From: Vidya Sagar Velumuri <vvelumuri@marvell.com>
To: Nithin Dabilpuram <ndabilpuram@marvell.com>,
Kiran Kumar K <kirankumark@marvell.com>,
Sunil Kumar Kori <skori@marvell.com>,
Satha Rao <skoteshwar@marvell.com>,
Harman Kalra <hkalra@marvell.com>,
Ankur Dwivedi <adwivedi@marvell.com>,
Anoob Joseph <anoobj@marvell.com>,
Tejasree Kondoj <ktejasree@marvell.com>
Cc: <gakhil@marvell.com>, <jerinj@marvell.com>,
<vvelumuri@marvell.com>, <asasidharan@marvell.com>,
<dev@dpdk.org>
Subject: [PATCH v2 2/8] crypto/cnxk: enable sha384 and chachapoly for tls
Date: Thu, 14 Mar 2024 06:18:33 -0700 [thread overview]
Message-ID: <20240314131839.3362494-3-vvelumuri@marvell.com> (raw)
In-Reply-To: <20240314083844.3319506-1-vvelumuri@marvell.com>
Enable SHA384-HMAC support for TLS & DTLS 1.2.
Enable CHACHA20-POLY1305 support for TLS-1.3.
Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
drivers/common/cnxk/roc_ie_ot_tls.h | 1 +
drivers/crypto/cnxk/cn10k_tls.c | 56 +++++++++++++------
drivers/crypto/cnxk/cnxk_cryptodev.h | 6 +-
.../crypto/cnxk/cnxk_cryptodev_capabilities.c | 52 +++++++++++++++++
4 files changed, 95 insertions(+), 20 deletions(-)
diff --git a/drivers/common/cnxk/roc_ie_ot_tls.h b/drivers/common/cnxk/roc_ie_ot_tls.h
index b85d075e86..39c42775f4 100644
--- a/drivers/common/cnxk/roc_ie_ot_tls.h
+++ b/drivers/common/cnxk/roc_ie_ot_tls.h
@@ -39,6 +39,7 @@ enum roc_ie_ot_tls_cipher_type {
ROC_IE_OT_TLS_CIPHER_AES_CBC = 3,
ROC_IE_OT_TLS_CIPHER_AES_GCM = 7,
ROC_IE_OT_TLS_CIPHER_AES_CCM = 10,
+ ROC_IE_OT_TLS_CIPHER_CHACHA_POLY = 9,
};
enum roc_ie_ot_tls_ver {
diff --git a/drivers/crypto/cnxk/cn10k_tls.c b/drivers/crypto/cnxk/cn10k_tls.c
index b46904d3f8..c95fcfdfa7 100644
--- a/drivers/crypto/cnxk/cn10k_tls.c
+++ b/drivers/crypto/cnxk/cn10k_tls.c
@@ -28,7 +28,8 @@ tls_xform_cipher_auth_verify(struct rte_crypto_sym_xform *cipher_xform,
switch (c_algo) {
case RTE_CRYPTO_CIPHER_NULL:
if ((a_algo == RTE_CRYPTO_AUTH_MD5_HMAC) || (a_algo == RTE_CRYPTO_AUTH_SHA1_HMAC) ||
- (a_algo == RTE_CRYPTO_AUTH_SHA256_HMAC))
+ (a_algo == RTE_CRYPTO_AUTH_SHA256_HMAC) ||
+ (a_algo == RTE_CRYPTO_AUTH_SHA384_HMAC))
ret = 0;
break;
case RTE_CRYPTO_CIPHER_3DES_CBC:
@@ -37,7 +38,8 @@ tls_xform_cipher_auth_verify(struct rte_crypto_sym_xform *cipher_xform,
break;
case RTE_CRYPTO_CIPHER_AES_CBC:
if ((a_algo == RTE_CRYPTO_AUTH_SHA1_HMAC) ||
- (a_algo == RTE_CRYPTO_AUTH_SHA256_HMAC))
+ (a_algo == RTE_CRYPTO_AUTH_SHA256_HMAC) ||
+ (a_algo == RTE_CRYPTO_AUTH_SHA384_HMAC))
ret = 0;
break;
default:
@@ -69,7 +71,8 @@ tls_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
if (((a_algo == RTE_CRYPTO_AUTH_MD5_HMAC) && (keylen == 16)) ||
((a_algo == RTE_CRYPTO_AUTH_SHA1_HMAC) && (keylen == 20)) ||
- ((a_algo == RTE_CRYPTO_AUTH_SHA256_HMAC) && (keylen == 32)))
+ ((a_algo == RTE_CRYPTO_AUTH_SHA256_HMAC) && (keylen == 32)) ||
+ ((a_algo == RTE_CRYPTO_AUTH_SHA384_HMAC) && (keylen == 48)))
return 0;
return -EINVAL;
@@ -94,6 +97,9 @@ tls_xform_aead_verify(struct rte_security_tls_record_xform *tls_xform,
return 0;
}
+ if ((crypto_xform->aead.algo == RTE_CRYPTO_AEAD_CHACHA20_POLY1305) && (keylen == 32))
+ return 0;
+
return -EINVAL;
}
@@ -251,6 +257,9 @@ tls_write_rlens_get(struct rte_security_tls_record_xform *tls_xfrm,
case RTE_CRYPTO_AUTH_SHA256_HMAC:
mac_len = 32;
break;
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ mac_len = 32;
+ break;
default:
mac_len = 0;
break;
@@ -339,15 +348,20 @@ tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa,
cipher_key = read_sa->cipher_key;
/* Set encryption algorithm */
- if ((crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) &&
- (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)) {
- read_sa->w2.s.cipher_select = ROC_IE_OT_TLS_CIPHER_AES_GCM;
-
+ if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
length = crypto_xfrm->aead.key.length;
- if (length == 16)
- read_sa->w2.s.aes_key_len = ROC_IE_OT_TLS_AES_KEY_LEN_128;
- else
+ if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+ read_sa->w2.s.cipher_select = ROC_IE_OT_TLS_CIPHER_AES_GCM;
+ if (length == 16)
+ read_sa->w2.s.aes_key_len = ROC_IE_OT_TLS_AES_KEY_LEN_128;
+ else
+ read_sa->w2.s.aes_key_len = ROC_IE_OT_TLS_AES_KEY_LEN_256;
+ }
+
+ if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_CHACHA20_POLY1305) {
+ read_sa->w2.s.cipher_select = ROC_IE_OT_TLS_CIPHER_CHACHA_POLY;
read_sa->w2.s.aes_key_len = ROC_IE_OT_TLS_AES_KEY_LEN_256;
+ }
key = crypto_xfrm->aead.key.data;
memcpy(cipher_key, key, length);
@@ -397,6 +411,8 @@ tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa,
read_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_SHA1;
else if (auth_xfrm->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
read_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_SHA2_256;
+ else if (auth_xfrm->auth.algo == RTE_CRYPTO_AUTH_SHA384_HMAC)
+ read_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_SHA2_384;
else
return -EINVAL;
@@ -476,15 +492,19 @@ tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa,
cipher_key = write_sa->cipher_key;
/* Set encryption algorithm */
- if ((crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) &&
- (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)) {
- write_sa->w2.s.cipher_select = ROC_IE_OT_TLS_CIPHER_AES_GCM;
-
+ if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
length = crypto_xfrm->aead.key.length;
- if (length == 16)
- write_sa->w2.s.aes_key_len = ROC_IE_OT_TLS_AES_KEY_LEN_128;
- else
+ if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+ write_sa->w2.s.cipher_select = ROC_IE_OT_TLS_CIPHER_AES_GCM;
+ if (length == 16)
+ write_sa->w2.s.aes_key_len = ROC_IE_OT_TLS_AES_KEY_LEN_128;
+ else
+ write_sa->w2.s.aes_key_len = ROC_IE_OT_TLS_AES_KEY_LEN_256;
+ }
+ if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_CHACHA20_POLY1305) {
+ write_sa->w2.s.cipher_select = ROC_IE_OT_TLS_CIPHER_CHACHA_POLY;
write_sa->w2.s.aes_key_len = ROC_IE_OT_TLS_AES_KEY_LEN_256;
+ }
key = crypto_xfrm->aead.key.data;
memcpy(cipher_key, key, length);
@@ -538,6 +558,8 @@ tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa,
write_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_SHA1;
else if (auth_xfrm->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
write_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_SHA2_256;
+ else if (auth_xfrm->auth.algo == RTE_CRYPTO_AUTH_SHA384_HMAC)
+ write_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_SHA2_384;
else
return -EINVAL;
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h
index 45d01b94b3..fffc4a47b4 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.h
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.h
@@ -13,9 +13,9 @@
#define CNXK_CPT_MAX_CAPS 55
#define CNXK_SEC_IPSEC_CRYPTO_MAX_CAPS 16
-#define CNXK_SEC_TLS_1_3_CRYPTO_MAX_CAPS 2
-#define CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS 6
-#define CNXK_SEC_MAX_CAPS 17
+#define CNXK_SEC_TLS_1_3_CRYPTO_MAX_CAPS 3
+#define CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS 7
+#define CNXK_SEC_MAX_CAPS 19
/**
* Device private data
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index db50de5d58..0d5d64b6e7 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -1639,6 +1639,27 @@ static const struct rte_cryptodev_capabilities sec_tls12_caps_sha1_sha2[] = {
}, }
}, }
},
+ { /* SHA384 HMAC */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
+ .block_size = 64,
+ .key_size = {
+ .min = 48,
+ .max = 48,
+ .increment = 0
+ },
+ .digest_size = {
+ .min = 48,
+ .max = 48,
+ .increment = 0
+ },
+ }, }
+ }, }
+ },
+
};
static const struct rte_cryptodev_capabilities sec_tls13_caps_aes[] = {
@@ -1672,6 +1693,37 @@ static const struct rte_cryptodev_capabilities sec_tls13_caps_aes[] = {
}, }
}, }
},
+ { /* CHACHA POLY */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,
+ {.aead = {
+ .algo = RTE_CRYPTO_AEAD_CHACHA20_POLY1305,
+ .block_size = 64,
+ .key_size = {
+ .min = 32,
+ .max = 32,
+ .increment = 0
+ },
+ .digest_size = {
+ .min = 16,
+ .max = 16,
+ .increment = 0
+ },
+ .aad_size = {
+ .min = 5,
+ .max = 5,
+ .increment = 0
+ },
+ .iv_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
+
};
--
2.25.1
next prev parent reply other threads:[~2024-03-14 13:20 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-14 8:38 [PATCH 00/12] Add TLS features Vidya Sagar Velumuri
2024-03-14 8:38 ` [PATCH 01/12] crypto/cnxk: multi seg support block ciphers in tls Vidya Sagar Velumuri
2024-03-14 8:38 ` [PATCH 02/12] crypto/cnxk: enable sha384 capability for tls Vidya Sagar Velumuri
2024-03-14 8:38 ` [PATCH 03/12] crypto/cnxk: add support for session update for TLS Vidya Sagar Velumuri
2024-03-14 8:38 ` [PATCH 04/12] crypto/cnxk: avoid branches in datapath Vidya Sagar Velumuri
2024-03-14 8:38 ` [PATCH 05/12] crypto/cnxk: move metadata to second cacheline Vidya Sagar Velumuri
2024-03-14 8:38 ` [PATCH 06/12] crypto/cnxk: handle the extra len reported by microcode Vidya Sagar Velumuri
2024-03-14 8:38 ` [PATCH 07/12] crypto/cnxk: add support for padding verification in TLS Vidya Sagar Velumuri
2024-03-14 8:38 ` [PATCH 08/12] crypto/cnxk: add support for oop processing " Vidya Sagar Velumuri
2024-03-14 8:38 ` [PATCH 09/12] crypto/cnxk: update the context structure of tls Vidya Sagar Velumuri
2024-03-14 8:38 ` [PATCH 10/12] crypto/cnxk: use proper offset for context calculation Vidya Sagar Velumuri
2024-03-14 8:38 ` [PATCH 11/12] crypto/cnxk: enable chachapoly capability for tls Vidya Sagar Velumuri
2024-03-14 8:38 ` [PATCH 12/12] crypto/cnxk: remove the response len handling " Vidya Sagar Velumuri
2024-03-14 9:46 ` [PATCH 00/12] Add TLS features Anoob Joseph
2024-03-14 14:48 ` Patrick Robb
2024-03-14 13:18 ` [PATCH v2 0/8] crypto/cnxk: fixes and minor updates for TLS Vidya Sagar Velumuri
2024-03-15 5:42 ` [PATCH v3 0/8] Fixes and minor improvements for Crypto cnxk Vidya Sagar Velumuri
2024-03-15 5:42 ` [PATCH v3 1/8] crypto/cnxk: multi seg support block ciphers in tls Vidya Sagar Velumuri
2024-03-15 5:42 ` [PATCH v3 2/8] crypto/cnxk: enable sha384 and chachapoly for tls Vidya Sagar Velumuri
2024-03-15 5:42 ` [PATCH v3 3/8] crypto/cnxk: add support for session update for TLS Vidya Sagar Velumuri
2024-03-15 5:42 ` [PATCH v3 4/8] crypto/cnxk: avoid branches in datapath Vidya Sagar Velumuri
2024-03-15 5:42 ` [PATCH v3 5/8] crypto/cnxk: move metadata to second cacheline Vidya Sagar Velumuri
2024-03-15 5:42 ` [PATCH v3 6/8] crypto/cnxk: add support for padding verification in TLS Vidya Sagar Velumuri
2024-03-15 5:42 ` [PATCH v3 7/8] crypto/cnxk: add support for oop processing " Vidya Sagar Velumuri
2024-03-15 5:42 ` [PATCH v3 8/8] crypto/cnxk: update the context structure of tls Vidya Sagar Velumuri
2024-03-15 6:45 ` [PATCH v4 0/8] Fixes and minor improvements for Crypto cnxk Vidya Sagar Velumuri
2024-03-15 6:45 ` [PATCH v4 1/8] crypto/cnxk: multi seg support block ciphers in tls Vidya Sagar Velumuri
2024-03-15 6:45 ` [PATCH v4 2/8] crypto/cnxk: enable sha384 and chachapoly for tls Vidya Sagar Velumuri
2024-03-15 6:45 ` [PATCH v4 3/8] crypto/cnxk: add support for session update for TLS Vidya Sagar Velumuri
2024-03-15 6:45 ` [PATCH v4 4/8] crypto/cnxk: avoid branches in datapath Vidya Sagar Velumuri
2024-03-15 6:45 ` [PATCH v4 5/8] crypto/cnxk: move metadata to second cacheline Vidya Sagar Velumuri
2024-03-15 6:45 ` [PATCH v4 6/8] crypto/cnxk: add support for padding verification in TLS Vidya Sagar Velumuri
2024-03-15 6:45 ` [PATCH v4 7/8] crypto/cnxk: add support for oop processing " Vidya Sagar Velumuri
2024-03-15 6:45 ` [PATCH v4 8/8] crypto/cnxk: update the context structure of tls Vidya Sagar Velumuri
2024-03-15 11:40 ` [PATCH v4 0/8] Fixes and minor improvements for Crypto cnxk Akhil Goyal
2024-03-14 13:18 ` [PATCH v2 1/8] crypto/cnxk: multi seg support block ciphers in tls Vidya Sagar Velumuri
2024-03-14 13:18 ` Vidya Sagar Velumuri [this message]
2024-03-14 13:18 ` [PATCH v2 3/8] crypto/cnxk: add support for session update for TLS Vidya Sagar Velumuri
2024-03-14 13:18 ` [PATCH v2 4/8] crypto/cnxk: avoid branches in datapath Vidya Sagar Velumuri
2024-03-14 13:18 ` [PATCH v2 5/8] crypto/cnxk: move metadata to second cacheline Vidya Sagar Velumuri
2024-03-14 13:18 ` [PATCH v2 6/8] crypto/cnxk: add support for padding verification in TLS Vidya Sagar Velumuri
2024-03-14 13:18 ` [PATCH v2 7/8] crypto/cnxk: add support for oop processing " Vidya Sagar Velumuri
2024-03-14 13:18 ` [PATCH v2 8/8] crypto/cnxk: update the context structure of tls Vidya Sagar Velumuri
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240314131839.3362494-3-vvelumuri@marvell.com \
--to=vvelumuri@marvell.com \
--cc=adwivedi@marvell.com \
--cc=anoobj@marvell.com \
--cc=asasidharan@marvell.com \
--cc=dev@dpdk.org \
--cc=gakhil@marvell.com \
--cc=hkalra@marvell.com \
--cc=jerinj@marvell.com \
--cc=kirankumark@marvell.com \
--cc=ktejasree@marvell.com \
--cc=ndabilpuram@marvell.com \
--cc=skori@marvell.com \
--cc=skoteshwar@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).