Features/VirtioCrypto

From QEMU
The virtio crypto device is a virtual crypto device that acts as a
virtual hardware accelerator for virtual machines. Encryption and
decryption requests are placed in the data queue and are handled by the
host's cryptodev backend, which may in turn hand them to a real crypto
accelerator. The second queue is the control queue, used to create or
destroy sessions for symmetric algorithms and, in the future, to control
some advanced features. Because a session is created by passing the key
to the host through the control queue, the hypervisor and its backend
see every key used through this device; offloading only makes sense for
a guest that already trusts its host. The virtio crypto device provides
the following crypto services: CIPHER, MAC, HASH, AEAD, etc.
 
== Feature maintainers ==
Gonglei: <arei.gonglei@huawei.com>


==Code==
* Virtio-crypto specification: [https://github.com/gongleiarei/virtio Gonglei's virtio.git]
* Virtio-crypto linux driver: [https://github.com/gongleiarei/virtio-crypto-linux-driver Gonglei's virtio-crypto-linux-driver.git]
* QEMU: [https://github.com/gongleiarei/qemu/tree/virtio-crypto Gonglei's qemu.git]
* Cryptodev-linux: [http://cryptodev-linux.org/ Cryptodev-linux's website] Cryptodev-linux is implemented as a standalone module that requires no dependencies other than a stock Linux kernel.


==Quickstart==
'''Host:'''
* Step 1: Build QEMU with '''gcrypt''' or '''nettle''' cryptography support. The builtin cryptodev backend used in Step 2 runs the cipher operations through QEMU's own crypto layer, which is backed by one of these libraries, so check that the configure summary reports gcrypt or nettle as enabled (pass --enable-gcrypt or --enable-nettle to be explicit) before running make.
   $ git clone -b virtio-crypto https://github.com/gongleiarei/qemu
   $ cd qemu
   $ ./configure --target-list=x86_64-softmmu
   $ make


* Step 2: Start QEMU with the following parameters (the device only appears in the output of qemu-system-x86_64 -device help when the build includes virtio-crypto):
   $ qemu-system-x86_64 \
     [...] \
         -object cryptodev-backend-builtin,id=cryptodev0 \
         -device virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 \
     [...]


'''Guest:'''
* Step 1: get the newest virtio-crypto Linux driver, which has been merged into the Linux master tree (Linux 4.10 and later, under drivers/crypto/virtio). When configuring the kernel, enable CONFIG_CRYPTO_DEV_VIRTIO so that the virtio_crypto module is built.
   $ git clone https://github.com/torvalds/linux.git
   $ cd linux
   $ make; make modules_install; make install
   $ reboot; # with the newest linux kernel
After rebooting, confirm that the driver has bound to the device before testing: /proc/crypto should list cbc(aes) with driver virtio_crypto_aes_cbc.
* Step 2: use cryptodev-linux to test the crypto functions

==Testing==
Use the cryptodev-linux module to test the crypto functions in the guest.
   $ git clone https://github.com/cryptodev-linux/cryptodev-linux.git
   $ cd cryptodev-linux
   $ make; make install
   $ insmod cryptodev.ko
   $ cd tests
   $ make
   $ ./cipher -
   requested cipher CRYPTO_AES_CBC, got cbc(aes) with driver virtio_crypto_aes_cbc
   AES Test passed
   requested cipher CRYPTO_AES_CBC, got cbc(aes) with driver virtio_crypto_aes_cbc
   requested cipher CRYPTO_AES_CBC, got cbc(aes) with driver virtio_crypto_aes_cbc
   Test passed
The "got cbc(aes) with driver virtio_crypto_aes_cbc" lines are the check that matters: the kernel crypto API selects the highest-priority implementation registered for an algorithm name, so if a software or CPU-instruction implementation outranks virtio_crypto in the guest, the test still passes but nothing is offloaded to the device.

A simple benchmark with the cryptodev-linux speed test (synchronous encryption in the guest and no hardware accelerator on the host, so the builtin backend does the work in host software):
   $ ./speed
   Testing AES-128-CBC cipher:
         Encrypting in chunks of 512 bytes: done. 85.10 MB in 5.00 secs: 17.02 MB/sec
         Encrypting in chunks of 1024 bytes: done. 162.98 MB in 5.00 secs: 32.59 MB/sec
         Encrypting in chunks of 2048 bytes: done. 292.93 MB in 5.00 secs: 58.58 MB/sec
         Encrypting in chunks of 4096 bytes: done. 500.77 MB in 5.00 secs: 100.14 MB/sec
         Encrypting in chunks of 8192 bytes: done. 766.14 MB in 5.00 secs: 153.20 MB/sec
         Encrypting in chunks of 16384 bytes: done. 1.05 GB in 5.00 secs: 0.21 GB/sec
         Encrypting in chunks of 32768 bytes: done. 1.31 GB in 5.00 secs: 0.26 GB/sec
         Encrypting in chunks of 65536 bytes: done. 1.51 GB in 5.00 secs: 0.30 GB/sec
Throughput grows almost linearly with the chunk size: 512-byte requests complete at about 30 microseconds each, which is the fixed cost of one guest-to-host round trip, so for small buffers the time is spent on the request itself rather than on the cipher. Callers that offload many small buffers pay that cost on every request.
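The two checks a practitioner wants after the tests above, as an added example written for this page (it is not code from QEMU, the virtio-crypto driver or cryptodev-linux): which_driver() parses /proc/crypto and reports the implementation the guest kernel will actually select for an algorithm name, and fit_request_cost() fits the speed-test output to a fixed-plus-per-byte model to separate the per-request round-trip cost from the cipher cost. It assumes the /proc/crypto layout of one "field : value" block per implementation separated by blank lines, that the crypto API picks the highest-priority non-internal implementation, and that the speed tool prints decimal units (1 MB = 10^6 bytes). The sample /proc/crypto text is constructed: the driver names are taken from the test output above, but the priority values and the extra cbc-aes-aesni entry are illustrative.

```python
"""virtio-crypto guest checks: is cbc(aes) really served by virtio_crypto, and
what does one request cost? Added example; assumptions are noted in comments."""
import re
from pathlib import Path

# Constructed sample in /proc/crypto layout. Driver names come from the test
# output on this page; the priority numbers are illustrative, not measured.
SAMPLE_PROC_CRYPTO = """\
name         : cbc(aes)
driver       : virtio_crypto_aes_cbc
module       : virtio_crypto
priority     : 150
internal     : no
type         : skcipher

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
internal     : no
type         : skcipher
"""

# Same guest plus a (constructed) higher-priority CPU implementation: the crypto
# API would silently prefer it and no request would reach the virtio device.
SAMPLE_WITH_CPU_AES = SAMPLE_PROC_CRYPTO + """
name         : cbc(aes)
driver       : cbc-aes-aesni
module       : aesni_intel
priority     : 400
internal     : no
type         : skcipher
"""


def parse_proc_crypto(text):
    """Return one {field: value} dict per blank-line separated /proc/crypto entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            entries.append(fields)
    return entries


def which_driver(algorithm, text=None):
    """(driver, module, priority) the crypto API selects for `algorithm`, or None.
    Reads the live /proc/crypto when `text` is None. Internal-only implementations
    are skipped because they cannot be requested by name."""
    if text is None:
        text = Path("/proc/crypto").read_text()
    candidates = [e for e in parse_proc_crypto(text)
                  if e.get("name") == algorithm and e.get("internal", "no") != "yes"]
    if not candidates:
        return None
    best = max(candidates, key=lambda e: int(e.get("priority", "0")))
    return best["driver"], best.get("module", "?"), int(best.get("priority", "0"))


def served_by_virtio(algorithm, text=None):
    """True when requests for `algorithm` will be handled by the virtio_crypto driver."""
    sel = which_driver(algorithm, text)
    return sel is not None and sel[0].startswith("virtio_crypto")


# Benchmark lines copied from the speed output above (decimal units assumed).
SPEED_OUTPUT = """\
Encrypting in chunks of 512 bytes: done. 85.10 MB in 5.00 secs: 17.02 MB/sec
Encrypting in chunks of 1024 bytes: done. 162.98 MB in 5.00 secs: 32.59 MB/sec
Encrypting in chunks of 2048 bytes: done. 292.93 MB in 5.00 secs: 58.58 MB/sec
Encrypting in chunks of 4096 bytes: done. 500.77 MB in 5.00 secs: 100.14 MB/sec
Encrypting in chunks of 8192 bytes: done. 766.14 MB in 5.00 secs: 153.20 MB/sec
Encrypting in chunks of 16384 bytes: done. 1.05 GB in 5.00 secs: 0.21 GB/sec
Encrypting in chunks of 32768 bytes: done. 1.31 GB in 5.00 secs: 0.26 GB/sec
Encrypting in chunks of 65536 bytes: done. 1.51 GB in 5.00 secs: 0.30 GB/sec
"""
_UNIT = {"KB": 1e3, "MB": 1e6, "GB": 1e9}
_LINE = re.compile(r"chunks of (\d+) bytes: done\. ([\d.]+) ([KMG]B) in ([\d.]+) secs")


def parse_speed(text):
    """Return [(chunk_bytes, seconds_per_request), ...] from speed-test output."""
    rows = []
    for m in _LINE.finditer(text):
        chunk, total, unit, secs = int(m[1]), float(m[2]), m[3], float(m[4])
        rows.append((chunk, secs / (total * _UNIT[unit] / chunk)))
    return rows


def fit_request_cost(rows):
    """Least-squares fit of t = fixed + per_byte * chunk; returns (fixed_s, s_per_byte)."""
    n = len(rows)
    mean_c = sum(c for c, _ in rows) / n
    mean_t = sum(t for _, t in rows) / n
    sxx = sum((c - mean_c) ** 2 for c, _ in rows)
    sxy = sum((c - mean_c) * (t - mean_t) for c, t in rows)
    per_byte = sxy / sxx
    return mean_t - per_byte * mean_c, per_byte


if __name__ == "__main__":
    fixed, per_byte = fit_request_cost(parse_speed(SPEED_OUTPUT))
    print(f"fixed cost per request: {fixed * 1e6:.1f} us, "
          f"asymptotic throughput: {1 / per_byte / 1e6:.0f} MB/s")
    try:
        print("live cbc(aes) driver:", which_driver("cbc(aes)"))
    except FileNotFoundError:
        print("no /proc/crypto here; sample:", which_driver("cbc(aes)", SAMPLE_PROC_CRYPTO))
```

Run it inside the guest: on the page's numbers the fit gives a fixed cost of roughly 29 microseconds per request and an asymptotic rate of roughly 350 MB/s, and served_by_virtio("cbc(aes)") returning False means the guest is encrypting locally even though the cryptodev-linux test "passes".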


==Links==
* China Linux Kernel Conference 2015 presentation: [https://privatewiki.opnfv.org/_media/dpacc/a_new_framework_of_cryptography_virtio_driver.pdf A new framework of cryptography virtio driver] (pdf)

Latest revision as of 19:41, 30 September 2023
