From: Anoob Joseph <anoobj@marvell.com>
To: Akhil Goyal <gakhil@marvell.com>, Thomas Monjalon <thomas@monjalon.net>
Cc: Anoob Joseph <anoobj@marvell.com>,
Jerin Jacob <jerinj@marvell.com>,
"Ankur Dwivedi" <adwivedi@marvell.com>,
Tejasree Kondoj <ktejasree@marvell.com>, <dev@dpdk.org>,
Srujana Challa <schalla@marvell.com>
Subject: [dpdk-dev] [PATCH v2 4/4] crypto/cnxk: add security capabilities
Date: Fri, 25 Jun 2021 11:45:08 +0530 [thread overview]
Message-ID: <1624601708-29991-5-git-send-email-anoobj@marvell.com> (raw)
In-Reply-To: <1624601708-29991-1-git-send-email-anoobj@marvell.com>
Add security capabilities supported by crypto cn10k PMD.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Srujana Challa <schalla@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/cryptodevs/cnxk.rst | 24 +++++
doc/guides/cryptodevs/features/cn10k.ini | 1 +
drivers/crypto/cnxk/cn10k_cryptodev.c | 1 +
drivers/crypto/cnxk/cnxk_cryptodev.h | 4 +
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 114 ++++++++++++++++++++++
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h | 9 +-
drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 3 +-
7 files changed, 154 insertions(+), 2 deletions(-)
diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 66b0b63..db949fa 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -185,6 +185,30 @@ running the test application:
./dpdk-test
RTE>>cryptodev_cn10k_autotest
+Lookaside IPsec Support
+-----------------------
+
+The OCTEON cnxk SoCs can accelerate IPsec traffic in lookaside protocol mode,
+with its **cryptographic accelerator (CPT)**. ``OCTEON cnxk crypto PMD`` implements
+this as an ``RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL`` offload.
+
+Refer to :doc:`../prog_guide/rte_security` for more details on protocol offloads.
+
+This feature can be tested with ipsec-secgw sample application.
+
+Supported OCTEON cnxk SoCs
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- CN10XX
+
+Features supported
+~~~~~~~~~~~~~~~~~~
+
+* IPv4
+* ESP
+* Tunnel mode
+* AES-128/192/256-GCM
+
Limitations
-----------
diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini
index 77c4a2d..b268f84 100644
--- a/doc/guides/cryptodevs/features/cn10k.ini
+++ b/doc/guides/cryptodevs/features/cn10k.ini
@@ -7,6 +7,7 @@
Symmetric crypto = Y
Sym operation chaining = Y
HW Accelerated = Y
+Protocol offload = Y
In Place SGL = Y
OOP SGL In LB Out = Y
OOP SGL In SGL Out = Y
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c
index cacf9c2..22ae810 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev.c
@@ -99,6 +99,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT |
RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT |
RTE_CRYPTODEV_FF_SYM_SESSIONLESS |
+ RTE_CRYPTODEV_FF_SECURITY |
RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED;
cn10k_cpt_set_enqdeq_fns(dev);
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h
index 03af4af..6760c13 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.h
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.h
@@ -6,6 +6,7 @@
#define _CNXK_CRYPTODEV_H_
#include <rte_cryptodev.h>
+#include <rte_security.h>
#include "roc_cpt.h"
@@ -19,6 +20,9 @@
struct cnxk_cpt_vf {
struct roc_cpt cpt;
struct rte_cryptodev_capabilities crypto_caps[CNXK_CPT_MAX_CAPS];
+ struct rte_cryptodev_capabilities
+ sec_crypto_caps[CNXK_SEC_CRYPTO_MAX_CAPS];
+ struct rte_security_capability sec_caps[CNXK_SEC_MAX_CAPS];
};
int cnxk_cpt_eng_grp_add(struct roc_cpt *roc_cpt);
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index a5195e8..d52fa89 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -3,6 +3,7 @@
*/
#include <rte_cryptodev.h>
+#include <rte_security.h>
#include "roc_api.h"
@@ -18,6 +19,15 @@
RTE_DIM(caps_##name)); \
} while (0)
+#define SEC_CAPS_ADD(cnxk_caps, cur_pos, hw_caps, name) \
+ do { \
+ if ((hw_caps[CPT_ENG_TYPE_SE].name) || \
+ (hw_caps[CPT_ENG_TYPE_IE].name) || \
+ (hw_caps[CPT_ENG_TYPE_AE].name)) \
+ sec_caps_add(cnxk_caps, cur_pos, sec_caps_##name, \
+ RTE_DIM(sec_caps_##name)); \
+ } while (0)
+
static const struct rte_cryptodev_capabilities caps_sha1_sha2[] = {
{ /* SHA1 */
.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
@@ -658,6 +668,69 @@ static const struct rte_cryptodev_capabilities caps_end[] = {
RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
};
+static const struct rte_cryptodev_capabilities sec_caps_aes[] = {
+ { /* AES GCM */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,
+ {.aead = {
+ .algo = RTE_CRYPTO_AEAD_AES_GCM,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .digest_size = {
+ .min = 16,
+ .max = 16,
+ .increment = 0
+ },
+ .aad_size = {
+ .min = 8,
+ .max = 12,
+ .increment = 4
+ },
+ .iv_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
+};
+
+static const struct rte_security_capability sec_caps_templ[] = {
+ { /* IPsec Lookaside Protocol ESP Tunnel Ingress */
+ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+ .ipsec = {
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+ .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+ .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+ .options = { 0 }
+ },
+ .crypto_capabilities = NULL,
+ .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
+ },
+ { /* IPsec Lookaside Protocol ESP Tunnel Egress */
+ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+ .ipsec = {
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+ .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+ .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+ .options = { 0 }
+ },
+ .crypto_capabilities = NULL,
+ .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
+ },
+ {
+ .action = RTE_SECURITY_ACTION_TYPE_NONE
+ }
+};
+
static void
cpt_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos,
const struct rte_cryptodev_capabilities *caps, int nb_caps)
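Review bot: Both entries of `sec_caps_templ` set `.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA`, while the `cnxk_sec_ops` table touched by this same patch (cnxk_cryptodev_sec.c) still has `.set_pkt_metadata = NULL`. An application that honours the flag and calls rte_security_set_pkt_metadata() therefore has no driver callback behind it, and a Tx-offload flag also looks out of place on the ingress entry. If lookaside protocol sessions need no per-packet metadata here, both entries could use `.ol_flags = 0`; otherwise the callback should be wired up in the same change. Separately, `sec_caps_aes` advertises `.aad_size` up to 12, which presumably corresponds to ESN, while `.options = { 0 }` advertises no ESN support, so a one-line comment saying which is intended would help. The trailing context lines of this hunk belong to cpt_caps_add, whose body lies outside it.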
@@ -692,8 +765,49 @@ cnxk_crypto_capabilities_get(struct cnxk_cpt_vf *vf)
return vf->crypto_caps;
}
+static void
+sec_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos,
+ const struct rte_cryptodev_capabilities *caps, int nb_caps)
+{
+ if (*cur_pos + nb_caps > CNXK_SEC_CRYPTO_MAX_CAPS)
+ return;
+
+ memcpy(&cnxk_caps[*cur_pos], caps, nb_caps * sizeof(caps[0]));
+ *cur_pos += nb_caps;
+}
+
+static void
+sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[],
+ union cpt_eng_caps *hw_caps)
+{
+ int cur_pos = 0;
+
+ SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, aes);
+
+ sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end));
+}
+
void
cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf)
{
+ unsigned long i;
+
crypto_caps_populate(vf->crypto_caps, vf->cpt.hw_caps);
+ sec_crypto_caps_populate(vf->sec_crypto_caps, vf->cpt.hw_caps);
+
+ PLT_STATIC_ASSERT(RTE_DIM(sec_caps_templ) <= RTE_DIM(vf->sec_caps));
+ memcpy(vf->sec_caps, sec_caps_templ, sizeof(sec_caps_templ));
+
+ for (i = 0; i < RTE_DIM(sec_caps_templ) - 1; i++)
+ vf->sec_caps[i].crypto_capabilities = vf->sec_crypto_caps;
+}
+
+const struct rte_security_capability *
+cnxk_crypto_sec_capabilities_get(void *device)
+{
+ struct rte_cryptodev *dev = device;
+ struct cnxk_cpt_vf *vf;
+
+ vf = dev->data->dev_private;
+ return vf->sec_caps;
}
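Review bot: `sec_caps_add` returns silently when `*cur_pos + nb_caps > CNXK_SEC_CRYPTO_MAX_CAPS`, and that covers the final call that appends `caps_end`. If the terminator is ever dropped because the table is full, `vf->sec_crypto_caps` is published without an end marker and any code walking the list would read past the array. With the single `aes` entry this presumably cannot happen today, but the definition of CNXK_SEC_CRYPTO_MAX_CAPS is not visible in this patch, so the guarantee is only implicit. A compile-time check next to the existing one for `sec_caps_templ` would make it explicit, e.g. `PLT_STATIC_ASSERT(RTE_DIM(sec_caps_aes) + RTE_DIM(caps_end) <= RTE_DIM(vf->sec_crypto_caps));`. The hunk opens inside cnxk_crypto_capabilities_get, whose start is outside it.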
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h
index 85f5ad2..fe07e43 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h
@@ -10,7 +10,7 @@
#include "cnxk_cryptodev.h"
/*
- * Initialize crypto capabilities for the device
+ * Initialize crypto and IPsec capabilities for the device
*
*/
void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf);
@@ -22,4 +22,11 @@ void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf);
const struct rte_cryptodev_capabilities *
cnxk_crypto_capabilities_get(struct cnxk_cpt_vf *vf);
+/*
+ * Get security capabilities list for the device
+ *
+ */
+const struct rte_security_capability *
+cnxk_crypto_sec_capabilities_get(void *device);
+
#endif /* _CNXK_CRYPTODEV_CAPABILITIES_H_ */
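Review bot: The comment on `cnxk_crypto_sec_capabilities_get` does not say what `device` must point to or how the returned list ends. In the definition in cnxk_cryptodev_capabilities.c the `void *` is assigned to a `struct rte_cryptodev *` and dereferenced without a check, and the list is copied from a template whose last entry has `.action = RTE_SECURITY_ACTION_TYPE_NONE`. I would extend the comment to say that `device` is the `struct rte_cryptodev *` of a probed cnxk device, that the returned array is owned by the device private data, and that it is terminated by an `RTE_SECURITY_ACTION_TYPE_NONE` entry.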
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c
index f03d2ed..8d04d4b 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c
@@ -7,6 +7,7 @@
#include <rte_security.h>
#include <rte_security_driver.h>
+#include "cnxk_cryptodev_capabilities.h"
#include "cnxk_cryptodev_sec.h"
/* Common security ops */
@@ -16,7 +17,7 @@ struct rte_security_ops cnxk_sec_ops = {
.session_get_size = NULL,
.set_pkt_metadata = NULL,
.get_userdata = NULL,
- .capabilities_get = NULL,
+ .capabilities_get = cnxk_crypto_sec_capabilities_get
};
int
--
2.7.4