1.. SPDX-License-Identifier: BSD-3-Clause 2 Copyright(c) 2015-2019 Intel Corporation. 3 4Intel(R) QuickAssist (QAT) Crypto Poll Mode Driver 5================================================== 6 7QAT documentation consists of three parts: 8 9* Details of the symmetric and asymmetric crypto services below. 10* Details of the :doc:`compression service <../compressdevs/qat_comp>` 11 in the compressdev drivers section. 12* Details of building the common QAT infrastructure and the PMDs to support the 13 above services. See :ref:`building_qat` below. 14 15 16Symmetric Crypto Service on QAT 17------------------------------- 18 19The QAT symmetric crypto PMD (hereafter referred to as `QAT SYM [PMD]`) provides 20poll mode crypto driver support for the following hardware accelerator devices: 21 22* ``Intel QuickAssist Technology DH895xCC`` 23* ``Intel QuickAssist Technology C62x`` 24* ``Intel QuickAssist Technology C3xxx`` 25* ``Intel QuickAssist Technology 200xx`` 26* ``Intel QuickAssist Technology D15xx`` 27* ``Intel QuickAssist Technology C4xxx`` 28* ``Intel QuickAssist Technology 4xxx`` 29* ``Intel QuickAssist Technology 300xx`` 30* ``Intel QuickAssist Technology 420xx`` 31* ``Intel QuickAssist Technology apfxx`` 32 33 34Features 35~~~~~~~~ 36 37The QAT SYM PMD has support for: 38 39Cipher algorithms: 40 41* ``RTE_CRYPTO_CIPHER_3DES_CBC`` 42* ``RTE_CRYPTO_CIPHER_3DES_CTR`` 43* ``RTE_CRYPTO_CIPHER_AES128_CBC`` 44* ``RTE_CRYPTO_CIPHER_AES192_CBC`` 45* ``RTE_CRYPTO_CIPHER_AES256_CBC`` 46* ``RTE_CRYPTO_CIPHER_AES128_CTR`` 47* ``RTE_CRYPTO_CIPHER_AES192_CTR`` 48* ``RTE_CRYPTO_CIPHER_AES256_CTR`` 49* ``RTE_CRYPTO_CIPHER_AES_XTS`` 50* ``RTE_CRYPTO_CIPHER_SNOW3G_UEA2`` 51* ``RTE_CRYPTO_CIPHER_NULL`` 52* ``RTE_CRYPTO_CIPHER_KASUMI_F8`` 53* ``RTE_CRYPTO_CIPHER_DES_CBC`` 54* ``RTE_CRYPTO_CIPHER_AES_DOCSISBPI`` 55* ``RTE_CRYPTO_CIPHER_DES_DOCSISBPI`` 56* ``RTE_CRYPTO_CIPHER_ZUC_EEA3`` 57 58Hash algorithms: 59 60* ``RTE_CRYPTO_AUTH_SHA1`` 61* ``RTE_CRYPTO_AUTH_SHA1_HMAC`` 62* ``RTE_CRYPTO_AUTH_SHA224`` 63* ``RTE_CRYPTO_AUTH_SHA224_HMAC`` 64* ``RTE_CRYPTO_AUTH_SHA256`` 65* ``RTE_CRYPTO_AUTH_SHA256_HMAC`` 66* ``RTE_CRYPTO_AUTH_SHA384`` 67* ``RTE_CRYPTO_AUTH_SHA384_HMAC`` 68* ``RTE_CRYPTO_AUTH_SHA512`` 69* ``RTE_CRYPTO_AUTH_SHA512_HMAC`` 70* ``RTE_CRYPTO_AUTH_SHA3_224`` 71* ``RTE_CRYPTO_AUTH_SHA3_256`` 72* ``RTE_CRYPTO_AUTH_SHA3_384`` 73* ``RTE_CRYPTO_AUTH_SHA3_512`` 74* ``RTE_CRYPTO_AUTH_AES_XCBC_MAC`` 75* ``RTE_CRYPTO_AUTH_SNOW3G_UIA2`` 76* ``RTE_CRYPTO_AUTH_MD5_HMAC`` 77* ``RTE_CRYPTO_AUTH_NULL`` 78* ``RTE_CRYPTO_AUTH_KASUMI_F9`` 79* ``RTE_CRYPTO_AUTH_AES_GMAC`` 80* ``RTE_CRYPTO_AUTH_ZUC_EIA3`` 81* ``RTE_CRYPTO_AUTH_AES_CMAC`` 82* ``RTE_CRYPTO_AUTH_SM3`` 83* ``RTE_CRYPTO_AUTH_SM3_HMAC`` 84 85Supported AEAD algorithms: 86 87* ``RTE_CRYPTO_AEAD_AES_GCM`` 88* ``RTE_CRYPTO_AEAD_AES_CCM`` 89* ``RTE_CRYPTO_AEAD_CHACHA20_POLY1305`` 90 91Protocol offloads: 92 93* ``RTE_SECURITY_PROTOCOL_DOCSIS`` 94 95Supported Chains 96~~~~~~~~~~~~~~~~ 97 98All the usual chains are supported and also some mixed chains: 99 100.. table:: Supported hash-cipher chains for wireless digest-encrypted cases 101 102 +------------------+-----------+-------------+----------+----------+ 103 | Cipher algorithm | NULL AUTH | SNOW3G UIA2 | ZUC EIA3 | AES CMAC | 104 +==================+===========+=============+==========+==========+ 105 | NULL CIPHER | Y | 2&3 | 2&3 | Y | 106 +------------------+-----------+-------------+----------+----------+ 107 | SNOW3G UEA2 | 2&3 | 1&2&3 | 2&3 | 2&3 | 108 +------------------+-----------+-------------+----------+----------+ 109 | ZUC EEA3 | 2&3 | 2&3 | 2&3 | 2&3 | 110 +------------------+-----------+-------------+----------+----------+ 111 | AES CTR | 1&2&3 | 2&3 | 2&3 | Y | 112 +------------------+-----------+-------------+----------+----------+ 113 114* The combinations marked as "Y" are supported on all QAT hardware versions. 115* The combinations marked as "2&3" are supported on GEN2 and GEN3 QAT hardware only. 116* The combinations marked as "1&2&3" are supported on GEN1, GEN2 and GEN3 QAT hardware only. 117 118 119Limitations 120~~~~~~~~~~~ 121 122* Only supports the session-oriented API implementation (session-less APIs are not supported). 123* SNOW 3G (UEA2), KASUMI (F8) and ZUC (EEA3) supported only if cipher length and offset fields are byte-multiple. 124* SNOW 3G (UIA2) and ZUC (EIA3) supported only if hash length and offset fields are byte-multiple. 125* No BSD support as BSD QAT kernel driver not available. 126* ZUC EEA3/EIA3 is not supported by dh895xcc devices 127* Maximum additional authenticated data (AAD) for GCM is 240 bytes long and must be passed to the device in a buffer rounded up to the nearest block-size multiple (x16) and padded with zeros. 128* Queue-pairs are thread-safe on Intel CPUs but Queues are not (that is, within a single 129 queue-pair all enqueues to the TX queue must be done from one thread and all dequeues 130 from the RX queue must be done from one thread, but enqueues and dequeues may be done 131 in different threads.) 132* A GCM limitation exists, but only in the case where there are multiple 133 generations of QAT devices on a single platform. 134 To optimise performance, the GCM crypto session should be initialised for the 135 device generation to which the ops will be enqueued. Specifically if a GCM 136 session is initialised on a GEN2 device, but then attached to an op enqueued 137 to a GEN3 device, it will work but cannot take advantage of hardware 138 optimisations in the GEN3 device. And if a GCM session is initialised on a 139 GEN3 device, then attached to an op sent to a GEN1/GEN2 device, it will not be 140 enqueued to the device and will be marked as failed. The simplest way to 141 mitigate this is to use the PCI allowlist to avoid mixing devices of different 142 generations in the same process if planning to use for GCM. 143* The mixed algo feature on GEN2 is not supported by all kernel drivers. Check 144 the notes under the Available Kernel Drivers table below for specific details. 145* Out-of-place is not supported for combined Crypto-CRC DOCSIS security 146 protocol. 147* ``RTE_CRYPTO_CIPHER_DES_DOCSISBPI`` is not supported for combined Crypto-CRC 148 DOCSIS security protocol. 149* Multi-segment buffers are not supported for combined Crypto-CRC DOCSIS 150 security protocol. 151 152Extra notes on KASUMI F9 153~~~~~~~~~~~~~~~~~~~~~~~~ 154 155When using KASUMI F9 authentication algorithm, the input buffer must be 156constructed according to the 157`3GPP KASUMI specification <http://cryptome.org/3gpp/35201-900.pdf>`_ 158(section 4.4, page 13). The input buffer has to have COUNT (4 bytes), 159FRESH (4 bytes), MESSAGE and DIRECTION (1 bit) concatenated. After the DIRECTION 160bit, a single '1' bit is appended, followed by between 0 and 7 '0' bits, so that 161the total length of the buffer is multiple of 8 bits. Note that the actual 162message can be any length, specified in bits. 163 164Once this buffer is passed this way, when creating the crypto operation, 165length of data to authenticate "op.sym.auth.data.length" must be the length 166of all the items described above, including the padding at the end. 167Also, offset of data to authenticate "op.sym.auth.data.offset" 168must be such that points at the start of the COUNT bytes. 169 170Asymmetric Crypto Service on QAT 171-------------------------------- 172 173The QAT asymmetric crypto PMD (hereafter referred to as `QAT ASYM [PMD]`) provides 174poll mode crypto driver support for the following hardware accelerator devices: 175 176* ``Intel QuickAssist Technology DH895xCC`` 177* ``Intel QuickAssist Technology C62x`` 178* ``Intel QuickAssist Technology C3xxx`` 179* ``Intel QuickAssist Technology D15xx`` 180* ``Intel QuickAssist Technology C4xxx`` 181* ``Intel QuickAssist Technology 4xxx`` 182* ``Intel QuickAssist Technology 401xxx`` 183* ``Intel QuickAssist Technology 300xx`` 184* ``Intel QuickAssist Technology 420xx`` 185 186The QAT ASYM PMD has support for: 187 188* ``RTE_CRYPTO_ASYM_XFORM_MODEX`` 189* ``RTE_CRYPTO_ASYM_XFORM_MODINV`` 190* ``RTE_CRYPTO_ASYM_XFORM_RSA`` 191* ``RTE_CRYPTO_ASYM_XFORM_ECDSA`` 192* ``RTE_CRYPTO_ASYM_XFORM_ECPM`` 193* ``RTE_CRYPTO_ASYM_XFORM_ECDH`` 194* ``RTE_CRYPTO_ASYM_XFORM_SM2`` 195 196Limitations 197~~~~~~~~~~~ 198 199* Big integers longer than 4096 bits are not supported. 200* Queue-pairs are thread-safe on Intel CPUs but Queues are not (that is, within a single 201 queue-pair all enqueues to the TX queue must be done from one thread and all dequeues 202 from the RX queue must be done from one thread, but enqueues and dequeues may be done 203 in different threads.) 204* RSA-2560, RSA-3584 are not supported 205 206.. _building_qat: 207 208Building PMDs on QAT 209-------------------- 210 211A QAT device can host multiple acceleration services: 212 213* symmetric cryptography 214* data compression 215* asymmetric cryptography 216 217These services are provided to DPDK applications via PMDs which register to 218implement the corresponding cryptodev and compressdev APIs. The PMDs use 219common QAT driver code which manages the QAT PCI device. They also depend on a 220QAT kernel driver being installed on the platform, see :ref:`qat_kernel` below. 221 222 223Configuring and Building the DPDK QAT PMDs 224~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 225 226 227Further information on configuring, building and installing DPDK is described 228:doc:`here <../linux_gsg/build_dpdk>`. 229 230.. _building_qat_config: 231 232Build Configuration 233~~~~~~~~~~~~~~~~~~~ 234 235These are the build configuration options affecting QAT, and their default values: 236 237.. code-block:: console 238 239 RTE_PMD_QAT_MAX_PCI_DEVICES=48 240 RTE_PMD_QAT_COMP_IM_BUFFER_SIZE=65536 241 242Both QAT SYM PMD and QAT ASYM PMD have an external dependency on libcrypto, so are not 243built by default. 244 245Ubuntu 246 247.. code-block:: console 248 249 apt install libssl-dev 250 251RHEL 252 253.. code-block:: console 254 255 dnf install openssl-devel 256 257The QAT compressdev PMD has no external dependencies, so is built by default. 258 259The number of VFs per PF varies - see table below. If multiple QAT packages are 260installed on a platform then RTE_PMD_QAT_MAX_PCI_DEVICES should be 261adjusted to the number of VFs which the QAT common code will need to handle. 262 263.. Note:: 264 265 There are separate config items (not QAT-specific) for max cryptodevs 266 RTE_CRYPTO_MAX_DEVS and max compressdevs RTE_COMPRESS_MAX_DEVS, 267 if necessary these should be adjusted to handle the total of QAT and other 268 devices which the process will use. In particular for crypto, where each 269 QAT VF may expose two crypto devices, sym and asym, it may happen that the 270 number of devices will be bigger than MAX_DEVS and the process will show an error 271 during PMD initialisation. To avoid this problem RTE_CRYPTO_MAX_DEVS may be 272 increased or -a, allow domain:bus:devid:func option may be used. 273 274 275QAT compression PMD needs intermediate buffers to support Deflate compression 276with Dynamic Huffman encoding. RTE_PMD_QAT_COMP_IM_BUFFER_SIZE 277specifies the size of a single buffer, the PMD will allocate a multiple of these, 278plus some extra space for associated meta-data. For GEN2 devices, 20 buffers are 279allocated while for GEN1 devices, 12 buffers are allocated, plus 1472 bytes overhead. 280 281.. Note:: 282 283 If the compressed output of a Deflate operation using Dynamic Huffman 284 Encoding is too big to fit in an intermediate buffer, then the 285 operation will be split into smaller operations and their results will 286 be merged afterwards. 287 This is not possible if any checksum calculation was requested - in such 288 case the code falls back to fixed compression. 289 To avoid this less performant case, applications should configure 290 the intermediate buffer size to be larger than the expected input data size 291 (compressed output size is usually unknown, so the only option is to make 292 larger than the input size). 293 294 295Running QAT PMD with insecure crypto algorithms 296~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 297 298A few insecure crypto algorithms are deprecated from QAT drivers. 299This needs to be reflected in DPDK QAT PMD. 300DPDK QAT PMD has by default disabled all the insecure crypto algorithms from Gen 1, 2, 3 and 4. 301A PMD devarg is used to enable the capability. 302 303- qat_legacy_capa 304 305To use this feature the user must set the devarg on process start as a device additional devarg:: 306 307 -a b1:01.2,qat_legacy_capa=1 308 309 310Running QAT PMD with minimum threshold for burst size 311~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 312 313If only a small number or packets can be enqueued. Each enqueue causes an expensive MMIO write. 314These MMIO write occurrences can be optimised by setting any of the following parameters: 315 316- qat_sym_enq_threshold 317- qat_asym_enq_threshold 318- qat_comp_enq_threshold 319 320When any of these parameters is set rte_cryptodev_enqueue_burst function will 321return 0 (thereby avoiding an MMIO) if the device is congested and number of packets 322possible to enqueue is smaller. 323To use this feature the user must set the parameter on process start as a device additional parameter:: 324 325 -a 03:01.1,qat_sym_enq_threshold=32,qat_comp_enq_threshold=16 326 327All parameters can be used with the same device regardless of order. Parameters are separated 328by comma. When the same parameter is used more than once first occurrence of the parameter 329is used. 330Maximum threshold that can be set is 32. 331 332 333Running QAT PMD with Cipher-CRC offload feature 334~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 335 336Support has been added to the QAT symmetric crypto PMD for combined Cipher-CRC offload, 337primarily for the Crypto-CRC DOCSIS security protocol, on GEN2/GEN3/GEN4 QAT devices. 338 339The following devarg enables a Cipher-CRC offload capability check to determine 340if the feature is supported on the QAT device. 341 342- qat_sym_cipher_crc_enable 343 344When enabled, a capability check for the combined Cipher-CRC offload feature is triggered 345to the QAT firmware during queue pair initialization. If supported by the firmware, 346any subsequent runtime Crypto-CRC DOCSIS security protocol requests handled by the QAT PMD 347are offloaded to the QAT device by setting up the content descriptor and request accordingly. 348If not supported, the CRC is calculated by the QAT PMD using the NET CRC API. 349 350To use this feature the user must set the devarg on process start as a device additional devarg:: 351 352 -a 03:01.1,qat_sym_cipher_crc_enable=1 353 354 355Running QAT PMD with Intel IPsec MB library for symmetric precomputes function 356~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 357 358The QAT PMD uses Intel IPsec MB library for partial hash calculation 359in symmetric precomputes function by default, 360the minimum required version of IPsec MB library is v1.4. 361If this version of IPsec is not met, it will fallback to use OpenSSL. 362ARM will always default to using OpenSSL 363as ARM IPsec MB does not support the necessary algorithms. 364 365 366Device and driver naming 367~~~~~~~~~~~~~~~~~~~~~~~~ 368 369* The qat cryptodev symmetric crypto driver name is "crypto_qat". 370* The qat cryptodev asymmetric crypto driver name is "crypto_qat_asym". 371 372The "rte_cryptodev_devices_get()" returns the devices exposed by either of these drivers. 373 374* Each qat sym crypto device has a unique name, in format 375 "<pci bdf>_<service>", e.g. "0000:41:01.0_qat_sym". 376* Each qat asym crypto device has a unique name, in format 377 "<pci bdf>_<service>", e.g. "0000:41:01.0_qat_asym". 378 This name can be passed to "rte_cryptodev_get_dev_id()" to get the device_id. 379 380.. Note:: 381 382 The cryptodev driver name is passed to the dpdk-test-crypto-perf tool in the "-devtype" parameter. 383 384 The qat crypto device name is in the format of the worker parameter passed to the crypto scheduler. 385 386* The qat compressdev driver name is "compress_qat". 387 The rte_compressdev_devices_get() returns the devices exposed by this driver. 388 389* Each qat compression device has a unique name, in format 390 <pci bdf>_<service>, e.g. "0000:41:01.0_qat_comp". 391 This name can be passed to rte_compressdev_get_dev_id() to get the device_id. 392 393 394Running QAT on Aarch64 based Ampere Altra platform 395~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 396 397Requires Linux kernel v6.0+. 398See also `this kernel patch <https://lkml.org/lkml/2022/6/17/328>`_. 399 400 401.. _qat_kernel: 402 403Dependency on the QAT kernel driver 404~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 405 406To use QAT an SRIOV-enabled QAT kernel driver is required. The VF 407devices created and initialised by this driver will be used by the QAT PMDs. 408 409Instructions for installation are below, but first an explanation of the 410relationships between the PF/VF devices and the PMDs visible to 411DPDK applications. 412 413Each QuickAssist PF device exposes a number of VF devices. Each VF device can 414enable one symmetric cryptodev PMD and/or one asymmetric cryptodev PMD and/or 415one compressdev PMD. 416These QAT PMDs share the same underlying device and pci-mgmt code, but are 417enumerated independently on their respective APIs and appear as independent 418devices to applications. 419 420.. Note:: 421 422 Each VF can only be used by one DPDK process. It is not possible to share 423 the same VF across multiple processes, even if these processes are using 424 different acceleration services. 425 426 Conversely one DPDK process can use one or more QAT VFs and can expose both 427 cryptodev and compressdev instances on each of those VFs. 428 429 430Available kernel drivers 431~~~~~~~~~~~~~~~~~~~~~~~~ 432 433Kernel drivers for each device for each service are listed in the following table. (Scroll right 434to see the full table) 435 436 437.. _table_qat_pmds_drivers: 438 439.. table:: QAT device generations, devices and drivers 440 441 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 442 | S | A | C | Gen | Device | Driver/ver | Kernel Module | Pci Driver | PF Did | #PFs | VF Did | VFs/PF | 443 +=====+=====+=====+=====+==========+===============+===============+============+========+======+========+========+ 444 | Yes | No | No | 1 | DH895xCC | linux/4.4+ | qat_dh895xcc | dh895xcc | 435 | 1 | 443 | 32 | 445 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 446 | Yes | Yes | No | " | " | IDZ/4.12.0+ | " | " | " | " | " | " | 447 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 448 | Yes | Yes | Yes | " | " | IDZ/4.13.0+ | " | " | " | " | " | " | 449 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 450 | Yes | No | No | 2 | C62x | linux/4.5+ | qat_c62x | c6xx | 37c8 | 3 | 37c9 | 16 | 451 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 452 | Yes | Yes | Yes | " | " | IDZ/4.12.0+ | " | " | " | " | " | " | 453 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 454 | Yes | No | No | 2 | C3xxx | linux/4.5+ | qat_c3xxx | c3xxx | 19e2 | 1 | 19e3 | 16 | 455 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 456 | Yes | Yes | Yes | " | " | IDZ/4.12.0+ | " | " | " | " | " | " | 457 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 458 | Yes | No | No | 2 | 200xx | p | qat_200xx | 200xx | 18ee | 1 | 18ef | 16 | 459 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 460 | Yes | No | No | 2 | D15xx | p | qat_d15xx | d15xx | 6f54 | 1 | 6f55 | 16 | 461 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 462 | Yes | Yes | No | 3 | C4xxx | p | qat_c4xxx | c4xxx | 18a0 | 1 | 18a1 | 128 | 463 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 464 | Yes | Yes | No | 4 | 4xxx | linux/5.11+ | qat_4xxx | 4xxx | 4940 | 4 | 4941 | 16 | 465 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 466 | Yes | Yes | Yes | 4 | 4xxx | linux/5.17+ | qat_4xxx | 4xxx | 4940 | 4 | 4941 | 16 | 467 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 468 | Yes | No | No | 4 | 4xxx | IDZ/ N/A | qat_4xxx | 4xxx | 4940 | 4 | 4941 | 16 | 469 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 470 | Yes | Yes | Yes | 4 | 401xxx | linux/5.19+ | qat_4xxx | 4xxx | 4942 | 2 | 4943 | 16 | 471 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 472 | Yes | No | No | 4 | 401xxx | IDZ/ N/A | qat_4xxx | 4xxx | 4942 | 2 | 4943 | 16 | 473 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 474 | Yes | Yes | Yes | 4 | 402xx | linux/6.4+ | qat_4xxx | 4xxx | 4944 | 2 | 4945 | 16 | 475 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 476 | Yes | No | No | 4 | 402xx | IDZ/ N/A | qat_4xxx | 4xxx | 4944 | 2 | 4945 | 16 | 477 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 478 | Yes | Yes | Yes | 5 | 420xx | linux/6.8+ | qat_420xx | 420xx | 4946 | 2 | 4947 | 16 | 479 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 480 481* Note: Symmetric mixed crypto algorithms feature on Gen 2 works only with IDZ driver version 4.9.0+ 482 483The first 3 columns indicate the service: 484 485* S = Symmetric crypto service (via cryptodev API) 486* A = Asymmetric crypto service (via cryptodev API) 487* C = Compression service (via compressdev API) 488 489The ``Driver`` column indicates either the Linux kernel version in which 490support for this device was introduced or a driver available on Intel Developer Zone (IDZ). 491There are both linux in-tree and IDZ kernel drivers available for some 492devices. p = release pending. 493 494If you are running on a kernel which includes a driver for your device, see 495`Installation using kernel.org driver`_ below. Otherwise see 496`Installation using IDZ QAT driver`_. 497 498.. note:: 499 500 The asymmetric service is not supported by DPDK QAT PMD for the Gen 3 platform. 501 The actual crypto services enabled on the system depend 502 on QAT driver capabilities and hardware slice configuration. 503 504Installation using kernel.org driver 505~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 506 507The examples below are based on the C62x device, if you have a different device 508use the corresponding values in the above table. 509 510In BIOS ensure that SRIOV is enabled and either: 511 512* Disable VT-d or 513* Enable VT-d and set ``"intel_iommu=on iommu=pt"`` in the grub file. 514 515Check that the QAT driver is loaded on your system, by executing:: 516 517 lsmod | grep qa 518 519You should see the kernel module for your device listed, e.g.:: 520 521 qat_c62x 5626 0 522 intel_qat 82336 1 qat_c62x 523 524Next, you need to expose the Virtual Functions (VFs) using the sysfs file system. 525 526First find the BDFs (Bus-Device-Function) of the physical functions (PFs) of 527your device, e.g.:: 528 529 lspci -d:37c8 530 531You should see output similar to:: 532 533 1a:00.0 Co-processor: Intel Corporation Device 37c8 534 3d:00.0 Co-processor: Intel Corporation Device 37c8 535 3f:00.0 Co-processor: Intel Corporation Device 37c8 536 537Enable the VFs for each PF by echoing the number of VFs per PF to the pci driver:: 538 539 echo 16 > /sys/bus/pci/drivers/c6xx/0000:1a:00.0/sriov_numvfs 540 echo 16 > /sys/bus/pci/drivers/c6xx/0000:3d:00.0/sriov_numvfs 541 echo 16 > /sys/bus/pci/drivers/c6xx/0000:3f:00.0/sriov_numvfs 542 543Check that the VFs are available for use. For example ``lspci -d:37c9`` should 544list 48 VF devices available for a ``C62x`` device. 545 546To complete the installation follow the instructions in 547`Binding the available VFs to the vfio-pci driver`_. 548 549.. Note:: 550 551 If the QAT kernel modules are not loaded and you see an error like ``Failed 552 to load MMP firmware qat_895xcc_mmp.bin`` in kernel logs, this may be as a 553 result of not using a distribution, but just updating the kernel directly. 554 555 Download firmware from the `kernel firmware repo 556 <http://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/tree/>`_. 557 558 Copy qat binaries to ``/lib/firmware``:: 559 560 cp qat_895xcc.bin /lib/firmware 561 cp qat_895xcc_mmp.bin /lib/firmware 562 563 Change to your linux source root directory and start the qat kernel modules:: 564 565 insmod ./drivers/crypto/qat/qat_common/intel_qat.ko 566 insmod ./drivers/crypto/qat/qat_dh895xcc/qat_dh895xcc.ko 567 568.. Note:: 569 570 If you see the following warning in ``/var/log/messages`` it can be ignored: 571 ``IOMMU should be enabled for SR-IOV to work correctly``. 572 573 574Installation using IDZ QAT driver 575~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 576 577Download the latest QuickAssist Technology Driver from `Intel Developer Zone 578<https://developer.intel.com/quickassist>`_. 579Consult the *Quick Start Guide* at the same URL for further information. 580 581The steps below assume you are: 582 583* Building on a platform with one ``C62x`` device. 584* Using package ``qat1.7.l.4.2.0-000xx.tar.gz``. 585* On Fedora26 kernel ``4.11.11-300.fc26.x86_64``. 586 587In the BIOS ensure that SRIOV is enabled and VT-d is disabled. 588 589Uninstall any existing QAT driver, for example by running: 590 591* ``./installer.sh uninstall`` in the directory where originally installed. 592 593 594Build and install the SRIOV-enabled QAT driver:: 595 596 mkdir /QAT 597 cd /QAT 598 599 # Copy the package to this location and unpack 600 tar zxof qat1.7.l.4.2.0-000xx.tar.gz 601 602 ./configure --enable-icp-sriov=host 603 make install 604 605You can use ``cat /sys/kernel/debug/qat<your device type and bdf>/version/fw`` to confirm the driver is correctly installed and is using firmware version 4.2.0. 606You can use ``lspci -d:37c9`` to confirm the presence of the 16 VF devices available per ``C62x`` PF. 607 608Confirm the driver is correctly installed and is using firmware version 4.2.0:: 609 610 cat /sys/kernel/debug/qat<your device type and bdf>/version/fw 611 612 613Confirm the presence of 48 VF devices - 16 per PF:: 614 615 lspci -d:37c9 616 617 618To complete the installation - follow instructions in 619`Binding the available VFs to the vfio-pci driver`_. 620 621.. Note:: 622 623 If using a later kernel and the build fails with an error relating to 624 ``strict_stroul`` not being available apply the following patch: 625 626 .. code-block:: diff 627 628 /QAT/QAT1.6/quickassist/utilities/downloader/Target_CoreLibs/uclo/include/linux/uclo_platform.h 629 + #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,18,5) 630 + #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; if (kstrtoul((str), (base), (num))) printk("Error strtoull convert %s\n", str); } 631 + #else 632 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,38) 633 #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; if (strict_strtoull((str), (base), (num))) printk("Error strtoull convert %s\n", str); } 634 #else 635 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25) 636 #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; strict_strtoll((str), (base), (num));} 637 #else 638 #define STR_TO_64(str, base, num, endPtr) \ 639 do { \ 640 if (str[0] == '-') \ 641 { \ 642 *(num) = -(simple_strtoull((str+1), &(endPtr), (base))); \ 643 }else { \ 644 *(num) = simple_strtoull((str), &(endPtr), (base)); \ 645 } \ 646 } while(0) 647 + #endif 648 #endif 649 #endif 650 651 652.. Note:: 653 654 If the build fails due to missing header files you may need to do following:: 655 656 sudo yum install zlib-devel 657 sudo yum install openssl-devel 658 sudo yum install libudev-devel 659 660.. Note:: 661 662 If the build or install fails due to mismatching kernel sources you may need to do the following:: 663 664 sudo yum install kernel-headers-`uname -r` 665 sudo yum install kernel-src-`uname -r` 666 sudo yum install kernel-devel-`uname -r` 667 668.. Note:: 669 670 If the build fails on newer GCC versions (such as GCC 12) with an error relating to 671 ``-lc`` not being found, apply the following patch: 672 673 .. code-block:: diff 674 675 /QAT/quickassist/lookaside/access_layer/src/Makefile 676 cd $(ICP_FINAL_OUTPUT_DIR);\ 677 cmd="$(LINKER) $(LIB_SHARED_FLAGS) -o \ 678 $(LIB_SHARED) $(ADDITIONAL_OBJECTS) $(ADDITIONAL_LIBS) *.o -lpthread -ludev \ 679 - -Bstatic -L$(ADF_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL) \ 680 - -ladf_user -L$(OSAL_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL)/ \ 681 - -losal -Bdynamic -lc"; \ 682 + -Bstatic -L$(ADF_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL) \ 683 + -ladf_user -L$(OSAL_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL)/ \ 684 + -losal -Bdynamic -L/lib/x86_64-linux-gnu/ -lc"; \ 685 echo "$$cmd"; \ 686 $$cmd 687 688 Followed by this patch: 689 690 .. code-block:: diff 691 692 /QAT/quickassist/build_system/build_files/OS/linux_common_user_space_rules.mk 693 @echo 'Creating shared library ${LIB_SHARED}'; \ 694 cd $($(PROG_ACY)_FINAL_OUTPUT_DIR);\ 695 - echo $(LINKER) $(LIB_SHARED_FLAGS) -o $@ $(OBJECTS) $(ADDITIONAL_OBJECTS) -lc;\ 696 - $(LINKER) $(LIB_SHARED_FLAGS) -o $@ $(OBJECTS) $(ADDITIONAL_OBJECTS) -lc ; 697 + echo $(LINKER) $(LIB_SHARED_FLAGS) -o $@ $(OBJECTS) $(ADDITIONAL_OBJECTS) \ 698 + -L/lib/x86_64-linux-gnu/ -lc;\ 699 + $(LINKER) $(LIB_SHARED_FLAGS) -o $@ $(OBJECTS) $(ADDITIONAL_OBJECTS) \ 700 + -L/lib/x86_64-linux-gnu/ -lc ; 701 702 703Binding the available VFs to the vfio-pci driver 704~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 705 706Note: 707 708* Please note that due to security issues, the usage of older DPDK igb_uio 709 driver is not recommended. This document shows how to use the more secure 710 vfio-pci driver. 711* If QAT fails to bind to vfio-pci on Linux kernel 5.9+, please see the 712 QATE-39220 and QATE-7495 issues in 713 `IDZ doc <https://cdrdv2.intel.com/v1/dl/getContent/710057?explicitVersion=true>`_ 714 which details the constraint about trusted guests and add `disable_denylist=1` 715 to the vfio-pci params to use QAT. See also `this patch description <https://lkml.org/lkml/2020/7/23/1155>`_. 716 717Unbind the VFs from the stock driver so they can be bound to the vfio-pci driver. 718 719For an Intel(R) QuickAssist Technology DH895xCC device 720^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 721 722The unbind command below assumes ``BDFs`` of ``03:01.00-03:04.07``, if your 723VFs are different adjust the unbind command below:: 724 725 cd to the top-level DPDK directory 726 for device in $(seq 1 4); do \ 727 for fn in $(seq 0 7); do \ 728 usertools/dpdk-devbind.py -u 0000:03:0${device}.${fn}; \ 729 done; \ 730 done 731 732For an Intel(R) QuickAssist Technology C62x device 733^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 734 735The unbind command below assumes ``BDFs`` of ``1a:01.00-1a:02.07``, 736``3d:01.00-3d:02.07`` and ``3f:01.00-3f:02.07``, if your VFs are different 737adjust the unbind command below:: 738 739 cd to the top-level DPDK directory 740 for device in $(seq 1 2); do \ 741 for fn in $(seq 0 7); do \ 742 usertools/dpdk-devbind.py -u 0000:1a:0${device}.${fn}; \ 743 usertools/dpdk-devbind.py -u 0000:3d:0${device}.${fn}; \ 744 usertools/dpdk-devbind.py -u 0000:3f:0${device}.${fn}; \ 745 done; \ 746 done 747 748For Intel(R) QuickAssist Technology C3xxx or 200xx or D15xx device 749^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 750 751The unbind command below assumes ``BDFs`` of ``01:01.00-01:02.07``, if your 752VFs are different adjust the unbind command below:: 753 754 cd to the top-level DPDK directory 755 for device in $(seq 1 2); do \ 756 for fn in $(seq 0 7); do \ 757 usertools/dpdk-devbind.py -u 0000:01:0${device}.${fn}; \ 758 done; \ 759 done 760 761Bind to the vfio-pci driver 762^^^^^^^^^^^^^^^^^^^^^^^^^^^ 763 764Load the vfio-pci driver, bind the VF PCI Device id to it using the 765``dpdk-devbind.py`` script then use the ``--status`` option 766to confirm the VF devices are now in use by vfio-pci kernel driver, 767e.g. for the C62x device:: 768 769 cd to the top-level DPDK directory 770 modprobe vfio-pci 771 usertools/dpdk-devbind.py -b vfio-pci 0000:03:01.1 772 usertools/dpdk-devbind.py --status 773 774Use ``modprobe vfio-pci disable_denylist=1`` from kernel 5.9 onwards. 775See note in the section `Binding the available VFs to the vfio-pci driver`_ 776above. 777 778Testing 779~~~~~~~ 780 781QAT SYM crypto PMD can be tested by running the test application:: 782 783 cd ./<build_dir>/app/test 784 ./dpdk-test -l1 -n1 -a <your qat bdf> 785 RTE>>cryptodev_qat_autotest 786 787QAT ASYM crypto PMD can be tested by running the test application:: 788 789 cd ./<build_dir>/app/test 790 ./dpdk-test -l1 -n1 -a <your qat bdf> 791 RTE>>cryptodev_qat_asym_autotest 792 793QAT compression PMD can be tested by running the test application:: 794 795 cd ./<build_dir>/app/test 796 ./dpdk-test -l1 -n1 -a <your qat bdf> 797 RTE>>compressdev_autotest 798 799 800Debugging 801~~~~~~~~~ 802 803There are 2 sets of trace available via the dynamic logging feature: 804 805* pmd.qat.dp exposes trace on the data-path. 806* pmd.qat.general exposes all other trace. 807 808pmd.qat exposes both sets of traces. 809They can be enabled using the log-level option (where 8=maximum log level) on 810the process cmdline, e.g. using any of the following:: 811 812 --log-level="pmd.qat.general,8" 813 --log-level="pmd.qat.dp,8" 814 --log-level="pmd.qat,8" 815 816.. Note:: 817 818 The global RTE_LOG_DP_LEVEL overrides data-path trace so must be set to 819 RTE_LOG_DEBUG to see all the trace. This variable is in config/rte_config.h 820 for meson build. 821 Also the dynamic global log level overrides both sets of trace, so e.g. no 822 QAT trace would display in this case:: 823 824 --log-level="7" --log-level="pmd.qat.general,8" 825