Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/113083/?format=api
{ "id": 113083, "url": "http://patchwork.dpdk.org/api/patches/113083/?format=api", "web_url": "http://patchwork.dpdk.org/project/dpdk/patch/20220620071807.951128-2-ktejasree@marvell.com/", "project": { "id": 1, "url": "http://patchwork.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20220620071807.951128-2-ktejasree@marvell.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20220620071807.951128-2-ktejasree@marvell.com", "date": "2022-06-20T07:18:05", "name": "[1/3] crypto/cnxk: move IPsec SA creation to common", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": true, "hash": "d5cb61ced0403148c8cff9eb169a06a29d29c551", "submitter": { "id": 1789, "url": "http://patchwork.dpdk.org/api/people/1789/?format=api", "name": "Tejasree Kondoj", "email": "ktejasree@marvell.com" }, "delegate": { "id": 6690, "url": "http://patchwork.dpdk.org/api/users/6690/?format=api", "username": "akhil", "first_name": "akhil", "last_name": "goyal", "email": "gakhil@marvell.com" }, "mbox": "http://patchwork.dpdk.org/project/dpdk/patch/20220620071807.951128-2-ktejasree@marvell.com/mbox/", "series": [ { "id": 23627, "url": "http://patchwork.dpdk.org/api/series/23627/?format=api", "web_url": "http://patchwork.dpdk.org/project/dpdk/list/?series=23627", "date": "2022-06-20T07:18:04", "name": "support new full context firmware", "version": 1, "mbox": "http://patchwork.dpdk.org/series/23627/mbox/" } ], "comments": "http://patchwork.dpdk.org/api/patches/113083/comments/", "check": "success", "checks": "http://patchwork.dpdk.org/api/patches/113083/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@inbox.dpdk.org", "Delivered-To": "patchwork@inbox.dpdk.org", "Received": [ "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id 0999CA0545;\n\tMon, 20 Jun 2022 09:18:25 +0200 (CEST)", "from [217.70.189.124] (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id E3EE9427EB;\n\tMon, 20 Jun 2022 09:18:24 +0200 (CEST)", "from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com\n [67.231.148.174])\n by mails.dpdk.org (Postfix) with ESMTP id 5AE2340150\n for <dev@dpdk.org>; Mon, 20 Jun 2022 09:18:22 +0200 (CEST)", "from pps.filterd (m0045849.ppops.net [127.0.0.1])\n by mx0a-0016f401.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id\n 25JNE48W011897\n for <dev@dpdk.org>; Mon, 20 Jun 2022 00:18:21 -0700", "from dc5-exch01.marvell.com ([199.233.59.181])\n by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3gsc2p5u2n-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT)\n for <dev@dpdk.org>; Mon, 20 Jun 2022 00:18:18 -0700", "from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH01.marvell.com\n (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.2;\n Mon, 20 Jun 2022 00:18:15 -0700", "from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com\n (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend\n Transport; Mon, 20 Jun 2022 00:18:15 -0700", "from hyd1554.marvell.com (unknown [10.29.57.11])\n by maili.marvell.com (Postfix) with ESMTP id 0026B5B6957;\n Mon, 20 Jun 2022 00:18:11 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com;\n h=from : to : cc :\n subject : date : message-id : in-reply-to : references : mime-version :\n content-transfer-encoding : content-type; s=pfpt0220;\n bh=9XcsW0wBSLsqzdSjU7xBzj/6QZap0qGpGMoVF2sgVvs=;\n b=C5GpKF/38Q1yvW8I3HjWN2Al2jyOqwtKTDkegzj0gVdrWiXfLPTaZMHVMSEeKBSutZ7q\n msbnXNVp2trDqEaXnPKdnC86ztbLzdt1T0HLXFBoE4z5pBQEXm8j7cVDS+tNvG2ZwqYn\n Ub/C8slVrULDQrKmVNkwv5QrjaIvLaRPEV0Ta0FT1XBS5aA/wXfSO+sJLWGeUw8smkiV\n nzRYP6bJZcJo3PvWDN7XTKxe6Ko7kpia9ie36EPFwRYPMnAaZOJIAcsl3LVqa6DJ9vP1\n Zihbg021rB/Lar5zCiC+0AeHxp2bjCPOoffkKp/WNlGpV9kDDnvr70DbcT612BwzuQYR dg==", "From": "Tejasree Kondoj <ktejasree@marvell.com>", "To": "Akhil Goyal <gakhil@marvell.com>", "CC": "Vidya Sagar Velumuri <vvelumuri@marvell.com>, Jerin Jacob\n <jerinj@marvell.com>, Anoob Joseph <anoobj@marvell.com>, Nithin Dabilpuram\n <ndabilpuram@marvell.com>, Archana Muniganti <marchana@marvell.com>, \"Ankur\n Dwivedi\" <adwivedi@marvell.com>, Kiran Kumar K <kirankumark@marvell.com>,\n Sunil Kumar Kori <skori@marvell.com>,\n Satha Rao <skoteshwar@marvell.com>, <dev@dpdk.org>", "Subject": "[PATCH 1/3] crypto/cnxk: move IPsec SA creation to common", "Date": "Mon, 20 Jun 2022 12:48:05 +0530", "Message-ID": "<20220620071807.951128-2-ktejasree@marvell.com>", "X-Mailer": "git-send-email 2.25.1", "In-Reply-To": "<20220620071807.951128-1-ktejasree@marvell.com>", "References": "<20220620071807.951128-1-ktejasree@marvell.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Content-Type": "text/plain", "X-Proofpoint-ORIG-GUID": "CTkhrIgzYPGvUDiz4suEoTlE2M_V4Lss", "X-Proofpoint-GUID": "CTkhrIgzYPGvUDiz4suEoTlE2M_V4Lss", "X-Proofpoint-Virus-Version": "vendor=baseguard\n engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.64.514\n definitions=2022-06-20_05,2022-06-17_01,2022-02-23_01", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org" }, "content": "From: Vidya Sagar Velumuri <vvelumuri@marvell.com>\n\nMove the IPsec SA creation to common.\nThe code can be used by fastpath also to create the SAs\nAdd changes to support new full context microcode\n\nSigned-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>\nSigned-off-by: Archana Muniganti <marchana@marvell.com>\n---\n drivers/common/cnxk/cnxk_security.c | 398 +++++++++++++++\n drivers/common/cnxk/cnxk_security.h | 11 +\n drivers/common/cnxk/roc_cpt.c | 93 ++++\n drivers/common/cnxk/roc_cpt.h | 3 +\n drivers/common/cnxk/roc_ie_on.h | 21 +-\n drivers/common/cnxk/version.map | 3 +\n drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 24 +\n drivers/crypto/cnxk/cn9k_ipsec.c | 594 +++--------------------\n drivers/crypto/cnxk/cn9k_ipsec_la_ops.h | 16 +-\n drivers/crypto/cnxk/cnxk_cryptodev_ops.h | 1 +\n 10 files changed, 631 insertions(+), 533 deletions(-)", "diff": "diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c\nindex 72ee5ee91f..dca8742be3 100644\n--- a/drivers/common/cnxk/cnxk_security.c\n+++ b/drivers/common/cnxk/cnxk_security.c\n@@ -971,3 +971,401 @@ cnxk_ipsec_outb_rlens_get(struct cnxk_ipsec_outb_rlens *rlens,\n \trlens->max_extended_len = partial_len + roundup_len + roundup_byte;\n \treturn 0;\n }\n+\n+static inline int\n+on_ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,\n+\t\t struct rte_crypto_sym_xform *crypto_xform,\n+\t\t struct roc_ie_on_sa_ctl *ctl)\n+{\n+\tstruct rte_crypto_sym_xform *cipher_xform, *auth_xform;\n+\tint aes_key_len = 0;\n+\n+\tif (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {\n+\t\tauth_xform = crypto_xform;\n+\t\tcipher_xform = crypto_xform->next;\n+\t} else {\n+\t\tcipher_xform = crypto_xform;\n+\t\tauth_xform = crypto_xform->next;\n+\t}\n+\n+\tif (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)\n+\t\tctl->direction = ROC_IE_SA_DIR_OUTBOUND;\n+\telse\n+\t\tctl->direction = ROC_IE_SA_DIR_INBOUND;\n+\n+\tif (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {\n+\t\tif (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)\n+\t\t\tctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4;\n+\t\telse if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)\n+\t\t\tctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_6;\n+\t\telse\n+\t\t\treturn -EINVAL;\n+\t}\n+\n+\tif (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) {\n+\t\tctl->ipsec_mode = ROC_IE_SA_MODE_TRANSPORT;\n+\t\tctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4;\n+\t} else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)\n+\t\tctl->ipsec_mode = ROC_IE_SA_MODE_TUNNEL;\n+\telse\n+\t\treturn -EINVAL;\n+\n+\tif (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)\n+\t\tctl->ipsec_proto = ROC_IE_SA_PROTOCOL_AH;\n+\telse if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)\n+\t\tctl->ipsec_proto = ROC_IE_SA_PROTOCOL_ESP;\n+\telse\n+\t\treturn -EINVAL;\n+\n+\tif (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {\n+\t\tswitch (crypto_xform->aead.algo) {\n+\t\tcase RTE_CRYPTO_AEAD_AES_GCM:\n+\t\t\tctl->enc_type = ROC_IE_ON_SA_ENC_AES_GCM;\n+\t\t\taes_key_len = crypto_xform->aead.key.length;\n+\t\t\tbreak;\n+\t\tdefault:\n+\t\t\tplt_err(\"Unsupported AEAD algorithm\");\n+\t\t\treturn -ENOTSUP;\n+\t\t}\n+\t} else {\n+\t\tif (cipher_xform != NULL) {\n+\t\t\tswitch (cipher_xform->cipher.algo) {\n+\t\t\tcase RTE_CRYPTO_CIPHER_NULL:\n+\t\t\t\tctl->enc_type = ROC_IE_ON_SA_ENC_NULL;\n+\t\t\t\tbreak;\n+\t\t\tcase RTE_CRYPTO_CIPHER_AES_CBC:\n+\t\t\t\tctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC;\n+\t\t\t\taes_key_len = cipher_xform->cipher.key.length;\n+\t\t\t\tbreak;\n+\t\t\tcase RTE_CRYPTO_CIPHER_AES_CTR:\n+\t\t\t\tctl->enc_type = ROC_IE_ON_SA_ENC_AES_CTR;\n+\t\t\t\taes_key_len = cipher_xform->cipher.key.length;\n+\t\t\t\tbreak;\n+\t\t\tdefault:\n+\t\t\t\tplt_err(\"Unsupported cipher algorithm\");\n+\t\t\t\treturn -ENOTSUP;\n+\t\t\t}\n+\t\t}\n+\n+\t\tswitch (auth_xform->auth.algo) {\n+\t\tcase RTE_CRYPTO_AUTH_NULL:\n+\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_NULL;\n+\t\t\tbreak;\n+\t\tcase RTE_CRYPTO_AUTH_MD5_HMAC:\n+\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_MD5;\n+\t\t\tbreak;\n+\t\tcase RTE_CRYPTO_AUTH_SHA1_HMAC:\n+\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_SHA1;\n+\t\t\tbreak;\n+\t\tcase RTE_CRYPTO_AUTH_SHA224_HMAC:\n+\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_224;\n+\t\t\tbreak;\n+\t\tcase RTE_CRYPTO_AUTH_SHA256_HMAC:\n+\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_256;\n+\t\t\tbreak;\n+\t\tcase RTE_CRYPTO_AUTH_SHA384_HMAC:\n+\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_384;\n+\t\t\tbreak;\n+\t\tcase RTE_CRYPTO_AUTH_SHA512_HMAC:\n+\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_512;\n+\t\t\tbreak;\n+\t\tcase RTE_CRYPTO_AUTH_AES_GMAC:\n+\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_AES_GMAC;\n+\t\t\taes_key_len = auth_xform->auth.key.length;\n+\t\t\tbreak;\n+\t\tcase RTE_CRYPTO_AUTH_AES_XCBC_MAC:\n+\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_AES_XCBC_128;\n+\t\t\tbreak;\n+\t\tdefault:\n+\t\t\tplt_err(\"Unsupported auth algorithm\");\n+\t\t\treturn -ENOTSUP;\n+\t\t}\n+\t}\n+\n+\t/* Set AES key length */\n+\tif (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CBC ||\n+\t ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CCM ||\n+\t ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CTR ||\n+\t ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM ||\n+\t ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) {\n+\t\tswitch (aes_key_len) {\n+\t\tcase 16:\n+\t\t\tctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;\n+\t\t\tbreak;\n+\t\tcase 24:\n+\t\t\tctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;\n+\t\t\tbreak;\n+\t\tcase 32:\n+\t\t\tctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;\n+\t\t\tbreak;\n+\t\tdefault:\n+\t\t\tplt_err(\"Invalid AES key length\");\n+\t\t\treturn -EINVAL;\n+\t\t}\n+\t}\n+\n+\tif (ipsec->options.esn)\n+\t\tctl->esn_en = 1;\n+\n+\tif (ipsec->options.udp_encap == 1)\n+\t\tctl->encap_type = ROC_IE_ON_SA_ENCAP_UDP;\n+\n+\tctl->copy_df = ipsec->options.copy_df;\n+\n+\tctl->spi = rte_cpu_to_be_32(ipsec->spi);\n+\n+\trte_io_wmb();\n+\n+\tctl->valid = 1;\n+\n+\treturn 0;\n+}\n+\n+static inline int\n+on_fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,\n+\t\t\tstruct rte_crypto_sym_xform *crypto_xform,\n+\t\t\tstruct roc_ie_on_common_sa *common_sa)\n+{\n+\tstruct rte_crypto_sym_xform *cipher_xform, *auth_xform;\n+\tconst uint8_t *cipher_key;\n+\tint cipher_key_len = 0;\n+\tint ret;\n+\n+\tret = on_ipsec_sa_ctl_set(ipsec, crypto_xform, &common_sa->ctl);\n+\tif (ret)\n+\t\treturn ret;\n+\n+\tif (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {\n+\t\tauth_xform = crypto_xform;\n+\t\tcipher_xform = crypto_xform->next;\n+\t} else {\n+\t\tcipher_xform = crypto_xform;\n+\t\tauth_xform = crypto_xform->next;\n+\t}\n+\n+\tif (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {\n+\t\tif (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)\n+\t\t\tmemcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4);\n+\t\tcipher_key = crypto_xform->aead.key.data;\n+\t\tcipher_key_len = crypto_xform->aead.key.length;\n+\t} else {\n+\t\tif (cipher_xform) {\n+\t\t\tcipher_key = cipher_xform->cipher.key.data;\n+\t\t\tcipher_key_len = cipher_xform->cipher.key.length;\n+\t\t}\n+\n+\t\tif (auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {\n+\t\t\tmemcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4);\n+\t\t\tcipher_key = auth_xform->auth.key.data;\n+\t\t\tcipher_key_len = auth_xform->auth.key.length;\n+\t\t}\n+\t}\n+\n+\tif (cipher_key_len != 0)\n+\t\tmemcpy(common_sa->cipher_key, cipher_key, cipher_key_len);\n+\n+\treturn 0;\n+}\n+\n+int\n+cnxk_on_ipsec_outb_sa_create(struct rte_security_ipsec_xform *ipsec,\n+\t\t\t struct rte_crypto_sym_xform *crypto_xform,\n+\t\t\t struct roc_ie_on_outb_sa *out_sa)\n+{\n+\tstruct roc_ie_on_ip_template *template = NULL;\n+\tstruct rte_crypto_sym_xform *auth_xform;\n+\tstruct roc_ie_on_sa_ctl *ctl;\n+\tstruct rte_ipv6_hdr *ip6;\n+\tstruct rte_ipv4_hdr *ip4;\n+\tconst uint8_t *auth_key;\n+\tint auth_key_len = 0;\n+\tsize_t ctx_len;\n+\tint ret;\n+\n+\tctl = &out_sa->common_sa.ctl;\n+\n+\tif (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH)\n+\t\tauth_xform = crypto_xform;\n+\telse\n+\t\tauth_xform = crypto_xform->next;\n+\n+\tret = on_fill_ipsec_common_sa(ipsec, crypto_xform, &out_sa->common_sa);\n+\tif (ret)\n+\t\treturn ret;\n+\n+\tif (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM ||\n+\t ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL ||\n+\t ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) {\n+\t\ttemplate = &out_sa->aes_gcm.template;\n+\t\tctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template);\n+\t} else {\n+\t\tswitch (ctl->auth_type) {\n+\t\tcase ROC_IE_ON_SA_AUTH_SHA1:\n+\t\t\ttemplate = &out_sa->sha1.template;\n+\t\t\tctx_len = offsetof(struct roc_ie_on_outb_sa,\n+\t\t\t\t\t sha1.template);\n+\t\t\tbreak;\n+\t\tcase ROC_IE_ON_SA_AUTH_SHA2_256:\n+\t\tcase ROC_IE_ON_SA_AUTH_SHA2_384:\n+\t\tcase ROC_IE_ON_SA_AUTH_SHA2_512:\n+\t\t\ttemplate = &out_sa->sha2.template;\n+\t\t\tctx_len = offsetof(struct roc_ie_on_outb_sa,\n+\t\t\t\t\t sha2.template);\n+\t\t\tbreak;\n+\t\tcase ROC_IE_ON_SA_AUTH_AES_XCBC_128:\n+\t\t\ttemplate = &out_sa->aes_xcbc.template;\n+\t\t\tctx_len = offsetof(struct roc_ie_on_outb_sa,\n+\t\t\t\t\t aes_xcbc.template);\n+\t\t\tbreak;\n+\t\tdefault:\n+\t\t\tplt_err(\"Unsupported auth algorithm\");\n+\t\t\treturn -EINVAL;\n+\t\t}\n+\t}\n+\n+\tip4 = (struct rte_ipv4_hdr *)&template->ip4.ipv4_hdr;\n+\tif (ipsec->options.udp_encap) {\n+\t\tip4->next_proto_id = IPPROTO_UDP;\n+\t\ttemplate->ip4.udp_src = rte_be_to_cpu_16(4500);\n+\t\ttemplate->ip4.udp_dst = rte_be_to_cpu_16(4500);\n+\t} else {\n+\t\tif (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)\n+\t\t\tip4->next_proto_id = IPPROTO_AH;\n+\t\telse\n+\t\t\tip4->next_proto_id = IPPROTO_ESP;\n+\t}\n+\n+\tif (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {\n+\t\tif (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {\n+\t\t\tuint16_t frag_off = 0;\n+\n+\t\t\tctx_len += sizeof(template->ip4);\n+\n+\t\t\tip4->version_ihl = RTE_IPV4_VHL_DEF;\n+\t\t\tip4->time_to_live = ipsec->tunnel.ipv4.ttl;\n+\t\t\tip4->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);\n+\t\t\tif (ipsec->tunnel.ipv4.df)\n+\t\t\t\tfrag_off |= RTE_IPV4_HDR_DF_FLAG;\n+\t\t\tip4->fragment_offset = rte_cpu_to_be_16(frag_off);\n+\n+\t\t\tmemcpy(&ip4->src_addr, &ipsec->tunnel.ipv4.src_ip,\n+\t\t\t sizeof(struct in_addr));\n+\t\t\tmemcpy(&ip4->dst_addr, &ipsec->tunnel.ipv4.dst_ip,\n+\t\t\t sizeof(struct in_addr));\n+\t\t} else if (ipsec->tunnel.type ==\n+\t\t\t RTE_SECURITY_IPSEC_TUNNEL_IPV6) {\n+\t\t\tctx_len += sizeof(template->ip6);\n+\n+\t\t\tip6 = (struct rte_ipv6_hdr *)&template->ip6.ipv6_hdr;\n+\t\t\tif (ipsec->options.udp_encap) {\n+\t\t\t\tip6->proto = IPPROTO_UDP;\n+\t\t\t\ttemplate->ip6.udp_src = rte_be_to_cpu_16(4500);\n+\t\t\t\ttemplate->ip6.udp_dst = rte_be_to_cpu_16(4500);\n+\t\t\t} else {\n+\t\t\t\tip6->proto = (ipsec->proto ==\n+\t\t\t\t\t RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?\n+\t\t\t\t\t\t IPPROTO_ESP :\n+\t\t\t\t\t\t IPPROTO_AH;\n+\t\t\t}\n+\t\t\tip6->vtc_flow =\n+\t\t\t\trte_cpu_to_be_32(0x60000000 |\n+\t\t\t\t\t\t ((ipsec->tunnel.ipv6.dscp\n+\t\t\t\t\t\t << RTE_IPV6_HDR_TC_SHIFT) &\n+\t\t\t\t\t\t RTE_IPV6_HDR_TC_MASK) |\n+\t\t\t\t\t\t ((ipsec->tunnel.ipv6.flabel\n+\t\t\t\t\t\t << RTE_IPV6_HDR_FL_SHIFT) &\n+\t\t\t\t\t\t RTE_IPV6_HDR_FL_MASK));\n+\t\t\tip6->hop_limits = ipsec->tunnel.ipv6.hlimit;\n+\t\t\tmemcpy(&ip6->src_addr, &ipsec->tunnel.ipv6.src_addr,\n+\t\t\t sizeof(struct in6_addr));\n+\t\t\tmemcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr,\n+\t\t\t sizeof(struct in6_addr));\n+\t\t}\n+\t} else\n+\t\tctx_len += sizeof(template->ip4);\n+\n+\tctx_len += RTE_ALIGN_CEIL(ctx_len, 8);\n+\n+\tif (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {\n+\t\tauth_key = auth_xform->auth.key.data;\n+\t\tauth_key_len = auth_xform->auth.key.length;\n+\n+\t\tswitch (auth_xform->auth.algo) {\n+\t\tcase RTE_CRYPTO_AUTH_AES_GMAC:\n+\t\tcase RTE_CRYPTO_AUTH_NULL:\n+\t\t\tbreak;\n+\t\tcase RTE_CRYPTO_AUTH_SHA1_HMAC:\n+\t\t\tmemcpy(out_sa->sha1.hmac_key, auth_key, auth_key_len);\n+\t\t\tbreak;\n+\t\tcase RTE_CRYPTO_AUTH_SHA256_HMAC:\n+\t\tcase RTE_CRYPTO_AUTH_SHA384_HMAC:\n+\t\tcase RTE_CRYPTO_AUTH_SHA512_HMAC:\n+\t\t\tmemcpy(out_sa->sha2.hmac_key, auth_key, auth_key_len);\n+\t\t\tbreak;\n+\t\tcase RTE_CRYPTO_AUTH_AES_XCBC_MAC:\n+\t\t\tmemcpy(out_sa->aes_xcbc.key, auth_key, auth_key_len);\n+\t\t\tbreak;\n+\t\tdefault:\n+\t\t\tplt_err(\"Unsupported auth algorithm %u\",\n+\t\t\t\tauth_xform->auth.algo);\n+\t\t\treturn -ENOTSUP;\n+\t\t}\n+\t}\n+\n+\treturn ctx_len;\n+}\n+\n+int\n+cnxk_on_ipsec_inb_sa_create(struct rte_security_ipsec_xform *ipsec,\n+\t\t\t struct rte_crypto_sym_xform *crypto_xform,\n+\t\t\t struct roc_ie_on_inb_sa *in_sa)\n+{\n+\tstruct rte_crypto_sym_xform *auth_xform = crypto_xform;\n+\tconst uint8_t *auth_key;\n+\tint auth_key_len = 0;\n+\tsize_t ctx_len = 0;\n+\tint ret;\n+\n+\tret = on_fill_ipsec_common_sa(ipsec, crypto_xform, &in_sa->common_sa);\n+\tif (ret)\n+\t\treturn ret;\n+\n+\tif (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD ||\n+\t auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL ||\n+\t auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {\n+\t\tctx_len = offsetof(struct roc_ie_on_inb_sa,\n+\t\t\t\t sha1_or_gcm.hmac_key[0]);\n+\t} else {\n+\t\tauth_key = auth_xform->auth.key.data;\n+\t\tauth_key_len = auth_xform->auth.key.length;\n+\n+\t\tswitch (auth_xform->auth.algo) {\n+\t\tcase RTE_CRYPTO_AUTH_NULL:\n+\t\t\tbreak;\n+\t\tcase RTE_CRYPTO_AUTH_SHA1_HMAC:\n+\t\t\tmemcpy(in_sa->sha1_or_gcm.hmac_key, auth_key,\n+\t\t\t auth_key_len);\n+\t\t\tctx_len = offsetof(struct roc_ie_on_inb_sa,\n+\t\t\t\t\t sha1_or_gcm.selector);\n+\t\t\tbreak;\n+\t\tcase RTE_CRYPTO_AUTH_SHA256_HMAC:\n+\t\tcase RTE_CRYPTO_AUTH_SHA384_HMAC:\n+\t\tcase RTE_CRYPTO_AUTH_SHA512_HMAC:\n+\t\t\tmemcpy(in_sa->sha2.hmac_key, auth_key, auth_key_len);\n+\t\t\tctx_len = offsetof(struct roc_ie_on_inb_sa,\n+\t\t\t\t\t sha2.selector);\n+\t\t\tbreak;\n+\t\tcase RTE_CRYPTO_AUTH_AES_XCBC_MAC:\n+\t\t\tmemcpy(in_sa->aes_xcbc.key, auth_key, auth_key_len);\n+\t\t\tctx_len = offsetof(struct roc_ie_on_inb_sa,\n+\t\t\t\t\t aes_xcbc.selector);\n+\t\t\tbreak;\n+\t\tdefault:\n+\t\t\tplt_err(\"Unsupported auth algorithm %u\",\n+\t\t\t\tauth_xform->auth.algo);\n+\t\t\treturn -ENOTSUP;\n+\t\t}\n+\t}\n+\n+\treturn ctx_len;\n+}\ndiff --git a/drivers/common/cnxk/cnxk_security.h b/drivers/common/cnxk/cnxk_security.h\nindex 02cdad269c..4e477ec53f 100644\n--- a/drivers/common/cnxk/cnxk_security.h\n+++ b/drivers/common/cnxk/cnxk_security.h\n@@ -59,4 +59,15 @@ cnxk_onf_ipsec_outb_sa_fill(struct roc_onf_ipsec_outb_sa *sa,\n bool __roc_api cnxk_onf_ipsec_inb_sa_valid(struct roc_onf_ipsec_inb_sa *sa);\n bool __roc_api cnxk_onf_ipsec_outb_sa_valid(struct roc_onf_ipsec_outb_sa *sa);\n \n+/* [CN9K] */\n+int __roc_api\n+cnxk_on_ipsec_inb_sa_create(struct rte_security_ipsec_xform *ipsec,\n+\t\t\t struct rte_crypto_sym_xform *crypto_xform,\n+\t\t\t struct roc_ie_on_inb_sa *in_sa);\n+\n+int __roc_api\n+cnxk_on_ipsec_outb_sa_create(struct rte_security_ipsec_xform *ipsec,\n+\t\t\t struct rte_crypto_sym_xform *crypto_xform,\n+\t\t\t struct roc_ie_on_outb_sa *out_sa);\n+\n #endif /* _CNXK_SECURITY_H__ */\ndiff --git a/drivers/common/cnxk/roc_cpt.c b/drivers/common/cnxk/roc_cpt.c\nindex 742723ad1d..e5b179e8e1 100644\n--- a/drivers/common/cnxk/roc_cpt.c\n+++ b/drivers/common/cnxk/roc_cpt.c\n@@ -981,3 +981,96 @@ roc_cpt_ctx_write(struct roc_cpt_lf *lf, void *sa_dptr, void *sa_cptr,\n \n \treturn 0;\n }\n+\n+int\n+roc_on_cpt_ctx_write(struct roc_cpt_lf *lf, void *sa, uint8_t opcode,\n+\t\t uint16_t ctx_len, uint8_t egrp)\n+{\n+\tunion cpt_res_s res, *hw_res;\n+\tstruct cpt_inst_s inst;\n+\tuint64_t lmt_status;\n+\tint ret = 0;\n+\n+\thw_res = plt_zmalloc(sizeof(*hw_res), ROC_CPT_RES_ALIGN);\n+\tif (unlikely(hw_res == NULL)) {\n+\t\tplt_err(\"Couldn't allocate memory for result address\");\n+\t\treturn -ENOMEM;\n+\t}\n+\n+\thw_res->cn9k.compcode = CPT_COMP_NOT_DONE;\n+\n+\tinst.w4.s.opcode_major = opcode;\n+\tinst.w4.s.opcode_minor = ctx_len >> 3;\n+\tinst.w4.s.param1 = 0;\n+\tinst.w4.s.param2 = 0;\n+\tinst.w4.s.dlen = ctx_len;\n+\tinst.dptr = rte_mempool_virt2iova(sa);\n+\tinst.rptr = 0;\n+\tinst.w7.s.cptr = rte_mempool_virt2iova(sa);\n+\tinst.w7.s.egrp = egrp;\n+\n+\tinst.w0.u64 = 0;\n+\tinst.w2.u64 = 0;\n+\tinst.w3.u64 = 0;\n+\tinst.res_addr = (uintptr_t)hw_res;\n+\n+\trte_io_wmb();\n+\n+\tdo {\n+\t\t/* Copy CPT command to LMTLINE */\n+\t\troc_lmt_mov64((void *)lf->lmt_base, &inst);\n+\t\tlmt_status = roc_lmt_submit_ldeor(lf->io_addr);\n+\t} while (lmt_status == 0);\n+\n+\tconst uint64_t timeout = plt_tsc_cycles() + 60 * plt_tsc_hz();\n+\n+\t/* Wait until CPT instruction completes */\n+\tdo {\n+\t\tres.u64[0] = __atomic_load_n(&hw_res->u64[0], __ATOMIC_RELAXED);\n+\t\tif (unlikely(plt_tsc_cycles() > timeout)) {\n+\t\t\tplt_err(\"Request timed out\");\n+\t\t\tret = -ETIMEDOUT;\n+\t\t\tgoto free;\n+\t\t}\n+\t} while (res.cn9k.compcode == CPT_COMP_NOT_DONE);\n+\n+\tif (unlikely(res.cn9k.compcode != CPT_COMP_GOOD)) {\n+\t\tret = res.cn9k.compcode;\n+\t\tswitch (ret) {\n+\t\tcase CPT_COMP_INSTERR:\n+\t\t\tplt_err(\"Request failed with instruction error\");\n+\t\t\tbreak;\n+\t\tcase CPT_COMP_FAULT:\n+\t\t\tplt_err(\"Request failed with DMA fault\");\n+\t\t\tbreak;\n+\t\tcase CPT_COMP_HWERR:\n+\t\t\tplt_err(\"Request failed with hardware error\");\n+\t\t\tbreak;\n+\t\tdefault:\n+\t\t\tplt_err(\"Request failed with unknown hardware completion code : 0x%x\",\n+\t\t\t\tret);\n+\t\t}\n+\t\tret = -EINVAL;\n+\t\tgoto free;\n+\t}\n+\n+\tif (unlikely(res.cn9k.uc_compcode != ROC_IE_ON_UCC_SUCCESS)) {\n+\t\tret = res.cn9k.uc_compcode;\n+\t\tswitch (ret) {\n+\t\tcase ROC_IE_ON_AUTH_UNSUPPORTED:\n+\t\t\tplt_err(\"Invalid auth type\");\n+\t\t\tbreak;\n+\t\tcase ROC_IE_ON_ENCRYPT_UNSUPPORTED:\n+\t\t\tplt_err(\"Invalid encrypt type\");\n+\t\t\tbreak;\n+\t\tdefault:\n+\t\t\tplt_err(\"Request failed with unknown microcode completion code : 0x%x\",\n+\t\t\t\tret);\n+\t\t}\n+\t\tret = -ENOTSUP;\n+\t}\n+\n+free:\n+\tplt_free(hw_res);\n+\treturn ret;\n+}\ndiff --git a/drivers/common/cnxk/roc_cpt.h b/drivers/common/cnxk/roc_cpt.h\nindex 99cb8b2862..1b2032b547 100644\n--- a/drivers/common/cnxk/roc_cpt.h\n+++ b/drivers/common/cnxk/roc_cpt.h\n@@ -181,4 +181,7 @@ void __roc_api roc_cpt_parse_hdr_dump(const struct cpt_parse_hdr_s *cpth);\n int __roc_api roc_cpt_ctx_write(struct roc_cpt_lf *lf, void *sa_dptr,\n \t\t\t\tvoid *sa_cptr, uint16_t sa_len);\n \n+int __roc_api roc_on_cpt_ctx_write(struct roc_cpt_lf *lf, void *sa,\n+\t\t\t\t uint8_t opcode, uint16_t ctx_len,\n+\t\t\t\t uint8_t egrp);\n #endif /* _ROC_CPT_H_ */\ndiff --git a/drivers/common/cnxk/roc_ie_on.h b/drivers/common/cnxk/roc_ie_on.h\nindex 7dd7b6595f..37f711c643 100644\n--- a/drivers/common/cnxk/roc_ie_on.h\n+++ b/drivers/common/cnxk/roc_ie_on.h\n@@ -23,7 +23,7 @@ enum roc_ie_on_ucc_ipsec {\n };\n \n /* Helper macros */\n-#define ROC_IE_ON_INB_RPTR_HDR 0x8\n+#define ROC_IE_ON_INB_RPTR_HDR 16\n #define ROC_IE_ON_MAX_IV_LEN 16\n #define ROC_IE_ON_PER_PKT_IV BIT(43)\n \n@@ -67,9 +67,17 @@ enum {\n struct roc_ie_on_outb_hdr {\n \tuint32_t ip_id;\n \tuint32_t seq;\n+\tuint32_t esn;\n+\tuint32_t df_tos;\n \tuint8_t iv[16];\n };\n \n+struct roc_ie_on_inb_hdr {\n+\tuint32_t sa_index;\n+\tuint64_t seq;\n+\tuint32_t pad;\n+};\n+\n union roc_ie_on_bit_perfect_iv {\n \tuint8_t aes_iv[16];\n \tuint8_t des_iv[8];\n@@ -113,7 +121,7 @@ struct roc_ie_on_ip_template {\n union roc_on_ipsec_outb_param1 {\n \tuint16_t u16;\n \tstruct {\n-\t\tuint16_t frag_num : 4;\n+\t\tuint16_t l2hdr_len : 4;\n \t\tuint16_t rsvd_4_6 : 3;\n \t\tuint16_t gre_select : 1;\n \t\tuint16_t dsiv : 1;\n@@ -171,8 +179,13 @@ struct roc_ie_on_common_sa {\n \tunion roc_ie_on_bit_perfect_iv iv;\n \n \t/* w7 */\n-\tuint32_t esn_hi;\n-\tuint32_t esn_low;\n+\tunion {\n+\t\tuint64_t u64;\n+\t\tstruct {\n+\t\t\tuint32_t th;\n+\t\t\tuint32_t tl;\n+\t\t};\n+\t} seq_t;\n };\n \n struct roc_ie_on_outb_sa {\ndiff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map\nindex a77f3f6e3c..db61fe575d 100644\n--- a/drivers/common/cnxk/version.map\n+++ b/drivers/common/cnxk/version.map\n@@ -23,6 +23,8 @@ INTERNAL {\n \tcnxk_ot_ipsec_outb_sa_fill;\n \tcnxk_ot_ipsec_inb_sa_valid;\n \tcnxk_ot_ipsec_outb_sa_valid;\n+\tcnxk_on_ipsec_inb_sa_create;\n+\tcnxk_on_ipsec_outb_sa_create;\n \troc_ae_ec_grp_get;\n \troc_ae_ec_grp_put;\n \troc_ae_fpm_get;\n@@ -72,6 +74,7 @@ INTERNAL {\n \troc_cpt_parse_hdr_dump;\n \troc_cpt_rxc_time_cfg;\n \troc_cpt_ctx_write;\n+\troc_on_cpt_ctx_write;\n \troc_dpi_configure;\n \troc_dpi_dev_fini;\n \troc_dpi_dev_init;\ndiff --git a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c\nindex eccaf398df..7720730120 100644\n--- a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c\n+++ b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c\n@@ -43,7 +43,9 @@ cn9k_cpt_sec_inst_fill(struct rte_crypto_op *op,\n \t\t struct cpt_inst_s *inst)\n {\n \tstruct rte_crypto_sym_op *sym_op = op->sym;\n+\tstruct roc_ie_on_common_sa *common_sa;\n \tstruct cn9k_sec_session *priv;\n+\tstruct roc_ie_on_sa_ctl *ctl;\n \tstruct cn9k_ipsec_sa *sa;\n \n \tif (unlikely(sym_op->m_dst && sym_op->m_dst != sym_op->m_src)) {\n@@ -64,6 +66,12 @@ cn9k_cpt_sec_inst_fill(struct rte_crypto_op *op,\n \n \tinfl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND;\n \n+\tcommon_sa = &sa->in_sa.common_sa;\n+\tctl = &common_sa->ctl;\n+\n+\tif (ctl->esn_en)\n+\t\tinfl_req->op_flags |= CPT_OP_FLAGS_IPSEC_INB_ESN;\n+\n \treturn process_inb_sa(op, sa, inst);\n }\n \n@@ -491,14 +499,28 @@ cn9k_cpt_sec_post_process(struct rte_crypto_op *cop,\n {\n \tstruct rte_crypto_sym_op *sym_op = cop->sym;\n \tstruct rte_mbuf *m = sym_op->m_src;\n+\tstruct cn9k_sec_session *priv;\n+\tstruct cn9k_ipsec_sa *sa;\n \tstruct rte_ipv6_hdr *ip6;\n \tstruct rte_ipv4_hdr *ip;\n \tuint16_t m_len = 0;\n \tchar *data;\n \n+\tpriv = get_sec_session_private_data(cop->sym->sec_session);\n+\tsa = &priv->sa;\n+\n \tif (infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND) {\n+\t\tstruct roc_ie_on_common_sa *common_sa = &sa->in_sa.common_sa;\n+\n \t\tdata = rte_pktmbuf_mtod(m, char *);\n+\t\tif (infl_req->op_flags == CPT_OP_FLAGS_IPSEC_INB_ESN) {\n+\t\t\tstruct roc_ie_on_inb_hdr *inb_hdr =\n+\t\t\t\t(struct roc_ie_on_inb_hdr *)data;\n+\t\t\tuint64_t seq = rte_be_to_cpu_64(inb_hdr->seq);\n \n+\t\t\tif (seq > common_sa->seq_t.u64)\n+\t\t\t\tcommon_sa->seq_t.u64 = seq;\n+\t\t}\n \t\tip = (struct rte_ipv4_hdr *)(data + ROC_IE_ON_INB_RPTR_HDR);\n \n \t\tif (((ip->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER) ==\n@@ -515,6 +537,8 @@ cn9k_cpt_sec_post_process(struct rte_crypto_op *cop,\n \t\tm->data_len = m_len;\n \t\tm->pkt_len = m_len;\n \t\tm->data_off += ROC_IE_ON_INB_RPTR_HDR;\n+\t} else {\n+\t\trte_pktmbuf_adj(m, sa->custom_hdr_len);\n \t}\n }\n \ndiff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c\nindex 82b8dae786..85f3f26c32 100644\n--- a/drivers/crypto/cnxk/cn9k_ipsec.c\n+++ b/drivers/crypto/cnxk/cn9k_ipsec.c\n@@ -15,331 +15,26 @@\n \n #include \"roc_api.h\"\n \n-static inline int\n-cn9k_cpt_enq_sa_write(struct cn9k_ipsec_sa *sa, struct cnxk_cpt_qp *qp,\n-\t\t uint8_t opcode, size_t ctx_len)\n-{\n-\tstruct roc_cpt *roc_cpt = qp->lf.roc_cpt;\n-\tuint64_t lmtline = qp->lmtline.lmt_base;\n-\tuint64_t io_addr = qp->lmtline.io_addr;\n-\tuint64_t lmt_status, time_out;\n-\tstruct cpt_cn9k_res_s *res;\n-\tstruct cpt_inst_s inst;\n-\tuint64_t *mdata;\n-\tint ret = 0;\n-\n-\tif (unlikely(rte_mempool_get(qp->meta_info.pool, (void **)&mdata) < 0))\n-\t\treturn -ENOMEM;\n-\n-\tres = (struct cpt_cn9k_res_s *)RTE_PTR_ALIGN(mdata, 16);\n-\tres->compcode = CPT_COMP_NOT_DONE;\n-\n-\tinst.w4.s.opcode_major = opcode;\n-\tinst.w4.s.opcode_minor = ctx_len >> 3;\n-\tinst.w4.s.param1 = 0;\n-\tinst.w4.s.param2 = 0;\n-\tinst.w4.s.dlen = ctx_len;\n-\tinst.dptr = rte_mempool_virt2iova(sa);\n-\tinst.rptr = 0;\n-\tinst.w7.s.cptr = rte_mempool_virt2iova(sa);\n-\tinst.w7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];\n-\n-\tinst.w0.u64 = 0;\n-\tinst.w2.u64 = 0;\n-\tinst.w3.u64 = 0;\n-\tinst.res_addr = rte_mempool_virt2iova(res);\n-\n-\trte_io_wmb();\n-\n-\tdo {\n-\t\t/* Copy CPT command to LMTLINE */\n-\t\troc_lmt_mov64((void *)lmtline, &inst);\n-\t\tlmt_status = roc_lmt_submit_ldeor(io_addr);\n-\t} while (lmt_status == 0);\n-\n-\ttime_out = rte_get_timer_cycles() +\n-\t\t DEFAULT_COMMAND_TIMEOUT * rte_get_timer_hz();\n-\n-\twhile (res->compcode == CPT_COMP_NOT_DONE) {\n-\t\tif (rte_get_timer_cycles() > time_out) {\n-\t\t\trte_mempool_put(qp->meta_info.pool, mdata);\n-\t\t\tplt_err(\"Request timed out\");\n-\t\t\treturn -ETIMEDOUT;\n-\t\t}\n-\t\trte_io_rmb();\n-\t}\n-\n-\tif (unlikely(res->compcode != CPT_COMP_GOOD)) {\n-\t\tret = res->compcode;\n-\t\tswitch (ret) {\n-\t\tcase CPT_COMP_INSTERR:\n-\t\t\tplt_err(\"Request failed with instruction error\");\n-\t\t\tbreak;\n-\t\tcase CPT_COMP_FAULT:\n-\t\t\tplt_err(\"Request failed with DMA fault\");\n-\t\t\tbreak;\n-\t\tcase CPT_COMP_HWERR:\n-\t\t\tplt_err(\"Request failed with hardware error\");\n-\t\t\tbreak;\n-\t\tdefault:\n-\t\t\tplt_err(\"Request failed with unknown hardware \"\n-\t\t\t\t\"completion code : 0x%x\",\n-\t\t\t\tret);\n-\t\t}\n-\t\tret = -EINVAL;\n-\t\tgoto mempool_put;\n-\t}\n-\n-\tif (unlikely(res->uc_compcode != ROC_IE_ON_UCC_SUCCESS)) {\n-\t\tret = res->uc_compcode;\n-\t\tswitch (ret) {\n-\t\tcase ROC_IE_ON_AUTH_UNSUPPORTED:\n-\t\t\tplt_err(\"Invalid auth type\");\n-\t\t\tbreak;\n-\t\tcase ROC_IE_ON_ENCRYPT_UNSUPPORTED:\n-\t\t\tplt_err(\"Invalid encrypt type\");\n-\t\t\tbreak;\n-\t\tdefault:\n-\t\t\tplt_err(\"Request failed with unknown microcode \"\n-\t\t\t\t\"completion code : 0x%x\",\n-\t\t\t\tret);\n-\t\t}\n-\t\tret = -ENOTSUP;\n-\t}\n-\n-mempool_put:\n-\trte_mempool_put(qp->meta_info.pool, mdata);\n-\treturn ret;\n-}\n-\n-static inline int\n-ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,\n-\t\t struct rte_crypto_sym_xform *crypto_xform,\n-\t\t struct roc_ie_on_sa_ctl *ctl)\n-{\n-\tstruct rte_crypto_sym_xform *cipher_xform, *auth_xform;\n-\tint aes_key_len = 0;\n-\n-\tif (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {\n-\t\tauth_xform = crypto_xform;\n-\t\tcipher_xform = crypto_xform->next;\n-\t} else {\n-\t\tcipher_xform = crypto_xform;\n-\t\tauth_xform = crypto_xform->next;\n-\t}\n-\n-\tif (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)\n-\t\tctl->direction = ROC_IE_SA_DIR_OUTBOUND;\n-\telse\n-\t\tctl->direction = ROC_IE_SA_DIR_INBOUND;\n-\n-\tif (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {\n-\t\tif (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)\n-\t\t\tctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4;\n-\t\telse if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)\n-\t\t\tctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_6;\n-\t\telse\n-\t\t\treturn -EINVAL;\n-\t}\n-\n-\tif (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) {\n-\t\tctl->ipsec_mode = ROC_IE_SA_MODE_TRANSPORT;\n-\t\tctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4;\n-\t} else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)\n-\t\tctl->ipsec_mode = ROC_IE_SA_MODE_TUNNEL;\n-\telse\n-\t\treturn -EINVAL;\n-\n-\tif (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)\n-\t\tctl->ipsec_proto = ROC_IE_SA_PROTOCOL_AH;\n-\telse if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)\n-\t\tctl->ipsec_proto = ROC_IE_SA_PROTOCOL_ESP;\n-\telse\n-\t\treturn -EINVAL;\n-\n-\tif (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {\n-\t\tswitch (crypto_xform->aead.algo) {\n-\t\tcase RTE_CRYPTO_AEAD_AES_GCM:\n-\t\t\tctl->enc_type = ROC_IE_ON_SA_ENC_AES_GCM;\n-\t\t\taes_key_len = crypto_xform->aead.key.length;\n-\t\t\tbreak;\n-\t\tdefault:\n-\t\t\tplt_err(\"Unsupported AEAD algorithm\");\n-\t\t\treturn -ENOTSUP;\n-\t\t}\n-\t} else {\n-\t\tif (cipher_xform != NULL) {\n-\t\t\tswitch (cipher_xform->cipher.algo) {\n-\t\t\tcase RTE_CRYPTO_CIPHER_NULL:\n-\t\t\t\tctl->enc_type = ROC_IE_ON_SA_ENC_NULL;\n-\t\t\t\tbreak;\n-\t\t\tcase RTE_CRYPTO_CIPHER_AES_CBC:\n-\t\t\t\tctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC;\n-\t\t\t\taes_key_len = cipher_xform->cipher.key.length;\n-\t\t\t\tbreak;\n-\t\t\tcase RTE_CRYPTO_CIPHER_AES_CTR:\n-\t\t\t\tctl->enc_type = ROC_IE_ON_SA_ENC_AES_CTR;\n-\t\t\t\taes_key_len = cipher_xform->cipher.key.length;\n-\t\t\t\tbreak;\n-\t\t\tdefault:\n-\t\t\t\tplt_err(\"Unsupported cipher algorithm\");\n-\t\t\t\treturn -ENOTSUP;\n-\t\t\t}\n-\t\t}\n-\n-\t\tswitch (auth_xform->auth.algo) {\n-\t\tcase RTE_CRYPTO_AUTH_NULL:\n-\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_NULL;\n-\t\t\tbreak;\n-\t\tcase RTE_CRYPTO_AUTH_MD5_HMAC:\n-\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_MD5;\n-\t\t\tbreak;\n-\t\tcase RTE_CRYPTO_AUTH_SHA1_HMAC:\n-\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_SHA1;\n-\t\t\tbreak;\n-\t\tcase RTE_CRYPTO_AUTH_SHA224_HMAC:\n-\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_224;\n-\t\t\tbreak;\n-\t\tcase RTE_CRYPTO_AUTH_SHA256_HMAC:\n-\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_256;\n-\t\t\tbreak;\n-\t\tcase RTE_CRYPTO_AUTH_SHA384_HMAC:\n-\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_384;\n-\t\t\tbreak;\n-\t\tcase RTE_CRYPTO_AUTH_SHA512_HMAC:\n-\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_512;\n-\t\t\tbreak;\n-\t\tcase RTE_CRYPTO_AUTH_AES_GMAC:\n-\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_AES_GMAC;\n-\t\t\taes_key_len = auth_xform->auth.key.length;\n-\t\t\tbreak;\n-\t\tcase RTE_CRYPTO_AUTH_AES_XCBC_MAC:\n-\t\t\tctl->auth_type = ROC_IE_ON_SA_AUTH_AES_XCBC_128;\n-\t\t\tbreak;\n-\t\tdefault:\n-\t\t\tplt_err(\"Unsupported auth algorithm\");\n-\t\t\treturn -ENOTSUP;\n-\t\t}\n-\t}\n-\n-\t/* Set AES key length */\n-\tif (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CBC ||\n-\t ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CCM ||\n-\t ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CTR ||\n-\t ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM ||\n-\t ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) {\n-\t\tswitch (aes_key_len) {\n-\t\tcase 16:\n-\t\t\tctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;\n-\t\t\tbreak;\n-\t\tcase 24:\n-\t\t\tctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;\n-\t\t\tbreak;\n-\t\tcase 32:\n-\t\t\tctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;\n-\t\t\tbreak;\n-\t\tdefault:\n-\t\t\tplt_err(\"Invalid AES key length\");\n-\t\t\treturn -EINVAL;\n-\t\t}\n-\t}\n-\n-\tif (ipsec->options.esn)\n-\t\tctl->esn_en = 1;\n-\n-\tif (ipsec->options.udp_encap == 1)\n-\t\tctl->encap_type = ROC_IE_ON_SA_ENCAP_UDP;\n-\n-\tctl->copy_df = ipsec->options.copy_df;\n-\n-\tctl->spi = rte_cpu_to_be_32(ipsec->spi);\n-\n-\trte_io_wmb();\n-\n-\tctl->valid = 1;\n-\n-\treturn 0;\n-}\n-\n-static inline int\n-fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,\n-\t\t struct rte_crypto_sym_xform *crypto_xform,\n-\t\t struct roc_ie_on_common_sa *common_sa)\n-{\n-\tstruct rte_crypto_sym_xform *cipher_xform, *auth_xform;\n-\tconst uint8_t *cipher_key;\n-\tint cipher_key_len = 0;\n-\tint ret;\n-\n-\tret = ipsec_sa_ctl_set(ipsec, crypto_xform, &common_sa->ctl);\n-\tif (ret)\n-\t\treturn ret;\n-\n-\tif (ipsec->esn.value) {\n-\t\tcommon_sa->esn_low = ipsec->esn.low;\n-\t\tcommon_sa->esn_hi = ipsec->esn.hi;\n-\t}\n-\n-\tif (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {\n-\t\tauth_xform = crypto_xform;\n-\t\tcipher_xform = crypto_xform->next;\n-\t} else {\n-\t\tcipher_xform = crypto_xform;\n-\t\tauth_xform = crypto_xform->next;\n-\t}\n-\n-\tif (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {\n-\t\tif (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)\n-\t\t\tmemcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4);\n-\t\tcipher_key = crypto_xform->aead.key.data;\n-\t\tcipher_key_len = crypto_xform->aead.key.length;\n-\t} else {\n-\t\tif (cipher_xform) {\n-\t\t\tcipher_key = cipher_xform->cipher.key.data;\n-\t\t\tcipher_key_len = cipher_xform->cipher.key.length;\n-\t\t}\n-\n-\t\tif (auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {\n-\t\t\tmemcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4);\n-\t\t\tcipher_key = auth_xform->auth.key.data;\n-\t\t\tcipher_key_len = auth_xform->auth.key.length;\n-\t\t}\n-\t}\n-\n-\tif (cipher_key_len != 0)\n-\t\tmemcpy(common_sa->cipher_key, cipher_key, cipher_key_len);\n-\n-\treturn 0;\n-}\n-\n static int\n cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,\n \t\t\t struct rte_security_ipsec_xform *ipsec,\n \t\t\t struct rte_crypto_sym_xform *crypto_xform,\n \t\t\t struct rte_security_session *sec_sess)\n {\n-\tstruct roc_ie_on_ip_template *template = NULL;\n \tstruct roc_cpt *roc_cpt = qp->lf.roc_cpt;\n-\tstruct rte_crypto_sym_xform *auth_xform;\n \tunion roc_on_ipsec_outb_param1 param1;\n \tstruct cnxk_cpt_inst_tmpl *inst_tmpl;\n-\tstruct roc_ie_on_outb_sa *out_sa;\n \tstruct cn9k_sec_session *sess;\n-\tstruct roc_ie_on_sa_ctl *ctl;\n \tstruct cn9k_ipsec_sa *sa;\n-\tstruct rte_ipv6_hdr *ip6;\n-\tstruct rte_ipv4_hdr *ip4;\n-\tconst uint8_t *auth_key;\n \tunion cpt_inst_w4 w4;\n \tunion cpt_inst_w7 w7;\n-\tint auth_key_len = 0;\n \tsize_t ctx_len;\n+\tuint8_t opcode;\n+\tuint8_t egrp;\n \tint ret;\n \n \tsess = get_sec_session_private_data(sec_sess);\n \tsa = &sess->sa;\n-\tout_sa = &sa->out_sa;\n-\tctl = &out_sa->common_sa.ctl;\n \n \tmemset(sa, 0, sizeof(struct cn9k_ipsec_sa));\n \n@@ -353,153 +48,16 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,\n \tif (ipsec->esn.value)\n \t\tsa->esn = ipsec->esn.value;\n \n-\tif (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH)\n-\t\tauth_xform = crypto_xform;\n-\telse\n-\t\tauth_xform = crypto_xform->next;\n-\n-\tret = fill_ipsec_common_sa(ipsec, crypto_xform, &out_sa->common_sa);\n-\tif (ret)\n-\t\treturn ret;\n-\n \tret = cnxk_ipsec_outb_rlens_get(&sa->rlens, ipsec, crypto_xform);\n \tif (ret)\n \t\treturn ret;\n \n-\tif (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM ||\n-\t ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL ||\n-\t ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) {\n-\t\ttemplate = &out_sa->aes_gcm.template;\n-\t\tctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template);\n-\t} else {\n-\t\tswitch (ctl->auth_type) {\n-\t\tcase ROC_IE_ON_SA_AUTH_SHA1:\n-\t\t\ttemplate = &out_sa->sha1.template;\n-\t\t\tctx_len = offsetof(struct roc_ie_on_outb_sa,\n-\t\t\t\t\t sha1.template);\n-\t\t\tbreak;\n-\t\tcase ROC_IE_ON_SA_AUTH_SHA2_256:\n-\t\tcase ROC_IE_ON_SA_AUTH_SHA2_384:\n-\t\tcase ROC_IE_ON_SA_AUTH_SHA2_512:\n-\t\t\ttemplate = &out_sa->sha2.template;\n-\t\t\tctx_len = offsetof(struct roc_ie_on_outb_sa,\n-\t\t\t\t\t sha2.template);\n-\t\t\tbreak;\n-\t\tcase ROC_IE_ON_SA_AUTH_AES_XCBC_128:\n-\t\t\ttemplate = &out_sa->aes_xcbc.template;\n-\t\t\tctx_len = offsetof(struct roc_ie_on_outb_sa,\n-\t\t\t\t\t aes_xcbc.template);\n-\t\t\tbreak;\n-\t\tdefault:\n-\t\t\tplt_err(\"Unsupported auth algorithm\");\n-\t\t\treturn -EINVAL;\n-\t\t}\n-\t}\n-\n-\tip4 = (struct rte_ipv4_hdr *)&template->ip4.ipv4_hdr;\n-\tif (ipsec->options.udp_encap) {\n-\t\tip4->next_proto_id = IPPROTO_UDP;\n-\t\ttemplate->ip4.udp_src = rte_be_to_cpu_16(4500);\n-\t\ttemplate->ip4.udp_dst = rte_be_to_cpu_16(4500);\n-\t} else {\n-\t\tif (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)\n-\t\t\tip4->next_proto_id = IPPROTO_AH;\n-\t\telse\n-\t\t\tip4->next_proto_id = IPPROTO_ESP;\n-\t}\n-\n-\tif (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {\n-\t\tif (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {\n-\t\t\tuint16_t frag_off = 0;\n-\t\t\tctx_len += sizeof(template->ip4);\n-\n-\t\t\tip4->version_ihl = RTE_IPV4_VHL_DEF;\n-\t\t\tip4->time_to_live = ipsec->tunnel.ipv4.ttl;\n-\t\t\tip4->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);\n-\t\t\tif (ipsec->tunnel.ipv4.df)\n-\t\t\t\tfrag_off |= RTE_IPV4_HDR_DF_FLAG;\n-\t\t\tip4->fragment_offset = rte_cpu_to_be_16(frag_off);\n-\n-\t\t\tmemcpy(&ip4->src_addr, &ipsec->tunnel.ipv4.src_ip,\n-\t\t\t sizeof(struct in_addr));\n-\t\t\tmemcpy(&ip4->dst_addr, &ipsec->tunnel.ipv4.dst_ip,\n-\t\t\t sizeof(struct in_addr));\n-\t\t} else if (ipsec->tunnel.type ==\n-\t\t\t RTE_SECURITY_IPSEC_TUNNEL_IPV6) {\n-\t\t\tctx_len += sizeof(template->ip6);\n-\n-\t\t\tip6 = (struct rte_ipv6_hdr *)&template->ip6.ipv6_hdr;\n-\t\t\tif (ipsec->options.udp_encap) {\n-\t\t\t\tip6->proto = IPPROTO_UDP;\n-\t\t\t\ttemplate->ip6.udp_src = rte_be_to_cpu_16(4500);\n-\t\t\t\ttemplate->ip6.udp_dst = rte_be_to_cpu_16(4500);\n-\t\t\t} else {\n-\t\t\t\tip6->proto = (ipsec->proto ==\n-\t\t\t\t\t RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?\n-\t\t\t\t\t\t IPPROTO_ESP :\n-\t\t\t\t\t\t IPPROTO_AH;\n-\t\t\t}\n-\t\t\tip6->vtc_flow =\n-\t\t\t\trte_cpu_to_be_32(0x60000000 |\n-\t\t\t\t\t\t ((ipsec->tunnel.ipv6.dscp\n-\t\t\t\t\t\t << RTE_IPV6_HDR_TC_SHIFT) &\n-\t\t\t\t\t\t RTE_IPV6_HDR_TC_MASK) |\n-\t\t\t\t\t\t ((ipsec->tunnel.ipv6.flabel\n-\t\t\t\t\t\t << RTE_IPV6_HDR_FL_SHIFT) &\n-\t\t\t\t\t\t RTE_IPV6_HDR_FL_MASK));\n-\t\t\tip6->hop_limits = ipsec->tunnel.ipv6.hlimit;\n-\t\t\tmemcpy(&ip6->src_addr, &ipsec->tunnel.ipv6.src_addr,\n-\t\t\t sizeof(struct in6_addr));\n-\t\t\tmemcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr,\n-\t\t\t sizeof(struct in6_addr));\n-\t\t}\n-\t} else\n-\t\tctx_len += sizeof(template->ip4);\n-\n-\tctx_len += RTE_ALIGN_CEIL(ctx_len, 8);\n-\n-\tif (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {\n-\t\tauth_key = auth_xform->auth.key.data;\n-\t\tauth_key_len = auth_xform->auth.key.length;\n-\n-\t\tswitch (auth_xform->auth.algo) {\n-\t\tcase RTE_CRYPTO_AUTH_AES_GMAC:\n-\t\tcase RTE_CRYPTO_AUTH_NULL:\n-\t\t\tbreak;\n-\t\tcase RTE_CRYPTO_AUTH_SHA1_HMAC:\n-\t\t\tmemcpy(out_sa->sha1.hmac_key, auth_key, auth_key_len);\n-\t\t\tbreak;\n-\t\tcase RTE_CRYPTO_AUTH_SHA256_HMAC:\n-\t\tcase RTE_CRYPTO_AUTH_SHA384_HMAC:\n-\t\tcase RTE_CRYPTO_AUTH_SHA512_HMAC:\n-\t\t\tmemcpy(out_sa->sha2.hmac_key, auth_key, auth_key_len);\n-\t\t\tbreak;\n-\t\tcase RTE_CRYPTO_AUTH_AES_XCBC_MAC:\n-\t\t\tmemcpy(out_sa->aes_xcbc.key, auth_key, auth_key_len);\n-\t\t\tbreak;\n-\t\tdefault:\n-\t\t\tplt_err(\"Unsupported auth algorithm %u\",\n-\t\t\t\tauth_xform->auth.algo);\n-\t\t\treturn -ENOTSUP;\n-\t\t}\n-\t}\n-\n-\tinst_tmpl = &sa->inst;\n-\n-\tw4.u64 = 0;\n-\tw4.s.opcode_major = ROC_IE_ON_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;\n-\tw4.s.opcode_minor = ctx_len >> 3;\n-\n-\tparam1.u16 = 0;\n-\tparam1.s.ikev2 = 1;\n-\n-\tsa->custom_hdr_len = sizeof(struct roc_ie_on_outb_hdr) -\n-\t\t\t ROC_IE_ON_MAX_IV_LEN;\n+\tsa->custom_hdr_len =\n+\t\tsizeof(struct roc_ie_on_outb_hdr) - ROC_IE_ON_MAX_IV_LEN;\n \n #ifdef LA_IPSEC_DEBUG\n \t/* Use IV from application in debug mode */\n \tif (ipsec->options.iv_gen_disable == 1) {\n-\t\tparam1.s.per_pkt_iv = ROC_IE_ON_IV_SRC_FROM_DPTR;\n \t\tsa->custom_hdr_len = sizeof(struct roc_ie_on_outb_hdr);\n \n \t\tif (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {\n@@ -520,17 +78,49 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,\n \t}\n #endif\n \n-\tw4.s.param1 = param1.u16;\n+\tret = cnxk_on_ipsec_outb_sa_create(ipsec, crypto_xform, &sa->out_sa);\n \n-\tinst_tmpl->w4 = w4.u64;\n+\tif (ret < 0)\n+\t\treturn ret;\n+\n+\tctx_len = ret;\n+\topcode = ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_OUTBOUND;\n+\tegrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];\n+\tret = roc_on_cpt_ctx_write(&qp->lf, (void *)&sa->out_sa, opcode,\n+\t\t\t\t ctx_len, egrp);\n+\n+\tif (ret)\n+\t\treturn ret;\n+\n+\tw4.u64 = 0;\n+\tw4.s.opcode_major = ROC_IE_ON_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;\n+\tw4.s.opcode_minor = ctx_len >> 3;\n+\n+\tparam1.u16 = 0;\n+\tparam1.s.ikev2 = 1;\n+\n+#ifdef LA_IPSEC_DEBUG\n+\t/* Use IV from application in debug mode */\n+\tif (ipsec->options.iv_gen_disable == 1)\n+\t\tparam1.s.per_pkt_iv = ROC_IE_ON_IV_SRC_FROM_DPTR;\n+#else\n+\tif (ipsec->options.iv_gen_disable != 0) {\n+\t\tplt_err(\"Application provided IV is not supported\");\n+\t\treturn -ENOTSUP;\n+\t}\n+#endif\n+\n+\tw4.s.param1 = param1.u16;\n \n \tw7.u64 = 0;\n-\tw7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];\n-\tw7.s.cptr = rte_mempool_virt2iova(out_sa);\n+\tw7.s.egrp = egrp;\n+\tw7.s.cptr = rte_mempool_virt2iova(&sa->out_sa);\n+\n+\tinst_tmpl = &sa->inst;\n+\tinst_tmpl->w4 = w4.u64;\n \tinst_tmpl->w7 = w7.u64;\n \n-\treturn cn9k_cpt_enq_sa_write(\n-\t\tsa, qp, ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_OUTBOUND, ctx_len);\n+\treturn 0;\n }\n \n static int\n@@ -539,71 +129,54 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,\n \t\t\t struct rte_crypto_sym_xform *crypto_xform,\n \t\t\t struct rte_security_session *sec_sess)\n {\n-\tstruct rte_crypto_sym_xform *auth_xform = crypto_xform;\n \tstruct roc_cpt *roc_cpt = qp->lf.roc_cpt;\n-\tunion roc_on_ipsec_inb_param2 param2;\n \tstruct cnxk_cpt_inst_tmpl *inst_tmpl;\n-\tstruct roc_ie_on_inb_sa *in_sa;\n+\tunion roc_on_ipsec_inb_param2 param2;\n \tstruct cn9k_sec_session *sess;\n \tstruct cn9k_ipsec_sa *sa;\n-\tconst uint8_t *auth_key;\n \tunion cpt_inst_w4 w4;\n \tunion cpt_inst_w7 w7;\n-\tint auth_key_len = 0;\n \tsize_t ctx_len = 0;\n-\tint ret;\n+\tuint8_t opcode;\n+\tuint8_t egrp;\n+\tint ret = 0;\n \n \tsess = get_sec_session_private_data(sec_sess);\n \tsa = &sess->sa;\n-\tin_sa = &sa->in_sa;\n \n \tmemset(sa, 0, sizeof(struct cn9k_ipsec_sa));\n \n \tsa->dir = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;\n \tsa->replay_win_sz = ipsec->replay_win_sz;\n \n-\tret = fill_ipsec_common_sa(ipsec, crypto_xform, &in_sa->common_sa);\n-\tif (ret)\n-\t\treturn ret;\n-\n-\tif (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD ||\n-\t auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL ||\n-\t auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {\n-\t\tctx_len = offsetof(struct roc_ie_on_inb_sa,\n-\t\t\t\t sha1_or_gcm.hmac_key[0]);\n-\t} else {\n-\t\tauth_key = auth_xform->auth.key.data;\n-\t\tauth_key_len = auth_xform->auth.key.length;\n-\n-\t\tswitch (auth_xform->auth.algo) {\n-\t\tcase RTE_CRYPTO_AUTH_NULL:\n-\t\t\tbreak;\n-\t\tcase RTE_CRYPTO_AUTH_SHA1_HMAC:\n-\t\t\tmemcpy(in_sa->sha1_or_gcm.hmac_key, auth_key,\n-\t\t\t auth_key_len);\n-\t\t\tctx_len = offsetof(struct roc_ie_on_inb_sa,\n-\t\t\t\t\t sha1_or_gcm.selector);\n-\t\t\tbreak;\n-\t\tcase RTE_CRYPTO_AUTH_SHA256_HMAC:\n-\t\tcase RTE_CRYPTO_AUTH_SHA384_HMAC:\n-\t\tcase RTE_CRYPTO_AUTH_SHA512_HMAC:\n-\t\t\tmemcpy(in_sa->sha2.hmac_key, auth_key, auth_key_len);\n-\t\t\tctx_len = offsetof(struct roc_ie_on_inb_sa,\n-\t\t\t\t\t sha2.selector);\n-\t\t\tbreak;\n-\t\tcase RTE_CRYPTO_AUTH_AES_XCBC_MAC:\n-\t\t\tmemcpy(in_sa->aes_xcbc.key, auth_key, auth_key_len);\n-\t\t\tctx_len = offsetof(struct roc_ie_on_inb_sa,\n-\t\t\t\t\t aes_xcbc.selector);\n-\t\t\tbreak;\n-\t\tdefault:\n-\t\t\tplt_err(\"Unsupported auth algorithm %u\",\n-\t\t\t\tauth_xform->auth.algo);\n+\tif (sa->replay_win_sz) {\n+\t\tif (sa->replay_win_sz > CNXK_ON_AR_WIN_SIZE_MAX) {\n+\t\t\tplt_err(\"Replay window size:%u is not supported\",\n+\t\t\t\tsa->replay_win_sz);\n \t\t\treturn -ENOTSUP;\n \t\t}\n+\n+\t\t/* Set window bottom to 1, base and top to size of window */\n+\t\tsa->ar.winb = 1;\n+\t\tsa->ar.wint = sa->replay_win_sz;\n+\t\tsa->ar.base = sa->replay_win_sz;\n+\n+\t\tsa->in_sa.common_sa.seq_t.tl = sa->seq_lo;\n+\t\tsa->in_sa.common_sa.seq_t.th = sa->seq_hi;\n \t}\n \n-\tinst_tmpl = &sa->inst;\n+\tret = cnxk_on_ipsec_inb_sa_create(ipsec, crypto_xform, &sa->in_sa);\n+\n+\tif (ret < 0)\n+\t\treturn ret;\n+\n+\tctx_len = ret;\n+\topcode = ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_INBOUND;\n+\tegrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];\n+\tret = roc_on_cpt_ctx_write(&qp->lf, (void *)&sa->in_sa, opcode, ctx_len,\n+\t\t\t\t egrp);\n+\tif (ret)\n+\t\treturn ret;\n \n \tw4.u64 = 0;\n \tw4.s.opcode_major = ROC_IE_ON_MAJOR_OP_PROCESS_INBOUND_IPSEC;\n@@ -613,31 +186,14 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,\n \tparam2.s.ikev2 = 1;\n \tw4.s.param2 = param2.u16;\n \n-\tinst_tmpl->w4 = w4.u64;\n+\tw7.s.egrp = egrp;\n+\tw7.s.cptr = rte_mempool_virt2iova(&sa->in_sa);\n \n-\tw7.u64 = 0;\n-\tw7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];\n-\tw7.s.cptr = rte_mempool_virt2iova(in_sa);\n+\tinst_tmpl = &sa->inst;\n+\tinst_tmpl->w4 = w4.u64;\n \tinst_tmpl->w7 = w7.u64;\n \n-\tif (sa->replay_win_sz) {\n-\t\tif (sa->replay_win_sz > CNXK_ON_AR_WIN_SIZE_MAX) {\n-\t\t\tplt_err(\"Replay window size:%u is not supported\",\n-\t\t\t\tsa->replay_win_sz);\n-\t\t\treturn -ENOTSUP;\n-\t\t}\n-\n-\t\t/* Set window bottom to 1, base and top to size of window */\n-\t\tsa->ar.winb = 1;\n-\t\tsa->ar.wint = sa->replay_win_sz;\n-\t\tsa->ar.base = sa->replay_win_sz;\n-\n-\t\tin_sa->common_sa.esn_low = sa->seq_lo;\n-\t\tin_sa->common_sa.esn_hi = sa->seq_hi;\n-\t}\n-\n-\treturn cn9k_cpt_enq_sa_write(\n-\t\tsa, qp, ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_INBOUND, ctx_len);\n+\treturn 0;\n }\n \n static inline int\ndiff --git a/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h\nindex df89aaca4e..bbb4404a89 100644\n--- a/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h\n+++ b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h\n@@ -20,7 +20,7 @@ ipsec_po_out_rlen_get(struct cn9k_ipsec_sa *sa, uint32_t plen)\n \tenc_payload_len = RTE_ALIGN_CEIL(plen + sa->rlens.roundup_len,\n \t\t\t\t\t sa->rlens.roundup_byte);\n \n-\treturn sa->rlens.partial_len + enc_payload_len;\n+\treturn sa->custom_hdr_len + sa->rlens.partial_len + enc_payload_len;\n }\n \n static __rte_always_inline int\n@@ -41,8 +41,8 @@ ipsec_antireplay_check(struct cn9k_ipsec_sa *sa, uint32_t win_sz,\n \tctl = &common_sa->ctl;\n \n \tesn = ctl->esn_en;\n-\tesn_low = rte_be_to_cpu_32(common_sa->esn_low);\n-\tesn_hi = rte_be_to_cpu_32(common_sa->esn_hi);\n+\tesn_low = rte_be_to_cpu_32(common_sa->seq_t.tl);\n+\tesn_hi = rte_be_to_cpu_32(common_sa->seq_t.th);\n \n \tesp = rte_pktmbuf_mtod_offset(m, void *, sizeof(struct rte_ipv4_hdr));\n \tseql = rte_be_to_cpu_32(esp->seq);\n@@ -62,8 +62,8 @@ ipsec_antireplay_check(struct cn9k_ipsec_sa *sa, uint32_t win_sz,\n \tif (esn && !ret) {\n \t\tseq_in_sa = ((uint64_t)esn_hi << 32) | esn_low;\n \t\tif (seq > seq_in_sa) {\n-\t\t\tcommon_sa->esn_low = rte_cpu_to_be_32(seql);\n-\t\t\tcommon_sa->esn_hi = rte_cpu_to_be_32(seqh);\n+\t\t\tcommon_sa->seq_t.tl = rte_cpu_to_be_32(seql);\n+\t\t\tcommon_sa->seq_t.th = rte_cpu_to_be_32(seqh);\n \t\t}\n \t}\n \n@@ -77,13 +77,10 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,\n \tconst unsigned int hdr_len = sa->custom_hdr_len;\n \tstruct rte_crypto_sym_op *sym_op = cop->sym;\n \tstruct rte_mbuf *m_src = sym_op->m_src;\n-\tstruct roc_ie_on_outb_sa *out_sa;\n \tstruct roc_ie_on_outb_hdr *hdr;\n \tuint32_t dlen, rlen;\n \tint32_t extend_tail;\n \n-\tout_sa = &sa->out_sa;\n-\n \tdlen = rte_pktmbuf_pkt_len(m_src) + hdr_len;\n \trlen = ipsec_po_out_rlen_get(sa, dlen - hdr_len);\n \n@@ -114,8 +111,7 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,\n \n \thdr->seq = rte_cpu_to_be_32(sa->seq_lo);\n \thdr->ip_id = rte_cpu_to_be_32(sa->ip_id);\n-\n-\tout_sa->common_sa.esn_hi = sa->seq_hi;\n+\thdr->esn = rte_cpu_to_be_32(sa->seq_hi);\n \n \tsa->ip_id++;\n \tsa->esn++;\ndiff --git a/drivers/crypto/cnxk/cnxk_cryptodev_ops.h b/drivers/crypto/cnxk/cnxk_cryptodev_ops.h\nindex 7ece0214dc..ec99e6d660 100644\n--- a/drivers/crypto/cnxk/cnxk_cryptodev_ops.h\n+++ b/drivers/crypto/cnxk/cnxk_cryptodev_ops.h\n@@ -33,6 +33,7 @@ struct cpt_qp_meta_info {\n #define CPT_OP_FLAGS_METABUF\t (1 << 1)\n #define CPT_OP_FLAGS_AUTH_VERIFY (1 << 0)\n #define CPT_OP_FLAGS_IPSEC_DIR_INBOUND (1 << 2)\n+#define CPT_OP_FLAGS_IPSEC_INB_ESN (1 << 3)\n \n struct cpt_inflight_req {\n \tunion cpt_res_s res;\n", "prefixes": [ "1/3" ] }