1.. SPDX-License-Identifier: BSD-3-Clause 2 Copyright(c) 2015-2019 Intel Corporation. 3 4Intel(R) QuickAssist (QAT) Crypto Poll Mode Driver 5================================================== 6 7QAT documentation consists of three parts: 8 9* Details of the symmetric and asymmetric crypto services below. 10* Details of the :doc:`compression service <../compressdevs/qat_comp>` 11 in the compressdev drivers section. 12* Details of building the common QAT infrastructure and the PMDs to support the 13 above services. See :ref:`building_qat` below. 14 15 16Symmetric Crypto Service on QAT 17------------------------------- 18 19The QAT symmetric crypto PMD (hereafter referred to as `QAT SYM [PMD]`) provides 20poll mode crypto driver support for the following hardware accelerator devices: 21 22* ``Intel QuickAssist Technology DH895xCC`` 23* ``Intel QuickAssist Technology C62x`` 24* ``Intel QuickAssist Technology C3xxx`` 25* ``Intel QuickAssist Technology 200xx`` 26* ``Intel QuickAssist Technology D15xx`` 27* ``Intel QuickAssist Technology C4xxx`` 28* ``Intel QuickAssist Technology 4xxx`` 29 30 31Features 32~~~~~~~~ 33 34The QAT SYM PMD has support for: 35 36Cipher algorithms: 37 38* ``RTE_CRYPTO_CIPHER_3DES_CBC`` 39* ``RTE_CRYPTO_CIPHER_3DES_CTR`` 40* ``RTE_CRYPTO_CIPHER_AES128_CBC`` 41* ``RTE_CRYPTO_CIPHER_AES192_CBC`` 42* ``RTE_CRYPTO_CIPHER_AES256_CBC`` 43* ``RTE_CRYPTO_CIPHER_AES128_CTR`` 44* ``RTE_CRYPTO_CIPHER_AES192_CTR`` 45* ``RTE_CRYPTO_CIPHER_AES256_CTR`` 46* ``RTE_CRYPTO_CIPHER_AES_XTS`` 47* ``RTE_CRYPTO_CIPHER_SNOW3G_UEA2`` 48* ``RTE_CRYPTO_CIPHER_NULL`` 49* ``RTE_CRYPTO_CIPHER_KASUMI_F8`` 50* ``RTE_CRYPTO_CIPHER_DES_CBC`` 51* ``RTE_CRYPTO_CIPHER_AES_DOCSISBPI`` 52* ``RTE_CRYPTO_CIPHER_DES_DOCSISBPI`` 53* ``RTE_CRYPTO_CIPHER_ZUC_EEA3`` 54 55Hash algorithms: 56 57* ``RTE_CRYPTO_AUTH_SHA1`` 58* ``RTE_CRYPTO_AUTH_SHA1_HMAC`` 59* ``RTE_CRYPTO_AUTH_SHA224`` 60* ``RTE_CRYPTO_AUTH_SHA224_HMAC`` 61* ``RTE_CRYPTO_AUTH_SHA256`` 62* ``RTE_CRYPTO_AUTH_SHA256_HMAC`` 63* ``RTE_CRYPTO_AUTH_SHA384`` 64* ``RTE_CRYPTO_AUTH_SHA384_HMAC`` 65* ``RTE_CRYPTO_AUTH_SHA512`` 66* ``RTE_CRYPTO_AUTH_SHA512_HMAC`` 67* ``RTE_CRYPTO_AUTH_SHA3_224`` 68* ``RTE_CRYPTO_AUTH_SHA3_256`` 69* ``RTE_CRYPTO_AUTH_SHA3_384`` 70* ``RTE_CRYPTO_AUTH_SHA3_512`` 71* ``RTE_CRYPTO_AUTH_AES_XCBC_MAC`` 72* ``RTE_CRYPTO_AUTH_SNOW3G_UIA2`` 73* ``RTE_CRYPTO_AUTH_MD5_HMAC`` 74* ``RTE_CRYPTO_AUTH_NULL`` 75* ``RTE_CRYPTO_AUTH_KASUMI_F9`` 76* ``RTE_CRYPTO_AUTH_AES_GMAC`` 77* ``RTE_CRYPTO_AUTH_ZUC_EIA3`` 78* ``RTE_CRYPTO_AUTH_AES_CMAC`` 79 80Supported AEAD algorithms: 81 82* ``RTE_CRYPTO_AEAD_AES_GCM`` 83* ``RTE_CRYPTO_AEAD_AES_CCM`` 84* ``RTE_CRYPTO_AEAD_CHACHA20_POLY1305`` 85 86Protocol offloads: 87 88* ``RTE_SECURITY_PROTOCOL_DOCSIS`` 89 90Supported Chains 91~~~~~~~~~~~~~~~~ 92 93All the usual chains are supported and also some mixed chains: 94 95.. table:: Supported hash-cipher chains for wireless digest-encrypted cases 96 97 +------------------+-----------+-------------+----------+----------+ 98 | Cipher algorithm | NULL AUTH | SNOW3G UIA2 | ZUC EIA3 | AES CMAC | 99 +==================+===========+=============+==========+==========+ 100 | NULL CIPHER | Y | 2&3 | 2&3 | Y | 101 +------------------+-----------+-------------+----------+----------+ 102 | SNOW3G UEA2 | 2&3 | 1&2&3 | 2&3 | 2&3 | 103 +------------------+-----------+-------------+----------+----------+ 104 | ZUC EEA3 | 2&3 | 2&3 | 2&3 | 2&3 | 105 +------------------+-----------+-------------+----------+----------+ 106 | AES CTR | 1&2&3 | 2&3 | 2&3 | Y | 107 +------------------+-----------+-------------+----------+----------+ 108 109* The combinations marked as "Y" are supported on all QAT hardware versions. 110* The combinations marked as "2&3" are supported on GEN2 and GEN3 QAT hardware only. 111* The combinations marked as "1&2&3" are supported on GEN1, GEN2 and GEN3 QAT hardware only. 112 113 114Limitations 115~~~~~~~~~~~ 116 117* Only supports the session-oriented API implementation (session-less APIs are not supported). 118* SNOW 3G (UEA2), KASUMI (F8) and ZUC (EEA3) supported only if cipher length and offset fields are byte-multiple. 119* SNOW 3G (UIA2) and ZUC (EIA3) supported only if hash length and offset fields are byte-multiple. 120* No BSD support as BSD QAT kernel driver not available. 121* ZUC EEA3/EIA3 is not supported by dh895xcc devices 122* Maximum additional authenticated data (AAD) for GCM is 240 bytes long and must be passed to the device in a buffer rounded up to the nearest block-size multiple (x16) and padded with zeros. 123* Queue-pairs are thread-safe on Intel CPUs but Queues are not (that is, within a single 124 queue-pair all enqueues to the TX queue must be done from one thread and all dequeues 125 from the RX queue must be done from one thread, but enqueues and dequeues may be done 126 in different threads.) 127* A GCM limitation exists, but only in the case where there are multiple 128 generations of QAT devices on a single platform. 129 To optimise performance, the GCM crypto session should be initialised for the 130 device generation to which the ops will be enqueued. Specifically if a GCM 131 session is initialised on a GEN2 device, but then attached to an op enqueued 132 to a GEN3 device, it will work but cannot take advantage of hardware 133 optimisations in the GEN3 device. And if a GCM session is initialised on a 134 GEN3 device, then attached to an op sent to a GEN1/GEN2 device, it will not be 135 enqueued to the device and will be marked as failed. The simplest way to 136 mitigate this is to use the PCI allowlist to avoid mixing devices of different 137 generations in the same process if planning to use for GCM. 138* The mixed algo feature on GEN2 is not supported by all kernel drivers. Check 139 the notes under the Available Kernel Drivers table below for specific details. 140* Out-of-place is not supported for combined Crypto-CRC DOCSIS security 141 protocol. 142* ``RTE_CRYPTO_CIPHER_DES_DOCSISBPI`` is not supported for combined Crypto-CRC 143 DOCSIS security protocol. 144* Multi-segment buffers are not supported for combined Crypto-CRC DOCSIS 145 security protocol. 146 147Extra notes on KASUMI F9 148~~~~~~~~~~~~~~~~~~~~~~~~ 149 150When using KASUMI F9 authentication algorithm, the input buffer must be 151constructed according to the 152`3GPP KASUMI specification <http://cryptome.org/3gpp/35201-900.pdf>`_ 153(section 4.4, page 13). The input buffer has to have COUNT (4 bytes), 154FRESH (4 bytes), MESSAGE and DIRECTION (1 bit) concatenated. After the DIRECTION 155bit, a single '1' bit is appended, followed by between 0 and 7 '0' bits, so that 156the total length of the buffer is multiple of 8 bits. Note that the actual 157message can be any length, specified in bits. 158 159Once this buffer is passed this way, when creating the crypto operation, 160length of data to authenticate "op.sym.auth.data.length" must be the length 161of all the items described above, including the padding at the end. 162Also, offset of data to authenticate "op.sym.auth.data.offset" 163must be such that points at the start of the COUNT bytes. 164 165Asymmetric Crypto Service on QAT 166-------------------------------- 167 168The QAT asymmetric crypto PMD (hereafter referred to as `QAT ASYM [PMD]`) provides 169poll mode crypto driver support for the following hardware accelerator devices: 170 171* ``Intel QuickAssist Technology DH895xCC`` 172* ``Intel QuickAssist Technology C62x`` 173* ``Intel QuickAssist Technology C3xxx`` 174* ``Intel QuickAssist Technology D15xx`` 175* ``Intel QuickAssist Technology C4xxx`` 176* ``Intel QuickAssist Technology 4xxx`` 177* ``Intel QuickAssist Technology 401xxx`` 178 179The QAT ASYM PMD has support for: 180 181* ``RTE_CRYPTO_ASYM_XFORM_MODEX`` 182* ``RTE_CRYPTO_ASYM_XFORM_MODINV`` 183* ``RTE_CRYPTO_ASYM_XFORM_RSA`` 184* ``RTE_CRYPTO_ASYM_XFORM_ECDSA`` 185* ``RTE_CRYPTO_ASYM_XFORM_ECPM`` 186* ``RTE_CRYPTO_ASYM_XFORM_ECDH`` 187 188Limitations 189~~~~~~~~~~~ 190 191* Big integers longer than 4096 bits are not supported. 192* Queue-pairs are thread-safe on Intel CPUs but Queues are not (that is, within a single 193 queue-pair all enqueues to the TX queue must be done from one thread and all dequeues 194 from the RX queue must be done from one thread, but enqueues and dequeues may be done 195 in different threads.) 196* RSA-2560, RSA-3584 are not supported 197 198.. _building_qat: 199 200Building PMDs on QAT 201-------------------- 202 203A QAT device can host multiple acceleration services: 204 205* symmetric cryptography 206* data compression 207* asymmetric cryptography 208 209These services are provided to DPDK applications via PMDs which register to 210implement the corresponding cryptodev and compressdev APIs. The PMDs use 211common QAT driver code which manages the QAT PCI device. They also depend on a 212QAT kernel driver being installed on the platform, see :ref:`qat_kernel` below. 213 214 215Configuring and Building the DPDK QAT PMDs 216~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 217 218 219Further information on configuring, building and installing DPDK is described 220:doc:`here <../linux_gsg/build_dpdk>`. 221 222.. _building_qat_config: 223 224Build Configuration 225~~~~~~~~~~~~~~~~~~~ 226 227These are the build configuration options affecting QAT, and their default values: 228 229.. code-block:: console 230 231 RTE_PMD_QAT_MAX_PCI_DEVICES=48 232 RTE_PMD_QAT_COMP_IM_BUFFER_SIZE=65536 233 234Both QAT SYM PMD and QAT ASYM PMD have an external dependency on libcrypto, so are not 235built by default. 236 237The QAT compressdev PMD has no external dependencies, so is built by default. 238 239The number of VFs per PF varies - see table below. If multiple QAT packages are 240installed on a platform then RTE_PMD_QAT_MAX_PCI_DEVICES should be 241adjusted to the number of VFs which the QAT common code will need to handle. 242 243.. Note:: 244 245 There are separate config items (not QAT-specific) for max cryptodevs 246 RTE_CRYPTO_MAX_DEVS and max compressdevs RTE_COMPRESS_MAX_DEVS, 247 if necessary these should be adjusted to handle the total of QAT and other 248 devices which the process will use. In particular for crypto, where each 249 QAT VF may expose two crypto devices, sym and asym, it may happen that the 250 number of devices will be bigger than MAX_DEVS and the process will show an error 251 during PMD initialisation. To avoid this problem RTE_CRYPTO_MAX_DEVS may be 252 increased or -a, allow domain:bus:devid:func option may be used. 253 254 255QAT compression PMD needs intermediate buffers to support Deflate compression 256with Dynamic Huffman encoding. RTE_PMD_QAT_COMP_IM_BUFFER_SIZE 257specifies the size of a single buffer, the PMD will allocate a multiple of these, 258plus some extra space for associated meta-data. For GEN2 devices, 20 buffers are 259allocated while for GEN1 devices, 12 buffers are allocated, plus 1472 bytes overhead. 260 261.. Note:: 262 263 If the compressed output of a Deflate operation using Dynamic Huffman 264 Encoding is too big to fit in an intermediate buffer, then the 265 operation will be split into smaller operations and their results will 266 be merged afterwards. 267 This is not possible if any checksum calculation was requested - in such 268 case the code falls back to fixed compression. 269 To avoid this less performant case, applications should configure 270 the intermediate buffer size to be larger than the expected input data size 271 (compressed output size is usually unknown, so the only option is to make 272 larger than the input size). 273 274 275Running QAT PMD with insecure crypto algorithms 276~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 277 278A few insecure crypto algorithms are deprecated from QAT drivers. 279This needs to be reflected in DPDK QAT PMD. 280DPDK QAT PMD has by default disabled all the insecure crypto algorithms from Gen 1, 2, 3 and 4. 281A PMD devarg is used to enable the capability. 282 283- qat_legacy_capa 284 285To use this feature the user must set the devarg on process start as a device additional devarg:: 286 287 -a b1:01.2,qat_legacy_capa=1 288 289 290Running QAT PMD with minimum threshold for burst size 291~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 292 293If only a small number or packets can be enqueued. Each enqueue causes an expensive MMIO write. 294These MMIO write occurrences can be optimised by setting any of the following parameters: 295 296- qat_sym_enq_threshold 297- qat_asym_enq_threshold 298- qat_comp_enq_threshold 299 300When any of these parameters is set rte_cryptodev_enqueue_burst function will 301return 0 (thereby avoiding an MMIO) if the device is congested and number of packets 302possible to enqueue is smaller. 303To use this feature the user must set the parameter on process start as a device additional parameter:: 304 305 -a 03:01.1,qat_sym_enq_threshold=32,qat_comp_enq_threshold=16 306 307All parameters can be used with the same device regardless of order. Parameters are separated 308by comma. When the same parameter is used more than once first occurrence of the parameter 309is used. 310Maximum threshold that can be set is 32. 311 312 313Running QAT PMD with Cipher-CRC offload feature 314~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 315 316Support has been added to the QAT symmetric crypto PMD for combined Cipher-CRC offload, 317primarily for the Crypto-CRC DOCSIS security protocol, on GEN2/GEN3/GEN4 QAT devices. 318 319The following devarg enables a Cipher-CRC offload capability check to determine 320if the feature is supported on the QAT device. 321 322- qat_sym_cipher_crc_enable 323 324When enabled, a capability check for the combined Cipher-CRC offload feature is triggered 325to the QAT firmware during queue pair initialization. If supported by the firmware, 326any subsequent runtime Crypto-CRC DOCSIS security protocol requests handled by the QAT PMD 327are offloaded to the QAT device by setting up the content descriptor and request accordingly. 328If not supported, the CRC is calculated by the QAT PMD using the NET CRC API. 329 330To use this feature the user must set the devarg on process start as a device additional devarg:: 331 332 -a 03:01.1,qat_sym_cipher_crc_enable=1 333 334 335Running QAT PMD with Intel IPSEC MB library for symmetric precomputes function 336~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 337 338The QAT PMD use Openssl library for partial hash calculation in symmetirc precomputes function by 339default, the following parameter is allow QAT PMD switch over to multi-buffer job API if Intel 340IPSEC MB library installed on system. 341 342- qat_ipsec_mb_lib 343 344To use this feature the user must set the parameter on process start as a device additional parameter:: 345 346 -a 03:01.1,qat_ipsec_mb_lib=1 347 348 349Device and driver naming 350~~~~~~~~~~~~~~~~~~~~~~~~ 351 352* The qat cryptodev symmetric crypto driver name is "crypto_qat". 353* The qat cryptodev asymmetric crypto driver name is "crypto_qat_asym". 354 355The "rte_cryptodev_devices_get()" returns the devices exposed by either of these drivers. 356 357* Each qat sym crypto device has a unique name, in format 358 "<pci bdf>_<service>", e.g. "0000:41:01.0_qat_sym". 359* Each qat asym crypto device has a unique name, in format 360 "<pci bdf>_<service>", e.g. "0000:41:01.0_qat_asym". 361 This name can be passed to "rte_cryptodev_get_dev_id()" to get the device_id. 362 363.. Note:: 364 365 The cryptodev driver name is passed to the dpdk-test-crypto-perf tool in the "-devtype" parameter. 366 367 The qat crypto device name is in the format of the worker parameter passed to the crypto scheduler. 368 369* The qat compressdev driver name is "compress_qat". 370 The rte_compressdev_devices_get() returns the devices exposed by this driver. 371 372* Each qat compression device has a unique name, in format 373 <pci bdf>_<service>, e.g. "0000:41:01.0_qat_comp". 374 This name can be passed to rte_compressdev_get_dev_id() to get the device_id. 375 376.. _qat_kernel: 377 378Dependency on the QAT kernel driver 379~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 380 381To use QAT an SRIOV-enabled QAT kernel driver is required. The VF 382devices created and initialised by this driver will be used by the QAT PMDs. 383 384Instructions for installation are below, but first an explanation of the 385relationships between the PF/VF devices and the PMDs visible to 386DPDK applications. 387 388Each QuickAssist PF device exposes a number of VF devices. Each VF device can 389enable one symmetric cryptodev PMD and/or one asymmetric cryptodev PMD and/or 390one compressdev PMD. 391These QAT PMDs share the same underlying device and pci-mgmt code, but are 392enumerated independently on their respective APIs and appear as independent 393devices to applications. 394 395.. Note:: 396 397 Each VF can only be used by one DPDK process. It is not possible to share 398 the same VF across multiple processes, even if these processes are using 399 different acceleration services. 400 401 Conversely one DPDK process can use one or more QAT VFs and can expose both 402 cryptodev and compressdev instances on each of those VFs. 403 404 405Available kernel drivers 406~~~~~~~~~~~~~~~~~~~~~~~~ 407 408Kernel drivers for each device for each service are listed in the following table. (Scroll right 409to see the full table) 410 411 412.. _table_qat_pmds_drivers: 413 414.. table:: QAT device generations, devices and drivers 415 416 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 417 | S | A | C | Gen | Device | Driver/ver | Kernel Module | Pci Driver | PF Did | #PFs | VF Did | VFs/PF | 418 +=====+=====+=====+=====+==========+===============+===============+============+========+======+========+========+ 419 | Yes | No | No | 1 | DH895xCC | linux/4.4+ | qat_dh895xcc | dh895xcc | 435 | 1 | 443 | 32 | 420 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 421 | Yes | Yes | No | " | " | IDZ/4.12.0+ | " | " | " | " | " | " | 422 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 423 | Yes | Yes | Yes | " | " | IDZ/4.13.0+ | " | " | " | " | " | " | 424 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 425 | Yes | No | No | 2 | C62x | linux/4.5+ | qat_c62x | c6xx | 37c8 | 3 | 37c9 | 16 | 426 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 427 | Yes | Yes | Yes | " | " | IDZ/4.12.0+ | " | " | " | " | " | " | 428 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 429 | Yes | No | No | 2 | C3xxx | linux/4.5+ | qat_c3xxx | c3xxx | 19e2 | 1 | 19e3 | 16 | 430 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 431 | Yes | Yes | Yes | " | " | IDZ/4.12.0+ | " | " | " | " | " | " | 432 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 433 | Yes | No | No | 2 | 200xx | p | qat_200xx | 200xx | 18ee | 1 | 18ef | 16 | 434 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 435 | Yes | No | No | 2 | D15xx | p | qat_d15xx | d15xx | 6f54 | 1 | 6f55 | 16 | 436 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 437 | Yes | Yes | No | 3 | C4xxx | p | qat_c4xxx | c4xxx | 18a0 | 1 | 18a1 | 128 | 438 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 439 | Yes | Yes | No | 4 | 4xxx | linux/5.11+ | qat_4xxx | 4xxx | 4940 | 4 | 4941 | 16 | 440 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 441 | Yes | Yes | Yes | 4 | 4xxx | linux/5.17+ | qat_4xxx | 4xxx | 4940 | 4 | 4941 | 16 | 442 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 443 | Yes | No | No | 4 | 4xxx | IDZ/ N/A | qat_4xxx | 4xxx | 4940 | 4 | 4941 | 16 | 444 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 445 | Yes | Yes | Yes | 4 | 401xxx | linux/5.19+ | qat_401xxx | 4xxx | 4942 | 2 | 4943 | 16 | 446 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 447 | Yes | No | No | 4 | 401xxx | IDZ/ N/A | qat_401xxx | 4xxx | 4942 | 2 | 4943 | 16 | 448 +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+ 449 450* Note: Symmetric mixed crypto algorithms feature on Gen 2 works only with IDZ driver version 4.9.0+ 451 452The first 3 columns indicate the service: 453 454* S = Symmetric crypto service (via cryptodev API) 455* A = Asymmetric crypto service (via cryptodev API) 456* C = Compression service (via compressdev API) 457 458The ``Driver`` column indicates either the Linux kernel version in which 459support for this device was introduced or a driver available on Intel Developer Zone (IDZ). 460There are both linux in-tree and IDZ kernel drivers available for some 461devices. p = release pending. 462 463If you are running on a kernel which includes a driver for your device, see 464`Installation using kernel.org driver`_ below. Otherwise see 465`Installation using IDZ QAT driver`_. 466 467.. note:: 468 469 The asymmetric service is not supported by DPDK QAT PMD for the Gen 3 platform. 470 The actual crypto services enabled on the system depend 471 on QAT driver capabilities and hardware slice configuration. 472 473Installation using kernel.org driver 474~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 475 476The examples below are based on the C62x device, if you have a different device 477use the corresponding values in the above table. 478 479In BIOS ensure that SRIOV is enabled and either: 480 481* Disable VT-d or 482* Enable VT-d and set ``"intel_iommu=on iommu=pt"`` in the grub file. 483 484Check that the QAT driver is loaded on your system, by executing:: 485 486 lsmod | grep qa 487 488You should see the kernel module for your device listed, e.g.:: 489 490 qat_c62x 5626 0 491 intel_qat 82336 1 qat_c62x 492 493Next, you need to expose the Virtual Functions (VFs) using the sysfs file system. 494 495First find the BDFs (Bus-Device-Function) of the physical functions (PFs) of 496your device, e.g.:: 497 498 lspci -d:37c8 499 500You should see output similar to:: 501 502 1a:00.0 Co-processor: Intel Corporation Device 37c8 503 3d:00.0 Co-processor: Intel Corporation Device 37c8 504 3f:00.0 Co-processor: Intel Corporation Device 37c8 505 506Enable the VFs for each PF by echoing the number of VFs per PF to the pci driver:: 507 508 echo 16 > /sys/bus/pci/drivers/c6xx/0000:1a:00.0/sriov_numvfs 509 echo 16 > /sys/bus/pci/drivers/c6xx/0000:3d:00.0/sriov_numvfs 510 echo 16 > /sys/bus/pci/drivers/c6xx/0000:3f:00.0/sriov_numvfs 511 512Check that the VFs are available for use. For example ``lspci -d:37c9`` should 513list 48 VF devices available for a ``C62x`` device. 514 515To complete the installation follow the instructions in 516`Binding the available VFs to the vfio-pci driver`_. 517 518.. Note:: 519 520 If the QAT kernel modules are not loaded and you see an error like ``Failed 521 to load MMP firmware qat_895xcc_mmp.bin`` in kernel logs, this may be as a 522 result of not using a distribution, but just updating the kernel directly. 523 524 Download firmware from the `kernel firmware repo 525 <http://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/tree/>`_. 526 527 Copy qat binaries to ``/lib/firmware``:: 528 529 cp qat_895xcc.bin /lib/firmware 530 cp qat_895xcc_mmp.bin /lib/firmware 531 532 Change to your linux source root directory and start the qat kernel modules:: 533 534 insmod ./drivers/crypto/qat/qat_common/intel_qat.ko 535 insmod ./drivers/crypto/qat/qat_dh895xcc/qat_dh895xcc.ko 536 537.. Note:: 538 539 If you see the following warning in ``/var/log/messages`` it can be ignored: 540 ``IOMMU should be enabled for SR-IOV to work correctly``. 541 542 543Installation using IDZ QAT driver 544~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 545 546Download the latest QuickAssist Technology Driver from `Intel Developer Zone 547<https://developer.intel.com/quickassist>`_. 548Consult the *Quick Start Guide* at the same URL for further information. 549 550The steps below assume you are: 551 552* Building on a platform with one ``C62x`` device. 553* Using package ``qat1.7.l.4.2.0-000xx.tar.gz``. 554* On Fedora26 kernel ``4.11.11-300.fc26.x86_64``. 555 556In the BIOS ensure that SRIOV is enabled and VT-d is disabled. 557 558Uninstall any existing QAT driver, for example by running: 559 560* ``./installer.sh uninstall`` in the directory where originally installed. 561 562 563Build and install the SRIOV-enabled QAT driver:: 564 565 mkdir /QAT 566 cd /QAT 567 568 # Copy the package to this location and unpack 569 tar zxof qat1.7.l.4.2.0-000xx.tar.gz 570 571 ./configure --enable-icp-sriov=host 572 make install 573 574You can use ``cat /sys/kernel/debug/qat<your device type and bdf>/version/fw`` to confirm the driver is correctly installed and is using firmware version 4.2.0. 575You can use ``lspci -d:37c9`` to confirm the presence of the 16 VF devices available per ``C62x`` PF. 576 577Confirm the driver is correctly installed and is using firmware version 4.2.0:: 578 579 cat /sys/kernel/debug/qat<your device type and bdf>/version/fw 580 581 582Confirm the presence of 48 VF devices - 16 per PF:: 583 584 lspci -d:37c9 585 586 587To complete the installation - follow instructions in 588`Binding the available VFs to the vfio-pci driver`_. 589 590.. Note:: 591 592 If using a later kernel and the build fails with an error relating to 593 ``strict_stroul`` not being available apply the following patch: 594 595 .. code-block:: diff 596 597 /QAT/QAT1.6/quickassist/utilities/downloader/Target_CoreLibs/uclo/include/linux/uclo_platform.h 598 + #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,18,5) 599 + #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; if (kstrtoul((str), (base), (num))) printk("Error strtoull convert %s\n", str); } 600 + #else 601 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,38) 602 #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; if (strict_strtoull((str), (base), (num))) printk("Error strtoull convert %s\n", str); } 603 #else 604 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25) 605 #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; strict_strtoll((str), (base), (num));} 606 #else 607 #define STR_TO_64(str, base, num, endPtr) \ 608 do { \ 609 if (str[0] == '-') \ 610 { \ 611 *(num) = -(simple_strtoull((str+1), &(endPtr), (base))); \ 612 }else { \ 613 *(num) = simple_strtoull((str), &(endPtr), (base)); \ 614 } \ 615 } while(0) 616 + #endif 617 #endif 618 #endif 619 620 621.. Note:: 622 623 If the build fails due to missing header files you may need to do following:: 624 625 sudo yum install zlib-devel 626 sudo yum install openssl-devel 627 sudo yum install libudev-devel 628 629.. Note:: 630 631 If the build or install fails due to mismatching kernel sources you may need to do the following:: 632 633 sudo yum install kernel-headers-`uname -r` 634 sudo yum install kernel-src-`uname -r` 635 sudo yum install kernel-devel-`uname -r` 636 637.. Note:: 638 639 If the build fails on newer GCC versions (such as GCC 12) with an error relating to 640 ``-lc`` not being found, apply the following patch: 641 642 .. code-block:: diff 643 644 /QAT/quickassist/lookaside/access_layer/src/Makefile 645 cd $(ICP_FINAL_OUTPUT_DIR);\ 646 cmd="$(LINKER) $(LIB_SHARED_FLAGS) -o \ 647 $(LIB_SHARED) $(ADDITIONAL_OBJECTS) $(ADDITIONAL_LIBS) *.o -lpthread -ludev \ 648 - -Bstatic -L$(ADF_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL) \ 649 - -ladf_user -L$(OSAL_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL)/ \ 650 - -losal -Bdynamic -lc"; \ 651 + -Bstatic -L$(ADF_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL) \ 652 + -ladf_user -L$(OSAL_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL)/ \ 653 + -losal -Bdynamic -L/lib/x86_64-linux-gnu/ -lc"; \ 654 echo "$$cmd"; \ 655 $$cmd 656 657 Followed by this patch: 658 659 .. code-block:: diff 660 661 /QAT/quickassist/build_system/build_files/OS/linux_common_user_space_rules.mk 662 @echo 'Creating shared library ${LIB_SHARED}'; \ 663 cd $($(PROG_ACY)_FINAL_OUTPUT_DIR);\ 664 - echo $(LINKER) $(LIB_SHARED_FLAGS) -o $@ $(OBJECTS) $(ADDITIONAL_OBJECTS) -lc;\ 665 - $(LINKER) $(LIB_SHARED_FLAGS) -o $@ $(OBJECTS) $(ADDITIONAL_OBJECTS) -lc ; 666 + echo $(LINKER) $(LIB_SHARED_FLAGS) -o $@ $(OBJECTS) $(ADDITIONAL_OBJECTS) \ 667 + -L/lib/x86_64-linux-gnu/ -lc;\ 668 + $(LINKER) $(LIB_SHARED_FLAGS) -o $@ $(OBJECTS) $(ADDITIONAL_OBJECTS) \ 669 + -L/lib/x86_64-linux-gnu/ -lc ; 670 671 672Binding the available VFs to the vfio-pci driver 673~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 674 675Note: 676 677* Please note that due to security issues, the usage of older DPDK igb_uio 678 driver is not recommended. This document shows how to use the more secure 679 vfio-pci driver. 680* If QAT fails to bind to vfio-pci on Linux kernel 5.9+, please see the 681 QATE-39220 and QATE-7495 issues in 682 `IDZ doc <https://cdrdv2.intel.com/v1/dl/getContent/710057?explicitVersion=true>`_ 683 which details the constraint about trusted guests and add `disable_denylist=1` 684 to the vfio-pci params to use QAT. See also `this patch description <https://lkml.org/lkml/2020/7/23/1155>`_. 685 686Unbind the VFs from the stock driver so they can be bound to the vfio-pci driver. 687 688For an Intel(R) QuickAssist Technology DH895xCC device 689^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 690 691The unbind command below assumes ``BDFs`` of ``03:01.00-03:04.07``, if your 692VFs are different adjust the unbind command below:: 693 694 cd to the top-level DPDK directory 695 for device in $(seq 1 4); do \ 696 for fn in $(seq 0 7); do \ 697 usertools/dpdk-devbind.py -u 0000:03:0${device}.${fn}; \ 698 done; \ 699 done 700 701For an Intel(R) QuickAssist Technology C62x device 702^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 703 704The unbind command below assumes ``BDFs`` of ``1a:01.00-1a:02.07``, 705``3d:01.00-3d:02.07`` and ``3f:01.00-3f:02.07``, if your VFs are different 706adjust the unbind command below:: 707 708 cd to the top-level DPDK directory 709 for device in $(seq 1 2); do \ 710 for fn in $(seq 0 7); do \ 711 usertools/dpdk-devbind.py -u 0000:1a:0${device}.${fn}; \ 712 usertools/dpdk-devbind.py -u 0000:3d:0${device}.${fn}; \ 713 usertools/dpdk-devbind.py -u 0000:3f:0${device}.${fn}; \ 714 done; \ 715 done 716 717For Intel(R) QuickAssist Technology C3xxx or 200xx or D15xx device 718^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 719 720The unbind command below assumes ``BDFs`` of ``01:01.00-01:02.07``, if your 721VFs are different adjust the unbind command below:: 722 723 cd to the top-level DPDK directory 724 for device in $(seq 1 2); do \ 725 for fn in $(seq 0 7); do \ 726 usertools/dpdk-devbind.py -u 0000:01:0${device}.${fn}; \ 727 done; \ 728 done 729 730Bind to the vfio-pci driver 731^^^^^^^^^^^^^^^^^^^^^^^^^^^ 732 733Load the vfio-pci driver, bind the VF PCI Device id to it using the 734``dpdk-devbind.py`` script then use the ``--status`` option 735to confirm the VF devices are now in use by vfio-pci kernel driver, 736e.g. for the C62x device:: 737 738 cd to the top-level DPDK directory 739 modprobe vfio-pci 740 usertools/dpdk-devbind.py -b vfio-pci 0000:03:01.1 741 usertools/dpdk-devbind.py --status 742 743Use ``modprobe vfio-pci disable_denylist=1`` from kernel 5.9 onwards. 744See note in the section `Binding the available VFs to the vfio-pci driver`_ 745above. 746 747Testing 748~~~~~~~ 749 750QAT SYM crypto PMD can be tested by running the test application:: 751 752 cd ./<build_dir>/app/test 753 ./dpdk-test -l1 -n1 -a <your qat bdf> 754 RTE>>cryptodev_qat_autotest 755 756QAT ASYM crypto PMD can be tested by running the test application:: 757 758 cd ./<build_dir>/app/test 759 ./dpdk-test -l1 -n1 -a <your qat bdf> 760 RTE>>cryptodev_qat_asym_autotest 761 762QAT compression PMD can be tested by running the test application:: 763 764 cd ./<build_dir>/app/test 765 ./dpdk-test -l1 -n1 -a <your qat bdf> 766 RTE>>compressdev_autotest 767 768 769Debugging 770~~~~~~~~~ 771 772There are 2 sets of trace available via the dynamic logging feature: 773 774* pmd.qat.dp exposes trace on the data-path. 775* pmd.qat.general exposes all other trace. 776 777pmd.qat exposes both sets of traces. 778They can be enabled using the log-level option (where 8=maximum log level) on 779the process cmdline, e.g. using any of the following:: 780 781 --log-level="pmd.qat.general,8" 782 --log-level="pmd.qat.dp,8" 783 --log-level="pmd.qat,8" 784 785.. Note:: 786 787 The global RTE_LOG_DP_LEVEL overrides data-path trace so must be set to 788 RTE_LOG_DEBUG to see all the trace. This variable is in config/rte_config.h 789 for meson build. 790 Also the dynamic global log level overrides both sets of trace, so e.g. no 791 QAT trace would display in this case:: 792 793 --log-level="7" --log-level="pmd.qat.general,8" 794