NXP Powerpoint template confidential 16:9 Widescreen

Transcription:

Security 101: Introduction to QorIQ Security Accelerators. FTF-DES-N1856. 严礽田 (JT Yen), Senior Applications Engineering Manager, Asia Pacific. September 2016

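Agenda
Security engine
 o History of NXP Digital Networking security engines
 o Architecture of the SEC engine built into the LS1012A and LS2088A
 o Advantages of SoC integration
Enabling the SEC
 o RTA (Run-Time Assembler) descriptor language
SEC drivers and APIs
 o Linux kernel and user-space drivers and APIs
Security middleware
 o IPSec
 o SSL/TLS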

Security Engine

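History of NXP network security engines
Phase 1: crypto coprocessors. Phase 2: integrated crypto acceleration engines. Phase 3: integrated security protocol engines and Trust Architecture (v1.0 and 2.0), DPAA1 platform integration. Phase 4: Trust Architecture (v2.1 and v3), DPAA2 platform integration.
[Timeline of devices: MPC190, MPC185, MPC184, MPC180; SEC1.x: 8272, 885; SEC2.x: 85xx, 83xx, 81xx; SEC3.x: P2020, P1022, P1021, P1025, P1020; SEC4.x: P5040, BSC9132, T4240, P4080, BSC9131, T2080, P3041, P5020, T1040, P2041, P1010, T1024; dedicated coprocessors: C291, C292, C293; B4860; SEC5.x: LS1088A, LS2085A, LS1043A, LS1012A, LS1021A]
Phase 1: S1 family coprocessors
 o Freescale security technology was brought to the commercial networking market through the security coprocessor product line
Phase 2: PowerQUICC 1, 2 and PowerQUICC 2 Pro processors
 o Security IP integrated into Freescale communications processor products
Phase 3: QorIQ processors, including the P, T and B series
 o Continued improvement of the features and performance of the integrated IP; development of the Trust Architecture
 o SEC 5.0 performance extended to 40 Gbps+
 o Enhanced coprocessor product line (C29x) reintroduced
 o SEC IP integrated into the DPAA1 architecture
Phase 4: QorIQ processors, including the LS series
 o Integrated into ARM-based devices
 o Enhanced Trust Architecture functionality; SEC IP integrated into the DPAA2 architecture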

Scalable security performance: IPsec performance of QorIQ SoCs
SEC 4 | T4240 | 40 Gbps
SEC 5 | LS208x | 20 Gbps
SEC 4 | P408x | 15 Gbps
SEC 4 | P5040/T208x | 15 Gbps
SEC 3.x | P102x, P202x | 1.5-2 Gbps
SEC 5 | LS1012, LS1021 | 3 Gbps
SEC 4 | PSC913x | 4 Gbps
SEC 4 | P204x, P3041, P1023 | 5 Gbps
SEC 4/5 | T104x, LS1043 | 6 Gbps

SEC 5: architecture of the SEC engine in the LS1021A & LS1012A
(1) Public Key Hardware Accelerator (PKHA)
 o RSA and Diffie-Hellman (to 4096b)
 o Elliptic curve cryptography (1024b)
 o Supports Run Time Equalization
(1) Random Number Generator (RNG)
 o NIST Certified
 o RNGB in P1010, RNG4 in PSC9131
(1) Message Digest Hardware Accelerators (MDHA)
 o SHA-1, SHA-2 256,384,512-bit digests
 o MD5 128-bit digest
 o HMAC with all algorithms
(1) Advanced Encryption Standard Accelerators (AESA)
 o Key lengths of 128-, 192-, and 256-bit
 o ECB, CBC, CTR, CCM, GCM, CMAC, XCBC, OFB, CFB, and XTS
 o Supports LTE 128-EEA2 / 128-EIA2
(1) Data Encryption Standard Accelerators (DESA)
 o DES, 3DES (2K, 3K)
 o ECB, CBC, OFB modes
(1) CRC Unit
 o CRC32, CRC32C, 802.16e OFDMA CRC
Header & Trailer off-load for the following Security Protocols: IPSec, SSL/TLS, SRTP, Wifi, MACSEC
[Block diagram: Job Ring I/F, Job Queue Controller, Descriptor Controller, DMA, RTIC, CHAs (PKHA, RNG, MDHA, AESA, DESA)]

SEC integration in the LS1012A
The SEC can be invoked directly by software running on the ARM A53 or the PPFE.
[Block diagram: ARM Cortex-A53 (32KB L1-D, 32KB L1-I), 256KB L2, 128KB SRAM, DDR3L memory controller, Secure Boot, Trust Zone, Sec Monitor, Power Management, SEC, PPFE, CCI-400 Coherent Interconnect, 2x SD 3.0/SDIO/eMMC, 2x I2C, 5x I2S, QSPI, 1x SPI, 2x UART, GPIO, JTAG, 1x USB3.0 + PHY, 1x USB2.0, 2x GbE, PCIe 2.0, SATA 3.0, 3-Lane 6GHz SERDES]

SEC 5: architecture of the SEC engine in the LS2088A
(1) Public Key Hardware Accelerator (PKHA)
 o RSA and Diffie-Hellman (to 4096b)
 o Elliptic curve cryptography (1024b)
 o Supports Run Time Equalization
(1) Random Number Generators (RNG4)
 o NIST Certified
(6) Snow 3G Hardware Accelerators (STHA)
 o Implements Snow 3.0 Keystream Generator
 o f8 encryption per ETSI/SAGE 128-UEA2 (and 128-EEA1)
 o f9 authentication per ETSI/SAGE 128-UIA2 (and 128-EIA1)
(6) ZUC Hardware Accelerators (ZHA)
 o Implements ZUC Keystream Generator (per spec v1.5)
 o Authentication per ETSI/SAGE 128-EIA3 (spec v 1.5)
 o Encryption per ETSI/SAGE 128-EEA3 (spec v 1.5)
(6) Kasumi F8/F9 Hardware Accelerators (KFHA)
 o F8, F9 as required for 3GPP
 o A5/3 for GSM and EDGE, GEA-3 for GPRS
(6) Message Digest Hardware Accelerators (MDHA)
 o SHA-1, SHA-2 256,384,512-bit digests
 o MD5 128-bit digest
 o HMAC with all algorithms
(6) Advanced Encryption Standard Accelerators (AESA)
 o Key lengths of 128-, 192-, and 256-bit
 o ECB, CBC, CTR, CCM, GCM, CMAC, XCBC, OFB, CFB, and XTS
 o Supports LTE 128-EEA2 / 128-EIA2
(6) Data Encryption Standard Accelerators (DESA)
 o DES, 3DES (2K, 3K)
 o ECB, CBC, OFB modes
(6) CRC Unit
 o CRC32, CRC32C, 802.16e OFDMA CRC
Header & Trailer off-load for the following Security Protocols: IPSec, SSL/TLS, 3G RLC, PDCP, SRTP, Wi-Fi, MACSEC
[Block diagram: Job Ring I/F, Queue Interface, Job Queue Controller, Descriptor Controllers, AIOP Interface, DMA, RTIC, CHAs (PKHA, RNG4, STHA, ZHA, KFHA, MDHA, AESA, DESA)]

SEC integration in the LS2088A
The SEC can be invoked directly by software running on the ARM A72 or the AIOP.
[Block diagram: 8x ARM A72 (each 32KB L1-D, 48KB L1-I), 4x 1MB Banked L2, 1MB Platform Cache, 2x 64-bit DDR4 memory controller, 32-bit DDR4 memory controller, Secure Boot, Trust Zone, Coherency Fabric, Flash Controller, Power Management, SDXC/eMMC, 2x DUART, 4x I2C, SPI, GPIO, JTAG, 2x USB3.0 + PHY, DCE, PME, Management Complex, SEC, Queue/Buffer Mgr., SMMU, Advanced IO Processor (AIOP), PEB Memory, WRIOP, 8x1/10 + 8x1, 4x PCIe, SRIOV EP, 2x SATA 3.0, 2x 8-Lane 10GHz SERDES]

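The SEC engine: a programmable hardware accelerator
DECO (Descriptor Controller)
 o The "brain" of the SEC engine
 o Executes descriptors
 o Moves data, keys and context to the CHAs to perform operations
 o Simple Boolean operations
 o Implements single-pass (1-pass) encryption + integrity checking (including fully stateful protocol processing)
 o Flexible support for new / custom protocols
CHA (Crypto Hardware Accelerator)
 o Algorithm-specific crypto engine
 o Can be one per DECO, or shared by multiple DECOs
 o The latest CHAs support Side Channel Resistance
Main factors that determine performance
 1 - Number of DECOs
 2 - Number of CHAs
 3 - SEC operating frequency
[Block diagram: DECOs with Descriptor Buffers, connected through Arbiters to AESA, DESA, KFHA, MDHA, CRCA, PKHA, ZUCE, ZUCA, RNG, SNOWF8, SNOWF9]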

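Advantages of the SEC architecture
 o Can independently handle different protocols and single-pass (1-pass) encryption and authentication (e.g. AES-HMAC-SHA-2)
 o The CPU can perform other tasks in parallel while the SEC processes packets
 o The CPU can collect results periodically
CPU using crypto instructions
 o With two-pass (2-pass) processing there is no protocol acceleration, and non-crypto operations cannot be performed
[Timeline diagram, SEC offload: protocol processing; SEC driver; next-packet protocol processing; SEC driver, polling or INT#; egress processing; SEC DMA; protocol processing, encryption + hash. CPU crypto instructions: protocol processing; per core: Alg 1 - encryption; per core: Alg 2 - hash, authentication; egress processing; the core has essentially no time for other work]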

SEC protocol processing example: IPsec ESP Tunnel Encrypt
Input frame: Payload
Crypto, single-pass (1-pass): encryption + authentication
 o Class 1 (encrypted): Payload | padding | Pad Len | N
 o Class 2 (authenticate): SPI | Seq# | Opt IV | Payload | padding | Pad Len | N | Opt ESN
Output frame: New IP Header | SPI | Seq# (ESP header) | Opt IV | Payload | padding | Pad Len | N | ICV
The SEC adds the ESP header, IV, ESP trailer and HMAC (ICV)
 o It also adds the outer header (up to 128B)
 o It computes the IP header length field but does not compute the header checksum
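The frame layout on this slide, worked through as an added example (not NXP code and not part of the original deck): it computes the ESP padding and the encrypted, authenticated and total lengths, then builds an outer IPv4 header including the header checksum that the slide says the SEC leaves uncomputed. The function names, the addresses, the inner packet lengths and the AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV) sizes are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_HDR_LEN 20 /* outer IPv4 header without options */
#define ESP_HDR_LEN  8  /* SPI (4 bytes) + sequence number (4 bytes) */

struct esp_layout {
    size_t pad_len;   /* padding bytes before Pad Length / Next Header */
    size_t enc_len;   /* encrypted span: payload + padding + 2-byte trailer */
    size_t auth_len;  /* span covered by the ICV: ESP header + IV + enc_len */
    size_t total_len; /* value for the outer IPv4 Total Length field */
};

/* Lengths of an ESP tunnel-mode frame for one inner packet (RFC 4303). */
int esp_tunnel_layout(size_t inner_len, size_t block, size_t iv_len,
                      size_t icv_len, struct esp_layout *out)
{
    if (out == NULL || block == 0 || block > 256 || inner_len > 0xFFFF)
        return -1;
    size_t rem = (inner_len + 2) % block;  /* +2: Pad Length, Next Header */
    out->pad_len = rem ? block - rem : 0;
    out->enc_len = inner_len + out->pad_len + 2;
    out->auth_len = ESP_HDR_LEN + iv_len + out->enc_len;
    out->total_len = IPV4_HDR_LEN + out->auth_len + icv_len;
    return out->total_len <= 0xFFFF ? 0 : -1; /* must fit the 16-bit field */
}

/* RFC 1071 one's-complement checksum over an IPv4 header (even length). */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build the outer IPv4 header (protocol 50 = ESP) and fill in its checksum. */
void ipv4_outer_header(uint8_t h[IPV4_HDR_LEN], uint16_t total_len,
                       const uint8_t src[4], const uint8_t dst[4])
{
    memset(h, 0, IPV4_HDR_LEN);
    h[0] = 0x45;                      /* version 4, IHL 5 words */
    h[2] = (uint8_t)(total_len >> 8); /* Total Length, network byte order */
    h[3] = (uint8_t)total_len;
    h[8] = 64;                        /* TTL (constructed value) */
    h[9] = 50;                        /* protocol: ESP */
    memcpy(&h[12], src, 4);
    memcpy(&h[16], dst, 4);
    uint16_t csum = ipv4_checksum(h, IPV4_HDR_LEN); /* checksum field is 0 */
    h[10] = (uint8_t)(csum >> 8);
    h[11] = (uint8_t)csum;
}

int main(void)
{
    const size_t sizes[] = { 82, 408, 1442 }; /* constructed inner lengths */
    const uint8_t src[4] = { 192, 0, 2, 1 }, dst[4] = { 198, 51, 100, 1 };
    for (size_t i = 0; i < 3; i++) {
        struct esp_layout l;
        uint8_t hdr[IPV4_HDR_LEN];
        if (esp_tunnel_layout(sizes[i], 16, 16, 12, &l) != 0)
            return 1;
        ipv4_outer_header(hdr, (uint16_t)l.total_len, src, dst);
        printf("inner=%zu pad=%zu enc=%zu auth=%zu total=%zu csum=%02x%02x\n",
               sizes[i], l.pad_len, l.enc_len, l.auth_len, l.total_len,
               hdr[10], hdr[11]);
    }
    return 0;
}
```

A receiver validates the outer header by running the same checksum over all 20 bytes and expecting 0.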

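Advantages of an integrated SEC engine
Lower BOM cost and less board space
Higher effective performance
 o Connected to the widest, fastest bus on the SoC rather than to an external peripheral bus
 o Direct access to internal cache RAM
 o No dedicated IO pins or additional IO power supply
Accelerator certification
 o NIST RNG entropy analysis
 o NIST cryptographic algorithm validation
Integration with the Trust Architecture (Security 201 provides more information)
 o Hardware-enforced virtualization; the SEC provides each VM with a "private" crypto accelerator
 o "Special" keys are used based on the device security state
 o Trusted descriptor execution - SEC descriptors can be signed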

Enabling the SEC: Descriptors

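SEC descriptors
Descriptors: the functional "language" of the SEC engine
Descriptor types
 o Job Descriptor: for single, stateless operations
 o Shared Descriptor: for flow-based operations
 o Trusted descriptor: enforces execution security
 o In-line job descriptor: advanced programming primitive
 o Replacement job descriptor: advanced programming primitive
Operations
 o Conditional loops
 o Routine calls
 o Jump to other descriptor
 o Math operations
 o Crypto operations
 o Data movement operations

Descriptor for AES-CBC operations:

    static inline int cnstr_shdsc_blkcipher(uint32_t *descbuf, bool ps,
                                            struct alginfo *cipherdata,
                                            uint8_t *iv, uint32_t ivlen,
                                            uint8_t dir)
    {
            struct program prg;
            struct program *p = &prg;

            /* Start a descriptor program that is written into descbuf.
             * ps, iv and ivlen are not used in this excerpt. */
            PROGRAM_CNTXT_INIT(p, descbuf, 0);
            /* Shared descriptor header */
            SHR_HDR(p, SHR_ALWAYS, 1, 0);
            /* Load the cipher key into the class 1 key register */
            KEY(p, KEY1, cipherdata->key_enc_flags, cipherdata->key,
                cipherdata->keylen, INLINE_KEY(cipherdata));
            /* Select AES in CBC mode; dir selects encrypt or decrypt */
            ALG_OPERATION(p, OP_ALG_ALGSEL_AES, OP_ALG_AAI_CBC,
                          OP_ALG_AS_INITFINAL, 0, dir);
            /* Derive the variable input and output sequence lengths */
            MATHB(p, SEQINSZ, SUB, MATH2, VSEQINSZ, 4, 0);
            MATHB(p, SEQINSZ, SUB, MATH2, VSEQOUTSZ, 4, 0);
            /* Load the cipher context into CONTEXT1; `context` is as
             * written on the slide and is not declared in this excerpt */
            LOAD(p, context, CONTEXT1, 0, 8, IMMED);
            /* Feed the input sequence to class 1 and store the output */
            SEQFIFOLOAD(p, MSG1, 0, VLF | LAST1);
            SEQFIFOSTORE(p, MSG, 0, 0, VLF);

            return PROGRAM_FINALIZE(p);
    }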

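Main descriptor types: Job descriptors and Shared descriptors
Job descriptor
 o "Hello! I am a stand-alone job descriptor. We have never met. Let me tell you everything about processing this packet."
Job descriptor with a shared descriptor
 o "Hello! I am a basic job descriptor. Let me describe the packet and refer you to my friend, the shared descriptor."
 o "Hello! I am a shared descriptor. We have met before."
A job descriptor can fully define the work to be performed, or it can reference a shared descriptor that contains the bulk of the processing instructions and context.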

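SEC Run-Time-Assembler (RTA): a tool for building descriptors
RTA features
 o Provides an API for developing SEC descriptors
 o Built-in descriptor library + ready-to-use RTA descriptors
 o Provides a test suite for descriptors
RTA advantages
 o Can be reused in different environments
 o Small software footprint
 o Each device has a corresponding descriptor library
 o Supports self-developed reference code
 o Easy to integrate into applications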

Security Engine: Drivers and APIs

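Using the SEC drivers: ease of use vs. performance
APIs that focus on ease of use or on performance
 o Existing standard APIs: kernel: Linux Crypto API; user space: OpenSSL EVP API
 o High-performance APIs: user space: DPDK, ODP API
How can high performance and ease of use be achieved together?
 o NXP provides optimized middleware (IPsec and OpenSSL): ASF IPsec with ESP Tunnel/Transport offload; OpenSSL with handshake and record-layer offload
 o The middleware directly supports standard protocol APIs: PF_KEY/XFRM compatible; OpenSSL API
 o Customers do not need to know the details of the underlying SEC APIs
[Chart: performance against ease of use. DPDK, ODP API: highest performance, flow-aware, asynchronous, proto-aware, no alloc, 1-pass, HW alloc. Linux Crypto API and OpenSSL EVP API: least intrusive, standard, flow-agnostic, synchronous, 2-pass, SW alloc, simple and easy to use]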

SEC drivers and APIs in different environments
[Diagram: software stacks for the Linux kernel, Linux user space, virtualization (KVM), bare-metal RTOS (customer driver & API) and the LS2 AIOP (NXP AIOP Service Layer), showing NXP & customer middleware and applications on top of the ASF Crypto API, Crypto-Dev API, Linux Crypto API, OpenSSL EVP API, ODP/DPDK Crypto user-space API*, SEC user-space API*, ARM Crypto-Ext, guest vhost and VFIO APIs, the kernel and user-space SEC drivers, vhost-crypto, the SEC RTA Lib, and the Job-Ring, Qman*, DPSECI and PEX interfaces]

Linux kernel (Crypto API) system integration
[Diagram, with legend "NXP upstream done", "NXP drivers upstream pending" and "NXP drivers": customer applications (Apache, Nginx) over the OpenSSL SSL API (Handshake, Record Layer) and OpenSSL Lib-crypto/EVP API; IKE daemons (Raccoon, StrongSwan) and Set-key over the PF_KEY/Net-Link API, IPsec XFRM, Routing, ARP in the Linux NW stack; zpool/dataset and libzfs over /dev/zfs and Open-zfs (checksum offload); encrypted file system through the cryptsetup API, LUKS interface and DM-Crypt; the Crypto-Dev API and /dev/crypto; all reaching the Linux Crypto API and the kernel SEC driver (pkc_host_api, caam_jr, caam_qi, dpaa2_caam, SEC RTA Lib) over PCIe (SEC-C29x), JR (SEC-non DPAA), Qman (SEC-DPAA1) and DPSECI (SEC-DPAA2)]

SEC user-space drivers + APIs
Standard API: user-space crypto APIs
 o ODP Crypto API (IPSec, PDCP, SSL etc.)
 o DPDK Crypto APIs (IPSec, PDCP, SSL etc.)
 o EVP API (SSL, IKE)
NXP uses its proprietary hardware accelerators to support more protocol offloads
 o Work is under way to make this part of the standard functionality
[Diagram: customer control, O/S control (IKE, Raccoon, Linux integration) and customer applications (Apache, Nginx) over VortiQa Mobility, the customer data path (GPP-DAK: GTP, PDCP, IPSec/SSL/other customer API, NF-API IPSec) and OpenSSL (SSL API, Handshake/Record Layer, Lib-crypto/EVP API, user-space engine, Cryptodev engine); ODP/DPDK API with 2-pass cipher, hash and 1-pass aead plus protocol extensions (ipsec, ssl) and PKCS (RSA, DSA); SEC RTA Lib; DPAA1 driver (Qman v1, SEC DPAA 1.x), DPAA2 driver (QMan v2, SEC DPAA 2.x), Cryptodev and kernel SEC driver]

IPSEC

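IPsec: Native Linux
Linux kernel IPsec
 o Supports the native data-path
 o Invokes the SEC engine through the standard Linux crypto API
 o Provides the standard PF_KEY/Net-Link interface for configuring the data path
Performance
 o ~20-30x better than software crypto libraries
 o Supports asynchronous, single-pass and two-pass offload
Control path
 o Setkey for manual SA setup
 o Raccoon/StrongSwan IKE daemons for auto SA setup (offloaded to the SEC engine through OpenSSL)
[Diagram: Raccoon/StrongSwan IKE daemon and Set-key over the OpenSSL EVP API, Crypto-Dev and the PF_KEY/Net-Link API; Linux NW stack with IPsec XFRM, Routing, ARP, Ethernet driver, Ethernet; Linux Crypto API; kernel SEC driver with SEC RTA Lib*; Job-Ring, Qman and Dpseci interfaces to the SEC]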

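IPsec: Native Linux + ASF
ASF (Application Specific Fast-Path)
 o For specific DPAA1 and non-DPAA platforms
 o Optimizes the IPsec data path
 o Invokes the SEC engine through the ASF crypto API
 o Integrates seamlessly with Linux native IPsec
 o Can be integrated with other IPsec stacks; provides a protocol-level ASF-API
Performance
 o 2x to 3x higher than native Linux IPsec
 o Optimized flow-caching IPsec processing
 o Uses asynchronous, flow-aware protocol offload and in-place processing to improve performance
 o Uses the DPAA QM for packet distribution
Control path
 o Integrates seamlessly with Linux native IPsec internally; no special changes are required
 o Supports Setkey, Raccoon, StrongSwan
[Diagram: Raccoon/StrongSwan IKE daemon and Set-key over the OpenSSL EVP API, Crypto-Dev and the PF_KEY/Net-Link API; Linux NW stack with IPsec XFRM, Routing, ARP; Application Specific Fast-Path with IPsec, ASF-API, Routing, ARP; ASF Crypto API and Linux Crypto; kernel SEC driver with SEC RTA Lib*; Job-Ring and QMan interfaces to the SEC; Ethernet driver, Ethernet]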

IPsec: performance comparison, Native Linux vs. ASF
IPsec performance data for ESP-Tunnel-mode using AES-128 + SHA1
[Charts: "IPSec Performance LS1021ATWR" and "IPSec Performance T1040D4RDB"; x-axis: Packet size (82, 408, 1442); series: IPSec running on ASF, Native IPSec; secondary axis: Throughput Increase]
Compared with Linux, ASF improves performance by up to 4x.

SSL/TLS

SSL: Current state, standard OpenSSL with Cryptodev
OpenSSL
 o Primarily a crypto library that lives in user space
 o The SEC engine front end can be offloaded directly to user space (eng_cryptodev)
Crypto-Dev
 o A Linux kernel module (similar to af_alg) that exports crypto primitives from the kernel to user space
 o Built on top of the existing Linux Crypto API
 o Connects to the OpenSSL libcrypto layer
Advantages of the solution
 o Provides the standard OpenSSL API
 o Integrates seamlessly with SSL applications such as Apache/Nginx
Disadvantages
 o Uses a synchronous interface
 o No protocol awareness
 o No flow awareness
[Diagram: customer applications (Apache, Nginx) over the OpenSSL SSL API (Handshake, Record Layer) and Lib-crypto/EVP API; Crypto-Dev API and Crypto-Dev; Linux Crypto API; kernel SEC driver with SEC RTA Lib; PEX (C29x), JR, Qman and dpseci interfaces to the SEC; Linux stack: Sockets, TCP/IP, Ethernet driver, Ethernet]

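SSL: Future, optimizing OpenSSL through a user-space driver
Why move processing entirely into user space?
 o No context-switch overhead
 o No buffer-copy overhead
User-space drivers are required
 o SEC driver
 o User-space HW abstraction: connects directly to the hardware through mapped address regions (UIO)
Development aid
 o NXP OpenSSL engine: a plug-in module that connects to the OpenSSL engine subsystem and allows seamless integration with existing user-space applications
[Diagram: customer applications (Apache, Nginx) over the OpenSSL SSL API (Handshake, Record Layer) and Lib-crypto/EVP API; NXP OpenSSL Engine; SEC user-space API; user-space SEC driver with SEC RTA Lib; JR, Qman and dpseci interfaces to the SEC; Linux stack: Sockets, TCP/IP, Ethernet driver, Ethernet]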

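Summary
NXP's QorIQ processors integrate a scalable portfolio of security engines
 o Support a wide range of algorithms and protocols
 o Designed for high performance / low power
NXP offers a variety of security offload options
 o Both kernel and user-space drivers are supported
 o Both standard, easy-to-use APIs and performance-oriented APIs are supported
 o Optimized, higher-performance middleware such as IPsec and OpenSSL
 o Standard configuration interfaces are provided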

Resources
1. Linux SEC drivers
 a. Kernel Upstream: kernel.org
 b. Kernel with NXP extensions: NXP SDK
2. Linux IPsec with integrated SEC drivers
 a. Kernel Upstream, SEC running on Job Ring Interface: kernel.org
 b. Kernel with NXP extension: NXP SDK
3. OpenSSL (including NXP extensions): NXP SDK
4. Cryptodev module (including NXP extension): NXP SDK
5. ASF IPSec: delivered as a part of NXP SDK
6. Deeper dive presentations
 o FTF-NET-N1883 - Deep Dive into ODP and DPDK for QorIQ LS2088A and LS1088A
 o FTF-NET-N1882 - Harnessing the Power of Layerscape Programmable Packet Engine
 o FTF-NET-N1844 - KVM Virtualization: Leveraging I/O Virtualization on QorIQ Platforms for VNFs

Software Products and Services
Development Tools: CodeWarrior. Runtime Products: VortiQa Software Solutions. Accelerate Customer Time-to-Market. Solutions: Reference IOT Gateway, OpenWRT+. Integration Services: Security Consulting, Hardened Linux, Performance Tuning. Deliver Commercial Software, Support, Services and Solutions. Simplify Software Engagement with NXP. Linux Commercial Support Services. Create Success!
Find us online at www.nxp.com/networking-services

NXP QorIQ ODP Support (FTF-NET-N1883)
[Layer diagram. Applications: ODP applications. API layer: ODP API, Extended API, Offload*. Framework: IO & acceleration (Queue, Scheduler, Classifier, Crypto, PKTIO), Resource Mgmt*, run-time services (Timers, Memory, Buffers, Sync), NW services* (Routing, ARP, KNI). Platform specific: DPAA 2, DPAA 1, SEC, PME, AIOP, VFIO, LS-Bus, Res-Mgr, Arch/ARM. Callouts: PKTIO, Queue IO, Crypto, Classifier, Runtime services; Resource-mgmt, discovery, Eth-config; Crypto-PAC; AIOP Mgmt & Comm; NW-services KNI, L2, L3]

ODP execution flow (Crypto Subsystem)
 o Provide ciphering, authentication, random number generation
 o Basic concepts: sessions & operations
 o Session: Crypto; Protocol - IPSec, PDCP*
 o Operations: AES-CBC/GCM, 3DES-CBC, ZUC-E/A, SNOW F8/F9, HMAC-SHA*/MD5
 o NXP supports async operations with HW accelerator

NXP ODP Crypto Offloading
Functionality | Usage domain | ODP API | Availability | Interface support | Platform Support
AES_CBC, DES | Ciphers algos | ODP v 1.4.1 * | SDK 2.0 | CAAM-QI / DPSECI | DPAA1, DPAA2
SHA1, SHA2, MD5 | Authenticated algos | ODP v 1.4.1 * | SDK 2.0 | CAAM-QI / DPSECI | DPAA1, DPAA2
IPSec (AES-CBC-HMAC-SHA1) | IPSec 1 pass offload | ODP v 1.4.1 * | SDK 2.0 | CAAM-QI / DPSECI | DPAA1, DPAA2
IPSec (3DES-CBC-HMAC-MD5) | IPSec 1 pass offload | ODP v 1.4.1 * | SDK 2.0 | CAAM-QI / DPSECI | DPAA1, DPAA2
Next
tls1.0 (AES-CBC-HMAC-SHA1) | SSL/TLS | ODP v 2.0 * | SDK 2.1 + | CAAM-QI / DPSECI | DPAA1, DPAA2
tls1.2 (AES-CBC-HMAC-SHA256) | SSL/TLS | ODP v 2.0 * | SDK 2.1 + | CAAM-QI / DPSECI | DPAA1, DPAA2
tls1.2 (aes-gcm-sha256) | SSL/TLS | ODP v 2.0 * | SDK 2.1 + | CAAM-QI / DPSECI | DPAA1, DPAA2
PDCP (SNOW_F8, ZUC, SNOW_F9, AES-CTR) | Wireless backhaul | ODP v 2.0 * | SDK 2.1 + | CAAM-QI / DPSECI | DPAA2
* with NXP extensions

QorIQ DPDK Support (FTF-NET-N1883)
[Layer diagram, with legend "Customer", "NXP support" and "DPDK.org". Applications: DPDK applications. API layer: DPDK API. Framework: IO & acceleration (Ethernet poll-mode drivers, crypto drivers), resource mgmt, run-time services (EAL, Timers, Memory, Buffers, Sync), network services (Kernel NW Interface). Platform specific: Intel NICs, DPAA 2, DPAA 1, inic, Intel QAT, SEC, VFIO, PEX, LS-Bus, Res-Mgr, Arch/x86, Arch/Power8, Arch/Tilera, Arch/ARMv8]

DPDK Crypto Subsystem
Session-less Mode. For each job, software defines:
 o The data to be operated upon (input buffers, lengths, offsets)
 o The output buffers to hold results
 o The cryptographic operations to be performed
 o Keys & context for the cryptographic operations
Session Oriented Mode. For each job, software defines:
 o The data to be operated upon (input buffers, lengths, offsets)
 o The output buffers to hold results
 o Cryptographic operations, keys & context are defined at session establishment time, and referenced for each job
Supports virtual and physical crypto devices
 o Virtual Device (Software Implementation): Intel AES-NI/vector operations; ARM NEON instructions *
 o Physical Device (Hardware Accelerated): QAT; DPAA-CAAM*; DPAA2-CAAM*
Test Applications
 o L2fwd with crypto
 o ipsec forward application

DPDK Crypto APIs
 o Device creation and configuration: rte_cryptodev_configure, rte_cryptodev_queue_pair_setup
 o Device capabilities: rte_cryptodev_info_get
 o Pool creation: rte_crypto_op_pool_create, rte_crypto_op_alloc
 o Session management: rte_cryptodev_sym_session_create, rte_cryptodev_sym_session_free
 o Packet operations: rte_cryptodev_enqueue_burst, rte_cryptodev_dequeue_burst

SEC Virtualization (FTF-NET-N1844)
[Diagram: KVM guests running NXP & customer middleware and applications over the OpenSSL EVP API, Crypto-Dev API, Linux Crypto API, SEC user-space API*, DPDK Crypto-API* and OPNFV g-api, with guest drivers virtio-crypto (kernel and user space), dpaa2_caam with SEC RTA Lib (Inline-Append)*, user-space SEC driver over dpseci VFIO, and virtio-ipsec; host side: QEMU, vhost-crypto (kernel and user space), vhost-user, vhost-ipsec, Linux Crypto API, kernel SEC driver (caam_jr, caam_qi, dpaa2_caam, SEC RTA Lib), VFIO API, DPDK Crypto-API*, SEC User-Space API; hardware interfaces JR, Qman, DPSECI to SEC-DPAA1 and SEC-DPAA2]

SEC Virtualization options and offering
Functionality/Support | Usage domain | Availability | Interface | Platform Support
virtio-crypto kernel driver | Generic functionality offloading | PoC-2015 | virtio-crypto | ALL
vhost-crypto kernel | virtio-crypto back-end | PoC-2015 | crypto-api | ALL
dpaa2_caam kernel driver for direct assignment | SEC direct assignment to KVM guest | SDK 2.0 | DPSECI | DPAA2
virtio-ipsec standardization with OPNFV | Generic virtio-ipsec device | PoC-2015 | DPSECI | DPAA2
dpdk virtio driver | virtio-crypto user space driver for DPDK | SDK 2.1+ | Virtio-crypto | DPAA1, DPAA2
dpdk-vhost | DPDK backend vhost for crypto operations | SDK 2.1+ | CAAM-QI, DPSECI | DPAA1, DPAA2
virtio-crypto device standardization | OASIS Virtio-crypto standardization | OASIS milestone | Generic | DPAA1, DPAA2
Next
virtio-crypto kernel driver updates | Kernel driver update based on virtio-crypto standard | OASIS milestone+ | CAAM-QI, DPSECI | DPAA1, DPAA2
dpdk virtio driver updates | DPDK virtio-crypto driver updates based on virtio-crypto standard | OASIS milestone+ | CAAM-QI, DPSECI | DPAA1, DPAA2
Virtio-crypto standardization has been started in the OASIS forum. NXP and Huawei are working together to define the virtio-crypto device. Standard functionalities planned to be supported:
 - Standard crypto operations (ciphers, digest, hmac)
 - 1 pass stateless offloading