This patch add rte_security support support to AESNI-GCM PMD. The PMD now
initialize security context instance, create/delete PMD specific security
sessions, and process crypto workloads in synchronous mode with
scatter-gather list buffer supported.
Signed-off-by: Fan Zhang <roy.fan.zh...@intel.com>
---
drivers/crypto/aesni_gcm/aesni_gcm_pmd.c | 91 ++++++++++++++++++++++-
drivers/crypto/aesni_gcm/aesni_gcm_pmd_ops.c | 95 ++++++++++++++++++++++++
drivers/crypto/aesni_gcm/aesni_gcm_pmd_private.h | 23 ++++++
3 files changed, 208 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
b/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
index 1006a5c4d..0a346eddd 100644
--- a/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
+++ b/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
@@ -6,6 +6,7 @@
#include <rte_hexdump.h>
#include <rte_cryptodev.h>
#include <rte_cryptodev_pmd.h>
+#include <rte_security_driver.h>
#include <rte_bus_vdev.h>
#include <rte_malloc.h>
#include <rte_cpuflags.h>
@@ -174,6 +175,56 @@ aesni_gcm_get_session(struct aesni_gcm_qp *qp, struct
rte_crypto_op *op)
return sess;
}
+static __rte_always_inline int
+process_gcm_security_sgl_buf(struct aesni_gcm_security_session *sess,
+ struct rte_security_vec *buf, uint8_t *iv,
+ uint8_t *aad, uint8_t *digest)
+{
+ struct aesni_gcm_session *session = &sess->sess;
+ uint8_t *tag;
+ uint32_t i;
+
+ sess->init(&session->gdata_key, &sess->gdata_ctx, iv, aad,
+ (uint64_t)session->aad_length);
+
+ for (i = 0; i < buf->num; i++) {
+ struct iovec *vec = &buf->vec[i];
+
+ sess->update(&session->gdata_key, &sess->gdata_ctx,
+ vec->iov_base, vec->iov_base, vec->iov_len);
+ }
+
+ switch (session->op) {
+ case AESNI_GCM_OP_AUTHENTICATED_ENCRYPTION:
+ if (session->req_digest_length != session->gen_digest_length)
+ tag = sess->temp_digest;
+ else
+ tag = digest;
+
+ sess->finalize(&session->gdata_key, &sess->gdata_ctx, tag,
+ session->gen_digest_length);
+
+ if (session->req_digest_length != session->gen_digest_length)
+ memcpy(digest, sess->temp_digest,
+ session->req_digest_length);
+ break;
+
+ case AESNI_GCM_OP_AUTHENTICATED_DECRYPTION:
+ tag = sess->temp_digest;
+
+ sess->finalize(&session->gdata_key, &sess->gdata_ctx, tag,
+ session->gen_digest_length);
+
+ if (memcmp(tag, digest, session->req_digest_length) != 0)
+ return -1;
+ break;
+ default:
+ return -1;
+ }
+
+ return 0;
+}
+
/**
* Process a crypto operation, calling
* the GCM API from the multi buffer library.
@@ -488,8 +539,10 @@ aesni_gcm_create(const char *name,
{
struct rte_cryptodev *dev;
struct aesni_gcm_private *internals;
+ struct rte_security_ctx *sec_ctx;
enum aesni_gcm_vector_mode vector_mode;
MB_MGR *mb_mgr;
+ char sec_name[RTE_DEV_NAME_MAX_LEN];
/* Check CPU for support for AES instruction set */
if (!rte_cpu_get_flag_enabled(RTE_CPUFLAG_AES)) {
@@ -524,7 +577,8 @@ aesni_gcm_create(const char *name,
RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING |
RTE_CRYPTODEV_FF_CPU_AESNI |
RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT |
- RTE_CRYPTODEV_FF_OOP_LB_IN_LB_OUT;
+ RTE_CRYPTODEV_FF_OOP_LB_IN_LB_OUT |
+ RTE_CRYPTODEV_FF_SECURITY;
mb_mgr = alloc_mb_mgr(0);
if (mb_mgr == NULL)
@@ -587,6 +641,21 @@ aesni_gcm_create(const char *name,
internals->max_nb_queue_pairs = init_params->max_nb_queue_pairs;
+ /* setup security operations */
+ snprintf(sec_name, sizeof(sec_name) - 1, "aes_gcm_sec_%u",
+ dev->driver_id);
+ sec_ctx = rte_zmalloc_socket(sec_name,
+ sizeof(struct rte_security_ctx),
+ RTE_CACHE_LINE_SIZE, init_params->socket_id);
+ if (sec_ctx == NULL) {
+ AESNI_GCM_LOG(ERR, "memory allocation failed\n");
+ goto error_exit;
+ }
+
+ sec_ctx->device = (void *)dev;
+ sec_ctx->ops = rte_aesni_gcm_pmd_security_ops;
+ dev->security_ctx = sec_ctx;
+
#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
AESNI_GCM_LOG(INFO, "IPSec Multi-buffer library version used: %s\n",
imb_get_version_str());
@@ -641,6 +710,8 @@ aesni_gcm_remove(struct rte_vdev_device *vdev)
if (cryptodev == NULL)
return -ENODEV;
+ rte_free(cryptodev->security_ctx);
+
internals = cryptodev->data->dev_private;
free_mb_mgr(internals->mb_mgr);
@@ -648,6 +719,24 @@ aesni_gcm_remove(struct rte_vdev_device *vdev)
return rte_cryptodev_pmd_destroy(cryptodev);
}
+void
+aesni_gcm_sec_crypto_process_bulk(struct rte_security_session *sess,
+ struct rte_security_vec buf[], void *iv[], void *aad[],
+ void *digest[], int status[], uint32_t num)
+{
+ struct aesni_gcm_security_session *session =
+ get_sec_session_private_data(sess);
+ uint32_t i;
+
+ if (unlikely(!session))
+ return;
+
+ for (i = 0; i < num; i++)
+ status[i] = process_gcm_security_sgl_buf(session, &buf[i],
+ (uint8_t *)iv[i], (uint8_t *)aad[i],
+ (uint8_t *)digest[i]);
+}
+
static struct rte_vdev_driver aesni_gcm_pmd_drv = {
.probe = aesni_gcm_probe,
.remove = aesni_gcm_remove
diff --git a/drivers/crypto/aesni_gcm/aesni_gcm_pmd_ops.c
b/drivers/crypto/aesni_gcm/aesni_gcm_pmd_ops.c
index 2f66c7c58..cc71dbd60 100644
--- a/drivers/crypto/aesni_gcm/aesni_gcm_pmd_ops.c
+++ b/drivers/crypto/aesni_gcm/aesni_gcm_pmd_ops.c
@@ -7,6 +7,7 @@
#include <rte_common.h>
#include <rte_malloc.h>
#include <rte_cryptodev_pmd.h>
+#include <rte_security_driver.h>
#include "aesni_gcm_pmd_private.h"
@@ -316,6 +317,85 @@ aesni_gcm_pmd_sym_session_clear(struct rte_cryptodev *dev,
}
}
+static int
+aesni_gcm_security_session_create(void *dev,
+ struct rte_security_session_conf *conf,
+ struct rte_security_session *sess,
+ struct rte_mempool *mempool)
+{
+ struct rte_cryptodev *cdev = dev;
+ struct aesni_gcm_private *internals = cdev->data->dev_private;
+ struct aesni_gcm_security_session *sess_priv;
+ int ret;
+
+ if (!conf->crypto_xform) {
+ AESNI_GCM_LOG(ERR, "Invalid security session conf");
+ return -EINVAL;
+ }
+
+ if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+ AESNI_GCM_LOG(ERR, "GMAC is not supported in security session");
+ return -EINVAL;
+ }
+
+
+ if (rte_mempool_get(mempool, (void **)(&sess_priv))) {
+ AESNI_GCM_LOG(ERR,
+ "Couldn't get object from session mempool");
+ return -ENOMEM;
+ }
+
+ ret = aesni_gcm_set_session_parameters(internals->ops,
+ &sess_priv->sess, conf->crypto_xform);
+ if (ret != 0) {
+ AESNI_GCM_LOG(ERR, "Failed configure session parameters");
+
+ /* Return session to mempool */
+ rte_mempool_put(mempool, (void *)sess_priv);
+ return ret;
+ }
+
+ sess_priv->pre = internals->ops[sess_priv->sess.key].pre;
+ sess_priv->init = internals->ops[sess_priv->sess.key].init;
+ if (sess_priv->sess.op == AESNI_GCM_OP_AUTHENTICATED_ENCRYPTION) {
+ sess_priv->update =
+ internals->ops[sess_priv->sess.key].update_enc;
+ sess_priv->finalize =
+ internals->ops[sess_priv->sess.key].finalize_enc;
+ } else {
+ sess_priv->update =
+ internals->ops[sess_priv->sess.key].update_dec;
+ sess_priv->finalize =
+ internals->ops[sess_priv->sess.key].finalize_dec;
+ }
+
+ sess->sess_private_data = sess_priv;
+
+ return 0;
+}
+
+static int
+aesni_gcm_security_session_destroy(void *dev __rte_unused,
+ struct rte_security_session *sess)
+{
+ void *sess_priv = get_sec_session_private_data(sess);
+
+ if (sess_priv) {
+ struct rte_mempool *sess_mp = rte_mempool_from_obj(sess_priv);
+
+ memset(sess, 0, sizeof(struct aesni_gcm_security_session));
+ set_sec_session_private_data(sess, NULL);
+ rte_mempool_put(sess_mp, sess_priv);
+ }
+ return 0;
+}
+
+static unsigned int
+aesni_gcm_sec_session_get_size(__rte_unused void *device)
+{
+ return sizeof(struct aesni_gcm_security_session);
+}
+
struct rte_cryptodev_ops aesni_gcm_pmd_ops = {
.dev_configure = aesni_gcm_pmd_config,
.dev_start = aesni_gcm_pmd_start,
@@ -336,4 +416,19 @@ struct rte_cryptodev_ops aesni_gcm_pmd_ops = {
.sym_session_clear = aesni_gcm_pmd_sym_session_clear
};
+static struct rte_security_ops aesni_gcm_security_ops = {
+ .session_create = aesni_gcm_security_session_create,
+ .session_get_size = aesni_gcm_sec_session_get_size,
+ .session_update = NULL,
+ .session_stats_get = NULL,
+ .session_destroy = aesni_gcm_security_session_destroy,
+ .set_pkt_metadata = NULL,
+ .capabilities_get = NULL,
+ .process_cpu_crypto_bulk =
+ aesni_gcm_sec_crypto_process_bulk,
+};
+
struct rte_cryptodev_ops *rte_aesni_gcm_pmd_ops = &aesni_gcm_pmd_ops;
+
+struct rte_security_ops *rte_aesni_gcm_pmd_security_ops =
+ &aesni_gcm_security_ops;
diff --git a/drivers/crypto/aesni_gcm/aesni_gcm_pmd_private.h
b/drivers/crypto/aesni_gcm/aesni_gcm_pmd_private.h
index 56b29e013..8e490b6ce 100644
--- a/drivers/crypto/aesni_gcm/aesni_gcm_pmd_private.h
+++ b/drivers/crypto/aesni_gcm/aesni_gcm_pmd_private.h
@@ -114,5 +114,28 @@ aesni_gcm_set_session_parameters(const struct
aesni_gcm_ops *ops,
* Device specific operations function pointer structure */
extern struct rte_cryptodev_ops *rte_aesni_gcm_pmd_ops;
+/**
+ * Security session structure.
+ */
+struct aesni_gcm_security_session {
+ /** Temp digest for decryption */
+ uint8_t temp_digest[DIGEST_LENGTH_MAX];
+ /** GCM operations */
+ aesni_gcm_pre_t pre;
+ aesni_gcm_init_t init;
+ aesni_gcm_update_t update;
+ aesni_gcm_finalize_t finalize;
+ /** AESNI-GCM session */
+ struct aesni_gcm_session sess;
+ /** AESNI-GCM context */
+ struct gcm_context_data gdata_ctx;
+};
+
+extern void
+aesni_gcm_sec_crypto_process_bulk(struct rte_security_session *sess,
+ struct rte_security_vec buf[], void *iv[], void *aad[],
+ void *digest[], int status[], uint32_t num);
+
+extern struct rte_security_ops *rte_aesni_gcm_pmd_security_ops;
#endif /* _RTE_AESNI_GCM_PMD_PRIVATE_H_ */
--
2.14.5
