[dpdk-dev] [PATCH 1/8] crypto/dpaa_sec: fix to set PDCP capability flags

[dpdk-dev] [PATCH 1/8] crypto/dpaa_sec: fix to set PDCP capability flags

[Hemant Agrawal]

set the pdcp capa_flags to 0 by default.

Fixes: a1173d55598c ("crypto/dpaa_sec: support PDCP offload")

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa_sec/dpaa_sec.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h
index c10ec1007..29ffe5631 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.h
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.h
@@ -712,6 +712,7 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = {
 		.protocol = RTE_SECURITY_PROTOCOL_PDCP,
 		.pdcp = {
 			.domain = RTE_SECURITY_PDCP_MODE_DATA,
+			.capa_flags = 0
 		},
 		.crypto_capabilities = dpaa_pdcp_capabilities
 	},
@@ -720,6 +721,7 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = {
 		.protocol = RTE_SECURITY_PROTOCOL_PDCP,
 		.pdcp = {
 			.domain = RTE_SECURITY_PDCP_MODE_CONTROL,
+			.capa_flags = 0
 		},
 		.crypto_capabilities = dpaa_pdcp_capabilities
 	},
-- 
2.17.1

[dpdk-dev] [PATCH 2/8] crypto/dpaa2_sec: add check for the session validity

[Hemant Agrawal]

Check if the session is not null during processing.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 52e522e4a..87220044a 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1368,6 +1368,9 @@ build_sec_fd(struct rte_crypto_op *op,
 	else
 		return -1;
 
+	if (!sess)
+		return -1;
+
 	/* Any of the buffer is segmented*/
 	if (!rte_pktmbuf_is_contiguous(op->sym->m_src) ||
 		  ((op->sym->m_dst != NULL) &&
-- 
2.17.1

[dpdk-dev] [PATCH 3/8] crypto/dpaa_sec: add check for the session validity

[Hemant Agrawal]

Check if the session is not null during processing.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa_sec/dpaa_sec.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 632ce9fdc..aeee74ff3 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -1773,6 +1773,14 @@ dpaa_sec_enqueue_burst(void *qp, struct rte_crypto_op **ops,
 				nb_ops = loop;
 				goto send_pkts;
 			}
+
+			if (!ses) {
+				DPAA_SEC_DP_ERR("session not available");
+				frames_to_send = loop;
+				nb_ops = loop;
+				goto send_pkts;
+			}
+
 			if (unlikely(!ses->qp[rte_lcore_id() % MAX_DPAA_CORES])) {
 				if (dpaa_sec_attach_sess_q(qp, ses)) {
 					frames_to_send = loop;
-- 
2.17.1

[dpdk-dev] [PATCH 4/8] crypto/dpaa2_sec: adding NULL cipher or NULL auth

[Hemant Agrawal]

These are supported when using protocol offload mode or in chain mode.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 20 +++++++---
 drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h   | 41 +++++++++++++++++++++
 2 files changed, 55 insertions(+), 6 deletions(-)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 87220044a..7652c7431 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1837,6 +1837,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
 
 	flc = &priv->flc_desc[0].flc;
 
+	session->ctxt_type = DPAA2_SEC_CIPHER;
 	session->cipher_key.data = rte_zmalloc(NULL, xform->cipher.key.length,
 			RTE_CACHE_LINE_SIZE);
 	if (session->cipher_key.data == NULL) {
@@ -1973,6 +1974,7 @@ dpaa2_sec_auth_init(struct rte_cryptodev *dev,
 	priv->fle_pool = dev_priv->fle_pool;
 	flc = &priv->flc_desc[DESC_INITFINAL].flc;
 
+	session->ctxt_type = DPAA2_SEC_AUTH;
 	session->auth_key.data = rte_zmalloc(NULL, xform->auth.key.length,
 			RTE_CACHE_LINE_SIZE);
 	if (session->auth_key.data == NULL) {
@@ -2481,27 +2483,33 @@ dpaa2_sec_set_session_parameters(struct rte_cryptodev *dev,
 
 	/* Cipher Only */
 	if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform->next == NULL) {
-		session->ctxt_type = DPAA2_SEC_CIPHER;
 		ret = dpaa2_sec_cipher_init(dev, xform, session);
 
 	/* Authentication Only */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
 		   xform->next == NULL) {
-		session->ctxt_type = DPAA2_SEC_AUTH;
 		ret = dpaa2_sec_auth_init(dev, xform, session);
 
 	/* Cipher then Authenticate */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
 		   xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
 		session->ext_params.aead_ctxt.auth_cipher_text = true;
-		ret = dpaa2_sec_aead_chain_init(dev, xform, session);
-
+		if (xform->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+			ret = dpaa2_sec_auth_init(dev, xform, session);
+		else if (xform->next->auth.algo == RTE_CRYPTO_AUTH_NULL)
+			ret = dpaa2_sec_cipher_init(dev, xform, session);
+		else
+			ret = dpaa2_sec_aead_chain_init(dev, xform, session);
 	/* Authenticate then Cipher */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
 		   xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
 		session->ext_params.aead_ctxt.auth_cipher_text = false;
-		ret = dpaa2_sec_aead_chain_init(dev, xform, session);
-
+		if (xform->auth.algo == RTE_CRYPTO_AUTH_NULL)
+			ret = dpaa2_sec_cipher_init(dev, xform, session);
+		else if (xform->next->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+			ret = dpaa2_sec_auth_init(dev, xform, session);
+		else
+			ret = dpaa2_sec_aead_chain_init(dev, xform, session);
 	/* AEAD operation for AES-GCM kind of Algorithms */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD &&
 		   xform->next == NULL) {
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
index 648bf8045..64e340cde 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
@@ -200,6 +200,27 @@ typedef struct dpaa2_sec_session_entry {
 } dpaa2_sec_session;
 
 static const struct rte_cryptodev_capabilities dpaa2_sec_capabilities[] = {
+	{	/* NULL (AUTH) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_NULL,
+				.block_size = 1,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.iv_size = { 0 }
+			}, },
+		}, },
+	},
 	{	/* MD5 HMAC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
@@ -356,6 +377,26 @@ static const struct rte_cryptodev_capabilities dpaa2_sec_capabilities[] = {
 			}, }
 		}, }
 	},
+	{	/* NULL (CIPHER) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_NULL,
+				.block_size = 1,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.iv_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				}
+			}, },
+		}, }
+	},
 	{	/* AES CBC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
-- 
2.17.1

[dpdk-dev] [PATCH 5/8] crypto/dpaa_sec: adding NULL cipher or NULL auth

[Hemant Agrawal]

These are supported when using protocol offload mode or when
in chain mode.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa_sec/dpaa_sec.c | 33 ++++++++++++++++++------
 drivers/crypto/dpaa_sec/dpaa_sec.h | 41 ++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 8 deletions(-)

diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index aeee74ff3..20b6e355a 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2037,6 +2037,7 @@ dpaa_sec_cipher_init(struct rte_cryptodev *dev __rte_unused,
 		     struct rte_crypto_sym_xform *xform,
 		     dpaa_sec_session *session)
 {
+	session->ctxt = DPAA_SEC_CIPHER;
 	session->cipher_alg = xform->cipher.algo;
 	session->iv.length = xform->cipher.iv.length;
 	session->iv.offset = xform->cipher.iv.offset;
@@ -2086,6 +2087,7 @@ dpaa_sec_auth_init(struct rte_cryptodev *dev __rte_unused,
 		   struct rte_crypto_sym_xform *xform,
 		   dpaa_sec_session *session)
 {
+	session->ctxt = DPAA_SEC_AUTH;
 	session->auth_alg = xform->auth.algo;
 	session->auth_key.data = rte_zmalloc(NULL, xform->auth.key.length,
 					     RTE_CACHE_LINE_SIZE);
@@ -2158,6 +2160,7 @@ dpaa_sec_chain_init(struct rte_cryptodev *dev __rte_unused,
 	struct rte_crypto_cipher_xform *cipher_xform;
 	struct rte_crypto_auth_xform *auth_xform;
 
+	session->ctxt = DPAA_SEC_CIPHER_HASH;
 	if (session->auth_cipher_text) {
 		cipher_xform = &xform->cipher;
 		auth_xform = &xform->next->auth;
@@ -2359,6 +2362,7 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
 	struct dpaa_sec_dev_private *internals = dev->data->dev_private;
 	dpaa_sec_session *session = sess;
 	uint32_t i;
+	int ret;
 
 	PMD_INIT_FUNC_TRACE();
 
@@ -2374,23 +2378,26 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
 	/* Cipher Only */
 	if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform->next == NULL) {
 		session->auth_alg = RTE_CRYPTO_AUTH_NULL;
-		session->ctxt = DPAA_SEC_CIPHER;
-		dpaa_sec_cipher_init(dev, xform, session);
+		ret = dpaa_sec_cipher_init(dev, xform, session);
 
 	/* Authentication Only */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
 		   xform->next == NULL) {
 		session->cipher_alg = RTE_CRYPTO_CIPHER_NULL;
 		session->ctxt = DPAA_SEC_AUTH;
-		dpaa_sec_auth_init(dev, xform, session);
+		ret = dpaa_sec_auth_init(dev, xform, session);
 
 	/* Cipher then Authenticate */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
 		   xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
 		if (xform->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
-			session->ctxt = DPAA_SEC_CIPHER_HASH;
 			session->auth_cipher_text = 1;
-			dpaa_sec_chain_init(dev, xform, session);
+			if (xform->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+				ret = dpaa_sec_auth_init(dev, xform, session);
+			else if (xform->next->auth.algo == RTE_CRYPTO_AUTH_NULL)
+				ret = dpaa_sec_cipher_init(dev, xform, session);
+			else
+				ret = dpaa_sec_chain_init(dev, xform, session);
 		} else {
 			DPAA_SEC_ERR("Not supported: Auth then Cipher");
 			return -EINVAL;
@@ -2399,9 +2406,14 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
 		   xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
 		if (xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_DECRYPT) {
-			session->ctxt = DPAA_SEC_CIPHER_HASH;
 			session->auth_cipher_text = 0;
-			dpaa_sec_chain_init(dev, xform, session);
+			if (xform->auth.algo == RTE_CRYPTO_AUTH_NULL)
+				ret = dpaa_sec_cipher_init(dev, xform, session);
+			else if (xform->next->cipher.algo
+					== RTE_CRYPTO_CIPHER_NULL)
+				ret = dpaa_sec_auth_init(dev, xform, session);
+			else
+				ret = dpaa_sec_chain_init(dev, xform, session);
 		} else {
 			DPAA_SEC_ERR("Not supported: Auth then Cipher");
 			return -EINVAL;
@@ -2410,12 +2422,17 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
 	/* AEAD operation for AES-GCM kind of Algorithms */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD &&
 		   xform->next == NULL) {
-		dpaa_sec_aead_init(dev, xform, session);
+		ret = dpaa_sec_aead_init(dev, xform, session);
 
 	} else {
 		DPAA_SEC_ERR("Invalid crypto type");
 		return -EINVAL;
 	}
+	if (ret) {
+		DPAA_SEC_ERR("unable to init session");
+		goto err1;
+	}
+
 	rte_spinlock_lock(&internals->lock);
 	for (i = 0; i < MAX_DPAA_CORES; i++) {
 		session->inq[i] = dpaa_sec_attach_rxq(internals);
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h
index 29ffe5631..039cce8e9 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.h
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.h
@@ -218,6 +218,27 @@ struct dpaa_sec_op_ctx {
 };
 
 static const struct rte_cryptodev_capabilities dpaa_sec_capabilities[] = {
+	{	/* NULL (AUTH) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_NULL,
+				.block_size = 1,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.iv_size = { 0 }
+			}, },
+		}, },
+	},
 	{	/* MD5 HMAC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
@@ -374,6 +395,26 @@ static const struct rte_cryptodev_capabilities dpaa_sec_capabilities[] = {
 			}, }
 		}, }
 	},
+	{	/* NULL (CIPHER) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_NULL,
+				.block_size = 1,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.iv_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				}
+			}, },
+		}, }
+	},
 	{	/* AES CBC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
-- 
2.17.1

[dpdk-dev] [PATCH 6/8] crypto/dpaa2_sec: add AES-GCM support for lookaside case

[Hemant Agrawal]

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 34 +++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 7652c7431..ba9ba4bd7 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -2550,12 +2550,40 @@ dpaa2_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
 
 	switch (aead_xform->algo) {
 	case RTE_CRYPTO_AEAD_AES_GCM:
-		aeaddata->algtype = OP_ALG_ALGSEL_AES;
+		switch (session->digest_length) {
+		case 8:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_GCM8;
+			break;
+		case 12:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_GCM12;
+			break;
+		case 16:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_GCM16;
+			break;
+		default:
+			DPAA2_SEC_ERR("Crypto: Undefined GCM digest %d",
+				      session->digest_length);
+			return -1;
+		}
 		aeaddata->algmode = OP_ALG_AAI_GCM;
 		session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM;
 		break;
 	case RTE_CRYPTO_AEAD_AES_CCM:
-		aeaddata->algtype = OP_ALG_ALGSEL_AES;
+		switch (session->digest_length) {
+		case 8:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_CCM8;
+			break;
+		case 12:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_CCM12;
+			break;
+		case 16:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_CCM16;
+			break;
+		default:
+			DPAA2_SEC_ERR("Crypto: Undefined CCM digest %d",
+				      session->digest_length);
+			return -1;
+		}
 		aeaddata->algmode = OP_ALG_AAI_CCM;
 		session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
 		break;
@@ -2764,6 +2792,8 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
 		aead_xform = &conf->crypto_xform->aead;
 		ret = dpaa2_sec_ipsec_aead_init(aead_xform,
 					session, &cipherdata);
+		authdata.keylen = 0;
+		authdata.algtype = 0;
 	} else {
 		DPAA2_SEC_ERR("XFORM not specified");
 		ret = -EINVAL;
-- 
2.17.1

[dpdk-dev] [PATCH 7/8] crypto/dpaa_sec: add AES-GCM support for lookaside case

[Hemant Agrawal]

This patch add support for AES-128-GCM, when used in
proto lookaside mode.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa_sec/dpaa_sec.c | 296 ++++++++++++++++++++---------
 1 file changed, 207 insertions(+), 89 deletions(-)

diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 20b6e355a..e86a1e3b7 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -382,12 +382,14 @@ dpaa_sec_prep_ipsec_cdb(dpaa_sec_session *ses)
 	cipherdata.algtype = ses->cipher_key.alg;
 	cipherdata.algmode = ses->cipher_key.algmode;
 
-	authdata.key = (size_t)ses->auth_key.data;
-	authdata.keylen = ses->auth_key.length;
-	authdata.key_enc_flags = 0;
-	authdata.key_type = RTA_DATA_IMM;
-	authdata.algtype = ses->auth_key.alg;
-	authdata.algmode = ses->auth_key.algmode;
+	if (ses->auth_key.length) {
+		authdata.key = (size_t)ses->auth_key.data;
+		authdata.keylen = ses->auth_key.length;
+		authdata.key_enc_flags = 0;
+		authdata.key_type = RTA_DATA_IMM;
+		authdata.algtype = ses->auth_key.alg;
+		authdata.algmode = ses->auth_key.algmode;
+	}
 
 	cdb->sh_desc[0] = cipherdata.keylen;
 	cdb->sh_desc[1] = authdata.keylen;
@@ -2523,33 +2525,79 @@ dpaa_sec_sym_session_clear(struct rte_cryptodev *dev,
 
 #ifdef RTE_LIBRTE_SECURITY
 static int
-dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
-			   struct rte_security_session_conf *conf,
-			   void *sess)
+dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
+			dpaa_sec_session *session)
 {
-	struct dpaa_sec_dev_private *internals = dev->data->dev_private;
-	struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
-	struct rte_crypto_auth_xform *auth_xform = NULL;
-	struct rte_crypto_cipher_xform *cipher_xform = NULL;
-	dpaa_sec_session *session = (dpaa_sec_session *)sess;
-	uint32_t i;
-
 	PMD_INIT_FUNC_TRACE();
 
-	memset(session, 0, sizeof(dpaa_sec_session));
-	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
-		cipher_xform = &conf->crypto_xform->cipher;
-		if (conf->crypto_xform->next)
-			auth_xform = &conf->crypto_xform->next->auth;
-	} else {
-		auth_xform = &conf->crypto_xform->auth;
-		if (conf->crypto_xform->next)
-			cipher_xform = &conf->crypto_xform->next->cipher;
+	session->aead_key.data = rte_zmalloc(NULL, aead_xform->key.length,
+					       RTE_CACHE_LINE_SIZE);
+	if (session->aead_key.data == NULL && aead_xform->key.length > 0) {
+		DPAA_SEC_ERR("No Memory for aead key");
+		return -1;
 	}
-	session->proto_alg = conf->protocol;
-	session->ctxt = DPAA_SEC_IPSEC;
+	memcpy(session->aead_key.data, aead_xform->key.data,
+	       aead_xform->key.length);
+
+	session->digest_length = aead_xform->digest_length;
+	session->aead_key.length = aead_xform->key.length;
+
+	switch (aead_xform->algo) {
+	case RTE_CRYPTO_AEAD_AES_GCM:
+		switch (session->digest_length) {
+		case 8:
+			session->aead_key.alg = OP_PCL_IPSEC_AES_GCM8;
+			break;
+		case 12:
+			session->aead_key.alg = OP_PCL_IPSEC_AES_GCM12;
+			break;
+		case 16:
+			session->aead_key.alg = OP_PCL_IPSEC_AES_GCM16;
+			break;
+		default:
+			DPAA_SEC_ERR("Crypto: Undefined GCM digest %d",
+				     session->digest_length);
+			return -1;
+		}
+		session->aead_key.algmode = OP_ALG_AAI_GCM;
+		session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM;
+		break;
+	case RTE_CRYPTO_AEAD_AES_CCM:
+		switch (session->digest_length) {
+		case 8:
+			session->aead_key.alg = OP_PCL_IPSEC_AES_CCM8;
+			break;
+		case 12:
+			session->aead_key.alg = OP_PCL_IPSEC_AES_CCM12;
+			break;
+		case 16:
+			session->aead_key.alg = OP_PCL_IPSEC_AES_CCM16;
+			break;
+		default:
+			DPAA_SEC_ERR("Crypto: Undefined CCM digest %d",
+				     session->digest_length);
+			return -1;
+		}
+		session->aead_key.algmode = OP_ALG_AAI_CCM;
+		session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
+		break;
+	default:
+		DPAA_SEC_ERR("Crypto: Undefined AEAD specified %u",
+			      aead_xform->algo);
+		return -1;
+	}
+	session->dir = (aead_xform->op == RTE_CRYPTO_AEAD_OP_ENCRYPT) ?
+				DIR_ENC : DIR_DEC;
+
+	return 0;
+}
 
-	if (cipher_xform && cipher_xform->algo != RTE_CRYPTO_CIPHER_NULL) {
+static int
+dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
+	struct rte_crypto_auth_xform *auth_xform,
+	dpaa_sec_session *session)
+{
+	if (cipher_xform) {
 		session->cipher_key.data = rte_zmalloc(NULL,
 						       cipher_xform->key.length,
 						       RTE_CACHE_LINE_SIZE);
@@ -2558,31 +2606,10 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 			DPAA_SEC_ERR("No Memory for cipher key");
 			return -ENOMEM;
 		}
+
+		session->cipher_key.length = cipher_xform->key.length;
 		memcpy(session->cipher_key.data, cipher_xform->key.data,
 				cipher_xform->key.length);
-		session->cipher_key.length = cipher_xform->key.length;
-
-		switch (cipher_xform->algo) {
-		case RTE_CRYPTO_CIPHER_NULL:
-			session->cipher_key.alg = OP_PCL_IPSEC_NULL;
-			break;
-		case RTE_CRYPTO_CIPHER_AES_CBC:
-			session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
-			session->cipher_key.algmode = OP_ALG_AAI_CBC;
-			break;
-		case RTE_CRYPTO_CIPHER_3DES_CBC:
-			session->cipher_key.alg = OP_PCL_IPSEC_3DES;
-			session->cipher_key.algmode = OP_ALG_AAI_CBC;
-			break;
-		case RTE_CRYPTO_CIPHER_AES_CTR:
-			session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
-			session->cipher_key.algmode = OP_ALG_AAI_CTR;
-			break;
-		default:
-			DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u",
-				cipher_xform->algo);
-			goto out;
-		}
 		session->cipher_alg = cipher_xform->algo;
 	} else {
 		session->cipher_key.data = NULL;
@@ -2590,54 +2617,18 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 		session->cipher_alg = RTE_CRYPTO_CIPHER_NULL;
 	}
 
-	if (auth_xform && auth_xform->algo != RTE_CRYPTO_AUTH_NULL) {
+	if (auth_xform) {
 		session->auth_key.data = rte_zmalloc(NULL,
 						auth_xform->key.length,
 						RTE_CACHE_LINE_SIZE);
 		if (session->auth_key.data == NULL &&
 				auth_xform->key.length > 0) {
 			DPAA_SEC_ERR("No Memory for auth key");
-			rte_free(session->cipher_key.data);
 			return -ENOMEM;
 		}
+		session->auth_key.length = auth_xform->key.length;
 		memcpy(session->auth_key.data, auth_xform->key.data,
 				auth_xform->key.length);
-		session->auth_key.length = auth_xform->key.length;
-
-		switch (auth_xform->algo) {
-		case RTE_CRYPTO_AUTH_NULL:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL;
-			session->digest_length = 0;
-			break;
-		case RTE_CRYPTO_AUTH_MD5_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		case RTE_CRYPTO_AUTH_SHA1_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		case RTE_CRYPTO_AUTH_SHA224_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_160;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		case RTE_CRYPTO_AUTH_SHA256_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		case RTE_CRYPTO_AUTH_SHA384_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		case RTE_CRYPTO_AUTH_SHA512_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		default:
-			DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
-				auth_xform->algo);
-			goto out;
-		}
 		session->auth_alg = auth_xform->algo;
 	} else {
 		session->auth_key.data = NULL;
@@ -2645,6 +2636,133 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 		session->auth_alg = RTE_CRYPTO_AUTH_NULL;
 	}
 
+	switch (session->auth_alg) {
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96;
+		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96;
+		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
+		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
+		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256;
+		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_AES_CMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_AES_CMAC_96;
+		break;
+	case RTE_CRYPTO_AUTH_NULL:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL;
+		break;
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+	case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+	case RTE_CRYPTO_AUTH_SNOW3G_UIA2:
+	case RTE_CRYPTO_AUTH_SHA1:
+	case RTE_CRYPTO_AUTH_SHA256:
+	case RTE_CRYPTO_AUTH_SHA512:
+	case RTE_CRYPTO_AUTH_SHA224:
+	case RTE_CRYPTO_AUTH_SHA384:
+	case RTE_CRYPTO_AUTH_MD5:
+	case RTE_CRYPTO_AUTH_AES_GMAC:
+	case RTE_CRYPTO_AUTH_KASUMI_F9:
+	case RTE_CRYPTO_AUTH_AES_CBC_MAC:
+	case RTE_CRYPTO_AUTH_ZUC_EIA3:
+		DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
+			      session->auth_alg);
+		return -1;
+	default:
+		DPAA_SEC_ERR("Crypto: Undefined Auth specified %u",
+			      session->auth_alg);
+		return -1;
+	}
+
+	switch (session->cipher_alg) {
+	case RTE_CRYPTO_CIPHER_AES_CBC:
+		session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
+		session->cipher_key.algmode = OP_ALG_AAI_CBC;
+		break;
+	case RTE_CRYPTO_CIPHER_3DES_CBC:
+		session->cipher_key.alg = OP_PCL_IPSEC_3DES;
+		session->cipher_key.algmode = OP_ALG_AAI_CBC;
+		break;
+	case RTE_CRYPTO_CIPHER_AES_CTR:
+		session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
+		session->cipher_key.algmode = OP_ALG_AAI_CTR;
+		break;
+	case RTE_CRYPTO_CIPHER_NULL:
+		session->cipher_key.alg = OP_PCL_IPSEC_NULL;
+		break;
+	case RTE_CRYPTO_CIPHER_SNOW3G_UEA2:
+	case RTE_CRYPTO_CIPHER_ZUC_EEA3:
+	case RTE_CRYPTO_CIPHER_3DES_ECB:
+	case RTE_CRYPTO_CIPHER_AES_ECB:
+	case RTE_CRYPTO_CIPHER_KASUMI_F8:
+		DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u",
+			      session->cipher_alg);
+		return -1;
+	default:
+		DPAA_SEC_ERR("Crypto: Undefined Cipher specified %u",
+			      session->cipher_alg);
+		return -1;
+	}
+
+	return 0;
+}
+
+static int
+dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
+			   struct rte_security_session_conf *conf,
+			   void *sess)
+{
+	struct dpaa_sec_dev_private *internals = dev->data->dev_private;
+	struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
+	struct rte_crypto_auth_xform *auth_xform = NULL;
+	struct rte_crypto_cipher_xform *cipher_xform = NULL;
+	struct rte_crypto_aead_xform *aead_xform = NULL;
+	dpaa_sec_session *session = (dpaa_sec_session *)sess;
+	uint32_t i;
+	int ret;
+
+	PMD_INIT_FUNC_TRACE();
+
+	memset(session, 0, sizeof(dpaa_sec_session));
+	session->proto_alg = conf->protocol;
+	session->ctxt = DPAA_SEC_IPSEC;
+
+	if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
+		cipher_xform = &conf->crypto_xform->cipher;
+		if (conf->crypto_xform->next)
+			auth_xform = &conf->crypto_xform->next->auth;
+		ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
+					session);
+	} else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+		auth_xform = &conf->crypto_xform->auth;
+		if (conf->crypto_xform->next)
+			cipher_xform = &conf->crypto_xform->next->cipher;
+		ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
+					session);
+	} else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		aead_xform = &conf->crypto_xform->aead;
+		ret = dpaa_sec_ipsec_aead_init(aead_xform, session);
+	} else {
+		DPAA_SEC_ERR("XFORM not specified");
+		ret = -EINVAL;
+		goto out;
+	}
+	if (ret) {
+		DPAA_SEC_ERR("Failed to process xform");
+		goto out;
+	}
+
 	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
 		if (ipsec_xform->tunnel.type ==
 				RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
-- 
2.17.1

[dpdk-dev] [PATCH 8/8] test/cryptodev: enable additional cases for dpaax

[Hemant Agrawal]

This patch enables short buffer cases for dpaax_sec pmds

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 app/test/test_cryptodev_aes_test_vectors.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/app/test/test_cryptodev_aes_test_vectors.h b/app/test/test_cryptodev_aes_test_vectors.h
index 54a8082cf..52666522d 100644
--- a/app/test/test_cryptodev_aes_test_vectors.h
+++ b/app/test/test_cryptodev_aes_test_vectors.h
@@ -1605,6 +1605,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.feature_mask = BLOCKCIPHER_TEST_FEATURE_OOP,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
 			BLOCKCIPHER_TEST_TARGET_PMD_QAT |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX
 	},
 		{
@@ -1716,6 +1718,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.test_data = &aes_test_data_13,
 		.op_mask = BLOCKCIPHER_TEST_OP_ENC_AUTH_GEN,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
 			BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1777,6 +1781,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.test_data = &aes_test_data_13,
 		.op_mask = BLOCKCIPHER_TEST_OP_AUTH_VERIFY_DEC,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
 			BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1806,6 +1812,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.test_data = &aes_test_data_12,
 		.op_mask = BLOCKCIPHER_TEST_OP_ENC_AUTH_GEN,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
 			BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1835,6 +1843,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.test_data = &aes_test_data_12,
 		.op_mask = BLOCKCIPHER_TEST_OP_AUTH_VERIFY_DEC,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
 			BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1954,6 +1964,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.op_mask = BLOCKCIPHER_TEST_OP_ENC_AUTH_GEN,
 		.feature_mask = BLOCKCIPHER_TEST_FEATURE_OOP,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_QAT |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX
 	},
-- 
2.17.1

[dpdk-dev] [PATCH v2 01/13] crypto/dpaa_sec: fix to set PDCP capability flags

[Hemant Agrawal]

set the pdcp capa_flags to 0 by default.

Fixes: a1173d55598c ("crypto/dpaa_sec: support PDCP offload")

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa_sec/dpaa_sec.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h
index 684950d6d..32dc8268c 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.h
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.h
@@ -714,6 +714,7 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = {
 		.protocol = RTE_SECURITY_PROTOCOL_PDCP,
 		.pdcp = {
 			.domain = RTE_SECURITY_PDCP_MODE_DATA,
+			.capa_flags = 0
 		},
 		.crypto_capabilities = dpaa_pdcp_capabilities
 	},
@@ -722,6 +723,7 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = {
 		.protocol = RTE_SECURITY_PROTOCOL_PDCP,
 		.pdcp = {
 			.domain = RTE_SECURITY_PDCP_MODE_CONTROL,
+			.capa_flags = 0
 		},
 		.crypto_capabilities = dpaa_pdcp_capabilities
 	},
-- 
2.17.1

[dpdk-dev] [PATCH v2 02/13] crypto/dpaa2_sec: add check for the session validity

[Hemant Agrawal]

Check if the session is not null during processing.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 6d59e73e9..70207818b 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1368,6 +1368,9 @@ build_sec_fd(struct rte_crypto_op *op,
 	else
 		return -1;
 
+	if (!sess)
+		return -1;
+
 	/* Any of the buffer is segmented*/
 	if (!rte_pktmbuf_is_contiguous(op->sym->m_src) ||
 		  ((op->sym->m_dst != NULL) &&
-- 
2.17.1

[dpdk-dev] [PATCH v2 03/13] crypto/dpaa_sec: add check for the session validity

[Hemant Agrawal]

Check if the session is not null during processing.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa_sec/dpaa_sec.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 31fe092ce..8704fe33d 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -1773,6 +1773,14 @@ dpaa_sec_enqueue_burst(void *qp, struct rte_crypto_op **ops,
 				nb_ops = loop;
 				goto send_pkts;
 			}
+
+			if (!ses) {
+				DPAA_SEC_DP_ERR("session not available");
+				frames_to_send = loop;
+				nb_ops = loop;
+				goto send_pkts;
+			}
+
 			if (unlikely(!ses->qp[rte_lcore_id() % MAX_DPAA_CORES])) {
 				if (dpaa_sec_attach_sess_q(qp, ses)) {
 					frames_to_send = loop;
-- 
2.17.1

[dpdk-dev] [PATCH v2 04/13] crypto/dpaa2_sec: adding NULL cipher or NULL auth

[Hemant Agrawal]

These are supported when using protocol offload mode or in chain mode.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 22 +++++++----
 drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h   | 41 +++++++++++++++++++++
 2 files changed, 56 insertions(+), 7 deletions(-)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 70207818b..6c2faa69a 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: BSD-3-Clause
  *
  *   Copyright (c) 2016 Freescale Semiconductor, Inc. All rights reserved.
- *   Copyright 2016-2018 NXP
+ *   Copyright 2016-2019 NXP
  *
  */
 
@@ -1837,6 +1837,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
 
 	flc = &priv->flc_desc[0].flc;
 
+	session->ctxt_type = DPAA2_SEC_CIPHER;
 	session->cipher_key.data = rte_zmalloc(NULL, xform->cipher.key.length,
 			RTE_CACHE_LINE_SIZE);
 	if (session->cipher_key.data == NULL) {
@@ -1973,6 +1974,7 @@ dpaa2_sec_auth_init(struct rte_cryptodev *dev,
 	priv->fle_pool = dev_priv->fle_pool;
 	flc = &priv->flc_desc[DESC_INITFINAL].flc;
 
+	session->ctxt_type = DPAA2_SEC_AUTH;
 	session->auth_key.data = rte_zmalloc(NULL, xform->auth.key.length,
 			RTE_CACHE_LINE_SIZE);
 	if (session->auth_key.data == NULL) {
@@ -2481,27 +2483,33 @@ dpaa2_sec_set_session_parameters(struct rte_cryptodev *dev,
 
 	/* Cipher Only */
 	if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform->next == NULL) {
-		session->ctxt_type = DPAA2_SEC_CIPHER;
 		ret = dpaa2_sec_cipher_init(dev, xform, session);
 
 	/* Authentication Only */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
 		   xform->next == NULL) {
-		session->ctxt_type = DPAA2_SEC_AUTH;
 		ret = dpaa2_sec_auth_init(dev, xform, session);
 
 	/* Cipher then Authenticate */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
 		   xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
 		session->ext_params.aead_ctxt.auth_cipher_text = true;
-		ret = dpaa2_sec_aead_chain_init(dev, xform, session);
-
+		if (xform->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+			ret = dpaa2_sec_auth_init(dev, xform, session);
+		else if (xform->next->auth.algo == RTE_CRYPTO_AUTH_NULL)
+			ret = dpaa2_sec_cipher_init(dev, xform, session);
+		else
+			ret = dpaa2_sec_aead_chain_init(dev, xform, session);
 	/* Authenticate then Cipher */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
 		   xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
 		session->ext_params.aead_ctxt.auth_cipher_text = false;
-		ret = dpaa2_sec_aead_chain_init(dev, xform, session);
-
+		if (xform->auth.algo == RTE_CRYPTO_AUTH_NULL)
+			ret = dpaa2_sec_cipher_init(dev, xform, session);
+		else if (xform->next->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+			ret = dpaa2_sec_auth_init(dev, xform, session);
+		else
+			ret = dpaa2_sec_aead_chain_init(dev, xform, session);
 	/* AEAD operation for AES-GCM kind of Algorithms */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD &&
 		   xform->next == NULL) {
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
index b97dacbcb..528b64ef8 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
@@ -200,6 +200,27 @@ typedef struct dpaa2_sec_session_entry {
 } dpaa2_sec_session;
 
 static const struct rte_cryptodev_capabilities dpaa2_sec_capabilities[] = {
+	{	/* NULL (AUTH) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_NULL,
+				.block_size = 1,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.iv_size = { 0 }
+			}, },
+		}, },
+	},
 	{	/* MD5 HMAC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
@@ -356,6 +377,26 @@ static const struct rte_cryptodev_capabilities dpaa2_sec_capabilities[] = {
 			}, }
 		}, }
 	},
+	{	/* NULL (CIPHER) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_NULL,
+				.block_size = 1,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.iv_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				}
+			}, },
+		}, }
+	},
 	{	/* AES CBC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
-- 
2.17.1

[dpdk-dev] [PATCH v2 05/13] crypto/dpaa_sec: adding NULL cipher or NULL auth

[Hemant Agrawal]

These are supported when using protocol offload mode or when
in chain mode.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa_sec/dpaa_sec.c | 33 ++++++++++++++++++------
 drivers/crypto/dpaa_sec/dpaa_sec.h | 41 ++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 8 deletions(-)

diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 8704fe33d..ce7860b24 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2037,6 +2037,7 @@ dpaa_sec_cipher_init(struct rte_cryptodev *dev __rte_unused,
 		     struct rte_crypto_sym_xform *xform,
 		     dpaa_sec_session *session)
 {
+	session->ctxt = DPAA_SEC_CIPHER;
 	session->cipher_alg = xform->cipher.algo;
 	session->iv.length = xform->cipher.iv.length;
 	session->iv.offset = xform->cipher.iv.offset;
@@ -2086,6 +2087,7 @@ dpaa_sec_auth_init(struct rte_cryptodev *dev __rte_unused,
 		   struct rte_crypto_sym_xform *xform,
 		   dpaa_sec_session *session)
 {
+	session->ctxt = DPAA_SEC_AUTH;
 	session->auth_alg = xform->auth.algo;
 	session->auth_key.data = rte_zmalloc(NULL, xform->auth.key.length,
 					     RTE_CACHE_LINE_SIZE);
@@ -2158,6 +2160,7 @@ dpaa_sec_chain_init(struct rte_cryptodev *dev __rte_unused,
 	struct rte_crypto_cipher_xform *cipher_xform;
 	struct rte_crypto_auth_xform *auth_xform;
 
+	session->ctxt = DPAA_SEC_CIPHER_HASH;
 	if (session->auth_cipher_text) {
 		cipher_xform = &xform->cipher;
 		auth_xform = &xform->next->auth;
@@ -2359,6 +2362,7 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
 	struct dpaa_sec_dev_private *internals = dev->data->dev_private;
 	dpaa_sec_session *session = sess;
 	uint32_t i;
+	int ret;
 
 	PMD_INIT_FUNC_TRACE();
 
@@ -2374,23 +2378,26 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
 	/* Cipher Only */
 	if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform->next == NULL) {
 		session->auth_alg = RTE_CRYPTO_AUTH_NULL;
-		session->ctxt = DPAA_SEC_CIPHER;
-		dpaa_sec_cipher_init(dev, xform, session);
+		ret = dpaa_sec_cipher_init(dev, xform, session);
 
 	/* Authentication Only */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
 		   xform->next == NULL) {
 		session->cipher_alg = RTE_CRYPTO_CIPHER_NULL;
 		session->ctxt = DPAA_SEC_AUTH;
-		dpaa_sec_auth_init(dev, xform, session);
+		ret = dpaa_sec_auth_init(dev, xform, session);
 
 	/* Cipher then Authenticate */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
 		   xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
 		if (xform->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
-			session->ctxt = DPAA_SEC_CIPHER_HASH;
 			session->auth_cipher_text = 1;
-			dpaa_sec_chain_init(dev, xform, session);
+			if (xform->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+				ret = dpaa_sec_auth_init(dev, xform, session);
+			else if (xform->next->auth.algo == RTE_CRYPTO_AUTH_NULL)
+				ret = dpaa_sec_cipher_init(dev, xform, session);
+			else
+				ret = dpaa_sec_chain_init(dev, xform, session);
 		} else {
 			DPAA_SEC_ERR("Not supported: Auth then Cipher");
 			return -EINVAL;
@@ -2399,9 +2406,14 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
 		   xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
 		if (xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_DECRYPT) {
-			session->ctxt = DPAA_SEC_CIPHER_HASH;
 			session->auth_cipher_text = 0;
-			dpaa_sec_chain_init(dev, xform, session);
+			if (xform->auth.algo == RTE_CRYPTO_AUTH_NULL)
+				ret = dpaa_sec_cipher_init(dev, xform, session);
+			else if (xform->next->cipher.algo
+					== RTE_CRYPTO_CIPHER_NULL)
+				ret = dpaa_sec_auth_init(dev, xform, session);
+			else
+				ret = dpaa_sec_chain_init(dev, xform, session);
 		} else {
 			DPAA_SEC_ERR("Not supported: Auth then Cipher");
 			return -EINVAL;
@@ -2410,12 +2422,17 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
 	/* AEAD operation for AES-GCM kind of Algorithms */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD &&
 		   xform->next == NULL) {
-		dpaa_sec_aead_init(dev, xform, session);
+		ret = dpaa_sec_aead_init(dev, xform, session);
 
 	} else {
 		DPAA_SEC_ERR("Invalid crypto type");
 		return -EINVAL;
 	}
+	if (ret) {
+		DPAA_SEC_ERR("unable to init session");
+		goto err1;
+	}
+
 	rte_spinlock_lock(&internals->lock);
 	for (i = 0; i < MAX_DPAA_CORES; i++) {
 		session->inq[i] = dpaa_sec_attach_rxq(internals);
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h
index 32dc8268c..3ecc7eae5 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.h
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.h
@@ -218,6 +218,27 @@ struct dpaa_sec_op_ctx {
 };
 
 static const struct rte_cryptodev_capabilities dpaa_sec_capabilities[] = {
+	{	/* NULL (AUTH) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_NULL,
+				.block_size = 1,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.iv_size = { 0 }
+			}, },
+		}, },
+	},
 	{	/* MD5 HMAC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
@@ -374,6 +395,26 @@ static const struct rte_cryptodev_capabilities dpaa_sec_capabilities[] = {
 			}, }
 		}, }
 	},
+	{	/* NULL (CIPHER) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_NULL,
+				.block_size = 1,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.iv_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				}
+			}, },
+		}, }
+	},
 	{	/* AES CBC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
-- 
2.17.1

[dpdk-dev] [PATCH v2 06/13] crypto/dpaa2_sec: add AES-GCM support for lookaside case

[Hemant Agrawal]

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 96 ++++++++++++++++++++-
 1 file changed, 92 insertions(+), 4 deletions(-)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 6c2faa69a..c6b6444aa 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -2550,12 +2550,40 @@ dpaa2_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
 
 	switch (aead_xform->algo) {
 	case RTE_CRYPTO_AEAD_AES_GCM:
-		aeaddata->algtype = OP_ALG_ALGSEL_AES;
+		switch (session->digest_length) {
+		case 8:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_GCM8;
+			break;
+		case 12:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_GCM12;
+			break;
+		case 16:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_GCM16;
+			break;
+		default:
+			DPAA2_SEC_ERR("Crypto: Undefined GCM digest %d",
+				      session->digest_length);
+			return -1;
+		}
 		aeaddata->algmode = OP_ALG_AAI_GCM;
 		session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM;
 		break;
 	case RTE_CRYPTO_AEAD_AES_CCM:
-		aeaddata->algtype = OP_ALG_ALGSEL_AES;
+		switch (session->digest_length) {
+		case 8:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_CCM8;
+			break;
+		case 12:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_CCM12;
+			break;
+		case 16:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_CCM16;
+			break;
+		default:
+			DPAA2_SEC_ERR("Crypto: Undefined CCM digest %d",
+				      session->digest_length);
+			return -1;
+		}
 		aeaddata->algmode = OP_ALG_AAI_CCM;
 		session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
 		break;
@@ -2723,8 +2751,6 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
 	struct rte_crypto_aead_xform *aead_xform = NULL;
 	dpaa2_sec_session *session = (dpaa2_sec_session *)sess;
 	struct ctxt_priv *priv;
-	struct ipsec_encap_pdb encap_pdb;
-	struct ipsec_decap_pdb decap_pdb;
 	struct alginfo authdata, cipherdata;
 	int bufsize;
 	struct sec_flow_context *flc;
@@ -2764,6 +2790,8 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
 		aead_xform = &conf->crypto_xform->aead;
 		ret = dpaa2_sec_ipsec_aead_init(aead_xform,
 					session, &cipherdata);
+		authdata.keylen = 0;
+		authdata.algtype = 0;
 	} else {
 		DPAA2_SEC_ERR("XFORM not specified");
 		ret = -EINVAL;
@@ -2779,10 +2807,37 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
 		uint8_t *hdr = NULL;
 		struct ip ip4_hdr;
 		struct rte_ipv6_hdr ip6_hdr;
+		struct ipsec_encap_pdb encap_pdb;
 
 		flc->dhr = SEC_FLC_DHR_OUTBOUND;
 		/* For Sec Proto only one descriptor is required. */
 		memset(&encap_pdb, 0, sizeof(struct ipsec_encap_pdb));
+
+		/* copy algo specific data to PDB */
+		switch (cipherdata.algtype) {
+		case OP_PCL_IPSEC_AES_GCM8:
+		case OP_PCL_IPSEC_AES_GCM12:
+		case OP_PCL_IPSEC_AES_GCM16:
+			memcpy(encap_pdb.gcm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+			break;
+		case OP_PCL_IPSEC_AES_CCM8:
+			encap_pdb.ccm.ccm_opt = 0x5B;
+			memcpy(encap_pdb.ccm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+			break;
+		case OP_PCL_IPSEC_AES_CCM12:
+			encap_pdb.ccm.ccm_opt = 0x6B;
+			memcpy(encap_pdb.ccm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+			break;
+		case OP_PCL_IPSEC_AES_CCM16:
+			encap_pdb.ccm.ccm_opt = 0x7B;
+			memcpy(encap_pdb.ccm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+			break;
+		}
+
 		encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) |
 			PDBOPTS_ESP_OIHI_PDB_INL |
 			PDBOPTS_ESP_IVSRC |
@@ -2839,8 +2894,41 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
 				hdr, &cipherdata, &authdata);
 	} else if (ipsec_xform->direction ==
 			RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		struct ipsec_decap_pdb decap_pdb;
+
 		flc->dhr = SEC_FLC_DHR_INBOUND;
 		memset(&decap_pdb, 0, sizeof(struct ipsec_decap_pdb));
+		/* copy algo specific data to PDB */
+		switch (cipherdata.algtype) {
+		case OP_PCL_IPSEC_AES_GCM8:
+		case OP_PCL_IPSEC_AES_GCM12:
+		case OP_PCL_IPSEC_AES_GCM16:
+			memcpy(decap_pdb.gcm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+			break;
+		case OP_PCL_IPSEC_AES_CCM8:
+			decap_pdb.ccm.ccm_opt = 0x5B;
+			/* CCM salt length is 3 bytes, left shift 8 bits */
+			ipsec_xform->salt >>= 8;
+			memcpy(decap_pdb.ccm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+			break;
+		case OP_PCL_IPSEC_AES_CCM12:
+			decap_pdb.ccm.ccm_opt = 0x6B;
+			/* CCM salt length is 3 bytes, left shift 8 bits */
+			ipsec_xform->salt >>= 8;
+			memcpy(decap_pdb.ccm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+			break;
+		case OP_PCL_IPSEC_AES_CCM16:
+			decap_pdb.ccm.ccm_opt = 0x7B;
+			/* CCM salt length is 3 bytes, left shift 8 bits */
+			ipsec_xform->salt >>= 8;
+			memcpy(decap_pdb.ccm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+			break;
+		}
+
 		decap_pdb.options = (ipsec_xform->tunnel.type ==
 				RTE_SECURITY_IPSEC_TUNNEL_IPV4) ?
 				sizeof(struct ip) << 16 :
-- 
2.17.1

[dpdk-dev] [PATCH v2 07/13] crypto/dpaa_sec: add AES-GCM support for lookaside case

[Hemant Agrawal]

This patch add support for AES-128-GCM, when used in
proto lookaside mode.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa_sec/dpaa_sec.c | 331 ++++++++++++++++++++---------
 1 file changed, 233 insertions(+), 98 deletions(-)

diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index ce7860b24..24a5a7239 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -382,12 +382,14 @@ dpaa_sec_prep_ipsec_cdb(dpaa_sec_session *ses)
 	cipherdata.algtype = ses->cipher_key.alg;
 	cipherdata.algmode = ses->cipher_key.algmode;
 
-	authdata.key = (size_t)ses->auth_key.data;
-	authdata.keylen = ses->auth_key.length;
-	authdata.key_enc_flags = 0;
-	authdata.key_type = RTA_DATA_IMM;
-	authdata.algtype = ses->auth_key.alg;
-	authdata.algmode = ses->auth_key.algmode;
+	if (ses->auth_key.length) {
+		authdata.key = (size_t)ses->auth_key.data;
+		authdata.keylen = ses->auth_key.length;
+		authdata.key_enc_flags = 0;
+		authdata.key_type = RTA_DATA_IMM;
+		authdata.algtype = ses->auth_key.alg;
+		authdata.algmode = ses->auth_key.algmode;
+	}
 
 	cdb->sh_desc[0] = cipherdata.keylen;
 	cdb->sh_desc[1] = authdata.keylen;
@@ -2523,33 +2525,98 @@ dpaa_sec_sym_session_clear(struct rte_cryptodev *dev,
 
 #ifdef RTE_LIBRTE_SECURITY
 static int
-dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
-			   struct rte_security_session_conf *conf,
-			   void *sess)
+dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
+			struct rte_security_ipsec_xform *ipsec_xform,
+			dpaa_sec_session *session)
 {
-	struct dpaa_sec_dev_private *internals = dev->data->dev_private;
-	struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
-	struct rte_crypto_auth_xform *auth_xform = NULL;
-	struct rte_crypto_cipher_xform *cipher_xform = NULL;
-	dpaa_sec_session *session = (dpaa_sec_session *)sess;
-	uint32_t i;
-
 	PMD_INIT_FUNC_TRACE();
 
-	memset(session, 0, sizeof(dpaa_sec_session));
-	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
-		cipher_xform = &conf->crypto_xform->cipher;
-		if (conf->crypto_xform->next)
-			auth_xform = &conf->crypto_xform->next->auth;
-	} else {
-		auth_xform = &conf->crypto_xform->auth;
-		if (conf->crypto_xform->next)
-			cipher_xform = &conf->crypto_xform->next->cipher;
+	session->aead_key.data = rte_zmalloc(NULL, aead_xform->key.length,
+					       RTE_CACHE_LINE_SIZE);
+	if (session->aead_key.data == NULL && aead_xform->key.length > 0) {
+		DPAA_SEC_ERR("No Memory for aead key");
+		return -1;
 	}
-	session->proto_alg = conf->protocol;
-	session->ctxt = DPAA_SEC_IPSEC;
+	memcpy(session->aead_key.data, aead_xform->key.data,
+	       aead_xform->key.length);
 
-	if (cipher_xform && cipher_xform->algo != RTE_CRYPTO_CIPHER_NULL) {
+	session->digest_length = aead_xform->digest_length;
+	session->aead_key.length = aead_xform->key.length;
+
+	switch (aead_xform->algo) {
+	case RTE_CRYPTO_AEAD_AES_GCM:
+		switch (session->digest_length) {
+		case 8:
+			session->aead_key.alg = OP_PCL_IPSEC_AES_GCM8;
+			break;
+		case 12:
+			session->aead_key.alg = OP_PCL_IPSEC_AES_GCM12;
+			break;
+		case 16:
+			session->aead_key.alg = OP_PCL_IPSEC_AES_GCM16;
+			break;
+		default:
+			DPAA_SEC_ERR("Crypto: Undefined GCM digest %d",
+				     session->digest_length);
+			return -1;
+		}
+		if (session->dir == DIR_ENC) {
+			memcpy(session->encap_pdb.gcm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+		} else {
+			memcpy(session->decap_pdb.gcm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+		}
+		session->aead_key.algmode = OP_ALG_AAI_GCM;
+		session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM;
+		break;
+	case RTE_CRYPTO_AEAD_AES_CCM:
+		switch (session->digest_length) {
+		case 8:
+			session->aead_key.alg = OP_PCL_IPSEC_AES_CCM8;
+			session->encap_pdb.ccm.ccm_opt = 0x5B;
+			session->decap_pdb.ccm.ccm_opt = 0x5B;
+			break;
+		case 12:
+			session->aead_key.alg = OP_PCL_IPSEC_AES_CCM12;
+			session->encap_pdb.ccm.ccm_opt = 0x6B;
+			session->decap_pdb.ccm.ccm_opt = 0x6B;
+			break;
+		case 16:
+			session->aead_key.alg = OP_PCL_IPSEC_AES_CCM16;
+			session->encap_pdb.ccm.ccm_opt = 0x7B;
+			session->decap_pdb.ccm.ccm_opt = 0x7B;
+			break;
+		default:
+			DPAA_SEC_ERR("Crypto: Undefined CCM digest %d",
+				     session->digest_length);
+			return -1;
+		}
+		if (session->dir == DIR_ENC) {
+			/* todo CCM salt length is 3 bytes, left shift 8 bits */
+			memcpy(session->encap_pdb.ccm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+		} else {
+			memcpy(session->decap_pdb.ccm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+		}
+		session->aead_key.algmode = OP_ALG_AAI_CCM;
+		session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
+		break;
+	default:
+		DPAA_SEC_ERR("Crypto: Undefined AEAD specified %u",
+			      aead_xform->algo);
+		return -1;
+	}
+	return 0;
+}
+
+static int
+dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
+	struct rte_crypto_auth_xform *auth_xform,
+	dpaa_sec_session *session)
+{
+	if (cipher_xform) {
 		session->cipher_key.data = rte_zmalloc(NULL,
 						       cipher_xform->key.length,
 						       RTE_CACHE_LINE_SIZE);
@@ -2558,31 +2625,10 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 			DPAA_SEC_ERR("No Memory for cipher key");
 			return -ENOMEM;
 		}
+
+		session->cipher_key.length = cipher_xform->key.length;
 		memcpy(session->cipher_key.data, cipher_xform->key.data,
 				cipher_xform->key.length);
-		session->cipher_key.length = cipher_xform->key.length;
-
-		switch (cipher_xform->algo) {
-		case RTE_CRYPTO_CIPHER_NULL:
-			session->cipher_key.alg = OP_PCL_IPSEC_NULL;
-			break;
-		case RTE_CRYPTO_CIPHER_AES_CBC:
-			session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
-			session->cipher_key.algmode = OP_ALG_AAI_CBC;
-			break;
-		case RTE_CRYPTO_CIPHER_3DES_CBC:
-			session->cipher_key.alg = OP_PCL_IPSEC_3DES;
-			session->cipher_key.algmode = OP_ALG_AAI_CBC;
-			break;
-		case RTE_CRYPTO_CIPHER_AES_CTR:
-			session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
-			session->cipher_key.algmode = OP_ALG_AAI_CTR;
-			break;
-		default:
-			DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u",
-				cipher_xform->algo);
-			goto out;
-		}
 		session->cipher_alg = cipher_xform->algo;
 	} else {
 		session->cipher_key.data = NULL;
@@ -2590,54 +2636,18 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 		session->cipher_alg = RTE_CRYPTO_CIPHER_NULL;
 	}
 
-	if (auth_xform && auth_xform->algo != RTE_CRYPTO_AUTH_NULL) {
+	if (auth_xform) {
 		session->auth_key.data = rte_zmalloc(NULL,
 						auth_xform->key.length,
 						RTE_CACHE_LINE_SIZE);
 		if (session->auth_key.data == NULL &&
 				auth_xform->key.length > 0) {
 			DPAA_SEC_ERR("No Memory for auth key");
-			rte_free(session->cipher_key.data);
 			return -ENOMEM;
 		}
+		session->auth_key.length = auth_xform->key.length;
 		memcpy(session->auth_key.data, auth_xform->key.data,
 				auth_xform->key.length);
-		session->auth_key.length = auth_xform->key.length;
-
-		switch (auth_xform->algo) {
-		case RTE_CRYPTO_AUTH_NULL:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL;
-			session->digest_length = 0;
-			break;
-		case RTE_CRYPTO_AUTH_MD5_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		case RTE_CRYPTO_AUTH_SHA1_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		case RTE_CRYPTO_AUTH_SHA224_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_160;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		case RTE_CRYPTO_AUTH_SHA256_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		case RTE_CRYPTO_AUTH_SHA384_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		case RTE_CRYPTO_AUTH_SHA512_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		default:
-			DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
-				auth_xform->algo);
-			goto out;
-		}
 		session->auth_alg = auth_xform->algo;
 	} else {
 		session->auth_key.data = NULL;
@@ -2645,12 +2655,142 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 		session->auth_alg = RTE_CRYPTO_AUTH_NULL;
 	}
 
+	switch (session->auth_alg) {
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96;
+		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96;
+		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
+		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
+		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256;
+		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_AES_CMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_AES_CMAC_96;
+		break;
+	case RTE_CRYPTO_AUTH_NULL:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL;
+		break;
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+	case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+	case RTE_CRYPTO_AUTH_SNOW3G_UIA2:
+	case RTE_CRYPTO_AUTH_SHA1:
+	case RTE_CRYPTO_AUTH_SHA256:
+	case RTE_CRYPTO_AUTH_SHA512:
+	case RTE_CRYPTO_AUTH_SHA224:
+	case RTE_CRYPTO_AUTH_SHA384:
+	case RTE_CRYPTO_AUTH_MD5:
+	case RTE_CRYPTO_AUTH_AES_GMAC:
+	case RTE_CRYPTO_AUTH_KASUMI_F9:
+	case RTE_CRYPTO_AUTH_AES_CBC_MAC:
+	case RTE_CRYPTO_AUTH_ZUC_EIA3:
+		DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
+			      session->auth_alg);
+		return -1;
+	default:
+		DPAA_SEC_ERR("Crypto: Undefined Auth specified %u",
+			      session->auth_alg);
+		return -1;
+	}
+
+	switch (session->cipher_alg) {
+	case RTE_CRYPTO_CIPHER_AES_CBC:
+		session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
+		session->cipher_key.algmode = OP_ALG_AAI_CBC;
+		break;
+	case RTE_CRYPTO_CIPHER_3DES_CBC:
+		session->cipher_key.alg = OP_PCL_IPSEC_3DES;
+		session->cipher_key.algmode = OP_ALG_AAI_CBC;
+		break;
+	case RTE_CRYPTO_CIPHER_AES_CTR:
+		session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
+		session->cipher_key.algmode = OP_ALG_AAI_CTR;
+		break;
+	case RTE_CRYPTO_CIPHER_NULL:
+		session->cipher_key.alg = OP_PCL_IPSEC_NULL;
+		break;
+	case RTE_CRYPTO_CIPHER_SNOW3G_UEA2:
+	case RTE_CRYPTO_CIPHER_ZUC_EEA3:
+	case RTE_CRYPTO_CIPHER_3DES_ECB:
+	case RTE_CRYPTO_CIPHER_AES_ECB:
+	case RTE_CRYPTO_CIPHER_KASUMI_F8:
+		DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u",
+			      session->cipher_alg);
+		return -1;
+	default:
+		DPAA_SEC_ERR("Crypto: Undefined Cipher specified %u",
+			      session->cipher_alg);
+		return -1;
+	}
+
+	return 0;
+}
+
+static int
+dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
+			   struct rte_security_session_conf *conf,
+			   void *sess)
+{
+	struct dpaa_sec_dev_private *internals = dev->data->dev_private;
+	struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
+	struct rte_crypto_auth_xform *auth_xform = NULL;
+	struct rte_crypto_cipher_xform *cipher_xform = NULL;
+	struct rte_crypto_aead_xform *aead_xform = NULL;
+	dpaa_sec_session *session = (dpaa_sec_session *)sess;
+	uint32_t i;
+	int ret;
+
+	PMD_INIT_FUNC_TRACE();
+
+	memset(session, 0, sizeof(dpaa_sec_session));
+	session->proto_alg = conf->protocol;
+	session->ctxt = DPAA_SEC_IPSEC;
+
+	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
+		session->dir = DIR_ENC;
+	else
+		session->dir = DIR_DEC;
+
+	if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
+		cipher_xform = &conf->crypto_xform->cipher;
+		if (conf->crypto_xform->next)
+			auth_xform = &conf->crypto_xform->next->auth;
+		ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
+					session);
+	} else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+		auth_xform = &conf->crypto_xform->auth;
+		if (conf->crypto_xform->next)
+			cipher_xform = &conf->crypto_xform->next->cipher;
+		ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
+					session);
+	} else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		aead_xform = &conf->crypto_xform->aead;
+		ret = dpaa_sec_ipsec_aead_init(aead_xform,
+					ipsec_xform, session);
+	} else {
+		DPAA_SEC_ERR("XFORM not specified");
+		ret = -EINVAL;
+		goto out;
+	}
+	if (ret) {
+		DPAA_SEC_ERR("Failed to process xform");
+		goto out;
+	}
+
 	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
 		if (ipsec_xform->tunnel.type ==
 				RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
-			memset(&session->encap_pdb, 0,
-				sizeof(struct ipsec_encap_pdb) +
-				sizeof(session->ip4_hdr));
 			session->ip4_hdr.ip_v = IPVERSION;
 			session->ip4_hdr.ip_hl = 5;
 			session->ip4_hdr.ip_len = rte_cpu_to_be_16(
@@ -2673,9 +2813,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 			session->encap_pdb.ip_hdr_len = sizeof(struct ip);
 		} else if (ipsec_xform->tunnel.type ==
 				RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
-			memset(&session->encap_pdb, 0,
-				sizeof(struct ipsec_encap_pdb) +
-				sizeof(session->ip6_hdr));
 			session->ip6_hdr.vtc_flow = rte_cpu_to_be_32(
 				DPAA_IPv6_DEFAULT_VTC_FLOW |
 				((ipsec_xform->tunnel.ipv6.dscp <<
@@ -2707,10 +2844,9 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 		if (ipsec_xform->options.esn)
 			session->encap_pdb.options |= PDBOPTS_ESP_ESN;
 		session->encap_pdb.spi = ipsec_xform->spi;
-		session->dir = DIR_ENC;
+
 	} else if (ipsec_xform->direction ==
 			RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
-		memset(&session->decap_pdb, 0, sizeof(struct ipsec_decap_pdb));
 		if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
 			session->decap_pdb.options = sizeof(struct ip) << 16;
 		else
@@ -2744,7 +2880,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 							PDBOPTS_ESP_ARS128;
 			}
 		}
-		session->dir = DIR_DEC;
 	} else
 		goto out;
 	rte_spinlock_lock(&internals->lock);
-- 
2.17.1

[dpdk-dev] [PATCH v2 08/13] test/cryptodev: enable additional cases for dpaax

[Hemant Agrawal]

This patch enables short buffer and 12 bit IV AES-CTR cases
for dpaax_sec pmds.

Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 app/test/test_cryptodev_aes_test_vectors.h | 24 +++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/app/test/test_cryptodev_aes_test_vectors.h b/app/test/test_cryptodev_aes_test_vectors.h
index 54a8082cf..9afa3aef8 100644
--- a/app/test/test_cryptodev_aes_test_vectors.h
+++ b/app/test/test_cryptodev_aes_test_vectors.h
@@ -1605,6 +1605,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.feature_mask = BLOCKCIPHER_TEST_FEATURE_OOP,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
 			BLOCKCIPHER_TEST_TARGET_PMD_QAT |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX
 	},
 		{
@@ -1716,6 +1718,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.test_data = &aes_test_data_13,
 		.op_mask = BLOCKCIPHER_TEST_OP_ENC_AUTH_GEN,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
 			BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1777,6 +1781,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.test_data = &aes_test_data_13,
 		.op_mask = BLOCKCIPHER_TEST_OP_AUTH_VERIFY_DEC,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
 			BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1806,6 +1812,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.test_data = &aes_test_data_12,
 		.op_mask = BLOCKCIPHER_TEST_OP_ENC_AUTH_GEN,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
 			BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1835,6 +1843,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.test_data = &aes_test_data_12,
 		.op_mask = BLOCKCIPHER_TEST_OP_AUTH_VERIFY_DEC,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
 			BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1954,6 +1964,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.op_mask = BLOCKCIPHER_TEST_OP_ENC_AUTH_GEN,
 		.feature_mask = BLOCKCIPHER_TEST_FEATURE_OOP,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_QAT |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX
 	},
@@ -2400,7 +2412,9 @@ static const struct blockcipher_test_case aes_cipheronly_test_cases[] = {
 		.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
 			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
-			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2
+			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2 |
+				BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+				BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC
 	},
 	{
 		.test_descr = "AES-192-CTR Encryption (12-byte IV)",
@@ -2408,7 +2422,9 @@ static const struct blockcipher_test_case aes_cipheronly_test_cases[] = {
 		.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
 			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
-			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2
+			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2 |
+				BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+				BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC
 	},
 	{
 		.test_descr = "AES-256-CTR Encryption (12-byte IV)",
@@ -2416,7 +2432,9 @@ static const struct blockcipher_test_case aes_cipheronly_test_cases[] = {
 		.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
 			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
-			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2
+			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2 |
+				BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+				BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC
 	},
 	{
 		.test_descr = "AES-128-XTS Encryption (16-byte plaintext)",
-- 
2.17.1

[dpdk-dev] [PATCH v2 09/13] crypto/dpaa2_sec: enable warning with truncated sha256

[Hemant Agrawal]

This patch throw the warning when using truncted digest
len for SHA256 case.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 4 ++++
 drivers/crypto/dpaa_sec/dpaa_sec.c          | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index c6b6444aa..32e6c71a9 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -2660,6 +2660,10 @@ dpaa2_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
 	case RTE_CRYPTO_AUTH_SHA256_HMAC:
 		authdata->algtype = OP_PCL_IPSEC_HMAC_SHA2_256_128;
 		authdata->algmode = OP_ALG_AAI_HMAC;
+		if (session->digest_length != 16)
+			DPAA2_SEC_WARN(
+			"+++Using sha256-hmac truncated len is non-standard,"
+			"it will not work with lookaside proto");
 		break;
 	case RTE_CRYPTO_AUTH_SHA384_HMAC:
 		authdata->algtype = OP_PCL_IPSEC_HMAC_SHA2_384_192;
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 24a5a7239..aec5af1c5 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2667,6 +2667,10 @@ dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
 	case RTE_CRYPTO_AUTH_SHA256_HMAC:
 		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
 		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		if (session->digest_length != 16)
+			DPAA_SEC_WARN(
+			"+++Using sha256-hmac truncated len is non-standard,"
+			"it will not work with lookaside proto");
 		break;
 	case RTE_CRYPTO_AUTH_SHA384_HMAC:
 		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
-- 
2.17.1

[dpdk-dev] [PATCH v2 10/13] crypto/dpaa2_sec: remove unwanted context type check

[Hemant Agrawal]

From: Gagandeep Singh <g.singh@nxp.com>

This patch remove redundant checks.

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 32e6c71a9..4a1887c4c 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1585,18 +1585,13 @@ sec_fd_to_mbuf(const struct qbman_fd *fd)
 
 #ifdef RTE_LIBRTE_SECURITY
 	if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
-		dpaa2_sec_session *sess = (dpaa2_sec_session *)
-			get_sec_session_private_data(op->sym->sec_session);
-		if (sess->ctxt_type == DPAA2_SEC_IPSEC ||
-				sess->ctxt_type == DPAA2_SEC_PDCP) {
-			uint16_t len = DPAA2_GET_FD_LEN(fd);
-			dst->pkt_len = len;
-			while (dst->next != NULL) {
-				len -= dst->data_len;
-				dst = dst->next;
-			}
-			dst->data_len = len;
+		uint16_t len = DPAA2_GET_FD_LEN(fd);
+		dst->pkt_len = len;
+		while (dst->next != NULL) {
+			len -= dst->data_len;
+			dst = dst->next;
 		}
+		dst->data_len = len;
 	}
 #endif
 	DPAA2_SEC_DP_DEBUG("mbuf %p BMAN buf addr %p,"
-- 
2.17.1

[dpdk-dev] [PATCH v2 11/13] crypto/dpaa_sec: use macros in queue attach and detach

[Hemant Agrawal]

From: Gagandeep Singh <g.singh@nxp.com>

Align the cleanup and allocation for the queues.

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
 drivers/crypto/dpaa_sec/dpaa_sec.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index aec5af1c5..f7c5b5183 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2303,7 +2303,7 @@ dpaa_sec_attach_rxq(struct dpaa_sec_dev_private *qi)
 {
 	unsigned int i;
 
-	for (i = 0; i < qi->max_nb_sessions * MAX_DPAA_CORES; i++) {
+	for (i = 0; i < RTE_DPAA_MAX_RX_QUEUE; i++) {
 		if (qi->inq_attach[i] == 0) {
 			qi->inq_attach[i] = 1;
 			return &qi->inq[i];
@@ -2319,9 +2319,10 @@ dpaa_sec_detach_rxq(struct dpaa_sec_dev_private *qi, struct qman_fq *fq)
 {
 	unsigned int i;
 
-	for (i = 0; i < qi->max_nb_sessions; i++) {
+	for (i = 0; i < RTE_DPAA_MAX_RX_QUEUE; i++) {
 		if (&qi->inq[i] == fq) {
-			qman_retire_fq(fq, NULL);
+			if (qman_retire_fq(fq, NULL) != 0)
+				DPAA_SEC_WARN("Queue is not retired\n");
 			qman_oos_fq(fq);
 			qi->inq_attach[i] = 0;
 			return 0;
@@ -3456,7 +3457,7 @@ dpaa_sec_dev_init(struct rte_cryptodev *cryptodev)
 
 	flags = QMAN_FQ_FLAG_LOCKED | QMAN_FQ_FLAG_DYNAMIC_FQID |
 		QMAN_FQ_FLAG_TO_DCPORTAL;
-	for (i = 0; i < MAX_DPAA_CORES * internals->max_nb_sessions; i++) {
+	for (i = 0; i < RTE_DPAA_MAX_RX_QUEUE; i++) {
 		/* create rx qman fq for sessions*/
 		ret = qman_create_fq(0, flags, &internals->inq[i]);
 		if (unlikely(ret != 0)) {
-- 
2.17.1

[dpdk-dev] [PATCH v2 12/13] crypto/dpaa2_sec: use aes-ctr initial counter as 1

[Hemant Agrawal]

From: Vakul Garg <vakul.garg@nxp.com>

As per RFC3686, the initial aes-ctr counter value should be '1' for use
in ipsec. The patches changes SEC descriptor for using correct counter
value. In addition, it drops a redundant parameter for passing IV while
creating the descriptor.

Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
---
 drivers/common/dpaax/caamflib/desc/algo.h   | 21 +++++++++++++--------
 drivers/crypto/caam_jr/caam_jr.c            |  1 -
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c |  8 ++++----
 drivers/crypto/dpaa_sec/dpaa_sec.c          |  1 -
 4 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/drivers/common/dpaax/caamflib/desc/algo.h b/drivers/common/dpaax/caamflib/desc/algo.h
index 83dbb80ce..345bb5b3f 100644
--- a/drivers/common/dpaax/caamflib/desc/algo.h
+++ b/drivers/common/dpaax/caamflib/desc/algo.h
@@ -289,12 +289,12 @@ cnstr_shdsc_snow_f9(uint32_t *descbuf, bool ps, bool swap,
 static inline int
 cnstr_shdsc_blkcipher(uint32_t *descbuf, bool ps, bool swap,
 		      enum rta_share_type share,
-		      struct alginfo *cipherdata, uint8_t *iv,
+		      struct alginfo *cipherdata,
 		      uint32_t ivlen, uint8_t dir)
 {
 	struct program prg;
 	struct program *p = &prg;
-	uint32_t iv_off = 0;
+	uint32_t iv_off = 0, counter;
 	const bool need_dk = (dir == DIR_DEC) &&
 			     (cipherdata->algtype == OP_ALG_ALGSEL_AES) &&
 			     (cipherdata->algmode == OP_ALG_AAI_CBC);
@@ -336,12 +336,17 @@ cnstr_shdsc_blkcipher(uint32_t *descbuf, bool ps, bool swap,
 	if (cipherdata->algmode == OP_ALG_AAI_CTR)
 		iv_off = 16;
 
-	if (iv)
-		/* IV load, convert size */
-		LOAD(p, (uintptr_t)iv, CONTEXT1, iv_off, ivlen, IMMED | COPY);
-	else
-		/* IV is present first before the actual message */
-		SEQLOAD(p, CONTEXT1, iv_off, ivlen, 0);
+	/* IV is present first before the actual message */
+	SEQLOAD(p, CONTEXT1, iv_off, ivlen, 0);
+
+	/* If IV len is less than 16 bytes, set 'counter' as 1 */
+	if (cipherdata->algmode == OP_ALG_AAI_CTR && ivlen < 16) {
+		counter = 1;
+		if (!swap)
+			counter = swab32(1);
+
+		LOAD(p, counter, CONTEXT1, (iv_off + ivlen), 16 - ivlen, IMMED);
+	}
 
 	MATHB(p, SEQINSZ, SUB, MATH2, VSEQINSZ, 4, 0);
 	MATHB(p, SEQINSZ, SUB, MATH2, VSEQOUTSZ, 4, 0);
diff --git a/drivers/crypto/caam_jr/caam_jr.c b/drivers/crypto/caam_jr/caam_jr.c
index d1da9a64c..8aaa3d45f 100644
--- a/drivers/crypto/caam_jr/caam_jr.c
+++ b/drivers/crypto/caam_jr/caam_jr.c
@@ -336,7 +336,6 @@ caam_jr_prep_cdb(struct caam_jr_session *ses)
 		shared_desc_len = cnstr_shdsc_blkcipher(
 						cdb->sh_desc, true,
 						swap, SHR_NEVER, &alginfo_c,
-						NULL,
 						ses->iv.length,
 						ses->dir);
 	} else if (is_auth_only(ses)) {
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 4a1887c4c..7368fc248 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1861,7 +1861,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
 		cipherdata.algmode = OP_ALG_AAI_CBC;
 		session->cipher_alg = RTE_CRYPTO_CIPHER_AES_CBC;
 		bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
-						SHR_NEVER, &cipherdata, NULL,
+						SHR_NEVER, &cipherdata,
 						session->iv.length,
 						session->dir);
 		break;
@@ -1870,7 +1870,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
 		cipherdata.algmode = OP_ALG_AAI_CBC;
 		session->cipher_alg = RTE_CRYPTO_CIPHER_3DES_CBC;
 		bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
-						SHR_NEVER, &cipherdata, NULL,
+						SHR_NEVER, &cipherdata,
 						session->iv.length,
 						session->dir);
 		break;
@@ -1879,7 +1879,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
 		cipherdata.algmode = OP_ALG_AAI_CTR;
 		session->cipher_alg = RTE_CRYPTO_CIPHER_AES_CTR;
 		bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
-						SHR_NEVER, &cipherdata, NULL,
+						SHR_NEVER, &cipherdata,
 						session->iv.length,
 						session->dir);
 		break;
@@ -1888,7 +1888,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
 		cipherdata.algmode = OP_ALG_AAI_CTR;
 		session->cipher_alg = RTE_CRYPTO_CIPHER_3DES_CTR;
 		bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
-						SHR_NEVER, &cipherdata, NULL,
+						SHR_NEVER, &cipherdata,
 						session->iv.length,
 						session->dir);
 		break;
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index f7c5b5183..c52593746 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -478,7 +478,6 @@ dpaa_sec_prep_cdb(dpaa_sec_session *ses)
 			shared_desc_len = cnstr_shdsc_blkcipher(
 					cdb->sh_desc, true,
 					swap, SHR_NEVER, &alginfo_c,
-					NULL,
 					ses->iv.length,
 					ses->dir);
 			break;
-- 
2.17.1

[dpdk-dev] [PATCH v2 13/13] crypto/dpaa_sec: enable ipsec aes-ctr to use nonce

[Hemant Agrawal]

From: Vakul Garg <vakul.garg@nxp.com>

The protocol aware ipsec descriptor has been modified to
use ctr_initial value of 1 and salt configured for ipsec SA.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
---
 drivers/common/dpaax/caamflib/desc/ipsec.h  | 18 ++++++++----------
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c |  8 ++++++++
 drivers/crypto/dpaa_sec/dpaa_sec.c          | 12 ++++++++++--
 3 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/drivers/common/dpaax/caamflib/desc/ipsec.h b/drivers/common/dpaax/caamflib/desc/ipsec.h
index f33c68cc9..cf6fa4252 100644
--- a/drivers/common/dpaax/caamflib/desc/ipsec.h
+++ b/drivers/common/dpaax/caamflib/desc/ipsec.h
@@ -256,14 +256,14 @@ struct ipsec_encap_cbc {
 
 /**
  * struct ipsec_encap_ctr - PDB part for IPsec CTR encapsulation
- * @ctr_nonce: 4-byte array nonce
+ * @ctr_nonce: 4-byte nonce
  * @ctr_initial: initial count constant
  * @iv: initialization vector
  */
 struct ipsec_encap_ctr {
-	uint8_t ctr_nonce[4];
+	uint32_t ctr_nonce;
 	uint32_t ctr_initial;
-	uint64_t iv;
+	uint8_t iv[8];
 };
 
 /**
@@ -346,10 +346,9 @@ __rta_copy_ipsec_encap_pdb(struct program *program,
 		break;
 
 	case OP_PCL_IPSEC_AES_CTR:
-		rta_copy_data(program, pdb->ctr.ctr_nonce,
-			      sizeof(pdb->ctr.ctr_nonce));
+		rta_copy_data(program, (uint8_t *)&pdb->ctr.ctr_nonce, 4);
 		__rta_out32(program, pdb->ctr.ctr_initial);
-		__rta_out64(program, true, pdb->ctr.iv);
+		rta_copy_data(program, pdb->ctr.iv, sizeof(pdb->ctr.iv));
 		break;
 
 	case OP_PCL_IPSEC_AES_CCM8:
@@ -386,11 +385,11 @@ struct ipsec_decap_cbc {
 
 /**
  * struct ipsec_decap_ctr - PDB part for IPsec CTR decapsulation
- * @ctr_nonce: 4-byte array nonce
+ * @ctr_nonce: 4-byte nonce
  * @ctr_initial: initial count constant
  */
 struct ipsec_decap_ctr {
-	uint8_t ctr_nonce[4];
+	uint32_t ctr_nonce;
 	uint32_t ctr_initial;
 };
 
@@ -464,8 +463,7 @@ __rta_copy_ipsec_decap_pdb(struct program *program,
 		break;
 
 	case OP_PCL_IPSEC_AES_CTR:
-		rta_copy_data(program, pdb->ctr.ctr_nonce,
-			      sizeof(pdb->ctr.ctr_nonce));
+		rta_copy_data(program, (uint8_t *)&pdb->ctr.ctr_nonce, 4);
 		__rta_out32(program, pdb->ctr.ctr_initial);
 		break;
 
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 7368fc248..e774b379a 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -2814,6 +2814,10 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
 
 		/* copy algo specific data to PDB */
 		switch (cipherdata.algtype) {
+		case OP_PCL_IPSEC_AES_CTR:
+			encap_pdb.ctr.ctr_initial = 0x00000001;
+			encap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+			break;
 		case OP_PCL_IPSEC_AES_GCM8:
 		case OP_PCL_IPSEC_AES_GCM12:
 		case OP_PCL_IPSEC_AES_GCM16:
@@ -2899,6 +2903,10 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
 		memset(&decap_pdb, 0, sizeof(struct ipsec_decap_pdb));
 		/* copy algo specific data to PDB */
 		switch (cipherdata.algtype) {
+		case OP_PCL_IPSEC_AES_CTR:
+			decap_pdb.ctr.ctr_initial = 0x00000001;
+			decap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+			break;
 		case OP_PCL_IPSEC_AES_GCM8:
 		case OP_PCL_IPSEC_AES_GCM12:
 		case OP_PCL_IPSEC_AES_GCM16:
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index c52593746..59f6097bb 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2614,6 +2614,7 @@ dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
 static int
 dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
 	struct rte_crypto_auth_xform *auth_xform,
+	struct rte_security_ipsec_xform *ipsec_xform,
 	dpaa_sec_session *session)
 {
 	if (cipher_xform) {
@@ -2720,6 +2721,13 @@ dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
 	case RTE_CRYPTO_CIPHER_AES_CTR:
 		session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
 		session->cipher_key.algmode = OP_ALG_AAI_CTR;
+		if (session->dir == DIR_ENC) {
+			session->encap_pdb.ctr.ctr_initial = 0x00000001;
+			session->encap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+		} else {
+			session->decap_pdb.ctr.ctr_initial = 0x00000001;
+			session->decap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+		}
 		break;
 	case RTE_CRYPTO_CIPHER_NULL:
 		session->cipher_key.alg = OP_PCL_IPSEC_NULL;
@@ -2771,13 +2779,13 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 		if (conf->crypto_xform->next)
 			auth_xform = &conf->crypto_xform->next->auth;
 		ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
-					session);
+					ipsec_xform, session);
 	} else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
 		auth_xform = &conf->crypto_xform->auth;
 		if (conf->crypto_xform->next)
 			cipher_xform = &conf->crypto_xform->next->cipher;
 		ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
-					session);
+					ipsec_xform, session);
 	} else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 		aead_xform = &conf->crypto_xform->aead;
 		ret = dpaa_sec_ipsec_aead_init(aead_xform,
-- 
2.17.1

[dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags

[Hemant Agrawal]

set the pdcp capa_flags to 0 by default.

Fixes: a1173d55598c ("crypto/dpaa_sec: support PDCP offload")

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa_sec/dpaa_sec.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h
index c10ec1007..29ffe5631 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.h
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.h
@@ -712,6 +712,7 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = {
 		.protocol = RTE_SECURITY_PROTOCOL_PDCP,
 		.pdcp = {
 			.domain = RTE_SECURITY_PDCP_MODE_DATA,
+			.capa_flags = 0
 		},
 		.crypto_capabilities = dpaa_pdcp_capabilities
 	},
@@ -720,6 +721,7 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = {
 		.protocol = RTE_SECURITY_PROTOCOL_PDCP,
 		.pdcp = {
 			.domain = RTE_SECURITY_PDCP_MODE_CONTROL,
+			.capa_flags = 0
 		},
 		.crypto_capabilities = dpaa_pdcp_capabilities
 	},
-- 
2.17.1

[dpdk-dev] [PATCH v3 02/13] crypto/dpaa2_sec: add check for the session validity

[Hemant Agrawal]

Check if the session is not null during processing.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index b04890a48..7d51112c5 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1365,6 +1365,9 @@ build_sec_fd(struct rte_crypto_op *op,
 	else
 		return -1;
 
+	if (!sess)
+		return -1;
+
 	/* Any of the buffer is segmented*/
 	if (!rte_pktmbuf_is_contiguous(op->sym->m_src) ||
 		  ((op->sym->m_dst != NULL) &&
-- 
2.17.1

[dpdk-dev] [PATCH v3 03/13] crypto/dpaa_sec: add check for the session validity

[Hemant Agrawal]

Check if the session is not null during processing.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa_sec/dpaa_sec.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 6c186338f..343a565a2 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -1773,6 +1773,14 @@ dpaa_sec_enqueue_burst(void *qp, struct rte_crypto_op **ops,
 				nb_ops = loop;
 				goto send_pkts;
 			}
+
+			if (!ses) {
+				DPAA_SEC_DP_ERR("session not available");
+				frames_to_send = loop;
+				nb_ops = loop;
+				goto send_pkts;
+			}
+
 			if (unlikely(!ses->qp[rte_lcore_id() % MAX_DPAA_CORES])) {
 				if (dpaa_sec_attach_sess_q(qp, ses)) {
 					frames_to_send = loop;
-- 
2.17.1

[dpdk-dev] [PATCH v3 04/13] crypto/dpaa2_sec: adding NULL cipher or NULL auth

[Hemant Agrawal]

These are supported when using protocol offload mode or in chain mode.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 22 +++++++----
 drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h   | 41 +++++++++++++++++++++
 2 files changed, 56 insertions(+), 7 deletions(-)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 7d51112c5..dd80e6dc5 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: BSD-3-Clause
  *
  *   Copyright (c) 2016 Freescale Semiconductor, Inc. All rights reserved.
- *   Copyright 2016-2018 NXP
+ *   Copyright 2016-2019 NXP
  *
  */
 
@@ -1834,6 +1834,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
 
 	flc = &priv->flc_desc[0].flc;
 
+	session->ctxt_type = DPAA2_SEC_CIPHER;
 	session->cipher_key.data = rte_zmalloc(NULL, xform->cipher.key.length,
 			RTE_CACHE_LINE_SIZE);
 	if (session->cipher_key.data == NULL) {
@@ -1970,6 +1971,7 @@ dpaa2_sec_auth_init(struct rte_cryptodev *dev,
 	priv->fle_pool = dev_priv->fle_pool;
 	flc = &priv->flc_desc[DESC_INITFINAL].flc;
 
+	session->ctxt_type = DPAA2_SEC_AUTH;
 	session->auth_key.data = rte_zmalloc(NULL, xform->auth.key.length,
 			RTE_CACHE_LINE_SIZE);
 	if (session->auth_key.data == NULL) {
@@ -2478,27 +2480,33 @@ dpaa2_sec_set_session_parameters(struct rte_cryptodev *dev,
 
 	/* Cipher Only */
 	if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform->next == NULL) {
-		session->ctxt_type = DPAA2_SEC_CIPHER;
 		ret = dpaa2_sec_cipher_init(dev, xform, session);
 
 	/* Authentication Only */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
 		   xform->next == NULL) {
-		session->ctxt_type = DPAA2_SEC_AUTH;
 		ret = dpaa2_sec_auth_init(dev, xform, session);
 
 	/* Cipher then Authenticate */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
 		   xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
 		session->ext_params.aead_ctxt.auth_cipher_text = true;
-		ret = dpaa2_sec_aead_chain_init(dev, xform, session);
-
+		if (xform->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+			ret = dpaa2_sec_auth_init(dev, xform, session);
+		else if (xform->next->auth.algo == RTE_CRYPTO_AUTH_NULL)
+			ret = dpaa2_sec_cipher_init(dev, xform, session);
+		else
+			ret = dpaa2_sec_aead_chain_init(dev, xform, session);
 	/* Authenticate then Cipher */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
 		   xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
 		session->ext_params.aead_ctxt.auth_cipher_text = false;
-		ret = dpaa2_sec_aead_chain_init(dev, xform, session);
-
+		if (xform->auth.algo == RTE_CRYPTO_AUTH_NULL)
+			ret = dpaa2_sec_cipher_init(dev, xform, session);
+		else if (xform->next->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+			ret = dpaa2_sec_auth_init(dev, xform, session);
+		else
+			ret = dpaa2_sec_aead_chain_init(dev, xform, session);
 	/* AEAD operation for AES-GCM kind of Algorithms */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD &&
 		   xform->next == NULL) {
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
index 662559422..c10fbf8dd 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
@@ -200,6 +200,27 @@ typedef struct dpaa2_sec_session_entry {
 } dpaa2_sec_session;
 
 static const struct rte_cryptodev_capabilities dpaa2_sec_capabilities[] = {
+	{	/* NULL (AUTH) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_NULL,
+				.block_size = 1,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.iv_size = { 0 }
+			}, },
+		}, },
+	},
 	{	/* MD5 HMAC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
@@ -356,6 +377,26 @@ static const struct rte_cryptodev_capabilities dpaa2_sec_capabilities[] = {
 			}, }
 		}, }
 	},
+	{	/* NULL (CIPHER) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_NULL,
+				.block_size = 1,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.iv_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				}
+			}, },
+		}, }
+	},
 	{	/* AES CBC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
-- 
2.17.1

[dpdk-dev] [PATCH v3 05/13] crypto/dpaa_sec: adding NULL cipher or NULL auth

[Hemant Agrawal]

These are supported when using protocol offload mode or when
in chain mode.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa_sec/dpaa_sec.c | 33 ++++++++++++++++++------
 drivers/crypto/dpaa_sec/dpaa_sec.h | 41 ++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 8 deletions(-)

diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 343a565a2..0ef17ee00 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2037,6 +2037,7 @@ dpaa_sec_cipher_init(struct rte_cryptodev *dev __rte_unused,
 		     struct rte_crypto_sym_xform *xform,
 		     dpaa_sec_session *session)
 {
+	session->ctxt = DPAA_SEC_CIPHER;
 	session->cipher_alg = xform->cipher.algo;
 	session->iv.length = xform->cipher.iv.length;
 	session->iv.offset = xform->cipher.iv.offset;
@@ -2086,6 +2087,7 @@ dpaa_sec_auth_init(struct rte_cryptodev *dev __rte_unused,
 		   struct rte_crypto_sym_xform *xform,
 		   dpaa_sec_session *session)
 {
+	session->ctxt = DPAA_SEC_AUTH;
 	session->auth_alg = xform->auth.algo;
 	session->auth_key.data = rte_zmalloc(NULL, xform->auth.key.length,
 					     RTE_CACHE_LINE_SIZE);
@@ -2158,6 +2160,7 @@ dpaa_sec_chain_init(struct rte_cryptodev *dev __rte_unused,
 	struct rte_crypto_cipher_xform *cipher_xform;
 	struct rte_crypto_auth_xform *auth_xform;
 
+	session->ctxt = DPAA_SEC_CIPHER_HASH;
 	if (session->auth_cipher_text) {
 		cipher_xform = &xform->cipher;
 		auth_xform = &xform->next->auth;
@@ -2359,6 +2362,7 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
 	struct dpaa_sec_dev_private *internals = dev->data->dev_private;
 	dpaa_sec_session *session = sess;
 	uint32_t i;
+	int ret;
 
 	PMD_INIT_FUNC_TRACE();
 
@@ -2374,23 +2378,26 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
 	/* Cipher Only */
 	if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform->next == NULL) {
 		session->auth_alg = RTE_CRYPTO_AUTH_NULL;
-		session->ctxt = DPAA_SEC_CIPHER;
-		dpaa_sec_cipher_init(dev, xform, session);
+		ret = dpaa_sec_cipher_init(dev, xform, session);
 
 	/* Authentication Only */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
 		   xform->next == NULL) {
 		session->cipher_alg = RTE_CRYPTO_CIPHER_NULL;
 		session->ctxt = DPAA_SEC_AUTH;
-		dpaa_sec_auth_init(dev, xform, session);
+		ret = dpaa_sec_auth_init(dev, xform, session);
 
 	/* Cipher then Authenticate */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
 		   xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
 		if (xform->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
-			session->ctxt = DPAA_SEC_CIPHER_HASH;
 			session->auth_cipher_text = 1;
-			dpaa_sec_chain_init(dev, xform, session);
+			if (xform->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+				ret = dpaa_sec_auth_init(dev, xform, session);
+			else if (xform->next->auth.algo == RTE_CRYPTO_AUTH_NULL)
+				ret = dpaa_sec_cipher_init(dev, xform, session);
+			else
+				ret = dpaa_sec_chain_init(dev, xform, session);
 		} else {
 			DPAA_SEC_ERR("Not supported: Auth then Cipher");
 			return -EINVAL;
@@ -2399,9 +2406,14 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
 		   xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
 		if (xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_DECRYPT) {
-			session->ctxt = DPAA_SEC_CIPHER_HASH;
 			session->auth_cipher_text = 0;
-			dpaa_sec_chain_init(dev, xform, session);
+			if (xform->auth.algo == RTE_CRYPTO_AUTH_NULL)
+				ret = dpaa_sec_cipher_init(dev, xform, session);
+			else if (xform->next->cipher.algo
+					== RTE_CRYPTO_CIPHER_NULL)
+				ret = dpaa_sec_auth_init(dev, xform, session);
+			else
+				ret = dpaa_sec_chain_init(dev, xform, session);
 		} else {
 			DPAA_SEC_ERR("Not supported: Auth then Cipher");
 			return -EINVAL;
@@ -2410,12 +2422,17 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
 	/* AEAD operation for AES-GCM kind of Algorithms */
 	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD &&
 		   xform->next == NULL) {
-		dpaa_sec_aead_init(dev, xform, session);
+		ret = dpaa_sec_aead_init(dev, xform, session);
 
 	} else {
 		DPAA_SEC_ERR("Invalid crypto type");
 		return -EINVAL;
 	}
+	if (ret) {
+		DPAA_SEC_ERR("unable to init session");
+		goto err1;
+	}
+
 	rte_spinlock_lock(&internals->lock);
 	for (i = 0; i < MAX_DPAA_CORES; i++) {
 		session->inq[i] = dpaa_sec_attach_rxq(internals);
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h
index 29ffe5631..039cce8e9 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.h
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.h
@@ -218,6 +218,27 @@ struct dpaa_sec_op_ctx {
 };
 
 static const struct rte_cryptodev_capabilities dpaa_sec_capabilities[] = {
+	{	/* NULL (AUTH) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_NULL,
+				.block_size = 1,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.iv_size = { 0 }
+			}, },
+		}, },
+	},
 	{	/* MD5 HMAC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
@@ -374,6 +395,26 @@ static const struct rte_cryptodev_capabilities dpaa_sec_capabilities[] = {
 			}, }
 		}, }
 	},
+	{	/* NULL (CIPHER) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_NULL,
+				.block_size = 1,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.iv_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				}
+			}, },
+		}, }
+	},
 	{	/* AES CBC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
-- 
2.17.1

[dpdk-dev] [PATCH v3 06/13] crypto/dpaa2_sec: add AES-GCM support for lookaside case

[Hemant Agrawal]

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 60 +++++++++++++++++++--
 1 file changed, 56 insertions(+), 4 deletions(-)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index dd80e6dc5..173ec8095 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -2547,12 +2547,40 @@ dpaa2_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
 
 	switch (aead_xform->algo) {
 	case RTE_CRYPTO_AEAD_AES_GCM:
-		aeaddata->algtype = OP_ALG_ALGSEL_AES;
+		switch (session->digest_length) {
+		case 8:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_GCM8;
+			break;
+		case 12:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_GCM12;
+			break;
+		case 16:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_GCM16;
+			break;
+		default:
+			DPAA2_SEC_ERR("Crypto: Undefined GCM digest %d",
+				      session->digest_length);
+			return -1;
+		}
 		aeaddata->algmode = OP_ALG_AAI_GCM;
 		session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM;
 		break;
 	case RTE_CRYPTO_AEAD_AES_CCM:
-		aeaddata->algtype = OP_ALG_ALGSEL_AES;
+		switch (session->digest_length) {
+		case 8:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_CCM8;
+			break;
+		case 12:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_CCM12;
+			break;
+		case 16:
+			aeaddata->algtype = OP_PCL_IPSEC_AES_CCM16;
+			break;
+		default:
+			DPAA2_SEC_ERR("Crypto: Undefined CCM digest %d",
+				      session->digest_length);
+			return -1;
+		}
 		aeaddata->algmode = OP_ALG_AAI_CCM;
 		session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
 		break;
@@ -2720,8 +2748,6 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
 	struct rte_crypto_aead_xform *aead_xform = NULL;
 	dpaa2_sec_session *session = (dpaa2_sec_session *)sess;
 	struct ctxt_priv *priv;
-	struct ipsec_encap_pdb encap_pdb;
-	struct ipsec_decap_pdb decap_pdb;
 	struct alginfo authdata, cipherdata;
 	int bufsize;
 	struct sec_flow_context *flc;
@@ -2761,6 +2787,8 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
 		aead_xform = &conf->crypto_xform->aead;
 		ret = dpaa2_sec_ipsec_aead_init(aead_xform,
 					session, &cipherdata);
+		authdata.keylen = 0;
+		authdata.algtype = 0;
 	} else {
 		DPAA2_SEC_ERR("XFORM not specified");
 		ret = -EINVAL;
@@ -2776,10 +2804,22 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
 		uint8_t *hdr = NULL;
 		struct ip ip4_hdr;
 		struct rte_ipv6_hdr ip6_hdr;
+		struct ipsec_encap_pdb encap_pdb;
 
 		flc->dhr = SEC_FLC_DHR_OUTBOUND;
 		/* For Sec Proto only one descriptor is required. */
 		memset(&encap_pdb, 0, sizeof(struct ipsec_encap_pdb));
+
+		/* copy algo specific data to PDB */
+		switch (cipherdata.algtype) {
+		case OP_PCL_IPSEC_AES_GCM8:
+		case OP_PCL_IPSEC_AES_GCM12:
+		case OP_PCL_IPSEC_AES_GCM16:
+			memcpy(encap_pdb.gcm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+			break;
+		}
+
 		encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) |
 			PDBOPTS_ESP_OIHI_PDB_INL |
 			PDBOPTS_ESP_IVSRC |
@@ -2836,8 +2876,20 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
 				hdr, &cipherdata, &authdata);
 	} else if (ipsec_xform->direction ==
 			RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		struct ipsec_decap_pdb decap_pdb;
+
 		flc->dhr = SEC_FLC_DHR_INBOUND;
 		memset(&decap_pdb, 0, sizeof(struct ipsec_decap_pdb));
+		/* copy algo specific data to PDB */
+		switch (cipherdata.algtype) {
+		case OP_PCL_IPSEC_AES_GCM8:
+		case OP_PCL_IPSEC_AES_GCM12:
+		case OP_PCL_IPSEC_AES_GCM16:
+			memcpy(decap_pdb.gcm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+			break;
+		}
+
 		decap_pdb.options = (ipsec_xform->tunnel.type ==
 				RTE_SECURITY_IPSEC_TUNNEL_IPV4) ?
 				sizeof(struct ip) << 16 :
-- 
2.17.1

[dpdk-dev] [PATCH v3 07/13] crypto/dpaa_sec: add AES-GCM support for lookaside case

[Hemant Agrawal]

This patch add support for AES-128-GCM, when used in
proto lookaside mode.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa_sec/dpaa_sec.c | 309 ++++++++++++++++++++---------
 1 file changed, 211 insertions(+), 98 deletions(-)

diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 0ef17ee00..27a31d065 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -382,12 +382,14 @@ dpaa_sec_prep_ipsec_cdb(dpaa_sec_session *ses)
 	cipherdata.algtype = ses->cipher_key.alg;
 	cipherdata.algmode = ses->cipher_key.algmode;
 
-	authdata.key = (size_t)ses->auth_key.data;
-	authdata.keylen = ses->auth_key.length;
-	authdata.key_enc_flags = 0;
-	authdata.key_type = RTA_DATA_IMM;
-	authdata.algtype = ses->auth_key.alg;
-	authdata.algmode = ses->auth_key.algmode;
+	if (ses->auth_key.length) {
+		authdata.key = (size_t)ses->auth_key.data;
+		authdata.keylen = ses->auth_key.length;
+		authdata.key_enc_flags = 0;
+		authdata.key_type = RTA_DATA_IMM;
+		authdata.algtype = ses->auth_key.alg;
+		authdata.algmode = ses->auth_key.algmode;
+	}
 
 	cdb->sh_desc[0] = cipherdata.keylen;
 	cdb->sh_desc[1] = authdata.keylen;
@@ -2523,33 +2525,76 @@ dpaa_sec_sym_session_clear(struct rte_cryptodev *dev,
 
 #ifdef RTE_LIBRTE_SECURITY
 static int
-dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
-			   struct rte_security_session_conf *conf,
-			   void *sess)
+dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
+			struct rte_security_ipsec_xform *ipsec_xform,
+			dpaa_sec_session *session)
 {
-	struct dpaa_sec_dev_private *internals = dev->data->dev_private;
-	struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
-	struct rte_crypto_auth_xform *auth_xform = NULL;
-	struct rte_crypto_cipher_xform *cipher_xform = NULL;
-	dpaa_sec_session *session = (dpaa_sec_session *)sess;
-	uint32_t i;
-
 	PMD_INIT_FUNC_TRACE();
 
-	memset(session, 0, sizeof(dpaa_sec_session));
-	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
-		cipher_xform = &conf->crypto_xform->cipher;
-		if (conf->crypto_xform->next)
-			auth_xform = &conf->crypto_xform->next->auth;
-	} else {
-		auth_xform = &conf->crypto_xform->auth;
-		if (conf->crypto_xform->next)
-			cipher_xform = &conf->crypto_xform->next->cipher;
+	session->aead_key.data = rte_zmalloc(NULL, aead_xform->key.length,
+					       RTE_CACHE_LINE_SIZE);
+	if (session->aead_key.data == NULL && aead_xform->key.length > 0) {
+		DPAA_SEC_ERR("No Memory for aead key");
+		return -1;
 	}
-	session->proto_alg = conf->protocol;
-	session->ctxt = DPAA_SEC_IPSEC;
+	memcpy(session->aead_key.data, aead_xform->key.data,
+	       aead_xform->key.length);
+
+	session->digest_length = aead_xform->digest_length;
+	session->aead_key.length = aead_xform->key.length;
+
+	switch (aead_xform->algo) {
+	case RTE_CRYPTO_AEAD_AES_GCM:
+		switch (session->digest_length) {
+		case 8:
+			session->aead_key.alg = OP_PCL_IPSEC_AES_GCM8;
+			break;
+		case 12:
+			session->aead_key.alg = OP_PCL_IPSEC_AES_GCM12;
+			break;
+		case 16:
+			session->aead_key.alg = OP_PCL_IPSEC_AES_GCM16;
+			break;
+		default:
+			DPAA_SEC_ERR("Crypto: Undefined GCM digest %d",
+				     session->digest_length);
+			return -1;
+		}
+		if (session->dir == DIR_ENC) {
+			memcpy(session->encap_pdb.gcm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+		} else {
+			memcpy(session->decap_pdb.gcm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+		}
+		session->aead_key.algmode = OP_ALG_AAI_GCM;
+		session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM;
+		break;
+		if (session->dir == DIR_ENC) {
+			/* todo CCM salt length is 3 bytes, left shift 8 bits */
+			memcpy(session->encap_pdb.ccm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+		} else {
+			memcpy(session->decap_pdb.ccm.salt,
+				(uint8_t *)&(ipsec_xform->salt), 4);
+		}
+		session->aead_key.algmode = OP_ALG_AAI_CCM;
+		session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
+		break;
+	default:
+		DPAA_SEC_ERR("Crypto: Undefined AEAD specified %u",
+			      aead_xform->algo);
+		return -1;
+	}
+	return 0;
+}
 
-	if (cipher_xform && cipher_xform->algo != RTE_CRYPTO_CIPHER_NULL) {
+static int
+dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
+	struct rte_crypto_auth_xform *auth_xform,
+	dpaa_sec_session *session)
+{
+	if (cipher_xform) {
 		session->cipher_key.data = rte_zmalloc(NULL,
 						       cipher_xform->key.length,
 						       RTE_CACHE_LINE_SIZE);
@@ -2558,31 +2603,10 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 			DPAA_SEC_ERR("No Memory for cipher key");
 			return -ENOMEM;
 		}
+
+		session->cipher_key.length = cipher_xform->key.length;
 		memcpy(session->cipher_key.data, cipher_xform->key.data,
 				cipher_xform->key.length);
-		session->cipher_key.length = cipher_xform->key.length;
-
-		switch (cipher_xform->algo) {
-		case RTE_CRYPTO_CIPHER_NULL:
-			session->cipher_key.alg = OP_PCL_IPSEC_NULL;
-			break;
-		case RTE_CRYPTO_CIPHER_AES_CBC:
-			session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
-			session->cipher_key.algmode = OP_ALG_AAI_CBC;
-			break;
-		case RTE_CRYPTO_CIPHER_3DES_CBC:
-			session->cipher_key.alg = OP_PCL_IPSEC_3DES;
-			session->cipher_key.algmode = OP_ALG_AAI_CBC;
-			break;
-		case RTE_CRYPTO_CIPHER_AES_CTR:
-			session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
-			session->cipher_key.algmode = OP_ALG_AAI_CTR;
-			break;
-		default:
-			DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u",
-				cipher_xform->algo);
-			goto out;
-		}
 		session->cipher_alg = cipher_xform->algo;
 	} else {
 		session->cipher_key.data = NULL;
@@ -2590,54 +2614,18 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 		session->cipher_alg = RTE_CRYPTO_CIPHER_NULL;
 	}
 
-	if (auth_xform && auth_xform->algo != RTE_CRYPTO_AUTH_NULL) {
+	if (auth_xform) {
 		session->auth_key.data = rte_zmalloc(NULL,
 						auth_xform->key.length,
 						RTE_CACHE_LINE_SIZE);
 		if (session->auth_key.data == NULL &&
 				auth_xform->key.length > 0) {
 			DPAA_SEC_ERR("No Memory for auth key");
-			rte_free(session->cipher_key.data);
 			return -ENOMEM;
 		}
+		session->auth_key.length = auth_xform->key.length;
 		memcpy(session->auth_key.data, auth_xform->key.data,
 				auth_xform->key.length);
-		session->auth_key.length = auth_xform->key.length;
-
-		switch (auth_xform->algo) {
-		case RTE_CRYPTO_AUTH_NULL:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL;
-			session->digest_length = 0;
-			break;
-		case RTE_CRYPTO_AUTH_MD5_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		case RTE_CRYPTO_AUTH_SHA1_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		case RTE_CRYPTO_AUTH_SHA224_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_160;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		case RTE_CRYPTO_AUTH_SHA256_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		case RTE_CRYPTO_AUTH_SHA384_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		case RTE_CRYPTO_AUTH_SHA512_HMAC:
-			session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256;
-			session->auth_key.algmode = OP_ALG_AAI_HMAC;
-			break;
-		default:
-			DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
-				auth_xform->algo);
-			goto out;
-		}
 		session->auth_alg = auth_xform->algo;
 	} else {
 		session->auth_key.data = NULL;
@@ -2645,12 +2633,142 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 		session->auth_alg = RTE_CRYPTO_AUTH_NULL;
 	}
 
+	switch (session->auth_alg) {
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96;
+		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96;
+		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
+		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
+		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256;
+		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_AES_CMAC:
+		session->auth_key.alg = OP_PCL_IPSEC_AES_CMAC_96;
+		break;
+	case RTE_CRYPTO_AUTH_NULL:
+		session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL;
+		break;
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+	case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+	case RTE_CRYPTO_AUTH_SNOW3G_UIA2:
+	case RTE_CRYPTO_AUTH_SHA1:
+	case RTE_CRYPTO_AUTH_SHA256:
+	case RTE_CRYPTO_AUTH_SHA512:
+	case RTE_CRYPTO_AUTH_SHA224:
+	case RTE_CRYPTO_AUTH_SHA384:
+	case RTE_CRYPTO_AUTH_MD5:
+	case RTE_CRYPTO_AUTH_AES_GMAC:
+	case RTE_CRYPTO_AUTH_KASUMI_F9:
+	case RTE_CRYPTO_AUTH_AES_CBC_MAC:
+	case RTE_CRYPTO_AUTH_ZUC_EIA3:
+		DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
+			      session->auth_alg);
+		return -1;
+	default:
+		DPAA_SEC_ERR("Crypto: Undefined Auth specified %u",
+			      session->auth_alg);
+		return -1;
+	}
+
+	switch (session->cipher_alg) {
+	case RTE_CRYPTO_CIPHER_AES_CBC:
+		session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
+		session->cipher_key.algmode = OP_ALG_AAI_CBC;
+		break;
+	case RTE_CRYPTO_CIPHER_3DES_CBC:
+		session->cipher_key.alg = OP_PCL_IPSEC_3DES;
+		session->cipher_key.algmode = OP_ALG_AAI_CBC;
+		break;
+	case RTE_CRYPTO_CIPHER_AES_CTR:
+		session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
+		session->cipher_key.algmode = OP_ALG_AAI_CTR;
+		break;
+	case RTE_CRYPTO_CIPHER_NULL:
+		session->cipher_key.alg = OP_PCL_IPSEC_NULL;
+		break;
+	case RTE_CRYPTO_CIPHER_SNOW3G_UEA2:
+	case RTE_CRYPTO_CIPHER_ZUC_EEA3:
+	case RTE_CRYPTO_CIPHER_3DES_ECB:
+	case RTE_CRYPTO_CIPHER_AES_ECB:
+	case RTE_CRYPTO_CIPHER_KASUMI_F8:
+		DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u",
+			      session->cipher_alg);
+		return -1;
+	default:
+		DPAA_SEC_ERR("Crypto: Undefined Cipher specified %u",
+			      session->cipher_alg);
+		return -1;
+	}
+
+	return 0;
+}
+
+static int
+dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
+			   struct rte_security_session_conf *conf,
+			   void *sess)
+{
+	struct dpaa_sec_dev_private *internals = dev->data->dev_private;
+	struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
+	struct rte_crypto_auth_xform *auth_xform = NULL;
+	struct rte_crypto_cipher_xform *cipher_xform = NULL;
+	struct rte_crypto_aead_xform *aead_xform = NULL;
+	dpaa_sec_session *session = (dpaa_sec_session *)sess;
+	uint32_t i;
+	int ret;
+
+	PMD_INIT_FUNC_TRACE();
+
+	memset(session, 0, sizeof(dpaa_sec_session));
+	session->proto_alg = conf->protocol;
+	session->ctxt = DPAA_SEC_IPSEC;
+
+	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
+		session->dir = DIR_ENC;
+	else
+		session->dir = DIR_DEC;
+
+	if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
+		cipher_xform = &conf->crypto_xform->cipher;
+		if (conf->crypto_xform->next)
+			auth_xform = &conf->crypto_xform->next->auth;
+		ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
+					session);
+	} else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+		auth_xform = &conf->crypto_xform->auth;
+		if (conf->crypto_xform->next)
+			cipher_xform = &conf->crypto_xform->next->cipher;
+		ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
+					session);
+	} else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		aead_xform = &conf->crypto_xform->aead;
+		ret = dpaa_sec_ipsec_aead_init(aead_xform,
+					ipsec_xform, session);
+	} else {
+		DPAA_SEC_ERR("XFORM not specified");
+		ret = -EINVAL;
+		goto out;
+	}
+	if (ret) {
+		DPAA_SEC_ERR("Failed to process xform");
+		goto out;
+	}
+
 	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
 		if (ipsec_xform->tunnel.type ==
 				RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
-			memset(&session->encap_pdb, 0,
-				sizeof(struct ipsec_encap_pdb) +
-				sizeof(session->ip4_hdr));
 			session->ip4_hdr.ip_v = IPVERSION;
 			session->ip4_hdr.ip_hl = 5;
 			session->ip4_hdr.ip_len = rte_cpu_to_be_16(
@@ -2673,9 +2791,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 			session->encap_pdb.ip_hdr_len = sizeof(struct ip);
 		} else if (ipsec_xform->tunnel.type ==
 				RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
-			memset(&session->encap_pdb, 0,
-				sizeof(struct ipsec_encap_pdb) +
-				sizeof(session->ip6_hdr));
 			session->ip6_hdr.vtc_flow = rte_cpu_to_be_32(
 				DPAA_IPv6_DEFAULT_VTC_FLOW |
 				((ipsec_xform->tunnel.ipv6.dscp <<
@@ -2707,10 +2822,9 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 		if (ipsec_xform->options.esn)
 			session->encap_pdb.options |= PDBOPTS_ESP_ESN;
 		session->encap_pdb.spi = ipsec_xform->spi;
-		session->dir = DIR_ENC;
+
 	} else if (ipsec_xform->direction ==
 			RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
-		memset(&session->decap_pdb, 0, sizeof(struct ipsec_decap_pdb));
 		if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
 			session->decap_pdb.options = sizeof(struct ip) << 16;
 		else
@@ -2718,7 +2832,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 					sizeof(struct rte_ipv6_hdr) << 16;
 		if (ipsec_xform->options.esn)
 			session->decap_pdb.options |= PDBOPTS_ESP_ESN;
-		session->dir = DIR_DEC;
 	} else
 		goto out;
 	rte_spinlock_lock(&internals->lock);
-- 
2.17.1

[dpdk-dev] [PATCH v3 08/13] test/cryptodev: enable additional cases for dpaax

[Hemant Agrawal]

This patch enables short buffer and 12 bit IV AES-CTR cases
for dpaax_sec pmds.

Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 app/test/test_cryptodev_aes_test_vectors.h | 24 +++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/app/test/test_cryptodev_aes_test_vectors.h b/app/test/test_cryptodev_aes_test_vectors.h
index 54a8082cf..9afa3aef8 100644
--- a/app/test/test_cryptodev_aes_test_vectors.h
+++ b/app/test/test_cryptodev_aes_test_vectors.h
@@ -1605,6 +1605,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.feature_mask = BLOCKCIPHER_TEST_FEATURE_OOP,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
 			BLOCKCIPHER_TEST_TARGET_PMD_QAT |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX
 	},
 		{
@@ -1716,6 +1718,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.test_data = &aes_test_data_13,
 		.op_mask = BLOCKCIPHER_TEST_OP_ENC_AUTH_GEN,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
 			BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1777,6 +1781,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.test_data = &aes_test_data_13,
 		.op_mask = BLOCKCIPHER_TEST_OP_AUTH_VERIFY_DEC,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
 			BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1806,6 +1812,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.test_data = &aes_test_data_12,
 		.op_mask = BLOCKCIPHER_TEST_OP_ENC_AUTH_GEN,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
 			BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1835,6 +1843,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.test_data = &aes_test_data_12,
 		.op_mask = BLOCKCIPHER_TEST_OP_AUTH_VERIFY_DEC,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
 			BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1954,6 +1964,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
 		.op_mask = BLOCKCIPHER_TEST_OP_ENC_AUTH_GEN,
 		.feature_mask = BLOCKCIPHER_TEST_FEATURE_OOP,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+			BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
 			BLOCKCIPHER_TEST_TARGET_PMD_QAT |
 			BLOCKCIPHER_TEST_TARGET_PMD_NITROX
 	},
@@ -2400,7 +2412,9 @@ static const struct blockcipher_test_case aes_cipheronly_test_cases[] = {
 		.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
 			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
-			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2
+			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2 |
+				BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+				BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC
 	},
 	{
 		.test_descr = "AES-192-CTR Encryption (12-byte IV)",
@@ -2408,7 +2422,9 @@ static const struct blockcipher_test_case aes_cipheronly_test_cases[] = {
 		.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
 			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
-			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2
+			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2 |
+				BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+				BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC
 	},
 	{
 		.test_descr = "AES-256-CTR Encryption (12-byte IV)",
@@ -2416,7 +2432,9 @@ static const struct blockcipher_test_case aes_cipheronly_test_cases[] = {
 		.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
 		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
 			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
-			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2
+			    BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2 |
+				BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+				BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC
 	},
 	{
 		.test_descr = "AES-128-XTS Encryption (16-byte plaintext)",
-- 
2.17.1

[dpdk-dev] [PATCH v3 09/13] crypto/dpaa2_sec: enable warning with truncated sha256

[Hemant Agrawal]

This patch throw the warning when using truncted digest
len for SHA256 case.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 4 ++++
 drivers/crypto/dpaa_sec/dpaa_sec.c          | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 173ec8095..668832f16 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -2657,6 +2657,10 @@ dpaa2_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
 	case RTE_CRYPTO_AUTH_SHA256_HMAC:
 		authdata->algtype = OP_PCL_IPSEC_HMAC_SHA2_256_128;
 		authdata->algmode = OP_ALG_AAI_HMAC;
+		if (session->digest_length != 16)
+			DPAA2_SEC_WARN(
+			"+++Using sha256-hmac truncated len is non-standard,"
+			"it will not work with lookaside proto");
 		break;
 	case RTE_CRYPTO_AUTH_SHA384_HMAC:
 		authdata->algtype = OP_PCL_IPSEC_HMAC_SHA2_384_192;
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 27a31d065..e729ed7db 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2645,6 +2645,10 @@ dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
 	case RTE_CRYPTO_AUTH_SHA256_HMAC:
 		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
 		session->auth_key.algmode = OP_ALG_AAI_HMAC;
+		if (session->digest_length != 16)
+			DPAA_SEC_WARN(
+			"+++Using sha256-hmac truncated len is non-standard,"
+			"it will not work with lookaside proto");
 		break;
 	case RTE_CRYPTO_AUTH_SHA384_HMAC:
 		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
-- 
2.17.1

[dpdk-dev] [PATCH v3 10/13] crypto/dpaa2_sec: remove unwanted context type check

[Hemant Agrawal]

From: Gagandeep Singh <g.singh@nxp.com>

This patch remove redundant checks.

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 668832f16..96753caad 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1582,18 +1582,13 @@ sec_fd_to_mbuf(const struct qbman_fd *fd)
 
 #ifdef RTE_LIBRTE_SECURITY
 	if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
-		dpaa2_sec_session *sess = (dpaa2_sec_session *)
-			get_sec_session_private_data(op->sym->sec_session);
-		if (sess->ctxt_type == DPAA2_SEC_IPSEC ||
-				sess->ctxt_type == DPAA2_SEC_PDCP) {
-			uint16_t len = DPAA2_GET_FD_LEN(fd);
-			dst->pkt_len = len;
-			while (dst->next != NULL) {
-				len -= dst->data_len;
-				dst = dst->next;
-			}
-			dst->data_len = len;
+		uint16_t len = DPAA2_GET_FD_LEN(fd);
+		dst->pkt_len = len;
+		while (dst->next != NULL) {
+			len -= dst->data_len;
+			dst = dst->next;
 		}
+		dst->data_len = len;
 	}
 #endif
 	DPAA2_SEC_DP_DEBUG("mbuf %p BMAN buf addr %p,"
-- 
2.17.1

[dpdk-dev] [PATCH v3 11/13] crypto/dpaa_sec: use macros in queue attach and detach

[Hemant Agrawal]

From: Gagandeep Singh <g.singh@nxp.com>

Align the cleanup and allocation for the queues.

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
 drivers/crypto/dpaa_sec/dpaa_sec.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index e729ed7db..990708de4 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2303,7 +2303,7 @@ dpaa_sec_attach_rxq(struct dpaa_sec_dev_private *qi)
 {
 	unsigned int i;
 
-	for (i = 0; i < qi->max_nb_sessions * MAX_DPAA_CORES; i++) {
+	for (i = 0; i < RTE_DPAA_MAX_RX_QUEUE; i++) {
 		if (qi->inq_attach[i] == 0) {
 			qi->inq_attach[i] = 1;
 			return &qi->inq[i];
@@ -2319,9 +2319,10 @@ dpaa_sec_detach_rxq(struct dpaa_sec_dev_private *qi, struct qman_fq *fq)
 {
 	unsigned int i;
 
-	for (i = 0; i < qi->max_nb_sessions; i++) {
+	for (i = 0; i < RTE_DPAA_MAX_RX_QUEUE; i++) {
 		if (&qi->inq[i] == fq) {
-			qman_retire_fq(fq, NULL);
+			if (qman_retire_fq(fq, NULL) != 0)
+				DPAA_SEC_WARN("Queue is not retired\n");
 			qman_oos_fq(fq);
 			qi->inq_attach[i] = 0;
 			return 0;
@@ -3408,7 +3409,7 @@ dpaa_sec_dev_init(struct rte_cryptodev *cryptodev)
 
 	flags = QMAN_FQ_FLAG_LOCKED | QMAN_FQ_FLAG_DYNAMIC_FQID |
 		QMAN_FQ_FLAG_TO_DCPORTAL;
-	for (i = 0; i < MAX_DPAA_CORES * internals->max_nb_sessions; i++) {
+	for (i = 0; i < RTE_DPAA_MAX_RX_QUEUE; i++) {
 		/* create rx qman fq for sessions*/
 		ret = qman_create_fq(0, flags, &internals->inq[i]);
 		if (unlikely(ret != 0)) {
-- 
2.17.1

[dpdk-dev] [PATCH v3 12/13] crypto/dpaa2_sec: use aes-ctr initial counter as 1

[Hemant Agrawal]

From: Vakul Garg <vakul.garg@nxp.com>

As per RFC3686, the initial aes-ctr counter value should be '1' for use
in ipsec. The patches changes SEC descriptor for using correct counter
value. In addition, it drops a redundant parameter for passing IV while
creating the descriptor.

Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
---
 drivers/common/dpaax/caamflib/desc/algo.h   | 21 +++++++++++++--------
 drivers/crypto/caam_jr/caam_jr.c            |  1 -
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c |  8 ++++----
 drivers/crypto/dpaa_sec/dpaa_sec.c          |  1 -
 4 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/drivers/common/dpaax/caamflib/desc/algo.h b/drivers/common/dpaax/caamflib/desc/algo.h
index 83dbb80ce..345bb5b3f 100644
--- a/drivers/common/dpaax/caamflib/desc/algo.h
+++ b/drivers/common/dpaax/caamflib/desc/algo.h
@@ -289,12 +289,12 @@ cnstr_shdsc_snow_f9(uint32_t *descbuf, bool ps, bool swap,
 static inline int
 cnstr_shdsc_blkcipher(uint32_t *descbuf, bool ps, bool swap,
 		      enum rta_share_type share,
-		      struct alginfo *cipherdata, uint8_t *iv,
+		      struct alginfo *cipherdata,
 		      uint32_t ivlen, uint8_t dir)
 {
 	struct program prg;
 	struct program *p = &prg;
-	uint32_t iv_off = 0;
+	uint32_t iv_off = 0, counter;
 	const bool need_dk = (dir == DIR_DEC) &&
 			     (cipherdata->algtype == OP_ALG_ALGSEL_AES) &&
 			     (cipherdata->algmode == OP_ALG_AAI_CBC);
@@ -336,12 +336,17 @@ cnstr_shdsc_blkcipher(uint32_t *descbuf, bool ps, bool swap,
 	if (cipherdata->algmode == OP_ALG_AAI_CTR)
 		iv_off = 16;
 
-	if (iv)
-		/* IV load, convert size */
-		LOAD(p, (uintptr_t)iv, CONTEXT1, iv_off, ivlen, IMMED | COPY);
-	else
-		/* IV is present first before the actual message */
-		SEQLOAD(p, CONTEXT1, iv_off, ivlen, 0);
+	/* IV is present first before the actual message */
+	SEQLOAD(p, CONTEXT1, iv_off, ivlen, 0);
+
+	/* If IV len is less than 16 bytes, set 'counter' as 1 */
+	if (cipherdata->algmode == OP_ALG_AAI_CTR && ivlen < 16) {
+		counter = 1;
+		if (!swap)
+			counter = swab32(1);
+
+		LOAD(p, counter, CONTEXT1, (iv_off + ivlen), 16 - ivlen, IMMED);
+	}
 
 	MATHB(p, SEQINSZ, SUB, MATH2, VSEQINSZ, 4, 0);
 	MATHB(p, SEQINSZ, SUB, MATH2, VSEQOUTSZ, 4, 0);
diff --git a/drivers/crypto/caam_jr/caam_jr.c b/drivers/crypto/caam_jr/caam_jr.c
index d1da9a64c..8aaa3d45f 100644
--- a/drivers/crypto/caam_jr/caam_jr.c
+++ b/drivers/crypto/caam_jr/caam_jr.c
@@ -336,7 +336,6 @@ caam_jr_prep_cdb(struct caam_jr_session *ses)
 		shared_desc_len = cnstr_shdsc_blkcipher(
 						cdb->sh_desc, true,
 						swap, SHR_NEVER, &alginfo_c,
-						NULL,
 						ses->iv.length,
 						ses->dir);
 	} else if (is_auth_only(ses)) {
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 96753caad..46925be5f 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1858,7 +1858,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
 		cipherdata.algmode = OP_ALG_AAI_CBC;
 		session->cipher_alg = RTE_CRYPTO_CIPHER_AES_CBC;
 		bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
-						SHR_NEVER, &cipherdata, NULL,
+						SHR_NEVER, &cipherdata,
 						session->iv.length,
 						session->dir);
 		break;
@@ -1867,7 +1867,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
 		cipherdata.algmode = OP_ALG_AAI_CBC;
 		session->cipher_alg = RTE_CRYPTO_CIPHER_3DES_CBC;
 		bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
-						SHR_NEVER, &cipherdata, NULL,
+						SHR_NEVER, &cipherdata,
 						session->iv.length,
 						session->dir);
 		break;
@@ -1876,7 +1876,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
 		cipherdata.algmode = OP_ALG_AAI_CTR;
 		session->cipher_alg = RTE_CRYPTO_CIPHER_AES_CTR;
 		bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
-						SHR_NEVER, &cipherdata, NULL,
+						SHR_NEVER, &cipherdata,
 						session->iv.length,
 						session->dir);
 		break;
@@ -1885,7 +1885,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
 		cipherdata.algmode = OP_ALG_AAI_CTR;
 		session->cipher_alg = RTE_CRYPTO_CIPHER_3DES_CTR;
 		bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
-						SHR_NEVER, &cipherdata, NULL,
+						SHR_NEVER, &cipherdata,
 						session->iv.length,
 						session->dir);
 		break;
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 990708de4..2c1915fec 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -478,7 +478,6 @@ dpaa_sec_prep_cdb(dpaa_sec_session *ses)
 			shared_desc_len = cnstr_shdsc_blkcipher(
 					cdb->sh_desc, true,
 					swap, SHR_NEVER, &alginfo_c,
-					NULL,
 					ses->iv.length,
 					ses->dir);
 			break;
-- 
2.17.1

[dpdk-dev] [PATCH v3 13/13] crypto/dpaa_sec: enable ipsec aes-ctr to use nonce

[Hemant Agrawal]

From: Vakul Garg <vakul.garg@nxp.com>

The protocol aware ipsec descriptor has been modified to
use ctr_initial value of 1 and salt configured for ipsec SA.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
---
 drivers/common/dpaax/caamflib/desc/ipsec.h  | 18 ++++++++----------
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c |  8 ++++++++
 drivers/crypto/dpaa_sec/dpaa_sec.c          | 12 ++++++++++--
 3 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/drivers/common/dpaax/caamflib/desc/ipsec.h b/drivers/common/dpaax/caamflib/desc/ipsec.h
index f33c68cc9..cf6fa4252 100644
--- a/drivers/common/dpaax/caamflib/desc/ipsec.h
+++ b/drivers/common/dpaax/caamflib/desc/ipsec.h
@@ -256,14 +256,14 @@ struct ipsec_encap_cbc {
 
 /**
  * struct ipsec_encap_ctr - PDB part for IPsec CTR encapsulation
- * @ctr_nonce: 4-byte array nonce
+ * @ctr_nonce: 4-byte nonce
  * @ctr_initial: initial count constant
  * @iv: initialization vector
  */
 struct ipsec_encap_ctr {
-	uint8_t ctr_nonce[4];
+	uint32_t ctr_nonce;
 	uint32_t ctr_initial;
-	uint64_t iv;
+	uint8_t iv[8];
 };
 
 /**
@@ -346,10 +346,9 @@ __rta_copy_ipsec_encap_pdb(struct program *program,
 		break;
 
 	case OP_PCL_IPSEC_AES_CTR:
-		rta_copy_data(program, pdb->ctr.ctr_nonce,
-			      sizeof(pdb->ctr.ctr_nonce));
+		rta_copy_data(program, (uint8_t *)&pdb->ctr.ctr_nonce, 4);
 		__rta_out32(program, pdb->ctr.ctr_initial);
-		__rta_out64(program, true, pdb->ctr.iv);
+		rta_copy_data(program, pdb->ctr.iv, sizeof(pdb->ctr.iv));
 		break;
 
 	case OP_PCL_IPSEC_AES_CCM8:
@@ -386,11 +385,11 @@ struct ipsec_decap_cbc {
 
 /**
  * struct ipsec_decap_ctr - PDB part for IPsec CTR decapsulation
- * @ctr_nonce: 4-byte array nonce
+ * @ctr_nonce: 4-byte nonce
  * @ctr_initial: initial count constant
  */
 struct ipsec_decap_ctr {
-	uint8_t ctr_nonce[4];
+	uint32_t ctr_nonce;
 	uint32_t ctr_initial;
 };
 
@@ -464,8 +463,7 @@ __rta_copy_ipsec_decap_pdb(struct program *program,
 		break;
 
 	case OP_PCL_IPSEC_AES_CTR:
-		rta_copy_data(program, pdb->ctr.ctr_nonce,
-			      sizeof(pdb->ctr.ctr_nonce));
+		rta_copy_data(program, (uint8_t *)&pdb->ctr.ctr_nonce, 4);
 		__rta_out32(program, pdb->ctr.ctr_initial);
 		break;
 
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 46925be5f..555730519 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -2811,6 +2811,10 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
 
 		/* copy algo specific data to PDB */
 		switch (cipherdata.algtype) {
+		case OP_PCL_IPSEC_AES_CTR:
+			encap_pdb.ctr.ctr_initial = 0x00000001;
+			encap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+			break;
 		case OP_PCL_IPSEC_AES_GCM8:
 		case OP_PCL_IPSEC_AES_GCM12:
 		case OP_PCL_IPSEC_AES_GCM16:
@@ -2881,6 +2885,10 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
 		memset(&decap_pdb, 0, sizeof(struct ipsec_decap_pdb));
 		/* copy algo specific data to PDB */
 		switch (cipherdata.algtype) {
+		case OP_PCL_IPSEC_AES_CTR:
+			decap_pdb.ctr.ctr_initial = 0x00000001;
+			decap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+			break;
 		case OP_PCL_IPSEC_AES_GCM8:
 		case OP_PCL_IPSEC_AES_GCM12:
 		case OP_PCL_IPSEC_AES_GCM16:
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 2c1915fec..b0fa74540 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2592,6 +2592,7 @@ dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
 static int
 dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
 	struct rte_crypto_auth_xform *auth_xform,
+	struct rte_security_ipsec_xform *ipsec_xform,
 	dpaa_sec_session *session)
 {
 	if (cipher_xform) {
@@ -2698,6 +2699,13 @@ dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
 	case RTE_CRYPTO_CIPHER_AES_CTR:
 		session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
 		session->cipher_key.algmode = OP_ALG_AAI_CTR;
+		if (session->dir == DIR_ENC) {
+			session->encap_pdb.ctr.ctr_initial = 0x00000001;
+			session->encap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+		} else {
+			session->decap_pdb.ctr.ctr_initial = 0x00000001;
+			session->decap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+		}
 		break;
 	case RTE_CRYPTO_CIPHER_NULL:
 		session->cipher_key.alg = OP_PCL_IPSEC_NULL;
@@ -2749,13 +2757,13 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 		if (conf->crypto_xform->next)
 			auth_xform = &conf->crypto_xform->next->auth;
 		ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
-					session);
+					ipsec_xform, session);
 	} else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
 		auth_xform = &conf->crypto_xform->auth;
 		if (conf->crypto_xform->next)
 			cipher_xform = &conf->crypto_xform->next->cipher;
 		ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
-					session);
+					ipsec_xform, session);
 	} else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 		aead_xform = &conf->crypto_xform->aead;
 		ret = dpaa_sec_ipsec_aead_init(aead_xform,
-- 
2.17.1

Re: [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags

[Akhil Goyal]

> -----Original Message-----
> From: Hemant Agrawal <hemant.agrawal@nxp.com>
> Sent: Wednesday, November 6, 2019 10:47 AM
> To: dev@dpdk.org
> Cc: Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags
> 
> set the pdcp capa_flags to 0 by default.
> 
> Fixes: a1173d55598c ("crypto/dpaa_sec: support PDCP offload")
> 
> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> ---
Series Acked-by: Akhil Goyal <akhil.goyal@nxp.com>

Series Applied to dpdk-next-crypto

Thanks.

Re: [dpdk-dev] [PATCH v3 07/13] crypto/dpaa_sec: add AES-GCM support for lookaside case

[Hemant Agrawal]

Hi Akhil,
	

> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Hemant Agrawal
> Sent: Wednesday, November 6, 2019 10:47 AM
> To: dev@dpdk.org
> Cc: Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [dpdk-dev] [PATCH v3 07/13] crypto/dpaa_sec: add AES-GCM
> support for lookaside case
> 
> This patch add support for AES-128-GCM, when used in proto lookaside
> mode.
> 
> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> ---
>  drivers/crypto/dpaa_sec/dpaa_sec.c | 309 ++++++++++++++++++++---------
>  1 file changed, 211 insertions(+), 98 deletions(-)
> 
> diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c
> b/drivers/crypto/dpaa_sec/dpaa_sec.c
> index 0ef17ee00..27a31d065 100644
> --- a/drivers/crypto/dpaa_sec/dpaa_sec.c
> +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
> @@ -382,12 +382,14 @@ dpaa_sec_prep_ipsec_cdb(dpaa_sec_session
> *ses)
>  	cipherdata.algtype = ses->cipher_key.alg;
>  	cipherdata.algmode = ses->cipher_key.algmode;
> 
> -	authdata.key = (size_t)ses->auth_key.data;
> -	authdata.keylen = ses->auth_key.length;
> -	authdata.key_enc_flags = 0;
> -	authdata.key_type = RTA_DATA_IMM;
> -	authdata.algtype = ses->auth_key.alg;
> -	authdata.algmode = ses->auth_key.algmode;
> +	if (ses->auth_key.length) {
> +		authdata.key = (size_t)ses->auth_key.data;
> +		authdata.keylen = ses->auth_key.length;
> +		authdata.key_enc_flags = 0;
> +		authdata.key_type = RTA_DATA_IMM;
> +		authdata.algtype = ses->auth_key.alg;
> +		authdata.algmode = ses->auth_key.algmode;
> +	}
> 
>  	cdb->sh_desc[0] = cipherdata.keylen;
>  	cdb->sh_desc[1] = authdata.keylen;
> @@ -2523,33 +2525,76 @@ dpaa_sec_sym_session_clear(struct
> rte_cryptodev *dev,
> 
>  #ifdef RTE_LIBRTE_SECURITY
>  static int
> -dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
> -			   struct rte_security_session_conf *conf,
> -			   void *sess)
> +dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
> +			struct rte_security_ipsec_xform *ipsec_xform,
> +			dpaa_sec_session *session)
>  {
> -	struct dpaa_sec_dev_private *internals = dev->data->dev_private;
> -	struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
> -	struct rte_crypto_auth_xform *auth_xform = NULL;
> -	struct rte_crypto_cipher_xform *cipher_xform = NULL;
> -	dpaa_sec_session *session = (dpaa_sec_session *)sess;
> -	uint32_t i;
> -
>  	PMD_INIT_FUNC_TRACE();
> 
> -	memset(session, 0, sizeof(dpaa_sec_session));
> -	if (ipsec_xform->direction ==
> RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
> -		cipher_xform = &conf->crypto_xform->cipher;
> -		if (conf->crypto_xform->next)
> -			auth_xform = &conf->crypto_xform->next->auth;
> -	} else {
> -		auth_xform = &conf->crypto_xform->auth;
> -		if (conf->crypto_xform->next)
> -			cipher_xform = &conf->crypto_xform->next-
> >cipher;
> +	session->aead_key.data = rte_zmalloc(NULL, aead_xform-
> >key.length,
> +					       RTE_CACHE_LINE_SIZE);
> +	if (session->aead_key.data == NULL && aead_xform->key.length >
> 0) {
> +		DPAA_SEC_ERR("No Memory for aead key");
> +		return -1;
>  	}
> -	session->proto_alg = conf->protocol;
> -	session->ctxt = DPAA_SEC_IPSEC;
> +	memcpy(session->aead_key.data, aead_xform->key.data,
> +	       aead_xform->key.length);
> +
> +	session->digest_length = aead_xform->digest_length;
> +	session->aead_key.length = aead_xform->key.length;
> +
> +	switch (aead_xform->algo) {
> +	case RTE_CRYPTO_AEAD_AES_GCM:
> +		switch (session->digest_length) {
> +		case 8:
> +			session->aead_key.alg = OP_PCL_IPSEC_AES_GCM8;
> +			break;
> +		case 12:
> +			session->aead_key.alg =
> OP_PCL_IPSEC_AES_GCM12;
> +			break;
> +		case 16:
> +			session->aead_key.alg =
> OP_PCL_IPSEC_AES_GCM16;
> +			break;
> +		default:
> +			DPAA_SEC_ERR("Crypto: Undefined GCM digest
> %d",
> +				     session->digest_length);
> +			return -1;
> +		}
> +		if (session->dir == DIR_ENC) {
> +			memcpy(session->encap_pdb.gcm.salt,
> +				(uint8_t *)&(ipsec_xform->salt), 4);
> +		} else {
> +			memcpy(session->decap_pdb.gcm.salt,
> +				(uint8_t *)&(ipsec_xform->salt), 4);
> +		}
> +		session->aead_key.algmode = OP_ALG_AAI_GCM;
> +		session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM;
> +		break;


[Hemant] There is a merge error. I see that you have already applied it. 
Can you remove following line from the patch.
>>> start here.
> +		if (session->dir == DIR_ENC) {
> +			/* todo CCM salt length is 3 bytes, left shift 8 bits */
> +			memcpy(session->encap_pdb.ccm.salt,
> +				(uint8_t *)&(ipsec_xform->salt), 4);
> +		} else {
> +			memcpy(session->decap_pdb.ccm.salt,
> +				(uint8_t *)&(ipsec_xform->salt), 4);
> +		}
> +		session->aead_key.algmode = OP_ALG_AAI_CCM;
> +		session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
> +		break;
>>> end here.

> +	default:
> +		DPAA_SEC_ERR("Crypto: Undefined AEAD specified %u",
> +			      aead_xform->algo);
> +		return -1;
> +	}
> +	return 0;
> +}
> 
> -	if (cipher_xform && cipher_xform->algo !=
> RTE_CRYPTO_CIPHER_NULL) {
> +static int
> +dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform
> *cipher_xform,
> +	struct rte_crypto_auth_xform *auth_xform,
> +	dpaa_sec_session *session)
> +{
> +	if (cipher_xform) {
>  		session->cipher_key.data = rte_zmalloc(NULL,
>  						       cipher_xform-
> >key.length,
>  						       RTE_CACHE_LINE_SIZE);
> @@ -2558,31 +2603,10 @@ dpaa_sec_set_ipsec_session(__rte_unused
> struct rte_cryptodev *dev,
>  			DPAA_SEC_ERR("No Memory for cipher key");
>  			return -ENOMEM;
>  		}
> +
> +		session->cipher_key.length = cipher_xform->key.length;
>  		memcpy(session->cipher_key.data, cipher_xform-
> >key.data,
>  				cipher_xform->key.length);
> -		session->cipher_key.length = cipher_xform->key.length;
> -
> -		switch (cipher_xform->algo) {
> -		case RTE_CRYPTO_CIPHER_NULL:
> -			session->cipher_key.alg = OP_PCL_IPSEC_NULL;
> -			break;
> -		case RTE_CRYPTO_CIPHER_AES_CBC:
> -			session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
> -			session->cipher_key.algmode = OP_ALG_AAI_CBC;
> -			break;
> -		case RTE_CRYPTO_CIPHER_3DES_CBC:
> -			session->cipher_key.alg = OP_PCL_IPSEC_3DES;
> -			session->cipher_key.algmode = OP_ALG_AAI_CBC;
> -			break;
> -		case RTE_CRYPTO_CIPHER_AES_CTR:
> -			session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
> -			session->cipher_key.algmode = OP_ALG_AAI_CTR;
> -			break;
> -		default:
> -			DPAA_SEC_ERR("Crypto: Unsupported Cipher alg
> %u",
> -				cipher_xform->algo);
> -			goto out;
> -		}
>  		session->cipher_alg = cipher_xform->algo;
>  	} else {
>  		session->cipher_key.data = NULL;
> @@ -2590,54 +2614,18 @@ dpaa_sec_set_ipsec_session(__rte_unused
> struct rte_cryptodev *dev,
>  		session->cipher_alg = RTE_CRYPTO_CIPHER_NULL;
>  	}
> 
> -	if (auth_xform && auth_xform->algo != RTE_CRYPTO_AUTH_NULL) {
> +	if (auth_xform) {
>  		session->auth_key.data = rte_zmalloc(NULL,
>  						auth_xform->key.length,
>  						RTE_CACHE_LINE_SIZE);
>  		if (session->auth_key.data == NULL &&
>  				auth_xform->key.length > 0) {
>  			DPAA_SEC_ERR("No Memory for auth key");
> -			rte_free(session->cipher_key.data);
>  			return -ENOMEM;
>  		}
> +		session->auth_key.length = auth_xform->key.length;
>  		memcpy(session->auth_key.data, auth_xform->key.data,
>  				auth_xform->key.length);
> -		session->auth_key.length = auth_xform->key.length;
> -
> -		switch (auth_xform->algo) {
> -		case RTE_CRYPTO_AUTH_NULL:
> -			session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_NULL;
> -			session->digest_length = 0;
> -			break;
> -		case RTE_CRYPTO_AUTH_MD5_HMAC:
> -			session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_MD5_96;
> -			session->auth_key.algmode = OP_ALG_AAI_HMAC;
> -			break;
> -		case RTE_CRYPTO_AUTH_SHA1_HMAC:
> -			session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA1_96;
> -			session->auth_key.algmode = OP_ALG_AAI_HMAC;
> -			break;
> -		case RTE_CRYPTO_AUTH_SHA224_HMAC:
> -			session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA1_160;
> -			session->auth_key.algmode = OP_ALG_AAI_HMAC;
> -			break;
> -		case RTE_CRYPTO_AUTH_SHA256_HMAC:
> -			session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_256_128;
> -			session->auth_key.algmode = OP_ALG_AAI_HMAC;
> -			break;
> -		case RTE_CRYPTO_AUTH_SHA384_HMAC:
> -			session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_384_192;
> -			session->auth_key.algmode = OP_ALG_AAI_HMAC;
> -			break;
> -		case RTE_CRYPTO_AUTH_SHA512_HMAC:
> -			session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_512_256;
> -			session->auth_key.algmode = OP_ALG_AAI_HMAC;
> -			break;
> -		default:
> -			DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
> -				auth_xform->algo);
> -			goto out;
> -		}
>  		session->auth_alg = auth_xform->algo;
>  	} else {
>  		session->auth_key.data = NULL;
> @@ -2645,12 +2633,142 @@ dpaa_sec_set_ipsec_session(__rte_unused
> struct rte_cryptodev *dev,
>  		session->auth_alg = RTE_CRYPTO_AUTH_NULL;
>  	}
> 
> +	switch (session->auth_alg) {
> +	case RTE_CRYPTO_AUTH_SHA1_HMAC:
> +		session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96;
> +		session->auth_key.algmode = OP_ALG_AAI_HMAC;
> +		break;
> +	case RTE_CRYPTO_AUTH_MD5_HMAC:
> +		session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96;
> +		session->auth_key.algmode = OP_ALG_AAI_HMAC;
> +		break;
> +	case RTE_CRYPTO_AUTH_SHA256_HMAC:
> +		session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_256_128;
> +		session->auth_key.algmode = OP_ALG_AAI_HMAC;
> +		break;
> +	case RTE_CRYPTO_AUTH_SHA384_HMAC:
> +		session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_384_192;
> +		session->auth_key.algmode = OP_ALG_AAI_HMAC;
> +		break;
> +	case RTE_CRYPTO_AUTH_SHA512_HMAC:
> +		session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_512_256;
> +		session->auth_key.algmode = OP_ALG_AAI_HMAC;
> +		break;
> +	case RTE_CRYPTO_AUTH_AES_CMAC:
> +		session->auth_key.alg = OP_PCL_IPSEC_AES_CMAC_96;
> +		break;
> +	case RTE_CRYPTO_AUTH_NULL:
> +		session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL;
> +		break;
> +	case RTE_CRYPTO_AUTH_SHA224_HMAC:
> +	case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
> +	case RTE_CRYPTO_AUTH_SNOW3G_UIA2:
> +	case RTE_CRYPTO_AUTH_SHA1:
> +	case RTE_CRYPTO_AUTH_SHA256:
> +	case RTE_CRYPTO_AUTH_SHA512:
> +	case RTE_CRYPTO_AUTH_SHA224:
> +	case RTE_CRYPTO_AUTH_SHA384:
> +	case RTE_CRYPTO_AUTH_MD5:
> +	case RTE_CRYPTO_AUTH_AES_GMAC:
> +	case RTE_CRYPTO_AUTH_KASUMI_F9:
> +	case RTE_CRYPTO_AUTH_AES_CBC_MAC:
> +	case RTE_CRYPTO_AUTH_ZUC_EIA3:
> +		DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
> +			      session->auth_alg);
> +		return -1;
> +	default:
> +		DPAA_SEC_ERR("Crypto: Undefined Auth specified %u",
> +			      session->auth_alg);
> +		return -1;
> +	}
> +
> +	switch (session->cipher_alg) {
> +	case RTE_CRYPTO_CIPHER_AES_CBC:
> +		session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
> +		session->cipher_key.algmode = OP_ALG_AAI_CBC;
> +		break;
> +	case RTE_CRYPTO_CIPHER_3DES_CBC:
> +		session->cipher_key.alg = OP_PCL_IPSEC_3DES;
> +		session->cipher_key.algmode = OP_ALG_AAI_CBC;
> +		break;
> +	case RTE_CRYPTO_CIPHER_AES_CTR:
> +		session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
> +		session->cipher_key.algmode = OP_ALG_AAI_CTR;
> +		break;
> +	case RTE_CRYPTO_CIPHER_NULL:
> +		session->cipher_key.alg = OP_PCL_IPSEC_NULL;
> +		break;
> +	case RTE_CRYPTO_CIPHER_SNOW3G_UEA2:
> +	case RTE_CRYPTO_CIPHER_ZUC_EEA3:
> +	case RTE_CRYPTO_CIPHER_3DES_ECB:
> +	case RTE_CRYPTO_CIPHER_AES_ECB:
> +	case RTE_CRYPTO_CIPHER_KASUMI_F8:
> +		DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u",
> +			      session->cipher_alg);
> +		return -1;
> +	default:
> +		DPAA_SEC_ERR("Crypto: Undefined Cipher specified %u",
> +			      session->cipher_alg);
> +		return -1;
> +	}
> +
> +	return 0;
> +}
> +
> +static int
> +dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
> +			   struct rte_security_session_conf *conf,
> +			   void *sess)
> +{
> +	struct dpaa_sec_dev_private *internals = dev->data->dev_private;
> +	struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
> +	struct rte_crypto_auth_xform *auth_xform = NULL;
> +	struct rte_crypto_cipher_xform *cipher_xform = NULL;
> +	struct rte_crypto_aead_xform *aead_xform = NULL;
> +	dpaa_sec_session *session = (dpaa_sec_session *)sess;
> +	uint32_t i;
> +	int ret;
> +
> +	PMD_INIT_FUNC_TRACE();
> +
> +	memset(session, 0, sizeof(dpaa_sec_session));
> +	session->proto_alg = conf->protocol;
> +	session->ctxt = DPAA_SEC_IPSEC;
> +
> +	if (ipsec_xform->direction ==
> RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
> +		session->dir = DIR_ENC;
> +	else
> +		session->dir = DIR_DEC;
> +
> +	if (conf->crypto_xform->type ==
> RTE_CRYPTO_SYM_XFORM_CIPHER) {
> +		cipher_xform = &conf->crypto_xform->cipher;
> +		if (conf->crypto_xform->next)
> +			auth_xform = &conf->crypto_xform->next->auth;
> +		ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
> +					session);
> +	} else if (conf->crypto_xform->type ==
> RTE_CRYPTO_SYM_XFORM_AUTH) {
> +		auth_xform = &conf->crypto_xform->auth;
> +		if (conf->crypto_xform->next)
> +			cipher_xform = &conf->crypto_xform->next-
> >cipher;
> +		ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
> +					session);
> +	} else if (conf->crypto_xform->type ==
> RTE_CRYPTO_SYM_XFORM_AEAD) {
> +		aead_xform = &conf->crypto_xform->aead;
> +		ret = dpaa_sec_ipsec_aead_init(aead_xform,
> +					ipsec_xform, session);
> +	} else {
> +		DPAA_SEC_ERR("XFORM not specified");
> +		ret = -EINVAL;
> +		goto out;
> +	}
> +	if (ret) {
> +		DPAA_SEC_ERR("Failed to process xform");
> +		goto out;
> +	}
> +
>  	if (ipsec_xform->direction ==
> RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
>  		if (ipsec_xform->tunnel.type ==
>  				RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
> -			memset(&session->encap_pdb, 0,
> -				sizeof(struct ipsec_encap_pdb) +
> -				sizeof(session->ip4_hdr));
>  			session->ip4_hdr.ip_v = IPVERSION;
>  			session->ip4_hdr.ip_hl = 5;
>  			session->ip4_hdr.ip_len = rte_cpu_to_be_16( @@ -
> 2673,9 +2791,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct
> rte_cryptodev *dev,
>  			session->encap_pdb.ip_hdr_len = sizeof(struct ip);
>  		} else if (ipsec_xform->tunnel.type ==
>  				RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
> -			memset(&session->encap_pdb, 0,
> -				sizeof(struct ipsec_encap_pdb) +
> -				sizeof(session->ip6_hdr));
>  			session->ip6_hdr.vtc_flow = rte_cpu_to_be_32(
>  				DPAA_IPv6_DEFAULT_VTC_FLOW |
>  				((ipsec_xform->tunnel.ipv6.dscp <<
> @@ -2707,10 +2822,9 @@ dpaa_sec_set_ipsec_session(__rte_unused struct
> rte_cryptodev *dev,
>  		if (ipsec_xform->options.esn)
>  			session->encap_pdb.options |= PDBOPTS_ESP_ESN;
>  		session->encap_pdb.spi = ipsec_xform->spi;
> -		session->dir = DIR_ENC;
> +
>  	} else if (ipsec_xform->direction ==
>  			RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
> -		memset(&session->decap_pdb, 0, sizeof(struct
> ipsec_decap_pdb));
>  		if (ipsec_xform->tunnel.type ==
> RTE_SECURITY_IPSEC_TUNNEL_IPV4)
>  			session->decap_pdb.options = sizeof(struct ip) << 16;
>  		else
> @@ -2718,7 +2832,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct
> rte_cryptodev *dev,
>  					sizeof(struct rte_ipv6_hdr) << 16;
>  		if (ipsec_xform->options.esn)
>  			session->decap_pdb.options |= PDBOPTS_ESP_ESN;
> -		session->dir = DIR_DEC;
>  	} else
>  		goto out;
>  	rte_spinlock_lock(&internals->lock);
> --
> 2.17.1

Re: [dpdk-dev] [PATCH v3 07/13] crypto/dpaa_sec: add AES-GCM support for lookaside case

[Akhil Goyal]

> 
> Hi Akhil,
> 
> 
> [Hemant] There is a merge error. I see that you have already applied it.
> Can you remove following line from the patch.
> >>> start here.
> > +		if (session->dir == DIR_ENC) {
> > +			/* todo CCM salt length is 3 bytes, left shift 8 bits */
> > +			memcpy(session->encap_pdb.ccm.salt,
> > +				(uint8_t *)&(ipsec_xform->salt), 4);
> > +		} else {
> > +			memcpy(session->decap_pdb.ccm.salt,
> > +				(uint8_t *)&(ipsec_xform->salt), 4);
> > +		}
> > +		session->aead_key.algmode = OP_ALG_AAI_CCM;
> > +		session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
> > +		break;
> >>> end here.
> 

done