23 Replies Latest reply on Jul 9, 2015 11:03 AM by SergioVillarreal

    QAT with openssl apache

    jnwangntu Green Belt

      Hello

           With reference to the page https://01.org/zh/packet-processing/intel%C2%AE-quickassist-technology-drivers-and-patches?langredirect=1

      I have installed Intel® QuickAssist Technology Driver (L.2.3.0-34) and openssl sample patch.

       

      It works fine if I use the commands below

           openssl s_server -state -cert /etc/apache/conf/ssl.crt/server.crt -key /etc/apache/conf/ssl.key/server.key -engine qat -WWW -accept 4411

      and for client  

          openssl s_client -state -host 10.71.42.5 -cipher RSA -port 443

       

       

      But if I use apache with mod-ssl SSLCryptoDevice qat, https connections will not work (tried on several web browsers)

       

      Is the sample code provided by Intel enough for us to run https with apache (version 2.2.11)?

      Or would I need to modify the Apache code?

        • Re: QAT with openssl apache
          jc Brown Belt

          Hello Jianan Wang.

           

          Welcome to Intel® Embedded Community.

          We are checking your thread and will post an update as soon as possible.

           

          Regards.

          Josue.

          • Re: QAT with openssl apache
            jnwangntu Green Belt

            Hello jc

            Thank you for the answer. I am sorry to reply so late.

             

            Well, this document (2008), Installing Accelerated OpenSSL* and Apache* on Linux*: App Note, is similar to what I want to do.

              

            With reference to  ARK | Intel® Atom™ Processor C2358 (1M Cache, 1.70 GHz) ,

             

            Advanced Technologies
            Intel® QuickAssist Technology: Yes

             

            I installed QAT driver from 01.org last year.

             

            And with reference to libcrypto* (OpenSSL*) Sample Patch for Intel® QuickAssist Technology (stable release 0.4.7-010)

            page 12 said "for Intel Atom processor c2000: please use multi_process_optimized/c2xxx_qa_dev*.conf"

             

            As I said in my first post, it worked fine with openssl s_server engine qat but failed with apache https.

             

            Maybe, as you said, the processor is no longer supported in Intel® QuickAssist Technology Driver (L.2.3.0-34).

             

            Could you help me with what I need now? Because I can't find any resources now.

             

            Regards,

            Jianan

              • Re: QAT with openssl apache
                jc Brown Belt

                Hello Jianan Wang.


                It is really important that you provide us the answer to the question above:


                Which Chipset are you using?


                This software release is intended for platforms that contain:

                 

                - Intel® Communications Chipset 8900 to 8920 Series

                - Intel® Communications Chipset 8925 to 8955 Series

                 

                Best Regards.

                Josue.

                  • Re: QAT with openssl apache
                    jnwangntu Green Belt

                    Hello jc

                     

                    Thanks jc.

                     

                    With reference to ARK | Intel® Atom™ Processor C2358 (1M Cache, 1.70 GHz)

                     

                    I think the chipset is c2xxx Series.

                     

                    Best Regards,

                    Jianan

                      • Re: QAT with openssl apache
                        jc Brown Belt

                        Hello Jianan Wang.


                        C2358 is your processor, please refer to Chipset Support — How to Identify Your Intel® Chipset.

                         

                        According to README.txt from libcrypto* (OpenSSL*) Sample Patch for Intel® QuickAssist Technology (stable release 0.4.7-010):

                        Successful operation of this release requires a software tool chain that supports OpenSSL 1.0.1async, for example, Fedora 16. This release was validated on the following:

                        * Operating system: Fedora 16 64-bit version

                        * Kernel: GNU/Linux 3.1

                        * Intel Communications Chipset 89xx Series Software for Linux version 1.3 or Intel Communications Chipset 895x Series Software for Linux version 0.5

                         

                        Best Regards.

                        Josue.

                          • Re: QAT with openssl apache
                            jnwangntu Green Belt

                            Hello JC

                             

                                Thanks.

                               

                                According to PDF here http://www.intel.com/newsroom/kits/atom/c2000/pdfs/Intel_Atom_C2000_for_Communications.pdf 

                             

                                The processor C2358 is integrated with Intel QuickAssist Technology. It's hardware integrated in the CPU.

                             

                                We don't use another independent PCIe hardware card (whose chipsets are 89xx or 895x).

                             

                                And we had tried kernel 2.6.37 and kernel 3.10. As you point out, this release was validated on Fedora and Linux 3.1.

                               

                                Do you mean that it will not work with our architecture and software?

                             

                            Best Regards,

                            Jianan

                              • Re: QAT with openssl apache
                                jc Brown Belt

                                Hello Jianan Wang.

                                 

                                We are still working on your question, please stay tuned.

                                 

                                Best Regards.

                                  • Re: QAT with openssl apache
                                    jc Brown Belt

                                    Hello Jianan Wang.


                                    We are still investigating your case; as soon as we get any update we will let you know.


                                    Best Regards.

                                    Josue.

                                      • Re: QAT with openssl apache
                                        jnwangntu Green Belt

                                        Hello JC

                                            

                                        Thank you for help.

                                         

                                        Best Regards,

                                        Jianan

                                          • Re: QAT with openssl apache
                                            jc Brown Belt

                                            Hello Jianan Wang.


                                            The Document Number: 476490-0.5 Apache* Sample Patch for Intel® QuickAssist Technology Application Note will be uploaded to EDC Library because this documentation is classified as Intel Confidential; it requires a non-disclosure agreement between your company and Intel.

                                            You would need to apply for a Privilege account by visiting Intel.com

                                            You can find more information in the "Manage my account" section found on this page.

                                            Please use the company email address, not a personal one such as Yahoo, Gmail, etc.

                                            If you would like to be contacted by an Intel representative to assist you in the process, please let me know.

                                             

                                            Kind regards,

                                            Josue.

                                              • Re: QAT with openssl apache
                                                jnwangntu Green Belt

                                                Hello JC

                                                 

                                                I'm very excited about the possibility of solving this issue.

                                                 

                                                I will discuss this with my manager as soon as possible.

                                                 

                                                Thanks very much.

                                                 

                                                Regards,

                                                Jianan

                                                  • Re: QAT with openssl apache
                                                    LynnZ Brown Belt

                                                    Jianan, please let us know when you request an upgrade to Privileged.  If your company does not have a CNDA with Intel, we can connect you with someone who can assist in that process.  You can also contact EDC Support at edc.support@intel.com if you have log in or registration questions.  Thanks!  LynnZ

                                                      • Re: QAT with openssl apache
                                                        FranzCC Green Belt

                                                        Hi Lynn,

                                                        Right now, we are evaluating an SMB crypto solution with Intel QAT (and other vendors).

                                                        We are an Austrian telecom and service provider.

                                                        The patches for Linux are simply not working for any software other than openssl (but linked to it).

                                                        I can provide details, if requested.

                                                        After reading the whole post, it seems, to get access to a working subset of software patches, you have to elevate our account.

                                                        Please send me a PM about the costs etc.

                                                        Is it enough to apply for an elevation and then ... ?

                                                         

                                                        Rgds.

                                                         

                                                        Franz

                                                          • Re: QAT with openssl apache
                                                            FranzCC Green Belt

                                                            Hi,

                                                            I have now applied for a privileged account.

                                                            Problems with both patches (stable and development).

                                                             

                                                            CPU: Intel(R) Atom(TM) CPU  C2358  @ 1.74GHz

                                                            Number of DH89xxCC devices on the system:1

                                                            BDF=00:0b.0

                                                            C2xxx B0 device detected

                                                             

                                                            QAT:

                                                            qatmux.l.2.3.0-34

                                                             

                                                            SSH-CLIENT:

                                                            1.) Using aes-128-cbc with a patched version of openssh is not working (bad length).

                                                            2.) Using aes-128-ctr works, but is very slow compared to other vendors.

                                                            SSH-SERVER:

                                                            After trying to connect, a NULL Pointer exception occurs.

                                                             

                                                            Jun 26 11:17:44 localhost kernel: [   92.292842] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028

                                                            Jun 26 11:17:44 localhost kernel: [   92.301040] IP: [<ffffffffa02adef6>] QatCtrl_updateRingTable+0x136/0x2c0 [icp_qa_al]

                                                            Jun 26 11:17:44 localhost kernel: [   92.309141] PGD 0

                                                            Jun 26 11:17:44 localhost kernel: [   92.311248] Oops: 0002 [#1] SMP

                                                            Jun 26 11:17:44 localhost kernel: [   92.314670] CPU 0

                                                            Jun 26 11:17:44 localhost kernel: [   92.316541] Modules linked in: sha1_ssse3 sha1_generic icp_qa_al(O) zlib zlib_deflate sha256_generic sha512_generic binfmt_misc ext2 evdev coretemp crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 aes_generic cryptd snd_pcm snd_page_alloc snd_timer snd psmouse soundcore serio_raw pcspkr button processor thermal_sys shpchp w83627ehf hwmon_vid fuse autofs4 ext4 crc16 jbd2 mbcache sg sd_mod crc_t10dif ahci libahci libata ehci_hcd usbcore scsi_mod usb_common igb i2c_algo_bit dca i2c_core [last unloaded: scsi_wait_scan]

                                                            Jun 26 11:17:44 localhost kernel: [   92.365721]

                                                            Jun 26 11:17:44 localhost kernel: [   92.367283] Pid: 969, comm: sshd Tainted: G           O 3.1.1-amd64 #1 Fedora 16 3.1.1 To be filled by O.E.M. To be filled by O.E.M./To be filled by O.E.M.

                                                            Jun 26 11:17:44 localhost kernel: [   92.382661] RIP: 0010:[<ffffffffa02adef6>]  [<ffffffffa02adef6>] QatCtrl_updateRingTable+0x136/0x2c0 [icp_qa_al]

                                                            Jun 26 11:17:44 localhost kernel: [   92.393310] RSP: 0018:ffff88007979dc08  EFLAGS: 00010246

                                                            Jun 26 11:17:44 localhost kernel: [   92.398855] RAX: 000000000000000a RBX: ffff880079eabc00 RCX: 0000000000000000

                                                            Jun 26 11:17:44 localhost kernel: [   92.406298] RDX: 000000000000000a RSI: ffff8800375e4dc0 RDI: ffff880079eabc00

                                                            Jun 26 11:17:44 localhost kernel: [   92.413750] RBP: ffff8800375e4dc0 R08: 0000000000000004 R09: 0000000000000000

                                                            Jun 26 11:17:44 localhost kernel: [   92.421201] R10: ffff88007af9f3c0 R11: ffff88007af9f3c0 R12: 0000000000000004

                                                            Jun 26 11:17:44 localhost kernel: [   92.428636] R13: 0000000000000000 R14: ffff88007bae7f40 R15: ffff88007979dd0b

                                                            Jun 26 11:17:44 localhost kernel: [   92.436071] FS:  00007f57c0d2e700(0000) GS:ffff88007ee00000(0000) knlGS:0000000000000000

                                                            Jun 26 11:17:44 localhost kernel: [   92.444483] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033

                                                            Jun 26 11:17:44 localhost kernel: [   92.450469] CR2: 0000000000000028 CR3: 000000007987c000 CR4: 00000000001006f0

                                                            Jun 26 11:17:44 localhost kernel: [   92.457920] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000

                                                            Jun 26 11:17:44 localhost kernel: [   92.465372] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400

                                                            Jun 26 11:17:44 localhost kernel: [   92.472824] Process sshd (pid: 969, threadinfo ffff88007979c000, task ffff8800374eb0c0)

                                                            Jun 26 11:17:44 localhost kernel: [   92.480890] Stack:

                                                            Jun 26 11:17:44 localhost kernel: [   92.482935]  0000000000000001 0000000000000001 ffff880079eabc00 000000000000000a

                                                            Jun 26 11:17:44 localhost kernel: [   92.490724]  0000000000000004 0000000000000000 ffff88007bae7f40 ffffffffa026973f

                                                            Jun 26 11:17:44 localhost kernel: [   92.498521]  0000000000000000 0000000000000000 0000000000000000 0000000000000000

                                                            Jun 26 11:17:44 localhost kernel: [   92.506354] Call Trace:

                                                            Jun 26 11:17:44 localhost kernel: [   92.508911]  [<ffffffffa026973f>] ? SalCtrl_QatRingInfoCb+0xcf/0x570 [icp_qa_al]

                                                            Jun 26 11:17:44 localhost kernel: [   92.516661]  [<ffffffffa02baffd>] ? adf_ring_ioc_create_handle.isra.0+0x74d/0xb60 [icp_qa_al]

                                                            Jun 26 11:17:44 localhost kernel: [   92.525586]  [<ffffffffa02bbe80>] ? adf_ring_ioctl+0xc0/0x3f0 [icp_qa_al]

                                                            Jun 26 11:17:44 localhost kernel: [   92.532676]  [<ffffffff811089d5>] ? do_vfs_ioctl+0x459/0x49a

                                                            Jun 26 11:17:44 localhost kernel: [   92.538574]  [<ffffffff81095f0b>] ? __call_rcu+0x21/0x12c

                                                            Jun 26 11:17:44 localhost kernel: [   92.544204]  [<ffffffff8110b448>] ? dput+0x27/0xee

                                                            Jun 26 11:17:44 localhost kernel: [   92.549222]  [<ffffffff810fc3be>] ? fput+0x17a/0x1a1

                                                            Jun 26 11:17:44 localhost kernel: [   92.554394]  [<ffffffff81108a61>] ? sys_ioctl+0x4b/0x72

                                                            Jun 26 11:17:44 localhost kernel: [   92.559853]  [<ffffffff810fa068>] ? filp_close+0x62/0x6a

                                                            Jun 26 11:17:44 localhost kernel: [   92.565417]  [<ffffffff813561b2>] ? system_call_fastpath+0x16/0x1b

                                                            Jun 26 11:17:44 localhost kernel: [   92.571867] Code: 85 e0 00 00 00 48 8b 4e 68 89 d0 c6 04 81 ff 48 8b 4e 68 c6 44 81 01 ff eb b6 0f 1f 00 85 c9 0f 85 88 00 00 00 48 8b 4e 70 89 d0 <c6> 04 81 fc 48 8b 4e 70 c6 44 81 01 fc 48 8b 76 70 e9 54 ff ff

                                                            Jun 26 11:17:44 localhost kernel: [   92.592672] RIP  [<ffffffffa02adef6>] QatCtrl_updateRingTable+0x136/0x2c0 [icp_qa_al]

                                                            Jun 26 11:17:44 localhost kernel: [   92.600869]  RSP <ffff88007979dc08>

                                                            Jun 26 11:17:44 localhost kernel: [   92.604508] CR2: 0000000000000028

                                                            Jun 26 11:17:44 localhost kernel: [   92.608012] ---[ end trace e0f6d9734311c107 ]---

                                                             

                                                             

                                                            Ring when sshd runs and dies: (ssh client binary works)

                                                            Ring Number:  0, Config:8, Base Addr: ffff880079490000 Head:  ec0, Tail:  ec0, Space: 4000, inflights:0, Name: Accel0AdminTx
                                                            Ring Number:  1, Config: 2008, Base Addr: ffff88007a354000 Head:  ec0, Tail:  ec0, Space: 4000, inflights:0, Name: Accel0AdminRx
                                                            Ring Number:  2, Config:6, Base Addr: ffff88007958b000 Head:   40, Tail:   40, Space: 1000, inflights:0, Name: Cy0RingAsymTx
                                                            Ring Number:  3, Config: 2006, Base Addr: ffff880036ba9000 Head:0, Tail:   40, Space:  fc0, inflights:0, Name: Cy0RingAsymRx
                                                            Ring Number:  4, Config:9, Base Addr: ffff880036af0000 Head:0, Tail:0, Space: 8000, inflights:0, Name: Cy0RingSymTxHi
                                                            Ring Number:  5, Config: 2009, Base Addr: ffff88007b948000 Head:0, Tail:0, Space: 8000, inflights:0, Name: Cy0RingSymRxHi
                                                            Ring Number:  6, Config:9, Base Addr: ffff88007a348000 Head:0, Tail:0, Space: 8000, inflights:0, Name: Cy0RingSymTxLo
                                                            Ring Number:  7, Config: 2009, Base Addr: ffff8800799a0000 Head:0, Tail:0, Space: 8000, inflights:0, Name: Cy0RingSymRxLo
                                                            Ring Number: 10, Config:9, Base Addr: ffff88007a340000 Head:0, Tail:0, Space: 8000, inflights:0, Name: Cy0RingSymTxHi

                                                             

                                                             

                                                            It would be great to have a software patch, that works seamlessly with other userspace programs linked to it.

                                                             

                                                             

                                                            Rgds.

                                                            Franz

                                    • Re: QAT with openssl apache
                                      FranzCC Green Belt

                                      Hi,

                                      After searching the EDC Lib (with privileged access), I cannot find the document referenced by "JC" with the name:

                                      Document Number: 476490-0.5 Apache* Sample Patch for Intel® QuickAssist Technology Application Note

                                       


                                      It would be great to test this particular patch.

                                      Perhaps you can give me a hint where to find the Note.

                                       

                                       

                                      Rgds.

                                       

                                      Franz