From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 3C87942535; Thu, 7 Sep 2023 12:26:28 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 872A0402DC; Thu, 7 Sep 2023 12:26:23 +0200 (CEST) Received: from mgamail.intel.com (mgamail.intel.com [134.134.136.126]) by mails.dpdk.org (Postfix) with ESMTP id 8D7F34026C for ; Thu, 7 Sep 2023 12:26:21 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1694082381; x=1725618381; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=+d/k5NrLtEDV3/qj0QKVHe6aDir2+S8UdGIl0AqObIY=; b=IMd/GkzSIllfdi9/xJCZQKazKqK7O/673sTFK4AQXXUft5GFeQLegzR1 1RU+EgmgJoPDFnJUQ2PuUuzo50y564+F4VLVyl+AxA2iLJbJH0hLLxscl e049HP28F53Nk7cfiWg+lHUHCf2hAMs7ilOCKJ8CNICM7rJAl3zzurWka RRCfQvW9QFEMHIbjaGhEqurr8bf5y5QCSqs2PRwmMcvZYobanKhuG5jIx DBQ5jjmOXoye3jg0cDVOoXi4wU10O96qdBXXHzGL2lnAiLIjmkY2SiTZG y+Hk7nOZj0GPqo+nE/k6EjaRdCnf7y+GSMnlGp8qBm0WvI1D5RKrCVWiH g==; X-IronPort-AV: E=McAfee;i="6600,9927,10825"; a="362343370" X-IronPort-AV: E=Sophos;i="6.02,234,1688454000"; d="scan'208";a="362343370" Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 07 Sep 2023 03:26:21 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10825"; a="988715256" X-IronPort-AV: E=Sophos;i="6.02,234,1688454000"; d="scan'208";a="988715256" Received: from silpixa00400883.ir.intel.com ([10.243.22.155]) by fmsmga006.fm.intel.com with ESMTP; 07 Sep 2023 03:26:19 -0700 From: Brian Dooley To: Akhil Goyal , Fan Zhang , Kai Ji , Pablo de Lara Cc: dev@dpdk.org, Brian Dooley Subject: [PATCH v6 1/2] crypto/ipsec_mb: add digest encrypted feature Date: Thu, 7 Sep 2023 10:26:13 +0000 Message-Id: <20230907102614.2269913-2-brian.dooley@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230907102614.2269913-1-brian.dooley@intel.com> References: <20230905161507.1561889-1-brian.dooley@intel.com> <20230907102614.2269913-1-brian.dooley@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org AESNI_MB PMD does not support Digest Encrypted. This patch adds a check and support for this feature. Signed-off-by: Brian Dooley --- v2: Fixed CHECKPATCH warning v3: Add Digest encrypted support to docs v4: Add comments and small refactor v5: Fix checkpatch warnings v6: Add skipping tests for synchronous crypto --- app/test/test_cryptodev.c | 6 ++ doc/guides/cryptodevs/features/aesni_mb.ini | 1 + drivers/crypto/ipsec_mb/pmd_aesni_mb.c | 109 +++++++++++++++++++- 3 files changed, 111 insertions(+), 5 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 956268bfcd..70f6b7ece1 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -6394,6 +6394,9 @@ test_zuc_auth_cipher(const struct wireless_test_data *tdata, tdata->digest.len) < 0) return TEST_SKIPPED; + if (gbl_action_type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) + return TEST_SKIPPED; + rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info); uint64_t feat_flags = dev_info.feature_flags; @@ -7829,6 +7832,9 @@ test_mixed_auth_cipher(const struct mixed_cipher_auth_test_data *tdata, if (global_api_test_type == CRYPTODEV_RAW_API_TEST) return TEST_SKIPPED; + if (gbl_action_type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) + return TEST_SKIPPED; + rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info); uint64_t feat_flags = dev_info.feature_flags; diff --git a/doc/guides/cryptodevs/features/aesni_mb.ini b/doc/guides/cryptodevs/features/aesni_mb.ini index e4e965c35a..8df5fa2c85 100644 --- a/doc/guides/cryptodevs/features/aesni_mb.ini +++ b/doc/guides/cryptodevs/features/aesni_mb.ini @@ -20,6 +20,7 @@ OOP LB In LB Out = Y CPU crypto = Y Symmetric sessionless = Y Non-Byte aligned data = Y +Digest encrypted = Y ; ; Supported crypto algorithms of the 'aesni_mb' crypto driver. diff --git a/drivers/crypto/ipsec_mb/pmd_aesni_mb.c b/drivers/crypto/ipsec_mb/pmd_aesni_mb.c index 9e298023d7..7f61065939 100644 --- a/drivers/crypto/ipsec_mb/pmd_aesni_mb.c +++ b/drivers/crypto/ipsec_mb/pmd_aesni_mb.c @@ -1438,6 +1438,54 @@ set_gcm_job(IMB_MGR *mb_mgr, IMB_JOB *job, const uint8_t sgl, return 0; } +/** Check if conditions are met for digest-appended operations */ +static uint8_t * +aesni_mb_digest_appended_in_src(struct rte_crypto_op *op, IMB_JOB *job, + uint32_t oop) +{ + unsigned int auth_size, cipher_size; + uint8_t *end_cipher; + uint8_t *start_cipher; + + if (job->cipher_mode == IMB_CIPHER_NULL) + return NULL; + + if (job->cipher_mode == IMB_CIPHER_ZUC_EEA3 || + job->cipher_mode == IMB_CIPHER_SNOW3G_UEA2_BITLEN || + job->cipher_mode == IMB_CIPHER_KASUMI_UEA1_BITLEN) { + cipher_size = (op->sym->cipher.data.offset >> 3) + + (op->sym->cipher.data.length >> 3); + } else { + cipher_size = (op->sym->cipher.data.offset) + + (op->sym->cipher.data.length); + } + if (job->hash_alg == IMB_AUTH_ZUC_EIA3_BITLEN || + job->hash_alg == IMB_AUTH_SNOW3G_UIA2_BITLEN || + job->hash_alg == IMB_AUTH_KASUMI_UIA1 || + job->hash_alg == IMB_AUTH_ZUC256_EIA3_BITLEN) { + auth_size = (op->sym->auth.data.offset >> 3) + + (op->sym->auth.data.length >> 3); + } else { + auth_size = (op->sym->auth.data.offset) + + (op->sym->auth.data.length); + } + + if (!oop) { + end_cipher = rte_pktmbuf_mtod_offset(op->sym->m_src, uint8_t *, cipher_size); + start_cipher = rte_pktmbuf_mtod(op->sym->m_src, uint8_t *); + } else { + end_cipher = rte_pktmbuf_mtod_offset(op->sym->m_dst, uint8_t *, cipher_size); + start_cipher = rte_pktmbuf_mtod(op->sym->m_dst, uint8_t *); + } + + if (start_cipher < op->sym->auth.digest.data && + op->sym->auth.digest.data < end_cipher) { + return rte_pktmbuf_mtod_offset(op->sym->m_src, uint8_t *, auth_size); + } else { + return NULL; + } +} + /** * Process a crypto operation and complete a IMB_JOB job structure for * submission to the multi buffer library for processing. @@ -1580,9 +1628,12 @@ set_mb_job_params(IMB_JOB *job, struct ipsec_mb_qp *qp, } else { if (aead) job->auth_tag_output = op->sym->aead.digest.data; - else - job->auth_tag_output = op->sym->auth.digest.data; - + else { + job->auth_tag_output = aesni_mb_digest_appended_in_src(op, job, oop); + if (job->auth_tag_output == NULL) { + job->auth_tag_output = op->sym->auth.digest.data; + } + } if (session->auth.req_digest_len != job->auth_tag_output_len_in_bytes) { job->auth_tag_output = @@ -1917,6 +1968,7 @@ post_process_mb_job(struct ipsec_mb_qp *qp, IMB_JOB *job) struct aesni_mb_session *sess = NULL; uint8_t *linear_buf = NULL; int sgl = 0; + uint8_t oop = 0; uint8_t is_docsis_sec = 0; if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { @@ -1962,8 +2014,54 @@ post_process_mb_job(struct ipsec_mb_qp *qp, IMB_JOB *job) op->sym->auth.digest.data, sess->auth.req_digest_len, &op->status); - } else + } else { + if (!op->sym->m_dst || op->sym->m_dst == op->sym->m_src) { + /* in-place operation */ + oop = 0; + } else { /* out-of-place operation */ + oop = 1; + } + + /* Enable digest check */ + if (op->sym->m_src->nb_segs == 1 && op->sym->m_dst != NULL + && !is_aead_algo(job->hash_alg, sess->template_job.cipher_mode) && + aesni_mb_digest_appended_in_src(op, job, oop) != NULL) { + unsigned int auth_size, cipher_size; + int unencrypted_bytes = 0; + if (job->cipher_mode == IMB_CIPHER_SNOW3G_UEA2_BITLEN || + job->cipher_mode == IMB_CIPHER_KASUMI_UEA1_BITLEN || + job->cipher_mode == IMB_CIPHER_ZUC_EEA3) { + cipher_size = (op->sym->cipher.data.offset >> 3) + + (op->sym->cipher.data.length >> 3); + } else { + cipher_size = (op->sym->cipher.data.offset) + + (op->sym->cipher.data.length); + } + if (job->hash_alg == IMB_AUTH_ZUC_EIA3_BITLEN || + job->hash_alg == IMB_AUTH_SNOW3G_UIA2_BITLEN || + job->hash_alg == IMB_AUTH_KASUMI_UIA1 || + job->hash_alg == IMB_AUTH_ZUC256_EIA3_BITLEN) { + auth_size = (op->sym->auth.data.offset >> 3) + + (op->sym->auth.data.length >> 3); + } else { + auth_size = (op->sym->auth.data.offset) + + (op->sym->auth.data.length); + } + /* Check for unencrypted bytes in partial digest cases */ + if (job->cipher_mode != IMB_CIPHER_NULL) { + unencrypted_bytes = auth_size + + job->auth_tag_output_len_in_bytes - cipher_size; + } + if (unencrypted_bytes > 0) + rte_memcpy( + rte_pktmbuf_mtod_offset(op->sym->m_dst, uint8_t *, + cipher_size), + rte_pktmbuf_mtod_offset(op->sym->m_src, uint8_t *, + cipher_size), + unencrypted_bytes); + } generate_digest(job, op, sess); + } break; default: op->status = RTE_CRYPTO_OP_STATUS_ERROR; @@ -2555,7 +2653,8 @@ RTE_INIT(ipsec_mb_register_aesni_mb) RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | RTE_CRYPTODEV_FF_OOP_LB_IN_SGL_OUT | RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | - RTE_CRYPTODEV_FF_SECURITY; + RTE_CRYPTODEV_FF_SECURITY | + RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; aesni_mb_data->internals_priv_size = 0; aesni_mb_data->ops = &aesni_mb_pmd_ops; -- 2.25.1