* [dpdk-dev] [PATCH 1/8] common/cnxk: add hash generation APIs
2021-08-31 14:01 [dpdk-dev] [PATCH 0/8] add lookaside IPsec additional features Tejasree Kondoj
@ 2021-08-31 14:01 ` Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 2/8] crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support Tejasree Kondoj
` (6 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Tejasree Kondoj @ 2021-08-31 14:01 UTC (permalink / raw)
To: Akhil Goyal
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev
Adding functions for hash generation that can be used
in hmac opad/ipad calculation.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
drivers/common/cnxk/meson.build | 1 +
drivers/common/cnxk/roc_api.h | 3 +
drivers/common/cnxk/roc_hash.c | 275 ++++++++++++++++++++++++++++++++
drivers/common/cnxk/roc_hash.h | 16 ++
drivers/common/cnxk/version.map | 3 +
5 files changed, 298 insertions(+)
create mode 100644 drivers/common/cnxk/roc_hash.c
create mode 100644 drivers/common/cnxk/roc_hash.h
diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index 6a7849f31c..8a551d15d6 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -19,6 +19,7 @@ sources = files(
'roc_cpt.c',
'roc_cpt_debug.c',
'roc_dev.c',
+ 'roc_hash.c',
'roc_idev.c',
'roc_irq.c',
'roc_mbox.c',
diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h
index 52cb2f2d79..9c06cfee9a 100644
--- a/drivers/common/cnxk/roc_api.h
+++ b/drivers/common/cnxk/roc_api.h
@@ -125,4 +125,7 @@
#include "roc_ie_ot.h"
#include "roc_se.h"
+/* HASH computation */
+#include "roc_hash.h"
+
#endif /* _ROC_API_H_ */
diff --git a/drivers/common/cnxk/roc_hash.c b/drivers/common/cnxk/roc_hash.c
new file mode 100644
index 0000000000..092286e41e
--- /dev/null
+++ b/drivers/common/cnxk/roc_hash.c
@@ -0,0 +1,275 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (c) 2021 Marvell.
+ */
+
+#include "roc_api.h"
+
+#define lrot32(bits, word) (((word) << (bits)) | ((word) >> (32 - (bits))))
+#define rrot32(bits, word) lrot32(32 - (bits), word)
+#define lrot64(bits, word) (((word) << (bits)) | ((word) >> (64 - (bits))))
+#define rrot64(bits, word) lrot64(64 - (bits), word)
+
+/*
+ * Compute a partial hash with the assumption that msg is the first block.
+ * Based on implementation from RFC 3174
+ */
+void
+roc_hash_sha1_gen(uint8_t *msg, uint32_t *hash)
+{
+ const uint32_t _K[] = {/* Round Constants defined in SHA-1 */
+ 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6};
+
+ const uint32_t _H[] = {/* Initial Hash constants defined in SHA-1 */
+ 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476,
+ 0xC3D2E1F0};
+ int i;
+ uint32_t temp; /* Temporary word value */
+ uint32_t W[80]; /* Word sequence */
+ uint32_t A, B, C, D, E; /* Word buffers */
+
+ /* Initialize the first 16 words in the array W */
+ memcpy(&W[0], msg, 16 * sizeof(W[0]));
+
+ for (i = 0; i < 16; i++)
+ W[i] = htobe32(W[i]);
+
+ for (i = 16; i < 80; i++)
+ W[i] = lrot32(1, W[i - 3] ^ W[i - 8] ^ W[i - 14] ^ W[i - 16]);
+
+ A = _H[0];
+ B = _H[1];
+ C = _H[2];
+ D = _H[3];
+ E = _H[4];
+
+ for (i = 0; i < 80; i++) {
+ if (i >= 0 && i <= 19)
+ temp = ((B & C) | ((~B) & D)) + _K[0];
+ else if (i >= 20 && i <= 39)
+ temp = (B ^ C ^ D) + _K[1];
+ else if (i >= 40 && i <= 59)
+ temp = ((B & C) | (B & D) | (C & D)) + _K[2];
+ else if (i >= 60 && i <= 79)
+ temp = (B ^ C ^ D) + _K[3];
+
+ temp = lrot32(5, A) + temp + E + W[i];
+ E = D;
+ D = C;
+ C = lrot32(30, B);
+ B = A;
+ A = temp;
+ }
+
+ A += _H[0];
+ B += _H[1];
+ C += _H[2];
+ D += _H[3];
+ E += _H[4];
+ hash[0] = htobe32(A);
+ hash[1] = htobe32(B);
+ hash[2] = htobe32(C);
+ hash[3] = htobe32(D);
+ hash[4] = htobe32(E);
+}
+
+/*
+ * Compute a partial hash with the assumption that msg is the first block.
+ * Based on implementation from RFC 3174
+ */
+void
+roc_hash_sha256_gen(uint8_t *msg, uint32_t *hash)
+{
+ const uint32_t _K[] = {
+ /* Round Constants defined in SHA-256 */
+ 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b,
+ 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01,
+ 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7,
+ 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
+ 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152,
+ 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
+ 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc,
+ 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+ 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819,
+ 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08,
+ 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f,
+ 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+ 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2};
+
+ const uint32_t _H[] = {/* Initial Hash constants defined in SHA-256 */
+ 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
+ 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
+ int i;
+ uint32_t temp[4], S0, S1; /* Temporary word value */
+ uint32_t W[64]; /* Word sequence */
+ uint32_t A, B, C, D, E, F, G, H; /* Word buffers */
+
+ /* Initialize the first 16 words in the array W */
+ memcpy(&W[0], msg, 16 * sizeof(W[0]));
+
+ for (i = 0; i < 16; i++)
+ W[i] = htobe32(W[i]);
+
+ for (i = 16; i < 64; i++) {
+ S0 = rrot32(7, W[i - 15]) ^ rrot32(18, W[i - 15]) ^
+ (W[i - 15] >> 3);
+ S1 = rrot32(17, W[i - 2]) ^ rrot32(19, W[i - 2]) ^
+ (W[i - 2] >> 10);
+ W[i] = W[i - 16] + S0 + W[i - 7] + S1;
+ }
+
+ A = _H[0];
+ B = _H[1];
+ C = _H[2];
+ D = _H[3];
+ E = _H[4];
+ F = _H[5];
+ G = _H[6];
+ H = _H[7];
+
+ for (i = 0; i < 64; i++) {
+ S1 = rrot32(6, E) ^ rrot32(11, E) ^ rrot32(25, E);
+ temp[0] = (E & F) ^ ((~E) & G);
+ temp[1] = H + S1 + temp[0] + _K[i] + W[i];
+ S0 = rrot32(2, A) ^ rrot32(13, A) ^ rrot32(22, A);
+ temp[2] = (A & B) ^ (A & C) ^ (B & C);
+ temp[3] = S0 + temp[2];
+
+ H = G;
+ G = F;
+ F = E;
+ E = D + temp[1];
+ D = C;
+ C = B;
+ B = A;
+ A = temp[1] + temp[3];
+ }
+
+ A += _H[0];
+ B += _H[1];
+ C += _H[2];
+ D += _H[3];
+ E += _H[4];
+ F += _H[5];
+ G += _H[6];
+ H += _H[7];
+ hash[0] = htobe32(A);
+ hash[1] = htobe32(B);
+ hash[2] = htobe32(C);
+ hash[3] = htobe32(D);
+ hash[4] = htobe32(E);
+ hash[5] = htobe32(F);
+ hash[6] = htobe32(G);
+ hash[7] = htobe32(H);
+}
+
+/*
+ * Compute a partial hash with the assumption that msg is the first block.
+ * Based on implementation from RFC 3174
+ */
+void
+roc_hash_sha512_gen(uint8_t *msg, uint64_t *hash, int hash_size)
+{
+ const uint64_t _K[] = {
+ /* Round Constants defined in SHA-512 */
+ 0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f,
+ 0xe9b5dba58189dbbc, 0x3956c25bf348b538, 0x59f111f1b605d019,
+ 0x923f82a4af194f9b, 0xab1c5ed5da6d8118, 0xd807aa98a3030242,
+ 0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
+ 0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235,
+ 0xc19bf174cf692694, 0xe49b69c19ef14ad2, 0xefbe4786384f25e3,
+ 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65, 0x2de92c6f592b0275,
+ 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
+ 0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f,
+ 0xbf597fc7beef0ee4, 0xc6e00bf33da88fc2, 0xd5a79147930aa725,
+ 0x06ca6351e003826f, 0x142929670a0e6e70, 0x27b70a8546d22ffc,
+ 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
+ 0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6,
+ 0x92722c851482353b, 0xa2bfe8a14cf10364, 0xa81a664bbc423001,
+ 0xc24b8b70d0f89791, 0xc76c51a30654be30, 0xd192e819d6ef5218,
+ 0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8,
+ 0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99,
+ 0x34b0bcb5e19b48a8, 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb,
+ 0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3, 0x748f82ee5defb2fc,
+ 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec,
+ 0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915,
+ 0xc67178f2e372532b, 0xca273eceea26619c, 0xd186b8c721c0c207,
+ 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178, 0x06f067aa72176fba,
+ 0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b,
+ 0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc,
+ 0x431d67c49c100d4c, 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a,
+ 0x5fcb6fab3ad6faec, 0x6c44198c4a475817};
+
+ const uint64_t _H384[] = {/* Initial Hash constants defined in SHA384 */
+ 0xcbbb9d5dc1059ed8, 0x629a292a367cd507,
+ 0x9159015a3070dd17, 0x152fecd8f70e5939,
+ 0x67332667ffc00b31, 0x8eb44a8768581511,
+ 0xdb0c2e0d64f98fa7, 0x47b5481dbefa4fa4};
+ const uint64_t _H512[] = {/* Initial Hash constants defined in SHA512 */
+ 0x6a09e667f3bcc908, 0xbb67ae8584caa73b,
+ 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1,
+ 0x510e527fade682d1, 0x9b05688c2b3e6c1f,
+ 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179};
+ int i;
+ uint64_t temp[4], S0, S1; /* Temporary word value */
+ uint64_t W[80]; /* Word sequence */
+ uint64_t A, B, C, D, E, F, G, H; /* Word buffers */
+ const uint64_t *_H = (hash_size == 384) ? _H384 : _H512;
+
+ /* Initialize the first 16 words in the array W */
+ memcpy(&W[0], msg, 16 * sizeof(W[0]));
+
+ for (i = 0; i < 16; i++)
+ W[i] = htobe64(W[i]);
+
+ for (i = 16; i < 80; i++) {
+ S0 = rrot64(1, W[i - 15]) ^ rrot64(8, W[i - 15]) ^
+ (W[i - 15] >> 7);
+ S1 = rrot64(19, W[i - 2]) ^ rrot64(61, W[i - 2]) ^
+ (W[i - 2] >> 6);
+ W[i] = W[i - 16] + S0 + W[i - 7] + S1;
+ }
+
+ A = _H[0];
+ B = _H[1];
+ C = _H[2];
+ D = _H[3];
+ E = _H[4];
+ F = _H[5];
+ G = _H[6];
+ H = _H[7];
+
+ for (i = 0; i < 80; i++) {
+ S1 = rrot64(14, E) ^ rrot64(18, E) ^ rrot64(41, E);
+ temp[0] = (E & F) ^ ((~E) & G);
+ temp[1] = H + S1 + temp[0] + _K[i] + W[i];
+ S0 = rrot64(28, A) ^ rrot64(34, A) ^ rrot64(39, A);
+ temp[2] = (A & B) ^ (A & C) ^ (B & C);
+ temp[3] = S0 + temp[2];
+
+ H = G;
+ G = F;
+ F = E;
+ E = D + temp[1];
+ D = C;
+ C = B;
+ B = A;
+ A = temp[1] + temp[3];
+ }
+
+ A += _H[0];
+ B += _H[1];
+ C += _H[2];
+ D += _H[3];
+ E += _H[4];
+ F += _H[5];
+ G += _H[6];
+ H += _H[7];
+ hash[0] = htobe64(A);
+ hash[1] = htobe64(B);
+ hash[2] = htobe64(C);
+ hash[3] = htobe64(D);
+ hash[4] = htobe64(E);
+ hash[5] = htobe64(F);
+ hash[6] = htobe64(G);
+ hash[7] = htobe64(H);
+}
diff --git a/drivers/common/cnxk/roc_hash.h b/drivers/common/cnxk/roc_hash.h
new file mode 100644
index 0000000000..1bc9222445
--- /dev/null
+++ b/drivers/common/cnxk/roc_hash.h
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (c) 2021 Marvell.
+ */
+
+#ifndef _ROC_HASH_H_
+#define _ROC_HASH_H_
+
+/*
+ * Compute a partial hash with the assumption that msg is the first block.
+ * Based on implementation from RFC 3174
+ */
+void __roc_api roc_hash_sha1_gen(uint8_t *msg, uint32_t *hash);
+void __roc_api roc_hash_sha256_gen(uint8_t *msg, uint32_t *hash);
+void __roc_api roc_hash_sha512_gen(uint8_t *msg, uint64_t *hash, int hash_size);
+
+#endif /* _ROC_HASH_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 2cbcc4b93a..34a844bfe8 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -64,6 +64,9 @@ INTERNAL {
roc_cpt_lmtline_init;
roc_cpt_rxc_time_cfg;
roc_error_msg_get;
+ roc_hash_sha1_gen;
+ roc_hash_sha256_gen;
+ roc_hash_sha512_gen;
roc_idev_cpt_get;
roc_idev_cpt_set;
roc_idev_lmt_base_addr_get;
--
2.27.0
^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-dev] [PATCH 2/8] crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support
2021-08-31 14:01 [dpdk-dev] [PATCH 0/8] add lookaside IPsec additional features Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 1/8] common/cnxk: add hash generation APIs Tejasree Kondoj
@ 2021-08-31 14:01 ` Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 3/8] crypto/cnxk: remove redundant code Tejasree Kondoj
` (5 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Tejasree Kondoj @ 2021-08-31 14:01 UTC (permalink / raw)
To: Akhil Goyal
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev
Adding lookaside IPsec AES-CBC-HMAC-SHA1 support to cnxk driver.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/cryptodevs/cnxk.rst | 1 +
doc/guides/rel_notes/release_21_11.rst | 4 ++
drivers/common/cnxk/cnxk_security.c | 68 ++++++++++++++++++-
drivers/crypto/cnxk/cn10k_ipsec.c | 63 ++++++++++++++++-
.../crypto/cnxk/cnxk_cryptodev_capabilities.c | 44 ++++++++++++
5 files changed, 176 insertions(+), 4 deletions(-)
diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 98c7118d68..a40295c087 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -231,6 +231,7 @@ Features supported
* ESP
* Tunnel mode
* AES-128/192/256-GCM
+* AES-128/192/256-CBC-SHA1-HMAC
Limitations
-----------
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index d707a554ef..0d9ce123aa 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -20,6 +20,10 @@ DPDK Release 21.11
make doc-guides-html
xdg-open build/doc/html/guides/rel_notes/release_21_11.html
+* **Updated Marvell cn10k_crypto PMD.**
+
+ * Added AES-CBC-SHA1-HMAC in lookaside protocol (IPsec).
+
New Features
------------
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index 6c6728f570..fe64e70c81 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -6,12 +6,43 @@
#include "cnxk_security.h"
+static void
+ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform,
+ uint8_t *hmac_opad_ipad)
+{
+ const uint8_t *key = auth_xform->auth.key.data;
+ uint32_t length = auth_xform->auth.key.length;
+ uint8_t opad[128] = {[0 ... 127] = 0x5c};
+ uint8_t ipad[128] = {[0 ... 127] = 0x36};
+ uint32_t i;
+
+ /* HMAC OPAD and IPAD */
+ for (i = 0; i < 127 && i < length; i++) {
+ opad[i] = opad[i] ^ key[i];
+ ipad[i] = ipad[i] ^ key[i];
+ }
+
+ /* Precompute hash of HMAC OPAD and IPAD to avoid
+ * per packet computation
+ */
+ switch (auth_xform->auth.algo) {
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ roc_hash_sha1_gen(opad, (uint32_t *)&hmac_opad_ipad[0]);
+ roc_hash_sha1_gen(ipad, (uint32_t *)&hmac_opad_ipad[24]);
+ break;
+ default:
+ break;
+ }
+}
+
static int
ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
uint8_t *cipher_key, uint8_t *salt_key,
+ uint8_t *hmac_opad_ipad,
struct rte_security_ipsec_xform *ipsec_xfrm,
struct rte_crypto_sym_xform *crypto_xfrm)
{
+ struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm;
const uint8_t *key;
uint32_t *tmp_salt;
uint64_t *tmp_key;
@@ -21,9 +52,13 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
switch (ipsec_xfrm->direction) {
case RTE_SECURITY_IPSEC_SA_DIR_INGRESS:
w2->s.dir = ROC_IE_OT_SA_DIR_INBOUND;
+ auth_xfrm = crypto_xfrm;
+ cipher_xfrm = crypto_xfrm->next;
break;
case RTE_SECURITY_IPSEC_SA_DIR_EGRESS:
w2->s.dir = ROC_IE_OT_SA_DIR_OUTBOUND;
+ cipher_xfrm = crypto_xfrm;
+ auth_xfrm = crypto_xfrm->next;
break;
default:
return -EINVAL;
@@ -70,7 +105,32 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
return -ENOTSUP;
}
} else {
- return -ENOTSUP;
+ switch (cipher_xfrm->cipher.algo) {
+ case RTE_CRYPTO_CIPHER_AES_CBC:
+ w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC;
+ break;
+ default:
+ return -ENOTSUP;
+ }
+
+ switch (auth_xfrm->auth.algo) {
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA1;
+ break;
+ default:
+ return -ENOTSUP;
+ }
+
+ key = cipher_xfrm->cipher.key.data;
+ length = cipher_xfrm->cipher.key.length;
+
+ ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
+
+ tmp_key = (uint64_t *)hmac_opad_ipad;
+ for (i = 0;
+ i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t));
+ i++)
+ tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
}
/* Set encapsulation type */
@@ -129,7 +189,8 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
w2.u64 = 0;
rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->w8.s.salt,
- ipsec_xfrm, crypto_xfrm);
+ sa->hmac_opad_ipad, ipsec_xfrm,
+ crypto_xfrm);
if (rc)
return rc;
@@ -196,7 +257,8 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
w2.u64 = 0;
rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->iv.s.salt,
- ipsec_xfrm, crypto_xfrm);
+ sa->hmac_opad_ipad, ipsec_xfrm,
+ crypto_xfrm);
if (rc)
return rc;
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 1d567bf188..408a682b21 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -17,6 +17,37 @@
#include "roc_api.h"
+static int
+ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
+{
+ if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+ switch (xform->cipher.key.length) {
+ case 16:
+ case 24:
+ case 32:
+ break;
+ default:
+ return -ENOTSUP;
+ }
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
+static int
+ipsec_xform_auth_verify(struct rte_crypto_sym_xform *xform)
+{
+ uint16_t keylen = xform->auth.key.length;
+
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+ if (keylen >= 20 && keylen <= 64)
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
static int
ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
struct rte_crypto_sym_xform *crypto_xfrm)
@@ -48,6 +79,9 @@ static int
cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
struct rte_crypto_sym_xform *crypto_xfrm)
{
+ struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+ int ret;
+
if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
(ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
return -EINVAL;
@@ -67,7 +101,34 @@ cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD)
return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm);
- return -ENOTSUP;
+ if (crypto_xfrm->next == NULL)
+ return -EINVAL;
+
+ if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+ /* Ingress */
+ if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+ crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+ return -EINVAL;
+ auth_xform = crypto_xfrm;
+ cipher_xform = crypto_xfrm->next;
+ } else {
+ /* Egress */
+ if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+ crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+ return -EINVAL;
+ cipher_xform = crypto_xfrm;
+ auth_xform = crypto_xfrm->next;
+ }
+
+ ret = ipsec_xform_cipher_verify(cipher_xform);
+ if (ret)
+ return ret;
+
+ ret = ipsec_xform_auth_verify(auth_xform);
+ if (ret)
+ return ret;
+
+ return 0;
}
static uint64_t
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index ab37f9c43b..47274b2c24 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -754,6 +754,49 @@ static const struct rte_cryptodev_capabilities sec_caps_aes[] = {
}, }
}, }
},
+ { /* AES CBC */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+ {.cipher = {
+ .algo = RTE_CRYPTO_CIPHER_AES_CBC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .iv_size = {
+ .min = 16,
+ .max = 16,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
+};
+
+static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = {
+ { /* SHA1 HMAC */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
+ .block_size = 64,
+ .key_size = {
+ .min = 20,
+ .max = 64,
+ .increment = 1
+ },
+ .digest_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ },
+ }, }
+ }, }
+ },
};
static const struct rte_security_capability sec_caps_templ[] = {
@@ -839,6 +882,7 @@ sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[],
int cur_pos = 0;
SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, aes);
+ SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, sha1_sha2);
sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end));
}
--
2.27.0
^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-dev] [PATCH 3/8] crypto/cnxk: remove redundant code
2021-08-31 14:01 [dpdk-dev] [PATCH 0/8] add lookaside IPsec additional features Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 1/8] common/cnxk: add hash generation APIs Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 2/8] crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support Tejasree Kondoj
@ 2021-08-31 14:01 ` Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 4/8] crypto/cnxk: use rlen from CPT result with lookaside Tejasree Kondoj
` (4 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Tejasree Kondoj @ 2021-08-31 14:01 UTC (permalink / raw)
To: Akhil Goyal
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev
Removing redundant code in cn10k lookaside IPsec.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
drivers/crypto/cnxk/cn10k_ipsec.c | 5 -----
drivers/crypto/cnxk/cn10k_ipsec.h | 2 --
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 2 --
3 files changed, 9 deletions(-)
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 408a682b21..944e0a7e3b 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -270,9 +270,6 @@ cn10k_sec_session_create(void *device, struct rte_security_session_conf *conf,
if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
return -EINVAL;
- if (rte_security_dynfield_register() < 0)
- return -ENOTSUP;
-
if (rte_mempool_get(mempool, (void **)&priv)) {
plt_err("Could not allocate security session private data");
return -ENOMEM;
@@ -280,8 +277,6 @@ cn10k_sec_session_create(void *device, struct rte_security_session_conf *conf,
set_sec_session_private_data(sess, priv);
- priv->userdata = conf->userdata;
-
if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) {
ret = -ENOTSUP;
goto mempool_put;
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index 668282f7aa..c30492e149 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -27,8 +27,6 @@ struct cn10k_ipsec_sa {
struct cn10k_sec_session {
struct cn10k_ipsec_sa sa;
- void *userdata;
- /**< Userdata registered by the application */
} __rte_cache_aligned;
void cn10k_sec_ops_override(void);
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 47274b2c24..9430ca5d00 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -810,7 +810,6 @@ static const struct rte_security_capability sec_caps_templ[] = {
.options = { 0 }
},
.crypto_capabilities = NULL,
- .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
},
{ /* IPsec Lookaside Protocol ESP Tunnel Egress */
.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
@@ -822,7 +821,6 @@ static const struct rte_security_capability sec_caps_templ[] = {
.options = { 0 }
},
.crypto_capabilities = NULL,
- .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
},
{
.action = RTE_SECURITY_ACTION_TYPE_NONE
--
2.27.0
^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-dev] [PATCH 4/8] crypto/cnxk: use rlen from CPT result with lookaside
2021-08-31 14:01 [dpdk-dev] [PATCH 0/8] add lookaside IPsec additional features Tejasree Kondoj
` (2 preceding siblings ...)
2021-08-31 14:01 ` [dpdk-dev] [PATCH 3/8] crypto/cnxk: remove redundant code Tejasree Kondoj
@ 2021-08-31 14:01 ` Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 5/8] crypto/cnxk: make IPsec verify functions common Tejasree Kondoj
` (3 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Tejasree Kondoj @ 2021-08-31 14:01 UTC (permalink / raw)
To: Akhil Goyal
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev
Use rlen from CPT result with lookaside operations
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 40 ++++++-----------------
drivers/crypto/cnxk/cn10k_ipsec.c | 4 +--
drivers/crypto/cnxk/cn10k_ipsec.h | 4 +--
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 28 ++--------------
4 files changed, 15 insertions(+), 61 deletions(-)
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 15f66c2515..780a321cf7 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -48,7 +48,7 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op)
static __rte_always_inline int __rte_hot
cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
- struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst)
+ struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = op->sym;
union roc_ot_ipsec_sa_word2 *w2;
@@ -70,10 +70,8 @@ cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
if (w2->s.dir == ROC_IE_OT_SA_DIR_OUTBOUND)
ret = process_outb_sa(op, sa, inst);
- else {
- infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND;
+ else
ret = process_inb_sa(op, sa, inst);
- }
return ret;
}
@@ -122,8 +120,7 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[],
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
sec_sess = get_sec_session_private_data(
sym_op->sec_session);
- ret = cpt_sec_inst_fill(op, sec_sess, infl_req,
- &inst[0]);
+ ret = cpt_sec_inst_fill(op, sec_sess, &inst[0]);
if (unlikely(ret))
return 0;
w7 = sec_sess->sa.inst.w7;
@@ -334,30 +331,13 @@ cn10k_cpt_crypto_adapter_enqueue(uintptr_t tag_op, struct rte_crypto_op *op)
static inline void
cn10k_cpt_sec_post_process(struct rte_crypto_op *cop,
- struct cpt_inflight_req *infl_req)
+ struct cpt_cn10k_res_s *res)
{
- struct rte_crypto_sym_op *sym_op = cop->sym;
- struct rte_mbuf *m = sym_op->m_src;
- struct rte_ipv6_hdr *ip6;
- struct rte_ipv4_hdr *ip;
- uint16_t m_len;
-
- if (infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND) {
- ip = (struct rte_ipv4_hdr *)rte_pktmbuf_mtod(m, char *);
-
- if (((ip->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER) ==
- IPVERSION) {
- m_len = rte_be_to_cpu_16(ip->total_length);
- } else {
- PLT_ASSERT(((ip->version_ihl & 0xf0) >>
- RTE_IPV4_IHL_MULTIPLIER) == 6);
- ip6 = (struct rte_ipv6_hdr *)ip;
- m_len = rte_be_to_cpu_16(ip6->payload_len) +
- sizeof(struct rte_ipv6_hdr);
- }
- m->data_len = m_len;
- m->pkt_len = m_len;
- }
+ struct rte_mbuf *m = cop->sym->m_src;
+ const uint16_t m_len = res->rlen;
+
+ m->data_len = m_len;
+ m->pkt_len = m_len;
}
static inline void
@@ -385,7 +365,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
- cn10k_cpt_sec_post_process(cop, infl_req);
+ cn10k_cpt_sec_post_process(cop, res);
return;
}
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 944e0a7e3b..98110872a3 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -176,9 +176,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
if (ret)
return ret;
- sa->partial_len = rlens.partial_len;
- sa->roundup_byte = rlens.roundup_byte;
- sa->roundup_len = rlens.roundup_len;
+ sa->max_extended_len = rlens.max_extended_len;
/* pre-populate CPT INST word 4 */
inst_w4.u64 = 0;
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index c30492e149..bc52c60179 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -20,9 +20,7 @@ struct cn10k_ipsec_sa {
};
/** Pre-populated CPT inst words */
struct cnxk_cpt_inst_tmpl inst;
- uint8_t partial_len;
- uint8_t roundup_len;
- uint8_t roundup_byte;
+ uint16_t max_extended_len;
};
struct cn10k_sec_session {
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index 1e9ebb594a..fe91638c99 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -12,40 +12,21 @@
#include "cn10k_ipsec.h"
#include "cnxk_cryptodev.h"
-static __rte_always_inline int32_t
-ipsec_po_out_rlen_get(struct cn10k_ipsec_sa *sess, uint32_t plen)
-{
- uint32_t enc_payload_len;
-
- enc_payload_len =
- RTE_ALIGN_CEIL(plen + sess->roundup_len, sess->roundup_byte);
-
- return sess->partial_len + enc_payload_len;
-}
-
static __rte_always_inline int
process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
- uint32_t dlen, rlen, extend_tail;
- char *mdata;
-
- dlen = rte_pktmbuf_pkt_len(m_src);
- rlen = ipsec_po_out_rlen_get(sess, dlen);
- extend_tail = rlen - dlen;
-
- mdata = rte_pktmbuf_append(m_src, extend_tail);
- if (unlikely(mdata == NULL)) {
+ if (unlikely(rte_pktmbuf_tailroom(m_src) < sess->max_extended_len)) {
plt_dp_err("Not enough tail room");
return -ENOMEM;
}
/* Prepare CPT instruction */
inst->w4.u64 = sess->inst.w4;
- inst->w4.s.dlen = dlen;
+ inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src);
inst->dptr = rte_pktmbuf_iova(m_src);
inst->rptr = inst->dptr;
@@ -58,13 +39,10 @@ process_inb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sa,
{
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
- uint32_t dlen;
-
- dlen = rte_pktmbuf_pkt_len(m_src);
/* Prepare CPT instruction */
inst->w4.u64 = sa->inst.w4;
- inst->w4.s.dlen = dlen;
+ inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src);
inst->dptr = rte_pktmbuf_iova(m_src);
inst->rptr = inst->dptr;
--
2.27.0
^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-dev] [PATCH 5/8] crypto/cnxk: make IPsec verify functions common
2021-08-31 14:01 [dpdk-dev] [PATCH 0/8] add lookaside IPsec additional features Tejasree Kondoj
` (3 preceding siblings ...)
2021-08-31 14:01 ` [dpdk-dev] [PATCH 4/8] crypto/cnxk: use rlen from CPT result with lookaside Tejasree Kondoj
@ 2021-08-31 14:01 ` Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 6/8] crypto/cnxk: support cn10k transport mode Tejasree Kondoj
` (2 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Tejasree Kondoj @ 2021-08-31 14:01 UTC (permalink / raw)
To: Akhil Goyal
Cc: Archana Muniganti, Anoob Joseph, Ankur Dwivedi, Srujana Challa,
Nithin Dabilpuram, Jerin Jacob, Tejasree Kondoj, dev
From: Archana Muniganti <marchana@marvell.com>
IPsec verify functions can be made common
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
drivers/crypto/cnxk/cn10k_ipsec.c | 116 +-----------------------------
drivers/crypto/cnxk/cnxk_ipsec.h | 113 +++++++++++++++++++++++++++++
2 files changed, 114 insertions(+), 115 deletions(-)
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 98110872a3..5c57cf2818 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -17,120 +17,6 @@
#include "roc_api.h"
-static int
-ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
-{
- if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
- switch (xform->cipher.key.length) {
- case 16:
- case 24:
- case 32:
- break;
- default:
- return -ENOTSUP;
- }
- return 0;
- }
-
- return -ENOTSUP;
-}
-
-static int
-ipsec_xform_auth_verify(struct rte_crypto_sym_xform *xform)
-{
- uint16_t keylen = xform->auth.key.length;
-
- if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
- if (keylen >= 20 && keylen <= 64)
- return 0;
- }
-
- return -ENOTSUP;
-}
-
-static int
-ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
- struct rte_crypto_sym_xform *crypto_xfrm)
-{
- if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
- crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
- return -EINVAL;
-
- if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
- crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
- return -EINVAL;
-
- if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
- switch (crypto_xfrm->aead.key.length) {
- case ROC_CPT_AES128_KEY_LEN:
- case ROC_CPT_AES192_KEY_LEN:
- case ROC_CPT_AES256_KEY_LEN:
- break;
- default:
- return -EINVAL;
- }
- return 0;
- }
-
- return -ENOTSUP;
-}
-
-static int
-cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
- struct rte_crypto_sym_xform *crypto_xfrm)
-{
- struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
- int ret;
-
- if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
- (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
- return -EINVAL;
-
- if ((ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
- (ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
- return -EINVAL;
-
- if ((ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
- (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
- return -EINVAL;
-
- if ((ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
- (ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
- return -EINVAL;
-
- if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD)
- return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm);
-
- if (crypto_xfrm->next == NULL)
- return -EINVAL;
-
- if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
- /* Ingress */
- if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
- crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
- return -EINVAL;
- auth_xform = crypto_xfrm;
- cipher_xform = crypto_xfrm->next;
- } else {
- /* Egress */
- if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
- crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
- return -EINVAL;
- cipher_xform = crypto_xfrm;
- auth_xform = crypto_xfrm->next;
- }
-
- ret = ipsec_xform_cipher_verify(cipher_xform);
- if (ret)
- return ret;
-
- ret = ipsec_xform_auth_verify(auth_xform);
- if (ret)
- return ret;
-
- return 0;
-}
-
static uint64_t
ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa)
{
@@ -245,7 +131,7 @@ cn10k_ipsec_session_create(void *dev,
return -EPERM;
}
- ret = cn10k_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm);
+ ret = cnxk_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm);
if (ret)
return ret;
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index f6897a0e14..d1eb74ebbe 100644
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -17,4 +17,117 @@ struct cnxk_cpt_inst_tmpl {
uint64_t w7;
};
+static inline int
+ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *crypto_xform)
+{
+ if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+ switch (crypto_xform->cipher.key.length) {
+ case 16:
+ case 24:
+ case 32:
+ break;
+ default:
+ return -ENOTSUP;
+ }
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
+static inline int
+ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
+{
+ uint16_t keylen = crypto_xform->auth.key.length;
+
+ if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+ if (keylen >= 20 && keylen <= 64)
+ return 0;
+ } else if (roc_model_is_cn9k() &&
+ (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)) {
+ if (keylen >= 32 && keylen <= 64)
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
+static inline int
+ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xform,
+ struct rte_crypto_sym_xform *crypto_xform)
+{
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+ crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
+ return -EINVAL;
+
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+ crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
+ return -EINVAL;
+
+ if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+ switch (crypto_xform->aead.key.length) {
+ case 16:
+ case 24:
+ case 32:
+ break;
+ default:
+ return -EINVAL;
+ }
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
+static inline int
+cnxk_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xform,
+ struct rte_crypto_sym_xform *crypto_xform)
+{
+ struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+ int ret;
+
+ if ((ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ (ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
+ return -EINVAL;
+
+ if ((ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
+ (ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
+ return -EINVAL;
+
+ if ((ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
+ (ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
+ return -EINVAL;
+
+ if ((ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
+ (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
+ return -EINVAL;
+
+ if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+ return ipsec_xform_aead_verify(ipsec_xform, crypto_xform);
+
+ if (crypto_xform->next == NULL)
+ return -EINVAL;
+
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+ /* Ingress */
+ if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+ crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+ return -EINVAL;
+ auth_xform = crypto_xform;
+ cipher_xform = crypto_xform->next;
+ } else {
+ /* Egress */
+ if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+ crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+ return -EINVAL;
+ cipher_xform = crypto_xform;
+ auth_xform = crypto_xform->next;
+ }
+
+ ret = ipsec_xform_cipher_verify(cipher_xform);
+ if (ret)
+ return ret;
+
+ return ipsec_xform_auth_verify(auth_xform);
+}
#endif /* __CNXK_IPSEC_H__ */
--
2.27.0
^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-dev] [PATCH 6/8] crypto/cnxk: support cn10k transport mode
2021-08-31 14:01 [dpdk-dev] [PATCH 0/8] add lookaside IPsec additional features Tejasree Kondoj
` (4 preceding siblings ...)
2021-08-31 14:01 ` [dpdk-dev] [PATCH 5/8] crypto/cnxk: make IPsec verify functions common Tejasree Kondoj
@ 2021-08-31 14:01 ` Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 7/8] crypto/cnxk: support UDP encap with lookaside IPsec Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 8/8] common/cnxk: make IPsec defines common Tejasree Kondoj
7 siblings, 0 replies; 9+ messages in thread
From: Tejasree Kondoj @ 2021-08-31 14:01 UTC (permalink / raw)
To: Akhil Goyal
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev
Adding support for cn10k lookaside IPsec transport mode.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/cryptodevs/cnxk.rst | 1 +
doc/guides/rel_notes/release_21_11.rst | 1 +
drivers/crypto/cnxk/cnxk_cryptodev.h | 2 +-
.../crypto/cnxk/cnxk_cryptodev_capabilities.c | 22 +++++++++++++++++++
drivers/crypto/cnxk/cnxk_ipsec.h | 3 ++-
5 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index a40295c087..0dd71135da 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -230,6 +230,7 @@ Features supported
* IPv4
* ESP
* Tunnel mode
+* Transport mode
* AES-128/192/256-GCM
* AES-128/192/256-CBC-SHA1-HMAC
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 0d9ce123aa..4727698228 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -23,6 +23,7 @@ DPDK Release 21.11
* **Updated Marvell cn10k_crypto PMD.**
* Added AES-CBC-SHA1-HMAC in lookaside protocol (IPsec).
+ * Added transport mode in lookaside protocol (IPsec).
New Features
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h
index b3856f7eaa..8e051fa0fa 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.h
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.h
@@ -12,7 +12,7 @@
#define CNXK_CPT_MAX_CAPS 34
#define CNXK_SEC_CRYPTO_MAX_CAPS 4
-#define CNXK_SEC_MAX_CAPS 3
+#define CNXK_SEC_MAX_CAPS 5
#define CNXK_AE_EC_ID_MAX 8
/**
* Device private data
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 9430ca5d00..05bffa9759 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -822,6 +822,28 @@ static const struct rte_security_capability sec_caps_templ[] = {
},
.crypto_capabilities = NULL,
},
+ { /* IPsec Lookaside Protocol ESP Transport Ingress */
+ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+ .ipsec = {
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+ .mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
+ .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+ .options = { 0 },
+ },
+ .crypto_capabilities = NULL,
+ },
+ { /* IPsec Lookaside Protocol ESP Transport Egress */
+ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+ .ipsec = {
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+ .mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
+ .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+ .options = { 0 },
+ },
+ .crypto_capabilities = NULL,
+ },
{
.action = RTE_SECURITY_ACTION_TYPE_NONE
}
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index d1eb74ebbe..ff396179ca 100644
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -98,7 +98,8 @@ cnxk_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xform,
(ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
return -EINVAL;
- if ((ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
+ if ((ipsec_xform->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) &&
+ (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
(ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
return -EINVAL;
--
2.27.0
^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-dev] [PATCH 7/8] crypto/cnxk: support UDP encap with lookaside IPsec
2021-08-31 14:01 [dpdk-dev] [PATCH 0/8] add lookaside IPsec additional features Tejasree Kondoj
` (5 preceding siblings ...)
2021-08-31 14:01 ` [dpdk-dev] [PATCH 6/8] crypto/cnxk: support cn10k transport mode Tejasree Kondoj
@ 2021-08-31 14:01 ` Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 8/8] common/cnxk: make IPsec defines common Tejasree Kondoj
7 siblings, 0 replies; 9+ messages in thread
From: Tejasree Kondoj @ 2021-08-31 14:01 UTC (permalink / raw)
To: Akhil Goyal
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev
Adding support for UDP encapsulation in lookaside IPsec.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/cryptodevs/cnxk.rst | 1 +
doc/guides/rel_notes/release_21_11.rst | 1 +
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 11 ++++++++++-
3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 0dd71135da..1eb72282db 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -231,6 +231,7 @@ Features supported
* ESP
* Tunnel mode
* Transport mode
+* UDP Encapsulation
* AES-128/192/256-GCM
* AES-128/192/256-CBC-SHA1-HMAC
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 4727698228..7a9aa11119 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -24,6 +24,7 @@ DPDK Release 21.11
* Added AES-CBC-SHA1-HMAC in lookaside protocol (IPsec).
* Added transport mode in lookaside protocol (IPsec).
+ * Added UDP encapsulation in lookaside protocol (IPsec).
New Features
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 05bffa9759..c4f7824332 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -907,6 +907,12 @@ sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[],
sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end));
}
+static void
+cnxk_sec_caps_update(struct rte_security_capability *sec_cap)
+{
+ sec_cap->ipsec.options.udp_encap = 1;
+}
+
void
cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf)
{
@@ -918,8 +924,11 @@ cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf)
PLT_STATIC_ASSERT(RTE_DIM(sec_caps_templ) <= RTE_DIM(vf->sec_caps));
memcpy(vf->sec_caps, sec_caps_templ, sizeof(sec_caps_templ));
- for (i = 0; i < RTE_DIM(sec_caps_templ) - 1; i++)
+ for (i = 0; i < RTE_DIM(sec_caps_templ) - 1; i++) {
vf->sec_caps[i].crypto_capabilities = vf->sec_crypto_caps;
+
+ cnxk_sec_caps_update(&vf->sec_caps[i]);
+ }
}
const struct rte_security_capability *
--
2.27.0
^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-dev] [PATCH 8/8] common/cnxk: make IPsec defines common
2021-08-31 14:01 [dpdk-dev] [PATCH 0/8] add lookaside IPsec additional features Tejasree Kondoj
` (6 preceding siblings ...)
2021-08-31 14:01 ` [dpdk-dev] [PATCH 7/8] crypto/cnxk: support UDP encap with lookaside IPsec Tejasree Kondoj
@ 2021-08-31 14:01 ` Tejasree Kondoj
7 siblings, 0 replies; 9+ messages in thread
From: Tejasree Kondoj @ 2021-08-31 14:01 UTC (permalink / raw)
To: Akhil Goyal
Cc: Archana Muniganti, Anoob Joseph, Ankur Dwivedi, Srujana Challa,
Nithin Dabilpuram, Jerin Jacob, Tejasree Kondoj, dev
From: Archana Muniganti <marchana@marvell.com>
Make IPsec defines common and remove redundant macros.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
drivers/common/cnxk/cnxk_security.c | 24 +++++++++--------
drivers/common/cnxk/roc_api.h | 1 +
drivers/common/cnxk/roc_ie.h | 33 ++++++++++++++++-------
drivers/common/cnxk/roc_ie_on.h | 26 ------------------
drivers/common/cnxk/roc_ie_ot.h | 26 ------------------
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 4 ++-
6 files changed, 41 insertions(+), 73 deletions(-)
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index fe64e70c81..4f7fd1b3a0 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -6,6 +6,8 @@
#include "cnxk_security.h"
+#include "roc_api.h"
+
static void
ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform,
uint8_t *hmac_opad_ipad)
@@ -51,12 +53,12 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
/* Set direction */
switch (ipsec_xfrm->direction) {
case RTE_SECURITY_IPSEC_SA_DIR_INGRESS:
- w2->s.dir = ROC_IE_OT_SA_DIR_INBOUND;
+ w2->s.dir = ROC_IE_SA_DIR_INBOUND;
auth_xfrm = crypto_xfrm;
cipher_xfrm = crypto_xfrm->next;
break;
case RTE_SECURITY_IPSEC_SA_DIR_EGRESS:
- w2->s.dir = ROC_IE_OT_SA_DIR_OUTBOUND;
+ w2->s.dir = ROC_IE_SA_DIR_OUTBOUND;
cipher_xfrm = crypto_xfrm;
auth_xfrm = crypto_xfrm->next;
break;
@@ -67,10 +69,10 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
/* Set protocol - ESP vs AH */
switch (ipsec_xfrm->proto) {
case RTE_SECURITY_IPSEC_SA_PROTO_ESP:
- w2->s.protocol = ROC_IE_OT_SA_PROTOCOL_ESP;
+ w2->s.protocol = ROC_IE_SA_PROTOCOL_ESP;
break;
case RTE_SECURITY_IPSEC_SA_PROTO_AH:
- w2->s.protocol = ROC_IE_OT_SA_PROTOCOL_AH;
+ w2->s.protocol = ROC_IE_SA_PROTOCOL_AH;
break;
default:
return -EINVAL;
@@ -79,10 +81,10 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
/* Set mode - transport vs tunnel */
switch (ipsec_xfrm->mode) {
case RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT:
- w2->s.mode = ROC_IE_OT_SA_MODE_TRANSPORT;
+ w2->s.mode = ROC_IE_SA_MODE_TRANSPORT;
break;
case RTE_SECURITY_IPSEC_SA_MODE_TUNNEL:
- w2->s.mode = ROC_IE_OT_SA_MODE_TUNNEL;
+ w2->s.mode = ROC_IE_SA_MODE_TUNNEL;
break;
default:
return -EINVAL;
@@ -147,13 +149,13 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
switch (length) {
case ROC_CPT_AES128_KEY_LEN:
- w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_128;
+ w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;
break;
case ROC_CPT_AES192_KEY_LEN:
- w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_192;
+ w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;
break;
case ROC_CPT_AES256_KEY_LEN:
- w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_256;
+ w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;
break;
default:
return -EINVAL;
@@ -271,7 +273,7 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
/* Tunnel header info */
switch (tunnel->type) {
case RTE_SECURITY_IPSEC_TUNNEL_IPV4:
- sa->w2.s.outer_ip_ver = ROC_IE_OT_SA_IP_VERSION_4;
+ sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
memcpy(&sa->outer_hdr.ipv4.src_addr, &tunnel->ipv4.src_ip,
sizeof(struct in_addr));
memcpy(&sa->outer_hdr.ipv4.dst_addr, &tunnel->ipv4.dst_ip,
@@ -302,7 +304,7 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
}
break;
case RTE_SECURITY_IPSEC_TUNNEL_IPV6:
- sa->w2.s.outer_ip_ver = ROC_IE_OT_SA_IP_VERSION_6;
+ sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_6;
memcpy(&sa->outer_hdr.ipv6.src_addr, &tunnel->ipv6.src_addr,
sizeof(struct in6_addr));
memcpy(&sa->outer_hdr.ipv6.dst_addr, &tunnel->ipv6.dst_addr,
diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h
index 9c06cfee9a..7dec8453b4 100644
--- a/drivers/common/cnxk/roc_api.h
+++ b/drivers/common/cnxk/roc_api.h
@@ -121,6 +121,7 @@
/* CPT microcode */
#include "roc_ae.h"
#include "roc_ae_fpm_tables.h"
+#include "roc_ie.h"
#include "roc_ie_on.h"
#include "roc_ie_ot.h"
#include "roc_se.h"
diff --git a/drivers/common/cnxk/roc_ie.h b/drivers/common/cnxk/roc_ie.h
index a330ea1b50..31b83948e1 100644
--- a/drivers/common/cnxk/roc_ie.h
+++ b/drivers/common/cnxk/roc_ie.h
@@ -5,15 +5,30 @@
#ifndef __ROC_IE_H__
#define __ROC_IE_H__
-/* CNXK IPSEC helper macros */
-#define ROC_IE_AH_HDR_LEN 12
-#define ROC_IE_AES_GCM_IV_LEN 8
-#define ROC_IE_AES_GCM_MAC_LEN 16
-#define ROC_IE_AES_CBC_IV_LEN 16
-#define ROC_IE_SHA1_HMAC_LEN 12
-#define ROC_IE_AUTH_KEY_LEN_MAX 64
+enum {
+ ROC_IE_SA_DIR_INBOUND = 0,
+ ROC_IE_SA_DIR_OUTBOUND = 1,
+};
-#define ROC_IE_AES_GCM_ROUNDUP_BYTE_LEN 4
-#define ROC_IE_AES_CBC_ROUNDUP_BYTE_LEN 16
+enum {
+ ROC_IE_SA_IP_VERSION_4 = 0,
+ ROC_IE_SA_IP_VERSION_6 = 1,
+};
+
+enum {
+ ROC_IE_SA_MODE_TRANSPORT = 0,
+ ROC_IE_SA_MODE_TUNNEL = 1,
+};
+
+enum {
+ ROC_IE_SA_PROTOCOL_AH = 0,
+ ROC_IE_SA_PROTOCOL_ESP = 1,
+};
+
+enum {
+ ROC_IE_SA_AES_KEY_LEN_128 = 1,
+ ROC_IE_SA_AES_KEY_LEN_192 = 2,
+ ROC_IE_SA_AES_KEY_LEN_256 = 3,
+};
#endif /* __ROC_IE_H__ */
diff --git a/drivers/common/cnxk/roc_ie_on.h b/drivers/common/cnxk/roc_ie_on.h
index 508654a9d8..222c298a53 100644
--- a/drivers/common/cnxk/roc_ie_on.h
+++ b/drivers/common/cnxk/roc_ie_on.h
@@ -18,32 +18,6 @@
/* Ucode completion codes */
#define ROC_IE_ONF_UCC_SUCCESS 0
-enum {
- ROC_IE_ON_SA_DIR_INBOUND = 0,
- ROC_IE_ON_SA_DIR_OUTBOUND = 1,
-};
-
-enum {
- ROC_IE_ON_SA_IP_VERSION_4 = 0,
- ROC_IE_ON_SA_IP_VERSION_6 = 1,
-};
-
-enum {
- ROC_IE_ON_SA_MODE_TRANSPORT = 0,
- ROC_IE_ON_SA_MODE_TUNNEL = 1,
-};
-
-enum {
- ROC_IE_ON_SA_PROTOCOL_AH = 0,
- ROC_IE_ON_SA_PROTOCOL_ESP = 1,
-};
-
-enum {
- ROC_IE_ON_SA_AES_KEY_LEN_128 = 1,
- ROC_IE_ON_SA_AES_KEY_LEN_192 = 2,
- ROC_IE_ON_SA_AES_KEY_LEN_256 = 3,
-};
-
enum {
ROC_IE_ON_SA_ENC_NULL = 0,
ROC_IE_ON_SA_ENC_DES_CBC = 1,
diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h
index aeb4be2971..3987a082a2 100644
--- a/drivers/common/cnxk/roc_ie_ot.h
+++ b/drivers/common/cnxk/roc_ie_ot.h
@@ -97,32 +97,6 @@ enum {
ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE = 1,
};
-enum {
- ROC_IE_OT_SA_DIR_INBOUND = 0,
- ROC_IE_OT_SA_DIR_OUTBOUND = 1,
-};
-
-enum {
- ROC_IE_OT_SA_IP_VERSION_4 = 0,
- ROC_IE_OT_SA_IP_VERSION_6 = 1,
-};
-
-enum {
- ROC_IE_OT_SA_MODE_TRANSPORT = 0,
- ROC_IE_OT_SA_MODE_TUNNEL = 1,
-};
-
-enum {
- ROC_IE_OT_SA_PROTOCOL_AH = 0,
- ROC_IE_OT_SA_PROTOCOL_ESP = 1,
-};
-
-enum {
- ROC_IE_OT_SA_AES_KEY_LEN_128 = 1,
- ROC_IE_OT_SA_AES_KEY_LEN_192 = 2,
- ROC_IE_OT_SA_AES_KEY_LEN_256 = 3,
-};
-
enum {
ROC_IE_OT_SA_ENC_NULL = 0,
ROC_IE_OT_SA_ENC_3DES_CBC = 2,
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 780a321cf7..28055aceed 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -16,6 +16,8 @@
#include "cnxk_cryptodev_ops.h"
#include "cnxk_se.h"
+#include "roc_api.h"
+
static inline struct cnxk_se_sess *
cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op)
{
@@ -68,7 +70,7 @@ cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
sa = &sess->sa;
w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2;
- if (w2->s.dir == ROC_IE_OT_SA_DIR_OUTBOUND)
+ if (w2->s.dir == ROC_IE_SA_DIR_OUTBOUND)
ret = process_outb_sa(op, sa, inst);
else
ret = process_inb_sa(op, sa, inst);
--
2.27.0
^ permalink raw reply [flat|nested] 9+ messages in thread