From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 8A65142606; Tue, 19 Sep 2023 15:54:33 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id AFC7B40E68; Tue, 19 Sep 2023 15:54:25 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id D171C40A8B for ; Tue, 19 Sep 2023 15:54:23 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 38J64dYB022840 for ; Tue, 19 Sep 2023 06:54:23 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=k1wrxmCizzeYjWYU8Tfpdr+bcO/NYDbhvdKr4FdZQdM=; b=N2ggV8Tiz2eiGFWcOr0urGo29bzGOnbeOWmxNB0XrMrh/kcznPdzvBhFduSv3fs3OiKM +HznPrbQVfcNIdHyoJJHR4rFmndFMlUuxJaEUVh4CWGHMfPTn1p2mjEmf9X9c5T44WzJ ltYzGfvjC+hlw/Wr0gXJOGRuWsrN/NIRiU6eB+U2Yb9J0b49A3JVHEaKLjt1u8Qt7HWI DrKps+Ixxl16DTzM89z3/73DdDo419L1Zo/NotjFXbmCPk2U4TxJrJIshpChetqd7LiS MyT3Y3xPgIhhz6U+DOhSYBgVGvwnE0Q+z/A8bW+k9LFsk1Kx3sVZttaTrZfkNfSAsZLN rg== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3t5bvkrmn6-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Tue, 19 Sep 2023 06:54:23 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Tue, 19 Sep 2023 06:54:21 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.48 via Frontend Transport; Tue, 19 Sep 2023 06:54:21 -0700 Received: from localhost.localdomain (unknown [10.28.36.102]) by maili.marvell.com (Postfix) with ESMTP id 87FE53F709C; Tue, 19 Sep 2023 06:54:19 -0700 (PDT) From: Akhil Goyal To: CC: , , , Akhil Goyal Subject: [PATCH v2 2/3] net/cnxk: add MACsec capability Date: Tue, 19 Sep 2023 19:24:08 +0530 Message-ID: <20230919135409.2544309-3-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230919135409.2544309-1-gakhil@marvell.com> References: <20230731034447.929506-1-gakhil@marvell.com> <20230919135409.2544309-1-gakhil@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-GUID: u_pQZnqtvqcnkmH7V9Sqm2VcUMFApRW0 X-Proofpoint-ORIG-GUID: u_pQZnqtvqcnkmH7V9Sqm2VcUMFApRW0 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.267,Aquarius:18.0.980,Hydra:6.0.601,FMLib:17.11.176.26 definitions=2023-09-19_06,2023-09-19_01,2023-05-22_02 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org From: Ankur Dwivedi Adds the MACsec capability for CN10K-B. The ethernet security capability structure is populated based on the feature supported by the device. Signed-off-by: Ankur Dwivedi Acked-by: Akhil Goyal --- drivers/common/cnxk/roc_features.h | 6 ++ drivers/common/cnxk/roc_mcs.h | 3 + drivers/net/cnxk/cn10k_ethdev_sec.c | 120 +++++++++++++++++++++++++++- 3 files changed, 125 insertions(+), 4 deletions(-) diff --git a/drivers/common/cnxk/roc_features.h b/drivers/common/cnxk/roc_features.h index 815f800e7a..d5d0c0c901 100644 --- a/drivers/common/cnxk/roc_features.h +++ b/drivers/common/cnxk/roc_features.h @@ -71,4 +71,10 @@ roc_feature_bphy_has_macsec(void) { return roc_model_is_cnf10kb(); } + +static inline bool +roc_feature_nix_has_inl_ipsec(void) +{ + return !roc_model_is_cnf10kb(); +} #endif diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h index afac6c92e2..602f1cae1d 100644 --- a/drivers/common/cnxk/roc_mcs.h +++ b/drivers/common/cnxk/roc_mcs.h @@ -7,6 +7,9 @@ #define MCS_AES_GCM_256_KEYLEN 32 +#define ROC_MCS_MAX_AR_WINSZ BIT_ULL(31) +#define ROC_MCS_MAX_MTU (BIT_ULL(16) - 1) + struct roc_mcs_alloc_rsrc_req { uint8_t rsrc_type; uint8_t rsrc_cnt; /* Resources count */ diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c index b98fc9378e..a7473922af 100644 --- a/drivers/net/cnxk/cn10k_ethdev_sec.c +++ b/drivers/net/cnxk/cn10k_ethdev_sec.c @@ -303,7 +303,7 @@ static struct rte_cryptodev_capabilities cn10k_eth_sec_crypto_caps[] = { RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST() }; -static const struct rte_security_capability cn10k_eth_sec_capabilities[] = { +static const struct rte_security_capability cn10k_eth_sec_ipsec_capabilities[] = { { /* IPsec Inline Protocol ESP Tunnel Ingress */ .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, .protocol = RTE_SECURITY_PROTOCOL_IPSEC, @@ -401,11 +401,100 @@ static const struct rte_security_capability cn10k_eth_sec_capabilities[] = { .crypto_capabilities = cn10k_eth_sec_crypto_caps, .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA }, - { - .action = RTE_SECURITY_ACTION_TYPE_NONE - } }; +static const struct rte_security_capability cn10k_eth_sec_macsec_capabilities[] = { + { /* MACsec Inline Protocol, AES-GCM-128 algo */ + .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_MACSEC, + .macsec = { + .mtu = ROC_MCS_MAX_MTU, + .alg = RTE_SECURITY_MACSEC_ALG_GCM_128, + .max_nb_sc = 128, + .max_nb_sa = 256, + .max_nb_sess = 256, + .replay_win_sz = ROC_MCS_MAX_AR_WINSZ, + .relative_sectag_insert = 1, + .fixed_sectag_insert = 1, + .icv_include_da_sa = 1, + .ctrl_port_enable = 1, + .preserve_sectag = 1, + .preserve_icv = 1, + .validate_frames = 1, + .re_key = 1, + .anti_replay = 1, + }, + }, + { /* MACsec Inline Protocol, AES-GCM-256 algo */ + .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_MACSEC, + .macsec = { + .mtu = ROC_MCS_MAX_MTU, + .alg = RTE_SECURITY_MACSEC_ALG_GCM_256, + .max_nb_sc = 128, + .max_nb_sa = 256, + .max_nb_sess = 256, + .replay_win_sz = ROC_MCS_MAX_AR_WINSZ, + .relative_sectag_insert = 1, + .fixed_sectag_insert = 1, + .icv_include_da_sa = 1, + .ctrl_port_enable = 1, + .preserve_sectag = 1, + .preserve_icv = 1, + .validate_frames = 1, + .re_key = 1, + .anti_replay = 1, + }, + }, + { /* MACsec Inline Protocol, AES-GCM-XPN-128 algo */ + .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_MACSEC, + .macsec = { + .mtu = ROC_MCS_MAX_MTU, + .alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128, + .max_nb_sc = 128, + .max_nb_sa = 256, + .max_nb_sess = 256, + .replay_win_sz = ROC_MCS_MAX_AR_WINSZ, + .relative_sectag_insert = 1, + .fixed_sectag_insert = 1, + .icv_include_da_sa = 1, + .ctrl_port_enable = 1, + .preserve_sectag = 1, + .preserve_icv = 1, + .validate_frames = 1, + .re_key = 1, + .anti_replay = 1, + }, + }, + { /* MACsec Inline Protocol, AES-GCM-XPN-256 algo */ + .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_MACSEC, + .macsec = { + .mtu = ROC_MCS_MAX_MTU, + .alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256, + .max_nb_sc = 128, + .max_nb_sa = 256, + .max_nb_sess = 256, + .replay_win_sz = ROC_MCS_MAX_AR_WINSZ, + .relative_sectag_insert = 1, + .fixed_sectag_insert = 1, + .icv_include_da_sa = 1, + .ctrl_port_enable = 1, + .preserve_sectag = 1, + .preserve_icv = 1, + .validate_frames = 1, + .re_key = 1, + .anti_replay = 1, + }, + }, +}; + +#define SEC_CAPS_LEN (RTE_DIM(cn10k_eth_sec_ipsec_capabilities) + \ + RTE_DIM(cn10k_eth_sec_macsec_capabilities) + 1) + +static struct rte_security_capability cn10k_eth_sec_capabilities[SEC_CAPS_LEN]; + static inline void cnxk_pktmbuf_free_no_cache(struct rte_mbuf *mbuf) { @@ -1093,15 +1182,38 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess, return 0; } +static void +eth_sec_caps_add(struct rte_security_capability eth_sec_caps[], uint32_t *idx, + const struct rte_security_capability *caps, uint32_t nb_caps) +{ + PLT_VERIFY(*idx + nb_caps < SEC_CAPS_LEN); + + rte_memcpy(ð_sec_caps[*idx], caps, nb_caps * sizeof(caps[0])); + *idx += nb_caps; +} + void cn10k_eth_sec_ops_override(void) { static int init_once; + uint32_t idx = 0; if (init_once) return; init_once = 1; + if (roc_feature_nix_has_inl_ipsec()) + eth_sec_caps_add(cn10k_eth_sec_capabilities, &idx, + cn10k_eth_sec_ipsec_capabilities, + RTE_DIM(cn10k_eth_sec_ipsec_capabilities)); + + if (roc_feature_nix_has_macsec()) + eth_sec_caps_add(cn10k_eth_sec_capabilities, &idx, + cn10k_eth_sec_macsec_capabilities, + RTE_DIM(cn10k_eth_sec_macsec_capabilities)); + + cn10k_eth_sec_capabilities[idx].action = RTE_SECURITY_ACTION_TYPE_NONE; + /* Update platform specific ops */ cnxk_eth_sec_ops.macsec_sa_create = cnxk_eth_macsec_sa_create; cnxk_eth_sec_ops.macsec_sc_create = cnxk_eth_macsec_sc_create; -- 2.25.1