Kunpeng Acceleration Engine. Developer Guide. Issue 13 Date HUAWEI TECHNOLOGIES CO., LTD.

Developer Guide

Issue 13

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

Contents

1 Overview...1

2 Logical Architecture... 3

3 Installation, Upgrade, and Uninstallation...5

3.1 Installing the KAE Software... 5

3.1.1 Introduction... 5

3.1.2 Preparing for Installation... 7

3.1.3 Installing OpenSSL... 11

3.1.4 Installing the KAE Software Using RPM Packages...13

3.1.5 Installing the KAE Software Using DEB Packages...17

3.1.6 Installing the KAE Software Package Using Source Code... 21

3.2 Operations After Installation... 25

3.2.1 Testing the Performance of the OpenSSL and the KAE... 25

3.2.2 zlib Compression Library Test...27

3.3 Upgrading the KAE Software... 28

3.3.1 Upgrading the KAE Software Using RPM Packages... 28

3.3.2 Upgrading the KAE Software Using DEB Packages... 30

3.4 Uninstalling the KAE Software... 32

3.4.1 Uninstalling the KAE Software Installed Using RPM Packages... 32

3.4.2 Uninstalling the KAE Software Installed Using DEB Packages... 33

3.4.3 Uninstalling the KAE Software Installed Using Source Code... 36

4 Application Cases... 37

4.1 KAE Applications... 37

4.1.1 KAE Usage Description... 37

4.1.2 Example Code for the KAE... 38

4.1.3 Using KAE in the OpenSSL Configuration File openssl.cnf... 38

4.1.4 Nginx Applications Accelerated by KAE...39

4.1.5 dm-crypt-based Transparent Partition or Drive Encryption...40

4.1.6 Using the KAE on a KVM... 43

4.1.7 Using the KAE on Docker... 45

4.1.8 MD5 Hardware Acceleration Tuning...46

4.2 Using the zlib Library...46

5.1 Querying Accelerator Log Information...47

6 Troubleshooting...49

6.1 Initialization Failure...49

6.2 Failed to Identify Accelerator Devices After the KAE Installed... 50

6.3 Failed to Upgrade The Accelerator Driver... 51

6.4 Failed to Identify the Related Interface Symbols After the OpenSSL of a New Version Is Installed on the Operating System...52

A Appendix... 53

A.1 Terms... 53

A.2 Acronyms and Abbreviations... 54

1

Overview

Kunpeng accelerator engine (KAE) is a hardware acceleration solution provided by the TaiShan 200 server based on the Kunpeng 920 processor. It includes KAE encryption and decryption as well as KAEzip, which are used to accelerate SSL/TLS applications and data compression, respectively. Therefore, it can significantly reduce processor consumption and improve the processor efficiency. In addition, the KAE shields the internal processing details from the application layer. Users can quickly migrate services through the standard OpenSSL and zlib interfaces.

KAE Encryption and Decryption

The KAE encryption and decryption module uses the Kunpeng hardware acceleration module to implement the RSA, SM3, SM4, DH, MD5, and AES algorithms. It provides high-performance symmetric and asymmetric encryption/ decryption algorithms based on the lossless user-mode driver framework.

Compatible with OpenSSL 1.1.1a and later versions, it supports the synchronous and asynchronous mechanisms.

Currently, KAE supports the following algorithms:

● Digest algorithms SM3 and MD5, supporting asynchronous models.

● Symmetric encryption algorithm SM4, supporting asynchronous models and CTR, XTS, CBC, ECB, and OFB modes.

● Symmetric encryption algorithm AES, supporting asynchronous models and ECB, CTR, XTS, and CBC modes.

● Asymmetric algorithm RSA, supporting asynchronous models and key sizes 1024, 2048, 3072, and 4096.

● Key negotiation algorithm DH, supporting asynchronous models and key sizes 768, 1024, 1536, 2048, 3072, and 4096.

KAEzip

KAEzip is the compression module of the KAE. It uses the Kunpeng hardware acceleration module to implement the deflate algorithm and works with the lossless user-mode driver framework to provide an interface for high-performance compression in Gzip or zlib format.

● Supported algorithm: deflate ● Supported mode: synchronous

● Maximum compression bandwidth of a single Kunpeng 920 processor: 7 GBit/s; maximum decompression bandwidth of a single Kunpeng 920 processor: 8 GBit/s

● Supported compression ratio: approximately equal to 2, which is the same as that of the zlib 1.2.11 interface.

The KAE improves application performance in different scenarios. For example, in web service applications, the KAE accelerates handshake connections using the RSA algorithm; in smart security applications, the KAE accelerates the SM4 symmetric encryption and decryption algorithm to accelerate video stream data storage; in distributed storage applications, the zlib library accelerates data compression and decompression.

NO TE

2

Logical Architecture

Figure 2-1 shows the logical architecture of the KAE.

● TaiShan hardware products include chip accelerator, BIOS, and BMC subsystems.

● The accelerator driver subsystem is a core and provides a unified driver interface for each accelerator module to the upper layer.

● The application library subsystem for OpenSSL and zlib libraries provides standard interfaces for upper-layer applications.

● The application system is for upper-layer or user-plane applications, including big data and web applications.

Table 2-1 Subsystem functions

Subsystem Function Description

Chip accelerator

subsystem This subsystem is integrated into the Kunpeng 920processor. It provides accelerator capabilities register interfaces for the upper layer. This subsystem is a hardware implemented by the accelerator and is not directly

presented to users.

BIOS subsystem The BIOS software system of boards determines the modules to be initialized based on the license and reports the advanced configuration and power interface (ACPI) table of the accelerator to the kernel for the accelerator driver subsystem to process.

BMC subsystem This is a BMC software system, which manages accelerator licenses for servers.

Accelerator driver

subsystem This is the core part of the system and provides a unifieddriver interface for each accelerator module to the upper layer.

Application library

subsystem: This subsystem consists of the OpenSSL accelerator engineand zlib replacement library, and provides standard interfaces to the upper layer.

Application

3

Installation, Upgrade, and

Uninstallation

3.1 Installing the KAE Software 3.2 Operations After Installation 3.3 Upgrading the KAE Software 3.4 Uninstalling the KAE Software

3.1 Installing the KAE Software

3.1.1 Introduction

There are three modes to install the KAE software: Using RPM Packages, Using dpkg Packages, and Using Source Code. Select one of them.

Using RPM Packages

Installation

Description Supported System Pros and Cons

To facilitate operations, RPM installation

packages for some commercial OSs are provided. The RPM tool can be used to manage Linux suites. You can run the rpm --help command to obtain the help information.

CentOS 7.6 4.14.0-115.el7a.

Installation

Description Supported System Pros and Cons

Kylin 4.0.2 (juniper) 4.15.0-70-generic version

Kylin release 4.0.2 (SP2) 4.19.36-vhulk1907.1.0.h403.ky4.aarch64 version

UniKylin Linux release 3(Core) 4.18.0-80.ky3.kb21.hw.aarch64 version openEuler 20.03 LTS 4.19.90-2003.4.0.0036.oe1.aarch64 version

Using dpkg Packages

Description Supported System Pros and Cons

To facilitate operations, dpkg installation

packages for some commercial OSs are provided. You can run the dpkg --help command to obtain more help information about the dpkg tool.

Kylin 4.0.2 (juniper)

4.15.0-70-generic version ● Advantages: Afterinstallation, you can use the KAE software without compiling source code. ● Disadvantages: Only certain OS types are supported. Kylin release 4.0.2 (SP2) 4.19.36-vhulk1907.1.0.h403.ky4.aarch64 version Ubuntu 18.04.1 LTS 4.15.0-29-generic version

Using Source Code

Installation

Description Supported System Pros and Cons

You can run the configure command to configure compilation and installation, the make command to compile the source code, and the make

CentOS 7.6 4.14.0-115.el7a.

Installation

Description Supported System Pros and Cons

install command to

install the KAE. NeoKylin7.6 4.14.0-115.5.1.el7a.06.aarch64 version ● Disadvantages:The operation is complex and extra configurations are required. BCLinux-R7-U6-Server-aarch64 version Kylin 4.0.2 (juniper) 4.15.0-70-generic version Kylin release 4.0.2 (SP2) 4.19.36-vhulk1907.1.0.h403.ky4.aarch64 version

UniKylin Linux release 3(Core) 4.18.0-80.ky3.kb21.hw.aarch64 version Ubuntu 18.04.1 LTS 4.15.0-29-generic version openEuler 20.03 LTS 4.19.90-2003.4.0.0036.oe1.aarch64 version

3.1.2 Preparing for Installation

Environment Requirements

● The KAE function is enabled on TaiShan 200 servers.

NO TE

To use the accelerator in the non-virtualization scenario, you need to disable the SMMU. For details, see BIOS Parameter Reference (Kunpeng 920 Processor). ● CPU: Kunpeng 920 processor

● The iBMC V365 or later is used. ● The BIOS V105 or later is used. ● One of the following OSs is used:

– CentOS 7.6 4.14.0-115.el7a.0.1.aarch64 version – SUSE 15.1 4.12.14-195-default.aarch64 version

– EulerOS 2.8 4.19.36-vhulk1907.1.0.h410.eulerosv2r8.aarch64 version – NeoKylin7.6 4.14.0-115.5.1.el7a.06.aarch64 version

– BCLinux-R7-U6-Server-aarch64 version – Kylin 4.0.2 (juniper) 4.15.0-70-generic version

– Ubuntu 18.04.1 LTS 4.15.0-29-generic version

– openEuler 20.03 LTS 4.19.90-2003.4.0.0036.oe1.aarch64 version ● The SSH remote login tool has been installed on the local PC.

Obtaining a License

Before installing the KAE, you need to install a license. The OS can identify the accelerator device only after the license is installed successfully.

NO TE

The hardware acceleration engine of TaiShan K series servers is enabled by default. You do not need to apply for a license.

For details about how to apply for and use a license, see Huawei Server iBMC License User Guide.

Run the lspci command to check whether an accelerator exists in the OS.

lspci | grep HPRE

79:00.0 Network and computing encryption device: Huawei Technologies Co., Ltd. HiSilicon HPRE Engine (rev 21)

b9:00.0 Network and computing encryption device: Huawei Technologies Co., Ltd. HiSilicon HPRE Engine (rev 21)

lspci | grep RDE

78:01.0 RAID bus controller: Huawei Technologies Co., Ltd. HiSilicon RDE Engine (rev 21) b8:01.0 RAID bus controller: Huawei Technologies Co., Ltd. HiSilicon RDE Engine (rev 21) lspci | grep ZIP

75:00.0 Processing accelerators: Huawei Technologies Co., Ltd. HiSilicon ZIP Engine (rev 21) b5:00.0 Processing accelerators: Huawei Technologies Co., Ltd. HiSilicon ZIP Engine (rev 21) lspci | grep SEC

76:00.0 Network and computing encryption device: Huawei Technologies Co., Ltd. HiSilicon SEC Engine (rev 21)

b6:00.0 Network and computing encryption device: Huawei Technologies Co., Ltd. HiSilicon SEC Engine (rev 21)

NO TE

The accelerator description queried by running the lspci command varies depending on the OS. In addition to filtering by keywords, you can also check whether the following

accelerator SBDF information exists.

Obtaining Software

NO TE

Download software packages listed in Table 3-1 or Table 3-2.

Table 3-1 OS-specific RPM or DEB software packages for the KAE

Software Package Description How to Obtain

uacce-version number-1.OS type.aarch64.rpm uacce-version number-1.OS type.aarch64.deb Unified accelerator framework, including the uacce.ko and hisi_qm.ko kernel modules

1. Access the KAE source code page through the following address:

Software Package Description How to Obtain hisi_hpre-version number-1.OS type.aarch64.rpm hisi_hpre-version number-1.OS type.aarch64.deb kunpengcompute /KAE

2. Find and click Releases on the KAE source code page, as shown in

Figure 3-1. The Releases page is displayed. 3. On the Releases

page, select and download the RPM or DEB package of the corresponding versions, as shown in Figure 3-2. Dependency: uacce RPM package Coverage: hisi_hpre.ko kernel module

Support: RSA and DH algorithms hisi_sec2-version number-1.OS type.aarch64.rpm hisi_sec2-version number-1.OS type.aarch64.deb Dependency: uacce RPM package Coverage: hisi_sec2.ko kernel module Support: AES, MD5, SM3, and SM4 algorithms hisi_rde-version number-1.OS type.aarch64.rpm hisi_rde-version number-1.OS type.aarch64.deb Dependency: uacce RPM package Coverage: hisi_rde.ko kernel module

Support: FLEX EC algorithm hisi_zip-version number-1.OS type.aarch64.rpm hisi_zip-version number-1.OS type.aarch64.deb Dependency: uacce RPM package Coverage: hisi_zip.ko kernel module

Supported: zlib and gzip libwd-version number-1.OS type.aarch64.rpm libwd-version number-1.OS type.aarch64.deb

Coverage: libwd.so dynamic link library

This framework provides interfaces for the KAE.

libkae-version number-1.OS type.aarch64.rpm libkae-version number-1.OS type.aarch64.deb Dependency: libwd RPM package Coverage: libkae.so dynamic library Support: SM3, SM4, RSA, AES, MD5, and DH algorithms libkaezip-version number-1.OS type.aarch64.rpm libkaezip-version number-1.OS type.aarch64.deb Dependency: libwd RPM or DEB package Coverage: libkaezip.so dynamic library

Figure 3-1 KAE source package page

Table 3-2 Source packages for the KAE

Source Package Description How to Obtain

KAE This package contains all

OpenSSL-related code and the KAE. ● https://github.com/ kunpengcompute/K AE ● https://github.com/ kunpengcompute/ KAEdriver ● https://github.com/ kunpengcompute/ KAEzip

KAEdriver This package contains the KAE driver code, kernel modules such as uacce, hpre, zip, rde, and sec2, and user-mode driver libwd.

KAEzip This package contains the

zlib patch, which provides file compression and decompression algorithms.

3.1.3 Installing OpenSSL

Prerequisites

● The kernel-devel matching the system version has been installed. Query the current kernel version.

uname -r

● perl and bzip2 have been installed.

Query the version numbers of perl and bzip2.

perl --version bzip2 --version

● The GCC and Make tools have been installed. The performance data varies with the GCC version. Recommended versions are GCC 7.4.1 or later and Make 3.82 or later.

Query the versions of GCC and Make.

gcc --version make --version

● Automake, Autoconf, and Libtool have been installed. Query the versions of Automake, Autoconf, and Libtool.

automake --version autoconf --version libtool --version

NO TE

The default commands used to install software vary depending on the OS used. CentOS and EulerOS use the Yum tool, and SUSE uses the Zypper tool. Ensure that the system has been connected to the network or the image source has been configured. The following uses SUSE as an example to describe how to install GCC. The installation method is the same for other operating systems.

1. Mount the operation image.

mount -o loop /dev/sr0 /mnt

2. Configure the local Zypper image source.

zypper ar file:///mnt local

3. Install GCC.

zypper install gcc

Procedure

Step 1 Use the SSH remote login tool to copy the OpenSSL source package to a directory on the server. The OpenSSL version must be 1.1.1a or later.

NO TE

The OpenSSL source package can be downloaded from https://www.openssl.org/ source/old/1.1.1/.

Step 2 Use SSH to log in to the Linux CLI.

Step 3 Compile and install OpenSSL in the directory where the OpenSSL source code is stored. The following uses the default directory /usr/local.

./config -Wl,-rpath,/usr/local/lib

NO TE

This command automatically generates a Makefile based on the compilation platform and environment. You can use ./config --prefix to specify the installation path and use -Wl and

-rpath to specify the paths of the libcrypto and libssl libraries on which OpenSSL depends.

make

make install

The OpenSSL is installed in /usr/local by default. For details, see the README file in the OpenSSL source code directory.

----End

Setting Environment Variables

Run the following command to export the environment variables. If you specified the installation directory, use the actual installation directory instead of /usr/ local/lib/engines-1.1:

export OPENSSL_ENGINES=/usr/local/lib/engines-1.1

NO TE

By default, this environment variable is mounted to the engine path of OpenSSL.

Verifying the Installation

Step 2 View the OpenSSL version.

./openssl version

If the following information is displayed, the installation is successful.

OpenSSL 1.1.1a 20 Nov 2018

----End

3.1.4 Installing the KAE Software Using RPM Packages

Prerequisites

● You have downloaded the RPM package corresponding to the specified operating system from https://github.com/kunpengcompute/KAE/releases. ● Install the RPM package on an OS of the specified version. If the installation

fails, use the source code to install the accelerator software. ● The RPM tool is available.

● OpenSSL 1.1.1a or later has been successfully installed. For details, see 3.1.3 Installing OpenSSL.

Procedure

NO TE

The hisi_hpre, hisi_sec2, hisi_rde, and hisi_zip driver software packages depend on the uacce software package, and the libkaezip and libkae engine software package depend on the libwd software package.

● If only the RSA and DH algorithms need to be accelerated, you are advised to install only the uacce, hisi_hpre, libwd, and libkae software packages.

● If only AES, MD5, SM3, and SM4 need to be accelerated, you are advised to install only the uacce, hisi_sec2, libwd, and libkae software packages.

● If only the zlib library compression algorithm needs to be accelerated, you are advised to install only the uacce, hisi_zip, libwd, and libkaezip software packages.

For details about the algorithm functions provided by RPM, see Table 3-1.

Step 1 Use SSH to copy the KAE software package to a customized directory. Step 2 Use SSH to log in to the Linux CLI as the root user.

Step 3 Install the accelerator driver software package.

NO TE

If OpenSSL has been installed using the preceding default method, run the rpm -ivh *.rpm command to install all KAE software packages. Otherwise, go to Step 4 to perform the installation.

rpm -ivh *.rpm

Preparing... ################################# [100%] checking installed modules

Updating / installing...

1:uacce-1.0.1-1.centos7.6 ################################# [ 14%] modules installed

2:libwd-1.0.1-1.centos7.6 ################################# [ 29%] 3:libkae-1.0.1-1.centos7.6 ################################# [ 43%] checking installed modules

checking installed modules

5:hisi_rde-1.0.1-1.centos7.6 ################################# [ 71%] modules installed

checking installed modules

6:hisi_sec2-1.0.1-1.centos7.6 ################################# [ 86%] modules installed

checking installed modules

7:hisi_zip-1.0.1-1.centos7.6 ################################# [100%] modules installed

Step 4 Follow the following example to install the uacce-1.0.1 software package. If the RPM software has been installed in Step 3, skip this step.

rpm -ivh uacce-1.0.1-1.centos7.6.aarch64.rpm

Preparing... ################################# [100%] checking installed modules

Updating / installing...

1:uacce-1.0.1-1.centos7.6 ################################# [100%] modules installed

Install the hisi_hpre hisi_sec2, hisi_rde, and hisi_zip driver software packages and the libwd and libkae engine software packages in sequence. When installing the libkae software package, you need to use --prefix to specify the OpenSSL engine installation path.

rpm -ivh libkae-1.0.1-1.centos7.6.aarch64.rpm --prefix=/usr/local/openssl/lib/engines-1.1

NO TE

--prefix=/usr/local/openssl/lib/engines-1.1: the OpenSSL installation path is /usr/local/ openssl.

Preparing... ################################# [100%] Updating / installing...

1:libkae-1.0.1-1.centos7.6 ################################# [100%]

Step 5 Check whether the RPM software is installed in the system.

[root@localhost rpm]# rpm -ql uacce

/lib/modules/4.14.0-115.el7a.0.1.aarch64/extra/hisi_qm.ko /lib/modules/4.14.0-115.el7a.0.1.aarch64/extra/uacce.ko [root@localhost rpm]#

[root@localhost rpm]# rpm -ql hisi_sec2 hisi_hpre hisi_rde hisi_zip /lib/modules/4.14.0-115.el7a.0.1.aarch64/extra/hisi_sec2.ko /etc/modproe.d/hisi_sec2.conf /lib/modules/4.14.0-115.el7a.0.1.aarch64/extra/hisi_hpre.ko /etc/modproe.d/hisi_hpre.conf /lib/modules/4.14.0-115.el7a.0.1.aarch64/extra/hisi_rde.ko /etc/modproe.d/hisi_rde.conf /lib/modules/4.14.0-115.el7a.0.1.aarch64/extra/hisi_zip.ko /etc/modproe.d/hisi_zip.conf

[root@localhost rpm]# [root@localhost rpm]# ls -al /lib/modules/`uname -r`/extra total 3672

drwxr-xr-x. 2 root root 118 Nov 17 21:56 . drwxr-xr-x. 7 root root 4096 Nov 17 21:56 ..

-rw-r--r--. 1 root root 681104 Nov 12 17:32 hisi_hpre.ko -rw-r--r--. 1 root root 618888 Nov 12 17:32 hisi_qm.ko -rw-r--r--. 1 root root 844728 Nov 12 17:32 hisi_rde.ko -rw-r--r--. 1 root root 729304 Nov 12 17:32 hisi_sec2.ko -rw-r--r--. 1 root root 396784 Nov 12 17:32 hisi_zip.ko -rw-r--r--. 1 root root 467160 Nov 12 17:32 uacce.ko [root@localhost rpm]# ls -al /etc/modprobe.d/ total 36

drwxr-xr-x. 2 root root 140 Nov 17 21:56 . drwxr-xr-x. 127 root root 8192 Nov 17 22:14 ..

-rw-r--r--. 1 root root 674 Jul 4 2018 tuned.conf [root@localhost rpm]#

Step 6 Restart the system or manually load the accelerator drivers to the kernel in

sequence using commands, and check whether the drivers are successfully loaded. 1. Query the uacce driver module that has been loaded to the kernel.

lsmod | grep uacce

2. Load the uacce driver.

modprobe uacce

3. Load the hisi_sec2 driver to the kernel based on the configuration file in /etc/ modprobe.d/hisi_sec2.conf.

modprobe hisi_sec2

4. Load the hisi_hpre driver to the kernel based on the configuration file in /etc/ modprobe.d/hisi_hpre.conf.

modprobe hisi_hpre

5. Load the hisi_rde driver to the kernel based on the configuration file in /etc/ modprobe.d/hisi_rde.conf.

modprobe hisi_rde

6. Load the hisi_zip driver to the kernel based on the configuration file in /etc/ modprobe.d/hisi_zip.conf.

modprobe hisi_zip

7. Query the uacce driver module that has been loaded to the kernel again.

lsmod | grep uacce

If the preceding modules are displayed, the loading is successful.

uacce 36864 3 hisi_sec2,hisi_qm,hisi_hpre,hisi_rde,hisi_zip

If the SUSE OS is used, perform the following operations.

NO TE

● Before loading external drivers to the SUSE OS, configure the

/etc/modprobe.d/10-unsupported-modules.conf file and set allow_unsupported_modules to 1.

● The KAE code consists of the kernel driver, user-mode driver, KAE, and zlib library. The kernel driver and user-mode driver are mandatory. Install the KAE and zlib library based on actual requirements.

----End

(Optional) Setting Environment Variables

If the environment variables have been set according to 3.1.3 Installing OpenSSL, skip this step. Otherwise, run the following command to export the environment variables. If you specified the installation path, change /usr/local/lib/engines-1.1 to the actual installation path.

export OPENSSL_ENGINES=/usr/local/lib/engines-1.1

NO TE

By default, this environment variable is mounted to the engine path of OpenSSL. You can also specify a user-defined path.

Verifying the Installation

Step 1 View the KAE software package.

If the following information is displayed, the installation is successful. hisi_rde-1.0.1-1.centos7.6.aarch64 hisi_sec2-1.0.1-1.centos7.6.aarch64 uacce-1.0.1-1.centos7.6.aarch64 hisi_hpre-1.0.1-1.centos7.6.aarch64 hisi_zip-1.0.1-1.centos7.6.aarch64

Step 2 Check the accelerator device in the virtual file system.

ls -al /sys/class/uacce/ total 0

lrwxrwxrwx. 1 root root 0 Nov 14 03:45 hisi_hpre-2 -> ../../devices/pci0000:78/0000:78:00.0/0000:79:00.0/ uacce/hisi_hpre-2

lrwxrwxrwx. 1 root root 0 Nov 14 03:45 hisi_hpre-3 -> ../../devices/pci0000:b8/0000:b8:00.0/0000:b9:00.0/ uacce/hisi_hpre-3

lrwxrwxrwx. 1 root root 0 Nov 17 22:09 hisi_rde-4 -> ../../devices/pci0000:78/0000:78:01.0/uacce/hisi_rde-4 lrwxrwxrwx. 1 root root 0 Nov 17 22:09 hisi_rde-5 -> ../../devices/pci0000:b8/0000:b8:01.0/uacce/hisi_rde-5 lrwxrwxrwx. 1 root root 0 Nov 14 08:39 hisi_sec-0 -> ../../devices/pci0000:74/0000:74:01.0/0000:76:00.0/ uacce/hisi_sec-0

lrwxrwxrwx. 1 root root 0 Nov 14 08:39 hisi_sec-1 -> ../../devices/pci0000:b4/0000:b4:01.0/0000:b6:00.0/ uacce/hisi_sec-1

lrwxrwxrwx. 1 root root 0 Nov 17 22:09 hisi_zip-6 -> ../../devices/pci0000:74/0000:74:00.0/0000:75:00.0/ uacce/hisi_zip-6

lrwxrwxrwx. 1 root root 0 Nov 17 22:09 hisi_zip-7 -> ../../devices/pci0000:b4/0000:b4:00.0/0000:b5:00.0/ uacce/hisi_zip-7

Step 3 Check whether the accelerator has taken effect. The following uses RSA performance verification as an example.

cd /usr/local/bin/ ./openssl speed rsa2048 sign verify sign/s verify/s

rsa 2048 bits 0.001381s 0.000035s 724.1 28601.0 ./openssl speed -engine kae rsa2048

engine "kae" set.

sign verify sign/s verify/s

rsa 2048 bits 0.000175s 0.000021s 5730.1 46591.8

NO TE

The command output shows that the RSA performance is greatly improved after the KAE is specified. In addition, during the execution of the RSA performance command, you can view the hardware queue resources of the hisi_hpre device on a new terminal. Similarly, you can view the hardware queue resource usage of the hisi_sec2 device using the SM3/SM4 algorithm.

cat /sys/class/uacce/hisi_hpre-*/attrs/available_instances

If the value changes from 256 to 255, the RSA algorithm consumes a hardware unit queue of the HPRE accelerator, indicating that the KAE has taken effect.

256 255

Step 4 (Optional) Check whether the zlib accelerator takes effect. If the hisi_zip software is not installed, skip this step. Run the ldd command to check whether the zlib library is linked to libwd and libkaezip.

ldd /usr/local/kaezip/lib/libz.so.1.2.11

If the following information is displayed, the zlib library is successfully installed. You can also run the ldd command to check whether libwd and libkaezip are used.

3.1.5 Installing the KAE Software Using DEB Packages

Prerequisites

● You have downloaded the DEB package corresponding to the specified operating system from https://github.com/kunpengcompute/KAE/releases. ● Install the DEB packages on an OS of the specified version. If the installation

fails, use the source code to install the KAE software. ● The DPKG tool is available.

● OpenSSL 1.1.1a or later has been successfully installed. For details, see 3.1.3 Installing OpenSSL.

Procedure

NO TE

The hisi_hpre, hisi_sec2, hisi_rde, and hisi_zip driver software packages depend on uacce software package, and the libkae and libkaezip engine software package depend on the libwd software package.

● If only the RSA and DH algorithms need to be accelerated, you are advised to install only the uacce, hisi_hpre, libwd, and libkae software packages.

● If only AES, MD5, SM3, and SM4 (commercial cryptography algorithms mandated by the State Cryptographic Administration to be used within China) need to be accelerated, you are advised to install only the uacce, hisi_sec2, libwd, and libkae software packages. ● If only the zlib library compression algorithm needs to be accelerated, you are advised

to install only the uacce, hisi_zip, libwd, and libkaezip software packages.

For details about the algorithm functions provided by each software package, see 3.1.1 Introduction.

Step 1 Use SSH to copy the KAE software package to a customized directory. Step 2 Use SSH to log in to the Linux CLI as the root user.

Step 3 Install the accelerator driver package. For example, you can run the dpkg -i *.deb command to install all KAE software packages.

dpkg -i *.deb

Step 4 (Optional) If the DEB software has been installed in Step 3, skip this step. You can install a software package separately. The following example shows how to install the uacce-1.3.1 package.

dpkg -i uacce-1.3.1-1.ubuntu18.04.arm64.deb uacce modules installed

Install the hisi_hpre, hisi_sec2, hisi_rde, and hisi_zip driver software packages and the libwd, libkae, and libkaezip engine software packages in sequence. Install the libwd package before installing the libkae or libkaezip engine package.

Step 5 Check whether the DEB packages have been installed in the system.

[root@localhost deb]# dpkg -L uacce /. /lib /lib/modules /lib/modules/4.15.0-70-generic /lib/modules/4.15.0-70-generic/extra /lib/modules/4.15.0-70-generic/extra/uacce.ko /lib/modules/4.15.0-70-generic/extra/hisi_qm.ko

/. /lib /lib/modules /lib/modules/4.15.0-70-generic /lib/modules/4.15.0-70-generic/extra /lib/modules/4.15.0-70-generic/extra/hisi_sec2.ko /etc /etc/modprobe.d /etc/modprobe.d/hisi_sec2.conf /. /lib /lib/modules /lib/modules/4.15.0-70-generic /lib/modules/4.15.0-70-generic/extra /lib/modules/4.15.0-70-generic/extra/hisi_hpre.ko /etc /etc/modprobe.d /etc/modprobe.d/hisi_hpre.conf /. /lib /lib/modules /lib/modules/4.15.0-70-generic /lib/modules/4.15.0-70-generic/extra /lib/modules/4.15.0-70-generic/extra/hisi_rde.ko /etc /etc/modprobe.d /etc/modprobe.d/hisi_rde.conf /. /lib /lib/modules /lib/modules/4.15.0-70-generic /lib/modules/4.15.0-70-generic/extra /lib/modules/4.15.0-70-generic/extra/hisi_zip.ko /etc /etc/modprobe.d /etc/modprobe.d/hisi_zip.conf

[root@localhost deb]# ls -al /lib/modules/`uname -r`/extra total 348

drwxr-xr-x 2 root root 4096 Apr 15 17:12 . drwxr-xr-x 6 root root 4096 Apr 15 17:12 ..

-rw-r--r-- 1 root root 49080 Apr 15 09:15 hisi_hpre.ko -rw-r--r-- 1 root root 85728 Apr 15 09:15 hisi_qm.ko -rw-r--r-- 1 root root 59720 Apr 15 09:15 hisi_rde.ko -rw-r--r-- 1 root root 65536 Apr 15 09:15 hisi_sec2.ko -rw-r--r-- 1 root root 42600 Apr 15 09:15 hisi_zip.ko -rw-r--r-- 1 root root 40408 Apr 15 09:15 uacce.ko [root@localhost deb]# ls -al /etc/modprobe.d/ total 52

drwxr-xr-x 2 root root 4096 Apr 15 17:12 . drwxr-xr-x 94 root root 4096 Apr 15 09:15 ..

-rw-r--r-- 1 root root 325 Jan 28 2018 blacklist-ath_pci.conf -rw-r--r-- 1 root root 1667 Nov 13 2018 blacklist.conf -rw-r--r-- 1 root root 210 Jan 28 2018 blacklist-firewire.conf -rw-r--r-- 1 root root 697 Jan 28 2018 blacklist-framebuffer.conf -rw-r--r-- 1 root root 583 Jan 28 2018 blacklist-rare-network.conf -rw-r--r-- 1 root root 45 Apr 15 09:15 hisi_hpre.conf

-rw-r--r-- 1 root root 44 Apr 15 09:15 hisi_rde.conf -rw-r--r-- 1 root root 61 Apr 15 09:15 hisi_sec2.conf -rw-r--r-- 1 root root 44 Apr 15 09:15 hisi_zip.conf -rw-r--r-- 1 root root 347 Jan 28 2018 iwlwifi.conf -rw-r--r-- 1 root root 379 Jul 2 2018 mdadm.conf

Step 6 Restart the system or manually load the accelerator drivers to the kernel in

sequence using commands, and check whether the drivers are successfully loaded. 1. Query the driver module that has been loaded to the kernel.

2. Load the uacce driver.

modprobe uacce

3. Load the hisi_sec2 driver to the kernel based on the configuration file in /etc/ modprobe.d/hisi_sec2.conf.

modprobe hisi_sec2

4. Load the hisi_hpre driver to the kernel based on the configuration file in /etc/ modprobe.d/hisi_hpre.conf.

modprobe hisi_hpre

5. Load the hisi_rde driver to the kernel based on the configuration file in /etc/ modprobe.d/hisi_rde.conf.

modprobe hisi_rde

6. Load the hisi_zip driver to the kernel based on the configuration file in /etc/ modprobe.d/hisi_zip.conf.

modprobe hisi_zip

7. Query the driver module that has been loaded to the kernel again.

lsmod | grep uacce lsmod | grep hisi_qm

If the following information is displayed, the loading is successful.

uacce 28672 1 hisi_qm

hisi_qm 65536 4 hisi_sec2,hisi_zip,hisi_hpre,hisi_rde uacce 28672 1 hisi_qm

NO TE

The KAE code consists of the kernel driver, user-mode driver, KAE, and zlib library. The kernel driver and user-mode driver are mandatory. Install the KAE and zlib library based on actual requirements.

----End

(Optional) Setting Environment Variables

If the environment variables have been set according to 3.1.3 Installing OpenSSL, skip this step. Otherwise, run the following command to export the environment variables. If you specified the installation path, change /usr/local/lib/engines-1.1 to the actual installation path.

export OPENSSL_ENGINES=/usr/local/lib/engines-1.1

NO TE

By default, this environment variable is mounted to the engine path of OpenSSL. You can also specify a user-defined path.

Verifying the Installation

Step 1 View the KAE software package.

dpkg -s uacce hisi-sec2 hisi-hpre hisi-zip hisi-rde

The query result is as follows:

Package: uacce

Status: install ok installed Priority: optional Section: utils Installed-Size: 512

Maintainer: HiSilicon Tech. Co., Ltd. Architecture: arm64

Version: 1.3.1

URL: https://support.huawei.com Package: hisi-sec2

Status: install ok installed Priority: optional Section: utils Installed-Size: 512

Maintainer: HiSilicon Tech. Co., Ltd. Architecture: arm64

Version: 1.3.1

Description: This package contains the Huawei Hisilicon SEC Accelerator Driver. URL: https://support.huawei.com

Package: hisi-hpre Status: install ok installed Priority: optional Section: utils Installed-Size: 512

Maintainer: HiSilicon Tech. Co., Ltd. Architecture: arm64

Version: 1.3.1

Description: This package contains the Huawei Hisilicon HPRE Accelerator Driver. URL: https://support.huawei.com

Package: hisi-zip Status: install ok installed Priority: optional Section: utils Installed-Size: 512

Maintainer: HiSilicon Tech. Co., Ltd. Architecture: arm64

Version: 1.3.1

Description: This package contains the Huawei Hisilicon ZIP Accelerator Driver. URL: https://support.huawei.com

Package: hisi-rde Status: install ok installed Priority: optional Section: utils Installed-Size: 512

Maintainer: HiSilicon Tech. Co., Ltd. Architecture: arm64

Version: 1.3.1

Description: This package contains the Huawei Hisilicon RDE Accelerator Driver. URL: https://support.huawei.com

Step 2 Check the accelerator device in the /sys/ directory.

ls -al /sys/class/uacce/

The query result is as follows:

total 0

drwxr-xr-x 2 root root 0 Apr 15 17:42 . drwxr-xr-x 65 root root 0 Apr 15 16:49 ..

lrwxrwxrwx 1 root root 0 Apr 15 17:42 hisi_hpre-0 -> ../../devices/pci0000:78/0000:78:00.0/0000:79:00.0/ uacce/hisi_hpre-0

lrwxrwxrwx 1 root root 0 Apr 15 17:42 hisi_hpre-1 -> ../../devices/pci0000:b8/0000:b8:00.0/0000:b9:00.0/ uacce/hisi_hpre-1

lrwxrwxrwx 1 root root 0 Apr 15 17:42 hisi_rde-4 -> ../../devices/pci0000:78/0000:78:01.0/uacce/hisi_rde-4 lrwxrwxrwx 1 root root 0 Apr 15 17:42 hisi_rde-5 -> ../../devices/pci0000:b8/0000:b8:01.0/uacce/hisi_rde-5 lrwxrwxrwx 1 root root 0 Apr 15 17:42 hisi_sec2-2 -> ../../devices/pci0000:74/0000:74:01.0/0000:76:00.0/ uacce/hisi_sec2-2

lrwxrwxrwx 1 root root 0 Apr 15 17:42 hisi_sec2-3 -> ../../devices/pci0000:b4/0000:b4:01.0/0000:b6:00.0/ uacce/hisi_sec2-3

lrwxrwxrwx 1 root root 0 Apr 15 17:42 hisi_zip-6 -> ../../devices/pci0000:74/0000:74:00.0/0000:75:00.0/ uacce/hisi_zip-6

Step 3 Run the OpenSSL command to check whether the accelerator takes effect. The following uses the RSA performance as an example. The command is as follows:

[root@localhost deb]# cd /usr/local/bin/ [root@localhost bin]# ./openssl speed rsa2048 sign verify sign/s verify/s rsa 2048 bits 0.001381s 0.000035s 724.1 28601.0 [root@localhost bin]# ./openssl speed -engine kae rsa2048 engine "kae" set.

sign verify sign/s verify/s

rsa 2048 bits 0.000175s 0.000021s 5730.1 46591.8

NO TE

The command output shows that the RSA performance is greatly improved after the KAE is specified. In addition, during the execution of the RSA performance command, you can view the hardware queue resources of the hpre device on a new terminal.

cat /sys/class/uacce/hisi_hpre-*/attrs/available_instances

If the value changes from 256 to 255, the RSA algorithm consumes a hardware unit queue of the HPRE accelerator, indicating that the KAE has taken effect.

256 255

Step 4 (Optional) Check whether the KAE for the zlib library has taken effect. If the hisi_zip software is not installed, skip this step. Run the ldd command to check whether the zlib library is linked to libwd and libkaezip.

ldd /usr/local/kaezip/lib/libz.so.1.2.11

If the following information is displayed, the zlib library is successfully installed. You can also run the ldd command to check whether libwd and libkaezip are used.

linux-vdso.so.1 => (0x0000ffff80280000) libc.so.6 => /lib64/libc.so.6 (0x0000ffff80080000) libwd.so.1 => /lib64/libwd.so.1 (0x0000ffff80040000) /lib/ld-linux-aarch64.so.1 (0x0000ffff80290000) libkaezip.so => /usr/local/kaezip/lib/libkaezip.so (0x0000ffff80830000) ----End

3.1.6 Installing the KAE Software Package Using Source Code

Prerequisites

● You have downloaded the source package.

The download path for the KAE is https://github.com/kunpengcompute/ KAE.

The download path for the KAEdriver is https://github.com/ kunpengcompute/KAEdriver.

The download path of KAEzip is https://github.com/kunpengcompute/ KAEzip.

● The system environment meets the requirements described in 3.1.2 Preparing for Installation.

● OpenSSL 1.1.1a or later has been successfully installed. For details, see 3.1.3 Installing OpenSSL.

Procedure

NO TE

The code contains the kernel driver, user-mode driver, OpenSSL-based KAE, and zlib library. The kernel driver and user-mode driver are mandatory. Install the KAE and zlib library based on actual requirements.

Step 2 Use SSH to log in to the Linux CLI as the root user. Step 3 Install the kernel driver.

In the directory that stores the KAEdriver, run the following commands:

cd kae_driver make make install

The accelerator driver compile to generate uacce.ko, hisi_qm.ko, hisi_sec2.ko, hisi_hpre.ko, hisi_zip.ko and hisi_rde.ko. The installation path is lib/modules/ `uname -r`/extra.

NO TE

The SUSE and CentOS kernel directory is /lib/modules/`uname -r`/, and the driver installation path is /lib/modules/`uname -r`/extra. Run the `uname -r` command to obtain the current kernel information. If other OSs do not use this directory, modify the kernel directory specified by install in the Makefile file.

install:

Changed $(shell mkdir -p /lib/modules/`uname -r`/extra) to $(shell mkdir -p kernel directory/extra).

Step 4 Install the user-mode driver.

Compile and install the Warpdrive driver development library in the KAEdriver directory. cd warpdriver sh autogen.sh ./configure make make install

The --prefix option can be added to the ./configure compilation command to specify the location where the user-mode driver needs to be installed. The dynamic library file of the user-mode driver is libwd.so. The default installation path of warpdrive is /usr/local. The dynamic library file is in /usr/local/lib.

NO TE

The KAE needs to use the OpenSSL dynamic library and warpdrive dynamic library. The installation path of the warpdrive source code must be the same as that of OpenSSL so that the KAE can locate the two dynamic libraries through LD_LIBRARY_PATH.

Step 5 Restart the system or manually load the accelerator drivers to the kernel in

sequence using commands, and check whether the drivers are successfully loaded. 1. Query the uacce driver module that has been loaded to the kernel.

lsmod | grep uacce

2. Load the uacce driver.

modprobe uacce

3. Load the hisi_sec2 driver to the kernel based on the configuration file in /etc/ modprobe.d/hisi_sec2.conf.

4. Load the hisi_hpre driver to the kernel based on the configuration file in /etc/ modprobe.d/hisi_hpre.conf.

modprobe hisi_hpre

5. Load the hisi_rde driver to the kernel based on the configuration file in /etc/ modprobe.d/hisi_rde.conf.

modprobe hisi_rde

6. Load the hisi_zip driver to the kernel based on the configuration file in /etc/ modprobe.d/hisi_zip.conf.

modprobe hisi_zip

7. Query the uacce driver module that has been loaded to the kernel again.

lsmod | grep uacce

If the preceding modules are displayed, the loading is successful.

uacce 36864 3 hisi_sec2,hisi_qm,hisi_hpre,hisi_rde,hisi_zip

If the SUSE OS is used, perform the following operations.

NO TE

● Before loading external drivers to the SUSE OS, configure

/etc/modprobe.d/10-unsupported-modules.conf and set allow_unsupported_modules to 1. Step 6 Compile and install the accelerator KAE.

cd KAE

chmod +x configure ./configure

make clean && make make install

You can add the --prefix option to the ./configure compilation command to specify the installation path of the KAE. The dynamic library file of the KAE is libkae.so.

You are advised to install the KAE in default mode. The default installation path is /usr/local. The dynamic library file is in /usr/local/lib/engines-1.1.

NO TE

If libwd and OpenSSL are not installed in default mode, run the following command to specify the installation paths of OpenSSL and libwd:

./configure --openssl_path=/usr/local/openssl –wd_path=/usr/local/libwd

In this command, /usr/local/openssl and /usr/local/libwd are examples of OpenSSL and libwd installation paths, respectively.

Step 7 (Optional) Compile and install the zlib compression library.

1. Download zlib-1.2.11.tar.gz from the zlib official website and copy it to KAEzip/open_source.

2. Perform compilation and installation.

cd KAEzip sh setup.sh install

The zlib library is installed in /usr/local/kaezip. ----End

(Optional) Setting Environment Variables

variables. If you specified the installation path, change /usr/local/lib/engines-1.1 to the actual installation path.

export OPENSSL_ENGINES=/usr/local/lib/engines-1.1

NO TE

By default, this environment variable is mounted to the engine path of OpenSSL. You can also specify a user-defined path.

Verifying the Installation

Step 1 Run the cd command to go to the /usr/local/lib directory or a user-defined directory.

Step 2 Check the soft connection status.

1. Check the status of the libwd soft connection.

ls -al /usr/local/lib/ |grep libwd

If the command output shows the soft link and the .so files, the libwd is successfully installed.

lrwxrwxrwx. 1 root root 14 Jun 25 11:16 libwd.so -> libwd.so.1.0.1 lrwxrwxrwx. 1 root root 14 Jun 25 11:16 libwd.so.0 -> libwd.so.1.0.1 -rwxr-xr-x. 1 root root 137280 Jun 24 11:37 libwd.so.1.0.1

2. Check the soft connection status of the KAE.

ls -al /usr/local/lib/engines-1.1/

If the command output shows the soft connection and the SO files, the KAE is successfully installed.

lrwxrwxrwx. 1 root root 48 Jun 25 11:21 kae.so -> /usr/local/openssl/lib/engines-1.1/kae.so.1.0.1 lrwxrwxrwx. 1 root root 48 Jun 25 11:21 kae.so.0 -> /usr/local/openssl/lib/engines-1.1/kae.so.1.0.1 -rwxr-xr-x. 1 root root 212192 Jun 24 11:37 kae.so.1.0.1

3. Check the soft connection status of the zlib library.

ll /usr/local/zlib/lib

If the command output shows the soft link and the .so files, the zlib library is successfully installed.

-rw-r-r-. 1 root root 161162 Jul 10 12:54 libz.a

lrwxrwxrwx. 1 root root 14 Jul 10 12:54 libz.so -> libz.so.1.2.11 lrwxrwxrwx. 1 root root 14 Jul 10 12:54 libz.so.1 -> libz.so.1.2.11 -rwxr-xr-x. 1 root root 146656 Jul 10 12:54 libz.so.1.2.11

Step 3 Check the accelerator device in the virtual file system.

ls -al /sys/class/uacce/

The output is displayed as follows:

total 0

lrwxrwxrwx. 1 root root 0 Nov 14 03:45 hisi_hpre-2 -> ../../devices/pci0000:78/0000:78:00.0/0000:79:00.0/ uacce/hisi_hpre-2

lrwxrwxrwx. 1 root root 0 Nov 14 03:45 hisi_hpre-3 -> ../../devices/pci0000:b8/0000:b8:00.0/0000:b9:00.0/ uacce/hisi_hpre-3

lrwxrwxrwx. 1 root root 0 Nov 17 22:09 hisi_rde-4 -> ../../devices/pci0000:78/0000:78:01.0/uacce/hisi_rde-4 lrwxrwxrwx. 1 root root 0 Nov 17 22:09 hisi_rde-5 -> ../../devices/pci0000:b8/0000:b8:01.0/uacce/hisi_rde-5 lrwxrwxrwx. 1 root root 0 Nov 14 08:39 hisi_sec-0 -> ../../devices/pci0000:74/0000:74:01.0/0000:76:00.0/ uacce/hisi_sec-0

lrwxrwxrwx. 1 root root 0 Nov 14 08:39 hisi_sec-1 -> ../../devices/pci0000:b4/0000:b4:01.0/0000:b6:00.0/ uacce/hisi_sec-1

lrwxrwxrwx. 1 root root 0 Nov 17 22:09 hisi_zip-6 -> ../../devices/pci0000:74/0000:74:00.0/0000:75:00.0/ uacce/hisi_zip-6

lrwxrwxrwx. 1 root root 0 Nov 17 22:09 hisi_zip-7 -> ../../devices/pci0000:b4/0000:b4:00.0/0000:b5:00.0/ uacce/hisi_zip-7

[root@localhost rpm]# cd /usr/local/bin/ [root@localhost bin]# ./openssl speed rsa2048 sign verify sign/s verify/s rsa 2048 bits 0.001381s 0.000035s 724.1 28601.0 [root@localhost bin]# ./openssl speed -engine kae rsa2048 engine "kae" set.

sign verify sign/s verify/s

rsa 2048 bits 0.000175s 0.000021s 5730.1 46591.8

NO TE

The command output shows that the RSA performance is greatly improved after the KAE is specified. In addition, during the execution of the RSA performance command, you can view the hardware queue resources of the hpre device on a new terminal.

cat /sys/class/uacce/hisi_hpre-*/attrs/available_instances

If the value changes from 256 to 255, the RSA algorithm consumes a hardware unit queue of the HPRE accelerator, indicating that the KAE has taken effect.

256 255

Step 5 (Optional) Check whether the zlib accelerator takes effect. If the hisi_zip software is not installed, skip this step. Run the ldd command to check whether the zlib library is linked to the libwd library.

ldd /usr/local/zlib/lib/libz.so.1.2.11

If the following information is displayed, the zlib library is successfully installed. You can also run the ldd command to check whether the libwd library is used.

linux-vdso.so.1 => (0x0000ffff80280000) libc.so.6 => /lib64/libc.so.6 (0x0000ffff80080000) libwd.so.1 => /lib64/libwd.so.1 (0x0000ffff80040000) /lib/ld-linux-aarch64.so.1 (0x0000ffff80290000)

----End

3.2 Operations After Installation

3.2.1 Testing the Performance of the OpenSSL and the KAE

NO TE

The following test case data is from the native CentOS 7.6.

Testing the RSA Performance

● Use the OpenSSL software algorithm to test the RSA performance.

./openssl speed -elapsed rsa2048

The command output is as follows:

...

sign verify sign/s verify/s

rsa 2048 bits 0.001384s 0.000035s 724.1 28365.8.

● Use the KAE to test the RSA performance.

./openssl speed -elapsed -engine kae rsa2048

The command output is as follows:

....

sign verify sign/s verify/s

NO TE

After KAE acceleration, the signature performance is improved from 724.1 sign/s to 2819 sign/s.

Testing the Asynchronous RSA Performance

● Use the OpenSSL software algorithm to test the asynchronous RSA performance.

./openssl speed -elapsed -async_jobs 36 rsa2048

The command output is as follows:

....

sign verify sign/s verify/s rsa 2048 bits 0.001318s 0.000032s 735.7 28555

● Use the KAE to test the asynchronous RSA performance. The command output is as follows:

linux-rmw4:/usr/local/bin # ./openssl speed -engine kae -elapsed -async_jobs 36 rsa2048 ....

sign verify sign/s verify/s

rsa 2048 bits 0.000018s 0.000009s 54384.1 105317.0

NO TE

After KAE acceleration, the asynchronous RSA signature performance is improved from 735.7 sign/s to 54384.1 sign/s.

Testing the Performance in SM4 CBC Mode

● Use the OpenSSL software algorithm to test the performance of the SM4 CBC mode.

./openssl speed -elapsed -evp sm4-cbc

The command output is as follows:

You have chosen to measure elapsed time instead of user CPU time. ....

Doing sm4-cbc for 3s on 10240 size blocks: 2196 sm4-cbc's in 3.00s ....

type 51200 bytes 102400 bytes1048576 bytes2097152 bytes4194304 bytes8388608 bytes sm4-cbc 82312.53k 85196.80k 85284.18k 85000.85k 85284.18k 85261.26k

● Use the KAE to test the performance of the SM4 CBC mode.

./openssl speed -elapsed -engine kae -evp sm4-cbc

The command output is as follows:

engine "kae" set.

You have chosen to measure elapsed time instead of user CPU time. ...

Doing sm4-cbc for 3s on 1048576 size blocks: 11409 sm4-cbc's in 3.00s ...

type 51200 bytes 102400 bytes1048576 bytes2097152 bytes4194304 bytes8388608 bytes sm4-cbc 383317.33k 389427.20k 395313.15k 392954.73k 394264.58k 394264.58k

NO TE

After KAE acceleration, the performance increases from 82312.53 kbit/s to 383317.33 kbit/s in SM4 CBC mode when the input data block size is 8 MB.

Testing the Performance in SM3 Mode

● Use the OpenSSL software algorithm to test the SM3 mode performance.

./openssl speed -elapsed -evp sm3

The result is as follows:

....

type 51200 bytes 102400 bytes1048576 bytes2097152 bytes4194304 bytes8388608 bytes sm3 50568.53k 52428.80k 52428.80k 52428.80k 52428.80k 52428.80k

● Use the KAE to test the SM3 mode performance.

./openssl speed -elapsed -engine kae -evp sm3

The result is as follows:

engine "kae" set.

You have chosen to measure elapsed time instead of user CPU time. Doing sm3 for 3s on 102400 size blocks: 19540 sm3's in 3.00s ....

type 51200 bytes 102400 bytes 1048576 bytes 2097152 bytes 4194304 bytes 8388608 bytes sm3 648243.20k 666965.33k 677030.57k 678778.20k 676681.05k 668292.44k

NO TE

After KAE acceleration, the performance increases from 52428.80 kbit/s to 668292.44 kbit/s using the SM3 algorithm when the input data block size is 8 MB.

Testing the Asynchronous Performance of the AES Algorithm in CBC Mode

● Use the OpenSSL software algorithm to test the asynchronous performance of the AES algorithm in CBC mode.

./openssl speed -elapsed -evp aes-128-cbc -async_jobs 4

The command output is as follows:

You have chosen to measure elapsed time instead of user CPU time. Doing aes-128-cbc for 3s on 51200 size blocks: 65773 aes-128-cbc's in 3.00s Doing aes-128-cbc for 3s on 102400 size blocks: 32910 aes-128-cbc's in 3.00s ....

type 51200 bytes 102400 bytes1048576 bytes2097152 bytes4194304 bytes8388608 bytes aes-128-cbc 1122525.87k 1123328.00k 1120578.22k 1121277.27k 1119879.17k 1115684.86k

● Use the KAE to test the asynchronous performance of the AES algorithm in CBC mode.

./openssl speed -elapsed -evp aes-128-cbc -async_jobs 4 -engine kae

The output is displayed as follows:

engine "kae" set.

You have chosen to measure elapsed time instead of user CPU time.

Doing aes-128-cbc for 3s on 51200 size blocks: 219553 aes-128-cbc's in 3.00s Doing aes-128-cbc for 3s on 102400 size blocks: 117093 aes-128-cbc's in 3.00s ....

type 51200 bytes 102400 bytes1048576 bytes2097152 bytes4194304 bytes8388608 bytes aes-128-cbc 3747037.87k 3996774.40k 1189085.18k 1196774.74k 1196979.11k 1199570.94k

NO TE

● The OpenSSL test data length is defined in the lengths_list array of the speed.c file (the speed.c file is in the app directory of the OpenSSL source package, for example,

openssl-1.1.1a/apps/speed.c). Testers can modify the data here, compile and install

OpenSSL by referring to 3.1.3 Installing OpenSSL and perform the test. That is how the length of the test data (such as 51,200 bytes and 102,400 bytes) is calculated.

● The AES algorithm supports only asynchronous usage when the data length is 256 KB or less.

● After KAE acceleration, the performance increases from 1,123,328.00 kbit/s to 3,996,774.40 kbit/s using the AES algorithm when the input data block size is 100 KB.

3.2.2 zlib Compression Library Test

1. Go to the zlib-1.2.11 directory.

cd KAEzip/open_source/zlib-1.2.11

2. Test the zlib library functions.

Compile the performance test tool in the test directory to test the library performance. Set the LD_LIBRARY_PATH to use the zlib library during the performance test.

export LD_LIBRARY_PATH=/usr/local/kaezip/lib:$ LD_LIBRARY_PATH cd KAEzip/test make [root@localhost test]#./kaezip_perf usage: -m: multi process -l: stream length(KB) -n: loop times -d: compress or decompress example: ./kaezip_perf -m 2 -l 1024 -n 1000 ./kaezip_perf -d -m 2 -l 1024 -n 1000 default input parameter used

kaezip perf input parameter: multi process 2, stream length: 1024(KB), loop times: 1000 kaezip compress perf result:

time used: 509004 us, speed = 4.024 GB/s [root@localhost test]# ./kaezip_perf -d

kaezip perf parameter: multi process 2, stream length: 1024(KB), loop times: 1000 kaezip decompress perf result:

time used: 810318 us, speed = 2.527 GB/s

3.3 Upgrading the KAE Software

3.3.1 Upgrading the KAE Software Using RPM Packages

NO TE

If the KAE installed using the source code does not involve upgrade operations, skip this section.

Scenarios

Run the rpm -Uvh command to upgrade the KAE software.

Procedure

Step 1 Download the latest KAE software package.

Step 2 Use SSH to log in to the Linux CLI as the root user.

Step 3 In the directory where the software package is stored, upgrade the accelerator driver package and engine library package.

rpm -Uvh *.rpm

The following command output is displayed:

Preparing... ################################# [100%] checking installed modules

uacce modules start to install Updating / installing...

1:uacce-1.2.1-1.centos7.6 ################################# [ 7%] uacce modules installed

2:libwd-1.2.1-1.centos7.6 ################################# [ 14%] 3:libkae-1.2.1-1.centos7.6 ################################# [ 21%] checking installed modules

4:hisi_hpre-1.2.1-1.centos7.6 ################################# [ 29%] hisi_hpre modules installed

checking installed modules hisi_rde modules start to install

5:hisi_rde-1.2.1-1.centos7.6 ################################# [ 36%] hisi_rde modules installed

checking installed modules hisi_sec2 modules start to install

6:hisi_sec2-1.2.1-1.centos7.6 ################################# [ 43%] hisi_sec2 modules installed

checking installed modules hisi_zip modules start to install

7:hisi_zip-1.2.1-1.centos7.6 ################################# [ 50%] hisi_zip modules installed

Cleaning up / removing...

8:libkae-1.2.0-1.centos7.6 ################################# [ 57%] 9:hisi_zip-1.2.0-1.centos7.6 ################################# [ 64%] hisi_zip modules uninstalled

10:hisi_sec2-1.2.0-1.centos7.6 ################################# [ 71%] hisi_sec2 modules uninstalled

11:hisi_rde-1.2.0-1.centos7.6 ################################# [ 79%] hisi_rde modules uninstalled

12:hisi_hpre-1.2.0-1.centos7.6 ################################# [ 86%] hisi_hpre modules uninstalled

13:uacce-1.2.0-1.centos7.6 ################################# [ 93%] uacce modules uninstalled

14:libwd-1.2.0-1.centos7.6 ################################# [100%]

Step 4 Restart the system or manually uninstall the driver of the old version using the CLI, and then load the driver of the new version. Check whether the driver is successfully loaded.

1. Uninstall the old driver.

a. Query the drivers that have been loaded to the kernel.

lsmod | grep uacce

The following command output is displayed:

uacce 262144 5 hisi_zip,hisi_rde,hisi_hpre,hisi_sec2,hisi_qm

b. Uninstall the drivers of the old version in sequence.

rmmod hisi_hpre rmmod hisi_sec2 rmmod hisi_rde rmmod hisi_zip rmmod hisi_qm rmmod uacce

c. Run the following command again. If no result is displayed, the old version is uninstalled successfully.

lsmod | grep uacce

2. Load the new drivers. a. Load the uacce driver.

modprobe uacce

b. Load the hisi_sec2 driver to the kernel based on the configuration file in /etc/modprobe.d/hisi_sec2.conf.

modprobe hisi_sec2

c. Load the hisi_hpre driver to the kernel based on the configuration file in /etc/modprobe.d/hisi_hpre.conf.

modprobe hisi_hpre

d. Load the hisi_rde driver to the kernel based on the configuration file in /etc/modprobe.d/hisi_rde.conf.

modprobe hisi_rde

modprobe hisi_zip

f. Query the loaded drivers.

lsmod | grep uacce

If the following information is displayed, the loading is successful.

uacce 36864 3 hisi_sec2,hisi_qm,hisi_hpre,hisi_rde,hisi_zip

Step 5 Run the rpm -qa | grep command to check the software version after the upgrade.

rpm -qa uacce hisi_sec2 hisi_hpre hisi_zip hisi_rde

If the version number after the upgrade is displayed, the upgrade is successful.

hisi_rde-1.2.1-1.centos7.6.aarch64 hisi_sec2-1.2.1-1.centos7.6.aarch64 uacce-1.2.1-1.centos7.6.aarch64 hisi_hpre-1.2.1-1.centos7.6.aarch64 hisi_zip-1.2.1-1.centos7.6.aarch64 ----End

3.3.2 Upgrading the KAE Software Using DEB Packages

Scenarios

Use DEB packages to upgrade the KAE software.

Procedure

Step 1 Download the latest KAE software package.

Step 2 Use SSH to log in to the Linux CLI as the root user. Step 3 Uninstall the KAE software package.

NO TE

Due to the dependency relationships, the hisi_hpre, hisi_sec2, hisi_rde, and hisi_zip driver packages must be uninstalled before the uacce driver package is uninstalled. The libkae engine package must be uninstalled before the libwd driver package is uninstalled.

dpkg -r hisi-sec2

Step 4 In the directory where the software package is stored, reinstall the accelerator driver package and engine library package.

dpkg -i *.deb

Step 5 Restart the system or manually uninstall the driver of the old version using the CLI, and then load the driver of the new version. Check whether the driver is successfully loaded.

1. Uninstall the old driver.

a. Query the drivers that have been loaded to the kernel.

lsmod | grep uacce

The following command output is displayed:

uacce 262144 5 hisi_zip,hisi_rde,hisi_hpre,hisi_sec2,hisi_qm

b. Uninstall the drivers of the old version in sequence.

rmmod hisi_qm rmmod uacce

c. Run the following command again. If no result is displayed, the old version is uninstalled successfully.

lsmod | grep uacce

2. Load the new drivers. a. Load the uacce driver.

modprobe uacce

b. Load the hisi_sec2 driver to the kernel based on the configuration file in /etc/modprobe.d/hisi_sec2.conf.

modprobe hisi_sec2

c. Load the hisi_hpre driver to the kernel based on the configuration file in /etc/modprobe.d/hisi_hpre.conf.

modprobe hisi_hpre

d. Load the hisi_rde driver to the kernel based on the configuration file in /etc/modprobe.d/hisi_rde.conf.

modprobe hisi_rde

e. Load the hisi_zip driver to the kernel based on the configuration file in /etc/modprobe.d/hisi_zip.conf.

modprobe hisi_zip

f. Query the loaded drivers.

lsmod | grep uacce

If the following information is displayed, the loading is successful.

uacce 36864 3 hisi_sec2,hisi_qm,hisi_hpre,hisi_rde,hisi_zip

Step 6 Run the dpkg -s command to check the software version after the upgrade.

dpkg -s uacce hisi-sec2 hisi-hpre hisi-zip hisi-rde

If the version number after the upgrade is displayed, the upgrade is successful.

Package: uacce

Status: install ok installed Priority: optional Section: utils Installed-Size: 512

Maintainer: HiSilicon Tech. Co., Ltd. Architecture: arm64

Version: 1.3.1

Description: This package contains the Unified/User-space-access-intended Accelerator Framework. URL: https://support.huawei.com

Package: hisi-sec2 Status: install ok installed Priority: optional Section: utils Installed-Size: 512

Maintainer: HiSilicon Tech. Co., Ltd. Architecture: arm64

Version: 1.3.1

Description: This package contains the Huawei Hisilicon SEC Accelerator Driver. URL: https://support.huawei.com

Package: hisi-hpre Status: install ok installed Priority: optional Section: utils Installed-Size: 512

Maintainer: HiSilicon Tech. Co., Ltd. Architecture: arm64

Version: 1.3.1

Package: hisi-zip Status: install ok installed Priority: optional Section: utils Installed-Size: 512

Maintainer: HiSilicon Tech. Co., Ltd. Architecture: arm64

Version: 1.3.1

Description: This package contains the Huawei Hisilicon ZIP Accelerator Driver. URL: https://support.huawei.com

Package: hisi-rde Status: install ok installed Priority: optional Section: utils Installed-Size: 512

Maintainer: HiSilicon Tech. Co., Ltd. Architecture: arm64

Version: 1.3.1

Description: This package contains the Huawei Hisilicon RDE Accelerator Driver. URL: https://support.huawei.com

----End

3.4 Uninstalling the KAE Software

3.4.1 Uninstalling the KAE Software Installed Using RPM

Packages

Scenarios

Uninstall the KAE software that is installed using RPM packages if you do not need to use the KAE software or you want to install a new version of the KAE software.

Procedure

Step 1 Use SSH to log in to the Linux CLI as the root user.

Step 2 Uninstall the KAE software and check the uninstallation result. 1. Uninstall the KAE software package.

Run the rpm -e software package name command. For example, run the following command to uninstall hisi_sec2.

rpm -e hisi_sec2

NO TE

Due to the dependency relationships, the hisi_hpre, hisi_sec2, hisi_rde, and hisi_zip driver packages must be uninstalled before the uacce driver package is uninstalled. The libkae engine package must be uninstalled before the libwd driver package is uninstalled.

2. Check whether the uninstallation is successful.

Run the rpm -qa |grep software package name command. For example, run the following command to check whether hisi_sec2 is uninstalled.

NO TE

The following uninstalls all KAE software packages:

[root@localhost output]# rpm -e hisi_hpre hisi_hpre modules uninstalled

[root@localhost output]# rpm -e hisi_sec2 hisi_sec2 modules uninstalled

[root@localhost output]# rpm -e hisi_zip hisi_zip modules uninstalled

[root@localhost output]# rpm -e hisi_rde hisi_rde modules uninstalled

[root@localhost output]#

[root@localhost output]# rpm -e uacce uacce modules uninstalling

uacce modules uninstalled

[root@localhost output]# rpm -e libwd libkae libkaezip [root@localhost output]#

[root@localhost output]# rpm -qa uacce hisi_hpre hisi_sec2 hisi_rde hisi_zip [root@localhost output]# rpm -qa libwd libkae libkaezip

Step 3 Restart the system or use commands to manually uninstall the accelerator drivers loaded to the kernel, and check whether the drivers are successfully uninstalled.

[root@localhost rpm]# lsmod | grep uacce

uacce 36864 3 hisi_sec2,hisi_qm,hisi_hpre,hisi_rde,hisi_zip [root@localhost output]# lsmod | grep uacce

uacce 262144 5 hisi_zip,hisi_rde,hisi_hpre,hisi_sec2,hisi_qm [root@localhost output]#

[root@localhost output]# rmmod hisi_hpre [root@localhost output]# rmmod hisi_sec2 [root@localhost output]# rmmod hisi_rde [root@localhost output]# rmmod hisi_zip [root@localhost output]# rmmod hisi_qm [root@localhost output]# rmmod uacce [root@localhost output]# lsmod | grep uacce [root@localhost output]#

----End

3.4.2 Uninstalling the KAE Software Installed Using DEB

Packages

Scenarios

Uninstall the KAE software that is installed using DEB packages if you do not need to use the KAE software or you want to install a new version of the KAE software.

Procedure

Step 1 Use SSH to log in to the Linux CLI as the root user.

Step 2 Uninstall the KAE software package and check the uninstallation result. 1. Uninstall the KAE software package.

Run the dpkg -r software package name command. For example, run the following command to uninstall hisi_sec2.

NO TE

Due to the dependency relationships, the hisi_hpre, hisi_sec2, hisi_rde, and hisi_zip driver packages must be uninstalled before the uacce driver package is uninstalled. The libkae engine package must be uninstalled before the libwd driver package is uninstalled.

2. Run the following command to check whether the software is successfully uninstalled.

Run the dpkg -L software package name command. For example, run the following command to check whether hisi_sec2 is successfully uninstalled:

NO TE

The following uninstalls all KAE software packages:

[root@localhost output]# dpkg -r hisi-hpre

(Reading database ... 79192 files and directories currently installed.) Removing hisi-hpre (1.3.2) ...

hisi_hpre modules uninstalling hisi_hpre modules uninstalled

[root@localhost output]# dpkg -r hisi-sec2

(Reading database ... 79190 files and directories currently installed.) Removing hisi-sec2 (1.3.2) ...

hisi_sec2 modules uninstalling hisi_sec2 modules uninstalled

[root@localhost output]# dpkg -r hisi-zip

(Reading database ... 79188 files and directories currently installed.) Removing hisi-zip (1.3.2) ...

hisi_zip modules uninstalling hisi_zip modules uninstalled

[root@localhost output]# dpkg -r hisi-rde

(Reading database ... 79186 files and directories currently installed.) Removing hisi-rde (1.3.2) ...

hisi_rde modules uninstalling hisi_rde modules uninstalled

[root@localhost output]# dpkg -r uacce

(Reading database ... 79184 files and directories currently installed.) Removing uacce (1.3.2) ...

uacce modules uninstalling uacce modules uninstalled

[root@localhost output]# dpkg -r libwd libkae libkaezip

(Reading database ... 79181 files and directories currently installed.) Removing libkae (1.3.2) ...

Removing libkaezip (1.3.2) ... Removing libwd (1.3.2) ...

Processing triggers for libc-bin (2.27-3ubuntu1) ...

[root@localhost output]# dpkg -L uacce hisi-hpre hisi-sec2 hisi-rde hisi-zip Package 'uacce' does not contain any files (!)

Package 'hisi-hpre' does not contain any files (!) Package 'hisi-sec2' does not contain any files (!) Package 'hisi-rde' does not contain any files (!) Package 'hisi-zip' does not contain any files (!) [root@localhost output]# dpkg -Llibwd libkae libkaezip /usr /usr/local /usr/local/include /usr /usr/local /usr/local/lib /usr/local/lib/engines-1.1

Package 'libkaezip' does not contain any files (!) [root@localhost output]#

Step 3 Restart the system or use commands to manually uninstall the accelerator drivers loaded to the kernel, and check whether the drivers are successfully uninstalled.

[root@localhost rpm]# lsmod | grep uacce

uacce 36864 3 hisi_sec2,hisi_qm,hisi_hpre,hisi_rde,hisi_zip [root@localhost output]# lsmod | grep uacce

uacce 262144 5 hisi_zip,hisi_rde,hisi_hpre,hisi_sec2,hisi_qm [root@localhost output]#