From patchwork Fri Oct 1 13:39:55 2021
X-Patchwork-Submitter: Nithin Dabilpuram
X-Patchwork-Id: 100247
X-Patchwork-Delegate: jerinj@marvell.com
From: Nithin Dabilpuram
To: Nithin Dabilpuram, "Kiran Kumar K", Sunil Kumar Kori, Satha Rao, Ray Kinsella
CC: Srujana Challa
Date: Fri, 1 Oct 2021 19:09:55 +0530
Message-ID: <20211001134022.22700-2-ndabilpuram@marvell.com>
In-Reply-To: <20211001134022.22700-1-ndabilpuram@marvell.com>
References: <20210902021505.17607-1-ndabilpuram@marvell.com> <20211001134022.22700-1-ndabilpuram@marvell.com>
Subject: [dpdk-dev] [PATCH v3 01/28] common/cnxk: support cn9k fast path security session
List-Id: DPDK patches and discussions

From: Srujana Challa

Add security support to init cn9k fast path SA data for AES GCM and AES CBC + HMAC SHA1.

Signed-off-by: Srujana Challa
Signed-off-by: Nithin Dabilpuram
--- drivers/common/cnxk/cnxk_security.c | 211 ++++++++++++++++++++++++++++++++++++ drivers/common/cnxk/cnxk_security.h | 12 ++ drivers/common/cnxk/version.map | 4 + 3 files changed, 227 insertions(+) diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index cc5daf3..c117fa7 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c 
@@ -513,6 +513,217 @@ cnxk_ot_ipsec_outb_sa_valid(struct roc_ot_ipsec_outb_sa *sa) return !!sa->w2.s.valid; } +static inline int +ipsec_xfrm_verify(struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + if (crypto_xfrm->next == NULL) + return -EINVAL; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { + if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH || + crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER) + return -EINVAL; + } else { + if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER || + crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH) + return -EINVAL; + } + + return 0; +} + +static int +onf_ipsec_sa_common_param_fill(struct roc_ie_onf_sa_ctl *ctl, uint8_t *salt, + uint8_t *cipher_key, uint8_t *hmac_opad_ipad, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm; + int rc, length, auth_key_len; + const uint8_t *key = NULL; + + /* Set direction */ + switch (ipsec_xfrm->direction) { + case RTE_SECURITY_IPSEC_SA_DIR_INGRESS: + ctl->direction = ROC_IE_SA_DIR_INBOUND; + auth_xfrm = crypto_xfrm; + cipher_xfrm = crypto_xfrm->next; + break; + case RTE_SECURITY_IPSEC_SA_DIR_EGRESS: + ctl->direction = ROC_IE_SA_DIR_OUTBOUND; + cipher_xfrm = crypto_xfrm; + auth_xfrm = crypto_xfrm->next; + break; + default: + return -EINVAL; + } + + /* Set protocol - ESP vs AH */ + switch (ipsec_xfrm->proto) { + case RTE_SECURITY_IPSEC_SA_PROTO_ESP: + ctl->ipsec_proto = ROC_IE_SA_PROTOCOL_ESP; + break; + case RTE_SECURITY_IPSEC_SA_PROTO_AH: + return -ENOTSUP; + default: + return -EINVAL; + } + + /* Set mode - transport vs tunnel */ + switch (ipsec_xfrm->mode) { + case RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT: + ctl->ipsec_mode = ROC_IE_SA_MODE_TRANSPORT; + break; + case RTE_SECURITY_IPSEC_SA_MODE_TUNNEL: + ctl->ipsec_mode = ROC_IE_SA_MODE_TUNNEL; + break; + default: + return -EINVAL; + } + + /* Set encryption algorithm */ + if 
(crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + length = crypto_xfrm->aead.key.length; + + switch (crypto_xfrm->aead.algo) { + case RTE_CRYPTO_AEAD_AES_GCM: + ctl->enc_type = ROC_IE_ON_SA_ENC_AES_GCM; + ctl->auth_type = ROC_IE_ON_SA_AUTH_NULL; + memcpy(salt, &ipsec_xfrm->salt, 4); + key = crypto_xfrm->aead.key.data; + break; + default: + return -ENOTSUP; + } + + } else { + rc = ipsec_xfrm_verify(ipsec_xfrm, crypto_xfrm); + if (rc) + return rc; + + switch (cipher_xfrm->cipher.algo) { + case RTE_CRYPTO_CIPHER_AES_CBC: + ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC; + break; + default: + return -ENOTSUP; + } + + switch (auth_xfrm->auth.algo) { + case RTE_CRYPTO_AUTH_SHA1_HMAC: + ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA1; + break; + default: + return -ENOTSUP; + } + auth_key_len = auth_xfrm->auth.key.length; + if (auth_key_len < 20 || auth_key_len > 64) + return -ENOTSUP; + + key = cipher_xfrm->cipher.key.data; + length = cipher_xfrm->cipher.key.length; + + ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad); + } + + switch (length) { + case ROC_CPT_AES128_KEY_LEN: + ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128; + break; + case ROC_CPT_AES192_KEY_LEN: + ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192; + break; + case ROC_CPT_AES256_KEY_LEN: + ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256; + break; + default: + return -EINVAL; + } + + memcpy(cipher_key, key, length); + + if (ipsec_xfrm->options.esn) + ctl->esn_en = 1; + + ctl->spi = rte_cpu_to_be_32(ipsec_xfrm->spi); + return 0; +} + +int +cnxk_onf_ipsec_inb_sa_fill(struct roc_onf_ipsec_inb_sa *sa, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + struct roc_ie_onf_sa_ctl *ctl = &sa->ctl; + int rc; + + rc = onf_ipsec_sa_common_param_fill(ctl, sa->nonce, sa->cipher_key, + sa->hmac_key, ipsec_xfrm, + crypto_xfrm); + if (rc) + return rc; + + rte_wmb(); + + /* Enable SA */ + ctl->valid = 1; + return 0; +} + +int +cnxk_onf_ipsec_outb_sa_fill(struct roc_onf_ipsec_outb_sa *sa, + struct 
rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + struct rte_security_ipsec_tunnel_param *tunnel = &ipsec_xfrm->tunnel; + struct roc_ie_onf_sa_ctl *ctl = &sa->ctl; + int rc; + + /* Fill common params */ + rc = onf_ipsec_sa_common_param_fill(ctl, sa->nonce, sa->cipher_key, + sa->hmac_key, ipsec_xfrm, + crypto_xfrm); + if (rc) + return rc; + + if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) + goto skip_tunnel_info; + + /* Tunnel header info */ + switch (tunnel->type) { + case RTE_SECURITY_IPSEC_TUNNEL_IPV4: + memcpy(&sa->ip_src, &tunnel->ipv4.src_ip, + sizeof(struct in_addr)); + memcpy(&sa->ip_dst, &tunnel->ipv4.dst_ip, + sizeof(struct in_addr)); + break; + case RTE_SECURITY_IPSEC_TUNNEL_IPV6: + return -ENOTSUP; + default: + return -EINVAL; + } + +skip_tunnel_info: + rte_wmb(); + + /* Enable SA */ + ctl->valid = 1; + return 0; +} + +bool +cnxk_onf_ipsec_inb_sa_valid(struct roc_onf_ipsec_inb_sa *sa) +{ + return !!sa->ctl.valid; +} + +bool +cnxk_onf_ipsec_outb_sa_valid(struct roc_onf_ipsec_outb_sa *sa) +{ + return !!sa->ctl.valid; +} + uint8_t cnxk_ipsec_ivlen_get(enum rte_crypto_cipher_algorithm c_algo, enum rte_crypto_auth_algorithm a_algo, diff --git a/drivers/common/cnxk/cnxk_security.h b/drivers/common/cnxk/cnxk_security.h index 602f583..db97887 100644 --- a/drivers/common/cnxk/cnxk_security.h +++ b/drivers/common/cnxk/cnxk_security.h 
@@ -46,4 +46,16 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa, bool __roc_api cnxk_ot_ipsec_inb_sa_valid(struct roc_ot_ipsec_inb_sa *sa); bool __roc_api cnxk_ot_ipsec_outb_sa_valid(struct roc_ot_ipsec_outb_sa *sa); +/* [CN9K, CN10K) */ +int __roc_api +cnxk_onf_ipsec_inb_sa_fill(struct roc_onf_ipsec_inb_sa *sa, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm); +int __roc_api +cnxk_onf_ipsec_outb_sa_fill(struct roc_onf_ipsec_outb_sa *sa, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm); +bool __roc_api cnxk_onf_ipsec_inb_sa_valid(struct roc_onf_ipsec_inb_sa *sa); +bool __roc_api cnxk_onf_ipsec_outb_sa_valid(struct roc_onf_ipsec_outb_sa *sa); + #endif /* _CNXK_SECURITY_H__ */ diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map index fff7902..f7b6ef6 100644 --- a/drivers/common/cnxk/version.map +++ b/drivers/common/cnxk/version.map @@ -14,6 +14,10 @@ INTERNAL { cnxk_logtype_sso; cnxk_logtype_tim; cnxk_logtype_tm; + cnxk_onf_ipsec_inb_sa_fill; + cnxk_onf_ipsec_outb_sa_fill; + cnxk_onf_ipsec_inb_sa_valid; + cnxk_onf_ipsec_outb_sa_valid; cnxk_ot_ipsec_inb_sa_fill; cnxk_ot_ipsec_outb_sa_fill; cnxk_ot_ipsec_inb_sa_valid;
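Review bot: In the cnxk_security.c hunk, cnxk_onf_ipsec_outb_sa_fill() rejects an IPv6 tunnel (-ENOTSUP) or an unknown tunnel type (-EINVAL) only after onf_ipsec_sa_common_param_fill() has already written the cipher key (and, depending on the algorithm, the salt or the HMAC opad/ipad) into the SA, so a failed call returns with key material left in sa->cipher_key and sa->hmac_key. Consider checking ipsec_xfrm->mode and tunnel->type before the common fill, or clearing the SA on the error path. The same concern applies inside onf_ipsec_sa_common_param_fill(): memcpy(cipher_key, key, length) writes only length bytes, ctl->esn_en is set but never cleared, and ctl->valid is not reset before the other fields are rewritten, so the result is only well defined for an SA that is zeroed and not yet valid. Either clear the SA at entry or state that precondition. Smaller points in the same function: key is copied without a NULL check on aead.key.data or cipher.key.data, and the bounds 20 and 64 on auth_key_len and the literal 4 in the salt memcpy would be clearer as named constants.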
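Review bot: The four prototypes added in the cnxk_security.h hunk are documented only by the comment /* [CN9K, CN10K) */, which does not tell a caller what the fill functions expect or return. A short doc comment per function would help: whether the SA has to be zeroed and not valid before the call, that ctl->valid is set last (after rte_wmb()) and only on success, and what the return codes mean as used in cnxk_security.c (-EINVAL for a malformed xform chain, direction, mode or key length; -ENOTSUP for AH, IPv6 tunnels, HMAC key lengths outside 20..64, and algorithms other than AES-GCM or AES-CBC with SHA1-HMAC).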