@@ -15,6 +15,7 @@ OOP SGL In SGL Out = Y
OOP LB In LB Out = Y
Symmetric sessionless = Y
Digest encrypted = Y
+Inner checksum = Y
;
; Supported crypto algorithms of 'cn10k' crypto driver.
@@ -73,6 +73,7 @@ New Features
* Added UDP encapsulation support in lookaside protocol (IPsec) for CN10K.
* Added support for lookaside protocol (IPsec) offload for CN9K.
* Added support for ZUC algorithm with 256 bit key length for CN10K.
+ * Added inner checksum support in lookaside protocol (IPsec) for CN10K.
* **Added support for event crypto adapter on Marvell CN10K and CN9K.**
@@ -50,7 +50,7 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op)
static __rte_always_inline int __rte_hot
cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
- struct cpt_inst_s *inst)
+ struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = op->sym;
union roc_ot_ipsec_sa_word2 *w2;
@@ -72,8 +72,10 @@ cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
if (w2->s.dir == ROC_IE_SA_DIR_OUTBOUND)
ret = process_outb_sa(op, sa, inst);
- else
+ else {
+ infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND;
ret = process_inb_sa(op, sa, inst);
+ }
return ret;
}
@@ -122,7 +124,8 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[],
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
sec_sess = get_sec_session_private_data(
sym_op->sec_session);
- ret = cpt_sec_inst_fill(op, sec_sess, &inst[0]);
+ ret = cpt_sec_inst_fill(op, sec_sess, infl_req,
+ &inst[0]);
if (unlikely(ret))
return 0;
w7 = sec_sess->sa.inst.w7;
@@ -342,6 +345,49 @@ cn10k_cpt_sec_post_process(struct rte_crypto_op *cop,
m->pkt_len = m_len;
}
+static inline void
+cn10k_cpt_sec_ucc_process(struct rte_crypto_op *cop,
+ struct cpt_inflight_req *infl_req,
+ const uint8_t uc_compcode)
+{
+ struct cn10k_sec_session *sess;
+ struct cn10k_ipsec_sa *sa;
+ struct rte_mbuf *mbuf;
+
+ if (uc_compcode == ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST)
+ cop->aux_flags = RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
+
+ if (!(infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND))
+ return;
+
+ sess = get_sec_session_private_data(cop->sym->sec_session);
+ sa = &sess->sa;
+
+ mbuf = cop->sym->m_src;
+
+ switch (uc_compcode) {
+ case ROC_IE_OT_UCC_SUCCESS:
+ if (sa->ip_csum_enable)
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+ break;
+ case ROC_IE_OT_UCC_SUCCESS_PKT_IP_BADCSUM:
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_BAD;
+ break;
+ case ROC_IE_OT_UCC_SUCCESS_PKT_L4_GOODCSUM:
+ mbuf->ol_flags |= PKT_RX_L4_CKSUM_GOOD;
+ if (sa->ip_csum_enable)
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+ break;
+ case ROC_IE_OT_UCC_SUCCESS_PKT_L4_BADCSUM:
+ mbuf->ol_flags |= PKT_RX_L4_CKSUM_BAD;
+ if (sa->ip_csum_enable)
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+ break;
+ default:
+ break;
+ }
+}
+
static inline void
cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
struct rte_crypto_op *cop,
@@ -357,17 +403,8 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
if (likely(compcode == CPT_COMP_WARN)) {
- if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) {
- /* Success with additional info */
- switch (uc_compcode) {
- case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST:
- cop->aux_flags =
- RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
- break;
- default:
- break;
- }
- }
+ /* Success with additional info */
+ cn10k_cpt_sec_ucc_process(cop, infl_req, uc_compcode);
cn10k_cpt_sec_post_process(cop, res);
} else {
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
@@ -37,6 +37,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
struct rte_crypto_sym_xform *crypto_xfrm,
struct rte_security_session *sec_sess)
{
+ union roc_ot_ipsec_outb_param1 param1;
struct roc_ot_ipsec_outb_sa *out_sa;
struct cnxk_ipsec_outb_rlens rlens;
struct cn10k_sec_session *sess;
@@ -83,7 +84,27 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
/* pre-populate CPT INST word 4 */
inst_w4.u64 = 0;
inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;
- inst_w4.s.param1 = 0;
+
+ param1.u16 = 0;
+
+ /* Disable IP checksum computation by default */
+ param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.ip_csum_enable) {
+ param1.s.ip_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
+ }
+
+ /* Disable L4 checksum computation by default */
+ param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.l4_csum_enable) {
+ param1.s.l4_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
+ }
+
+ inst_w4.s.param1 = param1.u16;
+
sa->inst.w4 = inst_w4.u64;
return 0;
@@ -95,6 +116,7 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
struct rte_crypto_sym_xform *crypto_xfrm,
struct rte_security_session *sec_sess)
{
+ union roc_ot_ipsec_inb_param1 param1;
struct roc_ot_ipsec_inb_sa *in_sa;
struct cn10k_sec_session *sess;
struct cn10k_ipsec_sa *sa;
@@ -121,8 +143,29 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
inst_w4.u64 = 0;
inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC;
- /* Disable checksum verification for now */
- inst_w4.s.param1 = 7;
+ param1.u16 = 0;
+
+ /* Disable IP checksum verification by default */
+ param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.ip_csum_enable) {
+ param1.s.ip_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
+ sa->ip_csum_enable = true;
+ }
+
+ /* Disable L4 checksum verification by default */
+ param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.l4_csum_enable) {
+ param1.s.l4_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
+ }
+
+ param1.s.esp_trailer_disable = 1;
+
+ inst_w4.s.param1 = param1.u16;
+
sa->inst.w4 = inst_w4.u64;
return 0;
@@ -23,6 +23,7 @@ struct cn10k_ipsec_sa {
uint16_t max_extended_len;
uint16_t iv_offset;
uint8_t iv_length;
+ bool ip_csum_enable;
};
struct cn10k_sec_session {
@@ -53,6 +53,7 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
{
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
+ uint64_t inst_w4_u64 = sess->inst.w4;
if (unlikely(rte_pktmbuf_tailroom(m_src) < sess->max_extended_len)) {
plt_dp_err("Not enough tail room");
@@ -68,8 +69,14 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
}
#endif
+ if (m_src->ol_flags & PKT_TX_IP_CKSUM)
+ inst_w4_u64 &= ~BIT_ULL(33);
+
+ if (m_src->ol_flags & PKT_TX_L4_MASK)
+ inst_w4_u64 &= ~BIT_ULL(32);
+
/* Prepare CPT instruction */
- inst->w4.u64 = sess->inst.w4;
+ inst->w4.u64 = inst_w4_u64;
inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src);
inst->dptr = rte_pktmbuf_iova(m_src);
inst->rptr = inst->dptr;
@@ -24,6 +24,9 @@ cnxk_cpt_default_ff_get(void)
RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED |
RTE_CRYPTODEV_FF_SECURITY;
+ if (roc_model_is_cn10k())
+ ff |= RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM;
+
return ff;
}
@@ -961,6 +961,8 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
sec_cap->ipsec.options.tunnel_hdr_verify =
RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
}
+ sec_cap->ipsec.options.ip_csum_enable = 1;
+ sec_cap->ipsec.options.l4_csum_enable = 1;
}
static void