Page 1

Security 101: Introduction to the QorIQ Security Accelerator (QorIQ 安全加速器产品简介) - NXP

FTF-DES-N1856
JT Yen (严礽田), Senior Manager, Applications Engineering, Asia Pacific
September 2016
PUBLIC USE

Page 2

Agenda (议程)

• Security engines
  − History of the NXP Digital Networking security engines
  − Architecture of the SEC engine built into LS1012A and LS2088A
  − Advantages of SoC integration
• Enabling the SEC
  − RTA (Run-Time Assembler): the descriptor language
• SEC drivers and APIs
  − Linux® kernel and user-space drivers and APIs
• Security middleware
  − IPSec
  − SSL/TLS

Page 3

Security Engines

Page 4

History of the NXP networking security engines

Stage 1: crypto coprocessor (dedicated coprocessor). Stage 2: integrated crypto acceleration engine. Stage 3: integrated security protocol engine and Trust Architecture (v1.0 and v2.0), DPAA1 platform integration. Stage 4: Trust Architecture (v2.1 and v3), DPAA2 platform integration.

• Stage 1 – S1 series coprocessors
  − Freescale security technology was brought to the commercial networking market through the security coprocessor product line
• Stage 2 – PowerQUICC 1, PowerQUICC 2 and PowerQUICC 2 Pro processors
  − Security IP integrated into the Freescale communications processor products
• Stage 3 – QorIQ processors, including the P, T and B series
  − Continuous improvement of the integrated IP's features and performance, and development of the Trust Architecture. SEC 5.0 performance extended to 40 Gbps+. Relaunch of a hardened coprocessor product line (C29x). SEC IP integrated into the DPAA1 architecture.
• Stage 4 – QorIQ processors, including the LS series
  − Integration into ARM®-based devices. Enhanced Trust Architecture features; SEC IP integrated into the DPAA2 architecture.

[Figure: timeline of the SEC generations (SEC1.x, SEC2.x, SEC3.x, SEC4.x, SEC5.x) with the devices of each stage: MPC190, MPC185, MPC184, MPC180, 8272, C291, C292, C293, 885, 85xx, 83xx, 81xx, P2020, P1022, P1021, P1025, P1020, P1010, P2041, P3041, P4080, P5020, P5040, BSC9131, BSC9132, T1040, T1024, T2080, T4240, B4860, LS1021A, LS1012A, LS1043A, LS2085A, LS1088A]

Page 5

Scalable security performance: IPsec performance of QorIQ SoCs

SEC version | Devices                | IPsec throughput
SEC 3.x     | P102x, P202x           | 1.5-2 Gbps
SEC 5       | LS1012, LS1021         | 3 Gbps
SEC 4       | PSC913x                | 4 Gbps
SEC 4       | P204x, P3041, P1023    | 5 Gbps
SEC 4/5     | T104x, LS1043          | 6 Gbps
SEC 4       | P408x                  | 15 Gbps
SEC 4       | P5040, T208x           | 15 Gbps
SEC 4       | T4240                  | 40 Gbps
SEC 5       | LS208x                 | 20 Gbps

Page 6

Architecture of the SEC 5 engine in LS1021A and LS1012A

(1) Public Key Hardware Accelerator (PKHA)
  • RSA and Diffie-Hellman (to 4096b)
  • Elliptic curve cryptography (1024b)
  • Supports Run Time Equalization
(1) Random Number Generator (RNG)
  • NIST certified
  • RNGB in P1010, RNG4 in PSC9131
(1) Message Digest Hardware Accelerator (MDHA)
  • SHA-1, SHA-2 256-, 384-, 512-bit digests
  • MD5 128-bit digest
  • HMAC with all algorithms
(1) Advanced Encryption Standard Accelerator (AESA)
  • Key lengths of 128, 192 and 256 bits
  • ECB, CBC, CTR, CCM, GCM, CMAC, XCBC, OFB, CFB and XTS
  • Supports LTE 128-EEA2 / 128-EIA2
(1) Data Encryption Standard Accelerator (DESA)
  • DES, 3DES (2K, 3K)
  • ECB, CBC, OFB modes
(1) CRC Unit
  • CRC32, CRC32C, 802.16e OFDMA CRC

Header and trailer off-load for the following security protocols: IPSec, SSL/TLS, SRTP, WiFi, MACSEC

[Figure: SEC block diagram: Job Ring interface, Job Queue Controller, Descriptor Controller, DMA, RTIC, and the CHAs (DESA, AESA, MDHA, PKHA, RNG)]

Page 7

SEC integration in LS1012A

[Figure: LS1012A block diagram: ARM Cortex-A53 core (32KB L1-I, 32KB L1-D, 256KB L2), CCI-400 coherent interconnect, SEC, Secure Boot, TrustZone, Sec Monitor, 128KB SRAM, 16-bit DDR3L memory controller, PPFE packet engine, 2x GbE, 1x PCIe 2.0, SATA 3.0, 3-lane 6GHz SERDES, 1x USB3.0 + PHY, 1x USB2.0, 2x SD 3.0/SDIO/eMMC, 2x I2C, 5x I2S, QSPI, 1x SPI, 2x UART, GPIO, JTAG, power management]

The SEC can be invoked directly by software running on the ARM A53 or on the PPFE.

Page 8

Architecture of the SEC 5 engine in LS2088A

(1) Public Key Hardware Accelerator (PKHA)
  • RSA and Diffie-Hellman (to 4096b)
  • Elliptic curve cryptography (1024b)
  • Supports Run Time Equalization
(1) Random Number Generator (RNG4)
  • NIST certified
(6) Snow 3G Hardware Accelerators (STHA)
  • Implement the Snow 3.0 keystream generator
  • f8 encryption per ETSI/SAGE 128-UEA2 (and 128-EEA1)
  • f9 authentication per ETSI/SAGE 128-UIA2 (and 128-EIA1)
(6) ZUC Hardware Accelerators (ZHA)
  • Implement the ZUC keystream generator (per spec v1.5)
  • Authentication per ETSI/SAGE 128-EIA3 (spec v1.5)
  • Encryption per ETSI/SAGE 128-EEA3 (spec v1.5)
(6) Kasumi F8/F9 Hardware Accelerators (KFHA)
  • F8, F9 as required for 3GPP
  • A5/3 for GSM and EDGE, GEA-3 for GPRS
(6) Message Digest Hardware Accelerators (MDHA)
  • SHA-1, SHA-2 256-, 384-, 512-bit digests
  • MD5 128-bit digest
  • HMAC with all algorithms
(6) Advanced Encryption Standard Accelerators (AESA)
  • Key lengths of 128, 192 and 256 bits
  • ECB, CBC, CTR, CCM, GCM, CMAC, XCBC, OFB, CFB and XTS
  • Supports LTE 128-EEA2 / 128-EIA2
(6) Data Encryption Standard Accelerators (DESA)
  • DES, 3DES (2K, 3K)
  • ECB, CBC, OFB modes
(6) CRC Units
  • CRC32, CRC32C, 802.16e OFDMA CRC

Header and trailer off-load for the following security protocols: IPSec, SSL/TLS, 3G RLC, PDCP, SRTP, Wi-Fi, MACSEC

[Figure: SEC block diagram: Job Ring interface, Queue Interface, AIOP Interface, Job Queue Controller, Descriptor Controllers, DMA, RTIC, and the CHAs (DESA, AESA, MDHA, PKHA, STHA, RNG4, KFHA, ZHA)]

Page 9

SEC integration in LS2088A

[Figure: LS2088A block diagram: eight ARM A72 cores (32KB L1-D and 48KB L1-I each, four 1MB banked L2 caches), coherency fabric with SMMUs, 1MB platform cache, two 64-bit DDR4 memory controllers, a 32-bit DDR4 memory controller for the Advanced IO Processor (AIOP), Management Complex, Queue/Buffer Manager, WRIOP (8x1/10 + 8x1 GbE, PEB memory), SEC, DCE, PME, Secure Boot, TrustZone, two 8-lane 10GHz SERDES, PCIe (including SR-IOV/EP), 2x SATA 3.0, 2x USB3.0 + PHY, flash controller, SDXC/eMMC, 2x DUART, 4x I2C, SPI, GPIO, JTAG, power management]

The SEC can be invoked directly by software running on the ARM A72 cores or on the AIOP.

Page 10

SEC engine: a programmable hardware accelerator

• DECO (Descriptor Controller): the "brain" of the SEC engine
  − Executes descriptors
  − Moves data, keys and context to the CHAs, which perform the computation
  − Simple Boolean operations
  − Implements single-pass (1-pass) encryption + integrity checking, including fully stateful protocol processing
  − Flexible support for new or custom protocols
• CHA (Crypto Hardware Accelerator): the crypto hardware accelerators
  − Algorithm-specific crypto engines
  − Can be one per DECO, or shared by several DECOs
  − The latest CHAs support side-channel resistance

The main factors that determine performance: 1 - the number of DECOs; 2 - the number of CHAs; 3 - the SEC clock frequency.

[Figure: DECOs with their descriptor buffers, arbiters, and the CHAs they share: KFHA, MDHA, CRCA, AESA, DESA, ZUCE, ZUCA, RNG, SNOW F8, SNOW F9, PKHA]

Page 11

Advantages of the SEC architecture

• Handles the different protocols on its own, with single-pass (1-pass) encryption and authentication (e.g. AES-HMAC-SHA-2)
• The CPU can execute other tasks in parallel while the SEC processes packets, and collect the results periodically.
• With CPU crypto instructions the processing is two-pass (2-pass): there is no protocol acceleration, and no non-crypto work can be done in the meantime.

[Figure: per-packet timelines. CPU only: protocol processing, then per core Alg 1 (encryption), then per core Alg 2 (hashing, authentication), then egress processing; the core has essentially no time for anything else. With the SEC: protocol processing, SEC driver, then SEC DMA + protocol processing + encryption + hashing while the core moves on to the next packet's protocol processing, then SEC driver (polling or INT#), then egress processing]

Page 12

SEC protocol-processing example: IPsec ESP Tunnel Encrypt

Single pass (1-pass): encryption + authentication

The SEC adds the ESP header, the IV, the ESP trailer and the HMAC (ICV). It also adds the outer header (up to 128B). It computes the IP header Length field, but does not compute the header checksum.

[Figure: input frame: IP header | payload. Output frame: new IP header | ESP header (SPI, Seq#, optional ESN) | IV | encrypted (payload, padding, pad len, next header N) | ICV. Crypto: Class 1 covers payload, padding, pad len and N; Class 2 (authenticate) covers SPI, Seq#, optional ESN, IV and the encrypted part]
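As an added illustration (not code from the presentation or from NXP), the Go program below is a software model of the single-pass job described above: it performs the same framing the SEC performs (ESP header, IV, padding and trailer, ICV over the ESP header and ciphertext, outer IPv4 header with the Total Length filled in and the checksum left at zero) using AES-128-CBC with HMAC-SHA1-96, plus the receive side, which checks the ICV before it decrypts anything. The SPI, keys, addresses and inner packet are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// espSA is the per-SA state a SEC shared descriptor keeps in its context (constructed values only).
type espSA struct {
	spi, seq           uint32 // seq is the last sequence number sent
	encKey, authKey    []byte // AES-128-CBC key (Class 1), HMAC-SHA1 key (Class 2)
	outerSrc, outerDst [4]byte
}

const icvLen = 12 // HMAC-SHA1-96: the ICV is the truncated HMAC

// outerIPv4 builds the new outer header: Total Length is computed, the checksum is left to software.
func outerIPv4(src, dst [4]byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // IPv4, 20-byte header
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	h[8], h[9] = 64, 50 // TTL, protocol = ESP
	copy(h[12:], src[:])
	copy(h[16:], dst[:])
	return h
}

// espTunnelEncrypt models the single-pass "IPsec ESP Tunnel Encrypt" job:
// outer IP | ESP (SPI, Seq#) | IV | AES-CBC(inner | pad | pad len | next=4) | ICV.
func espTunnelEncrypt(sa *espSA, iv, inner []byte) ([]byte, error) {
	block, err := aes.NewCipher(sa.encKey)
	if err != nil || len(iv) != aes.BlockSize {
		return nil, errors.New("bad key or IV length")
	}
	// Pad so that inner + pad + 2 trailer bytes is a multiple of the block size.
	padLen := (aes.BlockSize - (len(inner)+2)%aes.BlockSize) % aes.BlockSize
	plain := append([]byte{}, inner...)
	for i := 1; i <= padLen; i++ { // RFC 4303 self-describing pad bytes 1,2,3,...
		plain = append(plain, byte(i))
	}
	plain = append(plain, byte(padLen), 4) // pad len, next header = IP-in-IP
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	sa.seq++ // the anti-replay counter is SA state, advanced per packet
	esp := make([]byte, 8, 8+len(iv)+len(ct)+icvLen)
	binary.BigEndian.PutUint32(esp[0:], sa.spi)
	binary.BigEndian.PutUint32(esp[4:], sa.seq)
	esp = append(append(esp, iv...), ct...)
	mac := hmac.New(sha1.New, sa.authKey)
	mac.Write(esp) // Class 2 covers SPI, Seq#, IV and the ciphertext
	esp = append(esp, mac.Sum(nil)[:icvLen]...)
	return append(outerIPv4(sa.outerSrc, sa.outerDst, len(esp)), esp...), nil
}

// espTunnelDecrypt is the receive side: constant-time ICV check before any decryption.
func espTunnelDecrypt(sa *espSA, pkt []byte) ([]byte, error) {
	if n := len(pkt) - 20 - 8 - aes.BlockSize - icvLen; n <= 0 || n%aes.BlockSize != 0 {
		return nil, errors.New("malformed ESP packet length")
	}
	esp := pkt[20:]
	body, icv := esp[:len(esp)-icvLen], esp[len(esp)-icvLen:]
	mac := hmac.New(sha1.New, sa.authKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) {
		return nil, errors.New("ICV mismatch")
	}
	block, _ := aes.NewCipher(sa.encKey)
	iv, ct := body[8:8+aes.BlockSize], body[8+aes.BlockSize:]
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen, next := int(plain[len(plain)-2]), plain[len(plain)-1]
	if next != 4 || padLen > len(plain)-2 {
		return nil, errors.New("bad ESP trailer")
	}
	return plain[:len(plain)-2-padLen], nil
}
```

On the SEC the same framing is one descriptor with the cipher on Class 1 and the HMAC on Class 2; here the two operations are sequential, which is exactly the 2-pass cost the earlier slides contrast with.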

Page 13

Advantages of the integrated SEC engine

• Lower BOM cost and less board space
• Higher effective performance
  o Attached to the widest, fastest bus on the SoC rather than to an external peripheral bus
  o Direct access to the internal caches and RAM
  o No dedicated IO pins or extra IO power supplies
• Accelerator certification
  o NIST RNG entropy analysis
  o NIST crypto algorithm validation
• Integration with the Trust Architecture (Security 201 gives more detail)
  o Hardware-enforced virtualization: the SEC provides a "private" crypto accelerator for each VM
  o "Special" keys are usable depending on the device's security state
  o Trusted descriptor execution: SEC descriptors can be signed

Page 14

Enabling the SEC: Descriptors

Page 15

SEC Descriptors

• Descriptor: the functional "language" of the SEC engine
• Descriptor types
  o Job Descriptor: for single, stateless operations
  o Shared Descriptor: for flow-based operations
  o Trusted Descriptor: enforces execution security
  o In-line Job Descriptor: advanced programming primitive
  o Replacement Job Descriptor: advanced programming primitive
• Operations
  o Conditional loops
  o Routine calls
  o Jump to another descriptor
  o Math operations
  o Crypto operations
  o Data-movement operations

Descriptor for AES-CBC operations, built with the RTA:

#include <stdbool.h>
#include <stdint.h>
#include "rta.h"   /* SEC Run-Time Assembler: struct program, struct alginfo, opcode macros */

/*
 * Build a shared descriptor that runs AES-CBC over a variable-length sequence.
 *   descbuf    - buffer that receives the descriptor words
 *   ps         - true when descriptor pointers are 36-bit (pointer size)
 *   cipherdata - key, key length and key-encryption flags
 *   iv, ivlen  - IV loaded into the Class 1 context register
 *   dir        - DIR_ENC or DIR_DEC
 * Returns the descriptor length in words, or a negative RTA error.
 */
static inline int cnstr_shdsc_blkcipher(uint32_t *descbuf, bool ps,
					struct alginfo *cipherdata,
					uint8_t *iv, uint32_t ivlen,
					uint8_t dir)
{
	struct program prg;
	struct program *p = &prg;

	PROGRAM_CNTXT_INIT(p, descbuf, 0);
	if (ps)
		PROGRAM_SET_36BIT_ADDR(p);
	SHR_HDR(p, SHR_ALWAYS, 1, 0);		/* shared-descriptor header */
	/* Load the cipher key into the Class 1 key register */
	KEY(p, KEY1, cipherdata->key_enc_flags, cipherdata->key,
	    cipherdata->keylen, INLINE_KEY(cipherdata));
	/* Select AES-CBC on the Class 1 CHA, init and final in one job */
	ALG_OPERATION(p, OP_ALG_ALGSEL_AES, OP_ALG_AAI_CBC,
		      OP_ALG_AS_INITFINAL, 0, dir);
	/* Set the variable input and output sizes from the sequence input size */
	MATHB(p, SEQINSZ, SUB, MATH2, VSEQINSZ, 4, 0);
	MATHB(p, SEQINSZ, SUB, MATH2, VSEQOUTSZ, 4, 0);
	/* Load the IV into the Class 1 context as immediate data */
	LOAD(p, (uintptr_t)iv, CONTEXT1, 0, ivlen, IMMED | COPY);
	/* Stream the message through the CHA and store the result */
	SEQFIFOLOAD(p, MSG1, 0, VLF | LAST1);
	SEQFIFOSTORE(p, MSG, 0, 0, VLF);

	return PROGRAM_FINALIZE(p);
}

Page 16

Main descriptor types: Job descriptors and Shared descriptors

A job descriptor can fully define the work to be executed, or it can reference a shared descriptor that holds the bulk of the processing instructions and the context.

[Figure: two cartoons. Job descriptor: "Hello! I am a stand-alone job descriptor. We have never met, so let me tell you everything about processing this packet." Job descriptor with a shared descriptor: "Hello! I am a basic job descriptor. Let me describe the packet and refer you to my friend, the shared descriptor." / "Hello! I am a shared descriptor. We have met before."]

Page 17

SEC Run-Time Assembler (RTA): the tool for building descriptors

• RTA features
  o Provides an API for developing SEC descriptors
  o Built-in descriptor library plus ready-to-use RTA descriptors
  o Provides a test suite for the descriptors
• RTA advantages
  o Reusable across different environments
  o Small software footprint
  o A matching descriptor library for each device
  o Supports reference code developed in-house
  o Easy to integrate into applications

Page 18

Security engine drivers and APIs

Page 19

Using the SEC drivers: ease of use vs. performance

APIs focused on ease of use or on performance
• Existing standard APIs
  • Kernel: Linux® Crypto API
  • User space: OpenSSL EVP API
• High-performance APIs
  • User space: DPDK, ODP APIs

How to reach both high performance and ease of use?
• NXP provides optimized middleware (IPSEC and OpenSSL)
  • ASF: IPsec with ESP tunnel/transport offload
  • OpenSSL with handshake and record-layer offload
• The middleware directly supports the standard protocol APIs
  • PF_KEY/XFRM compatible
  • OpenSSL API
• Customers do not need to know the details of the SEC APIs

[Figure: spectrum from highest performance (DPDK, ODP API) through the Linux Crypto API to least intrusive, standard (OpenSSL EVP API); the labels contrast flow-aware vs. flow-agnostic, asynchronous vs. synchronous, protocol-aware 1-pass vs. 2-pass, and no alloc / SW alloc / HW alloc; axes: performance vs. ease of use]

Page 20

SEC drivers and APIs in different environments

[Figure: software stacks per environment. Linux kernel: kernel SEC driver (Job Ring, Qman*, DPSECI, PEX) with the SEC RTA library, exposing the Linux Crypto API, the ASF Crypto API and the Crypto-Dev API. Linux user space: user-space SEC driver* (Qman*, DPSECI) with the ODP/DPDK Crypto user-space API*, the OpenSSL EVP API and the SEC user-space API for NXP and customer middleware and applications. Bare-metal / RTOS: customer driver and API under customer middleware and applications. LS2 AIOP: NXP AIOP service layer and service layer API under customer offloading applications. Virtualization (KVM): guest kernel SEC driver (dpseci, sec rta) with Linux Crypto API, Crypto-Dev API and OpenSSL EVP API; guest user-space SEC driver (dpseci, sec rta) with SEC user-space API* through VFIO; QEMU with VFIO API and vhost API over a vhost-crypto kernel SEC driver (dpseci). ARM Crypto Extensions appear beside each stack.]

Page 21

Linux® kernel (Crypto API): system integration

[Figure: kernel-side integration. Kernel SEC driver with the SEC RTA library over JR (Job Ring), PCIe (SEC-C29x), Qman (SEC-DPAA1) and DPSECI (SEC-DPAA2), implemented by pkc_host_api, caam_jr, caam_qi and dpaa2_caam. Consumers of the Linux® Crypto API: Crypto-Dev (/dev/crypto) under the OpenSSL® libcrypto/EVP API, the OpenSSL® handshake and record layer and the SSL API used by customer applications (Apache, Nginx); DM-Crypt through the cryptsetup API and the LUKS interface for encrypted file systems; Open-zfs (zpool/dataset, checksum offload) through /dev/zfs and libzfs; the Linux network stack (routing, ARP, IPsec XFRM) configured through the PF_KEY/Net-Link API by setkey and the IKE daemons (Raccoon, StrongSwan). Legend: NXP upstream done / NXP drivers / NXP drivers upstream pending.]

Page 22

SEC user-space drivers + APIs

• Standard user-space Crypto APIs
  o ODP Crypto API (IPSec, PDCP, SSL, etc.)
  o DPDK Crypto APIs (IPSec, PDCP, SSL, etc.)
  o EVP API (SSL, IKE)
• NXP uses its own hardware accelerators to support additional protocol offloads
  o Work is under way to make these part of the standard feature set

[Figure: user-space stack. O/S applications (Apache, Nginx) over the OpenSSL API, handshake/record layer and OpenSSL libcrypto/EVP API, with a cryptodev engine and a user-space engine offering 2-pass cipher/hash, 1-pass AEAD, protocol (ipsec, ssl) and PKCS (RSA, DSA) offload; customer applications over custom ODP/DPDK APIs and a customer data path (IPSec/SSL/other, customer API, GPP-DAK IPSec, NF-API); customer control plane with Raccoon IKE Linux integration; VortiQa mobility (GTP, PDCP). Underneath: SEC – DPAA 2.x through the DPAA2 driver (QMan v2) and SEC – DPAA 1.x through the DPAA1 driver (Qman v1), kernel SEC driver extensions, crypto-dev, and the SEC RTA library.]

Page 23

IPSEC

Page 24

IPsec: Native Linux®

• Linux® kernel IPsec
  o Supports the native data path
  o Invokes the SEC engine through the standard Linux Crypto API
  o Provides the standard PF_KEY/Net-Link interface for configuring the data path
• Performance
  o About 20-30x better than software crypto libraries
  o Supports asynchronous, single-pass and two-pass offload
• Control path
  o setkey for manual SA setup
  o Raccoon/StrongSwan IKE daemons for automatic SA setup (offloaded to the SEC engine through OpenSSL)

[Figure: native Linux IPsec stack: Ethernet driver and Linux network stack (routing, ARP, IPsec XFRM) using the Linux Crypto API over the kernel SEC driver with the SEC RTA library* (Job Ring, Qman, Dpseci) and the SEC; the IKE daemon (Raccoon/StrongSwan) and setkey configure the stack through the PF_KEY/Net-Link API and use the OpenSSL EVP API over Crypto-Dev]

Page 25

IPsec: Native Linux + ASF

• ASF (Application Specific Fast-Path)
  o For specific DPAA1 and non-DPAA platforms
  o Optimized IPsec data path
  o Invokes the SEC engine through the ASF crypto API
  o Seamlessly integrated with Linux® native IPsec
  o Can be integrated with other IPsec stacks: provides a protocol-level ASF-API
• Performance
  o 2x to 3x higher than native Linux® IPsec
  o Optimized flow caching and IPsec processing
  o Uses asynchronous, flow-aware, protocol-offloaded, in-place processing to raise performance
  o Uses the DPAA QM for packet distribution
• Control path
  o Internally integrated with Linux native IPsec → no special changes needed
  o Supports setkey, Raccoon and StrongSwan

[Figure: the native Linux IPsec stack, with the Application Specific Fast-Path (IPsec, routing, ARP) exposing the ASF-API and driving the SEC through the ASF Crypto API and the kernel SEC driver (SEC RTA library*, QMan, Job Ring)]

Page 26

IPsec: performance comparison, Native Linux® vs. ASF

IPsec performance data for ESP tunnel mode using AES-128 + SHA1

Compared with Linux, ASF improves performance by up to 4x.

[Figure: two charts, "IPSec Performance T1040D4RDB" and "IPSec Performance LS1021ATWR", plotting throughput and the increase factor against packet size (82, 408 and 1442 bytes) for "IPSec running on ASF" and "Native IPSec"]

Page 27

SSL/TLS

Page 28

SSL: current state: standard OpenSSL with Cryptodev

• OpenSSL
  o Primarily a crypto library in user space
  o The SEC engine front end can be offloaded directly from user space (eng_cryptodev)
• Crypto-Dev
  o Linux® kernel module (similar to af_alg) that exports crypto primitives from the kernel to user space
  o Built on top of the existing Linux® Crypto API
  o Attached to the OpenSSL libcrypto layer
• Advantages of the solution
  o Provides the standard OpenSSL API
  o Seamless integration with SSL applications such as Apache/Nginx
• Drawbacks
  o Uses a synchronous interface
  o No protocol awareness
  o No flow awareness

[Figure: customer applications (Apache, Nginx) over the SSL API, the OpenSSL handshake and record layer and the OpenSSL libcrypto/EVP API; OpenSSL calls Crypto-Dev through the Crypto-Dev API, which uses the Linux Crypto API over the kernel SEC driver (SEC RTA library; JR, Qman, dpseci, PEX for C29x) and the SEC; sockets, TCP/IP, the Linux stack and the Ethernet driver alongside]

Page 29

SSL: the future: optimized OpenSSL through a user-space driver

• Why move processing entirely into user space?
  o No context-switch overhead
  o No buffer-copy overhead
• Requires a user-space driver
  o SEC driver
  o User-space HW abstraction: direct access to the hardware through mapped address regions (UIO)
• Development aids
  o NXP OpenSSL engine: a plug-in module attached to the OpenSSL engine subsystem, allowing seamless integration with existing user-space applications

[Figure: customer applications (Apache, Nginx) over the SSL API, the OpenSSL handshake and record layer and the OpenSSL libcrypto/EVP API; the NXP OpenSSL Engine uses the SEC user-space API of the user-space SEC driver (SEC RTA library; JR, Qman, dpseci) to drive the SEC directly; sockets, TCP/IP, the Linux stack and the Ethernet driver alongside]

Page 30

Summary

• NXP's QorIQ processors integrate a scalable portfolio of security engines
  o Supporting a wide range of algorithms and protocols
  o Designed for high performance and low power
• NXP offers a range of security offload options
  o Both kernel and user-space drivers
  o Both standard, easy-to-use APIs and performance-oriented APIs
  o Optimized, higher-performance middleware such as IPSEC and OpenSSL
  o Standard configuration interfaces

Page 31

Resources

1. Linux SEC drivers
   a. Kernel upstream – kernel.org
   b. Kernel with NXP extensions – NXP SDK
2. Linux IPsec with integrated SEC drivers
   a. Kernel upstream – SEC running on the Job Ring interface, kernel.org
   b. Kernel with NXP extensions – NXP SDK
3. OpenSSL (including NXP extensions) – NXP SDK
4. Cryptodev module (including NXP extensions) – NXP SDK
5. ASF IPSec – delivered as part of the NXP SDK
6. Deeper-dive presentations
   • FTF-NET-N1883 - Deep Dive into ODP and DPDK for QorIQ LS2088A and LS1088A
   • FTF-NET-N1882 - Harnessing the Power of Layerscape Programmable Packet Engine
   • FTF-NET-N1844 - KVM Virtualization: Leveraging I/O Virtualization on QorIQ Platforms for VNFs

Page 33

Software Products and Services: Simplify Software Engagement with NXP

Deliver commercial software, support, services and solutions. Accelerate customer time-to-market. Create success!

Offerings shown: Linux® services, integration services, development tools, solutions, reference, runtime products; security consulting, hardened Linux, IoT gateway, OpenWRT+, CodeWarrior, VortiQa software solutions, commercial support, performance tuning.

Find us online at www.nxp.com/networking-services

Page 34

Page 35

ATTRIBUTION STATEMENT

NXP, the NXP logo, NXP SECURE CONNECTIONS FOR A SMARTER WORLD, CoolFlux, EMBRACE, GREENCHIP, HITAG, I2C BUS, ICODE, JCOP, LIFE VIBES, MIFARE, MIFARE Classic, MIFARE DESFire, MIFARE Plus, MIFARE FleX, MANTIS, MIFARE ULTRALIGHT, MIFARE4MOBILE, MIGLO, NTAG, ROADLINK, SMARTLX, SMARTMX, STARPLUG, TOPFET, TrenchMOS, UCODE, Freescale, the Freescale logo, AltiVec, C 5, CodeTEST, CodeWarrior, ColdFire, ColdFire+, C Ware, the Energy Efficient Solutions logo, Kinetis, Layerscape, MagniV, mobileGT, PEG, PowerQUICC, Processor Expert, QorIQ, QorIQ Qonverge, Ready Play, SafeAssure, the SafeAssure logo, StarCore, Symphony, VortiQa, Vybrid, Airfast, BeeKit, BeeStack, CoreNet, Flexis, MXC, Platform in a Package, QUICC Engine, SMARTMOS, Tower, TurboLink, and UMEMS are trademarks of NXP B.V. All other product or service names are the property of their respective owners. ARM, AMBA, ARM Powered, Artisan, Cortex, Jazelle, Keil, SecurCore, Thumb, TrustZone, and μVision are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. ARM7, ARM9, ARM11, big.LITTLE, CoreLink, CoreSight, DesignStart, Mali, mbed, NEON, POP, Sensinode, Socrates, ULINK and Versatile are trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates. The Power Architecture and Power.org word marks and the Power and Power.org logos and related marks are trademarks and service marks licensed by Power.org. © 2015–2016 NXP B.V.

Page 36

NXP QorIQ ODP Support (FTF-NET-N1883)

[Figure: ODP software architecture. ODP applications over the ODP API (PKTIO, Queue IO, Crypto, Classifier, runtime services) and an extended API; framework layer with IO & acceleration (Classifier, Crypto, PKTIO), run-time services (timers, buffers, resource management*), sync and NW services* (KNI, L2, L3); platform-specific layer with the resource manager (resource management, discovery, Eth config), Crypto-PAC and AIOP management & communication; Arch/ARM over VFIO, LS-Bus, DPAA 2 (SEC, AIOP offload*, PME, queue/scheduler) and DPAA 1; applications: memory, routing, ARP, KNI]

Page 37

ODP execution flow (Crypto Subsystem)

• Provides ciphering, authentication and random number generation
• Basic concepts: sessions and operations
  − Session
    Crypto
    Protocol - IPSec, PDCP*
  − Operations
    AES-CBC/GCM, 3DES-CBC, ZUC-E/A, SNOW F8/F9, HMAC-SHA*/MD5
• NXP supports async operations with the HW accelerator

Page 38

NXP ODP Crypto

Offloading Functionality | Usage domain | ODP API Availability | Interface support | Platform Support
AES_CBC, DES | Cipher algos | ODP v1.4.1 *, SDK 2.0 | CAAM-QI / DPSECI | DPAA1, DPAA2
SHA1, SHA2, MD5 | Authentication algos | ODP v1.4.1 *, SDK 2.0 | CAAM-QI / DPSECI | DPAA1, DPAA2
IPSec (AES-CBC-HMAC-SHA1) | IPSec – 1-pass offload | ODP v1.4.1 *, SDK 2.0 | CAAM-QI / DPSECI | DPAA1, DPAA2
IPSec (3DES-CBC-HMAC-MD5) | IPSec – 1-pass offload | ODP v1.4.1 *, SDK 2.0 | CAAM-QI / DPSECI | DPAA1, DPAA2
Next:
tls1.0 (AES-CBC-HMAC-SHA1) | SSL/TLS | ODP v2.0 *, SDK 2.1+ | CAAM-QI / DPSECI | DPAA1, DPAA2
tls1.2 (AES-CBC-HMAC-SHA256) | SSL/TLS | ODP v2.0 *, SDK 2.1+ | CAAM-QI / DPSECI | DPAA1, DPAA2
tls1.2 (AES-GCM-SHA256) | SSL/TLS | ODP v2.0 *, SDK 2.1+ | CAAM-QI / DPSECI | DPAA1, DPAA2
PDCP (SNOW_F8, ZUC, SNOW_F9, AES-CTR) | Wireless backhaul | ODP v2.0 *, SDK 2.1+ | CAAM-QI / DPSECI | DPAA2

* with NXP extensions

Page 39

QorIQ DPDK® Support (FTF-NET-N1883)

[Figure: DPDK software architecture, colour-coded as NXP support / DPDK.org / customer. DPDK® applications over the DPDK® API; framework layer with IO & acceleration (Ethernet poll-mode drivers, crypto drivers), run-time services (timers, buffers, resource management), sync, network services (memory, kernel NW interface) and the EAL; platform-specific layer with the resource manager; Arch/ARMv8 over VFIO, LS-Bus, DPAA 2 (SEC) and DPAA 1; Arch/x86 with Intel NICs, Intel QAT and PEX; Arch/Power8; Arch/Tilera with iNIC]

Page 40

DPDK Crypto Subsystem

• Session-less mode
  − For each job, software defines:
    the data to be operated upon (input buffers, lengths, offsets),
    the output buffers to hold the results,
    the cryptographic operations to be performed,
    the keys and context for the cryptographic operations.
• Session-oriented mode
  − For each job, software defines:
    the data to be operated upon (input buffers, lengths, offsets),
    the output buffers to hold the results.
  − Cryptographic operations, keys and context are defined at session establishment time and referenced for each job
• Supports virtual and physical crypto devices
  − Virtual device (software implementation)
    Intel AES-NI/vector operations
    ARM NEON instructions *
  − Physical device (hardware accelerated)
    QAT
    DPAA-CAAM*
    DPAA2-CAAM*
• Test applications
  − L2fwd with crypto
  − IPsec forward application

Page 41

DPDK Crypto APIs

• Device creation and configuration
  rte_cryptodev_configure, rte_cryptodev_queue_pair_setup
• Device capabilities
  rte_cryptodev_info_get
• Pool creation
  rte_crypto_op_pool_create, rte_crypto_op_alloc
• Session management
  rte_cryptodev_sym_session_create
  rte_cryptodev_sym_session_free
• Packet operations
  rte_cryptodev_enqueue_burst
  rte_cryptodev_dequeue_burst

Page 42

SEC Virtualization (FTF-NET-N1844)

[Figure: KVM virtualization options. Host kernel: SEC driver (caam_jr, caam_qi, dpaa2_caam) with the SEC RTA library over JR, Qman and DPSECI for SEC-DPAA1 and SEC-DPAA2, exposing the Linux Crypto API and vhost-kernel; QEMU with the VFIO API and vhost-crypto. Guests: (1) user-space SEC driver (dpseci, SEC RTA library, SEC user-space API*) through VFIO; (2) kernel SEC driver with the SEC RTA library (inline-append)*, Linux Crypto API, Crypto-Dev API and OpenSSL EVP API, by direct assignment (dpaa2_caam, dpseci); (3) kernel SEC driver over virtio-crypto drv / virtio-crypto with Linux Crypto API, Crypto-Dev API and OpenSSL EVP API; (4) user-space SEC driver with DPDK Crypto-API* over virtio-crypto, backed by vhost-crypto user space (SEC RTA library, vhost-user, DPSECI, DPDK Crypto-API*, VFIO); (5) user-space SEC driver with OPNFV g-api over virtio-ipsec, backed by vhost-ipsec user space (SEC RTA library, DPSECI, VFIO). Each guest runs NXP & customer middleware and applications.]

Page 43

SEC Virtualization options and offering

Functionality/Support | Usage domain | Availability | Interface | Platform Support
virtio-crypto kernel driver | Generic functionality offloading | PoC-2015 | virtio-crypto | ALL
vhost-crypto kernel | virtio-crypto back-end | PoC-2015 | crypto-API | ALL
dpaa2_caam kernel driver for direct assignment | SEC direct assignment to KVM guest | SDK 2.0 | DPSECI | DPAA2
virtio-ipsec standardization with OPNFV | Generic virtio-ipsec device | PoC-2015 | DPSECI | DPAA2
Next:
dpdk virtio driver | virtio-crypto user-space driver for DPDK | SDK 2.1+ | Virtio-crypto | DPAA1, DPAA2
dpdk-vhost | DPDK back-end vhost for crypto operations | SDK 2.1+ | CAAM-QI, DPSECI | DPAA1, DPAA2
virtio-crypto device standardization | OASIS virtio-crypto standardization | OASIS milestone | Generic | DPAA1, DPAA2
virtio-crypto kernel driver updates | Kernel driver update based on the virtio-crypto standard | OASIS milestone+ | CAAM-QI, DPSECI | DPAA1, DPAA2
dpdk virtio driver updates | DPDK virtio-crypto driver updates based on the virtio-crypto standard | OASIS milestone+ | CAAM-QI, DPSECI | DPAA1, DPAA2

Virtio-crypto standardization has been started in the OASIS forum. NXP and Huawei are working together to define the virtio-crypto device.

Standard functionality planned to be supported:
- Standard crypto operations (ciphers, digest, HMAC)
- 1-pass stateless offloading

Page 44