Proxmox - Issue Passthrough of Intel 4xxx QAT to pfSense

I’m struggling with passing through a QAT module on an Intel CPU to a VM and not sure what I might be missing.
The CPU in question has 2x QAT and is a Xeon Gold 5416S.
I can see the QAT modules in lspci and other outputs but no matter what I’ve tried so far nothing shows up in the GUI for passthrough.

I’ve tried a few different things, running the latest version of Proxmox 8, and nothing seems to work. I can forcefully pass through the QAT module by doing a manual passthrough, but neither of the QAT devices in question shows up in the dropdown list for the pfSense VM, or any other VM for that matter, under PCI Passthru.

# cat /etc/modprobe.d/vfio-pci.conf
options vfio-pci disable_denylist=1

lsmod | grep vfio
vfio_pci               16384  6
vfio_pci_core          86016  1 vfio_pci
irqbypass              12288  223 vfio_pci_core,kvm
vfio_iommu_type1       49152  3
vfio                   57344  25 vfio_pci_core,kvmgt,vfio_iommu_type1,vfio_pci
iommufd                77824  1 vfio

lsmod | grep qat
qat_4xxx               20480  0
intel_qat             258048  1 qat_4xxx
crc8                   12288  1 intel_qat
authenc                12288  1 intel_qat

lspci -knn
f3:00.0 Co-processor [0b40]: Intel Corporation 4xxx Series QAT [8086:4942] (rev 40)
        Subsystem: Intel Corporation 4xxx Series QAT [8086:0000]
        Kernel driver in use: vfio-pci
        Kernel modules: qat_4xxx
f5:00.0 Co-processor [0b40]: Intel Corporation Device [8086:2710]
        Subsystem: Intel Corporation Device [8086:0000]
f7:00.0 Co-processor [0b40]: Intel Corporation 4xxx Series QAT [8086:4942] (rev 40)
        Subsystem: Intel Corporation 4xxx Series QAT [8086:0000]
        Kernel driver in use: vfio-pci
        Kernel modules: qat_4xxx
f9:00.0 Co-processor [0b40]: Intel Corporation Device [8086:2710]
        Subsystem: Intel Corporation Device [8086:0000]
       
cat /etc/modprobe.d/pve-blacklist.conf
# This file contains a list of modules which are not supported by Proxmox VE

# nvidiafb see bugreport https://bugzilla.proxmox.com/show_bug.cgi?id=701
blacklist nvidiafb
blacklist qat_4xxx

I might even be doing it right on the Proxmox side of things because on the pfSense side of things I can see the qat module when doing pciconf:

pciconf -lv | grep qat
qat0@pci0:3:0:0:        class=0x0b4000 rev=0x40 hdr=0x00 vendor=0x8086 device=0x4942 subvendor=0x8086 subdevice=0x0000

But QAT in pfSense shows QAT Crypto: No
Even though I have gone under System > Advanced > Misc and set Crypto Hardware to Intel QAT.

As far as I’m aware, you need pfSense Plus in order to get QAT - the community edition won’t support it, even though it appears in the GUI. Is it Plus you’re running?

Ah, also apparently limited to certain platforms (mostly the C-series Atoms)

Yah I’m running pfSense Plus in a VM

Ah, so it might not support the 4xxx yet.
I’ve seen plenty of people saying they got the add-in cards working on VMs with passthrough but nothing for the 4xxx present on the Intel Xeon 4th gen and up.

Some higher-end Xeons also work with SR-IOV so you can mux your QAT.

Did you bind vfio-pci to the QAT PCIe devices?

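One way to answer the binding question above from `lspci -knn` text, as an added example that is not part of any post in this thread. The function names `driver_report` and `all_bound` are hypothetical, and the sample is constructed to mirror the output quoted in the first post.

```shell
#!/bin/sh
# Constructed sample mirroring the `lspci -knn` output quoted in the thread.
SAMPLE='f3:00.0 Co-processor [0b40]: Intel Corporation 4xxx Series QAT [8086:4942] (rev 40)
        Subsystem: Intel Corporation 4xxx Series QAT [8086:0000]
        Kernel driver in use: vfio-pci
        Kernel modules: qat_4xxx
f5:00.0 Co-processor [0b40]: Intel Corporation Device [8086:2710]
        Subsystem: Intel Corporation Device [8086:0000]
f7:00.0 Co-processor [0b40]: Intel Corporation 4xxx Series QAT [8086:4942] (rev 40)
        Subsystem: Intel Corporation 4xxx Series QAT [8086:0000]
        Kernel driver in use: vfio-pci
        Kernel modules: qat_4xxx
f9:00.0 Co-processor [0b40]: Intel Corporation Device [8086:2710]
        Subsystem: Intel Corporation Device [8086:0000]'

# driver_report VENDOR:DEVICE (hypothetical helper)
# Reads `lspci -knn` text on stdin and prints "<slot> <driver>" for every
# device carrying that ID, or "<slot> none" when no driver is bound.
driver_report() {
    awk -v id="[$1]" '
        function emit() { if (slot != "") print slot, (drv == "" ? "none" : drv) }
        # Device header lines start at column 0; detail lines are indented.
        /^[0-9a-f]/ { emit(); slot = ""; drv = ""; if (index($0, id)) slot = $1; next }
        /Kernel driver in use:/ { if (slot != "") drv = $NF }
        END { emit() }
    '
}

# all_bound VENDOR:DEVICE DRIVER (hypothetical helper)
# Returns 0 only if at least one matching device exists and every one of
# them uses DRIVER; 1 if any uses something else; 2 if none were found.
all_bound() {
    report=$(driver_report "$1") || return 2
    [ -n "$report" ] || return 2
    printf '%s\n' "$report" | awk -v want="$2" '$2 != want { bad = 1 } END { exit bad + 0 }'
}

# Demo on the constructed sample; on a real host pipe `lspci -knn` instead.
printf '%s\n' "$SAMPLE" | driver_report 8086:4942
```

A clean result here only shows that the host side is bound to vfio-pci; it says nothing about whether the guest has a driver for the device.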
Just wanted to close the loop on this. Apparently I wasn’t thinking clearly and was trying to pass through the CPU accelerators as PCIe devices. It looks like, as of right now, pfSense Plus might not have QAT support for the Intel Xeon 4th and 5th gen scalable CPUs at this time.

Closing the loop completely with you both @ScottishTom and @wendell
Confirmed: support for 4xxx is present in FreeBSD but has not been added to pfSense yet.

Thanks for the assist!