From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ankur Dwivedi
Date: Sat, 19 Dec 2020 12:24:56 +0530
Message-ID: <20201219065456.24156-3-adwivedi@marvell.com>
In-Reply-To: <20201219065456.24156-1-adwivedi@marvell.com>
References: <20201219065456.24156-1-adwivedi@marvell.com>
Subject: [dpdk-dev] [PATCH 2/2] crypto/octeontx2: add support for aes-cbc sha256-128-hmac

Support for aes-cbc sha256-128-hmac is added in lookaside protocol mode. The functionality is verified using ipsec-secgw application.

Signed-off-by: Ankur Dwivedi
--- doc/guides/cryptodevs/octeontx2.rst | 1 + doc/guides/rel_notes/release_21_02.rst | 2 + drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 41 +++++++++++++++++-- drivers/crypto/octeontx2/otx2_ipsec_po.h | 25 ++++++++--- drivers/crypto/octeontx2/otx2_security.h | 1 + 5 files changed, 61 insertions(+), 9 deletions(-) diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst index ef21ad830e..fcfb649cce 100644 --- a/doc/guides/cryptodevs/octeontx2.rst +++ b/doc/guides/cryptodevs/octeontx2.rst @@ -179,3 +179,4 @@ Features supported * Anti-replay * AES-128/192/256-GCM * AES-128/192/256-CBC-SHA1-HMAC +* AES-128/192/256-CBC-SHA256-128-HMAC diff --git a/doc/guides/rel_notes/release_21_02.rst b/doc/guides/rel_notes/release_21_02.rst index c11c25806f..a6a689d01c 100644 --- a/doc/guides/rel_notes/release_21_02.rst +++ b/doc/guides/rel_notes/release_21_02.rst 
@@ -63,6 +63,8 @@ New Features * Added support for aes-cbc sha1-hmac cipher combination in OCTEON TX2 crypto PMD lookaside protocol offload for IPsec. + * Added support for aes-cbc sha256-128-hmac cipher combination in OCTEON TX2 + crypto PMD lookaside protocol offload for IPsec. Removed Items ------------- diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c index 3cdb5bd1e6..89ed7cbd25 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c @@ -74,6 +74,8 @@ ipsec_lp_len_precalc(struct rte_security_ipsec_xform *ipsec, if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) lp->partial_len += OTX2_SEC_SHA1_HMAC_LEN; + else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) + lp->partial_len += OTX2_SEC_SHA2_HMAC_LEN; else return -EINVAL; @@ -268,6 +270,18 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, sa->sha1.template.ip4); ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); lp->ctx_len = ctx_len >> 3; + } else if (ctl->auth_type == + OTX2_IPSEC_PO_SA_AUTH_SHA2_256) { + if (ipsec->options.udp_encap) { + sa->sha2.template.ip4.udp_src = 4500; + sa->sha2.template.ip4.udp_dst = 4500; + } + ip = &sa->sha2.template.ip4.ipv4_hdr; + ctx_len = offsetof(struct otx2_ipsec_po_out_sa, + sha2.template) + sizeof( + sa->sha2.template.ip4); + ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); + lp->ctx_len = ctx_len >> 3; } ip->version_ihl = RTE_IPV4_VHL_DEF; ip->next_proto_id = IPPROTO_ESP; 
@@ -305,6 +319,18 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, sa->sha1.template.ip6); ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); lp->ctx_len = ctx_len >> 3; + } else if (ctl->auth_type == + OTX2_IPSEC_PO_SA_AUTH_SHA2_256) { + if (ipsec->options.udp_encap) { + sa->sha2.template.ip6.udp_src = 4500; + sa->sha2.template.ip6.udp_dst = 4500; + } + ip6 = &sa->sha2.template.ip6.ipv6_hdr; + ctx_len = offsetof(struct otx2_ipsec_po_out_sa, + sha2.template) + sizeof( + sa->sha2.template.ip6); + ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); + lp->ctx_len = ctx_len >> 3; } ip6->vtc_flow = rte_cpu_to_be_32(0x60000000 | @@ -348,6 +374,8 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) memcpy(sa->sha1.hmac_key, auth_key, auth_key_len); + else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) + memcpy(sa->sha2.hmac_key, auth_key, auth_key_len); } if (cipher_key_len != 0) @@ -427,11 +455,16 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev, auth_key = auth_xform->auth.key.data; auth_key_len = auth_xform->auth.key.length; - if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) + if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) { memcpy(sa->aes_gcm.hmac_key, auth_key, auth_key_len); - - lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa, - aes_gcm.selector) >> 3; + lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa, + aes_gcm.selector) >> 3; + } else if (auth_xform->auth.algo == + RTE_CRYPTO_AUTH_SHA256_HMAC) { + memcpy(sa->sha2.hmac_key, auth_key, auth_key_len); + lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa, + sha2.selector) >> 3; + } } if (cipher_key_len != 0) diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h index 2141b6c793..8a672a38ea 100644 --- a/drivers/crypto/octeontx2/otx2_ipsec_po.h +++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h 
@@ -152,11 +152,18 @@ struct otx2_ipsec_po_in_sa { /* w8 */ uint8_t udp_encap[8]; - /* w9-w23 */ - struct { - uint8_t hmac_key[48]; - struct otx2_ipsec_po_traffic_selector selector; - } aes_gcm; + /* w9-w33 */ + union { + struct { + uint8_t hmac_key[48]; + struct otx2_ipsec_po_traffic_selector selector; + } aes_gcm; + struct { + uint8_t hmac_key[64]; + uint8_t hmac_iv[64]; + struct otx2_ipsec_po_traffic_selector selector; + } sha2; + }; union { struct otx2_ipsec_replay *replay; uint64_t replay64; @@ -205,6 +212,11 @@ struct otx2_ipsec_po_out_sa { uint8_t unused[24]; struct otx2_ipsec_po_ip_template template; } sha1; + struct { + uint8_t hmac_key[64]; + uint8_t hmac_iv[64]; + struct otx2_ipsec_po_ip_template template; + } sha2; }; }; @@ -234,6 +246,9 @@ ipsec_po_xform_auth_verify(struct rte_crypto_sym_xform *xform) if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) { if (keylen >= 20 && keylen <= 64) return 0; + } else if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) { + if (keylen >= 32 && keylen <= 64) + return 0; } return -ENOTSUP; diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h index 33d3b15155..9f1ba71b46 100644 --- a/drivers/crypto/octeontx2/otx2_security.h +++ b/drivers/crypto/octeontx2/otx2_security.h @@ -15,6 +15,7 @@ #define OTX2_SEC_AES_GCM_MAC_LEN 16 #define OTX2_SEC_AES_CBC_IV_LEN 16 #define OTX2_SEC_SHA1_HMAC_LEN 12 +#define OTX2_SEC_SHA2_HMAC_LEN 16 #define OTX2_SEC_AES_GCM_ROUNDUP_BYTE_LEN 4 #define OTX2_SEC_AES_CBC_ROUNDUP_BYTE_LEN 16 -- 2.28.0
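
Review bot: in crypto_sec_ipsec_outb_session_create(), the IPv4 hunk at -268 adds `else if (ctl->auth_type == OTX2_IPSEC_PO_SA_AUTH_SHA2_256)` to a chain that still has no terminating else, and `ip->version_ihl = RTE_IPV4_VHL_DEF;` runs immediately after it. If auth_type matches none of the branches, ip and ctx_len keep whatever they held before the chain. Add a final else that returns an error, or point to where auth_type is validated earlier. The new branch also ends with the same ctx_len computation as the sha1 branch above it; a small helper taking the template pointer and its offset would keep the two from drifting apart.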
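
Review bot: in the IPv6 hunk at -305 of otx2_cryptodev_sec.c, `sa->sha2.template.ip6.udp_src = 4500;` and the matching udp_dst line store the port as a bare host-order literal, while the context line just below converts `ip6->vtc_flow` with rte_cpu_to_be_32(). If the template bytes go on the wire unchanged, the ports need rte_cpu_to_be_16(); if the device expects host order here, a one-line comment saying so would settle it. Either way, a named constant for 4500 would be better than repeating the literal in both the IPv4 and IPv6 hunks.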
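
Review bot: in the outbound key-copy hunk at -348, `memcpy(sa->sha2.hmac_key, auth_key, auth_key_len);` writes only auth_key_len bytes of the 64-byte hmac_key array, so for any key shorter than 64 bytes the remainder of the field holds whatever was in the SA before. Please confirm the SA is zeroed before this point, or clear the field explicitly before the copy. The if / else-if here also has no else, so an unexpected auth algo falls through with no key copied and no error.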
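
Review bot: in crypto_sec_ipsec_inb_session_create() (hunk at -427), lp->ctx_len was previously assigned unconditionally after the SHA1 check and is now assigned only inside the SHA1 and SHA256 branches, so any other auth algo reaching this block leaves it unset; add an else that returns an error. Separately, the SHA1 branch copies into `sa->aes_gcm.hmac_key`, which otx2_ipsec_po.h declares as `uint8_t hmac_key[48]`, while ipsec_po_xform_auth_verify() accepts SHA1 keys up to 64 bytes. Since this line is being touched anyway, either cap the SHA1 key length at 48 or copy into a field sized for the accepted range.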
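
Review bot: the new sha2 member of struct otx2_ipsec_po_in_sa (hunk at -152, and the matching member added to otx2_ipsec_po_out_sa) declares `uint8_t hmac_iv[64];`, but nothing in this patch writes to it; the session-create hunks only memcpy into sha2.hmac_key. Please add a comment stating who fills hmac_iv and when, or populate it in session create if that is the driver's job. Also, turning the aes_gcm struct into a union that now runs to w33 instead of w23 moves the replay pointer and everything after it by ten words; a note in the commit message on whether those fields are software-only, or a build-time check on the offsets, would make that change easier to trust.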
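
Review bot: in ipsec_po_xform_auth_verify() (hunk at -234), the new bounds `keylen >= 32 && keylen <= 64` are bare literals, and the upper one has to stay equal to the size of sha2.hmac_key[64] for the memcpy calls in otx2_cryptodev_sec.c to stay in bounds. Express the upper bound through sizeof on the field or a shared macro, and add a short comment on where the 32-byte minimum comes from.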
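
Review bot: in otx2_security.h, `#define OTX2_SEC_SHA2_HMAC_LEN 16` is named for the whole SHA2 family, but 16 is the truncated tag length of sha256-128-hmac, the only SHA2 variant this patch enables in ipsec_lp_len_precalc(). A name that carries the variant and truncation, or at least a comment next to the define, would stop the value being reused for a different SHA2 digest later.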