External Use
TM
Overview of Autonomous IPSec
with QorIQ T Series Processors
FTF-NET-F0111
APR. 2014
Ahmed Khan | Software FAE
Grigore Sebastian | Technical Manager
Agenda
• Introduction to Freescale Datapath
• FMAN
• Autonomous IPSec (DPAA Offload)
− IPSec Offload Features
− IPSec Offload API
− Software development kit
• SEC Security Block
• IPSec Offload Performance
Data Path Acceleration Architecture
• QMAN and BMAN are the “Infrastructure” components
• Cores, FMAN, SEC and PME are the “Workers” (Consumers/Producers)
• Note: QMAN acts as central DPAA exchange manager
[Figure: DPAA block diagram showing Cores, FMAN PCD (Parse, Classify, Distribute), Eth, SEC, PME, QMAN, and BMAN (pools/buffers), with FMan offline mode and FMan inline mode]
Freescale Datapath options
[Figure: DPAA with FMAN (Eth, PCD, Controller (2)), SEC, PME and DCE (*), next to the Power cores (1), shown as control path cores and data path cores]
• (2) Autonomous: Packets are received, processed and sent within the FMAN. The FMAN controller can be programmed with different autonomous applications.
• (1) & (2) Semi-Autonomous: Packets are received by FMAN. The FMAN controller does part of the processing. Power cores do the rest of the processing and send the result packets out.
• (1) Non-Autonomous: Entire packet processing happens within the Power cores with no help from the FMAN controller.
FSL Datapath Options - depends on use case
DPAA Offload
• Micro code based fast path implementation in FMAN (use case for P4080, P2041, B4860…)
• Micro code can reduce CPU usage.
• Leverage hardware accelerators.
• Protocol aware Crypto accelerator.
• Difficult to customize.
ASF
• Integrated with Linux and VortiQa networking Stack.
• Implementation is based on Software, support available for IPSec, NAT, Firewall, IPv4/v6 etc.
• Available across the QorIQ family - DPAA and non-DPAA
• Used by networking/wireless customers.
USDPAA
• User space Framework and hardwired Sample applications to demonstrate highest DPAA based SoC performance.
• Allows Linux user space processes to have direct access to DPAA.
• Lacks some networking functionality and stack integration.
AIOP
• Future - Layerscape (ARM based)
• Best combined: dedicated “C” programmable HW core for fastpath.
• Integrated with Linux and other networking stacks.
[Figure axis: Level of GPP Core offload]
Frame Manager (FMAN)
Frame Manager is responsible for
preprocessing and moving packets
into and out of the datapath
• Parsing
− Packet Parsing at wire speed
− Supports standard protocols parsing and
identification by HW (VLAN/IP/UDP/TCP/SCTP/PPPoE/PPP/MPLS/GRE/IPSec …)
− Supports non-standard UDF header parsing for
custom protocols
• Classification / Distribution
− Coarse classification based on Key
generation Hash and exact match lookup
− Supports wire speed of 2x 25Gbps
− Result is frame queue ID and policing
profile, if required
• Policing
− Two rate – three colour marking algorithm
(rfc 2968 & 4115)
− Up to 256 internal profiles
• General
− Supports offline PCD on frames extracted from QMAN
− Supports “Independent” mode for up to 100BT
− Per port egress rate limiting
− Statistics & Multicast support
− Support for IEEE1588 thru HW-Timestamping
[Figure: Frame Manager block diagram with MACs (1GE, 10GE) and SerDes, Parser, Keygen / Coarse Classify / Distribute, Policer, FPM (Frame Processing Mgr), BMI, QMI (QMan I/F), DMA, and shared memory for frame/context/table storage, connected to QMan, BMan and the CoreNet bridge; packet/frame in]
FMAN PCD (Parse/Classify/Distribute)
• Goals of FMAN PCD
− Distribute flows/frames such that each flow or group of flows is processed by a selected core or group of cores (load balance and load spread)
   Requires both exact match and hash based classification
− Pre-process as much as possible to save later Core/SW cycles
   Identify & extract protocols and headers (Std and UDF)
   Help Core/SW refine after coarse classification (ex: providing Key and Hashed key)
• Must ensure that all packets from a given connection are enqueued into the same queue
[Figure: PCD distributing frames by FQ id# to a Core and to Core/DPAA Accel.]
IPSec Overview
• A Network layer security protocol developed by Internet Engineering Task
Force (IETF) providing:
− Authentication: to verify sources of IP packets
− Confidentiality: to protect integrity and/or confidentiality of packets
− Key Management: negotiation of cryptographic keys
• Applicable to use over LANs, across public & private WANs, VPN and for
the Internet.
• Two protocols providing different service models:
− AH
− ESP
• Modes
− Transport
− Tunnel
[Figure: Tunnel Mode (router to router) and Transport Mode]
Security Protocol – IPSec
[Figure: two hosts, each with a TCP/UDP stack and an IPsec driver, negotiate an SA pair through IKE and exchange secure IP packets]
Packet layouts shown in the figure, with the authenticated and encrypted spans marked:
BEFORE ENCAPSULATION: Orig IP Header | TCP | Data
TRANSPORT MODE: Orig IP Header | ESP Hdr | TCP | Data | ESP Trlr | ESP Auth
TUNNEL MODE: New IP Header | ESP Hdr | Orig IP Header | TCP | Data | ESP Trlr | ESP Auth
• Internet Protocol Security (IPsec) has three elements:
− Key Management
Internet Key Exchange (IKE) provides key management and Security Association (SA) management.
− Authentication
Authentication Header (AH) provides authentication and integrity.
− Encryption
Encapsulating Security Payload (ESP) provides confidentiality, authentication, and integrity.
Why Autonomous IPSec?
• Completely offloads CPU
− The data path application allows complete offload of IPSec data paths
− Relieving the cores from the tasks of submitting/ receiving frames to/from the SEC engine
• FMAN ucode performs better compared to a traditional SW fast-path
− Lower latency to access DPAA acceleration services
• FMAN ucode is within DPAA
− Embedded within FMAN, direct interfaces to QMAN, BMAN, FMAN sub-blocks
• Provide custom offload support through Professional Services
Auto IPSec Features
• ESP Tunnel mode, up to 512 flows.
• Protocol Stack supported:
− Ethernet/ Stacked VLAN/ IP
• IPSec ESP modes:
− Encryption with authentication (ESP)
− Authentication without encryption (AH)
• IPSec algorithms:
− Authentication: HMAC-MD5-96, HMAC-SHA-1-96, AES-XCBC-MAC-96 and HMAC-SHA-256/384/512.
− Encryption: DES CBC, 3DES CBC, AES-CBC 128/192/256, AES-CTR 128/192/256.
• Anti-replay support.
• Extended sequence numbers.
• Random IV generation for outbound traffic.
• IPSec ESP tunnel encapsulation and de-capsulation.
• Inbound Rule Validation
• ESP/Eth Padding
• strongSwan IKEv2
• CAPWAP/ DTLS
Header Manipulation Support
• NAT (Network Address and Port Translation)
• Forwarding
• Remove header manipulation
• Insert header manipulation
• Update header manipulation
• VLAN specific header manipulation (Insert, remove
QTags, update QTag VPri)
• MPLS specific header manipulation
Target Application
• Security appliances
• Wireless backhaul
• Edge/ Access
• Low-End gateways
[Figure: DPAA offload software architecture, in three layers.
User space: IKEv1/v2 (strongSwan), IP toolkit (ip, tc, iptables), DPA Offloading Control App, dpa_offload lib, FM-Lib, FMC (xml), DPA-USDPAA APIs.
Kernel space: Linux NW stack with IPSec XFRM, DPAA ETH network driver, DPA intermediate layer (DPA Classif Table, DPA Classif HManip, DPA Classif MCast, DPA IPSec, DPA Stats) reached through IOCTLs and the intermediate layer APIs, PCD skeleton (generated code), LLD APIs (SEC DCL, QMAN FQ, FMAN PCD), and the FMAN, QMAN, BMAN, SEC, RMAN low level drivers layer.
SoC hardware: DPAA with FMAN, BMAN, QMAN, SEC, RMAN; dTSec and SRIO.]
DPAA IPSec Outbound & Inbound path architecture
[Figure: frames travel on frame queues (FQ) from an FMAN port through a Pre-SEC stage, the SEC (encrypt/decrypt) and a Post-SEC stage to an FMAN port. Stages and labels shown:
Custom classifications; inbound IP reassembly (outer IP); IP frag (inner); statistics; IP frag (outer IP); IP reass (inner IP).
Table lookup (inbound: 3-tuple key; outbound: 5-tuple key) selecting SA#in1/out1, SA#in2/out2 … SA#inn/outn, with a miss FQ.
SEC error checking with an error FQ; table lookup and inbound policy verification with hit and miss FQs.
DPA IPSEC module calls: _init(), _create_sa(), _sa_add_policy().
Legend: resource created outside the module; resource shared by the module with upper layer; resource created inside the module; processing performed outside the module (APP).]
Classification in DPA IPSec Port (PCD)
• The DPA IPSec Port API requires 3 types of classification to be implemented in order to function properly:
− Inbound Pre SEC – determine the correct SA to use for decryption based on:
   IP Dest Addr + IP Next Proto + ESP SPI (3 tuple)
   IP Dest Addr + IP Next Proto + ESP SPI + UDP Src Port + UDP Dest Port (for NAT-T)
− Inbound Post SEC – perform inbound policy verification:
   Determine the SA used for decryption using the associated flowID
   Match frames against policies for that SA using a 5 tuple key = IP Src + IP Dest + IP Next Proto + Src Port + Dest Port
− Outbound Pre SEC – determine the correct SA to use for encryption based on the offloaded policies:
   TCP, UDP and ICMP policies are supported
   A 5 tuple key (IP Src + IP Dest + IP Next Proto + Src Port + Dest Port) is used to match policies
   For ICMP the Src Port and Dest Port fields are replaced with a padding value
− Outbound Post SEC – the DPA IPSec Port API does not require any classification to be implemented
• The DPA IPSec API sets a flowID on the frame queues where the encrypted frames are enqueued that can be used for forwarding
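A software model of the inbound lookups described above, as an added example that is not part of the original slides and does not use the DPA IPSec API: the pre-SEC key selects the SA, and the post-SEC check accepts a decrypted frame only if its inner 5-tuple matches a policy of the SA identified by the flowID. All type and function names, the sample table, the zero padding value, the UDP-means-NAT-T test and the use of ICMP padding on the inbound path are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: every name below is hypothetical, not the DPA IPSec API. */
enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17, PROTO_ESP = 50 };
enum { PORT_PAD = 0, MISS = -1 };  /* assumed ICMP port padding; miss-queue result */

struct tuple5 { uint32_t src, dst; uint8_t proto; uint16_t sport, dport; };
/* Pre-SEC key: IP dest + next proto + SPI, plus the UDP ports for NAT-T. */
struct sa_key { uint32_t dst; uint8_t proto; uint32_t spi; uint16_t usport, udport; };
struct sa {
    int flow_id;              /* identifies the SA after decryption */
    struct sa_key key;
    struct tuple5 policy[2];  /* selectors offloaded for this SA */
    int npolicy;
};

/* The slides state the ICMP padding for outbound policies; applying it to
 * the inbound check as well is an assumption of this example. */
static int tuple_eq(struct tuple5 a, struct tuple5 b)
{
    if (a.proto == PROTO_ICMP) a.sport = a.dport = PORT_PAD;
    if (b.proto == PROTO_ICMP) b.sport = b.dport = PORT_PAD;
    return a.src == b.src && a.dst == b.dst && a.proto == b.proto &&
           a.sport == b.sport && a.dport == b.dport;
}

/* Inbound pre-SEC: pick the SA for decryption from the outer headers. */
int inbound_pre_sec(const struct sa *tbl, int n, struct sa_key k)
{
    int natt = (k.proto == PROTO_UDP);  /* assumed: UDP next proto means NAT-T */
    for (int i = 0; i < n; i++) {
        const struct sa_key *s = &tbl[i].key;
        if (s->dst == k.dst && s->proto == k.proto && s->spi == k.spi &&
            (!natt || (s->usport == k.usport && s->udport == k.udport)))
            return tbl[i].flow_id;
    }
    return MISS;
}

/* Inbound post-SEC: the flowID selects the SA, then the decrypted inner
 * 5-tuple must match one of that SA's policies, not any SA's. */
int inbound_post_sec(const struct sa *tbl, int n, int flow_id, struct tuple5 in)
{
    for (int i = 0; i < n; i++) {
        if (tbl[i].flow_id != flow_id)
            continue;
        for (int p = 0; p < tbl[i].npolicy; p++)
            if (tuple_eq(tbl[i].policy[p], in))
                return flow_id;
    }
    return MISS;
}

/* Constructed sample data: two inbound SAs terminating on 192.0.2.1. */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
static const struct sa sample_sas[] = {
    { 10, { IP(192, 0, 2, 1), PROTO_ESP, 0x1001, 0, 0 },
      { { IP(10, 1, 0, 5), IP(10, 2, 0, 5), PROTO_TCP, 40000, 443 } }, 1 },
    { 20, { IP(192, 0, 2, 1), PROTO_UDP, 0x2002, 4500, 4500 },
      { { IP(10, 3, 0, 7), IP(10, 2, 0, 9), PROTO_ICMP, 0, 0 } }, 1 },
};

int main(void)
{
    struct sa_key outer = { IP(192, 0, 2, 1), PROTO_ESP, 0x1001, 0, 0 };
    struct tuple5 own = { IP(10, 1, 0, 5), IP(10, 2, 0, 5), PROTO_TCP, 40000, 443 };
    struct tuple5 foreign = { IP(10, 3, 0, 7), IP(10, 2, 0, 9), PROTO_ICMP, 8, 0 };
    int fid = inbound_pre_sec(sample_sas, 2, outer);
    printf("pre-SEC flowID: %d\n", fid);
    printf("own policy: %d\n", inbound_post_sec(sample_sas, 2, fid, own));
    printf("other SA's policy: %d\n", inbound_post_sec(sample_sas, 2, fid, foreign));
    return 0;
}
```

The last call is the case inbound policy verification exists for: a frame that decrypts correctly under one SA but carries selectors offloaded for a different SA is reported as a miss rather than forwarded.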
Linux User Space IPSec XFRM integration
Inbound flows
[Figure: inbound flows, with control path and data path marked in the legend.
Control path: the IPSec control tools package (ipsec-tools, strongSwan) configures the SADB and SPDB through XFRM in kernel space; XFRM events reach the user space IPSec_offload control application, which configures the FMAN with _create_sa() and _sa_add_policy().
Data path: RX MAC → FMAN RX port (classify by 3 tuple, IP reassembly) → FQ → SEC (decrypt) → FQ → OH port (inbound policy check, classify by FlowID & 5-tuple, SEC error checking, IP reassembly, IPFwd) → FQ → TX port → TX. Frame queues also lead to the Linux network stack through a virtual (MACless) interface and to USDPAA user space frame processing apps. The port processing is done by FMAN ucode.]
Linux User Space IPSec XFRM integration
Outbound flows
[Figure: outbound flows, with control path and data path marked in the legend.
Control path: the IPsec control tools package (ipsec-tools, strongSwan) configures the SADB and SPDB through XFRM in kernel space; the user space IPsec_offload control application configures the FMAN with _create_sa() and _sa_add_policy().
Data path: RX MAC → RX port (custom classification) → FQ → OH port (classify by 5 tuple, IP fragmentation) → FQ → SEC (encrypt) → FQ → OH port (select TX port, SEC error checking, IPFwd, IP frag) → TX port → TX. Frame queues also connect the Linux network stack through a virtual (MACless) interface and USDPAA user space frame processing apps. The port processing is done by FMAN ucode.]
Linux User Space IPSec XFRM integration – Non IPSec traffic
[Figure: the FMAN/SEC block diagram used for inbound flows (RX MAC, RX port classifying by 3 tuple with IP reassembly, SEC decrypt, OH port with inbound policy check, TX port, Linux network stack behind a virtual MACless interface, USDPAA user space frame processing apps, IPSec_offload control with XFRM events, _create_sa() and _sa_add_policy()), with the path taken by non-IPSec traffic marked]
FMANv3 - microcode
• Autonomous processing
− IPSEC
− IP Reassembly
− IP Fragmentation
− Advanced statistics
− Padding Removal
• Header Manipulation
− Update/Add/Remove L2 header: SMAC, DMAC, VLAN, MPLS
− Update L3 IPv4/IPv6 header: TOS, Hop Limit, TTL, ID, Src, Dst
− Update L4 UDP/TCP header: Src, Dst
− Replace IPv4 IPv6
− L3/L4 Checksum update after modification
[Figure: outbound path through FMAN and SEC: OH port (classify by 5 tuple, IP fragmentation) → FQ → SEC (encrypt) → FQ → OH port (select TX port, SEC error checking, IP fragmentation) → TX port → TX, configured through _create_sa()]
IPSec Offload Application
[Figure: the IPSec_offload control application sits between the interfaces to Linux and the DPA Offload IPSec layer, turning events into API calls]
• module init → init()
• XFRM_MSG_NEWSA → create_sa(inbound)
• XFRM_MSG_NEWSA → create_sa(outbound)
• XFRM_MSG_DELSA → remove_sa()
• module exit → free()
• Also shown: sa_add_policy() (twice), sa_remove_policy()
Note: Virtual interface refers to an ethernet interface associated to an offline port
DPA Offload IPSec API
Each entry lists: Function, Params, Returns, Description.
• dpa_ipsec_init()
− Params: only application specific parameters: list of ports’ details used by the offloading module
− Returns: Error code
− Description: Used by the upper layer to provide the mandatory initialization parameters. Creates queues, CCNodes and all other internal data structures.
• dpa_ipsec_free()
− Params: Port handle
− Returns: Error code
− Description: Releases all resources (HW and SW) used by the module.
• dpa_ipsec_create_sa()
− Params: Port handle; SA params (crypto params, SPI); SEC Work Queue, Buffer Pool
   Outbound SA params: IP outer header; UDP header (for NAT-T case); Forwarding info (FlowID assigned to this SA)
   Inbound SA params: IP Dest Addr; UDP Src & Dest Port (for NAT-T case); Anti Replay Window size
− Returns: Error code
− Description: Create the accelerated path for an IPSec flow that uses this SA to protect packets
• dpa_ipsec_rekeying()
− Params: “Old” SA id; “New” SA id
− Returns: SA handle
− Description: Creates a new SA to replace the expired “old” SA.
• dpa_ipsec_remove_sa()
− Params: SA id
− Returns: Error code
− Description: Unregister an SA.
• dpa_ipsec_sa_add_policy()
− Params: SA id; Policy selectors
− Returns: Error code
− Description: Add a new rule for offloading policy lookup.
• dpa_ipsec_sa_remove_policy()
− Params: SA id; Policy selectors (used for _sa_add_policy())
− Returns: Error code
− Description: Remove a rule for policy lookup.
QorIQ™ Software Development Kits SDK 1.5
The QorIQ Linux SDK Software Package
• U-Boot
• Firmware
• Linux kernel
• Linux kernel virtual machine (KVM)
• GNU tool chain
• Linux Applications
− Standard Open Source Applications
− Freescale-specific Applications
• DPAA Software Development Kit features
− User Space DPAA (USDPAA) with reference applications
Zero overhead environment for run-to-completion packet
processing in Linux user space
DPAA sample drivers
Frame manager initialization and configuration infrastructure
• Frame Manager Configuration (FMC) tool
• DPAA Offload and reference applications
• Yocto build tools
• Documentation
• Errata workarounds
• Platforms: P2,P3,P4, B4,T1,T2,T4
DPAA Offload and Reference Applications
• New offload capabilities for autonomous fast-path data flows. The component contains IP Reassembly, IP Fragmentation, IPSec, Header Manipulations, Multi-Cast, Padding removal and more, and supports IPv4 and IPv6
• It depends on many of the SDK components:
− Firmware
− FMAN driver, FMlib
− QMAN CEETM driver
− Linux Ethernet Driver
− SEC PDCP
− USDPAA
− FMC, XML
• USDPAA Offload reference applications
− Classifier demo, IPReassembly demo, IPFragmentation demo, IPSec Offload demo.
• Documentation
• Supported Platforms: P4080,B4860,B4420,P2041
• SDK 1.6: Support for T4240 and T2080
SEC Security Block - Version 5.0
• Public Key Hardware Accelerators (PKHA)
− RSA and Diffie-Hellman
− Elliptic curve cryptography
• Data Encryption Standard Accelerators (DESA)
− DES, 3DES (2K, 3K)
− ECB, CBC, OFB modes
• Advanced Encryption Standard Accelerators (AESA)
− Key lengths of 128-, 192-, and 256-bit
− ECB, CBC, CTR, CCM, GCM, CMAC,
− OFB, CFB, and XTS
• ARC Four Hardware Accelerators (AFHA)
− Compatible with RC4 algorithm
• Message Digest Hardware Accelerators (MDHA)
− SHA-1, SHA-2 256,384,512-bit digests
− MD5 128-bit digest
− HMAC with all algorithms
• Kasumi/F8 Hardware Accelerators (KFHA)
− F8 , F9 as required for 3GPP
− A5/3 for GSM and EDGE
− GEA-3 for GPRS
• Snow 3G Hardware Accelerators (STHA)
− Implements Snow 3.0
• ZUC Hardware Accelerators (ZHA)
− Implements 128-EEA3 & 128-EIA3
• CRC Unit
− Standard and user defined polynomials
• Random Number Generator, random IV generation
• Supports protocol processing for the following:
− IPSec
− 802.1ae (MACSEC)
− SSL/TLS/DTLS/CAPWAP
− 3GPP RLC
− LTE PDCP
− SRTP
− 802.11i (WiFi)
− 802.16e (WiMax)
SEC 5.x Logical Block Diagram
[Figure: SEC 5.x logical block diagram. Queue Interface with job prep logic, Job Queue Controller, Job Queues (JR 0 to JR 3), RTIC and DMA feed a DECO pool (DECO 0 to DECO 7, each with a descriptor buffer, a watchdog and a CCB, CCB 0 to CCB 7) and a holding tank pool (Holding Tank 0 to 7). Each CCB has its own MDHA, CRCA, AESA, KFHA and DESA; arbiters share PKHA, AFHA, RNG, STHA f8, STHA f9, ZUCE and ZUEA. The block connects through the Queue Manager and Buffer Mgr to DDR/CoreNet (shared descriptors, frames) and the Power Architecture™ e6500 core. An inset table lists SP status and FQ ID list for SP1 to SP5.]
• JQ Controller take inputs from:
− JR (Direct Mode)
− QI (DPAA Mode)
− RTIC
• DEscriptor COntroller
− 8x T4240
− 5x P4080
− 3x P3041/P2040
• CHA Control Block
• Crypto Hardware Accelerator (CHA)
− Dedicated CHAs
8x AESA, MDHA, CRCA, KFHA, DESA
− Pool CHAs
RNG, AFHA, PKHA, STHA, ZUCE, ZUCA
• Watch Dog Timer
− Monitors DECOs for prolonged inactivity
A DECO is like a processor…
• RTA (Run Time Assembler)
− API for writing SEC descriptors
− Descriptor Library with ready to use
RTA descriptors
− Small software overhead
− Easy to integrate into Application
− Tests Suite for development
validation
• Descriptors are like short programs
• Descriptor command will cause the DECO to move or manipulate data
• The DECO starts processing once its descriptors are loaded into its
descriptor buffer. The total length of descriptor(s) must be <= 64 32b
words in order to fit into the descriptor buffer.
• Job Descriptor (JD) is Job specific
• Shared Descriptor (SD) is session related
How to develop descriptors??
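Descriptor example:
/* Start building a descriptor in descbuf */
PROGRAM_CNTXT_INIT(descbuf, 0);
/* Shared descriptor header */
SHR_HDR(SHR_ALWAYS, 1, 0);
{
    /* VSEQINSZ = SEQINSZ - MATH2 (4-byte math operation) */
    MATHB(SEQINSZ, SUB, MATH2, VSEQINSZ, SIZE(4), 0);
    /* Select the CRC algorithm with the 802 polynomial, finalize state */
    ALG_OPERATION(OP_ALG_ALGSEL_CRC,
                  OP_ALG_AAI_802 | OP_ALG_AAI_DOC,
                  OP_ALG_AS_FINALIZE, 0, DIR_ENC);
    /* Load the input message (variable length) into the class 2 input FIFO */
    SEQFIFOLOAD(MSG2, SIZE(32), WITH(VLF | LAST2));
    /* Store 4 bytes of class 2 context, the CRC result, to the output */
    SEQSTORE(CONTEXT2, 0, SIZE(4), 0);
}
/* Finish the descriptor and report its size */
*bufsize = PROGRAM_FINALIZE();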
Performance Factors
• Factors that determine performance
− SEC block
SEC Version
Number of DECOs
• CHA’s
• Shared/Dedicated ones
Cryptographic Algorithm
• AES, DES, 3DES
− Use case
Feature enabled
IP Fragmentation/ Reassembly
− RISC Engine
Platform             SEC Version   # DECOs/CCBs   Capacity
P4080-R1/R2/R3       4.0           5              10G
P3041/P5020/P2040    4.2           2              3G
T4240-R1/R2          5.0           8              20G
P5040                5.2           4              10G
T2080                5.2           4              10G
B4860R1              5.3           3              5G
B4420                5.3           3              5G
T1040                5.4           2              4G
T1020                5.4           2              4G
Summary
• Improve System performance by offloading
IPSec processing to Freescale DPAA.
• Leverages Freescale DPAA blocks such as
SEC, FMAN, DECOs, CHAs, QMAN and
BMAN.
• The key to this solution lies in a clever usage
of the FMAN PCD and ucode resources.
• Freescale can provide customized micro code
through FSL Professional Services.
For Further Information
• URLs
− Public git:
http://git.freescale.com/git/cgit.cgi/ppc/sdk/flib.git/tree/sec
− SDK Info Center (online):
http://www.freescale.com/infocenter/index.jsp?topic=%2Fqoriq%2Findex.html
• Software and Tools Info Center QorIQ SDK Doc [Linux User Space] [USDPAA
Applications] [DPAA Offloading Applications Guide]
• Freescale SDK
− URL
http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=SDKLINUX
− SDK FLIB
• Professional Services http://www.freescale.com/webapp/sps/site/overview.jsp?code=CW_PROFESSIONAL
Introducing The QorIQ LS2 Family
Breakthrough, software-defined approach to advance the world’s new virtualized networks
• New, high-performance architecture built with ease-of-use in mind
− Groundbreaking, flexible architecture that abstracts hardware complexity and enables customers to focus their resources on innovation at the application level
• Optimized for software-defined networking applications
− Balanced integration of CPU performance with network I/O and C-programmable datapath acceleration that is right-sized (power/performance/cost) to deliver advanced SoC technology for the SDN era
• Extending the industry’s broadest portfolio of 64-bit multicore SoCs
− Built on the ARM® Cortex®-A57 architecture with integrated L2 switch enabling interconnect and peripherals to provide a complete system-on-chip solution
QorIQ LS2 Family Key Features
Unprecedented performance and
ease of use for smarter, more
capable networks
High performance cores with leading
interconnect and memory bandwidth
• 8x ARM Cortex-A57 cores, 2.0GHz, 4MB L2
cache, w Neon SIMD
• 1MB L3 platform cache w/ECC
• 2x 64b DDR4 up to 2.4GT/s
A high performance datapath designed
with software developers in mind
• New datapath hardware and abstracted
acceleration that is called via standard Linux
objects
• 40 Gbps Packet processing performance with
20Gbps acceleration (crypto, Pattern
Match/RegEx, Data Compression)
• Management complex provides all
init/setup/teardown tasks
Leading network I/O integration
• 8x1/10GbE + 8x1G, MACSec on up to 4x 1/10GbE
• Integrated L2 switching capability for cost savings
• 4 PCIe Gen3 controllers, 1 with SR-IOV support
• 2 x SATA 3.0, 2 x USB 3.0 with PHY
[Figure labels: SDN/NFV, Switching, Data Center, Wireless Access]
See the LS2 Family First in the Tech Lab!
4 new demos built on QorIQ LS2 processors:
Performance Analysis Made Easy
Leave the Packet Processing To Us
Combining Ease of Use with Performance
Tools for Every Step of Your Design
More Details
DPAA Terminology (summary)
• Buffer – Unit of contiguous memory, allocated by software.
• Buffer Pool – a list of available buffers which have the same characteristics (size, addressability, accessibility)
• Frame – Buffer(s) that hold a data element (generally a packet)
− Frames can be single buffers or multiple buffers (using scatter/gather lists)
− a “simple frame” has one delimited data element
− “Compound frames” have more than one
• Frame Descriptor – Proxy structure used to enqueue frames. The Frame memory itself is not used by the Queue Manager
• Frame Queue – FIFO of related Frames
• Frame Queue Descriptor – Structure used to manage Frame Queues
• Work Queue – FIFO of Frame Queues (of same priority)
• Channel – Set of 8 prioritized Work Queues, with HW class scheduling
• Dedicated Channel -- a channel which supplies FQs to a single consumer.
• Pool Channel -- a channel which can be shared by multiple consumers
• Portal – HW interface used to access QMan facilities (e.g. Enqueue or Dequeue) for possibly multiple channels
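[Figure: buffers (B) make up a frame (F); frames make up a frame queue (FQ); frame queues make up a work queue (WQ); work queues 0 to 7, ordered by priority, make up a channel (Chan); channels are reached through a portal]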
Glossary
AES Advanced Encryption Standard
AH Authentication Header
CBC Cipher-Block Chaining
CCB CHA Control Block
CCM Counter with CBC-MAC
CHA Crypto Hardware Accelerator
DECO Descriptor Controller
DES Data Encryption Standard
DXLT Descriptor Translator Tool
ECB Electronic codebook
ESP Encapsulating Security Payload
GCM Galois/Counter Mode
IKE Internet Key Exchange
JQ Job Queue
JR Job Ring
QI Queue Interface
PDB Protocol Data Block
RTA Run-Time Assembly
SA Security Association
SP Security Policy
SSL Secure Socket Layer
FMAN Frame Manager
QMAN Queue Manager
BMAN Buffer Manager
CAPWAP Control And Provisioning of Wireless Access Points
DTLS Datagram Transport Layer Security
Descriptors and Interfaces
• Job Descriptor – A descriptor, created by SW and submitted via a Job Ring for the purpose of performing a single SEC task. A Job Descriptor can reference a Shared Descriptor.
• Internal Job Descriptor – A descriptor, created by the Queue Interface or the RTIC, for the purpose of performing a single SEC task.
• Frame Descriptor – A standard DPAA descriptor defining the address of a buffer, the length of the data in the buffer, and optionally the offset from the start of the buffer to the data. An ‘upstream’ producer (typically software) submits Frame Descriptors to the SEC via the Queue Interface.
• Shared Descriptors - A descriptor created by SW with the expectation that it may be referenced by multiple job descriptors (possibly billions) sharing the same security context. SDs have session state, which the DECO updates as directed by the descriptor.
Linux User Space QMan/BMan Portal Drivers
[Figure: a Linux user space application uses the QMan and BMan access API library to reach a QMan SW portal (enqueue, dequeue, …) and a BMan SW portal (acquire, release, …), which connect to the QMan (Queue Manager) and the BMan (Buffer Manager)]
• Portals mapped directly into application’s virtual address space.
• No system call or kernel context switch to access a portal.
© 2014 Freescale Semiconductor, Inc. | External Use
www.Freescale.com