From: Adam Dybkowski <adamx.dybkowski@intel.com>
To: dev@dpdk.org, akhil.goyal@nxp.com
Cc: fiona.trahe@intel.com, Adam Dybkowski <adamx.dybkowski@intel.com>
Subject: [dpdk-dev] [PATCH v4 1/1] doc: document vfio-pci usage with QAT PMD
Date: Mon, 12 Oct 2020 11:43:52 +0100
Message-ID: <20201012104352.19236-2-adamx.dybkowski@intel.com> (raw)
In-Reply-To: <20201012104352.19236-1-adamx.dybkowski@intel.com>
This patch marks the old igb-uio driver as unsecure when used
with the QAT PMD and updates all examples to recommend using
vfio-pci instead.
It also mentions security issues with the QAT CPM and provides
information about the new vfio-pci parameter 'disable_denylist'
available in Linux kernels 5.9 and later.
Signed-off-by: Adam Dybkowski <adamx.dybkowski@intel.com>
---
doc/guides/cryptodevs/qat.rst | 63 +++++++++++++++++++----------------
1 file changed, 34 insertions(+), 29 deletions(-)
diff --git a/doc/guides/cryptodevs/qat.rst b/doc/guides/cryptodevs/qat.rst
index e5d2cf499..dbbdec1c7 100644
--- a/doc/guides/cryptodevs/qat.rst
+++ b/doc/guides/cryptodevs/qat.rst
@@ -462,7 +462,7 @@ Check that the VFs are available for use. For example ``lspci -d:37c9`` should
list 48 VF devices available for a ``C62x`` device.
To complete the installation follow the instructions in
-`Binding the available VFs to the DPDK UIO driver`_.
+`Binding the available VFs to the vfio-pci driver`_.
.. Note::
@@ -534,7 +534,8 @@ Confirm the presence of 48 VF devices - 16 per PF::
lspci -d:37c9
-To complete the installation - follow instructions in `Binding the available VFs to the DPDK UIO driver`_.
+To complete the installation - follow instructions in
+`Binding the available VFs to the vfio-pci driver`_.
.. Note::
@@ -584,10 +585,21 @@ To complete the installation - follow instructions in `Binding the available VFs
sudo yum install kernel-devel-`uname -r`
-Binding the available VFs to the DPDK UIO driver
+Binding the available VFs to the vfio-pci driver
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Unbind the VFs from the stock driver so they can be bound to the uio driver.
+Note:
+
+* Please note that due to security issues, the usage of older DPDK igb-uio
+ driver is not recommended. This document shows how to use the more secure
+ vfio-pci driver.
+* If QAT fails to bind to vfio-pci on Linux kernel 5.9+, please see the
+ QATE-39220 and QATE-7495 issues in
+ `01.org doc <https://01.org/sites/default/files/downloads/336211-015-qatsoftwareforlinux-rn-hwv1.7-final.pdf>`_
+ which details the constraint about trusted guests and add `disable_denylist=1`
+ to the vfio-pci params to use QAT. See also `this patch description <https://lkml.org/lkml/2020/7/23/1155>`_.
+
+Unbind the VFs from the stock driver so they can be bound to the vfio-pci driver.
For an Intel(R) QuickAssist Technology DH895xCC device
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -595,10 +607,10 @@ For an Intel(R) QuickAssist Technology DH895xCC device
The unbind command below assumes ``BDFs`` of ``03:01.00-03:04.07``, if your
VFs are different adjust the unbind command below::
+ cd to the top-level DPDK directory
for device in $(seq 1 4); do \
for fn in $(seq 0 7); do \
- echo -n 0000:03:0${device}.${fn} > \
- /sys/bus/pci/devices/0000\:03\:0${device}.${fn}/driver/unbind; \
+ usertools/dpdk-devbind.py -u 0000:03:0${device}.${fn}; \
done; \
done
@@ -609,16 +621,12 @@ The unbind command below assumes ``BDFs`` of ``1a:01.00-1a:02.07``,
``3d:01.00-3d:02.07`` and ``3f:01.00-3f:02.07``, if your VFs are different
adjust the unbind command below::
+ cd to the top-level DPDK directory
for device in $(seq 1 2); do \
for fn in $(seq 0 7); do \
- echo -n 0000:1a:0${device}.${fn} > \
- /sys/bus/pci/devices/0000\:1a\:0${device}.${fn}/driver/unbind; \
-
- echo -n 0000:3d:0${device}.${fn} > \
- /sys/bus/pci/devices/0000\:3d\:0${device}.${fn}/driver/unbind; \
-
- echo -n 0000:3f:0${device}.${fn} > \
- /sys/bus/pci/devices/0000\:3f\:0${device}.${fn}/driver/unbind; \
+ usertools/dpdk-devbind.py -u 0000:1a:0${device}.${fn}; \
+ usertools/dpdk-devbind.py -u 0000:3d:0${device}.${fn}; \
+ usertools/dpdk-devbind.py -u 0000:3f:0${device}.${fn}; \
done; \
done
@@ -628,32 +636,29 @@ For Intel(R) QuickAssist Technology C3xxx or 200xx or D15xx device
The unbind command below assumes ``BDFs`` of ``01:01.00-01:02.07``, if your
VFs are different adjust the unbind command below::
+ cd to the top-level DPDK directory
for device in $(seq 1 2); do \
for fn in $(seq 0 7); do \
- echo -n 0000:01:0${device}.${fn} > \
- /sys/bus/pci/devices/0000\:01\:0${device}.${fn}/driver/unbind; \
+ usertools/dpdk-devbind.py -u 0000:01:0${device}.${fn}; \
done; \
done
-Bind to the DPDK uio driver
+Bind to the vfio-pci driver
^^^^^^^^^^^^^^^^^^^^^^^^^^^
-Install the DPDK igb_uio driver, bind the VF PCI Device id to it and use lspci
-to confirm the VF devices are now in use by igb_uio kernel driver,
+Load the vfio-pci driver, bind the VF PCI Device id to it using the
+``dpdk-devbind.py`` script then use the ``--status`` option
+to confirm the VF devices are now in use by vfio-pci kernel driver,
e.g. for the C62x device::
cd to the top-level DPDK directory
- modprobe uio
- insmod ./build/kmod/igb_uio.ko
- echo "8086 37c9" > /sys/bus/pci/drivers/igb_uio/new_id
- lspci -vvd:37c9
-
+ modprobe vfio-pci
+ usertools/dpdk-devbind.py -b vfio-pci 0000:03:01.1
+ usertools/dpdk-devbind.py --status
-Another way to bind the VFs to the DPDK UIO driver is by using the
-``dpdk-devbind.py`` script::
-
- cd to the top-level DPDK directory
- ./usertools/dpdk-devbind.py -b igb_uio 0000:03:01.1
+Use ``modprobe vfio-pci disable_denylist=1`` from kernel 5.9 onwards.
+See note in the section `Binding the available VFs to the vfio-pci driver`_
+above.
Testing
~~~~~~~
--
2.25.1
next prev parent reply other threads:[~2020-10-12 10:44 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-08 14:20 [dpdk-dev] [PATCH] " Adam Dybkowski
2020-09-08 16:00 ` Trahe, Fiona
2020-09-08 16:19 ` [dpdk-dev] [PATCH v2 0/1] " Adam Dybkowski
2020-09-08 16:19 ` [dpdk-dev] [PATCH v2 1/1] " Adam Dybkowski
2020-09-09 10:51 ` Burakov, Anatoly
2020-09-08 19:22 ` [dpdk-dev] [PATCH v2 0/1] " Mcnamara, John
2020-09-15 11:14 ` [dpdk-dev] [PATCH v3 " Adam Dybkowski
2020-09-15 11:14 ` [dpdk-dev] [PATCH v3 1/1] " Adam Dybkowski
2020-09-16 12:33 ` Burakov, Anatoly
2020-10-08 21:29 ` Akhil Goyal
2020-10-12 10:50 ` Dybkowski, AdamX
2020-10-12 10:43 ` [dpdk-dev] [PATCH v4 0/1] " Adam Dybkowski
2020-10-12 10:43 ` Adam Dybkowski [this message]
2020-10-13 14:10 ` [dpdk-dev] [PATCH v5 " Adam Dybkowski
2020-10-13 14:10 ` [dpdk-dev] [PATCH v5 1/1] " Adam Dybkowski
2020-10-28 11:05 ` Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201012104352.19236-2-adamx.dybkowski@intel.com \
--to=adamx.dybkowski@intel.com \
--cc=akhil.goyal@nxp.com \
--cc=dev@dpdk.org \
--cc=fiona.trahe@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
DPDK patches and discussions
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://inbox.dpdk.org/dev/0 dev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 dev dev/ https://inbox.dpdk.org/dev \
dev@dpdk.org
public-inbox-index dev
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://inbox.dpdk.org/inbox.dpdk.dev
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git