1.. SPDX-License-Identifier: GPL-2.0+ 2 3================================================================= 4Linux Base Driver for the Intel(R) Ethernet Controller 800 Series 5================================================================= 6 7Intel ice Linux driver. 8Copyright(c) 2018-2021 Intel Corporation. 9 10Contents 11======== 12 13- Overview 14- Identifying Your Adapter 15- Important Notes 16- Additional Features & Configurations 17- Performance Optimization 18 19 20The associated Virtual Function (VF) driver for this driver is iavf. 21 22Driver information can be obtained using ethtool and lspci. 23 24For questions related to hardware requirements, refer to the documentation 25supplied with your Intel adapter. All hardware requirements listed apply to use 26with Linux. 27 28This driver supports XDP (Express Data Path) and AF_XDP zero-copy. Note that 29XDP is blocked for frame sizes larger than 3KB. 30 31 32Identifying Your Adapter 33======================== 34For information on how to identify your adapter, and for the latest Intel 35network drivers, refer to the Intel Support website: 36https://www.intel.com/support 37 38 39Important Notes 40=============== 41 42Packet drops may occur under receive stress 43------------------------------------------- 44Devices based on the Intel(R) Ethernet Controller 800 Series are designed to 45tolerate a limited amount of system latency during PCIe and DMA transactions. 46If these transactions take longer than the tolerated latency, it can impact the 47length of time the packets are buffered in the device and associated memory, 48which may result in dropped packets. These packets drops typically do not have 49a noticeable impact on throughput and performance under standard workloads. 50 51If these packet drops appear to affect your workload, the following may improve 52the situation: 53 541) Make sure that your system's physical memory is in a high-performance 55 configuration, as recommended by the platform vendor. A common 56 recommendation is for all channels to be populated with a single DIMM 57 module. 582) In your system's BIOS/UEFI settings, select the "Performance" profile. 593) Your distribution may provide tools like "tuned," which can help tweak 60 kernel settings to achieve better standard settings for different workloads. 61 62 63Configuring SR-IOV for improved network security 64------------------------------------------------ 65In a virtualized environment, on Intel(R) Ethernet Network Adapters that 66support SR-IOV, the virtual function (VF) may be subject to malicious behavior. 67Software-generated layer two frames, like IEEE 802.3x (link flow control), IEEE 68802.1Qbb (priority based flow-control), and others of this type, are not 69expected and can throttle traffic between the host and the virtual switch, 70reducing performance. To resolve this issue, and to ensure isolation from 71unintended traffic streams, configure all SR-IOV enabled ports for VLAN tagging 72from the administrative interface on the PF. This configuration allows 73unexpected, and potentially malicious, frames to be dropped. 74 75See "Configuring VLAN Tagging on SR-IOV Enabled Adapter Ports" later in this 76README for configuration instructions. 77 78 79Do not unload port driver if VF with active VM is bound to it 80------------------------------------------------------------- 81Do not unload a port's driver if a Virtual Function (VF) with an active Virtual 82Machine (VM) is bound to it. Doing so will cause the port to appear to hang. 83Once the VM shuts down, or otherwise releases the VF, the command will 84complete. 85 86 87Additional Features and Configurations 88====================================== 89 90ethtool 91------- 92The driver utilizes the ethtool interface for driver configuration and 93diagnostics, as well as displaying statistical information. The latest ethtool 94version is required for this functionality. Download it at: 95https://kernel.org/pub/software/network/ethtool/ 96 97NOTE: The rx_bytes value of ethtool does not match the rx_bytes value of 98Netdev, due to the 4-byte CRC being stripped by the device. The difference 99between the two rx_bytes values will be 4 x the number of Rx packets. For 100example, if Rx packets are 10 and Netdev (software statistics) displays 101rx_bytes as "X", then ethtool (hardware statistics) will display rx_bytes as 102"X+40" (4 bytes CRC x 10 packets). 103 104 105Viewing Link Messages 106--------------------- 107Link messages will not be displayed to the console if the distribution is 108restricting system messages. In order to see network driver link messages on 109your console, set dmesg to eight by entering the following:: 110 111 # dmesg -n 8 112 113NOTE: This setting is not saved across reboots. 114 115 116Dynamic Device Personalization 117------------------------------ 118Dynamic Device Personalization (DDP) allows you to change the packet processing 119pipeline of a device by applying a profile package to the device at runtime. 120Profiles can be used to, for example, add support for new protocols, change 121existing protocols, or change default settings. DDP profiles can also be rolled 122back without rebooting the system. 123 124The DDP package loads during device initialization. The driver looks for 125``intel/ice/ddp/ice.pkg`` in your firmware root (typically ``/lib/firmware/`` 126or ``/lib/firmware/updates/``) and checks that it contains a valid DDP package 127file. 128 129NOTE: Your distribution should likely have provided the latest DDP file, but if 130ice.pkg is missing, you can find it in the linux-firmware repository or from 131intel.com. 132 133If the driver is unable to load the DDP package, the device will enter Safe 134Mode. Safe Mode disables advanced and performance features and supports only 135basic traffic and minimal functionality, such as updating the NVM or 136downloading a new driver or DDP package. Safe Mode only applies to the affected 137physical function and does not impact any other PFs. See the "Intel(R) Ethernet 138Adapters and Devices User Guide" for more details on DDP and Safe Mode. 139 140NOTES: 141 142- If you encounter issues with the DDP package file, you may need to download 143 an updated driver or DDP package file. See the log messages for more 144 information. 145 146- The ice.pkg file is a symbolic link to the default DDP package file. 147 148- You cannot update the DDP package if any PF drivers are already loaded. To 149 overwrite a package, unload all PFs and then reload the driver with the new 150 package. 151 152- Only the first loaded PF per device can download a package for that device. 153 154You can install specific DDP package files for different physical devices in 155the same system. To install a specific DDP package file: 156 1571. Download the DDP package file you want for your device. 158 1592. Rename the file ice-xxxxxxxxxxxxxxxx.pkg, where 'xxxxxxxxxxxxxxxx' is the 160 unique 64-bit PCI Express device serial number (in hex) of the device you 161 want the package downloaded on. The filename must include the complete 162 serial number (including leading zeros) and be all lowercase. For example, 163 if the 64-bit serial number is b887a3ffffca0568, then the file name would be 164 ice-b887a3ffffca0568.pkg. 165 166 To find the serial number from the PCI bus address, you can use the 167 following command:: 168 169 # lspci -vv -s af:00.0 | grep -i Serial 170 Capabilities: [150 v1] Device Serial Number b8-87-a3-ff-ff-ca-05-68 171 172 You can use the following command to format the serial number without the 173 dashes:: 174 175 # lspci -vv -s af:00.0 | grep -i Serial | awk '{print $7}' | sed s/-//g 176 b887a3ffffca0568 177 1783. Copy the renamed DDP package file to 179 ``/lib/firmware/updates/intel/ice/ddp/``. If the directory does not yet 180 exist, create it before copying the file. 181 1824. Unload all of the PFs on the device. 183 1845. Reload the driver with the new package. 185 186NOTE: The presence of a device-specific DDP package file overrides the loading 187of the default DDP package file (ice.pkg). 188 189 190Intel(R) Ethernet Flow Director 191------------------------------- 192The Intel Ethernet Flow Director performs the following tasks: 193 194- Directs receive packets according to their flows to different queues 195- Enables tight control on routing a flow in the platform 196- Matches flows and CPU cores for flow affinity 197 198NOTE: This driver supports the following flow types: 199 200- IPv4 201- TCPv4 202- UDPv4 203- SCTPv4 204- IPv6 205- TCPv6 206- UDPv6 207- SCTPv6 208 209Each flow type supports valid combinations of IP addresses (source or 210destination) and UDP/TCP/SCTP ports (source and destination). You can supply 211only a source IP address, a source IP address and a destination port, or any 212combination of one or more of these four parameters. 213 214NOTE: This driver allows you to filter traffic based on a user-defined flexible 215two-byte pattern and offset by using the ethtool user-def and mask fields. Only 216L3 and L4 flow types are supported for user-defined flexible filters. For a 217given flow type, you must clear all Intel Ethernet Flow Director filters before 218changing the input set (for that flow type). 219 220 221Flow Director Filters 222--------------------- 223Flow Director filters are used to direct traffic that matches specified 224characteristics. They are enabled through ethtool's ntuple interface. To enable 225or disable the Intel Ethernet Flow Director and these filters:: 226 227 # ethtool -K <ethX> ntuple <off|on> 228 229NOTE: When you disable ntuple filters, all the user programmed filters are 230flushed from the driver cache and hardware. All needed filters must be re-added 231when ntuple is re-enabled. 232 233To display all of the active filters:: 234 235 # ethtool -u <ethX> 236 237To add a new filter:: 238 239 # ethtool -U <ethX> flow-type <type> src-ip <ip> [m <ip_mask>] dst-ip <ip> 240 [m <ip_mask>] src-port <port> [m <port_mask>] dst-port <port> [m <port_mask>] 241 action <queue> 242 243 Where: 244 <ethX> - the Ethernet device to program 245 <type> - can be ip4, tcp4, udp4, sctp4, ip6, tcp6, udp6, sctp6 246 <ip> - the IP address to match on 247 <ip_mask> - the IPv4 address to mask on 248 NOTE: These filters use inverted masks. 249 <port> - the port number to match on 250 <port_mask> - the 16-bit integer for masking 251 NOTE: These filters use inverted masks. 252 <queue> - the queue to direct traffic toward (-1 discards the 253 matched traffic) 254 255To delete a filter:: 256 257 # ethtool -U <ethX> delete <N> 258 259 Where <N> is the filter ID displayed when printing all the active filters, 260 and may also have been specified using "loc <N>" when adding the filter. 261 262EXAMPLES: 263 264To add a filter that directs packet to queue 2:: 265 266 # ethtool -U <ethX> flow-type tcp4 src-ip 192.168.10.1 dst-ip \ 267 192.168.10.2 src-port 2000 dst-port 2001 action 2 [loc 1] 268 269To set a filter using only the source and destination IP address:: 270 271 # ethtool -U <ethX> flow-type tcp4 src-ip 192.168.10.1 dst-ip \ 272 192.168.10.2 action 2 [loc 1] 273 274To set a filter based on a user-defined pattern and offset:: 275 276 # ethtool -U <ethX> flow-type tcp4 src-ip 192.168.10.1 dst-ip \ 277 192.168.10.2 user-def 0x4FFFF action 2 [loc 1] 278 279 where the value of the user-def field contains the offset (4 bytes) and 280 the pattern (0xffff). 281 282To match TCP traffic sent from 192.168.0.1, port 5300, directed to 192.168.0.5, 283port 80, and then send it to queue 7:: 284 285 # ethtool -U enp130s0 flow-type tcp4 src-ip 192.168.0.1 dst-ip 192.168.0.5 286 src-port 5300 dst-port 80 action 7 287 288To add a TCPv4 filter with a partial mask for a source IP subnet:: 289 290 # ethtool -U <ethX> flow-type tcp4 src-ip 192.168.0.0 m 0.255.255.255 dst-ip 291 192.168.5.12 src-port 12600 dst-port 31 action 12 292 293NOTES: 294 295For each flow-type, the programmed filters must all have the same matching 296input set. For example, issuing the following two commands is acceptable:: 297 298 # ethtool -U enp130s0 flow-type ip4 src-ip 192.168.0.1 src-port 5300 action 7 299 # ethtool -U enp130s0 flow-type ip4 src-ip 192.168.0.5 src-port 55 action 10 300 301Issuing the next two commands, however, is not acceptable, since the first 302specifies src-ip and the second specifies dst-ip:: 303 304 # ethtool -U enp130s0 flow-type ip4 src-ip 192.168.0.1 src-port 5300 action 7 305 # ethtool -U enp130s0 flow-type ip4 dst-ip 192.168.0.5 src-port 55 action 10 306 307The second command will fail with an error. You may program multiple filters 308with the same fields, using different values, but, on one device, you may not 309program two tcp4 filters with different matching fields. 310 311The ice driver does not support matching on a subportion of a field, thus 312partial mask fields are not supported. 313 314 315Flex Byte Flow Director Filters 316------------------------------- 317The driver also supports matching user-defined data within the packet payload. 318This flexible data is specified using the "user-def" field of the ethtool 319command in the following way: 320 321.. table:: 322 323 ============================== ============================ 324 ``31 28 24 20 16`` ``15 12 8 4 0`` 325 ``offset into packet payload`` ``2 bytes of flexible data`` 326 ============================== ============================ 327 328For example, 329 330:: 331 332 ... user-def 0x4FFFF ... 333 334tells the filter to look 4 bytes into the payload and match that value against 3350xFFFF. The offset is based on the beginning of the payload, and not the 336beginning of the packet. Thus 337 338:: 339 340 flow-type tcp4 ... user-def 0x8BEAF ... 341 342would match TCP/IPv4 packets which have the value 0xBEAF 8 bytes into the 343TCP/IPv4 payload. 344 345Note that ICMP headers are parsed as 4 bytes of header and 4 bytes of payload. 346Thus to match the first byte of the payload, you must actually add 4 bytes to 347the offset. Also note that ip4 filters match both ICMP frames as well as raw 348(unknown) ip4 frames, where the payload will be the L3 payload of the IP4 349frame. 350 351The maximum offset is 64. The hardware will only read up to 64 bytes of data 352from the payload. The offset must be even because the flexible data is 2 bytes 353long and must be aligned to byte 0 of the packet payload. 354 355The user-defined flexible offset is also considered part of the input set and 356cannot be programmed separately for multiple filters of the same type. However, 357the flexible data is not part of the input set and multiple filters may use the 358same offset but match against different data. 359 360 361RSS Hash Flow 362------------- 363Allows you to set the hash bytes per flow type and any combination of one or 364more options for Receive Side Scaling (RSS) hash byte configuration. 365 366:: 367 368 # ethtool -N <ethX> rx-flow-hash <type> <option> 369 370 Where <type> is: 371 tcp4 signifying TCP over IPv4 372 udp4 signifying UDP over IPv4 373 tcp6 signifying TCP over IPv6 374 udp6 signifying UDP over IPv6 375 And <option> is one or more of: 376 s Hash on the IP source address of the Rx packet. 377 d Hash on the IP destination address of the Rx packet. 378 f Hash on bytes 0 and 1 of the Layer 4 header of the Rx packet. 379 n Hash on bytes 2 and 3 of the Layer 4 header of the Rx packet. 380 381 382Accelerated Receive Flow Steering (aRFS) 383---------------------------------------- 384Devices based on the Intel(R) Ethernet Controller 800 Series support 385Accelerated Receive Flow Steering (aRFS) on the PF. aRFS is a load-balancing 386mechanism that allows you to direct packets to the same CPU where an 387application is running or consuming the packets in that flow. 388 389NOTES: 390 391- aRFS requires that ntuple filtering is enabled via ethtool. 392- aRFS support is limited to the following packet types: 393 394 - TCP over IPv4 and IPv6 395 - UDP over IPv4 and IPv6 396 - Nonfragmented packets 397 398- aRFS only supports Flow Director filters, which consist of the 399 source/destination IP addresses and source/destination ports. 400- aRFS and ethtool's ntuple interface both use the device's Flow Director. aRFS 401 and ntuple features can coexist, but you may encounter unexpected results if 402 there's a conflict between aRFS and ntuple requests. See "Intel(R) Ethernet 403 Flow Director" for additional information. 404 405To set up aRFS: 406 4071. Enable the Intel Ethernet Flow Director and ntuple filters using ethtool. 408 409:: 410 411 # ethtool -K <ethX> ntuple on 412 4132. Set up the number of entries in the global flow table. For example: 414 415:: 416 417 # NUM_RPS_ENTRIES=16384 418 # echo $NUM_RPS_ENTRIES > /proc/sys/net/core/rps_sock_flow_entries 419 4203. Set up the number of entries in the per-queue flow table. For example: 421 422:: 423 424 # NUM_RX_QUEUES=64 425 # for file in /sys/class/net/$IFACE/queues/rx-*/rps_flow_cnt; do 426 # echo $(($NUM_RPS_ENTRIES/$NUM_RX_QUEUES)) > $file; 427 # done 428 4294. Disable the IRQ balance daemon (this is only a temporary stop of the service 430 until the next reboot). 431 432:: 433 434 # systemctl stop irqbalance 435 4365. Configure the interrupt affinity. 437 438 See ``/Documentation/core-api/irq/irq-affinity.rst`` 439 440 441To disable aRFS using ethtool:: 442 443 # ethtool -K <ethX> ntuple off 444 445NOTE: This command will disable ntuple filters and clear any aRFS filters in 446software and hardware. 447 448Example Use Case: 449 4501. Set the server application on the desired CPU (e.g., CPU 4). 451 452:: 453 454 # taskset -c 4 netserver 455 4562. Use netperf to route traffic from the client to CPU 4 on the server with 457 aRFS configured. This example uses TCP over IPv4. 458 459:: 460 461 # netperf -H <Host IPv4 Address> -t TCP_STREAM 462 463 464Enabling Virtual Functions (VFs) 465-------------------------------- 466Use sysfs to enable virtual functions (VF). 467 468For example, you can create 4 VFs as follows:: 469 470 # echo 4 > /sys/class/net/<ethX>/device/sriov_numvfs 471 472To disable VFs, write 0 to the same file:: 473 474 # echo 0 > /sys/class/net/<ethX>/device/sriov_numvfs 475 476The maximum number of VFs for the ice driver is 256 total (all ports). To check 477how many VFs each PF supports, use the following command:: 478 479 # cat /sys/class/net/<ethX>/device/sriov_totalvfs 480 481Note: You cannot use SR-IOV when link aggregation (LAG)/bonding is active, and 482vice versa. To enforce this, the driver checks for this mutual exclusion. 483 484 485Displaying VF Statistics on the PF 486---------------------------------- 487Use the following command to display the statistics for the PF and its VFs:: 488 489 # ip -s link show dev <ethX> 490 491NOTE: The output of this command can be very large due to the maximum number of 492possible VFs. 493 494The PF driver will display a subset of the statistics for the PF and for all 495VFs that are configured. The PF will always print a statistics block for each 496of the possible VFs, and it will show zero for all unconfigured VFs. 497 498 499Configuring VLAN Tagging on SR-IOV Enabled Adapter Ports 500-------------------------------------------------------- 501To configure VLAN tagging for the ports on an SR-IOV enabled adapter, use the 502following command. The VLAN configuration should be done before the VF driver 503is loaded or the VM is booted. The VF is not aware of the VLAN tag being 504inserted on transmit and removed on received frames (sometimes called "port 505VLAN" mode). 506 507:: 508 509 # ip link set dev <ethX> vf <id> vlan <vlan id> 510 511For example, the following will configure PF eth0 and the first VF on VLAN 10:: 512 513 # ip link set dev eth0 vf 0 vlan 10 514 515 516Enabling a VF link if the port is disconnected 517---------------------------------------------- 518If the physical function (PF) link is down, you can force link up (from the 519host PF) on any virtual functions (VF) bound to the PF. 520 521For example, to force link up on VF 0 bound to PF eth0:: 522 523 # ip link set eth0 vf 0 state enable 524 525Note: If the command does not work, it may not be supported by your system. 526 527 528Setting the MAC Address for a VF 529-------------------------------- 530To change the MAC address for the specified VF:: 531 532 # ip link set <ethX> vf 0 mac <address> 533 534For example:: 535 536 # ip link set <ethX> vf 0 mac 00:01:02:03:04:05 537 538This setting lasts until the PF is reloaded. 539 540NOTE: Assigning a MAC address for a VF from the host will disable any 541subsequent requests to change the MAC address from within the VM. This is a 542security feature. The VM is not aware of this restriction, so if this is 543attempted in the VM, it will trigger MDD events. 544 545 546Trusted VFs and VF Promiscuous Mode 547----------------------------------- 548This feature allows you to designate a particular VF as trusted and allows that 549trusted VF to request selective promiscuous mode on the Physical Function (PF). 550 551To set a VF as trusted or untrusted, enter the following command in the 552Hypervisor:: 553 554 # ip link set dev <ethX> vf 1 trust [on|off] 555 556NOTE: It's important to set the VF to trusted before setting promiscuous mode. 557If the VM is not trusted, the PF will ignore promiscuous mode requests from the 558VF. If the VM becomes trusted after the VF driver is loaded, you must make a 559new request to set the VF to promiscuous. 560 561Once the VF is designated as trusted, use the following commands in the VM to 562set the VF to promiscuous mode. 563 564For promiscuous all:: 565 566 # ip link set <ethX> promisc on 567 Where <ethX> is a VF interface in the VM 568 569For promiscuous Multicast:: 570 571 # ip link set <ethX> allmulticast on 572 Where <ethX> is a VF interface in the VM 573 574NOTE: By default, the ethtool private flag vf-true-promisc-support is set to 575"off," meaning that promiscuous mode for the VF will be limited. To set the 576promiscuous mode for the VF to true promiscuous and allow the VF to see all 577ingress traffic, use the following command:: 578 579 # ethtool --set-priv-flags <ethX> vf-true-promisc-support on 580 581The vf-true-promisc-support private flag does not enable promiscuous mode; 582rather, it designates which type of promiscuous mode (limited or true) you will 583get when you enable promiscuous mode using the ip link commands above. Note 584that this is a global setting that affects the entire device. However, the 585vf-true-promisc-support private flag is only exposed to the first PF of the 586device. The PF remains in limited promiscuous mode regardless of the 587vf-true-promisc-support setting. 588 589Next, add a VLAN interface on the VF interface. For example:: 590 591 # ip link add link eth2 name eth2.100 type vlan id 100 592 593Note that the order in which you set the VF to promiscuous mode and add the 594VLAN interface does not matter (you can do either first). The result in this 595example is that the VF will get all traffic that is tagged with VLAN 100. 596 597 598Malicious Driver Detection (MDD) for VFs 599---------------------------------------- 600Some Intel Ethernet devices use Malicious Driver Detection (MDD) to detect 601malicious traffic from the VF and disable Tx/Rx queues or drop the offending 602packet until a VF driver reset occurs. You can view MDD messages in the PF's 603system log using the dmesg command. 604 605- If the PF driver logs MDD events from the VF, confirm that the correct VF 606 driver is installed. 607- To restore functionality, you can manually reload the VF or VM or enable 608 automatic VF resets. 609- When automatic VF resets are enabled, the PF driver will immediately reset 610 the VF and reenable queues when it detects MDD events on the receive path. 611- If automatic VF resets are disabled, the PF will not automatically reset the 612 VF when it detects MDD events. 613 614To enable or disable automatic VF resets, use the following command:: 615 616 # ethtool --set-priv-flags <ethX> mdd-auto-reset-vf on|off 617 618 619MAC and VLAN Anti-Spoofing Feature for VFs 620------------------------------------------ 621When a malicious driver on a Virtual Function (VF) interface attempts to send a 622spoofed packet, it is dropped by the hardware and not transmitted. 623 624NOTE: This feature can be disabled for a specific VF:: 625 626 # ip link set <ethX> vf <vf id> spoofchk {off|on} 627 628 629Jumbo Frames 630------------ 631Jumbo Frames support is enabled by changing the Maximum Transmission Unit (MTU) 632to a value larger than the default value of 1500. 633 634Use the ifconfig command to increase the MTU size. For example, enter the 635following where <ethX> is the interface number:: 636 637 # ifconfig <ethX> mtu 9000 up 638 639Alternatively, you can use the ip command as follows:: 640 641 # ip link set mtu 9000 dev <ethX> 642 # ip link set up dev <ethX> 643 644This setting is not saved across reboots. 645 646 647NOTE: The maximum MTU setting for jumbo frames is 9702. This corresponds to the 648maximum jumbo frame size of 9728 bytes. 649 650NOTE: This driver will attempt to use multiple page sized buffers to receive 651each jumbo packet. This should help to avoid buffer starvation issues when 652allocating receive packets. 653 654NOTE: Packet loss may have a greater impact on throughput when you use jumbo 655frames. If you observe a drop in performance after enabling jumbo frames, 656enabling flow control may mitigate the issue. 657 658 659Speed and Duplex Configuration 660------------------------------ 661In addressing speed and duplex configuration issues, you need to distinguish 662between copper-based adapters and fiber-based adapters. 663 664In the default mode, an Intel(R) Ethernet Network Adapter using copper 665connections will attempt to auto-negotiate with its link partner to determine 666the best setting. If the adapter cannot establish link with the link partner 667using auto-negotiation, you may need to manually configure the adapter and link 668partner to identical settings to establish link and pass packets. This should 669only be needed when attempting to link with an older switch that does not 670support auto-negotiation or one that has been forced to a specific speed or 671duplex mode. Your link partner must match the setting you choose. 1 Gbps speeds 672and higher cannot be forced. Use the autonegotiation advertising setting to 673manually set devices for 1 Gbps and higher. 674 675Speed, duplex, and autonegotiation advertising are configured through the 676ethtool utility. For the latest version, download and install ethtool from the 677following website: 678 679 https://kernel.org/pub/software/network/ethtool/ 680 681To see the speed configurations your device supports, run the following:: 682 683 # ethtool <ethX> 684 685Caution: Only experienced network administrators should force speed and duplex 686or change autonegotiation advertising manually. The settings at the switch must 687always match the adapter settings. Adapter performance may suffer or your 688adapter may not operate if you configure the adapter differently from your 689switch. 690 691 692Data Center Bridging (DCB) 693-------------------------- 694NOTE: The kernel assumes that TC0 is available, and will disable Priority Flow 695Control (PFC) on the device if TC0 is not available. To fix this, ensure TC0 is 696enabled when setting up DCB on your switch. 697 698DCB is a configuration Quality of Service implementation in hardware. It uses 699the VLAN priority tag (802.1p) to filter traffic. That means that there are 8 700different priorities that traffic can be filtered into. It also enables 701priority flow control (802.1Qbb) which can limit or eliminate the number of 702dropped packets during network stress. Bandwidth can be allocated to each of 703these priorities, which is enforced at the hardware level (802.1Qaz). 704 705DCB is normally configured on the network using the DCBX protocol (802.1Qaz), a 706specialization of LLDP (802.1AB). The ice driver supports the following 707mutually exclusive variants of DCBX support: 708 7091) Firmware-based LLDP Agent 7102) Software-based LLDP Agent 711 712In firmware-based mode, firmware intercepts all LLDP traffic and handles DCBX 713negotiation transparently for the user. In this mode, the adapter operates in 714"willing" DCBX mode, receiving DCB settings from the link partner (typically a 715switch). The local user can only query the negotiated DCB configuration. For 716information on configuring DCBX parameters on a switch, please consult the 717switch manufacturer's documentation. 718 719In software-based mode, LLDP traffic is forwarded to the network stack and user 720space, where a software agent can handle it. In this mode, the adapter can 721operate in either "willing" or "nonwilling" DCBX mode and DCB configuration can 722be both queried and set locally. This mode requires the FW-based LLDP Agent to 723be disabled. 724 725NOTE: 726 727- You can enable and disable the firmware-based LLDP Agent using an ethtool 728 private flag. Refer to the "FW-LLDP (Firmware Link Layer Discovery Protocol)" 729 section in this README for more information. 730- In software-based DCBX mode, you can configure DCB parameters using software 731 LLDP/DCBX agents that interface with the Linux kernel's DCB Netlink API. We 732 recommend using OpenLLDP as the DCBX agent when running in software mode. For 733 more information, see the OpenLLDP man pages and 734 https://github.com/intel/openlldp. 735- The driver implements the DCB netlink interface layer to allow the user space 736 to communicate with the driver and query DCB configuration for the port. 737- iSCSI with DCB is not supported. 738 739 740FW-LLDP (Firmware Link Layer Discovery Protocol) 741------------------------------------------------ 742Use ethtool to change FW-LLDP settings. The FW-LLDP setting is per port and 743persists across boots. 744 745To enable LLDP:: 746 747 # ethtool --set-priv-flags <ethX> fw-lldp-agent on 748 749To disable LLDP:: 750 751 # ethtool --set-priv-flags <ethX> fw-lldp-agent off 752 753To check the current LLDP setting:: 754 755 # ethtool --show-priv-flags <ethX> 756 757NOTE: You must enable the UEFI HII "LLDP Agent" attribute for this setting to 758take effect. If "LLDP AGENT" is set to disabled, you cannot enable it from the 759OS. 760 761 762Flow Control 763------------ 764Ethernet Flow Control (IEEE 802.3x) can be configured with ethtool to enable 765receiving and transmitting pause frames for ice. When transmit is enabled, 766pause frames are generated when the receive packet buffer crosses a predefined 767threshold. When receive is enabled, the transmit unit will halt for the time 768delay specified when a pause frame is received. 769 770NOTE: You must have a flow control capable link partner. 771 772Flow Control is disabled by default. 773 774Use ethtool to change the flow control settings. 775 776To enable or disable Rx or Tx Flow Control:: 777 778 # ethtool -A <ethX> rx <on|off> tx <on|off> 779 780Note: This command only enables or disables Flow Control if auto-negotiation is 781disabled. If auto-negotiation is enabled, this command changes the parameters 782used for auto-negotiation with the link partner. 783 784Note: Flow Control auto-negotiation is part of link auto-negotiation. Depending 785on your device, you may not be able to change the auto-negotiation setting. 786 787NOTE: 788 789- The ice driver requires flow control on both the port and link partner. If 790 flow control is disabled on one of the sides, the port may appear to hang on 791 heavy traffic. 792- You may encounter issues with link-level flow control (LFC) after disabling 793 DCB. The LFC status may show as enabled but traffic is not paused. To resolve 794 this issue, disable and reenable LFC using ethtool:: 795 796 # ethtool -A <ethX> rx off tx off 797 # ethtool -A <ethX> rx on tx on 798 799 800NAPI 801---- 802 803This driver supports NAPI (Rx polling mode). 804 805See :ref:`Documentation/networking/napi.rst <napi>` for more information. 806 807MACVLAN 808------- 809This driver supports MACVLAN. Kernel support for MACVLAN can be tested by 810checking if the MACVLAN driver is loaded. You can run 'lsmod | grep macvlan' to 811see if the MACVLAN driver is loaded or run 'modprobe macvlan' to try to load 812the MACVLAN driver. 813 814NOTE: 815 816- In passthru mode, you can only set up one MACVLAN device. It will inherit the 817 MAC address of the underlying PF (Physical Function) device. 818 819 820IEEE 802.1ad (QinQ) Support 821--------------------------- 822The IEEE 802.1ad standard, informally known as QinQ, allows for multiple VLAN 823IDs within a single Ethernet frame. VLAN IDs are sometimes referred to as 824"tags," and multiple VLAN IDs are thus referred to as a "tag stack." Tag stacks 825allow L2 tunneling and the ability to segregate traffic within a particular 826VLAN ID, among other uses. 827 828NOTES: 829 830- Receive checksum offloads and VLAN acceleration are not supported for 802.1ad 831 (QinQ) packets. 832 833- 0x88A8 traffic will not be received unless VLAN stripping is disabled with 834 the following command:: 835 836 # ethtool -K <ethX> rxvlan off 837 838- 0x88A8/0x8100 double VLANs cannot be used with 0x8100 or 0x8100/0x8100 VLANS 839 configured on the same port. 0x88a8/0x8100 traffic will not be received if 840 0x8100 VLANs are configured. 841 842- The VF can only transmit 0x88A8/0x8100 (i.e., 802.1ad/802.1Q) traffic if: 843 844 1) The VF is not assigned a port VLAN. 845 2) spoofchk is disabled from the PF. If you enable spoofchk, the VF will 846 not transmit 0x88A8/0x8100 traffic. 847 848- The VF may not receive all network traffic based on the Inner VLAN header 849 when VF true promiscuous mode (vf-true-promisc-support) and double VLANs are 850 enabled in SR-IOV mode. 851 852The following are examples of how to configure 802.1ad (QinQ):: 853 854 # ip link add link eth0 eth0.24 type vlan proto 802.1ad id 24 855 # ip link add link eth0.24 eth0.24.371 type vlan proto 802.1Q id 371 856 857 Where "24" and "371" are example VLAN IDs. 858 859 860Tunnel/Overlay Stateless Offloads 861--------------------------------- 862Supported tunnels and overlays include VXLAN, GENEVE, and others depending on 863hardware and software configuration. Stateless offloads are enabled by default. 864 865To view the current state of all offloads:: 866 867 # ethtool -k <ethX> 868 869 870UDP Segmentation Offload 871------------------------ 872Allows the adapter to offload transmit segmentation of UDP packets with 873payloads up to 64K into valid Ethernet frames. Because the adapter hardware is 874able to complete data segmentation much faster than operating system software, 875this feature may improve transmission performance. 876In addition, the adapter may use fewer CPU resources. 877 878NOTE: 879 880- The application sending UDP packets must support UDP segmentation offload. 881 882To enable/disable UDP Segmentation Offload, issue the following command:: 883 884 # ethtool -K <ethX> tx-udp-segmentation [off|on] 885 886 887GNSS module 888----------- 889Requires kernel compiled with CONFIG_GNSS=y or CONFIG_GNSS=m. 890Allows user to read messages from the GNSS hardware module and write supported 891commands. If the module is physically present, a GNSS device is spawned: 892``/dev/gnss<id>``. 893The protocol of write command is dependent on the GNSS hardware module as the 894driver writes raw bytes by the GNSS object to the receiver through i2c. Please 895refer to the hardware GNSS module documentation for configuration details. 896 897 898Firmware (FW) logging 899--------------------- 900The driver supports FW logging via the debugfs interface on PF 0 only. The FW 901running on the NIC must support FW logging; if the FW doesn't support FW logging 902the 'fwlog' file will not get created in the ice debugfs directory. 903 904Module configuration 905~~~~~~~~~~~~~~~~~~~~ 906Firmware logging is configured on a per module basis. Each module can be set to 907a value independent of the other modules (unless the module 'all' is specified). 908The modules will be instantiated under the 'fwlog/modules' directory. 909 910The user can set the log level for a module by writing to the module file like 911this:: 912 913 # echo <log_level> > /sys/kernel/debug/ice/0000\:18\:00.0/fwlog/modules/<module> 914 915where 916 917* log_level is a name as described below. Each level includes the 918 messages from the previous/lower level 919 920 * none 921 * error 922 * warning 923 * normal 924 * verbose 925 926* module is a name that represents the module to receive events for. The 927 module names are 928 929 * general 930 * ctrl 931 * link 932 * link_topo 933 * dnl 934 * i2c 935 * sdp 936 * mdio 937 * adminq 938 * hdma 939 * lldp 940 * dcbx 941 * dcb 942 * xlr 943 * nvm 944 * auth 945 * vpd 946 * iosf 947 * parser 948 * sw 949 * scheduler 950 * txq 951 * rsvd 952 * post 953 * watchdog 954 * task_dispatch 955 * mng 956 * synce 957 * health 958 * tsdrv 959 * pfreg 960 * mdlver 961 * all 962 963The name 'all' is special and allows the user to set all of the modules to the 964specified log_level or to read the log_level of all of the modules. 965 966Example usage to configure the modules 967^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 968 969To set a single module to 'verbose':: 970 971 # echo verbose > /sys/kernel/debug/ice/0000\:18\:00.0/fwlog/modules/link 972 973To set multiple modules then issue the command multiple times:: 974 975 # echo verbose > /sys/kernel/debug/ice/0000\:18\:00.0/fwlog/modules/link 976 # echo warning > /sys/kernel/debug/ice/0000\:18\:00.0/fwlog/modules/ctrl 977 # echo none > /sys/kernel/debug/ice/0000\:18\:00.0/fwlog/modules/dcb 978 979To set all the modules to the same value:: 980 981 # echo normal > /sys/kernel/debug/ice/0000\:18\:00.0/fwlog/modules/all 982 983To read the log_level of a specific module (e.g. module 'general'):: 984 985 # cat /sys/kernel/debug/ice/0000\:18\:00.0/fwlog/modules/general 986 987To read the log_level of all the modules:: 988 989 # cat /sys/kernel/debug/ice/0000\:18\:00.0/fwlog/modules/all 990 991Enabling FW log 992~~~~~~~~~~~~~~~ 993Configuring the modules indicates to the FW that the configured modules should 994generate events that the driver is interested in, but it **does not** send the 995events to the driver until the enable message is sent to the FW. To do this 996the user can write a 1 (enable) or 0 (disable) to 'fwlog/enable'. An example 997is:: 998 999 # echo 1 > /sys/kernel/debug/ice/0000\:18\:00.0/fwlog/enable 1000 1001Retrieving FW log data 1002~~~~~~~~~~~~~~~~~~~~~~ 1003The FW log data can be retrieved by reading from 'fwlog/data'. The user can 1004write any value to 'fwlog/data' to clear the data. The data can only be cleared 1005when FW logging is disabled. The FW log data is a binary file that is sent to 1006Intel and used to help debug user issues. 1007 1008An example to read the data is:: 1009 1010 # cat /sys/kernel/debug/ice/0000\:18\:00.0/fwlog/data > fwlog.bin 1011 1012An example to clear the data is:: 1013 1014 # echo 0 > /sys/kernel/debug/ice/0000\:18\:00.0/fwlog/data 1015 1016Changing how often the log events are sent to the driver 1017~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1018The driver receives FW log data from the Admin Receive Queue (ARQ). The 1019frequency that the FW sends the ARQ events can be configured by writing to 1020'fwlog/nr_messages'. The range is 1-128 (1 means push every log message, 128 1021means push only when the max AQ command buffer is full). The suggested value is 102210. The user can see what the value is configured to by reading 1023'fwlog/nr_messages'. An example to set the value is:: 1024 1025 # echo 50 > /sys/kernel/debug/ice/0000\:18\:00.0/fwlog/nr_messages 1026 1027Configuring the amount of memory used to store FW log data 1028~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1029The driver stores FW log data within the driver. The default size of the memory 1030used to store the data is 1MB. Some use cases may require more or less data so 1031the user can change the amount of memory that is allocated for FW log data. 1032To change the amount of memory then write to 'fwlog/log_size'. The value must be 1033one of: 128K, 256K, 512K, 1M, or 2M. FW logging must be disabled to change the 1034value. An example of changing the value is:: 1035 1036 # echo 128K > /sys/kernel/debug/ice/0000\:18\:00.0/fwlog/log_size 1037 1038 1039Performance Optimization 1040======================== 1041Driver defaults are meant to fit a wide variety of workloads, but if further 1042optimization is required, we recommend experimenting with the following 1043settings. 1044 1045 1046Rx Descriptor Ring Size 1047----------------------- 1048To reduce the number of Rx packet discards, increase the number of Rx 1049descriptors for each Rx ring using ethtool. 1050 1051 Check if the interface is dropping Rx packets due to buffers being full 1052 (rx_dropped.nic can mean that there is no PCIe bandwidth):: 1053 1054 # ethtool -S <ethX> | grep "rx_dropped" 1055 1056 If the previous command shows drops on queues, it may help to increase 1057 the number of descriptors using 'ethtool -G':: 1058 1059 # ethtool -G <ethX> rx <N> 1060 Where <N> is the desired number of ring entries/descriptors 1061 1062 This can provide temporary buffering for issues that create latency while 1063 the CPUs process descriptors. 1064 1065 1066Interrupt Rate Limiting 1067----------------------- 1068This driver supports an adaptive interrupt throttle rate (ITR) mechanism that 1069is tuned for general workloads. The user can customize the interrupt rate 1070control for specific workloads, via ethtool, adjusting the number of 1071microseconds between interrupts. 1072 1073To set the interrupt rate manually, you must disable adaptive mode:: 1074 1075 # ethtool -C <ethX> adaptive-rx off adaptive-tx off 1076 1077For lower CPU utilization: 1078 1079 Disable adaptive ITR and lower Rx and Tx interrupts. The examples below 1080 affect every queue of the specified interface. 1081 1082 Setting rx-usecs and tx-usecs to 80 will limit interrupts to about 1083 12,500 interrupts per second per queue:: 1084 1085 # ethtool -C <ethX> adaptive-rx off adaptive-tx off rx-usecs 80 tx-usecs 80 1086 1087For reduced latency: 1088 1089 Disable adaptive ITR and ITR by setting rx-usecs and tx-usecs to 0 1090 using ethtool:: 1091 1092 # ethtool -C <ethX> adaptive-rx off adaptive-tx off rx-usecs 0 tx-usecs 0 1093 1094Per-queue interrupt rate settings: 1095 1096 The following examples are for queues 1 and 3, but you can adjust other 1097 queues. 1098 1099 To disable Rx adaptive ITR and set static Rx ITR to 10 microseconds or 1100 about 100,000 interrupts/second, for queues 1 and 3:: 1101 1102 # ethtool --per-queue <ethX> queue_mask 0xa --coalesce adaptive-rx off 1103 rx-usecs 10 1104 1105 To show the current coalesce settings for queues 1 and 3:: 1106 1107 # ethtool --per-queue <ethX> queue_mask 0xa --show-coalesce 1108 1109Bounding interrupt rates using rx-usecs-high: 1110 1111 :Valid Range: 0-236 (0=no limit) 1112 1113 The range of 0-236 microseconds provides an effective range of 4,237 to 1114 250,000 interrupts per second. The value of rx-usecs-high can be set 1115 independently of rx-usecs and tx-usecs in the same ethtool command, and is 1116 also independent of the adaptive interrupt moderation algorithm. The 1117 underlying hardware supports granularity in 4-microsecond intervals, so 1118 adjacent values may result in the same interrupt rate. 1119 1120 The following command would disable adaptive interrupt moderation, and allow 1121 a maximum of 5 microseconds before indicating a receive or transmit was 1122 complete. However, instead of resulting in as many as 200,000 interrupts per 1123 second, it limits total interrupts per second to 50,000 via the rx-usecs-high 1124 parameter. 1125 1126 :: 1127 1128 # ethtool -C <ethX> adaptive-rx off adaptive-tx off rx-usecs-high 20 1129 rx-usecs 5 tx-usecs 5 1130 1131 1132Virtualized Environments 1133------------------------ 1134In addition to the other suggestions in this section, the following may be 1135helpful to optimize performance in VMs. 1136 1137 Using the appropriate mechanism (vcpupin) in the VM, pin the CPUs to 1138 individual LCPUs, making sure to use a set of CPUs included in the 1139 device's local_cpulist: ``/sys/class/net/<ethX>/device/local_cpulist``. 1140 1141 Configure as many Rx/Tx queues in the VM as available. (See the iavf driver 1142 documentation for the number of queues supported.) For example:: 1143 1144 # ethtool -L <virt_interface> rx <max> tx <max> 1145 1146 1147Support 1148======= 1149For general information, go to the Intel support website at: 1150https://www.intel.com/support/ 1151 1152If an issue is identified with the released source code on a supported kernel 1153with a supported adapter, email the specific information related to the issue 1154to intel-wired-lan@lists.osuosl.org. 1155 1156 1157Trademarks 1158========== 1159Intel is a trademark or registered trademark of Intel Corporation or its 1160subsidiaries in the United States and/or other countries. 1161 1162* Other names and brands may be claimed as the property of others. 1163