[dpdk-dev] [PATCH 2/3] common/cnxk: add support for tunnel header verification

[Tejasree Kondoj <ktejasree@marvell.com>]

Adding support to verify tunnel header in IPsec inbound.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 drivers/common/cnxk/cnxk_security.c           | 60 +++++++++++++++++++
 drivers/common/cnxk/roc_ie_ot.h               |  6 +-
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c |  4 ++
 3 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index 215d9fd4d1..cc5daf333c 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -199,6 +199,62 @@ ot_ipsec_inb_ctx_size(struct roc_ot_ipsec_inb_sa *sa)
 	return size;
 }
 
+static int
+ot_ipsec_inb_tunnel_hdr_fill(struct roc_ot_ipsec_inb_sa *sa,
+			     struct rte_security_ipsec_xform *ipsec_xfrm)
+{
+	struct rte_security_ipsec_tunnel_param *tunnel;
+
+	if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+		return 0;
+
+	if (ipsec_xfrm->options.tunnel_hdr_verify == 0)
+		return 0;
+
+	tunnel = &ipsec_xfrm->tunnel;
+
+	switch (tunnel->type) {
+	case RTE_SECURITY_IPSEC_TUNNEL_IPV4:
+		sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
+		memcpy(&sa->outer_hdr.ipv4.src_addr, &tunnel->ipv4.src_ip,
+		       sizeof(struct in_addr));
+		memcpy(&sa->outer_hdr.ipv4.dst_addr, &tunnel->ipv4.dst_ip,
+		       sizeof(struct in_addr));
+
+		/* IP Source and Dest are in LE/CPU endian */
+		sa->outer_hdr.ipv4.src_addr =
+			rte_be_to_cpu_32(sa->outer_hdr.ipv4.src_addr);
+		sa->outer_hdr.ipv4.dst_addr =
+			rte_be_to_cpu_32(sa->outer_hdr.ipv4.dst_addr);
+
+		break;
+	case RTE_SECURITY_IPSEC_TUNNEL_IPV6:
+		sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_6;
+		memcpy(&sa->outer_hdr.ipv6.src_addr, &tunnel->ipv6.src_addr,
+		       sizeof(struct in6_addr));
+		memcpy(&sa->outer_hdr.ipv6.dst_addr, &tunnel->ipv6.dst_addr,
+		       sizeof(struct in6_addr));
+
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	switch (ipsec_xfrm->options.tunnel_hdr_verify) {
+	case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR:
+		sa->w2.s.ip_hdr_verify = ROC_IE_OT_SA_IP_HDR_VERIFY_DST_ADDR;
+		break;
+	case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR:
+		sa->w2.s.ip_hdr_verify =
+			ROC_IE_OT_SA_IP_HDR_VERIFY_SRC_DST_ADDR;
+		break;
+	default:
+		return -ENOTSUP;
+	}
+
+	return 0;
+}
+
 int
 cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
 			  struct rte_security_ipsec_xform *ipsec_xfrm,
@@ -229,6 +285,10 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
 		sa->w0.s.ar_win = rte_log2_u32(replay_win_sz) - 5;
 	}
 
+	rc = ot_ipsec_inb_tunnel_hdr_fill(sa, ipsec_xfrm);
+	if (rc)
+		return rc;
+
 	/* Default options for pkt_out and pkt_fmt are with
 	 * second pass meta and no defrag.
 	 */
diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h
index 1ff468841d..12c75afac2 100644
--- a/drivers/common/cnxk/roc_ie_ot.h
+++ b/drivers/common/cnxk/roc_ie_ot.h
@@ -180,7 +180,11 @@ union roc_ot_ipsec_sa_word2 {
 		uint64_t auth_type : 4;
 
 		uint64_t encap_type : 2;
-		uint64_t rsvd1 : 6;
+		uint64_t et_ovrwr_ddr_en : 1;
+		uint64_t esn_en : 1;
+		uint64_t tport_l4_incr_csum : 1;
+		uint64_t ip_hdr_verify : 2;
+		uint64_t rsvd5 : 1;
 
 		uint64_t rsvd2 : 7;
 		uint64_t async_mode : 1;
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 4b97639e56..8a0cf289fd 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -920,6 +920,10 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
 #ifdef LA_IPSEC_DEBUG
 		sec_cap->ipsec.options.iv_gen_disable = 1;
 #endif
+	} else {
+		if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+			sec_cap->ipsec.options.tunnel_hdr_verify =
+				RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
 	}
 }
 
-- 
2.27.0