QTLS: High-Performance TLS Asynchronous Offload Framework with Intel® QuickAssist Technology

QTLS is a high-performance TLS asynchronous offload framework based on Intel® QuickAssist Technology (QAT) accelerator to achieve efficient TLS offloading for the event-driven web architecture (e.g., Nginx).

QTLS re-engineers the TLS software stack to enable the asynchronous support for crypto operations in all the layers. The TLS offloading is divided into four phases: pre-processing, QAT response retrieval, async event notification and post-processing. In the pre-processing phase, the offload jobs are paused after crypto submission to return control to the application process. When QAT responses for crypto results are retrieved, the application process is notified by async events to resume the paused offload jobs and begin the post-processing phase. In this novel framework, CPU resources are fully utilized to handle concurrent connections. Multiple crypto operations from different TLS connections can be offloaded concurrently in one process/thread, which greatly increases the utilization of the parallel computation engines inside the QAT accelerator. To further enhance performance, QTLS is built with a heuristic polling scheme that leverages the application-level knowledge to achieve efficient and timely QAT response retrieval, and a kernel-bypass notification scheme that introduces an application-defined async queue to avoid expensive switches between user mode and kernel mode while delivering async events.

More details can be found in our PPoPP-2019 paper with the same title.

Notice:

• This artifact only covers the asynchronous offload mode and the heuristic polling scheme currently, which are also available as open source in Github. That's to say, only four configurations (SW, QAT+S, QAT+A and QAT+AH) can be evaluated with this artifact.
• The kernel-bypass notification scheme needs patches for QAT Engine, OpenSSL and Nginx, which are not fully prepared for open source currently.
• It's recommended to refer to our Github repositories for latest codes and guidelines.
  • Intel® QuickAssist Technology(QAT) OpenSSL Engine: https://github.com/intel/QAT_Engine/
  • Intel® QuickAssist Technology (QAT) Async Mode Nginx: https://github.com/intel/asynch_mode_nginx

Hardware requirements:

• Two physical servers (one as the tested server and one as the client)
• one of following acceleration devices installed in the tested server:
  • Intel® Xeon® with Intel® C62X Series Chipset
  • Intel® Communications Chipset 8925 to 8955 Series
  • Intel® Communications Chipset 8900 to 8920 Series

Software dependencies:

• GNU C Library version 2.23 or later
• OpenSSL 1.1.0e or later
• Validated in CentOS 7.3 with kernel 3.10.

Installation instructions for the tested server:

1. Intel QAT Driver
   • download newest driver and guideline from the QAT website: https://01.org/zh/packet-processing/intel®-quickassist-technology-drivers-and-patches
   • install driver according to the guideline
2.  OpenSSL (1.1.0e or later)
   • download from OpenSSL official site or Github
   • install openssl
3. QAT Engine
   • download from this artifact or from the corresponding Github repository
   • install QAT Engine and configure qat service according to its README
4. Async Mode Nginx
   • download from this artifact or from the corresponding Github repository
   • install Async Mode Nginx according to its README

Evaluation:

• Start Nginx in the tested server (modify Nginx conf file for different configurations, refer to the README of Async Mode Nginx for more details)
• Launch benchmarks (e.g., OpenSSL s_time, Apachebench) in the client server to evalute the TLS performance of the running Nginx in the tested server. Multiple benchmark processes may be needed to fully load the running Nginx.