pfSense will support Intel Quickassist, what about OPNsense?

[cwegh]

Hi all

pfSense and OPNsense supports CPUs that have AES-NI as an on-die cryptographic accelerators. On ARM-based systems, the additional load from AES operations will be offloaded to those on-die cryptographic accelerators, such as the one found on our SG-1000. ARM v8 CPUs include instructions like AES-NI that can be used to increase performance of the AES algorithm on these platforms. Information from pfSense: https://www.netgate.com/blog/more-on-aes-ni.html

Besides AES-NI some CPUs, such as the Atom C3xx series, also have Intel QuickAssist as an extra offloading chip for encryption (and compression but not relevant in this context) --> https://www.servethehome.com/intel-quickassist-technology-and-openssl-setup-insights-and-initial-benchmarks/ and https://www.servethehome.com/intel-quickassist-at-40gbe-speeds-ipsec-vpn-testing/


Question: I was wondering if the OPNsense team has any plans that this also will become available in OPNsense? I am unable to find concrete information on this (so not assumptions or rumors).


Somewhere the coming year I will upgrade to 1 gigabit internet. I am also setting up my network with an always-on VPN, routing all internet traffic through an OpenVPN tunnel. I have a firewall appliance with a C3558 board so I can leverage QuickAssist in the future.


Having QuickAssist available to avoid too much load on the CPU will become a requirement at a certain point (AES-NI is sufficient for now). Of course I can still use the CPU but that will stress the hardware and will impact longevity but also more power usage.

More background information:

The QAT driver is available in FreeBSD --> https://www.freebsd.org/cgi/man.cgi?query=qat&apropos=0&sektion=0&manpath=FreeBSD+13.0-current&arch=default&format=html

pfSense Plus also supports this from version 21.02: Support for Intel® QuickAssist Technology, also known as QAT.

• QAT accelerates cryptographic and hashing operations on supported hardware, and can be used to accelerate IPsec, OpenVPN, and other OpenCrypto Framework-aware software.
• Supported hardware includes many C3000 and C2000 systems sold by Netgate and some other types of built-in QAT support and add-on cards.

pfSense will also make this available in pfSense CE somewhere this year on 3rd party hardware.

[Patrick M. Hausen]

HISTORY
     The qat driver first appeared in FreeBSD 13.0.

Which implies as soon as OPNsense upgrades to Free/HardenedBSD 13, the support will be there. If not in the UI, you can always set a tunable to load the driver as described in the manpage.

[cwegh]

Thanks, that is good intel. Looking to the roadmap (https://opnsense.org/about/road-map/), this would be not earlier than the January 2022 release?

[franco]

Yes, current plan is 22.1.


Cheers,
Franco

[jbattermann]

Raising my hand here as well - QAT support in OPNSense would be very nice indeed. No pressure or anything, but just to indicate that there's at least one additional user that might appreciate it once >= 22.1 comes around.

[skyjam]

Yes, current plan is 22.1.

@franco: any update, now that 22.1 is out?

[skyjam]

OPNsense 22.1.1_3-amd64

According to https://www.freebsd.org/cgi/man.cgi?query=qat I added the loader.conf data to tunables.

I have a Sophos SG 125 Rev.3, powered by Intel Atom C3508.
So I added

• qat_load => YES
• qat_c3xxxfw_load => YES

After a reboot, dmesg gives me:

Code: [Select]

qat0: <Intel C3000 QuickAssist PF> mem 0xdd240000-0xdd27ffff,0xdd200000-0xdd23ffff irq 18 at device 0.0 on pci1
Does it work? No Idea... I can tell my IPSEC tunnel is working...

[mimugmail]

There is some work to be done

https://github.com/opnsense/core/issues/5559

[franco]

It's really just "kldload" and that's it. As for:

> Does it work? No Idea... I can tell my IPSEC tunnel is working...

It's AESNI all over again.


Cheers,
Franco

[mimugmail]

Oh cool, so the issue is just for labeling and boot loading?

[franco]

It's done.

https://github.com/opnsense/core/commit/db686a85
https://github.com/opnsense/core/commit/dd4512aa


Cheers,
Franco

[mimugmail]

Thx! And you removed AES-NI because systems with AES-NI-only without QAT will use it anyway?

[franco]

AESNI is now part of the FreeBSD GENERIC kernel. No use to load the module, see

https://cgit.freebsd.org/src/commit/?id=074a91f746bd


Cheers,
Franco

[mimugmail]

I thought I follow the development close enough Thx

[zz00mm]

Atom C3758 QAT support
OPNsense 2.1.2 shows the following:

kldstat -v | grep qat
20    1 0xffffffff82904000    16308 qat.ko (/boot/kernel/qat.ko)
                541 pci/qat
21    1 0xffffffff8291b000    a13f8 qat_c3xxxfw.ko (/boot/kernel/qat_c3xxxfw.ko)
                542 qat_c3xxxfw_fw

dmesg | grep qat
qat0: <Intel C3000 QuickAssist PF> mem 0xdf340000-0xdf37ffff,0xdf300000-0xdf33ffff at device 0.0 on pci1


So it see's it, it has been selected under System -> Settings -> Misc -> Hardware acceleration.

As Franco said earlier, Does it work? No Idea... I can tell my IPSEC tunnel is working...


 the openVPN client connections to ProtonVPN are up and working.