* [dpdk-dev] [PATCH 0/3] Add user specified IV with lookaside IPsec
From: Anoob Joseph @ 2021-08-16 5:59 UTC
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, dev

Add support for using user provided IV with lookaside protocol (IPsec).
Using this option, application can provide IV to be used per operation.
This option can be used for known vector tests (which is otherwise
impossible due to random nature of IV) as well as if application wishes
to use its own random generator source.

Depends on
1. http://patches.dpdk.org/project/dpdk/list/?series=18253

Anoob Joseph (2):
  security: support user specified IV
  test/crypto: add outbound known vector tests

Tejasree Kondoj (1):
  crypto/cnxk: add IV in SA in lookaside IPsec debug mode

 app/test/test_cryptodev.c                        | 44 +++++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c         | 16 ++++++++-
 drivers/crypto/cnxk/cn10k_ipsec.c                | 16 +++++++++
 drivers/crypto/cnxk/cn10k_ipsec.h                |  2 ++
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h         | 24 +++++++++++++
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 16 ++++++++-
 drivers/crypto/cnxk/meson.build                  |  6 ++++
 lib/security/rte_security.h                      | 14 ++++++++
 8 files changed, 136 insertions(+), 2 deletions(-)

-- 
2.7.4
* [dpdk-dev] [PATCH 1/3] security: support user specified IV 2021-08-16 5:59 [dpdk-dev] [PATCH 0/3] Add user specified IV with lookaside IPsec Anoob Joseph @ 2021-08-16 5:59 ` Anoob Joseph 2021-08-16 5:59 ` [dpdk-dev] [PATCH 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode Anoob Joseph ` (2 subsequent siblings) 3 siblings, 0 replies; 17+ messages in thread From: Anoob Joseph @ 2021-08-16 5:59 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, dev Enable user to provide IV to be used per security operation. This would be used with lookaside protocol offload for comparing against known vectors. By default, PMD would generate IV internally and would be random. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- lib/security/rte_security.h | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 88d31de..b4b6776 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -181,6 +181,20 @@ struct rte_security_ipsec_sa_options { * * 0: Disable per session security statistics collection for this SA. */ uint32_t stats : 1; + + /** Disable IV generation in PMD + * + * * 1: Disable IV generation in PMD. When disabled, IV provided in + * rte_crypto_op will be used by the PMD. + * + * * 0: Enable IV generation in PMD. When enabled, PMD generated random + * value would be used and application is not required to provide + * IV. + * + * Note: For inline cases, IV generation would always need to be handled + * by the PMD. + */ + uint32_t iv_gen_disable : 1; }; /** IPSec security association direction */ -- 2.7.4 ^ permalink raw reply [flat|nested] 17+ messages in thread
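Review bot: the doc comment on the new `iv_gen_disable` bit in the rte_security.h hunk leaves three things unstated that a PMD or application author needs. Where the IV lives: "IV provided in rte_crypto_op" should say it is read at the `iv.offset`/`iv.length` of the session's cipher or AEAD transform, since that is what a PMD has to use to locate it. How support is discovered: state that the application must check `rte_security_capability.ipsec.options.iv_gen_disable` before setting the bit and that a PMD which does not advertise it must fail session creation, and say whether setting the bit on an inline session is rejected or ignored rather than only noting that inline always generates in the PMD. And the cryptographic consequence: the cover letter offers this for applications that want their own random source, so note that with AES-GCM the application then becomes responsible for never repeating an IV under a key and that the primary purpose is known-vector testing. Since the bit also changes the layout of a public struct, a release-notes entry belongs with this patch.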
* [dpdk-dev] [PATCH 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode 2021-08-16 5:59 [dpdk-dev] [PATCH 0/3] Add user specified IV with lookaside IPsec Anoob Joseph 2021-08-16 5:59 ` [dpdk-dev] [PATCH 1/3] security: support user specified IV Anoob Joseph @ 2021-08-16 5:59 ` Anoob Joseph 2021-08-16 5:59 ` [dpdk-dev] [PATCH 3/3] test/crypto: add outbound known vector tests Anoob Joseph 2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 0/3] Add user specified IV with lookaside IPsec Anoob Joseph 3 siblings, 0 replies; 17+ messages in thread From: Anoob Joseph @ 2021-08-16 5:59 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, dev, Anoob Joseph From: Tejasree Kondoj <ktejasree@marvell.com> Adding IV in SA in lookaside IPsec debug mode. It helps to verify lookaside PMD using known outbound vectors in lookaside autotest. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- drivers/crypto/cnxk/cn10k_ipsec.c | 16 +++++++++++++++ drivers/crypto/cnxk/cn10k_ipsec.h | 2 ++ drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 24 +++++++++++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 16 ++++++++++++++- drivers/crypto/cnxk/meson.build | 6 ++++++ 5 files changed, 63 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c index 1d567bf..3ce25f2 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.c +++ b/drivers/crypto/cnxk/cn10k_ipsec.c 
@@ -110,6 +110,22 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa); +#ifdef LA_IPSEC_DEBUG + /* Use IV from application in debug mode */ + if (ipsec_xfrm->options.iv_gen_disable == 1) { + out_sa->w2.s.iv_src = ROC_IE_OT_SA_IV_SRC_FROM_SA; + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + sa->iv_offset = crypto_xfrm->aead.iv.offset; + sa->iv_length = crypto_xfrm->aead.iv.length; + } + } +#else + if (ipsec_xfrm->options.iv_gen_disable != 0) { + plt_err("Application provided IV not supported"); + return -ENOTSUP; + } +#endif + /* Get Rlen calculation data */ ret = cnxk_ipsec_outb_rlens_get(&rlens, ipsec_xfrm, crypto_xfrm); if (ret) diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h index 668282f..25fc2ee 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.h +++ b/drivers/crypto/cnxk/cn10k_ipsec.h @@ -20,6 +20,8 @@ struct cn10k_ipsec_sa { }; /** Pre-populated CPT inst words */ struct cnxk_cpt_inst_tmpl inst; + uint16_t iv_offset; + uint8_t iv_length; uint8_t partial_len; uint8_t roundup_len; uint8_t roundup_byte; diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h index 1e9ebb5..1c142d2 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h +++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h 
@@ -23,6 +23,25 @@ ipsec_po_out_rlen_get(struct cn10k_ipsec_sa *sess, uint32_t plen) return sess->partial_len + enc_payload_len; } +static inline void +ipsec_po_sa_iv_set(struct cn10k_ipsec_sa *sess, struct rte_crypto_op *cop) +{ + uint8_t *iv = &sess->out_sa.iv.s.iv_dbg1[0]; + uint32_t *tmp_iv; + + memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset), + 4); + tmp_iv = (uint32_t *)iv; + *tmp_iv = rte_be_to_cpu_32(*tmp_iv); + + iv = &sess->out_sa.iv.s.iv_dbg2[0]; + memcpy(iv, + rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset + 4), + 4); + tmp_iv = (uint32_t *)iv; + *tmp_iv = rte_be_to_cpu_32(*tmp_iv); +} + static __rte_always_inline int process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, struct cpt_inst_s *inst) @@ -43,6 +62,11 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, return -ENOMEM; } +#ifdef LA_IPSEC_DEBUG + if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) + ipsec_po_sa_iv_set(sess, cop); +#endif + /* Prepare CPT instruction */ inst->w4.u64 = sess->inst.w4; inst->w4.s.dlen = dlen; diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index ab37f9c..8ec1e9d 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -776,7 +776,21 @@ static const struct rte_security_capability sec_caps_templ[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, - .options = { 0 } + .options = { + .esn = 0, + .udp_encap = 0, + .copy_dscp = 0, + .copy_flabel = 0, + .copy_df = 0, + .dec_ttl = 0, + .ecn = 0, + .stats = 0, +#ifdef LA_IPSEC_DEBUG + .iv_gen_disable = 1, +#else + .iv_gen_disable = 0, +#endif + } }, .crypto_capabilities = NULL, .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build index c56d6cf..1694e05 100644 
--- a/drivers/crypto/cnxk/meson.build +++ b/drivers/crypto/cnxk/meson.build @@ -23,3 +23,9 @@ sources = files( deps += ['bus_pci', 'common_cnxk', 'security'] includes += include_directories('../../../lib/net') + +if get_option('buildtype').contains('debug') + cflags += [ '-DLA_IPSEC_DEBUG' ] +else + cflags += [ '-ULA_IPSEC_DEBUG' ] +endif -- 2.7.4 ^ permalink raw reply [flat|nested] 17+ messages in thread
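Review bot: in the cn10k_ipsec.c hunk, `iv_src` is switched to ROC_IE_OT_SA_IV_SRC_FROM_SA whenever `iv_gen_disable` is set, but `sa->iv_offset`/`sa->iv_length` are recorded only for RTE_CRYPTO_SYM_XFORM_AEAD, so for a cipher/auth chain the datapath later copies the IV from offset 0 of the rte_crypto_op. Either return -ENOTSUP for non-AEAD transforms in the debug build as well, or record `crypto_xfrm->cipher.iv.offset`/`.length` for the cipher case. `iv_length` is stored here but nothing reads it; validate it against the 8-byte AES-GCM IV the datapath assumes, or drop the field.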
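Review bot: `ipsec_po_sa_iv_set` in the first cn10k_ipsec_la_ops.h hunk copies a fixed 4+4 bytes regardless of `sess->iv_length`, and the `(uint32_t *)iv` casts over the `iv_dbg1`/`iv_dbg2` byte arrays are strict-aliasing violations that also assume 4-byte alignment. Do the byte swap on a local `uint32_t` (memcpy in, rte_be_to_cpu_32, memcpy out) and use `iv_length`, or check it at SA creation. Since the helper is only called under LA_IPSEC_DEBUG, its definition should sit under the same #ifdef.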
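Review bot: the process_outb_sa hunk writes the per-operation IV into `sess->out_sa`, which the CPT reads when it executes the instruction. If two operations on the same session are in flight, or the session is enqueued from more than one queue pair, the second enqueue overwrites the IV of an operation the hardware has not consumed yet. That is fine for a single-op known-vector test but should be stated in a comment beside the #ifdef and in the commit message, so nobody enables the debug build expecting a general application-IV mode.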
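Review bot: in the cnxk_cryptodev_capabilities.c hunk, the eight explicit `= 0` members are redundant; designated initializers zero-fill the members left unnamed, so `.options = { .iv_gen_disable = 1 }` under `#ifdef LA_IPSEC_DEBUG` (keeping `{ 0 }` otherwise) expresses the same thing and does not have to be touched whenever a bit is added to rte_security_ipsec_sa_options.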
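Review bot: in the meson.build hunk, `get_option('buildtype').contains('debug')` also matches `debugoptimized`, so the application-IV path is compiled into a build type that is commonly deployed; if the intent is plain debug builds, test for equality. The `-ULA_IPSEC_DEBUG` branch is a no-op, as nothing else defines the macro, and can be dropped.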
* [dpdk-dev] [PATCH 3/3] test/crypto: add outbound known vector tests 2021-08-16 5:59 [dpdk-dev] [PATCH 0/3] Add user specified IV with lookaside IPsec Anoob Joseph 2021-08-16 5:59 ` [dpdk-dev] [PATCH 1/3] security: support user specified IV Anoob Joseph 2021-08-16 5:59 ` [dpdk-dev] [PATCH 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode Anoob Joseph @ 2021-08-16 5:59 ` Anoob Joseph 2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 0/3] Add user specified IV with lookaside IPsec Anoob Joseph 3 siblings, 0 replies; 17+ messages in thread From: Anoob Joseph @ 2021-08-16 5:59 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, dev Add outbound known vector tests. The tests would be skipped on PMDs which do not support IV provided by application. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- app/test/test_cryptodev.c | 44 ++++++++++++++++++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 16 +++++++++++- 2 files changed, 59 insertions(+), 1 deletion(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 71e6c1a..dfc49e0 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -8975,6 +8975,22 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], ut_params->op->sym->m_src = ut_params->ibuf; ut_params->op->sym->m_dst = NULL; + /* Copy IV in crypto operation when IV generation is disabled */ + if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && + ipsec_xform.options.iv_gen_disable == 1) { + uint8_t *iv = rte_crypto_op_ctod_offset(ut_params->op, + uint8_t *, + IV_OFFSET); + int len; + + if (td[i].aead) + len = td[i].xform.aead.aead.iv.length; + else + len = td[i].xform.chain.cipher.cipher.iv.length; + + memcpy(iv, td[i].iv.data, len); + } + /* Process crypto operation */ process_crypto_request(dev_id, ut_params->op); 
@@ -9012,6 +9028,22 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], } static int +test_ipsec_proto_known_vec(const void *test_data) +{ + struct ipsec_test_data td_outb; + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + memcpy(&td_outb, test_data, sizeof(td_outb)); + + /* Disable IV gen to be able to test with known vectors */ + td_outb.ipsec_xform.options.iv_gen_disable = 1; + + return test_ipsec_proto_process(&td_outb, NULL, 1, false, &flags); +} + +static int test_ipsec_proto_known_vec_inb(const void *td_outb) { struct ipsec_test_flags flags; @@ -14003,6 +14035,18 @@ static struct unit_test_suite ipsec_proto_testsuite = { .setup = ipsec_proto_testsuite_setup, .unit_test_cases = { TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 192)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, &pkt_aes_192_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 256)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, &pkt_aes_256_gcm), + TEST_CASE_NAMED_WITH_DATA( "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm), diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 78c7f3a..a0b37e7 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c 
@@ -76,6 +76,15 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, return -ENOTSUP; } + if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) && + (ipsec_xform->options.iv_gen_disable == 1) && + (sec_cap->ipsec.options.iv_gen_disable != 1)) { + if (!silent) + RTE_LOG(INFO, USER1, + "Application provided IV is not supported\n"); + return -ENOTSUP; + } + return 0; } @@ -160,9 +169,11 @@ test_ipsec_td_prepare(const struct crypto_param *param1, td->xform.aead.aead.algo = param1->alg.aead; td->xform.aead.aead.key.length = param1->key_length; + + if (flags->iv_gen) + td->ipsec_xform.options.iv_gen_disable = 0; } - RTE_SET_USED(flags); RTE_SET_USED(param2); } @@ -183,6 +194,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], int icv_pos = td_inb[i].input_text.len - 4; td_inb[i].input_text.data[icv_pos] += 1; } + + /* Clear outbound specific flags */ + td_inb[i].ipsec_xform.options.iv_gen_disable = 0; } } -- 2.7.4 ^ permalink raw reply [flat|nested] 17+ messages in thread
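Review bot: the IV copy added to test_ipsec_proto_process takes `len` from the vector's xform and memcpy's it into the op private data at IV_OFFSET without checking it against sizeof(td[i].iv.data) or the space reserved after the op; add a TEST_ASSERT on it so a vector with a wrong `iv.length` fails the test instead of overrunning the buffer. `len` is also declared `int` while `iv.length` is a `uint16_t`; use the same type.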
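Review bot: the test_ipsec_td_prepare hunk only ever clears `iv_gen_disable` (when `flags->iv_gen` is set); when the flag is clear the field keeps whatever the base vector carried, so the outcome of a non-iv_gen test depends on the vector's default. Setting the bit explicitly in both branches makes the intent visible and keeps the generated test data independent of how the vectors are declared.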
* [dpdk-dev] [PATCH v2 0/3] Add user specified IV with lookaside IPsec
From: Anoob Joseph @ 2021-09-06 14:58 UTC
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Add support for using user provided IV with lookaside protocol (IPsec).
Using this option, application can provide IV to be used per operation.
This option can be used for known vector tests (which is otherwise
impossible due to random nature of IV) as well as if application wishes
to use its own random generator source.

Depends on
http://patches.dpdk.org/project/dpdk/list/?series=18642

Changes in v2:
- Updated crypto/cnxk patch to handle non-aes-gcm cases
- Rebased on v3 of lookaside IPsec tests

Anoob Joseph (2):
  security: support user specified IV
  test/crypto: add outbound known vector tests

Tejasree Kondoj (1):
  crypto/cnxk: add IV in SA in lookaside IPsec debug mode

 app/test/test_cryptodev.c                        | 44 +++++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c         | 16 ++++++++-
 doc/guides/rel_notes/release_21_11.rst           |  5 +++
 drivers/crypto/cnxk/cn10k_ipsec.c                | 16 +++++++++
 drivers/crypto/cnxk/cn10k_ipsec.h                |  2 ++
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h         | 44 +++++++++++++++++++++++
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 29 +++++++++++++--
 drivers/crypto/cnxk/meson.build                  |  6 ++++
 lib/security/rte_security.h                      | 14 ++++++++
 9 files changed, 173 insertions(+), 3 deletions(-)

-- 
2.7.4
* [dpdk-dev] [PATCH v2 1/3] security: support user specified IV 2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 0/3] Add user specified IV with lookaside IPsec Anoob Joseph @ 2021-09-06 14:58 ` Anoob Joseph 2021-09-06 19:07 ` Akhil Goyal 2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode Anoob Joseph ` (2 subsequent siblings) 3 siblings, 1 reply; 17+ messages in thread From: Anoob Joseph @ 2021-09-06 14:58 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev Enable user to provide IV to be used per security operation. This would be used with lookaside protocol offload for comparing against known vectors. By default, PMD would generate IV internally and would be random. Signed-off-by: Anoob Joseph <anoobj@marvell.com> --- doc/guides/rel_notes/release_21_11.rst | 5 +++++ lib/security/rte_security.h | 14 ++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 83da727..a1813bd 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -105,6 +105,11 @@ API Changes Also, make sure to start the actual text at the margin. ======================================================= +* security: add IPsec SA option to disable IV generation + + * Added IPsec SA option to disable IV generation to allow known vector + tests as well as usage of application provided IV on supported PMDs. + ABI Changes ----------- diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 88d31de..b4b6776 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h 
@@ -181,6 +181,20 @@ struct rte_security_ipsec_sa_options { * * 0: Disable per session security statistics collection for this SA. */ uint32_t stats : 1; + + /** Disable IV generation in PMD + * + * * 1: Disable IV generation in PMD. When disabled, IV provided in + * rte_crypto_op will be used by the PMD. + * + * * 0: Enable IV generation in PMD. When enabled, PMD generated random + * value would be used and application is not required to provide + * IV. + * + * Note: For inline cases, IV generation would always need to be handled + * by the PMD. + */ + uint32_t iv_gen_disable : 1; }; /** IPSec security association direction */ -- 2.7.4 ^ permalink raw reply [flat|nested] 17+ messages in thread
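Review bot: the release-notes hunk files the new `iv_gen_disable` bit under "API Changes", but a bit added to the `rte_security_ipsec_sa_options` bitfield alters the layout of a public struct embedded in `rte_security_session_conf`, which is an ABI change; move the entry to the "ABI Changes" section that follows in the same file.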
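Review bot: the rte_security.h hunk is unchanged from v1 and its doc comment still does not say where the PMD finds the IV (the `iv.offset`/`iv.length` of the session's cipher or AEAD transform), that support is advertised through `rte_security_capability.ipsec.options.iv_gen_disable`, or that an application taking over IV generation is responsible for IV uniqueness per key with AES-GCM. Please add those three sentences.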
* Re: [dpdk-dev] [PATCH v2 1/3] security: support user specified IV
From: Akhil Goyal @ 2021-09-06 19:07 UTC
To: Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob Kollanukkaran, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

> Enable user to provide IV to be used per security operation. This
> would be used with lookaside protocol offload for comparing
> against known vectors.
>
> By default, PMD would generate IV internally and would be random.
>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>
* [dpdk-dev] [PATCH v2 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode 2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 0/3] Add user specified IV with lookaside IPsec Anoob Joseph 2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 1/3] security: support user specified IV Anoob Joseph @ 2021-09-06 14:58 ` Anoob Joseph 2021-09-06 19:08 ` Akhil Goyal 2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 3/3] test/crypto: add outbound known vector tests Anoob Joseph 2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Anoob Joseph 3 siblings, 1 reply; 17+ messages in thread From: Anoob Joseph @ 2021-09-06 14:58 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev, Anoob Joseph From: Tejasree Kondoj <ktejasree@marvell.com> Adding IV in SA in lookaside IPsec debug mode. It helps to verify lookaside PMD using known outbound vectors in lookaside autotest. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- drivers/crypto/cnxk/cn10k_ipsec.c | 16 +++++++++ drivers/crypto/cnxk/cn10k_ipsec.h | 2 ++ drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 44 +++++++++++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 29 +++++++++++++-- drivers/crypto/cnxk/meson.build | 6 ++++ 5 files changed, 95 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c index 5c57cf2..ebb2a7e 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.c +++ b/drivers/crypto/cnxk/cn10k_ipsec.c 
@@ -57,6 +57,22 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa); +#ifdef LA_IPSEC_DEBUG + /* Use IV from application in debug mode */ + if (ipsec_xfrm->options.iv_gen_disable == 1) { + out_sa->w2.s.iv_src = ROC_IE_OT_SA_IV_SRC_FROM_SA; + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + sa->iv_offset = crypto_xfrm->aead.iv.offset; + sa->iv_length = crypto_xfrm->aead.iv.length; + } + } +#else + if (ipsec_xfrm->options.iv_gen_disable != 0) { + plt_err("Application provided IV not supported"); + return -ENOTSUP; + } +#endif + /* Get Rlen calculation data */ ret = cnxk_ipsec_outb_rlens_get(&rlens, ipsec_xfrm, crypto_xfrm); if (ret) diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h index bc52c60..6f974b7 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.h +++ b/drivers/crypto/cnxk/cn10k_ipsec.h @@ -21,6 +21,8 @@ struct cn10k_ipsec_sa { /** Pre-populated CPT inst words */ struct cnxk_cpt_inst_tmpl inst; uint16_t max_extended_len; + uint16_t iv_offset; + uint8_t iv_length; }; struct cn10k_sec_session { diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h index fe91638..862476a 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h +++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h 
@@ -12,6 +12,41 @@ #include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" +static inline void +ipsec_po_sa_iv_set(struct cn10k_ipsec_sa *sess, struct rte_crypto_op *cop) +{ + uint64_t *iv = &sess->out_sa.iv.u64[0]; + uint64_t *tmp_iv; + + memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset), + 16); + tmp_iv = (uint64_t *)iv; + *tmp_iv = rte_be_to_cpu_64(*tmp_iv); + + tmp_iv = (uint64_t *)(iv + 1); + *tmp_iv = rte_be_to_cpu_64(*tmp_iv); +} + +static inline void +ipsec_po_sa_aes_gcm_iv_set(struct cn10k_ipsec_sa *sess, + struct rte_crypto_op *cop) +{ + uint8_t *iv = &sess->out_sa.iv.s.iv_dbg1[0]; + uint32_t *tmp_iv; + + memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset), + 4); + tmp_iv = (uint32_t *)iv; + *tmp_iv = rte_be_to_cpu_32(*tmp_iv); + + iv = &sess->out_sa.iv.s.iv_dbg2[0]; + memcpy(iv, + rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset + 4), + 4); + tmp_iv = (uint32_t *)iv; + *tmp_iv = rte_be_to_cpu_32(*tmp_iv); +} + static __rte_always_inline int process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, struct cpt_inst_s *inst) @@ -24,6 +59,15 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, return -ENOMEM; } +#ifdef LA_IPSEC_DEBUG + if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) { + if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM) + ipsec_po_sa_aes_gcm_iv_set(sess, cop); + else + ipsec_po_sa_iv_set(sess, cop); + } +#endif + /* Prepare CPT instruction */ inst->w4.u64 = sess->inst.w4; inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index c4f7824..4b97639 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c 
@@ -807,7 +807,7 @@ static const struct rte_security_capability sec_caps_templ[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, - .options = { 0 } + .options = { 0 }, }, .crypto_capabilities = NULL, }, @@ -818,7 +818,7 @@ static const struct rte_security_capability sec_caps_templ[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, - .options = { 0 } + .options = { 0 }, }, .crypto_capabilities = NULL, }, @@ -913,6 +913,24 @@ cnxk_sec_caps_update(struct rte_security_capability *sec_cap) sec_cap->ipsec.options.udp_encap = 1; } +static void +cn10k_sec_caps_update(struct rte_security_capability *sec_cap) +{ + if (sec_cap->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { +#ifdef LA_IPSEC_DEBUG + sec_cap->ipsec.options.iv_gen_disable = 1; +#endif + } +} + +static void +cn9k_sec_caps_update(struct rte_security_capability *sec_cap) +{ + if (sec_cap->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + sec_cap->ipsec.options.iv_gen_disable = 1; + } +} + void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) { @@ -928,6 +946,13 @@ cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) vf->sec_caps[i].crypto_capabilities = vf->sec_crypto_caps; cnxk_sec_caps_update(&vf->sec_caps[i]); + + if (roc_model_is_cn10k()) + cn10k_sec_caps_update(&vf->sec_caps[i]); + + if (roc_model_is_cn9k()) + cn9k_sec_caps_update(&vf->sec_caps[i]); + } } diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build index e40d132..437d208 100644 --- a/drivers/crypto/cnxk/meson.build +++ b/drivers/crypto/cnxk/meson.build 
@@ -24,3 +24,9 @@ sources = files( deps += ['bus_pci', 'common_cnxk', 'security', 'eventdev'] includes += include_directories('../../../lib/net') + +if get_option('buildtype').contains('debug') + cflags += [ '-DLA_IPSEC_DEBUG' ] +else + cflags += [ '-ULA_IPSEC_DEBUG' ] +endif -- 2.7.4 ^ permalink raw reply [flat|nested] 17+ messages in thread
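Review bot: the cn10k_ipsec.c hunk still records `iv_offset`/`iv_length` only when `crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD`, yet this version adds a non-GCM path (`ipsec_po_sa_iv_set`) that reads from `sess->iv_offset`; for a cipher/auth chain that offset is never set, so the 16-byte memcpy reads relative to offset 0 of the rte_crypto_op. Record `crypto_xfrm->cipher.iv.offset`/`.length` for the cipher case (the cipher xform may not be the first in the chain) or reject non-AEAD transforms with -ENOTSUP.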
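Review bot: in `ipsec_po_sa_iv_set` (first cn10k_ipsec_la_ops.h hunk), `iv` is already a `uint64_t *`, so `tmp_iv = (uint64_t *)iv` and the second cast are no-ops; `iv[0] = rte_be_to_cpu_64(iv[0]); iv[1] = rte_be_to_cpu_64(iv[1]);` says the same. More importantly the memcpy copies a fixed 16 bytes whatever `sess->iv_length` holds; a cipher with a shorter IV (8 bytes for 3DES-CBC, for example) would read 8 bytes beyond the application's IV and write them into the SA. Use `iv_length`, or reject lengths other than 16 at SA creation. `ipsec_po_sa_aes_gcm_iv_set` still casts the `iv_dbg1`/`iv_dbg2` byte arrays to `uint32_t *`, which is a strict-aliasing violation; swap on a local variable instead.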
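Review bot: the dispatch on `w2.s.enc_type` in the process_outb_sa hunk is fine, but the per-operation write into `sess->out_sa` (both helpers) remains unsafe for concurrent operations on one session: the CPT reads the IV from the SA when it executes the instruction, so a second enqueue before the first completes replaces its IV. A comment next to the #ifdef stating that this debug mode assumes one in-flight operation per session would prevent misuse.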
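Review bot: the two hunks that only add a trailing comma after `.options = { 0 }` are unrelated cleanup and should go in their own patch (or be dropped), so that the functional change to the capability table is reviewable on its own.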
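Review bot: `cn9k_sec_caps_update` advertises `iv_gen_disable` for every egress capability unconditionally, yet nothing in this series touches the cn9k datapath; if cn9k already consumes the IV from the op, the commit message should say so, otherwise the capability is over-advertised and the new known-vector tests will run and fail on cn9k instead of being skipped. In `cn10k_sec_caps_update` the `#ifdef` would be clearer around the whole function body, which avoids an empty `if` block in non-debug builds.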
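Review bot: the meson.build hunk enables LA_IPSEC_DEBUG for every buildtype whose name contains 'debug', which includes `debugoptimized`; test for equality if only plain debug builds are meant. The `-ULA_IPSEC_DEBUG` branch undefines a macro nothing defines and can be removed.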
* Re: [dpdk-dev] [PATCH v2 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode
From: Akhil Goyal @ 2021-09-06 19:08 UTC
To: Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Tejasree Kondoj, Jerin Jacob Kollanukkaran, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev, Anoob Joseph

> From: Tejasree Kondoj <ktejasree@marvell.com>
>
> Adding IV in SA in lookaside IPsec debug mode. It helps
> to verify lookaside PMD using known outbound vectors in
> lookaside autotest.
>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
* [dpdk-dev] [PATCH v2 3/3] test/crypto: add outbound known vector tests 2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 0/3] Add user specified IV with lookaside IPsec Anoob Joseph 2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 1/3] security: support user specified IV Anoob Joseph 2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode Anoob Joseph @ 2021-09-06 14:58 ` Anoob Joseph 2021-09-06 19:09 ` Akhil Goyal 2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Anoob Joseph 3 siblings, 1 reply; 17+ messages in thread From: Anoob Joseph @ 2021-09-06 14:58 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev Add outbound known vector tests. The tests would be skipped on PMDs which do not support IV provided by application. Signed-off-by: Anoob Joseph <anoobj@marvell.com> --- app/test/test_cryptodev.c | 44 ++++++++++++++++++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 16 +++++++++++- 2 files changed, 59 insertions(+), 1 deletion(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index b7c5270..1024f93 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c 
@@ -8978,6 +8978,22 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], ut_params->op->sym->m_src = ut_params->ibuf; ut_params->op->sym->m_dst = NULL; + /* Copy IV in crypto operation when IV generation is disabled */ + if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && + ipsec_xform.options.iv_gen_disable == 1) { + uint8_t *iv = rte_crypto_op_ctod_offset(ut_params->op, + uint8_t *, + IV_OFFSET); + int len; + + if (td[i].aead) + len = td[i].xform.aead.aead.iv.length; + else + len = td[i].xform.chain.cipher.cipher.iv.length; + + memcpy(iv, td[i].iv.data, len); + } + /* Process crypto operation */ process_crypto_request(dev_id, ut_params->op); @@ -9015,6 +9031,22 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], } static int +test_ipsec_proto_known_vec(const void *test_data) +{ + struct ipsec_test_data td_outb; + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + memcpy(&td_outb, test_data, sizeof(td_outb)); + + /* Disable IV gen to be able to test with known vectors */ + td_outb.ipsec_xform.options.iv_gen_disable = 1; + + return test_ipsec_proto_process(&td_outb, NULL, 1, false, &flags); +} + +static int test_ipsec_proto_known_vec_inb(const void *td_outb) { struct ipsec_test_flags flags; 
@@ -14018,6 +14050,18 @@ static struct unit_test_suite ipsec_proto_testsuite = { .setup = ipsec_proto_testsuite_setup, .unit_test_cases = { TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 192)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, &pkt_aes_192_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 256)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, &pkt_aes_256_gcm), + TEST_CASE_NAMED_WITH_DATA( "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm), diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 5b54996..f371b15 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -77,6 +77,15 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, return -ENOTSUP; } + if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) && + (ipsec_xform->options.iv_gen_disable == 1) && + (sec_cap->ipsec.options.iv_gen_disable != 1)) { + if (!silent) + RTE_LOG(INFO, USER1, + "Application provided IV is not supported\n"); + return -ENOTSUP; + } + return 0; } @@ -161,9 +170,11 @@ test_ipsec_td_prepare(const struct crypto_param *param1, td->xform.aead.aead.algo = param1->alg.aead; td->xform.aead.aead.key.length = param1->key_length; + + if (flags->iv_gen) + td->ipsec_xform.options.iv_gen_disable = 0; } - RTE_SET_USED(flags); RTE_SET_USED(param2); } 
@@ -187,6 +198,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], if (flags->udp_encap) td_inb[i].ipsec_xform.options.udp_encap = 1; + + /* Clear outbound specific flags */ + td_inb[i].ipsec_xform.options.iv_gen_disable = 0; } } -- 2.7.4 ^ permalink raw reply [flat|nested] 17+ messages in thread
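Review bot: the IV copy in the test_ipsec_proto_process hunk should assert that `len` does not exceed sizeof(td[i].iv.data) and the IV space reserved after the op before the memcpy; a vector with a mismatched `iv.length` currently overruns silently. `len` should also be `uint16_t` to match `iv.length`.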
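Review bot: the three outbound known-vector cases added to ipsec_proto_testsuite are all AES-GCM, while the companion crypto/cnxk patch in this version adds a non-GCM IV path (`ipsec_po_sa_iv_set`); nothing in the suite exercises it. Adding one cipher/auth chain vector (AES-CBC with an HMAC, for instance) as an outbound known-vector case would cover that path and the `chain.cipher.cipher.iv.length` branch of the IV copy.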
* Re: [dpdk-dev] [PATCH v2 3/3] test/crypto: add outbound known vector tests
From: Akhil Goyal @ 2021-09-06 19:09 UTC
To: Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob Kollanukkaran, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

> Add outbound known vector tests. The tests would be skipped on PMDs
> which do not support IV provided by application.
>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>
* [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec 2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 0/3] Add user specified IV with lookaside IPsec Anoob Joseph ` (2 preceding siblings ...) 2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 3/3] test/crypto: add outbound known vector tests Anoob Joseph @ 2021-09-07 16:17 ` Anoob Joseph 2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 1/3] security: support user specified IV Anoob Joseph ` (3 more replies) 3 siblings, 4 replies; 17+ messages in thread From: Anoob Joseph @ 2021-09-07 16:17 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev Add support for using user provided IV with lookaside protocol (IPsec). Using this option, application can provide IV to be used per operation. This option can be used for known vector tests (which is otherwise impossible due to random nature of IV) as well as if application wishes to use its own random generator source. 
Depends on http://patches.dpdk.org/project/dpdk/list/?series=18642 Changes in v3: - Moved release notes update to ABI section instead of API section Changes in v2: - Updated crypto/cnxk patch to handle non-aes-gcm cases - Rebased on v3 of lookaside IPsec tests Anoob Joseph (2): security: support user specified IV test/crypto: add outbound known vector tests Tejasree Kondoj (1): crypto/cnxk: add IV in SA in lookaside IPsec debug mode app/test/test_cryptodev.c | 44 +++++++++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 16 ++++++++- doc/guides/rel_notes/release_21_11.rst | 5 +++ drivers/crypto/cnxk/cn10k_ipsec.c | 16 +++++++++ drivers/crypto/cnxk/cn10k_ipsec.h | 2 ++ drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 44 +++++++++++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 29 +++++++++++++-- drivers/crypto/cnxk/meson.build | 6 ++++ lib/security/rte_security.h | 14 ++++++++ 9 files changed, 173 insertions(+), 3 deletions(-) -- 2.7.4 ^ permalink raw reply [flat|nested] 17+ messages in thread
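The cover letter makes two claims worth seeing in code: a known-vector test is impossible while the PMD draws the IV, and with iv_gen_disable the application takes over IV selection. The block below is an added example, not DPDK or cnxk code. It models that contract with a toy keystream (SplitMix64 used as a PRF, standing in for the AES-GCM/CTR keystream of an ESP SA; no ESP header, sequence number or ICV). The names toy_sa, toy_sa_create, toy_esp_outb and the two property functions are hypothetical, and the key, IV and plaintexts are constructed. It shows the capability refusal the test suite performs, the reproducibility a KAT needs, and the reason the option is dangerous outside testing: reuse of one application IV under one key leaks the XOR of the plaintexts.

```c
/* Added example, not DPDK or cnxk code: a toy model of the iv_gen_disable
 * contract. The keystream is NOT a cipher; it stands in for AES-GCM/CTR. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16
#define IV_LEN   8                    /* explicit ESP IV for AES-GCM/CTR */

struct toy_sa {                       /* hypothetical SA: option + PMD state */
    uint8_t  key[KEY_LEN];
    int      iv_gen_disable;          /* 1: IV from the op; 0: PMD generates */
    uint64_t pmd_rng;                 /* PMD-internal IV generator state */
};

static uint64_t mix64(uint64_t x)     /* SplitMix64 finaliser as a toy PRF */
{
    x += 0x9E3779B97F4A7C15ULL;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

/* Stream keyed by (key, iv): as with AES-CTR/GCM, a repeated (key, iv) pair
 * yields the identical keystream, so ct1 ^ ct2 == pt1 ^ pt2. */
static void keystream_xor(const struct toy_sa *sa, const uint8_t *iv,
                          const uint8_t *in, uint8_t *out, size_t len)
{
    uint64_t k[2], n;
    memcpy(k, sa->key, KEY_LEN);
    memcpy(&n, iv, IV_LEN);
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ (uint8_t)mix64(mix64(k[0]) ^ k[1] ^ mix64(n + i));
}

/* Like test_ipsec_sec_caps_verify(): application IV only if the PMD advertises it */
int toy_sa_create(struct toy_sa *sa, const uint8_t *key, int iv_gen_disable,
                  int pmd_advertises_iv_gen_disable)
{
    if (iv_gen_disable && !pmd_advertises_iv_gen_disable)
        return -ENOTSUP;
    memcpy(sa->key, key, KEY_LEN);
    sa->iv_gen_disable = iv_gen_disable;
    sa->pmd_rng = 0x243F6A8885A308D3ULL;   /* constructed seed */
    return 0;
}

/* One outbound op: op_iv is the IV the application placed in the crypto op,
 * consulted only when iv_gen_disable = 1; iv_out receives the IV used. */
int toy_esp_outb(struct toy_sa *sa, const uint8_t *op_iv, const uint8_t *pt,
                 size_t len, uint8_t *iv_out, uint8_t *ct)
{
    if (!sa->iv_gen_disable) {            /* PMD draws a fresh IV per op */
        sa->pmd_rng = mix64(sa->pmd_rng);
        op_iv = (const uint8_t *)&sa->pmd_rng;
    } else if (op_iv == NULL) {
        return -EINVAL;
    }
    memcpy(iv_out, op_iv, IV_LEN);
    keystream_xor(sa, iv_out, pt, ct, len);
    return 0;
}

static const uint8_t kat_key[KEY_LEN] = {  /* constructed known-vector inputs */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
static const uint8_t kat_iv[IV_LEN] = { 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t kat_pt[] = "known vector";
#define KAT_LEN (sizeof(kat_pt) - 1)

/* 1 if two ops on one SA give identical (iv, ct): true with the caller's IV
 * (what a known-vector test needs), 0 with PMD-generated IVs, -1 on error. */
int toy_same_output_twice(int iv_gen_disable)
{
    struct toy_sa sa;
    const uint8_t *op_iv = iv_gen_disable ? kat_iv : NULL;
    uint8_t iv1[IV_LEN], iv2[IV_LEN], ct1[KAT_LEN], ct2[KAT_LEN];
    if (toy_sa_create(&sa, kat_key, iv_gen_disable, 1) != 0 ||
        toy_esp_outb(&sa, op_iv, kat_pt, KAT_LEN, iv1, ct1) != 0 ||
        toy_esp_outb(&sa, op_iv, kat_pt, KAT_LEN, iv2, ct2) != 0)
        return -1;
    return memcmp(iv1, iv2, IV_LEN) == 0 && memcmp(ct1, ct2, KAT_LEN) == 0;
}

/* 1 if reusing one application IV under one key leaks p1 ^ p2 through
 * c1 ^ c2; with real AES-GCM the same reuse also exposes the auth subkey. */
int toy_iv_reuse_leaks_xor(void)
{
    static const uint8_t p1[] = "attack at dawn", p2[] = "retreat at six";
    uint8_t iv[IV_LEN], c1[sizeof(p1)], c2[sizeof(p1)];   /* same length */
    struct toy_sa sa;
    if (toy_sa_create(&sa, kat_key, 1, 1) != 0 ||
        toy_esp_outb(&sa, kat_iv, p1, sizeof(p1), iv, c1) != 0 ||
        toy_esp_outb(&sa, kat_iv, p2, sizeof(p1), iv, c2) != 0)
        return 0;
    for (size_t i = 0; i < sizeof(p1); i++)
        if ((c1[i] ^ c2[i]) != (p1[i] ^ p2[i]))
            return 0;
    return 1;
}
```

toy_same_output_twice(1) returns 1 and toy_same_output_twice(0) returns 0, which is the whole reason the option exists; toy_iv_reuse_leaks_xor returns 1, which is why the cnxk patch keeps it out of release builds on cn10k. The -ENOTSUP refusal in toy_sa_create is the same shape as the skip in test_ipsec_sec_caps_verify and the non-debug branch of cn10k_ipsec_outb_sa_create.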
* [dpdk-dev] [PATCH v3 1/3] security: support user specified IV 2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Anoob Joseph @ 2021-09-07 16:17 ` Anoob Joseph 2021-09-16 11:14 ` Ananyev, Konstantin 2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode Anoob Joseph ` (2 subsequent siblings) 3 siblings, 1 reply; 17+ messages in thread From: Anoob Joseph @ 2021-09-07 16:17 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev Enable user to provide IV to be used per security operation. This would be used with lookaside protocol offload for comparing against known vectors. By default, PMD would generate IV internally and would be random. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com> --- doc/guides/rel_notes/release_21_11.rst | 5 +++++ lib/security/rte_security.h | 14 ++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 411fa95..9b14c84 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -118,6 +118,11 @@ ABI Changes Also, make sure to start the actual text at the margin. ======================================================= +* security: add IPsec SA option to disable IV generation + + * Added IPsec SA option to disable IV generation to allow known vector + tests as well as usage of application provided IV on supported PMDs. + Known Issues ------------ diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 88d31de..b4b6776 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h 
@@ -181,6 +181,20 @@ struct rte_security_ipsec_sa_options { * * 0: Disable per session security statistics collection for this SA. */ uint32_t stats : 1; + + /** Disable IV generation in PMD + * + * * 1: Disable IV generation in PMD. When disabled, IV provided in + * rte_crypto_op will be used by the PMD. + * + * * 0: Enable IV generation in PMD. When enabled, PMD generated random + * value would be used and application is not required to provide + * IV. + * + * Note: For inline cases, IV generation would always need to be handled + * by the PMD. + */ + uint32_t iv_gen_disable : 1; }; /** IPSec security association direction */ -- 2.7.4 ^ permalink raw reply [flat|nested] 17+ messages in thread
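Review bot: the new iv_gen_disable comment says the IV "provided in rte_crypto_op" is used but not where the PMD reads it from; state that it is the iv.offset/iv.length of the AEAD or cipher xform the SA was created with, so applications and PMDs agree on the location. It should also say that IV uniqueness becomes the application's responsibility once the bit is set: with AES-GCM or AES-CTR a repeated IV under one key breaks confidentiality and, for GCM, allows recovery of the authentication subkey, which is why this belongs to known-vector testing rather than production traffic. Finally, the inline note ("IV generation would always need to be handled by the PMD") does not say what a PMD does if the bit is set on an inline SA; document that session creation fails with -ENOTSUP rather than silently ignoring the option.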
* Re: [dpdk-dev] [PATCH v3 1/3] security: support user specified IV 2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 1/3] security: support user specified IV Anoob Joseph @ 2021-09-16 11:14 ` Ananyev, Konstantin 0 siblings, 0 replies; 17+ messages in thread From: Ananyev, Konstantin @ 2021-09-16 11:14 UTC (permalink / raw) To: Anoob Joseph, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan Cc: Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Nicolau, Radu, Power, Ciara, Gagandeep Singh, dev > > Enable user to provide IV to be used per security operation. This > would be used with lookaside protocol offload for comparing > against known vectors. > > By default, PMD would generate IV internally and would be random. > > Signed-off-by: Anoob Joseph <anoobj@marvell.com> > Acked-by: Akhil Goyal <gakhil@marvell.com> > --- > doc/guides/rel_notes/release_21_11.rst | 5 +++++ > lib/security/rte_security.h | 14 ++++++++++++++ > 2 files changed, 19 insertions(+) > > diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst > index 411fa95..9b14c84 100644 > --- a/doc/guides/rel_notes/release_21_11.rst > +++ b/doc/guides/rel_notes/release_21_11.rst > @@ -118,6 +118,11 @@ ABI Changes > Also, make sure to start the actual text at the margin. > ======================================================= > > +* security: add IPsec SA option to disable IV generation > + > + * Added IPsec SA option to disable IV generation to allow known vector > + tests as well as usage of application provided IV on supported PMDs. > + > > Known Issues > ------------ > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h > index 88d31de..b4b6776 100644 > --- a/lib/security/rte_security.h > +++ b/lib/security/rte_security.h 
> @@ -181,6 +181,20 @@ struct rte_security_ipsec_sa_options { > * * 0: Disable per session security statistics collection for this SA. > */ > uint32_t stats : 1; > + > + /** Disable IV generation in PMD > + * > + * * 1: Disable IV generation in PMD. When disabled, IV provided in > + * rte_crypto_op will be used by the PMD. > + * > + * * 0: Enable IV generation in PMD. When enabled, PMD generated random > + * value would be used and application is not required to provide > + * IV. > + * > + * Note: For inline cases, IV generation would always need to be handled > + * by the PMD. > + */ > + uint32_t iv_gen_disable : 1; > }; > > /** IPSec security association direction */ > -- Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > 2.7.4 ^ permalink raw reply [flat|nested] 17+ messages in thread
* [dpdk-dev] [PATCH v3 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode 2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Anoob Joseph 2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 1/3] security: support user specified IV Anoob Joseph @ 2021-09-07 16:17 ` Anoob Joseph 2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 3/3] test/crypto: add outbound known vector tests Anoob Joseph 2021-09-28 8:32 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Akhil Goyal 3 siblings, 0 replies; 17+ messages in thread From: Anoob Joseph @ 2021-09-07 16:17 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev, Anoob Joseph From: Tejasree Kondoj <ktejasree@marvell.com> Adding IV in SA in lookaside IPsec debug mode. It helps to verify lookaside PMD using known outbound vectors in lookaside autotest. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com> --- drivers/crypto/cnxk/cn10k_ipsec.c | 16 +++++++++ drivers/crypto/cnxk/cn10k_ipsec.h | 2 ++ drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 44 +++++++++++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 29 +++++++++++++-- drivers/crypto/cnxk/meson.build | 6 ++++ 5 files changed, 95 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c index 5c57cf2..ebb2a7e 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.c +++ b/drivers/crypto/cnxk/cn10k_ipsec.c 
@@ -57,6 +57,22 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa); +#ifdef LA_IPSEC_DEBUG + /* Use IV from application in debug mode */ + if (ipsec_xfrm->options.iv_gen_disable == 1) { + out_sa->w2.s.iv_src = ROC_IE_OT_SA_IV_SRC_FROM_SA; + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + sa->iv_offset = crypto_xfrm->aead.iv.offset; + sa->iv_length = crypto_xfrm->aead.iv.length; + } + } +#else + if (ipsec_xfrm->options.iv_gen_disable != 0) { + plt_err("Application provided IV not supported"); + return -ENOTSUP; + } +#endif + /* Get Rlen calculation data */ ret = cnxk_ipsec_outb_rlens_get(&rlens, ipsec_xfrm, crypto_xfrm); if (ret) diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h index bc52c60..6f974b7 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.h +++ b/drivers/crypto/cnxk/cn10k_ipsec.h @@ -21,6 +21,8 @@ struct cn10k_ipsec_sa { /** Pre-populated CPT inst words */ struct cnxk_cpt_inst_tmpl inst; uint16_t max_extended_len; + uint16_t iv_offset; + uint8_t iv_length; }; struct cn10k_sec_session { diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h index fe91638..862476a 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h +++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h 
@@ -12,6 +12,41 @@ #include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" +static inline void +ipsec_po_sa_iv_set(struct cn10k_ipsec_sa *sess, struct rte_crypto_op *cop) +{ + uint64_t *iv = &sess->out_sa.iv.u64[0]; + uint64_t *tmp_iv; + + memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset), + 16); + tmp_iv = (uint64_t *)iv; + *tmp_iv = rte_be_to_cpu_64(*tmp_iv); + + tmp_iv = (uint64_t *)(iv + 1); + *tmp_iv = rte_be_to_cpu_64(*tmp_iv); +} + +static inline void +ipsec_po_sa_aes_gcm_iv_set(struct cn10k_ipsec_sa *sess, + struct rte_crypto_op *cop) +{ + uint8_t *iv = &sess->out_sa.iv.s.iv_dbg1[0]; + uint32_t *tmp_iv; + + memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset), + 4); + tmp_iv = (uint32_t *)iv; + *tmp_iv = rte_be_to_cpu_32(*tmp_iv); + + iv = &sess->out_sa.iv.s.iv_dbg2[0]; + memcpy(iv, + rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset + 4), + 4); + tmp_iv = (uint32_t *)iv; + *tmp_iv = rte_be_to_cpu_32(*tmp_iv); +} + static __rte_always_inline int process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, struct cpt_inst_s *inst) @@ -24,6 +59,15 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, return -ENOMEM; } +#ifdef LA_IPSEC_DEBUG + if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) { + if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM) + ipsec_po_sa_aes_gcm_iv_set(sess, cop); + else + ipsec_po_sa_iv_set(sess, cop); + } +#endif + /* Prepare CPT instruction */ inst->w4.u64 = sess->inst.w4; inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index c4f7824..4b97639 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c 
@@ -807,7 +807,7 @@ static const struct rte_security_capability sec_caps_templ[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, - .options = { 0 } + .options = { 0 }, }, .crypto_capabilities = NULL, }, @@ -818,7 +818,7 @@ static const struct rte_security_capability sec_caps_templ[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, - .options = { 0 } + .options = { 0 }, }, .crypto_capabilities = NULL, }, @@ -913,6 +913,24 @@ cnxk_sec_caps_update(struct rte_security_capability *sec_cap) sec_cap->ipsec.options.udp_encap = 1; } +static void +cn10k_sec_caps_update(struct rte_security_capability *sec_cap) +{ + if (sec_cap->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { +#ifdef LA_IPSEC_DEBUG + sec_cap->ipsec.options.iv_gen_disable = 1; +#endif + } +} + +static void +cn9k_sec_caps_update(struct rte_security_capability *sec_cap) +{ + if (sec_cap->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + sec_cap->ipsec.options.iv_gen_disable = 1; + } +} + void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) { @@ -928,6 +946,13 @@ cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) vf->sec_caps[i].crypto_capabilities = vf->sec_crypto_caps; cnxk_sec_caps_update(&vf->sec_caps[i]); + + if (roc_model_is_cn10k()) + cn10k_sec_caps_update(&vf->sec_caps[i]); + + if (roc_model_is_cn9k()) + cn9k_sec_caps_update(&vf->sec_caps[i]); + } } diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build index e40d132..437d208 100644 --- a/drivers/crypto/cnxk/meson.build +++ b/drivers/crypto/cnxk/meson.build 
@@ -24,3 +24,9 @@ sources = files( deps += ['bus_pci', 'common_cnxk', 'security', 'eventdev'] includes += include_directories('../../../lib/net') + +if get_option('buildtype').contains('debug') + cflags += [ '-DLA_IPSEC_DEBUG' ] +else + cflags += [ '-ULA_IPSEC_DEBUG' ] +endif -- 2.7.4 ^ permalink raw reply [flat|nested] 17+ messages in thread
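Review bot: in the cn10k_ipsec_outb_sa_create hunk, the LA_IPSEC_DEBUG branch fills sa->iv_offset and sa->iv_length only when crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD, yet it sets out_sa->w2.s.iv_src = ROC_IE_OT_SA_IV_SRC_FROM_SA for every xform type, so for a cipher+auth chain process_outb_sa later reads the IV from whatever sess->iv_offset holds (zero for a freshly zeroed SA). Either take the offset and length from the cipher element of the chain (crypto_xfrm->cipher.iv, walking to the cipher xform when the chain starts with auth) or return -ENOTSUP for non-AEAD xforms in this branch; as written, iv_length is stored and never consulted.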
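Review bot: in the cn10k_ipsec_la_ops.h hunk, ipsec_po_sa_iv_set copies a hard-coded 16 bytes from the op and ipsec_po_sa_aes_gcm_iv_set copies 4 + 4 bytes, regardless of the iv.length the SA was created with; an SA configured with a shorter IV reads past the IV region of the op. Use sess->iv_length for the memcpy and reject lengths the SA format cannot hold at SA create time. Both helpers also write into sess->out_sa on the data path, so two lcores submitting on the same session would race on out_sa.iv; a comment that debug mode assumes one submitter per SA, or a note in the commit message, would save the next reader a surprise.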
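Review bot: in cnxk_cryptodev_capabilities.c, cn9k_sec_caps_update advertises iv_gen_disable = 1 for every egress capability unconditionally, but nothing else in this patch touches the cn9k data path (only cn10k_ipsec.c and cn10k_ipsec_la_ops.h change), so on cn9k the bit is either already honoured by existing code or advertised without being implemented. If the former, say so in the commit message ("cn9k already takes the outbound IV from the op"); if the latter, drop the cn9k hunk until that path consumes the op IV. Note also that, unlike cn10k, cn9k advertises the option in release builds, so the IV-uniqueness caveat from the rte_security.h patch applies there without any debug-only guard.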
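Review bot: in meson.build, get_option('buildtype').contains('debug') also matches 'debugoptimized', so LA_IPSEC_DEBUG, and with it the application-IV SA path, is compiled into debugoptimized builds that some distributions ship; compare against 'debug' exactly, or gate it on an explicit meson option. The -ULA_IPSEC_DEBUG in the else branch undefines a macro that was never defined and can be dropped.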
* [dpdk-dev] [PATCH v3 3/3] test/crypto: add outbound known vector tests 2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Anoob Joseph 2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 1/3] security: support user specified IV Anoob Joseph 2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode Anoob Joseph @ 2021-09-07 16:17 ` Anoob Joseph 2021-09-28 8:32 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Akhil Goyal 3 siblings, 0 replies; 17+ messages in thread From: Anoob Joseph @ 2021-09-07 16:17 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev Add outbound known vector tests. The tests would be skipped on PMDs which do not support IV provided by application. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com> --- app/test/test_cryptodev.c | 44 ++++++++++++++++++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 16 +++++++++++- 2 files changed, 59 insertions(+), 1 deletion(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index fefab3c..dd68080 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c 
@@ -8978,6 +8978,22 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], ut_params->op->sym->m_src = ut_params->ibuf; ut_params->op->sym->m_dst = NULL; + /* Copy IV in crypto operation when IV generation is disabled */ + if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && + ipsec_xform.options.iv_gen_disable == 1) { + uint8_t *iv = rte_crypto_op_ctod_offset(ut_params->op, + uint8_t *, + IV_OFFSET); + int len; + + if (td[i].aead) + len = td[i].xform.aead.aead.iv.length; + else + len = td[i].xform.chain.cipher.cipher.iv.length; + + memcpy(iv, td[i].iv.data, len); + } + /* Process crypto operation */ process_crypto_request(dev_id, ut_params->op); @@ -9015,6 +9031,22 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], } static int +test_ipsec_proto_known_vec(const void *test_data) +{ + struct ipsec_test_data td_outb; + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + memcpy(&td_outb, test_data, sizeof(td_outb)); + + /* Disable IV gen to be able to test with known vectors */ + td_outb.ipsec_xform.options.iv_gen_disable = 1; + + return test_ipsec_proto_process(&td_outb, NULL, 1, false, &flags); +} + +static int test_ipsec_proto_known_vec_inb(const void *td_outb) { struct ipsec_test_flags flags; 
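Review bot: the IV copy in test_ipsec_proto_process writes the vector's IV at the fixed IV_OFFSET in the op, while the cnxk PMD reads it from the offset recorded at SA create (crypto_xfrm->aead.iv.offset); the test only works because the vectors set aead.iv.offset == IV_OFFSET. Use td[i].xform.aead.aead.iv.offset (and the chain cipher's iv.offset in the !td[i].aead case) instead of the constant, so the test and the driver cannot drift apart, and len already comes from the same xform so the two would then agree by construction.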
@@ -14019,6 +14051,18 @@ static struct unit_test_suite ipsec_proto_testsuite = { .setup = ipsec_proto_testsuite_setup, .unit_test_cases = { TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 192)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, &pkt_aes_192_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 256)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, &pkt_aes_256_gcm), + TEST_CASE_NAMED_WITH_DATA( "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm), diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 5b54996..f371b15 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -77,6 +77,15 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, return -ENOTSUP; } + if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) && + (ipsec_xform->options.iv_gen_disable == 1) && + (sec_cap->ipsec.options.iv_gen_disable != 1)) { + if (!silent) + RTE_LOG(INFO, USER1, + "Application provided IV is not supported\n"); + return -ENOTSUP; + } + return 0; } @@ -161,9 +170,11 @@ test_ipsec_td_prepare(const struct crypto_param *param1, td->xform.aead.aead.algo = param1->alg.aead; td->xform.aead.aead.key.length = param1->key_length; + + if (flags->iv_gen) + td->ipsec_xform.options.iv_gen_disable = 0; } - RTE_SET_USED(flags); RTE_SET_USED(param2); } 
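Review bot: in the test_ipsec_td_prepare hunk, `if (flags->iv_gen) td->ipsec_xform.options.iv_gen_disable = 0;` only ever clears the bit and nothing sets it when flags->iv_gen is 0, so whether the combined tests pass an application IV depends entirely on the vector's own default for iv_gen_disable, and removing RTE_SET_USED(flags) suggests this is meant to be the flag's only effect. Make the intent explicit: either `td->ipsec_xform.options.iv_gen_disable = !flags->iv_gen;` if every combined test is meant to supply an IV when the flag is clear, or a short comment that the vectors carry iv_gen_disable = 0 and the assignment exists only for data copied from an outbound known-vector run.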
@@ -187,6 +198,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], if (flags->udp_encap) td_inb[i].ipsec_xform.options.udp_encap = 1; + + /* Clear outbound specific flags */ + td_inb[i].ipsec_xform.options.iv_gen_disable = 0; } } -- 2.7.4 ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec 2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Anoob Joseph ` (2 preceding siblings ...) 2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 3/3] test/crypto: add outbound known vector tests Anoob Joseph @ 2021-09-28 8:32 ` Akhil Goyal 3 siblings, 0 replies; 17+ messages in thread From: Akhil Goyal @ 2021-09-28 8:32 UTC (permalink / raw) To: Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev Cc: Anoob Joseph, Jerin Jacob Kollanukkaran, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev > Add support for using user provided IV with lookaside protocol (IPsec). Using > this option, application can provide IV to be used per operation. This > option can be used for known vector tests (which is otherwise impossible > due to random nature of IV) as well as if application wishes to use its > own random generator source. > > Depends on > http://patches.dpdk.org/project/dpdk/list/?series=18642 Applied to dpdk-next-crypto Thanks. ^ permalink raw reply [flat|nested] 17+ messages in thread