QAT driver

[John Baldwin]

On 10/27/20 2:15 PM, Rick Macklem wrote:
> Mark Johnston wrote:
>> On Tue, Oct 27, 2020 at 04:32:40AM +0000, Rick Macklem wrote:
> [stuff snipped]
>>> Can it be made to work with the KERN_TLS in head?
>>> (KERN_TLS works fine for me using the ktls_ocf and aesni modules.)
>>> I think it is only head and requires the patched OpenSSL3 that jhb@
>>> currently has.
>>
>> I hadn't looked at ktls_ocf.c before but at a glance it looks like it
>> can make use of any hardware or software opencrypto driver that supports
>> the requested algorithms.  The qat(4) port implements the algorithms
>> referenced by ktls_ocf_try().
> Well, if you were inspired to try it out, the basic doc for NFS-over-TLS is here:
> https://people.freebsd.org/~rmacklem/nfs-over-tls-setup.txt
> (Same file is in base/projects/nfs-over-tls on subversion.)
> For someone who is used to building/running head kernels, it should be
> pretty straightforward.
> 
> You could become the first tester in the whole wide world;-) rick
> ps: Although the NFS code uses it in the kernel, I think that an application
>      that uses OpenSSL's SSL_read()/SSL_write via a patched OpenSSL library,
>      has the encrypt/decrypt done in the kernel and the userspace library
>      code just does socket I/O with unencrypted data.
> pss: Hopefully jhb@ will correct me if I got this wrong.
> 
>> I know nothing about it, except that it seems to work well, doing
>> the TLS application data records in the kernel for a TCP socket
>> enabled by the patched OpenSSL library.
>> I've cc'd jhb@, so hopefully he can let us know what it needs?

qat(4) should work with KERN_TLS.  I've used ccr(4) with the KERN_TLS
bits many times.  It is a good throughput test, though you will need
a fast network connection to really push it (e.g. with ccr(4) I've
done about 50 Gbps of TLS traffic using nginx with the KTLS patches
to use sendfile, so that requires a 100G NIC and/or two 40G NICs.)

-- 
John Baldwin