xref: /dpdk/doc/guides/cryptodevs/qat.rst (revision 665b49c51639a10c553433bc2bcd85c7331c631e) 
1..  SPDX-License-Identifier: BSD-3-Clause
2    Copyright(c) 2015-2019 Intel Corporation.
3
4Intel(R) QuickAssist (QAT) Crypto Poll Mode Driver
5==================================================
6
7QAT documentation consists of three parts:
8
9* Details of the symmetric and asymmetric crypto services below.
10* Details of the :doc:`compression service <../compressdevs/qat_comp>`
11  in the compressdev drivers section.
12* Details of building the common QAT infrastructure and the PMDs to support the
13  above services. See :ref:`building_qat` below.
14
15
16Symmetric Crypto Service on QAT
17-------------------------------
18
19The QAT symmetric crypto PMD (hereafter referred to as `QAT SYM [PMD]`) provides
20poll mode crypto driver support for the following hardware accelerator devices:
21
22* ``Intel QuickAssist Technology DH895xCC``
23* ``Intel QuickAssist Technology C62x``
24* ``Intel QuickAssist Technology C3xxx``
25* ``Intel QuickAssist Technology 200xx``
26* ``Intel QuickAssist Technology D15xx``
27* ``Intel QuickAssist Technology C4xxx``
28* ``Intel QuickAssist Technology 4xxx``
29
30
31Features
32~~~~~~~~
33
34The QAT SYM PMD has support for:
35
36Cipher algorithms:
37
38* ``RTE_CRYPTO_CIPHER_3DES_CBC``
39* ``RTE_CRYPTO_CIPHER_3DES_CTR``
40* ``RTE_CRYPTO_CIPHER_AES128_CBC``
41* ``RTE_CRYPTO_CIPHER_AES192_CBC``
42* ``RTE_CRYPTO_CIPHER_AES256_CBC``
43* ``RTE_CRYPTO_CIPHER_AES128_CTR``
44* ``RTE_CRYPTO_CIPHER_AES192_CTR``
45* ``RTE_CRYPTO_CIPHER_AES256_CTR``
46* ``RTE_CRYPTO_CIPHER_AES_XTS``
47* ``RTE_CRYPTO_CIPHER_SNOW3G_UEA2``
48* ``RTE_CRYPTO_CIPHER_NULL``
49* ``RTE_CRYPTO_CIPHER_KASUMI_F8``
50* ``RTE_CRYPTO_CIPHER_DES_CBC``
51* ``RTE_CRYPTO_CIPHER_AES_DOCSISBPI``
52* ``RTE_CRYPTO_CIPHER_DES_DOCSISBPI``
53* ``RTE_CRYPTO_CIPHER_ZUC_EEA3``
54
55Hash algorithms:
56
57* ``RTE_CRYPTO_AUTH_SHA1``
58* ``RTE_CRYPTO_AUTH_SHA1_HMAC``
59* ``RTE_CRYPTO_AUTH_SHA224``
60* ``RTE_CRYPTO_AUTH_SHA224_HMAC``
61* ``RTE_CRYPTO_AUTH_SHA256``
62* ``RTE_CRYPTO_AUTH_SHA256_HMAC``
63* ``RTE_CRYPTO_AUTH_SHA384``
64* ``RTE_CRYPTO_AUTH_SHA384_HMAC``
65* ``RTE_CRYPTO_AUTH_SHA512``
66* ``RTE_CRYPTO_AUTH_SHA512_HMAC``
67* ``RTE_CRYPTO_AUTH_SHA3_224``
68* ``RTE_CRYPTO_AUTH_SHA3_256``
69* ``RTE_CRYPTO_AUTH_SHA3_384``
70* ``RTE_CRYPTO_AUTH_SHA3_512``
71* ``RTE_CRYPTO_AUTH_AES_XCBC_MAC``
72* ``RTE_CRYPTO_AUTH_SNOW3G_UIA2``
73* ``RTE_CRYPTO_AUTH_MD5_HMAC``
74* ``RTE_CRYPTO_AUTH_NULL``
75* ``RTE_CRYPTO_AUTH_KASUMI_F9``
76* ``RTE_CRYPTO_AUTH_AES_GMAC``
77* ``RTE_CRYPTO_AUTH_ZUC_EIA3``
78* ``RTE_CRYPTO_AUTH_AES_CMAC``
79
80Supported AEAD algorithms:
81
82* ``RTE_CRYPTO_AEAD_AES_GCM``
83* ``RTE_CRYPTO_AEAD_AES_CCM``
84* ``RTE_CRYPTO_AEAD_CHACHA20_POLY1305``
85
86Protocol offloads:
87
88* ``RTE_SECURITY_PROTOCOL_DOCSIS``
89
90Supported Chains
91~~~~~~~~~~~~~~~~
92
93All the usual chains are supported and also some mixed chains:
94
95.. table:: Supported hash-cipher chains for wireless digest-encrypted cases
96
97   +------------------+-----------+-------------+----------+----------+
98   | Cipher algorithm | NULL AUTH | SNOW3G UIA2 | ZUC EIA3 | AES CMAC |
99   +==================+===========+=============+==========+==========+
100   | NULL CIPHER      | Y         | 2&3         | 2&3      | Y        |
101   +------------------+-----------+-------------+----------+----------+
102   | SNOW3G UEA2      | 2&3       | 1&2&3       | 2&3      | 2&3      |
103   +------------------+-----------+-------------+----------+----------+
104   | ZUC EEA3         | 2&3       | 2&3         | 2&3      | 2&3      |
105   +------------------+-----------+-------------+----------+----------+
106   | AES CTR          | 1&2&3     | 2&3         | 2&3      | Y        |
107   +------------------+-----------+-------------+----------+----------+
108
109* The combinations marked as "Y" are supported on all QAT hardware versions.
110* The combinations marked as "2&3" are supported on GEN2 and GEN3 QAT hardware only.
111* The combinations marked as "1&2&3" are supported on GEN1, GEN2 and GEN3 QAT hardware only.
112
113
114Limitations
115~~~~~~~~~~~
116
117* Only supports the session-oriented API implementation (session-less APIs are not supported).
118* SNOW 3G (UEA2), KASUMI (F8) and ZUC (EEA3) supported only if cipher length and offset fields are byte-multiple.
119* SNOW 3G (UIA2) and ZUC (EIA3) supported only if hash length and offset fields are byte-multiple.
120* No BSD support as BSD QAT kernel driver not available.
121* ZUC EEA3/EIA3 is not supported by dh895xcc devices
122* Maximum additional authenticated data (AAD) for GCM is 240 bytes long and must be passed to the device in a buffer rounded up to the nearest block-size multiple (x16) and padded with zeros.
123* Queue-pairs are thread-safe on Intel CPUs but Queues are not (that is, within a single
124  queue-pair all enqueues to the TX queue must be done from one thread and all dequeues
125  from the RX queue must be done from one thread, but enqueues and dequeues may be done
126  in different threads.)
127* A GCM limitation exists, but only in the case where there are multiple
128  generations of QAT devices on a single platform.
129  To optimise performance, the GCM crypto session should be initialised for the
130  device generation to which the ops will be enqueued. Specifically if a GCM
131  session is initialised on a GEN2 device, but then attached to an op enqueued
132  to a GEN3 device, it will work but cannot take advantage of hardware
133  optimisations in the GEN3 device. And if a GCM session is initialised on a
134  GEN3 device, then attached to an op sent to a GEN1/GEN2 device, it will not be
135  enqueued to the device and will be marked as failed. The simplest way to
136  mitigate this is to use the PCI allowlist to avoid mixing devices of different
137  generations in the same process if planning to use for GCM.
138* The mixed algo feature on GEN2 is not supported by all kernel drivers. Check
139  the notes under the Available Kernel Drivers table below for specific details.
140* Out-of-place is not supported for combined Crypto-CRC DOCSIS security
141  protocol.
142* ``RTE_CRYPTO_CIPHER_DES_DOCSISBPI`` is not supported for combined Crypto-CRC
143  DOCSIS security protocol.
144* Multi-segment buffers are not supported for combined Crypto-CRC DOCSIS
145  security protocol.
146
147Extra notes on KASUMI F9
148~~~~~~~~~~~~~~~~~~~~~~~~
149
150When using KASUMI F9 authentication algorithm, the input buffer must be
151constructed according to the
152`3GPP KASUMI specification <http://cryptome.org/3gpp/35201-900.pdf>`_
153(section 4.4, page 13). The input buffer has to have COUNT (4 bytes),
154FRESH (4 bytes), MESSAGE and DIRECTION (1 bit) concatenated. After the DIRECTION
155bit, a single '1' bit is appended, followed by between 0 and 7 '0' bits, so that
156the total length of the buffer is multiple of 8 bits. Note that the actual
157message can be any length, specified in bits.
158
159Once this buffer is passed this way, when creating the crypto operation,
160length of data to authenticate "op.sym.auth.data.length" must be the length
161of all the items described above, including the padding at the end.
162Also, offset of data to authenticate "op.sym.auth.data.offset"
163must be such that points at the start of the COUNT bytes.
164
165Asymmetric Crypto Service on QAT
166--------------------------------
167
168The QAT asymmetric crypto PMD (hereafter referred to as `QAT ASYM [PMD]`) provides
169poll mode crypto driver support for the following hardware accelerator devices:
170
171* ``Intel QuickAssist Technology DH895xCC``
172* ``Intel QuickAssist Technology C62x``
173* ``Intel QuickAssist Technology C3xxx``
174* ``Intel QuickAssist Technology D15xx``
175* ``Intel QuickAssist Technology C4xxx``
176* ``Intel QuickAssist Technology 4xxx``
177* ``Intel QuickAssist Technology 401xxx``
178
179The QAT ASYM PMD has support for:
180
181* ``RTE_CRYPTO_ASYM_XFORM_MODEX``
182* ``RTE_CRYPTO_ASYM_XFORM_MODINV``
183* ``RTE_CRYPTO_ASYM_XFORM_RSA``
184* ``RTE_CRYPTO_ASYM_XFORM_ECDSA``
185* ``RTE_CRYPTO_ASYM_XFORM_ECPM``
186* ``RTE_CRYPTO_ASYM_XFORM_ECDH``
187
188Limitations
189~~~~~~~~~~~
190
191* Big integers longer than 4096 bits are not supported.
192* Queue-pairs are thread-safe on Intel CPUs but Queues are not (that is, within a single
193  queue-pair all enqueues to the TX queue must be done from one thread and all dequeues
194  from the RX queue must be done from one thread, but enqueues and dequeues may be done
195  in different threads.)
196* RSA-2560, RSA-3584 are not supported
197
198.. _building_qat:
199
200Building PMDs on QAT
201--------------------
202
203A QAT device can host multiple acceleration services:
204
205* symmetric cryptography
206* data compression
207* asymmetric cryptography
208
209These services are provided to DPDK applications via PMDs which register to
210implement the corresponding cryptodev and compressdev APIs. The PMDs use
211common QAT driver code which manages the QAT PCI device. They also depend on a
212QAT kernel driver being installed on the platform, see :ref:`qat_kernel` below.
213
214
215Configuring and Building the DPDK QAT PMDs
216~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
217
218
219Further information on configuring, building and installing DPDK is described
220:doc:`here <../linux_gsg/build_dpdk>`.
221
222.. _building_qat_config:
223
224Build Configuration
225~~~~~~~~~~~~~~~~~~~
226
227These are the build configuration options affecting QAT, and their default values:
228
229.. code-block:: console
230
231	RTE_PMD_QAT_MAX_PCI_DEVICES=48
232	RTE_PMD_QAT_COMP_IM_BUFFER_SIZE=65536
233
234Both QAT SYM PMD and QAT ASYM PMD have an external dependency on libcrypto, so are not
235built by default.
236
237The QAT compressdev PMD has no external dependencies, so is built by default.
238
239The number of VFs per PF varies - see table below. If multiple QAT packages are
240installed on a platform then RTE_PMD_QAT_MAX_PCI_DEVICES should be
241adjusted to the number of VFs which the QAT common code will need to handle.
242
243.. Note::
244
245        There are separate config items (not QAT-specific) for max cryptodevs
246        RTE_CRYPTO_MAX_DEVS and max compressdevs RTE_COMPRESS_MAX_DEVS,
247        if necessary these should be adjusted to handle the total of QAT and other
248        devices which the process will use. In particular for crypto, where each
249        QAT VF may expose two crypto devices, sym and asym, it may happen that the
250        number of devices will be bigger than MAX_DEVS and the process will show an error
251        during PMD initialisation. To avoid this problem RTE_CRYPTO_MAX_DEVS may be
252        increased or -a, allow domain:bus:devid:func option may be used.
253
254
255QAT compression PMD needs intermediate buffers to support Deflate compression
256with Dynamic Huffman encoding. RTE_PMD_QAT_COMP_IM_BUFFER_SIZE
257specifies the size of a single buffer, the PMD will allocate a multiple of these,
258plus some extra space for associated meta-data. For GEN2 devices, 20 buffers are
259allocated while for GEN1 devices, 12 buffers are allocated, plus 1472 bytes overhead.
260
261.. Note::
262
263	If the compressed output of a Deflate operation using Dynamic Huffman
264	Encoding is too big to fit in an intermediate buffer, then the
265	operation will be split into smaller operations and their results will
266	be merged afterwards.
267	This is not possible if any checksum calculation was requested - in such
268	case the code falls back to fixed compression.
269	To avoid this less performant case, applications should configure
270	the intermediate buffer size to be larger than the expected input data size
271	(compressed output size is usually unknown, so the only option is to make
272	larger than the input size).
273
274
275Running QAT PMD with minimum threshold for burst size
276~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
277
278If only a small number or packets can be enqueued. Each enqueue causes an expensive MMIO write.
279These MMIO write occurrences can be optimised by setting any of the following parameters:
280
281- qat_sym_enq_threshold
282- qat_asym_enq_threshold
283- qat_comp_enq_threshold
284
285When any of these parameters is set rte_cryptodev_enqueue_burst function will
286return 0 (thereby avoiding an MMIO) if the device is congested and number of packets
287possible to enqueue is smaller.
288To use this feature the user must set the parameter on process start as a device additional parameter::
289
290  -a 03:01.1,qat_sym_enq_threshold=32,qat_comp_enq_threshold=16
291
292All parameters can be used with the same device regardless of order. Parameters are separated
293by comma. When the same parameter is used more than once first occurrence of the parameter
294is used.
295Maximum threshold that can be set is 32.
296
297Running QAT PMD with Intel IPSEC MB library for symmetric precomputes function
298~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
299
300The QAT PMD use Openssl library for partial hash calculation in symmetirc precomputes function by
301default, the following parameter is allow QAT PMD switch over to multi-buffer job API if Intel
302IPSEC MB library installed on system.
303
304- qat_ipsec_mb_lib
305
306To use this feature the user must set the parameter on process start as a device additional parameter::
307
308  -a 03:01.1,qat_ipsec_mb_lib=1
309
310
311Device and driver naming
312~~~~~~~~~~~~~~~~~~~~~~~~
313
314* The qat cryptodev symmetric crypto driver name is "crypto_qat".
315* The qat cryptodev asymmetric crypto driver name is "crypto_qat_asym".
316
317The "rte_cryptodev_devices_get()" returns the devices exposed by either of these drivers.
318
319* Each qat sym crypto device has a unique name, in format
320  "<pci bdf>_<service>", e.g. "0000:41:01.0_qat_sym".
321* Each qat asym crypto device has a unique name, in format
322  "<pci bdf>_<service>", e.g. "0000:41:01.0_qat_asym".
323  This name can be passed to "rte_cryptodev_get_dev_id()" to get the device_id.
324
325.. Note::
326
327	The cryptodev driver name is passed to the dpdk-test-crypto-perf tool in the "-devtype" parameter.
328
329	The qat crypto device name is in the format of the worker parameter passed to the crypto scheduler.
330
331* The qat compressdev driver name is "compress_qat".
332  The rte_compressdev_devices_get() returns the devices exposed by this driver.
333
334* Each qat compression device has a unique name, in format
335  <pci bdf>_<service>, e.g. "0000:41:01.0_qat_comp".
336  This name can be passed to rte_compressdev_get_dev_id() to get the device_id.
337
338.. _qat_kernel:
339
340Dependency on the QAT kernel driver
341~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
342
343To use QAT an SRIOV-enabled QAT kernel driver is required. The VF
344devices created and initialised by this driver will be used by the QAT PMDs.
345
346Instructions for installation are below, but first an explanation of the
347relationships between the PF/VF devices and the PMDs visible to
348DPDK applications.
349
350Each QuickAssist PF device exposes a number of VF devices. Each VF device can
351enable one symmetric cryptodev PMD and/or one asymmetric cryptodev PMD and/or
352one compressdev PMD.
353These QAT PMDs share the same underlying device and pci-mgmt code, but are
354enumerated independently on their respective APIs and appear as independent
355devices to applications.
356
357.. Note::
358
359   Each VF can only be used by one DPDK process. It is not possible to share
360   the same VF across multiple processes, even if these processes are using
361   different acceleration services.
362
363   Conversely one DPDK process can use one or more QAT VFs and can expose both
364   cryptodev and compressdev instances on each of those VFs.
365
366
367Available kernel drivers
368~~~~~~~~~~~~~~~~~~~~~~~~
369
370Kernel drivers for each device for each service are listed in the following table. (Scroll right
371to see the full table)
372
373
374.. _table_qat_pmds_drivers:
375
376.. table:: QAT device generations, devices and drivers
377
378   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
379   | S   | A   | C   | Gen | Device   | Driver/ver    | Kernel Module | Pci Driver | PF Did | #PFs | VF Did | VFs/PF |
380   +=====+=====+=====+=====+==========+===============+===============+============+========+======+========+========+
381   | Yes | No  | No  | 1   | DH895xCC | linux/4.4+    | qat_dh895xcc  | dh895xcc   | 435    | 1    | 443    | 32     |
382   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
383   | Yes | Yes | No  | "   | "        | IDZ/4.12.0+   | "             | "          | "      | "    | "      | "      |
384   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
385   | Yes | Yes | Yes | "   | "        | IDZ/4.13.0+   | "             | "          | "      | "    | "      | "      |
386   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
387   | Yes | No  | No  | 2   | C62x     | linux/4.5+    | qat_c62x      | c6xx       | 37c8   | 3    | 37c9   | 16     |
388   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
389   | Yes | Yes | Yes | "   | "        | IDZ/4.12.0+   | "             | "          | "      | "    | "      | "      |
390   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
391   | Yes | No  | No  | 2   | C3xxx    | linux/4.5+    | qat_c3xxx     | c3xxx      | 19e2   | 1    | 19e3   | 16     |
392   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
393   | Yes | Yes | Yes | "   | "        | IDZ/4.12.0+   | "             | "          | "      | "    | "      | "      |
394   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
395   | Yes | No  | No  | 2   | 200xx    | p             | qat_200xx     | 200xx      | 18ee   | 1    | 18ef   | 16     |
396   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
397   | Yes | No  | No  | 2   | D15xx    | p             | qat_d15xx     | d15xx      | 6f54   | 1    | 6f55   | 16     |
398   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
399   | Yes | Yes | No  | 3   | C4xxx    | p             | qat_c4xxx     | c4xxx      | 18a0   | 1    | 18a1   | 128    |
400   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
401   | Yes | Yes | No  | 4   | 4xxx     | linux/5.11+   | qat_4xxx      | 4xxx       | 4940   | 4    | 4941   | 16     |
402   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
403   | Yes | Yes | Yes | 4   | 4xxx     | linux/5.17+   | qat_4xxx      | 4xxx       | 4940   | 4    | 4941   | 16     |
404   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
405   | Yes | No  | No  | 4   | 4xxx     | IDZ/ N/A      | qat_4xxx      | 4xxx       | 4940   | 4    | 4941   | 16     |
406   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
407   | Yes | Yes | Yes | 4   | 401xxx   | linux/5.19+   | qat_401xxx    | 4xxx       | 4942   | 2    | 4943   | 16     |
408   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
409   | Yes | No  | No  | 4   | 401xxx   | IDZ/ N/A      | qat_401xxx    | 4xxx       | 4942   | 2    | 4943   | 16     |
410   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
411
412* Note: Symmetric mixed crypto algorithms feature on Gen 2 works only with IDZ driver version 4.9.0+
413
414The first 3 columns indicate the service:
415
416* S = Symmetric crypto service (via cryptodev API)
417* A = Asymmetric crypto service  (via cryptodev API)
418* C = Compression service (via compressdev API)
419
420The ``Driver`` column indicates either the Linux kernel version in which
421support for this device was introduced or a driver available on Intel Developer Zone (IDZ).
422There are both linux in-tree and IDZ kernel drivers available for some
423devices. p = release pending.
424
425If you are running on a kernel which includes a driver for your device, see
426`Installation using kernel.org driver`_ below. Otherwise see
427`Installation using IDZ QAT driver`_.
428
429.. note::
430
431   The asymmetric service is not supported by DPDK QAT PMD for the Gen 3 platform.
432   The actual crypto services enabled on the system depend
433   on QAT driver capabilities and hardware slice configuration.
434
435Installation using kernel.org driver
436~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
437
438The examples below are based on the C62x device, if you have a different device
439use the corresponding values in the above table.
440
441In BIOS ensure that SRIOV is enabled and either:
442
443* Disable VT-d or
444* Enable VT-d and set ``"intel_iommu=on iommu=pt"`` in the grub file.
445
446Check that the QAT driver is loaded on your system, by executing::
447
448    lsmod | grep qa
449
450You should see the kernel module for your device listed, e.g.::
451
452    qat_c62x               5626  0
453    intel_qat              82336  1 qat_c62x
454
455Next, you need to expose the Virtual Functions (VFs) using the sysfs file system.
456
457First find the BDFs (Bus-Device-Function) of the physical functions (PFs) of
458your device, e.g.::
459
460    lspci -d:37c8
461
462You should see output similar to::
463
464    1a:00.0 Co-processor: Intel Corporation Device 37c8
465    3d:00.0 Co-processor: Intel Corporation Device 37c8
466    3f:00.0 Co-processor: Intel Corporation Device 37c8
467
468Enable the VFs for each PF by echoing the number of VFs per PF to the pci driver::
469
470     echo 16 > /sys/bus/pci/drivers/c6xx/0000:1a:00.0/sriov_numvfs
471     echo 16 > /sys/bus/pci/drivers/c6xx/0000:3d:00.0/sriov_numvfs
472     echo 16 > /sys/bus/pci/drivers/c6xx/0000:3f:00.0/sriov_numvfs
473
474Check that the VFs are available for use. For example ``lspci -d:37c9`` should
475list 48 VF devices available for a ``C62x`` device.
476
477To complete the installation follow the instructions in
478`Binding the available VFs to the vfio-pci driver`_.
479
480.. Note::
481
482   If the QAT kernel modules are not loaded and you see an error like ``Failed
483   to load MMP firmware qat_895xcc_mmp.bin`` in kernel logs, this may be as a
484   result of not using a distribution, but just updating the kernel directly.
485
486   Download firmware from the `kernel firmware repo
487   <http://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/tree/>`_.
488
489   Copy qat binaries to ``/lib/firmware``::
490
491      cp qat_895xcc.bin /lib/firmware
492      cp qat_895xcc_mmp.bin /lib/firmware
493
494   Change to your linux source root directory and start the qat kernel modules::
495
496      insmod ./drivers/crypto/qat/qat_common/intel_qat.ko
497      insmod ./drivers/crypto/qat/qat_dh895xcc/qat_dh895xcc.ko
498
499.. Note::
500
501   If you see the following warning in ``/var/log/messages`` it can be ignored:
502   ``IOMMU should be enabled for SR-IOV to work correctly``.
503
504
505Installation using IDZ QAT driver
506~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
507
508Download the latest QuickAssist Technology Driver from `Intel Developer Zone
509<https://developer.intel.com/quickassist>`_.
510Consult the *Quick Start Guide* at the same URL for further information.
511
512The steps below assume you are:
513
514* Building on a platform with one ``C62x`` device.
515* Using package ``qat1.7.l.4.2.0-000xx.tar.gz``.
516* On Fedora26 kernel ``4.11.11-300.fc26.x86_64``.
517
518In the BIOS ensure that SRIOV is enabled and VT-d is disabled.
519
520Uninstall any existing QAT driver, for example by running:
521
522* ``./installer.sh uninstall`` in the directory where originally installed.
523
524
525Build and install the SRIOV-enabled QAT driver::
526
527    mkdir /QAT
528    cd /QAT
529
530    # Copy the package to this location and unpack
531    tar zxof qat1.7.l.4.2.0-000xx.tar.gz
532
533    ./configure --enable-icp-sriov=host
534    make install
535
536You can use ``cat /sys/kernel/debug/qat<your device type and bdf>/version/fw`` to confirm the driver is correctly installed and is using firmware version 4.2.0.
537You can use ``lspci -d:37c9`` to confirm the presence of the 16 VF devices available per ``C62x`` PF.
538
539Confirm the driver is correctly installed and is using firmware version 4.2.0::
540
541    cat /sys/kernel/debug/qat<your device type and bdf>/version/fw
542
543
544Confirm the presence of 48 VF devices - 16 per PF::
545
546    lspci -d:37c9
547
548
549To complete the installation - follow instructions in
550`Binding the available VFs to the vfio-pci driver`_.
551
552.. Note::
553
554   If using a later kernel and the build fails with an error relating to
555   ``strict_stroul`` not being available apply the following patch:
556
557   .. code-block:: diff
558
559      /QAT/QAT1.6/quickassist/utilities/downloader/Target_CoreLibs/uclo/include/linux/uclo_platform.h
560      + #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,18,5)
561      + #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; if (kstrtoul((str), (base), (num))) printk("Error strtoull convert %s\n", str); }
562      + #else
563      #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,38)
564      #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; if (strict_strtoull((str), (base), (num))) printk("Error strtoull convert %s\n", str); }
565      #else
566      #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25)
567      #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; strict_strtoll((str), (base), (num));}
568      #else
569      #define STR_TO_64(str, base, num, endPtr)                                 \
570           do {                                                               \
571                 if (str[0] == '-')                                           \
572                 {                                                            \
573                      *(num) = -(simple_strtoull((str+1), &(endPtr), (base))); \
574                 }else {                                                      \
575                      *(num) = simple_strtoull((str), &(endPtr), (base));      \
576                 }                                                            \
577           } while(0)
578      + #endif
579      #endif
580      #endif
581
582
583.. Note::
584
585   If the build fails due to missing header files you may need to do following::
586
587      sudo yum install zlib-devel
588      sudo yum install openssl-devel
589      sudo yum install libudev-devel
590
591.. Note::
592
593   If the build or install fails due to mismatching kernel sources you may need to do the following::
594
595      sudo yum install kernel-headers-`uname -r`
596      sudo yum install kernel-src-`uname -r`
597      sudo yum install kernel-devel-`uname -r`
598
599.. Note::
600
601   If the build fails on newer GCC versions (such as GCC 12) with an error relating to
602   ``-lc`` not being found, apply the following patch:
603
604   .. code-block:: diff
605
606      /QAT/quickassist/lookaside/access_layer/src/Makefile
607      cd $(ICP_FINAL_OUTPUT_DIR);\
608      cmd="$(LINKER) $(LIB_SHARED_FLAGS) -o \
609        $(LIB_SHARED) $(ADDITIONAL_OBJECTS) $(ADDITIONAL_LIBS) *.o -lpthread -ludev \
610      - -Bstatic -L$(ADF_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL) \
611      - -ladf_user -L$(OSAL_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL)/ \
612      - -losal -Bdynamic -lc"; \
613      + -Bstatic -L$(ADF_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL) \
614      + -ladf_user -L$(OSAL_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL)/ \
615      + -losal -Bdynamic -L/lib/x86_64-linux-gnu/ -lc"; \
616      echo "$$cmd"; \
617      $$cmd
618
619   Followed by this patch:
620
621   .. code-block:: diff
622
623      /QAT/quickassist/build_system/build_files/OS/linux_common_user_space_rules.mk
624      @echo 'Creating shared library ${LIB_SHARED}'; \
625      cd $($(PROG_ACY)_FINAL_OUTPUT_DIR);\
626      -  echo $(LINKER) $(LIB_SHARED_FLAGS) -o $@  $(OBJECTS) $(ADDITIONAL_OBJECTS) -lc;\
627      -  $(LINKER) $(LIB_SHARED_FLAGS) -o $@  $(OBJECTS) $(ADDITIONAL_OBJECTS) -lc ;
628      +  echo $(LINKER) $(LIB_SHARED_FLAGS) -o $@  $(OBJECTS) $(ADDITIONAL_OBJECTS) \
629      +  -L/lib/x86_64-linux-gnu/ -lc;\
630      +  $(LINKER) $(LIB_SHARED_FLAGS) -o $@  $(OBJECTS) $(ADDITIONAL_OBJECTS) \
631      +  -L/lib/x86_64-linux-gnu/ -lc ;
632
633
634Binding the available VFs to the vfio-pci driver
635~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
636
637Note:
638
639* Please note that due to security issues, the usage of older DPDK igb_uio
640  driver is not recommended. This document shows how to use the more secure
641  vfio-pci driver.
642* If QAT fails to bind to vfio-pci on Linux kernel 5.9+, please see the
643  QATE-39220 and QATE-7495 issues in
644  `IDZ doc <https://cdrdv2.intel.com/v1/dl/getContent/710057?explicitVersion=true>`_
645  which details the constraint about trusted guests and add `disable_denylist=1`
646  to the vfio-pci params to use QAT. See also `this patch description <https://lkml.org/lkml/2020/7/23/1155>`_.
647
648Unbind the VFs from the stock driver so they can be bound to the vfio-pci driver.
649
650For an Intel(R) QuickAssist Technology DH895xCC device
651^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
652
653The unbind command below assumes ``BDFs`` of ``03:01.00-03:04.07``, if your
654VFs are different adjust the unbind command below::
655
656    cd to the top-level DPDK directory
657    for device in $(seq 1 4); do \
658        for fn in $(seq 0 7); do \
659            usertools/dpdk-devbind.py -u 0000:03:0${device}.${fn}; \
660        done; \
661    done
662
663For an Intel(R) QuickAssist Technology C62x device
664^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
665
666The unbind command below assumes ``BDFs`` of ``1a:01.00-1a:02.07``,
667``3d:01.00-3d:02.07`` and ``3f:01.00-3f:02.07``, if your VFs are different
668adjust the unbind command below::
669
670    cd to the top-level DPDK directory
671    for device in $(seq 1 2); do \
672        for fn in $(seq 0 7); do \
673            usertools/dpdk-devbind.py -u 0000:1a:0${device}.${fn}; \
674            usertools/dpdk-devbind.py -u 0000:3d:0${device}.${fn}; \
675            usertools/dpdk-devbind.py -u 0000:3f:0${device}.${fn}; \
676        done; \
677    done
678
679For Intel(R) QuickAssist Technology C3xxx or 200xx or D15xx device
680^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
681
682The unbind command below assumes ``BDFs`` of ``01:01.00-01:02.07``, if your
683VFs are different adjust the unbind command below::
684
685    cd to the top-level DPDK directory
686    for device in $(seq 1 2); do \
687        for fn in $(seq 0 7); do \
688            usertools/dpdk-devbind.py -u 0000:01:0${device}.${fn}; \
689        done; \
690    done
691
692Bind to the vfio-pci driver
693^^^^^^^^^^^^^^^^^^^^^^^^^^^
694
695Load the vfio-pci driver, bind the VF PCI Device id to it using the
696``dpdk-devbind.py`` script then use the ``--status`` option
697to confirm the VF devices are now in use by vfio-pci kernel driver,
698e.g. for the C62x device::
699
700    cd to the top-level DPDK directory
701    modprobe vfio-pci
702    usertools/dpdk-devbind.py -b vfio-pci 0000:03:01.1
703    usertools/dpdk-devbind.py --status
704
705Use ``modprobe vfio-pci disable_denylist=1`` from kernel 5.9 onwards.
706See note in the section `Binding the available VFs to the vfio-pci driver`_
707above.
708
709Testing
710~~~~~~~
711
712QAT SYM crypto PMD can be tested by running the test application::
713
714    cd ./<build_dir>/app/test
715    ./dpdk-test -l1 -n1 -a <your qat bdf>
716    RTE>>cryptodev_qat_autotest
717
718QAT ASYM crypto PMD can be tested by running the test application::
719
720    cd ./<build_dir>/app/test
721    ./dpdk-test -l1 -n1 -a <your qat bdf>
722    RTE>>cryptodev_qat_asym_autotest
723
724QAT compression PMD can be tested by running the test application::
725
726    cd ./<build_dir>/app/test
727    ./dpdk-test -l1 -n1 -a <your qat bdf>
728    RTE>>compressdev_autotest
729
730
731Debugging
732~~~~~~~~~
733
734There are 2 sets of trace available via the dynamic logging feature:
735
736* pmd.qat.dp exposes trace on the data-path.
737* pmd.qat.general exposes all other trace.
738
739pmd.qat exposes both sets of traces.
740They can be enabled using the log-level option (where 8=maximum log level) on
741the process cmdline, e.g. using any of the following::
742
743    --log-level="pmd.qat.general,8"
744    --log-level="pmd.qat.dp,8"
745    --log-level="pmd.qat,8"
746
747.. Note::
748
749    The global RTE_LOG_DP_LEVEL overrides data-path trace so must be set to
750    RTE_LOG_DEBUG to see all the trace. This variable is in config/rte_config.h
751    for meson build.
752    Also the dynamic global log level overrides both sets of trace, so e.g. no
753    QAT trace would display in this case::
754
755	--log-level="7" --log-level="pmd.qat.general,8"
756