From patchwork Tue Jan 2 04:54:10 2024
X-Patchwork-Submitter: Anoob Joseph
X-Patchwork-Id: 135664
X-Patchwork-Delegate: gakhil@marvell.com
From: Anoob Joseph
To: Akhil Goyal
CC: Vidya Sagar Velumuri, Jerin Jacob, Tejasree Kondoj
Subject: [PATCH v2 17/24] crypto/cnxk: add TLS capability
Date: Tue, 2 Jan 2024 10:24:10 +0530
Message-ID: <20240102045417.115-18-anoobj@marvell.com>
In-Reply-To: <20240102045417.115-1-anoobj@marvell.com>
References: <20231221123545.510-1-anoobj@marvell.com> <20240102045417.115-1-anoobj@marvell.com>

From: Vidya Sagar Velumuri

Add TLS 1.2 record read and write capability.
Add DTLS 1.2 record read and write capability.

Signed-off-by: Anoob Joseph
Signed-off-by: Vidya Sagar Velumuri
---
 doc/guides/rel_notes/release_24_03.rst | 2 +
 drivers/common/cnxk/hw/cpt.h | 3 +-
 drivers/crypto/cnxk/cnxk_cryptodev.h | 12 +-
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 210 ++++++++++++++++++
 4 files changed, 223 insertions(+), 4 deletions(-)

diff --git a/doc/guides/rel_notes/release_24_03.rst b/doc/guides/rel_notes/release_24_03.rst index fa30b46ead..0ebbae9f4e 100644 --- a/doc/guides/rel_notes/release_24_03.rst +++ b/doc/guides/rel_notes/release_24_03.rst 
@@ -58,6 +58,8 @@ New Features * **Updated Marvell cnxk crypto driver.** * Added support for Rx inject in crypto_cn10k. + * Added support for TLS record processing in crypto_cn10k. Supports TLS 1.2 + and DTLS 1.2. Removed Items ------------- diff --git a/drivers/common/cnxk/hw/cpt.h b/drivers/common/cnxk/hw/cpt.h index edab8a5d83..2620965606 100644 --- a/drivers/common/cnxk/hw/cpt.h +++ b/drivers/common/cnxk/hw/cpt.h @@ -80,7 +80,8 @@ union cpt_eng_caps { uint64_t __io sg_ver2 : 1; uint64_t __io sm2 : 1; uint64_t __io pdcp_chain_zuc256 : 1; - uint64_t __io reserved_38_63 : 26; + uint64_t __io tls : 1; + uint64_t __io reserved_39_63 : 25; }; }; diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index a5c4365631..8c8c58a76b 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -11,9 +11,11 @@ #include "roc_ae.h" #include "roc_cpt.h" -#define CNXK_CPT_MAX_CAPS 55 -#define CNXK_SEC_IPSEC_CRYPTO_MAX_CAPS 16 -#define CNXK_SEC_MAX_CAPS 9 +#define CNXK_CPT_MAX_CAPS 55 +#define CNXK_SEC_IPSEC_CRYPTO_MAX_CAPS 16 +#define CNXK_SEC_TLS_1_3_CRYPTO_MAX_CAPS 2 +#define CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS 6 +#define CNXK_SEC_MAX_CAPS 17 /** * Device private data @@ -25,6 +27,10 @@ struct cnxk_cpt_vf { struct roc_cpt cpt; struct rte_cryptodev_capabilities crypto_caps[CNXK_CPT_MAX_CAPS]; struct rte_cryptodev_capabilities sec_ipsec_crypto_caps[CNXK_SEC_IPSEC_CRYPTO_MAX_CAPS]; + struct rte_cryptodev_capabilities sec_tls_1_3_crypto_caps[CNXK_SEC_TLS_1_3_CRYPTO_MAX_CAPS]; + struct rte_cryptodev_capabilities sec_tls_1_2_crypto_caps[CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS]; + struct rte_cryptodev_capabilities + sec_dtls_1_2_crypto_caps[CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS]; struct rte_security_capability sec_caps[CNXK_SEC_MAX_CAPS]; uint64_t cnxk_fpm_iova[ROC_AE_EC_ID_PMAX]; struct roc_ae_ec_group *ec_grp[ROC_AE_EC_ID_PMAX]; 
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index 178f510a63..73100377d9 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -30,6 +30,16 @@ RTE_DIM(sec_ipsec_caps_##name)); \ } while (0) +#define SEC_TLS12_CAPS_ADD(cnxk_caps, cur_pos, hw_caps, name) \ + do { \ + if ((hw_caps[CPT_ENG_TYPE_SE].name) || \ + (hw_caps[CPT_ENG_TYPE_IE].name) || \ + (hw_caps[CPT_ENG_TYPE_AE].name)) \ + sec_tls12_caps_add(cnxk_caps, cur_pos, \ + sec_tls12_caps_##name, \ + RTE_DIM(sec_tls12_caps_##name)); \ + } while (0) + static const struct rte_cryptodev_capabilities caps_mul[] = { { /* RSA */ .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, 
@@ -1502,6 +1512,125 @@ static const struct rte_cryptodev_capabilities sec_ipsec_caps_null[] = { }, }; +static const struct rte_cryptodev_capabilities sec_tls12_caps_aes[] = { + { /* AES GCM */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD, + {.aead = { + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 16 + }, + .digest_size = { + .min = 16, + .max = 16, + .increment = 0 + }, + .aad_size = { + .min = 13, + .max = 13, + .increment = 0 + }, + .iv_size = { + .min = 12, + .max = 12, + .increment = 0 + } + }, } + }, } + }, + { /* AES CBC */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER, + {.cipher = { + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 8 + }, + .iv_size = { + .min = 16, + .max = 16, + .increment = 0 + } + }, } + }, } + }, +}; + +static const struct rte_cryptodev_capabilities sec_tls12_caps_des[] = { + { /* 3DES CBC */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER, + {.cipher = { + .algo = RTE_CRYPTO_CIPHER_3DES_CBC, + .block_size = 8, + .key_size = { + .min = 24, + .max = 24, + .increment = 0 + }, + .iv_size = { + .min = 8, + .max = 8, + .increment = 0 + } + }, } + }, } + }, +}; + +static const struct rte_cryptodev_capabilities sec_tls12_caps_sha1_sha2[] = { + { /* SHA1 HMAC */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, + {.auth = { + .algo = RTE_CRYPTO_AUTH_SHA1_HMAC, + .block_size = 64, + .key_size = { + .min = 20, + .max = 20, + .increment = 0 + }, + .digest_size = { + .min = 20, + .max = 20, + .increment = 0 + }, + }, } + }, } + }, + { /* SHA256 HMAC */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, + {.auth = { + .algo = RTE_CRYPTO_AUTH_SHA256_HMAC, + .block_size = 64, + .key_size = { + .min = 
32, + .max = 32, + .increment = 0 + }, + .digest_size = { + .min = 32, + .max = 32, + .increment = 0 + }, + }, } + }, } + }, +}; + static const struct rte_security_capability sec_caps_templ[] = { { /* IPsec Lookaside Protocol ESP Tunnel Ingress */ .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, @@ -1591,6 +1720,46 @@ static const struct rte_security_capability sec_caps_templ[] = { }, .crypto_capabilities = NULL, }, + { /* TLS 1.2 Record Read */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD, + .tls_record = { + .ver = RTE_SECURITY_VERSION_TLS_1_2, + .type = RTE_SECURITY_TLS_SESS_TYPE_READ, + .ar_win_size = 0, + }, + .crypto_capabilities = NULL, + }, + { /* TLS 1.2 Record Write */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD, + .tls_record = { + .ver = RTE_SECURITY_VERSION_TLS_1_2, + .type = RTE_SECURITY_TLS_SESS_TYPE_WRITE, + .ar_win_size = 0, + }, + .crypto_capabilities = NULL, + }, + { /* DTLS 1.2 Record Read */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD, + .tls_record = { + .ver = RTE_SECURITY_VERSION_DTLS_1_2, + .type = RTE_SECURITY_TLS_SESS_TYPE_READ, + .ar_win_size = 0, + }, + .crypto_capabilities = NULL, + }, + { /* DTLS 1.2 Record Write */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD, + .tls_record = { + .ver = RTE_SECURITY_VERSION_DTLS_1_2, + .type = RTE_SECURITY_TLS_SESS_TYPE_WRITE, + .ar_win_size = 0, + }, + .crypto_capabilities = NULL, + }, { .action = RTE_SECURITY_ACTION_TYPE_NONE } 
@@ -1807,6 +1976,35 @@ cn9k_sec_ipsec_caps_update(struct rte_security_capability *sec_cap) sec_cap->ipsec.options.esn = 1; } +static void +sec_tls12_caps_limit_check(int *cur_pos, int nb_caps) +{ + PLT_VERIFY(*cur_pos + nb_caps <= CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS); +} + +static void +sec_tls12_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos, + const struct rte_cryptodev_capabilities *caps, int nb_caps) +{ + sec_tls12_caps_limit_check(cur_pos, nb_caps); + + memcpy(&cnxk_caps[*cur_pos], caps, nb_caps * sizeof(caps[0])); + *cur_pos += nb_caps; +} + +static void +sec_tls12_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[], + union cpt_eng_caps *hw_caps) +{ + int cur_pos = 0; + + SEC_TLS12_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, aes); + SEC_TLS12_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, des); + SEC_TLS12_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, sha1_sha2); + + sec_tls12_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end)); +} + void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) { @@ -1815,6 +2013,11 @@ cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) crypto_caps_populate(vf->crypto_caps, vf->cpt.hw_caps); sec_ipsec_crypto_caps_populate(vf->sec_ipsec_crypto_caps, vf->cpt.hw_caps); + if (vf->cpt.hw_caps[CPT_ENG_TYPE_SE].tls) { + sec_tls12_crypto_caps_populate(vf->sec_tls_1_2_crypto_caps, vf->cpt.hw_caps); + sec_tls12_crypto_caps_populate(vf->sec_dtls_1_2_crypto_caps, vf->cpt.hw_caps); + } + PLT_STATIC_ASSERT(RTE_DIM(sec_caps_templ) <= RTE_DIM(vf->sec_caps)); memcpy(vf->sec_caps, sec_caps_templ, sizeof(sec_caps_templ)); 
@@ -1830,6 +2033,13 @@ cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) if (roc_model_is_cn9k()) cn9k_sec_ipsec_caps_update(&vf->sec_caps[i]); + } else if (vf->sec_caps[i].protocol == RTE_SECURITY_PROTOCOL_TLS_RECORD) { + if (vf->sec_caps[i].tls_record.ver == RTE_SECURITY_VERSION_TLS_1_3) + vf->sec_caps[i].crypto_capabilities = vf->sec_tls_1_3_crypto_caps; + else if (vf->sec_caps[i].tls_record.ver == RTE_SECURITY_VERSION_DTLS_1_2) + vf->sec_caps[i].crypto_capabilities = vf->sec_dtls_1_2_crypto_caps; + else + vf->sec_caps[i].crypto_capabilities = vf->sec_tls_1_2_crypto_caps; } } }
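
Review bot: in the cnxk_cryptodev.h hunk that changes the defines, `CNXK_SEC_TLS_1_3_CRYPTO_MAX_CAPS 2` and the `sec_tls_1_3_crypto_caps` array it sizes are introduced but nothing in this patch fills them, and `CNXK_SEC_MAX_CAPS` grows from 9 to 17 while only four entries are added to sec_caps_templ. Either move the TLS 1.3 define, array and the extra slots to the patch that uses them, or say in the commit message that they are reserved for a later patch in the series. Also, `CNXK_SEC_TLS_1_2_CRYPTO_MAX_CAPS 6` is consumed exactly by the tables added here (two AES entries, one 3DES, two HMAC, plus the caps_end terminator), so a short comment next to the define naming what it must cover would stop the next table addition from tripping the PLT_VERIFY in sec_tls12_caps_limit_check at runtime.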
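
Review bot: in sec_tls12_caps_aes (hunk @@ -1502,6 +1512,125 @@), the AES CBC entry sets key_size `.increment = 8` over the range 16 to 32, which advertises 24-byte keys; TLS 1.2 and DTLS 1.2 define CBC cipher suites only for AES-128 and AES-256, and the AES GCM entry in the same table already uses `.increment = 16`. Suggest `.increment = 16` for CBC as well, or a comment explaining why the 24-byte size is exposed. Separately, sec_tls12_caps_des and the SHA1 HMAC entry expose 3DES-CBC and HMAC-SHA1 to applications; the release note only says "Supports TLS 1.2 and DTLS 1.2", so the driver documentation should list the offloaded algorithms to let users restrict sessions to AES-GCM or AES-CBC with HMAC-SHA256 where policy requires it.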
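
Review bot: the DTLS 1.2 Record Read entry added to sec_caps_templ (hunk @@ -1591,6 +1720,46 @@) sets `.ar_win_size = 0`, the same value as the TLS entries and the DTLS write entry, so the capability reports no anti-replay window for the one session type where replay detection applies. If the hardware performs the DTLS replay check, advertise the maximum supported window here; if it does not, add a comment on this entry and a line in the driver guide stating that replay protection stays with the application.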
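
Review bot: in cnxk_cpt_caps_populate (hunk @@ -1815,6 +2013,11 @@), the `if (vf->cpt.hw_caps[CPT_ENG_TYPE_SE].tls)` guard only covers filling the crypto capability arrays; the unconditional `memcpy(vf->sec_caps, sec_caps_templ, sizeof(sec_caps_templ))` that follows still copies the four TLS_RECORD entries, so a device without the tls bit advertises TLS and DTLS record offload with `crypto_capabilities` pointing at arrays this function never wrote. Suggest dropping or skipping the TLS_RECORD entries when the bit is clear, so the security capability list matches what the engine can do. The two sec_tls12_crypto_caps_populate calls also produce identical contents from identical inputs; if TLS 1.2 and DTLS 1.2 are not expected to diverge, one array could back both, otherwise a comment should say why they are kept separate.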
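
Review bot: in the last hunk (@@ -1830,6 +2033,13 @@), the trailing `else` assigns `vf->sec_tls_1_2_crypto_caps` to every TLS_RECORD entry whose version is neither TLS 1.3 nor DTLS 1.2, so any version added to sec_caps_templ later silently inherits the TLS 1.2 algorithm list. Suggest an explicit `else if (... == RTE_SECURITY_VERSION_TLS_1_2)` and leaving `crypto_capabilities` NULL otherwise. The `RTE_SECURITY_VERSION_TLS_1_3` branch is also unreachable in this patch, since no template entry carries that version and `sec_tls_1_3_crypto_caps` is never populated; it reads more clearly if it arrives together with the TLS 1.3 tables.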