From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 426A3A0C43; Thu, 30 Sep 2021 19:03:04 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 65FE341103; Thu, 30 Sep 2021 19:02:42 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 34BBE410FE for ; Thu, 30 Sep 2021 19:02:01 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18UDg7xh025495 for ; Thu, 30 Sep 2021 10:02:00 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-type; s=pfpt0220; bh=3C7JS0SZAP+CpdmvI3wl1lC6/B1bmiyLcOBi6SAv9WY=; b=eQpFWy0cHGyQak42hqOOgJW+P4g0X7HNPrNn8E3Ovjpq1quvzwdW8D7Dx5ZAaD5i8UdJ +YayYSzMSuDK6jLVTlBh0Me2Cwn+CYrJ/AtC0nrvekB5LNB6Lx0tAeW3Rhpv4Ikt9tXz JANwpPm5dCRkslBc29h4pSirmngovCYOLSnVqHrDdoN7rRjxqcrsO2ThijrRBtZ0kBS/ 0Z1EJubNAkxEvXPJUxHRKB2n62dKkxZ24z1Fo55dsdAtUc7oUfDO934vpr7AnqMQuGkR 5ptxbnkZOSlSKntheNZlCJ5892WbtzkpaUcyMiKGZesm4GPhiMJ/GVX04tEghfaY85l6 xA== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0a-0016f401.pphosted.com with ESMTP id 3bdebtgym4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Thu, 30 Sep 2021 10:01:59 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Thu, 30 Sep 2021 10:01:58 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Thu, 30 Sep 2021 10:01:58 -0700 Received: from hyd1588t430.marvell.com (unknown [10.29.52.204]) by maili.marvell.com (Postfix) with ESMTP id 77EBF3F7068; Thu, 30 Sep 2021 10:01:56 -0700 (PDT) From: Nithin Dabilpuram To: , Nithin Dabilpuram , "Kiran Kumar K" , Sunil Kumar Kori , Satha Rao CC: , Srujana Challa Date: Thu, 30 Sep 2021 22:30:59 +0530 Message-ID: <20210930170113.29030-15-ndabilpuram@marvell.com> X-Mailer: git-send-email 2.8.4 In-Reply-To: <20210930170113.29030-1-ndabilpuram@marvell.com> References: <20210902021505.17607-1-ndabilpuram@marvell.com> <20210930170113.29030-1-ndabilpuram@marvell.com> MIME-Version: 1.0 Content-Type: text/plain X-Proofpoint-ORIG-GUID: Ntg1Bd4ra65zc37Gr2AXRYWe8QLmtJH4 X-Proofpoint-GUID: Ntg1Bd4ra65zc37Gr2AXRYWe8QLmtJH4 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-30_06,2021-09-30_01,2020-04-07_01 Subject: [dpdk-dev] [PATCH v2 14/28] common/cnxk: support anti-replay check in SW for cn9k X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Srujana Challa Adds anti replay SW implementation for cn9k platform. Signed-off-by: Srujana Challa --- drivers/common/cnxk/cnxk_security_ar.h | 184 +++++++++++++++++++++++++++++++++ 1 file changed, 184 insertions(+) create mode 100644 drivers/common/cnxk/cnxk_security_ar.h diff --git a/drivers/common/cnxk/cnxk_security_ar.h b/drivers/common/cnxk/cnxk_security_ar.h new file mode 100644 index 0000000..6bc517c --- /dev/null +++ b/drivers/common/cnxk/cnxk_security_ar.h @@ -0,0 +1,184 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CNXK_SECURITY_AR_H__ +#define __CNXK_SECURITY_AR_H__ + +#include + +#include "cnxk_security.h" + +#define CNXK_ON_AR_WIN_SIZE_MAX 1024 + +/* u64 array size to fit anti replay window bits */ +#define AR_WIN_ARR_SZ \ + (PLT_ALIGN_CEIL(CNXK_ON_AR_WIN_SIZE_MAX, BITS_PER_LONG_LONG) / \ + BITS_PER_LONG_LONG) + +#define WORD_SHIFT 6 +#define WORD_SIZE (1 << WORD_SHIFT) +#define WORD_MASK (WORD_SIZE - 1) + +#define IPSEC_ANTI_REPLAY_FAILED (-1) + +struct cnxk_on_ipsec_ar { + rte_spinlock_t lock; + uint32_t winb; + uint32_t wint; + uint64_t base; /**< base of the anti-replay window */ + uint64_t window[AR_WIN_ARR_SZ]; /**< anti-replay window */ +}; + +static inline int +cnxk_on_anti_replay_check(uint64_t seq, struct cnxk_on_ipsec_ar *ar, + uint32_t winsz) +{ + uint64_t ex_winsz = winsz + WORD_SIZE; + uint64_t *window = &ar->window[0]; + uint64_t seqword, shiftwords; + uint64_t base = ar->base; + uint32_t winb = ar->winb; + uint32_t wint = ar->wint; + uint64_t winwords; + uint64_t bit_pos; + uint64_t shift; + uint64_t *wptr; + uint64_t tmp; + + winwords = ex_winsz >> WORD_SHIFT; + if (winsz > 64) + goto slow_shift; + /* Check if the seq is the biggest one yet */ + if (likely(seq > base)) { + shift = seq - base; + if (shift < winsz) { /* In window */ + /* + * If more than 64-bit anti-replay window, + * use slow shift routine + */ + wptr = window + (shift >> WORD_SHIFT); + *wptr <<= shift; + *wptr |= 1ull; + } else { + /* No special handling of window size > 64 */ + wptr = window + ((winsz - 1) >> WORD_SHIFT); + /* + * Zero out the whole window (especially for + * bigger than 64b window) till the last 64b word + * as the incoming sequence number minus + * base sequence is more than the window size. + */ + while (window != wptr) + *window++ = 0ull; + /* + * Set the last bit (of the window) to 1 + * as that corresponds to the base sequence number. + * Now any incoming sequence number which is + * (base - window size - 1) will pass anti-replay check + */ + *wptr = 1ull; + } + /* + * Set the base to incoming sequence number as + * that is the biggest sequence number seen yet + */ + ar->base = seq; + return 0; + } + + bit_pos = base - seq; + + /* If seq falls behind the window, return failure */ + if (bit_pos >= winsz) + return IPSEC_ANTI_REPLAY_FAILED; + + /* seq is within anti-replay window */ + wptr = window + ((winsz - bit_pos - 1) >> WORD_SHIFT); + bit_pos &= WORD_MASK; + + /* Check if this is a replayed packet */ + if (*wptr & ((1ull) << bit_pos)) + return IPSEC_ANTI_REPLAY_FAILED; + + /* mark as seen */ + *wptr |= ((1ull) << bit_pos); + return 0; + +slow_shift: + if (likely(seq > base)) { + uint32_t i; + + shift = seq - base; + if (unlikely(shift >= winsz)) { + /* + * shift is bigger than the window, + * so just zero out everything + */ + for (i = 0; i < winwords; i++) + window[i] = 0; +winupdate: + /* Find out the word */ + seqword = ((seq - 1) % ex_winsz) >> WORD_SHIFT; + + /* Find out the bit in the word */ + bit_pos = (seq - 1) & WORD_MASK; + + /* + * Set the bit corresponding to sequence number + * in window to mark it as received + */ + window[seqword] |= (1ull << (63 - bit_pos)); + + /* wint and winb range from 1 to ex_winsz */ + ar->wint = ((wint + shift - 1) % ex_winsz) + 1; + ar->winb = ((winb + shift - 1) % ex_winsz) + 1; + + ar->base = seq; + return 0; + } + + /* + * New sequence number is bigger than the base but + * it's not bigger than base + window size + */ + + shiftwords = ((wint + shift - 1) >> WORD_SHIFT) - + ((wint - 1) >> WORD_SHIFT); + if (unlikely(shiftwords)) { + tmp = (wint + WORD_SIZE - 1) / WORD_SIZE; + for (i = 0; i < shiftwords; i++) { + tmp %= winwords; + window[tmp++] = 0; + } + } + + goto winupdate; + } + + /* Sequence number is before the window */ + if (unlikely((seq + winsz) <= base)) + return IPSEC_ANTI_REPLAY_FAILED; + + /* Sequence number is within the window */ + + /* Find out the word */ + seqword = ((seq - 1) % ex_winsz) >> WORD_SHIFT; + + /* Find out the bit in the word */ + bit_pos = (seq - 1) & WORD_MASK; + + /* Check if this is a replayed packet */ + if (window[seqword] & (1ull << (63 - bit_pos))) + return IPSEC_ANTI_REPLAY_FAILED; + + /* + * Set the bit corresponding to sequence number + * in window to mark it as received + */ + window[seqword] |= (1ull << (63 - bit_pos)); + + return 0; +} + +#endif /* __CNXK_SECURITY_AR_H__ */ -- 2.8.4