From: Suanming Mou
To: ,
CC: , ,
Date: Tue, 20 Jul 2021 16:09:36 +0300
Message-ID: <20210720130944.5407-8-suanmingm@nvidia.com>
X-Mailer: git-send-email 2.18.1
In-Reply-To: <20210720130944.5407-1-suanmingm@nvidia.com>
References: <20210408204849.9543-1-shirik@nvidia.com> <20210720130944.5407-1-suanmingm@nvidia.com>
Subject: [dpdk-dev] [PATCH v9 07/15] crypto/mlx5: create login object using DevX
List-Id: DPDK patches and discussions

From: Shiri Kuzin

To work with crypto engines that are marked with wrapped_import_method, a login session is required.
A crypto login object needs to be created using DevX.

The crypto login object contains:
- The credential pointer.
- The import_KEK pointer to be used for all secured information communicated in crypto commands (key fields), including the provided credential in this command.
- The credential secret, wrapped by the import_KEK indicated in this command. Size includes 8 bytes IV for wrapping.

Added devargs for the required login values:
- wcs_file - path to the file containing the credential.
- import_kek_id - the import KEK pointer.
- credential_id - the credential pointer.

Create the login DevX object in the pci_probe function and destroy it in pci_remove.
Destroying the crypto login object means logout.

Signed-off-by: Shiri Kuzin
Acked-by: Matan Azrad
---
 doc/guides/cryptodevs/mlx5.rst    |  60 +++++++++++++++++
 drivers/crypto/mlx5/mlx5_crypto.c | 103 ++++++++++++++++++++++++++++++
 drivers/crypto/mlx5/mlx5_crypto.h |   7 ++
 3 files changed, 170 insertions(+)

diff --git a/doc/guides/cryptodevs/mlx5.rst b/doc/guides/cryptodevs/mlx5.rst
index c41db95d40..c316bfdc58 100644
--- a/doc/guides/cryptodevs/mlx5.rst
+++ b/doc/guides/cryptodevs/mlx5.rst
@@ -44,6 +44,51 @@ To get the best performances: Enabling librte_crypto_mlx5 causes DPDK applications to be linked against libibverbs. +In order to move the device to crypto operational mode, credential and KEK +(Key Encrypting Key) should be set as the first step. +The credential will be used by the software in order to perform crypto login, and the KEK is +the AES Key Wrap Algorithm (rfc3394) key that will be used for sensitive data +wrapping. +The credential and the AES-XTS keys should be provided to the hardware, as ciphertext +encrypted by the KEK. + +When crypto engines are defined to work in wrapped import method, they come out +of the factory in Commissioning mode, and thus, cannot be used for crypto operations +yet. A dedicated tool is used for changing the mode from Commissioning to +Operational, while setting the first import_KEK and credential in plaintext. +The mlxreg dedicated tool should be used as follows: + +- Set CRYPTO_OPERATIONAL register to set the device in crypto operational mode. + + The input to this tool is: + The first credential in plaintext, 40B. + The first import_KEK in plaintext: kek size 0 for 16B or 1 for 32B, kek data. + + Example: + mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL --get + + The "wrapped_crypto_operational" value will be "0x00000000". + The command to set the register should be executed only once, and all the + values mentioned above should be specified in the same command. + + Example: + mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL + --set "credential[0]=0x10000000, credential[1]=0x10000000, kek[0]=0x00000000" + + All values not specified will remain 0. + "wrapped_crypto_going_to_commissioning" and "wrapped_crypto_operational" + should not be specified. + + All the device ports should set it in order to move to operational mode. + +- Query CRYPTO_OPERATIONAL register to make sure the device is in Operational + mode. 
+ + Example: + mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL --get + The "wrapped_crypto_operational" value will be "0x00000001" if the mode was + successfully changed to operational mode. + Driver options -------------- @@ -53,6 +98,21 @@ Driver options Select the class of the driver that should probe the device. `crypto` for the mlx5 crypto driver. +- ``wcs_file`` parameter [string] - mandatory + + File path including only the wrapped credential in string format of hexadecimal + numbers, represent 48 bytes (8 bytes IV added by the AES key wrap algorithm). + +- ``import_kek_id`` parameter [int] + + The identifier of the KEK, default value is 0 represents the operational + register import_kek.. + +- ``credential_id`` parameter [int] + + The identifier of the credential, default value is 0 represents the operational + register credential. + Supported NICs -------------- diff --git a/drivers/crypto/mlx5/mlx5_crypto.c b/drivers/crypto/mlx5/mlx5_crypto.c index 9416590aba..a16578b3af 100644 --- a/drivers/crypto/mlx5/mlx5_crypto.c +++ b/drivers/crypto/mlx5/mlx5_crypto.c 
@@ -455,6 +455,101 @@ mlx5_crypto_hw_global_prepare(struct mlx5_crypto_priv *priv) return 0; } + +static int +mlx5_crypto_args_check_handler(const char *key, const char *val, void *opaque) +{ + struct mlx5_crypto_devarg_params *devarg_prms = opaque; + struct mlx5_devx_crypto_login_attr *attr = &devarg_prms->login_attr; + unsigned long tmp; + FILE *file; + int ret; + int i; + + if (strcmp(key, "class") == 0) + return 0; + if (strcmp(key, "wcs_file") == 0) { + file = fopen(val, "rb"); + if (file == NULL) { + rte_errno = ENOTSUP; + return -rte_errno; + } + for (i = 0 ; i < MLX5_CRYPTO_CREDENTIAL_SIZE ; i++) { + ret = fscanf(file, "%02hhX", &attr->credential[i]); + if (ret <= 0) { + fclose(file); + DRV_LOG(ERR, + "Failed to read credential from file."); + rte_errno = EINVAL; + return -rte_errno; + } + } + fclose(file); + devarg_prms->login_devarg = true; + return 0; + } + errno = 0; + tmp = strtoul(val, NULL, 0); + if (errno) { + DRV_LOG(WARNING, "%s: \"%s\" is an invalid integer.", key, val); + return -errno; + } + if (strcmp(key, "import_kek_id") == 0) + attr->session_import_kek_ptr = (uint32_t)tmp; + else if (strcmp(key, "credential_id") == 0) + attr->credential_pointer = (uint32_t)tmp; + else + DRV_LOG(WARNING, "Invalid key %s.", key); + return 0; +} + +static struct mlx5_devx_obj * +mlx5_crypto_config_login(struct rte_devargs *devargs, + struct ibv_context *ctx) +{ + /* + * Set credential pointer and session import KEK pointer to a default + * value of 0. 
+ */ + struct mlx5_crypto_devarg_params login = { + .login_devarg = false, + .login_attr = { + .credential_pointer = 0, + .session_import_kek_ptr = 0, + } + }; + struct rte_kvargs *kvlist; + + if (devargs == NULL) { + DRV_LOG(ERR, + "No login devargs in order to enable crypto operations in the device."); + rte_errno = EINVAL; + return NULL; + } + kvlist = rte_kvargs_parse(devargs->args, NULL); + if (kvlist == NULL) { + DRV_LOG(ERR, "Failed to parse devargs."); + rte_errno = EINVAL; + return NULL; + } + if (rte_kvargs_process(kvlist, NULL, mlx5_crypto_args_check_handler, + &login) != 0) { + DRV_LOG(ERR, "Devargs handler function Failed."); + rte_kvargs_free(kvlist); + rte_errno = EINVAL; + return NULL; + } + rte_kvargs_free(kvlist); + if (login.login_devarg == false) { + DRV_LOG(ERR, + "No login credential devarg in order to enable crypto operations " + "in the device."); + rte_errno = EINVAL; + return NULL; + } + return mlx5_devx_cmd_create_crypto_login_obj(ctx, &login.login_attr); +} + /** * Callback for memory event. * @@ -510,6 +605,7 @@ mlx5_crypto_pci_probe(struct rte_pci_driver *pci_drv, struct ibv_device *ibv; struct rte_cryptodev *crypto_dev; struct ibv_context *ctx; + struct mlx5_devx_obj *login; struct mlx5_crypto_priv *priv; struct mlx5_hca_attr attr = { 0 }; struct rte_cryptodev_pmd_init_params init_params = { @@ -548,6 +644,11 @@ mlx5_crypto_pci_probe(struct rte_pci_driver *pci_drv, rte_errno = ENOTSUP; return -ENOTSUP; } + login = mlx5_crypto_config_login(pci_dev->device.devargs, ctx); + if (login == NULL) { + DRV_LOG(ERR, "Failed to configure login."); + return -rte_errno; + } crypto_dev = rte_cryptodev_pmd_create(ibv->name, &pci_dev->device, &init_params); if (crypto_dev == NULL) { 
@@ -564,6 +665,7 @@ mlx5_crypto_pci_probe(struct rte_pci_driver *pci_drv, crypto_dev->driver_id = mlx5_crypto_driver_id; priv = crypto_dev->data->dev_private; priv->ctx = ctx; + priv->login_obj = login; priv->pci_dev = pci_dev; priv->crypto_dev = crypto_dev; if (mlx5_crypto_hw_global_prepare(priv) != 0) { @@ -612,6 +714,7 @@ mlx5_crypto_pci_remove(struct rte_pci_device *pdev) mlx5_mr_release_cache(&priv->mr_scache); mlx5_crypto_hw_global_release(priv); rte_cryptodev_pmd_destroy(priv->crypto_dev); + claim_zero(mlx5_devx_cmd_destroy(priv->login_obj)); claim_zero(mlx5_glue->close_device(priv->ctx)); } return 0; diff --git a/drivers/crypto/mlx5/mlx5_crypto.h b/drivers/crypto/mlx5/mlx5_crypto.h index af292ed19f..9df982b23e 100644 --- a/drivers/crypto/mlx5/mlx5_crypto.h +++ b/drivers/crypto/mlx5/mlx5_crypto.h @@ -29,6 +29,7 @@ struct mlx5_crypto_priv { struct mlx5_hlist *dek_hlist; /* Dek hash list. */ struct rte_cryptodev_config dev_config; struct mlx5_mr_share_cache mr_scache; /* Global shared MR cache. */ + struct mlx5_devx_obj *login_obj; }; struct mlx5_crypto_qp { @@ -48,6 +49,12 @@ struct mlx5_crypto_dek { bool size_is_48; /* Whether the key\data size is 48 bytes or not. */ } __rte_cache_aligned; + +struct mlx5_crypto_devarg_params { + bool login_devarg; + struct mlx5_devx_crypto_login_attr login_attr; +}; + int mlx5_crypto_dek_destroy(struct mlx5_crypto_priv *priv, struct mlx5_crypto_dek *dek); -- 2.25.1
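Review bot: in the first mlx5.rst hunk (the CRYPTO_OPERATIONAL procedure), the `--set` example passes the first credential and import_KEK in plaintext on the mlxreg command line (`credential[0]=0x10000000, credential[1]=0x10000000, kek[0]=0x00000000`), so they land in shell history and are visible to other users through the process list while the command runs; the guide should say that these values are placeholders, that real ones must come from a cryptographic random source, and that the command should be issued in a way that keeps them out of history. The example also sets only two credential words although the text says the credential is 40B, and it does not show where the "kek size 0 for 16B or 1 for 32B" selector goes; one complete example would remove the guesswork. Minor wording: "All the device ports should set it in order to move to operational mode" reads better as "The register must be set on all ports of the device for it to move to operational mode".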
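Review bot: the `wcs_file` entry in the Driver options hunk should state the exact accepted format, since the driver parses it with `fscanf(file, "%02hhX", ...)` in a loop of MLX5_CRYPTO_CREDENTIAL_SIZE bytes: 96 hexadecimal digits with no `0x` prefix, whitespace between byte pairs allowed, and anything after the 48th byte ignored. Same hunk: "operational register import_kek.." has a doubled period, and the `import_kek_id` / `credential_id` entries should give the valid range, as the handler casts them to `uint32_t`.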
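Review bot: in the `mlx5_crypto_args_check_handler` hunk, the `fopen` failure path sets `rte_errno = ENOTSUP` and logs nothing, so a mistyped path or an unreadable file is reported as "not supported"; propagate `errno` from `fopen` (ENOENT, EACCES) and add a `DRV_LOG(ERR, ...)` as the fscanf failure branch has. In the same hunk, `strtoul(val, NULL, 0)` never fails on trailing garbage, so `import_kek_id=12abc` silently becomes 12 and `credential_id=-1` becomes a large positive pointer; pass an end pointer and reject `*end != '\0'`, a leading '-', and values above UINT32_MAX before the cast to `uint32_t`. Also, `mlx5_crypto_config_login` leaves the wrapped credential in `login.login_attr` on the stack after `mlx5_devx_cmd_create_crypto_login_obj` returns; clearing it explicitly (plain memset may be optimised away, so use explicit_bzero or an equivalent where available) limits how long the login secret lingers in process memory. Finally, passing NULL as the valid-keys list to `rte_kvargs_parse` means unknown keys are only warned about by the handler; a valid-keys array would reject them at parse time.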
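Review bot: in the `mlx5_crypto_pci_probe` hunk that calls `mlx5_crypto_config_login`, the login object is created before `rte_cryptodev_pmd_create`, but the only `mlx5_devx_cmd_destroy(priv->login_obj)` in the patch is in `mlx5_crypto_pci_remove`. Every failure path after `login` is created (the visible `crypto_dev == NULL` branch and the later `mlx5_crypto_hw_global_prepare` failure) needs to destroy it, otherwise a failed probe leaves the engine logged in with no handle to log it out. The new `login == NULL` branch also returns straight out like the `ENOTSUP` branch above it; if that branch relies on cleanup of `ctx` not visible in this hunk, the new one needs the same.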
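Review bot: the `mlx5_crypto_pci_remove` hunk destroys the login object after `rte_cryptodev_pmd_destroy` and before `close_device`, which is the right order (the DevX destroy needs the context and the queues should be gone first). Since the commit message equates destroying the object with logout, a one-line comment such as `/* Logout. */` beside the `claim_zero` would make that intent visible in the code.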
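Review bot: in the mlx5_crypto.h hunk adding `login_obj` to `struct mlx5_crypto_priv`, the neighbouring fields carry trailing comments (`/* Dek hash list. */`, `/* Global shared MR cache. */`); give the new one the same treatment, e.g. `struct mlx5_devx_obj *login_obj; /* Crypto login DevX object. */`.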
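Review bot: `struct mlx5_crypto_devarg_params` in the second mlx5_crypto.h hunk has no field comments, and `login_devarg` says only that some devarg was seen; the handler sets it exactly when `wcs_file` was read, so a name like `wcs_file_given` or a comment `/* wcs_file devarg was parsed. */` would save the reader a trip to the parser.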
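For readers of the `wcs_file` handling in this patch, an added example (my own code, not part of the DPDK mlx5 crypto PMD): a stricter parser for the wrapped-credential file and for the `import_kek_id` / `credential_id` devargs. The driver reads the file with `fscanf("%02hhX")` in a loop of MLX5_CRYPTO_CREDENTIAL_SIZE bytes and the ids with `strtoul(val, NULL, 0)`; this version accepts the same format (48 bytes as hex pairs, whitespace tolerated) but rejects short files, trailing data, a `0x` prefix, and integer values with trailing garbage or outside the 32-bit range. The size constants follow the documentation in the patch (40-byte credential plus the 8-byte AES key wrap IV gives 48 bytes). The sample file text is constructed (a repeated byte pattern), not a real wrapped credential, and the function names are my own.

```c
/*
 * Added example, not code from the DPDK mlx5 crypto PMD: strict parsing of
 * wcs_file contents and of the import_kek_id / credential_id devargs.
 * Sizes follow the patch's documentation: a 40-byte credential wrapped with
 * AES key wrap (RFC 3394) gains an 8-byte IV, giving 48 bytes in the file.
 */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CREDENTIAL_PLAIN_SIZE   40
#define AES_KEY_WRAP_IV_SIZE    8
#define WRAPPED_CREDENTIAL_SIZE (CREDENTIAL_PLAIN_SIZE + AES_KEY_WRAP_IV_SIZE)

/* Constructed sample file text: 96 hex digits on three lines. Not a real wrapped credential. */
#define SAMPLE_WCS \
    "00112233445566778899aabbccddeeff\n" \
    "00112233445566778899aabbccddeeff\n" \
    "00112233445566778899aabbccddeeff\n"

static int hex_nibble(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    if (c >= 'A' && c <= 'F')
        return c - 'A' + 10;
    return -1; /* also hit for the NUL terminator */
}

/*
 * Decode exactly WRAPPED_CREDENTIAL_SIZE bytes of hex from text. Whitespace
 * between byte pairs is tolerated, as with the driver's fscanf("%02hhX") loop,
 * but a "0x" prefix, an odd digit count, too few bytes, or data after the 48th
 * byte are rejected instead of being silently accepted or ignored.
 * Returns 0 on success, -EINVAL otherwise.
 */
int parse_wrapped_credential(const char *text, uint8_t out[WRAPPED_CREDENTIAL_SIZE])
{
    const char *p = text;
    size_t n = 0;

    while (*p != '\0') {
        if (isspace((unsigned char)*p)) {
            p++;
            continue;
        }
        if (n == WRAPPED_CREDENTIAL_SIZE)
            return -EINVAL; /* trailing data after the 48th byte */
        int hi = hex_nibble((unsigned char)p[0]);
        int lo = hex_nibble((unsigned char)p[1]); /* p[1] is at worst the NUL */
        if (hi < 0 || lo < 0)
            return -EINVAL; /* not a complete hex byte pair */
        out[n++] = (uint8_t)((hi << 4) | lo);
        p += 2;
    }
    return n == WRAPPED_CREDENTIAL_SIZE ? 0 : -EINVAL; /* short file */
}

/*
 * Read a wcs_file and parse it. fopen() errors are propagated as they are
 * (ENOENT, EACCES, ...) rather than collapsed into ENOTSUP, and the text
 * buffer is cleared afterwards so the wrapped credential does not linger on
 * the stack (memset may be elided by the compiler; prefer explicit_bzero or
 * memset_s where available).
 */
int load_wcs_file(const char *path, uint8_t out[WRAPPED_CREDENTIAL_SIZE])
{
    char buf[512];
    size_t len;
    int ret;
    FILE *f = fopen(path, "rb");

    if (f == NULL)
        return -errno;
    len = fread(buf, 1, sizeof(buf) - 1, f);
    if (ferror(f) || !feof(f)) { /* read error, or far larger than any valid wcs_file */
        fclose(f);
        return -EINVAL;
    }
    fclose(f);
    buf[len] = '\0';
    ret = parse_wrapped_credential(buf, out);
    memset(buf, 0, sizeof(buf));
    return ret;
}

/*
 * Parse an unsigned 32-bit devarg such as import_kek_id=0x1 with the same base
 * auto-detection as the driver's strtoul(val, NULL, 0), but reject empty input,
 * a leading '-' or whitespace, trailing garbage ("12abc") and values that do
 * not fit the 32-bit pointer fields. Returns 0, -EINVAL or -ERANGE.
 */
int parse_devarg_u32(const char *val, uint32_t *out)
{
    char *end;
    unsigned long v;

    if (val == NULL || *val == '\0' || *val == '-' || isspace((unsigned char)*val))
        return -EINVAL;
    errno = 0;
    v = strtoul(val, &end, 0);
    if (errno == ERANGE || v > UINT32_MAX)
        return -ERANGE;
    if (end == val || *end != '\0')
        return -EINVAL;
    *out = (uint32_t)v;
    return 0;
}

/* Scratch storage so the parsers can be exercised without locals in the caller. */
static uint8_t scratch_cred[WRAPPED_CREDENTIAL_SIZE];
static uint32_t scratch_id;

int main(void)
{
    printf("sample wcs text: %s\n",
           parse_wrapped_credential(SAMPLE_WCS, scratch_cred) == 0 ? "ok" : "rejected");
    printf("import_kek_id=12abc: %s\n",
           parse_devarg_u32("12abc", &scratch_id) == 0 ? "accepted" : "rejected");
    printf("import_kek_id=0x10: %s\n",
           parse_devarg_u32("0x10", &scratch_id) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The two parsers are drop-in shapes for the `wcs_file` and integer branches of the handler: the file parser reports a short or malformed file as EINVAL only after consuming the whole text, so a 47-byte file and a file with a stray `0x` are distinguishable from a missing file (ENOENT from `load_wcs_file`), and the integer parser refuses the `12abc` and `-1` inputs that `strtoul` with a NULL end pointer turns into 12 and a large positive value.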