From patchwork Wed Sep 20 13:34:01 2023
X-Patchwork-Submitter: Hemant Agrawal
X-Patchwork-Id: 131739
X-Patchwork-Delegate: gakhil@marvell.com
From: Hemant Agrawal
To: gakhil@marvell.com
Cc: dev@dpdk.org
Subject: [PATCH v2 11/13] crypto/dpaa2_sec: add NAT-T support in IPsec offload
Date: Wed, 20 Sep 2023 19:04:01 +0530
Message-Id: <20230920133403.6420-12-hemant.agrawal@nxp.com>
In-Reply-To: <20230920133403.6420-1-hemant.agrawal@nxp.com>
References: <20230823070855.27532-1-hemant.agrawal@nxp.com> <20230920133403.6420-1-hemant.agrawal@nxp.com>

This patch adds support for UDP encapsulation in NAT-T for IPSEC security protocol offload case.

Signed-off-by: Hemant Agrawal
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 101 ++++++++++++++------
 drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 3 +
 2 files changed, 75 insertions(+), 29 deletions(-)

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c index 85830347c6..809c357423 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c @@ -10,6 +10,7 @@ #include #include +#include #include #include #include @@ -3162,9 +3163,9 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, session->ctxt_type = DPAA2_SEC_IPSEC; if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { - uint8_t *hdr = NULL; - struct ip ip4_hdr; - struct rte_ipv6_hdr ip6_hdr; + uint8_t hdr[48] = {}; + struct rte_ipv4_hdr *ip4_hdr; + struct rte_ipv6_hdr *ip6_hdr; struct ipsec_encap_pdb encap_pdb; flc->dhr = SEC_FLC_DHR_OUTBOUND; 
@@ -3187,38 +3188,77 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) | PDBOPTS_ESP_OIHI_PDB_INL | - PDBOPTS_ESP_IVSRC | PDBHMO_ESP_SNR; - if (ipsec_xform->options.dec_ttl) - encap_pdb.options |= PDBHMO_ESP_ENCAP_DTTL; + + if (ipsec_xform->options.iv_gen_disable == 0) + encap_pdb.options |= PDBOPTS_ESP_IVSRC; if (ipsec_xform->options.esn) encap_pdb.options |= PDBOPTS_ESP_ESN; if (ipsec_xform->options.copy_dscp) encap_pdb.options |= PDBOPTS_ESP_DIFFSERV; + if (ipsec_xform->options.ecn) + encap_pdb.options |= PDBOPTS_ESP_TECN; encap_pdb.spi = ipsec_xform->spi; session->dir = DIR_ENC; if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { if (ipsec_xform->options.copy_df) encap_pdb.options |= PDBHMO_ESP_DFBIT; - encap_pdb.ip_hdr_len = sizeof(struct ip); - ip4_hdr.ip_v = IPVERSION; - ip4_hdr.ip_hl = 5; - ip4_hdr.ip_len = rte_cpu_to_be_16(sizeof(ip4_hdr)); - ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; - ip4_hdr.ip_id = 0; - ip4_hdr.ip_off = 0; - ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; - ip4_hdr.ip_p = IPPROTO_ESP; - ip4_hdr.ip_sum = 0; - ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; - ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; - ip4_hdr.ip_sum = calc_chksum((uint16_t *)(void *) - &ip4_hdr, sizeof(struct ip)); - hdr = (uint8_t *)&ip4_hdr; + ip4_hdr = (struct rte_ipv4_hdr *)hdr; + + encap_pdb.ip_hdr_len = sizeof(struct rte_ipv4_hdr); + ip4_hdr->version_ihl = RTE_IPV4_VHL_DEF; + ip4_hdr->time_to_live = ipsec_xform->tunnel.ipv4.ttl; + ip4_hdr->type_of_service = + ipsec_xform->tunnel.ipv4.dscp; + ip4_hdr->hdr_checksum = 0; + ip4_hdr->packet_id = 0; + ip4_hdr->fragment_offset = 0; + memcpy(&ip4_hdr->src_addr, + &ipsec_xform->tunnel.ipv4.src_ip, + sizeof(struct in_addr)); + memcpy(&ip4_hdr->dst_addr, + &ipsec_xform->tunnel.ipv4.dst_ip, + sizeof(struct in_addr)); + if (ipsec_xform->options.udp_encap) { + uint16_t sport, dport; + struct rte_udp_hdr *uh = + (struct rte_udp_hdr *) 
(hdr + + sizeof(struct rte_ipv4_hdr)); + + sport = ipsec_xform->udp.sport ? + ipsec_xform->udp.sport : 4500; + dport = ipsec_xform->udp.dport ? + ipsec_xform->udp.dport : 4500; + uh->src_port = rte_cpu_to_be_16(sport); + uh->dst_port = rte_cpu_to_be_16(dport); + uh->dgram_len = 0; + uh->dgram_cksum = 0; + + ip4_hdr->next_proto_id = IPPROTO_UDP; + ip4_hdr->total_length = + rte_cpu_to_be_16( + sizeof(struct rte_ipv4_hdr) + + sizeof(struct rte_udp_hdr)); + encap_pdb.ip_hdr_len += + sizeof(struct rte_udp_hdr); + encap_pdb.options |= + PDBOPTS_ESP_NAT | PDBOPTS_ESP_NUC; + } else { + ip4_hdr->total_length = + rte_cpu_to_be_16( + sizeof(struct rte_ipv4_hdr)); + ip4_hdr->next_proto_id = IPPROTO_ESP; + } + + ip4_hdr->hdr_checksum = calc_chksum((uint16_t *) + (void *)ip4_hdr, sizeof(struct rte_ipv4_hdr)); + } else if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) { - ip6_hdr.vtc_flow = rte_cpu_to_be_32( + ip6_hdr = (struct rte_ipv6_hdr *)hdr; + + ip6_hdr->vtc_flow = rte_cpu_to_be_32( DPAA2_IPv6_DEFAULT_VTC_FLOW | ((ipsec_xform->tunnel.ipv6.dscp << RTE_IPV6_HDR_TC_SHIFT) & @@ -3227,18 +3267,17 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, RTE_IPV6_HDR_FL_SHIFT) & RTE_IPV6_HDR_FL_MASK)); /* Payload length will be updated by HW */ - ip6_hdr.payload_len = 0; - ip6_hdr.hop_limits = - ipsec_xform->tunnel.ipv6.hlimit; - ip6_hdr.proto = (ipsec_xform->proto == + ip6_hdr->payload_len = 0; + ip6_hdr->hop_limits = ipsec_xform->tunnel.ipv6.hlimit ? + ipsec_xform->tunnel.ipv6.hlimit : 0x40; + ip6_hdr->proto = (ipsec_xform->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? IPPROTO_ESP : IPPROTO_AH; - memcpy(&ip6_hdr.src_addr, + memcpy(&ip6_hdr->src_addr, &ipsec_xform->tunnel.ipv6.src_addr, 16); - memcpy(&ip6_hdr.dst_addr, + memcpy(&ip6_hdr->dst_addr, &ipsec_xform->tunnel.ipv6.dst_addr, 16); encap_pdb.ip_hdr_len = sizeof(struct rte_ipv6_hdr); - hdr = (uint8_t *)&ip6_hdr; } bufsize = cnstr_shdsc_ipsec_new_encap(priv->flc_desc[0].desc, 
@@ -3277,6 +3316,10 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, decap_pdb.options |= PDBOPTS_ESP_ESN; if (ipsec_xform->options.copy_dscp) decap_pdb.options |= PDBOPTS_ESP_DIFFSERV; + if (ipsec_xform->options.ecn) + decap_pdb.options |= PDBOPTS_ESP_TECN; + if (ipsec_xform->options.dec_ttl) + decap_pdb.options |= PDBHMO_ESP_DECAP_DTTL; if (ipsec_xform->replay_win_sz) { uint32_t win_sz; diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h index d3e2df72b0..cf6542a222 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h @@ -930,6 +930,7 @@ static const struct rte_security_capability dpaa2_sec_security_cap[] = { .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .options = { + .udp_encap = 1, .copy_df = 1, .copy_dscp = 1, .esn = 1, @@ -946,6 +947,8 @@ static const struct rte_security_capability dpaa2_sec_security_cap[] = { .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, .options = { + .iv_gen_disable = 1, + .udp_encap = 1, .copy_df = 1, .copy_dscp = 1, .esn = 1,
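
Review bot: In the hunk at @@ -3162,9 +3163,9, `uint8_t hdr[48] = {};` sizes the header template with a bare number, and nothing ties 48 to what is later written into it. The layouts this patch builds are `sizeof(struct rte_ipv4_hdr) + sizeof(struct rte_udp_hdr)` and `sizeof(struct rte_ipv6_hdr)`; please derive the array size from those types (or a named macro built from them) so a later change to the layout cannot write past the array unnoticed. The empty initializer `{}` is also not standard C before C23; `{0}` is the portable spelling.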
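
Review bot: The hunk at @@ -3187,38 +3188,77 removes `if (ipsec_xform->options.dec_ttl) encap_pdb.options |= PDBHMO_ESP_ENCAP_DTTL;` from the egress path and makes `PDBOPTS_ESP_IVSRC` conditional on `iv_gen_disable`, and neither change is mentioned in a commit message that only describes UDP encapsulation for NAT-T. An application that sets `dec_ttl` on an egress SA loses the TTL decrement with no error after this patch. Please split these into their own patch or describe the behaviour change in the log. In the UDP block, `uh->dgram_len = 0` and the fixed `total_length` would benefit from a comment saying the hardware fills them in, as the IPv6 branch already has for `payload_len`, and the literal 4500 would read better as a named constant.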
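
Review bot: The IPv6 branch in the hunk at @@ -3227,18 +3267,17 never checks `ipsec_xform->options.udp_encap`, so an IPv6 tunnel SA created with that option gets plain ESP with no UDP header and no error, while the egress capability in dpaa2_sec_priv.h now advertises `.udp_encap = 1` for tunnel mode. Either build the UDP header here as the IPv4 branch does, or reject the combination with an error before the descriptor is constructed. Separately, `hop_limits` now defaults to 0x40 when `hlimit` is 0, but the IPv4 `time_to_live` in the previous hunk is still copied unchanged; please apply the same default to both address families or to neither.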
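
Review bot: In dpaa2_sec_priv.h, the hunk at @@ -946,6 +947,8 adds `.iv_gen_disable = 1` to the `RTE_SECURITY_IPSEC_SA_DIR_INGRESS` capability, but the only code in this patch that reads `options.iv_gen_disable` is in the egress branch of dpaa2_sec_set_ipsec_session(), and the egress capability (hunk at @@ -930,6 +930,7) gains only `.udp_encap`. It looks like the flag landed in the wrong entry; please move it to the egress capability or explain what it means on ingress. The same ingress entry advertises `.udp_encap = 1` while the decap hunk adds only the ECN and DTTL options, so please confirm that decapsulating UDP-encapsulated ESP needs no PDB change.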