* [dpdk-dev] [PATCH 0/2] add lookaside IPsec ESN and anti-replay support
@ 2020-12-18 14:14 Tejasree Kondoj
2020-12-18 14:14 ` [dpdk-dev] [PATCH 1/2] crypto/octeontx2: make anti-replay routine generic Tejasree Kondoj
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Tejasree Kondoj @ 2020-12-18 14:14 UTC (permalink / raw)
To: Akhil Goyal, Radu Nicolau
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, dev
This series adds lookaside IPsec ESN and anti-replay support to
OCTEON TX2 crypto PMD.
The functionality has been tested with ipsec-secgw application running in
lookaside protocol offload mode.
Tejasree Kondoj (2):
crypto/octeontx2: make anti-replay routine generic
crypto/octeontx2: add lookaside IPsec ESN and anti-replay support
doc/guides/cryptodevs/octeontx2.rst | 2 +
doc/guides/rel_notes/release_21_02.rst | 5 ++
drivers/crypto/octeontx2/otx2_cryptodev_ops.c | 47 ++++++++++++++++++-
drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 21 +++++++++
.../crypto/octeontx2/otx2_ipsec_anti_replay.h | 32 ++++++++++---
drivers/crypto/octeontx2/otx2_ipsec_po.h | 5 ++
drivers/crypto/octeontx2/otx2_ipsec_po_ops.h | 2 +
drivers/net/octeontx2/otx2_rx.h | 2 +-
8 files changed, 107 insertions(+), 9 deletions(-)
--
2.27.0
^ permalink raw reply [flat|nested] 5+ messages in thread
* [dpdk-dev] [PATCH 1/2] crypto/octeontx2: make anti-replay routine generic
2020-12-18 14:14 [dpdk-dev] [PATCH 0/2] add lookaside IPsec ESN and anti-replay support Tejasree Kondoj
@ 2020-12-18 14:14 ` Tejasree Kondoj
2020-12-18 14:14 ` [dpdk-dev] [PATCH 2/2] crypto/octeontx2: add lookaside IPsec ESN and anti-replay support Tejasree Kondoj
2021-01-15 5:32 ` [dpdk-dev] [PATCH 0/2] " Anoob Joseph
2 siblings, 0 replies; 5+ messages in thread
From: Tejasree Kondoj @ 2020-12-18 14:14 UTC (permalink / raw)
To: Akhil Goyal, Radu Nicolau
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, dev
Adding changes to make anti-replay routine common to both inline and
lookaside IPsec.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h | 11 +++++------
drivers/net/octeontx2/otx2_rx.h | 2 +-
2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h b/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h
index 858ce5b15f..d599692a75 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h
@@ -16,11 +16,10 @@
#define IPSEC_ANTI_REPLAY_FAILED (-1)
static inline int
-anti_replay_check(uint64_t seq, struct otx2_ipsec_fp_in_sa *sa)
+anti_replay_check(struct otx2_ipsec_replay *replay, uint64_t seq,
+ uint64_t winsz)
{
- struct otx2_ipsec_replay *replay = sa->replay;
uint64_t *window = &replay->window[0];
- uint64_t winsz = sa->replay_win_sz;
uint64_t ex_winsz = winsz + WORD_SIZE;
uint64_t winwords = ex_winsz >> WORD_SHIFT;
uint64_t base = replay->base;
@@ -166,8 +165,8 @@ anti_replay_check(uint64_t seq, struct otx2_ipsec_fp_in_sa *sa)
return 0;
}
-static int
-cpt_ipsec_antireplay_check(struct otx2_ipsec_fp_in_sa *sa, char *data)
+static inline int
+cpt_ipsec_ip_antireplay_check(struct otx2_ipsec_fp_in_sa *sa, char *data)
{
uint64_t seq_in_sa;
uint32_t seqh = 0;
@@ -192,7 +191,7 @@ cpt_ipsec_antireplay_check(struct otx2_ipsec_fp_in_sa *sa, char *data)
return IPSEC_ANTI_REPLAY_FAILED;
rte_spinlock_lock(&sa->replay->lock);
- ret = anti_replay_check(seq, sa);
+ ret = anti_replay_check(sa->replay, seq, sa->replay_win_sz);
if (esn && (ret == 0)) {
seq_in_sa = ((uint64_t)rte_be_to_cpu_32(sa->esn_hi) << 32) |
rte_be_to_cpu_32(sa->esn_low);
diff --git a/drivers/net/octeontx2/otx2_rx.h b/drivers/net/octeontx2/otx2_rx.h
index 926f614a4e..523f36e9f1 100644
--- a/drivers/net/octeontx2/otx2_rx.h
+++ b/drivers/net/octeontx2/otx2_rx.h
@@ -259,7 +259,7 @@ nix_rx_sec_mbuf_update(const struct nix_cqe_hdr_s *cq, struct rte_mbuf *m,
data = rte_pktmbuf_mtod(m, char *);
if (sa->replay_win_sz) {
- if (cpt_ipsec_antireplay_check(sa, data) < 0)
+ if (cpt_ipsec_ip_antireplay_check(sa, data) < 0)
return PKT_RX_SEC_OFFLOAD | PKT_RX_SEC_OFFLOAD_FAILED;
}
--
2.27.0
^ permalink raw reply [flat|nested] 5+ messages in thread
* [dpdk-dev] [PATCH 2/2] crypto/octeontx2: add lookaside IPsec ESN and anti-replay support
2020-12-18 14:14 [dpdk-dev] [PATCH 0/2] add lookaside IPsec ESN and anti-replay support Tejasree Kondoj
2020-12-18 14:14 ` [dpdk-dev] [PATCH 1/2] crypto/octeontx2: make anti-replay routine generic Tejasree Kondoj
@ 2020-12-18 14:14 ` Tejasree Kondoj
2021-01-15 5:32 ` [dpdk-dev] [PATCH 0/2] " Anoob Joseph
2 siblings, 0 replies; 5+ messages in thread
From: Tejasree Kondoj @ 2020-12-18 14:14 UTC (permalink / raw)
To: Akhil Goyal, Radu Nicolau
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, dev
Adding ESN and anti-replay support for lookaside IPsec.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/cryptodevs/octeontx2.rst | 2 +
doc/guides/rel_notes/release_21_02.rst | 5 ++
drivers/crypto/octeontx2/otx2_cryptodev_ops.c | 47 ++++++++++++++++++-
drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 21 +++++++++
.../crypto/octeontx2/otx2_ipsec_anti_replay.h | 21 +++++++++
drivers/crypto/octeontx2/otx2_ipsec_po.h | 5 ++
drivers/crypto/octeontx2/otx2_ipsec_po_ops.h | 2 +
7 files changed, 101 insertions(+), 2 deletions(-)
diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst
index 0a38b8662e..170f03dd0f 100644
--- a/doc/guides/cryptodevs/octeontx2.rst
+++ b/doc/guides/cryptodevs/octeontx2.rst
@@ -175,4 +175,6 @@ Features supported
* IPv6
* ESP
* Tunnel mode
+* ESN
+* Anti-replay
* AES-128/192/256-GCM
diff --git a/doc/guides/rel_notes/release_21_02.rst b/doc/guides/rel_notes/release_21_02.rst
index 638f98168b..d9ca17e83c 100644
--- a/doc/guides/rel_notes/release_21_02.rst
+++ b/doc/guides/rel_notes/release_21_02.rst
@@ -55,6 +55,11 @@ New Features
Also, make sure to start the actual text at the margin.
=======================================================
+* **Updated the OCTEON TX2 crypto PMD.**
+
+ * Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with
+ ESN and anti-replay support.
+
Removed Items
-------------
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index 5f2ccc0872..16aa7f4a0a 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -14,6 +14,7 @@
#include "otx2_cryptodev_mbox.h"
#include "otx2_cryptodev_ops.h"
#include "otx2_cryptodev_ops_helper.h"
+#include "otx2_ipsec_anti_replay.h"
#include "otx2_ipsec_po_ops.h"
#include "otx2_mbox.h"
#include "otx2_sec_idev.h"
@@ -650,21 +651,55 @@ static __rte_always_inline int __rte_hot
otx2_cpt_enqueue_sec(struct otx2_cpt_qp *qp, struct rte_crypto_op *op,
struct pending_queue *pend_q)
{
+ uint32_t winsz, esn_low = 0, esn_hi = 0, seql = 0, seqh = 0;
+ struct rte_mbuf *m_src = op->sym->m_src;
struct otx2_sec_session_ipsec_lp *sess;
struct otx2_ipsec_po_sa_ctl *ctl_wrd;
+ struct otx2_ipsec_po_in_sa *sa;
struct otx2_sec_session *priv;
struct cpt_request_info *req;
+ uint64_t seq_in_sa, seq = 0;
+ uint8_t esn;
int ret;
priv = get_sec_session_private_data(op->sym->sec_session);
sess = &priv->ipsec.lp;
+ sa = &sess->in_sa;
- ctl_wrd = &sess->in_sa.ctl;
+ ctl_wrd = &sa->ctl;
+ esn = ctl_wrd->esn_en;
+ winsz = sa->replay_win_sz;
if (ctl_wrd->direction == OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND)
ret = process_outb_sa(op, sess, &qp->meta_info, (void **)&req);
- else
+ else {
+ if (winsz) {
+ esn_low = rte_be_to_cpu_32(sa->esn_low);
+ esn_hi = rte_be_to_cpu_32(sa->esn_hi);
+ seql = *rte_pktmbuf_mtod_offset(m_src, uint32_t *,
+ sizeof(struct rte_ipv4_hdr) + 4);
+ seql = rte_be_to_cpu_32(seql);
+
+ if (!esn)
+ seq = (uint64_t)seql;
+ else {
+ seqh = anti_replay_get_seqh(winsz, seql, esn_hi,
+ esn_low);
+ seq = ((uint64_t)seqh << 32) | seql;
+ }
+
+ if (unlikely(seq == 0))
+ return IPSEC_ANTI_REPLAY_FAILED;
+
+ ret = anti_replay_check(sa->replay, seq, winsz);
+ if (unlikely(ret)) {
+ otx2_err("Anti replay check failed");
+ return IPSEC_ANTI_REPLAY_FAILED;
+ }
+ }
+
ret = process_inb_sa(op, sess, &qp->meta_info, (void **)&req);
+ }
if (unlikely(ret)) {
otx2_err("Crypto req : op %p, ret 0x%x", op, ret);
@@ -673,6 +708,14 @@ otx2_cpt_enqueue_sec(struct otx2_cpt_qp *qp, struct rte_crypto_op *op,
ret = otx2_cpt_enqueue_req(qp, pend_q, req, sess->cpt_inst_w7);
+ if (winsz && esn) {
+ seq_in_sa = ((uint64_t)esn_hi << 32) | esn_low;
+ if (seq > seq_in_sa) {
+ sa->esn_low = rte_cpu_to_be_32(seql);
+ sa->esn_hi = rte_cpu_to_be_32(seqh);
+ }
+ }
+
return ret;
}
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
index bad9c5ca9f..1f5645f2f1 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -213,6 +213,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
int ret;
sess = get_sec_session_private_data(sec_sess);
+ sess->ipsec.dir = RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
lp = &sess->ipsec.lp;
sa = &lp->out_sa;
@@ -351,6 +352,7 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
int ret;
sess = get_sec_session_private_data(sec_sess);
+ sess->ipsec.dir = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
lp = &sess->ipsec.lp;
sa = &lp->in_sa;
@@ -362,6 +364,7 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
}
memset(sa, 0, sizeof(struct otx2_ipsec_po_in_sa));
+ sa->replay_win_sz = ipsec->replay_win_sz;
ret = ipsec_po_sa_ctl_set(ipsec, crypto_xform, ctl);
if (ret)
@@ -414,6 +417,24 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
set_session_misc_attributes(lp, crypto_xform,
auth_xform, cipher_xform);
+ if (sa->replay_win_sz) {
+ if (sa->replay_win_sz > OTX2_IPSEC_MAX_REPLAY_WIN_SZ) {
+ otx2_err("Replay window size is not supported");
+ return -ENOTSUP;
+ }
+ sa->replay = rte_zmalloc(NULL, sizeof(struct otx2_ipsec_replay),
+ 0);
+ if (sa->replay == NULL)
+ return -ENOMEM;
+
+ /* Set window bottom to 1, base and top to size of window */
+ sa->replay->winb = 1;
+ sa->replay->wint = sa->replay_win_sz;
+ sa->replay->base = sa->replay_win_sz;
+ sa->esn_low = 0;
+ sa->esn_hi = 0;
+ }
+
return otx2_cpt_enq_sa_write(lp, crypto_dev->data->queue_pairs[0],
OTX2_IPSEC_PO_WRITE_IPSEC_INB);
}
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h b/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h
index d599692a75..b2b1f77284 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h
@@ -204,4 +204,25 @@ cpt_ipsec_ip_antireplay_check(struct otx2_ipsec_fp_in_sa *sa, char *data)
return ret;
}
+
+static inline uint32_t
+anti_replay_get_seqh(uint32_t winsz, uint32_t seql,
+ uint32_t esn_hi, uint32_t esn_low)
+{
+ uint32_t win_low = esn_low - winsz + 1;
+
+ if (esn_low > winsz - 1) {
+ /* Window is in one sequence number subspace */
+ if (seql > win_low)
+ return esn_hi;
+ else
+ return esn_hi + 1;
+ } else {
+ /* Window is split across two sequence number subspaces */
+ if (seql > win_low)
+ return esn_hi - 1;
+ else
+ return esn_hi;
+ }
+}
#endif /* __OTX2_IPSEC_ANTI_REPLAY_H__ */
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h
index da24f6a5d4..6d25e29734 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h
@@ -161,6 +161,11 @@ struct otx2_ipsec_po_in_sa {
uint8_t hmac_key[48];
struct otx2_ipsec_po_traffic_selector selector;
} aes_gcm;
+ union {
+ struct otx2_ipsec_replay *replay;
+ uint64_t replay64;
+ };
+ uint32_t replay_win_sz;
};
struct otx2_ipsec_po_ip_template {
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
index bc702d5c79..c0c936141d 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
@@ -124,6 +124,8 @@ process_outb_sa(struct rte_crypto_op *cop,
req->ist.ei1 = rte_pktmbuf_iova(m_src);
req->ist.ei2 = req->ist.ei1;
+ sa->esn_hi = sess->seq_hi;
+
hdr->seq = rte_cpu_to_be_32(sess->seq_lo);
hdr->ip_id = rte_cpu_to_be_32(sess->ip_id);
--
2.27.0
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [dpdk-dev] [PATCH 0/2] add lookaside IPsec ESN and anti-replay support
2020-12-18 14:14 [dpdk-dev] [PATCH 0/2] add lookaside IPsec ESN and anti-replay support Tejasree Kondoj
2020-12-18 14:14 ` [dpdk-dev] [PATCH 1/2] crypto/octeontx2: make anti-replay routine generic Tejasree Kondoj
2020-12-18 14:14 ` [dpdk-dev] [PATCH 2/2] crypto/octeontx2: add lookaside IPsec ESN and anti-replay support Tejasree Kondoj
@ 2021-01-15 5:32 ` Anoob Joseph
2021-01-15 16:03 ` Akhil Goyal
2 siblings, 1 reply; 5+ messages in thread
From: Anoob Joseph @ 2021-01-15 5:32 UTC (permalink / raw)
To: Tejasree Kondoj, Akhil Goyal, Radu Nicolau
Cc: Tejasree Kondoj, Ankur Dwivedi, dev
>
> This series adds lookaside IPsec ESN and anti-replay support to OCTEON TX2
> crypto PMD.
> The functionality has been tested with ipsec-secgw application running in
> lookaside protocol offload mode.
>
> Tejasree Kondoj (2):
> crypto/octeontx2: make anti-replay routine generic
> crypto/octeontx2: add lookaside IPsec ESN and anti-replay support
>
> doc/guides/cryptodevs/octeontx2.rst | 2 +
> doc/guides/rel_notes/release_21_02.rst | 5 ++
> drivers/crypto/octeontx2/otx2_cryptodev_ops.c | 47
> ++++++++++++++++++- drivers/crypto/octeontx2/otx2_cryptodev_sec.c |
> 21 +++++++++ .../crypto/octeontx2/otx2_ipsec_anti_replay.h | 32
> ++++++++++---
> drivers/crypto/octeontx2/otx2_ipsec_po.h | 5 ++
> drivers/crypto/octeontx2/otx2_ipsec_po_ops.h | 2 +
> drivers/net/octeontx2/otx2_rx.h | 2 +-
> 8 files changed, 107 insertions(+), 9 deletions(-)
>
Series Acked-by: Anoob Joseph <anoobj@marvell.com>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [dpdk-dev] [PATCH 0/2] add lookaside IPsec ESN and anti-replay support
2021-01-15 5:32 ` [dpdk-dev] [PATCH 0/2] " Anoob Joseph
@ 2021-01-15 16:03 ` Akhil Goyal
0 siblings, 0 replies; 5+ messages in thread
From: Akhil Goyal @ 2021-01-15 16:03 UTC (permalink / raw)
To: Anoob Joseph, Tejasree Kondoj, Radu Nicolau
Cc: Tejasree Kondoj, Ankur Dwivedi, dev
> >
> > This series adds lookaside IPsec ESN and anti-replay support to OCTEON TX2
> > crypto PMD.
> > The functionality has been tested with ipsec-secgw application running in
> > lookaside protocol offload mode.
> >
> > Tejasree Kondoj (2):
> > crypto/octeontx2: make anti-replay routine generic
> > crypto/octeontx2: add lookaside IPsec ESN and anti-replay support
> >
> > doc/guides/cryptodevs/octeontx2.rst | 2 +
> > doc/guides/rel_notes/release_21_02.rst | 5 ++
> > drivers/crypto/octeontx2/otx2_cryptodev_ops.c | 47
> > ++++++++++++++++++- drivers/crypto/octeontx2/otx2_cryptodev_sec.c |
> > 21 +++++++++ .../crypto/octeontx2/otx2_ipsec_anti_replay.h | 32
> > ++++++++++---
> > drivers/crypto/octeontx2/otx2_ipsec_po.h | 5 ++
> > drivers/crypto/octeontx2/otx2_ipsec_po_ops.h | 2 +
> > drivers/net/octeontx2/otx2_rx.h | 2 +-
> > 8 files changed, 107 insertions(+), 9 deletions(-)
> >
>
> Series Acked-by: Anoob Joseph <anoobj@marvell.com>
Applied to dpdk-next-crypto
Thanks.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-01-15 16:03 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-18 14:14 [dpdk-dev] [PATCH 0/2] add lookaside IPsec ESN and anti-replay support Tejasree Kondoj
2020-12-18 14:14 ` [dpdk-dev] [PATCH 1/2] crypto/octeontx2: make anti-replay routine generic Tejasree Kondoj
2020-12-18 14:14 ` [dpdk-dev] [PATCH 2/2] crypto/octeontx2: add lookaside IPsec ESN and anti-replay support Tejasree Kondoj
2021-01-15 5:32 ` [dpdk-dev] [PATCH 0/2] " Anoob Joseph
2021-01-15 16:03 ` Akhil Goyal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).