diff mbox series

[v3,16/29] crypto/cnxk: add skip for unsupported cases

Message ID	1639732811-1440-17-git-send-email-anoobj@marvell.com (mailing list archive)
State	Accepted, archived
Delegated to:	akhil goyal
Headers	From: Anoob Joseph <anoobj@marvell.com> To: Akhil Goyal <gakhil@marvell.com>, Jerin Jacob <jerinj@marvell.com> CC: Anoob Joseph <anoobj@marvell.com>, Archana Muniganti <marchana@marvell.com>, Tejasree Kondoj <ktejasree@marvell.com>, <dev@dpdk.org> Subject: [PATCH v3 16/29] crypto/cnxk: add skip for unsupported cases Date: Fri, 17 Dec 2021 14:49:58 +0530 Message-ID: <1639732811-1440-17-git-send-email-anoobj@marvell.com> In-Reply-To: <1639732811-1440-1-git-send-email-anoobj@marvell.com> References: <1639676975-1316-1-git-send-email-anoobj@marvell.com> <1639732811-1440-1-git-send-email-anoobj@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain Precedence: list Errors-To: dev-bounces@dpdk.org
Series	New features and improvements in cnxk crypto PMD \| [v3,00/29] New features and improvements in cnxk crypto PMD [v3,01/29] common/cnxk: define minor opcodes for MISC opcode [v3,02/29] common/cnxk: add aes-xcbc key derive [v3,03/29] common/cnxk: add bit fields for params [v3,04/29] common/cnxk: fix reset of fields [v3,05/29] common/cnxk: verify input args [v3,06/29] common/cnxk: update completion code [v3,07/29] crypto/cnxk: only enable queues that are allocated [v3,08/29] crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA256 support [v3,09/29] crypto/cnxk: clear session data before populating [v3,10/29] crypto/cnxk: update max sec crypto caps [v3,11/29] crypto/cnxk: write CPT CTX through microcode op [v3,12/29] crypto/cnxk: support cnxk lookaside IPsec HMAC-SHA384/512 [v3,13/29] crypto/cnxk: account for CPT CTX updates and flush delays [v3,14/29] crypto/cnxk: use struct sizes for ctx writes [v3,15/29] crypto/cnxk: add security session stats get [v3,16/29] crypto/cnxk: add skip for unsupported cases [v3,17/29] crypto/cnxk: add context reload for IV [v3,18/29] crypto/cnxk: handle null chained ops [v3,19/29] crypto/cnxk: fix inflight cnt calculation [v3,20/29] crypto/cnxk: use atomics to access CPT res [v3,21/29] crypto/cnxk: add more info on command timeout [v3,22/29] crypto/cnxk: support lookaside IPsec AES-CTR [v3,23/29] crypto/cnxk: fix extend tail calculation [v3,24/29] crypto/cnxk: add aes xcbc and null cipher [v3,25/29] crypto/cnxk: add copy and set DF [v3,26/29] crypto/cnxk: add aes cmac [v3,27/29] crypto/cnxk: add per pkt IV in lookaside IPsec debug mode [v3,28/29] crypto/cnxk: enable copy dscp [v3,29/29] crypto/cnxk: update microcode completion handling

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK

Commit Message

Anoob Joseph Dec. 17, 2021, 9:19 a.m. UTC

  Add skip for transport mode tests that are not supported. Also,
updated the transport mode path to configure IP version as v4.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
 drivers/crypto/cnxk/cn9k_ipsec.c | 53 +++++++++++++++++++++++++++++++++++-----
 1 file changed, 47 insertions(+), 6 deletions(-)

diff mbox series

Patch

diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index 395b0d5..c27845c 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -141,11 +141,10 @@  ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
 			return -EINVAL;
 	}
 
-	ctl->inner_ip_ver = ctl->outer_ip_ver;
-
-	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) {
 		ctl->ipsec_mode = ROC_IE_SA_MODE_TRANSPORT;
-	else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+		ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
+	} else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
 		ctl->ipsec_mode = ROC_IE_SA_MODE_TUNNEL;
 	else
 		return -EINVAL;
@@ -548,7 +547,8 @@  cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
 }
 
 static inline int
-cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
+cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec,
+			struct rte_crypto_sym_xform *crypto)
 {
 	if (ipsec->life.bytes_hard_limit != 0 ||
 	    ipsec->life.bytes_soft_limit != 0 ||
@@ -556,6 +556,47 @@  cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
 	    ipsec->life.packets_soft_limit != 0)
 		return -ENOTSUP;
 
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) {
+		enum rte_crypto_sym_xform_type type = crypto->type;
+
+		if (type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+			if ((crypto->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) &&
+			    (crypto->aead.key.length == 32)) {
+				plt_err("Transport mode AES-256-GCM is not supported");
+				return -ENOTSUP;
+			}
+		} else {
+			struct rte_crypto_cipher_xform *cipher;
+			struct rte_crypto_auth_xform *auth;
+
+			if (crypto->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
+				cipher = &crypto->cipher;
+				auth = &crypto->next->auth;
+			} else {
+				cipher = &crypto->next->cipher;
+				auth = &crypto->auth;
+			}
+
+			if ((cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) &&
+			    (auth->algo == RTE_CRYPTO_AUTH_SHA256_HMAC)) {
+				plt_err("Transport mode AES-CBC SHA2 HMAC 256 is not supported");
+				return -ENOTSUP;
+			}
+
+			if ((cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) &&
+			    (auth->algo == RTE_CRYPTO_AUTH_SHA384_HMAC)) {
+				plt_err("Transport mode AES-CBC SHA2 HMAC 384 is not supported");
+				return -ENOTSUP;
+			}
+
+			if ((cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) &&
+			    (auth->algo == RTE_CRYPTO_AUTH_SHA512_HMAC)) {
+				plt_err("Transport mode AES-CBC SHA2 HMAC 512 is not supported");
+				return -ENOTSUP;
+			}
+		}
+	}
+
 	return 0;
 }
 
@@ -580,7 +621,7 @@  cn9k_ipsec_session_create(void *dev,
 	if (ret)
 		return ret;
 
-	ret = cn9k_ipsec_xform_verify(ipsec_xform);
+	ret = cn9k_ipsec_xform_verify(ipsec_xform, crypto_xform);
 	if (ret)
 		return ret;