[PATCH 1/9] common/dpaax: fix invalid key command error

[PATCH 1/9] common/dpaax: fix invalid key command error

[Gagandeep Singh]

Due to race between KEY loading to CAAM’s internal memory
and initiating crypto operations can SEC errors in PDCP
AES algo combinations.
To mitigate this, adding CALM instruction in SN 12bit case
and using older version of descriptor for SN 18bit case.

Fixes: 6127fff842a7 ("common/dpaax: remove outdated caamflib code")
Cc: franck.lenormand@nxp.com
Cc: stable@dpdk.org

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
 drivers/common/dpaax/caamflib/desc/pdcp.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/common/dpaax/caamflib/desc/pdcp.h b/drivers/common/dpaax/caamflib/desc/pdcp.h
index 9ada3905c5..f4379ede2c 100644
--- a/drivers/common/dpaax/caamflib/desc/pdcp.h
+++ b/drivers/common/dpaax/caamflib/desc/pdcp.h
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: BSD-3-Clause or GPL-2.0+
  * Copyright 2008-2013 Freescale Semiconductor, Inc.
- * Copyright 2019-2023 NXP
+ * Copyright 2019-2025 NXP
  */
 
 #ifndef __DESC_PDCP_H__
@@ -1981,8 +1981,7 @@ pdcp_insert_uplane_no_int_op(struct program *p,
 	KEY(p, KEY1, cipherdata->key_enc_flags, cipherdata->key,
 	    cipherdata->keylen, INLINE_KEY(cipherdata));
 
-	if ((sn_size == PDCP_SN_SIZE_15) ||
-			(rta_sec_era >= RTA_SEC_ERA_10)) {
+	if (sn_size == PDCP_SN_SIZE_15) {
 		PROTOCOL(p, dir, OP_PCLID_LTE_PDCP_USER,
 			 (uint16_t)cipherdata->algtype);
 		return 0;
@@ -2747,6 +2746,7 @@ cnstr_shdsc_pdcp_u_plane_encap(uint32_t *descbuf,
 			    (uint64_t)cipherdata->key, cipherdata->keylen,
 			    INLINE_KEY(cipherdata));
 
+			JUMP(p, 1, LOCAL_JUMP, ALL_TRUE, CALM);
 			if (authdata)
 				PROTOCOL(p, OP_TYPE_ENCAP_PROTOCOL,
 					 OP_PCLID_LTE_PDCP_USER_RN,
-- 
2.25.1

[PATCH 2/9] common/dpaax: fix for PDCP AES only 12bit SN case

[Gagandeep Singh]

This workaround fixes the invalid key command SEC error.
Fixes: 6127fff842a7 ("common/dpaax: remove outdated caamflib code")
Cc: franck.lenormand@nxp.com
Cc: stable@dpdk.org

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
 drivers/common/dpaax/caamflib/desc/pdcp.h | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/drivers/common/dpaax/caamflib/desc/pdcp.h b/drivers/common/dpaax/caamflib/desc/pdcp.h
index f4379ede2c..c90eff26a8 100644
--- a/drivers/common/dpaax/caamflib/desc/pdcp.h
+++ b/drivers/common/dpaax/caamflib/desc/pdcp.h
@@ -619,7 +619,7 @@ pdcp_insert_cplane_enc_only_op(struct program *p,
 	KEY(p, KEY1, cipherdata->key_enc_flags, cipherdata->key,
 	    cipherdata->keylen, INLINE_KEY(cipherdata));
 
-	if ((sn_size != PDCP_SN_SIZE_18 &&
+	if ((authdata && sn_size != PDCP_SN_SIZE_18 &&
 			!(rta_sec_era == RTA_SEC_ERA_8 &&
 				authdata->algtype == 0))
 			|| (rta_sec_era == RTA_SEC_ERA_10)) {
@@ -631,6 +631,7 @@ pdcp_insert_cplane_enc_only_op(struct program *p,
 				 (uint16_t)cipherdata->algtype << 8);
 		return 0;
 	}
+
 	/* Non-proto is supported only for 5bit cplane and 18bit uplane */
 	switch (sn_size) {
 	case PDCP_SN_SIZE_5:
@@ -2719,7 +2720,7 @@ cnstr_shdsc_pdcp_u_plane_encap(uint32_t *descbuf,
 		case PDCP_CIPHER_TYPE_AES:
 		case PDCP_CIPHER_TYPE_SNOW:
 		case PDCP_CIPHER_TYPE_NULL:
-			if (rta_sec_era == RTA_SEC_ERA_8 &&
+			if (rta_sec_era >= RTA_SEC_ERA_8 &&
 					authdata && authdata->algtype == 0){
 				err = pdcp_insert_uplane_with_int_op(p, swap,
 						cipherdata, authdata,
@@ -2729,6 +2730,17 @@ cnstr_shdsc_pdcp_u_plane_encap(uint32_t *descbuf,
 					return err;
 				break;
 			}
+			if (rta_sec_era >= RTA_SEC_ERA_8 &&
+					cipherdata->algtype == PDCP_CIPHER_TYPE_AES
+					&& !authdata
+					&& sn_size == PDCP_SN_SIZE_12) {
+				err = pdcp_insert_cplane_enc_only_op(p, swap, cipherdata,
+						authdata,
+						OP_TYPE_ENCAP_PROTOCOL, sn_size);
+				if (err)
+					return err;
+				break;
+			}
 
 			if (pdb_type != PDCP_PDB_TYPE_FULL_PDB) {
 				pr_err("PDB type must be FULL for PROTO desc\n");
-- 
2.25.1

[PATCH 3/9] common/dpaax: support 12bit SN in pdcp uplane

[Gagandeep Singh]

update pdcp_insert_uplane_no_int_op() to support 12bit SN size

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
 drivers/common/dpaax/caamflib/desc/pdcp.h | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/drivers/common/dpaax/caamflib/desc/pdcp.h b/drivers/common/dpaax/caamflib/desc/pdcp.h
index c90eff26a8..55159d53f0 100644
--- a/drivers/common/dpaax/caamflib/desc/pdcp.h
+++ b/drivers/common/dpaax/caamflib/desc/pdcp.h
@@ -1988,10 +1988,10 @@ pdcp_insert_uplane_no_int_op(struct program *p,
 		return 0;
 	}
 
-	if (sn_size == PDCP_SN_SIZE_15) {
+	if (sn_size == PDCP_SN_SIZE_12) {
 		SEQLOAD(p, MATH0, 6, 2, 0);
-		sn_mask = (swap == false) ? PDCP_U_PLANE_15BIT_SN_MASK :
-					PDCP_U_PLANE_15BIT_SN_MASK_BE;
+		sn_mask = (swap == false) ? PDCP_12BIT_SN_MASK :
+			PDCP_12BIT_SN_MASK_BE;
 	} else { /* SN Size == PDCP_SN_SIZE_18 */
 		SEQLOAD(p, MATH0, 5, 3, 0);
 		sn_mask = (swap == false) ? PDCP_U_PLANE_18BIT_SN_MASK :
@@ -2000,7 +2000,7 @@ pdcp_insert_uplane_no_int_op(struct program *p,
 	JUMP(p, 1, LOCAL_JUMP, ALL_TRUE, CALM);
 	MATHB(p, MATH0, AND, sn_mask, MATH1, 8, IFB | IMMED2);
 
-	if (sn_size == PDCP_SN_SIZE_15)
+	if (sn_size == PDCP_SN_SIZE_12)
 		SEQSTORE(p, MATH0, 6, 2, 0);
 	else /* SN Size == PDCP_SN_SIZE_18 */
 		SEQSTORE(p, MATH0, 5, 3, 0);
@@ -2047,7 +2047,7 @@ pdcp_insert_uplane_no_int_op(struct program *p,
 
 	default:
 		pr_err("%s: Invalid encrypt algorithm selected: %d\n",
-		       "pdcp_insert_uplane_15bit_op", cipherdata->algtype);
+		       "pdcp_insert_uplane_no_int_op", cipherdata->algtype);
 		return -EINVAL;
 	}
 
@@ -2734,8 +2734,7 @@ cnstr_shdsc_pdcp_u_plane_encap(uint32_t *descbuf,
 					cipherdata->algtype == PDCP_CIPHER_TYPE_AES
 					&& !authdata
 					&& sn_size == PDCP_SN_SIZE_12) {
-				err = pdcp_insert_cplane_enc_only_op(p, swap, cipherdata,
-						authdata,
+				err = pdcp_insert_uplane_no_int_op(p, swap, cipherdata,
 						OP_TYPE_ENCAP_PROTOCOL, sn_size);
 				if (err)
 					return err;
-- 
2.25.1

Re: [PATCH 3/9] common/dpaax: support 12bit SN in pdcp uplane

[Hemant Agrawal]

On 20-05-2025 11:21, Gagandeep Singh wrote:
> update pdcp_insert_uplane_no_int_op() to support 12bit SN size
>
> Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
> ---
>   drivers/common/dpaax/caamflib/desc/pdcp.h | 13 ++++++-------
>   1 file changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/common/dpaax/caamflib/desc/pdcp.h b/drivers/common/dpaax/caamflib/desc/pdcp.h
> index c90eff26a8..55159d53f0 100644
> --- a/drivers/common/dpaax/caamflib/desc/pdcp.h
> +++ b/drivers/common/dpaax/caamflib/desc/pdcp.h
> @@ -1988,10 +1988,10 @@ pdcp_insert_uplane_no_int_op(struct program *p,
>   		return 0;
>   	}
>   
> -	if (sn_size == PDCP_SN_SIZE_15) {
> +	if (sn_size == PDCP_SN_SIZE_12) {
>   		SEQLOAD(p, MATH0, 6, 2, 0);
> -		sn_mask = (swap == false) ? PDCP_U_PLANE_15BIT_SN_MASK :
> -					PDCP_U_PLANE_15BIT_SN_MASK_BE;
> +		sn_mask = (swap == false) ? PDCP_12BIT_SN_MASK :
> +			PDCP_12BIT_SN_MASK_BE;
how the 15 bit will be handled now?
>   	} else { /* SN Size == PDCP_SN_SIZE_18 */
>   		SEQLOAD(p, MATH0, 5, 3, 0);
>   		sn_mask = (swap == false) ? PDCP_U_PLANE_18BIT_SN_MASK :
> @@ -2000,7 +2000,7 @@ pdcp_insert_uplane_no_int_op(struct program *p,
>   	JUMP(p, 1, LOCAL_JUMP, ALL_TRUE, CALM);
>   	MATHB(p, MATH0, AND, sn_mask, MATH1, 8, IFB | IMMED2);
>   
> -	if (sn_size == PDCP_SN_SIZE_15)
> +	if (sn_size == PDCP_SN_SIZE_12)
>   		SEQSTORE(p, MATH0, 6, 2, 0);
>   	else /* SN Size == PDCP_SN_SIZE_18 */
>   		SEQSTORE(p, MATH0, 5, 3, 0);
> @@ -2047,7 +2047,7 @@ pdcp_insert_uplane_no_int_op(struct program *p,
>   
>   	default:
>   		pr_err("%s: Invalid encrypt algorithm selected: %d\n",
> -		       "pdcp_insert_uplane_15bit_op", cipherdata->algtype);
> +		       "pdcp_insert_uplane_no_int_op", cipherdata->algtype);

Why not use DPDK LOG APIs?

also, why not use __func__ ?

>   		return -EINVAL;
>   	}
>   
> @@ -2734,8 +2734,7 @@ cnstr_shdsc_pdcp_u_plane_encap(uint32_t *descbuf,
>   					cipherdata->algtype == PDCP_CIPHER_TYPE_AES
>   					&& !authdata
>   					&& sn_size == PDCP_SN_SIZE_12) {
> -				err = pdcp_insert_cplane_enc_only_op(p, swap, cipherdata,
> -						authdata,
> +				err = pdcp_insert_uplane_no_int_op(p, swap, cipherdata,
>   						OP_TYPE_ENCAP_PROTOCOL, sn_size);
>   				if (err)
>   					return err;

[PATCH 4/9] crypto/dpaa2_sec: change custom device API to standard

[Gagandeep Singh]

Replacing existing device creation and deletion code in probe and
remove functions with rte_cryptodev_pmd_create() and
rte_cryptodev_pmd_destroy() APIs provided by the DPDK library,
simplifying drivers initialization and teardown.

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 38 +++++++------------
 drivers/crypto/dpaa_sec/dpaa_sec.c          | 42 +++++++--------------
 2 files changed, 27 insertions(+), 53 deletions(-)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 0ccadecff4..925d2709d2 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: BSD-3-Clause
  *
  *   Copyright (c) 2016 Freescale Semiconductor, Inc. All rights reserved.
- *   Copyright 2016-2023 NXP
+ *   Copyright 2016-2025 NXP
  *
  */
 
@@ -4413,33 +4413,27 @@ cryptodev_dpaa2_sec_probe(struct rte_dpaa2_driver *dpaa2_drv __rte_unused,
 {
 	struct rte_cryptodev *cryptodev;
 	char cryptodev_name[RTE_CRYPTODEV_NAME_MAX_LEN];
-
 	int retval;
+	struct rte_cryptodev_pmd_init_params init_params = {
+		.name = "",
+		.private_data_size = sizeof(struct dpaa2_sec_dev_private),
+		.socket_id = rte_socket_id(),
+		.max_nb_queue_pairs =
+			RTE_CRYPTODEV_PMD_DEFAULT_MAX_NB_QUEUE_PAIRS,
+			/* setting default, will be updated in init. */
+	};
 
 	snprintf(cryptodev_name, sizeof(cryptodev_name), "dpsec-%d",
 			dpaa2_dev->object_id);
 
-	cryptodev = rte_cryptodev_pmd_allocate(cryptodev_name, rte_socket_id());
-	if (cryptodev == NULL)
+	cryptodev = rte_cryptodev_pmd_create(cryptodev_name, &dpaa2_dev->device,
+			&init_params);
+	if (cryptodev == NULL) {
+		DPAA2_SEC_ERR("failed to create cryptodev vdev");
 		return -ENOMEM;
-
-	if (rte_eal_process_type() == RTE_PROC_PRIMARY) {
-		cryptodev->data->dev_private = rte_zmalloc_socket(
-					"cryptodev private structure",
-					sizeof(struct dpaa2_sec_dev_private),
-					RTE_CACHE_LINE_SIZE,
-					rte_socket_id());
-
-		if (cryptodev->data->dev_private == NULL)
-			rte_panic("Cannot allocate memzone for private "
-				  "device data");
 	}
 
 	dpaa2_dev->cryptodev = cryptodev;
-	cryptodev->device = &dpaa2_dev->device;
-
-	/* init user callbacks */
-	TAILQ_INIT(&(cryptodev->link_intr_cbs));
 
 	if (dpaa2_svr_family == SVR_LX2160A)
 		rta_set_sec_era(RTA_SEC_ERA_10);
@@ -4454,11 +4448,7 @@ cryptodev_dpaa2_sec_probe(struct rte_dpaa2_driver *dpaa2_drv __rte_unused,
 		rte_cryptodev_pmd_probing_finish(cryptodev);
 		return 0;
 	}
-
-	if (rte_eal_process_type() == RTE_PROC_PRIMARY)
-		rte_free(cryptodev->data->dev_private);
-
-	cryptodev->attached = RTE_CRYPTODEV_DETACHED;
+	rte_cryptodev_pmd_destroy(cryptodev);
 
 	return -ENXIO;
 }
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index bcea4ff3ab..58d691d8a6 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: BSD-3-Clause
  *
  *   Copyright (c) 2016 Freescale Semiconductor, Inc. All rights reserved.
- *   Copyright 2017-2024 NXP
+ *   Copyright 2017-2025 NXP
  *
  */
 
@@ -3614,16 +3614,10 @@ static const struct rte_security_ops dpaa_sec_security_ops = {
 static int
 dpaa_sec_uninit(struct rte_cryptodev *dev)
 {
-	struct dpaa_sec_dev_private *internals;
-
 	if (dev == NULL)
 		return -ENODEV;
 
-	internals = dev->data->dev_private;
 	rte_free(dev->security_ctx);
-
-	rte_free(internals);
-
 	DPAA_SEC_INFO("Closing DPAA_SEC device %s on numa socket %u",
 		      dev->data->name, rte_socket_id());
 
@@ -3780,33 +3774,26 @@ cryptodev_dpaa_sec_probe(struct rte_dpaa_driver *dpaa_drv __rte_unused,
 {
 	struct rte_cryptodev *cryptodev;
 	char cryptodev_name[RTE_CRYPTODEV_NAME_MAX_LEN];
-
 	int retval;
+	struct rte_cryptodev_pmd_init_params init_params = {
+		.name = "",
+		.private_data_size = sizeof(struct dpaa_sec_dev_private),
+		.socket_id = rte_socket_id(),
+		.max_nb_queue_pairs =
+			RTE_DPAA_MAX_NB_SEC_QPS,
+	};
 
 	if (rte_eal_process_type() != RTE_PROC_PRIMARY)
 		return 0;
 
 	snprintf(cryptodev_name, sizeof(cryptodev_name), "%s", dpaa_dev->name);
 
-	cryptodev = rte_cryptodev_pmd_allocate(cryptodev_name, rte_socket_id());
-	if (cryptodev == NULL)
+	cryptodev = rte_cryptodev_pmd_create(cryptodev_name, &dpaa_dev->device, &init_params);
+	if (cryptodev == NULL) {
+		DPAA_SEC_ERR("failed to create cryptodev vdev");
 		return -ENOMEM;
-
-	cryptodev->data->dev_private = rte_zmalloc_socket(
-				"cryptodev private structure",
-				sizeof(struct dpaa_sec_dev_private),
-				RTE_CACHE_LINE_SIZE,
-				rte_socket_id());
-
-	if (cryptodev->data->dev_private == NULL)
-		rte_panic("Cannot allocate memzone for private "
-				"device data");
-
+	}
 	dpaa_dev->crypto_dev = cryptodev;
-	cryptodev->device = &dpaa_dev->device;
-
-	/* init user callbacks */
-	TAILQ_INIT(&(cryptodev->link_intr_cbs));
 
 	/* if sec device version is not configured */
 	if (!rta_get_sec_era()) {
@@ -3841,10 +3828,7 @@ cryptodev_dpaa_sec_probe(struct rte_dpaa_driver *dpaa_drv __rte_unused,
 
 	retval = -ENXIO;
 out:
-	/* In case of error, cleanup is done */
-	rte_free(cryptodev->data->dev_private);
-
-	rte_cryptodev_pmd_release_device(cryptodev);
+	rte_cryptodev_pmd_destroy(cryptodev);
 
 	return retval;
 }
-- 
2.25.1

[PATCH 5/9] crypto/dpaa2_sec: fix coverity Issues

[Gagandeep Singh]

From: Vanshika Shukla <vanshika.shukla@nxp.com>

Fixes the uninitialized variable issue - reported by NXP internal
coverity.

Fixes: 1182b364312c ("crypto/dpaax_sec: set authdata in non-auth case")
Cc: g.singh@nxp.com
Cc: stable@dpdk.org

Signed-off-by: Vanshika Shukla <vanshika.shukla@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 925d2709d2..5995eb58d8 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -3576,6 +3576,7 @@ dpaa2_sec_set_pdcp_session(struct rte_cryptodev *dev,
 		session->auth_key.data = NULL;
 		session->auth_key.length = 0;
 		session->auth_alg = 0;
+		authdata.algtype = PDCP_AUTH_TYPE_NULL;
 	}
 	authdata.key = (size_t)session->auth_key.data;
 	authdata.keylen = session->auth_key.length;
-- 
2.25.1

[PATCH 6/9] crypto/dpaa2_sec: add null algo capability

[Gagandeep Singh]

This patch adds NULL algo capabilities.

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 41 +++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
index 1c0bc3d6de..e9b601c035 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
@@ -227,6 +227,27 @@ typedef struct dpaa2_sec_session_entry {
 
 static const struct rte_cryptodev_capabilities dpaa2_sec_capabilities[] = {
 	/* Symmetric capabilities */
+	{	/* NULL (AUTH) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_NULL,
+				.block_size = 1,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.iv_size = { 0 }
+			}, },
+		}, },
+	},
 	{	/* MD5 */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
@@ -553,6 +574,26 @@ static const struct rte_cryptodev_capabilities dpaa2_sec_capabilities[] = {
 			}, }
 		}, }
 	},
+	{	/* NULL (CIPHER) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_NULL,
+				.block_size = 1,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.iv_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				}
+			}, },
+		}, }
+	},
 	{	/* AES CBC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
-- 
2.25.1

Re: [PATCH 6/9] crypto/dpaa2_sec: add null algo capability

[Hemant Agrawal]

On 20-05-2025 11:21, Gagandeep Singh wrote:
> This patch adds NULL algo capabilities.
Do you also need to update documentation for the same?
>
> Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
> ---
>   drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 41 +++++++++++++++++++++++
>   1 file changed, 41 insertions(+)
>
> diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
> index 1c0bc3d6de..e9b601c035 100644
> --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
> +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
> @@ -227,6 +227,27 @@ typedef struct dpaa2_sec_session_entry {
>   
>   static const struct rte_cryptodev_capabilities dpaa2_sec_capabilities[] = {
>   	/* Symmetric capabilities */
> +	{	/* NULL (AUTH) */
> +		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
> +		{.sym = {
> +			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
> +			{.auth = {
> +				.algo = RTE_CRYPTO_AUTH_NULL,
> +				.block_size = 1,
> +				.key_size = {
> +					.min = 0,
> +					.max = 0,
> +					.increment = 0
> +				},
> +				.digest_size = {
> +					.min = 0,
> +					.max = 0,
> +					.increment = 0
> +				},
> +				.iv_size = { 0 }
> +			}, },
> +		}, },
> +	},
>   	{	/* MD5 */
>   		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
>   		{.sym = {
> @@ -553,6 +574,26 @@ static const struct rte_cryptodev_capabilities dpaa2_sec_capabilities[] = {
>   			}, }
>   		}, }
>   	},
> +	{	/* NULL (CIPHER) */
> +		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
> +		{.sym = {
> +			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
> +			{.cipher = {
> +				.algo = RTE_CRYPTO_CIPHER_NULL,
> +				.block_size = 1,
> +				.key_size = {
> +					.min = 0,
> +					.max = 0,
> +					.increment = 0
> +				},
> +				.iv_size = {
> +					.min = 0,
> +					.max = 0,
> +					.increment = 0
> +				}
> +			}, },
> +		}, }
> +	},
>   	{	/* AES CBC */
>   		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
>   		{.sym = {

[PATCH 7/9] net/dpaa2: configure buffer layout

[Gagandeep Singh]

From: Jun Yang <jun.yang@nxp.com>

Make header room big enough for IPSec with TX dynamic confirm enabled.
Ingress minimum header room:
64(size of parser result) + 8(address of SEC context) * 2.
Egress minimum header room:
88(FAEAD offset) + 8(FAEAD size) + 8(address of SEC context) * 2 +
114(expansion).

Signed-off-by: Jun Yang <jun.yang@nxp.com>
---
 drivers/bus/fslmc/portal/dpaa2_hw_pvt.h      | 10 ++++++++++
 drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h    |  4 +---
 drivers/net/dpaa2/base/dpaa2_hw_dpni.c       | 18 ++++++++++++++++--
 drivers/net/dpaa2/base/dpaa2_hw_dpni_annot.h |  6 ++++++
 drivers/net/dpaa2/dpaa2_ethdev.h             |  6 +++++-
 5 files changed, 38 insertions(+), 6 deletions(-)

diff --git a/drivers/bus/fslmc/portal/dpaa2_hw_pvt.h b/drivers/bus/fslmc/portal/dpaa2_hw_pvt.h
index be0719aac6..10bc191645 100644
--- a/drivers/bus/fslmc/portal/dpaa2_hw_pvt.h
+++ b/drivers/bus/fslmc/portal/dpaa2_hw_pvt.h
@@ -84,6 +84,16 @@
 #define DPAA2_INVALID_FLOW_ID 0xffff
 #define DPAA2_INVALID_CGID 0xff
 
+#define SEC_FLC_DHR_OUTBOUND	(-114)
+#define SEC_FLC_DHR_INBOUND	0
+
+/** Consider aligning with 8 bytes to multiply point size with 2.*/
+#define DPAA2_SEC_SIMPLE_FD_OB_MIN \
+	((-SEC_FLC_DHR_OUTBOUND) + sizeof(void *) * 2)
+
+#define DPAA2_SEC_SIMPLE_FD_IB_MIN \
+	((-SEC_FLC_DHR_INBOUND) + sizeof(void *) * 2)
+
 struct dpaa2_queue;
 
 struct eqresp_metadata {
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
index e9b601c035..755c8e9cc3 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: BSD-3-Clause
  *
  *   Copyright (c) 2016 Freescale Semiconductor, Inc. All rights reserved.
- *   Copyright 2016,2020-2023 NXP
+ *   Copyright 2016,2020-2024 NXP
  *
  */
 
@@ -20,8 +20,6 @@ extern uint8_t cryptodev_driver_id;
 #define FLE_POOL_BUF_SIZE	256
 #define FLE_POOL_CACHE_SIZE	512
 #define FLE_SG_MEM_SIZE(num)	(FLE_POOL_BUF_SIZE + ((num) * 32))
-#define SEC_FLC_DHR_OUTBOUND	-114
-#define SEC_FLC_DHR_INBOUND	0
 
 #define MAX_QUEUES		64
 #define MAX_DESC_SIZE		64
diff --git a/drivers/net/dpaa2/base/dpaa2_hw_dpni.c b/drivers/net/dpaa2/base/dpaa2_hw_dpni.c
index 8d00a86032..b1d473429a 100644
--- a/drivers/net/dpaa2/base/dpaa2_hw_dpni.c
+++ b/drivers/net/dpaa2/base/dpaa2_hw_dpni.c
@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: BSD-3-Clause
  *
  *   Copyright (c) 2016 Freescale Semiconductor, Inc. All rights reserved.
- *   Copyright 2016-2021 NXP
+ *   Copyright 2016-2021,2023-2024 NXP
  *
  */
 
@@ -492,7 +492,21 @@ dpaa2_attach_bp_list(struct dpaa2_dev_priv *priv,
 	 */
 
 	/* ... rx buffer layout ... */
-	tot_size = RTE_PKTMBUF_HEADROOM;
+	if (priv->flags & DPAA2_TX_DYNAMIC_CONF_ENABLE) {
+		int out_min_hdr_room, in_min_hdr_room;
+		/** Additional headroom layout for IPSec with TX configure
+		 * dynamic enabled.
+		 */
+		in_min_hdr_room = DPAA2_RX_MIN_FD_OFFSET +
+			DPAA2_SEC_SIMPLE_FD_IB_MIN;
+		out_min_hdr_room = DPAA2_DYN_TX_MIN_FD_OFFSET +
+			DPAA2_SEC_SIMPLE_FD_OB_MIN;
+		tot_size = RTE_MAX(in_min_hdr_room, out_min_hdr_room);
+		if (tot_size < RTE_PKTMBUF_HEADROOM)
+			tot_size = RTE_PKTMBUF_HEADROOM;
+	} else {
+		tot_size = RTE_PKTMBUF_HEADROOM;
+	}
 	tot_size = RTE_ALIGN_CEIL(tot_size, DPAA2_PACKET_LAYOUT_ALIGN);
 
 	memset(&layout, 0, sizeof(struct dpni_buffer_layout));
diff --git a/drivers/net/dpaa2/base/dpaa2_hw_dpni_annot.h b/drivers/net/dpaa2/base/dpaa2_hw_dpni_annot.h
index fb026d6e49..d156b07087 100644
--- a/drivers/net/dpaa2/base/dpaa2_hw_dpni_annot.h
+++ b/drivers/net/dpaa2/base/dpaa2_hw_dpni_annot.h
@@ -253,6 +253,9 @@ struct dpaa2_annot_hdr {
 #define PARSE_ERROR_CODE(var)		((uint64_t)(var) & 0xFF00000000000000)
 #define SOFT_PARSING_CONTEXT(var)	((uint64_t)(var) & 0x00FFFFFFFFFFFFFF)
 
+#define DPAA2_RX_MIN_FD_OFFSET \
+	(DPAA2_FD_PTA_SIZE + sizeof(struct dpaa2_annot_hdr))
+
 /*FAEAD offset in anmotation area*/
 #define DPAA2_FD_HW_ANNOT_FAEAD_OFFSET	0x58
 
@@ -261,6 +264,9 @@ struct dpaa2_faead {
 	uint32_t ctrl;
 };
 
+#define DPAA2_DYN_TX_MIN_FD_OFFSET \
+	(DPAA2_FD_HW_ANNOT_FAEAD_OFFSET + sizeof(struct dpaa2_faead))
+
 /*FAEAD bits */
 /*A2 OMB contains valid data*/
 #define DPAA2_ANNOT_FAEAD_A2V		0x20000000
diff --git a/drivers/net/dpaa2/dpaa2_ethdev.h b/drivers/net/dpaa2/dpaa2_ethdev.h
index fd3119247a..b9dd9b22fd 100644
--- a/drivers/net/dpaa2/dpaa2_ethdev.h
+++ b/drivers/net/dpaa2/dpaa2_ethdev.h
@@ -70,8 +70,12 @@
 /* Disable RX tail drop, default is enable */
 #define DPAA2_RX_TAILDROP_OFF	0x04
 /* Tx confirmation enabled */
-#define DPAA2_TX_CONF_ENABLE	0x06
+#define DPAA2_TX_CONF_ENABLE	0x08
 
+/* Tx dynamic confirmation enabled,
+ * only valid with Tx confirmation enabled.
+ */
+#define DPAA2_TX_DYNAMIC_CONF_ENABLE	0x10
 /* DPDMUX index for DPMAC */
 #define DPAA2_DPDMUX_DPMAC_IDX 0
 
-- 
2.25.1

[PATCH 8/9] mempool/dpaa2: mempool operation index

[Gagandeep Singh]

From: Jun Yang <jun.yang@nxp.com>

For user to identify dpaa2 mempool by operation index.

Signed-off-by: Jun Yang <jun.yang@nxp.com>
---
 drivers/mempool/dpaa2/dpaa2_hw_mempool.c | 20 +++++++++++++++++++-
 drivers/mempool/dpaa2/dpaa2_hw_mempool.h |  5 ++++-
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/drivers/mempool/dpaa2/dpaa2_hw_mempool.c b/drivers/mempool/dpaa2/dpaa2_hw_mempool.c
index 09729d2828..118eb76db7 100644
--- a/drivers/mempool/dpaa2/dpaa2_hw_mempool.c
+++ b/drivers/mempool/dpaa2/dpaa2_hw_mempool.c
@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: BSD-3-Clause
  *
  *   Copyright (c) 2016 Freescale Semiconductor, Inc. All rights reserved.
- *   Copyright 2016-2019 NXP
+ *   Copyright 2016-2019,2022-2025 NXP
  *
  */
 
@@ -38,6 +38,14 @@ RTE_EXPORT_INTERNAL_SYMBOL(rte_dpaa2_bpid_info)
 struct dpaa2_bp_info *rte_dpaa2_bpid_info;
 static struct dpaa2_bp_list *h_bp_list;
 
+static int16_t s_dpaa2_pool_ops_idx = RTE_MEMPOOL_MAX_OPS_IDX;
+
+RTE_EXPORT_INTERNAL_SYMBOL(rte_dpaa2_mpool_get_ops_idx)
+int rte_dpaa2_mpool_get_ops_idx(void)
+{
+	return s_dpaa2_pool_ops_idx;
+}
+
 static int
 rte_hw_mbuf_create_pool(struct rte_mempool *mp)
 {
@@ -119,6 +127,14 @@ rte_hw_mbuf_create_pool(struct rte_mempool *mp)
 	bp_list->buf_pool.dpbp_node = avail_dpbp;
 	/* Identification for our offloaded pool_data structure */
 	bp_list->dpaa2_ops_index = mp->ops_index;
+	if (s_dpaa2_pool_ops_idx == RTE_MEMPOOL_MAX_OPS_IDX) {
+		s_dpaa2_pool_ops_idx = mp->ops_index;
+	} else if (s_dpaa2_pool_ops_idx != mp->ops_index) {
+		DPAA2_MEMPOOL_ERR("Only single ops index only");
+		ret = -EINVAL;
+		goto err4;
+	}
+
 	bp_list->next = h_bp_list;
 	bp_list->mp = mp;
 
@@ -150,6 +166,8 @@ rte_hw_mbuf_create_pool(struct rte_mempool *mp)
 	}
 
 	return 0;
+err4:
+	rte_free(bp_list);
 err3:
 	rte_free(bp_info);
 err2:
diff --git a/drivers/mempool/dpaa2/dpaa2_hw_mempool.h b/drivers/mempool/dpaa2/dpaa2_hw_mempool.h
index 9e21823fb6..8b2718bfa1 100644
--- a/drivers/mempool/dpaa2/dpaa2_hw_mempool.h
+++ b/drivers/mempool/dpaa2/dpaa2_hw_mempool.h
@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: BSD-3-Clause
  *
  *   Copyright (c) 2016 Freescale Semiconductor, Inc. All rights reserved.
- *   Copyright 2016-2019 NXP
+ *   Copyright 2016-2024 NXP
  *
  */
 
@@ -65,4 +65,7 @@ __rte_internal
 int rte_dpaa2_mbuf_alloc_bulk(struct rte_mempool *pool,
 		       void **obj_table, unsigned int count);
 
+__rte_internal
+int rte_dpaa2_mpool_get_ops_idx(void);
+
 #endif /* _DPAA2_HW_DPBP_H_ */
-- 
2.25.1

[PATCH 9/9] crypto/dpaa2_sec: add support for simple IPsec FD

[Gagandeep Singh]

From: Jun Yang <jun.yang@nxp.com>

For IVP mode of simple IPsec FD, store op context point just
before expansion and align with point size(8).
Otherwise, store op context point in offset to mbuf with
rte_mbuf_dynfield register.

Signed-off-by: Jun Yang <jun.yang@nxp.com>
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 143 +++++++++++++++-----
 drivers/crypto/dpaa2_sec/meson.build        |   3 +-
 2 files changed, 108 insertions(+), 38 deletions(-)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 5995eb58d8..6cc42ff5e0 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -35,6 +35,7 @@
 #include "dpaa2_sec_priv.h"
 #include "dpaa2_sec_event.h"
 #include "dpaa2_sec_logs.h"
+#include "dpaa2_hw_dpni_annot.h"
 
 /* RTA header files */
 #include <desc/ipsec.h>
@@ -67,6 +68,14 @@ enum dpaa2_sec_dump_levels {
 uint8_t cryptodev_driver_id;
 uint8_t dpaa2_sec_dp_dump = DPAA2_SEC_DP_ERR_DUMP;
 
+static int s_dpaa2_sec_cntx_pos = -1;
+
+static const struct rte_mbuf_dynfield s_dpaa2_sec_cntx_pos_dyn = {
+	.name = "dpaa2_sec_cntx_pos_dyn",
+	.size = sizeof(void *),
+	.align = alignof(void *),
+};
+
 static inline void
 dpaa2_sec_dp_fd_dump(const struct qbman_fd *fd, uint16_t bpid,
 		     struct rte_mbuf *mbuf, bool tx)
@@ -319,30 +328,58 @@ build_proto_fd(dpaa2_sec_session *sess,
 	       struct qbman_fd *fd, uint16_t bpid, struct dpaa2_sec_qp *qp)
 {
 	struct rte_crypto_sym_op *sym_op = op->sym;
+	struct sec_flow_context *flc;
+	struct ctxt_priv *priv = sess->ctxt;
+	int min_hdr;
+	void **op_context;
+
 	if (sym_op->m_dst)
 		return build_proto_compound_fd(sess, op, fd, bpid, qp);
 
-	struct ctxt_priv *priv = sess->ctxt;
-	struct sec_flow_context *flc;
-	struct rte_mbuf *mbuf = sym_op->m_src;
-
-	if (likely(bpid < MAX_BPID))
-		DPAA2_SET_FD_BPID(fd, bpid);
+	if (sess->dir == DIR_ENC)
+		min_hdr = -SEC_FLC_DHR_OUTBOUND;
 	else
-		DPAA2_SET_FD_IVP(fd);
+		min_hdr = SEC_FLC_DHR_INBOUND;
 
-	/* Save the shared descriptor */
 	flc = &priv->flc_desc[0].flc;
 
+	if (likely(bpid < MAX_BPID)) {
+		if (unlikely(s_dpaa2_sec_cntx_pos < 0)) {
+			DPAA2_SEC_ERR("SEC context position not registered!");
+			return -EINVAL;
+		}
+		op_context = (void *)((uint8_t *)sym_op->m_src +
+			s_dpaa2_sec_cntx_pos);
+		*op_context = op;
+		DPAA2_SET_FD_BPID(fd, bpid);
+	} else {
+		op_context = rte_pktmbuf_mtod_offset(sym_op->m_src,
+			void **, -(min_hdr + sizeof(void *)));
+		op_context = (void **)RTE_ALIGN_FLOOR((uint64_t)op_context,
+			sizeof(void *));
+		if (unlikely((uint64_t)op_context <
+			(uint64_t)sym_op->m_src->buf_addr)) {
+			DPAA2_SEC_ERR("Too short offset to save context %p < %p",
+				op_context, sym_op->m_src->buf_addr);
+			return -EINVAL;
+		}
+		if (unlikely(sess->dir == DIR_ENC &&
+			(uint64_t)op_context <
+			((uint64_t)sym_op->m_src->buf_addr +
+			DPAA2_DYN_TX_MIN_FD_OFFSET))) {
+			DPAA2_SEC_ERR("ENC FAEAD being overlapped %p < %p + %lu",
+				op_context, sym_op->m_src->buf_addr,
+				DPAA2_DYN_TX_MIN_FD_OFFSET);
+			return -EINVAL;
+		}
+		DPAA2_SET_FD_IVP(fd);
+	}
+
 	DPAA2_SET_FD_ADDR(fd, DPAA2_MBUF_VADDR_TO_IOVA(sym_op->m_src));
 	DPAA2_SET_FD_OFFSET(fd, sym_op->m_src->data_off);
 	DPAA2_SET_FD_LEN(fd, sym_op->m_src->pkt_len);
 	DPAA2_SET_FD_FLC(fd, DPAA2_VADDR_TO_IOVA(flc));
 
-	/* save physical address of mbuf */
-	op->sym->aead.digest.phys_addr = mbuf->buf_iova;
-	mbuf->buf_iova = (size_t)op;
-
 	return 0;
 }
 
@@ -1503,7 +1540,11 @@ dpaa2_sec_enqueue_burst(void *qp, struct rte_crypto_op **ops,
 			/*Clear the unused FD fields before sending*/
 			memset(&fd_arr[loop], 0, sizeof(struct qbman_fd));
 			mb_pool = (*ops)->sym->m_src->pool;
-			bpid = mempool_to_bpid(mb_pool);
+			if (mb_pool->ops_index ==
+				rte_dpaa2_mpool_get_ops_idx())
+				bpid = mempool_to_bpid(mb_pool);
+			else
+				bpid = MAX_BPID;
 			ret = build_sec_fd(*ops, &fd_arr[loop], bpid, dpaa2_qp);
 			if (ret) {
 				DPAA2_SEC_DP_DEBUG("FD build failed");
@@ -1549,37 +1590,51 @@ dpaa2_sec_enqueue_burst(void *qp, struct rte_crypto_op **ops,
 }
 
 static inline struct rte_crypto_op *
-sec_simple_fd_to_mbuf(const struct qbman_fd *fd)
+dpaa2_sec_simple_fd_to_mbuf(const struct qbman_fd *fd)
 {
 	struct rte_crypto_op *op;
-	uint16_t len = DPAA2_GET_FD_LEN(fd);
+	uint16_t len = DPAA2_GET_FD_LEN(fd), bpid = MAX_BPID;
 	int16_t diff = 0;
-	dpaa2_sec_session *sess_priv __rte_unused;
+	struct rte_mbuf *mbuf;
+	dpaa2_sec_session *sess_priv;
+	uint8_t *vir;
+	void **op_context;
+
+	vir = DPAA2_IOVA_TO_VADDR(DPAA2_GET_FD_ADDR(fd));
+
+	if (likely(!DPAA2_GET_FD_IVP(fd))) {
+		bpid = DPAA2_GET_FD_BPID(fd);
+		mbuf = DPAA2_INLINE_MBUF_FROM_BUF(vir,
+			rte_dpaa2_bpid_info[bpid].meta_data_size);
+		if (unlikely(s_dpaa2_sec_cntx_pos < 0)) {
+			DPAA2_SEC_ERR("SEC context position not registered!");
+			return NULL;
+		}
+		op_context = (void *)((uint64_t)mbuf + s_dpaa2_sec_cntx_pos);
+		op = *op_context;
+	} else {
+		op_context = (void **)RTE_PTR_ALIGN_FLOOR(vir +
+			DPAA2_GET_FD_OFFSET(fd) - sizeof(void *),
+			sizeof(void *));
 
-	if (unlikely(DPAA2_GET_FD_IVP(fd))) {
-		DPAA2_SEC_ERR("error: non inline buffer");
-		return NULL;
+		op = *op_context;
+		mbuf = op->sym->m_src;
 	}
-	struct rte_mbuf *mbuf = DPAA2_INLINE_MBUF_FROM_BUF(
-		DPAA2_IOVA_TO_VADDR(DPAA2_GET_FD_ADDR(fd)),
-		rte_dpaa2_bpid_info[DPAA2_GET_FD_BPID(fd)].meta_data_size);
+	sess_priv = SECURITY_GET_SESS_PRIV(op->sym->session);
 
 	diff = len - mbuf->pkt_len;
 	mbuf->pkt_len += diff;
 	mbuf->data_len += diff;
-	op = (struct rte_crypto_op *)(size_t)mbuf->buf_iova;
-	mbuf->buf_iova = op->sym->aead.digest.phys_addr;
-	op->sym->aead.digest.phys_addr = 0L;
 
-	sess_priv = SECURITY_GET_SESS_PRIV(op->sym->session);
 	if (sess_priv->dir == DIR_ENC)
 		mbuf->data_off += SEC_FLC_DHR_OUTBOUND;
 	else
 		mbuf->data_off += SEC_FLC_DHR_INBOUND;
 
 	if (unlikely(fd->simple.frc)) {
-		DPAA2_SEC_ERR("SEC returned Error - %x",
-				fd->simple.frc);
+		DPAA2_SEC_ERR("SEC %s returned Error - %x",
+			sess_priv->dir == DIR_ENC ? "encap" : "decap",
+			fd->simple.frc);
 		op->status = RTE_CRYPTO_OP_STATUS_ERROR;
 	} else {
 		op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
@@ -1589,14 +1644,15 @@ sec_simple_fd_to_mbuf(const struct qbman_fd *fd)
 }
 
 static inline struct rte_crypto_op *
-sec_fd_to_mbuf(const struct qbman_fd *fd, struct dpaa2_sec_qp *qp)
+dpaa2_sec_fd_to_mbuf(const struct qbman_fd *fd,
+	struct dpaa2_sec_qp *qp)
 {
 	struct qbman_fle *fle;
 	struct rte_crypto_op *op;
 	struct rte_mbuf *dst, *src;
 
 	if (DPAA2_FD_GET_FORMAT(fd) == qbman_fd_single)
-		return sec_simple_fd_to_mbuf(fd);
+		return dpaa2_sec_simple_fd_to_mbuf(fd);
 
 	fle = (struct qbman_fle *)DPAA2_IOVA_TO_VADDR(DPAA2_GET_FD_ADDR(fd));
 
@@ -1728,7 +1784,7 @@ dpaa2_sec_free_eqresp_buf(uint16_t eqresp_ci,
 
 	dpaa2_qp = container_of(dpaa2_q, struct dpaa2_sec_qp, tx_vq);
 	fd = qbman_result_eqresp_fd(&dpio_dev->eqresp[eqresp_ci]);
-	op = sec_fd_to_mbuf(fd, dpaa2_qp);
+	op = dpaa2_sec_fd_to_mbuf(fd, dpaa2_qp);
 	/* Instead of freeing, enqueue it to the sec tx queue (sec->core)
 	 * after setting an error in FD. But this will have performance impact.
 	 */
@@ -1843,7 +1899,11 @@ dpaa2_sec_enqueue_burst_ordered(void *qp, struct rte_crypto_op **ops,
 			/*Clear the unused FD fields before sending*/
 			memset(&fd_arr[loop], 0, sizeof(struct qbman_fd));
 			mb_pool = (*ops)->sym->m_src->pool;
-			bpid = mempool_to_bpid(mb_pool);
+			if (mb_pool->ops_index ==
+				rte_dpaa2_mpool_get_ops_idx())
+				bpid = mempool_to_bpid(mb_pool);
+			else
+				bpid = MAX_BPID;
 			ret = build_sec_fd(*ops, &fd_arr[loop], bpid, dpaa2_qp);
 			if (ret) {
 				DPAA2_SEC_DP_DEBUG("FD build failed");
@@ -1965,7 +2025,7 @@ dpaa2_sec_dequeue_burst(void *qp, struct rte_crypto_op **ops,
 		}
 
 		fd = qbman_result_DQ_fd(dq_storage);
-		ops[num_rx] = sec_fd_to_mbuf(fd, dpaa2_qp);
+		ops[num_rx] = dpaa2_sec_fd_to_mbuf(fd, dpaa2_qp);
 
 		if (unlikely(fd->simple.frc)) {
 			/* TODO Parse SEC errors */
@@ -3374,6 +3434,15 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
 		goto out;
 	}
 
+	ret = rte_mbuf_dynfield_register(&s_dpaa2_sec_cntx_pos_dyn);
+	if (ret < 0) {
+		DPAA2_SEC_ERR("Failed to register context pos");
+		goto out;
+	}
+	DPAA2_SEC_INFO("Register mbuf offset(%d) for sec context pos",
+		ret);
+	s_dpaa2_sec_cntx_pos = ret;
+
 	flc->word1_sdl = (uint8_t)bufsize;
 
 	flc_iova = DPAA2_VADDR_TO_IOVA(flc);
@@ -4028,7 +4097,7 @@ dpaa2_sec_process_parallel_event(struct qbman_swp *swp,
 	ev->sched_type = rxq->ev.sched_type;
 	ev->queue_id = rxq->ev.queue_id;
 	ev->priority = rxq->ev.priority;
-	ev->event_ptr = sec_fd_to_mbuf(fd, qp);
+	ev->event_ptr = dpaa2_sec_fd_to_mbuf(fd, qp);
 
 	qbman_swp_dqrr_consume(swp, dq);
 }
@@ -4053,7 +4122,7 @@ dpaa2_sec_process_atomic_event(struct qbman_swp *swp __rte_unused,
 	ev->queue_id = rxq->ev.queue_id;
 	ev->priority = rxq->ev.priority;
 
-	crypto_op = sec_fd_to_mbuf(fd, qp);
+	crypto_op = dpaa2_sec_fd_to_mbuf(fd, qp);
 	dqrr_index = qbman_get_dqrr_idx(dq);
 	*dpaa2_seqn(crypto_op->sym->m_src) = QBMAN_ENQUEUE_FLAG_DCA | dqrr_index;
 	DPAA2_PER_LCORE_DQRR_SIZE++;
@@ -4080,7 +4149,7 @@ dpaa2_sec_process_ordered_event(struct qbman_swp *swp,
 	ev->sched_type = rxq->ev.sched_type;
 	ev->queue_id = rxq->ev.queue_id;
 	ev->priority = rxq->ev.priority;
-	crypto_op = sec_fd_to_mbuf(fd, qp);
+	crypto_op = dpaa2_sec_fd_to_mbuf(fd, qp);
 
 	*dpaa2_seqn(crypto_op->sym->m_src) = DPAA2_ENQUEUE_FLAG_ORP;
 	*dpaa2_seqn(crypto_op->sym->m_src) |= qbman_result_DQ_odpid(dq) <<
@@ -4355,7 +4424,7 @@ dpaa2_sec_dev_init(struct rte_cryptodev *cryptodev)
 	}
 
 	/* Initialize security_ctx only for primary process*/
-	security_instance = rte_malloc("rte_security_instances_ops",
+	security_instance = rte_zmalloc("rte_security_instances_ops",
 				sizeof(struct rte_security_ctx), 0);
 	if (security_instance == NULL)
 		return -ENOMEM;
diff --git a/drivers/crypto/dpaa2_sec/meson.build b/drivers/crypto/dpaa2_sec/meson.build
index acca4176b0..31a441824d 100644
--- a/drivers/crypto/dpaa2_sec/meson.build
+++ b/drivers/crypto/dpaa2_sec/meson.build
@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: BSD-3-Clause
-# Copyright 2018,2021 NXP
+# Copyright 2018,2021-2024 NXP
 
 if not is_linux
     build = false
@@ -14,3 +14,4 @@ sources = files(
 )
 
 includes += include_directories('mc', '../../common/dpaax', '../../common/dpaax/caamflib')
+includes += include_directories('../../net/dpaa2/base')
-- 
2.25.1

Re: [PATCH 1/9] common/dpaax: fix invalid key command error

[Hemant Agrawal]

On 20-05-2025 11:21, Gagandeep Singh wrote:
> Due to race between KEY loading to CAAM’s internal memory
> and initiating crypto operations can SEC errors in PDCP
> AES algo combinations.
Please fix grammar.
> To mitigate this, adding CALM instruction in SN 12bit case
> and using older version of descriptor for SN 18bit case.
>
> Fixes: 6127fff842a7 ("common/dpaax: remove outdated caamflib code")
> Cc: franck.lenormand@nxp.com
> Cc: stable@dpdk.org
>
> Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
> ---

Please send cover-letter for multi patch series.

>   drivers/common/dpaax/caamflib/desc/pdcp.h | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/common/dpaax/caamflib/desc/pdcp.h b/drivers/common/dpaax/caamflib/desc/pdcp.h
> index 9ada3905c5..f4379ede2c 100644
> --- a/drivers/common/dpaax/caamflib/desc/pdcp.h
> +++ b/drivers/common/dpaax/caamflib/desc/pdcp.h
> @@ -1,6 +1,6 @@
>   /* SPDX-License-Identifier: BSD-3-Clause or GPL-2.0+
>    * Copyright 2008-2013 Freescale Semiconductor, Inc.
> - * Copyright 2019-2023 NXP
> + * Copyright 2019-2025 NXP
>    */
>   
>   #ifndef __DESC_PDCP_H__
> @@ -1981,8 +1981,7 @@ pdcp_insert_uplane_no_int_op(struct program *p,
>   	KEY(p, KEY1, cipherdata->key_enc_flags, cipherdata->key,
>   	    cipherdata->keylen, INLINE_KEY(cipherdata));
>   
> -	if ((sn_size == PDCP_SN_SIZE_15) ||
> -			(rta_sec_era >= RTA_SEC_ERA_10)) {
> +	if (sn_size == PDCP_SN_SIZE_15) {

In description, you mentioned 18 bit SN case, however here you are 
modifying  15 bit code?

am I missing the changes for 18 bit ?

>   		PROTOCOL(p, dir, OP_PCLID_LTE_PDCP_USER,
>   			 (uint16_t)cipherdata->algtype);
>   		return 0;
> @@ -2747,6 +2746,7 @@ cnstr_shdsc_pdcp_u_plane_encap(uint32_t *descbuf,
>   			    (uint64_t)cipherdata->key, cipherdata->keylen,
>   			    INLINE_KEY(cipherdata));
>   
> +			JUMP(p, 1, LOCAL_JUMP, ALL_TRUE, CALM);
>   			if (authdata)
>   				PROTOCOL(p, OP_TYPE_ENCAP_PROTOCOL,
>   					 OP_PCLID_LTE_PDCP_USER_RN,