diff mbox series

[28/32] net/ngbe: add IPsec context creation

Message ID 20210908083758.312055-29-jiawenwu@trustnetic.com (mailing list archive)
State Changes Requested, archived
Delegated to: Ferruh Yigit
Headers show
Series net/ngbe: add many features | expand

Checks

Context Check Description
ci/checkpatch success coding style OK

Commit Message

Jiawen Wu Sept. 8, 2021, 8:37 a.m. UTC
Initialize securiry context, and support to get security
capabilities.

Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
---
 doc/guides/nics/features/ngbe.ini |   1 +
 drivers/net/ngbe/meson.build      |   3 +-
 drivers/net/ngbe/ngbe_ethdev.c    |  10 ++
 drivers/net/ngbe/ngbe_ethdev.h    |   4 +
 drivers/net/ngbe/ngbe_ipsec.c     | 178 ++++++++++++++++++++++++++++++
 5 files changed, 195 insertions(+), 1 deletion(-)
 create mode 100644 drivers/net/ngbe/ngbe_ipsec.c

Comments

Ferruh Yigit Sept. 15, 2021, 4:58 p.m. UTC | #1
On 9/8/2021 9:37 AM, Jiawen Wu wrote:
> Initialize securiry context, and support to get security
> capabilities.
> 
> Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>

<...>

> --- a/drivers/net/ngbe/ngbe_ethdev.c
> +++ b/drivers/net/ngbe/ngbe_ethdev.c
> @@ -430,6 +430,12 @@ eth_ngbe_dev_init(struct rte_eth_dev *eth_dev, void *init_params __rte_unused)
>  	/* Unlock any pending hardware semaphore */
>  	ngbe_swfw_lock_reset(hw);
>  
> +#ifdef RTE_LIB_SECURITY
> +	/* Initialize security_ctx only for primary process*/
> +	if (ngbe_ipsec_ctx_create(eth_dev))
> +		return -ENOMEM;
> +#endif

Hi Hemant,

I see 'RTE_LIB_SECURITY' is still used in some PMDs, as this new PMD also uses it?
Previously I assume this macro was to mark that security library is enabled, is
this macro still valid? Who should set this macro now?

Also can you please help reviewing this and next a few patches since they are
related to the security?
Hemant Agrawal Sept. 16, 2021, 9 a.m. UTC | #2
On 9/15/2021 10:28 PM, Ferruh Yigit wrote:
> On 9/8/2021 9:37 AM, Jiawen Wu wrote:
>> Initialize securiry context, and support to get security
>> capabilities.
>>
>> Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
> <...>
>
>> --- a/drivers/net/ngbe/ngbe_ethdev.c
>> +++ b/drivers/net/ngbe/ngbe_ethdev.c
>> @@ -430,6 +430,12 @@ eth_ngbe_dev_init(struct rte_eth_dev *eth_dev, void *init_params __rte_unused)
>>   	/* Unlock any pending hardware semaphore */
>>   	ngbe_swfw_lock_reset(hw);
>>   
>> +#ifdef RTE_LIB_SECURITY
>> +	/* Initialize security_ctx only for primary process*/
>> +	if (ngbe_ipsec_ctx_create(eth_dev))
>> +		return -ENOMEM;
>> +#endif
> Hi Hemant,
>
> I see 'RTE_LIB_SECURITY' is still used in some PMDs, as this new PMD also uses it?
> Previously I assume this macro was to mark that security library is enabled, is
> this macro still valid? Who should set this macro now?
>
> Also can you please help reviewing this and next a few patches since they are
> related to the security?

Hi Ferruh,

      It indicate if the driver is using SECURITY library functions. In 
Ethernet driver, it typically means the inline security offload.

Ok, I will try to review.


regards,

Hemant

>
Hemant Agrawal Sept. 16, 2021, 9:04 a.m. UTC | #3
On 9/8/2021 2:07 PM, Jiawen Wu wrote:
> Initialize securiry context, and support to get security
> capabilities.
>
> Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
> ---
>   doc/guides/nics/features/ngbe.ini |   1 +
>   drivers/net/ngbe/meson.build      |   3 +-
>   drivers/net/ngbe/ngbe_ethdev.c    |  10 ++
>   drivers/net/ngbe/ngbe_ethdev.h    |   4 +
>   drivers/net/ngbe/ngbe_ipsec.c     | 178 ++++++++++++++++++++++++++++++
>   5 files changed, 195 insertions(+), 1 deletion(-)
>   create mode 100644 drivers/net/ngbe/ngbe_ipsec.c
>
> diff --git a/doc/guides/nics/features/ngbe.ini b/doc/guides/nics/features/ngbe.ini
> index 56d5d71ea8..facdb5f006 100644
> --- a/doc/guides/nics/features/ngbe.ini
> +++ b/doc/guides/nics/features/ngbe.ini
> @@ -23,6 +23,7 @@ RSS reta update      = Y
>   SR-IOV               = Y
>   VLAN filter          = Y
>   Flow control         = Y
> +Inline crypto        = Y
>   CRC offload          = P
>   VLAN offload         = P
>   QinQ offload         = P
> diff --git a/drivers/net/ngbe/meson.build b/drivers/net/ngbe/meson.build
> index b276ec3341..f222595b19 100644
> --- a/drivers/net/ngbe/meson.build
> +++ b/drivers/net/ngbe/meson.build
> @@ -12,12 +12,13 @@ objs = [base_objs]
>   
>   sources = files(
>           'ngbe_ethdev.c',
> +        'ngbe_ipsec.c',

Ideally you shall be creating a crypto/security driver and have your 
ipsec related functions there.

@akhil - what is your opinion here?


>           'ngbe_ptypes.c',
>           'ngbe_pf.c',
>           'ngbe_rxtx.c',
>   )
>   
> -deps += ['hash']
> +deps += ['hash', 'security']
>   
>   includes += include_directories('base')
>   
> diff --git a/drivers/net/ngbe/ngbe_ethdev.c b/drivers/net/ngbe/ngbe_ethdev.c
> index 4eaf9b0724..b0e0f7411e 100644
> --- a/drivers/net/ngbe/ngbe_ethdev.c
> +++ b/drivers/net/ngbe/ngbe_ethdev.c
> @@ -430,6 +430,12 @@ eth_ngbe_dev_init(struct rte_eth_dev *eth_dev, void *init_params __rte_unused)
>   	/* Unlock any pending hardware semaphore */
>   	ngbe_swfw_lock_reset(hw);
>   
> +#ifdef RTE_LIB_SECURITY
> +	/* Initialize security_ctx only for primary process*/
> +	if (ngbe_ipsec_ctx_create(eth_dev))
> +		return -ENOMEM;
> +#endif
> +
>   	/* Get Hardware Flow Control setting */
>   	hw->fc.requested_mode = ngbe_fc_full;
>   	hw->fc.current_mode = ngbe_fc_full;
> @@ -1282,6 +1288,10 @@ ngbe_dev_close(struct rte_eth_dev *dev)
>   	rte_free(dev->data->hash_mac_addrs);
>   	dev->data->hash_mac_addrs = NULL;
>   
> +#ifdef RTE_LIB_SECURITY
> +	rte_free(dev->security_ctx);
> +#endif
> +
>   	return ret;
>   }
>   
> diff --git a/drivers/net/ngbe/ngbe_ethdev.h b/drivers/net/ngbe/ngbe_ethdev.h
> index aacc0b68b2..9eda024d65 100644
> --- a/drivers/net/ngbe/ngbe_ethdev.h
> +++ b/drivers/net/ngbe/ngbe_ethdev.h
> @@ -264,6 +264,10 @@ void ngbe_pf_mbx_process(struct rte_eth_dev *eth_dev);
>   
>   int ngbe_pf_host_configure(struct rte_eth_dev *eth_dev);
>   
> +#ifdef RTE_LIB_SECURITY
> +int ngbe_ipsec_ctx_create(struct rte_eth_dev *dev);
> +#endif
> +
>   /* High threshold controlling when to start sending XOFF frames. */
>   #define NGBE_FC_XOFF_HITH              128 /*KB*/
>   /* Low threshold controlling when to start sending XON frames. */
> diff --git a/drivers/net/ngbe/ngbe_ipsec.c b/drivers/net/ngbe/ngbe_ipsec.c
> new file mode 100644
> index 0000000000..5f8b0bab29
> --- /dev/null
> +++ b/drivers/net/ngbe/ngbe_ipsec.c
> @@ -0,0 +1,178 @@
> +/* SPDX-License-Identifier: BSD-3-Clause
> + * Copyright(c) 2018-2021 Beijing WangXun Technology Co., Ltd.
> + * Copyright(c) 2010-2017 Intel Corporation
> + */
> +
> +#include <ethdev_pci.h>
> +#include <rte_security_driver.h>
> +#include <rte_cryptodev.h>
> +
> +#include "base/ngbe.h"
> +#include "ngbe_ethdev.h"
> +
> +static const struct rte_security_capability *
> +ngbe_crypto_capabilities_get(void *device __rte_unused)
> +{
> +	static const struct rte_cryptodev_capabilities
> +	aes_gcm_gmac_crypto_capabilities[] = {
> +		{	/* AES GMAC (128-bit) */
> +			.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
> +			{.sym = {
> +				.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
> +				{.auth = {
> +					.algo = RTE_CRYPTO_AUTH_AES_GMAC,
> +					.block_size = 16,
> +					.key_size = {
> +						.min = 16,
> +						.max = 16,
> +						.increment = 0
> +					},
> +					.digest_size = {
> +						.min = 16,
> +						.max = 16,
> +						.increment = 0
> +					},
> +					.iv_size = {
> +						.min = 12,
> +						.max = 12,
> +						.increment = 0
> +					}
> +				}, }
> +			}, }
> +		},
> +		{	/* AES GCM (128-bit) */
> +			.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
> +			{.sym = {
> +				.xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,
> +				{.aead = {
> +					.algo = RTE_CRYPTO_AEAD_AES_GCM,
> +					.block_size = 16,
> +					.key_size = {
> +						.min = 16,
> +						.max = 16,
> +						.increment = 0
> +					},
> +					.digest_size = {
> +						.min = 16,
> +						.max = 16,
> +						.increment = 0
> +					},
> +					.aad_size = {
> +						.min = 0,
> +						.max = 65535,
> +						.increment = 1
> +					},
> +					.iv_size = {
> +						.min = 12,
> +						.max = 12,
> +						.increment = 0
> +					}
> +				}, }
> +			}, }
> +		},
> +		{
> +			.op = RTE_CRYPTO_OP_TYPE_UNDEFINED,
> +			{.sym = {
> +				.xform_type = RTE_CRYPTO_SYM_XFORM_NOT_SPECIFIED
> +			}, }
> +		},
> +	};
> +
> +	static const struct rte_security_capability
> +	ngbe_security_capabilities[] = {
> +		{ /* IPsec Inline Crypto ESP Transport Egress */
> +			.action = RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
> +			.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
> +			{.ipsec = {
> +				.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> +				.mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
> +				.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
> +				.options = { 0 }
> +			} },
> +			.crypto_capabilities = aes_gcm_gmac_crypto_capabilities,
> +			.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
> +		},
> +		{ /* IPsec Inline Crypto ESP Transport Ingress */
> +			.action = RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
> +			.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
> +			{.ipsec = {
> +				.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> +				.mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
> +				.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
> +				.options = { 0 }
> +			} },
> +			.crypto_capabilities = aes_gcm_gmac_crypto_capabilities,
> +			.ol_flags = 0
> +		},
> +		{ /* IPsec Inline Crypto ESP Tunnel Egress */
> +			.action = RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
> +			.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
> +			{.ipsec = {
> +				.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> +				.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
> +				.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
> +				.options = { 0 }
> +			} },
> +			.crypto_capabilities = aes_gcm_gmac_crypto_capabilities,
> +			.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
> +		},
> +		{ /* IPsec Inline Crypto ESP Tunnel Ingress */
> +			.action = RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
> +			.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
> +			{.ipsec = {
> +				.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> +				.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
> +				.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
> +				.options = { 0 }
> +			} },
> +			.crypto_capabilities = aes_gcm_gmac_crypto_capabilities,
> +			.ol_flags = 0
> +		},
> +		{
> +			.action = RTE_SECURITY_ACTION_TYPE_NONE
> +		}
> +	};
> +
> +	return ngbe_security_capabilities;
> +}
> +
> +static struct rte_security_ops ngbe_security_ops = {
> +	.capabilities_get = ngbe_crypto_capabilities_get
> +};
> +
> +static int
> +ngbe_crypto_capable(struct rte_eth_dev *dev)
> +{
> +	struct ngbe_hw *hw = ngbe_dev_hw(dev);
> +	uint32_t reg_i, reg, capable = 1;
> +	/* test if rx crypto can be enabled and then write back initial value*/
> +	reg_i = rd32(hw, NGBE_SECRXCTL);
> +	wr32m(hw, NGBE_SECRXCTL, NGBE_SECRXCTL_ODSA, 0);
> +	reg = rd32m(hw, NGBE_SECRXCTL, NGBE_SECRXCTL_ODSA);
> +	if (reg != 0)
> +		capable = 0;
> +	wr32(hw, NGBE_SECRXCTL, reg_i);
> +	return capable;
> +}
> +
> +int
> +ngbe_ipsec_ctx_create(struct rte_eth_dev *dev)
> +{
> +	struct rte_security_ctx *ctx = NULL;
> +
> +	if (ngbe_crypto_capable(dev)) {
> +		ctx = rte_malloc("rte_security_instances_ops",
> +				 sizeof(struct rte_security_ctx), 0);
> +		if (ctx) {
> +			ctx->device = (void *)dev;
> +			ctx->ops = &ngbe_security_ops;
> +			ctx->sess_cnt = 0;
> +			dev->security_ctx = ctx;
> +		} else {
> +			return -ENOMEM;
> +		}
> +	}
> +	if (rte_security_dynfield_register() < 0)
> +		return -rte_errno;
> +	return 0;
> +}
Ferruh Yigit Sept. 16, 2021, 5:15 p.m. UTC | #4
On 9/16/2021 10:00 AM, Hemant Agrawal wrote:
> 
> On 9/15/2021 10:28 PM, Ferruh Yigit wrote:
>> On 9/8/2021 9:37 AM, Jiawen Wu wrote:
>>> Initialize securiry context, and support to get security
>>> capabilities.
>>>
>>> Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
>> <...>
>>
>>> --- a/drivers/net/ngbe/ngbe_ethdev.c
>>> +++ b/drivers/net/ngbe/ngbe_ethdev.c
>>> @@ -430,6 +430,12 @@ eth_ngbe_dev_init(struct rte_eth_dev *eth_dev, void
>>> *init_params __rte_unused)
>>>       /* Unlock any pending hardware semaphore */
>>>       ngbe_swfw_lock_reset(hw);
>>>   +#ifdef RTE_LIB_SECURITY
>>> +    /* Initialize security_ctx only for primary process*/
>>> +    if (ngbe_ipsec_ctx_create(eth_dev))
>>> +        return -ENOMEM;
>>> +#endif
>> Hi Hemant,
>>
>> I see 'RTE_LIB_SECURITY' is still used in some PMDs, as this new PMD also uses
>> it?
>> Previously I assume this macro was to mark that security library is enabled, is
>> this macro still valid? Who should set this macro now?
>>
>> Also can you please help reviewing this and next a few patches since they are
>> related to the security?
> 
> Hi Ferruh,
> 
>      It indicate if the driver is using SECURITY library functions. In Ethernet
> driver, it typically means the inline security offload.
> 

Got it, but right now who sets this macro? It isn't set automatically when
security library is enabled/compiled, right?

> Ok, I will try to review.
> 
> 
> regards,
> 
> Hemant
> 
>>
diff mbox series

Patch

diff --git a/doc/guides/nics/features/ngbe.ini b/doc/guides/nics/features/ngbe.ini
index 56d5d71ea8..facdb5f006 100644
--- a/doc/guides/nics/features/ngbe.ini
+++ b/doc/guides/nics/features/ngbe.ini
@@ -23,6 +23,7 @@  RSS reta update      = Y
 SR-IOV               = Y
 VLAN filter          = Y
 Flow control         = Y
+Inline crypto        = Y
 CRC offload          = P
 VLAN offload         = P
 QinQ offload         = P
diff --git a/drivers/net/ngbe/meson.build b/drivers/net/ngbe/meson.build
index b276ec3341..f222595b19 100644
--- a/drivers/net/ngbe/meson.build
+++ b/drivers/net/ngbe/meson.build
@@ -12,12 +12,13 @@  objs = [base_objs]
 
 sources = files(
         'ngbe_ethdev.c',
+        'ngbe_ipsec.c',
         'ngbe_ptypes.c',
         'ngbe_pf.c',
         'ngbe_rxtx.c',
 )
 
-deps += ['hash']
+deps += ['hash', 'security']
 
 includes += include_directories('base')
 
diff --git a/drivers/net/ngbe/ngbe_ethdev.c b/drivers/net/ngbe/ngbe_ethdev.c
index 4eaf9b0724..b0e0f7411e 100644
--- a/drivers/net/ngbe/ngbe_ethdev.c
+++ b/drivers/net/ngbe/ngbe_ethdev.c
@@ -430,6 +430,12 @@  eth_ngbe_dev_init(struct rte_eth_dev *eth_dev, void *init_params __rte_unused)
 	/* Unlock any pending hardware semaphore */
 	ngbe_swfw_lock_reset(hw);
 
+#ifdef RTE_LIB_SECURITY
+	/* Initialize security_ctx only for primary process*/
+	if (ngbe_ipsec_ctx_create(eth_dev))
+		return -ENOMEM;
+#endif
+
 	/* Get Hardware Flow Control setting */
 	hw->fc.requested_mode = ngbe_fc_full;
 	hw->fc.current_mode = ngbe_fc_full;
@@ -1282,6 +1288,10 @@  ngbe_dev_close(struct rte_eth_dev *dev)
 	rte_free(dev->data->hash_mac_addrs);
 	dev->data->hash_mac_addrs = NULL;
 
+#ifdef RTE_LIB_SECURITY
+	rte_free(dev->security_ctx);
+#endif
+
 	return ret;
 }
 
diff --git a/drivers/net/ngbe/ngbe_ethdev.h b/drivers/net/ngbe/ngbe_ethdev.h
index aacc0b68b2..9eda024d65 100644
--- a/drivers/net/ngbe/ngbe_ethdev.h
+++ b/drivers/net/ngbe/ngbe_ethdev.h
@@ -264,6 +264,10 @@  void ngbe_pf_mbx_process(struct rte_eth_dev *eth_dev);
 
 int ngbe_pf_host_configure(struct rte_eth_dev *eth_dev);
 
+#ifdef RTE_LIB_SECURITY
+int ngbe_ipsec_ctx_create(struct rte_eth_dev *dev);
+#endif
+
 /* High threshold controlling when to start sending XOFF frames. */
 #define NGBE_FC_XOFF_HITH              128 /*KB*/
 /* Low threshold controlling when to start sending XON frames. */
diff --git a/drivers/net/ngbe/ngbe_ipsec.c b/drivers/net/ngbe/ngbe_ipsec.c
new file mode 100644
index 0000000000..5f8b0bab29
--- /dev/null
+++ b/drivers/net/ngbe/ngbe_ipsec.c
@@ -0,0 +1,178 @@ 
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018-2021 Beijing WangXun Technology Co., Ltd.
+ * Copyright(c) 2010-2017 Intel Corporation
+ */
+
+#include <ethdev_pci.h>
+#include <rte_security_driver.h>
+#include <rte_cryptodev.h>
+
+#include "base/ngbe.h"
+#include "ngbe_ethdev.h"
+
+static const struct rte_security_capability *
+ngbe_crypto_capabilities_get(void *device __rte_unused)
+{
+	static const struct rte_cryptodev_capabilities
+	aes_gcm_gmac_crypto_capabilities[] = {
+		{	/* AES GMAC (128-bit) */
+			.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+			{.sym = {
+				.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+				{.auth = {
+					.algo = RTE_CRYPTO_AUTH_AES_GMAC,
+					.block_size = 16,
+					.key_size = {
+						.min = 16,
+						.max = 16,
+						.increment = 0
+					},
+					.digest_size = {
+						.min = 16,
+						.max = 16,
+						.increment = 0
+					},
+					.iv_size = {
+						.min = 12,
+						.max = 12,
+						.increment = 0
+					}
+				}, }
+			}, }
+		},
+		{	/* AES GCM (128-bit) */
+			.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+			{.sym = {
+				.xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,
+				{.aead = {
+					.algo = RTE_CRYPTO_AEAD_AES_GCM,
+					.block_size = 16,
+					.key_size = {
+						.min = 16,
+						.max = 16,
+						.increment = 0
+					},
+					.digest_size = {
+						.min = 16,
+						.max = 16,
+						.increment = 0
+					},
+					.aad_size = {
+						.min = 0,
+						.max = 65535,
+						.increment = 1
+					},
+					.iv_size = {
+						.min = 12,
+						.max = 12,
+						.increment = 0
+					}
+				}, }
+			}, }
+		},
+		{
+			.op = RTE_CRYPTO_OP_TYPE_UNDEFINED,
+			{.sym = {
+				.xform_type = RTE_CRYPTO_SYM_XFORM_NOT_SPECIFIED
+			}, }
+		},
+	};
+
+	static const struct rte_security_capability
+	ngbe_security_capabilities[] = {
+		{ /* IPsec Inline Crypto ESP Transport Egress */
+			.action = RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
+			.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+			{.ipsec = {
+				.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+				.mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
+				.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+				.options = { 0 }
+			} },
+			.crypto_capabilities = aes_gcm_gmac_crypto_capabilities,
+			.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
+		},
+		{ /* IPsec Inline Crypto ESP Transport Ingress */
+			.action = RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
+			.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+			{.ipsec = {
+				.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+				.mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
+				.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+				.options = { 0 }
+			} },
+			.crypto_capabilities = aes_gcm_gmac_crypto_capabilities,
+			.ol_flags = 0
+		},
+		{ /* IPsec Inline Crypto ESP Tunnel Egress */
+			.action = RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
+			.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+			{.ipsec = {
+				.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+				.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+				.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+				.options = { 0 }
+			} },
+			.crypto_capabilities = aes_gcm_gmac_crypto_capabilities,
+			.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
+		},
+		{ /* IPsec Inline Crypto ESP Tunnel Ingress */
+			.action = RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
+			.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+			{.ipsec = {
+				.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+				.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+				.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+				.options = { 0 }
+			} },
+			.crypto_capabilities = aes_gcm_gmac_crypto_capabilities,
+			.ol_flags = 0
+		},
+		{
+			.action = RTE_SECURITY_ACTION_TYPE_NONE
+		}
+	};
+
+	return ngbe_security_capabilities;
+}
+
+static struct rte_security_ops ngbe_security_ops = {
+	.capabilities_get = ngbe_crypto_capabilities_get
+};
+
+static int
+ngbe_crypto_capable(struct rte_eth_dev *dev)
+{
+	struct ngbe_hw *hw = ngbe_dev_hw(dev);
+	uint32_t reg_i, reg, capable = 1;
+	/* test if rx crypto can be enabled and then write back initial value*/
+	reg_i = rd32(hw, NGBE_SECRXCTL);
+	wr32m(hw, NGBE_SECRXCTL, NGBE_SECRXCTL_ODSA, 0);
+	reg = rd32m(hw, NGBE_SECRXCTL, NGBE_SECRXCTL_ODSA);
+	if (reg != 0)
+		capable = 0;
+	wr32(hw, NGBE_SECRXCTL, reg_i);
+	return capable;
+}
+
+int
+ngbe_ipsec_ctx_create(struct rte_eth_dev *dev)
+{
+	struct rte_security_ctx *ctx = NULL;
+
+	if (ngbe_crypto_capable(dev)) {
+		ctx = rte_malloc("rte_security_instances_ops",
+				 sizeof(struct rte_security_ctx), 0);
+		if (ctx) {
+			ctx->device = (void *)dev;
+			ctx->ops = &ngbe_security_ops;
+			ctx->sess_cnt = 0;
+			dev->security_ctx = ctx;
+		} else {
+			return -ENOMEM;
+		}
+	}
+	if (rte_security_dynfield_register() < 0)
+		return -rte_errno;
+	return 0;
+}