Abstract: Intel® QuickAssist Technology improves performance and efficiency across the data center and other computing platforms by handling the compute-intensive operations of bulk cryptography, public key cryptography, and data compression. In this course, we will give an overview of the technology along with the summary of resources to get started with integrating Intel® QAT into your platform solutions. We will also demonstrate using Intel® QAT with applications such as OpenSSL, NGINX, and HAProxy, with a hands-on lab.
Speaker Bios:
Joel Auernheimer, a Platform Application Engineer at Intel, has been focused on enabling customers to integrate Intel® QuickAssist Technology in their platform solutions. Joel is a native of Phoenix, Arizona and enjoys hiking, basketball, soccer, singing, and spending time with friends and family.
Joel Schuetze has been with Intel since 1996. For the last 9+ years he has worked as Platform Application Engineer supporting customers with Intel QuickAssist Technology.
4. Intel® QuickAssist Technology Overview
QAT provides security (encryption) HW acceleration and compression HW
acceleration
QAT makes use of a set of APIs to abstract out the hardware, so the same
application can run on multiple generations of QAT hardware
Customers can also make use of patches that we have provided to popular
open source software, so they can minimize or eliminate their effort to learn the
API
5. Supported Hardware
Intel® Communications Chipset 89xx series (formerly known as Cave Creek and Coleto Creek)
(PCH+QAT or QAT endpoint only), plus add-in cards (QAT1.5 and QAT1.6)
Intel® Atom™ Processor C2000 Product Family for Communications Infrastructure (SoC)
(QAT1.5)
Intel® C62x Chipset, plus add-in cards (QAT1.7)
Intel® Atom™ Processor C3000 Product Family (QAT1.7)
Intel® Xeon® Processor D Family (QAT1.7)
And more
More information (including performance numbers) is available in the product briefs on
ark.intel.com
https://networkbuilders.intel.com/blog/securing-networks-billions-of-things-exabytes-of-
data-with-100-gbps-of-performance
6. Getting Started with QAT
Follow our “Quick Start Guide” at https://01.org/intel-quickassist-technology
Step 1: Get QAT hardware
Step 2: Get acquainted with the available resources
– Intel® QuickAssist Technology Main - www.intel.com/quickassist
– Intel® QuickAssist Technology 01.org Technical Collateral & Applications -
https://01.org/intel-quickassist-technology
– To Learn how to use Intel® QuickAssist Technology and run example code, review our
tutorial videos on Intel Developer Zone –Intel® QuickAssist Technology Technical Getting
Started Tutorials - https://software.intel.com/en-us/networking/quickassist
Step 3: Follow our Getting Started Guide
– Find the correct Getting Started Guide:
– For released products: https://01.org/intel-quickassist-technology
– Follow the instructions to install the QAT software and run the performance sample code
7. Offloading to QAT frees up CPU cores!
QAT endpoints show up as a PCIe Device
Exposes request/response ring interface
User application allocates memory and puts input data (including payload,
keys...) in DRAM
QAT API is called
API handles DMA, etc
Poll or interrupt for result
Take advantage of QAT parallelism
8. QAT Algorithms
Symmetric cryptography functions include: cipher operations (AES, DES, 3DES,
ARC4); wireless (Kasumi, Snow 3G, ZUC (QAT1.7+)); hash/authenticate
operations (SHA-1, MD5; SHA-2 [SHA-224, SHA-256, SHA-384, SHA-512], SHA-
3 (QAT1.7+)); authentication (HMAC, AES-XCBC, AES-CCM); AES-XTS (QAT1.6+)
Public Key functions include: RSA operation; Diffie-Hellman operation; digital
signature standard operation; key derivation operation; elliptic curve
cryptography (ECDSA and ECDH); and prime number testing.
Compression/decompression includes: DEFLATE/INFLATE
9. Selected QAT Documentation
Using Intel® Virtualization Technology (Intel® VT) with Intel® QuickAssist
Technology Application Note
Using Intel® QuickAssist Technology in Linux Container and Docker
Intel® QuickAssist Technology API Programmer's Guide
Intel® QuickAssist Technology Cryptographic API Reference Manual
Intel® QuickAssist Technology Data Compression API Reference Manual
Intel® QuickAssist Technology - Performance Optimization Guide
Intel® QuickAssist Technology Software for Linux* - Programmer's Guide
13. DPDK Crypto Stack
DPDK exposes symmetric crypto services
via the cryptodev API
– Supports software and hardware
(offload) implementations
– One stop shop for best of Intel crypto
on DPDK
– Provides Poll Mode Drivers for Intel®
QuickAssist Technology
Upstreamed to DPDK.org
Used by IPsec sample application
QAT PMD
cryptodev
cryptodev API
AES-NI PMD, …
ethdev
Ethernet PMD
ethdev API
Sample Application, e.g. IPsec
cryptodev producer APIethdev producer API
QAT driver (in-tree)
User Space
Kernel Space
14. CALL TO ACTION
Follow our “Quick Start Guide” at https://01.org/intel-quickassist-technology
Step 1: Get QAT hardware
Step 2: Get acquainted with the available resources
– Intel® QuickAssist Technology Main - www.intel.com/quickassist
– Intel® QuickAssist Technology 01.org Technical Collateral & Applications -
https://01.org/intel-quickassist-technology
– To Learn how to use Intel® QuickAssist Technology and run example code, review our
tutorial videos on Intel Developer Zone –Intel® QuickAssist Technology Technical Getting
Started Tutorials - https://software.intel.com/en-us/networking/quickassist
Step 3: Follow our Getting Started Guide
– Find the correct Getting Started Guide:
– For released products: https://01.org/intel-quickassist-technology
– Follow the instructions to install the QAT software and run the performance sample code
16. Knowledge Check and advanced topics
T/F: QAT is part of all CPUs?
Explain: QAT is a “black box”
Explain: QAT can operate in “endpoint-only mode”
Where is the QAT documentation?
What software works with QAT out of the box?
Where are the configuration files located? Why are configuration files needed?
Under what conditions might I see less than Intel’s best performance numbers for a
particular product?
How do I upgrade QAT firmware?
17. Knowledge Check and advanced topics (cont’d)
How do I show that QAT is working on a particular platform?
What Linux kernels are supported?
18. Operating System Support
Linux
• Fully validated on RHEL 7.x
• Smoke-tested on various versions of RHEL, CentOS, Fedora, SUSE, Ubuntu
FreeBSD 10, 11
19. Service Instances
At the Intel® QuickAssist Technology API, we abstract queue pairs using the concept of service
instances
To use a service, an application must first get a handle to a service instance
Corresponds to one or more queue pairs
– A data compression instance contains 1 queue pair
– By default, a cryptographic instance contains 2 queue pairs, one for each sub-service of crypto
(symmetric crypto, public key crypto)
Configurable Items (via config file)
Queue depth (for each queue)
Number of instances per device (limited by available rings), for example:
– One per address space (e.g. user space processes)
– One per software or hardware thread (logical core), to avoid contention
20. DMA-able Memory
Memory passed to Intel® QuickAssist Technology hardware must be DMA’able
Physically contiguous (can also deal with SGLs)
Physically addressed
– If VT-d is enabled (e.g. in virtualized system), then Intel IOMMU will translate to host physical addresses as needed
Pinned (i.e. locked, guaranteed resident in physical memory)
Intel provides a User Space DMA-able Memory (USDM) component (kernel driver and corresponding user
space library) which
Allocates/frees DMA-able memory, mapped to user space
Performs virtual to physical address translation on memory allocated by this library
This component is used by the sample code supplied with the user space library.
21. Low Level APIs for Accessing Services
API When to use OS environments supported
Intel® QuickAssist
Technology
Traditional
• Original API, recommended for most cases
• Can be used to access all services and features
• Linux
• FreeBSD
Intel® QuickAssist
Technology Data
Plane
• Optimized for data plane applications (reduced
offload cost) by using physical addressing,
supporting batching and MMIO amortization, etc.
• Supports a subset of symmetric crypto and
compression
• Constraints: asynchronous only, polling only, not
thread-safe, no support for stateful operation
• Linux user space
• FreeBSD
DPDK cryptodev • For DPDK applications, e.g. IPsec
• Offers DPDK PMD-like semantics, e.g. buffers
passed as mbufs, batch submission, etc.
• Supports symmetric crypto only1
• DPDK
[1] May be extended for other services in future
22. Memory Buffer Types
Flat Buffers (defined in the file cpa.h)
“Traditional” API: CpaFlatBuffer
– pData is a virtual address
“Data Plane” API: CpaPhysFlatBuffer
– pData is a physical address
Buffer Lists (also defined in cpa.h)
“Traditional” API: CpaBufferList
– pMetaData is allocated by user (first
call cpaCyBufferListGetMetaSize), and
populated by implementation to point
to a CpaPhysBufferList (used by Intel®
QuickAssist Technology device)
“Data Plane” API: CpaPhysBufferList