* [dpdk-dev] [PATCH v2 1/6] crypto/cnxk: add cn9k security ctx
2021-09-07 14:20 [dpdk-dev] [PATCH v2 0/6] add cn9k lookaside IPsec support Archana Muniganti
@ 2021-09-07 14:20 ` Archana Muniganti
2021-09-07 14:20 ` [dpdk-dev] [PATCH v2 2/6] common/cnxk: add cn9k IPsec microcode defines Archana Muniganti
` (6 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Archana Muniganti @ 2021-09-07 14:20 UTC (permalink / raw)
To: gakhil
Cc: Archana Muniganti, ktejasree, adwivedi, anoobj, jerinj, dev,
Vamsi Attunuru
Add security ctx in cn9k crypto PMD.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
drivers/crypto/cnxk/cn9k_cryptodev.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/crypto/cnxk/cn9k_cryptodev.c b/drivers/crypto/cnxk/cn9k_cryptodev.c
index 9ff2383d98..db2e085161 100644
--- a/drivers/crypto/cnxk/cn9k_cryptodev.c
+++ b/drivers/crypto/cnxk/cn9k_cryptodev.c
@@ -14,6 +14,7 @@
#include "cn9k_cryptodev_ops.h"
#include "cnxk_cryptodev.h"
#include "cnxk_cryptodev_capabilities.h"
+#include "cnxk_cryptodev_sec.h"
#include "roc_api.h"
@@ -77,6 +78,11 @@ cn9k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
plt_err("Failed to add engine group rc=%d", rc);
goto dev_fini;
}
+
+ /* Create security context */
+ rc = cnxk_crypto_sec_ctx_create(dev);
+ if (rc)
+ goto dev_fini;
}
dev->dev_ops = &cn9k_cpt_ops;
@@ -117,6 +123,9 @@ cn9k_cpt_pci_remove(struct rte_pci_device *pci_dev)
if (dev == NULL)
return -ENODEV;
+ /* Destroy security context */
+ cnxk_crypto_sec_ctx_destroy(dev);
+
if (rte_eal_process_type() == RTE_PROC_PRIMARY) {
vf = dev->data->dev_private;
ret = roc_cpt_dev_fini(&vf->cpt);
--
2.22.0
^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-dev] [PATCH v2 2/6] common/cnxk: add cn9k IPsec microcode defines
2021-09-07 14:20 [dpdk-dev] [PATCH v2 0/6] add cn9k lookaside IPsec support Archana Muniganti
2021-09-07 14:20 ` [dpdk-dev] [PATCH v2 1/6] crypto/cnxk: add cn9k security ctx Archana Muniganti
@ 2021-09-07 14:20 ` Archana Muniganti
2021-09-07 14:21 ` [dpdk-dev] [PATCH v2 3/6] crypto/cnxk: add cn9k security session ops Archana Muniganti
` (5 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Archana Muniganti @ 2021-09-07 14:20 UTC (permalink / raw)
To: gakhil
Cc: Archana Muniganti, ktejasree, adwivedi, anoobj, jerinj, dev,
Vamsi Attunuru
Microcode IE opcodes support IPsec operations. Add defines
and structs defined by microcode.
Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
drivers/common/cnxk/roc_cpt.h | 1 +
drivers/common/cnxk/roc_ie_on.h | 158 ++++++++++++++++++++++++++++++--
2 files changed, 150 insertions(+), 9 deletions(-)
diff --git a/drivers/common/cnxk/roc_cpt.h b/drivers/common/cnxk/roc_cpt.h
index f0f505a8c2..9e63073a52 100644
--- a/drivers/common/cnxk/roc_cpt.h
+++ b/drivers/common/cnxk/roc_cpt.h
@@ -47,6 +47,7 @@
#define ROC_CPT_AES_GCM_MAC_LEN 16
#define ROC_CPT_AES_CBC_IV_LEN 16
#define ROC_CPT_SHA1_HMAC_LEN 12
+#define ROC_CPT_SHA2_HMAC_LEN 16
#define ROC_CPT_AUTH_KEY_LEN_MAX 64
#define ROC_CPT_DES3_KEY_LEN 24
diff --git a/drivers/common/cnxk/roc_ie_on.h b/drivers/common/cnxk/roc_ie_on.h
index 222c298a53..53591c6f02 100644
--- a/drivers/common/cnxk/roc_ie_on.h
+++ b/drivers/common/cnxk/roc_ie_on.h
@@ -5,18 +5,24 @@
#ifndef __ROC_IE_ON_H__
#define __ROC_IE_ON_H__
-/* CN9K IPSEC LA opcodes */
-#define ROC_IE_ONL_MAJOR_OP_WRITE_IPSEC_OUTBOUND 0x20
-#define ROC_IE_ONL_MAJOR_OP_WRITE_IPSEC_INBOUND 0x21
-#define ROC_IE_ONL_MAJOR_OP_PROCESS_OUTBOUND_IPSEC 0x23
-#define ROC_IE_ONL_MAJOR_OP_PROCESS_INBOUND_IPSEC 0x24
+/* CN9K IPsec LA */
-/* CN9K IPSEC FP opcodes */
-#define ROC_IE_ONF_MAJOR_OP_PROCESS_OUTBOUND_IPSEC 0x25UL
-#define ROC_IE_ONF_MAJOR_OP_PROCESS_INBOUND_IPSEC 0x26UL
+/* CN9K IPsec LA opcodes */
+#define ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_OUTBOUND 0x20
+#define ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_INBOUND 0x21
+#define ROC_IE_ON_MAJOR_OP_PROCESS_OUTBOUND_IPSEC 0x23
+#define ROC_IE_ON_MAJOR_OP_PROCESS_INBOUND_IPSEC 0x24
/* Ucode completion codes */
-#define ROC_IE_ONF_UCC_SUCCESS 0
+enum roc_ie_on_ucc_ipsec {
+ ROC_IE_ON_UCC_SUCCESS = 0,
+ ROC_IE_ON_AUTH_UNSUPPORTED = 0xB0,
+ ROC_IE_ON_ENCRYPT_UNSUPPORTED = 0xB1,
+};
+
+/* Helper macros */
+#define ROC_IE_ON_PER_PKT_IV BIT(11)
+#define ROC_IE_ON_INB_RPTR_HDR 0x8
enum {
ROC_IE_ON_SA_ENC_NULL = 0,
@@ -50,6 +56,140 @@ enum {
ROC_IE_ON_SA_ENCAP_UDP = 1,
};
+struct roc_ie_on_outb_hdr {
+ uint32_t ip_id;
+ uint32_t seq;
+ uint8_t iv[16];
+};
+
+union roc_ie_on_bit_perfect_iv {
+ uint8_t aes_iv[16];
+ uint8_t des_iv[8];
+ struct {
+ uint8_t nonce[4];
+ uint8_t iv[8];
+ uint8_t counter[4];
+ } gcm;
+};
+
+struct roc_ie_on_traffic_selector {
+ uint16_t src_port[2];
+ uint16_t dst_port[2];
+ union {
+ struct {
+ uint32_t src_addr[2];
+ uint32_t dst_addr[2];
+ } ipv4;
+ struct {
+ uint8_t src_addr[32];
+ uint8_t dst_addr[32];
+ } ipv6;
+ };
+};
+
+struct roc_ie_on_ip_template {
+ union {
+ struct {
+ uint8_t ipv4_hdr[20];
+ uint16_t udp_src;
+ uint16_t udp_dst;
+ } ip4;
+ struct {
+ uint8_t ipv6_hdr[40];
+ uint16_t udp_src;
+ uint16_t udp_dst;
+ } ip6;
+ };
+};
+
+struct roc_ie_on_sa_ctl {
+ uint64_t spi : 32;
+ uint64_t exp_proto_inter_frag : 8;
+ uint64_t copy_df : 1;
+ uint64_t frag_type : 1;
+ uint64_t explicit_iv_en : 1;
+ uint64_t esn_en : 1;
+ uint64_t rsvd_45_44 : 2;
+ uint64_t encap_type : 2;
+ uint64_t enc_type : 3;
+ uint64_t rsvd_48 : 1;
+ uint64_t auth_type : 4;
+ uint64_t valid : 1;
+ uint64_t direction : 1;
+ uint64_t outer_ip_ver : 1;
+ uint64_t inner_ip_ver : 1;
+ uint64_t ipsec_mode : 1;
+ uint64_t ipsec_proto : 1;
+ uint64_t aes_key_len : 2;
+};
+
+struct roc_ie_on_common_sa {
+ /* w0 */
+ struct roc_ie_on_sa_ctl ctl;
+
+ /* w1-w4 */
+ uint8_t cipher_key[32];
+
+ /* w5-w6 */
+ union roc_ie_on_bit_perfect_iv iv;
+
+ /* w7 */
+ uint32_t esn_hi;
+ uint32_t esn_low;
+};
+
+struct roc_ie_on_outb_sa {
+ /* w0 - w7 */
+ struct roc_ie_on_common_sa common_sa;
+
+ /* w8-w55 */
+ union {
+ struct {
+ struct roc_ie_on_ip_template template;
+ } aes_gcm;
+ struct {
+ uint8_t hmac_key[24];
+ uint8_t unused[24];
+ struct roc_ie_on_ip_template template;
+ } sha1;
+ struct {
+ uint8_t hmac_key[64];
+ uint8_t hmac_iv[64];
+ struct roc_ie_on_ip_template template;
+ } sha2;
+ };
+};
+
+struct roc_ie_on_inb_sa {
+ /* w0 - w7 */
+ struct roc_ie_on_common_sa common_sa;
+
+ /* w8 */
+ uint8_t udp_encap[8];
+
+ /* w9-w33 */
+ union {
+ struct {
+ uint8_t hmac_key[48];
+ struct roc_ie_on_traffic_selector selector;
+ } sha1_or_gcm;
+ struct {
+ uint8_t hmac_key[64];
+ uint8_t hmac_iv[64];
+ struct roc_ie_on_traffic_selector selector;
+ } sha2;
+ };
+};
+
+/* CN9K IPsec FP */
+
+/* CN9K IPsec FP opcodes */
+#define ROC_IE_ONF_MAJOR_OP_PROCESS_OUTBOUND_IPSEC 0x25UL
+#define ROC_IE_ONF_MAJOR_OP_PROCESS_INBOUND_IPSEC 0x26UL
+
+/* Ucode completion codes */
+#define ROC_IE_ONF_UCC_SUCCESS 0
+
struct roc_ie_onf_sa_ctl {
uint32_t spi;
uint64_t exp_proto_inter_frag : 8;
--
2.22.0
^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-dev] [PATCH v2 3/6] crypto/cnxk: add cn9k security session ops
2021-09-07 14:20 [dpdk-dev] [PATCH v2 0/6] add cn9k lookaside IPsec support Archana Muniganti
2021-09-07 14:20 ` [dpdk-dev] [PATCH v2 1/6] crypto/cnxk: add cn9k security ctx Archana Muniganti
2021-09-07 14:20 ` [dpdk-dev] [PATCH v2 2/6] common/cnxk: add cn9k IPsec microcode defines Archana Muniganti
@ 2021-09-07 14:21 ` Archana Muniganti
2021-09-07 14:21 ` [dpdk-dev] [PATCH v2 4/6] crypto/cnxk: add cn9k lookaside IPsec datapath Archana Muniganti
` (4 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Archana Muniganti @ 2021-09-07 14:21 UTC (permalink / raw)
To: gakhil
Cc: Archana Muniganti, ktejasree, adwivedi, anoobj, jerinj, dev,
Vamsi Attunuru
Add security session ops.
Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
drivers/crypto/cnxk/cn9k_cryptodev.c | 2 +
drivers/crypto/cnxk/cn9k_ipsec.c | 610 +++++++++++++++++++++++++++
drivers/crypto/cnxk/cn9k_ipsec.h | 46 ++
drivers/crypto/cnxk/meson.build | 1 +
4 files changed, 659 insertions(+)
create mode 100644 drivers/crypto/cnxk/cn9k_ipsec.c
create mode 100644 drivers/crypto/cnxk/cn9k_ipsec.h
diff --git a/drivers/crypto/cnxk/cn9k_cryptodev.c b/drivers/crypto/cnxk/cn9k_cryptodev.c
index db2e085161..e60b352fac 100644
--- a/drivers/crypto/cnxk/cn9k_cryptodev.c
+++ b/drivers/crypto/cnxk/cn9k_cryptodev.c
@@ -12,6 +12,7 @@
#include "cn9k_cryptodev.h"
#include "cn9k_cryptodev_ops.h"
+#include "cn9k_ipsec.h"
#include "cnxk_cryptodev.h"
#include "cnxk_cryptodev_capabilities.h"
#include "cnxk_cryptodev_sec.h"
@@ -92,6 +93,7 @@ cn9k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
cnxk_cpt_caps_populate(vf);
cn9k_cpt_set_enqdeq_fns(dev);
+ cn9k_sec_ops_override();
return 0;
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
new file mode 100644
index 0000000000..0b63cc408a
--- /dev/null
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -0,0 +1,610 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2021 Marvell.
+ */
+
+#include <rte_cryptodev.h>
+#include <rte_ip.h>
+#include <rte_security.h>
+#include <rte_security_driver.h>
+
+#include "cnxk_cryptodev.h"
+#include "cnxk_cryptodev_ops.h"
+#include "cnxk_ipsec.h"
+#include "cnxk_security.h"
+#include "cn9k_ipsec.h"
+
+#include "roc_api.h"
+
+static inline int
+cn9k_cpt_enq_sa_write(struct cn9k_ipsec_sa *sa, struct cnxk_cpt_qp *qp,
+ uint8_t opcode, size_t ctx_len)
+{
+ uint64_t lmtline = qp->lmtline.lmt_base;
+ uint64_t io_addr = qp->lmtline.io_addr;
+ uint64_t lmt_status, time_out;
+ struct cpt_cn9k_res_s *res;
+ struct cpt_inst_s inst;
+ uint64_t *mdata;
+ int ret = 0;
+
+ if (unlikely(rte_mempool_get(qp->meta_info.pool, (void **)&mdata) < 0))
+ return -ENOMEM;
+
+ res = (struct cpt_cn9k_res_s *)RTE_PTR_ALIGN(mdata, 16);
+ res->compcode = CPT_COMP_NOT_DONE;
+
+ inst.w4.s.opcode_major = opcode;
+ inst.w4.s.opcode_minor = ctx_len >> 3;
+ inst.w4.s.param1 = 0;
+ inst.w4.s.param2 = 0;
+ inst.w4.s.dlen = ctx_len;
+ inst.dptr = rte_mempool_virt2iova(sa);
+ inst.rptr = 0;
+ inst.w7.s.cptr = rte_mempool_virt2iova(sa);
+ inst.w7.s.egrp = ROC_CPT_DFLT_ENG_GRP_SE;
+
+ inst.w0.u64 = 0;
+ inst.w2.u64 = 0;
+ inst.w3.u64 = 0;
+ inst.res_addr = rte_mempool_virt2iova(res);
+
+ rte_io_wmb();
+
+ do {
+ /* Copy CPT command to LMTLINE */
+ roc_lmt_mov((void *)lmtline, &inst, 2);
+ lmt_status = roc_lmt_submit_ldeor(io_addr);
+ } while (lmt_status == 0);
+
+ time_out = rte_get_timer_cycles() +
+ DEFAULT_COMMAND_TIMEOUT * rte_get_timer_hz();
+
+ while (res->compcode == CPT_COMP_NOT_DONE) {
+ if (rte_get_timer_cycles() > time_out) {
+ rte_mempool_put(qp->meta_info.pool, mdata);
+ plt_err("Request timed out");
+ return -ETIMEDOUT;
+ }
+ rte_io_rmb();
+ }
+
+ if (unlikely(res->compcode != CPT_COMP_GOOD)) {
+ ret = res->compcode;
+ switch (ret) {
+ case CPT_COMP_INSTERR:
+ plt_err("Request failed with instruction error");
+ break;
+ case CPT_COMP_FAULT:
+ plt_err("Request failed with DMA fault");
+ break;
+ case CPT_COMP_HWERR:
+ plt_err("Request failed with hardware error");
+ break;
+ default:
+ plt_err("Request failed with unknown hardware "
+ "completion code : 0x%x",
+ ret);
+ }
+ ret = -EINVAL;
+ goto mempool_put;
+ }
+
+ if (unlikely(res->uc_compcode != ROC_IE_ON_UCC_SUCCESS)) {
+ ret = res->uc_compcode;
+ switch (ret) {
+ case ROC_IE_ON_AUTH_UNSUPPORTED:
+ plt_err("Invalid auth type");
+ break;
+ case ROC_IE_ON_ENCRYPT_UNSUPPORTED:
+ plt_err("Invalid encrypt type");
+ break;
+ default:
+ plt_err("Request failed with unknown microcode "
+ "completion code : 0x%x",
+ ret);
+ }
+ ret = -ENOTSUP;
+ }
+
+mempool_put:
+ rte_mempool_put(qp->meta_info.pool, mdata);
+ return ret;
+}
+
+static inline int
+ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
+ struct rte_crypto_sym_xform *crypto_xform,
+ struct roc_ie_on_sa_ctl *ctl)
+{
+ struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
+ int aes_key_len;
+
+ if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+ ctl->direction = ROC_IE_SA_DIR_OUTBOUND;
+ cipher_xform = crypto_xform;
+ auth_xform = crypto_xform->next;
+ } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+ ctl->direction = ROC_IE_SA_DIR_INBOUND;
+ auth_xform = crypto_xform;
+ cipher_xform = crypto_xform->next;
+ } else {
+ return -EINVAL;
+ }
+
+ if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+ if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+ ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
+ else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
+ ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_6;
+ else
+ return -EINVAL;
+ }
+
+ ctl->inner_ip_ver = ctl->outer_ip_ver;
+
+ if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
+ ctl->ipsec_mode = ROC_IE_SA_MODE_TRANSPORT;
+ else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+ ctl->ipsec_mode = ROC_IE_SA_MODE_TUNNEL;
+ else
+ return -EINVAL;
+
+ if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
+ ctl->ipsec_proto = ROC_IE_SA_PROTOCOL_AH;
+ else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
+ ctl->ipsec_proto = ROC_IE_SA_PROTOCOL_ESP;
+ else
+ return -EINVAL;
+
+ if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+ ctl->enc_type = ROC_IE_ON_SA_ENC_AES_GCM;
+ aes_key_len = crypto_xform->aead.key.length;
+ } else {
+ return -ENOTSUP;
+ }
+ } else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+ ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC;
+ aes_key_len = cipher_xform->cipher.key.length;
+ } else {
+ return -ENOTSUP;
+ }
+
+ switch (aes_key_len) {
+ case 16:
+ ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;
+ break;
+ case 24:
+ ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;
+ break;
+ case 32:
+ ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
+ switch (auth_xform->auth.algo) {
+ case RTE_CRYPTO_AUTH_NULL:
+ ctl->auth_type = ROC_IE_ON_SA_AUTH_NULL;
+ break;
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ ctl->auth_type = ROC_IE_ON_SA_AUTH_MD5;
+ break;
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA1;
+ break;
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_224;
+ break;
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_256;
+ break;
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_384;
+ break;
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_512;
+ break;
+ case RTE_CRYPTO_AUTH_AES_GMAC:
+ ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_GMAC;
+ break;
+ case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+ ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_XCBC_128;
+ break;
+ default:
+ return -ENOTSUP;
+ }
+ }
+
+ if (ipsec->options.esn)
+ ctl->esn_en = 1;
+
+ if (ipsec->options.udp_encap == 1)
+ ctl->encap_type = ROC_IE_ON_SA_ENCAP_UDP;
+
+ ctl->spi = rte_cpu_to_be_32(ipsec->spi);
+
+ rte_io_wmb();
+
+ ctl->valid = 1;
+
+ return 0;
+}
+
+static inline int
+fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
+ struct rte_crypto_sym_xform *crypto_xform,
+ struct roc_ie_on_common_sa *common_sa)
+{
+ struct rte_crypto_sym_xform *cipher_xform;
+ const uint8_t *cipher_key;
+ int cipher_key_len = 0;
+ int ret;
+
+ if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+ cipher_xform = crypto_xform->next;
+ else
+ cipher_xform = crypto_xform;
+
+ ret = ipsec_sa_ctl_set(ipsec, crypto_xform, &common_sa->ctl);
+ if (ret)
+ return ret;
+
+ if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
+ memcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4);
+ cipher_key = crypto_xform->aead.key.data;
+ cipher_key_len = crypto_xform->aead.key.length;
+ } else {
+ cipher_key = cipher_xform->cipher.key.data;
+ cipher_key_len = cipher_xform->cipher.key.length;
+ }
+
+ if (cipher_key_len != 0)
+ memcpy(common_sa->cipher_key, cipher_key, cipher_key_len);
+ else
+ return -EINVAL;
+
+ return 0;
+}
+
+static int
+cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
+ struct rte_security_ipsec_xform *ipsec,
+ struct rte_crypto_sym_xform *crypto_xform,
+ struct rte_security_session *sec_sess)
+{
+ struct rte_crypto_sym_xform *auth_xform = crypto_xform->next;
+ struct roc_ie_on_ip_template *template = NULL;
+ struct cnxk_cpt_inst_tmpl *inst_tmpl;
+ struct roc_ie_on_outb_sa *out_sa;
+ struct cn9k_sec_session *sess;
+ struct roc_ie_on_sa_ctl *ctl;
+ struct cn9k_ipsec_sa *sa;
+ struct rte_ipv6_hdr *ip6;
+ struct rte_ipv4_hdr *ip4;
+ const uint8_t *auth_key;
+ union cpt_inst_w4 w4;
+ union cpt_inst_w7 w7;
+ int auth_key_len = 0;
+ size_t ctx_len;
+ int ret;
+
+ sess = get_sec_session_private_data(sec_sess);
+ sa = &sess->sa;
+ out_sa = &sa->out_sa;
+ ctl = &out_sa->common_sa.ctl;
+
+ memset(sa, 0, sizeof(struct cn9k_ipsec_sa));
+
+ /* Initialize lookaside IPsec private data */
+ sa->dir = RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
+ /* Start ip id from 1 */
+ sa->ip_id = 1;
+ sa->seq_lo = 1;
+ sa->seq_hi = 0;
+
+ ret = fill_ipsec_common_sa(ipsec, crypto_xform, &out_sa->common_sa);
+ if (ret)
+ return ret;
+
+ ret = cnxk_ipsec_outb_rlens_get(&sa->rlens, ipsec, crypto_xform);
+ if (ret)
+ return ret;
+
+ if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM) {
+ template = &out_sa->aes_gcm.template;
+ ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template);
+ } else if (ctl->auth_type == ROC_IE_ON_SA_AUTH_SHA1) {
+ template = &out_sa->sha1.template;
+ ctx_len = offsetof(struct roc_ie_on_outb_sa, sha1.template);
+ } else if (ctl->auth_type == ROC_IE_ON_SA_AUTH_SHA2_256) {
+ template = &out_sa->sha2.template;
+ ctx_len = offsetof(struct roc_ie_on_outb_sa, sha2.template);
+ } else {
+ return -EINVAL;
+ }
+
+ ip4 = (struct rte_ipv4_hdr *)&template->ip4.ipv4_hdr;
+ if (ipsec->options.udp_encap) {
+ ip4->next_proto_id = IPPROTO_UDP;
+ template->ip4.udp_src = rte_be_to_cpu_16(4500);
+ template->ip4.udp_dst = rte_be_to_cpu_16(4500);
+ } else {
+ ip4->next_proto_id = IPPROTO_ESP;
+ }
+
+ if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+ if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+ ctx_len += sizeof(template->ip4);
+
+ ip4->version_ihl = RTE_IPV4_VHL_DEF;
+ ip4->time_to_live = ipsec->tunnel.ipv4.ttl;
+ ip4->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
+ if (ipsec->tunnel.ipv4.df)
+ ip4->fragment_offset = BIT(14);
+ memcpy(&ip4->src_addr, &ipsec->tunnel.ipv4.src_ip,
+ sizeof(struct in_addr));
+ memcpy(&ip4->dst_addr, &ipsec->tunnel.ipv4.dst_ip,
+ sizeof(struct in_addr));
+ } else if (ipsec->tunnel.type ==
+ RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
+ ctx_len += sizeof(template->ip6);
+
+ ip6 = (struct rte_ipv6_hdr *)&template->ip6.ipv6_hdr;
+ if (ipsec->options.udp_encap) {
+ ip6->proto = IPPROTO_UDP;
+ template->ip6.udp_src = rte_be_to_cpu_16(4500);
+ template->ip6.udp_dst = rte_be_to_cpu_16(4500);
+ } else {
+ ip6->proto = (ipsec->proto ==
+ RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
+ IPPROTO_ESP :
+ IPPROTO_AH;
+ }
+ ip6->vtc_flow =
+ rte_cpu_to_be_32(0x60000000 |
+ ((ipsec->tunnel.ipv6.dscp
+ << RTE_IPV6_HDR_TC_SHIFT) &
+ RTE_IPV6_HDR_TC_MASK) |
+ ((ipsec->tunnel.ipv6.flabel
+ << RTE_IPV6_HDR_FL_SHIFT) &
+ RTE_IPV6_HDR_FL_MASK));
+ ip6->hop_limits = ipsec->tunnel.ipv6.hlimit;
+ memcpy(&ip6->src_addr, &ipsec->tunnel.ipv6.src_addr,
+ sizeof(struct in6_addr));
+ memcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr,
+ sizeof(struct in6_addr));
+ }
+ } else
+ ctx_len += sizeof(template->ip4);
+
+ ctx_len += RTE_ALIGN_CEIL(ctx_len, 8);
+
+ if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ sa->cipher_iv_off = crypto_xform->aead.iv.offset;
+ sa->cipher_iv_len = crypto_xform->aead.iv.length;
+ } else {
+ sa->cipher_iv_off = crypto_xform->cipher.iv.offset;
+ sa->cipher_iv_len = crypto_xform->cipher.iv.length;
+
+ auth_key = auth_xform->auth.key.data;
+ auth_key_len = auth_xform->auth.key.length;
+
+ if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+ memcpy(out_sa->sha1.hmac_key, auth_key, auth_key_len);
+ else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
+ memcpy(out_sa->sha2.hmac_key, auth_key, auth_key_len);
+ }
+
+ inst_tmpl = &sa->inst;
+
+ w4.u64 = 0;
+ w4.s.opcode_major = ROC_IE_ON_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;
+ w4.s.opcode_minor = ctx_len >> 3;
+ w4.s.param1 = ROC_IE_ON_PER_PKT_IV;
+ inst_tmpl->w4 = w4.u64;
+
+ w7.u64 = 0;
+ w7.s.egrp = ROC_CPT_DFLT_ENG_GRP_SE;
+ w7.s.cptr = rte_mempool_virt2iova(out_sa);
+ inst_tmpl->w7 = w7.u64;
+
+ return cn9k_cpt_enq_sa_write(
+ sa, qp, ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_OUTBOUND, ctx_len);
+}
+
+static int
+cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
+ struct rte_security_ipsec_xform *ipsec,
+ struct rte_crypto_sym_xform *crypto_xform,
+ struct rte_security_session *sec_sess)
+{
+ struct rte_crypto_sym_xform *auth_xform = crypto_xform;
+ struct cnxk_cpt_inst_tmpl *inst_tmpl;
+ struct roc_ie_on_inb_sa *in_sa;
+ struct cn9k_sec_session *sess;
+ struct cn9k_ipsec_sa *sa;
+ const uint8_t *auth_key;
+ union cpt_inst_w4 w4;
+ union cpt_inst_w7 w7;
+ int auth_key_len = 0;
+ size_t ctx_len = 0;
+ int ret;
+
+ sess = get_sec_session_private_data(sec_sess);
+ sa = &sess->sa;
+ in_sa = &sa->in_sa;
+
+ memset(sa, 0, sizeof(struct cn9k_ipsec_sa));
+
+ sa->dir = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
+
+ ret = fill_ipsec_common_sa(ipsec, crypto_xform, &in_sa->common_sa);
+ if (ret)
+ return ret;
+
+ if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ ctx_len = offsetof(struct roc_ie_on_inb_sa,
+ sha1_or_gcm.hmac_key[0]);
+ } else {
+ auth_key = auth_xform->auth.key.data;
+ auth_key_len = auth_xform->auth.key.length;
+
+ if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+ memcpy(in_sa->sha1_or_gcm.hmac_key, auth_key,
+ auth_key_len);
+ ctx_len = offsetof(struct roc_ie_on_inb_sa,
+ sha1_or_gcm.selector);
+ } else if (auth_xform->auth.algo ==
+ RTE_CRYPTO_AUTH_SHA256_HMAC) {
+ memcpy(in_sa->sha2.hmac_key, auth_key, auth_key_len);
+ ctx_len = offsetof(struct roc_ie_on_inb_sa,
+ sha2.selector);
+ }
+ }
+
+ inst_tmpl = &sa->inst;
+
+ w4.u64 = 0;
+ w4.s.opcode_major = ROC_IE_ON_MAJOR_OP_PROCESS_INBOUND_IPSEC;
+ w4.s.opcode_minor = ctx_len >> 3;
+ inst_tmpl->w4 = w4.u64;
+
+ w7.u64 = 0;
+ w7.s.egrp = ROC_CPT_DFLT_ENG_GRP_SE;
+ w7.s.cptr = rte_mempool_virt2iova(in_sa);
+ inst_tmpl->w7 = w7.u64;
+
+ return cn9k_cpt_enq_sa_write(
+ sa, qp, ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_INBOUND, ctx_len);
+}
+
+static inline int
+cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
+{
+ RTE_SET_USED(ipsec);
+
+ return 0;
+}
+
+static int
+cn9k_ipsec_session_create(void *dev,
+ struct rte_security_ipsec_xform *ipsec_xform,
+ struct rte_crypto_sym_xform *crypto_xform,
+ struct rte_security_session *sess)
+{
+ struct rte_cryptodev *crypto_dev = dev;
+ struct cnxk_cpt_qp *qp;
+ int ret;
+
+ qp = crypto_dev->data->queue_pairs[0];
+ if (qp == NULL) {
+ plt_err("CPT queue pairs need to be setup for creating security"
+ " session");
+ return -EPERM;
+ }
+
+ ret = cnxk_ipsec_xform_verify(ipsec_xform, crypto_xform);
+ if (ret)
+ return ret;
+
+ ret = cn9k_ipsec_xform_verify(ipsec_xform);
+ if (ret)
+ return ret;
+
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+ return cn9k_ipsec_inb_sa_create(qp, ipsec_xform, crypto_xform,
+ sess);
+ else
+ return cn9k_ipsec_outb_sa_create(qp, ipsec_xform, crypto_xform,
+ sess);
+}
+
+static int
+cn9k_sec_session_create(void *device, struct rte_security_session_conf *conf,
+ struct rte_security_session *sess,
+ struct rte_mempool *mempool)
+{
+ struct cn9k_sec_session *priv;
+ int ret;
+
+ if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
+ return -EINVAL;
+
+ if (rte_mempool_get(mempool, (void **)&priv)) {
+ plt_err("Could not allocate security session private data");
+ return -ENOMEM;
+ }
+
+ memset(priv, 0, sizeof(*priv));
+
+ set_sec_session_private_data(sess, priv);
+
+ if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) {
+ ret = -ENOTSUP;
+ goto mempool_put;
+ }
+
+ ret = cn9k_ipsec_session_create(device, &conf->ipsec,
+ conf->crypto_xform, sess);
+ if (ret)
+ goto mempool_put;
+
+ return 0;
+
+mempool_put:
+ rte_mempool_put(mempool, priv);
+ set_sec_session_private_data(sess, NULL);
+ return ret;
+}
+
+static int
+cn9k_sec_session_destroy(void *device __rte_unused,
+ struct rte_security_session *sess)
+{
+ struct roc_ie_on_outb_sa *out_sa;
+ struct cn9k_sec_session *priv;
+ struct rte_mempool *sess_mp;
+ struct roc_ie_on_sa_ctl *ctl;
+ struct cn9k_ipsec_sa *sa;
+
+ priv = get_sec_session_private_data(sess);
+ if (priv == NULL)
+ return 0;
+
+ sa = &priv->sa;
+ out_sa = &sa->out_sa;
+
+ ctl = &out_sa->common_sa.ctl;
+ ctl->valid = 0;
+
+ rte_io_wmb();
+
+ sess_mp = rte_mempool_from_obj(priv);
+
+ memset(priv, 0, sizeof(*priv));
+
+ set_sec_session_private_data(sess, NULL);
+ rte_mempool_put(sess_mp, priv);
+
+ return 0;
+}
+
+static unsigned int
+cn9k_sec_session_get_size(void *device __rte_unused)
+{
+ return sizeof(struct cn9k_sec_session);
+}
+
+/* Update platform specific security ops */
+void
+cn9k_sec_ops_override(void)
+{
+ /* Update platform specific ops */
+ cnxk_sec_ops.session_create = cn9k_sec_session_create;
+ cnxk_sec_ops.session_destroy = cn9k_sec_session_destroy;
+ cnxk_sec_ops.session_get_size = cn9k_sec_session_get_size;
+}
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.h b/drivers/crypto/cnxk/cn9k_ipsec.h
new file mode 100644
index 0000000000..13d522ec6f
--- /dev/null
+++ b/drivers/crypto/cnxk/cn9k_ipsec.h
@@ -0,0 +1,46 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2021 Marvell.
+ */
+
+#ifndef __CN9K_IPSEC_H__
+#define __CN9K_IPSEC_H__
+
+#include "cnxk_ipsec.h"
+#include "cnxk_security.h"
+
+struct cn9k_ipsec_sa {
+ union {
+ /** Inbound SA */
+ struct roc_ie_on_inb_sa in_sa;
+ /** Outbound SA */
+ struct roc_ie_on_outb_sa out_sa;
+ };
+ /** IPsec SA direction */
+ enum rte_security_ipsec_sa_direction dir;
+ /** Pre-populated CPT inst words */
+ struct cnxk_cpt_inst_tmpl inst;
+ /** Cipher IV offset in bytes */
+ uint16_t cipher_iv_off;
+ /** Cipher IV length in bytes */
+ uint8_t cipher_iv_len;
+ /** Response length calculation data */
+ struct cnxk_ipsec_outb_rlens rlens;
+ /** Outbound IP-ID */
+ uint16_t ip_id;
+ /** ESN */
+ union {
+ uint64_t esn;
+ struct {
+ uint32_t seq_lo;
+ uint32_t seq_hi;
+ };
+ };
+};
+
+struct cn9k_sec_session {
+ struct cn9k_ipsec_sa sa;
+} __rte_cache_aligned;
+
+void cn9k_sec_ops_override(void);
+
+#endif /* __CN9K_IPSEC_H__ */
diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build
index e076783629..e40d132f80 100644
--- a/drivers/crypto/cnxk/meson.build
+++ b/drivers/crypto/cnxk/meson.build
@@ -11,6 +11,7 @@ endif
sources = files(
'cn9k_cryptodev.c',
'cn9k_cryptodev_ops.c',
+ 'cn9k_ipsec.c',
'cn10k_cryptodev.c',
'cn10k_cryptodev_ops.c',
'cn10k_ipsec.c',
--
2.22.0
^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-dev] [PATCH v2 4/6] crypto/cnxk: add cn9k lookaside IPsec datapath
2021-09-07 14:20 [dpdk-dev] [PATCH v2 0/6] add cn9k lookaside IPsec support Archana Muniganti
` (2 preceding siblings ...)
2021-09-07 14:21 ` [dpdk-dev] [PATCH v2 3/6] crypto/cnxk: add cn9k security session ops Archana Muniganti
@ 2021-09-07 14:21 ` Archana Muniganti
2021-09-07 14:21 ` [dpdk-dev] [PATCH v2 5/6] crypto/cnxk: update tailroom requirement Archana Muniganti
` (3 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Archana Muniganti @ 2021-09-07 14:21 UTC (permalink / raw)
To: gakhil
Cc: Archana Muniganti, ktejasree, adwivedi, anoobj, jerinj, dev,
Vamsi Attunuru
Adds support for cn9k lookaside enqueue and dequeue
operations.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 78 +++++++++++++++++++-
drivers/crypto/cnxk/cn9k_ipsec_la_ops.h | 90 ++++++++++++++++++++++++
2 files changed, 166 insertions(+), 2 deletions(-)
create mode 100644 drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
diff --git a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c
index 8ade1977e1..40109acc3f 100644
--- a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c
@@ -5,10 +5,13 @@
#include <rte_cryptodev.h>
#include <rte_cryptodev_pmd.h>
#include <rte_event_crypto_adapter.h>
+#include <rte_ip.h>
#include <rte_vect.h>
#include "cn9k_cryptodev.h"
#include "cn9k_cryptodev_ops.h"
+#include "cn9k_ipsec.h"
+#include "cn9k_ipsec_la_ops.h"
#include "cnxk_ae.h"
#include "cnxk_cryptodev.h"
#include "cnxk_cryptodev_ops.h"
@@ -34,6 +37,36 @@ cn9k_cpt_sym_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op,
return ret;
}
+static __rte_always_inline int __rte_hot
+cn9k_cpt_sec_inst_fill(struct rte_crypto_op *op,
+ struct cpt_inflight_req *infl_req,
+ struct cpt_inst_s *inst)
+{
+ struct rte_crypto_sym_op *sym_op = op->sym;
+ struct cn9k_sec_session *priv;
+ struct cn9k_ipsec_sa *sa;
+
+ if (unlikely(sym_op->m_dst && sym_op->m_dst != sym_op->m_src)) {
+ plt_dp_err("Out of place is not supported");
+ return -ENOTSUP;
+ }
+
+ if (unlikely(!rte_pktmbuf_is_contiguous(sym_op->m_src))) {
+ plt_dp_err("Scatter Gather mode is not supported");
+ return -ENOTSUP;
+ }
+
+ priv = get_sec_session_private_data(op->sym->sec_session);
+ sa = &priv->sa;
+
+ if (sa->dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
+ return process_outb_sa(op, sa, inst);
+
+ infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND;
+
+ return process_inb_sa(op, sa, inst);
+}
+
static inline struct cnxk_se_sess *
cn9k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op)
{
@@ -80,7 +113,10 @@ cn9k_cpt_inst_prep(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op,
sym_op->session, cn9k_cryptodev_driver_id);
ret = cn9k_cpt_sym_inst_fill(qp, op, sess, infl_req,
inst);
- } else {
+ inst->w7.u64 = sess->cpt_inst_w7;
+ } else if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION)
+ ret = cn9k_cpt_sec_inst_fill(op, infl_req, inst);
+ else {
sess = cn9k_cpt_sym_temp_sess_create(qp, op);
if (unlikely(sess == NULL)) {
plt_dp_err("Could not create temp session");
@@ -94,8 +130,8 @@ cn9k_cpt_inst_prep(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op,
op->sym->session);
rte_mempool_put(qp->sess_mp, op->sym->session);
}
+ inst->w7.u64 = sess->cpt_inst_w7;
}
- inst->w7.u64 = sess->cpt_inst_w7;
} else if (op->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC) {
struct rte_crypto_asym_op *asym_op;
struct cnxk_ae_sess *sess;
@@ -348,6 +384,39 @@ cn9k_cpt_crypto_adapter_enqueue(uintptr_t tag_op, struct rte_crypto_op *op)
return 1;
}
+static inline void
+cn9k_cpt_sec_post_process(struct rte_crypto_op *cop,
+ struct cpt_inflight_req *infl_req)
+{
+ struct rte_crypto_sym_op *sym_op = cop->sym;
+ struct rte_mbuf *m = sym_op->m_src;
+ struct rte_ipv6_hdr *ip6;
+ struct rte_ipv4_hdr *ip;
+ uint16_t m_len = 0;
+ char *data;
+
+ if (infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND) {
+ data = rte_pktmbuf_mtod(m, char *);
+
+ ip = (struct rte_ipv4_hdr *)(data + ROC_IE_ON_INB_RPTR_HDR);
+
+ if (((ip->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER) ==
+ IPVERSION) {
+ m_len = rte_be_to_cpu_16(ip->total_length);
+ } else {
+ PLT_ASSERT(((ip->version_ihl & 0xf0) >>
+ RTE_IPV4_IHL_MULTIPLIER) == 6);
+ ip6 = (struct rte_ipv6_hdr *)ip;
+ m_len = rte_be_to_cpu_16(ip6->payload_len) +
+ sizeof(struct rte_ipv6_hdr);
+ }
+
+ m->data_len = m_len;
+ m->pkt_len = m_len;
+ m->data_off += ROC_IE_ON_INB_RPTR_HDR;
+ }
+}
+
static inline void
cn9k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, struct rte_crypto_op *cop,
struct cpt_inflight_req *infl_req)
@@ -370,6 +439,11 @@ cn9k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, struct rte_crypto_op *cop,
cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
+ if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
+ cn9k_cpt_sec_post_process(cop, infl_req);
+ return;
+ }
+
/* Verify authentication data if required */
if (unlikely(infl_req->op_flags &
CPT_OP_FLAGS_AUTH_VERIFY)) {
diff --git a/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
new file mode 100644
index 0000000000..b7a88e1b35
--- /dev/null
+++ b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
@@ -0,0 +1,90 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2021 Marvell.
+ */
+
+#ifndef __CN9K_IPSEC_LA_OPS_H__
+#define __CN9K_IPSEC_LA_OPS_H__
+
+#include <rte_crypto_sym.h>
+#include <rte_security.h>
+
+#include "cn9k_ipsec.h"
+
+static __rte_always_inline int32_t
+ipsec_po_out_rlen_get(struct cn9k_ipsec_sa *sa, uint32_t plen)
+{
+ uint32_t enc_payload_len;
+
+ enc_payload_len = RTE_ALIGN_CEIL(plen + sa->rlens.roundup_len,
+ sa->rlens.roundup_byte);
+
+ return sa->rlens.partial_len + enc_payload_len;
+}
+
+static __rte_always_inline int
+process_outb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
+ struct cpt_inst_s *inst)
+{
+ const unsigned int hdr_len = sizeof(struct roc_ie_on_outb_hdr);
+ struct rte_crypto_sym_op *sym_op = cop->sym;
+ struct rte_mbuf *m_src = sym_op->m_src;
+ uint32_t dlen, rlen, extend_tail;
+ struct roc_ie_on_outb_sa *out_sa;
+ struct roc_ie_on_outb_hdr *hdr;
+
+ out_sa = &sa->out_sa;
+
+ dlen = rte_pktmbuf_pkt_len(m_src) + hdr_len;
+ rlen = ipsec_po_out_rlen_get(sa, dlen - hdr_len);
+
+ extend_tail = rlen - dlen;
+ if (unlikely(extend_tail > rte_pktmbuf_tailroom(m_src))) {
+ plt_dp_err("Not enough tail room");
+ return -ENOMEM;
+ }
+
+ m_src->data_len += extend_tail;
+ m_src->pkt_len += extend_tail;
+
+ hdr = (struct roc_ie_on_outb_hdr *)rte_pktmbuf_prepend(m_src, hdr_len);
+ if (unlikely(hdr == NULL)) {
+ plt_dp_err("Not enough head room");
+ return -ENOMEM;
+ }
+
+ memcpy(&hdr->iv[0],
+ rte_crypto_op_ctod_offset(cop, uint8_t *, sa->cipher_iv_off),
+ sa->cipher_iv_len);
+ hdr->seq = rte_cpu_to_be_32(sa->seq_lo);
+ hdr->ip_id = rte_cpu_to_be_32(sa->ip_id);
+
+ out_sa->common_sa.esn_hi = sa->seq_hi;
+
+ sa->ip_id++;
+ sa->esn++;
+
+ /* Prepare CPT instruction */
+ inst->w4.u64 = sa->inst.w4 | dlen;
+ inst->dptr = rte_pktmbuf_iova(m_src);
+ inst->rptr = inst->dptr;
+ inst->w7.u64 = sa->inst.w7;
+
+ return 0;
+}
+
+static __rte_always_inline int
+process_inb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
+ struct cpt_inst_s *inst)
+{
+ struct rte_crypto_sym_op *sym_op = cop->sym;
+ struct rte_mbuf *m_src = sym_op->m_src;
+
+ /* Prepare CPT instruction */
+ inst->w4.u64 = sa->inst.w4 | rte_pktmbuf_pkt_len(m_src);
+ inst->dptr = rte_pktmbuf_iova(m_src);
+ inst->rptr = inst->dptr;
+ inst->w7.u64 = sa->inst.w7;
+
+ return 0;
+}
+#endif /* __CN9K_IPSEC_LA_OPS_H__ */
--
2.22.0
^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-dev] [PATCH v2 5/6] crypto/cnxk: update tailroom requirement
2021-09-07 14:20 [dpdk-dev] [PATCH v2 0/6] add cn9k lookaside IPsec support Archana Muniganti
` (3 preceding siblings ...)
2021-09-07 14:21 ` [dpdk-dev] [PATCH v2 4/6] crypto/cnxk: add cn9k lookaside IPsec datapath Archana Muniganti
@ 2021-09-07 14:21 ` Archana Muniganti
2021-09-07 14:21 ` [dpdk-dev] [PATCH v2 6/6] crypto/cnxk: update feature flag for cn9k lookaside IPsec Archana Muniganti
` (2 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Archana Muniganti @ 2021-09-07 14:21 UTC (permalink / raw)
To: gakhil; +Cc: Archana Muniganti, ktejasree, adwivedi, anoobj, jerinj, dev
Update min tailroom to reflect IPsec additions.
PMD crypto_cn9k & crypto_cn10k would have packet
grow into tailroom post IPsec processing.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 2 +-
drivers/crypto/cnxk/cnxk_cryptodev_ops.h | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c
index 440dbc3adb..957c78063f 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c
@@ -155,7 +155,7 @@ cnxk_cpt_dev_info_get(struct rte_cryptodev *dev,
info->capabilities = cnxk_crypto_capabilities_get(vf);
info->sym.max_nb_sessions = 0;
info->min_mbuf_headroom_req = CNXK_CPT_MIN_HEADROOM_REQ;
- info->min_mbuf_tailroom_req = 0;
+ info->min_mbuf_tailroom_req = CNXK_CPT_MIN_TAILROOM_REQ;
}
static void
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_ops.h b/drivers/crypto/cnxk/cnxk_cryptodev_ops.h
index 0d02d44799..c5332dec53 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_ops.h
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_ops.h
@@ -11,6 +11,7 @@
#include "roc_api.h"
#define CNXK_CPT_MIN_HEADROOM_REQ 24
+#define CNXK_CPT_MIN_TAILROOM_REQ 102
/* Default command timeout in seconds */
#define DEFAULT_COMMAND_TIMEOUT 4
--
2.22.0
^ permalink raw reply [flat|nested] 9+ messages in thread
* [dpdk-dev] [PATCH v2 6/6] crypto/cnxk: update feature flag for cn9k lookaside IPsec
2021-09-07 14:20 [dpdk-dev] [PATCH v2 0/6] add cn9k lookaside IPsec support Archana Muniganti
` (4 preceding siblings ...)
2021-09-07 14:21 ` [dpdk-dev] [PATCH v2 5/6] crypto/cnxk: update tailroom requirement Archana Muniganti
@ 2021-09-07 14:21 ` Archana Muniganti
2021-09-07 16:02 ` [dpdk-dev] [PATCH v2 0/6] add cn9k lookaside IPsec support Anoob Joseph
2021-09-07 18:22 ` Akhil Goyal
7 siblings, 0 replies; 9+ messages in thread
From: Archana Muniganti @ 2021-09-07 14:21 UTC (permalink / raw)
To: gakhil
Cc: Archana Muniganti, ktejasree, adwivedi, anoobj, jerinj, dev,
Vamsi Attunuru
Update device feature flag to support lookaside IPsec for
cn9k.
Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
doc/guides/cryptodevs/cnxk.rst | 14 ++++++++++++--
doc/guides/cryptodevs/features/cn9k.ini | 1 +
doc/guides/rel_notes/release_21_11.rst | 1 +
drivers/crypto/cnxk/cnxk_cryptodev.c | 6 ++----
4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 1eb72282db..752316fd37 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -222,10 +222,20 @@ This feature can be tested with ipsec-secgw sample application.
Supported OCTEON cnxk SoCs
~~~~~~~~~~~~~~~~~~~~~~~~~~
+- CN9XX
- CN10XX
-Features supported
-~~~~~~~~~~~~~~~~~~
+CN9XX Features supported
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+* IPv4
+* ESP
+* Tunnel mode
+* UDP Encapsulation
+* AES-128/192/256-GCM
+
+CN10XX Features supported
+~~~~~~~~~~~~~~~~~~~~~~~~~
* IPv4
* ESP
diff --git a/doc/guides/cryptodevs/features/cn9k.ini b/doc/guides/cryptodevs/features/cn9k.ini
index d69dbe8512..dd935d439d 100644
--- a/doc/guides/cryptodevs/features/cn9k.ini
+++ b/doc/guides/cryptodevs/features/cn9k.ini
@@ -8,6 +8,7 @@ Symmetric crypto = Y
Asymmetric crypto = Y
Sym operation chaining = Y
HW Accelerated = Y
+Protocol offload = Y
In Place SGL = Y
OOP SGL In LB Out = Y
OOP SGL In SGL Out = Y
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index b55900936d..411fa9530a 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -67,6 +67,7 @@ New Features
* Added AES-CBC SHA1-HMAC support in lookaside protocol (IPsec) for CN10K.
* Added Transport mode support in lookaside protocol (IPsec) for CN10K.
* Added UDP encapsulation support in lookaside protocol (IPsec) for CN10K.
+ * Added support for lookaside protocol (IPsec) offload for CN9K.
* **Added support for event crypto adapter on Marvell CN10K and CN9K.**
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.c b/drivers/crypto/cnxk/cnxk_cryptodev.c
index 9c7dc6297a..5c7801ec48 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.c
@@ -21,10 +21,8 @@ cnxk_cpt_default_ff_get(void)
RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT |
RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT |
RTE_CRYPTODEV_FF_SYM_SESSIONLESS |
- RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED;
-
- if (roc_model_is_cn10k())
- ff |= RTE_CRYPTODEV_FF_SECURITY;
+ RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED |
+ RTE_CRYPTODEV_FF_SECURITY;
return ff;
}
--
2.22.0
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [dpdk-dev] [PATCH v2 0/6] add cn9k lookaside IPsec support
2021-09-07 14:20 [dpdk-dev] [PATCH v2 0/6] add cn9k lookaside IPsec support Archana Muniganti
` (5 preceding siblings ...)
2021-09-07 14:21 ` [dpdk-dev] [PATCH v2 6/6] crypto/cnxk: update feature flag for cn9k lookaside IPsec Archana Muniganti
@ 2021-09-07 16:02 ` Anoob Joseph
2021-09-07 18:22 ` Akhil Goyal
7 siblings, 0 replies; 9+ messages in thread
From: Anoob Joseph @ 2021-09-07 16:02 UTC (permalink / raw)
To: Archana Muniganti, Akhil Goyal
Cc: Archana Muniganti, Tejasree Kondoj, Ankur Dwivedi,
Jerin Jacob Kollanukkaran, dev
>
> This series adds lookaside IPsec support in cnxk crypto PMD for Marvell CN9K
> SOC.
>
> Changes in v2:
> - Fixed release notes
> - Squashed patches and reduced no of patches from 8 to 6
>
> Archana Muniganti (6):
> crypto/cnxk: add cn9k security ctx
> common/cnxk: add cn9k IPsec microcode defines
> crypto/cnxk: add cn9k security session ops
> crypto/cnxk: add cn9k lookaside IPsec datapath
> crypto/cnxk: update tailroom requirement
> crypto/cnxk: update feature flag for cn9k lookaside IPsec
>
> doc/guides/cryptodevs/cnxk.rst | 14 +-
> doc/guides/cryptodevs/features/cn9k.ini | 1 +
> doc/guides/rel_notes/release_21_11.rst | 1 +
> drivers/common/cnxk/roc_cpt.h | 1 +
> drivers/common/cnxk/roc_ie_on.h | 158 +++++-
> drivers/crypto/cnxk/cn9k_cryptodev.c | 11 +
> drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 78 ++-
> drivers/crypto/cnxk/cn9k_ipsec.c | 610 +++++++++++++++++++++++
> drivers/crypto/cnxk/cn9k_ipsec.h | 46 ++
> drivers/crypto/cnxk/cn9k_ipsec_la_ops.h | 90 ++++
> drivers/crypto/cnxk/cnxk_cryptodev.c | 6 +-
> drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 2 +-
> drivers/crypto/cnxk/cnxk_cryptodev_ops.h | 1 +
> drivers/crypto/cnxk/meson.build | 1 +
> 14 files changed, 1002 insertions(+), 18 deletions(-) create mode 100644
> drivers/crypto/cnxk/cn9k_ipsec.c create mode 100644
> drivers/crypto/cnxk/cn9k_ipsec.h create mode 100644
> drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
>
> --
> 2.22.0
Series Acked-by: Anoob Joseph <anoobj@marvell.com>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [dpdk-dev] [PATCH v2 0/6] add cn9k lookaside IPsec support
2021-09-07 14:20 [dpdk-dev] [PATCH v2 0/6] add cn9k lookaside IPsec support Archana Muniganti
` (6 preceding siblings ...)
2021-09-07 16:02 ` [dpdk-dev] [PATCH v2 0/6] add cn9k lookaside IPsec support Anoob Joseph
@ 2021-09-07 18:22 ` Akhil Goyal
7 siblings, 0 replies; 9+ messages in thread
From: Akhil Goyal @ 2021-09-07 18:22 UTC (permalink / raw)
To: Archana Muniganti
Cc: Archana Muniganti, Tejasree Kondoj, Ankur Dwivedi, Anoob Joseph,
Jerin Jacob Kollanukkaran, dev
> This series adds lookaside IPsec support in cnxk crypto PMD
> for Marvell CN9K SOC.
>
> Changes in v2:
> - Fixed release notes
> - Squashed patches and reduced no of patches from 8 to 6
>
> Archana Muniganti (6):
> crypto/cnxk: add cn9k security ctx
> common/cnxk: add cn9k IPsec microcode defines
> crypto/cnxk: add cn9k security session ops
> crypto/cnxk: add cn9k lookaside IPsec datapath
> crypto/cnxk: update tailroom requirement
> crypto/cnxk: update feature flag for cn9k lookaside IPsec
>
> doc/guides/cryptodevs/cnxk.rst | 14 +-
> doc/guides/cryptodevs/features/cn9k.ini | 1 +
> doc/guides/rel_notes/release_21_11.rst | 1 +
> drivers/common/cnxk/roc_cpt.h | 1 +
> drivers/common/cnxk/roc_ie_on.h | 158 +++++-
> drivers/crypto/cnxk/cn9k_cryptodev.c | 11 +
> drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 78 ++-
> drivers/crypto/cnxk/cn9k_ipsec.c | 610 +++++++++++++++++++++++
> drivers/crypto/cnxk/cn9k_ipsec.h | 46 ++
> drivers/crypto/cnxk/cn9k_ipsec_la_ops.h | 90 ++++
> drivers/crypto/cnxk/cnxk_cryptodev.c | 6 +-
> drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 2 +-
> drivers/crypto/cnxk/cnxk_cryptodev_ops.h | 1 +
> drivers/crypto/cnxk/meson.build | 1 +
> 14 files changed, 1002 insertions(+), 18 deletions(-)
> create mode 100644 drivers/crypto/cnxk/cn9k_ipsec.c
> create mode 100644 drivers/crypto/cnxk/cn9k_ipsec.h
> create mode 100644 drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
>
Applied to dpdk-next-crypto
Thanks.
^ permalink raw reply [flat|nested] 9+ messages in thread