Added CryptoMB private key provider.

[ipuustin]

Commit Message:

Intel's IPP (Integrated Performance Primitives) crypto library has support for multi-buffer crypto operations (see https://github.com/intel/ipp-crypto/tree/develop/sources/ippcp/crypto_mb). Briefly, multi-buffer
cryptography is implemented with AVX-512 IFMA instructions using a SIMD (single instruction, multiple data) mechanism. Up to eight RSA or ECDSA operations are gathered together into a buffer and processed at the same time, providing potentially improved performance. The AVX-512 instructions are available on recently launched 3rd generation Xeon Scalable server processors (Ice Lake server) processors.

This commit adds a private key provider to accelerate RSA and ECDSA crypto operations on recent Intel Xeon processors. Every worker thread has a queue of up-to-eight crypto operations. When the queue is full or when the timer is triggered, the queue is processed and all the pending handshakes are notified.

The potential performance benefit depends on many factors: the size of the cpuset Envoy is running on, incoming traffic pattern, encryption type (RSA or ECDSA), and key size. In my own testing I saw the biggest performance increase when long RSA keys were used on an Envoy running in a fairly limited environment serving lots of new incoming TLS requests.

Additional Description:

One new dependency is introduced: Intel’s ipp-crypto library. The library has to be patched at the moment in order to make it compile against BoringSSL and Bazel build system. The ipp-crypto team has indicated that they will accept the patches and release them in future ipp-crypto versions.

Basic end-to-end tests are provided, and a fake library interface is included for testing on systems without the required AVX-512 instruction set.

Risk Level: Medium (TLS security feature, not enabled by default)
Testing: unit tests, integration tests
Docs Changes: API interface is documented
Release Notes: N/A
Platform Specific Features: Requires Intel 3rd generation Xeon Scalable server processor for the AVX-512 IFMA instruction set.
Fixes: #15871

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/envoy/.
envoyproxy/api-shepherds assignee is @lizan
CC @envoyproxy/api-watchers: FYI only for changes made to api/envoy/.
CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).

🐱

Caused by: #17124 was opened by ipuustin.

see: more, trace.

[moderation]

Remove hardcoded version strip_prefix = "ipp-crypto-ippcp_{version}",

[ipuustin]

Fixed.

[moderation]

Remove hardcoded version urls = ["https://github.com/intel/ipp-crypto/archive/ippcp_{version}.tar.gz"],

[ipuustin]

Fixed.

[moderation]

Results from OSSF Scorecard. Scores need improving based on https://github.com/envoyproxy/envoy/blob/main/DEPENDENCY_POLICY.md#new-external-dependencies

RESULTS
-------
Repo: github.com/intel/ipp-crypto
Active: Fail 10
Automatic-Dependency-Update: Fail 3
Binary-Artifacts: Fail 10
Branch-Protection: Fail 10
CI-Tests: Fail 10
CII-Best-Practices: Fail 10
Code-Review: Pass 10
Contributors: Fail 10
Frozen-Deps: Fail 5
Fuzzing: Fail 10
Packaging: Fail 0
Pull-Requests: Fail 10
SAST: Fail 10
Security-Policy: Pass 10
Signed-Releases: Fail 0
Signed-Tags: Fail 10
Token-Permissions: Pass 10

[lizan]

api review

[lizan]

use DataSource.

[ipuustin]

Fixed.

[lizan]

Any chance these patches can be in ipp-crypto repo directly instead of series of patch ended up here?

[htuch]

I'm quite uncomfortable adding these patches. We are really trying to push back against this, since it makes it very hard to bump in response to CVEs, in particular in security sensitive libraries like this. See further rationale in https://docs.google.com/presentation/d/14uotwhgyo5pb0AXJN_D3a69vchRtAjFRG01jHmdZ-G4/edit#slide=id.ga0aa5b53ee_0_1754.

Can we merge these patches upstream first?

[ipuustin]

I got commitment from the ipp-crypto team that the patches will be part of their next release. I'll ask if the patches could be made part of their development branch already, so that this PR could depend on that before the release is out.

[ggreenway]

I'd prefer to not merge this PR until these patches are committed to the upstream dependency, even if that means using a non-release-branch as the dependency temporarily.

[ipuustin]

Ok, ipp-crypto added the required changes to the development branch, and their plan is to include the patches in 2021.4 release of ipp-crypto. I made the PR point to the development branch and removed the custom patch files.

I did some work to improve the testing coverage, but it may be that the 96% line coverage target is difficult to reach, because tests use a custom software-only implementation of the relevant AVX-512 accelerated functions. See https://storage.googleapis.com/envoy-pr/13aeb26/coverage/source/extensions/private_key_providers/cryptomb/index.html for current coverage situation.

[htuch]

google.protobuf.Duration? If for some reason this doesn't work here, please name the field poll_delay_us or poll_delay_micros.

[ipuustin]

Fixed.

[snowp]

Do we have an assigned sponsor for this extension? As per the extension policy these kind of extensions will need someone shepherding this (especially due to the complexity of this PR) PR

cc @ggreenway @lizan @htuch since ya'll have been somewhat involved in reviewing this already

Since there seems to be some identified delays here around making sure the necessary patches are upstreamed it might be that the contrib/ extension system will have landed by then, at which point we can be a bit more lax about sponsorship requirements

[htuch]

I don't have the cycles right now to be able to sponsor this (but super cool extension). @ipuustin what is your thought on a contrib/ vs. core Envoy extension here?

[ggreenway]

I think this is a good candidate for contrib, and if it receives significant interest/usage, I may sponsor moving it into core at that time.

[htuch]

@ipuustin should we go with contrib/ and close this PR?

[ipuustin]

@htuch Sorry for the delay answering this (I was travelling and am still out of office :-). I now read through the contrib proposal and I think it sounds a good match for CryptoMB private key provider. The extension is clearly relevant only to people who have access to supported hardware. I think that people with that hardware and who are also processing large amounts of TLS requests can find the extension in contrib and take it into use.

Do you know what's the timeline for contrib infrastructure work? And will it be possible to enable particular contrib extensions in Envoy builds just from bazel command line, or will it require file changes?

@ggreenway Thanks for considering to sponsor this extension in the future!

[lizan]

/lgtm api

api lgtm

[htuch]

@mattklein123 is working on contrib/ right now, tracked at #14078.

[ggreenway]

Waiting for /contrib

/wait

[ipuustin]

Let's continue in contrib: #17826