![QAT Algorithms
Symmetric cryptography functions include: cipher operations (AES, DES, 3DES,
ARC4); wireless (Kasumi, Snow 3G, ZUC (QAT1.7+)); hash/authenticate
operations (SHA-1, MD5; SHA-2 [SHA-224, SHA-256, SHA-384, SHA-512], SHA-
3 (QAT1.7+)); authentication (HMAC, AES-XCBC, AES-CCM); AES-XTS (QAT1.6+)
Public Key functions include: RSA operation; Diffie-Hellman operation; digital
signature standard operation; key derivation operation; elliptic curve
cryptography (ECDSA and ECDH); and prime number testing.
Compression/decompression includes: DEFLATE/INFLATE](https://image.slidesharecdn.com/qatlabmarch18w09qatexternallabrev13-180327011007/85/Intel-QuickAssist-Technology-Introduction-Applications-and-Lab-Including-OpenSSL-NGINX-and-HAProxy-8-320.jpg)
![Low Level APIs for Accessing Services
API When to use OS environments supported
Intel® QuickAssist
Technology
Traditional
• Original API, recommended for most cases
• Can be used to access all services and features
• Linux
• FreeBSD
Intel® QuickAssist
Technology Data
Plane
• Optimized for data plane applications (reduced
offload cost) by using physical addressing,
supporting batching and MMIO amortization, etc.
• Supports a subset of symmetric crypto and
compression
• Constraints: asynchronous only, polling only, not
thread-safe, no support for stateful operation
• Linux user space
• FreeBSD
DPDK cryptodev • For DPDK applications, e.g. IPsec
• Offers DPDK PMD-like semantics, e.g. buffers
passed as mbufs, batch submission, etc.
• Supports symmetric crypto only1
• DPDK
[1] May be extended for other services in future](https://image.slidesharecdn.com/qatlabmarch18w09qatexternallabrev13-180327011007/85/Intel-QuickAssist-Technology-Introduction-Applications-and-Lab-Including-OpenSSL-NGINX-and-HAProxy-21-320.jpg)
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including OpenSSL, NGINX, and HAProxy
- 1. Joel Auernheimer, Application Engineer, Communications Infrastructure Division
- 2. Agenda QAT: Overview QAT: Applications QAT: Call to Action Questions and advanced topics
- 4. Intel® QuickAssist Technology Overview QAT provides security (encryption) HW acceleration and compression HW acceleration QAT makes use of a set of APIs to abstract out the hardware, so the same application can run on multiple generations of QAT hardware Customers can also make use of patches that we have provided to popular open source software, so they can minimize or eliminate their effort to learn the API
- 5. Supported Hardware Intel® Communications Chipset 89xx series (formerly known as Cave Creek and Coleto Creek) (PCH+QAT or QAT endpoint only), plus add-in cards (QAT1.5 and QAT1.6) Intel® Atom™ Processor C2000 Product Family for Communications Infrastructure (SoC) (QAT1.5) Intel® C62x Chipset, plus add-in cards (QAT1.7) Intel® Atom™ Processor C3000 Product Family (QAT1.7) Intel® Xeon® Processor D Family (QAT1.7) And more More information (including performance numbers) is available in the product briefs on ark.intel.com https://networkbuilders.intel.com/blog/securing-networks-billions-of-things-exabytes-of- data-with-100-gbps-of-performance
- 6. Getting Started with QAT Follow our “Quick Start Guide” at https://01.org/intel-quickassist-technology Step 1: Get QAT hardware Step 2: Get acquainted with the available resources – Intel® QuickAssist Technology Main - www.intel.com/quickassist – Intel® QuickAssist Technology 01.org Technical Collateral & Applications - https://01.org/intel-quickassist-technology – To Learn how to use Intel® QuickAssist Technology and run example code, review our tutorial videos on Intel Developer Zone –Intel® QuickAssist Technology Technical Getting Started Tutorials - https://software.intel.com/en-us/networking/quickassist Step 3: Follow our Getting Started Guide – Find the correct Getting Started Guide: – For released products: https://01.org/intel-quickassist-technology – Follow the instructions to install the QAT software and run the performance sample code
- 7. Offloading to QAT frees up CPU cores! QAT endpoints show up as a PCIe Device Exposes request/response ring interface User application allocates memory and puts input data (including payload, keys...) in DRAM QAT API is called API handles DMA, etc Poll or interrupt for result Take advantage of QAT parallelism
- 8. QAT Algorithms Symmetric cryptography functions include: cipher operations (AES, DES, 3DES, ARC4); wireless (Kasumi, Snow 3G, ZUC (QAT1.7+)); hash/authenticate operations (SHA-1, MD5; SHA-2 [SHA-224, SHA-256, SHA-384, SHA-512], SHA- 3 (QAT1.7+)); authentication (HMAC, AES-XCBC, AES-CCM); AES-XTS (QAT1.6+) Public Key functions include: RSA operation; Diffie-Hellman operation; digital signature standard operation; key derivation operation; elliptic curve cryptography (ECDSA and ECDH); and prime number testing. Compression/decompression includes: DEFLATE/INFLATE
- 9. Selected QAT Documentation Using Intel® Virtualization Technology (Intel® VT) with Intel® QuickAssist Technology Application Note Using Intel® QuickAssist Technology in Linux Container and Docker Intel® QuickAssist Technology API Programmer's Guide Intel® QuickAssist Technology Cryptographic API Reference Manual Intel® QuickAssist Technology Data Compression API Reference Manual Intel® QuickAssist Technology - Performance Optimization Guide Intel® QuickAssist Technology Software for Linux* - Programmer's Guide
- 10. Intel® QuickAssist Technology - Proof-Points • F5 BIG-IP Solution Brief w/QuickAssist - http://www.intel.com/content/www/us/en/data-center/xeon-e5-v3-f5-networks-scale- performance-solution-brief.html • IBM v7000Z w/QuickAssist: - http://www.intel.com/content/www/us/en/storage/ibm-storwize-v7000-quick-assist- technology-video.html
- 11. QAT:Applications
- 12. Intel® QuickAssist Technology Applications OpenSSL, for asynchronous accelerators, with QAT_engine: https://github.com/intel/QAT_Engine/ NGINX: https://github.com/intel/asynch_mode_nginx HAProxy: http://www.haproxy.org/ QATzip: https://github.com/intel/QATzip Hadoop (via QATzip) DPDK cryptodev
- 13. DPDK Crypto Stack DPDK exposes symmetric crypto services via the cryptodev API – Supports software and hardware (offload) implementations – One stop shop for best of Intel crypto on DPDK – Provides Poll Mode Drivers for Intel® QuickAssist Technology Upstreamed to DPDK.org Used by IPsec sample application QAT PMD cryptodev cryptodev API AES-NI PMD, … ethdev Ethernet PMD ethdev API Sample Application, e.g. IPsec cryptodev producer APIethdev producer API QAT driver (in-tree) User Space Kernel Space
- 14. CALL TO ACTION Follow our “Quick Start Guide” at https://01.org/intel-quickassist-technology Step 1: Get QAT hardware Step 2: Get acquainted with the available resources – Intel® QuickAssist Technology Main - www.intel.com/quickassist – Intel® QuickAssist Technology 01.org Technical Collateral & Applications - https://01.org/intel-quickassist-technology – To Learn how to use Intel® QuickAssist Technology and run example code, review our tutorial videos on Intel Developer Zone –Intel® QuickAssist Technology Technical Getting Started Tutorials - https://software.intel.com/en-us/networking/quickassist Step 3: Follow our Getting Started Guide – Find the correct Getting Started Guide: – For released products: https://01.org/intel-quickassist-technology – Follow the instructions to install the QAT software and run the performance sample code
- 15. Questions???
- 16. Knowledge Check and advanced topics T/F: QAT is part of all CPUs? Explain: QAT is a “black box” Explain: QAT can operate in “endpoint-only mode” Where is the QAT documentation? What software works with QAT out of the box? Where are the configuration files located? Why are configuration files needed? Under what conditions might I see less than Intel’s best performance numbers for a particular product? How do I upgrade QAT firmware?
- 17. Knowledge Check and advanced topics (cont’d) How do I show that QAT is working on a particular platform? What Linux kernels are supported?
- 18. Operating System Support Linux • Fully validated on RHEL 7.x • Smoke-tested on various versions of RHEL, CentOS, Fedora, SUSE, Ubuntu FreeBSD 10, 11
- 19. Service Instances At the Intel® QuickAssist Technology API, we abstract queue pairs using the concept of service instances To use a service, an application must first get a handle to a service instance Corresponds to one or more queue pairs – A data compression instance contains 1 queue pair – By default, a cryptographic instance contains 2 queue pairs, one for each sub-service of crypto (symmetric crypto, public key crypto) Configurable Items (via config file) Queue depth (for each queue) Number of instances per device (limited by available rings), for example: – One per address space (e.g. user space processes) – One per software or hardware thread (logical core), to avoid contention
- 20. DMA-able Memory Memory passed to Intel® QuickAssist Technology hardware must be DMA’able Physically contiguous (can also deal with SGLs) Physically addressed – If VT-d is enabled (e.g. in virtualized system), then Intel IOMMU will translate to host physical addresses as needed Pinned (i.e. locked, guaranteed resident in physical memory) Intel provides a User Space DMA-able Memory (USDM) component (kernel driver and corresponding user space library) which Allocates/frees DMA-able memory, mapped to user space Performs virtual to physical address translation on memory allocated by this library This component is used by the sample code supplied with the user space library.
- 21. Low Level APIs for Accessing Services API When to use OS environments supported Intel® QuickAssist Technology Traditional • Original API, recommended for most cases • Can be used to access all services and features • Linux • FreeBSD Intel® QuickAssist Technology Data Plane • Optimized for data plane applications (reduced offload cost) by using physical addressing, supporting batching and MMIO amortization, etc. • Supports a subset of symmetric crypto and compression • Constraints: asynchronous only, polling only, not thread-safe, no support for stateful operation • Linux user space • FreeBSD DPDK cryptodev • For DPDK applications, e.g. IPsec • Offers DPDK PMD-like semantics, e.g. buffers passed as mbufs, batch submission, etc. • Supports symmetric crypto only1 • DPDK [1] May be extended for other services in future
- 22. Memory Buffer Types Flat Buffers (defined in the file cpa.h) “Traditional” API: CpaFlatBuffer – pData is a virtual address “Data Plane” API: CpaPhysFlatBuffer – pData is a physical address Buffer Lists (also defined in cpa.h) “Traditional” API: CpaBufferList – pMetaData is allocated by user (first call cpaCyBufferListGetMetaSize), and populated by implementation to point to a CpaPhysBufferList (used by Intel® QuickAssist Technology device) “Data Plane” API: CpaPhysBufferList