From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 30D35A0532; Tue, 4 Feb 2020 12:19:00 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 3EF081C01B; Tue, 4 Feb 2020 12:18:39 +0100 (CET) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by dpdk.org (Postfix) with ESMTP id C7DD61BFAD for ; Tue, 4 Feb 2020 12:18:37 +0100 (CET) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 014BG0uD011421; Tue, 4 Feb 2020 03:18:37 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0818; bh=g5WVfdwHQQf91wea9NT9qr16X2zOZrmC3rBjKpIH/pM=; b=N92qrPgbo6EY2obWWb+YAojGbyTLBMOcAwBGVZMqorkODO+RAMa6LMruhRytfZ5zCUd0 MRYPlRe0GDp2keyKWBqzLvcBKTJzKOpxyXqSO70G0sv1nT4OhThLHsHkVQHP5eJRPJyW nvkCyeHzfWjv+sZSJo/D6IMFAyBEd8PVLUvL7IZiwAzHk9i2plM03XXuXpmBzdtCAPBQ U928GYZ4AGSjvG+kkA9rz5lIkL94mzqKOqTfN3CwrKeKpJE0yuQOF8GQ7xJ5ZK8Z1HtY hADdaK48CDVCEsdd8cfChE7PUFV9m0NjfDirIa4N7v8vm08EjFklpQSW5b+4QW56LN5P 2w== Received: from sc-exch03.marvell.com ([199.233.58.183]) by mx0b-0016f401.pphosted.com with ESMTP id 2xw9qukg1j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 04 Feb 2020 03:18:37 -0800 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by SC-EXCH03.marvell.com (10.93.176.83) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 4 Feb 2020 03:18:34 -0800 Received: from SC-EXCH01.marvell.com (10.93.176.81) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 4 Feb 2020 03:18:34 -0800 Received: from maili.marvell.com (10.93.176.43) by SC-EXCH01.marvell.com (10.93.176.81) with Microsoft SMTP Server id 15.0.1497.2 via Frontend Transport; Tue, 4 Feb 2020 03:18:33 -0800 Received: from ajoseph83.caveonetworks.com (unknown [10.29.45.60]) by maili.marvell.com (Postfix) with ESMTP id 76AEE3F7068; Tue, 4 Feb 2020 03:18:29 -0800 (PST) From: Anoob Joseph To: Akhil Goyal , Declan Doherty , Thomas Monjalon CC: Tejasree Kondoj , Jerin Jacob , Narayana Prasad , Kiran Kumar K , Nithin Dabilpuram , "Pavan Nikhilesh" , Ankur Dwivedi , Anoob Joseph , Archana Muniganti , Vamsi Attunuru , Lukasz Bartosik , Date: Tue, 4 Feb 2020 16:47:15 +0530 Message-ID: <1580815045-32132-6-git-send-email-anoobj@marvell.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1580815045-32132-1-git-send-email-anoobj@marvell.com> References: <1580465035-30455-1-git-send-email-anoobj@marvell.com> <1580815045-32132-1-git-send-email-anoobj@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.572 definitions=2020-02-04_02:2020-02-04, 2020-02-04 signatures=0 Subject: [dpdk-dev] [PATCH v4 05/15] net/octeontx2: add security in eth dev configure X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Tejasree Kondoj Adding security in eth device configure. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj Signed-off-by: Vamsi Attunuru --- doc/guides/nics/octeontx2.rst | 20 +++++ doc/guides/rel_notes/release_20_02.rst | 9 ++ drivers/crypto/octeontx2/otx2_ipsec_fp.h | 55 +++++++++++++ drivers/net/octeontx2/Makefile | 3 + drivers/net/octeontx2/meson.build | 5 +- drivers/net/octeontx2/otx2_ethdev.c | 17 +++- drivers/net/octeontx2/otx2_ethdev.h | 2 + drivers/net/octeontx2/otx2_ethdev_devargs.c | 19 +++++ drivers/net/octeontx2/otx2_ethdev_sec.c | 122 ++++++++++++++++++++++++++++ drivers/net/octeontx2/otx2_ethdev_sec.h | 4 + 10 files changed, 254 insertions(+), 2 deletions(-) create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h diff --git a/doc/guides/nics/octeontx2.rst b/doc/guides/nics/octeontx2.rst index db62a45..fd4e455 100644 --- a/doc/guides/nics/octeontx2.rst +++ b/doc/guides/nics/octeontx2.rst @@ -38,6 +38,7 @@ Features of the OCTEON TX2 Ethdev PMD are: - IEEE1588 timestamping - HW offloaded `ethdev Rx queue` to `eventdev event queue` packet injection - Support Rx interrupt +- Inline IPsec processing support Prerequisites ------------- @@ -178,6 +179,17 @@ Runtime Config Options traffic on this port should be higig2 traffic only. Supported switch header types are "higig2" and "dsa". +- ``Max SPI for inbound inline IPsec`` (default ``1``) + + Max SPI supported for inbound inline IPsec processing can be specified by + ``ipsec_in_max_spi`` ``devargs`` parameter. + + For example:: + -w 0002:02:00.0,ipsec_in_max_spi=128 + + With the above configuration, application can enable inline IPsec processing + on 128 SAs (SPI 0-127). + .. note:: Above devarg parameters are configurable per device, user needs to pass the @@ -211,6 +223,14 @@ SDP interface support ~~~~~~~~~~~~~~~~~~~~~ OCTEON TX2 SDP interface support is limited to PF device, No VF support. +Inline Protocol Processing +~~~~~~~~~~~~~~~~~~~~~~~~~~ +``net_octeontx2`` pmd doesn't support the following features for packets to be +inline protocol processed. +- TSO offload +- VLAN/QinQ offload +- Fragmentation + Debugging Options ----------------- diff --git a/doc/guides/rel_notes/release_20_02.rst b/doc/guides/rel_notes/release_20_02.rst index d19a7f5..7b9139c 100644 --- a/doc/guides/rel_notes/release_20_02.rst +++ b/doc/guides/rel_notes/release_20_02.rst @@ -166,6 +166,15 @@ New Features armv8 crypto library is not used anymore. Library name is changed from armv8_crypto to AArch64crypto. +* **Added inline IPsec support to Marvell OCTEON TX2 PMD.** + + Added inline IPsec support to Marvell OCTEON TX2 PMD. With the feature, + applications would be able to offload entire IPsec offload to the hardware. + For the configured sessions, hardware will do the lookup and perform + decryption and IPsec transformation. For the outbound path, application + can submit a plain packet to the PMD, and it would be sent out on wire + after doing encryption and IPsec transformation of the packet. + Removed Items ------------- diff --git a/drivers/crypto/octeontx2/otx2_ipsec_fp.h b/drivers/crypto/octeontx2/otx2_ipsec_fp.h new file mode 100644 index 0000000..bf4181a --- /dev/null +++ b/drivers/crypto/octeontx2/otx2_ipsec_fp.h @@ -0,0 +1,55 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2020 Marvell International Ltd. + */ + +#ifndef __OTX2_IPSEC_FP_H__ +#define __OTX2_IPSEC_FP_H__ + +struct otx2_ipsec_fp_sa_ctl { + rte_be32_t spi : 32; + uint64_t exp_proto_inter_frag : 8; + uint64_t rsvd_42_40 : 3; + uint64_t esn_en : 1; + uint64_t rsvd_45_44 : 2; + uint64_t encap_type : 2; + uint64_t enc_type : 3; + uint64_t rsvd_48 : 1; + uint64_t auth_type : 4; + uint64_t valid : 1; + uint64_t direction : 1; + uint64_t outer_ip_ver : 1; + uint64_t inner_ip_ver : 1; + uint64_t ipsec_mode : 1; + uint64_t ipsec_proto : 1; + uint64_t aes_key_len : 2; +}; + +struct otx2_ipsec_fp_in_sa { + /* w0 */ + struct otx2_ipsec_fp_sa_ctl ctl; + + /* w1 */ + uint8_t nonce[4]; /* Only for AES-GCM */ + uint32_t unused; + + /* w2 */ + uint32_t esn_low; + uint32_t esn_hi; + + /* w3-w6 */ + uint8_t cipher_key[32]; + + /* w7-w12 */ + uint8_t hmac_key[48]; + + RTE_STD_C11 + union { + void *userdata; + uint64_t udata64; + }; + + uint64_t reserved1; + uint64_t reserved2; +}; + +#endif /* __OTX2_IPSEC_FP_H__ */ diff --git a/drivers/net/octeontx2/Makefile b/drivers/net/octeontx2/Makefile index 8649f89..0de43e3 100644 --- a/drivers/net/octeontx2/Makefile +++ b/drivers/net/octeontx2/Makefile @@ -10,7 +10,9 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_pmd_octeontx2.a CFLAGS += $(WERROR_FLAGS) +CFLAGS += -I$(RTE_SDK)/drivers/common/cpt CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2 +CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2 CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2 CFLAGS += -O3 @@ -56,5 +58,6 @@ SRCS-$(CONFIG_RTE_LIBRTE_OCTEONTX2_PMD) += \ LDLIBS += -lrte_common_octeontx2 -lrte_mempool_octeontx2 -lrte_eal -lrte_net LDLIBS += -lrte_ethdev -lrte_bus_pci -lrte_kvargs -lrte_mbuf -lrte_mempool -lm +LDLIBS += -lrte_cryptodev -lrte_eventdev -lrte_security include $(RTE_SDK)/mk/rte.lib.mk diff --git a/drivers/net/octeontx2/meson.build b/drivers/net/octeontx2/meson.build index dfbf99a..04cf58f 100644 --- a/drivers/net/octeontx2/meson.build +++ b/drivers/net/octeontx2/meson.build @@ -25,7 +25,7 @@ sources = files('otx2_rx.c', 'otx2_ethdev_devargs.c' ) -deps += ['bus_pci', 'cryptodev', 'security'] +deps += ['bus_pci', 'cryptodev', 'eventdev', 'security'] deps += ['common_octeontx2', 'mempool_octeontx2'] cflags += ['-flax-vector-conversions'] @@ -41,3 +41,6 @@ foreach flag: extra_flags cflags += flag endif endforeach + +includes += include_directories('../../common/cpt') +includes += include_directories('../../crypto/octeontx2') diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c index 7fd5254..e8ae779 100644 --- a/drivers/net/octeontx2/otx2_ethdev.c +++ b/drivers/net/octeontx2/otx2_ethdev.c @@ -339,6 +339,10 @@ nix_cq_rq_init(struct rte_eth_dev *eth_dev, struct otx2_eth_dev *dev, aq->op = NIX_AQ_INSTOP_INIT; aq->rq.sso_ena = 0; + + if (rxq->offloads & DEV_RX_OFFLOAD_SECURITY) + aq->rq.ipsech_ena = 1; + aq->rq.cq = qid; /* RQ to CQ 1:1 mapped */ aq->rq.spb_ena = 0; aq->rq.lpb_aura = npa_lf_aura_handle_to_aura(mp->pool_id); @@ -1612,6 +1616,7 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev) /* Free the resources allocated from the previous configure */ if (dev->configured == 1) { + otx2_eth_sec_fini(eth_dev); otx2_nix_rxchan_bpid_cfg(eth_dev, false); otx2_nix_vlan_fini(eth_dev); otx2_nix_mc_addr_list_uninstall(eth_dev); @@ -1722,10 +1727,15 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev) goto cq_fini; } + /* Enable security */ + rc = otx2_eth_sec_init(eth_dev); + if (rc) + goto cq_fini; + rc = otx2_nix_mc_addr_list_install(eth_dev); if (rc < 0) { otx2_err("Failed to install mc address list rc=%d", rc); - goto cq_fini; + goto sec_fini; } /* @@ -1761,6 +1771,8 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev) uninstall_mc_list: otx2_nix_mc_addr_list_uninstall(eth_dev); +sec_fini: + otx2_eth_sec_fini(eth_dev); cq_fini: oxt2_nix_unregister_cq_irqs(eth_dev); q_irq_fini: @@ -2350,6 +2362,9 @@ otx2_eth_dev_uninit(struct rte_eth_dev *eth_dev, bool mbox_close) if (rc) otx2_err("Failed to cleanup npa lf, rc=%d", rc); + /* Disable security */ + otx2_eth_sec_fini(eth_dev); + /* Destroy security ctx */ otx2_eth_sec_ctx_destroy(eth_dev); diff --git a/drivers/net/octeontx2/otx2_ethdev.h b/drivers/net/octeontx2/otx2_ethdev.h index 3f3fdec..60b535a 100644 --- a/drivers/net/octeontx2/otx2_ethdev.h +++ b/drivers/net/octeontx2/otx2_ethdev.h @@ -324,6 +324,8 @@ struct otx2_eth_dev { bool mc_tbl_set; struct otx2_nix_mc_filter_tbl mc_fltr_tbl; bool sdp_link; /* SDP flag */ + /* Inline IPsec params */ + uint16_t ipsec_in_max_spi; } __rte_cache_aligned; struct otx2_eth_txq { diff --git a/drivers/net/octeontx2/otx2_ethdev_devargs.c b/drivers/net/octeontx2/otx2_ethdev_devargs.c index 04da1ab..a3f7598 100644 --- a/drivers/net/octeontx2/otx2_ethdev_devargs.c +++ b/drivers/net/octeontx2/otx2_ethdev_devargs.c @@ -64,6 +64,19 @@ parse_reta_size(const char *key, const char *value, void *extra_args) } static int +parse_ipsec_in_max_spi(const char *key, const char *value, void *extra_args) +{ + RTE_SET_USED(key); + uint32_t val; + + val = atoi(value); + + *(uint16_t *)extra_args = val; + + return 0; +} + +static int parse_flag(const char *key, const char *value, void *extra_args) { RTE_SET_USED(key); @@ -104,6 +117,7 @@ parse_switch_header_type(const char *key, const char *value, void *extra_args) } #define OTX2_RSS_RETA_SIZE "reta_size" +#define OTX2_IPSEC_IN_MAX_SPI "ipsec_in_max_spi" #define OTX2_SCL_ENABLE "scalar_enable" #define OTX2_MAX_SQB_COUNT "max_sqb_count" #define OTX2_FLOW_PREALLOC_SIZE "flow_prealloc_size" @@ -118,6 +132,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev) uint16_t flow_prealloc_size = 8; uint16_t switch_header_type = 0; uint16_t flow_max_priority = 3; + uint16_t ipsec_in_max_spi = 1; uint16_t scalar_enable = 0; struct rte_kvargs *kvlist; @@ -130,6 +145,8 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev) rte_kvargs_process(kvlist, OTX2_RSS_RETA_SIZE, &parse_reta_size, &rss_size); + rte_kvargs_process(kvlist, OTX2_IPSEC_IN_MAX_SPI, + &parse_ipsec_in_max_spi, &ipsec_in_max_spi); rte_kvargs_process(kvlist, OTX2_SCL_ENABLE, &parse_flag, &scalar_enable); rte_kvargs_process(kvlist, OTX2_MAX_SQB_COUNT, @@ -143,6 +160,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev) rte_kvargs_free(kvlist); null_devargs: + dev->ipsec_in_max_spi = ipsec_in_max_spi; dev->scalar_ena = scalar_enable; dev->max_sqb_count = sqb_count; dev->rss_info.rss_size = rss_size; @@ -157,6 +175,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev) RTE_PMD_REGISTER_PARAM_STRING(net_octeontx2, OTX2_RSS_RETA_SIZE "=<64|128|256>" + OTX2_IPSEC_IN_MAX_SPI "=<1-65535>" OTX2_SCL_ENABLE "=1" OTX2_MAX_SQB_COUNT "=<8-512>" OTX2_FLOW_PREALLOC_SIZE "=<1-32>" diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c index 80c5689..ed68152 100644 --- a/drivers/net/octeontx2/otx2_ethdev_sec.c +++ b/drivers/net/octeontx2/otx2_ethdev_sec.c @@ -3,10 +3,35 @@ */ #include +#include #include +#include #include +#include "otx2_ethdev.h" #include "otx2_ethdev_sec.h" +#include "otx2_ipsec_fp.h" + +#define ETH_SEC_MAX_PKT_LEN 1450 + +struct eth_sec_tag_const { + RTE_STD_C11 + union { + struct { + uint32_t rsvd_11_0 : 12; + uint32_t port : 8; + uint32_t event_type : 4; + uint32_t rsvd_31_24 : 8; + }; + uint32_t u32; + }; +}; + +static inline void +in_sa_mz_name_get(char *name, int size, uint16_t port) +{ + snprintf(name, size, "otx2_ipsec_in_sadb_%u", port); +} int otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev) @@ -33,3 +58,100 @@ otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev) { rte_free(eth_dev->security_ctx); } + +static int +eth_sec_ipsec_cfg(struct rte_eth_dev *eth_dev, uint8_t tt) +{ + struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev); + uint16_t port = eth_dev->data->port_id; + struct nix_inline_ipsec_lf_cfg *req; + struct otx2_mbox *mbox = dev->mbox; + struct eth_sec_tag_const tag_const; + char name[RTE_MEMZONE_NAMESIZE]; + const struct rte_memzone *mz; + + in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port); + mz = rte_memzone_lookup(name); + if (mz == NULL) + return -EINVAL; + + req = otx2_mbox_alloc_msg_nix_inline_ipsec_lf_cfg(mbox); + req->enable = 1; + req->sa_base_addr = mz->iova; + + req->ipsec_cfg0.tt = tt; + + tag_const.u32 = 0; + tag_const.event_type = RTE_EVENT_TYPE_ETHDEV; + tag_const.port = port; + req->ipsec_cfg0.tag_const = tag_const.u32; + + req->ipsec_cfg0.sa_pow2_size = + rte_log2_u32(sizeof(struct otx2_ipsec_fp_in_sa)); + req->ipsec_cfg0.lenm1_max = ETH_SEC_MAX_PKT_LEN - 1; + + req->ipsec_cfg1.sa_idx_w = rte_log2_u32(dev->ipsec_in_max_spi); + req->ipsec_cfg1.sa_idx_max = dev->ipsec_in_max_spi - 1; + + return otx2_mbox_process(mbox); +} + +int +otx2_eth_sec_init(struct rte_eth_dev *eth_dev) +{ + const size_t sa_width = sizeof(struct otx2_ipsec_fp_in_sa); + struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev); + uint16_t port = eth_dev->data->port_id; + char name[RTE_MEMZONE_NAMESIZE]; + const struct rte_memzone *mz; + int mz_sz, ret; + uint16_t nb_sa; + + RTE_BUILD_BUG_ON(sa_width < 32 || sa_width > 512 || + !RTE_IS_POWER_OF_2(sa_width)); + + if (!(dev->tx_offloads & DEV_TX_OFFLOAD_SECURITY) && + !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY)) + return 0; + + nb_sa = dev->ipsec_in_max_spi; + mz_sz = nb_sa * sa_width; + in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port); + mz = rte_memzone_reserve_aligned(name, mz_sz, rte_socket_id(), + RTE_MEMZONE_IOVA_CONTIG, OTX2_ALIGN); + + if (mz == NULL) { + otx2_err("Could not allocate inbound SA DB"); + return -ENOMEM; + } + + memset(mz->addr, 0, mz_sz); + + ret = eth_sec_ipsec_cfg(eth_dev, SSO_TT_ORDERED); + if (ret < 0) { + otx2_err("Could not configure inline IPsec"); + goto sec_fini; + } + + return 0; + +sec_fini: + otx2_err("Could not configure device for security"); + otx2_eth_sec_fini(eth_dev); + return ret; +} + +void +otx2_eth_sec_fini(struct rte_eth_dev *eth_dev) +{ + struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev); + uint16_t port = eth_dev->data->port_id; + char name[RTE_MEMZONE_NAMESIZE]; + + if (!(dev->tx_offloads & DEV_TX_OFFLOAD_SECURITY) && + !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY)) + return; + + in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port); + rte_memzone_free(rte_memzone_lookup(name)); +} diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.h b/drivers/net/octeontx2/otx2_ethdev_sec.h index 4a925e9..60d4a29 100644 --- a/drivers/net/octeontx2/otx2_ethdev_sec.h +++ b/drivers/net/octeontx2/otx2_ethdev_sec.h @@ -11,4 +11,8 @@ int otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev); void otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev); +int otx2_eth_sec_init(struct rte_eth_dev *eth_dev); + +void otx2_eth_sec_fini(struct rte_eth_dev *eth_dev); + #endif /* __OTX2_ETHDEV_SEC_H__ */ -- 2.7.4