pfSense will support Intel Quickassist, what about OPNsense?

Started by cwegh, March 23, 2021, 09:42:38 AM

Previous topic - Next topic
Print
Go Down Pages1 2
User actions
March 23, 2021, 09:42:38 AM Last Edit: March 23, 2021, 09:44:09 AM by cwegh
Hi all

pfSense and OPNsense supports CPUs that have AES-NI as an on-die cryptographic accelerators. On ARM-based systems, the additional load from AES operations will be offloaded to those on-die cryptographic accelerators, such as the one found on our SG-1000. ARM v8 CPUs include instructions like AES-NI that can be used to increase performance of the AES algorithm on these platforms. Information from pfSense: https://www.netgate.com/blog/more-on-aes-ni.html

Besides AES-NI some CPUs, such as the Atom C3xx series, also have Intel QuickAssist as an extra offloading chip for encryption (and compression but not relevant in this context) --> https://www.servethehome.com/intel-quickassist-technology-and-openssl-setup-insights-and-initial-benchmarks/ and https://www.servethehome.com/intel-quickassist-at-40gbe-speeds-ipsec-vpn-testing/


Question: I was wondering if the OPNsense team has any plans that this also will become available in OPNsense? I am unable to find concrete information on this (so not assumptions or rumors).


Somewhere the coming year I will upgrade to 1 gigabit internet. I am also setting up my network with an always-on VPN, routing all internet traffic through an OpenVPN tunnel. I have a firewall appliance with a C3558 board so I can leverage QuickAssist in the future.


Having QuickAssist available to avoid too much load on the CPU will become a requirement at a certain point (AES-NI is sufficient for now). Of course I can still use the CPU but that will stress the hardware and will impact longevity but also more power usage.

More background information:

The QAT driver is available in FreeBSD --> https://www.freebsd.org/cgi/man.cgi?query=qat&apropos=0&sektion=0&manpath=FreeBSD+13.0-current&arch=default&format=html

pfSense Plus also supports this from version 21.02: Support for IntelĀ® QuickAssist Technology, also known as QAT.


       
  • QAT accelerates cryptographic and hashing operations on supported hardware, and can be used to accelerate IPsec, OpenVPN, and other OpenCrypto Framework-aware software.
  • Supported hardware includes many C3000 and C2000 systems sold by Netgate and some other types of built-in QAT support and add-on cards.
pfSense will also make this available in pfSense CE somewhere this year on 3rd party hardware.





March 23, 2021, 10:47:27 AM #1 Last Edit: March 23, 2021, 02:27:30 PM by pmhausen
QuoteHISTORY
     The qat driver first appeared in FreeBSD 13.0.

Which implies as soon as OPNsense upgrades to Free/HardenedBSD 13, the support will be there. If not in the UI, you can always set a tunable to load the driver as described in the manpage.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
March 23, 2021, 01:32:11 PM #2
Thanks, that is good intel. Looking to the roadmap (https://opnsense.org/about/road-map/), this would be not earlier than the January 2022 release?
March 23, 2021, 08:10:38 PM #3
Yes, current plan is 22.1.


Cheers,
Franco
August 20, 2021, 03:28:10 PM #4
Raising my hand here as well - QAT support in OPNSense would be very nice indeed. No pressure or anything, but just to indicate that there's at least one additional user that might appreciate it once >= 22.1 comes around.
February 21, 2022, 11:46:34 PM #5
Quote from: franco on March 23, 2021, 08:10:38 PM
Yes, current plan is 22.1.
@franco: any update, now that 22.1 is out?
February 22, 2022, 12:15:12 AM #6
OPNsense 22.1.1_3-amd64

According to https://www.freebsd.org/cgi/man.cgi?query=qat I added the loader.conf data to tunables.

I have a Sophos SG 125 Rev.3, powered by Intel Atom C3508.
So I added

  • qat_load => YES
  • qat_c3xxxfw_load => YES

After a reboot, dmesg gives me:
Code Select
qat0: <Intel C3000 QuickAssist PF> mem 0xdd240000-0xdd27ffff,0xdd200000-0xdd23ffff irq 18 at device 0.0 on pci1

Does it work? No Idea... I can tell my IPSEC tunnel is working...
February 22, 2022, 06:46:47 AM #7
There is some work to be done

https://github.com/opnsense/core/issues/5559
February 22, 2022, 07:53:57 AM #8
It's really just "kldload" and that's it. As for:

> Does it work? No Idea... I can tell my IPSEC tunnel is working...

It's AESNI all over again. ;)


Cheers,
Franco
February 22, 2022, 08:27:30 AM #9
Oh cool, so the issue is just for labeling and boot loading? :)
February 22, 2022, 09:18:59 AM #10
February 22, 2022, 05:46:52 PM #11
Thx! And you removed AES-NI because systems with AES-NI-only without QAT will use it anyway?
February 22, 2022, 08:39:50 PM #12
AESNI is now part of the FreeBSD GENERIC kernel. No use to load the module, see

https://cgit.freebsd.org/src/commit/?id=074a91f746bd


Cheers,
Franco
February 23, 2022, 07:06:30 AM #13
I thought I follow the development close enough :) Thx
March 02, 2022, 02:23:45 AM #14
Atom C3758 QAT support
OPNsense 2.1.2 shows the following:

kldstat -v | grep qat
20    1 0xffffffff82904000    16308 qat.ko (/boot/kernel/qat.ko)
                541 pci/qat
21    1 0xffffffff8291b000    a13f8 qat_c3xxxfw.ko (/boot/kernel/qat_c3xxxfw.ko)
                542 qat_c3xxxfw_fw

dmesg | grep qat
qat0: <Intel C3000 QuickAssist PF> mem 0xdf340000-0xdf37ffff,0xdf300000-0xdf33ffff at device 0.0 on pci1


So it see's it, it has been selected under System -> Settings -> Misc -> Hardware acceleration.

As Franco said earlier, Does it work? No Idea... I can tell my IPSEC tunnel is working...


the openVPN client connections to ProtonVPN are up and working.
Print
Go Up Pages1 2
User actions