Intel EP80579 User Manual
Intel® EP80579 Software for
Security Applications on Intel
QuickAssist Technology
Programmer’s Guide
August 2009
®
Order Number: 320183-004US
Legal Lines and Disclaimers
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR
OTHERWISE, TO ANY IN TELLEC TUA L PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL ’S TERMS AND CONDITIONS
OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING
TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE,
MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. Intel products are not intended for
use in medical, life saving, life sustaining, critical control or safety systems, or in nuclear facility applications.
Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics
of any features or instructions marked “reserv ed” or “undefined.” Intel reserves these for fut ure definition and shall ha ve no responsibility whatsoever for
conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with
this information.
The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published
specifications. Current characterized errata are available on request.
Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.
Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-
4725, or by visiting Intel’s Web Site.
Any software source code reprinted in this document is furnished under a software license and may only be used or copied in accordance with the terms
of that license.
Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor family, not across different
processor families. See http://www.intel.com/products/processor_number for details.
Code Names are only for use by Intel to identify products, platforms, programs, services, etc. (“products”) in development by Intel that have not been
made commercially available to the public, i.e., announced, launched or shipped. They are never to be used as “commercial” names for products. Also,
they are not intended to function as trademarks.
BunnyPeople, Celeron, Celeron Inside, Centrino, Centrino logo, Core Inside, FlashFile, i960, InstantIP, Intel, Intel logo, Intel386, Intel486, Inte l7 40 ,
IntelDX2, IntelDX4, IntelSX2, Intel Core, Intel Inside, Intel Inside logo, Intel. Leap ahead., Intel. Leap ahead. logo, Intel NetBurst, Intel NetMerge, In tel
NetStructure, Intel SingleDriver, Intel SpeedStep, Intel StrataFlash, Intel Viiv, Intel vPro, Intel XScale, Itanium, Itanium Inside, MCS, MMX, Oplus,
OverDrive, PDCharm, Pentium, Pentium Inside, skoool, Sound Mark, The Journey Inside, VTune, Xeon, and Xeon Inside are trademarks of Intel
Corporation in the U.S. and other countries.
*Other names and brands may be claimed as the property of others.
Copyright © 2009, Intel Corporation. All rights reserved.
Intel® EP80579 Software for Security Applications on Intel® QuickAssist Technology
PG August 2009
2 Order Number: 320183-004US
Contents—Security Software
Contents
1.0 Introduction..............................................................................................................7
1.1 What’s New in this Chapter...................................................................................7
1.2 About this Document ...........................................................................................7
1.3 Where to Find Current Software and Documentation................................................7
1.4 Related Information.............................................................................................8
1.4.1 Reference Documents............................................................... ................8
1.5 Glossary ............................................................................................................8
1.6 Features Supported in this Release......................................................................10
Part 1: Architectural Overview ......................................................11
2.0 Silicon Overview...................................................................................................... 12
2.1 What’s New in this Chapter................................................................................. 12
2.2 High Level Overview......................... .................................. .. .............................12
3.0 Software Overview ..................................................................................................14
3.1 What’s New in this Chapter................................................................................. 14
3.2 Shared Memory Allocation...................................... .. .......................................... 14
3.3 Logical View ......... ................................. .................................. .........................15
3.3.1 Acceleration Firmware Layer....................................................................15
3.3.2 Acceleration Access Layer and Acceleration APIs.........................................15
3.3.3 Infrastructure ........................................................................................16
3.3.4 Acceleration System Driver (ASD) ............................................................16
3.3.5 Shim Layers ..........................................................................................17
3.4 Development View.................... .. ................................. .. .................................. ..17
3.5 Process View ....................................................................................................18
3.6 Deployment View..............................................................................................18
®
4.0 Intel
4.1 What’s New in this Chapter ................................................................................20
4.2 Feature List......................................................................................................20
4.3 Intel
4.4 Lookaside Security Algorithms High Level Overview ...............................................23
5.0 QAT Access Layer Architecture Overview.................................................................29
5.1 What’s New in this Chapter................................................................................. 29
5.2 Overview .........................................................................................................29
6.0 Debug Component Architecture Overview................................................................30
6.1 What’s New in this Chapter................................................................................. 30
6.2 Overview .........................................................................................................30
6.3 Version Information...........................................................................................30
6.4 Liveness Detection ............................................................................................30
6.5 Data Structure Dump.........................................................................................31
7.0 ASD Module Architecture Overview..........................................................................32
7.1 What’s New in this Chapter................................................................................. 32
QuickAssist Technology Cryptographic API Architecture Overview................20
4.2.1 Symmetric Operations ............................................................................20
4.2.2 Random Number....................................................................................22
4.2.3 Public Key Operations .............................................................................22
®
QuickAssist Technology Cryptographic API Documentation.............................22
4.4.1 Lookaside Symmetric Overview............................................... ... .. .. ..........23
4.4.2 Key Generation........................... .. .. .................................. .. ...................26
4.4.3 Lookaside PKE Overview............................................................ .. .. .. ........ 26
4.4.4 Lookaside Random Overview ........................... .. .................................. .. ..28
August 2009 PG
Order Number: 320183-004US 3
Intel® EP80579 Software for Security Applications on Intel® QuickAssist Technology
Security Software—Contents
7.2 Overview..........................................................................................................32
7.3 Functional Description ........................................................................................32
7.3.1 Configuration .........................................................................................32
7.4 Boot Time Configuration Instructions....................................................................34
8.0 ASD Hardware Services ............................................................................................35
8.1 What’s New in this Chapter.................................................................................35
8.2 Overview..........................................................................................................35
8.3 Functional Description ........................................................................................35
8.3.1 Interrupt Management Services................................................................35
8.3.2 NCDRAM/CDRAM Interface.......................................................................38
Part 2: Using the API ....................................................................41
9.0 Introduction to Use Cases........................................................................................42
9.1 What’s New in this Chapter.................................................................................42
9.2 Use Cases.........................................................................................................42
9.2.1 Lookaside Acceleration Model ...................................................................42
10.0 Programming Model.................................................................................................43
10.1 What’s New in this Chapter .................................................................................43
10.2 Overview..........................................................................................................43
10.3 Intel
10.4 Other API Conventions .......................................................................................45
11.0 Debugging Applications ...........................................................................................48
11.1 What’s New in this Chapter .................................................................................48
11.2 Management Interface Layer (MIL) Introduction.....................................................48
11.3 MIL User Command Details.................................................................................49
11.4 APIs.................................................................................................................56
12.0 Using the Intel
12.1 What’s New in this Chapter .................................................................................58
12.2 Intel
12.3 Symmetric Cryptographic API Data Flow...............................................................61
®
QuickAssist Technology API Conventions .....................................................43
10.3.1 Memory Allocation and Ownership.............................................................43
10.3.2 Data Buffer Models .................................................................................44
10.3.3 Synchronous and Asynchronous Support....................................................44
10.3.4 Pre-Registration .....................................................................................45
10.4.1 Asynchronous API and Function Completion Callbacks..................................45
10.4.2 Memory Allocation and Ownership.............................................................46
10.4.3 Callback Data Structures .........................................................................46
10.4.4 Return Codes.................................... .................................. ...................47
11.2.1 Loading the MIL Application .....................................................................49
11.3.1 help......................................................................................................50
11.3.2 DebugEnable..........................................................................................50
11.3.3 DebugDisable.........................................................................................51
11.3.4 VersionDumpAll......................................................................................52
11.3.5 setHC <timeout>....................................................................................53
11.3.6 SystemHealthCheck................................................................................54
11.3.7 DataDump.............................................................................................55
11.3.8 SetFileName <filename>.........................................................................56
®
QuickAssist Technology Cryptographic API ....................................58
®
QuickAssist Technology Cryptographic API...................................................58
12.2.1 Modes of Operation.................................................................................60
12.2.2 Interrupt Operation.................................................................................60
12.2.3 Engine and Priority Support......................................................................61
12.2.4 Statistics ...............................................................................................61
®
EP80579 Software for Security Applications on Intel® QuickAssist Technology
Intel
PG August 2009
4 Order Number: 320183-004US
Contents—Security Software
12.4 Data Format..................................................................................................... 64
12.4.1 Flat Buffers ........................................................................................... 64
12.4.2 Buffer List .............................................................................................65
12.5 Memory Management ....................................................................... ... ..............65
12.6 Endianness and Alignment.............................................. ....................................66
12.7 High-Level API Flow...........................................................................................66
12.7.1 Cryptographic API Initialization and Shutdown............................................66
®
12.8 Intel
QuickAssist Technology Cryptographic API Data Flow.................................... 67
12.8.1 Completion of an Operation .................................................... ... .. .. .. ........ 67
12.8.2 Symmetric Operations ............................................................................ 67
12.8.3 Asymmetric Operations...........................................................................71
12.9 Using a Cryptographic Framework ....................................................................... 74
12.10 Accelerating Cryptographic Protocols....................................................................74
12.11 Error Handling ..................................................................................................75
A NPF Copyright Notice...............................................................................................76
Figures
1Intel® EP80579 Integrated Processor with Intel® QuickAssist Technology Block Diagram...13
2 Software for Intel® EP80579 Integrated Processor product line ...................................... 15
3 Acceleration Access Layer and Acceleration APIs ..........................................................16
4 Electronic Codebook (ECB) Mode................................................................................ 23
5 Cipher-Block Chaining (CBC) Mode.............................................................................24
6 Counter Mode.......................... .. .. ............................................................................24
7 ISR Sequence Diagram.............................................................................................37
8Intel
9Intel
10 Management Interface Layer Architecture Decomposition.............................................. 48
11 Sequence Diagram for DebugEnable Command............................................................50
12 Sequence Diagram for DebugDisable Command...........................................................51
13 Sequence Diagram for VersionDumpAll Command ........................................................ 52
14 Sequence Diagram for setHC Command......................................................................53
15 Sequence Diagram for SystemHealthCheck Command...................................................54
16 Sequence Diagram for DataDump Command ...............................................................55
17 Sequence Diagram for SetFileName Command............................................................. 56
18 Symmetric Asynchronous Intel
19 Symmetric Synchronous Intel
20 Flat Buffer Diagram..................................................................................................65
21 Buffer List Diagram ..................................................................................................65
22 NPF Copyright Notice....................................................................... .........................76
®
EP80579 Integrated Processor with Intel® QuickAssist Technology Block Diagram...39
®
EP80579 Integrated Processor Address Space ....................................................40
®
QuickAssist Technology Cryptographic API Data Flow ...... 62
®
QuickAssist Technology Cryptographic API Data Flow........ 63
Tables
1 Related Documents and Sample Code...........................................................................8
2 Reference Documents.................................................................................................8
3 Terms and Definitions................................................................................................. 8
4 Development View ...................................................................................................18
5 Deployment View.....................................................................................................19
6 Cryptographic System Resource Variables...................................................................33
7 Resource Variables.............................. .. .................................. .. ...............................33
8 QAT-AL ISR Primitives ..................... ................................. .. .. ... .................................36
9 Memory Region Definitions........................................................................................38
10 ACPI Shared RAM Methods............................................................. .. .........................40
11 Error Values for Other APIs .......................................................................................47
August 2009 PG
Order Number: 320183-004US 5
Intel® EP80579 Software for Security Applications on Intel® QuickAssist Technology
Security Software—Revision History
12 Debug APIs .............................................................................................................56
13 Cryptographic Common Interface Summary (icp_lac_cfg.h) ...........................................58
14 Cryptographic Instance Management Summary (cpa_cy_im.h) .......................................58
15 Cryptographic Symmetric Interface Summary (cpa_cy_sym.h).......................................59
16 Cryptographic Symmetric Key Interface Summary (cpa_cy_key.h)..................................59
17 Cryptographic Asymmetric Rand Interface Summary (cpa_cy_rand.h).............................59
18 Cryptographic Asymmetric RSA Interface Summary (cpa_cy_rsa.h).................................59
19 Cryptographic Asymmetric Diffie-Hellman Interface Summary (cpa_cy_dh.h) ...................59
21 Cryptographic Asymmetric Prime Interface Summary (cpa_cy_prime.h)...........................60
20 Cryptographic Asymmetric Large Numbers Interface Summary (cpa_cy_ln.h)...................60
22 Cryptographic API Status Values.................................................................................75
Revision History
Date Revision Description
August 2009 004
May 2009 003
November 2008 002
August 2008 001 Initial release of this document.
Added Note explaining cryptographic framework “shim” support (identified in “What’s New”
sections of chapters and with change bars).
The following sections were updated and noted with change bars:
• OCF shim is now supported on FreeBSD; modified Notes in Section 1.6, Section 3.3.5,
Section 12.9, and Section 12.10.
• Modified Table 7, “Resource Variables” on page 33.
•In Chapter 11.0, “Debugging Applications,” added Section 11.2.1 and Section 11.3.8.
• Deleted Resource Manager text from Section 3.6 and Section 8.3.1 (no change bars).
• Removed Software Error Notification section in Chapter 6 (no change bars).
• Other updates noted in “What’s New” sections of chapters and with change bars.
The following sections were updated and noted with change bars:
• Section 12.8.2.6: added details on key generation
• Other updates noted in “What’s New” sections of chapters and with change bars.
§ §
®
EP80579 Software for Security Applications on Intel® QuickAssist Technology
Intel
PG August 2009
6 Order Number: 320183-004US
Introduction—Security Software
1.0 Introduction
1.1 What’s New in this Chapter
Section 1.6: New Note explaining cryptographic framework “shim” support.
1.2 About this Document
The API Reference Manuals listed in Table 1 describe how the user can interface to the
®
EP80579 Software for Security Applications on Intel® QuickAssist Technology.
Intel
This document provides more information on how the APIs can be effectively used,
including an overview of the silicon, an overview of the software architecture, and
information on using the API to build an accelerated security appliance.
The following chapters are included in this document:
• Chapter 1.0, “Introduction” this chapter
• Part 1: “Architectural Overview”
— Chapter 2.0, “Silicon Overview”
— Chapter 3.0, “Software Overview”
®
— Chapter 4.0, “Intel
Overview”
— Chapter 5.0, “QAT Access Layer Architecture Overview”
— Chapter 6.0, “Debug Component Architecture Overview”
— Chapter 7.0, “ASD Module Architecture Overview”
— Chapter 8.0, “ASD Hardware Services”
• Part 2: “Using the API”
— Chapter 9.0, “Introduction to Use Cases”
— Chapter 10.0, “Programming Model”
— Chapter 11.0, “Debugging Applications”
— Chapter 12.0, “Using the Intel
— Appendix A, “NPF Copyright Notice”
QuickAssist Technology Cryptographic API Architecture
®
QuickAssist Technology Cryptographic API”
1.3 Where to Find Current Software and Documentation
The software release and associated collateral can be found on the Hardware Design
resource center.
1. In a web browser, go to http://www.intel.com/go/soc
2. For Software and pre-boot firmware: Click on “Tools & Software” tab.
3. For Documentation: Click on “Technical Documents” tab.
August 2009 PG
Order Number: 320183-004US 7
Intel® EP80579 Software for Security Applications on Intel® QuickAssist Technology
Security Software—Introduction
1.4 Related Information
Note: For convenience, in this document [GET_STARTED_GD] refers to either the Linux or
FreeBSD guide. Refer to the appropri ate gu i de fo r y o ur operating system.
Table 1. Related Documents and Sam ple Code
Ref Document Name
®
EP80579 Software for Security Applications on Intel®
[CRYPTO_API]
[GET_STARTED_GD]
[DEBUG_API]
[SAMPLE_CODE]
[OCF_CODE]
Intel
QuickAssist Technology Cryptographic API Reference Manual
®
EP80579 Software for Security Applications on Intel®
Intel
QuickAssist Technology for Linux* Getting Started Guide
®
EP80579 Software for Security Applications on Intel®
Intel
QuickAssist Technology for FreeBSD* Getting Started Guide
®
Intel
EP80579 Software on Intel® QuickAssist Technology Debug
Services API Reference Manual
After installation, sample code may be found here:
Acceleration/library/icp_crypto/look_aside_crypto/sample_code/
After installation, OCF Shim sample code may be found here:
Acceleration/shims/OCF_Shim/src/
1.4.1 Reference Documents
The following documents provide more information on certain topics beyond the scope
of this guide.
Table 2. Reference Documents
Reference Document Information
[4+1]
[NPF API]
[IA-32]
"The 4+1 View Model of Architecture" by Philippe B. Kruchten, Rational Software, Nov 1995,
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=469759
“NPF Software API Conventions Implementation Agreement”, Revision 2.0,
http://www.oiforum.com/public/documents/APIConventions2_IA.pdf
Note: See Appendix A, “NPF Copyri ght Notice” for more information.
®
64 and IA-32 Architectures Software Developer's Manuals
Intel
http://www.intel.com/products/processor/manuals/
Document
Number
320184
320182
320703
320185
N/A
N/A
1.5 Glossary
Table 3 lists the terms and acronyms used in this document.
Table 3. Terms and Definitions (Sheet 1 of 2)
Term Description
(A)RC4 Alleged RC4. A stream cipher, used in popular protocols such as SSL
ACPI Advanced Configuration and Power Interface
AES Advanced Encryption Standard
AIOC Acceleration and I/O Complex
APM Advanced Power Management
ASD Acceleration System Driver
ASU Acceleration Services Unit
®
EP80579 Software for Security Applications on Intel® QuickAssist Technology
Intel
PG August 2009
8 Order Number: 320183-004US
Introduction—Security Software
Table 3. Terms and Definitions (Sheet 2 of 2)
Term Description
CBC
CDRAM Coherent DRAM
CTR
DES Data Encryption Standard
DRAM Dynamic Random Access Memory
DSA Digital Signature Algorithm
DSS Digital Signature Standard
ECB Electronic Code Book
GbE Gigabit Ethernet
GCM Galois Counter Mode
HMAC Hashed Message Authenticate Code
IICH Integrated I/O Controller Hub
IMCH Integrated Memory Controller Hub
IPSec Internet Protocol Security
IV Initialization Vector
LA Lookaside, also called Cryptographic API
LAC Lookaside Crypto, also called Cryptographic API
MAC Me dia Access Control
MD5 Message Digest 5
MGF Mask Generation Function
NCDRAM Non-Coherent DRAM
NVRAM Non-Volatile Random Access memory
OCF OpenBSD Cryptographic Framework
OIF Optical Internetworking Forum, standards body for networking specifications
OSDRAM Operating System DRAM
PKCS Public Key Cryptography Standards
PKE Public Key Encryption
PKI Public Key Infrastructure
PRGA Pseudo-Random Generation Algorithm
QAT-AL Intel
RC4 See (A)RC4
RFC Request for Comments
RSA A public key encryption algorithm created by Rivest, Shamir, and Adleman
SHA Secure Hash Algorithm
SOC System on a chip
SSL Secure Sockets Layer
SSU Security Services Unit
TDM Time-Division Multiplexing
TLS Transport Layer Security (SSL successor)
Cipher Block Chaining mode. This is a mode of operation of a block cipher that
combines the ciphertext of one block with the plaintext of the next block.
Counter mode. This is a mode of operation of a block cipher that generates a
keystream block by encrypting successive values of a counter.
®
QuickAssist Technology Access Layer
August 2009 PG
Order Number: 320183-004US 9
Intel® EP80579 Software for Security Applications on Intel® QuickAssist Technology
1.6 Features Supported in this Release
The features provided by this software in this release are as follows:
• Acceleration of cryptographic operations using the “lookaside” model, via the
Cryptographic API. For more details, see Chapter 4.0, “Intel® QuickAssist
Technology Cryptographic API Architecture Overview.”
— Symmetric cryptographic operations supported include ciphers [AES, 3DES,
DES, (A)RC4] and message digest/hash for authentication (MD5, SHA-1, SHA-2
as well as HMAC).
— Asymmetric (public key) cryptographic operations such as modular
exponentiation to support RSA, Diffie-Hellman, DSA.
— “True” random number generation.
This allows for cryptographic protocols such as IPSec and SSL to offload computeintensive cryptographic operations, freeing up the IA core to execute higher-value
application code.
• Software is provided which adapts between the Cryptographic API and that
expected by the industry-standard OpenBSD Cryptographic Framework (OCF). This
OCF “shim” allows applications — such as Openswan* and OpenSSL* —which are
written to use the OCF APIs, to seamlessly take advantage of the cryptographic
acceleration engine.
Note: The EP80579 security software release package version 1.0.3 does not
support OpenBSD/FreeBSD Cryptographi c Framework (OCF), OCF-Linux, or
any open source projects such as Openswan*, OpenSSL*, or Racoon*. If
your application requires OCF, you must use security software package
version 1.0.2 which includes shim software to enable OCF support.
Security Software—Introduction
§ §
®
EP80579 Software for Security Applications on Intel® QuickAssist Technology
Intel
PG August 2009
10 Order Number: 320183-004US
Architectural Overview—Security Software
Part 1: Architectural Overview
This section contains the following chapters:
• Chapter 2.0, “Silicon Overview”
• Chapter 3.0, “Software Overview”
®
• Chapter 4.0, “Intel
• Chapter 5.0, “QAT Access Layer Architecture Overview”
• Chapter 6.0, “Debug Component Architecture Overview”
• Chapter 7.0, “ASD Module Architecture Overview”
• Chapter 8.0, “ASD Hardware Services”
QuickAssist Technology Cryptographic API Architecture Overview”
§ §
August 2009 PG
Order Number: 320183-004US 11
Intel® EP80579 Software for Security Applications on Intel® QuickAssist Technology
2.0 Silicon Overview
2.1 What’s New in this Chapter
No updates in this release.
2.2 High Level Overview
The Intel® EP80579 Integrated Processor is a System On a Chip (SOC), integrating the
®
Architecture core processor, the Integrated Memory Controller Hub (IMCH) and
Intel
the Integrated I/O Controller Hub (IICH) all on the same die. In addition, it has
integrated Intel
and packet processing. It also includes three gigabit Ethernet MACs, TDM interfaces,
and PCI Express. See Figure 1 for details.
• As an SOC, the EP80579 integrates the processor and chipset as follows:
— The IA-32 core is based on the Intel
1200MHz, with a 256 Kilobyte 2-way level 2 (L2) cache.
— The IMCH provides the main path to memory for the IA core and all peripher als
that perform coherent I/O (for example, the PCI express, the IICH, as well as
transactions from the Acceleration and I/O Complex to coherent memory).
— The IICH provides a set of PC platform-compatible I/O devices that include two
SATA 1.0/2.0, two USB 1.1/2.0 host controller supporting two USB ports, and
two serial 16550 compatible UART interfaces.
•The Intel
Complex (AIOC), are as follows:
— The Security Services Unit (SSU) provides acceleration of cryptographic
processing for most common symmetric cryptography (cipher algorithms such
as AES, 3DES, DES, (A)RC4, and messages digest/hash functions such as MD5,
SHA-1, SHA-2, HMAC, etc.); asymmetric cryptography (modular
exponentiation to support public key encryption such as RSA, Diffie-Hellman,
DSA); and true random number generation.
— The Acceleration Services Unit (ASU) includes packet processing acceleration
engines.
• Other components within the AIOC include:
— Three Gigabit Ethernet (GbE) media access controllers (MACs).
— Three High Speed Serial (HSS) interfaces that support up to 12 T1/E1 TDM
interfaces. These interfaces are driven by a Programmable I/O Unit (PIU). The
PIU is not part of the ASU. In Figure 1 on page 13, the PIU is shown as the TDM
Interface block.
— Although not shown explicitly in Figure 1, the AIOC also contains logic to allow
agents to access on-chip SRAM and external DRAM. Based on registers which
can be configured in the BIOS, this logic routes requests to external DRAM
either directly to the memory controller (to access non-coherent DRAM, or
NCDRAM); or through the IMCH for coherency with the IA processor’s L2 cache
(to access Coherent DRAM, or CDRAM). There is also a ring controller, which
®
QuickAssist Technology, which provides acceleration of cryptographic
®
QuickAssist T echnology components, housed in the Acceleration and I/O
Security Software—Silicon Overview
®
Pentium® M processor, and runs at 600-
®
EP80579 Software for Security Applications on Intel® QuickAssist Technology
Intel
PG August 2009
12 Order Number: 320183-004US
Silicon Overview—Security Software
provides 64 rings (circular buffers) that can be used for message passing
between software running on the IA core and firmware running on the ASU.
These features are described in detail in later sections of this document.
Figure 1. Intel® EP80579 Integrated Processor with Intel® QuickAssist Technology
Block Diagram
Acceleration
Ser v ic e s Un it
Security
Ser v ic e s Un it
(3DES, AES, (A)RC4,
MD5, SHA-x, PKE,
TRNG)
‡
‡
Local
Expansion
Bus
(16b @
80 MHz)
MDIO
(x1)
CAN
(x2)
SSP
(x1)
IEEE-1588
TDM
Interface
(12 E1/ T1)
GigE
‡
MAC
GigE
MAC
#2
#1
256 KB
ASU SRAM
Acceleration and I/O Compl ex ‡ Enabling software required.
IA Complex
IA-32 core
L2 Cache
IMCH
Transparent
PCI -to-P CI Br idge
(256 KB)
Memor y Controller HubFSB
EDMA
IICH
APIC, DMA, Timers, Watch Dog
Timer, RTC, HPET (x3)
PCI
Express
SPI
LPC1.1
SATA 2.0
(x2)
USB 2.0
(x2)
UART
GPIO
SMBus
(x2)
(x36)
(x2)
Interface
(x1)
(Gen1,
1x8, 2x4 or
2x1 root
complex)
Memor y Controller
(DDR-2 400/ 533/667/800 ,
64b with EC C)
GigE
MAC
#0
§ §
August 2009 PG
Order Number: 320183-004US 13
Intel® EP80579 Software for Security Applications on Intel® QuickAssist Technology
3.0 Software Overview
This chapter presents the high-level architecture of the Software for Intel® EP80579
Integrated Processor product line, using concepts from the "4+1 view model" of
software architecture, as described in [4+1]. These views are interpreted as follows:
• Section 3.3, “Logical View” on page 15 describes the collection of software
components in terms of their key responsibilities, interfaces, and dependencies.
• Section 3.4, “Development View” on page 17 describes the static organization of
the software in its development environment (that is, folders and files).
• Section 3.5, “Process View” on page 18 captures concurrency and synchronization
aspects of the architecture. This includes the mapping of software onto hardware,
reflecting the distributed aspect of the architecture; this is sometimes considered
part of the Physical or Deployment View.
• Section 3.6, “Deployment View” on page 18 describes the mapping of the software
into kernel modules.
• The architecture is illustrated with a few selected use cases or scenarios which
become a fifth view, the Scenario View. In this document, the Scenario View is
described in Part 2, “Using the API” on page 41.
Security Software—Software Overview
Before looking at these views, however, other concepts relevant to the architecture are
introduced:
• Section 3.2, “Shared Memory Allocation” on page 14 describes the concepts of
coherent and non-coherent DRAM.
3.1 What’s New in this Chapter
• Section 3.3.5: New Note explaining cryptographic framework “shim” support.
3.2 Shared Memory Allocation
Two regions of memory exist outside of the normal operating system DRAM, to
facilitate communications between the IA core and the EP80579 with QuickAssist
hardware. These are referred to as the coherent and non-coherent shared memory
regions.
These shared memory regions will be allocated from the available system memory,
starting at the address specified by the Top Of Low Memory (TOLM) register of the
Memory Controller Hub (MCH) downwards. The pre-boot firmware (BIOS) informs the
operating system of the location of the regions, and also configures the hardware to
properly decode the non-coherent memory space by writing the MENCBASE and
MENCLIMIT registers.
The base addresses for each of these regions will be determined by the firmware based
on available memory. Two EFI NVRAM (non-volatile RAM) v ariables are available for the
user to request a specific amount of space for each of these shared memory regions.
The firmware will make a best effort to accommodate the user’s request, but in the
®
EP80579 Software for Security Applications on Intel® QuickAssist Technology
Intel
PG August 2009
14 Order Number: 320183-004US
Software Overview—Security Software
event this is not possible, the firmware will determine the sizes of these regions and set
them accordingly. See Chapter 8.0, “ASD Hardware Services” for details on how this is
configured.
3.3 Logical View
At the highest level, the software components fall into the following “layers”, as
illustrated in Figure 2.
In this document, and for this release, only those layers highlighted in bold are
described in more detail.
Figure 2. Software for Intel
®
EP80579 Integrated Processor product line
Customer Application
OS Stack or Ecosystem Middleware Layer
Standard OS
Drivers and
PreBoot
Firmw a re
Custom Drivers
Hardw a re
Access A PIs
Hardw a re
Access
Libraries
Acceleration APIs
Acceleration Access Layer
Acceleration Firmw are La yer
Platform h ard w are
Shim Layers
Acceleration Su bsy stem
3.3.1 Acceleration Firmware Layer
This layer of the architecture is for firmware which runs on the ASU.
The only firmware running at this layer in this software release is the firmware driver
for the SSU, which runs on the ASU. This firmware is provided in binary format.
3.3.2 Acceleration Access Layer and Acceleration APIs
This layer of software runs on the IA core. It implements the configuration and control
of the Acceleration Firmware layer running on the ASU, and provides an Application
Programming Interface (API) for the rest of the system to interface with the
acceleration firmware.
Acceleration
System Driver
Infrastructure
Figure 3 shows the different components at this layer. The APIs are also shown to
highlight the mapping between APIs and the corresponding acceleration libraries.
August 2009 PG
Order Number: 320183-004US 15
Intel® EP80579 Software for Security Applications on Intel® QuickAssist Technology
Figure 3. Acceleration Access Layer and Acceleration APIs
Security Software—Software Overview
Cryptographic
(LAC) API
Lookaside
Crypto Access
Layer
QAT- AL
Infra stru ctu re
DCC
API
Debug
Infrastructure
The software components at this layer in the current release are as follows:
• Lookaside Crypto Access Layer: This component implements the Cryptographic API
(shown as LAC API in Figure 3). It manages the exchange of data and messages
between the Cryptographic API and the SSU driver firmware running on the ASU.
See Chapter 4.0, “Intel® QuickAssist Technology Cryptographic API Architecture
Overview” for more details.
• QAT Access Layer: This component implements the configuration and control of the
SSU driver firmware running on the ASU. It also provides an interface for the
Lookaside Crypto Access Layer to communicate with the SSU driver firmware. See
Chapter 5.0, “QAT Access Layer Architecture Overview” for more details.
• Debug Infrastructure: This component provides access to data which can be used
to help debug an application running on EP80579 with QuickAssist. It allows
version information to be queried, “liveness” of components to be polled, data
dumps to be generated which can be analyzed offline, and other debug-related
features. See Chapter 6.0, “Debug Component Architecture Overview” for more
details.
Note: The Data Dump feature is not supported in the current software release.
Most of the layers above also provide APIs. These are described in more detail in the
chapters which comprise Par t 2: “Using the API” on page 41.
3.3.3 Infrastructure
This layer consists of the following components:
• The Hardware Services Layer (HSL) component manages the low-level hardware
blocks required for communication with the ASU. This also provides an interface for
exchanging messages with the ASU via rings.
• The Operating System Abstraction Layer (OSAL) component provides OS-specific
services. It is used by many of the components to remove their dependency on a
particular OS and allow for easier porting to new OSes.
3.3.4 Acceleration System Driver (ASD)
The ASD is a system device driver which is responsible for loading firmware and
configuring all the components that comprise the EP80579 security software. It
initializes the Cryptographic API Library, providing it with all necessary information
about the enumeration of the Acceleration Services Unit and any Access libr ary specific
®
EP80579 Software for Security Applications on Intel® QuickAssist Technology
Intel
PG August 2009
16 Order Number: 320183-004US
Software Overview—Security Software
configuration parameters for example number of sessions to be supported, buffer pool
sizes, and so on. See Chapter 7.0, “ASD Module Architecture Overview” for more
details.
3.3.5 Shim Layers
Note: The EP80579 security software release package version 1.0.3 does not support
OpenBSD/FreeBSD Cryptographic Framework (OCF), OCF-Linux, or any open source
projects such as Openswan*, OpenSSL*, or Racoon*. If your application requires OCF,
you must use security software package version 1.0.2 which includes shim software to
enable OCF support.
This layer is intended for components which adapt, or “shim”, between the API pro vided
by EP80579 security software’s Acceleration API and that expected by industrystandard frameworks.
In this release, the only component in this layer is the OCF shim, which allows the
lookaside crypto acceleration engine to be plugged in underneath the OpenBSD*/
FreeBSD* Cryptographic Framework (OCF). OCF is a service virtualization layer that
facilitates asynchronous access to cryptographic hardware accelerators. OCF-Linux is a
port of this framework to Linux. It enables cryptographic acceleration in the
Openswan* and OpenSSL* software suites.
A driver has been created which enables the Cryptographic API features to be accessed
via OCF. All operations supported by OCF today are accelerated. Specifically, the
following operations provided by OCF are accelerated by the OCF shim:
• Symmetric/Secret Key Crypto
— Ciphers/Modes: NULL_CBC, DES_CBC, 3DES_CBC, AES_CBC, ARC4
— Hash/Message Digest Functions: MD5, MD5_HMAC, SHA1, SHA1_HMAC,
SHA2_256, SHA2_256_HMAC, SHA2_384, SHA2_384_HMAC, SHA2_512,
SHA2_512_HMAC
—Chained Algorithms
• Asymmetric/Public Key Crypto
— Diffie-Hellman: DH_COMPUTE_KEY
— RSA: MOD_EXP, MOD_EXP_CRT
— DSA: DSA_SIGN, DSA_VERIFY
•Random Number Generation
See the [GET_STARTED_GD] for your operating system for detailed information.
Further information on OCF-Linux can be found here: http://ocf-linux.sourceforge.net
3.4 Development View
Table 4 describ es the mapping between the software components described in
Section 3.3, “Logical View” on page 15, and the files and directories (folders) in which
they can be found.
August 2009 PG
Order Number: 320183-004US 17
Intel® EP80579 Software for Security Applications on Intel® QuickAssist Technology
Table 4. Development View
Software Component Directory
OCF Shim Acceleration/shims/OCF_Shim
Acceleration System Driver Acceleration/drivers/icp_asd
Lookaside Crypto Access Layer Acceleration/library/icp_crypto/look_aside_crypto
QAT Access Layer Acceleration/library/icp_crypto/QATAL
Debug Infrastructure Acceleration/library/icp_debug/DCC
Management Interface Module Acceleration/library/icp_debug/MIL
Hardware Abstraction Layer
(part of Hardware Services Layer)
Operating System Abstraction Layer Acceleration/library/icp_utils/OSAL
Firmware Driver for SSU Acceleration/firmware
3.5 Process View
This section describes the context in which the EP80579 security software code is
executed, which is important in terms of understanding concurrency, or where locking
may be required, for example.
Security Software—Software Overview
Acceleration/library/icp_services/RuntimeTargetLibrary
Code which implements the Acceleration APIs is library code, and is executed in the
context of whatever thread or interrupt context from which it is called. All of the
EP80579 security software APIs document the context in which they can be called,
specifically whether they may sleep and therefore are suitable for calling in a context
which may not sleep, such as ISRs or certain types of "bottom halves" including softirq
and tasklet. They also document whether they are thread-safe. Table 1, “Related
Documents and Sample Code” on page 8 lists the API documentation supported in this
release.
The remainder of EP80579 security software code runs in a well-defined context,
whether it is process context or some form of interrupt context as described below.
• Interrupt handlers are registered for all interrupts from devices managed by
EP80579 security software, specifically the GbE MACs, and the ring controller on
the ASU. This code runs in the ISR (interrupt top half) context.
• Many of the Acceleration APIs support one or both of asynchronous and
synchronous modes.
— In asynchronous mode: when the request has been carried out on the SSU, a
“function completion callback” is typically invoked in a non-sleeping bottom half
context (specifically, a tasklet, on Linux). For more on this topic, see
Section 10.0, “Programming Model” on page 43.
— In synchronous mode: when the request has been sent to the SSU, the calling
thread is blocked, pending on a wait queue. When the response is received
from the SSU, the calling thread is de-queued, and thereby unbocked.
3.6 Deployment View
Table 5 describes the mapping between the software components described in
Section 3.3, “Logical View” on page 15, and the kernel modules that are created by the
build system.
®
EP80579 Software for Security Applications on Intel® QuickAssist Technology
Intel
PG August 2009
18 Order Number: 320183-004US
Software Overview—Security Software
Table 5. Deploymen t View
Kernel Module Component
icp_asd.ko Acceleration System Driver
icp_crypto.ko
icp_debug.ko Debug Infrastructure
icp_debugmgmt.ko
icp_hal.ko Hardware Abstraction Layer
icp_ocf.ko OCF Shim
Lookaside Crypto Access Layer
QAT Access Layer
Management Interface Module
Note: This is an optional kernel module, needed only if you are using the
debugmgr command line utility described in Chapter 11.0,
“Debugging Applications.”
§ §
August 2009 PG
Order Number: 320183-004US 19
Intel® EP80579 Software for Security Applications on Intel® QuickAssist Technology
Security Software—Intel® QuickAssist Technology Cryptographic API Architecture Overview
4.0 Intel® QuickAssist Technology Cryptographic API Architecture Overview
4.1 What’s New in this Chapter
No updates in this release.
4.2 Feature List
The Intel® QuickAssist Technology Cryptographic API comprises two broad feature
areas in its API, they are the symmetric operations API and the public key cryptography
API.
4.2.1 Symmetric Operations
4.2.1.1 Cipher
EP80579 security software supports the following Cipher algorithms:
• AES (128-bit/192-bit/256-bit key size) in ECB, CBC and CTR modes. Block size for
data is 16 byte blocks.
• 3DES (192-bit key size) in ECB and CBC and CTR mode. Block size for data is
8bytes.
• DES (64-bit key size) in ECB and CBC mode. Block size for data is 8 bytes.
• ARC4 (stream cipher)
• NULL cipher with a minimum block size of 8 bytes
4.2.1.2 Hash/Authentication
EP80579 security software supports the following Hash/Authentication algorithms:
• Secure Hash Algorithm SHA-1, SHA-224/256/384/512.
• Authentication algorithms for Secure Hash supported HMAC-SHA-1, HMAC-SHA224/256/384/512
• Message Digest 5 (MD5) and HMAC-MD5
• Advanced Encryption Standard (AES) using 96-bit key in AES-XCBC mode to
produce AES-XCBC-MAC-96.
4.2.1.3 Partial Packets for Cipher and Hash/Authentication Commands
A partial packet is defined as a portion of a full packet. The caller issues a separate
request for each portion (partial packet) of the full packet. The size of data sent must
be a multiple of the underlying algorithm block size for cipher and hash requests except
for the final hash partial packet in which padding will be applied if it is not a block size.
The final result following completion of all the portions is equivalent to the case where
®
EP80579 Software for Security Applications on Intel® QuickAssist Technology
Intel
PG August 2009
20 Order Number: 320183-004US
®
Intel
QuickAssist Technology Cryptographic API Architecture Overview—Security Software
the operation is performed over the full packet in a single request. Partial-packet
support is provided for Lookaside Cipher and Hash/Authentication commands only.
Partial-packet support is not provided for any other commands.
The authentication result is not available until after the “final” operation has completed.
The user provided callback will be called in all the cases.
From a user’s perspective, partial packets allow the client to send data to be processed
when they receive it instead of buffering up an entire message. For example, consider
the scenario where a digest needs to be created across gigabytes of data which is being
accessed over a network interface. Rather than copying the entire data set to the
platform, then performing a hash operation across all of the data, the client application
could optimize this process by transferring blocks which are optimal for the network
interface, then sending these chunks to the Lookaside security service for processing as
they are received. This results in higher performance as the acceleration is being
utilized while the transfers are being processed.
4.2.1.4 Out-Of-Place Operation Support
An Out-of-Place operation is when the result of a symmetric operation is written to the
destination buffer. The destination buffer is a different physical location than the source
buffer.
Note: In the current release, Out-of-Place operations are supported for full packets only.
4.2.1.5 Combined Cipher Hash Commands (Algorithm-Chaining)
Chained commands perform a cipher and a hash/authentication operation on the same
input data. These commands are provided to allow more-optimal overall performance
by minimizing the number of memory reads/writes for applications that require both
cipher and hash/authentication operations on the same data. Only standard Cipher and
Standard Hash/Authentication can be chained.
The algorithms mentioned in the Cipher and Hash/Authentication sections can be
placed in any combination of one standard cipher and one standard hash / authenticate
command. Combined Cipher and Hash Commands do not support partial packets.
When performing an authentication/hash prior to a cipher operation using the
combined Cipher-Hash feature, the resultant MAC/digest produced by the
authentication/hash cannot be included in the same cipher operation. The result of the
authentication/hash operation will not be available for the cipher portion of the
operation. This makes this feature unsuitable for SSL type authenticate-then-encrypt
operations, where the MAC is included in the encryption.
4.2.1.6 Authenticated-Enc ryption Commands
Authenticated-Encryption commands perform chained cipher-and-authenticate
operations. As in the case of other chained operations, these commands are provided
to allow more-optimal overall performance by minimizing the number of memory
reads/writes for applications that require both cipher and authentication operations on
the same data.
The following Authenticated-Encryption algorithms are supported:
• AES algorithm in Galois/Counter mode (GCM)
• AES algorithm in Counter with CBC-MAC mode (CCM)
No partial packet support is provided for authentication encryption commands.
August 2009 PG
Order Number: 320183-004US 21
Intel® EP80579 Software for Security Applications on Intel® QuickAssist Technology
Security Software—Intel® QuickAssist Technology Cryptographic API Architecture Overview
4.2.1.7 Key Generation
EP80579 security software supports the following Key Generation operations:
•SSL/TLS Key Generation
•MGF Mask Generation
4.2.2 Random Number
EP80579 security software supports the following Random Number operations:
• Random Data Generation
• Random Data Generator Seed (performed automatically by the hardware)
4.2.3 Public Key Operations
4.2.3.1 Diffie-Hellman
EP80579 security software supports the following Diffie-Hellman operations:
• Public/Private Key Generation (for Diffie-Hellman phase 1)
• Shared Secret Key Generation (for Diffie-Hellman phase 2)
4.2.3.2 RSA
EP80579 security software supports the following RSA operations:
•RSA Key Generation
•RSA Encryption/Decryption
• RSA Signature Generation/Verification
4.2.3.3 DSA
EP80579 security software supports the following DSA operations:
• DSA P, G and Y parameter generation.
• DSA Signature Generation/Verification
4.2.3.4 Prime Number
EP80579 security software supports the following prime number operations:
• Prime Number Tests (using GCD, Miller-Rabin, Lucas and Fermat)
4.2.3.5 Large Number
EP80579 security software supports the following large number operations:
• Modular Exponentiation
•Modular Inversion
4.3 Intel® QuickAssist Technology Cryptographic API Documentation
Refer to [CRYPTO_API] for more information about the Intel® QuickAssist Technology
Cryptographic API.
®
EP80579 Software for Security Applications on Intel® QuickAssist Technology
Intel
PG August 2009
22 Order Number: 320183-004US
®
Intel
QuickAssist Technology Cryptographic API Architecture Overview—Security Software
4.4 Lookaside Security Algorithms High Level Overview
The following sections provide a high level overview of the algorithms supported by the
Cryptographic API library. It details the algorithms and tries to pull out key details of
the computations. For the reader who wants to get further details or specifics, it is
recommended to reference the relevant RFC.
4.4.1 Lookaside Symmetric Overview
A block cipher is a symmetric key cipher that operates on fixed-length groups of bits,
termed blocks, with an unvarying transformation. When encrypting, a block cipher
might take a (for example) 128-bit block of plaintext as input, and output a
corresponding 128-bit block of ciphertext. The exact transformation is controlled using
a second input — the secret key . Decryption is similar; the decryption algorithm takes a
128-bit block of ciphertext together with the secret key, and yields the original 128-bit
block of plaintext.
To encrypt messages longer than the block size (128 bits in the above example), a
mode of operation is used.
The simplest of the encryption modes is the electronic codebook (ECB) mode, in
which the message is split into blocks and each is encrypted separately, as shown in
Figure 4. The disadvantage of this method is that identical plaintext blocks are
encrypted to identical cipher text blocks; it does not hide data patterns. Thus, in some
senses it doesn't provide message confidentiality at all, and is not recommended for
cryptographic protocols.
Figure 4. Electronic Codebook (ECB) Mode
Plaintext block [0]
(64/128 bits)
Key
(64 bits for DE S
128, 192 and
256 bits for
AES)
Encryption
Ciphertext block
[0]
(64/128 bits)
In cipher-block chaining (CBC) mode, each block of plaintext is XORed with the
previous ciphertext block before being encrypted, as shown in Figure 5. This way, each
ciphertext block is dependent on all plaintext blocks up to that point.
Key
(64 bits for DES
128, 192 and
256 bits for
AES)
Plaintext blo ck [1]
(64/128 bits)
Encryption
Ciphertext block
[1]
(64/128 bits)
August 2009 PG
Order Number: 320183-004US 23
Intel® EP80579 Software for Security Applications on Intel® QuickAssist Technology
Loading...