DPDK patches and discussions
* [dpdk-dev] [PATCH v2 0/9] add OCTEON TX2 lookaside IPsec support
@ 2020-07-15  9:26 Tejasree Kondoj
  2020-07-15  9:26 ` [dpdk-dev] [PATCH v2 1/9] crypto/octeontx2: move capabilities initialization into probe Tejasree Kondoj
                   ` (8 more replies)
  0 siblings, 9 replies; 14+ messages in thread
From: Tejasree Kondoj @ 2020-07-15  9:26 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Tejasree Kondoj, Narayana Prasad, Anoob Joseph, Vamsi Attunuru, dev

This series adds lookaside IPsec support in OCTEON TX2 PMD.

Features supported:
* IPv4
* ESP
* Tunnel mode
* AES-128/192/256-GCM

v2:
* Updated PMD documentation and release notes
* Moved capabilities initialization into probe
* Added patch description to all patches
* Renamed a few structures and macros
* Cosmetics and code style fixes

Tejasree Kondoj (5):
  crypto/octeontx2: move capabilities initialization into probe
  net/octeontx2: move otx2_sec_session struct to otx2_security.h
  crypto/octeontx2: add lookaside SA context definitions
  crypto/octeontx2: add cryptodev sec registration
  crypto/octeontx2: add cryptodev sec capabilities

Vamsi Attunuru (4):
  crypto/octeontx2: add cryptodev sec misc callbacks
  crypto/octeontx2: add cryptodev sec session create
  crypto/octeontx2: add cryptodev sec enqueue routine
  crypto/octeontx2: add cryptodev sec dequeue routine

 doc/guides/cryptodevs/octeontx2.rst           |  19 +
 doc/guides/rel_notes/release_20_08.rst        |   5 +
 drivers/crypto/octeontx2/Makefile             |   1 +
 drivers/crypto/octeontx2/meson.build          |   3 +-
 drivers/crypto/octeontx2/otx2_cryptodev.c     |  15 +-
 drivers/crypto/octeontx2/otx2_cryptodev.h     |   8 +
 .../octeontx2/otx2_cryptodev_capabilities.c   | 110 +++-
 .../octeontx2/otx2_cryptodev_capabilities.h   |  21 +-
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c |  75 ++-
 drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 540 ++++++++++++++++++
 drivers/crypto/octeontx2/otx2_cryptodev_sec.h |  64 +++
 drivers/crypto/octeontx2/otx2_ipsec_po.h      | 441 ++++++++++++++
 drivers/crypto/octeontx2/otx2_ipsec_po_ops.h  | 175 ++++++
 drivers/crypto/octeontx2/otx2_security.h      |  31 +
 drivers/net/octeontx2/otx2_ethdev_sec.c       |  24 +-
 drivers/net/octeontx2/otx2_ethdev_sec.h       |  11 +-
 drivers/net/octeontx2/otx2_ethdev_sec_tx.h    |   1 +
 17 files changed, 1510 insertions(+), 34 deletions(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_sec.c
 create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_sec.h
 create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_po.h
 create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
 create mode 100644 drivers/crypto/octeontx2/otx2_security.h

-- 
2.27.0



* [dpdk-dev] [PATCH v2 1/9] crypto/octeontx2: move capabilities initialization into probe
  2020-07-15  9:26 [dpdk-dev] [PATCH v2 0/9] add OCTEON TX2 lookaside IPsec support Tejasree Kondoj
@ 2020-07-15  9:26 ` Tejasree Kondoj
  2020-07-15  9:26 ` [dpdk-dev] [PATCH v2 2/9] net/octeontx2: move otx2_sec_session struct to otx2_security.h Tejasree Kondoj
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 14+ messages in thread
From: Tejasree Kondoj @ 2020-07-15  9:26 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Tejasree Kondoj, Narayana Prasad, Anoob Joseph, Vamsi Attunuru, dev

This patch moves capabilities initialization into probe.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 drivers/crypto/octeontx2/otx2_cryptodev.c              | 2 ++
 drivers/crypto/octeontx2/otx2_cryptodev_capabilities.c | 9 ++++++---
 drivers/crypto/octeontx2/otx2_cryptodev_capabilities.h | 8 +++++++-
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c          | 2 +-
 4 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/drivers/crypto/octeontx2/otx2_cryptodev.c b/drivers/crypto/octeontx2/otx2_cryptodev.c
index 9aa0fe35b4..a51d532553 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev.c
@@ -101,6 +101,8 @@ otx2_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
 		goto otx2_dev_fini;
 	}
 
+	otx2_crypto_capabilities_init(vf->hw_caps);
+
 	dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO |
 			     RTE_CRYPTODEV_FF_HW_ACCELERATED |
 			     RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING |
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.c b/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.c
index f6f4dee6cf..f0ed1e2df9 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.c
@@ -737,10 +737,9 @@ cpt_caps_add(const struct rte_cryptodev_capabilities *caps, int nb_caps)
 	cur_pos += nb_caps;
 }
 
-const struct rte_cryptodev_capabilities *
-otx2_cpt_capabilities_get(union cpt_eng_caps *hw_caps)
+void
+otx2_crypto_capabilities_init(union cpt_eng_caps *hw_caps)
 {
-
 	CPT_CAPS_ADD(hw_caps, mul);
 	CPT_CAPS_ADD(hw_caps, sha1_sha2);
 	CPT_CAPS_ADD(hw_caps, chacha20);
@@ -751,6 +750,10 @@ otx2_cpt_capabilities_get(union cpt_eng_caps *hw_caps)
 
 	cpt_caps_add(caps_null, RTE_DIM(caps_null));
 	cpt_caps_add(caps_end, RTE_DIM(caps_end));
+}
 
+const struct rte_cryptodev_capabilities *
+otx2_cpt_capabilities_get(void)
+{
 	return otx2_cpt_caps;
 }
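Review bot: otx2_cpt_capabilities_get(void) now returns the single file-scope otx2_cpt_caps table for every device, while otx2_crypto_capabilities_init() fills that table from a per-VF vf->hw_caps at probe time. cpt_caps_add() appends at cur_pos, so probing a second VF runs the CPT_CAPS_ADD sequence against the same table again. Please guard the init so it runs once, or keep the table per device if VFs can report different engine capabilities.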
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.h b/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.h
index e07a2a8c92..a439cbefd3 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.h
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.h
@@ -16,11 +16,17 @@ enum otx2_cpt_egrp {
 	OTX2_CPT_EGRP_MAX,
 };
 
+/*
+ * Initialize crypto capabilities for the device
+ *
+ */
+void otx2_crypto_capabilities_init(union cpt_eng_caps *hw_caps);
+
 /*
  * Get capabilities list for the device
  *
  */
 const struct rte_cryptodev_capabilities *
-otx2_cpt_capabilities_get(union cpt_eng_caps *hw_caps);
+otx2_cpt_capabilities_get(void);
 
 #endif /* _OTX2_CRYPTODEV_CAPABILITIES_H_ */
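Review bot: The new comment on otx2_crypto_capabilities_init() does not state the ordering requirement this change introduces. otx2_cpt_capabilities_get() no longer takes hw_caps, so it only returns a populated list once init has been called from probe. Please say so in the comment, and note whether init may be called more than once.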
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index a3703682a0..229b719b42 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -1071,7 +1071,7 @@ otx2_cpt_dev_info_get(struct rte_cryptodev *dev,
 	if (info != NULL) {
 		info->max_nb_queue_pairs = vf->max_queues;
 		info->feature_flags = dev->feature_flags;
-		info->capabilities = otx2_cpt_capabilities_get(vf->hw_caps);
+		info->capabilities = otx2_cpt_capabilities_get();
 		info->sym.max_nb_sessions = 0;
 		info->driver_id = otx2_cryptodev_driver_id;
 		info->min_mbuf_headroom_req = OTX2_CPT_MIN_HEADROOM_REQ;
-- 
2.27.0



* [dpdk-dev] [PATCH v2 2/9] net/octeontx2: move otx2_sec_session struct to otx2_security.h
  2020-07-15  9:26 [dpdk-dev] [PATCH v2 0/9] add OCTEON TX2 lookaside IPsec support Tejasree Kondoj
  2020-07-15  9:26 ` [dpdk-dev] [PATCH v2 1/9] crypto/octeontx2: move capabilities initialization into probe Tejasree Kondoj
@ 2020-07-15  9:26 ` Tejasree Kondoj
  2020-07-15  9:26 ` [dpdk-dev] [PATCH v2 3/9] crypto/octeontx2: add lookaside SA context definitions Tejasree Kondoj
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 14+ messages in thread
From: Tejasree Kondoj @ 2020-07-15  9:26 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Tejasree Kondoj, Narayana Prasad, Anoob Joseph, Vamsi Attunuru, dev

This patch moves otx2_sec_session structure to otx2_security.h
to make it common for inline and lookaside protocol.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 drivers/crypto/octeontx2/otx2_security.h   | 20 ++++++++++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.c    |  1 +
 drivers/net/octeontx2/otx2_ethdev_sec.h    | 10 ----------
 drivers/net/octeontx2/otx2_ethdev_sec_tx.h |  1 +
 4 files changed, 22 insertions(+), 10 deletions(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_security.h

diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
new file mode 100644
index 0000000000..9790c709d6
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -0,0 +1,20 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2020 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_SECURITY_H__
+#define __OTX2_SECURITY_H__
+
+#include "otx2_ethdev_sec.h"
+
+union otx2_sec_session_ipsec {
+	struct otx2_sec_session_ipsec_ip ip;
+};
+
+struct otx2_sec_session {
+	union otx2_sec_session_ipsec ipsec;
+	void *userdata;
+	/**< Userdata registered by the application */
+} __rte_cache_aligned;
+
+#endif /* __OTX2_SECURITY_H__ */
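Review bot: The commit message describes a move, but otx2_sec_session_ipsec is a struct in otx2_ethdev_sec.h and becomes "union otx2_sec_session_ipsec" here, which changes the type tag for any code that names it. Please mention the struct-to-union change in the commit message. This header also lives under drivers/crypto/octeontx2 yet includes otx2_ethdev_sec.h from the net driver, and it uses __rte_cache_aligned without including the header that defines it, so it relies on transitive includes.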
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index 5f6140f70b..c2ad32cf0c 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -19,6 +19,7 @@
 #include "otx2_ethdev_sec.h"
 #include "otx2_ipsec_fp.h"
 #include "otx2_sec_idev.h"
+#include "otx2_security.h"
 
 #define AH_HDR_LEN	12
 #define AES_GCM_IV_LEN	8
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.h b/drivers/net/octeontx2/otx2_ethdev_sec.h
index e24358a05a..22025d0d0c 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.h
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.h
@@ -116,16 +116,6 @@ struct otx2_sec_session_ipsec_ip {
 	struct otx2_cpt_qp *qp;
 };
 
-struct otx2_sec_session_ipsec {
-	struct otx2_sec_session_ipsec_ip ip;
-};
-
-struct otx2_sec_session {
-	struct otx2_sec_session_ipsec ipsec;
-	void *userdata;
-	/**< Userdata registered by the application */
-} __rte_cache_aligned;
-
 int otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev);
 
 void otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev);
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec_tx.h b/drivers/net/octeontx2/otx2_ethdev_sec_tx.h
index 2e35a8c773..f8130ca624 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec_tx.h
+++ b/drivers/net/octeontx2/otx2_ethdev_sec_tx.h
@@ -9,6 +9,7 @@
 #include <rte_mbuf.h>
 
 #include "otx2_ethdev_sec.h"
+#include "otx2_security.h"
 
 struct otx2_ipsec_fp_out_hdr {
 	uint32_t ip_id;
-- 
2.27.0



* [dpdk-dev] [PATCH v2 3/9] crypto/octeontx2: add lookaside SA context definitions
  2020-07-15  9:26 [dpdk-dev] [PATCH v2 0/9] add OCTEON TX2 lookaside IPsec support Tejasree Kondoj
  2020-07-15  9:26 ` [dpdk-dev] [PATCH v2 1/9] crypto/octeontx2: move capabilities initialization into probe Tejasree Kondoj
  2020-07-15  9:26 ` [dpdk-dev] [PATCH v2 2/9] net/octeontx2: move otx2_sec_session struct to otx2_security.h Tejasree Kondoj
@ 2020-07-15  9:26 ` Tejasree Kondoj
  2020-07-15  9:26 ` [dpdk-dev] [PATCH v2 4/9] crypto/octeontx2: add cryptodev sec registration Tejasree Kondoj
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 14+ messages in thread
From: Tejasree Kondoj @ 2020-07-15  9:26 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Tejasree Kondoj, Narayana Prasad, Anoob Joseph, Vamsi Attunuru, dev

This patch adds lookaside IPsec SA context definitions.

Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 drivers/crypto/octeontx2/otx2_cryptodev_sec.h |  58 +++++++++
 drivers/crypto/octeontx2/otx2_ipsec_po.h      | 110 ++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.h      |   2 +
 drivers/net/octeontx2/otx2_ethdev_sec.h       |   1 +
 4 files changed, 171 insertions(+)
 create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_sec.h
 create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_po.h

diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.h b/drivers/crypto/octeontx2/otx2_cryptodev_sec.h
new file mode 100644
index 0000000000..253f62d873
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.h
@@ -0,0 +1,58 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2020 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_CRYPTODEV_SEC_H__
+#define __OTX2_CRYPTODEV_SEC_H__
+
+#include "otx2_ipsec_po.h"
+
+struct otx2_sec_session_ipsec_lp {
+	RTE_STD_C11
+	union {
+		/* Inbound SA */
+		struct otx2_ipsec_po_in_sa in_sa;
+		/* Outbound SA */
+		struct otx2_ipsec_po_out_sa out_sa;
+	};
+
+	uint64_t ucmd_w3;
+	union {
+		uint64_t ucmd_w0;
+		struct {
+			uint16_t ucmd_dlen;
+			uint16_t ucmd_param2;
+			uint16_t ucmd_param1;
+			uint16_t ucmd_opcode;
+		};
+	};
+
+	uint8_t partial_len;
+	uint8_t roundup_len;
+	uint8_t roundup_byte;
+	uint16_t ip_id;
+	union {
+		uint64_t esn;
+		struct {
+			uint32_t seq_lo;
+			uint32_t seq_hi;
+		};
+	};
+
+	/** Context length in 8-byte words */
+	size_t ctx_len;
+	/** Auth IV offset in bytes */
+	uint16_t auth_iv_offset;
+	/** IV offset in bytes */
+	uint16_t iv_offset;
+	/** AAD length */
+	uint16_t aad_length;
+	/** MAC len in bytes */
+	uint8_t mac_len;
+	/** IV length in bytes */
+	uint8_t iv_length;
+	/** Auth IV length in bytes */
+	uint8_t auth_iv_length;
+};
+
+#endif /* __OTX2_CRYPTODEV_SEC_H__ */
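Review bot: In struct otx2_sec_session_ipsec_lp only the first anonymous union (in_sa/out_sa) is preceded by RTE_STD_C11; the anonymous unions and structs for ucmd_w0 and esn are not, so please mark them the same way. The ucmd_dlen/ucmd_param2/ucmd_param1/ucmd_opcode overlay on ucmd_w0 also assumes a byte order, which deserves a comment, and partial_len, roundup_len and roundup_byte have no description at all while the fields after them do.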
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h
new file mode 100644
index 0000000000..217dfeaff0
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h
@@ -0,0 +1,110 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2020 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_IPSEC_PO_H__
+#define __OTX2_IPSEC_PO_H__
+
+#include <rte_crypto_sym.h>
+#include <rte_ip.h>
+#include <rte_security.h>
+
+union otx2_ipsec_po_bit_perfect_iv {
+	uint8_t aes_iv[16];
+	uint8_t des_iv[8];
+	struct {
+		uint8_t nonce[4];
+		uint8_t iv[8];
+		uint8_t counter[4];
+	} gcm;
+};
+
+struct otx2_ipsec_po_traffic_selector {
+	rte_be16_t src_port[2];
+	rte_be16_t dst_port[2];
+	RTE_STD_C11
+	union {
+		struct {
+			rte_be32_t src_addr[2];
+			rte_be32_t dst_addr[2];
+		} ipv4;
+		struct {
+			uint8_t src_addr[32];
+			uint8_t dst_addr[32];
+		} ipv6;
+	};
+};
+
+struct otx2_ipsec_po_sa_ctl {
+	rte_be32_t spi          : 32;
+	uint64_t exp_proto_inter_frag : 8;
+	uint64_t rsvd_42_40   : 3;
+	uint64_t esn_en       : 1;
+	uint64_t rsvd_45_44   : 2;
+	uint64_t encap_type   : 2;
+	uint64_t enc_type     : 3;
+	uint64_t rsvd_48      : 1;
+	uint64_t auth_type    : 4;
+	uint64_t valid        : 1;
+	uint64_t direction    : 1;
+	uint64_t outer_ip_ver : 1;
+	uint64_t inner_ip_ver : 1;
+	uint64_t ipsec_mode   : 1;
+	uint64_t ipsec_proto  : 1;
+	uint64_t aes_key_len  : 2;
+};
+
+struct otx2_ipsec_po_in_sa {
+	/* w0 */
+	struct otx2_ipsec_po_sa_ctl ctl;
+
+	/* w1-w4 */
+	uint8_t cipher_key[32];
+
+	/* w5-w6 */
+	union otx2_ipsec_po_bit_perfect_iv iv;
+
+	/* w7 */
+	uint32_t esn_hi;
+	uint32_t esn_low;
+
+	/* w8 */
+	uint8_t udp_encap[8];
+
+	/* w9-w23 */
+	struct {
+		uint8_t hmac_key[48];
+		struct otx2_ipsec_po_traffic_selector selector;
+	} aes_gcm;
+};
+
+struct otx2_ipsec_po_ip_template {
+	RTE_STD_C11
+	union {
+		uint8_t raw[252];
+		struct rte_ipv4_hdr ipv4_hdr;
+		struct rte_ipv6_hdr ipv6_hdr;
+	};
+};
+
+struct otx2_ipsec_po_out_sa {
+	/* w0 */
+	struct otx2_ipsec_po_sa_ctl ctl;
+
+	/* w1-w4 */
+	uint8_t cipher_key[32];
+
+	/* w5-w6 */
+	union otx2_ipsec_po_bit_perfect_iv iv;
+
+	/* w7 */
+	uint32_t esn_hi;
+	uint32_t esn_low;
+
+	/* w8-w39 */
+	struct otx2_ipsec_po_ip_template template;
+	uint16_t udp_src;
+	uint16_t udp_dst;
+};
+
+#endif /* __OTX2_IPSEC_PO_H__ */
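Review bot: struct otx2_ipsec_po_sa_ctl is used as word w0 of both SA structs but mixes "rte_be32_t spi : 32" with uint64_t bit-fields, and how bit-fields of different declared types pack is implementation-defined. Please add a build-time size check (for example RTE_BUILD_BUG_ON on sizeof(struct otx2_ipsec_po_sa_ctl) != 8) or declare every field with one base type. The reserved-field naming also looks off: counting up from spi, enc_type covers bits 48 to 50, so the one-bit field named rsvd_48 would sit at bit 51. Since cipher_key and hmac_key hold raw key material, the session destroy path added later in the series should zero these structures before the memory is released.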
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index 9790c709d6..9b4fe263c4 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -5,10 +5,12 @@
 #ifndef __OTX2_SECURITY_H__
 #define __OTX2_SECURITY_H__
 
+#include "otx2_cryptodev_sec.h"
 #include "otx2_ethdev_sec.h"
 
 union otx2_sec_session_ipsec {
 	struct otx2_sec_session_ipsec_ip ip;
+	struct otx2_sec_session_ipsec_lp lp;
 };
 
 struct otx2_sec_session {
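Review bot: Adding lp to union otx2_sec_session_ipsec makes every struct otx2_sec_session at least as large as the lookaside SA, and struct otx2_ipsec_po_out_sa alone carries a 252-byte IP template plus a 32-byte cipher key. Inline sessions created by the net driver use the same type, so their per-session footprint grows as well. Please confirm that is intended and note it in the commit message, or size the two session kinds separately.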
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.h b/drivers/net/octeontx2/otx2_ethdev_sec.h
index 22025d0d0c..298b00bf89 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.h
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.h
@@ -8,6 +8,7 @@
 #include <rte_ethdev.h>
 
 #include "otx2_ipsec_fp.h"
+#include "otx2_ipsec_po.h"
 
 #define OTX2_CPT_RES_ALIGN		16
 #define OTX2_NIX_SEND_DESC_ALIGN	16
-- 
2.27.0



* [dpdk-dev] [PATCH v2 4/9] crypto/octeontx2: add cryptodev sec registration
  2020-07-15  9:26 [dpdk-dev] [PATCH v2 0/9] add OCTEON TX2 lookaside IPsec support Tejasree Kondoj
                   ` (2 preceding siblings ...)
  2020-07-15  9:26 ` [dpdk-dev] [PATCH v2 3/9] crypto/octeontx2: add lookaside SA context definitions Tejasree Kondoj
@ 2020-07-15  9:26 ` Tejasree Kondoj
  2020-07-15 16:57   ` Akhil Goyal
  2020-07-15  9:26 ` [dpdk-dev] [PATCH v2 5/9] crypto/octeontx2: add cryptodev sec capabilities Tejasree Kondoj
                   ` (4 subsequent siblings)
  8 siblings, 1 reply; 14+ messages in thread
From: Tejasree Kondoj @ 2020-07-15  9:26 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Tejasree Kondoj, Narayana Prasad, Anoob Joseph, Vamsi Attunuru, dev

This patch registers security operations with cryptodev.

Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 drivers/crypto/octeontx2/Makefile             |  1 +
 drivers/crypto/octeontx2/meson.build          |  3 +-
 drivers/crypto/octeontx2/otx2_cryptodev.c     | 12 ++++-
 drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 46 +++++++++++++++++++
 drivers/crypto/octeontx2/otx2_cryptodev_sec.h |  6 +++
 5 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_sec.c

diff --git a/drivers/crypto/octeontx2/Makefile b/drivers/crypto/octeontx2/Makefile
index 5f9a6a0e3f..14152c6117 100644
--- a/drivers/crypto/octeontx2/Makefile
+++ b/drivers/crypto/octeontx2/Makefile
@@ -38,6 +38,7 @@ SRCS-$(CONFIG_RTE_LIBRTE_PMD_OCTEONTX2_CRYPTO) += otx2_cryptodev_capabilities.c
 SRCS-$(CONFIG_RTE_LIBRTE_PMD_OCTEONTX2_CRYPTO) += otx2_cryptodev_hw_access.c
 SRCS-$(CONFIG_RTE_LIBRTE_PMD_OCTEONTX2_CRYPTO) += otx2_cryptodev_mbox.c
 SRCS-$(CONFIG_RTE_LIBRTE_PMD_OCTEONTX2_CRYPTO) += otx2_cryptodev_ops.c
+SRCS-$(CONFIG_RTE_LIBRTE_PMD_OCTEONTX2_CRYPTO) += otx2_cryptodev_sec.c
 
 # export include files
 SYMLINK-y-include +=
diff --git a/drivers/crypto/octeontx2/meson.build b/drivers/crypto/octeontx2/meson.build
index 0948e73607..148ec184a6 100644
--- a/drivers/crypto/octeontx2/meson.build
+++ b/drivers/crypto/octeontx2/meson.build
@@ -17,7 +17,8 @@ sources = files('otx2_cryptodev.c',
 		'otx2_cryptodev_capabilities.c',
 		'otx2_cryptodev_hw_access.c',
 		'otx2_cryptodev_mbox.c',
-		'otx2_cryptodev_ops.c')
+		'otx2_cryptodev_ops.c',
+		'otx2_cryptodev_sec.c')
 
 extra_flags = []
 # This integrated controller runs only on a arm64 machine, remove 32bit warnings
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev.c b/drivers/crypto/octeontx2/otx2_cryptodev.c
index a51d532553..e9b7c1cc04 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev.c
@@ -17,6 +17,7 @@
 #include "otx2_cryptodev_capabilities.h"
 #include "otx2_cryptodev_mbox.h"
 #include "otx2_cryptodev_ops.h"
+#include "otx2_cryptodev_sec.h"
 #include "otx2_dev.h"
 
 /* CPT common headers */
@@ -103,6 +104,11 @@ otx2_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
 
 	otx2_crypto_capabilities_init(vf->hw_caps);
 
+	/* Create security ctx */
+	ret = otx2_crypto_sec_ctx_create(dev);
+	if (ret)
+		goto otx2_dev_fini;
+
 	dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO |
 			     RTE_CRYPTODEV_FF_HW_ACCELERATED |
 			     RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING |
@@ -111,7 +117,8 @@ otx2_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
 			     RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT |
 			     RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO |
 			     RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_QT |
-			     RTE_CRYPTODEV_FF_SYM_SESSIONLESS;
+			     RTE_CRYPTODEV_FF_SYM_SESSIONLESS |
+			     RTE_CRYPTODEV_FF_SECURITY;
 
 	return 0;
 
@@ -140,6 +147,9 @@ otx2_cpt_pci_remove(struct rte_pci_device *pci_dev)
 	if (dev == NULL)
 		return -ENODEV;
 
+	/* Destroy security ctx */
+	otx2_crypto_sec_ctx_destroy(dev);
+
 	return rte_cryptodev_pmd_destroy(dev);
 }
 
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
new file mode 100644
index 0000000000..d937e6f37a
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -0,0 +1,46 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2020 Marvell International Ltd.
+ */
+
+#include <rte_cryptodev.h>
+#include <rte_malloc.h>
+#include <rte_security.h>
+#include <rte_security_driver.h>
+
+#include "otx2_cryptodev_sec.h"
+
+static struct rte_security_ops otx2_crypto_sec_ops = {
+	.session_create		= NULL,
+	.session_destroy	= NULL,
+	.session_get_size	= NULL,
+	.set_pkt_metadata	= NULL,
+	.get_userdata		= NULL,
+	.capabilities_get	= NULL
+};
+
+int
+otx2_crypto_sec_ctx_create(struct rte_cryptodev *cdev)
+{
+	struct rte_security_ctx *ctx;
+
+	ctx = rte_malloc("otx2_cpt_dev_sec_ctx",
+			 sizeof(struct rte_security_ctx), 0);
+
+	if (ctx == NULL)
+		return -ENOMEM;
+
+	/* Populate ctx */
+	ctx->device = cdev;
+	ctx->ops = &otx2_crypto_sec_ops;
+	ctx->sess_cnt = 0;
+
+	cdev->security_ctx = ctx;
+
+	return 0;
+}
+
+void
+otx2_crypto_sec_ctx_destroy(struct rte_cryptodev *cdev)
+{
+	rte_free(cdev->security_ctx);
+}
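Review bot: otx2_crypto_sec_ctx_destroy() frees cdev->security_ctx but leaves the pointer set, and otx2_cpt_pci_remove() then goes on to call rte_cryptodev_pmd_destroy(dev) with that dangling pointer still in the device. Please set cdev->security_ctx = NULL after rte_free(). Nothing in this file writes to otx2_crypto_sec_ops, so it can be const. Every callback in it is still NULL at this point in the series while the probe hunk already sets RTE_CRYPTODEV_FF_SECURITY; consider advertising the flag only in the patch that adds session_create, so each commit is usable on its own.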
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.h b/drivers/crypto/octeontx2/otx2_cryptodev_sec.h
index 253f62d873..b989251e71 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.h
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.h
@@ -5,6 +5,8 @@
 #ifndef __OTX2_CRYPTODEV_SEC_H__
 #define __OTX2_CRYPTODEV_SEC_H__
 
+#include <rte_cryptodev.h>
+
 #include "otx2_ipsec_po.h"
 
 struct otx2_sec_session_ipsec_lp {
@@ -55,4 +57,8 @@ struct otx2_sec_session_ipsec_lp {
 	uint8_t auth_iv_length;
 };
 
+int otx2_crypto_sec_ctx_create(struct rte_cryptodev *crypto_dev);
+
+void otx2_crypto_sec_ctx_destroy(struct rte_cryptodev *crypto_dev);
+
 #endif /* __OTX2_CRYPTODEV_SEC_H__ */
-- 
2.27.0



* [dpdk-dev] [PATCH v2 5/9] crypto/octeontx2: add cryptodev sec capabilities
  2020-07-15  9:26 [dpdk-dev] [PATCH v2 0/9] add OCTEON TX2 lookaside IPsec support Tejasree Kondoj
                   ` (3 preceding siblings ...)
  2020-07-15  9:26 ` [dpdk-dev] [PATCH v2 4/9] crypto/octeontx2: add cryptodev sec registration Tejasree Kondoj
@ 2020-07-15  9:26 ` Tejasree Kondoj
  2020-07-15  9:27 ` [dpdk-dev] [PATCH v2 6/9] crypto/octeontx2: add cryptodev sec misc callbacks Tejasree Kondoj
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 14+ messages in thread
From: Tejasree Kondoj @ 2020-07-15  9:26 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Tejasree Kondoj, Narayana Prasad, Anoob Joseph, Vamsi Attunuru, dev

This patch adds lookaside IPsec capabilities.

Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 drivers/crypto/octeontx2/otx2_cryptodev.c     |   1 +
 .../octeontx2/otx2_cryptodev_capabilities.c   | 101 ++++++++++++++++++
 .../octeontx2/otx2_cryptodev_capabilities.h   |  13 +++
 drivers/crypto/octeontx2/otx2_cryptodev_sec.c |   4 +-
 4 files changed, 118 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/octeontx2/otx2_cryptodev.c b/drivers/crypto/octeontx2/otx2_cryptodev.c
index e9b7c1cc04..02d2fd83bd 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev.c
@@ -103,6 +103,7 @@ otx2_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
 	}
 
 	otx2_crypto_capabilities_init(vf->hw_caps);
+	otx2_crypto_sec_capabilities_init(vf->hw_caps);
 
 	/* Create security ctx */
 	ret = otx2_crypto_sec_ctx_create(dev);
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.c b/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.c
index f0ed1e2df9..80f3729995 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.c
@@ -3,7 +3,9 @@
  */
 
 #include <rte_cryptodev.h>
+#include <rte_security.h>
 
+#include "otx2_cryptodev.h"
 #include "otx2_cryptodev_capabilities.h"
 #include "otx2_mbox.h"
 
@@ -26,9 +28,18 @@
 		cpt_caps_add(caps_##name, RTE_DIM(caps_##name));	\
 } while (0)
 
+#define SEC_CAPS_ADD(hw_caps, name) do {				\
+	enum otx2_cpt_egrp egrp;					\
+	CPT_EGRP_GET(hw_caps, name, &egrp);				\
+	if (egrp < OTX2_CPT_EGRP_MAX)					\
+		sec_caps_add(sec_caps_##name, RTE_DIM(sec_caps_##name));\
+} while (0)
+
 #define OTX2_CPT_MAX_CAPS 34
+#define OTX2_SEC_MAX_CAPS 4
 
 static struct rte_cryptodev_capabilities otx2_cpt_caps[OTX2_CPT_MAX_CAPS];
+static struct rte_cryptodev_capabilities otx2_cpt_sec_caps[OTX2_SEC_MAX_CAPS];
 
 static const struct rte_cryptodev_capabilities caps_mul[] = {
 	{	/* RSA */
@@ -725,6 +736,70 @@ static const struct rte_cryptodev_capabilities caps_end[] = {
 	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
 };
 
+static const struct rte_cryptodev_capabilities sec_caps_aes[] = {
+	{	/* AES GCM */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			{.aead = {
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.digest_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				},
+				.aad_size = {
+					.min = 8,
+					.max = 12,
+					.increment = 4
+				},
+				.iv_size = {
+					.min = 12,
+					.max = 12,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+};
+
+static const struct rte_security_capability
+otx2_crypto_sec_capabilities[] = {
+	{	/* IPsec Lookaside Protocol ESP Tunnel Ingress */
+		.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+			.options = { 0 }
+		},
+		.crypto_capabilities = otx2_cpt_sec_caps,
+		.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
+	},
+	{	/* IPsec Lookaside Protocol ESP Tunnel Egress */
+		.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+			.options = { 0 }
+		},
+		.crypto_capabilities = otx2_cpt_sec_caps,
+		.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
+	},
+	{
+		.action = RTE_SECURITY_ACTION_TYPE_NONE
+	}
+};
+
 static void
 cpt_caps_add(const struct rte_cryptodev_capabilities *caps, int nb_caps)
 {
@@ -757,3 +832,29 @@ otx2_cpt_capabilities_get(void)
 {
 	return otx2_cpt_caps;
 }
+
+static void
+sec_caps_add(const struct rte_cryptodev_capabilities *caps, int nb_caps)
+{
+	static int cur_pos;
+
+	if (cur_pos + nb_caps > OTX2_SEC_MAX_CAPS)
+		return;
+
+	memcpy(&otx2_cpt_sec_caps[cur_pos], caps, nb_caps * sizeof(caps[0]));
+	cur_pos += nb_caps;
+}
+
+void
+otx2_crypto_sec_capabilities_init(union cpt_eng_caps *hw_caps)
+{
+	SEC_CAPS_ADD(hw_caps, aes);
+
+	sec_caps_add(caps_end, RTE_DIM(caps_end));
+}
+
+const struct rte_security_capability *
+otx2_crypto_sec_capabilities_get(void *device __rte_unused)
+{
+	return otx2_crypto_sec_capabilities;
+}
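Review bot: sec_caps_add() keeps its write position in a static cur_pos and returns silently when cur_pos + nb_caps exceeds OTX2_SEC_MAX_CAPS, while otx2_crypto_sec_capabilities_init() is called from probe for every device. A second probe therefore appends a duplicate AES-GCM entry and a second end marker after the first terminator, and later probes are dropped without any log. If the first probed VF lacks the AES engine group, the end marker lands at index 0 and entries added by later VFs are never reached. Please make the init idempotent (reset cur_pos or run once) and log an error on overflow. The memcpy() call also needs <string.h>, which this patch does not add.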
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.h b/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.h
index a439cbefd3..c1e0001190 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.h
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_capabilities.h
@@ -29,4 +29,17 @@ void otx2_crypto_capabilities_init(union cpt_eng_caps *hw_caps);
 const struct rte_cryptodev_capabilities *
 otx2_cpt_capabilities_get(void);
 
+/*
+ * Initialize security capabilities for the device
+ *
+ */
+void otx2_crypto_sec_capabilities_init(union cpt_eng_caps *hw_caps);
+
+/*
+ * Get security capabilities list for the device
+ *
+ */
+const struct rte_security_capability *
+otx2_crypto_sec_capabilities_get(void *device __rte_unused);
+
 #endif /* _OTX2_CRYPTODEV_CAPABILITIES_H_ */
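Review bot: The prototype carries __rte_unused on its parameter ("void *device __rte_unused"); the attribute is only meaningful on the definition in otx2_cryptodev_capabilities.c, so please drop it from the header. The comment could also state that the returned array is terminated by an entry with RTE_SECURITY_ACTION_TYPE_NONE, as the table added in this patch is.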
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
index d937e6f37a..906a87b9e5 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -7,6 +7,8 @@
 #include <rte_security.h>
 #include <rte_security_driver.h>
 
+#include "otx2_cryptodev.h"
+#include "otx2_cryptodev_capabilities.h"
 #include "otx2_cryptodev_sec.h"
 
 static struct rte_security_ops otx2_crypto_sec_ops = {
@@ -15,7 +17,7 @@ static struct rte_security_ops otx2_crypto_sec_ops = {
 	.session_get_size	= NULL,
 	.set_pkt_metadata	= NULL,
 	.get_userdata		= NULL,
-	.capabilities_get	= NULL
+	.capabilities_get	= otx2_crypto_sec_capabilities_get
 };
 
 int
-- 
2.27.0



* [dpdk-dev] [PATCH v2 6/9] crypto/octeontx2: add cryptodev sec misc callbacks
  2020-07-15  9:26 [dpdk-dev] [PATCH v2 0/9] add OCTEON TX2 lookaside IPsec support Tejasree Kondoj
                   ` (4 preceding siblings ...)
  2020-07-15  9:26 ` [dpdk-dev] [PATCH v2 5/9] crypto/octeontx2: add cryptodev sec capabilities Tejasree Kondoj
@ 2020-07-15  9:27 ` Tejasree Kondoj
  2020-07-15  9:27 ` [dpdk-dev] [PATCH v2 7/9] crypto/octeontx2: add cryptodev sec session create Tejasree Kondoj
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 14+ messages in thread
From: Tejasree Kondoj @ 2020-07-15  9:27 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Vamsi Attunuru, Narayana Prasad, Anoob Joseph, Tejasree Kondoj, dev

From: Vamsi Attunuru <vattunuru@marvell.com>

This patch adds lookaside IPsec callback functions.

Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 34 +++++++++++++++++--
 1 file changed, 31 insertions(+), 3 deletions(-)

diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
index 906a87b9e5..6e14b37a68 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -10,13 +10,41 @@
 #include "otx2_cryptodev.h"
 #include "otx2_cryptodev_capabilities.h"
 #include "otx2_cryptodev_sec.h"
+#include "otx2_security.h"
+
+static unsigned int
+otx2_crypto_sec_session_get_size(void *device __rte_unused)
+{
+	return sizeof(struct otx2_sec_session);
+}
+
+static int
+otx2_crypto_sec_set_pkt_mdata(void *device __rte_unused,
+			      struct rte_security_session *session,
+			      struct rte_mbuf *m, void *params __rte_unused)
+{
+	/* Set security session as the pkt metadata */
+	m->udata64 = (uint64_t)session;
+
+	return 0;
+}
+
+static int
+otx2_crypto_sec_get_userdata(void *device __rte_unused, uint64_t md,
+			     void **userdata)
+{
+	/* Retrieve userdata  */
+	*userdata = (void *)md;
+
+	return 0;
+}
 
 static struct rte_security_ops otx2_crypto_sec_ops = {
 	.session_create		= NULL,
 	.session_destroy	= NULL,
-	.session_get_size	= NULL,
-	.set_pkt_metadata	= NULL,
-	.get_userdata		= NULL,
+	.session_get_size	= otx2_crypto_sec_session_get_size,
+	.set_pkt_metadata	= otx2_crypto_sec_set_pkt_mdata,
+	.get_userdata		= otx2_crypto_sec_get_userdata,
 	.capabilities_get	= otx2_crypto_sec_capabilities_get
 };
 
-- 
2.27.0



* [dpdk-dev] [PATCH v2 7/9] crypto/octeontx2: add cryptodev sec session create
  2020-07-15  9:26 [dpdk-dev] [PATCH v2 0/9] add OCTEON TX2 lookaside IPsec support Tejasree Kondoj
                   ` (5 preceding siblings ...)
  2020-07-15  9:27 ` [dpdk-dev] [PATCH v2 6/9] crypto/octeontx2: add cryptodev sec misc callbacks Tejasree Kondoj
@ 2020-07-15  9:27 ` Tejasree Kondoj
  2020-07-15  9:27 ` [dpdk-dev] [PATCH v2 8/9] crypto/octeontx2: add cryptodev sec enqueue routine Tejasree Kondoj
  2020-07-15  9:27 ` [dpdk-dev] [PATCH v2 9/9] crypto/octeontx2: add cryptodev sec dequeue routine Tejasree Kondoj
  8 siblings, 0 replies; 14+ messages in thread
From: Tejasree Kondoj @ 2020-07-15  9:27 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Vamsi Attunuru, Narayana Prasad, Anoob Joseph, Tejasree Kondoj, dev

From: Vamsi Attunuru <vattunuru@marvell.com>

This patch creates session for lookaside IPsec.

Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 468 +++++++++++++++++-
 drivers/crypto/octeontx2/otx2_ipsec_po.h      | 295 +++++++++++
 drivers/crypto/octeontx2/otx2_security.h      |   9 +
 drivers/net/octeontx2/otx2_ethdev_sec.c       |  23 +-
 4 files changed, 777 insertions(+), 18 deletions(-)

diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
index 6e14b37a68..0741a592cd 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -3,15 +3,479 @@
  */
 
 #include <rte_cryptodev.h>
+#include <rte_esp.h>
+#include <rte_ethdev.h>
+#include <rte_ip.h>
 #include <rte_malloc.h>
 #include <rte_security.h>
 #include <rte_security_driver.h>
+#include <rte_udp.h>
 
 #include "otx2_cryptodev.h"
 #include "otx2_cryptodev_capabilities.h"
+#include "otx2_cryptodev_hw_access.h"
+#include "otx2_cryptodev_ops.h"
 #include "otx2_cryptodev_sec.h"
 #include "otx2_security.h"
 
+static int
+ipsec_lp_len_precalc(struct rte_security_ipsec_xform *ipsec,
+		struct rte_crypto_sym_xform *xform,
+		struct otx2_sec_session_ipsec_lp *lp)
+{
+	struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
+
+	lp->partial_len = sizeof(struct rte_ipv4_hdr);
+
+	if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) {
+		lp->partial_len += sizeof(struct rte_esp_hdr);
+		lp->roundup_len = sizeof(struct rte_esp_tail);
+	} else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) {
+		lp->partial_len += OTX2_SEC_AH_HDR_LEN;
+	} else {
+		return -EINVAL;
+	}
+
+	if (ipsec->options.udp_encap)
+		lp->partial_len += sizeof(struct rte_udp_hdr);
+
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+			lp->partial_len += OTX2_SEC_AES_GCM_IV_LEN;
+			lp->partial_len += OTX2_SEC_AES_GCM_MAC_LEN;
+			lp->roundup_byte = OTX2_SEC_AES_GCM_ROUNDUP_BYTE_LEN;
+			return 0;
+		} else {
+			return -EINVAL;
+		}
+	}
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		cipher_xform = xform;
+		auth_xform = xform->next;
+	} else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		auth_xform = xform;
+		cipher_xform = xform->next;
+	} else {
+		return -EINVAL;
+	}
+
+	if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		lp->partial_len += OTX2_SEC_AES_CBC_IV_LEN;
+		lp->roundup_byte = OTX2_SEC_AES_CBC_ROUNDUP_BYTE_LEN;
+	} else {
+		return -EINVAL;
+	}
+
+	if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+		lp->partial_len += OTX2_SEC_SHA1_HMAC_LEN;
+	else
+		return -EINVAL;
+
+	return 0;
+}
+
+static int
+otx2_cpt_enq_sa_write(struct otx2_sec_session_ipsec_lp *lp,
+		      struct otx2_cpt_qp *qptr, uint8_t opcode)
+{
+	uint64_t lmt_status, time_out;
+	void *lmtline = qptr->lmtline;
+	struct otx2_cpt_inst_s inst;
+	struct otx2_cpt_res *res;
+	uint64_t *mdata;
+	int ret = 0;
+
+	if (unlikely(rte_mempool_get(qptr->meta_info.pool,
+				     (void **)&mdata) < 0))
+		return -ENOMEM;
+
+	res = (struct otx2_cpt_res *)RTE_PTR_ALIGN(mdata, 16);
+	res->compcode = CPT_9X_COMP_E_NOTDONE;
+
+	inst.opcode = opcode | (lp->ctx_len << 8);
+	inst.param1 = 0;
+	inst.param2 = 0;
+	inst.dlen = lp->ctx_len << 3;
+	inst.dptr = rte_mempool_virt2iova(lp);
+	inst.rptr = 0;
+	inst.cptr = rte_mempool_virt2iova(lp);
+	inst.egrp  = OTX2_CPT_EGRP_SE;
+
+	inst.u64[0] = 0;
+	inst.u64[2] = 0;
+	inst.u64[3] = 0;
+	inst.res_addr = rte_mempool_virt2iova(res);
+
+	rte_cio_wmb();
+
+	do {
+		/* Copy CPT command to LMTLINE */
+		otx2_lmt_mov(lmtline, &inst, 2);
+		lmt_status = otx2_lmt_submit(qptr->lf_nq_reg);
+	} while (lmt_status == 0);
+
+	time_out = rte_get_timer_cycles() +
+			DEFAULT_COMMAND_TIMEOUT * rte_get_timer_hz();
+
+	while (res->compcode == CPT_9X_COMP_E_NOTDONE) {
+		if (rte_get_timer_cycles() > time_out) {
+			rte_mempool_put(qptr->meta_info.pool, mdata);
+			otx2_err("Request timed out");
+			return -ETIMEDOUT;
+		}
+	    rte_cio_rmb();
+	}
+
+	if (unlikely(res->compcode != CPT_9X_COMP_E_GOOD)) {
+		ret = res->compcode;
+		switch (ret) {
+		case CPT_9X_COMP_E_INSTERR:
+			otx2_err("Request failed with instruction error");
+			break;
+		case CPT_9X_COMP_E_FAULT:
+			otx2_err("Request failed with DMA fault");
+			break;
+		case CPT_9X_COMP_E_HWERR:
+			otx2_err("Request failed with hardware error");
+			break;
+		default:
+			otx2_err("Request failed with unknown hardware "
+				 "completion code : 0x%x", ret);
+		}
+		goto mempool_put;
+	}
+
+	if (unlikely(res->uc_compcode != OTX2_IPSEC_PO_CC_SUCCESS)) {
+		ret = res->uc_compcode;
+		switch (ret) {
+		case OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED:
+			otx2_err("Invalid auth type");
+			break;
+		case OTX2_IPSEC_PO_CC_ENCRYPT_UNSUPPORTED:
+			otx2_err("Invalid encrypt type");
+			break;
+		default:
+			otx2_err("Request failed with unknown microcode "
+				 "completion code : 0x%x", ret);
+		}
+	}
+
+mempool_put:
+	rte_mempool_put(qptr->meta_info.pool, mdata);
+	return ret;
+}
+
+static void
+set_session_misc_attributes(struct otx2_sec_session_ipsec_lp *sess,
+			    struct rte_crypto_sym_xform *crypto_xform,
+			    struct rte_crypto_sym_xform *auth_xform,
+			    struct rte_crypto_sym_xform *cipher_xform)
+{
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		sess->iv_offset = crypto_xform->aead.iv.offset;
+		sess->iv_length = crypto_xform->aead.iv.length;
+		sess->aad_length = crypto_xform->aead.aad_length;
+		sess->mac_len = crypto_xform->aead.digest_length;
+	} else {
+		sess->iv_offset = cipher_xform->cipher.iv.offset;
+		sess->iv_length = cipher_xform->cipher.iv.length;
+		sess->auth_iv_offset = auth_xform->auth.iv.offset;
+		sess->auth_iv_length = auth_xform->auth.iv.length;
+		sess->mac_len = auth_xform->auth.digest_length;
+	}
+
+	sess->ucmd_param1 = OTX2_IPSEC_PO_PER_PKT_IV;
+	sess->ucmd_param2 = 0;
+}
+
+static int
+crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
+				     struct rte_security_ipsec_xform *ipsec,
+				     struct rte_crypto_sym_xform *crypto_xform,
+				     struct rte_security_session *sec_sess)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	const uint8_t *cipher_key, *auth_key;
+	struct otx2_sec_session_ipsec_lp *lp;
+	struct otx2_ipsec_po_sa_ctl *ctl;
+	int cipher_key_len, auth_key_len;
+	struct otx2_ipsec_po_out_sa *sa;
+	struct otx2_sec_session *sess;
+	struct otx2_cpt_inst_s inst;
+	struct rte_ipv4_hdr *ip;
+	int ret;
+
+	sess = get_sec_session_private_data(sec_sess);
+	lp = &sess->ipsec.lp;
+
+	sa = &lp->out_sa;
+	ctl = &sa->ctl;
+	if (ctl->valid) {
+		otx2_err("SA already registered");
+		return -EINVAL;
+	}
+
+	memset(sa, 0, sizeof(struct otx2_ipsec_po_out_sa));
+
+	/* Initialize lookaside ipsec private data */
+	lp->ip_id = 0;
+	lp->seq_lo = 1;
+	lp->seq_hi = 0;
+
+	ret = ipsec_po_sa_ctl_set(ipsec, crypto_xform, ctl);
+	if (ret)
+		return ret;
+
+	ret = ipsec_lp_len_precalc(ipsec, crypto_xform, lp);
+	if (ret)
+		return ret;
+
+	memcpy(sa->iv.gcm.nonce, &ipsec->salt, 4);
+
+	if (ipsec->options.udp_encap) {
+		sa->udp_src = 4500;
+		sa->udp_dst = 4500;
+	}
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		/* Start ip id from 1 */
+		lp->ip_id = 1;
+
+		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+			ip = &sa->template.ipv4_hdr;
+			ip->version_ihl = RTE_IPV4_VHL_DEF;
+			ip->next_proto_id = IPPROTO_ESP;
+			ip->time_to_live = ipsec->tunnel.ipv4.ttl;
+			ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
+			if (ipsec->tunnel.ipv4.df)
+				ip->fragment_offset = BIT(14);
+			memcpy(&ip->src_addr, &ipsec->tunnel.ipv4.src_ip,
+				sizeof(struct in_addr));
+			memcpy(&ip->dst_addr, &ipsec->tunnel.ipv4.dst_ip,
+				sizeof(struct in_addr));
+		} else {
+			return -EINVAL;
+		}
+	} else {
+		return -EINVAL;
+	}
+
+	cipher_xform = crypto_xform;
+	auth_xform = crypto_xform->next;
+
+	cipher_key_len = 0;
+	auth_key_len = 0;
+
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		cipher_key = crypto_xform->aead.key.data;
+		cipher_key_len = crypto_xform->aead.key.length;
+
+		lp->ctx_len = sizeof(struct otx2_ipsec_po_out_sa);
+		lp->ctx_len >>= 3;
+		RTE_ASSERT(lp->ctx_len == OTX2_IPSEC_PO_AES_GCM_OUTB_CTX_LEN);
+	} else {
+		cipher_key = cipher_xform->cipher.key.data;
+		cipher_key_len = cipher_xform->cipher.key.length;
+		auth_key = auth_xform->auth.key.data;
+		auth_key_len = auth_xform->auth.key.length;
+
+		/* TODO: check the ctx len for supporting ALGO */
+		lp->ctx_len = sizeof(struct otx2_ipsec_po_out_sa) >> 3;
+		RTE_ASSERT(lp->ctx_len == OTX2_IPSEC_PO_MAX_OUTB_CTX_LEN);
+	}
+
+	if (cipher_key_len != 0)
+		memcpy(sa->cipher_key, cipher_key, cipher_key_len);
+	else
+		return -EINVAL;
+
+	/* Use OPAD & IPAD */
+	RTE_SET_USED(auth_key);
+	RTE_SET_USED(auth_key_len);
+
+	inst.u64[7] = 0;
+	inst.egrp = OTX2_CPT_EGRP_SE;
+	inst.cptr = rte_mempool_virt2iova(sa);
+
+	lp->ucmd_w3 = inst.u64[7];
+	lp->ucmd_opcode = (lp->ctx_len << 8) |
+				(OTX2_IPSEC_PO_PROCESS_IPSEC_OUTB);
+
+	set_session_misc_attributes(lp, crypto_xform,
+				    auth_xform, cipher_xform);
+
+	return otx2_cpt_enq_sa_write(lp, crypto_dev->data->queue_pairs[0],
+				     OTX2_IPSEC_PO_WRITE_IPSEC_OUTB);
+}
+
+static int
+crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
+				    struct rte_security_ipsec_xform *ipsec,
+				    struct rte_crypto_sym_xform *crypto_xform,
+				    struct rte_security_session *sec_sess)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	struct otx2_sec_session_ipsec_lp *lp;
+	struct otx2_ipsec_po_sa_ctl *ctl;
+	const uint8_t *cipher_key, *auth_key;
+	int cipher_key_len, auth_key_len;
+	struct otx2_ipsec_po_in_sa *sa;
+	struct otx2_sec_session *sess;
+	struct otx2_cpt_inst_s inst;
+	int ret;
+
+	sess = get_sec_session_private_data(sec_sess);
+	lp = &sess->ipsec.lp;
+
+	sa = &lp->in_sa;
+	ctl = &sa->ctl;
+
+	if (ctl->valid) {
+		otx2_err("SA already registered");
+		return -EINVAL;
+	}
+
+	memset(sa, 0, sizeof(struct otx2_ipsec_po_in_sa));
+
+	ret = ipsec_po_sa_ctl_set(ipsec, crypto_xform, ctl);
+	if (ret)
+		return ret;
+
+	auth_xform = crypto_xform;
+	cipher_xform = crypto_xform->next;
+
+	cipher_key_len = 0;
+	auth_key_len = 0;
+
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
+			memcpy(sa->iv.gcm.nonce, &ipsec->salt, 4);
+		cipher_key = crypto_xform->aead.key.data;
+		cipher_key_len = crypto_xform->aead.key.length;
+
+		lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa,
+					    aes_gcm.hmac_key[0]) >> 3;
+		RTE_ASSERT(lp->ctx_len == OTX2_IPSEC_PO_AES_GCM_INB_CTX_LEN);
+	} else {
+		cipher_key = cipher_xform->cipher.key.data;
+		cipher_key_len = cipher_xform->cipher.key.length;
+		auth_key = auth_xform->auth.key.data;
+		auth_key_len = auth_xform->auth.key.length;
+
+		/* TODO: check the ctx len for supporting ALGO */
+		lp->ctx_len = sizeof(struct otx2_ipsec_po_in_sa) >> 2;
+		RTE_ASSERT(lp->ctx_len == OTX2_IPSEC_PO_MAX_INB_CTX_LEN);
+	}
+
+	if (cipher_key_len != 0)
+		memcpy(sa->cipher_key, cipher_key, cipher_key_len);
+	else
+		return -EINVAL;
+
+	/* Use OPAD & IPAD */
+	RTE_SET_USED(auth_key);
+	RTE_SET_USED(auth_key_len);
+
+	inst.u64[7] = 0;
+	inst.egrp = OTX2_CPT_EGRP_SE;
+	inst.cptr = rte_mempool_virt2iova(sa);
+
+	lp->ucmd_w3 = inst.u64[7];
+	lp->ucmd_opcode = (lp->ctx_len << 8) |
+				(OTX2_IPSEC_PO_PROCESS_IPSEC_INB);
+
+	set_session_misc_attributes(lp, crypto_xform,
+				    auth_xform, cipher_xform);
+
+	return otx2_cpt_enq_sa_write(lp, crypto_dev->data->queue_pairs[0],
+				     OTX2_IPSEC_PO_WRITE_IPSEC_INB);
+}
+
+static int
+crypto_sec_ipsec_session_create(struct rte_cryptodev *crypto_dev,
+				struct rte_security_ipsec_xform *ipsec,
+				struct rte_crypto_sym_xform *crypto_xform,
+				struct rte_security_session *sess)
+{
+	int ret;
+
+	if (crypto_dev->data->queue_pairs[0] == NULL) {
+		otx2_err("Setup cpt queue pair before creating sec session");
+		return -EPERM;
+	}
+
+	ret = ipsec_po_xform_verify(ipsec, crypto_xform);
+	if (ret)
+		return ret;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+		return crypto_sec_ipsec_inb_session_create(crypto_dev, ipsec,
+							   crypto_xform, sess);
+	else
+		return crypto_sec_ipsec_outb_session_create(crypto_dev, ipsec,
+							    crypto_xform, sess);
+}
+
+static int
+otx2_crypto_sec_session_create(void *device,
+			       struct rte_security_session_conf *conf,
+			       struct rte_security_session *sess,
+			       struct rte_mempool *mempool)
+{
+	struct otx2_sec_session *priv;
+	int ret;
+
+	if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
+		return -ENOTSUP;
+
+	if (rte_mempool_get(mempool, (void **)&priv)) {
+		otx2_err("Could not allocate security session private data");
+		return -ENOMEM;
+	}
+
+	set_sec_session_private_data(sess, priv);
+
+	priv->userdata = conf->userdata;
+
+	if (conf->protocol == RTE_SECURITY_PROTOCOL_IPSEC)
+		ret = crypto_sec_ipsec_session_create(device, &conf->ipsec,
+						      conf->crypto_xform,
+						      sess);
+	else
+		ret = -ENOTSUP;
+
+	if (ret)
+		goto mempool_put;
+
+	return 0;
+
+mempool_put:
+	rte_mempool_put(mempool, priv);
+	set_sec_session_private_data(sess, NULL);
+	return ret;
+}
+
+static int
+otx2_crypto_sec_session_destroy(void *device __rte_unused,
+				struct rte_security_session *sess)
+{
+	struct otx2_sec_session *priv;
+	struct rte_mempool *sess_mp;
+
+	priv = get_sec_session_private_data(sess);
+
+	if (priv == NULL)
+		return 0;
+
+	sess_mp = rte_mempool_from_obj(priv);
+
+	set_sec_session_private_data(sess, NULL);
+	rte_mempool_put(sess_mp, priv);
+
+	return 0;
+}
+
 static unsigned int
 otx2_crypto_sec_session_get_size(void *device __rte_unused)
 {
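Review bot: in crypto_sec_ipsec_outb_session_create() and crypto_sec_ipsec_inb_session_create(), `if (ctl->valid)` is evaluated before the memset() on an object that otx2_crypto_sec_session_create() has just taken with rte_mempool_get(), and both otx2_crypto_sec_session_destroy() and the mempool_put error path hand that object back with rte_mempool_put() without clearing it. Since ipsec_po_sa_ctl_set() sets valid = 1, a recycled object still reads as registered, so a later create on it fails with "SA already registered", and the previous SA's cipher_key and salt stay in the pool after the session is gone. Please zero the private data before every rte_mempool_put() (or right after rte_mempool_get()) and drop or rework the valid check accordingly. Two smaller points in the same hunk: the inbound non-AEAD branch computes `lp->ctx_len = sizeof(struct otx2_ipsec_po_in_sa) >> 2;` where every other branch shifts by 3, and auth_key is passed to RTE_SET_USED() without having been assigned on the AEAD path.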
@@ -40,8 +504,8 @@ otx2_crypto_sec_get_userdata(void *device __rte_unused, uint64_t md,
 }
 
 static struct rte_security_ops otx2_crypto_sec_ops = {
-	.session_create		= NULL,
-	.session_destroy	= NULL,
+	.session_create		= otx2_crypto_sec_session_create,
+	.session_destroy	= otx2_crypto_sec_session_destroy,
 	.session_get_size	= otx2_crypto_sec_session_get_size,
 	.set_pkt_metadata	= otx2_crypto_sec_set_pkt_mdata,
 	.get_userdata		= otx2_crypto_sec_get_userdata,
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h
index 217dfeaff0..f2167f220a 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h
@@ -9,6 +9,83 @@
 #include <rte_ip.h>
 #include <rte_security.h>
 
+#define OTX2_IPSEC_PO_AES_GCM_INB_CTX_LEN    0x09
+#define OTX2_IPSEC_PO_AES_GCM_OUTB_CTX_LEN   0x28
+
+#define OTX2_IPSEC_PO_MAX_INB_CTX_LEN    0x22
+#define OTX2_IPSEC_PO_MAX_OUTB_CTX_LEN   0x38
+
+#define OTX2_IPSEC_PO_PER_PKT_IV  BIT(11)
+
+#define OTX2_IPSEC_PO_WRITE_IPSEC_OUTB     0x20
+#define OTX2_IPSEC_PO_WRITE_IPSEC_INB      0x21
+#define OTX2_IPSEC_PO_PROCESS_IPSEC_OUTB   0x23
+#define OTX2_IPSEC_PO_PROCESS_IPSEC_INB    0x24
+
+enum otx2_ipsec_po_comp_e {
+	OTX2_IPSEC_PO_CC_SUCCESS = 0x00,
+	OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED = 0xB0,
+	OTX2_IPSEC_PO_CC_ENCRYPT_UNSUPPORTED = 0xB1,
+};
+
+enum {
+	OTX2_IPSEC_PO_SA_DIRECTION_INBOUND = 0,
+	OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND = 1,
+};
+
+enum {
+	OTX2_IPSEC_PO_SA_IP_VERSION_4 = 0,
+	OTX2_IPSEC_PO_SA_IP_VERSION_6 = 1,
+};
+
+enum {
+	OTX2_IPSEC_PO_SA_MODE_TRANSPORT = 0,
+	OTX2_IPSEC_PO_SA_MODE_TUNNEL = 1,
+};
+
+enum {
+	OTX2_IPSEC_PO_SA_PROTOCOL_AH = 0,
+	OTX2_IPSEC_PO_SA_PROTOCOL_ESP = 1,
+};
+
+enum {
+	OTX2_IPSEC_PO_SA_AES_KEY_LEN_128 = 1,
+	OTX2_IPSEC_PO_SA_AES_KEY_LEN_192 = 2,
+	OTX2_IPSEC_PO_SA_AES_KEY_LEN_256 = 3,
+};
+
+enum {
+	OTX2_IPSEC_PO_SA_ENC_NULL = 0,
+	OTX2_IPSEC_PO_SA_ENC_DES_CBC = 1,
+	OTX2_IPSEC_PO_SA_ENC_3DES_CBC = 2,
+	OTX2_IPSEC_PO_SA_ENC_AES_CBC = 3,
+	OTX2_IPSEC_PO_SA_ENC_AES_CTR = 4,
+	OTX2_IPSEC_PO_SA_ENC_AES_GCM = 5,
+	OTX2_IPSEC_PO_SA_ENC_AES_CCM = 6,
+};
+
+enum {
+	OTX2_IPSEC_PO_SA_AUTH_NULL = 0,
+	OTX2_IPSEC_PO_SA_AUTH_MD5 = 1,
+	OTX2_IPSEC_PO_SA_AUTH_SHA1 = 2,
+	OTX2_IPSEC_PO_SA_AUTH_SHA2_224 = 3,
+	OTX2_IPSEC_PO_SA_AUTH_SHA2_256 = 4,
+	OTX2_IPSEC_PO_SA_AUTH_SHA2_384 = 5,
+	OTX2_IPSEC_PO_SA_AUTH_SHA2_512 = 6,
+	OTX2_IPSEC_PO_SA_AUTH_AES_GMAC = 7,
+	OTX2_IPSEC_PO_SA_AUTH_AES_XCBC_128 = 8,
+};
+
+enum {
+	OTX2_IPSEC_PO_SA_FRAG_POST = 0,
+	OTX2_IPSEC_PO_SA_FRAG_PRE = 1,
+};
+
+enum {
+	OTX2_IPSEC_PO_SA_ENCAP_NONE = 0,
+	OTX2_IPSEC_PO_SA_ENCAP_UDP = 1,
+};
+
 union otx2_ipsec_po_bit_perfect_iv {
 	uint8_t aes_iv[16];
 	uint8_t des_iv[8];
@@ -107,4 +184,222 @@ struct otx2_ipsec_po_out_sa {
 	uint16_t udp_dst;
 };
 
+static inline int
+ipsec_po_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
+{
+	if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		switch (xform->cipher.key.length) {
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return -ENOTSUP;
+		}
+		return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_po_xform_auth_verify(struct rte_crypto_sym_xform *xform)
+{
+	uint16_t keylen = xform->auth.key.length;
+
+	if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+		if (keylen >= 20 && keylen <= 64)
+			return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_po_xform_aead_verify(struct rte_security_ipsec_xform *ipsec,
+			   struct rte_crypto_sym_xform *xform)
+{
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+	    xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
+		return -EINVAL;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+	    xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
+		return -EINVAL;
+
+	if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+		switch (xform->aead.key.length) {
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return -EINVAL;
+		}
+		return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_po_xform_verify(struct rte_security_ipsec_xform *ipsec,
+		      struct rte_crypto_sym_xform *xform)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	int ret;
+
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+		return ipsec_po_xform_aead_verify(ipsec, xform);
+
+	if (xform->next == NULL)
+		return -EINVAL;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		/* Ingress */
+		if (xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+		    xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+			return -EINVAL;
+		auth_xform = xform;
+		cipher_xform = xform->next;
+	} else {
+		/* Egress */
+		if (xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+		    xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+			return -EINVAL;
+		cipher_xform = xform;
+		auth_xform = xform->next;
+	}
+
+	ret = ipsec_po_xform_cipher_verify(cipher_xform);
+	if (ret)
+		return ret;
+
+	ret = ipsec_po_xform_auth_verify(auth_xform);
+	if (ret)
+		return ret;
+
+	return 0;
+}
+
+static inline int
+ipsec_po_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
+		    struct rte_crypto_sym_xform *xform,
+		    struct otx2_ipsec_po_sa_ctl *ctl)
+{
+	struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
+	int aes_key_len;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		ctl->direction = OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND;
+		cipher_xform = xform;
+		auth_xform = xform->next;
+	} else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		ctl->direction = OTX2_IPSEC_PO_SA_DIRECTION_INBOUND;
+		auth_xform = xform;
+		cipher_xform = xform->next;
+	} else {
+		return -EINVAL;
+	}
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+			ctl->outer_ip_ver = OTX2_IPSEC_PO_SA_IP_VERSION_4;
+		else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
+			ctl->outer_ip_ver = OTX2_IPSEC_PO_SA_IP_VERSION_6;
+		else
+			return -EINVAL;
+	}
+
+	ctl->inner_ip_ver = OTX2_IPSEC_PO_SA_IP_VERSION_4;
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
+		ctl->ipsec_mode = OTX2_IPSEC_PO_SA_MODE_TRANSPORT;
+	else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+		ctl->ipsec_mode = OTX2_IPSEC_PO_SA_MODE_TUNNEL;
+	else
+		return -EINVAL;
+
+	if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
+		ctl->ipsec_proto = OTX2_IPSEC_PO_SA_PROTOCOL_AH;
+	else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
+		ctl->ipsec_proto = OTX2_IPSEC_PO_SA_PROTOCOL_ESP;
+	else
+		return -EINVAL;
+
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+			ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_GCM;
+			aes_key_len = xform->aead.key.length;
+		} else {
+			return -ENOTSUP;
+		}
+	} else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_CCM;
+		aes_key_len = xform->cipher.key.length;
+	} else {
+		return -ENOTSUP;
+	}
+
+
+	switch (aes_key_len) {
+	case 16:
+		ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_128;
+		break;
+	case 24:
+		ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_192;
+		break;
+	case 32:
+		ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_256;
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	if (xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
+		switch (auth_xform->auth.algo) {
+		case RTE_CRYPTO_AUTH_NULL:
+			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_NULL;
+			break;
+		case RTE_CRYPTO_AUTH_MD5_HMAC:
+			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_MD5;
+			break;
+		case RTE_CRYPTO_AUTH_SHA1_HMAC:
+			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA1;
+			break;
+		case RTE_CRYPTO_AUTH_SHA224_HMAC:
+			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_224;
+			break;
+		case RTE_CRYPTO_AUTH_SHA256_HMAC:
+			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_256;
+			break;
+		case RTE_CRYPTO_AUTH_SHA384_HMAC:
+			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_384;
+			break;
+		case RTE_CRYPTO_AUTH_SHA512_HMAC:
+			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_512;
+			break;
+		case RTE_CRYPTO_AUTH_AES_GMAC:
+			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_AES_GMAC;
+			break;
+		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_AES_XCBC_128;
+			break;
+		default:
+			return -ENOTSUP;
+		}
+	}
+
+	if (ipsec->options.esn)
+		ctl->esn_en = 1;
+
+	if (ipsec->options.udp_encap == 1)
+		ctl->encap_type = OTX2_IPSEC_PO_SA_ENCAP_UDP;
+
+	ctl->spi = rte_cpu_to_be_32(ipsec->spi);
+	ctl->valid = 1;
+
+	return 0;
+}
+
 #endif /* __OTX2_IPSEC_PO_H__ */
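Review bot: in ipsec_po_sa_ctl_set(), the RTE_CRYPTO_CIPHER_AES_CBC branch sets `ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_CCM;`, which looks like a typo for OTX2_IPSEC_PO_SA_ENC_AES_CBC (value 3 versus 6 in the enum added earlier in this file). The following line, `aes_key_len = xform->cipher.key.length;`, reads from xform rather than cipher_xform, so for an ingress SA, where xform is the auth transform and cipher_xform is xform->next, the key length comes from the wrong transform; it should be cipher_xform->cipher.key.length. Separately, the auth switch here maps NULL, MD5 and the SHA2 family although ipsec_po_xform_auth_verify() only admits RTE_CRYPTO_AUTH_SHA1_HMAC; a short comment saying the extra cases are placeholders for later support would prevent readers from assuming they are reachable.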
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index 9b4fe263c4..086b506047 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -8,6 +8,15 @@
 #include "otx2_cryptodev_sec.h"
 #include "otx2_ethdev_sec.h"
 
+#define OTX2_SEC_AH_HDR_LEN			12
+#define OTX2_SEC_AES_GCM_IV_LEN			8
+#define OTX2_SEC_AES_GCM_MAC_LEN		16
+#define OTX2_SEC_AES_CBC_IV_LEN			16
+#define OTX2_SEC_SHA1_HMAC_LEN			12
+
+#define OTX2_SEC_AES_GCM_ROUNDUP_BYTE_LEN	4
+#define OTX2_SEC_AES_CBC_ROUNDUP_BYTE_LEN	16
+
 union otx2_sec_session_ipsec {
 	struct otx2_sec_session_ipsec_ip ip;
 	struct otx2_sec_session_ipsec_lp lp;
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index c2ad32cf0c..a155594e25 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -21,15 +21,6 @@
 #include "otx2_sec_idev.h"
 #include "otx2_security.h"
 
-#define AH_HDR_LEN	12
-#define AES_GCM_IV_LEN	8
-#define AES_GCM_MAC_LEN	16
-#define AES_CBC_IV_LEN	16
-#define SHA1_HMAC_LEN	12
-
-#define AES_GCM_ROUNDUP_BYTE_LEN	4
-#define AES_CBC_ROUNDUP_BYTE_LEN	16
-
 struct eth_sec_tag_const {
 	RTE_STD_C11
 	union {
@@ -238,7 +229,7 @@ ipsec_sa_const_set(struct rte_security_ipsec_xform *ipsec,
 		sess->partial_len += sizeof(struct rte_esp_hdr);
 		sess->roundup_len = sizeof(struct rte_esp_tail);
 	} else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) {
-		sess->partial_len += AH_HDR_LEN;
+		sess->partial_len += OTX2_SEC_AH_HDR_LEN;
 	} else {
 		return -EINVAL;
 	}
@@ -248,9 +239,9 @@ ipsec_sa_const_set(struct rte_security_ipsec_xform *ipsec,
 
 	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 		if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
-			sess->partial_len += AES_GCM_IV_LEN;
-			sess->partial_len += AES_GCM_MAC_LEN;
-			sess->roundup_byte = AES_GCM_ROUNDUP_BYTE_LEN;
+			sess->partial_len += OTX2_SEC_AES_GCM_IV_LEN;
+			sess->partial_len += OTX2_SEC_AES_GCM_MAC_LEN;
+			sess->roundup_byte = OTX2_SEC_AES_GCM_ROUNDUP_BYTE_LEN;
 		}
 		return 0;
 	}
@@ -265,14 +256,14 @@ ipsec_sa_const_set(struct rte_security_ipsec_xform *ipsec,
 		return -EINVAL;
 	}
 	if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
-		sess->partial_len += AES_CBC_IV_LEN;
-		sess->roundup_byte = AES_CBC_ROUNDUP_BYTE_LEN;
+		sess->partial_len += OTX2_SEC_AES_CBC_IV_LEN;
+		sess->roundup_byte = OTX2_SEC_AES_CBC_ROUNDUP_BYTE_LEN;
 	} else {
 		return -EINVAL;
 	}
 
 	if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
-		sess->partial_len += SHA1_HMAC_LEN;
+		sess->partial_len += OTX2_SEC_SHA1_HMAC_LEN;
 	else
 		return -EINVAL;
 
-- 
2.27.0



* [dpdk-dev] [PATCH v2 8/9] crypto/octeontx2: add cryptodev sec enqueue routine
  2020-07-15  9:26 [dpdk-dev] [PATCH v2 0/9] add OCTEON TX2 lookaside IPsec support Tejasree Kondoj
                   ` (6 preceding siblings ...)
  2020-07-15  9:27 ` [dpdk-dev] [PATCH v2 7/9] crypto/octeontx2: add cryptodev sec session create Tejasree Kondoj
@ 2020-07-15  9:27 ` Tejasree Kondoj
  2020-07-15  9:27 ` [dpdk-dev] [PATCH v2 9/9] crypto/octeontx2: add cryptodev sec dequeue routine Tejasree Kondoj
  8 siblings, 0 replies; 14+ messages in thread
From: Tejasree Kondoj @ 2020-07-15  9:27 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Vamsi Attunuru, Narayana Prasad, Anoob Joseph, Tejasree Kondoj, dev

From: Vamsi Attunuru <vattunuru@marvell.com>

This patch adds lookaside IPsec enqueue routine.

Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 drivers/crypto/octeontx2/otx2_cryptodev.h     |   8 +
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c |  36 +++-
 drivers/crypto/octeontx2/otx2_ipsec_po.h      |   6 +
 drivers/crypto/octeontx2/otx2_ipsec_po_ops.h  | 175 ++++++++++++++++++
 4 files changed, 224 insertions(+), 1 deletion(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_po_ops.h

diff --git a/drivers/crypto/octeontx2/otx2_cryptodev.h b/drivers/crypto/octeontx2/otx2_cryptodev.h
index e7a1730b22..f329741b38 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev.h
+++ b/drivers/crypto/octeontx2/otx2_cryptodev.h
@@ -6,6 +6,7 @@
 #define _OTX2_CRYPTODEV_H_
 
 #include "cpt_common.h"
+#include "cpt_hw_types.h"
 
 #include "otx2_dev.h"
 
@@ -33,6 +34,13 @@ struct otx2_cpt_vf {
 	/**< CPT device capabilities */
 };
 
+struct cpt_meta_info {
+	uint64_t deq_op_info[4];
+	uint64_t comp_code_sz;
+	union cpt_res_s cpt_res __rte_aligned(16);
+	struct cpt_request_info cpt_req __rte_aligned(8);
+};
+
 #define CPT_LOGTYPE otx2_cpt_logtype
 
 extern int otx2_cpt_logtype;
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index 229b719b42..6a2753eb22 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -13,8 +13,10 @@
 #include "otx2_cryptodev_hw_access.h"
 #include "otx2_cryptodev_mbox.h"
 #include "otx2_cryptodev_ops.h"
+#include "otx2_ipsec_po_ops.h"
 #include "otx2_mbox.h"
 #include "otx2_sec_idev.h"
+#include "otx2_security.h"
 
 #include "cpt_hw_types.h"
 #include "cpt_pmd_logs.h"
@@ -606,6 +608,36 @@ otx2_cpt_enqueue_sym(struct otx2_cpt_qp *qp, struct rte_crypto_op *op,
 	return ret;
 }
 
+static __rte_always_inline int __rte_hot
+otx2_cpt_enqueue_sec(struct otx2_cpt_qp *qp, struct rte_crypto_op *op,
+		     struct pending_queue *pend_q)
+{
+	struct otx2_sec_session_ipsec_lp *sess;
+	struct otx2_ipsec_po_sa_ctl *ctl_wrd;
+	struct otx2_sec_session *priv;
+	struct cpt_request_info *req;
+	int ret;
+
+	priv = get_sec_session_private_data(op->sym->sec_session);
+	sess = &priv->ipsec.lp;
+
+	ctl_wrd = &sess->in_sa.ctl;
+
+	if (ctl_wrd->direction == OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND)
+		ret = process_outb_sa(op, sess, &qp->meta_info, (void **)&req);
+	else
+		ret = process_inb_sa(op, sess, &qp->meta_info, (void **)&req);
+
+	if (unlikely(ret)) {
+		otx2_err("Crypto req : op %p, ret 0x%x", op, ret);
+		return ret;
+	}
+
+	ret = otx2_cpt_enqueue_req(qp, pend_q, req);
+
+	return ret;
+}
+
 static __rte_always_inline int __rte_hot
 otx2_cpt_enqueue_sym_sessless(struct otx2_cpt_qp *qp, struct rte_crypto_op *op,
 			      struct pending_queue *pend_q)
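Review bot: otx2_cpt_enqueue_sec() reads the SA direction through `ctl_wrd = &sess->in_sa.ctl;` for outbound sessions as well, which is only correct if in_sa and out_sa overlay each other with ctl at the same offset; that assumption needs a comment here, or the direction should be kept in a field of the session itself. priv returned by get_sec_session_private_data() is dereferenced without a NULL check, while otx2_crypto_sec_session_destroy() sets the private data to NULL, so an op that still references a destroyed session would fault at `sess = &priv->ipsec.lp;`. The otx2_err() in the failure branch also sits on the per-packet enqueue path, where a stream of rejected ops can flood the log; a debug-level or rate-limited message would be safer.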
@@ -659,7 +691,9 @@ otx2_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops)
 	for (count = 0; count < nb_ops; count++) {
 		op = ops[count];
 		if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
-			if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION)
+			if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION)
+				ret = otx2_cpt_enqueue_sec(qp, op, pend_q);
+			else if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION)
 				ret = otx2_cpt_enqueue_sym(qp, op, pend_q);
 			else
 				ret = otx2_cpt_enqueue_sym_sessless(qp, op,
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h
index f2167f220a..5acda79749 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h
@@ -86,6 +86,12 @@ enum {
 	OTX2_IPSEC_PO_SA_ENCAP_UDP = 1,
 };
 
+struct otx2_ipsec_po_out_hdr {
+	uint32_t ip_id;
+	uint32_t seq;
+	uint8_t iv[16];
+};
+
 union otx2_ipsec_po_bit_perfect_iv {
 	uint8_t aes_iv[16];
 	uint8_t des_iv[8];
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
new file mode 100644
index 0000000000..dd29c413d3
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
@@ -0,0 +1,175 @@
+
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2019 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_IPSEC_PO_OPS_H__
+#define __OTX2_IPSEC_PO_OPS_H__
+
+#include <rte_crypto_sym.h>
+#include <rte_security.h>
+
+#include "otx2_cryptodev.h"
+#include "otx2_security.h"
+
+static __rte_always_inline int32_t
+otx2_ipsec_po_out_rlen_get(struct otx2_sec_session_ipsec_lp *sess,
+			   uint32_t plen)
+{
+	uint32_t enc_payload_len;
+
+	enc_payload_len = RTE_ALIGN_CEIL(plen + sess->roundup_len,
+			sess->roundup_byte);
+
+	return sess->partial_len + enc_payload_len;
+}
+
+static __rte_always_inline struct cpt_request_info *
+alloc_request_struct(char *maddr, void *cop, int mdata_len)
+{
+	struct cpt_request_info *req;
+	struct cpt_meta_info *meta;
+	uint8_t *resp_addr;
+	uintptr_t *op;
+
+	meta = (void *)RTE_PTR_ALIGN((uint8_t *)maddr, 16);
+
+	op = (uintptr_t *)meta->deq_op_info;
+	req = &meta->cpt_req;
+	resp_addr = (uint8_t *)&meta->cpt_res;
+
+	req->completion_addr = (uint64_t *)((uint8_t *)resp_addr);
+	*req->completion_addr = COMPLETION_CODE_INIT;
+	req->comp_baddr = rte_mem_virt2iova(resp_addr);
+	req->op = op;
+
+	op[0] = (uintptr_t)((uint64_t)meta | 1ull);
+	op[1] = (uintptr_t)cop;
+	op[2] = (uintptr_t)req;
+	op[3] = mdata_len;
+
+	return req;
+}
+
+static __rte_always_inline int
+process_outb_sa(struct rte_crypto_op *cop,
+	       struct otx2_sec_session_ipsec_lp *sess,
+	       struct cpt_qp_meta_info *m_info, void **prep_req)
+{
+	uint32_t dlen, rlen, extend_head, extend_tail;
+	struct rte_crypto_sym_op *sym_op = cop->sym;
+	struct rte_mbuf *m_src = sym_op->m_src;
+	struct otx2_ipsec_po_sa_ctl *ctl_wrd;
+	struct cpt_request_info *req = NULL;
+	struct otx2_ipsec_po_out_hdr *hdr;
+	struct otx2_ipsec_po_out_sa *sa;
+	int hdr_len, mdata_len, ret = 0;
+	vq_cmd_word0_t word0;
+	char *mdata, *data;
+
+	sa = &sess->out_sa;
+	ctl_wrd = &sa->ctl;
+	hdr_len = sizeof(*hdr);
+
+	dlen = rte_pktmbuf_pkt_len(m_src) + hdr_len;
+	rlen = otx2_ipsec_po_out_rlen_get(sess, dlen - hdr_len);
+
+	extend_head = hdr_len + RTE_ETHER_HDR_LEN;
+	extend_tail = rlen - dlen;
+	mdata_len = m_info->lb_mlen + 8;
+
+	mdata = rte_pktmbuf_append(m_src, extend_tail + mdata_len);
+	if (unlikely(mdata == NULL)) {
+		otx2_err("Not enough tail room\n");
+		ret = -ENOMEM;
+		goto exit;
+	}
+
+	mdata += extend_tail; /* mdata follows encrypted data */
+	req = alloc_request_struct(mdata, (void *)cop, mdata_len);
+
+	data = rte_pktmbuf_prepend(m_src, extend_head);
+	if (unlikely(data == NULL)) {
+		otx2_err("Not enough head room\n");
+		ret = -ENOMEM;
+		goto exit;
+	}
+
+	/*
+	 * Move the Ethernet header, to insert otx2_ipsec_po_out_hdr prior
+	 * to the IP header
+	 */
+	memcpy(data, data + hdr_len, RTE_ETHER_HDR_LEN);
+
+	hdr = (struct otx2_ipsec_po_out_hdr *)rte_pktmbuf_adj(m_src,
+							RTE_ETHER_HDR_LEN);
+
+	if (ctl_wrd->enc_type == OTX2_IPSEC_FP_SA_ENC_AES_GCM) {
+		memcpy(&hdr->iv[0], &sa->iv.gcm.nonce, 4);
+		memcpy(&hdr->iv[4], rte_crypto_op_ctod_offset(cop, uint8_t *,
+			sess->iv_offset), sess->iv_length);
+	} else if (ctl_wrd->auth_type == OTX2_IPSEC_FP_SA_ENC_AES_CBC) {
+		memcpy(&hdr->iv[0], rte_crypto_op_ctod_offset(cop, uint8_t *,
+			sess->iv_offset), sess->iv_length);
+	}
+
+	/* Prepare CPT instruction */
+	word0.u64 = sess->ucmd_w0;
+	word0.s.dlen = dlen;
+
+	req->ist.ei0 = word0.u64;
+	req->ist.ei1 = rte_pktmbuf_iova(m_src);
+	req->ist.ei2 = req->ist.ei1;
+	req->ist.ei3 = sess->ucmd_w3;
+
+	hdr->seq = rte_cpu_to_be_32(sess->seq_lo);
+	hdr->ip_id = rte_cpu_to_be_32(sess->ip_id);
+
+	sess->ip_id++;
+	sess->esn++;
+
+exit:
+	*prep_req = req;
+
+	return ret;
+}
+
+static __rte_always_inline int
+process_inb_sa(struct rte_crypto_op *cop,
+	      struct otx2_sec_session_ipsec_lp *sess,
+	      struct cpt_qp_meta_info *m_info, void **prep_req)
+{
+	struct rte_crypto_sym_op *sym_op = cop->sym;
+	struct rte_mbuf *m_src = sym_op->m_src;
+	struct cpt_request_info *req = NULL;
+	int mdata_len, ret = 0;
+	vq_cmd_word0_t word0;
+	uint32_t dlen;
+	char *mdata;
+
+	dlen = rte_pktmbuf_pkt_len(m_src);
+	mdata_len = m_info->lb_mlen + 8;
+
+	mdata = rte_pktmbuf_append(m_src, mdata_len);
+	if (unlikely(mdata == NULL)) {
+		otx2_err("Not enough tail room\n");
+		ret = -ENOMEM;
+		goto exit;
+	}
+
+	req = alloc_request_struct(mdata, (void *)cop, mdata_len);
+
+	/* Prepare CPT instruction */
+	word0.u64 = sess->ucmd_w0;
+	word0.s.dlen   = dlen;
+
+	req->ist.ei0 = word0.u64;
+	req->ist.ei1 = rte_pktmbuf_iova(m_src);
+	req->ist.ei2 = req->ist.ei1;
+	req->ist.ei3 = sess->ucmd_w3;
+
+exit:
+	*prep_req = req;
+	return ret;
+}
+#endif /* __OTX2_IPSEC_PO_OPS_H__ */
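Review bot: in process_outb_sa() the second IV branch tests `ctl_wrd->auth_type == OTX2_IPSEC_FP_SA_ENC_AES_CBC`, comparing the auth field against an encryption-type constant while the first branch tests enc_type; this looks like it should be `ctl_wrd->enc_type`, otherwise the CBC IV copy depends on an unrelated field. Both memcpy() calls into hdr->iv take sess->iv_length with no bound in this function, and the GCM copy starts at iv[4], so a length above 12 bytes (16 for CBC) writes past the 16-byte array into the packet data that follows; check the length against sizeof(hdr->iv) here or point to where session create enforces it. Also, when rte_pktmbuf_prepend() fails the function returns -ENOMEM with the tail already extended by rte_pktmbuf_append() and *prep_req set to a non-NULL req, so the error path should trim the tail back and leave req NULL. `extend_tail = rlen - dlen` is unsigned and dlen includes hdr_len while rlen is computed from the length without it, so a comment or check showing that rlen >= dlen always holds would help.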
-- 
2.27.0


^ permalink raw reply	[flat|nested] 14+ messages in thread

* [dpdk-dev] [PATCH v2 9/9] crypto/octeontx2: add cryptodev sec dequeue routine
  2020-07-15  9:26 [dpdk-dev] [PATCH v2 0/9] add OCTEON TX2 lookaside IPsec support Tejasree Kondoj
                   ` (7 preceding siblings ...)
  2020-07-15  9:27 ` [dpdk-dev] [PATCH v2 8/9] crypto/octeontx2: add cryptodev sec enqueue routine Tejasree Kondoj
@ 2020-07-15  9:27 ` Tejasree Kondoj
  2020-07-15 17:10   ` Akhil Goyal
  8 siblings, 1 reply; 14+ messages in thread
From: Tejasree Kondoj @ 2020-07-15  9:27 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Vamsi Attunuru, Narayana Prasad, Anoob Joseph, Tejasree Kondoj, dev

From: Vamsi Attunuru <vattunuru@marvell.com>

This patch adds lookaside IPsec dequeue routine.

Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 doc/guides/cryptodevs/octeontx2.rst           | 19 ++++++++++
 doc/guides/rel_notes/release_20_08.rst        |  5 +++
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c | 37 +++++++++++++++++++
 drivers/crypto/octeontx2/otx2_ipsec_po.h      | 30 +++++++++++++++
 4 files changed, 91 insertions(+)

diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst
index 085d669e49..5d111e46c3 100644
--- a/doc/guides/cryptodevs/octeontx2.rst
+++ b/doc/guides/cryptodevs/octeontx2.rst
@@ -158,3 +158,22 @@ application:
 
     ./test
     RTE>>cryptodev_octeontx2_asym_autotest
+
+
+Lookaside IPsec Support
+-----------------------
+
+The OCTEON TX2 SoC can accelerate IPsec traffic in lookaside protocol mode,
+with its **cryptographic accelerator (CPT)**. ``OCTEON TX2 crypto PMD`` implements
+this as an ``RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL`` offload.
+
+Refer to :doc:`../prog_guide/rte_security` for more details on protocol offloads.
+
+
+Features supported
+~~~~~~~~~~~~~~~~~~
+
+* IPv4
+* ESP
+* Tunnel mode
+* AES-128/192/256-GCM
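Review bot: the "Features supported" list names AES-128/192/256-GCM only, while process_outb_sa() in patch 8/9 carries a branch for OTX2_IPSEC_FP_SA_ENC_AES_CBC. Either list CBC here if it is meant to work, or drop that branch from the enqueue path so the documented and implemented cipher sets match.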
diff --git a/doc/guides/rel_notes/release_20_08.rst b/doc/guides/rel_notes/release_20_08.rst
index f19b748728..2d57adc283 100644
--- a/doc/guides/rel_notes/release_20_08.rst
+++ b/doc/guides/rel_notes/release_20_08.rst
@@ -225,6 +225,11 @@ New Features
   See the :doc:`../sample_app_ug/l2_forward_real_virtual` for more
   details of this parameter usage.
 
+* **Added lookaside IPsec support to OCTEON TX2 crypto PMD.**
+
+  Added lookaside IPsec support to OCTEON TX2 crypto PMD. With this feature,
+  applications will be able to offload lookaside IPsec to the hardware.
+
 
 Removed Items
 -------------
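Review bot: the bold title of the new bullet and the first sentence under it are the same text. The body should add what the title does not, for example that the support is exposed through ``rte_security`` as a lookaside protocol offload, which is how the PMD guide hunk in this patch describes it.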
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index 6a2753eb22..9d51b17ddd 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -835,11 +835,48 @@ otx2_cpt_asym_post_process(struct rte_crypto_op *cop,
 	}
 }
 
+static void
+otx2_cpt_sec_post_process(struct rte_crypto_op *cop, uintptr_t *rsp)
+{
+	struct cpt_request_info *req = (struct cpt_request_info *)rsp[2];
+	vq_cmd_word0_t *word0 = (vq_cmd_word0_t *)&req->ist.ei0;
+	struct rte_crypto_sym_op *sym_op = cop->sym;
+	struct rte_mbuf *m = sym_op->m_src;
+	struct rte_ipv4_hdr *ip;
+	uint16_t m_len;
+	int mdata_len;
+	char *data;
+
+	mdata_len = (int)rsp[3];
+	rte_pktmbuf_trim(m, mdata_len);
+
+	if ((word0->s.opcode & 0xff) == OTX2_IPSEC_PO_PROCESS_IPSEC_INB) {
+		data = rte_pktmbuf_mtod(m, char *);
+		ip = (struct rte_ipv4_hdr *)(data + OTX2_IPSEC_PO_INB_RPTR_HDR);
+
+		m_len = rte_be_to_cpu_16(ip->total_length);
+
+		m->data_len = m_len;
+		m->pkt_len = m_len;
+		m->data_off += OTX2_IPSEC_PO_INB_RPTR_HDR;
+	}
+}
+
 static inline void
 otx2_cpt_dequeue_post_process(struct otx2_cpt_qp *qp, struct rte_crypto_op *cop,
 			      uintptr_t *rsp, uint8_t cc)
 {
 	if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
+		if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
+			if (likely(cc == OTX2_IPSEC_PO_CC_SUCCESS)) {
+				otx2_cpt_sec_post_process(cop, rsp);
+				cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+			} else
+				cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+
+			return;
+		}
+
 		if (likely(cc == NO_ERR)) {
 			/* Verify authentication data if required */
 			if (unlikely(rsp[2]))
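Review bot: otx2_cpt_sec_post_process() sets m->data_len and m->pkt_len from ip->total_length of the decrypted packet without comparing it to the length the mbuf actually holds, so a malformed inner header produces an mbuf whose advertised length exceeds its data. Bound m_len by the mbuf data length remaining after the trim, minus OTX2_IPSEC_PO_INB_RPTR_HDR, and report the op as failed when it does not fit; the function returns void today, so it needs a return value for that. The return value of rte_pktmbuf_trim() is also ignored. Style: the `else` in otx2_cpt_dequeue_post_process() is unbraced while its `if` branch is braced.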
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h
index 5acda79749..bafc5c7653 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h
@@ -22,10 +22,40 @@
 #define OTX2_IPSEC_PO_PROCESS_IPSEC_OUTB   0x23
 #define OTX2_IPSEC_PO_PROCESS_IPSEC_INB    0x24
 
+#define OTX2_IPSEC_PO_INB_RPTR_HDR         0x8
+
 enum otx2_ipsec_po_comp_e {
 	OTX2_IPSEC_PO_CC_SUCCESS = 0x00,
 	OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED = 0xB0,
 	OTX2_IPSEC_PO_CC_ENCRYPT_UNSUPPORTED = 0xB1,
+	OTX2_IPSEC_PO_CC_IP_VERSION = 0xB2,
+	OTX2_IPSEC_PO_CC_PROTOCOL = 0xB3,
+	OTX2_IPSEC_PO_CC_CTX_INVALID = 0xB4,
+	OTX2_IPSEC_PO_CC_CTX_DIR_MISMATCH = 0xB5,
+	OTX2_IPSEC_PO_CC_IP_PAYLOAD_TYPE = 0xB6,
+	OTX2_IPSEC_PO_CC_CTX_FLAG_MISMATCH = 0xB7,
+	OTX2_IPSEC_PO_CC_GRE_HDR_MISMATCH = 0xB8,
+	OTX2_IPSEC_PO_CC_GRE_PROTOCOL = 0xB9,
+	OTX2_IPSEC_PO_CC_CUSTOM_HDR_LEN = 0xBA,
+	OTX2_IPSEC_PO_CC_ENC_TYPE_CTR_GCM = 0xBB,
+	OTX2_IPSEC_PO_CC_IPCOMP_CONF = 0xBC,
+	OTX2_IPSEC_PO_CC_FREG_SIZE_CONF = 0xBD,
+	OTX2_IPSEC_PO_CC_SPI_MISMATCH = 0xBE,
+	OTX2_IPSEC_PO_CC_CHECKSUM = 0xBF,
+	OTX2_IPSEC_PO_CC_IPCOMP_PKT_DETECTED = 0xC0,
+	OTX2_IPSEC_PO_CC_TFC_PADDING_WITH_PREFRAG = 0xC1,
+	OTX2_IPSEC_PO_CC_DSIV_INCORRECT_PARAM = 0xC2,
+	OTX2_IPSEC_PO_CC_AUTH_MISMATCH = 0xC3,
+	OTX2_IPSEC_PO_CC_PADDING = 0xC4,
+	OTX2_IPSEC_PO_CC_DUMMY_PADDING = 0xC5,
+	OTX2_IPSEC_PO_CC_IPV6_EXT_HDRS_TOO_BIG = 0xC6,
+	OTX2_IPSEC_PO_CC_IPV6_HOP_BY_HOP = 0xC7,
+	OTX2_IPSEC_PO_CC_IPV6_RH_LENGTH = 0xC8,
+	OTX2_IPSEC_PO_CC_IPV6_OUTB_RH_COPY_ADDR = 0xC9,
+	OTX2_IPSEC_PO_CC_IPV6_DEC_RH_SEGS_LEFT = 0xCA,
+	OTX2_IPSEC_PO_CC_IPV6_HDR_INVALID = 0xCB,
+	OTX2_IPSEC_PO_CC_IPV6_SELECTOR_MATCH = 0xCC,
+	OTX2_IPSEC_PO_CC_IPV6_UDP_PAYLOAD_CSUM_MISMATCH = 0xCE,
 };
 
 enum {
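Review bot: none of the completion codes added to enum otx2_ipsec_po_comp_e is referenced by the dequeue path in this patch, which compares cc only against OTX2_IPSEC_PO_CC_SUCCESS and maps everything else to RTE_CRYPTO_OP_STATUS_ERROR. Either log the code on the failure path, so that OTX2_IPSEC_PO_CC_AUTH_MISMATCH can be told apart from a context or configuration error, or drop the unused values. The values jump from 0xCC to 0xCE; a comment should say whether 0xCD is reserved. OTX2_IPSEC_PO_INB_RPTR_HDR also needs a comment saying what the 8 bytes in front of the inbound result contain.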
-- 
2.27.0


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [dpdk-dev] [PATCH v2 4/9] crypto/octeontx2: add cryptodev sec registration
  2020-07-15  9:26 ` [dpdk-dev] [PATCH v2 4/9] crypto/octeontx2: add cryptodev sec registration Tejasree Kondoj
@ 2020-07-15 16:57   ` Akhil Goyal
  2020-07-16  5:04     ` Tejasree Kondoj
  0 siblings, 1 reply; 14+ messages in thread
From: Akhil Goyal @ 2020-07-15 16:57 UTC (permalink / raw)
  To: Tejasree Kondoj, Radu Nicolau
  Cc: Narayana Prasad, Anoob Joseph, Vamsi Attunuru, dev

>  			     RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT |
>  			     RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO |
>  			     RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_QT |
> -			     RTE_CRYPTODEV_FF_SYM_SESSIONLESS;
> +			     RTE_CRYPTODEV_FF_SYM_SESSIONLESS |
> +			     RTE_CRYPTODEV_FF_SECURITY;
> 
Missed the corresponding change in doc/guides/cryptodevs/features/octeontx2.ini


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [dpdk-dev] [PATCH v2 9/9] crypto/octeontx2: add cryptodev sec dequeue routine
  2020-07-15  9:27 ` [dpdk-dev] [PATCH v2 9/9] crypto/octeontx2: add cryptodev sec dequeue routine Tejasree Kondoj
@ 2020-07-15 17:10   ` Akhil Goyal
  2020-07-16  5:05     ` Tejasree Kondoj
  0 siblings, 1 reply; 14+ messages in thread
From: Akhil Goyal @ 2020-07-15 17:10 UTC (permalink / raw)
  To: Tejasree Kondoj, Radu Nicolau
  Cc: Vamsi Attunuru, Narayana Prasad, Anoob Joseph, dev

> From: Vamsi Attunuru <vattunuru@marvell.com>
> 
> This patch adds lookaside IPsec dequeue routine.
> 
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---

The patch can be squashed into the previous one, as enqueue will not work without the dequeue operation.

>  doc/guides/cryptodevs/octeontx2.rst           | 19 ++++++++++
>  doc/guides/rel_notes/release_20_08.rst        |  5 +++
>  drivers/crypto/octeontx2/otx2_cryptodev_ops.c | 37 +++++++++++++++++++
>  drivers/crypto/octeontx2/otx2_ipsec_po.h      | 30 +++++++++++++++
>  4 files changed, 91 insertions(+)
> 
> diff --git a/doc/guides/cryptodevs/octeontx2.rst
> b/doc/guides/cryptodevs/octeontx2.rst
> index 085d669e49..5d111e46c3 100644
> --- a/doc/guides/cryptodevs/octeontx2.rst
> +++ b/doc/guides/cryptodevs/octeontx2.rst
> @@ -158,3 +158,22 @@ application:
> 
>      ./test
>      RTE>>cryptodev_octeontx2_asym_autotest
> +
> +
> +Lookaside IPsec Support
> +-----------------------
> +
> +The OCTEON TX2 SoC can accelerate IPsec traffic in lookaside protocol mode,
> +with its **cryptographic accelerator (CPT)**. ``OCTEON TX2 crypto PMD``
> implements
> +this as an ``RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL`` offload.
> +
> +Refer to :doc:`../prog_guide/rte_security` for more details on protocol
> offloads.
> +
You can probably add here that the feature can be tested with the ipsec-secgw
sample application.

> +
> +Features supported
> +~~~~~~~~~~~~~~~~~~
> +
> +* IPv4
> +* ESP
> +* Tunnel mode
> +* AES-128/192/256-GCM
> diff --git a/doc/guides/rel_notes/release_20_08.rst
> b/doc/guides/rel_notes/release_20_08.rst
> index f19b748728..2d57adc283 100644
> --- a/doc/guides/rel_notes/release_20_08.rst
> +++ b/doc/guides/rel_notes/release_20_08.rst
> @@ -225,6 +225,11 @@ New Features
>    See the :doc:`../sample_app_ug/l2_forward_real_virtual` for more
>    details of this parameter usage.
> 
> +* **Added lookaside IPsec support to OCTEON TX2 crypto PMD.**
> +
> +  Added lookaside IPsec support to OCTEON TX2 crypto PMD. With this feature,
> +  applications will be able to offload lookaside IPsec to the hardware.
> +

Move this bullet as per the order described in this doc (below the new features section).
And it would be better to re-phrase the statement as
* **Updated the OCTEON TX2 crypto PMD to support rte_security.**

  Updated the OCTEON TX2 crypto PMD to support ``rte_security`` lookaside
  protocol offload for IPsec.

> 
>  Removed Items
>  -------------
> diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
> b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
> index 6a2753eb22..9d51b17ddd 100644
> --- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
> +++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
> @@ -835,11 +835,48 @@ otx2_cpt_asym_post_process(struct rte_crypto_op
> *cop,
>  	}
>  }
> 

<snip>

> +
>  enum otx2_ipsec_po_comp_e {
>  	OTX2_IPSEC_PO_CC_SUCCESS = 0x00,
>  	OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED = 0xB0,
>  	OTX2_IPSEC_PO_CC_ENCRYPT_UNSUPPORTED = 0xB1,
> +	OTX2_IPSEC_PO_CC_IP_VERSION = 0xB2,
> +	OTX2_IPSEC_PO_CC_PROTOCOL = 0xB3,
> +	OTX2_IPSEC_PO_CC_CTX_INVALID = 0xB4,
> +	OTX2_IPSEC_PO_CC_CTX_DIR_MISMATCH = 0xB5,
> +	OTX2_IPSEC_PO_CC_IP_PAYLOAD_TYPE = 0xB6,
> +	OTX2_IPSEC_PO_CC_CTX_FLAG_MISMATCH = 0xB7,
> +	OTX2_IPSEC_PO_CC_GRE_HDR_MISMATCH = 0xB8,
> +	OTX2_IPSEC_PO_CC_GRE_PROTOCOL = 0xB9,
> +	OTX2_IPSEC_PO_CC_CUSTOM_HDR_LEN = 0xBA,
> +	OTX2_IPSEC_PO_CC_ENC_TYPE_CTR_GCM = 0xBB,
> +	OTX2_IPSEC_PO_CC_IPCOMP_CONF = 0xBC,
> +	OTX2_IPSEC_PO_CC_FREG_SIZE_CONF = 0xBD,
> +	OTX2_IPSEC_PO_CC_SPI_MISMATCH = 0xBE,
> +	OTX2_IPSEC_PO_CC_CHECKSUM = 0xBF,
> +	OTX2_IPSEC_PO_CC_IPCOMP_PKT_DETECTED = 0xC0,
> +	OTX2_IPSEC_PO_CC_TFC_PADDING_WITH_PREFRAG = 0xC1,
> +	OTX2_IPSEC_PO_CC_DSIV_INCORRECT_PARAM = 0xC2,
> +	OTX2_IPSEC_PO_CC_AUTH_MISMATCH = 0xC3,
> +	OTX2_IPSEC_PO_CC_PADDING = 0xC4,
> +	OTX2_IPSEC_PO_CC_DUMMY_PADDING = 0xC5,
> +	OTX2_IPSEC_PO_CC_IPV6_EXT_HDRS_TOO_BIG = 0xC6,
> +	OTX2_IPSEC_PO_CC_IPV6_HOP_BY_HOP = 0xC7,
> +	OTX2_IPSEC_PO_CC_IPV6_RH_LENGTH = 0xC8,
> +	OTX2_IPSEC_PO_CC_IPV6_OUTB_RH_COPY_ADDR = 0xC9,
> +	OTX2_IPSEC_PO_CC_IPV6_DEC_RH_SEGS_LEFT = 0xCA,
> +	OTX2_IPSEC_PO_CC_IPV6_HDR_INVALID = 0xCB,
> +	OTX2_IPSEC_PO_CC_IPV6_SELECTOR_MATCH = 0xCC,
> +	OTX2_IPSEC_PO_CC_IPV6_UDP_PAYLOAD_CSUM_MISMATCH = 0xCE,
>  };

Are these error codes? Are they added in the debug prints somewhere?
> 
>  enum {
> --
> 2.27.0


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [dpdk-dev] [PATCH v2 4/9] crypto/octeontx2: add cryptodev sec registration
  2020-07-15 16:57   ` Akhil Goyal
@ 2020-07-16  5:04     ` Tejasree Kondoj
  0 siblings, 0 replies; 14+ messages in thread
From: Tejasree Kondoj @ 2020-07-16  5:04 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Narayana Prasad Raju Athreya, Anoob Joseph, Vamsi Krishna Attunuru, dev

Hi Akhil,

Please see inline.

Thanks
Tejasree

> -----Original Message-----
> From: Akhil Goyal <akhil.goyal@nxp.com>
> Sent: Wednesday, July 15, 2020 10:28 PM
> To: Tejasree Kondoj <ktejasree@marvell.com>; Radu Nicolau
> <radu.nicolau@intel.com>
> Cc: Narayana Prasad Raju Athreya <pathreya@marvell.com>; Anoob Joseph
> <anoobj@marvell.com>; Vamsi Krishna Attunuru <vattunuru@marvell.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [PATCH v2 4/9] crypto/octeontx2: add cryptodev sec
> registration
> 
> External Email
> 
> ----------------------------------------------------------------------
> >  			     RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT |
> >  			     RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO |
> >  			     RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_QT |
> > -			     RTE_CRYPTODEV_FF_SYM_SESSIONLESS;
> > +			     RTE_CRYPTODEV_FF_SYM_SESSIONLESS |
> > +			     RTE_CRYPTODEV_FF_SECURITY;
> >
> Missed the corresponding change in
> doc/guides/cryptodevs/features/octeontx2.ini
[Tejasree] Will add it.


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [dpdk-dev] [PATCH v2 9/9] crypto/octeontx2: add cryptodev sec dequeue routine
  2020-07-15 17:10   ` Akhil Goyal
@ 2020-07-16  5:05     ` Tejasree Kondoj
  0 siblings, 0 replies; 14+ messages in thread
From: Tejasree Kondoj @ 2020-07-16  5:05 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Vamsi Krishna Attunuru, Narayana Prasad Raju Athreya, Anoob Joseph, dev

Hi Akhil,

Please see inline.

Thanks
Tejasree

> -----Original Message-----
> From: Akhil Goyal <akhil.goyal@nxp.com>
> Sent: Wednesday, July 15, 2020 10:40 PM
> To: Tejasree Kondoj <ktejasree@marvell.com>; Radu Nicolau
> <radu.nicolau@intel.com>
> Cc: Vamsi Krishna Attunuru <vattunuru@marvell.com>; Narayana Prasad
> Raju Athreya <pathreya@marvell.com>; Anoob Joseph
> <anoobj@marvell.com>; dev@dpdk.org
> Subject: [EXT] RE: [PATCH v2 9/9] crypto/octeontx2: add cryptodev sec
> dequeue routine
> 
> External Email
> 
> ----------------------------------------------------------------------
> > From: Vamsi Attunuru <vattunuru@marvell.com>
> >
> > This patch adds lookaside IPsec dequeue routine.
> >
> > Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > ---
> 
> The patch can be squashed into the previous one.
> As enqueue will not work without dequeue operation.
[Tejasree] Will squash it with previous patch.
> 
> >  doc/guides/cryptodevs/octeontx2.rst           | 19 ++++++++++
> >  doc/guides/rel_notes/release_20_08.rst        |  5 +++
> >  drivers/crypto/octeontx2/otx2_cryptodev_ops.c | 37
> +++++++++++++++++++
> >  drivers/crypto/octeontx2/otx2_ipsec_po.h      | 30 +++++++++++++++
> >  4 files changed, 91 insertions(+)
> >
> > diff --git a/doc/guides/cryptodevs/octeontx2.rst
> > b/doc/guides/cryptodevs/octeontx2.rst
> > index 085d669e49..5d111e46c3 100644
> > --- a/doc/guides/cryptodevs/octeontx2.rst
> > +++ b/doc/guides/cryptodevs/octeontx2.rst
> > @@ -158,3 +158,22 @@ application:
> >
> >      ./test
> >      RTE>>cryptodev_octeontx2_asym_autotest
> > +
> > +
> > +Lookaside IPsec Support
> > +-----------------------
> > +
> > +The OCTEON TX2 SoC can accelerate IPsec traffic in lookaside protocol
> > +mode, with its **cryptographic accelerator (CPT)**. ``OCTEON TX2
> > +crypto PMD``
> > implements
> > +this as an ``RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL``
> offload.
> > +
> > +Refer to :doc:`../prog_guide/rte_security` for more details on
> > +protocol
> > offloads.
> > +
> You can probably add here that the feature can be tested with ipsec-secgw
> sample application
[Tejasree] Sure
> 
> > +
> > +Features supported
> > +~~~~~~~~~~~~~~~~~~
> > +
> > +* IPv4
> > +* ESP
> > +* Tunnel mode
> > +* AES-128/192/256-GCM
> > diff --git a/doc/guides/rel_notes/release_20_08.rst
> > b/doc/guides/rel_notes/release_20_08.rst
> > index f19b748728..2d57adc283 100644
> > --- a/doc/guides/rel_notes/release_20_08.rst
> > +++ b/doc/guides/rel_notes/release_20_08.rst
> > @@ -225,6 +225,11 @@ New Features
> >    See the :doc:`../sample_app_ug/l2_forward_real_virtual` for more
> >    details of this parameter usage.
> >
> > +* **Added lookaside IPsec support to OCTEON TX2 crypto PMD.**
> > +
> > +  Added lookaside IPsec support to OCTEON TX2 crypto PMD. With this
> > + feature,  applications will be able to offload lookaside IPsec to the
> hardware.
> > +
> 
> Move this bullet as per the order described in this doc(below the new
> features section).
> And it would be better to re-phrase the statement as
> * **Updated the OCTEON TX2 crypto PMD to support rte_security.**
> 
>   Updated the OCTEON TX2 crypto PMD to support ``rte_security`` lookaside
>   protocol offload for IPsec.
[Tejasree] Will move it and rephrase the statement.
> 
> >
> >  Removed Items
> >  -------------
> > diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
> > b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
> > index 6a2753eb22..9d51b17ddd 100644
> > --- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
> > +++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
> > @@ -835,11 +835,48 @@ otx2_cpt_asym_post_process(struct
> rte_crypto_op
> > *cop,
> >  	}
> >  }
> >
> 
> <snip>
> 
> > +
> >  enum otx2_ipsec_po_comp_e {
> >  	OTX2_IPSEC_PO_CC_SUCCESS = 0x00,
> >  	OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED = 0xB0,
> >  	OTX2_IPSEC_PO_CC_ENCRYPT_UNSUPPORTED = 0xB1,
> > +	OTX2_IPSEC_PO_CC_IP_VERSION = 0xB2,
> > +	OTX2_IPSEC_PO_CC_PROTOCOL = 0xB3,
> > +	OTX2_IPSEC_PO_CC_CTX_INVALID = 0xB4,
> > +	OTX2_IPSEC_PO_CC_CTX_DIR_MISMATCH = 0xB5,
> > +	OTX2_IPSEC_PO_CC_IP_PAYLOAD_TYPE = 0xB6,
> > +	OTX2_IPSEC_PO_CC_CTX_FLAG_MISMATCH = 0xB7,
> > +	OTX2_IPSEC_PO_CC_GRE_HDR_MISMATCH = 0xB8,
> > +	OTX2_IPSEC_PO_CC_GRE_PROTOCOL = 0xB9,
> > +	OTX2_IPSEC_PO_CC_CUSTOM_HDR_LEN = 0xBA,
> > +	OTX2_IPSEC_PO_CC_ENC_TYPE_CTR_GCM = 0xBB,
> > +	OTX2_IPSEC_PO_CC_IPCOMP_CONF = 0xBC,
> > +	OTX2_IPSEC_PO_CC_FREG_SIZE_CONF = 0xBD,
> > +	OTX2_IPSEC_PO_CC_SPI_MISMATCH = 0xBE,
> > +	OTX2_IPSEC_PO_CC_CHECKSUM = 0xBF,
> > +	OTX2_IPSEC_PO_CC_IPCOMP_PKT_DETECTED = 0xC0,
> > +	OTX2_IPSEC_PO_CC_TFC_PADDING_WITH_PREFRAG = 0xC1,
> > +	OTX2_IPSEC_PO_CC_DSIV_INCORRECT_PARAM = 0xC2,
> > +	OTX2_IPSEC_PO_CC_AUTH_MISMATCH = 0xC3,
> > +	OTX2_IPSEC_PO_CC_PADDING = 0xC4,
> > +	OTX2_IPSEC_PO_CC_DUMMY_PADDING = 0xC5,
> > +	OTX2_IPSEC_PO_CC_IPV6_EXT_HDRS_TOO_BIG = 0xC6,
> > +	OTX2_IPSEC_PO_CC_IPV6_HOP_BY_HOP = 0xC7,
> > +	OTX2_IPSEC_PO_CC_IPV6_RH_LENGTH = 0xC8,
> > +	OTX2_IPSEC_PO_CC_IPV6_OUTB_RH_COPY_ADDR = 0xC9,
> > +	OTX2_IPSEC_PO_CC_IPV6_DEC_RH_SEGS_LEFT = 0xCA,
> > +	OTX2_IPSEC_PO_CC_IPV6_HDR_INVALID = 0xCB,
> > +	OTX2_IPSEC_PO_CC_IPV6_SELECTOR_MATCH = 0xCC,
> > +	OTX2_IPSEC_PO_CC_IPV6_UDP_PAYLOAD_CSUM_MISMATCH = 0xCE,
> >  };
> 
> Are these error codes? Are they added in the debug prints somewhere?
[Tejasree] Yes, these are error codes but they are not used right now. Will remove them.
> >
> >  enum {
> > --
> > 2.27.0


^ permalink raw reply	[flat|nested] 14+ messages in thread
