From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 443F8A0548; Thu, 1 Apr 2021 12:30:38 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id B3C6F141004; Thu, 1 Apr 2021 12:30:23 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id EDB28141000 for ; Thu, 1 Apr 2021 12:30:22 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 131ALAP1014433; Thu, 1 Apr 2021 03:30:22 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=HEm9oF8ChK9mCOKnX523rsuL0vM6ozoFVloMVsArceQ=; b=SYvFXSwyUalW6VXKRuaPMtx6XCP4cARqISDi1o/m0nRiWr6H7CcmeHRiFqlbFm/TAN6B sl9dsWcnEZfUK/Iv/ijTqGWSIg/3ydZTofCqjHk3V7ZAdoF1/8bww4bRtS70hqzAjlAF PBrDbBlSPt/yz8DV2C+ycGh4fNUaX+arW3HaPrsJJldH7+aN99NuYGRGrSiG5qpjOiiG b1x4fR9jl+0nSFsgGYf99uR6w7E0TogmDBdTkOmfom0mKEw0WjD6GhlTPBbaoMbzhLxq ev8dEp4p1khZvC1W3MKK+FahNsTPSZOApEVSlojKs4u5/Lbxx8GdiqbbQqKkBb1eVQGj TA== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0b-0016f401.pphosted.com with ESMTP id 37n28jj1qf-4 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 01 Apr 2021 03:30:22 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 1 Apr 2021 03:30:19 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.2 via Frontend Transport; Thu, 1 Apr 2021 03:30:19 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id 43F553F7044; Thu, 1 Apr 2021 03:30:17 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Jerin Jacob , Date: Thu, 1 Apr 2021 16:56:23 +0530 Message-ID: <20210401112623.20951-5-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210401112623.20951-1-ktejasree@marvell.com> References: <20210401112623.20951-1-ktejasree@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-GUID: eeg1EEOmKL79RuDJTytCHi0rhY4ibLhP X-Proofpoint-ORIG-GUID: eeg1EEOmKL79RuDJTytCHi0rhY4ibLhP X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-04-01_04:2021-03-31, 2021-04-01 signatures=0 Subject: [dpdk-dev] [PATCH v2 4/4] crypto/octeontx2: support lookaside IPv4 transport mode X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Adding support for IPv4 lookaside IPsec transport mode. Signed-off-by: Tejasree Kondoj --- doc/guides/cryptodevs/octeontx2.rst | 1 + doc/guides/rel_notes/release_21_05.rst | 2 + drivers/crypto/octeontx2/otx2_cryptodev_ops.c | 7 +- drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 110 ++++++++++-------- drivers/crypto/octeontx2/otx2_cryptodev_sec.h | 4 +- drivers/crypto/octeontx2/otx2_ipsec_po.h | 6 + drivers/crypto/octeontx2/otx2_ipsec_po_ops.h | 8 +- 7 files changed, 78 insertions(+), 60 deletions(-) diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst index b30f98180a..811e61a1f6 100644 --- a/doc/guides/cryptodevs/octeontx2.rst +++ b/doc/guides/cryptodevs/octeontx2.rst @@ -179,6 +179,7 @@ Features supported * IPv6 * ESP * Tunnel mode +* Transport mode(IPv4) * ESN * Anti-replay * UDP Encapsulation diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst index 9ef2537b1a..be8c36b92e 100644 --- a/doc/guides/rel_notes/release_21_05.rst +++ b/doc/guides/rel_notes/release_21_05.rst @@ -103,6 +103,8 @@ New Features * Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with UDP encapsulation support for NAT Traversal. + * Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with + IPv4 transport mode support. * **Updated testpmd.** diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c index cec20b5c6d..c20170bcaa 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c @@ -928,7 +928,7 @@ otx2_cpt_sec_post_process(struct rte_crypto_op *cop, uintptr_t *rsp) struct rte_mbuf *m = sym_op->m_src; struct rte_ipv6_hdr *ip6; struct rte_ipv4_hdr *ip; - uint16_t m_len; + uint16_t m_len = 0; int mdata_len; char *data; @@ -938,11 +938,12 @@ otx2_cpt_sec_post_process(struct rte_crypto_op *cop, uintptr_t *rsp) if (word0->s.opcode.major == OTX2_IPSEC_PO_PROCESS_IPSEC_INB) { data = rte_pktmbuf_mtod(m, char *); - if (rsp[4] == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + if (rsp[4] == OTX2_IPSEC_PO_TRANSPORT || + rsp[4] == OTX2_IPSEC_PO_TUNNEL_IPV4) { ip = (struct rte_ipv4_hdr *)(data + OTX2_IPSEC_PO_INB_RPTR_HDR); m_len = rte_be_to_cpu_16(ip->total_length); - } else { + } else if (rsp[4] == OTX2_IPSEC_PO_TUNNEL_IPV6) { ip6 = (struct rte_ipv6_hdr *)(data + OTX2_IPSEC_PO_INB_RPTR_HDR); m_len = rte_be_to_cpu_16(ip6->payload_len) + diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c index 8942ff1fac..6493ce8370 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c @@ -25,12 +25,15 @@ ipsec_lp_len_precalc(struct rte_security_ipsec_xform *ipsec, { struct rte_crypto_sym_xform *cipher_xform, *auth_xform; - if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) - lp->partial_len = sizeof(struct rte_ipv4_hdr); - else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) - lp->partial_len = sizeof(struct rte_ipv6_hdr); - else - return -EINVAL; + lp->partial_len = 0; + if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) + lp->partial_len = sizeof(struct rte_ipv4_hdr); + else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) + lp->partial_len = sizeof(struct rte_ipv6_hdr); + else + return -EINVAL; + } if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) { lp->partial_len += sizeof(struct rte_esp_hdr); @@ -203,7 +206,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, struct rte_security_session *sec_sess) { struct rte_crypto_sym_xform *auth_xform, *cipher_xform; - struct otx2_ipsec_po_ip_template *template; + struct otx2_ipsec_po_ip_template *template = NULL; const uint8_t *cipher_key, *auth_key; struct otx2_sec_session_ipsec_lp *lp; struct otx2_ipsec_po_sa_ctl *ctl; @@ -229,10 +232,10 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, memset(sa, 0, sizeof(struct otx2_ipsec_po_out_sa)); /* Initialize lookaside ipsec private data */ + lp->mode_type = OTX2_IPSEC_PO_TRANSPORT; lp->ip_id = 0; lp->seq_lo = 1; lp->seq_hi = 0; - lp->tunnel_type = ipsec->tunnel.type; ret = ipsec_po_sa_ctl_set(ipsec, crypto_xform, ctl); if (ret) @@ -242,46 +245,47 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, if (ret) return ret; - if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { - /* Start ip id from 1 */ - lp->ip_id = 1; + /* Start ip id from 1 */ + lp->ip_id = 1; + + if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) { + template = &sa->aes_gcm.template; + ctx_len = offsetof(struct otx2_ipsec_po_out_sa, + aes_gcm.template) + sizeof( + sa->aes_gcm.template.ip4); + ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); + lp->ctx_len = ctx_len >> 3; + } else if (ctl->auth_type == + OTX2_IPSEC_PO_SA_AUTH_SHA1) { + template = &sa->sha1.template; + ctx_len = offsetof(struct otx2_ipsec_po_out_sa, + sha1.template) + sizeof( + sa->sha1.template.ip4); + ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); + lp->ctx_len = ctx_len >> 3; + } else if (ctl->auth_type == + OTX2_IPSEC_PO_SA_AUTH_SHA2_256) { + template = &sa->sha2.template; + ctx_len = offsetof(struct otx2_ipsec_po_out_sa, + sha2.template) + sizeof( + sa->sha2.template.ip4); + ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); + lp->ctx_len = ctx_len >> 3; + } else { + return -EINVAL; + } + ip = &template->ip4.ipv4_hdr; + if (ipsec->options.udp_encap) { + ip->next_proto_id = IPPROTO_UDP; + template->ip4.udp_src = rte_be_to_cpu_16(4500); + template->ip4.udp_dst = rte_be_to_cpu_16(4500); + } else { + ip->next_proto_id = IPPROTO_ESP; + } + if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { - - if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) { - template = &sa->aes_gcm.template; - ctx_len = offsetof(struct otx2_ipsec_po_out_sa, - aes_gcm.template) + sizeof( - sa->aes_gcm.template.ip4); - ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); - lp->ctx_len = ctx_len >> 3; - } else if (ctl->auth_type == - OTX2_IPSEC_PO_SA_AUTH_SHA1) { - template = &sa->sha1.template; - ctx_len = offsetof(struct otx2_ipsec_po_out_sa, - sha1.template) + sizeof( - sa->sha1.template.ip4); - ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); - lp->ctx_len = ctx_len >> 3; - } else if (ctl->auth_type == - OTX2_IPSEC_PO_SA_AUTH_SHA2_256) { - template = &sa->sha2.template; - ctx_len = offsetof(struct otx2_ipsec_po_out_sa, - sha2.template) + sizeof( - sa->sha2.template.ip4); - ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); - lp->ctx_len = ctx_len >> 3; - } else { - return -EINVAL; - } - ip = &template->ip4.ipv4_hdr; - if (ipsec->options.udp_encap) { - ip->next_proto_id = IPPROTO_UDP; - template->ip4.udp_src = rte_be_to_cpu_16(4500); - template->ip4.udp_dst = rte_be_to_cpu_16(4500); - } else { - ip->next_proto_id = IPPROTO_ESP; - } + lp->mode_type = OTX2_IPSEC_PO_TUNNEL_IPV4; ip->version_ihl = RTE_IPV4_VHL_DEF; ip->time_to_live = ipsec->tunnel.ipv4.ttl; ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2); @@ -294,6 +298,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, } else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) { + lp->mode_type = OTX2_IPSEC_PO_TUNNEL_IPV6; if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) { ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr; ctx_len = offsetof(struct otx2_ipsec_po_out_sa, @@ -336,11 +341,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, sizeof(struct in6_addr)); memcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr, sizeof(struct in6_addr)); - } else { - return -EINVAL; } - } else { - return -EINVAL; } cipher_xform = crypto_xform; @@ -421,13 +422,20 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev, if (ret) return ret; - lp->tunnel_type = ipsec->tunnel.type; + lp->mode_type = OTX2_IPSEC_PO_TRANSPORT; + auth_xform = crypto_xform; cipher_xform = crypto_xform->next; cipher_key_len = 0; auth_key_len = 0; + if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) + lp->mode_type = (ipsec->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) ? + OTX2_IPSEC_PO_TUNNEL_IPV4 : + OTX2_IPSEC_PO_TUNNEL_IPV6; + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) memcpy(sa->iv.gcm.nonce, &ipsec->salt, 4); diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.h b/drivers/crypto/octeontx2/otx2_cryptodev_sec.h index 2849c1ab75..87f55c97fe 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.h +++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.h @@ -55,8 +55,8 @@ struct otx2_sec_session_ipsec_lp { uint8_t iv_length; /** Auth IV length in bytes */ uint8_t auth_iv_length; - /** IPsec tunnel type */ - enum rte_security_ipsec_tunnel_type tunnel_type; + /** IPsec mode and tunnel type */ + enum otx2_ipsec_po_mode_type mode_type; }; int otx2_crypto_sec_ctx_create(struct rte_cryptodev *crypto_dev); diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h index eda9f19738..b3e7456551 100644 --- a/drivers/crypto/octeontx2/otx2_ipsec_po.h +++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h @@ -20,6 +20,12 @@ #define OTX2_IPSEC_PO_INB_RPTR_HDR 0x8 +enum otx2_ipsec_po_mode_type { + OTX2_IPSEC_PO_TRANSPORT = 1, + OTX2_IPSEC_PO_TUNNEL_IPV4, + OTX2_IPSEC_PO_TUNNEL_IPV6, +}; + enum otx2_ipsec_po_comp_e { OTX2_IPSEC_PO_CC_SUCCESS = 0x00, OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED = 0xB0, diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h index f4cab19811..58b199f4f3 100644 --- a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h +++ b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h @@ -26,7 +26,7 @@ otx2_ipsec_po_out_rlen_get(struct otx2_sec_session_ipsec_lp *sess, static __rte_always_inline struct cpt_request_info * alloc_request_struct(char *maddr, void *cop, int mdata_len, - enum rte_security_ipsec_tunnel_type tunnel_type) + enum otx2_ipsec_po_mode_type mode_type) { struct cpt_request_info *req; struct cpt_meta_info *meta; @@ -48,7 +48,7 @@ alloc_request_struct(char *maddr, void *cop, int mdata_len, op[1] = (uintptr_t)cop; op[2] = (uintptr_t)req; op[3] = mdata_len; - op[4] = tunnel_type; + op[4] = mode_type; return req; } @@ -89,7 +89,7 @@ process_outb_sa(struct rte_crypto_op *cop, mdata += extend_tail; /* mdata follows encrypted data */ req = alloc_request_struct(mdata, (void *)cop, mdata_len, - sess->tunnel_type); + sess->mode_type); data = rte_pktmbuf_prepend(m_src, extend_head); if (unlikely(data == NULL)) { @@ -162,7 +162,7 @@ process_inb_sa(struct rte_crypto_op *cop, } req = alloc_request_struct(mdata, (void *)cop, mdata_len, - sess->tunnel_type); + sess->mode_type); /* Prepare CPT instruction */ word0.u64 = sess->ucmd_w0; -- 2.27.0