Add ability to disable auto engine init on fork.

Change-Id: Ibf5ba4859b5fd6d9efc265b73c84de28fdaae174
Signed-off-by: Steve Linsell <stevenx.linsell@intel.com>

.tools/Makefile.am

@@ -78,23 +78,24 @@ include_HEADERS = ${OPENSSL_COMMON_HDR} \
 
 CC = cc
 AM_CPPFLAGS = $(includes) $(include_enable_usdm) $(includes_driver) \
-				$(includes_enable_qat_mux)
+              $(includes_enable_qat_mux)
 
 AM_CFLAGS = $(cflags) $(cflags_cc_opt) $(cflags_enable_upstream_driver) \
-		$(cflags_qat_contig_mem) $(cflags_enable_multi_thread) \
-		$(cflags_enable_usdm) $(cflags_mux) $(enable_qat_rsa) \
-		$(enable_qat_ciphers) $(enable_qat_ecdh) $(enable_qat_ecdsa) \
-		$(enable_qat_dsa) $(enable_qat_dh) $(enable_qat_prf) \
-		$(enable_qat_small_pkt_offload) \
-		$(enable_qat_lenstra_protection) \
-		$(enable_qat_debug) $(enable_qat_warnings) \
-		$(enable_qat_mem_debug) $(enable_qat_mem_warnings) \
-		$(cflags_qat_debug_file)
+            $(cflags_qat_contig_mem) $(cflags_enable_multi_thread) \
+            $(cflags_enable_usdm) $(cflags_mux) $(enable_qat_rsa) \
+            $(enable_qat_ciphers) $(enable_qat_ecdh) $(enable_qat_ecdsa) \
+            $(enable_qat_dsa) $(enable_qat_dh) $(enable_qat_prf) \
+            $(enable_qat_small_pkt_offload) \
+            $(enable_qat_lenstra_protection) \
+            $(enable_qat_debug) $(enable_qat_warnings) \
+            $(enable_qat_mem_debug) $(enable_qat_mem_warnings) \
+            $(enable_qat_auto_engine_init_on_fork) \
+            $(cflags_qat_debug_file)
 
 libqat_la_LDFLAGS = $(QAT_SHARED_LIB_DEPS_LD) \
-					$(QAT_SHARED_LIB_DEPS_UPSTREAM_DRIVER) \
-					$(QAT_SHARED_LIB_DEPS_DRIVER) \
-					$(QAT_SHARED_LIB_DEPS_QAE_MEM)
+                    $(QAT_SHARED_LIB_DEPS_UPSTREAM_DRIVER) \
+                    $(QAT_SHARED_LIB_DEPS_DRIVER) \
+                    $(QAT_SHARED_LIB_DEPS_QAE_MEM)
 
 if QAT_OPENSSL_102
  ENGINE_LIB = $(with_openssl_install_dir)/lib/engines/libqat.so

.tools/configure.ac

@@ -172,8 +172,14 @@ AC_ARG_ENABLE(openssl_install_build_arch_path,
                              [Enable building QAT engine against packaged OpenSSL on, for example, a Debian system]))
 AC_SUBST(enable_openssl_install_build_arch_path)
 
+AC_ARG_ENABLE(qat_auto_engine_init_on_fork,
+              AS_HELP_STRING([--disable-qat_auto_engine_init_on_fork],
+                             [Disable auto initialization of the engine following a fork]))
+AC_SUBST(enable_qat_auto_engine_init_on_fork)
+
 # ERROR message if mandatory options are not provided
 
+
 if test "x$with_qat_dir" = "x"
 then
   AC_MSG_ERROR([--with-qat_dir is not set, set it to the path to the Intel Quickassist Technology Driver source code. e.g: --with-qat_dir=/path/to/qat_driver])
@@ -335,6 +341,15 @@ else
   AC_MSG_NOTICE([Disabling Memory Driver Warning Messages])
 fi
 
+if test "x$enable_qat_auto_engine_init_on_fork" = "xno"
+then
+  enable_qat_auto_engine_init_on_fork="-DOPENSSL_DISABLE_QAT_AUTO_ENGINE_INIT_ON_FORK"
+  AC_MSG_NOTICE([Auto engine init on fork disabled.])
+else
+  enable_qat_auto_engine_init_on_fork=""
+  AC_MSG_NOTICE([Auto Engine init on fork enabled (default).])
+fi
+
 # Check for memory driver and parse the CFLAGS for building library
 
 AC_ARG_WITH(includes, AS_HELP_STRING(), , includes="-I\$(with_openssl_dir)/include")

README.md

@@ -656,6 +656,18 @@ Description:
     passed in as Param 4. This message may be sent at any time after engine
     initialization.
 
+Message String: INIT_ENGINE
+Param 3:        0
+Param 4:        NULL
+Description:
+    This message is not normally necessary as the engine will get initialized
+    either via an ENGINE_init() call or automatically following a fork. This
+    message would only be used for performance reasons with an engine compiled
+    with --disable-qat_auto_engine_init_on_fork. In that case it may be
+    desirable to send this engine message in the child rather than wait for the
+    engine to be initialized automatically on the first offloaded crypto
+    request.
+
 Message String: SET_INTERNAL_POLL_INTERVAL
 Param 3:        unsigned long cast to a long
 Param 4:        NULL
@@ -978,15 +990,15 @@ Optional
     interface. You should only specify this option if using a mixture of
     hardware (disabled by default).
 
---disable-qat_lenstra_protection
-    Disable protection against Lenstra attack (CVE-2017-5681) (protection is
-    enabled by default). The RSA-CRT implementation in the Intel(R) QAT
-    OpenSSL* Engine, for OpenSSL* versions prior to v0.5.19, may allow remote
-    attackers to obtain private RSA keys by conducting a Lenstra side-channel
-    attack.  From version v0.5.19 onward, protection against this form of
-    attack is effected by performing a Verify/Encrypt operation after the
-    Sign/Decrypt operation, and if a failure is detected then re-running the
-    Sign/Decrypt operation using the CPU.
+--disable-qat_lenstra_protection/--enable-qat_lenstra_protection
+    Disable/Enable protection against Lenstra attack (CVE-2017-5681)
+    (protection is enabled by default). The RSA-CRT implementation in the
+    Intel(R) QAT OpenSSL* Engine, for OpenSSL* versions prior to v0.5.19,
+    may allow remote attackers to obtain private RSA keys by conducting a
+    Lenstra side-channel attack.  From version v0.5.19 onward, protection
+    against this form of attack is effected by performing a Verify/Encrypt
+    operation after the Sign/Decrypt operation, and if a failure is detected
+    then re-running the Sign/Decrypt operation using the CPU.
     However, future releases of Intel(R) QAT driver code or firmware may
     effect this protection instead, in which case the Intel(R) QAT OpenSSL*
     Engine code-based protection would no longer be required and this
@@ -998,34 +1010,48 @@ Optional
 --enable-qat_for_openssl_102
     Enable the Intel(R) QAT OpenSSL* Engine to build against OpenSSL* 1.0.2.
     Currently if using this build option, only synchronous RSA offload is
-    supported.
+    supported (default is to build for the OpenSSL* 1.1.1/master branch).
 
 --enable-qat_for_openssl_110
-    Enable the Intel(R) QAT OpenSSL* Engine to build against OpenSSL* 1.1.0.
+    Enable the Intel(R) QAT OpenSSL* Engine to build against OpenSSL* 1.1.0
+    (default is to build for the OpenSSL* 1.1.1/master branch).
 
 --enable-openssl_install_build_arch_path
-    Enable the Intel(R) QAT OpenSSL* Engine to build against a packaged pre-built
-    OpenSSL* that has either been pre-installed in your particular Linux distribution
-    or else that you have installed yourself.
-    For example, for a Debian* based distribution, the OpenSSL* package is either
-    pre-installed or else can be installed with the command:
+    Enable the Intel(R) QAT OpenSSL* Engine to build against a packaged
+    pre-built OpenSSL* that has either been pre-installed in your particular
+    Linux distribution or else that you have installed yourself.
+    For example, for a Debian* based distribution, the OpenSSL* package is
+    either pre-installed or else can be installed with the command:
     `apt-get install openssl`.
     This places both static and shared libraries associated with the OpenSSL*
-    package in directory /usr/lib/<architecture>,
-    where <architecture> is a description of the architecture the package is
-    intended to run on (for example, for an Intel(R) x86-based 64-bit architecture, GNU-compiled
-    it would be 'x86_64-linux-gnu').  In addition, for this example Debian* based distribution,
-    the OpenSSL* header files associated with the OpenSSL* package are placed in directory
+    package in directory /usr/lib/<architecture>, where <architecture> is a
+    description of the architecture the package is intended to run on (for
+    example, for an Intel(R) x86-based 64-bit architecture, GNU-compiled it
+    would be 'x86_64-linux-gnu').  In addition, for this example Debian* based
+    distribution, the OpenSSL* header files associated with the OpenSSL*
+    package are placed in directory
     `/usr/include/openssl`.
-    At the time of writing, for a recent Debian* based distribution such as `Ubuntu 18.04.1 LTS`,
-    the version of this packaged OpenSSL* is version `1.1.0g`.  Shared libraries corresponding
-    to this version of OpenSSL* for compiled engine code are placed in directory
-    `usr/lib/<architecture>/engines-1.1`, the `1.1` denoting that the version is in the `1.1.0`
-    series.
-    Use of this option ensures that the Intel(R) QAT OpenSSL* Engine shared library, resulting from
-    carrying out the Intel(R) QAT OpenSSL* Engine build and installation process, is placed in this
-    directory rather than the default.
-    This option is disabled by default.
+    At the time of writing, for a recent Debian* based distribution such as
+    `Ubuntu 18.04.1 LTS`, the version of this packaged OpenSSL* is version
+    `1.1.0g`.  Shared libraries corresponding to this version of OpenSSL* for
+    compiled engine code are placed in directory
+    `usr/lib/<architecture>/engines-1.1`, the `1.1` denoting that the version
+    is in the `1.1.X` series of API compatible releases.
+    Use of this option ensures that the Intel(R) QAT OpenSSL* Engine shared
+    library, resulting from carrying out the Intel(R) QAT OpenSSL* Engine build
+    and installation process, is placed in this directory rather than the
+    default. This option is disabled by default.
+
+--disable-qat_auto_engine_init_on_fork/--enable-qat_auto_engine_init_on_fork
+    Disable/Enable the engine from being initialized automatically following a
+    fork operation. This is useful in a situation where you want to tightly
+    control how many instances are being used for processes. For instance if an
+    application forks to start a process that does not utilize QAT currently
+    the default behaviour is for the engine to still automatically get started
+    in the child using up an engine instance. After using this flag either the
+    engine needs to be initialized manually using the engine message:
+    INIT_ENGINE or will automatically get initialized on the first QAT crypto
+    operation. The initialization on fork is enabled by default.
 
 --with-cc-opt="parameters"
     Sets additional parameters that will be added to the CFLAGS variable at

e_qat.c

@@ -537,6 +537,7 @@ int qat_engine_init(ENGINE *e)
 #define QAT_CMD_ENABLE_INLINE_POLLING (ENGINE_CMD_BASE + 12)
 #define QAT_CMD_ENABLE_HEURISTIC_POLLING (ENGINE_CMD_BASE + 13)
 #define QAT_CMD_GET_NUM_REQUESTS_IN_FLIGHT (ENGINE_CMD_BASE + 14)
+#define QAT_CMD_INIT_ENGINE (ENGINE_CMD_BASE + 15)
 
 static const ENGINE_CMD_DEFN qat_cmd_defns[] = {
     {
@@ -614,6 +615,11 @@ static const ENGINE_CMD_DEFN qat_cmd_defns[] = {
      "GET_NUM_REQUESTS_IN_FLIGHT",
      "Get the number of in-flight requests",
      ENGINE_CMD_FLAG_NUMERIC},
+    {
+     QAT_CMD_INIT_ENGINE,
+     "INIT_ENGINE",
+     "Initializes the engine if not already initialized",
+     ENGINE_CMD_FLAG_NO_INPUT},
     {0, NULL, NULL, 0}
 };
 
@@ -809,13 +815,21 @@ qat_engine_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void))
         }
         break;
 
+    case QAT_CMD_INIT_ENGINE:
+        DEBUG("Init engine\n");
+        if ((retVal = qat_engine_init(e)) == 0) {
+            WARN("Failure initializing engine\n");
+        }
+        break;
+
     default:
         WARN("CTRL command not implemented\n");
         retVal = 0;
         break;
     }
+
     if (!retVal) {
-     QATerr(QAT_F_QAT_ENGINE_CTRL, QAT_R_ENGINE_CTRL_CMD_FAILURE);
+        QATerr(QAT_F_QAT_ENGINE_CTRL, QAT_R_ENGINE_CTRL_CMD_FAILURE);
     }
     return retVal;
 }

qat_fork.c

@@ -79,6 +79,7 @@
 
 void engine_init_child_at_fork_handler(void)
 {
+#ifndef OPENSSL_DISABLE_QAT_AUTO_ENGINE_INIT_ON_FORK
     /* Reinitialise the engine */
     ENGINE* e = ENGINE_by_id(engine_qat_id);
     if (NULL == e) {
@@ -92,6 +93,7 @@ void engine_init_child_at_fork_handler(void)
         QATerr(QAT_F_ENGINE_INIT_CHILD_AT_FORK_HANDLER, QAT_R_ENGINE_INIT_FAILURE);
     }
     ENGINE_free(e);
+#endif
 }
 
 void engine_finish_before_fork_handler(void)