From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id D7837A00C3; Wed, 20 Apr 2022 20:15:00 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 66026410E1; Wed, 20 Apr 2022 20:15:00 +0200 (CEST) Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32]) by mails.dpdk.org (Postfix) with ESMTP id A6EA740C35 for ; Wed, 20 Apr 2022 20:14:59 +0200 (CEST) Received: from pps.filterd (m0246617.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 23KHqYqL012445; Wed, 20 Apr 2022 18:14:58 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=corp-2021-07-09; bh=zGaF+AkiAFyuRXCQNVgWPDwJRZMh18QRbrTpERtZjMM=; b=leG2oQckqaXFx9eKOknY/h2GYyogdyDmdlp8rbRl6p25orBabs7t6BA3QEouGpBi5oiX gyugnALT+mjnAAdlkQevdyE9KXzmiYpdFdRZAr0I/f7A8g0eMWJevXIBh+1iMavXB2/8 HrfAiDpBmxYBtI+M3YA21kHhuEGevsqYhjcnXA41bgVMBijNMpzPtDBwHxDAUlHGGXB+ t037nGH0Oa+xnRPPknz0RdYlKUbSCifC9TOB86y+GqsLmoTjQz9uj1Wvsolwh8zi/Tul mwtr8xz58OjEQRD938SUX9eWi+N5XenNwKPehlhSN3BGfLbRFU2EdG7UIKrzA38hyPE1 Aw== Received: from phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (phxpaimrmta01.appoci.oracle.com [138.1.114.2]) by mx0b-00069f02.pphosted.com with ESMTP id 3ffpbva372-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 20 Apr 2022 18:14:58 +0000 Received: from pps.filterd (phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com [127.0.0.1]) by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (8.16.1.2/8.16.1.2) with SMTP id 23KIC9c7019207; Wed, 20 Apr 2022 18:14:57 GMT Received: from nam10-bn7-obe.outbound.protection.outlook.com (mail-bn7nam10lp2104.outbound.protection.outlook.com [104.47.70.104]) by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com with ESMTP id 3ffm87qcyu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 20 Apr 2022 18:14:57 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=l+IZoje0su/vh+LcALY0IoBGDLhgmdenJWL15lzJ91k7p79HbefU27yb8h7el2scJYetPDhY5+MKNHtYYxqM2mFCr/8bxd+Q+WTO6Fuu3bWhRs1I52ciNLrozKuGLAIl1xVjqsS+dl92CQD/2+JVCqq6LjiBEimRq8hF3zQTFbuW98eAecewZDma0PMryuTyyFbfptI15HI7/OWJIQxVLdcUU1tW1N9XHXTjjT+/dncN5xrdtURxQu2EFRzNy5TrahbyFQT2LteUixFJIKaJ480976ZHeszXixMAHjfc2cIrUNtXV7SCcBuYE3bl/wQBt9Cx7rKaVRtwGkHIrOgO/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=zGaF+AkiAFyuRXCQNVgWPDwJRZMh18QRbrTpERtZjMM=; b=gzWJzEOfnMmHaChi9pErbE/vAuldpsNK10JfFNXDnTyzO0tJxRHKGaYINygPChxCGN/KvEjUTniieBRzypjOn6ZC0bQ/vdTdJbfQ6gGx2ObSm3UB77T8AgaiLG1DeF9Og6vVcGEUbfca48AWso+L6E+PeYp/v7F0t8LU7/GyLQJZfOYrwV/sDVz6Kpwcg8lLHX8BzqdUXjWhglhKSNItLV/KwlGD1hgj0vLC9jtJVfJrrpARaOKgPtOQ6VHDlRuYcdTr8mMvNWO5jHMRHignJxLjdsJYzfpJ+IHrZA1Ns6zFQLyiyUP5bn/klKUW/hrc8E9Cp7nmMor9ucMaTp0hcg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zGaF+AkiAFyuRXCQNVgWPDwJRZMh18QRbrTpERtZjMM=; b=cnFK4Pqo6BJfZ5Rs3K9lFlErzuoYJJUzuxeORr9XNF5YK+PKIDTEUWXuV+UzWPpJm9WFR+I5X8ULRhyCz9+FE/FA87rO1RxaygOUTSFezUh2ZWFXot9Hozv7Ulyroz33AOd9VNqXYIEJlIGARCmxU5z/M+d1eBaEDbknU+CbWRs= Received: from CO1PR10MB4756.namprd10.prod.outlook.com (2603:10b6:303:9b::17) by MWHPR10MB1631.namprd10.prod.outlook.com (2603:10b6:301:7::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5186.14; Wed, 20 Apr 2022 18:14:54 +0000 Received: from CO1PR10MB4756.namprd10.prod.outlook.com ([fe80::65c1:1da4:12f8:9c]) by CO1PR10MB4756.namprd10.prod.outlook.com ([fe80::65c1:1da4:12f8:9c%3]) with mapi id 15.20.5186.013; Wed, 20 Apr 2022 18:14:54 +0000 From: Changchun Zhang To: Fan Zhang , "dev@dpdk.org" , "pablo.de.lara.guarch@intel.com" CC: "kai.ji@intel.com" , "gakhil@marvell.com" , Fan Zhang Subject: Re: [External] : [PATCH] crypto/qat: use intel-ipsec-mb for partial hash Thread-Topic: [External] : [PATCH] crypto/qat: use intel-ipsec-mb for partial hash Thread-Index: AQHYSpRRRGFHnV57w0yEJUyDPsfrYazvydcwgAli7QI= Date: Wed, 20 Apr 2022 18:14:54 +0000 Message-ID: References: <20220407152931.8771-1-roy.fan.zhang@intel.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 3b52b919-a9cb-421a-4772-08da22f9ab6c x-ms-traffictypediagnostic: MWHPR10MB1631:EE_ x-microsoft-antispam-prvs: x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: rxMrHRSc4orRjIr11q8KrmJbErzkXi7OkFD0yX5VOSTULggmL4IwE/e0DfUN0bCpvClxG9DuPI9k2mUXKH3W7+psgyJ1VI/aL6CDhC1ZfsOOwkyqKvPkHOpth8TDp+0KYVw6oXmLC5fWC0dg0NkkifbcyLaGvhScCofafU/ymeJoDYdKsYlVNaGl6Ew3y/VspM1mkWrlwomUJUGYqJdo882ywXoxLRhdAZwHq5Pi0LQprH1yqw+lCStORt0Rl+pUV1adnOIoghau75r5zH8PmofZA1w84/RWMTtdifGA3Op4aLg+mxTa5/IzdQYmwmcrB3GEyS1iROlHgeFLoRyWot8mPN9o8aXYQ0LNGScRxjCTUMwIfJH255EIviSyLCXAMb30e0Acj/8jCMVaduw11h+fIcsWF50TZMKTDjIavQ3om1HvlqBC8rdSuVfAsnQVMh1ZD/Ntf9Mw3wgW457o7l4IlDsKXHhBZ30Firxnr8saKlgnIHQ8ZRJ9aQhZmUEZ+C08udyPNcGOncVsGVDsPfTkhzCJX0mL/eRRwrGIS0U8SR/B5rr3LkAEwI6t561D5be4pzkibIsop4WgkuT4WDU59zI3m+LBRwwZHH2aTUPIPLHpV2TsDUCCh5MIJka2/keB+KyyWWabIFs9hcSjgCnM1D67PvmX+f4UX0kPVuH91AqyvNQOGb1jNVaRO2OYMDclXzEycp9dmIMJsjhJ+Q== x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR10MB4756.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(366004)(38070700005)(38100700002)(508600001)(52536014)(316002)(8936002)(122000001)(9326002)(2906002)(7696005)(26005)(33656002)(9686003)(83380400001)(53546011)(186003)(110136005)(6506007)(66946007)(66476007)(66556008)(66446008)(76116006)(8676002)(44832011)(4326008)(64756008)(91956017)(71200400001)(54906003)(5660300002)(55016003)(86362001); DIR:OUT; SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?2ljN4s1xzWFyswFd45mcYTLgENxX0IftUsfjiw9aRoUWI+CFiAKUNaVOedDZ?= =?us-ascii?Q?q9EP/TcJ9vi1DX3LvaQvw5boRvEOvysUEosO6xjXCFsdbKvNHhqpjl8VC0QP?= =?us-ascii?Q?O8+Zg1RBXYTzH5avm2zxn7RoVUbW+Sm4nEAZWvqOtGRmyMpl/18S9exd7mJC?= =?us-ascii?Q?ijauNxFYr9QfslHpTzy+zN15uZvuXZhoaj1/rjnlZjwU90eJ2Vg/P1h984NH?= =?us-ascii?Q?+vgS+WcNyXA/kf5O6MwSDlb3yGhtUkCTLq0KAwtmL+lGHjI3cE5Qs1E0U82l?= =?us-ascii?Q?v/RjC787ev4qFQ2Kez9++SiTj7l0u2sgsw7UjXCKPMPtl2GLU8G32fokyIVD?= =?us-ascii?Q?ONnPpkKkTXnPvwgy8WizClcyxZ+V+F42zj9zWoNsxaL+cp64EZGCkLku8dLf?= =?us-ascii?Q?i297NLLxYw1dYAegBvW65z/4JkAJBeUyezOdmEoTUIMVAo0NJthoUAZowCGv?= =?us-ascii?Q?3BY818Q0eF53duE+Nko1iclQOn2iO1qLkAdQqKBbjBpZTlB8QvQ6UB1fEuzZ?= =?us-ascii?Q?cl2B2vU1haao41LEhpOzA7lE65ZeKI0mrr72eNh8tCD8mvKOQRmx3xJhBkSE?= =?us-ascii?Q?T4JOBAdY88FmWslU6FVZDNESiiiAXdKE0LEBFbtvA4j7xGATthLOcRuTkMei?= =?us-ascii?Q?9Fo+hdIGeHoeqsRucrtVOPKIEuHBs0Mr3wHgsqi2n553QJh47JG1tqJniZtB?= =?us-ascii?Q?F0glKokqa1kxm7Tbh03za2gq67R84roFuT9Kq5xp0jbWy1amzB2bjt9FnaBL?= =?us-ascii?Q?QUw1EvOfozKTVbRNsFG/ThFoXjveC9Tb2KF5qZE9yqrBzB7SNdBWt5CB9cQ4?= =?us-ascii?Q?UCOhQA2++vKkJedt+lVSZ6saDk5hHIdG+y0cUyUMZ43R2StvlVu0kFLw4A+z?= =?us-ascii?Q?1bd8+uH+/xCDK5KlYiWt3QgxmO9RgyI5EEdP5MYgIxhX464TcWpL6o1imd3q?= =?us-ascii?Q?5kikvGVSOAjbriUNJ4fSiNBKwOf7rT9oh9AB1z3XfDE/x8TjhFDoau3EW1jZ?= =?us-ascii?Q?WXiuJYwemtcaCLP3cdgi6nbE51RoTUgjBOMH+5PDZoCuBTzKS9fI2UEMV/iE?= =?us-ascii?Q?j+k5eHMZnwBnEyL31z+u965nfkkYjoNo0LX0dCfY72l4bTUJGMnLa/xSkquj?= =?us-ascii?Q?ViViUiR8Oa+WQPiNO1B8LilfOLO72BL1Q08ufKWAJ5zLmeoBZmpaMfgSyKu5?= =?us-ascii?Q?udgBWXE3hg/QzCNWv+aa+zf8KPXCn4VNNGjbwubLGneWGYnOkVF7077lqB0Z?= =?us-ascii?Q?MnTKq8tbboQmWT4/6HMvrdPuwrc0+LyEC+yOwKyI8av5MxXIskwCp9HAUgPV?= =?us-ascii?Q?wDHUttKBwWZeK78H9pMZt0AA+2Pvu3LCjcrElZp+/GmB6uRpxoujyXaEUNL/?= =?us-ascii?Q?J+d7WIBavlqTbKwLpjJLGO5MUFiNB3Ntf4SV/SowmbZ3JCeWhgAQu/QzZaWT?= =?us-ascii?Q?vfykT9phvYdih8sIFfs2s8VMkMGy42bWuDv4Oghk4JLMt3cyp2bFZtM6uiaZ?= =?us-ascii?Q?iCXOPVBdFBN2ESf70Mg3prJ7JkR/jUMfN8koN5ZCH2atoG6TH8lWw8VPcF9l?= =?us-ascii?Q?kCqMSvw2G+MH8IcIKR9+29iULeloZPge5ZSpj6sAYk2heucYvwapwCC0ybqA?= =?us-ascii?Q?ncBmxyQo9KdXPi6diHDJuvqypfyrpTfb0mqqQGwYdIwj4QxtXnJQKILw4+z6?= =?us-ascii?Q?+cWa/ySFp4CtBYXD4y9MNblZILmHzAqMkMyIFXnNnuevHUe3RCJpZao317qA?= =?us-ascii?Q?lAq47mO9Ma4yoQ9uTJIy0Z9noM3algZp8KCfZHG7NdscYid1OJiC?= Content-Type: multipart/alternative; boundary="_000_CO1PR10MB47569F996E04857C09B1F80084F59CO1PR10MB4756namp_" MIME-Version: 1.0 X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: CO1PR10MB4756.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 3b52b919-a9cb-421a-4772-08da22f9ab6c X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Apr 2022 18:14:54.4235 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: POFqbvMU2f4xa4xa3lbuWustA6kAGsVMMmnWAt+LGgHw4DHcxPohZfzecDIG56dbOiEAQXwIFEBF06KLl5lIhGBAPleHDVdo5w1E3B24C7o= X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR10MB1631 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.486, 18.0.858 definitions=2022-04-20_05:2022-04-20, 2022-04-20 signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 adultscore=0 malwarescore=0 mlxlogscore=999 suspectscore=0 spamscore=0 bulkscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2204200108 X-Proofpoint-GUID: BIQFRZL_8BoFur_1q236X1Up2yzKgoCP X-Proofpoint-ORIG-GUID: BIQFRZL_8BoFur_1q236X1Up2yzKgoCP X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org --_000_CO1PR10MB47569F996E04857C09B1F80084F59CO1PR10MB4756namp_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hello, Can I know the status of this patch, and the possible impact on any existin= g applications because the partial hash is switched from OpenSSL to intel-i= psec-mb which is not under FIPS certification? Thanks! Changchun From: Changchun Zhang Date: Thursday, April 14, 2022 at 2:46 PM To: Fan Zhang , dev@dpdk.org Cc: kai.ji@intel.com , gakhil@marvell.com , pablo.de.lara.guarch@intel.com , Fan= Zhang Subject: Re: [External] : [PATCH] crypto/qat: use intel-ipsec-mb for partia= l hash Hi Fan, Does it mean the intel-ipsec-mb would be prerequisite of applying QAT offlo= ading for security application? It this is the case, as I know, the intel-i= psec-mb has no FIPS certification yet. Thus I am thinking this would impact= existing QAT based security application, right? Best Regards, Changchun Zhang From: Fan Zhang Date: Thursday, April 7, 2022 at 11:29 AM To: dev@dpdk.org Cc: kai.ji@intel.com , gakhil@marvell.com , pablo.de.lara.guarch@intel.com , Fan= Zhang Subject: [External] : [PATCH] crypto/qat: use intel-ipsec-mb for partial ha= sh Since openssl 3.0 now deprecates the low level API QAT required to perform partial hash operation when creating the session. This patch is to transfer such dependency from openssl to intel-ipsec-mb. Signed-off-by: Fan Zhang --- drivers/common/qat/meson.build | 10 +++ drivers/crypto/qat/qat_sym_session.c | 101 +++++---------------------- 2 files changed, 28 insertions(+), 83 deletions(-) diff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.buil= d index b7027f3164..d35fc69d96 100644 --- a/drivers/common/qat/meson.build +++ b/drivers/common/qat/meson.build @@ -35,6 +35,16 @@ if qat_crypto and not libcrypto.found() 'missing dependency, libcrypto') endif + +IMB_required_ver =3D '1.0.0' +libipsecmb =3D cc.find_library('IPSec_MB', required: false) +if not lib.found() + build =3D false + reason =3D 'missing dependency, "libIPSec_MB"' +else + ext_deps +=3D libipsecmb +endif + # The driver should not build if both compression and crypto are disabled #FIXME common code depends on compression files so check only compress! if not qat_compress # and not qat_crypto diff --git a/drivers/crypto/qat/qat_sym_session.c b/drivers/crypto/qat/qat_= sym_session.c index 9d6a19c0be..05a11db750 100644 --- a/drivers/crypto/qat/qat_sym_session.c +++ b/drivers/crypto/qat/qat_sym_session.c @@ -6,6 +6,7 @@ #include /* Needed to calculate pre-compute values = */ #include /* Needed to calculate pre-compute values = */ #include /* Needed for bpi runt block processing */ +#include #include #include @@ -1057,139 +1058,73 @@ static int qat_hash_get_block_size(enum icp_qat_hw= _auth_algo qat_hash_alg) return -EFAULT; } -static int partial_hash_sha1(uint8_t *data_in, uint8_t *data_out) -{ - SHA_CTX ctx; - - if (!SHA1_Init(&ctx)) - return -EFAULT; - SHA1_Transform(&ctx, data_in); - rte_memcpy(data_out, &ctx, SHA_DIGEST_LENGTH); - return 0; -} - -static int partial_hash_sha224(uint8_t *data_in, uint8_t *data_out) -{ - SHA256_CTX ctx; - - if (!SHA224_Init(&ctx)) - return -EFAULT; - SHA256_Transform(&ctx, data_in); - rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH); - return 0; -} - -static int partial_hash_sha256(uint8_t *data_in, uint8_t *data_out) -{ - SHA256_CTX ctx; - - if (!SHA256_Init(&ctx)) - return -EFAULT; - SHA256_Transform(&ctx, data_in); - rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH); - return 0; -} - -static int partial_hash_sha384(uint8_t *data_in, uint8_t *data_out) -{ - SHA512_CTX ctx; - - if (!SHA384_Init(&ctx)) - return -EFAULT; - SHA512_Transform(&ctx, data_in); - rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH); - return 0; -} - -static int partial_hash_sha512(uint8_t *data_in, uint8_t *data_out) -{ - SHA512_CTX ctx; - - if (!SHA512_Init(&ctx)) - return -EFAULT; - SHA512_Transform(&ctx, data_in); - rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH); - return 0; -} - -static int partial_hash_md5(uint8_t *data_in, uint8_t *data_out) -{ - MD5_CTX ctx; - - if (!MD5_Init(&ctx)) - return -EFAULT; - MD5_Transform(&ctx, data_in); - rte_memcpy(data_out, &ctx, MD5_DIGEST_LENGTH); - - return 0; -} - static int partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg, uint8_t *data_in, uint8_t *data_out) { + IMB_MGR *m; + uint32_t *hash_state_out_be32; + uint64_t *hash_state_out_be64; int digest_size; uint8_t digest[qat_hash_get_digest_size( ICP_QAT_HW_AUTH_ALGO_DELIMITER)]; - uint32_t *hash_state_out_be32; - uint64_t *hash_state_out_be64; int i; + hash_state_out_be32 =3D (uint32_t *)data_out; + hash_state_out_be64 =3D (uint64_t *)data_out; + /* Initialize to avoid gcc warning */ memset(digest, 0, sizeof(digest)); digest_size =3D qat_hash_get_digest_size(hash_alg); if (digest_size <=3D 0) return -EFAULT; + m =3D alloc_mb_mgr(0); + if (m =3D=3D NULL) + return -ENOMEM; - hash_state_out_be32 =3D (uint32_t *)data_out; - hash_state_out_be64 =3D (uint64_t *)data_out; + init_mb_mgr_auto(m, NULL); switch (hash_alg) { case ICP_QAT_HW_AUTH_ALGO_SHA1: - if (partial_hash_sha1(data_in, digest)) - return -EFAULT; + IMB_SHA1_ONE_BLOCK(m, data_in, digest); for (i =3D 0; i < digest_size >> 2; i++, hash_state_out_be= 32++) *hash_state_out_be32 =3D rte_bswap32(*(((uint32_t *)digest)+i)); break; case ICP_QAT_HW_AUTH_ALGO_SHA224: - if (partial_hash_sha224(data_in, digest)) - return -EFAULT; + IMB_SHA224_ONE_BLOCK(m, data_in, digest); for (i =3D 0; i < digest_size >> 2; i++, hash_state_out_be= 32++) *hash_state_out_be32 =3D rte_bswap32(*(((uint32_t *)digest)+i)); break; case ICP_QAT_HW_AUTH_ALGO_SHA256: - if (partial_hash_sha256(data_in, digest)) - return -EFAULT; + IMB_SHA256_ONE_BLOCK(m, data_in, digest); for (i =3D 0; i < digest_size >> 2; i++, hash_state_out_be= 32++) *hash_state_out_be32 =3D rte_bswap32(*(((uint32_t *)digest)+i)); break; case ICP_QAT_HW_AUTH_ALGO_SHA384: - if (partial_hash_sha384(data_in, digest)) - return -EFAULT; + IMB_SHA384_ONE_BLOCK(m, data_in, digest); for (i =3D 0; i < digest_size >> 3; i++, hash_state_out_be= 64++) *hash_state_out_be64 =3D rte_bswap64(*(((uint64_t *)digest)+i)); break; case ICP_QAT_HW_AUTH_ALGO_SHA512: - if (partial_hash_sha512(data_in, digest)) - return -EFAULT; + IMB_SHA512_ONE_BLOCK(m, data_in, digest); for (i =3D 0; i < digest_size >> 3; i++, hash_state_out_be= 64++) *hash_state_out_be64 =3D rte_bswap64(*(((uint64_t *)digest)+i)); break; case ICP_QAT_HW_AUTH_ALGO_MD5: - if (partial_hash_md5(data_in, data_out)) - return -EFAULT; + IMB_MD5_ONE_BLOCK(m, data_in, data_out); break; default: QAT_LOG(ERR, "invalid hash alg %u", hash_alg); return -EFAULT; } + free_mb_mgr(m); return 0; } #define HMAC_IPAD_VALUE 0x36 -- 2.32.0 --_000_CO1PR10MB47569F996E04857C09B1F80084F59CO1PR10MB4756namp_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hello,

 

Can I know the stat= us of this patch, and the possible impact on any existing applications beca= use the partial hash is switched from OpenSSL to intel-ipsec-mb which is no= t under FIPS certification?

 

Thanks!<= /span>

Changchun

 

From: Changchun Zhang <= ;changchun.zhang@oracle.com>
Date: Thursday, April 14, 2022 at 2:46 PM
To: Fan Zhang <roy.fan.zhang@intel.com>, dev@dpdk.org <dev@= dpdk.org>
Cc: kai.ji@intel.com <kai.ji@intel.com>, gakhil@marvell.com &l= t;gakhil@marvell.com>, pablo.de.lara.guarch@intel.com <pablo.de.lara.= guarch@intel.com>, Fan Zhang <roy.fan.zhang@intel.com>
Subject: Re: [External] : [PATCH] crypto/qat: use intel-ipsec-mb for= partial hash

Hi Fan,=

 <= /o:p>

Does it mean the in= tel-ipsec-mb would be prerequisite of applying QAT offloading for security = application? It this is the case, as I know, the intel-ipsec-mb has no FIPS= certification yet. Thus I am thinking this would impact existing QAT based security application, right?

 <= /o:p>

Best Regards,

Changchun Zhang

 <= /o:p>

From: Fan Zhang <roy.f= an.zhang@intel.com>
Date: Thursday, April 7, 2022 at 11:29 AM
To: dev@dpdk.org <dev@dpdk.org>
Cc: kai.ji@intel.com <kai.ji@intel.com>, gakhil@marvell.com &l= t;gakhil@marvell.com>, pablo.de.lara.guarch@intel.com <pablo.de.lara.= guarch@intel.com>, Fan Zhang <roy.fan.zhang@intel.com>
Subject: [External] : [PATCH] crypto/qat: use intel-ipsec-mb for par= tial hash

Since openssl 3.0 now deprecates the low level API QAT required= to
perform partial hash operation when creating the session. This
patch is to transfer such dependency from openssl to intel-ipsec-mb.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 drivers/common/qat/meson.build       |&= nbsp; 10 +++
 drivers/crypto/qat/qat_sym_session.c | 101 +++++---------------------= -
 2 files changed, 28 insertions(+), 83 deletions(-)

diff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.buil= d
index b7027f3164..d35fc69d96 100644
--- a/drivers/common/qat/meson.build
+++ b/drivers/common/qat/meson.build
@@ -35,6 +35,16 @@ if qat_crypto and not libcrypto.found()
             'm= issing dependency, libcrypto')
 endif
 
+
+IMB_required_ver =3D '1.0.0'
+libipsecmb =3D cc.find_library('IPSec_MB', required: false)
+if not lib.found()
+    build =3D false
+    reason =3D 'missing dependency, "libIPSec_MB"= '
+else
+    ext_deps +=3D libipsecmb
+endif
+
 # The driver should not build if both compression and crypto are disa= bled
 #FIXME common code depends on compression files so check only compres= s!
 if not qat_compress # and not qat_crypto
diff --git a/drivers/crypto/qat/qat_sym_session.c b/drivers/crypto/qat/qat_= sym_session.c
index 9d6a19c0be..05a11db750 100644
--- a/drivers/crypto/qat/qat_sym_session.c
+++ b/drivers/crypto/qat/qat_sym_session.c
@@ -6,6 +6,7 @@
 #include <openssl/aes.h>      &nb= sp; /* Needed to calculate pre-compute values */
 #include <openssl/md5.h>      &nb= sp; /* Needed to calculate pre-compute values */
 #include <openssl/evp.h>      &nb= sp; /* Needed for bpi runt block processing */
+#include <intel-ipsec-mb.h>
 
 #include <rte_memcpy.h>
 #include <rte_common.h>
@@ -1057,139 +1058,73 @@ static int qat_hash_get_block_size(enum icp_qat_hw= _auth_algo qat_hash_alg)
         return -EFAULT;
 }
 
-static int partial_hash_sha1(uint8_t *data_in, uint8_t *data_out)
-{
-       SHA_CTX ctx;
-
-       if (!SHA1_Init(&ctx))
-            &n= bsp;  return -EFAULT;
-       SHA1_Transform(&ctx, data_in); -       rte_memcpy(data_out, &ctx, SHA_DI= GEST_LENGTH);
-       return 0;
-}
-
-static int partial_hash_sha224(uint8_t *data_in, uint8_t *data_out)
-{
-       SHA256_CTX ctx;
-
-       if (!SHA224_Init(&ctx))
-            &n= bsp;  return -EFAULT;
-       SHA256_Transform(&ctx, data_in);<= br> -       rte_memcpy(data_out, &ctx, SHA256= _DIGEST_LENGTH);
-       return 0;
-}
-
-static int partial_hash_sha256(uint8_t *data_in, uint8_t *data_out)
-{
-       SHA256_CTX ctx;
-
-       if (!SHA256_Init(&ctx))
-            &n= bsp;  return -EFAULT;
-       SHA256_Transform(&ctx, data_in);<= br> -       rte_memcpy(data_out, &ctx, SHA256= _DIGEST_LENGTH);
-       return 0;
-}
-
-static int partial_hash_sha384(uint8_t *data_in, uint8_t *data_out)
-{
-       SHA512_CTX ctx;
-
-       if (!SHA384_Init(&ctx))
-            &n= bsp;  return -EFAULT;
-       SHA512_Transform(&ctx, data_in);<= br> -       rte_memcpy(data_out, &ctx, SHA512= _DIGEST_LENGTH);
-       return 0;
-}
-
-static int partial_hash_sha512(uint8_t *data_in, uint8_t *data_out)
-{
-       SHA512_CTX ctx;
-
-       if (!SHA512_Init(&ctx))
-            &n= bsp;  return -EFAULT;
-       SHA512_Transform(&ctx, data_in);<= br> -       rte_memcpy(data_out, &ctx, SHA512= _DIGEST_LENGTH);
-       return 0;
-}
-
-static int partial_hash_md5(uint8_t *data_in, uint8_t *data_out)
-{
-       MD5_CTX ctx;
-
-       if (!MD5_Init(&ctx))
-            &n= bsp;  return -EFAULT;
-       MD5_Transform(&ctx, data_in);
-       rte_memcpy(data_out, &ctx, MD5_DI= GEST_LENGTH);
-
-       return 0;
-}
-
 static int
 partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg,
            &nb= sp;    uint8_t *data_in, uint8_t *data_out)
 {
+       IMB_MGR *m;
+       uint32_t *hash_state_out_be32;
+       uint64_t *hash_state_out_be64;
         int digest_size;
         uint8_t digest[qat_hash_ge= t_digest_size(
            &nb= sp;            ICP_Q= AT_HW_AUTH_ALGO_DELIMITER)];
-       uint32_t *hash_state_out_be32;
-       uint64_t *hash_state_out_be64;
         int i;
 
+       hash_state_out_be32 =3D (uint32_t *)d= ata_out;
+       hash_state_out_be64 =3D (uint64_t *)d= ata_out;
+
         /* Initialize to avoid gcc= warning */
         memset(digest, 0, sizeof(d= igest));
 
         digest_size =3D qat_hash_g= et_digest_size(hash_alg);
         if (digest_size <=3D 0)=
            &nb= sp;    return -EFAULT;
+       m =3D alloc_mb_mgr(0);
+       if (m =3D=3D NULL)
+            &n= bsp;  return -ENOMEM;
 
-       hash_state_out_be32 =3D (uint32_t *)d= ata_out;
-       hash_state_out_be64 =3D (uint64_t *)d= ata_out;
+       init_mb_mgr_auto(m, NULL);
 
         switch (hash_alg) {
         case ICP_QAT_HW_AUTH_ALGO_= SHA1:
-            &n= bsp;  if (partial_hash_sha1(data_in, digest))
-            &n= bsp;          return -EFAULT;<= br> +            &n= bsp;  IMB_SHA1_ONE_BLOCK(m, data_in, digest);
            &nb= sp;    for (i =3D 0; i < digest_size >> 2; i++, has= h_state_out_be32++)
            &nb= sp;            *hash= _state_out_be32 =3D
            &nb= sp;            =         rte_bswap32(*(((uint32_t *)diges= t)+i));
            &nb= sp;    break;
         case ICP_QAT_HW_AUTH_ALGO_= SHA224:
-            &n= bsp;  if (partial_hash_sha224(data_in, digest))
-            &n= bsp;          return -EFAULT;<= br> +            &n= bsp;  IMB_SHA224_ONE_BLOCK(m, data_in, digest);
            &nb= sp;    for (i =3D 0; i < digest_size >> 2; i++, has= h_state_out_be32++)
            &nb= sp;            *hash= _state_out_be32 =3D
            &nb= sp;            =         rte_bswap32(*(((uint32_t *)diges= t)+i));
            &nb= sp;    break;
         case ICP_QAT_HW_AUTH_ALGO_= SHA256:
-            &n= bsp;  if (partial_hash_sha256(data_in, digest))
-            &n= bsp;          return -EFAULT;<= br> +            &n= bsp;  IMB_SHA256_ONE_BLOCK(m, data_in, digest);
            &nb= sp;    for (i =3D 0; i < digest_size >> 2; i++, has= h_state_out_be32++)
            &nb= sp;            *hash= _state_out_be32 =3D
            &nb= sp;            =         rte_bswap32(*(((uint32_t *)diges= t)+i));
            &nb= sp;    break;
         case ICP_QAT_HW_AUTH_ALGO_= SHA384:
-            &n= bsp;  if (partial_hash_sha384(data_in, digest))
-            &n= bsp;          return -EFAULT;<= br> +            &n= bsp;  IMB_SHA384_ONE_BLOCK(m, data_in, digest);
            &nb= sp;    for (i =3D 0; i < digest_size >> 3; i++, has= h_state_out_be64++)
            &nb= sp;            *hash= _state_out_be64 =3D
            &nb= sp;            =         rte_bswap64(*(((uint64_t *)diges= t)+i));
            &nb= sp;    break;
         case ICP_QAT_HW_AUTH_ALGO_= SHA512:
-            &n= bsp;  if (partial_hash_sha512(data_in, digest))
-            &n= bsp;          return -EFAULT;<= br> +            &n= bsp;  IMB_SHA512_ONE_BLOCK(m, data_in, digest);
            &nb= sp;    for (i =3D 0; i < digest_size >> 3; i++, has= h_state_out_be64++)
            &nb= sp;            *hash= _state_out_be64 =3D
            &nb= sp;            =         rte_bswap64(*(((uint64_t *)diges= t)+i));
            &nb= sp;    break;
         case ICP_QAT_HW_AUTH_ALGO_= MD5:
-            &n= bsp;  if (partial_hash_md5(data_in, data_out))
-            &n= bsp;          return -EFAULT;<= br> +            &n= bsp;  IMB_MD5_ONE_BLOCK(m, data_in, data_out);
            &nb= sp;    break;
         default:
            &nb= sp;    QAT_LOG(ERR, "invalid hash alg %u", hash_al= g);
            &nb= sp;    return -EFAULT;
         }
 
+       free_mb_mgr(m);
         return 0;
 }
 #define HMAC_IPAD_VALUE 0x36
--
2.32.0

--_000_CO1PR10MB47569F996E04857C09B1F80084F59CO1PR10MB4756namp_--