xref: /dpdk/doc/guides/cryptodevs/qat.rst (revision 3a80d7fb2ecdd6e8e48e56e3726b26980fa2a089) 
1..  SPDX-License-Identifier: BSD-3-Clause
2    Copyright(c) 2015-2019 Intel Corporation.
3
4Intel(R) QuickAssist (QAT) Crypto Poll Mode Driver
5==================================================
6
7QAT documentation consists of three parts:
8
9* Details of the symmetric and asymmetric crypto services below.
10* Details of the :doc:`compression service <../compressdevs/qat_comp>`
11  in the compressdev drivers section.
12* Details of building the common QAT infrastructure and the PMDs to support the
13  above services. See :ref:`building_qat` below.
14
15
16Symmetric Crypto Service on QAT
17-------------------------------
18
19The QAT symmetric crypto PMD (hereafter referred to as `QAT SYM [PMD]`) provides
20poll mode crypto driver support for the following hardware accelerator devices:
21
22* ``Intel QuickAssist Technology DH895xCC``
23* ``Intel QuickAssist Technology C62x``
24* ``Intel QuickAssist Technology C3xxx``
25* ``Intel QuickAssist Technology 200xx``
26* ``Intel QuickAssist Technology D15xx``
27* ``Intel QuickAssist Technology C4xxx``
28* ``Intel QuickAssist Technology 4xxx``
29
30
31Features
32~~~~~~~~
33
34The QAT SYM PMD has support for:
35
36Cipher algorithms:
37
38* ``RTE_CRYPTO_CIPHER_3DES_CBC``
39* ``RTE_CRYPTO_CIPHER_3DES_CTR``
40* ``RTE_CRYPTO_CIPHER_AES128_CBC``
41* ``RTE_CRYPTO_CIPHER_AES192_CBC``
42* ``RTE_CRYPTO_CIPHER_AES256_CBC``
43* ``RTE_CRYPTO_CIPHER_AES128_CTR``
44* ``RTE_CRYPTO_CIPHER_AES192_CTR``
45* ``RTE_CRYPTO_CIPHER_AES256_CTR``
46* ``RTE_CRYPTO_CIPHER_AES_XTS``
47* ``RTE_CRYPTO_CIPHER_SNOW3G_UEA2``
48* ``RTE_CRYPTO_CIPHER_NULL``
49* ``RTE_CRYPTO_CIPHER_KASUMI_F8``
50* ``RTE_CRYPTO_CIPHER_DES_CBC``
51* ``RTE_CRYPTO_CIPHER_AES_DOCSISBPI``
52* ``RTE_CRYPTO_CIPHER_DES_DOCSISBPI``
53* ``RTE_CRYPTO_CIPHER_ZUC_EEA3``
54
55Hash algorithms:
56
57* ``RTE_CRYPTO_AUTH_SHA1``
58* ``RTE_CRYPTO_AUTH_SHA1_HMAC``
59* ``RTE_CRYPTO_AUTH_SHA224``
60* ``RTE_CRYPTO_AUTH_SHA224_HMAC``
61* ``RTE_CRYPTO_AUTH_SHA256``
62* ``RTE_CRYPTO_AUTH_SHA256_HMAC``
63* ``RTE_CRYPTO_AUTH_SHA384``
64* ``RTE_CRYPTO_AUTH_SHA384_HMAC``
65* ``RTE_CRYPTO_AUTH_SHA512``
66* ``RTE_CRYPTO_AUTH_SHA512_HMAC``
67* ``RTE_CRYPTO_AUTH_SHA3_224``
68* ``RTE_CRYPTO_AUTH_SHA3_256``
69* ``RTE_CRYPTO_AUTH_SHA3_384``
70* ``RTE_CRYPTO_AUTH_SHA3_512``
71* ``RTE_CRYPTO_AUTH_AES_XCBC_MAC``
72* ``RTE_CRYPTO_AUTH_SNOW3G_UIA2``
73* ``RTE_CRYPTO_AUTH_MD5_HMAC``
74* ``RTE_CRYPTO_AUTH_NULL``
75* ``RTE_CRYPTO_AUTH_KASUMI_F9``
76* ``RTE_CRYPTO_AUTH_AES_GMAC``
77* ``RTE_CRYPTO_AUTH_ZUC_EIA3``
78* ``RTE_CRYPTO_AUTH_AES_CMAC``
79
80Supported AEAD algorithms:
81
82* ``RTE_CRYPTO_AEAD_AES_GCM``
83* ``RTE_CRYPTO_AEAD_AES_CCM``
84* ``RTE_CRYPTO_AEAD_CHACHA20_POLY1305``
85
86Protocol offloads:
87
88* ``RTE_SECURITY_PROTOCOL_DOCSIS``
89
90Supported Chains
91~~~~~~~~~~~~~~~~
92
93All the usual chains are supported and also some mixed chains:
94
95.. table:: Supported hash-cipher chains for wireless digest-encrypted cases
96
97   +------------------+-----------+-------------+----------+----------+
98   | Cipher algorithm | NULL AUTH | SNOW3G UIA2 | ZUC EIA3 | AES CMAC |
99   +==================+===========+=============+==========+==========+
100   | NULL CIPHER      | Y         | 2&3         | 2&3      | Y        |
101   +------------------+-----------+-------------+----------+----------+
102   | SNOW3G UEA2      | 2&3       | 1&2&3       | 2&3      | 2&3      |
103   +------------------+-----------+-------------+----------+----------+
104   | ZUC EEA3         | 2&3       | 2&3         | 2&3      | 2&3      |
105   +------------------+-----------+-------------+----------+----------+
106   | AES CTR          | 1&2&3     | 2&3         | 2&3      | Y        |
107   +------------------+-----------+-------------+----------+----------+
108
109* The combinations marked as "Y" are supported on all QAT hardware versions.
110* The combinations marked as "2&3" are supported on GEN2 and GEN3 QAT hardware only.
111* The combinations marked as "1&2&3" are supported on GEN1, GEN2 and GEN3 QAT hardware only.
112
113
114Limitations
115~~~~~~~~~~~
116
117* Only supports the session-oriented API implementation (session-less APIs are not supported).
118* SNOW 3G (UEA2), KASUMI (F8) and ZUC (EEA3) supported only if cipher length and offset fields are byte-multiple.
119* SNOW 3G (UIA2) and ZUC (EIA3) supported only if hash length and offset fields are byte-multiple.
120* No BSD support as BSD QAT kernel driver not available.
121* ZUC EEA3/EIA3 is not supported by dh895xcc devices
122* Maximum additional authenticated data (AAD) for GCM is 240 bytes long and must be passed to the device in a buffer rounded up to the nearest block-size multiple (x16) and padded with zeros.
123* Queue-pairs are thread-safe on Intel CPUs but Queues are not (that is, within a single
124  queue-pair all enqueues to the TX queue must be done from one thread and all dequeues
125  from the RX queue must be done from one thread, but enqueues and dequeues may be done
126  in different threads.)
127* A GCM limitation exists, but only in the case where there are multiple
128  generations of QAT devices on a single platform.
129  To optimise performance, the GCM crypto session should be initialised for the
130  device generation to which the ops will be enqueued. Specifically if a GCM
131  session is initialised on a GEN2 device, but then attached to an op enqueued
132  to a GEN3 device, it will work but cannot take advantage of hardware
133  optimisations in the GEN3 device. And if a GCM session is initialised on a
134  GEN3 device, then attached to an op sent to a GEN1/GEN2 device, it will not be
135  enqueued to the device and will be marked as failed. The simplest way to
136  mitigate this is to use the PCI allowlist to avoid mixing devices of different
137  generations in the same process if planning to use for GCM.
138* The mixed algo feature on GEN2 is not supported by all kernel drivers. Check
139  the notes under the Available Kernel Drivers table below for specific details.
140* Out-of-place is not supported for combined Crypto-CRC DOCSIS security
141  protocol.
142* ``RTE_CRYPTO_CIPHER_DES_DOCSISBPI`` is not supported for combined Crypto-CRC
143  DOCSIS security protocol.
144* Multi-segment buffers are not supported for combined Crypto-CRC DOCSIS
145  security protocol.
146
147Extra notes on KASUMI F9
148~~~~~~~~~~~~~~~~~~~~~~~~
149
150When using KASUMI F9 authentication algorithm, the input buffer must be
151constructed according to the
152`3GPP KASUMI specification <http://cryptome.org/3gpp/35201-900.pdf>`_
153(section 4.4, page 13). The input buffer has to have COUNT (4 bytes),
154FRESH (4 bytes), MESSAGE and DIRECTION (1 bit) concatenated. After the DIRECTION
155bit, a single '1' bit is appended, followed by between 0 and 7 '0' bits, so that
156the total length of the buffer is multiple of 8 bits. Note that the actual
157message can be any length, specified in bits.
158
159Once this buffer is passed this way, when creating the crypto operation,
160length of data to authenticate "op.sym.auth.data.length" must be the length
161of all the items described above, including the padding at the end.
162Also, offset of data to authenticate "op.sym.auth.data.offset"
163must be such that points at the start of the COUNT bytes.
164
165Asymmetric Crypto Service on QAT
166--------------------------------
167
168The QAT asymmetric crypto PMD (hereafter referred to as `QAT ASYM [PMD]`) provides
169poll mode crypto driver support for the following hardware accelerator devices:
170
171* ``Intel QuickAssist Technology DH895xCC``
172* ``Intel QuickAssist Technology C62x``
173* ``Intel QuickAssist Technology C3xxx``
174* ``Intel QuickAssist Technology D15xx``
175* ``Intel QuickAssist Technology 4xxx``
176* ``Intel QuickAssist Technology 401xxx``
177
178The QAT ASYM PMD has support for:
179
180* ``RTE_CRYPTO_ASYM_XFORM_MODEX``
181* ``RTE_CRYPTO_ASYM_XFORM_MODINV``
182* ``RTE_CRYPTO_ASYM_XFORM_RSA``
183* ``RTE_CRYPTO_ASYM_XFORM_ECDSA``
184* ``RTE_CRYPTO_ASYM_XFORM_ECPM``
185* ``RTE_CRYPTO_ASYM_XFORM_ECDH``
186
187Limitations
188~~~~~~~~~~~
189
190* Big integers longer than 4096 bits are not supported.
191* Queue-pairs are thread-safe on Intel CPUs but Queues are not (that is, within a single
192  queue-pair all enqueues to the TX queue must be done from one thread and all dequeues
193  from the RX queue must be done from one thread, but enqueues and dequeues may be done
194  in different threads.)
195* RSA-2560, RSA-3584 are not supported
196
197.. _building_qat:
198
199Building PMDs on QAT
200--------------------
201
202A QAT device can host multiple acceleration services:
203
204* symmetric cryptography
205* data compression
206* asymmetric cryptography
207
208These services are provided to DPDK applications via PMDs which register to
209implement the corresponding cryptodev and compressdev APIs. The PMDs use
210common QAT driver code which manages the QAT PCI device. They also depend on a
211QAT kernel driver being installed on the platform, see :ref:`qat_kernel` below.
212
213
214Configuring and Building the DPDK QAT PMDs
215~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
216
217
218Further information on configuring, building and installing DPDK is described
219:doc:`here <../linux_gsg/build_dpdk>`.
220
221.. _building_qat_config:
222
223Build Configuration
224~~~~~~~~~~~~~~~~~~~
225
226These are the build configuration options affecting QAT, and their default values:
227
228.. code-block:: console
229
230	RTE_PMD_QAT_MAX_PCI_DEVICES=48
231	RTE_PMD_QAT_COMP_IM_BUFFER_SIZE=65536
232
233Both QAT SYM PMD and QAT ASYM PMD have an external dependency on libcrypto, so are not
234built by default.
235
236The QAT compressdev PMD has no external dependencies, so is built by default.
237
238The number of VFs per PF varies - see table below. If multiple QAT packages are
239installed on a platform then RTE_PMD_QAT_MAX_PCI_DEVICES should be
240adjusted to the number of VFs which the QAT common code will need to handle.
241
242.. Note::
243
244        There are separate config items (not QAT-specific) for max cryptodevs
245        RTE_CRYPTO_MAX_DEVS and max compressdevs RTE_COMPRESS_MAX_DEVS,
246        if necessary these should be adjusted to handle the total of QAT and other
247        devices which the process will use. In particular for crypto, where each
248        QAT VF may expose two crypto devices, sym and asym, it may happen that the
249        number of devices will be bigger than MAX_DEVS and the process will show an error
250        during PMD initialisation. To avoid this problem RTE_CRYPTO_MAX_DEVS may be
251        increased or -a, allow domain:bus:devid:func option may be used.
252
253
254QAT compression PMD needs intermediate buffers to support Deflate compression
255with Dynamic Huffman encoding. RTE_PMD_QAT_COMP_IM_BUFFER_SIZE
256specifies the size of a single buffer, the PMD will allocate a multiple of these,
257plus some extra space for associated meta-data. For GEN2 devices, 20 buffers are
258allocated while for GEN1 devices, 12 buffers are allocated, plus 1472 bytes overhead.
259
260.. Note::
261
262	If the compressed output of a Deflate operation using Dynamic Huffman
263	Encoding is too big to fit in an intermediate buffer, then the
264	operation will be split into smaller operations and their results will
265	be merged afterwards.
266	This is not possible if any checksum calculation was requested - in such
267	case the code falls back to fixed compression.
268	To avoid this less performant case, applications should configure
269	the intermediate buffer size to be larger than the expected input data size
270	(compressed output size is usually unknown, so the only option is to make
271	larger than the input size).
272
273
274Running QAT PMD with minimum threshold for burst size
275~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
276
277If only a small number or packets can be enqueued. Each enqueue causes an expensive MMIO write.
278These MMIO write occurrences can be optimised by setting any of the following parameters:
279
280- qat_sym_enq_threshold
281- qat_asym_enq_threshold
282- qat_comp_enq_threshold
283
284When any of these parameters is set rte_cryptodev_enqueue_burst function will
285return 0 (thereby avoiding an MMIO) if the device is congested and number of packets
286possible to enqueue is smaller.
287To use this feature the user must set the parameter on process start as a device additional parameter::
288
289  -a 03:01.1,qat_sym_enq_threshold=32,qat_comp_enq_threshold=16
290
291All parameters can be used with the same device regardless of order. Parameters are separated
292by comma. When the same parameter is used more than once first occurrence of the parameter
293is used.
294Maximum threshold that can be set is 32.
295
296Running QAT PMD with Intel IPSEC MB library for symmetric precomputes function
297~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
298
299The QAT PMD use Openssl library for partial hash calculation in symmetirc precomputes function by
300default, the following parameter is allow QAT PMD switch over to multi-buffer job API if Intel
301IPSEC MB library installed on system.
302
303- qat_ipsec_mb_lib
304
305To use this feature the user must set the parameter on process start as a device additional parameter::
306
307  -a 03:01.1,qat_ipsec_mb_lib=1
308
309
310Device and driver naming
311~~~~~~~~~~~~~~~~~~~~~~~~
312
313* The qat cryptodev symmetric crypto driver name is "crypto_qat".
314* The qat cryptodev asymmetric crypto driver name is "crypto_qat_asym".
315
316The "rte_cryptodev_devices_get()" returns the devices exposed by either of these drivers.
317
318* Each qat sym crypto device has a unique name, in format
319  "<pci bdf>_<service>", e.g. "0000:41:01.0_qat_sym".
320* Each qat asym crypto device has a unique name, in format
321  "<pci bdf>_<service>", e.g. "0000:41:01.0_qat_asym".
322  This name can be passed to "rte_cryptodev_get_dev_id()" to get the device_id.
323
324.. Note::
325
326	The cryptodev driver name is passed to the dpdk-test-crypto-perf tool in the "-devtype" parameter.
327
328	The qat crypto device name is in the format of the worker parameter passed to the crypto scheduler.
329
330* The qat compressdev driver name is "compress_qat".
331  The rte_compressdev_devices_get() returns the devices exposed by this driver.
332
333* Each qat compression device has a unique name, in format
334  <pci bdf>_<service>, e.g. "0000:41:01.0_qat_comp".
335  This name can be passed to rte_compressdev_get_dev_id() to get the device_id.
336
337.. _qat_kernel:
338
339Dependency on the QAT kernel driver
340~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
341
342To use QAT an SRIOV-enabled QAT kernel driver is required. The VF
343devices created and initialised by this driver will be used by the QAT PMDs.
344
345Instructions for installation are below, but first an explanation of the
346relationships between the PF/VF devices and the PMDs visible to
347DPDK applications.
348
349Each QuickAssist PF device exposes a number of VF devices. Each VF device can
350enable one symmetric cryptodev PMD and/or one asymmetric cryptodev PMD and/or
351one compressdev PMD.
352These QAT PMDs share the same underlying device and pci-mgmt code, but are
353enumerated independently on their respective APIs and appear as independent
354devices to applications.
355
356.. Note::
357
358   Each VF can only be used by one DPDK process. It is not possible to share
359   the same VF across multiple processes, even if these processes are using
360   different acceleration services.
361
362   Conversely one DPDK process can use one or more QAT VFs and can expose both
363   cryptodev and compressdev instances on each of those VFs.
364
365
366Available kernel drivers
367~~~~~~~~~~~~~~~~~~~~~~~~
368
369Kernel drivers for each device for each service are listed in the following table. (Scroll right
370to see the full table)
371
372
373.. _table_qat_pmds_drivers:
374
375.. table:: QAT device generations, devices and drivers
376
377   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
378   | S   | A   | C   | Gen | Device   | Driver/ver    | Kernel Module | Pci Driver | PF Did | #PFs | VF Did | VFs/PF |
379   +=====+=====+=====+=====+==========+===============+===============+============+========+======+========+========+
380   | Yes | No  | No  | 1   | DH895xCC | linux/4.4+    | qat_dh895xcc  | dh895xcc   | 435    | 1    | 443    | 32     |
381   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
382   | Yes | Yes | No  | "   | "        | IDZ/4.12.0+   | "             | "          | "      | "    | "      | "      |
383   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
384   | Yes | Yes | Yes | "   | "        | IDZ/4.13.0+   | "             | "          | "      | "    | "      | "      |
385   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
386   | Yes | No  | No  | 2   | C62x     | linux/4.5+    | qat_c62x      | c6xx       | 37c8   | 3    | 37c9   | 16     |
387   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
388   | Yes | Yes | Yes | "   | "        | IDZ/4.12.0+   | "             | "          | "      | "    | "      | "      |
389   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
390   | Yes | No  | No  | 2   | C3xxx    | linux/4.5+    | qat_c3xxx     | c3xxx      | 19e2   | 1    | 19e3   | 16     |
391   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
392   | Yes | Yes | Yes | "   | "        | IDZ/4.12.0+   | "             | "          | "      | "    | "      | "      |
393   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
394   | Yes | No  | No  | 2   | 200xx    | p             | qat_200xx     | 200xx      | 18ee   | 1    | 18ef   | 16     |
395   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
396   | Yes | No  | No  | 2   | D15xx    | p             | qat_d15xx     | d15xx      | 6f54   | 1    | 6f55   | 16     |
397   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
398   | Yes | No  | No  | 3   | C4xxx    | p             | qat_c4xxx     | c4xxx      | 18a0   | 1    | 18a1   | 128    |
399   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
400   | Yes | Yes | No  | 4   | 4xxx     | linux/5.11+   | qat_4xxx      | 4xxx       | 4940   | 4    | 4941   | 16     |
401   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
402   | Yes | Yes | Yes | 4   | 4xxx     | linux/5.17+   | qat_4xxx      | 4xxx       | 4940   | 4    | 4941   | 16     |
403   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
404   | Yes | No  | No  | 4   | 4xxx     | IDZ/ N/A      | qat_4xxx      | 4xxx       | 4940   | 4    | 4941   | 16     |
405   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
406   | Yes | Yes | Yes | 4   | 401xxx   | linux/5.19+   | qat_401xxx    | 4xxx       | 4942   | 2    | 4943   | 16     |
407   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
408   | Yes | No  | No  | 4   | 401xxx   | IDZ/ N/A      | qat_401xxx    | 4xxx       | 4942   | 2    | 4943   | 16     |
409   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
410
411* Note: Symmetric mixed crypto algorithms feature on Gen 2 works only with IDZ driver version 4.9.0+
412
413The first 3 columns indicate the service:
414
415* S = Symmetric crypto service (via cryptodev API)
416* A = Asymmetric crypto service  (via cryptodev API)
417* C = Compression service (via compressdev API)
418
419The ``Driver`` column indicates either the Linux kernel version in which
420support for this device was introduced or a driver available on Intel Developer Zone (IDZ).
421There are both linux in-tree and IDZ kernel drivers available for some
422devices. p = release pending.
423
424If you are running on a kernel which includes a driver for your device, see
425`Installation using kernel.org driver`_ below. Otherwise see
426`Installation using IDZ QAT driver`_.
427
428.. note::
429
430   The asymmetric service is not supported by DPDK QAT PMD for the Gen 3 platform.
431   The actual crypto services enabled on the system depend
432   on QAT driver capabilities and hardware slice configuration.
433
434Installation using kernel.org driver
435~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
436
437The examples below are based on the C62x device, if you have a different device
438use the corresponding values in the above table.
439
440In BIOS ensure that SRIOV is enabled and either:
441
442* Disable VT-d or
443* Enable VT-d and set ``"intel_iommu=on iommu=pt"`` in the grub file.
444
445Check that the QAT driver is loaded on your system, by executing::
446
447    lsmod | grep qa
448
449You should see the kernel module for your device listed, e.g.::
450
451    qat_c62x               5626  0
452    intel_qat              82336  1 qat_c62x
453
454Next, you need to expose the Virtual Functions (VFs) using the sysfs file system.
455
456First find the BDFs (Bus-Device-Function) of the physical functions (PFs) of
457your device, e.g.::
458
459    lspci -d:37c8
460
461You should see output similar to::
462
463    1a:00.0 Co-processor: Intel Corporation Device 37c8
464    3d:00.0 Co-processor: Intel Corporation Device 37c8
465    3f:00.0 Co-processor: Intel Corporation Device 37c8
466
467Enable the VFs for each PF by echoing the number of VFs per PF to the pci driver::
468
469     echo 16 > /sys/bus/pci/drivers/c6xx/0000:1a:00.0/sriov_numvfs
470     echo 16 > /sys/bus/pci/drivers/c6xx/0000:3d:00.0/sriov_numvfs
471     echo 16 > /sys/bus/pci/drivers/c6xx/0000:3f:00.0/sriov_numvfs
472
473Check that the VFs are available for use. For example ``lspci -d:37c9`` should
474list 48 VF devices available for a ``C62x`` device.
475
476To complete the installation follow the instructions in
477`Binding the available VFs to the vfio-pci driver`_.
478
479.. Note::
480
481   If the QAT kernel modules are not loaded and you see an error like ``Failed
482   to load MMP firmware qat_895xcc_mmp.bin`` in kernel logs, this may be as a
483   result of not using a distribution, but just updating the kernel directly.
484
485   Download firmware from the `kernel firmware repo
486   <http://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/tree/>`_.
487
488   Copy qat binaries to ``/lib/firmware``::
489
490      cp qat_895xcc.bin /lib/firmware
491      cp qat_895xcc_mmp.bin /lib/firmware
492
493   Change to your linux source root directory and start the qat kernel modules::
494
495      insmod ./drivers/crypto/qat/qat_common/intel_qat.ko
496      insmod ./drivers/crypto/qat/qat_dh895xcc/qat_dh895xcc.ko
497
498.. Note::
499
500   If you see the following warning in ``/var/log/messages`` it can be ignored:
501   ``IOMMU should be enabled for SR-IOV to work correctly``.
502
503
504Installation using IDZ QAT driver
505~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
506
507Download the latest QuickAssist Technology Driver from `Intel Developer Zone
508<https://developer.intel.com/quickassist>`_.
509Consult the *Quick Start Guide* at the same URL for further information.
510
511The steps below assume you are:
512
513* Building on a platform with one ``C62x`` device.
514* Using package ``qat1.7.l.4.2.0-000xx.tar.gz``.
515* On Fedora26 kernel ``4.11.11-300.fc26.x86_64``.
516
517In the BIOS ensure that SRIOV is enabled and VT-d is disabled.
518
519Uninstall any existing QAT driver, for example by running:
520
521* ``./installer.sh uninstall`` in the directory where originally installed.
522
523
524Build and install the SRIOV-enabled QAT driver::
525
526    mkdir /QAT
527    cd /QAT
528
529    # Copy the package to this location and unpack
530    tar zxof qat1.7.l.4.2.0-000xx.tar.gz
531
532    ./configure --enable-icp-sriov=host
533    make install
534
535You can use ``cat /sys/kernel/debug/qat<your device type and bdf>/version/fw`` to confirm the driver is correctly installed and is using firmware version 4.2.0.
536You can use ``lspci -d:37c9`` to confirm the presence of the 16 VF devices available per ``C62x`` PF.
537
538Confirm the driver is correctly installed and is using firmware version 4.2.0::
539
540    cat /sys/kernel/debug/qat<your device type and bdf>/version/fw
541
542
543Confirm the presence of 48 VF devices - 16 per PF::
544
545    lspci -d:37c9
546
547
548To complete the installation - follow instructions in
549`Binding the available VFs to the vfio-pci driver`_.
550
551.. Note::
552
553   If using a later kernel and the build fails with an error relating to
554   ``strict_stroul`` not being available apply the following patch:
555
556   .. code-block:: diff
557
558      /QAT/QAT1.6/quickassist/utilities/downloader/Target_CoreLibs/uclo/include/linux/uclo_platform.h
559      + #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,18,5)
560      + #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; if (kstrtoul((str), (base), (num))) printk("Error strtoull convert %s\n", str); }
561      + #else
562      #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,38)
563      #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; if (strict_strtoull((str), (base), (num))) printk("Error strtoull convert %s\n", str); }
564      #else
565      #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25)
566      #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; strict_strtoll((str), (base), (num));}
567      #else
568      #define STR_TO_64(str, base, num, endPtr)                                 \
569           do {                                                               \
570                 if (str[0] == '-')                                           \
571                 {                                                            \
572                      *(num) = -(simple_strtoull((str+1), &(endPtr), (base))); \
573                 }else {                                                      \
574                      *(num) = simple_strtoull((str), &(endPtr), (base));      \
575                 }                                                            \
576           } while(0)
577      + #endif
578      #endif
579      #endif
580
581
582.. Note::
583
584   If the build fails due to missing header files you may need to do following::
585
586      sudo yum install zlib-devel
587      sudo yum install openssl-devel
588      sudo yum install libudev-devel
589
590.. Note::
591
592   If the build or install fails due to mismatching kernel sources you may need to do the following::
593
594      sudo yum install kernel-headers-`uname -r`
595      sudo yum install kernel-src-`uname -r`
596      sudo yum install kernel-devel-`uname -r`
597
598.. Note::
599
600   If the build fails on newer GCC versions (such as GCC 12) with an error relating to
601   ``-lc`` not being found, apply the following patch:
602
603   .. code-block:: diff
604
605      /QAT/quickassist/lookaside/access_layer/src/Makefile
606      cd $(ICP_FINAL_OUTPUT_DIR);\
607      cmd="$(LINKER) $(LIB_SHARED_FLAGS) -o \
608        $(LIB_SHARED) $(ADDITIONAL_OBJECTS) $(ADDITIONAL_LIBS) *.o -lpthread -ludev \
609      - -Bstatic -L$(ADF_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL) \
610      - -ladf_user -L$(OSAL_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL)/ \
611      - -losal -Bdynamic -lc"; \
612      + -Bstatic -L$(ADF_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL) \
613      + -ladf_user -L$(OSAL_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL)/ \
614      + -losal -Bdynamic -L/lib/x86_64-linux-gnu/ -lc"; \
615      echo "$$cmd"; \
616      $$cmd
617
618   Followed by this patch:
619
620   .. code-block:: diff
621
622      /QAT/quickassist/build_system/build_files/OS/linux_common_user_space_rules.mk
623      @echo 'Creating shared library ${LIB_SHARED}'; \
624      cd $($(PROG_ACY)_FINAL_OUTPUT_DIR);\
625      -  echo $(LINKER) $(LIB_SHARED_FLAGS) -o $@  $(OBJECTS) $(ADDITIONAL_OBJECTS) -lc;\
626      -  $(LINKER) $(LIB_SHARED_FLAGS) -o $@  $(OBJECTS) $(ADDITIONAL_OBJECTS) -lc ;
627      +  echo $(LINKER) $(LIB_SHARED_FLAGS) -o $@  $(OBJECTS) $(ADDITIONAL_OBJECTS) \
628      +  -L/lib/x86_64-linux-gnu/ -lc;\
629      +  $(LINKER) $(LIB_SHARED_FLAGS) -o $@  $(OBJECTS) $(ADDITIONAL_OBJECTS) \
630      +  -L/lib/x86_64-linux-gnu/ -lc ;
631
632
633Binding the available VFs to the vfio-pci driver
634~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
635
636Note:
637
638* Please note that due to security issues, the usage of older DPDK igb_uio
639  driver is not recommended. This document shows how to use the more secure
640  vfio-pci driver.
641* If QAT fails to bind to vfio-pci on Linux kernel 5.9+, please see the
642  QATE-39220 and QATE-7495 issues in
643  `IDZ doc <https://cdrdv2.intel.com/v1/dl/getContent/710057?explicitVersion=true>`_
644  which details the constraint about trusted guests and add `disable_denylist=1`
645  to the vfio-pci params to use QAT. See also `this patch description <https://lkml.org/lkml/2020/7/23/1155>`_.
646
647Unbind the VFs from the stock driver so they can be bound to the vfio-pci driver.
648
649For an Intel(R) QuickAssist Technology DH895xCC device
650^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
651
652The unbind command below assumes ``BDFs`` of ``03:01.00-03:04.07``, if your
653VFs are different adjust the unbind command below::
654
655    cd to the top-level DPDK directory
656    for device in $(seq 1 4); do \
657        for fn in $(seq 0 7); do \
658            usertools/dpdk-devbind.py -u 0000:03:0${device}.${fn}; \
659        done; \
660    done
661
662For an Intel(R) QuickAssist Technology C62x device
663^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
664
665The unbind command below assumes ``BDFs`` of ``1a:01.00-1a:02.07``,
666``3d:01.00-3d:02.07`` and ``3f:01.00-3f:02.07``, if your VFs are different
667adjust the unbind command below::
668
669    cd to the top-level DPDK directory
670    for device in $(seq 1 2); do \
671        for fn in $(seq 0 7); do \
672            usertools/dpdk-devbind.py -u 0000:1a:0${device}.${fn}; \
673            usertools/dpdk-devbind.py -u 0000:3d:0${device}.${fn}; \
674            usertools/dpdk-devbind.py -u 0000:3f:0${device}.${fn}; \
675        done; \
676    done
677
678For Intel(R) QuickAssist Technology C3xxx or 200xx or D15xx device
679^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
680
681The unbind command below assumes ``BDFs`` of ``01:01.00-01:02.07``, if your
682VFs are different adjust the unbind command below::
683
684    cd to the top-level DPDK directory
685    for device in $(seq 1 2); do \
686        for fn in $(seq 0 7); do \
687            usertools/dpdk-devbind.py -u 0000:01:0${device}.${fn}; \
688        done; \
689    done
690
691Bind to the vfio-pci driver
692^^^^^^^^^^^^^^^^^^^^^^^^^^^
693
694Load the vfio-pci driver, bind the VF PCI Device id to it using the
695``dpdk-devbind.py`` script then use the ``--status`` option
696to confirm the VF devices are now in use by vfio-pci kernel driver,
697e.g. for the C62x device::
698
699    cd to the top-level DPDK directory
700    modprobe vfio-pci
701    usertools/dpdk-devbind.py -b vfio-pci 0000:03:01.1
702    usertools/dpdk-devbind.py --status
703
704Use ``modprobe vfio-pci disable_denylist=1`` from kernel 5.9 onwards.
705See note in the section `Binding the available VFs to the vfio-pci driver`_
706above.
707
708Testing
709~~~~~~~
710
711QAT SYM crypto PMD can be tested by running the test application::
712
713    cd ./<build_dir>/app/test
714    ./dpdk-test -l1 -n1 -a <your qat bdf>
715    RTE>>cryptodev_qat_autotest
716
717QAT ASYM crypto PMD can be tested by running the test application::
718
719    cd ./<build_dir>/app/test
720    ./dpdk-test -l1 -n1 -a <your qat bdf>
721    RTE>>cryptodev_qat_asym_autotest
722
723QAT compression PMD can be tested by running the test application::
724
725    cd ./<build_dir>/app/test
726    ./dpdk-test -l1 -n1 -a <your qat bdf>
727    RTE>>compressdev_autotest
728
729
730Debugging
731~~~~~~~~~
732
733There are 2 sets of trace available via the dynamic logging feature:
734
735* pmd.qat.dp exposes trace on the data-path.
736* pmd.qat.general exposes all other trace.
737
738pmd.qat exposes both sets of traces.
739They can be enabled using the log-level option (where 8=maximum log level) on
740the process cmdline, e.g. using any of the following::
741
742    --log-level="pmd.qat.general,8"
743    --log-level="pmd.qat.dp,8"
744    --log-level="pmd.qat,8"
745
746.. Note::
747
748    The global RTE_LOG_DP_LEVEL overrides data-path trace so must be set to
749    RTE_LOG_DEBUG to see all the trace. This variable is in config/rte_config.h
750    for meson build.
751    Also the dynamic global log level overrides both sets of trace, so e.g. no
752    QAT trace would display in this case::
753
754	--log-level="7" --log-level="pmd.qat.general,8"
755