Add a private key provider to accelerate RSA and ECDSA crypto operations on recent Intel Xeon processors.

[ipuustin]

Title: Add a private key provider to accelerate RSA and ECDSA crypto operations on recent Intel Xeon processors.

Description:

Intel's IPP (Integrated Performance Primitives) crypto library has support for multi-buffer crypto operations. Briefly, multi-buffer cryptography is implemented with AVX-512 instructions using a SIMD (single instruction, multiple data) mechanism. Up to eight RSA or ECDSA operations are gathered together into a buffer and processed with a single instruction, providing potentially improved performance. The AVX-512 instructions are available on recently launched Intel Ice Lake Server processors.

We have an Envoy private key provider in the works which we would like to submit as a PR soon. There are a few opens which we would like to get feedback on:

1. Testing. The functionality can be tested only on the Xeon processors which support the instruction set. We can test this by adding tests which are only run on processors which have the required AVX512 instructions, or alternatively we can mock the library interface and just simulate running the crypto operations in parallel.
2. External dependency. One extra external dependency (ipp-crypto library) is added to Envoy build. The library itself is pretty straightforward, but it needed to be slightly patched in order for it to compile against BoringSSL instead of OpenSSL. We are however working with the ipp-crypto library team to get the patches merged upstream.

Relevant Links:

https://en.wikipedia.org/wiki/Integrated_Performance_Primitives
https://software.intel.com/content/www/us/en/develop/tools/oneapi/components/ipp.html

[snowp]

For testing is there any way we can run these tests in CI? Not sure how much control we have over processor types in CI. @lizan do you have thoughts on our options here?

@envoyproxy/dependency-shepherds for thoughts on adding the dependency.

[mattklein123]

If the dep is only uses by the extension I think it's OK with me, but will see if @htuch or @moderation have any concerns.

In terms of testing, we have other tests that check for hardware/OS compat before running, though it might be good to also mock to make sure we have good coverage as I'm not sure of CI status and it might change over time.

[lizan]

We don't have Xeon processor based CI runner today, but we can provision a few to the CI cluster.

[moderation]

Is the proposed dependency open-source? I couldn't see a link to a repo on the link provided and a "Get Access" button indicating the code is behind a wall. Would be interesting to run the ipp-crypto dependency through the dependency policy at https://github.com/envoyproxy/envoy/blob/main/DEPENDENCY_POLICY.md

[rojkov]

@moderation Here's the repo of the library https://github.com/intel/ipp-crypto

[ipuustin]

Thanks for the comments. It seems that writing a mock library for testing the multi-buffer operations using just regular crypto functions would be a good idea. I'll show the DEPENDENCY_POLICY.md list to the ipp-crypto team to get comments to the items there.

[htuch]

@ipuustin I'd definitely suggest adding a SECURITY.md and plan around how to handle security incidents for something this foundational to transport sec.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.