* [dpdk-dev] [PATCH v2 02/13] crypto/dpaa2_sec: add check for the session validity
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
@ 2019-11-01 17:51 ` Hemant Agrawal
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 03/13] crypto/dpaa_sec: " Hemant Agrawal
` (11 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-01 17:51 UTC (permalink / raw)
To: dev, akhil.goyal
Check if the session is not null during processing.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 6d59e73e9..70207818b 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1368,6 +1368,9 @@ build_sec_fd(struct rte_crypto_op *op,
else
return -1;
+ if (!sess)
+ return -1;
+
/* Any of the buffer is segmented*/
if (!rte_pktmbuf_is_contiguous(op->sym->m_src) ||
((op->sym->m_dst != NULL) &&
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v2 03/13] crypto/dpaa_sec: add check for the session validity
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 02/13] crypto/dpaa2_sec: add check for the session validity Hemant Agrawal
@ 2019-11-01 17:51 ` Hemant Agrawal
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 04/13] crypto/dpaa2_sec: adding NULL cipher or NULL auth Hemant Agrawal
` (10 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-01 17:51 UTC (permalink / raw)
To: dev, akhil.goyal
Check if the session is not null during processing.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa_sec/dpaa_sec.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 31fe092ce..8704fe33d 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -1773,6 +1773,14 @@ dpaa_sec_enqueue_burst(void *qp, struct rte_crypto_op **ops,
nb_ops = loop;
goto send_pkts;
}
+
+ if (!ses) {
+ DPAA_SEC_DP_ERR("session not available");
+ frames_to_send = loop;
+ nb_ops = loop;
+ goto send_pkts;
+ }
+
if (unlikely(!ses->qp[rte_lcore_id() % MAX_DPAA_CORES])) {
if (dpaa_sec_attach_sess_q(qp, ses)) {
frames_to_send = loop;
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v2 04/13] crypto/dpaa2_sec: adding NULL cipher or NULL auth
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 02/13] crypto/dpaa2_sec: add check for the session validity Hemant Agrawal
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 03/13] crypto/dpaa_sec: " Hemant Agrawal
@ 2019-11-01 17:51 ` Hemant Agrawal
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 05/13] crypto/dpaa_sec: " Hemant Agrawal
` (9 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-01 17:51 UTC (permalink / raw)
To: dev, akhil.goyal
These are supported when using protocol offload mode or in chain mode.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 22 +++++++----
drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 41 +++++++++++++++++++++
2 files changed, 56 insertions(+), 7 deletions(-)
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 70207818b..6c2faa69a 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1,7 +1,7 @@
/* SPDX-License-Identifier: BSD-3-Clause
*
* Copyright (c) 2016 Freescale Semiconductor, Inc. All rights reserved.
- * Copyright 2016-2018 NXP
+ * Copyright 2016-2019 NXP
*
*/
@@ -1837,6 +1837,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
flc = &priv->flc_desc[0].flc;
+ session->ctxt_type = DPAA2_SEC_CIPHER;
session->cipher_key.data = rte_zmalloc(NULL, xform->cipher.key.length,
RTE_CACHE_LINE_SIZE);
if (session->cipher_key.data == NULL) {
@@ -1973,6 +1974,7 @@ dpaa2_sec_auth_init(struct rte_cryptodev *dev,
priv->fle_pool = dev_priv->fle_pool;
flc = &priv->flc_desc[DESC_INITFINAL].flc;
+ session->ctxt_type = DPAA2_SEC_AUTH;
session->auth_key.data = rte_zmalloc(NULL, xform->auth.key.length,
RTE_CACHE_LINE_SIZE);
if (session->auth_key.data == NULL) {
@@ -2481,27 +2483,33 @@ dpaa2_sec_set_session_parameters(struct rte_cryptodev *dev,
/* Cipher Only */
if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform->next == NULL) {
- session->ctxt_type = DPAA2_SEC_CIPHER;
ret = dpaa2_sec_cipher_init(dev, xform, session);
/* Authentication Only */
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
xform->next == NULL) {
- session->ctxt_type = DPAA2_SEC_AUTH;
ret = dpaa2_sec_auth_init(dev, xform, session);
/* Cipher then Authenticate */
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
session->ext_params.aead_ctxt.auth_cipher_text = true;
- ret = dpaa2_sec_aead_chain_init(dev, xform, session);
-
+ if (xform->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+ ret = dpaa2_sec_auth_init(dev, xform, session);
+ else if (xform->next->auth.algo == RTE_CRYPTO_AUTH_NULL)
+ ret = dpaa2_sec_cipher_init(dev, xform, session);
+ else
+ ret = dpaa2_sec_aead_chain_init(dev, xform, session);
/* Authenticate then Cipher */
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
session->ext_params.aead_ctxt.auth_cipher_text = false;
- ret = dpaa2_sec_aead_chain_init(dev, xform, session);
-
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_NULL)
+ ret = dpaa2_sec_cipher_init(dev, xform, session);
+ else if (xform->next->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+ ret = dpaa2_sec_auth_init(dev, xform, session);
+ else
+ ret = dpaa2_sec_aead_chain_init(dev, xform, session);
/* AEAD operation for AES-GCM kind of Algorithms */
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD &&
xform->next == NULL) {
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
index b97dacbcb..528b64ef8 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
@@ -200,6 +200,27 @@ typedef struct dpaa2_sec_session_entry {
} dpaa2_sec_session;
static const struct rte_cryptodev_capabilities dpaa2_sec_capabilities[] = {
+ { /* NULL (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_NULL,
+ .block_size = 1,
+ .key_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ },
+ .digest_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ },
+ .iv_size = { 0 }
+ }, },
+ }, },
+ },
{ /* MD5 HMAC */
.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
{.sym = {
@@ -356,6 +377,26 @@ static const struct rte_cryptodev_capabilities dpaa2_sec_capabilities[] = {
}, }
}, }
},
+ { /* NULL (CIPHER) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+ {.cipher = {
+ .algo = RTE_CRYPTO_CIPHER_NULL,
+ .block_size = 1,
+ .key_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ },
+ .iv_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ }
+ }, },
+ }, }
+ },
{ /* AES CBC */
.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
{.sym = {
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v2 05/13] crypto/dpaa_sec: adding NULL cipher or NULL auth
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (2 preceding siblings ...)
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 04/13] crypto/dpaa2_sec: adding NULL cipher or NULL auth Hemant Agrawal
@ 2019-11-01 17:51 ` Hemant Agrawal
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 06/13] crypto/dpaa2_sec: add AES-GCM support for lookaside case Hemant Agrawal
` (8 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-01 17:51 UTC (permalink / raw)
To: dev, akhil.goyal
These are supported when using protocol offload mode or when
in chain mode.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa_sec/dpaa_sec.c | 33 ++++++++++++++++++------
drivers/crypto/dpaa_sec/dpaa_sec.h | 41 ++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+), 8 deletions(-)
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 8704fe33d..ce7860b24 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2037,6 +2037,7 @@ dpaa_sec_cipher_init(struct rte_cryptodev *dev __rte_unused,
struct rte_crypto_sym_xform *xform,
dpaa_sec_session *session)
{
+ session->ctxt = DPAA_SEC_CIPHER;
session->cipher_alg = xform->cipher.algo;
session->iv.length = xform->cipher.iv.length;
session->iv.offset = xform->cipher.iv.offset;
@@ -2086,6 +2087,7 @@ dpaa_sec_auth_init(struct rte_cryptodev *dev __rte_unused,
struct rte_crypto_sym_xform *xform,
dpaa_sec_session *session)
{
+ session->ctxt = DPAA_SEC_AUTH;
session->auth_alg = xform->auth.algo;
session->auth_key.data = rte_zmalloc(NULL, xform->auth.key.length,
RTE_CACHE_LINE_SIZE);
@@ -2158,6 +2160,7 @@ dpaa_sec_chain_init(struct rte_cryptodev *dev __rte_unused,
struct rte_crypto_cipher_xform *cipher_xform;
struct rte_crypto_auth_xform *auth_xform;
+ session->ctxt = DPAA_SEC_CIPHER_HASH;
if (session->auth_cipher_text) {
cipher_xform = &xform->cipher;
auth_xform = &xform->next->auth;
@@ -2359,6 +2362,7 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
struct dpaa_sec_dev_private *internals = dev->data->dev_private;
dpaa_sec_session *session = sess;
uint32_t i;
+ int ret;
PMD_INIT_FUNC_TRACE();
@@ -2374,23 +2378,26 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
/* Cipher Only */
if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform->next == NULL) {
session->auth_alg = RTE_CRYPTO_AUTH_NULL;
- session->ctxt = DPAA_SEC_CIPHER;
- dpaa_sec_cipher_init(dev, xform, session);
+ ret = dpaa_sec_cipher_init(dev, xform, session);
/* Authentication Only */
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
xform->next == NULL) {
session->cipher_alg = RTE_CRYPTO_CIPHER_NULL;
session->ctxt = DPAA_SEC_AUTH;
- dpaa_sec_auth_init(dev, xform, session);
+ ret = dpaa_sec_auth_init(dev, xform, session);
/* Cipher then Authenticate */
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
if (xform->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
- session->ctxt = DPAA_SEC_CIPHER_HASH;
session->auth_cipher_text = 1;
- dpaa_sec_chain_init(dev, xform, session);
+ if (xform->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+ ret = dpaa_sec_auth_init(dev, xform, session);
+ else if (xform->next->auth.algo == RTE_CRYPTO_AUTH_NULL)
+ ret = dpaa_sec_cipher_init(dev, xform, session);
+ else
+ ret = dpaa_sec_chain_init(dev, xform, session);
} else {
DPAA_SEC_ERR("Not supported: Auth then Cipher");
return -EINVAL;
@@ -2399,9 +2406,14 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
if (xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_DECRYPT) {
- session->ctxt = DPAA_SEC_CIPHER_HASH;
session->auth_cipher_text = 0;
- dpaa_sec_chain_init(dev, xform, session);
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_NULL)
+ ret = dpaa_sec_cipher_init(dev, xform, session);
+ else if (xform->next->cipher.algo
+ == RTE_CRYPTO_CIPHER_NULL)
+ ret = dpaa_sec_auth_init(dev, xform, session);
+ else
+ ret = dpaa_sec_chain_init(dev, xform, session);
} else {
DPAA_SEC_ERR("Not supported: Auth then Cipher");
return -EINVAL;
@@ -2410,12 +2422,17 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
/* AEAD operation for AES-GCM kind of Algorithms */
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD &&
xform->next == NULL) {
- dpaa_sec_aead_init(dev, xform, session);
+ ret = dpaa_sec_aead_init(dev, xform, session);
} else {
DPAA_SEC_ERR("Invalid crypto type");
return -EINVAL;
}
+ if (ret) {
+ DPAA_SEC_ERR("unable to init session");
+ goto err1;
+ }
+
rte_spinlock_lock(&internals->lock);
for (i = 0; i < MAX_DPAA_CORES; i++) {
session->inq[i] = dpaa_sec_attach_rxq(internals);
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h
index 32dc8268c..3ecc7eae5 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.h
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.h
@@ -218,6 +218,27 @@ struct dpaa_sec_op_ctx {
};
static const struct rte_cryptodev_capabilities dpaa_sec_capabilities[] = {
+ { /* NULL (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_NULL,
+ .block_size = 1,
+ .key_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ },
+ .digest_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ },
+ .iv_size = { 0 }
+ }, },
+ }, },
+ },
{ /* MD5 HMAC */
.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
{.sym = {
@@ -374,6 +395,26 @@ static const struct rte_cryptodev_capabilities dpaa_sec_capabilities[] = {
}, }
}, }
},
+ { /* NULL (CIPHER) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+ {.cipher = {
+ .algo = RTE_CRYPTO_CIPHER_NULL,
+ .block_size = 1,
+ .key_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ },
+ .iv_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ }
+ }, },
+ }, }
+ },
{ /* AES CBC */
.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
{.sym = {
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v2 06/13] crypto/dpaa2_sec: add AES-GCM support for lookaside case
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (3 preceding siblings ...)
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 05/13] crypto/dpaa_sec: " Hemant Agrawal
@ 2019-11-01 17:51 ` Hemant Agrawal
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 07/13] crypto/dpaa_sec: " Hemant Agrawal
` (7 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-01 17:51 UTC (permalink / raw)
To: dev, akhil.goyal
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 96 ++++++++++++++++++++-
1 file changed, 92 insertions(+), 4 deletions(-)
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 6c2faa69a..c6b6444aa 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -2550,12 +2550,40 @@ dpaa2_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
switch (aead_xform->algo) {
case RTE_CRYPTO_AEAD_AES_GCM:
- aeaddata->algtype = OP_ALG_ALGSEL_AES;
+ switch (session->digest_length) {
+ case 8:
+ aeaddata->algtype = OP_PCL_IPSEC_AES_GCM8;
+ break;
+ case 12:
+ aeaddata->algtype = OP_PCL_IPSEC_AES_GCM12;
+ break;
+ case 16:
+ aeaddata->algtype = OP_PCL_IPSEC_AES_GCM16;
+ break;
+ default:
+ DPAA2_SEC_ERR("Crypto: Undefined GCM digest %d",
+ session->digest_length);
+ return -1;
+ }
aeaddata->algmode = OP_ALG_AAI_GCM;
session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM;
break;
case RTE_CRYPTO_AEAD_AES_CCM:
- aeaddata->algtype = OP_ALG_ALGSEL_AES;
+ switch (session->digest_length) {
+ case 8:
+ aeaddata->algtype = OP_PCL_IPSEC_AES_CCM8;
+ break;
+ case 12:
+ aeaddata->algtype = OP_PCL_IPSEC_AES_CCM12;
+ break;
+ case 16:
+ aeaddata->algtype = OP_PCL_IPSEC_AES_CCM16;
+ break;
+ default:
+ DPAA2_SEC_ERR("Crypto: Undefined CCM digest %d",
+ session->digest_length);
+ return -1;
+ }
aeaddata->algmode = OP_ALG_AAI_CCM;
session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
break;
@@ -2723,8 +2751,6 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
struct rte_crypto_aead_xform *aead_xform = NULL;
dpaa2_sec_session *session = (dpaa2_sec_session *)sess;
struct ctxt_priv *priv;
- struct ipsec_encap_pdb encap_pdb;
- struct ipsec_decap_pdb decap_pdb;
struct alginfo authdata, cipherdata;
int bufsize;
struct sec_flow_context *flc;
@@ -2764,6 +2790,8 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
aead_xform = &conf->crypto_xform->aead;
ret = dpaa2_sec_ipsec_aead_init(aead_xform,
session, &cipherdata);
+ authdata.keylen = 0;
+ authdata.algtype = 0;
} else {
DPAA2_SEC_ERR("XFORM not specified");
ret = -EINVAL;
@@ -2779,10 +2807,37 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
uint8_t *hdr = NULL;
struct ip ip4_hdr;
struct rte_ipv6_hdr ip6_hdr;
+ struct ipsec_encap_pdb encap_pdb;
flc->dhr = SEC_FLC_DHR_OUTBOUND;
/* For Sec Proto only one descriptor is required. */
memset(&encap_pdb, 0, sizeof(struct ipsec_encap_pdb));
+
+ /* copy algo specific data to PDB */
+ switch (cipherdata.algtype) {
+ case OP_PCL_IPSEC_AES_GCM8:
+ case OP_PCL_IPSEC_AES_GCM12:
+ case OP_PCL_IPSEC_AES_GCM16:
+ memcpy(encap_pdb.gcm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ break;
+ case OP_PCL_IPSEC_AES_CCM8:
+ encap_pdb.ccm.ccm_opt = 0x5B;
+ memcpy(encap_pdb.ccm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ break;
+ case OP_PCL_IPSEC_AES_CCM12:
+ encap_pdb.ccm.ccm_opt = 0x6B;
+ memcpy(encap_pdb.ccm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ break;
+ case OP_PCL_IPSEC_AES_CCM16:
+ encap_pdb.ccm.ccm_opt = 0x7B;
+ memcpy(encap_pdb.ccm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ break;
+ }
+
encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) |
PDBOPTS_ESP_OIHI_PDB_INL |
PDBOPTS_ESP_IVSRC |
@@ -2839,8 +2894,41 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
hdr, &cipherdata, &authdata);
} else if (ipsec_xform->direction ==
RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+ struct ipsec_decap_pdb decap_pdb;
+
flc->dhr = SEC_FLC_DHR_INBOUND;
memset(&decap_pdb, 0, sizeof(struct ipsec_decap_pdb));
+ /* copy algo specific data to PDB */
+ switch (cipherdata.algtype) {
+ case OP_PCL_IPSEC_AES_GCM8:
+ case OP_PCL_IPSEC_AES_GCM12:
+ case OP_PCL_IPSEC_AES_GCM16:
+ memcpy(decap_pdb.gcm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ break;
+ case OP_PCL_IPSEC_AES_CCM8:
+ decap_pdb.ccm.ccm_opt = 0x5B;
+ /* CCM salt length is 3 bytes, left shift 8 bits */
+ ipsec_xform->salt >>= 8;
+ memcpy(decap_pdb.ccm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ break;
+ case OP_PCL_IPSEC_AES_CCM12:
+ decap_pdb.ccm.ccm_opt = 0x6B;
+ /* CCM salt length is 3 bytes, left shift 8 bits */
+ ipsec_xform->salt >>= 8;
+ memcpy(decap_pdb.ccm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ break;
+ case OP_PCL_IPSEC_AES_CCM16:
+ decap_pdb.ccm.ccm_opt = 0x7B;
+ /* CCM salt length is 3 bytes, left shift 8 bits */
+ ipsec_xform->salt >>= 8;
+ memcpy(decap_pdb.ccm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ break;
+ }
+
decap_pdb.options = (ipsec_xform->tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV4) ?
sizeof(struct ip) << 16 :
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v2 07/13] crypto/dpaa_sec: add AES-GCM support for lookaside case
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (4 preceding siblings ...)
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 06/13] crypto/dpaa2_sec: add AES-GCM support for lookaside case Hemant Agrawal
@ 2019-11-01 17:51 ` Hemant Agrawal
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 08/13] test/cryptodev: enable additional cases for dpaax Hemant Agrawal
` (6 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-01 17:51 UTC (permalink / raw)
To: dev, akhil.goyal
This patch add support for AES-128-GCM, when used in
proto lookaside mode.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa_sec/dpaa_sec.c | 331 ++++++++++++++++++++---------
1 file changed, 233 insertions(+), 98 deletions(-)
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index ce7860b24..24a5a7239 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -382,12 +382,14 @@ dpaa_sec_prep_ipsec_cdb(dpaa_sec_session *ses)
cipherdata.algtype = ses->cipher_key.alg;
cipherdata.algmode = ses->cipher_key.algmode;
- authdata.key = (size_t)ses->auth_key.data;
- authdata.keylen = ses->auth_key.length;
- authdata.key_enc_flags = 0;
- authdata.key_type = RTA_DATA_IMM;
- authdata.algtype = ses->auth_key.alg;
- authdata.algmode = ses->auth_key.algmode;
+ if (ses->auth_key.length) {
+ authdata.key = (size_t)ses->auth_key.data;
+ authdata.keylen = ses->auth_key.length;
+ authdata.key_enc_flags = 0;
+ authdata.key_type = RTA_DATA_IMM;
+ authdata.algtype = ses->auth_key.alg;
+ authdata.algmode = ses->auth_key.algmode;
+ }
cdb->sh_desc[0] = cipherdata.keylen;
cdb->sh_desc[1] = authdata.keylen;
@@ -2523,33 +2525,98 @@ dpaa_sec_sym_session_clear(struct rte_cryptodev *dev,
#ifdef RTE_LIBRTE_SECURITY
static int
-dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
- struct rte_security_session_conf *conf,
- void *sess)
+dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
+ struct rte_security_ipsec_xform *ipsec_xform,
+ dpaa_sec_session *session)
{
- struct dpaa_sec_dev_private *internals = dev->data->dev_private;
- struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
- struct rte_crypto_auth_xform *auth_xform = NULL;
- struct rte_crypto_cipher_xform *cipher_xform = NULL;
- dpaa_sec_session *session = (dpaa_sec_session *)sess;
- uint32_t i;
-
PMD_INIT_FUNC_TRACE();
- memset(session, 0, sizeof(dpaa_sec_session));
- if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
- cipher_xform = &conf->crypto_xform->cipher;
- if (conf->crypto_xform->next)
- auth_xform = &conf->crypto_xform->next->auth;
- } else {
- auth_xform = &conf->crypto_xform->auth;
- if (conf->crypto_xform->next)
- cipher_xform = &conf->crypto_xform->next->cipher;
+ session->aead_key.data = rte_zmalloc(NULL, aead_xform->key.length,
+ RTE_CACHE_LINE_SIZE);
+ if (session->aead_key.data == NULL && aead_xform->key.length > 0) {
+ DPAA_SEC_ERR("No Memory for aead key");
+ return -1;
}
- session->proto_alg = conf->protocol;
- session->ctxt = DPAA_SEC_IPSEC;
+ memcpy(session->aead_key.data, aead_xform->key.data,
+ aead_xform->key.length);
- if (cipher_xform && cipher_xform->algo != RTE_CRYPTO_CIPHER_NULL) {
+ session->digest_length = aead_xform->digest_length;
+ session->aead_key.length = aead_xform->key.length;
+
+ switch (aead_xform->algo) {
+ case RTE_CRYPTO_AEAD_AES_GCM:
+ switch (session->digest_length) {
+ case 8:
+ session->aead_key.alg = OP_PCL_IPSEC_AES_GCM8;
+ break;
+ case 12:
+ session->aead_key.alg = OP_PCL_IPSEC_AES_GCM12;
+ break;
+ case 16:
+ session->aead_key.alg = OP_PCL_IPSEC_AES_GCM16;
+ break;
+ default:
+ DPAA_SEC_ERR("Crypto: Undefined GCM digest %d",
+ session->digest_length);
+ return -1;
+ }
+ if (session->dir == DIR_ENC) {
+ memcpy(session->encap_pdb.gcm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ } else {
+ memcpy(session->decap_pdb.gcm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ }
+ session->aead_key.algmode = OP_ALG_AAI_GCM;
+ session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM;
+ break;
+ case RTE_CRYPTO_AEAD_AES_CCM:
+ switch (session->digest_length) {
+ case 8:
+ session->aead_key.alg = OP_PCL_IPSEC_AES_CCM8;
+ session->encap_pdb.ccm.ccm_opt = 0x5B;
+ session->decap_pdb.ccm.ccm_opt = 0x5B;
+ break;
+ case 12:
+ session->aead_key.alg = OP_PCL_IPSEC_AES_CCM12;
+ session->encap_pdb.ccm.ccm_opt = 0x6B;
+ session->decap_pdb.ccm.ccm_opt = 0x6B;
+ break;
+ case 16:
+ session->aead_key.alg = OP_PCL_IPSEC_AES_CCM16;
+ session->encap_pdb.ccm.ccm_opt = 0x7B;
+ session->decap_pdb.ccm.ccm_opt = 0x7B;
+ break;
+ default:
+ DPAA_SEC_ERR("Crypto: Undefined CCM digest %d",
+ session->digest_length);
+ return -1;
+ }
+ if (session->dir == DIR_ENC) {
+ /* todo CCM salt length is 3 bytes, left shift 8 bits */
+ memcpy(session->encap_pdb.ccm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ } else {
+ memcpy(session->decap_pdb.ccm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ }
+ session->aead_key.algmode = OP_ALG_AAI_CCM;
+ session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
+ break;
+ default:
+ DPAA_SEC_ERR("Crypto: Undefined AEAD specified %u",
+ aead_xform->algo);
+ return -1;
+ }
+ return 0;
+}
+
+static int
+dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
+ struct rte_crypto_auth_xform *auth_xform,
+ dpaa_sec_session *session)
+{
+ if (cipher_xform) {
session->cipher_key.data = rte_zmalloc(NULL,
cipher_xform->key.length,
RTE_CACHE_LINE_SIZE);
@@ -2558,31 +2625,10 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
DPAA_SEC_ERR("No Memory for cipher key");
return -ENOMEM;
}
+
+ session->cipher_key.length = cipher_xform->key.length;
memcpy(session->cipher_key.data, cipher_xform->key.data,
cipher_xform->key.length);
- session->cipher_key.length = cipher_xform->key.length;
-
- switch (cipher_xform->algo) {
- case RTE_CRYPTO_CIPHER_NULL:
- session->cipher_key.alg = OP_PCL_IPSEC_NULL;
- break;
- case RTE_CRYPTO_CIPHER_AES_CBC:
- session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
- session->cipher_key.algmode = OP_ALG_AAI_CBC;
- break;
- case RTE_CRYPTO_CIPHER_3DES_CBC:
- session->cipher_key.alg = OP_PCL_IPSEC_3DES;
- session->cipher_key.algmode = OP_ALG_AAI_CBC;
- break;
- case RTE_CRYPTO_CIPHER_AES_CTR:
- session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
- session->cipher_key.algmode = OP_ALG_AAI_CTR;
- break;
- default:
- DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u",
- cipher_xform->algo);
- goto out;
- }
session->cipher_alg = cipher_xform->algo;
} else {
session->cipher_key.data = NULL;
@@ -2590,54 +2636,18 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
session->cipher_alg = RTE_CRYPTO_CIPHER_NULL;
}
- if (auth_xform && auth_xform->algo != RTE_CRYPTO_AUTH_NULL) {
+ if (auth_xform) {
session->auth_key.data = rte_zmalloc(NULL,
auth_xform->key.length,
RTE_CACHE_LINE_SIZE);
if (session->auth_key.data == NULL &&
auth_xform->key.length > 0) {
DPAA_SEC_ERR("No Memory for auth key");
- rte_free(session->cipher_key.data);
return -ENOMEM;
}
+ session->auth_key.length = auth_xform->key.length;
memcpy(session->auth_key.data, auth_xform->key.data,
auth_xform->key.length);
- session->auth_key.length = auth_xform->key.length;
-
- switch (auth_xform->algo) {
- case RTE_CRYPTO_AUTH_NULL:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL;
- session->digest_length = 0;
- break;
- case RTE_CRYPTO_AUTH_MD5_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- case RTE_CRYPTO_AUTH_SHA1_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- case RTE_CRYPTO_AUTH_SHA224_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_160;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- case RTE_CRYPTO_AUTH_SHA256_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- case RTE_CRYPTO_AUTH_SHA384_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- case RTE_CRYPTO_AUTH_SHA512_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- default:
- DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
- auth_xform->algo);
- goto out;
- }
session->auth_alg = auth_xform->algo;
} else {
session->auth_key.data = NULL;
@@ -2645,12 +2655,142 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
session->auth_alg = RTE_CRYPTO_AUTH_NULL;
}
+ switch (session->auth_alg) {
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96;
+ session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ break;
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96;
+ session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ break;
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
+ session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ break;
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
+ session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ break;
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256;
+ session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ break;
+ case RTE_CRYPTO_AUTH_AES_CMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_AES_CMAC_96;
+ break;
+ case RTE_CRYPTO_AUTH_NULL:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL;
+ break;
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+ case RTE_CRYPTO_AUTH_SNOW3G_UIA2:
+ case RTE_CRYPTO_AUTH_SHA1:
+ case RTE_CRYPTO_AUTH_SHA256:
+ case RTE_CRYPTO_AUTH_SHA512:
+ case RTE_CRYPTO_AUTH_SHA224:
+ case RTE_CRYPTO_AUTH_SHA384:
+ case RTE_CRYPTO_AUTH_MD5:
+ case RTE_CRYPTO_AUTH_AES_GMAC:
+ case RTE_CRYPTO_AUTH_KASUMI_F9:
+ case RTE_CRYPTO_AUTH_AES_CBC_MAC:
+ case RTE_CRYPTO_AUTH_ZUC_EIA3:
+ DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
+ session->auth_alg);
+ return -1;
+ default:
+ DPAA_SEC_ERR("Crypto: Undefined Auth specified %u",
+ session->auth_alg);
+ return -1;
+ }
+
+ switch (session->cipher_alg) {
+ case RTE_CRYPTO_CIPHER_AES_CBC:
+ session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
+ session->cipher_key.algmode = OP_ALG_AAI_CBC;
+ break;
+ case RTE_CRYPTO_CIPHER_3DES_CBC:
+ session->cipher_key.alg = OP_PCL_IPSEC_3DES;
+ session->cipher_key.algmode = OP_ALG_AAI_CBC;
+ break;
+ case RTE_CRYPTO_CIPHER_AES_CTR:
+ session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
+ session->cipher_key.algmode = OP_ALG_AAI_CTR;
+ break;
+ case RTE_CRYPTO_CIPHER_NULL:
+ session->cipher_key.alg = OP_PCL_IPSEC_NULL;
+ break;
+ case RTE_CRYPTO_CIPHER_SNOW3G_UEA2:
+ case RTE_CRYPTO_CIPHER_ZUC_EEA3:
+ case RTE_CRYPTO_CIPHER_3DES_ECB:
+ case RTE_CRYPTO_CIPHER_AES_ECB:
+ case RTE_CRYPTO_CIPHER_KASUMI_F8:
+ DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u",
+ session->cipher_alg);
+ return -1;
+ default:
+ DPAA_SEC_ERR("Crypto: Undefined Cipher specified %u",
+ session->cipher_alg);
+ return -1;
+ }
+
+ return 0;
+}
+
+static int
+dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
+ struct rte_security_session_conf *conf,
+ void *sess)
+{
+ struct dpaa_sec_dev_private *internals = dev->data->dev_private;
+ struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
+ struct rte_crypto_auth_xform *auth_xform = NULL;
+ struct rte_crypto_cipher_xform *cipher_xform = NULL;
+ struct rte_crypto_aead_xform *aead_xform = NULL;
+ dpaa_sec_session *session = (dpaa_sec_session *)sess;
+ uint32_t i;
+ int ret;
+
+ PMD_INIT_FUNC_TRACE();
+
+ memset(session, 0, sizeof(dpaa_sec_session));
+ session->proto_alg = conf->protocol;
+ session->ctxt = DPAA_SEC_IPSEC;
+
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
+ session->dir = DIR_ENC;
+ else
+ session->dir = DIR_DEC;
+
+ if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
+ cipher_xform = &conf->crypto_xform->cipher;
+ if (conf->crypto_xform->next)
+ auth_xform = &conf->crypto_xform->next->auth;
+ ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
+ session);
+ } else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+ auth_xform = &conf->crypto_xform->auth;
+ if (conf->crypto_xform->next)
+ cipher_xform = &conf->crypto_xform->next->cipher;
+ ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
+ session);
+ } else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ aead_xform = &conf->crypto_xform->aead;
+ ret = dpaa_sec_ipsec_aead_init(aead_xform,
+ ipsec_xform, session);
+ } else {
+ DPAA_SEC_ERR("XFORM not specified");
+ ret = -EINVAL;
+ goto out;
+ }
+ if (ret) {
+ DPAA_SEC_ERR("Failed to process xform");
+ goto out;
+ }
+
if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
if (ipsec_xform->tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
- memset(&session->encap_pdb, 0,
- sizeof(struct ipsec_encap_pdb) +
- sizeof(session->ip4_hdr));
session->ip4_hdr.ip_v = IPVERSION;
session->ip4_hdr.ip_hl = 5;
session->ip4_hdr.ip_len = rte_cpu_to_be_16(
@@ -2673,9 +2813,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
session->encap_pdb.ip_hdr_len = sizeof(struct ip);
} else if (ipsec_xform->tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
- memset(&session->encap_pdb, 0,
- sizeof(struct ipsec_encap_pdb) +
- sizeof(session->ip6_hdr));
session->ip6_hdr.vtc_flow = rte_cpu_to_be_32(
DPAA_IPv6_DEFAULT_VTC_FLOW |
((ipsec_xform->tunnel.ipv6.dscp <<
@@ -2707,10 +2844,9 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
if (ipsec_xform->options.esn)
session->encap_pdb.options |= PDBOPTS_ESP_ESN;
session->encap_pdb.spi = ipsec_xform->spi;
- session->dir = DIR_ENC;
+
} else if (ipsec_xform->direction ==
RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
- memset(&session->decap_pdb, 0, sizeof(struct ipsec_decap_pdb));
if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
session->decap_pdb.options = sizeof(struct ip) << 16;
else
@@ -2744,7 +2880,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
PDBOPTS_ESP_ARS128;
}
}
- session->dir = DIR_DEC;
} else
goto out;
rte_spinlock_lock(&internals->lock);
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v2 08/13] test/cryptodev: enable additional cases for dpaax
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (5 preceding siblings ...)
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 07/13] crypto/dpaa_sec: " Hemant Agrawal
@ 2019-11-01 17:51 ` Hemant Agrawal
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 09/13] crypto/dpaa2_sec: enable warning with truncated sha256 Hemant Agrawal
` (5 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-01 17:51 UTC (permalink / raw)
To: dev, akhil.goyal
This patch enables short buffer and 12 bit IV AES-CTR cases
for dpaax_sec pmds.
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
app/test/test_cryptodev_aes_test_vectors.h | 24 +++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/app/test/test_cryptodev_aes_test_vectors.h b/app/test/test_cryptodev_aes_test_vectors.h
index 54a8082cf..9afa3aef8 100644
--- a/app/test/test_cryptodev_aes_test_vectors.h
+++ b/app/test/test_cryptodev_aes_test_vectors.h
@@ -1605,6 +1605,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
.feature_mask = BLOCKCIPHER_TEST_FEATURE_OOP,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
BLOCKCIPHER_TEST_TARGET_PMD_QAT |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
BLOCKCIPHER_TEST_TARGET_PMD_NITROX
},
{
@@ -1716,6 +1718,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
.test_data = &aes_test_data_13,
.op_mask = BLOCKCIPHER_TEST_OP_ENC_AUTH_GEN,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1777,6 +1781,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
.test_data = &aes_test_data_13,
.op_mask = BLOCKCIPHER_TEST_OP_AUTH_VERIFY_DEC,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1806,6 +1812,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
.test_data = &aes_test_data_12,
.op_mask = BLOCKCIPHER_TEST_OP_ENC_AUTH_GEN,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1835,6 +1843,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
.test_data = &aes_test_data_12,
.op_mask = BLOCKCIPHER_TEST_OP_AUTH_VERIFY_DEC,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1954,6 +1964,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
.op_mask = BLOCKCIPHER_TEST_OP_ENC_AUTH_GEN,
.feature_mask = BLOCKCIPHER_TEST_FEATURE_OOP,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
BLOCKCIPHER_TEST_TARGET_PMD_QAT |
BLOCKCIPHER_TEST_TARGET_PMD_NITROX
},
@@ -2400,7 +2412,9 @@ static const struct blockcipher_test_case aes_cipheronly_test_cases[] = {
.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
- BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2
+ BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2 |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC
},
{
.test_descr = "AES-192-CTR Encryption (12-byte IV)",
@@ -2408,7 +2422,9 @@ static const struct blockcipher_test_case aes_cipheronly_test_cases[] = {
.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
- BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2
+ BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2 |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC
},
{
.test_descr = "AES-256-CTR Encryption (12-byte IV)",
@@ -2416,7 +2432,9 @@ static const struct blockcipher_test_case aes_cipheronly_test_cases[] = {
.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
- BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2
+ BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2 |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC
},
{
.test_descr = "AES-128-XTS Encryption (16-byte plaintext)",
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v2 09/13] crypto/dpaa2_sec: enable warning with truncated sha256
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (6 preceding siblings ...)
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 08/13] test/cryptodev: enable additional cases for dpaax Hemant Agrawal
@ 2019-11-01 17:51 ` Hemant Agrawal
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 10/13] crypto/dpaa2_sec: remove unwanted context type check Hemant Agrawal
` (4 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-01 17:51 UTC (permalink / raw)
To: dev, akhil.goyal
This patch throw the warning when using truncted digest
len for SHA256 case.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 4 ++++
drivers/crypto/dpaa_sec/dpaa_sec.c | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index c6b6444aa..32e6c71a9 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -2660,6 +2660,10 @@ dpaa2_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
case RTE_CRYPTO_AUTH_SHA256_HMAC:
authdata->algtype = OP_PCL_IPSEC_HMAC_SHA2_256_128;
authdata->algmode = OP_ALG_AAI_HMAC;
+ if (session->digest_length != 16)
+ DPAA2_SEC_WARN(
+ "+++Using sha256-hmac truncated len is non-standard,"
+ "it will not work with lookaside proto");
break;
case RTE_CRYPTO_AUTH_SHA384_HMAC:
authdata->algtype = OP_PCL_IPSEC_HMAC_SHA2_384_192;
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 24a5a7239..aec5af1c5 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2667,6 +2667,10 @@ dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
case RTE_CRYPTO_AUTH_SHA256_HMAC:
session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ if (session->digest_length != 16)
+ DPAA_SEC_WARN(
+ "+++Using sha256-hmac truncated len is non-standard,"
+ "it will not work with lookaside proto");
break;
case RTE_CRYPTO_AUTH_SHA384_HMAC:
session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v2 10/13] crypto/dpaa2_sec: remove unwanted context type check
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (7 preceding siblings ...)
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 09/13] crypto/dpaa2_sec: enable warning with truncated sha256 Hemant Agrawal
@ 2019-11-01 17:51 ` Hemant Agrawal
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 11/13] crypto/dpaa_sec: use macros in queue attach and detach Hemant Agrawal
` (3 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-01 17:51 UTC (permalink / raw)
To: dev, akhil.goyal
From: Gagandeep Singh <g.singh@nxp.com>
This patch remove redundant checks.
Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 32e6c71a9..4a1887c4c 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1585,18 +1585,13 @@ sec_fd_to_mbuf(const struct qbman_fd *fd)
#ifdef RTE_LIBRTE_SECURITY
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
- dpaa2_sec_session *sess = (dpaa2_sec_session *)
- get_sec_session_private_data(op->sym->sec_session);
- if (sess->ctxt_type == DPAA2_SEC_IPSEC ||
- sess->ctxt_type == DPAA2_SEC_PDCP) {
- uint16_t len = DPAA2_GET_FD_LEN(fd);
- dst->pkt_len = len;
- while (dst->next != NULL) {
- len -= dst->data_len;
- dst = dst->next;
- }
- dst->data_len = len;
+ uint16_t len = DPAA2_GET_FD_LEN(fd);
+ dst->pkt_len = len;
+ while (dst->next != NULL) {
+ len -= dst->data_len;
+ dst = dst->next;
}
+ dst->data_len = len;
}
#endif
DPAA2_SEC_DP_DEBUG("mbuf %p BMAN buf addr %p,"
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v2 11/13] crypto/dpaa_sec: use macros in queue attach and detach
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (8 preceding siblings ...)
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 10/13] crypto/dpaa2_sec: remove unwanted context type check Hemant Agrawal
@ 2019-11-01 17:51 ` Hemant Agrawal
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 12/13] crypto/dpaa2_sec: use aes-ctr initial counter as 1 Hemant Agrawal
` (2 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-01 17:51 UTC (permalink / raw)
To: dev, akhil.goyal
From: Gagandeep Singh <g.singh@nxp.com>
Align the cleanup and allocation for the queues.
Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
drivers/crypto/dpaa_sec/dpaa_sec.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index aec5af1c5..f7c5b5183 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2303,7 +2303,7 @@ dpaa_sec_attach_rxq(struct dpaa_sec_dev_private *qi)
{
unsigned int i;
- for (i = 0; i < qi->max_nb_sessions * MAX_DPAA_CORES; i++) {
+ for (i = 0; i < RTE_DPAA_MAX_RX_QUEUE; i++) {
if (qi->inq_attach[i] == 0) {
qi->inq_attach[i] = 1;
return &qi->inq[i];
@@ -2319,9 +2319,10 @@ dpaa_sec_detach_rxq(struct dpaa_sec_dev_private *qi, struct qman_fq *fq)
{
unsigned int i;
- for (i = 0; i < qi->max_nb_sessions; i++) {
+ for (i = 0; i < RTE_DPAA_MAX_RX_QUEUE; i++) {
if (&qi->inq[i] == fq) {
- qman_retire_fq(fq, NULL);
+ if (qman_retire_fq(fq, NULL) != 0)
+ DPAA_SEC_WARN("Queue is not retired\n");
qman_oos_fq(fq);
qi->inq_attach[i] = 0;
return 0;
@@ -3456,7 +3457,7 @@ dpaa_sec_dev_init(struct rte_cryptodev *cryptodev)
flags = QMAN_FQ_FLAG_LOCKED | QMAN_FQ_FLAG_DYNAMIC_FQID |
QMAN_FQ_FLAG_TO_DCPORTAL;
- for (i = 0; i < MAX_DPAA_CORES * internals->max_nb_sessions; i++) {
+ for (i = 0; i < RTE_DPAA_MAX_RX_QUEUE; i++) {
/* create rx qman fq for sessions*/
ret = qman_create_fq(0, flags, &internals->inq[i]);
if (unlikely(ret != 0)) {
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v2 12/13] crypto/dpaa2_sec: use aes-ctr initial counter as 1
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (9 preceding siblings ...)
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 11/13] crypto/dpaa_sec: use macros in queue attach and detach Hemant Agrawal
@ 2019-11-01 17:51 ` Hemant Agrawal
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 13/13] crypto/dpaa_sec: enable ipsec aes-ctr to use nonce Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-01 17:51 UTC (permalink / raw)
To: dev, akhil.goyal
From: Vakul Garg <vakul.garg@nxp.com>
As per RFC3686, the initial aes-ctr counter value should be '1' for use
in ipsec. The patches changes SEC descriptor for using correct counter
value. In addition, it drops a redundant parameter for passing IV while
creating the descriptor.
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
---
drivers/common/dpaax/caamflib/desc/algo.h | 21 +++++++++++++--------
drivers/crypto/caam_jr/caam_jr.c | 1 -
drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 8 ++++----
drivers/crypto/dpaa_sec/dpaa_sec.c | 1 -
4 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/drivers/common/dpaax/caamflib/desc/algo.h b/drivers/common/dpaax/caamflib/desc/algo.h
index 83dbb80ce..345bb5b3f 100644
--- a/drivers/common/dpaax/caamflib/desc/algo.h
+++ b/drivers/common/dpaax/caamflib/desc/algo.h
@@ -289,12 +289,12 @@ cnstr_shdsc_snow_f9(uint32_t *descbuf, bool ps, bool swap,
static inline int
cnstr_shdsc_blkcipher(uint32_t *descbuf, bool ps, bool swap,
enum rta_share_type share,
- struct alginfo *cipherdata, uint8_t *iv,
+ struct alginfo *cipherdata,
uint32_t ivlen, uint8_t dir)
{
struct program prg;
struct program *p = &prg;
- uint32_t iv_off = 0;
+ uint32_t iv_off = 0, counter;
const bool need_dk = (dir == DIR_DEC) &&
(cipherdata->algtype == OP_ALG_ALGSEL_AES) &&
(cipherdata->algmode == OP_ALG_AAI_CBC);
@@ -336,12 +336,17 @@ cnstr_shdsc_blkcipher(uint32_t *descbuf, bool ps, bool swap,
if (cipherdata->algmode == OP_ALG_AAI_CTR)
iv_off = 16;
- if (iv)
- /* IV load, convert size */
- LOAD(p, (uintptr_t)iv, CONTEXT1, iv_off, ivlen, IMMED | COPY);
- else
- /* IV is present first before the actual message */
- SEQLOAD(p, CONTEXT1, iv_off, ivlen, 0);
+ /* IV is present first before the actual message */
+ SEQLOAD(p, CONTEXT1, iv_off, ivlen, 0);
+
+ /* If IV len is less than 16 bytes, set 'counter' as 1 */
+ if (cipherdata->algmode == OP_ALG_AAI_CTR && ivlen < 16) {
+ counter = 1;
+ if (!swap)
+ counter = swab32(1);
+
+ LOAD(p, counter, CONTEXT1, (iv_off + ivlen), 16 - ivlen, IMMED);
+ }
MATHB(p, SEQINSZ, SUB, MATH2, VSEQINSZ, 4, 0);
MATHB(p, SEQINSZ, SUB, MATH2, VSEQOUTSZ, 4, 0);
diff --git a/drivers/crypto/caam_jr/caam_jr.c b/drivers/crypto/caam_jr/caam_jr.c
index d1da9a64c..8aaa3d45f 100644
--- a/drivers/crypto/caam_jr/caam_jr.c
+++ b/drivers/crypto/caam_jr/caam_jr.c
@@ -336,7 +336,6 @@ caam_jr_prep_cdb(struct caam_jr_session *ses)
shared_desc_len = cnstr_shdsc_blkcipher(
cdb->sh_desc, true,
swap, SHR_NEVER, &alginfo_c,
- NULL,
ses->iv.length,
ses->dir);
} else if (is_auth_only(ses)) {
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 4a1887c4c..7368fc248 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1861,7 +1861,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
cipherdata.algmode = OP_ALG_AAI_CBC;
session->cipher_alg = RTE_CRYPTO_CIPHER_AES_CBC;
bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
- SHR_NEVER, &cipherdata, NULL,
+ SHR_NEVER, &cipherdata,
session->iv.length,
session->dir);
break;
@@ -1870,7 +1870,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
cipherdata.algmode = OP_ALG_AAI_CBC;
session->cipher_alg = RTE_CRYPTO_CIPHER_3DES_CBC;
bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
- SHR_NEVER, &cipherdata, NULL,
+ SHR_NEVER, &cipherdata,
session->iv.length,
session->dir);
break;
@@ -1879,7 +1879,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
cipherdata.algmode = OP_ALG_AAI_CTR;
session->cipher_alg = RTE_CRYPTO_CIPHER_AES_CTR;
bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
- SHR_NEVER, &cipherdata, NULL,
+ SHR_NEVER, &cipherdata,
session->iv.length,
session->dir);
break;
@@ -1888,7 +1888,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
cipherdata.algmode = OP_ALG_AAI_CTR;
session->cipher_alg = RTE_CRYPTO_CIPHER_3DES_CTR;
bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
- SHR_NEVER, &cipherdata, NULL,
+ SHR_NEVER, &cipherdata,
session->iv.length,
session->dir);
break;
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index f7c5b5183..c52593746 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -478,7 +478,6 @@ dpaa_sec_prep_cdb(dpaa_sec_session *ses)
shared_desc_len = cnstr_shdsc_blkcipher(
cdb->sh_desc, true,
swap, SHR_NEVER, &alginfo_c,
- NULL,
ses->iv.length,
ses->dir);
break;
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v2 13/13] crypto/dpaa_sec: enable ipsec aes-ctr to use nonce
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (10 preceding siblings ...)
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 12/13] crypto/dpaa2_sec: use aes-ctr initial counter as 1 Hemant Agrawal
@ 2019-11-01 17:51 ` Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-01 17:51 UTC (permalink / raw)
To: dev, akhil.goyal
From: Vakul Garg <vakul.garg@nxp.com>
The protocol aware ipsec descriptor has been modified to
use ctr_initial value of 1 and salt configured for ipsec SA.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
---
drivers/common/dpaax/caamflib/desc/ipsec.h | 18 ++++++++----------
drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 8 ++++++++
drivers/crypto/dpaa_sec/dpaa_sec.c | 12 ++++++++++--
3 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/drivers/common/dpaax/caamflib/desc/ipsec.h b/drivers/common/dpaax/caamflib/desc/ipsec.h
index f33c68cc9..cf6fa4252 100644
--- a/drivers/common/dpaax/caamflib/desc/ipsec.h
+++ b/drivers/common/dpaax/caamflib/desc/ipsec.h
@@ -256,14 +256,14 @@ struct ipsec_encap_cbc {
/**
* struct ipsec_encap_ctr - PDB part for IPsec CTR encapsulation
- * @ctr_nonce: 4-byte array nonce
+ * @ctr_nonce: 4-byte nonce
* @ctr_initial: initial count constant
* @iv: initialization vector
*/
struct ipsec_encap_ctr {
- uint8_t ctr_nonce[4];
+ uint32_t ctr_nonce;
uint32_t ctr_initial;
- uint64_t iv;
+ uint8_t iv[8];
};
/**
@@ -346,10 +346,9 @@ __rta_copy_ipsec_encap_pdb(struct program *program,
break;
case OP_PCL_IPSEC_AES_CTR:
- rta_copy_data(program, pdb->ctr.ctr_nonce,
- sizeof(pdb->ctr.ctr_nonce));
+ rta_copy_data(program, (uint8_t *)&pdb->ctr.ctr_nonce, 4);
__rta_out32(program, pdb->ctr.ctr_initial);
- __rta_out64(program, true, pdb->ctr.iv);
+ rta_copy_data(program, pdb->ctr.iv, sizeof(pdb->ctr.iv));
break;
case OP_PCL_IPSEC_AES_CCM8:
@@ -386,11 +385,11 @@ struct ipsec_decap_cbc {
/**
* struct ipsec_decap_ctr - PDB part for IPsec CTR decapsulation
- * @ctr_nonce: 4-byte array nonce
+ * @ctr_nonce: 4-byte nonce
* @ctr_initial: initial count constant
*/
struct ipsec_decap_ctr {
- uint8_t ctr_nonce[4];
+ uint32_t ctr_nonce;
uint32_t ctr_initial;
};
@@ -464,8 +463,7 @@ __rta_copy_ipsec_decap_pdb(struct program *program,
break;
case OP_PCL_IPSEC_AES_CTR:
- rta_copy_data(program, pdb->ctr.ctr_nonce,
- sizeof(pdb->ctr.ctr_nonce));
+ rta_copy_data(program, (uint8_t *)&pdb->ctr.ctr_nonce, 4);
__rta_out32(program, pdb->ctr.ctr_initial);
break;
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 7368fc248..e774b379a 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -2814,6 +2814,10 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
/* copy algo specific data to PDB */
switch (cipherdata.algtype) {
+ case OP_PCL_IPSEC_AES_CTR:
+ encap_pdb.ctr.ctr_initial = 0x00000001;
+ encap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+ break;
case OP_PCL_IPSEC_AES_GCM8:
case OP_PCL_IPSEC_AES_GCM12:
case OP_PCL_IPSEC_AES_GCM16:
@@ -2899,6 +2903,10 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
memset(&decap_pdb, 0, sizeof(struct ipsec_decap_pdb));
/* copy algo specific data to PDB */
switch (cipherdata.algtype) {
+ case OP_PCL_IPSEC_AES_CTR:
+ decap_pdb.ctr.ctr_initial = 0x00000001;
+ decap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+ break;
case OP_PCL_IPSEC_AES_GCM8:
case OP_PCL_IPSEC_AES_GCM12:
case OP_PCL_IPSEC_AES_GCM16:
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index c52593746..59f6097bb 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2614,6 +2614,7 @@ dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
static int
dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
struct rte_crypto_auth_xform *auth_xform,
+ struct rte_security_ipsec_xform *ipsec_xform,
dpaa_sec_session *session)
{
if (cipher_xform) {
@@ -2720,6 +2721,13 @@ dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
case RTE_CRYPTO_CIPHER_AES_CTR:
session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
session->cipher_key.algmode = OP_ALG_AAI_CTR;
+ if (session->dir == DIR_ENC) {
+ session->encap_pdb.ctr.ctr_initial = 0x00000001;
+ session->encap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+ } else {
+ session->decap_pdb.ctr.ctr_initial = 0x00000001;
+ session->decap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+ }
break;
case RTE_CRYPTO_CIPHER_NULL:
session->cipher_key.alg = OP_PCL_IPSEC_NULL;
@@ -2771,13 +2779,13 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
if (conf->crypto_xform->next)
auth_xform = &conf->crypto_xform->next->auth;
ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
- session);
+ ipsec_xform, session);
} else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
auth_xform = &conf->crypto_xform->auth;
if (conf->crypto_xform->next)
cipher_xform = &conf->crypto_xform->next->cipher;
ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
- session);
+ ipsec_xform, session);
} else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
aead_xform = &conf->crypto_xform->aead;
ret = dpaa_sec_ipsec_aead_init(aead_xform,
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (11 preceding siblings ...)
2019-11-01 17:51 ` [dpdk-dev] [PATCH v2 13/13] crypto/dpaa_sec: enable ipsec aes-ctr to use nonce Hemant Agrawal
@ 2019-11-06 5:17 ` Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 02/13] crypto/dpaa2_sec: add check for the session validity Hemant Agrawal
` (12 more replies)
12 siblings, 13 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-06 5:17 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
set the pdcp capa_flags to 0 by default.
Fixes: a1173d55598c ("crypto/dpaa_sec: support PDCP offload")
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa_sec/dpaa_sec.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h
index c10ec1007..29ffe5631 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.h
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.h
@@ -712,6 +712,7 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = {
.protocol = RTE_SECURITY_PROTOCOL_PDCP,
.pdcp = {
.domain = RTE_SECURITY_PDCP_MODE_DATA,
+ .capa_flags = 0
},
.crypto_capabilities = dpaa_pdcp_capabilities
},
@@ -720,6 +721,7 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = {
.protocol = RTE_SECURITY_PROTOCOL_PDCP,
.pdcp = {
.domain = RTE_SECURITY_PDCP_MODE_CONTROL,
+ .capa_flags = 0
},
.crypto_capabilities = dpaa_pdcp_capabilities
},
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v3 02/13] crypto/dpaa2_sec: add check for the session validity
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
@ 2019-11-06 5:17 ` Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 03/13] crypto/dpaa_sec: " Hemant Agrawal
` (11 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-06 5:17 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
Check if the session is not null during processing.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index b04890a48..7d51112c5 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1365,6 +1365,9 @@ build_sec_fd(struct rte_crypto_op *op,
else
return -1;
+ if (!sess)
+ return -1;
+
/* Any of the buffer is segmented*/
if (!rte_pktmbuf_is_contiguous(op->sym->m_src) ||
((op->sym->m_dst != NULL) &&
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v3 03/13] crypto/dpaa_sec: add check for the session validity
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 02/13] crypto/dpaa2_sec: add check for the session validity Hemant Agrawal
@ 2019-11-06 5:17 ` Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 04/13] crypto/dpaa2_sec: adding NULL cipher or NULL auth Hemant Agrawal
` (10 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-06 5:17 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
Check if the session is not null during processing.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa_sec/dpaa_sec.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 6c186338f..343a565a2 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -1773,6 +1773,14 @@ dpaa_sec_enqueue_burst(void *qp, struct rte_crypto_op **ops,
nb_ops = loop;
goto send_pkts;
}
+
+ if (!ses) {
+ DPAA_SEC_DP_ERR("session not available");
+ frames_to_send = loop;
+ nb_ops = loop;
+ goto send_pkts;
+ }
+
if (unlikely(!ses->qp[rte_lcore_id() % MAX_DPAA_CORES])) {
if (dpaa_sec_attach_sess_q(qp, ses)) {
frames_to_send = loop;
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v3 04/13] crypto/dpaa2_sec: adding NULL cipher or NULL auth
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 02/13] crypto/dpaa2_sec: add check for the session validity Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 03/13] crypto/dpaa_sec: " Hemant Agrawal
@ 2019-11-06 5:17 ` Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 05/13] crypto/dpaa_sec: " Hemant Agrawal
` (9 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-06 5:17 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
These are supported when using protocol offload mode or in chain mode.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 22 +++++++----
drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 41 +++++++++++++++++++++
2 files changed, 56 insertions(+), 7 deletions(-)
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 7d51112c5..dd80e6dc5 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1,7 +1,7 @@
/* SPDX-License-Identifier: BSD-3-Clause
*
* Copyright (c) 2016 Freescale Semiconductor, Inc. All rights reserved.
- * Copyright 2016-2018 NXP
+ * Copyright 2016-2019 NXP
*
*/
@@ -1834,6 +1834,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
flc = &priv->flc_desc[0].flc;
+ session->ctxt_type = DPAA2_SEC_CIPHER;
session->cipher_key.data = rte_zmalloc(NULL, xform->cipher.key.length,
RTE_CACHE_LINE_SIZE);
if (session->cipher_key.data == NULL) {
@@ -1970,6 +1971,7 @@ dpaa2_sec_auth_init(struct rte_cryptodev *dev,
priv->fle_pool = dev_priv->fle_pool;
flc = &priv->flc_desc[DESC_INITFINAL].flc;
+ session->ctxt_type = DPAA2_SEC_AUTH;
session->auth_key.data = rte_zmalloc(NULL, xform->auth.key.length,
RTE_CACHE_LINE_SIZE);
if (session->auth_key.data == NULL) {
@@ -2478,27 +2480,33 @@ dpaa2_sec_set_session_parameters(struct rte_cryptodev *dev,
/* Cipher Only */
if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform->next == NULL) {
- session->ctxt_type = DPAA2_SEC_CIPHER;
ret = dpaa2_sec_cipher_init(dev, xform, session);
/* Authentication Only */
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
xform->next == NULL) {
- session->ctxt_type = DPAA2_SEC_AUTH;
ret = dpaa2_sec_auth_init(dev, xform, session);
/* Cipher then Authenticate */
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
session->ext_params.aead_ctxt.auth_cipher_text = true;
- ret = dpaa2_sec_aead_chain_init(dev, xform, session);
-
+ if (xform->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+ ret = dpaa2_sec_auth_init(dev, xform, session);
+ else if (xform->next->auth.algo == RTE_CRYPTO_AUTH_NULL)
+ ret = dpaa2_sec_cipher_init(dev, xform, session);
+ else
+ ret = dpaa2_sec_aead_chain_init(dev, xform, session);
/* Authenticate then Cipher */
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
session->ext_params.aead_ctxt.auth_cipher_text = false;
- ret = dpaa2_sec_aead_chain_init(dev, xform, session);
-
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_NULL)
+ ret = dpaa2_sec_cipher_init(dev, xform, session);
+ else if (xform->next->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+ ret = dpaa2_sec_auth_init(dev, xform, session);
+ else
+ ret = dpaa2_sec_aead_chain_init(dev, xform, session);
/* AEAD operation for AES-GCM kind of Algorithms */
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD &&
xform->next == NULL) {
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
index 662559422..c10fbf8dd 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
@@ -200,6 +200,27 @@ typedef struct dpaa2_sec_session_entry {
} dpaa2_sec_session;
static const struct rte_cryptodev_capabilities dpaa2_sec_capabilities[] = {
+ { /* NULL (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_NULL,
+ .block_size = 1,
+ .key_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ },
+ .digest_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ },
+ .iv_size = { 0 }
+ }, },
+ }, },
+ },
{ /* MD5 HMAC */
.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
{.sym = {
@@ -356,6 +377,26 @@ static const struct rte_cryptodev_capabilities dpaa2_sec_capabilities[] = {
}, }
}, }
},
+ { /* NULL (CIPHER) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+ {.cipher = {
+ .algo = RTE_CRYPTO_CIPHER_NULL,
+ .block_size = 1,
+ .key_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ },
+ .iv_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ }
+ }, },
+ }, }
+ },
{ /* AES CBC */
.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
{.sym = {
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v3 05/13] crypto/dpaa_sec: adding NULL cipher or NULL auth
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (2 preceding siblings ...)
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 04/13] crypto/dpaa2_sec: adding NULL cipher or NULL auth Hemant Agrawal
@ 2019-11-06 5:17 ` Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 06/13] crypto/dpaa2_sec: add AES-GCM support for lookaside case Hemant Agrawal
` (8 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-06 5:17 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
These are supported when using protocol offload mode or when
in chain mode.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa_sec/dpaa_sec.c | 33 ++++++++++++++++++------
drivers/crypto/dpaa_sec/dpaa_sec.h | 41 ++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+), 8 deletions(-)
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 343a565a2..0ef17ee00 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2037,6 +2037,7 @@ dpaa_sec_cipher_init(struct rte_cryptodev *dev __rte_unused,
struct rte_crypto_sym_xform *xform,
dpaa_sec_session *session)
{
+ session->ctxt = DPAA_SEC_CIPHER;
session->cipher_alg = xform->cipher.algo;
session->iv.length = xform->cipher.iv.length;
session->iv.offset = xform->cipher.iv.offset;
@@ -2086,6 +2087,7 @@ dpaa_sec_auth_init(struct rte_cryptodev *dev __rte_unused,
struct rte_crypto_sym_xform *xform,
dpaa_sec_session *session)
{
+ session->ctxt = DPAA_SEC_AUTH;
session->auth_alg = xform->auth.algo;
session->auth_key.data = rte_zmalloc(NULL, xform->auth.key.length,
RTE_CACHE_LINE_SIZE);
@@ -2158,6 +2160,7 @@ dpaa_sec_chain_init(struct rte_cryptodev *dev __rte_unused,
struct rte_crypto_cipher_xform *cipher_xform;
struct rte_crypto_auth_xform *auth_xform;
+ session->ctxt = DPAA_SEC_CIPHER_HASH;
if (session->auth_cipher_text) {
cipher_xform = &xform->cipher;
auth_xform = &xform->next->auth;
@@ -2359,6 +2362,7 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
struct dpaa_sec_dev_private *internals = dev->data->dev_private;
dpaa_sec_session *session = sess;
uint32_t i;
+ int ret;
PMD_INIT_FUNC_TRACE();
@@ -2374,23 +2378,26 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
/* Cipher Only */
if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform->next == NULL) {
session->auth_alg = RTE_CRYPTO_AUTH_NULL;
- session->ctxt = DPAA_SEC_CIPHER;
- dpaa_sec_cipher_init(dev, xform, session);
+ ret = dpaa_sec_cipher_init(dev, xform, session);
/* Authentication Only */
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
xform->next == NULL) {
session->cipher_alg = RTE_CRYPTO_CIPHER_NULL;
session->ctxt = DPAA_SEC_AUTH;
- dpaa_sec_auth_init(dev, xform, session);
+ ret = dpaa_sec_auth_init(dev, xform, session);
/* Cipher then Authenticate */
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
if (xform->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
- session->ctxt = DPAA_SEC_CIPHER_HASH;
session->auth_cipher_text = 1;
- dpaa_sec_chain_init(dev, xform, session);
+ if (xform->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+ ret = dpaa_sec_auth_init(dev, xform, session);
+ else if (xform->next->auth.algo == RTE_CRYPTO_AUTH_NULL)
+ ret = dpaa_sec_cipher_init(dev, xform, session);
+ else
+ ret = dpaa_sec_chain_init(dev, xform, session);
} else {
DPAA_SEC_ERR("Not supported: Auth then Cipher");
return -EINVAL;
@@ -2399,9 +2406,14 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
if (xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_DECRYPT) {
- session->ctxt = DPAA_SEC_CIPHER_HASH;
session->auth_cipher_text = 0;
- dpaa_sec_chain_init(dev, xform, session);
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_NULL)
+ ret = dpaa_sec_cipher_init(dev, xform, session);
+ else if (xform->next->cipher.algo
+ == RTE_CRYPTO_CIPHER_NULL)
+ ret = dpaa_sec_auth_init(dev, xform, session);
+ else
+ ret = dpaa_sec_chain_init(dev, xform, session);
} else {
DPAA_SEC_ERR("Not supported: Auth then Cipher");
return -EINVAL;
@@ -2410,12 +2422,17 @@ dpaa_sec_set_session_parameters(struct rte_cryptodev *dev,
/* AEAD operation for AES-GCM kind of Algorithms */
} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD &&
xform->next == NULL) {
- dpaa_sec_aead_init(dev, xform, session);
+ ret = dpaa_sec_aead_init(dev, xform, session);
} else {
DPAA_SEC_ERR("Invalid crypto type");
return -EINVAL;
}
+ if (ret) {
+ DPAA_SEC_ERR("unable to init session");
+ goto err1;
+ }
+
rte_spinlock_lock(&internals->lock);
for (i = 0; i < MAX_DPAA_CORES; i++) {
session->inq[i] = dpaa_sec_attach_rxq(internals);
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h
index 29ffe5631..039cce8e9 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.h
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.h
@@ -218,6 +218,27 @@ struct dpaa_sec_op_ctx {
};
static const struct rte_cryptodev_capabilities dpaa_sec_capabilities[] = {
+ { /* NULL (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_NULL,
+ .block_size = 1,
+ .key_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ },
+ .digest_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ },
+ .iv_size = { 0 }
+ }, },
+ }, },
+ },
{ /* MD5 HMAC */
.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
{.sym = {
@@ -374,6 +395,26 @@ static const struct rte_cryptodev_capabilities dpaa_sec_capabilities[] = {
}, }
}, }
},
+ { /* NULL (CIPHER) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+ {.cipher = {
+ .algo = RTE_CRYPTO_CIPHER_NULL,
+ .block_size = 1,
+ .key_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ },
+ .iv_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ }
+ }, },
+ }, }
+ },
{ /* AES CBC */
.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
{.sym = {
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v3 06/13] crypto/dpaa2_sec: add AES-GCM support for lookaside case
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (3 preceding siblings ...)
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 05/13] crypto/dpaa_sec: " Hemant Agrawal
@ 2019-11-06 5:17 ` Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 07/13] crypto/dpaa_sec: " Hemant Agrawal
` (7 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-06 5:17 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 60 +++++++++++++++++++--
1 file changed, 56 insertions(+), 4 deletions(-)
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index dd80e6dc5..173ec8095 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -2547,12 +2547,40 @@ dpaa2_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
switch (aead_xform->algo) {
case RTE_CRYPTO_AEAD_AES_GCM:
- aeaddata->algtype = OP_ALG_ALGSEL_AES;
+ switch (session->digest_length) {
+ case 8:
+ aeaddata->algtype = OP_PCL_IPSEC_AES_GCM8;
+ break;
+ case 12:
+ aeaddata->algtype = OP_PCL_IPSEC_AES_GCM12;
+ break;
+ case 16:
+ aeaddata->algtype = OP_PCL_IPSEC_AES_GCM16;
+ break;
+ default:
+ DPAA2_SEC_ERR("Crypto: Undefined GCM digest %d",
+ session->digest_length);
+ return -1;
+ }
aeaddata->algmode = OP_ALG_AAI_GCM;
session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM;
break;
case RTE_CRYPTO_AEAD_AES_CCM:
- aeaddata->algtype = OP_ALG_ALGSEL_AES;
+ switch (session->digest_length) {
+ case 8:
+ aeaddata->algtype = OP_PCL_IPSEC_AES_CCM8;
+ break;
+ case 12:
+ aeaddata->algtype = OP_PCL_IPSEC_AES_CCM12;
+ break;
+ case 16:
+ aeaddata->algtype = OP_PCL_IPSEC_AES_CCM16;
+ break;
+ default:
+ DPAA2_SEC_ERR("Crypto: Undefined CCM digest %d",
+ session->digest_length);
+ return -1;
+ }
aeaddata->algmode = OP_ALG_AAI_CCM;
session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
break;
@@ -2720,8 +2748,6 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
struct rte_crypto_aead_xform *aead_xform = NULL;
dpaa2_sec_session *session = (dpaa2_sec_session *)sess;
struct ctxt_priv *priv;
- struct ipsec_encap_pdb encap_pdb;
- struct ipsec_decap_pdb decap_pdb;
struct alginfo authdata, cipherdata;
int bufsize;
struct sec_flow_context *flc;
@@ -2761,6 +2787,8 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
aead_xform = &conf->crypto_xform->aead;
ret = dpaa2_sec_ipsec_aead_init(aead_xform,
session, &cipherdata);
+ authdata.keylen = 0;
+ authdata.algtype = 0;
} else {
DPAA2_SEC_ERR("XFORM not specified");
ret = -EINVAL;
@@ -2776,10 +2804,22 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
uint8_t *hdr = NULL;
struct ip ip4_hdr;
struct rte_ipv6_hdr ip6_hdr;
+ struct ipsec_encap_pdb encap_pdb;
flc->dhr = SEC_FLC_DHR_OUTBOUND;
/* For Sec Proto only one descriptor is required. */
memset(&encap_pdb, 0, sizeof(struct ipsec_encap_pdb));
+
+ /* copy algo specific data to PDB */
+ switch (cipherdata.algtype) {
+ case OP_PCL_IPSEC_AES_GCM8:
+ case OP_PCL_IPSEC_AES_GCM12:
+ case OP_PCL_IPSEC_AES_GCM16:
+ memcpy(encap_pdb.gcm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ break;
+ }
+
encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) |
PDBOPTS_ESP_OIHI_PDB_INL |
PDBOPTS_ESP_IVSRC |
@@ -2836,8 +2876,20 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
hdr, &cipherdata, &authdata);
} else if (ipsec_xform->direction ==
RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+ struct ipsec_decap_pdb decap_pdb;
+
flc->dhr = SEC_FLC_DHR_INBOUND;
memset(&decap_pdb, 0, sizeof(struct ipsec_decap_pdb));
+ /* copy algo specific data to PDB */
+ switch (cipherdata.algtype) {
+ case OP_PCL_IPSEC_AES_GCM8:
+ case OP_PCL_IPSEC_AES_GCM12:
+ case OP_PCL_IPSEC_AES_GCM16:
+ memcpy(decap_pdb.gcm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ break;
+ }
+
decap_pdb.options = (ipsec_xform->tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV4) ?
sizeof(struct ip) << 16 :
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v3 07/13] crypto/dpaa_sec: add AES-GCM support for lookaside case
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (4 preceding siblings ...)
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 06/13] crypto/dpaa2_sec: add AES-GCM support for lookaside case Hemant Agrawal
@ 2019-11-06 5:17 ` Hemant Agrawal
2019-11-07 8:48 ` Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 08/13] test/cryptodev: enable additional cases for dpaax Hemant Agrawal
` (6 subsequent siblings)
12 siblings, 1 reply; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-06 5:17 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
This patch add support for AES-128-GCM, when used in
proto lookaside mode.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa_sec/dpaa_sec.c | 309 ++++++++++++++++++++---------
1 file changed, 211 insertions(+), 98 deletions(-)
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 0ef17ee00..27a31d065 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -382,12 +382,14 @@ dpaa_sec_prep_ipsec_cdb(dpaa_sec_session *ses)
cipherdata.algtype = ses->cipher_key.alg;
cipherdata.algmode = ses->cipher_key.algmode;
- authdata.key = (size_t)ses->auth_key.data;
- authdata.keylen = ses->auth_key.length;
- authdata.key_enc_flags = 0;
- authdata.key_type = RTA_DATA_IMM;
- authdata.algtype = ses->auth_key.alg;
- authdata.algmode = ses->auth_key.algmode;
+ if (ses->auth_key.length) {
+ authdata.key = (size_t)ses->auth_key.data;
+ authdata.keylen = ses->auth_key.length;
+ authdata.key_enc_flags = 0;
+ authdata.key_type = RTA_DATA_IMM;
+ authdata.algtype = ses->auth_key.alg;
+ authdata.algmode = ses->auth_key.algmode;
+ }
cdb->sh_desc[0] = cipherdata.keylen;
cdb->sh_desc[1] = authdata.keylen;
@@ -2523,33 +2525,76 @@ dpaa_sec_sym_session_clear(struct rte_cryptodev *dev,
#ifdef RTE_LIBRTE_SECURITY
static int
-dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
- struct rte_security_session_conf *conf,
- void *sess)
+dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
+ struct rte_security_ipsec_xform *ipsec_xform,
+ dpaa_sec_session *session)
{
- struct dpaa_sec_dev_private *internals = dev->data->dev_private;
- struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
- struct rte_crypto_auth_xform *auth_xform = NULL;
- struct rte_crypto_cipher_xform *cipher_xform = NULL;
- dpaa_sec_session *session = (dpaa_sec_session *)sess;
- uint32_t i;
-
PMD_INIT_FUNC_TRACE();
- memset(session, 0, sizeof(dpaa_sec_session));
- if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
- cipher_xform = &conf->crypto_xform->cipher;
- if (conf->crypto_xform->next)
- auth_xform = &conf->crypto_xform->next->auth;
- } else {
- auth_xform = &conf->crypto_xform->auth;
- if (conf->crypto_xform->next)
- cipher_xform = &conf->crypto_xform->next->cipher;
+ session->aead_key.data = rte_zmalloc(NULL, aead_xform->key.length,
+ RTE_CACHE_LINE_SIZE);
+ if (session->aead_key.data == NULL && aead_xform->key.length > 0) {
+ DPAA_SEC_ERR("No Memory for aead key");
+ return -1;
}
- session->proto_alg = conf->protocol;
- session->ctxt = DPAA_SEC_IPSEC;
+ memcpy(session->aead_key.data, aead_xform->key.data,
+ aead_xform->key.length);
+
+ session->digest_length = aead_xform->digest_length;
+ session->aead_key.length = aead_xform->key.length;
+
+ switch (aead_xform->algo) {
+ case RTE_CRYPTO_AEAD_AES_GCM:
+ switch (session->digest_length) {
+ case 8:
+ session->aead_key.alg = OP_PCL_IPSEC_AES_GCM8;
+ break;
+ case 12:
+ session->aead_key.alg = OP_PCL_IPSEC_AES_GCM12;
+ break;
+ case 16:
+ session->aead_key.alg = OP_PCL_IPSEC_AES_GCM16;
+ break;
+ default:
+ DPAA_SEC_ERR("Crypto: Undefined GCM digest %d",
+ session->digest_length);
+ return -1;
+ }
+ if (session->dir == DIR_ENC) {
+ memcpy(session->encap_pdb.gcm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ } else {
+ memcpy(session->decap_pdb.gcm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ }
+ session->aead_key.algmode = OP_ALG_AAI_GCM;
+ session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM;
+ break;
+ if (session->dir == DIR_ENC) {
+ /* todo CCM salt length is 3 bytes, left shift 8 bits */
+ memcpy(session->encap_pdb.ccm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ } else {
+ memcpy(session->decap_pdb.ccm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ }
+ session->aead_key.algmode = OP_ALG_AAI_CCM;
+ session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
+ break;
+ default:
+ DPAA_SEC_ERR("Crypto: Undefined AEAD specified %u",
+ aead_xform->algo);
+ return -1;
+ }
+ return 0;
+}
- if (cipher_xform && cipher_xform->algo != RTE_CRYPTO_CIPHER_NULL) {
+static int
+dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
+ struct rte_crypto_auth_xform *auth_xform,
+ dpaa_sec_session *session)
+{
+ if (cipher_xform) {
session->cipher_key.data = rte_zmalloc(NULL,
cipher_xform->key.length,
RTE_CACHE_LINE_SIZE);
@@ -2558,31 +2603,10 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
DPAA_SEC_ERR("No Memory for cipher key");
return -ENOMEM;
}
+
+ session->cipher_key.length = cipher_xform->key.length;
memcpy(session->cipher_key.data, cipher_xform->key.data,
cipher_xform->key.length);
- session->cipher_key.length = cipher_xform->key.length;
-
- switch (cipher_xform->algo) {
- case RTE_CRYPTO_CIPHER_NULL:
- session->cipher_key.alg = OP_PCL_IPSEC_NULL;
- break;
- case RTE_CRYPTO_CIPHER_AES_CBC:
- session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
- session->cipher_key.algmode = OP_ALG_AAI_CBC;
- break;
- case RTE_CRYPTO_CIPHER_3DES_CBC:
- session->cipher_key.alg = OP_PCL_IPSEC_3DES;
- session->cipher_key.algmode = OP_ALG_AAI_CBC;
- break;
- case RTE_CRYPTO_CIPHER_AES_CTR:
- session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
- session->cipher_key.algmode = OP_ALG_AAI_CTR;
- break;
- default:
- DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u",
- cipher_xform->algo);
- goto out;
- }
session->cipher_alg = cipher_xform->algo;
} else {
session->cipher_key.data = NULL;
@@ -2590,54 +2614,18 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
session->cipher_alg = RTE_CRYPTO_CIPHER_NULL;
}
- if (auth_xform && auth_xform->algo != RTE_CRYPTO_AUTH_NULL) {
+ if (auth_xform) {
session->auth_key.data = rte_zmalloc(NULL,
auth_xform->key.length,
RTE_CACHE_LINE_SIZE);
if (session->auth_key.data == NULL &&
auth_xform->key.length > 0) {
DPAA_SEC_ERR("No Memory for auth key");
- rte_free(session->cipher_key.data);
return -ENOMEM;
}
+ session->auth_key.length = auth_xform->key.length;
memcpy(session->auth_key.data, auth_xform->key.data,
auth_xform->key.length);
- session->auth_key.length = auth_xform->key.length;
-
- switch (auth_xform->algo) {
- case RTE_CRYPTO_AUTH_NULL:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL;
- session->digest_length = 0;
- break;
- case RTE_CRYPTO_AUTH_MD5_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- case RTE_CRYPTO_AUTH_SHA1_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- case RTE_CRYPTO_AUTH_SHA224_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_160;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- case RTE_CRYPTO_AUTH_SHA256_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- case RTE_CRYPTO_AUTH_SHA384_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- case RTE_CRYPTO_AUTH_SHA512_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- default:
- DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
- auth_xform->algo);
- goto out;
- }
session->auth_alg = auth_xform->algo;
} else {
session->auth_key.data = NULL;
@@ -2645,12 +2633,142 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
session->auth_alg = RTE_CRYPTO_AUTH_NULL;
}
+ switch (session->auth_alg) {
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96;
+ session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ break;
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96;
+ session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ break;
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
+ session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ break;
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
+ session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ break;
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256;
+ session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ break;
+ case RTE_CRYPTO_AUTH_AES_CMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_AES_CMAC_96;
+ break;
+ case RTE_CRYPTO_AUTH_NULL:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL;
+ break;
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+ case RTE_CRYPTO_AUTH_SNOW3G_UIA2:
+ case RTE_CRYPTO_AUTH_SHA1:
+ case RTE_CRYPTO_AUTH_SHA256:
+ case RTE_CRYPTO_AUTH_SHA512:
+ case RTE_CRYPTO_AUTH_SHA224:
+ case RTE_CRYPTO_AUTH_SHA384:
+ case RTE_CRYPTO_AUTH_MD5:
+ case RTE_CRYPTO_AUTH_AES_GMAC:
+ case RTE_CRYPTO_AUTH_KASUMI_F9:
+ case RTE_CRYPTO_AUTH_AES_CBC_MAC:
+ case RTE_CRYPTO_AUTH_ZUC_EIA3:
+ DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
+ session->auth_alg);
+ return -1;
+ default:
+ DPAA_SEC_ERR("Crypto: Undefined Auth specified %u",
+ session->auth_alg);
+ return -1;
+ }
+
+ switch (session->cipher_alg) {
+ case RTE_CRYPTO_CIPHER_AES_CBC:
+ session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
+ session->cipher_key.algmode = OP_ALG_AAI_CBC;
+ break;
+ case RTE_CRYPTO_CIPHER_3DES_CBC:
+ session->cipher_key.alg = OP_PCL_IPSEC_3DES;
+ session->cipher_key.algmode = OP_ALG_AAI_CBC;
+ break;
+ case RTE_CRYPTO_CIPHER_AES_CTR:
+ session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
+ session->cipher_key.algmode = OP_ALG_AAI_CTR;
+ break;
+ case RTE_CRYPTO_CIPHER_NULL:
+ session->cipher_key.alg = OP_PCL_IPSEC_NULL;
+ break;
+ case RTE_CRYPTO_CIPHER_SNOW3G_UEA2:
+ case RTE_CRYPTO_CIPHER_ZUC_EEA3:
+ case RTE_CRYPTO_CIPHER_3DES_ECB:
+ case RTE_CRYPTO_CIPHER_AES_ECB:
+ case RTE_CRYPTO_CIPHER_KASUMI_F8:
+ DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u",
+ session->cipher_alg);
+ return -1;
+ default:
+ DPAA_SEC_ERR("Crypto: Undefined Cipher specified %u",
+ session->cipher_alg);
+ return -1;
+ }
+
+ return 0;
+}
+
+static int
+dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
+ struct rte_security_session_conf *conf,
+ void *sess)
+{
+ struct dpaa_sec_dev_private *internals = dev->data->dev_private;
+ struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
+ struct rte_crypto_auth_xform *auth_xform = NULL;
+ struct rte_crypto_cipher_xform *cipher_xform = NULL;
+ struct rte_crypto_aead_xform *aead_xform = NULL;
+ dpaa_sec_session *session = (dpaa_sec_session *)sess;
+ uint32_t i;
+ int ret;
+
+ PMD_INIT_FUNC_TRACE();
+
+ memset(session, 0, sizeof(dpaa_sec_session));
+ session->proto_alg = conf->protocol;
+ session->ctxt = DPAA_SEC_IPSEC;
+
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
+ session->dir = DIR_ENC;
+ else
+ session->dir = DIR_DEC;
+
+ if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
+ cipher_xform = &conf->crypto_xform->cipher;
+ if (conf->crypto_xform->next)
+ auth_xform = &conf->crypto_xform->next->auth;
+ ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
+ session);
+ } else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+ auth_xform = &conf->crypto_xform->auth;
+ if (conf->crypto_xform->next)
+ cipher_xform = &conf->crypto_xform->next->cipher;
+ ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
+ session);
+ } else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ aead_xform = &conf->crypto_xform->aead;
+ ret = dpaa_sec_ipsec_aead_init(aead_xform,
+ ipsec_xform, session);
+ } else {
+ DPAA_SEC_ERR("XFORM not specified");
+ ret = -EINVAL;
+ goto out;
+ }
+ if (ret) {
+ DPAA_SEC_ERR("Failed to process xform");
+ goto out;
+ }
+
if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
if (ipsec_xform->tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
- memset(&session->encap_pdb, 0,
- sizeof(struct ipsec_encap_pdb) +
- sizeof(session->ip4_hdr));
session->ip4_hdr.ip_v = IPVERSION;
session->ip4_hdr.ip_hl = 5;
session->ip4_hdr.ip_len = rte_cpu_to_be_16(
@@ -2673,9 +2791,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
session->encap_pdb.ip_hdr_len = sizeof(struct ip);
} else if (ipsec_xform->tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
- memset(&session->encap_pdb, 0,
- sizeof(struct ipsec_encap_pdb) +
- sizeof(session->ip6_hdr));
session->ip6_hdr.vtc_flow = rte_cpu_to_be_32(
DPAA_IPv6_DEFAULT_VTC_FLOW |
((ipsec_xform->tunnel.ipv6.dscp <<
@@ -2707,10 +2822,9 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
if (ipsec_xform->options.esn)
session->encap_pdb.options |= PDBOPTS_ESP_ESN;
session->encap_pdb.spi = ipsec_xform->spi;
- session->dir = DIR_ENC;
+
} else if (ipsec_xform->direction ==
RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
- memset(&session->decap_pdb, 0, sizeof(struct ipsec_decap_pdb));
if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
session->decap_pdb.options = sizeof(struct ip) << 16;
else
@@ -2718,7 +2832,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
sizeof(struct rte_ipv6_hdr) << 16;
if (ipsec_xform->options.esn)
session->decap_pdb.options |= PDBOPTS_ESP_ESN;
- session->dir = DIR_DEC;
} else
goto out;
rte_spinlock_lock(&internals->lock);
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [dpdk-dev] [PATCH v3 07/13] crypto/dpaa_sec: add AES-GCM support for lookaside case
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 07/13] crypto/dpaa_sec: " Hemant Agrawal
@ 2019-11-07 8:48 ` Hemant Agrawal
2019-11-07 10:07 ` Akhil Goyal
0 siblings, 1 reply; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-07 8:48 UTC (permalink / raw)
To: Hemant Agrawal, dev; +Cc: Akhil Goyal
Hi Akhil,
> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Hemant Agrawal
> Sent: Wednesday, November 6, 2019 10:47 AM
> To: dev@dpdk.org
> Cc: Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [dpdk-dev] [PATCH v3 07/13] crypto/dpaa_sec: add AES-GCM
> support for lookaside case
>
> This patch add support for AES-128-GCM, when used in proto lookaside
> mode.
>
> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> ---
> drivers/crypto/dpaa_sec/dpaa_sec.c | 309 ++++++++++++++++++++---------
> 1 file changed, 211 insertions(+), 98 deletions(-)
>
> diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c
> b/drivers/crypto/dpaa_sec/dpaa_sec.c
> index 0ef17ee00..27a31d065 100644
> --- a/drivers/crypto/dpaa_sec/dpaa_sec.c
> +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
> @@ -382,12 +382,14 @@ dpaa_sec_prep_ipsec_cdb(dpaa_sec_session
> *ses)
> cipherdata.algtype = ses->cipher_key.alg;
> cipherdata.algmode = ses->cipher_key.algmode;
>
> - authdata.key = (size_t)ses->auth_key.data;
> - authdata.keylen = ses->auth_key.length;
> - authdata.key_enc_flags = 0;
> - authdata.key_type = RTA_DATA_IMM;
> - authdata.algtype = ses->auth_key.alg;
> - authdata.algmode = ses->auth_key.algmode;
> + if (ses->auth_key.length) {
> + authdata.key = (size_t)ses->auth_key.data;
> + authdata.keylen = ses->auth_key.length;
> + authdata.key_enc_flags = 0;
> + authdata.key_type = RTA_DATA_IMM;
> + authdata.algtype = ses->auth_key.alg;
> + authdata.algmode = ses->auth_key.algmode;
> + }
>
> cdb->sh_desc[0] = cipherdata.keylen;
> cdb->sh_desc[1] = authdata.keylen;
> @@ -2523,33 +2525,76 @@ dpaa_sec_sym_session_clear(struct
> rte_cryptodev *dev,
>
> #ifdef RTE_LIBRTE_SECURITY
> static int
> -dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
> - struct rte_security_session_conf *conf,
> - void *sess)
> +dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
> + struct rte_security_ipsec_xform *ipsec_xform,
> + dpaa_sec_session *session)
> {
> - struct dpaa_sec_dev_private *internals = dev->data->dev_private;
> - struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
> - struct rte_crypto_auth_xform *auth_xform = NULL;
> - struct rte_crypto_cipher_xform *cipher_xform = NULL;
> - dpaa_sec_session *session = (dpaa_sec_session *)sess;
> - uint32_t i;
> -
> PMD_INIT_FUNC_TRACE();
>
> - memset(session, 0, sizeof(dpaa_sec_session));
> - if (ipsec_xform->direction ==
> RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
> - cipher_xform = &conf->crypto_xform->cipher;
> - if (conf->crypto_xform->next)
> - auth_xform = &conf->crypto_xform->next->auth;
> - } else {
> - auth_xform = &conf->crypto_xform->auth;
> - if (conf->crypto_xform->next)
> - cipher_xform = &conf->crypto_xform->next-
> >cipher;
> + session->aead_key.data = rte_zmalloc(NULL, aead_xform-
> >key.length,
> + RTE_CACHE_LINE_SIZE);
> + if (session->aead_key.data == NULL && aead_xform->key.length >
> 0) {
> + DPAA_SEC_ERR("No Memory for aead key");
> + return -1;
> }
> - session->proto_alg = conf->protocol;
> - session->ctxt = DPAA_SEC_IPSEC;
> + memcpy(session->aead_key.data, aead_xform->key.data,
> + aead_xform->key.length);
> +
> + session->digest_length = aead_xform->digest_length;
> + session->aead_key.length = aead_xform->key.length;
> +
> + switch (aead_xform->algo) {
> + case RTE_CRYPTO_AEAD_AES_GCM:
> + switch (session->digest_length) {
> + case 8:
> + session->aead_key.alg = OP_PCL_IPSEC_AES_GCM8;
> + break;
> + case 12:
> + session->aead_key.alg =
> OP_PCL_IPSEC_AES_GCM12;
> + break;
> + case 16:
> + session->aead_key.alg =
> OP_PCL_IPSEC_AES_GCM16;
> + break;
> + default:
> + DPAA_SEC_ERR("Crypto: Undefined GCM digest
> %d",
> + session->digest_length);
> + return -1;
> + }
> + if (session->dir == DIR_ENC) {
> + memcpy(session->encap_pdb.gcm.salt,
> + (uint8_t *)&(ipsec_xform->salt), 4);
> + } else {
> + memcpy(session->decap_pdb.gcm.salt,
> + (uint8_t *)&(ipsec_xform->salt), 4);
> + }
> + session->aead_key.algmode = OP_ALG_AAI_GCM;
> + session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM;
> + break;
[Hemant] There is a merge error. I see that you have already applied it.
Can you remove following line from the patch.
>>> start here.
> + if (session->dir == DIR_ENC) {
> + /* todo CCM salt length is 3 bytes, left shift 8 bits */
> + memcpy(session->encap_pdb.ccm.salt,
> + (uint8_t *)&(ipsec_xform->salt), 4);
> + } else {
> + memcpy(session->decap_pdb.ccm.salt,
> + (uint8_t *)&(ipsec_xform->salt), 4);
> + }
> + session->aead_key.algmode = OP_ALG_AAI_CCM;
> + session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
> + break;
>>> end here.
> + default:
> + DPAA_SEC_ERR("Crypto: Undefined AEAD specified %u",
> + aead_xform->algo);
> + return -1;
> + }
> + return 0;
> +}
>
> - if (cipher_xform && cipher_xform->algo !=
> RTE_CRYPTO_CIPHER_NULL) {
> +static int
> +dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform
> *cipher_xform,
> + struct rte_crypto_auth_xform *auth_xform,
> + dpaa_sec_session *session)
> +{
> + if (cipher_xform) {
> session->cipher_key.data = rte_zmalloc(NULL,
> cipher_xform-
> >key.length,
> RTE_CACHE_LINE_SIZE);
> @@ -2558,31 +2603,10 @@ dpaa_sec_set_ipsec_session(__rte_unused
> struct rte_cryptodev *dev,
> DPAA_SEC_ERR("No Memory for cipher key");
> return -ENOMEM;
> }
> +
> + session->cipher_key.length = cipher_xform->key.length;
> memcpy(session->cipher_key.data, cipher_xform-
> >key.data,
> cipher_xform->key.length);
> - session->cipher_key.length = cipher_xform->key.length;
> -
> - switch (cipher_xform->algo) {
> - case RTE_CRYPTO_CIPHER_NULL:
> - session->cipher_key.alg = OP_PCL_IPSEC_NULL;
> - break;
> - case RTE_CRYPTO_CIPHER_AES_CBC:
> - session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
> - session->cipher_key.algmode = OP_ALG_AAI_CBC;
> - break;
> - case RTE_CRYPTO_CIPHER_3DES_CBC:
> - session->cipher_key.alg = OP_PCL_IPSEC_3DES;
> - session->cipher_key.algmode = OP_ALG_AAI_CBC;
> - break;
> - case RTE_CRYPTO_CIPHER_AES_CTR:
> - session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
> - session->cipher_key.algmode = OP_ALG_AAI_CTR;
> - break;
> - default:
> - DPAA_SEC_ERR("Crypto: Unsupported Cipher alg
> %u",
> - cipher_xform->algo);
> - goto out;
> - }
> session->cipher_alg = cipher_xform->algo;
> } else {
> session->cipher_key.data = NULL;
> @@ -2590,54 +2614,18 @@ dpaa_sec_set_ipsec_session(__rte_unused
> struct rte_cryptodev *dev,
> session->cipher_alg = RTE_CRYPTO_CIPHER_NULL;
> }
>
> - if (auth_xform && auth_xform->algo != RTE_CRYPTO_AUTH_NULL) {
> + if (auth_xform) {
> session->auth_key.data = rte_zmalloc(NULL,
> auth_xform->key.length,
> RTE_CACHE_LINE_SIZE);
> if (session->auth_key.data == NULL &&
> auth_xform->key.length > 0) {
> DPAA_SEC_ERR("No Memory for auth key");
> - rte_free(session->cipher_key.data);
> return -ENOMEM;
> }
> + session->auth_key.length = auth_xform->key.length;
> memcpy(session->auth_key.data, auth_xform->key.data,
> auth_xform->key.length);
> - session->auth_key.length = auth_xform->key.length;
> -
> - switch (auth_xform->algo) {
> - case RTE_CRYPTO_AUTH_NULL:
> - session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_NULL;
> - session->digest_length = 0;
> - break;
> - case RTE_CRYPTO_AUTH_MD5_HMAC:
> - session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_MD5_96;
> - session->auth_key.algmode = OP_ALG_AAI_HMAC;
> - break;
> - case RTE_CRYPTO_AUTH_SHA1_HMAC:
> - session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA1_96;
> - session->auth_key.algmode = OP_ALG_AAI_HMAC;
> - break;
> - case RTE_CRYPTO_AUTH_SHA224_HMAC:
> - session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA1_160;
> - session->auth_key.algmode = OP_ALG_AAI_HMAC;
> - break;
> - case RTE_CRYPTO_AUTH_SHA256_HMAC:
> - session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_256_128;
> - session->auth_key.algmode = OP_ALG_AAI_HMAC;
> - break;
> - case RTE_CRYPTO_AUTH_SHA384_HMAC:
> - session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_384_192;
> - session->auth_key.algmode = OP_ALG_AAI_HMAC;
> - break;
> - case RTE_CRYPTO_AUTH_SHA512_HMAC:
> - session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_512_256;
> - session->auth_key.algmode = OP_ALG_AAI_HMAC;
> - break;
> - default:
> - DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
> - auth_xform->algo);
> - goto out;
> - }
> session->auth_alg = auth_xform->algo;
> } else {
> session->auth_key.data = NULL;
> @@ -2645,12 +2633,142 @@ dpaa_sec_set_ipsec_session(__rte_unused
> struct rte_cryptodev *dev,
> session->auth_alg = RTE_CRYPTO_AUTH_NULL;
> }
>
> + switch (session->auth_alg) {
> + case RTE_CRYPTO_AUTH_SHA1_HMAC:
> + session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96;
> + session->auth_key.algmode = OP_ALG_AAI_HMAC;
> + break;
> + case RTE_CRYPTO_AUTH_MD5_HMAC:
> + session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96;
> + session->auth_key.algmode = OP_ALG_AAI_HMAC;
> + break;
> + case RTE_CRYPTO_AUTH_SHA256_HMAC:
> + session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_256_128;
> + session->auth_key.algmode = OP_ALG_AAI_HMAC;
> + break;
> + case RTE_CRYPTO_AUTH_SHA384_HMAC:
> + session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_384_192;
> + session->auth_key.algmode = OP_ALG_AAI_HMAC;
> + break;
> + case RTE_CRYPTO_AUTH_SHA512_HMAC:
> + session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_512_256;
> + session->auth_key.algmode = OP_ALG_AAI_HMAC;
> + break;
> + case RTE_CRYPTO_AUTH_AES_CMAC:
> + session->auth_key.alg = OP_PCL_IPSEC_AES_CMAC_96;
> + break;
> + case RTE_CRYPTO_AUTH_NULL:
> + session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL;
> + break;
> + case RTE_CRYPTO_AUTH_SHA224_HMAC:
> + case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
> + case RTE_CRYPTO_AUTH_SNOW3G_UIA2:
> + case RTE_CRYPTO_AUTH_SHA1:
> + case RTE_CRYPTO_AUTH_SHA256:
> + case RTE_CRYPTO_AUTH_SHA512:
> + case RTE_CRYPTO_AUTH_SHA224:
> + case RTE_CRYPTO_AUTH_SHA384:
> + case RTE_CRYPTO_AUTH_MD5:
> + case RTE_CRYPTO_AUTH_AES_GMAC:
> + case RTE_CRYPTO_AUTH_KASUMI_F9:
> + case RTE_CRYPTO_AUTH_AES_CBC_MAC:
> + case RTE_CRYPTO_AUTH_ZUC_EIA3:
> + DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
> + session->auth_alg);
> + return -1;
> + default:
> + DPAA_SEC_ERR("Crypto: Undefined Auth specified %u",
> + session->auth_alg);
> + return -1;
> + }
> +
> + switch (session->cipher_alg) {
> + case RTE_CRYPTO_CIPHER_AES_CBC:
> + session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
> + session->cipher_key.algmode = OP_ALG_AAI_CBC;
> + break;
> + case RTE_CRYPTO_CIPHER_3DES_CBC:
> + session->cipher_key.alg = OP_PCL_IPSEC_3DES;
> + session->cipher_key.algmode = OP_ALG_AAI_CBC;
> + break;
> + case RTE_CRYPTO_CIPHER_AES_CTR:
> + session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
> + session->cipher_key.algmode = OP_ALG_AAI_CTR;
> + break;
> + case RTE_CRYPTO_CIPHER_NULL:
> + session->cipher_key.alg = OP_PCL_IPSEC_NULL;
> + break;
> + case RTE_CRYPTO_CIPHER_SNOW3G_UEA2:
> + case RTE_CRYPTO_CIPHER_ZUC_EEA3:
> + case RTE_CRYPTO_CIPHER_3DES_ECB:
> + case RTE_CRYPTO_CIPHER_AES_ECB:
> + case RTE_CRYPTO_CIPHER_KASUMI_F8:
> + DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u",
> + session->cipher_alg);
> + return -1;
> + default:
> + DPAA_SEC_ERR("Crypto: Undefined Cipher specified %u",
> + session->cipher_alg);
> + return -1;
> + }
> +
> + return 0;
> +}
> +
> +static int
> +dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
> + struct rte_security_session_conf *conf,
> + void *sess)
> +{
> + struct dpaa_sec_dev_private *internals = dev->data->dev_private;
> + struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
> + struct rte_crypto_auth_xform *auth_xform = NULL;
> + struct rte_crypto_cipher_xform *cipher_xform = NULL;
> + struct rte_crypto_aead_xform *aead_xform = NULL;
> + dpaa_sec_session *session = (dpaa_sec_session *)sess;
> + uint32_t i;
> + int ret;
> +
> + PMD_INIT_FUNC_TRACE();
> +
> + memset(session, 0, sizeof(dpaa_sec_session));
> + session->proto_alg = conf->protocol;
> + session->ctxt = DPAA_SEC_IPSEC;
> +
> + if (ipsec_xform->direction ==
> RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
> + session->dir = DIR_ENC;
> + else
> + session->dir = DIR_DEC;
> +
> + if (conf->crypto_xform->type ==
> RTE_CRYPTO_SYM_XFORM_CIPHER) {
> + cipher_xform = &conf->crypto_xform->cipher;
> + if (conf->crypto_xform->next)
> + auth_xform = &conf->crypto_xform->next->auth;
> + ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
> + session);
> + } else if (conf->crypto_xform->type ==
> RTE_CRYPTO_SYM_XFORM_AUTH) {
> + auth_xform = &conf->crypto_xform->auth;
> + if (conf->crypto_xform->next)
> + cipher_xform = &conf->crypto_xform->next-
> >cipher;
> + ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
> + session);
> + } else if (conf->crypto_xform->type ==
> RTE_CRYPTO_SYM_XFORM_AEAD) {
> + aead_xform = &conf->crypto_xform->aead;
> + ret = dpaa_sec_ipsec_aead_init(aead_xform,
> + ipsec_xform, session);
> + } else {
> + DPAA_SEC_ERR("XFORM not specified");
> + ret = -EINVAL;
> + goto out;
> + }
> + if (ret) {
> + DPAA_SEC_ERR("Failed to process xform");
> + goto out;
> + }
> +
> if (ipsec_xform->direction ==
> RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
> if (ipsec_xform->tunnel.type ==
> RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
> - memset(&session->encap_pdb, 0,
> - sizeof(struct ipsec_encap_pdb) +
> - sizeof(session->ip4_hdr));
> session->ip4_hdr.ip_v = IPVERSION;
> session->ip4_hdr.ip_hl = 5;
> session->ip4_hdr.ip_len = rte_cpu_to_be_16( @@ -
> 2673,9 +2791,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct
> rte_cryptodev *dev,
> session->encap_pdb.ip_hdr_len = sizeof(struct ip);
> } else if (ipsec_xform->tunnel.type ==
> RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
> - memset(&session->encap_pdb, 0,
> - sizeof(struct ipsec_encap_pdb) +
> - sizeof(session->ip6_hdr));
> session->ip6_hdr.vtc_flow = rte_cpu_to_be_32(
> DPAA_IPv6_DEFAULT_VTC_FLOW |
> ((ipsec_xform->tunnel.ipv6.dscp <<
> @@ -2707,10 +2822,9 @@ dpaa_sec_set_ipsec_session(__rte_unused struct
> rte_cryptodev *dev,
> if (ipsec_xform->options.esn)
> session->encap_pdb.options |= PDBOPTS_ESP_ESN;
> session->encap_pdb.spi = ipsec_xform->spi;
> - session->dir = DIR_ENC;
> +
> } else if (ipsec_xform->direction ==
> RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
> - memset(&session->decap_pdb, 0, sizeof(struct
> ipsec_decap_pdb));
> if (ipsec_xform->tunnel.type ==
> RTE_SECURITY_IPSEC_TUNNEL_IPV4)
> session->decap_pdb.options = sizeof(struct ip) << 16;
> else
> @@ -2718,7 +2832,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct
> rte_cryptodev *dev,
> sizeof(struct rte_ipv6_hdr) << 16;
> if (ipsec_xform->options.esn)
> session->decap_pdb.options |= PDBOPTS_ESP_ESN;
> - session->dir = DIR_DEC;
> } else
> goto out;
> rte_spinlock_lock(&internals->lock);
> --
> 2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [dpdk-dev] [PATCH v3 07/13] crypto/dpaa_sec: add AES-GCM support for lookaside case
2019-11-07 8:48 ` Hemant Agrawal
@ 2019-11-07 10:07 ` Akhil Goyal
0 siblings, 0 replies; 37+ messages in thread
From: Akhil Goyal @ 2019-11-07 10:07 UTC (permalink / raw)
To: Hemant Agrawal, dev
>
> Hi Akhil,
>
>
> [Hemant] There is a merge error. I see that you have already applied it.
> Can you remove following line from the patch.
> >>> start here.
> > + if (session->dir == DIR_ENC) {
> > + /* todo CCM salt length is 3 bytes, left shift 8 bits */
> > + memcpy(session->encap_pdb.ccm.salt,
> > + (uint8_t *)&(ipsec_xform->salt), 4);
> > + } else {
> > + memcpy(session->decap_pdb.ccm.salt,
> > + (uint8_t *)&(ipsec_xform->salt), 4);
> > + }
> > + session->aead_key.algmode = OP_ALG_AAI_CCM;
> > + session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
> > + break;
> >>> end here.
>
done
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v3 08/13] test/cryptodev: enable additional cases for dpaax
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (5 preceding siblings ...)
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 07/13] crypto/dpaa_sec: " Hemant Agrawal
@ 2019-11-06 5:17 ` Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 09/13] crypto/dpaa2_sec: enable warning with truncated sha256 Hemant Agrawal
` (5 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-06 5:17 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
This patch enables short buffer and 12 bit IV AES-CTR cases
for dpaax_sec pmds.
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
app/test/test_cryptodev_aes_test_vectors.h | 24 +++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/app/test/test_cryptodev_aes_test_vectors.h b/app/test/test_cryptodev_aes_test_vectors.h
index 54a8082cf..9afa3aef8 100644
--- a/app/test/test_cryptodev_aes_test_vectors.h
+++ b/app/test/test_cryptodev_aes_test_vectors.h
@@ -1605,6 +1605,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
.feature_mask = BLOCKCIPHER_TEST_FEATURE_OOP,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
BLOCKCIPHER_TEST_TARGET_PMD_QAT |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
BLOCKCIPHER_TEST_TARGET_PMD_NITROX
},
{
@@ -1716,6 +1718,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
.test_data = &aes_test_data_13,
.op_mask = BLOCKCIPHER_TEST_OP_ENC_AUTH_GEN,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1777,6 +1781,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
.test_data = &aes_test_data_13,
.op_mask = BLOCKCIPHER_TEST_OP_AUTH_VERIFY_DEC,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1806,6 +1812,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
.test_data = &aes_test_data_12,
.op_mask = BLOCKCIPHER_TEST_OP_ENC_AUTH_GEN,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1835,6 +1843,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
.test_data = &aes_test_data_12,
.op_mask = BLOCKCIPHER_TEST_OP_AUTH_VERIFY_DEC,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_ARMV8 |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
BLOCKCIPHER_TEST_TARGET_PMD_MVSAM |
BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
BLOCKCIPHER_TEST_TARGET_PMD_NITROX |
@@ -1954,6 +1964,8 @@ static const struct blockcipher_test_case aes_chain_test_cases[] = {
.op_mask = BLOCKCIPHER_TEST_OP_ENC_AUTH_GEN,
.feature_mask = BLOCKCIPHER_TEST_FEATURE_OOP,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC |
BLOCKCIPHER_TEST_TARGET_PMD_QAT |
BLOCKCIPHER_TEST_TARGET_PMD_NITROX
},
@@ -2400,7 +2412,9 @@ static const struct blockcipher_test_case aes_cipheronly_test_cases[] = {
.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
- BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2
+ BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2 |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC
},
{
.test_descr = "AES-192-CTR Encryption (12-byte IV)",
@@ -2408,7 +2422,9 @@ static const struct blockcipher_test_case aes_cipheronly_test_cases[] = {
.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
- BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2
+ BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2 |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC
},
{
.test_descr = "AES-256-CTR Encryption (12-byte IV)",
@@ -2416,7 +2432,9 @@ static const struct blockcipher_test_case aes_cipheronly_test_cases[] = {
.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB |
BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX |
- BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2
+ BLOCKCIPHER_TEST_TARGET_PMD_OCTEONTX2 |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA2_SEC |
+ BLOCKCIPHER_TEST_TARGET_PMD_DPAA_SEC
},
{
.test_descr = "AES-128-XTS Encryption (16-byte plaintext)",
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v3 09/13] crypto/dpaa2_sec: enable warning with truncated sha256
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (6 preceding siblings ...)
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 08/13] test/cryptodev: enable additional cases for dpaax Hemant Agrawal
@ 2019-11-06 5:17 ` Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 10/13] crypto/dpaa2_sec: remove unwanted context type check Hemant Agrawal
` (4 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-06 5:17 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
This patch throw the warning when using truncted digest
len for SHA256 case.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 4 ++++
drivers/crypto/dpaa_sec/dpaa_sec.c | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 173ec8095..668832f16 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -2657,6 +2657,10 @@ dpaa2_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
case RTE_CRYPTO_AUTH_SHA256_HMAC:
authdata->algtype = OP_PCL_IPSEC_HMAC_SHA2_256_128;
authdata->algmode = OP_ALG_AAI_HMAC;
+ if (session->digest_length != 16)
+ DPAA2_SEC_WARN(
+ "+++Using sha256-hmac truncated len is non-standard,"
+ "it will not work with lookaside proto");
break;
case RTE_CRYPTO_AUTH_SHA384_HMAC:
authdata->algtype = OP_PCL_IPSEC_HMAC_SHA2_384_192;
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 27a31d065..e729ed7db 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2645,6 +2645,10 @@ dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
case RTE_CRYPTO_AUTH_SHA256_HMAC:
session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ if (session->digest_length != 16)
+ DPAA_SEC_WARN(
+ "+++Using sha256-hmac truncated len is non-standard,"
+ "it will not work with lookaside proto");
break;
case RTE_CRYPTO_AUTH_SHA384_HMAC:
session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v3 10/13] crypto/dpaa2_sec: remove unwanted context type check
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (7 preceding siblings ...)
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 09/13] crypto/dpaa2_sec: enable warning with truncated sha256 Hemant Agrawal
@ 2019-11-06 5:17 ` Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 11/13] crypto/dpaa_sec: use macros in queue attach and detach Hemant Agrawal
` (3 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-06 5:17 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
From: Gagandeep Singh <g.singh@nxp.com>
This patch remove redundant checks.
Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 668832f16..96753caad 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1582,18 +1582,13 @@ sec_fd_to_mbuf(const struct qbman_fd *fd)
#ifdef RTE_LIBRTE_SECURITY
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
- dpaa2_sec_session *sess = (dpaa2_sec_session *)
- get_sec_session_private_data(op->sym->sec_session);
- if (sess->ctxt_type == DPAA2_SEC_IPSEC ||
- sess->ctxt_type == DPAA2_SEC_PDCP) {
- uint16_t len = DPAA2_GET_FD_LEN(fd);
- dst->pkt_len = len;
- while (dst->next != NULL) {
- len -= dst->data_len;
- dst = dst->next;
- }
- dst->data_len = len;
+ uint16_t len = DPAA2_GET_FD_LEN(fd);
+ dst->pkt_len = len;
+ while (dst->next != NULL) {
+ len -= dst->data_len;
+ dst = dst->next;
}
+ dst->data_len = len;
}
#endif
DPAA2_SEC_DP_DEBUG("mbuf %p BMAN buf addr %p,"
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v3 11/13] crypto/dpaa_sec: use macros in queue attach and detach
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (8 preceding siblings ...)
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 10/13] crypto/dpaa2_sec: remove unwanted context type check Hemant Agrawal
@ 2019-11-06 5:17 ` Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 12/13] crypto/dpaa2_sec: use aes-ctr initial counter as 1 Hemant Agrawal
` (2 subsequent siblings)
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-06 5:17 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
From: Gagandeep Singh <g.singh@nxp.com>
Align the cleanup and allocation for the queues.
Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
drivers/crypto/dpaa_sec/dpaa_sec.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index e729ed7db..990708de4 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2303,7 +2303,7 @@ dpaa_sec_attach_rxq(struct dpaa_sec_dev_private *qi)
{
unsigned int i;
- for (i = 0; i < qi->max_nb_sessions * MAX_DPAA_CORES; i++) {
+ for (i = 0; i < RTE_DPAA_MAX_RX_QUEUE; i++) {
if (qi->inq_attach[i] == 0) {
qi->inq_attach[i] = 1;
return &qi->inq[i];
@@ -2319,9 +2319,10 @@ dpaa_sec_detach_rxq(struct dpaa_sec_dev_private *qi, struct qman_fq *fq)
{
unsigned int i;
- for (i = 0; i < qi->max_nb_sessions; i++) {
+ for (i = 0; i < RTE_DPAA_MAX_RX_QUEUE; i++) {
if (&qi->inq[i] == fq) {
- qman_retire_fq(fq, NULL);
+ if (qman_retire_fq(fq, NULL) != 0)
+ DPAA_SEC_WARN("Queue is not retired\n");
qman_oos_fq(fq);
qi->inq_attach[i] = 0;
return 0;
@@ -3408,7 +3409,7 @@ dpaa_sec_dev_init(struct rte_cryptodev *cryptodev)
flags = QMAN_FQ_FLAG_LOCKED | QMAN_FQ_FLAG_DYNAMIC_FQID |
QMAN_FQ_FLAG_TO_DCPORTAL;
- for (i = 0; i < MAX_DPAA_CORES * internals->max_nb_sessions; i++) {
+ for (i = 0; i < RTE_DPAA_MAX_RX_QUEUE; i++) {
/* create rx qman fq for sessions*/
ret = qman_create_fq(0, flags, &internals->inq[i]);
if (unlikely(ret != 0)) {
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v3 12/13] crypto/dpaa2_sec: use aes-ctr initial counter as 1
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (9 preceding siblings ...)
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 11/13] crypto/dpaa_sec: use macros in queue attach and detach Hemant Agrawal
@ 2019-11-06 5:17 ` Hemant Agrawal
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 13/13] crypto/dpaa_sec: enable ipsec aes-ctr to use nonce Hemant Agrawal
2019-11-06 13:09 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Akhil Goyal
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-06 5:17 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
From: Vakul Garg <vakul.garg@nxp.com>
As per RFC3686, the initial aes-ctr counter value should be '1' for use
in ipsec. The patches changes SEC descriptor for using correct counter
value. In addition, it drops a redundant parameter for passing IV while
creating the descriptor.
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
---
drivers/common/dpaax/caamflib/desc/algo.h | 21 +++++++++++++--------
drivers/crypto/caam_jr/caam_jr.c | 1 -
drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 8 ++++----
drivers/crypto/dpaa_sec/dpaa_sec.c | 1 -
4 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/drivers/common/dpaax/caamflib/desc/algo.h b/drivers/common/dpaax/caamflib/desc/algo.h
index 83dbb80ce..345bb5b3f 100644
--- a/drivers/common/dpaax/caamflib/desc/algo.h
+++ b/drivers/common/dpaax/caamflib/desc/algo.h
@@ -289,12 +289,12 @@ cnstr_shdsc_snow_f9(uint32_t *descbuf, bool ps, bool swap,
static inline int
cnstr_shdsc_blkcipher(uint32_t *descbuf, bool ps, bool swap,
enum rta_share_type share,
- struct alginfo *cipherdata, uint8_t *iv,
+ struct alginfo *cipherdata,
uint32_t ivlen, uint8_t dir)
{
struct program prg;
struct program *p = &prg;
- uint32_t iv_off = 0;
+ uint32_t iv_off = 0, counter;
const bool need_dk = (dir == DIR_DEC) &&
(cipherdata->algtype == OP_ALG_ALGSEL_AES) &&
(cipherdata->algmode == OP_ALG_AAI_CBC);
@@ -336,12 +336,17 @@ cnstr_shdsc_blkcipher(uint32_t *descbuf, bool ps, bool swap,
if (cipherdata->algmode == OP_ALG_AAI_CTR)
iv_off = 16;
- if (iv)
- /* IV load, convert size */
- LOAD(p, (uintptr_t)iv, CONTEXT1, iv_off, ivlen, IMMED | COPY);
- else
- /* IV is present first before the actual message */
- SEQLOAD(p, CONTEXT1, iv_off, ivlen, 0);
+ /* IV is present first before the actual message */
+ SEQLOAD(p, CONTEXT1, iv_off, ivlen, 0);
+
+ /* If IV len is less than 16 bytes, set 'counter' as 1 */
+ if (cipherdata->algmode == OP_ALG_AAI_CTR && ivlen < 16) {
+ counter = 1;
+ if (!swap)
+ counter = swab32(1);
+
+ LOAD(p, counter, CONTEXT1, (iv_off + ivlen), 16 - ivlen, IMMED);
+ }
MATHB(p, SEQINSZ, SUB, MATH2, VSEQINSZ, 4, 0);
MATHB(p, SEQINSZ, SUB, MATH2, VSEQOUTSZ, 4, 0);
diff --git a/drivers/crypto/caam_jr/caam_jr.c b/drivers/crypto/caam_jr/caam_jr.c
index d1da9a64c..8aaa3d45f 100644
--- a/drivers/crypto/caam_jr/caam_jr.c
+++ b/drivers/crypto/caam_jr/caam_jr.c
@@ -336,7 +336,6 @@ caam_jr_prep_cdb(struct caam_jr_session *ses)
shared_desc_len = cnstr_shdsc_blkcipher(
cdb->sh_desc, true,
swap, SHR_NEVER, &alginfo_c,
- NULL,
ses->iv.length,
ses->dir);
} else if (is_auth_only(ses)) {
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 96753caad..46925be5f 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1858,7 +1858,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
cipherdata.algmode = OP_ALG_AAI_CBC;
session->cipher_alg = RTE_CRYPTO_CIPHER_AES_CBC;
bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
- SHR_NEVER, &cipherdata, NULL,
+ SHR_NEVER, &cipherdata,
session->iv.length,
session->dir);
break;
@@ -1867,7 +1867,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
cipherdata.algmode = OP_ALG_AAI_CBC;
session->cipher_alg = RTE_CRYPTO_CIPHER_3DES_CBC;
bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
- SHR_NEVER, &cipherdata, NULL,
+ SHR_NEVER, &cipherdata,
session->iv.length,
session->dir);
break;
@@ -1876,7 +1876,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
cipherdata.algmode = OP_ALG_AAI_CTR;
session->cipher_alg = RTE_CRYPTO_CIPHER_AES_CTR;
bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
- SHR_NEVER, &cipherdata, NULL,
+ SHR_NEVER, &cipherdata,
session->iv.length,
session->dir);
break;
@@ -1885,7 +1885,7 @@ dpaa2_sec_cipher_init(struct rte_cryptodev *dev,
cipherdata.algmode = OP_ALG_AAI_CTR;
session->cipher_alg = RTE_CRYPTO_CIPHER_3DES_CTR;
bufsize = cnstr_shdsc_blkcipher(priv->flc_desc[0].desc, 1, 0,
- SHR_NEVER, &cipherdata, NULL,
+ SHR_NEVER, &cipherdata,
session->iv.length,
session->dir);
break;
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 990708de4..2c1915fec 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -478,7 +478,6 @@ dpaa_sec_prep_cdb(dpaa_sec_session *ses)
shared_desc_len = cnstr_shdsc_blkcipher(
cdb->sh_desc, true,
swap, SHR_NEVER, &alginfo_c,
- NULL,
ses->iv.length,
ses->dir);
break;
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* [dpdk-dev] [PATCH v3 13/13] crypto/dpaa_sec: enable ipsec aes-ctr to use nonce
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (10 preceding siblings ...)
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 12/13] crypto/dpaa2_sec: use aes-ctr initial counter as 1 Hemant Agrawal
@ 2019-11-06 5:17 ` Hemant Agrawal
2019-11-06 13:09 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Akhil Goyal
12 siblings, 0 replies; 37+ messages in thread
From: Hemant Agrawal @ 2019-11-06 5:17 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
From: Vakul Garg <vakul.garg@nxp.com>
The protocol aware ipsec descriptor has been modified to
use ctr_initial value of 1 and salt configured for ipsec SA.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
---
drivers/common/dpaax/caamflib/desc/ipsec.h | 18 ++++++++----------
drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 8 ++++++++
drivers/crypto/dpaa_sec/dpaa_sec.c | 12 ++++++++++--
3 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/drivers/common/dpaax/caamflib/desc/ipsec.h b/drivers/common/dpaax/caamflib/desc/ipsec.h
index f33c68cc9..cf6fa4252 100644
--- a/drivers/common/dpaax/caamflib/desc/ipsec.h
+++ b/drivers/common/dpaax/caamflib/desc/ipsec.h
@@ -256,14 +256,14 @@ struct ipsec_encap_cbc {
/**
* struct ipsec_encap_ctr - PDB part for IPsec CTR encapsulation
- * @ctr_nonce: 4-byte array nonce
+ * @ctr_nonce: 4-byte nonce
* @ctr_initial: initial count constant
* @iv: initialization vector
*/
struct ipsec_encap_ctr {
- uint8_t ctr_nonce[4];
+ uint32_t ctr_nonce;
uint32_t ctr_initial;
- uint64_t iv;
+ uint8_t iv[8];
};
/**
@@ -346,10 +346,9 @@ __rta_copy_ipsec_encap_pdb(struct program *program,
break;
case OP_PCL_IPSEC_AES_CTR:
- rta_copy_data(program, pdb->ctr.ctr_nonce,
- sizeof(pdb->ctr.ctr_nonce));
+ rta_copy_data(program, (uint8_t *)&pdb->ctr.ctr_nonce, 4);
__rta_out32(program, pdb->ctr.ctr_initial);
- __rta_out64(program, true, pdb->ctr.iv);
+ rta_copy_data(program, pdb->ctr.iv, sizeof(pdb->ctr.iv));
break;
case OP_PCL_IPSEC_AES_CCM8:
@@ -386,11 +385,11 @@ struct ipsec_decap_cbc {
/**
* struct ipsec_decap_ctr - PDB part for IPsec CTR decapsulation
- * @ctr_nonce: 4-byte array nonce
+ * @ctr_nonce: 4-byte nonce
* @ctr_initial: initial count constant
*/
struct ipsec_decap_ctr {
- uint8_t ctr_nonce[4];
+ uint32_t ctr_nonce;
uint32_t ctr_initial;
};
@@ -464,8 +463,7 @@ __rta_copy_ipsec_decap_pdb(struct program *program,
break;
case OP_PCL_IPSEC_AES_CTR:
- rta_copy_data(program, pdb->ctr.ctr_nonce,
- sizeof(pdb->ctr.ctr_nonce));
+ rta_copy_data(program, (uint8_t *)&pdb->ctr.ctr_nonce, 4);
__rta_out32(program, pdb->ctr.ctr_initial);
break;
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 46925be5f..555730519 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -2811,6 +2811,10 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
/* copy algo specific data to PDB */
switch (cipherdata.algtype) {
+ case OP_PCL_IPSEC_AES_CTR:
+ encap_pdb.ctr.ctr_initial = 0x00000001;
+ encap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+ break;
case OP_PCL_IPSEC_AES_GCM8:
case OP_PCL_IPSEC_AES_GCM12:
case OP_PCL_IPSEC_AES_GCM16:
@@ -2881,6 +2885,10 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
memset(&decap_pdb, 0, sizeof(struct ipsec_decap_pdb));
/* copy algo specific data to PDB */
switch (cipherdata.algtype) {
+ case OP_PCL_IPSEC_AES_CTR:
+ decap_pdb.ctr.ctr_initial = 0x00000001;
+ decap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+ break;
case OP_PCL_IPSEC_AES_GCM8:
case OP_PCL_IPSEC_AES_GCM12:
case OP_PCL_IPSEC_AES_GCM16:
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 2c1915fec..b0fa74540 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2592,6 +2592,7 @@ dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
static int
dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
struct rte_crypto_auth_xform *auth_xform,
+ struct rte_security_ipsec_xform *ipsec_xform,
dpaa_sec_session *session)
{
if (cipher_xform) {
@@ -2698,6 +2699,13 @@ dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
case RTE_CRYPTO_CIPHER_AES_CTR:
session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
session->cipher_key.algmode = OP_ALG_AAI_CTR;
+ if (session->dir == DIR_ENC) {
+ session->encap_pdb.ctr.ctr_initial = 0x00000001;
+ session->encap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+ } else {
+ session->decap_pdb.ctr.ctr_initial = 0x00000001;
+ session->decap_pdb.ctr.ctr_nonce = ipsec_xform->salt;
+ }
break;
case RTE_CRYPTO_CIPHER_NULL:
session->cipher_key.alg = OP_PCL_IPSEC_NULL;
@@ -2749,13 +2757,13 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
if (conf->crypto_xform->next)
auth_xform = &conf->crypto_xform->next->auth;
ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
- session);
+ ipsec_xform, session);
} else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
auth_xform = &conf->crypto_xform->auth;
if (conf->crypto_xform->next)
cipher_xform = &conf->crypto_xform->next->cipher;
ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
- session);
+ ipsec_xform, session);
} else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
aead_xform = &conf->crypto_xform->aead;
ret = dpaa_sec_ipsec_aead_init(aead_xform,
--
2.17.1
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags Hemant Agrawal
` (11 preceding siblings ...)
2019-11-06 5:17 ` [dpdk-dev] [PATCH v3 13/13] crypto/dpaa_sec: enable ipsec aes-ctr to use nonce Hemant Agrawal
@ 2019-11-06 13:09 ` Akhil Goyal
12 siblings, 0 replies; 37+ messages in thread
From: Akhil Goyal @ 2019-11-06 13:09 UTC (permalink / raw)
To: Hemant Agrawal, dev
> -----Original Message-----
> From: Hemant Agrawal <hemant.agrawal@nxp.com>
> Sent: Wednesday, November 6, 2019 10:47 AM
> To: dev@dpdk.org
> Cc: Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [PATCH v3 01/13] crypto/dpaa_sec: fix to set PDCP capability flags
>
> set the pdcp capa_flags to 0 by default.
>
> Fixes: a1173d55598c ("crypto/dpaa_sec: support PDCP offload")
>
> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> ---
Series Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Series Applied to dpdk-next-crypto
Thanks.
^ permalink raw reply [flat|nested] 37+ messages in thread