• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

23.09d - Is QAT Broken?

Scheduled Pinned Locked Moved Plus 23.09 Development Snapshots (Retired)
86 Posts 10 Posters 19.9k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • J
    jaltman @stephenw10
    last edited by Oct 8, 2023, 5:58 PM

    @stephenw10 said in 23.09d - Is QAT Broken?:

    Mmm, as I read it OpenSSL requires the qat engine module to use it in user mode. Interesting that it does use it in 23.05... 🤔

    OpenSSL 1.1.x also requires the QAT Engine in order to support use of QuickAssist. The Intel QAT Engine for OpenSSL was developed against OpenSSL 1.1 on FreeBSD 12.4. However, that release doesn't package or ship the engine.

    I have seen no evidence on my 4100 when running 23.05.1 that QAT is being used by userspace. There is a small increase in the qat counters in kernel but I cannot believe that they are result of any userspace cryptographic or compression or signing operations.

    1 Reply Last reply Reply Quote 0
    • J
      jaltman @RobbieTT
      last edited by Oct 8, 2023, 6:03 PM

      @RobbieTT said in 23.09d - Is QAT Broken?:

      [23.05.1-RELEASE] /root: openssl engine
      (devcrypto) /dev/crypto engine

      It is possible that QAT on 23.05.1 is triggered for random number generation since /dev/crypto operates in kernel and has access to QAT. Any such usage would not be for encryption, compression or signing of actual network traffic.

      1 Reply Last reply Reply Quote 0
      • J
        jaltman @RobbieTT
        last edited by jaltman Oct 8, 2023, 6:29 PM Oct 8, 2023, 6:07 PM

        @RobbieTT said in 23.09d - Is QAT Broken?:

        I have no difficulty replicating the QAT interrupts on 23.05.1. They don't increment by themselves, only when the firewall is doing a relevant task eg TLS/SSL. A simple DoT Dig that is forwarded is enough to increment, as will a curl, package update etc. Not sure I am believed though, for reasons that escape me.

        I believe that the interrupts occur because I see them as well. I do not believe that it has anything to do with use of QAT to encrypt, sign, or compress network traffic because I understand how QAT plugs into OpenSSL libcrypto and none of nginx, apache, curl, sshd, ssh, kerberos, etc that rely upon libcrypto for encryption, signing and compression primitives would contain any internal code to call into the QAT driver.

        libz also has to be built custom in order to make use of QAT.

        J 1 Reply Last reply Oct 8, 2023, 7:52 PM Reply Quote 0
        • J
          jaltman @jaltman
          last edited by Oct 8, 2023, 7:52 PM

          I've sent private mail to Bernard Spil, the maintainer of OpenSSL for FreeBSD, asking him if and how QAT is supported in the FreeBSD builds.
          I will report on his response when I receive it.

          R 1 Reply Last reply Oct 8, 2023, 8:29 PM Reply Quote 1
          • R
            RobbieTT @jaltman
            last edited by Oct 8, 2023, 8:29 PM

            @jaltman That would be enormously helpful - thank you. 👍

            ☕️

            J 1 Reply Last reply Oct 8, 2023, 9:02 PM Reply Quote 0
            • S
              stephenw10 Netgate Administrator
              last edited by Oct 8, 2023, 8:47 PM

              Mmm, if it was supported in user-space I would expect to be able to see it very easily when using OpenVPN without DCO mode. With DCO is uses the kernel-mode crypto framework.

              1 Reply Last reply Reply Quote 0
              • J
                jaltman @RobbieTT
                last edited by Oct 8, 2023, 9:02 PM

                @RobbieTT Bernard confirms QAT functionality has never been packaged by him for FreeBSD. He suggests that someone else should build it and submit a ports request.

                He wants whoever supports it to have hardware on which to test it.

                J 1 Reply Last reply Oct 9, 2023, 11:45 AM Reply Quote 0
                • J
                  jaltman @jaltman
                  last edited by Oct 9, 2023, 11:45 AM

                  @jaltman Moin Rahman did the earlier work on QAT support for the kernel and OpenSSL engine as one of his former employers was interested. However, that company went in a different direction leveraging programmable NICs instead after Intel abandoned the dedicated QAT add-on boards during the FreeBSD 13 time frame.

                  1 Reply Last reply Reply Quote 0
                  • J
                    jimp Rebel Alliance Developer Netgate @RobbieTT
                    last edited by jimp Oct 9, 2023, 1:30 PM Oct 9, 2023, 1:29 PM

                    @RobbieTT said in 23.09d - Is QAT Broken?:

                    @jimp said in 23.09d - Is QAT Broken?:
                    Jim, the 4xxx message could be linked to an errata elsewhere in pfSense as it has been missed from one of the lists. It is included in the actual FW lists though. There was a post on this subject a few days ago which @stephenw10 covered. Of course, being a later QAT generation, it will have key differences to the earlier generations QAT in the C3xxx and probably adds a brace of expanded capabilities.

                    The message saying userspace QAT only supported on 4xxx is from FreeBSD, not pfSense.

                    https://github.com/freebsd/freebsd-src/blob/3523f0677ef514fe72710033c73cc58517b9cda8/sys/dev/qat/qat_common/adf_cfg_device.c#L700

                    The man pages you linked to makes no mention of userspace being limited to 4xxx either and it is grouped in the same list as the C3xxx. That does not make it untrue either, just less than clear.

                    Try setting a loader.conf.local tunable for dev.qat.0.cfg_mode="ks;us" yourself and see.

                    You can't compare 23.05.1 directly because it did not have that tunable so I don't get where your assertion is coming from that it had both enabled there. Your shell output doesn't show that. There is nothing in the 23.05.1 output showing userspace.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    R 1 Reply Last reply Oct 9, 2023, 1:41 PM Reply Quote 0
                    • R
                      RobbieTT @jimp
                      last edited by Oct 9, 2023, 1:41 PM

                      @jimp said in 23.09d - Is QAT Broken?:

                      You can't compare 23.05.1 directly because it did not have that tunable so I don't get where your assertion is coming from that it had both enabled there. Your shell output doesn't show that. There is nothing in the 23.05.1 output showing userspace.

                      Understood but the man pages lists ks;us as the default and the absence of an explicit command to demure from that usually equals that the default is set. Apologies if this is not the case.

                      ☕️

                      J 1 Reply Last reply Oct 9, 2023, 1:50 PM Reply Quote 0
                      • J
                        jimp Rebel Alliance Developer Netgate @RobbieTT
                        last edited by Oct 9, 2023, 1:50 PM

                        @RobbieTT said in 23.09d - Is QAT Broken?:

                        @jimp said in 23.09d - Is QAT Broken?:

                        You can't compare 23.05.1 directly because it did not have that tunable so I don't get where your assertion is coming from that it had both enabled there. Your shell output doesn't show that. There is nothing in the 23.05.1 output showing userspace.

                        Understood but the man pages lists ks;us as the default and the absence of an explicit command to demure from that usually equals that the default is set. Apologies if this is not the case.

                        The man page is not complete/accurate there. It's only the default on 4xxx devices as well, for all others it defaults to kernel only.

                        https://github.com/freebsd/freebsd-src/blob/main/sys/dev/qat/qat_common/adf_cfg.c#L37

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        R 1 Reply Last reply Oct 9, 2023, 2:15 PM Reply Quote 1
                        • R
                          RobbieTT @jimp
                          last edited by Oct 9, 2023, 2:15 PM

                          @jimp said in 23.09d - Is QAT Broken?:

                          The man page is not complete/accurate there.

                          I didn't stand a chance. Back to the cup of tea.

                          ☕️

                          M 1 Reply Last reply Oct 12, 2023, 6:28 PM Reply Quote 0
                          • M
                            marcosm Netgate @RobbieTT
                            last edited by Oct 12, 2023, 6:28 PM

                            @RobbieTT said in 23.09d - Is QAT Broken?:

                            @jimp said in 23.09d - Is QAT Broken?:

                            The man page is not complete/accurate there.

                            I didn't stand a chance. Back to the cup of tea.

                            ☕️

                            There are many nuances indeed! It's a good discussion to have, and the civil approach is appreciated :)

                            B 1 Reply Last reply Oct 17, 2023, 7:03 PM Reply Quote 3
                            • B
                              bcdouglas @marcosm
                              last edited by Oct 17, 2023, 7:03 PM

                              @marcosm said in 23.09d - Is QAT Broken?:

                              @RobbieTT said in 23.09d - Is QAT Broken?:

                              @jimp said in 23.09d - Is QAT Broken?:

                              The man page is not complete/accurate there.

                              I didn't stand a chance. Back to the cup of tea.

                              ☕️

                              There are many nuances indeed! It's a good discussion to have, and the civil approach is appreciated :)

                              Yes, thank you for a civil discussion @marcosm and @stephenw10. I don't know why these conversations often become aggressive with users trying to provide input to netgate. Thanks @marcosm and @stephenw10 .

                              R 1 Reply Last reply Oct 17, 2023, 7:14 PM Reply Quote 0
                              • R
                                RobbieTT @bcdouglas
                                last edited by RobbieTT Oct 17, 2023, 7:15 PM Oct 17, 2023, 7:14 PM

                                @bcdouglas
                                Sounds like I am being admonished; if so I will take it on the chin. It was not my intent to cause waves but clearly something unintended was triggered.

                                As users we don't always have the technical language for this kind of discourse but all I can say is that I did my best to read-into the topic to try and understand the apparent changes or limitations, only to find gaps in the documentation.

                                Threads such as this may put-off others from providing feedback but it shouldn't. Please set this aside and do comment when you think something does not make sense. Nothing can move forward without feedback.

                                Anyway, I'll take the thumping on this one.

                                B 1 Reply Last reply Oct 18, 2023, 5:30 PM Reply Quote 1
                                • S
                                  stephenw10 Netgate Administrator
                                  last edited by Oct 17, 2023, 7:28 PM

                                  I really don't think there was any issue here. Reading back I think there was a misunderstanding earlier on but in general this was a useful discussion. No admonishment required! 😉

                                  R 1 Reply Last reply Oct 24, 2023, 1:55 PM Reply Quote 4
                                  • B
                                    bcdouglas @RobbieTT
                                    last edited by Oct 18, 2023, 5:30 PM

                                    @RobbieTT Not from me. The conversations from the Netgate side often take a weird turn when users try to ask honest questions and help.

                                    1 Reply Last reply Reply Quote 1
                                    • D Djbower1 referenced this topic on Oct 24, 2023, 1:14 PM
                                    • R
                                      RobbieTT @stephenw10
                                      last edited by Oct 24, 2023, 1:55 PM

                                      @stephenw10

                                      No observable change in functionality with the newly-enabled QAT 200xx devices (tested on an Xeon D-1536NT with 23.09.b.20231020.0600 installed) from that of the C3xxx series on the same beta load.

                                      ☕️

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        stephenw10 Netgate Administrator
                                        last edited by Oct 24, 2023, 2:21 PM

                                        The change we made there should now recognise that device as QAT capable on the dashboard. It should also load the qat module if it's not already.
                                        However the driver itself already worked with the hardware so if it was loaded then the kernel could already use it for kernel mode crypto.

                                        R 1 Reply Last reply Oct 24, 2023, 2:25 PM Reply Quote 0
                                        • R
                                          RobbieTT @stephenw10
                                          last edited by Oct 24, 2023, 2:25 PM

                                          @stephenw10
                                          It does show correctly and I have provided feedback on issue #14844. 👍

                                          ☕️

                                          1 Reply Last reply Reply Quote 1
                                          • S sandie referenced this topic on Nov 11, 2023, 11:00 AM
                                          72 out of 86
                                          • First post
                                            72/86
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received