You have chosen to measure elapsed time instead of user CPU time.
Doing 2048 bit private rsa's for 10s: 2846 2048 bit private RSA's in 10.00s
Doing 2048 bit public rsa's for 10s: 98050 2048 bit public RSA's in 10.00s
OpenSSL 1.1.0g-dev xx XXX xxxx
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR=""/home/ubuntu/openssl-build/ssl"" -DENGINESDIR=""/home/ubuntu/openssl-build/lib/engines-1.1"" -Wa,--noexecstack
sign verify sign/s verify/s
rsa 2048 bits 0.003514s 0.000102s 284.6 9805.0

Question about NID_aes_128_cbc_hmac_sha1 in QAT_Egine

I find four ciphers may be supported by Qat_Engine.

static chained_info info[] = {
    {NID_aes_128_cbc_hmac_sha1, NULL, AES_KEY_SIZE_128},
    {NID_aes_128_cbc_hmac_sha256, NULL, AES_KEY_SIZE_128},
    {NID_aes_256_cbc_hmac_sha1, NULL, AES_KEY_SIZE_256},
    {NID_aes_256_cbc_hmac_sha256, NULL, AES_KEY_SIZE_256},
};

Is NID_aes_128_cbc_hmac_sha1 a AEAD cipher ?
And command openssl ciphers doesn't list any similar ciphers.
So, how to use openssl s_client to send such request that contain this cipher suit so that can invoke QAT_Engine?

QAT + OPENSSL 1.1.0f ASYNC performance

Hi !
I have a question about QAT + OPENSSL 1.1.0f async performance.

Once you've implemented QAT + OPENSSL 1.1.0f async, I've found that it's faster.

ex. ) ./openssl speed -engine qat -elapsed -async_jobs 72 rsa2048 (4 to 5 times better)

However, when testing the instrument(avalanche), it is confirmed that some sessions can not be processed if some CPS value or more (about 10000 CPS) goes on.

There are no problems with the setup.
ulimit -n
100000

cat /proc/sys/kernel/threads-max
257139

Do you have a history of instrument testing(avalanche) with QAT + openssl 1.1.0f async?

ps.
( QAT + openssl 1.1.0f sync mode = Normal processing)

thank you !

re-visit external epoll

Hi:
I know I have discussed this with you before. However, I was busy integrating openssl 1.1.0b into our product with QAT. I have not had time to address this issue I ran into.
To start with, the new ASYNC API works well and it really make my life earlier and I do see improvement in term of performance.
yes, I have enabled EXTERNAL polling using openssl.cfg and that works. The issue now is the response event send from driver to epoll handler is not reliable. When epoll is running internally, I use Ixia to generate traffic and it can sustain heavy traffic for long period of time. When in external mode, it failed during handshaking with just few connections. As far as I can tell, the only difference is one start the callback thread during qat init. In my case, I start callback thread after qat init.

Please advice
Tseng

Occasionally failed for OpenSSL with Nginx

I am testing QucikAssist with Nginx.

I install upstream driver and QAT Engine.
Followed the README file patched and compiled Nginx.
Configed OpenSSL.

When testing with curl and ab, there were occasionally failed.

In the README file there is "Known Issue", but I don't think this belongs to.

You can refer to attachment for detail of the error or configuration of Nginx and OpenSSL.

Thanks.

curl_error
nginx_error.log
nginx.conf.txt
openssl.cnf.txt

kernel warning

Hi.
I build QAT1.6 driver and QAT Engine 0.5.21.
When trying to run ./openssl speed -engine qat -elapsed -async_jobs 72 rsa2048
syslog displays these warnings:

Apr 24 11:45:37 kernel: [   92.235029] WARNING: CPU: 3 PID: 2516 at /build/linux-wXdoVv/linux-4.4.0/mm/mmap.c:1640 mmap_region+0x55b/0x650()
Apr 24 11:45:37 kernel: [   92.235030] Modules linked in: qat_contig_mem(OE) ipt_MASQUERADE nf_nat_masquerade_ipv4 xfrm_user xfrm_algo iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack br_netfilter bridge stp llc aufs pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) icp_qa_al(OE) zlib joydev input_leds snd_usb_audio eeepc_wmi asus_wmi sparse_keymap hid_plantronics hid_generic snd_usbmidi_lib intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp usbhid hid kvm_intel snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic kvm snd_hda_intel irqbypass snd_hda_codec binfmt_misc snd_hda_core crct10dif_pclmul crc32_pclmul snd_hwdep ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper snd_pcm cryptd serio_raw lpc_ich tpm_infineon 8250_fintek snd_seq_midi snd_seq_midi_event snd_rawmidi mei_me snd_seq snd_seq_device snd_timer snd soundcore mei shpchp acpi_pad mac_hid parport_pc ppdev lp parport autofs4 mxm_wmi i915 i2c_algo_bit drm_kms_helper psmouse syscopyarea sysfillrect sysimgblt ahci fb_sys_fops libahci drm r8169 mii video wmi fjes
Apr 24 11:45:37 kernel: [   92.235070] CPU: 3 PID: 2516 Comm: openssl Tainted: G           OE   4.4.0-72-generic #93-Ubuntu
Apr 24 11:45:37 kernel: [   92.235071] Hardware name: ASUS All Series/Z97-K, BIOS 2604 05/20/2015
Apr 24 11:45:37 kernel: [   92.235072]  0000000000000286 000000004507e18e ffff8803c491bd48 ffffffff813f82b3
Apr 24 11:45:37 kernel: [   92.235074]  0000000000000000 ffffffff81cd2908 ffff8803c491bd80 ffffffff81081302
Apr 24 11:45:37 kernel: [   92.235075]  ffff8800c9d73be8 00007faad8ca0000 0000000000000000 ffff8800c6d47d48
Apr 24 11:45:37 kernel: [   92.235077] Call Trace:
Apr 24 11:45:37 kernel: [   92.235081]  [<ffffffff813f82b3>] dump_stack+0x63/0x90
Apr 24 11:45:37 kernel: [   92.235083]  [<ffffffff81081302>] warn_slowpath_common+0x82/0xc0
Apr 24 11:45:37 kernel: [   92.235085]  [<ffffffff8108144a>] warn_slowpath_null+0x1a/0x20
Apr 24 11:45:37 kernel: [   92.235086]  [<ffffffff811c956b>] mmap_region+0x55b/0x650
Apr 24 11:45:37 kernel: [   92.235088]  [<ffffffff811c9993>] do_mmap+0x333/0x420
Apr 24 11:45:37 kernel: [   92.235090]  [<ffffffff811adebf>] vm_mmap_pgoff+0xaf/0xe0
Apr 24 11:45:37 kernel: [   92.235092]  [<ffffffff811c7d81>] SyS_mmap_pgoff+0x1c1/0x290
Apr 24 11:45:37 kernel: [   92.235096]  [<ffffffff8103406b>] SyS_mmap+0x1b/0x30
Apr 24 11:45:37 kernel: [   92.235099]  [<ffffffff8183c672>] entry_SYSCALL_64_fastpath+0x16/0x71
Apr 24 11:45:37 kernel: [   92.235100] ---[ end trace c915859e9ebb5592 ]---

what does that mean?

QAT in docker container

Hi :

I ran into issue when QAT is in linux docker.
the application crash after it allocated memory via qat_contig_mem interface.
here is the trace . I have added few printk in qat_contig_mem driver.
Initially, I did my dev in a non-docker environment, and it works great. Now, because the way our product is implemented, I need to run similar things in docker.

[ 1198.973933] Started AE 0
[ 1198.973938] Started AE 1
[ 1198.973942] Started AE 2
[ 1198.973946] Started AE 3
[ 1198.973950] Started AE 4
[ 1198.973954] Started AE 5
[ 1198.973958] Started AE 6
[ 1198.973962] Started AE 7
[ 1198.973966] Started AE 8
[ 1198.973970] Started AE 9
[ 1198.973974] Started AE 10
[ 1198.973978] Started AE 11
[ 1257.223597] qat_contig_mem: mem_open : qat_contig_mem: do_ictl : qat_contig_mem: do_ictl : memalloc virt 0000001fb4320000 phy ffff881fb4320000 len 20000
[ 1257.223623] qat_contig_mem: do_mmap: vm_start 00007ff1e0d42000 vm_end 00007ff1e0d82000 pfn 1fb4320 size 40000 page_Size 1000
[ 1257.223627] qat_contig_mem: do_mmap 1 : vm_start 00007ff1e0d60000 vm_end 00007ff1e0d80000 pfn 1fb4320 size 40000
[ 1257.223635] ------------[ cut here ]------------
[ 1257.223647] WARNING: CPU: 10 PID: 9888 at /build/linux-FyIZxz/linux-4.4.0/mm/mmap.c:1640 mmap_region+0x55b/0x650()
[ 1257.223649] Modules linked in: qat_contig_mem(OE) icp_qa_al(OE) xt_nat xt_tcpudp veth ipt_MASQUERADE nf_nat_masquerade_ipv4 xfrm_user xfrm_algo iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter xt_conntrack nf_nat nf_conntrack br_netfilter bridge stp llc aufs iptable_mangle ip_tables x_tables intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp ipmi_ssif kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd joydev input_leds sb_edac edac_core mei_me mei shpchp ioatdma lpc_ich 8250_fintek ipmi_si ipmi_msghandler acpi_pad acpi_power_meter mac_hid sunrpc autofs4 hid_generic usbhid hid mxm_wmi ixgbe igb vxlan ip6_udp_tunnel dca udp_tunnel ahci ptp libahci pps_core megaraid_sas mdio i2c_algo_bit
[ 1257.223721] fjes wmi [last unloaded: icp_qa_al]
[ 1257.223728] CPU: 10 PID: 9888 Comm: nsproxy Tainted: G OE 4.4.0-77-generic #98-Ubuntu
[ 1257.223730] Hardware name: Netskope N1000/S2600WTTR, BIOS SE5C610.86B.01.01.0020.122820161512 12/28/2016
[ 1257.223733] 0000000000000286 000000000c9af1d9 ffff881fb4353d48 ffffffff813f8493
[ 1257.223738] 0000000000000000 ffffffff81cd3808 ffff881fb4353d80 ffffffff81081302
[ 1257.223741] ffff880c825a81c0 00007ff1e0d60000 0000000000000000 ffff88203203e320
[ 1257.223745] Call Trace:
[ 1257.223755] [] dump_stack+0x63/0x90
[ 1257.223764] [] warn_slowpath_common+0x82/0xc0
[ 1257.223768] [] warn_slowpath_null+0x1a/0x20
[ 1257.223771] [] mmap_region+0x55b/0x650
[ 1257.223775] [] do_mmap+0x333/0x420
[ 1257.223785] [] vm_mmap_pgoff+0xaf/0xe0
[ 1257.223790] [] SyS_mmap_pgoff+0x1c1/0x290
[ 1257.223800] [] SyS_mmap+0x1b/0x30
[ 1257.223810] [] entry_SYSCALL_64_fastpath+0x16/0x71
[ 1257.223813] ---[ end trace d4a34ce431bc2e7d ]---
[ 1257.223939] qat_contig_mem: do_ictl : qat_contig_mem: do_ictl : memalloc virt 0000001fb42a0000 phy ffff881fb42a0000 len 20000
[ 1257.223947] qat_contig_mem: do_mmap: vm_start 00007ff1e0d20000 vm_end 00007ff1e0d60000 pfn 1fb42a0 size 40000 page_Size 1000
[ 1257.223949] qat_contig_mem: do_mmap 1 : vm_start 00007ff1e0d40000 vm_end 00007ff1e0d60000 pfn 1fb42a0 size 40000

Please advice

tseng

question about qat instance

Hi
I'm using openssl 1.1.0e + dh8920 to do https things.
the application runs 1 process 4 threads + 4 logical instances, each thread use one specified logical instance, SSL connections are dispatched to 4 threads evenly by clientHello packet
ulimit -n 80000

this week, I got one strange issue:
To test the application‘stability, I use avalanche to generate 5300CPS https request，which almost reach the expected performance of dh8920 , the first 1 or 2 days, it works fine, the SSL connections on each threads is about 1500, But 1 or 2 days later, there's a peak(more than 80000) on one thread, which cause qat running out of its eventfd, and lead to failure.
this happens 3 times this week.
my question is: Is this normal when some instance/engine suddenly runs very slowly, OR anything may trigger this ? I'm adding logic to push SSL connetions to other threads if some thread got too many handing. I don't know if this will help, and I still worried that if one instance/engine runs slow, the total performance may drop heavily some time.

How to build QAT engine statically with OpenSSL

hi guys,

I am wondering how to build qat engine statically, since the documents provided by Intel all mention the way how to build the engine into qat.so and how to link it to OpenSSL dynamically. So is there a way to build an ".a" library or build qat engine into libcrypto.a so that I can link qat statically along with OpenSSL into my application. That would be very helpful in my scenario.

Hoping for responding asap, thanks!

how to use QAT Engine speed more Encryption Algorithm

I have installed QAT Engine，and The QAT engine now supports RSA, DSA, DH, AES-128-CBC-HMAC-SHA1, AES-256-CBC-HMAC-SHA256, AES-256-CBC-HMAC-SHA1, AES-256-CBC-HMAC-SHA256 , TLS1-PRF in my system，How and where can I add support algorithms ?

nginx can not start with not-root user

nginx can not start with root user ,error log shows:
open qat_contig_mem: Permission denied
open qat_contig_mem: Permission denied
open qat_contig_mem: Permission denied
open qat_contig_mem: Permission denied
open qat_contig_mem: Permission denied
open qat_contig_mem: Permission denied
open qat_contig_mem: Permission denied
open qat_contig_mem: Permission denied
how fix this ?

qat_engine_init()] No crypto instances found

error log: error.zip

I setup dh8955 on centos 6.8(64bit) at HP DL360 Gen9,
software env: nginx-1.10.3+openssl-1.1.0e+QAT_Engine-0.5.22

the nginx error follow ,and happend it every day,
Very interesting is that every day around five o'clock, about 10 minutes after the normal.

so ,can anyone help me ,thanks.

[WARNING][e_qat.c:1009:qat_engine_init()] No crypto instances found
[WARNING][e_qat.c:1009:qat_engine_init()] No crypto instances found
[WARNING][e_qat.c:1009:qat_engine_init()] No crypto instances found
[WARNING][e_qat.c:1009:qat_engine_init()] No crypto instances found
[WARNING][e_qat.c:1009:qat_engine_init()] No crypto instances found
[WARNING][e_qat.c:1009:qat_engine_init()] No crypto instances found
[WARNING][e_qat.c:299:engine_init_child_at_fork_handler()] Failure in qat_engine_init function
[WARNING][e_qat.c:299:engine_init_child_at_fork_handler()] Failure in qat_engine_init function
[WARNING][e_qat.c:299:engine_init_child_at_fork_handler()] Failure in qat_engine_init function
[WARNING][e_qat.c:299:engine_init_child_at_fork_handler()] Failure in qat_engine_init function
[WARNING][e_qat.c:299:engine_init_child_at_fork_handler()] Failure in qat_engine_init function
[WARNING][e_qat.c:299:engine_init_child_at_fork_handler()] Failure in qat_engine_init function
[WARNING][e_qat.c:299:engine_init_child_at_fork_handler()] Failure in qat_engine_init function
[WARNING][e_qat.c:256:get_next_inst()] Failure in qat_engine_init function
[WARNING][qat_rsa.c:433:qat_rsa_decrypt()] Failed to get an instance
[WARNING][qat_rsa.c:1047:qat_rsa_priv_dec()] Failure in qat_rsa_decrypt
[WARNING][e_qat.c:1009:qat_engine_init()] No crypto instances found
[WARNING][e_qat.c:256:get_next_inst()] Failure in qat_engine_init function
[WARNING][qat_rsa.c:433:qat_rsa_decrypt()] Failed to get an instance
[WARNING][qat_rsa.c:1047:qat_rsa_priv_dec()] Failure in qat_rsa_decrypt

unknown option -nostatic

Running into this error when running make under /QAT_Engine.
Right after it tries to run perl /openssl/util/mkerr.pl

questions about QAT instances and nginx performance

Hi,
I've installed QAT and QAT_engine to test performance of the new Lewisburg ssl accelerate card.
We first tested it with the patched nginx-1.10.3 + openssl-1.1.0f + qat_engine with asynch mode and later will try to transplant it to a multi-thread platfrom.
Below is the testing server's info:
CPU: E5-2650 v3 @ 2.30GHz * 2 with hyperthreaded
ssl card: c6xx(PCIE card)
system: Linux ubuntu 3.19.0-15-generic
qat driver version: 1.7 (L.1.0.3-42)

Nginx test was running with 32 worker processes to fit the qat configuration and we got 41000+ CPS with cipher suite RSA2k+AES256-gcm-SHA384. The whole cpu usage is around 60% (the core binded with worker thread has 25% idle) but the CPS couldn't go further.
We also tried to change the qat config file to turn on the LimitDevAccess.

[SHIM]
NumberCyInstances = 1
NumberDcInstances = 0
#we will setup 40 nginx worker processes so set it to 14
NumProcesses = 14
LimitDevAccess = 1

Cy0Name = "UserCY0"
Cy0IsPolled = 1
Cy0CoreAffinity = 1

With the config file above we tested nginx with 40 worker processes and got 39000+ CPS result in the same testing environment with around 60% total cpu usage, which was lower than the 32 worker processes case. It seems that the performance goes worse with more worker processes.
Here are some questions:
First of all, is the performance result normal? It seems the bottle neck is not the CPU. And I got 110k RSA2k-sign ops result in openssl speed test so maybe the ssl card is still avaliable to do the cipher jobs?Are there any ways to check whether the ssl card is running in full load?

I wonder if the LimitDevAccess configuration will take bad influence on performance but I have to enable it to extend the NumProcesses. Are there any ways to extend the NumProcesses to fit the 40 worker processes of nginx? I've checked the qat document and found qat programer's guide describe an approach to increase the maximum num of processes in 4.3.2.2. I've tried to set "ServicesEnabled" to "asym;sym" but error happened when starting the qat_service.

Thanks

question about Qat Driver config files

Hi,
I'm using openssl 1.1.0e and qat engine to do https things.
acceleration device : dh8920

My application runs one process and 4 threads in the process. According to “Copy the correct Intel® Quickassist Technology Driver config files” chapter in README, I choose multi_thread_optimized config files, but the performance is really bad, TLS1.2 RSA2048-AES got only 1400 CPS(requests per second), but when switch to multi_process_optimized config files, the performance goes up to 5500 CPS .

nginx can not reload gracefully

I modified the nginx config , but can not reload gracefully .
I tried :nginx -s reload /kill -HUP $(cat pid) ,nginx will report following errors :

2017/07/18 15:25:21 [crit] 92260#0: *15 SSL_do_handshake() failed (SSL: error:8007F094:lib(128):qat_engine_init:icp sal userstart fail error:8008D044:lib(128):qat_prf_tls_derive:internal error) while SSL handshaking, client: 172.30.2.103, server: 0.0.0.0:443
[error] icp_sal_userStartMultiProcess() - : icp_adf_userProcessToStart failed

2017/07/18 15:25:22 [crit] 92260#0: *16 SSL_do_handshake() failed (SSL: error:8007F094:lib(128):qat_engine_init:icp sal userstart fail error:8008D044:lib(128):qat_prf_tls_derive:internal error) while SSL handshaking, client: 172.30.2.103, server: 0.0.0.0:443
[error] SalCtrl_ServiceEventInit() - : Failed to initialise all crypto instances
[error] SalCtrl_ServiceEventStart() - : Private data is NULL
[error] SalCtrl_ServiceEventInit() - : Failed to initialise all crypto instances
[error] SalCtrl_ServiceEventStart() - : Private data is NULL
[error] SalCtrl_AdfServicesStartedCheck() - : Sal Ctrl failed to start in given time

[error] do_userStart() - : Failed to start services

[error] SalCtrl_AdfServicesStartedCheck() - : Sal Ctrl failed to start in given time

[error] do_userStart() - : Failed to start services

using default config, but get error

cpu: Intel(R) Atom(TM) CPU C2558 @ 2.40GHz

current I compile the c2xxx driver, and make install the driver,
when I start a test using openssl, cmd like:
./openssl engine -t -c -vvv qat
the console output:
faild to start qat, I know why this does not work, since it need SHIM sectioin, so
I copy the qat_engine/qat/config/c2xxx/xxx.conf to /etc
then I restart the service:
cp c2xxx_qa_dev0.conf /etc/
cp: overwrite `/etc/c2xxx_qa_dev0.conf'? y
[root@charle multi_process_optimized]# service qat_service start
Processing file: /etc/c2xxx_qa_dev0.conf
Parity err reporting is disabled.
Error: failed to start device 0
There is 1 acceleration device(s) in the system:
icp_dev0 - type=c2xxx, inst_id=0, node_id=0, bdf=00:0b:0, #accel=1, #engines=1, state=down

But I got a message called failed to start device 0, could you tell me why this happened?
Thank you.
best regards

(qat) low performance in multi-thread app

i developed a multi-thread demo app which is almost the same with nginx
app: 32 worker threads VS nginx 32 worker process
app: worker handle accept4 and IO events VS nginx worker process handle accept4 and IO events (with accept_mutex off)

server information:
Xeon 2670(v2?) X2
with dh8950 device

test deployment mode:
sprient testcenter ------https--------nginx/app

nginx with qat can run over 15000+ connections per second HTTPS(RSA2048+AES256-SHA1) requests ( the whole cpu usage is less than 30%)

but when i switch to my app(with qat support), my app can run only 7800 connections perf second HTTPS(RSA2048+AES256-SHA1) requests( the whole cpu usage is almost 100%)

I can find some offical metric statistics that looks pretty , but i guess those statistics are tests in multi-process enviroment.

i am wondering if my app's result is normal? or there is some metric data to compare with ?

or there is multi-thread demo like nginx(qat) to follow ?

thanks

kernel: icp_qa_al err: createETHandle: Ring0 in Bank4 for service Cy0RingAsymTx already exists

i got error

icp_qa_al err: createETHandle: Ring0 in Bank4 for service Cy0RingAsymTx
already exists
icp_qa_al err: adf_ring_ioc_create_handle: icp_adf_transCreateHandle for
service Cy0RingAsymTx failed
icp_qa_al err: createETHandle: Ring0 in Bank2 for service Cy0RingAsymTx
already exists
icp_qa_al err: adf_ring_ioc_create_handle: icp_adf_transCreateHandle for
service Cy0RingAsymTx failed
in /var/log/messages
CentOS release 6.9 (Final)
nginx error.log
2017/12/01 00:37:21 [crit] 9978#9978: *7757696 SSL_do_handshake() failed (SSL: error:8007F0CA:lib(128):qat_engine_init:pthread create failure error:80078044:lib(128):qat_ecdh_compute_k
ey:internal error error:14179006:SSL routines:tls_construct_server_key_exchange:EVP lib) while SSL handshaking, client: 222.169.51.175, server: 0.0.0.0:443

what's error

A Segmention fault occurs

Actually I have found the cause(see comments in openssl/openssl#5221 ), but it seems that OpenSSL may take a long time to find the solution.
Please track.

SSL directive style in Nginx patch

Originally reported here #10 by @InfoHunter

For nginx-patch of async use of QAT, the problem is the patch does not support the following style of nginx configuration file:

listen 443 ssl;

it only supports the directive.

 ssl on;

And no document mentions this situation, and this really caused me lots of time to resolve the problem.

qat_engine_init error after reload nginx

Hi:
I run nginx-1.10.3 with qat_engine(0.5.22) and openssl 1.1.0b on centos 6.5.
When it reload (nginx -s reload)nginx after change nginx.conf, the error.log write a lot of error ,
but when I restart nginx services, the nginx is ok,
please help me , thks.

errorlog:
[WARNING][e_qat.c:993:qat_engine_init()] icp_sal_userStart failed
[WARNING][e_qat.c:256:get_next_inst()] Failure in qat_engine_init function
[WARNING][qat_rsa.c:433:qat_rsa_decrypt()] Failed to get an instance
[WARNING][qat_rsa.c:1047:qat_rsa_priv_dec()] Failure in qat_rsa_decrypt
2017/06/29 11:01:35 [crit] 11927#11927: *239209 SSL_do_handshake() failed (SSL: error:8007E094:lib(128):qat_engine_init:icp sal userstart fail error:8008E044:lib(128):qat_rsa_decrypt:internal error error:80090044:lib(128):qat_rsa_priv_dec:internal error error:1419F093:SSL routines:tls_process_cke_rsa:decryption failed) while SSL handshaking, client: 120.80.57.18, server: 0.0.0.0:443
[error] icp_sal_userStartMultiProcess() - : icp_adf_userProcessToStart failed

make the engine working

Dear all, I am working using the openssl with qat to en&decrypt the https ssl trasnmition, our cipher list is:

, when I load the qat engine ,it output the cipher chained list:
[RSA, DSA, DH, AES-128-CBC-HMAC-SHA1, AES-128-CBC-HMAC-SHA256, AES-256-CBC-HMAC-SHA1, AES-256-CBC-HMAC-SHA256, TLS1-PRF]

So, does the qat engine could working on ours cipher list?

Thanks all.

Best regards

About deleting OPENSSL_cleanse（）

Hello,

It is described in a nginx-1.6.2-async.l.0.1.0-008 document as follows:

Performance Optimization to OpenSSL (this is optional step)
This step is optional. During our testing, we've found OPENSSL_cleanse() to be the bottleneck limiting performance. OPENSSL_cleanse() is a type of memory scrubbing functionality that clears the memory that used to hold the keys. Customers that already use HW accelerators might have already come across this as a bottleneck and might already have it optimized in their systems. For customers that do not use HW accelerators they might not have this optimized already. We are currently evaluating different options to optimize the functionality.

I understood that I can delete OPENSSL_cleanse() because it is optional and unnecessary.
Is this same in OpenSSL1.1.0-pre5, too?
If it is a problem to delete, please advise a reason.

If a performance improves, I want to implement it like that.
I think that a performance improves around 2%.

Kind regards,

Tom.

'Make clean' cleans necessary files.

When I did make clean, e_qat_err.c and e_qat_err.h were purged.
.tools/Makefile.in includes command of purging e_qat_err files.

diff --git a/.tools/Makefile.in b/.tools/Makefile.in
index 7f021ba..f2c4927 100644
--- a/.tools/Makefile.in
+++ b/.tools/Makefile.in
@@ -801,7 +801,7 @@ uninstall-am: uninstall-includeHEADERS uninstall-libLTLIBRARIES


 mostlyclean-generic:
-       -rm -f *.obj lib tags core .pure .nfs* *.old *.bak fluff *.so *.sl *.dll e_qat_err*
+       -rm -f *.obj lib tags core .pure .nfs* *.old *.bak fluff *.so *.sl *.dll

        -rm -f $(with_openssl_install_dir)/lib/engines-1.1/qat.so

Should Makefile.am be changed too ?

QAT Engine can not work

OS : Centos 7.4
QAT Driver version 1.7
QAT Engine version 0.5.29

start service

[root@localhost bin]# service qat_service start
Stopping all devices.
Starting all devices.
Processing /etc/dh895xcc_dev0.conf
Checking status of all devices.
There is 1 QAT acceleration device(s) in the system:
 qat_dev0 - type: dh895xcc,  inst_id: 0,  bsf: 09:00.0,  #accel: 6 #engines: 12 state: up

start service syslog

Sep 21 18:58:58 localhost kernel: QAT: Stopping all acceleration devices.
Sep 21 18:58:58 localhost kernel: dh895xcc 0000:09:00.0: Starting acceleration device qat_dev0.
Sep 21 18:58:59 localhost kernel: dh895xcc 0000:09:00.0: qat_dev0 started 12 acceleration engines
Sep 21 18:58:59 localhost kernel: QAT: Could not find a device on node 1
Sep 21 18:58:59 localhost kernel: QAT: Could not find a device on node 1
Sep 21 18:58:59 localhost kernel: QAT: Could not find a device on node 1

./openssl speed -engine qat

[root@localhost bin]# ./openssl speed -engine qat
can't use that engine
139961552029504:error:8007D09F:lib(128):qat_engine_init:instance unavailable:e_qat.c:306:
139961552029504:error:260B806D:engine routines:engine_table_register:init failed:crypto/engine/eng_table.c:125:

syslog

Sep 21 18:59:45 localhost kernel: dh895xcc 0000:09:00.0: failed to get NumberCyInstances value from config!
Sep 21 18:59:45 localhost kernel: dh895xcc 0000:09:00.0: failed to get NumberDcInstances value from config!
Sep 21 18:59:45 localhost openssl: cpaCyGetNumInstances() - : Called with params (0x558a9b48[0])

User Space DMA-able Memory (USDM) Component Missing in qat driver source code

Hi,
The QAT_Engine ReadMe says it is necessary to build a contiguous pinned memory driver to get quickassist working. The default qat_contig_mem kernel module is not stable enough.

The upstream driver is recommended according to ReadMe: "The USDM component is located within the Upstream Intel® QuickAssist Technology Driver source code in the following subdirectory: quickassist/utilities/libusdm_drv".

But I cannot find the source code of this USDM component in the driver provided by 01.org.
I am not sure whether the software packages provided by 01.org is outdated.
Can anyone help with this issue?

King Regards.

William

QAT+Nginx failed to handle TLS request with ECDSA cert but succes with RSA cert

Hi all,
I'm try to use Intel QAT card to accelerate TLS traffic in docker, it could handle TLS request with RSA cert, but failed to handle TLS request with ECDSA cert. and related test bed as below:
OS: CentOS 7.2.1511 kernel 3.10.0-327.28.3.el7.x86_64
QAT card: DH895x Stepping A0
Driver: QAT1.6.L.2.6.0-65.tar.gz
Openssl: 1.1.0f
QAT Engine: QAT_Engine-0.5.29 compiled with <--enable-qat_debug --enable-qat_warnings --enable-qat_mem_debug --enable-qat_mem_warnings --with-qat_debug_file=/var/log/qat_engine.log --with-cc_opt="-DQAT_TESTS_LOG">
Nginx: 1.12.0 with ported Intel pacth nginx-1.10.3-async.l.0.3.0-002
Test Client: ab in httpd-tools-2.4.28-3
nginx ssl config is as below:
listen 192.168.1.26:443 ssl reuseport fastopen=1024 deferred;
server_name 192.168.1.26 "";
ssl_certificate /etc/nginx/certs/server_cert_ecdsa.crt;
ssl_certificate_key /etc/nginx/certs/server_cert_ecdsa.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL;
ssl_prefer_server_ciphers on;
ssl_asynch on;
here I deploy it as load balance:
client(ab+openssl) --->LB(nginx+openssl+QAT Engine) ---> server
when test with ab, ab will stuck and timeout, as it did not receive server_hello response. the ab output is as below:
Benchmarking 192.168.1.26 (be patient)...apr_pollset_poll: The timeout specified has expired (70007)
comparing the RSA cert case, it seem qat engine call back not trigger nginx epoll event, so at last timeout. I not sure it's Nginx issue or QAT Engine, and am taking time to dig it. please remove “.log” from file name for the first and last attached file.
Did anybody see similar issue? Any help is appreciated.
dh895xcc_qa_dev0.conf.txt
qat_crypto_ecdsa.log
qat_engine_ecdsa.log
nginx_error_ecdsa.log
tls_ecdsa.pcap.log

thread stuck when use external polling mode

Hi，
I'm working on using openssl1.1.0e and qat0.5.21 to do https things.
my project use DPDK , serveral fixed thread get packet from DPDK,and loop doing TCP/SSL handshake and https interaction asyncly，threads are fixed and cannot sleep， each thread occupies one single cpu core and use 100%
so I use qat in external polling mode ，but rather than call SSL_get_changed_async_fds to poll (Since poll fd need to sleep), I call SSL_xx periodically(for example ，SSL_do_handshake) and call ENGINE_ctrl_cmd(e, "POLL", 0, &poll_status, NULL, 0) in the same thread.

but this mode cannot work，the thread stucks，the stack is as follow：
#0 0x00007ffff7bced3d in read () from /lib/libpthread.so.0
#1 0x00007fffbf481577 in qat_pause_job () from /home/lim/test/https/openssl/lib/engines-1.1/qat.so
#2 0x00007fffbf4963a8 in qat_rsa_decrypt () from /home/lim/test/https/openssl/lib/engines-1.1/qat.so
#3 0x00007fffbf497f8d in qat_rsa_priv_dec () from /home/lim/test/https/openssl/lib/engines-1.1/qat.so
#4 0x00007fffd155ce2c in tls_process_client_key_exchange () from /home/lim/test/https/openssl/lib/libssl.so.1.1
#5 0x00007fffd15508bd in state_machine () from /home/lim/test/https/openssl/lib/libssl.so.1.1
#6 0x00007fffd1142064 in async_start_func () from /home/lim/test/https/openssl/lib/libcrypto.so.1.1

it stucks here
do {
if(op_done.job != NULL) {
/* If we get a failure on qat_pause_job then we will
not flag an error here and quit because we have
an asynchronous request in flight.
We don't want to start cleaning up data
structures that are still being used. If
qat_pause_job fails we will just yield and
loop around and try again until the request
completes and we can continue. */
if (qat_pause_job(op_done.job, 0) == 0)
pthread_yield();
} else {
pthread_yield();
}
}
while (!op_done.flag);

the cpaCyRsaDecrypt return success, but hang in qat_pause_job waiting for qat_rsaCallbackFn to wake up job, while qat_rsaCallbackFn must be trigger by ENGINE_ctrl_cmd(e, "POLL", 0, &poll_status, NULL, 0) in the same thread, deadloop! ...

the same mode works fine in old qat version(openssl 1.0.1 and async patch)

Is there any solutions? thanks
sorry,My English is bad, , if question is not described clear，Please point out ，thanks again

qat_engine in external polling

this does not work.
when in external polling mode, it failed to retrieve polling FD.
the issue is as follow:

after engine is inited, the eventPoll_ns is running. this thread needs to remove when external polling mode is enabled.
I have modified codes when external polling mode is enabled, it will first call qat_engine_finish before external_polling flag is set to one.
now, the issue is one of the qat instance is not running. I am still debugging this issue. If you can provide some suggestions, that is helpful.
thanks

Tseng

question about call QAT engine

hi,
I have installed QAT driver & QAT engine，and I can call QAT engine when I use openssl app.
Now , I want to call QAT engine to speed encryption and decryption when I call ssl in my program.
I have read some source code in openssl ,but didn‘t find a generic method.
I did not figure out whether to call the engine when use ssl.
I want to know how can I use QAT engine when I call ssl in my program?

Looking forward to your reply!
thanks!

SSL_write() fails and SSL_get_error returns SSL_ERROR_SYSCALL

Hi,

We are using Intel QAT engine. Openssl version: 1.0.1u, QAT package 0.4.11-056.

We are using QAT engine in event driven mode by calling:
ENGINE_ctrl_cmd( peng, "ENABLE_EVENT_DRIVEN_MODE", 0, NULL, NULL, 0 );
ENGINE_ctrl_cmd( peng, "ENABLE_POLLING", 0, NULL, NULL, 0 ) );

Application is multi threaded where each worker thread uses one instance of the QAT engine. We were comparing the performance of the application with and without QAT engine and found that the bandwidth achieved when using QAT engine is less than that achieved without QAT engine.

Currently, in case when QAT engine is enabled we are calling SSL_write() with third parameter as 2048 (i.e, 2KB) to write 2KB data at a time, where as this is 8KB when QAT is turned off.
When I change this length to 4KB or 8KB when QAT is enabled, then SSL_write() writes successfully few time (around 20 times) then it starts giving SSL_ERROR_SYSCALL. But there is absolutely no problem when we write only 2KB at a time, it will not return SSL_ERROR_SYSCALL anytime.

We poll the instance by calling
ENGINE_ctrl_cmd( gsQATEng.eng, "POLL", 0, &poll_status, NULL, 0 );
after every call to SSL_read and SSL_write to check if any pending request has response and handle it accordingly.

I am not getting why is SSL_write () failing when I use buffer > 2KB with error as SSL_ERROR_SYSCALL.

Please let me know if I am missing anything.

Thank you.

static library

Hi, i need to compile qat_engine in mode of static library, but i don't find corresponsive option in configuration.
Is there any way to do it?

Thanks,
Sam Lin

qat_dh_generate_key() Failed to allocated memory

Hi,
I am writing an HTTPS client/server application to test all ciphers from SSLv3 to TLSv1.2, but when I enabled all ciphers ( SSL_CTX_set_cipher_list(ssl_ctx, "ALL:eNULL");), It crashed in approxmately 10,000,000 connections done everytime, but the application works fine with software encryption/decryption, I turned debug on for QAT engine and OpenSSL, found the error message following:

ioctl_alloc_slab:876 ioctl call for mem allocation failed, ret = -1
[WARNING][qat_dh.c:299:qat_dh_generate_key()] Failed to allocate memory for pPV->pData
SSL error in qat_dh.c#300.
SSL error in ssl/statem/statem_srvr.c#1696.
SSL error in ssl/ssl_lib.c#1636.

My hardware/software info:
CPU: Intel Xeon E5-1650
RAM: 16G
Accelerator: Intel QAT 620
OS: Ubuntu 14.04 TLS (kernel 3.16.x)
driver: QAT1.7.Upstream.L.1.0.3_42.tar.gz (with USDM)
engine: QAT_Engine-0.5.29.tar.gz
OpenSSL 1.1.0f

question about QAT, Openssl 1.1.0e+Nginx 1.10.3

Dell R630 128GB E5-2660 v3 2.60GHz
Centos 7.2 kernel 3.10.0-327.36.3.el7.x86_64
Openssl1.1.0e + nginx1.10.3
dh895xcc_qa_dev0.conf, opensll.cnf, nginx.conf, those three conf files were used.

1, Openssl testing error, when I run openssl engine

/openssl engine
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
139663619606336:error:0E079065:configuration file routines:def_load_bio:missing equal sign:crypto/conf/conf_def.c:294:line 1

2, After I setup Nginx following readme, it doesn't work.

Statistics for Qat Instance 0 |
+--------------------------------------------------+
| Firmware Requests[AE 0]: 0 |
| Firmware Responses[AE 0]: 0

Could anyone kindly give me some advice.
Many thanks.

openssl engine -t -c -vvvv qat can not run

version:
kernel:3.10.0-327.el7.x86_64
openssl-1.1.0e
qatmux.l.2.6.0-60.tgz

openssl engine -t -c -vvvv qat error log following:

140290782750528:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:113:filename(/opt/xyz/ssl/lib/engines-1.1/qat.so): /opt/xyz/QAT/QAT1.6/build/libicp_qa_al_s.so: undefined symbol: SHA_Init
140290782750528:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:161:
140290782750528:error:260B6084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:414:
140290782750528:error:260BC066:engine routines:int_engine_configure:engine configuration error:crypto/engine/eng_cnf.c:141:section=qat_section, name=dynamic_path, value=/opt/xyz/ssl/lib/engines-1.1/qat.so
140290782750528:error:0E07606D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:173:module=engines, value=engine_section, retcode=-1
140290782750528:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:113:filename(/opt/xyz/ssl/lib/engines-1.1/qat.so): /opt/xyz/QAT/QAT1.6/build/libicp_qa_al_s.so: undefined symbol: SHA_Init
140290782750528:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:161:
140290782750528:error:260B6084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:414:
140290782750528:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:339:id=q

/etc/dh895xcc_qa_dev0.conf have replaced the ssl section with following:

#############################################
# User Process Instance Section
##############################################
[SHIM]
NumberCyInstances = 1
NumberDcInstances = 0
NumProcesses = 32
LimitDevAccess = 0
# Crypto - User space
Cy0Name = "UserCY0"
Cy0IsPolled = 1
Cy0CoreAffinity = 1

openssl.cnf following:

[root@test-ssl ~]# cat /opt/xyz/ssl/ssl/openssl.cnf
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
qat = qat_section
[qat_section]
engine_id = qat
dynamic_path = /opt/xyz/ssl/lib/engines-1.1/qat.so
default_algorithms = RSA

Bug reports

Hi there,

Actually there are 2 issues I found in the QAT1.6 driver and the nginx-1.10.0 async patch, I don't know where else to post the issues, so I have to post them here in QAT Engine project. If this is not a correct place, pls help me moving them into the correct one.

QAT1.6 driver built with OpenSSL 1.1.0 or later will not be loaded due to a 'undefined reference to SHA_Init' problem. After I dig into OpenSSL 1.1.0, I have not found 'SHA_Init', the API is not there anymore. The QAT1.6 driver I used is downloaded from 01org website, the latest one.
For nginx-patch of async use of QAT, the problem is the patch does not support the following style of nginx configuration file: listen 443 ssl;, it only supports the ssl on; directive. And no document mentions this situation, and this really caused me lots of time to resolve the problem.

QAT_Engine for older OpenSSL version

Hi,

My server has the DH89xx QAT module, and I am trying to use them to offload the crypto operations for SSL/ TLS.
Currently, it's not possible for me to update to OpenSSL 1.1.0 (the server is using 1.0.1 atm).
As you stated at this thread "#30", there is a qat engine for openssl 1.0.1, right?
If so, could you please give me a link to it? I have tried to look for it on google for a while but no luck.
Another things, do you have any plan to add the support for aes-gcm at the near future?

Thank you in advance!

Question about qat_engine_init

I have a question about a source of e_qat.c.
Can you please help me on this issue?

I want to develop NGINX which accelerated SSL processing using QAT Engine and OpenSSL 1.1.0 pre5 by EVENT_DRIVEN.
It is described in a document as follows.:

It must be sent if required after engine creation but before engine initialization. It should not be sent after engine initialization.

I think that Engine initialization is Engine_init.
Because qat_engine_init which is called by Engine_init finished all in the following logics, after I can not acquire FD using GET_POLLIG_FD.

/* Work around for fork case, finish engine in parent process */
if(initiator_pid == 0) {
    qat_engine_finish(e);
    qat_inited = 0;
    keep_polling = 1;
}

In a qat_engine_init source comment, I think that this considers master/worker process like NGINX.

Because qat_engine_init is called from CRYPTO_THREAD_run_once(&engine_lock_init, do_engine_lock_init);, it is called only once.
In other words it is never called in worker because it is initialized in master.

How should I initialize it?

QAT Performance with OpenSSL speed

Hi,
I'm trying to use the QAT Engine on my server.
Following your installation instruction, I've successfully built and installed the engine with OpenSSL 1.1.0f.
But when I tried to run the speed command, the result is quite low in comparison with what is reported on the whitepaper.
Here is the result I got:
With RSA2048
[root@atca2b5 bin]# taskset -c 5 ./openssl speed -engine qat -elapsed -async_jobs 36 rsa2048
engine "qat" set.
You have chosen to measure elapsed time instead of user CPU time.
Doing 2048 bit private rsa's for 10s: 56206 2048 bit private RSA's in 10.01s
Doing 2048 bit public rsa's for 10s: 988618 2048 bit public RSA's in 10.00s
OpenSSL 1.1.0f 25 May 2017
built on: reproducible build, date unspecified
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR=""/root/OpenSSL_1.1.0f/"" -DENGINESDIR=""/root/OpenSSL_1.1.0f/lib/engines-1.1"" -Wa,--noexecstack
sign verify sign/s verify/s
rsa 2048 bits 0.000178s 0.000010s 5615.0 98861.8

ECDSA-P256
sign verify sign/s verify/s
256 bit ecdsa (nistp256) 0.0001s 0.0002s 8123.2 4370.9

ECDH-P256
op op/s
256 bit ecdh (nistp256) 0.0001s 8617.1

My CPU: Intel(R) Xeon(R) CPU E5-2658 v2 @ 2.40GHz
QAT 8900 series
Config file is taken from multi_process_optimized directory.

The device used in the white paper is 8950 series, that might be the reason. But I do not expect the performance is such great difference. So I wonder if I did something wrong at the config stage.
Anyone have any idea about this?
Thank you in advance!

intel / qat_engine Goto Github PK

qat_engine's Introduction

Intel® QuickAssist Technology(QAT) OpenSSL* Engine

Features

Limitations and Known Issues

Requirements

Installation Instructions

Contiguous memory driver

User Space DMA-able Memory (USDM) Component

Example contiguous memory driver - qat_contig_mem

Shared Virtual Memory

Prerequisites

Build OpenSSL*

Build the Intel® QuickAssist Technology OpenSSL* Engine

Example Builds

Build Flag to enable plock optimization

Copy the Intel® QuickAssist Technology Driver config files for qat_hw

Test the Intel® QuickAssist Technology OpenSSL* Engine

Testing the Intel® QuickAssist Technology OpenSSL* Engine using OpenSSL* speed utility

Testing the Intel® QuickAssist Technology OpenSSL* Engine using testapp utility

Troubleshooting

Further Reading

Licensing Information

Legal

qat_engine's People

Contributors

Stargazers

Watchers

Forkers

qat_engine's Issues

ioctl_alloc_slab:876 ioctl call for mem allocation failed, ret = -1 [WARNING][qat_dh.c:299:qat_dh_generate_key()] Failed to allocate memory for pPV->pData SSL error in qat_dh.c#300. SSL error in ssl/statem/statem_srvr.c#1696. SSL error in ssl/ssl_lib.c#1636.

Recommend Projects

Recommend Topics

Recommend Org

ioctl_alloc_slab:876 ioctl call for mem allocation failed, ret = -1
[WARNING][qat_dh.c:299:qat_dh_generate_key()] Failed to allocate memory for pPV->pData
SSL error in qat_dh.c#300.
SSL error in ssl/statem/statem_srvr.c#1696.
SSL error in ssl/ssl_lib.c#1636.