* [dpdk-dev] [PATCH 0/4] Add rte_security in crypto_cn10k PMD @ 2021-06-02 17:10 Anoob Joseph 2021-06-02 17:10 ` [dpdk-dev] [PATCH 1/4] crypto/cnxk: add security ctx skeleton Anoob Joseph ` (4 more replies) 0 siblings, 5 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-02 17:10 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Anoob Joseph, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev Add rte_security (lookaside protocol - IPsec) support in crypto_cn10k. IPsec operations can be offloaded to CPT's SE and IE engines, which can process IPsec protcol operations including atomic sequence number increment (for outbound operations) and anti replay window check (for inbound operations). Depends-on: series-17212 ("Add CPT in Marvell CNXK common driver") Depends-on: series-17213 ("Add Marvell CNXK crypto PMDs") Anoob Joseph (1): crypto/cnxk: add security capabilities Srujana Challa (1): crypto/cnxk: add security ctx skeleton Tejasree Kondoj (2): crypto/cnxk: add security session ops crypto/cnxk: add security handling in datapath ops drivers/crypto/cnxk/cn10k_cryptodev.c | 12 + drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 78 +++- drivers/crypto/cnxk/cn10k_ipsec.c | 520 ++++++++++++++++++++++ drivers/crypto/cnxk/cn10k_ipsec.h | 38 ++ drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 74 +++ drivers/crypto/cnxk/cnxk_cryptodev.h | 4 + drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 114 +++++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h | 9 +- drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 48 ++ drivers/crypto/cnxk/cnxk_cryptodev_sec.h | 14 + drivers/crypto/cnxk/cnxk_ipsec.h | 18 + drivers/crypto/cnxk/meson.build | 4 +- 12 files changed, 930 insertions(+), 3 deletions(-) create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.c create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.h create mode 100644 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.c create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.h create mode 100644 drivers/crypto/cnxk/cnxk_ipsec.h -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH 1/4] crypto/cnxk: add security ctx skeleton 2021-06-02 17:10 [dpdk-dev] [PATCH 0/4] Add rte_security in crypto_cn10k PMD Anoob Joseph @ 2021-06-02 17:10 ` Anoob Joseph 2021-06-16 20:14 ` Akhil Goyal 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 0/4] Add rte_security in crypto_cn10k PMD Anoob Joseph 2021-06-02 17:11 ` [dpdk-dev] [PATCH 2/4] crypto/cnxk: add security capabilities Anoob Joseph ` (3 subsequent siblings) 4 siblings, 2 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-02 17:10 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Srujana Challa, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev, Anoob Joseph From: Srujana Challa <schalla@marvell.com> Add security ctx in cn10k crypto PMD. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Srujana Challa <schalla@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- drivers/crypto/cnxk/cn10k_cryptodev.c | 10 +++++++ drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 47 ++++++++++++++++++++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev_sec.h | 14 ++++++++++ drivers/crypto/cnxk/meson.build | 3 +- 4 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.c create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index ca3adea..b58d390 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -14,6 +14,7 @@ #include "cn10k_cryptodev_ops.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_capabilities.h" +#include "cnxk_cryptodev_sec.h" #include "roc_api.h" @@ -75,6 +76,11 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, plt_err("Failed to add engine group rc=%d", rc); goto dev_fini; } + + /* Create security context */ + rc = cnxk_crypto_sec_ctx_create(dev); + if (rc) + goto dev_fini; } cnxk_cpt_caps_populate(vf); @@ -87,6 +93,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | RTE_CRYPTODEV_FF_SYM_SESSIONLESS | + RTE_CRYPTODEV_FF_SECURITY | RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn10k_cpt_set_enqdeq_fns(dev); @@ -121,6 +128,9 @@ cn10k_cpt_pci_remove(struct rte_pci_device *pci_dev) if (dev == NULL) return -ENODEV; + /* Destroy security context */ + cnxk_crypto_sec_ctx_destroy(dev); + if (rte_eal_process_type() == RTE_PROC_PRIMARY) { vf = dev->data->dev_private; ret = roc_cpt_dev_fini(&vf->cpt); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c new file mode 100644 index 0000000..f03d2ed --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c @@ -0,0 +1,47 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include <rte_cryptodev.h> +#include <rte_malloc.h> +#include <rte_security.h> +#include <rte_security_driver.h> + +#include "cnxk_cryptodev_sec.h" + +/* Common security ops */ +struct rte_security_ops cnxk_sec_ops = { + .session_create = NULL, + .session_destroy = NULL, + .session_get_size = NULL, + .set_pkt_metadata = NULL, + .get_userdata = NULL, + .capabilities_get = NULL, +}; + +int +cnxk_crypto_sec_ctx_create(struct rte_cryptodev *cdev) +{ + struct rte_security_ctx *ctx; + + ctx = rte_malloc("cnxk_cpt_dev_sec_ctx", + sizeof(struct rte_security_ctx), 0); + + if (ctx == NULL) + return -ENOMEM; + + /* Populate ctx */ + ctx->device = cdev; + ctx->ops = &cnxk_sec_ops; + ctx->sess_cnt = 0; + + cdev->security_ctx = ctx; + + return 0; +} + +void +cnxk_crypto_sec_ctx_destroy(struct rte_cryptodev *cdev) +{ + rte_free(cdev->security_ctx); +} diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.h b/drivers/crypto/cnxk/cnxk_cryptodev_sec.h new file mode 100644 index 0000000..9ab0e9e --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.h @@ -0,0 +1,14 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CNXK_CRYPTODEV_SEC_H__ +#define __CNXK_CRYPTODEV_SEC_H__ + +#include <rte_cryptodev.h> + +int cnxk_crypto_sec_ctx_create(struct rte_cryptodev *crypto_dev); + +void cnxk_crypto_sec_ctx_destroy(struct rte_cryptodev *crypto_dev); + +#endif /* __CNXK_CRYPTODEV_SEC_H__ */ diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build index b0aa3c0..ab45483 100644 --- a/drivers/crypto/cnxk/meson.build +++ b/drivers/crypto/cnxk/meson.build @@ -17,6 +17,7 @@ sources = files( 'cnxk_cryptodev.c', 'cnxk_cryptodev_capabilities.c', 'cnxk_cryptodev_ops.c', + 'cnxk_cryptodev_sec.c', ) -deps += ['bus_pci', 'common_cnxk'] +deps += ['bus_pci', 'common_cnxk', 'security'] -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dpdk-dev] [PATCH 1/4] crypto/cnxk: add security ctx skeleton 2021-06-02 17:10 ` [dpdk-dev] [PATCH 1/4] crypto/cnxk: add security ctx skeleton Anoob Joseph @ 2021-06-16 20:14 ` Akhil Goyal 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 0/4] Add rte_security in crypto_cn10k PMD Anoob Joseph 1 sibling, 0 replies; 24+ messages in thread From: Akhil Goyal @ 2021-06-16 20:14 UTC (permalink / raw) To: Anoob Joseph, Thomas Monjalon Cc: Srujana Challa, Jerin Jacob Kollanukkaran, Ankur Dwivedi, Tejasree Kondoj, dev, Anoob Joseph > From: Srujana Challa <schalla@marvell.com> > > Add security ctx in cn10k crypto PMD. > > Signed-off-by: Anoob Joseph <anoobj@marvell.com> > Signed-off-by: Srujana Challa <schalla@marvell.com> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> > --- > drivers/crypto/cnxk/cn10k_cryptodev.c | 10 +++++++ > drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 47 > ++++++++++++++++++++++++++++++++ > drivers/crypto/cnxk/cnxk_cryptodev_sec.h | 14 ++++++++++ > drivers/crypto/cnxk/meson.build | 3 +- > 4 files changed, 73 insertions(+), 1 deletion(-) > create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.c > create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.h > > diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c > b/drivers/crypto/cnxk/cn10k_cryptodev.c > index ca3adea..b58d390 100644 > --- a/drivers/crypto/cnxk/cn10k_cryptodev.c > +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c > @@ -14,6 +14,7 @@ > #include "cn10k_cryptodev_ops.h" > #include "cnxk_cryptodev.h" > #include "cnxk_cryptodev_capabilities.h" > +#include "cnxk_cryptodev_sec.h" > > #include "roc_api.h" > > @@ -75,6 +76,11 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv > __rte_unused, > plt_err("Failed to add engine group rc=%d", rc); > goto dev_fini; > } > + > + /* Create security context */ > + rc = cnxk_crypto_sec_ctx_create(dev); > + if (rc) > + goto dev_fini; > } > > cnxk_cpt_caps_populate(vf); > @@ -87,6 +93,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv > __rte_unused, > RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | > RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | > RTE_CRYPTODEV_FF_SYM_SESSIONLESS | > + RTE_CRYPTODEV_FF_SECURITY | > RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; Corresponding change in .ini file missing. Moreover, you should add it in Last patch of this series when your feature is complete. Both feature flag and documentation in .ini should be in same patch. ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH v2 0/4] Add rte_security in crypto_cn10k PMD 2021-06-02 17:10 ` [dpdk-dev] [PATCH 1/4] crypto/cnxk: add security ctx skeleton Anoob Joseph 2021-06-16 20:14 ` Akhil Goyal @ 2021-06-25 6:15 ` Anoob Joseph 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 1/4] crypto/cnxk: add security ctx skeleton Anoob Joseph ` (4 more replies) 1 sibling, 5 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-25 6:15 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Anoob Joseph, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev Add rte_security (lookaside protocol - IPsec) support in crypto_cn10k. IPsec operations can be offloaded to CPT's SE and IE engines, which can process IPsec protcol operations including atomic sequence number increment (for outbound operations) and anti replay window check (for inbound operations). Depends-on: series-17482 ("Add CPT in Marvell CNXK common driver") Depends-on: series-17483 ("Add Marvell CNXK crypto PMDs") Changes in v2: - Rearranged capability additions & feature flag updates as suggested by Akhil - Rebased on v2 of dependant series Anoob Joseph (1): crypto/cnxk: add security capabilities Srujana Challa (1): crypto/cnxk: add security ctx skeleton Tejasree Kondoj (2): crypto/cnxk: add security session ops crypto/cnxk: add security handling in datapath ops doc/guides/cryptodevs/cnxk.rst | 24 ++ doc/guides/cryptodevs/features/cn10k.ini | 1 + drivers/crypto/cnxk/cn10k_cryptodev.c | 12 + drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 78 +++++- drivers/crypto/cnxk/cn10k_ipsec.c | 275 ++++++++++++++++++++++ drivers/crypto/cnxk/cn10k_ipsec.h | 36 +++ drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 74 ++++++ drivers/crypto/cnxk/cnxk_cryptodev.h | 4 + drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 114 +++++++++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h | 9 +- drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 48 ++++ drivers/crypto/cnxk/cnxk_cryptodev_sec.h | 14 ++ drivers/crypto/cnxk/cnxk_ipsec.h | 20 ++ drivers/crypto/cnxk/meson.build | 6 +- 14 files changed, 712 insertions(+), 3 deletions(-) create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.c create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.h create mode 100644 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.c create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.h create mode 100644 drivers/crypto/cnxk/cnxk_ipsec.h -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH v2 1/4] crypto/cnxk: add security ctx skeleton 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 0/4] Add rte_security in crypto_cn10k PMD Anoob Joseph @ 2021-06-25 6:15 ` Anoob Joseph 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 2/4] crypto/cnxk: add security session ops Anoob Joseph ` (3 subsequent siblings) 4 siblings, 0 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-25 6:15 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Srujana Challa, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev, Anoob Joseph From: Srujana Challa <schalla@marvell.com> Add security ctx in cn10k crypto PMD. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Srujana Challa <schalla@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- drivers/crypto/cnxk/cn10k_cryptodev.c | 9 ++++++ drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 47 ++++++++++++++++++++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev_sec.h | 14 ++++++++++ drivers/crypto/cnxk/meson.build | 3 +- 4 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.c create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index 559aaef..ffe654c 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -14,6 +14,7 @@ #include "cn10k_cryptodev_ops.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_capabilities.h" +#include "cnxk_cryptodev_sec.h" #include "roc_api.h" @@ -77,6 +78,11 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, plt_err("Failed to add engine group rc=%d", rc); goto dev_fini; } + + /* Create security context */ + rc = cnxk_crypto_sec_ctx_create(dev); + if (rc) + goto dev_fini; } cnxk_cpt_caps_populate(vf); @@ -126,6 +132,9 @@ cn10k_cpt_pci_remove(struct rte_pci_device *pci_dev) if (dev == NULL) return -ENODEV; + /* Destroy security context */ + cnxk_crypto_sec_ctx_destroy(dev); + if (rte_eal_process_type() == RTE_PROC_PRIMARY) { vf = dev->data->dev_private; ret = roc_cpt_dev_fini(&vf->cpt); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c new file mode 100644 index 0000000..f03d2ed --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c @@ -0,0 +1,47 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include <rte_cryptodev.h> +#include <rte_malloc.h> +#include <rte_security.h> +#include <rte_security_driver.h> + +#include "cnxk_cryptodev_sec.h" + +/* Common security ops */ +struct rte_security_ops cnxk_sec_ops = { + .session_create = NULL, + .session_destroy = NULL, + .session_get_size = NULL, + .set_pkt_metadata = NULL, + .get_userdata = NULL, + .capabilities_get = NULL, +}; + +int +cnxk_crypto_sec_ctx_create(struct rte_cryptodev *cdev) +{ + struct rte_security_ctx *ctx; + + ctx = rte_malloc("cnxk_cpt_dev_sec_ctx", + sizeof(struct rte_security_ctx), 0); + + if (ctx == NULL) + return -ENOMEM; + + /* Populate ctx */ + ctx->device = cdev; + ctx->ops = &cnxk_sec_ops; + ctx->sess_cnt = 0; + + cdev->security_ctx = ctx; + + return 0; +} + +void +cnxk_crypto_sec_ctx_destroy(struct rte_cryptodev *cdev) +{ + rte_free(cdev->security_ctx); +} diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.h b/drivers/crypto/cnxk/cnxk_cryptodev_sec.h new file mode 100644 index 0000000..9ab0e9e --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.h @@ -0,0 +1,14 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CNXK_CRYPTODEV_SEC_H__ +#define __CNXK_CRYPTODEV_SEC_H__ + +#include <rte_cryptodev.h> + +int cnxk_crypto_sec_ctx_create(struct rte_cryptodev *crypto_dev); + +void cnxk_crypto_sec_ctx_destroy(struct rte_cryptodev *crypto_dev); + +#endif /* __CNXK_CRYPTODEV_SEC_H__ */ diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build index fa6be06..a2b461e 100644 --- a/drivers/crypto/cnxk/meson.build +++ b/drivers/crypto/cnxk/meson.build @@ -16,6 +16,7 @@ sources = files( 'cnxk_cryptodev.c', 'cnxk_cryptodev_capabilities.c', 'cnxk_cryptodev_ops.c', + 'cnxk_cryptodev_sec.c', ) -deps += ['bus_pci', 'common_cnxk'] +deps += ['bus_pci', 'common_cnxk', 'security'] -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH v2 2/4] crypto/cnxk: add security session ops 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 0/4] Add rte_security in crypto_cn10k PMD Anoob Joseph 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 1/4] crypto/cnxk: add security ctx skeleton Anoob Joseph @ 2021-06-25 6:15 ` Anoob Joseph 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 3/4] crypto/cnxk: add security handling in datapath ops Anoob Joseph ` (2 subsequent siblings) 4 siblings, 0 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-25 6:15 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Tejasree Kondoj, Jerin Jacob, Ankur Dwivedi, dev, Anoob Joseph, Archana Muniganti, Srujana Challa From: Tejasree Kondoj <ktejasree@marvell.com> Add security session ops in cn10k crypto PMD. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Archana Muniganti <marchana@marvell.com> Signed-off-by: Srujana Challa <schalla@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- drivers/crypto/cnxk/cn10k_cryptodev.c | 2 + drivers/crypto/cnxk/cn10k_ipsec.c | 275 ++++++++++++++++++++++++++++++++++ drivers/crypto/cnxk/cn10k_ipsec.h | 36 +++++ drivers/crypto/cnxk/cnxk_ipsec.h | 20 +++ drivers/crypto/cnxk/meson.build | 3 + 5 files changed, 336 insertions(+) create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.c create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.h create mode 100644 drivers/crypto/cnxk/cnxk_ipsec.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index ffe654c..cacf9c2 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -12,6 +12,7 @@ #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" +#include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_capabilities.h" #include "cnxk_cryptodev_sec.h" @@ -101,6 +102,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn10k_cpt_set_enqdeq_fns(dev); + cn10k_sec_ops_override(); return 0; diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c new file mode 100644 index 0000000..1d567bf --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec.c @@ -0,0 +1,275 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include <rte_malloc.h> +#include <rte_cryptodev.h> +#include <rte_esp.h> +#include <rte_ip.h> +#include <rte_security.h> +#include <rte_security_driver.h> +#include <rte_udp.h> + +#include "cnxk_cryptodev.h" +#include "cnxk_ipsec.h" +#include "cnxk_security.h" +#include "cn10k_ipsec.h" + +#include "roc_api.h" + +static int +ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && + crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT) + return -EINVAL; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && + crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT) + return -EINVAL; + + if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + switch (crypto_xfrm->aead.key.length) { + case ROC_CPT_AES128_KEY_LEN: + case ROC_CPT_AES192_KEY_LEN: + case ROC_CPT_AES256_KEY_LEN: + break; + default: + return -EINVAL; + } + return 0; + } + + return -ENOTSUP; +} + +static int +cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS)) + return -EINVAL; + + if ((ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) && + (ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH)) + return -EINVAL; + + if ((ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) && + (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)) + return -EINVAL; + + if ((ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) && + (ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6)) + return -EINVAL; + + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) + return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm); + + return -ENOTSUP; +} + +static uint64_t +ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa) +{ + union cpt_inst_w7 w7; + + w7.u64 = 0; + w7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE]; + w7.s.ctx_val = 1; + w7.s.cptr = (uint64_t)sa; + rte_mb(); + + return w7.u64; +} + +static int +cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sec_sess) +{ + struct roc_ot_ipsec_outb_sa *out_sa; + struct cnxk_ipsec_outb_rlens rlens; + struct cn10k_sec_session *sess; + struct cn10k_ipsec_sa *sa; + union cpt_inst_w4 inst_w4; + int ret; + + sess = get_sec_session_private_data(sec_sess); + sa = &sess->sa; + out_sa = &sa->out_sa; + + memset(out_sa, 0, sizeof(struct roc_ot_ipsec_outb_sa)); + + /* Translate security parameters to SA */ + ret = cnxk_ot_ipsec_outb_sa_fill(out_sa, ipsec_xfrm, crypto_xfrm); + if (ret) + return ret; + + sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa); + + /* Get Rlen calculation data */ + ret = cnxk_ipsec_outb_rlens_get(&rlens, ipsec_xfrm, crypto_xfrm); + if (ret) + return ret; + + sa->partial_len = rlens.partial_len; + sa->roundup_byte = rlens.roundup_byte; + sa->roundup_len = rlens.roundup_len; + + /* pre-populate CPT INST word 4 */ + inst_w4.u64 = 0; + inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC; + inst_w4.s.param1 = 0; + sa->inst.w4 = inst_w4.u64; + + return 0; +} + +static int +cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sec_sess) +{ + struct roc_ot_ipsec_inb_sa *in_sa; + struct cn10k_sec_session *sess; + struct cn10k_ipsec_sa *sa; + union cpt_inst_w4 inst_w4; + int ret; + + sess = get_sec_session_private_data(sec_sess); + sa = &sess->sa; + in_sa = &sa->in_sa; + + /* Translate security parameters to SA */ + ret = cnxk_ot_ipsec_inb_sa_fill(in_sa, ipsec_xfrm, crypto_xfrm); + if (ret) + return ret; + + /* TODO add support for antireplay */ + sa->in_sa.w0.s.ar_win = 0; + + /* TODO add support for udp encap */ + + sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa); + + /* pre-populate CPT INST word 4 */ + inst_w4.u64 = 0; + inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC; + + /* Disable checksum verification for now */ + inst_w4.s.param1 = 7; + sa->inst.w4 = inst_w4.u64; + + return 0; +} + +static int +cn10k_ipsec_session_create(void *dev, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sess) +{ + struct rte_cryptodev *crypto_dev = dev; + struct roc_cpt *roc_cpt; + struct cnxk_cpt_vf *vf; + int ret; + + vf = crypto_dev->data->dev_private; + roc_cpt = &vf->cpt; + + if (crypto_dev->data->queue_pairs[0] == NULL) { + plt_err("Setup cpt queue pair before creating security session"); + return -EPERM; + } + + ret = cn10k_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm); + if (ret) + return ret; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + return cn10k_ipsec_inb_sa_create(roc_cpt, ipsec_xfrm, + crypto_xfrm, sess); + else + return cn10k_ipsec_outb_sa_create(roc_cpt, ipsec_xfrm, + crypto_xfrm, sess); +} + +static int +cn10k_sec_session_create(void *device, struct rte_security_session_conf *conf, + struct rte_security_session *sess, + struct rte_mempool *mempool) +{ + struct cn10k_sec_session *priv; + int ret; + + if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) + return -EINVAL; + + if (rte_security_dynfield_register() < 0) + return -ENOTSUP; + + if (rte_mempool_get(mempool, (void **)&priv)) { + plt_err("Could not allocate security session private data"); + return -ENOMEM; + } + + set_sec_session_private_data(sess, priv); + + priv->userdata = conf->userdata; + + if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) { + ret = -ENOTSUP; + goto mempool_put; + } + ret = cn10k_ipsec_session_create(device, &conf->ipsec, + conf->crypto_xform, sess); + if (ret) + goto mempool_put; + + return 0; + +mempool_put: + rte_mempool_put(mempool, priv); + set_sec_session_private_data(sess, NULL); + return ret; +} + +static int +cn10k_sec_session_destroy(void *device __rte_unused, + struct rte_security_session *sess) +{ + struct cn10k_sec_session *priv; + struct rte_mempool *sess_mp; + + priv = get_sec_session_private_data(sess); + + if (priv == NULL) + return 0; + + sess_mp = rte_mempool_from_obj(priv); + + set_sec_session_private_data(sess, NULL); + rte_mempool_put(sess_mp, priv); + + return 0; +} + +static unsigned int +cn10k_sec_session_get_size(void *device __rte_unused) +{ + return sizeof(struct cn10k_sec_session); +} + +/* Update platform specific security ops */ +void +cn10k_sec_ops_override(void) +{ + /* Update platform specific ops */ + cnxk_sec_ops.session_create = cn10k_sec_session_create; + cnxk_sec_ops.session_destroy = cn10k_sec_session_destroy; + cnxk_sec_ops.session_get_size = cn10k_sec_session_get_size; +} diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h new file mode 100644 index 0000000..668282f --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec.h @@ -0,0 +1,36 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CN10K_IPSEC_H__ +#define __CN10K_IPSEC_H__ + +#include <rte_security.h> + +#include "cnxk_ipsec.h" + +#define CN10K_IPSEC_SA_CTX_HDR_SIZE 1 + +struct cn10k_ipsec_sa { + union { + /** Inbound SA */ + struct roc_ot_ipsec_inb_sa in_sa; + /** Outbound SA */ + struct roc_ot_ipsec_outb_sa out_sa; + }; + /** Pre-populated CPT inst words */ + struct cnxk_cpt_inst_tmpl inst; + uint8_t partial_len; + uint8_t roundup_len; + uint8_t roundup_byte; +}; + +struct cn10k_sec_session { + struct cn10k_ipsec_sa sa; + void *userdata; + /**< Userdata registered by the application */ +} __rte_cache_aligned; + +void cn10k_sec_ops_override(void); + +#endif /* __CN10K_IPSEC_H__ */ diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h new file mode 100644 index 0000000..f6897a0 --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_ipsec.h @@ -0,0 +1,20 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ +#ifndef __CNXK_IPSEC_H__ +#define __CNXK_IPSEC_H__ + +#include <rte_security.h> +#include <rte_security_driver.h> + +#include "roc_api.h" + +extern struct rte_security_ops cnxk_sec_ops; + +struct cnxk_cpt_inst_tmpl { + uint64_t w2; + uint64_t w4; + uint64_t w7; +}; + +#endif /* __CNXK_IPSEC_H__ */ diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build index a2b461e..c56d6cf 100644 --- a/drivers/crypto/cnxk/meson.build +++ b/drivers/crypto/cnxk/meson.build @@ -13,6 +13,7 @@ sources = files( 'cn9k_cryptodev_ops.c', 'cn10k_cryptodev.c', 'cn10k_cryptodev_ops.c', + 'cn10k_ipsec.c', 'cnxk_cryptodev.c', 'cnxk_cryptodev_capabilities.c', 'cnxk_cryptodev_ops.c', @@ -20,3 +21,5 @@ sources = files( ) deps += ['bus_pci', 'common_cnxk', 'security'] + +includes += include_directories('../../../lib/net') -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH v2 3/4] crypto/cnxk: add security handling in datapath ops 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 0/4] Add rte_security in crypto_cn10k PMD Anoob Joseph 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 1/4] crypto/cnxk: add security ctx skeleton Anoob Joseph 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 2/4] crypto/cnxk: add security session ops Anoob Joseph @ 2021-06-25 6:15 ` Anoob Joseph 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 4/4] crypto/cnxk: add security capabilities Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs Anoob Joseph 4 siblings, 0 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-25 6:15 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Tejasree Kondoj, Jerin Jacob, Ankur Dwivedi, dev, Anoob Joseph, Srujana Challa From: Tejasree Kondoj <ktejasree@marvell.com> Add security handling in enqueue dequeue ops. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Srujana Challa <schalla@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 78 ++++++++++++++++++++++++++++++- drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 74 +++++++++++++++++++++++++++++ 2 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 6207627..29525cd 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -4,9 +4,12 @@ #include <rte_cryptodev.h> #include <rte_cryptodev_pmd.h> +#include <rte_ip.h> #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" +#include "cn10k_ipsec_la_ops.h" +#include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" #include "cnxk_se.h" @@ -42,6 +45,38 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op) } static __rte_always_inline int __rte_hot +cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess, + struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) +{ + struct rte_crypto_sym_op *sym_op = op->sym; + union roc_ot_ipsec_sa_word2 *w2; + struct cn10k_ipsec_sa *sa; + int ret; + + if (unlikely(sym_op->m_dst && sym_op->m_dst != sym_op->m_src)) { + plt_dp_err("Out of place is not supported"); + return -ENOTSUP; + } + + if (unlikely(!rte_pktmbuf_is_contiguous(sym_op->m_src))) { + plt_dp_err("Scatter Gather mode is not supported"); + return -ENOTSUP; + } + + sa = &sess->sa; + w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2; + + if (w2->s.dir == ROC_IE_OT_SA_DIR_OUTBOUND) + ret = process_outb_sa(op, sa, inst); + else { + infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND; + ret = process_inb_sa(op, sa, inst); + } + + return ret; +} + +static __rte_always_inline int __rte_hot cpt_sym_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op, struct cnxk_se_sess *sess, struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) @@ -64,6 +99,7 @@ static inline int cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], struct cpt_inst_s inst[], struct cpt_inflight_req *infl_req) { + struct cn10k_sec_session *sec_sess; struct rte_crypto_sym_op *sym_op; struct cnxk_se_sess *sess; struct rte_crypto_op *op; @@ -79,7 +115,15 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], sym_op = op->sym; if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { - if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { + if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { + sec_sess = get_sec_session_private_data( + sym_op->sec_session); + ret = cpt_sec_inst_fill(op, sec_sess, infl_req, + &inst[0]); + if (unlikely(ret)) + return 0; + w7 = sec_sess->sa.inst.w7; + } else if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { sess = get_sym_session_private_data( sym_op->session, cn10k_cryptodev_driver_id); ret = cpt_sym_inst_fill(qp, op, sess, infl_req, @@ -196,6 +240,34 @@ cn10k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) } static inline void +cn10k_cpt_sec_post_process(struct rte_crypto_op *cop, + struct cpt_inflight_req *infl_req) +{ + struct rte_crypto_sym_op *sym_op = cop->sym; + struct rte_mbuf *m = sym_op->m_src; + struct rte_ipv6_hdr *ip6; + struct rte_ipv4_hdr *ip; + uint16_t m_len; + + if (infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND) { + ip = (struct rte_ipv4_hdr *)rte_pktmbuf_mtod(m, char *); + + if (((ip->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER) == + IPVERSION) { + m_len = rte_be_to_cpu_16(ip->total_length); + } else { + PLT_ASSERT(((ip->version_ihl & 0xf0) >> + RTE_IPV4_IHL_MULTIPLIER) == IPV6_VERSION); + ip6 = (struct rte_ipv6_hdr *)ip; + m_len = rte_be_to_cpu_16(ip6->payload_len) + + sizeof(struct rte_ipv6_hdr); + } + m->data_len = m_len; + m->pkt_len = m_len; + } +} + +static inline void cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, struct rte_crypto_op *cop, struct cpt_inflight_req *infl_req) @@ -219,6 +291,10 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { + if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { + cn10k_cpt_sec_post_process(cop, infl_req); + return; + } /* Verify authentication data if required */ if (unlikely(infl_req->op_flags & diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h new file mode 100644 index 0000000..1e9ebb5 --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h @@ -0,0 +1,74 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CN10K_IPSEC_LA_OPS_H__ +#define __CN10K_IPSEC_LA_OPS_H__ + +#include <rte_crypto_sym.h> +#include <rte_security.h> + +#include "cn10k_cryptodev.h" +#include "cn10k_ipsec.h" +#include "cnxk_cryptodev.h" + +static __rte_always_inline int32_t +ipsec_po_out_rlen_get(struct cn10k_ipsec_sa *sess, uint32_t plen) +{ + uint32_t enc_payload_len; + + enc_payload_len = + RTE_ALIGN_CEIL(plen + sess->roundup_len, sess->roundup_byte); + + return sess->partial_len + enc_payload_len; +} + +static __rte_always_inline int +process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, + struct cpt_inst_s *inst) +{ + struct rte_crypto_sym_op *sym_op = cop->sym; + struct rte_mbuf *m_src = sym_op->m_src; + uint32_t dlen, rlen, extend_tail; + char *mdata; + + dlen = rte_pktmbuf_pkt_len(m_src); + rlen = ipsec_po_out_rlen_get(sess, dlen); + + extend_tail = rlen - dlen; + + mdata = rte_pktmbuf_append(m_src, extend_tail); + if (unlikely(mdata == NULL)) { + plt_dp_err("Not enough tail room"); + return -ENOMEM; + } + + /* Prepare CPT instruction */ + inst->w4.u64 = sess->inst.w4; + inst->w4.s.dlen = dlen; + inst->dptr = rte_pktmbuf_iova(m_src); + inst->rptr = inst->dptr; + + return 0; +} + +static __rte_always_inline int +process_inb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sa, + struct cpt_inst_s *inst) +{ + struct rte_crypto_sym_op *sym_op = cop->sym; + struct rte_mbuf *m_src = sym_op->m_src; + uint32_t dlen; + + dlen = rte_pktmbuf_pkt_len(m_src); + + /* Prepare CPT instruction */ + inst->w4.u64 = sa->inst.w4; + inst->w4.s.dlen = dlen; + inst->dptr = rte_pktmbuf_iova(m_src); + inst->rptr = inst->dptr; + + return 0; +} + +#endif /* __CN10K_IPSEC_LA_OPS_H__ */ -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH v2 4/4] crypto/cnxk: add security capabilities 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 0/4] Add rte_security in crypto_cn10k PMD Anoob Joseph ` (2 preceding siblings ...) 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 3/4] crypto/cnxk: add security handling in datapath ops Anoob Joseph @ 2021-06-25 6:15 ` Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs Anoob Joseph 4 siblings, 0 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-25 6:15 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Anoob Joseph, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev, Srujana Challa Add security capabilities supported by crypto cn10k PMD. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Srujana Challa <schalla@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- doc/guides/cryptodevs/cnxk.rst | 24 +++++ doc/guides/cryptodevs/features/cn10k.ini | 1 + drivers/crypto/cnxk/cn10k_cryptodev.c | 1 + drivers/crypto/cnxk/cnxk_cryptodev.h | 4 + drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 114 ++++++++++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h | 9 +- drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 3 +- 7 files changed, 154 insertions(+), 2 deletions(-) diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index 66b0b63..db949fa 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -185,6 +185,30 @@ running the test application: ./dpdk-test RTE>>cryptodev_cn10k_autotest +Lookaside IPsec Support +----------------------- + +The OCTEON cnxk SoCs can accelerate IPsec traffic in lookaside protocol mode, +with its **cryptographic accelerator (CPT)**. ``OCTEON cnxk crypto PMD`` implements +this as an ``RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL`` offload. + +Refer to :doc:`../prog_guide/rte_security` for more details on protocol offloads. + +This feature can be tested with ipsec-secgw sample application. + +Supported OCTEON cnxk SoCs +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- CN10XX + +Features supported +~~~~~~~~~~~~~~~~~~ + +* IPv4 +* ESP +* Tunnel mode +* AES-128/192/256-GCM + Limitations ----------- diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index 77c4a2d..b268f84 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -7,6 +7,7 @@ Symmetric crypto = Y Sym operation chaining = Y HW Accelerated = Y +Protocol offload = Y In Place SGL = Y OOP SGL In LB Out = Y OOP SGL In SGL Out = Y diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index cacf9c2..22ae810 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -99,6 +99,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | RTE_CRYPTODEV_FF_SYM_SESSIONLESS | + RTE_CRYPTODEV_FF_SECURITY | RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn10k_cpt_set_enqdeq_fns(dev); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index 03af4af..6760c13 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -6,6 +6,7 @@ #define _CNXK_CRYPTODEV_H_ #include <rte_cryptodev.h> +#include <rte_security.h> #include "roc_cpt.h" @@ -19,6 +20,9 @@ struct cnxk_cpt_vf { struct roc_cpt cpt; struct rte_cryptodev_capabilities crypto_caps[CNXK_CPT_MAX_CAPS]; + struct rte_cryptodev_capabilities + sec_crypto_caps[CNXK_SEC_CRYPTO_MAX_CAPS]; + struct rte_security_capability sec_caps[CNXK_SEC_MAX_CAPS]; }; int cnxk_cpt_eng_grp_add(struct roc_cpt *roc_cpt); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index a5195e8..d52fa89 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -3,6 +3,7 @@ */ #include <rte_cryptodev.h> +#include <rte_security.h> #include "roc_api.h" @@ -18,6 +19,15 @@ RTE_DIM(caps_##name)); \ } while (0) +#define SEC_CAPS_ADD(cnxk_caps, cur_pos, hw_caps, name) \ + do { \ + if ((hw_caps[CPT_ENG_TYPE_SE].name) || \ + (hw_caps[CPT_ENG_TYPE_IE].name) || \ + (hw_caps[CPT_ENG_TYPE_AE].name)) \ + sec_caps_add(cnxk_caps, cur_pos, sec_caps_##name, \ + RTE_DIM(sec_caps_##name)); \ + } while (0) + static const struct rte_cryptodev_capabilities caps_sha1_sha2[] = { { /* SHA1 */ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, @@ -658,6 +668,69 @@ static const struct rte_cryptodev_capabilities caps_end[] = { RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST() }; +static const struct rte_cryptodev_capabilities sec_caps_aes[] = { + { /* AES GCM */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD, + {.aead = { + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 8 + }, + .digest_size = { + .min = 16, + .max = 16, + .increment = 0 + }, + .aad_size = { + .min = 8, + .max = 12, + .increment = 4 + }, + .iv_size = { + .min = 12, + .max = 12, + .increment = 0 + } + }, } + }, } + }, +}; + +static const struct rte_security_capability sec_caps_templ[] = { + { /* IPsec Lookaside Protocol ESP Tunnel Ingress */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec = { + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, + .options = { 0 } + }, + .crypto_capabilities = NULL, + .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA + }, + { /* IPsec Lookaside Protocol ESP Tunnel Egress */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec = { + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .options = { 0 } + }, + .crypto_capabilities = NULL, + .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA + }, + { + .action = RTE_SECURITY_ACTION_TYPE_NONE + } +}; + static void cpt_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos, const struct rte_cryptodev_capabilities *caps, int nb_caps) @@ -692,8 +765,49 @@ cnxk_crypto_capabilities_get(struct cnxk_cpt_vf *vf) return vf->crypto_caps; } +static void +sec_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos, + const struct rte_cryptodev_capabilities *caps, int nb_caps) +{ + if (*cur_pos + nb_caps > CNXK_SEC_CRYPTO_MAX_CAPS) + return; + + memcpy(&cnxk_caps[*cur_pos], caps, nb_caps * sizeof(caps[0])); + *cur_pos += nb_caps; +} + +static void +sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[], + union cpt_eng_caps *hw_caps) +{ + int cur_pos = 0; + + SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, aes); + + sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end)); +} + void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) { + unsigned long i; + crypto_caps_populate(vf->crypto_caps, vf->cpt.hw_caps); + sec_crypto_caps_populate(vf->sec_crypto_caps, vf->cpt.hw_caps); + + PLT_STATIC_ASSERT(RTE_DIM(sec_caps_templ) <= RTE_DIM(vf->sec_caps)); + memcpy(vf->sec_caps, sec_caps_templ, sizeof(sec_caps_templ)); + + for (i = 0; i < RTE_DIM(sec_caps_templ) - 1; i++) + vf->sec_caps[i].crypto_capabilities = vf->sec_crypto_caps; +} + +const struct rte_security_capability * +cnxk_crypto_sec_capabilities_get(void *device) +{ + struct rte_cryptodev *dev = device; + struct cnxk_cpt_vf *vf; + + vf = dev->data->dev_private; + return vf->sec_caps; } diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h index 85f5ad2..fe07e43 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h @@ -10,7 +10,7 @@ #include "cnxk_cryptodev.h" /* - * Initialize crypto capabilities for the device + * Initialize crypto and IPsec capabilities for the device * */ void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf); @@ -22,4 +22,11 @@ void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf); const struct rte_cryptodev_capabilities * cnxk_crypto_capabilities_get(struct cnxk_cpt_vf *vf); +/* + * Get security capabilities list for the device + * + */ +const struct rte_security_capability * +cnxk_crypto_sec_capabilities_get(void *device); + #endif /* _CNXK_CRYPTODEV_CAPABILITIES_H_ */ diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c index f03d2ed..8d04d4b 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c @@ -7,6 +7,7 @@ #include <rte_security.h> #include <rte_security_driver.h> +#include "cnxk_cryptodev_capabilities.h" #include "cnxk_cryptodev_sec.h" /* Common security ops */ @@ -16,7 +17,7 @@ struct rte_security_ops cnxk_sec_ops = { .session_get_size = NULL, .set_pkt_metadata = NULL, .get_userdata = NULL, - .capabilities_get = NULL, + .capabilities_get = cnxk_crypto_sec_capabilities_get }; int -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 0/4] Add rte_security in crypto_cn10k PMD Anoob Joseph ` (3 preceding siblings ...) 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 4/4] crypto/cnxk: add security capabilities Anoob Joseph @ 2021-06-29 7:34 ` Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 1/8] crypto/cnxk: add security ctx skeleton Anoob Joseph ` (8 more replies) 4 siblings, 9 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-29 7:34 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Anoob Joseph, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev Add rte_security (lookaside protocol - IPsec) support in crypto_cn10k. IPsec operations can be offloaded to CPT's SE and IE engines, which can process IPsec protcol operations including atomic sequence number increment (for outbound operations) and anti replay window check (for inbound operations). Add support for asymmetric operations in crypto cnxk PMDs. Following operations are supported, - RSA - DSA - ECDSA - ECPM - Modular Exponentation Anoob Joseph (2): crypto/cnxk: add security capabilities crypto/cnxk: add asymmetric capabilities Kiran Kumar K (3): crypto/cnxk: add asymmetric session ops crypto/cnxk: add asymmetric datapath ops test/crypto: add cnxk for asymmetric cases Srujana Challa (1): crypto/cnxk: add security ctx skeleton Tejasree Kondoj (2): crypto/cnxk: add security session ops crypto/cnxk: add security handling in datapath ops Changes in v3: - Rebased on dpdk-next-crypto ToT - Merged asymmetric & lookaside IPsec series Changes in v2: - Added documentation - Added asymmetric capabilities as separate patch app/test/test_cryptodev_asym.c | 30 + doc/guides/cryptodevs/cnxk.rst | 47 ++ doc/guides/cryptodevs/features/cn10k.ini | 14 + doc/guides/cryptodevs/features/cn9k.ini | 13 + doc/guides/rel_notes/release_21_08.rst | 4 + drivers/crypto/cnxk/cn10k_cryptodev.c | 14 + drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 111 ++- drivers/crypto/cnxk/cn10k_ipsec.c | 275 +++++++ drivers/crypto/cnxk/cn10k_ipsec.h | 36 + drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 74 ++ drivers/crypto/cnxk/cn9k_cryptodev.c | 4 +- drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 35 +- drivers/crypto/cnxk/cnxk_ae.h | 836 ++++++++++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev.h | 8 +- drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 170 +++++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h | 9 +- drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 106 +++ drivers/crypto/cnxk/cnxk_cryptodev_ops.h | 8 + drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 48 ++ drivers/crypto/cnxk/cnxk_cryptodev_sec.h | 14 + drivers/crypto/cnxk/cnxk_ipsec.h | 20 + drivers/crypto/cnxk/meson.build | 6 +- 22 files changed, 1869 insertions(+), 13 deletions(-) create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.c create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.h create mode 100644 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h create mode 100644 drivers/crypto/cnxk/cnxk_ae.h create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.c create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.h create mode 100644 drivers/crypto/cnxk/cnxk_ipsec.h -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH v3 1/8] crypto/cnxk: add security ctx skeleton 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs Anoob Joseph @ 2021-06-29 7:34 ` Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 2/8] crypto/cnxk: add security session ops Anoob Joseph ` (7 subsequent siblings) 8 siblings, 0 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-29 7:34 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Srujana Challa, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev, Anoob Joseph From: Srujana Challa <schalla@marvell.com> Add security ctx in cn10k crypto PMD. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Srujana Challa <schalla@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- drivers/crypto/cnxk/cn10k_cryptodev.c | 9 ++++++ drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 47 ++++++++++++++++++++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev_sec.h | 14 ++++++++++ drivers/crypto/cnxk/meson.build | 3 +- 4 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.c create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index 559aaef..ffe654c 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -14,6 +14,7 @@ #include "cn10k_cryptodev_ops.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_capabilities.h" +#include "cnxk_cryptodev_sec.h" #include "roc_api.h" @@ -77,6 +78,11 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, plt_err("Failed to add engine group rc=%d", rc); goto dev_fini; } + + /* Create security context */ + rc = cnxk_crypto_sec_ctx_create(dev); + if (rc) + goto dev_fini; } cnxk_cpt_caps_populate(vf); @@ -126,6 +132,9 @@ cn10k_cpt_pci_remove(struct rte_pci_device *pci_dev) if (dev == NULL) return -ENODEV; + /* Destroy security context */ + cnxk_crypto_sec_ctx_destroy(dev); + if (rte_eal_process_type() == RTE_PROC_PRIMARY) { vf = dev->data->dev_private; ret = roc_cpt_dev_fini(&vf->cpt); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c new file mode 100644 index 0000000..f03d2ed --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c @@ -0,0 +1,47 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include <rte_cryptodev.h> +#include <rte_malloc.h> +#include <rte_security.h> +#include <rte_security_driver.h> + +#include "cnxk_cryptodev_sec.h" + +/* Common security ops */ +struct rte_security_ops cnxk_sec_ops = { + .session_create = NULL, + .session_destroy = NULL, + .session_get_size = NULL, + .set_pkt_metadata = NULL, + .get_userdata = NULL, + .capabilities_get = NULL, +}; + +int +cnxk_crypto_sec_ctx_create(struct rte_cryptodev *cdev) +{ + struct rte_security_ctx *ctx; + + ctx = rte_malloc("cnxk_cpt_dev_sec_ctx", + sizeof(struct rte_security_ctx), 0); + + if (ctx == NULL) + return -ENOMEM; + + /* Populate ctx */ + ctx->device = cdev; + ctx->ops = &cnxk_sec_ops; + ctx->sess_cnt = 0; + + cdev->security_ctx = ctx; + + return 0; +} + +void +cnxk_crypto_sec_ctx_destroy(struct rte_cryptodev *cdev) +{ + rte_free(cdev->security_ctx); +} diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.h b/drivers/crypto/cnxk/cnxk_cryptodev_sec.h new file mode 100644 index 0000000..9ab0e9e --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.h @@ -0,0 +1,14 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CNXK_CRYPTODEV_SEC_H__ +#define __CNXK_CRYPTODEV_SEC_H__ + +#include <rte_cryptodev.h> + +int cnxk_crypto_sec_ctx_create(struct rte_cryptodev *crypto_dev); + +void cnxk_crypto_sec_ctx_destroy(struct rte_cryptodev *crypto_dev); + +#endif /* __CNXK_CRYPTODEV_SEC_H__ */ diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build index fa6be06..a2b461e 100644 --- a/drivers/crypto/cnxk/meson.build +++ b/drivers/crypto/cnxk/meson.build @@ -16,6 +16,7 @@ sources = files( 'cnxk_cryptodev.c', 'cnxk_cryptodev_capabilities.c', 'cnxk_cryptodev_ops.c', + 'cnxk_cryptodev_sec.c', ) -deps += ['bus_pci', 'common_cnxk'] +deps += ['bus_pci', 'common_cnxk', 'security'] -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH v3 2/8] crypto/cnxk: add security session ops 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 1/8] crypto/cnxk: add security ctx skeleton Anoob Joseph @ 2021-06-29 7:34 ` Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 3/8] crypto/cnxk: add security handling in datapath ops Anoob Joseph ` (6 subsequent siblings) 8 siblings, 0 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-29 7:34 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Tejasree Kondoj, Jerin Jacob, Ankur Dwivedi, dev, Anoob Joseph, Archana Muniganti, Srujana Challa From: Tejasree Kondoj <ktejasree@marvell.com> Add security session ops in cn10k crypto PMD. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Archana Muniganti <marchana@marvell.com> Signed-off-by: Srujana Challa <schalla@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- drivers/crypto/cnxk/cn10k_cryptodev.c | 2 + drivers/crypto/cnxk/cn10k_ipsec.c | 275 ++++++++++++++++++++++++++++++++++ drivers/crypto/cnxk/cn10k_ipsec.h | 36 +++++ drivers/crypto/cnxk/cnxk_ipsec.h | 20 +++ drivers/crypto/cnxk/meson.build | 3 + 5 files changed, 336 insertions(+) create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.c create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.h create mode 100644 drivers/crypto/cnxk/cnxk_ipsec.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index ffe654c..cacf9c2 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -12,6 +12,7 @@ #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" +#include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_capabilities.h" #include "cnxk_cryptodev_sec.h" @@ -101,6 +102,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn10k_cpt_set_enqdeq_fns(dev); + cn10k_sec_ops_override(); return 0; diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c new file mode 100644 index 0000000..1d567bf --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec.c @@ -0,0 +1,275 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include <rte_malloc.h> +#include <rte_cryptodev.h> +#include <rte_esp.h> +#include <rte_ip.h> +#include <rte_security.h> +#include <rte_security_driver.h> +#include <rte_udp.h> + +#include "cnxk_cryptodev.h" +#include "cnxk_ipsec.h" +#include "cnxk_security.h" +#include "cn10k_ipsec.h" + +#include "roc_api.h" + +static int +ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && + crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT) + return -EINVAL; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && + crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT) + return -EINVAL; + + if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + switch (crypto_xfrm->aead.key.length) { + case ROC_CPT_AES128_KEY_LEN: + case ROC_CPT_AES192_KEY_LEN: + case ROC_CPT_AES256_KEY_LEN: + break; + default: + return -EINVAL; + } + return 0; + } + + return -ENOTSUP; +} + +static int +cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS)) + return -EINVAL; + + if ((ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) && + (ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH)) + return -EINVAL; + + if ((ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) && + (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)) + return -EINVAL; + + if ((ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) && + (ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6)) + return -EINVAL; + + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) + return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm); + + return -ENOTSUP; +} + +static uint64_t +ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa) +{ + union cpt_inst_w7 w7; + + w7.u64 = 0; + w7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE]; + w7.s.ctx_val = 1; + w7.s.cptr = (uint64_t)sa; + rte_mb(); + + return w7.u64; +} + +static int +cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sec_sess) +{ + struct roc_ot_ipsec_outb_sa *out_sa; + struct cnxk_ipsec_outb_rlens rlens; + struct cn10k_sec_session *sess; + struct cn10k_ipsec_sa *sa; + union cpt_inst_w4 inst_w4; + int ret; + + sess = get_sec_session_private_data(sec_sess); + sa = &sess->sa; + out_sa = &sa->out_sa; + + memset(out_sa, 0, sizeof(struct roc_ot_ipsec_outb_sa)); + + /* Translate security parameters to SA */ + ret = cnxk_ot_ipsec_outb_sa_fill(out_sa, ipsec_xfrm, crypto_xfrm); + if (ret) + return ret; + + sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa); + + /* Get Rlen calculation data */ + ret = cnxk_ipsec_outb_rlens_get(&rlens, ipsec_xfrm, crypto_xfrm); + if (ret) + return ret; + + sa->partial_len = rlens.partial_len; + sa->roundup_byte = rlens.roundup_byte; + sa->roundup_len = rlens.roundup_len; + + /* pre-populate CPT INST word 4 */ + inst_w4.u64 = 0; + inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC; + inst_w4.s.param1 = 0; + sa->inst.w4 = inst_w4.u64; + + return 0; +} + +static int +cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sec_sess) +{ + struct roc_ot_ipsec_inb_sa *in_sa; + struct cn10k_sec_session *sess; + struct cn10k_ipsec_sa *sa; + union cpt_inst_w4 inst_w4; + int ret; + + sess = get_sec_session_private_data(sec_sess); + sa = &sess->sa; + in_sa = &sa->in_sa; + + /* Translate security parameters to SA */ + ret = cnxk_ot_ipsec_inb_sa_fill(in_sa, ipsec_xfrm, crypto_xfrm); + if (ret) + return ret; + + /* TODO add support for antireplay */ + sa->in_sa.w0.s.ar_win = 0; + + /* TODO add support for udp encap */ + + sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa); + + /* pre-populate CPT INST word 4 */ + inst_w4.u64 = 0; + inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC; + + /* Disable checksum verification for now */ + inst_w4.s.param1 = 7; + sa->inst.w4 = inst_w4.u64; + + return 0; +} + +static int +cn10k_ipsec_session_create(void *dev, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sess) +{ + struct rte_cryptodev *crypto_dev = dev; + struct roc_cpt *roc_cpt; + struct cnxk_cpt_vf *vf; + int ret; + + vf = crypto_dev->data->dev_private; + roc_cpt = &vf->cpt; + + if (crypto_dev->data->queue_pairs[0] == NULL) { + plt_err("Setup cpt queue pair before creating security session"); + return -EPERM; + } + + ret = cn10k_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm); + if (ret) + return ret; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + return cn10k_ipsec_inb_sa_create(roc_cpt, ipsec_xfrm, + crypto_xfrm, sess); + else + return cn10k_ipsec_outb_sa_create(roc_cpt, ipsec_xfrm, + crypto_xfrm, sess); +} + +static int +cn10k_sec_session_create(void *device, struct rte_security_session_conf *conf, + struct rte_security_session *sess, + struct rte_mempool *mempool) +{ + struct cn10k_sec_session *priv; + int ret; + + if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) + return -EINVAL; + + if (rte_security_dynfield_register() < 0) + return -ENOTSUP; + + if (rte_mempool_get(mempool, (void **)&priv)) { + plt_err("Could not allocate security session private data"); + return -ENOMEM; + } + + set_sec_session_private_data(sess, priv); + + priv->userdata = conf->userdata; + + if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) { + ret = -ENOTSUP; + goto mempool_put; + } + ret = cn10k_ipsec_session_create(device, &conf->ipsec, + conf->crypto_xform, sess); + if (ret) + goto mempool_put; + + return 0; + +mempool_put: + rte_mempool_put(mempool, priv); + set_sec_session_private_data(sess, NULL); + return ret; +} + +static int +cn10k_sec_session_destroy(void *device __rte_unused, + struct rte_security_session *sess) +{ + struct cn10k_sec_session *priv; + struct rte_mempool *sess_mp; + + priv = get_sec_session_private_data(sess); + + if (priv == NULL) + return 0; + + sess_mp = rte_mempool_from_obj(priv); + + set_sec_session_private_data(sess, NULL); + rte_mempool_put(sess_mp, priv); + + return 0; +} + +static unsigned int +cn10k_sec_session_get_size(void *device __rte_unused) +{ + return sizeof(struct cn10k_sec_session); +} + +/* Update platform specific security ops */ +void +cn10k_sec_ops_override(void) +{ + /* Update platform specific ops */ + cnxk_sec_ops.session_create = cn10k_sec_session_create; + cnxk_sec_ops.session_destroy = cn10k_sec_session_destroy; + cnxk_sec_ops.session_get_size = cn10k_sec_session_get_size; +} diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h new file mode 100644 index 0000000..668282f --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec.h @@ -0,0 +1,36 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CN10K_IPSEC_H__ +#define __CN10K_IPSEC_H__ + +#include <rte_security.h> + +#include "cnxk_ipsec.h" + +#define CN10K_IPSEC_SA_CTX_HDR_SIZE 1 + +struct cn10k_ipsec_sa { + union { + /** Inbound SA */ + struct roc_ot_ipsec_inb_sa in_sa; + /** Outbound SA */ + struct roc_ot_ipsec_outb_sa out_sa; + }; + /** Pre-populated CPT inst words */ + struct cnxk_cpt_inst_tmpl inst; + uint8_t partial_len; + uint8_t roundup_len; + uint8_t roundup_byte; +}; + +struct cn10k_sec_session { + struct cn10k_ipsec_sa sa; + void *userdata; + /**< Userdata registered by the application */ +} __rte_cache_aligned; + +void cn10k_sec_ops_override(void); + +#endif /* __CN10K_IPSEC_H__ */ diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h new file mode 100644 index 0000000..f6897a0 --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_ipsec.h @@ -0,0 +1,20 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ +#ifndef __CNXK_IPSEC_H__ +#define __CNXK_IPSEC_H__ + +#include <rte_security.h> +#include <rte_security_driver.h> + +#include "roc_api.h" + +extern struct rte_security_ops cnxk_sec_ops; + +struct cnxk_cpt_inst_tmpl { + uint64_t w2; + uint64_t w4; + uint64_t w7; +}; + +#endif /* __CNXK_IPSEC_H__ */ diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build index a2b461e..c56d6cf 100644 --- a/drivers/crypto/cnxk/meson.build +++ b/drivers/crypto/cnxk/meson.build @@ -13,6 +13,7 @@ sources = files( 'cn9k_cryptodev_ops.c', 'cn10k_cryptodev.c', 'cn10k_cryptodev_ops.c', + 'cn10k_ipsec.c', 'cnxk_cryptodev.c', 'cnxk_cryptodev_capabilities.c', 'cnxk_cryptodev_ops.c', @@ -20,3 +21,5 @@ sources = files( ) deps += ['bus_pci', 'common_cnxk', 'security'] + +includes += include_directories('../../../lib/net') -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH v3 3/8] crypto/cnxk: add security handling in datapath ops 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 1/8] crypto/cnxk: add security ctx skeleton Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 2/8] crypto/cnxk: add security session ops Anoob Joseph @ 2021-06-29 7:34 ` Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 4/8] crypto/cnxk: add security capabilities Anoob Joseph ` (5 subsequent siblings) 8 siblings, 0 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-29 7:34 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Tejasree Kondoj, Jerin Jacob, Ankur Dwivedi, dev, Anoob Joseph, Srujana Challa From: Tejasree Kondoj <ktejasree@marvell.com> Add security handling in enqueue dequeue ops. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Srujana Challa <schalla@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 78 ++++++++++++++++++++++++++++++- drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 74 +++++++++++++++++++++++++++++ 2 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 1a30908..8005a25 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -4,9 +4,12 @@ #include <rte_cryptodev.h> #include <rte_cryptodev_pmd.h> +#include <rte_ip.h> #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" +#include "cn10k_ipsec_la_ops.h" +#include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" #include "cnxk_se.h" @@ -42,6 +45,38 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op) } static __rte_always_inline int __rte_hot +cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess, + struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) +{ + struct rte_crypto_sym_op *sym_op = op->sym; + union roc_ot_ipsec_sa_word2 *w2; + struct cn10k_ipsec_sa *sa; + int ret; + + if (unlikely(sym_op->m_dst && sym_op->m_dst != sym_op->m_src)) { + plt_dp_err("Out of place is not supported"); + return -ENOTSUP; + } + + if (unlikely(!rte_pktmbuf_is_contiguous(sym_op->m_src))) { + plt_dp_err("Scatter Gather mode is not supported"); + return -ENOTSUP; + } + + sa = &sess->sa; + w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2; + + if (w2->s.dir == ROC_IE_OT_SA_DIR_OUTBOUND) + ret = process_outb_sa(op, sa, inst); + else { + infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND; + ret = process_inb_sa(op, sa, inst); + } + + return ret; +} + +static __rte_always_inline int __rte_hot cpt_sym_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op, struct cnxk_se_sess *sess, struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) @@ -64,6 +99,7 @@ static inline int cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], struct cpt_inst_s inst[], struct cpt_inflight_req *infl_req) { + struct cn10k_sec_session *sec_sess; struct rte_crypto_sym_op *sym_op; struct cnxk_se_sess *sess; struct rte_crypto_op *op; @@ -79,7 +115,15 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], sym_op = op->sym; if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { - if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { + if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { + sec_sess = get_sec_session_private_data( + sym_op->sec_session); + ret = cpt_sec_inst_fill(op, sec_sess, infl_req, + &inst[0]); + if (unlikely(ret)) + return 0; + w7 = sec_sess->sa.inst.w7; + } else if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { sess = get_sym_session_private_data( sym_op->session, cn10k_cryptodev_driver_id); ret = cpt_sym_inst_fill(qp, op, sess, infl_req, @@ -196,6 +240,34 @@ cn10k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) } static inline void +cn10k_cpt_sec_post_process(struct rte_crypto_op *cop, + struct cpt_inflight_req *infl_req) +{ + struct rte_crypto_sym_op *sym_op = cop->sym; + struct rte_mbuf *m = sym_op->m_src; + struct rte_ipv6_hdr *ip6; + struct rte_ipv4_hdr *ip; + uint16_t m_len; + + if (infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND) { + ip = (struct rte_ipv4_hdr *)rte_pktmbuf_mtod(m, char *); + + if (((ip->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER) == + IPVERSION) { + m_len = rte_be_to_cpu_16(ip->total_length); + } else { + PLT_ASSERT(((ip->version_ihl & 0xf0) >> + RTE_IPV4_IHL_MULTIPLIER) == IPV6_VERSION); + ip6 = (struct rte_ipv6_hdr *)ip; + m_len = rte_be_to_cpu_16(ip6->payload_len) + + sizeof(struct rte_ipv6_hdr); + } + m->data_len = m_len; + m->pkt_len = m_len; + } +} + +static inline void cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, struct rte_crypto_op *cop, struct cpt_inflight_req *infl_req) @@ -219,6 +291,10 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { + if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { + cn10k_cpt_sec_post_process(cop, infl_req); + return; + } /* Verify authentication data if required */ if (unlikely(infl_req->op_flags & diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h new file mode 100644 index 0000000..1e9ebb5 --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h @@ -0,0 +1,74 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CN10K_IPSEC_LA_OPS_H__ +#define __CN10K_IPSEC_LA_OPS_H__ + +#include <rte_crypto_sym.h> +#include <rte_security.h> + +#include "cn10k_cryptodev.h" +#include "cn10k_ipsec.h" +#include "cnxk_cryptodev.h" + +static __rte_always_inline int32_t +ipsec_po_out_rlen_get(struct cn10k_ipsec_sa *sess, uint32_t plen) +{ + uint32_t enc_payload_len; + + enc_payload_len = + RTE_ALIGN_CEIL(plen + sess->roundup_len, sess->roundup_byte); + + return sess->partial_len + enc_payload_len; +} + +static __rte_always_inline int +process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, + struct cpt_inst_s *inst) +{ + struct rte_crypto_sym_op *sym_op = cop->sym; + struct rte_mbuf *m_src = sym_op->m_src; + uint32_t dlen, rlen, extend_tail; + char *mdata; + + dlen = rte_pktmbuf_pkt_len(m_src); + rlen = ipsec_po_out_rlen_get(sess, dlen); + + extend_tail = rlen - dlen; + + mdata = rte_pktmbuf_append(m_src, extend_tail); + if (unlikely(mdata == NULL)) { + plt_dp_err("Not enough tail room"); + return -ENOMEM; + } + + /* Prepare CPT instruction */ + inst->w4.u64 = sess->inst.w4; + inst->w4.s.dlen = dlen; + inst->dptr = rte_pktmbuf_iova(m_src); + inst->rptr = inst->dptr; + + return 0; +} + +static __rte_always_inline int +process_inb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sa, + struct cpt_inst_s *inst) +{ + struct rte_crypto_sym_op *sym_op = cop->sym; + struct rte_mbuf *m_src = sym_op->m_src; + uint32_t dlen; + + dlen = rte_pktmbuf_pkt_len(m_src); + + /* Prepare CPT instruction */ + inst->w4.u64 = sa->inst.w4; + inst->w4.s.dlen = dlen; + inst->dptr = rte_pktmbuf_iova(m_src); + inst->rptr = inst->dptr; + + return 0; +} + +#endif /* __CN10K_IPSEC_LA_OPS_H__ */ -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH v3 4/8] crypto/cnxk: add security capabilities 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs Anoob Joseph ` (2 preceding siblings ...) 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 3/8] crypto/cnxk: add security handling in datapath ops Anoob Joseph @ 2021-06-29 7:34 ` Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 5/8] crypto/cnxk: add asymmetric session ops Anoob Joseph ` (4 subsequent siblings) 8 siblings, 0 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-29 7:34 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Anoob Joseph, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev, Srujana Challa Add security capabilities supported by crypto cn10k PMD. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Srujana Challa <schalla@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- doc/guides/cryptodevs/cnxk.rst | 24 +++++ doc/guides/cryptodevs/features/cn10k.ini | 1 + drivers/crypto/cnxk/cn10k_cryptodev.c | 1 + drivers/crypto/cnxk/cnxk_cryptodev.h | 4 + drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 114 ++++++++++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h | 9 +- drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 3 +- 7 files changed, 154 insertions(+), 2 deletions(-) diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index 66b0b63..db949fa 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -185,6 +185,30 @@ running the test application: ./dpdk-test RTE>>cryptodev_cn10k_autotest +Lookaside IPsec Support +----------------------- + +The OCTEON cnxk SoCs can accelerate IPsec traffic in lookaside protocol mode, +with its **cryptographic accelerator (CPT)**. ``OCTEON cnxk crypto PMD`` implements +this as an ``RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL`` offload. + +Refer to :doc:`../prog_guide/rte_security` for more details on protocol offloads. + +This feature can be tested with ipsec-secgw sample application. + +Supported OCTEON cnxk SoCs +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- CN10XX + +Features supported +~~~~~~~~~~~~~~~~~~ + +* IPv4 +* ESP +* Tunnel mode +* AES-128/192/256-GCM + Limitations ----------- diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index 77c4a2d..b268f84 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -7,6 +7,7 @@ Symmetric crypto = Y Sym operation chaining = Y HW Accelerated = Y +Protocol offload = Y In Place SGL = Y OOP SGL In LB Out = Y OOP SGL In SGL Out = Y diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index cacf9c2..22ae810 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -99,6 +99,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | RTE_CRYPTODEV_FF_SYM_SESSIONLESS | + RTE_CRYPTODEV_FF_SECURITY | RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn10k_cpt_set_enqdeq_fns(dev); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index 03af4af..6760c13 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -6,6 +6,7 @@ #define _CNXK_CRYPTODEV_H_ #include <rte_cryptodev.h> +#include <rte_security.h> #include "roc_cpt.h" @@ -19,6 +20,9 @@ struct cnxk_cpt_vf { struct roc_cpt cpt; struct rte_cryptodev_capabilities crypto_caps[CNXK_CPT_MAX_CAPS]; + struct rte_cryptodev_capabilities + sec_crypto_caps[CNXK_SEC_CRYPTO_MAX_CAPS]; + struct rte_security_capability sec_caps[CNXK_SEC_MAX_CAPS]; }; int cnxk_cpt_eng_grp_add(struct roc_cpt *roc_cpt); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index a5195e8..d52fa89 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -3,6 +3,7 @@ */ #include <rte_cryptodev.h> +#include <rte_security.h> #include "roc_api.h" @@ -18,6 +19,15 @@ RTE_DIM(caps_##name)); \ } while (0) +#define SEC_CAPS_ADD(cnxk_caps, cur_pos, hw_caps, name) \ + do { \ + if ((hw_caps[CPT_ENG_TYPE_SE].name) || \ + (hw_caps[CPT_ENG_TYPE_IE].name) || \ + (hw_caps[CPT_ENG_TYPE_AE].name)) \ + sec_caps_add(cnxk_caps, cur_pos, sec_caps_##name, \ + RTE_DIM(sec_caps_##name)); \ + } while (0) + static const struct rte_cryptodev_capabilities caps_sha1_sha2[] = { { /* SHA1 */ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, @@ -658,6 +668,69 @@ static const struct rte_cryptodev_capabilities caps_end[] = { RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST() }; +static const struct rte_cryptodev_capabilities sec_caps_aes[] = { + { /* AES GCM */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD, + {.aead = { + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 8 + }, + .digest_size = { + .min = 16, + .max = 16, + .increment = 0 + }, + .aad_size = { + .min = 8, + .max = 12, + .increment = 4 + }, + .iv_size = { + .min = 12, + .max = 12, + .increment = 0 + } + }, } + }, } + }, +}; + +static const struct rte_security_capability sec_caps_templ[] = { + { /* IPsec Lookaside Protocol ESP Tunnel Ingress */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec = { + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, + .options = { 0 } + }, + .crypto_capabilities = NULL, + .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA + }, + { /* IPsec Lookaside Protocol ESP Tunnel Egress */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec = { + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .options = { 0 } + }, + .crypto_capabilities = NULL, + .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA + }, + { + .action = RTE_SECURITY_ACTION_TYPE_NONE + } +}; + static void cpt_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos, const struct rte_cryptodev_capabilities *caps, int nb_caps) @@ -692,8 +765,49 @@ cnxk_crypto_capabilities_get(struct cnxk_cpt_vf *vf) return vf->crypto_caps; } +static void +sec_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos, + const struct rte_cryptodev_capabilities *caps, int nb_caps) +{ + if (*cur_pos + nb_caps > CNXK_SEC_CRYPTO_MAX_CAPS) + return; + + memcpy(&cnxk_caps[*cur_pos], caps, nb_caps * sizeof(caps[0])); + *cur_pos += nb_caps; +} + +static void +sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[], + union cpt_eng_caps *hw_caps) +{ + int cur_pos = 0; + + SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, aes); + + sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end)); +} + void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) { + unsigned long i; + crypto_caps_populate(vf->crypto_caps, vf->cpt.hw_caps); + sec_crypto_caps_populate(vf->sec_crypto_caps, vf->cpt.hw_caps); + + PLT_STATIC_ASSERT(RTE_DIM(sec_caps_templ) <= RTE_DIM(vf->sec_caps)); + memcpy(vf->sec_caps, sec_caps_templ, sizeof(sec_caps_templ)); + + for (i = 0; i < RTE_DIM(sec_caps_templ) - 1; i++) + vf->sec_caps[i].crypto_capabilities = vf->sec_crypto_caps; +} + +const struct rte_security_capability * +cnxk_crypto_sec_capabilities_get(void *device) +{ + struct rte_cryptodev *dev = device; + struct cnxk_cpt_vf *vf; + + vf = dev->data->dev_private; + return vf->sec_caps; } diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h index 85f5ad2..fe07e43 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h @@ -10,7 +10,7 @@ #include "cnxk_cryptodev.h" /* - * Initialize crypto capabilities for the device + * Initialize crypto and IPsec capabilities for the device * */ void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf); @@ -22,4 +22,11 @@ void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf); const struct rte_cryptodev_capabilities * cnxk_crypto_capabilities_get(struct cnxk_cpt_vf *vf); +/* + * Get security capabilities list for the device + * + */ +const struct rte_security_capability * +cnxk_crypto_sec_capabilities_get(void *device); + #endif /* _CNXK_CRYPTODEV_CAPABILITIES_H_ */ diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c index f03d2ed..8d04d4b 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c @@ -7,6 +7,7 @@ #include <rte_security.h> #include <rte_security_driver.h> +#include "cnxk_cryptodev_capabilities.h" #include "cnxk_cryptodev_sec.h" /* Common security ops */ @@ -16,7 +17,7 @@ struct rte_security_ops cnxk_sec_ops = { .session_get_size = NULL, .set_pkt_metadata = NULL, .get_userdata = NULL, - .capabilities_get = NULL, + .capabilities_get = cnxk_crypto_sec_capabilities_get }; int -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH v3 5/8] crypto/cnxk: add asymmetric session ops 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs Anoob Joseph ` (3 preceding siblings ...) 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 4/8] crypto/cnxk: add security capabilities Anoob Joseph @ 2021-06-29 7:34 ` Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 6/8] crypto/cnxk: add asymmetric datapath ops Anoob Joseph ` (3 subsequent siblings) 8 siblings, 0 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-29 7:34 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Kiran Kumar K, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev From: Kiran Kumar K <kirankumark@marvell.com> Add asymmetric crypto session ops. Signed-off-by: Kiran Kumar K <kirankumark@marvell.com> --- doc/guides/cryptodevs/features/cn10k.ini | 13 ++ doc/guides/cryptodevs/features/cn9k.ini | 13 ++ drivers/crypto/cnxk/cn10k_cryptodev.c | 2 + drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 6 +- drivers/crypto/cnxk/cn9k_cryptodev.c | 4 +- drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 6 +- drivers/crypto/cnxk/cnxk_ae.h | 211 ++++++++++++++++++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev.h | 4 +- drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 106 +++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev_ops.h | 8 ++ 10 files changed, 365 insertions(+), 8 deletions(-) create mode 100644 drivers/crypto/cnxk/cnxk_ae.h diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index b268f84..f5552fe 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -5,6 +5,7 @@ ; [Features] Symmetric crypto = Y +Asymmetric crypto = Y Sym operation chaining = Y HW Accelerated = Y Protocol offload = Y @@ -65,3 +66,15 @@ AES GCM (128) = Y AES GCM (192) = Y AES GCM (256) = Y CHACHA20-POLY1305 = Y + +; +; Supported Asymmetric algorithms of the 'cn10k' crypto driver. +; +[Asymmetric] +RSA = Y +DSA = +Modular Exponentiation = Y +Modular Inversion = +Diffie-hellman = +ECDSA = Y +ECPM = Y diff --git a/doc/guides/cryptodevs/features/cn9k.ini b/doc/guides/cryptodevs/features/cn9k.ini index 7b310e6..d69dbe8 100644 --- a/doc/guides/cryptodevs/features/cn9k.ini +++ b/doc/guides/cryptodevs/features/cn9k.ini @@ -5,6 +5,7 @@ ; [Features] Symmetric crypto = Y +Asymmetric crypto = Y Sym operation chaining = Y HW Accelerated = Y In Place SGL = Y @@ -64,3 +65,15 @@ AES GCM (128) = Y AES GCM (192) = Y AES GCM (256) = Y CHACHA20-POLY1305 = Y + +; +; Supported Asymmetric algorithms of the 'cn9k' crypto driver. +; +[Asymmetric] +RSA = Y +DSA = +Modular Exponentiation = Y +Modular Inversion = +Diffie-hellman = +ECDSA = Y +ECPM = Y diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index 22ae810..10a621f 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -92,7 +92,9 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, dev->driver_id = cn10k_cryptodev_driver_id; dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | + RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_HW_ACCELERATED | + RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_QT | RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING | RTE_CRYPTODEV_FF_IN_PLACE_SGL | RTE_CRYPTODEV_FF_OOP_LB_IN_LB_OUT | diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 8005a25..aa615b2 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -426,8 +426,8 @@ struct rte_cryptodev_ops cn10k_cpt_ops = { .sym_session_clear = cnxk_cpt_sym_session_clear, /* Asymmetric crypto ops */ - .asym_session_get_size = NULL, - .asym_session_configure = NULL, - .asym_session_clear = NULL, + .asym_session_get_size = cnxk_ae_session_size_get, + .asym_session_configure = cnxk_ae_session_cfg, + .asym_session_clear = cnxk_ae_session_clear, }; diff --git a/drivers/crypto/cnxk/cn9k_cryptodev.c b/drivers/crypto/cnxk/cn9k_cryptodev.c index d3dc084..e74e739 100644 --- a/drivers/crypto/cnxk/cn9k_cryptodev.c +++ b/drivers/crypto/cnxk/cn9k_cryptodev.c @@ -83,6 +83,7 @@ cn9k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, cnxk_cpt_caps_populate(vf); dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | + RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_HW_ACCELERATED | RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING | RTE_CRYPTODEV_FF_IN_PLACE_SGL | @@ -90,7 +91,8 @@ cn9k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | RTE_CRYPTODEV_FF_SYM_SESSIONLESS | - RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; + RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED | + RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_QT; cn9k_cpt_set_enqdeq_fns(dev); diff --git a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c index b939d99..6d1537b 100644 --- a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c @@ -312,8 +312,8 @@ struct rte_cryptodev_ops cn9k_cpt_ops = { .sym_session_clear = cnxk_cpt_sym_session_clear, /* Asymmetric crypto ops */ - .asym_session_get_size = NULL, - .asym_session_configure = NULL, - .asym_session_clear = NULL, + .asym_session_get_size = cnxk_ae_session_size_get, + .asym_session_configure = cnxk_ae_session_cfg, + .asym_session_clear = cnxk_ae_session_clear, }; diff --git a/drivers/crypto/cnxk/cnxk_ae.h b/drivers/crypto/cnxk/cnxk_ae.h new file mode 100644 index 0000000..e3dd63b --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_ae.h @@ -0,0 +1,211 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef _CNXK_AE_H_ +#define _CNXK_AE_H_ + +#include <rte_common.h> +#include <rte_crypto_asym.h> +#include <rte_malloc.h> + +#include "roc_api.h" +#include "cnxk_cryptodev_ops.h" + +struct cnxk_ae_sess { + enum rte_crypto_asym_xform_type xfrm_type; + union { + struct rte_crypto_rsa_xform rsa_ctx; + struct rte_crypto_modex_xform mod_ctx; + struct roc_ae_ec_ctx ec_ctx; + }; + uint64_t *cnxk_fpm_iova; + struct roc_ae_ec_group **ec_grp; + uint64_t cpt_inst_w7; +}; + +static __rte_always_inline void +cnxk_ae_modex_param_normalize(uint8_t **data, size_t *len) +{ + size_t i; + + /* Strip leading NUL bytes */ + for (i = 0; i < *len; i++) { + if ((*data)[i] != 0) + break; + } + *data += i; + *len -= i; +} + +static __rte_always_inline int +cnxk_ae_fill_modex_params(struct cnxk_ae_sess *sess, + struct rte_crypto_asym_xform *xform) +{ + struct rte_crypto_modex_xform *ctx = &sess->mod_ctx; + size_t exp_len = xform->modex.exponent.length; + size_t mod_len = xform->modex.modulus.length; + uint8_t *exp = xform->modex.exponent.data; + uint8_t *mod = xform->modex.modulus.data; + + cnxk_ae_modex_param_normalize(&mod, &mod_len); + cnxk_ae_modex_param_normalize(&exp, &exp_len); + + if (unlikely(exp_len == 0 || mod_len == 0)) + return -EINVAL; + + if (unlikely(exp_len > mod_len)) + return -ENOTSUP; + + /* Allocate buffer to hold modexp params */ + ctx->modulus.data = rte_malloc(NULL, mod_len + exp_len, 0); + if (ctx->modulus.data == NULL) + return -ENOMEM; + + /* Set up modexp prime modulus and private exponent */ + memcpy(ctx->modulus.data, mod, mod_len); + ctx->exponent.data = ctx->modulus.data + mod_len; + memcpy(ctx->exponent.data, exp, exp_len); + + ctx->modulus.length = mod_len; + ctx->exponent.length = exp_len; + + return 0; +} + +static __rte_always_inline int +cnxk_ae_fill_rsa_params(struct cnxk_ae_sess *sess, + struct rte_crypto_asym_xform *xform) +{ + struct rte_crypto_rsa_priv_key_qt qt = xform->rsa.qt; + struct rte_crypto_rsa_xform *xfrm_rsa = &xform->rsa; + struct rte_crypto_rsa_xform *rsa = &sess->rsa_ctx; + size_t mod_len = xfrm_rsa->n.length; + size_t exp_len = xfrm_rsa->e.length; + size_t len = (mod_len / 2); + uint64_t total_size; + + /* Make sure key length used is not more than mod_len/2 */ + if (qt.p.data != NULL) + len = RTE_MIN(len, qt.p.length); + + /* Total size required for RSA key params(n,e,(q,dQ,p,dP,qInv)) */ + total_size = mod_len + exp_len + 5 * len; + + /* Allocate buffer to hold all RSA keys */ + rsa->n.data = rte_malloc(NULL, total_size, 0); + if (rsa->n.data == NULL) + return -ENOMEM; + + /* Set up RSA prime modulus and public key exponent */ + memcpy(rsa->n.data, xfrm_rsa->n.data, mod_len); + rsa->e.data = rsa->n.data + mod_len; + memcpy(rsa->e.data, xfrm_rsa->e.data, exp_len); + + /* Private key in quintuple format */ + if (len != 0) { + rsa->qt.q.data = rsa->e.data + exp_len; + memcpy(rsa->qt.q.data, qt.q.data, qt.q.length); + rsa->qt.dQ.data = rsa->qt.q.data + qt.q.length; + memcpy(rsa->qt.dQ.data, qt.dQ.data, qt.dQ.length); + rsa->qt.p.data = rsa->qt.dQ.data + qt.dQ.length; + memcpy(rsa->qt.p.data, qt.p.data, qt.p.length); + rsa->qt.dP.data = rsa->qt.p.data + qt.p.length; + memcpy(rsa->qt.dP.data, qt.dP.data, qt.dP.length); + rsa->qt.qInv.data = rsa->qt.dP.data + qt.dP.length; + memcpy(rsa->qt.qInv.data, qt.qInv.data, qt.qInv.length); + + rsa->qt.q.length = qt.q.length; + rsa->qt.dQ.length = qt.dQ.length; + rsa->qt.p.length = qt.p.length; + rsa->qt.dP.length = qt.dP.length; + rsa->qt.qInv.length = qt.qInv.length; + } + rsa->n.length = mod_len; + rsa->e.length = exp_len; + + return 0; +} + +static __rte_always_inline int +cnxk_ae_fill_ec_params(struct cnxk_ae_sess *sess, + struct rte_crypto_asym_xform *xform) +{ + struct roc_ae_ec_ctx *ec = &sess->ec_ctx; + + switch (xform->ec.curve_id) { + case RTE_CRYPTO_EC_GROUP_SECP192R1: + ec->curveid = ROC_AE_EC_ID_P192; + break; + case RTE_CRYPTO_EC_GROUP_SECP224R1: + ec->curveid = ROC_AE_EC_ID_P224; + break; + case RTE_CRYPTO_EC_GROUP_SECP256R1: + ec->curveid = ROC_AE_EC_ID_P256; + break; + case RTE_CRYPTO_EC_GROUP_SECP384R1: + ec->curveid = ROC_AE_EC_ID_P384; + break; + case RTE_CRYPTO_EC_GROUP_SECP521R1: + ec->curveid = ROC_AE_EC_ID_P521; + break; + default: + /* Only NIST curves (FIPS 186-4) are supported */ + return -EINVAL; + } + + return 0; +} + +static __rte_always_inline int +cnxk_ae_fill_session_parameters(struct cnxk_ae_sess *sess, + struct rte_crypto_asym_xform *xform) +{ + int ret; + + sess->xfrm_type = xform->xform_type; + + switch (xform->xform_type) { + case RTE_CRYPTO_ASYM_XFORM_RSA: + ret = cnxk_ae_fill_rsa_params(sess, xform); + break; + case RTE_CRYPTO_ASYM_XFORM_MODEX: + ret = cnxk_ae_fill_modex_params(sess, xform); + break; + case RTE_CRYPTO_ASYM_XFORM_ECDSA: + /* Fall through */ + case RTE_CRYPTO_ASYM_XFORM_ECPM: + ret = cnxk_ae_fill_ec_params(sess, xform); + break; + default: + return -ENOTSUP; + } + return ret; +} + +static inline void +cnxk_ae_free_session_parameters(struct cnxk_ae_sess *sess) +{ + struct rte_crypto_modex_xform *mod; + struct rte_crypto_rsa_xform *rsa; + + switch (sess->xfrm_type) { + case RTE_CRYPTO_ASYM_XFORM_RSA: + rsa = &sess->rsa_ctx; + if (rsa->n.data) + rte_free(rsa->n.data); + break; + case RTE_CRYPTO_ASYM_XFORM_MODEX: + mod = &sess->mod_ctx; + if (mod->modulus.data) + rte_free(mod->modulus.data); + break; + case RTE_CRYPTO_ASYM_XFORM_ECDSA: + /* Fall through */ + case RTE_CRYPTO_ASYM_XFORM_ECPM: + break; + default: + break; + } +} +#endif /* _CNXK_AE_H_ */ diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index 6760c13..5e38933 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -13,7 +13,7 @@ #define CNXK_CPT_MAX_CAPS 34 #define CNXK_SEC_CRYPTO_MAX_CAPS 4 #define CNXK_SEC_MAX_CAPS 3 - +#define CNXK_AE_EC_ID_MAX 5 /** * Device private data */ @@ -23,6 +23,8 @@ struct cnxk_cpt_vf { struct rte_cryptodev_capabilities sec_crypto_caps[CNXK_SEC_CRYPTO_MAX_CAPS]; struct rte_security_capability sec_caps[CNXK_SEC_MAX_CAPS]; + uint64_t cnxk_fpm_iova[CNXK_AE_EC_ID_MAX]; + struct roc_ae_ec_group *ec_grp[CNXK_AE_EC_ID_MAX]; }; int cnxk_cpt_eng_grp_add(struct roc_cpt *roc_cpt); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c index 0d81785..7322539 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c @@ -8,11 +8,15 @@ #include "roc_cpt.h" +#include "cnxk_ae.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" #include "cnxk_cryptodev_capabilities.h" #include "cnxk_se.h" +#define CNXK_CPT_MAX_ASYM_OP_NUM_PARAMS 5 +#define CNXK_CPT_MAX_ASYM_OP_MOD_LEN 1024 + static int cnxk_cpt_get_mlen(void) { @@ -31,6 +35,20 @@ cnxk_cpt_get_mlen(void) return len; } +static int +cnxk_cpt_asym_get_mlen(void) +{ + uint32_t len; + + /* To hold RPTR */ + len = sizeof(uint64_t); + + /* Get meta len for asymmetric operations */ + len += CNXK_CPT_MAX_ASYM_OP_NUM_PARAMS * CNXK_CPT_MAX_ASYM_OP_MOD_LEN; + + return len; +} + int cnxk_cpt_dev_config(struct rte_cryptodev *dev, struct rte_cryptodev_config *conf) @@ -54,6 +72,23 @@ cnxk_cpt_dev_config(struct rte_cryptodev *dev, return ret; } + if (dev->feature_flags & RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO) { + /* Initialize shared FPM table */ + ret = roc_ae_fpm_get(vf->cnxk_fpm_iova); + if (ret) { + plt_err("Could not get FPM table"); + return ret; + } + + /* Init EC grp table */ + ret = roc_ae_ec_grp_get(vf->ec_grp); + if (ret) { + plt_err("Could not get EC grp table"); + roc_ae_fpm_put(); + return ret; + } + } + return 0; } @@ -86,6 +121,11 @@ cnxk_cpt_dev_close(struct rte_cryptodev *dev) } } + if (dev->feature_flags & RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO) { + roc_ae_fpm_put(); + roc_ae_ec_grp_put(); + } + roc_cpt_dev_clear(&vf->cpt); return 0; @@ -128,6 +168,12 @@ cnxk_cpt_metabuf_mempool_create(const struct rte_cryptodev *dev, mlen = cnxk_cpt_get_mlen(); } + if (dev->feature_flags & RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO) { + + /* Get meta len required for asymmetric operations */ + mlen = RTE_MAX(mlen, cnxk_cpt_asym_get_mlen()); + } + cache_sz = RTE_MIN(RTE_MEMPOOL_CACHE_MAX_SIZE, nb_elements / 1.5); /* Allocate mempool */ @@ -549,3 +595,63 @@ cnxk_cpt_sym_session_clear(struct rte_cryptodev *dev, { return sym_session_clear(dev->driver_id, sess); } + +unsigned int +cnxk_ae_session_size_get(struct rte_cryptodev *dev __rte_unused) +{ + return sizeof(struct cnxk_ae_sess); +} + +void +cnxk_ae_session_clear(struct rte_cryptodev *dev, + struct rte_cryptodev_asym_session *sess) +{ + struct rte_mempool *sess_mp; + struct cnxk_ae_sess *priv; + + priv = get_asym_session_private_data(sess, dev->driver_id); + if (priv == NULL) + return; + + /* Free resources allocated in session_cfg */ + cnxk_ae_free_session_parameters(priv); + + /* Reset and free object back to pool */ + memset(priv, 0, cnxk_ae_session_size_get(dev)); + sess_mp = rte_mempool_from_obj(priv); + set_asym_session_private_data(sess, dev->driver_id, NULL); + rte_mempool_put(sess_mp, priv); +} + +int +cnxk_ae_session_cfg(struct rte_cryptodev *dev, + struct rte_crypto_asym_xform *xform, + struct rte_cryptodev_asym_session *sess, + struct rte_mempool *pool) +{ + struct cnxk_cpt_vf *vf = dev->data->dev_private; + struct roc_cpt *roc_cpt = &vf->cpt; + struct cnxk_ae_sess *priv; + union cpt_inst_w7 w7; + int ret; + + if (rte_mempool_get(pool, (void **)&priv)) + return -ENOMEM; + + memset(priv, 0, sizeof(struct cnxk_ae_sess)); + + ret = cnxk_ae_fill_session_parameters(priv, xform); + if (ret) { + rte_mempool_put(pool, priv); + return ret; + } + + w7.u64 = 0; + w7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_AE]; + priv->cpt_inst_w7 = w7.u64; + priv->cnxk_fpm_iova = vf->cnxk_fpm_iova; + priv->ec_grp = vf->ec_grp; + set_asym_session_private_data(sess, dev->driver_id, priv); + + return 0; +} diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_ops.h b/drivers/crypto/cnxk/cnxk_cryptodev_ops.h index 7995959..c317f40 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_ops.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev_ops.h @@ -105,4 +105,12 @@ void cnxk_cpt_sym_session_clear(struct rte_cryptodev *dev, void sym_session_clear(int driver_id, struct rte_cryptodev_sym_session *sess); +unsigned int cnxk_ae_session_size_get(struct rte_cryptodev *dev __rte_unused); + +void cnxk_ae_session_clear(struct rte_cryptodev *dev, + struct rte_cryptodev_asym_session *sess); +int cnxk_ae_session_cfg(struct rte_cryptodev *dev, + struct rte_crypto_asym_xform *xform, + struct rte_cryptodev_asym_session *sess, + struct rte_mempool *pool); #endif /* _CNXK_CRYPTODEV_OPS_H_ */ -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH v3 6/8] crypto/cnxk: add asymmetric datapath ops 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs Anoob Joseph ` (4 preceding siblings ...) 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 5/8] crypto/cnxk: add asymmetric session ops Anoob Joseph @ 2021-06-29 7:34 ` Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 7/8] crypto/cnxk: add asymmetric capabilities Anoob Joseph ` (2 subsequent siblings) 8 siblings, 0 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-29 7:34 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Kiran Kumar K, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev From: Kiran Kumar K <kirankumark@marvell.com> Add asymmetric crypto datapath ops. Signed-off-by: Kiran Kumar K <kirankumark@marvell.com> --- drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 27 ++ drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 29 +- drivers/crypto/cnxk/cnxk_ae.h | 625 ++++++++++++++++++++++++++++++ 3 files changed, 679 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index aa615b2..6d322a9 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -10,6 +10,7 @@ #include "cn10k_cryptodev_ops.h" #include "cn10k_ipsec_la_ops.h" #include "cn10k_ipsec.h" +#include "cnxk_ae.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" #include "cnxk_se.h" @@ -100,7 +101,9 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], struct cpt_inst_s inst[], struct cpt_inflight_req *infl_req) { struct cn10k_sec_session *sec_sess; + struct rte_crypto_asym_op *asym_op; struct rte_crypto_sym_op *sym_op; + struct cnxk_ae_sess *ae_sess; struct cnxk_se_sess *sess; struct rte_crypto_op *op; uint64_t w7; @@ -148,6 +151,21 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], } w7 = sess->cpt_inst_w7; } + } else if (op->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC) { + + if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { + asym_op = op->asym; + ae_sess = get_asym_session_private_data( + asym_op->session, cn10k_cryptodev_driver_id); + ret = cnxk_ae_enqueue(qp, op, infl_req, &inst[0], + ae_sess); + if (unlikely(ret)) + return 0; + w7 = ae_sess->cpt_inst_w7; + } else { + plt_dp_err("Not supported Asym op without session"); + return 0; + } } else { plt_dp_err("Unsupported op type"); return 0; @@ -303,6 +321,15 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, compl_auth_verify(cop, (uint8_t *)rsp[0], rsp[1]); } + } else if (cop->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC) { + struct rte_crypto_asym_op *op = cop->asym; + uintptr_t *mdata = infl_req->mdata; + struct cnxk_ae_sess *sess; + + sess = get_asym_session_private_data( + op->session, cn10k_cryptodev_driver_id); + + cnxk_ae_post_process(cop, sess, (uint8_t *)mdata[0]); } } else { cop->status = RTE_CRYPTO_OP_STATUS_ERROR; diff --git a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c index 6d1537b..724965b 100644 --- a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c @@ -7,6 +7,7 @@ #include "cn9k_cryptodev.h" #include "cn9k_cryptodev_ops.h" +#include "cnxk_ae.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" #include "cnxk_se.h" @@ -65,11 +66,11 @@ static uint16_t cn9k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) { struct cpt_inflight_req *infl_req; + struct rte_crypto_asym_op *asym_op; struct rte_crypto_sym_op *sym_op; uint16_t nb_allowed, count = 0; struct cnxk_cpt_qp *qp = qptr; struct pending_queue *pend_q; - struct cnxk_se_sess *sess; struct rte_crypto_op *op; struct cpt_inst_s inst; uint64_t lmt_status; @@ -95,6 +96,8 @@ cn9k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) infl_req->op_flags = 0; if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { + struct cnxk_se_sess *sess; + if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { sym_op = op->sym; sess = get_sym_session_private_data( @@ -120,6 +123,20 @@ cn9k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) op->sym->session); } } + inst.w7.u64 = sess->cpt_inst_w7; + } else if (op->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC) { + struct cnxk_ae_sess *sess; + + ret = -EINVAL; + if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { + asym_op = op->asym; + sess = get_asym_session_private_data( + asym_op->session, + cn9k_cryptodev_driver_id); + ret = cnxk_ae_enqueue(qp, op, infl_req, &inst, + sess); + inst.w7.u64 = sess->cpt_inst_w7; + } } else { plt_dp_err("Unsupported op type"); break; @@ -134,7 +151,6 @@ cn9k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) infl_req->res.cn9k.compcode = CPT_COMP_NOT_DONE; inst.res_addr = (uint64_t)&infl_req->res; - inst.w7.u64 = sess->cpt_inst_w7; do { /* Copy CPT command to LMTLINE */ @@ -189,6 +205,15 @@ cn9k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, struct rte_crypto_op *cop, compl_auth_verify(cop, (uint8_t *)rsp[0], rsp[1]); } + } else if (cop->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC) { + struct rte_crypto_asym_op *op = cop->asym; + uintptr_t *mdata = infl_req->mdata; + struct cnxk_ae_sess *sess; + + sess = get_asym_session_private_data( + op->session, cn9k_cryptodev_driver_id); + + cnxk_ae_post_process(cop, sess, (uint8_t *)mdata[0]); } } else { cop->status = RTE_CRYPTO_OP_STATUS_ERROR; diff --git a/drivers/crypto/cnxk/cnxk_ae.h b/drivers/crypto/cnxk/cnxk_ae.h index e3dd63b..c752e62 100644 --- a/drivers/crypto/cnxk/cnxk_ae.h +++ b/drivers/crypto/cnxk/cnxk_ae.h @@ -208,4 +208,629 @@ cnxk_ae_free_session_parameters(struct cnxk_ae_sess *sess) break; } } + +static __rte_always_inline int +cnxk_ae_modex_prep(struct rte_crypto_op *op, struct roc_ae_buf_ptr *meta_buf, + struct rte_crypto_modex_xform *mod, struct cpt_inst_s *inst) +{ + uint32_t exp_len = mod->exponent.length; + uint32_t mod_len = mod->modulus.length; + struct rte_crypto_mod_op_param mod_op; + uint64_t total_key_len; + union cpt_inst_w4 w4; + uint32_t base_len; + uint32_t dlen; + uint8_t *dptr; + + mod_op = op->asym->modex; + + base_len = mod_op.base.length; + if (unlikely(base_len > mod_len)) { + op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + return -ENOTSUP; + } + + total_key_len = mod_len + exp_len; + + /* Input buffer */ + dptr = meta_buf->vaddr; + inst->dptr = (uintptr_t)dptr; + memcpy(dptr, mod->modulus.data, total_key_len); + dptr += total_key_len; + memcpy(dptr, mod_op.base.data, base_len); + dptr += base_len; + dlen = total_key_len + base_len; + + /* Setup opcodes */ + w4.s.opcode_major = ROC_AE_MAJOR_OP_MODEX; + w4.s.opcode_minor = ROC_AE_MINOR_OP_MODEX; + + w4.s.param1 = mod_len; + w4.s.param2 = exp_len; + w4.s.dlen = dlen; + + inst->w4.u64 = w4.u64; + inst->rptr = (uintptr_t)dptr; + + return 0; +} + +static __rte_always_inline void +cnxk_ae_rsa_prep(struct rte_crypto_op *op, struct roc_ae_buf_ptr *meta_buf, + struct rte_crypto_rsa_xform *rsa, + rte_crypto_param *crypto_param, struct cpt_inst_s *inst) +{ + struct rte_crypto_rsa_op_param rsa_op; + uint32_t mod_len = rsa->n.length; + uint32_t exp_len = rsa->e.length; + uint64_t total_key_len; + union cpt_inst_w4 w4; + uint32_t in_size; + uint32_t dlen; + uint8_t *dptr; + + rsa_op = op->asym->rsa; + total_key_len = mod_len + exp_len; + + /* Input buffer */ + dptr = meta_buf->vaddr; + inst->dptr = (uintptr_t)dptr; + memcpy(dptr, rsa->n.data, total_key_len); + dptr += total_key_len; + + in_size = crypto_param->length; + memcpy(dptr, crypto_param->data, in_size); + + dptr += in_size; + dlen = total_key_len + in_size; + + if (rsa_op.pad == RTE_CRYPTO_RSA_PADDING_NONE) { + /* Use mod_exp operation for no_padding type */ + w4.s.opcode_minor = ROC_AE_MINOR_OP_MODEX; + w4.s.param2 = exp_len; + } else { + if (rsa_op.op_type == RTE_CRYPTO_ASYM_OP_ENCRYPT) { + w4.s.opcode_minor = ROC_AE_MINOR_OP_PKCS_ENC; + /* Public key encrypt, use BT2*/ + w4.s.param2 = ROC_AE_CPT_BLOCK_TYPE2 | + ((uint16_t)(exp_len) << 1); + } else if (rsa_op.op_type == RTE_CRYPTO_ASYM_OP_VERIFY) { + w4.s.opcode_minor = ROC_AE_MINOR_OP_PKCS_DEC; + /* Public key decrypt, use BT1 */ + w4.s.param2 = ROC_AE_CPT_BLOCK_TYPE1; + } + } + + w4.s.opcode_major = ROC_AE_MAJOR_OP_MODEX; + + w4.s.param1 = mod_len; + w4.s.dlen = dlen; + + inst->w4.u64 = w4.u64; + inst->rptr = (uintptr_t)dptr; +} + +static __rte_always_inline void +cnxk_ae_rsa_crt_prep(struct rte_crypto_op *op, struct roc_ae_buf_ptr *meta_buf, + struct rte_crypto_rsa_xform *rsa, + rte_crypto_param *crypto_param, struct cpt_inst_s *inst) +{ + uint32_t qInv_len = rsa->qt.qInv.length; + struct rte_crypto_rsa_op_param rsa_op; + uint32_t dP_len = rsa->qt.dP.length; + uint32_t dQ_len = rsa->qt.dQ.length; + uint32_t p_len = rsa->qt.p.length; + uint32_t q_len = rsa->qt.q.length; + uint32_t mod_len = rsa->n.length; + uint64_t total_key_len; + union cpt_inst_w4 w4; + uint32_t in_size; + uint32_t dlen; + uint8_t *dptr; + + rsa_op = op->asym->rsa; + total_key_len = p_len + q_len + dP_len + dQ_len + qInv_len; + + /* Input buffer */ + dptr = meta_buf->vaddr; + inst->dptr = (uintptr_t)dptr; + memcpy(dptr, rsa->qt.q.data, total_key_len); + dptr += total_key_len; + + in_size = crypto_param->length; + memcpy(dptr, crypto_param->data, in_size); + + dptr += in_size; + dlen = total_key_len + in_size; + + if (rsa_op.pad == RTE_CRYPTO_RSA_PADDING_NONE) { + /*Use mod_exp operation for no_padding type */ + w4.s.opcode_minor = ROC_AE_MINOR_OP_MODEX_CRT; + } else { + if (rsa_op.op_type == RTE_CRYPTO_ASYM_OP_SIGN) { + w4.s.opcode_minor = ROC_AE_MINOR_OP_PKCS_ENC_CRT; + /* Private encrypt, use BT1 */ + w4.s.param2 = ROC_AE_CPT_BLOCK_TYPE1; + } else if (rsa_op.op_type == RTE_CRYPTO_ASYM_OP_DECRYPT) { + w4.s.opcode_minor = ROC_AE_MINOR_OP_PKCS_DEC_CRT; + /* Private decrypt, use BT2 */ + w4.s.param2 = ROC_AE_CPT_BLOCK_TYPE2; + } + } + + w4.s.opcode_major = ROC_AE_MAJOR_OP_MODEX; + + w4.s.param1 = mod_len; + w4.s.dlen = dlen; + + inst->w4.u64 = w4.u64; + inst->rptr = (uintptr_t)dptr; +} + +static __rte_always_inline int __rte_hot +cnxk_ae_enqueue_rsa_op(struct rte_crypto_op *op, + struct roc_ae_buf_ptr *meta_buf, + struct cnxk_ae_sess *sess, struct cpt_inst_s *inst) +{ + struct rte_crypto_rsa_op_param *rsa = &op->asym->rsa; + + switch (rsa->op_type) { + case RTE_CRYPTO_ASYM_OP_VERIFY: + cnxk_ae_rsa_prep(op, meta_buf, &sess->rsa_ctx, &rsa->sign, + inst); + break; + case RTE_CRYPTO_ASYM_OP_ENCRYPT: + cnxk_ae_rsa_prep(op, meta_buf, &sess->rsa_ctx, &rsa->message, + inst); + break; + case RTE_CRYPTO_ASYM_OP_SIGN: + cnxk_ae_rsa_crt_prep(op, meta_buf, &sess->rsa_ctx, + &rsa->message, inst); + break; + case RTE_CRYPTO_ASYM_OP_DECRYPT: + cnxk_ae_rsa_crt_prep(op, meta_buf, &sess->rsa_ctx, &rsa->cipher, + inst); + break; + default: + op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + return -EINVAL; + } + return 0; +} + +static __rte_always_inline void +cnxk_ae_ecdsa_sign_prep(struct rte_crypto_ecdsa_op_param *ecdsa, + struct roc_ae_buf_ptr *meta_buf, + uint64_t fpm_table_iova, struct roc_ae_ec_group *ec_grp, + uint8_t curveid, struct cpt_inst_s *inst) +{ + uint16_t message_len = ecdsa->message.length; + uint16_t pkey_len = ecdsa->pkey.length; + uint16_t p_align, k_align, m_align; + uint16_t k_len = ecdsa->k.length; + uint16_t order_len, prime_len; + uint16_t o_offset, pk_offset; + union cpt_inst_w4 w4; + uint16_t dlen; + uint8_t *dptr; + + prime_len = ec_grp->prime.length; + order_len = ec_grp->order.length; + + /* Truncate input length to curve prime length */ + if (message_len > prime_len) + message_len = prime_len; + m_align = RTE_ALIGN_CEIL(message_len, 8); + + p_align = RTE_ALIGN_CEIL(prime_len, 8); + k_align = RTE_ALIGN_CEIL(k_len, 8); + + /* Set write offset for order and private key */ + o_offset = prime_len - order_len; + pk_offset = prime_len - pkey_len; + + /* Input buffer */ + dptr = meta_buf->vaddr; + inst->dptr = (uintptr_t)dptr; + + /* + * Set dlen = sum(sizeof(fpm address), ROUNDUP8(scalar len, input len), + * ROUNDUP8(priv key len, prime len, order len)). + * Please note, private key, order cannot exceed prime + * length i.e 3 * p_align. + */ + dlen = sizeof(fpm_table_iova) + k_align + m_align + p_align * 3; + + memset(dptr, 0, dlen); + + *(uint64_t *)dptr = fpm_table_iova; + dptr += sizeof(fpm_table_iova); + + memcpy(dptr, ecdsa->k.data, k_len); + dptr += k_align; + + memcpy(dptr, ec_grp->prime.data, prime_len); + dptr += p_align; + + memcpy(dptr + o_offset, ec_grp->order.data, order_len); + dptr += p_align; + + memcpy(dptr + pk_offset, ecdsa->pkey.data, pkey_len); + dptr += p_align; + + memcpy(dptr, ecdsa->message.data, message_len); + dptr += m_align; + + /* Setup opcodes */ + w4.s.opcode_major = ROC_AE_MAJOR_OP_ECDSA; + w4.s.opcode_minor = ROC_AE_MINOR_OP_ECDSA_SIGN; + + w4.s.param1 = curveid | (message_len << 8); + w4.s.param2 = k_len; + w4.s.dlen = dlen; + + inst->w4.u64 = w4.u64; + inst->rptr = (uintptr_t)dptr; +} + +static __rte_always_inline void +cnxk_ae_ecdsa_verify_prep(struct rte_crypto_ecdsa_op_param *ecdsa, + struct roc_ae_buf_ptr *meta_buf, + uint64_t fpm_table_iova, + struct roc_ae_ec_group *ec_grp, uint8_t curveid, + struct cpt_inst_s *inst) +{ + uint32_t message_len = ecdsa->message.length; + uint16_t o_offset, r_offset, s_offset; + uint16_t qx_len = ecdsa->q.x.length; + uint16_t qy_len = ecdsa->q.y.length; + uint16_t r_len = ecdsa->r.length; + uint16_t s_len = ecdsa->s.length; + uint16_t order_len, prime_len; + uint16_t qx_offset, qy_offset; + uint16_t p_align, m_align; + union cpt_inst_w4 w4; + uint16_t dlen; + uint8_t *dptr; + + prime_len = ec_grp->prime.length; + order_len = ec_grp->order.length; + + /* Truncate input length to curve prime length */ + if (message_len > prime_len) + message_len = prime_len; + + m_align = RTE_ALIGN_CEIL(message_len, 8); + p_align = RTE_ALIGN_CEIL(prime_len, 8); + + /* Set write offset for sign, order and public key coordinates */ + o_offset = prime_len - order_len; + qx_offset = prime_len - qx_len; + qy_offset = prime_len - qy_len; + r_offset = prime_len - r_len; + s_offset = prime_len - s_len; + + /* Input buffer */ + dptr = meta_buf->vaddr; + inst->dptr = (uintptr_t)dptr; + + /* + * Set dlen = sum(sizeof(fpm address), ROUNDUP8(message len), + * ROUNDUP8(sign len(r and s), public key len(x and y coordinates), + * prime len, order len)). + * Please note sign, public key and order can not exceed prime length + * i.e. 6 * p_align + */ + dlen = sizeof(fpm_table_iova) + m_align + (6 * p_align); + + memset(dptr, 0, dlen); + + *(uint64_t *)dptr = fpm_table_iova; + dptr += sizeof(fpm_table_iova); + + memcpy(dptr + r_offset, ecdsa->r.data, r_len); + dptr += p_align; + + memcpy(dptr + s_offset, ecdsa->s.data, s_len); + dptr += p_align; + + memcpy(dptr, ecdsa->message.data, message_len); + dptr += m_align; + + memcpy(dptr + o_offset, ec_grp->order.data, order_len); + dptr += p_align; + + memcpy(dptr, ec_grp->prime.data, prime_len); + dptr += p_align; + + memcpy(dptr + qx_offset, ecdsa->q.x.data, qx_len); + dptr += p_align; + + memcpy(dptr + qy_offset, ecdsa->q.y.data, qy_len); + dptr += p_align; + + /* Setup opcodes */ + w4.s.opcode_major = ROC_AE_MAJOR_OP_ECDSA; + w4.s.opcode_minor = ROC_AE_MINOR_OP_ECDSA_VERIFY; + + w4.s.param1 = curveid | (message_len << 8); + w4.s.param2 = 0; + w4.s.dlen = dlen; + + inst->w4.u64 = w4.u64; + inst->rptr = (uintptr_t)dptr; +} + +static __rte_always_inline int __rte_hot +cnxk_ae_enqueue_ecdsa_op(struct rte_crypto_op *op, + struct roc_ae_buf_ptr *meta_buf, + struct cnxk_ae_sess *sess, uint64_t *fpm_iova, + struct roc_ae_ec_group **ec_grp, + struct cpt_inst_s *inst) +{ + struct rte_crypto_ecdsa_op_param *ecdsa = &op->asym->ecdsa; + uint8_t curveid = sess->ec_ctx.curveid; + + if (ecdsa->op_type == RTE_CRYPTO_ASYM_OP_SIGN) + cnxk_ae_ecdsa_sign_prep(ecdsa, meta_buf, fpm_iova[curveid], + ec_grp[curveid], curveid, inst); + else if (ecdsa->op_type == RTE_CRYPTO_ASYM_OP_VERIFY) + cnxk_ae_ecdsa_verify_prep(ecdsa, meta_buf, fpm_iova[curveid], + ec_grp[curveid], curveid, inst); + else { + op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + return -EINVAL; + } + return 0; +} + +static __rte_always_inline int +cnxk_ae_ecpm_prep(struct rte_crypto_ecpm_op_param *ecpm, + struct roc_ae_buf_ptr *meta_buf, + struct roc_ae_ec_group *ec_grp, uint8_t curveid, + struct cpt_inst_s *inst) +{ + uint16_t x1_len = ecpm->p.x.length; + uint16_t y1_len = ecpm->p.y.length; + uint16_t scalar_align, p_align; + uint16_t x1_offset, y1_offset; + uint16_t dlen, prime_len; + union cpt_inst_w4 w4; + uint8_t *dptr; + + prime_len = ec_grp->prime.length; + + /* Input buffer */ + dptr = meta_buf->vaddr; + inst->dptr = (uintptr_t)dptr; + + p_align = RTE_ALIGN_CEIL(prime_len, 8); + scalar_align = RTE_ALIGN_CEIL(ecpm->scalar.length, 8); + + /* + * Set dlen = sum(ROUNDUP8(input point(x and y coordinates), prime, + * scalar length), + * Please note point length is equivalent to prime of the curve + */ + dlen = 3 * p_align + scalar_align; + + x1_offset = prime_len - x1_len; + y1_offset = prime_len - y1_len; + + memset(dptr, 0, dlen); + + /* Copy input point, scalar, prime */ + memcpy(dptr + x1_offset, ecpm->p.x.data, x1_len); + dptr += p_align; + memcpy(dptr + y1_offset, ecpm->p.y.data, y1_len); + dptr += p_align; + memcpy(dptr, ecpm->scalar.data, ecpm->scalar.length); + dptr += scalar_align; + memcpy(dptr, ec_grp->prime.data, ec_grp->prime.length); + dptr += p_align; + + /* Setup opcodes */ + w4.s.opcode_major = ROC_AE_MAJOR_OP_ECC; + w4.s.opcode_minor = ROC_AE_MINOR_OP_ECC_UMP; + + w4.s.param1 = curveid; + w4.s.param2 = ecpm->scalar.length; + w4.s.dlen = dlen; + + inst->w4.u64 = w4.u64; + inst->rptr = (uintptr_t)dptr; + + return 0; +} + +static __rte_always_inline void +cnxk_ae_dequeue_rsa_op(struct rte_crypto_op *cop, uint8_t *rptr, + struct rte_crypto_rsa_xform *rsa_ctx) +{ + struct rte_crypto_rsa_op_param *rsa = &cop->asym->rsa; + + switch (rsa->op_type) { + case RTE_CRYPTO_ASYM_OP_ENCRYPT: + rsa->cipher.length = rsa_ctx->n.length; + memcpy(rsa->cipher.data, rptr, rsa->cipher.length); + break; + case RTE_CRYPTO_ASYM_OP_DECRYPT: + if (rsa->pad == RTE_CRYPTO_RSA_PADDING_NONE) { + rsa->message.length = rsa_ctx->n.length; + memcpy(rsa->message.data, rptr, rsa->message.length); + } else { + /* Get length of decrypted output */ + rsa->message.length = + rte_cpu_to_be_16(*((uint16_t *)rptr)); + /* + * Offset output data pointer by length field + * (2 bytes) and copy decrypted data. + */ + memcpy(rsa->message.data, rptr + 2, + rsa->message.length); + } + break; + case RTE_CRYPTO_ASYM_OP_SIGN: + rsa->sign.length = rsa_ctx->n.length; + memcpy(rsa->sign.data, rptr, rsa->sign.length); + break; + case RTE_CRYPTO_ASYM_OP_VERIFY: + if (rsa->pad == RTE_CRYPTO_RSA_PADDING_NONE) { + rsa->sign.length = rsa_ctx->n.length; + memcpy(rsa->sign.data, rptr, rsa->sign.length); + } else { + /* Get length of signed output */ + rsa->sign.length = + rte_cpu_to_be_16(*((uint16_t *)rptr)); + /* + * Offset output data pointer by length field + * (2 bytes) and copy signed data. + */ + memcpy(rsa->sign.data, rptr + 2, rsa->sign.length); + } + if (memcmp(rsa->sign.data, rsa->message.data, + rsa->message.length)) { + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + } + break; + default: + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + break; + } +} + +static __rte_always_inline void +cnxk_ae_dequeue_ecdsa_op(struct rte_crypto_ecdsa_op_param *ecdsa, uint8_t *rptr, + struct roc_ae_ec_ctx *ec, + struct roc_ae_ec_group **ec_grp) +{ + int prime_len = ec_grp[ec->curveid]->prime.length; + + if (ecdsa->op_type == RTE_CRYPTO_ASYM_OP_VERIFY) + return; + + /* Separate out sign r and s components */ + memcpy(ecdsa->r.data, rptr, prime_len); + memcpy(ecdsa->s.data, rptr + RTE_ALIGN_CEIL(prime_len, 8), prime_len); + ecdsa->r.length = prime_len; + ecdsa->s.length = prime_len; +} + +static __rte_always_inline void +cnxk_ae_dequeue_ecpm_op(struct rte_crypto_ecpm_op_param *ecpm, uint8_t *rptr, + struct roc_ae_ec_ctx *ec, + struct roc_ae_ec_group **ec_grp) +{ + int prime_len = ec_grp[ec->curveid]->prime.length; + + memcpy(ecpm->r.x.data, rptr, prime_len); + memcpy(ecpm->r.y.data, rptr + RTE_ALIGN_CEIL(prime_len, 8), prime_len); + ecpm->r.x.length = prime_len; + ecpm->r.y.length = prime_len; +} + +static __rte_always_inline void * +cnxk_ae_alloc_meta(struct roc_ae_buf_ptr *buf, + struct rte_mempool *cpt_meta_pool, + struct cpt_inflight_req *infl_req) +{ + uint8_t *mdata; + + if (unlikely(rte_mempool_get(cpt_meta_pool, (void **)&mdata) < 0)) + return NULL; + + buf->vaddr = mdata; + + infl_req->mdata = mdata; + infl_req->op_flags |= CPT_OP_FLAGS_METABUF; + + return mdata; +} + +static __rte_always_inline int32_t __rte_hot +cnxk_ae_enqueue(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op, + struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst, + struct cnxk_ae_sess *sess) +{ + struct cpt_qp_meta_info *minfo = &qp->meta_info; + struct rte_crypto_asym_op *asym_op = op->asym; + struct roc_ae_buf_ptr meta_buf; + uint64_t *mop; + void *mdata; + int ret; + + mdata = cnxk_ae_alloc_meta(&meta_buf, minfo->pool, infl_req); + if (mdata == NULL) + return -ENOMEM; + + /* Reserve 8B for RPTR */ + meta_buf.vaddr = PLT_PTR_ADD(mdata, sizeof(uint64_t)); + + switch (sess->xfrm_type) { + case RTE_CRYPTO_ASYM_XFORM_MODEX: + ret = cnxk_ae_modex_prep(op, &meta_buf, &sess->mod_ctx, inst); + if (unlikely(ret)) + goto req_fail; + break; + case RTE_CRYPTO_ASYM_XFORM_RSA: + ret = cnxk_ae_enqueue_rsa_op(op, &meta_buf, sess, inst); + if (unlikely(ret)) + goto req_fail; + break; + case RTE_CRYPTO_ASYM_XFORM_ECDSA: + ret = cnxk_ae_enqueue_ecdsa_op(op, &meta_buf, sess, + sess->cnxk_fpm_iova, + sess->ec_grp, inst); + if (unlikely(ret)) + goto req_fail; + break; + case RTE_CRYPTO_ASYM_XFORM_ECPM: + ret = cnxk_ae_ecpm_prep(&asym_op->ecpm, &meta_buf, + sess->ec_grp[sess->ec_ctx.curveid], + sess->ec_ctx.curveid, inst); + if (unlikely(ret)) + goto req_fail; + break; + default: + op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + ret = -EINVAL; + goto req_fail; + } + + mop = mdata; + mop[0] = inst->rptr; + return 0; + +req_fail: + rte_mempool_put(minfo->pool, infl_req->mdata); + return ret; +} + +static __rte_always_inline void +cnxk_ae_post_process(struct rte_crypto_op *cop, struct cnxk_ae_sess *sess, + uint8_t *rptr) +{ + struct rte_crypto_asym_op *op = cop->asym; + + switch (sess->xfrm_type) { + case RTE_CRYPTO_ASYM_XFORM_RSA: + cnxk_ae_dequeue_rsa_op(cop, rptr, &sess->rsa_ctx); + break; + case RTE_CRYPTO_ASYM_XFORM_MODEX: + op->modex.result.length = sess->mod_ctx.modulus.length; + memcpy(op->modex.result.data, rptr, op->modex.result.length); + break; + case RTE_CRYPTO_ASYM_XFORM_ECDSA: + cnxk_ae_dequeue_ecdsa_op(&op->ecdsa, rptr, &sess->ec_ctx, + sess->ec_grp); + break; + case RTE_CRYPTO_ASYM_XFORM_ECPM: + cnxk_ae_dequeue_ecpm_op(&op->ecpm, rptr, &sess->ec_ctx, + sess->ec_grp); + break; + default: + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + break; + } +} #endif /* _CNXK_AE_H_ */ -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH v3 7/8] crypto/cnxk: add asymmetric capabilities 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs Anoob Joseph ` (5 preceding siblings ...) 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 6/8] crypto/cnxk: add asymmetric datapath ops Anoob Joseph @ 2021-06-29 7:34 ` Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 8/8] test/crypto: add cnxk for asymmetric cases Anoob Joseph 2021-06-29 19:52 ` [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs Akhil Goyal 8 siblings, 0 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-29 7:34 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Anoob Joseph, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev Add asymmetric capabilities supported. Signed-off-by: Anoob Joseph <anoobj@marvell.com> --- doc/guides/cryptodevs/cnxk.rst | 6 +++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 56 +++++++++++++++++++++++ 2 files changed, 62 insertions(+) diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index db949fa..bbc6daa 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -67,6 +67,12 @@ AEAD algorithms: * ``RTE_CRYPTO_AEAD_AES_GCM`` * ``RTE_CRYPTO_AEAD_CHACHA20_POLY1305`` +Asymmetric Crypto Algorithms +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* ``RTE_CRYPTO_ASYM_XFORM_RSA`` +* ``RTE_CRYPTO_ASYM_XFORM_MODEX`` + Installation ------------ diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index d52fa89..ab37f9c 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -28,6 +28,61 @@ RTE_DIM(sec_caps_##name)); \ } while (0) +static const struct rte_cryptodev_capabilities caps_mul[] = { + { /* RSA */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_RSA, + .op_types = ((1 << RTE_CRYPTO_ASYM_OP_SIGN) | + (1 << RTE_CRYPTO_ASYM_OP_VERIFY) | + (1 << RTE_CRYPTO_ASYM_OP_ENCRYPT) | + (1 << RTE_CRYPTO_ASYM_OP_DECRYPT)), + {.modlen = { + .min = 17, + .max = 1024, + .increment = 1 + }, } + } + }, } + }, + { /* MOD_EXP */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODEX, + .op_types = 0, + {.modlen = { + .min = 17, + .max = 1024, + .increment = 1 + }, } + } + }, } + }, + { /* ECDSA */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_ECDSA, + .op_types = ((1 << RTE_CRYPTO_ASYM_OP_SIGN) | + (1 << RTE_CRYPTO_ASYM_OP_VERIFY)), + } + }, + } + }, + { /* ECPM */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_ECPM, + .op_types = 0 + } + }, + } + }, +}; + static const struct rte_cryptodev_capabilities caps_sha1_sha2[] = { { /* SHA1 */ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, @@ -748,6 +803,7 @@ crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[], { int cur_pos = 0; + CPT_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, mul); CPT_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, sha1_sha2); CPT_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, chacha20); CPT_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, zuc_snow3g); -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH v3 8/8] test/crypto: add cnxk for asymmetric cases 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs Anoob Joseph ` (6 preceding siblings ...) 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 7/8] crypto/cnxk: add asymmetric capabilities Anoob Joseph @ 2021-06-29 7:34 ` Anoob Joseph 2021-06-29 19:52 ` [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs Akhil Goyal 8 siblings, 0 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-29 7:34 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Kiran Kumar K, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev From: Kiran Kumar K <kirankumark@marvell.com> Adding autotest for cn9k and cn10k. Signed-off-by: Kiran Kumar K <kirankumark@marvell.com> --- app/test/test_cryptodev_asym.c | 30 ++++++++++++++++++++++++++++++ doc/guides/cryptodevs/cnxk.rst | 17 +++++++++++++++++ doc/guides/rel_notes/release_21_08.rst | 4 ++++ 3 files changed, 51 insertions(+) diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c index b36eec9..847b074 100644 --- a/app/test/test_cryptodev_asym.c +++ b/app/test/test_cryptodev_asym.c @@ -2390,6 +2390,34 @@ test_cryptodev_octeontx2_asym(void) return unit_test_suite_runner(&cryptodev_octeontx_asym_testsuite); } +static int +test_cryptodev_cn9k_asym(void) +{ + gbl_driver_id = rte_cryptodev_driver_id_get( + RTE_STR(CRYPTODEV_NAME_CN9K_PMD)); + if (gbl_driver_id == -1) { + RTE_LOG(ERR, USER1, "CN9K PMD must be loaded.\n"); + return TEST_FAILED; + } + + /* Use test suite registered for crypto_octeontx PMD */ + return unit_test_suite_runner(&cryptodev_octeontx_asym_testsuite); +} + +static int +test_cryptodev_cn10k_asym(void) +{ + gbl_driver_id = rte_cryptodev_driver_id_get( + RTE_STR(CRYPTODEV_NAME_CN10K_PMD)); + if (gbl_driver_id == -1) { + RTE_LOG(ERR, USER1, "CN10K PMD must be loaded.\n"); + return TEST_FAILED; + } + + /* Use test suite registered for crypto_octeontx PMD */ + return unit_test_suite_runner(&cryptodev_octeontx_asym_testsuite); +} + REGISTER_TEST_COMMAND(cryptodev_openssl_asym_autotest, test_cryptodev_openssl_asym); @@ -2400,3 +2428,5 @@ REGISTER_TEST_COMMAND(cryptodev_octeontx_asym_autotest, REGISTER_TEST_COMMAND(cryptodev_octeontx2_asym_autotest, test_cryptodev_octeontx2_asym); +REGISTER_TEST_COMMAND(cryptodev_cn9k_asym_autotest, test_cryptodev_cn9k_asym); +REGISTER_TEST_COMMAND(cryptodev_cn10k_asym_autotest, test_cryptodev_cn10k_asym); diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index bbc6daa..98c7118 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -191,6 +191,23 @@ running the test application: ./dpdk-test RTE>>cryptodev_cn10k_autotest +The asymmetric crypto operations on OCTEON cnxk crypto PMD may be verified by +running the test application: + +``CN9K`` + +.. code-block:: console + + ./dpdk-test + RTE>>cryptodev_cn9k_asym_autotest + +``CN10K`` + +.. code-block:: console + + ./dpdk-test + RTE>>cryptodev_cn10k_asym_autotest + Lookaside IPsec Support ----------------------- diff --git a/doc/guides/rel_notes/release_21_08.rst b/doc/guides/rel_notes/release_21_08.rst index 72652ac..cd51b49 100644 --- a/doc/guides/rel_notes/release_21_08.rst +++ b/doc/guides/rel_notes/release_21_08.rst @@ -59,6 +59,10 @@ New Features * Added cnxk crypto PMD which provides support for an integrated crypto driver for CN9K and CN10K series of SOCs. + * Added 'cn9k_crypto' PMD which supports symmetric & asymmetric + offloads + * Added 'cn10k_crypto' PMD which supports symmetric, asymmetric + and lookaside protocol (IPsec) offloads. Removed Items -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs Anoob Joseph ` (7 preceding siblings ...) 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 8/8] test/crypto: add cnxk for asymmetric cases Anoob Joseph @ 2021-06-29 19:52 ` Akhil Goyal 8 siblings, 0 replies; 24+ messages in thread From: Akhil Goyal @ 2021-06-29 19:52 UTC (permalink / raw) To: Anoob Joseph, Thomas Monjalon Cc: Anoob Joseph, Jerin Jacob Kollanukkaran, Ankur Dwivedi, Tejasree Kondoj, dev > > Add rte_security (lookaside protocol - IPsec) support in crypto_cn10k. > > IPsec operations can be offloaded to CPT's SE and IE engines, which > can process IPsec protcol operations including atomic sequence number > increment (for outbound operations) and anti replay window check (for > inbound operations). > > Add support for asymmetric operations in crypto cnxk PMDs. > Following operations are supported, > - RSA > - DSA > - ECDSA > - ECPM > - Modular Exponentation > Series Acked-by: Akhil Goyal <gakhil@marvell.com> Applied to dpdk-next-crypto Release notes and patch title/description updated while merging. ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH 2/4] crypto/cnxk: add security capabilities 2021-06-02 17:10 [dpdk-dev] [PATCH 0/4] Add rte_security in crypto_cn10k PMD Anoob Joseph 2021-06-02 17:10 ` [dpdk-dev] [PATCH 1/4] crypto/cnxk: add security ctx skeleton Anoob Joseph @ 2021-06-02 17:11 ` Anoob Joseph 2021-06-02 17:11 ` [dpdk-dev] [PATCH 3/4] crypto/cnxk: add security session ops Anoob Joseph ` (2 subsequent siblings) 4 siblings, 0 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-02 17:11 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Anoob Joseph, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev, Srujana Challa Add security capabilities supported by crypto cn10k PMD. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Srujana Challa <schalla@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- drivers/crypto/cnxk/cnxk_cryptodev.h | 4 + drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 114 ++++++++++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h | 9 +- drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 3 +- 4 files changed, 128 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index dcbdc53..1568be3 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -6,6 +6,7 @@ #define _CNXK_CRYPTODEV_H_ #include <rte_cryptodev.h> +#include <rte_security.h> #include "roc_cpt.h" @@ -31,6 +32,9 @@ struct cnxk_cpt_vf { struct roc_cpt cpt; struct rte_cryptodev_capabilities crypto_caps[CNXK_CPT_MAX_CAPS]; + struct rte_cryptodev_capabilities + sec_crypto_caps[CNXK_SEC_CRYPTO_MAX_CAPS]; + struct rte_security_capability sec_caps[CNXK_SEC_MAX_CAPS]; }; int cnxk_cpt_eng_grp_add(struct roc_cpt *roc_cpt); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index e627854..ab37f9c 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -3,6 +3,7 @@ */ #include <rte_cryptodev.h> +#include <rte_security.h> #include "roc_api.h" @@ -18,6 +19,15 @@ RTE_DIM(caps_##name)); \ } while (0) +#define SEC_CAPS_ADD(cnxk_caps, cur_pos, hw_caps, name) \ + do { \ + if ((hw_caps[CPT_ENG_TYPE_SE].name) || \ + (hw_caps[CPT_ENG_TYPE_IE].name) || \ + (hw_caps[CPT_ENG_TYPE_AE].name)) \ + sec_caps_add(cnxk_caps, cur_pos, sec_caps_##name, \ + RTE_DIM(sec_caps_##name)); \ + } while (0) + static const struct rte_cryptodev_capabilities caps_mul[] = { { /* RSA */ .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, @@ -713,6 +723,69 @@ static const struct rte_cryptodev_capabilities caps_end[] = { RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST() }; +static const struct rte_cryptodev_capabilities sec_caps_aes[] = { + { /* AES GCM */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD, + {.aead = { + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 8 + }, + .digest_size = { + .min = 16, + .max = 16, + .increment = 0 + }, + .aad_size = { + .min = 8, + .max = 12, + .increment = 4 + }, + .iv_size = { + .min = 12, + .max = 12, + .increment = 0 + } + }, } + }, } + }, +}; + +static const struct rte_security_capability sec_caps_templ[] = { + { /* IPsec Lookaside Protocol ESP Tunnel Ingress */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec = { + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, + .options = { 0 } + }, + .crypto_capabilities = NULL, + .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA + }, + { /* IPsec Lookaside Protocol ESP Tunnel Egress */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec = { + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .options = { 0 } + }, + .crypto_capabilities = NULL, + .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA + }, + { + .action = RTE_SECURITY_ACTION_TYPE_NONE + } +}; + static void cpt_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos, const struct rte_cryptodev_capabilities *caps, int nb_caps) @@ -748,8 +821,49 @@ cnxk_crypto_capabilities_get(struct cnxk_cpt_vf *vf) return vf->crypto_caps; } +static void +sec_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos, + const struct rte_cryptodev_capabilities *caps, int nb_caps) +{ + if (*cur_pos + nb_caps > CNXK_SEC_CRYPTO_MAX_CAPS) + return; + + memcpy(&cnxk_caps[*cur_pos], caps, nb_caps * sizeof(caps[0])); + *cur_pos += nb_caps; +} + +static void +sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[], + union cpt_eng_caps *hw_caps) +{ + int cur_pos = 0; + + SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, aes); + + sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end)); +} + void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) { + unsigned long i; + crypto_caps_populate(vf->crypto_caps, vf->cpt.hw_caps); + sec_crypto_caps_populate(vf->sec_crypto_caps, vf->cpt.hw_caps); + + PLT_STATIC_ASSERT(RTE_DIM(sec_caps_templ) <= RTE_DIM(vf->sec_caps)); + memcpy(vf->sec_caps, sec_caps_templ, sizeof(sec_caps_templ)); + + for (i = 0; i < RTE_DIM(sec_caps_templ) - 1; i++) + vf->sec_caps[i].crypto_capabilities = vf->sec_crypto_caps; +} + +const struct rte_security_capability * +cnxk_crypto_sec_capabilities_get(void *device) +{ + struct rte_cryptodev *dev = device; + struct cnxk_cpt_vf *vf; + + vf = dev->data->dev_private; + return vf->sec_caps; } diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h index 85f5ad2..fe07e43 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h @@ -10,7 +10,7 @@ #include "cnxk_cryptodev.h" /* - * Initialize crypto capabilities for the device + * Initialize crypto and IPsec capabilities for the device * */ void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf); @@ -22,4 +22,11 @@ void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf); const struct rte_cryptodev_capabilities * cnxk_crypto_capabilities_get(struct cnxk_cpt_vf *vf); +/* + * Get security capabilities list for the device + * + */ +const struct rte_security_capability * +cnxk_crypto_sec_capabilities_get(void *device); + #endif /* _CNXK_CRYPTODEV_CAPABILITIES_H_ */ diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c index f03d2ed..8d04d4b 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c @@ -7,6 +7,7 @@ #include <rte_security.h> #include <rte_security_driver.h> +#include "cnxk_cryptodev_capabilities.h" #include "cnxk_cryptodev_sec.h" /* Common security ops */ @@ -16,7 +17,7 @@ struct rte_security_ops cnxk_sec_ops = { .session_get_size = NULL, .set_pkt_metadata = NULL, .get_userdata = NULL, - .capabilities_get = NULL, + .capabilities_get = cnxk_crypto_sec_capabilities_get }; int -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH 3/4] crypto/cnxk: add security session ops 2021-06-02 17:10 [dpdk-dev] [PATCH 0/4] Add rte_security in crypto_cn10k PMD Anoob Joseph 2021-06-02 17:10 ` [dpdk-dev] [PATCH 1/4] crypto/cnxk: add security ctx skeleton Anoob Joseph 2021-06-02 17:11 ` [dpdk-dev] [PATCH 2/4] crypto/cnxk: add security capabilities Anoob Joseph @ 2021-06-02 17:11 ` Anoob Joseph 2021-06-16 20:11 ` Akhil Goyal 2021-06-02 17:11 ` [dpdk-dev] [PATCH 4/4] crypto/cnxk: add security handling in datapath ops Anoob Joseph 2021-06-16 20:15 ` [dpdk-dev] [PATCH 0/4] Add rte_security in crypto_cn10k PMD Akhil Goyal 4 siblings, 1 reply; 24+ messages in thread From: Anoob Joseph @ 2021-06-02 17:11 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Tejasree Kondoj, Jerin Jacob, Ankur Dwivedi, dev, Anoob Joseph, Archana Muniganti, Srujana Challa From: Tejasree Kondoj <ktejasree@marvell.com> Add security session ops in cn10k crypto PMD. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Archana Muniganti <marchana@marvell.com> Signed-off-by: Srujana Challa <schalla@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- drivers/crypto/cnxk/cn10k_cryptodev.c | 2 + drivers/crypto/cnxk/cn10k_ipsec.c | 520 ++++++++++++++++++++++++++++++++++ drivers/crypto/cnxk/cn10k_ipsec.h | 38 +++ drivers/crypto/cnxk/cnxk_ipsec.h | 18 ++ drivers/crypto/cnxk/meson.build | 3 +- 5 files changed, 580 insertions(+), 1 deletion(-) create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.c create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.h create mode 100644 drivers/crypto/cnxk/cnxk_ipsec.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index b58d390..9517e62 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -12,6 +12,7 @@ #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" +#include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_capabilities.h" #include "cnxk_cryptodev_sec.h" @@ -97,6 +98,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn10k_cpt_set_enqdeq_fns(dev); + cn10k_sec_ops_override(); return 0; diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c new file mode 100644 index 0000000..31be6e7 --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec.c @@ -0,0 +1,520 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include <rte_malloc.h> +#include <rte_cryptodev.h> +#include <rte_esp.h> +#include <rte_ip.h> +#include <rte_security.h> +#include <rte_security_driver.h> +#include <rte_udp.h> + +#include "cnxk_cryptodev.h" +#include "cnxk_ipsec.h" +#include "cn10k_ipsec.h" + +#include "roc_api.h" +#include "roc_ie.h" + +static int +ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && + crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT) + return -EINVAL; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && + crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT) + return -EINVAL; + + if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + switch (crypto_xfrm->aead.key.length) { + case ROC_AES128_KEY_LEN: + case ROC_AES192_KEY_LEN: + case ROC_AES256_KEY_LEN: + break; + default: + return -EINVAL; + } + return 0; + } + + return -ENOTSUP; +} + +static int +cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS)) + return -EINVAL; + + if ((ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) && + (ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH)) + return -EINVAL; + + if ((ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) && + (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)) + return -EINVAL; + + if ((ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) && + (ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6)) + return -EINVAL; + + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) + return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm); + + return -ENOTSUP; +} + +static uint64_t +ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa) +{ + union cpt_inst_w7 w7; + + w7.u64 = 0; + w7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE]; + w7.s.ctx_val = 1; + w7.s.cptr = (uint64_t)sa; + rte_mb(); + + return w7.u64; +} + +static int +ipsec_get_inb_ctx_size(struct roc_ot_ipsec_inb_sa *sa __rte_unused) +{ + + return offsetof(struct roc_ot_ipsec_inb_sa, ctx) + + offsetof(struct roc_ot_ipsec_inb_ctx_update_reg, ar_winbits) + 8; +} + +static int +ipsec_sa_inb_param_fill(struct roc_cpt *roc_cpt, struct cn10k_ipsec_sa *sa) +{ + /* TODO add support for antireplay */ + sa->in_sa.w0.s.ar_win = 0; + + /* TODO add support for udp encap */ + + sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa); + + return 0; +} + +static int +ipsec_sa_len_precalc(struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *xform, + struct cn10k_ipsec_sa *sa) +{ + if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) + sa->partial_len = sizeof(struct rte_ipv4_hdr); + else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) + sa->partial_len = sizeof(struct rte_ipv6_hdr); + else + return -EINVAL; + + if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) { + sa->partial_len += sizeof(struct rte_esp_hdr); + sa->roundup_len = sizeof(struct rte_esp_tail); + } else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) { + sa->partial_len += ROC_IE_AH_HDR_LEN; + } else { + return -EINVAL; + } + + if (ipsec->options.udp_encap) + sa->partial_len += sizeof(struct rte_udp_hdr); + + if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + sa->partial_len += ROC_IE_AES_GCM_IV_LEN; + sa->partial_len += ROC_IE_AES_GCM_MAC_LEN; + sa->roundup_byte = ROC_IE_AES_GCM_ROUNDUP_BYTE_LEN; + return 0; + } else { + return -EINVAL; + } + } + + return 0; +} + +static int +ipsec_sa_outb_param_fill(struct roc_cpt *roc_cpt, + struct cn10k_ipsec_sa *ipsec_sa, + struct rte_security_ipsec_xform *ipsec) +{ + struct roc_ot_ipsec_outb_sa *sa = &ipsec_sa->out_sa; + uint32_t *ip_addr; + + /* Set up tunnel header generation */ + if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + sa->w2.s.outer_ip_ver = ROC_IE_OT_SA_IP_VERSION_4; + memcpy(&sa->outer_hdr.ipv4.src_addr, + &ipsec->tunnel.ipv4.src_ip, + sizeof(struct in_addr)); + ip_addr = (uint32_t *)&sa->outer_hdr.ipv4.src_addr; + *ip_addr = rte_be_to_cpu_32(*ip_addr); + memcpy(&sa->outer_hdr.ipv4.dst_addr, + &ipsec->tunnel.ipv4.dst_ip, + sizeof(struct in_addr)); + ip_addr = (uint32_t *)&sa->outer_hdr.ipv4.dst_addr; + *ip_addr = rte_be_to_cpu_32(*ip_addr); + + if (!ipsec->options.copy_df) { + sa->w2.s.ipv4_df_src_or_ipv6_flw_lbl_src = + ROC_IE_OT_SA_COPY_FROM_SA; + sa->w10.s.ipv4_df_or_ipv6_flw_lbl = + ipsec->tunnel.ipv4.df; + } else + sa->w2.s.ipv4_df_src_or_ipv6_flw_lbl_src = + ROC_IE_OT_SA_COPY_FROM_INNER_IP_HDR; + + if (!ipsec->options.copy_dscp) { + sa->w2.s.dscp_src = ROC_IE_OT_SA_COPY_FROM_SA; + sa->w10.s.dscp = ipsec->tunnel.ipv4.dscp; + } else + sa->w2.s.dscp_src = + ROC_IE_OT_SA_COPY_FROM_INNER_IP_HDR; + + } else if (ipsec->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV6) { + sa->w2.s.outer_ip_ver = ROC_IE_OT_SA_IP_VERSION_6; + memcpy(&sa->outer_hdr.ipv6.src_addr, + &ipsec->tunnel.ipv6.src_addr, + sizeof(struct in6_addr)); + memcpy(&sa->outer_hdr.ipv6.dst_addr, + &ipsec->tunnel.ipv6.dst_addr, + sizeof(struct in6_addr)); + + if (!ipsec->options.copy_flabel) { + sa->w2.s.ipv4_df_src_or_ipv6_flw_lbl_src = + ROC_IE_OT_SA_COPY_FROM_SA; + + sa->w10.s.ipv4_df_or_ipv6_flw_lbl = + ipsec->tunnel.ipv6.flabel; + } else + sa->w2.s.ipv4_df_src_or_ipv6_flw_lbl_src = + ROC_IE_OT_SA_COPY_FROM_INNER_IP_HDR; + + if (!ipsec->options.copy_dscp) { + sa->w2.s.dscp_src = ROC_IE_OT_SA_COPY_FROM_SA; + sa->w10.s.dscp = ipsec->tunnel.ipv6.dscp; + } else + sa->w2.s.dscp_src = + ROC_IE_OT_SA_COPY_FROM_INNER_IP_HDR; + } else { + return -EINVAL; + } + + } else { + return -EINVAL; + } + + ipsec_sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa); + + return 0; +} + +static void +ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, uint8_t *cipher_key, + uint8_t *salt_key, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + const uint8_t *key = NULL; + uint32_t *tmp_salt; + uint64_t *tmp_key; + uint32_t i; + int length = 0; + + /* Set direction */ + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + w2->s.dir = ROC_IE_OT_SA_DIR_INBOUND; + else + w2->s.dir = ROC_IE_OT_SA_DIR_OUTBOUND; + + /* Set protocol - ESP vs AH */ + if (ipsec_xfrm->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) + w2->s.protocol = ROC_IE_OT_SA_PROTOCOL_ESP; + else + w2->s.protocol = ROC_IE_OT_SA_PROTOCOL_AH; + + /* Set mode - transport vs tunnel */ + if (ipsec_xfrm->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) + w2->s.mode = ROC_IE_OT_SA_MODE_TRANSPORT; + else + w2->s.mode = ROC_IE_OT_SA_MODE_TUNNEL; + + /* Set encryption algorithm */ + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + switch ((int)crypto_xfrm->aead.algo) { + case RTE_CRYPTO_AEAD_AES_GCM: + w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_GCM; + w2->s.auth_type = ROC_IE_OT_SA_AUTH_NULL; + memcpy(salt_key, &ipsec_xfrm->salt, ROC_SALT_LEN); + tmp_salt = (uint32_t *)salt_key; + *tmp_salt = rte_be_to_cpu_32(*tmp_salt); + break; + } + key = crypto_xfrm->aead.key.data; + length = crypto_xfrm->aead.key.length; + } + + w2->s.spi = ipsec_xfrm->spi; + + /* Copy encryption key */ + memcpy(cipher_key, key, length); + tmp_key = (uint64_t *)cipher_key; + for (i = 0; i < ROC_CTX_MAX_CKEY_LEN / sizeof(uint64_t); i++) + tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]); + + switch (length) { + case ROC_AES128_KEY_LEN: + w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_128; + break; + case ROC_AES192_KEY_LEN: + w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_192; + break; + case ROC_AES256_KEY_LEN: + w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_256; + break; + } +} + +static int +cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sec_sess) +{ + struct roc_ot_ipsec_outb_sa *out_sa; + struct cn10k_sec_session *sess; + struct cn10k_ipsec_sa *sa; + union cpt_inst_w4 inst_w4; + size_t offset; + int ret; + + sess = get_sec_session_private_data(sec_sess); + sa = &sess->sa; + out_sa = &sa->out_sa; + + memset(out_sa, 0, sizeof(struct roc_ot_ipsec_outb_sa)); + + ipsec_sa_common_param_fill((union roc_ot_ipsec_sa_word2 *)&out_sa->w2, + out_sa->cipher_key, out_sa->iv.s.salt, + ipsec_xfrm, crypto_xfrm); + + ret = ipsec_sa_outb_param_fill(roc_cpt, sa, ipsec_xfrm); + if (ret) + return ret; + + ret = ipsec_sa_len_precalc(ipsec_xfrm, crypto_xfrm, sa); + if (ret) + return ret; + + /* Set context offsets and sizes */ + + /* Set offset of hw_ctx in 8b units */ + offset = offsetof(struct roc_ot_ipsec_outb_sa, ctx); + out_sa->w0.s.hw_ctx_off = offset / ROC_CTX_UNIT_8B; + + /* Context push size for outbound spans up to and includes + * relevant keys, for example for AES-GCM it need not push beyond + * cipher_key field, for SHAx it need not push beyond + * hmac_opad_ipad field. + * TODO for now let's set it up to hw_ctx however it should be + * updated later + */ + out_sa->w0.s.ctx_push_size = out_sa->w0.s.hw_ctx_off; + /* Entire context size in 128b units */ + offset = sizeof(struct roc_ot_ipsec_outb_sa); + out_sa->w0.s.ctx_size = + PLT_ALIGN_CEIL(offset, ROC_CTX_UNIT_128B) / ROC_CTX_UNIT_128B - + 1; + /* There are 2 words prepended to the context */ + out_sa->w0.s.ctx_hdr_size = CN10K_IPSEC_SA_CTX_HDR_SIZE; + out_sa->w0.s.aop_valid = 1; + + /* pre-populate CPT INST word 4 */ + inst_w4.u64 = 0; + inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC; + inst_w4.s.param1 = 0; + sa->inst.w4 = inst_w4.u64; + + out_sa->w2.s.ipid_gen = 1; + + /* Enable SA */ + out_sa->w2.s.valid = 1; + + return 0; +} + +static int +cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sec_sess) +{ + struct roc_ot_ipsec_inb_sa *in_sa; + struct cn10k_sec_session *sess; + struct cn10k_ipsec_sa *sa; + union cpt_inst_w4 inst_w4; + size_t offset; + + sess = get_sec_session_private_data(sec_sess); + sa = &sess->sa; + in_sa = &sa->in_sa; + + ipsec_sa_common_param_fill((union roc_ot_ipsec_sa_word2 *)&in_sa->w2, + in_sa->cipher_key, in_sa->w8.s.salt, + ipsec_xfrm, crypto_xfrm); + + ipsec_sa_inb_param_fill(roc_cpt, sa); + + /* Set context offsets and sizes */ + + /* Set offset of hw_ctx in 8b units */ + offset = offsetof(struct roc_ot_ipsec_inb_sa, ctx); + in_sa->w0.s.hw_ctx_off = offset / ROC_CTX_UNIT_8B; + + /* Context push size for inbound spans up to hw_ctx including ar_base + * field, in 8b units + */ + in_sa->w0.s.ctx_push_size = in_sa->w0.s.hw_ctx_off + 1; + /* Entire context size in 128b units */ + in_sa->w0.s.ctx_size = PLT_ALIGN_CEIL(ipsec_get_inb_ctx_size(in_sa), + ROC_CTX_UNIT_128B) / + ROC_CTX_UNIT_128B - + 1; + /* There are 2 words prepended to the context */ + in_sa->w0.s.ctx_hdr_size = CN10K_IPSEC_SA_CTX_HDR_SIZE; + in_sa->w0.s.aop_valid = 1; + + /* pre-populate CPT INST word 4 */ + inst_w4.u64 = 0; + inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC; + + /* Disable checksum verification for now */ + inst_w4.s.param1 = 7; + sa->inst.w4 = inst_w4.u64; + + in_sa->w2.s.outer_ip_ver = ROC_IE_OT_SA_IP_VERSION_4; + + /* Enable SA */ + in_sa->w2.s.valid = 1; + + return 0; +} + +static int +cn10k_ipsec_session_create(void *dev, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sess) +{ + struct rte_cryptodev *crypto_dev = dev; + struct roc_cpt *roc_cpt; + struct cnxk_cpt_vf *vf; + int ret; + + vf = crypto_dev->data->dev_private; + roc_cpt = &vf->cpt; + + if (crypto_dev->data->queue_pairs[0] == NULL) { + plt_err("Setup cpt queue pair before creating security session"); + return -EPERM; + } + + ret = cn10k_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm); + if (ret) + return ret; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + return cn10k_ipsec_inb_sa_create(roc_cpt, ipsec_xfrm, + crypto_xfrm, sess); + else + return cn10k_ipsec_outb_sa_create(roc_cpt, ipsec_xfrm, + crypto_xfrm, sess); +} + +static int +cn10k_sec_session_create(void *device, struct rte_security_session_conf *conf, + struct rte_security_session *sess, + struct rte_mempool *mempool) +{ + struct cn10k_sec_session *priv; + int ret; + + if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) + return -EINVAL; + + if (rte_security_dynfield_register() < 0) + return -ENOTSUP; + + if (rte_mempool_get(mempool, (void **)&priv)) { + plt_err("Could not allocate security session private data"); + return -ENOMEM; + } + + set_sec_session_private_data(sess, priv); + + priv->userdata = conf->userdata; + + if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) { + ret = -ENOTSUP; + goto mempool_put; + } + ret = cn10k_ipsec_session_create(device, &conf->ipsec, + conf->crypto_xform, sess); + if (ret) + goto mempool_put; + + return 0; + +mempool_put: + rte_mempool_put(mempool, priv); + set_sec_session_private_data(sess, NULL); + return ret; +} + +static int +cn10k_sec_session_destroy(void *device __rte_unused, + struct rte_security_session *sess) +{ + struct cn10k_sec_session *priv; + struct rte_mempool *sess_mp; + + priv = get_sec_session_private_data(sess); + + if (priv == NULL) + return 0; + + sess_mp = rte_mempool_from_obj(priv); + + set_sec_session_private_data(sess, NULL); + rte_mempool_put(sess_mp, priv); + + return 0; +} + +static unsigned int +cn10k_sec_session_get_size(void *device __rte_unused) +{ + return sizeof(struct cn10k_sec_session); +} + +/* Update platform specific security ops */ +void +cn10k_sec_ops_override(void) +{ + /* Update platform specific ops */ + cnxk_sec_ops.session_create = cn10k_sec_session_create; + cnxk_sec_ops.session_destroy = cn10k_sec_session_destroy; + cnxk_sec_ops.session_get_size = cn10k_sec_session_get_size; +} diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h new file mode 100644 index 0000000..6e36e67 --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec.h @@ -0,0 +1,38 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CN10K_IPSEC_H__ +#define __CN10K_IPSEC_H__ + +#include <rte_security.h> + +#include "roc_platform.h" +#include "roc_ie_ot.h" +#include "cnxk_ipsec.h" + +#define CN10K_IPSEC_SA_CTX_HDR_SIZE 1 + +struct cn10k_ipsec_sa { + union { + /** Inbound SA */ + struct roc_ot_ipsec_inb_sa in_sa; + /** Outbound SA */ + struct roc_ot_ipsec_outb_sa out_sa; + }; + /** Pre-populated CPT inst words */ + struct cnxk_cpt_inst_tmpl inst; + uint8_t partial_len; + uint8_t roundup_len; + uint8_t roundup_byte; +}; + +struct cn10k_sec_session { + struct cn10k_ipsec_sa sa; + void *userdata; + /**< Userdata registered by the application */ +} __rte_cache_aligned; + +void cn10k_sec_ops_override(void); + +#endif /* __CN10K_IPSEC_H__ */ diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h new file mode 100644 index 0000000..8b9500d --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_ipsec.h @@ -0,0 +1,18 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ +#ifndef __CNXK_IPSEC_H__ +#define __CNXK_IPSEC_H__ + +#include <rte_security.h> +#include <rte_security_driver.h> + +extern struct rte_security_ops cnxk_sec_ops; + +struct cnxk_cpt_inst_tmpl { + uint64_t w2; + uint64_t w4; + uint64_t w7; +}; + +#endif /* __CNXK_IPSEC_H__ */ diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build index ab45483..eea08fa 100644 --- a/drivers/crypto/cnxk/meson.build +++ b/drivers/crypto/cnxk/meson.build @@ -13,6 +13,7 @@ sources = files( 'cn9k_cryptodev_ops.c', 'cn10k_cryptodev.c', 'cn10k_cryptodev_ops.c', + 'cn10k_ipsec.c', 'cnxk_cpt_ops_helper.c', 'cnxk_cryptodev.c', 'cnxk_cryptodev_capabilities.c', @@ -20,4 +21,4 @@ sources = files( 'cnxk_cryptodev_sec.c', ) -deps += ['bus_pci', 'common_cnxk', 'security'] +deps += ['bus_pci', 'common_cnxk', 'security', 'rte_net'] -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dpdk-dev] [PATCH 3/4] crypto/cnxk: add security session ops 2021-06-02 17:11 ` [dpdk-dev] [PATCH 3/4] crypto/cnxk: add security session ops Anoob Joseph @ 2021-06-16 20:11 ` Akhil Goyal 2021-06-17 7:16 ` Anoob Joseph 0 siblings, 1 reply; 24+ messages in thread From: Akhil Goyal @ 2021-06-16 20:11 UTC (permalink / raw) To: Anoob Joseph, Thomas Monjalon Cc: Tejasree Kondoj, Jerin Jacob Kollanukkaran, Ankur Dwivedi, dev, Anoob Joseph, Archana Muniganti, Srujana Challa > diff --git a/drivers/crypto/cnxk/meson.build > b/drivers/crypto/cnxk/meson.build > index ab45483..eea08fa 100644 > --- a/drivers/crypto/cnxk/meson.build > +++ b/drivers/crypto/cnxk/meson.build > @@ -13,6 +13,7 @@ sources = files( > 'cn9k_cryptodev_ops.c', > 'cn10k_cryptodev.c', > 'cn10k_cryptodev_ops.c', > + 'cn10k_ipsec.c', > 'cnxk_cpt_ops_helper.c', > 'cnxk_cryptodev.c', > 'cnxk_cryptodev_capabilities.c', > @@ -20,4 +21,4 @@ sources = files( > 'cnxk_cryptodev_sec.c', > ) > > -deps += ['bus_pci', 'common_cnxk', 'security'] > +deps += ['bus_pci', 'common_cnxk', 'security', 'rte_net'] > -- This should be 'net' and not 'rte_net'. Do we really need this dependency? ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dpdk-dev] [PATCH 3/4] crypto/cnxk: add security session ops 2021-06-16 20:11 ` Akhil Goyal @ 2021-06-17 7:16 ` Anoob Joseph 0 siblings, 0 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-17 7:16 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Tejasree Kondoj, Jerin Jacob Kollanukkaran, Ankur Dwivedi, dev, Archana Muniganti, Srujana Challa Hi Akhil, Please see inline. Thanks, Anoob > -----Original Message----- > From: Akhil Goyal <gakhil@marvell.com> > Sent: Thursday, June 17, 2021 1:41 AM > To: Anoob Joseph <anoobj@marvell.com>; Thomas Monjalon > <thomas@monjalon.net> > Cc: Tejasree Kondoj <ktejasree@marvell.com>; Jerin Jacob Kollanukkaran > <jerinj@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>; > dev@dpdk.org; Anoob Joseph <anoobj@marvell.com>; Archana Muniganti > <marchana@marvell.com>; Srujana Challa <schalla@marvell.com> > Subject: RE: [PATCH 3/4] crypto/cnxk: add security session ops > > > diff --git a/drivers/crypto/cnxk/meson.build > > b/drivers/crypto/cnxk/meson.build index ab45483..eea08fa 100644 > > --- a/drivers/crypto/cnxk/meson.build > > +++ b/drivers/crypto/cnxk/meson.build > > @@ -13,6 +13,7 @@ sources = files( > > 'cn9k_cryptodev_ops.c', > > 'cn10k_cryptodev.c', > > 'cn10k_cryptodev_ops.c', > > + 'cn10k_ipsec.c', > > 'cnxk_cpt_ops_helper.c', > > 'cnxk_cryptodev.c', > > 'cnxk_cryptodev_capabilities.c', @@ -20,4 +21,4 @@ sources = > > files( > > 'cnxk_cryptodev_sec.c', > > ) > > > > -deps += ['bus_pci', 'common_cnxk', 'security'] > > +deps += ['bus_pci', 'common_cnxk', 'security', 'rte_net'] > > -- > This should be 'net' and not 'rte_net'. > Do we really need this dependency? [Anoob] It was required since we had a dependency on rte_esp.h. But, as you said, we don't need to make it as dependency on 'net'. Something like, includes += include_directories('../../../lib/net') Is good enough. Will have this changed so. ^ permalink raw reply [flat|nested] 24+ messages in thread
* [dpdk-dev] [PATCH 4/4] crypto/cnxk: add security handling in datapath ops 2021-06-02 17:10 [dpdk-dev] [PATCH 0/4] Add rte_security in crypto_cn10k PMD Anoob Joseph ` (2 preceding siblings ...) 2021-06-02 17:11 ` [dpdk-dev] [PATCH 3/4] crypto/cnxk: add security session ops Anoob Joseph @ 2021-06-02 17:11 ` Anoob Joseph 2021-06-16 20:15 ` [dpdk-dev] [PATCH 0/4] Add rte_security in crypto_cn10k PMD Akhil Goyal 4 siblings, 0 replies; 24+ messages in thread From: Anoob Joseph @ 2021-06-02 17:11 UTC (permalink / raw) To: Akhil Goyal, Thomas Monjalon Cc: Tejasree Kondoj, Jerin Jacob, Ankur Dwivedi, dev, Anoob Joseph, Srujana Challa From: Tejasree Kondoj <ktejasree@marvell.com> Add security handling in enqueue dequeue ops. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Srujana Challa <schalla@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 78 ++++++++++++++++++++++++++++++- drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 74 +++++++++++++++++++++++++++++ 2 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 22704df..68093ea 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -4,9 +4,12 @@ #include <rte_cryptodev.h> #include <rte_cryptodev_pmd.h> +#include <rte_ip.h> #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" +#include "cn10k_ipsec_la_ops.h" +#include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" #include "cnxk_se.h" @@ -42,6 +45,38 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op) } static __rte_always_inline int __rte_hot +cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess, + struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) +{ + struct rte_crypto_sym_op *sym_op = op->sym; + union roc_ot_ipsec_sa_word2 *w2; + struct cn10k_ipsec_sa *sa; + int ret; + + if (unlikely(sym_op->m_dst && sym_op->m_dst != sym_op->m_src)) { + CPT_LOG_DP_ERR("Out of place is not supported"); + return -ENOTSUP; + } + + if (unlikely(!rte_pktmbuf_is_contiguous(sym_op->m_src))) { + CPT_LOG_DP_ERR("Scatter Gather mode is not supported"); + return -ENOTSUP; + } + + sa = &sess->sa; + w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2; + + if (w2->s.dir == ROC_IE_OT_SA_DIR_OUTBOUND) + ret = process_outb_sa(op, sa, inst); + else { + infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND; + ret = process_inb_sa(op, sa, inst); + } + + return ret; +} + +static __rte_always_inline int __rte_hot cpt_sym_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op, struct cnxk_se_sess *sess, struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) @@ -64,6 +99,7 @@ static inline int cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], struct cpt_inst_s inst[], struct cpt_inflight_req *infl_req) { + struct cn10k_sec_session *sec_sess; struct rte_crypto_sym_op *sym_op; struct cnxk_se_sess *sess; struct rte_crypto_op *op; @@ -79,7 +115,15 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], sym_op = op->sym; if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { - if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { + if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { + sec_sess = get_sec_session_private_data( + sym_op->sec_session); + ret = cpt_sec_inst_fill(op, sec_sess, infl_req, + &inst[0]); + if (unlikely(ret)) + return 0; + w7 = sec_sess->sa.inst.w7; + } else if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { sess = get_sym_session_private_data( sym_op->session, cn10k_cryptodev_driver_id); ret = cpt_sym_inst_fill(qp, op, sess, infl_req, @@ -196,6 +240,34 @@ cn10k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) } static inline void +cn10k_cpt_sec_post_process(struct rte_crypto_op *cop, + struct cpt_inflight_req *infl_req) +{ + struct rte_crypto_sym_op *sym_op = cop->sym; + struct rte_mbuf *m = sym_op->m_src; + struct rte_ipv6_hdr *ip6; + struct rte_ipv4_hdr *ip; + uint16_t m_len; + + if (infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND) { + ip = (struct rte_ipv4_hdr *)rte_pktmbuf_mtod(m, char *); + + if (((ip->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER) == + IPVERSION) { + m_len = rte_be_to_cpu_16(ip->total_length); + } else { + PLT_ASSERT(((ip->version_ihl & 0xf0) >> + RTE_IPV4_IHL_MULTIPLIER) == IPV6_VERSION); + ip6 = (struct rte_ipv6_hdr *)ip; + m_len = rte_be_to_cpu_16(ip6->payload_len) + + sizeof(struct rte_ipv6_hdr); + } + m->data_len = m_len; + m->pkt_len = m_len; + } +} + +static inline void cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, struct rte_crypto_op *cop, struct cpt_inflight_req *infl_req) @@ -219,6 +291,10 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { + if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { + cn10k_cpt_sec_post_process(cop, infl_req); + return; + } /* Verify authentication data if required */ if (unlikely(infl_req->op_flags & diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h new file mode 100644 index 0000000..dc547d1 --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h @@ -0,0 +1,74 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CN10K_IPSEC_LA_OPS_H__ +#define __CN10K_IPSEC_LA_OPS_H__ + +#include <rte_crypto_sym.h> +#include <rte_security.h> + +#include "cn10k_cryptodev.h" +#include "cn10k_ipsec.h" +#include "cnxk_cryptodev.h" + +static __rte_always_inline int32_t +ipsec_po_out_rlen_get(struct cn10k_ipsec_sa *sess, uint32_t plen) +{ + uint32_t enc_payload_len; + + enc_payload_len = + RTE_ALIGN_CEIL(plen + sess->roundup_len, sess->roundup_byte); + + return sess->partial_len + enc_payload_len; +} + +static __rte_always_inline int +process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, + struct cpt_inst_s *inst) +{ + struct rte_crypto_sym_op *sym_op = cop->sym; + struct rte_mbuf *m_src = sym_op->m_src; + uint32_t dlen, rlen, extend_tail; + char *mdata; + + dlen = rte_pktmbuf_pkt_len(m_src); + rlen = ipsec_po_out_rlen_get(sess, dlen); + + extend_tail = rlen - dlen; + + mdata = rte_pktmbuf_append(m_src, extend_tail); + if (unlikely(mdata == NULL)) { + CPT_LOG_DP_ERR("Not enough tail room"); + return -ENOMEM; + } + + /* Prepare CPT instruction */ + inst->w4.u64 = sess->inst.w4; + inst->w4.s.dlen = dlen; + inst->dptr = rte_pktmbuf_iova(m_src); + inst->rptr = inst->dptr; + + return 0; +} + +static __rte_always_inline int +process_inb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sa, + struct cpt_inst_s *inst) +{ + struct rte_crypto_sym_op *sym_op = cop->sym; + struct rte_mbuf *m_src = sym_op->m_src; + uint32_t dlen; + + dlen = rte_pktmbuf_pkt_len(m_src); + + /* Prepare CPT instruction */ + inst->w4.u64 = sa->inst.w4; + inst->w4.s.dlen = dlen; + inst->dptr = rte_pktmbuf_iova(m_src); + inst->rptr = inst->dptr; + + return 0; +} + +#endif /* __CN10K_IPSEC_LA_OPS_H__ */ -- 2.7.4 ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [dpdk-dev] [PATCH 0/4] Add rte_security in crypto_cn10k PMD 2021-06-02 17:10 [dpdk-dev] [PATCH 0/4] Add rte_security in crypto_cn10k PMD Anoob Joseph ` (3 preceding siblings ...) 2021-06-02 17:11 ` [dpdk-dev] [PATCH 4/4] crypto/cnxk: add security handling in datapath ops Anoob Joseph @ 2021-06-16 20:15 ` Akhil Goyal 4 siblings, 0 replies; 24+ messages in thread From: Akhil Goyal @ 2021-06-16 20:15 UTC (permalink / raw) To: Anoob Joseph, Thomas Monjalon Cc: Anoob Joseph, Jerin Jacob Kollanukkaran, Ankur Dwivedi, Tejasree Kondoj, dev > Add rte_security (lookaside protocol - IPsec) support in crypto_cn10k. > > IPsec operations can be offloaded to CPT's SE and IE engines, which > can process IPsec protcol operations including atomic sequence number > increment (for outbound operations) and anti replay window check (for > inbound operations). > > Depends-on: series-17212 ("Add CPT in Marvell CNXK common driver") > Depends-on: series-17213 ("Add Marvell CNXK crypto PMDs") > Do you need any update in the documentation of the PMD for this patchset. Please also update release notes appropriately. ^ permalink raw reply [flat|nested] 24+ messages in thread
end of thread, other threads:[~2021-06-29 19:52 UTC | newest] Thread overview: 24+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-06-02 17:10 [dpdk-dev] [PATCH 0/4] Add rte_security in crypto_cn10k PMD Anoob Joseph 2021-06-02 17:10 ` [dpdk-dev] [PATCH 1/4] crypto/cnxk: add security ctx skeleton Anoob Joseph 2021-06-16 20:14 ` Akhil Goyal 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 0/4] Add rte_security in crypto_cn10k PMD Anoob Joseph 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 1/4] crypto/cnxk: add security ctx skeleton Anoob Joseph 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 2/4] crypto/cnxk: add security session ops Anoob Joseph 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 3/4] crypto/cnxk: add security handling in datapath ops Anoob Joseph 2021-06-25 6:15 ` [dpdk-dev] [PATCH v2 4/4] crypto/cnxk: add security capabilities Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 1/8] crypto/cnxk: add security ctx skeleton Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 2/8] crypto/cnxk: add security session ops Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 3/8] crypto/cnxk: add security handling in datapath ops Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 4/8] crypto/cnxk: add security capabilities Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 5/8] crypto/cnxk: add asymmetric session ops Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 6/8] crypto/cnxk: add asymmetric datapath ops Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 7/8] crypto/cnxk: add asymmetric capabilities Anoob Joseph 2021-06-29 7:34 ` [dpdk-dev] [PATCH v3 8/8] test/crypto: add cnxk for asymmetric cases Anoob Joseph 2021-06-29 19:52 ` [dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs Akhil Goyal 2021-06-02 17:11 ` [dpdk-dev] [PATCH 2/4] crypto/cnxk: add security capabilities Anoob Joseph 2021-06-02 17:11 ` [dpdk-dev] [PATCH 3/4] crypto/cnxk: add security session ops Anoob Joseph 2021-06-16 20:11 ` Akhil Goyal 2021-06-17 7:16 ` Anoob Joseph 2021-06-02 17:11 ` [dpdk-dev] [PATCH 4/4] crypto/cnxk: add security handling in datapath ops Anoob Joseph 2021-06-16 20:15 ` [dpdk-dev] [PATCH 0/4] Add rte_security in crypto_cn10k PMD Akhil Goyal
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).