All of lore.kernel.org
 help / color / mirror / Atom feed
* [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features
@ 2021-09-01 10:19 Tejasree Kondoj
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 1/8] common/cnxk: add hash generation APIs Tejasree Kondoj
                   ` (8 more replies)
  0 siblings, 9 replies; 10+ messages in thread
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC (permalink / raw)
  To: Akhil Goyal
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
	Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev

This series adds cn10k lookaside IPsec AES-CBC-HMAC-SHA1, UDP encapsulation
and transport mode support along with common cnxk pmd changes.
The functionality has been tested with ipsec-secgw application running in
lookaside protocol offload mode.

v2:
* Fixed release notes

Archana Muniganti (2):
  crypto/cnxk: make IPsec verify functions common
  common/cnxk: make IPsec defines common

Tejasree Kondoj (6):
  common/cnxk: add hash generation APIs
  crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support
  crypto/cnxk: remove redundant code
  crypto/cnxk: use rlen from CPT result with lookaside
  crypto/cnxk: support cn10k transport mode
  crypto/cnxk: support UDP encap with lookaside IPsec

 doc/guides/cryptodevs/cnxk.rst                |   3 +
 doc/guides/rel_notes/release_21_11.rst        |   6 +
 drivers/common/cnxk/cnxk_security.c           |  92 +++++-
 drivers/common/cnxk/meson.build               |   1 +
 drivers/common/cnxk/roc_api.h                 |   4 +
 drivers/common/cnxk/roc_hash.c                | 275 ++++++++++++++++++
 drivers/common/cnxk/roc_hash.h                |  16 +
 drivers/common/cnxk/roc_ie.h                  |  33 ++-
 drivers/common/cnxk/roc_ie_on.h               |  26 --
 drivers/common/cnxk/roc_ie_ot.h               |  26 --
 drivers/common/cnxk/version.map               |   3 +
 drivers/crypto/cnxk/cn10k_cryptodev_ops.c     |  44 +--
 drivers/crypto/cnxk/cn10k_ipsec.c             |  64 +---
 drivers/crypto/cnxk/cn10k_ipsec.h             |   6 +-
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h      |  28 +-
 drivers/crypto/cnxk/cnxk_cryptodev.h          |   2 +-
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c |  79 ++++-
 drivers/crypto/cnxk/cnxk_ipsec.h              | 114 ++++++++
 18 files changed, 620 insertions(+), 202 deletions(-)
 create mode 100644 drivers/common/cnxk/roc_hash.c
 create mode 100644 drivers/common/cnxk/roc_hash.h

-- 
2.27.0


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [dpdk-dev] [PATCH v2 1/8] common/cnxk: add hash generation APIs
  2021-09-01 10:19 [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features Tejasree Kondoj
@ 2021-09-01 10:19 ` Tejasree Kondoj
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 2/8] crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support Tejasree Kondoj
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC (permalink / raw)
  To: Akhil Goyal
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
	Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev

Adding functions for hash generation that can be used
in hmac opad/ipad calculation.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 drivers/common/cnxk/meson.build |   1 +
 drivers/common/cnxk/roc_api.h   |   3 +
 drivers/common/cnxk/roc_hash.c  | 275 ++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_hash.h  |  16 ++
 drivers/common/cnxk/version.map |   3 +
 5 files changed, 298 insertions(+)
 create mode 100644 drivers/common/cnxk/roc_hash.c
 create mode 100644 drivers/common/cnxk/roc_hash.h

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index 6a7849f31c..8a551d15d6 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -19,6 +19,7 @@ sources = files(
         'roc_cpt.c',
         'roc_cpt_debug.c',
         'roc_dev.c',
+        'roc_hash.c',
         'roc_idev.c',
         'roc_irq.c',
         'roc_mbox.c',
diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h
index 52cb2f2d79..9c06cfee9a 100644
--- a/drivers/common/cnxk/roc_api.h
+++ b/drivers/common/cnxk/roc_api.h
@@ -125,4 +125,7 @@
 #include "roc_ie_ot.h"
 #include "roc_se.h"
 
+/* HASH computation */
+#include "roc_hash.h"
+
 #endif /* _ROC_API_H_ */
diff --git a/drivers/common/cnxk/roc_hash.c b/drivers/common/cnxk/roc_hash.c
new file mode 100644
index 0000000000..092286e41e
--- /dev/null
+++ b/drivers/common/cnxk/roc_hash.c
@@ -0,0 +1,275 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (c) 2021 Marvell.
+ */
+
+#include "roc_api.h"
+
+#define lrot32(bits, word) (((word) << (bits)) | ((word) >> (32 - (bits))))
+#define rrot32(bits, word) lrot32(32 - (bits), word)
+#define lrot64(bits, word) (((word) << (bits)) | ((word) >> (64 - (bits))))
+#define rrot64(bits, word) lrot64(64 - (bits), word)
+
+/*
+ * Compute a partial hash with the assumption that msg is the first block.
+ * Based on implementation from RFC 3174
+ */
+void
+roc_hash_sha1_gen(uint8_t *msg, uint32_t *hash)
+{
+	const uint32_t _K[] = {/* Round Constants defined in SHA-1   */
+			       0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6};
+
+	const uint32_t _H[] = {/* Initial Hash constants defined in SHA-1 */
+			       0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476,
+			       0xC3D2E1F0};
+	int i;
+	uint32_t temp;		/* Temporary word value */
+	uint32_t W[80];		/* Word sequence */
+	uint32_t A, B, C, D, E; /* Word buffers */
+
+	/* Initialize the first 16 words in the array W */
+	memcpy(&W[0], msg, 16 * sizeof(W[0]));
+
+	for (i = 0; i < 16; i++)
+		W[i] = htobe32(W[i]);
+
+	for (i = 16; i < 80; i++)
+		W[i] = lrot32(1, W[i - 3] ^ W[i - 8] ^ W[i - 14] ^ W[i - 16]);
+
+	A = _H[0];
+	B = _H[1];
+	C = _H[2];
+	D = _H[3];
+	E = _H[4];
+
+	for (i = 0; i < 80; i++) {
+		if (i >= 0 && i <= 19)
+			temp = ((B & C) | ((~B) & D)) + _K[0];
+		else if (i >= 20 && i <= 39)
+			temp = (B ^ C ^ D) + _K[1];
+		else if (i >= 40 && i <= 59)
+			temp = ((B & C) | (B & D) | (C & D)) + _K[2];
+		else if (i >= 60 && i <= 79)
+			temp = (B ^ C ^ D) + _K[3];
+
+		temp = lrot32(5, A) + temp + E + W[i];
+		E = D;
+		D = C;
+		C = lrot32(30, B);
+		B = A;
+		A = temp;
+	}
+
+	A += _H[0];
+	B += _H[1];
+	C += _H[2];
+	D += _H[3];
+	E += _H[4];
+	hash[0] = htobe32(A);
+	hash[1] = htobe32(B);
+	hash[2] = htobe32(C);
+	hash[3] = htobe32(D);
+	hash[4] = htobe32(E);
+}
+
+/*
+ * Compute a partial hash with the assumption that msg is the first block.
+ * Based on implementation from RFC 3174
+ */
+void
+roc_hash_sha256_gen(uint8_t *msg, uint32_t *hash)
+{
+	const uint32_t _K[] = {
+		/* Round Constants defined in SHA-256   */
+		0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b,
+		0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01,
+		0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7,
+		0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
+		0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152,
+		0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
+		0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc,
+		0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+		0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819,
+		0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08,
+		0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f,
+		0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+		0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2};
+
+	const uint32_t _H[] = {/* Initial Hash constants defined in SHA-256 */
+			       0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
+			       0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
+	int i;
+	uint32_t temp[4], S0, S1;	 /* Temporary word value */
+	uint32_t W[64];			 /* Word sequence */
+	uint32_t A, B, C, D, E, F, G, H; /* Word buffers */
+
+	/* Initialize the first 16 words in the array W */
+	memcpy(&W[0], msg, 16 * sizeof(W[0]));
+
+	for (i = 0; i < 16; i++)
+		W[i] = htobe32(W[i]);
+
+	for (i = 16; i < 64; i++) {
+		S0 = rrot32(7, W[i - 15]) ^ rrot32(18, W[i - 15]) ^
+		     (W[i - 15] >> 3);
+		S1 = rrot32(17, W[i - 2]) ^ rrot32(19, W[i - 2]) ^
+		     (W[i - 2] >> 10);
+		W[i] = W[i - 16] + S0 + W[i - 7] + S1;
+	}
+
+	A = _H[0];
+	B = _H[1];
+	C = _H[2];
+	D = _H[3];
+	E = _H[4];
+	F = _H[5];
+	G = _H[6];
+	H = _H[7];
+
+	for (i = 0; i < 64; i++) {
+		S1 = rrot32(6, E) ^ rrot32(11, E) ^ rrot32(25, E);
+		temp[0] = (E & F) ^ ((~E) & G);
+		temp[1] = H + S1 + temp[0] + _K[i] + W[i];
+		S0 = rrot32(2, A) ^ rrot32(13, A) ^ rrot32(22, A);
+		temp[2] = (A & B) ^ (A & C) ^ (B & C);
+		temp[3] = S0 + temp[2];
+
+		H = G;
+		G = F;
+		F = E;
+		E = D + temp[1];
+		D = C;
+		C = B;
+		B = A;
+		A = temp[1] + temp[3];
+	}
+
+	A += _H[0];
+	B += _H[1];
+	C += _H[2];
+	D += _H[3];
+	E += _H[4];
+	F += _H[5];
+	G += _H[6];
+	H += _H[7];
+	hash[0] = htobe32(A);
+	hash[1] = htobe32(B);
+	hash[2] = htobe32(C);
+	hash[3] = htobe32(D);
+	hash[4] = htobe32(E);
+	hash[5] = htobe32(F);
+	hash[6] = htobe32(G);
+	hash[7] = htobe32(H);
+}
+
+/*
+ * Compute a partial hash with the assumption that msg is the first block.
+ * Based on implementation from RFC 3174
+ */
+void
+roc_hash_sha512_gen(uint8_t *msg, uint64_t *hash, int hash_size)
+{
+	const uint64_t _K[] = {
+		/* Round Constants defined in SHA-512   */
+		0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f,
+		0xe9b5dba58189dbbc, 0x3956c25bf348b538, 0x59f111f1b605d019,
+		0x923f82a4af194f9b, 0xab1c5ed5da6d8118, 0xd807aa98a3030242,
+		0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
+		0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235,
+		0xc19bf174cf692694, 0xe49b69c19ef14ad2, 0xefbe4786384f25e3,
+		0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65, 0x2de92c6f592b0275,
+		0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
+		0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f,
+		0xbf597fc7beef0ee4, 0xc6e00bf33da88fc2, 0xd5a79147930aa725,
+		0x06ca6351e003826f, 0x142929670a0e6e70, 0x27b70a8546d22ffc,
+		0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
+		0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6,
+		0x92722c851482353b, 0xa2bfe8a14cf10364, 0xa81a664bbc423001,
+		0xc24b8b70d0f89791, 0xc76c51a30654be30, 0xd192e819d6ef5218,
+		0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8,
+		0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99,
+		0x34b0bcb5e19b48a8, 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb,
+		0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3, 0x748f82ee5defb2fc,
+		0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec,
+		0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915,
+		0xc67178f2e372532b, 0xca273eceea26619c, 0xd186b8c721c0c207,
+		0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178, 0x06f067aa72176fba,
+		0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b,
+		0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc,
+		0x431d67c49c100d4c, 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a,
+		0x5fcb6fab3ad6faec, 0x6c44198c4a475817};
+
+	const uint64_t _H384[] = {/* Initial Hash constants defined in SHA384 */
+				  0xcbbb9d5dc1059ed8, 0x629a292a367cd507,
+				  0x9159015a3070dd17, 0x152fecd8f70e5939,
+				  0x67332667ffc00b31, 0x8eb44a8768581511,
+				  0xdb0c2e0d64f98fa7, 0x47b5481dbefa4fa4};
+	const uint64_t _H512[] = {/* Initial Hash constants defined in SHA512 */
+				  0x6a09e667f3bcc908, 0xbb67ae8584caa73b,
+				  0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1,
+				  0x510e527fade682d1, 0x9b05688c2b3e6c1f,
+				  0x1f83d9abfb41bd6b, 0x5be0cd19137e2179};
+	int i;
+	uint64_t temp[4], S0, S1;	 /* Temporary word value */
+	uint64_t W[80];			 /* Word sequence */
+	uint64_t A, B, C, D, E, F, G, H; /* Word buffers */
+	const uint64_t *_H = (hash_size == 384) ? _H384 : _H512;
+
+	/* Initialize the first 16 words in the array W */
+	memcpy(&W[0], msg, 16 * sizeof(W[0]));
+
+	for (i = 0; i < 16; i++)
+		W[i] = htobe64(W[i]);
+
+	for (i = 16; i < 80; i++) {
+		S0 = rrot64(1, W[i - 15]) ^ rrot64(8, W[i - 15]) ^
+		     (W[i - 15] >> 7);
+		S1 = rrot64(19, W[i - 2]) ^ rrot64(61, W[i - 2]) ^
+		     (W[i - 2] >> 6);
+		W[i] = W[i - 16] + S0 + W[i - 7] + S1;
+	}
+
+	A = _H[0];
+	B = _H[1];
+	C = _H[2];
+	D = _H[3];
+	E = _H[4];
+	F = _H[5];
+	G = _H[6];
+	H = _H[7];
+
+	for (i = 0; i < 80; i++) {
+		S1 = rrot64(14, E) ^ rrot64(18, E) ^ rrot64(41, E);
+		temp[0] = (E & F) ^ ((~E) & G);
+		temp[1] = H + S1 + temp[0] + _K[i] + W[i];
+		S0 = rrot64(28, A) ^ rrot64(34, A) ^ rrot64(39, A);
+		temp[2] = (A & B) ^ (A & C) ^ (B & C);
+		temp[3] = S0 + temp[2];
+
+		H = G;
+		G = F;
+		F = E;
+		E = D + temp[1];
+		D = C;
+		C = B;
+		B = A;
+		A = temp[1] + temp[3];
+	}
+
+	A += _H[0];
+	B += _H[1];
+	C += _H[2];
+	D += _H[3];
+	E += _H[4];
+	F += _H[5];
+	G += _H[6];
+	H += _H[7];
+	hash[0] = htobe64(A);
+	hash[1] = htobe64(B);
+	hash[2] = htobe64(C);
+	hash[3] = htobe64(D);
+	hash[4] = htobe64(E);
+	hash[5] = htobe64(F);
+	hash[6] = htobe64(G);
+	hash[7] = htobe64(H);
+}
diff --git a/drivers/common/cnxk/roc_hash.h b/drivers/common/cnxk/roc_hash.h
new file mode 100644
index 0000000000..1bc9222445
--- /dev/null
+++ b/drivers/common/cnxk/roc_hash.h
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (c) 2021 Marvell.
+ */
+
+#ifndef _ROC_HASH_H_
+#define _ROC_HASH_H_
+
+/*
+ * Compute a partial hash with the assumption that msg is the first block.
+ * Based on implementation from RFC 3174
+ */
+void __roc_api roc_hash_sha1_gen(uint8_t *msg, uint32_t *hash);
+void __roc_api roc_hash_sha256_gen(uint8_t *msg, uint32_t *hash);
+void __roc_api roc_hash_sha512_gen(uint8_t *msg, uint64_t *hash, int hash_size);
+
+#endif /* _ROC_HASH_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 2cbcc4b93a..34a844bfe8 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -64,6 +64,9 @@ INTERNAL {
 	roc_cpt_lmtline_init;
 	roc_cpt_rxc_time_cfg;
 	roc_error_msg_get;
+	roc_hash_sha1_gen;
+	roc_hash_sha256_gen;
+	roc_hash_sha512_gen;
 	roc_idev_cpt_get;
 	roc_idev_cpt_set;
 	roc_idev_lmt_base_addr_get;
-- 
2.27.0


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [dpdk-dev] [PATCH v2 2/8] crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support
  2021-09-01 10:19 [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features Tejasree Kondoj
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 1/8] common/cnxk: add hash generation APIs Tejasree Kondoj
@ 2021-09-01 10:19 ` Tejasree Kondoj
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 3/8] crypto/cnxk: remove redundant code Tejasree Kondoj
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC (permalink / raw)
  To: Akhil Goyal
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
	Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev

Adding lookaside IPsec AES-CBC-HMAC-SHA1 support to cnxk driver.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 doc/guides/cryptodevs/cnxk.rst                |  1 +
 doc/guides/rel_notes/release_21_11.rst        |  4 ++
 drivers/common/cnxk/cnxk_security.c           | 68 ++++++++++++++++++-
 drivers/crypto/cnxk/cn10k_ipsec.c             | 63 ++++++++++++++++-
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 44 ++++++++++++
 5 files changed, 176 insertions(+), 4 deletions(-)

diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 98c7118d68..a40295c087 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -231,6 +231,7 @@ Features supported
 * ESP
 * Tunnel mode
 * AES-128/192/256-GCM
+* AES-128/192/256-CBC-SHA1-HMAC
 
 Limitations
 -----------
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index d707a554ef..130d676a11 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -55,6 +55,10 @@ New Features
      Also, make sure to start the actual text at the margin.
      =======================================================
 
+* **Updated Marvell cn10k_crypto PMD.**
+
+  * Added aes-cbc sha1-hmac in lookaside protocol (IPsec).
+
 
 Removed Items
 -------------
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index 6c6728f570..fe64e70c81 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -6,12 +6,43 @@
 
 #include "cnxk_security.h"
 
+static void
+ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform,
+			 uint8_t *hmac_opad_ipad)
+{
+	const uint8_t *key = auth_xform->auth.key.data;
+	uint32_t length = auth_xform->auth.key.length;
+	uint8_t opad[128] = {[0 ... 127] = 0x5c};
+	uint8_t ipad[128] = {[0 ... 127] = 0x36};
+	uint32_t i;
+
+	/* HMAC OPAD and IPAD */
+	for (i = 0; i < 127 && i < length; i++) {
+		opad[i] = opad[i] ^ key[i];
+		ipad[i] = ipad[i] ^ key[i];
+	}
+
+	/* Precompute hash of HMAC OPAD and IPAD to avoid
+	 * per packet computation
+	 */
+	switch (auth_xform->auth.algo) {
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+		roc_hash_sha1_gen(opad, (uint32_t *)&hmac_opad_ipad[0]);
+		roc_hash_sha1_gen(ipad, (uint32_t *)&hmac_opad_ipad[24]);
+		break;
+	default:
+		break;
+	}
+}
+
 static int
 ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 			      uint8_t *cipher_key, uint8_t *salt_key,
+			      uint8_t *hmac_opad_ipad,
 			      struct rte_security_ipsec_xform *ipsec_xfrm,
 			      struct rte_crypto_sym_xform *crypto_xfrm)
 {
+	struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm;
 	const uint8_t *key;
 	uint32_t *tmp_salt;
 	uint64_t *tmp_key;
@@ -21,9 +52,13 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 	switch (ipsec_xfrm->direction) {
 	case RTE_SECURITY_IPSEC_SA_DIR_INGRESS:
 		w2->s.dir = ROC_IE_OT_SA_DIR_INBOUND;
+		auth_xfrm = crypto_xfrm;
+		cipher_xfrm = crypto_xfrm->next;
 		break;
 	case RTE_SECURITY_IPSEC_SA_DIR_EGRESS:
 		w2->s.dir = ROC_IE_OT_SA_DIR_OUTBOUND;
+		cipher_xfrm = crypto_xfrm;
+		auth_xfrm = crypto_xfrm->next;
 		break;
 	default:
 		return -EINVAL;
@@ -70,7 +105,32 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 			return -ENOTSUP;
 		}
 	} else {
-		return -ENOTSUP;
+		switch (cipher_xfrm->cipher.algo) {
+		case RTE_CRYPTO_CIPHER_AES_CBC:
+			w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC;
+			break;
+		default:
+			return -ENOTSUP;
+		}
+
+		switch (auth_xfrm->auth.algo) {
+		case RTE_CRYPTO_AUTH_SHA1_HMAC:
+			w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA1;
+			break;
+		default:
+			return -ENOTSUP;
+		}
+
+		key = cipher_xfrm->cipher.key.data;
+		length = cipher_xfrm->cipher.key.length;
+
+		ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
+
+		tmp_key = (uint64_t *)hmac_opad_ipad;
+		for (i = 0;
+		     i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t));
+		     i++)
+			tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
 	}
 
 	/* Set encapsulation type */
@@ -129,7 +189,8 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
 
 	w2.u64 = 0;
 	rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->w8.s.salt,
-					   ipsec_xfrm, crypto_xfrm);
+					   sa->hmac_opad_ipad, ipsec_xfrm,
+					   crypto_xfrm);
 	if (rc)
 		return rc;
 
@@ -196,7 +257,8 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
 
 	w2.u64 = 0;
 	rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->iv.s.salt,
-					   ipsec_xfrm, crypto_xfrm);
+					   sa->hmac_opad_ipad, ipsec_xfrm,
+					   crypto_xfrm);
 	if (rc)
 		return rc;
 
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 1d567bf188..408a682b21 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -17,6 +17,37 @@
 
 #include "roc_api.h"
 
+static int
+ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
+{
+	if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		switch (xform->cipher.key.length) {
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return -ENOTSUP;
+		}
+		return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static int
+ipsec_xform_auth_verify(struct rte_crypto_sym_xform *xform)
+{
+	uint16_t keylen = xform->auth.key.length;
+
+	if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+		if (keylen >= 20 && keylen <= 64)
+			return 0;
+	}
+
+	return -ENOTSUP;
+}
+
 static int
 ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
 			struct rte_crypto_sym_xform *crypto_xfrm)
@@ -48,6 +79,9 @@ static int
 cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
 			 struct rte_crypto_sym_xform *crypto_xfrm)
 {
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	int ret;
+
 	if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
 	    (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
 		return -EINVAL;
@@ -67,7 +101,34 @@ cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
 	if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD)
 		return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm);
 
-	return -ENOTSUP;
+	if (crypto_xfrm->next == NULL)
+		return -EINVAL;
+
+	if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		/* Ingress */
+		if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+		    crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+			return -EINVAL;
+		auth_xform = crypto_xfrm;
+		cipher_xform = crypto_xfrm->next;
+	} else {
+		/* Egress */
+		if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+		    crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+			return -EINVAL;
+		cipher_xform = crypto_xfrm;
+		auth_xform = crypto_xfrm->next;
+	}
+
+	ret = ipsec_xform_cipher_verify(cipher_xform);
+	if (ret)
+		return ret;
+
+	ret = ipsec_xform_auth_verify(auth_xform);
+	if (ret)
+		return ret;
+
+	return 0;
 }
 
 static uint64_t
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index ab37f9c43b..47274b2c24 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -754,6 +754,49 @@ static const struct rte_cryptodev_capabilities sec_caps_aes[] = {
 			}, }
 		}, }
 	},
+	{	/* AES CBC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.iv_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+};
+
+static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = {
+	{	/* SHA1 HMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
+				.block_size = 64,
+				.key_size = {
+					.min = 20,
+					.max = 64,
+					.increment = 1
+				},
+				.digest_size = {
+					.min = 12,
+					.max = 12,
+					.increment = 0
+				},
+			}, }
+		}, }
+	},
 };
 
 static const struct rte_security_capability sec_caps_templ[] = {
@@ -839,6 +882,7 @@ sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[],
 	int cur_pos = 0;
 
 	SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, aes);
+	SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, sha1_sha2);
 
 	sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end));
 }
-- 
2.27.0


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [dpdk-dev] [PATCH v2 3/8] crypto/cnxk: remove redundant code
  2021-09-01 10:19 [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features Tejasree Kondoj
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 1/8] common/cnxk: add hash generation APIs Tejasree Kondoj
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 2/8] crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support Tejasree Kondoj
@ 2021-09-01 10:19 ` Tejasree Kondoj
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 4/8] crypto/cnxk: use rlen from CPT result with lookaside Tejasree Kondoj
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC (permalink / raw)
  To: Akhil Goyal
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
	Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev

Removing redundant code in cn10k lookaside IPsec.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 drivers/crypto/cnxk/cn10k_ipsec.c                 | 5 -----
 drivers/crypto/cnxk/cn10k_ipsec.h                 | 2 --
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 2 --
 3 files changed, 9 deletions(-)

diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 408a682b21..944e0a7e3b 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -270,9 +270,6 @@ cn10k_sec_session_create(void *device, struct rte_security_session_conf *conf,
 	if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
 		return -EINVAL;
 
-	if (rte_security_dynfield_register() < 0)
-		return -ENOTSUP;
-
 	if (rte_mempool_get(mempool, (void **)&priv)) {
 		plt_err("Could not allocate security session private data");
 		return -ENOMEM;
@@ -280,8 +277,6 @@ cn10k_sec_session_create(void *device, struct rte_security_session_conf *conf,
 
 	set_sec_session_private_data(sess, priv);
 
-	priv->userdata = conf->userdata;
-
 	if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) {
 		ret = -ENOTSUP;
 		goto mempool_put;
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index 668282f7aa..c30492e149 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -27,8 +27,6 @@ struct cn10k_ipsec_sa {
 
 struct cn10k_sec_session {
 	struct cn10k_ipsec_sa sa;
-	void *userdata;
-	/**< Userdata registered by the application */
 } __rte_cache_aligned;
 
 void cn10k_sec_ops_override(void);
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 47274b2c24..9430ca5d00 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -810,7 +810,6 @@ static const struct rte_security_capability sec_caps_templ[] = {
 			.options = { 0 }
 		},
 		.crypto_capabilities = NULL,
-		.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
 	},
 	{	/* IPsec Lookaside Protocol ESP Tunnel Egress */
 		.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
@@ -822,7 +821,6 @@ static const struct rte_security_capability sec_caps_templ[] = {
 			.options = { 0 }
 		},
 		.crypto_capabilities = NULL,
-		.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
 	},
 	{
 		.action = RTE_SECURITY_ACTION_TYPE_NONE
-- 
2.27.0


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [dpdk-dev] [PATCH v2 4/8] crypto/cnxk: use rlen from CPT result with lookaside
  2021-09-01 10:19 [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features Tejasree Kondoj
                   ` (2 preceding siblings ...)
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 3/8] crypto/cnxk: remove redundant code Tejasree Kondoj
@ 2021-09-01 10:19 ` Tejasree Kondoj
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 5/8] crypto/cnxk: make IPsec verify functions common Tejasree Kondoj
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC (permalink / raw)
  To: Akhil Goyal
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
	Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev

Use rlen from CPT result with lookaside operations

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 40 ++++++-----------------
 drivers/crypto/cnxk/cn10k_ipsec.c         |  4 +--
 drivers/crypto/cnxk/cn10k_ipsec.h         |  4 +--
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h  | 28 ++--------------
 4 files changed, 15 insertions(+), 61 deletions(-)

diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 15f66c2515..780a321cf7 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -48,7 +48,7 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op)
 
 static __rte_always_inline int __rte_hot
 cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
-		  struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst)
+		  struct cpt_inst_s *inst)
 {
 	struct rte_crypto_sym_op *sym_op = op->sym;
 	union roc_ot_ipsec_sa_word2 *w2;
@@ -70,10 +70,8 @@ cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
 
 	if (w2->s.dir == ROC_IE_OT_SA_DIR_OUTBOUND)
 		ret = process_outb_sa(op, sa, inst);
-	else {
-		infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND;
+	else
 		ret = process_inb_sa(op, sa, inst);
-	}
 
 	return ret;
 }
@@ -122,8 +120,7 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[],
 		if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
 			sec_sess = get_sec_session_private_data(
 				sym_op->sec_session);
-			ret = cpt_sec_inst_fill(op, sec_sess, infl_req,
-						&inst[0]);
+			ret = cpt_sec_inst_fill(op, sec_sess, &inst[0]);
 			if (unlikely(ret))
 				return 0;
 			w7 = sec_sess->sa.inst.w7;
@@ -334,30 +331,13 @@ cn10k_cpt_crypto_adapter_enqueue(uintptr_t tag_op, struct rte_crypto_op *op)
 
 static inline void
 cn10k_cpt_sec_post_process(struct rte_crypto_op *cop,
-			   struct cpt_inflight_req *infl_req)
+			   struct cpt_cn10k_res_s *res)
 {
-	struct rte_crypto_sym_op *sym_op = cop->sym;
-	struct rte_mbuf *m = sym_op->m_src;
-	struct rte_ipv6_hdr *ip6;
-	struct rte_ipv4_hdr *ip;
-	uint16_t m_len;
-
-	if (infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND) {
-		ip = (struct rte_ipv4_hdr *)rte_pktmbuf_mtod(m, char *);
-
-		if (((ip->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER) ==
-		    IPVERSION) {
-			m_len = rte_be_to_cpu_16(ip->total_length);
-		} else {
-			PLT_ASSERT(((ip->version_ihl & 0xf0) >>
-				    RTE_IPV4_IHL_MULTIPLIER) == 6);
-			ip6 = (struct rte_ipv6_hdr *)ip;
-			m_len = rte_be_to_cpu_16(ip6->payload_len) +
-				sizeof(struct rte_ipv6_hdr);
-		}
-		m->data_len = m_len;
-		m->pkt_len = m_len;
-	}
+	struct rte_mbuf *m = cop->sym->m_src;
+	const uint16_t m_len = res->rlen;
+
+	m->data_len = m_len;
+	m->pkt_len = m_len;
 }
 
 static inline void
@@ -385,7 +365,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
 		cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
 		if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
 			if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
-				cn10k_cpt_sec_post_process(cop, infl_req);
+				cn10k_cpt_sec_post_process(cop, res);
 				return;
 			}
 
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 944e0a7e3b..98110872a3 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -176,9 +176,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
 	if (ret)
 		return ret;
 
-	sa->partial_len = rlens.partial_len;
-	sa->roundup_byte = rlens.roundup_byte;
-	sa->roundup_len = rlens.roundup_len;
+	sa->max_extended_len = rlens.max_extended_len;
 
 	/* pre-populate CPT INST word 4 */
 	inst_w4.u64 = 0;
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index c30492e149..bc52c60179 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -20,9 +20,7 @@ struct cn10k_ipsec_sa {
 	};
 	/** Pre-populated CPT inst words */
 	struct cnxk_cpt_inst_tmpl inst;
-	uint8_t partial_len;
-	uint8_t roundup_len;
-	uint8_t roundup_byte;
+	uint16_t max_extended_len;
 };
 
 struct cn10k_sec_session {
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index 1e9ebb594a..fe91638c99 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -12,40 +12,21 @@
 #include "cn10k_ipsec.h"
 #include "cnxk_cryptodev.h"
 
-static __rte_always_inline int32_t
-ipsec_po_out_rlen_get(struct cn10k_ipsec_sa *sess, uint32_t plen)
-{
-	uint32_t enc_payload_len;
-
-	enc_payload_len =
-		RTE_ALIGN_CEIL(plen + sess->roundup_len, sess->roundup_byte);
-
-	return sess->partial_len + enc_payload_len;
-}
-
 static __rte_always_inline int
 process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
 		struct cpt_inst_s *inst)
 {
 	struct rte_crypto_sym_op *sym_op = cop->sym;
 	struct rte_mbuf *m_src = sym_op->m_src;
-	uint32_t dlen, rlen, extend_tail;
-	char *mdata;
-
-	dlen = rte_pktmbuf_pkt_len(m_src);
-	rlen = ipsec_po_out_rlen_get(sess, dlen);
 
-	extend_tail = rlen - dlen;
-
-	mdata = rte_pktmbuf_append(m_src, extend_tail);
-	if (unlikely(mdata == NULL)) {
+	if (unlikely(rte_pktmbuf_tailroom(m_src) < sess->max_extended_len)) {
 		plt_dp_err("Not enough tail room");
 		return -ENOMEM;
 	}
 
 	/* Prepare CPT instruction */
 	inst->w4.u64 = sess->inst.w4;
-	inst->w4.s.dlen = dlen;
+	inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src);
 	inst->dptr = rte_pktmbuf_iova(m_src);
 	inst->rptr = inst->dptr;
 
@@ -58,13 +39,10 @@ process_inb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sa,
 {
 	struct rte_crypto_sym_op *sym_op = cop->sym;
 	struct rte_mbuf *m_src = sym_op->m_src;
-	uint32_t dlen;
-
-	dlen = rte_pktmbuf_pkt_len(m_src);
 
 	/* Prepare CPT instruction */
 	inst->w4.u64 = sa->inst.w4;
-	inst->w4.s.dlen = dlen;
+	inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src);
 	inst->dptr = rte_pktmbuf_iova(m_src);
 	inst->rptr = inst->dptr;
 
-- 
2.27.0


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [dpdk-dev] [PATCH v2 5/8] crypto/cnxk: make IPsec verify functions common
  2021-09-01 10:19 [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features Tejasree Kondoj
                   ` (3 preceding siblings ...)
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 4/8] crypto/cnxk: use rlen from CPT result with lookaside Tejasree Kondoj
@ 2021-09-01 10:19 ` Tejasree Kondoj
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 6/8] crypto/cnxk: support cn10k transport mode Tejasree Kondoj
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC (permalink / raw)
  To: Akhil Goyal
  Cc: Archana Muniganti, Anoob Joseph, Ankur Dwivedi, Srujana Challa,
	Nithin Dabilpuram, Jerin Jacob, Tejasree Kondoj, dev

From: Archana Muniganti <marchana@marvell.com>

IPsec verify functions can be made common

Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
 drivers/crypto/cnxk/cn10k_ipsec.c | 116 +-----------------------------
 drivers/crypto/cnxk/cnxk_ipsec.h  | 113 +++++++++++++++++++++++++++++
 2 files changed, 114 insertions(+), 115 deletions(-)

diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 98110872a3..5c57cf2818 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -17,120 +17,6 @@
 
 #include "roc_api.h"
 
-static int
-ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
-{
-	if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
-		switch (xform->cipher.key.length) {
-		case 16:
-		case 24:
-		case 32:
-			break;
-		default:
-			return -ENOTSUP;
-		}
-		return 0;
-	}
-
-	return -ENOTSUP;
-}
-
-static int
-ipsec_xform_auth_verify(struct rte_crypto_sym_xform *xform)
-{
-	uint16_t keylen = xform->auth.key.length;
-
-	if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
-		if (keylen >= 20 && keylen <= 64)
-			return 0;
-	}
-
-	return -ENOTSUP;
-}
-
-static int
-ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
-			struct rte_crypto_sym_xform *crypto_xfrm)
-{
-	if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
-	    crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
-		return -EINVAL;
-
-	if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
-	    crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
-		return -EINVAL;
-
-	if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
-		switch (crypto_xfrm->aead.key.length) {
-		case ROC_CPT_AES128_KEY_LEN:
-		case ROC_CPT_AES192_KEY_LEN:
-		case ROC_CPT_AES256_KEY_LEN:
-			break;
-		default:
-			return -EINVAL;
-		}
-		return 0;
-	}
-
-	return -ENOTSUP;
-}
-
-static int
-cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
-			 struct rte_crypto_sym_xform *crypto_xfrm)
-{
-	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
-	int ret;
-
-	if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
-	    (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
-		return -EINVAL;
-
-	if ((ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
-	    (ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
-		return -EINVAL;
-
-	if ((ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
-	    (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
-		return -EINVAL;
-
-	if ((ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
-	    (ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
-		return -EINVAL;
-
-	if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD)
-		return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm);
-
-	if (crypto_xfrm->next == NULL)
-		return -EINVAL;
-
-	if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
-		/* Ingress */
-		if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
-		    crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
-			return -EINVAL;
-		auth_xform = crypto_xfrm;
-		cipher_xform = crypto_xfrm->next;
-	} else {
-		/* Egress */
-		if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
-		    crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
-			return -EINVAL;
-		cipher_xform = crypto_xfrm;
-		auth_xform = crypto_xfrm->next;
-	}
-
-	ret = ipsec_xform_cipher_verify(cipher_xform);
-	if (ret)
-		return ret;
-
-	ret = ipsec_xform_auth_verify(auth_xform);
-	if (ret)
-		return ret;
-
-	return 0;
-}
-
 static uint64_t
 ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa)
 {
@@ -245,7 +131,7 @@ cn10k_ipsec_session_create(void *dev,
 		return -EPERM;
 	}
 
-	ret = cn10k_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm);
+	ret = cnxk_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm);
 	if (ret)
 		return ret;
 
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index f6897a0e14..d1eb74ebbe 100644
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -17,4 +17,117 @@ struct cnxk_cpt_inst_tmpl {
 	uint64_t w7;
 };
 
+static inline int
+ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *crypto_xform)
+{
+	if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		switch (crypto_xform->cipher.key.length) {
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return -ENOTSUP;
+		}
+		return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
+{
+	uint16_t keylen = crypto_xform->auth.key.length;
+
+	if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+		if (keylen >= 20 && keylen <= 64)
+			return 0;
+	} else if (roc_model_is_cn9k() &&
+		   (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)) {
+		if (keylen >= 32 && keylen <= 64)
+			return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xform,
+			struct rte_crypto_sym_xform *crypto_xform)
+{
+	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+	    crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
+		return -EINVAL;
+
+	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+	    crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
+		return -EINVAL;
+
+	if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+		switch (crypto_xform->aead.key.length) {
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return -EINVAL;
+		}
+		return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+cnxk_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xform,
+			struct rte_crypto_sym_xform *crypto_xform)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	int ret;
+
+	if ((ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+	    (ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
+		return -EINVAL;
+
+	if ((ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
+	    (ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
+		return -EINVAL;
+
+	if ((ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
+	    (ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
+		return -EINVAL;
+
+	if ((ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
+	    (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
+		return -EINVAL;
+
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+		return ipsec_xform_aead_verify(ipsec_xform, crypto_xform);
+
+	if (crypto_xform->next == NULL)
+		return -EINVAL;
+
+	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		/* Ingress */
+		if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+		    crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+			return -EINVAL;
+		auth_xform = crypto_xform;
+		cipher_xform = crypto_xform->next;
+	} else {
+		/* Egress */
+		if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+		    crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+			return -EINVAL;
+		cipher_xform = crypto_xform;
+		auth_xform = crypto_xform->next;
+	}
+
+	ret = ipsec_xform_cipher_verify(cipher_xform);
+	if (ret)
+		return ret;
+
+	return ipsec_xform_auth_verify(auth_xform);
+}
 #endif /* __CNXK_IPSEC_H__ */
-- 
2.27.0


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [dpdk-dev] [PATCH v2 6/8] crypto/cnxk: support cn10k transport mode
  2021-09-01 10:19 [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features Tejasree Kondoj
                   ` (4 preceding siblings ...)
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 5/8] crypto/cnxk: make IPsec verify functions common Tejasree Kondoj
@ 2021-09-01 10:19 ` Tejasree Kondoj
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 7/8] crypto/cnxk: support UDP encap with lookaside IPsec Tejasree Kondoj
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC (permalink / raw)
  To: Akhil Goyal
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
	Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev

Adding support for cn10k lookaside IPsec transport mode.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 doc/guides/cryptodevs/cnxk.rst                |  1 +
 doc/guides/rel_notes/release_21_11.rst        |  1 +
 drivers/crypto/cnxk/cnxk_cryptodev.h          |  2 +-
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 22 +++++++++++++++++++
 drivers/crypto/cnxk/cnxk_ipsec.h              |  3 ++-
 5 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index a40295c087..0dd71135da 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -230,6 +230,7 @@ Features supported
 * IPv4
 * ESP
 * Tunnel mode
+* Transport mode
 * AES-128/192/256-GCM
 * AES-128/192/256-CBC-SHA1-HMAC
 
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 130d676a11..0a024dda8f 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -58,6 +58,7 @@ New Features
 * **Updated Marvell cn10k_crypto PMD.**
 
   * Added aes-cbc sha1-hmac in lookaside protocol (IPsec).
+  * Added transport mode in lookaside protocol (IPsec).
 
 
 Removed Items
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h
index b3856f7eaa..8e051fa0fa 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.h
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.h
@@ -12,7 +12,7 @@
 
 #define CNXK_CPT_MAX_CAPS	 34
 #define CNXK_SEC_CRYPTO_MAX_CAPS 4
-#define CNXK_SEC_MAX_CAPS	 3
+#define CNXK_SEC_MAX_CAPS	 5
 #define CNXK_AE_EC_ID_MAX	 8
 /**
  * Device private data
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 9430ca5d00..05bffa9759 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -822,6 +822,28 @@ static const struct rte_security_capability sec_caps_templ[] = {
 		},
 		.crypto_capabilities = NULL,
 	},
+	{	/* IPsec Lookaside Protocol ESP Transport Ingress */
+		.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+			.options = { 0 },
+		},
+		.crypto_capabilities = NULL,
+	},
+	{	/* IPsec Lookaside Protocol ESP Transport Egress */
+		.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+			.options = { 0 },
+		},
+		.crypto_capabilities = NULL,
+	},
 	{
 		.action = RTE_SECURITY_ACTION_TYPE_NONE
 	}
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index d1eb74ebbe..ff396179ca 100644
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -98,7 +98,8 @@ cnxk_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xform,
 	    (ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
 		return -EINVAL;
 
-	if ((ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
+	if ((ipsec_xform->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) &&
+	    (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
 	    (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
 		return -EINVAL;
 
-- 
2.27.0


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [dpdk-dev] [PATCH v2 7/8] crypto/cnxk: support UDP encap with lookaside IPsec
  2021-09-01 10:19 [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features Tejasree Kondoj
                   ` (5 preceding siblings ...)
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 6/8] crypto/cnxk: support cn10k transport mode Tejasree Kondoj
@ 2021-09-01 10:19 ` Tejasree Kondoj
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 8/8] common/cnxk: make IPsec defines common Tejasree Kondoj
  2021-09-02  9:12 ` [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features Akhil Goyal
  8 siblings, 0 replies; 10+ messages in thread
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC (permalink / raw)
  To: Akhil Goyal
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
	Srujana Challa, Nithin Dabilpuram, Jerin Jacob, dev

Adding support for UDP encapsulation in lookaside IPsec.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 doc/guides/cryptodevs/cnxk.rst                    |  1 +
 doc/guides/rel_notes/release_21_11.rst            |  1 +
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 11 ++++++++++-
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 0dd71135da..1eb72282db 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -231,6 +231,7 @@ Features supported
 * ESP
 * Tunnel mode
 * Transport mode
+* UDP Encapsulation
 * AES-128/192/256-GCM
 * AES-128/192/256-CBC-SHA1-HMAC
 
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 0a024dda8f..70dd1c52f7 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -59,6 +59,7 @@ New Features
 
   * Added aes-cbc sha1-hmac in lookaside protocol (IPsec).
   * Added transport mode in lookaside protocol (IPsec).
+  * Added UDP encapsulation in lookaside protocol (IPsec).
 
 
 Removed Items
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 05bffa9759..c4f7824332 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -907,6 +907,12 @@ sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[],
 	sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end));
 }
 
+static void
+cnxk_sec_caps_update(struct rte_security_capability *sec_cap)
+{
+	sec_cap->ipsec.options.udp_encap = 1;
+}
+
 void
 cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf)
 {
@@ -918,8 +924,11 @@ cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf)
 	PLT_STATIC_ASSERT(RTE_DIM(sec_caps_templ) <= RTE_DIM(vf->sec_caps));
 	memcpy(vf->sec_caps, sec_caps_templ, sizeof(sec_caps_templ));
 
-	for (i = 0; i < RTE_DIM(sec_caps_templ) - 1; i++)
+	for (i = 0; i < RTE_DIM(sec_caps_templ) - 1; i++) {
 		vf->sec_caps[i].crypto_capabilities = vf->sec_crypto_caps;
+
+		cnxk_sec_caps_update(&vf->sec_caps[i]);
+	}
 }
 
 const struct rte_security_capability *
-- 
2.27.0


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [dpdk-dev] [PATCH v2 8/8] common/cnxk: make IPsec defines common
  2021-09-01 10:19 [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features Tejasree Kondoj
                   ` (6 preceding siblings ...)
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 7/8] crypto/cnxk: support UDP encap with lookaside IPsec Tejasree Kondoj
@ 2021-09-01 10:19 ` Tejasree Kondoj
  2021-09-02  9:12 ` [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features Akhil Goyal
  8 siblings, 0 replies; 10+ messages in thread
From: Tejasree Kondoj @ 2021-09-01 10:19 UTC (permalink / raw)
  To: Akhil Goyal
  Cc: Archana Muniganti, Anoob Joseph, Ankur Dwivedi, Srujana Challa,
	Nithin Dabilpuram, Jerin Jacob, Tejasree Kondoj, dev

From: Archana Muniganti <marchana@marvell.com>

Make IPsec defines common and remove redundant macros.

Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
 drivers/common/cnxk/cnxk_security.c       | 24 +++++++++--------
 drivers/common/cnxk/roc_api.h             |  1 +
 drivers/common/cnxk/roc_ie.h              | 33 ++++++++++++++++-------
 drivers/common/cnxk/roc_ie_on.h           | 26 ------------------
 drivers/common/cnxk/roc_ie_ot.h           | 26 ------------------
 drivers/crypto/cnxk/cn10k_cryptodev_ops.c |  4 ++-
 6 files changed, 41 insertions(+), 73 deletions(-)

diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index fe64e70c81..4f7fd1b3a0 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -6,6 +6,8 @@
 
 #include "cnxk_security.h"
 
+#include "roc_api.h"
+
 static void
 ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform,
 			 uint8_t *hmac_opad_ipad)
@@ -51,12 +53,12 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 	/* Set direction */
 	switch (ipsec_xfrm->direction) {
 	case RTE_SECURITY_IPSEC_SA_DIR_INGRESS:
-		w2->s.dir = ROC_IE_OT_SA_DIR_INBOUND;
+		w2->s.dir = ROC_IE_SA_DIR_INBOUND;
 		auth_xfrm = crypto_xfrm;
 		cipher_xfrm = crypto_xfrm->next;
 		break;
 	case RTE_SECURITY_IPSEC_SA_DIR_EGRESS:
-		w2->s.dir = ROC_IE_OT_SA_DIR_OUTBOUND;
+		w2->s.dir = ROC_IE_SA_DIR_OUTBOUND;
 		cipher_xfrm = crypto_xfrm;
 		auth_xfrm = crypto_xfrm->next;
 		break;
@@ -67,10 +69,10 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 	/* Set protocol - ESP vs AH */
 	switch (ipsec_xfrm->proto) {
 	case RTE_SECURITY_IPSEC_SA_PROTO_ESP:
-		w2->s.protocol = ROC_IE_OT_SA_PROTOCOL_ESP;
+		w2->s.protocol = ROC_IE_SA_PROTOCOL_ESP;
 		break;
 	case RTE_SECURITY_IPSEC_SA_PROTO_AH:
-		w2->s.protocol = ROC_IE_OT_SA_PROTOCOL_AH;
+		w2->s.protocol = ROC_IE_SA_PROTOCOL_AH;
 		break;
 	default:
 		return -EINVAL;
@@ -79,10 +81,10 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 	/* Set mode - transport vs tunnel */
 	switch (ipsec_xfrm->mode) {
 	case RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT:
-		w2->s.mode = ROC_IE_OT_SA_MODE_TRANSPORT;
+		w2->s.mode = ROC_IE_SA_MODE_TRANSPORT;
 		break;
 	case RTE_SECURITY_IPSEC_SA_MODE_TUNNEL:
-		w2->s.mode = ROC_IE_OT_SA_MODE_TUNNEL;
+		w2->s.mode = ROC_IE_SA_MODE_TUNNEL;
 		break;
 	default:
 		return -EINVAL;
@@ -147,13 +149,13 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 
 	switch (length) {
 	case ROC_CPT_AES128_KEY_LEN:
-		w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_128;
+		w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;
 		break;
 	case ROC_CPT_AES192_KEY_LEN:
-		w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_192;
+		w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;
 		break;
 	case ROC_CPT_AES256_KEY_LEN:
-		w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_256;
+		w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;
 		break;
 	default:
 		return -EINVAL;
@@ -271,7 +273,7 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
 	/* Tunnel header info */
 	switch (tunnel->type) {
 	case RTE_SECURITY_IPSEC_TUNNEL_IPV4:
-		sa->w2.s.outer_ip_ver = ROC_IE_OT_SA_IP_VERSION_4;
+		sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
 		memcpy(&sa->outer_hdr.ipv4.src_addr, &tunnel->ipv4.src_ip,
 		       sizeof(struct in_addr));
 		memcpy(&sa->outer_hdr.ipv4.dst_addr, &tunnel->ipv4.dst_ip,
@@ -302,7 +304,7 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
 		}
 		break;
 	case RTE_SECURITY_IPSEC_TUNNEL_IPV6:
-		sa->w2.s.outer_ip_ver = ROC_IE_OT_SA_IP_VERSION_6;
+		sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_6;
 		memcpy(&sa->outer_hdr.ipv6.src_addr, &tunnel->ipv6.src_addr,
 		       sizeof(struct in6_addr));
 		memcpy(&sa->outer_hdr.ipv6.dst_addr, &tunnel->ipv6.dst_addr,
diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h
index 9c06cfee9a..7dec8453b4 100644
--- a/drivers/common/cnxk/roc_api.h
+++ b/drivers/common/cnxk/roc_api.h
@@ -121,6 +121,7 @@
 /* CPT microcode */
 #include "roc_ae.h"
 #include "roc_ae_fpm_tables.h"
+#include "roc_ie.h"
 #include "roc_ie_on.h"
 #include "roc_ie_ot.h"
 #include "roc_se.h"
diff --git a/drivers/common/cnxk/roc_ie.h b/drivers/common/cnxk/roc_ie.h
index a330ea1b50..31b83948e1 100644
--- a/drivers/common/cnxk/roc_ie.h
+++ b/drivers/common/cnxk/roc_ie.h
@@ -5,15 +5,30 @@
 #ifndef __ROC_IE_H__
 #define __ROC_IE_H__
 
-/* CNXK IPSEC helper macros */
-#define ROC_IE_AH_HDR_LEN      12
-#define ROC_IE_AES_GCM_IV_LEN  8
-#define ROC_IE_AES_GCM_MAC_LEN 16
-#define ROC_IE_AES_CBC_IV_LEN  16
-#define ROC_IE_SHA1_HMAC_LEN   12
-#define ROC_IE_AUTH_KEY_LEN_MAX 64
+enum {
+	ROC_IE_SA_DIR_INBOUND = 0,
+	ROC_IE_SA_DIR_OUTBOUND = 1,
+};
 
-#define ROC_IE_AES_GCM_ROUNDUP_BYTE_LEN 4
-#define ROC_IE_AES_CBC_ROUNDUP_BYTE_LEN 16
+enum {
+	ROC_IE_SA_IP_VERSION_4 = 0,
+	ROC_IE_SA_IP_VERSION_6 = 1,
+};
+
+enum {
+	ROC_IE_SA_MODE_TRANSPORT = 0,
+	ROC_IE_SA_MODE_TUNNEL = 1,
+};
+
+enum {
+	ROC_IE_SA_PROTOCOL_AH = 0,
+	ROC_IE_SA_PROTOCOL_ESP = 1,
+};
+
+enum {
+	ROC_IE_SA_AES_KEY_LEN_128 = 1,
+	ROC_IE_SA_AES_KEY_LEN_192 = 2,
+	ROC_IE_SA_AES_KEY_LEN_256 = 3,
+};
 
 #endif /* __ROC_IE_H__ */
diff --git a/drivers/common/cnxk/roc_ie_on.h b/drivers/common/cnxk/roc_ie_on.h
index 508654a9d8..222c298a53 100644
--- a/drivers/common/cnxk/roc_ie_on.h
+++ b/drivers/common/cnxk/roc_ie_on.h
@@ -18,32 +18,6 @@
 /* Ucode completion codes */
 #define ROC_IE_ONF_UCC_SUCCESS 0
 
-enum {
-	ROC_IE_ON_SA_DIR_INBOUND = 0,
-	ROC_IE_ON_SA_DIR_OUTBOUND = 1,
-};
-
-enum {
-	ROC_IE_ON_SA_IP_VERSION_4 = 0,
-	ROC_IE_ON_SA_IP_VERSION_6 = 1,
-};
-
-enum {
-	ROC_IE_ON_SA_MODE_TRANSPORT = 0,
-	ROC_IE_ON_SA_MODE_TUNNEL = 1,
-};
-
-enum {
-	ROC_IE_ON_SA_PROTOCOL_AH = 0,
-	ROC_IE_ON_SA_PROTOCOL_ESP = 1,
-};
-
-enum {
-	ROC_IE_ON_SA_AES_KEY_LEN_128 = 1,
-	ROC_IE_ON_SA_AES_KEY_LEN_192 = 2,
-	ROC_IE_ON_SA_AES_KEY_LEN_256 = 3,
-};
-
 enum {
 	ROC_IE_ON_SA_ENC_NULL = 0,
 	ROC_IE_ON_SA_ENC_DES_CBC = 1,
diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h
index aeb4be2971..3987a082a2 100644
--- a/drivers/common/cnxk/roc_ie_ot.h
+++ b/drivers/common/cnxk/roc_ie_ot.h
@@ -97,32 +97,6 @@ enum {
 	ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE = 1,
 };
 
-enum {
-	ROC_IE_OT_SA_DIR_INBOUND = 0,
-	ROC_IE_OT_SA_DIR_OUTBOUND = 1,
-};
-
-enum {
-	ROC_IE_OT_SA_IP_VERSION_4 = 0,
-	ROC_IE_OT_SA_IP_VERSION_6 = 1,
-};
-
-enum {
-	ROC_IE_OT_SA_MODE_TRANSPORT = 0,
-	ROC_IE_OT_SA_MODE_TUNNEL = 1,
-};
-
-enum {
-	ROC_IE_OT_SA_PROTOCOL_AH = 0,
-	ROC_IE_OT_SA_PROTOCOL_ESP = 1,
-};
-
-enum {
-	ROC_IE_OT_SA_AES_KEY_LEN_128 = 1,
-	ROC_IE_OT_SA_AES_KEY_LEN_192 = 2,
-	ROC_IE_OT_SA_AES_KEY_LEN_256 = 3,
-};
-
 enum {
 	ROC_IE_OT_SA_ENC_NULL = 0,
 	ROC_IE_OT_SA_ENC_3DES_CBC = 2,
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 780a321cf7..28055aceed 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -16,6 +16,8 @@
 #include "cnxk_cryptodev_ops.h"
 #include "cnxk_se.h"
 
+#include "roc_api.h"
+
 static inline struct cnxk_se_sess *
 cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op)
 {
@@ -68,7 +70,7 @@ cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
 	sa = &sess->sa;
 	w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2;
 
-	if (w2->s.dir == ROC_IE_OT_SA_DIR_OUTBOUND)
+	if (w2->s.dir == ROC_IE_SA_DIR_OUTBOUND)
 		ret = process_outb_sa(op, sa, inst);
 	else
 		ret = process_inb_sa(op, sa, inst);
-- 
2.27.0


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* Re: [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features
  2021-09-01 10:19 [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features Tejasree Kondoj
                   ` (7 preceding siblings ...)
  2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 8/8] common/cnxk: make IPsec defines common Tejasree Kondoj
@ 2021-09-02  9:12 ` Akhil Goyal
  8 siblings, 0 replies; 10+ messages in thread
From: Akhil Goyal @ 2021-09-02  9:12 UTC (permalink / raw)
  To: Tejasree Kondoj
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti,
	Srujana Challa, Nithin Kumar Dabilpuram,
	Jerin Jacob Kollanukkaran, dev

> This series adds cn10k lookaside IPsec AES-CBC-HMAC-SHA1, UDP
> encapsulation
> and transport mode support along with common cnxk pmd changes.
> The functionality has been tested with ipsec-secgw application running in
> lookaside protocol offload mode.
> 
> v2:
> * Fixed release notes
> 
> Archana Muniganti (2):
>   crypto/cnxk: make IPsec verify functions common
>   common/cnxk: make IPsec defines common
> 
> Tejasree Kondoj (6):
>   common/cnxk: add hash generation APIs
>   crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support
>   crypto/cnxk: remove redundant code
>   crypto/cnxk: use rlen from CPT result with lookaside
>   crypto/cnxk: support cn10k transport mode
>   crypto/cnxk: support UDP encap with lookaside IPsec
> 
>  doc/guides/cryptodevs/cnxk.rst                |   3 +
>  doc/guides/rel_notes/release_21_11.rst        |   6 +
>  drivers/common/cnxk/cnxk_security.c           |  92 +++++-
>  drivers/common/cnxk/meson.build               |   1 +
>  drivers/common/cnxk/roc_api.h                 |   4 +
>  drivers/common/cnxk/roc_hash.c                | 275 ++++++++++++++++++
>  drivers/common/cnxk/roc_hash.h                |  16 +
>  drivers/common/cnxk/roc_ie.h                  |  33 ++-
>  drivers/common/cnxk/roc_ie_on.h               |  26 --
>  drivers/common/cnxk/roc_ie_ot.h               |  26 --
>  drivers/common/cnxk/version.map               |   3 +
>  drivers/crypto/cnxk/cn10k_cryptodev_ops.c     |  44 +--
>  drivers/crypto/cnxk/cn10k_ipsec.c             |  64 +---
>  drivers/crypto/cnxk/cn10k_ipsec.h             |   6 +-
>  drivers/crypto/cnxk/cn10k_ipsec_la_ops.h      |  28 +-
>  drivers/crypto/cnxk/cnxk_cryptodev.h          |   2 +-
>  .../crypto/cnxk/cnxk_cryptodev_capabilities.c |  79 ++++-
>  drivers/crypto/cnxk/cnxk_ipsec.h              | 114 ++++++++
>  18 files changed, 620 insertions(+), 202 deletions(-)
>  create mode 100644 drivers/common/cnxk/roc_hash.c
>  create mode 100644 drivers/common/cnxk/roc_hash.h
> 
Series Acked-by: Akhil Goyal <gakhil@marvell.com>

Applied to dpdk-next-crypto

Thanks.

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2021-09-02  9:12 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-01 10:19 [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features Tejasree Kondoj
2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 1/8] common/cnxk: add hash generation APIs Tejasree Kondoj
2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 2/8] crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support Tejasree Kondoj
2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 3/8] crypto/cnxk: remove redundant code Tejasree Kondoj
2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 4/8] crypto/cnxk: use rlen from CPT result with lookaside Tejasree Kondoj
2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 5/8] crypto/cnxk: make IPsec verify functions common Tejasree Kondoj
2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 6/8] crypto/cnxk: support cn10k transport mode Tejasree Kondoj
2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 7/8] crypto/cnxk: support UDP encap with lookaside IPsec Tejasree Kondoj
2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 8/8] common/cnxk: make IPsec defines common Tejasree Kondoj
2021-09-02  9:12 ` [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features Akhil Goyal

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.