* [PATCH 1/5] common/cnxk: add err ctl
2022-01-31 12:30 [PATCH 0/5] Adding new features and improvements in cnxk crypto PMD Tejasree Kondoj
@ 2022-01-31 12:30 ` Tejasree Kondoj
2022-01-31 12:30 ` [PATCH 2/5] crypto/cnxk: add ESN and antireplay support Tejasree Kondoj
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Tejasree Kondoj @ 2022-01-31 12:30 UTC (permalink / raw)
To: Akhil Goyal
Cc: Anoob Joseph, Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj, dev
From: Anoob Joseph <anoobj@marvell.com>
Add err ctl field in SA context.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
drivers/common/cnxk/cnxk_security.c | 6 ++++--
drivers/common/cnxk/roc_ie_ot.h | 17 ++++++++++++++++-
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index 6ebf0846f5..035d61180a 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -500,8 +500,10 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
offset = offsetof(struct roc_ot_ipsec_outb_sa, ctx);
/* Word offset for HW managed SA field */
sa->w0.s.hw_ctx_off = offset / 8;
- /* Context push size is up to hmac_opad_ipad */
- sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off;
+
+ /* Context push size is up to err ctl in HW ctx */
+ sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off + 1;
+
/* Entire context size in 128B units */
offset = sizeof(struct roc_ot_ipsec_outb_sa);
sa->w0.s.ctx_size = (PLT_ALIGN_CEIL(offset, ROC_CTX_UNIT_128B) /
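Review bot: The `+ 1` in `sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off + 1;` hard-codes that err_ctl is exactly one 8-byte word at the start of the HW context, which holds only while the struct layout in roc_ie_ot.h stays as this patch defines it. Deriving the extra word from the field keeps the two in step, e.g. `sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off + sizeof(sa->ctx.err_ctl) / ROC_CTX_UNIT_8B;`, assuming `ctx` is the `roc_ot_ipsec_outb_ctx_update_reg` member. cnxk_ot_ipsec_outb_sa_fill starts before the hunk and continues past it.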
diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h
index 923656f4a5..c502c7983f 100644
--- a/drivers/common/cnxk/roc_ie_ot.h
+++ b/drivers/common/cnxk/roc_ie_ot.h
@@ -153,6 +153,13 @@ enum {
ROC_IE_OT_REAS_STS_L3P_ERR = 8,
ROC_IE_OT_REAS_STS_MAX = 9
};
+
+enum {
+ ROC_IE_OT_ERR_CTL_MODE_NONE = 0,
+ ROC_IE_OT_ERR_CTL_MODE_CLEAR = 1,
+ ROC_IE_OT_ERR_CTL_MODE_RING = 2,
+};
+
/* Context units in bytes */
#define ROC_CTX_UNIT_8B 8
#define ROC_CTX_UNIT_128B 128
@@ -235,7 +242,15 @@ union roc_ot_ipsec_outb_iv {
};
struct roc_ot_ipsec_outb_ctx_update_reg {
- uint64_t rsvd;
+ union {
+ struct {
+ uint64_t reserved_0_2 : 3;
+ uint64_t address : 57;
+ uint64_t mode : 4;
+ } s;
+ uint64_t u64;
+ } err_ctl;
+
uint64_t esn_val;
uint64_t hard_life;
uint64_t soft_life;
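Review bot: The new `err_ctl` union has no comment saying what `address` and `mode` hold, and the push-size computation in cnxk_security.c depends on it being exactly one 64-bit word at the start of the struct. A short comment on the union stating that `mode` takes the `ROC_IE_OT_ERR_CTL_MODE_*` values added in the previous hunk (and, if that is the intent, that `address` is the pointer with its low three bits dropped) would make the field usable without the hardware manual. The anonymous enum would also read better with a one-line comment such as `/* err_ctl.mode values */`. The struct definition continues past the end of the hunk.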
--
2.27.0
* [PATCH 2/5] crypto/cnxk: add ESN and antireplay support
2022-01-31 12:30 [PATCH 0/5] Adding new features and improvements in cnxk crypto PMD Tejasree Kondoj
2022-01-31 12:30 ` [PATCH 1/5] common/cnxk: add err ctl Tejasree Kondoj
@ 2022-01-31 12:30 ` Tejasree Kondoj
2022-01-31 12:30 ` [PATCH 3/5] common/cnxk: add ROC cache line size constant Tejasree Kondoj
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Tejasree Kondoj @ 2022-01-31 12:30 UTC (permalink / raw)
To: Akhil Goyal
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti, dev
Adding lookaside IPsec ESN and anti-replay support
through security session update.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/cryptodevs/cnxk.rst | 2 +
doc/guides/rel_notes/release_22_03.rst | 1 +
drivers/common/cnxk/cnxk_security.c | 3 ++
drivers/common/cnxk/cnxk_security_ar.h | 2 +-
drivers/common/cnxk/roc_ie_on.h | 2 +
drivers/crypto/cnxk/cn10k_ipsec.c | 36 +++++++++++++++-
drivers/crypto/cnxk/cn9k_ipsec.c | 43 ++++++++++++++++++-
drivers/crypto/cnxk/cn9k_ipsec_la_ops.h | 16 ++++++-
.../crypto/cnxk/cnxk_cryptodev_capabilities.c | 4 ++
9 files changed, 103 insertions(+), 6 deletions(-)
diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 3c585175e3..46431dd755 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -279,6 +279,8 @@ CN10XX Features supported
* IPv4
* ESP
+* ESN
+* Anti-replay
* Tunnel mode
* Transport mode
* UDP Encapsulation
diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst
index 3bc0630c7c..a992fe85f5 100644
--- a/doc/guides/rel_notes/release_22_03.rst
+++ b/doc/guides/rel_notes/release_22_03.rst
@@ -64,6 +64,7 @@ New Features
* Added NULL cipher support in lookaside protocol (IPsec) for CN9K & CN10K.
* Added AES-XCBC support in lookaside protocol (IPsec) for CN9K & CN10K.
* Added AES-CMAC support in CN9K & CN10K.
+ * Added ESN and anti-replay support in lookaside protocol (IPsec) for CN10K.
* **Added an API to retrieve event port id of ethdev Rx adapter.**
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index 035d61180a..718983d892 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -492,6 +492,9 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
/* ESN */
sa->w0.s.esn_en = !!ipsec_xfrm->options.esn;
+ if (ipsec_xfrm->esn.value)
+ sa->ctx.esn_val = ipsec_xfrm->esn.value - 1;
+
if (ipsec_xfrm->options.udp_encap) {
sa->w10.s.udp_src_port = 4500;
sa->w10.s.udp_dst_port = 4500;
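Review bot: `sa->ctx.esn_val` is written whenever `esn.value` is non-zero, independent of `esn_en` on the line above, and the `- 1` is not explained. If hardware increments the stored value before using it, a comment such as `/* HW pre-increments esn_val, so store start value - 1 */` should say so; that behaviour is not visible here and needs confirming. This fill appears to be reachable from the new session update path, so a caller can move an outbound sequence number backwards. The peer's anti-replay window would then reject the traffic, and where the IV is derived from the sequence number it would repeat, so either document that the caller must supply a value above the current counter or check it where the counter can be read. The function body continues outside the hunk.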
diff --git a/drivers/common/cnxk/cnxk_security_ar.h b/drivers/common/cnxk/cnxk_security_ar.h
index 3ec4c296c2..deb38db0d0 100644
--- a/drivers/common/cnxk/cnxk_security_ar.h
+++ b/drivers/common/cnxk/cnxk_security_ar.h
@@ -13,7 +13,7 @@
/* u64 array size to fit anti replay window bits */
#define AR_WIN_ARR_SZ \
- (PLT_ALIGN_CEIL(CNXK_ON_AR_WIN_SIZE_MAX, BITS_PER_LONG_LONG) / \
+ (PLT_ALIGN_CEIL(CNXK_ON_AR_WIN_SIZE_MAX + 1, BITS_PER_LONG_LONG) / \
BITS_PER_LONG_LONG)
#define WORD_SHIFT 6
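Review bot: The comment above `AR_WIN_ARR_SZ` still says the array is sized to fit the window bits, while the size is now computed from `CNXK_ON_AR_WIN_SIZE_MAX + 1`. State why the extra bit is needed, for example `/* u64 array size to fit anti replay window bits, plus one for the top-of-window slot */` if that is the reason, so that a later clean-up does not drop the `+ 1` and shrink the bitmap below what the window indexing expects.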
diff --git a/drivers/common/cnxk/roc_ie_on.h b/drivers/common/cnxk/roc_ie_on.h
index aaad87243f..638b02062d 100644
--- a/drivers/common/cnxk/roc_ie_on.h
+++ b/drivers/common/cnxk/roc_ie_on.h
@@ -18,6 +18,8 @@ enum roc_ie_on_ucc_ipsec {
ROC_IE_ON_UCC_SUCCESS = 0,
ROC_IE_ON_AUTH_UNSUPPORTED = 0xB0,
ROC_IE_ON_ENCRYPT_UNSUPPORTED = 0xB1,
+ /* Software defined completion code for anti-replay failed packets */
+ ROC_IE_ON_SWCC_ANTI_REPLAY = 0xE7,
};
/* Helper macros */
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 7f4ccaff99..c95c57a84d 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -239,7 +239,7 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
}
/* Trigger CTX flush so that data is written back to DRAM */
- roc_cpt_lf_ctx_flush(lf, in_sa, false);
+ roc_cpt_lf_ctx_flush(lf, in_sa, true);
plt_atomic_thread_fence(__ATOMIC_SEQ_CST);
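Review bot: The third argument of `roc_cpt_lf_ctx_flush()` flips from `false` to `true` with no mention in the commit message, and the comment above it still describes only the write-back to DRAM. If `true` additionally invalidates the cached context (the parameter's meaning is not visible in this hunk), the comment should say so, e.g. `/* Flush and invalidate CTX so HW re-reads the SA from DRAM */`. The commit log should mention it too, since the change affects every inbound SA creation rather than only the session update path this patch adds. cn10k_ipsec_inb_sa_create extends beyond the hunk on both sides.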
@@ -410,6 +410,39 @@ cn10k_sec_session_stats_get(void *device, struct rte_security_session *sess,
return 0;
}
+static int
+cn10k_sec_session_update(void *device, struct rte_security_session *sess,
+ struct rte_security_session_conf *conf)
+{
+ struct rte_cryptodev *crypto_dev = device;
+ struct cn10k_sec_session *priv;
+ struct roc_cpt *roc_cpt;
+ struct cnxk_cpt_qp *qp;
+ struct cnxk_cpt_vf *vf;
+ int ret;
+
+ priv = get_sec_session_private_data(sess);
+ if (priv == NULL)
+ return -EINVAL;
+
+ qp = crypto_dev->data->queue_pairs[0];
+ if (qp == NULL)
+ return -EINVAL;
+
+ if (conf->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+ return -ENOTSUP;
+
+ ret = cnxk_ipsec_xform_verify(&conf->ipsec, conf->crypto_xform);
+ if (ret)
+ return ret;
+
+ vf = crypto_dev->data->dev_private;
+ roc_cpt = &vf->cpt;
+
+ return cn10k_ipsec_outb_sa_create(roc_cpt, &qp->lf, &conf->ipsec,
+ conf->crypto_xform, sess);
+}
+
/* Update platform specific security ops */
void
cn10k_sec_ops_override(void)
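Review bot: `cn10k_sec_session_update()` rejects an ingress `conf` but never compares it with the session being updated: `priv` is only NULL-checked, so an existing inbound session handed an egress configuration would be rewritten through `cn10k_ipsec_outb_sa_create()`. `conf->ipsec` is also read without confirming the protocol, e.g. `if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) return -EINVAL;`, unless `cnxk_ipsec_xform_verify()` already covers that. The same applies to `cn9k_sec_session_update()` in cn9k_ipsec.c, which does not fetch the session private data at all and returns `-EPERM` where this function returns `-EINVAL` for a missing queue pair. Both functions would benefit from a comment on what happens to operations already in flight on the SA while it is rewritten.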
@@ -419,4 +452,5 @@ cn10k_sec_ops_override(void)
cnxk_sec_ops.session_destroy = cn10k_sec_session_destroy;
cnxk_sec_ops.session_get_size = cn10k_sec_session_get_size;
cnxk_sec_ops.session_stats_get = cn10k_sec_session_stats_get;
+ cnxk_sec_ops.session_update = cn10k_sec_session_update;
}
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index 9f876f75f2..f71b5101db 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -289,6 +289,11 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
if (cipher_key_len != 0)
memcpy(common_sa->cipher_key, cipher_key, cipher_key_len);
+ if (ipsec->esn.value) {
+ common_sa->esn_low = ipsec->esn.low;
+ common_sa->esn_hi = ipsec->esn.hi;
+ }
+
return 0;
}
@@ -330,6 +335,9 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
sa->seq_lo = 1;
sa->seq_hi = 0;
+ if (ipsec->esn.value)
+ sa->esn = ipsec->esn.value;
+
ret = fill_ipsec_common_sa(ipsec, crypto_xform, &out_sa->common_sa);
if (ret)
return ret;
@@ -595,8 +603,8 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
sa->ar.wint = sa->replay_win_sz;
sa->ar.base = sa->replay_win_sz;
- in_sa->common_sa.esn_low = 0;
- in_sa->common_sa.esn_hi = 0;
+ in_sa->common_sa.esn_low = sa->seq_lo;
+ in_sa->common_sa.esn_hi = sa->seq_hi;
}
return cn9k_cpt_enq_sa_write(
@@ -772,6 +780,36 @@ cn9k_sec_session_get_size(void *device __rte_unused)
return sizeof(struct cn9k_sec_session);
}
+static int
+cn9k_sec_session_update(void *device, struct rte_security_session *sec_sess,
+ struct rte_security_session_conf *conf)
+{
+ struct rte_cryptodev *crypto_dev = device;
+ struct cnxk_cpt_qp *qp;
+ int ret;
+
+ qp = crypto_dev->data->queue_pairs[0];
+ if (qp == NULL) {
+ plt_err("CPT queue pairs need to be setup for updating security"
+ " session");
+ return -EPERM;
+ }
+
+ if (conf->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+ return -ENOTSUP;
+
+ ret = cnxk_ipsec_xform_verify(&conf->ipsec, conf->crypto_xform);
+ if (ret)
+ return ret;
+
+ ret = cn9k_ipsec_xform_verify(&conf->ipsec, conf->crypto_xform);
+ if (ret)
+ return ret;
+
+ return cn9k_ipsec_outb_sa_create(qp, &conf->ipsec, conf->crypto_xform,
+ sec_sess);
+}
+
/* Update platform specific security ops */
void
cn9k_sec_ops_override(void)
@@ -780,4 +818,5 @@ cn9k_sec_ops_override(void)
cnxk_sec_ops.session_create = cn9k_sec_session_create;
cnxk_sec_ops.session_destroy = cn9k_sec_session_destroy;
cnxk_sec_ops.session_get_size = cn9k_sec_session_get_size;
+ cnxk_sec_ops.session_update = cn9k_sec_session_update;
}
diff --git a/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
index 9a1e217042..df89aaca4e 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
@@ -140,8 +140,20 @@ process_inb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
if (sa->replay_win_sz) {
ret = ipsec_antireplay_check(sa, sa->replay_win_sz, m_src);
if (unlikely(ret)) {
- plt_dp_err("Anti replay check failed");
- return ret;
+ /* Use PASSTHROUGH op for failed antireplay packet */
+ inst->w4.u64 = 0;
+ inst->w4.s.opcode_major = ROC_SE_MAJOR_OP_MISC;
+ inst->w4.s.opcode_minor =
+ ROC_SE_MISC_MINOR_OP_PASSTHROUGH;
+ inst->w4.s.param1 = 1;
+ /* Send out completion code only */
+ inst->w4.s.param2 =
+ (ROC_IE_ON_SWCC_ANTI_REPLAY << 8) | 0x1;
+ inst->w4.s.dlen = 1;
+ inst->dptr = rte_pktmbuf_iova(m_src);
+ inst->rptr = inst->dptr;
+ inst->w7.u64 = sa->inst.w7;
+ return 0;
}
}
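Review bot: A failed anti-replay check now returns 0 and queues a PASSTHROUGH instruction, so the drop depends entirely on the dequeue path turning `ROC_IE_ON_SWCC_ANTI_REPLAY` into an error status on the crypto op. That handling is not part of this hunk and should be confirmed, because otherwise a replayed packet would complete as success. The `plt_dp_err` line is removed with nothing in its place, which leaves replay failures invisible to operators; a per-SA counter or a retained datapath log would keep them observable. The literals in `param1 = 1`, `dlen = 1` and `(ROC_IE_ON_SWCC_ANTI_REPLAY << 8) | 0x1` deserve a short comment each or named constants. process_inb_sa starts and ends outside the hunk.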
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index f8c007e320..04402a4b46 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -9,6 +9,7 @@
#include "cnxk_cryptodev.h"
#include "cnxk_cryptodev_capabilities.h"
+#include "cnxk_security_ar.h"
#define CPT_CAPS_ADD(cnxk_caps, cur_pos, hw_caps, name) \
do { \
@@ -1161,6 +1162,8 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
sec_cap->ipsec.options.ip_csum_enable = 1;
sec_cap->ipsec.options.l4_csum_enable = 1;
sec_cap->ipsec.options.stats = 1;
+ sec_cap->ipsec.options.esn = 1;
+ sec_cap->ipsec.replay_win_sz_max = ROC_AR_WIN_SIZE_MAX;
}
static void
@@ -1171,6 +1174,7 @@ cn9k_sec_caps_update(struct rte_security_capability *sec_cap)
sec_cap->ipsec.options.iv_gen_disable = 1;
#endif
}
+ sec_cap->ipsec.replay_win_sz_max = CNXK_ON_AR_WIN_SIZE_MAX;
}
void
--
2.27.0
* [PATCH 5/5] crypto/cnxk: fix updation of number of descriptors
2022-01-31 12:30 [PATCH 0/5] Adding new features and improvements in cnxk crypto PMD Tejasree Kondoj
` (3 preceding siblings ...)
2022-01-31 12:30 ` [PATCH 4/5] crypto/cnxk: use unique cache line per inst Tejasree Kondoj
@ 2022-01-31 12:30 ` Tejasree Kondoj
2022-02-08 22:26 ` [PATCH 0/5] Adding new features and improvements in cnxk crypto PMD Akhil Goyal
5 siblings, 0 replies; 7+ messages in thread
From: Tejasree Kondoj @ 2022-01-31 12:30 UTC (permalink / raw)
To: Akhil Goyal
Cc: Anoob Joseph, Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj, dev
From: Anoob Joseph <anoobj@marvell.com>
Pending queue also needs to be adjusted while updating the number of
descriptors.
Fixes: a455fd869cd7 ("common/cnxk: align CPT queue depth to power of 2")
Cc: anoobj@marvell.com
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
drivers/common/cnxk/roc_cpt.c | 3 ---
drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 8 ++++++--
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/common/cnxk/roc_cpt.c b/drivers/common/cnxk/roc_cpt.c
index 1bc7a29ef9..4e24850366 100644
--- a/drivers/common/cnxk/roc_cpt.c
+++ b/drivers/common/cnxk/roc_cpt.c
@@ -568,9 +568,6 @@ cpt_lf_init(struct roc_cpt_lf *lf)
if (lf->nb_desc == 0 || lf->nb_desc > CPT_LF_MAX_NB_DESC)
lf->nb_desc = CPT_LF_DEFAULT_NB_DESC;
- /* Update nb_desc to next power of 2 to aid in pending queue checks */
- lf->nb_desc = plt_align32pow2(lf->nb_desc);
-
/* Allocate memory for instruction queue for CPT LF. */
iq_mem = plt_zmalloc(cpt_lf_iq_mem_calc(lf->nb_desc), ROC_ALIGN);
if (iq_mem == NULL)
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c
index 67a2d9b08e..a5fb68da02 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c
@@ -361,6 +361,7 @@ cnxk_cpt_queue_pair_setup(struct rte_cryptodev *dev, uint16_t qp_id,
struct roc_cpt *roc_cpt = &vf->cpt;
struct rte_pci_device *pci_dev;
struct cnxk_cpt_qp *qp;
+ uint32_t nb_desc;
int ret;
if (dev->data->queue_pairs[qp_id] != NULL)
@@ -373,14 +374,17 @@ cnxk_cpt_queue_pair_setup(struct rte_cryptodev *dev, uint16_t qp_id,
return -EIO;
}
- qp = cnxk_cpt_qp_create(dev, qp_id, conf->nb_descriptors);
+ /* Update nb_desc to next power of 2 to aid in pending queue checks */
+ nb_desc = plt_align32pow2(conf->nb_descriptors);
+
+ qp = cnxk_cpt_qp_create(dev, qp_id, nb_desc);
if (qp == NULL) {
plt_err("Could not create queue pair %d", qp_id);
return -ENOMEM;
}
qp->lf.lf_id = qp_id;
- qp->lf.nb_desc = conf->nb_descriptors;
+ qp->lf.nb_desc = nb_desc;
ret = roc_cpt_lf_init(roc_cpt, &qp->lf);
if (ret < 0) {
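Review bot: `plt_align32pow2(conf->nb_descriptors)` is applied before any range check, while `cpt_lf_init()` (context lines of the roc_cpt.c hunk) still replaces an `nb_desc` of 0 or above `CPT_LF_MAX_NB_DESC` with the default. In those cases the pending queue created by `cnxk_cpt_qp_create()` is sized from the aligned value and the LF from the default, so the two can disagree. The default is also no longer rounded to a power of two now that the rounding has been removed from `cpt_lf_init()`. Validating the request before creating the queue pair would avoid this, e.g. returning `-EINVAL` when `conf->nb_descriptors` is 0 or its rounded value exceeds the LF maximum. Other callers of `cpt_lf_init()` lose the rounding as well; whether any of them relied on it is not visible here.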
--
2.27.0