From: Tejasree Kondoj <ktejasree@marvell.com>
Adding AES-CBC-HMAC-SHA256 support to lookaside IPsec PMD.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/cryptodevs/cnxk.rst | 39 +++++++++++++++++++----
doc/guides/rel_notes/release_22_03.rst | 4 +++
drivers/common/cnxk/cnxk_security.c | 14 ++++++++
drivers/crypto/cnxk/cn10k_ipsec.c | 3 ++
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 20 ++++++++++++
drivers/crypto/cnxk/cnxk_ipsec.h | 3 +-
6 files changed, 75 insertions(+), 8 deletions(-)
@@ -246,14 +246,27 @@ CN9XX Features supported
* IPv4
* IPv6
* ESP
+* ESN
+* Anti-replay
* Tunnel mode
* Transport mode(IPv4)
* UDP Encapsulation
+
+AEAD algorithms
++++++++++++++++
+
* AES-128/192/256-GCM
-* AES-128/192/256-CBC-SHA1-HMAC
-* AES-128/192/256-CBC-SHA256-128-HMAC
-* ESN
-* Anti-replay
+
+Cipher algorithms
++++++++++++++++++
+
+* AES-128/192/256-CBC
+
+Auth algorithms
++++++++++++++++
+
+* SHA1-HMAC
+* SHA256-128-HMAC
CN10XX Features supported
~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -263,6 +276,20 @@ CN10XX Features supported
* Tunnel mode
* Transport mode
* UDP Encapsulation
+
+AEAD algorithms
++++++++++++++++
+
* AES-128/192/256-GCM
-* AES-128/192/256-CBC-NULL
-* AES-128/192/256-CBC-SHA1-HMAC
+
+Cipher algorithms
++++++++++++++++++
+
+* AES-128/192/256-CBC
+
+Auth algorithms
++++++++++++++++
+
+* NULL
+* SHA1-HMAC
+* SHA256-128-HMAC
@@ -55,6 +55,10 @@ New Features
Also, make sure to start the actual text at the margin.
=======================================================
+* **Updated Marvell cnxk crypto PMD.**
+
+ * Added SHA256-HMAC support in lookaside protocol (IPsec) for CN10K.
+
Removed Items
-------------
@@ -32,6 +32,10 @@ ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform,
roc_hash_sha1_gen(opad, (uint32_t *)&hmac_opad_ipad[0]);
roc_hash_sha1_gen(ipad, (uint32_t *)&hmac_opad_ipad[24]);
break;
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ roc_hash_sha256_gen(opad, (uint32_t *)&hmac_opad_ipad[0]);
+ roc_hash_sha256_gen(ipad, (uint32_t *)&hmac_opad_ipad[64]);
+ break;
default:
break;
}
@@ -129,6 +133,16 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
i++)
tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
break;
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_256;
+ ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
+
+ tmp_key = (uint64_t *)hmac_opad_ipad;
+ for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN /
+ sizeof(uint64_t));
+ i++)
+ tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
+ break;
default:
return -ENOTSUP;
}
@@ -65,6 +65,9 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
sa->iv_offset = crypto_xfrm->aead.iv.offset;
sa->iv_length = crypto_xfrm->aead.iv.length;
+ } else {
+ sa->iv_offset = crypto_xfrm->cipher.iv.offset;
+ sa->iv_length = crypto_xfrm->cipher.iv.length;
}
}
#else
@@ -797,6 +797,26 @@ static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = {
}, }
}, }
},
+ { /* SHA256 HMAC */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_SHA256_HMAC,
+ .block_size = 64,
+ .key_size = {
+ .min = 1,
+ .max = 1024,
+ .increment = 1
+ },
+ .digest_size = {
+ .min = 16,
+ .max = 16,
+ .increment = 0
+ },
+ }, }
+ }, }
+ },
};
static const struct rte_security_capability sec_caps_templ[] = {
@@ -46,8 +46,7 @@ ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
if (keylen >= 20 && keylen <= 64)
return 0;
- } else if (roc_model_is_cn9k() &&
- (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)) {
+ } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) {
if (keylen >= 32 && keylen <= 64)
return 0;
}