From patchwork Thu Sep 5 12:48:05 2019 X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 58650 X-Patchwork-Delegate: gakhil@marvell.com
From: Akhil Goyal To: dev@dpdk.org Cc: hemant.agrawal@nxp.com, konstantin.ananyev@intel.com, Akhil Goyal Date: Thu, 5 Sep 2019 18:18:05 +0530 Message-Id: <20190905124807.22158-2-akhil.goyal@nxp.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190905124807.22158-1-akhil.goyal@nxp.com> References: <20190805082205.10794-1-akhil.goyal@nxp.com> <20190905124807.22158-1-akhil.goyal@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Subject: [dpdk-dev] [PATCH v3 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" outer IP header is formed at the time of session initialization using the ipsec xform. This outer IP header will be appended by hardware for each packet. Signed-off-by: Akhil Goyal --- drivers/crypto/dpaa_sec/dpaa_sec.c | 71 ++++++++++++++++++++++-------- drivers/crypto/dpaa_sec/dpaa_sec.h | 7 ++- 2 files changed, 59 insertions(+), 19 deletions(-) diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c index 122c80a07..e6f57ce3d 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.c +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c 
@@ -2230,26 +2230,58 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, } if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { - memset(&session->encap_pdb, 0, sizeof(struct ipsec_encap_pdb) + + if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + memset(&session->encap_pdb, 0, + sizeof(struct ipsec_encap_pdb) + sizeof(session->ip4_hdr)); - session->ip4_hdr.ip_v = IPVERSION; - session->ip4_hdr.ip_hl = 5; - session->ip4_hdr.ip_len = rte_cpu_to_be_16( + session->ip4_hdr.ip_v = IPVERSION; + session->ip4_hdr.ip_hl = 5; + session->ip4_hdr.ip_len = rte_cpu_to_be_16( sizeof(session->ip4_hdr)); - session->ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; - session->ip4_hdr.ip_id = 0; - session->ip4_hdr.ip_off = 0; - session->ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; - session->ip4_hdr.ip_p = (ipsec_xform->proto == - RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? IPPROTO_ESP - : IPPROTO_AH; - session->ip4_hdr.ip_sum = 0; - session->ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; - session->ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; - session->ip4_hdr.ip_sum = calc_chksum((uint16_t *) + session->ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; + session->ip4_hdr.ip_id = 0; + session->ip4_hdr.ip_off = 0; + session->ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; + session->ip4_hdr.ip_p = (ipsec_xform->proto == + RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? 
+ IPPROTO_ESP : IPPROTO_AH; + session->ip4_hdr.ip_sum = 0; + session->ip4_hdr.ip_src = + ipsec_xform->tunnel.ipv4.src_ip; + session->ip4_hdr.ip_dst = + ipsec_xform->tunnel.ipv4.dst_ip; + session->ip4_hdr.ip_sum = calc_chksum((uint16_t *) (void *)&session->ip4_hdr, sizeof(struct ip)); - + session->encap_pdb.ip_hdr_len = sizeof(struct ip); + } else if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV6) { + memset(&session->encap_pdb, 0, + sizeof(struct ipsec_encap_pdb) + + sizeof(session->ip6_hdr)); + session->ip6_hdr.vtc_flow = rte_cpu_to_be_32( + DPAA_IPv6_DEFAULT_VTC_FLOW | + ((ipsec_xform->tunnel.ipv6.dscp << + RTE_IPV6_HDR_TC_SHIFT) & + RTE_IPV6_HDR_TC_MASK) | + ((ipsec_xform->tunnel.ipv6.flabel << + RTE_IPV6_HDR_FL_SHIFT) & + RTE_IPV6_HDR_FL_MASK)); + /* Payload length will be updated by HW */ + session->ip6_hdr.payload_len = 0; + session->ip6_hdr.hop_limits = + ipsec_xform->tunnel.ipv6.hlimit; + session->ip6_hdr.proto = (ipsec_xform->proto == + RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? + IPPROTO_ESP : IPPROTO_AH; + memcpy(&session->ip6_hdr.src_addr, + &ipsec_xform->tunnel.ipv6.src_addr, 16); + memcpy(&session->ip6_hdr.dst_addr, + &ipsec_xform->tunnel.ipv6.dst_addr, 16); + session->encap_pdb.ip_hdr_len = + sizeof(struct rte_ipv6_hdr); + } session->encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) | PDBOPTS_ESP_OIHI_PDB_INL | 
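Review bot: There is no final else after the RTE_SECURITY_IPSEC_TUNNEL_IPV4 / RTE_SECURITY_IPSEC_TUNNEL_IPV6 checks in the egress branch of dpaa_sec_set_ipsec_session, so a tunnel.type that matches neither now skips the memset of session->encap_pdb, which previously ran unconditionally. In that case encap_pdb.options and encap_pdb.spi are written into a PDB that this function never cleared, and encap_pdb.ip_hdr_len is never set. Suggest a trailing else that fails session setup through the existing `goto out` path, or hoisting the memset above the type check. As a smaller point, the two memcpy calls use the literal 16; `sizeof(session->ip6_hdr.src_addr)` would tie the length to the header definition.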
@@ -2257,13 +2289,16 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, PDBHMO_ESP_ENCAP_DTTL | PDBHMO_ESP_SNR; session->encap_pdb.spi = ipsec_xform->spi; - session->encap_pdb.ip_hdr_len = sizeof(struct ip); session->dir = DIR_ENC; } else if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { memset(&session->decap_pdb, 0, sizeof(struct ipsec_decap_pdb)); - session->decap_pdb.options = sizeof(struct ip) << 16; + if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) + session->decap_pdb.options = sizeof(struct ip) << 16; + else + session->decap_pdb.options = + sizeof(struct rte_ipv6_hdr) << 16; session->dir = DIR_DEC; } else goto out; diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h index 75c0960a9..08e7d66e5 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.h +++ b/drivers/crypto/dpaa_sec/dpaa_sec.h @@ -19,6 +19,8 @@ #define AES_CTR_IV_LEN 16 #define AES_GCM_IV_LEN 12 +#define DPAA_IPv6_DEFAULT_VTC_FLOW 0x60000000 + /* Minimum job descriptor consists of a oneword job descriptor HEADER and * a pointer to the shared descriptor. */ 
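Review bot: The ingress branch in the @@ -2257 hunk uses a bare else for the IPv6 case, so every tunnel.type other than RTE_SECURITY_IPSEC_TUNNEL_IPV4 is programmed with `sizeof(struct rte_ipv6_hdr) << 16`, while the egress side tests RTE_SECURITY_IPSEC_TUNNEL_IPV6 explicitly. Suggest `else if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)` followed by a final else that takes the existing `goto out` path, so both directions reject the same inputs. The new DPAA_IPv6_DEFAULT_VTC_FLOW define in dpaa_sec.h would also benefit from a one-line comment saying that 0x60000000 is version 6 in the top four bits of vtc_flow with traffic class and flow label left at zero.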
@@ -139,7 +141,10 @@ typedef struct dpaa_sec_session_entry { uint32_t digest_length; struct ipsec_decap_pdb decap_pdb; struct ipsec_encap_pdb encap_pdb; - struct ip ip4_hdr; + union { + struct ip ip4_hdr; + struct rte_ipv6_hdr ip6_hdr; + }; }; struct sec_pdcp_ctxt pdcp; }; From patchwork Thu Sep 5 12:48:06 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 58651 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 23E7F1EFFE; Thu, 5 Sep 2019 15:02:36 +0200 (CEST) Received: from inva020.nxp.com (inva020.nxp.com [92.121.34.13]) by dpdk.org (Postfix) with ESMTP id BE7851EFF3 for ; Thu, 5 Sep 2019 15:02:31 +0200 (CEST) Received: from inva020.nxp.com (localhost [127.0.0.1]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 4A38E1A0298; Thu, 5 Sep 2019 15:02:31 +0200 (CEST) Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com [165.114.16.14]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id D8E141A0484; Thu, 5 Sep 2019 15:02:28 +0200 (CEST) Received: from GDB1.ap.freescale.net (GDB1.ap.freescale.net [10.232.132.179]) by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id A821A4030B; Thu, 5 Sep 2019 21:02:25 +0800 (SGT) 
From: Akhil Goyal To: dev@dpdk.org Cc: hemant.agrawal@nxp.com, konstantin.ananyev@intel.com, Akhil Goyal Date: Thu, 5 Sep 2019 18:18:06 +0530 Message-Id: <20190905124807.22158-3-akhil.goyal@nxp.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190905124807.22158-1-akhil.goyal@nxp.com> References: <20190805082205.10794-1-akhil.goyal@nxp.com> <20190905124807.22158-1-akhil.goyal@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Subject: [dpdk-dev] [PATCH v3 2/3] crypto/dpaa2_sec: support IPv6 tunnel for protocol offload X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" outer IP header is formed at the time of session initialization using the ipsec xform. This outer IP header will be appended by hardware for each packet. Signed-off-by: Akhil Goyal --- drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 69 +++++++++++++++------ drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 2 + 2 files changed, 52 insertions(+), 19 deletions(-) diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c index 26458e5d1..9047b5c19 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c @@ -9,6 +9,7 @@ #include #include +#include #include #include #include 
@@ -2465,23 +2466,11 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, session->ctxt_type = DPAA2_SEC_IPSEC; if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + uint8_t *hdr = NULL; struct ip ip4_hdr; + struct rte_ipv6_hdr ip6_hdr; flc->dhr = SEC_FLC_DHR_OUTBOUND; - ip4_hdr.ip_v = IPVERSION; - ip4_hdr.ip_hl = 5; - ip4_hdr.ip_len = rte_cpu_to_be_16(sizeof(ip4_hdr)); - ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; - ip4_hdr.ip_id = 0; - ip4_hdr.ip_off = 0; - ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; - ip4_hdr.ip_p = IPPROTO_ESP; - ip4_hdr.ip_sum = 0; - ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; - ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; - ip4_hdr.ip_sum = calc_chksum((uint16_t *)(void *)&ip4_hdr, - sizeof(struct ip)); - /* For Sec Proto only one descriptor is required. */ memset(&encap_pdb, 0, sizeof(struct ipsec_encap_pdb)); encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) | 
@@ -2490,18 +2479,60 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, PDBHMO_ESP_ENCAP_DTTL | PDBHMO_ESP_SNR; encap_pdb.spi = ipsec_xform->spi; - encap_pdb.ip_hdr_len = sizeof(struct ip); - session->dir = DIR_ENC; + + if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + encap_pdb.ip_hdr_len = sizeof(struct ip); + ip4_hdr.ip_v = IPVERSION; + ip4_hdr.ip_hl = 5; + ip4_hdr.ip_len = rte_cpu_to_be_16(sizeof(ip4_hdr)); + ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; + ip4_hdr.ip_id = 0; + ip4_hdr.ip_off = 0; + ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; + ip4_hdr.ip_p = IPPROTO_ESP; + ip4_hdr.ip_sum = 0; + ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; + ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; + ip4_hdr.ip_sum = calc_chksum((uint16_t *)(void *) + &ip4_hdr, sizeof(struct ip)); + hdr = (uint8_t *)&ip4_hdr; + } else if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV6) { + ip6_hdr.vtc_flow = rte_cpu_to_be_32( + DPAA2_IPv6_DEFAULT_VTC_FLOW | + ((ipsec_xform->tunnel.ipv6.dscp << + RTE_IPV6_HDR_TC_SHIFT) & + RTE_IPV6_HDR_TC_MASK) | + ((ipsec_xform->tunnel.ipv6.flabel << + RTE_IPV6_HDR_FL_SHIFT) & + RTE_IPV6_HDR_FL_MASK)); + /* Payload length will be updated by HW */ + ip6_hdr.payload_len = 0; + ip6_hdr.hop_limits = + ipsec_xform->tunnel.ipv6.hlimit; + ip6_hdr.proto = (ipsec_xform->proto == + RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? 
+ IPPROTO_ESP : IPPROTO_AH; + memcpy(&ip6_hdr.src_addr, + &ipsec_xform->tunnel.ipv6.src_addr, 16); + memcpy(&ip6_hdr.dst_addr, + &ipsec_xform->tunnel.ipv6.dst_addr, 16); + encap_pdb.ip_hdr_len = sizeof(struct rte_ipv6_hdr); + hdr = (uint8_t *)&ip6_hdr; + } bufsize = cnstr_shdsc_ipsec_new_encap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, &encap_pdb, - (uint8_t *)&ip4_hdr, - &cipherdata, &authdata); + hdr, &cipherdata, &authdata); } else if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { flc->dhr = SEC_FLC_DHR_INBOUND; memset(&decap_pdb, 0, sizeof(struct ipsec_decap_pdb)); - decap_pdb.options = sizeof(struct ip) << 16; + decap_pdb.options = (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) ? + sizeof(struct ip) << 16 : + sizeof(struct rte_ipv6_hdr) << 16; session->dir = DIR_DEC; bufsize = cnstr_shdsc_ipsec_new_decap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h index 51751103d..a05deaebd 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h 
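Review bot: In the egress branch of dpaa2_sec_set_ipsec_session, hdr is initialised to NULL and assigned only inside the IPv4 and IPv6 checks, so for any other tunnel.type cnstr_shdsc_ipsec_new_encap is called with hdr == NULL and with encap_pdb.ip_hdr_len still 0 from the memset. Suggest a final else that rejects the session before the descriptor is built. Two consistency points in the same hunk: the IPv4 path keeps `ip4_hdr.ip_p = IPPROTO_ESP` while the new IPv6 path selects IPPROTO_ESP or IPPROTO_AH from ipsec_xform->proto, and the ingress ternary treats every non-IPv4 type as IPv6 where an explicit RTE_SECURITY_IPSEC_TUNNEL_IPV6 test would match the egress side.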
@@ -41,6 +41,8 @@ enum shr_desc_type { #define DIR_ENC 1 #define DIR_DEC 0 +#define DPAA2_IPv6_DEFAULT_VTC_FLOW 0x60000000 + #define DPAA2_SET_FLC_EWS(flc) (flc->word1_bits23_16 |= 0x1) #define DPAA2_SET_FLC_RSC(flc) (flc->word1_bits31_24 |= 0x1) #define DPAA2_SET_FLC_REUSE_BS(flc) (flc->mode_bits |= 0x8000) From patchwork Thu Sep 5 12:48:07 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 58652 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 95A021F004; Thu, 5 Sep 2019 15:02:37 +0200 (CEST) Received: from inva020.nxp.com (inva020.nxp.com [92.121.34.13]) by dpdk.org (Postfix) with ESMTP id 15C6C1EFF3 for ; Thu, 5 Sep 2019 15:02:32 +0200 (CEST) Received: from inva020.nxp.com (localhost [127.0.0.1]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id C59C81A0073; Thu, 5 Sep 2019 15:02:31 +0200 (CEST) Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com [165.114.16.14]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 9A7D31A0491; Thu, 5 Sep 2019 15:02:29 +0200 (CEST) Received: from GDB1.ap.freescale.net (GDB1.ap.freescale.net [10.232.132.179]) by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id 620564030C; Thu, 5 Sep 2019 21:02:26 +0800 (SGT) 
From: Akhil Goyal To: dev@dpdk.org Cc: hemant.agrawal@nxp.com, konstantin.ananyev@intel.com, Akhil Goyal Date: Thu, 5 Sep 2019 18:18:07 +0530 Message-Id: <20190905124807.22158-4-akhil.goyal@nxp.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190905124807.22158-1-akhil.goyal@nxp.com> References: <20190805082205.10794-1-akhil.goyal@nxp.com> <20190905124807.22158-1-akhil.goyal@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Subject: [dpdk-dev] [PATCH v3 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" IPv6 tunnels are already supported in case of inline and lookaside none cases. In case of protocol offload, the details for IPv6 header need to be added in session configuration for security session create. Signed-off-by: Akhil Goyal Acked-by: Konstantin Ananyev --- examples/ipsec-secgw/ipsec.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index dc85adfe5..317faed7a 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -33,8 +33,20 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) memcpy((uint8_t *)&tunnel->ipv4.dst_ip, (uint8_t *)&sa->dst.ip.ip4, 4); + } else if (IS_IP6_TUNNEL(sa->flags)) { + tunnel->type = + RTE_SECURITY_IPSEC_TUNNEL_IPV6; + tunnel->ipv6.hlimit = IPDEFTTL; + tunnel->ipv6.dscp = 0; + tunnel->ipv6.flabel = 0; + + memcpy((uint8_t *)&tunnel->ipv6.src_addr, + (uint8_t *)&sa->src.ip.ip6.ip6_b, 16); + + memcpy((uint8_t *)&tunnel->ipv6.dst_addr, + (uint8_t *)&sa->dst.ip.ip6.ip6_b, 16); } - /* TODO support for Transport and IPV6 tunnel */ + /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; }
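Review bot: The two memcpy calls in the new IS_IP6_TUNNEL branch of set_ipsec_conf copy a literal 16 bytes through `(uint8_t *)` casts; `sizeof(tunnel->ipv6.src_addr)` (and dst_addr) would keep the length tied to the destination field, and the casts are not needed for memcpy. The branch also fixes `tunnel->ipv6.hlimit = IPDEFTTL`, `tunnel->ipv6.dscp = 0` and `tunnel->ipv6.flabel = 0`; a short comment saying these are defaults that the SA configuration cannot override would document that for users of the example.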