From: Hamdan Igbaria <hamd...@nvidia.com> Support crypto action creation. This action allows encryption/decryption of the packet according to a specific security crypto protocol. For now we support encryption/decryption according to the IPsec protocol. IPsec encryption handles the encoding of the data. IPsec decryption handles the decoding of the data, and a decryption result status will be placed in the ipsec_syndrome field. Both operations should be used only for packets that have an ESP header and an IPsec trailer.
Signed-off-by: Hamdan Igbaria <hamd...@nvidia.com>
Reviewed-by: Alex Vesker <va...@nvidia.com>
Acked-by: Matan Azrad <ma...@nvidia.com>
---
 drivers/common/mlx5/mlx5_prm.h | 12 ++
 drivers/net/mlx5/hws/mlx5dr.h | 42 +++++++
 drivers/net/mlx5/hws/mlx5dr_action.c | 172 +++++++++++++++++++++++++-
 drivers/net/mlx5/hws/mlx5dr_action.h | 44 ++++---
 drivers/net/mlx5/hws/mlx5dr_cmd.c | 8 ++
 drivers/net/mlx5/hws/mlx5dr_cmd.h | 2 +-
 drivers/net/mlx5/hws/mlx5dr_debug.c | 2 +
 drivers/net/mlx5/hws/mlx5dr_matcher.c | 5 +
 8 files changed, 266 insertions(+), 21 deletions(-)
diff --git a/drivers/common/mlx5/mlx5_prm.h b/drivers/common/mlx5/mlx5_prm.h
index 2b499666f8..0eecf0691b 100644
--- a/drivers/common/mlx5/mlx5_prm.h
+++ b/drivers/common/mlx5/mlx5_prm.h
@@ -3498,6 +3498,8 @@ enum mlx5_ifc_stc_action_type {
 MLX5_IFC_STC_ACTION_TYPE_HEADER_INSERT = 0x0b,
 MLX5_IFC_STC_ACTION_TYPE_TAG = 0x0c,
 MLX5_IFC_STC_ACTION_TYPE_ACC_MODIFY_LIST = 0x0e,
+ MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_ENCRYPTION = 0x10,
+ MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_DECRYPTION = 0x11,
 MLX5_IFC_STC_ACTION_TYPE_ASO = 0x12,
 MLX5_IFC_STC_ACTION_TYPE_COUNTER = 0x14,
 MLX5_IFC_STC_ACTION_TYPE_ADD_FIELD = 0x1b,
@@ -3546,6 +3548,14 @@ struct mlx5_ifc_stc_ste_param_execute_aso_bits {
 u8 reserved_at_28[0x18];
 };

+struct mlx5_ifc_stc_ste_param_ipsec_encrypt_bits {
+ u8 ipsec_object_id[0x20];
+};
+
+struct mlx5_ifc_stc_ste_param_ipsec_decrypt_bits {
+ u8 ipsec_object_id[0x20];
+};
+
 struct mlx5_ifc_stc_ste_param_header_modify_list_bits {
 u8 header_modify_pattern_id[0x20];
 u8 header_modify_argument_id[0x20];
@@ -3612,6 +3622,8 @@ union mlx5_ifc_stc_param_bits {
 struct mlx5_ifc_set_action_in_bits set;
 struct mlx5_ifc_copy_action_in_bits copy;
 struct mlx5_ifc_stc_ste_param_vport_bits vport;
+ struct mlx5_ifc_stc_ste_param_ipsec_encrypt_bits ipsec_encrypt;
+ struct mlx5_ifc_stc_ste_param_ipsec_decrypt_bits ipsec_decrypt;
 u8 reserved_at_0[0x80];
 };
diff --git a/drivers/net/mlx5/hws/mlx5dr.h b/drivers/net/mlx5/hws/mlx5dr.h
index 39d902e762..74d05229c7 100644
--- a/drivers/net/mlx5/hws/mlx5dr.h
+++ b/drivers/net/mlx5/hws/mlx5dr.h
@@ -45,6 +45,8 @@ enum mlx5dr_action_type {
 MLX5DR_ACTION_TYP_PUSH_VLAN,
 MLX5DR_ACTION_TYP_ASO_METER,
 MLX5DR_ACTION_TYP_ASO_CT,
+ MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT,
+ MLX5DR_ACTION_TYP_CRYPTO_DECRYPT,
 MLX5DR_ACTION_TYP_DEST_ROOT,
 MLX5DR_ACTION_TYP_DEST_ARRAY,
 MLX5DR_ACTION_TYP_MAX,
@@ -176,6 +178,22 @@ struct mlx5dr_action_mh_pattern {
 __be64 *data;
 };

+enum mlx5dr_action_crypto_op {
+ MLX5DR_ACTION_CRYPTO_OP_NONE,
+ MLX5DR_ACTION_CRYPTO_OP_ENCRYPT,
+ MLX5DR_ACTION_CRYPTO_OP_DECRYPT,
+};
+
+enum mlx5dr_action_crypto_type {
+ MLX5DR_ACTION_CRYPTO_TYPE_NISP,
+ MLX5DR_ACTION_CRYPTO_TYPE_IPSEC,
+};
+
+struct mlx5dr_action_crypto_attr {
+ enum mlx5dr_action_crypto_type crypto_type;
+ enum mlx5dr_action_crypto_op op;
+};
+
 /* In actions that take offset, the offset is unique, pointing to a single
 * resource and the user should not reuse the same index because data changing
 * is not atomic.
@@ -216,6 +234,10 @@ struct mlx5dr_rule_action {
 uint32_t offset;
 enum mlx5dr_action_aso_ct_flags direction;
 } aso_ct;
+
+ struct {
+ uint32_t offset;
+ } crypto;
 };
 };
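Review bot: The new `crypto.offset` member added to `struct mlx5dr_rule_action` in mlx5dr.h (hunk at -216) carries no comment, and nothing in this header says what it is an offset from or which values are valid. The setters added in mlx5dr_action.c copy it into the WQE with `htobe32()` and no range check, so a wrong value presumably selects a different IPsec object than the caller intended; that should be confirmed against the device documentation. I would document the contract next to the field, for example `/* Offset of the IPsec object, relative to the devx_obj given at action creation; not range-checked */`, adjusted to whatever the base really is.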
@@ -691,6 +713,26 @@ mlx5dr_action_create_dest_root(struct mlx5dr_context *ctx,
 uint16_t priority,
 uint32_t flags);

+/* Create crypto action, this action will create specific security protocol
+ * encryption/decryption, for now we only support IPSec protocol.
+ *
+ * @param[in] ctx
+ * The context in which the new action will be created.
+ * @param[in] devx_obj
+ * The SADB corresponding devx obj
+ * @param[in] attr
+ * attributes: specifies if to encrypt/decrypt,
+ * also specifies the crypto security protocol.
+ * @param[in] flags
+ * Action creation flags. (enum mlx5dr_action_flags)
+ * @return pointer to mlx5dr_action on success NULL otherwise.
+ */
+struct mlx5dr_action *
+mlx5dr_action_create_crypto(struct mlx5dr_context *ctx,
+ struct mlx5dr_devx_obj *devx_obj,
+ struct mlx5dr_action_crypto_attr *attr,
+ uint32_t flags);
+
 /* Destroy direct rule action.
 *
 * @param[in] action
diff --git a/drivers/net/mlx5/hws/mlx5dr_action.c b/drivers/net/mlx5/hws/mlx5dr_action.c
index 11a7c58925..4910b4f730 100644
--- a/drivers/net/mlx5/hws/mlx5dr_action.c
+++ b/drivers/net/mlx5/hws/mlx5dr_action.c
@@ -9,11 +9,12 @@
 #define MLX5DR_ACTION_METER_INIT_COLOR_OFFSET 1

 /* This is the maximum allowed action order for each table type:
- * TX: POP_VLAN, CTR, ASO_METER, AS_CT, PUSH_VLAN, MODIFY, ENCAP, Term
- * RX: TAG, DECAP, POP_VLAN, CTR, ASO_METER, ASO_CT, PUSH_VLAN, MODIFY,
- * ENCAP, Term
- * FDB: DECAP, POP_VLAN, CTR, ASO_METER, ASO_CT, PUSH_VLAN, MODIFY,
- * ENCAP, Term
+ * TX: POP_VLAN, CTR, ASO_METER, AS_CT, PUSH_VLAN, MODIFY, ENCAP, ENCRYPT,
+ * Term
+ * RX: TAG, DECAP, POP_VLAN, CTR, DECRYPT, ASO_METER, ASO_CT, PUSH_VLAN,
+ * MODIFY, ENCAP, Term
+ * FDB: DECAP, POP_VLAN, CTR, DECRYPT, ASO_METER, ASO_CT, PUSH_VLAN, MODIFY,
+ * ENCAP, ENCRYPT, Term
 */
 static const uint32_t action_order_arr[MLX5DR_TABLE_TYPE_MAX][MLX5DR_ACTION_TYP_MAX] = {
 [MLX5DR_TABLE_TYPE_NIC_RX] = {
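Review bot: The doc comment added above `mlx5dr_action_create_crypto()` in mlx5dr.h (hunk at -691) leaves out the conditions the implementation enforces and the one fact a caller of the decrypt action needs. The commit description says decryption places a result status in `ipsec_syndrome`, which suggests a failed decryption is reported rather than dropped, so the comment should tell the caller to match on that field after the action. It should also state that root flags and any crypto type other than IPsec give ENOTSUP, and that encrypt with `MLX5DR_ACTION_FLAG_HWS_RX` or decrypt with `MLX5DR_ACTION_FLAG_HWS_TX` gives EINVAL.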
@@ -23,6 +24,7 @@ static const uint32_t action_order_arr[MLX5DR_TABLE_TYPE_MAX][MLX5DR_ACTION_TYP_
 BIT(MLX5DR_ACTION_TYP_POP_VLAN),
 BIT(MLX5DR_ACTION_TYP_POP_VLAN),
 BIT(MLX5DR_ACTION_TYP_CTR),
+ BIT(MLX5DR_ACTION_TYP_CRYPTO_DECRYPT),
 BIT(MLX5DR_ACTION_TYP_ASO_METER),
 BIT(MLX5DR_ACTION_TYP_ASO_CT),
 BIT(MLX5DR_ACTION_TYP_PUSH_VLAN),
@@ -49,6 +51,7 @@ static const uint32_t action_order_arr[MLX5DR_TABLE_TYPE_MAX][MLX5DR_ACTION_TYP_
 BIT(MLX5DR_ACTION_TYP_MODIFY_HDR),
 BIT(MLX5DR_ACTION_TYP_REFORMAT_L2_TO_TNL_L2) |
 BIT(MLX5DR_ACTION_TYP_REFORMAT_L2_TO_TNL_L3),
+ BIT(MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT),
 BIT(MLX5DR_ACTION_TYP_TBL) |
 BIT(MLX5DR_ACTION_TYP_MISS) |
 BIT(MLX5DR_ACTION_TYP_DROP) |
@@ -61,6 +64,7 @@ static const uint32_t action_order_arr[MLX5DR_TABLE_TYPE_MAX][MLX5DR_ACTION_TYP_
 BIT(MLX5DR_ACTION_TYP_POP_VLAN),
 BIT(MLX5DR_ACTION_TYP_POP_VLAN),
 BIT(MLX5DR_ACTION_TYP_CTR),
+ BIT(MLX5DR_ACTION_TYP_CRYPTO_DECRYPT),
 BIT(MLX5DR_ACTION_TYP_ASO_METER),
 BIT(MLX5DR_ACTION_TYP_ASO_CT),
 BIT(MLX5DR_ACTION_TYP_PUSH_VLAN),
@@ -68,6 +72,7 @@ static const uint32_t action_order_arr[MLX5DR_TABLE_TYPE_MAX][MLX5DR_ACTION_TYP_
 BIT(MLX5DR_ACTION_TYP_MODIFY_HDR),
 BIT(MLX5DR_ACTION_TYP_REFORMAT_L2_TO_TNL_L2) |
 BIT(MLX5DR_ACTION_TYP_REFORMAT_L2_TO_TNL_L3),
+ BIT(MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT),
 BIT(MLX5DR_ACTION_TYP_TBL) |
 BIT(MLX5DR_ACTION_TYP_MISS) |
 BIT(MLX5DR_ACTION_TYP_VPORT) |
@@ -266,6 +271,41 @@ bool mlx5dr_action_check_combo(enum mlx5dr_action_type *user_actions,
 return valid_combo;
 }

+bool mlx5dr_action_check_restrictions(struct mlx5dr_matcher *matcher,
+ enum mlx5dr_action_type *actions)
+{
+ uint32_t restricted_bits;
+ uint8_t idx = 0;
+
+ /* Check for restricted actions, these actions are restricted
+ * to RX or TX only in FDB domain.
+ * if one of these actions presented require correct optimize_flow_src.
+ */
+ if (matcher->tbl->type != MLX5DR_TABLE_TYPE_FDB)
+ return false;
+
+ switch (matcher->attr.optimize_flow_src) {
+ case MLX5DR_MATCHER_FLOW_SRC_WIRE:
+ restricted_bits = BIT(MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT);
+ break;
+ case MLX5DR_MATCHER_FLOW_SRC_VPORT:
+ restricted_bits = BIT(MLX5DR_ACTION_TYP_CRYPTO_DECRYPT);
+ break;
+ default:
+ restricted_bits = BIT(MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT) |
+ BIT(MLX5DR_ACTION_TYP_CRYPTO_DECRYPT);
+ }
+
+ while (actions[idx] != MLX5DR_ACTION_TYP_LAST) {
+ if (BIT(actions[idx++]) & restricted_bits) {
+ DR_LOG(ERR, "Invalid actions combination containing restricted actions was provided");
+ return true;
+ }
+ }
+
+ return false;
+}
+
 int mlx5dr_action_root_build_attr(struct mlx5dr_rule_action rule_actions[],
 uint32_t num_actions,
 struct mlx5dv_flow_action_attr *attr)
@@ -383,6 +423,24 @@ mlx5dr_action_fixup_stc_attr(struct mlx5dr_context *ctx,
 use_fixup = true;
 break;

+ case MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_ENCRYPTION:
+ if (fw_tbl_type == FS_FT_FDB_RX) {
+ fixup_stc_attr->action_type = MLX5_IFC_STC_ACTION_TYPE_NOP;
+ fixup_stc_attr->action_offset = stc_attr->action_offset;
+ fixup_stc_attr->stc_offset = stc_attr->stc_offset;
+ use_fixup = true;
+ }
+ break;
+
+ case MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_DECRYPTION:
+ if (fw_tbl_type == FS_FT_FDB_TX) {
+ fixup_stc_attr->action_type = MLX5_IFC_STC_ACTION_TYPE_NOP;
+ fixup_stc_attr->action_offset = stc_attr->action_offset;
+ fixup_stc_attr->stc_offset = stc_attr->stc_offset;
+ use_fixup = true;
+ }
+ break;
+
 default:
 break;
 }
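Review bot: `mlx5dr_action_check_restrictions()` returns true when the template is rejected, while `mlx5dr_action_check_combo()` directly above it returns `valid_combo`, i.e. true when the template is accepted. Two adjacent `check_*` helpers with opposite meanings invite a caller that tests the wrong sense and lets an encrypt or decrypt action through on the wrong FDB direction. Either rename the helper so the sense is in the name, or add a comment such as `/* Returns true if the template contains an action that is not allowed for this matcher */`. The log message would also be easier to act on if it printed the offending action type and `optimize_flow_src`.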
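Review bot: In `mlx5dr_action_fixup_stc_attr()` the encrypt STC is replaced with `MLX5_IFC_STC_ACTION_TYPE_NOP` on `FS_FT_FDB_RX` and the decrypt STC on `FS_FT_FDB_TX`, with no comment and no log, so on that side of the FDB the crypto action does nothing. This appears to be safe only because `mlx5dr_action_check_restrictions()` rejects templates whose `optimize_flow_src` would send traffic through that side; the only call visible in this patch is in `mlx5dr_matcher_check_and_process_at()`, and any other path that attaches an action template would need the same check. I would state that dependency in a comment above the two cases, e.g. `/* Crypto is one-directional in FDB: NOP on the opposite side, enforced by mlx5dr_action_check_restrictions() */`. The function body starts and ends outside the hunk.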
@@ -605,6 +663,16 @@ static void mlx5dr_action_fill_stc_attr(struct mlx5dr_action *action,
 attr->insert_header.insert_offset = MLX5DR_ACTION_HDR_LEN_L2_MACS;
 attr->insert_header.header_size = MLX5DR_ACTION_HDR_LEN_L2_VLAN;
 break;
+ case MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT:
+ attr->action_type = MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_ENCRYPTION;
+ attr->action_offset = MLX5DR_ACTION_OFFSET_DW5;
+ attr->id = obj->id;
+ break;
+ case MLX5DR_ACTION_TYP_CRYPTO_DECRYPT:
+ attr->action_type = MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_DECRYPTION;
+ attr->action_offset = MLX5DR_ACTION_OFFSET_DW5;
+ attr->id = obj->id;
+ break;
 default:
 DR_LOG(ERR, "Invalid action type %d", action->type);
 assert(false);
@@ -1943,6 +2011,55 @@ mlx5dr_action_create_dest_root(struct mlx5dr_context *ctx,
 return NULL;
 }

+struct mlx5dr_action *
+mlx5dr_action_create_crypto(struct mlx5dr_context *ctx,
+ struct mlx5dr_devx_obj *devx_obj,
+ struct mlx5dr_action_crypto_attr *attr,
+ uint32_t flags)
+{
+ enum mlx5dr_action_type action_type;
+ struct mlx5dr_action *action;
+
+ if (mlx5dr_action_is_root_flags(flags)) {
+ DR_LOG(ERR, "Action flags must be only non root (HWS)");
+ rte_errno = ENOTSUP;
+ return NULL;
+ }
+
+ if (attr->crypto_type != MLX5DR_ACTION_CRYPTO_TYPE_IPSEC) {
+ rte_errno = ENOTSUP;
+ return NULL;
+ }
+
+ if (attr->op == MLX5DR_ACTION_CRYPTO_OP_ENCRYPT) {
+ if (flags & MLX5DR_ACTION_FLAG_HWS_RX) {
+ rte_errno = EINVAL;
+ return NULL;
+ }
+ action_type = MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT;
+ } else if (attr->op == MLX5DR_ACTION_CRYPTO_OP_DECRYPT) {
+ if (flags & MLX5DR_ACTION_FLAG_HWS_TX) {
+ rte_errno = EINVAL;
+ return NULL;
+ }
+ action_type = MLX5DR_ACTION_TYP_CRYPTO_DECRYPT;
+ } else {
+ rte_errno = ENOTSUP;
+ return NULL;
+ }
+
+ action = mlx5dr_action_create_generic(ctx, flags, action_type);
+ if (!action)
+ return NULL;
+
+ if (mlx5dr_action_create_stcs(action, devx_obj)) {
+ simple_free(action);
+ return NULL;
+ }
+
+ return action;
+}
+
 static void mlx5dr_action_destroy_hws(struct mlx5dr_action *action)
 {
 struct mlx5dr_devx_obj *obj = NULL;
@@ -1963,6 +2080,8 @@ static void mlx5dr_action_destroy_hws(struct mlx5dr_action *action)
 case MLX5DR_ACTION_TYP_ASO_METER:
 case MLX5DR_ACTION_TYP_ASO_CT:
 case MLX5DR_ACTION_TYP_PUSH_VLAN:
+ case MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT:
+ case MLX5DR_ACTION_TYP_CRYPTO_DECRYPT:
 mlx5dr_action_destroy_stcs(action);
 break;
 case MLX5DR_ACTION_TYP_DEST_ROOT:
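Review bot: `mlx5dr_action_create_crypto()` dereferences `attr` (`attr->crypto_type`, `attr->op`) and hands `devx_obj` to `mlx5dr_action_create_stcs()` without checking either pointer. If the other creators in this file do not rely on the caller for that, add `if (!attr || !devx_obj) { rte_errno = EINVAL; return NULL; }` before the first use. The four rejection paths after the root-flags check also set `rte_errno` without a `DR_LOG()`, unlike the first one, which leaves a caller with ENOTSUP or EINVAL and no indication of which attribute or flag was refused.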
@@ -2460,6 +2579,33 @@ mlx5dr_action_setter_common_decap(struct mlx5dr_actions_apply_data *apply,
 MLX5DR_CONTEXT_SHARED_STC_DECAP));
 }

+static void
+mlx5dr_action_setter_crypto_encryption(struct mlx5dr_actions_apply_data *apply,
+ struct mlx5dr_actions_wqe_setter *setter)
+{
+ struct mlx5dr_rule_action *rule_action;
+
+ rule_action = &apply->rule_action[setter->idx_single];
+ apply->wqe_data[MLX5DR_ACTION_OFFSET_DW5] = htobe32(rule_action->crypto.offset);
+ mlx5dr_action_apply_stc(apply, MLX5DR_ACTION_STC_IDX_DW5, setter->idx_single);
+}
+
+static void
+mlx5dr_action_setter_crypto_decryption(struct mlx5dr_actions_apply_data *apply,
+ struct mlx5dr_actions_wqe_setter *setter)
+{
+ struct mlx5dr_rule_action *rule_action;
+
+ rule_action = &apply->rule_action[setter->idx_triple];
+
+ mlx5dr_action_apply_stc(apply, MLX5DR_ACTION_STC_IDX_DW5, setter->idx_triple);
+ apply->wqe_ctrl->stc_ix[MLX5DR_ACTION_STC_IDX_DW6] = 0;
+ apply->wqe_ctrl->stc_ix[MLX5DR_ACTION_STC_IDX_DW7] = 0;
+ apply->wqe_data[MLX5DR_ACTION_OFFSET_DW5] = htobe32(rule_action->crypto.offset);
+ apply->wqe_data[MLX5DR_ACTION_OFFSET_DW6] = 0;
+ apply->wqe_data[MLX5DR_ACTION_OFFSET_DW7] = 0;
+}
+
 int mlx5dr_action_template_process(struct mlx5dr_action_template *at)
 {
 struct mlx5dr_actions_wqe_setter *start_setter = at->setters + 1;
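Review bot: The two new setters are undocumented and differ in a way a reader cannot explain from the code: `mlx5dr_action_setter_crypto_decryption()` clears `stc_ix` and `wqe_data` for DW6 and DW7, while `mlx5dr_action_setter_crypto_encryption()` writes only DW5. A short comment on each, such as `/* Encrypt uses DW5 only; DW6/DW7 are filled by the default double setter */` and `/* Decrypt owns the whole triple: DW6/DW7 must be zero */`, would record the intent. The first of those is my reading of `mlx5dr_action_apply_setter()` and should be confirmed by the author.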
@@ -2594,6 +2740,22 @@ int mlx5dr_action_template_process(struct mlx5dr_action_template *at)
 setter->idx_ctr = i;
 break;

+ case MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT:
+ /* Single encryption action, consume triple due to HW limitations */
+ setter = mlx5dr_action_setter_find_first(last_setter, ASF_TRIPLE);
+ setter->flags |= ASF_TRIPLE;
+ setter->set_single = &mlx5dr_action_setter_crypto_encryption;
+ setter->idx_single = i;
+ break;
+
+ case MLX5DR_ACTION_TYP_CRYPTO_DECRYPT:
+ /* Triple decryption action */
+ setter = mlx5dr_action_setter_find_first(last_setter, ASF_TRIPLE);
+ setter->flags |= ASF_TRIPLE;
+ setter->set_triple = &mlx5dr_action_setter_crypto_decryption;
+ setter->idx_triple = i;
+ break;
+
 default:
 DR_LOG(ERR, "Unsupported action type: %d", action_type[i]);
 rte_errno = ENOTSUP;
diff --git a/drivers/net/mlx5/hws/mlx5dr_action.h b/drivers/net/mlx5/hws/mlx5dr_action.h
index 582a38bebc..6bfa0bcc4a 100644
--- a/drivers/net/mlx5/hws/mlx5dr_action.h
+++ b/drivers/net/mlx5/hws/mlx5dr_action.h
@@ -21,6 +21,8 @@ enum mlx5dr_action_stc_idx {
 MLX5DR_ACTION_STC_IDX_LAST_COMBO1 = 3,
 /* STC combo2: CTR, 3 x SINGLE, Hit */
 MLX5DR_ACTION_STC_IDX_LAST_COMBO2 = 4,
+ /* STC combo2: CTR, TRIPLE, Hit */
+ MLX5DR_ACTION_STC_IDX_LAST_COMBO3 = 2,
 };

 enum mlx5dr_action_offset {
@@ -52,6 +54,7 @@ enum mlx5dr_action_setter_flag {
 ASF_SINGLE2 = 1 << 1,
 ASF_SINGLE3 = 1 << 2,
 ASF_DOUBLE = ASF_SINGLE2 | ASF_SINGLE3,
+ ASF_TRIPLE = ASF_SINGLE1 | ASF_DOUBLE,
 ASF_REPARSE = 1 << 3,
 ASF_REMOVE = 1 << 4,
 ASF_MODIFY = 1 << 5,
@@ -94,10 +97,12 @@ typedef void (*mlx5dr_action_setter_fp)
 struct mlx5dr_actions_wqe_setter {
 mlx5dr_action_setter_fp set_single;
 mlx5dr_action_setter_fp set_double;
+ mlx5dr_action_setter_fp set_triple;
 mlx5dr_action_setter_fp set_hit;
 mlx5dr_action_setter_fp set_ctr;
 uint8_t idx_single;
 uint8_t idx_double;
+ uint8_t idx_triple;
 uint8_t idx_ctr;
 uint8_t idx_hit;
 uint8_t flags;
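Review bot: In mlx5dr_action.h (hunk at -21) the comment added above `MLX5DR_ACTION_STC_IDX_LAST_COMBO3` reads `/* STC combo2: CTR, TRIPLE, Hit */`, repeating the label of the entry before it. It should read `/* STC combo3: CTR, TRIPLE, Hit */`, so that the comment and the enumerator it describes agree.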
@@ -183,6 +188,9 @@ int mlx5dr_action_template_process(struct mlx5dr_action_template *at);
 bool mlx5dr_action_check_combo(enum mlx5dr_action_type *user_actions,
 enum mlx5dr_table_type table_type);

+bool mlx5dr_action_check_restrictions(struct mlx5dr_matcher *matcher,
+ enum mlx5dr_action_type *actions);
+
 int mlx5dr_action_alloc_single_stc(struct mlx5dr_context *ctx,
 struct mlx5dr_cmd_stc_modify_attr *stc_attr,
 uint32_t table_type,
@@ -230,26 +238,32 @@ mlx5dr_action_apply_setter(struct mlx5dr_actions_apply_data *apply,
 uint8_t num_of_actions;

 /* Set control counter */
- if (setter->flags & ASF_CTR)
+ if (setter->set_ctr)
 setter->set_ctr(apply, setter);
 else
 mlx5dr_action_setter_default_ctr(apply, setter);

- /* Set single and double on match */
 if (!is_jumbo) {
- if (setter->flags & ASF_SINGLE1)
- setter->set_single(apply, setter);
- else
- mlx5dr_action_setter_default_single(apply, setter);
-
- if (setter->flags & ASF_DOUBLE)
- setter->set_double(apply, setter);
- else
- mlx5dr_action_setter_default_double(apply, setter);
-
- num_of_actions = setter->flags & ASF_DOUBLE ?
- MLX5DR_ACTION_STC_IDX_LAST_COMBO1 :
- MLX5DR_ACTION_STC_IDX_LAST_COMBO2;
+ if (unlikely(setter->set_triple)) {
+ /* Set triple on match */
+ setter->set_triple(apply, setter);
+ num_of_actions = MLX5DR_ACTION_STC_IDX_LAST_COMBO3;
+ } else {
+ /* Set single and double on match */
+ if (setter->set_single)
+ setter->set_single(apply, setter);
+ else
+ mlx5dr_action_setter_default_single(apply, setter);
+
+ if (setter->set_double)
+ setter->set_double(apply, setter);
+ else
+ mlx5dr_action_setter_default_double(apply, setter);
+
+ num_of_actions = setter->set_double ?
+ MLX5DR_ACTION_STC_IDX_LAST_COMBO1 :
+ MLX5DR_ACTION_STC_IDX_LAST_COMBO2;
+ }
 } else {
 apply->wqe_data[MLX5DR_ACTION_OFFSET_DW5] = 0;
 apply->wqe_data[MLX5DR_ACTION_OFFSET_DW6] = 0;
diff --git a/drivers/net/mlx5/hws/mlx5dr_cmd.c b/drivers/net/mlx5/hws/mlx5dr_cmd.c
index c52cdd0767..3b3690699d 100644
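Review bot: `mlx5dr_action_apply_setter()` now chooses the handler by testing the function pointers (`set_ctr`, `set_triple`, `set_single`, `set_double`) instead of the `ASF_*` bits, so its correctness depends on every unused pointer in `struct mlx5dr_actions_wqe_setter` being NULL. The allocation and reset of the setters array are outside this patch, so that should be confirmed; a stale or uninitialised pointer would now be called rather than skipped. `flags` and the pointers can also disagree by design, since the encrypt case sets `ASF_TRIPLE` but fills `set_single`. I would add a comment at the top of the dispatch, e.g. `/* Dispatch on the handler pointers; unused handlers must be NULL. flags only reserves slots */`. The function starts and ends outside the hunk.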
--- a/drivers/net/mlx5/hws/mlx5dr_cmd.c +++ b/drivers/net/mlx5/hws/mlx5dr_cmd.c @@ -541,6 +541,14 @@ mlx5dr_cmd_stc_modify_set_stc_param(struct mlx5dr_cmd_stc_modify_attr *stc_attr, MLX5_SET(stc_ste_param_remove_words, stc_parm, remove_size, stc_attr->remove_words.num_of_words); break; + case MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_ENCRYPTION: + MLX5_SET(stc_ste_param_ipsec_encrypt, stc_parm, ipsec_object_id, + stc_attr->id); + break; + case MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_DECRYPTION: + MLX5_SET(stc_ste_param_ipsec_decrypt, stc_parm, ipsec_object_id, + stc_attr->id); + break; default: DR_LOG(ERR, "Not supported type %d", stc_attr->action_type); rte_errno = EINVAL; diff --git a/drivers/net/mlx5/hws/mlx5dr_cmd.h b/drivers/net/mlx5/hws/mlx5dr_cmd.h index 03db62e2e2..7bbb684dbd 100644 --- a/drivers/net/mlx5/hws/mlx5dr_cmd.h +++ b/drivers/net/mlx5/hws/mlx5dr_cmd.h @@ -100,7 +100,7 @@ struct mlx5dr_cmd_stc_modify_attr { uint8_t action_offset; enum mlx5_ifc_stc_action_type action_type; union { - uint32_t id; /* TIRN, TAG, FT ID, STE ID */ + uint32_t id; /* TIRN, TAG, FT ID, STE ID, CRYPTO */ struct { uint8_t decap; uint16_t start_anchor; diff --git a/drivers/net/mlx5/hws/mlx5dr_debug.c b/drivers/net/mlx5/hws/mlx5dr_debug.c index e7b1f2cc32..8cf3909606 100644 --- a/drivers/net/mlx5/hws/mlx5dr_debug.c +++ b/drivers/net/mlx5/hws/mlx5dr_debug.c @@ -24,6 +24,8 @@ const char *mlx5dr_debug_action_type_str[] = { [MLX5DR_ACTION_TYP_ASO_CT] = "ASO_CT", [MLX5DR_ACTION_TYP_DEST_ROOT] = "DEST_ROOT", [MLX5DR_ACTION_TYP_DEST_ARRAY] = "DEST_ARRAY", + [MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT] = "CRYPTO_ENCRYPT", + [MLX5DR_ACTION_TYP_CRYPTO_DECRYPT] = "CRYPTO_DECRYPT", }; static_assert(ARRAY_SIZE(mlx5dr_debug_action_type_str) == MLX5DR_ACTION_TYP_MAX, diff --git a/drivers/net/mlx5/hws/mlx5dr_matcher.c b/drivers/net/mlx5/hws/mlx5dr_matcher.c index a82c182460..6f74cf3677 100644 --- a/drivers/net/mlx5/hws/mlx5dr_matcher.c +++ b/drivers/net/mlx5/hws/mlx5dr_matcher.c 
@@ -714,6 +714,11 @@ static int mlx5dr_matcher_check_and_process_at(struct mlx5dr_matcher *matcher,
 return rte_errno;
 }

+ if (mlx5dr_action_check_restrictions(matcher, at->action_type_arr)) {
+ rte_errno = EINVAL;
+ return rte_errno;
+ }
+
 /* Process action template to setters */
 ret = mlx5dr_action_template_process(at);
 if (ret) {
--
2.39.2