Introduction

This project provides an extended Tengine working with asynchronous mode OpenSSL. With Intel® QuickAssist Technology(QAT) acceleration, the asynchronous mode Tengine can provide significant performance improvement.

Installation Instructions

Setup building environment

Set the following environmental variables:

ICP_ROOT is the directory where QAT driver source code is located
NGINX_INSTALL_DIR is the directory where nginx will be installed to
OPENSSL_LIB is the directory where the openssl has been installed to

For example:

$ export ICP_ROOT=/QAT/QAT1.6
$ export ICP_BUILD_OUTPUT=$ICP_ROOT/build
$ export OPENSSL_ROOT=/openssl
$ export OPENSSL_LIB=$OPENSSL_ROOT/.openssl
$ export LD_LIBRARY_PATH=$OPENSSL_ROOT/.openssl/lib
$ export OPENSSL_ENGINES=$OPENSSL_LIB/lib/engines-1.1
$ export NGINX_INSTALL_DIR=/tengine-installed/tengine-2.2.2

Build OpenSSL

$ cd /
$ git clone --branch OpenSSL_1_1_0f https://github.com/openssl/openssl.git
$ mv OpenSSL_1_1_0f openssl
$ cd openssl
$ mkdir .openssl
$ ./config --prefix=`pwd`/.openssl
$ make
$ make install

Build QAT driver

$ mkdir /QAT/
$ cd /QAT/
$ wget https://01.org/sites/default/files/page/qatmux.l.2.6.0-60.tgz
$ tar xzvf qatmux.l.2.6.0-60.tgz
$ ./installer.sh (choose 3)

Build QAT engine

$ cd /
$ git clone --branch v0.5.30 https://github.com/01org/QAT_Engine.git
$ cd /QAT_Engine-0.5.30/qat_contig_mem
$ make
$ make load
$ make test
$ cd /QAT_Engine-0.5.30
$ ./configure \
--with-qat_dir=$ICP_ROOT \
--with-openssl_dir=$OPENSSL_ROOT \
--with-openssl_install_dir=$OPENSSL_LIB
$ make
$ make install

Note: The kernel version needs to be greater than or equal to 3.1.0.7, need openssl-devel zlib-devel library.

More details instructions about QAT can be found on QAT engine github page.

Build Tengine

$ ./configure \
--prefix=$NGINX_INSTALL_DIR \
--with-http_ssl_module \
--with-openssl-async \
--with-cc-opt="-DNGX_SECURE_MEM -I$OPENSSL_LIB/include \
-Wno-error=deprecated-declarations" \
--with-ld-opt="-Wl,-rpath=$OPENSSL_LIB/lib -L$OPENSSL_LIB/lib"
$ make
$ make install

More details instructions about Async Mode Nginx can be found on Intel Async Mode Nginx github page.

Configuration

Tengine configuration
Async Mode Tengine provides new directives:


Directives
Syntax: ssl_async on | off;
Default: ssl_async off;
Context: http, server
Enables SSL/TLS asynchronous mode

For example, edit conf/nginx.conf

http {
……
server {
ssl_async on;
……
}
}
}

QAT driver configuration

The Intel® QAT OpenSSL* Engine comes with some example conf files to use with the Intel® QAT Driver. For Tengine integrated with Intel QAT CLC production, using below commands:

$ cp QAT_Engine/qat/config/dh89xxcc/multi_process_optimized/dh89xxcc_qa_dev0.conf /etc
$ service qat_service restart

For more details about QAT driver configuration, please refer to QAT engine github page

QAT engine enabling and configuration

QAT engine will be installed as a shared object into OpenSSL installed path and leveraging OpenSSL engine framework to be initialized and configured. Add configuration in $OPENSSL_LIB/ssl/openssl.cnf
Note: this configuration should be added on top of the file:

openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
qat = qat_section
[qat_section]
engine_id = qat
dynamic_path = /openssl/.openssl/lib/engines-1.1/qat.so
default_algorithms = ALL

Performance

Please refer to the White Paper: Intel® Quickassist Technology and OpenSSL-1.1.0:Performance.

Limitations

Nginx supports reload operation, when QAT hardware is involved for crypto offload, user should enure that there are enough number of qat instances. For example, the available qat instance number should be 2x equal or more than Nginx worker process number.
For example, in Nginx configuration file (nginx.conf) worker process number is configured as

worker_processes 16;

Then the instance configuration in QAT driver configuration file should be:

[SHIM]
NumberCyInstances = 1
NumberDcInstances = 0
NumProcesses = 32
LimitDevAccess = 1

Please refer to details QAT develop doc.