From: Tejasree Kondoj <ktejasree@marvell.com>
To: Akhil Goyal <akhil.goyal@nxp.com>, Radu Nicolau <radu.nicolau@intel.com>
Cc: Tejasree Kondoj <ktejasree@marvell.com>,
Anoob Joseph <anoobj@marvell.com>,
Ankur Dwivedi <adwivedi@marvell.com>, <dev@dpdk.org>
Subject: [dpdk-dev] [PATCH 1/2] common/cpt: support SSL/TLS way of cipher-auth operations
Date: Fri, 18 Dec 2020 19:40:15 +0530 [thread overview]
Message-ID: <20201218141016.1834-2-ktejasree@marvell.com> (raw)
In-Reply-To: <20201218141016.1834-1-ktejasree@marvell.com>
Adding support for SSL/TLS way of cipher-auth operations order
- auth generation followed by encryption
- decryption followed by auth verify
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/rel_notes/release_21_02.rst | 6 +++
drivers/common/cpt/cpt_mcode_defines.h | 7 +++-
drivers/common/cpt/cpt_ucode.h | 42 +++++++++++++++----
drivers/crypto/octeontx/otx_cryptodev_ops.c | 8 +++-
drivers/crypto/octeontx2/otx2_cryptodev_ops.c | 8 +++-
5 files changed, 59 insertions(+), 12 deletions(-)
diff --git a/doc/guides/rel_notes/release_21_02.rst b/doc/guides/rel_notes/release_21_02.rst
index 638f98168b..d1d4b25665 100644
--- a/doc/guides/rel_notes/release_21_02.rst
+++ b/doc/guides/rel_notes/release_21_02.rst
@@ -55,6 +55,12 @@ New Features
Also, make sure to start the actual text at the margin.
=======================================================
+* **Updated OCTEON TX and OCTEON TX2 crypto PMDs.**
+
+ * Added SSL/TLS way of cipher-auth operations support i.e. auth generation
+ followed by encryption and decryption followed by auth verify in OCTEONT TX
+ and OCTEON TX2 crypto PMDs.
+
Removed Items
-------------
diff --git a/drivers/common/cpt/cpt_mcode_defines.h b/drivers/common/cpt/cpt_mcode_defines.h
index 56a745f419..624bdcf3cf 100644
--- a/drivers/common/cpt/cpt_mcode_defines.h
+++ b/drivers/common/cpt/cpt_mcode_defines.h
@@ -20,6 +20,9 @@
#define CPT_MAJOR_OP_ZUC_SNOW3G 0x37
#define CPT_MAJOR_OP_KASUMI 0x38
#define CPT_MAJOR_OP_MISC 0x01
+#define CPT_HMAC_FIRST_BIT_POS 0x4
+#define CPT_FC_MINOR_OP_ENCRYPT 0x0
+#define CPT_FC_MINOR_OP_DECRYPT 0x1
/* AE opcodes */
#define CPT_MAJOR_OP_MODEX 0x03
@@ -314,8 +317,10 @@ struct cpt_ctx {
uint64_t hmac :1;
uint64_t zsk_flags :3;
uint64_t k_ecb :1;
+ uint64_t auth_enc :1;
+ uint64_t dec_auth :1;
uint64_t snow3g :2;
- uint64_t rsvd :21;
+ uint64_t rsvd :19;
/* Below fields are accessed by hardware */
union {
mc_fc_context_t fctx;
diff --git a/drivers/common/cpt/cpt_ucode.h b/drivers/common/cpt/cpt_ucode.h
index 0536620710..ee6d49aae7 100644
--- a/drivers/common/cpt/cpt_ucode.h
+++ b/drivers/common/cpt/cpt_ucode.h
@@ -752,7 +752,9 @@ cpt_enc_hmac_prep(uint32_t flags,
/* Encryption */
vq_cmd_w0.s.opcode.major = CPT_MAJOR_OP_FC;
- vq_cmd_w0.s.opcode.minor = 0;
+ vq_cmd_w0.s.opcode.minor = CPT_FC_MINOR_OP_ENCRYPT;
+ vq_cmd_w0.s.opcode.minor |= (cpt_ctx->auth_enc <<
+ CPT_HMAC_FIRST_BIT_POS);
if (hash_type == GMAC_TYPE) {
encr_offset = 0;
@@ -779,6 +781,9 @@ cpt_enc_hmac_prep(uint32_t flags,
outputlen = enc_dlen + mac_len;
}
+ if (cpt_ctx->auth_enc != 0)
+ outputlen = enc_dlen;
+
/* GP op header */
vq_cmd_w0.s.param1 = encr_data_len;
vq_cmd_w0.s.param2 = auth_data_len;
@@ -1112,7 +1117,9 @@ cpt_dec_hmac_prep(uint32_t flags,
/* Decryption */
vq_cmd_w0.s.opcode.major = CPT_MAJOR_OP_FC;
- vq_cmd_w0.s.opcode.minor = 1;
+ vq_cmd_w0.s.opcode.minor = CPT_FC_MINOR_OP_DECRYPT;
+ vq_cmd_w0.s.opcode.minor |= (cpt_ctx->dec_auth <<
+ CPT_HMAC_FIRST_BIT_POS);
if (hash_type == GMAC_TYPE) {
encr_offset = 0;
@@ -1130,6 +1137,9 @@ cpt_dec_hmac_prep(uint32_t flags,
outputlen = enc_dlen;
}
+ if (cpt_ctx->dec_auth != 0)
+ outputlen = inputlen = enc_dlen;
+
vq_cmd_w0.s.param1 = encr_data_len;
vq_cmd_w0.s.param2 = auth_data_len;
@@ -2566,6 +2576,7 @@ fill_sess_cipher(struct rte_crypto_sym_xform *xform,
struct cpt_sess_misc *sess)
{
struct rte_crypto_cipher_xform *c_form;
+ struct cpt_ctx *ctx = SESS_PRIV(sess);
cipher_type_t enc_type = 0; /* NULL Cipher type */
uint32_t cipher_key_len = 0;
uint8_t zsk_flag = 0, aes_ctr = 0, is_null = 0;
@@ -2574,9 +2585,14 @@ fill_sess_cipher(struct rte_crypto_sym_xform *xform,
if (c_form->op == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
sess->cpt_op |= CPT_OP_CIPHER_ENCRYPT;
- else if (c_form->op == RTE_CRYPTO_CIPHER_OP_DECRYPT)
+ else if (c_form->op == RTE_CRYPTO_CIPHER_OP_DECRYPT) {
sess->cpt_op |= CPT_OP_CIPHER_DECRYPT;
- else {
+ if (xform->next != NULL &&
+ xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+ /* Perform decryption followed by auth verify */
+ ctx->dec_auth = 1;
+ }
+ } else {
CPT_LOG_DP_ERR("Unknown cipher operation\n");
return -1;
}
@@ -2667,10 +2683,18 @@ static __rte_always_inline int
fill_sess_auth(struct rte_crypto_sym_xform *xform,
struct cpt_sess_misc *sess)
{
+ struct cpt_ctx *ctx = SESS_PRIV(sess);
struct rte_crypto_auth_xform *a_form;
auth_type_t auth_type = 0; /* NULL Auth type */
uint8_t zsk_flag = 0, aes_gcm = 0, is_null = 0;
+ if (xform->next != NULL &&
+ xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
+ xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
+ /* Perform auth followed by encryption */
+ ctx->auth_enc = 1;
+ }
+
a_form = &xform->auth;
if (a_form->op == RTE_CRYPTO_AUTH_OP_VERIFY)
@@ -2993,6 +3017,7 @@ fill_fc_params(struct rte_crypto_op *cop,
{
uint32_t space = 0;
struct rte_crypto_sym_op *sym_op = cop->sym;
+ struct cpt_ctx *ctx = SESS_PRIV(sess_misc);
void *mdata = NULL;
uintptr_t *op;
uint32_t mc_hash_off;
@@ -3120,9 +3145,10 @@ fill_fc_params(struct rte_crypto_op *cop,
m = m_src;
/* hmac immediately following data is best case */
- if (unlikely(rte_pktmbuf_mtod(m, uint8_t *) +
+ if (!ctx->dec_auth && !ctx->auth_enc &&
+ (unlikely(rte_pktmbuf_mtod(m, uint8_t *) +
mc_hash_off !=
- (uint8_t *)sym_op->auth.digest.data)) {
+ (uint8_t *)sym_op->auth.digest.data))) {
flags |= VALID_MAC_BUF;
fc_params.mac_buf.size =
sess_misc->mac_len;
@@ -3137,7 +3163,9 @@ fill_fc_params(struct rte_crypto_op *cop,
fc_params.ctx_buf.vaddr = SESS_PRIV(sess_misc);
fc_params.ctx_buf.dma_addr = sess_misc->ctx_dma_addr;
- if (unlikely(sess_misc->is_null || sess_misc->cpt_op == CPT_OP_DECODE))
+ if (!ctx->dec_auth &&
+ unlikely(sess_misc->is_null ||
+ sess_misc->cpt_op == CPT_OP_DECODE))
inplace = 0;
if (likely(!m_dst && inplace)) {
diff --git a/drivers/crypto/octeontx/otx_cryptodev_ops.c b/drivers/crypto/octeontx/otx_cryptodev_ops.c
index 0cf760b296..af7a1f64f8 100644
--- a/drivers/crypto/octeontx/otx_cryptodev_ops.c
+++ b/drivers/crypto/octeontx/otx_cryptodev_ops.c
@@ -205,12 +205,16 @@ sym_xform_verify(struct rte_crypto_sym_xform *xform)
if (xform->next) {
if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
- xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
+ xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT &&
+ (xform->auth.algo != RTE_CRYPTO_AUTH_SHA1_HMAC ||
+ xform->next->cipher.algo != RTE_CRYPTO_CIPHER_AES_CBC))
return -ENOTSUP;
if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
xform->cipher.op == RTE_CRYPTO_CIPHER_OP_DECRYPT &&
- xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH)
+ xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
+ (xform->cipher.algo != RTE_CRYPTO_CIPHER_AES_CBC ||
+ xform->next->auth.algo != RTE_CRYPTO_AUTH_SHA1_HMAC))
return -ENOTSUP;
if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index 5f2ccc0872..5511739663 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -320,12 +320,16 @@ sym_xform_verify(struct rte_crypto_sym_xform *xform)
if (xform->next) {
if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
- xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
+ xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT &&
+ (xform->auth.algo != RTE_CRYPTO_AUTH_SHA1_HMAC ||
+ xform->next->cipher.algo != RTE_CRYPTO_CIPHER_AES_CBC))
return -ENOTSUP;
if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
xform->cipher.op == RTE_CRYPTO_CIPHER_OP_DECRYPT &&
- xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH)
+ xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
+ (xform->cipher.algo != RTE_CRYPTO_CIPHER_AES_CBC ||
+ xform->next->auth.algo != RTE_CRYPTO_AUTH_SHA1_HMAC))
return -ENOTSUP;
if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
--
2.27.0
next prev parent reply other threads:[~2020-12-18 13:14 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-18 14:10 [dpdk-dev] [PATCH 0/2] " Tejasree Kondoj
2020-12-18 14:10 ` Tejasree Kondoj [this message]
2020-12-18 14:10 ` [dpdk-dev] [PATCH 2/2] test/crypto: " Tejasree Kondoj
2021-01-19 17:00 ` Akhil Goyal
2021-01-19 18:02 ` Doherty, Declan
2021-01-20 12:51 ` Zhang, Roy Fan
2021-01-20 14:34 ` Zhang, Roy Fan
2021-01-20 14:40 ` Tejasree Kondoj
2021-01-21 9:26 ` Kusztal, ArkadiuszX
2021-01-21 10:02 ` Tejasree Kondoj
2021-01-15 5:31 ` [dpdk-dev] [PATCH 0/2] " Anoob Joseph
2021-01-21 7:26 ` Tejasree Kondoj
2021-01-25 16:56 ` Akhil Goyal
2021-01-27 12:00 ` Tejasree Kondoj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201218141016.1834-2-ktejasree@marvell.com \
--to=ktejasree@marvell.com \
--cc=adwivedi@marvell.com \
--cc=akhil.goyal@nxp.com \
--cc=anoobj@marvell.com \
--cc=dev@dpdk.org \
--cc=radu.nicolau@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).