2020-07-01 11:04:32

by Cabiddu, Giovanni

Subject: [PATCH 3/5] vfio/pci: add qat devices to blocklist

The current generation of Intel® QuickAssist Technology devices
are not designed to run in an untrusted environment because of the
following issues reported in the release notes in
https://01.org/intel-quickassist-technology:

QATE-39220 - GEN - Intel® QAT API submissions with bad addresses that
trigger DMA to invalid or unmapped addresses can cause a
platform hang
QATE-7495 - GEN - An incorrectly formatted request to Intel® QAT can
hang the entire Intel® QAT Endpoint

This patch adds the following QAT devices to the blocklist: DH895XCC,
C3XXX and C62X.

Signed-off-by: Giovanni Cabiddu <[email protected]>
---
drivers/vfio/pci/vfio_pci.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)

diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
index ea5904ca6cbf..dcac5408c764 100644
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -75,6 +75,21 @@ static inline bool vfio_vga_disabled(void)

static bool vfio_pci_dev_in_blocklist(struct pci_dev *pdev)
{
+ switch (pdev->vendor) {
+ case PCI_VENDOR_ID_INTEL:
+ switch (pdev->device) {
+ case PCI_DEVICE_ID_INTEL_QAT_C3XXX:
+ case PCI_DEVICE_ID_INTEL_QAT_C3XXX_VF:
+ case PCI_DEVICE_ID_INTEL_QAT_C62X:
+ case PCI_DEVICE_ID_INTEL_QAT_C62X_VF:
+ case PCI_DEVICE_ID_INTEL_QAT_DH895XCC:
+ case PCI_DEVICE_ID_INTEL_QAT_DH895XCC_VF:
+ return true;
+ default:
+ return false;
+ }
+ }
+
return false;
}
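
Review bot: the case list under PCI_VENDOR_ID_INTEL carries no comment saying why these device IDs are blocked, so the rationale exists only in the commit message. A short comment above the first case label naming the two errata from the changelog (QATE-39220 and QATE-7495) would let a reader of vfio_pci_dev_in_blocklist() see the reason, and tell when an entry can be dropped, without digging through git history.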

--
2.26.2


2020-07-01 21:28:51

by Bjorn Helgaas

Subject: Re: [PATCH 3/5] vfio/pci: add qat devices to blocklist

On Wed, Jul 01, 2020 at 12:03:00PM +0100, Giovanni Cabiddu wrote:
> The current generation of Intel® QuickAssist Technology devices
> are not designed to run in an untrusted environment because of the
> following issues reported in the release notes in
> https://01.org/intel-quickassist-technology:

It would be nice if this link were directly clickable, e.g., if there
were no trailing ":" or something.

And it would be even better if it went to a specific doc that
described these issues. I assume these are errata, and it's not easy
to figure out which doc mentions them.

> QATE-39220 - GEN - Intel® QAT API submissions with bad addresses that
> trigger DMA to invalid or unmapped addresses can cause a
> platform hang
> QATE-7495 - GEN - An incorrectly formatted request to Intel® QAT can
> hang the entire Intel® QAT Endpoint
>
> This patch adds the following QAT devices to the blocklist: DH895XCC,
> C3XXX and C62X.
>
> Signed-off-by: Giovanni Cabiddu <[email protected]>
> ---
> drivers/vfio/pci/vfio_pci.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
> index ea5904ca6cbf..dcac5408c764 100644
> --- a/drivers/vfio/pci/vfio_pci.c
> +++ b/drivers/vfio/pci/vfio_pci.c
> @@ -75,6 +75,21 @@ static inline bool vfio_vga_disabled(void)
>
> static bool vfio_pci_dev_in_blocklist(struct pci_dev *pdev)
> {
> + switch (pdev->vendor) {
> + case PCI_VENDOR_ID_INTEL:
> + switch (pdev->device) {
> + case PCI_DEVICE_ID_INTEL_QAT_C3XXX:
> + case PCI_DEVICE_ID_INTEL_QAT_C3XXX_VF:
> + case PCI_DEVICE_ID_INTEL_QAT_C62X:
> + case PCI_DEVICE_ID_INTEL_QAT_C62X_VF:
> + case PCI_DEVICE_ID_INTEL_QAT_DH895XCC:
> + case PCI_DEVICE_ID_INTEL_QAT_DH895XCC_VF:
> + return true;
> + default:
> + return false;
> + }
> + }
> +
> return false;
> }
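
Review bot: the inner switch lists the _VF device IDs (C3XXX_VF, C62X_VF, DH895XCC_VF) next to the physical functions, but the changelog only says it adds "DH895XCC, C3XXX and C62X" to the blocklist. Please state in the commit message that the virtual functions are blocked as well, since VF assignment is the case most readers will care about and it is not obvious from the description.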
>
> --
> 2.26.2
>

2020-07-10 15:45:05

by Bjorn Helgaas

Subject: Re: [PATCH 3/5] vfio/pci: add qat devices to blocklist

On Fri, Jul 10, 2020 at 10:37:45AM -0500, Bjorn Helgaas wrote:
> On Fri, Jul 10, 2020 at 04:08:19PM +0100, Giovanni Cabiddu wrote:
> > On Wed, Jul 01, 2020 at 04:28:12PM -0500, Bjorn Helgaas wrote:
> > > On Wed, Jul 01, 2020 at 12:03:00PM +0100, Giovanni Cabiddu wrote:
> > > > The current generation of Intel® QuickAssist Technology devices
> > > > are not designed to run in an untrusted environment because of the
> > > > following issues reported in the release notes in
> > > > https://01.org/intel-quickassist-technology:
> > >
> > > It would be nice if this link were directly clickable, e.g., if there
> > > were no trailing ":" or something.
> > >
> > > And it would be even better if it went to a specific doc that
> > > described these issues. I assume these are errata, and it's not easy
> > > to figure out which doc mentions them.
> > Sure. I will fix the commit message in the next revision and point to the
> > actual document:
> > https://01.org/sites/default/files/downloads/336211-015-qatsoftwareforlinux-rn-hwv1.7-final.pdf
>
> Since URLs tend to go stale, please also include the Intel document
> number and title.

Oh, and is "01.org" really the right place for that? It looks like an
Intel document, so I'd expect it to be somewhere on intel.com.

I'm still a little confused. That doc seems to be about *software*
and Linux software in particular. But when you said these "devices
are not designed to run in an untrusted environment", I thought you
meant there was some *hardware* design issue that caused a problem.

Bjorn

2020-07-10 16:11:37

by Alex Williamson

Subject: Re: [PATCH 3/5] vfio/pci: add qat devices to blocklist

On Fri, 10 Jul 2020 10:44:33 -0500
Bjorn Helgaas <[email protected]> wrote:

> On Fri, Jul 10, 2020 at 10:37:45AM -0500, Bjorn Helgaas wrote:
> > On Fri, Jul 10, 2020 at 04:08:19PM +0100, Giovanni Cabiddu wrote:
> > > On Wed, Jul 01, 2020 at 04:28:12PM -0500, Bjorn Helgaas wrote:
> > > > On Wed, Jul 01, 2020 at 12:03:00PM +0100, Giovanni Cabiddu wrote:
> > > > > The current generation of Intel® QuickAssist Technology devices
> > > > > are not designed to run in an untrusted environment because of the
> > > > > following issues reported in the release notes in
> > > > > https://01.org/intel-quickassist-technology:
> > > >
> > > > It would be nice if this link were directly clickable, e.g., if there
> > > > were no trailing ":" or something.
> > > >
> > > > And it would be even better if it went to a specific doc that
> > > > described these issues. I assume these are errata, and it's not easy
> > > > to figure out which doc mentions them.
> > > Sure. I will fix the commit message in the next revision and point to the
> > > actual document:
> > > https://01.org/sites/default/files/downloads/336211-015-qatsoftwareforlinux-rn-hwv1.7-final.pdf
> >
> > Since URLs tend to go stale, please also include the Intel document
> > number and title.
>
> Oh, and is "01.org" really the right place for that? It looks like an
> Intel document, so I'd expect it to be somewhere on intel.com.
>
> I'm still a little confused. That doc seems to be about *software*
> and Linux software in particular. But when you said these "devices
> are not designed to run in an untrusted environment", I thought you
> meant there was some *hardware* design issue that caused a problem.

There seems to be a fair bit of hardware errata in the doc too, see:

3.1.2 QATE-7495 - GEN - An incorrectly formatted request to Intel® QAT can
hang the entire Intel® QAT Endpoint

3.1.9 QATE-39220 - GEN - QAT API submissions with bad addresses that
trigger DMA to invalid or unmapped addresses can cause a platform
hang

3.1.17 QATE-52389 - SR-IOV -Huge pages may not be compatible with QAT
VF usage

3.1.19 QATE-60953 - GEN – Intel® QAT API submissions with bad addresses
that trigger DMA to invalid or unmapped addresses can impact QAT
service availability

Thanks,
Alex

2020-07-10 16:23:29

by Cabiddu, Giovanni

Subject: Re: [PATCH 3/5] vfio/pci: add qat devices to blocklist

On Fri, Jul 10, 2020 at 10:10:34AM -0600, Alex Williamson wrote:
> On Fri, 10 Jul 2020 10:44:33 -0500
> Bjorn Helgaas <[email protected]> wrote:
>
> > On Fri, Jul 10, 2020 at 10:37:45AM -0500, Bjorn Helgaas wrote:
> > > On Fri, Jul 10, 2020 at 04:08:19PM +0100, Giovanni Cabiddu wrote:
> > > > On Wed, Jul 01, 2020 at 04:28:12PM -0500, Bjorn Helgaas wrote:
> > > > > On Wed, Jul 01, 2020 at 12:03:00PM +0100, Giovanni Cabiddu wrote:
> > > > > > The current generation of Intel® QuickAssist Technology devices
> > > > > > are not designed to run in an untrusted environment because of the
> > > > > > following issues reported in the release notes in
> > > > > > https://01.org/intel-quickassist-technology:
> > > > >
> > > > > It would be nice if this link were directly clickable, e.g., if there
> > > > > were no trailing ":" or something.
> > > > >
> > > > > And it would be even better if it went to a specific doc that
> > > > > described these issues. I assume these are errata, and it's not easy
> > > > > to figure out which doc mentions them.
> > > > Sure. I will fix the commit message in the next revision and point to the
> > > > actual document:
> > > > https://01.org/sites/default/files/downloads/336211-015-qatsoftwareforlinux-rn-hwv1.7-final.pdf
> > >
> > > Since URLs tend to go stale, please also include the Intel document
> > > number and title.
> >
> > Oh, and is "01.org" really the right place for that? It looks like an
> > Intel document, so I'd expect it to be somewhere on intel.com.
> >
> > I'm still a little confused. That doc seems to be about *software*
> > and Linux software in particular. But when you said these "devices
> > are not designed to run in an untrusted environment", I thought you
> > meant there was some *hardware* design issue that caused a problem.
Yes, the problem is in hardware.

> There seems to be a fair bit of hardware errata in the doc too, see:
>
> 3.1.2 QATE-7495 - GEN - An incorrectly formatted request to Intel® QAT can
> hang the entire Intel® QAT Endpoint
>
> 3.1.9 QATE-39220 - GEN - QAT API submissions with bad addresses that
> trigger DMA to invalid or unmapped addresses can cause a platform
> hang
>
> 3.1.17 QATE-52389 - SR-IOV -Huge pages may not be compatible with QAT
> VF usage
>
> 3.1.19 QATE-60953 - GEN – Intel® QAT API submissions with bad addresses
> that trigger DMA to invalid or unmapped addresses can impact QAT
> service availability
Correct, that document contains errata for both the QAT HW and the
current software.

Regards,

--
Giovanni