From patchwork Wed Aug 23 07:08:54 2023
X-Patchwork-Submitter: Hemant Agrawal
X-Patchwork-Id: 130673
X-Patchwork-Delegate: gakhil@marvell.com
From: Hemant Agrawal
To: dev@dpdk.org
Cc: gakhil@marvell.com
Subject: [PATCH 11/12] crypto/dpaa2_sec: add NAT-T support in IPsec offload
Date: Wed, 23 Aug 2023 12:38:54 +0530
Message-Id: <20230823070855.27532-12-hemant.agrawal@nxp.com>
In-Reply-To: <20230823070855.27532-1-hemant.agrawal@nxp.com>
References: <20230823070855.27532-1-hemant.agrawal@nxp.com>

This patch adds support for UDP encapsulation in NAT-T for IPSEC security protocol offload case.

Signed-off-by: Hemant Agrawal
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 101 ++++++++++++++------
 drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 3 +
 2 files changed, 75 insertions(+), 29 deletions(-)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c index 7fd15de1a5..675ee49489 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c @@ -10,6 +10,7 @@ #include #include +#include #include #include #include @@ -3162,9 +3163,9 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, session->ctxt_type = DPAA2_SEC_IPSEC; if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { - uint8_t *hdr = NULL; - struct ip ip4_hdr; - struct rte_ipv6_hdr ip6_hdr; + uint8_t hdr[48] = {}; + struct rte_ipv4_hdr *ip4_hdr; + struct rte_ipv6_hdr *ip6_hdr; struct ipsec_encap_pdb encap_pdb; flc->dhr = SEC_FLC_DHR_OUTBOUND; 
@@ -3187,38 +3188,77 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) | PDBOPTS_ESP_OIHI_PDB_INL | - PDBOPTS_ESP_IVSRC | PDBHMO_ESP_SNR; - if (ipsec_xform->options.dec_ttl) - encap_pdb.options |= PDBHMO_ESP_ENCAP_DTTL; + + if (ipsec_xform->options.iv_gen_disable == 0) + encap_pdb.options |= PDBOPTS_ESP_IVSRC; if (ipsec_xform->options.esn) encap_pdb.options |= PDBOPTS_ESP_ESN; if (ipsec_xform->options.copy_dscp) encap_pdb.options |= PDBOPTS_ESP_DIFFSERV; + if (ipsec_xform->options.ecn) + encap_pdb.options |= PDBOPTS_ESP_TECN; encap_pdb.spi = ipsec_xform->spi; session->dir = DIR_ENC; if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { if (ipsec_xform->options.copy_df) encap_pdb.options |= PDBHMO_ESP_DFBIT; - encap_pdb.ip_hdr_len = sizeof(struct ip); - ip4_hdr.ip_v = IPVERSION; - ip4_hdr.ip_hl = 5; - ip4_hdr.ip_len = rte_cpu_to_be_16(sizeof(ip4_hdr)); - ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; - ip4_hdr.ip_id = 0; - ip4_hdr.ip_off = 0; - ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; - ip4_hdr.ip_p = IPPROTO_ESP; - ip4_hdr.ip_sum = 0; - ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; - ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; - ip4_hdr.ip_sum = calc_chksum((uint16_t *)(void *) - &ip4_hdr, sizeof(struct ip)); - hdr = (uint8_t *)&ip4_hdr; + ip4_hdr = (struct rte_ipv4_hdr *)&hdr; + + encap_pdb.ip_hdr_len = sizeof(struct rte_ipv4_hdr); + ip4_hdr->version_ihl = RTE_IPV4_VHL_DEF; + ip4_hdr->time_to_live = ipsec_xform->tunnel.ipv4.ttl; + ip4_hdr->type_of_service = + ipsec_xform->tunnel.ipv4.dscp; + ip4_hdr->hdr_checksum = 0; + ip4_hdr->packet_id = 0; + ip4_hdr->fragment_offset = 0; + memcpy(&ip4_hdr->src_addr, + &ipsec_xform->tunnel.ipv4.src_ip, + sizeof(struct in_addr)); + memcpy(&ip4_hdr->dst_addr, + &ipsec_xform->tunnel.ipv4.dst_ip, + sizeof(struct in_addr)); + if (ipsec_xform->options.udp_encap) { + uint16_t sport, dport; + struct rte_udp_hdr *uh = + (struct rte_udp_hdr *) 
(ip4_hdr + + sizeof(struct rte_ipv4_hdr)); + + sport = ipsec_xform->udp.sport ? + ipsec_xform->udp.sport : 4500; + dport = ipsec_xform->udp.dport ? + ipsec_xform->udp.dport : 4500; + uh->src_port = rte_cpu_to_be_16(sport); + uh->dst_port = rte_cpu_to_be_16(dport); + uh->dgram_len = 0; + uh->dgram_cksum = 0; + + ip4_hdr->next_proto_id = IPPROTO_UDP; + ip4_hdr->total_length = + rte_cpu_to_be_16( + sizeof(struct rte_ipv4_hdr) + + sizeof(struct rte_udp_hdr)); + encap_pdb.ip_hdr_len += + sizeof(struct rte_udp_hdr); + encap_pdb.options |= + PDBOPTS_ESP_NAT | PDBOPTS_ESP_NUC; + } else { + ip4_hdr->total_length = + rte_cpu_to_be_16( + sizeof(struct rte_ipv4_hdr)); + ip4_hdr->next_proto_id = IPPROTO_ESP; + } + + ip4_hdr->hdr_checksum = calc_chksum((uint16_t *) + (void *)ip4_hdr, sizeof(struct rte_ipv4_hdr)); + } else if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) { - ip6_hdr.vtc_flow = rte_cpu_to_be_32( + ip6_hdr = (struct rte_ipv6_hdr *)&hdr; + + ip6_hdr->vtc_flow = rte_cpu_to_be_32( DPAA2_IPv6_DEFAULT_VTC_FLOW | ((ipsec_xform->tunnel.ipv6.dscp << RTE_IPV6_HDR_TC_SHIFT) & @@ -3227,18 +3267,17 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, RTE_IPV6_HDR_FL_SHIFT) & RTE_IPV6_HDR_FL_MASK)); /* Payload length will be updated by HW */ - ip6_hdr.payload_len = 0; - ip6_hdr.hop_limits = - ipsec_xform->tunnel.ipv6.hlimit; - ip6_hdr.proto = (ipsec_xform->proto == + ip6_hdr->payload_len = 0; + ip6_hdr->hop_limits = ipsec_xform->tunnel.ipv6.hlimit ? + ipsec_xform->tunnel.ipv6.hlimit : 0x40; + ip6_hdr->proto = (ipsec_xform->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? IPPROTO_ESP : IPPROTO_AH; - memcpy(&ip6_hdr.src_addr, + memcpy(&ip6_hdr->src_addr, &ipsec_xform->tunnel.ipv6.src_addr, 16); - memcpy(&ip6_hdr.dst_addr, + memcpy(&ip6_hdr->dst_addr, &ipsec_xform->tunnel.ipv6.dst_addr, 16); encap_pdb.ip_hdr_len = sizeof(struct rte_ipv6_hdr); - hdr = (uint8_t *)&ip6_hdr; } bufsize = cnstr_shdsc_ipsec_new_encap(priv->flc_desc[0].desc, 
@@ -3277,6 +3316,10 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, decap_pdb.options |= PDBOPTS_ESP_ESN; if (ipsec_xform->options.copy_dscp) decap_pdb.options |= PDBOPTS_ESP_DIFFSERV; + if (ipsec_xform->options.ecn) + decap_pdb.options |= PDBOPTS_ESP_TECN; + if (ipsec_xform->options.dec_ttl) + decap_pdb.options |= PDBHMO_ESP_DECAP_DTTL; if (ipsec_xform->replay_win_sz) { uint32_t win_sz; diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h index d3e2df72b0..cf6542a222 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h @@ -930,6 +930,7 @@ static const struct rte_security_capability dpaa2_sec_security_cap[] = { .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .options = { + .udp_encap = 1, .copy_df = 1, .copy_dscp = 1, .esn = 1, @@ -946,6 +947,8 @@ static const struct rte_security_capability dpaa2_sec_security_cap[] = { .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, .options = { + .iv_gen_disable = 1, + .udp_encap = 1, .copy_df = 1, .copy_dscp = 1, .esn = 1,
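
Review bot: In the egress declarations hunk (@@ -3162), uint8_t hdr[48] uses a bare 48 with nothing to say what it has to hold. The headers built further down are 20 bytes (IPv4), 28 bytes (IPv4 plus UDP) and 40 bytes (IPv6), so the size should be derived, for example sizeof(struct rte_ipv6_hdr) + sizeof(struct rte_udp_hdr), or given a named macro with a comment. The "= {}" empty initializer is also not standard C before C23; "= {0}" is portable. The later casts take &hdr (pointer to the array) where plain hdr is what is meant.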
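
Review bot: In the udp_encap block of the IPv4 branch (@@ -3187), the UDP header pointer is computed as (ip4_hdr + sizeof(struct rte_ipv4_hdr)) while ip4_hdr is a struct rte_ipv4_hdr *, so the addition is scaled by the struct size and points 20 * 20 = 400 bytes past the start of the 48-byte hdr array. The four uh-> stores (src_port, dst_port, dgram_len, dgram_cksum) then write outside the stack buffer, and the bytes that follow the IPv4 header inside hdr stay zero, so the UDP ports never reach the descriptor. Compute the pointer from the byte array, hdr + sizeof(struct rte_ipv4_hdr), or use (ip4_hdr + 1), and add a check that encap_pdb.ip_hdr_len never exceeds sizeof(hdr).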
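
Review bot: The IPv6 branch (@@ -3227) never looks at ipsec_xform->options.udp_encap, yet the capability entries changed in dpaa2_sec_priv.h advertise udp_encap = 1 for tunnel mode without restricting the tunnel type. An IPv6 tunnel SA created with udp_encap set would be programmed as plain ESP with no error returned to the caller. Either build the UDP header here as well (40 + 8 bytes fits in hdr[48]) or reject the combination explicitly, for example with -ENOTSUP. The new 0x40 default for hop_limits would also read better as a named constant.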
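
Review bot: In the decap options hunk (@@ -3277), dec_ttl handling (PDBHMO_ESP_DECAP_DTTL) and the ECN flag are added on ingress, while the encap hunk drops PDBHMO_ESP_ENCAP_DTTL from egress and adds the iv_gen_disable and ecn checks there. None of this is NAT-T and the commit message mentions none of it. After this change an egress SA that sets dec_ttl no longer gets any TTL option programmed. Split these into their own patch, or describe them in the commit log with the reason for moving dec_ttl from encap to decap.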
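
Review bot: In the INGRESS capability entry of dpaa2_sec_priv.h (@@ -946), iv_gen_disable = 1 is advertised, but the only code in this patch that reads options.iv_gen_disable is the egress encap path (the PDBOPTS_ESP_IVSRC condition), and the EGRESS entry (@@ -930) does not gain it. It looks as if the flag was added to the wrong entry. The ingress entry also advertises udp_encap = 1 although the decap hunk adds no handling for it; please confirm the inbound descriptor accepts UDP-encapsulated ESP, or drop the ingress capability until it does.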