@@ -58,6 +58,8 @@ New Features
* **Updated Marvell cnxk crypto driver.**
* Added support for Rx inject in crypto_cn10k.
+ * Added support for TLS record processing in crypto_cn10k. Supports TLS 1.2
+ and DTLS 1.2.
Removed Items
-------------
@@ -80,7 +80,8 @@ union cpt_eng_caps {
uint64_t __io sg_ver2 : 1;
uint64_t __io sm2 : 1;
uint64_t __io pdcp_chain_zuc256 : 1;
- uint64_t __io reserved_38_63 : 26;
+ uint64_t __io tls : 1;
+ uint64_t __io reserved_39_63 : 25;
};
};
@@ -11,9 +11,11 @@
#include "roc_ae.h"
#include "roc_cpt.h"
-#define CNXK_CPT_MAX_CAPS 55
-#define CNXK_SEC_IPSEC_CRYPTO_MAX_CAPS 16
-#define CNXK_SEC_MAX_CAPS 9
+#define CNXK_CPT_MAX_CAPS 55
+#define CNXK_SEC_IPSEC_CRYPTO_MAX_CAPS 16
+#define CNXK_SEC_TLS_1_3_CRYPTO_MAX_CAPS 2
+#define CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS 6
+#define CNXK_SEC_MAX_CAPS 17
/**
* Device private data
@@ -25,6 +27,10 @@ struct cnxk_cpt_vf {
struct roc_cpt cpt;
struct rte_cryptodev_capabilities crypto_caps[CNXK_CPT_MAX_CAPS];
struct rte_cryptodev_capabilities sec_ipsec_crypto_caps[CNXK_SEC_IPSEC_CRYPTO_MAX_CAPS];
+ struct rte_cryptodev_capabilities sec_tls_1_3_crypto_caps[CNXK_SEC_TLS_1_3_CRYPTO_MAX_CAPS];
+ struct rte_cryptodev_capabilities sec_tls_1_2_crypto_caps[CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS];
+ struct rte_cryptodev_capabilities
+ sec_dtls_1_2_crypto_caps[CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS];
struct rte_security_capability sec_caps[CNXK_SEC_MAX_CAPS];
uint64_t cnxk_fpm_iova[ROC_AE_EC_ID_PMAX];
struct roc_ae_ec_group *ec_grp[ROC_AE_EC_ID_PMAX];
@@ -30,6 +30,16 @@
RTE_DIM(sec_ipsec_caps_##name)); \
} while (0)
+#define SEC_TLS12_CAPS_ADD(cnxk_caps, cur_pos, hw_caps, name) \
+ do { \
+ if ((hw_caps[CPT_ENG_TYPE_SE].name) || \
+ (hw_caps[CPT_ENG_TYPE_IE].name) || \
+ (hw_caps[CPT_ENG_TYPE_AE].name)) \
+ sec_tls12_caps_add(cnxk_caps, cur_pos, \
+ sec_tls12_caps_##name, \
+ RTE_DIM(sec_tls12_caps_##name)); \
+ } while (0)
+
static const struct rte_cryptodev_capabilities caps_mul[] = {
{ /* RSA */
.op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
@@ -1502,6 +1512,125 @@ static const struct rte_cryptodev_capabilities sec_ipsec_caps_null[] = {
},
};
+static const struct rte_cryptodev_capabilities sec_tls12_caps_aes[] = {
+ { /* AES GCM */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,
+ {.aead = {
+ .algo = RTE_CRYPTO_AEAD_AES_GCM,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 16
+ },
+ .digest_size = {
+ .min = 16,
+ .max = 16,
+ .increment = 0
+ },
+ .aad_size = {
+ .min = 13,
+ .max = 13,
+ .increment = 0
+ },
+ .iv_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
+ { /* AES CBC */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+ {.cipher = {
+ .algo = RTE_CRYPTO_CIPHER_AES_CBC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .iv_size = {
+ .min = 16,
+ .max = 16,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
+};
+
+static const struct rte_cryptodev_capabilities sec_tls12_caps_des[] = {
+ { /* 3DES CBC */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+ {.cipher = {
+ .algo = RTE_CRYPTO_CIPHER_3DES_CBC,
+ .block_size = 8,
+ .key_size = {
+ .min = 24,
+ .max = 24,
+ .increment = 0
+ },
+ .iv_size = {
+ .min = 8,
+ .max = 8,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
+};
+
+static const struct rte_cryptodev_capabilities sec_tls12_caps_sha1_sha2[] = {
+ { /* SHA1 HMAC */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
+ .block_size = 64,
+ .key_size = {
+ .min = 20,
+ .max = 20,
+ .increment = 0
+ },
+ .digest_size = {
+ .min = 20,
+ .max = 20,
+ .increment = 0
+ },
+ }, }
+ }, }
+ },
+ { /* SHA256 HMAC */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_SHA256_HMAC,
+ .block_size = 64,
+ .key_size = {
+ .min = 32,
+ .max = 32,
+ .increment = 0
+ },
+ .digest_size = {
+ .min = 32,
+ .max = 32,
+ .increment = 0
+ },
+ }, }
+ }, }
+ },
+};
+
static const struct rte_security_capability sec_caps_templ[] = {
{ /* IPsec Lookaside Protocol ESP Tunnel Ingress */
.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
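Review bot: The AES CBC entry in `sec_tls12_caps_aes` uses `.increment = 8` between 16 and 32, so it reports a 24-byte key as supported, while the AES GCM entry just above uses `.increment = 16`. TLS 1.2 and DTLS 1.2 define CBC cipher suites only for AES-128 and AES-256, so unless the session-create path (not visible here) deliberately accepts AES-192, the entry should read `.increment = 16`. A short comment on the 3DES CBC and SHA1 HMAC entries, for example `/* legacy TLS 1.2 suites, kept for interoperability */`, would also show that they are deliberate. The `sec_caps_templ` array that closes this hunk continues outside it.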
@@ -1591,6 +1720,46 @@ static const struct rte_security_capability sec_caps_templ[] = {
},
.crypto_capabilities = NULL,
},
+ { /* TLS 1.2 Record Read */
+ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ .protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD,
+ .tls_record = {
+ .ver = RTE_SECURITY_VERSION_TLS_1_2,
+ .type = RTE_SECURITY_TLS_SESS_TYPE_READ,
+ .ar_win_size = 0,
+ },
+ .crypto_capabilities = NULL,
+ },
+ { /* TLS 1.2 Record Write */
+ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ .protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD,
+ .tls_record = {
+ .ver = RTE_SECURITY_VERSION_TLS_1_2,
+ .type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+ .ar_win_size = 0,
+ },
+ .crypto_capabilities = NULL,
+ },
+ { /* DTLS 1.2 Record Read */
+ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ .protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD,
+ .tls_record = {
+ .ver = RTE_SECURITY_VERSION_DTLS_1_2,
+ .type = RTE_SECURITY_TLS_SESS_TYPE_READ,
+ .ar_win_size = 0,
+ },
+ .crypto_capabilities = NULL,
+ },
+ { /* DTLS 1.2 Record Write */
+ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ .protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD,
+ .tls_record = {
+ .ver = RTE_SECURITY_VERSION_DTLS_1_2,
+ .type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+ .ar_win_size = 0,
+ },
+ .crypto_capabilities = NULL,
+ },
{
.action = RTE_SECURITY_ACTION_TYPE_NONE
}
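Review bot: Both DTLS 1.2 entries, including Record Read, set `.ar_win_size = 0`, which tells an application that the device offers no anti-replay window for the read direction. DTLS receivers are expected to perform replay detection, so if the hardware path does implement a window, the supported size should be reported here. If it does not, a comment on the read entry such as `/* anti-replay not offloaded; caller must perform replay detection */` would keep users from assuming the device does the check. The enclosing `sec_caps_templ` array starts outside this hunk.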
@@ -1807,6 +1976,35 @@ cn9k_sec_ipsec_caps_update(struct rte_security_capability *sec_cap)
sec_cap->ipsec.options.esn = 1;
}
+static void
+sec_tls12_caps_limit_check(int *cur_pos, int nb_caps)
+{
+ PLT_VERIFY(*cur_pos + nb_caps <= CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS);
+}
+
+static void
+sec_tls12_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos,
+ const struct rte_cryptodev_capabilities *caps, int nb_caps)
+{
+ sec_tls12_caps_limit_check(cur_pos, nb_caps);
+
+ memcpy(&cnxk_caps[*cur_pos], caps, nb_caps * sizeof(caps[0]));
+ *cur_pos += nb_caps;
+}
+
+static void
+sec_tls12_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[],
+ union cpt_eng_caps *hw_caps)
+{
+ int cur_pos = 0;
+
+ SEC_TLS12_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, aes);
+ SEC_TLS12_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, des);
+ SEC_TLS12_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, sha1_sha2);
+
+ sec_tls12_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end));
+}
+
void
cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf)
{
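Review bot: `sec_tls12_caps_limit_check()` tests against `CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS` with `PLT_VERIFY`, so a table that outgrows the array is presumably caught only at run time. The check also assumes every `cnxk_caps[]` passed in has exactly that size. Because all table sizes are compile-time constants, a build-time guard in `sec_tls12_crypto_caps_populate()` would catch a mismatch earlier: `PLT_STATIC_ASSERT(RTE_DIM(sec_tls12_caps_aes) + RTE_DIM(sec_tls12_caps_des) + RTE_DIM(sec_tls12_caps_sha1_sha2) + RTE_DIM(caps_end) <= CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS);`. The helper only reads `*cur_pos`, so it could take the value instead of the pointer. `cnxk_cpt_caps_populate()` at the end of the hunk continues outside it.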
@@ -1815,6 +2013,11 @@ cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf)
crypto_caps_populate(vf->crypto_caps, vf->cpt.hw_caps);
sec_ipsec_crypto_caps_populate(vf->sec_ipsec_crypto_caps, vf->cpt.hw_caps);
+ if (vf->cpt.hw_caps[CPT_ENG_TYPE_SE].tls) {
+ sec_tls12_crypto_caps_populate(vf->sec_tls_1_2_crypto_caps, vf->cpt.hw_caps);
+ sec_tls12_crypto_caps_populate(vf->sec_dtls_1_2_crypto_caps, vf->cpt.hw_caps);
+ }
+
PLT_STATIC_ASSERT(RTE_DIM(sec_caps_templ) <= RTE_DIM(vf->sec_caps));
memcpy(vf->sec_caps, sec_caps_templ, sizeof(sec_caps_templ));
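Review bot: When `hw_caps[CPT_ENG_TYPE_SE].tls` is clear, the two crypto capability arrays are left unpopulated, yet the `memcpy` of `sec_caps_templ` that follows still copies the four TLS/DTLS record entries into `vf->sec_caps`. The device would then appear to advertise `RTE_SECURITY_PROTOCOL_TLS_RECORD` on hardware that lacks it, with a crypto list that is presumably all zeroes. Consider leaving the TLS record templates out of `vf->sec_caps` when the bit is not set, or at least add a comment stating where such sessions are rejected. The function body starts and ends outside this hunk.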
@@ -1830,6 +2033,13 @@ cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf)
if (roc_model_is_cn9k())
cn9k_sec_ipsec_caps_update(&vf->sec_caps[i]);
+ } else if (vf->sec_caps[i].protocol == RTE_SECURITY_PROTOCOL_TLS_RECORD) {
+ if (vf->sec_caps[i].tls_record.ver == RTE_SECURITY_VERSION_TLS_1_3)
+ vf->sec_caps[i].crypto_capabilities = vf->sec_tls_1_3_crypto_caps;
+ else if (vf->sec_caps[i].tls_record.ver == RTE_SECURITY_VERSION_DTLS_1_2)
+ vf->sec_caps[i].crypto_capabilities = vf->sec_dtls_1_2_crypto_caps;
+ else
+ vf->sec_caps[i].crypto_capabilities = vf->sec_tls_1_2_crypto_caps;
}
}
}
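Review bot: The final `else` maps every version other than TLS 1.3 and DTLS 1.2 to `sec_tls_1_2_crypto_caps`, so a template with a future or mistyped version would silently inherit the TLS 1.2 list. An explicit `else if (vf->sec_caps[i].tls_record.ver == RTE_SECURITY_VERSION_TLS_1_2)` with separate handling for unknown versions would make the mapping deliberate. The TLS 1.3 branch points at `sec_tls_1_3_crypto_caps`, which none of the visible hunks populates. No TLS 1.3 template is added in this change, so the branch looks unreachable for now, and a comment saying so would help the next reader. The loop and the function start outside this hunk.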