From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 3B3C2A0350; Tue, 23 Jun 2020 13:19:54 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id E85AC1D65A; Tue, 23 Jun 2020 13:19:28 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by dpdk.org (Postfix) with ESMTP id 8CB681D66D for ; Tue, 23 Jun 2020 13:19:27 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 05NBFwjr030170; Tue, 23 Jun 2020 04:19:27 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0818; bh=d7vXVW1UkyGy9qQxV5m4Rbw3MAcSiaDKmSsbs2xw/Iw=; b=jYrmGDXM47W8x8CMS0SJ9qm6ldNBCLGezhIve8dFo5xUxpXIIFwTaaKyl0Y3uvUJaYuU fGqNCTr9k62bG3aBqh0NYjveXmbV46bR83Cn0RIA5g/mD1GNd02RCWjyu/b70kP4rCoO XLNc7ifAn3PS/VVyt+nPAk02CnQHoI2w4w11DlaRQOU+786Iq2s4p06FI467mljfXEwz +ys5/4DjjTLWAdR7FNRoEnsyk4NBx4ZylbMUe+f8XrKrEnLy1/a1scbiUUqSr1TE+vnS wVc1x5gnjQuv7v04hw2MWwhXs2Iv+UoqMRLISSEbg2/Wv/1D07Z+MwX+xHWx5zWNFnvj KQ== Received: from sc-exch04.marvell.com ([199.233.58.184]) by mx0b-0016f401.pphosted.com with ESMTP id 31shynw01j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 23 Jun 2020 04:19:26 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by SC-EXCH04.marvell.com (10.93.176.84) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 23 Jun 2020 04:19:25 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.2 via Frontend Transport; Tue, 23 Jun 2020 04:19:25 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id CAFEA3F7040; Tue, 23 Jun 2020 04:19:22 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau CC: Vamsi Attunuru , Narayana Prasad , Anoob Joseph , Tejasree Kondoj , Date: Tue, 23 Jun 2020 17:42:26 +0530 Message-ID: <20200623121228.10355-7-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200623121228.10355-1-ktejasree@marvell.com> References: <20200623121228.10355-1-ktejasree@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.687 definitions=2020-06-23_06:2020-06-23, 2020-06-23 signatures=0 Subject: [dpdk-dev] [PATCH 6/8] crypto/octeontx2: add cryptodev sec session create X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Vamsi Attunuru Signed-off-by: Vamsi Attunuru Signed-off-by: Tejasree Kondoj --- drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 466 +++++++++++++++++- drivers/crypto/octeontx2/otx2_ipsec_po.h | 295 +++++++++++ drivers/crypto/octeontx2/otx2_security.h | 9 + drivers/net/octeontx2/otx2_ethdev_sec.c | 9 - 4 files changed, 768 insertions(+), 11 deletions(-) diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c index 6e14b37a68..0172bf6aae 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c @@ -3,15 +3,477 @@ */ #include +#include +#include +#include +#include #include #include #include +#include #include "otx2_cryptodev.h" #include "otx2_cryptodev_capabilities.h" +#include "otx2_cryptodev_hw_access.h" +#include "otx2_cryptodev_ops.h" #include "otx2_cryptodev_sec.h" #include "otx2_security.h" +static int +ipsec_lp_len_precalc(struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *xform, + struct otx2_sec_session_ipsec_lp *priv_lp) +{ + struct rte_crypto_sym_xform *cipher_xform, *auth_xform; + + priv_lp->partial_len += sizeof(struct rte_ipv4_hdr); + + if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) { + priv_lp->partial_len += sizeof(struct rte_esp_hdr); + priv_lp->roundup_len = sizeof(struct rte_esp_tail); + } else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) { + priv_lp->partial_len += AH_HDR_LEN; + } else { + return -EINVAL; + } + + if (ipsec->options.udp_encap) + priv_lp->partial_len += sizeof(struct rte_udp_hdr); + + if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + priv_lp->partial_len += AES_GCM_IV_LEN; + priv_lp->partial_len += AES_GCM_MAC_LEN; + priv_lp->roundup_byte = AES_GCM_ROUNDUP_BYTE_LEN; + return 0; + } else { + return -EINVAL; + } + } + + if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + cipher_xform = xform; + auth_xform = xform->next; + } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { + auth_xform = xform; + cipher_xform = xform->next; + } else { + return -EINVAL; + } + + if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) { + priv_lp->partial_len += AES_CBC_IV_LEN; + priv_lp->roundup_byte = AES_CBC_ROUNDUP_BYTE_LEN; + } else { + return -EINVAL; + } + + if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) + priv_lp->partial_len += SHA1_HMAC_LEN; + else + return -EINVAL; + + return 0; +} + +static int +otx2_cpt_enq_sa_write(struct otx2_sec_session_ipsec_lp *lp, + struct otx2_cpt_qp *qptr, uint8_t opcode) +{ + uint64_t lmt_status, time_out; + void *lmtline = qptr->lmtline; + struct cpt_res_s_9s *res; + union cpt_inst_s inst; + cpt_vq_cmd_t uc_inst; + uint64_t *mdata; + int ret = 0; + + if (unlikely(rte_mempool_get(qptr->meta_info.pool, + (void **)&mdata) < 0)) + return -ENOMEM; + + res = (struct cpt_res_s_9s *)RTE_PTR_ALIGN(mdata, 16); + res->compcode = CPT_9X_COMP_E_NOTDONE; + + uc_inst.cmd.s.opcode = opcode | (lp->ctx_len << 8); + uc_inst.cmd.s.param1 = 0; + uc_inst.cmd.s.param2 = 0; + uc_inst.cmd.s.dlen = lp->ctx_len << 3; + uc_inst.dptr = rte_mempool_virt2iova(lp); + uc_inst.rptr = 0; + uc_inst.cptr.s.cptr = rte_mempool_virt2iova(lp); + uc_inst.cptr.s.grp = OTX2_CPT_EGRP_SE; + + memset(&inst, 0, sizeof(union cpt_inst_s)); + inst.s9x.res_addr = rte_mempool_virt2iova(res); + + rte_memcpy(&inst.s9x.ei0, &uc_inst, sizeof(cpt_vq_cmd_t)); + rte_cio_wmb(); + + do { + /* Copy CPT command to LMTLINE */ + otx2_lmt_mov(lmtline, &inst, 2); + lmt_status = otx2_lmt_submit(qptr->lf_nq_reg); + } while (lmt_status == 0); + + time_out = rte_get_timer_cycles() + + DEFAULT_COMMAND_TIMEOUT * rte_get_timer_hz(); + + while (res->compcode == CPT_9X_COMP_E_NOTDONE) { + if (rte_get_timer_cycles() > time_out) { + rte_mempool_put(qptr->meta_info.pool, mdata); + otx2_err("Request timed out"); + ret = -ETIMEDOUT; + goto exit; + } + rte_cio_rmb(); + } + + if (likely(res->compcode == CPT_9X_COMP_E_GOOD)) { + if (unlikely(res->uc_compcode)) { + ret = res->uc_compcode; + otx2_err("Request failed with microcode error"); + otx2_err("MC completion code 0x%x", res->uc_compcode); + ret = res->uc_compcode; + switch (res->uc_compcode) { + case OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED: + otx2_err("Auth type unsupported"); + break; + case OTX2_IPSEC_PO_CC_ENCRYPT_UNSUPPORTED: + otx2_err("Encrypt type unsupported"); + } + } + } else { + otx2_err("HW completion code 0x%x", res->compcode); + ret = res->compcode; + switch (res->compcode) { + case CPT_9X_COMP_E_INSTERR: + otx2_err("Request failed with instruction error"); + break; + case CPT_9X_COMP_E_FAULT: + otx2_err("Request failed with DMA fault"); + } + } + + rte_mempool_put(qptr->meta_info.pool, mdata); + +exit: + return ret; +} + +static void +set_session_misc_attributes(struct otx2_sec_session_ipsec_lp *sess, + struct rte_crypto_sym_xform *crypto_xform, + struct rte_crypto_sym_xform *auth_xform, + struct rte_crypto_sym_xform *cipher_xform) +{ + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + sess->iv_offset = crypto_xform->aead.iv.offset; + sess->iv_length = crypto_xform->aead.iv.length; + sess->aad_length = crypto_xform->aead.aad_length; + sess->mac_len = crypto_xform->aead.digest_length; + } else { + sess->iv_offset = cipher_xform->cipher.iv.offset; + sess->iv_length = cipher_xform->cipher.iv.length; + sess->auth_iv_offset = auth_xform->auth.iv.offset; + sess->auth_iv_length = auth_xform->auth.iv.length; + sess->mac_len = auth_xform->auth.digest_length; + } + + sess->ucmd_param1 = OTX2_IPSEC_PO_PER_PKT_IV; + sess->ucmd_param2 = 0; +} + +static int +crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, + struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *crypto_xform, + struct rte_security_session *sec_sess) +{ + struct rte_crypto_sym_xform *auth_xform, *cipher_xform; + struct otx2_sec_session_ipsec_lp *sess; + struct otx2_ipsec_po_sa_ctl *ctl_wrd; + const uint8_t *cipher_key, *auth_key; + int cipher_key_len, auth_key_len; + struct otx2_ipsec_po_out_sa *sa; + struct otx2_sec_session *priv; + struct otx2_cpt_inst_s inst; + int ret; + + priv = get_sec_session_private_data(sec_sess); + sess = &priv->ipsec.lp; + + sa = &sess->out_sa; + ctl_wrd = &sa->ctl; + if (ctl_wrd->valid) { + otx2_err("SA already registered"); + return -EINVAL; + } + + memset(sa, 0, sizeof(struct otx2_ipsec_po_out_sa)); + + /* Initialize inline ipsec private data */ + sess->ip_id = 0; + sess->seq_lo = 1; + sess->seq_hi = 0; + sess->partial_len = 0; + sess->roundup_len = 0; + sess->roundup_byte = 0; + + ret = ipsec_po_sa_ctl_set(ipsec, crypto_xform, ctl_wrd); + if (ret) + return ret; + + ret = ipsec_lp_len_precalc(ipsec, crypto_xform, sess); + if (ret < 0) + return ret; + + memcpy(sa->iv.misc.nonce, &ipsec->salt, 4); + + if (ipsec->options.udp_encap == 1) { + sa->udp_src = 4500; + sa->udp_dst = 4500; + } + + if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + /* Start ip id from 1 */ + sess->ip_id = 1; + + if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + struct rte_ipv4_hdr *ip = &sa->templt.ipv4.hdr; + + ip->version_ihl = RTE_IPV4_VHL_DEF; + ip->next_proto_id = IPPROTO_ESP; + ip->time_to_live = ipsec->tunnel.ipv4.ttl; + ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2); + if (ipsec->tunnel.ipv4.df) + ip->fragment_offset = BIT(14); + memcpy(&ip->src_addr, &ipsec->tunnel.ipv4.src_ip, + sizeof(struct in_addr)); + memcpy(&ip->dst_addr, &ipsec->tunnel.ipv4.dst_ip, + sizeof(struct in_addr)); + } else { + return -EINVAL; + } + } else { + return -EINVAL; + } + + cipher_xform = crypto_xform; + auth_xform = crypto_xform->next; + + cipher_key_len = 0; + auth_key_len = 0; + + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + cipher_key = crypto_xform->aead.key.data; + cipher_key_len = crypto_xform->aead.key.length; + + sess->ctx_len = sizeof(struct otx2_ipsec_po_out_sa); + sess->ctx_len >>= 3; + RTE_ASSERT(sess->ctx_len == OTX2_IPSEC_PO_AES_GCM_OUTB_CTX_LEN); + } else { + cipher_key = cipher_xform->cipher.key.data; + cipher_key_len = cipher_xform->cipher.key.length; + auth_key = auth_xform->auth.key.data; + auth_key_len = auth_xform->auth.key.length; + + /* TODO: check the ctx len for supporting ALGO */ + sess->ctx_len = sizeof(struct otx2_ipsec_po_out_sa) >> 3; + RTE_ASSERT(sess->ctx_len == OTX2_IPSEC_PO_MAX_OUTB_CTX_LEN); + } + + if (cipher_key_len != 0) + memcpy(sa->cipher_key, cipher_key, cipher_key_len); + else + return -EINVAL; + + /* Use OPAD & IPAD */ + RTE_SET_USED(auth_key); + RTE_SET_USED(auth_key_len); + + inst.u64[7] = 0; + inst.egrp = OTX2_CPT_EGRP_SE; + inst.cptr = rte_mempool_virt2iova(sa); + + sess->ucmd_w3 = inst.u64[7]; + sess->ucmd_opcode = (sess->ctx_len << 8) | + (OTX2_IPSEC_PO_PROCESS_IPSEC_OUTB); + + set_session_misc_attributes(sess, crypto_xform, + auth_xform, cipher_xform); + + return otx2_cpt_enq_sa_write(sess, crypto_dev->data->queue_pairs[0], + OTX2_IPSEC_PO_WRITE_IPSEC_OUTB); +} + +static int +crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev, + struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *crypto_xform, + struct rte_security_session *sec_sess) +{ + struct rte_crypto_sym_xform *auth_xform, *cipher_xform; + struct otx2_sec_session_ipsec_lp *sess; + struct otx2_ipsec_po_sa_ctl *ctl_wrd; + const uint8_t *cipher_key, *auth_key; + int cipher_key_len, auth_key_len; + struct otx2_ipsec_po_in_sa *sa; + struct otx2_sec_session *priv; + struct otx2_cpt_inst_s inst; + int ret; + + priv = get_sec_session_private_data(sec_sess); + sess = &priv->ipsec.lp; + + sa = &sess->in_sa; + ctl_wrd = &sa->ctl; + + if (ctl_wrd->valid) { + otx2_err("SA already registered"); + return -EINVAL; + } + + memset(sa, 0, sizeof(struct otx2_ipsec_po_in_sa)); + + ret = ipsec_po_sa_ctl_set(ipsec, crypto_xform, ctl_wrd); + if (ret) + return ret; + + auth_xform = crypto_xform; + cipher_xform = crypto_xform->next; + + cipher_key_len = 0; + auth_key_len = 0; + + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) + memcpy(sa->iv.misc.nonce, &ipsec->salt, 4); + cipher_key = crypto_xform->aead.key.data; + cipher_key_len = crypto_xform->aead.key.length; + + sess->ctx_len = offsetof(struct otx2_ipsec_po_in_sa, + aes_gcm.hmac_key[0]) >> 3; + RTE_ASSERT(sess->ctx_len == OTX2_IPSEC_PO_AES_GCM_INB_CTX_LEN); + } else { + cipher_key = cipher_xform->cipher.key.data; + cipher_key_len = cipher_xform->cipher.key.length; + auth_key = auth_xform->auth.key.data; + auth_key_len = auth_xform->auth.key.length; + + /* TODO: check the ctx len for supporting ALGO */ + sess->ctx_len = sizeof(struct otx2_ipsec_po_in_sa) >> 2; + RTE_ASSERT(sess->ctx_len == OTX2_IPSEC_PO_MAX_INB_CTX_LEN); + } + + if (cipher_key_len != 0) + memcpy(sa->cipher_key, cipher_key, cipher_key_len); + else + return -EINVAL; + + /* Use OPAD & IPAD */ + RTE_SET_USED(auth_key); + RTE_SET_USED(auth_key_len); + + inst.u64[7] = 0; + inst.egrp = OTX2_CPT_EGRP_SE; + inst.cptr = rte_mempool_virt2iova(sa); + + sess->ucmd_w3 = inst.u64[7]; + sess->ucmd_opcode = (sess->ctx_len << 8) | + (OTX2_IPSEC_PO_PROCESS_IPSEC_INB); + + set_session_misc_attributes(sess, crypto_xform, + auth_xform, cipher_xform); + + return otx2_cpt_enq_sa_write(sess, crypto_dev->data->queue_pairs[0], + OTX2_IPSEC_PO_WRITE_IPSEC_INB); +} + +static int +crypto_sec_ipsec_session_create(struct rte_cryptodev *crypto_dev, + struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *crypto_xform, + struct rte_security_session *sess) +{ + int ret; + + if (crypto_dev->data->queue_pairs[0] == NULL) { + otx2_err("Setup cpt queue pair before creating sec session"); + return -EPERM; + } + + ret = ipsec_po_xform_verify(ipsec, crypto_xform); + if (ret) + return ret; + + if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + return crypto_sec_ipsec_inb_session_create(crypto_dev, ipsec, + crypto_xform, sess); + else + return crypto_sec_ipsec_outb_session_create(crypto_dev, ipsec, + crypto_xform, sess); +} + +static int +otx2_crypto_sec_session_create(void *device, + struct rte_security_session_conf *conf, + struct rte_security_session *sess, + struct rte_mempool *mempool) +{ + struct otx2_sec_session *priv; + int ret; + + if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) + return -ENOTSUP; + + if (rte_mempool_get(mempool, (void **)&priv)) { + otx2_err("Could not allocate security session private data"); + return -ENOMEM; + } + + set_sec_session_private_data(sess, priv); + + priv->userdata = conf->userdata; + + if (conf->protocol == RTE_SECURITY_PROTOCOL_IPSEC) + ret = crypto_sec_ipsec_session_create(device, &conf->ipsec, + conf->crypto_xform, + sess); + else + ret = -ENOTSUP; + + if (ret) + goto mempool_put; + + return 0; + +mempool_put: + rte_mempool_put(mempool, priv); + set_sec_session_private_data(sess, NULL); + return ret; +} + +static int +otx2_crypto_sec_session_destroy(void *device __rte_unused, + struct rte_security_session *sess) +{ + struct otx2_sec_session *priv; + struct rte_mempool *sess_mp; + + priv = get_sec_session_private_data(sess); + + if (priv == NULL) + return 0; + + sess_mp = rte_mempool_from_obj(priv); + + set_sec_session_private_data(sess, NULL); + rte_mempool_put(sess_mp, priv); + + return 0; +} + static unsigned int otx2_crypto_sec_session_get_size(void *device __rte_unused) { @@ -40,8 +502,8 @@ otx2_crypto_sec_get_userdata(void *device __rte_unused, uint64_t md, } static struct rte_security_ops otx2_crypto_sec_ops = { - .session_create = NULL, - .session_destroy = NULL, + .session_create = otx2_crypto_sec_session_create, + .session_destroy = otx2_crypto_sec_session_destroy, .session_get_size = otx2_crypto_sec_session_get_size, .set_pkt_metadata = otx2_crypto_sec_set_pkt_mdata, .get_userdata = otx2_crypto_sec_get_userdata, diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h index 602b9d10e2..5d9f1393e2 100644 --- a/drivers/crypto/octeontx2/otx2_ipsec_po.h +++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h @@ -9,6 +9,83 @@ #include #include +#define OTX2_IPSEC_PO_AES_GCM_INB_CTX_LEN 0x09 +#define OTX2_IPSEC_PO_AES_GCM_OUTB_CTX_LEN 0x28 + +#define OTX2_IPSEC_PO_MAX_INB_CTX_LEN 0x22 +#define OTX2_IPSEC_PO_MAX_OUTB_CTX_LEN 0x38 + +#define OTX2_IPSEC_PO_PER_PKT_IV BIT(11) + +#define OTX2_IPSEC_PO_WRITE_IPSEC_OUTB 0x20 +#define OTX2_IPSEC_PO_WRITE_IPSEC_INB 0x21 +#define OTX2_IPSEC_PO_PROCESS_IPSEC_OUTB 0x23 +#define OTX2_IPSEC_PO_PROCESS_IPSEC_INB 0x24 + +enum otx2_ipsec_po_comp_e { + OTX2_IPSEC_PO_CC_SUCCESS = 0x00, + OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED = 0xB0, + OTX2_IPSEC_PO_CC_ENCRYPT_UNSUPPORTED = 0xB1, +}; + +enum { + OTX2_IPSEC_PO_SA_DIRECTION_INBOUND = 0, + OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND = 1, +}; + +enum { + OTX2_IPSEC_PO_SA_IP_VERSION_4 = 0, + OTX2_IPSEC_PO_SA_IP_VERSION_6 = 1, +}; + +enum { + OTX2_IPSEC_PO_SA_MODE_TRANSPORT = 0, + OTX2_IPSEC_PO_SA_MODE_TUNNEL = 1, +}; + +enum { + OTX2_IPSEC_PO_SA_PROTOCOL_AH = 0, + OTX2_IPSEC_PO_SA_PROTOCOL_ESP = 1, +}; + +enum { + OTX2_IPSEC_PO_SA_AES_KEY_LEN_128 = 1, + OTX2_IPSEC_PO_SA_AES_KEY_LEN_192 = 2, + OTX2_IPSEC_PO_SA_AES_KEY_LEN_256 = 3, +}; + +enum { + OTX2_IPSEC_PO_SA_ENC_NULL = 0, + OTX2_IPSEC_PO_SA_ENC_DES_CBC = 1, + OTX2_IPSEC_PO_SA_ENC_3DES_CBC = 2, + OTX2_IPSEC_PO_SA_ENC_AES_CBC = 3, + OTX2_IPSEC_PO_SA_ENC_AES_CTR = 4, + OTX2_IPSEC_PO_SA_ENC_AES_GCM = 5, + OTX2_IPSEC_PO_SA_ENC_AES_CCM = 6, +}; + +enum { + OTX2_IPSEC_PO_SA_AUTH_NULL = 0, + OTX2_IPSEC_PO_SA_AUTH_MD5 = 1, + OTX2_IPSEC_PO_SA_AUTH_SHA1 = 2, + OTX2_IPSEC_PO_SA_AUTH_SHA2_224 = 3, + OTX2_IPSEC_PO_SA_AUTH_SHA2_256 = 4, + OTX2_IPSEC_PO_SA_AUTH_SHA2_384 = 5, + OTX2_IPSEC_PO_SA_AUTH_SHA2_512 = 6, + OTX2_IPSEC_PO_SA_AUTH_AES_GMAC = 7, + OTX2_IPSEC_PO_SA_AUTH_AES_XCBC_128 = 8, +}; + +enum { + OTX2_IPSEC_PO_SA_FRAG_POST = 0, + OTX2_IPSEC_PO_SA_FRAG_PRE = 1, +}; + +enum { + OTX2_IPSEC_PO_SA_ENCAP_NONE = 0, + OTX2_IPSEC_PO_SA_ENCAP_UDP = 1, +}; + union bit_perfect_iv { uint8_t aes_iv[16]; uint8_t des_iv[8]; @@ -116,4 +193,222 @@ struct otx2_ipsec_po_out_sa { uint16_t udp_dst; }; +static inline int +ipsec_po_xform_cipher_verify(struct rte_crypto_sym_xform *xform) +{ + if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) { + switch (xform->cipher.key.length) { + case 16: + case 24: + case 32: + break; + default: + return -ENOTSUP; + } + return 0; + } + + return -ENOTSUP; +} + +static inline int +ipsec_po_xform_auth_verify(struct rte_crypto_sym_xform *xform) +{ + uint16_t keylen = xform->auth.key.length; + + if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) { + if (keylen >= 20 && keylen <= 64) + return 0; + } + + return -ENOTSUP; +} + +static inline int +ipsec_po_xform_aead_verify(struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *xform) +{ + if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && + xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT) + return -EINVAL; + + if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && + xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT) + return -EINVAL; + + if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + switch (xform->aead.key.length) { + case 16: + case 24: + case 32: + break; + default: + return -EINVAL; + } + return 0; + } + + return -ENOTSUP; +} + +static inline int +ipsec_po_xform_verify(struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *xform) +{ + struct rte_crypto_sym_xform *auth_xform, *cipher_xform; + int ret; + + if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) + return ipsec_po_xform_aead_verify(ipsec, xform); + + if (xform->next == NULL) + return -EINVAL; + + if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { + /* Ingress */ + if (xform->type != RTE_CRYPTO_SYM_XFORM_AUTH || + xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER) + return -EINVAL; + auth_xform = xform; + cipher_xform = xform->next; + } else { + /* Egress */ + if (xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER || + xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH) + return -EINVAL; + cipher_xform = xform; + auth_xform = xform->next; + } + + ret = ipsec_po_xform_cipher_verify(cipher_xform); + if (ret) + return ret; + + ret = ipsec_po_xform_auth_verify(auth_xform); + if (ret) + return ret; + + return 0; +} + +static inline int +ipsec_po_sa_ctl_set(struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *xform, + struct otx2_ipsec_po_sa_ctl *ctl) +{ + struct rte_crypto_sym_xform *cipher_xform, *auth_xform; + int aes_key_len; + + if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + ctl->direction = OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND; + cipher_xform = xform; + auth_xform = xform->next; + } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { + ctl->direction = OTX2_IPSEC_PO_SA_DIRECTION_INBOUND; + auth_xform = xform; + cipher_xform = xform->next; + } else { + return -EINVAL; + } + + if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) + ctl->outer_ip_ver = OTX2_IPSEC_PO_SA_IP_VERSION_4; + else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) + ctl->outer_ip_ver = OTX2_IPSEC_PO_SA_IP_VERSION_6; + else + return -EINVAL; + } + + ctl->inner_ip_ver = OTX2_IPSEC_PO_SA_IP_VERSION_4; + + if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) + ctl->ipsec_mode = OTX2_IPSEC_PO_SA_MODE_TRANSPORT; + else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) + ctl->ipsec_mode = OTX2_IPSEC_PO_SA_MODE_TUNNEL; + else + return -EINVAL; + + if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) + ctl->ipsec_proto = OTX2_IPSEC_PO_SA_PROTOCOL_AH; + else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) + ctl->ipsec_proto = OTX2_IPSEC_PO_SA_PROTOCOL_ESP; + else + return -EINVAL; + + if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_GCM; + aes_key_len = xform->aead.key.length; + } else { + return -ENOTSUP; + } + } else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) { + ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_CCM; + aes_key_len = xform->cipher.key.length; + } else { + return -ENOTSUP; + } + + + switch (aes_key_len) { + case 16: + ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_128; + break; + case 24: + ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_192; + break; + case 32: + ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_256; + break; + default: + return -EINVAL; + } + + if (xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) { + switch (auth_xform->auth.algo) { + case RTE_CRYPTO_AUTH_NULL: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_NULL; + break; + case RTE_CRYPTO_AUTH_MD5_HMAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_MD5; + break; + case RTE_CRYPTO_AUTH_SHA1_HMAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA1; + break; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_224; + break; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_256; + break; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_384; + break; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_512; + break; + case RTE_CRYPTO_AUTH_AES_GMAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_AES_GMAC; + break; + case RTE_CRYPTO_AUTH_AES_XCBC_MAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_AES_XCBC_128; + break; + default: + return -ENOTSUP; + } + } + + if (ipsec->options.esn == 1) + ctl->esn_en = 1; + + if (ipsec->options.udp_encap == 1) + ctl->encap_type = OTX2_IPSEC_PO_SA_ENCAP_UDP; + + ctl->spi = rte_cpu_to_be_32(ipsec->spi); + ctl->valid = 1; + + return 0; +} + #endif /* __OTX2_IPSEC_PO_H__ */ diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h index e76cd843c7..da7b33ab0d 100644 --- a/drivers/crypto/octeontx2/otx2_security.h +++ b/drivers/crypto/octeontx2/otx2_security.h @@ -9,6 +9,15 @@ #include "otx2_ethdev_sec.h" #include "otx2_ipsec_fp.h" +#define AH_HDR_LEN 12 +#define AES_GCM_IV_LEN 8 +#define AES_GCM_MAC_LEN 16 +#define AES_CBC_IV_LEN 16 +#define SHA1_HMAC_LEN 12 + +#define AES_GCM_ROUNDUP_BYTE_LEN 4 +#define AES_CBC_ROUNDUP_BYTE_LEN 16 + union otx2_sec_session_ipsec { struct otx2_sec_session_ipsec_ip ip; struct otx2_sec_session_ipsec_lp lp; diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c index c2ad32cf0c..daff86cd5c 100644 --- a/drivers/net/octeontx2/otx2_ethdev_sec.c +++ b/drivers/net/octeontx2/otx2_ethdev_sec.c @@ -21,15 +21,6 @@ #include "otx2_sec_idev.h" #include "otx2_security.h" -#define AH_HDR_LEN 12 -#define AES_GCM_IV_LEN 8 -#define AES_GCM_MAC_LEN 16 -#define AES_CBC_IV_LEN 16 -#define SHA1_HMAC_LEN 12 - -#define AES_GCM_ROUNDUP_BYTE_LEN 4 -#define AES_CBC_ROUNDUP_BYTE_LEN 16 - struct eth_sec_tag_const { RTE_STD_C11 union { -- 2.27.0