* [PATCH 0/1] Adding vfio load params for certain QAT cards @ 2024-09-16 4:14 Patrick Robb 2024-09-16 4:14 ` [PATCH 1/1] tests/cryptodev_common.py Supporting vfio denylist for QAT Patrick Robb 0 siblings, 1 reply; 5+ messages in thread From: Patrick Robb @ 2024-09-16 4:14 UTC (permalink / raw) To: david.marchand; +Cc: dts, Patrick Robb In adding a QAT 8970 card to testing at the UNH Community Lab, we learned that certain QAT cards are not meant to run in an untrusted environment, and require a particular linux configuration. Namely, that disable denylist be enabled for vfio, and that unsame iommu mode be enabled. You can read more at this commit: https://github.com/torvalds/linux/commit/50173329c8cc0c892eaa7a9d0f0692ac39cd7b04 Patrick Robb (1): tests/cryptodev_common.py Supporting vfio denylist for QAT tests/cryptodev_common.py | 4 ++++ 1 file changed, 4 insertions(+) -- 2.25.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/1] tests/cryptodev_common.py Supporting vfio denylist for QAT 2024-09-16 4:14 [PATCH 0/1] Adding vfio load params for certain QAT cards Patrick Robb @ 2024-09-16 4:14 ` Patrick Robb 2024-09-16 9:30 ` David Marchand 0 siblings, 1 reply; 5+ messages in thread From: Patrick Robb @ 2024-09-16 4:14 UTC (permalink / raw) To: david.marchand; +Cc: dts, Patrick Robb DH895XCC, C3XXX, and C62X QuickAssist cards are not designed to run in an untrusted environment. Consequently, this patch adds commands to the cryptodev_perf testsuite for loading the vfio driver with disable_denylist enabled and enabling unsame iommu mode. Signed-off-by: Patrick Robb <probb@iol.unh.edu> --- tests/cryptodev_common.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/cryptodev_common.py b/tests/cryptodev_common.py index b550b46869df..37483c51e3e7 100644 --- a/tests/cryptodev_common.py +++ b/tests/cryptodev_common.py @@ -15,6 +15,10 @@ def bind_qat_device(test_case, driver="igb_uio"): if "crypto_dev_id" in conf.suite_cfg: dev_id = conf.suite_cfg["crypto_dev_id"] + if dev_id in ["37c8", "435", "19e2"]: + test_case.dut.send_expect('modprobe -r vfio_iommu_type1; modprobe -r vfio_pci; modprobe -r vfio_virqfd; modprobe -r vfio', '# ', 5) + test_case.dut.send_expect('modprobe vfio-pci disable_denylist=1 enable_sriov=1', '# ', 5) + test_case.dut.send_expect('echo "1" | tee /sys/module/vfio/parameters/enable_unsafe_noiommu_mode', '# ', 5) test_case.logger.info( "specified the qat hardware device id in cfg: {}".format(dev_id) ) -- 2.25.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/1] tests/cryptodev_common.py Supporting vfio denylist for QAT 2024-09-16 4:14 ` [PATCH 1/1] tests/cryptodev_common.py Supporting vfio denylist for QAT Patrick Robb @ 2024-09-16 9:30 ` David Marchand 2024-09-17 4:21 ` Patrick Robb 0 siblings, 1 reply; 5+ messages in thread From: David Marchand @ 2024-09-16 9:30 UTC (permalink / raw) To: Patrick Robb; +Cc: dts On Mon, Sep 16, 2024 at 6:15 AM Patrick Robb <probb@iol.unh.edu> wrote: > > DH895XCC, C3XXX, and C62X QuickAssist cards are not designed to run > in an untrusted environment. Consequently, this patch adds commands > to the cryptodev_perf testsuite for loading the vfio driver > with disable_denylist enabled and enabling unsame iommu mode. For interested parties, here is the kernel commit: https://git.kernel.org/linus/50173329c8cc I am not entirely confident with this patch, for the reasons below. > > Signed-off-by: Patrick Robb <probb@iol.unh.edu> > --- > tests/cryptodev_common.py | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/tests/cryptodev_common.py b/tests/cryptodev_common.py > index b550b46869df..37483c51e3e7 100644 > --- a/tests/cryptodev_common.py > +++ b/tests/cryptodev_common.py > @@ -15,6 +15,10 @@ def bind_qat_device(test_case, driver="igb_uio"): > > if "crypto_dev_id" in conf.suite_cfg: > dev_id = conf.suite_cfg["crypto_dev_id"] > + if dev_id in ["37c8", "435", "19e2"]: Usually, PCI ids are represented on 4 chars, leading 0 included, so I would expect 0435. Do you have such hw and did you test with it? > + test_case.dut.send_expect('modprobe -r vfio_iommu_type1; modprobe -r vfio_pci; modprobe -r vfio_virqfd; modprobe -r vfio', '# ', 5) > + test_case.dut.send_expect('modprobe vfio-pci disable_denylist=1 enable_sriov=1', '# ', 5) While I do understand the disable_denylist option, the enable_sriov= part seems a different topic... Why is sriov needed in this test? > + test_case.dut.send_expect('echo "1" | tee /sys/module/vfio/parameters/enable_unsafe_noiommu_mode', '# ', 5) This helps in systems that do not have a IOMMU (or an emulated one for virtual machines). I suspect forcing noiommu will break setups with a hw iommu as DPDK will force PA when noiommu is detected. > test_case.logger.info( > "specified the qat hardware device id in cfg: {}".format(dev_id) > ) > -- > 2.25.1 > -- David Marchand ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/1] tests/cryptodev_common.py Supporting vfio denylist for QAT 2024-09-16 9:30 ` David Marchand @ 2024-09-17 4:21 ` Patrick Robb 2024-09-18 9:57 ` Juraj Linkeš 0 siblings, 1 reply; 5+ messages in thread From: Patrick Robb @ 2024-09-17 4:21 UTC (permalink / raw) To: David Marchand; +Cc: dts, Dharmik Jayesh Thakkar On Mon, Sep 16, 2024 at 5:30 AM David Marchand <david.marchand@redhat.com> wrote: > > On Mon, Sep 16, 2024 at 6:15 AM Patrick Robb <probb@iol.unh.edu> wrote: > > > > > > diff --git a/tests/cryptodev_common.py b/tests/cryptodev_common.py > > index b550b46869df..37483c51e3e7 100644 > > --- a/tests/cryptodev_common.py > > +++ b/tests/cryptodev_common.py > > @@ -15,6 +15,10 @@ def bind_qat_device(test_case, driver="igb_uio"): > > > > if "crypto_dev_id" in conf.suite_cfg: > > dev_id = conf.suite_cfg["crypto_dev_id"] > > + if dev_id in ["37c8", "435", "19e2"]: > > Usually, PCI ids are represented on 4 chars, leading 0 included, so I > would expect 0435. > Do you have such hw and did you test with it? I agree that 3 char id is strange. This was some months ago, but I believe I grabbed the dev ids from https://doc.dpdk.org/guides/cryptodevs/qat.html#available-kernel-drivers based on the kernel commit you posted above. This website, which I usually use when adding a new PCI device to legacy dts, https://devicehunt.com/view/type/pci/vendor/8086/device/0435 suggests that the correct id is 0435. If this sounds right to you, I can submit a new version of this series with the 0 added, and a dpdk/doc patch for the page I included above (presuming that the id in the table is actually wrong). In terms of testing, yes we do have a c62x / 37c8 card (qat 8970), and this commit did "fix" the testsuite for that card. I included the other two cards because even though I didn't have the hardware to test the change, I felt that my reading of the linux kernel commit above indicated it was appropriate to sumit this change, even without having run it on the specific hardware. Please let me know if this is inappropriate. > > > > + test_case.dut.send_expect('modprobe -r vfio_iommu_type1; modprobe -r vfio_pci; modprobe -r vfio_virqfd; modprobe -r vfio', '# ', 5) > > + test_case.dut.send_expect('modprobe vfio-pci disable_denylist=1 enable_sriov=1', '# ', 5) > > While I do understand the disable_denylist option, the enable_sriov= > part seems a different topic... > Why is sriov needed in this test? > I believe the enable_sriov requirement comes from the fact that this testsuite is running from virtual functons on the QAT card. You can find an example similar to how we set those up here: https://doc.dpdk.org/guides/cryptodevs/qat.html#binding-the-available-vfs-to-the-vfio-pci-driver However, these specific options for the QAT cards in question came from Dharmik Thakkar (ARM) so I'm CCing him here as I think he is more of an authority on the subject than I am. https://inbox.dpdk.org/ci/AS4PR08MB755371CDAF5C105050D64850F7CDA@AS4PR08MB7553.eurprd08.prod.outlook.com/ > > > + test_case.dut.send_expect('echo "1" | tee /sys/module/vfio/parameters/enable_unsafe_noiommu_mode', '# ', 5) > > This helps in systems that do not have a IOMMU (or an emulated one for > virtual machines). > I suspect forcing noiommu will break setups with a hw iommu as DPDK > will force PA when noiommu is detected. This is an ARM Neoverse N-1 Ampere Mt. Jade system, which appears to have IOMMU: ``` probb@arm-ampere-dut:~$ sudo dmesg | grep -i IOMMU [31804.426192] c6xxvf 0000:03:01.0: Adding to iommu group 59 [31804.473157] c6xxvf 0000:03:01.1: Adding to iommu group 60 [31804.533436] c6xxvf 0000:03:01.2: Adding to iommu group 61 [31804.577145] c6xxvf 0000:03:01.3: Adding to iommu group 62 [31804.621197] c6xxvf 0000:03:01.4: Adding to iommu group 63 [31804.665133] c6xxvf 0000:03:01.5: Adding to iommu group 64 ``` But, I guess this is another question for Dharmik I think, who suggested the enable_unsafe_no_iommu_mode setting and again is more knowledgeable on the subject than I am. However, I am happy to test this with enable_unsafe_noiommu_mode=0. I'll give it a whirl now and report back. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/1] tests/cryptodev_common.py Supporting vfio denylist for QAT 2024-09-17 4:21 ` Patrick Robb @ 2024-09-18 9:57 ` Juraj Linkeš 0 siblings, 0 replies; 5+ messages in thread From: Juraj Linkeš @ 2024-09-18 9:57 UTC (permalink / raw) To: Patrick Robb, David Marchand; +Cc: dts, Dharmik Jayesh Thakkar On 17. 9. 2024 6:21, Patrick Robb wrote: > On Mon, Sep 16, 2024 at 5:30 AM David Marchand > <david.marchand@redhat.com> wrote: >> >> On Mon, Sep 16, 2024 at 6:15 AM Patrick Robb <probb@iol.unh.edu> wrote: >>> >>> >>> diff --git a/tests/cryptodev_common.py b/tests/cryptodev_common.py >>> index b550b46869df..37483c51e3e7 100644 >>> --- a/tests/cryptodev_common.py >>> +++ b/tests/cryptodev_common.py >>> @@ -15,6 +15,10 @@ def bind_qat_device(test_case, driver="igb_uio"): >>> >>> if "crypto_dev_id" in conf.suite_cfg: >>> dev_id = conf.suite_cfg["crypto_dev_id"] >>> + if dev_id in ["37c8", "435", "19e2"]: >> >> Usually, PCI ids are represented on 4 chars, leading 0 included, so I >> would expect 0435. >> Do you have such hw and did you test with it? > > I agree that 3 char id is strange. > > This was some months ago, but I believe I grabbed the dev ids from > https://doc.dpdk.org/guides/cryptodevs/qat.html#available-kernel-drivers > based on the kernel commit you posted above. > > This website, which I usually use when adding a new PCI device to > legacy dts, https://devicehunt.com/view/type/pci/vendor/8086/device/0435 > suggests that the correct id is 0435. If this sounds right to you, I > can submit a new version of this series with the 0 added, and a > dpdk/doc patch for the page I included above (presuming that the id in > the table is actually wrong). > > In terms of testing, yes we do have a c62x / 37c8 card (qat 8970), and > this commit did "fix" the testsuite for that card. I included the > other two cards because even though I didn't have the hardware to test > the change, I felt that my reading of the linux kernel commit above > indicated it was appropriate to sumit this change, even without having > run it on the specific hardware. Please let me know if this is > inappropriate. > The best is to check the device itself. These ID's can be found under: /sys/bus/pci/devices/<pci>/ The four IDs are: device vendor subsystem_device subsystem_vendor and I believe you're looking for device, but it seems you don't actually have the hardware. In that case, you can also consult https://pci-ids.ucw.cz/v2.2/pci.ids, which says: 0435 DH895XCC Series QAT And that it is from: 8086 Intel Corporation So that seems to match the device. You should definitely add the 0, I'd say DTS is looking in /sys/bus/pci/devices/<pci>/device and it's going to be there. ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-09-18 9:57 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2024-09-16 4:14 [PATCH 0/1] Adding vfio load params for certain QAT cards Patrick Robb 2024-09-16 4:14 ` [PATCH 1/1] tests/cryptodev_common.py Supporting vfio denylist for QAT Patrick Robb 2024-09-16 9:30 ` David Marchand 2024-09-17 4:21 ` Patrick Robb 2024-09-18 9:57 ` Juraj Linkeš
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).