xref: /dpdk/doc/guides/cryptodevs/qat.rst (revision da7e701151ea8b742d4c38ace3e4fefd1b4507fc) 
1..  SPDX-License-Identifier: BSD-3-Clause
2    Copyright(c) 2015-2019 Intel Corporation.
3
4Intel(R) QuickAssist (QAT) Crypto Poll Mode Driver
5==================================================
6
7QAT documentation consists of three parts:
8
9* Details of the symmetric and asymmetric crypto services below.
10* Details of the :doc:`compression service <../compressdevs/qat_comp>`
11  in the compressdev drivers section.
12* Details of building the common QAT infrastructure and the PMDs to support the
13  above services. See :ref:`building_qat` below.
14
15
16Symmetric Crypto Service on QAT
17-------------------------------
18
19The QAT symmetric crypto PMD (hereafter referred to as `QAT SYM [PMD]`) provides
20poll mode crypto driver support for the following hardware accelerator devices:
21
22* ``Intel QuickAssist Technology DH895xCC``
23* ``Intel QuickAssist Technology C62x``
24* ``Intel QuickAssist Technology C3xxx``
25* ``Intel QuickAssist Technology 200xx``
26* ``Intel QuickAssist Technology D15xx``
27* ``Intel QuickAssist Technology C4xxx``
28* ``Intel QuickAssist Technology 4xxx``
29
30
31Features
32~~~~~~~~
33
34The QAT SYM PMD has support for:
35
36Cipher algorithms:
37
38* ``RTE_CRYPTO_CIPHER_3DES_CBC``
39* ``RTE_CRYPTO_CIPHER_3DES_CTR``
40* ``RTE_CRYPTO_CIPHER_AES128_CBC``
41* ``RTE_CRYPTO_CIPHER_AES192_CBC``
42* ``RTE_CRYPTO_CIPHER_AES256_CBC``
43* ``RTE_CRYPTO_CIPHER_AES128_CTR``
44* ``RTE_CRYPTO_CIPHER_AES192_CTR``
45* ``RTE_CRYPTO_CIPHER_AES256_CTR``
46* ``RTE_CRYPTO_CIPHER_AES_XTS``
47* ``RTE_CRYPTO_CIPHER_SNOW3G_UEA2``
48* ``RTE_CRYPTO_CIPHER_NULL``
49* ``RTE_CRYPTO_CIPHER_KASUMI_F8``
50* ``RTE_CRYPTO_CIPHER_DES_CBC``
51* ``RTE_CRYPTO_CIPHER_AES_DOCSISBPI``
52* ``RTE_CRYPTO_CIPHER_DES_DOCSISBPI``
53* ``RTE_CRYPTO_CIPHER_ZUC_EEA3``
54
55Hash algorithms:
56
57* ``RTE_CRYPTO_AUTH_SHA1``
58* ``RTE_CRYPTO_AUTH_SHA1_HMAC``
59* ``RTE_CRYPTO_AUTH_SHA224``
60* ``RTE_CRYPTO_AUTH_SHA224_HMAC``
61* ``RTE_CRYPTO_AUTH_SHA256``
62* ``RTE_CRYPTO_AUTH_SHA256_HMAC``
63* ``RTE_CRYPTO_AUTH_SHA384``
64* ``RTE_CRYPTO_AUTH_SHA384_HMAC``
65* ``RTE_CRYPTO_AUTH_SHA512``
66* ``RTE_CRYPTO_AUTH_SHA512_HMAC``
67* ``RTE_CRYPTO_AUTH_SHA3_224``
68* ``RTE_CRYPTO_AUTH_SHA3_256``
69* ``RTE_CRYPTO_AUTH_SHA3_384``
70* ``RTE_CRYPTO_AUTH_SHA3_512``
71* ``RTE_CRYPTO_AUTH_AES_XCBC_MAC``
72* ``RTE_CRYPTO_AUTH_SNOW3G_UIA2``
73* ``RTE_CRYPTO_AUTH_MD5_HMAC``
74* ``RTE_CRYPTO_AUTH_NULL``
75* ``RTE_CRYPTO_AUTH_KASUMI_F9``
76* ``RTE_CRYPTO_AUTH_AES_GMAC``
77* ``RTE_CRYPTO_AUTH_ZUC_EIA3``
78* ``RTE_CRYPTO_AUTH_AES_CMAC``
79* ``RTE_CRYPTO_AUTH_SM3``
80* ``RTE_CRYPTO_AUTH_SM3_HMAC``
81
82Supported AEAD algorithms:
83
84* ``RTE_CRYPTO_AEAD_AES_GCM``
85* ``RTE_CRYPTO_AEAD_AES_CCM``
86* ``RTE_CRYPTO_AEAD_CHACHA20_POLY1305``
87
88Protocol offloads:
89
90* ``RTE_SECURITY_PROTOCOL_DOCSIS``
91
92Supported Chains
93~~~~~~~~~~~~~~~~
94
95All the usual chains are supported and also some mixed chains:
96
97.. table:: Supported hash-cipher chains for wireless digest-encrypted cases
98
99   +------------------+-----------+-------------+----------+----------+
100   | Cipher algorithm | NULL AUTH | SNOW3G UIA2 | ZUC EIA3 | AES CMAC |
101   +==================+===========+=============+==========+==========+
102   | NULL CIPHER      | Y         | 2&3         | 2&3      | Y        |
103   +------------------+-----------+-------------+----------+----------+
104   | SNOW3G UEA2      | 2&3       | 1&2&3       | 2&3      | 2&3      |
105   +------------------+-----------+-------------+----------+----------+
106   | ZUC EEA3         | 2&3       | 2&3         | 2&3      | 2&3      |
107   +------------------+-----------+-------------+----------+----------+
108   | AES CTR          | 1&2&3     | 2&3         | 2&3      | Y        |
109   +------------------+-----------+-------------+----------+----------+
110
111* The combinations marked as "Y" are supported on all QAT hardware versions.
112* The combinations marked as "2&3" are supported on GEN2 and GEN3 QAT hardware only.
113* The combinations marked as "1&2&3" are supported on GEN1, GEN2 and GEN3 QAT hardware only.
114
115
116Limitations
117~~~~~~~~~~~
118
119* Only supports the session-oriented API implementation (session-less APIs are not supported).
120* SNOW 3G (UEA2), KASUMI (F8) and ZUC (EEA3) supported only if cipher length and offset fields are byte-multiple.
121* SNOW 3G (UIA2) and ZUC (EIA3) supported only if hash length and offset fields are byte-multiple.
122* No BSD support as BSD QAT kernel driver not available.
123* ZUC EEA3/EIA3 is not supported by dh895xcc devices
124* Maximum additional authenticated data (AAD) for GCM is 240 bytes long and must be passed to the device in a buffer rounded up to the nearest block-size multiple (x16) and padded with zeros.
125* Queue-pairs are thread-safe on Intel CPUs but Queues are not (that is, within a single
126  queue-pair all enqueues to the TX queue must be done from one thread and all dequeues
127  from the RX queue must be done from one thread, but enqueues and dequeues may be done
128  in different threads.)
129* A GCM limitation exists, but only in the case where there are multiple
130  generations of QAT devices on a single platform.
131  To optimise performance, the GCM crypto session should be initialised for the
132  device generation to which the ops will be enqueued. Specifically if a GCM
133  session is initialised on a GEN2 device, but then attached to an op enqueued
134  to a GEN3 device, it will work but cannot take advantage of hardware
135  optimisations in the GEN3 device. And if a GCM session is initialised on a
136  GEN3 device, then attached to an op sent to a GEN1/GEN2 device, it will not be
137  enqueued to the device and will be marked as failed. The simplest way to
138  mitigate this is to use the PCI allowlist to avoid mixing devices of different
139  generations in the same process if planning to use for GCM.
140* The mixed algo feature on GEN2 is not supported by all kernel drivers. Check
141  the notes under the Available Kernel Drivers table below for specific details.
142* Out-of-place is not supported for combined Crypto-CRC DOCSIS security
143  protocol.
144* ``RTE_CRYPTO_CIPHER_DES_DOCSISBPI`` is not supported for combined Crypto-CRC
145  DOCSIS security protocol.
146* Multi-segment buffers are not supported for combined Crypto-CRC DOCSIS
147  security protocol.
148
149Extra notes on KASUMI F9
150~~~~~~~~~~~~~~~~~~~~~~~~
151
152When using KASUMI F9 authentication algorithm, the input buffer must be
153constructed according to the
154`3GPP KASUMI specification <http://cryptome.org/3gpp/35201-900.pdf>`_
155(section 4.4, page 13). The input buffer has to have COUNT (4 bytes),
156FRESH (4 bytes), MESSAGE and DIRECTION (1 bit) concatenated. After the DIRECTION
157bit, a single '1' bit is appended, followed by between 0 and 7 '0' bits, so that
158the total length of the buffer is multiple of 8 bits. Note that the actual
159message can be any length, specified in bits.
160
161Once this buffer is passed this way, when creating the crypto operation,
162length of data to authenticate "op.sym.auth.data.length" must be the length
163of all the items described above, including the padding at the end.
164Also, offset of data to authenticate "op.sym.auth.data.offset"
165must be such that points at the start of the COUNT bytes.
166
167Asymmetric Crypto Service on QAT
168--------------------------------
169
170The QAT asymmetric crypto PMD (hereafter referred to as `QAT ASYM [PMD]`) provides
171poll mode crypto driver support for the following hardware accelerator devices:
172
173* ``Intel QuickAssist Technology DH895xCC``
174* ``Intel QuickAssist Technology C62x``
175* ``Intel QuickAssist Technology C3xxx``
176* ``Intel QuickAssist Technology D15xx``
177* ``Intel QuickAssist Technology C4xxx``
178* ``Intel QuickAssist Technology 4xxx``
179* ``Intel QuickAssist Technology 401xxx``
180
181The QAT ASYM PMD has support for:
182
183* ``RTE_CRYPTO_ASYM_XFORM_MODEX``
184* ``RTE_CRYPTO_ASYM_XFORM_MODINV``
185* ``RTE_CRYPTO_ASYM_XFORM_RSA``
186* ``RTE_CRYPTO_ASYM_XFORM_ECDSA``
187* ``RTE_CRYPTO_ASYM_XFORM_ECPM``
188* ``RTE_CRYPTO_ASYM_XFORM_ECDH``
189* ``RTE_CRYPTO_ASYM_XFORM_SM2``
190
191Limitations
192~~~~~~~~~~~
193
194* Big integers longer than 4096 bits are not supported.
195* Queue-pairs are thread-safe on Intel CPUs but Queues are not (that is, within a single
196  queue-pair all enqueues to the TX queue must be done from one thread and all dequeues
197  from the RX queue must be done from one thread, but enqueues and dequeues may be done
198  in different threads.)
199* RSA-2560, RSA-3584 are not supported
200
201.. _building_qat:
202
203Building PMDs on QAT
204--------------------
205
206A QAT device can host multiple acceleration services:
207
208* symmetric cryptography
209* data compression
210* asymmetric cryptography
211
212These services are provided to DPDK applications via PMDs which register to
213implement the corresponding cryptodev and compressdev APIs. The PMDs use
214common QAT driver code which manages the QAT PCI device. They also depend on a
215QAT kernel driver being installed on the platform, see :ref:`qat_kernel` below.
216
217
218Configuring and Building the DPDK QAT PMDs
219~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
220
221
222Further information on configuring, building and installing DPDK is described
223:doc:`here <../linux_gsg/build_dpdk>`.
224
225.. _building_qat_config:
226
227Build Configuration
228~~~~~~~~~~~~~~~~~~~
229
230These are the build configuration options affecting QAT, and their default values:
231
232.. code-block:: console
233
234	RTE_PMD_QAT_MAX_PCI_DEVICES=48
235	RTE_PMD_QAT_COMP_IM_BUFFER_SIZE=65536
236
237Both QAT SYM PMD and QAT ASYM PMD have an external dependency on libcrypto, so are not
238built by default.
239
240Ubuntu
241
242.. code-block:: console
243
244   apt install libssl-dev
245
246RHEL
247
248.. code-block:: console
249
250   dnf install openssl-devel
251
252The QAT compressdev PMD has no external dependencies, so is built by default.
253
254The number of VFs per PF varies - see table below. If multiple QAT packages are
255installed on a platform then RTE_PMD_QAT_MAX_PCI_DEVICES should be
256adjusted to the number of VFs which the QAT common code will need to handle.
257
258.. Note::
259
260        There are separate config items (not QAT-specific) for max cryptodevs
261        RTE_CRYPTO_MAX_DEVS and max compressdevs RTE_COMPRESS_MAX_DEVS,
262        if necessary these should be adjusted to handle the total of QAT and other
263        devices which the process will use. In particular for crypto, where each
264        QAT VF may expose two crypto devices, sym and asym, it may happen that the
265        number of devices will be bigger than MAX_DEVS and the process will show an error
266        during PMD initialisation. To avoid this problem RTE_CRYPTO_MAX_DEVS may be
267        increased or -a, allow domain:bus:devid:func option may be used.
268
269
270QAT compression PMD needs intermediate buffers to support Deflate compression
271with Dynamic Huffman encoding. RTE_PMD_QAT_COMP_IM_BUFFER_SIZE
272specifies the size of a single buffer, the PMD will allocate a multiple of these,
273plus some extra space for associated meta-data. For GEN2 devices, 20 buffers are
274allocated while for GEN1 devices, 12 buffers are allocated, plus 1472 bytes overhead.
275
276.. Note::
277
278	If the compressed output of a Deflate operation using Dynamic Huffman
279	Encoding is too big to fit in an intermediate buffer, then the
280	operation will be split into smaller operations and their results will
281	be merged afterwards.
282	This is not possible if any checksum calculation was requested - in such
283	case the code falls back to fixed compression.
284	To avoid this less performant case, applications should configure
285	the intermediate buffer size to be larger than the expected input data size
286	(compressed output size is usually unknown, so the only option is to make
287	larger than the input size).
288
289
290Running QAT PMD with insecure crypto algorithms
291~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
292
293A few insecure crypto algorithms are deprecated from QAT drivers.
294This needs to be reflected in DPDK QAT PMD.
295DPDK QAT PMD has by default disabled all the insecure crypto algorithms from Gen 1, 2, 3 and 4.
296A PMD devarg is used to enable the capability.
297
298- qat_legacy_capa
299
300To use this feature the user must set the devarg on process start as a device additional devarg::
301
302  -a b1:01.2,qat_legacy_capa=1
303
304
305Running QAT PMD with minimum threshold for burst size
306~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
307
308If only a small number or packets can be enqueued. Each enqueue causes an expensive MMIO write.
309These MMIO write occurrences can be optimised by setting any of the following parameters:
310
311- qat_sym_enq_threshold
312- qat_asym_enq_threshold
313- qat_comp_enq_threshold
314
315When any of these parameters is set rte_cryptodev_enqueue_burst function will
316return 0 (thereby avoiding an MMIO) if the device is congested and number of packets
317possible to enqueue is smaller.
318To use this feature the user must set the parameter on process start as a device additional parameter::
319
320  -a 03:01.1,qat_sym_enq_threshold=32,qat_comp_enq_threshold=16
321
322All parameters can be used with the same device regardless of order. Parameters are separated
323by comma. When the same parameter is used more than once first occurrence of the parameter
324is used.
325Maximum threshold that can be set is 32.
326
327
328Running QAT PMD with Cipher-CRC offload feature
329~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
330
331Support has been added to the QAT symmetric crypto PMD for combined Cipher-CRC offload,
332primarily for the Crypto-CRC DOCSIS security protocol, on GEN2/GEN3/GEN4 QAT devices.
333
334The following devarg enables a Cipher-CRC offload capability check to determine
335if the feature is supported on the QAT device.
336
337- qat_sym_cipher_crc_enable
338
339When enabled, a capability check for the combined Cipher-CRC offload feature is triggered
340to the QAT firmware during queue pair initialization. If supported by the firmware,
341any subsequent runtime Crypto-CRC DOCSIS security protocol requests handled by the QAT PMD
342are offloaded to the QAT device by setting up the content descriptor and request accordingly.
343If not supported, the CRC is calculated by the QAT PMD using the NET CRC API.
344
345To use this feature the user must set the devarg on process start as a device additional devarg::
346
347 -a 03:01.1,qat_sym_cipher_crc_enable=1
348
349
350Running QAT PMD with Intel IPsec MB library for symmetric precomputes function
351~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
352
353The QAT PMD uses Intel IPsec MB library for partial hash calculation
354in symmetric precomputes function by default,
355the minimum required version of IPsec MB library is v1.4.
356If this version of IPsec is not met, it will fallback to use OpenSSL.
357ARM will always default to using OpenSSL
358as ARM IPsec MB does not support the necessary algorithms.
359
360
361Device and driver naming
362~~~~~~~~~~~~~~~~~~~~~~~~
363
364* The qat cryptodev symmetric crypto driver name is "crypto_qat".
365* The qat cryptodev asymmetric crypto driver name is "crypto_qat_asym".
366
367The "rte_cryptodev_devices_get()" returns the devices exposed by either of these drivers.
368
369* Each qat sym crypto device has a unique name, in format
370  "<pci bdf>_<service>", e.g. "0000:41:01.0_qat_sym".
371* Each qat asym crypto device has a unique name, in format
372  "<pci bdf>_<service>", e.g. "0000:41:01.0_qat_asym".
373  This name can be passed to "rte_cryptodev_get_dev_id()" to get the device_id.
374
375.. Note::
376
377	The cryptodev driver name is passed to the dpdk-test-crypto-perf tool in the "-devtype" parameter.
378
379	The qat crypto device name is in the format of the worker parameter passed to the crypto scheduler.
380
381* The qat compressdev driver name is "compress_qat".
382  The rte_compressdev_devices_get() returns the devices exposed by this driver.
383
384* Each qat compression device has a unique name, in format
385  <pci bdf>_<service>, e.g. "0000:41:01.0_qat_comp".
386  This name can be passed to rte_compressdev_get_dev_id() to get the device_id.
387
388
389Running QAT on Aarch64 based Ampere Altra platform
390~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
391
392Requires Linux kernel v6.0+.
393See also `this kernel patch <https://lkml.org/lkml/2022/6/17/328>`_.
394
395
396.. _qat_kernel:
397
398Dependency on the QAT kernel driver
399~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
400
401To use QAT an SRIOV-enabled QAT kernel driver is required. The VF
402devices created and initialised by this driver will be used by the QAT PMDs.
403
404Instructions for installation are below, but first an explanation of the
405relationships between the PF/VF devices and the PMDs visible to
406DPDK applications.
407
408Each QuickAssist PF device exposes a number of VF devices. Each VF device can
409enable one symmetric cryptodev PMD and/or one asymmetric cryptodev PMD and/or
410one compressdev PMD.
411These QAT PMDs share the same underlying device and pci-mgmt code, but are
412enumerated independently on their respective APIs and appear as independent
413devices to applications.
414
415.. Note::
416
417   Each VF can only be used by one DPDK process. It is not possible to share
418   the same VF across multiple processes, even if these processes are using
419   different acceleration services.
420
421   Conversely one DPDK process can use one or more QAT VFs and can expose both
422   cryptodev and compressdev instances on each of those VFs.
423
424
425Available kernel drivers
426~~~~~~~~~~~~~~~~~~~~~~~~
427
428Kernel drivers for each device for each service are listed in the following table. (Scroll right
429to see the full table)
430
431
432.. _table_qat_pmds_drivers:
433
434.. table:: QAT device generations, devices and drivers
435
436   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
437   | S   | A   | C   | Gen | Device   | Driver/ver    | Kernel Module | Pci Driver | PF Did | #PFs | VF Did | VFs/PF |
438   +=====+=====+=====+=====+==========+===============+===============+============+========+======+========+========+
439   | Yes | No  | No  | 1   | DH895xCC | linux/4.4+    | qat_dh895xcc  | dh895xcc   | 435    | 1    | 443    | 32     |
440   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
441   | Yes | Yes | No  | "   | "        | IDZ/4.12.0+   | "             | "          | "      | "    | "      | "      |
442   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
443   | Yes | Yes | Yes | "   | "        | IDZ/4.13.0+   | "             | "          | "      | "    | "      | "      |
444   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
445   | Yes | No  | No  | 2   | C62x     | linux/4.5+    | qat_c62x      | c6xx       | 37c8   | 3    | 37c9   | 16     |
446   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
447   | Yes | Yes | Yes | "   | "        | IDZ/4.12.0+   | "             | "          | "      | "    | "      | "      |
448   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
449   | Yes | No  | No  | 2   | C3xxx    | linux/4.5+    | qat_c3xxx     | c3xxx      | 19e2   | 1    | 19e3   | 16     |
450   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
451   | Yes | Yes | Yes | "   | "        | IDZ/4.12.0+   | "             | "          | "      | "    | "      | "      |
452   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
453   | Yes | No  | No  | 2   | 200xx    | p             | qat_200xx     | 200xx      | 18ee   | 1    | 18ef   | 16     |
454   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
455   | Yes | No  | No  | 2   | D15xx    | p             | qat_d15xx     | d15xx      | 6f54   | 1    | 6f55   | 16     |
456   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
457   | Yes | Yes | No  | 3   | C4xxx    | p             | qat_c4xxx     | c4xxx      | 18a0   | 1    | 18a1   | 128    |
458   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
459   | Yes | Yes | No  | 4   | 4xxx     | linux/5.11+   | qat_4xxx      | 4xxx       | 4940   | 4    | 4941   | 16     |
460   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
461   | Yes | Yes | Yes | 4   | 4xxx     | linux/5.17+   | qat_4xxx      | 4xxx       | 4940   | 4    | 4941   | 16     |
462   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
463   | Yes | No  | No  | 4   | 4xxx     | IDZ/ N/A      | qat_4xxx      | 4xxx       | 4940   | 4    | 4941   | 16     |
464   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
465   | Yes | Yes | Yes | 4   | 401xxx   | linux/5.19+   | qat_4xxx      | 4xxx       | 4942   | 2    | 4943   | 16     |
466   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
467   | Yes | No  | No  | 4   | 401xxx   | IDZ/ N/A      | qat_4xxx      | 4xxx       | 4942   | 2    | 4943   | 16     |
468   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
469   | Yes | Yes | Yes | 4   | 402xx    | linux/6.4+    | qat_4xxx      | 4xxx       | 4944   | 2    | 4945   | 16     |
470   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
471   | Yes | No  | No  | 4   | 402xx    | IDZ/ N/A      | qat_4xxx      | 4xxx       | 4944   | 2    | 4945   | 16     |
472   +-----+-----+-----+-----+----------+---------------+---------------+------------+--------+------+--------+--------+
473
474* Note: Symmetric mixed crypto algorithms feature on Gen 2 works only with IDZ driver version 4.9.0+
475
476The first 3 columns indicate the service:
477
478* S = Symmetric crypto service (via cryptodev API)
479* A = Asymmetric crypto service  (via cryptodev API)
480* C = Compression service (via compressdev API)
481
482The ``Driver`` column indicates either the Linux kernel version in which
483support for this device was introduced or a driver available on Intel Developer Zone (IDZ).
484There are both linux in-tree and IDZ kernel drivers available for some
485devices. p = release pending.
486
487If you are running on a kernel which includes a driver for your device, see
488`Installation using kernel.org driver`_ below. Otherwise see
489`Installation using IDZ QAT driver`_.
490
491.. note::
492
493   The asymmetric service is not supported by DPDK QAT PMD for the Gen 3 platform.
494   The actual crypto services enabled on the system depend
495   on QAT driver capabilities and hardware slice configuration.
496
497Installation using kernel.org driver
498~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
499
500The examples below are based on the C62x device, if you have a different device
501use the corresponding values in the above table.
502
503In BIOS ensure that SRIOV is enabled and either:
504
505* Disable VT-d or
506* Enable VT-d and set ``"intel_iommu=on iommu=pt"`` in the grub file.
507
508Check that the QAT driver is loaded on your system, by executing::
509
510    lsmod | grep qa
511
512You should see the kernel module for your device listed, e.g.::
513
514    qat_c62x               5626  0
515    intel_qat              82336  1 qat_c62x
516
517Next, you need to expose the Virtual Functions (VFs) using the sysfs file system.
518
519First find the BDFs (Bus-Device-Function) of the physical functions (PFs) of
520your device, e.g.::
521
522    lspci -d:37c8
523
524You should see output similar to::
525
526    1a:00.0 Co-processor: Intel Corporation Device 37c8
527    3d:00.0 Co-processor: Intel Corporation Device 37c8
528    3f:00.0 Co-processor: Intel Corporation Device 37c8
529
530Enable the VFs for each PF by echoing the number of VFs per PF to the pci driver::
531
532     echo 16 > /sys/bus/pci/drivers/c6xx/0000:1a:00.0/sriov_numvfs
533     echo 16 > /sys/bus/pci/drivers/c6xx/0000:3d:00.0/sriov_numvfs
534     echo 16 > /sys/bus/pci/drivers/c6xx/0000:3f:00.0/sriov_numvfs
535
536Check that the VFs are available for use. For example ``lspci -d:37c9`` should
537list 48 VF devices available for a ``C62x`` device.
538
539To complete the installation follow the instructions in
540`Binding the available VFs to the vfio-pci driver`_.
541
542.. Note::
543
544   If the QAT kernel modules are not loaded and you see an error like ``Failed
545   to load MMP firmware qat_895xcc_mmp.bin`` in kernel logs, this may be as a
546   result of not using a distribution, but just updating the kernel directly.
547
548   Download firmware from the `kernel firmware repo
549   <http://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/tree/>`_.
550
551   Copy qat binaries to ``/lib/firmware``::
552
553      cp qat_895xcc.bin /lib/firmware
554      cp qat_895xcc_mmp.bin /lib/firmware
555
556   Change to your linux source root directory and start the qat kernel modules::
557
558      insmod ./drivers/crypto/qat/qat_common/intel_qat.ko
559      insmod ./drivers/crypto/qat/qat_dh895xcc/qat_dh895xcc.ko
560
561.. Note::
562
563   If you see the following warning in ``/var/log/messages`` it can be ignored:
564   ``IOMMU should be enabled for SR-IOV to work correctly``.
565
566
567Installation using IDZ QAT driver
568~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
569
570Download the latest QuickAssist Technology Driver from `Intel Developer Zone
571<https://developer.intel.com/quickassist>`_.
572Consult the *Quick Start Guide* at the same URL for further information.
573
574The steps below assume you are:
575
576* Building on a platform with one ``C62x`` device.
577* Using package ``qat1.7.l.4.2.0-000xx.tar.gz``.
578* On Fedora26 kernel ``4.11.11-300.fc26.x86_64``.
579
580In the BIOS ensure that SRIOV is enabled and VT-d is disabled.
581
582Uninstall any existing QAT driver, for example by running:
583
584* ``./installer.sh uninstall`` in the directory where originally installed.
585
586
587Build and install the SRIOV-enabled QAT driver::
588
589    mkdir /QAT
590    cd /QAT
591
592    # Copy the package to this location and unpack
593    tar zxof qat1.7.l.4.2.0-000xx.tar.gz
594
595    ./configure --enable-icp-sriov=host
596    make install
597
598You can use ``cat /sys/kernel/debug/qat<your device type and bdf>/version/fw`` to confirm the driver is correctly installed and is using firmware version 4.2.0.
599You can use ``lspci -d:37c9`` to confirm the presence of the 16 VF devices available per ``C62x`` PF.
600
601Confirm the driver is correctly installed and is using firmware version 4.2.0::
602
603    cat /sys/kernel/debug/qat<your device type and bdf>/version/fw
604
605
606Confirm the presence of 48 VF devices - 16 per PF::
607
608    lspci -d:37c9
609
610
611To complete the installation - follow instructions in
612`Binding the available VFs to the vfio-pci driver`_.
613
614.. Note::
615
616   If using a later kernel and the build fails with an error relating to
617   ``strict_stroul`` not being available apply the following patch:
618
619   .. code-block:: diff
620
621      /QAT/QAT1.6/quickassist/utilities/downloader/Target_CoreLibs/uclo/include/linux/uclo_platform.h
622      + #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,18,5)
623      + #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; if (kstrtoul((str), (base), (num))) printk("Error strtoull convert %s\n", str); }
624      + #else
625      #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,38)
626      #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; if (strict_strtoull((str), (base), (num))) printk("Error strtoull convert %s\n", str); }
627      #else
628      #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25)
629      #define STR_TO_64(str, base, num, endPtr) {endPtr=NULL; strict_strtoll((str), (base), (num));}
630      #else
631      #define STR_TO_64(str, base, num, endPtr)                                 \
632           do {                                                               \
633                 if (str[0] == '-')                                           \
634                 {                                                            \
635                      *(num) = -(simple_strtoull((str+1), &(endPtr), (base))); \
636                 }else {                                                      \
637                      *(num) = simple_strtoull((str), &(endPtr), (base));      \
638                 }                                                            \
639           } while(0)
640      + #endif
641      #endif
642      #endif
643
644
645.. Note::
646
647   If the build fails due to missing header files you may need to do following::
648
649      sudo yum install zlib-devel
650      sudo yum install openssl-devel
651      sudo yum install libudev-devel
652
653.. Note::
654
655   If the build or install fails due to mismatching kernel sources you may need to do the following::
656
657      sudo yum install kernel-headers-`uname -r`
658      sudo yum install kernel-src-`uname -r`
659      sudo yum install kernel-devel-`uname -r`
660
661.. Note::
662
663   If the build fails on newer GCC versions (such as GCC 12) with an error relating to
664   ``-lc`` not being found, apply the following patch:
665
666   .. code-block:: diff
667
668      /QAT/quickassist/lookaside/access_layer/src/Makefile
669      cd $(ICP_FINAL_OUTPUT_DIR);\
670      cmd="$(LINKER) $(LIB_SHARED_FLAGS) -o \
671        $(LIB_SHARED) $(ADDITIONAL_OBJECTS) $(ADDITIONAL_LIBS) *.o -lpthread -ludev \
672      - -Bstatic -L$(ADF_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL) \
673      - -ladf_user -L$(OSAL_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL)/ \
674      - -losal -Bdynamic -lc"; \
675      + -Bstatic -L$(ADF_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL) \
676      + -ladf_user -L$(OSAL_DIR)/src/build/$(ICP_OS)/$(ICP_OS_LEVEL)/ \
677      + -losal -Bdynamic -L/lib/x86_64-linux-gnu/ -lc"; \
678      echo "$$cmd"; \
679      $$cmd
680
681   Followed by this patch:
682
683   .. code-block:: diff
684
685      /QAT/quickassist/build_system/build_files/OS/linux_common_user_space_rules.mk
686      @echo 'Creating shared library ${LIB_SHARED}'; \
687      cd $($(PROG_ACY)_FINAL_OUTPUT_DIR);\
688      -  echo $(LINKER) $(LIB_SHARED_FLAGS) -o $@  $(OBJECTS) $(ADDITIONAL_OBJECTS) -lc;\
689      -  $(LINKER) $(LIB_SHARED_FLAGS) -o $@  $(OBJECTS) $(ADDITIONAL_OBJECTS) -lc ;
690      +  echo $(LINKER) $(LIB_SHARED_FLAGS) -o $@  $(OBJECTS) $(ADDITIONAL_OBJECTS) \
691      +  -L/lib/x86_64-linux-gnu/ -lc;\
692      +  $(LINKER) $(LIB_SHARED_FLAGS) -o $@  $(OBJECTS) $(ADDITIONAL_OBJECTS) \
693      +  -L/lib/x86_64-linux-gnu/ -lc ;
694
695
696Binding the available VFs to the vfio-pci driver
697~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
698
699Note:
700
701* Please note that due to security issues, the usage of older DPDK igb_uio
702  driver is not recommended. This document shows how to use the more secure
703  vfio-pci driver.
704* If QAT fails to bind to vfio-pci on Linux kernel 5.9+, please see the
705  QATE-39220 and QATE-7495 issues in
706  `IDZ doc <https://cdrdv2.intel.com/v1/dl/getContent/710057?explicitVersion=true>`_
707  which details the constraint about trusted guests and add `disable_denylist=1`
708  to the vfio-pci params to use QAT. See also `this patch description <https://lkml.org/lkml/2020/7/23/1155>`_.
709
710Unbind the VFs from the stock driver so they can be bound to the vfio-pci driver.
711
712For an Intel(R) QuickAssist Technology DH895xCC device
713^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
714
715The unbind command below assumes ``BDFs`` of ``03:01.00-03:04.07``, if your
716VFs are different adjust the unbind command below::
717
718    cd to the top-level DPDK directory
719    for device in $(seq 1 4); do \
720        for fn in $(seq 0 7); do \
721            usertools/dpdk-devbind.py -u 0000:03:0${device}.${fn}; \
722        done; \
723    done
724
725For an Intel(R) QuickAssist Technology C62x device
726^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
727
728The unbind command below assumes ``BDFs`` of ``1a:01.00-1a:02.07``,
729``3d:01.00-3d:02.07`` and ``3f:01.00-3f:02.07``, if your VFs are different
730adjust the unbind command below::
731
732    cd to the top-level DPDK directory
733    for device in $(seq 1 2); do \
734        for fn in $(seq 0 7); do \
735            usertools/dpdk-devbind.py -u 0000:1a:0${device}.${fn}; \
736            usertools/dpdk-devbind.py -u 0000:3d:0${device}.${fn}; \
737            usertools/dpdk-devbind.py -u 0000:3f:0${device}.${fn}; \
738        done; \
739    done
740
741For Intel(R) QuickAssist Technology C3xxx or 200xx or D15xx device
742^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
743
744The unbind command below assumes ``BDFs`` of ``01:01.00-01:02.07``, if your
745VFs are different adjust the unbind command below::
746
747    cd to the top-level DPDK directory
748    for device in $(seq 1 2); do \
749        for fn in $(seq 0 7); do \
750            usertools/dpdk-devbind.py -u 0000:01:0${device}.${fn}; \
751        done; \
752    done
753
754Bind to the vfio-pci driver
755^^^^^^^^^^^^^^^^^^^^^^^^^^^
756
757Load the vfio-pci driver, bind the VF PCI Device id to it using the
758``dpdk-devbind.py`` script then use the ``--status`` option
759to confirm the VF devices are now in use by vfio-pci kernel driver,
760e.g. for the C62x device::
761
762    cd to the top-level DPDK directory
763    modprobe vfio-pci
764    usertools/dpdk-devbind.py -b vfio-pci 0000:03:01.1
765    usertools/dpdk-devbind.py --status
766
767Use ``modprobe vfio-pci disable_denylist=1`` from kernel 5.9 onwards.
768See note in the section `Binding the available VFs to the vfio-pci driver`_
769above.
770
771Testing
772~~~~~~~
773
774QAT SYM crypto PMD can be tested by running the test application::
775
776    cd ./<build_dir>/app/test
777    ./dpdk-test -l1 -n1 -a <your qat bdf>
778    RTE>>cryptodev_qat_autotest
779
780QAT ASYM crypto PMD can be tested by running the test application::
781
782    cd ./<build_dir>/app/test
783    ./dpdk-test -l1 -n1 -a <your qat bdf>
784    RTE>>cryptodev_qat_asym_autotest
785
786QAT compression PMD can be tested by running the test application::
787
788    cd ./<build_dir>/app/test
789    ./dpdk-test -l1 -n1 -a <your qat bdf>
790    RTE>>compressdev_autotest
791
792
793Debugging
794~~~~~~~~~
795
796There are 2 sets of trace available via the dynamic logging feature:
797
798* pmd.qat.dp exposes trace on the data-path.
799* pmd.qat.general exposes all other trace.
800
801pmd.qat exposes both sets of traces.
802They can be enabled using the log-level option (where 8=maximum log level) on
803the process cmdline, e.g. using any of the following::
804
805    --log-level="pmd.qat.general,8"
806    --log-level="pmd.qat.dp,8"
807    --log-level="pmd.qat,8"
808
809.. Note::
810
811    The global RTE_LOG_DP_LEVEL overrides data-path trace so must be set to
812    RTE_LOG_DEBUG to see all the trace. This variable is in config/rte_config.h
813    for meson build.
814    Also the dynamic global log level overrides both sets of trace, so e.g. no
815    QAT trace would display in this case::
816
817	--log-level="7" --log-level="pmd.qat.general,8"
818