[PATCH v3 08/29] crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA256 support

Fri, 17 Dec 2021 01:21:23 -0800 

From: Tejasree Kondoj <ktejas...@marvell.com>

Adding AES-CBC-HMAC-SHA256 support to lookaside IPsec PMD.

Signed-off-by: Tejasree Kondoj <ktejas...@marvell.com>
---
 doc/guides/cryptodevs/cnxk.rst                    | 39 +++++++++++++++++++----
 doc/guides/rel_notes/release_22_03.rst            |  4 +++
 drivers/common/cnxk/cnxk_security.c               | 14 ++++++++
 drivers/crypto/cnxk/cn10k_ipsec.c                 |  3 ++
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 20 ++++++++++++
 drivers/crypto/cnxk/cnxk_ipsec.h                  |  3 +-
 6 files changed, 75 insertions(+), 8 deletions(-)

diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 23cc823..8c4c4ea 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -246,14 +246,27 @@ CN9XX Features supported
 * IPv4
 * IPv6
 * ESP
+* ESN
+* Anti-replay
 * Tunnel mode
 * Transport mode(IPv4)
 * UDP Encapsulation
+
+AEAD algorithms
++++++++++++++++
+
 * AES-128/192/256-GCM
-* AES-128/192/256-CBC-SHA1-HMAC
-* AES-128/192/256-CBC-SHA256-128-HMAC
-* ESN
-* Anti-replay
+
+Cipher algorithms
++++++++++++++++++
+
+* AES-128/192/256-CBC
+
+Auth algorithms
++++++++++++++++
+
+* SHA1-HMAC
+* SHA256-128-HMAC
 
 CN10XX Features supported
 ~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -263,6 +276,20 @@ CN10XX Features supported
 * Tunnel mode
 * Transport mode
 * UDP Encapsulation
+
+AEAD algorithms
++++++++++++++++
+
 * AES-128/192/256-GCM
-* AES-128/192/256-CBC-NULL
-* AES-128/192/256-CBC-SHA1-HMAC
+
+Cipher algorithms
++++++++++++++++++
+
+* AES-128/192/256-CBC
+
+Auth algorithms
++++++++++++++++
+
+* NULL
+* SHA1-HMAC
+* SHA256-128-HMAC
diff --git a/doc/guides/rel_notes/release_22_03.rst 
b/doc/guides/rel_notes/release_22_03.rst
index 6d99d1e..1639b0e 100644
--- a/doc/guides/rel_notes/release_22_03.rst
+++ b/doc/guides/rel_notes/release_22_03.rst
@@ -55,6 +55,10 @@ New Features
      Also, make sure to start the actual text at the margin.
      =======================================================
 
+* **Updated Marvell cnxk crypto PMD.**
+
+  * Added SHA256-HMAC support in lookaside protocol (IPsec) for CN10K.
+
 
 Removed Items
 -------------
diff --git a/drivers/common/cnxk/cnxk_security.c 
b/drivers/common/cnxk/cnxk_security.c
index 787138b..f39bc1e 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -32,6 +32,10 @@ ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform 
*auth_xform,
                roc_hash_sha1_gen(opad, (uint32_t *)&hmac_opad_ipad[0]);
                roc_hash_sha1_gen(ipad, (uint32_t *)&hmac_opad_ipad[24]);
                break;
+       case RTE_CRYPTO_AUTH_SHA256_HMAC:
+               roc_hash_sha256_gen(opad, (uint32_t *)&hmac_opad_ipad[0]);
+               roc_hash_sha256_gen(ipad, (uint32_t *)&hmac_opad_ipad[64]);
+               break;
        default:
                break;
        }
@@ -129,6 +133,16 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 
*w2,
                             i++)
                                tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
                        break;
+               case RTE_CRYPTO_AUTH_SHA256_HMAC:
+                       w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_256;
+                       ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
+
+                       tmp_key = (uint64_t *)hmac_opad_ipad;
+                       for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN /
+                                             sizeof(uint64_t));
+                            i++)
+                               tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
+                       break;
                default:
                        return -ENOTSUP;
                }
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c 
b/drivers/crypto/cnxk/cn10k_ipsec.c
index 27df1dc..93eab1b 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -65,6 +65,9 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
                if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
                        sa->iv_offset = crypto_xfrm->aead.iv.offset;
                        sa->iv_length = crypto_xfrm->aead.iv.length;
+               } else {
+                       sa->iv_offset = crypto_xfrm->cipher.iv.offset;
+                       sa->iv_length = crypto_xfrm->cipher.iv.length;
                }
        }
 #else
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c 
b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 59b63ed..7d22626 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -797,6 +797,26 @@ static const struct rte_cryptodev_capabilities 
sec_caps_sha1_sha2[] = {
                        }, }
                }, }
        },
+       {       /* SHA256 HMAC */
+               .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+               {.sym = {
+                       .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+                       {.auth = {
+                               .algo = RTE_CRYPTO_AUTH_SHA256_HMAC,
+                               .block_size = 64,
+                               .key_size = {
+                                       .min = 1,
+                                       .max = 1024,
+                                       .increment = 1
+                               },
+                               .digest_size = {
+                                       .min = 16,
+                                       .max = 16,
+                                       .increment = 0
+                               },
+                       }, }
+               }, }
+       },
 };
 
 static const struct rte_security_capability sec_caps_templ[] = {
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index dddb414..f4a1012 100644
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -46,8 +46,7 @@ ipsec_xform_auth_verify(struct rte_crypto_sym_xform 
*crypto_xform)
        if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
                if (keylen >= 20 && keylen <= 64)
                        return 0;
-       } else if (roc_model_is_cn9k() &&
-                  (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)) {
+       } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) {
                if (keylen >= 32 && keylen <= 64)
                        return 0;
        }
-- 
2.7.4

Reply via email to