@@ -294,18 +294,11 @@ by comma. When the same parameter is used more than once first occurrence of the
is used.
Maximum threshold that can be set is 32.
-Running QAT PMD with Intel IPSEC MB library for symmetric precomputes function
+Running QAT PMD with Intel IPsec MB library for symmetric precomputes function
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-The QAT PMD use Openssl library for partial hash calculation in symmetirc precomputes function by
-default, the following parameter is allow QAT PMD switch over to multi-buffer job API if Intel
-IPSEC MB library installed on system.
-
-- qat_ipsec_mb_lib
-
-To use this feature the user must set the parameter on process start as a device additional parameter::
-
- -a 03:01.1,qat_ipsec_mb_lib=1
+The QAT PMD uses Intel IPsec MB library for partial hash calculation in symmetric precomputes function by
+default, the minimum required version of IPsec MB library is v1.4.
Device and driver naming
@@ -27,30 +27,23 @@ if disable_drivers.contains(qat_compress_path)
'Explicitly disabled via build config')
endif
-libcrypto = dependency('libcrypto', required: false, method: 'pkg-config')
-if qat_crypto and not libcrypto.found()
- qat_crypto = false
- dpdk_drvs_disabled += qat_crypto_path
- set_variable(qat_crypto_path.underscorify() + '_disable_reason',
- 'missing dependency, libcrypto')
-endif
-
-IMB_required_ver = '1.2.0'
+IMB_required_ver = '1.4.0'
IMB_header = '#include<intel-ipsec-mb.h>'
if arch_subdir == 'arm'
IMB_header = '#include<ipsec-mb.h>'
endif
libipsecmb = cc.find_library('IPSec_MB', required: false)
-libcrypto_3 = dependency('libcrypto', required: false,
- method: 'pkg-config', version : '>=3.0.0')
-if libipsecmb.found() and libcrypto_3.found()
+if libipsecmb.found()
# version comes with quotes, so we split based on " and take the middle
imb_ver = cc.get_define('IMB_VERSION_STR',
prefix : IMB_header).split('"')[1]
- if (imb_ver.version_compare('>=' + IMB_required_ver))
- ext_deps += libipsecmb
- dpdk_conf.set('RTE_QAT_LIBIPSECMB', true)
+ if (imb_ver.version_compare('<' + IMB_required_ver))
+ qat_crypto = false
+ dpdk_drvs_disabled += qat_crypto_path
+ set_variable(qat_crypto_path.underscorify() + '_disable_reason',
+ 'missing dependency, "IPsec_MB" >= @0@ is required, found version @1@'
+ .format(IMB_required_ver, imb_ver))
endif
endif
@@ -103,6 +96,6 @@ if qat_crypto
sources += files(join_paths(qat_crypto_relpath, f))
endforeach
deps += ['security']
- ext_deps += libcrypto
+ ext_deps += libipsecmb
cflags += ['-DBUILD_QAT_SYM', '-DBUILD_QAT_ASYM']
endif
@@ -365,7 +365,6 @@ static int qat_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
struct qat_pci_device *qat_pci_dev;
struct qat_dev_hw_spec_funcs *ops_hw;
struct qat_dev_cmd_param qat_dev_cmd_param[] = {
- { QAT_IPSEC_MB_LIB, 0 },
{ SYM_ENQ_THRESHOLD_NAME, 0 },
{ ASYM_ENQ_THRESHOLD_NAME, 0 },
{ COMP_ENQ_THRESHOLD_NAME, 0 },
@@ -17,12 +17,11 @@
#define QAT_DEV_NAME_MAX_LEN 64
-#define QAT_IPSEC_MB_LIB "qat_ipsec_mb_lib"
#define SYM_ENQ_THRESHOLD_NAME "qat_sym_enq_threshold"
#define ASYM_ENQ_THRESHOLD_NAME "qat_asym_enq_threshold"
#define COMP_ENQ_THRESHOLD_NAME "qat_comp_enq_threshold"
#define QAT_CMD_SLICE_MAP "qat_cmd_slice_disable"
-#define QAT_CMD_SLICE_MAP_POS 4
+#define QAT_CMD_SLICE_MAP_POS 3
#define MAX_QP_THRESHOLD_SIZE 32
/**
@@ -17,31 +17,6 @@
(ICP_QAT_FW_COMN_STATUS_FLAG_OK == \
ICP_QAT_FW_COMN_RESP_CRYPTO_STAT_GET(resp->comn_hdr.comn_status))
-static __rte_always_inline int
-op_bpi_cipher_decrypt(uint8_t *src, uint8_t *dst,
- uint8_t *iv, int ivlen, int srclen,
- void *bpi_ctx)
-{
- EVP_CIPHER_CTX *ctx = (EVP_CIPHER_CTX *)bpi_ctx;
- int encrypted_ivlen;
- uint8_t encrypted_iv[BPI_MAX_ENCR_IV_LEN];
- uint8_t *encr = encrypted_iv;
-
- /* ECB method: encrypt (not decrypt!) the IV, then XOR with plaintext */
- if (EVP_EncryptUpdate(ctx, encrypted_iv, &encrypted_ivlen, iv, ivlen)
- <= 0)
- goto cipher_decrypt_err;
-
- for (; srclen != 0; --srclen, ++dst, ++src, ++encr)
- *dst = *src ^ *encr;
-
- return 0;
-
-cipher_decrypt_err:
- QAT_DP_LOG(ERR, "libcrypto ECB cipher decrypt for BPI IV failed");
- return -EINVAL;
-}
-
static __rte_always_inline uint32_t
qat_bpicipher_preprocess(struct qat_sym_session *ctx,
struct rte_crypto_op *op)
@@ -82,8 +57,8 @@ qat_bpicipher_preprocess(struct qat_sym_session *ctx,
QAT_DP_HEXDUMP_LOG(DEBUG, "BPI: dst before pre-process:",
dst, last_block_len);
#endif
- op_bpi_cipher_decrypt(last_block, dst, iv, block_len,
- last_block_len, ctx->bpi_ctx);
+ bpi_cipher_job(last_block, dst, iv, last_block_len, ctx->expkey,
+ ctx->mb_mgr, ctx->docsis_key_len);
#if RTE_LOG_DP_LEVEL >= RTE_LOG_DEBUG
QAT_DP_HEXDUMP_LOG(DEBUG, "BPI: src after pre-process:",
last_block, last_block_len);
@@ -231,7 +206,7 @@ qat_sym_convert_op_to_vec_cipher(struct rte_crypto_op *op,
cipher_ofs = op->sym->cipher.data.offset >> 3;
break;
case 0:
- if (ctx->bpi_ctx) {
+ if (ctx->mb_mgr) {
/* DOCSIS - only send complete blocks to device.
* Process any partial block using CFB mode.
* Even if 0 complete blocks, still send this to device
@@ -1,9 +1,7 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2015-2022 Intel Corporation
+ * Copyright(c) 2015-2023 Intel Corporation
*/
-#include <openssl/evp.h>
-
#include <rte_mempool.h>
#include <rte_mbuf.h>
#include <rte_crypto_sym.h>
@@ -16,7 +14,6 @@
#include "qat_qp.h"
uint8_t qat_sym_driver_id;
-int qat_ipsec_mb_lib;
struct qat_crypto_gen_dev_ops qat_sym_gen_dev_ops[QAT_N_GENS];
@@ -110,7 +107,7 @@ qat_sym_build_request(void *in_op, uint8_t *out_msg,
struct rte_cryptodev *cdev;
struct qat_cryptodev_private *internals;
- if (unlikely(ctx->bpi_ctx == NULL)) {
+ if (unlikely(ctx->mb_mgr == NULL)) {
QAT_DP_LOG(ERR, "QAT PMD only supports security"
" operation requests for"
" DOCSIS, op (%p) is not for"
@@ -279,8 +276,6 @@ qat_sym_dev_create(struct qat_pci_device *qat_pci_dev,
if (!strcmp(qat_dev_cmd_param[i].name, SYM_ENQ_THRESHOLD_NAME))
internals->min_enq_burst_threshold =
qat_dev_cmd_param[i].val;
- if (!strcmp(qat_dev_cmd_param[i].name, QAT_IPSEC_MB_LIB))
- qat_ipsec_mb_lib = qat_dev_cmd_param[i].val;
if (!strcmp(qat_dev_cmd_param[i].name, QAT_CMD_SLICE_MAP))
slice_map = qat_dev_cmd_param[i].val;
i++;
@@ -20,6 +20,11 @@
#include "qat_sym_session.h"
#include "qat_crypto.h"
#include "qat_logs.h"
+#if defined(RTE_ARCH_ARM)
+#include <ipsec-mb.h>
+#else
+#include <intel-ipsec-mb.h>
+#endif
#define BYTE_LENGTH 8
/* bpi is only used for partial blocks of DES and AES
@@ -134,33 +139,16 @@ uint16_t
qat_sym_dequeue_burst(void *qp, struct rte_crypto_op **ops,
uint16_t nb_ops);
-/** Encrypt a single partial block
- * Depends on openssl libcrypto
- * Uses ECB+XOR to do CFB encryption, same result, more performant
- */
-static inline int
-bpi_cipher_encrypt(uint8_t *src, uint8_t *dst,
- uint8_t *iv, int ivlen, int srclen,
- void *bpi_ctx)
+static __rte_always_inline void
+bpi_cipher_job(uint8_t *src, uint8_t *dst, uint8_t *iv, int srclen,
+ uint64_t *expkey, IMB_MGR *m, uint8_t docsis_key_len)
{
- EVP_CIPHER_CTX *ctx = (EVP_CIPHER_CTX *)bpi_ctx;
- int encrypted_ivlen;
- uint8_t encrypted_iv[BPI_MAX_ENCR_IV_LEN];
- uint8_t *encr = encrypted_iv;
-
- /* ECB method: encrypt the IV, then XOR this with plaintext */
- if (EVP_EncryptUpdate(ctx, encrypted_iv, &encrypted_ivlen, iv, ivlen)
- <= 0)
- goto cipher_encrypt_err;
-
- for (; srclen != 0; --srclen, ++dst, ++src, ++encr)
- *dst = *src ^ *encr;
-
- return 0;
-
-cipher_encrypt_err:
- QAT_DP_LOG(ERR, "libcrypto ECB cipher encrypt failed");
- return -EINVAL;
+ if (docsis_key_len == ICP_QAT_HW_AES_128_KEY_SZ)
+ IMB_AES128_CFB_ONE(m, dst, src, (uint64_t *)iv, expkey, srclen);
+ else if (docsis_key_len == ICP_QAT_HW_AES_256_KEY_SZ)
+ IMB_AES256_CFB_ONE(m, dst, src, (uint64_t *)iv, expkey, srclen);
+ else if (docsis_key_len == ICP_QAT_HW_DES_KEY_SZ)
+ des_cfb_one(dst, src, (uint64_t *)iv, expkey, srclen);
}
static inline uint32_t
@@ -207,8 +195,8 @@ qat_bpicipher_postprocess(struct qat_sym_session *ctx,
"BPI: dst before post-process:",
dst, last_block_len);
#endif
- bpi_cipher_encrypt(last_block, dst, iv, block_len,
- last_block_len, ctx->bpi_ctx);
+ bpi_cipher_job(last_block, dst, iv, last_block_len, ctx->expkey,
+ ctx->mb_mgr, ctx->docsis_key_len);
#if RTE_LOG_DP_LEVEL >= RTE_LOG_DEBUG
QAT_DP_HEXDUMP_LOG(DEBUG, "BPI: src after post-process:",
last_block, last_block_len);
@@ -279,7 +267,7 @@ qat_sym_preprocess_requests(void **ops, uint16_t nb_ops)
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
ctx = SECURITY_GET_SESS_PRIV(op->sym->session);
- if (ctx == NULL || ctx->bpi_ctx == NULL)
+ if (ctx == NULL || ctx->mb_mgr == NULL)
continue;
qat_crc_generate(ctx, op);
@@ -327,7 +315,7 @@ qat_sym_process_response(void **op, uint8_t *resp, void *op_cookie,
} else {
rx_op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
- if (sess->bpi_ctx) {
+ if (sess->mb_mgr) {
qat_bpicipher_postprocess(sess, rx_op);
#ifdef RTE_LIB_SECURITY
if (is_docsis_sec)
@@ -2,21 +2,12 @@
* Copyright(c) 2015-2022 Intel Corporation
*/
-#define OPENSSL_API_COMPAT 0x10100000L
-
-#include <openssl/sha.h> /* Needed to calculate pre-compute values */
-#include <openssl/aes.h> /* Needed to calculate pre-compute values */
-#include <openssl/md5.h> /* Needed to calculate pre-compute values */
-#include <openssl/evp.h> /* Needed for bpi runt block processing */
-
-#ifdef RTE_QAT_LIBIPSECMB
#define NO_COMPAT_IMB_API_053
#if defined(RTE_ARCH_ARM)
#include <ipsec-mb.h>
#else
#include <intel-ipsec-mb.h>
#endif
-#endif
#include <rte_memcpy.h>
#include <rte_common.h>
@@ -33,40 +24,18 @@
#include "qat_sym_session.h"
#include "qat_sym.h"
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
-#include <openssl/provider.h>
-
-static OSSL_PROVIDER * legacy_lib;
-static OSSL_PROVIDER *default_lib;
-
-/* Some cryptographic algorithms such as MD and DES are now considered legacy
- * and not enabled by default in OpenSSL 3.0. Load up lagacy provider as MD5
- * DES are needed in QAT pre-computes and secure session creation.
+#define MD5_CBLOCK 64
+#define SHA_LBLOCK 16
+/* SHA treats input data as a contiguous array of 32 bit wide big-endian
+ * values.
*/
-static int ossl_legacy_provider_load(void)
-{
- /* Load Multiple providers into the default (NULL) library context */
- legacy_lib = OSSL_PROVIDER_load(NULL, "legacy");
- if (legacy_lib == NULL)
- return -EINVAL;
+#define SHA_CBLOCK (SHA_LBLOCK*4)
- default_lib = OSSL_PROVIDER_load(NULL, "default");
- if (default_lib == NULL) {
- OSSL_PROVIDER_unload(legacy_lib);
- return -EINVAL;
- }
-
- return 0;
-}
-
-static void ossl_legacy_provider_unload(void)
-{
- OSSL_PROVIDER_unload(legacy_lib);
- OSSL_PROVIDER_unload(default_lib);
-}
-#endif
-
-extern int qat_ipsec_mb_lib;
+/* SHA-256 treats input data as a contiguous array of 32 bit wide big-endian
+ * values.
+ */
+#define SHA256_CBLOCK (SHA_LBLOCK*4)
+#define SHA512_CBLOCK (SHA_LBLOCK*8)
/* SHA1 - 20 bytes - Initialiser state can be found in FIPS stds 180-2 */
static const uint8_t sha1InitialState[] = {
@@ -133,53 +102,44 @@ qat_sym_session_finalize(struct qat_sym_session *session)
qat_sym_session_init_common_hdr(session);
}
-/** Frees a context previously created
- * Depends on openssl libcrypto
- */
-static void
-bpi_cipher_ctx_free(void *bpi_ctx)
-{
- if (bpi_ctx != NULL)
- EVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)bpi_ctx);
-}
-
/** Creates a context in either AES or DES in ECB mode
- * Depends on openssl libcrypto
*/
static int
-bpi_cipher_ctx_init(enum rte_crypto_cipher_algorithm cryptodev_algo,
- enum rte_crypto_cipher_operation direction __rte_unused,
- const uint8_t *key, uint16_t key_length, void **ctx)
+ipsec_mb_ctx_init(const uint8_t *key, uint16_t key_length,
+ enum rte_crypto_cipher_algorithm cryptodev_algo,
+ uint64_t *expkey, uint32_t *dust, IMB_MGR **m)
{
- const EVP_CIPHER *algo = NULL;
int ret;
- *ctx = EVP_CIPHER_CTX_new();
- if (*ctx == NULL) {
- ret = -ENOMEM;
- goto ctx_init_err;
- }
+ *m = alloc_mb_mgr(0);
+ if (*m == NULL)
+ return -ENOMEM;
- if (cryptodev_algo == RTE_CRYPTO_CIPHER_DES_DOCSISBPI)
- algo = EVP_des_ecb();
- else
- if (key_length == ICP_QAT_HW_AES_128_KEY_SZ)
- algo = EVP_aes_128_ecb();
- else
- algo = EVP_aes_256_ecb();
+ init_mb_mgr_auto(*m, NULL);
- /* IV will be ECB encrypted whether direction is encrypt or decrypt*/
- if (EVP_EncryptInit_ex(*ctx, algo, NULL, key, 0) != 1) {
- ret = -EINVAL;
- goto ctx_init_err;
+ if (cryptodev_algo == RTE_CRYPTO_CIPHER_AES_DOCSISBPI) {
+ if (key_length == ICP_QAT_HW_AES_128_KEY_SZ)
+ IMB_AES_KEYEXP_128(*m, key, expkey, dust);
+ else if (key_length == ICP_QAT_HW_AES_256_KEY_SZ)
+ IMB_AES_KEYEXP_256(*m, key, expkey, dust);
+ else {
+ ret = -EFAULT;
+ goto error_out;
+ }
+ } else if (cryptodev_algo == RTE_CRYPTO_CIPHER_DES_DOCSISBPI) {
+ if (key_length == ICP_QAT_HW_DES_KEY_SZ)
+ IMB_DES_KEYSCHED(*m, (uint64_t *)expkey, key);
+ else {
+ ret = -EFAULT;
+ goto error_out;
+ }
}
-
return 0;
-ctx_init_err:
- if (*ctx != NULL) {
- EVP_CIPHER_CTX_free(*ctx);
- *ctx = NULL;
+error_out:
+ if (*m) {
+ free_mb_mgr(*m);
+ *m = NULL;
}
return ret;
}
@@ -232,8 +192,8 @@ qat_sym_session_clear(struct rte_cryptodev *dev __rte_unused,
{
struct qat_sym_session *s = CRYPTODEV_GET_SYM_SESS_PRIV(sess);
- if (s->bpi_ctx)
- bpi_cipher_ctx_free(s->bpi_ctx);
+ if (s->mb_mgr)
+ free_mb_mgr(s->mb_mgr);
}
static int
@@ -396,12 +356,14 @@ qat_sym_session_configure_cipher(struct rte_cryptodev *dev,
session->qat_mode = ICP_QAT_HW_CIPHER_CTR_MODE;
break;
case RTE_CRYPTO_CIPHER_DES_DOCSISBPI:
- ret = bpi_cipher_ctx_init(
- cipher_xform->algo,
- cipher_xform->op,
+ session->docsis_key_len = cipher_xform->key.length;
+ ret = ipsec_mb_ctx_init(
cipher_xform->key.data,
cipher_xform->key.length,
- &session->bpi_ctx);
+ cipher_xform->algo,
+ session->expkey,
+ session->dust,
+ &session->mb_mgr);
if (ret != 0) {
QAT_LOG(ERR, "failed to create DES BPI ctx");
goto error_out;
@@ -415,12 +377,14 @@ qat_sym_session_configure_cipher(struct rte_cryptodev *dev,
session->qat_mode = ICP_QAT_HW_CIPHER_CBC_MODE;
break;
case RTE_CRYPTO_CIPHER_AES_DOCSISBPI:
- ret = bpi_cipher_ctx_init(
- cipher_xform->algo,
- cipher_xform->op,
+ session->docsis_key_len = cipher_xform->key.length;
+ ret = ipsec_mb_ctx_init(
cipher_xform->key.data,
cipher_xform->key.length,
- &session->bpi_ctx);
+ cipher_xform->algo,
+ session->expkey,
+ session->dust,
+ &session->mb_mgr);
if (ret != 0) {
QAT_LOG(ERR, "failed to create AES BPI ctx");
goto error_out;
@@ -506,9 +470,9 @@ qat_sym_session_configure_cipher(struct rte_cryptodev *dev,
return 0;
error_out:
- if (session->bpi_ctx) {
- bpi_cipher_ctx_free(session->bpi_ctx);
- session->bpi_ctx = NULL;
+ if (session->mb_mgr) {
+ free_mb_mgr(session->mb_mgr);
+ session->mb_mgr = NULL;
}
return ret;
}
@@ -520,9 +484,6 @@ qat_sym_session_configure(struct rte_cryptodev *dev,
{
int ret;
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
- ossl_legacy_provider_load();
-#endif
ret = qat_sym_session_set_parameters(dev, xform,
CRYPTODEV_GET_SYM_SESS_PRIV(sess),
CRYPTODEV_GET_SYM_SESS_PRIV_IOVA(sess));
@@ -533,9 +494,6 @@ qat_sym_session_configure(struct rte_cryptodev *dev,
return ret;
}
-# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
- ossl_legacy_provider_unload();
-# endif
return 0;
}
@@ -1156,9 +1114,6 @@ static int qat_hash_get_block_size(enum icp_qat_hw_auth_algo qat_hash_alg)
#define HMAC_OPAD_VALUE 0x5c
#define HASH_XCBC_PRECOMP_KEY_NUM 3
-static const uint8_t AES_CMAC_SEED[ICP_QAT_HW_AES_128_KEY_SZ];
-
-#ifdef RTE_QAT_LIBIPSECMB
static int aes_ipsecmb_job(uint8_t *in, uint8_t *out, IMB_MGR *m,
const uint8_t *key, uint16_t auth_keylen)
{
@@ -1405,334 +1360,6 @@ static int qat_sym_do_precomputes_ipsec_mb(enum icp_qat_hw_auth_algo hash_alg,
free_mb_mgr(m);
return ret;
}
-#endif
-static int partial_hash_sha1(uint8_t *data_in, uint8_t *data_out)
-{
- SHA_CTX ctx;
-
- if (!SHA1_Init(&ctx))
- return -EFAULT;
- SHA1_Transform(&ctx, data_in);
- rte_memcpy(data_out, &ctx, SHA_DIGEST_LENGTH);
- return 0;
-}
-
-static int partial_hash_sha224(uint8_t *data_in, uint8_t *data_out)
-{
- SHA256_CTX ctx;
-
- if (!SHA224_Init(&ctx))
- return -EFAULT;
- SHA256_Transform(&ctx, data_in);
- rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);
- return 0;
-}
-
-static int partial_hash_sha256(uint8_t *data_in, uint8_t *data_out)
-{
- SHA256_CTX ctx;
-
- if (!SHA256_Init(&ctx))
- return -EFAULT;
- SHA256_Transform(&ctx, data_in);
- rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);
- return 0;
-}
-
-static int partial_hash_sha384(uint8_t *data_in, uint8_t *data_out)
-{
- SHA512_CTX ctx;
-
- if (!SHA384_Init(&ctx))
- return -EFAULT;
- SHA512_Transform(&ctx, data_in);
- rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);
- return 0;
-}
-
-static int partial_hash_sha512(uint8_t *data_in, uint8_t *data_out)
-{
- SHA512_CTX ctx;
-
- if (!SHA512_Init(&ctx))
- return -EFAULT;
- SHA512_Transform(&ctx, data_in);
- rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);
- return 0;
-}
-
-static int partial_hash_md5(uint8_t *data_in, uint8_t *data_out)
-{
- MD5_CTX ctx;
-
- if (!MD5_Init(&ctx))
- return -EFAULT;
- MD5_Transform(&ctx, data_in);
- rte_memcpy(data_out, &ctx, MD5_DIGEST_LENGTH);
-
- return 0;
-}
-
-static void aes_cmac_key_derive(uint8_t *base, uint8_t *derived)
-{
- int i;
-
- derived[0] = base[0] << 1;
- for (i = 1; i < ICP_QAT_HW_AES_BLK_SZ ; i++) {
- derived[i] = base[i] << 1;
- derived[i - 1] |= base[i] >> 7;
- }
-
- if (base[0] & 0x80)
- derived[ICP_QAT_HW_AES_BLK_SZ - 1] ^= QAT_AES_CMAC_CONST_RB;
-}
-
-static int
-partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg,
- uint8_t *data_in, uint8_t *data_out)
-{
- int digest_size;
- uint8_t digest[qat_hash_get_digest_size(
- ICP_QAT_HW_AUTH_ALGO_DELIMITER)];
- uint32_t *hash_state_out_be32;
- uint64_t *hash_state_out_be64;
- int i;
-
- /* Initialize to avoid gcc warning */
- memset(digest, 0, sizeof(digest));
-
- digest_size = qat_hash_get_digest_size(hash_alg);
- if (digest_size <= 0)
- return -EFAULT;
-
- hash_state_out_be32 = (uint32_t *)data_out;
- hash_state_out_be64 = (uint64_t *)data_out;
-
- switch (hash_alg) {
- case ICP_QAT_HW_AUTH_ALGO_SHA1:
- if (partial_hash_sha1(data_in, digest))
- return -EFAULT;
- for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
- *hash_state_out_be32 =
- rte_bswap32(*(((uint32_t *)digest)+i));
- break;
- case ICP_QAT_HW_AUTH_ALGO_SHA224:
- if (partial_hash_sha224(data_in, digest))
- return -EFAULT;
- for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
- *hash_state_out_be32 =
- rte_bswap32(*(((uint32_t *)digest)+i));
- break;
- case ICP_QAT_HW_AUTH_ALGO_SHA256:
- if (partial_hash_sha256(data_in, digest))
- return -EFAULT;
- for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
- *hash_state_out_be32 =
- rte_bswap32(*(((uint32_t *)digest)+i));
- break;
- case ICP_QAT_HW_AUTH_ALGO_SHA384:
- if (partial_hash_sha384(data_in, digest))
- return -EFAULT;
- for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)
- *hash_state_out_be64 =
- rte_bswap64(*(((uint64_t *)digest)+i));
- break;
- case ICP_QAT_HW_AUTH_ALGO_SHA512:
- if (partial_hash_sha512(data_in, digest))
- return -EFAULT;
- for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)
- *hash_state_out_be64 =
- rte_bswap64(*(((uint64_t *)digest)+i));
- break;
- case ICP_QAT_HW_AUTH_ALGO_MD5:
- if (partial_hash_md5(data_in, data_out))
- return -EFAULT;
- break;
- default:
- QAT_LOG(ERR, "invalid hash alg %u", hash_alg);
- return -EFAULT;
- }
-
- return 0;
-}
-
-static int qat_sym_do_precomputes(enum icp_qat_hw_auth_algo hash_alg,
- const uint8_t *auth_key,
- uint16_t auth_keylen,
- uint8_t *p_state_buf,
- uint16_t *p_state_len,
- uint8_t aes_cmac)
-{
- int block_size;
- uint8_t ipad[qat_hash_get_block_size(ICP_QAT_HW_AUTH_ALGO_DELIMITER)];
- uint8_t opad[qat_hash_get_block_size(ICP_QAT_HW_AUTH_ALGO_DELIMITER)];
- int i;
-
- if (hash_alg == ICP_QAT_HW_AUTH_ALGO_AES_XCBC_MAC) {
-
- /* CMAC */
- if (aes_cmac) {
- AES_KEY enc_key;
- uint8_t *in = NULL;
- uint8_t k0[ICP_QAT_HW_AES_128_KEY_SZ];
- uint8_t *k1, *k2;
-
- auth_keylen = ICP_QAT_HW_AES_128_KEY_SZ;
-
- in = rte_zmalloc("AES CMAC K1",
- ICP_QAT_HW_AES_128_KEY_SZ, 16);
-
- if (in == NULL) {
- QAT_LOG(ERR, "Failed to alloc memory");
- return -ENOMEM;
- }
-
- rte_memcpy(in, AES_CMAC_SEED,
- ICP_QAT_HW_AES_128_KEY_SZ);
- rte_memcpy(p_state_buf, auth_key, auth_keylen);
-
- if (AES_set_encrypt_key(auth_key, auth_keylen << 3,
- &enc_key) != 0) {
- rte_free(in);
- return -EFAULT;
- }
-
- AES_encrypt(in, k0, &enc_key);
-
- k1 = p_state_buf + ICP_QAT_HW_AES_XCBC_MAC_STATE1_SZ;
- k2 = k1 + ICP_QAT_HW_AES_XCBC_MAC_STATE1_SZ;
-
- aes_cmac_key_derive(k0, k1);
- aes_cmac_key_derive(k1, k2);
-
- memset(k0, 0, ICP_QAT_HW_AES_128_KEY_SZ);
- *p_state_len = ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ;
- rte_free(in);
- return 0;
- } else {
- static uint8_t qat_aes_xcbc_key_seed[
- ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ] = {
- 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
- 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
- 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
- 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
- 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
- 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
- };
-
- uint8_t *in = NULL;
- uint8_t *out = p_state_buf;
- int x;
- AES_KEY enc_key;
-
- in = rte_zmalloc("working mem for key",
- ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ, 16);
- if (in == NULL) {
- QAT_LOG(ERR, "Failed to alloc memory");
- return -ENOMEM;
- }
-
- rte_memcpy(in, qat_aes_xcbc_key_seed,
- ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);
- for (x = 0; x < HASH_XCBC_PRECOMP_KEY_NUM; x++) {
- if (AES_set_encrypt_key(auth_key,
- auth_keylen << 3,
- &enc_key) != 0) {
- rte_free(in -
- (x * ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ));
- memset(out -
- (x * ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ),
- 0, ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);
- return -EFAULT;
- }
- AES_encrypt(in, out, &enc_key);
- in += ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ;
- out += ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ;
- }
- *p_state_len = ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ;
- rte_free(in - x*ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ);
- return 0;
- }
-
- } else if ((hash_alg == ICP_QAT_HW_AUTH_ALGO_GALOIS_128) ||
- (hash_alg == ICP_QAT_HW_AUTH_ALGO_GALOIS_64)) {
- uint8_t *in = NULL;
- uint8_t *out = p_state_buf;
- AES_KEY enc_key;
-
- memset(p_state_buf, 0, ICP_QAT_HW_GALOIS_H_SZ +
- ICP_QAT_HW_GALOIS_LEN_A_SZ +
- ICP_QAT_HW_GALOIS_E_CTR0_SZ);
- in = rte_zmalloc("working mem for key",
- ICP_QAT_HW_GALOIS_H_SZ, 16);
- if (in == NULL) {
- QAT_LOG(ERR, "Failed to alloc memory");
- return -ENOMEM;
- }
-
- memset(in, 0, ICP_QAT_HW_GALOIS_H_SZ);
- if (AES_set_encrypt_key(auth_key, auth_keylen << 3,
- &enc_key) != 0) {
- return -EFAULT;
- }
- AES_encrypt(in, out, &enc_key);
- *p_state_len = ICP_QAT_HW_GALOIS_H_SZ +
- ICP_QAT_HW_GALOIS_LEN_A_SZ +
- ICP_QAT_HW_GALOIS_E_CTR0_SZ;
- rte_free(in);
- return 0;
- }
-
- block_size = qat_hash_get_block_size(hash_alg);
- if (block_size < 0)
- return block_size;
- /* init ipad and opad from key and xor with fixed values */
- memset(ipad, 0, block_size);
- memset(opad, 0, block_size);
-
- if (auth_keylen > (unsigned int)block_size) {
- QAT_LOG(ERR, "invalid keylen %u", auth_keylen);
- return -EFAULT;
- }
-
- RTE_VERIFY(auth_keylen <= sizeof(ipad));
- RTE_VERIFY(auth_keylen <= sizeof(opad));
-
- rte_memcpy(ipad, auth_key, auth_keylen);
- rte_memcpy(opad, auth_key, auth_keylen);
-
- for (i = 0; i < block_size; i++) {
- uint8_t *ipad_ptr = ipad + i;
- uint8_t *opad_ptr = opad + i;
- *ipad_ptr ^= HMAC_IPAD_VALUE;
- *opad_ptr ^= HMAC_OPAD_VALUE;
- }
-
- /* do partial hash of ipad and copy to state1 */
- if (partial_hash_compute(hash_alg, ipad, p_state_buf)) {
- memset(ipad, 0, block_size);
- memset(opad, 0, block_size);
- QAT_LOG(ERR, "ipad precompute failed");
- return -EFAULT;
- }
-
- /*
- * State len is a multiple of 8, so may be larger than the digest.
- * Put the partial hash of opad state_len bytes after state1
- */
- *p_state_len = qat_hash_get_state1_size(hash_alg);
- if (partial_hash_compute(hash_alg, opad, p_state_buf + *p_state_len)) {
- memset(ipad, 0, block_size);
- memset(opad, 0, block_size);
- QAT_LOG(ERR, "opad precompute failed");
- return -EFAULT;
- }
-
- /* don't leave data lying around */
- memset(ipad, 0, block_size);
- memset(opad, 0, block_size);
- return 0;
-}
static void
qat_sym_session_init_common_hdr(struct qat_sym_session *session)
@@ -2124,20 +1751,9 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
break;
}
/* SHA-1 HMAC */
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA1,
- authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
-#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing ?");
- return -EFAULT;
-#endif
- } else {
- ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA1, authkey,
- authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
- }
+ ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA1,
+ authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
+ cdesc->aes_cmac);
if (ret) {
QAT_LOG(ERR, "(SHA)precompute failed");
@@ -2155,20 +1771,9 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
break;
}
/* SHA-224 HMAC */
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA224,
+ ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA224,
authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
cdesc->aes_cmac);
-#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing ?");
- return -EFAULT;
-#endif
- } else {
- ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA224, authkey,
- authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
- }
if (ret) {
QAT_LOG(ERR, "(SHA)precompute failed");
@@ -2186,20 +1791,9 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
break;
}
/* SHA-256 HMAC */
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA256,
+ ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA256,
authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
cdesc->aes_cmac);
-#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing ?");
- return -EFAULT;
-#endif
- } else {
- ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA256, authkey,
- authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
- }
if (ret) {
QAT_LOG(ERR, "(SHA)precompute failed");
@@ -2217,20 +1811,9 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
break;
}
/* SHA-384 HMAC */
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA384,
+ ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA384,
authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
cdesc->aes_cmac);
-#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing ?");
- return -EFAULT;
-#endif
- } else {
- ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA384, authkey,
- authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
- }
if (ret) {
QAT_LOG(ERR, "(SHA)precompute failed");
@@ -2248,20 +1831,9 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
break;
}
/* SHA-512 HMAC */
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA512,
+ ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA512,
authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
cdesc->aes_cmac);
-#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing ?");
- return -EFAULT;
-#endif
- } else {
- ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA512, authkey,
- authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
- }
if (ret) {
QAT_LOG(ERR, "(SHA)precompute failed");
@@ -2298,21 +1870,10 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
if (cdesc->aes_cmac)
memset(cdesc->cd_cur_ptr, 0, state1_size);
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(
+ ret = qat_sym_do_precomputes_ipsec_mb(
ICP_QAT_HW_AUTH_ALGO_AES_XCBC_MAC,
authkey, authkeylen, cdesc->cd_cur_ptr + state1_size,
&state2_size, cdesc->aes_cmac);
-#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing ?");
- return -EFAULT;
-#endif
- } else {
- ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_AES_XCBC_MAC,
- authkey, authkeylen, cdesc->cd_cur_ptr + state1_size,
- &state2_size, cdesc->aes_cmac);
- }
if (ret) {
cdesc->aes_cmac ? QAT_LOG(ERR,
@@ -2326,20 +1887,9 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
case ICP_QAT_HW_AUTH_ALGO_GALOIS_64:
cdesc->qat_proto_flag = QAT_CRYPTO_PROTO_FLAG_GCM;
state1_size = ICP_QAT_HW_GALOIS_128_STATE1_SZ;
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(cdesc->qat_hash_alg, authkey,
+ ret = qat_sym_do_precomputes_ipsec_mb(cdesc->qat_hash_alg, authkey,
authkeylen, cdesc->cd_cur_ptr + state1_size,
&state2_size, cdesc->aes_cmac);
-#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing ?");
- return -EFAULT;
-#endif
- } else {
- ret = qat_sym_do_precomputes(cdesc->qat_hash_alg, authkey,
- authkeylen, cdesc->cd_cur_ptr + state1_size,
- &state2_size, cdesc->aes_cmac);
- }
if (ret) {
QAT_LOG(ERR, "(GCM)precompute failed");
@@ -2397,20 +1947,9 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
break;
case ICP_QAT_HW_AUTH_ALGO_MD5:
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_MD5,
+ ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_MD5,
authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
cdesc->aes_cmac);
-#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing");
- return -EFAULT;
-#endif
- } else {
- ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_MD5, authkey,
- authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
- }
if (ret) {
QAT_LOG(ERR, "(MD5)precompute failed");
@@ -2708,10 +2247,6 @@ qat_security_session_create(void *dev,
return -EINVAL;
}
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
- if (ossl_legacy_provider_load())
- return -EINVAL;
-#endif
ret = qat_sec_session_set_docsis_parameters(cdev, conf,
sess_private_data, SECURITY_GET_SESS_PRIV_IOVA(sess));
if (ret != 0) {
@@ -2719,9 +2254,6 @@ qat_security_session_create(void *dev,
return ret;
}
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
- ossl_legacy_provider_unload();
-#endif
return 0;
}
@@ -2733,8 +2265,8 @@ qat_security_session_destroy(void *dev __rte_unused,
struct qat_sym_session *s = (struct qat_sym_session *)sess_priv;
if (sess_priv) {
- if (s->bpi_ctx)
- bpi_cipher_ctx_free(s->bpi_ctx);
+ if (s->mb_mgr)
+ free_mb_mgr(s->mb_mgr);
memset(s, 0, qat_sym_session_get_private_size(dev));
}
@@ -15,6 +15,12 @@
#include "icp_qat_fw.h"
#include "icp_qat_fw_la.h"
+#if defined(RTE_ARCH_ARM)
+#include <ipsec-mb.h>
+#else
+#include <intel-ipsec-mb.h>
+#endif
+
/*
* Key Modifier (KM) value used in KASUMI algorithm in F9 mode to XOR
* Integrity Key (IK)
@@ -87,7 +93,6 @@ struct qat_sym_session {
enum icp_qat_hw_auth_algo qat_hash_alg;
enum icp_qat_hw_auth_op auth_op;
enum icp_qat_hw_auth_mode auth_mode;
- void *bpi_ctx;
struct qat_sym_cd cd;
uint8_t *cd_cur_ptr;
phys_addr_t cd_paddr;
@@ -118,6 +123,10 @@ struct qat_sym_session {
uint32_t slice_types;
enum qat_sym_proto_flag qat_proto_flag;
qat_sym_build_request_t build_request[2];
+ IMB_MGR *mb_mgr;
+ uint64_t expkey[4*15];
+ uint32_t dust[4*15];
+ uint8_t docsis_key_len;
};
int