Hardware-based Acceleration for SM Algorithms
Kunpeng processors support SM cryptographic algorithms, including SM2, SM3, and SM4, for hardware-based encryption and decryption. This section describes how to use SM algorithms in cVMs.
Constraints
- virtCCA hardware-based acceleration with SM algorithms does not support stage 1 SMMU.
- The SMMU must be enabled in the BIOS. For details, see 2.
Importing the KAE License File
- Log in to the iBMC and choose > .
If no license is imported, Disabled is displayed for Kunpeng accelerator SEC Function, Kunpeng accelerator HPRE Function, Kunpeng accelerator RDE Function, and Kunpeng accelerator ZIP Function. To apply for a TEE license file, contact the Huawei service owner.
- Click Install and select the obtained KAE license file.
After the KAE license file is imported, the KAE feature enters the Enabled state and the license expiration date is displayed.
Compiling the Accelerator Driver
- Obtain the guest OS code.
- Compile the kernel.
make Image -j64
- After the compilation is complete, obtain the uacce.ko file from the drivers/misc/uacce directory and run the scp command to transfer the file to the VM.
scp uacce.ko root@xx.xx.xx.xx:/home/run
Replace the example IP address with the actual VM IP address.
Enabling the KAE in a VM
Modify the XML file of the started VM by following instructions in Starting a VM.
Change <qemu:arg value='tmm-guest,id=tmm0,sve-vector-length=128,num-pmu-counters=1'/> to <qemu:arg value='tmm-guest,id=tmm0,sve-vector-length=128,num-pmu-counters=1,kae=4'/>.
In kae=4, 4 indicates the number of VFs connected to the cVM. The value ranges from 0 to 11. Each VM can be connected to a maximum of 11 VFs and each physical machine supports a maximum of 48 VFs connected to VMs.
Compiling and Deploying the KAE Driver
- Pull the code.
git clone https://gitee.com/openeuler/virtCCA_driver.git
- Switch to the virtCCA_driver directory and perform the compilation.
cd virtCCA_driver && make
- Switch to the kae_driver directory, find hisi_plat_qm.ko, hisi_plat_sec.ko, and hisi_plat_hpre.ko, and run the scp command to upload them to the VM.
cd kae_driver scp hisi_plat_qm.ko root@xx.xx.xx.xx:/home/run scp hisi_plat_sec.ko root@xx.xx.xx.xx:/home/run scp hisi_plat_hpre.ko root@xx.xx.xx.xx:/home/run
Replace the example IP address with the actual VM IP address.
- Load the qm, sec, and hpre drivers in sequence.
Before performing this step, ensure that uacce.ko has been loaded.
insmod hisi_plat_qm.ko insmod hisi_plat_sec.ko insmod hisi_plat_hpre.ko
- Check whether the drivers have been registered with UACCE.
ll /sys/class/uacce/
Deploying the UADK
- Install the dependencies.
yum install gcc make kernel-devel libtool numactl-devel openssl-devel chrpath
If the OpenSSL version is 1.1.1 or later, use yum to install openssl-devel. To test the SM2 algorithm, choose OpenSSL 1.1.1.
- Pull the KAE code from the cVM.
git clone -b v2.0.3 https://gitee.com/kunpengcompute/KAE.git
KAE v2.0.3 does not support switchover to another OpenSSL version. To change the OpenSSL version, manually obtain the latest KAE code.
git clone -b kae2 https://gitee.com/kunpengcompute/KAE.git && cd KAE && git checkout f3712fa
- Perform the compilation and installation.
sh build.sh uadk sh build.sh engine
- Run the script to perform the test and generate the res.txt file.
export OPENSSL_ENGINES=/usr/local/lib/engines-1.1 sh KAE/KAEOpensslEngine/test/perf_test/openssl_perf.sh
To test the SM2 algorithm, run the following command to modify the test script to specify the packet length.
- Open the openssl_perf.sh file.
vim KAE/KAEOpensslEngine/test/perf_test/openssl_perf.sh
- Press i to enter the insert mode. In the SM2 algorithm test function function RSA_SYNC(), change the following content
SPEED=`taskset -c 0-63 $EXE speed -engine $ENGINE_NAME -elapsed -multi $MULTT I $ALG | tail -n 1 ` #hard
To:
SPEED=`taskset -c 0-63 $EXE speed -engine $ENGINE_NAME -elapsed -bytes 512 -multi $MULTT I $ALG | tail -n 1 ` #hard
- Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
- Open the openssl_perf.sh file.