Open jeff-zheng-silc opened 1 year ago
@jdschuet could you please help here on the LKCF ?
You have highlighted the primary reason we do not have AES-GCM support in the LKCF - modern Xeon processors provide very good performance utilizing the AESNI instructions. Due to this, we have not prioritized the upstreaming of AES-GCM into LKCF.
Currently QAT only have AES-CBC enabled for the kernel LKCF. Would it be possible to add AES-GCM support as well?
cat /proc/crypto | grep qat
driver : qat-dh module : intel_qat driver : qat-rsa module : intel_qat driver : qat_aes_cbc_hmac_sha512 module : intel_qat driver : qat_aes_cbc_hmac_sha256 module : intel_qat driver : qat_aes_cbc_hmac_sha1 module : intel_qat driver : qat_aes_xts module : intel_qat driver : qat_aes_ctr module : intel_qat driver : qat_aes_cbc module : intel_qat
We understand modern Xeon processor have very good performance using the AESNI instruction sets. However on the Deverton C3000 SoC devices, the performance of AESNI based AES-GCM performance is still limited. We are seeing with software only the IPSec performance is only around 300-400 Mbps for AES-GCM. By using QAT through the LKCF, we can have around 1.5Gbps IPSec with AES-CBC. So we believe by enable AES-GCM in LKCF QAT driver, much better IPSec performance can be achieved.