xref: /dpdk/doc/guides/cryptodevs/qat.rst (revision 0a081a5fd26fbdae00a34541924d798b6dd4a63e) 
1..  BSD LICENSE
2    Copyright(c) 2015-2016 Intel Corporation. All rights reserved.
3
4    Redistribution and use in source and binary forms, with or without
5    modification, are permitted provided that the following conditions
6    are met:
7
8    * Redistributions of source code must retain the above copyright
9    notice, this list of conditions and the following disclaimer.
10    * Redistributions in binary form must reproduce the above copyright
11    notice, this list of conditions and the following disclaimer in
12    the documentation and/or other materials provided with the
13    distribution.
14    * Neither the name of Intel Corporation nor the names of its
15    contributors may be used to endorse or promote products derived
16    from this software without specific prior written permission.
17
18    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19    "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20    LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21    A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
22    OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
23    SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
24    LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26    THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27    (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28    OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29
30Intel(R) QuickAssist (QAT) Crypto Poll Mode Driver
31==================================================
32
33The QAT PMD provides poll mode crypto driver support for the following
34hardware accelerator devices:
35
36* ``Intel QuickAssist Technology DH895xCC``
37* ``Intel QuickAssist Technology C62x``
38* ``Intel QuickAssist Technology C3xxx``
39* ``Intel QuickAssist Technology D15xx``
40
41
42Features
43--------
44
45The QAT PMD has support for:
46
47Cipher algorithms:
48
49* ``RTE_CRYPTO_CIPHER_3DES_CBC``
50* ``RTE_CRYPTO_CIPHER_3DES_CTR``
51* ``RTE_CRYPTO_CIPHER_AES128_CBC``
52* ``RTE_CRYPTO_CIPHER_AES192_CBC``
53* ``RTE_CRYPTO_CIPHER_AES256_CBC``
54* ``RTE_CRYPTO_CIPHER_AES128_CTR``
55* ``RTE_CRYPTO_CIPHER_AES192_CTR``
56* ``RTE_CRYPTO_CIPHER_AES256_CTR``
57* ``RTE_CRYPTO_CIPHER_SNOW3G_UEA2``
58* ``RTE_CRYPTO_CIPHER_NULL``
59* ``RTE_CRYPTO_CIPHER_KASUMI_F8``
60* ``RTE_CRYPTO_CIPHER_DES_CBC``
61* ``RTE_CRYPTO_CIPHER_AES_DOCSISBPI``
62* ``RTE_CRYPTO_CIPHER_DES_DOCSISBPI``
63* ``RTE_CRYPTO_CIPHER_ZUC_EEA3``
64
65Hash algorithms:
66
67* ``RTE_CRYPTO_AUTH_SHA1_HMAC``
68* ``RTE_CRYPTO_AUTH_SHA224_HMAC``
69* ``RTE_CRYPTO_AUTH_SHA256_HMAC``
70* ``RTE_CRYPTO_AUTH_SHA384_HMAC``
71* ``RTE_CRYPTO_AUTH_SHA512_HMAC``
72* ``RTE_CRYPTO_AUTH_AES_XCBC_MAC``
73* ``RTE_CRYPTO_AUTH_SNOW3G_UIA2``
74* ``RTE_CRYPTO_AUTH_MD5_HMAC``
75* ``RTE_CRYPTO_AUTH_NULL``
76* ``RTE_CRYPTO_AUTH_KASUMI_F9``
77* ``RTE_CRYPTO_AUTH_AES_GMAC``
78* ``RTE_CRYPTO_AUTH_ZUC_EIA3``
79
80Supported AEAD algorithms:
81* ``RTE_CRYPTO_AEAD_AES_GCM``
82
83
84Limitations
85-----------
86
87* Only supports the session-oriented API implementation (session-less APIs are not supported).
88* SNOW 3G (UEA2), KASUMI (F8) and ZUC (EEA3) supported only if cipher length and offset fields are byte-multiple.
89* SNOW 3G (UIA2) and ZUC (EIA3) supported only if hash length and offset fields are byte-multiple.
90* No BSD support as BSD QAT kernel driver not available.
91* ZUC EEA3/EIA3 is not supported by dh895xcc devices
92* Maximum additional authenticated data (AAD) for GCM is 240 bytes long.
93* Queue pairs are not thread-safe (that is, within a single queue pair, RX and TX from different lcores is not supported).
94
95
96Installation
97------------
98
99To enable QAT in DPDK, follow the instructions for modifying the compile-time
100configuration file as described `here <http://dpdk.org/doc/guides/linux_gsg/build_dpdk.html>`_.
101
102Quick instructions are as follows:
103
104.. code-block:: console
105
106	cd to the top-level DPDK directory
107	make config T=x86_64-native-linuxapp-gcc
108	sed -i 's,\(CONFIG_RTE_LIBRTE_PMD_QAT\)=n,\1=y,' build/.config
109	make
110
111To use the DPDK QAT PMD an SRIOV-enabled QAT kernel driver is required. The VF
112devices exposed by this driver will be used by the QAT PMD. The devices and
113available kernel drivers and device ids are :
114
115.. _table_qat_pmds_drivers:
116
117.. table:: QAT device generations, devices and drivers
118
119   +-----+----------+--------+---------------+------------+--------+------+--------+--------+
120   | Gen | Device   | Driver | Kernel Module | Pci Driver | PF Did | #PFs | Vf Did | VFs/PF |
121   +=====+==========+========+===============+============+========+======+========+========+
122   | 1   | DH895xCC | 01.org | icp_qa_al     | n/a        | 435    | 1    | 443    | 32     |
123   +-----+----------+--------+---------------+------------+--------+------+--------+--------+
124   | 1   | DH895xCC | 4.4+   | qat_dh895xcc  | dh895xcc   | 435    | 1    | 443    | 32     |
125   +-----+----------+--------+---------------+------------+--------+------+--------+--------+
126   | 2   | C62x     | 4.5+   | qat_c62x      | c6xx       | 37c8   | 3    | 37c9   | 16     |
127   +-----+----------+--------+---------------+------------+--------+------+--------+--------+
128   | 2   | C3xxx    | 4.5+   | qat_c3xxx     | c3xxx      | 19e2   | 1    | 19e3   | 16     |
129   +-----+----------+--------+---------------+------------+--------+------+--------+--------+
130   | 2   | D15xx    | p      | qat_d15xx     | d15xx      | 6f54   | 1    | 6f55   | 16     |
131   +-----+----------+--------+---------------+------------+--------+------+--------+--------+
132
133
134The ``Driver`` column indicates either the Linux kernel version in which
135support for this device was introduced or a driver available on Intel's 01.org
136website. There are both linux and 01.org kernel drivers available for some
137devices. p = release pending.
138
139If you are running on a kernel which includes a driver for your device, see
140`Installation using kernel.org driver`_ below. Otherwise see
141`Installation using 01.org QAT driver`_.
142
143
144Installation using kernel.org driver
145------------------------------------
146
147The examples below are based on the C62x device, if you have a different device
148use the corresponding values in the above table.
149
150In BIOS ensure that SRIOV is enabled and either:
151
152* Disable VT-d or
153* Enable VT-d and set ``"intel_iommu=on iommu=pt"`` in the grub file.
154
155Check that the QAT driver is loaded on your system, by executing::
156
157    lsmod | grep qa
158
159You should see the kernel module for your device listed, e.g.::
160
161    qat_c62x               5626  0
162    intel_qat              82336  1 qat_c62x
163
164Next, you need to expose the Virtual Functions (VFs) using the sysfs file system.
165
166First find the BDFs (Bus-Device-Function) of the physical functions (PFs) of
167your device, e.g.::
168
169    lspci -d : 37c8
170
171You should see output similar to::
172
173    1a:00.0 Co-processor: Intel Corporation Device 37c8
174    3d:00.0 Co-processor: Intel Corporation Device 37c8
175    3f:00.0 Co-processor: Intel Corporation Device 37c8
176
177Enable the VFs for each PF by echoing the number of VFs per PF to the pci driver::
178
179     echo 16 > /sys/bus/pci/drivers/c6xx/0000:1a:00.0/sriov_numvfs
180     echo 16 > /sys/bus/pci/drivers/c6xx/0000:3d:00.0/sriov_numvfs
181     echo 16 > /sys/bus/pci/drivers/c6xx/0000:3f:00.0/sriov_numvfs
182
183Check that the VFs are available for use. For example ``lspci -d:37c9`` should
184list 48 VF devices available for a ``C62x`` device.
185
186To complete the installation follow the instructions in
187`Binding the available VFs to the DPDK UIO driver`_.
188
189.. Note::
190
191   If the QAT kernel modules are not loaded and you see an error like ``Failed
192   to load MMP firmware qat_895xcc_mmp.bin`` in kernel logs, this may be as a
193   result of not using a distribution, but just updating the kernel directly.
194
195   Download firmware from the `kernel firmware repo
196   <http://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/tree/>`_.
197
198   Copy qat binaries to ``/lib/firmware``::
199
200      cp qat_895xcc.bin /lib/firmware
201      cp qat_895xcc_mmp.bin /lib/firmware
202
203   Change to your linux source root directory and start the qat kernel modules::
204
205      insmod ./drivers/crypto/qat/qat_common/intel_qat.ko
206      insmod ./drivers/crypto/qat/qat_dh895xcc/qat_dh895xcc.ko
207
208
209.. Note::
210
211   If you see the following warning in ``/var/log/messages`` it can be ignored:
212   ``IOMMU should be enabled for SR-IOV to work correctly``.
213
214
215Installation using 01.org QAT driver
216------------------------------------
217
218Download the latest QuickAssist Technology Driver from `01.org
219<https://01.org/packet-processing/intel%C2%AE-quickassist-technology-drivers-and-patches>`_.
220Consult the *Getting Started Guide* at the same URL for further information.
221
222The steps below assume you are:
223
224* Building on a platform with one ``DH895xCC`` device.
225* Using package ``qatmux.l.2.3.0-34.tgz``.
226* On Fedora21 kernel ``3.17.4-301.fc21.x86_64``.
227
228In the BIOS ensure that SRIOV is enabled and VT-d is disabled.
229
230Uninstall any existing QAT driver, for example by running:
231
232* ``./installer.sh uninstall`` in the directory where originally installed.
233
234* or ``rmmod qat_dh895xcc; rmmod intel_qat``.
235
236Build and install the SRIOV-enabled QAT driver::
237
238    mkdir /QAT
239    cd /QAT
240
241    # Copy qatmux.l.2.3.0-34.tgz to this location
242    tar zxof qatmux.l.2.3.0-34.tgz
243
244    export ICP_WITHOUT_IOMMU=1
245    ./installer.sh install QAT1.6 host
246
247You can use ``cat /proc/icp_dh895xcc_dev0/version`` to confirm the driver is correctly installed.
248You can use ``lspci -d:443`` to confirm the  of the 32 VF devices available per ``DH895xCC`` device.
249
250To complete the installation - follow instructions in `Binding the available VFs to the DPDK UIO driver`_.
251
252.. Note::
253
254   If using a later kernel and the build fails with an error relating to
255   ``strict_stroul`` not being available apply the following patch:
256
257   .. code-block:: diff
258
259      /QAT/QAT1.6/quickassist/utilities/downloader/Target_CoreLibs/uclo/include/linux/uclo_platform.h
260      + #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,18,5)
261      + #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; if (kstrtoul((str), (base), (num))) printk("Error strtoull convert %s\n", str); }
262      + #else
263      #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,38)
264      #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; if (strict_strtoull((str), (base), (num))) printk("Error strtoull convert %s\n", str); }
265      #else
266      #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25)
267      #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; strict_strtoll((str), (base), (num));}
268      #else
269      #define STR_TO_64(str, base, num, endPtr)                                 \
270           do {                                                               \
271                 if (str[0] == '-')                                           \
272                 {                                                            \
273                      *(num) = -(simple_strtoull((str+1), &(endPtr), (base))); \
274                 }else {                                                      \
275                      *(num) = simple_strtoull((str), &(endPtr), (base));      \
276                 }                                                            \
277           } while(0)
278      + #endif
279      #endif
280      #endif
281
282
283.. Note::
284
285   If the build fails due to missing header files you may need to do following::
286
287      sudo yum install zlib-devel
288      sudo yum install openssl-devel
289
290.. Note::
291
292   If the build or install fails due to mismatching kernel sources you may need to do the following::
293
294      sudo yum install kernel-headers-`uname -r`
295      sudo yum install kernel-src-`uname -r`
296      sudo yum install kernel-devel-`uname -r`
297
298
299Binding the available VFs to the DPDK UIO driver
300------------------------------------------------
301
302Unbind the VFs from the stock driver so they can be bound to the uio driver.
303
304For an Intel(R) QuickAssist Technology DH895xCC device
305~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
306
307The unbind command below assumes ``BDFs`` of ``03:01.00-03:04.07``, if your
308VFs are different adjust the unbind command below::
309
310    for device in $(seq 1 4); do \
311        for fn in $(seq 0 7); do \
312            echo -n 0000:03:0${device}.${fn} > \
313            /sys/bus/pci/devices/0000\:03\:0${device}.${fn}/driver/unbind; \
314        done; \
315    done
316
317For an Intel(R) QuickAssist Technology C62x device
318~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
319
320The unbind command below assumes ``BDFs`` of ``1a:01.00-1a:02.07``,
321``3d:01.00-3d:02.07`` and ``3f:01.00-3f:02.07``, if your VFs are different
322adjust the unbind command below::
323
324    for device in $(seq 1 2); do \
325        for fn in $(seq 0 7); do \
326            echo -n 0000:1a:0${device}.${fn} > \
327            /sys/bus/pci/devices/0000\:1a\:0${device}.${fn}/driver/unbind; \
328
329            echo -n 0000:3d:0${device}.${fn} > \
330            /sys/bus/pci/devices/0000\:3d\:0${device}.${fn}/driver/unbind; \
331
332            echo -n 0000:3f:0${device}.${fn} > \
333            /sys/bus/pci/devices/0000\:3f\:0${device}.${fn}/driver/unbind; \
334        done; \
335    done
336
337For Intel(R) QuickAssist Technology C3xxx or D15xx device
338~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
339
340The unbind command below assumes ``BDFs`` of ``01:01.00-01:02.07``, if your
341VFs are different adjust the unbind command below::
342
343    for device in $(seq 1 2); do \
344        for fn in $(seq 0 7); do \
345            echo -n 0000:01:0${device}.${fn} > \
346            /sys/bus/pci/devices/0000\:01\:0${device}.${fn}/driver/unbind; \
347        done; \
348    done
349
350Bind to the DPDK uio driver
351~~~~~~~~~~~~~~~~~~~~~~~~~~~
352
353Install the DPDK igb_uio driver, bind the VF PCI Device id to it and use lspci
354to confirm the VF devices are now in use by igb_uio kernel driver,
355e.g. for the C62x device::
356
357    cd to the top-level DPDK directory
358    modprobe uio
359    insmod ./build/kmod/igb_uio.ko
360    echo "8086 37c9" > /sys/bus/pci/drivers/igb_uio/new_id
361    lspci -vvd:37c9
362
363
364Another way to bind the VFs to the DPDK UIO driver is by using the
365``dpdk-devbind.py`` script::
366
367    cd to the top-level DPDK directory
368    ./usertools/dpdk-devbind.py -b igb_uio 0000:03:01.1
369
370
371Extra notes on KASUMI F9
372------------------------
373
374When using KASUMI F9 authentication algorithm, the input buffer must be
375constructed according to the 3GPP KASUMI specifications (section 4.4, page 13):
376`<http://cryptome.org/3gpp/35201-900.pdf>`_.
377Input buffer has to have COUNT (4 bytes), FRESH (4 bytes), MESSAGE and DIRECTION (1 bit)
378concatenated. After the DIRECTION bit, a single '1' bit is appended, followed by
379between 0 and 7 '0' bits, so that the total length of the buffer is multiple of 8 bits.
380Note that the actual message can be any length, specified in bits.
381
382Once this buffer is passed this way, when creating the crypto operation,
383length of data to authenticate (op.sym.auth.data.length) must be the length
384of all the items described above, including the padding at the end.
385Also, offset of data to authenticate (op.sym.auth.data.offset)
386must be such that points at the start of the COUNT bytes.
387