Re: [dpdk-dev] [PATCH 1/3] security: support pdcp protocol
Hi Akhil,

On 15-10-2018 18:33, Akhil Goyal wrote:
> External Email
>
> On 10/9/2018 5:08 PM, Joseph, Anoob wrote:
>> Hi Akhil,
>>
>> Please see inline.
>>
>> Thanks,
>> Anoob
>> On 08-10-2018 15:19, Akhil Goyal wrote:
>>> External Email
>>>
>>> Hi Anoob,
>>>>>>> @@ -494,6 +553,23 @@ IPsec related configuration parameters are >>>>>>> defined in ``rte_security_ipsec_xform >>>>>>> /**< Tunnel parameters, NULL for transport mode */ >>>>>>> }; >>>>>>> +PDCP related configuration parameters are defined in >>>>>>> ``rte_security_pdcp_xform`` >>>>>>> + >>>>>>> +.. code-block:: c >>>>>>> + >>>>>>> + struct rte_security_pdcp_xform { >>>>>>> + int8_t bearer; /**< PDCP bearer ID */ >>>>>>> + enum rte_security_pdcp_domain domain; >>>>>>> + /** < PDCP mode of operation: Control or data */ >>>>>>> + enum rte_security_pdcp_direction pkt_dir; >>>>>>> + /**< PDCP Frame Direction 0:UL 1:DL */ >>>>>>> + enum rte_security_pdcp_sn_size sn_size; >>>>>>> + /**< Sequence number size, 5/7/12/15 */ >>>>>>> + int8_t hfn_ovd; /**< Overwrite HFN per operation */ >>>>>>> + uint32_t hfn; /**< Hyper Frame Number */ >>>>>>> + uint32_t hfn_threshold; /**< HFN Threashold for key >>>>>>> renegotiation */ >>>>>>> + }; >>>>>>> + >>>>>> [Anoob] PDCP packet ordering should be both a capability and a >>>>>> setting. >>>>>> HFN will be incremented overtime and starts at 0. So why is it >>>>>> part of >>>>>> the xform? >>>>> >>>>> The Security accelerators may assume packet in order. Latest PDCP TS >>>>> suggest to do de-Ciphering before re-Ordering the Rx PDCP PDUs. In >>>>> this >>>>> situation, the accelerator may use wrong HFN value. The PDCP >>>>> application >>>>> can provide the appropriate HFN value along with PDU to the security >>>>> accelerator. >>>>> >>>> So what is the expectation with regards to ordering? Would PDCP know >>>> the order or is it unaware of the order? >>>> If implementation of this Spec knows the order of packets(which is >>>> implied by the "In order delivery and Duplicate detection >>>> Sequence Numbering" statement in the PDCP flow diagram), then there >>>> should be no need to override the >>>> HFN. If the implementation does not know the order of packets, then >>>> the flow diagram should be corrected. 
>>>> Also, is implementation expected to support ordered delivery and
>>>> duplicate detection. Perhaps it should be
>>>> a capability or 2.
>>> This patchset is basically talking about full protocol offload with
>>> look aside accelerators.
>>> And when we are talking about full protocol offload, all protocol
>>> related stuff like ordering, headers etc.
>>> needs to be handled by the HW/driver.
>>> So the expectation is driver/HW should be able to perform in order
>>> delivery and detect duplicates.
>> How will errors in these situations be reported to the application -
>> if packets are not in order or if a duplicate is detected - how should
>> driver report it?
>> Is the driver/HW expected to correct the order OR is the behaviour
>> limited to detection of out-of-order? In order to correct the order,
>> the driver/HW will need to accumulate packets. Is that really the
>> expectation of this specification
> I have added a setting in xform and capability for in-order and
> duplicate packet detection.
> So if the capability is there in hardware to do such processing then it
> will do that and report error
> in crypto status and if the capability is not there then application
> will be responsible for handling such cases.
> I hope this would answer your query.

Seems good.

>
>>> If somebody have support for PDCP in the hardware, we can add
>>> capabilities as per the specific requirements.
>>> In v2/v3 I have removed the hfn_override. Will add it later when it
>>> will be supported.
>>>
>>> Thanks,
>>> Akhil
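Review bot: In the rte_security_pdcp_xform block added to rte_security.rst, the comment on the domain field opens with "/** <" (space before the "<") while every other field uses "/**<"; if the header carries the same text, Doxygen will attach that comment to the following member instead of to domain, so drop the space. In the same block "Threashold" should be "Threshold", and the pkt_dir comment documents raw values (0:UL 1:DL) for a field typed as an enum; naming the enumerators would keep the guide from drifting from the header.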
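The ordering problem discussed in this thread, as an added example (not code from the patch or from DPDK): a model of an accelerator that assumes in-order arrival derives the wrong COUNT once PDUs are reordered across an SN wrap, while a per-operation HFN supplied by the application keeps COUNT correct. The engine and app_rx structures and the half-window inference are hypothetical simplifications, not the TS 36.323 procedure; the 12-bit SN size and the PDU sequence are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SN_BITS 12u			/* one of the sn_size values in the patch */
#define SN_MOD  (1u << SN_BITS)
#define WINDOW  (SN_MOD / 2)		/* assumption: half of the SN space */

/* hfn here is the sender's value, i.e. the ground truth for the check. */
struct pdu { uint32_t hfn; uint32_t sn; };

/* COUNT = HFN || SN, the per-PDU counter fed to the cipher. */
static uint32_t pdcp_count(uint32_t hfn, uint32_t sn)
{
	return (hfn << SN_BITS) | (sn & (SN_MOD - 1));
}

/* Hypothetical accelerator state: private HFN, bumped when SN goes backwards. */
struct engine { uint32_t hfn; uint32_t last_sn; int started; };

/* hfn_ovd/hfn mirror the xform fields: when set, the caller's HFN is used. */
static uint32_t engine_count(struct engine *e, uint32_t sn,
			     int hfn_ovd, uint32_t hfn)
{
	if (hfn_ovd)
		return pdcp_count(hfn, sn);
	if (e->started && sn < e->last_sn)
		e->hfn++;		/* interpreted as SN wrap-around */
	e->last_sn = sn;
	e->started = 1;
	return pdcp_count(e->hfn, sn);
}

/* Application side: next COUNT expected in order, used as the reference. */
struct app_rx { uint32_t next; };

/*
 * Simplified inference: an SN far behind the reference belongs to the next
 * HFN, an SN far ahead belongs to the previous one. The reference advances
 * only on an exact match; a full receiver would also advance past PDUs it
 * has buffered.
 */
static uint32_t app_infer_hfn(struct app_rx *rx, uint32_t sn)
{
	uint32_t ref_hfn = rx->next >> SN_BITS;
	uint32_t ref_sn = rx->next & (SN_MOD - 1);
	uint32_t hfn = ref_hfn;

	if (sn + WINDOW < ref_sn)
		hfn = ref_hfn + 1;
	else if (sn >= ref_sn + WINDOW && ref_hfn > 0)
		hfn = ref_hfn - 1;
	if (pdcp_count(hfn, sn) == rx->next)
		rx->next++;
	return hfn;
}

/* Constructed arrival order: (1,0) overtakes (0,4095) at the SN wrap. */
static const struct pdu rx_order[] = {
	{ 0, 4094 }, { 1, 0 }, { 0, 4095 }, { 1, 1 },
};

/* Number of PDUs for which the engine's COUNT differs from the sender's. */
int count_errors(int use_override)
{
	struct engine e = { 0 };
	struct app_rx rx = { pdcp_count(0, 4094) };
	int errors = 0;
	size_t i;

	for (i = 0; i < sizeof(rx_order) / sizeof(rx_order[0]); i++) {
		uint32_t sn = rx_order[i].sn;
		uint32_t hfn = use_override ? app_infer_hfn(&rx, sn) : 0;
		uint32_t got = engine_count(&e, sn, use_override, hfn);

		/* A wrong COUNT means the PDU deciphers to garbage. */
		if (got != pdcp_count(rx_order[i].hfn, sn))
			errors++;
	}
	return errors;
}

int main(void)
{
	printf("in-order assumption: %d bad COUNT values\n", count_errors(0));
	printf("per-op HFN override: %d bad COUNT values\n", count_errors(1));
	return 0;
}
```

Without the override the model never recovers: its private HFN stays one ahead after the late PDU, so every later PDU is processed with the wrong COUNT as well.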
Re: [dpdk-dev] [PATCH v4 1/3] security: support pdcp protocol
Hi Akhil, https://tools.ietf.org/html/rfc4301#section-1 RFC says we need to use "IPsec" and not "IPSec". Can you fix this in the lines you have added? And do see inline for other comments. Thanks, Anoob On 15-10-2018 18:23, Akhil Goyal wrote: > External Email > > From: Akhil Goyal > > Packet Data Convergence Protocol (PDCP) is added in rte_security > for 3GPP TS 36.323 for LTE. > > The patchset provide the structure definitions for configuring the > PDCP sessions and relevant documentation is added. > > Signed-off-by: Hemant Agrawal > Signed-off-by: Akhil Goyal > --- > doc/guides/prog_guide/rte_security.rst | 107 +++-- > lib/librte_security/rte_security.c | 4 + > lib/librte_security/rte_security.h | 91 + > 3 files changed, 195 insertions(+), 7 deletions(-) > > diff --git a/doc/guides/prog_guide/rte_security.rst > b/doc/guides/prog_guide/rte_security.rst > index 0812abe77..f09e7c8bb 100644 > --- a/doc/guides/prog_guide/rte_security.rst > +++ b/doc/guides/prog_guide/rte_security.rst > @@ -10,8 +10,8 @@ The security library provides a framework for management > and provisioning > of security protocol operations offloaded to hardware based devices. The > library defines generic APIs to create and free security sessions which can > support full protocol offload as well as inline crypto operation with > -NIC or crypto devices. The framework currently only supports the IPSec > protocol > -and associated operations, other protocols will be added in future. > +NIC or crypto devices. The framework currently only supports the IPSec and > PDCP > +protocol and associated operations, other protocols will be added in future. > > Design Principles > - 
> @@ -253,6 +253,49 @@ for any protocol header addition. > +|+ >V > > +PDCP Flow Diagram > +~ > + > +Based on 3GPP TS 36.323 Evolved Universal Terrestrial Radio Access (E-UTRA); > +Packet Data Convergence Protocol (PDCP) specification > + > +.. code-block:: c > + > +Transmitting PDCP Entity Receiving PDCP Entity > + | ^ > + | +---|---+ > + V | In order delivery and | > ++-|--+| Duplicate detection | > +| Sequence Numbering || (Data Plane only)| > ++-|--++---|---+ > + | | > ++-|--++---|--+ > +| Header Compression*|| Header Decompression*| > +| (Data-Plane only) || (Data Plane only) | > ++-|--++---|--+ > + | | > ++-|---+ +---|--+ > +| Integrity Protection| |Integrity Verification| > +| (Control Plane only)| | (Control Plane only) | > ++-|---+ +---|--+ > ++-|---++--|--+ > +| Ciphering || Deciphering | > ++-|---++--|--+ > ++-|---++--|--+ > +| Add PDCP header || Remove PDCP Header | > ++-|---++--|--+ > + | | > + +->>+ > + > + > +.. note:: > + > +* Header Compression and decompression are not supported currently. > + > +Just like IPSec, in case of PDCP also header addition/deletion, cipher/ > +de-cipher, integrity protection/verification is done based on the action > +type chosen. > + > Device Features and Capabilities > - > > @@ -271,7 +314,7 @@ structure in the *DPDK API Reference*. > > Each driver (crypto or ethernet) defines its own private array of > capabilities > for the operations it supports. Below is an example of the capabilities for > a > -PMD which supports the IPSec protocol. > +PMD which supports the IPSec and PDCP protocol. > > .. code-block:: c > > @@ -298,6 +341,24 @@ PMD which supports the IPSec protocol. > }, > .crypto_capabilities = pmd_capabilities > }, > +{ /* PDCP Lookaside Protocol offload Data Plane */ > +.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, > +.protocol = RTE_SECURITY_PROTOCOL_PDCP, > +.pdcp = { > +.domain = RTE_SECURITY_PDCP_MODE_DATA, > +.capa_flags = 0 > +
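Review bot: In the PDCP Flow Diagram hunk the left-hand Header Compression box is labelled "(Data-Plane only)" while every other box uses "(Data Plane only)" or "(Control Plane only)"; pick one spelling. The body of the ".. note::" starts with "* ", which reST will render as a bullet item rather than as the footnote marker that matches "Header Compression*" in the diagram, so write it as a plain sentence. In the two prose hunks, "supports the IPSec and PDCP protocol" should read "protocols" now that two are listed.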
Re: [dpdk-dev] [PATCH v2 01/33] config: add Cavium OcteonTX crypto PMD skeleton
Hi Akhil,

On 18-09-2018 18:01, Akhil Goyal wrote:
> External Email
>
> Hi Anoob,
>
> On 9/17/2018 7:43 PM, Joseph, Anoob wrote:
>> Hi Akhil,
>>
>> On 17-09-2018 17:50, Akhil Goyal wrote:
>>> External Email
>>>
>>> On 9/17/2018 5:12 PM, Joseph, Anoob wrote:
>>>
>>>> Hi Akhil,
>>>> On 17-09-2018 16:07, Akhil Goyal wrote:
>>>>> External Email
>>>>>>> I think it would be better to squash the makefile related
>>>>>>> changes in the 3/33 patch as the code
>>>>>>> is actually added in that and here the code is not getting compiled
>>>>>>> here.
>>>>>> So the changes in the following files has to be moved to patch 3/33?
>>>>>> drivers/crypto/Makefile
>>>>>> drivers/crypto/meson.build
>>>>>> drivers/crypto/octeontx/Makefile
>>>>>> drivers/crypto/octeontx/meson.build
>>>>>> mk/rte.app.mk
>>>>>> I think this patch will just have MAINTAINER edit (even that
>>>>>> might be required to be moved to 3/33?) & changes to
>>>>>> config/common_base, after that. Is that fine?
>>>>> In my opinion, you do not need this patch as separate one.
>>>>> config/common_base can also be added in the 3/33.
>>>> In that case 02/33 patch would become the first patch right? The same
>>>> problem would be there too, I guess. The macros added in that patch
>>>> gets used only in 03/33 patch. Is that fine?
>>>
>>> I think that would be fine. Better to have a 03/33 patch before 02/33
>>> if it doesn't have dependencies.
>> 03/33 patch is dependent on 02/33 patch. Shall I proceed with merging
>> 01/33 to 03/33 and make 02/33 the first patch?
>>>
>>>> The first patch would be a shell patch for most PMD additions. That's
>>>> the reason we started this way. If you want it changed, will do so.
>>>> Please do let me know what will be the right approach.
>>>
>>> For the makefiles, you would be compiling the empty files which does
>>> not have any code. That does not make any sense to me.
>> With 01/33 there won't be any files compiled. We are just adding the
>> library (which would be empty)
>>>
>>> Normally, when we submit a new PMD, we add the basic PMD probe/remove
>>> in the first patch and add it into build system. Maintainers is also
>>> updated for the new PMD.
>>>
>>> Further ops are added later in the patchset.
>>>
>>> Hardware specific header files/ functions are added before they are
>>> used in the driver in a single/multiple logical patches.
>>>
>>> In the end, documentation is added along with release note and
>>> MAINTAINERS update for documentation files.
>> I shall proceed with merging 01/33 to 03/33, if you can confirm making
>> 02/33 the first patch is fine. Or please do let me know if you have
>> any other suggestions.
>>
> I see that the 2/33 is adding the logging macros. I believe that can
> also be merged in the 03/33.

./devtools/check-git-log.sh was giving me issues when one patch was
having edits in both drivers/common/cpt & drivers/crypto/octeontx.
That's the reason it was separated out. Many patches had to be divided
because of this.

> Also I missed one comment on the documentation patch.. Please add your
> pmd doc entry in index.rst as well.

Will fix this in v3.

Thanks,
Anoob
[PATCH v2 1/2] security: add fallback security processing and Rx inject
Add alternate datapath API for security processing which would do Rx
injection (similar to loopback) after successful security processing.

With inline protocol offload, variable part of the session context
(AR windows, lifetime etc in case of IPsec), is not accessible to the
application. If packets are not getting processed in the inline path
due to non security reasons (such as outer fragmentation or rte_flow
packet steering limitations), then the packet cannot be security
processed as the session context is private to the PMD and security
library doesn't provide alternate APIs to make use of the same session.

Introduce new API and Rx injection as fallback mechanism to security
processing failures due to non-security reasons. For example, when there
is outer fragmentation and PMD doesn't support reassembly of outer
fragments, application would receive fragments which it can then
reassemble. Post successful reassembly, packet can be submitted for
security processing and Rx inject. The packets can be then received in
the application as normal inline protocol processed packets.

Same API can be leveraged in lookaside protocol offload mode to inject
packet to Rx. This would help in using rte_flow based packet parsing
after security processing. For example, with IPsec, this will help in
inner parsing and flow splitting after IPsec processing is done.

In both inline protocol capable ethdevs and lookaside protocol capable
cryptodevs, the packet would be received back in eth port & queue based
on rte_flow rules and packet parsing after security processing. The API
would behave like a loopback but with the additional security
processing.

Signed-off-by: Anoob Joseph
Signed-off-by: Vidya Sagar Velumuri --- v2: * Added a new API for configuring security device to do Rx inject to a specific ethdev port * Rebased doc/guides/cryptodevs/features/default.ini | 1 + lib/cryptodev/rte_cryptodev.h | 2 + lib/security/rte_security.c| 22 ++ lib/security/rte_security.h| 85 ++ lib/security/rte_security_driver.h | 44 +++ lib/security/version.map | 3 + 6 files changed, 157 insertions(+) diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini index 6f637fa7e2..f411d4bab7 100644 --- a/doc/guides/cryptodevs/features/default.ini +++ b/doc/guides/cryptodevs/features/default.ini @@ -34,6 +34,7 @@ Sym raw data path API = Cipher multiple data units = Cipher wrapped key = Inner checksum = +Rx inject = ; ; Supported crypto algorithms of a default crypto driver. diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h index 9f07e1ed2c..05aabb6526 100644 --- a/lib/cryptodev/rte_cryptodev.h +++ b/lib/cryptodev/rte_cryptodev.h @@ -534,6 +534,8 @@ rte_cryptodev_asym_get_xform_string(enum rte_crypto_asym_xform_type xform_enum); /**< Support wrapped key in cipher xform */ #define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL << 27) /**< Support inner checksum computation/verification */ +#define RTE_CRYPTODEV_FF_SECURITY_RX_INJECT(1ULL << 28) +/**< Support Rx injection after security processing */ /** * Get the name of a crypto device feature flag diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c index ab44bbe0f0..fa8d2bb7ce 100644 --- a/lib/security/rte_security.c +++ b/lib/security/rte_security.c 
@@ -321,6 +321,28 @@ rte_security_capability_get(void *ctx, struct rte_security_capability_idx *idx) return NULL; } +int +rte_security_rx_inject_configure(void *ctx, uint16_t port_id, bool enable) +{ + struct rte_security_ctx *instance = ctx; + + RTE_PTR_OR_ERR_RET(instance, -EINVAL); + RTE_PTR_OR_ERR_RET(instance->ops, -ENOTSUP); + RTE_PTR_OR_ERR_RET(instance->ops->rx_inject_configure, -ENOTSUP); + + return instance->ops->rx_inject_configure(instance->device, port_id, enable); +} + +uint16_t +rte_security_inb_pkt_rx_inject(void *ctx, struct rte_mbuf **pkts, void **sess, + uint16_t nb_pkts) +{ + struct rte_security_ctx *instance = ctx; + + return instance->ops->inb_pkt_rx_inject(instance->device, pkts, + (struct rte_security_session **)sess, nb_pkts); +} + static int security_handle_cryptodev_list(const char *cmd __rte_unused, const char *params __rte_unused, diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index c9cc7a45a6..fe8e8e9813 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -1310,6 +1310,91 @@ const struct rte_security_capability * rte_security_capability_get(void *instance, struct rte_security_capability_idx *idx); +/** + * @warning + * @b EXPERIMENTAL: this API may change,
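Review bot: rte_security_inb_pkt_rx_inject() in the rte_security.c hunk calls instance->ops->inb_pkt_rx_inject with no validation, while rte_security_rx_inject_configure() directly above it checks instance, instance->ops and the callback with RTE_PTR_OR_ERR_RET. As written, a device whose ops table lacks the callback ends in a call through a NULL function pointer. If the checks are left out on purpose for the fast path, say so in the API documentation (the caller must confirm RTE_CRYPTODEV_FF_SECURITY_RX_INJECT and a successful rte_security_rx_inject_configure() first) or add them under a debug-build guard. Since the function returns uint16_t, the documentation should also state what the caller does with packets beyond the returned count.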
[PATCH v2 2/2] test/cryptodev: add Rx inject test
From: Vidya Sagar Velumuri Add test to verify Rx inject. The test case added would push a known vector to cryptodev which would be injected to ethdev Rx. The test case verifies that the packet is received from ethdev Rx and is processed successfully. It also verifies that the userdata matches with the expectation. Signed-off-by: Anoob Joseph Signed-off-by: Vidya Sagar Velumuri --- app/test/test_cryptodev.c| 341 +++ app/test/test_cryptodev_security_ipsec.h | 1 + 2 files changed, 289 insertions(+), 53 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index f2112e181e..420f60553d 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -17,6 +17,7 @@ #include #include +#include #include #include #include 
@@ -1426,6 +1427,93 @@ ut_setup_security(void) return dev_configure_and_start(0); } +static int +ut_setup_security_rx_inject(void) +{ + struct rte_mempool *mbuf_pool = rte_mempool_lookup("CRYPTO_MBUFPOOL"); + struct crypto_testsuite_params *ts_params = &testsuite_params; + struct rte_eth_conf port_conf = { + .rxmode = { + .offloads = RTE_ETH_RX_OFFLOAD_CHECKSUM | + RTE_ETH_RX_OFFLOAD_SECURITY, + }, + .txmode = { + .offloads = RTE_ETH_TX_OFFLOAD_MBUF_FAST_FREE, + }, + .lpbk_mode = 1, /* Enable loopback */ + }; + struct rte_cryptodev_info dev_info; + struct rte_eth_rxconf rx_conf = { + .rx_thresh = { + .pthresh = 8, + .hthresh = 8, + .wthresh = 8, + }, + .rx_free_thresh = 32, + }; + uint16_t nb_ports; + void *sec_ctx; + int ret; + + rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info); + if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY_RX_INJECT) || + !(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) { + RTE_LOG(INFO, USER1, "Feature requirements for IPsec Rx inject test case not met\n" + ); + return TEST_SKIPPED; + } + + sec_ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); + if (sec_ctx == NULL) + return TEST_SKIPPED; + + nb_ports = rte_eth_dev_count_avail(); + if (nb_ports == 0) + return TEST_SKIPPED; + + ret = rte_eth_dev_configure(0 /* port_id */, + 1 /* nb_rx_queue */, + 0 /* nb_tx_queue */, + &port_conf); + if (ret) { + printf("Could not configure ethdev port 0 [err=%d]\n", ret); + return TEST_SKIPPED; + } + + /* Rx queue setup */ + ret = rte_eth_rx_queue_setup(0 /* port_id */, +0 /* rx_queue_id */, +1024 /* nb_rx_desc */, +SOCKET_ID_ANY, +&rx_conf, +mbuf_pool); + if (ret) { + printf("Could not setup eth port 0 queue 0\n"); + return TEST_SKIPPED; + } + + ret = rte_security_rx_inject_configure(sec_ctx, 0, true); + if (ret) { + printf("Could not enable Rx inject offload"); + return TEST_SKIPPED; + } + + ret = rte_eth_dev_start(0); + if (ret) { + printf("Could not start ethdev"); + return TEST_SKIPPED; + } + + ret = 
rte_eth_promiscuous_enable(0); + if (ret) { + printf("Could not enable promiscuous mode"); + return TEST_SKIPPED; + } + + /* Configure and start cryptodev with no features disabled */ + return dev_configure_and_start(0); +} + void ut_teardown(void) { @@ -1478,6 +1566,33 @@ ut_teardown(void) rte_cryptodev_stop(ts_params->valid_devs[0]); } +static void +ut_teardown_rx_inject(void) +{ + struct crypto_testsuite_params *ts_params = &testsuite_params; + void *sec_ctx; + int ret; + + if (rte_eth_dev_count_avail() != 0) { + ret = rte_eth_dev_reset(0); + if (ret) + printf("Could not reset eth port 0"); + + } + + ut_teardown(); + + sec_ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); + if (sec_ctx == NULL) + return; + + ret = rte_security_rx_inject_configure(sec_ctx, 0, false); + if (ret) { + printf("Could not disable Rx inject offload"); + return; + } +} + static int test_device_configur
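Review bot: In ut_setup_security_rx_inject() every failure after the feature-flag check (rte_eth_dev_configure, rte_eth_rx_queue_setup, rte_security_rx_inject_configure, rte_eth_dev_start, rte_eth_promiscuous_enable) returns TEST_SKIPPED, so a regression in the new configure API on a device that advertises Rx inject would be reported as a skip instead of a failure; return TEST_FAILED once the capability checks have passed. Several printf messages ("Could not enable Rx inject offload", "Could not start ethdev", "Could not enable promiscuous mode", and those in the teardown) have no trailing newline, and the error paths leave ethdev port 0 configured without undoing the earlier steps.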
[PATCH v3 1/2] security: add fallback security processing and Rx inject
Add alternate datapath API for security processing which would do Rx
injection (similar to loopback) after successful security processing.

With inline protocol offload, variable part of the session context
(AR windows, lifetime etc in case of IPsec), is not accessible to the
application. If packets are not getting processed in the inline path
due to non security reasons (such as outer fragmentation or rte_flow
packet steering limitations), then the packet cannot be security
processed as the session context is private to the PMD and security
library doesn't provide alternate APIs to make use of the same session.

Introduce new API and Rx injection as fallback mechanism to security
processing failures due to non-security reasons. For example, when there
is outer fragmentation and PMD doesn't support reassembly of outer
fragments, application would receive fragments which it can then
reassemble. Post successful reassembly, packet can be submitted for
security processing and Rx inject. The packets can be then received in
the application as normal inline protocol processed packets.

Same API can be leveraged in lookaside protocol offload mode to inject
packet to Rx. This would help in using rte_flow based packet parsing
after security processing. For example, with IPsec, this will help in
flow splitting after IPsec processing is done.

In both inline protocol capable ethdevs and lookaside protocol capable
cryptodevs, the packet would be received back in eth port & queue based
on rte_flow rules and packet parsing after security processing. The API
would behave like a loopback but with the additional security
processing.

Signed-off-by: Anoob Joseph
Signed-off-by: Vidya Sagar Velumuri --- v3: * Resolved compilation error with 32 bit build v2: * Added a new API for configuring security device to do Rx inject to a specific ethdev port * Rebased doc/guides/cryptodevs/features/default.ini | 1 + lib/cryptodev/rte_cryptodev.h | 2 + lib/security/rte_security.c| 22 ++ lib/security/rte_security.h| 85 ++ lib/security/rte_security_driver.h | 44 +++ lib/security/version.map | 3 + 6 files changed, 157 insertions(+) diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini index 6f637fa7e2..f411d4bab7 100644 --- a/doc/guides/cryptodevs/features/default.ini +++ b/doc/guides/cryptodevs/features/default.ini @@ -34,6 +34,7 @@ Sym raw data path API = Cipher multiple data units = Cipher wrapped key = Inner checksum = +Rx inject = ; ; Supported crypto algorithms of a default crypto driver. diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h index 9f07e1ed2c..05aabb6526 100644 --- a/lib/cryptodev/rte_cryptodev.h +++ b/lib/cryptodev/rte_cryptodev.h @@ -534,6 +534,8 @@ rte_cryptodev_asym_get_xform_string(enum rte_crypto_asym_xform_type xform_enum); /**< Support wrapped key in cipher xform */ #define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL << 27) /**< Support inner checksum computation/verification */ +#define RTE_CRYPTODEV_FF_SECURITY_RX_INJECT(1ULL << 28) +/**< Support Rx injection after security processing */ /** * Get the name of a crypto device feature flag diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c index ab44bbe0f0..fa8d2bb7ce 100644 --- a/lib/security/rte_security.c +++ b/lib/security/rte_security.c 
@@ -321,6 +321,28 @@ rte_security_capability_get(void *ctx, struct rte_security_capability_idx *idx) return NULL; } +int +rte_security_rx_inject_configure(void *ctx, uint16_t port_id, bool enable) +{ + struct rte_security_ctx *instance = ctx; + + RTE_PTR_OR_ERR_RET(instance, -EINVAL); + RTE_PTR_OR_ERR_RET(instance->ops, -ENOTSUP); + RTE_PTR_OR_ERR_RET(instance->ops->rx_inject_configure, -ENOTSUP); + + return instance->ops->rx_inject_configure(instance->device, port_id, enable); +} + +uint16_t +rte_security_inb_pkt_rx_inject(void *ctx, struct rte_mbuf **pkts, void **sess, + uint16_t nb_pkts) +{ + struct rte_security_ctx *instance = ctx; + + return instance->ops->inb_pkt_rx_inject(instance->device, pkts, + (struct rte_security_session **)sess, nb_pkts); +} + static int security_handle_cryptodev_list(const char *cmd __rte_unused, const char *params __rte_unused, diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index c9cc7a45a6..fe8e8e9813 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -1310,6 +1310,91 @@ const struct rte_security_capability * rte_security_capability_get(void *instance, struct rte_security_capability_idx *idx); +/** + * @warning + * @b E
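Review bot: The new RTE_CRYPTODEV_FF_SECURITY_RX_INJECT define in the rte_cryptodev.h hunk sits directly above the doc comment for the feature-flag name lookup, yet the diffstat lists rte_cryptodev.h as the only file changed under lib/cryptodev; if the name table is kept in the .c file, the flag needs an entry there so that it is reported by name. The diffstat also shows no release-notes or programmer's-guide change for the two new functions added in rte_security.c and exported through version.map; please add both with this patch.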
[PATCH v3 2/2] test/cryptodev: add Rx inject test
From: Vidya Sagar Velumuri Add test to verify Rx inject. The test case added would push a known vector to cryptodev which would be injected to ethdev Rx. The test case verifies that the packet is received from ethdev Rx and is processed successfully. It also verifies that the userdata matches with the expectation. Signed-off-by: Anoob Joseph Signed-off-by: Vidya Sagar Velumuri --- app/test/test_cryptodev.c| 340 +++ app/test/test_cryptodev_security_ipsec.h | 1 + 2 files changed, 288 insertions(+), 53 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index f2112e181e..b645cb32f1 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -17,6 +17,7 @@ #include #include +#include #include #include #include 
@@ -1426,6 +1427,93 @@ ut_setup_security(void) return dev_configure_and_start(0); } +static int +ut_setup_security_rx_inject(void) +{ + struct rte_mempool *mbuf_pool = rte_mempool_lookup("CRYPTO_MBUFPOOL"); + struct crypto_testsuite_params *ts_params = &testsuite_params; + struct rte_eth_conf port_conf = { + .rxmode = { + .offloads = RTE_ETH_RX_OFFLOAD_CHECKSUM | + RTE_ETH_RX_OFFLOAD_SECURITY, + }, + .txmode = { + .offloads = RTE_ETH_TX_OFFLOAD_MBUF_FAST_FREE, + }, + .lpbk_mode = 1, /* Enable loopback */ + }; + struct rte_cryptodev_info dev_info; + struct rte_eth_rxconf rx_conf = { + .rx_thresh = { + .pthresh = 8, + .hthresh = 8, + .wthresh = 8, + }, + .rx_free_thresh = 32, + }; + uint16_t nb_ports; + void *sec_ctx; + int ret; + + rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info); + if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY_RX_INJECT) || + !(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) { + RTE_LOG(INFO, USER1, + "Feature requirements for IPsec Rx inject test case not met\n"); + return TEST_SKIPPED; + } + + sec_ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); + if (sec_ctx == NULL) + return TEST_SKIPPED; + + nb_ports = rte_eth_dev_count_avail(); + if (nb_ports == 0) + return TEST_SKIPPED; + + ret = rte_eth_dev_configure(0 /* port_id */, + 1 /* nb_rx_queue */, + 0 /* nb_tx_queue */, + &port_conf); + if (ret) { + printf("Could not configure ethdev port 0 [err=%d]\n", ret); + return TEST_SKIPPED; + } + + /* Rx queue setup */ + ret = rte_eth_rx_queue_setup(0 /* port_id */, +0 /* rx_queue_id */, +1024 /* nb_rx_desc */, +SOCKET_ID_ANY, +&rx_conf, +mbuf_pool); + if (ret) { + printf("Could not setup eth port 0 queue 0\n"); + return TEST_SKIPPED; + } + + ret = rte_security_rx_inject_configure(sec_ctx, 0, true); + if (ret) { + printf("Could not enable Rx inject offload"); + return TEST_SKIPPED; + } + + ret = rte_eth_dev_start(0); + if (ret) { + printf("Could not start ethdev"); + return TEST_SKIPPED; + } + + ret = 
rte_eth_promiscuous_enable(0); + if (ret) { + printf("Could not enable promiscuous mode"); + return TEST_SKIPPED; + } + + /* Configure and start cryptodev with no features disabled */ + return dev_configure_and_start(0); +} + void ut_teardown(void) { @@ -1478,6 +1566,33 @@ ut_teardown(void) rte_cryptodev_stop(ts_params->valid_devs[0]); } +static void +ut_teardown_rx_inject(void) +{ + struct crypto_testsuite_params *ts_params = &testsuite_params; + void *sec_ctx; + int ret; + + if (rte_eth_dev_count_avail() != 0) { + ret = rte_eth_dev_reset(0); + if (ret) + printf("Could not reset eth port 0"); + + } + + ut_teardown(); + + sec_ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); + if (sec_ctx == NULL) + return; + + ret = rte_security_rx_inject_configure(sec_ctx, 0, false); + if (ret) { + printf("Could not disable Rx inject offload"); + return; + } +} + static int test_device_configur
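Review bot: ut_teardown_rx_inject() calls rte_eth_dev_reset(0) before rte_security_rx_inject_configure(sec_ctx, 0, false), which is not the reverse of the setup order (inject is enabled there before rte_eth_dev_start(0)); disable Rx inject first, or add a comment explaining why the port may be reset while the security device still targets it. Port id 0 is hard-coded throughout setup and teardown with only rte_eth_dev_count_avail() checked for non-zero, so take the first available port id instead of assuming it is 0. The trailing "return;" inside the last if block of the void teardown is redundant.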
[PATCH v2 1/5] net: add headers for TLS/DTLS packets
From: Akhil Goyal Added TLS and DTLS packet headers for L4 security applications. Signed-off-by: Akhil Goyal Signed-off-by: Anoob Joseph Signed-off-by: Vidya Sagar Velumuri --- doc/api/doxy-api-index.md | 2 ++ lib/net/meson.build | 2 ++ lib/net/rte_dtls.h| 61 +++ lib/net/rte_tls.h | 48 ++ 4 files changed, 113 insertions(+) create mode 100644 lib/net/rte_dtls.h create mode 100644 lib/net/rte_tls.h diff --git a/doc/api/doxy-api-index.md b/doc/api/doxy-api-index.md index fdeda13932..03e2445bb1 100644 --- a/doc/api/doxy-api-index.md +++ b/doc/api/doxy-api-index.md @@ -128,6 +128,8 @@ The public API headers are grouped by topics: [eCPRI](@ref rte_ecpri.h), [PDCP hdr](@ref rte_pdcp_hdr.h), [PDCP](@ref rte_pdcp.h), + [TLS](@ref rte_tls.h), + [DTLS](@ref rte_dtls.h), [L2TPv2](@ref rte_l2tpv2.h), [PPP](@ref rte_ppp.h), [IB](@ref rte_ib.h) diff --git a/lib/net/meson.build b/lib/net/meson.build index b1bc27bad5..0b69138949 100644 --- a/lib/net/meson.build +++ b/lib/net/meson.build @@ -5,6 +5,8 @@ headers = files( 'rte_ip.h', 'rte_tcp.h', 'rte_udp.h', +'rte_tls.h', +'rte_dtls.h', 'rte_esp.h', 'rte_sctp.h', 'rte_icmp.h', diff --git a/lib/net/rte_dtls.h b/lib/net/rte_dtls.h new file mode 100644 index 00..49bded1d96 --- /dev/null +++ b/lib/net/rte_dtls.h 
@@ -0,0 +1,61 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2023 Marvell. + */ + +#ifndef RTE_DTLS_H +#define RTE_DTLS_H + +/** + * @file + * + * Datagram transport layer security(DTLS) related defines. + */ + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +#define RTE_DTLS_TYPE_INVALID 0 /**< Invalid DTLS message type. */ +#define RTE_DTLS_TYPE_CHANGE_CIPHER_SPEC 20 /**< Change cipher spec message. */ +#define RTE_DTLS_TYPE_ALERT21 /**< Alert message. */ +#define RTE_DTLS_TYPE_HANDSHAKE22 /**< Handshake message for DTLS. */ +#define RTE_DTLS_TYPE_APPDATA 23 /**< DTLS application data message. */ +#define RTE_DTLS_TYPE_HEARTBEAT24 /**< DTLS 1.3 heartbeat message. */ +#define RTE_DTLS_TYPE_CIPHERTEXT_WITH_CID 25 /**< DTLS 1.3 ciphertext with CID message. */ +#define RTE_DTLS_TYPE_ACK 26 /**< DTLS 1.3 ACK message. */ +#define RTE_DTLS_TYPE_MAX 255 /**< Maximum value as DTLS content type. */ + +#define RTE_DTLS_VERSION_1_2 0xFEFD /**< DTLS 1.2 version. 1's complement of 1.2. */ +#define RTE_DTLS_VERSION_1_3 0xFEFC /**< DTLS 1.3 version. 1's complement of 1.3. */ + +/** + * DTLS Header + */ +__extension__ +struct rte_dtls_hdr { + /** Content type of DTLS packet. Defined as RTE_DTLS_TYPE_*. */ + uint8_t type; + /** DTLS Version defined as RTE_DTLS_VERSION*. */ + rte_be16_t version; +#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN + /** The sequence number for the DTLS record. */ + uint64_t sequence_number : 48; + /** A counter value that is incremented on every cipher state change. */ + uint64_t epoch : 16; +#elif RTE_BYTE_ORDER == RTE_BIG_ENDIAN + /** A counter value that is incremented on every cipher state change. */ + uint64_t epoch : 16; + /** The sequence number for the DTLS record. */ + uint64_t sequence_number : 48; +#endif + /** The length (in bytes) of the following DTLS packet. */ + rte_be16_t length; +} __rte_packed; + +#ifdef __cplusplus +} +#endif + +#endif /* RTE_DTLS_H */ 
diff --git a/lib/net/rte_tls.h b/lib/net/rte_tls.h new file mode 100644 index 00..ee1e3aa249 --- /dev/null +++ b/lib/net/rte_tls.h @@ -0,0 +1,48 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2023 Marvell. + */ + +#ifndef RTE_TLS_H +#define RTE_TLS_H + +/** + * @file + * + * Transport layer security(TLS) related defines. + */ + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +#define RTE_TLS_TYPE_INVALID 0 /**< Invalid TLS message type. */ +#define RTE_TLS_TYPE_CHANGE_CIPHER_SPEC20 /**< Change cipher spec message. */ +#define RTE_TLS_TYPE_ALERT 21 /**< Alert message. */ +#define RTE_TLS_TYPE_HANDSHAKE 22 /**< Handshake message for TLS. */ +#define RTE_TLS_TYPE_APPDATA 23 /**< TLS application data message. */ +#define RTE_TLS_TYPE_HEARTBEAT 24 /**< TLS 1.3 heartbeat message. */ +#define RTE_TLS_TYPE_MAX 255 /**< Maximum value as TLS content type. */ + +#define RTE_TLS_VERSION_1_20x0303 /**< TLS 1.2 version. */ +#define RTE_TLS_VERSION_1_30x0304 /**< TLS 1.3 version. */ + +/** + * TLS Header + */ +__extension__ +struct rte_tls_hdr { + /** Content t
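Review bot: In struct rte_dtls_hdr the epoch and sequence_number members are uint64_t bit-fields whose declaration order is swapped on RTE_BYTE_ORDER, while the neighbouring version and length are rte_be16_t, and nothing says whether the two bit-fields hold wire-order or host-order values. Swapping the declaration order does not byte-swap the 48-bit value, so code that overlays this struct on a received record on a little-endian host still has to convert the combined 64-bit field before either member is meaningful; document that requirement in the member comments, or declare an rte_be16_t epoch followed by a 6-byte sequence number array. Bit-field layout of a 64-bit type inside a packed struct is compiler-defined, which is a further reason to avoid it in a wire-format header.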
[PATCH v2 0/5] add TLS record processing security offload
Add Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The protocols provide communications privacy for L4 protocols such as TCP & UDP.

TLS (and DTLS) protocol is composed of two layers,
1. TLS Record Protocol
2. TLS Handshake Protocol

While TLS Handshake Protocol helps in establishing security parameters by which client and server can communicate, TLS Record Protocol provides the connection security. TLS Record Protocol leverages symmetric cryptographic operations such as data encryption and authentication for providing security to the communications.

Cryptodevs that are capable of offloading TLS Record Protocol may perform other operations like IV generation, header insertion, atomic sequence number updates and anti-replay window check in addition to cryptographic transformations.

In record write operations, message content type is a per packet field which is used in constructing the TLS header. One session is expected to handle all types of content types and so, 'rte_crypto_op.aux_flags' is used for passing the same.

Support for TLS record protocol is added for TLS 1.2, TLS 1.3 and DTLS 1.2.

Changes in v2:
- Replaced CCS with CHANGE_CIPHER_SPEC (Harry)
- Split patches to clarify lifetime tracking and notification of the same in rte_crypto_op (Harry)
- Use 8 bits reserved space in rte_crypto_op to pass content type from application to PMD (in case of record write) and from PMD to application (in case of record read). TLS 1.3 has content type as part of trailer which would be encrypted and would be removed by PMD.
- Updated documentation (Harry)

Akhil Goyal (1):
  net: add headers for TLS/DTLS packets

Anoob Joseph (2):
  security: add TLS record processing
  security: support extra padding with TLS

Vidya Sagar Velumuri (2):
  security: support TLS record lifetime notification
  cryptodev: add details of datapath handling of TLS records

 doc/api/doxy-api-index.md | 2 +
 doc/guides/prog_guide/rte_security.rst | 74 +
 doc/guides/rel_notes/release_23_11.rst | 6 ++
 lib/cryptodev/rte_crypto.h | 50 -
 lib/net/meson.build | 2 +
 lib/net/rte_dtls.h | 61 +++
 lib/net/rte_tls.h | 48 +
 lib/security/rte_security.c | 4 +
 lib/security/rte_security.h | 144 +
 9 files changed, 388 insertions(+), 3 deletions(-)
 create mode 100644 lib/net/rte_dtls.h
 create mode 100644 lib/net/rte_tls.h

-- 
2.25.1
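The cover letter notes that with TLS 1.3 the real content type sits in the encrypted trailer and is removed by the PMD, which is why it has to be handed back to the application on record read. The sketch below is an added example (not code from this patch series or from DPDK) of that encoding done in software; the function names are hypothetical, the 8-byte padding unit follows patch 3/5 of the series, and the size limit is the one from RFC 8446.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Content type values as listed in the rte_tls.h hunk on this page. */
#define TLS_TYPE_INVALID   0
#define TLS_TYPE_HANDSHAKE 22
#define TLS_TYPE_APPDATA   23

/* RFC 8446: an encoded TLSInnerPlaintext must not exceed 2^14 + 1 octets. */
#define TLS13_INNER_MAX ((1u << 14) + 1)

/*
 * Record write side (hypothetical helper): encode
 *     content || content type || zero padding
 * which is what gets encrypted in TLS 1.3. extra_pad_units is counted in
 * units of 8 bytes, mirroring the extra padding request of patch 3/5.
 * Returns the encoded length, or 0 if the request must be rejected.
 */
size_t
tls13_inner_build(uint8_t *out, size_t cap, const uint8_t *data, size_t len,
		  uint8_t type, uint8_t extra_pad_units)
{
	size_t pad = (size_t)extra_pad_units * 8;
	size_t total = len + 1 + pad;

	/* A zero type byte would be indistinguishable from padding. */
	if (type == TLS_TYPE_INVALID)
		return 0;
	if (total > cap || total > TLS13_INNER_MAX)
		return 0;

	memcpy(out, data, len);
	out[len] = type;
	memset(out + len + 1, 0, pad);
	return total;
}

/*
 * Record read side (hypothetical helper): after decryption, scan backwards
 * over the zero padding. The first non-zero octet is the real content type;
 * everything before it is content, including any zero bytes the content
 * itself ends with. Returns the content length, or -1 when the record is
 * all zeros (the receiver then aborts with unexpected_message).
 */
int
tls13_inner_parse(const uint8_t *in, size_t len, uint8_t *type)
{
	while (len > 0 && in[len - 1] == 0)
		len--;
	if (len == 0)
		return -1;

	*type = in[len - 1];
	return (int)(len - 1);
}

int
main(void)
{
	/* Constructed sample: content that itself ends in zero bytes. */
	const uint8_t msg[4] = { 'a', 'b', 0, 0 };
	uint8_t buf[64];
	uint8_t type = TLS_TYPE_INVALID;
	size_t n;
	int content_len;

	/* Handshake message with 2 * 8 bytes of extra padding. */
	n = tls13_inner_build(buf, sizeof(buf), msg, sizeof(msg),
			      TLS_TYPE_HANDSHAKE, 2);
	content_len = tls13_inner_parse(buf, n, &type);

	/* The outer header of a protected TLS 1.3 record always says
	 * application data, so only the trailer reveals the real type.
	 */
	printf("outer type %d, inner type %u, content %d of %zu bytes\n",
	       TLS_TYPE_APPDATA, type, content_len, n);
	return 0;
}
```

The padding length is not stored anywhere in the record, so the reader depends on the type byte being non-zero; that is the reason the build side refuses a content type of 0.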
[PATCH v2 2/5] security: add TLS record processing
Add Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The protocols provide communications privacy for L4 protocols such as TCP & UDP. TLS (and DTLS) protocol is composed of two layers, 1. TLS Record Protocol 2. TLS Handshake Protocol While TLS Handshake Protocol helps in establishing security parameters by which client and server can communicate, TLS Record Protocol provides the connection security. TLS Record Protocol leverages symmetric cryptographic operations such as data encryption and authentication for providing security to the communications. Cryptodevs that are capable of offloading TLS Record Protocol may perform other operations like IV generation, header insertion, atomic sequence number updates and anti-replay window check in addition to cryptographic transformations. Support for TLS record protocol is added for TLS 1.2, TLS 1.3 and DTLS 1.2. Signed-off-by: Akhil Goyal Signed-off-by: Anoob Joseph Signed-off-by: Vidya Sagar Velumuri --- doc/guides/prog_guide/rte_security.rst | 62 ++ lib/security/rte_security.c| 4 + lib/security/rte_security.h| 110 + 3 files changed, 176 insertions(+) diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst index ad8c6374bd..f90dee5df0 100644 --- a/doc/guides/prog_guide/rte_security.rst +++ b/doc/guides/prog_guide/rte_security.rst 
@@ -399,6 +399,66 @@ The API ``rte_security_macsec_sc_create`` returns a handle for SC, and this handle is set in ``rte_security_macsec_xform`` to create a MACsec session using ``rte_security_session_create``. +TLS-Record Protocol +~~~ + +The Transport Layer Protocol provides communications security over the Internet. The protocol +allows client/server applications to communicate in a way that is designed to prevent eavesdropping, +tampering, or message forgery. + +TLS protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. At +the lowest level, layered on top of some reliable transport protocol (e.g., TCP), is the TLS Record +Protocol. The TLS Record Protocol provides connection security that has two basic properties: + + - The connection is private. Symmetric cryptography is used for data + encryption (e.g., AES, DES, etc.). The keys for this symmetric encryption + are generated uniquely for each connection and are based on a secret + negotiated during TLS Handshake Protocol. The Record Protocol can also be + used without encryption. + + - The connection is reliable. Message transport includes a message + integrity check using a keyed MAC. Secure hash functions (e.g., + SHA-1, etc.) are used for MAC computations. The Record Protocol can + operate without a MAC when it is being used as a transport for negotiating + security parameters by another protocol. + +.. code-block:: c + + Record Write Record Read + --- + + TLSPlaintext TLSCiphertext + | | + ~ ~ + | | + V V + +--|---+ +--|---+ + | Generate sequence no.| | Generate sequence no.| + +--|---+ +--+ + | |AR check (DTLS) | + +--|---+ +--|---+ + | Insert TLS header | | + | & trailer. | +--|---+ + | (including padding) | | Decrypt & MAC verify | + +--|---+ +--|---+ + | | ++-|---+ +--|---+ +|MAC generate & | | Remove TLS header | +| Encrypt| | & trailer. 
| ++-|---+ | (including padding) | + | +--|---+ + | | + ~ ~ + | | + V V +TLSCiphertext TLSPlaintext + +Supported Versions +^^ + +* TLS 1.2 +* TLS 1.3 +* DTLS 1.2 Device Features and Capabilities - @@ -701,6 +761,8 @@ PDCP related configuration parameters are defined in ``rte_security_pdcp_xform`` DOCSIS related configuration parameters are defined in ``rte_security_docsis_xform`` +TLS record related configuration parameters are defined in ``rte_security_tls_record_xform
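Review bot: In the Record Read column of the diagram, "AR check (DTLS)" sits before "Decrypt & MAC verify" and no step follows the verification, so the guide never says when the anti-replay window is updated. Please state that the window is advanced only after MAC verification succeeds, since a record that fails verification must not be able to move it. Two smaller points in the same hunk: the opening sentence says "The Transport Layer Protocol" where the Transport Layer Security (TLS) protocol is meant, and the diagram is placed under ``.. code-block:: c`` although it is not C.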
[PATCH v2 3/5] security: support extra padding with TLS
In TLS record write protocol (encrypt), application may request for extra padding in addition to the default padding which ensures that crypto payload is aligned to block size. This is required to hide the size of the traffic from an observer. Extend the usage of ``rte_crypto_op.aux_flags`` to allow users to provide extra padding in units of 8B. It is an optional feature and any device that supports the same can declare so by making use of corresponding capability. Signed-off-by: Anoob Joseph Signed-off-by: Vidya Sagar Velumuri --- lib/cryptodev/rte_crypto.h | 14 +- lib/security/rte_security.h | 16 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h index 9b8d0331a4..7b8f2bdc6d 100644 --- a/lib/cryptodev/rte_crypto.h +++ b/lib/cryptodev/rte_crypto.h @@ -99,8 +99,20 @@ struct rte_crypto_op { /**< operation session type */ uint8_t aux_flags; /**< Operation specific auxiliary/additional flags. -* These flags carry additional information from the +* These flags carry additional information from/to the * operation. Processing of the same is optional. +* +* The flags are defined as RTE_CRYPTO_OP_AUX_FLAGS_* and would be set by +* PMD for application consumption when the status is +* RTE_CRYPTO_OP_STATUS_SUCCESS. In case of errors, the value of this +* field is undefined. +* +* With TLS record offload (RTE_SECURITY_PROTOCOL_TLS_RECORD), +* application may provide the extra padding required for the plaintext +* provided. This field can be used for passing the same in units of 8B. The +* value would be set by application for PMD consumption. +* +* @see struct rte_security_tls_record_sess_options */ uint8_t reserved[2]; /**< Reserved bytes to fill 64 bits for diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 54c32c1147..89e61e10ad 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h 
@@ -636,6 +636,22 @@ struct rte_security_tls_record_sess_options { * and application is not required to provide IV. */ uint32_t iv_gen_disable : 1; + /** Enable extra padding +* +* TLS allows user to pad the plain text to hide the actual size of the record. This is +* required to achieve traffic flow confidentiality in case of TLS/DTLS flows. This padding +* is in addition to the default padding performed by PMD (which ensures ciphertext is +* aligned to block size). +* +* On supported devices, application may pass the required additional padding via +* ``rte_crypto_op.aux_flags`` field. +* +* 1 : Enable extra padding of the plain text provided. The extra padding value would be +* read from ``rte_crypto_op.aux_flags``. +* +* 0 : Disable extra padding +*/ + uint32_t extra_padding_enable : 1; }; /** -- 2.25.1
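Review bot: With the rte_crypto.h hunk, ``aux_flags`` carries two unrelated encodings in the same 8 bits: RTE_CRYPTO_OP_AUX_FLAGS_* bits written by the PMD on success, and a padding count in units of 8B written by the application for TLS record offload. The comment should say that the application must write the field on every enqueue when ``extra_padding_enable`` is 1, because an op recycled from an earlier dequeue would otherwise hand a leftover flag value to the PMD as a padding request. It should also say what the PMD does when the requested padding does not fit the record, and whether the field is ignored when ``extra_padding_enable`` is 0.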
[PATCH v2 4/5] security: support TLS record lifetime notification
From: Vidya Sagar Velumuri Support TLS record lifetime notification. TLS record sessions may need to be renegotiated after a specific number of records are processed. For devices that are capable of tracking lifetime, application may request to do so by configuring the lifetime parameters in session. Upon soft expiry, PMD will set the notification in `rte_crypto_op.aux_flags` field. Hard expiration of the session would mean any subsequent crypto operation would fail. Extend `rte_crypto_op.aux_flags` to support all sessions that may have a lifetime notification and include TLS record lifetime under the same. Signed-off-by: Anoob Joseph Signed-off-by: Vidya Sagar Velumuri --- lib/cryptodev/rte_crypto.h | 11 ++- lib/security/rte_security.h | 18 ++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h index 7b8f2bdc6d..9fe3e3d529 100644 --- a/lib/cryptodev/rte_crypto.h +++ b/lib/cryptodev/rte_crypto.h @@ -64,9 +64,18 @@ enum rte_crypto_op_sess_type { RTE_CRYPTO_OP_SECURITY_SESSION /**< Security session crypto operation */ }; +/* Auxiliary flags related to crypto operation */ +#define RTE_CRYPTO_OP_AUX_FLAGS_SESS_SOFT_EXPIRY (1 << 0) +/**< Session soft expiry limit has been reached. Applicable for any session that has a soft lifetime + * feature supported. + * + * @see rte_security_ipsec_lifetime + * @see rte_security_tls_record_lifetime + */ + /* Auxiliary flags related to IPsec offload with RTE_SECURITY */ -#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY (1 << 0) +#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY RTE_CRYPTO_OP_AUX_FLAGS_SESS_SOFT_EXPIRY /**< SA soft expiry limit has been reached */ /** diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 89e61e10ad..00d2a29a01 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h 
@@ -654,6 +654,22 @@ struct rte_security_tls_record_sess_options { uint32_t extra_padding_enable : 1; }; +/** + * Configure soft and hard lifetime of a TLS record session + * + * Lifetime of a TLS record session would specify the maximum number of packets that can be + * processed. TLS record processing operations would start failing once hard limit is reached. + * + * Soft limits can be specified to generate notification when the TLS record session is approaching + * hard limits for lifetime. This would result in a warning returned in ``rte_crypto_op.aux_flags``. + */ +struct rte_security_tls_record_lifetime { + /** Soft expiry limit in number of packets */ + uint64_t packets_soft_limit; + /** Hard expiry limit in number of packets */ + uint64_t packets_hard_limit; +}; + /** * TLS record protocol session configuration. * @@ -666,6 +682,8 @@ struct rte_security_tls_record_xform { enum rte_security_tls_sess_type type; /** TLS record session options. */ struct rte_security_tls_record_sess_options options; + /** TLS record session lifetime. */ + struct rte_security_tls_record_lifetime life; union { /** TLS 1.2 parameters. */ struct { -- 2.25.1
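Review bot: ``struct rte_security_tls_record_lifetime`` does not say what a limit of 0 means or how the soft and hard limits relate, and because the struct is embedded unconditionally in ``rte_security_tls_record_xform`` a zero-initialised xform will carry 0 for both. Document whether 0 disables the respective limit and that ``packets_soft_limit`` is expected to be below ``packets_hard_limit``. The comment "would start failing once hard limit is reached" should also name the ``rte_crypto_op`` status the application will see, so that it can tell expiry apart from other errors and trigger renegotiation.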
[PATCH v2 5/5] cryptodev: add details of datapath handling of TLS records
From: Vidya Sagar Velumuri TLS/DTLS record processing requires content type to be provided per packet (for record write operation). Extend usage of reserved fields in rte_crypto_op for the same purpose. Signed-off-by: Anoob Joseph Signed-off-by: Vidya Sagar Velumuri --- doc/guides/prog_guide/rte_security.rst | 12 doc/guides/rel_notes/release_23_11.rst | 6 ++ lib/cryptodev/rte_crypto.h | 25 - 3 files changed, 42 insertions(+), 1 deletion(-) diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst index f90dee5df0..7a25a7e649 100644 --- a/doc/guides/prog_guide/rte_security.rst +++ b/doc/guides/prog_guide/rte_security.rst @@ -453,6 +453,18 @@ Protocol. The TLS Record Protocol provides connection security that has two basi V V TLSCiphertext TLSPlaintext +TLS and DTLS header formation (in record write operation) would depend on +type of content. It is a per packet variable and would need to be handled by +the same session. Application may pass this info to a cryptodev performing +lookaside protocol offload by passing the same in ``rte_crypto_op.param1``. + +In record read operation, application is required to preserve any info it may +need from the TLS/DTLS header (such as content type and sequence number) as the +cryptodev would remove the header and padding as part of the lookaside protocol +processing. With TLS 1.3, the actual content type is part of the trailer (before +padding) and would be stripped by the PMD. For applications that may need this +info, PMD would return the value in ``rte_crypto_op.param1`` field. + Supported Versions ^^ diff --git a/doc/guides/rel_notes/release_23_11.rst b/doc/guides/rel_notes/release_23_11.rst index 250735efa9..663d1e9cf9 100644 --- a/doc/guides/rel_notes/release_23_11.rst +++ b/doc/guides/rel_notes/release_23_11.rst 
@@ -83,6 +83,12 @@ New Features Similar to out of place processing support for lookaside security session, added the same support for inline ingress security session. +* **Added support for TLS and DTLS record in rte_security.** + + Added TLS and DTLS record transform for rte_security session and added + enhancements to ``rte_crypto_op`` fields to handle all datapath requirements + of TLS and DTLS. The support is added for TLS 1.2, TLS 1.3 and DTLS 1.2. + * **Updated ipsec_mb crypto driver.** Added support for digest encrypted to AESNI_MB asynchronous crypto driver. diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h index 9fe3e3d529..34aacd9312 100644 --- a/lib/cryptodev/rte_crypto.h +++ b/lib/cryptodev/rte_crypto.h @@ -123,7 +123,30 @@ struct rte_crypto_op { * * @see struct rte_security_tls_record_sess_options */ - uint8_t reserved[2]; + union { + struct { + uint8_t content_type; + /**< Content type. The field can act both as input +* and output. +* +* As input, for passing message type in case of record +* write (encrypt) operation. Applicable for, +* 1. TLS 1.2 +* 2. TLS 1.3 +* 3. DTLS 1.2 +* +* As output, for returning message type in case of record +* read (decrypt) operation. Applicable for, +* 1. TLS 1.3 +* +* Message types are listed as RTE_TLS_TYPE_* and +* RTE_DTLS_TYPE_*. +*/ + } tls_record; + /**< TLS record */ + } param1; + /**< Additional per operation parameter 1. */ + uint8_t reserved[1]; /**< Reserved bytes to fill 64 bits for * future additions */ -- 2.25.1
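Review bot: The programmer's guide text says the content type is passed and returned in ``rte_crypto_op.param1``, but the field added in rte_crypto.h is ``param1.tls_record.content_type``; use the full path in the guide so it matches the header. The field comment lists the output case as applicable to TLS 1.3 only, so it should also say what the field holds after a TLS 1.2 or DTLS 1.2 record read and whether it is valid when the op status is not success. The remaining ``reserved[1]`` comment still reads "Reserved bytes to fill 64 bits", which is worth rechecking now that one byte has been taken.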
[PATCH v4 1/2] security: add fallback security processing and Rx inject
Add alternate datapath API for security processing which would do Rx injection (similar to loopback) after successful security processing. With inline protocol offload, variable part of the session context (AR windows, lifetime etc in case of IPsec), is not accessible to the application. If packets are not getting processed in the inline path due to non security reasons (such as outer fragmentation or rte_flow packet steering limitations), then the packet cannot be security processed as the session context is private to the PMD and security library doesn't provide alternate APIs to make use of the same session. Introduce new API and Rx injection as fallback mechanism to security processing failures due to non-security reasons. For example, when there is outer fragmentation and PMD doesn't support reassembly of outer fragments, application would receive fragments which it can then reassemble. Post successful reassembly, packet can be submitted for security processing and Rx inject. The packets can be then received in the application as normal inline protocol processed packets. Same API can be leveraged in lookaside protocol offload mode to inject packet to Rx. This would help in using rte_flow based packet parsing after security processing. For example, with IPsec, this will help in flow splitting after IPsec processing is done. In both inline protocol capable ethdevs and lookaside protocol capable cryptodevs, the packet would be received back in eth port & queue based on rte_flow rules and packet parsing after security processing. The API would behave like a loopback but with the additional security processing. Signed-off-by: Anoob Joseph 
Signed-off-by: Vidya Sagar Velumuri Acked-by: Akhil Goyal --- v4: Updated release notes v3: * Resolved compilation error with 32 bit build v2: * Added a new API for configuring security device to do Rx inject to a specific ethdev port * Rebased doc/guides/cryptodevs/features/default.ini | 1 + doc/guides/rel_notes/release_23_11.rst | 19 + lib/cryptodev/rte_cryptodev.h | 2 + lib/security/rte_security.c| 22 ++ lib/security/rte_security.h| 85 ++ lib/security/rte_security_driver.h | 44 +++ lib/security/version.map | 3 + 7 files changed, 176 insertions(+) diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini index 6f637fa7e2..f411d4bab7 100644 --- a/doc/guides/cryptodevs/features/default.ini +++ b/doc/guides/cryptodevs/features/default.ini @@ -34,6 +34,7 @@ Sym raw data path API = Cipher multiple data units = Cipher wrapped key = Inner checksum = +Rx inject = ; ; Supported crypto algorithms of a default crypto driver. diff --git a/doc/guides/rel_notes/release_23_11.rst b/doc/guides/rel_notes/release_23_11.rst index be51f00dbf..6853c907c9 100644 --- a/doc/guides/rel_notes/release_23_11.rst +++ b/doc/guides/rel_notes/release_23_11.rst 
@@ -107,6 +107,25 @@ New Features enhancements to ``rte_crypto_op`` fields to handle all datapath requirements of TLS and DTLS. The support is added for TLS 1.2, TLS 1.3 and DTLS 1.2. +* **Added support for rte_security Rx inject API.** + + Added Rx inject API to allow applications to submit packets for protocol + offload and have them injected back to ethdev Rx so that further ethdev Rx + actions (IP reassembly, packet parsing and flow lookups) can happen based on + inner packet. + + The API when implemented by an ethdev, may be used to process packets that the + application wants to process with inline protocol offload enabled rte_security + session. These can be packets that are received from other non-inline capable + ethdevs or can be packets that failed inline protocol offload (such as + receiving fragmented ESP packets in case of inline IPsec offload). + + The API when implemented by a cryptodev, can be used for injecting packets to + ethdev Rx after IPsec processing and take advantage of ethdev Rx processing + for the inner packet. The API helps application to avail ethdev Rx actions + based on inner packet while working with rte_security sessions which cannot + be accelerated in inline protocol offload mode. + * **Updated ipsec_mb crypto driver.** Added support for digest encrypted to AESNI_MB asynchronous crypto driver. diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h index 6c8f532797..be0698ce9f 100644 --- a/lib/cryptodev/rte_cryptodev.h +++ b/lib/cryptodev/rte_cryptodev.h @@ -559,6 +559,8 @@ rte_cryptodev_asym_get_xform_string(enum rte_crypto_asym_xform_type xform_enum); /**< Support wrapped key in cipher xform */ #define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL << 27) /**< Support inner checksum computation/verification */ +#define RTE_CRYPTODEV_FF_SECURITY_RX_INJECT(1ULL << 28) +/**< Support Rx
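Review bot: The release note describes Rx inject without mentioning that it has to be enabled per ethdev port, although the v2 changelog of this patch says a new API was added "for configuring security device to do Rx inject to a specific ethdev port". Please add that step to the release note so users know the feature is opt-in per port. Since injected packets arrive on ethdev Rx next to packets from the wire, the note or the API documentation should also say how an application tells the two apart.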
[PATCH v4 2/2] test/cryptodev: add Rx inject test
From: Vidya Sagar Velumuri Add test to verify Rx inject. The test case added would push a known vector to cryptodev which would be injected to ethdev Rx. The test case verifies that the packet is received from ethdev Rx and is processed successfully. It also verifies that the userdata matches with the expectation. Signed-off-by: Anoob Joseph Signed-off-by: Vidya Sagar Velumuri Acked-by: Akhil Goyal --- app/test/test_cryptodev.c| 340 +++ app/test/test_cryptodev_security_ipsec.h | 1 + 2 files changed, 288 insertions(+), 53 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index f2112e181e..b645cb32f1 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -17,6 +17,7 @@ #include #include +#include #include #include #include 
@@ -1426,6 +1427,93 @@ ut_setup_security(void) return dev_configure_and_start(0); } +static int +ut_setup_security_rx_inject(void) +{ + struct rte_mempool *mbuf_pool = rte_mempool_lookup("CRYPTO_MBUFPOOL"); + struct crypto_testsuite_params *ts_params = &testsuite_params; + struct rte_eth_conf port_conf = { + .rxmode = { + .offloads = RTE_ETH_RX_OFFLOAD_CHECKSUM | + RTE_ETH_RX_OFFLOAD_SECURITY, + }, + .txmode = { + .offloads = RTE_ETH_TX_OFFLOAD_MBUF_FAST_FREE, + }, + .lpbk_mode = 1, /* Enable loopback */ + }; + struct rte_cryptodev_info dev_info; + struct rte_eth_rxconf rx_conf = { + .rx_thresh = { + .pthresh = 8, + .hthresh = 8, + .wthresh = 8, + }, + .rx_free_thresh = 32, + }; + uint16_t nb_ports; + void *sec_ctx; + int ret; + + rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info); + if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY_RX_INJECT) || + !(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) { + RTE_LOG(INFO, USER1, + "Feature requirements for IPsec Rx inject test case not met\n"); + return TEST_SKIPPED; + } + + sec_ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); + if (sec_ctx == NULL) + return TEST_SKIPPED; + + nb_ports = rte_eth_dev_count_avail(); + if (nb_ports == 0) + return TEST_SKIPPED; + + ret = rte_eth_dev_configure(0 /* port_id */, + 1 /* nb_rx_queue */, + 0 /* nb_tx_queue */, + &port_conf); + if (ret) { + printf("Could not configure ethdev port 0 [err=%d]\n", ret); + return TEST_SKIPPED; + } + + /* Rx queue setup */ + ret = rte_eth_rx_queue_setup(0 /* port_id */, +0 /* rx_queue_id */, +1024 /* nb_rx_desc */, +SOCKET_ID_ANY, +&rx_conf, +mbuf_pool); + if (ret) { + printf("Could not setup eth port 0 queue 0\n"); + return TEST_SKIPPED; + } + + ret = rte_security_rx_inject_configure(sec_ctx, 0, true); + if (ret) { + printf("Could not enable Rx inject offload"); + return TEST_SKIPPED; + } + + ret = rte_eth_dev_start(0); + if (ret) { + printf("Could not start ethdev"); + return TEST_SKIPPED; + } + + ret = 
rte_eth_promiscuous_enable(0); + if (ret) { + printf("Could not enable promiscuous mode"); + return TEST_SKIPPED; + } + + /* Configure and start cryptodev with no features disabled */ + return dev_configure_and_start(0); +} + void ut_teardown(void) { @@ -1478,6 +1566,33 @@ ut_teardown(void) rte_cryptodev_stop(ts_params->valid_devs[0]); } +static void +ut_teardown_rx_inject(void) +{ + struct crypto_testsuite_params *ts_params = &testsuite_params; + void *sec_ctx; + int ret; + + if (rte_eth_dev_count_avail() != 0) { + ret = rte_eth_dev_reset(0); + if (ret) + printf("Could not reset eth port 0"); + + } + + ut_teardown(); + + sec_ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); + if (sec_ctx == NULL) + return; + + ret = rte_security_rx_inject_configure(sec_ctx, 0, false); + if (ret) { + printf("Could not disable Rx inject offload"); + return; + } +} + static int
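Review bot: In ut_setup_security_rx_inject() every failure after the feature flag check returns TEST_SKIPPED, including rte_security_rx_inject_configure(), rte_eth_dev_start() and rte_eth_promiscuous_enable() failing on a device that advertises RTE_CRYPTODEV_FF_SECURITY_RX_INJECT. Those should return TEST_FAILED so that a broken implementation is not reported as a skip. The later error paths also return without undoing what was already set up (Rx inject stays enabled if rte_eth_dev_start() fails), port 0 is hard-coded in both setup and teardown, and several printf() messages lack the trailing "\n".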
RE: [EXT] Re: [PATCH 1/2] ethdev: add IPsec event subtype range for PMD specific code
Hi Ferruh, > > -- > On 10/4/2023 1:59 PM, Nithin Dabilpuram wrote: > > Add IPsec event subtype range for PMD specific code in order to > > accommodate wide range of errors that PMD supports. > > These IPsec event subtypes are used when an error doesn't match the > > spec defined subtypes between RTE_ETH_EVENT_IPSEC_UNKNOWN and > > RTE_ETH_EVENT_IPSEC_MAX. Adding this as -ve error range to avoid ABI > > breakage. > > > > Signed-off-by: Nithin Dabilpuram > > --- > > lib/ethdev/rte_ethdev.h | 4 > > 1 file changed, 4 insertions(+) > > > > diff --git a/lib/ethdev/rte_ethdev.h b/lib/ethdev/rte_ethdev.h index > > 8542257721..f949dfc83d 100644 > > --- a/lib/ethdev/rte_ethdev.h > > +++ b/lib/ethdev/rte_ethdev.h > > @@ -3905,6 +3905,10 @@ struct rte_eth_event_macsec_desc { > > * eth device. > > */ > > enum rte_eth_event_ipsec_subtype { > > + /** PMD specific error start */ > > + RTE_ETH_EVENT_IPSEC_PMD_ERROR_START = -256, > > + /** PMD specific error end */ > > + RTE_ETH_EVENT_IPSEC_PMD_ERROR_END = -1, > > /** Unknown event type */ > > RTE_ETH_EVENT_IPSEC_UNKNOWN = 0, > > /** Sequence number overflow */ > > > > I don't see any problem to extend event subtype with custom error range, > @Akhil, @Anoob what do you think? [Anoob] Thanks for looping in. I do not see an issue with the approach either. Acked-by: Anoob Joseph Thanks, Anoob
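Review bot: Placing RTE_ETH_EVENT_IPSEC_PMD_ERROR_START = -256 ahead of RTE_ETH_EVENT_IPSEC_UNKNOWN = 0 gives the enum negative values, so application code that validates a subtype only against RTE_ETH_EVENT_IPSEC_MAX, or uses it as an index into a counter table, will let PMD-specific codes through without a lower-bound check. The doc comments should state that values from RTE_ETH_EVENT_IPSEC_PMD_ERROR_START to RTE_ETH_EVENT_IPSEC_PMD_ERROR_END are driver-defined and must be handled before any table lookup, and say where each PMD documents the meaning of its codes.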
[PATCH v2] app/test-security-perf: add security perf app
Add performance application to test security session create & destroy rates supported by the security enabled cryptodev PMD. The application would create specified number of sessions and captures the time taken for the same before proceeding to destroy of the same. When operating on multi-core, the number of sessions would be evenly distributed across all cores. The application would test with all combinations of cipher & auth algorithms supported by the PMD. Signed-off-by: Aakash Sasidharan Signed-off-by: Anoob Joseph --- v2: * Rebased on latest code. Made changes to accommodate session rework * Fixed debug build failure MAINTAINERS | 6 + app/meson.build | 1 + app/test-security-perf/meson.build | 14 + app/test-security-perf/test_security_perf.c | 575 doc/guides/rel_notes/release_22_11.rst | 6 + doc/guides/tools/index.rst | 1 + doc/guides/tools/securityperf.rst | 47 ++ 7 files changed, 650 insertions(+) create mode 100644 app/test-security-perf/meson.build create mode 100644 app/test-security-perf/test_security_perf.c create mode 100644 doc/guides/tools/securityperf.rst diff --git a/MAINTAINERS b/MAINTAINERS index 6f56111323..14dcdd2d7f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1735,6 +1735,12 @@ M: Reshma Pattan F: app/proc-info/ F: doc/guides/tools/proc_info.rst +Security performance tool +M: Anoob Joseph +T: git://dpdk.org/next/dpdk-next-crypto +F: app/test-security-perf/ +F: doc/guides/tools/securityperf.rst + Other Example Applications -- diff --git a/app/meson.build b/app/meson.build index 93d8c15032..ef54b90d36 100644 --- a/app/meson.build +++ b/app/meson.build @@ -18,6 +18,7 @@ apps = [ 'test-pmd', 'test-regex', 'test-sad', +'test-security-perf', ] default_cflags = machine_args + ['-DALLOW_EXPERIMENTAL_API'] diff --git a/app/test-security-perf/meson.build b/app/test-security-perf/meson.build new file mode 100644 index 00..076999022e --- /dev/null +++ b/app/test-security-perf/meson.build 
@@ -0,0 +1,14 @@ +# SPDX-License-Identifier: BSD-3-Clause +# Copyright(C) 2022 Marvell. + +if is_windows +build = false +reason = 'not supported on Windows' +subdir_done() +endif + +sources = files( +'test_security_perf.c', +'../test/test_cryptodev_security_ipsec.c', +) +deps += ['security', 'cmdline'] diff --git a/app/test-security-perf/test_security_perf.c b/app/test-security-perf/test_security_perf.c new file mode 100644 index 00..9bb50689e3 --- /dev/null +++ b/app/test-security-perf/test_security_perf.c 
@@ -0,0 +1,575 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(c) 2022, Marvell + */ + +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include +#include +#include + +#define NB_DESC 4096 +#define DEF_NB_SESSIONS (16 * 10 * 1024) /* 16 * 10K tunnels */ + +struct lcore_conf { + struct rte_crypto_sym_xform cipher_xform; + struct rte_crypto_sym_xform auth_xform; + struct rte_crypto_sym_xform aead_xform; + uint8_t dev_id; + uint8_t qp_id; + struct test_ctx *ctx; +}; + +struct test_ctx { + struct lcore_conf lconf[RTE_MAX_LCORE]; + void *sec_ctx; + struct rte_mempool *sess_mp; + struct ipsec_test_data *td; + int nb_sess; + unsigned long td_idx; + uint8_t nb_lcores; + uint8_t nb_cryptodevs; + uint8_t enabled_cdevs[RTE_CRYPTO_MAX_DEVS]; + bool is_inbound; +}; + +static struct test_ctx ctx; + +static int +cryptodev_init(struct test_ctx *ctx, uint8_t nb_lcores) +{ + const char dev_names[][RTE_CRYPTODEV_NAME_MAX_LEN] = { + "crypto_cn10k", + "crypto_cn9k", + "crypto_dpaa_sec", + "crypto_dpaa2_sec", + }; + struct rte_cryptodev_qp_conf qp_conf; + struct rte_cryptodev_info dev_info; + struct rte_cryptodev_config config; + unsigned int j, nb_qp, qps_reqd; + uint8_t socket_id; + uint32_t dev_cnt; + int ret, core_id; + void *sec_ctx; + uint64_t i; + + i = 0; + do { + dev_cnt = rte_cryptodev_devices_get(dev_names[i], +ctx->enabled_cdevs, +RTE_CRYPTO_MAX_DEVS); + i++; + } while (dev_cnt == 0 && i < RTE_DIM(dev_names)); + + if (dev_cnt == 0) + return -1; + + /* Check first device for capabilities */ + rte_cryptodev_info_get(0, &dev_info); + if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) { + RTE_LOG(ERR, USER1
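Review bot: cryptodev_init() fills ctx->enabled_cdevs through rte_cryptodev_devices_get() but then calls rte_cryptodev_info_get(0, &dev_info), so the capability check runs against device id 0 rather than the first device that was actually matched; use ctx->enabled_cdevs[0] there. The do/while loop also stops at the first driver name that yields devices, so the order of dev_names decides which PMD is measured; a comment saying so would help. nb_lcores is a uint8_t while lconf[] is sized by RTE_MAX_LCORE, which is worth a bounds check where the value is assigned.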
[PATCH] common/cnxk: fix build failure with rhel
Fix compiler warning of uninitialized address. Fixes: a7033a2fb2bf ("common/cnxk: support custom UDP port values") Signed-off-by: Anoob Joseph --- drivers/common/cnxk/cnxk_security.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index 68ed0d08b4..85105472a1 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -1269,10 +1269,12 @@ cnxk_on_ipsec_outb_sa_create(struct rte_security_ipsec_xform *ipsec, } ip4 = (struct rte_ipv4_hdr *)&template->ip4.ipv4_hdr; + + sport = 4500; + dport = 4500; + /* If custom port values are provided, Overwrite default port values. */ if (ipsec->options.udp_encap) { - sport = 4500; - dport = 4500; if (ipsec->udp.sport) sport = ipsec->udp.sport; -- 2.25.1
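Review bot: The commit message says "uninitialized address", but the change initialises the sport and dport values, and neither the compiler version nor the warning text is given; name the variables and quote the warning so the Fixes: tag can be checked against it. With the defaults now assigned unconditionally, 4500 appears as a bare literal a few lines away from the comment about default port values; a named constant, or initialising at the declaration, would keep the default and its explanation together.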
[RFC 0/1] lib: add pdcp protocol
ther. Frees crypto op and based
         * on crypto_op status, set mbuf->ol_flags which would be
         * checked in rte_pdcp_pkt_post_process().
         */
        nb_grp = rte_pdcp_pkt_crypto_group(cop, pkts, grp, ret);

        for (i = 0; i != nb_grp; i++) {

            /**
             * Post process packets after crypto completion.
             * Following operations would be done,
             *
             * Transmitting entity/UL:
             * - Check crypto result
             *
             * Receiving entity/DL:
             * - Check crypto operation status
             * - Check for duplication (if yes, drop duplicate)
             * - Perform decompression
             * - Trim PDCP header
             * - Hold packet (SDU) for in-order delivery (return
             *   completed packets as and when sequence is
             *   completed)
             * - If not in sequence, cache the packet and start
             *   t-Reordering timer. When timer expires, the
             *   packets need to be delivered to upper layers (not
             *   treated as error packets).
             */
            nb_success = rte_pdcp_pkt_post_process(grp[i].id.ptr,
                                                   grp[i].m, out_mb,
                                                   grp[i].cnt,
                                                   &nb_err);
            if (nb_err != 0) {
                /* Handle error packets */
            }

            /* Perform additional operations */

            /**
             * Transmitting entity/UL
             * - If duplication is enabled, duplicate PDCP PDUs
             * - When lower layers confirm reception of a PDCP PDU,
             *   it should be communicated to PDCP layer so that
             *   PDCP can drop the corresponding SDU
             */
        }
    }

Anoob Joseph (1):
  lib: add pdcp protocol

 doc/api/doxy-api-index.md | 3 +-
 doc/api/doxy-api.conf.in | 1 +
 lib/meson.build | 1 +
 lib/pdcp/meson.build | 7 ++
 lib/pdcp/rte_pdcp.h | 244 ++
 lib/pdcp/rte_pdcp_group.h | 134 +
 lib/pdcp/version.map | 13 ++
 7 files changed, 402 insertions(+), 1 deletion(-)
 create mode 100644 lib/pdcp/meson.build
 create mode 100644 lib/pdcp/rte_pdcp.h
 create mode 100644 lib/pdcp/rte_pdcp_group.h
 create mode 100644 lib/pdcp/version.map

-- 
2.28.0
[RFC 1/1] lib: add pdcp protocol
Add Packet Data Convergence Protocol (PDCP) processing library.

The library is similar to lib_ipsec which provides IPsec processing capabilities in DPDK.

PDCP would involve roughly the following options,
1. Transfer of user plane data
2. Transfer of control plane data
3. Header compression
4. Uplink data compression
5. Ciphering and integrity protection

PDCP library provides following control path APIs that are used to configure various PDCP entities,
1. rte_pdcp_establish()
2. rte_pdcp_suspend()
3. rte_pdcp_release()

PDCP process is split into 2 parts. One before crypto processing (rte_pdcp_pkt_pre_process()) and one after crypto processing (rte_pdcp_pkt_post_process()). Since cryptodev dequeue can return crypto operations belonging to multiple entities, rte_pdcp_pkt_crypto_group() is added to help grouping crypto operations belonging to same entity.

Signed-off-by: Anoob Joseph
Signed-off-by: Kiran Kumar K
Signed-off-by: Volodymyr Fialko
---
 doc/api/doxy-api-index.md | 3 +-
 doc/api/doxy-api.conf.in | 1 +
 lib/meson.build | 1 +
 lib/pdcp/meson.build | 7 ++
 lib/pdcp/rte_pdcp.h | 244 ++
 lib/pdcp/rte_pdcp_group.h | 134 +
 lib/pdcp/version.map | 13 ++
 7 files changed, 402 insertions(+), 1 deletion(-)
 create mode 100644 lib/pdcp/meson.build
 create mode 100644 lib/pdcp/rte_pdcp.h
 create mode 100644 lib/pdcp/rte_pdcp_group.h
 create mode 100644 lib/pdcp/version.map

diff --git a/doc/api/doxy-api-index.md b/doc/api/doxy-api-index.md index de488c7abf..42bcef9a17 100644 --- a/doc/api/doxy-api-index.md +++ b/doc/api/doxy-api-index.md @@ -125,7 +125,8 @@ The public API headers are grouped by topics: [Geneve](@ref rte_geneve.h), [eCPRI](@ref rte_ecpri.h), [L2TPv2](@ref rte_l2tpv2.h), - [PPP](@ref rte_ppp.h) + [PPP](@ref rte_ppp.h), + [PDCP](@ref rte_pdcp.h) - **QoS**: [metering](@ref rte_meter.h), diff --git a/doc/api/doxy-api.conf.in b/doc/api/doxy-api.conf.in index f0886c3bd1..01314b087e 100644 --- a/doc/api/doxy-api.conf.in +++ b/doc/api/doxy-api.conf.in 
@@ -61,6 +61,7 @@ INPUT = @TOPDIR@/doc/api/doxy-api-index.md \ @TOPDIR@/lib/net \ @TOPDIR@/lib/pcapng \ @TOPDIR@/lib/pci \ + @TOPDIR@/lib/pdcp \ @TOPDIR@/lib/pdump \ @TOPDIR@/lib/pipeline \ @TOPDIR@/lib/port \ diff --git a/lib/meson.build b/lib/meson.build index c51cdc24fa..15b7f77c68 100644 --- a/lib/meson.build +++ b/lib/meson.build @@ -63,6 +63,7 @@ libraries = [ 'flow_classify', # flow_classify lib depends on pkt framework table lib 'graph', 'node', +'pdcp', # pdcp lib depends on crypto and security ] optional_libs = [ diff --git a/lib/pdcp/meson.build b/lib/pdcp/meson.build new file mode 100644 index 00..4c329cf57d --- /dev/null +++ b/lib/pdcp/meson.build @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: BSD-3-Clause +# Copyright(C) 2022 Marvell. +# + +headers = files('rte_pdcp.h') + +deps += ['security'] diff --git a/lib/pdcp/rte_pdcp.h b/lib/pdcp/rte_pdcp.h new file mode 100644 index 00..3d2640240a --- /dev/null +++ b/lib/pdcp/rte_pdcp.h 
@@ -0,0 +1,244 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2022 Marvell. + */ + +#ifndef _RTE_PDCP_H_ +#define _RTE_PDCP_H_ + +/** + * @file rte_pdcp.h + * + * RTE PDCP support. + * + * librte_pdcp provides a framework for PDCP protocol processing. + */ + +#include +#include +#include +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/* Forward declarations */ + +struct rte_pdcp_entity; + +/* PDCP pre-process function based on entity configuration */ +typedef uint16_t (*rte_pdcp_pre_p_t)(const struct rte_pdcp_entity *entity, +struct rte_mbuf *mb[], +struct rte_crypto_op *cop[], +uint16_t num, uint16_t *nb_err); + +/* PDCP post-process function based on entity configuration */ +typedef uint16_t (*rte_pdcp_post_p_t)(const struct rte_pdcp_entity *entity, + struct rte_mbuf *in_mb[], + struct rte_mbuf *out_mb[], + uint16_t num, uint16_t *nb_err); + +/** + * PDCP entity. + */ +struct rte_pdcp_entity { + /** Entity specific pre-process handle */ + rte_pdcp_pre_p_t pre_process; + /** Entity specific post-process handle */ + rte_pdcp_post_p_t post_process; + /** +* PDCP entities may hold packets for purposes of in-order delivery (in +* case of receiving PDCP entity) and re-transmission (in case of +* transmitting PDCP entity). +* +* For receiving PDCP entity, it may hold p
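Review bot: lib/pdcp/meson.build installs only one header (`headers = files('rte_pdcp.h')`) although the diffstat adds lib/pdcp/rte_pdcp_group.h and the commit message advertises rte_pdcp_pkt_crypto_group(). List the group header as well (via `indirect_headers` if it is only meant to be pulled in through rte_pdcp.h), otherwise an installed rte_pdcp.h cannot be used with it. The comment added in lib/meson.build says the library depends on crypto and security while `deps += ['security']` names only security; make the two agree.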
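Review bot: the `rte_pdcp_pre_p_t` and `rte_pdcp_post_p_t` typedefs in lib/pdcp/rte_pdcp.h are introduced with plain `/* ... */` comments, so Doxygen skips them even though this patch adds the header to doxy-api-index.md and doxy-api.conf.in. Use `/** ... */` and document the parameters, in particular what `nb_err` reports and whether the return value counts only the packets processed successfully, since callers have to know which entries of `mb[]` and `out_mb[]` are valid afterwards.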
[PATCH v3] app/test-security-perf: add security perf app
Add performance application to test security session create & destroy rates supported by the security enabled cryptodev PMD. The application would create specified number of sessions and captures the time taken for the same before proceeding to destroy of the same. When operating on multi-core, the number of sessions would be evenly distributed across all cores. The application would test with all combinations of cipher & auth algorithms supported by the PMD. Signed-off-by: Aakash Sasidharan Signed-off-by: Anoob Joseph --- v3: * Rebased v2: * Rebased on latest code. Made changes to accommodate session rework * Fixed debug build failure MAINTAINERS | 6 + app/meson.build | 1 + app/test-security-perf/meson.build | 14 + app/test-security-perf/test_security_perf.c | 575 doc/guides/rel_notes/release_22_11.rst | 6 + doc/guides/tools/index.rst | 1 + doc/guides/tools/securityperf.rst | 47 ++ 7 files changed, 650 insertions(+) create mode 100644 app/test-security-perf/meson.build create mode 100644 app/test-security-perf/test_security_perf.c create mode 100644 doc/guides/tools/securityperf.rst diff --git a/MAINTAINERS b/MAINTAINERS index 0d7df177c9..1e0e60847a 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1743,6 +1743,12 @@ M: Reshma Pattan F: app/proc-info/ F: doc/guides/tools/proc_info.rst +Security performance tool +M: Anoob Joseph +T: git://dpdk.org/next/dpdk-next-crypto +F: app/test-security-perf/ +F: doc/guides/tools/securityperf.rst + Other Example Applications -- diff --git a/app/meson.build b/app/meson.build index 96b9a78d3a..b44a3123ee 100644 --- a/app/meson.build +++ b/app/meson.build @@ -21,6 +21,7 @@ apps = [ 'test-pmd', 'test-regex', 'test-sad', +'test-security-perf', ] default_cflags = machine_args + ['-DALLOW_EXPERIMENTAL_API'] diff --git a/app/test-security-perf/meson.build b/app/test-security-perf/meson.build new file mode 100644 index 00..076999022e --- /dev/null +++ b/app/test-security-perf/meson.build 
@@ -0,0 +1,14 @@ +# SPDX-License-Identifier: BSD-3-Clause +# Copyright(C) 2022 Marvell. + +if is_windows +build = false +reason = 'not supported on Windows' +subdir_done() +endif + +sources = files( +'test_security_perf.c', +'../test/test_cryptodev_security_ipsec.c', +) +deps += ['security', 'cmdline'] diff --git a/app/test-security-perf/test_security_perf.c b/app/test-security-perf/test_security_perf.c new file mode 100644 index 00..9bb50689e3 --- /dev/null +++ b/app/test-security-perf/test_security_perf.c 
@@ -0,0 +1,575 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(c) 2022, Marvell + */ + +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include +#include +#include + +#define NB_DESC 4096 +#define DEF_NB_SESSIONS (16 * 10 * 1024) /* 16 * 10K tunnels */ + +struct lcore_conf { + struct rte_crypto_sym_xform cipher_xform; + struct rte_crypto_sym_xform auth_xform; + struct rte_crypto_sym_xform aead_xform; + uint8_t dev_id; + uint8_t qp_id; + struct test_ctx *ctx; +}; + +struct test_ctx { + struct lcore_conf lconf[RTE_MAX_LCORE]; + void *sec_ctx; + struct rte_mempool *sess_mp; + struct ipsec_test_data *td; + int nb_sess; + unsigned long td_idx; + uint8_t nb_lcores; + uint8_t nb_cryptodevs; + uint8_t enabled_cdevs[RTE_CRYPTO_MAX_DEVS]; + bool is_inbound; +}; + +static struct test_ctx ctx; + +static int +cryptodev_init(struct test_ctx *ctx, uint8_t nb_lcores) +{ + const char dev_names[][RTE_CRYPTODEV_NAME_MAX_LEN] = { + "crypto_cn10k", + "crypto_cn9k", + "crypto_dpaa_sec", + "crypto_dpaa2_sec", + }; + struct rte_cryptodev_qp_conf qp_conf; + struct rte_cryptodev_info dev_info; + struct rte_cryptodev_config config; + unsigned int j, nb_qp, qps_reqd; + uint8_t socket_id; + uint32_t dev_cnt; + int ret, core_id; + void *sec_ctx; + uint64_t i; + + i = 0; + do { + dev_cnt = rte_cryptodev_devices_get(dev_names[i], +ctx->enabled_cdevs, +RTE_CRYPTO_MAX_DEVS); + i++; + } while (dev_cnt == 0 && i < RTE_DIM(dev_names)); + + if (dev_cnt == 0) + return -1; + + /* Check first device for capabilities */ + rte_cryptodev_info_get(0, &dev_info); + if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SEC
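Review bot: `rte_cryptodev_info_get(0, &dev_info)` in cryptodev_init() checks capabilities on hard-coded device id 0, not on a device the preceding loop actually matched. rte_cryptodev_devices_get() has just filled `ctx->enabled_cdevs`, so when another cryptodev is probed first the feature-flag check that follows is made against the wrong device; pass `ctx->enabled_cdevs[0]` instead. The loop index `i` only indexes `dev_names[]`, so `unsigned int` is enough there in place of `uint64_t`.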
RE: [EXT] Re: [PATCH 1/5] net: add PDCP header
Hi Thomas, Please see inline. Thanks, Anoob > Subject: [EXT] Re: [PATCH 1/5] net: add PDCP header > > External Email > > -- > 22/12/2022 10:25, Anoob Joseph: > > --- /dev/null > > +++ b/lib/net/rte_pdcp_hdr.h > > @@ -0,0 +1,93 @@ > > +/* SPDX-License-Identifier: BSD-3-Clause > > + * Copyright(C) 2022 Marvell. > > + */ > > + > > +#ifndef _RTE_PDCP_HDR_H_ > > +#define _RTE_PDCP_HDR_H_ > > No need of extra underscores before and after. [Anoob] I was following the example quoted in https://doc.dpdk.org/guides/contributing/coding_style.html. Also, other files such as rte_esp.h, rte_udp.h, etc. follow the same. Isn't it better to have a uniform coding style?
RE: [EXT] Re: [PATCH 1/5] net: add PDCP header
Hi Thomas, Please see inline. Thanks, Anoob > Subject: Re: [EXT] Re: [PATCH 1/5] net: add PDCP header > > 18/01/2023 18:39, Anoob Joseph: > > > 22/12/2022 10:25, Anoob Joseph: > > > > --- /dev/null > > > > +++ b/lib/net/rte_pdcp_hdr.h > > > > @@ -0,0 +1,93 @@ > > > > +/* SPDX-License-Identifier: BSD-3-Clause > > > > + * Copyright(C) 2022 Marvell. > > > > + */ > > > > + > > > > +#ifndef _RTE_PDCP_HDR_H_ > > > > +#define _RTE_PDCP_HDR_H_ > > > > > > No need of extra underscores before and after. > > > > [Anoob] I was following the example quoted in > > https://doc.dpdk.org/guides/contributing/coding_style.html. > > Oh thanks for the reference, I will fix it. > > > Also, other files such as rte_esp.h, rte_udp.h, etc. follow the same. > > Some other files don't have underscores. > > > Isn't it better to have a uniform coding style? > > No really I prefer no underscores, > they are supposed to be used for standard libraries. [Anoob] I see that most of the files do have underscores. While I do not have any personal preference, I would really prefer new code to not stand out from the rest. If you have considered this already, then I'll make the change in next version. Please confirm.
[PATCH] cryptodev: add missing doc
Description for rte_cryptodev_get_sec_ctx is missing. Add the same. Signed-off-by: Anoob Joseph --- lib/cryptodev/rte_cryptodev.h | 9 + 1 file changed, 9 insertions(+) diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h index ba730373fb..8876e0427f 100644 --- a/lib/cryptodev/rte_cryptodev.h +++ b/lib/cryptodev/rte_cryptodev.h @@ -973,6 +973,15 @@ struct rte_cryptodev_cb_rcu { /**< RCU QSBR variable per queue pair */ }; +/** + * Get the security context for the cryptodev. + * + * @param dev_id + * The device identifier. + * @return + * - NULL on error. + * - Pointer to security context on success. + */ void * rte_cryptodev_get_sec_ctx(uint8_t dev_id); -- 2.25.1
[PATCH 1/4] security: remove redundant cast
The API 'rte_cryptodev_get_sec_ctx' returns void *. Type cast is not required. Signed-off-by: Anoob Joseph --- lib/security/rte_security.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c index c4d64bb8e9..71910863bc 100644 --- a/lib/security/rte_security.c +++ b/lib/security/rte_security.c @@ -385,7 +385,7 @@ security_capabilities_from_dev_id(int dev_id, const void **caps) if (rte_cryptodev_is_valid_dev(dev_id) == 0) return -EINVAL; - sec_ctx = (struct rte_security_ctx *)rte_cryptodev_get_sec_ctx(dev_id); + sec_ctx = rte_cryptodev_get_sec_ctx(dev_id); RTE_PTR_OR_ERR_RET(sec_ctx, -EINVAL); capabilities = rte_security_capabilities_get(sec_ctx); -- 2.25.1
[PATCH 2/4] test/crypto: remove redundant cast
The API 'rte_cryptodev_get_sec_ctx' returns void *. Type cast is not required. Signed-off-by: Anoob Joseph --- app/test/test_cryptodev.c | 29 - 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index fb2af40b99..589b9860ce 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -8920,15 +8920,12 @@ security_proto_supported(enum rte_security_session_action_type action, enum rte_security_session_protocol proto) { struct crypto_testsuite_params *ts_params = &testsuite_params; - const struct rte_security_capability *capabilities; const struct rte_security_capability *capability; + struct rte_security_ctx *ctx; uint16_t i = 0; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx( - ts_params->valid_devs[0]); - + ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); capabilities = rte_security_capabilities_get(ctx); @@ -8967,12 +8964,12 @@ static int test_pdcp_proto(int i, int oop, enum rte_crypto_cipher_operation opc, struct crypto_unittest_params *ut_params = &unittest_params; uint8_t *plaintext; int ret = TEST_SUCCESS; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx( - ts_params->valid_devs[0]); struct rte_cryptodev_info dev_info; + struct rte_security_ctx *ctx; uint64_t feat_flags; + ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); + rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info); feat_flags = dev_info.feature_flags; 
@@ -9174,11 +9171,11 @@ test_pdcp_proto_SGL(int i, int oop, unsigned int trn_data = 0; struct rte_cryptodev_info dev_info; uint64_t feat_flags; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx( - ts_params->valid_devs[0]); + struct rte_security_ctx *ctx; struct rte_mbuf *temp_mbuf; + ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); + rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info); feat_flags = dev_info.feature_flags; @@ -10898,6 +10895,7 @@ test_docsis_proto_uplink(const void *data) const struct docsis_test_data *d_td = data; struct crypto_testsuite_params *ts_params = &testsuite_params; struct crypto_unittest_params *ut_params = &unittest_params; + struct rte_security_ctx *ctx; uint8_t *plaintext = NULL; uint8_t *ciphertext = NULL; uint8_t *iv_ptr; @@ -10905,9 +10903,7 @@ test_docsis_proto_uplink(const void *data) uint32_t crc_data_len; int ret = TEST_SUCCESS; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx( - ts_params->valid_devs[0]); + ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); /* Verify the capabilities */ struct rte_security_capability_idx sec_cap_idx; @@ -11083,15 +11079,14 @@ test_docsis_proto_downlink(const void *data) const struct docsis_test_data *d_td = data; struct crypto_testsuite_params *ts_params = &testsuite_params; struct crypto_unittest_params *ut_params = &unittest_params; + struct rte_security_ctx *ctx; uint8_t *plaintext = NULL; uint8_t *ciphertext = NULL; uint8_t *iv_ptr; int32_t cipher_len, crc_len; int ret = TEST_SUCCESS; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx( - ts_params->valid_devs[0]); + ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); /* Verify the capabilities */ struct rte_security_capability_idx sec_cap_idx; -- 2.25.1
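Review bot: in security_proto_supported() the pointer returned by rte_cryptodev_get_sec_ctx() goes straight into `rte_security_capabilities_get(ctx)` with no NULL check, and the rewritten declarations keep it that way. The library side of this series guards the same call with `RTE_PTR_OR_ERR_RET(sec_ctx, -EINVAL)`; since every one of these functions is being touched anyway, add a check after the new `ctx = ...` assignment and fail or skip the test when the device has no security context.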
[PATCH 3/4] app/crypto-perf: remove redundant cast
The API 'rte_cryptodev_get_sec_ctx' returns void *. Type cast is not required. Signed-off-by: Anoob Joseph --- app/test-crypto-perf/cperf_ops.c | 12 ++-- app/test-crypto-perf/cperf_test_pmd_cyclecount.c | 4 +--- app/test-crypto-perf/cperf_test_throughput.c | 4 +--- 3 files changed, 8 insertions(+), 12 deletions(-) diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c index 93b9bfb240..5bb2ce954a 100644 --- a/app/test-crypto-perf/cperf_ops.c +++ b/app/test-crypto-perf/cperf_ops.c @@ -647,6 +647,7 @@ create_ipsec_session(struct rte_mempool *sess_mp, struct rte_crypto_sym_xform auth_xform = {0}; struct rte_crypto_sym_xform *crypto_xform; struct rte_crypto_sym_xform xform = {0}; + struct rte_security_ctx *ctx; if (options->aead_algo != 0) { /* Setup AEAD Parameters */ @@ -749,8 +750,7 @@ create_ipsec_session(struct rte_mempool *sess_mp, else sess_conf.ipsec.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx(dev_id); + ctx = rte_cryptodev_get_sec_ctx(dev_id); /* Create security session */ return (void *)rte_security_session_create(ctx, &sess_conf, sess_mp); @@ -766,6 +766,7 @@ cperf_create_session(struct rte_mempool *sess_mp, struct rte_crypto_sym_xform cipher_xform; struct rte_crypto_sym_xform auth_xform; struct rte_crypto_sym_xform aead_xform; + struct rte_security_ctx *ctx; void *sess = NULL; void *asym_sess = NULL; struct rte_crypto_asym_xform xform = {0}; @@ -853,8 +854,7 @@ cperf_create_session(struct rte_mempool *sess_mp, .crypto_xform = &cipher_xform }; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx(dev_id); + ctx = rte_cryptodev_get_sec_ctx(dev_id); /* Create security session */ return (void *)rte_security_session_create(ctx, &sess_conf, sess_mp); 
@@ -901,8 +901,8 @@ cperf_create_session(struct rte_mempool *sess_mp, } }, .crypto_xform = &cipher_xform }; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx(dev_id); + + ctx = rte_cryptodev_get_sec_ctx(dev_id); /* Create security session */ return (void *)rte_security_session_create(ctx, &sess_conf, sess_mp); diff --git a/app/test-crypto-perf/cperf_test_pmd_cyclecount.c b/app/test-crypto-perf/cperf_test_pmd_cyclecount.c index 0307e82996..d6d4130195 100644 --- a/app/test-crypto-perf/cperf_test_pmd_cyclecount.c +++ b/app/test-crypto-perf/cperf_test_pmd_cyclecount.c @@ -67,9 +67,7 @@ cperf_pmd_cyclecount_test_free(struct cperf_pmd_cyclecount_ctx *ctx) #ifdef RTE_LIB_SECURITY if (ctx->options->op_type == CPERF_PDCP || ctx->options->op_type == CPERF_DOCSIS) { - struct rte_security_ctx *sec_ctx = - (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx(ctx->dev_id); + struct rte_security_ctx *sec_ctx = rte_cryptodev_get_sec_ctx(ctx->dev_id); rte_security_session_destroy(sec_ctx, (void *)ctx->sess); } else diff --git a/app/test-crypto-perf/cperf_test_throughput.c b/app/test-crypto-perf/cperf_test_throughput.c index e892a70699..21738e8425 100644 --- a/app/test-crypto-perf/cperf_test_throughput.c +++ b/app/test-crypto-perf/cperf_test_throughput.c @@ -44,9 +44,7 @@ cperf_throughput_test_free(struct cperf_throughput_ctx *ctx) else if (ctx->options->op_type == CPERF_PDCP || ctx->options->op_type == CPERF_DOCSIS || ctx->options->op_type == CPERF_IPSEC) { - struct rte_security_ctx *sec_ctx = - (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx(ctx->dev_id); + struct rte_security_ctx *sec_ctx = rte_cryptodev_get_sec_ctx(ctx->dev_id); rte_security_session_destroy( sec_ctx, (void *)ctx->sess); -- 2.25.1
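Review bot: the new function-scope `struct rte_security_ctx *ctx;` in cperf_create_session() and create_ipsec_session() is declared next to the unconditional locals. If the assignments in the `-853` and `-901` hunks sit inside `#ifdef RTE_LIB_SECURITY`, as the free path in cperf_test_pmd_cyclecount.c does, a build without the security library is left with an unused variable. Put the declaration under the same guard, or keep it block-local as the two `*_test_free()` hunks do.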
[PATCH 4/4] examples/ipsec-secgw: remove redundant cast
The API 'rte_cryptodev_get_sec_ctx' returns void *. Type cast is not required. Signed-off-by: Anoob Joseph --- examples/ipsec-secgw/ipsec.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index a5706bed24..984fb7a2ec 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -327,9 +327,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx_lcore[], }; if (ips->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx( - cdev_id); + struct rte_security_ctx *ctx = rte_cryptodev_get_sec_ctx(cdev_id); /* Set IPsec parameters in conf */ set_ipsec_conf(sa, &(sess_conf.ipsec)); -- 2.25.1
[PATCH v2] cryptodev: add missing doc
Description for rte_cryptodev_get_sec_ctx is missing. Add the same. Fixes: eadb4fa1e1fe ("cryptodev: support security APIs") Signed-off-by: Anoob Joseph --- lib/cryptodev/rte_cryptodev.h | 9 + 1 file changed, 9 insertions(+) diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h index 9246df90ef..9017a56cd0 100644 --- a/lib/cryptodev/rte_cryptodev.h +++ b/lib/cryptodev/rte_cryptodev.h @@ -971,6 +971,15 @@ struct rte_cryptodev_cb_rcu { /**< RCU QSBR variable per queue pair */ }; +/** + * Get the security context for the cryptodev. + * + * @param dev_id + * The device identifier. + * @return + * - NULL on error. + * - Pointer to security context on success. + */ void * rte_cryptodev_get_sec_ctx(uint8_t dev_id); -- 2.25.1
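Review bot: the `@return` text says "NULL on error" without saying which conditions count as an error. State whether that covers an invalid `dev_id` and a device that has no security support, so callers know when the NULL check is required. The prototype returns `void *`; since callers elsewhere on this page assign the result to `struct rte_security_ctx *`, naming that type in the description would make the intended use clear.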
RE: [EXT] [PATCH v2 0/2] crypto/scheduler: add support for security protocols
Hi David, Please see inline. Thanks, Anoob > -Original Message- > From: Coyle, David > Sent: Monday, September 11, 2023 9:32 PM > To: Anoob Joseph ; dev@dpdk.org > Cc: Ji, Kai ; O'Sullivan, Kevin ; > Jerin Jacob Kollanukkaran > Subject: RE: [EXT] [PATCH v2 0/2] crypto/scheduler: add support for security > protocols > > Hi Anoob, > > Thank you for that feedback - I was on extended leave so only just getting > back to it now. > See replies below. > > Regards, > David > > > -Original Message- > > From: Anoob Joseph > > Sent: Friday, August 11, 2023 12:09 PM > > To: Coyle, David ; dev@dpdk.org > > Cc: Ji, Kai ; O'Sullivan, Kevin > > ; Jerin Jacob Kollanukkaran > > > > Subject: RE: [EXT] [PATCH v2 0/2] crypto/scheduler: add support for > > security protocols > > > > Hi David, > > > > While it is desirable to add security under crypto/scheduler, would it > > be functionally possible if the PMDs perform stateful processing? For > > example, with lookaside protocol mode of IPsec, fields such as seq no > > & AR defines how the crypto operation can be performed. Without two > > PMDs sharing this (actively), how can the load balancing happen? > > [DC] So if some fields such as seq numbers are maintained within the PMDs > for some protocols, then yes you are right - this would not work without > some synchronization across PMD instances which I think we'd want to avoid > at this point. > > I tried to find some cases where a crypto PMD that supports IPSec, for > example, maintains some global stateful parameters, but I could not find > these cases. > I'm not at all familiar with these PMDs (cnxk, mvsam, dpaa_sec, dpaa2_sec) > though, so maybe you could guide me as to where they are maintained? [Anoob] I can comment about cnxk. In cn9k, PMD updates the states. https://elixir.bootlin.com/dpdk/v23.07/source/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h#L177 In cn10k, hw updates the states. 
Please check the corresponding fields, https://elixir.bootlin.com/dpdk/v23.07/source/drivers/common/cnxk/roc_ie_ot.h#L258 > > > > > Said that, I agree utility of scheduler for stateless operations. My > > understanding is, PDCP offload that is available today is not stateful > > and that can leverage this. I'm not sure of DOCSIS and MACsec. > > [DC] I notice that the PDCP security xform struct has a seq number related > field, which would also suggest it could be stateful, but I could be wrong. [Anoob] The field there is seq no size. That is not stateful. But then, it has HFN field which is the upper few bits of seq no. It is unclear if HFN is expected to be incremented when lower bits overflow. Maybe it's better PDCP is also left unsupported. I'll let Hemanth confirm. > > From a google search MACSec is stateless, but again I'm not an expert. > > The protocol I am familiar with is DOCSIS, and it is for this protocol that we > have added security support to the cryptodev scheduler. > DOCSIS is 100% stateless, so will work no problem with the scheduler. > > > > > Should we make it such that only specific security sessions would be > > eligible for scheduler operation? > > [DC] Do you think it would be acceptable to limit the scheduler to the DOCSIS > protocol only for now, and let the IPSec, MACSec and PDCP experts add > these later if applicable? > If you think this would be ok, I can easily make that change. [Anoob] I think that would be a good approach. For any stateless protocols, addition of crypto scheduler is a huge plus. 
> > > > > Thanks, > > Anoob > > > > > -Original Message- > > > From: David Coyle > > > Sent: Friday, August 11, 2023 3:54 PM > > > To: dev@dpdk.org > > > Cc: kai...@intel.com; kevin.osulli...@intel.com; David Coyle > > > > > > Subject: [EXT] [PATCH v2 0/2] crypto/scheduler: add support for > > > security protocols > > > > > > External Email > > > > > > > > > -- This patchset adds support to the cryptodev scheduler PMD and > > > unit tests for the existing security protocols in the security > > > library, namely IPSec, MACSec, PDCP and DOCSIS. > > > > > > v2: > > > * Improve inclusion of rte_security header files > > > * Fix typo in commit message > > > > > > David Coyle (2): > > > crypto/scheduler: support security protocols > > > test/crypto: add security tests for cryptodev scheduler > > > > > > app/test/test_cry
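The concern raised in this exchange (sequence number and anti-replay state kept privately by each worker PMD), as an added example that is not part of the original thread or of DPDK: a sliding-window replay check with one SA's packets sprayed round-robin across workers that do not share state. The 64-packet window, the function names and the packet trace are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AR_WIN      64u /* replay window in packets (assumed size) */
#define MAX_WORKERS 4u  /* upper bound on simulated worker PMDs */

/* Per-SA state a stateful lookaside worker keeps between packets. */
struct ar_state {
	uint64_t top;    /* highest sequence number accepted so far */
	uint64_t bitmap; /* bit i set: sequence number (top - i) was seen */
};

/* Accept and record seq if it is new and still inside the window. */
static bool
ar_check_update(struct ar_state *s, uint64_t seq)
{
	uint64_t off;

	if (seq == 0)
		return false; /* sequence numbers start at 1 */

	if (seq > s->top) {
		off = seq - s->top;
		/* Shifting a 64-bit value by 64 or more is undefined: clear. */
		s->bitmap = (off >= AR_WIN) ? 0 : s->bitmap << off;
		s->bitmap |= 1;
		s->top = seq;
		return true;
	}

	off = s->top - seq;
	if (off >= AR_WIN)
		return false; /* older than the window */
	if (s->bitmap & (UINT64_C(1) << off))
		return false; /* replay */
	s->bitmap |= UINT64_C(1) << off;
	return true;
}

/*
 * Feed one SA's packets to nb_workers in round-robin order, the way a
 * scheduler that knows nothing about SA state would. Every worker keeps
 * its own private ar_state. Returns the number of packets accepted.
 */
static unsigned int
accepted_round_robin(const uint64_t *seq, size_t n, unsigned int nb_workers)
{
	struct ar_state st[MAX_WORKERS] = { { 0, 0 } };
	unsigned int ok = 0;
	size_t i;

	if (nb_workers == 0 || nb_workers > MAX_WORKERS)
		return 0;

	for (i = 0; i < n; i++)
		if (ar_check_update(&st[i % nb_workers], seq[i]))
			ok++;
	return ok;
}

/* Constructed trace: five fresh packets, then replays of 3 and 2. */
static const uint64_t TRACE[] = { 1, 2, 3, 4, 5, 3, 2 };
#define TRACE_LEN (sizeof(TRACE) / sizeof(TRACE[0]))

int
main(void)
{
	printf("1 worker : %u of %zu accepted\n",
	       accepted_round_robin(TRACE, TRACE_LEN, 1), TRACE_LEN);
	printf("2 workers: %u of %zu accepted\n",
	       accepted_round_robin(TRACE, TRACE_LEN, 2), TRACE_LEN);
	return 0;
}
```

With a single worker both replays are dropped; with two workers each replay lands on the worker that never saw the original, so both pass the check.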
RE: [EXT] [PATCH v3 1/2] crypto/scheduler: support DOCSIS security protocol
Hi David, Thanks for updating the patches based on the comments provided on previous version. Please see inline for some comments on code. Thanks, Anoob > -Original Message- > From: David Coyle > Sent: Thursday, September 14, 2023 8:52 PM > To: dev@dpdk.org > Cc: kai...@intel.com; Anoob Joseph ; > kevin.osulli...@intel.com; David Coyle > Subject: [EXT] [PATCH v3 1/2] crypto/scheduler: support DOCSIS security > protocol > > External Email > > -- > Add support to the cryptodev scheduler PMD for the DOCSIS security > protocol. This includes adding the following to the scheduler: > - synchronization of worker's security capabilities > - retrieval of the scheduler's synchronized security capabilities > - retrieval of the security session size i.e. maximum session size > across all workers > - creation of security sessions on each worker > - deletion of security sessions on each worker > > Signed-off-by: David Coyle > Signed-off-by: Kevin O'Sullivan > --- > doc/guides/rel_notes/release_23_11.rst| 4 + > drivers/crypto/scheduler/meson.build | 2 +- > .../scheduler/rte_cryptodev_scheduler.c | 221 +- > drivers/crypto/scheduler/scheduler_failover.c | 12 +- > .../crypto/scheduler/scheduler_multicore.c| 10 +- > .../scheduler/scheduler_pkt_size_distr.c | 54 +-- > drivers/crypto/scheduler/scheduler_pmd.c | 33 ++ > drivers/crypto/scheduler/scheduler_pmd_ops.c | 381 +- > .../crypto/scheduler/scheduler_pmd_private.h | 159 +--- > .../crypto/scheduler/scheduler_roundrobin.c | 6 +- > 10 files changed, 653 insertions(+), 229 deletions(-) > > diff --git a/drivers/crypto/scheduler/rte_cryptodev_scheduler.c > b/drivers/crypto/scheduler/rte_cryptodev_scheduler.c > index 258d6f8c43..e8b905af2f 100644 > --- a/drivers/crypto/scheduler/rte_cryptodev_scheduler.c > +++ b/drivers/crypto/scheduler/rte_cryptodev_scheduler.c 
> @@ -5,11 +5,14 @@ > #include > #include > #include > +#include > #include > > #include "rte_cryptodev_scheduler.h" > #include "scheduler_pmd_private.h" > > +#define MAX_CAPS 256 > + > /** update the scheduler pmd's capability with attaching device's > * capability. > * For each device to be attached, the scheduler's capability should be @@ - > 59,7 +62,6 @@ sync_caps(struct rte_cryptodev_capabilities *caps, > cap->sym.auth.digest_size.max ? > s_cap->sym.auth.digest_size.max : > cap->sym.auth.digest_size.max; > - > } > > if (s_cap->sym.xform_type == 
> @@ -81,25 +83,176 @@ sync_caps(struct rte_cryptodev_capabilities *caps, > > memset(&caps[sync_nb_caps - 1], 0, sizeof(*cap)); > sync_nb_caps--; > + i--; > } > > return sync_nb_caps; > } > > static int > -update_scheduler_capability(struct scheduler_ctx *sched_ctx) > +check_sec_cap_equal(const struct rte_security_capability *sec_cap1, > + struct rte_security_capability *sec_cap2) { > + if (sec_cap1->action != sec_cap2->action || > + sec_cap1->protocol != sec_cap2->protocol || > + sec_cap1->ol_flags != sec_cap2->ol_flags) > + return 0; > + > + if (sec_cap1->protocol == RTE_SECURITY_PROTOCOL_DOCSIS) > + return !memcmp(&sec_cap1->docsis, &sec_cap2->docsis, > + sizeof(sec_cap1->docsis)); > + else > + return 0; > +} > + > +static void > +copy_sec_cap(struct rte_security_capability *dst_sec_cap, > + struct rte_security_capability *src_sec_cap) { > + dst_sec_cap->action = src_sec_cap->action; > + dst_sec_cap->protocol = src_sec_cap->protocol; > + if (src_sec_cap->protocol == RTE_SECURITY_PROTOCOL_DOCSIS) > + dst_sec_cap->docsis = src_sec_cap->docsis; > + dst_sec_cap->ol_flags = src_sec_cap->ol_flags; } > + > +static uint32_t > +sync_sec_crypto_caps(struct rte_cryptodev_capabilities > *tmp_sec_crypto_caps, > + const struct rte_cryptodev_capabilities *sec_crypto_caps, > + const struct rte_cryptodev_capabilities > *worker_sec_crypto_caps) { > + uint8_t nb_caps = 0; > + > + nb_caps = sync_caps(tmp_sec_crypto_caps, nb_caps, > sec_crypto_caps); > + sync_caps(tmp_sec_crypto_caps, nb_caps, > worker_sec_crypto_caps); &g
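Review bot: `uint8_t nb_caps` in sync_sec_crypto_caps() is narrower than everything around it: the function returns uint32_t and this patch defines MAX_CAPS as 256, so if that constant bounds the capability arrays a full array cannot be counted without wrapping to 0. Declare it uint32_t. In the same hunk check_sec_cap_equal() takes `sec_cap1` as const but `sec_cap2` as non-const although neither is written, and copy_sec_cap() only reads `src_sec_cap`; make those parameters const too.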
RE: [PATCH v1 1/2] dmadev: offload to free source buffer
Hi Amit, Thanks for adding the feature. Please see inline. With the mentioned fixes, Acked-by: Anoob Joseph Thanks, Anoob > -Original Message- > From: Amit Prakash Shukla > Sent: Thursday, September 7, 2023 1:41 PM > To: Chengwen Feng ; Kevin Laatz > ; Bruce Richardson > Cc: dev@dpdk.org; Jerin Jacob Kollanukkaran ; > conor.wa...@intel.com; Vamsi Krishna Attunuru ; > g.si...@nxp.com; sachin.sax...@oss.nxp.com; hemant.agra...@nxp.com; > cheng1.ji...@intel.com; Nithin Kumar Dabilpuram > ; Anoob Joseph ; Amit > Prakash Shukla ; Morten Brørup > > Subject: [PATCH v1 1/2] dmadev: offload to free source buffer > > This changeset adds support in DMA library to free source DMA buffer by > hardware. On a supported hardware, application can pass on the mempool > information as part of vchan config when the DMA transfer direction is > configured as RTE_DMA_DIR_MEM_TO_DEV. > > Signed-off-by: Amit Prakash Shukla > Acked-by: Morten Brørup > --- > lib/dmadev/rte_dmadev.h | 27 +++ > 1 file changed, 27 insertions(+) > > diff --git a/lib/dmadev/rte_dmadev.h b/lib/dmadev/rte_dmadev.h index > b157ab7600..d6a685907f 100644 > --- a/lib/dmadev/rte_dmadev.h > +++ b/lib/dmadev/rte_dmadev.h > @@ -278,6 +278,13 @@ int16_t rte_dma_next_dev(int16_t start_dev_id); > #define RTE_DMA_CAPA_OPS_COPY_SG RTE_BIT64(33) > /** Support fill operation. */ > #define RTE_DMA_CAPA_OPS_FILLRTE_BIT64(34) > +/** Support for source buffer free for mem to dev transfer. > + * > + * @note Even though the DMA driver has this capability, it may not > +support all > + * mempool drivers. If the mempool is not supported by the DMA driver, > + * rte_dma_vchan_setup() will fail. > + **/ [Anoob] I think you can remove the note. It is mentioned below also, right? That should be sufficient I guess. Not a strong comment. You can decide. > +#define RTE_DMA_CAPA_MEM_TO_DEV_SOURCE_BUFFER_FREE > RTE_BIT64(35) > /**@}*/ > > /** 
> @@ -581,6 +588,19 @@ struct rte_dma_vchan_conf { >* @see struct rte_dma_port_param >*/ > struct rte_dma_port_param dst_port; > + /** mempool from which source buffer is allocated. mempool info is [Anoob] Mempool -> Mempool (in both places) > used > + * for freeing source buffer by hardware when configured direction is > + * RTE_DMA_DIR_MEM_TO_DEV. To free the source buffer by > hardware, > + * RTE_DMA_OP_FLAG_FREE_SBUF must be set while calling > rte_dma_copy and > + * rte_dma_copy_sg(). > + * > + * @note If the mempool is not supported by the DMA driver, > + * rte_dma_vchan_setup() will fail. [Anoob] "If the mempool is not supported by the DMA device, ..." driver -> device. > + * > + * @see RTE_DMA_OP_FLAG_FREE_SBUF > + */ > + struct rte_mempool *mem_to_dev_src_buf_pool; > + > }; > > /** > @@ -818,6 +838,13 @@ struct rte_dma_sge { > * capability bit for this, driver should not return error if this flag was > set. > */ > #define RTE_DMA_OP_FLAG_LLC RTE_BIT64(2) > +/** Mem to dev source buffer free flag. > + * Used for freeing source DMA buffer by hardware when the transfer > +direction is > + * configured as RTE_DMA_DIR_MEM_TO_DEV. > + * > + * @see struct rte_dma_vchan_conf::mem_to_dev_src_buf_pool > + */ > +#define RTE_DMA_OP_FLAG_FREE_SBUFRTE_BIT64(3) > /**@}*/ > > /** > -- > 2.25.1
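Review bot: the doc comment on `mem_to_dev_src_buf_pool` does not say what a caller gets when RTE_DMA_OP_FLAG_FREE_SBUF is passed but the field was left NULL, or when the configured direction is not RTE_DMA_DIR_MEM_TO_DEV. State the expected result in the comment so that drivers behave alike. Two smaller points in the same hunk: `rte_dma_copy` is written without `()` next to `rte_dma_copy_sg()`, and the blank `+` line before the struct's closing brace can be dropped.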
RE: [PATCH v1 2/2] test/dma: add source buffer offload free test
Hi Amit, Please see inline. Thanks, Anoob > -Original Message- > From: Amit Prakash Shukla > Sent: Thursday, September 7, 2023 1:41 PM > To: Chengwen Feng ; Kevin Laatz > ; Bruce Richardson > Cc: dev@dpdk.org; Jerin Jacob Kollanukkaran ; > conor.wa...@intel.com; Vamsi Krishna Attunuru ; > g.si...@nxp.com; sachin.sax...@oss.nxp.com; hemant.agra...@nxp.com; > cheng1.ji...@intel.com; Nithin Kumar Dabilpuram > ; Anoob Joseph ; Amit > Prakash Shukla > Subject: [PATCH v1 2/2] test/dma: add source buffer offload free test > > Add a test case to validate the functionality of drivers' dma source buffer > offload free. As part of dmadev_autotest, test case will be executed only if > the driver supports source buffer offload free and if the test is exported by > env variable DPDK_ADD_DMA_TEST. > > Signed-off-by: Amit Prakash Shukla > --- > app/test/test_dmadev.c | 132 > - > 1 file changed, 131 insertions(+), 1 deletion(-) > > diff --git a/app/test/test_dmadev.c b/app/test/test_dmadev.c index > 6ef875e545..48da4664ae 100644 > --- a/app/test/test_dmadev.c > +++ b/app/test/test_dmadev.c 
> @@ -18,11 +18,26 @@ > > #define ERR_RETURN(...) do { print_err(__func__, __LINE__, > __VA_ARGS__); return -1; } while (0) > > +#define TEST_RINGSIZE 512 > #define COPY_LEN 1024 > > static struct rte_mempool *pool; > static uint16_t id_count; > > +enum { > + TEST_SRC_BUF_FREE = 0, > + TEST_MAX, > +}; > + > +struct dma_add_test { > + const char *name; > + bool enabled; > +}; > + > +struct dma_add_test dma_add_test[] = { > + [TEST_SRC_BUF_FREE] = {.name = "sbuf_free", .enabled = false}, }; > + > static void > __rte_format_printf(3, 4) > print_err(const char *func, int lineno, const char *format, ...) @@ -797,10 > +812,93 @@ test_burst_capacity(int16_t dev_id, uint16_t vchan) > return 0; > } > > +static int > +test_sbuf_free(int16_t dev_id, uint16_t vchan) { #define NR_MBUF 256 > + int i, ret = 0; > + int retry = 100; > + uint16_t nb_done = 0; > + bool dma_err = false; > + uint32_t buf_cnt1, buf_cnt2; > + struct rte_mempool_ops *ops; > + uint64_t remote_addr = 0x4000ull; [Anoob] Can you make remote_addr as a variable read from env variable? Hard coding may not be the right approach. > + struct rte_mbuf *src[NR_MBUF], *dst[NR_MBUF]; > + const struct rte_dma_vchan_conf qconf = { > + .direction = RTE_DMA_DIR_MEM_TO_DEV, > + .nb_desc = TEST_RINGSIZE, > + .mem_to_dev_src_buf_pool = pool, > + .dst_port.port_type = RTE_DMA_PORT_PCIE, > + /* Assuming pemid as 0. */ > + .dst_port.pcie.coreid = 0, > + }; > + static int dev_init; [Anoob] Can you use bool instead of int for dev_init? > + > + if (!dev_init) { > + /* Stop the device to reconfigure vchan. 
*/ > + if (rte_dma_stop(dev_id) < 0) > + ERR_RETURN("Error stopping device %u\n", dev_id); > + > + if (rte_dma_vchan_setup(dev_id, vchan, &qconf) < 0) > + ERR_RETURN("Error with queue configuration\n"); > + > + if (rte_dma_start(dev_id) != 0) > + ERR_RETURN("Error with rte_dma_start()\n"); > + > + dev_init++; > + } > + > + if (rte_pktmbuf_alloc_bulk(pool, dst, NR_MBUF) != 0) > + ERR_RETURN("alloc dst mbufs failed.\n"); > + > + for (i = 0; i < NR_MBUF; i++) { > + /* Using mbuf structure to hold remote iova address. */ > + rte_mbuf_iova_set(dst[i], (rte_iova_t)remote_addr); > + dst[i]->data_off = 0; > + } > + > + /* Capture buffer count before allocating source buffer. */ > + ops = rte_mempool_get_ops(pool->ops_index); > + buf_cnt1 = ops->get_count(pool); > + > + if (rte_pktmbuf_alloc_bulk(pool, src, NR_MBUF) != 0) > + ERR_RETURN("alloc src mbufs failed.\n"); [Anoob] The memory is not freed in case of errors. May be you can free them in the end and use goto as required. > + > + if ((buf_cnt1 - NR_MBUF) != ops->get_count(pool)) > + ERR_RETURN("Buffer count check failed.\n"); > + > + for (i = 0; i < NR_MBUF; i++) { > + ret = rte_dma_copy(dev_id, vchan, > rte_mbuf_data_iova(src[i]), > + rte_mbuf_data_iova(dst[i]), COPY_LEN, > + RTE_DMA_OP_FLAG_FREE_SBUF); > + > + if (ret < 0) > + ERR_RET
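Review bot: The buffer accounting in test_sbuf_free() samples the pool with ops->get_count(pool) before and after rte_pktmbuf_alloc_bulk(pool, src, NR_MBUF) and expects the difference to be exactly NR_MBUF. If `pool` is created with a per-lcore cache, the bulk allocation can be served partly or wholly from that cache, or can trigger a cache refill that takes more than NR_MBUF objects from the backing store, so the "Buffer count check failed." branch can fire on a correctly working driver. Comparing rte_mempool_avail_count() before and after, or creating the pool used by this test with a cache size of 0, removes the dependency on cache state. Separately, `#define NR_MBUF 256` inside the function body stays defined for the rest of the file; placing it next to COPY_LEN and TEST_RINGSIZE would be cleaner.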
RE: [EXT] [PATCH v4 0/2] crypto/scheduler: add support for DOCSIS security protocol
> --
> This patchset adds support to the cryptodev scheduler PMD and unit tests
> for the DOCSIS security protocol. Support for other stateless security
> protocols can be added in the future as required with relative ease now that
> the framework is in place.
>
> v4:
> * Address review comments from Anoob
> * Remove unnecessary pointer type casting
> * Free capability and worker name memory if memory allocation fails
>   during scheduler PMD creation
> * Use RTE_MAX when getting max worker session size
>
> v3:
> * Limit support to the DOCSIS security protocol only
>
> v2:
> * Improve inclusion of rte_security header files
> * Fix typo in commit message
>
> Series-acked-by: Ciara Power
>
> David Coyle (2):
>   crypto/scheduler: support DOCSIS security protocol
>   test/crypto: add DOCSIS security tests for cryptodev scheduler
>
>  app/test/test_cryptodev.c | 12 +-
>  doc/guides/rel_notes/release_23_11.rst | 4 +
>  drivers/crypto/scheduler/meson.build | 2 +-
>  .../scheduler/rte_cryptodev_scheduler.c | 218 ++-
>  drivers/crypto/scheduler/scheduler_failover.c | 12 +-
>  .../crypto/scheduler/scheduler_multicore.c | 10 +-
>  .../scheduler/scheduler_pkt_size_distr.c | 54 +--
>  drivers/crypto/scheduler/scheduler_pmd.c | 59 ++-
>  drivers/crypto/scheduler/scheduler_pmd_ops.c | 370 +-
>  .../crypto/scheduler/scheduler_pmd_private.h | 155 +---
>  .../crypto/scheduler/scheduler_roundrobin.c | 6 +-
>  11 files changed, 668 insertions(+), 234 deletions(-)
>
> --

Series Acked-by: Anoob Joseph
RE: [RFC PATCH 2/3] security: add TLS record processing
Hi Harry,

Thanks for the review. Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Van Haaren, Harry
> Sent: Wednesday, September 20, 2023 2:53 PM
> To: Anoob Joseph; Thomas Monjalon; Akhil Goyal; Jerin Jacob Kollanukkaran;
> Konstantin Ananyev
> Cc: Hemant Agrawal; dev@dpdk.org; Matz, Olivier; Vidya Sagar Velumuri
> Subject: [EXT] RE: [RFC PATCH 2/3] security: add TLS record processing
>
> External Email
>
> --
> > -----Original Message-----
> > From: Anoob Joseph
> > Sent: Friday, August 11, 2023 8:17 AM
> > To: Thomas Monjalon; Akhil Goyal; Jerin Jacob; Konstantin Ananyev
> > Cc: Hemant Agrawal; dev@dpdk.org; Matz, Olivier; Vidya Sagar Velumuri
> > Subject: [RFC PATCH 2/3] security: add TLS record processing
> >
> > Add Transport Layer Security (TLS) and Datagram Transport Layer
> > Security (DTLS). The protocols provide communications privacy for L4
> > protocols such as TCP & UDP.
> >
> > TLS (and DTLS) protocol is composed of two layers,
> > 1. TLS Record Protocol
> > 2. TLS Handshake Protocol
> >
> > While TLS Handshake Protocol helps in establishing security parameters
> > by which client and server can communicate, TLS Record Protocol
> > provides the connection security. TLS Record Protocol leverages
> > symmetric cryptographic operations such as data encryption and
> > authentication for providing security to the communications.
> >
> > Cryptodevs that are capable of offloading TLS Record Protocol may
> > perform other operations like IV generation, header insertion, atomic
> > sequence number updates and anti-replay window check in addition to
> > cryptographic transformations.
> >
> > The support is added for TLS 1.2, TLS 1.3 and DTLS 1.2.
>
> From the code below, my understanding is that *ONLY* the record layer is
> being added/supported? The difference is described well above, but the
> intended support added is not clearly defined.
>
> Suggest reword the last line to clarify:
> "Support for TLS record protocol is added for TLS 1.2, TLS 1.3 and DTLS 1.2."

[Anoob] Indeed. Will reword as suggested.

> >
> > Signed-off-by: Akhil Goyal
> > Signed-off-by: Anoob Joseph
> > Signed-off-by: Vidya Sagar Velumuri
> > ---
> >  doc/guides/prog_guide/rte_security.rst | 58 +
> >  lib/security/rte_security.c | 4 +
> >  lib/security/rte_security.h | 110 +
> >  3 files changed, 172 insertions(+)
> > > > diff --git a/doc/guides/prog_guide/rte_security.rst > > b/doc/guides/prog_guide/rte_security.rst > > index 7418e35c1b..7716d7239f 100644 > > --- a/doc/guides/prog_guide/rte_security.rst > > +++ b/doc/guides/prog_guide/rte_security.rst > > @@ -399,6 +399,64 @@ The API ``rte_security_macsec_sc_create`` returns > > a handle for SC, and this handle is set in > > ``rte_security_macsec_xform`` to create a MACsec session using > > ``rte_security_session_create``. > > > > +TLS-Record Protocol > > +~~~ > > + > > +The Transport Layer Protocol provides communications security over > > +the > > Internet. The protocol > > +allows client/server applications to communicate in a way that is > > +designed to > > prevent eavesdropping, > > +tampering, or message forgery. > > + > > +TLS protocol is composed of two layers: the TLS Record Protocol and > > +the TLS > > Handshake Protocol. At > > +the lowest level, layered on top of some reliable transport protocol > > +(e.g., TCP), > > is the TLS Record > > +Protocol. The TLS Record Protocol provides connection security that > > +has two > > basic properties: > > + > > + - The connection is private. Symmetric cryptography is used for data > > + encryption (e.g., AES, DES, etc.). The keys for this symmetric > encryption > > + are generated uniquely for each connection and are based on a secret > > + negotiated by another protocol (such as the TLS Handshake Protocol). > The > > + Record Protocol can also be used without encryption. > > + > > + - The connection is reliable. Message transport includes a message > > + integrity check using a keyed MAC. Secure hash functions (e.g., > > + SHA-1, etc.) are used for MAC computations. The Record Protocol > > + can operate without a MAC, but is generally only used in this mode > > +
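Review bot: The first paragraph added under "TLS-Record Protocol" in rte_security.rst opens with "The Transport Layer Protocol"; the word "Security" is missing, and it should read "The Transport Layer Security (TLS) protocol" to match the commit message. The visible text also describes only the TCP-based case ("layered on top of some reliable transport protocol (e.g., TCP)") although the commit message states that DTLS 1.2 is supported, so a sentence covering the datagram variant belongs here. The algorithm examples in the two bullets ("AES, DES", "SHA-1") would be more useful to API users if they named the ciphers and MACs the new xform actually accepts.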
RE: [RFC PATCH 2/3] security: add TLS record processing
Hi Harry,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Van Haaren, Harry
> Sent: Thursday, September 21, 2023 2:09 PM
> To: Anoob Joseph
> Cc: Hemant Agrawal; dev@dpdk.org; Matz, Olivier; Vidya Sagar Velumuri;
> Thomas Monjalon; Akhil Goyal; Jerin Jacob Kollanukkaran; Konstantin Ananyev
> Subject: [EXT] RE: [RFC PATCH 2/3] security: add TLS record processing
>
> External Email
>
> --
> > -----Original Message-----
> > From: Anoob Joseph
> > Sent: Wednesday, September 20, 2023 12:52 PM
> > To: Van Haaren, Harry
> > Cc: Hemant Agrawal; dev@dpdk.org; Matz, Olivier; Vidya Sagar Velumuri;
> > Thomas Monjalon; Akhil Goyal; Jerin Jacob Kollanukkaran; Konstantin Ananyev
> > Subject: RE: [RFC PATCH 2/3] security: add TLS record processing
> >
> > Hi Harry,
> >
> > Thanks for the review. Please see inline.
> >
> > Thanks,
> > Anoob
> >
> > > -----Original Message-----
> > > From: Van Haaren, Harry
> > > Sent: Wednesday, September 20, 2023 2:53 PM
> > > To: Anoob Joseph; Thomas Monjalon; Akhil Goyal; Jerin Jacob
> > > Kollanukkaran; Konstantin Ananyev
> > > Cc: Hemant Agrawal; dev@dpdk.org; Matz, Olivier; Vidya Sagar Velumuri
> > > Subject: [EXT] RE: [RFC PATCH 2/3] security: add TLS record
> > > processing
> > >
> > > External Email
> > >
> > > --
> > > > -----Original Message-----
> > > > From: Anoob Joseph
> > > > Sent: Friday, August 11, 2023 8:17 AM
> > > > To: Thomas Monjalon; Akhil Goyal; Jerin Jacob; Konstantin Ananyev
> > > > Cc: Hemant Agrawal; dev@dpdk.org; Matz, Olivier; Vidya Sagar Velumuri
> > > > Subject: [RFC PATCH 2/3] security: add TLS record processing
> > > >
> > > > Add Transport Layer Security (TLS) and Datagram Transport Layer
> > > > Security (DTLS). The protocols provide communications privacy for
> > > > L4 protocols such as TCP & UDP.
> > > >
> > > > TLS (and DTLS) protocol is composed of two layers,
> > > > 1. TLS Record Protocol
> > > > 2. TLS Handshake Protocol
> > > >
> > > > While TLS Handshake Protocol helps in establishing security
> > > > parameters by which client and server can communicate, TLS Record
> > > > Protocol provides the connection security. TLS Record Protocol
> > > > leverages symmetric cryptographic operations such as data
> > > > encryption and authentication for providing security to the
> > > > communications.
> > > >
> > > > Cryptodevs that are capable of offloading TLS Record Protocol may
> > > > perform other operations like IV generation, header insertion,
> > > > atomic sequence number updates and anti-replay window check in
> > > > addition to cryptographic transformations.
> > > >
> > > > The support is added for TLS 1.2, TLS 1.3 and DTLS 1.2.
> > >
> > > From the code below, my understanding is that *ONLY* the record
> > > layer is being added/supported? The difference is described well
> > > above, but the intended support added is not clearly defined.
> > >
> > > Suggest reword the last line to clarify:
> > > "Support for TLS record protocol is added for TLS 1.2, TLS 1.3 and
> > > DTLS 1.2."
> >
> > [Anoob] Indeed. Will reword as suggested.
>
> Thanks.
>
> > > > Signed-off-by: Akhil Goyal
> > > > Signed-off-by: Anoob Joseph
> > > > Signed-off-by: Vidya Sagar Velumuri > > > > --- > > > > doc/guides/prog_guide/rte_security.rst | 58 + > > > > lib/security/rte_security.c| 4 + > > > > lib/security/rte_security.h| 110 + > > > > 3 files changed, 172 insertions(+) > > > > > > > > diff --git a/doc/guides/prog_guide/rte_security.rst > > > > b/doc/guides/prog_guide/rte_security.rst > > > > index 7418e35c1b..7716d7239f 100644 > > > > --- a/doc/guides/prog_guide/rte_security.rst > > > > +++ b/doc/guides/prog_guide/rte_security.rst > > > > @@ -399,6 +399,64 @@ The API ``rte_security_ma
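The anti-replay window check that the commit message quoted above lists among the operations a record offload may perform, shown as an added example for DTLS 1.2 sequence numbers; it is not code from the patch or from DPDK. The names `ar_window`, `ar_check`, `ar_update` and `ar_receive`, the 64-record window width and the sample traffic are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Window width in records. 64 is an assumed value, chosen so that the
 * window fits in one machine word. */
#define AR_WIN_SIZE 64u

enum ar_verdict { AR_OK = 0, AR_TOO_OLD, AR_REPLAY, AR_BAD_MAC };

/* Per-epoch receive state (hypothetical layout, not a DPDK structure). */
struct ar_window {
	uint64_t top;    /* highest sequence number authenticated so far */
	uint64_t bitmap; /* bit i set: record (top - i) was already accepted */
	bool seen_any;   /* false until the first record has been accepted */
};

/* Constructed stand-in for a received record: the sequence number from the
 * record header and the outcome of MAC/AEAD verification. */
struct rec {
	uint64_t seq;
	bool mac_ok;
};

/* Read-only check, done before spending cycles on decryption. */
static enum ar_verdict
ar_check(const struct ar_window *w, uint64_t seq)
{
	uint64_t diff;

	if (!w->seen_any || seq > w->top)
		return AR_OK;      /* right of the window: new record */
	diff = w->top - seq;
	if (diff >= AR_WIN_SIZE)
		return AR_TOO_OLD; /* left of the window: can no longer be tracked */
	if (w->bitmap & (1ull << diff))
		return AR_REPLAY;  /* inside the window and already accepted */
	return AR_OK;
}

/* State update. Must run only for records whose MAC has been verified. */
static void
ar_update(struct ar_window *w, uint64_t seq)
{
	if (!w->seen_any) {
		w->top = seq;
		w->bitmap = 1;
		w->seen_any = true;
	} else if (seq > w->top) {
		uint64_t shift = seq - w->top;

		/* Shifting a 64-bit value by 64 or more is undefined in C. */
		w->bitmap = (shift >= AR_WIN_SIZE) ? 0 : w->bitmap << shift;
		w->bitmap |= 1;
		w->top = seq;
	} else if (w->top - seq < AR_WIN_SIZE) {
		w->bitmap |= 1ull << (w->top - seq);
	}
}

/* Full receive path: check, authenticate, then (and only then) update. */
static enum ar_verdict
ar_receive(struct ar_window *w, const struct rec *r)
{
	enum ar_verdict v = ar_check(w, r->seq);

	if (v != AR_OK)
		return v;
	if (!r->mac_ok)
		return AR_BAD_MAC; /* window untouched: a forged seq cannot slide it */
	ar_update(w, r->seq);
	return AR_OK;
}

int
main(void)
{
	static const char *const name[] = { "ok", "too-old", "replay", "bad-mac" };
	/* Constructed sample traffic: reordering, a replay, a forged record
	 * with a far-ahead sequence number, and records at the window edge. */
	const struct rec in[] = {
		{ 1, true }, { 3, true }, { 2, true }, { 3, true },
		{ 1000, false }, { 4, true }, { 100, true },
		{ 36, true }, { 37, true },
	};
	struct ar_window w = { 0 };
	size_t i;

	for (i = 0; i < sizeof(in) / sizeof(in[0]); i++)
		printf("seq %4llu -> %s\n", (unsigned long long)in[i].seq,
		       name[ar_receive(&w, &in[i])]);
	return 0;
}
```

The forged record with sequence number 1000 is the case to watch: had the window been advanced before authentication, the genuine record 4 that follows would have been dropped as too old.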
RE: [PATCH v2 00/15] fixes and improvements to cnxk crypto PMD
> This series adds improvements and support for raw cryptodev API in cnxk
> crypto PMD.
>
> v2:
> * Updated feature file for cn10k
> * Updated commit message
>
> Aakash Sasidharan (1):
>   crypto/cnxk: add support for packets with cipher len zero
>
> Anoob Joseph (4):
>   crypto/cnxk: clear rptr and dptr fields
>   common/cnxk: set cipher key only for non-null cipher
>   crypto/cnxk: add support for raw APIs
>   test/crypto: enable raw crypto tests for crypto_cn10k
>
> Gowrishankar Muthukrishnan (1):
>   crypto/cnxk: update private key length in ECDSA param
>
> Tejasree Kondoj (4):
>   crypto/cnxk: fix IPsec CCM and GCM capabilities
>   crypto/cnxk: remove pdcp chain bit from capabilities
>   crypto/cnxk: make IV pointers as constant
>   crypto/cnxk: set PDCP chain IV offset based on FVC
>
> Vidya Sagar Velumuri (5):
>   common/cnxk: update SE context fields to match ucode spec
>   crypto/cnxk: check for sg version in SE engine capabilities
>   crypto/cnxk: fix control flow issues
>   crypto/cnxk: minor shuffling in the sess structure
>   crypto/cnxk: update the iv from proper param for gmac
>
>  app/test/test_cryptodev.c | 8 +
>  doc/guides/cryptodevs/features/cn10k.ini | 1 +
>  drivers/common/cnxk/hw/cpt.h | 7 +-
>  drivers/common/cnxk/roc_se.c | 11 +-
>  drivers/common/cnxk/roc_se.h | 15 +-
>  drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 461 +++
>  drivers/crypto/cnxk/cnxk_ae.h | 4 +-
>  drivers/crypto/cnxk/cnxk_cryptodev.c | 20 +-
>  .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 10 +-
>  drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 13 +-
>  drivers/crypto/cnxk/cnxk_cryptodev_ops.h | 6 +-
>  drivers/crypto/cnxk/cnxk_se.h | 527 ++
>  12 files changed, 937 insertions(+), 146 deletions(-)
>
> --
> 2.25.1

Series Acked-by: Anoob Joseph
RE: [PATCH] test/pdcp: add data walkthrough test
> Enable data walkthrough test in combined mode.
> The test covers data size ranging from 0B to 9000B both inclusive.
>
> Signed-off-by: Aakash Sasidharan

Acked-by: Anoob Joseph
RE: [PATCH v3 0/2] offload support to free dma source buffer
> This series adds offload support to free source buffer in dma library and adds
> a test support in dmadev_autotest to validate the functionality.
>
> v3:
> - Removed unwanted comment from code.
>
> v2:
> - Resolved review comments.
> - Fixed compilation issue.
>
> v1:
> - Implementation from RFC.
> - Add test support to validate functionality.
>
> Amit Prakash Shukla (2):
>   dmadev: offload to free source buffer
>   test/dma: add source buffer offload free test
>
>  app/test/test_dmadev.c | 166 +++-
>  lib/dmadev/rte_dmadev.h | 27 +++
>  2 files changed, 192 insertions(+), 1 deletion(-)
>
> --
> 2.25.1

Series Acked-by: Anoob Joseph
RE: [PATCH v3 2/2] test/dma: add source buffer offload free test
> Add a test case to validate the functionality of drivers' dma source buffer
> offload free. As part of dmadev_autotest, test case will be executed only if
> the driver supports source buffer offload free and if the test is exported by
> env variable DPDK_ADD_DMA_TEST.
>
> Signed-off-by: Amit Prakash Shukla

Acked-by: Anoob Joseph
Re: [dpdk-dev] [PATCH 05/20] crypto/cnxk: add queue pair ops
Hi Akhil, Please see inline. Thanks, Anoob > -Original Message- > From: Akhil Goyal > Sent: Wednesday, June 16, 2021 4:36 PM > To: Anoob Joseph ; Thomas Monjalon > > Cc: Ankur Dwivedi ; Jerin Jacob Kollanukkaran > ; Tejasree Kondoj ; > dev@dpdk.org; Anoob Joseph ; Archana Muniganti > > Subject: RE: [PATCH 05/20] crypto/cnxk: add queue pair ops > > > diff --git a/drivers/crypto/cnxk/cnxk_cpt_ops_helper.c > > b/drivers/crypto/cnxk/cnxk_cpt_ops_helper.c > > new file mode 100644 > > index 000..103195e > > --- /dev/null > > +++ b/drivers/crypto/cnxk/cnxk_cpt_ops_helper.c > > @@ -0,0 +1,28 @@ > > +/* SPDX-License-Identifier: BSD-3-Clause > > + * Copyright(C) 2021 Marvell. > > + */ > > + > > +#include > > + > > +#include "hw/cpt.h" > > +#include "roc_api.h" > > + > > +#include "cnxk_cpt_ops_helper.h" > > + > > +int > > +cnxk_cpt_ops_helper_get_mlen(void) > > +{ > > + uint32_t len; > > + > > + /* For MAC */ > > + len = 2 * sizeof(uint64_t); > > + len += ROC_SE_MAX_MAC_LEN * sizeof(uint8_t); > > + > > + len += CPT_OFFSET_CONTROL_BYTES + CPT_MAX_IV_LEN; > > + len += RTE_ALIGN_CEIL((ROC_SE_SG_LIST_HDR_SIZE + > > + > > (RTE_ALIGN_CEIL(ROC_SE_MAX_SG_IN_OUT_CNT, 4) >> > > + 2) * SG_ENTRY_SIZE), > > + 8); > > + > > + return len; > > +} > > diff --git a/drivers/crypto/cnxk/cnxk_cpt_ops_helper.h > > b/drivers/crypto/cnxk/cnxk_cpt_ops_helper.h > > new file mode 100644 > > index 000..23c6fed > > --- /dev/null > > +++ b/drivers/crypto/cnxk/cnxk_cpt_ops_helper.h 
> > @@ -0,0 +1,20 @@ > > +/* SPDX-License-Identifier: BSD-3-Clause > > + * Copyright(C) 2021 Marvell. > > + */ > > + > > +#ifndef _CNXK_CPT_OPS_HELPER_H_ > > +#define _CNXK_CPT_OPS_HELPER_H_ > > + > > +#define CPT_MAX_IV_LEN 16 > > +#define CPT_OFFSET_CONTROL_BYTES 8 > > +#define SG_ENTRY_SIZE sizeof(struct roc_se_sglist_comp) > > + > > +/* > > + * Get size of contiguous meta buffer to be allocated > > + * > > + * @return > > + * - length > > + */ > > +int cnxk_cpt_ops_helper_get_mlen(void); > > + > > +#endif /* _CNXK_CPT_OPS_HELPER_H_ */ > > Why do we need these separate helper files. It has only one function and few > Macros which can be easily moved to > drivers/crypto/cnxk/cnxk_cryptodev_ops.c/.h > [Anoob] Yes. This can be removed. Will move to cnxk_cryptodev_ops.c as the macros are not used elsewhere.
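Review bot: cnxk_cpt_ops_helper_get_mlen() accumulates the size in `uint32_t len` but is declared to return `int`, so the value changes signedness at the `return len;`. Since the result is the size of a meta buffer the caller goes on to allocate, declaring the function as returning `uint32_t` (or `size_t`) in both the .c and .h keeps the type consistent from computation to allocation. In the new header, SG_ENTRY_SIZE expands to sizeof(struct roc_se_sglist_comp) although the header includes nothing that declares that struct, so it only compiles when roc_api.h happens to be included first; and the "@return - length" comment should state that the unit is bytes.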
Re: [dpdk-dev] [PATCH 3/4] crypto/cnxk: add security session ops
Hi Akhil, Please see inline. Thanks, Anoob > -Original Message- > From: Akhil Goyal > Sent: Thursday, June 17, 2021 1:41 AM > To: Anoob Joseph ; Thomas Monjalon > > Cc: Tejasree Kondoj ; Jerin Jacob Kollanukkaran > ; Ankur Dwivedi ; > dev@dpdk.org; Anoob Joseph ; Archana Muniganti > ; Srujana Challa > Subject: RE: [PATCH 3/4] crypto/cnxk: add security session ops > > > diff --git a/drivers/crypto/cnxk/meson.build > > b/drivers/crypto/cnxk/meson.build index ab45483..eea08fa 100644 > > --- a/drivers/crypto/cnxk/meson.build > > +++ b/drivers/crypto/cnxk/meson.build > > @@ -13,6 +13,7 @@ sources = files( > > 'cn9k_cryptodev_ops.c', > > 'cn10k_cryptodev.c', > > 'cn10k_cryptodev_ops.c', > > +'cn10k_ipsec.c', > > 'cnxk_cpt_ops_helper.c', > > 'cnxk_cryptodev.c', > > 'cnxk_cryptodev_capabilities.c', @@ -20,4 +21,4 @@ sources = > > files( > > 'cnxk_cryptodev_sec.c', > > ) > > > > -deps += ['bus_pci', 'common_cnxk', 'security'] > > +deps += ['bus_pci', 'common_cnxk', 'security', 'rte_net'] > > -- > This should be 'net' and not 'rte_net'. > Do we really need this dependency? [Anoob] It was required since we had a dependency on rte_esp.h. But, as you said, we don't need to make it as dependency on 'net'. Something like, includes += include_directories('../../../lib/net') Is good enough. Will have this changed so.
[dpdk-dev] [PATCH v2 00/17] Add CPT in Marvell CNXK common driver
This patchset adds initial support for CPT in common code for Marvell CN10K
SoC.

CPT is the hardware cryptographic block available in 'cnxk' family SoC. CPT,
with its microcoded engines can support symmetric, asymmetric and IPsec
operations. CPT can associate with NIX (rte_ethdev) to enable inline IPsec
functionality. Similarly, CPT can associate with SSO (rte_eventdev) to
enable crypto adapter.

Based on CNXK common driver, new crypto PMDs would be added under
'crypto/cnxk'.

Changes in v2
- Moved FPM & EC tables to RoC
- Moved set_key routines to RoC
- Added inline IPsec required mboxes and framework
- Added security common code
- Added plt_dp_* log based on Akhil's comment

Aakash Sasidharan (2):
  common/cnxk: add CPT diagnostics
  common/cnxk: add CPT LF flush

Ankur Dwivedi (1):
  common/cnxk: add SE set key functions in roc

Anoob Joseph (3):
  common/cnxk: add CPT dev config routines
  common/cnxk: add idev CPT set - get
  common/cnxk: add lmtline init

Archana Muniganti (1):
  common/cnxk: add CPT LF config

Kiran Kumar Kokkilagadda (4):
  common/cnxk: add SE microcode defines
  common/cnxk: add AE microcode defines
  common/cnxk: add fpm tables
  common/cnxk: add EC grp static vectors

Srujana Challa (3):
  common/cnxk: update Rx inline IPsec mbox message format
  common/cnxk: add IE microcode defines
  common/cnxk: add IPsec common code

Vidya Sagar Velumuri (3):
  common/cnxk: add CPT HW defines
  common/cnxk: add mbox to configure RXC
  common/cnxk: add inline IPsec configuration mbox

 drivers/common/cnxk/cnxk_security.c | 468 +
 drivers/common/cnxk/cnxk_security.h | 49 ++
 drivers/common/cnxk/hw/cpt.h | 291
 drivers/common/cnxk/meson.build | 11 +-
 drivers/common/cnxk/roc_ae.c | 142
 drivers/common/cnxk/roc_ae.h | 63 ++
 drivers/common/cnxk/roc_ae_fpm_tables.c | 1140 +++
 drivers/common/cnxk/roc_ae_fpm_tables.h | 13 +
 drivers/common/cnxk/roc_api.h | 16 +
 drivers/common/cnxk/roc_cpt.c | 828 ++
 drivers/common/cnxk/roc_cpt.h | 145
 drivers/common/cnxk/roc_cpt_debug.c | 167 +
 drivers/common/cnxk/roc_cpt_priv.h | 41 ++
 drivers/common/cnxk/roc_dev.c | 2 +
 drivers/common/cnxk/roc_dev_priv.h | 1 +
 drivers/common/cnxk/roc_idev.c | 21 +
 drivers/common/cnxk/roc_idev.h | 3 +
 drivers/common/cnxk/roc_idev_priv.h | 2 +
 drivers/common/cnxk/roc_ie.h | 19 +
 drivers/common/cnxk/roc_ie_on.h | 152 +
 drivers/common/cnxk/roc_ie_ot.h | 534 +++
 drivers/common/cnxk/roc_mbox.h | 3 +
 drivers/common/cnxk/roc_platform.c | 1 +
 drivers/common/cnxk/roc_platform.h | 9 +
 drivers/common/cnxk/roc_priv.h | 3 +
 drivers/common/cnxk/roc_se.c | 342 ++
 drivers/common/cnxk/roc_se.h | 275
 drivers/common/cnxk/version.map | 32 +
 28 files changed, 4772 insertions(+), 1 deletion(-)
 create mode 100644 drivers/common/cnxk/cnxk_security.c
 create mode 100644 drivers/common/cnxk/cnxk_security.h
 create mode 100644 drivers/common/cnxk/hw/cpt.h
 create mode 100644 drivers/common/cnxk/roc_ae.c
 create mode 100644 drivers/common/cnxk/roc_ae.h
 create mode 100644 drivers/common/cnxk/roc_ae_fpm_tables.c
 create mode 100644 drivers/common/cnxk/roc_ae_fpm_tables.h
 create mode 100644 drivers/common/cnxk/roc_cpt.c
 create mode 100644 drivers/common/cnxk/roc_cpt.h
 create mode 100644 drivers/common/cnxk/roc_cpt_debug.c
 create mode 100644 drivers/common/cnxk/roc_cpt_priv.h
 create mode 100644 drivers/common/cnxk/roc_ie.h
 create mode 100644 drivers/common/cnxk/roc_ie_on.h
 create mode 100644 drivers/common/cnxk/roc_ie_ot.h
 create mode 100644 drivers/common/cnxk/roc_se.c
 create mode 100644 drivers/common/cnxk/roc_se.h

--
2.7.4
[dpdk-dev] [PATCH v2 01/17] common/cnxk: add CPT HW defines
From: Vidya Sagar Velumuri Add CPT hardware definitions. CPT is the hardware block on cnxk family of processors, that can be used to offload cryptographic operations. Signed-off-by: Anoob Joseph Signed-off-by: Vidya Sagar Velumuri --- drivers/common/cnxk/hw/cpt.h | 291 ++ drivers/common/cnxk/roc_api.h | 6 + 2 files changed, 297 insertions(+) create mode 100644 drivers/common/cnxk/hw/cpt.h diff --git a/drivers/common/cnxk/hw/cpt.h b/drivers/common/cnxk/hw/cpt.h new file mode 100644 index 000..84ebf2d --- /dev/null +++ b/drivers/common/cnxk/hw/cpt.h 
@@ -0,0 +1,291 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CPT_HW_H__ +#define __CPT_HW_H__ + +/* Register offsets */ + +#define CPT_COMP_NOT_DONE (0x0ull) +#define CPT_COMP_GOOD(0x1ull) +#define CPT_COMP_FAULT (0x2ull) +#define CPT_COMP_SWERR (0x3ull) +#define CPT_COMP_HWERR (0x4ull) +#define CPT_COMP_INSTERR (0x5ull) +#define CPT_COMP_WARN(0x6ull) /* [CN10K, .) */ + +#define CPT_LF_INT_VEC_MISC(0x0ull) +#define CPT_LF_INT_VEC_DONE(0x1ull) +#define CPT_LF_CTL (0x10ull) +#define CPT_LF_DONE_WAIT (0x30ull) +#define CPT_LF_INPROG (0x40ull) +#define CPT_LF_DONE(0x50ull) +#define CPT_LF_DONE_ACK(0x60ull) +#define CPT_LF_DONE_INT_ENA_W1S (0x90ull) +#define CPT_LF_DONE_INT_ENA_W1C (0xa0ull) +#define CPT_LF_MISC_INT(0xb0ull) +#define CPT_LF_MISC_INT_W1S(0xc0ull) +#define CPT_LF_MISC_INT_ENA_W1S (0xd0ull) +#define CPT_LF_MISC_INT_ENA_W1C (0xe0ull) +#define CPT_LF_Q_BASE (0xf0ull) +#define CPT_LF_Q_SIZE (0x100ull) +#define CPT_LF_Q_INST_PTR (0x110ull) +#define CPT_LF_Q_GRP_PTR (0x120ull) +#define CPT_LF_NQX(a) (0x400ull | (uint64_t)(a) << 3) +#define CPT_LF_CTX_CTL (0x500ull) +#define CPT_LF_CTX_FLUSH (0x510ull) +#define CPT_LF_CTX_ERR (0x520ull) +#define CPT_LF_CTX_ENC_BYTE_CNT (0x530ull) +#define CPT_LF_CTX_ENC_PKT_CNT (0x540ull) +#define CPT_LF_CTX_DEC_BYTE_CNT (0x550ull) +#define CPT_LF_CTX_DEC_PKT_CNT (0x560ull) + +#define CPT_AF_LFX_CTL(a) (0x27000ull | (uint64_t)(a) << 3) +#define CPT_AF_LFX_CTL2(a) (0x29000ull | (uint64_t)(a) << 3) + +/* Structures definitions */ + +union cpt_lf_ctl { + uint64_t u; + struct cpt_lf_ctl_s { + uint64_t ena : 1; + uint64_t fc_ena : 1; + uint64_t fc_up_crossing : 1; + uint64_t reserved_3_3 : 1; + uint64_t fc_hyst_bits : 4; + uint64_t reserved_8_63 : 56; + } s; +}; + +union cpt_lf_ctx_flush { + uint64_t u; + struct { + uint64_t cptr : 46; + uint64_t inval : 1; + uint64_t res : 1; + uint64_t pf_func : 16; + } s; +}; + +union cpt_lf_inprog { + uint64_t u; + struct cpt_lf_inprog_s { + 
uint64_t inflight : 9; + uint64_t reserved_9_15 : 7; + uint64_t eena : 1; + uint64_t grp_drp : 1; + uint64_t reserved_18_30 : 13; + uint64_t grb_partial : 1; + uint64_t grb_cnt : 8; + uint64_t gwb_cnt : 8; + uint64_t reserved_48_63 : 16; + } s; +}; + +union cpt_lf_q_base { + uint64_t u; + struct cpt_lf_q_base_s { + uint64_t fault : 1; + uint64_t stopped : 1; + uint64_t reserved_2_6 : 5; + uint64_t addr : 46; + uint64_t reserved_53_63 : 11; + } s; +}; + +union cpt_lf_q_size { + uint64_t u; + struct cpt_lf_q_size_s { + uint64_t size_div40 : 15; + uint64_t reserved_15_63 : 49; + } s; +}; + +union cpt_lf_misc_int { + uint64_t u; + struct cpt_lf_misc_int_s { + uint64_t reserved_0_0 : 1; + uint64_t nqerr : 1; + uint64_t irde : 1; + uint64_t nwrp : 1; + uint64_t reserved_4_4 : 1; + uint64_t hwerr : 1; + uint64_t fault : 1; + uint64_t reserved_7_63 : 57; + } s; +}; + +union cpt_inst_w4 { + uint64_t u64; + struct { + uint64_t dlen : 16; + uint64_t param2 : 16; + uint64_t param1 : 16; + uint64_t opcode_major : 8; + uint64_t opcode_minor : 8; + } s; +}; + +union cpt_inst_w7 { + uint64_t u64; + struct { + uint64_t cptr : 60; + uint64_t ctx_val : 1; + uint64_t egrp : 3; + } s; +}; + +struct cpt_inst_s { + union cpt_inst_w0 { + struct { + uint64_t nixtxl : 3; + uint64_t doneint : 1; + uint64_t nixtx_addr : 60; + } s; + uint64_t u64; + } w0; + +
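Review bot: The "/* Register offsets */" comment at the top of cpt.h sits directly above the CPT_COMP_* values (NOT_DONE, GOOD, FAULT, SWERR, ...), which read as completion status codes rather than offsets; give that group its own comment and move "Register offsets" down to the CPT_LF_* block. The register unions name the raw 64-bit view `u` (cpt_lf_ctl, cpt_lf_ctx_flush, cpt_lf_q_base, ...) while the instruction words name it `u64` (cpt_inst_w4, cpt_inst_w7, cpt_inst_w0); one name throughout would save callers from checking each definition. CPT_LF_NQX(a), CPT_AF_LFX_CTL(a) and CPT_AF_LFX_CTL2(a) depend on `<<` binding tighter than `|`; writing `(0x400ull | ((uint64_t)(a) << 3))` makes the intent explicit. The header also uses uint64_t without including <stdint.h>, so it relies on the include order in roc_api.h.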
[dpdk-dev] [PATCH v2 02/17] common/cnxk: update Rx inline IPsec mbox message format
From: Srujana Challa Updates Rx inline IPSEC mailbox message format to make it sync with latest CPT PF driver. Signed-off-by: Srujana Challa --- drivers/common/cnxk/roc_mbox.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h index f6b11b6..fe4df21 100644 --- a/drivers/common/cnxk/roc_mbox.h +++ b/drivers/common/cnxk/roc_mbox.h @@ -1328,6 +1328,9 @@ struct cpt_rxc_time_cfg_req { struct cpt_rx_inline_lf_cfg_msg { struct mbox_msghdr hdr; uint16_t __io sso_pf_func; + uint16_t __io param1; + uint16_t __io param2; + uint16_t __io reserved; }; enum cpt_eng_type { -- 2.7.4
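Review bot: The three fields added to struct cpt_rx_inline_lf_cfg_msg (`param1`, `param2`, `reserved`) have no comments, and the commit message only says the layout follows the latest CPT PF driver. Since this struct is a mailbox message whose layout has to match the PF side exactly, please document what param1 and param2 carry (or point to the definition they mirror), and state that `reserved` is sent as zero. It would also help to say in the commit message what happens when the new, longer message is sent to a PF driver that still expects the old format.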
[dpdk-dev] [PATCH v2 03/17] common/cnxk: add CPT dev config routines
Add routines to init, fini, configure & clear CPT device. Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Vidya Sagar Velumuri --- drivers/common/cnxk/meson.build| 1 + drivers/common/cnxk/roc_api.h | 3 + drivers/common/cnxk/roc_cpt.c | 308 + drivers/common/cnxk/roc_cpt.h | 37 + drivers/common/cnxk/roc_cpt_priv.h | 37 + drivers/common/cnxk/roc_dev.c | 2 + drivers/common/cnxk/roc_dev_priv.h | 1 + drivers/common/cnxk/roc_platform.c | 1 + drivers/common/cnxk/roc_platform.h | 8 + drivers/common/cnxk/roc_priv.h | 3 + drivers/common/cnxk/version.map| 6 + 11 files changed, 407 insertions(+) create mode 100644 drivers/common/cnxk/roc_cpt.c create mode 100644 drivers/common/cnxk/roc_cpt.h create mode 100644 drivers/common/cnxk/roc_cpt_priv.h diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build index 178bce7..739e0e4 100644 --- a/drivers/common/cnxk/meson.build +++ b/drivers/common/cnxk/meson.build @@ -11,6 +11,7 @@ endif config_flag_fmt = 'RTE_LIBRTE_@0@_COMMON' deps = ['eal', 'pci', 'bus_pci', 'mbuf'] sources = files( +'roc_cpt.c', 'roc_dev.c', 'roc_idev.c', 'roc_irq.c', diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h index 049854d..88a5611 100644 --- a/drivers/common/cnxk/roc_api.h +++ b/drivers/common/cnxk/roc_api.h @@ -106,4 +106,7 @@ /* Idev */ #include "roc_idev.h" +/* CPT */ +#include "roc_cpt.h" + #endif /* _ROC_API_H_ */ diff --git a/drivers/common/cnxk/roc_cpt.c b/drivers/common/cnxk/roc_cpt.c new file mode 100644 index 000..2376125 --- /dev/null +++ b/drivers/common/cnxk/roc_cpt.c 
@@ -0,0 +1,308 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include "roc_api.h" +#include "roc_priv.h" + +int +cpt_get_msix_offset(struct dev *dev, struct msix_offset_rsp **msix_rsp) +{ + struct mbox *mbox = dev->mbox; + int rc; + + /* Get MSIX vector offsets */ + mbox_alloc_msg_msix_offset(mbox); + rc = mbox_process_msg(mbox, (void *)msix_rsp); + + return rc; +} + +int +cpt_lfs_attach(struct dev *dev, uint8_t blkaddr, bool modify, uint16_t nb_lf) +{ + struct mbox *mbox = dev->mbox; + struct rsrc_attach_req *req; + + if (blkaddr != RVU_BLOCK_ADDR_CPT0 && blkaddr != RVU_BLOCK_ADDR_CPT1) + return -EINVAL; + + /* Attach CPT(lf) */ + req = mbox_alloc_msg_attach_resources(mbox); + if (req == NULL) + return -ENOSPC; + + req->cptlfs = nb_lf; + req->modify = modify; + req->cpt_blkaddr = blkaddr; + + return mbox_process(mbox); +} + +int +cpt_lfs_detach(struct dev *dev) +{ + struct mbox *mbox = dev->mbox; + struct rsrc_detach_req *req; + + req = mbox_alloc_msg_detach_resources(mbox); + if (req == NULL) + return -ENOSPC; + + req->cptlfs = 1; + req->partial = 1; + + return mbox_process(mbox); +} + +static int +cpt_available_lfs_get(struct dev *dev, uint16_t *nb_lf) +{ + struct mbox *mbox = dev->mbox; + struct free_rsrcs_rsp *rsp; + int rc; + + mbox_alloc_msg_free_rsrc_cnt(mbox); + + rc = mbox_process_msg(mbox, (void *)&rsp); + if (rc) + return -EIO; + + *nb_lf = rsp->cpt; + return 0; +} + +int +cpt_lfs_alloc(struct dev *dev, uint8_t eng_grpmsk, uint8_t blkaddr, + bool inl_dev_sso) +{ + struct cpt_lf_alloc_req_msg *req; + struct mbox *mbox = dev->mbox; + + if (blkaddr != RVU_BLOCK_ADDR_CPT0 && blkaddr != RVU_BLOCK_ADDR_CPT1) + return -EINVAL; + + PLT_SET_USED(inl_dev_sso); + + req = mbox_alloc_msg_cpt_lf_alloc(mbox); + req->nix_pf_func = 0; + req->sso_pf_func = idev_sso_pffunc_get(); + req->eng_grpmsk = eng_grpmsk; + req->blkaddr = blkaddr; + + return mbox_process(mbox); +} + +int +cpt_lfs_free(struct dev *dev) +{ + 
mbox_alloc_msg_cpt_lf_free(dev->mbox); + + return mbox_process(dev->mbox); +} + +static int +cpt_hardware_caps_get(struct dev *dev, union cpt_eng_caps *hw_caps) +{ + struct cpt_caps_rsp_msg *rsp; + int ret; + + mbox_alloc_msg_cpt_caps_get(dev->mbox); + + ret = mbox_process_msg(dev->mbox, (void *)&rsp); + if (ret) + return -EIO; + + mbox_memcpy(hw_caps, rsp->eng_caps, + sizeof(union cpt_eng_caps) * CPT_MAX_ENG_TYPES); + + return 0; +} + +int +roc_cpt_dev_configure(struct roc_cpt *roc_cpt, int nb_lf) +{ + struct cpt *cpt = roc_cpt_to_cpt_priv(roc_cpt); + uint8_t blkaddr = RVU_BLOCK_ADDR_CPT0; + struct msix_offset_rs
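Review bot: cpt_lfs_alloc() dereferences the result of mbox_alloc_msg_cpt_lf_alloc() without a NULL check (`req->nix_pf_func = 0;` is the first use), while cpt_lfs_attach() and cpt_lfs_detach() in the same file return -ENOSPC when their allocation fails. The same check is needed here; cpt_get_msix_offset(), cpt_available_lfs_get(), cpt_lfs_free() and cpt_hardware_caps_get() likewise ignore the allocation result before calling mbox_process()/mbox_process_msg(). Two smaller points: cpt_lfs_alloc() takes `inl_dev_sso` only to mark it PLT_SET_USED, so either drop the parameter until it is needed or note what it is reserved for; and cpt_hardware_caps_get() copies sizeof(union cpt_eng_caps) * CPT_MAX_ENG_TYPES bytes into `hw_caps`, so the function comment should state that the caller must pass an array of CPT_MAX_ENG_TYPES entries.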
[dpdk-dev] [PATCH v2 04/17] common/cnxk: add idev CPT set - get
Add APIs to set & get CPT device. Signed-off-by: Anoob Joseph --- drivers/common/cnxk/roc_cpt.c | 8 drivers/common/cnxk/roc_idev.c | 21 + drivers/common/cnxk/roc_idev.h | 3 +++ drivers/common/cnxk/roc_idev_priv.h | 2 ++ drivers/common/cnxk/version.map | 2 ++ 5 files changed, 36 insertions(+) diff --git a/drivers/common/cnxk/roc_cpt.c b/drivers/common/cnxk/roc_cpt.c index 2376125..d891a3b 100644 --- a/drivers/common/cnxk/roc_cpt.c +++ b/drivers/common/cnxk/roc_cpt.c @@ -230,6 +230,10 @@ roc_cpt_dev_init(struct roc_cpt *roc_cpt) dev->roc_cpt = roc_cpt; + /* Set it to idev if not already present */ + if (!roc_idev_cpt_get()) + roc_idev_cpt_set(roc_cpt); + return 0; fail: @@ -244,6 +248,10 @@ roc_cpt_dev_fini(struct roc_cpt *roc_cpt) if (cpt == NULL) return -EINVAL; + /* Remove idev references */ + if (roc_idev_cpt_get() == roc_cpt) + roc_idev_cpt_set(NULL); + roc_cpt->nb_lf_avail = 0; roc_cpt->lmt_base = 0; diff --git a/drivers/common/cnxk/roc_idev.c b/drivers/common/cnxk/roc_idev.c index 63cc040..b40ae82 100644 --- a/drivers/common/cnxk/roc_idev.c +++ b/drivers/common/cnxk/roc_idev.c @@ -36,6 +36,7 @@ idev_set_defaults(struct idev_cfg *idev) idev->lmt_pf_func = 0; idev->lmt_base_addr = 0; idev->num_lmtlines = 0; + idev->cpt = NULL; __atomic_store_n(&idev->npa_refcnt, 0, __ATOMIC_RELEASE); } @@ -170,6 +171,26 @@ roc_idev_num_lmtlines_get(void) return num_lmtlines; } +struct roc_cpt * +roc_idev_cpt_get(void) +{ + struct idev_cfg *idev = idev_get_cfg(); + + if (idev != NULL) + return idev->cpt; + + return NULL; +} + +void +roc_idev_cpt_set(struct roc_cpt *cpt) +{ + struct idev_cfg *idev = idev_get_cfg(); + + if (idev != NULL) + __atomic_store_n(&idev->cpt, cpt, __ATOMIC_RELEASE); +} + struct roc_nix * roc_idev_npa_nix_get(void) { diff --git a/drivers/common/cnxk/roc_idev.h b/drivers/common/cnxk/roc_idev.h index 043e8af..16793c2 100644 --- a/drivers/common/cnxk/roc_idev.h +++ b/drivers/common/cnxk/roc_idev.h 
@@ -12,6 +12,9 @@ void __roc_api roc_idev_npa_maxpools_set(uint32_t max_pools); uint64_t __roc_api roc_idev_lmt_base_addr_get(void); uint16_t __roc_api roc_idev_num_lmtlines_get(void); +struct roc_cpt *__roc_api roc_idev_cpt_get(void); +void __roc_api roc_idev_cpt_set(struct roc_cpt *cpt); + struct roc_nix *__roc_api roc_idev_npa_nix_get(void); #endif /* _ROC_IDEV_H_ */ diff --git a/drivers/common/cnxk/roc_idev_priv.h b/drivers/common/cnxk/roc_idev_priv.h index ff10a90..95b2389 100644 --- a/drivers/common/cnxk/roc_idev_priv.h +++ b/drivers/common/cnxk/roc_idev_priv.h @@ -7,6 +7,7 @@ /* Intra device related functions */ struct npa_lf; +struct roc_cpt; struct idev_cfg { uint16_t sso_pf_func; uint16_t npa_pf_func; @@ -16,6 +17,7 @@ struct idev_cfg { uint16_t lmt_pf_func; uint16_t num_lmtlines; uint64_t lmt_base_addr; + struct roc_cpt *cpt; }; /* Generic */ diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map index f8e286e..f36127c 100644 --- a/drivers/common/cnxk/version.map +++ b/drivers/common/cnxk/version.map @@ -17,6 +17,8 @@ INTERNAL { roc_cpt_dev_init; roc_cpt_eng_grp_add; roc_error_msg_get; + roc_idev_cpt_get; + roc_idev_cpt_set; roc_idev_lmt_base_addr_get; roc_idev_npa_maxpools_get; roc_idev_npa_maxpools_set; -- 2.7.4
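Review bot: In roc_cpt_dev_init() (roc_cpt.c, first hunk) the pair "if (!roc_idev_cpt_get()) roc_idev_cpt_set(roc_cpt);" is a check-then-set, and nothing between the two calls keeps a second CPT device's init from passing the same check, so the last writer wins silently. A single compare-and-exchange on idev->cpt with an expected value of NULL would make the "first device registers" rule hold. The clear in roc_cpt_dev_fini() has the same gap, and nothing visible here stops a caller that fetched the pointer earlier from using it after fini; a comment on roc_idev_cpt_get() stating the lifetime of the returned pointer would help.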
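Review bot: roc_idev_cpt_get() in roc_idev.c returns idev->cpt with a plain load, while roc_idev_cpt_set() publishes it with __atomic_store_n(&idev->cpt, cpt, __ATOMIC_RELEASE), so the release store has no acquire load to pair with. Reading with __atomic_load_n(&idev->cpt, __ATOMIC_ACQUIRE) would make the pairing explicit. The plain "idev->cpt = NULL;" in idev_set_defaults() sits directly above an __atomic_store_n() for npa_refcnt; using the same form for both would be consistent.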
[dpdk-dev] [PATCH v2 05/17] common/cnxk: add mbox to configure RXC
From: Vidya Sagar Velumuri Add mailbox to configure timeouts and thresholds in CPT RXC unit. Signed-off-by: Aakash Sasidharan Signed-off-by: Vidya Sagar Velumuri --- drivers/common/cnxk/roc_cpt.c | 27 +++ drivers/common/cnxk/roc_cpt.h | 10 ++ drivers/common/cnxk/version.map | 1 + 3 files changed, 38 insertions(+) diff --git a/drivers/common/cnxk/roc_cpt.c b/drivers/common/cnxk/roc_cpt.c index d891a3b..e723ee7 100644 --- a/drivers/common/cnxk/roc_cpt.c +++ b/drivers/common/cnxk/roc_cpt.c @@ -6,6 +6,33 @@ #include "roc_priv.h" int +roc_cpt_rxc_time_cfg(struct roc_cpt *roc_cpt, struct roc_cpt_rxc_time_cfg *cfg) +{ + struct cpt *cpt = roc_cpt_to_cpt_priv(roc_cpt); + struct cpt_rxc_time_cfg_req *req; + struct dev *dev = &cpt->dev; + + req = mbox_alloc_msg_cpt_rxc_time_cfg(dev->mbox); + if (req == NULL) + return -ENOSPC; + + req->blkaddr = 0; + + /* The step value is in microseconds. */ + req->step = cfg->step; + + /* The timeout will be: limit * step microseconds */ + req->zombie_limit = cfg->zombie_limit; + req->zombie_thres = cfg->zombie_thres; + + /* The timeout will be: limit * step microseconds */ + req->active_limit = cfg->active_limit; + req->active_thres = cfg->active_thres; + + return mbox_process(dev->mbox); +} + +int cpt_get_msix_offset(struct dev *dev, struct msix_offset_rsp **msix_rsp) { struct mbox *mbox = dev->mbox; diff --git a/drivers/common/cnxk/roc_cpt.h b/drivers/common/cnxk/roc_cpt.h index 4e1cf84..bae472f 100644 --- a/drivers/common/cnxk/roc_cpt.h +++ b/drivers/common/cnxk/roc_cpt.h 
@@ -28,6 +28,16 @@ struct roc_cpt { uint8_t reserved[ROC_CPT_MEM_SZ] __plt_cache_aligned; } __plt_cache_aligned; +struct roc_cpt_rxc_time_cfg { + uint32_t step; + uint16_t active_limit; + uint16_t active_thres; + uint16_t zombie_limit; + uint16_t zombie_thres; +}; + +int __roc_api roc_cpt_rxc_time_cfg(struct roc_cpt *roc_cpt, + struct roc_cpt_rxc_time_cfg *cfg); int __roc_api roc_cpt_dev_init(struct roc_cpt *roc_cpt); int __roc_api roc_cpt_dev_fini(struct roc_cpt *roc_cpt); int __roc_api roc_cpt_eng_grp_add(struct roc_cpt *roc_cpt, diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map index f36127c..13fd026 100644 --- a/drivers/common/cnxk/version.map +++ b/drivers/common/cnxk/version.map @@ -16,6 +16,7 @@ INTERNAL { roc_cpt_dev_fini; roc_cpt_dev_init; roc_cpt_eng_grp_add; + roc_cpt_rxc_time_cfg; roc_error_msg_get; roc_idev_cpt_get; roc_idev_cpt_set; -- 2.7.4
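Review bot: roc_cpt_rxc_time_cfg() in roc_cpt.c dereferences cfg (and roc_cpt, through roc_cpt_to_cpt_priv()) without a NULL check and forwards step, both limits and both thresholds to the mailbox unvalidated, so a zero step or limit gives a zero timeout by the formula in the comment. Suggest returning -EINVAL for a NULL cfg and either rejecting zero values or documenting what they mean to the RXC unit. The comment "The timeout will be: limit * step microseconds" appears twice word for word; saying which block is the zombie timeout and which the active timeout would be more useful.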
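Review bot: struct roc_cpt_rxc_time_cfg in roc_cpt.h is a new public structure with no field comments; the units (step in microseconds, timeout = limit * step) are stated only inside roc_cpt.c, and active_thres and zombie_thres are not described anywhere. Moving the unit comments to the header and saying what the two thresholds count would let callers fill the structure in without reading the implementation.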
[dpdk-dev] [PATCH v2 06/17] common/cnxk: add CPT LF config
From: Archana Muniganti Add routines to init & fini CPT LFs. CPT LFs are queues to the hardware enabling instruction submissions. Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Vidya Sagar Velumuri --- drivers/common/cnxk/roc_cpt.c | 357 + drivers/common/cnxk/roc_cpt.h | 20 +++ drivers/common/cnxk/roc_cpt_priv.h | 2 + drivers/common/cnxk/version.map| 3 + 4 files changed, 382 insertions(+) diff --git a/drivers/common/cnxk/roc_cpt.c b/drivers/common/cnxk/roc_cpt.c index e723ee7..02062c1 100644 --- a/drivers/common/cnxk/roc_cpt.c +++ b/drivers/common/cnxk/roc_cpt.c 
@@ -5,6 +5,189 @@ #include "roc_api.h" #include "roc_priv.h" +#define CPT_IQ_FC_LEN 128 +#define CPT_IQ_GRP_LEN 16 + +#define CPT_IQ_NB_DESC_MULTIPLIER 40 + +/* The effective queue size to software is (CPT_LF_Q_SIZE[SIZE_DIV40] - 1 - 8). + * + * CPT requires 320 free entries (+8). And 40 entries are required for + * allowing CPT to discard packet when the queues are full (+1). + */ +#define CPT_IQ_NB_DESC_SIZE_DIV40(nb_desc) \ + (PLT_DIV_CEIL(nb_desc, CPT_IQ_NB_DESC_MULTIPLIER) + 1 + 8) + +#define CPT_IQ_GRP_SIZE(nb_desc) \ + (CPT_IQ_NB_DESC_SIZE_DIV40(nb_desc) * CPT_IQ_GRP_LEN) + +#define CPT_LF_MAX_NB_DESC 128000 +#define CPT_LF_DEFAULT_NB_DESC 1024 + +static void +cpt_lf_misc_intr_enb_dis(struct roc_cpt_lf *lf, bool enb) +{ + /* Enable all cpt lf error irqs except RQ_DISABLED and CQ_DISABLED */ + if (enb) + plt_write64((BIT_ULL(6) | BIT_ULL(5) | BIT_ULL(3) | BIT_ULL(2) | +BIT_ULL(1)), + lf->rbase + CPT_LF_MISC_INT_ENA_W1S); + else + plt_write64((BIT_ULL(6) | BIT_ULL(5) | BIT_ULL(3) | BIT_ULL(2) | +BIT_ULL(1)), + lf->rbase + CPT_LF_MISC_INT_ENA_W1C); +} + +static void +cpt_lf_misc_irq(void *param) +{ + struct roc_cpt_lf *lf = (struct roc_cpt_lf *)param; + struct dev *dev = lf->dev; + uint64_t intr; + + intr = plt_read64(lf->rbase + CPT_LF_MISC_INT); + if (intr == 0) + return; + + plt_err("Err_irq=0x%" PRIx64 " pf=%d, vf=%d", intr, dev->pf, dev->vf); + + /* Clear interrupt */ + plt_write64(intr, lf->rbase + CPT_LF_MISC_INT); +} + +static int +cpt_lf_register_misc_irq(struct roc_cpt_lf *lf) +{ + struct plt_pci_device *pci_dev = lf->pci_dev; + struct plt_intr_handle *handle; + int rc, vec; + + handle = &pci_dev->intr_handle; + + vec = lf->msixoff + CPT_LF_INT_VEC_MISC; + /* Clear err interrupt */ + cpt_lf_misc_intr_enb_dis(lf, false); + /* Set used interrupt vectors */ + rc = dev_irq_register(handle, cpt_lf_misc_irq, lf, vec); + /* Enable all dev interrupt except for RQ_DISABLED */ + cpt_lf_misc_intr_enb_dis(lf, true); + + return rc; +} + +static void 
+cpt_lf_unregister_misc_irq(struct roc_cpt_lf *lf) +{ + struct plt_pci_device *pci_dev = lf->pci_dev; + struct plt_intr_handle *handle; + int vec; + + handle = &pci_dev->intr_handle; + + vec = lf->msixoff + CPT_LF_INT_VEC_MISC; + /* Clear err interrupt */ + cpt_lf_misc_intr_enb_dis(lf, false); + dev_irq_unregister(handle, cpt_lf_misc_irq, lf, vec); +} + +static void +cpt_lf_done_intr_enb_dis(struct roc_cpt_lf *lf, bool enb) +{ + if (enb) + plt_write64(0x1, lf->rbase + CPT_LF_DONE_INT_ENA_W1S); + else + plt_write64(0x1, lf->rbase + CPT_LF_DONE_INT_ENA_W1C); +} + +static void +cpt_lf_done_irq(void *param) +{ + struct roc_cpt_lf *lf = param; + uint64_t done_wait; + uint64_t intr; + + /* Read the number of completed requests */ + intr = plt_read64(lf->rbase + CPT_LF_DONE); + if (intr == 0) + return; + + done_wait = plt_read64(lf->rbase + CPT_LF_DONE_WAIT); + + /* Acknowledge the number of completed requests */ + plt_write64(intr, lf->rbase + CPT_LF_DONE_ACK); + + plt_write64(done_wait, lf->rbase + CPT_LF_DONE_WAIT); +} + +static int +cpt_lf_register_done_irq(struct roc_cpt_lf *lf) +{ + struct plt_pci_device *pci_dev = lf->pci_dev; + struct plt_intr_handle *handle; + int rc, vec; + + handle = &pci_dev->intr_handle; + + vec = lf->msixoff + CPT_LF_INT_VEC_DONE; + + /* Clear done interrupt */ + cpt_lf_done_intr_enb_dis(lf, false); + + /* Set used interrupt vectors */ + rc = dev_irq_register(handle, cpt_lf_done_irq, lf, vec); + + /* Enable done interrupt */ + cpt_lf_done_intr_enb_dis(lf, true); + + return rc; +} + +static void +cpt_lf_unregister_done_irq(struct roc_cp
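Review bot: cpt_lf_register_misc_irq() and cpt_lf_register_done_irq() both call the matching cpt_lf_*_intr_enb_dis(lf, true) right after dev_irq_register() without looking at rc, so the interrupt source is enabled even when no handler was registered. Suggest "if (rc) return rc;" before the enable in both functions. In cpt_lf_misc_intr_enb_dis() the mask BIT_ULL(6) | BIT_ULL(5) | BIT_ULL(3) | BIT_ULL(2) | BIT_ULL(1) is written out twice; a named macro would keep the W1S and W1C paths in step and give the bits a name. The two comments also disagree on what is excluded: "except RQ_DISABLED and CQ_DISABLED" in cpt_lf_misc_intr_enb_dis() and "except for RQ_DISABLED" in cpt_lf_register_misc_irq().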
[dpdk-dev] [PATCH v2 07/17] common/cnxk: add CPT diagnostics
From: Aakash Sasidharan Add routines to fetch and dump CPT statistics and states. Signed-off-by: Aakash Sasidharan Signed-off-by: Srujana Challa --- drivers/common/cnxk/meson.build | 1 + drivers/common/cnxk/roc_cpt.c | 29 +++ drivers/common/cnxk/roc_cpt.h | 3 + drivers/common/cnxk/roc_cpt_debug.c | 167 drivers/common/cnxk/version.map | 2 + 5 files changed, 202 insertions(+) create mode 100644 drivers/common/cnxk/roc_cpt_debug.c diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build index 739e0e4..f139e0b 100644 --- a/drivers/common/cnxk/meson.build +++ b/drivers/common/cnxk/meson.build @@ -12,6 +12,7 @@ config_flag_fmt = 'RTE_LIBRTE_@0@_COMMON' deps = ['eal', 'pci', 'bus_pci', 'mbuf'] sources = files( 'roc_cpt.c', +'roc_cpt_debug.c', 'roc_dev.c', 'roc_idev.c', 'roc_irq.c', diff --git a/drivers/common/cnxk/roc_cpt.c b/drivers/common/cnxk/roc_cpt.c index 02062c1..21c7704 100644 --- a/drivers/common/cnxk/roc_cpt.c +++ b/drivers/common/cnxk/roc_cpt.c 
@@ -188,6 +188,34 @@ cpt_lf_unregister_irqs(struct roc_cpt_lf *lf) cpt_lf_unregister_done_irq(lf); } +static void +cpt_lf_dump(struct roc_cpt_lf *lf) +{ + plt_cpt_dbg("CPT LF"); + plt_cpt_dbg("RBASE: 0x%016" PRIx64, lf->rbase); + plt_cpt_dbg("LMT_BASE: 0x%016" PRIx64, lf->lmt_base); + plt_cpt_dbg("MSIXOFF: 0x%x", lf->msixoff); + plt_cpt_dbg("LF_ID: 0x%x", lf->lf_id); + plt_cpt_dbg("NB DESC: %d", lf->nb_desc); + plt_cpt_dbg("FC_ADDR: 0x%016" PRIx64, (uintptr_t)lf->fc_addr); + plt_cpt_dbg("CQ.VADDR: 0x%016" PRIx64, (uintptr_t)lf->iq_vaddr); + + plt_cpt_dbg("CPT LF REG:"); + plt_cpt_dbg("LF_CTL[0x%016llx]: 0x%016" PRIx64, CPT_LF_CTL, + plt_read64(lf->rbase + CPT_LF_CTL)); + plt_cpt_dbg("Q_SIZE[0x%016llx]: 0x%016" PRIx64, CPT_LF_INPROG, + plt_read64(lf->rbase + CPT_LF_INPROG)); + + plt_cpt_dbg("Q_BASE[0x%016llx]: 0x%016" PRIx64, CPT_LF_Q_BASE, + plt_read64(lf->rbase + CPT_LF_Q_BASE)); + plt_cpt_dbg("Q_SIZE[0x%016llx]: 0x%016" PRIx64, CPT_LF_Q_SIZE, + plt_read64(lf->rbase + CPT_LF_Q_SIZE)); + plt_cpt_dbg("Q_INST_PTR[0x%016llx]: 0x%016" PRIx64, CPT_LF_Q_INST_PTR, + plt_read64(lf->rbase + CPT_LF_Q_INST_PTR)); + plt_cpt_dbg("Q_GRP_PTR[0x%016llx]: 0x%016" PRIx64, CPT_LF_Q_GRP_PTR, + plt_read64(lf->rbase + CPT_LF_Q_GRP_PTR)); +} + int roc_cpt_rxc_time_cfg(struct roc_cpt *roc_cpt, struct roc_cpt_rxc_time_cfg *cfg) { @@ -484,6 +512,7 @@ cpt_lf_init(struct roc_cpt_lf *lf) if (rc) goto disable_iq; + cpt_lf_dump(lf); return 0; disable_iq: diff --git a/drivers/common/cnxk/roc_cpt.h b/drivers/common/cnxk/roc_cpt.h index e258ca5..73ecb4e 100644 --- a/drivers/common/cnxk/roc_cpt.h +++ b/drivers/common/cnxk/roc_cpt.h 
@@ -63,5 +63,8 @@ int __roc_api roc_cpt_dev_configure(struct roc_cpt *roc_cpt, int nb_lf); void __roc_api roc_cpt_dev_clear(struct roc_cpt *roc_cpt); int __roc_api roc_cpt_lf_init(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf); void __roc_api roc_cpt_lf_fini(struct roc_cpt_lf *lf); +int __roc_api roc_cpt_afs_print(struct roc_cpt *roc_cpt); +int __roc_api roc_cpt_lfs_print(struct roc_cpt *roc_cpt); void __roc_api roc_cpt_iq_disable(struct roc_cpt_lf *lf); + #endif /* _ROC_CPT_H_ */ diff --git a/drivers/common/cnxk/roc_cpt_debug.c b/drivers/common/cnxk/roc_cpt_debug.c new file mode 100644 index 000..9a9dcba --- /dev/null +++ b/drivers/common/cnxk/roc_cpt_debug.c @@ -0,0 +1,167 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include "roc_api.h" +#include "roc_priv.h" + +static int +cpt_af_reg_read(struct roc_cpt *roc_cpt, uint64_t reg, uint64_t *val) +{ + struct cpt *cpt = roc_cpt_to_cpt_priv(roc_cpt); + struct cpt_rd_wr_reg_msg *msg; + struct dev *dev = &cpt->dev; + int ret; + + msg = mbox_alloc_msg_cpt_rd_wr_register(dev->mbox); + if (msg == NULL) + return -EIO; + + msg->hdr.pcifunc = dev->pf_func; + + msg->is_write = 0; + msg->reg_offset = reg; + msg->ret_val = val; + + ret = mbox_process_msg(dev->mbox, (void *)&msg); + if (ret) + return -EIO; + + *val = msg->val; + + return 0; +} + +static int +cpt_sts_print(struct roc_cpt *roc_cpt) +{ + struct cpt *cpt = roc_cpt_to_cpt_priv(roc_cpt); + struct dev *dev = &cpt->dev; + struct cpt_sts_req *req; + struct cpt_sts_rsp *rsp; + int ret; + + req = mbox_alloc_msg_cpt_sts_get(dev->mbox); + if (req == NULL) + return -EIO; + + req->blkaddr = 0; + ret = mbox_process_msg(dev->mbox, (void *)&rsp); + if (ret) + return -EIO; + + plt_print("%s:\t0x%016" PRIx64, "inst_req_pc", rsp->inst
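Review bot: cpt_lf_dump() in roc_cpt.c prints the CPT_LF_INPROG register under the label "Q_SIZE", the same label the CPT_LF_Q_SIZE line uses two calls later, and prints lf->iq_vaddr as "CQ.VADDR"; the first looks like a copy-paste slip and makes the dump ambiguous. Suggest "INPROG" and "IQ.VADDR". The dump is also called unconditionally at the end of every successful cpt_lf_init() and logs the register base and queue addresses; please confirm that is wanted on every init rather than only through roc_cpt_lfs_print().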
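Review bot: cpt_af_reg_read() and cpt_sts_print() in roc_cpt_debug.c return -EIO when the mbox_alloc_msg_*() call fails, while the other CPT mailbox helpers in this series return -ENOSPC for the same condition, and both replace whatever mbox_process_msg() returned with -EIO. Suggest -ENOSPC on allocation failure and returning ret unchanged. In cpt_af_reg_read(), val is stored into msg->ret_val and later written through without a NULL check, and the response is received by passing (void *)&msg, which overwrites the request pointer; a separate rsp variable, as cpt_sts_print() uses, would read more clearly. If the value is taken from msg->val anyway, is the msg->ret_val assignment needed?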
[dpdk-dev] [PATCH v2 08/17] common/cnxk: add CPT LF flush
From: Aakash Sasidharan Add routine to flush context from CPT context processor cache. Signed-off-by: Aakash Sasidharan Signed-off-by: Vidya Sagar Velumuri --- drivers/common/cnxk/roc_cpt.c | 18 ++ drivers/common/cnxk/roc_cpt.h | 1 + drivers/common/cnxk/version.map | 1 + 3 files changed, 20 insertions(+) diff --git a/drivers/common/cnxk/roc_cpt.c b/drivers/common/cnxk/roc_cpt.c index 21c7704..fd92de3 100644 --- a/drivers/common/cnxk/roc_cpt.c +++ b/drivers/common/cnxk/roc_cpt.c @@ -599,6 +599,24 @@ roc_cpt_dev_init(struct roc_cpt *roc_cpt) return rc; } +int +roc_cpt_lf_ctx_flush(struct roc_cpt_lf *lf, uint64_t cptr) +{ + union cpt_lf_ctx_flush reg; + + if (lf == NULL) + return -ENOTSUP; + + reg.u = 0; + reg.s.pf_func = lf->pf_func; + reg.s.inval = 1; + reg.s.cptr = cptr; + + plt_write64(reg.u, lf->rbase + CPT_LF_CTX_FLUSH); + + return 0; +} + void cpt_lf_fini(struct roc_cpt_lf *lf) { diff --git a/drivers/common/cnxk/roc_cpt.h b/drivers/common/cnxk/roc_cpt.h index 73ecb4e..022c8ad 100644 --- a/drivers/common/cnxk/roc_cpt.h +++ b/drivers/common/cnxk/roc_cpt.h @@ -63,6 +63,7 @@ int __roc_api roc_cpt_dev_configure(struct roc_cpt *roc_cpt, int nb_lf); void __roc_api roc_cpt_dev_clear(struct roc_cpt *roc_cpt); int __roc_api roc_cpt_lf_init(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf); void __roc_api roc_cpt_lf_fini(struct roc_cpt_lf *lf); +int __roc_api roc_cpt_lf_ctx_flush(struct roc_cpt_lf *lf, uint64_t cptr); int __roc_api roc_cpt_afs_print(struct roc_cpt *roc_cpt); int __roc_api roc_cpt_lfs_print(struct roc_cpt *roc_cpt); void __roc_api roc_cpt_iq_disable(struct roc_cpt_lf *lf); diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map index 87130df..0827b77 100644 --- a/drivers/common/cnxk/version.map +++ b/drivers/common/cnxk/version.map @@ -18,6 +18,7 @@ INTERNAL { roc_cpt_dev_init; roc_cpt_eng_grp_add; roc_cpt_iq_disable; + roc_cpt_lf_ctx_flush; roc_cpt_lf_init; roc_cpt_lf_fini; roc_cpt_lfs_print; -- 2.7.4
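Review bot: roc_cpt_lf_ctx_flush() always sets reg.s.inval = 1 although its name and the commit message only say "flush", and it returns 0 immediately after the plt_write64() to CPT_LF_CTX_FLUSH. The prototype in roc_cpt.h needs a comment saying that the context is also invalidated, what form cptr must take (raw address or shifted), and whether the caller has to wait before reusing or freeing the memory that held the context. For the NULL lf case, -EINVAL (which roc_cpt_dev_fini() already returns for a NULL cpt) describes the error better than -ENOTSUP.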
[dpdk-dev] [PATCH v2 09/17] common/cnxk: add inline IPsec configuration mbox
From: Vidya Sagar Velumuri Add mbox to configure inbound & outbound inline IPsec. Signed-off-by: Tejasree Kondoj Signed-off-by: Vidya Sagar Velumuri --- drivers/common/cnxk/roc_cpt.c | 61 ++ drivers/common/cnxk/roc_cpt.h | 5 drivers/common/cnxk/roc_cpt_priv.h | 2 ++ drivers/common/cnxk/version.map| 2 ++ 4 files changed, 70 insertions(+) diff --git a/drivers/common/cnxk/roc_cpt.c b/drivers/common/cnxk/roc_cpt.c index fd92de3..81e8b15 100644 --- a/drivers/common/cnxk/roc_cpt.c +++ b/drivers/common/cnxk/roc_cpt.c 
@@ -217,6 +217,67 @@ cpt_lf_dump(struct roc_cpt_lf *lf) } int +cpt_lf_outb_cfg(struct dev *dev, uint16_t sso_pf_func, uint16_t nix_pf_func, + uint8_t lf_id, bool ena) +{ + struct cpt_inline_ipsec_cfg_msg *req; + struct mbox *mbox = dev->mbox; + + req = mbox_alloc_msg_cpt_inline_ipsec_cfg(mbox); + if (req == NULL) + return -ENOSPC; + + req->dir = CPT_INLINE_OUTBOUND; + req->slot = lf_id; + if (ena) { + req->enable = 1; + req->sso_pf_func = sso_pf_func; + req->nix_pf_func = nix_pf_func; + } else { + req->enable = 0; + } + + return mbox_process(mbox); +} + +int +roc_cpt_inline_ipsec_cfg(struct dev *cpt_dev, uint8_t lf_id, +struct roc_nix *roc_nix) +{ + bool ena = roc_nix ? true : false; + uint16_t nix_pf_func = 0; + uint16_t sso_pf_func = 0; + + if (ena) { + nix_pf_func = roc_nix_get_pf_func(roc_nix); + sso_pf_func = idev_sso_pffunc_get(); + } + + return cpt_lf_outb_cfg(cpt_dev, sso_pf_func, nix_pf_func, lf_id, ena); +} + +int +roc_cpt_inline_ipsec_inb_cfg(struct roc_cpt *roc_cpt, uint16_t param1, +uint16_t param2) +{ + struct cpt *cpt = roc_cpt_to_cpt_priv(roc_cpt); + struct cpt_rx_inline_lf_cfg_msg *req; + struct mbox *mbox; + + mbox = cpt->dev.mbox; + + req = mbox_alloc_msg_cpt_rx_inline_lf_cfg(mbox); + if (req == NULL) + return -ENOSPC; + + req->sso_pf_func = idev_sso_pffunc_get(); + req->param1 = param1; + req->param2 = param2; + + return mbox_process(mbox); +} + +int roc_cpt_rxc_time_cfg(struct roc_cpt *roc_cpt, struct roc_cpt_rxc_time_cfg *cfg) { struct cpt *cpt = roc_cpt_to_cpt_priv(roc_cpt); diff --git a/drivers/common/cnxk/roc_cpt.h b/drivers/common/cnxk/roc_cpt.h index 022c8ad..83ef5c7 100644 --- a/drivers/common/cnxk/roc_cpt.h +++ b/drivers/common/cnxk/roc_cpt.h @@ -29,6 +29,7 @@ struct roc_cpt_lf { uint64_t *fc_addr; uint64_t io_addr; uint8_t *iq_vaddr; + struct roc_nix *inl_outb_nix; } __plt_cache_aligned; struct roc_cpt { 
@@ -64,6 +65,10 @@ void __roc_api roc_cpt_dev_clear(struct roc_cpt *roc_cpt); int __roc_api roc_cpt_lf_init(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf); void __roc_api roc_cpt_lf_fini(struct roc_cpt_lf *lf); int __roc_api roc_cpt_lf_ctx_flush(struct roc_cpt_lf *lf, uint64_t cptr); +int __roc_api roc_cpt_inline_ipsec_cfg(struct dev *dev, uint8_t slot, + struct roc_nix *nix); +int __roc_api roc_cpt_inline_ipsec_inb_cfg(struct roc_cpt *roc_cpt, + uint16_t param1, uint16_t param2); int __roc_api roc_cpt_afs_print(struct roc_cpt *roc_cpt); int __roc_api roc_cpt_lfs_print(struct roc_cpt *roc_cpt); void __roc_api roc_cpt_iq_disable(struct roc_cpt_lf *lf); diff --git a/drivers/common/cnxk/roc_cpt_priv.h b/drivers/common/cnxk/roc_cpt_priv.h index 6cfa4df..0880ec0 100644 --- a/drivers/common/cnxk/roc_cpt_priv.h +++ b/drivers/common/cnxk/roc_cpt_priv.h @@ -33,6 +33,8 @@ int cpt_lfs_free(struct dev *dev); int cpt_lf_init(struct roc_cpt_lf *lf); void cpt_lf_fini(struct roc_cpt_lf *lf); +int cpt_lf_outb_cfg(struct dev *dev, uint16_t sso_pf_func, uint16_t nix_pf_func, + uint8_t lf_id, bool ena); int cpt_get_msix_offset(struct dev *dev, struct msix_offset_rsp **msix_rsp); uint64_t cpt_get_blkaddr(struct dev *dev); diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map index 0827b77..59d7d91 100644 --- a/drivers/common/cnxk/version.map +++ b/drivers/common/cnxk/version.map @@ -17,6 +17,8 @@ INTERNAL { roc_cpt_dev_fini; roc_cpt_dev_init; roc_cpt_eng_grp_add; + roc_cpt_inline_ipsec_cfg; + roc_cpt_inline_ipsec_inb_cfg; roc_cpt_iq_disable; roc_cpt_lf_ctx_flush; roc_cpt_lf_init; -- 2.7.4
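Review bot: roc_cpt_inline_ipsec_inb_cfg() in roc_cpt.c takes two parameters named param1 and param2 and copies them into the request with no comment on what they mean or which values are valid. Please name them after what the hardware does with them, or document them next to the prototype. In cpt_lf_outb_cfg() the disable path leaves req->sso_pf_func and req->nix_pf_func unset; if mbox_alloc_msg_cpt_inline_ipsec_cfg() does not zero the message, stale values go out with enable = 0, so setting both to 0 explicitly would be safer.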
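Review bot: roc_cpt_inline_ipsec_cfg() is exported with __roc_api in roc_cpt.h but takes struct dev *, whereas the other public prototypes in this header take struct roc_cpt * or struct roc_cpt_lf *; the prototype's parameter names (dev, slot, nix) also differ from the definition's (cpt_dev, lf_id, roc_nix). Suggest taking a roc_cpt or roc_cpt_lf handle and keeping the names the same in both places. The new inl_outb_nix member of struct roc_cpt_lf is neither read nor written in this patch; either set it in roc_cpt_inline_ipsec_cfg() or add it in the patch that first uses it.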
[dpdk-dev] [PATCH v2 10/17] common/cnxk: add SE microcode defines
From: Kiran Kumar Kokkilagadda Microcode SE opcodes support symmetric operations. Add defines and structs defined by microcode. Signed-off-by: Anoob Joseph Signed-off-by: Kiran Kumar Kokkilagadda Signed-off-by: Vidya Sagar Velumuri --- drivers/common/cnxk/roc_api.h | 3 + drivers/common/cnxk/roc_cpt.h | 34 ++ drivers/common/cnxk/roc_se.h | 267 ++ 3 files changed, 304 insertions(+) create mode 100644 drivers/common/cnxk/roc_se.h diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h index 88a5611..6511614 100644 --- a/drivers/common/cnxk/roc_api.h +++ b/drivers/common/cnxk/roc_api.h @@ -109,4 +109,7 @@ /* CPT */ #include "roc_cpt.h" +/* CPT microcode */ +#include "roc_se.h" + #endif /* _ROC_API_H_ */ diff --git a/drivers/common/cnxk/roc_cpt.h b/drivers/common/cnxk/roc_cpt.h index 83ef5c7..cb2838e 100644 --- a/drivers/common/cnxk/roc_cpt.h +++ b/drivers/common/cnxk/roc_cpt.h 
@@ -14,6 +14,40 @@ #define ROC_CPT_MAX_LFS 64 +/* CPT helper macros */ +#define ROC_CPT_AH_HDR_LEN 12 +#define ROC_CPT_AES_GCM_IV_LEN 8 +#define ROC_CPT_AES_GCM_MAC_LEN 16 +#define ROC_CPT_AES_CBC_IV_LEN 16 +#define ROC_CPT_SHA1_HMAC_LEN 12 +#define ROC_CPT_AUTH_KEY_LEN_MAX 64 + +#define ROC_CPT_DES3_KEY_LEN 24 +#define ROC_CPT_AES128_KEY_LEN 16 +#define ROC_CPT_AES192_KEY_LEN 24 +#define ROC_CPT_AES256_KEY_LEN 32 +#define ROC_CPT_MD5_KEY_LENGTH 16 +#define ROC_CPT_SHA1_KEY_LENGTH 20 +#define ROC_CPT_SHA256_KEY_LENGTH 32 +#define ROC_CPT_SHA384_KEY_LENGTH 48 +#define ROC_CPT_SHA512_KEY_LENGTH 64 +#define ROC_CPT_AUTH_KEY_LEN_MAX 64 + +#define ROC_CPT_DES_BLOCK_LENGTH 8 +#define ROC_CPT_AES_BLOCK_LENGTH 16 + +#define ROC_CPT_AES_GCM_ROUNDUP_BYTE_LEN 4 +#define ROC_CPT_AES_CBC_ROUNDUP_BYTE_LEN 16 + +/* Salt length for AES-CTR/GCM/CCM and AES-GMAC */ +#define ROC_CPT_SALT_LEN 4 + +#define ROC_CPT_ESP_HDR_LEN8 +#define ROC_CPT_ESP_TRL_LEN2 +#define ROC_CPT_AH_HDR_LEN 12 +#define ROC_CPT_TUNNEL_IPV4_HDR_LEN 20 +#define ROC_CPT_TUNNEL_IPV6_HDR_LEN 40 + struct roc_cpt_lf { /* Input parameters */ uint16_t lf_id; diff --git a/drivers/common/cnxk/roc_se.h b/drivers/common/cnxk/roc_se.h new file mode 100644 index 000..ffae065 --- /dev/null +++ b/drivers/common/cnxk/roc_se.h 
@@ -0,0 +1,267 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __ROC_SE_H__ +#define __ROC_SE_H__ + +/* SE opcodes */ +#define ROC_SE_MAJOR_OP_FC 0x33 +#define ROC_SE_FC_MINOR_OP_ENCRYPT0x0 +#define ROC_SE_FC_MINOR_OP_DECRYPT0x1 +#define ROC_SE_FC_MINOR_OP_HMAC_FIRST 0x10 + +#define ROC_SE_MAJOR_OP_HASH 0x34 +#define ROC_SE_MAJOR_OP_HMAC 0x35 +#define ROC_SE_MAJOR_OP_ZUC_SNOW3G 0x37 +#define ROC_SE_MAJOR_OP_KASUMI0x38 +#define ROC_SE_MAJOR_OP_MISC 0x01 + +#define ROC_SE_MAX_AAD_SIZE 64 +#define ROC_SE_MAX_MAC_LEN 64 + +#define ROC_SE_OFF_CTRL_LEN 8 +#define ROC_SE_DMA_MODE(1 << 7) + +#define ROC_SE_MAX_SG_IN_OUT_CNT 32 +#define ROC_SE_MAX_SG_CNT (ROC_SE_MAX_SG_IN_OUT_CNT / 2) + +#define ROC_SE_SG_LIST_HDR_SIZE (8u) +#define ROC_SE_SG_ENTRY_SIZE sizeof(struct roc_se_sglist_comp) + +#define ROC_SE_ZS_EA 0x1 +#define ROC_SE_ZS_IA 0x2 +#define ROC_SE_K_F8 0x4 +#define ROC_SE_K_F9 0x8 + +#define ROC_SE_FC_GEN 0x1 +#define ROC_SE_PDCP 0x2 +#define ROC_SE_KASUMI 0x3 +#define ROC_SE_HASH_HMAC 0x4 + +#define ROC_SE_OP_CIPHER_ENCRYPT 0x1 +#define ROC_SE_OP_CIPHER_DECRYPT 0x2 +#define ROC_SE_OP_CIPHER_MASK \ + (ROC_SE_OP_CIPHER_ENCRYPT | ROC_SE_OP_CIPHER_DECRYPT) + +#define ROC_SE_OP_AUTH_VERIFY 0x4 +#define ROC_SE_OP_AUTH_GENERATE 0x8 +#define ROC_SE_OP_AUTH_MASK \ + (ROC_SE_OP_AUTH_VERIFY | ROC_SE_OP_AUTH_GENERATE) + +#define ROC_SE_OP_ENCODE (ROC_SE_OP_CIPHER_ENCRYPT | ROC_SE_OP_AUTH_GENERATE) +#define ROC_SE_OP_DECODE (ROC_SE_OP_CIPHER_DECRYPT | ROC_SE_OP_AUTH_VERIFY) + +#define ROC_SE_ALWAYS_USE_SEPARATE_BUF + +/* + * Parameters for Flexi Crypto + * requests + */ +#define ROC_SE_VALID_AAD_BUF 0x01 +#define ROC_SE_VALID_MAC_BUF 0x02 +#define ROC_SE_VALID_IV_BUF 0x04 +#define ROC_SE_SINGLE_BUF_INPLACE 0x08 +#define ROC_SE_SINGLE_BUF_HEADROOM 0x10 + +#define ROC_SE_ENCR_IV_OFFSET(__d_offs) (((__d_offs) >> 32) & 0x) +#define ROC_SE_ENCR_OFFSET(__d_offs) (((__d_offs) >> 16) & 0x) +#define ROC_SE_AUTH_OFFSET(__d_offs) ((__d_offs) & 
0x) +#define ROC_SE_ENCR_DLEN(__d_lens) ((__d_lens) >> 32) +#define ROC_SE_AUTH_DLEN(__d_lens) ((__d_lens) & 0x) + +typedef enum { ROC_SE_FROM_CTX = 0, ROC_SE_FROM_DPTR = 1 } roc_se_input_type; + +typedef enum { + ROC_SE_MD5_TYPE = 1, + ROC_SE_SHA1_TYPE = 2, + ROC_SE_SHA2_SHA224 = 3, + ROC_SE_SHA2_SHA256 = 4, +
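Review bot: The roc_cpt.h hunk defines ROC_CPT_AH_HDR_LEN twice (12 both times) and ROC_CPT_AUTH_KEY_LEN_MAX twice (64 both times). Identical redefinitions compile, but the copies will diverge the first time one of them is edited; drop the second definition of each. The key-length macros also mix the suffixes _KEY_LEN (DES3, AES) and _KEY_LENGTH (MD5, SHA); one spelling would be easier to grep.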
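Review bot: In roc_se.h, ROC_SE_ALWAYS_USE_SEPARATE_BUF is defined unconditionally with no comment saying what it selects or when it may be turned off; a behaviour switch that is always on is better as a documented build option, or removed. The ROC_SE_ENCR_IV_OFFSET, ROC_SE_ENCR_OFFSET, ROC_SE_AUTH_OFFSET, ROC_SE_ENCR_DLEN and ROC_SE_AUTH_DLEN accessors unpack packed 64-bit words, but the layout of d_offs and d_lens is not described in the visible part of the header; a short comment giving the bit ranges would let a reader check the shifts.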
[dpdk-dev] [PATCH v2 11/17] common/cnxk: add IE microcode defines
From: Srujana Challa Microcode IE opcodes support IPsec operations. Add defines and structs defined by microcode. Signed-off-by: Anoob Joseph Signed-off-by: Srujana Challa Signed-off-by: Tejasree Kondoj --- drivers/common/cnxk/roc_api.h | 2 + drivers/common/cnxk/roc_ie.h | 19 ++ drivers/common/cnxk/roc_ie_on.h| 152 +++ drivers/common/cnxk/roc_ie_ot.h| 534 + drivers/common/cnxk/roc_platform.h | 1 + 5 files changed, 708 insertions(+) create mode 100644 drivers/common/cnxk/roc_ie.h create mode 100644 drivers/common/cnxk/roc_ie_on.h create mode 100644 drivers/common/cnxk/roc_ie_ot.h diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h index 6511614..d545bb9 100644 --- a/drivers/common/cnxk/roc_api.h +++ b/drivers/common/cnxk/roc_api.h @@ -110,6 +110,8 @@ #include "roc_cpt.h" /* CPT microcode */ +#include "roc_ie_on.h" +#include "roc_ie_ot.h" #include "roc_se.h" #endif /* _ROC_API_H_ */ diff --git a/drivers/common/cnxk/roc_ie.h b/drivers/common/cnxk/roc_ie.h new file mode 100644 index 000..a330ea1 --- /dev/null +++ b/drivers/common/cnxk/roc_ie.h @@ -0,0 +1,19 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __ROC_IE_H__ +#define __ROC_IE_H__ + +/* CNXK IPSEC helper macros */ +#define ROC_IE_AH_HDR_LEN 12 +#define ROC_IE_AES_GCM_IV_LEN 8 +#define ROC_IE_AES_GCM_MAC_LEN 16 +#define ROC_IE_AES_CBC_IV_LEN 16 +#define ROC_IE_SHA1_HMAC_LEN 12 +#define ROC_IE_AUTH_KEY_LEN_MAX 64 + +#define ROC_IE_AES_GCM_ROUNDUP_BYTE_LEN 4 +#define ROC_IE_AES_CBC_ROUNDUP_BYTE_LEN 16 + +#endif /* __ROC_IE_H__ */ diff --git a/drivers/common/cnxk/roc_ie_on.h b/drivers/common/cnxk/roc_ie_on.h new file mode 100644 index 000..508654a --- /dev/null +++ b/drivers/common/cnxk/roc_ie_on.h 
@@ -0,0 +1,152 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __ROC_IE_ON_H__ +#define __ROC_IE_ON_H__ + +/* CN9K IPSEC LA opcodes */ +#define ROC_IE_ONL_MAJOR_OP_WRITE_IPSEC_OUTBOUND 0x20 +#define ROC_IE_ONL_MAJOR_OP_WRITE_IPSEC_INBOUND 0x21 +#define ROC_IE_ONL_MAJOR_OP_PROCESS_OUTBOUND_IPSEC 0x23 +#define ROC_IE_ONL_MAJOR_OP_PROCESS_INBOUND_IPSEC 0x24 + +/* CN9K IPSEC FP opcodes */ +#define ROC_IE_ONF_MAJOR_OP_PROCESS_OUTBOUND_IPSEC 0x25UL +#define ROC_IE_ONF_MAJOR_OP_PROCESS_INBOUND_IPSEC 0x26UL + +/* Ucode completion codes */ +#define ROC_IE_ONF_UCC_SUCCESS 0 + +enum { + ROC_IE_ON_SA_DIR_INBOUND = 0, + ROC_IE_ON_SA_DIR_OUTBOUND = 1, +}; + +enum { + ROC_IE_ON_SA_IP_VERSION_4 = 0, + ROC_IE_ON_SA_IP_VERSION_6 = 1, +}; + +enum { + ROC_IE_ON_SA_MODE_TRANSPORT = 0, + ROC_IE_ON_SA_MODE_TUNNEL = 1, +}; + +enum { + ROC_IE_ON_SA_PROTOCOL_AH = 0, + ROC_IE_ON_SA_PROTOCOL_ESP = 1, +}; + +enum { + ROC_IE_ON_SA_AES_KEY_LEN_128 = 1, + ROC_IE_ON_SA_AES_KEY_LEN_192 = 2, + ROC_IE_ON_SA_AES_KEY_LEN_256 = 3, +}; + +enum { + ROC_IE_ON_SA_ENC_NULL = 0, + ROC_IE_ON_SA_ENC_DES_CBC = 1, + ROC_IE_ON_SA_ENC_3DES_CBC = 2, + ROC_IE_ON_SA_ENC_AES_CBC = 3, + ROC_IE_ON_SA_ENC_AES_CTR = 4, + ROC_IE_ON_SA_ENC_AES_GCM = 5, + ROC_IE_ON_SA_ENC_AES_CCM = 6, +}; + +enum { + ROC_IE_ON_SA_AUTH_NULL = 0, + ROC_IE_ON_SA_AUTH_MD5 = 1, + ROC_IE_ON_SA_AUTH_SHA1 = 2, + ROC_IE_ON_SA_AUTH_SHA2_224 = 3, + ROC_IE_ON_SA_AUTH_SHA2_256 = 4, + ROC_IE_ON_SA_AUTH_SHA2_384 = 5, + ROC_IE_ON_SA_AUTH_SHA2_512 = 6, + ROC_IE_ON_SA_AUTH_AES_GMAC = 7, + ROC_IE_ON_SA_AUTH_AES_XCBC_128 = 8, +}; + +enum { + ROC_IE_ON_SA_FRAG_POST = 0, + ROC_IE_ON_SA_FRAG_PRE = 1, +}; + +enum { + ROC_IE_ON_SA_ENCAP_NONE = 0, + ROC_IE_ON_SA_ENCAP_UDP = 1, +}; + +struct roc_ie_onf_sa_ctl { + uint32_t spi; + uint64_t exp_proto_inter_frag : 8; + uint64_t rsvd_41_40 : 2; + /* Disable SPI, SEQ data in RPTR for Inbound inline */ + uint64_t spi_seq_dis : 1; + uint64_t esn_en : 1; + uint64_t rsvd_44_45 : 2; + 
uint64_t encap_type : 2; + uint64_t enc_type : 3; + uint64_t rsvd_48 : 1; + uint64_t auth_type : 4; + uint64_t valid : 1; + uint64_t direction : 1; + uint64_t outer_ip_ver : 1; + uint64_t inner_ip_ver : 1; + uint64_t ipsec_mode : 1; + uint64_t ipsec_proto : 1; + uint64_t aes_key_len : 2; +}; + +struct roc_onf_ipsec_outb_sa { + /* w0 */ + struct roc_ie_onf_sa_ctl ctl; + + /* w1 */ + uint8_t nonce[4]; + uint16_t udp_src; + uint16_t udp_dst; + + /* w2 */ + uint32_t ip_src; + uint32_t ip_dst; + + /* w3-w6 */ + uint8_t cipher_key[32]; + + /* w7-w12 */ + uint8_t hmac_key[48]; +}; + +struct roc_onf_ipsec_inb_sa { + /* w0 */ + struct roc_ie_onf_sa_ctl ctl; + + /* w1 */ + uint8_t nonce[4]; /* Onl
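Review bot: roc_ie.h repeats, under a ROC_IE_ prefix, values that patch 10/17 already added to roc_cpt.h (ROC_CPT_AH_HDR_LEN, ROC_CPT_AES_GCM_IV_LEN, ROC_CPT_AES_GCM_MAC_LEN, ROC_CPT_AES_CBC_IV_LEN, ROC_CPT_SHA1_HMAC_LEN, ROC_CPT_AUTH_KEY_LEN_MAX and the two ROUNDUP_BYTE_LEN macros), and the roc_api.h hunk includes roc_ie_on.h and roc_ie_ot.h but not roc_ie.h. Suggest keeping one set of these constants, and either including roc_ie.h from roc_api.h or saying which header is expected to pull it in.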
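Review bot: struct roc_ie_onf_sa_ctl in roc_ie_on.h describes a single microcode word ("w0") as a uint32_t followed by uint64_t bit-fields, so its in-memory layout depends on the compiler's bit-field allocation order and on endianness. Suggest a build-time size assertion on the structure and a comment stating the assumed byte order. The reserved members are named inconsistently (rsvd_41_40, rsvd_44_45, rsvd_48): counting widths from bit 32 after spi, the one-bit field after enc_type lands on bit 51, not 48. The outbound and inbound SA structures embed cipher_key and hmac_key next to this word; a comment on who clears that memory when an SA is torn down would be worth adding.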
[dpdk-dev] [PATCH v2 12/17] common/cnxk: add AE microcode defines
From: Kiran Kumar Kokkilagadda Microcode AE opcodes support asymmetric operations. Add defines and structs defined by microcode. Signed-off-by: Anoob Joseph Signed-off-by: Kiran Kumar Kokkilagadda --- drivers/common/cnxk/roc_ae.h | 56 +++ drivers/common/cnxk/roc_api.h | 1 + drivers/common/cnxk/roc_cpt.h | 3 +++ 3 files changed, 60 insertions(+) create mode 100644 drivers/common/cnxk/roc_ae.h diff --git a/drivers/common/cnxk/roc_ae.h b/drivers/common/cnxk/roc_ae.h new file mode 100644 index 000..c549e18 --- /dev/null +++ b/drivers/common/cnxk/roc_ae.h @@ -0,0 +1,56 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __ROC_AE_H__ +#define __ROC_AE_H__ + +/* AE opcodes */ +#define ROC_AE_MAJOR_OP_MODEX 0x03 +#define ROC_AE_MAJOR_OP_ECDSA 0x04 +#define ROC_AE_MAJOR_OP_ECC 0x05 +#define ROC_AE_MINOR_OP_MODEX 0x01 +#define ROC_AE_MINOR_OP_PKCS_ENC 0x02 +#define ROC_AE_MINOR_OP_PKCS_ENC_CRT 0x03 +#define ROC_AE_MINOR_OP_PKCS_DEC 0x04 +#define ROC_AE_MINOR_OP_PKCS_DEC_CRT 0x05 +#define ROC_AE_MINOR_OP_MODEX_CRT0x06 +#define ROC_AE_MINOR_OP_ECDSA_SIGN 0x01 +#define ROC_AE_MINOR_OP_ECDSA_VERIFY 0x02 +#define ROC_AE_MINOR_OP_ECC_UMP 0x03 + +/** + * Enumeration roc_ae_ec_id + * + * Enumerates supported elliptic curves + */ +typedef enum { + ROC_AE_EC_ID_P192 = 0, + ROC_AE_EC_ID_P224 = 1, + ROC_AE_EC_ID_P256 = 2, + ROC_AE_EC_ID_P384 = 3, + ROC_AE_EC_ID_P521 = 4, + ROC_AE_EC_ID_PMAX = 5 +} roc_ae_ec_id; + +/* Prime and order fields of built-in elliptic curves */ +struct roc_ae_ec_group { + struct { + /* P521 maximum length */ + uint8_t data[66]; + unsigned int length; + } prime; + + struct { + /* P521 maximum length */ + uint8_t data[66]; + unsigned int length; + } order; +}; + +struct roc_ae_ec_ctx { + /* Prime length defined by microcode for EC operations */ + uint8_t curveid; +}; + +#endif /* __ROC_AE_H__ */ diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h index d545bb9..546818d 100644 
--- a/drivers/common/cnxk/roc_api.h +++ b/drivers/common/cnxk/roc_api.h @@ -110,6 +110,7 @@ #include "roc_cpt.h" /* CPT microcode */ +#include "roc_ae.h" #include "roc_ie_on.h" #include "roc_ie_ot.h" #include "roc_se.h" diff --git a/drivers/common/cnxk/roc_cpt.h b/drivers/common/cnxk/roc_cpt.h index cb2838e..5577fea 100644 --- a/drivers/common/cnxk/roc_cpt.h +++ b/drivers/common/cnxk/roc_cpt.h @@ -7,6 +7,9 @@ #include "roc_api.h" +#define ROC_AE_CPT_BLOCK_TYPE1 0 +#define ROC_AE_CPT_BLOCK_TYPE2 1 + /* Default engine groups */ #define ROC_CPT_DFLT_ENG_GRP_SE 0UL #define ROC_CPT_DFLT_ENG_GRP_SE_IE 1UL -- 2.7.4
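Review bot: In roc_ae.h the only member of struct roc_ae_ec_ctx is curveid, but its comment reads "Prime length defined by microcode for EC operations"; the comment should say that the field holds a roc_ae_ec_id value. Because curveid is a uint8_t that will select per-curve data, the header should also state that values at or above ROC_AE_EC_ID_PMAX are invalid so that consumers check the range before indexing. The two data[66] arrays in struct roc_ae_ec_group would be clearer with a named constant for the P-521 byte length.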
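Review bot: ROC_AE_CPT_BLOCK_TYPE1 and ROC_AE_CPT_BLOCK_TYPE2 are added to roc_cpt.h with a ROC_AE_ prefix and no comment, and nothing in this patch uses them. Please say what a block type is, and consider either moving them to roc_ae.h or renaming them with the ROC_CPT_ prefix the rest of the file uses.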
[dpdk-dev] [PATCH v2 13/17] common/cnxk: add lmtline init
Add routine to initialize LMTLINE which facilitates instruction submission to CPT. Add common macros required in the enqueue operations. Signed-off-by: Anoob Joseph Signed-off-by: Ankur Dwivedi --- drivers/common/cnxk/roc_cpt.c | 20 drivers/common/cnxk/roc_cpt.h | 32 drivers/common/cnxk/version.map | 1 + 3 files changed, 53 insertions(+) diff --git a/drivers/common/cnxk/roc_cpt.c b/drivers/common/cnxk/roc_cpt.c index 81e8b15..788b28a 100644 --- a/drivers/common/cnxk/roc_cpt.c +++ b/drivers/common/cnxk/roc_cpt.c @@ -806,3 +806,23 @@ roc_cpt_iq_disable(struct roc_cpt_lf *lf) lf_inprog.s.eena = 0x0; plt_write64(lf_inprog.u, lf->rbase + CPT_LF_INPROG); } + +int +roc_cpt_lmtline_init(struct roc_cpt *roc_cpt, struct roc_cpt_lmtline *lmtline, +int lf_id) +{ + struct roc_cpt_lf *lf; + + lf = roc_cpt->lf[lf_id]; + if (lf == NULL) + return -ENOTSUP; + + lmtline->io_addr = lf->io_addr; + if (roc_model_is_cn10k()) + lmtline->io_addr |= ROC_CN10K_CPT_INST_DW_M1 << 4; + + lmtline->fc_addr = lf->fc_addr; + lmtline->lmt_base = lf->lmt_base; + + return 0; +} diff --git a/drivers/common/cnxk/roc_cpt.h b/drivers/common/cnxk/roc_cpt.h index 5577fea..8dd2b5e 100644 --- a/drivers/common/cnxk/roc_cpt.h +++ b/drivers/common/cnxk/roc_cpt.h 
@@ -16,6 +16,30 @@ #define ROC_CPT_DFLT_ENG_GRP_AE 2UL #define ROC_CPT_MAX_LFS 64 +#define ROC_CN10K_CPT_INST_DW_M1 \ + ((uint64_t)(((sizeof(struct cpt_inst_s) / 16) - 1) & 0x7)) +#define ROC_CN10K_TWO_CPT_INST_DW_M1 \ + ((uint64_t)(((sizeof(struct cpt_inst_s) * 2 / 16) - 1) & 0x7)) + +/* Vector of sizes in the burst of 16 CPT inst except first in 63:19 of + * APT_LMT_ARG_S + */ +#define ROC_CN10K_CPT_LMT_ARG \ + (ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 0) |\ +ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 1) |\ +ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 2) |\ +ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 3) |\ +ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 4) |\ +ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 5) |\ +ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 6) |\ +ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 7) |\ +ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 8) |\ +ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 9) |\ +ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 10) | \ +ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 11) | \ +ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 12) | \ +ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 13) | \ +ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 14)) /* CPT helper macros */ #define ROC_CPT_AH_HDR_LEN 12 @@ -51,6 +75,12 @@ #define ROC_CPT_TUNNEL_IPV4_HDR_LEN 20 #define ROC_CPT_TUNNEL_IPV6_HDR_LEN 40 +struct roc_cpt_lmtline { + uint64_t io_addr; + uint64_t *fc_addr; + uintptr_t lmt_base; +}; + struct roc_cpt_lf { /* Input parameters */ uint16_t lf_id; @@ -109,5 +139,7 @@ int __roc_api roc_cpt_inline_ipsec_inb_cfg(struct roc_cpt *roc_cpt, int __roc_api roc_cpt_afs_print(struct roc_cpt *roc_cpt); int __roc_api roc_cpt_lfs_print(struct roc_cpt *roc_cpt); void __roc_api roc_cpt_iq_disable(struct roc_cpt_lf *lf); +int __roc_api roc_cpt_lmtline_init(struct roc_cpt *roc_cpt, + struct roc_cpt_lmtline *lmtline, int lf_id); #endif /* _ROC_CPT_H_ */ diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map index 59d7d91..e079bc7 100644 --- a/drivers/common/cnxk/version.map +++ b/drivers/common/cnxk/version.map 
@@ -24,6 +24,7 @@ INTERNAL { roc_cpt_lf_init; roc_cpt_lf_fini; roc_cpt_lfs_print; + roc_cpt_lmtline_init; roc_cpt_rxc_time_cfg; roc_error_msg_get; roc_idev_cpt_get; -- 2.7.4
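Review bot: In roc_cpt_lmtline_init() (roc_cpt.c), lf_id is a signed int used to index roc_cpt->lf[lf_id] with no range check, so a negative or too-large value reads outside the array before the lf == NULL test can catch anything. Reject out-of-range ids first, for example against ROC_CPT_MAX_LFS if that is what sizes the array (its declaration is not in this diff). -EINVAL would describe a bad id better than -ENOTSUP.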
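Review bot: In the first roc_cpt.h hunk, ROC_CN10K_CPT_INST_DW_M1 and ROC_CN10K_TWO_CPT_INST_DW_M1 end in "& 0x7", which silently truncates the encoded size if struct cpt_inst_s ever grows past what three bits can hold. A build-time assertion on sizeof(struct cpt_inst_s) would turn that into a compile error. The macros also need a comment saying the value is the instruction size in 16-byte units minus one, and the comment above ROC_CN10K_CPT_LMT_ARG refers to APT_LMT_ARG_S; please confirm that is the intended structure name.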
[dpdk-dev] [PATCH v2 14/17] common/cnxk: add fpm tables
From: Kiran Kumar Kokkilagadda Add scalar FPM tables to be used for asymmetric operations. Signed-off-by: Anoob Joseph Signed-off-by: Kiran Kumar Kokkilagadda --- drivers/common/cnxk/meson.build |1 + drivers/common/cnxk/roc_ae_fpm_tables.c | 1140 +++ drivers/common/cnxk/roc_ae_fpm_tables.h | 13 + drivers/common/cnxk/roc_api.h |1 + drivers/common/cnxk/version.map |2 + 5 files changed, 1157 insertions(+) create mode 100644 drivers/common/cnxk/roc_ae_fpm_tables.c create mode 100644 drivers/common/cnxk/roc_ae_fpm_tables.h diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build index f139e0b..181b58e 100644 --- a/drivers/common/cnxk/meson.build +++ b/drivers/common/cnxk/meson.build @@ -11,6 +11,7 @@ endif config_flag_fmt = 'RTE_LIBRTE_@0@_COMMON' deps = ['eal', 'pci', 'bus_pci', 'mbuf'] sources = files( +'roc_ae_fpm_tables.c', 'roc_cpt.c', 'roc_cpt_debug.c', 'roc_dev.c', diff --git a/drivers/common/cnxk/roc_ae_fpm_tables.c b/drivers/common/cnxk/roc_ae_fpm_tables.c new file mode 100644 index 000..afb2a50 --- /dev/null +++ b/drivers/common/cnxk/roc_ae_fpm_tables.c 
@@ -0,0 +1,1140 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include "roc_ae_fpm_tables.h" +#include "roc_ae.h" + +#define AE_FPM_TBL_NAME "ae_fpm_tbl" + +/* + * AE FPM table sizes Enumeration + * + * 15 table entries * (X, Y, Z coordinates) * Coordinate Offset + * Coordinate Offset depends on elliptic curve as mentioned below, + * 6 quadwords for P-192, P-224 and P-256 + * 7 quadwords for P-384 + * 9 quadwords for P-521 + */ +typedef enum { + AE_FPM_P192_LEN = 2160, + AE_FPM_P224_LEN = 2160, + AE_FPM_P256_LEN = 2160, + AE_FPM_P384_LEN = 2520, + AE_FPM_P521_LEN = 3240 +} ae_fpm_len; + +/* FPM table address and length */ +struct ae_fpm_entry { + const uint8_t *data; + int len; +}; + +struct ae_fpm_tbl { + uint64_t refcount; + uint8_t fpm_tbl[]; +}; + +/* + * Pre-computed ECC FMUL tables needed by cpt microcode + * for NIST curves P-192, P-256, P-384, P-521, P-224. + */ + +const uint8_t ae_fpm_tbl_p192[AE_FPM_P192_LEN] = { + 0xf4, 0xff, 0x0a, 0xfd, 0x82, 0xff, 0x10, 0x12, 0x7c, 0xbf, 0x20, 0xeb, + 0x43, 0xa1, 0x88, 0x00, 0x18, 0x8d, 0xa8, 0x0e, 0xb0, 0x30, 0x90, 0xf6, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x73, 0xf9, 0x77, 0xa1, 0x1e, 0x79, 0x48, 0x11, 0x63, 0x10, 0x11, 0xed, + 0x6b, 0x24, 0xcd, 0xd5, 0x07, 0x19, 0x2b, 0x95, 0xff, 0xc8, 0xda, 0x78, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xc3, 0x96, 0x49, 0xc5, 0x5d, 0x7c, 0x48, 0xd8, 0xeb, 0x2c, 0xdf, 0xae, + 0x5a, 0x92, 0x7c, 0x35, 0x67, 0xe3, 0x0c, 0xbd, 0xcb, 0xa6, 
0x71, 0xfb, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x7a, 0x83, 0xce, 0xe1, 0xec, 0xbf, 0xbe, 0x7d, 0xce, 0x32, 0xd0, 0x3c, + 0x06, 0x30, 0x15, 0x77, 0xa9, 0x35, 0x49, 0xc4, 0x58, 0x10, 0xf5, 0xc3, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x6f, 0x5e, 0xf8, 0x89, 0x66, 0xe3, 0xea, 0xd3, 0xf2, 0x9e, 0x6f, 0xea, + 0xdf, 0xc9, 0xbf, 0x1a, 0xce, 0x21, 0x6b, 0xb8, 0x45, 0x20, 0x06, 0xe0, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x46, 0xb9, 0x09, 0x2d, 0x92, 0x7b, 0x37, 0x79, 0x1d, 0x0a, 0xeb, 0x4b, + 0xb5, 0xb8, 0x0a, 0x20, 0xd9, 0x8a, 0x2e, 0xe2, 0x5a, 0xae, 0xc9, 0x58, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x
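Review bot: In roc_ae_fpm_tables.c, the ae_fpm_len values (2160, 2520, 3240) are hard-coded even though the comment directly above gives the formula (15 entries * 3 coordinates * 6, 7 or 9 quadwords). Derive the lengths from those factors so the array sizes cannot drift from the documented layout. ae_fpm_tbl_p192 is also defined as a non-static const array with no roc_ prefix, so it becomes a global symbol of the common library; make it static unless another file needs it. The comment lists the curves as P-192, P-256, P-384, P-521, P-224 while the enum orders them P-192, P-224, P-256, P-384, P-521; one order throughout would be easier to check.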
[dpdk-dev] [PATCH v2 15/17] common/cnxk: add EC grp static vectors
From: Kiran Kumar Kokkilagadda EC group static vectors are required for CPT asymmetric operations. Signed-off-by: Anoob Joseph Signed-off-by: Kiran Kumar Kokkilagadda --- drivers/common/cnxk/meson.build | 1 + drivers/common/cnxk/roc_ae.c| 142 drivers/common/cnxk/roc_ae.h| 7 ++ drivers/common/cnxk/version.map | 2 + 4 files changed, 152 insertions(+) create mode 100644 drivers/common/cnxk/roc_ae.c diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build index 181b58e..4c5d318 100644 --- a/drivers/common/cnxk/meson.build +++ b/drivers/common/cnxk/meson.build @@ -11,6 +11,7 @@ endif config_flag_fmt = 'RTE_LIBRTE_@0@_COMMON' deps = ['eal', 'pci', 'bus_pci', 'mbuf'] sources = files( +'roc_ae.c', 'roc_ae_fpm_tables.c', 'roc_cpt.c', 'roc_cpt_debug.c', diff --git a/drivers/common/cnxk/roc_ae.c b/drivers/common/cnxk/roc_ae.c new file mode 100644 index 000..cf3f7fc --- /dev/null +++ b/drivers/common/cnxk/roc_ae.c 
@@ -0,0 +1,142 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include "roc_api.h" + +#define AE_EC_GRP_TBL_NAME "ae_ec_grp_tbl" + +struct ae_ec_grp_tbl { + uint64_t refcount; + uint8_t ec_grp_tbl[]; +}; + +const struct roc_ae_ec_group ae_ec_grp[ROC_AE_EC_ID_PMAX] = { + { + .prime = {.data = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, + .length = 24}, + .order = {.data = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0x99, 0xDE, 0xF8, 0x36, 0x14, 0x6B, + 0xC9, 0xB1, 0xB4, 0xD2, 0x28, 0x31}, + .length = 24}, + }, + { + .prime = {.data = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, + .length = 28}, + .order = {.data = {0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, + 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, 0XFF, + 0X16, 0XA2, 0XE0, 0XB8, 0XF0, 0X3E, 0X13, + 0XDD, 0X29, 0X45, 0X5C, 0X5C, 0X2A, 0X3D}, + .length = 28}, + }, + { + .prime = {.data = {0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF}, + .length = 32}, + .order = {.data = {0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, + 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, + 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, + 0xFC, 0x63, 0x25, 0x51}, + .length = 32}, + }, + {.prime = {.data = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, + 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF}, + .length = 48}, +.order = {.data = {0xFF, 0xFF, 0xFF, 0xFF, 
0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, + 0x58, 0x1A, 0x0D, 0xB2, 0x48, 0xB0, 0xA7, 0x7A, + 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73}, + .length = 48}}, + {.prime = {.data = {0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
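Review bot: In roc_ae.c, the entries of ae_ec_grp[ROC_AE_EC_ID_PMAX] are positional, so which prime and order belong to which curve depends entirely on the initialiser order matching the curve id enum, and nothing in the file says which entry is which. Use designated initialisers indexed by the curve id, or at least a comment per entry, so a reordering of the enum cannot silently pair a curve with the wrong parameters. Style: the second entry's order uses 0XFF while everything else uses 0xFF, and the brace layout changes from the fourth entry on.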
[dpdk-dev] [PATCH v2 16/17] common/cnxk: add IPsec common code
From: Srujana Challa Add code that can be leveraged across lookaside and inline IPsec on cn10k. Signed-off-by: Srujana Challa Signed-off-by: Nithin Dabilpuram Signed-off-by: Tejasree Kondoj --- drivers/common/cnxk/cnxk_security.c | 468 drivers/common/cnxk/cnxk_security.h | 49 drivers/common/cnxk/meson.build | 6 +- drivers/common/cnxk/version.map | 8 + 4 files changed, 530 insertions(+), 1 deletion(-) create mode 100644 drivers/common/cnxk/cnxk_security.c create mode 100644 drivers/common/cnxk/cnxk_security.h diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c new file mode 100644 index 000..17889bb --- /dev/null +++ b/drivers/common/cnxk/cnxk_security.c 
@@ -0,0 +1,468 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include "cnxk_security.h" + +static int +ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, + uint8_t *cipher_key, uint8_t *salt_key, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + const uint8_t *key; + uint32_t *tmp_salt; + uint64_t *tmp_key; + int length, i; + + /* Set direction */ + switch (ipsec_xfrm->direction) { + case RTE_SECURITY_IPSEC_SA_DIR_INGRESS: + w2->s.dir = ROC_IE_OT_SA_DIR_INBOUND; + break; + case RTE_SECURITY_IPSEC_SA_DIR_EGRESS: + w2->s.dir = ROC_IE_OT_SA_DIR_OUTBOUND; + break; + default: + return -EINVAL; + } + + /* Set protocol - ESP vs AH */ + switch (ipsec_xfrm->proto) { + case RTE_SECURITY_IPSEC_SA_PROTO_ESP: + w2->s.protocol = ROC_IE_OT_SA_PROTOCOL_ESP; + break; + case RTE_SECURITY_IPSEC_SA_PROTO_AH: + w2->s.protocol = ROC_IE_OT_SA_PROTOCOL_AH; + break; + default: + return -EINVAL; + } + + /* Set mode - transport vs tunnel */ + switch (ipsec_xfrm->mode) { + case RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT: + w2->s.mode = ROC_IE_OT_SA_MODE_TRANSPORT; + break; + case RTE_SECURITY_IPSEC_SA_MODE_TUNNEL: + w2->s.mode = ROC_IE_OT_SA_MODE_TUNNEL; + break; + default: + return -EINVAL; + } + + /* Set encryption algorithm */ + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + key = crypto_xfrm->aead.key.data; + length = crypto_xfrm->aead.key.length; + + switch (crypto_xfrm->aead.algo) { + case RTE_CRYPTO_AEAD_AES_GCM: + w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_GCM; + w2->s.auth_type = ROC_IE_OT_SA_AUTH_NULL; + memcpy(salt_key, &ipsec_xfrm->salt, 4); + tmp_salt = (uint32_t *)salt_key; + *tmp_salt = rte_be_to_cpu_32(*tmp_salt); + break; + default: + return -ENOTSUP; + } + } else { + return -ENOTSUP; + } + + w2->s.spi = ipsec_xfrm->spi; + + /* Copy encryption key */ + memcpy(cipher_key, key, length); + tmp_key = (uint64_t *)cipher_key; + for (i = 0; i < (int)(ROC_CTX_MAX_CKEY_LEN / 
sizeof(uint64_t)); i++) + tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]); + + switch (length) { + case ROC_CPT_AES128_KEY_LEN: + w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_128; + break; + case ROC_CPT_AES192_KEY_LEN: + w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_192; + break; + case ROC_CPT_AES256_KEY_LEN: + w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_256; + break; + default: + return -EINVAL; + } + + return 0; +} + +static size_t +ot_ipsec_inb_ctx_size(struct roc_ot_ipsec_inb_sa *sa) +{ + size_t size; + + /* Variable based on Anti-replay Window */ + size = offsetof(struct roc_ot_ipsec_inb_sa, ctx) + + offsetof(struct roc_ot_ipsec_inb_ctx_update_reg, ar_winbits); + + if (sa->w0.s.ar_win) + size += (1 << (sa->w0.s.ar_win - 1)) * sizeof(uint64_t); + + return size; +} + +int +cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + union roc_ot_ipsec_sa_word2 w2; + uint32_t replay_win_sz; + size_t offset; + int rc; + + w2.u64 = 0; + rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->w8.s.salt, + ipsec_xfrm, crypto_xfrm); + if (rc) + return
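Review bot: In ot_ipsec_sa_common_param_fill(), memcpy(cipher_key, key, length) runs before the switch (length) that rejects anything other than the three AES key lengths, so an oversized aead.key.length from the application is already copied into the SA's cipher_key buffer by the time -EINVAL is returned. Move the length switch above the copy, or bound length by ROC_CTX_MAX_CKEY_LEN first. The byte-swap loop that follows always walks ROC_CTX_MAX_CKEY_LEN bytes regardless of length, which relies on the caller having zeroed the SA; a comment stating that requirement would help. In ot_ipsec_inb_ctx_size(), 1 << (sa->w0.s.ar_win - 1) is an int shift added to a size_t; please document the valid range of ar_win.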
[dpdk-dev] [PATCH v2 17/17] common/cnxk: add SE set key functions in roc
From: Ankur Dwivedi The set key functions are added in roc. Signed-off-by: Ankur Dwivedi --- drivers/common/cnxk/meson.build | 1 + drivers/common/cnxk/roc_se.c| 342 drivers/common/cnxk/roc_se.h| 8 + drivers/common/cnxk/version.map | 2 + 4 files changed, 353 insertions(+) create mode 100644 drivers/common/cnxk/roc_se.c diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build index 1f118ef..08f54f5 100644 --- a/drivers/common/cnxk/meson.build +++ b/drivers/common/cnxk/meson.build @@ -44,6 +44,7 @@ sources = files( 'roc_npc_parse.c', 'roc_npc_utils.c', 'roc_platform.c', +'roc_se.c', 'roc_sso.c', 'roc_sso_debug.c', 'roc_sso_irq.c', diff --git a/drivers/common/cnxk/roc_se.c b/drivers/common/cnxk/roc_se.c new file mode 100644 index 000..3f74175 --- /dev/null +++ b/drivers/common/cnxk/roc_se.c 
@@ -0,0 +1,342 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include "roc_api.h" + +static uint8_t zuc_d[32] = {0x44, 0xD7, 0x26, 0xBC, 0x62, 0x6B, 0x13, 0x5E, + 0x57, 0x89, 0x35, 0xE2, 0x71, 0x35, 0x09, 0xAF, + 0x4D, 0x78, 0x2F, 0x13, 0x6B, 0xC4, 0x1A, 0xF1, + 0x5E, 0x26, 0x3C, 0x4D, 0x78, 0x9A, 0x47, 0xAC}; + +static inline void +cpt_snow3g_key_gen(const uint8_t *ck, uint32_t *keyx) +{ + int i, base; + + for (i = 0; i < 4; i++) { + base = 4 * i; + keyx[3 - i] = (ck[base] << 24) | (ck[base + 1] << 16) | + (ck[base + 2] << 8) | (ck[base + 3]); + keyx[3 - i] = plt_cpu_to_be_32(keyx[3 - i]); + } +} + +static inline int +cpt_ciph_aes_key_validate(uint16_t key_len) +{ + switch (key_len) { + case 16: + case 24: + case 32: + return 0; + default: + return -1; + } +} + +static inline int +cpt_ciph_type_set(roc_se_cipher_type type, struct roc_se_ctx *ctx, + uint16_t key_len) +{ + int fc_type = 0; + + switch (type) { + case ROC_SE_PASSTHROUGH: + fc_type = ROC_SE_FC_GEN; + break; + case ROC_SE_DES3_CBC: + case ROC_SE_DES3_ECB: + fc_type = ROC_SE_FC_GEN; + break; + case ROC_SE_AES_CBC: + case ROC_SE_AES_ECB: + case ROC_SE_AES_CFB: + case ROC_SE_AES_CTR: + case ROC_SE_AES_GCM: + if (unlikely(cpt_ciph_aes_key_validate(key_len) != 0)) + return -1; + fc_type = ROC_SE_FC_GEN; + break; + case ROC_SE_CHACHA20: + fc_type = ROC_SE_FC_GEN; + break; + case ROC_SE_AES_XTS: + key_len = key_len / 2; + if (unlikely(key_len == 24)) { + plt_err("Invalid AES key len for XTS"); + return -1; + } + if (unlikely(cpt_ciph_aes_key_validate(key_len) != 0)) + return -1; + fc_type = ROC_SE_FC_GEN; + break; + case ROC_SE_ZUC_EEA3: + case ROC_SE_SNOW3G_UEA2: + if (unlikely(key_len != 16)) + return -1; + /* No support for AEAD yet */ + if (unlikely(ctx->hash_type)) + return -1; + fc_type = ROC_SE_PDCP; + break; + case ROC_SE_AES_CTR_EEA2: + fc_type = ROC_SE_PDCP; + break; + case ROC_SE_KASUMI_F8_CBC: + case ROC_SE_KASUMI_F8_ECB: + if (unlikely(key_len != 16)) + return 
-1; + /* No support for AEAD yet */ + if (unlikely(ctx->hash_type)) + return -1; + fc_type = ROC_SE_KASUMI; + break; + default: + return -1; + } + + ctx->fc_type = fc_type; + return 0; +} + +static inline void +cpt_ciph_aes_key_type_set(struct roc_se_context *fctx, uint16_t key_len) +{ + roc_se_aes_type aes_key_type = 0; + + switch (key_len) { + case 16: + aes_key_type = ROC_SE_AES_128_BIT; + break; + case 24: + aes_key_type = ROC_SE_AES_192_BIT; + break; + case 32: + aes_key_type = ROC_SE_AES_256_BIT; + break; + default: + /* This should not happen */ + plt_err("Invalid AES key len"); + return; + } + fctx->enc.aes_key = aes_key_type; +} + +int +roc_se_auth_key_set(struct roc_se_ctx *se_ctx, roc_se_auth_type type, + const uint8_t *key, uint16_t key_len, uint16_t mac_len) +{ + struct roc_se_zuc_snow3g_ctx *zs_ctx; + struct roc_se_kasumi_ctx *k_ctx; + struct roc_se_context *fctx; + +
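Review bot: In cpt_ciph_type_set(), key-length checking is uneven across cipher types: the AES modes go through cpt_ciph_aes_key_validate() and ZUC, SNOW3G and KASUMI require 16 bytes, but ROC_SE_AES_CTR_EEA2, the DES3 modes and ROC_SE_CHACHA20 set fc_type without looking at key_len at all. Validate key_len in those cases as well so a bad length is rejected here. For ROC_SE_AES_XTS, key_len = key_len / 2 lets an odd length pass once truncated. In cpt_snow3g_key_gen(), ck[base] << 24 shifts a value promoted to int, which overflows for bytes of 0x80 and above; cast to uint32_t before shifting. cpt_ciph_aes_key_type_set() only logs on an invalid length and returns void, leaving enc.aes_key unset; returning an error would let the caller stop.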
[dpdk-dev] [PATCH v2 00/20] Add Marvell CNXK crypto PMDs
Add cnxk crypto PMDs supporting Marvell CN106XX SoC, based on 'common/cnxk'.

This series utilizes 'common/cnxk' to register cn9k & cn10k crypto PMDs and add symmetric cryptographic features for the same.

Depends-on: series-17482 ("Add CPT in Marvell CNXK common driver")

Changes in v2:
- Added documentation & updated release notes
- Reworked DP logs as suggested by Akhil
- Rearranged capability additions & feature flag updates as suggested by Akhil
- Rebased on v2 of dependant series

Ankur Dwivedi (5):
  crypto/cnxk: add driver skeleton
  crypto/cnxk: add probe and remove
  crypto/cnxk: add device control ops
  crypto/cnxk: add queue pair ops
  crypto/cnxk: add symmetric crypto capabilities

Anoob Joseph (5):
  crypto/cnxk: add session ops framework
  crypto/cnxk: add enqueue burst op
  crypto/cnxk: add dequeue burst op
  crypto/cnxk: add cipher operation in session
  crypto/cnxk: add auth operation in session

Archana Muniganti (5):
  crypto/cnxk: add aead operation in session
  crypto/cnxk: add chained operation in session
  crypto/cnxk: add flexi crypto cipher encrypt
  crypto/cnxk: add flexi crypto cipher decrypt
  crypto/cnxk: add ZUC and SNOW3G encrypt

Tejasree Kondoj (5):
  crypto/cnxk: add ZUC and SNOW3G decrypt
  crypto/cnxk: add KASUMI encrypt
  crypto/cnxk: add KASUMI decrypt
  crypto/cnxk: add digest support
  test/crypto: enable cnxk crypto PMDs

 MAINTAINERS                                       |    9 +
 app/test/meson.build                              |    2 +
 app/test/test_cryptodev.c                         |   14 +
 app/test/test_cryptodev.h                         |    2 +
 doc/guides/cryptodevs/cnxk.rst                    |  192 ++
 doc/guides/cryptodevs/features/cn10k.ini          |   66 +
 doc/guides/cryptodevs/features/cn9k.ini           |   66 +
 doc/guides/rel_notes/release_21_08.rst            |    7 +
 drivers/crypto/cnxk/cn10k_cryptodev.c             |  152 ++
 drivers/crypto/cnxk/cn10k_cryptodev.h             |   13 +
 drivers/crypto/cnxk/cn10k_cryptodev_ops.c         |  357 +++
 drivers/crypto/cnxk/cn10k_cryptodev_ops.h         |   15 +
 drivers/crypto/cnxk/cn9k_cryptodev.c              |  150 ++
 drivers/crypto/cnxk/cn9k_cryptodev.h              |   13 +
 drivers/crypto/cnxk/cn9k_cryptodev_ops.c          |  319 +++
 drivers/crypto/cnxk/cn9k_cryptodev_ops.h          |   14 +
 drivers/crypto/cnxk/cnxk_cryptodev.c              |   33 +
 drivers/crypto/cnxk/cnxk_cryptodev.h              |   26 +
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c |  699 ++
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h |   25 +
 drivers/crypto/cnxk/cnxk_cryptodev_ops.c          |  551 +
 drivers/crypto/cnxk/cnxk_cryptodev_ops.h          |  108 +
 drivers/crypto/cnxk/cnxk_se.h                     | 2675 +
 drivers/crypto/cnxk/meson.build                   |   21 +
 drivers/crypto/cnxk/version.map                   |    3 +
 drivers/crypto/meson.build                        |    1 +
 26 files changed, 5533 insertions(+)
 create mode 100644 doc/guides/cryptodevs/cnxk.rst
 create mode 100644 doc/guides/cryptodevs/features/cn10k.ini
 create mode 100644 doc/guides/cryptodevs/features/cn9k.ini
 create mode 100644 drivers/crypto/cnxk/cn10k_cryptodev.c
 create mode 100644 drivers/crypto/cnxk/cn10k_cryptodev.h
 create mode 100644 drivers/crypto/cnxk/cn10k_cryptodev_ops.c
 create mode 100644 drivers/crypto/cnxk/cn10k_cryptodev_ops.h
 create mode 100644 drivers/crypto/cnxk/cn9k_cryptodev.c
 create mode 100644 drivers/crypto/cnxk/cn9k_cryptodev.h
 create mode 100644 drivers/crypto/cnxk/cn9k_cryptodev_ops.c
 create mode 100644 drivers/crypto/cnxk/cn9k_cryptodev_ops.h
 create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev.c
 create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev.h
 create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
 create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h
 create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_ops.c
 create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_ops.h
 create mode 100644 drivers/crypto/cnxk/cnxk_se.h
 create mode 100644 drivers/crypto/cnxk/meson.build
 create mode 100644 drivers/crypto/cnxk/version.map

-- 
2.7.4
[dpdk-dev] [PATCH v2 01/20] crypto/cnxk: add driver skeleton
From: Ankur Dwivedi Add driver skeleton for crypto_cn9k & crypto_cn10k PMDs leveraging cnxk common framework. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- MAINTAINERS | 9 +++ doc/guides/cryptodevs/cnxk.rst | 126 +++ doc/guides/cryptodevs/features/cn10k.ini | 21 ++ doc/guides/cryptodevs/features/cn9k.ini | 21 ++ drivers/crypto/cnxk/cn10k_cryptodev.c| 42 +++ drivers/crypto/cnxk/cn10k_cryptodev.h| 13 drivers/crypto/cnxk/cn9k_cryptodev.c | 40 ++ drivers/crypto/cnxk/cn9k_cryptodev.h | 13 drivers/crypto/cnxk/meson.build | 16 drivers/crypto/cnxk/version.map | 3 + drivers/crypto/meson.build | 1 + 11 files changed, 305 insertions(+) create mode 100644 doc/guides/cryptodevs/cnxk.rst create mode 100644 doc/guides/cryptodevs/features/cn10k.ini create mode 100644 doc/guides/cryptodevs/features/cn9k.ini create mode 100644 drivers/crypto/cnxk/cn10k_cryptodev.c create mode 100644 drivers/crypto/cnxk/cn10k_cryptodev.h create mode 100644 drivers/crypto/cnxk/cn9k_cryptodev.c create mode 100644 drivers/crypto/cnxk/cn9k_cryptodev.h create mode 100644 drivers/crypto/cnxk/meson.build create mode 100644 drivers/crypto/cnxk/version.map diff --git a/MAINTAINERS b/MAINTAINERS index 5877a16..851b408 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1080,6 +1080,15 @@ F: drivers/crypto/octeontx2/ F: doc/guides/cryptodevs/octeontx2.rst F: doc/guides/cryptodevs/features/octeontx2.ini +Marvell cnxk crypto +M: Ankur Dwivedi +M: Anoob Joseph +M: Tejasree Kondoj +F: drivers/crypto/cnxk/ +F: doc/guides/cryptodevs/cnxk.rst +F: doc/guides/cryptodevs/features/cn9k.ini +F: doc/guides/cryptodevs/features/cn10k.ini + Null Crypto M: Declan Doherty F: drivers/crypto/null/ diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst new file mode 100644 index 000..8bac539 --- /dev/null +++ b/doc/guides/cryptodevs/cnxk.rst 
@@ -0,0 +1,126 @@ +.. SPDX-License-Identifier: BSD-3-Clause + Copyright(c) 2021 Marvell. + +Marvell cnxk Crypto Poll Mode Driver + + +The cnxk crypto poll mode driver provides support for offloading +cryptographic operations to cryptographic accelerator units on the +**Marvell OCTEON cnxk** SoC family. + +The cnxk crypto PMD code is organized into different sets of files. +The file names starting with cn9k and cn10k provides support for CN9XX +and CN10XX respectively. The common code between the SoCs is present +in file names starting with cnxk. + +More information about OCTEON cnxk SoCs may be obtained from `<https://www.marvell.com>`_ + +Supported OCTEON cnxk SoCs +-- + +- CN9XX +- CN10XX + +Installation + + +The OCTEON cnxk crypto PMD may be compiled natively on an OCTEON cnxk platform +or cross-compiled on an x86 platform. + +Refer to :doc:`../platform/cnxk` for instructions to build your DPDK +application. + +.. note:: + + The OCTEON cnxk crypto PMD uses services from the kernel mode OCTEON cnxk + crypto PF driver in linux. This driver is included in the OCTEON TX SDK. + +Initialization +-- + +``CN9K Initialization`` + +List the CPT PF devices available on cn9k platform: + +.. code-block:: console + +lspci -d:a0fd + +``a0fd`` is the CPT PF device id. You should see output similar to: + +.. code-block:: console + +0002:10:00.0 Class 1080: Device 177d:a0fd + +Set ``sriov_numvfs`` on the CPT PF device, to create a VF: + +.. code-block:: console + +echo 1 > /sys/bus/pci/devices/0002:10:00.0/sriov_numvfs + +Bind the CPT VF device to the vfio_pci driver: + +.. code-block:: console + +cd +./usertools/dpdk-devbind.py -u 0002:10:00.1 +./usertools/dpdk-devbind.py -b vfio-pci 0002:10.00.1 + +.. note:: + +* For CN98xx SoC, it is recommended to use even and odd DBDF VFs to achieve + higher performance as even VF uses one crypto engine and odd one uses + another crypto engine. 
+ +* Ensure that sufficient huge pages are available for your application:: + + dpdk-hugepages.py --setup 4G --pagesize 512M + + Refer to :ref:`linux_gsg_hugepages` for more details. + +``CN10K Initialization`` + +List the CPT PF devices available on cn10k platform: + +.. code-block:: console + +lspci -d:a0f2 + +``a0f2`` is the CPT PF device id. You should see output similar to: + +.. code-block:: console + +0002:20:00.0 Class 1080: Device 177d:a0f2 + +Set ``sriov_numvfs`` on the CPT PF device, to create a VF: + +.. code-block:: console + +echo 1 > /sys/bus/pci/devices/0002:20:00.0/sriov_numvfs + +Bind the CPT VF device to the vfio_pci driver: + +.. code-block:: console + +cd +./usertools/dpdk-devbind.py -u 0002:20:00.1 +./usertools/dpdk-devbind.py -b vfio-pci 0002:20:00.1 + +D
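Review bot: In the CN9K initialization steps of cnxk.rst, the bind command uses 0002:10.00.1 while the unbind command on the line before it uses 0002:10:00.1; the dot after the bus number is not valid in a domain:bus:device.function address and looks like a typo, so a reader copying the command will fail to bind the VF. The CN10K block has the address right in both commands. Minor wording: the prose says "vfio_pci driver" while the command uses vfio-pci, and "file names starting with cn9k and cn10k provides" should read "provide".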
[dpdk-dev] [PATCH v2 02/20] crypto/cnxk: add probe and remove
From: Ankur Dwivedi Add probe & remove for cn9k & cn10k crypto PMDs. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph > Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cn10k_cryptodev.c | 98 ++- drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 34 +++ drivers/crypto/cnxk/cn10k_cryptodev_ops.h | 13 drivers/crypto/cnxk/cn9k_cryptodev.c | 98 ++- drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 34 +++ drivers/crypto/cnxk/cn9k_cryptodev_ops.h | 12 drivers/crypto/cnxk/cnxk_cryptodev.c | 33 +++ drivers/crypto/cnxk/cnxk_cryptodev.h | 21 +++ drivers/crypto/cnxk/meson.build | 3 + 9 files changed, 342 insertions(+), 4 deletions(-) create mode 100644 drivers/crypto/cnxk/cn10k_cryptodev_ops.c create mode 100644 drivers/crypto/cnxk/cn10k_cryptodev_ops.h create mode 100644 drivers/crypto/cnxk/cn9k_cryptodev_ops.c create mode 100644 drivers/crypto/cnxk/cn9k_cryptodev_ops.h create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev.c create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index 4d2140c..a66b777 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -11,6 +11,8 @@ #include #include "cn10k_cryptodev.h" +#include "cn10k_cryptodev_ops.h" +#include "cnxk_cryptodev.h" #include "roc_api.h" uint8_t cn10k_cryptodev_driver_id; 
@@ -26,11 +28,103 @@ static struct rte_pci_id pci_id_cpt_table[] = { }, }; +static int +cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, + struct rte_pci_device *pci_dev) +{ + struct rte_cryptodev_pmd_init_params init_params = { + .name = "", + .socket_id = rte_socket_id(), + .private_data_size = sizeof(struct cnxk_cpt_vf) + }; + char name[RTE_CRYPTODEV_NAME_MAX_LEN]; + struct rte_cryptodev *dev; + struct roc_cpt *roc_cpt; + struct cnxk_cpt_vf *vf; + int rc; + + rc = roc_plt_init(); + if (rc < 0) { + plt_err("Failed to initialize platform model"); + return rc; + } + + rte_pci_device_name(&pci_dev->addr, name, sizeof(name)); + + dev = rte_cryptodev_pmd_create(name, &pci_dev->device, &init_params); + if (dev == NULL) { + rc = -ENODEV; + goto exit; + } + + /* Get private data space allocated */ + vf = dev->data->dev_private; + + roc_cpt = &vf->cpt; + + if (rte_eal_process_type() == RTE_PROC_PRIMARY) { + roc_cpt->pci_dev = pci_dev; + rc = roc_cpt_dev_init(roc_cpt); + if (rc) { + plt_err("Failed to initialize roc cpt rc=%d", rc); + goto pmd_destroy; + } + + rc = cnxk_cpt_eng_grp_add(roc_cpt); + if (rc) { + plt_err("Failed to add engine group rc=%d", rc); + goto dev_fini; + } + } + + dev->dev_ops = &cn10k_cpt_ops; + dev->driver_id = cn10k_cryptodev_driver_id; + + return 0; + +dev_fini: + if (rte_eal_process_type() == RTE_PROC_PRIMARY) + roc_cpt_dev_fini(roc_cpt); +pmd_destroy: + rte_cryptodev_pmd_destroy(dev); +exit: + plt_err("Could not create device (vendor_id: 0x%x device_id: 0x%x)", + pci_dev->id.vendor_id, pci_dev->id.device_id); + return rc; +} + +static int +cn10k_cpt_pci_remove(struct rte_pci_device *pci_dev) +{ + char name[RTE_CRYPTODEV_NAME_MAX_LEN]; + struct rte_cryptodev *dev; + struct cnxk_cpt_vf *vf; + int ret; + + if (pci_dev == NULL) + return -EINVAL; + + rte_pci_device_name(&pci_dev->addr, name, sizeof(name)); + + dev = rte_cryptodev_pmd_get_named_dev(name); + if (dev == NULL) + return -ENODEV; + + if (rte_eal_process_type() == 
RTE_PROC_PRIMARY) { + vf = dev->data->dev_private; + ret = roc_cpt_dev_fini(&vf->cpt); + if (ret) + return ret; + } + + return rte_cryptodev_pmd_destroy(dev); +} + static struct rte_pci_driver cn10k_cryptodev_pmd = { .id_table = pci_id_cpt_table, .drv_flags = RTE_PCI_DRV_NEED_MAPPING | RTE_PCI_DRV_NEED_IOVA_AS_VA, - .probe = NULL, - .remove = NULL, + .probe = cn10k_cpt_pci_probe, + .remove = cn10k_cpt_pci_remove, }; static struct cryptodev_driver cn10k_cryptodev_drv; diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_crypto
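Review bot: In cn10k_cpt_pci_remove(), a failure from roc_cpt_dev_fini() returns immediately and skips rte_cryptodev_pmd_destroy(), so the cryptodev stays registered after a remove that reported an error. Log the failure and still destroy the device, returning the first error, or add a comment explaining why the device must be kept in that case. In cn10k_cpt_pci_probe(), the plt_err() under the exit label is also reached from the dev_fini and pmd_destroy paths, which have already logged a more specific message; putting the vendor and device ids in those earlier messages would avoid the duplicate.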
[dpdk-dev] [PATCH v2 03/20] crypto/cnxk: add device control ops
From: Ankur Dwivedi Add ops for - dev_configure() - dev_start() - dev_stop() - dev_close() - dev_infos_get() Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 21 +++-- drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 21 +++-- drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 77 +++ drivers/crypto/cnxk/cnxk_cryptodev_ops.h | 24 ++ drivers/crypto/cnxk/meson.build | 1 + 5 files changed, 134 insertions(+), 10 deletions(-) create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_ops.c create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_ops.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 6f80f74..b0eccb3 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -7,14 +7,25 @@ #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" +#include "cnxk_cryptodev_ops.h" + +static void +cn10k_cpt_dev_info_get(struct rte_cryptodev *dev, + struct rte_cryptodev_info *info) +{ + if (info != NULL) { + cnxk_cpt_dev_info_get(dev, info); + info->driver_id = cn10k_cryptodev_driver_id; + } +} struct rte_cryptodev_ops cn10k_cpt_ops = { /* Device control ops */ - .dev_configure = NULL, - .dev_start = NULL, - .dev_stop = NULL, - .dev_close = NULL, - .dev_infos_get = NULL, + .dev_configure = cnxk_cpt_dev_config, + .dev_start = cnxk_cpt_dev_start, + .dev_stop = cnxk_cpt_dev_stop, + .dev_close = cnxk_cpt_dev_close, + .dev_infos_get = cn10k_cpt_dev_info_get, .stats_get = NULL, .stats_reset = NULL, diff --git a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c index 51f9845..acfb071 100644 --- a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c 
@@ -7,14 +7,25 @@ #include "cn9k_cryptodev.h" #include "cn9k_cryptodev_ops.h" +#include "cnxk_cryptodev_ops.h" + +static void +cn9k_cpt_dev_info_get(struct rte_cryptodev *dev, + struct rte_cryptodev_info *info) +{ + if (info != NULL) { + cnxk_cpt_dev_info_get(dev, info); + info->driver_id = cn9k_cryptodev_driver_id; + } +} struct rte_cryptodev_ops cn9k_cpt_ops = { /* Device control ops */ - .dev_configure = NULL, - .dev_start = NULL, - .dev_stop = NULL, - .dev_close = NULL, - .dev_infos_get = NULL, + .dev_configure = cnxk_cpt_dev_config, + .dev_start = cnxk_cpt_dev_start, + .dev_stop = cnxk_cpt_dev_stop, + .dev_close = cnxk_cpt_dev_close, + .dev_infos_get = cn9k_cpt_dev_info_get, .stats_get = NULL, .stats_reset = NULL, diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c new file mode 100644 index 000..810f3b8 --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c 
@@ -0,0 +1,77 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include +#include +#include + +#include "roc_cpt.h" + +#include "cnxk_cryptodev.h" +#include "cnxk_cryptodev_ops.h" + +int +cnxk_cpt_dev_config(struct rte_cryptodev *dev, + struct rte_cryptodev_config *conf) +{ + struct cnxk_cpt_vf *vf = dev->data->dev_private; + struct roc_cpt *roc_cpt = &vf->cpt; + uint16_t nb_lf_avail, nb_lf; + int ret; + + dev->feature_flags &= ~conf->ff_disable; + + nb_lf_avail = roc_cpt->nb_lf_avail; + nb_lf = conf->nb_queue_pairs; + + if (nb_lf > nb_lf_avail) + return -ENOTSUP; + + ret = roc_cpt_dev_configure(roc_cpt, nb_lf); + if (ret) { + plt_err("Could not configure device"); + return ret; + } + + return 0; +} + +int +cnxk_cpt_dev_start(struct rte_cryptodev *dev) +{ + RTE_SET_USED(dev); + + return 0; +} + +void +cnxk_cpt_dev_stop(struct rte_cryptodev *dev) +{ + RTE_SET_USED(dev); +} + +int +cnxk_cpt_dev_close(struct rte_cryptodev *dev) +{ + struct cnxk_cpt_vf *vf = dev->data->dev_private; + + roc_cpt_dev_clear(&vf->cpt); + + return 0; +} + +void +cnxk_cpt_dev_info_get(struct rte_cryptodev *dev, + struct rte_cryptodev_info *info) +{ + struct cnxk_cpt_vf *vf = dev->data->dev_private; + struct roc_cpt *roc_cpt = &vf->cpt; + + info->max_nb_queue_pairs = roc_cpt->nb_lf_avail; + info->feature_flags = dev->feature_flags; + info->capabilities = NULL; + info->sym.max_nb_sessions = 0; +
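Review bot: In cnxk_cpt_dev_config(), dev->feature_flags &= ~conf->ff_disable clears bits in the device's own flag word, so a feature disabled in one configure call stays disabled on every later reconfigure even when ff_disable no longer names it. Keep the full feature mask separately and derive the active flags from it on each call. The nb_lf > nb_lf_avail case returns -ENOTSUP where -EINVAL would describe a bad queue pair count better, and the cn10k and cn9k dev_info_get wrappers return silently on a NULL info pointer; a comment or a log line there would make that choice visible.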
[dpdk-dev] [PATCH v2 04/20] crypto/cnxk: add queue pair ops
From: Ankur Dwivedi Add ops for - queue_pair_setup() - queue_pair_release() Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 4 +- drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 4 +- drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 253 ++ drivers/crypto/cnxk/cnxk_cryptodev_ops.h | 48 ++ 4 files changed, 305 insertions(+), 4 deletions(-) diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index b0eccb3..007d449 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -29,8 +29,8 @@ struct rte_cryptodev_ops cn10k_cpt_ops = { .stats_get = NULL, .stats_reset = NULL, - .queue_pair_setup = NULL, - .queue_pair_release = NULL, + .queue_pair_setup = cnxk_cpt_queue_pair_setup, + .queue_pair_release = cnxk_cpt_queue_pair_release, /* Symmetric crypto ops */ .sym_session_get_size = NULL, diff --git a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c index acfb071..73ccf5b 100644 --- a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c @@ -29,8 +29,8 @@ struct rte_cryptodev_ops cn9k_cpt_ops = { .stats_get = NULL, .stats_reset = NULL, - .queue_pair_setup = NULL, - .queue_pair_release = NULL, + .queue_pair_setup = cnxk_cpt_queue_pair_setup, + .queue_pair_release = cnxk_cpt_queue_pair_release, /* Symmetric crypto ops */ .sym_session_get_size = NULL, diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c index 810f3b8..cf04aec 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c 
@@ -11,6 +11,24 @@ #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" +static int +cnxk_cpt_get_mlen(void) +{ + uint32_t len; + + /* For MAC */ + len = 2 * sizeof(uint64_t); + len += ROC_SE_MAX_MAC_LEN * sizeof(uint8_t); + + len += ROC_SE_OFF_CTRL_LEN + ROC_CPT_AES_CBC_IV_LEN; + len += RTE_ALIGN_CEIL((ROC_SE_SG_LIST_HDR_SIZE + + (RTE_ALIGN_CEIL(ROC_SE_MAX_SG_IN_OUT_CNT, 4) >> + 2) * ROC_SE_SG_ENTRY_SIZE), + 8); + + return len; +} + int cnxk_cpt_dev_config(struct rte_cryptodev *dev, struct rte_cryptodev_config *conf) @@ -55,6 +73,16 @@ int cnxk_cpt_dev_close(struct rte_cryptodev *dev) { struct cnxk_cpt_vf *vf = dev->data->dev_private; + uint16_t i; + int ret; + + for (i = 0; i < dev->data->nb_queue_pairs; i++) { + ret = cnxk_cpt_queue_pair_release(dev, i); + if (ret < 0) { + plt_err("Could not release queue pair %u", i); + return ret; + } + } roc_cpt_dev_clear(&vf->cpt); 
@@ -75,3 +103,228 @@ cnxk_cpt_dev_info_get(struct rte_cryptodev *dev, info->min_mbuf_headroom_req = CNXK_CPT_MIN_HEADROOM_REQ; info->min_mbuf_tailroom_req = 0; } + +static void +qp_memzone_name_get(char *name, int size, int dev_id, int qp_id) +{ + snprintf(name, size, "cnxk_cpt_pq_mem_%u:%u", dev_id, qp_id); +} + +static int +cnxk_cpt_metabuf_mempool_create(const struct rte_cryptodev *dev, + struct cnxk_cpt_qp *qp, uint8_t qp_id, + uint32_t nb_elements) +{ + char mempool_name[RTE_MEMPOOL_NAMESIZE]; + struct cpt_qp_meta_info *meta_info; + struct rte_mempool *pool; + uint32_t cache_sz; + int mlen = 8; + + if (dev->feature_flags & RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO) { + /* Get meta len */ + mlen = cnxk_cpt_get_mlen(); + } + + cache_sz = RTE_MIN(RTE_MEMPOOL_CACHE_MAX_SIZE, nb_elements / 1.5); + + /* Allocate mempool */ + + snprintf(mempool_name, RTE_MEMPOOL_NAMESIZE, "cnxk_cpt_mb_%u:%u", +dev->data->dev_id, qp_id); + + pool = rte_mempool_create(mempool_name, nb_elements, mlen, cache_sz, 0, + NULL, NULL, NULL, NULL, rte_socket_id(), 0); + + if (pool == NULL) { + plt_err("Could not create mempool for metabuf"); + return rte_errno; + } + + meta_info = &qp->meta_info; + + meta_info->pool = pool; + meta_info->mlen = mlen; + + return 0; +} + +static void +cnxk_cpt_metabuf_mempool_destroy(struct cnxk_cpt_qp *qp) +{ + struct cpt_qp_meta_info *meta_info = &qp->meta_info; + + rte_mempool_free(meta_info->pool); + + meta_info->pool =
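Review bot: In the cnxk_cpt_dev_close() hunk, the loop returns on the first cnxk_cpt_queue_pair_release() failure, which skips the remaining queue pairs and the roc_cpt_dev_clear() call, so one bad queue pair leaves the rest of the device resources allocated. Consider logging the failure, continuing the loop, and returning the first error only after roc_cpt_dev_clear() has run.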
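Review bot: cnxk_cpt_metabuf_mempool_create() returns rte_errno, a positive value, when rte_mempool_create() fails, while the rest of this file reports errors as negative values (-ENOTSUP in cnxk_cpt_dev_config(), the ret < 0 test in cnxk_cpt_dev_close()); a caller testing ret < 0 would treat the failure as success. Return -rte_errno instead. In the same function, "nb_elements / 1.5" uses floating-point arithmetic to size an integer cache; an integer expression such as nb_elements * 2 / 3 avoids the implicit conversions. In qp_memzone_name_get() the %u conversions are fed int arguments, so either take unsigned parameters or use %d.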
[dpdk-dev] [PATCH v2 05/20] crypto/cnxk: add session ops framework
Add session ops - sym_session_get_size - sym_session_configure - sym_session_clear Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 6 +- drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 6 +- drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 187 ++ drivers/crypto/cnxk/cnxk_cryptodev_ops.h | 27 + drivers/crypto/cnxk/cnxk_se.h | 31 + 5 files changed, 251 insertions(+), 6 deletions(-) create mode 100644 drivers/crypto/cnxk/cnxk_se.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 007d449..34dc107 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -33,9 +33,9 @@ struct rte_cryptodev_ops cn10k_cpt_ops = { .queue_pair_release = cnxk_cpt_queue_pair_release, /* Symmetric crypto ops */ - .sym_session_get_size = NULL, - .sym_session_configure = NULL, - .sym_session_clear = NULL, + .sym_session_get_size = cnxk_cpt_sym_session_get_size, + .sym_session_configure = cnxk_cpt_sym_session_configure, + .sym_session_clear = cnxk_cpt_sym_session_clear, /* Asymmetric crypto ops */ .asym_session_get_size = NULL, diff --git a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c index 73ccf5b..bef6159 100644 --- a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c @@ -33,9 +33,9 @@ struct rte_cryptodev_ops cn9k_cpt_ops = { .queue_pair_release = cnxk_cpt_queue_pair_release, /* Symmetric crypto ops */ - .sym_session_get_size = NULL, - .sym_session_configure = NULL, - .sym_session_clear = NULL, + .sym_session_get_size = cnxk_cpt_sym_session_get_size, + .sym_session_configure = cnxk_cpt_sym_session_configure, + .sym_session_clear = cnxk_cpt_sym_session_clear, /* Asymmetric crypto ops */ .asym_session_get_size = NULL, 
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c index cf04aec..8ef0e6f 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c @@ -10,6 +10,7 @@ #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" +#include "cnxk_se.h" static int cnxk_cpt_get_mlen(void) 
@@ -328,3 +329,189 @@ cnxk_cpt_queue_pair_setup(struct rte_cryptodev *dev, uint16_t qp_id, cnxk_cpt_qp_destroy(dev, qp); return ret; } + +unsigned int +cnxk_cpt_sym_session_get_size(struct rte_cryptodev *dev __rte_unused) +{ + return sizeof(struct cnxk_se_sess); +} + +static int +sym_xform_verify(struct rte_crypto_sym_xform *xform) +{ + if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH && + xform->auth.algo == RTE_CRYPTO_AUTH_NULL && + xform->auth.op == RTE_CRYPTO_AUTH_OP_VERIFY) + return -ENOTSUP; + + if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform->next == NULL) + return CNXK_CPT_CIPHER; + + if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH && xform->next == NULL) + return CNXK_CPT_AUTH; + + if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD && xform->next == NULL) + return CNXK_CPT_AEAD; + + if (xform->next == NULL) + return -EIO; + + if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && + xform->cipher.algo == RTE_CRYPTO_CIPHER_3DES_CBC && + xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH && + xform->next->auth.algo == RTE_CRYPTO_AUTH_SHA1) + return -ENOTSUP; + + if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH && + xform->auth.algo == RTE_CRYPTO_AUTH_SHA1 && + xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER && + xform->next->cipher.algo == RTE_CRYPTO_CIPHER_3DES_CBC) + return -ENOTSUP; + + if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && + xform->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT && + xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH && + xform->next->auth.op == RTE_CRYPTO_AUTH_OP_GENERATE) + return CNXK_CPT_CIPHER_ENC_AUTH_GEN; + + if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH && + xform->auth.op == RTE_CRYPTO_AUTH_OP_VERIFY && + xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER && + xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_DECRYPT) + return CNXK_CPT_AUTH_VRFY_CIPHER_DEC; + + if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH && +
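Review bot: In sym_xform_verify(), the two-element cases test only xform->next and never xform->next->next, so in the checks visible here a chain of three or more xforms is classified by its first two elements and the remainder is silently ignored. Reject the chain when xform->next->next != NULL before the chained comparisons. A comment on the return convention would also help, since the function returns negative errno values and CNXK_CPT_* classification codes through the same int.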
[dpdk-dev] [PATCH v2 06/20] crypto/cnxk: add enqueue burst op
Add enqueue_burst op in cn9k & cn10k. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cn10k_cryptodev.c | 2 + drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 189 ++ drivers/crypto/cnxk/cn10k_cryptodev_ops.h | 2 + drivers/crypto/cnxk/cn9k_cryptodev.c | 2 + drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 154 drivers/crypto/cnxk/cn9k_cryptodev_ops.h | 2 + drivers/crypto/cnxk/cnxk_cryptodev_ops.h | 9 ++ 7 files changed, 360 insertions(+) diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index a66b777..53f7a94 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -80,6 +80,8 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, dev->dev_ops = &cn10k_cpt_ops; dev->driver_id = cn10k_cryptodev_driver_id; + cn10k_cpt_set_enqdeq_fns(dev); + return 0; dev_fini: diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 34dc107..5dd2cd2 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c 
@@ -7,7 +7,196 @@ #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" +#include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" +#include "cnxk_se.h" + +static inline struct cnxk_se_sess * +cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op) +{ + const int driver_id = cn10k_cryptodev_driver_id; + struct rte_crypto_sym_op *sym_op = op->sym; + struct rte_cryptodev_sym_session *sess; + struct cnxk_se_sess *priv; + int ret; + + /* Create temporary session */ + sess = rte_cryptodev_sym_session_create(qp->sess_mp); + if (sess == NULL) + return NULL; + + ret = sym_session_configure(qp->lf.roc_cpt, driver_id, sym_op->xform, + sess, qp->sess_mp_priv); + if (ret) + goto sess_put; + + priv = get_sym_session_private_data(sess, driver_id); + + sym_op->session = sess; + + return priv; + +sess_put: + rte_mempool_put(qp->sess_mp, sess); + return NULL; +} + +static __rte_always_inline int __rte_hot +cpt_sym_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op, + struct cnxk_se_sess *sess, struct cpt_inflight_req *infl_req, + struct cpt_inst_s *inst) +{ + RTE_SET_USED(qp); + RTE_SET_USED(op); + RTE_SET_USED(sess); + RTE_SET_USED(infl_req); + RTE_SET_USED(inst); + + return -ENOTSUP; +} + +static inline int +cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], + struct cpt_inst_s inst[], struct cpt_inflight_req *infl_req) +{ + struct rte_crypto_sym_op *sym_op; + struct cnxk_se_sess *sess; + struct rte_crypto_op *op; + uint64_t w7; + int ret; + + op = ops[0]; + + inst[0].w0.u64 = 0; + inst[0].w2.u64 = 0; + inst[0].w3.u64 = 0; + + sym_op = op->sym; + + if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { + if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { + sess = get_sym_session_private_data( + sym_op->session, cn10k_cryptodev_driver_id); + ret = cpt_sym_inst_fill(qp, op, sess, infl_req, + &inst[0]); + if (unlikely(ret)) + return 0; + w7 = sess->cpt_inst_w7; + } else { + sess = cn10k_cpt_sym_temp_sess_create(qp, op); + if 
(unlikely(sess == NULL)) { + plt_dp_err("Could not create temp session"); + return 0; + } + + ret = cpt_sym_inst_fill(qp, op, sess, infl_req, + &inst[0]); + if (unlikely(ret)) { + sym_session_clear(cn10k_cryptodev_driver_id, + op->sym->session); + rte_mempool_put(qp->sess_mp, op->sym->session); + return 0; + } + w7 = sess->cpt_inst_w7; + } + } else { + plt_dp_err("Unsupported op type"); + return 0; + } + + inst[0].res_addr = (uint64_t)&infl_req->res; + infl_req->res.cn10k.compcode = CPT_COMP_NOT_DONE; + infl_req->cop = op; + +
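Review bot: In cn10k_cpt_fill_inst(), the sessionless error path calls sym_session_clear() and rte_mempool_put() on op->sym->session but leaves the pointer set, so the op handed back to the application still refers to a session object that has been returned to qp->sess_mp. Set op->sym->session = NULL after the put. In the RTE_CRYPTO_OP_WITH_SESSION branch, the result of get_sym_session_private_data() is used (sess->cpt_inst_w7) without a NULL check; a session that was never configured for this driver should be rejected there rather than dereferenced.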
[dpdk-dev] [PATCH v2 07/20] crypto/cnxk: add dequeue burst op
Add dequeue_burst op in cn9k & cn10k. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- doc/guides/cryptodevs/features/cn10k.ini | 3 + doc/guides/cryptodevs/features/cn9k.ini | 3 + drivers/crypto/cnxk/cn10k_cryptodev.c | 4 ++ drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 105 ++ drivers/crypto/cnxk/cn9k_cryptodev.c | 4 ++ drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 103 + 6 files changed, 222 insertions(+) diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index 0aa097d..7f433fa 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -4,6 +4,9 @@ ; Refer to default.ini for the full list of available PMD features. ; [Features] +Symmetric crypto = Y +HW Accelerated = Y +Symmetric sessionless = Y ; ; Supported crypto algorithms of 'cn10k' crypto driver. diff --git a/doc/guides/cryptodevs/features/cn9k.ini b/doc/guides/cryptodevs/features/cn9k.ini index 64ee929..9c9d54d 100644 --- a/doc/guides/cryptodevs/features/cn9k.ini +++ b/doc/guides/cryptodevs/features/cn9k.ini @@ -4,6 +4,9 @@ ; Refer to default.ini for the full list of available PMD features. ; [Features] +Symmetric crypto = Y +HW Accelerated = Y +Symmetric sessionless = Y ; ; Supported crypto algorithms of 'cn9k' crypto driver. diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index 53f7a94..31addc0 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -80,6 +80,10 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, dev->dev_ops = &cn10k_cpt_ops; dev->driver_id = cn10k_cryptodev_driver_id; + dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | +RTE_CRYPTODEV_FF_HW_ACCELERATED | +RTE_CRYPTODEV_FF_SYM_SESSIONLESS; + cn10k_cpt_set_enqdeq_fns(dev); return 0; 
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 5dd2cd2..ec301f4 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -190,10 +190,115 @@ cn10k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) return count + i; } +static inline void +cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, + struct rte_crypto_op *cop, + struct cpt_inflight_req *infl_req) +{ + struct cpt_cn10k_res_s *res = (struct cpt_cn10k_res_s *)&infl_req->res; + unsigned int sz; + + if (likely(res->compcode == CPT_COMP_GOOD || + res->compcode == CPT_COMP_WARN)) { + if (unlikely(res->uc_compcode)) { + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + + plt_dp_info("Request failed with microcode error"); + plt_dp_info("MC completion code 0x%x", + res->uc_compcode); + goto temp_sess_free; + } + + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + } else { + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + plt_dp_info("HW completion code 0x%x", res->compcode); + + switch (res->compcode) { + case CPT_COMP_INSTERR: + plt_dp_err("Request failed with instruction error"); + break; + case CPT_COMP_FAULT: + plt_dp_err("Request failed with DMA fault"); + break; + case CPT_COMP_HWERR: + plt_dp_err("Request failed with hardware error"); + break; + default: + plt_dp_err( + "Request failed with unknown completion code"); + } + } + +temp_sess_free: + if (unlikely(cop->sess_type == RTE_CRYPTO_OP_SESSIONLESS)) { + if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { + sym_session_clear(cn10k_cryptodev_driver_id, + cop->sym->session); + sz = rte_cryptodev_sym_get_existing_header_session_size( + cop->sym->session); + memset(cop->sym->session, 0, sz); + rte_mempool_put(qp->sess_mp, cop->sym->session); + cop->sym->session = NULL; + } + } +} + +static uint16_t +cn10k_cpt_dequeue_burst
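Review bot: In cn10k_cpt_dequeue_post_process(), every nonzero res->uc_compcode is reported as RTE_CRYPTO_OP_STATUS_ERROR, so an application cannot tell a failed digest or tag verification from any other microcode error. If the microcode reports verification failures through uc_compcode, map that code to RTE_CRYPTO_OP_STATUS_AUTH_FAILED. The microcode failure is also logged with plt_dp_info() while the hardware completion errors below it use plt_dp_err(); use the same level for both.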
[dpdk-dev] [PATCH v2 08/20] crypto/cnxk: add cipher operation in session
Add support for cipher operation in session. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 3 + drivers/crypto/cnxk/cnxk_se.h| 106 +++ 2 files changed, 109 insertions(+) diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c index 8ef0e6f..b6d3076 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c @@ -457,6 +457,9 @@ sym_session_configure(struct roc_cpt *roc_cpt, int driver_id, sess_priv = priv; switch (ret) { + case CNXK_CPT_CIPHER: + ret = fill_sess_cipher(xform, sess_priv); + break; default: ret = -1; } diff --git a/drivers/crypto/cnxk/cnxk_se.h b/drivers/crypto/cnxk/cnxk_se.h index 9cccab0..b5a16c4 100644 --- a/drivers/crypto/cnxk/cnxk_se.h +++ b/drivers/crypto/cnxk/cnxk_se.h 
@@ -28,4 +28,110 @@ struct cnxk_se_sess { struct roc_se_ctx roc_se_ctx; } __rte_cache_aligned; +static __rte_always_inline int +fill_sess_cipher(struct rte_crypto_sym_xform *xform, struct cnxk_se_sess *sess) +{ + struct rte_crypto_cipher_xform *c_form; + roc_se_cipher_type enc_type = 0; /* NULL Cipher type */ + uint32_t cipher_key_len = 0; + uint8_t zsk_flag = 0, aes_ctr = 0, is_null = 0; + + c_form = &xform->cipher; + + if (c_form->op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) + sess->cpt_op |= ROC_SE_OP_CIPHER_ENCRYPT; + else if (c_form->op == RTE_CRYPTO_CIPHER_OP_DECRYPT) { + sess->cpt_op |= ROC_SE_OP_CIPHER_DECRYPT; + if (xform->next != NULL && + xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) { + /* Perform decryption followed by auth verify */ + sess->roc_se_ctx.template_w4.s.opcode_minor = + ROC_SE_FC_MINOR_OP_HMAC_FIRST; + } + } else { + plt_dp_err("Unknown cipher operation\n"); + return -1; + } + + switch (c_form->algo) { + case RTE_CRYPTO_CIPHER_AES_CBC: + enc_type = ROC_SE_AES_CBC; + cipher_key_len = 16; + break; + case RTE_CRYPTO_CIPHER_3DES_CBC: + enc_type = ROC_SE_DES3_CBC; + cipher_key_len = 24; + break; + case RTE_CRYPTO_CIPHER_DES_CBC: + /* DES is implemented using 3DES in hardware */ + enc_type = ROC_SE_DES3_CBC; + cipher_key_len = 8; + break; + case RTE_CRYPTO_CIPHER_AES_CTR: + enc_type = ROC_SE_AES_CTR; + cipher_key_len = 16; + aes_ctr = 1; + break; + case RTE_CRYPTO_CIPHER_NULL: + enc_type = 0; + is_null = 1; + break; + case RTE_CRYPTO_CIPHER_KASUMI_F8: + enc_type = ROC_SE_KASUMI_F8_ECB; + cipher_key_len = 16; + zsk_flag = ROC_SE_K_F8; + break; + case RTE_CRYPTO_CIPHER_SNOW3G_UEA2: + enc_type = ROC_SE_SNOW3G_UEA2; + cipher_key_len = 16; + zsk_flag = ROC_SE_ZS_EA; + break; + case RTE_CRYPTO_CIPHER_ZUC_EEA3: + enc_type = ROC_SE_ZUC_EEA3; + cipher_key_len = 16; + zsk_flag = ROC_SE_ZS_EA; + break; + case RTE_CRYPTO_CIPHER_AES_XTS: + enc_type = ROC_SE_AES_XTS; + cipher_key_len = 16; + break; + case RTE_CRYPTO_CIPHER_3DES_ECB: + enc_type = ROC_SE_DES3_ECB; + 
cipher_key_len = 24; + break; + case RTE_CRYPTO_CIPHER_AES_ECB: + enc_type = ROC_SE_AES_ECB; + cipher_key_len = 16; + break; + case RTE_CRYPTO_CIPHER_3DES_CTR: + case RTE_CRYPTO_CIPHER_AES_F8: + case RTE_CRYPTO_CIPHER_ARC4: + plt_dp_err("Crypto: Unsupported cipher algo %u", c_form->algo); + return -1; + default: + plt_dp_err("Crypto: Undefined cipher algo %u specified", + c_form->algo); + return -1; + } + + if (c_form->key.length < cipher_key_len) { + plt_dp_err("Invalid cipher params keylen %u", + c_form->key.length); + return -1; + } + + sess->zsk_flag = zsk_flag; + sess->aes_gcm = 0; + sess->aes_ctr = aes_ctr; + sess->iv_offset = c_form->iv.offset; + sess->iv_length = c_form->iv.length; + sess->is_null = is_null; + + if (unlikely(roc_s
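Review bot: In fill_sess_cipher(), the key check "c_form->key.length < cipher_key_len" enforces only a minimum, so AES-CBC, AES-CTR and AES-ECB accept any length from 16 bytes up (17 or 20 bytes included), and AES-XTS is admitted with 16 bytes although XTS uses two keys (32 or 64 bytes in total). Validate against the exact set of key sizes each algorithm supports in this function, unless the key-setting call that follows is documented to reject the rest. Minor: plt_dp_err("Unknown cipher operation\n") carries a trailing newline that the other plt_dp_err() calls in this hunk do not.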
[dpdk-dev] [PATCH v2 09/20] crypto/cnxk: add auth operation in session
Add support for auth operations in session. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 13 +++ drivers/crypto/cnxk/cnxk_se.h| 194 +++ 2 files changed, 207 insertions(+) diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c index b6d3076..f2319df 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c @@ -460,6 +460,12 @@ sym_session_configure(struct roc_cpt *roc_cpt, int driver_id, case CNXK_CPT_CIPHER: ret = fill_sess_cipher(xform, sess_priv); break; + case CNXK_CPT_AUTH: + if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) + ret = fill_sess_gmac(xform, sess_priv); + else + ret = fill_sess_auth(xform, sess_priv); + break; default: ret = -1; } @@ -467,6 +473,13 @@ sym_session_configure(struct roc_cpt *roc_cpt, int driver_id, if (ret) goto priv_put; + if ((sess_priv->roc_se_ctx.fc_type == ROC_SE_HASH_HMAC) && + cpt_mac_len_verify(&xform->auth)) { + plt_dp_err("MAC length is not supported"); + ret = -ENOTSUP; + goto priv_put; + } + sess_priv->cpt_inst_w7 = cnxk_cpt_inst_w7_get(sess_priv, roc_cpt); set_sym_session_private_data(sess, driver_id, sess_priv); diff --git a/drivers/crypto/cnxk/cnxk_se.h b/drivers/crypto/cnxk/cnxk_se.h index b5a16c4..6e4b032 100644 --- a/drivers/crypto/cnxk/cnxk_se.h +++ b/drivers/crypto/cnxk/cnxk_se.h 
@@ -29,6 +29,48 @@ struct cnxk_se_sess { } __rte_cache_aligned; static __rte_always_inline int +cpt_mac_len_verify(struct rte_crypto_auth_xform *auth) +{ + uint16_t mac_len = auth->digest_length; + int ret; + + switch (auth->algo) { + case RTE_CRYPTO_AUTH_MD5: + case RTE_CRYPTO_AUTH_MD5_HMAC: + ret = (mac_len == 16) ? 0 : -1; + break; + case RTE_CRYPTO_AUTH_SHA1: + case RTE_CRYPTO_AUTH_SHA1_HMAC: + ret = (mac_len == 20) ? 0 : -1; + break; + case RTE_CRYPTO_AUTH_SHA224: + case RTE_CRYPTO_AUTH_SHA224_HMAC: + ret = (mac_len == 28) ? 0 : -1; + break; + case RTE_CRYPTO_AUTH_SHA256: + case RTE_CRYPTO_AUTH_SHA256_HMAC: + ret = (mac_len == 32) ? 0 : -1; + break; + case RTE_CRYPTO_AUTH_SHA384: + case RTE_CRYPTO_AUTH_SHA384_HMAC: + ret = (mac_len == 48) ? 0 : -1; + break; + case RTE_CRYPTO_AUTH_SHA512: + case RTE_CRYPTO_AUTH_SHA512_HMAC: + ret = (mac_len == 64) ? 0 : -1; + break; + case RTE_CRYPTO_AUTH_NULL: + ret = 0; + break; + default: + ret = -1; + } + + return ret; +} + + +static __rte_always_inline int fill_sess_cipher(struct rte_crypto_sym_xform *xform, struct cnxk_se_sess *sess) { struct rte_crypto_cipher_xform *c_form; 
@@ -134,4 +176,156 @@ fill_sess_cipher(struct rte_crypto_sym_xform *xform, struct cnxk_se_sess *sess) return 0; } + +static __rte_always_inline int +fill_sess_auth(struct rte_crypto_sym_xform *xform, struct cnxk_se_sess *sess) +{ + struct rte_crypto_auth_xform *a_form; + roc_se_auth_type auth_type = 0; /* NULL Auth type */ + uint8_t zsk_flag = 0, aes_gcm = 0, is_null = 0; + + if (xform->next != NULL && + xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER && + xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { + /* Perform auth followed by encryption */ + sess->roc_se_ctx.template_w4.s.opcode_minor = + ROC_SE_FC_MINOR_OP_HMAC_FIRST; + } + + a_form = &xform->auth; + + if (a_form->op == RTE_CRYPTO_AUTH_OP_VERIFY) + sess->cpt_op |= ROC_SE_OP_AUTH_VERIFY; + else if (a_form->op == RTE_CRYPTO_AUTH_OP_GENERATE) + sess->cpt_op |= ROC_SE_OP_AUTH_GENERATE; + else { + plt_dp_err("Unknown auth operation"); + return -1; + } + + switch (a_form->algo) { + case RTE_CRYPTO_AUTH_SHA1_HMAC: + /* Fall through */ + case RTE_CRYPTO_AUTH_SHA1: + auth_type = ROC_SE_SHA1_TYPE; + break; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + case RTE_CRYPTO_AUTH_SHA256: + auth_type = ROC_SE_SHA2_SHA256; + break; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + case RTE_CRYPTO_AUTH_SHA512: + auth_type = ROC_SE_SHA2_SHA512;
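Review bot: cpt_mac_len_verify() accepts only the full digest size for each algorithm (20 for SHA1-HMAC, 32 for SHA256-HMAC, and so on), so a session that requests a truncated HMAC digest fails with "MAC length is not supported". If that is a hardware restriction, say so in the commit message and the driver guide; otherwise allow shorter lengths with a documented lower bound. In sym_session_configure() the check also runs after fill_sess_auth() has already written the session context, so validating digest_length before filling would be cleaner. Style: the hunk leaves two blank lines between cpt_mac_len_verify() and fill_sess_cipher().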
[dpdk-dev] [PATCH v2 10/20] crypto/cnxk: add aead operation in session
From: Archana Muniganti Add support for AEAD operations in session. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 3 ++ drivers/crypto/cnxk/cnxk_se.h| 64 2 files changed, 67 insertions(+) diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c index f2319df..acb9f1f 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c @@ -466,6 +466,9 @@ sym_session_configure(struct roc_cpt *roc_cpt, int driver_id, else ret = fill_sess_auth(xform, sess_priv); break; + case CNXK_CPT_AEAD: + ret = fill_sess_aead(xform, sess_priv); + break; default: ret = -1; } diff --git a/drivers/crypto/cnxk/cnxk_se.h b/drivers/crypto/cnxk/cnxk_se.h index 6e4b032..57bbd70 100644 --- a/drivers/crypto/cnxk/cnxk_se.h +++ b/drivers/crypto/cnxk/cnxk_se.h 
@@ -69,6 +69,70 @@ cpt_mac_len_verify(struct rte_crypto_auth_xform *auth) return ret; } +static __rte_always_inline int +fill_sess_aead(struct rte_crypto_sym_xform *xform, struct cnxk_se_sess *sess) +{ + struct rte_crypto_aead_xform *aead_form; + roc_se_cipher_type enc_type = 0; /* NULL Cipher type */ + roc_se_auth_type auth_type = 0; /* NULL Auth type */ + uint32_t cipher_key_len = 0; + uint8_t aes_gcm = 0; + aead_form = &xform->aead; + + if (aead_form->op == RTE_CRYPTO_AEAD_OP_ENCRYPT) { + sess->cpt_op |= ROC_SE_OP_CIPHER_ENCRYPT; + sess->cpt_op |= ROC_SE_OP_AUTH_GENERATE; + } else if (aead_form->op == RTE_CRYPTO_AEAD_OP_DECRYPT) { + sess->cpt_op |= ROC_SE_OP_CIPHER_DECRYPT; + sess->cpt_op |= ROC_SE_OP_AUTH_VERIFY; + } else { + plt_dp_err("Unknown aead operation\n"); + return -1; + } + switch (aead_form->algo) { + case RTE_CRYPTO_AEAD_AES_GCM: + enc_type = ROC_SE_AES_GCM; + cipher_key_len = 16; + aes_gcm = 1; + break; + case RTE_CRYPTO_AEAD_AES_CCM: + plt_dp_err("Crypto: Unsupported cipher algo %u", + aead_form->algo); + return -1; + case RTE_CRYPTO_AEAD_CHACHA20_POLY1305: + enc_type = ROC_SE_CHACHA20; + auth_type = ROC_SE_POLY1305; + cipher_key_len = 32; + sess->chacha_poly = 1; + break; + default: + plt_dp_err("Crypto: Undefined cipher algo %u specified", + aead_form->algo); + return -1; + } + if (aead_form->key.length < cipher_key_len) { + plt_dp_err("Invalid cipher params keylen %u", + aead_form->key.length); + return -1; + } + sess->zsk_flag = 0; + sess->aes_gcm = aes_gcm; + sess->mac_len = aead_form->digest_length; + sess->iv_offset = aead_form->iv.offset; + sess->iv_length = aead_form->iv.length; + sess->aad_length = aead_form->aad_length; + + if (unlikely(roc_se_ciph_key_set(&sess->roc_se_ctx, enc_type, +aead_form->key.data, +aead_form->key.length, NULL))) + return -1; + + if (unlikely(roc_se_auth_key_set(&sess->roc_se_ctx, auth_type, NULL, 0, +aead_form->digest_length))) + return -1; + + return 0; +} static __rte_always_inline int fill_sess_cipher(struct 
rte_crypto_sym_xform *xform, struct cnxk_se_sess *sess) -- 2.7.4
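Review bot: fill_sess_aead() copies aead_form->digest_length, iv.length and aad_length into the session without validating any of them, and the key test "aead_form->key.length < cipher_key_len" is only a lower bound. For AES-GCM a caller can therefore configure a very short tag, which weakens authentication; restrict digest_length to the tag sizes the hardware supports (16 for ChaCha20-Poly1305), require exact key sizes (16, 24 or 32 for AES-GCM, 32 for ChaCha20), and reject unsupported IV lengths here rather than at enqueue time. Style: the hunk has no blank line after the local declarations or before the following fill_sess_cipher() definition.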
[dpdk-dev] [PATCH v2 11/20] crypto/cnxk: add chained operation in session
From: Archana Muniganti Add support for chained operations in session. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- doc/guides/cryptodevs/features/cn10k.ini | 2 ++ doc/guides/cryptodevs/features/cn9k.ini | 2 ++ drivers/crypto/cnxk/cn10k_cryptodev.c| 4 +++- drivers/crypto/cnxk/cn9k_cryptodev.c | 4 +++- drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 14 ++ 5 files changed, 24 insertions(+), 2 deletions(-) diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index 7f433fa..175fbf7 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -5,8 +5,10 @@ ; [Features] Symmetric crypto = Y +Sym operation chaining = Y HW Accelerated = Y Symmetric sessionless = Y +Digest encrypted = Y ; ; Supported crypto algorithms of 'cn10k' crypto driver. diff --git a/doc/guides/cryptodevs/features/cn9k.ini b/doc/guides/cryptodevs/features/cn9k.ini index 9c9d54d..c22b25c 100644 --- a/doc/guides/cryptodevs/features/cn9k.ini +++ b/doc/guides/cryptodevs/features/cn9k.ini @@ -5,8 +5,10 @@ ; [Features] Symmetric crypto = Y +Sym operation chaining = Y HW Accelerated = Y Symmetric sessionless = Y +Digest encrypted = Y ; ; Supported crypto algorithms of 'cn9k' crypto driver. diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index 31addc0..8a31290 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -82,7 +82,9 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_HW_ACCELERATED | -RTE_CRYPTODEV_FF_SYM_SESSIONLESS; +RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING | +RTE_CRYPTODEV_FF_SYM_SESSIONLESS | +RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn10k_cpt_set_enqdeq_fns(dev); 
diff --git a/drivers/crypto/cnxk/cn9k_cryptodev.c b/drivers/crypto/cnxk/cn9k_cryptodev.c index 7908896..6b5c9e3 100644 --- a/drivers/crypto/cnxk/cn9k_cryptodev.c +++ b/drivers/crypto/cnxk/cn9k_cryptodev.c @@ -80,7 +80,9 @@ cn9k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_HW_ACCELERATED | -RTE_CRYPTODEV_FF_SYM_SESSIONLESS; +RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING | +RTE_CRYPTODEV_FF_SYM_SESSIONLESS | +RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn9k_cpt_set_enqdeq_fns(dev); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c index acb9f1f..10bb191 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_ops.c @@ -469,6 +469,20 @@ sym_session_configure(struct roc_cpt *roc_cpt, int driver_id, case CNXK_CPT_AEAD: ret = fill_sess_aead(xform, sess_priv); break; + case CNXK_CPT_CIPHER_ENC_AUTH_GEN: + case CNXK_CPT_CIPHER_DEC_AUTH_VRFY: + ret = fill_sess_cipher(xform, sess_priv); + if (ret < 0) + break; + ret = fill_sess_auth(xform->next, sess_priv); + break; + case CNXK_CPT_AUTH_VRFY_CIPHER_DEC: + case CNXK_CPT_AUTH_GEN_CIPHER_ENC: + ret = fill_sess_auth(xform, sess_priv); + if (ret < 0) + break; + ret = fill_sess_cipher(xform->next, sess_priv); + break; default: ret = -1; } -- 2.7.4
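Review bot: In the sym_session_configure() hunk, the cipher-first cases (CNXK_CPT_CIPHER_ENC_AUTH_GEN, CNXK_CPT_CIPHER_DEC_AUTH_VRFY) leave xform pointing at the cipher element, yet the MAC length check added in 09/20 still calls cpt_mac_len_verify(&xform->auth) on the head xform; if fc_type can be ROC_SE_HASH_HMAC for a chained session, that reads the cipher member of the union as an auth xform. Pass the auth element explicitly (xform or xform->next, depending on the case). The "if (ret < 0) break;" tests also rely on fill_sess_*() never returning a positive error; "if (ret)" would match the check that follows the switch.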
[dpdk-dev] [PATCH v2 12/20] crypto/cnxk: add flexi crypto cipher encrypt
From: Archana Muniganti Add flexi crypto cipher encrypt in enqueue API. Flexi crypto opcode covers a broad set of ciphers including variants of AES. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 14 +- drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 14 +- drivers/crypto/cnxk/cnxk_se.h | 818 +- 3 files changed, 833 insertions(+), 13 deletions(-) diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index ec301f4..8af2ce9 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -46,13 +46,15 @@ cpt_sym_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op, struct cnxk_se_sess *sess, struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) { - RTE_SET_USED(qp); - RTE_SET_USED(op); - RTE_SET_USED(sess); - RTE_SET_USED(infl_req); - RTE_SET_USED(inst); + uint64_t cpt_op; + int ret; + + cpt_op = sess->cpt_op; + + if (cpt_op & ROC_SE_OP_CIPHER_MASK) + ret = fill_fc_params(op, sess, &qp->meta_info, infl_req, inst); - return -ENOTSUP; + return ret; } static inline int diff --git a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c index 27076a8..e8189d0 100644 --- a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c @@ -17,13 +17,15 @@ cn9k_cpt_sym_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op, struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) { - RTE_SET_USED(qp); - RTE_SET_USED(op); - RTE_SET_USED(sess); - RTE_SET_USED(infl_req); - RTE_SET_USED(inst); + uint64_t cpt_op; + int ret; + + cpt_op = sess->cpt_op; + + if (cpt_op & ROC_SE_OP_CIPHER_MASK) + ret = fill_fc_params(op, sess, &qp->meta_info, infl_req, inst); - return -ENOTSUP; + return ret; } static inline struct cnxk_se_sess * 
diff --git a/drivers/crypto/cnxk/cnxk_se.h b/drivers/crypto/cnxk/cnxk_se.h index 57bbd70..2110f49 100644 --- a/drivers/crypto/cnxk/cnxk_se.h +++ b/drivers/crypto/cnxk/cnxk_se.h @@ -6,7 +6,15 @@ #define _CNXK_SE_H_ #include -#include "roc_se.h" +#include "cnxk_cryptodev.h" +#include "cnxk_cryptodev_ops.h" + +#define SRC_IOV_SIZE \ + (sizeof(struct roc_se_iov_ptr) + \ +(sizeof(struct roc_se_buf_ptr) * ROC_SE_MAX_SG_CNT)) +#define DST_IOV_SIZE \ + (sizeof(struct roc_se_iov_ptr) + \ +(sizeof(struct roc_se_buf_ptr) * ROC_SE_MAX_SG_CNT)) struct cnxk_se_sess { uint16_t cpt_op : 4; 
@@ -69,6 +77,457 @@ cpt_mac_len_verify(struct rte_crypto_auth_xform *auth) return ret; } +static __rte_always_inline void +cpt_fc_salt_update(struct roc_se_ctx *se_ctx, uint8_t *salt) +{ + struct roc_se_context *fctx = &se_ctx->se_ctx.fctx; + memcpy(fctx->enc.encr_iv, salt, 4); +} + +static __rte_always_inline uint32_t +fill_sg_comp(struct roc_se_sglist_comp *list, uint32_t i, phys_addr_t dma_addr, +uint32_t size) +{ + struct roc_se_sglist_comp *to = &list[i >> 2]; + + to->u.s.len[i % 4] = rte_cpu_to_be_16(size); + to->ptr[i % 4] = rte_cpu_to_be_64(dma_addr); + i++; + return i; +} + +static __rte_always_inline uint32_t +fill_sg_comp_from_buf(struct roc_se_sglist_comp *list, uint32_t i, + struct roc_se_buf_ptr *from) +{ + struct roc_se_sglist_comp *to = &list[i >> 2]; + + to->u.s.len[i % 4] = rte_cpu_to_be_16(from->size); + to->ptr[i % 4] = rte_cpu_to_be_64((uint64_t)from->vaddr); + i++; + return i; +} + +static __rte_always_inline uint32_t +fill_sg_comp_from_buf_min(struct roc_se_sglist_comp *list, uint32_t i, + struct roc_se_buf_ptr *from, uint32_t *psize) +{ + struct roc_se_sglist_comp *to = &list[i >> 2]; + uint32_t size = *psize; + uint32_t e_len; + + e_len = (size > from->size) ? from->size : size; + to->u.s.len[i % 4] = rte_cpu_to_be_16(e_len); + to->ptr[i % 4] = rte_cpu_to_be_64((uint64_t)from->vaddr); + *psize -= e_len; + i++; + return i; +} + +/* + * This fills the MC expected SGIO list + * from IOV given by user. + */ +static __rte_always_inline uint32_t +fill_sg_comp_from_iov(struct roc_se_sglist_comp *list, uint32_t i, + struct roc_se_iov_ptr *from, uint
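Review bot: in both cpt_sym_inst_fill() (cn10k_cryptodev_ops.c) and cn9k_cpt_sym_inst_fill() (cn9k_cryptodev_ops.c), ret is declared without an initialiser and is assigned only when cpt_op & ROC_SE_OP_CIPHER_MASK is true, so for any other session type the function returns an indeterminate value where it used to return -ENOTSUP. Initialise it (int ret = -ENOTSUP;) or add an else branch that sets the error, so this commit is correct on its own and bisects cleanly.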
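Review bot: in the cnxk_se.h hunk, fill_sg_comp() takes a uint32_t size but stores it with rte_cpu_to_be_16(size), and fill_sg_comp_from_buf() and fill_sg_comp_from_buf_min() do the same with from->size and e_len, so any segment of 64 KiB or more is silently truncated in the scatter-gather entry handed to the engine. None of the helpers bounds i against ROC_SE_MAX_SG_CNT before indexing list[i >> 2] either. Please reject over-long segments and an over-full list in the callers, or document where that limit is enforced. Smaller points: SRC_IOV_SIZE and DST_IOV_SIZE expand to the same expression, and the literal 4 in cpt_fc_salt_update() would read better as a named salt length.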
[dpdk-dev] [PATCH v2 13/20] crypto/cnxk: add flexi crypto cipher decrypt
From: Archana Muniganti Add flexi crypto cipher decrypt support in enqueue API. Flexi crypto opcode covers a broad set of ciphers including variants of AES. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- doc/guides/cryptodevs/features/cn10k.ini | 20 ++ doc/guides/cryptodevs/features/cn9k.ini | 20 ++ drivers/crypto/cnxk/cn10k_cryptodev.c| 4 + drivers/crypto/cnxk/cn9k_cryptodev.c | 4 + drivers/crypto/cnxk/cnxk_se.h| 324 ++- 5 files changed, 371 insertions(+), 1 deletion(-) diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index 175fbf7..7750d92 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -7,6 +7,10 @@ Symmetric crypto = Y Sym operation chaining = Y HW Accelerated = Y +In Place SGL = Y +OOP SGL In LB Out = Y +OOP SGL In SGL Out = Y +OOP LB In LB Out = Y Symmetric sessionless = Y Digest encrypted = Y @@ -14,6 +18,18 @@ Digest encrypted = Y ; Supported crypto algorithms of 'cn10k' crypto driver. ; [Cipher] +NULL = Y +3DES CBC = Y +3DES ECB = Y +AES CBC (128) = Y +AES CBC (192) = Y +AES CBC (256) = Y +AES CTR (128) = Y +AES CTR (192) = Y +AES CTR (256) = Y +AES XTS (128) = Y +AES XTS (256) = Y +DES CBC= Y ; ; Supported authentication algorithms of 'cn10k' crypto driver. @@ -24,3 +40,7 @@ Digest encrypted = Y ; Supported AEAD algorithms of 'cn10k' crypto driver. ; [AEAD] +AES GCM (128) = Y +AES GCM (192) = Y +AES GCM (256) = Y +CHACHA20-POLY1305 = Y diff --git a/doc/guides/cryptodevs/features/cn9k.ini b/doc/guides/cryptodevs/features/cn9k.ini index c22b25c..7007d11 100644 --- a/doc/guides/cryptodevs/features/cn9k.ini +++ b/doc/guides/cryptodevs/features/cn9k.ini @@ -7,6 +7,10 @@ Symmetric crypto = Y Sym operation chaining = Y HW Accelerated = Y +In Place SGL = Y +OOP SGL In LB Out = Y +OOP SGL In SGL Out = Y +OOP LB In LB Out = Y Symmetric sessionless = Y Digest encrypted = Y 
@@ -14,6 +18,18 @@ Digest encrypted = Y ; Supported crypto algorithms of 'cn9k' crypto driver. ; [Cipher] +NULL = Y +3DES CBC = Y +3DES ECB = Y +AES CBC (128) = Y +AES CBC (192) = Y +AES CBC (256) = Y +AES CTR (128) = Y +AES CTR (192) = Y +AES CTR (256) = Y +AES XTS (128) = Y +AES XTS (256) = Y +DES CBC= Y ; ; Supported authentication algorithms of 'cn9k' crypto driver. @@ -24,3 +40,7 @@ Digest encrypted = Y ; Supported AEAD algorithms of 'cn9k' crypto driver. ; [AEAD] +AES GCM (128) = Y +AES GCM (192) = Y +AES GCM (256) = Y +CHACHA20-POLY1305 = Y diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index 8a31290..2ae61b5 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -83,6 +83,10 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_HW_ACCELERATED | RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING | +RTE_CRYPTODEV_FF_IN_PLACE_SGL | +RTE_CRYPTODEV_FF_OOP_LB_IN_LB_OUT | +RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | +RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | RTE_CRYPTODEV_FF_SYM_SESSIONLESS | RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; diff --git a/drivers/crypto/cnxk/cn9k_cryptodev.c b/drivers/crypto/cnxk/cn9k_cryptodev.c index 6b5c9e3..9a2d565 100644 --- a/drivers/crypto/cnxk/cn9k_cryptodev.c +++ b/drivers/crypto/cnxk/cn9k_cryptodev.c @@ -81,6 +81,10 @@ cn9k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_HW_ACCELERATED | RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING | +RTE_CRYPTODEV_FF_IN_PLACE_SGL | +RTE_CRYPTODEV_FF_OOP_LB_IN_LB_OUT | +RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | +RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | RTE_CRYPTODEV_FF_SYM_SESSIONLESS | RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; diff --git a/drivers/crypto/cnxk/cnxk_se.h b/drivers/crypto/cnxk/cnxk_se.h index 2110f49..e8be663 100644 --- a/drivers/crypto/cnxk/cnxk_se.h 
+++ b/drivers/crypto/cnxk/cnxk_se.h @@ -512,6 +512,327 @@ cpt_enc_hmac_prep(uint32_t flags, uint64_t d_offs, uint64_t d_lens, } static __rte_always_inline int +
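Review bot: the commit message describes only flexi crypto cipher decrypt, but the cn10k.ini and cn9k.ini hunks and the feature_flags hunks in cn10k_cryptodev.c and cn9k_cryptodev.c also start advertising scatter-gather support (RTE_CRYPTODEV_FF_IN_PLACE_SGL and the three OOP flags) together with the full [Cipher] and [AEAD] lists. Either say so in the commit message or move each flag and .ini entry to the patch that completes that feature, so that what the device advertises at this commit matches what the datapath can handle.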
[dpdk-dev] [PATCH v2 14/20] crypto/cnxk: add ZUC and SNOW3G encrypt
From: Archana Muniganti Add PDCP opcode which handles ZUC and SNOW3G. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cnxk_se.h | 268 +- 1 file changed, 267 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/cnxk/cnxk_se.h b/drivers/crypto/cnxk/cnxk_se.h index e8be663..7d3bcbc 100644 --- a/drivers/crypto/cnxk/cnxk_se.h +++ b/drivers/crypto/cnxk/cnxk_se.h 
@@ -817,6 +817,268 @@ cpt_dec_hmac_prep(uint32_t flags, uint64_t d_offs, uint64_t d_lens, } static __rte_always_inline int +cpt_zuc_snow3g_enc_prep(uint32_t req_flags, uint64_t d_offs, uint64_t d_lens, + struct roc_se_fc_params *params, + struct cpt_inst_s *inst) +{ + uint32_t size; + int32_t inputlen, outputlen; + struct roc_se_ctx *se_ctx; + uint32_t mac_len = 0; + uint8_t pdcp_alg_type, j; + uint32_t encr_offset = 0, auth_offset = 0; + uint32_t encr_data_len = 0, auth_data_len = 0; + int flags, iv_len = 16; + uint64_t offset_ctrl; + uint64_t *offset_vaddr; + uint32_t *iv_s, iv[4]; + union cpt_inst_w4 cpt_inst_w4; + + se_ctx = params->ctx_buf.vaddr; + flags = se_ctx->zsk_flags; + mac_len = se_ctx->mac_len; + pdcp_alg_type = se_ctx->pdcp_alg_type; + + cpt_inst_w4.s.opcode_major = ROC_SE_MAJOR_OP_ZUC_SNOW3G; + + /* indicates CPTR ctx, operation type, KEY & IV mode from DPTR */ + + cpt_inst_w4.s.opcode_minor = ((1 << 7) | (pdcp_alg_type << 5) | + (0 << 4) | (0 << 3) | (flags & 0x7)); + + if (flags == 0x1) { + /* +* Microcode expects offsets in bytes +* TODO: Rounding off +*/ + auth_data_len = ROC_SE_AUTH_DLEN(d_lens); + + /* EIA3 or UIA2 */ + auth_offset = ROC_SE_AUTH_OFFSET(d_offs); + auth_offset = auth_offset / 8; + + /* consider iv len */ + auth_offset += iv_len; + + inputlen = auth_offset + (RTE_ALIGN(auth_data_len, 8) / 8); + outputlen = mac_len; + + offset_ctrl = rte_cpu_to_be_64((uint64_t)auth_offset); + + } else { + /* EEA3 or UEA2 */ + /* +* Microcode expects offsets in bytes +* TODO: Rounding off +*/ + encr_data_len = ROC_SE_ENCR_DLEN(d_lens); + + encr_offset = ROC_SE_ENCR_OFFSET(d_offs); + encr_offset = encr_offset / 8; + /* consider iv len */ + encr_offset += iv_len; + + inputlen = encr_offset + (RTE_ALIGN(encr_data_len, 8) / 8); + outputlen = inputlen; + + /* iv offset is 0 */ + offset_ctrl = rte_cpu_to_be_64((uint64_t)encr_offset << 16); + } + + if (unlikely((encr_offset >> 16) || (auth_offset >> 8))) { + plt_dp_err("Offset not supported"); + 
plt_dp_err("enc_offset: %d", encr_offset); + plt_dp_err("auth_offset: %d", auth_offset); + return -1; + } + + /* IV */ + iv_s = (flags == 0x1) ? params->auth_iv_buf : params->iv_buf; + + if (pdcp_alg_type == ROC_SE_PDCP_ALG_TYPE_SNOW3G) { + /* +* DPDK seems to provide it in form of IV3 IV2 IV1 IV0 +* and BigEndian, MC needs it as IV0 IV1 IV2 IV3 +*/ + + for (j = 0; j < 4; j++) + iv[j] = iv_s[3 - j]; + } else { + /* ZUC doesn't need a swap */ + for (j = 0; j < 4; j++) + iv[j] = iv_s[j]; + } + + /* +* GP op header, lengths are expected in bits. +*/ + cpt_inst_w4.s.param1 = encr_data_len; + cpt_inst_w4.s.param2 = auth_data_len; + + /* +* In cn9k, cn10k since we have a limitation of +* IV & Offset control word not part of instruction +* and need to be part of Data Buffer, we check if +* head room is there and then only do the Direct mode processing +*/ + if (likely((req_flags & ROC_SE_SINGLE_BUF_INPLACE) && + (req_flags & ROC_SE_SINGLE_BUF_HEADROOM))) { + void *dm_vaddr = params->bufs[0].vaddr; + + /* Use Direct mode */ + + offset_vaddr = (uint64_t *)((uint8_t *)dm_vaddr - + ROC_SE_OFF_CTRL_LEN - iv_len); + + /* DPTR */ + inst->dptr = (uint64_t)offset_vaddr; + /* RPTR should just exclude offset control word */ + inst->rptr
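Review bot: cpt_zuc_snow3g_enc_prep() declares union cpt_inst_w4 cpt_inst_w4 and goes straight to assigning its bit-fields (opcode_major, opcode_minor, param1, param2) without clearing the union first, whereas the decrypt counterpart in 15/20 starts with cpt_inst_w4.u64 = 0. Add the same zeroing here so no stale stack bits can reach the instruction word. Separately, the two "TODO: Rounding off" comments sit next to auth_offset / 8 and encr_offset / 8, which silently drop any bit offset that is not a multiple of 8; until the TODO is resolved it would be safer to reject such offsets than to process the wrong range.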
[dpdk-dev] [PATCH v2 15/20] crypto/cnxk: add ZUC and SNOW3G decrypt
From: Tejasree Kondoj Add PDCP opcode which handles ZUC and SNOW3G. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- doc/guides/cryptodevs/features/cn10k.ini | 2 + doc/guides/cryptodevs/features/cn9k.ini | 2 + drivers/crypto/cnxk/cnxk_se.h| 209 ++- 3 files changed, 212 insertions(+), 1 deletion(-) diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index 7750d92..a90421a 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -30,6 +30,8 @@ AES CTR (256) = Y AES XTS (128) = Y AES XTS (256) = Y DES CBC= Y +SNOW3G UEA2= Y +ZUC EEA3 = Y ; ; Supported authentication algorithms of 'cn10k' crypto driver. diff --git a/doc/guides/cryptodevs/features/cn9k.ini b/doc/guides/cryptodevs/features/cn9k.ini index 7007d11..fb0c09b 100644 --- a/doc/guides/cryptodevs/features/cn9k.ini +++ b/doc/guides/cryptodevs/features/cn9k.ini @@ -30,6 +30,8 @@ AES CTR (256) = Y AES XTS (128) = Y AES XTS (256) = Y DES CBC= Y +SNOW3G UEA2= Y +ZUC EEA3 = Y ; ; Supported authentication algorithms of 'cn9k' crypto driver. diff --git a/drivers/crypto/cnxk/cnxk_se.h b/drivers/crypto/cnxk/cnxk_se.h index 7d3bcbc..c483b95 100644 --- a/drivers/crypto/cnxk/cnxk_se.h +++ b/drivers/crypto/cnxk/cnxk_se.h 
@@ -1079,6 +1079,209 @@ cpt_zuc_snow3g_enc_prep(uint32_t req_flags, uint64_t d_offs, uint64_t d_lens, } static __rte_always_inline int +cpt_zuc_snow3g_dec_prep(uint32_t req_flags, uint64_t d_offs, uint64_t d_lens, + struct roc_se_fc_params *params, + struct cpt_inst_s *inst) +{ + uint32_t size; + int32_t inputlen = 0, outputlen; + struct roc_se_ctx *se_ctx; + uint8_t pdcp_alg_type, iv_len = 16; + uint32_t encr_offset; + uint32_t encr_data_len; + int flags; + uint64_t *offset_vaddr; + uint32_t *iv_s, iv[4], j; + union cpt_inst_w4 cpt_inst_w4; + + /* +* Microcode expects offsets in bytes +* TODO: Rounding off +*/ + encr_offset = ROC_SE_ENCR_OFFSET(d_offs) / 8; + encr_data_len = ROC_SE_ENCR_DLEN(d_lens); + + se_ctx = params->ctx_buf.vaddr; + flags = se_ctx->zsk_flags; + pdcp_alg_type = se_ctx->pdcp_alg_type; + + cpt_inst_w4.u64 = 0; + cpt_inst_w4.s.opcode_major = ROC_SE_MAJOR_OP_ZUC_SNOW3G; + + /* indicates CPTR ctx, operation type, KEY & IV mode from DPTR */ + + cpt_inst_w4.s.opcode_minor = ((1 << 7) | (pdcp_alg_type << 5) | + (0 << 4) | (0 << 3) | (flags & 0x7)); + + /* consider iv len */ + encr_offset += iv_len; + + inputlen = encr_offset + (RTE_ALIGN(encr_data_len, 8) / 8); + outputlen = inputlen; + + /* IV */ + iv_s = params->iv_buf; + if (pdcp_alg_type == ROC_SE_PDCP_ALG_TYPE_SNOW3G) { + /* +* DPDK seems to provide it in form of IV3 IV2 IV1 IV0 +* and BigEndian, MC needs it as IV0 IV1 IV2 IV3 +*/ + + for (j = 0; j < 4; j++) + iv[j] = iv_s[3 - j]; + } else { + /* ZUC doesn't need a swap */ + for (j = 0; j < 4; j++) + iv[j] = iv_s[j]; + } + + /* +* GP op header, lengths are expected in bits. 
+*/ + cpt_inst_w4.s.param1 = encr_data_len; + + /* +* In cn9k, cn10k since we have a limitation of +* IV & Offset control word not part of instruction +* and need to be part of Data Buffer, we check if +* head room is there and then only do the Direct mode processing +*/ + if (likely((req_flags & ROC_SE_SINGLE_BUF_INPLACE) && + (req_flags & ROC_SE_SINGLE_BUF_HEADROOM))) { + void *dm_vaddr = params->bufs[0].vaddr; + + /* Use Direct mode */ + + offset_vaddr = (uint64_t *)((uint8_t *)dm_vaddr - + ROC_SE_OFF_CTRL_LEN - iv_len); + + /* DPTR */ + inst->dptr = (uint64_t)offset_vaddr; + + /* RPTR should just exclude offset control word */ + inst->rptr = (uint64_t)dm_vaddr - iv_len; + + cpt_inst_w4.s.dlen = inputlen + ROC_SE_OFF_CTRL_LEN; + + if (likely(iv_len)) { + uint32_t *iv_d = (uint32_t *)((uint8_t *)offset_vaddr + + ROC_SE_OFF_CTRL_LEN); + memcpy(iv_d, iv, 16); + } + + /* iv offset is 0 */ + *offset_vaddr = rte_cpu_to_be_64((uint64_t)encr_offset << 16); +
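Review bot: in cpt_zuc_snow3g_dec_prep() the direct-mode branch writes rte_cpu_to_be_64((uint64_t)encr_offset << 16) into the offset control word, but the visible lines contain no equivalent of the encrypt path's range check (if (unlikely((encr_offset >> 16) || (auth_offset >> 8)))). Please add the encr_offset >> 16 check before the offset is used, so an out-of-range offset fails the request instead of being encoded. The commit message is also identical to 14/20 and does not mention decrypt.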
[dpdk-dev] [PATCH v2 16/20] crypto/cnxk: add KASUMI encrypt
From: Tejasree Kondoj Add KASUMI encrypt support. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cnxk_se.h | 196 ++ 1 file changed, 196 insertions(+) diff --git a/drivers/crypto/cnxk/cnxk_se.h b/drivers/crypto/cnxk/cnxk_se.h index c483b95..34907c6 100644 --- a/drivers/crypto/cnxk/cnxk_se.h +++ b/drivers/crypto/cnxk/cnxk_se.h 
@@ -1282,6 +1282,199 @@ cpt_zuc_snow3g_dec_prep(uint32_t req_flags, uint64_t d_offs, uint64_t d_lens, } static __rte_always_inline int +cpt_kasumi_enc_prep(uint32_t req_flags, uint64_t d_offs, uint64_t d_lens, + struct roc_se_fc_params *params, struct cpt_inst_s *inst) +{ + void *m_vaddr = params->meta_buf.vaddr; + uint32_t size; + int32_t inputlen = 0, outputlen = 0; + struct roc_se_ctx *se_ctx; + uint32_t mac_len = 0; + uint8_t i = 0; + uint32_t encr_offset, auth_offset; + uint32_t encr_data_len, auth_data_len; + int flags; + uint8_t *iv_s, *iv_d, iv_len = 8; + uint8_t dir = 0; + uint64_t *offset_vaddr; + union cpt_inst_w4 cpt_inst_w4; + uint8_t *in_buffer; + uint32_t g_size_bytes, s_size_bytes; + struct roc_se_sglist_comp *gather_comp; + struct roc_se_sglist_comp *scatter_comp; + + encr_offset = ROC_SE_ENCR_OFFSET(d_offs) / 8; + auth_offset = ROC_SE_AUTH_OFFSET(d_offs) / 8; + encr_data_len = ROC_SE_ENCR_DLEN(d_lens); + auth_data_len = ROC_SE_AUTH_DLEN(d_lens); + + se_ctx = params->ctx_buf.vaddr; + flags = se_ctx->zsk_flags; + mac_len = se_ctx->mac_len; + + if (flags == 0x0) + iv_s = params->iv_buf; + else + iv_s = params->auth_iv_buf; + + dir = iv_s[8] & 0x1; + + cpt_inst_w4.s.opcode_major = ROC_SE_MAJOR_OP_KASUMI | ROC_SE_DMA_MODE; + + /* indicates ECB/CBC, direction, ctx from cptr, iv from dptr */ + cpt_inst_w4.s.opcode_minor = ((1 << 6) | (se_ctx->k_ecb << 5) | + (dir << 4) | (0 << 3) | (flags & 0x7)); + + /* +* GP op header, lengths are expected in bits. 
+*/ + cpt_inst_w4.s.param1 = encr_data_len; + cpt_inst_w4.s.param2 = auth_data_len; + + /* consider iv len */ + if (flags == 0x0) { + encr_offset += iv_len; + auth_offset += iv_len; + } + + /* save space for offset ctrl and iv */ + offset_vaddr = m_vaddr; + + m_vaddr = (uint8_t *)m_vaddr + ROC_SE_OFF_CTRL_LEN + iv_len; + + /* DPTR has SG list */ + in_buffer = m_vaddr; + + ((uint16_t *)in_buffer)[0] = 0; + ((uint16_t *)in_buffer)[1] = 0; + + /* TODO Add error check if space will be sufficient */ + gather_comp = (struct roc_se_sglist_comp *)((uint8_t *)m_vaddr + 8); + + /* +* Input Gather List +*/ + i = 0; + + /* Offset control word followed by iv */ + + if (flags == 0x0) { + inputlen = encr_offset + (RTE_ALIGN(encr_data_len, 8) / 8); + outputlen = inputlen; + /* iv offset is 0 */ + *offset_vaddr = rte_cpu_to_be_64((uint64_t)encr_offset << 16); + if (unlikely((encr_offset >> 16))) { + plt_dp_err("Offset not supported"); + plt_dp_err("enc_offset: %d", encr_offset); + return -1; + } + } else { + inputlen = auth_offset + (RTE_ALIGN(auth_data_len, 8) / 8); + outputlen = mac_len; + /* iv offset is 0 */ + *offset_vaddr = rte_cpu_to_be_64((uint64_t)auth_offset); + if (unlikely((auth_offset >> 8))) { + plt_dp_err("Offset not supported"); + plt_dp_err("auth_offset: %d", auth_offset); + return -1; + } + } + + i = fill_sg_comp(gather_comp, i, (uint64_t)offset_vaddr, +ROC_SE_OFF_CTRL_LEN + iv_len); + + /* IV */ + iv_d = (uint8_t *)offset_vaddr + ROC_SE_OFF_CTRL_LEN; + memcpy(iv_d, iv_s, iv_len); + + /* input data */ + size = inputlen - iv_len; + if (size) { + i = fill_sg_comp_from_iov(gather_comp, i, params->src_iov, 0, + &size, NULL, 0); + + if (unlikely(size)) { + plt_dp_err("Insufficient buffer space," + " size %d needed", + size); + return -1; + } + } + ((uint16_t *)in_buffer)[2] = rte_cpu_to_be_16(i); + g_size_bytes = ((i + 3) / 4) *
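Review bot: in cpt_kasumi_enc_prep(), dir = iv_s[8] & 0x1 reads the byte at index 8 while iv_len is 8 and only iv_len bytes are later copied with memcpy(iv_d, iv_s, iv_len), so the direction bit comes from one byte past the IV as this function defines it. If the caller is required to supply a ninth byte carrying the direction, document that next to the read and make sure the IV length accepted at session setup enforces it; otherwise this is an out-of-bounds read. Two further points: cpt_inst_w4 is not zeroed before its fields are set (17/20 does cpt_inst_w4.u64 = 0), and the "TODO Add error check if space will be sufficient" on the meta buffer should be resolved before the gather list is written into it.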
[dpdk-dev] [PATCH v2 17/20] crypto/cnxk: add KASUMI decrypt
From: Tejasree Kondoj Add KASUMI decrypt support. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- doc/guides/cryptodevs/features/cn10k.ini | 1 + doc/guides/cryptodevs/features/cn9k.ini | 1 + drivers/crypto/cnxk/cnxk_se.h| 133 +++ 3 files changed, 135 insertions(+) diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index a90421a..c611535 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -30,6 +30,7 @@ AES CTR (256) = Y AES XTS (128) = Y AES XTS (256) = Y DES CBC= Y +KASUMI F8 = Y SNOW3G UEA2= Y ZUC EEA3 = Y diff --git a/doc/guides/cryptodevs/features/cn9k.ini b/doc/guides/cryptodevs/features/cn9k.ini index fb0c09b..e833dc0 100644 --- a/doc/guides/cryptodevs/features/cn9k.ini +++ b/doc/guides/cryptodevs/features/cn9k.ini @@ -30,6 +30,7 @@ AES CTR (256) = Y AES XTS (128) = Y AES XTS (256) = Y DES CBC= Y +KASUMI F8 = Y SNOW3G UEA2= Y ZUC EEA3 = Y diff --git a/drivers/crypto/cnxk/cnxk_se.h b/drivers/crypto/cnxk/cnxk_se.h index 34907c6..b1337cc 100644 --- a/drivers/crypto/cnxk/cnxk_se.h +++ b/drivers/crypto/cnxk/cnxk_se.h 
@@ -1475,6 +1475,137 @@ cpt_kasumi_enc_prep(uint32_t req_flags, uint64_t d_offs, uint64_t d_lens, } static __rte_always_inline int +cpt_kasumi_dec_prep(uint64_t d_offs, uint64_t d_lens, + struct roc_se_fc_params *params, struct cpt_inst_s *inst) +{ + void *m_vaddr = params->meta_buf.vaddr; + uint32_t size; + int32_t inputlen = 0, outputlen; + struct roc_se_ctx *se_ctx; + uint8_t i = 0, iv_len = 8; + uint32_t encr_offset; + uint32_t encr_data_len; + int flags; + uint8_t dir = 0; + uint64_t *offset_vaddr; + union cpt_inst_w4 cpt_inst_w4; + uint8_t *in_buffer; + uint32_t g_size_bytes, s_size_bytes; + struct roc_se_sglist_comp *gather_comp; + struct roc_se_sglist_comp *scatter_comp; + + encr_offset = ROC_SE_ENCR_OFFSET(d_offs) / 8; + encr_data_len = ROC_SE_ENCR_DLEN(d_lens); + + se_ctx = params->ctx_buf.vaddr; + flags = se_ctx->zsk_flags; + + cpt_inst_w4.u64 = 0; + cpt_inst_w4.s.opcode_major = ROC_SE_MAJOR_OP_KASUMI | ROC_SE_DMA_MODE; + + /* indicates ECB/CBC, direction, ctx from cptr, iv from dptr */ + cpt_inst_w4.s.opcode_minor = ((1 << 6) | (se_ctx->k_ecb << 5) | + (dir << 4) | (0 << 3) | (flags & 0x7)); + + /* +* GP op header, lengths are expected in bits. 
+*/ + cpt_inst_w4.s.param1 = encr_data_len; + + /* consider iv len */ + encr_offset += iv_len; + + inputlen = iv_len + (RTE_ALIGN(encr_data_len, 8) / 8); + outputlen = inputlen; + + /* save space for offset ctrl & iv */ + offset_vaddr = m_vaddr; + + m_vaddr = (uint8_t *)m_vaddr + ROC_SE_OFF_CTRL_LEN + iv_len; + + /* DPTR has SG list */ + in_buffer = m_vaddr; + + ((uint16_t *)in_buffer)[0] = 0; + ((uint16_t *)in_buffer)[1] = 0; + + /* TODO Add error check if space will be sufficient */ + gather_comp = (struct roc_se_sglist_comp *)((uint8_t *)m_vaddr + 8); + + /* +* Input Gather List +*/ + i = 0; + + /* Offset control word followed by iv */ + *offset_vaddr = rte_cpu_to_be_64((uint64_t)encr_offset << 16); + if (unlikely((encr_offset >> 16))) { + plt_dp_err("Offset not supported"); + plt_dp_err("enc_offset: %d", encr_offset); + return -1; + } + + i = fill_sg_comp(gather_comp, i, (uint64_t)offset_vaddr, +ROC_SE_OFF_CTRL_LEN + iv_len); + + /* IV */ + memcpy((uint8_t *)offset_vaddr + ROC_SE_OFF_CTRL_LEN, params->iv_buf, + iv_len); + + /* Add input data */ + size = inputlen - iv_len; + if (size) { + i = fill_sg_comp_from_iov(gather_comp, i, params->src_iov, 0, + &size, NULL, 0); + if (unlikely(size)) { + plt_dp_err("Insufficient buffer space," + " size %d needed", + size); + return -1; + } + } + ((uint16_t *)in_buffer)[2] = rte_cpu_to_be_16(i); + g_size_bytes = ((i + 3) / 4) * sizeof(struct roc_se_sglist_comp); + + /* +* Output Scatter List +*/ + + i = 0; + scatter_comp = (struct roc_se_sglist_comp *)((uint8_t *)gather_comp + +g_size_bytes); + + /* IV */ + i = fill_sg_comp(scatter
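Review bot: in cpt_kasumi_dec_prep(), dir is initialised to 0 and never updated before it is shifted into opcode_minor, while the encrypt path derives it from the IV buffer, so decrypt always encodes direction 0. If that is intentional, drop the variable and say why in a comment; if not, derive it the same way as encrypt. Also, inputlen is computed as iv_len + (RTE_ALIGN(encr_data_len, 8) / 8) while the offset control word carries encr_offset, which includes ROC_SE_ENCR_OFFSET(d_offs) / 8; the encrypt path uses encr_offset + data bytes instead. With a non-zero cipher offset the gather list would be shorter than the offset implies, so either include the offset in inputlen or reject non-zero offsets.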
[dpdk-dev] [PATCH v2 18/20] crypto/cnxk: add digest support
From: Tejasree Kondoj Add support for digest support for various algorithms. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- doc/guides/cryptodevs/features/cn10k.ini | 17 ++ doc/guides/cryptodevs/features/cn9k.ini | 17 ++ drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 18 +- drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 17 +- drivers/crypto/cnxk/cnxk_se.h | 340 ++ 5 files changed, 407 insertions(+), 2 deletions(-) diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index c611535..77c4a2d 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -38,6 +38,23 @@ ZUC EEA3 = Y ; Supported authentication algorithms of 'cn10k' crypto driver. ; [Auth] +NULL = Y +AES GMAC = Y +KASUMI F9= Y +MD5 = Y +MD5 HMAC = Y +SHA1 = Y +SHA1 HMAC= Y +SHA224 = Y +SHA224 HMAC = Y +SHA256 = Y +SHA256 HMAC = Y +SHA384 = Y +SHA384 HMAC = Y +SHA512 = Y +SHA512 HMAC = Y +SNOW3G UIA2 = Y +ZUC EIA3 = Y ; ; Supported AEAD algorithms of 'cn10k' crypto driver. diff --git a/doc/guides/cryptodevs/features/cn9k.ini b/doc/guides/cryptodevs/features/cn9k.ini index e833dc0..7b310e6 100644 --- a/doc/guides/cryptodevs/features/cn9k.ini +++ b/doc/guides/cryptodevs/features/cn9k.ini @@ -38,6 +38,23 @@ ZUC EEA3 = Y ; Supported authentication algorithms of 'cn9k' crypto driver. ; [Auth] +NULL = Y +AES GMAC = Y +KASUMI F9= Y +MD5 = Y +MD5 HMAC = Y +SHA1 = Y +SHA1 HMAC= Y +SHA224 = Y +SHA224 HMAC = Y +SHA256 = Y +SHA256 HMAC = Y +SHA384 = Y +SHA384 HMAC = Y +SHA512 = Y +SHA512 HMAC = Y +SNOW3G UIA2 = Y +ZUC EIA3 = Y ; ; Supported AEAD algorithms of 'cn9k' crypto driver. diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 8af2ce9..6207627 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c 
@@ -53,6 +53,9 @@ cpt_sym_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op, if (cpt_op & ROC_SE_OP_CIPHER_MASK) ret = fill_fc_params(op, sess, &qp->meta_info, infl_req, inst); + else + ret = fill_digest_params(op, sess, &qp->meta_info, infl_req, +inst); return ret; } @@ -203,7 +206,10 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, if (likely(res->compcode == CPT_COMP_GOOD || res->compcode == CPT_COMP_WARN)) { if (unlikely(res->uc_compcode)) { - cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + if (res->uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE) + cop->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED; + else + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; plt_dp_info("Request failed with microcode error"); plt_dp_info("MC completion code 0x%x", @@ -212,6 +218,16 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, } cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { + + /* Verify authentication data if required */ + if (unlikely(infl_req->op_flags & +CPT_OP_FLAGS_AUTH_VERIFY)) { + uintptr_t *rsp = infl_req->mdata; + compl_auth_verify(cop, (uint8_t *)rsp[0], + rsp[1]); + } + } } else { cop->status = RTE_CRYPTO_OP_STATUS_ERROR; plt_dp_info("HW completion code 0x%x", res->compcode); diff --git a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c index e8189d0..da13c7d 100644 --- a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c @@ -24,6 +24,9 @@ cn9k_cpt_sym_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op, if (cpt_op & ROC_SE_OP_CIPHER_MASK) ret = fill_fc_params(op, sess, &qp->meta_info, infl_req, inst); + else + ret = fill_digest_params(op, sess, &qp->meta_info, infl_req, +inst); return ret; } @@ -166,7 +169,10 @@ cn9k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, struct rte_crypto_op *cop, if (likely(res->compcode == CPT_COMP_GOOD)) {
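Review bot: in cn10k_cpt_dequeue_post_process(), the new verify path treats infl_req->mdata as a two-element array and passes rsp[0] and rsp[1] to compl_auth_verify() whenever CPT_OP_FLAGS_AUTH_VERIFY is set, after cop->status has already been set to RTE_CRYPTO_OP_STATUS_SUCCESS. Nothing in the visible lines shows where mdata is populated or that the flag is only set once it has been, so please add a comment (or an assertion) tying the two together. The body of compl_auth_verify() is not in the visible lines; please confirm that it overwrites the status with RTE_CRYPTO_OP_STATUS_AUTH_FAILED on mismatch and that the digest comparison does not exit early on the first differing byte. The mapping of ROC_SE_ERR_GC_ICV_MISCOMPARE to RTE_CRYPTO_OP_STATUS_AUTH_FAILED looks right.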
[dpdk-dev] [PATCH v2 19/20] crypto/cnxk: add symmetric crypto capabilities
From: Ankur Dwivedi Add symmetric crypto capabilities for cn9k & cn10k. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- doc/guides/cryptodevs/cnxk.rst| 46 ++ doc/guides/rel_notes/release_21_08.rst| 7 + drivers/crypto/cnxk/cn10k_cryptodev.c | 4 + drivers/crypto/cnxk/cn9k_cryptodev.c | 4 + drivers/crypto/cnxk/cnxk_cryptodev.h | 5 + drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 699 ++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h | 25 + drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 3 +- drivers/crypto/cnxk/meson.build | 1 + 9 files changed, 793 insertions(+), 1 deletion(-) create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index 8bac539..885d941 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst 
@@ -21,6 +21,52 @@ Supported OCTEON cnxk SoCs - CN9XX - CN10XX +Features + + +The OCTEON cnxk crypto PMD has support for: + +Symmetric Crypto Algorithms +~~~ + +Cipher algorithms: + +* ``RTE_CRYPTO_CIPHER_NULL`` +* ``RTE_CRYPTO_CIPHER_3DES_CBC`` +* ``RTE_CRYPTO_CIPHER_3DES_ECB`` +* ``RTE_CRYPTO_CIPHER_AES_CBC`` +* ``RTE_CRYPTO_CIPHER_AES_CTR`` +* ``RTE_CRYPTO_CIPHER_AES_XTS`` +* ``RTE_CRYPTO_CIPHER_DES_CBC`` +* ``RTE_CRYPTO_CIPHER_KASUMI_F8`` +* ``RTE_CRYPTO_CIPHER_SNOW3G_UEA2`` +* ``RTE_CRYPTO_CIPHER_ZUC_EEA3`` + +Hash algorithms: + +* ``RTE_CRYPTO_AUTH_NULL`` +* ``RTE_CRYPTO_AUTH_AES_GMAC`` +* ``RTE_CRYPTO_AUTH_KASUMI_F9`` +* ``RTE_CRYPTO_AUTH_MD5`` +* ``RTE_CRYPTO_AUTH_MD5_HMAC`` +* ``RTE_CRYPTO_AUTH_SHA1`` +* ``RTE_CRYPTO_AUTH_SHA1_HMAC`` +* ``RTE_CRYPTO_AUTH_SHA224`` +* ``RTE_CRYPTO_AUTH_SHA224_HMAC`` +* ``RTE_CRYPTO_AUTH_SHA256`` +* ``RTE_CRYPTO_AUTH_SHA256_HMAC`` +* ``RTE_CRYPTO_AUTH_SHA384`` +* ``RTE_CRYPTO_AUTH_SHA384_HMAC`` +* ``RTE_CRYPTO_AUTH_SHA512`` +* ``RTE_CRYPTO_AUTH_SHA512_HMAC`` +* ``RTE_CRYPTO_AUTH_SNOW3G_UIA2`` +* ``RTE_CRYPTO_AUTH_ZUC_EIA3`` + +AEAD algorithms: + +* ``RTE_CRYPTO_AEAD_AES_GCM`` +* ``RTE_CRYPTO_AEAD_CHACHA20_POLY1305`` + Installation diff --git a/doc/guides/rel_notes/release_21_08.rst b/doc/guides/rel_notes/release_21_08.rst index a6ecfdf..52f2788 100644 --- a/doc/guides/rel_notes/release_21_08.rst +++ b/doc/guides/rel_notes/release_21_08.rst @@ -136,3 +136,10 @@ Tested Platforms This section is a comment. Do not overwrite or remove it. Also, make sure to start the actual text at the margin. === + +* **Added support for Marvell CN10K crypto driver.** + + Added Marvell CN10K crypto PMD. + + * Added crypto/cnxk driver which provides the support for the integrated +crypto device. diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index 2ae61b5..559aaef 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c 
@@ -13,6 +13,8 @@ #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" #include "cnxk_cryptodev.h" +#include "cnxk_cryptodev_capabilities.h" + #include "roc_api.h" uint8_t cn10k_cryptodev_driver_id; @@ -77,6 +79,8 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, } } + cnxk_cpt_caps_populate(vf); + dev->dev_ops = &cn10k_cpt_ops; dev->driver_id = cn10k_cryptodev_driver_id; diff --git a/drivers/crypto/cnxk/cn9k_cryptodev.c b/drivers/crypto/cnxk/cn9k_cryptodev.c index 9a2d565..d3dc084 100644 --- a/drivers/crypto/cnxk/cn9k_cryptodev.c +++ b/drivers/crypto/cnxk/cn9k_cryptodev.c @@ -13,6 +13,8 @@ #include "cn9k_cryptodev.h" #include "cn9k_cryptodev_ops.h" #include "cnxk_cryptodev.h" +#include "cnxk_cryptodev_capabilities.h" + #include "roc_api.h" uint8_t cn9k_cryptodev_driver_id; @@ -78,6 +80,8 @@ cn9k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, dev->dev_ops = &cn9k_cpt_ops; dev->driver_id = cn9k_cryptodev_driver_id; + cnxk_cpt_caps_populate(vf); + dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_HW_ACCELERATED | RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING | diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index 5b84f0b..03af4af 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -9,11 +9,16 @@ #include "roc_cpt.h" +#define CNXK_CPT_MAX_CAPS 34 +#define CNXK_SEC_CRYPTO_MAX_CAPS 4 +#define CNXK_SEC_MAX_CAPS 3 +
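Review bot: the release_21_08.rst hunk appends the new entry at the end of the file, after the comment block whose hunk context is "Tested Platforms", so it will render under that section rather than with the other new features. Move it to the new-features list. The entry also names only CN10K ("Added Marvell CN10K crypto PMD"), while this patch populates capabilities for both cn9k and cn10k and cnxk.rst lists CN9XX as supported; please cover both or explain the omission.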
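Review bot: in the cnxk_cryptodev.h hunk, CNXK_CPT_MAX_CAPS 34, CNXK_SEC_CRYPTO_MAX_CAPS 4 and CNXK_SEC_MAX_CAPS 3 are bare literals that have to stay in step with the tables that cnxk_cpt_caps_populate() fills. The populate code is not in the visible lines, so please confirm it checks the running count against these limits, and consider a build-time assertion so that adding a capability later cannot write past the end of the array.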
[dpdk-dev] [PATCH v2 20/20] test/crypto: enable cnxk crypto PMDs
From: Tejasree Kondoj Enable tests for cn9k & cn10k crypto PMDs. Signed-off-by: Ankur Dwivedi Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Tejasree Kondoj --- app/test/meson.build | 2 ++ app/test/test_cryptodev.c | 14 ++ app/test/test_cryptodev.h | 2 ++ doc/guides/cryptodevs/cnxk.rst | 20 4 files changed, 38 insertions(+) diff --git a/app/test/meson.build b/app/test/meson.build index 0a5f425..2b4bddd 100644 --- a/app/test/meson.build +++ b/app/test/meson.build @@ -311,6 +311,8 @@ perf_test_names = [ driver_test_names = [ 'cryptodev_aesni_mb_autotest', 'cryptodev_aesni_gcm_autotest', +'cryptodev_cn9k_autotest', +'cryptodev_cn10k_autotest', 'cryptodev_dpaa_sec_autotest', 'cryptodev_dpaa2_sec_autotest', 'cryptodev_null_autotest', diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 39db52b..ead8c6e 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -14778,6 +14778,18 @@ test_cryptodev_qat_raw_api(void /*argv __rte_unused, int argc __rte_unused*/) return ret; } +static int +test_cryptodev_cn9k(void) +{ + return run_cryptodev_testsuite(RTE_STR(CRYPTODEV_NAME_CN9K_PMD)); +} + +static int +test_cryptodev_cn10k(void) +{ + return run_cryptodev_testsuite(RTE_STR(CRYPTODEV_NAME_CN10K_PMD)); +} + REGISTER_TEST_COMMAND(cryptodev_qat_raw_api_autotest, test_cryptodev_qat_raw_api); REGISTER_TEST_COMMAND(cryptodev_qat_autotest, test_cryptodev_qat); @@ -14803,3 +14815,5 @@ REGISTER_TEST_COMMAND(cryptodev_octeontx2_autotest, test_cryptodev_octeontx2); REGISTER_TEST_COMMAND(cryptodev_caam_jr_autotest, test_cryptodev_caam_jr); REGISTER_TEST_COMMAND(cryptodev_nitrox_autotest, test_cryptodev_nitrox); REGISTER_TEST_COMMAND(cryptodev_bcmfs_autotest, test_cryptodev_bcmfs); +REGISTER_TEST_COMMAND(cryptodev_cn9k_autotest, test_cryptodev_cn9k); +REGISTER_TEST_COMMAND(cryptodev_cn10k_autotest, test_cryptodev_cn10k); diff --git a/app/test/test_cryptodev.h b/app/test/test_cryptodev.h index f81f8e3..5bf1e88 100644 
--- a/app/test/test_cryptodev.h +++ b/app/test/test_cryptodev.h @@ -71,6 +71,8 @@ #define CRYPTODEV_NAME_CAAM_JR_PMD crypto_caam_jr #define CRYPTODEV_NAME_NITROX_PMD crypto_nitrox_sym #define CRYPTODEV_NAME_BCMFS_PMD crypto_bcmfs +#define CRYPTODEV_NAME_CN9K_PMDcrypto_cn9k +#define CRYPTODEV_NAME_CN10K_PMD crypto_cn10k enum cryptodev_api_test_type { CRYPTODEV_API_TEST = 0, diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index 885d941..66b0b63 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -165,6 +165,26 @@ Debugging Options | 1 | CPT| --log-level='pmd\.crypto\.cnxk,8' | +---++---+ +Testing +--- + +The symmetric crypto operations on OCTEON cnxk crypto PMD may be verified by +running the test application: + +``CN9K`` + +.. code-block:: console + +./dpdk-test +RTE>>cryptodev_cn9k_autotest + +``CN10K`` + +.. code-block:: console + +./dpdk-test +RTE>>cryptodev_cn10k_autotest + Limitations --- -- 2.7.4
[dpdk-dev] [PATCH v2 0/4] Add rte_security in crypto_cn10k PMD
Add rte_security (lookaside protocol - IPsec) support in crypto_cn10k.

IPsec operations can be offloaded to CPT's SE and IE engines, which can process IPsec protocol operations including atomic sequence number increment (for outbound operations) and anti replay window check (for inbound operations).

Depends-on: series-17482 ("Add CPT in Marvell CNXK common driver")
Depends-on: series-17483 ("Add Marvell CNXK crypto PMDs")

Changes in v2:
- Rearranged capability additions & feature flag updates as suggested by Akhil
- Rebased on v2 of dependent series

Anoob Joseph (1):
  crypto/cnxk: add security capabilities

Srujana Challa (1):
  crypto/cnxk: add security ctx skeleton

Tejasree Kondoj (2):
  crypto/cnxk: add security session ops
  crypto/cnxk: add security handling in datapath ops

 doc/guides/cryptodevs/cnxk.rst| 24 ++
 doc/guides/cryptodevs/features/cn10k.ini | 1 +
 drivers/crypto/cnxk/cn10k_cryptodev.c | 12 +
 drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 78 +-
 drivers/crypto/cnxk/cn10k_ipsec.c | 275 ++
 drivers/crypto/cnxk/cn10k_ipsec.h | 36 +++
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 74 ++
 drivers/crypto/cnxk/cnxk_cryptodev.h | 4 +
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 114 +
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h | 9 +-
 drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 48
 drivers/crypto/cnxk/cnxk_cryptodev_sec.h | 14 ++
 drivers/crypto/cnxk/cnxk_ipsec.h | 20 ++
 drivers/crypto/cnxk/meson.build | 6 +-
 14 files changed, 712 insertions(+), 3 deletions(-)
 create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.c
 create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.h
 create mode 100644 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
 create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.c
 create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.h
 create mode 100644 drivers/crypto/cnxk/cnxk_ipsec.h

-- 2.7.4
[dpdk-dev] [PATCH v2 1/4] crypto/cnxk: add security ctx skeleton
From: Srujana Challa Add security ctx in cn10k crypto PMD. Signed-off-by: Anoob Joseph Signed-off-by: Srujana Challa Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cn10k_cryptodev.c| 9 ++ drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 47 drivers/crypto/cnxk/cnxk_cryptodev_sec.h | 14 ++ drivers/crypto/cnxk/meson.build | 3 +- 4 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.c create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index 559aaef..ffe654c 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -14,6 +14,7 @@ #include "cn10k_cryptodev_ops.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_capabilities.h" +#include "cnxk_cryptodev_sec.h" #include "roc_api.h" @@ -77,6 +78,11 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, plt_err("Failed to add engine group rc=%d", rc); goto dev_fini; } + + /* Create security context */ + rc = cnxk_crypto_sec_ctx_create(dev); + if (rc) + goto dev_fini; } cnxk_cpt_caps_populate(vf); @@ -126,6 +132,9 @@ cn10k_cpt_pci_remove(struct rte_pci_device *pci_dev) if (dev == NULL) return -ENODEV; + /* Destroy security context */ + cnxk_crypto_sec_ctx_destroy(dev); + if (rte_eal_process_type() == RTE_PROC_PRIMARY) { vf = dev->data->dev_private; ret = roc_cpt_dev_fini(&vf->cpt); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c new file mode 100644 index 000..f03d2ed --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c 
@@ -0,0 +1,47 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include +#include +#include +#include + +#include "cnxk_cryptodev_sec.h" + +/* Common security ops */ +struct rte_security_ops cnxk_sec_ops = { + .session_create = NULL, + .session_destroy = NULL, + .session_get_size = NULL, + .set_pkt_metadata = NULL, + .get_userdata = NULL, + .capabilities_get = NULL, +}; + +int +cnxk_crypto_sec_ctx_create(struct rte_cryptodev *cdev) +{ + struct rte_security_ctx *ctx; + + ctx = rte_malloc("cnxk_cpt_dev_sec_ctx", +sizeof(struct rte_security_ctx), 0); + + if (ctx == NULL) + return -ENOMEM; + + /* Populate ctx */ + ctx->device = cdev; + ctx->ops = &cnxk_sec_ops; + ctx->sess_cnt = 0; + + cdev->security_ctx = ctx; + + return 0; +} + +void +cnxk_crypto_sec_ctx_destroy(struct rte_cryptodev *cdev) +{ + rte_free(cdev->security_ctx); +} diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.h b/drivers/crypto/cnxk/cnxk_cryptodev_sec.h new file mode 100644 index 000..9ab0e9e --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.h @@ -0,0 +1,14 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CNXK_CRYPTODEV_SEC_H__ +#define __CNXK_CRYPTODEV_SEC_H__ + +#include + +int cnxk_crypto_sec_ctx_create(struct rte_cryptodev *crypto_dev); + +void cnxk_crypto_sec_ctx_destroy(struct rte_cryptodev *crypto_dev); + +#endif /* __CNXK_CRYPTODEV_SEC_H__ */ diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build index fa6be06..a2b461e 100644 --- a/drivers/crypto/cnxk/meson.build +++ b/drivers/crypto/cnxk/meson.build @@ -16,6 +16,7 @@ sources = files( 'cnxk_cryptodev.c', 'cnxk_cryptodev_capabilities.c', 'cnxk_cryptodev_ops.c', +'cnxk_cryptodev_sec.c', ) -deps += ['bus_pci', 'common_cnxk'] +deps += ['bus_pci', 'common_cnxk', 'security'] -- 2.7.4
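Review bot: cnxk_crypto_sec_ctx_destroy() frees cdev->security_ctx but leaves the pointer in place, so anything that touches the device after remove sees freed memory, and a second destroy would free it twice. Set cdev->security_ctx to NULL after the rte_free(). In cn10k_cryptodev.c the two calls are also not symmetric: the create call in cn10k_cpt_pci_probe() sits inside the conditional block that ends just before cnxk_cpt_caps_populate(), while the destroy call in cn10k_cpt_pci_remove() is placed ahead of the rte_eal_process_type() check and runs unconditionally. Move the destroy under the same condition as the create, or explain in a comment why it is safe outside it.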
[dpdk-dev] [PATCH v2 2/4] crypto/cnxk: add security session ops
From: Tejasree Kondoj Add security session ops in cn10k crypto PMD. Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Srujana Challa Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cn10k_cryptodev.c | 2 + drivers/crypto/cnxk/cn10k_ipsec.c | 275 ++ drivers/crypto/cnxk/cn10k_ipsec.h | 36 + drivers/crypto/cnxk/cnxk_ipsec.h | 20 +++ drivers/crypto/cnxk/meson.build | 3 + 5 files changed, 336 insertions(+) create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.c create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.h create mode 100644 drivers/crypto/cnxk/cnxk_ipsec.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index ffe654c..cacf9c2 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -12,6 +12,7 @@ #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" +#include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_capabilities.h" #include "cnxk_cryptodev_sec.h" @@ -101,6 +102,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn10k_cpt_set_enqdeq_fns(dev); + cn10k_sec_ops_override(); return 0; diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c new file mode 100644 index 000..1d567bf --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec.c 
@@ -0,0 +1,275 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include +#include +#include +#include +#include +#include +#include + +#include "cnxk_cryptodev.h" +#include "cnxk_ipsec.h" +#include "cnxk_security.h" +#include "cn10k_ipsec.h" + +#include "roc_api.h" + +static int +ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && + crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT) + return -EINVAL; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && + crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT) + return -EINVAL; + + if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + switch (crypto_xfrm->aead.key.length) { + case ROC_CPT_AES128_KEY_LEN: + case ROC_CPT_AES192_KEY_LEN: + case ROC_CPT_AES256_KEY_LEN: + break; + default: + return -EINVAL; + } + return 0; + } + + return -ENOTSUP; +} + +static int +cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm, +struct rte_crypto_sym_xform *crypto_xfrm) +{ + if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS)) + return -EINVAL; + + if ((ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) && + (ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH)) + return -EINVAL; + + if ((ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) && + (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)) + return -EINVAL; + + if ((ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) && + (ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6)) + return -EINVAL; + + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) + return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm); + + return -ENOTSUP; +} + +static uint64_t +ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa) +{ + union cpt_inst_w7 w7; + + w7.u64 = 0; + w7.s.egrp = 
roc_cpt->eng_grp[CPT_ENG_TYPE_IE]; + w7.s.ctx_val = 1; + w7.s.cptr = (uint64_t)sa; + rte_mb(); + + return w7.u64; +} + +static int +cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sec_sess) +{ + struct roc_ot_ipsec_outb_sa *out_sa; + struct cnxk_ipsec_outb_rlens rlens; + struct cn10k_sec_session *sess; + struct cn10k_ipsec_sa *sa; + union cpt_inst_w4 inst_w4; + int ret; + + sess = get_sec_session_private_data(sec_sess); + sa = &sess->sa; + out_sa = &sa->out_sa; + + memset(out_sa, 0, sizeof(struct roc_ot_ipsec_outb_sa)); + +
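Review bot: cn10k_ipsec_xform_verify() accepts more than the driver can do. It lets RTE_SECURITY_IPSEC_SA_PROTO_AH, RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT and RTE_SECURITY_IPSEC_TUNNEL_IPV6 through, yet the only crypto xform that ipsec_xform_aead_verify() accepts is AES-GCM, and the documentation added in 4/4 lists IPv4, ESP and tunnel mode only. A session that the hardware path does not implement should fail at create time, so return -ENOTSUP for AH, transport mode and IPv6 tunnels until they are supported. The tunnel.type check is also applied when mode is transport, where that field has no meaning; test it only for tunnel mode.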
[dpdk-dev] [PATCH v2 3/4] crypto/cnxk: add security handling in datapath ops
From: Tejasree Kondoj Add security handling in enqueue dequeue ops. Signed-off-by: Anoob Joseph Signed-off-by: Srujana Challa Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 78 ++- drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 74 + 2 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 6207627..29525cd 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -4,9 +4,12 @@ #include #include +#include #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" +#include "cn10k_ipsec_la_ops.h" +#include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" #include "cnxk_se.h" 
@@ -42,6 +45,38 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op) } static __rte_always_inline int __rte_hot +cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess, + struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) +{ + struct rte_crypto_sym_op *sym_op = op->sym; + union roc_ot_ipsec_sa_word2 *w2; + struct cn10k_ipsec_sa *sa; + int ret; + + if (unlikely(sym_op->m_dst && sym_op->m_dst != sym_op->m_src)) { + plt_dp_err("Out of place is not supported"); + return -ENOTSUP; + } + + if (unlikely(!rte_pktmbuf_is_contiguous(sym_op->m_src))) { + plt_dp_err("Scatter Gather mode is not supported"); + return -ENOTSUP; + } + + sa = &sess->sa; + w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2; + + if (w2->s.dir == ROC_IE_OT_SA_DIR_OUTBOUND) + ret = process_outb_sa(op, sa, inst); + else { + infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND; + ret = process_inb_sa(op, sa, inst); + } + + return ret; +} + +static __rte_always_inline int __rte_hot cpt_sym_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op, struct cnxk_se_sess *sess, struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) @@ -64,6 +99,7 @@ static inline int cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], struct cpt_inst_s inst[], struct cpt_inflight_req *infl_req) { + struct cn10k_sec_session *sec_sess; struct rte_crypto_sym_op *sym_op; struct cnxk_se_sess *sess; struct rte_crypto_op *op; 
@@ -79,7 +115,15 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], sym_op = op->sym; if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { - if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { + if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { + sec_sess = get_sec_session_private_data( + sym_op->sec_session); + ret = cpt_sec_inst_fill(op, sec_sess, infl_req, + &inst[0]); + if (unlikely(ret)) + return 0; + w7 = sec_sess->sa.inst.w7; + } else if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { sess = get_sym_session_private_data( sym_op->session, cn10k_cryptodev_driver_id); ret = cpt_sym_inst_fill(qp, op, sess, infl_req, @@ -196,6 +240,34 @@ cn10k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) } static inline void +cn10k_cpt_sec_post_process(struct rte_crypto_op *cop, + struct cpt_inflight_req *infl_req) +{ + struct rte_crypto_sym_op *sym_op = cop->sym; + struct rte_mbuf *m = sym_op->m_src; + struct rte_ipv6_hdr *ip6; + struct rte_ipv4_hdr *ip; + uint16_t m_len; + + if (infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND) { + ip = (struct rte_ipv4_hdr *)rte_pktmbuf_mtod(m, char *); + + if (((ip->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER) == + IPVERSION) { + m_len = rte_be_to_cpu_16(ip->total_length); + } else { + PLT_ASSERT(((ip->version_ihl & 0xf0) >> + RTE_IPV4_IHL_MULTIPLIER) == IPV6_VERSION); + ip6 = (struct rte_ipv6_hdr *)ip; + m_len = rte_be_to_cpu_16(ip6->payload_len) + + siz
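Review bot: in cpt_sec_inst_fill() the SA direction is read through sa->in_sa.w2 before it is known whether the SA is inbound or outbound. That only works if in_sa and out_sa overlay each other with word 2 at the same offset, which is not visible from this file. Either store the direction in struct cn10k_ipsec_sa when the session is created and test that, or add a comment (and a build-time offset check) stating the layout assumption.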
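Review bot: cn10k_cpt_sec_post_process() decides between IPv4 and IPv6 from the first byte of the decrypted packet and uses PLT_ASSERT() for the IPv6 case. That byte is packet data chosen by the peer, so a malformed inner header either aborts the application when assertions are enabled or, when they are compiled out, falls through and takes m_len from an IPv6 payload_len field of something that is not IPv6. Handle the unexpected version as a normal error and set the op status instead of asserting. The version test also shifts by RTE_IPV4_IHL_MULTIPLIER, which has the right value only by coincidence; that macro is the IHL-to-bytes multiplier, not the width of the version nibble, so shift by 4 or use a named constant for it.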
[dpdk-dev] [PATCH v2 4/4] crypto/cnxk: add security capabilities
Add security capabilities supported by crypto cn10k PMD. Signed-off-by: Anoob Joseph Signed-off-by: Srujana Challa Signed-off-by: Tejasree Kondoj --- doc/guides/cryptodevs/cnxk.rst| 24 + doc/guides/cryptodevs/features/cn10k.ini | 1 + drivers/crypto/cnxk/cn10k_cryptodev.c | 1 + drivers/crypto/cnxk/cnxk_cryptodev.h | 4 + drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 114 ++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h | 9 +- drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 3 +- 7 files changed, 154 insertions(+), 2 deletions(-) diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index 66b0b63..db949fa 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -185,6 +185,30 @@ running the test application: ./dpdk-test RTE>>cryptodev_cn10k_autotest +Lookaside IPsec Support +--- + +The OCTEON cnxk SoCs can accelerate IPsec traffic in lookaside protocol mode, +with its **cryptographic accelerator (CPT)**. ``OCTEON cnxk crypto PMD`` implements +this as an ``RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL`` offload. + +Refer to :doc:`../prog_guide/rte_security` for more details on protocol offloads. + +This feature can be tested with ipsec-secgw sample application. + +Supported OCTEON cnxk SoCs +~~ + +- CN10XX + +Features supported +~~ + +* IPv4 +* ESP +* Tunnel mode +* AES-128/192/256-GCM + Limitations --- diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index 77c4a2d..b268f84 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -7,6 +7,7 @@ Symmetric crypto = Y Sym operation chaining = Y HW Accelerated = Y +Protocol offload = Y In Place SGL = Y OOP SGL In LB Out = Y OOP SGL In SGL Out = Y diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index cacf9c2..22ae810 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c 
@@ -99,6 +99,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | RTE_CRYPTODEV_FF_SYM_SESSIONLESS | +RTE_CRYPTODEV_FF_SECURITY | RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn10k_cpt_set_enqdeq_fns(dev); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index 03af4af..6760c13 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -6,6 +6,7 @@ #define _CNXK_CRYPTODEV_H_ #include +#include #include "roc_cpt.h" @@ -19,6 +20,9 @@ struct cnxk_cpt_vf { struct roc_cpt cpt; struct rte_cryptodev_capabilities crypto_caps[CNXK_CPT_MAX_CAPS]; + struct rte_cryptodev_capabilities + sec_crypto_caps[CNXK_SEC_CRYPTO_MAX_CAPS]; + struct rte_security_capability sec_caps[CNXK_SEC_MAX_CAPS]; }; int cnxk_cpt_eng_grp_add(struct roc_cpt *roc_cpt); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index a5195e8..d52fa89 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -3,6 +3,7 @@ */ #include +#include #include "roc_api.h" @@ -18,6 +19,15 @@ RTE_DIM(caps_##name));\ } while (0) +#define SEC_CAPS_ADD(cnxk_caps, cur_pos, hw_caps, name) \ + do { \ + if ((hw_caps[CPT_ENG_TYPE_SE].name) || \ + (hw_caps[CPT_ENG_TYPE_IE].name) || \ + (hw_caps[CPT_ENG_TYPE_AE].name)) \ + sec_caps_add(cnxk_caps, cur_pos, sec_caps_##name, \ +RTE_DIM(sec_caps_##name));\ + } while (0) + static const struct rte_cryptodev_capabilities caps_sha1_sha2[] = { { /* SHA1 */ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, @@ -658,6 +668,69 @@ static const struct rte_cryptodev_capabilities caps_end[] = { RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST() }; +static const struct rte_cryptodev_capabilities sec_caps_aes[] = { + { /* AES GCM */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD, + {.aead = { + .algo
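Review bot: SEC_CAPS_ADD() adds the security crypto capability when any of the SE, IE or AE engine groups reports the feature bit. The cover letter says IPsec is offloaded to the SE and IE engines, and ipsec_cpt_inst_w7_get() in 2/4 submits to the CPT_ENG_TYPE_IE group, so a bit set only on the AE group would advertise a lookaside IPsec capability that the submission path cannot serve. Drop hw_caps[CPT_ENG_TYPE_AE] from the condition, or check only the engine group the security path actually uses. The macro arguments are also used unparenthesized; wrap hw_caps in parentheses as a matter of hygiene.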
[dpdk-dev] [PATCH v2 0/4] Add asymmetric ops in crypto cnxk PMDs
Add support for asymmetric operations in crypto cnxk PMDs.

Following operations are supported,
- RSA
- DSA
- ECDSA
- ECPM
- Modular Exponentiation

Depends-on: series-17482 ("Add CPT in Marvell CNXK common driver")
Depends-on: series-17483 ("Add Marvell CNXK crypto PMDs")
Depends-on: series-17484 ("Add rte_security in crypto_cn10k PMD")

Changes in v2:
- Added documentation
- Added asymmetric capabilities as separate patch

Anoob Joseph (1):
  crypto/cnxk: add asymmetric capabilities

Kiran Kumar K (3):
  crypto/cnxk: add asymmetric session ops
  crypto/cnxk: add asymmetric datapath ops
  test/crypto: add cnxk for asymmetric cases

 app/test/test_cryptodev_asym.c| 30 +
 doc/guides/cryptodevs/cnxk.rst| 23 +
 doc/guides/cryptodevs/features/cn10k.ini | 13 +
 doc/guides/cryptodevs/features/cn9k.ini | 13 +
 drivers/crypto/cnxk/cn10k_cryptodev.c | 2 +
 drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 33 +-
 drivers/crypto/cnxk/cn9k_cryptodev.c | 4 +-
 drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 35 +-
 drivers/crypto/cnxk/cnxk_ae.h | 836 ++
 drivers/crypto/cnxk/cnxk_cryptodev.h | 4 +-
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 56 ++
 drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 106 +++
 drivers/crypto/cnxk/cnxk_cryptodev_ops.h | 8 +
 13 files changed, 1153 insertions(+), 10 deletions(-)
 create mode 100644 drivers/crypto/cnxk/cnxk_ae.h

-- 2.7.4
[dpdk-dev] [PATCH v2 1/4] crypto/cnxk: add asymmetric session ops
From: Kiran Kumar K Add asymmetric crypto session ops. Signed-off-by: Kiran Kumar K --- doc/guides/cryptodevs/features/cn10k.ini | 13 ++ doc/guides/cryptodevs/features/cn9k.ini | 13 ++ drivers/crypto/cnxk/cn10k_cryptodev.c | 2 + drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 6 +- drivers/crypto/cnxk/cn9k_cryptodev.c | 4 +- drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 6 +- drivers/crypto/cnxk/cnxk_ae.h | 211 ++ drivers/crypto/cnxk/cnxk_cryptodev.h | 4 +- drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 106 +++ drivers/crypto/cnxk/cnxk_cryptodev_ops.h | 8 ++ 10 files changed, 365 insertions(+), 8 deletions(-) create mode 100644 drivers/crypto/cnxk/cnxk_ae.h diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index b268f84..f5552fe 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -5,6 +5,7 @@ ; [Features] Symmetric crypto = Y +Asymmetric crypto = Y Sym operation chaining = Y HW Accelerated = Y Protocol offload = Y @@ -65,3 +66,15 @@ AES GCM (128) = Y AES GCM (192) = Y AES GCM (256) = Y CHACHA20-POLY1305 = Y + +; +; Supported Asymmetric algorithms of the 'cn10k' crypto driver. +; +[Asymmetric] +RSA = Y +DSA = +Modular Exponentiation = Y +Modular Inversion = +Diffie-hellman = +ECDSA = Y +ECPM= Y diff --git a/doc/guides/cryptodevs/features/cn9k.ini b/doc/guides/cryptodevs/features/cn9k.ini index 7b310e6..d69dbe8 100644 --- a/doc/guides/cryptodevs/features/cn9k.ini +++ b/doc/guides/cryptodevs/features/cn9k.ini @@ -5,6 +5,7 @@ ; [Features] Symmetric crypto = Y +Asymmetric crypto = Y Sym operation chaining = Y HW Accelerated = Y In Place SGL = Y @@ -64,3 +65,15 @@ AES GCM (128) = Y AES GCM (192) = Y AES GCM (256) = Y CHACHA20-POLY1305 = Y + +; +; Supported Asymmetric algorithms of the 'cn9k' crypto driver. +; +[Asymmetric] +RSA = Y +DSA = +Modular Exponentiation = Y +Modular Inversion = +Diffie-hellman = +ECDSA = Y +ECPM= Y 
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index 22ae810..10a621f 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -92,7 +92,9 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, dev->driver_id = cn10k_cryptodev_driver_id; dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | +RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_HW_ACCELERATED | +RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_QT | RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING | RTE_CRYPTODEV_FF_IN_PLACE_SGL | RTE_CRYPTODEV_FF_OOP_LB_IN_LB_OUT | diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 29525cd..8b33764 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -426,8 +426,8 @@ struct rte_cryptodev_ops cn10k_cpt_ops = { .sym_session_clear = cnxk_cpt_sym_session_clear, /* Asymmetric crypto ops */ - .asym_session_get_size = NULL, - .asym_session_configure = NULL, - .asym_session_clear = NULL, + .asym_session_get_size = cnxk_ae_session_size_get, + .asym_session_configure = cnxk_ae_session_cfg, + .asym_session_clear = cnxk_ae_session_clear, }; diff --git a/drivers/crypto/cnxk/cn9k_cryptodev.c b/drivers/crypto/cnxk/cn9k_cryptodev.c index d3dc084..e74e739 100644 --- a/drivers/crypto/cnxk/cn9k_cryptodev.c +++ b/drivers/crypto/cnxk/cn9k_cryptodev.c @@ -83,6 +83,7 @@ cn9k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, cnxk_cpt_caps_populate(vf); dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | +RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_HW_ACCELERATED | RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING | RTE_CRYPTODEV_FF_IN_PLACE_SGL | 
@@ -90,7 +91,8 @@ cn9k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | RTE_CRYPTODEV_FF_SYM_SESSIONLESS | -RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; +RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED | +RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_QT; cn9k_cpt_set_enqdeq_fns(dev); diff --git a/drivers/crypt
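Review bot: the feature files and the code disagree with each other and with the cover letter. Both cn10k.ini and cn9k.ini leave "DSA =" empty although the cover letter lists DSA among the supported operations; either mark it or drop DSA from the cover letter. Both probe functions also start advertising RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_QT, but the [Features] hunks add only "Asymmetric crypto = Y"; add the matching RSA private key (quintuple) feature row so the generated feature matrix reflects the flag.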
[dpdk-dev] [PATCH v2 2/4] crypto/cnxk: add asymmetric datapath ops
From: Kiran Kumar K Add asymmetric crypto datapath ops. Signed-off-by: Kiran Kumar K --- drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 27 ++ drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 29 +- drivers/crypto/cnxk/cnxk_ae.h | 625 ++ 3 files changed, 679 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 8b33764..6d12cc3 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -10,6 +10,7 @@ #include "cn10k_cryptodev_ops.h" #include "cn10k_ipsec_la_ops.h" #include "cn10k_ipsec.h" +#include "cnxk_ae.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" #include "cnxk_se.h" @@ -100,7 +101,9 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], struct cpt_inst_s inst[], struct cpt_inflight_req *infl_req) { struct cn10k_sec_session *sec_sess; + struct rte_crypto_asym_op *asym_op; struct rte_crypto_sym_op *sym_op; + struct cnxk_ae_sess *ae_sess; struct cnxk_se_sess *sess; struct rte_crypto_op *op; uint64_t w7; @@ -148,6 +151,21 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], } w7 = sess->cpt_inst_w7; } + } else if (op->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC) { + + if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { + asym_op = op->asym; + ae_sess = get_asym_session_private_data( + asym_op->session, cn10k_cryptodev_driver_id); + ret = cnxk_ae_enqueue(qp, op, infl_req, &inst[0], + ae_sess); + if (unlikely(ret)) + return 0; + w7 = ae_sess->cpt_inst_w7; + } else { + plt_dp_err("Not supported Asym op without session"); + return 0; + } } else { plt_dp_err("Unsupported op type"); return 0; 
@@ -303,6 +321,15 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, compl_auth_verify(cop, (uint8_t *)rsp[0], rsp[1]); } + } else if (cop->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC) { + struct rte_crypto_asym_op *op = cop->asym; + uintptr_t *mdata = infl_req->mdata; + struct cnxk_ae_sess *sess; + + sess = get_asym_session_private_data( + op->session, cn10k_cryptodev_driver_id); + + cnxk_ae_post_process(cop, sess, (uint8_t *)mdata[0]); } } else { cop->status = RTE_CRYPTO_OP_STATUS_ERROR; diff --git a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c index d8b2aea..e367cc4 100644 --- a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c @@ -7,6 +7,7 @@ #include "cn9k_cryptodev.h" #include "cn9k_cryptodev_ops.h" +#include "cnxk_ae.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" #include "cnxk_se.h" @@ -65,11 +66,11 @@ static uint16_t cn9k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) { struct cpt_inflight_req *infl_req; + struct rte_crypto_asym_op *asym_op; struct rte_crypto_sym_op *sym_op; uint16_t nb_allowed, count = 0; struct cnxk_cpt_qp *qp = qptr; struct pending_queue *pend_q; - struct cnxk_se_sess *sess; struct rte_crypto_op *op; struct cpt_inst_s inst; uint64_t lmt_status; @@ -95,6 +96,8 @@ cn9k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) infl_req->op_flags = 0; if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { + struct cnxk_se_sess *sess; + if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { sym_op = op->sym; sess = get_sym_session_private_data( @@ -120,6 +123,20 @@ cn9k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) op->sym->session); } } + inst.w7.u64 = sess->cpt_inst_w7; + } else if (op->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC) { + struct cnxk_ae_sess *sess; + + ret = -EINVAL; + if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { + asym_op = op->asym; +
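Review bot: in the asymmetric branch of cn10k_cpt_fill_inst(), a failing cnxk_ae_enqueue() becomes a bare "return 0" with the error code dropped and nothing logged, while the sessionless case directly below does log. Log the failure with plt_dp_err() including ret, so a rejected asymmetric op can be told apart from a full queue. Style: there is a stray blank line after the opening brace of the new "else if (op->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC) {" branch, and the dequeue hunk names the asymmetric op "op" where the enqueue side uses "asym_op"; use one name in both places.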
[dpdk-dev] [PATCH v2 3/4] crypto/cnxk: add asymmetric capabilities
Add asymmetric capabilities supported. Signed-off-by: Anoob Joseph --- doc/guides/cryptodevs/cnxk.rst| 6 +++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 56 +++ 2 files changed, 62 insertions(+) diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index db949fa..bbc6daa 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -67,6 +67,12 @@ AEAD algorithms: * ``RTE_CRYPTO_AEAD_AES_GCM`` * ``RTE_CRYPTO_AEAD_CHACHA20_POLY1305`` +Asymmetric Crypto Algorithms + + +* ``RTE_CRYPTO_ASYM_XFORM_RSA`` +* ``RTE_CRYPTO_ASYM_XFORM_MODEX`` + Installation diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index d52fa89..ab37f9c 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c 
@@ -28,6 +28,61 @@ RTE_DIM(sec_caps_##name));\ } while (0) +static const struct rte_cryptodev_capabilities caps_mul[] = { + { /* RSA */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_RSA, + .op_types = ((1 << RTE_CRYPTO_ASYM_OP_SIGN) | + (1 << RTE_CRYPTO_ASYM_OP_VERIFY) | + (1 << RTE_CRYPTO_ASYM_OP_ENCRYPT) | + (1 << RTE_CRYPTO_ASYM_OP_DECRYPT)), + {.modlen = { + .min = 17, + .max = 1024, + .increment = 1 + }, } + } + }, } + }, + { /* MOD_EXP */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODEX, + .op_types = 0, + {.modlen = { + .min = 17, + .max = 1024, + .increment = 1 + }, } + } + }, } + }, + { /* ECDSA */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_ECDSA, + .op_types = ((1 << RTE_CRYPTO_ASYM_OP_SIGN) | + (1 << RTE_CRYPTO_ASYM_OP_VERIFY)), + } + }, + } + }, + { /* ECPM */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_ECPM, + .op_types = 0 + } + }, + } + }, +}; + static const struct rte_cryptodev_capabilities caps_sha1_sha2[] = { { /* SHA1 */ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, @@ -748,6 +803,7 @@ crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[], { int cur_pos = 0; + CPT_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, mul); CPT_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, sha1_sha2); CPT_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, chacha20); CPT_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, zuc_snow3g); -- 2.7.4
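Review bot: the documentation hunk lists only RTE_CRYPTO_ASYM_XFORM_RSA and RTE_CRYPTO_ASYM_XFORM_MODEX under "Asymmetric Crypto Algorithms", but caps_mul[] also advertises RTE_CRYPTO_ASYM_XFORM_ECDSA and RTE_CRYPTO_ASYM_XFORM_ECPM. Add the two missing entries to cnxk.rst so the guide matches the capability table. All four entries are also gated on the single hw_caps "mul" bit through CPT_CAPS_ADD(); a short comment above caps_mul[] saying why that one bit implies RSA, MODEX, ECDSA and ECPM would help, as would a note on the unit of the modlen range (min 17, max 1024).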
[dpdk-dev] [PATCH v2 4/4] test/crypto: add cnxk for asymmetric cases
From: Kiran Kumar K Adding autotest for cn9k and cn10k. Signed-off-by: Kiran Kumar K --- app/test/test_cryptodev_asym.c | 30 ++ doc/guides/cryptodevs/cnxk.rst | 17 + 2 files changed, 47 insertions(+) diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c index b36eec9..847b074 100644 --- a/app/test/test_cryptodev_asym.c +++ b/app/test/test_cryptodev_asym.c @@ -2390,6 +2390,34 @@ test_cryptodev_octeontx2_asym(void) return unit_test_suite_runner(&cryptodev_octeontx_asym_testsuite); } +static int +test_cryptodev_cn9k_asym(void) +{ + gbl_driver_id = rte_cryptodev_driver_id_get( + RTE_STR(CRYPTODEV_NAME_CN9K_PMD)); + if (gbl_driver_id == -1) { + RTE_LOG(ERR, USER1, "CN9K PMD must be loaded.\n"); + return TEST_FAILED; + } + + /* Use test suite registered for crypto_octeontx PMD */ + return unit_test_suite_runner(&cryptodev_octeontx_asym_testsuite); +} + +static int +test_cryptodev_cn10k_asym(void) +{ + gbl_driver_id = rte_cryptodev_driver_id_get( + RTE_STR(CRYPTODEV_NAME_CN10K_PMD)); + if (gbl_driver_id == -1) { + RTE_LOG(ERR, USER1, "CN10K PMD must be loaded.\n"); + return TEST_FAILED; + } + + /* Use test suite registered for crypto_octeontx PMD */ + return unit_test_suite_runner(&cryptodev_octeontx_asym_testsuite); +} + REGISTER_TEST_COMMAND(cryptodev_openssl_asym_autotest, test_cryptodev_openssl_asym); @@ -2400,3 +2428,5 @@ REGISTER_TEST_COMMAND(cryptodev_octeontx_asym_autotest, REGISTER_TEST_COMMAND(cryptodev_octeontx2_asym_autotest, test_cryptodev_octeontx2_asym); +REGISTER_TEST_COMMAND(cryptodev_cn9k_asym_autotest, test_cryptodev_cn9k_asym); +REGISTER_TEST_COMMAND(cryptodev_cn10k_asym_autotest, test_cryptodev_cn10k_asym); diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index bbc6daa..98c7118 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst 
@@ -191,6 +191,23 @@ running the test application: ./dpdk-test RTE>>cryptodev_cn10k_autotest +The asymmetric crypto operations on OCTEON cnxk crypto PMD may be verified by +running the test application: + +``CN9K`` + +.. code-block:: console + +./dpdk-test +RTE>>cryptodev_cn9k_asym_autotest + +``CN10K`` + +.. code-block:: console + +./dpdk-test +RTE>>cryptodev_cn10k_asym_autotest + Lookaside IPsec Support --- -- 2.7.4
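Review bot: test_cryptodev_cn9k_asym() and test_cryptodev_cn10k_asym() return TEST_FAILED when rte_cryptodev_driver_id_get() returns -1, so a run on a platform without the PMD is reported as a failure when the device is simply absent. Returning TEST_SKIPPED would keep autotest results on other hardware clean. The two functions differ only in the PMD name and the log string, so a shared helper taking the driver name would remove the duplication, and the comment "Use test suite registered for crypto_octeontx PMD" could state why that suite is valid for cnxk.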
[dpdk-dev] [PATCH v3 0/8] Add lookaside IPsec and asymmetric in cnxk crypto PMDs
Add rte_security (lookaside protocol - IPsec) support in crypto_cn10k. IPsec
operations can be offloaded to CPT's SE and IE engines, which can process
IPsec protocol operations including atomic sequence number increment (for
outbound operations) and anti replay window check (for inbound operations).

Add support for asymmetric operations in crypto cnxk PMDs. Following
operations are supported,
- RSA
- DSA
- ECDSA
- ECPM
- Modular Exponentiation

Anoob Joseph (2):
  crypto/cnxk: add security capabilities
  crypto/cnxk: add asymmetric capabilities

Kiran Kumar K (3):
  crypto/cnxk: add asymmetric session ops
  crypto/cnxk: add asymmetric datapath ops
  test/crypto: add cnxk for asymmetric cases

Srujana Challa (1):
  crypto/cnxk: add security ctx skeleton

Tejasree Kondoj (2):
  crypto/cnxk: add security session ops
  crypto/cnxk: add security handling in datapath ops

Changes in v3:
- Rebased on dpdk-next-crypto ToT
- Merged asymmetric & lookaside IPsec series

Changes in v2:
- Added documentation
- Added asymmetric capabilities as separate patch

 app/test/test_cryptodev_asym.c | 30 +
 doc/guides/cryptodevs/cnxk.rst | 47 ++
 doc/guides/cryptodevs/features/cn10k.ini | 14 +
 doc/guides/cryptodevs/features/cn9k.ini | 13 +
 doc/guides/rel_notes/release_21_08.rst | 4 +
 drivers/crypto/cnxk/cn10k_cryptodev.c | 14 +
 drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 111 ++-
 drivers/crypto/cnxk/cn10k_ipsec.c | 275 +++
 drivers/crypto/cnxk/cn10k_ipsec.h | 36 +
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 74 ++
 drivers/crypto/cnxk/cn9k_cryptodev.c | 4 +-
 drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 35 +-
 drivers/crypto/cnxk/cnxk_ae.h | 836 ++
 drivers/crypto/cnxk/cnxk_cryptodev.h | 8 +-
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 170 +
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h | 9 +-
 drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 106 +++
 drivers/crypto/cnxk/cnxk_cryptodev_ops.h | 8 +
 drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 48 ++
 drivers/crypto/cnxk/cnxk_cryptodev_sec.h | 14 +
 drivers/crypto/cnxk/cnxk_ipsec.h | 20 +
 drivers/crypto/cnxk/meson.build | 6 +-
 22 files changed, 1869 insertions(+), 13 deletions(-)
 create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.c
 create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.h
 create mode 100644 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
 create mode 100644 drivers/crypto/cnxk/cnxk_ae.h
 create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.c
 create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.h
 create mode 100644 drivers/crypto/cnxk/cnxk_ipsec.h

--
2.7.4
[dpdk-dev] [PATCH v3 1/8] crypto/cnxk: add security ctx skeleton
From: Srujana Challa Add security ctx in cn10k crypto PMD. Signed-off-by: Anoob Joseph Signed-off-by: Srujana Challa Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cn10k_cryptodev.c| 9 ++ drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 47 drivers/crypto/cnxk/cnxk_cryptodev_sec.h | 14 ++ drivers/crypto/cnxk/meson.build | 3 +- 4 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.c create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index 559aaef..ffe654c 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -14,6 +14,7 @@ #include "cn10k_cryptodev_ops.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_capabilities.h" +#include "cnxk_cryptodev_sec.h" #include "roc_api.h" @@ -77,6 +78,11 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, plt_err("Failed to add engine group rc=%d", rc); goto dev_fini; } + + /* Create security context */ + rc = cnxk_crypto_sec_ctx_create(dev); + if (rc) + goto dev_fini; } cnxk_cpt_caps_populate(vf); @@ -126,6 +132,9 @@ cn10k_cpt_pci_remove(struct rte_pci_device *pci_dev) if (dev == NULL) return -ENODEV; + /* Destroy security context */ + cnxk_crypto_sec_ctx_destroy(dev); + if (rte_eal_process_type() == RTE_PROC_PRIMARY) { vf = dev->data->dev_private; ret = roc_cpt_dev_fini(&vf->cpt); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c new file mode 100644 index 000..f03d2ed --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c 
@@ -0,0 +1,47 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include +#include +#include +#include + +#include "cnxk_cryptodev_sec.h" + +/* Common security ops */ +struct rte_security_ops cnxk_sec_ops = { + .session_create = NULL, + .session_destroy = NULL, + .session_get_size = NULL, + .set_pkt_metadata = NULL, + .get_userdata = NULL, + .capabilities_get = NULL, +}; + +int +cnxk_crypto_sec_ctx_create(struct rte_cryptodev *cdev) +{ + struct rte_security_ctx *ctx; + + ctx = rte_malloc("cnxk_cpt_dev_sec_ctx", +sizeof(struct rte_security_ctx), 0); + + if (ctx == NULL) + return -ENOMEM; + + /* Populate ctx */ + ctx->device = cdev; + ctx->ops = &cnxk_sec_ops; + ctx->sess_cnt = 0; + + cdev->security_ctx = ctx; + + return 0; +} + +void +cnxk_crypto_sec_ctx_destroy(struct rte_cryptodev *cdev) +{ + rte_free(cdev->security_ctx); +} diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.h b/drivers/crypto/cnxk/cnxk_cryptodev_sec.h new file mode 100644 index 000..9ab0e9e --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.h @@ -0,0 +1,14 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CNXK_CRYPTODEV_SEC_H__ +#define __CNXK_CRYPTODEV_SEC_H__ + +#include + +int cnxk_crypto_sec_ctx_create(struct rte_cryptodev *crypto_dev); + +void cnxk_crypto_sec_ctx_destroy(struct rte_cryptodev *crypto_dev); + +#endif /* __CNXK_CRYPTODEV_SEC_H__ */ diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build index fa6be06..a2b461e 100644 --- a/drivers/crypto/cnxk/meson.build +++ b/drivers/crypto/cnxk/meson.build @@ -16,6 +16,7 @@ sources = files( 'cnxk_cryptodev.c', 'cnxk_cryptodev_capabilities.c', 'cnxk_cryptodev_ops.c', +'cnxk_cryptodev_sec.c', ) -deps += ['bus_pci', 'common_cnxk'] +deps += ['bus_pci', 'common_cnxk', 'security'] -- 2.7.4
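Review bot: In cn10k_cpt_pci_remove() the call to cnxk_crypto_sec_ctx_destroy(dev) is placed ahead of the rte_eal_process_type() == RTE_PROC_PRIMARY check, while in cn10k_cpt_pci_probe() the matching cnxk_crypto_sec_ctx_create(dev) sits inside the block that closes just before cnxk_cpt_caps_populate(vf). If that block is the primary-process branch, a secondary process that removes the device will rte_free() a context it never allocated and that the primary may still be using; the destroy should move under the primary check. The create failure path also jumps to dev_fini without a plt_err(), unlike the engine group failure directly above it.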
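Review bot: cnxk_crypto_sec_ctx_destroy() in cnxk_cryptodev_sec.c frees cdev->security_ctx but leaves the pointer in place, so any later reader of cdev->security_ctx, or a second call on the same device, touches freed memory. Set cdev->security_ctx = NULL after rte_free(). A short comment on cnxk_sec_ops saying that the NULL callbacks are filled in by a later patch would also help anyone bisecting to this commit.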
[dpdk-dev] [PATCH v3 2/8] crypto/cnxk: add security session ops
From: Tejasree Kondoj Add security session ops in cn10k crypto PMD. Signed-off-by: Anoob Joseph Signed-off-by: Archana Muniganti Signed-off-by: Srujana Challa Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cn10k_cryptodev.c | 2 + drivers/crypto/cnxk/cn10k_ipsec.c | 275 ++ drivers/crypto/cnxk/cn10k_ipsec.h | 36 + drivers/crypto/cnxk/cnxk_ipsec.h | 20 +++ drivers/crypto/cnxk/meson.build | 3 + 5 files changed, 336 insertions(+) create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.c create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.h create mode 100644 drivers/crypto/cnxk/cnxk_ipsec.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index ffe654c..cacf9c2 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -12,6 +12,7 @@ #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" +#include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_capabilities.h" #include "cnxk_cryptodev_sec.h" @@ -101,6 +102,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn10k_cpt_set_enqdeq_fns(dev); + cn10k_sec_ops_override(); return 0; diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c new file mode 100644 index 000..1d567bf --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec.c 
@@ -0,0 +1,275 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include +#include +#include +#include +#include +#include +#include + +#include "cnxk_cryptodev.h" +#include "cnxk_ipsec.h" +#include "cnxk_security.h" +#include "cn10k_ipsec.h" + +#include "roc_api.h" + +static int +ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && + crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT) + return -EINVAL; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && + crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT) + return -EINVAL; + + if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + switch (crypto_xfrm->aead.key.length) { + case ROC_CPT_AES128_KEY_LEN: + case ROC_CPT_AES192_KEY_LEN: + case ROC_CPT_AES256_KEY_LEN: + break; + default: + return -EINVAL; + } + return 0; + } + + return -ENOTSUP; +} + +static int +cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm, +struct rte_crypto_sym_xform *crypto_xfrm) +{ + if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS)) + return -EINVAL; + + if ((ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) && + (ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH)) + return -EINVAL; + + if ((ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) && + (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)) + return -EINVAL; + + if ((ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) && + (ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6)) + return -EINVAL; + + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) + return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm); + + return -ENOTSUP; +} + +static uint64_t +ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa) +{ + union cpt_inst_w7 w7; + + w7.u64 = 0; + w7.s.egrp = 
roc_cpt->eng_grp[CPT_ENG_TYPE_IE]; + w7.s.ctx_val = 1; + w7.s.cptr = (uint64_t)sa; + rte_mb(); + + return w7.u64; +} + +static int +cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sec_sess) +{ + struct roc_ot_ipsec_outb_sa *out_sa; + struct cnxk_ipsec_outb_rlens rlens; + struct cn10k_sec_session *sess; + struct cn10k_ipsec_sa *sa; + union cpt_inst_w4 inst_w4; + int ret; + + sess = get_sec_session_private_data(sec_sess); + sa = &sess->sa; + out_sa = &sa->out_sa; + + memset(out_sa, 0, sizeof(struct roc_ot_ipsec_outb_sa)); + +
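Review bot: cn10k_ipsec_xform_verify() accepts RTE_SECURITY_IPSEC_SA_PROTO_AH, RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT and RTE_SECURITY_IPSEC_TUNNEL_IPV6, but the documentation added in patch 4/8 lists only IPv4, ESP, tunnel mode and AES-GCM as supported. Combinations the hardware path does not implement should be rejected here with -ENOTSUP so that session creation fails cleanly instead of producing an SA the datapath cannot honour. The tunnel.type check is also applied regardless of mode; it should be evaluated only when mode is RTE_SECURITY_IPSEC_SA_MODE_TUNNEL.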
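Review bot: ipsec_cpt_inst_w7_get() issues rte_mb() after filling a stack-local union cpt_inst_w7 and before returning its value; nothing in the function writes shared memory, so the full barrier has no visible purpose at this point. If it is meant to order the caller's SA writes before the instruction word is used, it belongs at that call site with a comment naming the stores it orders; otherwise it can be dropped.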
[dpdk-dev] [PATCH v3 3/8] crypto/cnxk: add security handling in datapath ops
From: Tejasree Kondoj Add security handling in enqueue dequeue ops. Signed-off-by: Anoob Joseph Signed-off-by: Srujana Challa Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 78 ++- drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 74 + 2 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 1a30908..8005a25 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -4,9 +4,12 @@ #include #include +#include #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" +#include "cn10k_ipsec_la_ops.h" +#include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" #include "cnxk_se.h" 
@@ -42,6 +45,38 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op) } static __rte_always_inline int __rte_hot +cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess, + struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) +{ + struct rte_crypto_sym_op *sym_op = op->sym; + union roc_ot_ipsec_sa_word2 *w2; + struct cn10k_ipsec_sa *sa; + int ret; + + if (unlikely(sym_op->m_dst && sym_op->m_dst != sym_op->m_src)) { + plt_dp_err("Out of place is not supported"); + return -ENOTSUP; + } + + if (unlikely(!rte_pktmbuf_is_contiguous(sym_op->m_src))) { + plt_dp_err("Scatter Gather mode is not supported"); + return -ENOTSUP; + } + + sa = &sess->sa; + w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2; + + if (w2->s.dir == ROC_IE_OT_SA_DIR_OUTBOUND) + ret = process_outb_sa(op, sa, inst); + else { + infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND; + ret = process_inb_sa(op, sa, inst); + } + + return ret; +} + +static __rte_always_inline int __rte_hot cpt_sym_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op, struct cnxk_se_sess *sess, struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) @@ -64,6 +99,7 @@ static inline int cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], struct cpt_inst_s inst[], struct cpt_inflight_req *infl_req) { + struct cn10k_sec_session *sec_sess; struct rte_crypto_sym_op *sym_op; struct cnxk_se_sess *sess; struct rte_crypto_op *op; 
@@ -79,7 +115,15 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], sym_op = op->sym; if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { - if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { + if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { + sec_sess = get_sec_session_private_data( + sym_op->sec_session); + ret = cpt_sec_inst_fill(op, sec_sess, infl_req, + &inst[0]); + if (unlikely(ret)) + return 0; + w7 = sec_sess->sa.inst.w7; + } else if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { sess = get_sym_session_private_data( sym_op->session, cn10k_cryptodev_driver_id); ret = cpt_sym_inst_fill(qp, op, sess, infl_req, @@ -196,6 +240,34 @@ cn10k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) } static inline void +cn10k_cpt_sec_post_process(struct rte_crypto_op *cop, + struct cpt_inflight_req *infl_req) +{ + struct rte_crypto_sym_op *sym_op = cop->sym; + struct rte_mbuf *m = sym_op->m_src; + struct rte_ipv6_hdr *ip6; + struct rte_ipv4_hdr *ip; + uint16_t m_len; + + if (infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND) { + ip = (struct rte_ipv4_hdr *)rte_pktmbuf_mtod(m, char *); + + if (((ip->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER) == + IPVERSION) { + m_len = rte_be_to_cpu_16(ip->total_length); + } else { + PLT_ASSERT(((ip->version_ihl & 0xf0) >> + RTE_IPV4_IHL_MULTIPLIER) == IPV6_VERSION); + ip6 = (struct rte_ipv6_hdr *)ip; + m_len = rte_be_to_cpu_16(ip6->payload_len) + + siz
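Review bot: cn10k_cpt_sec_post_process() extracts the IP version with (ip->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER, which only works because the IHL multiplier happens to equal the nibble shift of 4. Use an explicit shift of 4, or a named constant for it, so the check does not depend on an unrelated macro. The IPv6 case is guarded only by PLT_ASSERT(); if asserts are compiled out, any packet whose first nibble is not 4 is parsed as IPv6 and m_len is taken from its payload_len field, so an explicit else branch that marks the op as failed would be safer for data that has just come off the wire.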
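Review bot: cpt_sec_inst_fill() reads the SA direction through sa->in_sa.w2 for every session, including outbound ones whose state patch 2/8 sets up through sa->out_sa. That is correct only if in_sa and out_sa overlay each other with w2 at the same offset; a comment stating that assumption, or a direction field stored directly in struct cn10k_ipsec_sa, would make the datapath branch safe against later layout changes.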
[dpdk-dev] [PATCH v3 4/8] crypto/cnxk: add security capabilities
Add security capabilities supported by crypto cn10k PMD. Signed-off-by: Anoob Joseph Signed-off-by: Srujana Challa Signed-off-by: Tejasree Kondoj --- doc/guides/cryptodevs/cnxk.rst| 24 + doc/guides/cryptodevs/features/cn10k.ini | 1 + drivers/crypto/cnxk/cn10k_cryptodev.c | 1 + drivers/crypto/cnxk/cnxk_cryptodev.h | 4 + drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 114 ++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h | 9 +- drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 3 +- 7 files changed, 154 insertions(+), 2 deletions(-) diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index 66b0b63..db949fa 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -185,6 +185,30 @@ running the test application: ./dpdk-test RTE>>cryptodev_cn10k_autotest +Lookaside IPsec Support +--- + +The OCTEON cnxk SoCs can accelerate IPsec traffic in lookaside protocol mode, +with its **cryptographic accelerator (CPT)**. ``OCTEON cnxk crypto PMD`` implements +this as an ``RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL`` offload. + +Refer to :doc:`../prog_guide/rte_security` for more details on protocol offloads. + +This feature can be tested with ipsec-secgw sample application. + +Supported OCTEON cnxk SoCs +~~ + +- CN10XX + +Features supported +~~ + +* IPv4 +* ESP +* Tunnel mode +* AES-128/192/256-GCM + Limitations --- diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index 77c4a2d..b268f84 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -7,6 +7,7 @@ Symmetric crypto = Y Sym operation chaining = Y HW Accelerated = Y +Protocol offload = Y In Place SGL = Y OOP SGL In LB Out = Y OOP SGL In SGL Out = Y diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index cacf9c2..22ae810 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c 
@@ -99,6 +99,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | RTE_CRYPTODEV_FF_SYM_SESSIONLESS | +RTE_CRYPTODEV_FF_SECURITY | RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn10k_cpt_set_enqdeq_fns(dev); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index 03af4af..6760c13 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -6,6 +6,7 @@ #define _CNXK_CRYPTODEV_H_ #include +#include #include "roc_cpt.h" @@ -19,6 +20,9 @@ struct cnxk_cpt_vf { struct roc_cpt cpt; struct rte_cryptodev_capabilities crypto_caps[CNXK_CPT_MAX_CAPS]; + struct rte_cryptodev_capabilities + sec_crypto_caps[CNXK_SEC_CRYPTO_MAX_CAPS]; + struct rte_security_capability sec_caps[CNXK_SEC_MAX_CAPS]; }; int cnxk_cpt_eng_grp_add(struct roc_cpt *roc_cpt); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index a5195e8..d52fa89 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -3,6 +3,7 @@ */ #include +#include #include "roc_api.h" @@ -18,6 +19,15 @@ RTE_DIM(caps_##name));\ } while (0) +#define SEC_CAPS_ADD(cnxk_caps, cur_pos, hw_caps, name) \ + do { \ + if ((hw_caps[CPT_ENG_TYPE_SE].name) || \ + (hw_caps[CPT_ENG_TYPE_IE].name) || \ + (hw_caps[CPT_ENG_TYPE_AE].name)) \ + sec_caps_add(cnxk_caps, cur_pos, sec_caps_##name, \ +RTE_DIM(sec_caps_##name));\ + } while (0) + static const struct rte_cryptodev_capabilities caps_sha1_sha2[] = { { /* SHA1 */ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, @@ -658,6 +668,69 @@ static const struct rte_cryptodev_capabilities caps_end[] = { RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST() }; +static const struct rte_cryptodev_capabilities sec_caps_aes[] = { + { /* AES GCM */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD, + {.aead = { + .algo
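Review bot: SEC_CAPS_ADD() in cnxk_cryptodev_capabilities.c enables a security capability when hw_caps[CPT_ENG_TYPE_AE].name is set, yet the cover letter says IPsec operations are offloaded to the SE and IE engines. The AE term looks carried over from CPT_CAPS_ADD(); if the asymmetric engine cannot service lookaside IPsec, drop it from the condition so a capability is never advertised on the strength of an engine that will not run it. In cnxk.rst, "with its cryptographic accelerator" should read "with their", since the subject is "SoCs".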
[dpdk-dev] [PATCH v3 5/8] crypto/cnxk: add asymmetric session ops
From: Kiran Kumar K Add asymmetric crypto session ops. Signed-off-by: Kiran Kumar K --- doc/guides/cryptodevs/features/cn10k.ini | 13 ++ doc/guides/cryptodevs/features/cn9k.ini | 13 ++ drivers/crypto/cnxk/cn10k_cryptodev.c | 2 + drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 6 +- drivers/crypto/cnxk/cn9k_cryptodev.c | 4 +- drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 6 +- drivers/crypto/cnxk/cnxk_ae.h | 211 ++ drivers/crypto/cnxk/cnxk_cryptodev.h | 4 +- drivers/crypto/cnxk/cnxk_cryptodev_ops.c | 106 +++ drivers/crypto/cnxk/cnxk_cryptodev_ops.h | 8 ++ 10 files changed, 365 insertions(+), 8 deletions(-) create mode 100644 drivers/crypto/cnxk/cnxk_ae.h diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index b268f84..f5552fe 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -5,6 +5,7 @@ ; [Features] Symmetric crypto = Y +Asymmetric crypto = Y Sym operation chaining = Y HW Accelerated = Y Protocol offload = Y @@ -65,3 +66,15 @@ AES GCM (128) = Y AES GCM (192) = Y AES GCM (256) = Y CHACHA20-POLY1305 = Y + +; +; Supported Asymmetric algorithms of the 'cn10k' crypto driver. +; +[Asymmetric] +RSA = Y +DSA = +Modular Exponentiation = Y +Modular Inversion = +Diffie-hellman = +ECDSA = Y +ECPM= Y diff --git a/doc/guides/cryptodevs/features/cn9k.ini b/doc/guides/cryptodevs/features/cn9k.ini index 7b310e6..d69dbe8 100644 --- a/doc/guides/cryptodevs/features/cn9k.ini +++ b/doc/guides/cryptodevs/features/cn9k.ini @@ -5,6 +5,7 @@ ; [Features] Symmetric crypto = Y +Asymmetric crypto = Y Sym operation chaining = Y HW Accelerated = Y In Place SGL = Y @@ -64,3 +65,15 @@ AES GCM (128) = Y AES GCM (192) = Y AES GCM (256) = Y CHACHA20-POLY1305 = Y + +; +; Supported Asymmetric algorithms of the 'cn9k' crypto driver. +; +[Asymmetric] +RSA = Y +DSA = +Modular Exponentiation = Y +Modular Inversion = +Diffie-hellman = +ECDSA = Y +ECPM= Y 
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index 22ae810..10a621f 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -92,7 +92,9 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, dev->driver_id = cn10k_cryptodev_driver_id; dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | +RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_HW_ACCELERATED | +RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_QT | RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING | RTE_CRYPTODEV_FF_IN_PLACE_SGL | RTE_CRYPTODEV_FF_OOP_LB_IN_LB_OUT | diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 8005a25..aa615b2 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -426,8 +426,8 @@ struct rte_cryptodev_ops cn10k_cpt_ops = { .sym_session_clear = cnxk_cpt_sym_session_clear, /* Asymmetric crypto ops */ - .asym_session_get_size = NULL, - .asym_session_configure = NULL, - .asym_session_clear = NULL, + .asym_session_get_size = cnxk_ae_session_size_get, + .asym_session_configure = cnxk_ae_session_cfg, + .asym_session_clear = cnxk_ae_session_clear, }; diff --git a/drivers/crypto/cnxk/cn9k_cryptodev.c b/drivers/crypto/cnxk/cn9k_cryptodev.c index d3dc084..e74e739 100644 --- a/drivers/crypto/cnxk/cn9k_cryptodev.c +++ b/drivers/crypto/cnxk/cn9k_cryptodev.c @@ -83,6 +83,7 @@ cn9k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, cnxk_cpt_caps_populate(vf); dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | +RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_HW_ACCELERATED | RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING | RTE_CRYPTODEV_FF_IN_PLACE_SGL | 
@@ -90,7 +91,8 @@ cn9k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | RTE_CRYPTODEV_FF_SYM_SESSIONLESS | -RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; +RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED | +RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_QT; cn9k_cpt_set_enqdeq_fns(dev); diff --git a/drivers/crypt
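Review bot: The [Asymmetric] sections added to cn10k.ini and cn9k.ini leave DSA blank, while the v3 cover letter lists DSA among the supported operations; one of the two needs correcting so users do not plan around an algorithm the PMD does not offer. Both probe functions also set RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_QT, but the [Features] hunks add only "Asymmetric crypto = Y"; if the feature matrix has a row for the quintuple private-key form, it should be marked as well.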
[dpdk-dev] [PATCH v3 6/8] crypto/cnxk: add asymmetric datapath ops
From: Kiran Kumar K Add asymmetric crypto datapath ops. Signed-off-by: Kiran Kumar K --- drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 27 ++ drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 29 +- drivers/crypto/cnxk/cnxk_ae.h | 625 ++ 3 files changed, 679 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index aa615b2..6d322a9 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -10,6 +10,7 @@ #include "cn10k_cryptodev_ops.h" #include "cn10k_ipsec_la_ops.h" #include "cn10k_ipsec.h" +#include "cnxk_ae.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" #include "cnxk_se.h" @@ -100,7 +101,9 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], struct cpt_inst_s inst[], struct cpt_inflight_req *infl_req) { struct cn10k_sec_session *sec_sess; + struct rte_crypto_asym_op *asym_op; struct rte_crypto_sym_op *sym_op; + struct cnxk_ae_sess *ae_sess; struct cnxk_se_sess *sess; struct rte_crypto_op *op; uint64_t w7; @@ -148,6 +151,21 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], } w7 = sess->cpt_inst_w7; } + } else if (op->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC) { + + if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { + asym_op = op->asym; + ae_sess = get_asym_session_private_data( + asym_op->session, cn10k_cryptodev_driver_id); + ret = cnxk_ae_enqueue(qp, op, infl_req, &inst[0], + ae_sess); + if (unlikely(ret)) + return 0; + w7 = ae_sess->cpt_inst_w7; + } else { + plt_dp_err("Not supported Asym op without session"); + return 0; + } } else { plt_dp_err("Unsupported op type"); return 0; 
@@ -303,6 +321,15 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, compl_auth_verify(cop, (uint8_t *)rsp[0], rsp[1]); } + } else if (cop->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC) { + struct rte_crypto_asym_op *op = cop->asym; + uintptr_t *mdata = infl_req->mdata; + struct cnxk_ae_sess *sess; + + sess = get_asym_session_private_data( + op->session, cn10k_cryptodev_driver_id); + + cnxk_ae_post_process(cop, sess, (uint8_t *)mdata[0]); } } else { cop->status = RTE_CRYPTO_OP_STATUS_ERROR; diff --git a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c index 6d1537b..724965b 100644 --- a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c @@ -7,6 +7,7 @@ #include "cn9k_cryptodev.h" #include "cn9k_cryptodev_ops.h" +#include "cnxk_ae.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" #include "cnxk_se.h" @@ -65,11 +66,11 @@ static uint16_t cn9k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) { struct cpt_inflight_req *infl_req; + struct rte_crypto_asym_op *asym_op; struct rte_crypto_sym_op *sym_op; uint16_t nb_allowed, count = 0; struct cnxk_cpt_qp *qp = qptr; struct pending_queue *pend_q; - struct cnxk_se_sess *sess; struct rte_crypto_op *op; struct cpt_inst_s inst; uint64_t lmt_status; @@ -95,6 +96,8 @@ cn9k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) infl_req->op_flags = 0; if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { + struct cnxk_se_sess *sess; + if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { sym_op = op->sym; sess = get_sym_session_private_data( @@ -120,6 +123,20 @@ cn9k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) op->sym->session); } } + inst.w7.u64 = sess->cpt_inst_w7; + } else if (op->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC) { + struct cnxk_ae_sess *sess; + + ret = -EINVAL; + if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { + asym_op = op->asym; +
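Review bot: In cn10k_cpt_fill_inst() the new asymmetric branch opens with a blank line straight after "} else if (op->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC) {", which should be removed, and the sessionless error text "Not supported Asym op without session" would read better as "Asymmetric ops without session are not supported". In cn10k_cpt_dequeue_post_process() the asymmetric branch passes (uint8_t *)mdata[0] to cnxk_ae_post_process() with no comment on what infl_req->mdata holds for asymmetric ops; a one-line note on who fills it and when would help review of the enqueue side.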
[dpdk-dev] [PATCH v3 7/8] crypto/cnxk: add asymmetric capabilities
Add asymmetric capabilities supported. Signed-off-by: Anoob Joseph --- doc/guides/cryptodevs/cnxk.rst| 6 +++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 56 +++ 2 files changed, 62 insertions(+) diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index db949fa..bbc6daa 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -67,6 +67,12 @@ AEAD algorithms: * ``RTE_CRYPTO_AEAD_AES_GCM`` * ``RTE_CRYPTO_AEAD_CHACHA20_POLY1305`` +Asymmetric Crypto Algorithms + + +* ``RTE_CRYPTO_ASYM_XFORM_RSA`` +* ``RTE_CRYPTO_ASYM_XFORM_MODEX`` + Installation diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index d52fa89..ab37f9c 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c 
@@ -28,6 +28,61 @@ RTE_DIM(sec_caps_##name));\ } while (0) +static const struct rte_cryptodev_capabilities caps_mul[] = { + { /* RSA */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_RSA, + .op_types = ((1 << RTE_CRYPTO_ASYM_OP_SIGN) | + (1 << RTE_CRYPTO_ASYM_OP_VERIFY) | + (1 << RTE_CRYPTO_ASYM_OP_ENCRYPT) | + (1 << RTE_CRYPTO_ASYM_OP_DECRYPT)), + {.modlen = { + .min = 17, + .max = 1024, + .increment = 1 + }, } + } + }, } + }, + { /* MOD_EXP */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODEX, + .op_types = 0, + {.modlen = { + .min = 17, + .max = 1024, + .increment = 1 + }, } + } + }, } + }, + { /* ECDSA */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_ECDSA, + .op_types = ((1 << RTE_CRYPTO_ASYM_OP_SIGN) | + (1 << RTE_CRYPTO_ASYM_OP_VERIFY)), + } + }, + } + }, + { /* ECPM */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_ECPM, + .op_types = 0 + } + }, + } + }, +}; + static const struct rte_cryptodev_capabilities caps_sha1_sha2[] = { { /* SHA1 */ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, @@ -748,6 +803,7 @@ crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[], { int cur_pos = 0; + CPT_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, mul); CPT_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, sha1_sha2); CPT_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, chacha20); CPT_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, zuc_snow3g); -- 2.7.4
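Review bot: The "Asymmetric Crypto Algorithms" list added to cnxk.rst names only RTE_CRYPTO_ASYM_XFORM_RSA and RTE_CRYPTO_ASYM_XFORM_MODEX, while caps_mul in the same patch also registers RTE_CRYPTO_ASYM_XFORM_ECDSA and RTE_CRYPTO_ASYM_XFORM_ECPM. Add the two missing entries to the documentation so it matches what the PMD advertises. The modlen limits of 17 and 1024 for RSA and MOD_EXP are still undocumented; a comment giving the unit and the reason for the lower bound belongs next to them.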
[dpdk-dev] [PATCH v3 8/8] test/crypto: add cnxk for asymmetric cases
From: Kiran Kumar K Adding autotest for cn9k and cn10k. Signed-off-by: Kiran Kumar K --- app/test/test_cryptodev_asym.c | 30 ++ doc/guides/cryptodevs/cnxk.rst | 17 + doc/guides/rel_notes/release_21_08.rst | 4 3 files changed, 51 insertions(+) diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c index b36eec9..847b074 100644 --- a/app/test/test_cryptodev_asym.c +++ b/app/test/test_cryptodev_asym.c @@ -2390,6 +2390,34 @@ test_cryptodev_octeontx2_asym(void) return unit_test_suite_runner(&cryptodev_octeontx_asym_testsuite); } +static int +test_cryptodev_cn9k_asym(void) +{ + gbl_driver_id = rte_cryptodev_driver_id_get( + RTE_STR(CRYPTODEV_NAME_CN9K_PMD)); + if (gbl_driver_id == -1) { + RTE_LOG(ERR, USER1, "CN9K PMD must be loaded.\n"); + return TEST_FAILED; + } + + /* Use test suite registered for crypto_octeontx PMD */ + return unit_test_suite_runner(&cryptodev_octeontx_asym_testsuite); +} + +static int +test_cryptodev_cn10k_asym(void) +{ + gbl_driver_id = rte_cryptodev_driver_id_get( + RTE_STR(CRYPTODEV_NAME_CN10K_PMD)); + if (gbl_driver_id == -1) { + RTE_LOG(ERR, USER1, "CN10K PMD must be loaded.\n"); + return TEST_FAILED; + } + + /* Use test suite registered for crypto_octeontx PMD */ + return unit_test_suite_runner(&cryptodev_octeontx_asym_testsuite); +} + REGISTER_TEST_COMMAND(cryptodev_openssl_asym_autotest, test_cryptodev_openssl_asym); @@ -2400,3 +2428,5 @@ REGISTER_TEST_COMMAND(cryptodev_octeontx_asym_autotest, REGISTER_TEST_COMMAND(cryptodev_octeontx2_asym_autotest, test_cryptodev_octeontx2_asym); +REGISTER_TEST_COMMAND(cryptodev_cn9k_asym_autotest, test_cryptodev_cn9k_asym); +REGISTER_TEST_COMMAND(cryptodev_cn10k_asym_autotest, test_cryptodev_cn10k_asym); diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index bbc6daa..98c7118 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst 
@@ -191,6 +191,23 @@ running the test application: ./dpdk-test RTE>>cryptodev_cn10k_autotest +The asymmetric crypto operations on OCTEON cnxk crypto PMD may be verified by +running the test application: + +``CN9K`` + +.. code-block:: console + +./dpdk-test +RTE>>cryptodev_cn9k_asym_autotest + +``CN10K`` + +.. code-block:: console + +./dpdk-test +RTE>>cryptodev_cn10k_asym_autotest + Lookaside IPsec Support --- diff --git a/doc/guides/rel_notes/release_21_08.rst b/doc/guides/rel_notes/release_21_08.rst index 72652ac..cd51b49 100644 --- a/doc/guides/rel_notes/release_21_08.rst +++ b/doc/guides/rel_notes/release_21_08.rst @@ -59,6 +59,10 @@ New Features * Added cnxk crypto PMD which provides support for an integrated crypto driver for CN9K and CN10K series of SOCs. + * Added 'cn9k_crypto' PMD which supports symmetric & asymmetric +offloads + * Added 'cn10k_crypto' PMD which supports symmetric, asymmetric +and lookaside protocol (IPsec) offloads. Removed Items -- 2.7.4
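Review bot: The release_21_08.rst hunk describes PMD features ("symmetric & asymmetric offloads", "lookaside protocol (IPsec) offloads") but is carried by a patch titled "test/crypto: add cnxk for asymmetric cases"; the release note lines belong in the driver patches that add those features, so that a revert or backport of the test patch does not drop them. The 'cn9k_crypto' bullet also lacks the closing full stop that the 'cn10k_crypto' bullet has. The TEST_FAILED return for a missing PMD in test_cryptodev_cn9k_asym() and test_cryptodev_cn10k_asym() is unchanged from v2 and would still be better as TEST_SKIPPED.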