From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id CE51AA0547; Thu, 29 Apr 2021 17:49:21 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 0892041363; Thu, 29 Apr 2021 17:49:08 +0200 (CEST) Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on2061.outbound.protection.outlook.com [40.107.94.61]) by mails.dpdk.org (Postfix) with ESMTP id 9154F4135B for ; Thu, 29 Apr 2021 17:49:06 +0200 (CEST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Jg3lOSNSnCpXXPKj3o0RzIPu4UGI6NaMn0Vpclm3czf07lGUSjqMP/NuZK/4JJOmRp34vkppKNwMtClUwh2eLvZIYIbVa0VtDG6yDmge5Gq+OK9IDBva73oDVw5HOk7clisCloui9yC/nPO14B8a7YZYz8x9veJV7IWQucRPthJmHJNGSJ5SRf3nIzrKU+8eo0gH0vLAMz13f07/VB151XopSkKkEqM917EhwB1CwtiakHahO3n81HtJshu/MsrkU5tW2fPAKSw5zszkOgg1CUtBuoVDDOZE7bVKcW97DKnOhDvfStbkGYMEFXJwWSYkEaBH/xrYSOvC0hwsaaf95A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pJZZmMU93XFAimwQSz/daGBLoWI/n/Qoqci/0M5/JxM=; b=DsBR/lK6B+4pb/OIKC6GfAP/xmcwdc6G6oIDg+MZtzus/92ci2cUCwZ94OE5llr18I5sk7qEQ+FKTWPENxyCkSW2B/fpdOLO9U4jLZm1PhNgQHotElbbEh+vqHy2frUC3xFIVCXXXRtWtK1OOTnbMRcdQZVQbNm6UR2b6pPaJU9JkSG5VO+UjRhf6fvPbXMuflfEzP/u2YXPt3KVlS67o74rDY9kD2RwW1oZWNoXBnO2+md3rimPH6/VnFmFqodU2WZm3AxRYucc2T3P+Nq40enIjxvM9ibQ7gaO2QWR3Bx5bk8AE/D126SbpELooZ7HlkD8I7X+em7ob8//8Ib+RQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.112.34) smtp.rcpttodomain=marvell.com smtp.mailfrom=nvidia.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pJZZmMU93XFAimwQSz/daGBLoWI/n/Qoqci/0M5/JxM=; b=ObmUnLOdQex9zmQHB8U2nYpq1TUNU6Zi/oNnH4R0lcaT+Jp/Q/bjLblu82rnoSgG3sC1L8Zt7wV8fpMEhwSl0pQLb07dXJkYcOTCKrd+Xju+z3ZddN5Xcdz39zd/tgxrW6Z930hCMP6QJWXwBf6wtgHGwbH8XcVTZ0ktb/F71OVbVt3G7E8Lp2MTm0riDXejCoVPI+3hGdtFrS2yYCmHmE1RsBkeDkyitE8AQ9YC59Ae8lC2sn8ows3ZqjHBKzuxW8XUQwbY0pE9Ue8zsVu94ltsQIJPsX/Er6RS3Ddl/aOBvqnvvuqIi1snwLJp8xaHfBcyk1Y0UFv2d2lzvWJybg== Received: from MW4PR03CA0035.namprd03.prod.outlook.com (2603:10b6:303:8e::10) by CY4PR12MB1143.namprd12.prod.outlook.com (2603:10b6:903:38::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4065.22; Thu, 29 Apr 2021 15:49:04 +0000 Received: from CO1NAM11FT020.eop-nam11.prod.protection.outlook.com (2603:10b6:303:8e:cafe::74) by MW4PR03CA0035.outlook.office365.com (2603:10b6:303:8e::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4087.27 via Frontend Transport; Thu, 29 Apr 2021 15:49:04 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.112.34) smtp.mailfrom=nvidia.com; marvell.com; dkim=none (message not signed) header.d=none;marvell.com; dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.112.34 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.112.34; helo=mail.nvidia.com; Received: from mail.nvidia.com (216.228.112.34) by CO1NAM11FT020.mail.protection.outlook.com (10.13.174.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.4087.27 via Frontend Transport; Thu, 29 Apr 2021 15:49:04 +0000 Received: from nvidia.com (172.20.145.6) by HQMAIL107.nvidia.com (172.20.187.13) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 29 Apr 2021 15:49:02 +0000 From: Matan Azrad To: CC: , , , "Shiri Kuzin" Date: Thu, 29 Apr 2021 18:47:12 +0300 Message-ID: <20210429154712.2820159-16-matan@nvidia.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210429154712.2820159-1-matan@nvidia.com> References: <20210408204849.9543-1-shirik@nvidia.com> <20210429154712.2820159-1-matan@nvidia.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Originating-IP: [172.20.145.6] X-ClientProxiedBy: HQMAIL107.nvidia.com (172.20.187.13) To HQMAIL107.nvidia.com (172.20.187.13) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 66ef60c5-ea9d-4042-964c-08d90b265117 X-MS-TrafficTypeDiagnostic: CY4PR12MB1143: X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:8882; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: edAPmZRR4pAF6Arces34rUf/EAFmjLAI86Mp07J7y1eMi5wtNIvEUh34a8bREoo6O49D01pW7PzjgoKgidNmuqncvXypNzMmSXqM6bXX80N5L9B8KE6Wn6keiGhJac3lDB2Xhsagm0nF/Ty+7NGFnYfI++oLUwvfcNljVgdRQwk4emHu6kRvCU+NPFhzQCR2Yn+DbCm+UVl14FZU0aggoG+JBAm36E5BhNoGX2vtDRyZFkjeJOpMxkxbnNbyP+Xu0C9vD6SGMLW5ndIzIEx9YNx9iR5I8ZeB5M9m9cO/VxvUjcfmx+oJco/WCW6m0R2NV44qwTeJBnVLY79e5tW7VCZrRklryHwRlmm2uAwXvMCd60EqXqgrp/GtaSUbKuUa06ewBit6bUSd9N9zZP4Bz0PIkOqfC42W8tRAG1bKG2KoNXmryjA5hVMt2EaS0Acy7EUvaJZpNnXj8uGwq8k5w+7jsTFo7QjhVcjXUnPf1WEspAUrxgXfLzHxwEdPJsziOfyHBcOwdegRRTeIuHZlv9rcNMHYpYWqGBifBfDBMoQyk9762B/JBrsxV2ZASZq02GwJg9M4gW3E0imKMndgNi0xuoavkwxtuDF+zcarXx7tgMl8zx9mshP9uk1zB/PYntqiXx1xHoMuGlEjUMmNBxfYHMHrRbslgXOGiZTNnkM= X-Forefront-Antispam-Report: CIP:216.228.112.34; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:mail.nvidia.com; PTR:schybrid03.nvidia.com; CAT:NONE; SFS:(4636009)(346002)(136003)(39860400002)(376002)(396003)(46966006)(36840700001)(54906003)(36860700001)(82310400003)(36906005)(47076005)(36756003)(316002)(336012)(8936002)(2906002)(6916009)(83380400001)(82740400003)(30864003)(356005)(186003)(1076003)(6666004)(16526019)(4326008)(26005)(478600001)(2616005)(7696005)(6286002)(8676002)(55016002)(70586007)(426003)(5660300002)(86362001)(107886003)(70206006)(7636003); DIR:OUT; SFP:1101; X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Apr 2021 15:49:04.5659 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 66ef60c5-ea9d-4042-964c-08d90b265117 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a; Ip=[216.228.112.34]; Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: CO1NAM11FT020.eop-nam11.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR12MB1143 Subject: [dpdk-dev] [PATCH v2 15/15] crypto/mlx5: set feature flags and capabilities X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Shiri Kuzin Add the supported capabilities to the crypto driver. Add supported feature flags. Add crypto driver documentation. Signed-off-by: Shiri Kuzin Signed-off-by: Matan Azrad --- doc/guides/cryptodevs/features/mlx5.ini | 37 ++++++ doc/guides/cryptodevs/index.rst | 1 + doc/guides/cryptodevs/mlx5.rst | 152 ++++++++++++++++++++++++ doc/guides/rel_notes/release_21_05.rst | 5 + drivers/crypto/mlx5/mlx5_crypto.c | 39 +++++- 5 files changed, 231 insertions(+), 3 deletions(-) create mode 100644 doc/guides/cryptodevs/features/mlx5.ini create mode 100644 doc/guides/cryptodevs/mlx5.rst diff --git a/doc/guides/cryptodevs/features/mlx5.ini b/doc/guides/cryptodevs/features/mlx5.ini new file mode 100644 index 0000000000..a89526add0 --- /dev/null +++ b/doc/guides/cryptodevs/features/mlx5.ini @@ -0,0 +1,37 @@ +; +; Features of a mlx5 crypto driver. +; +; Refer to default.ini for the full list of available PMD features. +; +[Features] +Symmetric crypto = Y +HW Accelerated = Y +In Place SGL = Y +OOP SGL In SGL Out = Y +OOP SGL In LB Out = Y +OOP LB In SGL Out = Y +OOP LB In LB Out = Y +Cipher multiple data units = Y +Cipher wrapped key = Y + +; +; Supported crypto algorithms of a mlx5 crypto driver. +; +[Cipher] +AES XTS (128) = Y +AES XTS (256) = Y + +; +; Supported authentication algorithms of a mlx5 crypto driver. +; +[Auth] + +; +; Supported AEAD algorithms of a mlx5 crypto driver. +; +[AEAD] + +; +; Supported Asymmetric algorithms of a mlx5 crypto driver. +; +[Asymmetric] diff --git a/doc/guides/cryptodevs/index.rst b/doc/guides/cryptodevs/index.rst index 279f56a002..747409c441 100644 --- a/doc/guides/cryptodevs/index.rst +++ b/doc/guides/cryptodevs/index.rst @@ -22,6 +22,7 @@ Crypto Device Drivers octeontx octeontx2 openssl + mlx5 mvsam nitrox null diff --git a/doc/guides/cryptodevs/mlx5.rst b/doc/guides/cryptodevs/mlx5.rst new file mode 100644 index 0000000000..4ccec78be8 --- /dev/null +++ b/doc/guides/cryptodevs/mlx5.rst @@ -0,0 +1,152 @@ +.. SPDX-License-Identifier: BSD-3-Clause + Copyright 2021 Mellanox Technologies, Ltd + +.. include:: + +MLX5 Crypto Driver +================== + +The MLX5 crypto driver library +(**librte_crypto_mlx5**) provides support for **Mellanox ConnectX-6** +family adapters. + +Overview +-------- + +The device can provide disk encryption services, allowing data encryption +and decryption towards a disk. Having all encryption/decryption +operations done in a single device can reduce cost and overheads of the related +FIPS certification, as ConnectX-6 is FIPS 140-2 level-2 ready. +The encryption cipher is AES-XTS of 256/512 key size. + +MKEY is a memory region object in the hardware, that holds address translation information and +attributes per memory area. Its ID must be tied to addresses provided to the hardware. +The encryption operations are performed with MKEY read\write transactions, when +the MKEY is configured to perform crypto operations. + +The encryption does not require text to be aligned to the AES block size (128b). + +In order to move the device to crypto operational mode, credential and KEK +(Key Encrypting Key) should be set as the first step. +The credential will be used by the software in order to perform crypto login, and the KEK is +the AES Key Wrap Algorithm (rfc3394) key that will be used for sensitive data +wrapping. +The credential and the AES-XTS keys should be provided to the hardware, as ciphertext +encrypted by the KEK. + +A keytag (64 bits) should be appended to the AES-XTS keys (before wrapping), +and will be validated when the hardware attempts to access it. + +For security reasons and to increase robustness, this driver only deals with virtual +memory addresses. The way resources allocations are handled by the kernel, +combined with hardware specifications that allow handling virtual memory +addresses directly, ensure that DPDK applications cannot access random +physical memory (or memory that does not belong to the current process). + +The PMD uses libibverbs and libmlx5 to access the device firmware or to +access the hardware components directly. +There are different levels of objects and bypassing abilities. +To get the best performances: + +- Verbs is a complete high-level generic API. +- Direct Verbs is a device-specific API. +- DevX allows to access firmware objects. + +Enabling librte_crypto_mlx5 causes DPDK applications to be linked against +libibverbs. + +Mellanox mlx5 PCI device can be probed by a number of different PCI devices, such as +net / vDPA / RegEx. To select the crypto PMD, ``class=crypto`` +should be specified as a device parameter. The crypto device can be probed and +used with other Mellanox classes by adding more options in the class. +For example: ``class=net:crypto`` will probe both the net PMD and the crypto +PMD. + +When crypto engines are defined to work in wrapped import method, they come out +of the factory in Commissioning mode, and thus, cannot be used for crypto operations +yet. A dedicated tool is used for changing the mode from Commissioning to +Operational, while setting the first import_KEK and credential in plaintext. +The mlxreg dedicated tool should be used as follows: + +- Set CRYPTO_OPERATIONAL register to set the device in crypto operational mode. + + The input to this tool is: + The first credential in plaintext, 40B. + The first import_KEK in plaintext: kek size 0 for 16B or 1 for 32B, kek data. + + Example: + mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL --get + + The "wrapped_crypto_operational" value will be "0x00000000". + The command to set the register should be executed only once, and all the + values mentioned above should be specified in the same command. + + Example: + mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL + --set "credential[0]=0x10000000, credential[1]=0x10000000, kek[0]=0x00000000" + + All values not specified will remain 0. + "wrapped_crypto_going_to_commissioning" and "wrapped_crypto_operational" + should not be specified. + + All the device ports should set it in order to move to operational mode. + +- Query CRYPTO_OPERATIONAL register to make sure the device is in Operational + mode. + + Example: + mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL --get + The "wrapped_crypto_operational" value will be "0x00000001" if the mode was + successfully changed to operational mode. + + +Driver options +-------------- + +- ``class`` parameter [string] + + Select the class of the driver that should probe the device. + `crypto` for the mlx5 crypto driver. + +- ``wcs_file`` parameter [string] - mandatory + + File path including only the wrapped credential in string format of hexadecimal + numbers, represent 48 bytes (8 bytes IV added by the AES key wrap algorithm). + +- ``import_kek_id`` parameter [int] + + The identifier of the KEK, default value is 0 represents the operational + register import_kek.. + +- ``credential_id`` parameter [int] + + The identifier of the credential, default value is 0 represents the operational + register credential. + +- ``max_segs_num`` parameter [int] + + Maximum number of mbuf chain segments(src or dest), default value is 8. + +- ``keytag`` parameter [int] + + The plaintext of the keytag appanded to the AES-XTS keys, default value is 0. + + +Limitations +----------- + +- AES-XTS keys provided in Xform must include keytag and should be wrappend. +- The supported data-unit lengths are: 512B, 1KB, 1MB. In case the `dataunit_len` + is not provided in the cipher Xform, the OP length is limitted to the above values. + + +Supported NICs +-------------- + +* Mellanox\ |reg| ConnectX\ |reg|-6 200G MCX654106A-HCAT (2x200G) + +Prerequisites +------------- + +- Mellanox OFED version: **5.3** + see :doc:`../../nics/mlx5` guide for more Mellanox OFED details. diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst index 133a0dbbf2..dc508fc63c 100644 --- a/doc/guides/rel_notes/release_21_05.rst +++ b/doc/guides/rel_notes/release_21_05.rst @@ -273,6 +273,11 @@ New Features * Added support for crypto adapter forward mode in octeontx2 event and crypto device driver. +* **Added support for Nvidia crypto device driver.** + + * Added mlx5 crypto driver to support AES-XTS cipher operations. + the first device to support it is ConnectX-6. + Removed Items ------------- diff --git a/drivers/crypto/mlx5/mlx5_crypto.c b/drivers/crypto/mlx5/mlx5_crypto.c index af8985939e..c2e75905fd 100644 --- a/drivers/crypto/mlx5/mlx5_crypto.c +++ b/drivers/crypto/mlx5/mlx5_crypto.c @@ -22,6 +22,14 @@ #define MLX5_CRYPTO_LOG_NAME pmd.crypto.mlx5 #define MLX5_CRYPTO_MAX_QPS 1024 #define MLX5_CRYPTO_MAX_SEGS 56 +#define MLX5_CRYPTO_FEATURE_FLAGS \ + (RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_HW_ACCELERATED | \ + RTE_CRYPTODEV_FF_IN_PLACE_SGL | RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | \ + RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | \ + RTE_CRYPTODEV_FF_OOP_LB_IN_SGL_OUT | \ + RTE_CRYPTODEV_FF_OOP_LB_IN_LB_OUT | \ + RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY | \ + RTE_CRYPTODEV_FF_CIPHER_MULTIPLE_DATA_UNITS) TAILQ_HEAD(mlx5_crypto_privs, mlx5_crypto_priv) mlx5_crypto_priv_list = TAILQ_HEAD_INITIALIZER(mlx5_crypto_priv_list); @@ -31,8 +39,32 @@ int mlx5_crypto_logtype; uint8_t mlx5_crypto_driver_id; -const struct rte_cryptodev_capabilities - mlx5_crypto_caps[RTE_CRYPTO_OP_TYPE_UNDEFINED]; +const struct rte_cryptodev_capabilities mlx5_crypto_caps[] = { + { /* AES XTS */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER, + {.cipher = { + .algo = RTE_CRYPTO_CIPHER_AES_XTS, + .block_size = 16, + .key_size = { + .min = 32, + .max = 64, + .increment = 32 + }, + .iv_size = { + .min = 16, + .max = 16, + .increment = 0 + }, + .dataunit_set = + RTE_CRYPTO_CIPHER_DATA_UNIT_LEN_512_BYTES | + RTE_CRYPTO_CIPHER_DATA_UNIT_LEN_4096_BYTES, + }, } + }, } + }, +}; + static const char mlx5_crypto_drv_name[] = RTE_STR(MLX5_CRYPTO_DRIVER_NAME); @@ -67,7 +99,7 @@ mlx5_crypto_dev_infos_get(struct rte_cryptodev *dev, RTE_SET_USED(dev); if (dev_info != NULL) { dev_info->driver_id = mlx5_crypto_driver_id; - dev_info->feature_flags = 0; + dev_info->feature_flags = MLX5_CRYPTO_FEATURE_FLAGS; dev_info->capabilities = mlx5_crypto_caps; dev_info->max_nb_queue_pairs = MLX5_CRYPTO_MAX_QPS; dev_info->min_mbuf_headroom_req = 0; @@ -954,6 +986,7 @@ mlx5_crypto_pci_probe(struct rte_pci_driver *pci_drv, crypto_dev->dev_ops = &mlx5_crypto_ops; crypto_dev->dequeue_burst = mlx5_crypto_dequeue_burst; crypto_dev->enqueue_burst = mlx5_crypto_enqueue_burst; + crypto_dev->feature_flags = MLX5_CRYPTO_FEATURE_FLAGS; crypto_dev->driver_id = mlx5_crypto_driver_id; priv = crypto_dev->data->dev_private; priv->ctx = ctx; -- 2.25.1