From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0050.outbound.protection.outlook.com [104.47.0.50]) by dpdk.org (Postfix) with ESMTP id 4FB9F1B115 for ; Mon, 22 Oct 2018 16:18:04 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nxp.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rJKxSWPZZXdC1WC8WxDj+pbeOlQgrVPcI2gHCu47CeU=; b=mIikioieVv6x+Or0j0UhNsUaeAQc6BOqUfVLeA6mD5DGOondULiyCDtvZPLBiJpitUVjFpm8PVrHoNrmGJe5Kxm4Rfd9XSPUVdz54CyF0VoFqeffOdMr89XB0D4aIBRU5kRVKBew3RiS4qPLG2KBrvbXp6uMqgZMN76xp6fVjos= Received: from HE1PR04MB1530.eurprd04.prod.outlook.com (10.164.48.20) by HE1PR04MB1372.eurprd04.prod.outlook.com (10.163.175.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1250.30; Mon, 22 Oct 2018 14:18:01 +0000 Received: from HE1PR04MB1530.eurprd04.prod.outlook.com ([fe80::95cd:198:d5c5:59a4]) by HE1PR04MB1530.eurprd04.prod.outlook.com ([fe80::95cd:198:d5c5:59a4%5]) with mapi id 15.20.1250.028; Mon, 22 Oct 2018 14:18:01 +0000 From: Gagandeep Singh To: "dev@dpdk.org" , Akhil Goyal CC: Hemant Agrawal , Gagandeep Singh Thread-Topic: [PATCH v4 13/15] crypto/caam_jr: add security offload Thread-Index: AQHUahIK23/MsBgIf0u8TKH2HaRNjg== Date: Mon, 22 Oct 2018 14:18:01 +0000 Message-ID: <20181022141657.4727-14-g.singh@nxp.com> References: <20181022133021.11264-1-g.singh@nxp.com> <20181022141657.4727-1-g.singh@nxp.com> In-Reply-To: <20181022141657.4727-1-g.singh@nxp.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-clientproxiedby: BM1PR0101CA0025.INDPRD01.PROD.OUTLOOK.COM (2603:1096:b00:1a::11) To HE1PR04MB1530.eurprd04.prod.outlook.com (2a01:111:e400:59a8::20) authentication-results: spf=none (sender IP is ) smtp.mailfrom=G.Singh@nxp.com; x-ms-exchange-messagesentrepresentingtype: 1 x-originating-ip: [14.142.187.166] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1; HE1PR04MB1372; 6:B6XuECLLSLtj+lPXZkF3NoUkbgH9+UjmYNXCxgdLyzYD31824f8dU2+qCvOrKrpSBeHLBHQISwWSZLZ8IW+8O2N1zzXXKcGBtiswOlLooukD3O0VKdOuc9CIjbeUfrHOX0c8bDiUSqazkL0iGpPdPUO0lC/wwi3bkVKK63CckbC4ENIHkjk06VLcKB7dvQt6MO9xkIiNCeMECPqAOSlF8FBE2CMF9qMneSETN6np3ofwhx1GkSRgQ/sbZGwqKr9M9QAcRjOCd1IN+0FrUMOHqpwrZX/lqpN9aIdMLCUUY08SGgV1CyI3YEommZeY7hPMJWsVN7rxcAbK//JdcQ9Tw4VMa90w1WJrSZDfDZkUQ7KxHhBW3bYziCbpHYREBIX173ONDxFUpW4qEt4udHJ4T74hlDFu9dcloFYaDY79yzXkEYalE/+6QFb+NrLQJ18D+5vPdwcpGIPxuTaSGqshkg==; 5:qzGYXClWjYFsMmA5vB16IRgiJ3p8vqUSSP5chRK5LuulqqfQeifWQTnCv5TTAtBPoA086h3oxMhLviawBSIeDo582M8A906BwBTV2R9Ykg5pt0B3okXPrecZrwg6AborvcgoOtsqTRQM1VkiEx2PnREY+adidKWz3Ba9x8DZdoo=; 7:ni6gvpZc6/depFeNVwtGTHLEgyaHly7DtVoKfkeEcbR7nYFyA73BYrOtvpPZgD1JUyjcaIKhg1a7ewOcJ1fuQ+zma9ddi6M2PnwEBRBeFOKh9OifNaP7WLzQmR8hKQq1m/jEU6A1G3yZ55V4aZHS+3BLOOkD/VHwod7TyN+fen5yhQ/uuwzhh8MNU4hHlM0uVhePsMiYLRSsIltmRVI4XDV/BRgdA6JTXnEIFPK/RX1B6skXMIGSO7mrp5p1zDEy x-ms-office365-filtering-correlation-id: aaa93a5e-4ab8-4149-cb9c-08d638292c7d x-ms-office365-filtering-ht: Tenant x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534185)(7168020)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:HE1PR04MB1372; x-ms-traffictypediagnostic: HE1PR04MB1372: x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:(192374486261705)(185117386973197); x-ms-exchange-senderadcheck: 1 x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3002001)(3231355)(944501410)(52105095)(10201501046)(93006095)(93001095)(6055026)(148016)(149066)(150057)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123562045)(20161123564045)(20161123560045)(201708071742011)(7699051)(76991095); SRVR:HE1PR04MB1372; BCL:0; PCL:0; RULEID:; SRVR:HE1PR04MB1372; x-forefront-prvs: 08331F819E x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(979002)(376002)(396003)(366004)(136003)(39860400002)(346002)(189003)(199004)(4326008)(52116002)(446003)(8936002)(2501003)(55236004)(486006)(2906002)(72206003)(102836004)(1076002)(6486002)(2616005)(99286004)(5660300001)(6436002)(476003)(11346002)(186003)(14454004)(81166006)(5250100002)(3846002)(8676002)(81156014)(68736007)(256004)(6116002)(97736004)(14444005)(86362001)(6636002)(105586002)(106356001)(6506007)(386003)(478600001)(305945005)(4744004)(15650500001)(6512007)(7736002)(2900100001)(110136005)(54906003)(53936002)(71190400001)(71200400001)(25786009)(316002)(66066001)(26005)(53946003)(78486010)(76176011)(36756003)(579004)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR04MB1372; H:HE1PR04MB1530.eurprd04.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; received-spf: None (protection.outlook.com: nxp.com does not designate permitted sender hosts) x-microsoft-antispam-message-info: kaKQVUMeeyIbVx85cey/Dl3JdQUsuX6Ri6ndBDl5PZNpGADEUJ9YscIB3J+BKKl7jiWJ+Vh1TNgr9nojnj06571+WEGNtELAssJJwe1p9FFlrd0kz0CFU4FzBgfts/B2wsHGXB8ZR48bWet+vsIXX2uukYIZOrxzu69m3jy4nArkfAuGP7brPqIYP/OBCB57qVZtoke2b46YT6rVvGbIVaD+kCDnJkYGAk+xQmBN4QhApydVwqW3iseH2BWSJCytpxH4jotgNiUj0rO+fQG6YMDHWhkdhvTrqc441Ybw3G+GKy9sJW73oa2lXf6O43FCgCaAdHJGBlee9izd3GPTY16iVjzMdOQj7ogRdA0PQLA= spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nxp.com X-MS-Exchange-CrossTenant-Network-Message-Id: aaa93a5e-4ab8-4149-cb9c-08d638292c7d X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Oct 2018 14:18:01.7916 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635 X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR04MB1372 Subject: [dpdk-dev] [PATCH v4 13/15] crypto/caam_jr: add security offload X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Oct 2018 14:18:04 -0000 From: Hemant Agrawal This patch provides the support for protocol offload to the hardware. following security operations are added: - session_create - session_destroy - capabilities_get Signed-off-by: Hemant Agrawal Signed-off-by: Gagandeep Singh Acked-by: Akhil Goyal --- drivers/crypto/caam_jr/caam_jr.c | 425 +++++++++++++++++- drivers/crypto/caam_jr/caam_jr_capabilities.c | 36 ++ drivers/crypto/caam_jr/caam_jr_capabilities.h | 8 + drivers/crypto/caam_jr/caam_jr_hw.c | 3 + drivers/crypto/caam_jr/caam_jr_pvt.h | 10 + drivers/crypto/caam_jr/caam_jr_uio.c | 3 + 6 files changed, 483 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/caam_jr/caam_jr.c b/drivers/crypto/caam_jr/caam= _jr.c index c89d76dab..1c18453e4 100644 --- a/drivers/crypto/caam_jr/caam_jr.c +++ b/drivers/crypto/caam_jr/caam_jr.c @@ -14,6 +14,9 @@ #include #include #include +#ifdef RTE_LIBRTE_SECURITY +#include +#endif #include =20 #include @@ -26,7 +29,6 @@ /* RTA header files */ #include #include -#include #include =20 #define CAAM_JR_DBG 0 @@ -185,8 +187,21 @@ is_auth_cipher(struct caam_jr_session *ses) { PMD_INIT_FUNC_TRACE(); return ((ses->cipher_alg !=3D RTE_CRYPTO_CIPHER_NULL) && - (ses->auth_alg !=3D RTE_CRYPTO_AUTH_NULL)); + (ses->auth_alg !=3D RTE_CRYPTO_AUTH_NULL) +#ifdef RTE_LIBRTE_SECURITY + && (ses->proto_alg !=3D RTE_SECURITY_PROTOCOL_IPSEC) +#endif + ); +} + +#ifdef RTE_LIBRTE_SECURITY +static inline int +is_proto_ipsec(struct caam_jr_session *ses) +{ + PMD_INIT_FUNC_TRACE(); + return (ses->proto_alg =3D=3D RTE_SECURITY_PROTOCOL_IPSEC); } +#endif =20 static inline int is_encode(struct caam_jr_session *ses) @@ -211,27 +226,63 @@ caam_auth_alg(struct caam_jr_session *ses, struct alg= info *alginfo_a) ses->digest_length =3D 0; break; case RTE_CRYPTO_AUTH_MD5_HMAC: +#ifdef RTE_LIBRTE_SECURITY + alginfo_a->algtype =3D + (ses->proto_alg =3D=3D RTE_SECURITY_PROTOCOL_IPSEC) ? + OP_PCL_IPSEC_HMAC_MD5_96 : OP_ALG_ALGSEL_MD5; +#else alginfo_a->algtype =3D OP_ALG_ALGSEL_MD5; +#endif alginfo_a->algmode =3D OP_ALG_AAI_HMAC; break; case RTE_CRYPTO_AUTH_SHA1_HMAC: +#ifdef RTE_LIBRTE_SECURITY + alginfo_a->algtype =3D + (ses->proto_alg =3D=3D RTE_SECURITY_PROTOCOL_IPSEC) ? + OP_PCL_IPSEC_HMAC_SHA1_96 : OP_ALG_ALGSEL_SHA1; +#else alginfo_a->algtype =3D OP_ALG_ALGSEL_SHA1; +#endif alginfo_a->algmode =3D OP_ALG_AAI_HMAC; break; case RTE_CRYPTO_AUTH_SHA224_HMAC: +#ifdef RTE_LIBRTE_SECURITY + alginfo_a->algtype =3D + (ses->proto_alg =3D=3D RTE_SECURITY_PROTOCOL_IPSEC) ? + OP_PCL_IPSEC_HMAC_SHA1_160 : OP_ALG_ALGSEL_SHA224; +#else alginfo_a->algtype =3D OP_ALG_ALGSEL_SHA224; +#endif alginfo_a->algmode =3D OP_ALG_AAI_HMAC; break; case RTE_CRYPTO_AUTH_SHA256_HMAC: +#ifdef RTE_LIBRTE_SECURITY + alginfo_a->algtype =3D + (ses->proto_alg =3D=3D RTE_SECURITY_PROTOCOL_IPSEC) ? + OP_PCL_IPSEC_HMAC_SHA2_256_128 : OP_ALG_ALGSEL_SHA256; +#else alginfo_a->algtype =3D OP_ALG_ALGSEL_SHA256; +#endif alginfo_a->algmode =3D OP_ALG_AAI_HMAC; break; case RTE_CRYPTO_AUTH_SHA384_HMAC: +#ifdef RTE_LIBRTE_SECURITY + alginfo_a->algtype =3D + (ses->proto_alg =3D=3D RTE_SECURITY_PROTOCOL_IPSEC) ? + OP_PCL_IPSEC_HMAC_SHA2_384_192 : OP_ALG_ALGSEL_SHA384; +#else alginfo_a->algtype =3D OP_ALG_ALGSEL_SHA384; +#endif alginfo_a->algmode =3D OP_ALG_AAI_HMAC; break; case RTE_CRYPTO_AUTH_SHA512_HMAC: +#ifdef RTE_LIBRTE_SECURITY + alginfo_a->algtype =3D + (ses->proto_alg =3D=3D RTE_SECURITY_PROTOCOL_IPSEC) ? + OP_PCL_IPSEC_HMAC_SHA2_512_256 : OP_ALG_ALGSEL_SHA512; +#else alginfo_a->algtype =3D OP_ALG_ALGSEL_SHA512; +#endif alginfo_a->algmode =3D OP_ALG_AAI_HMAC; break; default: @@ -247,15 +298,33 @@ caam_cipher_alg(struct caam_jr_session *ses, struct a= lginfo *alginfo_c) case RTE_CRYPTO_CIPHER_NULL: break; case RTE_CRYPTO_CIPHER_AES_CBC: +#ifdef RTE_LIBRTE_SECURITY + alginfo_c->algtype =3D + (ses->proto_alg =3D=3D RTE_SECURITY_PROTOCOL_IPSEC) ? + OP_PCL_IPSEC_AES_CBC : OP_ALG_ALGSEL_AES; +#else alginfo_c->algtype =3D OP_ALG_ALGSEL_AES; +#endif alginfo_c->algmode =3D OP_ALG_AAI_CBC; break; case RTE_CRYPTO_CIPHER_3DES_CBC: +#ifdef RTE_LIBRTE_SECURITY + alginfo_c->algtype =3D + (ses->proto_alg =3D=3D RTE_SECURITY_PROTOCOL_IPSEC) ? + OP_PCL_IPSEC_3DES : OP_ALG_ALGSEL_3DES; +#else alginfo_c->algtype =3D OP_ALG_ALGSEL_3DES; +#endif alginfo_c->algmode =3D OP_ALG_AAI_CBC; break; case RTE_CRYPTO_CIPHER_AES_CTR: +#ifdef RTE_LIBRTE_SECURITY + alginfo_c->algtype =3D + (ses->proto_alg =3D=3D RTE_SECURITY_PROTOCOL_IPSEC) ? + OP_PCL_IPSEC_AES_CTR : OP_ALG_ALGSEL_AES; +#else alginfo_c->algtype =3D OP_ALG_ALGSEL_AES; +#endif alginfo_c->algmode =3D OP_ALG_AAI_CTR; break; default: @@ -419,6 +488,24 @@ caam_jr_prep_cdb(struct caam_jr_session *ses) cdb->sh_desc[0] =3D 0; cdb->sh_desc[1] =3D 0; cdb->sh_desc[2] =3D 0; +#ifdef RTE_LIBRTE_SECURITY + if (is_proto_ipsec(ses)) { + if (ses->dir =3D=3D DIR_ENC) { + shared_desc_len =3D cnstr_shdsc_ipsec_new_encap( + cdb->sh_desc, + true, swap, SHR_SERIAL, + &ses->encap_pdb, + (uint8_t *)&ses->ip4_hdr, + &alginfo_c, &alginfo_a); + } else if (ses->dir =3D=3D DIR_DEC) { + shared_desc_len =3D cnstr_shdsc_ipsec_new_decap( + cdb->sh_desc, + true, swap, SHR_SERIAL, + &ses->decap_pdb, + &alginfo_c, &alginfo_a); + } + } else { +#endif /* Auth_only_len is set as 0 here and it will be * overwritten in fd for each packet. */ @@ -426,6 +513,9 @@ caam_jr_prep_cdb(struct caam_jr_session *ses) true, swap, &alginfo_c, &alginfo_a, ses->iv.length, 0, ses->digest_length, ses->dir); +#ifdef RTE_LIBRTE_SECURITY + } +#endif } =20 if (shared_desc_len < 0) { @@ -601,6 +691,28 @@ hw_poll_job_ring(struct sec_job_ring_t *job_ring, } #endif } +#ifdef RTE_LIBRTE_SECURITY + if (ctx->op->sess_type =3D=3D RTE_CRYPTO_OP_SECURITY_SESSION) { + struct ip *ip4_hdr; + + if (ctx->op->sym->m_dst) { + /*TODO check for ip header or other*/ + ip4_hdr =3D (struct ip *) + rte_pktmbuf_mtod(ctx->op->sym->m_dst, char*); + ctx->op->sym->m_dst->pkt_len =3D + rte_be_to_cpu_16(ip4_hdr->ip_len); + ctx->op->sym->m_dst->data_len =3D + rte_be_to_cpu_16(ip4_hdr->ip_len); + } else { + ip4_hdr =3D (struct ip *) + rte_pktmbuf_mtod(ctx->op->sym->m_src, char*); + ctx->op->sym->m_src->pkt_len =3D + rte_be_to_cpu_16(ip4_hdr->ip_len); + ctx->op->sym->m_src->data_len =3D + rte_be_to_cpu_16(ip4_hdr->ip_len); + } + } +#endif *ops =3D ctx->op; caam_jr_op_ending(ctx); ops++; @@ -1260,6 +1372,52 @@ build_cipher_auth(struct rte_crypto_op *op, struct c= aam_jr_session *ses) =20 return ctx; } + +#ifdef RTE_LIBRTE_SECURITY +static inline struct caam_jr_op_ctx * +build_proto(struct rte_crypto_op *op, struct caam_jr_session *ses) +{ + struct rte_crypto_sym_op *sym =3D op->sym; + struct caam_jr_op_ctx *ctx =3D NULL; + phys_addr_t src_start_addr, dst_start_addr; + struct sec_cdb *cdb; + uint64_t sdesc_offset; + struct sec_job_descriptor_t *jobdescr; + + PMD_INIT_FUNC_TRACE(); + ctx =3D caam_jr_alloc_ctx(ses); + if (!ctx) + return NULL; + ctx->op =3D op; + + src_start_addr =3D rte_pktmbuf_iova(sym->m_src); + if (sym->m_dst) + dst_start_addr =3D rte_pktmbuf_iova(sym->m_dst); + else + dst_start_addr =3D src_start_addr; + + cdb =3D ses->cdb; + sdesc_offset =3D (size_t) ((char *)&cdb->sh_desc - (char *)cdb); + + jobdescr =3D (struct sec_job_descriptor_t *) ctx->jobdes.desc; + + SEC_JD_INIT(jobdescr); + SEC_JD_SET_SD(jobdescr, + (phys_addr_t)(caam_jr_dma_vtop(cdb)) + sdesc_offset, + cdb->sh_hdr.hi.field.idlen); + + /* output */ + SEC_JD_SET_OUT_PTR(jobdescr, (uint64_t)dst_start_addr, 0, + sym->m_src->buf_len - sym->m_src->data_off); + /* input */ + SEC_JD_SET_IN_PTR(jobdescr, (uint64_t)src_start_addr, 0, + sym->m_src->pkt_len); + sym->m_src->packet_type &=3D ~RTE_PTYPE_L4_MASK; + + return ctx; +} +#endif + static int caam_jr_enqueue_op(struct rte_crypto_op *op, struct caam_jr_qp *qp) { @@ -1275,6 +1433,13 @@ caam_jr_enqueue_op(struct rte_crypto_op *op, struct = caam_jr_qp *qp) get_sym_session_private_data(op->sym->session, cryptodev_driver_id); break; +#ifdef RTE_LIBRTE_SECURITY + case RTE_CRYPTO_OP_SECURITY_SESSION: + ses =3D (struct caam_jr_session *) + get_sec_session_private_data( + op->sym->sec_session); + break; +#endif default: CAAM_JR_DP_ERR("sessionless crypto op not supported"); qp->tx_errs++; @@ -1296,6 +1461,10 @@ caam_jr_enqueue_op(struct rte_crypto_op *op, struct = caam_jr_qp *qp) ctx =3D build_auth_only(op, ses); else if (is_cipher_only(ses)) ctx =3D build_cipher_only(op, ses); +#ifdef RTE_LIBRTE_SECURITY + else if (is_proto_ipsec(ses)) + ctx =3D build_proto(op, ses); +#endif } else { if (is_auth_cipher(ses)) ctx =3D build_cipher_auth_sg(op, ses); @@ -1666,6 +1835,229 @@ caam_jr_sym_session_clear(struct rte_cryptodev *dev= , } } =20 +#ifdef RTE_LIBRTE_SECURITY +static int +caam_jr_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, + struct rte_security_session_conf *conf, + void *sess) +{ + struct sec_job_ring_t *internals =3D dev->data->dev_private; + struct rte_security_ipsec_xform *ipsec_xform =3D &conf->ipsec; + struct rte_crypto_auth_xform *auth_xform; + struct rte_crypto_cipher_xform *cipher_xform; + struct caam_jr_session *session =3D (struct caam_jr_session *)sess; + + PMD_INIT_FUNC_TRACE(); + + if (ipsec_xform->direction =3D=3D RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + cipher_xform =3D &conf->crypto_xform->cipher; + auth_xform =3D &conf->crypto_xform->next->auth; + } else { + auth_xform =3D &conf->crypto_xform->auth; + cipher_xform =3D &conf->crypto_xform->next->cipher; + } + session->proto_alg =3D conf->protocol; + session->cipher_key.data =3D rte_zmalloc(NULL, + cipher_xform->key.length, + RTE_CACHE_LINE_SIZE); + if (session->cipher_key.data =3D=3D NULL && + cipher_xform->key.length > 0) { + CAAM_JR_ERR("No Memory for cipher key\n"); + return -ENOMEM; + } + + session->cipher_key.length =3D cipher_xform->key.length; + session->auth_key.data =3D rte_zmalloc(NULL, + auth_xform->key.length, + RTE_CACHE_LINE_SIZE); + if (session->auth_key.data =3D=3D NULL && + auth_xform->key.length > 0) { + CAAM_JR_ERR("No Memory for auth key\n"); + rte_free(session->cipher_key.data); + return -ENOMEM; + } + session->auth_key.length =3D auth_xform->key.length; + memcpy(session->cipher_key.data, cipher_xform->key.data, + cipher_xform->key.length); + memcpy(session->auth_key.data, auth_xform->key.data, + auth_xform->key.length); + + switch (auth_xform->algo) { + case RTE_CRYPTO_AUTH_SHA1_HMAC: + session->auth_alg =3D RTE_CRYPTO_AUTH_SHA1_HMAC; + break; + case RTE_CRYPTO_AUTH_MD5_HMAC: + session->auth_alg =3D RTE_CRYPTO_AUTH_MD5_HMAC; + break; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + session->auth_alg =3D RTE_CRYPTO_AUTH_SHA256_HMAC; + break; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + session->auth_alg =3D RTE_CRYPTO_AUTH_SHA384_HMAC; + break; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + session->auth_alg =3D RTE_CRYPTO_AUTH_SHA512_HMAC; + break; + case RTE_CRYPTO_AUTH_AES_CMAC: + session->auth_alg =3D RTE_CRYPTO_AUTH_AES_CMAC; + break; + case RTE_CRYPTO_AUTH_NULL: + session->auth_alg =3D RTE_CRYPTO_AUTH_NULL; + break; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + case RTE_CRYPTO_AUTH_AES_XCBC_MAC: + case RTE_CRYPTO_AUTH_SNOW3G_UIA2: + case RTE_CRYPTO_AUTH_SHA1: + case RTE_CRYPTO_AUTH_SHA256: + case RTE_CRYPTO_AUTH_SHA512: + case RTE_CRYPTO_AUTH_SHA224: + case RTE_CRYPTO_AUTH_SHA384: + case RTE_CRYPTO_AUTH_MD5: + case RTE_CRYPTO_AUTH_AES_GMAC: + case RTE_CRYPTO_AUTH_KASUMI_F9: + case RTE_CRYPTO_AUTH_AES_CBC_MAC: + case RTE_CRYPTO_AUTH_ZUC_EIA3: + CAAM_JR_ERR("Crypto: Unsupported auth alg %u\n", + auth_xform->algo); + goto out; + default: + CAAM_JR_ERR("Crypto: Undefined Auth specified %u\n", + auth_xform->algo); + goto out; + } + + switch (cipher_xform->algo) { + case RTE_CRYPTO_CIPHER_AES_CBC: + session->cipher_alg =3D RTE_CRYPTO_CIPHER_AES_CBC; + break; + case RTE_CRYPTO_CIPHER_3DES_CBC: + session->cipher_alg =3D RTE_CRYPTO_CIPHER_3DES_CBC; + break; + case RTE_CRYPTO_CIPHER_AES_CTR: + session->cipher_alg =3D RTE_CRYPTO_CIPHER_AES_CTR; + break; + case RTE_CRYPTO_CIPHER_NULL: + case RTE_CRYPTO_CIPHER_SNOW3G_UEA2: + case RTE_CRYPTO_CIPHER_3DES_ECB: + case RTE_CRYPTO_CIPHER_AES_ECB: + case RTE_CRYPTO_CIPHER_KASUMI_F8: + CAAM_JR_ERR("Crypto: Unsupported Cipher alg %u\n", + cipher_xform->algo); + goto out; + default: + CAAM_JR_ERR("Crypto: Undefined Cipher specified %u\n", + cipher_xform->algo); + goto out; + } + + if (ipsec_xform->direction =3D=3D RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + memset(&session->encap_pdb, 0, sizeof(struct ipsec_encap_pdb) + + sizeof(session->ip4_hdr)); + session->ip4_hdr.ip_v =3D IPVERSION; + session->ip4_hdr.ip_hl =3D 5; + session->ip4_hdr.ip_len =3D rte_cpu_to_be_16( + sizeof(session->ip4_hdr)); + session->ip4_hdr.ip_tos =3D ipsec_xform->tunnel.ipv4.dscp; + session->ip4_hdr.ip_id =3D 0; + session->ip4_hdr.ip_off =3D 0; + session->ip4_hdr.ip_ttl =3D ipsec_xform->tunnel.ipv4.ttl; + session->ip4_hdr.ip_p =3D (ipsec_xform->proto =3D=3D + RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? IPPROTO_ESP + : IPPROTO_AH; + session->ip4_hdr.ip_sum =3D 0; + session->ip4_hdr.ip_src =3D ipsec_xform->tunnel.ipv4.src_ip; + session->ip4_hdr.ip_dst =3D ipsec_xform->tunnel.ipv4.dst_ip; + session->ip4_hdr.ip_sum =3D calc_chksum((uint16_t *) + (void *)&session->ip4_hdr, + sizeof(struct ip)); + + session->encap_pdb.options =3D + (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) | + PDBOPTS_ESP_OIHI_PDB_INL | + PDBOPTS_ESP_IVSRC | + PDBHMO_ESP_ENCAP_DTTL; + session->encap_pdb.spi =3D ipsec_xform->spi; + session->encap_pdb.ip_hdr_len =3D sizeof(struct ip); + + session->dir =3D DIR_ENC; + } else if (ipsec_xform->direction =3D=3D + RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { + memset(&session->decap_pdb, 0, sizeof(struct ipsec_decap_pdb)); + session->decap_pdb.options =3D sizeof(struct ip) << 16; + session->dir =3D DIR_DEC; + } else + goto out; + session->ctx_pool =3D internals->ctx_pool; + + return 0; +out: + rte_free(session->auth_key.data); + rte_free(session->cipher_key.data); + memset(session, 0, sizeof(struct caam_jr_session)); + return -1; +} + +static int +caam_jr_security_session_create(void *dev, + struct rte_security_session_conf *conf, + struct rte_security_session *sess, + struct rte_mempool *mempool) +{ + void *sess_private_data; + struct rte_cryptodev *cdev =3D (struct rte_cryptodev *)dev; + int ret; + + PMD_INIT_FUNC_TRACE(); + if (rte_mempool_get(mempool, &sess_private_data)) { + CAAM_JR_ERR("Couldn't get object from session mempool"); + return -ENOMEM; + } + + switch (conf->protocol) { + case RTE_SECURITY_PROTOCOL_IPSEC: + ret =3D caam_jr_set_ipsec_session(cdev, conf, + sess_private_data); + break; + case RTE_SECURITY_PROTOCOL_MACSEC: + return -ENOTSUP; + default: + return -EINVAL; + } + if (ret !=3D 0) { + CAAM_JR_ERR("failed to configure session parameters"); + /* Return session to mempool */ + rte_mempool_put(mempool, sess_private_data); + return ret; + } + + set_sec_session_private_data(sess, sess_private_data); + + return ret; +} + +/* Clear the memory of session so it doesn't leave key material behind */ +static int +caam_jr_security_session_destroy(void *dev __rte_unused, + struct rte_security_session *sess) +{ + PMD_INIT_FUNC_TRACE(); + void *sess_priv =3D get_sec_session_private_data(sess); + + struct caam_jr_session *s =3D (struct caam_jr_session *)sess_priv; + + if (sess_priv) { + struct rte_mempool *sess_mp =3D rte_mempool_from_obj(sess_priv); + + rte_free(s->cipher_key.data); + rte_free(s->auth_key.data); + memset(sess, 0, sizeof(struct caam_jr_session)); + set_sec_session_private_data(sess, NULL); + rte_mempool_put(sess_mp, sess_priv); + } + return 0; +} +#endif + static int caam_jr_dev_configure(struct rte_cryptodev *dev, struct rte_cryptodev_config *config __rte_unused) @@ -1757,6 +2149,16 @@ static struct rte_cryptodev_ops caam_jr_ops =3D { .sym_session_clear =3D caam_jr_sym_session_clear }; =20 +#ifdef RTE_LIBRTE_SECURITY +static struct rte_security_ops caam_jr_security_ops =3D { + .session_create =3D caam_jr_security_session_create, + .session_update =3D NULL, + .session_stats_get =3D NULL, + .session_destroy =3D caam_jr_security_session_destroy, + .set_pkt_metadata =3D NULL, + .capabilities_get =3D caam_jr_get_security_capabilities +}; +#endif =20 /* @brief Flush job rings of any processed descs. * The processed descs are silently dropped, @@ -1976,6 +2378,9 @@ caam_jr_dev_init(const char *name, struct rte_cryptodev_pmd_init_params *init_params) { struct rte_cryptodev *dev; +#ifdef RTE_LIBRTE_SECURITY + struct rte_security_ctx *security_instance; +#endif struct uio_job_ring *job_ring; char str[RTE_CRYPTODEV_NAME_MAX_LEN]; =20 @@ -2045,6 +2450,22 @@ caam_jr_dev_init(const char *name, return 0; } =20 +#ifdef RTE_LIBRTE_SECURITY + /*TODO free it during teardown*/ + security_instance =3D rte_malloc("caam_jr", + sizeof(struct rte_security_ctx), 0); + if (security_instance =3D=3D NULL) { + CAAM_JR_ERR("memory allocation failed\n"); + //todo error handling. + goto cleanup2; + } + + security_instance->device =3D (void *)dev; + security_instance->ops =3D &caam_jr_security_ops; + security_instance->sess_cnt =3D 0; + dev->security_ctx =3D security_instance; +#endif + RTE_LOG(INFO, PMD, "%s cryptodev init\n", dev->data->name); =20 return 0; diff --git a/drivers/crypto/caam_jr/caam_jr_capabilities.c b/drivers/crypto= /caam_jr/caam_jr_capabilities.c index 92aa429cc..eacea7db3 100644 --- a/drivers/crypto/caam_jr/caam_jr_capabilities.c +++ b/drivers/crypto/caam_jr/caam_jr_capabilities.c @@ -225,6 +225,42 @@ static const struct rte_cryptodev_capabilities caam_jr= _capabilities[] =3D { RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST() }; =20 +#ifdef RTE_LIBRTE_SECURITY +static const struct rte_security_capability caam_jr_security_cap[] =3D { + { /* IPsec Lookaside Protocol offload ESP Transport Egress */ + .action =3D RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol =3D RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec =3D { + .proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode =3D RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .direction =3D RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .options =3D { 0 } + }, + .crypto_capabilities =3D caam_jr_capabilities + }, + { /* IPsec Lookaside Protocol offload ESP Tunnel Ingress */ + .action =3D RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol =3D RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec =3D { + .proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode =3D RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .direction =3D RTE_SECURITY_IPSEC_SA_DIR_INGRESS, + .options =3D { 0 } + }, + .crypto_capabilities =3D caam_jr_capabilities + }, + { + .action =3D RTE_SECURITY_ACTION_TYPE_NONE + } +}; + +const struct rte_security_capability * +caam_jr_get_security_capabilities(void *device __rte_unused) +{ + return caam_jr_security_cap; +} +#endif + const struct rte_cryptodev_capabilities * caam_jr_get_cryptodev_capabilities(void) { diff --git a/drivers/crypto/caam_jr/caam_jr_capabilities.h b/drivers/crypto= /caam_jr/caam_jr_capabilities.h index 7a94013e5..d3169b7e9 100644 --- a/drivers/crypto/caam_jr/caam_jr_capabilities.h +++ b/drivers/crypto/caam_jr/caam_jr_capabilities.h @@ -6,8 +6,16 @@ #define CAAM_JR_CAPABILITIES_H =20 #include +#ifdef RTE_LIBRTE_SECURITY +#include +#endif =20 /* Get cryptodev capabilities */ const struct rte_cryptodev_capabilities * caam_jr_get_cryptodev_capabilities(void); +#ifdef RTE_LIBRTE_SECURITY +/* Get security capabilities */ +const struct rte_security_capability * +caam_jr_get_security_capabilities(void *device); +#endif #endif diff --git a/drivers/crypto/caam_jr/caam_jr_hw.c b/drivers/crypto/caam_jr/c= aam_jr_hw.c index 80602b702..c6833185b 100644 --- a/drivers/crypto/caam_jr/caam_jr_hw.c +++ b/drivers/crypto/caam_jr/caam_jr_hw.c @@ -9,6 +9,9 @@ #include #include #include +#ifdef RTE_LIBRTE_SECURITY +#include +#endif =20 #include #include diff --git a/drivers/crypto/caam_jr/caam_jr_pvt.h b/drivers/crypto/caam_jr/= caam_jr_pvt.h index 333a192d9..c2d35ecd2 100644 --- a/drivers/crypto/caam_jr/caam_jr_pvt.h +++ b/drivers/crypto/caam_jr/caam_jr_pvt.h @@ -5,6 +5,8 @@ #ifndef CAAM_JR_PVT_H #define CAAM_JR_PVT_H =20 +#include + /* NXP CAAM JR PMD device name */ =20 #define CAAM_JR_ALG_UNSUPPORT (-1) @@ -110,6 +112,9 @@ struct caam_jr_session { enum rte_crypto_cipher_algorithm cipher_alg; /* Cipher Algorithm*/ enum rte_crypto_auth_algorithm auth_alg; /* Authentication Algorithm*/ enum rte_crypto_aead_algorithm aead_alg; /* AEAD Algorithm*/ +#ifdef RTE_LIBRTE_SECURITY + enum rte_security_session_protocol proto_alg; /* Security Algorithm*/ +#endif union { struct { uint8_t *data; /* pointer to key data */ @@ -132,6 +137,11 @@ struct caam_jr_session { } iv; /* Initialisation vector parameters */ uint16_t auth_only_len; /* Length of data for Auth only */ uint32_t digest_length; +#ifdef RTE_LIBRTE_SECURITY + struct ipsec_encap_pdb encap_pdb; + struct ip ip4_hdr; + struct ipsec_decap_pdb decap_pdb; +#endif struct caam_jr_qp *qp; struct sec_cdb *cdb; /* cmd block associated with qp */ struct rte_mempool *ctx_pool; /* session mempool for caam_jr_op_ctx */ diff --git a/drivers/crypto/caam_jr/caam_jr_uio.c b/drivers/crypto/caam_jr/= caam_jr_uio.c index d6aec3e4c..58d86f961 100644 --- a/drivers/crypto/caam_jr/caam_jr_uio.c +++ b/drivers/crypto/caam_jr/caam_jr_uio.c @@ -16,6 +16,9 @@ #include #include #include +#ifdef RTE_LIBRTE_SECURITY +#include +#endif =20 #include #include --=20 2.17.1