From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 2E9E242BB3; Sat, 27 May 2023 11:51:13 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 21B3A42670; Sat, 27 May 2023 11:51:13 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 7023A4021D for ; Sat, 27 May 2023 11:51:11 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 34R9Wx2m028283; Sat, 27 May 2023 02:51:10 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=dsYOTmFpJXbpoIuNNm8jBjS7f2C5Gv3pHkQ5IrzQezo=; b=cOFCa6EmoyNwa+MPMweHqAk0rXr6Re005i+mPGdMOIQHWQiWD2YBP6uQ0P0blHCKll4S xWA8hJ/ZlXk1YqK2SGN276fnAGGhvtP/G5oWHWRfZj89HO8Jr+hQEDPObI1N0XnnhkbD uyjo/5Usjn8pa5SEd68foULLP/dEArHFZTBkvwwNiU2Cs3eK5siE5tqt2rweYcrKSJ3N Zfw5Fep1edrTw3kOUeXn4jpdxQKeOFHnPL7l4AkkCjHuNPW1SIq6HlYbmcg8M+juRshF 8GYYzQgH/gb2B423i+FiC1Q6GDj/wHZX7NObucfLItFioaE8jRhyfS8WLm18M0rkFeDG JA== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3quaj6rka5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 27 May 2023 02:51:10 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Sat, 27 May 2023 02:51:08 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.48 via Frontend Transport; Sat, 27 May 2023 02:51:08 -0700 Received: from BG-LT92004.corp.innovium.com (unknown [10.193.65.175]) by maili.marvell.com (Postfix) with ESMTP id 708E95E72D6; Sat, 27 May 2023 01:59:37 -0700 (PDT) From: Anoob Joseph To: Thomas Monjalon , Akhil Goyal , Jerin Jacob , Konstantin Ananyev CC: Hemant Agrawal , =?UTF-8?q?Mattias=20R=C3=B6nnblom?= , "Kiran Kumar K" , Volodymyr Fialko , , Olivier Matz , Stephen Hemminger Subject: [PATCH v5 05/21] pdcp: add crypto session create and destroy Date: Sat, 27 May 2023 14:28:54 +0530 Message-ID: <20230527085910.972-6-anoobj@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230527085910.972-1-anoobj@marvell.com> References: <20230526210214.617-1-anoobj@marvell.com> <20230527085910.972-1-anoobj@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-GUID: aY6yQSZB6AHdEzxEZPJdzS2d8OanZcPk X-Proofpoint-ORIG-GUID: aY6yQSZB6AHdEzxEZPJdzS2d8OanZcPk X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.573,FMLib:17.11.176.26 definitions=2023-05-27_06,2023-05-25_03,2023-05-22_02 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Add routines to create & destroy sessions. PDCP lib would take crypto transforms as input and creates the session on the corresponding device after verifying capabilities. Signed-off-by: Anoob Joseph Signed-off-by: Volodymyr Fialko Acked-by: Akhil Goyal --- lib/pdcp/pdcp_crypto.c | 223 ++++++++++++++++++++++++++++++++++++++++- lib/pdcp/pdcp_crypto.h | 5 + 2 files changed, 225 insertions(+), 3 deletions(-) diff --git a/lib/pdcp/pdcp_crypto.c b/lib/pdcp/pdcp_crypto.c index 755e27ec9e..6d2a85dc7d 100644 --- a/lib/pdcp/pdcp_crypto.c +++ b/lib/pdcp/pdcp_crypto.c @@ -2,20 +2,237 @@ * Copyright(C) 2023 Marvell. */ +#include +#include +#include +#include #include +#include #include "pdcp_crypto.h" +#include "pdcp_entity.h" + +static int +pdcp_crypto_caps_cipher_verify(uint8_t dev_id, const struct rte_crypto_sym_xform *c_xfrm) +{ + const struct rte_cryptodev_symmetric_capability *cap; + struct rte_cryptodev_sym_capability_idx cap_idx; + int ret; + + cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER; + cap_idx.algo.cipher = c_xfrm->cipher.algo; + + cap = rte_cryptodev_sym_capability_get(dev_id, &cap_idx); + if (cap == NULL) + return -1; + + ret = rte_cryptodev_sym_capability_check_cipher(cap, c_xfrm->cipher.key.length, + c_xfrm->cipher.iv.length); + + return ret; +} + +static int +pdcp_crypto_caps_auth_verify(uint8_t dev_id, const struct rte_crypto_sym_xform *a_xfrm) +{ + const struct rte_cryptodev_symmetric_capability *cap; + struct rte_cryptodev_sym_capability_idx cap_idx; + int ret; + + cap_idx.type = RTE_CRYPTO_SYM_XFORM_AUTH; + cap_idx.algo.auth = a_xfrm->auth.algo; + + cap = rte_cryptodev_sym_capability_get(dev_id, &cap_idx); + if (cap == NULL) + return -1; + + ret = rte_cryptodev_sym_capability_check_auth(cap, a_xfrm->auth.key.length, + a_xfrm->auth.digest_length, + a_xfrm->auth.iv.length); + + return ret; +} + +static int +pdcp_crypto_xfrm_validate(const struct rte_pdcp_entity_conf *conf, + const struct rte_crypto_sym_xform *c_xfrm, + const struct rte_crypto_sym_xform *a_xfrm, + bool is_auth_then_cipher) +{ + uint16_t cipher_iv_len, auth_digest_len, auth_iv_len; + int ret; + + /* + * Uplink means PDCP entity is configured for transmit. Downlink means PDCP entity is + * configured for receive. When integrity protection is enabled, PDCP always performs + * digest-encrypted or auth-gen-encrypt for uplink (and decrypt-auth-verify for downlink). + * So for uplink, crypto chain would be auth-cipher while for downlink it would be + * cipher-auth. + * + * When integrity protection is not required, xform would be cipher only. + */ + + if (c_xfrm == NULL) + return -EINVAL; + + if (conf->pdcp_xfrm.pkt_dir == RTE_SECURITY_PDCP_UPLINK) { + + /* With UPLINK, if auth is enabled, it should be before cipher */ + if (a_xfrm != NULL && !is_auth_then_cipher) + return -EINVAL; + + /* With UPLINK, cipher operation must be encrypt */ + if (c_xfrm->cipher.op != RTE_CRYPTO_CIPHER_OP_ENCRYPT) + return -EINVAL; + + /* With UPLINK, auth operation (if present) must be generate */ + if (a_xfrm != NULL && a_xfrm->auth.op != RTE_CRYPTO_AUTH_OP_GENERATE) + return -EINVAL; + + } else if (conf->pdcp_xfrm.pkt_dir == RTE_SECURITY_PDCP_DOWNLINK) { + + /* With DOWNLINK, if auth is enabled, it should be after cipher */ + if (a_xfrm != NULL && is_auth_then_cipher) + return -EINVAL; + + /* With DOWNLINK, cipher operation must be decrypt */ + if (c_xfrm->cipher.op != RTE_CRYPTO_CIPHER_OP_DECRYPT) + return -EINVAL; + + /* With DOWNLINK, auth operation (if present) must be verify */ + if (a_xfrm != NULL && a_xfrm->auth.op != RTE_CRYPTO_AUTH_OP_VERIFY) + return -EINVAL; + + } else { + return -EINVAL; + } + + if ((c_xfrm->cipher.algo != RTE_CRYPTO_CIPHER_NULL) && + (c_xfrm->cipher.algo != RTE_CRYPTO_CIPHER_AES_CTR) && + (c_xfrm->cipher.algo != RTE_CRYPTO_CIPHER_ZUC_EEA3) && + (c_xfrm->cipher.algo != RTE_CRYPTO_CIPHER_SNOW3G_UEA2)) + return -EINVAL; + + if (c_xfrm->cipher.algo == RTE_CRYPTO_CIPHER_NULL) + cipher_iv_len = 0; + else + cipher_iv_len = PDCP_IV_LEN; + + if (cipher_iv_len != c_xfrm->cipher.iv.length) + return -EINVAL; + + if (a_xfrm != NULL) { + if ((a_xfrm->auth.algo != RTE_CRYPTO_AUTH_NULL) && + (a_xfrm->auth.algo != RTE_CRYPTO_AUTH_AES_CMAC) && + (a_xfrm->auth.algo != RTE_CRYPTO_AUTH_ZUC_EIA3) && + (a_xfrm->auth.algo != RTE_CRYPTO_AUTH_SNOW3G_UIA2)) + return -EINVAL; + + /* For AUTH NULL, lib PDCP would add 4 byte 0s */ + if (a_xfrm->auth.algo == RTE_CRYPTO_AUTH_NULL) + auth_digest_len = 0; + else + auth_digest_len = RTE_PDCP_MAC_I_LEN; + + if (auth_digest_len != a_xfrm->auth.digest_length) + return -EINVAL; + + if ((a_xfrm->auth.algo == RTE_CRYPTO_AUTH_ZUC_EIA3) || + (a_xfrm->auth.algo == RTE_CRYPTO_AUTH_SNOW3G_UIA2)) + auth_iv_len = PDCP_IV_LEN; + else + auth_iv_len = 0; + + if (a_xfrm->auth.iv.length != auth_iv_len) + return -EINVAL; + } + + if (!rte_cryptodev_is_valid_dev(conf->dev_id)) + return -EINVAL; + + ret = pdcp_crypto_caps_cipher_verify(conf->dev_id, c_xfrm); + if (ret) + return -ENOTSUP; + + if (a_xfrm != NULL) { + ret = pdcp_crypto_caps_auth_verify(conf->dev_id, a_xfrm); + if (ret) + return -ENOTSUP; + } + + return 0; +} int pdcp_crypto_sess_create(struct rte_pdcp_entity *entity, const struct rte_pdcp_entity_conf *conf) { - RTE_SET_USED(entity); - RTE_SET_USED(conf); + struct rte_crypto_sym_xform *c_xfrm, *a_xfrm; + struct entity_priv *en_priv; + bool is_auth_then_cipher; + int ret; + + if (entity == NULL || conf == NULL || conf->crypto_xfrm == NULL) + return -EINVAL; + + en_priv = entity_priv_get(entity); + + en_priv->dev_id = conf->dev_id; + + if (conf->crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_CIPHER) { + c_xfrm = conf->crypto_xfrm; + a_xfrm = conf->crypto_xfrm->next; + is_auth_then_cipher = false; + } else if (conf->crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AUTH) { + a_xfrm = conf->crypto_xfrm; + c_xfrm = conf->crypto_xfrm->next; + is_auth_then_cipher = true; + } else { + return -EINVAL; + } + + ret = pdcp_crypto_xfrm_validate(conf, c_xfrm, a_xfrm, is_auth_then_cipher); + if (ret) + return ret; + + if (c_xfrm->cipher.algo == RTE_CRYPTO_CIPHER_NULL) + c_xfrm->cipher.iv.offset = 0; + else + c_xfrm->cipher.iv.offset = PDCP_IV_OFFSET; + + if (a_xfrm != NULL) { + if (a_xfrm->auth.algo == RTE_CRYPTO_AUTH_NULL) + a_xfrm->auth.iv.offset = 0; + else + if (c_xfrm->cipher.iv.offset) + a_xfrm->auth.iv.offset = PDCP_IV_OFFSET + PDCP_IV_LEN; + else + a_xfrm->auth.iv.offset = PDCP_IV_OFFSET; + } + + if (conf->sess_mpool == NULL) + return -EINVAL; + + en_priv->crypto_sess = rte_cryptodev_sym_session_create(conf->dev_id, conf->crypto_xfrm, + conf->sess_mpool); + if (en_priv->crypto_sess == NULL) { + /* rte_errno is set as positive values of error codes */ + return -rte_errno; + } + + rte_cryptodev_sym_session_opaque_data_set(en_priv->crypto_sess, (uint64_t)entity); + return 0; } void pdcp_crypto_sess_destroy(struct rte_pdcp_entity *entity) { - RTE_SET_USED(entity); + struct entity_priv *en_priv; + + en_priv = entity_priv_get(entity); + + if (en_priv->crypto_sess != NULL) { + rte_cryptodev_sym_session_free(en_priv->dev_id, en_priv->crypto_sess); + en_priv->crypto_sess = NULL; + } } diff --git a/lib/pdcp/pdcp_crypto.h b/lib/pdcp/pdcp_crypto.h index 6563331d37..f694818713 100644 --- a/lib/pdcp/pdcp_crypto.h +++ b/lib/pdcp/pdcp_crypto.h @@ -5,8 +5,13 @@ #ifndef PDCP_CRYPTO_H #define PDCP_CRYPTO_H +#include +#include #include +#define PDCP_IV_OFFSET (sizeof(struct rte_crypto_op) + sizeof(struct rte_crypto_sym_op)) +#define PDCP_IV_LEN 16 + int pdcp_crypto_sess_create(struct rte_pdcp_entity *entity, const struct rte_pdcp_entity_conf *conf); -- 2.25.1