topic Re: QAT with openssl patch in Embedded Intel® Core™ Processors

QAT with openssl patch

idata — Tue, 05 May 2015 06:45:56 GMT

Hi Everyone,

I got a problem with QAT.

First of all, I can install QAT software successfully.

Then I installed the patch of openssl, the QAT status will be down.

I got the error messages like this:

The relevant environment is:

OS: fedora 17 x64

kernel: 3.3.4

CPU: ATOM C2358、C2518

QAT ver: QAT1.5.L.1.3.0_92

openssl ver: openssl-1.0.1c

openssl patch: libcrypto-openssl-1.0.1c-async.L.0.4.4-008

libcrypto-openssl-1.0.1c-qat.L.0.4.4-008

And I also tried the newest version of QAT (1.8.0) and openssl patch (0.4.7-010), but I got same error messages.

Please HELP.

Thanks a lot !

Best Regards,

Re: QAT with openssl patch

idata — Tue, 05 May 2015 08:11:30 GMT

Hello Leo Yeh,

Welcome to the Intel® Embedded Community.

We are working on getting an answer to your question. Have a great day and we'll be talking with you soon!

Regards,

Leon

Re: QAT with openssl patch

idata — Mon, 11 May 2015 07:42:02 GMT

Hello Leo Yeh,

I saw this on the release notes of the openssl patch 0.4.7-010.

This release was validated on the following:

* Operating system: Fedora 16 64-bit version

* Kernel: GNU/Linux 3.1

More information about software requirements can be found in Chapter 1.4 of the Application Note.

https://www-ssl.intel.com/content/www/us/en/embedded/technology/quickassist/libcrypto-open-ssl-qat-sample-patch-stable-release-0-4-7-010.html?wapkw=libcrypto*+%28openssl*%29+sample+patch+for+intel%c2%ae+quickassist+technology libcrypto* Sample Patch for Intel® QuickAssist Technology

Regards,

Leon

Re: QAT with openssl patch

idata — Mon, 11 May 2015 09:10:44 GMT

Hi Leon,

Thanks first.

Actually I tried this environment (fedora 17 x64 with 3.3.4 kernel) on the platform (C2758) before, and it works !

So I just moved the HDD to the platform (C2518), and it doesn't work...

So I don't get it...

Maybe it is a hardware issue or BIOS ?

Best regards,

Leo

Re: QAT with openssl patch

idata — Tue, 12 May 2015 09:02:19 GMT

Hello Leo Yeh,

Awesome!

It's great to hear that you managed to have it working on this environment (Fedora 17 x64, Kernel 3.3.4).

I would think that the issue would be more on the hardware rather that the BIOS let's say if they have the same BIOS.

The fact is both chips are still different even though both of them fall in the same family.

Regards,

Leon

Re: QAT with openssl patch

idata — Tue, 12 May 2015 10:21:20 GMT

Hi Leon,

Yeah I know.

According to the Intel website, the chip C2518 should support QAT , is that right ?

In fact, my point is why it doesn't work once we install the openssl patch...

Best regards,

Leo

Re: QAT with openssl patch

idata — Wed, 13 May 2015 02:36:33 GMT

Hi Leo Yeh,

Yes, C2518 support QAT and according to the application notes in https://www-ssl.intel.com/content/www/us/en/embedded/technology/quickassist/libcrypto-open-ssl-qat-sample-patch-stable-release-0-4-7-010.html?wapkw=libcrypto*+%28openssl*%29+sample+patch+for+intel%c2%ae+quickassist+technology libcrypto* Sample Patch for Intel® QuickAssist Technology

Successful operation of this release requires a software tool chain that supports OpenSSL 1.0.1async, for example, Fedora 16. This release was

validated on the following:

* Operating system: Fedora 16 64-bit version

* Kernel: GNU/Linux 3.1

* OpenSSL 1.0.1 asynch branch (based on OpenSSL 1.0.1j)

* Intel® Communications Chipset 89xx Series Software for Linux*: QATmux version 1.1 / QAT1.5 version 1.5 / QAT1.6 version 2.0

* Intel® Atom™ Processor C2000 Product Family for Communications Infrastructure Software for Linux* version 1.1

Have tried running it under this environment?

Regards,

Leon

Re: QAT with openssl patch

idata — Wed, 13 May 2015 10:20:14 GMT

Hi Leon,

I remember that I have tried you said.

However, I will double check and retry this environment.

If I get something, I will update the situation at here.

Thanks a lot !

Best regards,

Leo

Re: QAT with openssl patch

FSkal1 — Mon, 06 Jul 2015 07:32:34 GMT

Hi,

two weeks ago, i applied for privileged access for our company.

In the meantime i read the openssl patch and have some questions. (Hope this will be answered when having privileged access)

I have setup the exact environment, which should be support for the openssl patch, but ...

I read the README, which tells me to disable async_prf and enable

openssl speed works

Linking a third party works, but:

whenever a cipher will be initialized, the program will hang and the libcrypto call will fail, with active qat engine.

A thread problem then will be reported and the program terminates. (EINVAL (22) on pthread_mutex_lock)

There are some # define tweaks in the qat engine. e_qat.c shows, that there must be some threading issue:

# USE_PTHREAD_YIELD is commented. etc. etc.

Will try some combinations.

It would be great to have privileged access to ask some more questions about threading, polling etc.

Rgds.

Franz

Re: QAT with openssl patch

FSkal1 — Mon, 06 Jul 2015 08:04:20 GMT

Hi again,

please explain, why the Configure Script will be patched to disable ASYNCH and SYNCH DIGESTS ! (After Patch)

For me, it's pretty uselesse, when disabling the DIGEST functions.

What's the intention ?

Snip from the Configure (patched)

$cflags .= ' -I'.$icp_eng_qat_dir.' -I'.$icp_api_dir.' -I'.$icp_lac_api_dir.' -DOPENSSL_QAT_ASYNCH -DOPENSSL_DISABLE_QAT_DIGEST_ASYNCH -DOPENSSL_DISABLE_QAT_DIGEST_SYNCH -DOPENSSL_DISABLE_QAT_OFFLOAD_RAND -DOPENSSL_DISABLE_QAT_PRF_ASYNCH';

Rgds.

Franz

Re: QAT with openssl patch

Natalie_Z_Intel — Mon, 06 Jul 2015 18:14:28 GMT

Hi, Franz! You now have Privileged account on the EDC which allows you to access Intel Confidential content that is posted on the EDC. Hope this helps!

LynnZ

Re: QAT with openssl patch

idata — Wed, 08 Jul 2015 17:38:59 GMT

Thanks for bringing this to our attention, we are currently working on resolving this issue.

Thank You!

Re: QAT with openssl patch

STEVEN_L_Intel — Thu, 09 Jul 2015 21:48:59 GMT

Hi FranzCC,

Thankyou for the question regarding why Digest offload operations are disabled by default in the QAT OpenSSL patch.

Currently there are several reasons why digests are disabled by default:

1) The sort of small digest operations that make up typical SSL streams are quite efficient to perform on core, as such there is only marginal payback from offloading them to an accelerator.

2) There are some issues with the asynch stack implementation around performing cipher operations followed by digest operations. There is a section towards the end of the README.txt file supplied with the QAT OpenSSL patch that describes why digest operations have been disabled.

If you are running synchronously then it is perfectly safe to re-enable synchronous digest offload via the OPENSSL_ENABLE_QAT_DIGEST_SYNCH flag, although I would suggest you measure performance/cpu usage before and after enablement in order to determine whether you see any benefit from the digest offload in your use case.

Also if your application links straight to libCrypto and is not using the libSSL interfaces then it is perfectly safe to enable either synchronous or asynchronous digests as the issue lies in the libSSL asynchronous stack and not in the engine code.

One other point to note is that if you use ciphers AES128-SHA or AES256-SHA these result in calling more efficient implementations of what are called chained ciphers. In these particular cases you'll end up using:

NID_aes_128_cbc_hmac_sha1

NID_aes_256_cbc_hmac_sha1

In our engine these chained ciphers will offload both the cipher and digest operations in one go so are far more efficient (see qat_chain.c for further details).

Chained operations are unaffected by the issues above and will still be used whether offloaded digests are enabled or disabled as you cannot separate them from the cipher operation.

Hope that information is useful.

Kind Regards,

Steve.

Re: QAT with openssl patch

idata — Fri, 24 Jul 2015 01:35:36 GMT

Hi everyone,

i got the root cause.

that is, the C2358 has only one QAT engine for only one instance.

In the original conf, it uses cy0 and cy1 which is not matching in C2358 case.

so, just modified the file named c2xxx_qa_dev0.conf, and now it works!

thanks all !

Best Regards,

Re: QAT with openssl patch

idata — Fri, 24 Jul 2015 21:45:08 GMT

Hi Leo_Yeh,

Great to know you solved this issue. Thanks for posting the solution!

Best regards,

Jimmy.