* [PATCH] crypto/qat: use intel-ipsec-mb for partial hash
@ 2022-04-07 15:29 Fan Zhang
  2022-04-14 18:45 ` [External] : " Changchun Zhang
  2022-05-17 14:16 ` [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib Kai Ji
  0 siblings, 2 replies; 18+ messages in thread
From: Fan Zhang @ 2022-04-07 15:29 UTC (permalink / raw)
  To: dev; +Cc: kai.ji, gakhil, pablo.de.lara.guarch, Fan Zhang

OpenSSL 3.0 deprecates the low-level API that QAT requires to
perform the partial hash operation when creating a session. This
patch moves that dependency from OpenSSL to intel-ipsec-mb.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 drivers/common/qat/meson.build       |  10 +++
 drivers/crypto/qat/qat_sym_session.c | 101 +++++----------------------
 2 files changed, 28 insertions(+), 83 deletions(-)

diff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.build
index b7027f3164..d35fc69d96 100644
--- a/drivers/common/qat/meson.build
+++ b/drivers/common/qat/meson.build
@@ -35,6 +35,16 @@ if qat_crypto and not libcrypto.found()
             'missing dependency, libcrypto')
 endif
 
+
+IMB_required_ver = '1.0.0'
+libipsecmb = cc.find_library('IPSec_MB', required: false)
+if not lib.found()
+    build = false
+    reason = 'missing dependency, "libIPSec_MB"'
+else
+    ext_deps += libipsecmb
+endif
+
 # The driver should not build if both compression and crypto are disabled
 #FIXME common code depends on compression files so check only compress!
 if not qat_compress # and not qat_crypto
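Review bot: The added check `if not lib.found()` tests a variable named `lib`, while the handle assigned on the line above is `libipsecmb`; unless `lib` is defined elsewhere in this file, the check should read `if not libipsecmb.found()`. `IMB_required_ver = '1.0.0'` is set but never compared against anything in the hunk, so the stated minimum version is not enforced. The lookup is also unconditional here, so a host without libIPSec_MB loses the whole QAT driver through `build = false`. The same `lib.found()` line appears in the v2 1/2 meson.build hunk further down and in the quoted copies of this patch in the replies.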
diff --git a/drivers/crypto/qat/qat_sym_session.c b/drivers/crypto/qat/qat_sym_session.c
index 9d6a19c0be..05a11db750 100644
--- a/drivers/crypto/qat/qat_sym_session.c
+++ b/drivers/crypto/qat/qat_sym_session.c
@@ -6,6 +6,7 @@
 #include <openssl/aes.h>	/* Needed to calculate pre-compute values */
 #include <openssl/md5.h>	/* Needed to calculate pre-compute values */
 #include <openssl/evp.h>	/* Needed for bpi runt block processing */
+#include <intel-ipsec-mb.h>
 
 #include <rte_memcpy.h>
 #include <rte_common.h>
@@ -1057,139 +1058,73 @@ static int qat_hash_get_block_size(enum icp_qat_hw_auth_algo qat_hash_alg)
 	return -EFAULT;
 }
 
-static int partial_hash_sha1(uint8_t *data_in, uint8_t *data_out)
-{
-	SHA_CTX ctx;
-
-	if (!SHA1_Init(&ctx))
-		return -EFAULT;
-	SHA1_Transform(&ctx, data_in);
-	rte_memcpy(data_out, &ctx, SHA_DIGEST_LENGTH);
-	return 0;
-}
-
-static int partial_hash_sha224(uint8_t *data_in, uint8_t *data_out)
-{
-	SHA256_CTX ctx;
-
-	if (!SHA224_Init(&ctx))
-		return -EFAULT;
-	SHA256_Transform(&ctx, data_in);
-	rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);
-	return 0;
-}
-
-static int partial_hash_sha256(uint8_t *data_in, uint8_t *data_out)
-{
-	SHA256_CTX ctx;
-
-	if (!SHA256_Init(&ctx))
-		return -EFAULT;
-	SHA256_Transform(&ctx, data_in);
-	rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);
-	return 0;
-}
-
-static int partial_hash_sha384(uint8_t *data_in, uint8_t *data_out)
-{
-	SHA512_CTX ctx;
-
-	if (!SHA384_Init(&ctx))
-		return -EFAULT;
-	SHA512_Transform(&ctx, data_in);
-	rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);
-	return 0;
-}
-
-static int partial_hash_sha512(uint8_t *data_in, uint8_t *data_out)
-{
-	SHA512_CTX ctx;
-
-	if (!SHA512_Init(&ctx))
-		return -EFAULT;
-	SHA512_Transform(&ctx, data_in);
-	rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);
-	return 0;
-}
-
-static int partial_hash_md5(uint8_t *data_in, uint8_t *data_out)
-{
-	MD5_CTX ctx;
-
-	if (!MD5_Init(&ctx))
-		return -EFAULT;
-	MD5_Transform(&ctx, data_in);
-	rte_memcpy(data_out, &ctx, MD5_DIGEST_LENGTH);
-
-	return 0;
-}
-
 static int
 partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg,
 		uint8_t *data_in, uint8_t *data_out)
 {
+	IMB_MGR *m;
+	uint32_t *hash_state_out_be32;
+	uint64_t *hash_state_out_be64;
 	int digest_size;
 	uint8_t digest[qat_hash_get_digest_size(
 			ICP_QAT_HW_AUTH_ALGO_DELIMITER)];
-	uint32_t *hash_state_out_be32;
-	uint64_t *hash_state_out_be64;
 	int i;
 
+	hash_state_out_be32 = (uint32_t *)data_out;
+	hash_state_out_be64 = (uint64_t *)data_out;
+
 	/* Initialize to avoid gcc warning */
 	memset(digest, 0, sizeof(digest));
 
 	digest_size = qat_hash_get_digest_size(hash_alg);
 	if (digest_size <= 0)
 		return -EFAULT;
+	m = alloc_mb_mgr(0);
+	if (m == NULL)
+		return -ENOMEM;
 
-	hash_state_out_be32 = (uint32_t *)data_out;
-	hash_state_out_be64 = (uint64_t *)data_out;
+	init_mb_mgr_auto(m, NULL);
 
 	switch (hash_alg) {
 	case ICP_QAT_HW_AUTH_ALGO_SHA1:
-		if (partial_hash_sha1(data_in, digest))
-			return -EFAULT;
+		IMB_SHA1_ONE_BLOCK(m, data_in, digest);
 		for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
 			*hash_state_out_be32 =
 				rte_bswap32(*(((uint32_t *)digest)+i));
 		break;
 	case ICP_QAT_HW_AUTH_ALGO_SHA224:
-		if (partial_hash_sha224(data_in, digest))
-			return -EFAULT;
+		IMB_SHA224_ONE_BLOCK(m, data_in, digest);
 		for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
 			*hash_state_out_be32 =
 				rte_bswap32(*(((uint32_t *)digest)+i));
 		break;
 	case ICP_QAT_HW_AUTH_ALGO_SHA256:
-		if (partial_hash_sha256(data_in, digest))
-			return -EFAULT;
+		IMB_SHA256_ONE_BLOCK(m, data_in, digest);
 		for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
 			*hash_state_out_be32 =
 				rte_bswap32(*(((uint32_t *)digest)+i));
 		break;
 	case ICP_QAT_HW_AUTH_ALGO_SHA384:
-		if (partial_hash_sha384(data_in, digest))
-			return -EFAULT;
+		IMB_SHA384_ONE_BLOCK(m, data_in, digest);
 		for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)
 			*hash_state_out_be64 =
 				rte_bswap64(*(((uint64_t *)digest)+i));
 		break;
 	case ICP_QAT_HW_AUTH_ALGO_SHA512:
-		if (partial_hash_sha512(data_in, digest))
-			return -EFAULT;
+		IMB_SHA512_ONE_BLOCK(m, data_in, digest);
 		for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)
 			*hash_state_out_be64 =
 				rte_bswap64(*(((uint64_t *)digest)+i));
 		break;
 	case ICP_QAT_HW_AUTH_ALGO_MD5:
-		if (partial_hash_md5(data_in, data_out))
-			return -EFAULT;
+		IMB_MD5_ONE_BLOCK(m, data_in, data_out);
 		break;
 	default:
 		QAT_LOG(ERR, "invalid hash alg %u", hash_alg);
 		return -EFAULT;
 	}
 
+	free_mb_mgr(m);
 	return 0;
 }
 #define HMAC_IPAD_VALUE	0x36
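Review bot: The `default:` branch of the switch returns `-EFAULT` without calling `free_mb_mgr(m)`, so the manager from `alloc_mb_mgr(0)` leaks whenever a `hash_alg` passes the digest-size check but matches no case; add `free_mb_mgr(m);` before that `return -EFAULT;`. The outcome of `init_mb_mgr_auto(m, NULL)` is not checked either, and the `IMB_*_ONE_BLOCK` calls return nothing, so the error reporting the removed `partial_hash_*()` helpers gave is gone; a guard such as `if (imb_get_errno(m) != 0) { free_mb_mgr(m); return -EFAULT; }` after init would restore a failure path. The v2 2/2 version of this function, partly visible further down, moves the allocation above the `digest_size <= 0` check, which makes that early return leak as well.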
-- 
2.32.0



* Re: [External] : [PATCH] crypto/qat: use intel-ipsec-mb for partial hash
  2022-04-07 15:29 [PATCH] crypto/qat: use intel-ipsec-mb for partial hash Fan Zhang
@ 2022-04-14 18:45 ` Changchun Zhang
  2022-04-20 18:14   ` Changchun Zhang
  2022-05-17 14:16 ` [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib Kai Ji
  1 sibling, 1 reply; 18+ messages in thread
From: Changchun Zhang @ 2022-04-14 18:45 UTC (permalink / raw)
  To: Fan Zhang, dev; +Cc: kai.ji, gakhil, pablo.de.lara.guarch, Fan Zhang

[-- Attachment #1: Type: text/plain, Size: 7962 bytes --]

Hi Fan,

Does this mean intel-ipsec-mb would become a prerequisite for using QAT offload in security applications? If this is the case, as far as I know, intel-ipsec-mb has no FIPS certification yet. Thus I am thinking this would impact existing QAT-based security applications, right?

Best Regards,
Changchun Zhang

From: Fan Zhang <roy.fan.zhang@intel.com>
Date: Thursday, April 7, 2022 at 11:29 AM
To: dev@dpdk.org <dev@dpdk.org>
Cc: kai.ji@intel.com <kai.ji@intel.com>, gakhil@marvell.com <gakhil@marvell.com>, pablo.de.lara.guarch@intel.com <pablo.de.lara.guarch@intel.com>, Fan Zhang <roy.fan.zhang@intel.com>
Subject: [External] : [PATCH] crypto/qat: use intel-ipsec-mb for partial hash
Since openssl 3.0 now deprecates the low level API QAT required to
perform partial hash operation when creating the session. This
patch is to transfer such dependency from openssl to intel-ipsec-mb.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 drivers/common/qat/meson.build       |  10 +++
 drivers/crypto/qat/qat_sym_session.c | 101 +++++----------------------
 2 files changed, 28 insertions(+), 83 deletions(-)

diff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.build
index b7027f3164..d35fc69d96 100644
--- a/drivers/common/qat/meson.build
+++ b/drivers/common/qat/meson.build
@@ -35,6 +35,16 @@ if qat_crypto and not libcrypto.found()
             'missing dependency, libcrypto')
 endif

+
+IMB_required_ver = '1.0.0'
+libipsecmb = cc.find_library('IPSec_MB', required: false)
+if not lib.found()
+    build = false
+    reason = 'missing dependency, "libIPSec_MB"'
+else
+    ext_deps += libipsecmb
+endif
+
 # The driver should not build if both compression and crypto are disabled
 #FIXME common code depends on compression files so check only compress!
 if not qat_compress # and not qat_crypto
diff --git a/drivers/crypto/qat/qat_sym_session.c b/drivers/crypto/qat/qat_sym_session.c
index 9d6a19c0be..05a11db750 100644
--- a/drivers/crypto/qat/qat_sym_session.c
+++ b/drivers/crypto/qat/qat_sym_session.c
@@ -6,6 +6,7 @@
 #include <openssl/aes.h>        /* Needed to calculate pre-compute values */
 #include <openssl/md5.h>        /* Needed to calculate pre-compute values */
 #include <openssl/evp.h>        /* Needed for bpi runt block processing */
+#include <intel-ipsec-mb.h>

 #include <rte_memcpy.h>
 #include <rte_common.h>
@@ -1057,139 +1058,73 @@ static int qat_hash_get_block_size(enum icp_qat_hw_auth_algo qat_hash_alg)
         return -EFAULT;
 }

-static int partial_hash_sha1(uint8_t *data_in, uint8_t *data_out)
-{
-       SHA_CTX ctx;
-
-       if (!SHA1_Init(&ctx))
-               return -EFAULT;
-       SHA1_Transform(&ctx, data_in);
-       rte_memcpy(data_out, &ctx, SHA_DIGEST_LENGTH);
-       return 0;
-}
-
-static int partial_hash_sha224(uint8_t *data_in, uint8_t *data_out)
-{
-       SHA256_CTX ctx;
-
-       if (!SHA224_Init(&ctx))
-               return -EFAULT;
-       SHA256_Transform(&ctx, data_in);
-       rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);
-       return 0;
-}
-
-static int partial_hash_sha256(uint8_t *data_in, uint8_t *data_out)
-{
-       SHA256_CTX ctx;
-
-       if (!SHA256_Init(&ctx))
-               return -EFAULT;
-       SHA256_Transform(&ctx, data_in);
-       rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);
-       return 0;
-}
-
-static int partial_hash_sha384(uint8_t *data_in, uint8_t *data_out)
-{
-       SHA512_CTX ctx;
-
-       if (!SHA384_Init(&ctx))
-               return -EFAULT;
-       SHA512_Transform(&ctx, data_in);
-       rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);
-       return 0;
-}
-
-static int partial_hash_sha512(uint8_t *data_in, uint8_t *data_out)
-{
-       SHA512_CTX ctx;
-
-       if (!SHA512_Init(&ctx))
-               return -EFAULT;
-       SHA512_Transform(&ctx, data_in);
-       rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);
-       return 0;
-}
-
-static int partial_hash_md5(uint8_t *data_in, uint8_t *data_out)
-{
-       MD5_CTX ctx;
-
-       if (!MD5_Init(&ctx))
-               return -EFAULT;
-       MD5_Transform(&ctx, data_in);
-       rte_memcpy(data_out, &ctx, MD5_DIGEST_LENGTH);
-
-       return 0;
-}
-
 static int
 partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg,
                 uint8_t *data_in, uint8_t *data_out)
 {
+       IMB_MGR *m;
+       uint32_t *hash_state_out_be32;
+       uint64_t *hash_state_out_be64;
         int digest_size;
         uint8_t digest[qat_hash_get_digest_size(
                         ICP_QAT_HW_AUTH_ALGO_DELIMITER)];
-       uint32_t *hash_state_out_be32;
-       uint64_t *hash_state_out_be64;
         int i;

+       hash_state_out_be32 = (uint32_t *)data_out;
+       hash_state_out_be64 = (uint64_t *)data_out;
+
         /* Initialize to avoid gcc warning */
         memset(digest, 0, sizeof(digest));

         digest_size = qat_hash_get_digest_size(hash_alg);
         if (digest_size <= 0)
                 return -EFAULT;
+       m = alloc_mb_mgr(0);
+       if (m == NULL)
+               return -ENOMEM;

-       hash_state_out_be32 = (uint32_t *)data_out;
-       hash_state_out_be64 = (uint64_t *)data_out;
+       init_mb_mgr_auto(m, NULL);

         switch (hash_alg) {
         case ICP_QAT_HW_AUTH_ALGO_SHA1:
-               if (partial_hash_sha1(data_in, digest))
-                       return -EFAULT;
+               IMB_SHA1_ONE_BLOCK(m, data_in, digest);
                 for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
                         *hash_state_out_be32 =
                                 rte_bswap32(*(((uint32_t *)digest)+i));
                 break;
         case ICP_QAT_HW_AUTH_ALGO_SHA224:
-               if (partial_hash_sha224(data_in, digest))
-                       return -EFAULT;
+               IMB_SHA224_ONE_BLOCK(m, data_in, digest);
                 for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
                         *hash_state_out_be32 =
                                 rte_bswap32(*(((uint32_t *)digest)+i));
                 break;
         case ICP_QAT_HW_AUTH_ALGO_SHA256:
-               if (partial_hash_sha256(data_in, digest))
-                       return -EFAULT;
+               IMB_SHA256_ONE_BLOCK(m, data_in, digest);
                 for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
                         *hash_state_out_be32 =
                                 rte_bswap32(*(((uint32_t *)digest)+i));
                 break;
         case ICP_QAT_HW_AUTH_ALGO_SHA384:
-               if (partial_hash_sha384(data_in, digest))
-                       return -EFAULT;
+               IMB_SHA384_ONE_BLOCK(m, data_in, digest);
                 for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)
                         *hash_state_out_be64 =
                                 rte_bswap64(*(((uint64_t *)digest)+i));
                 break;
         case ICP_QAT_HW_AUTH_ALGO_SHA512:
-               if (partial_hash_sha512(data_in, digest))
-                       return -EFAULT;
+               IMB_SHA512_ONE_BLOCK(m, data_in, digest);
                 for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)
                         *hash_state_out_be64 =
                                 rte_bswap64(*(((uint64_t *)digest)+i));
                 break;
         case ICP_QAT_HW_AUTH_ALGO_MD5:
-               if (partial_hash_md5(data_in, data_out))
-                       return -EFAULT;
+               IMB_MD5_ONE_BLOCK(m, data_in, data_out);
                 break;
         default:
                 QAT_LOG(ERR, "invalid hash alg %u", hash_alg);
                 return -EFAULT;
         }

+       free_mb_mgr(m);
         return 0;
 }
 #define HMAC_IPAD_VALUE 0x36
--
2.32.0

[-- Attachment #2: Type: text/html, Size: 18668 bytes --]


* Re: [External] : [PATCH] crypto/qat: use intel-ipsec-mb for partial hash
  2022-04-14 18:45 ` [External] : " Changchun Zhang
@ 2022-04-20 18:14   ` Changchun Zhang
  2022-05-17 14:21     ` Ji, Kai
  0 siblings, 1 reply; 18+ messages in thread
From: Changchun Zhang @ 2022-04-20 18:14 UTC (permalink / raw)
  To: Fan Zhang, dev, pablo.de.lara.guarch; +Cc: kai.ji, gakhil, Fan Zhang

[-- Attachment #1: Type: text/plain, Size: 8626 bytes --]

Hello,

Can I know the status of this patch, and the possible impact on any existing applications because the partial hash is switched from OpenSSL to intel-ipsec-mb which is not under FIPS certification?

Thanks!
Changchun

From: Changchun Zhang <changchun.zhang@oracle.com>
Date: Thursday, April 14, 2022 at 2:46 PM
To: Fan Zhang <roy.fan.zhang@intel.com>, dev@dpdk.org <dev@dpdk.org>
Cc: kai.ji@intel.com <kai.ji@intel.com>, gakhil@marvell.com <gakhil@marvell.com>, pablo.de.lara.guarch@intel.com <pablo.de.lara.guarch@intel.com>, Fan Zhang <roy.fan.zhang@intel.com>
Subject: Re: [External] : [PATCH] crypto/qat: use intel-ipsec-mb for partial hash
Hi Fan,

Does it mean the intel-ipsec-mb would be prerequisite of applying QAT offloading for security application? It this is the case, as I know, the intel-ipsec-mb has no FIPS certification yet. Thus I am thinking this would impact existing QAT based security application, right?

Best Regards,
Changchun Zhang

From: Fan Zhang <roy.fan.zhang@intel.com>
Date: Thursday, April 7, 2022 at 11:29 AM
To: dev@dpdk.org <dev@dpdk.org>
Cc: kai.ji@intel.com <kai.ji@intel.com>, gakhil@marvell.com <gakhil@marvell.com>, pablo.de.lara.guarch@intel.com <pablo.de.lara.guarch@intel.com>, Fan Zhang <roy.fan.zhang@intel.com>
Subject: [External] : [PATCH] crypto/qat: use intel-ipsec-mb for partial hash
Since openssl 3.0 now deprecates the low level API QAT required to
perform partial hash operation when creating the session. This
patch is to transfer such dependency from openssl to intel-ipsec-mb.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 drivers/common/qat/meson.build       |  10 +++
 drivers/crypto/qat/qat_sym_session.c | 101 +++++----------------------
 2 files changed, 28 insertions(+), 83 deletions(-)

diff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.build
index b7027f3164..d35fc69d96 100644
--- a/drivers/common/qat/meson.build
+++ b/drivers/common/qat/meson.build
@@ -35,6 +35,16 @@ if qat_crypto and not libcrypto.found()
             'missing dependency, libcrypto')
 endif

+
+IMB_required_ver = '1.0.0'
+libipsecmb = cc.find_library('IPSec_MB', required: false)
+if not lib.found()
+    build = false
+    reason = 'missing dependency, "libIPSec_MB"'
+else
+    ext_deps += libipsecmb
+endif
+
 # The driver should not build if both compression and crypto are disabled
 #FIXME common code depends on compression files so check only compress!
 if not qat_compress # and not qat_crypto
diff --git a/drivers/crypto/qat/qat_sym_session.c b/drivers/crypto/qat/qat_sym_session.c
index 9d6a19c0be..05a11db750 100644
--- a/drivers/crypto/qat/qat_sym_session.c
+++ b/drivers/crypto/qat/qat_sym_session.c
@@ -6,6 +6,7 @@
 #include <openssl/aes.h>        /* Needed to calculate pre-compute values */
 #include <openssl/md5.h>        /* Needed to calculate pre-compute values */
 #include <openssl/evp.h>        /* Needed for bpi runt block processing */
+#include <intel-ipsec-mb.h>

 #include <rte_memcpy.h>
 #include <rte_common.h>
@@ -1057,139 +1058,73 @@ static int qat_hash_get_block_size(enum icp_qat_hw_auth_algo qat_hash_alg)
         return -EFAULT;
 }

-static int partial_hash_sha1(uint8_t *data_in, uint8_t *data_out)
-{
-       SHA_CTX ctx;
-
-       if (!SHA1_Init(&ctx))
-               return -EFAULT;
-       SHA1_Transform(&ctx, data_in);
-       rte_memcpy(data_out, &ctx, SHA_DIGEST_LENGTH);
-       return 0;
-}
-
-static int partial_hash_sha224(uint8_t *data_in, uint8_t *data_out)
-{
-       SHA256_CTX ctx;
-
-       if (!SHA224_Init(&ctx))
-               return -EFAULT;
-       SHA256_Transform(&ctx, data_in);
-       rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);
-       return 0;
-}
-
-static int partial_hash_sha256(uint8_t *data_in, uint8_t *data_out)
-{
-       SHA256_CTX ctx;
-
-       if (!SHA256_Init(&ctx))
-               return -EFAULT;
-       SHA256_Transform(&ctx, data_in);
-       rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);
-       return 0;
-}
-
-static int partial_hash_sha384(uint8_t *data_in, uint8_t *data_out)
-{
-       SHA512_CTX ctx;
-
-       if (!SHA384_Init(&ctx))
-               return -EFAULT;
-       SHA512_Transform(&ctx, data_in);
-       rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);
-       return 0;
-}
-
-static int partial_hash_sha512(uint8_t *data_in, uint8_t *data_out)
-{
-       SHA512_CTX ctx;
-
-       if (!SHA512_Init(&ctx))
-               return -EFAULT;
-       SHA512_Transform(&ctx, data_in);
-       rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);
-       return 0;
-}
-
-static int partial_hash_md5(uint8_t *data_in, uint8_t *data_out)
-{
-       MD5_CTX ctx;
-
-       if (!MD5_Init(&ctx))
-               return -EFAULT;
-       MD5_Transform(&ctx, data_in);
-       rte_memcpy(data_out, &ctx, MD5_DIGEST_LENGTH);
-
-       return 0;
-}
-
 static int
 partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg,
                 uint8_t *data_in, uint8_t *data_out)
 {
+       IMB_MGR *m;
+       uint32_t *hash_state_out_be32;
+       uint64_t *hash_state_out_be64;
         int digest_size;
         uint8_t digest[qat_hash_get_digest_size(
                         ICP_QAT_HW_AUTH_ALGO_DELIMITER)];
-       uint32_t *hash_state_out_be32;
-       uint64_t *hash_state_out_be64;
         int i;

+       hash_state_out_be32 = (uint32_t *)data_out;
+       hash_state_out_be64 = (uint64_t *)data_out;
+
         /* Initialize to avoid gcc warning */
         memset(digest, 0, sizeof(digest));

         digest_size = qat_hash_get_digest_size(hash_alg);
         if (digest_size <= 0)
                 return -EFAULT;
+       m = alloc_mb_mgr(0);
+       if (m == NULL)
+               return -ENOMEM;

-       hash_state_out_be32 = (uint32_t *)data_out;
-       hash_state_out_be64 = (uint64_t *)data_out;
+       init_mb_mgr_auto(m, NULL);

         switch (hash_alg) {
         case ICP_QAT_HW_AUTH_ALGO_SHA1:
-               if (partial_hash_sha1(data_in, digest))
-                       return -EFAULT;
+               IMB_SHA1_ONE_BLOCK(m, data_in, digest);
                 for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
                         *hash_state_out_be32 =
                                 rte_bswap32(*(((uint32_t *)digest)+i));
                 break;
         case ICP_QAT_HW_AUTH_ALGO_SHA224:
-               if (partial_hash_sha224(data_in, digest))
-                       return -EFAULT;
+               IMB_SHA224_ONE_BLOCK(m, data_in, digest);
                 for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
                         *hash_state_out_be32 =
                                 rte_bswap32(*(((uint32_t *)digest)+i));
                 break;
         case ICP_QAT_HW_AUTH_ALGO_SHA256:
-               if (partial_hash_sha256(data_in, digest))
-                       return -EFAULT;
+               IMB_SHA256_ONE_BLOCK(m, data_in, digest);
                 for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
                         *hash_state_out_be32 =
                                 rte_bswap32(*(((uint32_t *)digest)+i));
                 break;
         case ICP_QAT_HW_AUTH_ALGO_SHA384:
-               if (partial_hash_sha384(data_in, digest))
-                       return -EFAULT;
+               IMB_SHA384_ONE_BLOCK(m, data_in, digest);
                 for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)
                         *hash_state_out_be64 =
                                 rte_bswap64(*(((uint64_t *)digest)+i));
                 break;
         case ICP_QAT_HW_AUTH_ALGO_SHA512:
-               if (partial_hash_sha512(data_in, digest))
-                       return -EFAULT;
+               IMB_SHA512_ONE_BLOCK(m, data_in, digest);
                 for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)
                         *hash_state_out_be64 =
                                 rte_bswap64(*(((uint64_t *)digest)+i));
                 break;
         case ICP_QAT_HW_AUTH_ALGO_MD5:
-               if (partial_hash_md5(data_in, data_out))
-                       return -EFAULT;
+               IMB_MD5_ONE_BLOCK(m, data_in, data_out);
                 break;
         default:
                 QAT_LOG(ERR, "invalid hash alg %u", hash_alg);
                 return -EFAULT;
         }

+       free_mb_mgr(m);
         return 0;
 }
 #define HMAC_IPAD_VALUE 0x36
--
2.32.0

[-- Attachment #2: Type: text/html, Size: 20184 bytes --]


* [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib
  2022-04-07 15:29 [PATCH] crypto/qat: use intel-ipsec-mb for partial hash Fan Zhang
  2022-04-14 18:45 ` [External] : " Changchun Zhang
@ 2022-05-17 14:16 ` Kai Ji
  2022-05-17 14:16   ` [dpdk-dev v2 2/2] crypto/qat: use intel-ipsec-mb for partial hash & aes Kai Ji
                     ` (2 more replies)
  1 sibling, 3 replies; 18+ messages in thread
From: Kai Ji @ 2022-05-17 14:16 UTC (permalink / raw)
  To: dev; +Cc: Kai Ji

Add a build option for the QAT PMD to use the intel-ipsec-mb library
instead of OpenSSL for precomputing partial hash and AES.

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 drivers/common/qat/meson.build | 12 ++++++++++++
 meson_options.txt              |  2 ++
 2 files changed, 14 insertions(+)

diff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.build
index b7027f3164..d6eaff3e0e 100644
--- a/drivers/common/qat/meson.build
+++ b/drivers/common/qat/meson.build
@@ -35,6 +35,18 @@ if qat_crypto and not libcrypto.found()
             'missing dependency, libcrypto')
 endif
 
+if get_option('qat_libipsecmb')
+    IMB_required_ver = '1.0.0'
+    libipsecmb = cc.find_library('IPSec_MB', required: false)
+    if not lib.found()
+        build = false
+        reason = 'missing dependency, "libIPSec_MB"'
+    else
+        ext_deps += libipsecmb
+        dpdk_conf.set('RTE_QAT_LIBIPSECMB', true)
+    endif
+endif
+
 # The driver should not build if both compression and crypto are disabled
 #FIXME common code depends on compression files so check only compress!
 if not qat_compress # and not qat_crypto
diff --git a/meson_options.txt b/meson_options.txt
index 7c220ad68d..e48e7dd966 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -42,6 +42,8 @@ option('mbuf_refcnt_atomic', type: 'boolean', value: true, description:
        'Atomically access the mbuf refcnt.')
 option('platform', type: 'string', value: 'native', description:
        'Platform to build, either "native", "generic" or a SoC. Please refer to the Linux build guide for more information.')
+option('qat_libipsecmb', type: 'boolean', value: false, description:
+       'use ipsec mb lib instead openssl for QAT pmd')
 option('enable_trace_fp', type: 'boolean', value: false, description:
        'enable fast path trace points.')
 option('tests', type: 'boolean', value: true, description:
-- 
2.17.1



* [dpdk-dev v2 2/2] crypto/qat: use intel-ipsec-mb for partial hash & aes
  2022-05-17 14:16 ` [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib Kai Ji
@ 2022-05-17 14:16   ` Kai Ji
  2022-05-17 15:01     ` Zhang, Roy Fan
  2022-05-17 15:00   ` [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib Zhang, Roy Fan
  2022-05-18  8:04   ` Bruce Richardson
  2 siblings, 1 reply; 18+ messages in thread
From: Kai Ji @ 2022-05-17 14:16 UTC (permalink / raw)
  To: dev; +Cc: Kai Ji, Fan Zhang

OpenSSL 3.0 deprecates the low-level API that QAT requires to
perform the partial hash and AES operations when creating a session. This
patch moves that dependency from OpenSSL to intel-ipsec-mb.

Signed-off-by: Kai Ji <kai.ji@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 drivers/crypto/qat/qat_sym_session.c | 353 +++++++++++++++++++++++++--
 1 file changed, 334 insertions(+), 19 deletions(-)

diff --git a/drivers/crypto/qat/qat_sym_session.c b/drivers/crypto/qat/qat_sym_session.c
index 9d6a19c0be..3f806a4b55 100644
--- a/drivers/crypto/qat/qat_sym_session.c
+++ b/drivers/crypto/qat/qat_sym_session.c
@@ -7,6 +7,10 @@
 #include <openssl/md5.h>	/* Needed to calculate pre-compute values */
 #include <openssl/evp.h>	/* Needed for bpi runt block processing */
 
+#ifdef RTE_QAT_LIBIPSECMB
+#include <intel-ipsec-mb.h>
+#endif
+
 #include <rte_memcpy.h>
 #include <rte_common.h>
 #include <rte_spinlock.h>
@@ -22,6 +26,10 @@
 #include "qat_sym_session.h"
 #include "qat_sym.h"
 
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#endif
+
 /* SHA1 - 20 bytes - Initialiser state can be found in FIPS stds 180-2 */
 static const uint8_t sha1InitialState[] = {
 	0x67, 0x45, 0x23, 0x01, 0xef, 0xcd, 0xab, 0x89, 0x98, 0xba,
@@ -470,6 +478,21 @@ qat_sym_session_configure(struct rte_cryptodev *dev,
 		return -ENOMEM;
 	}
 
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	OSSL_PROVIDER * legacy;
+	OSSL_PROVIDER *deflt;
+
+	/* Load Multiple providers into the default (NULL) library context */
+	legacy = OSSL_PROVIDER_load(NULL, "legacy");
+	if (legacy == NULL)
+		return -EINVAL;
+
+	deflt = OSSL_PROVIDER_load(NULL, "default");
+	if (deflt == NULL) {
+		OSSL_PROVIDER_unload(legacy);
+		return  -EINVAL;
+	}
+#endif
 	ret = qat_sym_session_set_parameters(dev, xform, sess_private_data);
 	if (ret != 0) {
 		QAT_LOG(ERR,
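Review bot: The two added `return -EINVAL` paths after `OSSL_PROVIDER_load()` leave the function without undoing earlier work; the `return -ENOMEM` just above suggests the session private data was already obtained, so it probably has to be released first (the function starts outside the hunk, please confirm). The failure branch of `qat_sym_session_set_parameters()` opens at the end of this hunk and continues outside it, but the only `OSSL_PROVIDER_unload()` calls visible are on the success path in the next hunk, so that branch likely needs `OSSL_PROVIDER_unload(legacy); OSSL_PROVIDER_unload(deflt);` before it returns. Loading "legacy" into the default (NULL) library context also makes every session setup fail with `-EINVAL` on hosts where the legacy provider is not installed, and it affects the whole process while loaded. A comment naming which precompute actually needs the legacy provider would let that load be scoped to the algorithms that require it.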
@@ -483,6 +506,10 @@ qat_sym_session_configure(struct rte_cryptodev *dev,
 	set_sym_session_private_data(sess, dev->driver_id,
 		sess_private_data);
 
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	OSSL_PROVIDER_unload(legacy);
+	OSSL_PROVIDER_unload(deflt);
+# endif
 	return 0;
 }
 
@@ -1057,6 +1084,297 @@ static int qat_hash_get_block_size(enum icp_qat_hw_auth_algo qat_hash_alg)
 	return -EFAULT;
 }
 
+#define HMAC_IPAD_VALUE	0x36
+#define HMAC_OPAD_VALUE	0x5c
+#define HASH_XCBC_PRECOMP_KEY_NUM 3
+
+static const uint8_t AES_CMAC_SEED[ICP_QAT_HW_AES_128_KEY_SZ];
+
+#ifdef RTE_QAT_LIBIPSECMB
+static int aes_ipsecmb_job(uint8_t *in, uint8_t *out, IMB_MGR *m,
+		const uint8_t *key, uint16_t auth_keylen)
+{
+	int err;
+	struct IMB_JOB *job;
+	DECLARE_ALIGNED(uint32_t expkey[4*15], 16);
+	DECLARE_ALIGNED(uint32_t dust[4*15], 16);
+
+	if (auth_keylen == ICP_QAT_HW_AES_128_KEY_SZ)
+		IMB_AES_KEYEXP_128(m, key, expkey, dust);
+	else if (auth_keylen == ICP_QAT_HW_AES_192_KEY_SZ)
+		IMB_AES_KEYEXP_192(m, key, expkey, dust);
+	else if (auth_keylen == ICP_QAT_HW_AES_256_KEY_SZ)
+		IMB_AES_KEYEXP_256(m, key, expkey, dust);
+	else
+		return -EFAULT;
+
+	job = IMB_GET_NEXT_JOB(m);
+
+	job->src = in;
+	job->dst = out;
+	job->enc_keys = expkey;
+	job->key_len_in_bytes = auth_keylen;
+	job->msg_len_to_cipher_in_bytes = 16;
+	job->iv_len_in_bytes = 0;
+	job->cipher_direction = IMB_DIR_ENCRYPT;
+	job->cipher_mode = IMB_CIPHER_ECB;
+	job->hash_alg = IMB_AUTH_NULL;
+
+	while (IMB_FLUSH_JOB(m) != NULL)
+		;
+
+	job = IMB_SUBMIT_JOB(m);
+	if (job) {
+		if (job->status == IMB_STATUS_COMPLETED)
+			return 0;
+	}
+
+	err = imb_get_errno(m);
+	if (err)
+		QAT_LOG(ERR, "Error: %s!\n", imb_get_strerror(err));
+
+	return -EFAULT;
+}
+
+static int
+partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg,
+		uint8_t *data_in, uint8_t *data_out)
+{
+	int digest_size;
+	uint8_t digest[qat_hash_get_digest_size(
+			ICP_QAT_HW_AUTH_ALGO_DELIMITER)];
+	uint32_t *hash_state_out_be32;
+	uint64_t *hash_state_out_be64;
+	int i;
+	IMB_MGR *m;
+
+	m = alloc_mb_mgr(0);
+	if (m == NULL)
+		return -ENOMEM;
+	init_mb_mgr_auto(m, NULL);
+
+	/* Initialize to avoid gcc warning */
+	memset(digest, 0, sizeof(digest));
+
+	digest_size = qat_hash_get_digest_size(hash_alg);
+	if (digest_size <= 0)
+		return -EFAULT;
+
+	hash_state_out_be32 = (uint32_t *)data_out;
+	hash_state_out_be64 = (uint64_t *)data_out;
+
+	switch (hash_alg) {
+	case ICP_QAT_HW_AUTH_ALGO_SHA1:
+		IMB_SHA1_ONE_BLOCK(m, data_in, digest);
+		for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
+			*hash_state_out_be32 =
+				rte_bswap32(*(((uint32_t *)digest)+i));
+		break;
+	case ICP_QAT_HW_AUTH_ALGO_SHA224:
+		IMB_SHA224_ONE_BLOCK(m, data_in, digest);
+		for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
+			*hash_state_out_be32 =
+				rte_bswap32(*(((uint32_t *)digest)+i));
+		break;
+	case ICP_QAT_HW_AUTH_ALGO_SHA256:
+		IMB_SHA256_ONE_BLOCK(m, data_in, digest);
+		for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
+			*hash_state_out_be32 =
+				rte_bswap32(*(((uint32_t *)digest)+i));
+		break;
+	case ICP_QAT_HW_AUTH_ALGO_SHA384:
+		IMB_SHA384_ONE_BLOCK(m, data_in, digest);
+		for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)
+			*hash_state_out_be64 =
+				rte_bswap64(*(((uint64_t *)digest)+i));
+		break;
+	case ICP_QAT_HW_AUTH_ALGO_SHA512:
+		IMB_SHA512_ONE_BLOCK(m, data_in, digest);
+		for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)
+			*hash_state_out_be64 =
+				rte_bswap64(*(((uint64_t *)digest)+i));
+		break;
+	case ICP_QAT_HW_AUTH_ALGO_MD5:
+		IMB_MD5_ONE_BLOCK(m, data_in, data_out);
+		break;
+	default:
+		QAT_LOG(ERR, "invalid hash alg %u", hash_alg);
+		return -EFAULT;
+	}
+	free_mb_mgr(m);
+	return 0;
+}
+
+static int qat_sym_do_precomputes(enum icp_qat_hw_auth_algo hash_alg,
+				const uint8_t *auth_key,
+				uint16_t auth_keylen,
+				uint8_t *p_state_buf,
+				uint16_t *p_state_len,
+				uint8_t aes_cmac)
+{
+	int block_size;
+	uint8_t ipad[qat_hash_get_block_size(ICP_QAT_HW_AUTH_ALGO_DELIMITER)];
+	uint8_t opad[qat_hash_get_block_size(ICP_QAT_HW_AUTH_ALGO_DELIMITER)];
+	int i;
+
+	IMB_MGR *m;
+	m = alloc_mb_mgr(0);
+	if (m == NULL)
+		return -ENOMEM;
+
+	init_mb_mgr_auto(m, NULL);
+
+	if (hash_alg == ICP_QAT_HW_AUTH_ALGO_AES_XCBC_MAC) {
+
+		/* CMAC */
+		if (aes_cmac) {
+			uint8_t *in = NULL;
+			uint8_t k0[ICP_QAT_HW_AES_128_KEY_SZ];
+			uint8_t *k1, *k2;
+
+			auth_keylen = ICP_QAT_HW_AES_128_KEY_SZ;
+
+			in = rte_zmalloc("AES CMAC K1",
+					 ICP_QAT_HW_AES_128_KEY_SZ, 16);
+
+			if (in == NULL) {
+				QAT_LOG(ERR, "Failed to alloc memory");
+				return -ENOMEM;
+			}
+
+			rte_memcpy(in, AES_CMAC_SEED,
+				   ICP_QAT_HW_AES_128_KEY_SZ);
+			rte_memcpy(p_state_buf, auth_key, auth_keylen);
+
+			DECLARE_ALIGNED(uint32_t expkey[4*15], 16);
+			DECLARE_ALIGNED(uint32_t dust[4*15], 16);
+			IMB_AES_KEYEXP_128(m, p_state_buf, expkey, dust);
+			k1 = p_state_buf + ICP_QAT_HW_AES_XCBC_MAC_STATE1_SZ;
+			k2 = k1 + ICP_QAT_HW_AES_XCBC_MAC_STATE1_SZ;
+
+			IMB_AES_CMAC_SUBKEY_GEN_128(m, expkey, k1, k2);
+			memset(k0, 0, ICP_QAT_HW_AES_128_KEY_SZ);
+			*p_state_len = ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ;
+			rte_free(in);
+			free_mb_mgr(m);
+			return 0;
+		}
+
+		static uint8_t qat_aes_xcbc_key_seed[
+				ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ] = {
+			0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+			0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+			0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+			0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+			0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+			0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+		};
+
+		uint8_t *in = NULL;
+		uint8_t *out = p_state_buf;
+		int x;
+
+		in = rte_zmalloc("working mem for key",
+				ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ, 16);
+		if (in == NULL) {
+			QAT_LOG(ERR, "Failed to alloc memory");
+			return -ENOMEM;
+		}
+
+		rte_memcpy(in, qat_aes_xcbc_key_seed,
+				ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);
+		for (x = 0; x < HASH_XCBC_PRECOMP_KEY_NUM; x++) {
+			if (aes_ipsecmb_job(in, out, m, auth_key, auth_keylen)) {
+				rte_free(in -
+				  (x * ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ));
+				memset(out -
+				   (x * ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ),
+				  0, ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);
+				return -EFAULT;
+			}
+
+			in += ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ;
+			out += ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ;
+		}
+		*p_state_len = ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ;
+		rte_free(in - x*ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ);
+		free_mb_mgr(m);
+		return 0;
+
+	} else if ((hash_alg == ICP_QAT_HW_AUTH_ALGO_GALOIS_128) ||
+		(hash_alg == ICP_QAT_HW_AUTH_ALGO_GALOIS_64)) {
+		uint8_t *in = NULL;
+		uint8_t *out = p_state_buf;
+
+		memset(p_state_buf, 0, ICP_QAT_HW_GALOIS_H_SZ +
+				ICP_QAT_HW_GALOIS_LEN_A_SZ +
+				ICP_QAT_HW_GALOIS_E_CTR0_SZ);
+		in = rte_zmalloc("working mem for key",
+				ICP_QAT_HW_GALOIS_H_SZ, 16);
+		if (in == NULL) {
+			QAT_LOG(ERR, "Failed to alloc memory");
+			return -ENOMEM;
+		}
+
+		memset(in, 0, ICP_QAT_HW_GALOIS_H_SZ);
+		if (aes_ipsecmb_job(in, out, m, auth_key, auth_keylen))
+			return -EFAULT;
+
+		*p_state_len = ICP_QAT_HW_GALOIS_H_SZ +
+				ICP_QAT_HW_GALOIS_LEN_A_SZ +
+				ICP_QAT_HW_GALOIS_E_CTR0_SZ;
+		rte_free(in);
+		free_mb_mgr(m);
+		return 0;
+	}
+
+	block_size = qat_hash_get_block_size(hash_alg);
+	if (block_size < 0)
+		return block_size;
+	/* init ipad and opad from key and xor with fixed values */
+	memset(ipad, 0, block_size);
+	memset(opad, 0, block_size);
+
+	if (auth_keylen > (unsigned int)block_size) {
+		QAT_LOG(ERR, "invalid keylen %u", auth_keylen);
+		return -EFAULT;
+	}
+	rte_memcpy(ipad, auth_key, auth_keylen);
+	rte_memcpy(opad, auth_key, auth_keylen);
+
+	for (i = 0; i < block_size; i++) {
+		uint8_t *ipad_ptr = ipad + i;
+		uint8_t *opad_ptr = opad + i;
+		*ipad_ptr ^= HMAC_IPAD_VALUE;
+		*opad_ptr ^= HMAC_OPAD_VALUE;
+	}
+
+	/* do partial hash of ipad and copy to state1 */
+	if (partial_hash_compute(hash_alg, ipad, p_state_buf)) {
+		memset(ipad, 0, block_size);
+		memset(opad, 0, block_size);
+		QAT_LOG(ERR, "ipad precompute failed");
+		return -EFAULT;
+	}
+
+	/*
+	 * State len is a multiple of 8, so may be larger than the digest.
+	 * Put the partial hash of opad state_len bytes after state1
+	 */
+	*p_state_len = qat_hash_get_state1_size(hash_alg);
+	if (partial_hash_compute(hash_alg, opad, p_state_buf + *p_state_len)) {
+		memset(ipad, 0, block_size);
+		memset(opad, 0, block_size);
+		QAT_LOG(ERR, "opad precompute failed");
+		return -EFAULT;
+	}
+
+	/*  don't leave data lying around */
+	memset(ipad, 0, block_size);
+	memset(opad, 0, block_size);
+	return 0;
+}
+#else
 static int partial_hash_sha1(uint8_t *data_in, uint8_t *data_out)
 {
 	SHA_CTX ctx;
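Review bot: Several exit paths in the new `RTE_QAT_LIBIPSECMB` code return without releasing what they allocated. `partial_hash_compute` skips `free_mb_mgr(m)` when `digest_size <= 0` and in the `default:` case. `qat_sym_do_precomputes` never frees `m` on the HMAC path (including its final `return 0`), after a failed `rte_zmalloc`, or when `aes_ipsecmb_job` fails, and the GALOIS branch also leaks `in` there. Since the commit message says this code runs when a session is created, repeated session setup, or repeated setup with a rejected algorithm or key length, grows memory each time; a single cleanup exit per function, sketched below, covers it. Separately, the expanded key schedules `expkey`/`dust` in `aes_ipsecmb_job` and in the CMAC branch stay on the stack after return although `ipad`/`opad` are cleared, so they should be wiped on exit as well.

```c
static int
partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg,
		uint8_t *data_in, uint8_t *data_out)
{
	int ret = 0;
	/* … unchanged: other declarations, alloc_mb_mgr(), init_mb_mgr_auto() … */

	digest_size = qat_hash_get_digest_size(hash_alg);
	if (digest_size <= 0) {
		ret = -EFAULT;
		goto out;
	}

	/* … unchanged: per-algorithm one-block hashing and byte swaps … */
	default:
		QAT_LOG(ERR, "invalid hash alg %u", hash_alg);
		ret = -EFAULT;
		break;
	}
out:
	free_mb_mgr(m);
	return ret;
}

/* qat_sym_do_precomputes(), GALOIS branch */
		if (aes_ipsecmb_job(in, out, m, auth_key, auth_keylen)) {
			rte_free(in);
			free_mb_mgr(m);
			return -EFAULT;
		}
/* … HMAC path: free_mb_mgr(m) before every return, including the final return 0 … */
```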
@@ -1124,6 +1442,20 @@ static int partial_hash_md5(uint8_t *data_in, uint8_t *data_out)
 	return 0;
 }
 
+static void aes_cmac_key_derive(uint8_t *base, uint8_t *derived)
+{
+	int i;
+
+	derived[0] = base[0] << 1;
+	for (i = 1; i < ICP_QAT_HW_AES_BLK_SZ ; i++) {
+		derived[i] = base[i] << 1;
+		derived[i - 1] |= base[i] >> 7;
+	}
+
+	if (base[0] & 0x80)
+		derived[ICP_QAT_HW_AES_BLK_SZ - 1] ^= QAT_AES_CMAC_CONST_RB;
+}
+
 static int
 partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg,
 		uint8_t *data_in, uint8_t *data_out)
@@ -1192,25 +1524,6 @@ partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg,
 
 	return 0;
 }
-#define HMAC_IPAD_VALUE	0x36
-#define HMAC_OPAD_VALUE	0x5c
-#define HASH_XCBC_PRECOMP_KEY_NUM 3
-
-static const uint8_t AES_CMAC_SEED[ICP_QAT_HW_AES_128_KEY_SZ];
-
-static void aes_cmac_key_derive(uint8_t *base, uint8_t *derived)
-{
-	int i;
-
-	derived[0] = base[0] << 1;
-	for (i = 1; i < ICP_QAT_HW_AES_BLK_SZ ; i++) {
-		derived[i] = base[i] << 1;
-		derived[i - 1] |= base[i] >> 7;
-	}
-
-	if (base[0] & 0x80)
-		derived[ICP_QAT_HW_AES_BLK_SZ - 1] ^= QAT_AES_CMAC_CONST_RB;
-}
 
 static int qat_sym_do_precomputes(enum icp_qat_hw_auth_algo hash_alg,
 				const uint8_t *auth_key,
@@ -1279,6 +1592,7 @@ static int qat_sym_do_precomputes(enum icp_qat_hw_auth_algo hash_alg,
 			uint8_t *in = NULL;
 			uint8_t *out = p_state_buf;
 			int x;
+
 			AES_KEY enc_key;
 
 			in = rte_zmalloc("working mem for key",
@@ -1385,6 +1699,7 @@ static int qat_sym_do_precomputes(enum icp_qat_hw_auth_algo hash_alg,
 	memset(opad, 0, block_size);
 	return 0;
 }
+#endif
 
 static void
 qat_sym_session_init_common_hdr(struct qat_sym_session *session)
-- 
2.17.1



* RE: [External] : [PATCH] crypto/qat: use intel-ipsec-mb for partial hash
  2022-04-20 18:14   ` Changchun Zhang
@ 2022-05-17 14:21     ` Ji, Kai
  0 siblings, 0 replies; 18+ messages in thread
From: Ji, Kai @ 2022-05-17 14:21 UTC (permalink / raw)
  To: Zhang, Changchun, Zhang, Roy Fan, dev; +Cc: gakhil, Zhang, Roy Fan


Please see v2: http://patchwork.dpdk.org/project/dpdk/list/?series=22973

Regards

Kai


Does this mean intel-ipsec-mb would be a prerequisite for using QAT offloading in security applications? If this is the case, as far as I know, intel-ipsec-mb has no FIPS certification yet. Thus I am thinking this would impact existing QAT-based security applications, right?

Best Regards,
Changchun Zhang





* RE: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib
  2022-05-17 14:16 ` [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib Kai Ji
  2022-05-17 14:16   ` [dpdk-dev v2 2/2] crypto/qat: use intel-ipsec-mb for partial hash & aes Kai Ji
@ 2022-05-17 15:00   ` Zhang, Roy Fan
  2022-05-18  8:04   ` Bruce Richardson
  2 siblings, 0 replies; 18+ messages in thread
From: Zhang, Roy Fan @ 2022-05-17 15:00 UTC (permalink / raw)
  To: Ji, Kai, dev; +Cc: Ji, Kai, gakhil

> -----Original Message-----
> From: Kai Ji <kai.ji@intel.com>
> Sent: Tuesday, May 17, 2022 3:17 PM
> To: dev@dpdk.org
> Cc: Ji, Kai <kai.ji@intel.com>
> Subject: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib
> 
> Add in build option for QAT pmd use intel ipsec-mb lib
> instead openssl for precompute partial hash & aes.
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---
Please don't forget to CC maintainer next time :-)

Acked-by: Fan Zhang <roy.fan.zhang@intel.com>


* RE: [dpdk-dev v2 2/2] crypto/qat: use intel-ipsec-mb for partial hash & aes
  2022-05-17 14:16   ` [dpdk-dev v2 2/2] crypto/qat: use intel-ipsec-mb for partial hash & aes Kai Ji
@ 2022-05-17 15:01     ` Zhang, Roy Fan
  0 siblings, 0 replies; 18+ messages in thread
From: Zhang, Roy Fan @ 2022-05-17 15:01 UTC (permalink / raw)
  To: Ji, Kai, dev

> -----Original Message-----
> From: Ji, Kai <kai.ji@intel.com>
> Sent: Tuesday, May 17, 2022 3:17 PM
> To: dev@dpdk.org
> Cc: Ji, Kai <kai.ji@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: [dpdk-dev v2 2/2] crypto/qat: use intel-ipsec-mb for partial hash &
> aes
> 
> Since openssl 3.0 now deprecates the low level API QAT required to
> perform partial hash & aes operation when creating the session. This
> patch is to transfer such dependency from openssl to intel-ipsec-mb.
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> ---
Please don't forget to CC maintainer next time :-)

Acked-by: Fan Zhang <roy.fan.zhang@intel.com>


* Re: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib
  2022-05-17 14:16 ` [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib Kai Ji
  2022-05-17 14:16   ` [dpdk-dev v2 2/2] crypto/qat: use intel-ipsec-mb for partial hash & aes Kai Ji
  2022-05-17 15:00   ` [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib Zhang, Roy Fan
@ 2022-05-18  8:04   ` Bruce Richardson
  2022-05-18 10:26     ` Ferruh Yigit
  2 siblings, 1 reply; 18+ messages in thread
From: Bruce Richardson @ 2022-05-18  8:04 UTC (permalink / raw)
  To: Kai Ji; +Cc: dev, roy.fan.zhang

On Tue, May 17, 2022 at 10:16:51PM +0800, Kai Ji wrote:
> Add in build option for QAT pmd use intel ipsec-mb lib
> instead openssl for precompute partial hash & aes.
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---
>  drivers/common/qat/meson.build | 12 ++++++++++++
>  meson_options.txt              |  2 ++
>  2 files changed, 14 insertions(+)
> 
> diff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.build
> index b7027f3164..d6eaff3e0e 100644
> --- a/drivers/common/qat/meson.build
> +++ b/drivers/common/qat/meson.build
> @@ -35,6 +35,18 @@ if qat_crypto and not libcrypto.found()
>              'missing dependency, libcrypto')
>  endif
>  
> +if get_option('qat_libipsecmb')
> +    IMB_required_ver = '1.0.0'
> +    libipsecmb = cc.find_library('IPSec_MB', required: false)
> +    if not lib.found()
> +        build = false
> +        reason = 'missing dependency, "libIPSec_MB"'
> +    else
> +        ext_deps += libipsecmb
> +        dpdk_conf.set('RTE_QAT_LIBIPSECMB', true)
> +    endif
> +endif
> +
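Review bot: The `found()` test is called on `lib`, not on the `libipsecmb` object returned by `cc.find_library` on the line above, so unless `lib` happens to be defined elsewhere in the build files the check never looks at the IPSec_MB lookup; `if not libipsecmb.found()` is presumably what was meant. `IMB_required_ver` is also assigned but not compared against anything in this hunk, so no minimum library version is actually enforced. Either add the version check or drop the variable, otherwise an older library could be picked up with `RTE_QAT_LIBIPSECMB` still set.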

In general it's not a good idea for individual drivers to add top-level
meson.build options. If every driver does this for all its options we will
have an unmanageable set of hundreds of options. Unfortunately, though, I
don't see a really good way to replace this with something other than a
build option - I assume it's not just good enough to check which of the
dependencies is found/not-found? Is there some way that this can be a
generic option, that may be applicable to other drivers? Could the option
be instead to prioritize FIPs compatibility?

/Bruce


* Re: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib
  2022-05-18  8:04   ` Bruce Richardson
@ 2022-05-18 10:26     ` Ferruh Yigit
  2022-05-18 10:33       ` Bruce Richardson
  2022-05-19  9:22       ` Zhang, Roy Fan
  0 siblings, 2 replies; 18+ messages in thread
From: Ferruh Yigit @ 2022-05-18 10:26 UTC (permalink / raw)
  To: Bruce Richardson, Kai Ji; +Cc: dev, roy.fan.zhang

On 5/18/2022 9:04 AM, Bruce Richardson wrote:
> On Tue, May 17, 2022 at 10:16:51PM +0800, Kai Ji wrote:
>> Add in build option for QAT pmd use intel ipsec-mb lib
>> instead openssl for precompute partial hash & aes.
>>
>> Signed-off-by: Kai Ji <kai.ji@intel.com>
>> ---
>>   drivers/common/qat/meson.build | 12 ++++++++++++
>>   meson_options.txt              |  2 ++
>>   2 files changed, 14 insertions(+)
>>
>> diff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.build
>> index b7027f3164..d6eaff3e0e 100644
>> --- a/drivers/common/qat/meson.build
>> +++ b/drivers/common/qat/meson.build
>> @@ -35,6 +35,18 @@ if qat_crypto and not libcrypto.found()
>>               'missing dependency, libcrypto')
>>   endif
>>   
>> +if get_option('qat_libipsecmb')
>> +    IMB_required_ver = '1.0.0'
>> +    libipsecmb = cc.find_library('IPSec_MB', required: false)
>> +    if not lib.found()
>> +        build = false
>> +        reason = 'missing dependency, "libIPSec_MB"'
>> +    else
>> +        ext_deps += libipsecmb
>> +        dpdk_conf.set('RTE_QAT_LIBIPSECMB', true)
>> +    endif
>> +endif
>> +
> 
> In general it's not a good idea for individual drivers to add top-level
> meson.build options. If every driver does this for all its options we will
> have an unmanageable set of hundreds of options. Unfortunately, though, I
> don't see a really good way to replace this with something other than a
> build option - I assume it's not just good enough to check which of the
> dependencies is found/not-found? Is there some way that this can be a
> generic option, that may be applicable to other drivers? Could the option
> be instead to prioritize FIPs compatibility?
> 

+1 to not have top level meson option for a driver.

Will it work to give priority to intel-ipsec-mb lib, like when ipsec-mb 
library exists use it, else use openssl?


* Re: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib
  2022-05-18 10:26     ` Ferruh Yigit
@ 2022-05-18 10:33       ` Bruce Richardson
  2022-05-18 13:35         ` Ji, Kai
  2022-05-19  9:14         ` Zhang, Roy Fan
  2022-05-19  9:22       ` Zhang, Roy Fan
  1 sibling, 2 replies; 18+ messages in thread
From: Bruce Richardson @ 2022-05-18 10:33 UTC (permalink / raw)
  To: Ferruh Yigit; +Cc: Kai Ji, dev, roy.fan.zhang

On Wed, May 18, 2022 at 11:26:27AM +0100, Ferruh Yigit wrote:
> On 5/18/2022 9:04 AM, Bruce Richardson wrote:
> > On Tue, May 17, 2022 at 10:16:51PM +0800, Kai Ji wrote:
> > > Add in build option for QAT pmd use intel ipsec-mb lib
> > > instead openssl for precompute partial hash & aes.
> > > 
> > > Signed-off-by: Kai Ji <kai.ji@intel.com>
> > > ---
> > >   drivers/common/qat/meson.build | 12 ++++++++++++
> > >   meson_options.txt              |  2 ++
> > >   2 files changed, 14 insertions(+)
> > > 
> > > diff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.build
> > > index b7027f3164..d6eaff3e0e 100644
> > > --- a/drivers/common/qat/meson.build
> > > +++ b/drivers/common/qat/meson.build
> > > @@ -35,6 +35,18 @@ if qat_crypto and not libcrypto.found()
> > >               'missing dependency, libcrypto')
> > >   endif
> > > +if get_option('qat_libipsecmb')
> > > +    IMB_required_ver = '1.0.0'
> > > +    libipsecmb = cc.find_library('IPSec_MB', required: false)
> > > +    if not lib.found()
> > > +        build = false
> > > +        reason = 'missing dependency, "libIPSec_MB"'
> > > +    else
> > > +        ext_deps += libipsecmb
> > > +        dpdk_conf.set('RTE_QAT_LIBIPSECMB', true)
> > > +    endif
> > > +endif
> > > +
> > 
> > In general it's not a good idea for individual drivers to add top-level
> > meson.build options. If every driver does this for all its options we will
> > have an unmanageable set of hundreds of options. Unfortunately, though, I
> > don't see a really good way to replace this with something other than a
> > build option - I assume it's not just good enough to check which of the
> > dependencies is found/not-found? Is there some way that this can be a
> > generic option, that may be applicable to other drivers? Could the option
> > be instead to prioritize FIPs compatibility?
> > 
> 
> +1 to not have top level meson option for a driver.
> 
> Will it work to give priority to intel-ipsec-mb lib, like when ipsec-mb
> library exists use it, else use openssl?

Looking at the patch a bit more, is there a reason why this cannot be made
a run-time option when both libraries are available?


* RE: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib
  2022-05-18 10:33       ` Bruce Richardson
@ 2022-05-18 13:35         ` Ji, Kai
  2022-05-19  9:14         ` Zhang, Roy Fan
  1 sibling, 0 replies; 18+ messages in thread
From: Ji, Kai @ 2022-05-18 13:35 UTC (permalink / raw)
  To: Richardson, Bruce, Ferruh Yigit; +Cc: dev, Zhang, Roy Fan

Hi Bruce,

We want users to have the ability to choose which lib they want to use, so the original design was to make the build option temporary, and it will be removed after ipsec-mb is FIPS certified.

Will look into the runtime option to avoid top level build option modification.

Regards

Kai 

> Looking at the patch a bit more, is there a reason why this cannot be made a run-
> time option when both libraries are available?


* RE: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib
  2022-05-18 10:33       ` Bruce Richardson
  2022-05-18 13:35         ` Ji, Kai
@ 2022-05-19  9:14         ` Zhang, Roy Fan
  2022-05-19 10:22           ` Bruce Richardson
  1 sibling, 1 reply; 18+ messages in thread
From: Zhang, Roy Fan @ 2022-05-19  9:14 UTC (permalink / raw)
  To: Richardson, Bruce, Ferruh Yigit; +Cc: Ji, Kai, dev

> -----Original Message-----
> From: Richardson, Bruce <bruce.richardson@intel.com>
> Sent: Wednesday, May 18, 2022 11:33 AM
> To: Ferruh Yigit <ferruh.yigit@xilinx.com>
> Cc: Ji, Kai <kai.ji@intel.com>; dev@dpdk.org; Zhang, Roy Fan
> <roy.fan.zhang@intel.com>
> Subject: Re: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb
> lib
> 
> On Wed, May 18, 2022 at 11:26:27AM +0100, Ferruh Yigit wrote:
> > On 5/18/2022 9:04 AM, Bruce Richardson wrote:
> > > On Tue, May 17, 2022 at 10:16:51PM +0800, Kai Ji wrote:
> > > > Add in build option for QAT pmd use intel ipsec-mb lib
> > > > instead openssl for precompute partial hash & aes.
> > > >
> > > > Signed-off-by: Kai Ji <kai.ji@intel.com>
> > > > ---
> > > >   drivers/common/qat/meson.build | 12 ++++++++++++
> > > >   meson_options.txt              |  2 ++
> > > >   2 files changed, 14 insertions(+)
> > > >
> > > > diff --git a/drivers/common/qat/meson.build
> b/drivers/common/qat/meson.build
> > > > index b7027f3164..d6eaff3e0e 100644
> > > > --- a/drivers/common/qat/meson.build
> > > > +++ b/drivers/common/qat/meson.build
> > > > @@ -35,6 +35,18 @@ if qat_crypto and not libcrypto.found()
> > > >               'missing dependency, libcrypto')
> > > >   endif
> > > > +if get_option('qat_libipsecmb')
> > > > +    IMB_required_ver = '1.0.0'
> > > > +    libipsecmb = cc.find_library('IPSec_MB', required: false)
> > > > +    if not lib.found()
> > > > +        build = false
> > > > +        reason = 'missing dependency, "libIPSec_MB"'
> > > > +    else
> > > > +        ext_deps += libipsecmb
> > > > +        dpdk_conf.set('RTE_QAT_LIBIPSECMB', true)
> > > > +    endif
> > > > +endif
> > > > +
> > >
> > > In general it's not a good idea for individual drivers to add top-level
> > > meson.build options. If every driver does this for all its options we will
> > > have an unmanageable set of hundreds of options. Unfortunately,
> though, I
> > > don't see a really good way to replace this with something other than a
> > > build option - I assume it's not just good enough to check which of the
> > > dependencies is found/not-found? Is there some way that this can be a
> > > generic option, that may be applicable to other drivers? Could the option
> > > be instead to prioritize FIPs compatibility?
> > >
> >
> > +1 to not have top level meson option for a driver.
> >
> > Will it work to give priority to intel-ipsec-mb lib, like when ipsec-mb
> > library exists use it, else use openssl?
> 
> Looking at the patch a bit more, is there a reason why this cannot be made
> a run-time option when both libraries are available?

Hi Bruce,

Thanks for the review.
Are you suggesting adding a EAL option to the QAT PMD?

Regards,
Fan




* RE: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib
  2022-05-18 10:26     ` Ferruh Yigit
  2022-05-18 10:33       ` Bruce Richardson
@ 2022-05-19  9:22       ` Zhang, Roy Fan
  2022-05-19 11:15         ` Ferruh Yigit
  1 sibling, 1 reply; 18+ messages in thread
From: Zhang, Roy Fan @ 2022-05-19  9:22 UTC (permalink / raw)
  To: Ferruh Yigit, Richardson, Bruce, Ji, Kai; +Cc: dev



> -----Original Message-----
> From: Ferruh Yigit <ferruh.yigit@xilinx.com>
> Sent: Wednesday, May 18, 2022 11:26 AM
> To: Richardson, Bruce <bruce.richardson@intel.com>; Ji, Kai
> <kai.ji@intel.com>
> Cc: dev@dpdk.org; Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: Re: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb
> lib
> 
> On 5/18/2022 9:04 AM, Bruce Richardson wrote:
> > On Tue, May 17, 2022 at 10:16:51PM +0800, Kai Ji wrote:
> >> Add in build option for QAT pmd use intel ipsec-mb lib
> >> instead openssl for precompute partial hash & aes.
> >>
> >> Signed-off-by: Kai Ji <kai.ji@intel.com>
> >> ---
> >>   drivers/common/qat/meson.build | 12 ++++++++++++
> >>   meson_options.txt              |  2 ++
> >>   2 files changed, 14 insertions(+)
> >>
> >> diff --git a/drivers/common/qat/meson.build
> b/drivers/common/qat/meson.build
> >> index b7027f3164..d6eaff3e0e 100644
> >> --- a/drivers/common/qat/meson.build
> >> +++ b/drivers/common/qat/meson.build
> >> @@ -35,6 +35,18 @@ if qat_crypto and not libcrypto.found()
> >>               'missing dependency, libcrypto')
> >>   endif
> >>
> >> +if get_option('qat_libipsecmb')
> >> +    IMB_required_ver = '1.0.0'
> >> +    libipsecmb = cc.find_library('IPSec_MB', required: false)
> >> +    if not lib.found()
> >> +        build = false
> >> +        reason = 'missing dependency, "libIPSec_MB"'
> >> +    else
> >> +        ext_deps += libipsecmb
> >> +        dpdk_conf.set('RTE_QAT_LIBIPSECMB', true)
> >> +    endif
> >> +endif
> >> +
> >
> > In general it's not a good idea for individual drivers to add top-level
> > meson.build options. If every driver does this for all its options we will
> > have an unmanageable set of hundreds of options. Unfortunately, though,
> I
> > don't see a really good way to replace this with something other than a
> > build option - I assume it's not just good enough to check which of the
> > dependencies is found/not-found? Is there some way that this can be a
> > generic option, that may be applicable to other drivers? Could the option
> > be instead to prioritize FIPs compatibility?
> >
> 
> +1 to not have top level meson option for a driver.
> 
> Will it work to give priority to intel-ipsec-mb lib, like when ipsec-mb
> library exists use it, else use openssl?

Hi Ferruh,

If both ipsec-mb and openssl 3.0 are present in the system:
- Choosing openssl 3.0 will result in deprecated API warnings.
- Choosing ipsec-mb will ruin the FIPS compliance of the QAT PMD.
That's why we think it should be up to the user to select which way to do the small cipher/hash ops.

Regards,
fan



* Re: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib
  2022-05-19  9:14         ` Zhang, Roy Fan
@ 2022-05-19 10:22           ` Bruce Richardson
  2022-05-19 12:25             ` Zhang, Roy Fan
  0 siblings, 1 reply; 18+ messages in thread
From: Bruce Richardson @ 2022-05-19 10:22 UTC (permalink / raw)
  To: Zhang, Roy Fan; +Cc: Ferruh Yigit, Ji, Kai, dev

On Thu, May 19, 2022 at 10:14:14AM +0100, Zhang, Roy Fan wrote:
> > -----Original Message-----
> > From: Richardson, Bruce <bruce.richardson@intel.com>
> > Sent: Wednesday, May 18, 2022 11:33 AM
> > To: Ferruh Yigit <ferruh.yigit@xilinx.com>
> > Cc: Ji, Kai <kai.ji@intel.com>; dev@dpdk.org; Zhang, Roy Fan
> > <roy.fan.zhang@intel.com>
> > Subject: Re: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb
> > lib
> >
> > On Wed, May 18, 2022 at 11:26:27AM +0100, Ferruh Yigit wrote:
> > > On 5/18/2022 9:04 AM, Bruce Richardson wrote:
> > > > On Tue, May 17, 2022 at 10:16:51PM +0800, Kai Ji wrote:
> > > > > Add in build option for QAT pmd use intel ipsec-mb lib
> > > > > instead openssl for precompute partial hash & aes.
> > > > >
> > > > > Signed-off-by: Kai Ji <kai.ji@intel.com>
> > > > > ---
> > > > >   drivers/common/qat/meson.build | 12 ++++++++++++
> > > > >   meson_options.txt              |  2 ++
> > > > >   2 files changed, 14 insertions(+)
> > > > >
> > > > > diff --git a/drivers/common/qat/meson.build
> > b/drivers/common/qat/meson.build
> > > > > index b7027f3164..d6eaff3e0e 100644
> > > > > --- a/drivers/common/qat/meson.build
> > > > > +++ b/drivers/common/qat/meson.build
> > > > > @@ -35,6 +35,18 @@ if qat_crypto and not libcrypto.found()
> > > > >               'missing dependency, libcrypto')
> > > > >   endif
> > > > > +if get_option('qat_libipsecmb')
> > > > > +    IMB_required_ver = '1.0.0'
> > > > > +    libipsecmb = cc.find_library('IPSec_MB', required: false)
> > > > > +    if not lib.found()
> > > > > +        build = false
> > > > > +        reason = 'missing dependency, "libIPSec_MB"'
> > > > > +    else
> > > > > +        ext_deps += libipsecmb
> > > > > +        dpdk_conf.set('RTE_QAT_LIBIPSECMB', true)
> > > > > +    endif
> > > > > +endif
> > > > > +
> > > >
> > > > In general it's not a good idea for individual drivers to add top-level
> > > > meson.build options. If every driver does this for all its options we will
> > > > have an unmanageable set of hundreds of options. Unfortunately,
> > though, I
> > > > don't see a really good way to replace this with something other than a
> > > > build option - I assume it's not just good enough to check which of the
> > > > dependencies is found/not-found? Is there some way that this can be a
> > > > generic option, that may be applicable to other drivers? Could the option
> > > > be instead to prioritize FIPs compatibility?
> > > >
> > >
> > > +1 to not have top level meson option for a driver.
> > >
> > > Will it work to give priority to intel-ipsec-mb lib, like when ipsec-mb
> > > library exists use it, else use openssl?
> >
> > Looking at the patch a bit more, is there a reason why this cannot be made
> > a run-time option when both libraries are available?
> 
> Hi Bruce,
> 
> Thanks for the review.
> Are you suggesting adding a EAL option to the QAT PMD?
>
I was thinking you can add a driver option, to allow switching from the
default if both openssl and ipsec-mb were available to be compiled in. 


* Re: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib
  2022-05-19  9:22       ` Zhang, Roy Fan
@ 2022-05-19 11:15         ` Ferruh Yigit
  0 siblings, 0 replies; 18+ messages in thread
From: Ferruh Yigit @ 2022-05-19 11:15 UTC (permalink / raw)
  To: Zhang, Roy Fan, Ferruh Yigit, Richardson, Bruce, Ji, Kai; +Cc: dev

On 5/19/2022 10:22 AM, Zhang, Roy Fan wrote:

> 
>> -----Original Message-----
>> From: Ferruh Yigit <ferruh.yigit@xilinx.com>
>> Sent: Wednesday, May 18, 2022 11:26 AM
>> To: Richardson, Bruce <bruce.richardson@intel.com>; Ji, Kai
>> <kai.ji@intel.com>
>> Cc: dev@dpdk.org; Zhang, Roy Fan <roy.fan.zhang@intel.com>
>> Subject: Re: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb
>> lib
>>
>> On 5/18/2022 9:04 AM, Bruce Richardson wrote:
>>> On Tue, May 17, 2022 at 10:16:51PM +0800, Kai Ji wrote:
>>>> Add in build option for QAT pmd use intel ipsec-mb lib
>>>> instead openssl for precompute partial hash & aes.
>>>>
>>>> Signed-off-by: Kai Ji <kai.ji@intel.com>
>>>> ---
>>>>    drivers/common/qat/meson.build | 12 ++++++++++++
>>>>    meson_options.txt              |  2 ++
>>>>    2 files changed, 14 insertions(+)
>>>>
>>>> diff --git a/drivers/common/qat/meson.build
>> b/drivers/common/qat/meson.build
>>>> index b7027f3164..d6eaff3e0e 100644
>>>> --- a/drivers/common/qat/meson.build
>>>> +++ b/drivers/common/qat/meson.build
>>>> @@ -35,6 +35,18 @@ if qat_crypto and not libcrypto.found()
>>>>                'missing dependency, libcrypto')
>>>>    endif
>>>>
>>>> +if get_option('qat_libipsecmb')
>>>> +    IMB_required_ver = '1.0.0'
>>>> +    libipsecmb = cc.find_library('IPSec_MB', required: false)
>>>> +    if not lib.found()
>>>> +        build = false
>>>> +        reason = 'missing dependency, "libIPSec_MB"'
>>>> +    else
>>>> +        ext_deps += libipsecmb
>>>> +        dpdk_conf.set('RTE_QAT_LIBIPSECMB', true)
>>>> +    endif
>>>> +endif
>>>> +
>>>
>>> In general it's not a good idea for individual drivers to add top-level
>>> meson.build options. If every driver does this for all its options we will
>>> have an unmanageable set of hundreds of options. Unfortunately, though,
>> I
>>> don't see a really good way to replace this with something other than a
>>> build option - I assume it's not just good enough to check which of the
>>> dependencies is found/not-found? Is there some way that this can be a
>>> generic option, that may be applicable to other drivers? Could the option
>>> be instead to prioritize FIPs compatibility?
>>>
>>
>> +1 to not have top level meson option for a driver.
>>
>> Will it work to give priority to intel-ipsec-mb lib, like when ipsec-mb
>> library exists use it, else use openssl?
> 
> Hi Ferruh,
> 
> If both ipsec-mb and openssl3.0 presents in the system.
> - Choose openssl 3.0 will result in deprecated API warnings.
> - Choose ipsec-mb will ruin the FIPs compliance of QAT PMD.
> That's why we think it shall be up to user to select which way to do small cipher/hash op.
> 

Hi Fan, got it. So the runtime devarg option Bruce mentioned can be a 
solution, if it works.



* RE: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib
  2022-05-19 10:22           ` Bruce Richardson
@ 2022-05-19 12:25             ` Zhang, Roy Fan
  2022-05-19 14:39               ` Bruce Richardson
  0 siblings, 1 reply; 18+ messages in thread
From: Zhang, Roy Fan @ 2022-05-19 12:25 UTC (permalink / raw)
  To: Richardson, Bruce; +Cc: Ferruh Yigit, Ji, Kai, dev

Hi Bruce,

> -----Original Message-----
> From: Richardson, Bruce <bruce.richardson@intel.com>
> Sent: Thursday, May 19, 2022 11:23 AM
> To: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Cc: Ferruh Yigit <ferruh.yigit@xilinx.com>; Ji, Kai <kai.ji@intel.com>;
> dev@dpdk.org
> Subject: Re: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb
> lib
> 
> On Thu, May 19, 2022 at 10:14:14AM +0100, Zhang, Roy Fan wrote:
> > > -----Original Message-----
> > > From: Richardson, Bruce <bruce.richardson@intel.com>
> > > Sent: Wednesday, May 18, 2022 11:33 AM
> > > To: Ferruh Yigit <ferruh.yigit@xilinx.com>
> > > Cc: Ji, Kai <kai.ji@intel.com>; dev@dpdk.org; Zhang, Roy Fan
> > > <roy.fan.zhang@intel.com>
> > > Subject: Re: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-
> mb
> > > lib
> > >
> > > On Wed, May 18, 2022 at 11:26:27AM +0100, Ferruh Yigit wrote:
> > > > On 5/18/2022 9:04 AM, Bruce Richardson wrote:
> > > > > On Tue, May 17, 2022 at 10:16:51PM +0800, Kai Ji wrote:
> > > > > > Add in build option for QAT pmd use intel ipsec-mb lib
> > > > > > instead openssl for precompute partial hash & aes.
> > > > > >
> > > > > > Signed-off-by: Kai Ji <kai.ji@intel.com>
> > > > > > ---
> > > > > >   drivers/common/qat/meson.build | 12 ++++++++++++
> > > > > >   meson_options.txt              |  2 ++
> > > > > >   2 files changed, 14 insertions(+)
> > > > > >
> > > > > > diff --git a/drivers/common/qat/meson.build
> > > b/drivers/common/qat/meson.build
> > > > > > index b7027f3164..d6eaff3e0e 100644
> > > > > > --- a/drivers/common/qat/meson.build
> > > > > > +++ b/drivers/common/qat/meson.build
> > > > > > @@ -35,6 +35,18 @@ if qat_crypto and not libcrypto.found()
> > > > > >               'missing dependency, libcrypto')
> > > > > >   endif
> > > > > > +if get_option('qat_libipsecmb')
> > > > > > +    IMB_required_ver = '1.0.0'
> > > > > > +    libipsecmb = cc.find_library('IPSec_MB', required: false)
> > > > > > +    if not lib.found()
> > > > > > +        build = false
> > > > > > +        reason = 'missing dependency, "libIPSec_MB"'
> > > > > > +    else
> > > > > > +        ext_deps += libipsecmb
> > > > > > +        dpdk_conf.set('RTE_QAT_LIBIPSECMB', true)
> > > > > > +    endif
> > > > > > +endif
> > > > > > +
> > > > >
> > > > > In general it's not a good idea for individual drivers to add top-level
> > > > > meson.build options. If every driver does this for all its options we will
> > > > > have an unmanageable set of hundreds of options. Unfortunately,
> > > though, I
> > > > > don't see a really good way to replace this with something other than
> a
> > > > > build option - I assume it's not just good enough to check which of the
> > > > > dependencies is found/not-found? Is there some way that this can be
> a
> > > > > generic option, that may be applicable to other drivers? Could the
> option
> > > > > be instead to prioritize FIPs compatibility?
> > > > >
> > > >
> > > > +1 to not have top level meson option for a driver.
> > > >
> > > > Will it work to give priority to intel-ipsec-mb lib, like when ipsec-mb
> > > > library exists use it, else use openssl?
> > >
> > > Looking at the patch a bit more, is there a reason why this cannot be
> made
> > > a run-time option when both libraries are available?
> >
> > Hi Bruce,
> >
> > Thanks for the review.
> > Are you suggesting adding a EAL option to the QAT PMD?
> >
> I was thinking you can add a driver option, to allow switching from the
> default if both openssl and ipsec-mb were available to be compiled in.

We may have to use macros to filter out the deprecated openssl API calls;
otherwise the warnings may still be there. Also, what kind of driver option
are we talking about - is there any reference you can point us to? Much appreciated!

Regards,
Fan


* Re: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb lib
  2022-05-19 12:25             ` Zhang, Roy Fan
@ 2022-05-19 14:39               ` Bruce Richardson
  0 siblings, 0 replies; 18+ messages in thread
From: Bruce Richardson @ 2022-05-19 14:39 UTC (permalink / raw)
  To: Zhang, Roy Fan; +Cc: Ferruh Yigit, Ji, Kai, dev

On Thu, May 19, 2022 at 01:25:25PM +0100, Zhang, Roy Fan wrote:
> Hi Bruce,
> 
> > -----Original Message-----
> > From: Richardson, Bruce <bruce.richardson@intel.com>
> > Sent: Thursday, May 19, 2022 11:23 AM
> > To: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> > Cc: Ferruh Yigit <ferruh.yigit@xilinx.com>; Ji, Kai <kai.ji@intel.com>;
> > dev@dpdk.org
> > Subject: Re: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-mb
> > lib
> >
> > On Thu, May 19, 2022 at 10:14:14AM +0100, Zhang, Roy Fan wrote:
> > > > -----Original Message-----
> > > > From: Richardson, Bruce <bruce.richardson@intel.com>
> > > > Sent: Wednesday, May 18, 2022 11:33 AM
> > > > To: Ferruh Yigit <ferruh.yigit@xilinx.com>
> > > > Cc: Ji, Kai <kai.ji@intel.com>; dev@dpdk.org; Zhang, Roy Fan
> > > > <roy.fan.zhang@intel.com>
> > > > Subject: Re: [dpdk-dev v2 1/2] build: add in option for qat use intel ipsec-
> > mb
> > > > lib
> > > >
> > > > On Wed, May 18, 2022 at 11:26:27AM +0100, Ferruh Yigit wrote:
> > > > > On 5/18/2022 9:04 AM, Bruce Richardson wrote:
> > > > > > On Tue, May 17, 2022 at 10:16:51PM +0800, Kai Ji wrote:
> > > > > > > Add in build option for QAT pmd use intel ipsec-mb lib
> > > > > > > instead openssl for precompute partial hash & aes.
> > > > > > >
> > > > > > > Signed-off-by: Kai Ji <kai.ji@intel.com>
> > > > > > > ---
> > > > > > >   drivers/common/qat/meson.build | 12 ++++++++++++
> > > > > > >   meson_options.txt              |  2 ++
> > > > > > >   2 files changed, 14 insertions(+)
> > > > > > >
> > > > > > > diff --git a/drivers/common/qat/meson.build
> > > > b/drivers/common/qat/meson.build
> > > > > > > index b7027f3164..d6eaff3e0e 100644
> > > > > > > --- a/drivers/common/qat/meson.build
> > > > > > > +++ b/drivers/common/qat/meson.build
> > > > > > > @@ -35,6 +35,18 @@ if qat_crypto and not libcrypto.found()
> > > > > > >               'missing dependency, libcrypto')
> > > > > > >   endif
> > > > > > > +if get_option('qat_libipsecmb')
> > > > > > > +    IMB_required_ver = '1.0.0'
> > > > > > > +    libipsecmb = cc.find_library('IPSec_MB', required: false)
> > > > > > > +    if not lib.found()
> > > > > > > +        build = false
> > > > > > > +        reason = 'missing dependency, "libIPSec_MB"'
> > > > > > > +    else
> > > > > > > +        ext_deps += libipsecmb
> > > > > > > +        dpdk_conf.set('RTE_QAT_LIBIPSECMB', true)
> > > > > > > +    endif
> > > > > > > +endif
> > > > > > > +
> > > > > >
> > > > > > In general it's not a good idea for individual drivers to add top-level
> > > > > > meson.build options. If every driver does this for all its options we will
> > > > > > have an unmanageable set of hundreds of options. Unfortunately,
> > > > though, I
> > > > > > don't see a really good way to replace this with something other than
> > a
> > > > > > build option - I assume it's not just good enough to check which of the
> > > > > > dependencies is found/not-found? Is there some way that this can be
> > a
> > > > > > generic option, that may be applicable to other drivers? Could the
> > option
> > > > > > be instead to prioritize FIPs compatibility?
> > > > > >
> > > > >
> > > > > +1 to not have top level meson option for a driver.
> > > > >
> > > > > Will it work to give priority to intel-ipsec-mb lib, like when ipsec-mb
> > > > > library exists use it, else use openssl?
> > > >
> > > > Looking at the patch a bit more, is there a reason why this cannot be
> > made
> > > > a run-time option when both libraries are available?
> > >
> > > Hi Bruce,
> > >
> > > Thanks for the review.
> > > Are you suggesting adding a EAL option to the QAT PMD?
> > >
> > I was thinking you can add a driver option, to allow switching from the
> > default if both openssl and ipsec-mb were available to be compiled in.
> 
> We may have to use macros to filter out openssl deprecated API calls
> otherwise the warning may still be there. Also what kind of driver option
> are we talking about - any reference you can point to us? Much appreciated!
> 

Many drivers support additional parameters, but the vdev's are the most
common case. For example, AF_XDP:

http://git.dpdk.org/dpdk/tree/drivers/net/af_xdp/rte_eth_af_xdp.c#n2056

or, for a physical PCI device, i40e:

http://git.dpdk.org/dpdk/tree/drivers/net/i40e/i40e_ethdev.c#n12133

/Bruce

