From patchwork Tue Jan 2 04:54:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anoob Joseph X-Patchwork-Id: 135669 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 4C795437F8; Tue, 2 Jan 2024 05:57:21 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 96C8C40ECF; Tue, 2 Jan 2024 05:57:00 +0100 (CET) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 5479140A76 for ; Tue, 2 Jan 2024 05:56:55 +0100 (CET) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 401MmZgC026172 for ; Mon, 1 Jan 2024 20:56:54 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h= from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding:content-type; s= pfpt0220; bh=dwz/4bDK3jS+DipkgJgJkNcQlk9mhNfKgwYvnwiTdr4=; b=FjH TYr4io49ck5FUF42SJugOauY79ey7bcgZ7O10zBjFbEhOn55Mm5EljYozrwt1t/6 14rip0PGU46Y0oOgUkrr6TyHRTAbqlJKuLaGKr3GVBE2OGh0Csu1UDFnKdtHB3WH zkaOP2EPjjudqP4EQOplmPXN2Gu2dmEcIyHu5qwxmseATjOfEGtB8QRq/007ivzy pUVclm2bbVv8sEXPooVsa5xqBp1mnpMlnJzAL2EPtPuHQ8ruJJ1sOcEofp61Uzux eIKbDMY8QRtAn4Vy7fmezoMiNjQW61Sa/q4u4hvI6evVnwfgJC6lraTKMKrZdwFD R7b/Vd+CakzTf9YZAnA== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3vb5c346a1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Mon, 01 Jan 2024 20:56:54 -0800 (PST) Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Mon, 1 Jan 2024 20:56:52 -0800 
Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.48 via Frontend Transport; Mon, 1 Jan 2024 20:56:52 -0800 Received: from BG-LT92004.corp.innovium.com (unknown [10.28.163.189]) by maili.marvell.com (Postfix) with ESMTP id 06C213F7081; Mon, 1 Jan 2024 20:56:48 -0800 (PST) From: Anoob Joseph To: Akhil Goyal CC: Vidya Sagar Velumuri , Jerin Jacob , Tejasree Kondoj , Subject: [PATCH v2 22/24] crypto/cnxk: add support for TLS 1.3 Date: Tue, 2 Jan 2024 10:24:15 +0530 Message-ID: <20240102045417.115-23-anoobj@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240102045417.115-1-anoobj@marvell.com> References: <20231221123545.510-1-anoobj@marvell.com> <20240102045417.115-1-anoobj@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: NLlg_mr36DyRByZEUFZHbzZNbnfTRHc7 X-Proofpoint-ORIG-GUID: NLlg_mr36DyRByZEUFZHbzZNbnfTRHc7 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.997,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-12-09_02,2023-12-07_01,2023-05-22_02 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org From: Vidya Sagar Velumuri Add support for TLS-1.3. Signed-off-by: Vidya Sagar Velumuri --- drivers/common/cnxk/roc_ie_ot_tls.h | 50 +++++-- drivers/crypto/cnxk/cn10k_cryptodev_sec.h | 3 +- drivers/crypto/cnxk/cn10k_tls.c | 159 +++++++++++++--------- 3 files changed, 136 insertions(+), 76 deletions(-) diff --git a/drivers/common/cnxk/roc_ie_ot_tls.h b/drivers/common/cnxk/roc_ie_ot_tls.h index 61955ef4d1..91ddb25f7a 100644 --- a/drivers/common/cnxk/roc_ie_ot_tls.h +++ b/drivers/common/cnxk/roc_ie_ot_tls.h 
@@ -17,8 +17,10 @@ (PLT_ALIGN_CEIL(ROC_IE_OT_TLS_AR_WIN_SIZE_MAX, BITS_PER_LONG_LONG) / BITS_PER_LONG_LONG) /* CN10K TLS opcodes */ -#define ROC_IE_OT_TLS_MAJOR_OP_RECORD_ENC 0x16UL -#define ROC_IE_OT_TLS_MAJOR_OP_RECORD_DEC 0x17UL +#define ROC_IE_OT_TLS_MAJOR_OP_RECORD_ENC 0x16UL +#define ROC_IE_OT_TLS_MAJOR_OP_RECORD_DEC 0x17UL +#define ROC_IE_OT_TLS13_MAJOR_OP_RECORD_ENC 0x18UL +#define ROC_IE_OT_TLS13_MAJOR_OP_RECORD_DEC 0x19UL #define ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN 128 #define ROC_IE_OT_TLS_CTX_MAX_KEY_IV_LEN 48 @@ -42,6 +44,7 @@ enum roc_ie_ot_tls_cipher_type { enum roc_ie_ot_tls_ver { ROC_IE_OT_TLS_VERSION_TLS_12 = 1, ROC_IE_OT_TLS_VERSION_DTLS_12 = 2, + ROC_IE_OT_TLS_VERSION_TLS_13 = 3, }; enum roc_ie_ot_tls_aes_key_len { @@ -131,11 +134,23 @@ struct roc_ie_ot_tls_read_sa { /* Word4 - Word9 */ uint8_t cipher_key[ROC_IE_OT_TLS_CTX_MAX_KEY_IV_LEN]; - /* Word10 - Word25 */ - uint8_t opad_ipad[ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN]; + union { + struct { + /* Word10 */ + uint64_t w10_rsvd6; + + /* Word11 - Word25 */ + struct roc_ie_ot_tls_read_ctx_update_reg ctx; + } tls_13; + + struct { + /* Word10 - Word25 */ + uint8_t opad_ipad[ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN]; - /* Word26 - Word32 */ - struct roc_ie_ot_tls_read_ctx_update_reg ctx; + /* Word26 - Word95 */ + struct roc_ie_ot_tls_read_ctx_update_reg ctx; + } tls_12; + }; }; struct roc_ie_ot_tls_write_sa { @@ -187,13 +202,24 @@ struct roc_ie_ot_tls_write_sa { /* Word4 - Word9 */ uint8_t cipher_key[ROC_IE_OT_TLS_CTX_MAX_KEY_IV_LEN]; - /* Word10 - Word25 */ - uint8_t opad_ipad[ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN]; + union { + struct { + /* Word10 */ + uint64_t w10_rsvd7; + + uint64_t seq_num; + } tls_13; + + struct { + /* Word10 - Word25 */ + uint8_t opad_ipad[ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN]; - /* Word26 */ - uint64_t w26_rsvd7; + /* Word26 */ + uint64_t w26_rsvd7; - /* Word27 */ - uint64_t seq_num; + /* Word27 */ + uint64_t seq_num; + } tls_12; + }; }; #endif /* __ROC_IE_OT_TLS_H__ */ 
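Review bot: The word-range comment on `tls_13.ctx` in `struct roc_ie_ot_tls_read_sa` does not match the layout: it reads `Word11 - Word25`, but the member is the same `struct roc_ie_ot_tls_read_ctx_update_reg` that the `tls_12` view now labels `Word26 - Word95`. If that second range is right, the TLS 1.3 copy runs from Word11 to Word80 and extends well past the end of `opad_ipad`. In the `roc_ie_ot_tls_write_sa` hunk that follows, `tls_13.seq_num` has no word comment at all; it sits at Word11, directly after `w10_rsvd7`. cn10k_tls.c derives `hw_ctx_off` from `offsetof()` on these members, so I would correct the comments and pin the offsets at compile time, e.g. `_Static_assert(offsetof(struct roc_ie_ot_tls_read_sa, tls_13.ctx) == 11 * sizeof(uint64_t), "TLS 1.3 read ctx must start at word 11");`.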
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_sec.h b/drivers/crypto/cnxk/cn10k_cryptodev_sec.h index 33fd3aa398..1e117051cc 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_sec.h +++ b/drivers/crypto/cnxk/cn10k_cryptodev_sec.h @@ -31,8 +31,7 @@ struct cn10k_sec_session { } ipsec; struct { uint8_t enable_padding : 1; - uint8_t hdr_len : 4; - uint8_t rvsd : 3; + uint8_t rvsd : 7; bool is_write; } tls; }; diff --git a/drivers/crypto/cnxk/cn10k_tls.c b/drivers/crypto/cnxk/cn10k_tls.c index 6f6fdf95ee..1c1d2e9ece 100644 --- a/drivers/crypto/cnxk/cn10k_tls.c +++ b/drivers/crypto/cnxk/cn10k_tls.c @@ -105,7 +105,8 @@ cnxk_tls_xform_verify(struct rte_security_tls_record_xform *tls_xform, int ret = 0; if ((tls_xform->ver != RTE_SECURITY_VERSION_TLS_1_2) && - (tls_xform->ver != RTE_SECURITY_VERSION_DTLS_1_2)) + (tls_xform->ver != RTE_SECURITY_VERSION_DTLS_1_2) && + (tls_xform->ver != RTE_SECURITY_VERSION_TLS_1_3)) return -EINVAL; if ((tls_xform->type != RTE_SECURITY_TLS_SESS_TYPE_READ) && @@ -115,6 +116,12 @@ cnxk_tls_xform_verify(struct rte_security_tls_record_xform *tls_xform, if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) return tls_xform_aead_verify(tls_xform, crypto_xform); + /* TLS-1.3 only support AEAD. + * Control should not reach here for TLS-1.3 + */ + if (tls_xform->ver == RTE_SECURITY_VERSION_TLS_1_3) + return -EINVAL; + if (tls_xform->type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) { /* Egress */ @@ -259,7 +266,7 @@ tls_write_sa_init(struct roc_ie_ot_tls_write_sa *sa) memset(sa, 0, sizeof(struct roc_ie_ot_tls_write_sa)); - offset = offsetof(struct roc_ie_ot_tls_write_sa, w26_rsvd7); + offset = offsetof(struct roc_ie_ot_tls_write_sa, tls_12.w26_rsvd7); sa->w0.s.hw_ctx_off = offset / ROC_CTX_UNIT_8B; sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off; sa->w0.s.ctx_size = ROC_IE_OT_TLS_CTX_ILEN; 
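Review bot: The comment added in `cnxk_tls_xform_verify()` says control should not reach this point for TLS 1.3, yet the `if` directly below it exists because a TLS 1.3 xform whose `crypto_xform->type` is not AEAD does reach it. I would word it as what the check enforces: `/* TLS 1.3 supports AEAD only; reject any other transform. */`. The rest of the function lies outside the hunk.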
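Review bot: `tls_write_sa_init()` now hard-codes the TLS 1.2 view, `offsetof(struct roc_ie_ot_tls_write_sa, tls_12.w26_rsvd7)`, for `hw_ctx_off` and `ctx_push_size`, while `tls_write_sa_fill()` in this same patch uses `tls_13.w10_rsvd7` for a TLS 1.3 SA. The `tls_read_sa_init()` hunk that follows does the same with `tls_12.ctx`. Neither helper takes a version argument, so if one is applied to a TLS 1.3 SA (the callers are not in this patch) the hardware-managed context boundary would differ from what the fill path programmed. Either pass the TLS version into the init helpers, or, once confirmed against the hardware, record the assumption in a comment such as `/* Reset path: TLS 1.2 layout offsets are used for all versions */`.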
@@ -274,7 +281,7 @@ tls_read_sa_init(struct roc_ie_ot_tls_read_sa *sa) memset(sa, 0, sizeof(struct roc_ie_ot_tls_read_sa)); - offset = offsetof(struct roc_ie_ot_tls_read_sa, ctx); + offset = offsetof(struct roc_ie_ot_tls_read_sa, tls_12.ctx); sa->w0.s.hw_ctx_off = offset / ROC_CTX_UNIT_8B; sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off; sa->w0.s.ctx_size = ROC_IE_OT_TLS_CTX_ILEN; @@ -283,13 +290,18 @@ tls_read_sa_init(struct roc_ie_ot_tls_read_sa *sa) } static size_t -tls_read_ctx_size(struct roc_ie_ot_tls_read_sa *sa) +tls_read_ctx_size(struct roc_ie_ot_tls_read_sa *sa, enum rte_security_tls_version tls_ver) { size_t size; /* Variable based on Anti-replay Window */ - size = offsetof(struct roc_ie_ot_tls_read_sa, ctx) + - offsetof(struct roc_ie_ot_tls_read_ctx_update_reg, ar_winbits); + if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) { + size = offsetof(struct roc_ie_ot_tls_read_sa, tls_13.ctx) + + offsetof(struct roc_ie_ot_tls_read_ctx_update_reg, ar_winbits); + } else { + size = offsetof(struct roc_ie_ot_tls_read_sa, tls_12.ctx) + + offsetof(struct roc_ie_ot_tls_read_ctx_update_reg, ar_winbits); + } if (sa->w0.s.ar_win) size += (1 << (sa->w0.s.ar_win - 1)) * sizeof(uint64_t); @@ -302,6 +314,7 @@ tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa, struct rte_security_tls_record_xform *tls_xfrm, struct rte_crypto_sym_xform *crypto_xfrm) { + enum rte_security_tls_version tls_ver = tls_xfrm->ver; struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm; const uint8_t *key = NULL; uint64_t *tmp, *tmp_key; 
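Review bot: Both arms of the new `if` in `tls_read_ctx_size()` repeat the `offsetof(struct roc_ie_ot_tls_read_ctx_update_reg, ar_winbits)` term and differ only in the union member, so a later edit can easily update one arm and miss the other. Select the base first, `size = (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) ? offsetof(struct roc_ie_ot_tls_read_sa, tls_13.ctx) : offsetof(struct roc_ie_ot_tls_read_sa, tls_12.ctx);`, then add the `ar_winbits` offset once. In the lines shown `sa` is only read, so the parameter could also be `const`; the end of the function is outside the hunk.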
@@ -313,13 +326,22 @@ tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa, /* Initialize the SA */ memset(read_sa, 0, sizeof(struct roc_ie_ot_tls_read_sa)); + if (tls_ver == RTE_SECURITY_VERSION_TLS_1_2) { + read_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_12; + read_sa->tls_12.ctx.ar_valid_mask = tls_xfrm->tls_1_2.seq_no - 1; + } else if (tls_ver == RTE_SECURITY_VERSION_DTLS_1_2) { + read_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_DTLS_12; + } else if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) { + read_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_13; + read_sa->tls_13.ctx.ar_valid_mask = tls_xfrm->tls_1_3.seq_no - 1; + } + cipher_key = read_sa->cipher_key; /* Set encryption algorithm */ if ((crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) && (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)) { read_sa->w2.s.cipher_select = ROC_IE_OT_TLS_CIPHER_AES_GCM; - read_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_SHA2_256; length = crypto_xfrm->aead.key.length; if (length == 16) @@ -330,10 +352,12 @@ tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa, key = crypto_xfrm->aead.key.data; memcpy(cipher_key, key, length); - if (tls_xfrm->ver == RTE_SECURITY_VERSION_TLS_1_2) + if (tls_ver == RTE_SECURITY_VERSION_TLS_1_2) memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->tls_1_2.imp_nonce, 4); - else if (tls_xfrm->ver == RTE_SECURITY_VERSION_DTLS_1_2) + else if (tls_ver == RTE_SECURITY_VERSION_DTLS_1_2) memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->dtls_1_2.imp_nonce, 4); + else if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) + memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->tls_1_3.imp_nonce, 12); goto key_swap; } 
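Review bot: `read_sa->tls_13.ctx.ar_valid_mask` is now written at the top of `tls_read_sa_fill()`, and in the new union `tls_13.ctx` begins at Word11, inside the range the `tls_12` view uses for `opad_ipad` (Word10 - Word25). A later hunk of this function byte-swaps that range in place through `(uint64_t *)read_sa->tls_12.opad_ipad`. The TLS 1.3 fields therefore stay intact only if that loop never runs for TLS 1.3, which appears to rely on the AEAD branch's `goto key_swap` and on `cnxk_tls_xform_verify()` rejecting non-AEAD TLS 1.3; the label is outside the hunks shown. A comment at the assignment would record the dependency, e.g. `/* tls_13.ctx aliases tls_12.opad_ipad: TLS 1.3 must skip the opad/ipad swap */`. The same applies to `write_sa->tls_13.seq_num` in the `tls_write_sa_fill()` hunk, where the field sits at Word11 and overlaps `opad_ipad` directly.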
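Review bot: The TLS 1.3 nonce copy adds another pair of bare literals, `cipher_key + 32` and `12`, alongside the existing `4`-byte copies. With `ROC_IE_OT_TLS_CTX_MAX_KEY_IV_LEN` at 48 the write ends at byte 44 and stays in bounds, but nothing ties the numbers to the buffer size or to the source field. I would take the length from the field, `memcpy((uint8_t *)cipher_key + 32, tls_xfrm->tls_1_3.imp_nonce, sizeof(tls_xfrm->tls_1_3.imp_nonce));` (assuming `imp_nonce` is declared as an array), and give the offset a name. The matching hunk in `tls_write_sa_fill()` adds the same line.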
@@ -377,9 +401,10 @@ tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa, return -EINVAL; roc_se_hmac_opad_ipad_gen(read_sa->w2.s.mac_select, auth_xfrm->auth.key.data, - auth_xfrm->auth.key.length, read_sa->opad_ipad, ROC_SE_TLS); + auth_xfrm->auth.key.length, read_sa->tls_12.opad_ipad, + ROC_SE_TLS); - tmp = (uint64_t *)read_sa->opad_ipad; + tmp = (uint64_t *)read_sa->tls_12.opad_ipad; for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t)); i++) tmp[i] = rte_be_to_cpu_64(tmp[i]); @@ -403,24 +428,20 @@ tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa, read_sa->w0.s.ctx_hdr_size = ROC_IE_OT_TLS_CTX_HDR_SIZE; read_sa->w0.s.aop_valid = 1; - offset = offsetof(struct roc_ie_ot_tls_read_sa, ctx); + offset = offsetof(struct roc_ie_ot_tls_read_sa, tls_12.ctx); + if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) + offset = offsetof(struct roc_ie_ot_tls_read_sa, tls_13.ctx); + + /* Entire context size in 128B units */ + read_sa->w0.s.ctx_size = + (PLT_ALIGN_CEIL(tls_read_ctx_size(read_sa, tls_ver), ROC_CTX_UNIT_128B) / + ROC_CTX_UNIT_128B) - + 1; /* Word offset for HW managed CTX field */ read_sa->w0.s.hw_ctx_off = offset / 8; read_sa->w0.s.ctx_push_size = read_sa->w0.s.hw_ctx_off; - /* Entire context size in 128B units */ - read_sa->w0.s.ctx_size = (PLT_ALIGN_CEIL(tls_read_ctx_size(read_sa), ROC_CTX_UNIT_128B) / - ROC_CTX_UNIT_128B) - - 1; - - if (tls_xfrm->ver == RTE_SECURITY_VERSION_TLS_1_2) { - read_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_12; - read_sa->ctx.ar_valid_mask = tls_xfrm->tls_1_2.seq_no - 1; - } else if (tls_xfrm->ver == RTE_SECURITY_VERSION_DTLS_1_2) { - read_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_DTLS_12; - } - rte_wmb(); return 0; 
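Review bot: The swap loop over the renamed `read_sa->tls_12.opad_ipad` is bounded by `ROC_CTX_MAX_OPAD_IPAD_LEN`, while the array is declared in roc_ie_ot_tls.h with `ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN` (128). The definition of `ROC_CTX_MAX_OPAD_IPAD_LEN` is not part of this patch; if the two constants ever differ, the loop either stops short or runs past the array into whatever the SA places after it. Since the neighbouring line is being changed anyway, bounding the loop by the array itself removes that dependency: `for (i = 0; i < (int)(sizeof(read_sa->tls_12.opad_ipad) / sizeof(uint64_t)); i++)`. The `tls_write_sa_fill()` hunk has the same loop over `write_sa->tls_12.opad_ipad`.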
@@ -431,6 +452,7 @@ tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa, struct rte_security_tls_record_xform *tls_xfrm, struct rte_crypto_sym_xform *crypto_xfrm) { + enum rte_security_tls_version tls_ver = tls_xfrm->ver; struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm; const uint8_t *key = NULL; uint8_t *cipher_key; @@ -438,13 +460,25 @@ tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa, int i, length = 0; size_t offset; + if (tls_ver == RTE_SECURITY_VERSION_TLS_1_2) { + write_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_12; + write_sa->tls_12.seq_num = tls_xfrm->tls_1_2.seq_no - 1; + } else if (tls_ver == RTE_SECURITY_VERSION_DTLS_1_2) { + write_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_DTLS_12; + write_sa->tls_12.seq_num = ((uint64_t)tls_xfrm->dtls_1_2.epoch << 48) | + (tls_xfrm->dtls_1_2.seq_no & 0x0000ffffffffffff); + write_sa->tls_12.seq_num -= 1; + } else if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) { + write_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_13; + write_sa->tls_13.seq_num = tls_xfrm->tls_1_3.seq_no - 1; + } + cipher_key = write_sa->cipher_key; /* Set encryption algorithm */ if ((crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) && (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)) { write_sa->w2.s.cipher_select = ROC_IE_OT_TLS_CIPHER_AES_GCM; - write_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_SHA2_256; length = crypto_xfrm->aead.key.length; if (length == 16) 
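Review bot: Every arm of the new version block in `tls_write_sa_fill()` stores `seq_no - 1`, and no arm checks for `seq_no == 0` in the lines shown. For TLS 1.2 and TLS 1.3 a zero input wraps `seq_num` to all ones; in the DTLS 1.2 arm the `-= 1` is applied after the epoch has been OR-ed in, so a zero sequence number borrows from the epoch bits. If the hardware increments before use and a zero start is expected, say so in a comment, e.g. `/* HW pre-increments: store seq_no - 1 (wraps for 0) */`; otherwise reject zero in `cnxk_tls_xform_verify()`. The `ar_valid_mask = seq_no - 1` assignments added to `tls_read_sa_fill()` raise the same question.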
@@ -455,10 +489,12 @@ tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa, key = crypto_xfrm->aead.key.data; memcpy(cipher_key, key, length); - if (tls_xfrm->ver == RTE_SECURITY_VERSION_TLS_1_2) + if (tls_ver == RTE_SECURITY_VERSION_TLS_1_2) memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->tls_1_2.imp_nonce, 4); - else if (tls_xfrm->ver == RTE_SECURITY_VERSION_DTLS_1_2) + else if (tls_ver == RTE_SECURITY_VERSION_DTLS_1_2) memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->dtls_1_2.imp_nonce, 4); + else if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) + memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->tls_1_3.imp_nonce, 12); goto key_swap; } @@ -506,11 +542,11 @@ tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa, return -EINVAL; roc_se_hmac_opad_ipad_gen(write_sa->w2.s.mac_select, auth_xfrm->auth.key.data, - auth_xfrm->auth.key.length, write_sa->opad_ipad, + auth_xfrm->auth.key.length, write_sa->tls_12.opad_ipad, ROC_SE_TLS); } - tmp_key = (uint64_t *)write_sa->opad_ipad; + tmp_key = (uint64_t *)write_sa->tls_12.opad_ipad; for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t)); i++) tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]); 
@@ -520,40 +556,37 @@ tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa, tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]); write_sa->w0.s.ctx_hdr_size = ROC_IE_OT_TLS_CTX_HDR_SIZE; - offset = offsetof(struct roc_ie_ot_tls_write_sa, w26_rsvd7); - - /* Word offset for HW managed CTX field */ - write_sa->w0.s.hw_ctx_off = offset / 8; - write_sa->w0.s.ctx_push_size = write_sa->w0.s.hw_ctx_off; - /* Entire context size in 128B units */ write_sa->w0.s.ctx_size = (PLT_ALIGN_CEIL(sizeof(struct roc_ie_ot_tls_write_sa), ROC_CTX_UNIT_128B) / ROC_CTX_UNIT_128B) - 1; - write_sa->w0.s.aop_valid = 1; + offset = offsetof(struct roc_ie_ot_tls_write_sa, tls_12.w26_rsvd7); - if (tls_xfrm->ver == RTE_SECURITY_VERSION_TLS_1_2) { - write_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_12; - write_sa->seq_num = tls_xfrm->tls_1_2.seq_no - 1; - } else if (tls_xfrm->ver == RTE_SECURITY_VERSION_DTLS_1_2) { - write_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_DTLS_12; - write_sa->seq_num = ((uint64_t)tls_xfrm->dtls_1_2.epoch << 48) | - (tls_xfrm->dtls_1_2.seq_no & 0x0000ffffffffffff); - write_sa->seq_num -= 1; + if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) { + offset = offsetof(struct roc_ie_ot_tls_write_sa, tls_13.w10_rsvd7); + write_sa->w0.s.ctx_size -= 1; } + /* Word offset for HW managed CTX field */ + write_sa->w0.s.hw_ctx_off = offset / 8; + write_sa->w0.s.ctx_push_size = write_sa->w0.s.hw_ctx_off; + + write_sa->w0.s.aop_valid = 1; + write_sa->w2.s.iv_at_cptr = ROC_IE_OT_TLS_IV_SRC_DEFAULT; + if (write_sa->w2.s.version_select != ROC_IE_OT_TLS_VERSION_TLS_13) { #ifdef LA_IPSEC_DEBUG - if (tls_xfrm->options.iv_gen_disable == 1) - write_sa->w2.s.iv_at_cptr = ROC_IE_OT_TLS_IV_SRC_FROM_SA; + if (tls_xfrm->options.iv_gen_disable == 1) + write_sa->w2.s.iv_at_cptr = ROC_IE_OT_TLS_IV_SRC_FROM_SA; #else - if (tls_xfrm->options.iv_gen_disable) { - plt_err("Application provided IV is not supported"); - return -ENOTSUP; - } + if (tls_xfrm->options.iv_gen_disable) { + plt_err("Application 
provided IV is not supported"); + return -ENOTSUP; + } #endif + } rte_wmb(); @@ -599,20 +632,17 @@ cn10k_tls_read_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf, sec_sess->iv_length = crypto_xfrm->auth.iv.length; } - if (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_DTLS_12) - sec_sess->tls.hdr_len = 13; - else if (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_12) - sec_sess->tls.hdr_len = 5; - sec_sess->proto = RTE_SECURITY_PROTOCOL_TLS_RECORD; - /* Enable mib counters */ - sa_dptr->w0.s.count_mib_bytes = 1; - sa_dptr->w0.s.count_mib_pkts = 1; - /* pre-populate CPT INST word 4 */ inst_w4.u64 = 0; - inst_w4.s.opcode_major = ROC_IE_OT_TLS_MAJOR_OP_RECORD_DEC | ROC_IE_OT_INPLACE_BIT; + if ((sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_12) || + (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_DTLS_12)) { + inst_w4.s.opcode_major = ROC_IE_OT_TLS_MAJOR_OP_RECORD_DEC | ROC_IE_OT_INPLACE_BIT; + } else if (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_13) { + inst_w4.s.opcode_major = + ROC_IE_OT_TLS13_MAJOR_OP_RECORD_DEC | ROC_IE_OT_INPLACE_BIT; + } sec_sess->inst.w4 = inst_w4.u64; sec_sess->inst.w7 = cpt_inst_w7_get(roc_cpt, read_sa); @@ -689,8 +719,13 @@ cn10k_tls_write_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf, /* pre-populate CPT INST word 4 */ inst_w4.u64 = 0; - inst_w4.s.opcode_major = ROC_IE_OT_TLS_MAJOR_OP_RECORD_ENC | ROC_IE_OT_INPLACE_BIT; - + if ((sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_12) || + (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_DTLS_12)) { + inst_w4.s.opcode_major = ROC_IE_OT_TLS_MAJOR_OP_RECORD_ENC | ROC_IE_OT_INPLACE_BIT; + } else if (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_13) { + inst_w4.s.opcode_major = + ROC_IE_OT_TLS13_MAJOR_OP_RECORD_ENC | ROC_IE_OT_INPLACE_BIT; + } sec_sess->inst.w4 = inst_w4.u64; sec_sess->inst.w7 = cpt_inst_w7_get(roc_cpt, write_sa);
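Review bot: For TLS 1.3 the context size is computed from `sizeof(struct roc_ie_ot_tls_write_sa)` and then corrected with `write_sa->w0.s.ctx_size -= 1;`. That adjustment is right only while the full struct occupies exactly one more 128-byte unit than the TLS 1.3 view. Deriving the size from the layout actually in use would survive later changes to the struct: take `offsetof(struct roc_ie_ot_tls_write_sa, tls_13.seq_num) + sizeof(write_sa->tls_13.seq_num)` and feed it to the same `PLT_ALIGN_CEIL(..., ROC_CTX_UNIT_128B) / ROC_CTX_UNIT_128B - 1` expression. Separately, the new `version_select != ROC_IE_OT_TLS_VERSION_TLS_13` guard means a TLS 1.3 request with `options.iv_gen_disable` set is now accepted without the `-ENOTSUP` error. If that is intended, a one-line comment should say why the option is ignored for TLS 1.3.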
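Review bot: The new opcode selection in `cn10k_tls_read_sa_create()` is an `if` / `else if` with no final `else`, so any `version_select` other than the three listed leaves `inst_w4.s.opcode_major` at the 0 written by `inst_w4.u64 = 0`, and the lines shown carry on to store `sec_sess->inst.w4` regardless. Add a terminating branch that fails the call through whatever cleanup the function already uses; its error path is outside the hunk. The `cn10k_tls_write_sa_create()` hunk below has the same shape. This hunk also drops the `count_mib_bytes` / `count_mib_pkts` enablement and the `hdr_len` setup, neither of which the commit message mentions. If the counters are enabled elsewhere in the series, a line in the description would help reviewers.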