* [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC
To: Akhil Goyal
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev
This series adds cn10k lookaside IPsec AES-CBC-HMAC-SHA1, UDP encapsulation
and transport mode support along with common cnxk pmd changes.
The functionality has been tested with ipsec-secgw application running in
lookaside protocol offload mode.
v2:
* Fixed release notes
Archana Muniganti (2):
crypto/cnxk: make IPsec verify functions common
common/cnxk: make IPsec defines common
Tejasree Kondoj (6):
common/cnxk: add hash generation APIs
crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support
crypto/cnxk: remove redundant code
crypto/cnxk: use rlen from CPT result with lookaside
crypto/cnxk: support cn10k transport mode
crypto/cnxk: support UDP encap with lookaside IPsec
doc/guides/cryptodevs/cnxk.rst | 3 +
doc/guides/rel_notes/release_21_11.rst | 6 +
drivers/common/cnxk/cnxk_security.c | 92 +++++-
drivers/common/cnxk/meson.build | 1 +
drivers/common/cnxk/roc_api.h | 4 +
drivers/common/cnxk/roc_hash.c | 275 ++++++++++++++++++
drivers/common/cnxk/roc_hash.h | 16 +
drivers/common/cnxk/roc_ie.h | 33 ++-
drivers/common/cnxk/roc_ie_on.h | 26 --
drivers/common/cnxk/roc_ie_ot.h | 26 --
drivers/common/cnxk/version.map | 3 +
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 44 +--
drivers/crypto/cnxk/cn10k_ipsec.c | 64 +---
drivers/crypto/cnxk/cn10k_ipsec.h | 6 +-
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 28 +-
drivers/crypto/cnxk/cnxk_cryptodev.h | 2 +-
.../crypto/cnxk/cnxk_cryptodev_capabilities.c | 79 ++++-
drivers/crypto/cnxk/cnxk_ipsec.h | 114 ++++++++
18 files changed, 620 insertions(+), 202 deletions(-)
create mode 100644 drivers/common/cnxk/roc_hash.c
create mode 100644 drivers/common/cnxk/roc_hash.h
--
2.27.0
* [dpdk-dev] [PATCH v2 1/8] common/cnxk: add hash generation APIs
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC
To: Akhil Goyal
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev
Adding functions for hash generation that can be used
in hmac opad/ipad calculation.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
drivers/common/cnxk/meson.build | 1 +
drivers/common/cnxk/roc_api.h | 3 +
drivers/common/cnxk/roc_hash.c | 275 ++++++++++++++++++++++++++++++++
drivers/common/cnxk/roc_hash.h | 16 ++
drivers/common/cnxk/version.map | 3 +
5 files changed, 298 insertions(+)
create mode 100644 drivers/common/cnxk/roc_hash.c
create mode 100644 drivers/common/cnxk/roc_hash.h
diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index 6a7849f31c..8a551d15d6 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -19,6 +19,7 @@ sources = files(
'roc_cpt.c',
'roc_cpt_debug.c',
'roc_dev.c',
+ 'roc_hash.c',
'roc_idev.c',
'roc_irq.c',
'roc_mbox.c',
diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h
index 52cb2f2d79..9c06cfee9a 100644
--- a/drivers/common/cnxk/roc_api.h
+++ b/drivers/common/cnxk/roc_api.h
@@ -125,4 +125,7 @@
#include "roc_ie_ot.h"
#include "roc_se.h"
+/* HASH computation */
+#include "roc_hash.h"
+
#endif /* _ROC_API_H_ */
diff --git a/drivers/common/cnxk/roc_hash.c b/drivers/common/cnxk/roc_hash.c
new file mode 100644
index 0000000000..092286e41e
--- /dev/null
+++ b/drivers/common/cnxk/roc_hash.c
@@ -0,0 +1,275 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (c) 2021 Marvell.
+ */
+
+#include "roc_api.h"
+
+#define lrot32(bits, word) (((word) << (bits)) | ((word) >> (32 - (bits))))
+#define rrot32(bits, word) lrot32(32 - (bits), word)
+#define lrot64(bits, word) (((word) << (bits)) | ((word) >> (64 - (bits))))
+#define rrot64(bits, word) lrot64(64 - (bits), word)
+
+/*
+ * Compute a partial hash with the assumption that msg is the first block.
+ * Based on implementation from RFC 3174
+ */
+void
+roc_hash_sha1_gen(uint8_t *msg, uint32_t *hash)
+{
+ const uint32_t _K[] = {/* Round Constants defined in SHA-1 */
+ 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6};
+
+ const uint32_t _H[] = {/* Initial Hash constants defined in SHA-1 */
+ 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476,
+ 0xC3D2E1F0};
+ int i;
+ uint32_t temp; /* Temporary word value */
+ uint32_t W[80]; /* Word sequence */
+ uint32_t A, B, C, D, E; /* Word buffers */
+
+ /* Initialize the first 16 words in the array W */
+ memcpy(&W[0], msg, 16 * sizeof(W[0]));
+
+ for (i = 0; i < 16; i++)
+ W[i] = htobe32(W[i]);
+
+ for (i = 16; i < 80; i++)
+ W[i] = lrot32(1, W[i - 3] ^ W[i - 8] ^ W[i - 14] ^ W[i - 16]);
+
+ A = _H[0];
+ B = _H[1];
+ C = _H[2];
+ D = _H[3];
+ E = _H[4];
+
+ for (i = 0; i < 80; i++) {
+ if (i >= 0 && i <= 19)
+ temp = ((B & C) | ((~B) & D)) + _K[0];
+ else if (i >= 20 && i <= 39)
+ temp = (B ^ C ^ D) + _K[1];
+ else if (i >= 40 && i <= 59)
+ temp = ((B & C) | (B & D) | (C & D)) + _K[2];
+ else if (i >= 60 && i <= 79)
+ temp = (B ^ C ^ D) + _K[3];
+
+ temp = lrot32(5, A) + temp + E + W[i];
+ E = D;
+ D = C;
+ C = lrot32(30, B);
+ B = A;
+ A = temp;
+ }
+
+ A += _H[0];
+ B += _H[1];
+ C += _H[2];
+ D += _H[3];
+ E += _H[4];
+ hash[0] = htobe32(A);
+ hash[1] = htobe32(B);
+ hash[2] = htobe32(C);
+ hash[3] = htobe32(D);
+ hash[4] = htobe32(E);
+}
+
+/*
+ * Compute a partial hash with the assumption that msg is the first block.
+ * Based on implementation from RFC 3174
+ */
+void
+roc_hash_sha256_gen(uint8_t *msg, uint32_t *hash)
+{
+ const uint32_t _K[] = {
+ /* Round Constants defined in SHA-256 */
+ 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b,
+ 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01,
+ 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7,
+ 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
+ 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152,
+ 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
+ 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc,
+ 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+ 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819,
+ 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08,
+ 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f,
+ 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+ 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2};
+
+ const uint32_t _H[] = {/* Initial Hash constants defined in SHA-256 */
+ 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
+ 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
+ int i;
+ uint32_t temp[4], S0, S1; /* Temporary word value */
+ uint32_t W[64]; /* Word sequence */
+ uint32_t A, B, C, D, E, F, G, H; /* Word buffers */
+
+ /* Initialize the first 16 words in the array W */
+ memcpy(&W[0], msg, 16 * sizeof(W[0]));
+
+ for (i = 0; i < 16; i++)
+ W[i] = htobe32(W[i]);
+
+ for (i = 16; i < 64; i++) {
+ S0 = rrot32(7, W[i - 15]) ^ rrot32(18, W[i - 15]) ^
+ (W[i - 15] >> 3);
+ S1 = rrot32(17, W[i - 2]) ^ rrot32(19, W[i - 2]) ^
+ (W[i - 2] >> 10);
+ W[i] = W[i - 16] + S0 + W[i - 7] + S1;
+ }
+
+ A = _H[0];
+ B = _H[1];
+ C = _H[2];
+ D = _H[3];
+ E = _H[4];
+ F = _H[5];
+ G = _H[6];
+ H = _H[7];
+
+ for (i = 0; i < 64; i++) {
+ S1 = rrot32(6, E) ^ rrot32(11, E) ^ rrot32(25, E);
+ temp[0] = (E & F) ^ ((~E) & G);
+ temp[1] = H + S1 + temp[0] + _K[i] + W[i];
+ S0 = rrot32(2, A) ^ rrot32(13, A) ^ rrot32(22, A);
+ temp[2] = (A & B) ^ (A & C) ^ (B & C);
+ temp[3] = S0 + temp[2];
+
+ H = G;
+ G = F;
+ F = E;
+ E = D + temp[1];
+ D = C;
+ C = B;
+ B = A;
+ A = temp[1] + temp[3];
+ }
+
+ A += _H[0];
+ B += _H[1];
+ C += _H[2];
+ D += _H[3];
+ E += _H[4];
+ F += _H[5];
+ G += _H[6];
+ H += _H[7];
+ hash[0] = htobe32(A);
+ hash[1] = htobe32(B);
+ hash[2] = htobe32(C);
+ hash[3] = htobe32(D);
+ hash[4] = htobe32(E);
+ hash[5] = htobe32(F);
+ hash[6] = htobe32(G);
+ hash[7] = htobe32(H);
+}
+
+/*
+ * Compute a partial hash with the assumption that msg is the first block.
+ * Based on implementation from RFC 3174
+ */
+void
+roc_hash_sha512_gen(uint8_t *msg, uint64_t *hash, int hash_size)
+{
+ const uint64_t _K[] = {
+ /* Round Constants defined in SHA-512 */
+ 0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f,
+ 0xe9b5dba58189dbbc, 0x3956c25bf348b538, 0x59f111f1b605d019,
+ 0x923f82a4af194f9b, 0xab1c5ed5da6d8118, 0xd807aa98a3030242,
+ 0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
+ 0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235,
+ 0xc19bf174cf692694, 0xe49b69c19ef14ad2, 0xefbe4786384f25e3,
+ 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65, 0x2de92c6f592b0275,
+ 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
+ 0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f,
+ 0xbf597fc7beef0ee4, 0xc6e00bf33da88fc2, 0xd5a79147930aa725,
+ 0x06ca6351e003826f, 0x142929670a0e6e70, 0x27b70a8546d22ffc,
+ 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
+ 0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6,
+ 0x92722c851482353b, 0xa2bfe8a14cf10364, 0xa81a664bbc423001,
+ 0xc24b8b70d0f89791, 0xc76c51a30654be30, 0xd192e819d6ef5218,
+ 0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8,
+ 0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99,
+ 0x34b0bcb5e19b48a8, 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb,
+ 0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3, 0x748f82ee5defb2fc,
+ 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec,
+ 0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915,
+ 0xc67178f2e372532b, 0xca273eceea26619c, 0xd186b8c721c0c207,
+ 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178, 0x06f067aa72176fba,
+ 0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b,
+ 0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc,
+ 0x431d67c49c100d4c, 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a,
+ 0x5fcb6fab3ad6faec, 0x6c44198c4a475817};
+
+ const uint64_t _H384[] = {/* Initial Hash constants defined in SHA384 */
+ 0xcbbb9d5dc1059ed8, 0x629a292a367cd507,
+ 0x9159015a3070dd17, 0x152fecd8f70e5939,
+ 0x67332667ffc00b31, 0x8eb44a8768581511,
+ 0xdb0c2e0d64f98fa7, 0x47b5481dbefa4fa4};
+ const uint64_t _H512[] = {/* Initial Hash constants defined in SHA512 */
+ 0x6a09e667f3bcc908, 0xbb67ae8584caa73b,
+ 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1,
+ 0x510e527fade682d1, 0x9b05688c2b3e6c1f,
+ 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179};
+ int i;
+ uint64_t temp[4], S0, S1; /* Temporary word value */
+ uint64_t W[80]; /* Word sequence */
+ uint64_t A, B, C, D, E, F, G, H; /* Word buffers */
+ const uint64_t *_H = (hash_size == 384) ? _H384 : _H512;
+
+ /* Initialize the first 16 words in the array W */
+ memcpy(&W[0], msg, 16 * sizeof(W[0]));
+
+ for (i = 0; i < 16; i++)
+ W[i] = htobe64(W[i]);
+
+ for (i = 16; i < 80; i++) {
+ S0 = rrot64(1, W[i - 15]) ^ rrot64(8, W[i - 15]) ^
+ (W[i - 15] >> 7);
+ S1 = rrot64(19, W[i - 2]) ^ rrot64(61, W[i - 2]) ^
+ (W[i - 2] >> 6);
+ W[i] = W[i - 16] + S0 + W[i - 7] + S1;
+ }
+
+ A = _H[0];
+ B = _H[1];
+ C = _H[2];
+ D = _H[3];
+ E = _H[4];
+ F = _H[5];
+ G = _H[6];
+ H = _H[7];
+
+ for (i = 0; i < 80; i++) {
+ S1 = rrot64(14, E) ^ rrot64(18, E) ^ rrot64(41, E);
+ temp[0] = (E & F) ^ ((~E) & G);
+ temp[1] = H + S1 + temp[0] + _K[i] + W[i];
+ S0 = rrot64(28, A) ^ rrot64(34, A) ^ rrot64(39, A);
+ temp[2] = (A & B) ^ (A & C) ^ (B & C);
+ temp[3] = S0 + temp[2];
+
+ H = G;
+ G = F;
+ F = E;
+ E = D + temp[1];
+ D = C;
+ C = B;
+ B = A;
+ A = temp[1] + temp[3];
+ }
+
+ A += _H[0];
+ B += _H[1];
+ C += _H[2];
+ D += _H[3];
+ E += _H[4];
+ F += _H[5];
+ G += _H[6];
+ H += _H[7];
+ hash[0] = htobe64(A);
+ hash[1] = htobe64(B);
+ hash[2] = htobe64(C);
+ hash[3] = htobe64(D);
+ hash[4] = htobe64(E);
+ hash[5] = htobe64(F);
+ hash[6] = htobe64(G);
+ hash[7] = htobe64(H);
+}
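Review bot: The header comments on roc_hash_sha256_gen() and roc_hash_sha512_gen() say "Based on implementation from RFC 3174", but RFC 3174 specifies SHA-1 only; the SHA-2 functions should cite FIPS 180-4 or RFC 6234 instead. In roc_hash_sha1_gen() the round selection ends in `else if (i >= 60 && i <= 79)` with no final else, so a compiler may flag `temp` as possibly uninitialized; making the last branch a plain `else` and dropping the always-true `i >= 0` avoids that. `msg` is only read in all three functions and could be `const uint8_t *`, and roc_hash_sha512_gen() silently treats any `hash_size` other than 384 as SHA-512, which deserves a comment or an explicit check.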
diff --git a/drivers/common/cnxk/roc_hash.h b/drivers/common/cnxk/roc_hash.h
new file mode 100644
index 0000000000..1bc9222445
--- /dev/null
+++ b/drivers/common/cnxk/roc_hash.h
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (c) 2021 Marvell.
+ */
+
+#ifndef _ROC_HASH_H_
+#define _ROC_HASH_H_
+
+/*
+ * Compute a partial hash with the assumption that msg is the first block.
+ * Based on implementation from RFC 3174
+ */
+void __roc_api roc_hash_sha1_gen(uint8_t *msg, uint32_t *hash);
+void __roc_api roc_hash_sha256_gen(uint8_t *msg, uint32_t *hash);
+void __roc_api roc_hash_sha512_gen(uint8_t *msg, uint64_t *hash, int hash_size);
+
+#endif /* _ROC_HASH_H_ */
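Review bot: The prototypes do not say how large the caller's buffers must be, and one shared comment covers all three functions. Going by roc_hash.c, `msg` must hold one full block (16 words are copied, so 64 bytes for SHA-1 and SHA-256 and 128 bytes for the SHA-512 variant) and `hash` must hold 5, 8 and 8 words respectively; please document that per function, along with the accepted values of `hash_size`. The RFC 3174 reference applies to SHA-1 only, and `msg` could be declared `const`.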
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 2cbcc4b93a..34a844bfe8 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -64,6 +64,9 @@ INTERNAL {
roc_cpt_lmtline_init;
roc_cpt_rxc_time_cfg;
roc_error_msg_get;
+ roc_hash_sha1_gen;
+ roc_hash_sha256_gen;
+ roc_hash_sha512_gen;
roc_idev_cpt_get;
roc_idev_cpt_set;
roc_idev_lmt_base_addr_get;
--
2.27.0
* [dpdk-dev] [PATCH v2 2/8] crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC
To: Akhil Goyal
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev
Adding lookaside IPsec AES-CBC-HMAC-SHA1 support to cnxk driver.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/cryptodevs/cnxk.rst | 1 +
doc/guides/rel_notes/release_21_11.rst | 4 ++
drivers/common/cnxk/cnxk_security.c | 68 ++++++++++++++++++-
drivers/crypto/cnxk/cn10k_ipsec.c | 63 ++++++++++++++++-
.../crypto/cnxk/cnxk_cryptodev_capabilities.c | 44 ++++++++++++
5 files changed, 176 insertions(+), 4 deletions(-)
diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 98c7118d68..a40295c087 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -231,6 +231,7 @@ Features supported
* ESP
* Tunnel mode
* AES-128/192/256-GCM
+* AES-128/192/256-CBC-SHA1-HMAC
Limitations
-----------
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index d707a554ef..130d676a11 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -55,6 +55,10 @@ New Features
Also, make sure to start the actual text at the margin.
=======================================================
+* **Updated Marvell cn10k_crypto PMD.**
+
+ * Added aes-cbc sha1-hmac in lookaside protocol (IPsec).
+
Removed Items
-------------
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index 6c6728f570..fe64e70c81 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -6,12 +6,43 @@
#include "cnxk_security.h"
+static void
+ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform,
+ uint8_t *hmac_opad_ipad)
+{
+ const uint8_t *key = auth_xform->auth.key.data;
+ uint32_t length = auth_xform->auth.key.length;
+ uint8_t opad[128] = {[0 ... 127] = 0x5c};
+ uint8_t ipad[128] = {[0 ... 127] = 0x36};
+ uint32_t i;
+
+ /* HMAC OPAD and IPAD */
+ for (i = 0; i < 127 && i < length; i++) {
+ opad[i] = opad[i] ^ key[i];
+ ipad[i] = ipad[i] ^ key[i];
+ }
+
+ /* Precompute hash of HMAC OPAD and IPAD to avoid
+ * per packet computation
+ */
+ switch (auth_xform->auth.algo) {
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ roc_hash_sha1_gen(opad, (uint32_t *)&hmac_opad_ipad[0]);
+ roc_hash_sha1_gen(ipad, (uint32_t *)&hmac_opad_ipad[24]);
+ break;
+ default:
+ break;
+ }
+}
+
static int
ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
uint8_t *cipher_key, uint8_t *salt_key,
+ uint8_t *hmac_opad_ipad,
struct rte_security_ipsec_xform *ipsec_xfrm,
struct rte_crypto_sym_xform *crypto_xfrm)
{
+ struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm;
const uint8_t *key;
uint32_t *tmp_salt;
uint64_t *tmp_key;
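Review bot: In ipsec_hmac_opad_ipad_gen() the loop bound `i < 127 && i < length` stops one byte short of the 128-byte opad/ipad arrays, and nothing in this function rejects a key longer than the hash block size, which HMAC requires to be hashed down first rather than truncated. For SHA1-HMAC only the first 64 bytes are consumed by roc_hash_sha1_gen(), so bounding the loop by the algorithm's block size and returning an error for longer keys would be clearer. The `default:` case leaves hmac_opad_ipad untouched without reporting anything, the offset 24 used for the ipad state is a magic number that wants a named constant, and the key-derived opad/ipad buffers are left on the stack on return.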
@@ -21,9 +52,13 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
switch (ipsec_xfrm->direction) {
case RTE_SECURITY_IPSEC_SA_DIR_INGRESS:
w2->s.dir = ROC_IE_OT_SA_DIR_INBOUND;
+ auth_xfrm = crypto_xfrm;
+ cipher_xfrm = crypto_xfrm->next;
break;
case RTE_SECURITY_IPSEC_SA_DIR_EGRESS:
w2->s.dir = ROC_IE_OT_SA_DIR_OUTBOUND;
+ cipher_xfrm = crypto_xfrm;
+ auth_xfrm = crypto_xfrm->next;
break;
default:
return -EINVAL;
@@ -70,7 +105,32 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
return -ENOTSUP;
}
} else {
- return -ENOTSUP;
+ switch (cipher_xfrm->cipher.algo) {
+ case RTE_CRYPTO_CIPHER_AES_CBC:
+ w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC;
+ break;
+ default:
+ return -ENOTSUP;
+ }
+
+ switch (auth_xfrm->auth.algo) {
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA1;
+ break;
+ default:
+ return -ENOTSUP;
+ }
+
+ key = cipher_xfrm->cipher.key.data;
+ length = cipher_xfrm->cipher.key.length;
+
+ ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
+
+ tmp_key = (uint64_t *)hmac_opad_ipad;
+ for (i = 0;
+ i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t));
+ i++)
+ tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
}
/* Set encapsulation type */
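Review bot: The new else branch dereferences `cipher_xfrm` and `auth_xfrm`, one of which is always `crypto_xfrm->next` (assigned in the direction switch earlier in this function), without checking it for NULL or checking the xform types. cn10k_ipsec_xform_verify() validates the chain in this series, but this is a common helper, so either add the check here or state in a comment that callers must have verified the chain first. The byte-swap loop also covers all of ROC_CTX_MAX_OPAD_IPAD_LEN while only two 20-byte SHA-1 states are written for this algorithm; that is correct only if the SA memory was zeroed beforehand, which is worth a comment.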
@@ -129,7 +189,8 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
w2.u64 = 0;
rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->w8.s.salt,
- ipsec_xfrm, crypto_xfrm);
+ sa->hmac_opad_ipad, ipsec_xfrm,
+ crypto_xfrm);
if (rc)
return rc;
@@ -196,7 +257,8 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
w2.u64 = 0;
rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->iv.s.salt,
- ipsec_xfrm, crypto_xfrm);
+ sa->hmac_opad_ipad, ipsec_xfrm,
+ crypto_xfrm);
if (rc)
return rc;
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 1d567bf188..408a682b21 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -17,6 +17,37 @@
#include "roc_api.h"
+static int
+ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
+{
+ if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+ switch (xform->cipher.key.length) {
+ case 16:
+ case 24:
+ case 32:
+ break;
+ default:
+ return -ENOTSUP;
+ }
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
+static int
+ipsec_xform_auth_verify(struct rte_crypto_sym_xform *xform)
+{
+ uint16_t keylen = xform->auth.key.length;
+
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+ if (keylen >= 20 && keylen <= 64)
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
static int
ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
struct rte_crypto_sym_xform *crypto_xfrm)
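Review bot: ipsec_xform_auth_verify() checks only the key length; `auth.digest_length` is never compared against the 12-byte digest size that the capability table added in this patch advertises, and ipsec_xform_cipher_verify() does not check `cipher.iv.length` against the advertised 16. If the hardware fixes both values for lookaside protocol, a comment saying so would do; otherwise reject mismatching values here with -ENOTSUP so that session creation fails early rather than producing packets the peer drops.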
@@ -48,6 +79,9 @@ static int
cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
struct rte_crypto_sym_xform *crypto_xfrm)
{
+ struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+ int ret;
+
if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
(ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
return -EINVAL;
@@ -67,7 +101,34 @@ cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD)
return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm);
- return -ENOTSUP;
+ if (crypto_xfrm->next == NULL)
+ return -EINVAL;
+
+ if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+ /* Ingress */
+ if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+ crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+ return -EINVAL;
+ auth_xform = crypto_xfrm;
+ cipher_xform = crypto_xfrm->next;
+ } else {
+ /* Egress */
+ if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+ crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+ return -EINVAL;
+ cipher_xform = crypto_xfrm;
+ auth_xform = crypto_xfrm->next;
+ }
+
+ ret = ipsec_xform_cipher_verify(cipher_xform);
+ if (ret)
+ return ret;
+
+ ret = ipsec_xform_auth_verify(auth_xform);
+ if (ret)
+ return ret;
+
+ return 0;
}
static uint64_t
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index ab37f9c43b..47274b2c24 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -754,6 +754,49 @@ static const struct rte_cryptodev_capabilities sec_caps_aes[] = {
}, }
}, }
},
+ { /* AES CBC */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+ {.cipher = {
+ .algo = RTE_CRYPTO_CIPHER_AES_CBC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .iv_size = {
+ .min = 16,
+ .max = 16,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
+};
+
+static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = {
+ { /* SHA1 HMAC */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
+ .block_size = 64,
+ .key_size = {
+ .min = 20,
+ .max = 64,
+ .increment = 1
+ },
+ .digest_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ },
+ }, }
+ }, }
+ },
};
static const struct rte_security_capability sec_caps_templ[] = {
@@ -839,6 +882,7 @@ sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[],
int cur_pos = 0;
SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, aes);
+ SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, sha1_sha2);
sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end));
}
--
2.27.0
* [dpdk-dev] [PATCH v2 3/8] crypto/cnxk: remove redundant code
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC
To: Akhil Goyal
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev
Removing redundant code in cn10k lookaside IPsec.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
drivers/crypto/cnxk/cn10k_ipsec.c | 5 -----
drivers/crypto/cnxk/cn10k_ipsec.h | 2 --
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 2 --
3 files changed, 9 deletions(-)
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 408a682b21..944e0a7e3b 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -270,9 +270,6 @@ cn10k_sec_session_create(void *device, struct rte_security_session_conf *conf,
if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
return -EINVAL;
- if (rte_security_dynfield_register() < 0)
- return -ENOTSUP;
-
if (rte_mempool_get(mempool, (void **)&priv)) {
plt_err("Could not allocate security session private data");
return -ENOMEM;
@@ -280,8 +277,6 @@ cn10k_sec_session_create(void *device, struct rte_security_session_conf *conf,
set_sec_session_private_data(sess, priv);
- priv->userdata = conf->userdata;
-
if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) {
ret = -ENOTSUP;
goto mempool_put;
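Review bot: With `priv->userdata = conf->userdata;` removed, a value the application passes in conf->userdata is dropped without notice, and the commit message says only that the code is redundant. Please state in the log why the dynfield registration and the stored userdata are not needed for lookaside protocol sessions, so a reader can tell this is not a behaviour change for existing applications.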
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index 668282f7aa..c30492e149 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -27,8 +27,6 @@ struct cn10k_ipsec_sa {
struct cn10k_sec_session {
struct cn10k_ipsec_sa sa;
- void *userdata;
- /**< Userdata registered by the application */
} __rte_cache_aligned;
void cn10k_sec_ops_override(void);
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 47274b2c24..9430ca5d00 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -810,7 +810,6 @@ static const struct rte_security_capability sec_caps_templ[] = {
.options = { 0 }
},
.crypto_capabilities = NULL,
- .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
},
{ /* IPsec Lookaside Protocol ESP Tunnel Egress */
.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
@@ -822,7 +821,6 @@ static const struct rte_security_capability sec_caps_templ[] = {
.options = { 0 }
},
.crypto_capabilities = NULL,
- .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
},
{
.action = RTE_SECURITY_ACTION_TYPE_NONE
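Review bot: Dropping `.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA` from both template entries changes what the PMD advertises to applications, which is more than a code cleanup. The commit log should say why the flag does not apply to lookaside protocol, and this change would be easier to review as its own patch or at least its own paragraph in the message.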
--
2.27.0
* [dpdk-dev] [PATCH v2 4/8] crypto/cnxk: use rlen from CPT result with lookaside
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC
To: Akhil Goyal
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev
Use rlen from CPT result with lookaside operations
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 40 ++++++-----------------
drivers/crypto/cnxk/cn10k_ipsec.c | 4 +--
drivers/crypto/cnxk/cn10k_ipsec.h | 4 +--
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 28 ++--------------
4 files changed, 15 insertions(+), 61 deletions(-)
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 15f66c2515..780a321cf7 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -48,7 +48,7 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op)
static __rte_always_inline int __rte_hot
cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
- struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst)
+ struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = op->sym;
union roc_ot_ipsec_sa_word2 *w2;
@@ -70,10 +70,8 @@ cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
if (w2->s.dir == ROC_IE_OT_SA_DIR_OUTBOUND)
ret = process_outb_sa(op, sa, inst);
- else {
- infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND;
+ else
ret = process_inb_sa(op, sa, inst);
- }
return ret;
}
@@ -122,8 +120,7 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[],
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
sec_sess = get_sec_session_private_data(
sym_op->sec_session);
- ret = cpt_sec_inst_fill(op, sec_sess, infl_req,
- &inst[0]);
+ ret = cpt_sec_inst_fill(op, sec_sess, &inst[0]);
if (unlikely(ret))
return 0;
w7 = sec_sess->sa.inst.w7;
@@ -334,30 +331,13 @@ cn10k_cpt_crypto_adapter_enqueue(uintptr_t tag_op, struct rte_crypto_op *op)
static inline void
cn10k_cpt_sec_post_process(struct rte_crypto_op *cop,
- struct cpt_inflight_req *infl_req)
+ struct cpt_cn10k_res_s *res)
{
- struct rte_crypto_sym_op *sym_op = cop->sym;
- struct rte_mbuf *m = sym_op->m_src;
- struct rte_ipv6_hdr *ip6;
- struct rte_ipv4_hdr *ip;
- uint16_t m_len;
-
- if (infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND) {
- ip = (struct rte_ipv4_hdr *)rte_pktmbuf_mtod(m, char *);
-
- if (((ip->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER) ==
- IPVERSION) {
- m_len = rte_be_to_cpu_16(ip->total_length);
- } else {
- PLT_ASSERT(((ip->version_ihl & 0xf0) >>
- RTE_IPV4_IHL_MULTIPLIER) == 6);
- ip6 = (struct rte_ipv6_hdr *)ip;
- m_len = rte_be_to_cpu_16(ip6->payload_len) +
- sizeof(struct rte_ipv6_hdr);
- }
- m->data_len = m_len;
- m->pkt_len = m_len;
- }
+ struct rte_mbuf *m = cop->sym->m_src;
+ const uint16_t m_len = res->rlen;
+
+ m->data_len = m_len;
+ m->pkt_len = m_len;
}
static inline void
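Review bot: cn10k_cpt_sec_post_process() now writes `res->rlen` straight into both `m->data_len` and `m->pkt_len` with no check that the value fits in the mbuf's buffer, and setting both fields to the same value is only right for a single-segment mbuf. A debug-build assertion that rlen does not exceed the current data length plus tailroom, and a comment that only single-segment packets are expected here, would be cheap. The function is also no longer direction-aware, so the outbound length now comes from rlen as well; that is worth a sentence in the commit message.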
@@ -385,7 +365,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
- cn10k_cpt_sec_post_process(cop, infl_req);
+ cn10k_cpt_sec_post_process(cop, res);
return;
}
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 944e0a7e3b..98110872a3 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -176,9 +176,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
if (ret)
return ret;
- sa->partial_len = rlens.partial_len;
- sa->roundup_byte = rlens.roundup_byte;
- sa->roundup_len = rlens.roundup_len;
+ sa->max_extended_len = rlens.max_extended_len;
/* pre-populate CPT INST word 4 */
inst_w4.u64 = 0;
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index c30492e149..bc52c60179 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -20,9 +20,7 @@ struct cn10k_ipsec_sa {
};
/** Pre-populated CPT inst words */
struct cnxk_cpt_inst_tmpl inst;
- uint8_t partial_len;
- uint8_t roundup_len;
- uint8_t roundup_byte;
+ uint16_t max_extended_len;
};
struct cn10k_sec_session {
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index 1e9ebb594a..fe91638c99 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -12,40 +12,21 @@
#include "cn10k_ipsec.h"
#include "cnxk_cryptodev.h"
-static __rte_always_inline int32_t
-ipsec_po_out_rlen_get(struct cn10k_ipsec_sa *sess, uint32_t plen)
-{
- uint32_t enc_payload_len;
-
- enc_payload_len =
- RTE_ALIGN_CEIL(plen + sess->roundup_len, sess->roundup_byte);
-
- return sess->partial_len + enc_payload_len;
-}
-
static __rte_always_inline int
process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
- uint32_t dlen, rlen, extend_tail;
- char *mdata;
-
- dlen = rte_pktmbuf_pkt_len(m_src);
- rlen = ipsec_po_out_rlen_get(sess, dlen);
- extend_tail = rlen - dlen;
-
- mdata = rte_pktmbuf_append(m_src, extend_tail);
- if (unlikely(mdata == NULL)) {
+ if (unlikely(rte_pktmbuf_tailroom(m_src) < sess->max_extended_len)) {
plt_dp_err("Not enough tail room");
return -ENOMEM;
}
/* Prepare CPT instruction */
inst->w4.u64 = sess->inst.w4;
- inst->w4.s.dlen = dlen;
+ inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src);
inst->dptr = rte_pktmbuf_iova(m_src);
inst->rptr = inst->dptr;
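Review bot: In process_outb_sa(), `rte_pktmbuf_tailroom(m_src)` looks at the first segment only, whereas the removed rte_pktmbuf_append() worked on the last segment, so for a chained mbuf the check no longer guards the buffer the result is written into. If only single-segment mbufs are supported on this path, reject `m_src->nb_segs > 1` explicitly or document the restriction. The mbuf length is also no longer extended before submission, so the bytes beyond pkt_len are only accounted for once post-processing applies rlen; a short comment here would help the next reader.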
@@ -58,13 +39,10 @@ process_inb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sa,
{
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
- uint32_t dlen;
-
- dlen = rte_pktmbuf_pkt_len(m_src);
/* Prepare CPT instruction */
inst->w4.u64 = sa->inst.w4;
- inst->w4.s.dlen = dlen;
+ inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src);
inst->dptr = rte_pktmbuf_iova(m_src);
inst->rptr = inst->dptr;
--
2.27.0
* [dpdk-dev] [PATCH v2 5/8] crypto/cnxk: make IPsec verify functions common
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC (permalink / raw)
To: Akhil Goyal
Cc: Archana Muniganti, Anoob Joseph, Ankur Dwivedi, Srujana Challa,
Nithin Dabilpuram, Jerin Jacob, Tejasree Kondoj, dev
From: Archana Muniganti <marchana@marvell.com>
IPsec verify functions can be made common
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
drivers/crypto/cnxk/cn10k_ipsec.c | 116 +-----------------------------
drivers/crypto/cnxk/cnxk_ipsec.h | 113 +++++++++++++++++++++++++++++
2 files changed, 114 insertions(+), 115 deletions(-)
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 98110872a3..5c57cf2818 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -17,120 +17,6 @@
#include "roc_api.h"
-static int
-ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
-{
- if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
- switch (xform->cipher.key.length) {
- case 16:
- case 24:
- case 32:
- break;
- default:
- return -ENOTSUP;
- }
- return 0;
- }
-
- return -ENOTSUP;
-}
-
-static int
-ipsec_xform_auth_verify(struct rte_crypto_sym_xform *xform)
-{
- uint16_t keylen = xform->auth.key.length;
-
- if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
- if (keylen >= 20 && keylen <= 64)
- return 0;
- }
-
- return -ENOTSUP;
-}
-
-static int
-ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
- struct rte_crypto_sym_xform *crypto_xfrm)
-{
- if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
- crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
- return -EINVAL;
-
- if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
- crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
- return -EINVAL;
-
- if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
- switch (crypto_xfrm->aead.key.length) {
- case ROC_CPT_AES128_KEY_LEN:
- case ROC_CPT_AES192_KEY_LEN:
- case ROC_CPT_AES256_KEY_LEN:
- break;
- default:
- return -EINVAL;
- }
- return 0;
- }
-
- return -ENOTSUP;
-}
-
-static int
-cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
- struct rte_crypto_sym_xform *crypto_xfrm)
-{
- struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
- int ret;
-
- if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
- (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
- return -EINVAL;
-
- if ((ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
- (ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
- return -EINVAL;
-
- if ((ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
- (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
- return -EINVAL;
-
- if ((ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
- (ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
- return -EINVAL;
-
- if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD)
- return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm);
-
- if (crypto_xfrm->next == NULL)
- return -EINVAL;
-
- if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
- /* Ingress */
- if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
- crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
- return -EINVAL;
- auth_xform = crypto_xfrm;
- cipher_xform = crypto_xfrm->next;
- } else {
- /* Egress */
- if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
- crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
- return -EINVAL;
- cipher_xform = crypto_xfrm;
- auth_xform = crypto_xfrm->next;
- }
-
- ret = ipsec_xform_cipher_verify(cipher_xform);
- if (ret)
- return ret;
-
- ret = ipsec_xform_auth_verify(auth_xform);
- if (ret)
- return ret;
-
- return 0;
-}
-
static uint64_t
ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa)
{
@@ -245,7 +131,7 @@ cn10k_ipsec_session_create(void *dev,
return -EPERM;
}
- ret = cn10k_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm);
+ ret = cnxk_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm);
if (ret)
return ret;
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index f6897a0e14..d1eb74ebbe 100644
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -17,4 +17,117 @@ struct cnxk_cpt_inst_tmpl {
uint64_t w7;
};
+static inline int
+ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *crypto_xform)
+{
+ if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+ switch (crypto_xform->cipher.key.length) {
+ case 16:
+ case 24:
+ case 32:
+ break;
+ default:
+ return -ENOTSUP;
+ }
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
+static inline int
+ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
+{
+ uint16_t keylen = crypto_xform->auth.key.length;
+
+ if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+ if (keylen >= 20 && keylen <= 64)
+ return 0;
+ } else if (roc_model_is_cn9k() &&
+ (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)) {
+ if (keylen >= 32 && keylen <= 64)
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
+static inline int
+ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xform,
+ struct rte_crypto_sym_xform *crypto_xform)
+{
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+ crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
+ return -EINVAL;
+
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+ crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
+ return -EINVAL;
+
+ if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+ switch (crypto_xform->aead.key.length) {
+ case 16:
+ case 24:
+ case 32:
+ break;
+ default:
+ return -EINVAL;
+ }
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
+static inline int
+cnxk_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xform,
+ struct rte_crypto_sym_xform *crypto_xform)
+{
+ struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+ int ret;
+
+ if ((ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ (ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
+ return -EINVAL;
+
+ if ((ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
+ (ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
+ return -EINVAL;
+
+ if ((ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
+ (ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
+ return -EINVAL;
+
+ if ((ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
+ (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
+ return -EINVAL;
+
+ if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+ return ipsec_xform_aead_verify(ipsec_xform, crypto_xform);
+
+ if (crypto_xform->next == NULL)
+ return -EINVAL;
+
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+ /* Ingress */
+ if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+ crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+ return -EINVAL;
+ auth_xform = crypto_xform;
+ cipher_xform = crypto_xform->next;
+ } else {
+ /* Egress */
+ if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+ crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+ return -EINVAL;
+ cipher_xform = crypto_xform;
+ auth_xform = crypto_xform->next;
+ }
+
+ ret = ipsec_xform_cipher_verify(cipher_xform);
+ if (ret)
+ return ret;
+
+ return ipsec_xform_auth_verify(auth_xform);
+}
#endif /* __CNXK_IPSEC_H__ */
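Review bot: ipsec_xform_auth_verify in the moved code gains a branch that the cn10k version removed above did not have: roc_model_is_cn9k() together with RTE_CRYPTO_AUTH_SHA256_HMAC and key lengths 32 to 64. The commit message describes only making the functions common, so this new acceptance rule should be called out there or split into its own patch. In ipsec_xform_aead_verify the ROC_CPT_AES128_KEY_LEN, ROC_CPT_AES192_KEY_LEN and ROC_CPT_AES256_KEY_LEN cases have become the literals 16, 24 and 32; keeping the macros would keep the check tied to the names used elsewhere in the driver. The two helpers also disagree on the error for an unsupported key length (-ENOTSUP for the cipher, -EINVAL for AEAD), which is worth aligning now that they are shared.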
--
2.27.0
* [dpdk-dev] [PATCH v2 6/8] crypto/cnxk: support cn10k transport mode
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC (permalink / raw)
To: Akhil Goyal
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev
Adding support for cn10k lookaside IPsec transport mode.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/cryptodevs/cnxk.rst | 1 +
doc/guides/rel_notes/release_21_11.rst | 1 +
drivers/crypto/cnxk/cnxk_cryptodev.h | 2 +-
.../crypto/cnxk/cnxk_cryptodev_capabilities.c | 22 +++++++++++++++++++
drivers/crypto/cnxk/cnxk_ipsec.h | 3 ++-
5 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index a40295c087..0dd71135da 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -230,6 +230,7 @@ Features supported
* IPv4
* ESP
* Tunnel mode
+* Transport mode
* AES-128/192/256-GCM
* AES-128/192/256-CBC-SHA1-HMAC
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 130d676a11..0a024dda8f 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -58,6 +58,7 @@ New Features
* **Updated Marvell cn10k_crypto PMD.**
* Added aes-cbc sha1-hmac in lookaside protocol (IPsec).
+ * Added transport mode in lookaside protocol (IPsec).
Removed Items
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h
index b3856f7eaa..8e051fa0fa 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.h
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.h
@@ -12,7 +12,7 @@
#define CNXK_CPT_MAX_CAPS 34
#define CNXK_SEC_CRYPTO_MAX_CAPS 4
-#define CNXK_SEC_MAX_CAPS 3
+#define CNXK_SEC_MAX_CAPS 5
#define CNXK_AE_EC_ID_MAX 8
/**
* Device private data
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 9430ca5d00..05bffa9759 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -822,6 +822,28 @@ static const struct rte_security_capability sec_caps_templ[] = {
},
.crypto_capabilities = NULL,
},
+ { /* IPsec Lookaside Protocol ESP Transport Ingress */
+ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+ .ipsec = {
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+ .mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
+ .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+ .options = { 0 },
+ },
+ .crypto_capabilities = NULL,
+ },
+ { /* IPsec Lookaside Protocol ESP Transport Egress */
+ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+ .ipsec = {
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+ .mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
+ .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+ .options = { 0 },
+ },
+ .crypto_capabilities = NULL,
+ },
{
.action = RTE_SECURITY_ACTION_TYPE_NONE
}
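Review bot: the two transport-mode entries go into sec_caps_templ in cnxk_cryptodev_capabilities.c, which is common cnxk code, while the subject line and the release note describe the feature for cn10k only. If the other cnxk model does not handle transport mode in lookaside protocol, these entries need to be added per model rather than in the shared template; if it does, the documentation should say so. Separately, CNXK_SEC_MAX_CAPS is a hand-maintained count (raised from 3 to 5 in this patch) that has to track the template; a short comment at the define pointing at sec_caps_templ would make the next addition less error-prone.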
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index d1eb74ebbe..ff396179ca 100644
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -98,7 +98,8 @@ cnxk_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xform,
(ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
return -EINVAL;
- if ((ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
+ if ((ipsec_xform->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) &&
+ (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
(ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
return -EINVAL;
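Review bot: with the tunnel.type test now limited to tunnel mode, cnxk_ipsec_xform_verify accepts any transport-mode SA whose proto is ESP or AH (the proto check added in 5/8 allows RTE_SECURITY_IPSEC_SA_PROTO_AH), but the capability entries added in this patch advertise ESP transport only. Consider returning -ENOTSUP for proto and mode combinations that are not advertised, so that verification and the advertised capabilities agree. Since this header is shared, the relaxed check also applies to every caller of cnxk_ipsec_xform_verify, not just cn10k as the subject suggests.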
--
2.27.0
* [dpdk-dev] [PATCH v2 7/8] crypto/cnxk: support UDP encap with lookaside IPsec
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC (permalink / raw)
To: Akhil Goyal
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev
Adding support for UDP encapsulation in lookaside IPsec.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/cryptodevs/cnxk.rst | 1 +
doc/guides/rel_notes/release_21_11.rst | 1 +
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 11 ++++++++++-
3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 0dd71135da..1eb72282db 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -231,6 +231,7 @@ Features supported
* ESP
* Tunnel mode
* Transport mode
+* UDP Encapsulation
* AES-128/192/256-GCM
* AES-128/192/256-CBC-SHA1-HMAC
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 0a024dda8f..70dd1c52f7 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -59,6 +59,7 @@ New Features
* Added aes-cbc sha1-hmac in lookaside protocol (IPsec).
* Added transport mode in lookaside protocol (IPsec).
+ * Added UDP encapsulation in lookaside protocol (IPsec).
Removed Items
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 05bffa9759..c4f7824332 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -907,6 +907,12 @@ sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[],
sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end));
}
+static void
+cnxk_sec_caps_update(struct rte_security_capability *sec_cap)
+{
+ sec_cap->ipsec.options.udp_encap = 1;
+}
+
void
cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf)
{
@@ -918,8 +924,11 @@ cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf)
PLT_STATIC_ASSERT(RTE_DIM(sec_caps_templ) <= RTE_DIM(vf->sec_caps));
memcpy(vf->sec_caps, sec_caps_templ, sizeof(sec_caps_templ));
- for (i = 0; i < RTE_DIM(sec_caps_templ) - 1; i++)
+ for (i = 0; i < RTE_DIM(sec_caps_templ) - 1; i++) {
vf->sec_caps[i].crypto_capabilities = vf->sec_crypto_caps;
+
+ cnxk_sec_caps_update(&vf->sec_caps[i]);
+ }
}
const struct rte_security_capability *
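Review bot: cnxk_sec_caps_update() sets ipsec.options.udp_encap on every entry copied from sec_caps_templ (tunnel and transport, ingress and egress) with no check of the device model, and this patch touches only the capability table and the docs. Please point to where SA setup reads the udp_encap option, or include that change here, so the flag is not advertised ahead of the datapath support. If only some models support it, pass the vf or model into the helper and set the bit conditionally; as written, any entry later added to the template will inherit the flag as well.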
--
2.27.0
* [dpdk-dev] [PATCH v2 8/8] common/cnxk: make IPsec defines common
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC (permalink / raw)
To: Akhil Goyal
Cc: Archana Muniganti, Anoob Joseph, Ankur Dwivedi, Srujana Challa,
Nithin Dabilpuram, Jerin Jacob, Tejasree Kondoj, dev
From: Archana Muniganti <marchana@marvell.com>
Make IPsec defines common and remove redundant macros.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
drivers/common/cnxk/cnxk_security.c | 24 +++++++++--------
drivers/common/cnxk/roc_api.h | 1 +
drivers/common/cnxk/roc_ie.h | 33 ++++++++++++++++-------
drivers/common/cnxk/roc_ie_on.h | 26 ------------------
drivers/common/cnxk/roc_ie_ot.h | 26 ------------------
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 4 ++-
6 files changed, 41 insertions(+), 73 deletions(-)
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index fe64e70c81..4f7fd1b3a0 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -6,6 +6,8 @@
#include "cnxk_security.h"
+#include "roc_api.h"
+
static void
ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform,
uint8_t *hmac_opad_ipad)
@@ -51,12 +53,12 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
/* Set direction */
switch (ipsec_xfrm->direction) {
case RTE_SECURITY_IPSEC_SA_DIR_INGRESS:
- w2->s.dir = ROC_IE_OT_SA_DIR_INBOUND;
+ w2->s.dir = ROC_IE_SA_DIR_INBOUND;
auth_xfrm = crypto_xfrm;
cipher_xfrm = crypto_xfrm->next;
break;
case RTE_SECURITY_IPSEC_SA_DIR_EGRESS:
- w2->s.dir = ROC_IE_OT_SA_DIR_OUTBOUND;
+ w2->s.dir = ROC_IE_SA_DIR_OUTBOUND;
cipher_xfrm = crypto_xfrm;
auth_xfrm = crypto_xfrm->next;
break;
@@ -67,10 +69,10 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
/* Set protocol - ESP vs AH */
switch (ipsec_xfrm->proto) {
case RTE_SECURITY_IPSEC_SA_PROTO_ESP:
- w2->s.protocol = ROC_IE_OT_SA_PROTOCOL_ESP;
+ w2->s.protocol = ROC_IE_SA_PROTOCOL_ESP;
break;
case RTE_SECURITY_IPSEC_SA_PROTO_AH:
- w2->s.protocol = ROC_IE_OT_SA_PROTOCOL_AH;
+ w2->s.protocol = ROC_IE_SA_PROTOCOL_AH;
break;
default:
return -EINVAL;
@@ -79,10 +81,10 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
/* Set mode - transport vs tunnel */
switch (ipsec_xfrm->mode) {
case RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT:
- w2->s.mode = ROC_IE_OT_SA_MODE_TRANSPORT;
+ w2->s.mode = ROC_IE_SA_MODE_TRANSPORT;
break;
case RTE_SECURITY_IPSEC_SA_MODE_TUNNEL:
- w2->s.mode = ROC_IE_OT_SA_MODE_TUNNEL;
+ w2->s.mode = ROC_IE_SA_MODE_TUNNEL;
break;
default:
return -EINVAL;
@@ -147,13 +149,13 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
switch (length) {
case ROC_CPT_AES128_KEY_LEN:
- w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_128;
+ w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;
break;
case ROC_CPT_AES192_KEY_LEN:
- w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_192;
+ w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;
break;
case ROC_CPT_AES256_KEY_LEN:
- w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_256;
+ w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;
break;
default:
return -EINVAL;
@@ -271,7 +273,7 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
/* Tunnel header info */
switch (tunnel->type) {
case RTE_SECURITY_IPSEC_TUNNEL_IPV4:
- sa->w2.s.outer_ip_ver = ROC_IE_OT_SA_IP_VERSION_4;
+ sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
memcpy(&sa->outer_hdr.ipv4.src_addr, &tunnel->ipv4.src_ip,
sizeof(struct in_addr));
memcpy(&sa->outer_hdr.ipv4.dst_addr, &tunnel->ipv4.dst_ip,
@@ -302,7 +304,7 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
}
break;
case RTE_SECURITY_IPSEC_TUNNEL_IPV6:
- sa->w2.s.outer_ip_ver = ROC_IE_OT_SA_IP_VERSION_6;
+ sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_6;
memcpy(&sa->outer_hdr.ipv6.src_addr, &tunnel->ipv6.src_addr,
sizeof(struct in6_addr));
memcpy(&sa->outer_hdr.ipv6.dst_addr, &tunnel->ipv6.dst_addr,
diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h
index 9c06cfee9a..7dec8453b4 100644
--- a/drivers/common/cnxk/roc_api.h
+++ b/drivers/common/cnxk/roc_api.h
@@ -121,6 +121,7 @@
/* CPT microcode */
#include "roc_ae.h"
#include "roc_ae_fpm_tables.h"
+#include "roc_ie.h"
#include "roc_ie_on.h"
#include "roc_ie_ot.h"
#include "roc_se.h"
diff --git a/drivers/common/cnxk/roc_ie.h b/drivers/common/cnxk/roc_ie.h
index a330ea1b50..31b83948e1 100644
--- a/drivers/common/cnxk/roc_ie.h
+++ b/drivers/common/cnxk/roc_ie.h
@@ -5,15 +5,30 @@
#ifndef __ROC_IE_H__
#define __ROC_IE_H__
-/* CNXK IPSEC helper macros */
-#define ROC_IE_AH_HDR_LEN 12
-#define ROC_IE_AES_GCM_IV_LEN 8
-#define ROC_IE_AES_GCM_MAC_LEN 16
-#define ROC_IE_AES_CBC_IV_LEN 16
-#define ROC_IE_SHA1_HMAC_LEN 12
-#define ROC_IE_AUTH_KEY_LEN_MAX 64
+enum {
+ ROC_IE_SA_DIR_INBOUND = 0,
+ ROC_IE_SA_DIR_OUTBOUND = 1,
+};
-#define ROC_IE_AES_GCM_ROUNDUP_BYTE_LEN 4
-#define ROC_IE_AES_CBC_ROUNDUP_BYTE_LEN 16
+enum {
+ ROC_IE_SA_IP_VERSION_4 = 0,
+ ROC_IE_SA_IP_VERSION_6 = 1,
+};
+
+enum {
+ ROC_IE_SA_MODE_TRANSPORT = 0,
+ ROC_IE_SA_MODE_TUNNEL = 1,
+};
+
+enum {
+ ROC_IE_SA_PROTOCOL_AH = 0,
+ ROC_IE_SA_PROTOCOL_ESP = 1,
+};
+
+enum {
+ ROC_IE_SA_AES_KEY_LEN_128 = 1,
+ ROC_IE_SA_AES_KEY_LEN_192 = 2,
+ ROC_IE_SA_AES_KEY_LEN_256 = 3,
+};
#endif /* __ROC_IE_H__ */
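Review bot: the five enums added to roc_ie.h are anonymous and carry no comment saying what they encode. The ROC_IE_ON_* and ROC_IE_OT_* enums they replace had identical values, so a one-line comment stating that these are the SA field encodings common to both formats would explain why the merge is safe and warn against changing a value for one format only. The same hunk drops the ROC_IE_*_LEN and ROC_IE_*_ROUNDUP_BYTE_LEN helper macros; the commit message should state that they have no remaining users.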
diff --git a/drivers/common/cnxk/roc_ie_on.h b/drivers/common/cnxk/roc_ie_on.h
index 508654a9d8..222c298a53 100644
--- a/drivers/common/cnxk/roc_ie_on.h
+++ b/drivers/common/cnxk/roc_ie_on.h
@@ -18,32 +18,6 @@
/* Ucode completion codes */
#define ROC_IE_ONF_UCC_SUCCESS 0
-enum {
- ROC_IE_ON_SA_DIR_INBOUND = 0,
- ROC_IE_ON_SA_DIR_OUTBOUND = 1,
-};
-
-enum {
- ROC_IE_ON_SA_IP_VERSION_4 = 0,
- ROC_IE_ON_SA_IP_VERSION_6 = 1,
-};
-
-enum {
- ROC_IE_ON_SA_MODE_TRANSPORT = 0,
- ROC_IE_ON_SA_MODE_TUNNEL = 1,
-};
-
-enum {
- ROC_IE_ON_SA_PROTOCOL_AH = 0,
- ROC_IE_ON_SA_PROTOCOL_ESP = 1,
-};
-
-enum {
- ROC_IE_ON_SA_AES_KEY_LEN_128 = 1,
- ROC_IE_ON_SA_AES_KEY_LEN_192 = 2,
- ROC_IE_ON_SA_AES_KEY_LEN_256 = 3,
-};
-
enum {
ROC_IE_ON_SA_ENC_NULL = 0,
ROC_IE_ON_SA_ENC_DES_CBC = 1,
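Review bot: this hunk deletes the ROC_IE_ON_SA_DIR, IP_VERSION, MODE, PROTOCOL and AES_KEY_LEN enums, but unlike the ROC_IE_OT_* names, which are renamed at each use in cnxk_security.c and cn10k_cryptodev_ops.c, no ROC_IE_ON_* user is converted anywhere in the patch. Please confirm with a tree-wide grep that nothing still references the ROC_IE_ON_SA_* names being removed, and note that in the commit message.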
diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h
index aeb4be2971..3987a082a2 100644
--- a/drivers/common/cnxk/roc_ie_ot.h
+++ b/drivers/common/cnxk/roc_ie_ot.h
@@ -97,32 +97,6 @@ enum {
ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE = 1,
};
-enum {
- ROC_IE_OT_SA_DIR_INBOUND = 0,
- ROC_IE_OT_SA_DIR_OUTBOUND = 1,
-};
-
-enum {
- ROC_IE_OT_SA_IP_VERSION_4 = 0,
- ROC_IE_OT_SA_IP_VERSION_6 = 1,
-};
-
-enum {
- ROC_IE_OT_SA_MODE_TRANSPORT = 0,
- ROC_IE_OT_SA_MODE_TUNNEL = 1,
-};
-
-enum {
- ROC_IE_OT_SA_PROTOCOL_AH = 0,
- ROC_IE_OT_SA_PROTOCOL_ESP = 1,
-};
-
-enum {
- ROC_IE_OT_SA_AES_KEY_LEN_128 = 1,
- ROC_IE_OT_SA_AES_KEY_LEN_192 = 2,
- ROC_IE_OT_SA_AES_KEY_LEN_256 = 3,
-};
-
enum {
ROC_IE_OT_SA_ENC_NULL = 0,
ROC_IE_OT_SA_ENC_3DES_CBC = 2,
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 780a321cf7..28055aceed 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -16,6 +16,8 @@
#include "cnxk_cryptodev_ops.h"
#include "cnxk_se.h"
+#include "roc_api.h"
+
static inline struct cnxk_se_sess *
cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op)
{
@@ -68,7 +70,7 @@ cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
sa = &sess->sa;
w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2;
- if (w2->s.dir == ROC_IE_OT_SA_DIR_OUTBOUND)
+ if (w2->s.dir == ROC_IE_SA_DIR_OUTBOUND)
ret = process_outb_sa(op, sa, inst);
else
ret = process_inb_sa(op, sa, inst);
--
2.27.0
* Re: [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features
From: Akhil Goyal @ 2021-09-02 9:12 UTC (permalink / raw)
To: Tejasree Kondoj
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
Srujana Challa, Nithin Kumar Dabilpuram,
Jerin Jacob Kollanukkaran, dev
> This series adds cn10k lookaside IPsec AES-CBC-HMAC-SHA1, UDP
> encapsulation
> and transport mode support along with common cnxk pmd changes.
> The functionality has been tested with ipsec-secgw application running in
> lookaside protocol offload mode.
>
> v2:
> * Fixed release notes
>
> Archana Muniganti (2):
> crypto/cnxk: make IPsec verify functions common
> common/cnxk: make IPsec defines common
>
> Tejasree Kondoj (6):
> common/cnxk: add hash generation APIs
> crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support
> crypto/cnxk: remove redundant code
> crypto/cnxk: use rlen from CPT result with lookaside
> crypto/cnxk: support cn10k transport mode
> crypto/cnxk: support UDP encap with lookaside IPsec
>
> doc/guides/cryptodevs/cnxk.rst | 3 +
> doc/guides/rel_notes/release_21_11.rst | 6 +
> drivers/common/cnxk/cnxk_security.c | 92 +++++-
> drivers/common/cnxk/meson.build | 1 +
> drivers/common/cnxk/roc_api.h | 4 +
> drivers/common/cnxk/roc_hash.c | 275 ++++++++++++++++++
> drivers/common/cnxk/roc_hash.h | 16 +
> drivers/common/cnxk/roc_ie.h | 33 ++-
> drivers/common/cnxk/roc_ie_on.h | 26 --
> drivers/common/cnxk/roc_ie_ot.h | 26 --
> drivers/common/cnxk/version.map | 3 +
> drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 44 +--
> drivers/crypto/cnxk/cn10k_ipsec.c | 64 +---
> drivers/crypto/cnxk/cn10k_ipsec.h | 6 +-
> drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 28 +-
> drivers/crypto/cnxk/cnxk_cryptodev.h | 2 +-
> .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 79 ++++-
> drivers/crypto/cnxk/cnxk_ipsec.h | 114 ++++++++
> 18 files changed, 620 insertions(+), 202 deletions(-)
> create mode 100644 drivers/common/cnxk/roc_hash.c
> create mode 100644 drivers/common/cnxk/roc_hash.h
>
Series Acked-by: Akhil Goyal <gakhil@marvell.com>
Applied to dpdk-next-crypto
Thanks.