From patchwork Wed Jun 2 17:10:59 2021
X-Patchwork-Submitter: Anoob Joseph
X-Patchwork-Id: 93830
X-Patchwork-Delegate: gakhil@marvell.com
From: Anoob Joseph
To: Akhil Goyal, Thomas Monjalon
CC: Srujana Challa, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, Anoob Joseph
Date: Wed, 2 Jun 2021 22:40:59 +0530
Message-ID: <1622653862-22830-2-git-send-email-anoobj@marvell.com>
In-Reply-To: <1622653862-22830-1-git-send-email-anoobj@marvell.com>
References: <1622653862-22830-1-git-send-email-anoobj@marvell.com>
Subject: [dpdk-dev] [PATCH 1/4] crypto/cnxk: add security ctx skeleton

From: Srujana Challa

Add security ctx in cn10k crypto PMD.

Signed-off-by: Anoob Joseph
Signed-off-by: Srujana Challa
Signed-off-by: Tejasree Kondoj
--- drivers/crypto/cnxk/cn10k_cryptodev.c | 10 +++++++ drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 47 ++++++++++++++++++++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev_sec.h | 14 ++++++++++ drivers/crypto/cnxk/meson.build | 3 +- 4 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.c create mode 100644 drivers/crypto/cnxk/cnxk_cryptodev_sec.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index ca3adea..b58d390 100644 
--- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -14,6 +14,7 @@ #include "cn10k_cryptodev_ops.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_capabilities.h" +#include "cnxk_cryptodev_sec.h" #include "roc_api.h" @@ -75,6 +76,11 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, plt_err("Failed to add engine group rc=%d", rc); goto dev_fini; } + + /* Create security context */ + rc = cnxk_crypto_sec_ctx_create(dev); + if (rc) + goto dev_fini; } cnxk_cpt_caps_populate(vf); @@ -87,6 +93,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | RTE_CRYPTODEV_FF_SYM_SESSIONLESS | + RTE_CRYPTODEV_FF_SECURITY | RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn10k_cpt_set_enqdeq_fns(dev); @@ -121,6 +128,9 @@ cn10k_cpt_pci_remove(struct rte_pci_device *pci_dev) if (dev == NULL) return -ENODEV; + /* Destroy security context */ + cnxk_crypto_sec_ctx_destroy(dev); + if (rte_eal_process_type() == RTE_PROC_PRIMARY) { vf = dev->data->dev_private; ret = roc_cpt_dev_fini(&vf->cpt); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c new file mode 100644 index 0000000..f03d2ed --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c 
@@ -0,0 +1,47 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include +#include +#include +#include + +#include "cnxk_cryptodev_sec.h" + +/* Common security ops */ +struct rte_security_ops cnxk_sec_ops = { + .session_create = NULL, + .session_destroy = NULL, + .session_get_size = NULL, + .set_pkt_metadata = NULL, + .get_userdata = NULL, + .capabilities_get = NULL, +}; + +int +cnxk_crypto_sec_ctx_create(struct rte_cryptodev *cdev) +{ + struct rte_security_ctx *ctx; + + ctx = rte_malloc("cnxk_cpt_dev_sec_ctx", + sizeof(struct rte_security_ctx), 0); + + if (ctx == NULL) + return -ENOMEM; + + /* Populate ctx */ + ctx->device = cdev; + ctx->ops = &cnxk_sec_ops; + ctx->sess_cnt = 0; + + cdev->security_ctx = ctx; + + return 0; +} + +void +cnxk_crypto_sec_ctx_destroy(struct rte_cryptodev *cdev) +{ + rte_free(cdev->security_ctx); +} diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.h b/drivers/crypto/cnxk/cnxk_cryptodev_sec.h new file mode 100644 index 0000000..9ab0e9e --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.h @@ -0,0 +1,14 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CNXK_CRYPTODEV_SEC_H__ +#define __CNXK_CRYPTODEV_SEC_H__ + +#include + +int cnxk_crypto_sec_ctx_create(struct rte_cryptodev *crypto_dev); + +void cnxk_crypto_sec_ctx_destroy(struct rte_cryptodev *crypto_dev); + +#endif /* __CNXK_CRYPTODEV_SEC_H__ */ diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build index b0aa3c0..ab45483 100644 --- a/drivers/crypto/cnxk/meson.build +++ b/drivers/crypto/cnxk/meson.build 
@@ -17,6 +17,7 @@ sources = files( 'cnxk_cryptodev.c', 'cnxk_cryptodev_capabilities.c', 'cnxk_cryptodev_ops.c', + 'cnxk_cryptodev_sec.c', ) -deps += ['bus_pci', 'common_cnxk'] +deps += ['bus_pci', 'common_cnxk', 'security']

From patchwork Wed Jun 2 17:11:00 2021
X-Patchwork-Submitter: Anoob Joseph
X-Patchwork-Id: 93831
X-Patchwork-Delegate: gakhil@marvell.com
From: Anoob Joseph
To: Akhil Goyal, Thomas Monjalon
CC: Anoob Joseph, Jerin Jacob, "Ankur Dwivedi", Tejasree Kondoj, Srujana Challa
Date: Wed, 2 Jun 2021 22:41:00 +0530
Message-ID: <1622653862-22830-3-git-send-email-anoobj@marvell.com>
In-Reply-To: <1622653862-22830-1-git-send-email-anoobj@marvell.com>
References: <1622653862-22830-1-git-send-email-anoobj@marvell.com>
Subject: [dpdk-dev] [PATCH 2/4] crypto/cnxk: add security capabilities

Add security capabilities supported by crypto cn10k PMD.

Signed-off-by: Anoob Joseph
Signed-off-by: Srujana Challa
Signed-off-by: Tejasree Kondoj
--- drivers/crypto/cnxk/cnxk_cryptodev.h | 4 + drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 114 ++++++++++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h | 9 +- drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 3 +- 4 files changed, 128 insertions(+), 2 deletions(-) 
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index dcbdc53..1568be3 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -6,6 +6,7 @@ #define _CNXK_CRYPTODEV_H_ #include +#include #include "roc_cpt.h" @@ -31,6 +32,9 @@ struct cnxk_cpt_vf { struct roc_cpt cpt; struct rte_cryptodev_capabilities crypto_caps[CNXK_CPT_MAX_CAPS]; + struct rte_cryptodev_capabilities + sec_crypto_caps[CNXK_SEC_CRYPTO_MAX_CAPS]; + struct rte_security_capability sec_caps[CNXK_SEC_MAX_CAPS]; }; int cnxk_cpt_eng_grp_add(struct roc_cpt *roc_cpt); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index e627854..ab37f9c 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -3,6 +3,7 @@ */ #include +#include #include "roc_api.h" @@ -18,6 +19,15 @@ RTE_DIM(caps_##name)); \ } while (0) +#define SEC_CAPS_ADD(cnxk_caps, cur_pos, hw_caps, name) \ + do { \ + if ((hw_caps[CPT_ENG_TYPE_SE].name) || \ + (hw_caps[CPT_ENG_TYPE_IE].name) || \ + (hw_caps[CPT_ENG_TYPE_AE].name)) \ + sec_caps_add(cnxk_caps, cur_pos, sec_caps_##name, \ + RTE_DIM(sec_caps_##name)); \ + } while (0) + static const struct rte_cryptodev_capabilities caps_mul[] = { { /* RSA */ .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, 
@@ -713,6 +723,69 @@ static const struct rte_cryptodev_capabilities caps_end[] = { RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST() }; +static const struct rte_cryptodev_capabilities sec_caps_aes[] = { + { /* AES GCM */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD, + {.aead = { + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 8 + }, + .digest_size = { + .min = 16, + .max = 16, + .increment = 0 + }, + .aad_size = { + .min = 8, + .max = 12, + .increment = 4 + }, + .iv_size = { + .min = 12, + .max = 12, + .increment = 0 + } + }, } + }, } + }, +}; + +static const struct rte_security_capability sec_caps_templ[] = { + { /* IPsec Lookaside Protocol ESP Tunnel Ingress */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec = { + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, + .options = { 0 } + }, + .crypto_capabilities = NULL, + .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA + }, + { /* IPsec Lookaside Protocol ESP Tunnel Egress */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec = { + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .options = { 0 } + }, + .crypto_capabilities = NULL, + .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA + }, + { + .action = RTE_SECURITY_ACTION_TYPE_NONE + } +}; + static void cpt_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos, const struct rte_cryptodev_capabilities *caps, int nb_caps) 
@@ -748,8 +821,49 @@ cnxk_crypto_capabilities_get(struct cnxk_cpt_vf *vf) return vf->crypto_caps; } +static void +sec_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos, + const struct rte_cryptodev_capabilities *caps, int nb_caps) +{ + if (*cur_pos + nb_caps > CNXK_SEC_CRYPTO_MAX_CAPS) + return; + + memcpy(&cnxk_caps[*cur_pos], caps, nb_caps * sizeof(caps[0])); + *cur_pos += nb_caps; +} + +static void +sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[], + union cpt_eng_caps *hw_caps) +{ + int cur_pos = 0; + + SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, aes); + + sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end)); +} + void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) { + unsigned long i; + crypto_caps_populate(vf->crypto_caps, vf->cpt.hw_caps); + sec_crypto_caps_populate(vf->sec_crypto_caps, vf->cpt.hw_caps); + + PLT_STATIC_ASSERT(RTE_DIM(sec_caps_templ) <= RTE_DIM(vf->sec_caps)); + memcpy(vf->sec_caps, sec_caps_templ, sizeof(sec_caps_templ)); + + for (i = 0; i < RTE_DIM(sec_caps_templ) - 1; i++) + vf->sec_caps[i].crypto_capabilities = vf->sec_crypto_caps; +} + +const struct rte_security_capability * +cnxk_crypto_sec_capabilities_get(void *device) +{ + struct rte_cryptodev *dev = device; + struct cnxk_cpt_vf *vf; + + vf = dev->data->dev_private; + return vf->sec_caps; } diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h index 85f5ad2..fe07e43 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h @@ -10,7 +10,7 @@ #include "cnxk_cryptodev.h" /* - * Initialize crypto capabilities for the device + * Initialize crypto and IPsec capabilities for the device * */ void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf); 
@@ -22,4 +22,11 @@ void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf); const struct rte_cryptodev_capabilities * cnxk_crypto_capabilities_get(struct cnxk_cpt_vf *vf); +/* + * Get security capabilities list for the device + * + */ +const struct rte_security_capability * +cnxk_crypto_sec_capabilities_get(void *device); + #endif /* _CNXK_CRYPTODEV_CAPABILITIES_H_ */ diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c index f03d2ed..8d04d4b 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c @@ -7,6 +7,7 @@ #include #include +#include "cnxk_cryptodev_capabilities.h" #include "cnxk_cryptodev_sec.h" /* Common security ops */ 
@@ -16,7 +17,7 @@ struct rte_security_ops cnxk_sec_ops = { .session_get_size = NULL, .set_pkt_metadata = NULL, .get_userdata = NULL, - .capabilities_get = NULL, + .capabilities_get = cnxk_crypto_sec_capabilities_get }; int

From patchwork Wed Jun 2 17:11:01 2021
X-Patchwork-Submitter: Anoob Joseph
X-Patchwork-Id: 93832
X-Patchwork-Delegate: gakhil@marvell.com
From: Anoob Joseph
To: Akhil Goyal, Thomas Monjalon
CC: Tejasree Kondoj, Jerin Jacob, Ankur Dwivedi, Anoob Joseph, Archana Muniganti, "Srujana Challa"
Date: Wed, 2 Jun 2021 22:41:01 +0530
Message-ID: <1622653862-22830-4-git-send-email-anoobj@marvell.com>
In-Reply-To: <1622653862-22830-1-git-send-email-anoobj@marvell.com>
References: <1622653862-22830-1-git-send-email-anoobj@marvell.com>
Subject: [dpdk-dev] [PATCH 3/4] crypto/cnxk: add security session ops

From: Tejasree Kondoj

Add security session ops in cn10k crypto PMD.

Signed-off-by: Anoob Joseph
Signed-off-by: Archana Muniganti
Signed-off-by: Srujana Challa
Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cn10k_cryptodev.c | 2 + drivers/crypto/cnxk/cn10k_ipsec.c | 520 ++++++++++++++++++++++++++++++++++ drivers/crypto/cnxk/cn10k_ipsec.h | 38 +++ drivers/crypto/cnxk/cnxk_ipsec.h | 18 ++ drivers/crypto/cnxk/meson.build | 3 +- 5 files changed, 580 insertions(+), 1 deletion(-) create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.c create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.h create mode 100644 drivers/crypto/cnxk/cnxk_ipsec.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index b58d390..9517e62 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -12,6 +12,7 @@ #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" +#include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_capabilities.h" #include "cnxk_cryptodev_sec.h" @@ -97,6 +98,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn10k_cpt_set_enqdeq_fns(dev); + cn10k_sec_ops_override(); return 0; diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c new file mode 100644 index 0000000..31be6e7 --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec.c 
@@ -0,0 +1,520 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include +#include +#include +#include +#include +#include +#include + +#include "cnxk_cryptodev.h" +#include "cnxk_ipsec.h" +#include "cn10k_ipsec.h" + +#include "roc_api.h" +#include "roc_ie.h" + +static int +ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && + crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT) + return -EINVAL; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && + crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT) + return -EINVAL; + + if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + switch (crypto_xfrm->aead.key.length) { + case ROC_AES128_KEY_LEN: + case ROC_AES192_KEY_LEN: + case ROC_AES256_KEY_LEN: + break; + default: + return -EINVAL; + } + return 0; + } + + return -ENOTSUP; +} + +static int +cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS)) + return -EINVAL; + + if ((ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) && + (ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH)) + return -EINVAL; + + if ((ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) && + (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)) + return -EINVAL; + + if ((ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) && + (ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6)) + return -EINVAL; + + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) + return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm); + + return -ENOTSUP; +} + +static uint64_t +ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa) +{ + union cpt_inst_w7 w7; + + w7.u64 = 0; + w7.s.egrp = 
roc_cpt->eng_grp[CPT_ENG_TYPE_IE]; + w7.s.ctx_val = 1; + w7.s.cptr = (uint64_t)sa; + rte_mb(); + + return w7.u64; +} + +static int +ipsec_get_inb_ctx_size(struct roc_ot_ipsec_inb_sa *sa __rte_unused) +{ + + return offsetof(struct roc_ot_ipsec_inb_sa, ctx) + + offsetof(struct roc_ot_ipsec_inb_ctx_update_reg, ar_winbits) + 8; +} + +static int +ipsec_sa_inb_param_fill(struct roc_cpt *roc_cpt, struct cn10k_ipsec_sa *sa) +{ + /* TODO add support for antireplay */ + sa->in_sa.w0.s.ar_win = 0; + + /* TODO add support for udp encap */ + + sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa); + + return 0; +} + +static int +ipsec_sa_len_precalc(struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *xform, + struct cn10k_ipsec_sa *sa) +{ + if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) + sa->partial_len = sizeof(struct rte_ipv4_hdr); + else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) + sa->partial_len = sizeof(struct rte_ipv6_hdr); + else + return -EINVAL; + + if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) { + sa->partial_len += sizeof(struct rte_esp_hdr); + sa->roundup_len = sizeof(struct rte_esp_tail); + } else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) { + sa->partial_len += ROC_IE_AH_HDR_LEN; + } else { + return -EINVAL; + } + + if (ipsec->options.udp_encap) + sa->partial_len += sizeof(struct rte_udp_hdr); + + if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + sa->partial_len += ROC_IE_AES_GCM_IV_LEN; + sa->partial_len += ROC_IE_AES_GCM_MAC_LEN; + sa->roundup_byte = ROC_IE_AES_GCM_ROUNDUP_BYTE_LEN; + return 0; + } else { + return -EINVAL; + } + } + + return 0; +} + +static int +ipsec_sa_outb_param_fill(struct roc_cpt *roc_cpt, + struct cn10k_ipsec_sa *ipsec_sa, + struct rte_security_ipsec_xform *ipsec) +{ + struct roc_ot_ipsec_outb_sa *sa = &ipsec_sa->out_sa; + uint32_t *ip_addr; + + /* Set up tunnel header generation */ + if (ipsec->mode == 
RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + sa->w2.s.outer_ip_ver = ROC_IE_OT_SA_IP_VERSION_4; + memcpy(&sa->outer_hdr.ipv4.src_addr, + &ipsec->tunnel.ipv4.src_ip, + sizeof(struct in_addr)); + ip_addr = (uint32_t *)&sa->outer_hdr.ipv4.src_addr; + *ip_addr = rte_be_to_cpu_32(*ip_addr); + memcpy(&sa->outer_hdr.ipv4.dst_addr, + &ipsec->tunnel.ipv4.dst_ip, + sizeof(struct in_addr)); + ip_addr = (uint32_t *)&sa->outer_hdr.ipv4.dst_addr; + *ip_addr = rte_be_to_cpu_32(*ip_addr); + + if (!ipsec->options.copy_df) { + sa->w2.s.ipv4_df_src_or_ipv6_flw_lbl_src = + ROC_IE_OT_SA_COPY_FROM_SA; + sa->w10.s.ipv4_df_or_ipv6_flw_lbl = + ipsec->tunnel.ipv4.df; + } else + sa->w2.s.ipv4_df_src_or_ipv6_flw_lbl_src = + ROC_IE_OT_SA_COPY_FROM_INNER_IP_HDR; + + if (!ipsec->options.copy_dscp) { + sa->w2.s.dscp_src = ROC_IE_OT_SA_COPY_FROM_SA; + sa->w10.s.dscp = ipsec->tunnel.ipv4.dscp; + } else + sa->w2.s.dscp_src = + ROC_IE_OT_SA_COPY_FROM_INNER_IP_HDR; + + } else if (ipsec->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV6) { + sa->w2.s.outer_ip_ver = ROC_IE_OT_SA_IP_VERSION_6; + memcpy(&sa->outer_hdr.ipv6.src_addr, + &ipsec->tunnel.ipv6.src_addr, + sizeof(struct in6_addr)); + memcpy(&sa->outer_hdr.ipv6.dst_addr, + &ipsec->tunnel.ipv6.dst_addr, + sizeof(struct in6_addr)); + + if (!ipsec->options.copy_flabel) { + sa->w2.s.ipv4_df_src_or_ipv6_flw_lbl_src = + ROC_IE_OT_SA_COPY_FROM_SA; + + sa->w10.s.ipv4_df_or_ipv6_flw_lbl = + ipsec->tunnel.ipv6.flabel; + } else + sa->w2.s.ipv4_df_src_or_ipv6_flw_lbl_src = + ROC_IE_OT_SA_COPY_FROM_INNER_IP_HDR; + + if (!ipsec->options.copy_dscp) { + sa->w2.s.dscp_src = ROC_IE_OT_SA_COPY_FROM_SA; + sa->w10.s.dscp = ipsec->tunnel.ipv6.dscp; + } else + sa->w2.s.dscp_src = + ROC_IE_OT_SA_COPY_FROM_INNER_IP_HDR; + } else { + return -EINVAL; + } + + } else { + return -EINVAL; + } + + ipsec_sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa); + + return 0; +} + +static void +ipsec_sa_common_param_fill(union 
roc_ot_ipsec_sa_word2 *w2, uint8_t *cipher_key, + uint8_t *salt_key, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + const uint8_t *key = NULL; + uint32_t *tmp_salt; + uint64_t *tmp_key; + uint32_t i; + int length = 0; + + /* Set direction */ + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + w2->s.dir = ROC_IE_OT_SA_DIR_INBOUND; + else + w2->s.dir = ROC_IE_OT_SA_DIR_OUTBOUND; + + /* Set protocol - ESP vs AH */ + if (ipsec_xfrm->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) + w2->s.protocol = ROC_IE_OT_SA_PROTOCOL_ESP; + else + w2->s.protocol = ROC_IE_OT_SA_PROTOCOL_AH; + + /* Set mode - transport vs tunnel */ + if (ipsec_xfrm->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) + w2->s.mode = ROC_IE_OT_SA_MODE_TRANSPORT; + else + w2->s.mode = ROC_IE_OT_SA_MODE_TUNNEL; + + /* Set encryption algorithm */ + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + switch ((int)crypto_xfrm->aead.algo) { + case RTE_CRYPTO_AEAD_AES_GCM: + w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_GCM; + w2->s.auth_type = ROC_IE_OT_SA_AUTH_NULL; + memcpy(salt_key, &ipsec_xfrm->salt, ROC_SALT_LEN); + tmp_salt = (uint32_t *)salt_key; + *tmp_salt = rte_be_to_cpu_32(*tmp_salt); + break; + } + key = crypto_xfrm->aead.key.data; + length = crypto_xfrm->aead.key.length; + } + + w2->s.spi = ipsec_xfrm->spi; + + /* Copy encryption key */ + memcpy(cipher_key, key, length); + tmp_key = (uint64_t *)cipher_key; + for (i = 0; i < ROC_CTX_MAX_CKEY_LEN / sizeof(uint64_t); i++) + tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]); + + switch (length) { + case ROC_AES128_KEY_LEN: + w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_128; + break; + case ROC_AES192_KEY_LEN: + w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_192; + break; + case ROC_AES256_KEY_LEN: + w2->s.aes_key_len = ROC_IE_OT_SA_AES_KEY_LEN_256; + break; + } +} + +static int +cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform 
*crypto_xfrm, + struct rte_security_session *sec_sess) +{ + struct roc_ot_ipsec_outb_sa *out_sa; + struct cn10k_sec_session *sess; + struct cn10k_ipsec_sa *sa; + union cpt_inst_w4 inst_w4; + size_t offset; + int ret; + + sess = get_sec_session_private_data(sec_sess); + sa = &sess->sa; + out_sa = &sa->out_sa; + + memset(out_sa, 0, sizeof(struct roc_ot_ipsec_outb_sa)); + + ipsec_sa_common_param_fill((union roc_ot_ipsec_sa_word2 *)&out_sa->w2, + out_sa->cipher_key, out_sa->iv.s.salt, + ipsec_xfrm, crypto_xfrm); + + ret = ipsec_sa_outb_param_fill(roc_cpt, sa, ipsec_xfrm); + if (ret) + return ret; + + ret = ipsec_sa_len_precalc(ipsec_xfrm, crypto_xfrm, sa); + if (ret) + return ret; + + /* Set context offsets and sizes */ + + /* Set offset of hw_ctx in 8b units */ + offset = offsetof(struct roc_ot_ipsec_outb_sa, ctx); + out_sa->w0.s.hw_ctx_off = offset / ROC_CTX_UNIT_8B; + + /* Context push size for outbound spans up to and includes + * relevant keys, for example for AES-GCM it need not push beyond + * cipher_key field, for SHAx it need not push beyond + * hmac_opad_ipad field. 
+ * TODO for now let's set it up to hw_ctx however it should be + * updated later + */ + out_sa->w0.s.ctx_push_size = out_sa->w0.s.hw_ctx_off; + /* Entire context size in 128b units */ + offset = sizeof(struct roc_ot_ipsec_outb_sa); + out_sa->w0.s.ctx_size = + PLT_ALIGN_CEIL(offset, ROC_CTX_UNIT_128B) / ROC_CTX_UNIT_128B - + 1; + /* There are 2 words prepended to the context */ + out_sa->w0.s.ctx_hdr_size = CN10K_IPSEC_SA_CTX_HDR_SIZE; + out_sa->w0.s.aop_valid = 1; + + /* pre-populate CPT INST word 4 */ + inst_w4.u64 = 0; + inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC; + inst_w4.s.param1 = 0; + sa->inst.w4 = inst_w4.u64; + + out_sa->w2.s.ipid_gen = 1; + + /* Enable SA */ + out_sa->w2.s.valid = 1; + + return 0; +} + +static int +cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sec_sess) +{ + struct roc_ot_ipsec_inb_sa *in_sa; + struct cn10k_sec_session *sess; + struct cn10k_ipsec_sa *sa; + union cpt_inst_w4 inst_w4; + size_t offset; + + sess = get_sec_session_private_data(sec_sess); + sa = &sess->sa; + in_sa = &sa->in_sa; + + ipsec_sa_common_param_fill((union roc_ot_ipsec_sa_word2 *)&in_sa->w2, + in_sa->cipher_key, in_sa->w8.s.salt, + ipsec_xfrm, crypto_xfrm); + + ipsec_sa_inb_param_fill(roc_cpt, sa); + + /* Set context offsets and sizes */ + + /* Set offset of hw_ctx in 8b units */ + offset = offsetof(struct roc_ot_ipsec_inb_sa, ctx); + in_sa->w0.s.hw_ctx_off = offset / ROC_CTX_UNIT_8B; + + /* Context push size for inbound spans up to hw_ctx including ar_base + * field, in 8b units + */ + in_sa->w0.s.ctx_push_size = in_sa->w0.s.hw_ctx_off + 1; + /* Entire context size in 128b units */ + in_sa->w0.s.ctx_size = PLT_ALIGN_CEIL(ipsec_get_inb_ctx_size(in_sa), + ROC_CTX_UNIT_128B) / + ROC_CTX_UNIT_128B - + 1; + /* There are 2 words prepended to the context */ + in_sa->w0.s.ctx_hdr_size = CN10K_IPSEC_SA_CTX_HDR_SIZE; + 
in_sa->w0.s.aop_valid = 1; + + /* pre-populate CPT INST word 4 */ + inst_w4.u64 = 0; + inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC; + + /* Disable checksum verification for now */ + inst_w4.s.param1 = 7; + sa->inst.w4 = inst_w4.u64; + + in_sa->w2.s.outer_ip_ver = ROC_IE_OT_SA_IP_VERSION_4; + + /* Enable SA */ + in_sa->w2.s.valid = 1; + + return 0; +} + +static int +cn10k_ipsec_session_create(void *dev, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sess) +{ + struct rte_cryptodev *crypto_dev = dev; + struct roc_cpt *roc_cpt; + struct cnxk_cpt_vf *vf; + int ret; + + vf = crypto_dev->data->dev_private; + roc_cpt = &vf->cpt; + + if (crypto_dev->data->queue_pairs[0] == NULL) { + plt_err("Setup cpt queue pair before creating security session"); + return -EPERM; + } + + ret = cn10k_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm); + if (ret) + return ret; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + return cn10k_ipsec_inb_sa_create(roc_cpt, ipsec_xfrm, + crypto_xfrm, sess); + else + return cn10k_ipsec_outb_sa_create(roc_cpt, ipsec_xfrm, + crypto_xfrm, sess); +} + +static int +cn10k_sec_session_create(void *device, struct rte_security_session_conf *conf, + struct rte_security_session *sess, + struct rte_mempool *mempool) +{ + struct cn10k_sec_session *priv; + int ret; + + if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) + return -EINVAL; + + if (rte_security_dynfield_register() < 0) + return -ENOTSUP; + + if (rte_mempool_get(mempool, (void **)&priv)) { + plt_err("Could not allocate security session private data"); + return -ENOMEM; + } + + set_sec_session_private_data(sess, priv); + + priv->userdata = conf->userdata; + + if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) { + ret = -ENOTSUP; + goto mempool_put; + } + ret = cn10k_ipsec_session_create(device, &conf->ipsec, + conf->crypto_xform, sess); + if (ret) + goto mempool_put; + + 
return 0; + +mempool_put: + rte_mempool_put(mempool, priv); + set_sec_session_private_data(sess, NULL); + return ret; +} + +static int +cn10k_sec_session_destroy(void *device __rte_unused, + struct rte_security_session *sess) +{ + struct cn10k_sec_session *priv; + struct rte_mempool *sess_mp; + + priv = get_sec_session_private_data(sess); + + if (priv == NULL) + return 0; + + sess_mp = rte_mempool_from_obj(priv); + + set_sec_session_private_data(sess, NULL); + rte_mempool_put(sess_mp, priv); + + return 0; +} + +static unsigned int +cn10k_sec_session_get_size(void *device __rte_unused) +{ + return sizeof(struct cn10k_sec_session); +} + +/* Update platform specific security ops */ +void +cn10k_sec_ops_override(void) +{ + /* Update platform specific ops */ + cnxk_sec_ops.session_create = cn10k_sec_session_create; + cnxk_sec_ops.session_destroy = cn10k_sec_session_destroy; + cnxk_sec_ops.session_get_size = cn10k_sec_session_get_size; +} diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h new file mode 100644 index 0000000..6e36e67 --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec.h @@ -0,0 +1,38 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CN10K_IPSEC_H__ +#define __CN10K_IPSEC_H__ + +#include + +#include "roc_platform.h" +#include "roc_ie_ot.h" +#include "cnxk_ipsec.h" + +#define CN10K_IPSEC_SA_CTX_HDR_SIZE 1 + +struct cn10k_ipsec_sa { + union { + /** Inbound SA */ + struct roc_ot_ipsec_inb_sa in_sa; + /** Outbound SA */ + struct roc_ot_ipsec_outb_sa out_sa; + }; + /** Pre-populated CPT inst words */ + struct cnxk_cpt_inst_tmpl inst; + uint8_t partial_len; + uint8_t roundup_len; + uint8_t roundup_byte; +}; + +struct cn10k_sec_session { + struct cn10k_ipsec_sa sa; + void *userdata; + /**< Userdata registered by the application */ +} __rte_cache_aligned; + +void cn10k_sec_ops_override(void); + +#endif /* __CN10K_IPSEC_H__ */ 
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h new file mode 100644 index 0000000..8b9500d --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_ipsec.h @@ -0,0 +1,18 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ +#ifndef __CNXK_IPSEC_H__ +#define __CNXK_IPSEC_H__ + +#include +#include + +extern struct rte_security_ops cnxk_sec_ops; + +struct cnxk_cpt_inst_tmpl { + uint64_t w2; + uint64_t w4; + uint64_t w7; +}; + +#endif /* __CNXK_IPSEC_H__ */ diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build index ab45483..eea08fa 100644 --- a/drivers/crypto/cnxk/meson.build +++ b/drivers/crypto/cnxk/meson.build @@ -13,6 +13,7 @@ sources = files( 'cn9k_cryptodev_ops.c', 'cn10k_cryptodev.c', 'cn10k_cryptodev_ops.c', + 'cn10k_ipsec.c', 'cnxk_cpt_ops_helper.c', 'cnxk_cryptodev.c', 'cnxk_cryptodev_capabilities.c', 
@@ -20,4 +21,4 @@ sources = files( 'cnxk_cryptodev_sec.c', ) -deps += ['bus_pci', 'common_cnxk', 'security'] +deps += ['bus_pci', 'common_cnxk', 'security', 'rte_net']

From patchwork Wed Jun 2 17:11:02 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Anoob Joseph
X-Patchwork-Id: 93833
X-Patchwork-Delegate: gakhil@marvell.com
From: Anoob Joseph
To: Akhil Goyal , Thomas Monjalon
CC: Tejasree Kondoj , Jerin Jacob , Ankur Dwivedi , , Anoob Joseph , Srujana Challa
Date: Wed, 2 Jun 2021 22:41:02 +0530
Message-ID: <1622653862-22830-5-git-send-email-anoobj@marvell.com>
In-Reply-To: <1622653862-22830-1-git-send-email-anoobj@marvell.com>
References: <1622653862-22830-1-git-send-email-anoobj@marvell.com>
Subject: [dpdk-dev] [PATCH 4/4] crypto/cnxk: add security handling in datapath ops
List-Id: DPDK patches and discussions

From: Tejasree Kondoj

Add security handling in enqueue dequeue ops.

Signed-off-by: Anoob Joseph
Signed-off-by: Srujana Challa
Signed-off-by: Tejasree Kondoj
---
 drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 78 ++++++++++++++++++++++++++++++-
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 74 +++++++++++++++++++++++++++++
 2 files changed, 151 insertions(+), 1 deletion(-)
 create mode 100644 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 22704df..68093ea 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -4,9 +4,12 @@ #include #include +#include #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" +#include "cn10k_ipsec_la_ops.h" +#include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_ops.h" #include "cnxk_se.h" @@ -42,6 +45,38 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op) } static __rte_always_inline int __rte_hot +cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess, + struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) +{ + struct rte_crypto_sym_op *sym_op = op->sym; + union roc_ot_ipsec_sa_word2 *w2; + struct cn10k_ipsec_sa *sa; + int ret; + + if (unlikely(sym_op->m_dst && sym_op->m_dst != sym_op->m_src)) { + CPT_LOG_DP_ERR("Out of place is not supported"); + return -ENOTSUP; + } + + if (unlikely(!rte_pktmbuf_is_contiguous(sym_op->m_src))) { + CPT_LOG_DP_ERR("Scatter Gather mode is not supported"); + return -ENOTSUP; + } + + sa = &sess->sa; + w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2; + + if (w2->s.dir == ROC_IE_OT_SA_DIR_OUTBOUND) + ret = process_outb_sa(op, sa, inst); + else { + infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND; + ret = process_inb_sa(op, sa, inst); + } + + return ret; +} + +static __rte_always_inline int __rte_hot cpt_sym_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op, struct cnxk_se_sess *sess, struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) @@ -64,6 +99,7 @@ static inline int cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], struct cpt_inst_s inst[], struct cpt_inflight_req *infl_req) { + struct cn10k_sec_session *sec_sess; struct rte_crypto_sym_op *sym_op; struct cnxk_se_sess *sess; struct rte_crypto_op *op; 
@@ -79,7 +115,15 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], sym_op = op->sym; if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { - if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { + if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { + sec_sess = get_sec_session_private_data( + sym_op->sec_session); + ret = cpt_sec_inst_fill(op, sec_sess, infl_req, + &inst[0]); + if (unlikely(ret)) + return 0; + w7 = sec_sess->sa.inst.w7; + } else if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { sess = get_sym_session_private_data( sym_op->session, cn10k_cryptodev_driver_id); ret = cpt_sym_inst_fill(qp, op, sess, infl_req, @@ -196,6 +240,34 @@ cn10k_cpt_enqueue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops) } static inline void +cn10k_cpt_sec_post_process(struct rte_crypto_op *cop, + struct cpt_inflight_req *infl_req) +{ + struct rte_crypto_sym_op *sym_op = cop->sym; + struct rte_mbuf *m = sym_op->m_src; + struct rte_ipv6_hdr *ip6; + struct rte_ipv4_hdr *ip; + uint16_t m_len; + + if (infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND) { + ip = (struct rte_ipv4_hdr *)rte_pktmbuf_mtod(m, char *); + + if (((ip->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER) == + IPVERSION) { + m_len = rte_be_to_cpu_16(ip->total_length); + } else { + PLT_ASSERT(((ip->version_ihl & 0xf0) >> + RTE_IPV4_IHL_MULTIPLIER) == IPV6_VERSION); + ip6 = (struct rte_ipv6_hdr *)ip; + m_len = rte_be_to_cpu_16(ip6->payload_len) + + sizeof(struct rte_ipv6_hdr); + } + m->data_len = m_len; + m->pkt_len = m_len; + } +} + +static inline void cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, struct rte_crypto_op *cop, struct cpt_inflight_req *infl_req) 
@@ -219,6 +291,10 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { + if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { + cn10k_cpt_sec_post_process(cop, infl_req); + return; + } /* Verify authentication data if required */ if (unlikely(infl_req->op_flags & diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h new file mode 100644 index 0000000..dc547d1 --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h 
@@ -0,0 +1,74 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CN10K_IPSEC_LA_OPS_H__ +#define __CN10K_IPSEC_LA_OPS_H__ + +#include +#include + +#include "cn10k_cryptodev.h" +#include "cn10k_ipsec.h" +#include "cnxk_cryptodev.h" + +static __rte_always_inline int32_t +ipsec_po_out_rlen_get(struct cn10k_ipsec_sa *sess, uint32_t plen) +{ + uint32_t enc_payload_len; + + enc_payload_len = + RTE_ALIGN_CEIL(plen + sess->roundup_len, sess->roundup_byte); + + return sess->partial_len + enc_payload_len; +} + +static __rte_always_inline int +process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, + struct cpt_inst_s *inst) +{ + struct rte_crypto_sym_op *sym_op = cop->sym; + struct rte_mbuf *m_src = sym_op->m_src; + uint32_t dlen, rlen, extend_tail; + char *mdata; + + dlen = rte_pktmbuf_pkt_len(m_src); + rlen = ipsec_po_out_rlen_get(sess, dlen); + + extend_tail = rlen - dlen; + + mdata = rte_pktmbuf_append(m_src, extend_tail); + if (unlikely(mdata == NULL)) { + CPT_LOG_DP_ERR("Not enough tail room"); + return -ENOMEM; + } + + /* Prepare CPT instruction */ + inst->w4.u64 = sess->inst.w4; + inst->w4.s.dlen = dlen; + inst->dptr = rte_pktmbuf_iova(m_src); + inst->rptr = inst->dptr; + + return 0; +} + +static __rte_always_inline int +process_inb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sa, + struct cpt_inst_s *inst) +{ + struct rte_crypto_sym_op *sym_op = cop->sym; + struct rte_mbuf *m_src = sym_op->m_src; + uint32_t dlen; + + dlen = rte_pktmbuf_pkt_len(m_src); + + /* Prepare CPT instruction */ + inst->w4.u64 = sa->inst.w4; + inst->w4.s.dlen = dlen; + inst->dptr = rte_pktmbuf_iova(m_src); + inst->rptr = inst->dptr; + + return 0; +} + +#endif /* __CN10K_IPSEC_LA_OPS_H__ */
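Review bot: In cn10k_ipsec.c the session private data is recycled through the mempool without being cleared in either direction. cn10k_ipsec_inb_sa_create() has no counterpart to the memset(out_sa, 0, sizeof(struct roc_ot_ipsec_outb_sa)) that opens the outbound path, and priv comes from rte_mempool_get() in cn10k_sec_session_create(), which does not zero the object, so every inbound SA field the fill helpers do not write keeps whatever the previous user of that element left behind. On the way out, cn10k_sec_session_destroy() and the mempool_put error path both call rte_mempool_put() with the SA still populated: the cipher_key and salt buffers handed to ipsec_sa_common_param_fill() stay in the element, and after a successful create w2.s.valid is still 1. Suggest a memset of in_sa at the top of the inbound create and a memset of the whole cn10k_sec_session before each rte_mempool_put(). The error path also returns the object to the pool before set_sec_session_private_data(sess, NULL), the reverse of the order in destroy; clearing the pointer first would keep the two consistent.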
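Review bot: CN10K_IPSEC_SA_CTX_HDR_SIZE in cn10k_ipsec.h is defined as 1 with no unit, while both places in cn10k_ipsec.c that assign it to w0.s.ctx_hdr_size carry the comment "There are 2 words prepended to the context". Either the value or the comment is wrong, or the field counts in a unit larger than a word; a one-line comment on the macro stating the unit would settle it. The same header adds partial_len, roundup_len and roundup_byte to struct cn10k_ipsec_sa without saying what each length covers, although ipsec_po_out_rlen_get() in the datapath depends on their exact meaning.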
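Review bot: cpt_sec_inst_fill() in cn10k_cryptodev_ops.c reads the direction through sa->in_sa.w2 for every session, including outbound ones whose SA was written through out_sa->w2. That is only correct while w2 sits at the same offset in struct roc_ot_ipsec_inb_sa and struct roc_ot_ipsec_outb_sa, and nothing in the patch enforces it. Suggest either a build-time check that the two offsetof() values match, placed next to the union in struct cn10k_ipsec_sa, or a direction flag stored in cn10k_ipsec_sa at session create so the datapath does not depend on the hardware layout.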
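Review bot: cn10k_cpt_sec_post_process() takes the new mbuf length straight from the decrypted packet and writes it to m->data_len and m->pkt_len with no bound. total_length, or payload_len + sizeof(struct rte_ipv6_hdr), is never compared with the length the mbuf had when it was submitted or with the room left in the buffer, and the IPv6 sum is stored in a uint16_t m_len, so a payload_len close to 65535 wraps. The IPv6 case is also guarded only by PLT_ASSERT on packet contents: where assertions are enabled a packet can abort the process, and where they are compiled out any first nibble other than 4 is treated as IPv6. Suggest computing the length in a 32-bit variable, rejecting anything larger than the pre-decrypt length, and setting cop->status to an error for an unknown IP version in place of the assert. The version test shifts by RTE_IPV4_IHL_MULTIPLIER, which happens to be 4 but is the IHL scaling factor; a plain ">> 4" says what is meant.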
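Review bot: The length arithmetic in cn10k_ipsec_la_ops.h mixes three integer types without stating the bound that makes it safe. ipsec_po_out_rlen_get() returns int32_t, process_outb_sa() stores that in a uint32_t rlen, and rlen - dlen is then passed to rte_pktmbuf_append(), whose length parameter is uint16_t. With partial_len, roundup_len and roundup_byte all uint8_t the extension stays small, but that reasoning belongs in a comment, and the helper should return uint32_t to match its only caller. RTE_ALIGN_CEIL also requires a power-of-two alignment, so roundup_byte needs a documented guarantee that it is never 0 or a non-power-of-two by the time the datapath runs. The four-line "Prepare CPT instruction" sequence is identical in process_outb_sa() and process_inb_sa() and could be a shared helper.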