From: Archana Muniganti <marchana@marvell.com>
For cn9k, use HW GEN IV as default and add per pkt IV
in lookaside IPsec debug mode. Debug mode helps to verify
lookaside PMD using known outbound vectors in lookaside
autotest.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
drivers/common/cnxk/roc_ie_on.h | 7 +++++
drivers/crypto/cnxk/cn9k_ipsec.c | 34 +++++++++++++++++------
drivers/crypto/cnxk/cn9k_ipsec.h | 2 ++
drivers/crypto/cnxk/cn9k_ipsec_la_ops.h | 14 +++++++---
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 2 ++
5 files changed, 47 insertions(+), 12 deletions(-)
@@ -22,6 +22,8 @@ enum roc_ie_on_ucc_ipsec {
/* Helper macros */
#define ROC_IE_ON_INB_RPTR_HDR 0x8
+#define ROC_IE_ON_MAX_IV_LEN 16
+#define ROC_IE_ON_PER_PKT_IV BIT(43)
enum {
ROC_IE_ON_SA_ENC_NULL = 0,
@@ -55,6 +57,11 @@ enum {
ROC_IE_ON_SA_ENCAP_UDP = 1,
};
+enum {
+ ROC_IE_ON_IV_SRC_HW_GEN_DEFAULT = 0,
+ ROC_IE_ON_IV_SRC_FROM_DPTR = 1,
+};
+
struct roc_ie_on_outb_hdr {
uint32_t ip_id;
uint32_t seq;
@@ -426,13 +426,7 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
ctx_len += RTE_ALIGN_CEIL(ctx_len, 8);
- if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
- sa->cipher_iv_off = crypto_xform->aead.iv.offset;
- sa->cipher_iv_len = crypto_xform->aead.iv.length;
- } else {
- sa->cipher_iv_off = crypto_xform->cipher.iv.offset;
- sa->cipher_iv_len = crypto_xform->cipher.iv.length;
-
+ if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
auth_key = auth_xform->auth.key.data;
auth_key_len = auth_xform->auth.key.length;
@@ -465,7 +459,31 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
param1.u16 = 0;
param1.s.ikev2 = 1;
- param1.s.per_pkt_iv = 1;
+
+ sa->custom_hdr_len = sizeof(struct roc_ie_on_outb_hdr) -
+ ROC_IE_ON_MAX_IV_LEN;
+
+#ifdef LA_IPSEC_DEBUG
+ /* Use IV from application in debug mode */
+ if (ipsec->options.iv_gen_disable == 1) {
+ param1.s.per_pkt_iv = ROC_IE_ON_IV_SRC_FROM_DPTR;
+ sa->custom_hdr_len = sizeof(struct roc_ie_on_outb_hdr);
+
+ if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ sa->cipher_iv_off = crypto_xform->aead.iv.offset;
+ sa->cipher_iv_len = crypto_xform->aead.iv.length;
+ } else {
+ sa->cipher_iv_off = crypto_xform->cipher.iv.offset;
+ sa->cipher_iv_len = crypto_xform->cipher.iv.length;
+ }
+ }
+#else
+ if (ipsec->options.iv_gen_disable != 0) {
+ plt_err("Application provided IV is not supported");
+ return -ENOTSUP;
+ }
+#endif
+
w4.s.param1 = param1.u16;
inst_tmpl->w4 = w4.u64;
@@ -24,6 +24,8 @@ struct cn9k_ipsec_sa {
uint16_t cipher_iv_off;
/** Cipher IV length in bytes */
uint8_t cipher_iv_len;
+ /** Outbound custom header length */
+ uint8_t custom_hdr_len;
/** Response length calculation data */
struct cnxk_ipsec_outb_rlens rlens;
/** Outbound IP-ID */
@@ -74,7 +74,7 @@ static __rte_always_inline int
process_outb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
struct cpt_inst_s *inst)
{
- const unsigned int hdr_len = sizeof(struct roc_ie_on_outb_hdr);
+ const unsigned int hdr_len = sa->custom_hdr_len;
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
struct roc_ie_on_outb_sa *out_sa;
@@ -103,9 +103,15 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
return -ENOMEM;
}
- memcpy(&hdr->iv[0],
- rte_crypto_op_ctod_offset(cop, uint8_t *, sa->cipher_iv_off),
- sa->cipher_iv_len);
+#ifdef LA_IPSEC_DEBUG
+ if (sa->inst.w4 & ROC_IE_ON_PER_PKT_IV) {
+ memcpy(&hdr->iv[0],
+ rte_crypto_op_ctod_offset(cop, uint8_t *,
+ sa->cipher_iv_off),
+ sa->cipher_iv_len);
+ }
+#endif
+
hdr->seq = rte_cpu_to_be_32(sa->seq_lo);
hdr->ip_id = rte_cpu_to_be_32(sa->ip_id);
@@ -1166,7 +1166,9 @@ static void
cn9k_sec_caps_update(struct rte_security_capability *sec_cap)
{
if (sec_cap->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+#ifdef LA_IPSEC_DEBUG
sec_cap->ipsec.options.iv_gen_disable = 1;
+#endif
}
}