doc: update VFIO usage in qat crypto guide
This patch marks the old igb-uio driver as unsecure when used with the QAT PMD and updates all examples to recommend using VFIO-PCI instead. It also mentions security issues with the QAT CPM and provides information about the new VFIO-PCI parameter 'disable_denylist' available in Linux kernels 5.9 and later. Signed-off-by: Adam Dybkowski <adamx.dybkowski@intel.com> Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
This commit is contained in:
parent
8809f78c7d
commit
3cc4d996fa
@ -435,7 +435,7 @@ Check that the VFs are available for use. For example ``lspci -d:37c9`` should
|
||||
list 48 VF devices available for a ``C62x`` device.
|
||||
|
||||
To complete the installation follow the instructions in
|
||||
`Binding the available VFs to the DPDK UIO driver`_.
|
||||
`Binding the available VFs to the vfio-pci driver`_.
|
||||
|
||||
.. Note::
|
||||
|
||||
@ -506,7 +506,8 @@ Confirm the presence of 48 VF devices - 16 per PF::
|
||||
lspci -d:37c9
|
||||
|
||||
|
||||
To complete the installation - follow instructions in `Binding the available VFs to the DPDK UIO driver`_.
|
||||
To complete the installation - follow instructions in
|
||||
`Binding the available VFs to the vfio-pci driver`_.
|
||||
|
||||
.. Note::
|
||||
|
||||
@ -556,10 +557,21 @@ To complete the installation - follow instructions in `Binding the available VFs
|
||||
sudo yum install kernel-devel-`uname -r`
|
||||
|
||||
|
||||
Binding the available VFs to the DPDK UIO driver
|
||||
Binding the available VFs to the vfio-pci driver
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Unbind the VFs from the stock driver so they can be bound to the uio driver.
|
||||
Note:
|
||||
|
||||
* Please note that due to security issues, the usage of older DPDK igb-uio
|
||||
driver is not recommended. This document shows how to use the more secure
|
||||
vfio-pci driver.
|
||||
* If QAT fails to bind to vfio-pci on Linux kernel 5.9+, please see the
|
||||
QATE-39220 and QATE-7495 issues in
|
||||
`01.org doc <https://01.org/sites/default/files/downloads/336211-015-qatsoftwareforlinux-rn-hwv1.7-final.pdf>`_
|
||||
which details the constraint about trusted guests and add `disable_denylist=1`
|
||||
to the vfio-pci params to use QAT. See also `this patch description <https://lkml.org/lkml/2020/7/23/1155>`_.
|
||||
|
||||
Unbind the VFs from the stock driver so they can be bound to the vfio-pci driver.
|
||||
|
||||
For an Intel(R) QuickAssist Technology DH895xCC device
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
@ -567,10 +579,10 @@ For an Intel(R) QuickAssist Technology DH895xCC device
|
||||
The unbind command below assumes ``BDFs`` of ``03:01.00-03:04.07``, if your
|
||||
VFs are different adjust the unbind command below::
|
||||
|
||||
cd to the top-level DPDK directory
|
||||
for device in $(seq 1 4); do \
|
||||
for fn in $(seq 0 7); do \
|
||||
echo -n 0000:03:0${device}.${fn} > \
|
||||
/sys/bus/pci/devices/0000\:03\:0${device}.${fn}/driver/unbind; \
|
||||
usertools/dpdk-devbind.py -u 0000:03:0${device}.${fn}; \
|
||||
done; \
|
||||
done
|
||||
|
||||
@ -581,16 +593,12 @@ The unbind command below assumes ``BDFs`` of ``1a:01.00-1a:02.07``,
|
||||
``3d:01.00-3d:02.07`` and ``3f:01.00-3f:02.07``, if your VFs are different
|
||||
adjust the unbind command below::
|
||||
|
||||
cd to the top-level DPDK directory
|
||||
for device in $(seq 1 2); do \
|
||||
for fn in $(seq 0 7); do \
|
||||
echo -n 0000:1a:0${device}.${fn} > \
|
||||
/sys/bus/pci/devices/0000\:1a\:0${device}.${fn}/driver/unbind; \
|
||||
|
||||
echo -n 0000:3d:0${device}.${fn} > \
|
||||
/sys/bus/pci/devices/0000\:3d\:0${device}.${fn}/driver/unbind; \
|
||||
|
||||
echo -n 0000:3f:0${device}.${fn} > \
|
||||
/sys/bus/pci/devices/0000\:3f\:0${device}.${fn}/driver/unbind; \
|
||||
usertools/dpdk-devbind.py -u 0000:1a:0${device}.${fn}; \
|
||||
usertools/dpdk-devbind.py -u 0000:3d:0${device}.${fn}; \
|
||||
usertools/dpdk-devbind.py -u 0000:3f:0${device}.${fn}; \
|
||||
done; \
|
||||
done
|
||||
|
||||
@ -600,31 +608,29 @@ For Intel(R) QuickAssist Technology C3xxx or 200xx or D15xx device
|
||||
The unbind command below assumes ``BDFs`` of ``01:01.00-01:02.07``, if your
|
||||
VFs are different adjust the unbind command below::
|
||||
|
||||
cd to the top-level DPDK directory
|
||||
for device in $(seq 1 2); do \
|
||||
for fn in $(seq 0 7); do \
|
||||
echo -n 0000:01:0${device}.${fn} > \
|
||||
/sys/bus/pci/devices/0000\:01\:0${device}.${fn}/driver/unbind; \
|
||||
usertools/dpdk-devbind.py -u 0000:01:0${device}.${fn}; \
|
||||
done; \
|
||||
done
|
||||
|
||||
Bind to the DPDK uio driver
|
||||
Bind to the vfio-pci driver
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Install the DPDK igb_uio driver, bind the VF PCI Device id to it and use lspci
|
||||
to confirm the VF devices are now in use by igb_uio kernel driver,
|
||||
Load the vfio-pci driver, bind the VF PCI Device id to it using the
|
||||
``dpdk-devbind.py`` script then use the ``--status`` option
|
||||
to confirm the VF devices are now in use by vfio-pci kernel driver,
|
||||
e.g. for the C62x device::
|
||||
|
||||
modprobe uio
|
||||
insmod igb_uio.ko
|
||||
echo "8086 37c9" > /sys/bus/pci/drivers/igb_uio/new_id
|
||||
lspci -vvd:37c9
|
||||
|
||||
|
||||
Another way to bind the VFs to the DPDK UIO driver is by using the
|
||||
``dpdk-devbind.py`` script::
|
||||
|
||||
cd to the top-level DPDK directory
|
||||
./usertools/dpdk-devbind.py -b igb_uio 0000:03:01.1
|
||||
modprobe vfio-pci
|
||||
usertools/dpdk-devbind.py -b vfio-pci 0000:03:01.1
|
||||
usertools/dpdk-devbind.py --status
|
||||
|
||||
Use ``modprobe vfio-pci disable_denylist=1`` from kernel 5.9 onwards.
|
||||
See note in the section `Binding the available VFs to the vfio-pci driver`_
|
||||
above.
|
||||
|
||||
Testing
|
||||
~~~~~~~
|
||||
|
Loading…
x
Reference in New Issue
Block a user