From patchwork Mon Jan 31 12:30:26 2022
X-Patchwork-Submitter: Tejasree Kondoj
X-Patchwork-Id: 106734
X-Patchwork-Delegate: gakhil@marvell.com
From: Tejasree Kondoj
To: Akhil Goyal
CC: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Archana Muniganti
Subject: [PATCH 2/5] crypto/cnxk: add ESN and antireplay support
Date: Mon, 31 Jan 2022 18:00:26 +0530
Message-ID: <20220131123029.4024-3-ktejasree@marvell.com>
In-Reply-To: <20220131123029.4024-1-ktejasree@marvell.com>
References: <20220131123029.4024-1-ktejasree@marvell.com>
List-Id: DPDK patches and discussions

Adding lookaside IPsec ESN and anti-replay support through security session update.

Signed-off-by: Tejasree Kondoj
---
 doc/guides/cryptodevs/cnxk.rst | 2 +
 doc/guides/rel_notes/release_22_03.rst | 1 +
 drivers/common/cnxk/cnxk_security.c | 3 ++
 drivers/common/cnxk/cnxk_security_ar.h | 2 +-
 drivers/common/cnxk/roc_ie_on.h | 2 +
 drivers/crypto/cnxk/cn10k_ipsec.c | 36 +++++++++++++++-
 drivers/crypto/cnxk/cn9k_ipsec.c | 43 ++++++++++++++++++-
 drivers/crypto/cnxk/cn9k_ipsec_la_ops.h | 16 ++++++-
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 4 ++
 9 files changed, 103 insertions(+), 6 deletions(-)
diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index 3c585175e3..46431dd755 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -279,6 +279,8 @@ CN10XX Features supported * IPv4 * ESP +* ESN +* Anti-replay * Tunnel mode * Transport mode * UDP Encapsulation diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index 3bc0630c7c..a992fe85f5 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -64,6 +64,7 @@ New Features * Added NULL cipher support in lookaside protocol (IPsec) for CN9K & CN10K. * Added AES-XCBC support in lookaside protocol (IPsec) for CN9K & CN10K. * Added AES-CMAC support in CN9K & CN10K. + * Added ESN and anti-replay support in lookaside protocol (IPsec) for CN10K. * **Added an API to retrieve event port id of ethdev Rx adapter.** diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index 035d61180a..718983d892 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -492,6 +492,9 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa, /* ESN */ sa->w0.s.esn_en = !!ipsec_xfrm->options.esn; + if (ipsec_xfrm->esn.value) + sa->ctx.esn_val = ipsec_xfrm->esn.value - 1; + if (ipsec_xfrm->options.udp_encap) { sa->w10.s.udp_src_port = 4500; sa->w10.s.udp_dst_port = 4500; diff --git a/drivers/common/cnxk/cnxk_security_ar.h b/drivers/common/cnxk/cnxk_security_ar.h index 3ec4c296c2..deb38db0d0 100644 --- a/drivers/common/cnxk/cnxk_security_ar.h +++ b/drivers/common/cnxk/cnxk_security_ar.h @@ -13,7 +13,7 @@ /* u64 array size to fit anti replay window bits */ #define AR_WIN_ARR_SZ \ - (PLT_ALIGN_CEIL(CNXK_ON_AR_WIN_SIZE_MAX, BITS_PER_LONG_LONG) / \ + (PLT_ALIGN_CEIL(CNXK_ON_AR_WIN_SIZE_MAX + 1, BITS_PER_LONG_LONG) / \ BITS_PER_LONG_LONG) #define WORD_SHIFT 6 
diff --git a/drivers/common/cnxk/roc_ie_on.h b/drivers/common/cnxk/roc_ie_on.h index aaad87243f..638b02062d 100644 --- a/drivers/common/cnxk/roc_ie_on.h +++ b/drivers/common/cnxk/roc_ie_on.h @@ -18,6 +18,8 @@ enum roc_ie_on_ucc_ipsec { ROC_IE_ON_UCC_SUCCESS = 0, ROC_IE_ON_AUTH_UNSUPPORTED = 0xB0, ROC_IE_ON_ENCRYPT_UNSUPPORTED = 0xB1, + /* Software defined completion code for anti-replay failed packets */ + ROC_IE_ON_SWCC_ANTI_REPLAY = 0xE7, }; /* Helper macros */ diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c index 7f4ccaff99..c95c57a84d 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.c +++ b/drivers/crypto/cnxk/cn10k_ipsec.c @@ -239,7 +239,7 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf, } /* Trigger CTX flush so that data is written back to DRAM */ - roc_cpt_lf_ctx_flush(lf, in_sa, false); + roc_cpt_lf_ctx_flush(lf, in_sa, true); plt_atomic_thread_fence(__ATOMIC_SEQ_CST); @@ -410,6 +410,39 @@ cn10k_sec_session_stats_get(void *device, struct rte_security_session *sess, return 0; } +static int +cn10k_sec_session_update(void *device, struct rte_security_session *sess, + struct rte_security_session_conf *conf) +{ + struct rte_cryptodev *crypto_dev = device; + struct cn10k_sec_session *priv; + struct roc_cpt *roc_cpt; + struct cnxk_cpt_qp *qp; + struct cnxk_cpt_vf *vf; + int ret; + + priv = get_sec_session_private_data(sess); + if (priv == NULL) + return -EINVAL; + + qp = crypto_dev->data->queue_pairs[0]; + if (qp == NULL) + return -EINVAL; + + if (conf->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + return -ENOTSUP; + + ret = cnxk_ipsec_xform_verify(&conf->ipsec, conf->crypto_xform); + if (ret) + return ret; + + vf = crypto_dev->data->dev_private; + roc_cpt = &vf->cpt; + + return cn10k_ipsec_outb_sa_create(roc_cpt, &qp->lf, &conf->ipsec, + conf->crypto_xform, sess); +} + /* Update platform specific security ops */ void cn10k_sec_ops_override(void) 
@@ -419,4 +452,5 @@ cn10k_sec_ops_override(void) cnxk_sec_ops.session_destroy = cn10k_sec_session_destroy; cnxk_sec_ops.session_get_size = cn10k_sec_session_get_size; cnxk_sec_ops.session_stats_get = cn10k_sec_session_stats_get; + cnxk_sec_ops.session_update = cn10k_sec_session_update; } diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c index 9f876f75f2..f71b5101db 100644 --- a/drivers/crypto/cnxk/cn9k_ipsec.c +++ b/drivers/crypto/cnxk/cn9k_ipsec.c @@ -289,6 +289,11 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec, if (cipher_key_len != 0) memcpy(common_sa->cipher_key, cipher_key, cipher_key_len); + if (ipsec->esn.value) { + common_sa->esn_low = ipsec->esn.low; + common_sa->esn_hi = ipsec->esn.hi; + } + return 0; } @@ -330,6 +335,9 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp, sa->seq_lo = 1; sa->seq_hi = 0; + if (ipsec->esn.value) + sa->esn = ipsec->esn.value; + ret = fill_ipsec_common_sa(ipsec, crypto_xform, &out_sa->common_sa); if (ret) return ret; @@ -595,8 +603,8 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp, sa->ar.wint = sa->replay_win_sz; sa->ar.base = sa->replay_win_sz; - in_sa->common_sa.esn_low = 0; - in_sa->common_sa.esn_hi = 0; + in_sa->common_sa.esn_low = sa->seq_lo; + in_sa->common_sa.esn_hi = sa->seq_hi; } return cn9k_cpt_enq_sa_write( 
@@ -772,6 +780,36 @@ cn9k_sec_session_get_size(void *device __rte_unused) return sizeof(struct cn9k_sec_session); } +static int +cn9k_sec_session_update(void *device, struct rte_security_session *sec_sess, + struct rte_security_session_conf *conf) +{ + struct rte_cryptodev *crypto_dev = device; + struct cnxk_cpt_qp *qp; + int ret; + + qp = crypto_dev->data->queue_pairs[0]; + if (qp == NULL) { + plt_err("CPT queue pairs need to be setup for updating security" + " session"); + return -EPERM; + } + + if (conf->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + return -ENOTSUP; + + ret = cnxk_ipsec_xform_verify(&conf->ipsec, conf->crypto_xform); + if (ret) + return ret; + + ret = cn9k_ipsec_xform_verify(&conf->ipsec, conf->crypto_xform); + if (ret) + return ret; + + return cn9k_ipsec_outb_sa_create(qp, &conf->ipsec, conf->crypto_xform, + sec_sess); +} + /* Update platform specific security ops */ void cn9k_sec_ops_override(void) @@ -780,4 +818,5 @@ cn9k_sec_ops_override(void) cnxk_sec_ops.session_create = cn9k_sec_session_create; cnxk_sec_ops.session_destroy = cn9k_sec_session_destroy; cnxk_sec_ops.session_get_size = cn9k_sec_session_get_size; + cnxk_sec_ops.session_update = cn9k_sec_session_update; } diff --git a/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h index 9a1e217042..df89aaca4e 100644 --- a/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h +++ b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h 
@@ -140,8 +140,20 @@ process_inb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa, if (sa->replay_win_sz) { ret = ipsec_antireplay_check(sa, sa->replay_win_sz, m_src); if (unlikely(ret)) { - plt_dp_err("Anti replay check failed"); - return ret; + /* Use PASSTHROUGH op for failed antireplay packet */ + inst->w4.u64 = 0; + inst->w4.s.opcode_major = ROC_SE_MAJOR_OP_MISC; + inst->w4.s.opcode_minor = + ROC_SE_MISC_MINOR_OP_PASSTHROUGH; + inst->w4.s.param1 = 1; + /* Send out completion code only */ + inst->w4.s.param2 = + (ROC_IE_ON_SWCC_ANTI_REPLAY << 8) | 0x1; + inst->w4.s.dlen = 1; + inst->dptr = rte_pktmbuf_iova(m_src); + inst->rptr = inst->dptr; + inst->w7.u64 = sa->inst.w7; + return 0; } } diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index f8c007e320..04402a4b46 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -9,6 +9,7 @@ #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_capabilities.h" +#include "cnxk_security_ar.h" #define CPT_CAPS_ADD(cnxk_caps, cur_pos, hw_caps, name) \ do { \ @@ -1161,6 +1162,8 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap) sec_cap->ipsec.options.ip_csum_enable = 1; sec_cap->ipsec.options.l4_csum_enable = 1; sec_cap->ipsec.options.stats = 1; + sec_cap->ipsec.options.esn = 1; + sec_cap->ipsec.replay_win_sz_max = ROC_AR_WIN_SIZE_MAX; } static void @@ -1171,6 +1174,7 @@ cn9k_sec_caps_update(struct rte_security_capability *sec_cap) sec_cap->ipsec.options.iv_gen_disable = 1; #endif } + sec_cap->ipsec.replay_win_sz_max = CNXK_ON_AR_WIN_SIZE_MAX; } void
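Review bot: the release note line added in doc/guides/rel_notes/release_22_03.rst names only CN10K, and the cnxk.rst hunk adds ESN and Anti-replay only under "CN10XX Features supported", yet this patch also registers cn9k_sec_session_update and copies ipsec->esn into the CN9K SA. Either extend the release note and the feature list to CN9K, or state in the commit message that the CN9K changes are preparatory and not yet a supported feature.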
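Review bot: in the cnxk_security.c hunk, the new store sa->ctx.esn_val = ipsec_xfrm->esn.value - 1 in cnxk_ot_ipsec_outb_sa_fill carries no comment explaining the off-by-one, and cn9k_ipsec_outb_sa_create in this same patch stores esn.value unmodified into sa->esn. Add a comment saying whether the field holds the last-used or the next-to-use sequence number on each platform. The store is also guarded by esn.value being non-zero rather than by options.esn, so a zero value leaves ctx.esn_val at whatever it held before; say whether that is intended when the function runs again on session update.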
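Review bot: the "+ 1" added to CNXK_ON_AR_WIN_SIZE_MAX inside AR_WIN_ARR_SZ in cnxk_security_ar.h is unexplained, and the comment above the macro still reads only "u64 array size to fit anti replay window bits". Say what the extra bit is for, and mention the sizing change in the commit message, since it grows the array by one word whenever CNXK_ON_AR_WIN_SIZE_MAX is a multiple of BITS_PER_LONG_LONG.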
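Review bot: the change of the last argument of roc_cpt_lf_ctx_flush from false to true in cn10k_ipsec_inb_sa_create touches the inbound SA create path, which the commit message (ESN and anti-replay through session update) does not cover. Explain in the commit message why the flush behaviour has to change for this feature, or move it to its own patch so it can be reviewed and bisected separately.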
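Review bot: cn10k_sec_session_update rejects ingress using conf->ipsec.direction only; priv is fetched and NULL-checked but never used afterwards, so nothing confirms that the session being updated is itself an outbound SA before cn10k_ipsec_outb_sa_create rewrites it. Validate the request against the session's own state as well as against conf. The same check is missing in cn9k_sec_session_update, and the two functions disagree on the error for a NULL queue pair (-EINVAL here, -EPERM with plt_err on CN9K); pick one. The hard-coded queue_pairs[0] also deserves a comment.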
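Review bot: in the cn9k_ipsec_outb_sa_create hunk, the context lines sa->seq_lo = 1 and sa->seq_hi = 0 still run unconditionally before the new sa->esn assignment, and cn9k_sec_session_update now calls this function on a live session. An update therefore re-initialises the outbound sequence state, and with esn.value == 0 nothing replaces it, so sequence numbers can restart under the same key. Either require a non-zero esn.value on the update path or keep the existing counters when none is supplied, and document which.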
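Review bot: in process_inb_sa the anti-replay failure branch now returns 0 and drops the plt_dp_err, so a replayed packet is signalled only through the ROC_IE_ON_SWCC_ANTI_REPLAY completion code, and nothing visible in this patch maps that code to a failed op status on the dequeue side or counts it. Confirm the dequeue path reports 0xE7 as an error so the packet is not delivered as a success, and consider a per-SA counter so replay drops stay observable. The literals in param1 = 1, dlen = 1 and the "| 0x1" in param2 need named constants or a comment.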
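Review bot: in cnxk_cryptodev_capabilities.c, cn10k_sec_caps_update sets both options.esn and replay_win_sz_max, while the visible part of cn9k_sec_caps_update sets only replay_win_sz_max, although this patch writes ESN values into the CN9K SA. Advertise options.esn for CN9K if it is supported, or note why it is left out. The CN9K assignment is also placed after the closing brace of the preceding block, so it applies to every capability entry passed in; confirm that is intended for egress entries too.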