From: Anoob Joseph
To: Akhil Goyal , Jerin Jacob
CC: Archana Muniganti , Tejasree Kondoj ,
Subject: [PATCH 2/5] crypto/cnxk: support AES-GMAC
Date: Mon, 25 Apr 2022 11:08:22 +0530
Message-ID: <1650865105-66-3-git-send-email-anoobj@marvell.com>
In-Reply-To: <1650865105-66-1-git-send-email-anoobj@marvell.com>

From: Archana Muniganti

Added lookaside IPsec AES-GMAC support in CNXK PMD.

Signed-off-by: Archana Muniganti
Acked-by: Anoob Joseph
--- doc/guides/cryptodevs/cnxk.rst | 2 ++ doc/guides/rel_notes/release_22_07.rst | 1 + drivers/common/cnxk/cnxk_security.c | 8 ++++++ drivers/crypto/cnxk/cn10k_ipsec.c | 3 ++ drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 3 +- drivers/crypto/cnxk/cn9k_ipsec.c | 35 ++++++++++++++++------- drivers/crypto/cnxk/cnxk_cryptodev.h | 2 +- drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 25 ++++++++++++++++ drivers/crypto/cnxk/cnxk_ipsec.h | 3 ++ 9 files changed, 70 insertions(+), 12 deletions(-) diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index 19c4a8b..baf0e3c 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst
@@ -274,6 +274,7 @@ Auth algorithms * SHA384-192-HMAC * SHA512-256-HMAC * AES-XCBC-96 +* AES-GMAC CN10XX Features supported ~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -308,3 +309,4 @@ Auth algorithms * SHA384-192-HMAC * SHA512-256-HMAC * AES-XCBC-96 +* AES-GMAC diff --git a/doc/guides/rel_notes/release_22_07.rst b/doc/guides/rel_notes/release_22_07.rst index 68857d4..a5ac90d 100644 --- a/doc/guides/rel_notes/release_22_07.rst +++ b/doc/guides/rel_notes/release_22_07.rst @@ -58,6 +58,7 @@ New Features * **Updated Marvell cnxk crypto PMD.** * Added AH mode support in lookaside protocol (IPsec) for CN9K & CN10K. + * Added AES-GMAC support in lookaside protocol (IPsec) for CN9K & CN10K. Removed Items diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index afefbd2..69a962d 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -155,6 +155,14 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, case RTE_CRYPTO_AUTH_AES_XCBC_MAC: w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_XCBC_128; break; + case RTE_CRYPTO_AUTH_AES_GMAC: + w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_GMAC; + key = auth_xfrm->auth.key.data; + length = auth_xfrm->auth.key.length; + memcpy(salt_key, &ipsec_xfrm->salt, 4); + tmp_salt = (uint32_t *)salt_key; + *tmp_salt = rte_be_to_cpu_32(*tmp_salt); + break; default: return -ENOTSUP; } diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c index 0c9e244..3a2bf0f 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.c +++ b/drivers/crypto/cnxk/cn10k_ipsec.c @@ -77,6 +77,9 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf, } else if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_CIPHER) { sa->iv_offset = crypto_xfrm->cipher.iv.offset; sa->iv_length = crypto_xfrm->cipher.iv.length; + } else { + sa->iv_offset = crypto_xfrm->auth.iv.offset; + sa->iv_length = crypto_xfrm->auth.iv.length; } } #else 
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h index f2d8122..66cfe6c 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h +++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h @@ -65,7 +65,8 @@ process_outb_sa(struct roc_cpt_lf *lf, struct rte_crypto_op *cop, #ifdef LA_IPSEC_DEBUG if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) { - if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM) + if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM || + sess->out_sa.w2.s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC) ipsec_po_sa_aes_gcm_iv_set(sess, cop); else ipsec_po_sa_iv_set(sess, cop); diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c index eaa3698..82b8dae 100644 --- a/drivers/crypto/cnxk/cn9k_ipsec.c +++ b/drivers/crypto/cnxk/cn9k_ipsec.c @@ -211,6 +211,7 @@ ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec, break; case RTE_CRYPTO_AUTH_AES_GMAC: ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_GMAC; + aes_key_len = auth_xform->auth.key.length; break; case RTE_CRYPTO_AUTH_AES_XCBC_MAC: ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_XCBC_128; @@ -265,7 +266,7 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec, struct rte_crypto_sym_xform *crypto_xform, struct roc_ie_on_common_sa *common_sa) { - struct rte_crypto_sym_xform *cipher_xform; + struct rte_crypto_sym_xform *cipher_xform, *auth_xform; const uint8_t *cipher_key; int cipher_key_len = 0; int ret; 
@@ -279,13 +280,13 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec, common_sa->esn_hi = ipsec->esn.hi; } - if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) - return 0; - - if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) { + auth_xform = crypto_xform; cipher_xform = crypto_xform->next; - else + } else { cipher_xform = crypto_xform; + auth_xform = crypto_xform->next; + } if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) @@ -293,8 +294,16 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec, cipher_key = crypto_xform->aead.key.data; cipher_key_len = crypto_xform->aead.key.length; } else { - cipher_key = cipher_xform->cipher.key.data; - cipher_key_len = cipher_xform->cipher.key.length; + if (cipher_xform) { + cipher_key = cipher_xform->cipher.key.data; + cipher_key_len = cipher_xform->cipher.key.length; + } + + if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) { + memcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4); + cipher_key = auth_xform->auth.key.data; + cipher_key_len = auth_xform->auth.key.length; + } } if (cipher_key_len != 0) @@ -358,7 +367,8 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp, return ret; if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM || - ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL) { + ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL || + ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) { template = &out_sa->aes_gcm.template; ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template); } else { @@ -453,6 +463,7 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp, auth_key_len = auth_xform->auth.key.length; switch (auth_xform->auth.algo) { + case RTE_CRYPTO_AUTH_AES_GMAC: case RTE_CRYPTO_AUTH_NULL: break; case RTE_CRYPTO_AUTH_SHA1_HMAC: 
@@ -497,6 +508,9 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp, } else if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) { sa->cipher_iv_off = crypto_xform->cipher.iv.offset; sa->cipher_iv_len = crypto_xform->cipher.iv.length; + } else { + sa->cipher_iv_off = crypto_xform->auth.iv.offset; + sa->cipher_iv_len = crypto_xform->auth.iv.length; } } #else @@ -553,7 +567,8 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp, return ret; if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD || - auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL) { + auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL || + auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) { ctx_len = offsetof(struct roc_ie_on_inb_sa, sha1_or_gcm.hmac_key[0]); } else { diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index 542c93b..fe2904b 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -11,7 +11,7 @@ #include "roc_cpt.h" #define CNXK_CPT_MAX_CAPS 34 -#define CNXK_SEC_CRYPTO_MAX_CAPS 11 +#define CNXK_SEC_CRYPTO_MAX_CAPS 12 #define CNXK_SEC_MAX_CAPS 9 #define CNXK_AE_EC_ID_MAX 8 /** diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index efd53db..98b002d 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -835,6 +835,31 @@ static const struct rte_cryptodev_capabilities sec_caps_aes[] = { }, } }, } }, + { /* AES GMAC (AUTH) */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, + {.auth = { + .algo = RTE_CRYPTO_AUTH_AES_GMAC, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 8 + }, + .digest_size = { + .min = 8, + .max = 16, + .increment = 4 + }, + .iv_size = { + .min = 12, + .max = 12, + .increment = 0 + } + }, } + }, } + }, }; static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = { 
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h index 1524217..171ea27 100644 --- a/drivers/crypto/cnxk/cnxk_ipsec.h +++ b/drivers/crypto/cnxk/cnxk_ipsec.h @@ -59,6 +59,9 @@ ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform) } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA512_HMAC) { if (keylen == 64) return 0; + } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) { + if (keylen >= 16 && keylen <= 32) + return 0; } if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC && -- 2.7.4
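
Review bot: in the RTE_CRYPTO_AUTH_AES_GMAC case added to ot_ipsec_sa_common_param_fill() (drivers/common/cnxk/cnxk_security.c), the salt is byte-swapped in place through a pointer cast, `tmp_salt = (uint32_t *)salt_key; *tmp_salt = rte_be_to_cpu_32(*tmp_salt);`, and copied with a literal 4. If salt_key is a byte buffer, the cast assumes 4-byte alignment and goes around strict aliasing; copying into a local uint32_t, swapping it, and copying it back avoids both, and sizeof(ipsec_xfrm->salt) in place of 4 keeps the length tied to the field. The case also takes key and length from the auth transform, so a one-line comment that GMAC carries its AES key in the auth xform would help the next reader.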
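
Review bot: the bare else added to the LA_IPSEC_DEBUG block of cn10k_ipsec_outb_sa_create() (and the matching one in cn9k_ipsec_outb_sa_create()) reads crypto_xfrm->auth.iv.offset and auth.iv.length for every transform that does not match the branches above it, not only for AES-GMAC. Making the condition explicit, an else if that checks for RTE_CRYPTO_SYM_XFORM_AUTH with auth.algo == RTE_CRYPTO_AUTH_AES_GMAC, would keep the debug IV path from picking up an auth IV offset and length for auth algorithms that do not use one.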
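
Review bot: fill_ipsec_common_sa() in drivers/crypto/cnxk/cn9k_ipsec.c now dereferences auth_xform without a NULL check, in `if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC)`, while the line just above guards the other pointer with `if (cipher_xform)`. When crypto_xform is a cipher transform with no chained auth transform, the new else branch sets auth_xform = crypto_xform->next, which is NULL, and the non-AEAD path then reads through it. Suggest `if (auth_xform && auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC)`. Since cipher_key is no longer assigned on every path, initialising it to NULL at its declaration would also make the later `cipher_key_len != 0` guard easier to reason about.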
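
Review bot: the AES GMAC entry added to sec_caps_aes[] in cnxk_cryptodev_capabilities.c advertises digest_size min 8, max 16, increment 4, which offers truncated 8 and 12 byte tags for the lookaside IPsec path. RFC 4543 states that the AES-GMAC authentication tag must not be truncated and the ICV is 16 octets, so min and max should both be 16 with increment 0 unless the hardware path has a documented reason to differ. Separately, CNXK_SEC_CRYPTO_MAX_CAPS in cnxk_cryptodev.h is bumped by hand from 11 to 12 to match this entry; a comment next to the define naming the tables it has to cover would make the next addition less error-prone.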
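
Review bot: the key length check added to ipsec_xform_auth_verify() in cnxk_ipsec.h, `if (keylen >= 16 && keylen <= 32)`, accepts every length in the range, including values such as 17 or 20 that are not AES key sizes. The capability entry in the same patch advertises min 16, max 32, increment 8, so the check should match it: `keylen == 16 || keylen == 24 || keylen == 32`. As written, a malformed key length passes verification and reaches the SA fill code, where cn9k's ipsec_sa_ctl_set() copies it into aes_key_len.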