From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 96CBBA0548; Sun, 9 May 2021 18:07:04 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 368AA41162; Sun, 9 May 2021 18:05:56 +0200 (CEST) Received: from NAM12-DM6-obe.outbound.protection.outlook.com (mail-dm6nam12on2068.outbound.protection.outlook.com [40.107.243.68]) by mails.dpdk.org (Postfix) with ESMTP id DF15141158 for ; Sun, 9 May 2021 18:05:52 +0200 (CEST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=U44+TW0Lqwub5/PHXGoDACF/zecf9puz1LA7k8GeqKmBuThSfh5d1Wdd6dUQq5a2AZdhp84vMvhw4OlAo2na2UcoqtHW8kSkN0ZGZqQ8G65UKIERmWvfNOb+9kzv4KqbGD31DbtPm/tU4GPo/TU7YaOjvOzCLCVtfG9W+IvqAAU13BqdHkZoAWGf3ze7yO6cQGTqUr38DEMaVyfB0yvsWs1SDeFkTXxkBl4yLuqWjVxIPQuKyfFisUcrkQuBZT1uidT/JZrlqplBLRN/T88rf7ttNZPe8CJ2jL9wU2xkqV+tpDWqdGaZ0HGZ0CVNLf45swPwCP8aDrKgq21wDPfB/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=C4zhoVA84OXybRk4XS9m39CN8kz0/RGWspvpH7bhZqA=; b=kSjQ6HhIgFrJ1BvpI4mwgv4pPnbiVWlcsruH28sgLq1eY0yuekucKv7/CdNVIMyAe6dN7ekJVwr7YYXM3lhLMO5iCzj63WY6ALHuVNsSE2DQWR13qCJVtW2jRd14DEXAq1XUT65736SEZuFc+rh1FCiFey5ow7qozsfIB5e/SxHQvqZgFl4zbh3wlzsw2F6fKCbSEcwsZQoL9tKTYglaReK8nnYlY7ElUKJTmx2jZpEJLlNDi6oUHs9tScGPjB/3KNBE/OJLRShkTFfhUnNfAfgFdWctZoEJHvwVBU9lSD/AzocD4drIrSFLvwJmCMWzgXyHqpUOfDraTcmU8FhGDw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.112.34) smtp.rcpttodomain=monjalon.net smtp.mailfrom=nvidia.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=C4zhoVA84OXybRk4XS9m39CN8kz0/RGWspvpH7bhZqA=; b=CaQRz8SvJbNiv6wI1rLNoKHlgUkINKE0d9itQnQXvMtpD6yWOtTLIko4+OtQmhFmdeW3p4N85N2Um1Uwzge+XnCWaYiCfOHJAxTobGUfuNP8VVbcAy1Vslm0MqMpd6IsHN9cyIusjtbBF/IxYsXhX1uLwYI3EJcTaJHNyhK+6pCnHyW0lbjsx0Kuj+hYdPLtzVLdwBnmLE2b1nR7Btyd5ikPBhk4pYLzmyc1XGVrO2zKl6VYy3YfOzkBCtHtU5St4TKW55/umLL+2Zq7rp27ksxiruaWS7cjihazqOs0ydPRVEk4UV0FJI4hTUaLoTYA5bb/fuEjImAM5IJtW3o4Eg== Received: from MWHPR14CA0010.namprd14.prod.outlook.com (2603:10b6:300:ae::20) by DM6PR12MB4170.namprd12.prod.outlook.com (2603:10b6:5:219::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4108.25; Sun, 9 May 2021 16:05:51 +0000 Received: from CO1NAM11FT005.eop-nam11.prod.protection.outlook.com (2603:10b6:300:ae:cafe::11) by MWHPR14CA0010.outlook.office365.com (2603:10b6:300:ae::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4108.25 via Frontend Transport; Sun, 9 May 2021 16:05:51 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.112.34) smtp.mailfrom=nvidia.com; monjalon.net; dkim=none (message not signed) header.d=none;monjalon.net; dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.112.34 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.112.34; helo=mail.nvidia.com; Received: from mail.nvidia.com (216.228.112.34) by CO1NAM11FT005.mail.protection.outlook.com (10.13.174.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.4108.25 via Frontend Transport; Sun, 9 May 2021 16:05:49 +0000 Received: from nvidia.com (172.20.145.6) by HQMAIL107.nvidia.com (172.20.187.13) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sun, 9 May 2021 16:05:47 +0000 From: Matan Azrad To: CC: , , , "Thomas Monjalon" , Shiri Kuzin Date: Sun, 9 May 2021 19:05:07 +0300 Message-ID: <20210509160507.224644-15-matan@nvidia.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210509160507.224644-1-matan@nvidia.com> References: <20210504210857.3398397-1-matan@nvidia.com> <20210509160507.224644-1-matan@nvidia.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Originating-IP: [172.20.145.6] X-ClientProxiedBy: HQMAIL105.nvidia.com (172.20.187.12) To HQMAIL107.nvidia.com (172.20.187.13) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 2ee02323-acc1-4752-20ed-08d913045053 X-MS-TrafficTypeDiagnostic: DM6PR12MB4170: X-LD-Processed: 43083d15-7273-40c1-b7db-39efd9ccc17a,ExtAddr X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:8882; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: Xo6RgcncI4CErH0DncPB8+SpWb6V3oTx6YOkPHazRYdB3HYo5ch+cOv/lSpzIZW+UMH2BXT4IKmbhZRL0iN87Q3rXAMrNXq5JPG/Hq4+fFrQg26MXd4JIyAMKtzoyK0OIWyW6bkup+0G5kjMCDcG9FaJKkvr0LZkM/mGN5Fs4dErj+s4L6jBBSbCiezZMLbaEPI0lADQ+RmKnr5ysMDuh/3lW3EnQQyGd5k7yrfL75Pkz4E2sWSbUB+OwKzfUdjnsRNReaCc2HMjtm9iukpXG9NsFBSIGCtjpRhlud8yoiKDX/XYv0XIDnGcxpz463kQqWcvwX3nB7TGWx9Wcv5xG955XyUg/2tRDqa1R08iIam6Q7Yy1+79dpdsV3j2X+S0N9pyy+zBE4qs3Db7wLJZes4QnbpHlgfbBG2W7Nd0QnU1DJSK5Pg0RsM5CtnttqYKo6abZM0Chu1yGY5OjcTXIVoIJivuZ0aBvDKyBihnMOCXgHPMgG4AXCDYKtcyCugTXJ8raGzfo9O+XJ6OLVD3DvxCQlaSkHg8qoibYfxoa+gfOA+uWHylGG0EVi3xdNoaW69MamLw0e8RPo9bwyagV6+L0uMRop1ArSk/WgDS1dgAsKR20EBxwZGyP5gOMP7OOtcvyaDXcY6byvNfDhUXU7/tt+Y/IOVgUsVJ8jAiuK8= X-Forefront-Antispam-Report: CIP:216.228.112.34; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:mail.nvidia.com; PTR:schybrid03.nvidia.com; CAT:NONE; SFS:(4636009)(376002)(346002)(136003)(39860400002)(396003)(46966006)(36840700001)(426003)(1076003)(83380400001)(36756003)(6286002)(16526019)(186003)(2906002)(336012)(107886003)(86362001)(47076005)(478600001)(54906003)(55016002)(36860700001)(8936002)(6916009)(8676002)(7696005)(82310400003)(6666004)(30864003)(356005)(36906005)(26005)(7636003)(5660300002)(70206006)(82740400003)(70586007)(2616005)(4326008)(316002); DIR:OUT; SFP:1101; X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 May 2021 16:05:49.6968 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 2ee02323-acc1-4752-20ed-08d913045053 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a; Ip=[216.228.112.34]; Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: CO1NAM11FT005.eop-nam11.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR12MB4170 Subject: [dpdk-dev] [PATCH v4 14/14] crypto/mlx5: set feature flags and capabilities X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Shiri Kuzin Add the supported capabilities to the crypto driver. Add supported feature flags. Add crypto driver documentation. Signed-off-by: Shiri Kuzin Signed-off-by: Matan Azrad --- doc/guides/cryptodevs/features/mlx5.ini | 37 ++++++ doc/guides/cryptodevs/index.rst | 1 + doc/guides/cryptodevs/mlx5.rst | 152 ++++++++++++++++++++++++ doc/guides/rel_notes/release_21_05.rst | 5 + drivers/crypto/mlx5/mlx5_crypto.c | 40 ++++++- 5 files changed, 231 insertions(+), 4 deletions(-) create mode 100644 doc/guides/cryptodevs/features/mlx5.ini create mode 100644 doc/guides/cryptodevs/mlx5.rst diff --git a/doc/guides/cryptodevs/features/mlx5.ini b/doc/guides/cryptodevs/features/mlx5.ini new file mode 100644 index 0000000000..a89526add0 --- /dev/null +++ b/doc/guides/cryptodevs/features/mlx5.ini @@ -0,0 +1,37 @@ +; +; Features of a mlx5 crypto driver. +; +; Refer to default.ini for the full list of available PMD features. +; +[Features] +Symmetric crypto = Y +HW Accelerated = Y +In Place SGL = Y +OOP SGL In SGL Out = Y +OOP SGL In LB Out = Y +OOP LB In SGL Out = Y +OOP LB In LB Out = Y +Cipher multiple data units = Y +Cipher wrapped key = Y + +; +; Supported crypto algorithms of a mlx5 crypto driver. +; +[Cipher] +AES XTS (128) = Y +AES XTS (256) = Y + +; +; Supported authentication algorithms of a mlx5 crypto driver. +; +[Auth] + +; +; Supported AEAD algorithms of a mlx5 crypto driver. +; +[AEAD] + +; +; Supported Asymmetric algorithms of a mlx5 crypto driver. +; +[Asymmetric] diff --git a/doc/guides/cryptodevs/index.rst b/doc/guides/cryptodevs/index.rst index 279f56a002..747409c441 100644 --- a/doc/guides/cryptodevs/index.rst +++ b/doc/guides/cryptodevs/index.rst @@ -22,6 +22,7 @@ Crypto Device Drivers octeontx octeontx2 openssl + mlx5 mvsam nitrox null diff --git a/doc/guides/cryptodevs/mlx5.rst b/doc/guides/cryptodevs/mlx5.rst new file mode 100644 index 0000000000..735c0e1fa0 --- /dev/null +++ b/doc/guides/cryptodevs/mlx5.rst @@ -0,0 +1,152 @@ +.. SPDX-License-Identifier: BSD-3-Clause + Copyright 2021 Mellanox Technologies, Ltd + +.. include:: + +MLX5 Crypto Driver +================== + +The MLX5 crypto driver library +(**librte_crypto_mlx5**) provides support for **Mellanox ConnectX-6** +family adapters. + +Overview +-------- + +The device can provide disk encryption services, allowing data encryption +and decryption towards a disk. Having all encryption/decryption +operations done in a single device can reduce cost and overheads of the related +FIPS certification, as ConnectX-6 is FIPS 140-2 level-2 ready. +The encryption cipher is AES-XTS of 256/512 bit key size. + +MKEY is a memory region object in the hardware, that holds address translation information and +attributes per memory area. Its ID must be tied to addresses provided to the hardware. +The encryption operations are performed with MKEY read/write transactions, when +the MKEY is configured to perform crypto operations. + +The encryption does not require text to be aligned to the AES block size (128b). + +In order to move the device to crypto operational mode, credential and KEK +(Key Encrypting Key) should be set as the first step. +The credential will be used by the software in order to perform crypto login, and the KEK is +the AES Key Wrap Algorithm (rfc3394) key that will be used for sensitive data +wrapping. +The credential and the AES-XTS keys should be provided to the hardware, as ciphertext +encrypted by the KEK. + +A keytag (64 bits) should be appended to the AES-XTS keys (before wrapping), +and will be validated when the hardware attempts to access it. + +For security reasons and to increase robustness, this driver only deals with virtual +memory addresses. The way resources allocations are handled by the kernel, +combined with hardware specifications that allow handling virtual memory +addresses directly, ensure that DPDK applications cannot access random +physical memory (or memory that does not belong to the current process). + +The PMD uses libibverbs and libmlx5 to access the device firmware or to +access the hardware components directly. +There are different levels of objects and bypassing abilities. +To get the best performances: + +- Verbs is a complete high-level generic API. +- Direct Verbs is a device-specific API. +- DevX allows to access firmware objects. + +Enabling librte_crypto_mlx5 causes DPDK applications to be linked against +libibverbs. + +Mellanox mlx5 PCI device can be probed by a number of different PCI devices, such as +net / vDPA / RegEx. To select the crypto PMD, ``class=crypto`` +should be specified as a device parameter. The crypto device can be probed and +used with other Mellanox classes by adding more options in the class. +For example: ``class=net:crypto`` will probe both the net PMD and the crypto +PMD. + +When crypto engines are defined to work in wrapped import method, they come out +of the factory in Commissioning mode, and thus, cannot be used for crypto operations +yet. A dedicated tool is used for changing the mode from Commissioning to +Operational, while setting the first import_KEK and credential in plaintext. +The mlxreg dedicated tool should be used as follows: + +- Set CRYPTO_OPERATIONAL register to set the device in crypto operational mode. + + The input to this tool is: + The first credential in plaintext, 40B. + The first import_KEK in plaintext: kek size 0 for 16B or 1 for 32B, kek data. + + Example: + mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL --get + + The "wrapped_crypto_operational" value will be "0x00000000". + The command to set the register should be executed only once, and all the + values mentioned above should be specified in the same command. + + Example: + mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL + --set "credential[0]=0x10000000, credential[1]=0x10000000, kek[0]=0x00000000" + + All values not specified will remain 0. + "wrapped_crypto_going_to_commissioning" and "wrapped_crypto_operational" + should not be specified. + + All the device ports should set it in order to move to operational mode. + +- Query CRYPTO_OPERATIONAL register to make sure the device is in Operational + mode. + + Example: + mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL --get + The "wrapped_crypto_operational" value will be "0x00000001" if the mode was + successfully changed to operational mode. + + +Driver options +-------------- + +- ``class`` parameter [string] + + Select the class of the driver that should probe the device. + `crypto` for the mlx5 crypto driver. + +- ``wcs_file`` parameter [string] - mandatory + + File path including only the wrapped credential in string format of hexadecimal + numbers, represent 48 bytes (8 bytes IV added by the AES key wrap algorithm). + +- ``import_kek_id`` parameter [int] + + The identifier of the KEK, default value is 0 represents the operational + register import_kek.. + +- ``credential_id`` parameter [int] + + The identifier of the credential, default value is 0 represents the operational + register credential. + +- ``max_segs_num`` parameter [int] + + Maximum number of mbuf chain segments(src or dest), default value is 8. + +- ``keytag`` parameter [int] + + The plaintext of the keytag appanded to the AES-XTS keys, default value is 0. + + +Limitations +----------- + +- AES-XTS keys provided in xform must include keytag and should be wrappend. +- The supported data-unit lengths are: 512B, 1KB, 1MB. In case the `dataunit_len` + is not provided in the cipher xform, the OP length is limited to the above values. + + +Supported NICs +-------------- + +* Mellanox\ |reg| ConnectX\ |reg|-6 200G MCX654106A-HCAT (2x200G) + +Prerequisites +------------- + +- Mellanox OFED version: **5.3** + see :doc:`../../nics/mlx5` guide for more Mellanox OFED details. diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst index 30dec1c1d1..eaaa9eecbf 100644 --- a/doc/guides/rel_notes/release_21_05.rst +++ b/doc/guides/rel_notes/release_21_05.rst @@ -287,6 +287,11 @@ New Features * Added support for crypto adapter forward mode in octeontx2 event and crypto device driver. +* **Added support for Nvidia crypto device driver.** + + * Added mlx5 crypto driver to support AES-XTS cipher operations. + the first device to support it is ConnectX-6. + Removed Items ------------- diff --git a/drivers/crypto/mlx5/mlx5_crypto.c b/drivers/crypto/mlx5/mlx5_crypto.c index 60ffa6951e..4c5cbf5ffe 100644 --- a/drivers/crypto/mlx5/mlx5_crypto.c +++ b/drivers/crypto/mlx5/mlx5_crypto.c @@ -22,6 +22,14 @@ #define MLX5_CRYPTO_LOG_NAME pmd.crypto.mlx5 #define MLX5_CRYPTO_MAX_QPS 1024 #define MLX5_CRYPTO_MAX_SEGS 56 +#define MLX5_CRYPTO_FEATURE_FLAGS \ + (RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_HW_ACCELERATED | \ + RTE_CRYPTODEV_FF_IN_PLACE_SGL | RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | \ + RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | \ + RTE_CRYPTODEV_FF_OOP_LB_IN_SGL_OUT | \ + RTE_CRYPTODEV_FF_OOP_LB_IN_LB_OUT | \ + RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY | \ + RTE_CRYPTODEV_FF_CIPHER_MULTIPLE_DATA_UNITS) TAILQ_HEAD(mlx5_crypto_privs, mlx5_crypto_priv) mlx5_crypto_priv_list = TAILQ_HEAD_INITIALIZER(mlx5_crypto_priv_list); @@ -31,8 +39,32 @@ int mlx5_crypto_logtype; uint8_t mlx5_crypto_driver_id; -const struct rte_cryptodev_capabilities - mlx5_crypto_caps[RTE_CRYPTO_OP_TYPE_UNDEFINED]; +const struct rte_cryptodev_capabilities mlx5_crypto_caps[] = { + { /* AES XTS */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER, + {.cipher = { + .algo = RTE_CRYPTO_CIPHER_AES_XTS, + .block_size = 16, + .key_size = { + .min = 32, + .max = 64, + .increment = 32 + }, + .iv_size = { + .min = 16, + .max = 16, + .increment = 0 + }, + .dataunit_set = + RTE_CRYPTO_CIPHER_DATA_UNIT_LEN_512_BYTES | + RTE_CRYPTO_CIPHER_DATA_UNIT_LEN_4096_BYTES, + }, } + }, } + }, +}; + static const char mlx5_crypto_drv_name[] = RTE_STR(MLX5_CRYPTO_DRIVER_NAME); @@ -67,7 +99,7 @@ mlx5_crypto_dev_infos_get(struct rte_cryptodev *dev, RTE_SET_USED(dev); if (dev_info != NULL) { dev_info->driver_id = mlx5_crypto_driver_id; - dev_info->feature_flags = 0; + dev_info->feature_flags = MLX5_CRYPTO_FEATURE_FLAGS; dev_info->capabilities = mlx5_crypto_caps; dev_info->max_nb_queue_pairs = MLX5_CRYPTO_MAX_QPS; dev_info->min_mbuf_headroom_req = 0; @@ -955,7 +987,7 @@ mlx5_crypto_pci_probe(struct rte_pci_driver *pci_drv, crypto_dev->dev_ops = &mlx5_crypto_ops; crypto_dev->dequeue_burst = mlx5_crypto_dequeue_burst; crypto_dev->enqueue_burst = mlx5_crypto_enqueue_burst; - crypto_dev->feature_flags = 0; + crypto_dev->feature_flags = MLX5_CRYPTO_FEATURE_FLAGS; crypto_dev->driver_id = mlx5_crypto_driver_id; priv = crypto_dev->data->dev_private; priv->ctx = ctx; -- 2.25.1