diff --git a/share/man/man4/qat.4 b/share/man/man4/qat.4 --- a/share/man/man4/qat.4 +++ b/share/man/man4/qat.4 @@ -1,6 +1,6 @@ .\" SPDX-License-Identifier: BSD-3-Clause -.\" Copyright(c) 2007-2022 Intel Corporation -.Dd May 16, 2025 +.\" Copyright(c) 2007-2025 Intel Corporation +.Dd June 2, 2025 .Dt QAT 4 .Os .Sh NAME @@ -108,6 +108,13 @@ Override the number of uio user space processes that can connect to the QAT device. Default: 2 +.It Va dev.qat.X.disable_safe_dc_mode +Override history buffer mitigation. +Disabled by default. +If enabled, decompression throughput increases but may result in a data leak if +.Va dev.qat.X.num_user_processes +is more than 1. +Enable this option only if your system is not prone to user data leaks. .El .Pp The following diff --git a/sys/conf/NOTES b/sys/conf/NOTES --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -2869,3 +2869,6 @@ # File system monitoring device filemon # file monitoring for make(1) meta-mode + +# Options for the Intel QuickAssist (QAT) driver. +options QAT_DISABLE_SAFE_DC_MODE # Disable QAT safe data compression mode (only for 4940 devices). diff --git a/sys/conf/options b/sys/conf/options --- a/sys/conf/options +++ b/sys/conf/options @@ -1014,3 +1014,6 @@ # This option is insecure except in controlled environments where the static # environment's contents are known to be safe. PRESERVE_EARLY_KENV opt_global.h + +# Options for the Intel QuickAssist (QAT) driver. +QAT_DISABLE_SAFE_DC_MODE opt_qat.h diff --git a/sys/contrib/dev/qat/qat_4xxx.bin b/sys/contrib/dev/qat/qat_4xxx.bin index 0000000000000000000000000000000000000000..0000000000000000000000000000000000000000 GIT binary patch literal 0 Hc$@disable_safe_dc_mode) + req.fw_flags = ICP_QAT_FW_INIT_DISABLE_SAFE_DC_MODE_FLAG; +#endif /* QAT_DISABLE_SAFE_DC_MODE */ if (adf_send_admin(accel_dev, &req, &resp, ae_mask)) { device_printf(GET_DEV(accel_dev), "Error sending init message\n"); 
diff --git a/sys/dev/qat/qat_hw/qat_4xxx/adf_drv.c b/sys/dev/qat/qat_hw/qat_4xxx/adf_drv.c
--- a/sys/dev/qat/qat_hw/qat_4xxx/adf_drv.c
+++ b/sys/dev/qat/qat_hw/qat_4xxx/adf_drv.c
@@ -47,6 +47,74 @@
  return ENXIO;
 }
 
+#ifdef QAT_DISABLE_SAFE_DC_MODE
+static int adf_4xxx_sysctl_disable_safe_dc_mode(SYSCTL_HANDLER_ARGS)
+{
+ struct adf_accel_dev *accel_dev = arg1;
+ int error, value = accel_dev->disable_safe_dc_mode;
+
+ error = sysctl_handle_int(oidp, &value, 0, req);
+ if (error || !req->newptr)
+ return error;
+
+ if (value != 1 && value != 0)
+ return EINVAL;
+
+ if (adf_dev_started(accel_dev)) {
+ device_printf(
+ GET_DEV(accel_dev),
+ "QAT: configuration can only be changed in \"down\" device state\n");
+ return EBUSY;
+ }
+
+ accel_dev->disable_safe_dc_mode = (u8)value;
+
+ return 0;
+}
+
+static void
+adf_4xxx_disable_safe_dc_sysctl_add(struct adf_accel_dev *accel_dev)
+{
+ struct sysctl_ctx_list *qat_sysctl_ctx;
+ struct sysctl_oid *qat_sysctl_tree;
+
+ qat_sysctl_ctx =
+ device_get_sysctl_ctx(accel_dev->accel_pci_dev.pci_dev);
+ qat_sysctl_tree =
+ device_get_sysctl_tree(accel_dev->accel_pci_dev.pci_dev);
+ accel_dev->safe_dc_mode =
+ SYSCTL_ADD_OID(qat_sysctl_ctx,
+ SYSCTL_CHILDREN(qat_sysctl_tree),
+ OID_AUTO,
+ "disable_safe_dc_mode",
+ CTLTYPE_INT | CTLFLAG_WR | CTLFLAG_TUN |
+ CTLFLAG_SKIP,
+ accel_dev,
+ 0,
+ adf_4xxx_sysctl_disable_safe_dc_mode,
+ "LU",
+ "Disable QAT safe data compression mode");
+}
+
+static void
+adf_4xxx_disable_safe_dc_sysctl_remove(struct adf_accel_dev *accel_dev)
+{
+ int ret;
+ struct sysctl_ctx_list *qat_sysctl_ctx =
+ device_get_sysctl_ctx(accel_dev->accel_pci_dev.pci_dev);
+
+ ret = sysctl_ctx_entry_del(qat_sysctl_ctx, accel_dev->safe_dc_mode);
+ if (ret) {
+ device_printf(GET_DEV(accel_dev), "Failed to delete entry\n");
+ } else {
+ ret = sysctl_remove_oid(accel_dev->safe_dc_mode, 1, 1);
+ if (ret)
+ device_printf(GET_DEV(accel_dev),
+ "Failed to delete oid\n");
+ }
+}
+#endif /* QAT_DISABLE_SAFE_DC_MODE */
+
 static void
 adf_cleanup_accel(struct adf_accel_dev *accel_dev)
 {
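Review bot: The `disable_safe_dc_mode` OID in adf_4xxx_disable_safe_dc_sysctl_add is registered write-only and skipped in listings (`CTLFLAG_WR | CTLFLAG_TUN | CTLFLAG_SKIP`), so an administrator cannot read back whether the history-buffer mitigation is currently overridden, even though the handler already loads the current setting into `value`. The format string `"LU"` also disagrees with `CTLTYPE_INT` and `sysctl_handle_int`; it should be `"I"`. I would register the node with `CTLTYPE_INT | CTLFLAG_RWTUN | CTLFLAG_SKIP,` and `"I",`, and have the handler emit a `device_printf` when the stored value actually changes, so that switching the mitigation off leaves a trace in the system log. The pointer returned by SYSCTL_ADD_OID is stored in `accel_dev->safe_dc_mode` without a NULL check.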
@@ -76,6 +144,9 @@ free(accel_dev->hw_device, M_QAT_4XXX); accel_dev->hw_device = NULL; } +#ifdef QAT_DISABLE_SAFE_DC_MODE + adf_4xxx_disable_safe_dc_sysctl_remove(accel_dev); +#endif /* QAT_DISABLE_SAFE_DC_MODE */ adf_cfg_dev_remove(accel_dev); adf_devmgr_rm_dev(accel_dev, NULL); } @@ -153,6 +224,10 @@ if (ret) goto out_err; +#ifdef QAT_DISABLE_SAFE_DC_MODE + adf_4xxx_disable_safe_dc_sysctl_add(accel_dev); +#endif /* QAT_DISABLE_SAFE_DC_MODE */ + pci_set_max_read_req(dev, 4096); ret = bus_dma_tag_create(bus_get_dma_tag(dev), diff --git a/sys/modules/qat/qat/Makefile b/sys/modules/qat/qat/Makefile --- a/sys/modules/qat/qat/Makefile +++ b/sys/modules/qat/qat/Makefile @@ -4,7 +4,7 @@ KMOD= qat SRCS+= qat_ocf.c qat_ocf_mem_pool.c qat_ocf_utils.c -SRCS+= device_if.h bus_if.h vnode_if.h pci_if.h cryptodev_if.h +SRCS+= device_if.h bus_if.h vnode_if.h pci_if.h cryptodev_if.h opt_qat.h CFLAGS+= ${LINUXKPI_INCLUDES} CFLAGS+= -I${SRCTOP}/sys/dev/qat/include @@ -17,6 +17,17 @@ CFLAGS+= -I${SRCTOP}/sys/dev/qat/qat_api/firmware/include CFLAGS+= -I${SRCTOP}/sys/dev/qat/qat_api/common/crypto/sym/include +.if !defined(KERNBUILDDIR) +CFLAGS+= -include opt_qat.h +MKDEP= -include opt_qat.h + +opt_qat.h: + :> ${.TARGET} +.if defined(QAT_DISABLE_SAFE_DC_MODE) && ${QAT_DISABLE_SAFE_DC_MODE} == "1" + @echo "#define QAT_DISABLE_SAFE_DC_MODE 1" >> ${.TARGET} +.endif +.endif + .include .if ${COMPILER_TYPE} == "clang" diff --git a/sys/modules/qat/qat_api/Makefile b/sys/modules/qat/qat_api/Makefile --- a/sys/modules/qat/qat_api/Makefile +++ b/sys/modules/qat/qat_api/Makefile @@ -60,7 +60,7 @@ SRCS+= qat_utils/src/QatUtilsSpinLock.c SRCS+= qat_utils/src/QatUtilsAtomic.c SRCS+= qat_utils/src/QatUtilsCrypto.c -SRCS+= bus_if.h cryptodev_if.h device_if.h pci_if.h vnode_if.h +SRCS+= bus_if.h cryptodev_if.h device_if.h pci_if.h vnode_if.h opt_qat.h CFLAGS+= -I${SRCTOP}/sys/dev/qat/qat_api/include CFLAGS+= -I${SRCTOP}/sys/dev/qat/qat_api/include/lac 
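Review bot: adf_cleanup_accel now calls adf_4xxx_disable_safe_dc_sysctl_remove unconditionally, while the matching add in the attach hunk (`@@ -153,6 +224,10 @@`) only runs once the preceding `if (ret) goto out_err;` has passed. If the error path reaches adf_cleanup_accel before the add (the `out_err` label is outside the hunk, so this is inferred), `accel_dev->safe_dc_mode` was never set, and the remove helper would hand it to sysctl_ctx_entry_del and presumably log "Failed to delete entry". A guard at the top of the remove helper, `if (accel_dev->safe_dc_mode == NULL) return;`, together with `accel_dev->safe_dc_mode = NULL;` after a successful removal, would keep teardown quiet and idempotent. Both adf_cleanup_accel and the attach function extend beyond these hunks.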
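Review bot: The `opt_qat.h` rule added for standalone module builds (`.if !defined(KERNBUILDDIR)`) has no prerequisites, so once the header exists in the object directory it is not regenerated when `QAT_DISABLE_SAFE_DC_MODE` changes between builds. A module first built with `QAT_DISABLE_SAFE_DC_MODE=1` and later rebuilt without it could, unless the object directory is cleaned, still carry the `#define` and keep the mitigation override compiled in; it is worth confirming that the clean target removes the header, or forcing the rule to re-run. `MKDEP= -include opt_qat.h` also assigns rather than appends, and `MKDEP+= -include opt_qat.h` would preserve anything set earlier. The same block is repeated in the qat_api, qat_common and qat_hw Makefiles, so the point applies to all four, and a shared include file would keep them in step.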
@@ -74,6 +74,17 @@ CFLAGS+= -I${SRCTOP}/sys/dev/qat/include/common CFLAGS+= ${LINUXKPI_INCLUDES} +.if !defined(KERNBUILDDIR) +CFLAGS+= -include opt_qat.h +MKDEP= -include opt_qat.h + +opt_qat.h: + :> ${.TARGET} +.if defined(QAT_DISABLE_SAFE_DC_MODE) && ${QAT_DISABLE_SAFE_DC_MODE} == "1" + @echo "#define QAT_DISABLE_SAFE_DC_MODE 1" >> ${.TARGET} +.endif +.endif + .include CWARNFLAGS+= -Wno-cast-qual diff --git a/sys/modules/qat/qat_common/Makefile b/sys/modules/qat/qat_common/Makefile --- a/sys/modules/qat/qat_common/Makefile +++ b/sys/modules/qat/qat_common/Makefile @@ -23,10 +23,21 @@ SRCS+= adf_freebsd_transport_debug.c adf_clock.c SRCS+= adf_freebsd_cnvnr_ctrs_dbg.c SRCS+= adf_freebsd_pfvf_ctrs_dbg.c -SRCS+= bus_if.h device_if.h pci_if.h vnode_if.h +SRCS+= bus_if.h device_if.h pci_if.h vnode_if.h opt_qat.h CFLAGS+= -I${SRCTOP}/sys/dev/qat/include CFLAGS+= -I${SRCTOP}/sys/dev/qat/include/common CFLAGS+= ${LINUXKPI_INCLUDES} +.if !defined(KERNBUILDDIR) +CFLAGS+= -include opt_qat.h +MKDEP= -include opt_qat.h + +opt_qat.h: + :> ${.TARGET} +.if defined(QAT_DISABLE_SAFE_DC_MODE) && ${QAT_DISABLE_SAFE_DC_MODE} == "1" + @echo "#define QAT_DISABLE_SAFE_DC_MODE 1" >> ${.TARGET} +.endif +.endif + .include diff --git a/sys/modules/qat/qat_hw/Makefile b/sys/modules/qat/qat_hw/Makefile --- a/sys/modules/qat/qat_hw/Makefile +++ b/sys/modules/qat/qat_hw/Makefile @@ -12,7 +12,7 @@ SRCS+= qat_c4xxx/adf_c4xxx_hw_data.c qat_c4xxx/adf_drv.c qat_c4xxx/adf_c4xxx_ae_config.c qat_c4xxx/adf_c4xxx_misc_error_stats.c SRCS+= qat_c4xxx/adf_c4xxx_pke_replay_stats.c qat_c4xxx/adf_c4xxx_ras.c qat_c4xxx/adf_c4xxx_res_part.c SRCS+= qat_c4xxx/adf_c4xxx_reset.c -SRCS+= device_if.h bus_if.h vnode_if.h pci_if.h cryptodev_if.h +SRCS+= device_if.h bus_if.h vnode_if.h pci_if.h cryptodev_if.h opt_qat.h CFLAGS+= ${LINUXKPI_INCLUDES} CFLAGS+= -I${SRCTOP}/sys/dev/qat/include 
@@ -25,4 +25,15 @@ CFLAGS+= -I${SRCTOP}/sys/dev/qat/qat_api/firmware/include CFLAGS+= -I${SRCTOP}/sys/dev/qat/qat_api/common/crypto/sym/include +.if !defined(KERNBUILDDIR) +CFLAGS+= -include opt_qat.h +MKDEP= -include opt_qat.h + +opt_qat.h: + :> ${.TARGET} +.if defined(QAT_DISABLE_SAFE_DC_MODE) && ${QAT_DISABLE_SAFE_DC_MODE} == "1" + @echo "#define QAT_DISABLE_SAFE_DC_MODE 1" >> ${.TARGET} +.endif +.endif + .include