From: Tejasree Kondoj
To: Akhil Goyal
CC: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti, Srujana Challa, "Nithin Dabilpuram", Jerin Jacob
Date: Wed, 1 Sep 2021 15:49:24 +0530
Message-ID: <20210901101930.29333-3-ktejasree@marvell.com>
In-Reply-To: <20210901101930.29333-1-ktejasree@marvell.com>
Subject: [dpdk-dev] [PATCH v2 2/8] crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support

Adding lookaside IPsec AES-CBC-HMAC-SHA1 support to cnxk driver.

Signed-off-by: Tejasree Kondoj
--- doc/guides/cryptodevs/cnxk.rst | 1 + doc/guides/rel_notes/release_21_11.rst | 4 ++ drivers/common/cnxk/cnxk_security.c | 68 ++++++++++++++++++- drivers/crypto/cnxk/cn10k_ipsec.c | 63 ++++++++++++++++- .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 44 ++++++++++++ 5 files changed, 176 insertions(+), 4 deletions(-) diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index 98c7118d68..a40295c087 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -231,6 +231,7 @@ Features supported * ESP * Tunnel mode * AES-128/192/256-GCM +* AES-128/192/256-CBC-SHA1-HMAC Limitations -----------
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index d707a554ef..130d676a11 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -55,6 +55,10 @@ New Features Also, make sure to start the actual text at the margin. ======================================================= +* **Updated Marvell cn10k_crypto PMD.** + + * Added aes-cbc sha1-hmac in lookaside protocol (IPsec). + Removed Items ------------- diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index 6c6728f570..fe64e70c81 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -6,12 +6,43 @@ #include "cnxk_security.h" +static void +ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform, + uint8_t *hmac_opad_ipad) +{ + const uint8_t *key = auth_xform->auth.key.data; + uint32_t length = auth_xform->auth.key.length; + uint8_t opad[128] = {[0 ... 127] = 0x5c}; + uint8_t ipad[128] = {[0 ... 127] = 0x36}; + uint32_t i; + + /* HMAC OPAD and IPAD */ + for (i = 0; i < 127 && i < length; i++) { + opad[i] = opad[i] ^ key[i]; + ipad[i] = ipad[i] ^ key[i]; + } + + /* Precompute hash of HMAC OPAD and IPAD to avoid + * per packet computation + */ + switch (auth_xform->auth.algo) { + case RTE_CRYPTO_AUTH_SHA1_HMAC: + roc_hash_sha1_gen(opad, (uint32_t *)&hmac_opad_ipad[0]); + roc_hash_sha1_gen(ipad, (uint32_t *)&hmac_opad_ipad[24]); + break; + default: + break; + } +} + static int ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, uint8_t *cipher_key, uint8_t *salt_key, + uint8_t *hmac_opad_ipad, struct rte_security_ipsec_xform *ipsec_xfrm, struct rte_crypto_sym_xform *crypto_xfrm) { + struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm; const uint8_t *key; uint32_t *tmp_salt; uint64_t *tmp_key; 
@@ -21,9 +52,13 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, switch (ipsec_xfrm->direction) { case RTE_SECURITY_IPSEC_SA_DIR_INGRESS: w2->s.dir = ROC_IE_OT_SA_DIR_INBOUND; + auth_xfrm = crypto_xfrm; + cipher_xfrm = crypto_xfrm->next; break; case RTE_SECURITY_IPSEC_SA_DIR_EGRESS: w2->s.dir = ROC_IE_OT_SA_DIR_OUTBOUND; + cipher_xfrm = crypto_xfrm; + auth_xfrm = crypto_xfrm->next; break; default: return -EINVAL; @@ -70,7 +105,32 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, return -ENOTSUP; } } else { - return -ENOTSUP; + switch (cipher_xfrm->cipher.algo) { + case RTE_CRYPTO_CIPHER_AES_CBC: + w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC; + break; + default: + return -ENOTSUP; + } + + switch (auth_xfrm->auth.algo) { + case RTE_CRYPTO_AUTH_SHA1_HMAC: + w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA1; + break; + default: + return -ENOTSUP; + } + + key = cipher_xfrm->cipher.key.data; + length = cipher_xfrm->cipher.key.length; + + ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad); + + tmp_key = (uint64_t *)hmac_opad_ipad; + for (i = 0; + i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t)); + i++) + tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]); } /* Set encapsulation type */ @@ -129,7 +189,8 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, w2.u64 = 0; rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->w8.s.salt, - ipsec_xfrm, crypto_xfrm); + sa->hmac_opad_ipad, ipsec_xfrm, + crypto_xfrm); if (rc) return rc; @@ -196,7 +257,8 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa, w2.u64 = 0; rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->iv.s.salt, - ipsec_xfrm, crypto_xfrm); + sa->hmac_opad_ipad, ipsec_xfrm, + crypto_xfrm); if (rc) return rc; diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c index 1d567bf188..408a682b21 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.c +++ b/drivers/crypto/cnxk/cn10k_ipsec.c 
@@ -17,6 +17,37 @@ #include "roc_api.h" +static int +ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *xform) +{ + if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) { + switch (xform->cipher.key.length) { + case 16: + case 24: + case 32: + break; + default: + return -ENOTSUP; + } + return 0; + } + + return -ENOTSUP; +} + +static int +ipsec_xform_auth_verify(struct rte_crypto_sym_xform *xform) +{ + uint16_t keylen = xform->auth.key.length; + + if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) { + if (keylen >= 20 && keylen <= 64) + return 0; + } + + return -ENOTSUP; +} + static int ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm, struct rte_crypto_sym_xform *crypto_xfrm) @@ -48,6 +79,9 @@ static int cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm, struct rte_crypto_sym_xform *crypto_xfrm) { + struct rte_crypto_sym_xform *auth_xform, *cipher_xform; + int ret; + if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS)) return -EINVAL; 
@@ -67,7 +101,34 @@ cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm, if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm); - return -ENOTSUP; + if (crypto_xfrm->next == NULL) + return -EINVAL; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { + /* Ingress */ + if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH || + crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER) + return -EINVAL; + auth_xform = crypto_xfrm; + cipher_xform = crypto_xfrm->next; + } else { + /* Egress */ + if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER || + crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH) + return -EINVAL; + cipher_xform = crypto_xfrm; + auth_xform = crypto_xfrm->next; + } + + ret = ipsec_xform_cipher_verify(cipher_xform); + if (ret) + return ret; + + ret = ipsec_xform_auth_verify(auth_xform); + if (ret) + return ret; + + return 0; } static uint64_t diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index ab37f9c43b..47274b2c24 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c 
@@ -754,6 +754,49 @@ static const struct rte_cryptodev_capabilities sec_caps_aes[] = { }, } }, } }, + { /* AES CBC */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER, + {.cipher = { + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 8 + }, + .iv_size = { + .min = 16, + .max = 16, + .increment = 0 + } + }, } + }, } + }, +}; + +static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = { + { /* SHA1 HMAC */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, + {.auth = { + .algo = RTE_CRYPTO_AUTH_SHA1_HMAC, + .block_size = 64, + .key_size = { + .min = 20, + .max = 64, + .increment = 1 + }, + .digest_size = { + .min = 12, + .max = 12, + .increment = 0 + }, + }, } + }, } + }, }; static const struct rte_security_capability sec_caps_templ[] = { @@ -839,6 +882,7 @@ sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[], int cur_pos = 0; SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, aes); + SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, sha1_sha2); sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end)); } -- 2.27.0
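
Review bot: in ipsec_hmac_opad_ipad_gen() (drivers/common/cnxk/cnxk_security.c, hunk at -6,12), the copy loop `for (i = 0; i < 127 && i < length; i++)` is bounded by 127, while the pad buffers are 128 bytes and the SHA1-HMAC capability added in this same patch declares block_size 64 and key_size.max 64. A longer key is silently truncated here rather than rejected, and HMAC requires a key longer than the block size to be hashed first, so the result is only correct because ipsec_xform_auth_verify() has already limited the key to 64 bytes. Suggest bounding the loop by the hash block size and returning an error for a longer key, so the common helper does not depend on a check in another file. Two smaller points in the same function: opad[] and ipad[] hold the key XORed with the pad constants and are left on the stack when the function returns, so clear them before returning; and the offset in `&hmac_opad_ipad[24]` needs a named constant or a comment explaining the layout.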
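
Review bot: in the new else branch of ot_ipsec_sa_common_param_fill() (drivers/common/cnxk/cnxk_security.c, hunk at -70,7), `cipher_xfrm->cipher.algo` and `auth_xfrm->auth.algo` are dereferenced without any check that crypto_xfrm->next is non-NULL or that the two xforms are of type CIPHER and AUTH. The preceding hunk assigns cipher_xfrm and auth_xfrm from crypto_xfrm and crypto_xfrm->next based on direction alone. cn10k_ipsec_xform_verify() in this patch does validate the chain, but this function lives in common code, and a caller that has not run that verify would hand it a NULL or mistyped xform. Suggest returning -EINVAL here when crypto_xfrm->next is NULL, or at minimum documenting the precondition in a comment above the function.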
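
Review bot: ipsec_xform_cipher_verify() and ipsec_xform_auth_verify() (drivers/crypto/cnxk/cn10k_ipsec.c, hunk at -17,6) check only the algorithm and the key length, although the capabilities added in this patch fix digest_size at 12 and iv_size at 16. Neither xform->auth.digest_length nor xform->cipher.iv.length is compared against those values, so a session asking for a different ICV or IV length is accepted. Suggest rejecting such xforms with -ENOTSUP. The literals in `keylen >= 20 && keylen <= 64` also duplicate key_size.min and key_size.max from sec_caps_sha1_sha2[]; a shared definition would keep the two from drifting apart.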
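
Review bot: the chain check added to cn10k_ipsec_xform_verify() (drivers/crypto/cnxk/cn10k_ipsec.c, hunk at -67,7) validates the xform types per direction but not the op field of each xform, so an ingress SA whose auth xform requests generate, or whose cipher xform requests encrypt, passes verification. If the operation is derived from the SA direction alone, a comment saying so would help; otherwise check auth.op and cipher.op against ipsec_xfrm->direction and return -EINVAL on mismatch. The code also does not require crypto_xfrm->next->next to be NULL, so any further chained xform is silently ignored.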
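
Review bot: in sec_caps_sha1_sha2[] (drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c, hunk at -754,6), digest_size is fixed at min 12 / max 12, meaning only the 96-bit truncated ICV is offered, but neither the cnxk.rst entry `AES-128/192/256-CBC-SHA1-HMAC` nor the release note added in this patch mentions that restriction. Suggest stating the supported ICV length in the documentation so users do not have to read the capability table to find it.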