From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id ED408A0C56; Wed, 8 Sep 2021 09:28:05 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id F34804013F; Wed, 8 Sep 2021 09:28:04 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 758D54003C for ; Wed, 8 Sep 2021 09:28:03 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 1883X1DX016086; Wed, 8 Sep 2021 00:28:01 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=UY03JMet7z2Gjx+Zo4HcaitELFeywRWffFwUytw3OBU=; b=YBgk37IHYcKXQzPbXO19N+wgsBCQ2hWASdXfwN6llKhMVCqYjCF0s6FLhRZZKa16/YpN DQ7oYJRyc/Ql6Wjz2y2C6TO0rBlraj8xZdq2+LakH1Mcy9yvj6Dzdo7Nj5guxyAZxpYv D/Xge7uhzmIML0fMFNq2VQ7nYiS8CATdKovlQ14kuS9BC3K0dOvC9Pd/BYcYKu2Su7Ww FSO9lWwGnKjRVjZmBbK+0gn8h4fdJz3nOeRxduA56IJUPKkKjmfjx/m4IfbwL+5JStfD 7EpJyA83lG8z4F66e+HQFlpOPnvR1t9q7JEXb8n6B/PtIO2VdP9SqWXVz+ilTmpRySY7 wg== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0a-0016f401.pphosted.com with ESMTP id 3axcm7tffj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 08 Sep 2021 00:28:01 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Wed, 8 Sep 2021 00:28:00 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Wed, 8 Sep 2021 00:28:00 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id C0F7D3F705B; Wed, 8 Sep 2021 00:27:55 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau , Declan Doherty CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Jerin Jacob , Konstantin Ananyev , Ciara Power , Hemant Agrawal , Gagandeep Singh , Fan Zhang , Archana Muniganti , Date: Wed, 8 Sep 2021 13:51:10 +0530 Message-ID: <20210908082111.27396-3-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210908082111.27396-1-ktejasree@marvell.com> References: <20210908082111.27396-1-ktejasree@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-GUID: qjxbwN_dIY-E0iQjVTTh-Jcanld9hYhA X-Proofpoint-ORIG-GUID: qjxbwN_dIY-E0iQjVTTh-Jcanld9hYhA X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-08_02,2021-09-07_02,2020-04-07_01 Subject: [dpdk-dev] [PATCH 2/3] common/cnxk: add support for tunnel header verification X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Adding support to verify tunnel header in IPsec inbound. Signed-off-by: Tejasree Kondoj --- drivers/common/cnxk/cnxk_security.c | 60 +++++++++++++++++++ drivers/common/cnxk/roc_ie_ot.h | 6 +- .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 4 ++ 3 files changed, 69 insertions(+), 1 deletion(-) diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index 215d9fd4d1..cc5daf333c 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -199,6 +199,62 @@ ot_ipsec_inb_ctx_size(struct roc_ot_ipsec_inb_sa *sa) return size; } +static int +ot_ipsec_inb_tunnel_hdr_fill(struct roc_ot_ipsec_inb_sa *sa, + struct rte_security_ipsec_xform *ipsec_xfrm) +{ + struct rte_security_ipsec_tunnel_param *tunnel; + + if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) + return 0; + + if (ipsec_xfrm->options.tunnel_hdr_verify == 0) + return 0; + + tunnel = &ipsec_xfrm->tunnel; + + switch (tunnel->type) { + case RTE_SECURITY_IPSEC_TUNNEL_IPV4: + sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_4; + memcpy(&sa->outer_hdr.ipv4.src_addr, &tunnel->ipv4.src_ip, + sizeof(struct in_addr)); + memcpy(&sa->outer_hdr.ipv4.dst_addr, &tunnel->ipv4.dst_ip, + sizeof(struct in_addr)); + + /* IP Source and Dest are in LE/CPU endian */ + sa->outer_hdr.ipv4.src_addr = + rte_be_to_cpu_32(sa->outer_hdr.ipv4.src_addr); + sa->outer_hdr.ipv4.dst_addr = + rte_be_to_cpu_32(sa->outer_hdr.ipv4.dst_addr); + + break; + case RTE_SECURITY_IPSEC_TUNNEL_IPV6: + sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_6; + memcpy(&sa->outer_hdr.ipv6.src_addr, &tunnel->ipv6.src_addr, + sizeof(struct in6_addr)); + memcpy(&sa->outer_hdr.ipv6.dst_addr, &tunnel->ipv6.dst_addr, + sizeof(struct in6_addr)); + + break; + default: + return -EINVAL; + } + + switch (ipsec_xfrm->options.tunnel_hdr_verify) { + case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR: + sa->w2.s.ip_hdr_verify = ROC_IE_OT_SA_IP_HDR_VERIFY_DST_ADDR; + break; + case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR: + sa->w2.s.ip_hdr_verify = + ROC_IE_OT_SA_IP_HDR_VERIFY_SRC_DST_ADDR; + break; + default: + return -ENOTSUP; + } + + return 0; +} + int cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, struct rte_security_ipsec_xform *ipsec_xfrm, @@ -229,6 +285,10 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, sa->w0.s.ar_win = rte_log2_u32(replay_win_sz) - 5; } + rc = ot_ipsec_inb_tunnel_hdr_fill(sa, ipsec_xfrm); + if (rc) + return rc; + /* Default options for pkt_out and pkt_fmt are with * second pass meta and no defrag. */ diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h index 1ff468841d..12c75afac2 100644 --- a/drivers/common/cnxk/roc_ie_ot.h +++ b/drivers/common/cnxk/roc_ie_ot.h @@ -180,7 +180,11 @@ union roc_ot_ipsec_sa_word2 { uint64_t auth_type : 4; uint64_t encap_type : 2; - uint64_t rsvd1 : 6; + uint64_t et_ovrwr_ddr_en : 1; + uint64_t esn_en : 1; + uint64_t tport_l4_incr_csum : 1; + uint64_t ip_hdr_verify : 2; + uint64_t rsvd5 : 1; uint64_t rsvd2 : 7; uint64_t async_mode : 1; diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index 4b97639e56..8a0cf289fd 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -920,6 +920,10 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap) #ifdef LA_IPSEC_DEBUG sec_cap->ipsec.options.iv_gen_disable = 1; #endif + } else { + if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) + sec_cap->ipsec.options.tunnel_hdr_verify = + RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR; } } -- 2.27.0