[PATCH 0/5] Fixes and improvements to cnxk crypto PMDs

[PATCH 0/5] Fixes and improvements to cnxk crypto PMDs

[Anoob Joseph]

Add AES-GMAC and AH mode support in CN9K and CN10K crypto PMDs. Also use
a timeout for SA CTX write operations.

Anoob Joseph (3):
  crypto/cnxk: remove redundant return
  common/cnxk: add timeout for ctx write operation
  crypto/cnxk: use set ctx operation for session destroy

Archana Muniganti (2):
  crypto/cnxk: support AH mode
  crypto/cnxk: support AES-GMAC

 doc/guides/cryptodevs/cnxk.rst                    |   4 +
 doc/guides/rel_notes/release_22_07.rst            |   5 +
 drivers/common/cnxk/cnxk_security.c               |  69 +++++++------
 drivers/common/cnxk/roc_cpt.c                     |  31 ++++--
 drivers/common/cnxk/roc_platform.h                |   7 +-
 drivers/crypto/cnxk/cn10k_ipsec.c                 |  49 ++++++++--
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h          |   3 +-
 drivers/crypto/cnxk/cn9k_ipsec.c                  | 112 ++++++++++++++--------
 drivers/crypto/cnxk/cnxk_cryptodev.h              |   4 +-
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c |  69 +++++++++++++
 drivers/crypto/cnxk/cnxk_ipsec.h                  |  76 +++++++++++----
 drivers/crypto/cnxk/cnxk_se.h                     |  13 +--
 12 files changed, 320 insertions(+), 122 deletions(-)

-- 
2.7.4

[PATCH 1/5] crypto/cnxk: support AH mode

[Anoob Joseph]

From: Archana Muniganti <marchana@marvell.com>

Added IPsec AH mode support in CN9K and CN10K PMD

Signed-off-by: Archana Muniganti <marchana@marvell.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
---
 doc/guides/cryptodevs/cnxk.rst                    |  2 +
 doc/guides/rel_notes/release_22_07.rst            |  4 ++
 drivers/common/cnxk/cnxk_security.c               | 61 ++++++++--------
 drivers/crypto/cnxk/cn10k_ipsec.c                 |  2 +-
 drivers/crypto/cnxk/cn9k_ipsec.c                  | 85 +++++++++++++----------
 drivers/crypto/cnxk/cnxk_cryptodev.h              |  2 +-
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 44 ++++++++++++
 drivers/crypto/cnxk/cnxk_ipsec.h                  | 73 ++++++++++++++-----
 8 files changed, 188 insertions(+), 85 deletions(-)

diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 46431dd..19c4a8b 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -252,6 +252,7 @@ CN9XX Features supported
 * Tunnel mode
 * Transport mode(IPv4)
 * UDP Encapsulation
+* AH
 
 AEAD algorithms
 +++++++++++++++
@@ -284,6 +285,7 @@ CN10XX Features supported
 * Tunnel mode
 * Transport mode
 * UDP Encapsulation
+* AH
 
 AEAD algorithms
 +++++++++++++++
diff --git a/doc/guides/rel_notes/release_22_07.rst b/doc/guides/rel_notes/release_22_07.rst
index 42a5f2d..68857d4 100644
--- a/doc/guides/rel_notes/release_22_07.rst
+++ b/doc/guides/rel_notes/release_22_07.rst
@@ -55,6 +55,10 @@ New Features
      Also, make sure to start the actual text at the margin.
      =======================================================
 
+* **Updated Marvell cnxk crypto PMD.**
+
+  * Added AH mode support in lookaside protocol (IPsec) for CN9K & CN10K.
+
 
 Removed Items
 -------------
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index ec808c0..afefbd2 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -57,25 +57,23 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 			      struct rte_crypto_sym_xform *crypto_xfrm)
 {
 	struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm;
-	const uint8_t *key;
+	const uint8_t *key = NULL;
 	uint32_t *tmp_salt;
 	uint64_t *tmp_key;
-	int length, i;
+	int i, length = 0;
 
 	/* Set direction */
-	switch (ipsec_xfrm->direction) {
-	case RTE_SECURITY_IPSEC_SA_DIR_INGRESS:
+	if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
+		w2->s.dir = ROC_IE_SA_DIR_OUTBOUND;
+	else
 		w2->s.dir = ROC_IE_SA_DIR_INBOUND;
+
+	if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
 		auth_xfrm = crypto_xfrm;
 		cipher_xfrm = crypto_xfrm->next;
-		break;
-	case RTE_SECURITY_IPSEC_SA_DIR_EGRESS:
-		w2->s.dir = ROC_IE_SA_DIR_OUTBOUND;
+	} else {
 		cipher_xfrm = crypto_xfrm;
 		auth_xfrm = crypto_xfrm->next;
-		break;
-	default:
-		return -EINVAL;
 	}
 
 	/* Set protocol - ESP vs AH */
@@ -119,18 +117,23 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 			return -ENOTSUP;
 		}
 	} else {
-		switch (cipher_xfrm->cipher.algo) {
-		case RTE_CRYPTO_CIPHER_NULL:
-			w2->s.enc_type = ROC_IE_OT_SA_ENC_NULL;
-			break;
-		case RTE_CRYPTO_CIPHER_AES_CBC:
-			w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC;
-			break;
-		case RTE_CRYPTO_CIPHER_AES_CTR:
-			w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CTR;
-			break;
-		default:
-			return -ENOTSUP;
+		if (cipher_xfrm != NULL) {
+			switch (cipher_xfrm->cipher.algo) {
+			case RTE_CRYPTO_CIPHER_NULL:
+				w2->s.enc_type = ROC_IE_OT_SA_ENC_NULL;
+				break;
+			case RTE_CRYPTO_CIPHER_AES_CBC:
+				w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC;
+				break;
+			case RTE_CRYPTO_CIPHER_AES_CTR:
+				w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CTR;
+				break;
+			default:
+				return -ENOTSUP;
+			}
+
+			key = cipher_xfrm->cipher.key.data;
+			length = cipher_xfrm->cipher.key.length;
 		}
 
 		switch (auth_xfrm->auth.algo) {
@@ -169,8 +172,6 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 		     i++)
 			tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
 
-		key = cipher_xfrm->cipher.key.data;
-		length = cipher_xfrm->cipher.key.length;
 	}
 
 	/* Set encapsulation type */
@@ -179,11 +180,13 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 
 	w2->s.spi = ipsec_xfrm->spi;
 
-	/* Copy encryption key */
-	memcpy(cipher_key, key, length);
-	tmp_key = (uint64_t *)cipher_key;
-	for (i = 0; i < (int)(ROC_CTX_MAX_CKEY_LEN / sizeof(uint64_t)); i++)
-		tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
+	if (key != NULL && length != 0) {
+		/* Copy encryption key */
+		memcpy(cipher_key, key, length);
+		tmp_key = (uint64_t *)cipher_key;
+		for (i = 0; i < (int)(ROC_CTX_MAX_CKEY_LEN / sizeof(uint64_t)); i++)
+			tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
+	}
 
 	/* Set AES key length */
 	if (w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CBC ||
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 15ebd57..0c9e244 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -74,7 +74,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
 		if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 			sa->iv_offset = crypto_xfrm->aead.iv.offset;
 			sa->iv_length = crypto_xfrm->aead.iv.length;
-		} else {
+		} else if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
 			sa->iv_offset = crypto_xfrm->cipher.iv.offset;
 			sa->iv_length = crypto_xfrm->cipher.iv.length;
 		}
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index 737bafd..eaa3698 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -120,18 +120,19 @@ ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
 	struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
 	int aes_key_len = 0;
 
-	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
-		ctl->direction = ROC_IE_SA_DIR_OUTBOUND;
-		cipher_xform = crypto_xform;
-		auth_xform = crypto_xform->next;
-	} else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
-		ctl->direction = ROC_IE_SA_DIR_INBOUND;
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
 		auth_xform = crypto_xform;
 		cipher_xform = crypto_xform->next;
 	} else {
-		return -EINVAL;
+		cipher_xform = crypto_xform;
+		auth_xform = crypto_xform->next;
 	}
 
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
+		ctl->direction = ROC_IE_SA_DIR_OUTBOUND;
+	else
+		ctl->direction = ROC_IE_SA_DIR_INBOUND;
+
 	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
 		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
 			ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
@@ -167,21 +168,23 @@ ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
 			return -ENOTSUP;
 		}
 	} else {
-		switch (cipher_xform->cipher.algo) {
-		case RTE_CRYPTO_CIPHER_NULL:
-			ctl->enc_type = ROC_IE_ON_SA_ENC_NULL;
-			break;
-		case RTE_CRYPTO_CIPHER_AES_CBC:
-			ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC;
-			aes_key_len = cipher_xform->cipher.key.length;
-			break;
-		case RTE_CRYPTO_CIPHER_AES_CTR:
-			ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CTR;
-			aes_key_len = cipher_xform->cipher.key.length;
-			break;
-		default:
-			plt_err("Unsupported cipher algorithm");
-			return -ENOTSUP;
+		if (cipher_xform != NULL) {
+			switch (cipher_xform->cipher.algo) {
+			case RTE_CRYPTO_CIPHER_NULL:
+				ctl->enc_type = ROC_IE_ON_SA_ENC_NULL;
+				break;
+			case RTE_CRYPTO_CIPHER_AES_CBC:
+				ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC;
+				aes_key_len = cipher_xform->cipher.key.length;
+				break;
+			case RTE_CRYPTO_CIPHER_AES_CTR:
+				ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CTR;
+				aes_key_len = cipher_xform->cipher.key.length;
+				break;
+			default:
+				plt_err("Unsupported cipher algorithm");
+				return -ENOTSUP;
+			}
 		}
 
 		switch (auth_xform->auth.algo) {
@@ -267,15 +270,23 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
 	int cipher_key_len = 0;
 	int ret;
 
+	ret = ipsec_sa_ctl_set(ipsec, crypto_xform, &common_sa->ctl);
+	if (ret)
+		return ret;
+
+	if (ipsec->esn.value) {
+		common_sa->esn_low = ipsec->esn.low;
+		common_sa->esn_hi = ipsec->esn.hi;
+	}
+
+	if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
+		return 0;
+
 	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
 		cipher_xform = crypto_xform->next;
 	else
 		cipher_xform = crypto_xform;
 
-	ret = ipsec_sa_ctl_set(ipsec, crypto_xform, &common_sa->ctl);
-	if (ret)
-		return ret;
-
 	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 		if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
 			memcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4);
@@ -289,11 +300,6 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
 	if (cipher_key_len != 0)
 		memcpy(common_sa->cipher_key, cipher_key, cipher_key_len);
 
-	if (ipsec->esn.value) {
-		common_sa->esn_low = ipsec->esn.low;
-		common_sa->esn_hi = ipsec->esn.hi;
-	}
-
 	return 0;
 }
 
@@ -303,9 +309,9 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
 			  struct rte_crypto_sym_xform *crypto_xform,
 			  struct rte_security_session *sec_sess)
 {
-	struct rte_crypto_sym_xform *auth_xform = crypto_xform->next;
 	struct roc_ie_on_ip_template *template = NULL;
 	struct roc_cpt *roc_cpt = qp->lf.roc_cpt;
+	struct rte_crypto_sym_xform *auth_xform;
 	union roc_on_ipsec_outb_param1 param1;
 	struct cnxk_cpt_inst_tmpl *inst_tmpl;
 	struct roc_ie_on_outb_sa *out_sa;
@@ -338,6 +344,11 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
 	if (ipsec->esn.value)
 		sa->esn = ipsec->esn.value;
 
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH)
+		auth_xform = crypto_xform;
+	else
+		auth_xform = crypto_xform->next;
+
 	ret = fill_ipsec_common_sa(ipsec, crypto_xform, &out_sa->common_sa);
 	if (ret)
 		return ret;
@@ -381,7 +392,10 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
 		template->ip4.udp_src = rte_be_to_cpu_16(4500);
 		template->ip4.udp_dst = rte_be_to_cpu_16(4500);
 	} else {
-		ip4->next_proto_id = IPPROTO_ESP;
+		if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
+			ip4->next_proto_id = IPPROTO_AH;
+		else
+			ip4->next_proto_id = IPPROTO_ESP;
 	}
 
 	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
@@ -480,7 +494,7 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
 		if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 			sa->cipher_iv_off = crypto_xform->aead.iv.offset;
 			sa->cipher_iv_len = crypto_xform->aead.iv.length;
-		} else {
+		} else if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
 			sa->cipher_iv_off = crypto_xform->cipher.iv.offset;
 			sa->cipher_iv_len = crypto_xform->cipher.iv.length;
 		}
@@ -621,7 +635,8 @@ cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec,
 	    ipsec->life.packets_soft_limit != 0)
 		return -ENOTSUP;
 
-	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) {
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT &&
+	    ipsec->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH) {
 		enum rte_crypto_sym_xform_type type = crypto->type;
 
 		if (type == RTE_CRYPTO_SYM_XFORM_AEAD) {
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h
index 16e7572..542c93b 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.h
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.h
@@ -12,7 +12,7 @@
 
 #define CNXK_CPT_MAX_CAPS	 34
 #define CNXK_SEC_CRYPTO_MAX_CAPS 11
-#define CNXK_SEC_MAX_CAPS	 5
+#define CNXK_SEC_MAX_CAPS	 9
 #define CNXK_AE_EC_ID_MAX	 8
 /**
  * Device private data
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 5cb27aa..efd53db 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -988,6 +988,50 @@ static const struct rte_security_capability sec_caps_templ[] = {
 		},
 		.crypto_capabilities = NULL,
 	},
+	{	/* IPsec Lookaside Protocol AH Tunnel Ingress */
+		.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_AH,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+			.options = { 0 },
+		},
+		.crypto_capabilities = NULL,
+	},
+	{	/* IPsec Lookaside Protocol AH Tunnel Egress */
+		.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_AH,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+			.options = { 0 },
+		},
+		.crypto_capabilities = NULL,
+	},
+	{	/* IPsec Lookaside Protocol AH Transport Ingress */
+		.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_AH,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+			.options = { 0 },
+		},
+		.crypto_capabilities = NULL,
+	},
+	{	/* IPsec Lookaside Protocol AH Transport Egress */
+		.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_AH,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+			.options = { 0 },
+		},
+		.crypto_capabilities = NULL,
+	},
 	{
 		.action = RTE_SECURITY_ACTION_TYPE_NONE
 	}
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index f50d9fa..1524217 100644
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -122,28 +122,63 @@ cnxk_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xform,
 	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
 		return ipsec_xform_aead_verify(ipsec_xform, crypto_xform);
 
-	if (crypto_xform->next == NULL)
-		return -EINVAL;
-
-	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
-		/* Ingress */
-		if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
-		    crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
-			return -EINVAL;
-		auth_xform = crypto_xform;
-		cipher_xform = crypto_xform->next;
+	if (ipsec_xform->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) {
+		if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+			/* Ingress */
+			auth_xform = crypto_xform;
+			cipher_xform = crypto_xform->next;
+
+			if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+				return -EINVAL;
+
+			if ((cipher_xform != NULL) && ((cipher_xform->type !=
+			    RTE_CRYPTO_SYM_XFORM_CIPHER) ||
+			    (cipher_xform->cipher.algo !=
+			    RTE_CRYPTO_CIPHER_NULL)))
+				return -EINVAL;
+		} else {
+				/* Egress */
+			if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
+				cipher_xform = crypto_xform;
+				auth_xform = crypto_xform->next;
+
+				if (auth_xform == NULL ||
+				    cipher_xform->cipher.algo !=
+				    RTE_CRYPTO_CIPHER_NULL)
+					return -EINVAL;
+			} else if (crypto_xform->type ==
+				   RTE_CRYPTO_SYM_XFORM_AUTH)
+				auth_xform = crypto_xform;
+			else
+				return -EINVAL;
+		}
 	} else {
-		/* Egress */
-		if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
-		    crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+		if (crypto_xform->next == NULL)
 			return -EINVAL;
-		cipher_xform = crypto_xform;
-		auth_xform = crypto_xform->next;
-	}
 
-	ret = ipsec_xform_cipher_verify(cipher_xform);
-	if (ret)
-		return ret;
+		if (ipsec_xform->direction ==
+		    RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+			/* Ingress */
+			if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+			    crypto_xform->next->type !=
+				    RTE_CRYPTO_SYM_XFORM_CIPHER)
+				return -EINVAL;
+			auth_xform = crypto_xform;
+			cipher_xform = crypto_xform->next;
+		} else {
+			/* Egress */
+			if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+			    crypto_xform->next->type !=
+				    RTE_CRYPTO_SYM_XFORM_AUTH)
+				return -EINVAL;
+			cipher_xform = crypto_xform;
+			auth_xform = crypto_xform->next;
+		}
+
+		ret = ipsec_xform_cipher_verify(cipher_xform);
+		if (ret)
+			return ret;
+	}
 
 	return ipsec_xform_auth_verify(auth_xform);
 }
-- 
2.7.4

[PATCH 2/5] crypto/cnxk: support AES-GMAC

[Anoob Joseph]

From: Archana Muniganti <marchana@marvell.com>

Added lookaside IPsec AES-GMAC support in CNXK PMD.

Signed-off-by: Archana Muniganti <marchana@marvell.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
---
 doc/guides/cryptodevs/cnxk.rst                    |  2 ++
 doc/guides/rel_notes/release_22_07.rst            |  1 +
 drivers/common/cnxk/cnxk_security.c               |  8 ++++++
 drivers/crypto/cnxk/cn10k_ipsec.c                 |  3 ++
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h          |  3 +-
 drivers/crypto/cnxk/cn9k_ipsec.c                  | 35 ++++++++++++++++-------
 drivers/crypto/cnxk/cnxk_cryptodev.h              |  2 +-
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 25 ++++++++++++++++
 drivers/crypto/cnxk/cnxk_ipsec.h                  |  3 ++
 9 files changed, 70 insertions(+), 12 deletions(-)

diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 19c4a8b..baf0e3c 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -274,6 +274,7 @@ Auth algorithms
 * SHA384-192-HMAC
 * SHA512-256-HMAC
 * AES-XCBC-96
+* AES-GMAC
 
 CN10XX Features supported
 ~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -308,3 +309,4 @@ Auth algorithms
 * SHA384-192-HMAC
 * SHA512-256-HMAC
 * AES-XCBC-96
+* AES-GMAC
diff --git a/doc/guides/rel_notes/release_22_07.rst b/doc/guides/rel_notes/release_22_07.rst
index 68857d4..a5ac90d 100644
--- a/doc/guides/rel_notes/release_22_07.rst
+++ b/doc/guides/rel_notes/release_22_07.rst
@@ -58,6 +58,7 @@ New Features
 * **Updated Marvell cnxk crypto PMD.**
 
   * Added AH mode support in lookaside protocol (IPsec) for CN9K & CN10K.
+  * Added AES-GMAC support in lookaside protocol (IPsec) for CN9K & CN10K.
 
 
 Removed Items
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index afefbd2..69a962d 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -155,6 +155,14 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
 			w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_XCBC_128;
 			break;
+		case RTE_CRYPTO_AUTH_AES_GMAC:
+			w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_GMAC;
+			key = auth_xfrm->auth.key.data;
+			length = auth_xfrm->auth.key.length;
+			memcpy(salt_key, &ipsec_xfrm->salt, 4);
+			tmp_salt = (uint32_t *)salt_key;
+			*tmp_salt = rte_be_to_cpu_32(*tmp_salt);
+			break;
 		default:
 			return -ENOTSUP;
 		}
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 0c9e244..3a2bf0f 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -77,6 +77,9 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
 		} else if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
 			sa->iv_offset = crypto_xfrm->cipher.iv.offset;
 			sa->iv_length = crypto_xfrm->cipher.iv.length;
+		} else {
+			sa->iv_offset = crypto_xfrm->auth.iv.offset;
+			sa->iv_length = crypto_xfrm->auth.iv.length;
 		}
 	}
 #else
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index f2d8122..66cfe6c 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -65,7 +65,8 @@ process_outb_sa(struct roc_cpt_lf *lf, struct rte_crypto_op *cop,
 
 #ifdef LA_IPSEC_DEBUG
 	if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) {
-		if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM)
+		if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM ||
+		    sess->out_sa.w2.s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC)
 			ipsec_po_sa_aes_gcm_iv_set(sess, cop);
 		else
 			ipsec_po_sa_iv_set(sess, cop);
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index eaa3698..82b8dae 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -211,6 +211,7 @@ ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
 			break;
 		case RTE_CRYPTO_AUTH_AES_GMAC:
 			ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_GMAC;
+			aes_key_len = auth_xform->auth.key.length;
 			break;
 		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
 			ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_XCBC_128;
@@ -265,7 +266,7 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
 		     struct rte_crypto_sym_xform *crypto_xform,
 		     struct roc_ie_on_common_sa *common_sa)
 {
-	struct rte_crypto_sym_xform *cipher_xform;
+	struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
 	const uint8_t *cipher_key;
 	int cipher_key_len = 0;
 	int ret;
@@ -279,13 +280,13 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
 		common_sa->esn_hi = ipsec->esn.hi;
 	}
 
-	if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
-		return 0;
-
-	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+		auth_xform = crypto_xform;
 		cipher_xform = crypto_xform->next;
-	else
+	} else {
 		cipher_xform = crypto_xform;
+		auth_xform = crypto_xform->next;
+	}
 
 	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 		if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
@@ -293,8 +294,16 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
 		cipher_key = crypto_xform->aead.key.data;
 		cipher_key_len = crypto_xform->aead.key.length;
 	} else {
-		cipher_key = cipher_xform->cipher.key.data;
-		cipher_key_len = cipher_xform->cipher.key.length;
+		if (cipher_xform) {
+			cipher_key = cipher_xform->cipher.key.data;
+			cipher_key_len = cipher_xform->cipher.key.length;
+		}
+
+		if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+			memcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4);
+			cipher_key = auth_xform->auth.key.data;
+			cipher_key_len = auth_xform->auth.key.length;
+		}
 	}
 
 	if (cipher_key_len != 0)
@@ -358,7 +367,8 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
 		return ret;
 
 	if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM ||
-	    ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL) {
+	    ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL ||
+	    ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) {
 		template = &out_sa->aes_gcm.template;
 		ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template);
 	} else {
@@ -453,6 +463,7 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
 		auth_key_len = auth_xform->auth.key.length;
 
 		switch (auth_xform->auth.algo) {
+		case RTE_CRYPTO_AUTH_AES_GMAC:
 		case RTE_CRYPTO_AUTH_NULL:
 			break;
 		case RTE_CRYPTO_AUTH_SHA1_HMAC:
@@ -497,6 +508,9 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
 		} else if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
 			sa->cipher_iv_off = crypto_xform->cipher.iv.offset;
 			sa->cipher_iv_len = crypto_xform->cipher.iv.length;
+		} else {
+			sa->cipher_iv_off = crypto_xform->auth.iv.offset;
+			sa->cipher_iv_len = crypto_xform->auth.iv.length;
 		}
 	}
 #else
@@ -553,7 +567,8 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
 		return ret;
 
 	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD ||
-	    auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL) {
+	    auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL ||
+	    auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
 		ctx_len = offsetof(struct roc_ie_on_inb_sa,
 				   sha1_or_gcm.hmac_key[0]);
 	} else {
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h
index 542c93b..fe2904b 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.h
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.h
@@ -11,7 +11,7 @@
 #include "roc_cpt.h"
 
 #define CNXK_CPT_MAX_CAPS	 34
-#define CNXK_SEC_CRYPTO_MAX_CAPS 11
+#define CNXK_SEC_CRYPTO_MAX_CAPS 12
 #define CNXK_SEC_MAX_CAPS	 9
 #define CNXK_AE_EC_ID_MAX	 8
 /**
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index efd53db..98b002d 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -835,6 +835,31 @@ static const struct rte_cryptodev_capabilities sec_caps_aes[] = {
 			}, }
 		}, }
 	},
+	{	/* AES GMAC (AUTH) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_AES_GMAC,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.digest_size = {
+					.min = 8,
+					.max = 16,
+					.increment = 4
+				},
+				.iv_size = {
+					.min = 12,
+					.max = 12,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
 };
 
 static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = {
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index 1524217..171ea27 100644
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -59,6 +59,9 @@ ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
 	} else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA512_HMAC) {
 		if (keylen == 64)
 			return 0;
+	} else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+		if (keylen >= 16 && keylen <= 32)
+			return 0;
 	}
 
 	if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC &&
-- 
2.7.4

[PATCH 3/5] crypto/cnxk: remove redundant return

[Anoob Joseph]

The function doesn't return error. Remove return.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
 drivers/crypto/cnxk/cnxk_se.h | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/drivers/crypto/cnxk/cnxk_se.h b/drivers/crypto/cnxk/cnxk_se.h
index e988d57..ce7ca2e 100644
--- a/drivers/crypto/cnxk/cnxk_se.h
+++ b/drivers/crypto/cnxk/cnxk_se.h
@@ -2047,7 +2047,7 @@ prepare_iov_from_pkt(struct rte_mbuf *pkt, struct roc_se_iov_ptr *iovec,
 	return 0;
 }
 
-static __rte_always_inline uint32_t
+static __rte_always_inline void
 prepare_iov_from_pkt_inplace(struct rte_mbuf *pkt,
 			     struct roc_se_fc_params *param, uint32_t *flags)
 {
@@ -2070,7 +2070,7 @@ prepare_iov_from_pkt_inplace(struct rte_mbuf *pkt,
 
 		param->bufs[0].vaddr = seg_data;
 		param->bufs[0].size = seg_size;
-		return 0;
+		return;
 	}
 	iovec = param->src_iov;
 	iovec->bufs[index].vaddr = seg_data;
@@ -2094,7 +2094,7 @@ prepare_iov_from_pkt_inplace(struct rte_mbuf *pkt,
 	}
 
 	iovec->buf_cnt = index;
-	return 0;
+	return;
 }
 
 static __rte_always_inline int
@@ -2254,12 +2254,7 @@ fill_fc_params(struct rte_crypto_op *cop, struct cnxk_se_sess *sess,
 		 */
 		fc_params.dst_iov = fc_params.src_iov = (void *)src;
 
-		if (unlikely(prepare_iov_from_pkt_inplace(m_src, &fc_params,
-							  &flags))) {
-			plt_dp_err("Prepare inplace src iov failed");
-			ret = -EINVAL;
-			goto err_exit;
-		}
+		prepare_iov_from_pkt_inplace(m_src, &fc_params, &flags);
 
 	} else {
 		/* Out of place processing */
-- 
2.7.4

[PATCH 4/5] common/cnxk: add timeout for ctx write operation

[Anoob Joseph]

Add busy wait and polling for ctx write operation rather than waiting
with 1 ms delay.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
 drivers/common/cnxk/roc_cpt.c      | 31 +++++++++++++++++++++----------
 drivers/common/cnxk/roc_platform.h |  7 ++++---
 2 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/drivers/common/cnxk/roc_cpt.c b/drivers/common/cnxk/roc_cpt.c
index b3a3649..742723a 100644
--- a/drivers/common/cnxk/roc_cpt.c
+++ b/drivers/common/cnxk/roc_cpt.c
@@ -915,9 +915,9 @@ roc_cpt_ctx_write(struct roc_cpt_lf *lf, void *sa_dptr, void *sa_cptr,
 		  uint16_t sa_len)
 {
 	uintptr_t lmt_base = lf->lmt_base;
+	union cpt_res_s res, *hw_res;
 	uint64_t lmt_arg, io_addr;
 	struct cpt_inst_s *inst;
-	union cpt_res_s *res;
 	uint16_t lmt_id;
 	uint64_t *dptr;
 	int i;
@@ -927,8 +927,8 @@ roc_cpt_ctx_write(struct roc_cpt_lf *lf, void *sa_dptr, void *sa_cptr,
 
 	memset(inst, 0, sizeof(struct cpt_inst_s));
 
-	res = plt_zmalloc(sizeof(*res), ROC_CPT_RES_ALIGN);
-	if (res == NULL) {
+	hw_res = plt_zmalloc(sizeof(*hw_res), ROC_CPT_RES_ALIGN);
+	if (hw_res == NULL) {
 		plt_err("Couldn't allocate memory for result address");
 		return -ENOMEM;
 	}
@@ -936,7 +936,7 @@ roc_cpt_ctx_write(struct roc_cpt_lf *lf, void *sa_dptr, void *sa_cptr,
 	dptr = plt_zmalloc(sa_len, 8);
 	if (dptr == NULL) {
 		plt_err("Couldn't allocate memory for SA dptr");
-		plt_free(res);
+		plt_free(hw_res);
 		return -ENOMEM;
 	}
 
@@ -944,8 +944,8 @@ roc_cpt_ctx_write(struct roc_cpt_lf *lf, void *sa_dptr, void *sa_cptr,
 		dptr[i] = plt_cpu_to_be_64(((uint64_t *)sa_dptr)[i]);
 
 	/* Fill CPT_INST_S for WRITE_SA microcode op */
-	res->cn10k.compcode = CPT_COMP_NOT_DONE;
-	inst->res_addr = (uint64_t)res;
+	hw_res->cn10k.compcode = CPT_COMP_NOT_DONE;
+	inst->res_addr = (uint64_t)hw_res;
 	inst->dptr = (uint64_t)dptr;
 	inst->w4.s.param2 = sa_len >> 3;
 	inst->w4.s.dlen = sa_len;
@@ -959,14 +959,25 @@ roc_cpt_ctx_write(struct roc_cpt_lf *lf, void *sa_dptr, void *sa_cptr,
 	io_addr = lf->io_addr | ROC_CN10K_CPT_INST_DW_M1 << 4;
 
 	roc_lmt_submit_steorl(lmt_arg, io_addr);
-	plt_wmb();
+	plt_io_wmb();
+
+	/* Use 1 min timeout for the poll */
+	const uint64_t timeout = plt_tsc_cycles() + 60 * plt_tsc_hz();
 
 	/* Wait until CPT instruction completes */
-	while (res->cn10k.compcode == CPT_COMP_NOT_DONE)
-		plt_delay_ms(1);
+	do {
+		res.u64[0] = __atomic_load_n(&hw_res->u64[0], __ATOMIC_RELAXED);
+		if (unlikely(plt_tsc_cycles() > timeout))
+			break;
+	} while (res.cn10k.compcode == CPT_COMP_NOT_DONE);
 
-	plt_free(res);
 	plt_free(dptr);
+	plt_free(hw_res);
+
+	if (res.cn10k.compcode != CPT_COMP_WARN) {
+		plt_err("Write SA operation timed out");
+		return -ETIMEDOUT;
+	}
 
 	return 0;
 }
diff --git a/drivers/common/cnxk/roc_platform.h b/drivers/common/cnxk/roc_platform.h
index 28004b1..86987ae 100644
--- a/drivers/common/cnxk/roc_platform.h
+++ b/drivers/common/cnxk/roc_platform.h
@@ -184,9 +184,10 @@
 #define plt_memzone_reserve_aligned(name, len, flags, align)                   \
 	rte_memzone_reserve_aligned((name), (len), 0, (flags), (align))
 
-#define plt_tsc_hz   rte_get_tsc_hz
-#define plt_delay_ms rte_delay_ms
-#define plt_delay_us rte_delay_us
+#define plt_tsc_hz     rte_get_tsc_hz
+#define plt_tsc_cycles rte_get_tsc_cycles
+#define plt_delay_ms   rte_delay_ms
+#define plt_delay_us   rte_delay_us
 
 #define plt_lcore_id rte_lcore_id
 
-- 
2.7.4

[PATCH 5/5] crypto/cnxk: use set ctx operation for session destroy

[Anoob Joseph]

Usage of flush and invalidate would involve delays to account for flush
delay. Use set_ctx operation instead. When set_ctx fails, fall back to
flush + invalidate scheme.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
 drivers/crypto/cnxk/cn10k_ipsec.c | 44 ++++++++++++++++++++++++++++++++-------
 1 file changed, 37 insertions(+), 7 deletions(-)

diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 3a2bf0f..d6ff134 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -333,6 +333,8 @@ cn10k_sec_session_destroy(void *dev, struct rte_security_session *sec_sess)
 	struct cn10k_ipsec_sa *sa;
 	struct cnxk_cpt_qp *qp;
 	struct roc_cpt_lf *lf;
+	void *sa_dptr = NULL;
+	int ret;
 
 	sess = get_sec_session_private_data(sec_sess);
 	if (sess == NULL)
@@ -349,16 +351,44 @@ cn10k_sec_session_destroy(void *dev, struct rte_security_session *sec_sess)
 	/* Trigger CTX flush to write dirty data back to DRAM */
 	roc_cpt_lf_ctx_flush(lf, &sa->in_sa, false);
 
-	/* Wait for 1 ms so that flush is complete */
-	rte_delay_ms(1);
+	ret = -1;
 
-	w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2;
-	w2->s.valid = 0;
+	if (sa->is_outbound) {
+		sa_dptr = plt_zmalloc(sizeof(struct roc_ot_ipsec_outb_sa), 8);
+		if (sa_dptr != NULL) {
+			roc_ot_ipsec_outb_sa_init(sa_dptr);
 
-	plt_atomic_thread_fence(__ATOMIC_SEQ_CST);
+			ret = roc_cpt_ctx_write(
+				lf, sa_dptr, &sa->out_sa,
+				sizeof(struct roc_ot_ipsec_outb_sa));
+		}
+	} else {
+		sa_dptr = plt_zmalloc(sizeof(struct roc_ot_ipsec_inb_sa), 8);
+		if (sa_dptr != NULL) {
+			roc_ot_ipsec_inb_sa_init(sa_dptr, false);
+
+			ret = roc_cpt_ctx_write(
+				lf, sa_dptr, &sa->in_sa,
+				sizeof(struct roc_ot_ipsec_inb_sa));
+		}
+	}
 
-	/* Trigger CTX reload to fetch new data from DRAM */
-	roc_cpt_lf_ctx_reload(lf, &sa->in_sa);
+	plt_free(sa_dptr);
+
+	if (ret) {
+		/* MC write_ctx failed. Attempt reload of CTX */
+
+		/* Wait for 1 ms so that flush is complete */
+		rte_delay_ms(1);
+
+		w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2;
+		w2->s.valid = 0;
+
+		plt_atomic_thread_fence(__ATOMIC_SEQ_CST);
+
+		/* Trigger CTX reload to fetch new data from DRAM */
+		roc_cpt_lf_ctx_reload(lf, &sa->in_sa);
+	}
 
 	sess_mp = rte_mempool_from_obj(sess);
 
-- 
2.7.4

RE: [PATCH 2/5] crypto/cnxk: support AES-GMAC

[Akhil Goyal]

> Subject: [PATCH 2/5] crypto/cnxk: support AES-GMAC
> 
> From: Archana Muniganti <marchana@marvell.com>
> 
> Added lookaside IPsec AES-GMAC support in CNXK PMD.
> 
> Signed-off-by: Archana Muniganti <marchana@marvell.com>
> Acked-by: Anoob Joseph <anoobj@marvell.com>
> ---
>  doc/guides/cryptodevs/cnxk.rst                    |  2 ++

Update in .ini files missing.

>  doc/guides/rel_notes/release_22_07.rst            |  1 +
>  drivers/common/cnxk/cnxk_security.c               |  8 ++++++
>  drivers/crypto/cnxk/cn10k_ipsec.c                 |  3 ++
>  drivers/crypto/cnxk/cn10k_ipsec_la_ops.h          |  3 +-
>  drivers/crypto/cnxk/cn9k_ipsec.c                  | 35 ++++++++++++++++-------
>  drivers/crypto/cnxk/cnxk_cryptodev.h              |  2 +-
>  drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 25 ++++++++++++++++
>  drivers/crypto/cnxk/cnxk_ipsec.h                  |  3 ++
>  9 files changed, 70 insertions(+), 12 deletions(-)
> 

RE: [PATCH 2/5] crypto/cnxk: support AES-GMAC

[Anoob Joseph]

Hi Akhil,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Thursday, April 28, 2022 2:00 PM
> To: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>
> Cc: Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; dev@dpdk.org
> Subject: RE: [PATCH 2/5] crypto/cnxk: support AES-GMAC
> 
> > Subject: [PATCH 2/5] crypto/cnxk: support AES-GMAC
> >
> > From: Archana Muniganti <marchana@marvell.com>
> >
> > Added lookaside IPsec AES-GMAC support in CNXK PMD.
> >
> > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > Acked-by: Anoob Joseph <anoobj@marvell.com>
> > ---
> >  doc/guides/cryptodevs/cnxk.rst                    |  2 ++
> 
> Update in .ini files missing.

[Anoob] The .ini file is only listing symmetric & asymmetric capabilities. This patch is adding AES-GMAC with IPsec (ie, lookaside protocol). AES-GMAC with lookaside crypto is already supported and ini file reflects the same as well.

https://elixir.bootlin.com/dpdk/latest/source/doc/guides/cryptodevs/features/cn10k.ini
 
> 
> >  doc/guides/rel_notes/release_22_07.rst            |  1 +
> >  drivers/common/cnxk/cnxk_security.c               |  8 ++++++
> >  drivers/crypto/cnxk/cn10k_ipsec.c                 |  3 ++
> >  drivers/crypto/cnxk/cn10k_ipsec_la_ops.h          |  3 +-
> >  drivers/crypto/cnxk/cn9k_ipsec.c                  | 35 ++++++++++++++++-------
> >  drivers/crypto/cnxk/cnxk_cryptodev.h              |  2 +-
> >  drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 25 ++++++++++++++++
> >  drivers/crypto/cnxk/cnxk_ipsec.h                  |  3 ++
> >  9 files changed, 70 insertions(+), 12 deletions(-)
> >

RE: [PATCH 2/5] crypto/cnxk: support AES-GMAC

[Akhil Goyal]

> > Update in .ini files missing.
> 
> [Anoob] The .ini file is only listing symmetric & asymmetric capabilities. This
> patch is adding AES-GMAC with IPsec (ie, lookaside protocol). AES-GMAC with
> lookaside crypto is already supported and ini file reflects the same as well.
> 
> https://elixir.bootlin.com/dpdk/latest/source/doc/guides/cryptodevs/features/
> cn10k.ini
> 
Ah! Missed that, but we need to add another table in .ini for security in future.
Series Acked-by: Akhil Goyal <gakhil@marvell.com>

Applied to dpdk-next-crypto

Thanks.