Userspace 2015 | Dublin
A Symmetric Cryptography framework for DPDK
project scope
• mbuf burst oriented APIs for enqueuing and dequeuing of cryptographic workloads
on devices.
• Creation of a symmetric Crypto API and device framework which is independent of
the crypto device implementation.
• Support for chaining of crypto cipher and hash transforms in a single operation
request.
• Session based and session-less crypto operations.
scheduling crypto workloads
• Fundamentally, the DPDK crypto framework supports the scheduling of symmetric
crypto operations using mbuf burst-oriented asynchronous APIs, in the same vein
as our ethdev rx/tx burst functions.
uint16_t rte_cryptodev_enqueue_burst(uint8_t dev_id, uint16_t qp_id,
        struct rte_mbuf **pkts, uint16_t nb_pkts);
uint16_t rte_cryptodev_dequeue_burst(uint8_t dev_id, uint16_t qp_id,
        struct rte_mbuf **pkts, uint16_t nb_pkts);
• A new crypto operation pointer and a new offload flag, PKT_TX_CRYPTO_OP, have
been added to the mbuf structure; both have to be set in the mbuf before a crypto
operation can be requested.
crypto primitives
/** Symmetric Cipher Algorithms */
enum rte_crypto_cipher_algorithm {
    RTE_CRYPTO_SYM_CIPHER_NULL,
    RTE_CRYPTO_SYM_CIPHER_AES_CBC,
    RTE_CRYPTO_SYM_CIPHER_AES_GCM,
    ...
};
/** Symmetric Cipher Direction */
enum rte_crypto_cipher_operation {
    RTE_CRYPTO_SYM_CIPHER_OP_ENCRYPT,
    RTE_CRYPTO_SYM_CIPHER_OP_DECRYPT
};
/** Symmetric Authentication / Hash Algorithms */
enum rte_crypto_auth_algorithm {
    RTE_CRYPTO_SYM_HASH_NONE,
    RTE_CRYPTO_SYM_HASH_SHA1,
    RTE_CRYPTO_SYM_HASH_SHA1_HMAC,
    RTE_CRYPTO_SYM_HASH_SHA224,
    ...
};
/** Symmetric Authentication / Hash Operations */
enum rte_crypto_auth_operation {
    RTE_CRYPTO_SYM_HASH_OP_DIGEST_VERIFY,
    RTE_CRYPTO_SYM_HASH_OP_DIGEST_GENERATE
};
crypto transforms
/** Crypto transform structure. */
struct rte_crypto_xform {
    struct rte_crypto_xform *next;
    enum rte_crypto_xform_type type;
    union {
        struct rte_crypto_auth_xform auth;
        struct rte_crypto_cipher_xform cipher;
    };
};
/** Authentication Transform parameters */
struct rte_crypto_auth_xform {
    enum rte_crypto_auth_operation op;
    enum rte_crypto_auth_algorithm algo;
    struct rte_crypto_key key;
    uint32_t digest_length;
    uint32_t add_auth_data_length;
};
/** Cipher Transform parameters */
struct rte_crypto_cipher_xform {
    enum rte_crypto_cipher_operation op;
    enum rte_crypto_cipher_algorithm algo;
    struct rte_crypto_key key;
};
session management
• Sessions are used to manage information such as expanded cipher keys and HMAC
IPADs and OPADs, which need to be calculated for a particular crypto operation but
are immutable on a packet-to-packet basis for a flow.
• Crypto sessions cache this immutable data in an optimal way for the underlying PMD,
and this allows further acceleration of the offload of crypto workloads.
struct rte_cryptodev_session *
rte_cryptodev_session_create(uint8_t dev_id, struct rte_crypto_xform *xform);
struct rte_cryptodev_session *
rte_cryptodev_session_free(struct rte_cryptodev_session *session);
session pool management
• The crypto device framework provides a set of session pool management APIs for the
creation and freeing of sessions.
• The framework also provides hooks so that a PMD can pass the amount of memory
required for its private session parameters, as well as initialization functions
for the configuration of the session parameters and a freeing function so the PMD can
manage the memory on destruction of a session.
• Sessions created on a particular device can only be used on crypto devices of the
same type; if you try to use a session on a device different to that on which it was
created, the crypto operation will fail.
crypto operations
• Crypto operation data structures must be attached to each mbuf which you wish to
apply a crypto transform to.
• It specifies the offsets and length of the data into the mbuf payload which is to be
operated on.
• It contains pointers to the IV, digest and additional authentication data, set as
required, which can be in the mbuf or at a different memory location. When using a
hardware accelerator, the physical addresses must be set for these parameters.
• Finally the crypto operation contains either a pointer to the crypto session or in the
case of a session-less operation a pointer to the first element of a xform chain.
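A bounds check a caller could run on these per-packet offsets before enqueue, for the AES-CBC plus HMAC case (added example, not code from the slides or from DPDK). The op_layout struct, check_op_layout() and the verdict codes are hypothetical, and it assumes the IV, data and digest all sit in one contiguous mbuf payload.

```c
#include <stdint.h>

#define AES_BLOCK 16u

/* Hypothetical view of the per-packet fields the slide lists: byte ranges
 * inside one contiguous mbuf payload. Not DPDK's crypto op layout. */
struct region { uint32_t off, len; };
struct op_layout { struct region iv, cipher, auth, digest; };

enum op_verdict {
    OP_OK, OP_OUT_OF_BOUNDS, OP_BAD_IV, OP_BAD_CIPHER_LEN,
    OP_CIPHER_NOT_AUTHENTICATED, OP_BAD_DIGEST
};

/* Overflow-safe: never computes off + len, which could wrap in 32 bits. */
static int in_bounds(struct region r, uint32_t total)
{
    return r.off <= total && r.len <= total - r.off;
}

/* Is inner fully inside outer? Both must already have passed in_bounds(). */
static int covers(struct region outer, struct region inner)
{
    return inner.off >= outer.off &&
           inner.off + inner.len <= outer.off + outer.len;
}

static int overlaps(struct region a, struct region b)
{
    return a.len && b.len &&
           a.off < b.off + b.len && b.off < a.off + a.len;
}

enum op_verdict check_op_layout(const struct op_layout *op, uint32_t payload_len)
{
    if (!in_bounds(op->iv, payload_len) || !in_bounds(op->cipher, payload_len) ||
        !in_bounds(op->auth, payload_len) || !in_bounds(op->digest, payload_len))
        return OP_OUT_OF_BOUNDS;
    if (op->iv.len != AES_BLOCK)
        return OP_BAD_IV;
    /* CBC works on whole blocks; a ragged length means a framing bug. */
    if (op->cipher.len == 0 || op->cipher.len % AES_BLOCK != 0)
        return OP_BAD_CIPHER_LEN;
    /* Every ciphertext byte and the IV must fall under the digest,
     * otherwise part of the packet can be altered without detection. */
    if (!covers(op->auth, op->iv) || !covers(op->auth, op->cipher))
        return OP_CIPHER_NOT_AUTHENTICATED;
    /* The digest must exist and must not sit inside the data it covers. */
    if (op->digest.len == 0 || overlaps(op->digest, op->auth))
        return OP_BAD_DIGEST;
    return OP_OK;
}

int main(void)
{
    /* Constructed ESP-like packet: 8-byte header, 16-byte IV, 64 bytes of
     * ciphertext, then a 20-byte digest. Order: iv, cipher, auth, digest. */
    struct op_layout op = { {8, 16}, {24, 64}, {0, 88}, {88, 20} };
    return check_op_layout(&op, 108) == OP_OK ? 0 : 1;
}
```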
crypto operations
[Diagram: an mbuf (header, headroom, payload carrying IV, data and digest) with its crypto_op (cipher data offset/len, IV data/len, auth data offset/len, digest data/len, add data/len, session pointer, xform chain) and the cryptodev_session (header, private session data).]
• We can pre-allocate xform structs if we are using session-less operations.
operation pools
• Crypto operations are assigned on a per-packet basis and therefore need to be
allocated in the data path, so we have created some pktmbuf-like functions for
managing pre-allocated crypto operation mempools.
• Note that the pool create function takes an nb_xforms parameter; this can be used to
allocate memory for xform chains if you are planning on using session-less
operations.
struct rte_mempool *rte_crypto_op_pool_create (const char *name, unsigned nb_ops,
unsigned cache_size, unsigned nb_xforms, int socket_id);
struct rte_crypto_op_data *rte_crypto_op_alloc (struct rte_mempool *mp);
void rte_crypto_op_free (struct rte_crypto_op_data *op);
session-less operations
• This allows crypto operations to be submitted to a crypto device without the need to
have created a cached session.
struct rte_crypto_op_data * rte_crypto_op_alloc_sessionless (struct rte_mempool *mp,
unsigned nb_xforms);
• Returns a crypto op with the session-less flag set and the transform chain pointers set up.
• The user is required to set the transform type and populate the parameters needed.
crypto_op->xform->type = RTE_CRYPTO_XFORM_CIPHER;
crypto_op->xform->next->type = RTE_CRYPTO_XFORM_HASH;
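A pre-submission check on a session-less transform chain (added example, not code from the slides or from DPDK): it accepts only a keyed hash, matching cipher and digest directions, and encrypt-then-MAC order. The types are local, trimmed copies of the slide declarations; check_chain(), its verdict codes and the ordering policy are assumptions of this example.

```c
#include <stddef.h>

/* Local, trimmed copies of the slide declarations (keys, lengths and
 * AES_GCM left out: the slides do not show how AEAD is chained). */
enum rte_crypto_xform_type { RTE_CRYPTO_XFORM_CIPHER, RTE_CRYPTO_XFORM_HASH };
enum rte_crypto_cipher_algorithm {
    RTE_CRYPTO_SYM_CIPHER_NULL, RTE_CRYPTO_SYM_CIPHER_AES_CBC
};
enum rte_crypto_cipher_operation {
    RTE_CRYPTO_SYM_CIPHER_OP_ENCRYPT, RTE_CRYPTO_SYM_CIPHER_OP_DECRYPT
};
enum rte_crypto_auth_algorithm {
    RTE_CRYPTO_SYM_HASH_NONE, RTE_CRYPTO_SYM_HASH_SHA1,
    RTE_CRYPTO_SYM_HASH_SHA1_HMAC, RTE_CRYPTO_SYM_HASH_SHA224
};
enum rte_crypto_auth_operation {
    RTE_CRYPTO_SYM_HASH_OP_DIGEST_VERIFY, RTE_CRYPTO_SYM_HASH_OP_DIGEST_GENERATE
};
struct rte_crypto_auth_xform {
    enum rte_crypto_auth_operation op;
    enum rte_crypto_auth_algorithm algo;
};
struct rte_crypto_cipher_xform {
    enum rte_crypto_cipher_operation op;
    enum rte_crypto_cipher_algorithm algo;
};
struct rte_crypto_xform {
    struct rte_crypto_xform *next;
    enum rte_crypto_xform_type type;
    union {
        struct rte_crypto_auth_xform auth;
        struct rte_crypto_cipher_xform cipher;
    };
};

/* Hypothetical verdicts for the policy check below. */
enum chain_verdict {
    CHAIN_OK, CHAIN_MALFORMED, CHAIN_UNAUTHENTICATED,
    CHAIN_DIRECTION_MISMATCH, CHAIN_ORDER
};

/* Hypothetical policy: at most one cipher and one hash, the hash must be
 * keyed, and the chain order must be encrypt-then-MAC. */
enum chain_verdict check_chain(const struct rte_crypto_xform *head)
{
    const struct rte_crypto_xform *c = NULL, *a = NULL, *x;
    int n = 0, enc, gen;

    for (x = head; x != NULL; x = x->next) {
        if (++n > 2)
            return CHAIN_MALFORMED;      /* too long, or a cycle */
        if (x->type == RTE_CRYPTO_XFORM_CIPHER && c == NULL)
            c = x;
        else if (x->type == RTE_CRYPTO_XFORM_HASH && a == NULL)
            a = x;
        else
            return CHAIN_MALFORMED;      /* duplicate or unknown type */
    }
    /* Only a keyed digest authenticates: no hash, HASH_NONE and plain
     * SHA1/SHA224 all leave the data forgeable. Empty chain: malformed. */
    if (a == NULL || a->auth.algo != RTE_CRYPTO_SYM_HASH_SHA1_HMAC)
        return n ? CHAIN_UNAUTHENTICATED : CHAIN_MALFORMED;
    if (c == NULL)
        return CHAIN_OK;                 /* authentication-only chain */
    enc = c->cipher.op == RTE_CRYPTO_SYM_CIPHER_OP_ENCRYPT;
    gen = a->auth.op == RTE_CRYPTO_SYM_HASH_OP_DIGEST_GENERATE;
    if (enc != gen)
        return CHAIN_DIRECTION_MISMATCH; /* e.g. decrypt + generate */
    /* Outbound: cipher, then digest over the ciphertext.
     * Inbound: verify the digest, then decrypt. */
    if ((enc && head != c) || (!enc && head != a))
        return CHAIN_ORDER;
    return CHAIN_OK;
}
```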
Implemented PMDs
AES-NI multi-buffer PMD
• A purely software based PMD.
• Takes advantage of the Advanced Encryption Standard New Instructions (AES-NI)
to improve the speed of performing AES encryption and decryption on
core.
• The PMD is a lightweight wrapper around the multi-buffer library.
• It also leverages the vectorised instructions to further accelerate both cipher and
authentication processing.
• Whitepaper: http://www.intel.com/content/www/us/en/intelligent-systems/intel-technology/fast-multi-buffer-ipsec-implementations-ia-processors-paper.html
• Download: https://downloadcenter.intel.com/download/22972
QAT PMD
• PMD is a data path driver for Intel’s QuickAssist Technology, specifically supporting the
DH89xx series (Coleto Creek) of accelerators.
• Provides up to 50 Gbps of bulk crypto.
• Cryptographic Primitives Supported
    • Symmetric ciphers: AES, 3DES/DES, RC4, Kasumi, Snow3G …
    • Message Digest/Hash (MD5, SHA1, SHA2) and Authentication (HMAC, AES-XCBC)
    • Algorithm Chaining (One Cipher and one Hash in a single operation) and
    Authenticated Encryption (AES-GCM, AES-CCM)
    • Public key cryptography: RSA, DSA, DH, ECDSA, ECDH
• Data Compression Primitives Supported
    • Compression and Decompression
    • Algorithms: Deflate (LZ77 plus Huffman coding with gzip or zlib header)
    • Stateful and stateless compression and decompression
QAT PMD
• Still requires the PF kernel driver.
• Enabling SR-IOV on the QAT device to expose multiple VFs.
• Can support up to 32 VFs.
• Supports 2 queue pairs per VF.
• Reserved space to allow compression and asymmetric queue pairs to be added at a
later date.
• 64 queue pairs - each VF has 2 symmetric queue pairs.
[Diagram: IA and the DH895x symmetric crypto service; a Symmetric Service Arbiter (WRR) serves queue pairs 0 and 1 on VF0 through 62 and 63 on VF31.]
Performance
Throughput performance
• Added performance tests to the examples/test applications to allow
measurement of baseline performance on your platform.
• RTE>>cryptodev_qat_perftest
• RTE>>cryptodev_aesni_mb_perftest
• Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz
• Intel® QuickAssist Adapter 8950 (PCIe Gen 3 x8)
Single core throughput test
[Chart: AES128_CBC_SHA256_HMAC throughput (Gbps) against packet size; series: AES-NI multi-buffer and QAT.]
Future Work
future work
• Adding asymmetric crypto to data path.
• Development of a DPDK-accelerated IPsec solution based on the BSD kernel
stack.

Symmetric Crypto for DPDK - Declan Doherty
