Embedded Intel® Core™ Processors
Communicate Intel® Core™ Hardware, Software, Firmware, Graphics Concerns

QAT with openssl apache

jwang1141
Novice
5,734 Views

Hello

With reference to the page https://01.org/zh/packet-processing/intel%C2%AE-quickassist-technology-drivers-and-patches?langredirect=1 https://01.org/zh/packet-processing/intel%C2%AE-quickassist-technology-drivers-and-patches?langredirect=1

I have installed https://01.org/sites/default/files/page/qatmux.l.2.3.0-34.tgz Intel® QuickAssist Technology Driver (L.2.3.0-34) and openssl sample patch.

It works fine if I use the commands below

openssl s_server -state -cert /etc/apache/conf/ssl.crt/server.crt -key /etc/apache/conf/ssl.key/server.key -engine qat -WWW -accept 4411

and for client

openssl s_client -state -host 10.71.42.5 -cipher RSA -port 443

But if I use apache with mod-ssl SSLCryptoDevice qat, https connections will not work (tried on several web browsers)

Is the sample code provided by Intel enough for us to run https with apache (version 2.2.11)?

Or would I need modification to the code of apache ?

23 Replies
Josue_C_Intel
Employee
1,818 Views

Hello Jianan Wang.

Welcome to Intel® Embedded Community.

We are checking your thread and will post an update as soon as possible.

Regards.

Josue.

0 Kudos
Josue_C_Intel
Employee
1,818 Views

Hello Jianan Wang.

Could you please provide us your processor's S-Spec number?

Regards.

Josue.

0 Kudos
jwang1141
Novice
1,818 Views

Hello jc

Thank you very much.

My processor is "Intel(R) Atom(TM) CPU C2358"

Regards,

Jianan

0 Kudos
Josue_C_Intel
Employee
1,818 Views

Hello Jianan Wang.

 

According to section 1.0 Description of Release from https://01.org/sites/default/files/page/330683-006_qat_relnotes.pdf Intel® QuickAssist Technology Software Package Version: QATmux.L.2.3.0-34 Release Notes

 

This software release is intended for platforms that contain:

- Intel® Communications Chipset 8900 to 8920 Series

- Intel® Communications Chipset 8925 to 8955 Series

Which Chipset are you using?

Please note that according to Table 2. Operating System Support: Intel® QuickAssist Accelerator software is validated on Fedora* 16

Please make sure to use the correct package version:

— "QAT1.5" for use with Intel® Communications Chipset 8900 to 8920 Series

— "QAT1.6" for use with Intel® Communications Chipset 8925 to 8955 Series

Best Regards.

Josue.

0 Kudos
jwang1141
Novice
1,818 Views

Hello jc

Sorry for double post. Could you please help me ?

This document(2008) http://www.intel.com.tw/content/www/tw/zh/intelligent-systems/tolapai/ep80579-openssl-apache-linux-appl-note.html Installing Accelerated OpenSSL* and Apache* on Linux*: App Note is similar to the thing what i want to do.

With reference to http://ark.intel.com/products/77978/Intel-Atom-Processor-C2358-1M-Cache-1_70-GHz ARK | Intel® Atom™ Processor C2358 (1M Cache, 1.70 GHz) ,

Advanced techonologiesIntel® QuickAssist TechnologyYes

I installed QAT driver from 01.org last year.

And with reference to https://01.org/sites/default/files/page/libcrypto_shim_0.4.7-010_withdocumentation.zip libcrypto* (OpenSSL*) Sample Patch for Intel® QuickAssist Technology (stable release 0.4.7-010)

page 12 said "for Intel Atom processor c2000: please use multi_process_optimized/c2xxx_qa_dev*.conf"

As i said at my first post. It worked fine with openssl s_server eninge qat but failed with apache https.

Maybe as u said. the processor is no more supported in https://01.org/sites/default/files/page/qatmux.l.2.3.0-34.tgz Intel® QuickAssist Technology Driver (L.2.3.0-34)

Could u help me what i need now? Because i cant find any resource now.

Regards,

Jianan

0 Kudos
jwang1141
Novice
1,818 Views

Hello jc

thank you for the answer. i am sorry to reply so late.

Well this document(2008) http://www.intel.com.tw/content/www/tw/zh/intelligent-systems/tolapai/ep80579-openssl-apache-linux-appl-note.html Installing Accelerated OpenSSL* and Apache* on Linux*: App Note is similar to the thing what i want to do.

With reference to http://ark.intel.com/products/77978/Intel-Atom-Processor-C2358-1M-Cache-1_70-GHz ARK | Intel® Atom™ Processor C2358 (1M Cache, 1.70 GHz) ,

Advanced techonologiesIntel® QuickAssist TechnologyYes

I installed QAT driver from 01.org last year.

And with reference to https://01.org/sites/default/files/page/libcrypto_shim_0.4.7-010_withdocumentation.zip libcrypto* (OpenSSL*) Sample Patch for Intel® QuickAssist Technology (stable release 0.4.7-010)

page 12 said "for Intel Atom processor c2000: please use multi_process_optimized/c2xxx_qa_dev*.conf"

As i said at my first post. It worked fine with openssl s_server eninge qat but failed with apache https.

Maybe as u said. the processor is no more supported in https://01.org/sites/default/files/page/qatmux.l.2.3.0-34.tgz Intel® QuickAssist Technology Driver (L.2.3.0-34)

Could u help me what i need now? Because i cant find any resource now.

Regards,

Jianan

0 Kudos
Josue_C_Intel
Employee
1,818 Views

Hello Jianan Wang.

 

It is really important that you provide us the answer to question above:

 

Which Chipset are you using?

 

This software release is intended for platforms that contain:

- Intel® Communications Chipset 8900 to 8920 Series

- Intel® Communications Chipset 8925 to 8955 Series

Best Regards.

Josue.

0 Kudos
jwang1141
Novice
1,818 Views

Hello jc

Thanks jc.

With reference to http://ark.intel.com/products/77978/Intel-Atom-Processor-C2358-1M-Cache-1_70-GHz ARK | Intel® Atom™ Processor C2358 (1M Cache, 1.70 GHz)

I think chipset is c2xxx Series.

Best Regards,

Jianan

0 Kudos
Josue_C_Intel
Employee
1,818 Views

Hello Jianan Wang.

 

C2358 is your processor, please refer to http://www.intel.com/support/graphics/sb/CS-009245.htm Chipset Support — How to Identify Your Intel® Chipset.

According to README,txt from https://01.org/sites/default/files/page/libcrypto_shim_0.4.7-010_withdocumentation.zip libcrypto* (OpenSSL*) Sample Patch for Intel® QuickAssist Technology (stable release 0.4.7-010)

 

Successful operation of this release requires a software tool chain that supports OpenSSL 1.0.1async, for example, Fedora 16. This release was

validated on the following:

* Operating system: Fedora 16 64-bit version

* Kernel: GNU/Linux 3.1

* Intel Communications Chipset 89xx Series Software for Linux version 1.3

or Intel Communications Chipset 895x Series Software for Linux version 0.5

Best Regards.

Josue.

0 Kudos
jwang1141
Novice
1,818 Views

Hello JC

Thanks.

According to PDF here http://www.intel.com/newsroom/kits/atom/c2000/pdfs/Intel_Atom_C2000_for_Communications.pdf http://www.intel.com/newsroom/kits/atom/c2000/pdfs/Intel_Atom_C2000_for_Communications.pdf

The processor C2358 is integrated with Intel Quickassist technology. Its a hardware integrated in CPU.

We don't use another independent PCIE hardware card (which their chipset are 89xx or 895x).

And we had tried kernel 2.6.37 and kernel 3.10. As u point out that this release was validated on federa and linux 3.1.

Do you mean that it will not be work in our architecture and software?

Best Regards,

Jianan

0 Kudos
Josue_C_Intel
Employee
1,818 Views

Hello Jianan Wang.

We still working on your question, please stay tuned.

Best Regards.

0 Kudos
Josue_C_Intel
Employee
1,818 Views

Hello Jianan Wang.

 

We still investigating about your case, as soon as we get any update we will let you know.

 

Best Regards.

Josue.

 

0 Kudos
jwang1141
Novice
1,818 Views

Hello JC

Thank you for help.

Best Regards,

Jianan

0 Kudos
Josue_C_Intel
Employee
1,818 Views

Hello Jianan Wang.

 

The Document Number: 476490-0.5 Apache* Sample Patch for Intel® QuickAssist Technology Application Note

will be uploaded to EDC Library due to this documentation is classified as Intel Confidential; it requires a non-disclosure agreement between your company and Intel.

You would need to apply for a Privilege account by visiting http://www.intel.com/ Intel.com

You can find more information in the "https://www-ssl.intel.com/content/www/us/en/intelligent-systems/embedded-design-center-contact-us.html Manage my account" section found on this page.

Please use the company email address, not a personal one such as Yahoo, Gmail, etc.

If you would like to be contacted by an Intel representative to assist you in the process, please let me know.

Kind regards,

Josue.

jwang1141
Novice
1,818 Views

Hello JC

I'm very excited about the possibility of solving this issue.

I will discuss this with my manager about this as soon as possible.

Thanks very much.

Regards,

Jianan

0 Kudos
Natalie_Z_Intel
Employee
1,818 Views

Jianan, please let us know when you request an upgrade to Privileged. If you company does not have a CNDA with Intel, we can connect you with someone who can assist in that process. You can also contact EDC Support at mailto:edc.support@intel.com edc.support@intel.com if you have log in or registration questions. Thanks! LynnZ

0 Kudos
FSkal1
Novice
1,818 Views

Hi Lynn,

right now, we are evaluating a SMB crypto solution with Intel QAT. (and other vendors)

We are an austrian telecom and service provider.

The patches for linux are simply not working for any software other than openssl. (but linked to it).

I can provide details, if requested.

After reading the whole post, it seems, to get access to a working subset of software patches, you have to elevate our account.

Please send me a PM about the costs etc.

Is it enough to apply for an elevation and then ... ?

Rgds.

Franz

0 Kudos
FSkal1
Novice
1,818 Views

Hi,

i now applied for a privileged acoount.

Problems with both patches (stable and development).

CPU: Intel(R) Atom(TM) CPU C2358 @ 1.74GHz

Number of DH89xxCC devices on the system:1

BDF=00:0b.0

C2xxx B0 device detected

QAT:

qatmux.l.2.3.0-34

SSH-CLIENT:

1.) Using aes-128-cbc with a patched version of openssh is not working (bad length).

2.) Using aes-128-ctr works, but is very slow compared to other vendors.

SSH-SERVER:

After trying to connect, a NULL Pointer exception occurs.

un 26 11:17:44 localhost kernel: [ 92.292842] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028

Jun 26 11:17:44 localhost kernel: [ 92.301040] IP: [] QatCtrl_updateRingTable+0x136/0x2c0 [icp_qa_al]

Jun 26 11:17:44 localhost kernel: [ 92.309141] PGD 0

Jun 26 11:17:44 localhost kernel: [ 92.311248] Oops: 0002 [# 1] SMP

Jun 26 11:17:44 localhost kernel: [ 92.314670] CPU 0

Jun 26 11:17:44 localhost kernel: [ 92.316541] Modules linked in: sha1_ssse3 sha1_generic icp_qa_al(O) zlib zlib_deflate sha256_generic sha512_generic binfmt_misc ext2 evdev coret

emp crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 aes_generic cryptd snd_pcm snd_page_alloc snd_timer snd psmouse soundcore serio_raw pcspkr button processor thermal_sys s

hpchp w83627ehf hwmon_vid fuse autofs4 ext4 crc16 jbd2 mbcache sg sd_mod crc_t10dif ahci libahci libata ehci_hcd usbcore scsi_mod usb_common igb i2c_algo_bit dca i2c_core [last unlo

aded: scsi_wait_scan]

Jun 26 11:17:44 localhost kernel: [ 92.365721]

Jun 26 11:17:44 localhost kernel: [ 92.367283] Pid: 969, comm: sshd Tainted: G O 3.1.1-amd64 # 1 Fedora 16 3.1.1 To be filled by O.E.M. To be filled by O.E.M./To

be filled by O.E.M.

Jun 26 11:17:44 localhost kernel: [ 92.382661] RIP: 0010:[] [] QatCtrl_updateRingTable+0x136/0x2c0 [icp_qa_al]

Jun 26 11:17:44 localhost kernel: [ 92.393310] RSP: 0018:ffff88007979dc08 EFLAGS: 00010246

Jun 26 11:17:44 localhost kernel: [ 92.398855] RAX: 000000000000000a RBX: ffff880079eabc00 RCX: 0000000000000000

Jun 26 11:17:44 localhost kernel: [ 92.406298] RDX: 000000000000000a RSI: ffff8800375e4dc0 RDI: ffff880079eabc00

Jun 26 11:17:44 localhost kernel: [ 92.413750] RBP: ffff8800375e4dc0 R08: 0000000000000004 R09: 0000000000000000

Jun 26 11:17:44 localhost kernel: [ 92.421201] R10: ffff88007af9f3c0 R11: ffff88007af9f3c0 R12: 0000000000000004

Jun 26 11:17:44 localhost kernel: [ 92.428636] R13: 0000000000000000 R14: ffff88007bae7f40 R15: ffff88007979dd0b

Jun 26 11:17:44 localhost kernel: [ 92.436071] FS: 00007f57c0d2e700(0000) GS:ffff88007ee00000(0000) knlGS:0000000000000000

Jun 26 11:17:44 localhost kernel: [ 92.444483] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

Jun 26 11:17:44 localhost kernel: [ 92.450469] CR2: 0000000000000028 CR3: 000000007987c000 CR4: 00000000001006f0

Jun 26 11:17:44 localhost kernel: [ 92.457920] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000

Jun 26 11:17:44 localhost kernel: [ 92.465372] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400

Jun 26 11:17:44 localhost kernel: [ 92.472824] Process sshd (pid: 969, threadinfo ffff88007979c000, task ffff8800374eb0c0)

Jun 26 11:17:44 localhost kernel: [ 92.480890] Stack:

Jun 26 11:17:44 localhost kernel: [ 92.482935] 0000000000000001 0000000000000001 ffff880079eabc00 000000000000000a

Jun 26 11:17:44 localhost kernel: [ 92.490724] 0000000000000004 0000000000000000 ffff88007bae7f40 ffffffffa026973f

Jun 26 11:17:44 localhost kernel: [ 92.498521] 0000000000000000 0000000000000000 0000000000000000 0000000000000000

Jun 26 11:17:44 localhost kernel: [ 92.506354] Call Trace:

Jun 26 11:17:44 localhost kernel: [ 92.508911] [] ? SalCtrl_QatRingInfoCb+0xcf/0x570 [icp_qa_al]

Jun 26 11:17:44 localhost kernel: [ 92.516661] [] ? adf_ring_ioc_create_handle.isra.0+0x74d/0xb60 [icp_qa_al]

Jun 26 11:17:44 localhost kernel: [ 92.525586] [] ? adf_ring_ioctl+0xc0/0x3f0 [icp_qa_al]

Jun 26 11:17:44 localhost kernel: [ 92.532676] [] ? do_vfs_ioctl+0x459/0x49a

Jun 26 11:17:44 localhost kernel: [ 92.538574] [] ? __call_rcu+0x21/0x12c

Jun 26 11:17:44 localhost kernel: [ 92.544204] [] ? dput+0x27/0xee

Jun 26 11:17:44 localhost kernel: [ 92.549222] [] ? fput+0x17a/0x1a1

Jun 26 11:17:44 localhost kernel: [ 92.554394] [] ? sys_ioctl+0x4b/0x72

Jun 26 11:17:44 localhost kernel: [ 92.559853] [] ? filp_close+0x62/0x6a

Jun 26 11:17:44 localhost kernel: [ 92.565417] [] ? system_call_fastpath+0x16/0x1b

Jun 26 11:17:44 localhost kernel: [ 92.571867] Code: 85 e0 00 00 00 48 8b 4e 68 89 d0 c6 04 81 ff 48 8b 4e 68 c6 44 81 01 ff eb b6 0f 1f 00 85 c9 0f 85 88 00 00 00 48 8b 4e 70 89 d0 04 81 fc 48 8b 4e 70 c6 44 81 01 fc 48 8b 76 70 e9 54 ff ff

Jun 26 11:17:44 localhost kernel: [ 92.592672] RIP [] QatCtrl_updateRingTable+0x136/0x2c0 [icp_qa_al]

Jun 26 11:17:44 localhost kernel: [ 92.600869] RSP

Jun 26 11:17:44 localhost kernel: [ 92.604508] CR2: 0000000000000028

Jun 26 11:17:44 localhost kernel: [ 92.608012] ---[ end trace e0f6d9734311c107 ]---

Ring when sshd runs and dies: (ssh client binary works)

Ring Number: 0, Config:8, Base Addr: ffff880079490000 Head: ec0, Tail: ec0, Space: 4000, inflights:0, Name: Accel0AdminTxRing Number: 1, Config: 2008, Base Addr: ffff88007a354000 Head: ec0, Tail: ec0, Space: 4000, inflights:0, Name: Accel0AdminRxRing Number: 2, Config:6, Base Addr: ffff88007958b000 Head: 40, Tail: 40, Space: 1000, inflights:0, Name: Cy0RingAsymTxRing Number: 3, Config: 2006, Base Addr: ffff880036ba9000 Head:0, Tail: 40, Space: fc0, inflights:0, Name: Cy0RingAsymRxRing Number: 4, Config:9, Base Addr: ffff880036af0000 Head:0, Tail:0, Space: 8000, inflights:0, Name: Cy0RingSymTxHiRing Number: 5, Config: 2009, Base Addr: ffff88007b948000 Head:0, Tail:0, Space: 8000, inflights:0, Name: Cy0RingSymRxHiRing Number: 6, Config:9, Base Addr: ffff88007a348000 Head:0, Tail:0, Space: 8000, inflights:0, Name: Cy0RingSymTxLoRing Number: 7, Config: 2009, Base Addr: ffff8800799a0000 Head:0, Tail:0, Space: 8000, inflights:0, Name: Cy0RingSymRxLoRing Number: 10, Config:9, Base Addr: ffff88007a340000 Head:0, Tail:0, Space: 8000, inflights:

0, Name: Cy0RingSymTxHi

It would be great to have a software patch, that works seamlessly with other userspace programs linked to it.

Rgds.

Franz

0 Kudos
Gabriel_T_Intel
Employee
1,818 Views

Hello Franz,

Welcome to the Intel Embedded Technology.

Please let us know what Linux version are you using.

I recommend you to check the following link:

https://www-ssl.intel.com/content/www/us/en/embedded/technology/quickassist/overview.html https://www-ssl.intel.com/content/www/us/en/embedded/technology/quickassist/overview.html

Regards,

Gabriel Thomas.

0 Kudos
FSkal1
Novice
1,686 Views

Hello Gabriel,

after nearly 20 years of experience, i'm aware of all the fine manuals, howtos, readmes etc.

I'm sure, when having a privileged account, my questions will be answered.

Rgds.

Franz

0 Kudos
Reply