From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 2BB0CA0032; Thu, 16 Dec 2021 18:55:05 +0100 (CET) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id EC09041180; Thu, 16 Dec 2021 18:54:49 +0100 (CET) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 1E7EB41145 for ; Thu, 16 Dec 2021 18:54:47 +0100 (CET) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 1BGEd9JB007246 for ; Thu, 16 Dec 2021 09:54:46 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=bFytE7SCBlVbCJhu+/5xBy/vGGeSyHLm0TzDazBKHsQ=; b=e55RaayjrCRrUrzU4OW8VH4J4EWvxRn1EFMCdpKqapzC2SYkl8rMdWCGxcaeGLuX+3GR /qVl0QixRQ2sG+u4nIIfO64jE2BaliqgEvZVk4rLe5xbLf1QY8Pyu2AoyFTkYmUuJBUH kMjahu0cY32OQ55JqxmJDZ2Ex7IXEWDYS3NWXDc4uZ59ITyYE7Z8Bfchj/KdFB7MVsFQ lMqzohaGQwZ9Tk4DT3eekT6heO4tQ2JiWk/VT8v9lqIPxvL/d4qZPbxzvgn6ht//AAtL npCChHYf3Vvih4FtWIOVDbwm7FAOYgchbpDOJG1Dl306C32O1ApNepLqf5htswunmEvM 8w== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3d02p0af40-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Thu, 16 Dec 2021 09:54:46 -0800 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Thu, 16 Dec 2021 09:54:44 -0800 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Thu, 16 Dec 2021 09:54:44 -0800 Received: from HY-LT1002.marvell.com (HY-LT1002.marvell.com [10.28.176.218]) by maili.marvell.com (Postfix) with ESMTP id 0B5A23F7048; Thu, 16 Dec 2021 09:54:41 -0800 (PST) From: Anoob Joseph To: Akhil Goyal , Jerin Jacob CC: Anoob Joseph , Archana Muniganti , Tejasree Kondoj , Subject: [PATCH v2 24/29] crypto/cnxk: add aes xcbc and null cipher Date: Thu, 16 Dec 2021 23:19:30 +0530 Message-ID: <1639676975-1316-25-git-send-email-anoobj@marvell.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1639676975-1316-1-git-send-email-anoobj@marvell.com> References: <1638859858-734-1-git-send-email-anoobj@marvell.com> <1639676975-1316-1-git-send-email-anoobj@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-GUID: A3ROs4AzfLqAUUzZKE7DeVseDd7CyLzE X-Proofpoint-ORIG-GUID: A3ROs4AzfLqAUUzZKE7DeVseDd7CyLzE X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.11.62.513 definitions=2021-12-16_06,2021-12-16_01,2021-12-02_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Add support for AES XCBC and NULL cipher. Signed-off-by: Anoob Joseph --- doc/guides/cryptodevs/cnxk.rst | 4 + doc/guides/rel_notes/release_22_03.rst | 2 + drivers/common/cnxk/cnxk_security.c | 48 ++++++++---- drivers/common/cnxk/roc_ie_on.h | 10 +++ drivers/crypto/cnxk/cn9k_ipsec.c | 93 ++++++++++++++++------- drivers/crypto/cnxk/cnxk_cryptodev.h | 2 +- drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 45 +++++++++++ drivers/crypto/cnxk/cnxk_ipsec.h | 7 ++ 8 files changed, 169 insertions(+), 42 deletions(-) diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index 1239155..6e844f5 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -260,6 +260,7 @@ AEAD algorithms Cipher algorithms +++++++++++++++++ +* NULL * AES-128/192/256-CBC * AES-128/192/256-CTR @@ -270,6 +271,7 @@ Auth algorithms * SHA256-128-HMAC * SHA384-192-HMAC * SHA512-256-HMAC +* AES-XCBC-96 CN10XX Features supported ~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -288,6 +290,7 @@ AEAD algorithms Cipher algorithms +++++++++++++++++ +* NULL * AES-128/192/256-CBC * AES-128/192/256-CTR @@ -299,3 +302,4 @@ Auth algorithms * SHA256-128-HMAC * SHA384-192-HMAC * SHA512-256-HMAC +* AES-XCBC-96 diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index 4b272e4..e8fec00 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -61,6 +61,8 @@ New Features * Added SHA384-HMAC support in lookaside protocol (IPsec) for CN9K & CN10K. * Added SHA512-HMAC support in lookaside protocol (IPsec) for CN9K & CN10K. * Added AES-CTR support in lookaside protocol (IPsec) for CN9K & CN10K. + * Added NULL cipher support in lookaside protocol (IPsec) for CN9K & CN10K. + * Added AES-XCBC support in lookaside protocol (IPsec) for CN9K & CN10K. Removed Items diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index 0d4baa9..6ebf084 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -120,6 +120,9 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, } } else { switch (cipher_xfrm->cipher.algo) { + case RTE_CRYPTO_CIPHER_NULL: + w2->s.enc_type = ROC_IE_OT_SA_ENC_NULL; + break; case RTE_CRYPTO_CIPHER_AES_CBC: w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC; break; @@ -146,11 +149,19 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, case RTE_CRYPTO_AUTH_SHA512_HMAC: w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_512; break; + case RTE_CRYPTO_AUTH_AES_XCBC_MAC: + w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_XCBC_128; + break; default: return -ENOTSUP; } - ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad); + if (auth_xfrm->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC) { + const uint8_t *auth_key = auth_xfrm->auth.key.data; + roc_aes_xcbc_key_derive(auth_key, hmac_opad_ipad); + } else { + ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad); + } tmp_key = (uint64_t *)hmac_opad_ipad; for (i = 0; @@ -174,18 +185,26 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, for (i = 0; i < (int)(ROC_CTX_MAX_CKEY_LEN / sizeof(uint64_t)); i++) tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]); - switch (length) { - case ROC_CPT_AES128_KEY_LEN: - w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_128; - break; - case ROC_CPT_AES192_KEY_LEN: - w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_192; - break; - case ROC_CPT_AES256_KEY_LEN: - w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_256; - break; - default: - return -EINVAL; + /* Set AES key length */ + if (w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CBC || + w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM || + w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CTR || + w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM || + w2->s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC) { + switch (length) { + case ROC_CPT_AES128_KEY_LEN: + w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_128; + break; + case ROC_CPT_AES192_KEY_LEN: + w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_192; + break; + case ROC_CPT_AES256_KEY_LEN: + w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_256; + break; + default: + plt_err("Invalid AES key length"); + return -EINVAL; + } } if (ipsec_xfrm->life.packets_soft_limit != 0 || @@ -815,6 +834,9 @@ cnxk_ipsec_icvlen_get(enum rte_crypto_cipher_algorithm c_algo, case RTE_CRYPTO_AUTH_SHA512_HMAC: icv = 32; break; + case RTE_CRYPTO_AUTH_AES_XCBC_MAC: + icv = 12; + break; default: break; } diff --git a/drivers/common/cnxk/roc_ie_on.h b/drivers/common/cnxk/roc_ie_on.h index 817ef33..cb56a70 100644 --- a/drivers/common/cnxk/roc_ie_on.h +++ b/drivers/common/cnxk/roc_ie_on.h @@ -181,6 +181,11 @@ struct roc_ie_on_outb_sa { struct roc_ie_on_ip_template template; } sha1; struct { + uint8_t key[16]; + uint8_t unused[32]; + struct roc_ie_on_ip_template template; + } aes_xcbc; + struct { uint8_t hmac_key[64]; uint8_t hmac_iv[64]; struct roc_ie_on_ip_template template; @@ -202,6 +207,11 @@ struct roc_ie_on_inb_sa { struct roc_ie_on_traffic_selector selector; } sha1_or_gcm; struct { + uint8_t key[16]; + uint8_t unused[32]; + struct roc_ie_on_traffic_selector selector; + } aes_xcbc; + struct { uint8_t hmac_key[64]; uint8_t hmac_iv[64]; struct roc_ie_on_traffic_selector selector; diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c index 1e2269c..c9f5825 100644 --- a/drivers/crypto/cnxk/cn9k_ipsec.c +++ b/drivers/crypto/cnxk/cn9k_ipsec.c @@ -118,7 +118,7 @@ ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec, struct roc_ie_on_sa_ctl *ctl) { struct rte_crypto_sym_xform *cipher_xform, *auth_xform; - int aes_key_len; + int aes_key_len = 0; if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { ctl->direction = ROC_IE_SA_DIR_OUTBOUND; @@ -157,37 +157,33 @@ ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec, return -EINVAL; if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { - if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + switch (crypto_xform->aead.algo) { + case RTE_CRYPTO_AEAD_AES_GCM: ctl->enc_type = ROC_IE_ON_SA_ENC_AES_GCM; aes_key_len = crypto_xform->aead.key.length; - } else { + break; + default: + plt_err("Unsupported AEAD algorithm"); return -ENOTSUP; } - } else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) { - ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC; - aes_key_len = cipher_xform->cipher.key.length; - } else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CTR) { - ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CTR; - aes_key_len = cipher_xform->cipher.key.length; } else { - return -ENOTSUP; - } - - switch (aes_key_len) { - case 16: - ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128; - break; - case 24: - ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192; - break; - case 32: - ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256; - break; - default: - return -EINVAL; - } + switch (cipher_xform->cipher.algo) { + case RTE_CRYPTO_CIPHER_NULL: + ctl->enc_type = ROC_IE_ON_SA_ENC_NULL; + break; + case RTE_CRYPTO_CIPHER_AES_CBC: + ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC; + aes_key_len = cipher_xform->cipher.key.length; + break; + case RTE_CRYPTO_CIPHER_AES_CTR: + ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CTR; + aes_key_len = cipher_xform->cipher.key.length; + break; + default: + plt_err("Unsupported cipher algorithm"); + return -ENOTSUP; + } - if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) { switch (auth_xform->auth.algo) { case RTE_CRYPTO_AUTH_NULL: ctl->auth_type = ROC_IE_ON_SA_AUTH_NULL; @@ -217,10 +213,33 @@ ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec, ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_XCBC_128; break; default: + plt_err("Unsupported auth algorithm"); return -ENOTSUP; } } + /* Set AES key length */ + if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CBC || + ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CCM || + ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CTR || + ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM || + ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) { + switch (aes_key_len) { + case 16: + ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128; + break; + case 24: + ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192; + break; + case 32: + ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256; + break; + default: + plt_err("Invalid AES key length"); + return -EINVAL; + } + } + if (ipsec->options.esn) ctl->esn_en = 1; @@ -267,8 +286,6 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec, if (cipher_key_len != 0) memcpy(common_sa->cipher_key, cipher_key, cipher_key_len); - else - return -EINVAL; return 0; } @@ -337,7 +354,13 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp, ctx_len = offsetof(struct roc_ie_on_outb_sa, sha2.template); break; + case ROC_IE_ON_SA_AUTH_AES_XCBC_128: + template = &out_sa->aes_xcbc.template; + ctx_len = offsetof(struct roc_ie_on_outb_sa, + aes_xcbc.template); + break; default: + plt_err("Unsupported auth algorithm"); return -EINVAL; } } @@ -419,6 +442,9 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp, case RTE_CRYPTO_AUTH_SHA512_HMAC: memcpy(out_sa->sha2.hmac_key, auth_key, auth_key_len); break; + case RTE_CRYPTO_AUTH_AES_XCBC_MAC: + memcpy(out_sa->aes_xcbc.key, auth_key, auth_key_len); + break; default: plt_err("Unsupported auth algorithm %u", auth_xform->auth.algo); @@ -505,6 +531,11 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp, ctx_len = offsetof(struct roc_ie_on_inb_sa, sha2.selector); break; + case RTE_CRYPTO_AUTH_AES_XCBC_MAC: + memcpy(in_sa->aes_xcbc.key, auth_key, auth_key_len); + ctx_len = offsetof(struct roc_ie_on_inb_sa, + aes_xcbc.selector); + break; default: plt_err("Unsupported auth algorithm %u", auth_xform->auth.algo); @@ -597,6 +628,12 @@ cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec, plt_err("Transport mode AES-CBC SHA2 HMAC 512 is not supported"); return -ENOTSUP; } + + if ((cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) && + (auth->algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC)) { + plt_err("Transport mode AES-CBC AES-XCBC is not supported"); + return -ENOTSUP; + } } } diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index 4a1e377..16e7572 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -11,7 +11,7 @@ #include "roc_cpt.h" #define CNXK_CPT_MAX_CAPS 34 -#define CNXK_SEC_CRYPTO_MAX_CAPS 9 +#define CNXK_SEC_CRYPTO_MAX_CAPS 11 #define CNXK_SEC_MAX_CAPS 5 #define CNXK_AE_EC_ID_MAX 8 /** diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index fae433e..a0b2a1f 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -794,6 +794,26 @@ static const struct rte_cryptodev_capabilities sec_caps_aes[] = { }, } }, } }, + { /* AES-XCBC */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + { .sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, + {.auth = { + .algo = RTE_CRYPTO_AUTH_AES_XCBC_MAC, + .block_size = 16, + .key_size = { + .min = 16, + .max = 16, + .increment = 0 + }, + .digest_size = { + .min = 12, + .max = 12, + .increment = 0, + }, + }, } + }, } + }, }; static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = { @@ -879,6 +899,29 @@ static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = { }, }; +static const struct rte_cryptodev_capabilities sec_caps_null[] = { + { /* NULL (CIPHER) */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER, + {.cipher = { + .algo = RTE_CRYPTO_CIPHER_NULL, + .block_size = 1, + .key_size = { + .min = 0, + .max = 0, + .increment = 0 + }, + .iv_size = { + .min = 0, + .max = 0, + .increment = 0 + } + }, }, + }, } + }, +}; + static const struct rte_security_capability sec_caps_templ[] = { { /* IPsec Lookaside Protocol ESP Tunnel Ingress */ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, @@ -1069,6 +1112,8 @@ sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[], else cn9k_sec_crypto_caps_update(cnxk_caps); + sec_caps_add(cnxk_caps, &cur_pos, sec_caps_null, + RTE_DIM(sec_caps_null)); sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end)); } diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h index f5a51b5..f50d9fa 100644 --- a/drivers/crypto/cnxk/cnxk_ipsec.h +++ b/drivers/crypto/cnxk/cnxk_ipsec.h @@ -20,6 +20,9 @@ struct cnxk_cpt_inst_tmpl { static inline int ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *crypto_xform) { + if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_NULL) + return 0; + if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC || crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CTR) { switch (crypto_xform->cipher.key.length) { @@ -58,6 +61,10 @@ ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform) return 0; } + if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC && + keylen == ROC_CPT_AES_XCBC_KEY_LENGTH) + return 0; + return -ENOTSUP; } -- 2.7.4