@@ -331,18 +331,13 @@ To use this feature the user must set the devarg on process start as a device ad
-a 03:01.1,qat_sym_cipher_crc_enable=1
-Running QAT PMD with Intel IPSEC MB library for symmetric precomputes function
+Running QAT PMD with Intel IPsec MB library for symmetric precomputes function
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-The QAT PMD use Openssl library for partial hash calculation in symmetirc precomputes function by
-default, the following parameter is allow QAT PMD switch over to multi-buffer job API if Intel
-IPSEC MB library installed on system.
-
-- qat_ipsec_mb_lib
-
-To use this feature the user must set the parameter on process start as a device additional parameter::
-
- -a 03:01.1,qat_ipsec_mb_lib=1
+The QAT PMD uses Intel IPsec MB library for partial hash calculation in symmetric precomputes function by
+default, the minimum required version of IPsec MB library is v1.4. If this version of IPsec is not met it
+will fallback to use OpenSSL. ARM will always default to using OpenSSL as ARM IPsec MB does not support
+the necessary algorithms.
Device and driver naming
@@ -28,29 +28,45 @@ if disable_drivers.contains(qat_compress_path)
endif
libcrypto = dependency('libcrypto', required: false, method: 'pkg-config')
-if qat_crypto and not libcrypto.found()
- qat_crypto = false
- dpdk_drvs_disabled += qat_crypto_path
- set_variable(qat_crypto_path.underscorify() + '_disable_reason',
- 'missing dependency, libcrypto')
-endif
-IMB_required_ver = '1.2.0'
-IMB_header = '#include<intel-ipsec-mb.h>'
if arch_subdir == 'arm'
- IMB_header = '#include<ipsec-mb.h>'
-endif
-libipsecmb = cc.find_library('IPSec_MB', required: false)
-libcrypto_3 = dependency('libcrypto', required: false,
- method: 'pkg-config', version : '>=3.0.0')
-if libipsecmb.found() and libcrypto_3.found()
- # version comes with quotes, so we split based on " and take the middle
- imb_ver = cc.get_define('IMB_VERSION_STR',
- prefix : IMB_header).split('"')[1]
+ if libcrypto.found()
+ ext_deps += libcrypto
+ dpdk_conf.set('RTE_QAT_OPENSSL', true)
+ else
+ qat_crypto = false
+ dpdk_drvs_disabled += qat_crypto_path
+ set_variable(qat_crypto_path.underscorify() + '_disable_reason',
+ 'missing dependency for Arm, libcrypto')
+ endif
+else
+ IMB_required_ver = '1.4.0'
+ IMB_header = '#include<intel-ipsec-mb.h>'
+ libipsecmb = cc.find_library('IPSec_MB', required: false)
+ if libipsecmb.found()
+ # version comes with quotes, so we split based on " and take the middle
+ imb_ver = cc.get_define('IMB_VERSION_STR',
+ prefix : IMB_header).split('"')[1]
- if (imb_ver.version_compare('>=' + IMB_required_ver))
- ext_deps += libipsecmb
- dpdk_conf.set('RTE_QAT_LIBIPSECMB', true)
+ if (imb_ver.version_compare('>=' + IMB_required_ver))
+ ext_deps += libipsecmb
+ elif libcrypto.found()
+ ext_deps += libcrypto
+ dpdk_conf.set('RTE_QAT_OPENSSL', true)
+ else
+ qat_crypto = false
+ dpdk_drvs_disabled += qat_crypto_path
+ set_variable(qat_crypto_path.underscorify() + '_disable_reason',
+ 'missing dependency, libipsecmb or libcrypto')
+ endif
+ elif libcrypto.found()
+ ext_deps += libcrypto
+ dpdk_conf.set('RTE_QAT_OPENSSL', true)
+ else
+ qat_crypto = false
+ dpdk_drvs_disabled += qat_crypto_path
+ set_variable(qat_crypto_path.underscorify() + '_disable_reason',
+ 'missing dependency, libipsecmb or libcrypto')
endif
endif
@@ -103,6 +119,5 @@ if qat_crypto
sources += files(join_paths(qat_crypto_relpath, f))
endforeach
deps += ['security']
- ext_deps += libcrypto
cflags += ['-DBUILD_QAT_SYM', '-DBUILD_QAT_ASYM']
endif
@@ -372,7 +372,6 @@ static int qat_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
struct qat_dev_hw_spec_funcs *ops_hw;
struct qat_dev_cmd_param qat_dev_cmd_param[] = {
{ QAT_LEGACY_CAPA, 0 },
- { QAT_IPSEC_MB_LIB, 0 },
{ SYM_ENQ_THRESHOLD_NAME, 0 },
{ ASYM_ENQ_THRESHOLD_NAME, 0 },
{ COMP_ENQ_THRESHOLD_NAME, 0 },
@@ -18,13 +18,12 @@
#define QAT_DEV_NAME_MAX_LEN 64
#define QAT_LEGACY_CAPA "qat_legacy_capa"
-#define QAT_IPSEC_MB_LIB "qat_ipsec_mb_lib"
#define SYM_ENQ_THRESHOLD_NAME "qat_sym_enq_threshold"
#define ASYM_ENQ_THRESHOLD_NAME "qat_asym_enq_threshold"
#define COMP_ENQ_THRESHOLD_NAME "qat_comp_enq_threshold"
#define SYM_CIPHER_CRC_ENABLE_NAME "qat_sym_cipher_crc_enable"
#define QAT_CMD_SLICE_MAP "qat_cmd_slice_disable"
-#define QAT_CMD_SLICE_MAP_POS 6
+#define QAT_CMD_SLICE_MAP_POS 5
#define MAX_QP_THRESHOLD_SIZE 32
/**
@@ -82,8 +82,13 @@ qat_bpicipher_preprocess(struct qat_sym_session *ctx,
QAT_DP_HEXDUMP_LOG(DEBUG, "BPI: dst before pre-process:",
dst, last_block_len);
#endif
+#ifdef RTE_QAT_OPENSSL
op_bpi_cipher_decrypt(last_block, dst, iv, block_len,
last_block_len, ctx->bpi_ctx);
+#else
+ bpi_cipher_ipsec(last_block, dst, iv, last_block_len, ctx->expkey,
+ ctx->mb_mgr, ctx->docsis_key_len);
+#endif
#if RTE_LOG_DP_LEVEL >= RTE_LOG_DEBUG
QAT_DP_HEXDUMP_LOG(DEBUG, "BPI: src after pre-process:",
last_block, last_block_len);
@@ -231,7 +236,12 @@ qat_sym_convert_op_to_vec_cipher(struct rte_crypto_op *op,
cipher_ofs = op->sym->cipher.data.offset >> 3;
break;
case 0:
+
+#ifdef RTE_QAT_OPENSSL
if (ctx->bpi_ctx) {
+#else
+ if (ctx->mb_mgr) {
+#endif
/* DOCSIS - only send complete blocks to device.
* Process any partial block using CFB mode.
* Even if 0 complete blocks, still send this to device
@@ -375,6 +385,7 @@ qat_sym_convert_op_to_vec_chain(struct rte_crypto_op *op,
int is_oop = (op->sym->m_dst != NULL) &&
(op->sym->m_dst != op->sym->m_src);
int is_sgl = op->sym->m_src->nb_segs > 1;
+ int is_bpi = 0;
int n_src;
int ret;
@@ -399,9 +410,14 @@ qat_sym_convert_op_to_vec_chain(struct rte_crypto_op *op,
cipher_ofs = op->sym->cipher.data.offset >> 3;
break;
case 0:
+#ifdef RTE_QAT_OPENSSL
if (ctx->bpi_ctx) {
+#else
+ if (ctx->mb_mgr) {
+#endif
cipher_len = qat_bpicipher_preprocess(ctx, op);
cipher_ofs = op->sym->cipher.data.offset;
+ is_bpi = 1;
} else {
cipher_len = op->sym->cipher.data.length;
cipher_ofs = op->sym->cipher.data.offset;
@@ -436,7 +452,7 @@ qat_sym_convert_op_to_vec_chain(struct rte_crypto_op *op,
/* digest in buffer check. Needed only for wireless algos
* or combined cipher-crc operations
*/
- if (ret == 1 || ctx->bpi_ctx) {
+ if (ret == 1 || is_bpi) {
/* Handle digest-encrypted cases, i.e.
* auth-gen-then-cipher-encrypt and
* cipher-decrypt-then-auth-verify
@@ -465,7 +481,11 @@ qat_sym_convert_op_to_vec_chain(struct rte_crypto_op *op,
/* Then check if digest-encrypted conditions are met */
if (((auth_ofs + auth_len < cipher_ofs + cipher_len) &&
(digest->iova == auth_end_iova)) ||
+#ifdef RTE_QAT_OPENSSL
ctx->bpi_ctx)
+#else
+ ctx->mb_mgr)
+#endif
max_len = RTE_MAX(max_len, auth_ofs + auth_len +
ctx->digest_length);
}
@@ -702,7 +722,12 @@ enqueue_one_chain_job_gen1(struct qat_sym_session *ctx,
/* Then check if digest-encrypted conditions are met */
if (((auth_param->auth_off + auth_param->auth_len <
cipher_param->cipher_offset + cipher_param->cipher_length) &&
- (digest->iova == auth_iova_end)) || ctx->bpi_ctx) {
+ (digest->iova == auth_iova_end)) ||
+#ifdef RTE_QAT_OPENSSL
+ ctx->bpi_ctx) {
+#else
+ ctx->mb_mgr) {
+#endif
/* Handle partial digest encryption */
if (cipher_param->cipher_offset + cipher_param->cipher_length <
auth_param->auth_off + auth_param->auth_len +
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2015-2022 Intel Corporation
+ * Copyright(c) 2015-2023 Intel Corporation
*/
#include <openssl/evp.h>
@@ -16,7 +16,6 @@
#include "qat_qp.h"
uint8_t qat_sym_driver_id;
-int qat_ipsec_mb_lib;
int qat_legacy_capa;
struct qat_crypto_gen_dev_ops qat_sym_gen_dev_ops[QAT_N_GENS];
@@ -108,7 +107,11 @@ qat_sym_build_request(void *in_op, uint8_t *out_msg,
struct rte_cryptodev *cdev;
struct qat_cryptodev_private *internals;
+#ifdef RTE_QAT_OPENSSL
if (unlikely(ctx->bpi_ctx == NULL)) {
+#else
+ if (unlikely(ctx->mb_mgr == NULL)) {
+#endif
QAT_DP_LOG(ERR, "QAT PMD only supports security"
" operation requests for"
" DOCSIS, op (%p) is not for"
@@ -277,8 +280,6 @@ qat_sym_dev_create(struct qat_pci_device *qat_pci_dev,
SYM_CIPHER_CRC_ENABLE_NAME))
internals->cipher_crc_offload_enable =
qat_dev_cmd_param[i].val;
- if (!strcmp(qat_dev_cmd_param[i].name, QAT_IPSEC_MB_LIB))
- qat_ipsec_mb_lib = qat_dev_cmd_param[i].val;
if (!strcmp(qat_dev_cmd_param[i].name, QAT_LEGACY_CAPA))
qat_legacy_capa = qat_dev_cmd_param[i].val;
if (!strcmp(qat_dev_cmd_param[i].name, QAT_CMD_SLICE_MAP))
@@ -160,6 +160,20 @@ bpi_cipher_encrypt(uint8_t *src, uint8_t *dst,
return -EINVAL;
}
+#ifndef RTE_QAT_OPENSSL
+static __rte_always_inline void
+bpi_cipher_ipsec(uint8_t *src, uint8_t *dst, uint8_t *iv, int srclen,
+ uint64_t *expkey, IMB_MGR *m, uint8_t docsis_key_len)
+{
+ if (docsis_key_len == ICP_QAT_HW_AES_128_KEY_SZ)
+ IMB_AES128_CFB_ONE(m, dst, src, (uint64_t *)iv, expkey, srclen);
+ else if (docsis_key_len == ICP_QAT_HW_AES_256_KEY_SZ)
+ IMB_AES256_CFB_ONE(m, dst, src, (uint64_t *)iv, expkey, srclen);
+ else if (docsis_key_len == ICP_QAT_HW_DES_KEY_SZ)
+ des_cfb_one(dst, src, (uint64_t *)iv, expkey, srclen);
+}
+#endif
+
static inline uint32_t
qat_bpicipher_postprocess(struct qat_sym_session *ctx,
struct rte_crypto_op *op)
@@ -204,8 +218,13 @@ qat_bpicipher_postprocess(struct qat_sym_session *ctx,
"BPI: dst before post-process:",
dst, last_block_len);
#endif
+#ifdef RTE_QAT_OPENSSL
bpi_cipher_encrypt(last_block, dst, iv, block_len,
last_block_len, ctx->bpi_ctx);
+#else
+ bpi_cipher_ipsec(last_block, dst, iv, last_block_len, ctx->expkey,
+ ctx->mb_mgr, ctx->docsis_key_len);
+#endif
#if RTE_LOG_DP_LEVEL >= RTE_LOG_DEBUG
QAT_DP_HEXDUMP_LOG(DEBUG, "BPI: src after post-process:",
last_block, last_block_len);
@@ -275,7 +294,11 @@ qat_sym_preprocess_requests(void **ops, uint16_t nb_ops)
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
ctx = SECURITY_GET_SESS_PRIV(op->sym->session);
+#ifdef RTE_QAT_OPENSSL
if (ctx == NULL || ctx->bpi_ctx == NULL)
+#else
+ if (ctx == NULL || ctx->mb_mgr == NULL)
+#endif
continue;
if (ctx->qat_cmd != ICP_QAT_FW_LA_CMD_CIPHER_CRC)
@@ -320,7 +343,11 @@ qat_sym_process_response(void **op, uint8_t *resp, void *op_cookie,
} else {
rx_op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+#ifdef RTE_QAT_OPENSSL
if (sess->bpi_ctx) {
+#else
+ if (sess->mb_mgr) {
+#endif
qat_bpicipher_postprocess(sess, rx_op);
if (is_docsis_sec && sess->qat_cmd !=
ICP_QAT_FW_LA_CMD_CIPHER_CRC)
@@ -9,11 +9,8 @@
#include <openssl/md5.h> /* Needed to calculate pre-compute values */
#include <openssl/evp.h> /* Needed for bpi runt block processing */
-#ifdef RTE_QAT_LIBIPSECMB
-#define NO_COMPAT_IMB_API_053
-#if defined(RTE_ARCH_ARM)
-#include <ipsec-mb.h>
-#else
+#ifndef RTE_QAT_OPENSSL
+#ifndef RTE_ARCH_ARM
#include <intel-ipsec-mb.h>
#endif
#endif
@@ -32,6 +29,7 @@
#include "qat_sym_session.h"
#include "qat_sym.h"
+#ifdef RTE_QAT_OPENSSL
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
#include <openssl/provider.h>
@@ -64,8 +62,7 @@ static void ossl_legacy_provider_unload(void)
OSSL_PROVIDER_unload(default_lib);
}
#endif
-
-extern int qat_ipsec_mb_lib;
+#endif
#define ETH_CRC32_POLYNOMIAL 0x04c11db7
#define ETH_CRC32_INIT_VAL 0xffffffff
@@ -144,6 +141,7 @@ qat_sym_session_finalize(struct qat_sym_session *session)
qat_sym_session_init_common_hdr(session);
}
+#ifdef RTE_QAT_OPENSSL
/** Frees a context previously created
* Depends on openssl libcrypto
*/
@@ -194,6 +192,51 @@ bpi_cipher_ctx_init(enum rte_crypto_cipher_algorithm cryptodev_algo,
}
return ret;
}
+#endif
+
+#ifndef RTE_QAT_OPENSSL
+/** Creates a context in either AES or DES in ECB mode
+ */
+static int
+ipsec_mb_ctx_init(const uint8_t *key, uint16_t key_length,
+ enum rte_crypto_cipher_algorithm cryptodev_algo,
+ uint64_t *expkey, uint32_t *dust, IMB_MGR **m)
+{
+ int ret;
+
+ *m = alloc_mb_mgr(0);
+ if (*m == NULL)
+ return -ENOMEM;
+
+ init_mb_mgr_auto(*m, NULL);
+
+ if (cryptodev_algo == RTE_CRYPTO_CIPHER_AES_DOCSISBPI) {
+ if (key_length == ICP_QAT_HW_AES_128_KEY_SZ)
+ IMB_AES_KEYEXP_128(*m, key, expkey, dust);
+ else if (key_length == ICP_QAT_HW_AES_256_KEY_SZ)
+ IMB_AES_KEYEXP_256(*m, key, expkey, dust);
+ else {
+ ret = -EFAULT;
+ goto error_out;
+ }
+ } else if (cryptodev_algo == RTE_CRYPTO_CIPHER_DES_DOCSISBPI) {
+ if (key_length == ICP_QAT_HW_DES_KEY_SZ)
+ IMB_DES_KEYSCHED(*m, (uint64_t *)expkey, key);
+ else {
+ ret = -EFAULT;
+ goto error_out;
+ }
+ }
+ return 0;
+
+error_out:
+ if (*m) {
+ free_mb_mgr(*m);
+ *m = NULL;
+ }
+ return ret;
+}
+#endif
static int
qat_is_cipher_alg_supported(enum rte_crypto_cipher_algorithm algo,
@@ -243,8 +286,13 @@ qat_sym_session_clear(struct rte_cryptodev *dev __rte_unused,
{
struct qat_sym_session *s = CRYPTODEV_GET_SYM_SESS_PRIV(sess);
+#ifdef RTE_QAT_OPENSSL
if (s->bpi_ctx)
bpi_cipher_ctx_free(s->bpi_ctx);
+#else
+ if (s->mb_mgr)
+ free_mb_mgr(s->mb_mgr);
+#endif
}
static int
@@ -407,12 +455,23 @@ qat_sym_session_configure_cipher(struct rte_cryptodev *dev,
session->qat_mode = ICP_QAT_HW_CIPHER_CTR_MODE;
break;
case RTE_CRYPTO_CIPHER_DES_DOCSISBPI:
+#ifdef RTE_QAT_OPENSSL
ret = bpi_cipher_ctx_init(
cipher_xform->algo,
cipher_xform->op,
cipher_xform->key.data,
cipher_xform->key.length,
&session->bpi_ctx);
+#else
+ session->docsis_key_len = cipher_xform->key.length;
+ ret = ipsec_mb_ctx_init(
+ cipher_xform->key.data,
+ cipher_xform->key.length,
+ cipher_xform->algo,
+ session->expkey,
+ session->dust,
+ &session->mb_mgr);
+#endif
if (ret != 0) {
QAT_LOG(ERR, "failed to create DES BPI ctx");
goto error_out;
@@ -426,12 +485,23 @@ qat_sym_session_configure_cipher(struct rte_cryptodev *dev,
session->qat_mode = ICP_QAT_HW_CIPHER_CBC_MODE;
break;
case RTE_CRYPTO_CIPHER_AES_DOCSISBPI:
+#ifdef RTE_QAT_OPENSSL
ret = bpi_cipher_ctx_init(
cipher_xform->algo,
cipher_xform->op,
cipher_xform->key.data,
cipher_xform->key.length,
&session->bpi_ctx);
+#else
+ session->docsis_key_len = cipher_xform->key.length;
+ ret = ipsec_mb_ctx_init(
+ cipher_xform->key.data,
+ cipher_xform->key.length,
+ cipher_xform->algo,
+ session->expkey,
+ session->dust,
+ &session->mb_mgr);
+#endif
if (ret != 0) {
QAT_LOG(ERR, "failed to create AES BPI ctx");
goto error_out;
@@ -517,10 +587,18 @@ qat_sym_session_configure_cipher(struct rte_cryptodev *dev,
return 0;
error_out:
+#ifdef RTE_QAT_OPENSSL
if (session->bpi_ctx) {
bpi_cipher_ctx_free(session->bpi_ctx);
session->bpi_ctx = NULL;
}
+#else
+ if (session->mb_mgr) {
+ free_mb_mgr(session->mb_mgr);
+ session->mb_mgr = NULL;
+ }
+
+#endif
return ret;
}
@@ -531,8 +609,10 @@ qat_sym_session_configure(struct rte_cryptodev *dev,
{
int ret;
+#ifdef RTE_QAT_OPENSSL
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
ossl_legacy_provider_load();
+#endif
#endif
ret = qat_sym_session_set_parameters(dev, xform,
CRYPTODEV_GET_SYM_SESS_PRIV(sess),
@@ -544,8 +624,10 @@ qat_sym_session_configure(struct rte_cryptodev *dev,
return ret;
}
+#ifdef RTE_QAT_OPENSSL
# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
ossl_legacy_provider_unload();
+# endif
# endif
return 0;
}
@@ -1207,57 +1289,91 @@ static int qat_hash_get_block_size(enum icp_qat_hw_auth_algo qat_hash_alg)
#define HMAC_OPAD_VALUE 0x5c
#define HASH_XCBC_PRECOMP_KEY_NUM 3
-static const uint8_t AES_CMAC_SEED[ICP_QAT_HW_AES_128_KEY_SZ];
+#ifdef RTE_QAT_OPENSSL
+static int partial_hash_sha1(uint8_t *data_in, uint8_t *data_out)
+{
+ SHA_CTX ctx;
-#ifdef RTE_QAT_LIBIPSECMB
-static int aes_ipsecmb_job(uint8_t *in, uint8_t *out, IMB_MGR *m,
- const uint8_t *key, uint16_t auth_keylen)
+ if (!SHA1_Init(&ctx))
+ return -EFAULT;
+ SHA1_Transform(&ctx, data_in);
+ rte_memcpy(data_out, &ctx, SHA_DIGEST_LENGTH);
+ return 0;
+}
+
+static int partial_hash_sha224(uint8_t *data_in, uint8_t *data_out)
{
- int err;
- struct IMB_JOB *job;
- DECLARE_ALIGNED(uint32_t expkey[4*15], 16);
- DECLARE_ALIGNED(uint32_t dust[4*15], 16);
+ SHA256_CTX ctx;
- if (auth_keylen == ICP_QAT_HW_AES_128_KEY_SZ)
- IMB_AES_KEYEXP_128(m, key, expkey, dust);
- else if (auth_keylen == ICP_QAT_HW_AES_192_KEY_SZ)
- IMB_AES_KEYEXP_192(m, key, expkey, dust);
- else if (auth_keylen == ICP_QAT_HW_AES_256_KEY_SZ)
- IMB_AES_KEYEXP_256(m, key, expkey, dust);
- else
+ if (!SHA224_Init(&ctx))
return -EFAULT;
+ SHA256_Transform(&ctx, data_in);
+ rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);
+ return 0;
+}
- job = IMB_GET_NEXT_JOB(m);
+static int partial_hash_sha256(uint8_t *data_in, uint8_t *data_out)
+{
+ SHA256_CTX ctx;
- job->src = in;
- job->dst = out;
- job->enc_keys = expkey;
- job->key_len_in_bytes = auth_keylen;
- job->msg_len_to_cipher_in_bytes = 16;
- job->iv_len_in_bytes = 0;
- job->cipher_direction = IMB_DIR_ENCRYPT;
- job->cipher_mode = IMB_CIPHER_ECB;
- job->hash_alg = IMB_AUTH_NULL;
+ if (!SHA256_Init(&ctx))
+ return -EFAULT;
+ SHA256_Transform(&ctx, data_in);
+ rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);
+ return 0;
+}
- while (IMB_FLUSH_JOB(m) != NULL)
- ;
+static int partial_hash_sha384(uint8_t *data_in, uint8_t *data_out)
+{
+ SHA512_CTX ctx;
- job = IMB_SUBMIT_JOB(m);
- if (job) {
- if (job->status == IMB_STATUS_COMPLETED)
- return 0;
- }
+ if (!SHA384_Init(&ctx))
+ return -EFAULT;
+ SHA512_Transform(&ctx, data_in);
+ rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);
+ return 0;
+}
- err = imb_get_errno(m);
- if (err)
- QAT_LOG(ERR, "Error: %s!\n", imb_get_strerror(err));
+static int partial_hash_sha512(uint8_t *data_in, uint8_t *data_out)
+{
+ SHA512_CTX ctx;
- return -EFAULT;
+ if (!SHA512_Init(&ctx))
+ return -EFAULT;
+ SHA512_Transform(&ctx, data_in);
+ rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);
+ return 0;
+}
+
+static int partial_hash_md5(uint8_t *data_in, uint8_t *data_out)
+{
+ MD5_CTX ctx;
+
+ if (!MD5_Init(&ctx))
+ return -EFAULT;
+ MD5_Transform(&ctx, data_in);
+ rte_memcpy(data_out, &ctx, MD5_DIGEST_LENGTH);
+
+ return 0;
+}
+
+static void aes_cmac_key_derive(uint8_t *base, uint8_t *derived)
+{
+ int i;
+
+ derived[0] = base[0] << 1;
+ for (i = 1; i < ICP_QAT_HW_AES_BLK_SZ ; i++) {
+ derived[i] = base[i] << 1;
+ derived[i - 1] |= base[i] >> 7;
+ }
+
+ if (base[0] & 0x80)
+ derived[ICP_QAT_HW_AES_BLK_SZ - 1] ^= QAT_AES_CMAC_CONST_RB;
}
static int
-partial_hash_compute_ipsec_mb(enum icp_qat_hw_auth_algo hash_alg,
- uint8_t *data_in, uint8_t *data_out, IMB_MGR *m)
+partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg,
+ uint8_t *data_in, uint8_t *data_out)
{
int digest_size;
uint8_t digest[qat_hash_get_digest_size(
@@ -1278,37 +1394,43 @@ partial_hash_compute_ipsec_mb(enum icp_qat_hw_auth_algo hash_alg,
switch (hash_alg) {
case ICP_QAT_HW_AUTH_ALGO_SHA1:
- IMB_SHA1_ONE_BLOCK(m, data_in, digest);
+ if (partial_hash_sha1(data_in, digest))
+ return -EFAULT;
for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
*hash_state_out_be32 =
rte_bswap32(*(((uint32_t *)digest)+i));
break;
case ICP_QAT_HW_AUTH_ALGO_SHA224:
- IMB_SHA224_ONE_BLOCK(m, data_in, digest);
+ if (partial_hash_sha224(data_in, digest))
+ return -EFAULT;
for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
*hash_state_out_be32 =
rte_bswap32(*(((uint32_t *)digest)+i));
break;
case ICP_QAT_HW_AUTH_ALGO_SHA256:
- IMB_SHA256_ONE_BLOCK(m, data_in, digest);
+ if (partial_hash_sha256(data_in, digest))
+ return -EFAULT;
for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
*hash_state_out_be32 =
rte_bswap32(*(((uint32_t *)digest)+i));
break;
case ICP_QAT_HW_AUTH_ALGO_SHA384:
- IMB_SHA384_ONE_BLOCK(m, data_in, digest);
+ if (partial_hash_sha384(data_in, digest))
+ return -EFAULT;
for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)
*hash_state_out_be64 =
rte_bswap64(*(((uint64_t *)digest)+i));
break;
case ICP_QAT_HW_AUTH_ALGO_SHA512:
- IMB_SHA512_ONE_BLOCK(m, data_in, digest);
+ if (partial_hash_sha512(data_in, digest))
+ return -EFAULT;
for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)
*hash_state_out_be64 =
rte_bswap64(*(((uint64_t *)digest)+i));
break;
case ICP_QAT_HW_AUTH_ALGO_MD5:
- IMB_MD5_ONE_BLOCK(m, data_in, data_out);
+ if (partial_hash_md5(data_in, data_out))
+ return -EFAULT;
break;
default:
QAT_LOG(ERR, "invalid hash alg %u", hash_alg);
@@ -1318,108 +1440,150 @@ partial_hash_compute_ipsec_mb(enum icp_qat_hw_auth_algo hash_alg,
return 0;
}
-static int qat_sym_do_precomputes_ipsec_mb(enum icp_qat_hw_auth_algo hash_alg,
+static const uint8_t AES_CMAC_SEED[ICP_QAT_HW_AES_128_KEY_SZ];
+
+static int qat_sym_do_precomputes(enum icp_qat_hw_auth_algo hash_alg,
const uint8_t *auth_key,
uint16_t auth_keylen,
uint8_t *p_state_buf,
uint16_t *p_state_len,
uint8_t aes_cmac)
{
- int block_size = 0;
+ int block_size;
uint8_t ipad[qat_hash_get_block_size(ICP_QAT_HW_AUTH_ALGO_DELIMITER)];
uint8_t opad[qat_hash_get_block_size(ICP_QAT_HW_AUTH_ALGO_DELIMITER)];
- int i, ret = 0;
- uint8_t in[ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ];
-
- IMB_MGR *m;
- m = alloc_mb_mgr(0);
- if (m == NULL)
- return -ENOMEM;
+ int i;
- init_mb_mgr_auto(m, NULL);
- memset(in, 0, ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);
if (hash_alg == ICP_QAT_HW_AUTH_ALGO_AES_XCBC_MAC) {
/* CMAC */
if (aes_cmac) {
+ AES_KEY enc_key;
+ uint8_t *in = NULL;
+ uint8_t k0[ICP_QAT_HW_AES_128_KEY_SZ];
uint8_t *k1, *k2;
+
auth_keylen = ICP_QAT_HW_AES_128_KEY_SZ;
- rte_memcpy(p_state_buf, auth_key, auth_keylen);
- DECLARE_ALIGNED(uint32_t expkey[4*15], 16);
- DECLARE_ALIGNED(uint32_t dust[4*15], 16);
- IMB_AES_KEYEXP_128(m, p_state_buf, expkey, dust);
- k1 = p_state_buf + ICP_QAT_HW_AES_XCBC_MAC_STATE1_SZ;
- k2 = k1 + ICP_QAT_HW_AES_XCBC_MAC_STATE1_SZ;
+ in = rte_zmalloc("AES CMAC K1",
+ ICP_QAT_HW_AES_128_KEY_SZ, 16);
- IMB_AES_CMAC_SUBKEY_GEN_128(m, expkey, k1, k2);
- *p_state_len = ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ;
- goto out;
- }
+ if (in == NULL) {
+ QAT_LOG(ERR, "Failed to alloc memory");
+ return -ENOMEM;
+ }
- static uint8_t qat_aes_xcbc_key_seed[
- ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ] = {
- 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
- 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
- 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
- 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
- 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
- 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
- };
+ rte_memcpy(in, AES_CMAC_SEED,
+ ICP_QAT_HW_AES_128_KEY_SZ);
+ rte_memcpy(p_state_buf, auth_key, auth_keylen);
- uint8_t *input = in;
- uint8_t *out = p_state_buf;
- rte_memcpy(input, qat_aes_xcbc_key_seed,
- ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);
- for (i = 0; i < HASH_XCBC_PRECOMP_KEY_NUM; i++) {
- if (aes_ipsecmb_job(input, out, m, auth_key, auth_keylen)) {
- memset(input -
- (i * ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ),
- 0, ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);
- ret = -EFAULT;
- goto out;
+ if (AES_set_encrypt_key(auth_key, auth_keylen << 3,
+ &enc_key) != 0) {
+ rte_free(in);
+ return -EFAULT;
}
- input += ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ;
- out += ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ;
- }
- *p_state_len = ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ;
- goto out;
+ AES_encrypt(in, k0, &enc_key);
- } else if ((hash_alg == ICP_QAT_HW_AUTH_ALGO_GALOIS_128) ||
- (hash_alg == ICP_QAT_HW_AUTH_ALGO_GALOIS_64)) {
- uint8_t *out = p_state_buf;
+ k1 = p_state_buf + ICP_QAT_HW_AES_XCBC_MAC_STATE1_SZ;
+ k2 = k1 + ICP_QAT_HW_AES_XCBC_MAC_STATE1_SZ;
- memset(p_state_buf, 0, ICP_QAT_HW_GALOIS_H_SZ +
- ICP_QAT_HW_GALOIS_LEN_A_SZ +
- ICP_QAT_HW_GALOIS_E_CTR0_SZ);
- if (aes_ipsecmb_job(in, out, m, auth_key, auth_keylen)) {
- ret = -EFAULT;
- goto out;
- }
+ aes_cmac_key_derive(k0, k1);
+ aes_cmac_key_derive(k1, k2);
+ memset(k0, 0, ICP_QAT_HW_AES_128_KEY_SZ);
+ *p_state_len = ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ;
+ rte_free(in);
+ goto out;
+ } else {
+ static uint8_t qat_aes_xcbc_key_seed[
+ ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ] = {
+ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ };
+
+ uint8_t *in = NULL;
+ uint8_t *out = p_state_buf;
+ int x;
+ AES_KEY enc_key;
+
+ in = rte_zmalloc("working mem for key",
+ ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ, 16);
+ if (in == NULL) {
+ QAT_LOG(ERR, "Failed to alloc memory");
+ return -ENOMEM;
+ }
+
+ rte_memcpy(in, qat_aes_xcbc_key_seed,
+ ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);
+ for (x = 0; x < HASH_XCBC_PRECOMP_KEY_NUM; x++) {
+ if (AES_set_encrypt_key(auth_key,
+ auth_keylen << 3,
+ &enc_key) != 0) {
+ rte_free(in -
+ (x * ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ));
+ memset(out -
+ (x * ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ),
+ 0, ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);
+ return -EFAULT;
+ }
+ AES_encrypt(in, out, &enc_key);
+ in += ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ;
+ out += ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ;
+ }
+ *p_state_len = ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ;
+ rte_free(in - x*ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ);
+ goto out;
+ }
+
+ } else if ((hash_alg == ICP_QAT_HW_AUTH_ALGO_GALOIS_128) ||
+ (hash_alg == ICP_QAT_HW_AUTH_ALGO_GALOIS_64)) {
+ uint8_t *in = NULL;
+ uint8_t *out = p_state_buf;
+ AES_KEY enc_key;
+
+ memset(p_state_buf, 0, ICP_QAT_HW_GALOIS_H_SZ +
+ ICP_QAT_HW_GALOIS_LEN_A_SZ +
+ ICP_QAT_HW_GALOIS_E_CTR0_SZ);
+ in = rte_zmalloc("working mem for key",
+ ICP_QAT_HW_GALOIS_H_SZ, 16);
+ if (in == NULL) {
+ QAT_LOG(ERR, "Failed to alloc memory");
+ return -ENOMEM;
+ }
+
+ memset(in, 0, ICP_QAT_HW_GALOIS_H_SZ);
+ if (AES_set_encrypt_key(auth_key, auth_keylen << 3,
+ &enc_key) != 0) {
+ return -EFAULT;
+ }
+ AES_encrypt(in, out, &enc_key);
*p_state_len = ICP_QAT_HW_GALOIS_H_SZ +
ICP_QAT_HW_GALOIS_LEN_A_SZ +
ICP_QAT_HW_GALOIS_E_CTR0_SZ;
- goto out;
+ rte_free(in);
+ return 0;
}
block_size = qat_hash_get_block_size(hash_alg);
- if (block_size < 0) {
- free_mb_mgr(m);
+ if (block_size < 0)
return block_size;
- }
+ /* init ipad and opad from key and xor with fixed values */
+ memset(ipad, 0, block_size);
+ memset(opad, 0, block_size);
if (auth_keylen > (unsigned int)block_size) {
QAT_LOG(ERR, "invalid keylen %u", auth_keylen);
- ret = -EFAULT;
- goto out;
+ return -EFAULT;
}
- /* init ipad and opad from key and xor with fixed values */
- memset(ipad, 0, block_size);
- memset(opad, 0, block_size);
+
RTE_VERIFY(auth_keylen <= sizeof(ipad));
RTE_VERIFY(auth_keylen <= sizeof(opad));
+
rte_memcpy(ipad, auth_key, auth_keylen);
rte_memcpy(opad, auth_key, auth_keylen);
@@ -1431,10 +1595,11 @@ static int qat_sym_do_precomputes_ipsec_mb(enum icp_qat_hw_auth_algo hash_alg,
}
/* do partial hash of ipad and copy to state1 */
- if (partial_hash_compute_ipsec_mb(hash_alg, ipad, p_state_buf, m)) {
+ if (partial_hash_compute(hash_alg, ipad, p_state_buf)) {
+ memset(ipad, 0, block_size);
+ memset(opad, 0, block_size);
QAT_LOG(ERR, "ipad precompute failed");
- ret = -EFAULT;
- goto out;
+ return -EFAULT;
}
/*
@@ -1442,105 +1607,70 @@ static int qat_sym_do_precomputes_ipsec_mb(enum icp_qat_hw_auth_algo hash_alg,
* Put the partial hash of opad state_len bytes after state1
*/
*p_state_len = qat_hash_get_state1_size(hash_alg);
- if (partial_hash_compute_ipsec_mb(hash_alg, opad,
- p_state_buf + *p_state_len, m)) {
+ if (partial_hash_compute(hash_alg, opad, p_state_buf + *p_state_len)) {
+ memset(ipad, 0, block_size);
+ memset(opad, 0, block_size);
QAT_LOG(ERR, "opad precompute failed");
- ret = -EFAULT;
- goto out;
+ return -EFAULT;
}
-out:
/* don't leave data lying around */
memset(ipad, 0, block_size);
memset(opad, 0, block_size);
- free_mb_mgr(m);
- return ret;
-}
-#endif
-static int partial_hash_sha1(uint8_t *data_in, uint8_t *data_out)
-{
- SHA_CTX ctx;
-
- if (!SHA1_Init(&ctx))
- return -EFAULT;
- SHA1_Transform(&ctx, data_in);
- rte_memcpy(data_out, &ctx, SHA_DIGEST_LENGTH);
- return 0;
-}
-
-static int partial_hash_sha224(uint8_t *data_in, uint8_t *data_out)
-{
- SHA256_CTX ctx;
-
- if (!SHA224_Init(&ctx))
- return -EFAULT;
- SHA256_Transform(&ctx, data_in);
- rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);
- return 0;
-}
-
-static int partial_hash_sha256(uint8_t *data_in, uint8_t *data_out)
-{
- SHA256_CTX ctx;
-
- if (!SHA256_Init(&ctx))
- return -EFAULT;
- SHA256_Transform(&ctx, data_in);
- rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);
+out:
return 0;
}
-static int partial_hash_sha384(uint8_t *data_in, uint8_t *data_out)
-{
- SHA512_CTX ctx;
-
- if (!SHA384_Init(&ctx))
- return -EFAULT;
- SHA512_Transform(&ctx, data_in);
- rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);
- return 0;
-}
+#else
-static int partial_hash_sha512(uint8_t *data_in, uint8_t *data_out)
+static int aes_ipsecmb_job(uint8_t *in, uint8_t *out, IMB_MGR *m,
+ const uint8_t *key, uint16_t auth_keylen)
{
- SHA512_CTX ctx;
+ int err;
+ struct IMB_JOB *job;
+ DECLARE_ALIGNED(uint32_t expkey[4*15], 16);
+ DECLARE_ALIGNED(uint32_t dust[4*15], 16);
- if (!SHA512_Init(&ctx))
+ if (auth_keylen == ICP_QAT_HW_AES_128_KEY_SZ)
+ IMB_AES_KEYEXP_128(m, key, expkey, dust);
+ else if (auth_keylen == ICP_QAT_HW_AES_192_KEY_SZ)
+ IMB_AES_KEYEXP_192(m, key, expkey, dust);
+ else if (auth_keylen == ICP_QAT_HW_AES_256_KEY_SZ)
+ IMB_AES_KEYEXP_256(m, key, expkey, dust);
+ else
return -EFAULT;
- SHA512_Transform(&ctx, data_in);
- rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);
- return 0;
-}
-static int partial_hash_md5(uint8_t *data_in, uint8_t *data_out)
-{
- MD5_CTX ctx;
-
- if (!MD5_Init(&ctx))
- return -EFAULT;
- MD5_Transform(&ctx, data_in);
- rte_memcpy(data_out, &ctx, MD5_DIGEST_LENGTH);
+ job = IMB_GET_NEXT_JOB(m);
- return 0;
-}
+ job->src = in;
+ job->dst = out;
+ job->enc_keys = expkey;
+ job->key_len_in_bytes = auth_keylen;
+ job->msg_len_to_cipher_in_bytes = 16;
+ job->iv_len_in_bytes = 0;
+ job->cipher_direction = IMB_DIR_ENCRYPT;
+ job->cipher_mode = IMB_CIPHER_ECB;
+ job->hash_alg = IMB_AUTH_NULL;
-static void aes_cmac_key_derive(uint8_t *base, uint8_t *derived)
-{
- int i;
+ while (IMB_FLUSH_JOB(m) != NULL)
+ ;
- derived[0] = base[0] << 1;
- for (i = 1; i < ICP_QAT_HW_AES_BLK_SZ ; i++) {
- derived[i] = base[i] << 1;
- derived[i - 1] |= base[i] >> 7;
+ job = IMB_SUBMIT_JOB(m);
+ if (job) {
+ if (job->status == IMB_STATUS_COMPLETED)
+ return 0;
}
- if (base[0] & 0x80)
- derived[ICP_QAT_HW_AES_BLK_SZ - 1] ^= QAT_AES_CMAC_CONST_RB;
+ err = imb_get_errno(m);
+ if (err)
+ QAT_LOG(ERR, "Error: %s!\n", imb_get_strerror(err));
+
+ return -EFAULT;
}
static int
-partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg,
- uint8_t *data_in, uint8_t *data_out)
+partial_hash_compute_ipsec_mb(enum icp_qat_hw_auth_algo hash_alg,
+ uint8_t *data_in, uint8_t *data_out, IMB_MGR *m)
{
int digest_size;
uint8_t digest[qat_hash_get_digest_size(
@@ -1561,43 +1691,37 @@ partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg,
switch (hash_alg) {
case ICP_QAT_HW_AUTH_ALGO_SHA1:
- if (partial_hash_sha1(data_in, digest))
- return -EFAULT;
+ IMB_SHA1_ONE_BLOCK(m, data_in, digest);
for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
*hash_state_out_be32 =
rte_bswap32(*(((uint32_t *)digest)+i));
break;
case ICP_QAT_HW_AUTH_ALGO_SHA224:
- if (partial_hash_sha224(data_in, digest))
- return -EFAULT;
+ IMB_SHA224_ONE_BLOCK(m, data_in, digest);
for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
*hash_state_out_be32 =
rte_bswap32(*(((uint32_t *)digest)+i));
break;
case ICP_QAT_HW_AUTH_ALGO_SHA256:
- if (partial_hash_sha256(data_in, digest))
- return -EFAULT;
+ IMB_SHA256_ONE_BLOCK(m, data_in, digest);
for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)
*hash_state_out_be32 =
rte_bswap32(*(((uint32_t *)digest)+i));
break;
case ICP_QAT_HW_AUTH_ALGO_SHA384:
- if (partial_hash_sha384(data_in, digest))
- return -EFAULT;
+ IMB_SHA384_ONE_BLOCK(m, data_in, digest);
for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)
*hash_state_out_be64 =
rte_bswap64(*(((uint64_t *)digest)+i));
break;
case ICP_QAT_HW_AUTH_ALGO_SHA512:
- if (partial_hash_sha512(data_in, digest))
- return -EFAULT;
+ IMB_SHA512_ONE_BLOCK(m, data_in, digest);
for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)
*hash_state_out_be64 =
rte_bswap64(*(((uint64_t *)digest)+i));
break;
case ICP_QAT_HW_AUTH_ALGO_MD5:
- if (partial_hash_md5(data_in, data_out))
- return -EFAULT;
+ IMB_MD5_ONE_BLOCK(m, data_in, data_out);
break;
default:
QAT_LOG(ERR, "invalid hash alg %u", hash_alg);
@@ -1607,148 +1731,108 @@ partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg,
return 0;
}
-static int qat_sym_do_precomputes(enum icp_qat_hw_auth_algo hash_alg,
+static int qat_sym_do_precomputes_ipsec_mb(enum icp_qat_hw_auth_algo hash_alg,
const uint8_t *auth_key,
uint16_t auth_keylen,
uint8_t *p_state_buf,
uint16_t *p_state_len,
uint8_t aes_cmac)
{
- int block_size;
+ int block_size = 0;
uint8_t ipad[qat_hash_get_block_size(ICP_QAT_HW_AUTH_ALGO_DELIMITER)];
uint8_t opad[qat_hash_get_block_size(ICP_QAT_HW_AUTH_ALGO_DELIMITER)];
- int i;
+ int i, ret = 0;
+ uint8_t in[ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ];
+ IMB_MGR *m;
+ m = alloc_mb_mgr(0);
+ if (m == NULL)
+ return -ENOMEM;
+
+ init_mb_mgr_auto(m, NULL);
+ memset(in, 0, ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);
if (hash_alg == ICP_QAT_HW_AUTH_ALGO_AES_XCBC_MAC) {
/* CMAC */
if (aes_cmac) {
- AES_KEY enc_key;
- uint8_t *in = NULL;
- uint8_t k0[ICP_QAT_HW_AES_128_KEY_SZ];
uint8_t *k1, *k2;
-
auth_keylen = ICP_QAT_HW_AES_128_KEY_SZ;
-
- in = rte_zmalloc("AES CMAC K1",
- ICP_QAT_HW_AES_128_KEY_SZ, 16);
-
- if (in == NULL) {
- QAT_LOG(ERR, "Failed to alloc memory");
- return -ENOMEM;
- }
-
- rte_memcpy(in, AES_CMAC_SEED,
- ICP_QAT_HW_AES_128_KEY_SZ);
rte_memcpy(p_state_buf, auth_key, auth_keylen);
- if (AES_set_encrypt_key(auth_key, auth_keylen << 3,
- &enc_key) != 0) {
- rte_free(in);
- return -EFAULT;
- }
-
- AES_encrypt(in, k0, &enc_key);
-
+ DECLARE_ALIGNED(uint32_t expkey[4*15], 16);
+ DECLARE_ALIGNED(uint32_t dust[4*15], 16);
+ IMB_AES_KEYEXP_128(m, p_state_buf, expkey, dust);
k1 = p_state_buf + ICP_QAT_HW_AES_XCBC_MAC_STATE1_SZ;
k2 = k1 + ICP_QAT_HW_AES_XCBC_MAC_STATE1_SZ;
- aes_cmac_key_derive(k0, k1);
- aes_cmac_key_derive(k1, k2);
-
- memset(k0, 0, ICP_QAT_HW_AES_128_KEY_SZ);
+ IMB_AES_CMAC_SUBKEY_GEN_128(m, expkey, k1, k2);
*p_state_len = ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ;
- rte_free(in);
- return 0;
- } else {
- static uint8_t qat_aes_xcbc_key_seed[
- ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ] = {
- 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
- 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
- 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
- 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
- 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
- 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
- };
+ goto out;
+ }
- uint8_t *in = NULL;
- uint8_t *out = p_state_buf;
- int x;
- AES_KEY enc_key;
+ static uint8_t qat_aes_xcbc_key_seed[
+ ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ] = {
+ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ };
- in = rte_zmalloc("working mem for key",
- ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ, 16);
- if (in == NULL) {
- QAT_LOG(ERR, "Failed to alloc memory");
- return -ENOMEM;
+ uint8_t *input = in;
+ uint8_t *out = p_state_buf;
+ rte_memcpy(input, qat_aes_xcbc_key_seed,
+ ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);
+ for (i = 0; i < HASH_XCBC_PRECOMP_KEY_NUM; i++) {
+ if (aes_ipsecmb_job(input, out, m, auth_key, auth_keylen)) {
+ memset(input -
+ (i * ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ),
+ 0, ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);
+ ret = -EFAULT;
+ goto out;
}
- rte_memcpy(in, qat_aes_xcbc_key_seed,
- ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);
- for (x = 0; x < HASH_XCBC_PRECOMP_KEY_NUM; x++) {
- if (AES_set_encrypt_key(auth_key,
- auth_keylen << 3,
- &enc_key) != 0) {
- rte_free(in -
- (x * ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ));
- memset(out -
- (x * ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ),
- 0, ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);
- return -EFAULT;
- }
- AES_encrypt(in, out, &enc_key);
- in += ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ;
- out += ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ;
- }
- *p_state_len = ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ;
- rte_free(in - x*ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ);
- return 0;
+ input += ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ;
+ out += ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ;
}
+ *p_state_len = ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ;
+ goto out;
} else if ((hash_alg == ICP_QAT_HW_AUTH_ALGO_GALOIS_128) ||
(hash_alg == ICP_QAT_HW_AUTH_ALGO_GALOIS_64)) {
- uint8_t *in = NULL;
uint8_t *out = p_state_buf;
- AES_KEY enc_key;
memset(p_state_buf, 0, ICP_QAT_HW_GALOIS_H_SZ +
ICP_QAT_HW_GALOIS_LEN_A_SZ +
ICP_QAT_HW_GALOIS_E_CTR0_SZ);
- in = rte_zmalloc("working mem for key",
- ICP_QAT_HW_GALOIS_H_SZ, 16);
- if (in == NULL) {
- QAT_LOG(ERR, "Failed to alloc memory");
- return -ENOMEM;
+ if (aes_ipsecmb_job(in, out, m, auth_key, auth_keylen)) {
+ ret = -EFAULT;
+ goto out;
}
- memset(in, 0, ICP_QAT_HW_GALOIS_H_SZ);
- if (AES_set_encrypt_key(auth_key, auth_keylen << 3,
- &enc_key) != 0) {
- return -EFAULT;
- }
- AES_encrypt(in, out, &enc_key);
*p_state_len = ICP_QAT_HW_GALOIS_H_SZ +
ICP_QAT_HW_GALOIS_LEN_A_SZ +
ICP_QAT_HW_GALOIS_E_CTR0_SZ;
- rte_free(in);
- return 0;
+ goto out;
}
block_size = qat_hash_get_block_size(hash_alg);
- if (block_size < 0)
+ if (block_size < 0) {
+ free_mb_mgr(m);
return block_size;
- /* init ipad and opad from key and xor with fixed values */
- memset(ipad, 0, block_size);
- memset(opad, 0, block_size);
+ }
if (auth_keylen > (unsigned int)block_size) {
QAT_LOG(ERR, "invalid keylen %u", auth_keylen);
- return -EFAULT;
+ ret = -EFAULT;
+ goto out;
}
-
+ /* init ipad and opad from key and xor with fixed values */
+ memset(ipad, 0, block_size);
+ memset(opad, 0, block_size);
RTE_VERIFY(auth_keylen <= sizeof(ipad));
RTE_VERIFY(auth_keylen <= sizeof(opad));
-
rte_memcpy(ipad, auth_key, auth_keylen);
rte_memcpy(opad, auth_key, auth_keylen);
@@ -1760,11 +1844,10 @@ static int qat_sym_do_precomputes(enum icp_qat_hw_auth_algo hash_alg,
}
/* do partial hash of ipad and copy to state1 */
- if (partial_hash_compute(hash_alg, ipad, p_state_buf)) {
- memset(ipad, 0, block_size);
- memset(opad, 0, block_size);
+ if (partial_hash_compute_ipsec_mb(hash_alg, ipad, p_state_buf, m)) {
QAT_LOG(ERR, "ipad precompute failed");
- return -EFAULT;
+ ret = -EFAULT;
+ goto out;
}
/*
@@ -1772,18 +1855,21 @@ static int qat_sym_do_precomputes(enum icp_qat_hw_auth_algo hash_alg,
* Put the partial hash of opad state_len bytes after state1
*/
*p_state_len = qat_hash_get_state1_size(hash_alg);
- if (partial_hash_compute(hash_alg, opad, p_state_buf + *p_state_len)) {
- memset(ipad, 0, block_size);
- memset(opad, 0, block_size);
+ if (partial_hash_compute_ipsec_mb(hash_alg, opad,
+ p_state_buf + *p_state_len, m)) {
QAT_LOG(ERR, "opad precompute failed");
- return -EFAULT;
+ ret = -EFAULT;
+ goto out;
}
+out:
/* don't leave data lying around */
memset(ipad, 0, block_size);
memset(opad, 0, block_size);
- return 0;
+ free_mb_mgr(m);
+ return ret;
}
+#endif
static void
qat_sym_session_init_common_hdr(struct qat_sym_session *session)
@@ -2178,20 +2264,16 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
break;
}
/* SHA-1 HMAC */
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA1,
- authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
+#ifdef RTE_QAT_OPENSSL
+ ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA1, authkey,
+ authkeylen, cdesc->cd_cur_ptr, &state1_size,
+ cdesc->aes_cmac);
+
#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing ?");
- return -EFAULT;
+ ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA1,
+ authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
+ cdesc->aes_cmac);
#endif
- } else {
- ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA1, authkey,
- authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
- }
if (ret) {
QAT_LOG(ERR, "(SHA)precompute failed");
@@ -2209,21 +2291,15 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
break;
}
/* SHA-224 HMAC */
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA224,
- authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
+#ifdef RTE_QAT_OPENSSL
+ ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA224, authkey,
+ authkeylen, cdesc->cd_cur_ptr, &state1_size,
+ cdesc->aes_cmac);
#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing ?");
- return -EFAULT;
+ ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA224,
+ authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
+ cdesc->aes_cmac);
#endif
- } else {
- ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA224, authkey,
- authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
- }
-
if (ret) {
QAT_LOG(ERR, "(SHA)precompute failed");
return -EFAULT;
@@ -2240,21 +2316,15 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
break;
}
/* SHA-256 HMAC */
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA256,
- authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
+#ifdef RTE_QAT_OPENSSL
+ ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA256, authkey,
+ authkeylen, cdesc->cd_cur_ptr, &state1_size,
+ cdesc->aes_cmac);
#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing ?");
- return -EFAULT;
+ ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA256,
+ authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
+ cdesc->aes_cmac);
#endif
- } else {
- ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA256, authkey,
- authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
- }
-
if (ret) {
QAT_LOG(ERR, "(SHA)precompute failed");
return -EFAULT;
@@ -2271,21 +2341,15 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
break;
}
/* SHA-384 HMAC */
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA384,
- authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
+#ifdef RTE_QAT_OPENSSL
+ ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA384, authkey,
+ authkeylen, cdesc->cd_cur_ptr, &state1_size,
+ cdesc->aes_cmac);
#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing ?");
- return -EFAULT;
+ ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA384,
+ authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
+ cdesc->aes_cmac);
#endif
- } else {
- ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA384, authkey,
- authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
- }
-
if (ret) {
QAT_LOG(ERR, "(SHA)precompute failed");
return -EFAULT;
@@ -2302,21 +2366,15 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
break;
}
/* SHA-512 HMAC */
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA512,
- authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
+#ifdef RTE_QAT_OPENSSL
+ ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA512, authkey,
+ authkeylen, cdesc->cd_cur_ptr, &state1_size,
+ cdesc->aes_cmac);
#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing ?");
- return -EFAULT;
+ ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA512,
+ authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
+ cdesc->aes_cmac);
#endif
- } else {
- ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA512, authkey,
- authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
- }
-
if (ret) {
QAT_LOG(ERR, "(SHA)precompute failed");
return -EFAULT;
@@ -2352,22 +2410,16 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
if (cdesc->aes_cmac)
memset(cdesc->cd_cur_ptr, 0, state1_size);
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(
- ICP_QAT_HW_AUTH_ALGO_AES_XCBC_MAC,
- authkey, authkeylen, cdesc->cd_cur_ptr + state1_size,
- &state2_size, cdesc->aes_cmac);
+#ifdef RTE_QAT_OPENSSL
+ ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_AES_XCBC_MAC,
+ authkey, authkeylen, cdesc->cd_cur_ptr + state1_size,
+ &state2_size, cdesc->aes_cmac);
#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing ?");
- return -EFAULT;
+ ret = qat_sym_do_precomputes_ipsec_mb(
+ ICP_QAT_HW_AUTH_ALGO_AES_XCBC_MAC,
+ authkey, authkeylen, cdesc->cd_cur_ptr + state1_size,
+ &state2_size, cdesc->aes_cmac);
#endif
- } else {
- ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_AES_XCBC_MAC,
- authkey, authkeylen, cdesc->cd_cur_ptr + state1_size,
- &state2_size, cdesc->aes_cmac);
- }
-
if (ret) {
cdesc->aes_cmac ? QAT_LOG(ERR,
"(CMAC)precompute failed")
@@ -2380,21 +2432,15 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
case ICP_QAT_HW_AUTH_ALGO_GALOIS_64:
cdesc->qat_proto_flag = QAT_CRYPTO_PROTO_FLAG_GCM;
state1_size = ICP_QAT_HW_GALOIS_128_STATE1_SZ;
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(cdesc->qat_hash_alg, authkey,
- authkeylen, cdesc->cd_cur_ptr + state1_size,
- &state2_size, cdesc->aes_cmac);
+#ifdef RTE_QAT_OPENSSL
+ ret = qat_sym_do_precomputes(cdesc->qat_hash_alg, authkey,
+ authkeylen, cdesc->cd_cur_ptr + state1_size,
+ &state2_size, cdesc->aes_cmac);
#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing ?");
- return -EFAULT;
+ ret = qat_sym_do_precomputes_ipsec_mb(cdesc->qat_hash_alg, authkey,
+ authkeylen, cdesc->cd_cur_ptr + state1_size,
+ &state2_size, cdesc->aes_cmac);
#endif
- } else {
- ret = qat_sym_do_precomputes(cdesc->qat_hash_alg, authkey,
- authkeylen, cdesc->cd_cur_ptr + state1_size,
- &state2_size, cdesc->aes_cmac);
- }
-
if (ret) {
QAT_LOG(ERR, "(GCM)precompute failed");
return -EFAULT;
@@ -2451,21 +2497,15 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,
break;
case ICP_QAT_HW_AUTH_ALGO_MD5:
- if (qat_ipsec_mb_lib) {
-#ifdef RTE_QAT_LIBIPSECMB
- ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_MD5,
- authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
+#ifdef RTE_QAT_OPENSSL
+ ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_MD5, authkey,
+ authkeylen, cdesc->cd_cur_ptr, &state1_size,
+ cdesc->aes_cmac);
#else
- QAT_LOG(ERR, "Intel IPSEC-MB LIB missing");
- return -EFAULT;
+ ret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_MD5,
+ authkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,
+ cdesc->aes_cmac);
#endif
- } else {
- ret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_MD5, authkey,
- authkeylen, cdesc->cd_cur_ptr, &state1_size,
- cdesc->aes_cmac);
- }
-
if (ret) {
QAT_LOG(ERR, "(MD5)precompute failed");
return -EFAULT;
@@ -2899,9 +2939,11 @@ qat_security_session_create(void *dev,
return -EINVAL;
}
+#ifdef RTE_QAT_OPENSSL
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
if (ossl_legacy_provider_load())
return -EINVAL;
+#endif
#endif
ret = qat_sec_session_set_docsis_parameters(cdev, conf,
sess_private_data, SECURITY_GET_SESS_PRIV_IOVA(sess));
@@ -2910,8 +2952,10 @@ qat_security_session_create(void *dev,
return ret;
}
+#ifdef RTE_QAT_OPENSSL
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
ossl_legacy_provider_unload();
+#endif
#endif
return 0;
}
@@ -2924,8 +2968,13 @@ qat_security_session_destroy(void *dev __rte_unused,
struct qat_sym_session *s = (struct qat_sym_session *)sess_priv;
if (sess_priv) {
+#ifdef RTE_QAT_OPENSSL
if (s->bpi_ctx)
bpi_cipher_ctx_free(s->bpi_ctx);
+#else
+ if (s->mb_mgr)
+ free_mb_mgr(s->mb_mgr);
+#endif
memset(s, 0, qat_sym_session_get_private_size(dev));
}
@@ -13,6 +13,12 @@
#include "icp_qat_fw.h"
#include "icp_qat_fw_la.h"
+#ifndef RTE_QAT_OPENSSL
+#ifndef RTE_ARCH_ARM
+#include <intel-ipsec-mb.h>
+#endif
+#endif
+
/*
* Key Modifier (KM) value used in KASUMI algorithm in F9 mode to XOR
* Integrity Key (IK)
@@ -127,6 +133,12 @@ struct qat_sym_session {
uint32_t slice_types;
enum qat_sym_proto_flag qat_proto_flag;
qat_sym_build_request_t build_request[2];
+#ifndef RTE_QAT_OPENSSL
+ IMB_MGR *mb_mgr;
+#endif
+ uint64_t expkey[4*15];
+ uint32_t dust[4*15];
+ uint8_t docsis_key_len;
};
int