From 10f885ae8e8a3f0ce51db54695d6c1e2e189f7e1 Mon Sep 17 00:00:00 2001
From: "data-plane-api(Azure Pipelines)"
Date: Mon, 18 Jul 2022 17:53:12 +0000
Subject: [PATCH] contrib: add QAT private key provider. (#21984)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Next generation Intel® QAT support with Intel® Xeon® Scalable processors will feature an Intel® QAT cryptography and compression acceleration engine. QAT private key provider extension will use qatlib library (https://github.com/intel/qatlib) to accelerate RSA operations in handshakes. The extension will look a bit like the existing cryptomb private key provider. The use case is to move the expensive cryptographic operations away from the CPU to the accelerator device, leaving CPU cycles for other use. Support for Intel® QAT is already present in the mainline Linux kernel and in Kubernetes device plugins (to expose the device files to containers). There are previous generations of Intel QAT® hardware devices, but they are not supported by this extension.

Signed-off-by: Ismo Puustinen

Mirrored from https://github.com/envoyproxy/envoy @ 9447ff5bfa8081fc2ddd5918b8ee9c1fd6720c7a
---
 BUILD | 1 +
 .../private_key_providers/qat/v3alpha/BUILD | 12 ++++++
 .../qat/v3alpha/qat.proto | 40 +++++++++++++++++++
 versioning/BUILD | 1 +
 4 files changed, 54 insertions(+)
 create mode 100644 contrib/envoy/extensions/private_key_providers/qat/v3alpha/BUILD
 create mode 100644 contrib/envoy/extensions/private_key_providers/qat/v3alpha/qat.proto

diff --git a/BUILD b/BUILD
index f63b87a6..ddebad21 100644
--- a/BUILD
+++ b/BUILD
@@ -88,6 +88,7 @@ proto_library(
 "//contrib/envoy/extensions/matching/input_matchers/hyperscan/v3alpha:pkg",
 "//contrib/envoy/extensions/network/connection_balance/dlb/v3alpha:pkg",
 "//contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha:pkg",
+ "//contrib/envoy/extensions/private_key_providers/qat/v3alpha:pkg",
 "//contrib/envoy/extensions/vcl/v3alpha:pkg",
 "//envoy/admin/v3:pkg",
 "//envoy/config/accesslog/v3:pkg",
diff --git a/contrib/envoy/extensions/private_key_providers/qat/v3alpha/BUILD b/contrib/envoy/extensions/private_key_providers/qat/v3alpha/BUILD
new file mode 100644
index 00000000..1c1a6f6b
--- /dev/null
+++ b/contrib/envoy/extensions/private_key_providers/qat/v3alpha/BUILD
@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = [
+ "//envoy/config/core/v3:pkg",
+ "@com_github_cncf_udpa//udpa/annotations:pkg",
+ ],
+)
diff --git a/contrib/envoy/extensions/private_key_providers/qat/v3alpha/qat.proto b/contrib/envoy/extensions/private_key_providers/qat/v3alpha/qat.proto
new file mode 100644
index 00000000..e5c58e11
--- /dev/null
+++ b/contrib/envoy/extensions/private_key_providers/qat/v3alpha/qat.proto
@@ -0,0 +1,40 @@
+syntax = "proto3";
+
+package envoy.extensions.private_key_providers.qat.v3alpha;
+
+import "envoy/config/core/v3/base.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/sensitive.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.private_key_providers.qat.v3alpha";
+option java_outer_classname = "QatProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/private_key_providers/qat/v3alpha";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: `QAT` private key provider]
+// [#extension: envoy.tls.key_providers.qat]
+
+// This message specifies how the private key provider is configured.
+// The private key provider provides RSA sign and decrypt operation
+// hardware acceleration.
+
+message QatPrivateKeyMethodConfig {
+ // Private key to use in the private key provider. If set to inline_bytes or
+ // inline_string, the value needs to be the private key in PEM format.
+ config.core.v3.DataSource private_key = 1 [(udpa.annotations.sensitive) = true];
+
+ // How long to wait before polling the hardware accelerator after a
+ // request has been submitted there. Having a small value leads to
+ // quicker answers from the hardware but causes more polling loop
+ // spins, leading to potentially larger CPU usage. The duration needs
+ // to be set to a value greater than or equal to 1 millisecond.
+ google.protobuf.Duration poll_delay = 2 [(validate.rules).duration = {
+ required: true
+ gte {nanos: 1000000}
+ }];
+}
diff --git a/versioning/BUILD b/versioning/BUILD
index e394bb91..8807cf60 100644
--- a/versioning/BUILD
+++ b/versioning/BUILD
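Review bot: `private_key` (field 1 of `QatPrivateKeyMethodConfig`) carries no presence rule, so `validate` accepts a config with no key at all while the neighbouring `poll_delay` is `required: true`; if the omission is unintended, `config.core.v3.DataSource private_key = 1 [(validate.rules).message = {required: true}, (udpa.annotations.sensitive) = true];` rejects it at validation time instead of wherever the provider presumably fails today when it loads the key. The field comment documents the PEM requirement only for `inline_bytes`/`inline_string`, but `DataSource` also accepts `filename`, so the comment should say whether the same format applies there, and, if the message comment's "RSA sign and decrypt" means non-RSA keys are rejected, say that too. A short note that the `sensitive` annotation redacts this field in the admin config dump would tell operators what the annotation buys them.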
@@ -25,6 +25,7 @@ proto_library(
 "//contrib/envoy/extensions/matching/input_matchers/hyperscan/v3alpha:pkg",
 "//contrib/envoy/extensions/network/connection_balance/dlb/v3alpha:pkg",
 "//contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha:pkg",
+ "//contrib/envoy/extensions/private_key_providers/qat/v3alpha:pkg",
 "//contrib/envoy/extensions/vcl/v3alpha:pkg",
 "//envoy/admin/v3:pkg",
 "//envoy/config/accesslog/v3:pkg",