FreeBSD VF drivers?

ohmantics · ‎07-31-2025

If I'm not mistaken, the drivers in the FreeBSD tree do not have VF support for c3xxx or c62x, just the PF versions. (All of them are available in the Linux tree.)

I'd like to have passed a few VFs into a pfSense guest and kept some for ZFS on the host and possibly other guest applications (DoH, DNSSEC, TLS for SMTP/IMAP, TLS for HTTP proxy).

Are these missing drivers forthcoming?

DiegoV_Intel · ‎07-31-2025

Hi,

Developing efforts in FreeBSD for Intel QAT have been focused on the out-of-tree driver. The latest version is from couple of years ago though, so there is currently not active developing for FreeBSD.

The out-of-tree driver supports VFs. You can get it from Intel® QuickAssist Technology Driver for FreeBSD* - HW Version 1.X

Regards,

Diego V.

ohmantics · ‎07-31-2025

How does this driver compare with the version that's shipped in pfSense, as that's arguably the single most popular user of QAT on FreeBSD?

DiegoV_Intel · ‎08-07-2025

Hi,

I'm currently looking internally for a FreeBSD expert that can help answer this inquiry from a more detailed perspective. The main difference is the support for Virtual Functions, but let me confirm if there are other considerations to keep in mind between both versions.

Regards,

Diego V.

DiegoV_Intel · ‎08-08-2025

Hi,

Just confirmed that the difference between the drivers is indeed related to virtualization support (Virtual Functions support). The FreeBSD upstream QAT driver does not include support for VFs. VF support is available only through the out-of-tree driver.

Regards,

Diego V.

ohmantics · ‎08-08-2025

The in-tree driver has updated support for 4xxx VF. Is there any chance the c3xxx VF support will be merged?

If not, is there any issue with me or somebody else merging in the relevant code from the out-of-tree driver to the tree? It looks largely mechanical to do.

DiegoV_Intel · ‎08-11-2025

Hi,

Yes, the in-tree driver indeed supports VF for 4xxx. This however is a different driver specifically for the hardware 4xxx, so merging it with c3xxx is not possible.

On a side note, you can merge the relevant code from the out-of-tree driver to the in-tree on your own. This would be considered as a "non-supported" configuration though, so basically it would be up to you to make it work.

The reason why VF support was not added in first place to the in-tree driver for this hardware was due to security reasons that prevented to upstream the VF drivers. You can see more details here [PATCH v5 3/5] vfio/pci: Add QAT devices to denylist and in the QAT Release Notes for Linux (specific issues to look at are mentioned in the first link).

The out-of-tree driver includes VF support with couple of warnings noted in each release note (Linux and FreeBSD) that state the following:

The Intel ® QAT device should not be exposed (via Single-root Input/Output Virtualization (SR-IOV)) to untrusted guests.
The Intel ® QAT device should not be exposed (via the "user space direct" deployment model) to untrusted users.

So although upstreaming the driver is not a challenge by itself, the reason why it wasn't done was because there was not "approval" to upstream it. That's also why the out-of-tree driver is the recommended option for virtualization implementations.

If you choose to start this journey, you would need to be sure from a security standpoint your use case is not vulnerable to the untrusted user scenario described and apply the changes locally only.

Regards,
Diego V.

ohmantics · ‎08-11-2025

Many thanks for the details.

1. Why does the Linux in-tree QAT driver set include these VF drivers but FreeBSD doesn't? (It looks substantially easier to override that one function instead of integrating the entire c3xxxvf driver.)

2. pfSense is based on FreeBSD 15.0-CURRENT, which isn't formally released. They appear to fork and stabilize for their own release schedule instead of basing on RELEASE builds. Does the published out-of-tree driver release try to track CURRENT or will any user trying this find themselves doing a bunch of driver debugging?

3. All of these security issues are resolved with the 4xxx design (and presumably any later hardware as well)?

Alex

DiegoV_Intel · ‎08-12-2025

Hi,

The QAT Linux in-tree driver supports VFs due to the development done for 4xxx. This however is specifically for the hardware 4xxx. You can learn more about it in the following resources:

Regarding to the out-of-tree driver for FreeBSD, this one is supported only with FreeBSD v13.0 (as noted in the Intel® QuickAssist Technology Software for FreeBSD* - Release Notes). So I'd say yes, there will be a bunch of driver debugging.

Lastly, you are right about the security issues resolved with 4xxx design. I cannot confirm if this will be the case for later hardware since currently this is the only one available with in-tree support for VFs, but it makes sense to assume newer hardware will also have VFs support with in-tree (if an in-tree driver is ever available for such newer hardware).

Regards,

Diego V.

ohmantics · ‎08-15-2025

Thank you for the detailed answers. Needless to say I'm very disappointed.

This is the third piece of QAT hardware I've bought (DH8910, C627, C3908) with the expectation of using these features and not a single one has delivered on the promised features. Intel has also rapidly abandoned support for each which cannot be picked up by open source development because the important parts are undocumented and closed source. I guess I should lower my expectations for Intel products to work as advertised.

DiegoV_Intel · ‎08-18-2025

Hi,

I totally understand the disappointment, however the advertised features should be supported by the out-of-tree drivers.

For these hardware versions that you pointed out, the in-tree support is limited if we compare it with the out-of-tree drivers, therefore the general recommendation is to use the out-of-tree drivers as they include the latest features developed around QAT.

On the other hand, we should also consider the fact that these hardware versions have become quite old if we compare them to the newest QAT hardware options available (Intel Xeon Gen 4th Processors and newer). The Intel® QuickAssist Adapter 8960 and Intel® QuickAssist Adapter 8970 products (c62x) for instance, were launched 7 years ago. At that time, the development effort was focused on out-of-tree drivers (mainly for Linux as is the most demanded OS). But even the hardware was launched several years ago, the out-of-tree Linux driver is still updated from time to time (the most recent update was on April 2025).

The focus on the in-tree driver development was for 4xxx hardware, although the out-of-tree driver was also the one where most of the development was happening, but in this case, the in-tree driver has slowly been adding the features found in the out-of-tree driver version. As commented, this was specifically for the 4xxx hardware as this one is the newer QAT hardware and uses a different driver compared to the previous hardware versions.

Although this doesn't really address your desire of using FreeBSD with in-tree QAT driver in the hardware mentioned above, I hope it at least adds some more context around the driver development history and available options.

Regards,

Diego V.