From: Archana Muniganti
Date: Thu, 28 Oct 2021 22:22:25 +0530
Message-ID: <20211028165228.14603-4-marchana@marvell.com>
In-Reply-To: <20211028165228.14603-1-marchana@marvell.com>
References: <20211028165228.14603-1-marchana@marvell.com>
Subject: [dpdk-dev] [PATCH 3/6] crypto/cnxk: add cn9k ESN and anti-replay support

Adds ESN and anti-replay support for lookaside IPsec.

Signed-off-by: Archana Muniganti
Signed-off-by: Tejasree Kondoj
--- doc/guides/cryptodevs/cnxk.rst | 2 + doc/guides/rel_notes/release_21_11.rst | 1 + drivers/common/cnxk/cnxk_security_ar.h | 21 +++++++++ drivers/crypto/cnxk/cn9k_ipsec.c | 17 ++++++++ drivers/crypto/cnxk/cn9k_ipsec.h | 5 +++ drivers/crypto/cnxk/cn9k_ipsec_la_ops.h | 58 +++++++++++++++++++++++++ 6 files changed, 104 insertions(+) diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index 709da56ca8..faad6a499d 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -248,6 +248,8 @@ CN9XX Features supported * Tunnel mode * UDP Encapsulation * AES-128/192/256-GCM +* ESN +* Anti-replay CN10XX Features supported ~~~~~~~~~~~~~~~~~~~~~~~~~ 
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 6cc7b2579e..82cdff641a 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -213,6 +213,7 @@ New Features * Added support for CN98xx dual block. * Added inner checksum support in lookaside protocol (IPsec) for CN10K. * Added AES-CBC NULL auth support in lookaside protocol (IPsec) for CN10K. + * Added ESN and anti-replay support in lookaside protocol (IPsec) for CN9K. * **Added support for event crypto adapter on Marvell CN10K and CN9K.** diff --git a/drivers/common/cnxk/cnxk_security_ar.h b/drivers/common/cnxk/cnxk_security_ar.h index 6bc517c875..3ec4c296c2 100644 --- a/drivers/common/cnxk/cnxk_security_ar.h +++ b/drivers/common/cnxk/cnxk_security_ar.h @@ -30,6 +30,27 @@ struct cnxk_on_ipsec_ar { uint64_t window[AR_WIN_ARR_SZ]; /**< anti-replay window */ }; +static inline uint32_t +cnxk_on_anti_replay_get_seqh(uint32_t winsz, uint32_t seql, uint32_t esn_hi, + uint32_t esn_low) +{ + uint32_t win_low = esn_low - winsz + 1; + + if (esn_low > winsz - 1) { + /* Window is in one sequence number subspace */ + if (seql > win_low) + return esn_hi; + else + return esn_hi + 1; + } else { + /* Window is split across two sequence number subspaces */ + if (seql > win_low) + return esn_hi - 1; + else + return esn_hi; + } +} + static inline int cnxk_on_anti_replay_check(uint64_t seq, struct cnxk_on_ipsec_ar *ar, uint32_t winsz) diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c index a43864df0d..ca26d9289c 100644 --- a/drivers/crypto/cnxk/cn9k_ipsec.c +++ b/drivers/crypto/cnxk/cn9k_ipsec.c @@ -445,6 +445,7 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp, memset(sa, 0, sizeof(struct cn9k_ipsec_sa)); sa->dir = RTE_SECURITY_IPSEC_SA_DIR_INGRESS; + sa->replay_win_sz = ipsec->replay_win_sz; ret = fill_ipsec_common_sa(ipsec, crypto_xform, &in_sa->common_sa); if (ret) 
@@ -483,6 +484,22 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp, w7.s.cptr = rte_mempool_virt2iova(in_sa); inst_tmpl->w7 = w7.u64; + if (sa->replay_win_sz) { + if (sa->replay_win_sz > CNXK_ON_AR_WIN_SIZE_MAX) { + plt_err("Replay window size:%u is not supported", + sa->replay_win_sz); + return -ENOTSUP; + } + + /* Set window bottom to 1, base and top to size of window */ + sa->ar.winb = 1; + sa->ar.wint = sa->replay_win_sz; + sa->ar.base = sa->replay_win_sz; + + in_sa->common_sa.esn_low = 0; + in_sa->common_sa.esn_hi = 0; + } + return cn9k_cpt_enq_sa_write( sa, qp, ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_INBOUND, ctx_len); } diff --git a/drivers/crypto/cnxk/cn9k_ipsec.h b/drivers/crypto/cnxk/cn9k_ipsec.h index 13d522ec6f..fc440d54ba 100644 --- a/drivers/crypto/cnxk/cn9k_ipsec.h +++ b/drivers/crypto/cnxk/cn9k_ipsec.h @@ -7,6 +7,7 @@ #include "cnxk_ipsec.h" #include "cnxk_security.h" +#include "cnxk_security_ar.h" struct cn9k_ipsec_sa { union { @@ -35,6 +36,10 @@ struct cn9k_ipsec_sa { uint32_t seq_hi; }; }; + /** Anti replay */ + struct cnxk_on_ipsec_ar ar; + /** Anti replay window size */ + uint32_t replay_win_sz; }; struct cn9k_sec_session { diff --git a/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h index b7a88e1b35..2dc8913feb 100644 --- a/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h +++ b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h @@ -6,9 +6,11 @@ #define __CN9K_IPSEC_LA_OPS_H__ #include +#include #include #include "cn9k_ipsec.h" +#include "cnxk_security_ar.h" static __rte_always_inline int32_t ipsec_po_out_rlen_get(struct cn9k_ipsec_sa *sa, uint32_t plen) 
@@ -21,6 +23,53 @@ ipsec_po_out_rlen_get(struct cn9k_ipsec_sa *sa, uint32_t plen) return sa->rlens.partial_len + enc_payload_len; } +static __rte_always_inline int +ipsec_antireplay_check(struct cn9k_ipsec_sa *sa, uint32_t win_sz, + struct rte_mbuf *m) +{ + uint32_t esn_low = 0, esn_hi = 0, seql = 0, seqh = 0; + struct roc_ie_on_common_sa *common_sa; + struct roc_ie_on_inb_sa *in_sa; + struct roc_ie_on_sa_ctl *ctl; + uint64_t seq_in_sa, seq = 0; + struct rte_esp_hdr *esp; + uint8_t esn; + int ret; + + in_sa = &sa->in_sa; + common_sa = &in_sa->common_sa; + ctl = &common_sa->ctl; + + esn = ctl->esn_en; + esn_low = rte_be_to_cpu_32(common_sa->esn_low); + esn_hi = rte_be_to_cpu_32(common_sa->esn_hi); + + esp = rte_pktmbuf_mtod_offset(m, void *, sizeof(struct rte_ipv4_hdr)); + seql = rte_be_to_cpu_32(esp->seq); + + if (!esn) { + seq = (uint64_t)seql; + } else { + seqh = cnxk_on_anti_replay_get_seqh(win_sz, seql, esn_hi, + esn_low); + seq = ((uint64_t)seqh << 32) | seql; + } + + if (unlikely(seq == 0)) + return IPSEC_ANTI_REPLAY_FAILED; + + ret = cnxk_on_anti_replay_check(seq, &sa->ar, win_sz); + if (esn && !ret) { + seq_in_sa = ((uint64_t)esn_hi << 32) | esn_low; + if (seq > seq_in_sa) { + common_sa->esn_low = rte_cpu_to_be_32(seql); + common_sa->esn_hi = rte_cpu_to_be_32(seqh); + } + } + + return ret; +} + static __rte_always_inline int process_outb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa, struct cpt_inst_s *inst) @@ -78,6 +127,15 @@ process_inb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa, { struct rte_crypto_sym_op *sym_op = cop->sym; struct rte_mbuf *m_src = sym_op->m_src; + int ret; + + if (sa->replay_win_sz) { + ret = ipsec_antireplay_check(sa, sa->replay_win_sz, m_src); + if (unlikely(ret)) { + plt_dp_err("Anti replay check failed"); + return ret; + } + } /* Prepare CPT instruction */ inst->w4.u64 = sa->inst.w4 | rte_pktmbuf_pkt_len(m_src); -- 2.22.0
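
Review bot: In cnxk_on_anti_replay_get_seqh() (drivers/common/cnxk/cnxk_security_ar.h) both comparisons are strict, which misplaces the window edges. When esn_low == winsz - 1 the window bottom is 0 and the whole window lies in one sequence number subspace, but `if (esn_low > winsz - 1)` sends that case to the split branch, where any seql > 0 returns esn_hi - 1 (0xFFFFFFFF when esn_hi is 0). Likewise a packet exactly at the bottom of the window (seql == win_low) gets esn_hi + 1 in the first branch instead of esn_hi. RFC 4303 Appendix A2 uses >= for both tests; suggest `esn_low >= winsz - 1` and `seql >= win_low`, and a short comment on the helper saying that all arguments are expected in host byte order, since the caller converts them with rte_be_to_cpu_32() first.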
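
Review bot: In cn9k_ipsec_inb_sa_create() (drivers/crypto/cnxk/cn9k_ipsec.c) the `sa->replay_win_sz > CNXK_ON_AR_WIN_SIZE_MAX` test runs only after the SA has been zeroed, the common SA filled and `inst_tmpl->w7` written, although the value is known as soon as `sa->replay_win_sz = ipsec->replay_win_sz` is assigned in the earlier hunk. Suggest validating ipsec->replay_win_sz at the top of the function, before the memset, so an unsupported window size is rejected before any SA state is built. A one-line comment that esn_low/esn_hi are stored big-endian (the datapath reads them with rte_be_to_cpu_32()) would also make the plain `= 0` initialisation here easier to read.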
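
Review bot: In ipsec_antireplay_check() (drivers/crypto/cnxk/cn9k_ipsec_la_ops.h) the ESP header is located with `rte_pktmbuf_mtod_offset(m, void *, sizeof(struct rte_ipv4_hdr))`, which hard-codes an outer IPv4 header without options, and esp->seq is then read with no check that the first segment holds that many bytes. An IPv6 outer header, IPv4 options, or the UDP encapsulation that cnxk.rst lists as supported would put the ESP header at a different offset, so the window would be evaluated against 32 bits that are not the sequence number, and a short packet would be read past its data. Suggest taking the offset from the SA configuration or the parsed outer header and failing the check when the mbuf's data length is less than that offset plus sizeof(struct rte_esp_hdr).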
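
Review bot: In process_inb_sa() the anti-replay check is called before the CPT instruction is prepared, so the packet has not been authenticated at that point, yet ipsec_antireplay_check() already writes common_sa->esn_low and common_sa->esn_hi whenever seq > seq_in_sa. Any state that cnxk_on_anti_replay_check() advances in sa->ar is likewise driven by an unverified sequence number, which means a packet that later fails integrity verification can still move the ESN and window state and cause legitimate packets to be rejected. RFC 4303 updates the window only after ICV verification succeeds; suggest keeping the pre-submit step read-only and applying the ESN and window update on the completion path once the operation has returned success. Since `plt_dp_err("Anti replay check failed")` fires for every rejected packet on the datapath, a per-SA counter would be a better fit than a log line.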