Exploitation of In-Core Acceleration of POWER Processors for AIX

By Xinya Wang posted Thu February 18, 2021 01:46 PM

  

Secure computing is of growing interest to computer users. The AIX Operating System supports a number of security technologies, including the Encrypted File System (EFS), Internet Protocol Security (IPSec) and, most recently, Logical Volume Encryption (LV-Encryption, released in AIX 7.2.5). All of these use the Advanced Encryption Standard (AES) symmetric-key algorithm for bulk data encryption. System performance can benefit from off-loading the expensive cryptographic operations to on-chip accelerators, or from using the newer in-core crypto processor instructions to accelerate these functions. These hardware accelerators can greatly reduce CPU utilization and improve the performance of AIX applications that use crypto features.

Nest Accelerator (NX) and In-Core Acceleration

IBM POWER7+ is the first POWER processor to include a Nest Accelerator (NX) for symmetric (shared-key) cryptography. The accelerators are shared among the logical partitions (LPARs) under the control of the PowerVM Hypervisor and are accessed via Hypervisor calls. The internal NX crypto API calls require extra pages of memory to perform the relevant Hypervisor calls, so the overhead of an NX call makes it suitable only for large data sizes. A tuning parameter (min_sz) gates the minimum data size at which the NX accelerator is used.

The POWER8 processor provides a new set of VMX/VSX in-core symmetric cryptographic instructions aimed at improving the performance of various crypto operations. In most circumstances the in-core crypto instructions give better performance, with lower latency and no extra page requirements. To use the in-core crypto instructions in the kernel, there is a small amount of overhead to save and restore the vector register contents.

Advance Crypto Facility (ACF) in AIX

Advance Crypto Facility (ACF) is the AIX cryptographic framework that provides crypto services (APIs) for kernel and user-space applications. It implements all the supported crypto algorithms in software; these software implementations can be replaced by other crypto providers, such as crypto cards and hardware accelerators, when the respective hardware acceleration is enabled. Hardware acceleration is used in a manner that is transparent to the callers.

The ACF kernel services are implemented in the pkcs11 device driver (kernel extension), which provides services for other kernel subsystems such as EFS, IPSec and LV-Encryption. User-space applications can also use the ACF kernel services by calling the AIX PKCS #11 subsystem library (/usr/lib/pkcs11/ibm_pkcs11.so).

The acfo Command

The acfo command can be used to display or modify the Advance Crypto Facility (ACF) tunables. The ACF tunables are used by the pkcs11 device driver to determine whether NX or In-Core crypto acceleration should be used in the ACF kernel services. The pkcs11 device driver must be active while the acfo command is run.

Syntax of acfo

acfo [-d] | [-d -t <tunable_name>]

acfo -R

acfo -r <tunable_name>

acfo -p [-R | -r -t <tunable_name>] | [-t <tunable_name>=<value>]

acfo -t <tunable_name>=<value>

acfo [-h] | [-h -t <tunable_name>]

Tunable Parameters of acfo

Item              Description

nx_enabled        Value 1 enables ACF NX crypto acceleration; value 0 disables it.
                  If in_core_enabled is 1, NX crypto acceleration is disabled.

min_sz            Minimum data size (in bytes) suitable for ACF NX crypto acceleration.
                  Any request smaller than the minimum uses the software implementation instead.
                  This tunable applies to NX acceleration only.

in_core_enabled   Value 1 enables In-Core crypto acceleration; value 0 leaves it disabled.
                  This tunable takes precedence over nx_enabled.

Examples of acfo

  1. To display all ACF tunables (name and current value):

# acfo -d
nx_enabled              : 1.
min_sz                  : 1024.
in_core_enabled         : 0.

  2. To enable In-Core crypto acceleration persistently:

# acfo -p -t in_core_enabled=1

 

Currently, AES is the only encryption algorithm supported by NX and In-Core acceleration in the pkcs11 kernel extension.

NX acceleration is supported on POWER7+ and later processors; In-Core acceleration is supported on POWER8 and later. Crypto acceleration cannot be turned on if the processor does not support it.

Persistent tunable values are stored in the ODM database and read by the pkcs11 device driver at load time to initialize the tuned values.
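The tunable precedence described in the table above (in_core_enabled overrides nx_enabled, and min_sz gates only the NX path) can be checked against the output that acfo -d prints. The following POSIX shell script is an added example, not code from the original post or from AIX: it parses the "name : value." lines shown in the acfo -d example, predicts which path the pkcs11 kernel extension takes for an AES request of a given size, and offers a simple audit that tells you whether any hardware path is enabled at all. The sample output, the function names and the ACF_SAMPLE variable are constructed for the example.

```shell
#!/bin/sh
# Added example: interpret `acfo -d` output using the tunable semantics from the post.
#   in_core_enabled=1               -> In-Core instructions (NX is disabled)
#   nx_enabled=1 and size >= min_sz -> NX accelerator
#   otherwise                       -> ACF software implementation

# Constructed sample in the same layout as the `acfo -d` example above.
# On a real AIX system feed the functions with the live output:  acfo -d | acf_effective_path 4096
ACF_SAMPLE='nx_enabled              : 1.
min_sz                  : 1024.
in_core_enabled         : 0.'

# acf_get_tunable NAME : read "name : value." lines on stdin and print NAME's value.
# Returns 1 if the tunable is not present in the output.
acf_get_tunable() {
    want=$1
    while IFS= read -r line; do
        name=$(printf '%s' "$line" | sed 's/[[:space:]]*:.*$//')
        [ "$name" = "$want" ] || continue
        # value is everything after the colon, minus the trailing '.'
        printf '%s' "$line" | sed 's/^[^:]*:[[:space:]]*//; s/\.[[:space:]]*$//'
        return 0
    done
    return 1
}

# acf_effective_path SIZE_BYTES : `acfo -d` output on stdin; prints in-core | nx | software
acf_effective_path() {
    size=$1
    out=$(cat)   # read stdin once so each lookup can rescan the same text
    in_core=$(printf '%s\n' "$out" | acf_get_tunable in_core_enabled) || in_core=0
    nx=$(printf '%s\n' "$out" | acf_get_tunable nx_enabled) || nx=0
    min_sz=$(printf '%s\n' "$out" | acf_get_tunable min_sz) || min_sz=0
    if [ "$in_core" = 1 ]; then
        echo in-core          # min_sz does not apply to the In-Core path
    elif [ "$nx" = 1 ] && [ "$size" -ge "$min_sz" ]; then
        echo nx
    else
        echo software
    fi
}

# acf_check_acceleration : exit 0 if NX or In-Core is enabled, 1 if every request
# would fall back to software (handy as a post-reboot check after `acfo -p -t ...`)
acf_check_acceleration() {
    out=$(cat)
    in_core=$(printf '%s\n' "$out" | acf_get_tunable in_core_enabled) || in_core=0
    nx=$(printf '%s\n' "$out" | acf_get_tunable nx_enabled) || nx=0
    [ "$in_core" = 1 ] || [ "$nx" = 1 ]
}

# Stand-alone demonstration on the constructed sample: a request below min_sz
# and one above it take different paths.
for sz in 512 4096; do
    printf '%s bytes -> %s\n' "$sz" "$(printf '%s\n' "$ACF_SAMPLE" | acf_effective_path "$sz")"
done
```

With the sample values (nx_enabled=1, min_sz=1024, in_core_enabled=0) a 512-byte request is reported as software and a 4096-byte request as nx; setting in_core_enabled to 1 in the input makes every size report in-core, which is the precedence rule the table states.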

Note

It is strongly recommended that administrators do not turn NX or In-Core acceleration on or off while accelerated crypto operations are in progress in the kernel. Instead, make the change permanent using the -p parameter of the acfo command, then reboot the system for the change to take effect.
