From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id B63C1438E9; Wed, 17 Jan 2024 11:33:18 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id AFD704113D; Wed, 17 Jan 2024 11:32:00 +0100 (CET) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id DB6A7410ED for ; Wed, 17 Jan 2024 11:31:57 +0100 (CET) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 40H7jRiZ028483 for ; Wed, 17 Jan 2024 02:31:57 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h= from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding:content-type; s= pfpt0220; bh=JjgJ6g/1vAEVsXtuX7yoRbN+hqx4MEgpzZ6nE7KZA9o=; b=Z9w eTATNUrVOyRDUpMBcJezsGGmRQzeJWbVBz+nF2VTTpD3Ko6QXjqIBrj7X8Jl6spd YHVj/wR9pykf4ybzeF4zRKVfFQFefUZDDyphfHZ9kiyuIQA6rfYzxvk/cX6bHQVo JIuWR2ZzMw74cQfK5nVQUmWTPo4nF8xwiy/qBmk9yyGz2qF7nVAcZYb6X77o9AAH YdzN4x2xgnXG4j8uotdPVRsD7+LJr4ysFE/XaB1Z6RANxF0i8e2P9s5cKQGW5MCq CJg+x6aSa8MUj7EoCGiGqsqmAXD7mbmtEz1Gwf8kmZ3wzYzlh+MbL7TJrdauJXdT 3wIugA62TRPRWT8Ji5Q== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3vpask8f9f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Wed, 17 Jan 2024 02:31:56 -0800 (PST) Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Wed, 17 Jan 2024 02:31:54 -0800 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.48 via Frontend Transport; Wed, 17 Jan 2024 02:31:54 -0800 Received: from BG-LT92004.corp.innovium.com (unknown [10.28.22.179]) by maili.marvell.com (Postfix) with ESMTP id A94CC3F7048; Wed, 17 Jan 2024 02:31:52 -0800 (PST) From: Anoob Joseph To: Akhil Goyal CC: Vidya Sagar Velumuri , Jerin Jacob , Tejasree Kondoj , Subject: [PATCH v3 17/24] crypto/cnxk: add TLS capability Date: Wed, 17 Jan 2024 16:01:02 +0530 Message-ID: <20240117103109.922-18-anoobj@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240117103109.922-1-anoobj@marvell.com> References: <20240102045417.115-1-anoobj@marvell.com> <20240117103109.922-1-anoobj@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-ORIG-GUID: Izs2va5ArPvUv4LV-Y1JF6GPJnYBUa2g X-Proofpoint-GUID: Izs2va5ArPvUv4LV-Y1JF6GPJnYBUa2g X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.997,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-01-17_05,2024-01-17_01,2023-05-22_02 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org From: Vidya Sagar Velumuri Add TLS 1.2 record read and write capability. Add DTLS 1.2 record read and write capability. Signed-off-by: Anoob Joseph Signed-off-by: Vidya Sagar Velumuri --- doc/guides/rel_notes/release_24_03.rst | 2 + drivers/common/cnxk/hw/cpt.h | 3 +- drivers/crypto/cnxk/cnxk_cryptodev.h | 12 +- .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 210 ++++++++++++++++++ 4 files changed, 223 insertions(+), 4 deletions(-) diff --git a/doc/guides/rel_notes/release_24_03.rst b/doc/guides/rel_notes/release_24_03.rst index eb63728cfd..1fd87500ab 100644 --- a/doc/guides/rel_notes/release_24_03.rst +++ b/doc/guides/rel_notes/release_24_03.rst @@ -58,6 +58,8 @@ New Features * **Updated Marvell cnxk crypto driver.** * Added support for Rx inject in crypto_cn10k. + * Added support for TLS record processing in crypto_cn10k. Supports TLS 1.2 + and DTLS 1.2. Removed Items diff --git a/drivers/common/cnxk/hw/cpt.h b/drivers/common/cnxk/hw/cpt.h index edab8a5d83..2620965606 100644 --- a/drivers/common/cnxk/hw/cpt.h +++ b/drivers/common/cnxk/hw/cpt.h @@ -80,7 +80,8 @@ union cpt_eng_caps { uint64_t __io sg_ver2 : 1; uint64_t __io sm2 : 1; uint64_t __io pdcp_chain_zuc256 : 1; - uint64_t __io reserved_38_63 : 26; + uint64_t __io tls : 1; + uint64_t __io reserved_39_63 : 25; }; }; diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index 6f21d91812..45d01b94b3 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -11,9 +11,11 @@ #include "roc_ae.h" #include "roc_cpt.h" -#define CNXK_CPT_MAX_CAPS 55 -#define CNXK_SEC_IPSEC_CRYPTO_MAX_CAPS 16 -#define CNXK_SEC_MAX_CAPS 9 +#define CNXK_CPT_MAX_CAPS 55 +#define CNXK_SEC_IPSEC_CRYPTO_MAX_CAPS 16 +#define CNXK_SEC_TLS_1_3_CRYPTO_MAX_CAPS 2 +#define CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS 6 +#define CNXK_SEC_MAX_CAPS 17 /** * Device private data @@ -25,6 +27,10 @@ struct cnxk_cpt_vf { struct roc_cpt cpt; struct rte_cryptodev_capabilities crypto_caps[CNXK_CPT_MAX_CAPS]; struct rte_cryptodev_capabilities sec_ipsec_crypto_caps[CNXK_SEC_IPSEC_CRYPTO_MAX_CAPS]; + struct rte_cryptodev_capabilities sec_tls_1_3_crypto_caps[CNXK_SEC_TLS_1_3_CRYPTO_MAX_CAPS]; + struct rte_cryptodev_capabilities sec_tls_1_2_crypto_caps[CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS]; + struct rte_cryptodev_capabilities + sec_dtls_1_2_crypto_caps[CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS]; struct rte_security_capability sec_caps[CNXK_SEC_MAX_CAPS]; uint64_t cnxk_fpm_iova[ROC_AE_EC_ID_PMAX]; struct roc_ae_ec_group *ec_grp[ROC_AE_EC_ID_PMAX]; diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index 178f510a63..73100377d9 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -30,6 +30,16 @@ RTE_DIM(sec_ipsec_caps_##name)); \ } while (0) +#define SEC_TLS12_CAPS_ADD(cnxk_caps, cur_pos, hw_caps, name) \ + do { \ + if ((hw_caps[CPT_ENG_TYPE_SE].name) || \ + (hw_caps[CPT_ENG_TYPE_IE].name) || \ + (hw_caps[CPT_ENG_TYPE_AE].name)) \ + sec_tls12_caps_add(cnxk_caps, cur_pos, \ + sec_tls12_caps_##name, \ + RTE_DIM(sec_tls12_caps_##name)); \ + } while (0) + static const struct rte_cryptodev_capabilities caps_mul[] = { { /* RSA */ .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, @@ -1502,6 +1512,125 @@ static const struct rte_cryptodev_capabilities sec_ipsec_caps_null[] = { }, }; +static const struct rte_cryptodev_capabilities sec_tls12_caps_aes[] = { + { /* AES GCM */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD, + {.aead = { + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 16 + }, + .digest_size = { + .min = 16, + .max = 16, + .increment = 0 + }, + .aad_size = { + .min = 13, + .max = 13, + .increment = 0 + }, + .iv_size = { + .min = 12, + .max = 12, + .increment = 0 + } + }, } + }, } + }, + { /* AES CBC */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER, + {.cipher = { + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 8 + }, + .iv_size = { + .min = 16, + .max = 16, + .increment = 0 + } + }, } + }, } + }, +}; + +static const struct rte_cryptodev_capabilities sec_tls12_caps_des[] = { + { /* 3DES CBC */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER, + {.cipher = { + .algo = RTE_CRYPTO_CIPHER_3DES_CBC, + .block_size = 8, + .key_size = { + .min = 24, + .max = 24, + .increment = 0 + }, + .iv_size = { + .min = 8, + .max = 8, + .increment = 0 + } + }, } + }, } + }, +}; + +static const struct rte_cryptodev_capabilities sec_tls12_caps_sha1_sha2[] = { + { /* SHA1 HMAC */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, + {.auth = { + .algo = RTE_CRYPTO_AUTH_SHA1_HMAC, + .block_size = 64, + .key_size = { + .min = 20, + .max = 20, + .increment = 0 + }, + .digest_size = { + .min = 20, + .max = 20, + .increment = 0 + }, + }, } + }, } + }, + { /* SHA256 HMAC */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, + {.auth = { + .algo = RTE_CRYPTO_AUTH_SHA256_HMAC, + .block_size = 64, + .key_size = { + .min = 32, + .max = 32, + .increment = 0 + }, + .digest_size = { + .min = 32, + .max = 32, + .increment = 0 + }, + }, } + }, } + }, +}; + static const struct rte_security_capability sec_caps_templ[] = { { /* IPsec Lookaside Protocol ESP Tunnel Ingress */ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, @@ -1591,6 +1720,46 @@ static const struct rte_security_capability sec_caps_templ[] = { }, .crypto_capabilities = NULL, }, + { /* TLS 1.2 Record Read */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD, + .tls_record = { + .ver = RTE_SECURITY_VERSION_TLS_1_2, + .type = RTE_SECURITY_TLS_SESS_TYPE_READ, + .ar_win_size = 0, + }, + .crypto_capabilities = NULL, + }, + { /* TLS 1.2 Record Write */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD, + .tls_record = { + .ver = RTE_SECURITY_VERSION_TLS_1_2, + .type = RTE_SECURITY_TLS_SESS_TYPE_WRITE, + .ar_win_size = 0, + }, + .crypto_capabilities = NULL, + }, + { /* DTLS 1.2 Record Read */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD, + .tls_record = { + .ver = RTE_SECURITY_VERSION_DTLS_1_2, + .type = RTE_SECURITY_TLS_SESS_TYPE_READ, + .ar_win_size = 0, + }, + .crypto_capabilities = NULL, + }, + { /* DTLS 1.2 Record Write */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD, + .tls_record = { + .ver = RTE_SECURITY_VERSION_DTLS_1_2, + .type = RTE_SECURITY_TLS_SESS_TYPE_WRITE, + .ar_win_size = 0, + }, + .crypto_capabilities = NULL, + }, { .action = RTE_SECURITY_ACTION_TYPE_NONE } @@ -1807,6 +1976,35 @@ cn9k_sec_ipsec_caps_update(struct rte_security_capability *sec_cap) sec_cap->ipsec.options.esn = 1; } +static void +sec_tls12_caps_limit_check(int *cur_pos, int nb_caps) +{ + PLT_VERIFY(*cur_pos + nb_caps <= CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS); +} + +static void +sec_tls12_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos, + const struct rte_cryptodev_capabilities *caps, int nb_caps) +{ + sec_tls12_caps_limit_check(cur_pos, nb_caps); + + memcpy(&cnxk_caps[*cur_pos], caps, nb_caps * sizeof(caps[0])); + *cur_pos += nb_caps; +} + +static void +sec_tls12_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[], + union cpt_eng_caps *hw_caps) +{ + int cur_pos = 0; + + SEC_TLS12_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, aes); + SEC_TLS12_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, des); + SEC_TLS12_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, sha1_sha2); + + sec_tls12_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end)); +} + void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) { @@ -1815,6 +2013,11 @@ cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) crypto_caps_populate(vf->crypto_caps, vf->cpt.hw_caps); sec_ipsec_crypto_caps_populate(vf->sec_ipsec_crypto_caps, vf->cpt.hw_caps); + if (vf->cpt.hw_caps[CPT_ENG_TYPE_SE].tls) { + sec_tls12_crypto_caps_populate(vf->sec_tls_1_2_crypto_caps, vf->cpt.hw_caps); + sec_tls12_crypto_caps_populate(vf->sec_dtls_1_2_crypto_caps, vf->cpt.hw_caps); + } + PLT_STATIC_ASSERT(RTE_DIM(sec_caps_templ) <= RTE_DIM(vf->sec_caps)); memcpy(vf->sec_caps, sec_caps_templ, sizeof(sec_caps_templ)); @@ -1830,6 +2033,13 @@ cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) if (roc_model_is_cn9k()) cn9k_sec_ipsec_caps_update(&vf->sec_caps[i]); + } else if (vf->sec_caps[i].protocol == RTE_SECURITY_PROTOCOL_TLS_RECORD) { + if (vf->sec_caps[i].tls_record.ver == RTE_SECURITY_VERSION_TLS_1_3) + vf->sec_caps[i].crypto_capabilities = vf->sec_tls_1_3_crypto_caps; + else if (vf->sec_caps[i].tls_record.ver == RTE_SECURITY_VERSION_DTLS_1_2) + vf->sec_caps[i].crypto_capabilities = vf->sec_dtls_1_2_crypto_caps; + else + vf->sec_caps[i].crypto_capabilities = vf->sec_tls_1_2_crypto_caps; } } } -- 2.25.1