* [PATCH 1/5] crypto/cnxk: support AH mode
2022-04-25 5:38 [PATCH 0/5] Fixes and improvements to cnxk crypto PMDs Anoob Joseph
@ 2022-04-25 5:38 ` Anoob Joseph
2022-04-25 5:38 ` [PATCH 2/5] crypto/cnxk: support AES-GMAC Anoob Joseph
` (3 subsequent siblings)
4 siblings, 0 replies; 9+ messages in thread
From: Anoob Joseph @ 2022-04-25 5:38 UTC (permalink / raw)
To: Akhil Goyal, Jerin Jacob; +Cc: Archana Muniganti, Tejasree Kondoj, dev
From: Archana Muniganti <marchana@marvell.com>
Added IPsec AH mode support in CN9K and CN10K PMD
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
---
doc/guides/cryptodevs/cnxk.rst | 2 +
doc/guides/rel_notes/release_22_07.rst | 4 ++
drivers/common/cnxk/cnxk_security.c | 61 ++++++++--------
drivers/crypto/cnxk/cn10k_ipsec.c | 2 +-
drivers/crypto/cnxk/cn9k_ipsec.c | 85 +++++++++++++----------
drivers/crypto/cnxk/cnxk_cryptodev.h | 2 +-
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 44 ++++++++++++
drivers/crypto/cnxk/cnxk_ipsec.h | 73 ++++++++++++++-----
8 files changed, 188 insertions(+), 85 deletions(-)
diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 46431dd..19c4a8b 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -252,6 +252,7 @@ CN9XX Features supported
* Tunnel mode
* Transport mode(IPv4)
* UDP Encapsulation
+* AH
AEAD algorithms
+++++++++++++++
@@ -284,6 +285,7 @@ CN10XX Features supported
* Tunnel mode
* Transport mode
* UDP Encapsulation
+* AH
AEAD algorithms
+++++++++++++++
diff --git a/doc/guides/rel_notes/release_22_07.rst b/doc/guides/rel_notes/release_22_07.rst
index 42a5f2d..68857d4 100644
--- a/doc/guides/rel_notes/release_22_07.rst
+++ b/doc/guides/rel_notes/release_22_07.rst
@@ -55,6 +55,10 @@ New Features
Also, make sure to start the actual text at the margin.
=======================================================
+* **Updated Marvell cnxk crypto PMD.**
+
+ * Added AH mode support in lookaside protocol (IPsec) for CN9K & CN10K.
+
Removed Items
-------------
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index ec808c0..afefbd2 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -57,25 +57,23 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
struct rte_crypto_sym_xform *crypto_xfrm)
{
struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm;
- const uint8_t *key;
+ const uint8_t *key = NULL;
uint32_t *tmp_salt;
uint64_t *tmp_key;
- int length, i;
+ int i, length = 0;
/* Set direction */
- switch (ipsec_xfrm->direction) {
- case RTE_SECURITY_IPSEC_SA_DIR_INGRESS:
+ if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
+ w2->s.dir = ROC_IE_SA_DIR_OUTBOUND;
+ else
w2->s.dir = ROC_IE_SA_DIR_INBOUND;
+
+ if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
auth_xfrm = crypto_xfrm;
cipher_xfrm = crypto_xfrm->next;
- break;
- case RTE_SECURITY_IPSEC_SA_DIR_EGRESS:
- w2->s.dir = ROC_IE_SA_DIR_OUTBOUND;
+ } else {
cipher_xfrm = crypto_xfrm;
auth_xfrm = crypto_xfrm->next;
- break;
- default:
- return -EINVAL;
}
/* Set protocol - ESP vs AH */
@@ -119,18 +117,23 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
return -ENOTSUP;
}
} else {
- switch (cipher_xfrm->cipher.algo) {
- case RTE_CRYPTO_CIPHER_NULL:
- w2->s.enc_type = ROC_IE_OT_SA_ENC_NULL;
- break;
- case RTE_CRYPTO_CIPHER_AES_CBC:
- w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC;
- break;
- case RTE_CRYPTO_CIPHER_AES_CTR:
- w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CTR;
- break;
- default:
- return -ENOTSUP;
+ if (cipher_xfrm != NULL) {
+ switch (cipher_xfrm->cipher.algo) {
+ case RTE_CRYPTO_CIPHER_NULL:
+ w2->s.enc_type = ROC_IE_OT_SA_ENC_NULL;
+ break;
+ case RTE_CRYPTO_CIPHER_AES_CBC:
+ w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC;
+ break;
+ case RTE_CRYPTO_CIPHER_AES_CTR:
+ w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CTR;
+ break;
+ default:
+ return -ENOTSUP;
+ }
+
+ key = cipher_xfrm->cipher.key.data;
+ length = cipher_xfrm->cipher.key.length;
}
switch (auth_xfrm->auth.algo) {
@@ -169,8 +172,6 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
i++)
tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
- key = cipher_xfrm->cipher.key.data;
- length = cipher_xfrm->cipher.key.length;
}
/* Set encapsulation type */
@@ -179,11 +180,13 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
w2->s.spi = ipsec_xfrm->spi;
- /* Copy encryption key */
- memcpy(cipher_key, key, length);
- tmp_key = (uint64_t *)cipher_key;
- for (i = 0; i < (int)(ROC_CTX_MAX_CKEY_LEN / sizeof(uint64_t)); i++)
- tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
+ if (key != NULL && length != 0) {
+ /* Copy encryption key */
+ memcpy(cipher_key, key, length);
+ tmp_key = (uint64_t *)cipher_key;
+ for (i = 0; i < (int)(ROC_CTX_MAX_CKEY_LEN / sizeof(uint64_t)); i++)
+ tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
+ }
/* Set AES key length */
if (w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CBC ||
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 15ebd57..0c9e244 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -74,7 +74,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
sa->iv_offset = crypto_xfrm->aead.iv.offset;
sa->iv_length = crypto_xfrm->aead.iv.length;
- } else {
+ } else if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
sa->iv_offset = crypto_xfrm->cipher.iv.offset;
sa->iv_length = crypto_xfrm->cipher.iv.length;
}
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index 737bafd..eaa3698 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -120,18 +120,19 @@ ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
int aes_key_len = 0;
- if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
- ctl->direction = ROC_IE_SA_DIR_OUTBOUND;
- cipher_xform = crypto_xform;
- auth_xform = crypto_xform->next;
- } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
- ctl->direction = ROC_IE_SA_DIR_INBOUND;
+ if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
auth_xform = crypto_xform;
cipher_xform = crypto_xform->next;
} else {
- return -EINVAL;
+ cipher_xform = crypto_xform;
+ auth_xform = crypto_xform->next;
}
+ if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
+ ctl->direction = ROC_IE_SA_DIR_OUTBOUND;
+ else
+ ctl->direction = ROC_IE_SA_DIR_INBOUND;
+
if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
@@ -167,21 +168,23 @@ ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
return -ENOTSUP;
}
} else {
- switch (cipher_xform->cipher.algo) {
- case RTE_CRYPTO_CIPHER_NULL:
- ctl->enc_type = ROC_IE_ON_SA_ENC_NULL;
- break;
- case RTE_CRYPTO_CIPHER_AES_CBC:
- ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC;
- aes_key_len = cipher_xform->cipher.key.length;
- break;
- case RTE_CRYPTO_CIPHER_AES_CTR:
- ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CTR;
- aes_key_len = cipher_xform->cipher.key.length;
- break;
- default:
- plt_err("Unsupported cipher algorithm");
- return -ENOTSUP;
+ if (cipher_xform != NULL) {
+ switch (cipher_xform->cipher.algo) {
+ case RTE_CRYPTO_CIPHER_NULL:
+ ctl->enc_type = ROC_IE_ON_SA_ENC_NULL;
+ break;
+ case RTE_CRYPTO_CIPHER_AES_CBC:
+ ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC;
+ aes_key_len = cipher_xform->cipher.key.length;
+ break;
+ case RTE_CRYPTO_CIPHER_AES_CTR:
+ ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CTR;
+ aes_key_len = cipher_xform->cipher.key.length;
+ break;
+ default:
+ plt_err("Unsupported cipher algorithm");
+ return -ENOTSUP;
+ }
}
switch (auth_xform->auth.algo) {
@@ -267,15 +270,23 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
int cipher_key_len = 0;
int ret;
+ ret = ipsec_sa_ctl_set(ipsec, crypto_xform, &common_sa->ctl);
+ if (ret)
+ return ret;
+
+ if (ipsec->esn.value) {
+ common_sa->esn_low = ipsec->esn.low;
+ common_sa->esn_hi = ipsec->esn.hi;
+ }
+
+ if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
+ return 0;
+
if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
cipher_xform = crypto_xform->next;
else
cipher_xform = crypto_xform;
- ret = ipsec_sa_ctl_set(ipsec, crypto_xform, &common_sa->ctl);
- if (ret)
- return ret;
-
if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
memcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4);
@@ -289,11 +300,6 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
if (cipher_key_len != 0)
memcpy(common_sa->cipher_key, cipher_key, cipher_key_len);
- if (ipsec->esn.value) {
- common_sa->esn_low = ipsec->esn.low;
- common_sa->esn_hi = ipsec->esn.hi;
- }
-
return 0;
}
@@ -303,9 +309,9 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
struct rte_crypto_sym_xform *crypto_xform,
struct rte_security_session *sec_sess)
{
- struct rte_crypto_sym_xform *auth_xform = crypto_xform->next;
struct roc_ie_on_ip_template *template = NULL;
struct roc_cpt *roc_cpt = qp->lf.roc_cpt;
+ struct rte_crypto_sym_xform *auth_xform;
union roc_on_ipsec_outb_param1 param1;
struct cnxk_cpt_inst_tmpl *inst_tmpl;
struct roc_ie_on_outb_sa *out_sa;
@@ -338,6 +344,11 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
if (ipsec->esn.value)
sa->esn = ipsec->esn.value;
+ if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH)
+ auth_xform = crypto_xform;
+ else
+ auth_xform = crypto_xform->next;
+
ret = fill_ipsec_common_sa(ipsec, crypto_xform, &out_sa->common_sa);
if (ret)
return ret;
@@ -381,7 +392,10 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
template->ip4.udp_src = rte_be_to_cpu_16(4500);
template->ip4.udp_dst = rte_be_to_cpu_16(4500);
} else {
- ip4->next_proto_id = IPPROTO_ESP;
+ if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
+ ip4->next_proto_id = IPPROTO_AH;
+ else
+ ip4->next_proto_id = IPPROTO_ESP;
}
if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
@@ -480,7 +494,7 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
sa->cipher_iv_off = crypto_xform->aead.iv.offset;
sa->cipher_iv_len = crypto_xform->aead.iv.length;
- } else {
+ } else if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
sa->cipher_iv_off = crypto_xform->cipher.iv.offset;
sa->cipher_iv_len = crypto_xform->cipher.iv.length;
}
@@ -621,7 +635,8 @@ cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec,
ipsec->life.packets_soft_limit != 0)
return -ENOTSUP;
- if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) {
+ if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT &&
+ ipsec->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH) {
enum rte_crypto_sym_xform_type type = crypto->type;
if (type == RTE_CRYPTO_SYM_XFORM_AEAD) {
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h
index 16e7572..542c93b 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.h
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.h
@@ -12,7 +12,7 @@
#define CNXK_CPT_MAX_CAPS 34
#define CNXK_SEC_CRYPTO_MAX_CAPS 11
-#define CNXK_SEC_MAX_CAPS 5
+#define CNXK_SEC_MAX_CAPS 9
#define CNXK_AE_EC_ID_MAX 8
/**
* Device private data
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 5cb27aa..efd53db 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -988,6 +988,50 @@ static const struct rte_security_capability sec_caps_templ[] = {
},
.crypto_capabilities = NULL,
},
+ { /* IPsec Lookaside Protocol AH Tunnel Ingress */
+ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+ .ipsec = {
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_AH,
+ .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+ .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+ .options = { 0 },
+ },
+ .crypto_capabilities = NULL,
+ },
+ { /* IPsec Lookaside Protocol AH Tunnel Egress */
+ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+ .ipsec = {
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_AH,
+ .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+ .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+ .options = { 0 },
+ },
+ .crypto_capabilities = NULL,
+ },
+ { /* IPsec Lookaside Protocol AH Transport Ingress */
+ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+ .ipsec = {
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_AH,
+ .mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
+ .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+ .options = { 0 },
+ },
+ .crypto_capabilities = NULL,
+ },
+ { /* IPsec Lookaside Protocol AH Transport Egress */
+ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+ .ipsec = {
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_AH,
+ .mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
+ .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+ .options = { 0 },
+ },
+ .crypto_capabilities = NULL,
+ },
{
.action = RTE_SECURITY_ACTION_TYPE_NONE
}
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index f50d9fa..1524217 100644
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -122,28 +122,63 @@ cnxk_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xform,
if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
return ipsec_xform_aead_verify(ipsec_xform, crypto_xform);
- if (crypto_xform->next == NULL)
- return -EINVAL;
-
- if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
- /* Ingress */
- if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
- crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
- return -EINVAL;
- auth_xform = crypto_xform;
- cipher_xform = crypto_xform->next;
+ if (ipsec_xform->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) {
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+ /* Ingress */
+ auth_xform = crypto_xform;
+ cipher_xform = crypto_xform->next;
+
+ if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+ return -EINVAL;
+
+ if ((cipher_xform != NULL) && ((cipher_xform->type !=
+ RTE_CRYPTO_SYM_XFORM_CIPHER) ||
+ (cipher_xform->cipher.algo !=
+ RTE_CRYPTO_CIPHER_NULL)))
+ return -EINVAL;
+ } else {
+ /* Egress */
+ if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
+ cipher_xform = crypto_xform;
+ auth_xform = crypto_xform->next;
+
+ if (auth_xform == NULL ||
+ cipher_xform->cipher.algo !=
+ RTE_CRYPTO_CIPHER_NULL)
+ return -EINVAL;
+ } else if (crypto_xform->type ==
+ RTE_CRYPTO_SYM_XFORM_AUTH)
+ auth_xform = crypto_xform;
+ else
+ return -EINVAL;
+ }
} else {
- /* Egress */
- if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
- crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+ if (crypto_xform->next == NULL)
return -EINVAL;
- cipher_xform = crypto_xform;
- auth_xform = crypto_xform->next;
- }
- ret = ipsec_xform_cipher_verify(cipher_xform);
- if (ret)
- return ret;
+ if (ipsec_xform->direction ==
+ RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+ /* Ingress */
+ if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+ crypto_xform->next->type !=
+ RTE_CRYPTO_SYM_XFORM_CIPHER)
+ return -EINVAL;
+ auth_xform = crypto_xform;
+ cipher_xform = crypto_xform->next;
+ } else {
+ /* Egress */
+ if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+ crypto_xform->next->type !=
+ RTE_CRYPTO_SYM_XFORM_AUTH)
+ return -EINVAL;
+ cipher_xform = crypto_xform;
+ auth_xform = crypto_xform->next;
+ }
+
+ ret = ipsec_xform_cipher_verify(cipher_xform);
+ if (ret)
+ return ret;
+ }
return ipsec_xform_auth_verify(auth_xform);
}
--
2.7.4
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 2/5] crypto/cnxk: support AES-GMAC
2022-04-25 5:38 [PATCH 0/5] Fixes and improvements to cnxk crypto PMDs Anoob Joseph
2022-04-25 5:38 ` [PATCH 1/5] crypto/cnxk: support AH mode Anoob Joseph
@ 2022-04-25 5:38 ` Anoob Joseph
2022-04-28 8:30 ` Akhil Goyal
2022-04-25 5:38 ` [PATCH 3/5] crypto/cnxk: remove redundant return Anoob Joseph
` (2 subsequent siblings)
4 siblings, 1 reply; 9+ messages in thread
From: Anoob Joseph @ 2022-04-25 5:38 UTC (permalink / raw)
To: Akhil Goyal, Jerin Jacob; +Cc: Archana Muniganti, Tejasree Kondoj, dev
From: Archana Muniganti <marchana@marvell.com>
Added lookaside IPsec AES-GMAC support in CNXK PMD.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
---
doc/guides/cryptodevs/cnxk.rst | 2 ++
doc/guides/rel_notes/release_22_07.rst | 1 +
drivers/common/cnxk/cnxk_security.c | 8 ++++++
drivers/crypto/cnxk/cn10k_ipsec.c | 3 ++
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 3 +-
drivers/crypto/cnxk/cn9k_ipsec.c | 35 ++++++++++++++++-------
drivers/crypto/cnxk/cnxk_cryptodev.h | 2 +-
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 25 ++++++++++++++++
drivers/crypto/cnxk/cnxk_ipsec.h | 3 ++
9 files changed, 70 insertions(+), 12 deletions(-)
diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 19c4a8b..baf0e3c 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -274,6 +274,7 @@ Auth algorithms
* SHA384-192-HMAC
* SHA512-256-HMAC
* AES-XCBC-96
+* AES-GMAC
CN10XX Features supported
~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -308,3 +309,4 @@ Auth algorithms
* SHA384-192-HMAC
* SHA512-256-HMAC
* AES-XCBC-96
+* AES-GMAC
diff --git a/doc/guides/rel_notes/release_22_07.rst b/doc/guides/rel_notes/release_22_07.rst
index 68857d4..a5ac90d 100644
--- a/doc/guides/rel_notes/release_22_07.rst
+++ b/doc/guides/rel_notes/release_22_07.rst
@@ -58,6 +58,7 @@ New Features
* **Updated Marvell cnxk crypto PMD.**
* Added AH mode support in lookaside protocol (IPsec) for CN9K & CN10K.
+ * Added AES-GMAC support in lookaside protocol (IPsec) for CN9K & CN10K.
Removed Items
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index afefbd2..69a962d 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -155,6 +155,14 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_XCBC_128;
break;
+ case RTE_CRYPTO_AUTH_AES_GMAC:
+ w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_GMAC;
+ key = auth_xfrm->auth.key.data;
+ length = auth_xfrm->auth.key.length;
+ memcpy(salt_key, &ipsec_xfrm->salt, 4);
+ tmp_salt = (uint32_t *)salt_key;
+ *tmp_salt = rte_be_to_cpu_32(*tmp_salt);
+ break;
default:
return -ENOTSUP;
}
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 0c9e244..3a2bf0f 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -77,6 +77,9 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
} else if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
sa->iv_offset = crypto_xfrm->cipher.iv.offset;
sa->iv_length = crypto_xfrm->cipher.iv.length;
+ } else {
+ sa->iv_offset = crypto_xfrm->auth.iv.offset;
+ sa->iv_length = crypto_xfrm->auth.iv.length;
}
}
#else
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index f2d8122..66cfe6c 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -65,7 +65,8 @@ process_outb_sa(struct roc_cpt_lf *lf, struct rte_crypto_op *cop,
#ifdef LA_IPSEC_DEBUG
if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) {
- if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM)
+ if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM ||
+ sess->out_sa.w2.s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC)
ipsec_po_sa_aes_gcm_iv_set(sess, cop);
else
ipsec_po_sa_iv_set(sess, cop);
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index eaa3698..82b8dae 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -211,6 +211,7 @@ ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
break;
case RTE_CRYPTO_AUTH_AES_GMAC:
ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_GMAC;
+ aes_key_len = auth_xform->auth.key.length;
break;
case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_XCBC_128;
@@ -265,7 +266,7 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
struct rte_crypto_sym_xform *crypto_xform,
struct roc_ie_on_common_sa *common_sa)
{
- struct rte_crypto_sym_xform *cipher_xform;
+ struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
const uint8_t *cipher_key;
int cipher_key_len = 0;
int ret;
@@ -279,13 +280,13 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
common_sa->esn_hi = ipsec->esn.hi;
}
- if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
- return 0;
-
- if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+ if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+ auth_xform = crypto_xform;
cipher_xform = crypto_xform->next;
- else
+ } else {
cipher_xform = crypto_xform;
+ auth_xform = crypto_xform->next;
+ }
if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
@@ -293,8 +294,16 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
cipher_key = crypto_xform->aead.key.data;
cipher_key_len = crypto_xform->aead.key.length;
} else {
- cipher_key = cipher_xform->cipher.key.data;
- cipher_key_len = cipher_xform->cipher.key.length;
+ if (cipher_xform) {
+ cipher_key = cipher_xform->cipher.key.data;
+ cipher_key_len = cipher_xform->cipher.key.length;
+ }
+
+ if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ memcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4);
+ cipher_key = auth_xform->auth.key.data;
+ cipher_key_len = auth_xform->auth.key.length;
+ }
}
if (cipher_key_len != 0)
@@ -358,7 +367,8 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
return ret;
if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM ||
- ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL) {
+ ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL ||
+ ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) {
template = &out_sa->aes_gcm.template;
ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template);
} else {
@@ -453,6 +463,7 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
auth_key_len = auth_xform->auth.key.length;
switch (auth_xform->auth.algo) {
+ case RTE_CRYPTO_AUTH_AES_GMAC:
case RTE_CRYPTO_AUTH_NULL:
break;
case RTE_CRYPTO_AUTH_SHA1_HMAC:
@@ -497,6 +508,9 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
} else if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
sa->cipher_iv_off = crypto_xform->cipher.iv.offset;
sa->cipher_iv_len = crypto_xform->cipher.iv.length;
+ } else {
+ sa->cipher_iv_off = crypto_xform->auth.iv.offset;
+ sa->cipher_iv_len = crypto_xform->auth.iv.length;
}
}
#else
@@ -553,7 +567,8 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
return ret;
if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD ||
- auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL) {
+ auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL ||
+ auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
ctx_len = offsetof(struct roc_ie_on_inb_sa,
sha1_or_gcm.hmac_key[0]);
} else {
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h
index 542c93b..fe2904b 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.h
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.h
@@ -11,7 +11,7 @@
#include "roc_cpt.h"
#define CNXK_CPT_MAX_CAPS 34
-#define CNXK_SEC_CRYPTO_MAX_CAPS 11
+#define CNXK_SEC_CRYPTO_MAX_CAPS 12
#define CNXK_SEC_MAX_CAPS 9
#define CNXK_AE_EC_ID_MAX 8
/**
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index efd53db..98b002d 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -835,6 +835,31 @@ static const struct rte_cryptodev_capabilities sec_caps_aes[] = {
}, }
}, }
},
+ { /* AES GMAC (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_AES_GMAC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .digest_size = {
+ .min = 8,
+ .max = 16,
+ .increment = 4
+ },
+ .iv_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
};
static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = {
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index 1524217..171ea27 100644
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -59,6 +59,9 @@ ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
} else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA512_HMAC) {
if (keylen == 64)
return 0;
+ } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ if (keylen >= 16 && keylen <= 32)
+ return 0;
}
if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC &&
--
2.7.4
^ permalink raw reply [flat|nested] 9+ messages in thread
* RE: [PATCH 2/5] crypto/cnxk: support AES-GMAC
2022-04-25 5:38 ` [PATCH 2/5] crypto/cnxk: support AES-GMAC Anoob Joseph
@ 2022-04-28 8:30 ` Akhil Goyal
2022-04-28 8:34 ` Anoob Joseph
0 siblings, 1 reply; 9+ messages in thread
From: Akhil Goyal @ 2022-04-28 8:30 UTC (permalink / raw)
To: Anoob Joseph, Jerin Jacob Kollanukkaran
Cc: Archana Muniganti, Tejasree Kondoj, dev
> Subject: [PATCH 2/5] crypto/cnxk: support AES-GMAC
>
> From: Archana Muniganti <marchana@marvell.com>
>
> Added lookaside IPsec AES-GMAC support in CNXK PMD.
>
> Signed-off-by: Archana Muniganti <marchana@marvell.com>
> Acked-by: Anoob Joseph <anoobj@marvell.com>
> ---
> doc/guides/cryptodevs/cnxk.rst | 2 ++
Update in .ini files missing.
> doc/guides/rel_notes/release_22_07.rst | 1 +
> drivers/common/cnxk/cnxk_security.c | 8 ++++++
> drivers/crypto/cnxk/cn10k_ipsec.c | 3 ++
> drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 3 +-
> drivers/crypto/cnxk/cn9k_ipsec.c | 35 ++++++++++++++++-------
> drivers/crypto/cnxk/cnxk_cryptodev.h | 2 +-
> drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 25 ++++++++++++++++
> drivers/crypto/cnxk/cnxk_ipsec.h | 3 ++
> 9 files changed, 70 insertions(+), 12 deletions(-)
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* RE: [PATCH 2/5] crypto/cnxk: support AES-GMAC
2022-04-28 8:30 ` Akhil Goyal
@ 2022-04-28 8:34 ` Anoob Joseph
2022-04-28 9:50 ` Akhil Goyal
0 siblings, 1 reply; 9+ messages in thread
From: Anoob Joseph @ 2022-04-28 8:34 UTC (permalink / raw)
To: Akhil Goyal, Jerin Jacob Kollanukkaran
Cc: Archana Muniganti, Tejasree Kondoj, dev
Hi Akhil,
Please see inline.
Thanks,
Anoob
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Thursday, April 28, 2022 2:00 PM
> To: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>
> Cc: Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; dev@dpdk.org
> Subject: RE: [PATCH 2/5] crypto/cnxk: support AES-GMAC
>
> > Subject: [PATCH 2/5] crypto/cnxk: support AES-GMAC
> >
> > From: Archana Muniganti <marchana@marvell.com>
> >
> > Added lookaside IPsec AES-GMAC support in CNXK PMD.
> >
> > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > Acked-by: Anoob Joseph <anoobj@marvell.com>
> > ---
> > doc/guides/cryptodevs/cnxk.rst | 2 ++
>
> Update in .ini files missing.
[Anoob] The .ini file is only listing symmetric & asymmetric capabilities. This patch is adding AES-GMAC with IPsec (ie, lookaside protocol). AES-GMAC with lookaside crypto is already supported and ini file reflects the same as well.
https://elixir.bootlin.com/dpdk/latest/source/doc/guides/cryptodevs/features/cn10k.ini
>
> > doc/guides/rel_notes/release_22_07.rst | 1 +
> > drivers/common/cnxk/cnxk_security.c | 8 ++++++
> > drivers/crypto/cnxk/cn10k_ipsec.c | 3 ++
> > drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 3 +-
> > drivers/crypto/cnxk/cn9k_ipsec.c | 35 ++++++++++++++++-------
> > drivers/crypto/cnxk/cnxk_cryptodev.h | 2 +-
> > drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 25 ++++++++++++++++
> > drivers/crypto/cnxk/cnxk_ipsec.h | 3 ++
> > 9 files changed, 70 insertions(+), 12 deletions(-)
> >
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 3/5] crypto/cnxk: remove redundant return
2022-04-25 5:38 [PATCH 0/5] Fixes and improvements to cnxk crypto PMDs Anoob Joseph
2022-04-25 5:38 ` [PATCH 1/5] crypto/cnxk: support AH mode Anoob Joseph
2022-04-25 5:38 ` [PATCH 2/5] crypto/cnxk: support AES-GMAC Anoob Joseph
@ 2022-04-25 5:38 ` Anoob Joseph
2022-04-25 5:38 ` [PATCH 4/5] common/cnxk: add timeout for ctx write operation Anoob Joseph
2022-04-25 5:38 ` [PATCH 5/5] crypto/cnxk: use set ctx operation for session destroy Anoob Joseph
4 siblings, 0 replies; 9+ messages in thread
From: Anoob Joseph @ 2022-04-25 5:38 UTC (permalink / raw)
To: Akhil Goyal, Jerin Jacob
Cc: Anoob Joseph, Archana Muniganti, Tejasree Kondoj, dev
The function doesn't return error. Remove return.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
drivers/crypto/cnxk/cnxk_se.h | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/drivers/crypto/cnxk/cnxk_se.h b/drivers/crypto/cnxk/cnxk_se.h
index e988d57..ce7ca2e 100644
--- a/drivers/crypto/cnxk/cnxk_se.h
+++ b/drivers/crypto/cnxk/cnxk_se.h
@@ -2047,7 +2047,7 @@ prepare_iov_from_pkt(struct rte_mbuf *pkt, struct roc_se_iov_ptr *iovec,
return 0;
}
-static __rte_always_inline uint32_t
+static __rte_always_inline void
prepare_iov_from_pkt_inplace(struct rte_mbuf *pkt,
struct roc_se_fc_params *param, uint32_t *flags)
{
@@ -2070,7 +2070,7 @@ prepare_iov_from_pkt_inplace(struct rte_mbuf *pkt,
param->bufs[0].vaddr = seg_data;
param->bufs[0].size = seg_size;
- return 0;
+ return;
}
iovec = param->src_iov;
iovec->bufs[index].vaddr = seg_data;
@@ -2094,7 +2094,7 @@ prepare_iov_from_pkt_inplace(struct rte_mbuf *pkt,
}
iovec->buf_cnt = index;
- return 0;
+ return;
}
static __rte_always_inline int
@@ -2254,12 +2254,7 @@ fill_fc_params(struct rte_crypto_op *cop, struct cnxk_se_sess *sess,
*/
fc_params.dst_iov = fc_params.src_iov = (void *)src;
- if (unlikely(prepare_iov_from_pkt_inplace(m_src, &fc_params,
- &flags))) {
- plt_dp_err("Prepare inplace src iov failed");
- ret = -EINVAL;
- goto err_exit;
- }
+ prepare_iov_from_pkt_inplace(m_src, &fc_params, &flags);
} else {
/* Out of place processing */
--
2.7.4
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 4/5] common/cnxk: add timeout for ctx write operation
2022-04-25 5:38 [PATCH 0/5] Fixes and improvements to cnxk crypto PMDs Anoob Joseph
` (2 preceding siblings ...)
2022-04-25 5:38 ` [PATCH 3/5] crypto/cnxk: remove redundant return Anoob Joseph
@ 2022-04-25 5:38 ` Anoob Joseph
2022-04-25 5:38 ` [PATCH 5/5] crypto/cnxk: use set ctx operation for session destroy Anoob Joseph
4 siblings, 0 replies; 9+ messages in thread
From: Anoob Joseph @ 2022-04-25 5:38 UTC (permalink / raw)
To: Akhil Goyal, Jerin Jacob
Cc: Anoob Joseph, Archana Muniganti, Tejasree Kondoj, dev
Add busy wait and polling for ctx write operation rather than waiting
with 1 ms delay.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
drivers/common/cnxk/roc_cpt.c | 31 +++++++++++++++++++++----------
drivers/common/cnxk/roc_platform.h | 7 ++++---
2 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/drivers/common/cnxk/roc_cpt.c b/drivers/common/cnxk/roc_cpt.c
index b3a3649..742723a 100644
--- a/drivers/common/cnxk/roc_cpt.c
+++ b/drivers/common/cnxk/roc_cpt.c
@@ -915,9 +915,9 @@ roc_cpt_ctx_write(struct roc_cpt_lf *lf, void *sa_dptr, void *sa_cptr,
uint16_t sa_len)
{
uintptr_t lmt_base = lf->lmt_base;
+ union cpt_res_s res, *hw_res;
uint64_t lmt_arg, io_addr;
struct cpt_inst_s *inst;
- union cpt_res_s *res;
uint16_t lmt_id;
uint64_t *dptr;
int i;
@@ -927,8 +927,8 @@ roc_cpt_ctx_write(struct roc_cpt_lf *lf, void *sa_dptr, void *sa_cptr,
memset(inst, 0, sizeof(struct cpt_inst_s));
- res = plt_zmalloc(sizeof(*res), ROC_CPT_RES_ALIGN);
- if (res == NULL) {
+ hw_res = plt_zmalloc(sizeof(*hw_res), ROC_CPT_RES_ALIGN);
+ if (hw_res == NULL) {
plt_err("Couldn't allocate memory for result address");
return -ENOMEM;
}
@@ -936,7 +936,7 @@ roc_cpt_ctx_write(struct roc_cpt_lf *lf, void *sa_dptr, void *sa_cptr,
dptr = plt_zmalloc(sa_len, 8);
if (dptr == NULL) {
plt_err("Couldn't allocate memory for SA dptr");
- plt_free(res);
+ plt_free(hw_res);
return -ENOMEM;
}
@@ -944,8 +944,8 @@ roc_cpt_ctx_write(struct roc_cpt_lf *lf, void *sa_dptr, void *sa_cptr,
dptr[i] = plt_cpu_to_be_64(((uint64_t *)sa_dptr)[i]);
/* Fill CPT_INST_S for WRITE_SA microcode op */
- res->cn10k.compcode = CPT_COMP_NOT_DONE;
- inst->res_addr = (uint64_t)res;
+ hw_res->cn10k.compcode = CPT_COMP_NOT_DONE;
+ inst->res_addr = (uint64_t)hw_res;
inst->dptr = (uint64_t)dptr;
inst->w4.s.param2 = sa_len >> 3;
inst->w4.s.dlen = sa_len;
@@ -959,14 +959,25 @@ roc_cpt_ctx_write(struct roc_cpt_lf *lf, void *sa_dptr, void *sa_cptr,
io_addr = lf->io_addr | ROC_CN10K_CPT_INST_DW_M1 << 4;
roc_lmt_submit_steorl(lmt_arg, io_addr);
- plt_wmb();
+ plt_io_wmb();
+
+ /* Use 1 min timeout for the poll */
+ const uint64_t timeout = plt_tsc_cycles() + 60 * plt_tsc_hz();
/* Wait until CPT instruction completes */
- while (res->cn10k.compcode == CPT_COMP_NOT_DONE)
- plt_delay_ms(1);
+ do {
+ res.u64[0] = __atomic_load_n(&hw_res->u64[0], __ATOMIC_RELAXED);
+ if (unlikely(plt_tsc_cycles() > timeout))
+ break;
+ } while (res.cn10k.compcode == CPT_COMP_NOT_DONE);
- plt_free(res);
plt_free(dptr);
+ plt_free(hw_res);
+
+ if (res.cn10k.compcode != CPT_COMP_WARN) {
+ plt_err("Write SA operation timed out");
+ return -ETIMEDOUT;
+ }
return 0;
}
diff --git a/drivers/common/cnxk/roc_platform.h b/drivers/common/cnxk/roc_platform.h
index 28004b1..86987ae 100644
--- a/drivers/common/cnxk/roc_platform.h
+++ b/drivers/common/cnxk/roc_platform.h
@@ -184,9 +184,10 @@
#define plt_memzone_reserve_aligned(name, len, flags, align) \
rte_memzone_reserve_aligned((name), (len), 0, (flags), (align))
-#define plt_tsc_hz rte_get_tsc_hz
-#define plt_delay_ms rte_delay_ms
-#define plt_delay_us rte_delay_us
+#define plt_tsc_hz rte_get_tsc_hz
+#define plt_tsc_cycles rte_get_tsc_cycles
+#define plt_delay_ms rte_delay_ms
+#define plt_delay_us rte_delay_us
#define plt_lcore_id rte_lcore_id
--
2.7.4
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 5/5] crypto/cnxk: use set ctx operation for session destroy
2022-04-25 5:38 [PATCH 0/5] Fixes and improvements to cnxk crypto PMDs Anoob Joseph
` (3 preceding siblings ...)
2022-04-25 5:38 ` [PATCH 4/5] common/cnxk: add timeout for ctx write operation Anoob Joseph
@ 2022-04-25 5:38 ` Anoob Joseph
4 siblings, 0 replies; 9+ messages in thread
From: Anoob Joseph @ 2022-04-25 5:38 UTC (permalink / raw)
To: Akhil Goyal, Jerin Jacob
Cc: Anoob Joseph, Archana Muniganti, Tejasree Kondoj, dev
Usage of flush and invalidate would involve delays to account for flush
delay. Use set_ctx operation instead. When set_ctx fails, fall back to
flush + invalidate scheme.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
drivers/crypto/cnxk/cn10k_ipsec.c | 44 ++++++++++++++++++++++++++++++++-------
1 file changed, 37 insertions(+), 7 deletions(-)
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 3a2bf0f..d6ff134 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -333,6 +333,8 @@ cn10k_sec_session_destroy(void *dev, struct rte_security_session *sec_sess)
struct cn10k_ipsec_sa *sa;
struct cnxk_cpt_qp *qp;
struct roc_cpt_lf *lf;
+ void *sa_dptr = NULL;
+ int ret;
sess = get_sec_session_private_data(sec_sess);
if (sess == NULL)
@@ -349,16 +351,44 @@ cn10k_sec_session_destroy(void *dev, struct rte_security_session *sec_sess)
/* Trigger CTX flush to write dirty data back to DRAM */
roc_cpt_lf_ctx_flush(lf, &sa->in_sa, false);
- /* Wait for 1 ms so that flush is complete */
- rte_delay_ms(1);
+ ret = -1;
- w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2;
- w2->s.valid = 0;
+ if (sa->is_outbound) {
+ sa_dptr = plt_zmalloc(sizeof(struct roc_ot_ipsec_outb_sa), 8);
+ if (sa_dptr != NULL) {
+ roc_ot_ipsec_outb_sa_init(sa_dptr);
- plt_atomic_thread_fence(__ATOMIC_SEQ_CST);
+ ret = roc_cpt_ctx_write(
+ lf, sa_dptr, &sa->out_sa,
+ sizeof(struct roc_ot_ipsec_outb_sa));
+ }
+ } else {
+ sa_dptr = plt_zmalloc(sizeof(struct roc_ot_ipsec_inb_sa), 8);
+ if (sa_dptr != NULL) {
+ roc_ot_ipsec_inb_sa_init(sa_dptr, false);
+
+ ret = roc_cpt_ctx_write(
+ lf, sa_dptr, &sa->in_sa,
+ sizeof(struct roc_ot_ipsec_inb_sa));
+ }
+ }
- /* Trigger CTX reload to fetch new data from DRAM */
- roc_cpt_lf_ctx_reload(lf, &sa->in_sa);
+ plt_free(sa_dptr);
+
+ if (ret) {
+ /* MC write_ctx failed. Attempt reload of CTX */
+
+ /* Wait for 1 ms so that flush is complete */
+ rte_delay_ms(1);
+
+ w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2;
+ w2->s.valid = 0;
+
+ plt_atomic_thread_fence(__ATOMIC_SEQ_CST);
+
+ /* Trigger CTX reload to fetch new data from DRAM */
+ roc_cpt_lf_ctx_reload(lf, &sa->in_sa);
+ }
sess_mp = rte_mempool_from_obj(sess);
--
2.7.4
^ permalink raw reply [flat|nested] 9+ messages in thread