From patchwork Fri Dec 18 14:14:09 2020
X-Patchwork-Submitter: Tejasree Kondoj
X-Patchwork-Id: 85458
X-Patchwork-Delegate: gakhil@marvell.com
From: Tejasree Kondoj
To: Akhil Goyal, Radu Nicolau
CC: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi
Date: Fri, 18 Dec 2020 19:44:09 +0530
Message-ID: <20201218141410.1918-2-ktejasree@marvell.com>
In-Reply-To: <20201218141410.1918-1-ktejasree@marvell.com>
References: <20201218141410.1918-1-ktejasree@marvell.com>
Subject: [dpdk-dev] [PATCH 1/2] crypto/octeontx2: make anti-replay routine generic

Adding changes to make anti-replay routine common to both inline and lookaside IPsec.

Signed-off-by: Tejasree Kondoj
---
 drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h | 11 +++++------
 drivers/net/octeontx2/otx2_rx.h | 2 +-
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h b/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h index 858ce5b15f..d599692a75 100644 --- a/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h +++ b/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h 
@@ -16,11 +16,10 @@ #define IPSEC_ANTI_REPLAY_FAILED (-1) static inline int -anti_replay_check(uint64_t seq, struct otx2_ipsec_fp_in_sa *sa) +anti_replay_check(struct otx2_ipsec_replay *replay, uint64_t seq, + uint64_t winsz) { - struct otx2_ipsec_replay *replay = sa->replay; uint64_t *window = &replay->window[0]; - uint64_t winsz = sa->replay_win_sz; uint64_t ex_winsz = winsz + WORD_SIZE; uint64_t winwords = ex_winsz >> WORD_SHIFT; uint64_t base = replay->base; @@ -166,8 +165,8 @@ anti_replay_check(uint64_t seq, struct otx2_ipsec_fp_in_sa *sa) return 0; } -static int -cpt_ipsec_antireplay_check(struct otx2_ipsec_fp_in_sa *sa, char *data) +static inline int +cpt_ipsec_ip_antireplay_check(struct otx2_ipsec_fp_in_sa *sa, char *data) { uint64_t seq_in_sa; uint32_t seqh = 0; @@ -192,7 +191,7 @@ cpt_ipsec_antireplay_check(struct otx2_ipsec_fp_in_sa *sa, char *data) return IPSEC_ANTI_REPLAY_FAILED; rte_spinlock_lock(&sa->replay->lock); - ret = anti_replay_check(seq, sa); + ret = anti_replay_check(sa->replay, seq, sa->replay_win_sz); if (esn && (ret == 0)) { seq_in_sa = ((uint64_t)rte_be_to_cpu_32(sa->esn_hi) << 32) | rte_be_to_cpu_32(sa->esn_low); diff --git a/drivers/net/octeontx2/otx2_rx.h b/drivers/net/octeontx2/otx2_rx.h index 926f614a4e..523f36e9f1 100644 --- a/drivers/net/octeontx2/otx2_rx.h +++ b/drivers/net/octeontx2/otx2_rx.h 
@@ -259,7 +259,7 @@ nix_rx_sec_mbuf_update(const struct nix_cqe_hdr_s *cq, struct rte_mbuf *m, data = rte_pktmbuf_mtod(m, char *); if (sa->replay_win_sz) { - if (cpt_ipsec_antireplay_check(sa, data) < 0) + if (cpt_ipsec_ip_antireplay_check(sa, data) < 0) return PKT_RX_SEC_OFFLOAD | PKT_RX_SEC_OFFLOAD_FAILED; } 

From patchwork Fri Dec 18 14:14:10 2020
X-Patchwork-Submitter: Tejasree Kondoj
X-Patchwork-Id: 85459
X-Patchwork-Delegate: gakhil@marvell.com
From: Tejasree Kondoj
To: Akhil Goyal, Radu Nicolau
CC: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi
Date: Fri, 18 Dec 2020 19:44:10 +0530
Message-ID: <20201218141410.1918-3-ktejasree@marvell.com>
In-Reply-To: <20201218141410.1918-1-ktejasree@marvell.com>
References: <20201218141410.1918-1-ktejasree@marvell.com>
Subject: [dpdk-dev] [PATCH 2/2] crypto/octeontx2: add lookaside IPsec ESN and anti-replay support

Adding ESN and anti-replay support for lookaside IPsec.

Signed-off-by: Tejasree Kondoj --- doc/guides/cryptodevs/octeontx2.rst | 2 + doc/guides/rel_notes/release_21_02.rst | 5 ++ drivers/crypto/octeontx2/otx2_cryptodev_ops.c | 47 ++++++++++++++++++- drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 21 +++++++++ .../crypto/octeontx2/otx2_ipsec_anti_replay.h | 21 +++++++++ drivers/crypto/octeontx2/otx2_ipsec_po.h | 5 ++ drivers/crypto/octeontx2/otx2_ipsec_po_ops.h | 2 + 7 files changed, 101 insertions(+), 2 deletions(-) diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst index 0a38b8662e..170f03dd0f 100644 --- a/doc/guides/cryptodevs/octeontx2.rst +++ b/doc/guides/cryptodevs/octeontx2.rst @@ -175,4 +175,6 @@ Features supported * IPv6 * ESP * Tunnel mode +* ESN +* Anti-replay * AES-128/192/256-GCM diff --git a/doc/guides/rel_notes/release_21_02.rst b/doc/guides/rel_notes/release_21_02.rst index 638f98168b..d9ca17e83c 100644 --- a/doc/guides/rel_notes/release_21_02.rst +++ b/doc/guides/rel_notes/release_21_02.rst @@ -55,6 +55,11 @@ New Features Also, make sure to start the actual text at the margin. ======================================================= +* **Updated the OCTEON TX2 crypto PMD.** + + * Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with + ESN and anti-replay support. + Removed Items ------------- diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c index 5f2ccc0872..16aa7f4a0a 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c @@ -14,6 +14,7 @@ #include "otx2_cryptodev_mbox.h" #include "otx2_cryptodev_ops.h" #include "otx2_cryptodev_ops_helper.h" +#include "otx2_ipsec_anti_replay.h" #include "otx2_ipsec_po_ops.h" #include "otx2_mbox.h" #include "otx2_sec_idev.h" 
@@ -650,21 +651,55 @@ static __rte_always_inline int __rte_hot otx2_cpt_enqueue_sec(struct otx2_cpt_qp *qp, struct rte_crypto_op *op, struct pending_queue *pend_q) { + uint32_t winsz, esn_low = 0, esn_hi = 0, seql = 0, seqh = 0; + struct rte_mbuf *m_src = op->sym->m_src; struct otx2_sec_session_ipsec_lp *sess; struct otx2_ipsec_po_sa_ctl *ctl_wrd; + struct otx2_ipsec_po_in_sa *sa; struct otx2_sec_session *priv; struct cpt_request_info *req; + uint64_t seq_in_sa, seq = 0; + uint8_t esn; int ret; priv = get_sec_session_private_data(op->sym->sec_session); sess = &priv->ipsec.lp; + sa = &sess->in_sa; - ctl_wrd = &sess->in_sa.ctl; + ctl_wrd = &sa->ctl; + esn = ctl_wrd->esn_en; + winsz = sa->replay_win_sz; if (ctl_wrd->direction == OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND) ret = process_outb_sa(op, sess, &qp->meta_info, (void **)&req); - else + else { + if (winsz) { + esn_low = rte_be_to_cpu_32(sa->esn_low); + esn_hi = rte_be_to_cpu_32(sa->esn_hi); + seql = *rte_pktmbuf_mtod_offset(m_src, uint32_t *, + sizeof(struct rte_ipv4_hdr) + 4); + seql = rte_be_to_cpu_32(seql); + + if (!esn) + seq = (uint64_t)seql; + else { + seqh = anti_replay_get_seqh(winsz, seql, esn_hi, + esn_low); + seq = ((uint64_t)seqh << 32) | seql; + } + + if (unlikely(seq == 0)) + return IPSEC_ANTI_REPLAY_FAILED; + + ret = anti_replay_check(sa->replay, seq, winsz); + if (unlikely(ret)) { + otx2_err("Anti replay check failed"); + return IPSEC_ANTI_REPLAY_FAILED; + } + } + ret = process_inb_sa(op, sess, &qp->meta_info, (void **)&req); + } if (unlikely(ret)) { otx2_err("Crypto req : op %p, ret 0x%x", op, ret); @@ -673,6 +708,14 @@ otx2_cpt_enqueue_sec(struct otx2_cpt_qp *qp, struct rte_crypto_op *op, ret = otx2_cpt_enqueue_req(qp, pend_q, req, sess->cpt_inst_w7); + if (winsz && esn) { + seq_in_sa = ((uint64_t)esn_hi << 32) | esn_low; + if (seq > seq_in_sa) { + sa->esn_low = rte_cpu_to_be_32(seql); + sa->esn_hi = rte_cpu_to_be_32(seqh); + } + } + return ret; } 
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c index bad9c5ca9f..1f5645f2f1 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c @@ -213,6 +213,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, int ret; sess = get_sec_session_private_data(sec_sess); + sess->ipsec.dir = RTE_SECURITY_IPSEC_SA_DIR_EGRESS; lp = &sess->ipsec.lp; sa = &lp->out_sa; @@ -351,6 +352,7 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev, int ret; sess = get_sec_session_private_data(sec_sess); + sess->ipsec.dir = RTE_SECURITY_IPSEC_SA_DIR_INGRESS; lp = &sess->ipsec.lp; sa = &lp->in_sa; @@ -362,6 +364,7 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev, } memset(sa, 0, sizeof(struct otx2_ipsec_po_in_sa)); + sa->replay_win_sz = ipsec->replay_win_sz; ret = ipsec_po_sa_ctl_set(ipsec, crypto_xform, ctl); if (ret) @@ -414,6 +417,24 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev, set_session_misc_attributes(lp, crypto_xform, auth_xform, cipher_xform); + if (sa->replay_win_sz) { + if (sa->replay_win_sz > OTX2_IPSEC_MAX_REPLAY_WIN_SZ) { + otx2_err("Replay window size is not supported"); + return -ENOTSUP; + } + sa->replay = rte_zmalloc(NULL, sizeof(struct otx2_ipsec_replay), + 0); + if (sa->replay == NULL) + return -ENOMEM; + + /* Set window bottom to 1, base and top to size of window */ + sa->replay->winb = 1; + sa->replay->wint = sa->replay_win_sz; + sa->replay->base = sa->replay_win_sz; + sa->esn_low = 0; + sa->esn_hi = 0; + } + return otx2_cpt_enq_sa_write(lp, crypto_dev->data->queue_pairs[0], OTX2_IPSEC_PO_WRITE_IPSEC_INB); } diff --git a/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h b/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h index d599692a75..b2b1f77284 100644 --- a/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h +++ b/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h 
@@ -204,4 +204,25 @@ cpt_ipsec_ip_antireplay_check(struct otx2_ipsec_fp_in_sa *sa, char *data) return ret; } + +static inline uint32_t +anti_replay_get_seqh(uint32_t winsz, uint32_t seql, + uint32_t esn_hi, uint32_t esn_low) +{ + uint32_t win_low = esn_low - winsz + 1; + + if (esn_low > winsz - 1) { + /* Window is in one sequence number subspace */ + if (seql > win_low) + return esn_hi; + else + return esn_hi + 1; + } else { + /* Window is split across two sequence number subspaces */ + if (seql > win_low) + return esn_hi - 1; + else + return esn_hi; + } +} #endif /* __OTX2_IPSEC_ANTI_REPLAY_H__ */ diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h index da24f6a5d4..6d25e29734 100644 --- a/drivers/crypto/octeontx2/otx2_ipsec_po.h +++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h @@ -161,6 +161,11 @@ struct otx2_ipsec_po_in_sa { uint8_t hmac_key[48]; struct otx2_ipsec_po_traffic_selector selector; } aes_gcm; + union { + struct otx2_ipsec_replay *replay; + uint64_t replay64; + }; + uint32_t replay_win_sz; }; struct otx2_ipsec_po_ip_template { diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h index bc702d5c79..c0c936141d 100644 --- a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h +++ b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h @@ -124,6 +124,8 @@ process_outb_sa(struct rte_crypto_op *cop, req->ist.ei1 = rte_pktmbuf_iova(m_src); req->ist.ei2 = req->ist.ei1; + sa->esn_hi = sess->seq_hi; + hdr->seq = rte_cpu_to_be_32(sess->seq_lo); hdr->ip_id = rte_cpu_to_be_32(sess->ip_id);
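
Review bot: in patch 1/2, the first hunk of otx2_ipsec_anti_replay.h turns anti_replay_check() into a generic helper taking a bare `struct otx2_ipsec_replay *`, but nothing documents that the caller must hold `replay->lock`. The only caller visible in this patch, cpt_ipsec_ip_antireplay_check(), takes `rte_spinlock_lock(&sa->replay->lock)` immediately before the call, so the contract is currently implicit. Please add a comment above anti_replay_check() stating the locking requirement. The commit message should also mention the rename to cpt_ipsec_ip_antireplay_check() and the switch from `static` to `static inline`, since both change more than the stated "make generic".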
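
Review bot: in patch 2/2, the otx2_cpt_enqueue_sec() hunk commits replay state at enqueue time, before the CPT has verified the packet. The `sa->esn_low = rte_cpu_to_be_32(seql);` / `sa->esn_hi = rte_cpu_to_be_32(seqh);` update runs right after otx2_cpt_enqueue_req() and is not gated on `ret`, so it is applied even when the enqueue failed and for packets whose ICV later fails. RFC 4303 section 3.4.3 updates the receive window only after ICV verification succeeds; consider moving the update to the completion path, or at minimum checking `ret == 0` first. Two further points in the same hunk: anti_replay_check() is called here without taking `sa->replay->lock`, unlike the inline path in patch 1/2, and `seql` is read at the fixed offset `sizeof(struct rte_ipv4_hdr) + 4` with no length check, which assumes an IPv4 outer header without options even though octeontx2.rst lists IPv6 as supported.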
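
Review bot: in patch 2/2, the last hunk of crypto_sec_ipsec_inb_session_create() allocates `sa->replay` with rte_zmalloc() but no matching rte_free() is visible anywhere in this patch. The function then ends with `return otx2_cpt_enq_sa_write(...)`, so a failure there leaves the allocation behind, and otx2_cryptodev_sec.c has no hunk touching a session destroy path. Please free `sa->replay` on the error path and on session teardown. The `OTX2_IPSEC_MAX_REPLAY_WIN_SZ` check would also be better placed next to `sa->replay_win_sz = ipsec->replay_win_sz;` so an unsupported window size is rejected before the rest of the SA is set up.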
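
Review bot: in patch 2/2, anti_replay_get_seqh() uses strict comparisons (`esn_low > winsz - 1`, `seql > win_low`) where RFC 4303 Appendix A2.1 uses Tl >= W - 1 and Seql >= Bl, so the boundary cases resolve to the wrong subspace. With `esn_low == winsz - 1`, `win_low` is 0 and the code takes the "split" branch, returning `esn_hi - 1` for every `seql > 0`; when `esn_hi` is 0 that wraps to 0xFFFFFFFF. With `seql == win_low` in the first branch it returns `esn_hi + 1` for a packet that sits at the bottom of the current window. Suggest `esn_low >= winsz - 1` and `seql >= win_low`, plus a short comment naming the parameters (window size, received low 32 bits, highest seen high and low words).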
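
Review bot: in patch 2/2, the process_outb_sa() hunk stores `sa->esn_hi = sess->seq_hi;` without a byte-order conversion, while the very next line writes `hdr->seq = rte_cpu_to_be_32(sess->seq_lo);` and the inbound code in this series reads `sa->esn_hi` through rte_be_to_cpu_32(). If the outbound SA field is big-endian like the inbound one, this needs `rte_cpu_to_be_32(sess->seq_hi)`; if it is intentionally host order, please add a comment saying so.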