(Solved) Intel QAT driver with WireGuard support
-
I was not really knowing where to place this question, either it can be WireGuard and Hardware related looking. So I hope
it is not the false section here in the forum.crypto/qat: add chacha-poly in ucs spc mode from 2021
So I was thinking why not asking if there is or will be a way
to Intel QAT support for WireGuard perhaps under pfSense (FreeBSD) too?Will be there a way using the Intel QAT driver and/or the DPDK to realize it?
-
It's not yet possible with the current QAT driver but potentially it could be.
Steve
-
@stephenw10 Thanks for clear that up for me!
-
That was a great question Dobby. I’d gift you some clothing if I could. Looking forward to this possibly being implemented in the future!
-
pfSense is using FreeBSD
|---> Intel QAT Driver is supporting ChaCha-Poly
|--->CryptoDev system is using the driver
|---> WireGuard is using the CryptoDev system
|---> DPDK was used to code the WireGuard packet -
I'm writing that in February 2023, and was wondering if the QAT driver in pfSense 23.01 can accelerate WireGuard...
Thanks!
-
It cannot because the QAT driver there doesn't yet support any of the QAT hardware that supports chacha-poly. Namely Gen3 or above. But obviously even once that driver arrives you would still require Gen3 QAT hardware to actually accelerate it.
Steve
-
S stephenw10 referenced this topic on Feb 21, 2023, 3:31 PM
-
@stephenw10 we actually have work slated for pfSense Plus 23.05 based on Intel’s IPSec-MBlibrary which uses SSE 4.2, AVX, AVX2, AVX-512 (including AVX-VNNI) to accelerate AES-CBC, AES-GCM, SHA, SHA2 (and variants), SHA3, and ChaCha20/Poly1305.
We have years of experience with this library in TNSR.
We have included working implementations for ARM64, including ARM’s NEON instructions. AES-CBC isn’t currently implemented for ARM64, but we’ll get to it.
The work “takes over” the existing implementations of these transforms in FreeBSD’s OCF, so all applications get accelerated once you load the module.
Remember that OpenVPN DCO and IPsec can both use ChaCha20/Poly1305. Netgate also did this work.
These are both faster than Wireguard when using ChaCha20/poly1305, and much faster when using AES-GCM.
There are papers about our work on IPsec-MB and OpenVPN DCO being presented at AsiaBSDCon 2023.
-
@jwt This is really interesting, but one thing eludes me. Is this still QAT gen3 only or are there parts of chacha20/poly1305 that can be accelerated on Gen2 hardware (like in the SG-x100 appliances)? As I read your statement you are not really using QAT for acceleration in the library but rather more advanced processor instructions.
In other words: Will the current Atom appliance boxes see hardware acceleration benefits in wireguard from this work/module in 23.05?
-
@keyser no QAT here. Just CPU.
The current atom boxes are what they are. The QAT in them doesn’t have any way to accelerate chacha20/poly1305.
They do, however, support SSE and AES-NI (and the SHA instructions).
A pair of SG-8200s were connected using their primary 10Gbps SFP network port. The iperf3 systems were connected to their secondary 10Gbps port.
OpenVPN AES-256-GCM w/DCO
OCF-async 1.50gbps
IIMB-async 2.50gbps
QAT 3.18gbpsIPsec AES-128-GCM
OCF-async 1.55gbps
IIMB-async 1.64gbps
QAT 1.70gbpsWireguard (ChaCha20-Poly1305
OCF-async 1.50gbps
IIMB-async 2.05gbpsNewer Atoms (Gracemont) support VAES and AVX2. Using VPP (like tnsr) and a 40|-left aligned paragraphG card in a reference board, Intel has shown 14.99gbps on a single core for IPSec using AES-128-GCM using trex as a load generator.
I mentioned it above, but we also support ARM64.
-
Just here to report that enabling IPsec-MB on 23.05 has reduced the CPU usage quite a bit on my 5100 when using Wireguard.
-
@SebM said in (Solved) Intel QAT driver with WireGuard support:
Just here to report that enabling IPsec-MB on 23.05 has reduced the CPU usage quite a bit on my 5100 when using Wireguard.
Same throughput or higher?