* [dpdk-dev] [PATCH 0/2] crypto/octeontx2: add support for cipher combinations
@ 2020-12-19  6:54 Ankur Dwivedi
  2020-12-19  6:54 ` [dpdk-dev] [PATCH 1/2] crypto/octeontx2: add support for aes-cbc sha1-hmac Ankur Dwivedi
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Ankur Dwivedi @ 2020-12-19  6:54 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, anoobj, ktejasree, Ankur Dwivedi

This series adds support for aes-cbc sha1-hmac and aes-cbc sha256-128-hmac
cipher combinations in lookaside protocol offload mode. The functionality
has been verified with ipsec-secgw application running in lookaside
protocol offload mode.

This series should be applied after the following patch series:
http://patches.dpdk.org/project/dpdk/list/?series=14374

Ankur Dwivedi (2):
  crypto/octeontx2: add support for aes-cbc sha1-hmac
  crypto/octeontx2: add support for aes-cbc sha256-128-hmac

 doc/guides/cryptodevs/octeontx2.rst           |   2 +
 doc/guides/rel_notes/release_21_02.rst        |   5 +
 drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 128 +++++++++++++-----
 drivers/crypto/octeontx2/otx2_ipsec_po.h      |  62 ++++++---
 drivers/crypto/octeontx2/otx2_ipsec_po_ops.h  |   2 +-
 drivers/crypto/octeontx2/otx2_security.h      |   1 +
 6 files changed, 150 insertions(+), 50 deletions(-)

-- 
2.28.0



* [dpdk-dev] [PATCH 1/2] crypto/octeontx2: add support for aes-cbc sha1-hmac
  2020-12-19  6:54 [dpdk-dev] [PATCH 0/2] crypto/octeontx2: add support for cipher combinations Ankur Dwivedi
@ 2020-12-19  6:54 ` Ankur Dwivedi
  2020-12-19  6:54 ` [dpdk-dev] [PATCH 2/2] crypto/octeontx2: add support for aes-cbc sha256-128-hmac Ankur Dwivedi
  2021-01-15 16:06 ` [dpdk-dev] [PATCH 0/2] crypto/octeontx2: add support for cipher combinations Akhil Goyal
  2 siblings, 0 replies; 4+ messages in thread
From: Ankur Dwivedi @ 2020-12-19  6:54 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, anoobj, ktejasree, Ankur Dwivedi

Support for aes-cbc sha1-hmac is added in lookaside protocol
mode. The functionality is verified using ipsec-secgw application.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
---
 doc/guides/cryptodevs/octeontx2.rst           |  1 +
 doc/guides/rel_notes/release_21_02.rst        |  3 +
 drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 95 +++++++++++++------
 drivers/crypto/octeontx2/otx2_ipsec_po.h      | 37 +++++---
 drivers/crypto/octeontx2/otx2_ipsec_po_ops.h  |  2 +-
 5 files changed, 93 insertions(+), 45 deletions(-)

diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst
index 170f03dd0f..ef21ad830e 100644
--- a/doc/guides/cryptodevs/octeontx2.rst
+++ b/doc/guides/cryptodevs/octeontx2.rst
@@ -178,3 +178,4 @@ Features supported
 * ESN
 * Anti-replay
 * AES-128/192/256-GCM
+* AES-128/192/256-CBC-SHA1-HMAC
diff --git a/doc/guides/rel_notes/release_21_02.rst b/doc/guides/rel_notes/release_21_02.rst
index d9ca17e83c..c11c25806f 100644
--- a/doc/guides/rel_notes/release_21_02.rst
+++ b/doc/guides/rel_notes/release_21_02.rst
@@ -60,6 +60,9 @@ New Features
   * Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with
     ESN and anti-replay support.
 
+  * Added support for aes-cbc sha1-hmac cipher combination in OCTEON TX2 crypto
+    PMD lookaside protocol offload for IPsec.
+
 
 Removed Items
 -------------
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
index 1f5645f2f1..3cdb5bd1e6 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -206,11 +206,11 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 	struct otx2_ipsec_po_sa_ctl *ctl;
 	int cipher_key_len, auth_key_len;
 	struct otx2_ipsec_po_out_sa *sa;
+	struct rte_ipv6_hdr *ip6 = NULL;
+	struct rte_ipv4_hdr *ip = NULL;
 	struct otx2_sec_session *sess;
 	struct otx2_cpt_inst_s inst;
-	struct rte_ipv6_hdr *ip6;
-	struct rte_ipv4_hdr *ip;
-	int ret;
+	int ret, ctx_len;
 
 	sess = get_sec_session_private_data(sec_sess);
 	sess->ipsec.dir = RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
@@ -239,19 +239,36 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 	if (ret)
 		return ret;
 
-	memcpy(sa->iv.gcm.nonce, &ipsec->salt, 4);
-
-	if (ipsec->options.udp_encap) {
-		sa->udp_src = 4500;
-		sa->udp_dst = 4500;
-	}
-
 	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
 		/* Start ip id from 1 */
 		lp->ip_id = 1;
 
 		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
-			ip = &sa->template.ipv4_hdr;
+
+			if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
+				if (ipsec->options.udp_encap) {
+					sa->aes_gcm.template.ip4.udp_src = 4500;
+					sa->aes_gcm.template.ip4.udp_dst = 4500;
+				}
+				ip = &sa->aes_gcm.template.ip4.ipv4_hdr;
+				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+						aes_gcm.template) + sizeof(
+						sa->aes_gcm.template.ip4);
+				ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+				lp->ctx_len = ctx_len >> 3;
+			} else if (ctl->auth_type ==
+					OTX2_IPSEC_PO_SA_AUTH_SHA1) {
+				if (ipsec->options.udp_encap) {
+					sa->sha1.template.ip4.udp_src = 4500;
+					sa->sha1.template.ip4.udp_dst = 4500;
+				}
+				ip = &sa->sha1.template.ip4.ipv4_hdr;
+				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+						sha1.template) + sizeof(
+						sa->sha1.template.ip4);
+				ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+				lp->ctx_len = ctx_len >> 3;
+			}
 			ip->version_ihl = RTE_IPV4_VHL_DEF;
 			ip->next_proto_id = IPPROTO_ESP;
 			ip->time_to_live = ipsec->tunnel.ipv4.ttl;
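Review bot: `ip` can still be NULL when `ip->version_ihl = RTE_IPV4_VHL_DEF;` runs, because the new if / else-if on `ctl->enc_type` and `ctl->auth_type` has no final else. Any SA control word that is neither AES-GCM nor SHA1 falls through with `ip == NULL` and with `ctx_len` and `lp->ctx_len` never assigned. Add a final `else` that returns an error (for example -ENOTSUP) before the header template is filled in, so that correctness here does not depend on an earlier validation step staying in sync with this list.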
@@ -264,7 +281,32 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				sizeof(struct in_addr));
 		} else if (ipsec->tunnel.type ==
 				RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
-			ip6 = &sa->template.ipv6_hdr;
+
+			if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
+				if (ipsec->options.udp_encap) {
+					sa->aes_gcm.template.ip6.udp_src = 4500;
+					sa->aes_gcm.template.ip6.udp_dst = 4500;
+				}
+				ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr;
+				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+						aes_gcm.template) + sizeof(
+						sa->aes_gcm.template.ip6);
+				ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+				lp->ctx_len = ctx_len >> 3;
+			} else if (ctl->auth_type ==
+					OTX2_IPSEC_PO_SA_AUTH_SHA1) {
+				if (ipsec->options.udp_encap) {
+					sa->sha1.template.ip6.udp_src = 4500;
+					sa->sha1.template.ip6.udp_dst = 4500;
+				}
+				ip6 = &sa->sha1.template.ip6.ipv6_hdr;
+				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+						sha1.template) + sizeof(
+						sa->sha1.template.ip6);
+				ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+				lp->ctx_len = ctx_len >> 3;
+			}
+
 			ip6->vtc_flow = rte_cpu_to_be_32(0x60000000 |
 				((ipsec->tunnel.ipv6.dscp <<
 					RTE_IPV6_HDR_TC_SHIFT) &
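Review bot: the IPv6 block repeats the IPv4 block line for line with `ip4` swapped for `ip6`, which makes four copies of the same UDP-port and ctx_len logic in this function. A small helper that takes the template pointer and its offset within struct otx2_ipsec_po_out_sa would reduce each algorithm to one call. The missing final `else` matters here too: `ip6` is initialised to NULL and is dereferenced at `ip6->vtc_flow` if neither branch is taken.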
@@ -294,21 +336,18 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 	auth_key_len = 0;
 
 	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
+			memcpy(sa->iv.gcm.nonce, &ipsec->salt, 4);
 		cipher_key = crypto_xform->aead.key.data;
 		cipher_key_len = crypto_xform->aead.key.length;
-
-		lp->ctx_len = sizeof(struct otx2_ipsec_po_out_sa);
-		lp->ctx_len >>= 3;
-		RTE_ASSERT(lp->ctx_len == OTX2_IPSEC_PO_AES_GCM_OUTB_CTX_LEN);
 	} else {
 		cipher_key = cipher_xform->cipher.key.data;
 		cipher_key_len = cipher_xform->cipher.key.length;
 		auth_key = auth_xform->auth.key.data;
 		auth_key_len = auth_xform->auth.key.length;
 
-		/* TODO: check the ctx len for supporting ALGO */
-		lp->ctx_len = sizeof(struct otx2_ipsec_po_out_sa) >> 3;
-		RTE_ASSERT(lp->ctx_len == OTX2_IPSEC_PO_MAX_OUTB_CTX_LEN);
+		if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+			memcpy(sa->sha1.hmac_key, auth_key, auth_key_len);
 	}
 
 	if (cipher_key_len != 0)
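Review bot: the `memcpy(sa->sha1.hmac_key, auth_key, auth_key_len);` in the else branch is not bounded by the destination size. This patch declares the field as `uint8_t hmac_key[24]` in struct otx2_ipsec_po_out_sa, while the SHA1 check in ipsec_po_xform_auth_verify() (visible as context in patch 2/2) accepts `keylen >= 20 && keylen <= 64`. If that check is the only length gate on this path, a key longer than 24 bytes overwrites `unused[24]`, and one longer than 48 bytes runs into the IP header template. Either narrow the accepted range to what the SA field holds or reject `auth_key_len > sizeof(sa->sha1.hmac_key)` before the copy.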
@@ -316,10 +355,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 	else
 		return -EINVAL;
 
-	/* Use OPAD & IPAD */
-	RTE_SET_USED(auth_key);
-	RTE_SET_USED(auth_key_len);
-
 	inst.u64[7] = 0;
 	inst.egrp = OTX2_CPT_EGRP_SE;
 	inst.cptr = rte_mempool_virt2iova(sa);
@@ -342,9 +377,9 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
 				    struct rte_security_session *sec_sess)
 {
 	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	const uint8_t *cipher_key, *auth_key;
 	struct otx2_sec_session_ipsec_lp *lp;
 	struct otx2_ipsec_po_sa_ctl *ctl;
-	const uint8_t *cipher_key, *auth_key;
 	int cipher_key_len, auth_key_len;
 	struct otx2_ipsec_po_in_sa *sa;
 	struct otx2_sec_session *sess;
@@ -392,9 +427,11 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
 		auth_key = auth_xform->auth.key.data;
 		auth_key_len = auth_xform->auth.key.length;
 
-		/* TODO: check the ctx len for supporting ALGO */
-		lp->ctx_len = sizeof(struct otx2_ipsec_po_in_sa) >> 2;
-		RTE_ASSERT(lp->ctx_len == OTX2_IPSEC_PO_MAX_INB_CTX_LEN);
+		if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+			memcpy(sa->aes_gcm.hmac_key, auth_key, auth_key_len);
+
+		lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa,
+					    aes_gcm.selector) >> 3;
 	}
 
 	if (cipher_key_len != 0)
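Review bot: the SHA1 HMAC key is copied into `sa->aes_gcm.hmac_key`, a member named for a different algorithm, and the copy length is not checked against the field. The inbound SA declares that field as `hmac_key[48]` directly followed by the traffic selector (see the otx2_ipsec_po_in_sa context in patch 2/2), while the SHA1 key-length check allows up to 64 bytes. Give SHA1 its own union member, as the outbound SA does, and compare `auth_key_len` with `sizeof()` of the destination before the memcpy. The shift also changed from `>> 2` in the removed line to `>> 3` here; the commit message should say why the unit changed.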
@@ -402,10 +439,6 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
 	else
 		return -EINVAL;
 
-	/* Use OPAD & IPAD */
-	RTE_SET_USED(auth_key);
-	RTE_SET_USED(auth_key_len);
-
 	inst.u64[7] = 0;
 	inst.egrp = OTX2_CPT_EGRP_SE;
 	inst.cptr = rte_mempool_virt2iova(sa);
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h
index 6d25e29734..2141b6c793 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h
@@ -10,10 +10,6 @@
 #include <rte_security.h>
 
 #define OTX2_IPSEC_PO_AES_GCM_INB_CTX_LEN    0x09
-#define OTX2_IPSEC_PO_AES_GCM_OUTB_CTX_LEN   0x28
-
-#define OTX2_IPSEC_PO_MAX_INB_CTX_LEN    0x22
-#define OTX2_IPSEC_PO_MAX_OUTB_CTX_LEN   0x38
 
 #define OTX2_IPSEC_PO_PER_PKT_IV  BIT(11)
 
@@ -171,9 +167,16 @@ struct otx2_ipsec_po_in_sa {
 struct otx2_ipsec_po_ip_template {
 	RTE_STD_C11
 	union {
-		uint8_t raw[252];
-		struct rte_ipv4_hdr ipv4_hdr;
-		struct rte_ipv6_hdr ipv6_hdr;
+		struct {
+			struct rte_ipv4_hdr ipv4_hdr;
+			uint16_t udp_src;
+			uint16_t udp_dst;
+		} ip4;
+		struct {
+			struct rte_ipv6_hdr ipv6_hdr;
+			uint16_t udp_src;
+			uint16_t udp_dst;
+		} ip6;
 	};
 };
 
@@ -191,10 +194,18 @@ struct otx2_ipsec_po_out_sa {
 	uint32_t esn_hi;
 	uint32_t esn_low;
 
-	/* w8-w39 */
-	struct otx2_ipsec_po_ip_template template;
-	uint16_t udp_src;
-	uint16_t udp_dst;
+	/* w8-w55 */
+	union {
+		uint8_t raw[384];
+		struct {
+			struct otx2_ipsec_po_ip_template template;
+		} aes_gcm;
+		struct {
+			uint8_t hmac_key[24];
+			uint8_t unused[24];
+			struct otx2_ipsec_po_ip_template template;
+		} sha1;
+	};
 };
 
 static inline int
@@ -348,8 +359,8 @@ ipsec_po_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
 			return -ENOTSUP;
 		}
 	} else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
-		ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_CCM;
-		aes_key_len = xform->cipher.key.length;
+		ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_CBC;
+		aes_key_len = cipher_xform->cipher.key.length;
 	} else {
 		return -ENOTSUP;
 	}
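Review bot: the two replaced lines in the AES-CBC branch are a bug fix rather than part of the new feature: the old code set `enc_type` to OTX2_IPSEC_PO_SA_ENC_AES_CCM and read the key length from `xform` instead of `cipher_xform`. Please move this into its own patch with a Fixes: tag so it can be reviewed and backported independently of the SHA1-HMAC support.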
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
index c0c936141d..f4cab19811 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
@@ -111,7 +111,7 @@ process_outb_sa(struct rte_crypto_op *cop,
 		memcpy(&hdr->iv[0], &sa->iv.gcm.nonce, 4);
 		memcpy(&hdr->iv[4], rte_crypto_op_ctod_offset(cop, uint8_t *,
 			sess->iv_offset), sess->iv_length);
-	} else if (ctl_wrd->auth_type == OTX2_IPSEC_FP_SA_ENC_AES_CBC) {
+	} else if (ctl_wrd->auth_type == OTX2_IPSEC_PO_SA_AUTH_SHA1) {
 		memcpy(&hdr->iv[0], rte_crypto_op_ctod_offset(cop, uint8_t *,
 			sess->iv_offset), sess->iv_length);
 	}
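Review bot: the `else if` still selects the AES-CBC IV copy by `ctl_wrd->auth_type`, now compared with OTX2_IPSEC_PO_SA_AUTH_SHA1. The IV is a property of the cipher, so the condition should test the encryption type for AES-CBC instead of the authentication algorithm. As written, patch 2/2 introduces OTX2_IPSEC_PO_SA_AUTH_SHA2_256 without touching otx2_ipsec_po_ops.h, so an AES-CBC with SHA256 SA would skip this memcpy and leave `hdr->iv` unset.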
-- 
2.28.0



* [dpdk-dev] [PATCH 2/2] crypto/octeontx2: add support for aes-cbc sha256-128-hmac
  2020-12-19  6:54 [dpdk-dev] [PATCH 0/2] crypto/octeontx2: add support for cipher combinations Ankur Dwivedi
  2020-12-19  6:54 ` [dpdk-dev] [PATCH 1/2] crypto/octeontx2: add support for aes-cbc sha1-hmac Ankur Dwivedi
@ 2020-12-19  6:54 ` Ankur Dwivedi
  2021-01-15 16:06 ` [dpdk-dev] [PATCH 0/2] crypto/octeontx2: add support for cipher combinations Akhil Goyal
  2 siblings, 0 replies; 4+ messages in thread
From: Ankur Dwivedi @ 2020-12-19  6:54 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, anoobj, ktejasree, Ankur Dwivedi

Support for aes-cbc sha256-128-hmac is added in lookaside protocol
mode. The functionality is verified using ipsec-secgw application.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
---
 doc/guides/cryptodevs/octeontx2.rst           |  1 +
 doc/guides/rel_notes/release_21_02.rst        |  2 +
 drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 41 +++++++++++++++++--
 drivers/crypto/octeontx2/otx2_ipsec_po.h      | 25 ++++++++---
 drivers/crypto/octeontx2/otx2_security.h      |  1 +
 5 files changed, 61 insertions(+), 9 deletions(-)

diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst
index ef21ad830e..fcfb649cce 100644
--- a/doc/guides/cryptodevs/octeontx2.rst
+++ b/doc/guides/cryptodevs/octeontx2.rst
@@ -179,3 +179,4 @@ Features supported
 * Anti-replay
 * AES-128/192/256-GCM
 * AES-128/192/256-CBC-SHA1-HMAC
+* AES-128/192/256-CBC-SHA256-128-HMAC
diff --git a/doc/guides/rel_notes/release_21_02.rst b/doc/guides/rel_notes/release_21_02.rst
index c11c25806f..a6a689d01c 100644
--- a/doc/guides/rel_notes/release_21_02.rst
+++ b/doc/guides/rel_notes/release_21_02.rst
@@ -63,6 +63,8 @@ New Features
   * Added support for aes-cbc sha1-hmac cipher combination in OCTEON TX2 crypto
     PMD lookaside protocol offload for IPsec.
 
+  * Added support for aes-cbc sha256-128-hmac cipher combination in OCTEON TX2
+    crypto PMD lookaside protocol offload for IPsec.
 
 Removed Items
 -------------
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
index 3cdb5bd1e6..89ed7cbd25 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -74,6 +74,8 @@ ipsec_lp_len_precalc(struct rte_security_ipsec_xform *ipsec,
 
 	if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
 		lp->partial_len += OTX2_SEC_SHA1_HMAC_LEN;
+	else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
+		lp->partial_len += OTX2_SEC_SHA2_HMAC_LEN;
 	else
 		return -EINVAL;
 
@@ -268,6 +270,18 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 						sa->sha1.template.ip4);
 				ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
 				lp->ctx_len = ctx_len >> 3;
+			} else if (ctl->auth_type ==
+					OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
+				if (ipsec->options.udp_encap) {
+					sa->sha2.template.ip4.udp_src = 4500;
+					sa->sha2.template.ip4.udp_dst = 4500;
+				}
+				ip = &sa->sha2.template.ip4.ipv4_hdr;
+				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+						sha2.template) + sizeof(
+						sa->sha2.template.ip4);
+				ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+				lp->ctx_len = ctx_len >> 3;
 			}
 			ip->version_ihl = RTE_IPV4_VHL_DEF;
 			ip->next_proto_id = IPPROTO_ESP;
@@ -305,6 +319,18 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 						sa->sha1.template.ip6);
 				ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
 				lp->ctx_len = ctx_len >> 3;
+			} else if (ctl->auth_type ==
+					OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
+				if (ipsec->options.udp_encap) {
+					sa->sha2.template.ip6.udp_src = 4500;
+					sa->sha2.template.ip6.udp_dst = 4500;
+				}
+				ip6 = &sa->sha2.template.ip6.ipv6_hdr;
+				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+						sha2.template) + sizeof(
+						sa->sha2.template.ip6);
+				ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+				lp->ctx_len = ctx_len >> 3;
 			}
 
 			ip6->vtc_flow = rte_cpu_to_be_32(0x60000000 |
@@ -348,6 +374,8 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 
 		if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
 			memcpy(sa->sha1.hmac_key, auth_key, auth_key_len);
+		else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
+			memcpy(sa->sha2.hmac_key, auth_key, auth_key_len);
 	}
 
 	if (cipher_key_len != 0)
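Review bot: `sha2.hmac_iv` is never written. The new branch copies only the key with `memcpy(sa->sha2.hmac_key, auth_key, auth_key_len);`, and nothing else in this series touches the 64-byte `hmac_iv` field added to both SA structs. If the hardware fills it in, a comment next to the field should say so; if the driver is expected to precompute it, that code is missing from the patch.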
@@ -427,11 +455,16 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
 		auth_key = auth_xform->auth.key.data;
 		auth_key_len = auth_xform->auth.key.length;
 
-		if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+		if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
 			memcpy(sa->aes_gcm.hmac_key, auth_key, auth_key_len);
-
-		lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa,
-					    aes_gcm.selector) >> 3;
+			lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa,
+						    aes_gcm.selector) >> 3;
+		} else if (auth_xform->auth.algo ==
+				RTE_CRYPTO_AUTH_SHA256_HMAC) {
+			memcpy(sa->sha2.hmac_key, auth_key, auth_key_len);
+			lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa,
+						    sha2.selector) >> 3;
+		}
 	}
 
 	if (cipher_key_len != 0)
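Review bot: `lp->ctx_len` is now assigned only inside the SHA1 and SHA256 branches, where before this change it was set unconditionally in this else block. Any other auth algorithm that reaches here leaves `lp->ctx_len` at whatever it held before. Add a final `else` returning -ENOTSUP so the inbound path fails closed when an algorithm is added to the verify function but not to this chain.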
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h
index 2141b6c793..8a672a38ea 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h
@@ -152,11 +152,18 @@ struct otx2_ipsec_po_in_sa {
 	/* w8 */
 	uint8_t udp_encap[8];
 
-	/* w9-w23 */
-	struct {
-		uint8_t hmac_key[48];
-		struct otx2_ipsec_po_traffic_selector selector;
-	} aes_gcm;
+	/* w9-w33 */
+	union {
+		struct {
+			uint8_t hmac_key[48];
+			struct otx2_ipsec_po_traffic_selector selector;
+		} aes_gcm;
+		struct {
+			uint8_t hmac_key[64];
+			uint8_t hmac_iv[64];
+			struct otx2_ipsec_po_traffic_selector selector;
+		} sha2;
+	};
 	union {
 		struct otx2_ipsec_replay *replay;
 		uint64_t replay64;
@@ -205,6 +212,11 @@ struct otx2_ipsec_po_out_sa {
 			uint8_t unused[24];
 			struct otx2_ipsec_po_ip_template template;
 		} sha1;
+		struct {
+			uint8_t hmac_key[64];
+			uint8_t hmac_iv[64];
+			struct otx2_ipsec_po_ip_template template;
+		} sha2;
 	};
 };
 
@@ -234,6 +246,9 @@ ipsec_po_xform_auth_verify(struct rte_crypto_sym_xform *xform)
 	if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
 		if (keylen >= 20 && keylen <= 64)
 			return 0;
+	} else if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) {
+		if (keylen >= 32 && keylen <= 64)
+			return 0;
 	}
 
 	return -ENOTSUP;
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index 33d3b15155..9f1ba71b46 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -15,6 +15,7 @@
 #define OTX2_SEC_AES_GCM_MAC_LEN		16
 #define OTX2_SEC_AES_CBC_IV_LEN			16
 #define OTX2_SEC_SHA1_HMAC_LEN			12
+#define OTX2_SEC_SHA2_HMAC_LEN			16
 
 #define OTX2_SEC_AES_GCM_ROUNDUP_BYTE_LEN	4
 #define OTX2_SEC_AES_CBC_ROUNDUP_BYTE_LEN	16
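Review bot: `OTX2_SEC_SHA2_HMAC_LEN` is named for the whole SHA-2 family, but 16 is the truncated ICV length of HMAC-SHA256-128 only. A name that carries the variant (for example OTX2_SEC_SHA256_128_HMAC_LEN) avoids the value being reused by mistake when SHA384 or SHA512 support is added.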
-- 
2.28.0



* Re: [dpdk-dev] [PATCH 0/2] crypto/octeontx2: add support for cipher combinations
  2020-12-19  6:54 [dpdk-dev] [PATCH 0/2] crypto/octeontx2: add support for cipher combinations Ankur Dwivedi
  2020-12-19  6:54 ` [dpdk-dev] [PATCH 1/2] crypto/octeontx2: add support for aes-cbc sha1-hmac Ankur Dwivedi
  2020-12-19  6:54 ` [dpdk-dev] [PATCH 2/2] crypto/octeontx2: add support for aes-cbc sha256-128-hmac Ankur Dwivedi
@ 2021-01-15 16:06 ` Akhil Goyal
  2 siblings, 0 replies; 4+ messages in thread
From: Akhil Goyal @ 2021-01-15 16:06 UTC (permalink / raw)
  To: Ankur Dwivedi, dev; +Cc: anoobj, ktejasree

> This series adds support for aes-cbc sha1-hmac and aes-cbc sha256-128-hmac
> cipher combinations in lookaside protocol offload mode. The functionality
> has been verified with ipsec-secgw application running in lookaside
> protocol offload mode.
> 
> This series should be applied after the following patch series:
> http://patches.dpdk.org/project/dpdk/list/?series=14374
> 
Applied to dpdk-next-crypto

Thanks.


