Openssl support Intel QT
-
Good morning,
from a quick check it seems that PfSense (21.05.2) openssl libraries are not compiled with Intel QT support:
openssl engine -v qatengine
4371072000: error: 25066067: DSO support routines: dlfcn_load: could not load the shared library: / var / jenkins / workspace / pfSense-img-build / BUILD_NODE / amd64 / OS_MAJOR_VERSION / freebsd12 / PLATFORM / aws / sources / FreeBSD-src crypto / openssl / crypto / dso / dso_dlfcn.c: 118: filename (/usr/lib/engines/qatengine.so): Cannot open "/usr/lib/engines/qatengine.so"
34371072000: error: 25070067: DSO support routines: DSO_load: could not load the shared library: / var / jenkins / workspace / pfSense-img-build / BUILD_NODE / amd64 / OS_MAJOR_VERSION / freebsd12 / PLATFORM / aws / sources / FreeBSD-src / crypto / openssl / crypto / dso / dso_lib.c: 162:
34371072000: error: 260B6084: engine routines: dynamic_load: dso not found: / var / jenkins / workspace / pfSense-img-build / BUILD_NODE / amd64 / OS_MAJOR_VERSION / freebsd12 / PLATFORM / aws / sources / FreeBSD-src / openspto / crypto crypto / engine / eng_dyn.c: 414:
34371072000: error: 2606A074: engine routines: ENGINE_by_id: no such engine: / var / jenkins / workspace / pfSense-img-build / BUILD_NODE / amd64 / OS_MAJOR_VERSION / freebsd12 / PLATFORM / aws / sources / FreeBSypto / opensypto / opensypto / crypto crypto / engine / eng_list.c: 334: id = qatengineIt's correct ?
I need to use Intel QT acceleration in openssl and consequently in OpenVPN.
Thanks
-
That is correct. OpenSSL, and hence OpenVPN, cannot use the QAT driver.
Steve
-
Thanks Steve,
but is possible to compile openssl to include Intel QT acceleration ?
https://www.intel.com/content/www/us/en/developer/articles/guide/building-software-acceleration-features-in-the-intel-qat-engine-for-openssl.html
-
Hello,
I observe the same limitation of the compiled openssl library on my new atom netgate device.
We can also see the driver is loaded (see below).
Apparently the QAT driver has been included in FreeBSD 13 recently.A few indications on how to compile the QAT engine and make it work for openSSL 1.1.1 would be appreciated ! (is it possible to build such engine on a vanilla FreeBSD virtual machine ?, or will it be possible with the future virtual machine distribution of PfSense Plus / existing CE ?)
Or is it simply not worth the time/effort : in that case should IPSec or wireguard be prefered to OpenVPN today on atom netgate devices ?
[21.05.2-RELEASE][xxx@pfSense.xxx]/root: kldstat
Id Refs Address Size Name
1 30 0xffffffff80200000 3aec178 kernel
2 2 0xffffffff83cee000 a448 opensolaris.ko
3 1 0xffffffff83cf9000 3bce70 zfs.ko
4 3 0xffffffff84321000 4fe0 gpiobus.ko
5 1 0xffffffff84326000 4a0 gpioled.ko
6 1 0xffffffff84327000 12c0 cordbuc.ko
7 1 0xffffffff84329000 1000 cpuctl.ko
8 1 0xffffffff8432a000 b28 coretemp.ko
9 1 0xffffffff8432b000 146e0 qat.ko
10 1 0xffffffff84340000 9f521 qat_c3xxxfw.ko -
It probably isn't worth the time and effort, at least until DCO arrives. There would likely be some development required.
I've never seen anyone do that, as far as I'm aware there is no way to have OpenSSL use the existing QAT driver. It's currently IPSec only.Steve
