From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 9D107A0A02; Tue, 4 May 2021 23:11:12 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 07CC741163; Tue, 4 May 2021 23:09:55 +0200 (CEST) Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on2043.outbound.protection.outlook.com [40.107.223.43]) by mails.dpdk.org (Postfix) with ESMTP id 0598141152 for ; Tue, 4 May 2021 23:09:53 +0200 (CEST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nSUjiQsMwrQPzreo9W1ED14PYAyXdpS5cLBU/lsTM3KMknHAs0cVnGfc7N3GS18RDPdsGmTG+M7q/8XqFp/xk5Fy6CkdzPexe0CXvPyErpQviB9WeHRZBLwGGGj1z0LLSo/yZg84dmfczqnKGqdHkwWFcPLfuY6h6ISb5LV7jAc4FXXBZnjj8z4vE3TIlmv0/8s0DtTeIcpuZC9VRRmVKJktXE3GFhb2mLXcOqGnFqb08saPHb4a26EPJre+c2hne0XZRvdoyfx8kpW42NHogDnLp11bIRrUrpyb3DctA4MA1BbLCxo2y3PeRqq5ssHkBsLbzahJBiufBNRncwo9gA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5h98WhJ/+ursyUwYwamnXK41FwvpQNhCaRPcWNWwN54=; b=A+ziV/TS7Z4YAiknDfezGXkRTHsTWSFJmSSSWnXLTe1AKlvn9KiQ5E+LJQ4M6acbxCfV/IHnvbvRlkHTasGZTxZ5yhDm12sJ3BH+SLDub8xmFc2C+RmZpv3VZIuXoEr/d2Zs/Db2mHBv26gNdVfkF36VaPVQToV/tQqMuPmp6P4Ila8L2oHzWtN+54nhxVWEbcvx0lWM0GleksxNGJhhHiCyGlhoiuI/qD01IWLQoUXzMCf7HUF3FvGTuB1bKebcECF3ugozRmZnO727G83OKesK8Th5SKcQGKOqLd/nQzokQIQ/RJK2gevxLFaEq4WqtQ6MbZEWFbQvEQ4U8HlOdw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.112.34) smtp.rcpttodomain=monjalon.net smtp.mailfrom=nvidia.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5h98WhJ/+ursyUwYwamnXK41FwvpQNhCaRPcWNWwN54=; b=DomfQRRNL6043vRb83V3ZEaI6R2IACaOi2BlUQdQrlSJEejnS7ErZGhlhiODA6vqJ/JWy1lfsE5yFl5iEoHHBmPIRxCAsPydLtgTK4yNyDFRv3owYqW3ToWupCUy/xahTd/LDDbBHMjRBEzB/RbH+jBqqMnNzaNi9E5nZdo+f3Z5ZtCB+/DYw2UGA8r2DXsN/Bm1LL2RHuIq2Kr3eJHmBa9NXWuUFUN83ijf48kBFhXjPA+bZpa8fXo2df+UXBqCQEQ9dKAKjI55XIknb/JufydhougYahNFL9TkawQros4u1IaF/mMe7QemwTKqk5hWRFk9NyjwNarIkEFjT6RtSA== Received: from MWHPR1201CA0019.namprd12.prod.outlook.com (2603:10b6:301:4a::29) by DM5PR12MB1275.namprd12.prod.outlook.com (2603:10b6:3:75::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4087.40; Tue, 4 May 2021 21:09:50 +0000 Received: from CO1NAM11FT049.eop-nam11.prod.protection.outlook.com (2603:10b6:301:4a:cafe::81) by MWHPR1201CA0019.outlook.office365.com (2603:10b6:301:4a::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4087.25 via Frontend Transport; Tue, 4 May 2021 21:09:50 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.112.34) smtp.mailfrom=nvidia.com; monjalon.net; dkim=none (message not signed) header.d=none;monjalon.net; dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.112.34 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.112.34; helo=mail.nvidia.com; Received: from mail.nvidia.com (216.228.112.34) by CO1NAM11FT049.mail.protection.outlook.com (10.13.175.50) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.4087.27 via Frontend Transport; Tue, 4 May 2021 21:09:49 +0000 Received: from nvidia.com (172.20.145.6) by HQMAIL107.nvidia.com (172.20.187.13) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 4 May 2021 21:09:47 +0000 From: Matan Azrad To: CC: , , , "Thomas Monjalon" , Shiri Kuzin Date: Wed, 5 May 2021 00:08:57 +0300 Message-ID: <20210504210857.3398397-16-matan@nvidia.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210504210857.3398397-1-matan@nvidia.com> References: <20210429154712.2820159-1-matan@nvidia.com> <20210504210857.3398397-1-matan@nvidia.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Originating-IP: [172.20.145.6] X-ClientProxiedBy: HQMAIL111.nvidia.com (172.20.187.18) To HQMAIL107.nvidia.com (172.20.187.13) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: feea2eec-f2b2-4e1e-3a88-08d90f40f441 X-MS-TrafficTypeDiagnostic: DM5PR12MB1275: X-LD-Processed: 43083d15-7273-40c1-b7db-39efd9ccc17a,ExtAddr X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:8882; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: rWJbzBNN29Qa2H7pPNATaoXmdKyCeSTj5oQBgAk0LjJcV1EzI6hoc4+bX2W/FfPbD8fM1kJDp7GaC24UVnHvMBtln/NBTHX1N+JYj/v/DG+ncaxDCf4RHEm/if+sNF3btfIj3xhgyH3VIQo6kXjAdnnUz6mmXxEiNDAKdu4RjLM+NZoYOEWrkXxxF2BAOE8l1ZmeO1tVejna8vxneK814u6s+CNaJGDKxLAgr+diBi9277yeKhUiUur7yhk4+3jbRNXpFpGUm20RmdKEuuyn3bdiabXf+f+IKre43H2qHWOhi2HPvZ0yRuE3NBK+CNgvmF/5DnHwP6MnsMGvjSJU3VC9GcodhB4ygqfvPcAvtJMzaH5iOQEORGdOPLiXOn99pZOdMLMoQNFgoJPL8lRAsz11FHjBx7ao5gdeiWqg058MKpNvvh1tPD/nEkt4InDFJPQCBKipfZimaCH0omYiG0SaoGJF0o5AbTJ7vDTj7mGpziS/SwJLYs3H79iKWftVk1aauwAybMG5MhNpqn6bMqR0tecVsBcSm1pETgaRYeWO6QbgZ1UQVN5sHoDPX7VmIGqVv1ZF1mr9xRpeZ6cDeVpkeeN4DNJ189a0D/zyxyjH9sqOUr8KbTF7hra/7ReOYrCP/otMRCeUNvNrho3oxVm1vb8/eLfWWt4tFH/J9ac= X-Forefront-Antispam-Report: CIP:216.228.112.34; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:mail.nvidia.com; PTR:schybrid03.nvidia.com; CAT:NONE; SFS:(4636009)(39860400002)(346002)(396003)(136003)(376002)(36840700001)(46966006)(7696005)(36906005)(36756003)(55016002)(2906002)(4326008)(5660300002)(83380400001)(70206006)(478600001)(16526019)(30864003)(107886003)(6666004)(8936002)(426003)(186003)(36860700001)(26005)(336012)(47076005)(316002)(2616005)(54906003)(1076003)(6286002)(6916009)(82740400003)(86362001)(356005)(82310400003)(70586007)(7636003)(8676002); DIR:OUT; SFP:1101; X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 May 2021 21:09:49.8545 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: feea2eec-f2b2-4e1e-3a88-08d90f40f441 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a; Ip=[216.228.112.34]; Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: CO1NAM11FT049.eop-nam11.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR12MB1275 Subject: [dpdk-dev] [PATCH v3 15/15] crypto/mlx5: set feature flags and capabilities X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Shiri Kuzin Add the supported capabilities to the crypto driver. Add supported feature flags. Add crypto driver documentation. Signed-off-by: Shiri Kuzin Signed-off-by: Matan Azrad --- doc/guides/cryptodevs/features/mlx5.ini | 37 ++++++ doc/guides/cryptodevs/index.rst | 1 + doc/guides/cryptodevs/mlx5.rst | 152 ++++++++++++++++++++++++ doc/guides/rel_notes/release_21_05.rst | 5 + drivers/crypto/mlx5/mlx5_crypto.c | 39 +++++- 5 files changed, 231 insertions(+), 3 deletions(-) create mode 100644 doc/guides/cryptodevs/features/mlx5.ini create mode 100644 doc/guides/cryptodevs/mlx5.rst diff --git a/doc/guides/cryptodevs/features/mlx5.ini b/doc/guides/cryptodevs/features/mlx5.ini new file mode 100644 index 0000000000..a89526add0 --- /dev/null +++ b/doc/guides/cryptodevs/features/mlx5.ini @@ -0,0 +1,37 @@ +; +; Features of a mlx5 crypto driver. +; +; Refer to default.ini for the full list of available PMD features. +; +[Features] +Symmetric crypto = Y +HW Accelerated = Y +In Place SGL = Y +OOP SGL In SGL Out = Y +OOP SGL In LB Out = Y +OOP LB In SGL Out = Y +OOP LB In LB Out = Y +Cipher multiple data units = Y +Cipher wrapped key = Y + +; +; Supported crypto algorithms of a mlx5 crypto driver. +; +[Cipher] +AES XTS (128) = Y +AES XTS (256) = Y + +; +; Supported authentication algorithms of a mlx5 crypto driver. +; +[Auth] + +; +; Supported AEAD algorithms of a mlx5 crypto driver. +; +[AEAD] + +; +; Supported Asymmetric algorithms of a mlx5 crypto driver. +; +[Asymmetric] diff --git a/doc/guides/cryptodevs/index.rst b/doc/guides/cryptodevs/index.rst index 279f56a002..747409c441 100644 --- a/doc/guides/cryptodevs/index.rst +++ b/doc/guides/cryptodevs/index.rst @@ -22,6 +22,7 @@ Crypto Device Drivers octeontx octeontx2 openssl + mlx5 mvsam nitrox null diff --git a/doc/guides/cryptodevs/mlx5.rst b/doc/guides/cryptodevs/mlx5.rst new file mode 100644 index 0000000000..4ccec78be8 --- /dev/null +++ b/doc/guides/cryptodevs/mlx5.rst @@ -0,0 +1,152 @@ +.. SPDX-License-Identifier: BSD-3-Clause + Copyright 2021 Mellanox Technologies, Ltd + +.. include:: + +MLX5 Crypto Driver +================== + +The MLX5 crypto driver library +(**librte_crypto_mlx5**) provides support for **Mellanox ConnectX-6** +family adapters. + +Overview +-------- + +The device can provide disk encryption services, allowing data encryption +and decryption towards a disk. Having all encryption/decryption +operations done in a single device can reduce cost and overheads of the related +FIPS certification, as ConnectX-6 is FIPS 140-2 level-2 ready. +The encryption cipher is AES-XTS of 256/512 key size. + +MKEY is a memory region object in the hardware, that holds address translation information and +attributes per memory area. Its ID must be tied to addresses provided to the hardware. +The encryption operations are performed with MKEY read\write transactions, when +the MKEY is configured to perform crypto operations. + +The encryption does not require text to be aligned to the AES block size (128b). + +In order to move the device to crypto operational mode, credential and KEK +(Key Encrypting Key) should be set as the first step. +The credential will be used by the software in order to perform crypto login, and the KEK is +the AES Key Wrap Algorithm (rfc3394) key that will be used for sensitive data +wrapping. +The credential and the AES-XTS keys should be provided to the hardware, as ciphertext +encrypted by the KEK. + +A keytag (64 bits) should be appended to the AES-XTS keys (before wrapping), +and will be validated when the hardware attempts to access it. + +For security reasons and to increase robustness, this driver only deals with virtual +memory addresses. The way resources allocations are handled by the kernel, +combined with hardware specifications that allow handling virtual memory +addresses directly, ensure that DPDK applications cannot access random +physical memory (or memory that does not belong to the current process). + +The PMD uses libibverbs and libmlx5 to access the device firmware or to +access the hardware components directly. +There are different levels of objects and bypassing abilities. +To get the best performances: + +- Verbs is a complete high-level generic API. +- Direct Verbs is a device-specific API. +- DevX allows to access firmware objects. + +Enabling librte_crypto_mlx5 causes DPDK applications to be linked against +libibverbs. + +Mellanox mlx5 PCI device can be probed by a number of different PCI devices, such as +net / vDPA / RegEx. To select the crypto PMD, ``class=crypto`` +should be specified as a device parameter. The crypto device can be probed and +used with other Mellanox classes by adding more options in the class. +For example: ``class=net:crypto`` will probe both the net PMD and the crypto +PMD. + +When crypto engines are defined to work in wrapped import method, they come out +of the factory in Commissioning mode, and thus, cannot be used for crypto operations +yet. A dedicated tool is used for changing the mode from Commissioning to +Operational, while setting the first import_KEK and credential in plaintext. +The mlxreg dedicated tool should be used as follows: + +- Set CRYPTO_OPERATIONAL register to set the device in crypto operational mode. + + The input to this tool is: + The first credential in plaintext, 40B. + The first import_KEK in plaintext: kek size 0 for 16B or 1 for 32B, kek data. + + Example: + mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL --get + + The "wrapped_crypto_operational" value will be "0x00000000". + The command to set the register should be executed only once, and all the + values mentioned above should be specified in the same command. + + Example: + mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL + --set "credential[0]=0x10000000, credential[1]=0x10000000, kek[0]=0x00000000" + + All values not specified will remain 0. + "wrapped_crypto_going_to_commissioning" and "wrapped_crypto_operational" + should not be specified. + + All the device ports should set it in order to move to operational mode. + +- Query CRYPTO_OPERATIONAL register to make sure the device is in Operational + mode. + + Example: + mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL --get + The "wrapped_crypto_operational" value will be "0x00000001" if the mode was + successfully changed to operational mode. + + +Driver options +-------------- + +- ``class`` parameter [string] + + Select the class of the driver that should probe the device. + `crypto` for the mlx5 crypto driver. + +- ``wcs_file`` parameter [string] - mandatory + + File path including only the wrapped credential in string format of hexadecimal + numbers, represent 48 bytes (8 bytes IV added by the AES key wrap algorithm). + +- ``import_kek_id`` parameter [int] + + The identifier of the KEK, default value is 0 represents the operational + register import_kek.. + +- ``credential_id`` parameter [int] + + The identifier of the credential, default value is 0 represents the operational + register credential. + +- ``max_segs_num`` parameter [int] + + Maximum number of mbuf chain segments(src or dest), default value is 8. + +- ``keytag`` parameter [int] + + The plaintext of the keytag appanded to the AES-XTS keys, default value is 0. + + +Limitations +----------- + +- AES-XTS keys provided in Xform must include keytag and should be wrappend. +- The supported data-unit lengths are: 512B, 1KB, 1MB. In case the `dataunit_len` + is not provided in the cipher Xform, the OP length is limitted to the above values. + + +Supported NICs +-------------- + +* Mellanox\ |reg| ConnectX\ |reg|-6 200G MCX654106A-HCAT (2x200G) + +Prerequisites +------------- + +- Mellanox OFED version: **5.3** + see :doc:`../../nics/mlx5` guide for more Mellanox OFED details. diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst index 0970a2331a..9030fd8b98 100644 --- a/doc/guides/rel_notes/release_21_05.rst +++ b/doc/guides/rel_notes/release_21_05.rst @@ -275,6 +275,11 @@ New Features * Added support for crypto adapter forward mode in octeontx2 event and crypto device driver. +* **Added support for Nvidia crypto device driver.** + + * Added mlx5 crypto driver to support AES-XTS cipher operations. + the first device to support it is ConnectX-6. + Removed Items ------------- diff --git a/drivers/crypto/mlx5/mlx5_crypto.c b/drivers/crypto/mlx5/mlx5_crypto.c index 896ca60866..f318ff4682 100644 --- a/drivers/crypto/mlx5/mlx5_crypto.c +++ b/drivers/crypto/mlx5/mlx5_crypto.c @@ -22,6 +22,14 @@ #define MLX5_CRYPTO_LOG_NAME pmd.crypto.mlx5 #define MLX5_CRYPTO_MAX_QPS 1024 #define MLX5_CRYPTO_MAX_SEGS 56 +#define MLX5_CRYPTO_FEATURE_FLAGS \ + (RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_HW_ACCELERATED | \ + RTE_CRYPTODEV_FF_IN_PLACE_SGL | RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | \ + RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | \ + RTE_CRYPTODEV_FF_OOP_LB_IN_SGL_OUT | \ + RTE_CRYPTODEV_FF_OOP_LB_IN_LB_OUT | \ + RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY | \ + RTE_CRYPTODEV_FF_CIPHER_MULTIPLE_DATA_UNITS) TAILQ_HEAD(mlx5_crypto_privs, mlx5_crypto_priv) mlx5_crypto_priv_list = TAILQ_HEAD_INITIALIZER(mlx5_crypto_priv_list); @@ -31,8 +39,32 @@ int mlx5_crypto_logtype; uint8_t mlx5_crypto_driver_id; -const struct rte_cryptodev_capabilities - mlx5_crypto_caps[RTE_CRYPTO_OP_TYPE_UNDEFINED]; +const struct rte_cryptodev_capabilities mlx5_crypto_caps[] = { + { /* AES XTS */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER, + {.cipher = { + .algo = RTE_CRYPTO_CIPHER_AES_XTS, + .block_size = 16, + .key_size = { + .min = 32, + .max = 64, + .increment = 32 + }, + .iv_size = { + .min = 16, + .max = 16, + .increment = 0 + }, + .dataunit_set = + RTE_CRYPTO_CIPHER_DATA_UNIT_LEN_512_BYTES | + RTE_CRYPTO_CIPHER_DATA_UNIT_LEN_4096_BYTES, + }, } + }, } + }, +}; + static const char mlx5_crypto_drv_name[] = RTE_STR(MLX5_CRYPTO_DRIVER_NAME); @@ -67,7 +99,7 @@ mlx5_crypto_dev_infos_get(struct rte_cryptodev *dev, RTE_SET_USED(dev); if (dev_info != NULL) { dev_info->driver_id = mlx5_crypto_driver_id; - dev_info->feature_flags = 0; + dev_info->feature_flags = MLX5_CRYPTO_FEATURE_FLAGS; dev_info->capabilities = mlx5_crypto_caps; dev_info->max_nb_queue_pairs = MLX5_CRYPTO_MAX_QPS; dev_info->min_mbuf_headroom_req = 0; @@ -954,6 +986,7 @@ mlx5_crypto_pci_probe(struct rte_pci_driver *pci_drv, crypto_dev->dev_ops = &mlx5_crypto_ops; crypto_dev->dequeue_burst = mlx5_crypto_dequeue_burst; crypto_dev->enqueue_burst = mlx5_crypto_enqueue_burst; + crypto_dev->feature_flags = MLX5_CRYPTO_FEATURE_FLAGS; crypto_dev->driver_id = mlx5_crypto_driver_id; priv = crypto_dev->data->dev_private; priv->ctx = ctx; -- 2.25.1