From: Gagandeep Singh <g.singh@nxp.com>
To: hemant.agrawal@nxp.com
Cc: Gagandeep Singh <g.singh@nxp.com>, stable@dpdk.org
Subject: [PATCH 03/11] crypto/dpaa: fix SEC err due to an wrong desc
Date: Wed, 3 Jul 2024 15:43:39 +0530 [thread overview]
Message-ID: <20240703101347.3091547-4-g.singh@nxp.com> (raw)
In-Reply-To: <20240703101347.3091547-1-g.singh@nxp.com>
During IPsec operations, driver code pre-check
whether KEYS can be inlined to limited size descriptor
or not and based on that it decides to copy the complete
KEY in descriptor or just give the memory pointer of
KEY in descriptor.
This pre-check code does not take care of padding required
for security engine to make the KEYs inline which results
in incorrect length descriptor for some algorithms.
This patch fixes this issue by updating the pre-check code
with proper padding size included for each supported
algorithm.
Fixes: 453b9593a3cf ("crypto/dpaax_sec: fix inline query for descriptors")
Cc: stable@dpdk.org
Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
drivers/common/dpaax/caamflib/desc/ipsec.h | 73 ++++++++++++++++++++++
drivers/crypto/dpaa_sec/dpaa_sec.c | 4 +-
2 files changed, 75 insertions(+), 2 deletions(-)
diff --git a/drivers/common/dpaax/caamflib/desc/ipsec.h b/drivers/common/dpaax/caamflib/desc/ipsec.h
index eff26f6f8b..b902873970 100644
--- a/drivers/common/dpaax/caamflib/desc/ipsec.h
+++ b/drivers/common/dpaax/caamflib/desc/ipsec.h
@@ -728,6 +728,79 @@ static inline void __gen_auth_key(struct program *program,
authdata->key, authdata->key_type);
}
+/**
+ * rta_inline_ipsec_query() - Provide indications on which data items can be inlined
+ * and which shall be referenced in IPsec shared descriptor.
+ * @sd_base_len: Shared descriptor base length - bytes consumed by the commands,
+ * excluding the data items to be inlined (or corresponding
+ * pointer if an item is not inlined). Each cnstr_* function that
+ * generates descriptors should have a define mentioning
+ * corresponding length.
+ * @jd_len: Maximum length of the job descriptor(s) that will be used
+ * together with the shared descriptor.
+ * @data_len: Array of lengths of the data items trying to be inlined
+ * @inl_mask: 32bit mask with bit x = 1 if data item x can be inlined, 0
+ * otherwise.
+ * @count: Number of data items (size of @data_len array); must be <= 32
+ * @auth_algtype: Authentication algorithm type.
+ * @auth_index: Index value of data_len for authentication key length.
+ * -1 if authentication key length is not present in data_len.
+ *
+ * Return: 0 if data can be inlined / referenced, negative value if not. If 0,
+ * check @inl_mask for details.
+ */
+static inline int
+rta_inline_ipsec_query(unsigned int sd_base_len,
+ unsigned int jd_len,
+ unsigned int *data_len,
+ uint32_t *inl_mask,
+ unsigned int count,
+ uint32_t auth_algtype,
+ int32_t auth_index)
+{
+ uint32_t dkp_protid;
+
+ switch (auth_algtype & OP_PCL_IPSEC_AUTH_MASK) {
+ case OP_PCL_IPSEC_HMAC_MD5_96:
+ case OP_PCL_IPSEC_HMAC_MD5_128:
+ dkp_protid = OP_PCLID_DKP_MD5;
+ break;
+ case OP_PCL_IPSEC_HMAC_SHA1_96:
+ case OP_PCL_IPSEC_HMAC_SHA1_160:
+ dkp_protid = OP_PCLID_DKP_SHA1;
+ break;
+ case OP_PCL_IPSEC_HMAC_SHA2_256_128:
+ dkp_protid = OP_PCLID_DKP_SHA256;
+ break;
+ case OP_PCL_IPSEC_HMAC_SHA2_384_192:
+ dkp_protid = OP_PCLID_DKP_SHA384;
+ break;
+ case OP_PCL_IPSEC_HMAC_SHA2_512_256:
+ dkp_protid = OP_PCLID_DKP_SHA512;
+ break;
+ case OP_PCL_IPSEC_HMAC_SHA2_224_96:
+ case OP_PCL_IPSEC_HMAC_SHA2_224_112:
+ case OP_PCL_IPSEC_HMAC_SHA2_224_224:
+ dkp_protid = OP_PCLID_DKP_SHA224;
+ break;
+ default:
+ return rta_inline_query(sd_base_len,
+ jd_len,
+ data_len,
+ inl_mask, count);
+ }
+
+ /* Updating the maximum supported inline key length */
+ if (auth_index != -1) {
+ if (split_key_len(dkp_protid) > data_len[auth_index])
+ data_len[auth_index] = split_key_len(dkp_protid);
+ }
+ return rta_inline_query(sd_base_len,
+ jd_len,
+ data_len,
+ inl_mask, count);
+}
+
/**
* cnstr_shdsc_ipsec_encap - IPSec ESP encapsulation protocol-level shared
* descriptor.
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 44528eaf7f..679f78c4b9 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -395,10 +395,10 @@ dpaa_sec_prep_ipsec_cdb(dpaa_sec_session *ses)
cdb->sh_desc[0] = cipherdata.keylen;
cdb->sh_desc[1] = authdata.keylen;
- err = rta_inline_query(IPSEC_AUTH_VAR_AES_DEC_BASE_DESC_LEN,
+ err = rta_inline_ipsec_query(IPSEC_AUTH_VAR_AES_DEC_BASE_DESC_LEN,
DESC_JOB_IO_LEN,
(unsigned int *)cdb->sh_desc,
- &cdb->sh_desc[2], 2);
+ &cdb->sh_desc[2], 2, authdata.algtype, 1);
if (err < 0) {
DPAA_SEC_ERR("Crypto: Incorrect key lengths");
--
2.25.1
next prev parent reply other threads:[~2024-07-03 10:14 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20240703101347.3091547-1-g.singh@nxp.com>
2024-07-03 10:13 ` [PATCH 01/11] common/dpaax: caamflib: fix PDCP-SDAP wdog DECO err Gagandeep Singh
2024-07-03 10:13 ` [PATCH 02/11] common/dpaax: caamflib: fix PDCP AES-AES " Gagandeep Singh
2024-07-03 10:13 ` Gagandeep Singh [this message]
2024-07-03 10:13 ` [PATCH 11/11] crypto/dpaa2_sec: fix issue of user ctxt for Event queue Gagandeep Singh
[not found] <20240703102649.3096530-1-g.singh@nxp.com>
2024-07-03 10:26 ` [PATCH 03/11] crypto/dpaa: fix SEC err due to an wrong desc Gagandeep Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240703101347.3091547-4-g.singh@nxp.com \
--to=g.singh@nxp.com \
--cc=hemant.agrawal@nxp.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).