From patchwork Tue Aug 31 14:01:21 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tejasree Kondoj X-Patchwork-Id: 97604 Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id A6E66A0C46; Tue, 31 Aug 2021 15:08:06 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 33061406A3; Tue, 31 Aug 2021 15:08:02 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 23A224067E for ; Tue, 31 Aug 2021 15:07:59 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 17VCMRwm029338 for ; Tue, 31 Aug 2021 06:07:58 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=4TeJeYpAmV/L09CUnyFlf7G76j+41Jaoojr7BQHvHOk=; b=CauFxbbicVF1qowl/HN8S0mw+usVQTw7Qn8ijcSF3F51OoyF3U1WidGpEtOk66C5gmTx 3j4B9iJNWZwzMqs7W9gb45Ig1EQQmLpU3pAqshBl74fcaTbcK1Jk+gCdQwrPQEAyTjVK fNyUWOelejWPFM4HihPWrT7y/t7Y3J/p1I/jT3OYkTel/0675Bly/UGHms+1UXSl4Vu/ 93lYCGnKhqoDFwpCxHdMPme2n0or+TG8x3B7gxbSt60ziMvnmZm2xIxuNkAt17nu9cGf Tt49Z+8vLBq6KEVUByQkVKeejWHSekPpeiYZFGgZWKZ7JaAvR9+nWntX7LyDFtSiHBBc Sw== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com with ESMTP id 3asf15hhe0-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Tue, 31 Aug 2021 06:07:57 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Tue, 31 Aug 2021 06:07:54 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Tue, 31 Aug 2021 06:07:54 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id A4DC53F7083; Tue, 31 Aug 2021 06:07:51 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Archana Muniganti , Srujana Challa , "Nithin Dabilpuram" , Jerin Jacob , Date: Tue, 31 Aug 2021 19:31:21 +0530 Message-ID: <20210831140127.31775-3-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210831140127.31775-1-ktejasree@marvell.com> References: <20210831140127.31775-1-ktejasree@marvell.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: xdS9mQHxXTowdnULNNja0bnDuU4pllaG X-Proofpoint-GUID: xdS9mQHxXTowdnULNNja0bnDuU4pllaG X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-08-31_05,2021-08-31_01,2020-04-07_01 Subject: [dpdk-dev] [PATCH 2/8] crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Adding lookaside IPsec AES-CBC-HMAC-SHA1 support to cnxk driver. Signed-off-by: Tejasree Kondoj --- doc/guides/cryptodevs/cnxk.rst | 1 + doc/guides/rel_notes/release_21_11.rst | 4 ++ drivers/common/cnxk/cnxk_security.c | 68 ++++++++++++++++++- drivers/crypto/cnxk/cn10k_ipsec.c | 63 ++++++++++++++++- .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 44 ++++++++++++ 5 files changed, 176 insertions(+), 4 deletions(-) diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index 98c7118d68..a40295c087 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -231,6 +231,7 @@ Features supported * ESP * Tunnel mode * AES-128/192/256-GCM +* AES-128/192/256-CBC-SHA1-HMAC Limitations ----------- diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index d707a554ef..0d9ce123aa 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -20,6 +20,10 @@ DPDK Release 21.11 make doc-guides-html xdg-open build/doc/html/guides/rel_notes/release_21_11.html +* **Updated Marvell cn10k_crypto PMD.** + + * Added AES-CBC-SHA1-HMAC in lookaside protocol (IPsec). + New Features ------------ diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index 6c6728f570..fe64e70c81 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -6,12 +6,43 @@ #include "cnxk_security.h" +static void +ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform, + uint8_t *hmac_opad_ipad) +{ + const uint8_t *key = auth_xform->auth.key.data; + uint32_t length = auth_xform->auth.key.length; + uint8_t opad[128] = {[0 ... 127] = 0x5c}; + uint8_t ipad[128] = {[0 ... 127] = 0x36}; + uint32_t i; + + /* HMAC OPAD and IPAD */ + for (i = 0; i < 127 && i < length; i++) { + opad[i] = opad[i] ^ key[i]; + ipad[i] = ipad[i] ^ key[i]; + } + + /* Precompute hash of HMAC OPAD and IPAD to avoid + * per packet computation + */ + switch (auth_xform->auth.algo) { + case RTE_CRYPTO_AUTH_SHA1_HMAC: + roc_hash_sha1_gen(opad, (uint32_t *)&hmac_opad_ipad[0]); + roc_hash_sha1_gen(ipad, (uint32_t *)&hmac_opad_ipad[24]); + break; + default: + break; + } +} + static int ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, uint8_t *cipher_key, uint8_t *salt_key, + uint8_t *hmac_opad_ipad, struct rte_security_ipsec_xform *ipsec_xfrm, struct rte_crypto_sym_xform *crypto_xfrm) { + struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm; const uint8_t *key; uint32_t *tmp_salt; uint64_t *tmp_key; @@ -21,9 +52,13 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, switch (ipsec_xfrm->direction) { case RTE_SECURITY_IPSEC_SA_DIR_INGRESS: w2->s.dir = ROC_IE_OT_SA_DIR_INBOUND; + auth_xfrm = crypto_xfrm; + cipher_xfrm = crypto_xfrm->next; break; case RTE_SECURITY_IPSEC_SA_DIR_EGRESS: w2->s.dir = ROC_IE_OT_SA_DIR_OUTBOUND; + cipher_xfrm = crypto_xfrm; + auth_xfrm = crypto_xfrm->next; break; default: return -EINVAL; @@ -70,7 +105,32 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, return -ENOTSUP; } } else { - return -ENOTSUP; + switch (cipher_xfrm->cipher.algo) { + case RTE_CRYPTO_CIPHER_AES_CBC: + w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC; + break; + default: + return -ENOTSUP; + } + + switch (auth_xfrm->auth.algo) { + case RTE_CRYPTO_AUTH_SHA1_HMAC: + w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA1; + break; + default: + return -ENOTSUP; + } + + key = cipher_xfrm->cipher.key.data; + length = cipher_xfrm->cipher.key.length; + + ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad); + + tmp_key = (uint64_t *)hmac_opad_ipad; + for (i = 0; + i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t)); + i++) + tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]); } /* Set encapsulation type */ @@ -129,7 +189,8 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, w2.u64 = 0; rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->w8.s.salt, - ipsec_xfrm, crypto_xfrm); + sa->hmac_opad_ipad, ipsec_xfrm, + crypto_xfrm); if (rc) return rc; @@ -196,7 +257,8 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa, w2.u64 = 0; rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->iv.s.salt, - ipsec_xfrm, crypto_xfrm); + sa->hmac_opad_ipad, ipsec_xfrm, + crypto_xfrm); if (rc) return rc; diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c index 1d567bf188..408a682b21 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.c +++ b/drivers/crypto/cnxk/cn10k_ipsec.c @@ -17,6 +17,37 @@ #include "roc_api.h" +static int +ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *xform) +{ + if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) { + switch (xform->cipher.key.length) { + case 16: + case 24: + case 32: + break; + default: + return -ENOTSUP; + } + return 0; + } + + return -ENOTSUP; +} + +static int +ipsec_xform_auth_verify(struct rte_crypto_sym_xform *xform) +{ + uint16_t keylen = xform->auth.key.length; + + if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) { + if (keylen >= 20 && keylen <= 64) + return 0; + } + + return -ENOTSUP; +} + static int ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm, struct rte_crypto_sym_xform *crypto_xfrm) @@ -48,6 +79,9 @@ static int cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm, struct rte_crypto_sym_xform *crypto_xfrm) { + struct rte_crypto_sym_xform *auth_xform, *cipher_xform; + int ret; + if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS)) return -EINVAL; @@ -67,7 +101,34 @@ cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm, if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm); - return -ENOTSUP; + if (crypto_xfrm->next == NULL) + return -EINVAL; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { + /* Ingress */ + if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH || + crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER) + return -EINVAL; + auth_xform = crypto_xfrm; + cipher_xform = crypto_xfrm->next; + } else { + /* Egress */ + if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER || + crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH) + return -EINVAL; + cipher_xform = crypto_xfrm; + auth_xform = crypto_xfrm->next; + } + + ret = ipsec_xform_cipher_verify(cipher_xform); + if (ret) + return ret; + + ret = ipsec_xform_auth_verify(auth_xform); + if (ret) + return ret; + + return 0; } static uint64_t diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index ab37f9c43b..47274b2c24 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -754,6 +754,49 @@ static const struct rte_cryptodev_capabilities sec_caps_aes[] = { }, } }, } }, + { /* AES CBC */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER, + {.cipher = { + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 8 + }, + .iv_size = { + .min = 16, + .max = 16, + .increment = 0 + } + }, } + }, } + }, +}; + +static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = { + { /* SHA1 HMAC */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, + {.auth = { + .algo = RTE_CRYPTO_AUTH_SHA1_HMAC, + .block_size = 64, + .key_size = { + .min = 20, + .max = 64, + .increment = 1 + }, + .digest_size = { + .min = 12, + .max = 12, + .increment = 0 + }, + }, } + }, } + }, }; static const struct rte_security_capability sec_caps_templ[] = { @@ -839,6 +882,7 @@ sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[], int cur_pos = 0; SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, aes); + SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, sha1_sha2); sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end)); }