From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 72A16A04F1; Sun, 8 Dec 2019 12:56:22 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 673001BF7A; Sun, 8 Dec 2019 12:56:06 +0100 (CET) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by dpdk.org (Postfix) with ESMTP id BB5241BF7A for ; Sun, 8 Dec 2019 12:56:04 +0100 (CET) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xB8BpS6R005483; Sun, 8 Dec 2019 03:56:04 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0818; bh=BsoV6WhQEqthDLoDf11sK2LWiyS3W7DBSV6aQGE6yls=; b=B+O2ZfAiNOqpXMPZMUDWjrbuenrktEabeAxhBJrSi/GhoNGjZ7ZRV9DOrxLKCkBesRto GUP0gLj2maM4gcymHuLB/f7OnOO7jSjVnQnJCQt0bni7S9nID0rQ2J1I4ccbaaYxuRHN P4+iHvzo2AZRxRNjsfC2RMnI4UO8LLkqMuNrlIrD4ZASPOBU3t7s8dTYpNm52j1AwHiH U4yUnKHP9EFvCN8qcBUhHJ7G8dr6WAr8arkXcyuU+tZw6YKo2JgfJ+pNXR6i2KHgB/QI xmCYiq7CKJb85IkPnq+GRZ5YnmqEndWHK89+3rHpkDfrlYgUGQeJ6RIKMHRhn16Hz7so 8w== Received: from sc-exch01.marvell.com ([199.233.58.181]) by mx0b-0016f401.pphosted.com with ESMTP id 2wrcfptc19-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sun, 08 Dec 2019 03:56:03 -0800 Received: from SC-EXCH01.marvell.com (10.93.176.81) by SC-EXCH01.marvell.com (10.93.176.81) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Sun, 8 Dec 2019 03:56:01 -0800 Received: from maili.marvell.com (10.93.176.43) by SC-EXCH01.marvell.com (10.93.176.81) with Microsoft SMTP Server id 15.0.1367.3 via Frontend Transport; Sun, 8 Dec 2019 03:56:01 -0800 Received: from ajoseph83.caveonetworks.com.com (unknown [10.29.45.60]) by maili.marvell.com (Postfix) with ESMTP id BB2AB3F7043; Sun, 8 Dec 2019 03:55:56 -0800 (PST) From: Anoob Joseph To: Akhil Goyal , Declan Doherty , Thomas Monjalon CC: Tejasree Kondoj , Jerin Jacob , Narayana Prasad , Kiran Kumar K , Nithin Dabilpuram , "Pavan Nikhilesh" , Ankur Dwivedi , Anoob Joseph , Archana Muniganti , Vamsi Attunuru , Lukasz Bartosik , Date: Sun, 8 Dec 2019 17:24:44 +0530 Message-ID: <1575806094-28391-6-git-send-email-anoobj@marvell.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1575806094-28391-1-git-send-email-anoobj@marvell.com> References: <1575806094-28391-1-git-send-email-anoobj@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,18.0.572 definitions=2019-12-08_03:2019-12-05,2019-12-08 signatures=0 Subject: [dpdk-dev] [PATCH 05/15] crypto/octeontx2: add security in eth dev configure X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Tejasree Kondoj Adding security in eth device configure. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj Signed-off-by: Vamsi Attunuru --- doc/guides/nics/octeontx2.rst | 20 +++++ drivers/common/octeontx2/otx2_common.h | 4 + drivers/crypto/octeontx2/Makefile | 2 +- drivers/crypto/octeontx2/meson.build | 1 + drivers/crypto/octeontx2/otx2_cryptodev.c | 2 + drivers/crypto/octeontx2/otx2_ipsec_fp.h | 55 +++++++++++++ drivers/crypto/octeontx2/otx2_security.c | 122 ++++++++++++++++++++++++++++ drivers/crypto/octeontx2/otx2_security.h | 4 + drivers/net/octeontx2/otx2_ethdev.c | 22 ++++- drivers/net/octeontx2/otx2_ethdev.h | 2 + drivers/net/octeontx2/otx2_ethdev_devargs.c | 19 +++++ 11 files changed, 251 insertions(+), 2 deletions(-) create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h diff --git a/doc/guides/nics/octeontx2.rst b/doc/guides/nics/octeontx2.rst index db62a45..fd4e455 100644 --- a/doc/guides/nics/octeontx2.rst +++ b/doc/guides/nics/octeontx2.rst @@ -38,6 +38,7 @@ Features of the OCTEON TX2 Ethdev PMD are: - IEEE1588 timestamping - HW offloaded `ethdev Rx queue` to `eventdev event queue` packet injection - Support Rx interrupt +- Inline IPsec processing support Prerequisites ------------- @@ -178,6 +179,17 @@ Runtime Config Options traffic on this port should be higig2 traffic only. Supported switch header types are "higig2" and "dsa". +- ``Max SPI for inbound inline IPsec`` (default ``1``) + + Max SPI supported for inbound inline IPsec processing can be specified by + ``ipsec_in_max_spi`` ``devargs`` parameter. + + For example:: + -w 0002:02:00.0,ipsec_in_max_spi=128 + + With the above configuration, application can enable inline IPsec processing + on 128 SAs (SPI 0-127). + .. note:: Above devarg parameters are configurable per device, user needs to pass the @@ -211,6 +223,14 @@ SDP interface support ~~~~~~~~~~~~~~~~~~~~~ OCTEON TX2 SDP interface support is limited to PF device, No VF support. +Inline Protocol Processing +~~~~~~~~~~~~~~~~~~~~~~~~~~ +``net_octeontx2`` pmd doesn't support the following features for packets to be +inline protocol processed. +- TSO offload +- VLAN/QinQ offload +- Fragmentation + Debugging Options ----------------- diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h index a1cb434..9705a8d 100644 --- a/drivers/common/octeontx2/otx2_common.h +++ b/drivers/common/octeontx2/otx2_common.h @@ -79,10 +79,14 @@ int otx2_npa_lf_obj_ref(void); typedef int (*otx2_sec_eth_ctx_create_t)(struct rte_eth_dev *eth_dev); typedef void (*otx2_sec_eth_ctx_destroy_t)(struct rte_eth_dev *eth_dev); +typedef int (*otx2_sec_eth_init_t)(struct rte_eth_dev *eth_dev); +typedef void (*otx2_sec_eth_fini_t)(struct rte_eth_dev *eth_dev); struct otx2_sec_eth_crypto_idev_ops { otx2_sec_eth_ctx_create_t ctx_create; otx2_sec_eth_ctx_destroy_t ctx_destroy; + otx2_sec_eth_init_t init; + otx2_sec_eth_fini_t fini; }; extern struct otx2_sec_eth_crypto_idev_ops otx2_sec_idev_ops; diff --git a/drivers/crypto/octeontx2/Makefile b/drivers/crypto/octeontx2/Makefile index d2e9b9f..5966ddc 100644 --- a/drivers/crypto/octeontx2/Makefile +++ b/drivers/crypto/octeontx2/Makefile @@ -11,7 +11,7 @@ LIB = librte_pmd_octeontx2_crypto.a CFLAGS += $(WERROR_FLAGS) LDLIBS += -lrte_eal -lrte_ethdev -lrte_mbuf -lrte_mempool -lrte_ring -LDLIBS += -lrte_cryptodev -lrte_security +LDLIBS += -lrte_cryptodev -lrte_security -lrte_eventdev LDLIBS += -lrte_pci -lrte_bus_pci LDLIBS += -lrte_common_cpt -lrte_common_octeontx2 diff --git a/drivers/crypto/octeontx2/meson.build b/drivers/crypto/octeontx2/meson.build index f7b2937..f0f5043 100644 --- a/drivers/crypto/octeontx2/meson.build +++ b/drivers/crypto/octeontx2/meson.build @@ -9,6 +9,7 @@ deps += ['bus_pci'] deps += ['common_cpt'] deps += ['common_octeontx2'] deps += ['ethdev'] +deps += ['eventdev'] deps += ['security'] name = 'octeontx2_crypto' diff --git a/drivers/crypto/octeontx2/otx2_cryptodev.c b/drivers/crypto/octeontx2/otx2_cryptodev.c index 86c1188..34feb82 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev.c @@ -158,4 +158,6 @@ RTE_INIT(otx2_cpt_init_log) otx2_sec_idev_ops.ctx_create = otx2_sec_eth_ctx_create; otx2_sec_idev_ops.ctx_destroy = otx2_sec_eth_ctx_destroy; + otx2_sec_idev_ops.init = otx2_sec_eth_init; + otx2_sec_idev_ops.fini = otx2_sec_eth_fini; } diff --git a/drivers/crypto/octeontx2/otx2_ipsec_fp.h b/drivers/crypto/octeontx2/otx2_ipsec_fp.h new file mode 100644 index 0000000..520a3fe --- /dev/null +++ b/drivers/crypto/octeontx2/otx2_ipsec_fp.h @@ -0,0 +1,55 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2019 Marvell International Ltd. + */ + +#ifndef __OTX2_IPSEC_FP_H__ +#define __OTX2_IPSEC_FP_H__ + +struct otx2_ipsec_fp_sa_ctl { + rte_be32_t spi : 32; + uint64_t exp_proto_inter_frag : 8; + uint64_t rsvd_42_40 : 3; + uint64_t esn_en : 1; + uint64_t rsvd_45_44 : 2; + uint64_t encap_type : 2; + uint64_t enc_type : 3; + uint64_t rsvd_48 : 1; + uint64_t auth_type : 4; + uint64_t valid : 1; + uint64_t direction : 1; + uint64_t outer_ip_ver : 1; + uint64_t inner_ip_ver : 1; + uint64_t ipsec_mode : 1; + uint64_t ipsec_proto : 1; + uint64_t aes_key_len : 2; +}; + +struct otx2_ipsec_fp_in_sa { + /* w0 */ + struct otx2_ipsec_fp_sa_ctl ctl; + + /* w1 */ + uint8_t nonce[4]; /* Only for AES-GCM */ + uint32_t unused; + + /* w2 */ + uint32_t esn_low; + uint32_t esn_hi; + + /* w3-w6 */ + uint8_t cipher_key[32]; + + /* w7-w12 */ + uint8_t hmac_key[48]; + + RTE_STD_C11 + union { + void *userdata; + uint64_t udata64; + }; + + uint64_t reserved1; + uint64_t reserved2; +}; + +#endif /* __OTX2_IPSEC_FP_H__ */ diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c index 14394d2..9cd4683 100644 --- a/drivers/crypto/octeontx2/otx2_security.c +++ b/drivers/crypto/octeontx2/otx2_security.c @@ -3,11 +3,36 @@ */ #include +#include #include +#include #include +#include "otx2_ethdev.h" +#include "otx2_ipsec_fp.h" #include "otx2_security.h" +#define SEC_ETH_MAX_PKT_LEN 1450 + +struct sec_eth_tag_const { + RTE_STD_C11 + union { + struct { + uint32_t rsvd_11_0 : 12; + uint32_t port : 8; + uint32_t event_type : 4; + uint32_t rsvd_31_24 : 8; + }; + uint32_t u32; + }; +}; + +static inline void +in_sa_mz_name_get(char *name, int size, uint16_t port) +{ + snprintf(name, size, "otx2_ipsec_in_sadb_%u", port); +} + int otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev) { @@ -33,3 +58,100 @@ otx2_sec_eth_ctx_destroy(struct rte_eth_dev *eth_dev) { rte_free(eth_dev->security_ctx); } + +static int +sec_eth_ipsec_cfg(struct rte_eth_dev *eth_dev, uint8_t tt) +{ + struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev); + uint16_t port = eth_dev->data->port_id; + struct nix_inline_ipsec_lf_cfg *req; + struct otx2_mbox *mbox = dev->mbox; + struct sec_eth_tag_const tag_const; + char name[RTE_MEMZONE_NAMESIZE]; + const struct rte_memzone *mz; + + in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port); + mz = rte_memzone_lookup(name); + if (mz == NULL) + return -EINVAL; + + req = otx2_mbox_alloc_msg_nix_inline_ipsec_lf_cfg(mbox); + req->enable = 1; + req->sa_base_addr = mz->iova; + + req->ipsec_cfg0.tt = tt; + + tag_const.u32 = 0; + tag_const.event_type = RTE_EVENT_TYPE_ETHDEV; + tag_const.port = port; + req->ipsec_cfg0.tag_const = tag_const.u32; + + req->ipsec_cfg0.sa_pow2_size = + rte_log2_u32(sizeof(struct otx2_ipsec_fp_in_sa)); + req->ipsec_cfg0.lenm1_max = SEC_ETH_MAX_PKT_LEN - 1; + + req->ipsec_cfg1.sa_idx_w = rte_log2_u32(dev->ipsec_in_max_spi); + req->ipsec_cfg1.sa_idx_max = dev->ipsec_in_max_spi - 1; + + return otx2_mbox_process(mbox); +} + +int +otx2_sec_eth_init(struct rte_eth_dev *eth_dev) +{ + const size_t sa_width = sizeof(struct otx2_ipsec_fp_in_sa); + struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev); + uint16_t port = eth_dev->data->port_id; + char name[RTE_MEMZONE_NAMESIZE]; + const struct rte_memzone *mz; + int mz_sz, ret; + uint16_t nb_sa; + + RTE_BUILD_BUG_ON(sa_width < 32 || sa_width > 512 || + !RTE_IS_POWER_OF_2(sa_width)); + + if (!(dev->tx_offloads & DEV_TX_OFFLOAD_SECURITY) && + !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY)) + return 0; + + nb_sa = dev->ipsec_in_max_spi; + mz_sz = nb_sa * sa_width; + in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port); + mz = rte_memzone_reserve_aligned(name, mz_sz, rte_socket_id(), + RTE_MEMZONE_IOVA_CONTIG, OTX2_ALIGN); + + if (mz == NULL) { + otx2_err("Could not allocate inbound SA DB"); + return -ENOMEM; + } + + memset(mz->addr, 0, mz_sz); + + ret = sec_eth_ipsec_cfg(eth_dev, SSO_TT_ORDERED); + if (ret < 0) { + otx2_err("Could not configure inline IPsec"); + goto sec_fini; + } + + return 0; + +sec_fini: + otx2_err("Could not configure device for security"); + otx2_sec_eth_fini(eth_dev); + return ret; +} + +void +otx2_sec_eth_fini(struct rte_eth_dev *eth_dev) +{ + struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev); + uint16_t port = eth_dev->data->port_id; + char name[RTE_MEMZONE_NAMESIZE]; + + if (!(dev->tx_offloads & DEV_TX_OFFLOAD_SECURITY) && + !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY)) + return; + + in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port); + rte_memzone_free(rte_memzone_lookup(name)); +} diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h index 6ebf73f..4704781 100644 --- a/drivers/crypto/octeontx2/otx2_security.h +++ b/drivers/crypto/octeontx2/otx2_security.h @@ -11,4 +11,8 @@ int otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev); void otx2_sec_eth_ctx_destroy(struct rte_eth_dev *eth_dev); +int otx2_sec_eth_init(struct rte_eth_dev *eth_dev); + +void otx2_sec_eth_fini(struct rte_eth_dev *eth_dev); + #endif /* __OTX2_SECURITY_H__ */ diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c index 3e19ac2..131e883 100644 --- a/drivers/net/octeontx2/otx2_ethdev.c +++ b/drivers/net/octeontx2/otx2_ethdev.c @@ -337,6 +337,10 @@ nix_cq_rq_init(struct rte_eth_dev *eth_dev, struct otx2_eth_dev *dev, aq->op = NIX_AQ_INSTOP_INIT; aq->rq.sso_ena = 0; + + if (rxq->offloads & DEV_RX_OFFLOAD_SECURITY) + aq->rq.ipsech_ena = 1; + aq->rq.cq = qid; /* RQ to CQ 1:1 mapped */ aq->rq.spb_ena = 0; aq->rq.lpb_aura = npa_lf_aura_handle_to_aura(mp->pool_id); @@ -1610,6 +1614,8 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev) /* Free the resources allocated from the previous configure */ if (dev->configured == 1) { + if (otx2_sec_idev_ops.fini != NULL) + otx2_sec_idev_ops.fini(eth_dev); otx2_nix_rxchan_bpid_cfg(eth_dev, false); otx2_nix_vlan_fini(eth_dev); otx2_nix_mc_addr_list_uninstall(eth_dev); @@ -1714,10 +1720,17 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev) goto cq_fini; } + /* Enable security */ + if (otx2_sec_idev_ops.init != NULL) { + rc = otx2_sec_idev_ops.init(eth_dev); + if (rc) + goto cq_fini; + } + rc = otx2_nix_mc_addr_list_install(eth_dev); if (rc < 0) { otx2_err("Failed to install mc address list rc=%d", rc); - goto cq_fini; + goto sec_fini; } /* @@ -1753,6 +1766,9 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev) uninstall_mc_list: otx2_nix_mc_addr_list_uninstall(eth_dev); +sec_fini: + if (otx2_sec_idev_ops.fini != NULL) + otx2_sec_idev_ops.fini(eth_dev); cq_fini: oxt2_nix_unregister_cq_irqs(eth_dev); q_irq_fini: @@ -2345,6 +2361,10 @@ otx2_eth_dev_uninit(struct rte_eth_dev *eth_dev, bool mbox_close) if (rc) otx2_err("Failed to cleanup npa lf, rc=%d", rc); + /* Disable security */ + if (otx2_sec_idev_ops.fini != NULL) + otx2_sec_idev_ops.fini(eth_dev); + /* Destroy security ctx */ if (otx2_sec_idev_ops.ctx_destroy != NULL) otx2_sec_idev_ops.ctx_destroy(eth_dev); diff --git a/drivers/net/octeontx2/otx2_ethdev.h b/drivers/net/octeontx2/otx2_ethdev.h index 987e760..41fef6e 100644 --- a/drivers/net/octeontx2/otx2_ethdev.h +++ b/drivers/net/octeontx2/otx2_ethdev.h @@ -324,6 +324,8 @@ struct otx2_eth_dev { bool mc_tbl_set; struct otx2_nix_mc_filter_tbl mc_fltr_tbl; bool sdp_link; /* SDP flag */ + /* Inline IPsec params */ + uint16_t ipsec_in_max_spi; } __rte_cache_aligned; struct otx2_eth_txq { diff --git a/drivers/net/octeontx2/otx2_ethdev_devargs.c b/drivers/net/octeontx2/otx2_ethdev_devargs.c index 04da1ab..a3f7598 100644 --- a/drivers/net/octeontx2/otx2_ethdev_devargs.c +++ b/drivers/net/octeontx2/otx2_ethdev_devargs.c @@ -64,6 +64,19 @@ parse_reta_size(const char *key, const char *value, void *extra_args) } static int +parse_ipsec_in_max_spi(const char *key, const char *value, void *extra_args) +{ + RTE_SET_USED(key); + uint32_t val; + + val = atoi(value); + + *(uint16_t *)extra_args = val; + + return 0; +} + +static int parse_flag(const char *key, const char *value, void *extra_args) { RTE_SET_USED(key); @@ -104,6 +117,7 @@ parse_switch_header_type(const char *key, const char *value, void *extra_args) } #define OTX2_RSS_RETA_SIZE "reta_size" +#define OTX2_IPSEC_IN_MAX_SPI "ipsec_in_max_spi" #define OTX2_SCL_ENABLE "scalar_enable" #define OTX2_MAX_SQB_COUNT "max_sqb_count" #define OTX2_FLOW_PREALLOC_SIZE "flow_prealloc_size" @@ -118,6 +132,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev) uint16_t flow_prealloc_size = 8; uint16_t switch_header_type = 0; uint16_t flow_max_priority = 3; + uint16_t ipsec_in_max_spi = 1; uint16_t scalar_enable = 0; struct rte_kvargs *kvlist; @@ -130,6 +145,8 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev) rte_kvargs_process(kvlist, OTX2_RSS_RETA_SIZE, &parse_reta_size, &rss_size); + rte_kvargs_process(kvlist, OTX2_IPSEC_IN_MAX_SPI, + &parse_ipsec_in_max_spi, &ipsec_in_max_spi); rte_kvargs_process(kvlist, OTX2_SCL_ENABLE, &parse_flag, &scalar_enable); rte_kvargs_process(kvlist, OTX2_MAX_SQB_COUNT, @@ -143,6 +160,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev) rte_kvargs_free(kvlist); null_devargs: + dev->ipsec_in_max_spi = ipsec_in_max_spi; dev->scalar_ena = scalar_enable; dev->max_sqb_count = sqb_count; dev->rss_info.rss_size = rss_size; @@ -157,6 +175,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev) RTE_PMD_REGISTER_PARAM_STRING(net_octeontx2, OTX2_RSS_RETA_SIZE "=<64|128|256>" + OTX2_IPSEC_IN_MAX_SPI "=<1-65535>" OTX2_SCL_ENABLE "=1" OTX2_MAX_SQB_COUNT "=<8-512>" OTX2_FLOW_PREALLOC_SIZE "=<1-32>" -- 2.7.4