Intel® QuickAssist Technology(QAT) OpenSSL* Engine

Installation

The QAT_Engine can be installed by either:

• Installing from pre-built packages

• Installing from source code

Distributions such as Fedora 34+, RHEL 9.1+, CentOS 9 Stream and Ubunutu 24.04 each include qatengine packages within their repositories.

Important

The instructions here are to be used when using QAT_Engine with qatlib.

If using the out-of-tree QAT package, refer to the latest installation instructions available at:

QAT_Engine GitHub repository.

Installing from Packages

This section outlines the installation of QAT_Engine using package managers.

Instructions cover:

• Ubuntu 24.04

• RPM (RPM Package Manager)

Ubuntu 24.04

Note

To install QAT_Engine on older versions of Ubuntu, you must manually compile and install it from the source code.

See the Installing from Sources section for instructions on installing from source.

1. Install the qat_sw libraries by running the below command:

   sudo -E apt install -y libippcp11 libcrypto-mb11 libippcp-dev libcrypto-mb-dev libipsec-mb1 libipsec-mb-dev
   

2. Install the QAT_Engine library by running the below command:

   sudo -E apt install -y qatengine
   

RPM

1. Install the QAT_Engine library by running the below command:

   sudo dnf -y install qatengine
   

   Important

   It is not currently possible to install QAT_Engine with support for qat_sw when installing from RPM packages.

   Only qat_hw is currently supported.

   If qat_sw support is needed, proceed to the Installing from Sources instructions.

Installing from Sources

1. Install the package dependencies by running the below command:

   For RPM-based distros:

   sudo dnf install -y autoconf automake libtool cmake openssl-devel pkg-config nasm
   

   For Ubuntu and other Debian-based distros, install these dependencies:

   sudo apt install -y autoconf automake libtool cmake pkg-config nasm libusdm-dev
   

2. Optional: Install IPP-crypto from the downloaded source.

   This is required for qat_sw.

   cd ~
   git clone https://github.com/intel/ipp-crypto.git
   cd ipp-crypto
   git checkout ippcp_2021.7.1
   cd sources/ippcp/crypto_mb
   cmake . -Bbuild -DCMAKE_INSTALL_PREFIX=/usr
   cd build
   make -j
   sudo make install
   

3. Optional: Install IPSec MB from the downloaded source.

   This is required for qat_sw.

   cd ~
   git clone https://github.com/intel/intel-ipsec-mb.git
   cd intel-ipsec-mb
   git checkout v1.3
   make -j
   sudo make install NOLDCONFIG=y
   

4. Obtain the source package for QAT_Engine by running the following commands:

   cd ~
   git clone https://github.com/intel/QAT_Engine.git
   cd QAT_Engine/
   

5. Configure the QAT_Engine library by running the below commands:

   Important

   If qatlib was installed from source files, the header files are located in a different directory than the QAT_Engine expects. Use the following command to address this issue.

   sudo ln -s /usr/local/include/qat /usr/include/qat
   

   To include support for qat_sw and qat_hw:

   ./autogen.sh
   ./configure --enable-qat_sw
   

   Note

   Refer to QAT_Engine documentation for details on qat_hw and qat_sw co-existence.

   To include support for just qat_hw:

   ./autogen.sh
   ./configure
   

6. Build and install the QAT_Engine library by running the following commands:

   make clean
   make -j
   sudo make install
   

Configuration

At least one QAT endpoint needs to have asymmetric/symmetric (asym;sym) services enabled to utilize QAT_Engine.

Refer to the following sections for details on configuring qatlib.

• Managed Mode (when qat service is enabled)

• Standalone Mode (without service)

Verify QAT_Engine is enabled

The following command can be used to verify QAT_Engine is functional and provide details on the configuration.

openssl engine -t -c -v qatengine

If QAT_Engine was setup with default configuration and just qat_hw path enabled, the output will look like:

  (qatengine) Reference implementation of QAT crypto engine(qat_hw) v1.0.0
[RSA, AES-128-CBC-HMAC-SHA256, AES-256-CBC-HMAC-SHA256, ChaCha20-Poly1305, SHA3-256, SHA3-384, SHA3-512]
    [ available ]
    ENABLE_EXTERNAL_POLLING, POLL, SET_INSTANCE_FOR_THREAD,
    GET_NUM_OP_RETRIES, SET_MAX_RETRY_COUNT, SET_INTERNAL_POLL_INTERVAL,
    GET_EXTERNAL_POLLING_FD, ENABLE_EVENT_DRIVEN_POLLING_MODE,
    GET_NUM_CRYPTO_INSTANCES, DISABLE_EVENT_DRIVEN_POLLING_MODE,
    SET_EPOLL_TIMEOUT, SET_CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD,
    ENABLE_INLINE_POLLING, ENABLE_HEURISTIC_POLLING,
    GET_NUM_REQUESTS_IN_FLIGHT, INIT_ENGINE, SET_CONFIGURATION_SECTION_NAME,
    ENABLE_SW_FALLBACK, HEARTBEAT_POLL, DISABLE_QAT_OFFLOAD, HW_ALGO_BITMAP

If both qat_hw and qat_sw are enabled, the output will look like:

  (qatengine) Reference implementation of QAT crypto engine(qat_hw & qat_sw) v1.0.0
[RSA, AES-128-CBC-HMAC-SHA256, AES-256-CBC-HMAC-SHA256, ChaCha20-Poly1305, SHA3-256, SHA3-384, SHA3-512]
    [ available ]
    ENABLE_EXTERNAL_POLLING, POLL, SET_INSTANCE_FOR_THREAD,
    GET_NUM_OP_RETRIES, SET_MAX_RETRY_COUNT, SET_INTERNAL_POLL_INTERVAL,
    GET_EXTERNAL_POLLING_FD, ENABLE_EVENT_DRIVEN_POLLING_MODE,
    GET_NUM_CRYPTO_INSTANCES, DISABLE_EVENT_DRIVEN_POLLING_MODE,
    SET_EPOLL_TIMEOUT, SET_CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD,
    ENABLE_INLINE_POLLING, ENABLE_HEURISTIC_POLLING,
    GET_NUM_REQUESTS_IN_FLIGHT, INIT_ENGINE, SET_CONFIGURATION_SECTION_NAME,
    ENABLE_SW_FALLBACK, HEARTBEAT_POLL, DISABLE_QAT_OFFLOAD, HW_ALGO_BITMAP,
    SW_ALGO_BITMAP

Important

If errors are reported that indicate multi-buffer libraries are missing, this can be addressed by adding /usr/lib to the LD_LIBRARY_PATH

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib

Testing with OpenSSL Speed

The following OpenSSL Speed commands can be used to verify stack is functional.

qat_hw tests

In the tests below, OpenSSL speed is invoked three times.

• Asynchronous using QAT_Engine

• Synchronous using QAT_Engine

• Default OpenSSL software

RSA 2K

openssl speed -engine qatengine -elapsed -async_jobs 72 rsa2048
openssl speed -engine qatengine -elapsed rsa2048
openssl speed -elapsed rsa2048

ECDH Compute Key

openssl speed -engine qatengine -elapsed -async_jobs 36 ecdh
openssl speed -engine qatengine -elapsed ecdh
openssl speed -elapsed ecdh

Chained Cipher: aes-128-cbc-hmac-sha1

openssl speed -engine qatengine -elapsed -async_jobs 128 -multi 2 -evp aes-128-cbc-hmac-sha1
openssl speed -engine qatengine -elapsed -multi 2 -evp aes-128-cbc-hmac-sha1
openssl speed -elapsed -multi 2 -evp aes-128-cbc-hmac-sha1

qat_sw tests (Intel(R) Crypto Multi-buffer library)

In the tests below, OpenSSL speed is invoked two times.

• QAT_Engine using Crypto Multi-buffer library

• Default OpenSSL software

RSA2K

openssl speed -engine qatengine -elapsed -async_jobs 8 rsa2048
openssl speed -elapsed rsa2048

ECDH X25519

openssl speed -engine qatengine -elapsed -async_jobs 8 ecdhx25519
openssl speed -elapsed ecdhx25519

ECDH P-256

openssl speed -engine qatengine -elapsed -async_jobs 8 ecdhp256
openssl speed -elapsed ecdhp256

ECDSA P-256

openssl speed -engine qatengine -elapsed -async_jobs 8 ecdsap256
openssl speed -elapsed  ecdsap256

ECDH P-384

openssl speed -engine qatengine -elapsed -async_jobs 8 ecdhp384
openssl speed -elapsed ecdhp384

ECDSA P-384

openssl speed -engine qatengine -elapsed -async_jobs 8 ecdsap384
openssl speed -elapsed ecdsap384

qat_sw tests (Intel(R) Multi-Buffer Crypto for IPsec)

In the tests below, OpenSSL speed is invoked two times.

• QAT_Engine using Multi-Buffer Crypto for IPsec

• Default OpenSSL software

AES-128-GCM

openssl speed -engine qatengine -elapsed -evp aes-128-gcm
openssl speed -elapsed -evp aes-128-gcm

AES-192-GCM

openssl speed -engine qatengine -elapsed -evp aes-192-gcm
openssl speed -elapsed -evp aes-192-gcm

AES-256-GCM

openssl speed -engine qatengine -elapsed -evp aes-256-gcm
openssl speed -elapsed -evp aes-256-gcm