[v2,22/24] crypto/cnxk: add support for TLS 1.3

Message ID 20240102045417.115-23-anoobj@marvell.com (mailing list archive)
State Superseded, archived
Delegated to: akhil goyal
Series Fixes and improvements in crypto cnxk |

Checks

Context Check Description
ci/checkpatch success coding style OK

Commit Message

Anoob Joseph Jan. 2, 2024, 4:54 a.m. UTC
  From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add support for TLS-1.3.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 drivers/common/cnxk/roc_ie_ot_tls.h       |  50 +++++--
 drivers/crypto/cnxk/cn10k_cryptodev_sec.h |   3 +-
 drivers/crypto/cnxk/cn10k_tls.c           | 159 +++++++++++++---------
 3 files changed, 136 insertions(+), 76 deletions(-)
  

Patch

diff --git a/drivers/common/cnxk/roc_ie_ot_tls.h b/drivers/common/cnxk/roc_ie_ot_tls.h
index 61955ef4d1..91ddb25f7a 100644
--- a/drivers/common/cnxk/roc_ie_ot_tls.h
+++ b/drivers/common/cnxk/roc_ie_ot_tls.h
@@ -17,8 +17,10 @@ 
 	(PLT_ALIGN_CEIL(ROC_IE_OT_TLS_AR_WIN_SIZE_MAX, BITS_PER_LONG_LONG) / BITS_PER_LONG_LONG)
 
 /* CN10K TLS opcodes */
-#define ROC_IE_OT_TLS_MAJOR_OP_RECORD_ENC 0x16UL
-#define ROC_IE_OT_TLS_MAJOR_OP_RECORD_DEC 0x17UL
+#define ROC_IE_OT_TLS_MAJOR_OP_RECORD_ENC   0x16UL
+#define ROC_IE_OT_TLS_MAJOR_OP_RECORD_DEC   0x17UL
+#define ROC_IE_OT_TLS13_MAJOR_OP_RECORD_ENC 0x18UL
+#define ROC_IE_OT_TLS13_MAJOR_OP_RECORD_DEC 0x19UL
 
 #define ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN 128
 #define ROC_IE_OT_TLS_CTX_MAX_KEY_IV_LEN    48
@@ -42,6 +44,7 @@  enum roc_ie_ot_tls_cipher_type {
 enum roc_ie_ot_tls_ver {
 	ROC_IE_OT_TLS_VERSION_TLS_12 = 1,
 	ROC_IE_OT_TLS_VERSION_DTLS_12 = 2,
+	ROC_IE_OT_TLS_VERSION_TLS_13 = 3,
 };
 
 enum roc_ie_ot_tls_aes_key_len {
@@ -131,11 +134,23 @@  struct roc_ie_ot_tls_read_sa {
 	/* Word4 - Word9 */
 	uint8_t cipher_key[ROC_IE_OT_TLS_CTX_MAX_KEY_IV_LEN];
 
-	/* Word10 - Word25 */
-	uint8_t opad_ipad[ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN];
+	union {
+		struct {
+			/* Word10 */
+			uint64_t w10_rsvd6;
+
+			/* Word11 - Word25 */
+			struct roc_ie_ot_tls_read_ctx_update_reg ctx;
+		} tls_13;
+
+		struct {
+			/* Word10 - Word25 */
+			uint8_t opad_ipad[ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN];
 
-	/* Word26 - Word32 */
-	struct roc_ie_ot_tls_read_ctx_update_reg ctx;
+			/* Word26 - Word95 */
+			struct roc_ie_ot_tls_read_ctx_update_reg ctx;
+		} tls_12;
+	};
 };
 
 struct roc_ie_ot_tls_write_sa {
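Review bot: The word-range comments on the two `ctx` members of `struct roc_ie_ot_tls_read_sa` do not agree with each other. The same `struct roc_ie_ot_tls_read_ctx_update_reg` is annotated `Word11 - Word25` (15 words) under `tls_13` and `Word26 - Word95` (70 words) under `tls_12`, and the removed line said `Word26 - Word32`. These comments are the only map of the hardware layout in the header, so both ranges should be derived from the actual size of that struct, which is not visible in this hunk. The write-SA hunk that follows has a related gap: `tls_13.seq_num` carries no word comment, and `/* Word11 */` above it would match the rest of the struct.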
@@ -187,13 +202,24 @@  struct roc_ie_ot_tls_write_sa {
 	/* Word4 - Word9 */
 	uint8_t cipher_key[ROC_IE_OT_TLS_CTX_MAX_KEY_IV_LEN];
 
-	/* Word10 - Word25 */
-	uint8_t opad_ipad[ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN];
+	union {
+		struct {
+			/* Word10 */
+			uint64_t w10_rsvd7;
+
+			uint64_t seq_num;
+		} tls_13;
+
+		struct {
+			/* Word10 - Word25 */
+			uint8_t opad_ipad[ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN];
 
-	/* Word26 */
-	uint64_t w26_rsvd7;
+			/* Word26 */
+			uint64_t w26_rsvd7;
 
-	/* Word27 */
-	uint64_t seq_num;
+			/* Word27 */
+			uint64_t seq_num;
+		} tls_12;
+	};
 };
 #endif /* __ROC_IE_OT_TLS_H__ */
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_sec.h b/drivers/crypto/cnxk/cn10k_cryptodev_sec.h
index 33fd3aa398..1e117051cc 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_sec.h
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_sec.h
@@ -31,8 +31,7 @@  struct cn10k_sec_session {
 		} ipsec;
 		struct {
 			uint8_t enable_padding : 1;
-			uint8_t hdr_len : 4;
-			uint8_t rvsd : 3;
+			uint8_t rvsd : 7;
 			bool is_write;
 		} tls;
 	};
diff --git a/drivers/crypto/cnxk/cn10k_tls.c b/drivers/crypto/cnxk/cn10k_tls.c
index 6f6fdf95ee..1c1d2e9ece 100644
--- a/drivers/crypto/cnxk/cn10k_tls.c
+++ b/drivers/crypto/cnxk/cn10k_tls.c
@@ -105,7 +105,8 @@  cnxk_tls_xform_verify(struct rte_security_tls_record_xform *tls_xform,
 	int ret = 0;
 
 	if ((tls_xform->ver != RTE_SECURITY_VERSION_TLS_1_2) &&
-	    (tls_xform->ver != RTE_SECURITY_VERSION_DTLS_1_2))
+	    (tls_xform->ver != RTE_SECURITY_VERSION_DTLS_1_2) &&
+	    (tls_xform->ver != RTE_SECURITY_VERSION_TLS_1_3))
 		return -EINVAL;
 
 	if ((tls_xform->type != RTE_SECURITY_TLS_SESS_TYPE_READ) &&
@@ -115,6 +116,12 @@  cnxk_tls_xform_verify(struct rte_security_tls_record_xform *tls_xform,
 	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
 		return tls_xform_aead_verify(tls_xform, crypto_xform);
 
+	/* TLS-1.3 only support AEAD.
+	 * Control should not reach here for TLS-1.3
+	 */
+	if (tls_xform->ver == RTE_SECURITY_VERSION_TLS_1_3)
+		return -EINVAL;
+
 	if (tls_xform->type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) {
 		/* Egress */
 
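Review bot: The added comment says control should not reach this point for TLS-1.3, but the check below it is exactly what runs when a caller supplies a non-AEAD xform with `RTE_SECURITY_VERSION_TLS_1_3`. Wording such as `/* TLS-1.3 supports only AEAD; reject cipher/auth xforms */` describes what the branch actually does. A `plt_err()` line before the `return -EINVAL` would also tell the application why session creation was refused. cnxk_tls_xform_verify() starts and ends outside the hunk.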
@@ -259,7 +266,7 @@  tls_write_sa_init(struct roc_ie_ot_tls_write_sa *sa)
 
 	memset(sa, 0, sizeof(struct roc_ie_ot_tls_write_sa));
 
-	offset = offsetof(struct roc_ie_ot_tls_write_sa, w26_rsvd7);
+	offset = offsetof(struct roc_ie_ot_tls_write_sa, tls_12.w26_rsvd7);
 	sa->w0.s.hw_ctx_off = offset / ROC_CTX_UNIT_8B;
 	sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off;
 	sa->w0.s.ctx_size = ROC_IE_OT_TLS_CTX_ILEN;
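Review bot: `tls_write_sa_init()` still derives `hw_ctx_off` and `ctx_push_size` from `tls_12.w26_rsvd7` for every SA, while `tls_write_sa_fill()` in this patch switches to `tls_13.w10_rsvd7` for TLS 1.3; `tls_read_sa_init()` in the next hunk does the same with `tls_12.ctx`. The init functions take only `sa` and zero it first, so they cannot tell which layout applies. If they are ever called on a TLS 1.3 SA (the callers are outside this diff), the hardware-managed region would be described with the TLS 1.2 offset. Either pass the version in, or add a comment such as `/* Init always uses the TLS 1.2 layout */` together with the reason that is safe. The function body starts outside the hunk.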
@@ -274,7 +281,7 @@  tls_read_sa_init(struct roc_ie_ot_tls_read_sa *sa)
 
 	memset(sa, 0, sizeof(struct roc_ie_ot_tls_read_sa));
 
-	offset = offsetof(struct roc_ie_ot_tls_read_sa, ctx);
+	offset = offsetof(struct roc_ie_ot_tls_read_sa, tls_12.ctx);
 	sa->w0.s.hw_ctx_off = offset / ROC_CTX_UNIT_8B;
 	sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off;
 	sa->w0.s.ctx_size = ROC_IE_OT_TLS_CTX_ILEN;
@@ -283,13 +290,18 @@  tls_read_sa_init(struct roc_ie_ot_tls_read_sa *sa)
 }
 
 static size_t
-tls_read_ctx_size(struct roc_ie_ot_tls_read_sa *sa)
+tls_read_ctx_size(struct roc_ie_ot_tls_read_sa *sa, enum rte_security_tls_version tls_ver)
 {
 	size_t size;
 
 	/* Variable based on Anti-replay Window */
-	size = offsetof(struct roc_ie_ot_tls_read_sa, ctx) +
-	       offsetof(struct roc_ie_ot_tls_read_ctx_update_reg, ar_winbits);
+	if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) {
+		size = offsetof(struct roc_ie_ot_tls_read_sa, tls_13.ctx) +
+		       offsetof(struct roc_ie_ot_tls_read_ctx_update_reg, ar_winbits);
+	} else {
+		size = offsetof(struct roc_ie_ot_tls_read_sa, tls_12.ctx) +
+		       offsetof(struct roc_ie_ot_tls_read_ctx_update_reg, ar_winbits);
+	}
 
 	if (sa->w0.s.ar_win)
 		size += (1 << (sa->w0.s.ar_win - 1)) * sizeof(uint64_t);
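Review bot: Both branches in `tls_read_ctx_size()` repeat the `offsetof(struct roc_ie_ot_tls_read_ctx_update_reg, ar_winbits)` term and differ only in the base member. Selecting the base in the branch and adding the common term once is shorter and keeps the two layouts from drifting apart: `size = (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) ? offsetof(struct roc_ie_ot_tls_read_sa, tls_13.ctx) : offsetof(struct roc_ie_ot_tls_read_sa, tls_12.ctx);` followed by `size += offsetof(struct roc_ie_ot_tls_read_ctx_update_reg, ar_winbits);`. The function's return statement is outside the hunk.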
@@ -302,6 +314,7 @@  tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa,
 		 struct rte_security_tls_record_xform *tls_xfrm,
 		 struct rte_crypto_sym_xform *crypto_xfrm)
 {
+	enum rte_security_tls_version tls_ver = tls_xfrm->ver;
 	struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm;
 	const uint8_t *key = NULL;
 	uint64_t *tmp, *tmp_key;
@@ -313,13 +326,22 @@  tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa,
 	/* Initialize the SA */
 	memset(read_sa, 0, sizeof(struct roc_ie_ot_tls_read_sa));
 
+	if (tls_ver == RTE_SECURITY_VERSION_TLS_1_2) {
+		read_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_12;
+		read_sa->tls_12.ctx.ar_valid_mask = tls_xfrm->tls_1_2.seq_no - 1;
+	} else if (tls_ver == RTE_SECURITY_VERSION_DTLS_1_2) {
+		read_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_DTLS_12;
+	} else if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) {
+		read_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_13;
+		read_sa->tls_13.ctx.ar_valid_mask = tls_xfrm->tls_1_3.seq_no - 1;
+	}
+
 	cipher_key = read_sa->cipher_key;
 
 	/* Set encryption algorithm */
 	if ((crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) &&
 	    (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)) {
 		read_sa->w2.s.cipher_select = ROC_IE_OT_TLS_CIPHER_AES_GCM;
-		read_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_SHA2_256;
 
 		length = crypto_xfrm->aead.key.length;
 		if (length == 16)
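Review bot: `tls_xfrm->tls_1_3.seq_no - 1` wraps to `UINT64_MAX` when the application passes 0 as the starting sequence number, and nothing visible in this patch rejects or documents that value. The same expression feeds `write_sa->tls_13.seq_num` in tls_write_sa_fill(). Presumably the hardware increments before use, so the stored value is meant to be "next minus one", but that is inferred rather than shown. A comment such as `/* HW increments before use, so store seq_no - 1 */` would make the intent explicit; otherwise the zero case should be checked in `cnxk_tls_xform_verify()`. A short comment on why a sequence number is stored in a field named `ar_valid_mask` would help as well.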
@@ -330,10 +352,12 @@  tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa,
 		key = crypto_xfrm->aead.key.data;
 		memcpy(cipher_key, key, length);
 
-		if (tls_xfrm->ver == RTE_SECURITY_VERSION_TLS_1_2)
+		if (tls_ver == RTE_SECURITY_VERSION_TLS_1_2)
 			memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->tls_1_2.imp_nonce, 4);
-		else if (tls_xfrm->ver == RTE_SECURITY_VERSION_DTLS_1_2)
+		else if (tls_ver == RTE_SECURITY_VERSION_DTLS_1_2)
 			memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->dtls_1_2.imp_nonce, 4);
+		else if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3)
+			memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->tls_1_3.imp_nonce, 12);
 
 		goto key_swap;
 	}
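Review bot: The TLS 1.3 nonce copy uses bare literals (`32` for the offset, `12` for the length), so nothing ties the write to the 48-byte `cipher_key[ROC_IE_OT_TLS_CTX_MAX_KEY_IV_LEN]` array or to the declared size of `tls_1_3.imp_nonce`. The same lines appear in tls_write_sa_fill(). It fits today (32 + 12 <= 48), and a compile-time check would keep it that way: `RTE_BUILD_BUG_ON(32 + sizeof(tls_xfrm->tls_1_3.imp_nonce) > ROC_IE_OT_TLS_CTX_MAX_KEY_IV_LEN);`, with `sizeof(tls_xfrm->tls_1_3.imp_nonce)` as the memcpy length. That assumes `imp_nonce` is an array member; its declaration is not in this diff.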
@@ -377,9 +401,10 @@  tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa,
 		return -EINVAL;
 
 	roc_se_hmac_opad_ipad_gen(read_sa->w2.s.mac_select, auth_xfrm->auth.key.data,
-				  auth_xfrm->auth.key.length, read_sa->opad_ipad, ROC_SE_TLS);
+				  auth_xfrm->auth.key.length, read_sa->tls_12.opad_ipad,
+				  ROC_SE_TLS);
 
-	tmp = (uint64_t *)read_sa->opad_ipad;
+	tmp = (uint64_t *)read_sa->tls_12.opad_ipad;
 	for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t)); i++)
 		tmp[i] = rte_be_to_cpu_64(tmp[i]);
 
@@ -403,24 +428,20 @@  tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa,
 	read_sa->w0.s.ctx_hdr_size = ROC_IE_OT_TLS_CTX_HDR_SIZE;
 	read_sa->w0.s.aop_valid = 1;
 
-	offset = offsetof(struct roc_ie_ot_tls_read_sa, ctx);
+	offset = offsetof(struct roc_ie_ot_tls_read_sa, tls_12.ctx);
+	if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3)
+		offset = offsetof(struct roc_ie_ot_tls_read_sa, tls_13.ctx);
+
+	/* Entire context size in 128B units */
+	read_sa->w0.s.ctx_size =
+		(PLT_ALIGN_CEIL(tls_read_ctx_size(read_sa, tls_ver), ROC_CTX_UNIT_128B) /
+		 ROC_CTX_UNIT_128B) -
+		1;
 
 	/* Word offset for HW managed CTX field */
 	read_sa->w0.s.hw_ctx_off = offset / 8;
 	read_sa->w0.s.ctx_push_size = read_sa->w0.s.hw_ctx_off;
 
-	/* Entire context size in 128B units */
-	read_sa->w0.s.ctx_size = (PLT_ALIGN_CEIL(tls_read_ctx_size(read_sa), ROC_CTX_UNIT_128B) /
-				  ROC_CTX_UNIT_128B) -
-				 1;
-
-	if (tls_xfrm->ver == RTE_SECURITY_VERSION_TLS_1_2) {
-		read_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_12;
-		read_sa->ctx.ar_valid_mask = tls_xfrm->tls_1_2.seq_no - 1;
-	} else if (tls_xfrm->ver == RTE_SECURITY_VERSION_DTLS_1_2) {
-		read_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_DTLS_12;
-	}
-
 	rte_wmb();
 
 	return 0;
@@ -431,6 +452,7 @@  tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa,
 		  struct rte_security_tls_record_xform *tls_xfrm,
 		  struct rte_crypto_sym_xform *crypto_xfrm)
 {
+	enum rte_security_tls_version tls_ver = tls_xfrm->ver;
 	struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm;
 	const uint8_t *key = NULL;
 	uint8_t *cipher_key;
@@ -438,13 +460,25 @@  tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa,
 	int i, length = 0;
 	size_t offset;
 
+	if (tls_ver == RTE_SECURITY_VERSION_TLS_1_2) {
+		write_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_12;
+		write_sa->tls_12.seq_num = tls_xfrm->tls_1_2.seq_no - 1;
+	} else if (tls_ver == RTE_SECURITY_VERSION_DTLS_1_2) {
+		write_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_DTLS_12;
+		write_sa->tls_12.seq_num = ((uint64_t)tls_xfrm->dtls_1_2.epoch << 48) |
+					   (tls_xfrm->dtls_1_2.seq_no & 0x0000ffffffffffff);
+		write_sa->tls_12.seq_num -= 1;
+	} else if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) {
+		write_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_13;
+		write_sa->tls_13.seq_num = tls_xfrm->tls_1_3.seq_no - 1;
+	}
+
 	cipher_key = write_sa->cipher_key;
 
 	/* Set encryption algorithm */
 	if ((crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) &&
 	    (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)) {
 		write_sa->w2.s.cipher_select = ROC_IE_OT_TLS_CIPHER_AES_GCM;
-		write_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_SHA2_256;
 
 		length = crypto_xfrm->aead.key.length;
 		if (length == 16)
@@ -455,10 +489,12 @@  tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa,
 		key = crypto_xfrm->aead.key.data;
 		memcpy(cipher_key, key, length);
 
-		if (tls_xfrm->ver == RTE_SECURITY_VERSION_TLS_1_2)
+		if (tls_ver == RTE_SECURITY_VERSION_TLS_1_2)
 			memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->tls_1_2.imp_nonce, 4);
-		else if (tls_xfrm->ver == RTE_SECURITY_VERSION_DTLS_1_2)
+		else if (tls_ver == RTE_SECURITY_VERSION_DTLS_1_2)
 			memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->dtls_1_2.imp_nonce, 4);
+		else if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3)
+			memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->tls_1_3.imp_nonce, 12);
 
 		goto key_swap;
 	}
@@ -506,11 +542,11 @@  tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa,
 			return -EINVAL;
 
 		roc_se_hmac_opad_ipad_gen(write_sa->w2.s.mac_select, auth_xfrm->auth.key.data,
-					  auth_xfrm->auth.key.length, write_sa->opad_ipad,
+					  auth_xfrm->auth.key.length, write_sa->tls_12.opad_ipad,
 					  ROC_SE_TLS);
 	}
 
-	tmp_key = (uint64_t *)write_sa->opad_ipad;
+	tmp_key = (uint64_t *)write_sa->tls_12.opad_ipad;
 	for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t)); i++)
 		tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
 
@@ -520,40 +556,37 @@  tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa,
 		tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
 
 	write_sa->w0.s.ctx_hdr_size = ROC_IE_OT_TLS_CTX_HDR_SIZE;
-	offset = offsetof(struct roc_ie_ot_tls_write_sa, w26_rsvd7);
-
-	/* Word offset for HW managed CTX field */
-	write_sa->w0.s.hw_ctx_off = offset / 8;
-	write_sa->w0.s.ctx_push_size = write_sa->w0.s.hw_ctx_off;
-
 	/* Entire context size in 128B units */
 	write_sa->w0.s.ctx_size =
 		(PLT_ALIGN_CEIL(sizeof(struct roc_ie_ot_tls_write_sa), ROC_CTX_UNIT_128B) /
 		 ROC_CTX_UNIT_128B) -
 		1;
-	write_sa->w0.s.aop_valid = 1;
+	offset = offsetof(struct roc_ie_ot_tls_write_sa, tls_12.w26_rsvd7);
 
-	if (tls_xfrm->ver == RTE_SECURITY_VERSION_TLS_1_2) {
-		write_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_12;
-		write_sa->seq_num = tls_xfrm->tls_1_2.seq_no - 1;
-	} else if (tls_xfrm->ver == RTE_SECURITY_VERSION_DTLS_1_2) {
-		write_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_DTLS_12;
-		write_sa->seq_num = ((uint64_t)tls_xfrm->dtls_1_2.epoch << 48) |
-				    (tls_xfrm->dtls_1_2.seq_no & 0x0000ffffffffffff);
-		write_sa->seq_num -= 1;
+	if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) {
+		offset = offsetof(struct roc_ie_ot_tls_write_sa, tls_13.w10_rsvd7);
+		write_sa->w0.s.ctx_size -= 1;
 	}
 
+	/* Word offset for HW managed CTX field */
+	write_sa->w0.s.hw_ctx_off = offset / 8;
+	write_sa->w0.s.ctx_push_size = write_sa->w0.s.hw_ctx_off;
+
+	write_sa->w0.s.aop_valid = 1;
+
 	write_sa->w2.s.iv_at_cptr = ROC_IE_OT_TLS_IV_SRC_DEFAULT;
 
+	if (write_sa->w2.s.version_select != ROC_IE_OT_TLS_VERSION_TLS_13) {
 #ifdef LA_IPSEC_DEBUG
-	if (tls_xfrm->options.iv_gen_disable == 1)
-		write_sa->w2.s.iv_at_cptr = ROC_IE_OT_TLS_IV_SRC_FROM_SA;
+		if (tls_xfrm->options.iv_gen_disable == 1)
+			write_sa->w2.s.iv_at_cptr = ROC_IE_OT_TLS_IV_SRC_FROM_SA;
 #else
-	if (tls_xfrm->options.iv_gen_disable) {
-		plt_err("Application provided IV is not supported");
-		return -ENOTSUP;
-	}
+		if (tls_xfrm->options.iv_gen_disable) {
+			plt_err("Application provided IV is not supported");
+			return -ENOTSUP;
+		}
 #endif
+	}
 
 	rte_wmb();
 
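Review bot: `write_sa->w0.s.ctx_size -= 1` for TLS 1.3 adjusts a value computed from `sizeof(struct roc_ie_ot_tls_write_sa)`, which is the size of the larger TLS 1.2 union member. The result is therefore only right while the two layouts differ by exactly one 128-byte unit. Computing the TLS 1.3 size from the layout itself avoids that coupling, for example `offsetof(struct roc_ie_ot_tls_write_sa, tls_13.seq_num) + sizeof(uint64_t)` rounded with `PLT_ALIGN_CEIL` as in the lines above. Separately, `options.iv_gen_disable` is now silently ignored for TLS 1.3 rather than rejected; if that is intended, a comment saying so would help. tls_write_sa_fill() starts outside the hunk.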
@@ -599,20 +632,17 @@  cn10k_tls_read_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
 		sec_sess->iv_length = crypto_xfrm->auth.iv.length;
 	}
 
-	if (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_DTLS_12)
-		sec_sess->tls.hdr_len = 13;
-	else if (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_12)
-		sec_sess->tls.hdr_len = 5;
-
 	sec_sess->proto = RTE_SECURITY_PROTOCOL_TLS_RECORD;
 
-	/* Enable mib counters */
-	sa_dptr->w0.s.count_mib_bytes = 1;
-	sa_dptr->w0.s.count_mib_pkts = 1;
-
 	/* pre-populate CPT INST word 4 */
 	inst_w4.u64 = 0;
-	inst_w4.s.opcode_major = ROC_IE_OT_TLS_MAJOR_OP_RECORD_DEC | ROC_IE_OT_INPLACE_BIT;
+	if ((sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_12) ||
+	    (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_DTLS_12)) {
+		inst_w4.s.opcode_major = ROC_IE_OT_TLS_MAJOR_OP_RECORD_DEC | ROC_IE_OT_INPLACE_BIT;
+	} else if (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_13) {
+		inst_w4.s.opcode_major =
+			ROC_IE_OT_TLS13_MAJOR_OP_RECORD_DEC | ROC_IE_OT_INPLACE_BIT;
+	}
 
 	sec_sess->inst.w4 = inst_w4.u64;
 	sec_sess->inst.w7 = cpt_inst_w7_get(roc_cpt, read_sa);
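Review bot: The new `if`/`else if` in cn10k_tls_read_sa_create() has no final `else`, so if `version_select` holds none of the three expected values, `inst_w4.s.opcode_major` stays 0 and the session is still created. cn10k_tls_write_sa_create() has the same chain. cnxk_tls_xform_verify() should prevent that, but a defensive `else` returning `-EINVAL` (with whatever cleanup the function needs, which is outside the hunk) keeps an unset opcode out of the instruction word. This hunk also drops `count_mib_bytes`/`count_mib_pkts` and `hdr_len` for existing TLS 1.2 and DTLS 1.2 sessions, which the commit message does not mention.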
@@ -689,8 +719,13 @@  cn10k_tls_write_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
 
 	/* pre-populate CPT INST word 4 */
 	inst_w4.u64 = 0;
-	inst_w4.s.opcode_major = ROC_IE_OT_TLS_MAJOR_OP_RECORD_ENC | ROC_IE_OT_INPLACE_BIT;
-
+	if ((sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_12) ||
+	    (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_DTLS_12)) {
+		inst_w4.s.opcode_major = ROC_IE_OT_TLS_MAJOR_OP_RECORD_ENC | ROC_IE_OT_INPLACE_BIT;
+	} else if (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_13) {
+		inst_w4.s.opcode_major =
+			ROC_IE_OT_TLS13_MAJOR_OP_RECORD_ENC | ROC_IE_OT_INPLACE_BIT;
+	}
 	sec_sess->inst.w4 = inst_w4.u64;
 	sec_sess->inst.w7 = cpt_inst_w7_get(roc_cpt, write_sa);