[dpdk-dev] [PATCH 4/8] crypto/cnxk: add cn9k IPsec outbound session create function

DPDK patches and discussions
 help / color / mirror / Atom feed

From: Archana Muniganti <marchana@marvell.com>
To: <gakhil@marvell.com>
Cc: Archana Muniganti <marchana@marvell.com>, <ktejasree@marvell.com>,
	<adwivedi@marvell.com>, <anoobj@marvell.com>,
	<jerinj@marvell.com>, <dev@dpdk.org>,
	Vamsi Attunuru <vattunuru@marvell.com>
Subject: [dpdk-dev] [PATCH 4/8] crypto/cnxk: add cn9k IPsec outbound session create function
Date: Thu, 2 Sep 2021 19:12:50 +0530	[thread overview]
Message-ID: <20210902134254.28373-5-marchana@marvell.com> (raw)
In-Reply-To: <20210902134254.28373-1-marchana@marvell.com>

Adding logic for IPsec outbound session creation.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/cnxk/cn9k_ipsec.c | 143 +++++++++++++++++++++++++++++--
 drivers/crypto/cnxk/cn9k_ipsec.h |  17 ++++
 2 files changed, 155 insertions(+), 5 deletions(-)

diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index dd02cc7764..52fbc5e350 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -3,6 +3,7 @@
  */
 
 #include <rte_cryptodev.h>
+#include <rte_ip.h>
 #include <rte_security.h>
 #include <rte_security_driver.h>
 
@@ -275,12 +276,144 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
 			  struct rte_crypto_sym_xform *crypto_xform,
 			  struct rte_security_session *sec_sess)
 {
-	RTE_SET_USED(qp);
-	RTE_SET_USED(ipsec);
-	RTE_SET_USED(crypto_xform);
-	RTE_SET_USED(sec_sess);
+	struct rte_crypto_sym_xform *auth_xform = crypto_xform->next;
+	struct roc_ie_on_ip_template *template = NULL;
+	struct cnxk_cpt_inst_tmpl *inst_tmpl;
+	struct roc_ie_on_outb_sa *out_sa;
+	struct cn9k_sec_session *sess;
+	struct roc_ie_on_sa_ctl *ctl;
+	struct cn9k_ipsec_sa *sa;
+	struct rte_ipv6_hdr *ip6;
+	struct rte_ipv4_hdr *ip4;
+	const uint8_t *auth_key;
+	union cpt_inst_w4 w4;
+	union cpt_inst_w7 w7;
+	int auth_key_len = 0;
+	size_t ctx_len;
+	int ret;
 
-	return 0;
+	sess = get_sec_session_private_data(sec_sess);
+	sa = &sess->sa;
+	out_sa = &sa->out_sa;
+	ctl = &out_sa->common_sa.ctl;
+
+	memset(sa, 0, sizeof(struct cn9k_ipsec_sa));
+
+	/* Initialize lookaside IPsec private data */
+	sa->dir = RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
+	/* Start ip id from 1 */
+	sa->ip_id = 1;
+	sa->seq_lo = 1;
+	sa->seq_hi = 0;
+
+	ret = fill_ipsec_common_sa(ipsec, crypto_xform, &out_sa->common_sa);
+	if (ret)
+		return ret;
+
+	ret = cnxk_ipsec_outb_rlens_get(&sa->rlens, ipsec, crypto_xform);
+	if (ret)
+		return ret;
+
+	if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM) {
+		template = &out_sa->aes_gcm.template;
+		ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template);
+	} else if (ctl->auth_type == ROC_IE_ON_SA_AUTH_SHA1) {
+		template = &out_sa->sha1.template;
+		ctx_len = offsetof(struct roc_ie_on_outb_sa, sha1.template);
+	} else if (ctl->auth_type == ROC_IE_ON_SA_AUTH_SHA2_256) {
+		template = &out_sa->sha2.template;
+		ctx_len = offsetof(struct roc_ie_on_outb_sa, sha2.template);
+	} else {
+		return -EINVAL;
+	}
+
+	ip4 = (struct rte_ipv4_hdr *)&template->ip4.ipv4_hdr;
+	if (ipsec->options.udp_encap) {
+		ip4->next_proto_id = IPPROTO_UDP;
+		template->ip4.udp_src = rte_be_to_cpu_16(4500);
+		template->ip4.udp_dst = rte_be_to_cpu_16(4500);
+	} else {
+		ip4->next_proto_id = IPPROTO_ESP;
+	}
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+			ctx_len += sizeof(template->ip4);
+
+			ip4->version_ihl = RTE_IPV4_VHL_DEF;
+			ip4->time_to_live = ipsec->tunnel.ipv4.ttl;
+			ip4->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
+			if (ipsec->tunnel.ipv4.df)
+				ip4->fragment_offset = BIT(14);
+			memcpy(&ip4->src_addr, &ipsec->tunnel.ipv4.src_ip,
+			       sizeof(struct in_addr));
+			memcpy(&ip4->dst_addr, &ipsec->tunnel.ipv4.dst_ip,
+			       sizeof(struct in_addr));
+		} else if (ipsec->tunnel.type ==
+			   RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
+			ctx_len += sizeof(template->ip6);
+
+			ip6 = (struct rte_ipv6_hdr *)&template->ip6.ipv6_hdr;
+			if (ipsec->options.udp_encap) {
+				ip6->proto = IPPROTO_UDP;
+				template->ip6.udp_src = rte_be_to_cpu_16(4500);
+				template->ip6.udp_dst = rte_be_to_cpu_16(4500);
+			} else {
+				ip6->proto = (ipsec->proto ==
+					      RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
+						     IPPROTO_ESP :
+						     IPPROTO_AH;
+			}
+			ip6->vtc_flow =
+				rte_cpu_to_be_32(0x60000000 |
+						 ((ipsec->tunnel.ipv6.dscp
+						   << RTE_IPV6_HDR_TC_SHIFT) &
+						  RTE_IPV6_HDR_TC_MASK) |
+						 ((ipsec->tunnel.ipv6.flabel
+						   << RTE_IPV6_HDR_FL_SHIFT) &
+						  RTE_IPV6_HDR_FL_MASK));
+			ip6->hop_limits = ipsec->tunnel.ipv6.hlimit;
+			memcpy(&ip6->src_addr, &ipsec->tunnel.ipv6.src_addr,
+			       sizeof(struct in6_addr));
+			memcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr,
+			       sizeof(struct in6_addr));
+		}
+	} else
+		ctx_len += sizeof(template->ip4);
+
+	ctx_len += RTE_ALIGN_CEIL(ctx_len, 8);
+
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		sa->cipher_iv_off = crypto_xform->aead.iv.offset;
+		sa->cipher_iv_len = crypto_xform->aead.iv.length;
+	} else {
+		sa->cipher_iv_off = crypto_xform->cipher.iv.offset;
+		sa->cipher_iv_len = crypto_xform->cipher.iv.length;
+
+		auth_key = auth_xform->auth.key.data;
+		auth_key_len = auth_xform->auth.key.length;
+
+		if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+			memcpy(out_sa->sha1.hmac_key, auth_key, auth_key_len);
+		else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
+			memcpy(out_sa->sha2.hmac_key, auth_key, auth_key_len);
+	}
+
+	inst_tmpl = &sa->inst;
+
+	w4.u64 = 0;
+	w4.s.opcode_major = ROC_IE_ON_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;
+	w4.s.opcode_minor = ctx_len >> 3;
+	w4.s.param1 = ROC_IE_ON_PER_PKT_IV;
+	inst_tmpl->w4 = w4.u64;
+
+	w7.u64 = 0;
+	w7.s.egrp = ROC_CPT_DFLT_ENG_GRP_SE;
+	w7.s.cptr = rte_mempool_virt2iova(out_sa);
+	inst_tmpl->w7 = w7.u64;
+
+	return cn9k_cpt_enq_sa_write(
+		sa, qp, ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_OUTBOUND, ctx_len);
 }
 
 static int
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.h b/drivers/crypto/cnxk/cn9k_ipsec.h
index 0fe78df49b..13d522ec6f 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.h
+++ b/drivers/crypto/cnxk/cn9k_ipsec.h
@@ -6,6 +6,7 @@
 #define __CN9K_IPSEC_H__
 
 #include "cnxk_ipsec.h"
+#include "cnxk_security.h"
 
 struct cn9k_ipsec_sa {
 	union {
@@ -18,6 +19,22 @@ struct cn9k_ipsec_sa {
 	enum rte_security_ipsec_sa_direction dir;
 	/** Pre-populated CPT inst words */
 	struct cnxk_cpt_inst_tmpl inst;
+	/** Cipher IV offset in bytes */
+	uint16_t cipher_iv_off;
+	/** Cipher IV length in bytes */
+	uint8_t cipher_iv_len;
+	/** Response length calculation data */
+	struct cnxk_ipsec_outb_rlens rlens;
+	/** Outbound IP-ID */
+	uint16_t ip_id;
+	/** ESN */
+	union {
+		uint64_t esn;
+		struct {
+			uint32_t seq_lo;
+			uint32_t seq_hi;
+		};
+	};
 };
 
 struct cn9k_sec_session {
-- 
2.22.0

next prev parent reply	other threads:[~2021-09-02 13:44 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-02 13:42 [dpdk-dev] [PATCH 0/8] add cn9k lookaside IPsec support Archana Muniganti
2021-09-02 13:42 ` [dpdk-dev] [PATCH 1/8] crypto/cnxk: add cn9k security ctx Archana Muniganti
2021-09-02 13:42 ` [dpdk-dev] [PATCH 2/8] common/cnxk: add cn9k IPsec microcode defines Archana Muniganti
2021-09-02 13:42 ` [dpdk-dev] [PATCH 3/8] crypto/cnxk: add cn9k IPsec session related functions Archana Muniganti
2021-09-06 19:39   ` Akhil Goyal
2021-09-02 13:42 ` Archana Muniganti [this message]
2021-09-02 13:42 ` [dpdk-dev] [PATCH 5/8] crypto/cnxk: add cn9k IPsec inbound session create function Archana Muniganti
2021-09-02 13:42 ` [dpdk-dev] [PATCH 6/8] crypto/cnxk: add cn9k lookaside IPsec datapath Archana Muniganti
2021-09-02 13:42 ` [dpdk-dev] [PATCH 7/8] crypto/cnxk: update tailroom requirement Archana Muniganti
2021-09-02 13:42 ` [dpdk-dev] [PATCH 8/8] crypto/cnxk: update feature flag for cn9k lookaside IPsec Archana Muniganti

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210902134254.28373-5-marchana@marvell.com \
    --to=marchana@marvell.com \
    --cc=adwivedi@marvell.com \
    --cc=anoobj@marvell.com \
    --cc=dev@dpdk.org \
    --cc=gakhil@marvell.com \
    --cc=jerinj@marvell.com \
    --cc=ktejasree@marvell.com \
    --cc=vattunuru@marvell.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).