From: Ankur Dwivedi <adwivedi@marvell.com>
To: <dev@dpdk.org>
Cc: <akhil.goyal@nxp.com>, <anoobj@marvell.com>,
<ktejasree@marvell.com>, Ankur Dwivedi <adwivedi@marvell.com>
Subject: [dpdk-dev] [PATCH 2/2] crypto/octeontx2: add support for aes-cbc sha256-128-hmac
Date: Sat, 19 Dec 2020 12:24:56 +0530 [thread overview]
Message-ID: <20201219065456.24156-3-adwivedi@marvell.com> (raw)
In-Reply-To: <20201219065456.24156-1-adwivedi@marvell.com>
Support for aes-cbc sha256-128-hmac is added in lookaside protocol
mode. The functionality is verified using ipsec-secgw application.
Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
---
doc/guides/cryptodevs/octeontx2.rst | 1 +
doc/guides/rel_notes/release_21_02.rst | 2 +
drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 41 +++++++++++++++++--
drivers/crypto/octeontx2/otx2_ipsec_po.h | 25 ++++++++---
drivers/crypto/octeontx2/otx2_security.h | 1 +
5 files changed, 61 insertions(+), 9 deletions(-)
diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst
index ef21ad830e..fcfb649cce 100644
--- a/doc/guides/cryptodevs/octeontx2.rst
+++ b/doc/guides/cryptodevs/octeontx2.rst
@@ -179,3 +179,4 @@ Features supported
* Anti-replay
* AES-128/192/256-GCM
* AES-128/192/256-CBC-SHA1-HMAC
+* AES-128/192/256-CBC-SHA256-128-HMAC
diff --git a/doc/guides/rel_notes/release_21_02.rst b/doc/guides/rel_notes/release_21_02.rst
index c11c25806f..a6a689d01c 100644
--- a/doc/guides/rel_notes/release_21_02.rst
+++ b/doc/guides/rel_notes/release_21_02.rst
@@ -63,6 +63,8 @@ New Features
* Added support for aes-cbc sha1-hmac cipher combination in OCTEON TX2 crypto
PMD lookaside protocol offload for IPsec.
+ * Added support for aes-cbc sha256-128-hmac cipher combination in OCTEON TX2
+ crypto PMD lookaside protocol offload for IPsec.
Removed Items
-------------
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
index 3cdb5bd1e6..89ed7cbd25 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -74,6 +74,8 @@ ipsec_lp_len_precalc(struct rte_security_ipsec_xform *ipsec,
if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
lp->partial_len += OTX2_SEC_SHA1_HMAC_LEN;
+ else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
+ lp->partial_len += OTX2_SEC_SHA2_HMAC_LEN;
else
return -EINVAL;
@@ -268,6 +270,18 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
sa->sha1.template.ip4);
ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
lp->ctx_len = ctx_len >> 3;
+ } else if (ctl->auth_type ==
+ OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
+ if (ipsec->options.udp_encap) {
+ sa->sha2.template.ip4.udp_src = 4500;
+ sa->sha2.template.ip4.udp_dst = 4500;
+ }
+ ip = &sa->sha2.template.ip4.ipv4_hdr;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ sha2.template) + sizeof(
+ sa->sha2.template.ip4);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
}
ip->version_ihl = RTE_IPV4_VHL_DEF;
ip->next_proto_id = IPPROTO_ESP;
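Review bot: The `else if` chain on `ctl->auth_type` closes without a final `else`, and the very next line writes through `ip` (`ip->version_ihl = ...`), so an SA whose cipher/auth combination matches none of the branches would reach that write with `ip` not assigned by this chain. Unless `ip` is initialised or the combination is rejected earlier (the start of the chain and of crypto_sec_ipsec_outb_session_create is outside the hunk), a terminating `else { return -EINVAL; }` would make that case an explicit error. The IPv6 hunk that follows has the same shape with `ip6`. The new SHA2 branches also repeat the SHA1 ones except for the union member, so a small helper taking the template pointer would keep the copies from drifting apart.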
@@ -305,6 +319,18 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
sa->sha1.template.ip6);
ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
lp->ctx_len = ctx_len >> 3;
+ } else if (ctl->auth_type ==
+ OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
+ if (ipsec->options.udp_encap) {
+ sa->sha2.template.ip6.udp_src = 4500;
+ sa->sha2.template.ip6.udp_dst = 4500;
+ }
+ ip6 = &sa->sha2.template.ip6.ipv6_hdr;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ sha2.template) + sizeof(
+ sa->sha2.template.ip6);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
}
ip6->vtc_flow = rte_cpu_to_be_32(0x60000000 |
@@ -348,6 +374,8 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
memcpy(sa->sha1.hmac_key, auth_key, auth_key_len);
+ else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
+ memcpy(sa->sha2.hmac_key, auth_key, auth_key_len);
}
if (cipher_key_len != 0)
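Review bot: `memcpy(sa->sha2.hmac_key, auth_key, auth_key_len)` has no length check at the copy site; it stays inside the 64-byte `hmac_key` only because ipsec_po_xform_auth_verify() caps SHA256 keys at 64. That relies on the verifier having run on this xform before session creation, which is not visible in this hunk. A guard such as `if (auth_key_len > sizeof(sa->sha2.hmac_key)) return -EINVAL;`, or at least the comment `/* auth_key_len <= sizeof(sa->sha2.hmac_key), enforced by ipsec_po_xform_auth_verify() */`, would tie the two together. The enclosing function starts and ends outside the hunk.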
@@ -427,11 +455,16 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
auth_key = auth_xform->auth.key.data;
auth_key_len = auth_xform->auth.key.length;
- if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+ if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
memcpy(sa->aes_gcm.hmac_key, auth_key, auth_key_len);
-
- lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa,
- aes_gcm.selector) >> 3;
+ lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa,
+ aes_gcm.selector) >> 3;
+ } else if (auth_xform->auth.algo ==
+ RTE_CRYPTO_AUTH_SHA256_HMAC) {
+ memcpy(sa->sha2.hmac_key, auth_key, auth_key_len);
+ lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa,
+ sha2.selector) >> 3;
+ }
}
if (cipher_key_len != 0)
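Review bot: The SHA1 branch copies `auth_key_len` bytes into `sa->aes_gcm.hmac_key`, which otx2_ipsec_po.h declares as 48 bytes, while ipsec_po_xform_auth_verify() accepts SHA1 keys of up to 64 bytes; a 49 to 64 byte key would write past the array into the adjacent `selector`. Either check at the copy site, `if (auth_key_len > sizeof(sa->aes_gcm.hmac_key)) return -EINVAL;`, or lower the SHA1 upper bound in the verifier to match the inbound field. Separately, `lp->ctx_len` used to be assigned unconditionally in this block and is now set only inside the two algorithm branches, so a trailing `else` returning an error would keep it from being left unset if another algorithm ever reaches this point. The function body continues outside the hunk.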
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h
index 2141b6c793..8a672a38ea 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h
@@ -152,11 +152,18 @@ struct otx2_ipsec_po_in_sa {
/* w8 */
uint8_t udp_encap[8];
- /* w9-w23 */
- struct {
- uint8_t hmac_key[48];
- struct otx2_ipsec_po_traffic_selector selector;
- } aes_gcm;
+ /* w9-w33 */
+ union {
+ struct {
+ uint8_t hmac_key[48];
+ struct otx2_ipsec_po_traffic_selector selector;
+ } aes_gcm;
+ struct {
+ uint8_t hmac_key[64];
+ uint8_t hmac_iv[64];
+ struct otx2_ipsec_po_traffic_selector selector;
+ } sha2;
+ };
union {
struct otx2_ipsec_replay *replay;
uint64_t replay64;
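Review bot: `hmac_iv[64]` is added without a comment and no hunk in this patch writes to it, so a reader cannot tell whether the driver fills it elsewhere, the hardware fills it, or it must stay zero. A one-line comment on the field stating who writes it and when (confirmed against the SA format specification) would settle that; the same applies to the `sha2` member added to struct otx2_ipsec_po_out_sa in the next hunk. Since the struct mirrors a hardware word layout (the `w9-w33` comment), a compile-time assertion on `offsetof(struct otx2_ipsec_po_in_sa, sha2.selector)` would also catch accidental drift. The struct definition starts and ends outside the hunk.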
@@ -205,6 +212,11 @@ struct otx2_ipsec_po_out_sa {
uint8_t unused[24];
struct otx2_ipsec_po_ip_template template;
} sha1;
+ struct {
+ uint8_t hmac_key[64];
+ uint8_t hmac_iv[64];
+ struct otx2_ipsec_po_ip_template template;
+ } sha2;
};
};
@@ -234,6 +246,9 @@ ipsec_po_xform_auth_verify(struct rte_crypto_sym_xform *xform)
if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
if (keylen >= 20 && keylen <= 64)
return 0;
+ } else if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) {
+ if (keylen >= 32 && keylen <= 64)
+ return 0;
}
return -ENOTSUP;
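Review bot: The new bounds `32` and `64` are bare literals, yet the upper one is what keeps the later `memcpy` into `sha2.hmac_key[64]` in range, and nothing here says so. A comment on the branch such as `/* min: SHA-256 digest size; max: sizeof(sha2.hmac_key) in the SA structs */` would make the coupling visible to whoever changes either side. The function starts outside the hunk, so how `keylen` is derived is not visible here.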
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index 33d3b15155..9f1ba71b46 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -15,6 +15,7 @@
#define OTX2_SEC_AES_GCM_MAC_LEN 16
#define OTX2_SEC_AES_CBC_IV_LEN 16
#define OTX2_SEC_SHA1_HMAC_LEN 12
+#define OTX2_SEC_SHA2_HMAC_LEN 16
#define OTX2_SEC_AES_GCM_ROUNDUP_BYTE_LEN 4
#define OTX2_SEC_AES_CBC_ROUNDUP_BYTE_LEN 16
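Review bot: `OTX2_SEC_SHA2_HMAC_LEN` is named for the whole SHA-2 family, but 16 is the truncated ICV length of the sha256-128 variant this patch adds. If other SHA-2 variants with different ICV lengths are added later, the generic name invites reuse with the wrong length in ipsec_lp_len_precalc(). A more specific name, or a comment like `/* ICV length for HMAC-SHA256-128 (truncated to 128 bits) */`, would avoid that.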
--
2.28.0