From: Tejasree Kondoj <ktejasree@marvell.com>
To: Akhil Goyal <gakhil@marvell.com>, Radu Nicolau <radu.nicolau@intel.com>
Cc: Tejasree Kondoj <ktejasree@marvell.com>,
Anoob Joseph <anoobj@marvell.com>,
Ankur Dwivedi <adwivedi@marvell.com>,
Jerin Jacob <jerinj@marvell.com>, <dev@dpdk.org>
Subject: [dpdk-dev] [PATCH 3/3] crypto/octeontx2: support lookaside IPv4 transport mode
Date: Mon, 15 Mar 2021 16:06:16 +0530 [thread overview]
Message-ID: <20210315103616.31364-4-ktejasree@marvell.com> (raw)
In-Reply-To: <20210315103616.31364-1-ktejasree@marvell.com>
Adding support for IPv4 lookaside IPsec transport mode.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/cryptodevs/octeontx2.rst | 1 +
drivers/crypto/octeontx2/otx2_cryptodev_ops.c | 7 +-
drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 110 ++++++++++--------
drivers/crypto/octeontx2/otx2_cryptodev_sec.h | 4 +-
drivers/crypto/octeontx2/otx2_ipsec_po.h | 6 +
drivers/crypto/octeontx2/otx2_ipsec_po_ops.h | 8 +-
6 files changed, 76 insertions(+), 60 deletions(-)
diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst
index b30f98180a..811e61a1f6 100644
--- a/doc/guides/cryptodevs/octeontx2.rst
+++ b/doc/guides/cryptodevs/octeontx2.rst
@@ -179,6 +179,7 @@ Features supported
* IPv6
* ESP
* Tunnel mode
+* Transport mode(IPv4)
* ESN
* Anti-replay
* UDP Encapsulation
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index cec20b5c6d..c20170bcaa 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -928,7 +928,7 @@ otx2_cpt_sec_post_process(struct rte_crypto_op *cop, uintptr_t *rsp)
struct rte_mbuf *m = sym_op->m_src;
struct rte_ipv6_hdr *ip6;
struct rte_ipv4_hdr *ip;
- uint16_t m_len;
+ uint16_t m_len = 0;
int mdata_len;
char *data;
@@ -938,11 +938,12 @@ otx2_cpt_sec_post_process(struct rte_crypto_op *cop, uintptr_t *rsp)
if (word0->s.opcode.major == OTX2_IPSEC_PO_PROCESS_IPSEC_INB) {
data = rte_pktmbuf_mtod(m, char *);
- if (rsp[4] == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+ if (rsp[4] == OTX2_IPSEC_PO_TRANSPORT ||
+ rsp[4] == OTX2_IPSEC_PO_TUNNEL_IPV4) {
ip = (struct rte_ipv4_hdr *)(data +
OTX2_IPSEC_PO_INB_RPTR_HDR);
m_len = rte_be_to_cpu_16(ip->total_length);
- } else {
+ } else if (rsp[4] == OTX2_IPSEC_PO_TUNNEL_IPV6) {
ip6 = (struct rte_ipv6_hdr *)(data +
OTX2_IPSEC_PO_INB_RPTR_HDR);
m_len = rte_be_to_cpu_16(ip6->payload_len) +
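Review bot: The dispatch on `rsp[4]` has no final `else`, so a value that is none of the three `OTX2_IPSEC_PO_*` modes leaves `m_len` at its new default of 0 and the operation continues as if it had been handled. The `= 0` initialiser removes the uninitialised read but hides the case; an explicit fallback such as `} else { cop->status = RTE_CRYPTO_OP_STATUS_ERROR; }` would report it to the application. How `m_len` is consumed lies below the hunk, so the effect of a zero length on the mbuf is inferred rather than shown. Separately, `ip->total_length` comes from packet data, and these lines do not compare it with the mbuf's buffer length before it is used.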
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
index 8942ff1fac..6493ce8370 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -25,12 +25,15 @@ ipsec_lp_len_precalc(struct rte_security_ipsec_xform *ipsec,
{
struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
- if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
- lp->partial_len = sizeof(struct rte_ipv4_hdr);
- else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
- lp->partial_len = sizeof(struct rte_ipv6_hdr);
- else
- return -EINVAL;
+ lp->partial_len = 0;
+ if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+ if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+ lp->partial_len = sizeof(struct rte_ipv4_hdr);
+ else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
+ lp->partial_len = sizeof(struct rte_ipv6_hdr);
+ else
+ return -EINVAL;
+ }
if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) {
lp->partial_len += sizeof(struct rte_esp_hdr);
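Review bot: `ipsec->mode` is only tested for tunnel here, so every other value, not just `RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT`, now passes with `partial_len = 0` where the old code returned `-EINVAL`. Adding `else if (ipsec->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) return -EINVAL;` after the tunnel block keeps the rejection for unknown modes. This matters more because the outbound hunk at `@@ -336,11 +341,7` removes both `return -EINVAL` fallbacks and the inbound hunk at `@@ -421,13 +422,20` maps every non-IPv4 tunnel type to `OTX2_IPSEC_PO_TUNNEL_IPV6`. If those paths rely on this helper for validation (the calls are outside the visible lines), it is the last check left. The function body continues past the hunk.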
@@ -203,7 +206,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
struct rte_security_session *sec_sess)
{
struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
- struct otx2_ipsec_po_ip_template *template;
+ struct otx2_ipsec_po_ip_template *template = NULL;
const uint8_t *cipher_key, *auth_key;
struct otx2_sec_session_ipsec_lp *lp;
struct otx2_ipsec_po_sa_ctl *ctl;
@@ -229,10 +232,10 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
memset(sa, 0, sizeof(struct otx2_ipsec_po_out_sa));
/* Initialize lookaside ipsec private data */
+ lp->mode_type = OTX2_IPSEC_PO_TRANSPORT;
lp->ip_id = 0;
lp->seq_lo = 1;
lp->seq_hi = 0;
- lp->tunnel_type = ipsec->tunnel.type;
ret = ipsec_po_sa_ctl_set(ipsec, crypto_xform, ctl);
if (ret)
@@ -242,46 +245,47 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
if (ret)
return ret;
- if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
- /* Start ip id from 1 */
- lp->ip_id = 1;
+ /* Start ip id from 1 */
+ lp->ip_id = 1;
+
+ if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
+ template = &sa->aes_gcm.template;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ aes_gcm.template) + sizeof(
+ sa->aes_gcm.template.ip4);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
+ } else if (ctl->auth_type ==
+ OTX2_IPSEC_PO_SA_AUTH_SHA1) {
+ template = &sa->sha1.template;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ sha1.template) + sizeof(
+ sa->sha1.template.ip4);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
+ } else if (ctl->auth_type ==
+ OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
+ template = &sa->sha2.template;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ sha2.template) + sizeof(
+ sa->sha2.template.ip4);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
+ } else {
+ return -EINVAL;
+ }
+ ip = &template->ip4.ipv4_hdr;
+ if (ipsec->options.udp_encap) {
+ ip->next_proto_id = IPPROTO_UDP;
+ template->ip4.udp_src = rte_be_to_cpu_16(4500);
+ template->ip4.udp_dst = rte_be_to_cpu_16(4500);
+ } else {
+ ip->next_proto_id = IPPROTO_ESP;
+ }
+ if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
-
- if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
- template = &sa->aes_gcm.template;
- ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
- aes_gcm.template) + sizeof(
- sa->aes_gcm.template.ip4);
- ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
- lp->ctx_len = ctx_len >> 3;
- } else if (ctl->auth_type ==
- OTX2_IPSEC_PO_SA_AUTH_SHA1) {
- template = &sa->sha1.template;
- ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
- sha1.template) + sizeof(
- sa->sha1.template.ip4);
- ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
- lp->ctx_len = ctx_len >> 3;
- } else if (ctl->auth_type ==
- OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
- template = &sa->sha2.template;
- ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
- sha2.template) + sizeof(
- sa->sha2.template.ip4);
- ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
- lp->ctx_len = ctx_len >> 3;
- } else {
- return -EINVAL;
- }
- ip = &template->ip4.ipv4_hdr;
- if (ipsec->options.udp_encap) {
- ip->next_proto_id = IPPROTO_UDP;
- template->ip4.udp_src = rte_be_to_cpu_16(4500);
- template->ip4.udp_dst = rte_be_to_cpu_16(4500);
- } else {
- ip->next_proto_id = IPPROTO_ESP;
- }
+ lp->mode_type = OTX2_IPSEC_PO_TUNNEL_IPV4;
ip->version_ihl = RTE_IPV4_VHL_DEF;
ip->time_to_live = ipsec->tunnel.ipv4.ttl;
ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
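Review bot: The IPv4 template selection, the `ctx_len` computation from `template.ip4` and the `ip->next_proto_id` and UDP port writes now run before the mode check, so they also execute for an IPv6 tunnel SA, which previously never touched the `ip4` member. If `ip4` and `ip6` share storage in the template (the struct is not shown), correctness depends on the IPv6 branch overwriting every byte written here. Guarding the block with `if (ipsec->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL || ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)`, or adding a comment that says why the early write is harmless, would remove the doubt. The port constants use `rte_be_to_cpu_16(4500)`; the result is the same, but `rte_cpu_to_be_16(4500)` states the intended direction. The function starts and ends outside the hunk.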
@@ -294,6 +298,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
} else if (ipsec->tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
+ lp->mode_type = OTX2_IPSEC_PO_TUNNEL_IPV6;
if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
@@ -336,11 +341,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
sizeof(struct in6_addr));
memcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr,
sizeof(struct in6_addr));
- } else {
- return -EINVAL;
}
- } else {
- return -EINVAL;
}
cipher_xform = crypto_xform;
@@ -421,13 +422,20 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
if (ret)
return ret;
- lp->tunnel_type = ipsec->tunnel.type;
+ lp->mode_type = OTX2_IPSEC_PO_TRANSPORT;
+
auth_xform = crypto_xform;
cipher_xform = crypto_xform->next;
cipher_key_len = 0;
auth_key_len = 0;
+ if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+ lp->mode_type = (ipsec->tunnel.type ==
+ RTE_SECURITY_IPSEC_TUNNEL_IPV4) ?
+ OTX2_IPSEC_PO_TUNNEL_IPV4 :
+ OTX2_IPSEC_PO_TUNNEL_IPV6;
+
if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
memcpy(sa->iv.gcm.nonce, &ipsec->salt, 4);
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.h b/drivers/crypto/octeontx2/otx2_cryptodev_sec.h
index 2849c1ab75..87f55c97fe 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.h
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.h
@@ -55,8 +55,8 @@ struct otx2_sec_session_ipsec_lp {
uint8_t iv_length;
/** Auth IV length in bytes */
uint8_t auth_iv_length;
- /** IPsec tunnel type */
- enum rte_security_ipsec_tunnel_type tunnel_type;
+ /** IPsec mode and tunnel type */
+ enum otx2_ipsec_po_mode_type mode_type;
};
int otx2_crypto_sec_ctx_create(struct rte_cryptodev *crypto_dev);
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h
index 8a672a38ea..faa434dae3 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h
@@ -20,6 +20,12 @@
#define OTX2_IPSEC_PO_INB_RPTR_HDR 0x8
+enum otx2_ipsec_po_mode_type {
+ OTX2_IPSEC_PO_TRANSPORT = 1,
+ OTX2_IPSEC_PO_TUNNEL_IPV4,
+ OTX2_IPSEC_PO_TUNNEL_IPV6,
+};
+
enum otx2_ipsec_po_comp_e {
OTX2_IPSEC_PO_CC_SUCCESS = 0x00,
OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED = 0xB0,
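Review bot: `enum otx2_ipsec_po_mode_type` is added without a comment, although its values are not internal to session setup: they are stored in the request metadata as `op[4]` in `alloc_request_struct` and compared against `rsp[4]` in `otx2_cpt_sec_post_process`. A short header comment would record that, for example `/* Lookaside IPsec SA mode; carried in request metadata word 4 and read back at post-processing */`. If starting at 1 is deliberate, so that a zeroed session or metadata word never matches a valid mode, the same comment should say so.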
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
index f4cab19811..58b199f4f3 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
@@ -26,7 +26,7 @@ otx2_ipsec_po_out_rlen_get(struct otx2_sec_session_ipsec_lp *sess,
static __rte_always_inline struct cpt_request_info *
alloc_request_struct(char *maddr, void *cop, int mdata_len,
- enum rte_security_ipsec_tunnel_type tunnel_type)
+ enum otx2_ipsec_po_mode_type mode_type)
{
struct cpt_request_info *req;
struct cpt_meta_info *meta;
@@ -48,7 +48,7 @@ alloc_request_struct(char *maddr, void *cop, int mdata_len,
op[1] = (uintptr_t)cop;
op[2] = (uintptr_t)req;
op[3] = mdata_len;
- op[4] = tunnel_type;
+ op[4] = mode_type;
return req;
}
@@ -89,7 +89,7 @@ process_outb_sa(struct rte_crypto_op *cop,
mdata += extend_tail; /* mdata follows encrypted data */
req = alloc_request_struct(mdata, (void *)cop, mdata_len,
- sess->tunnel_type);
+ sess->mode_type);
data = rte_pktmbuf_prepend(m_src, extend_head);
if (unlikely(data == NULL)) {
@@ -162,7 +162,7 @@ process_inb_sa(struct rte_crypto_op *cop,
}
req = alloc_request_struct(mdata, (void *)cop, mdata_len,
- sess->tunnel_type);
+ sess->mode_type);
/* Prepare CPT instruction */
word0.u64 = sess->ucmd_w0;
--
2.27.0