From patchwork Mon Aug 5 08:22:03 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 57429 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 92B7C1B203; Mon, 5 Aug 2019 10:35:30 +0200 (CEST) Received: from inva021.nxp.com (inva021.nxp.com [92.121.34.21]) by dpdk.org (Postfix) with ESMTP id A73F51BE0F for ; Mon, 5 Aug 2019 10:35:28 +0200 (CEST) Received: from inva021.nxp.com (localhost [127.0.0.1]) by inva021.eu-rdc02.nxp.com (Postfix) with ESMTP id 46B2D2000F7; Mon, 5 Aug 2019 10:35:28 +0200 (CEST) Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com [165.114.16.14]) by inva021.eu-rdc02.nxp.com (Postfix) with ESMTP id 7583C200296; Mon, 5 Aug 2019 10:35:25 +0200 (CEST) Received: from GDB1.ap.freescale.net (GDB1.ap.freescale.net [10.232.132.179]) by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id DDF92402C4; Mon, 5 Aug 2019 16:35:21 +0800 (SGT) From: Akhil Goyal To: dev@dpdk.org Cc: hemant.agrawal@nxp.com, konstantin.ananyev@intel.com, Akhil Goyal Date: Mon, 5 Aug 2019 13:52:03 +0530 Message-Id: <20190805082205.10794-2-akhil.goyal@nxp.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190805082205.10794-1-akhil.goyal@nxp.com> References: <20190805053827.29066-1-akhil.goyal@nxp.com> <20190805082205.10794-1-akhil.goyal@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Subject: [dpdk-dev] [PATCH v2 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" outer IP header is formed at the time of session initialization using the ipsec xform. This outer IP header will be appended by hardware for each packet. Signed-off-by: Akhil Goyal --- drivers/crypto/dpaa_sec/dpaa_sec.c | 71 ++++++++++++++++++++++-------- drivers/crypto/dpaa_sec/dpaa_sec.h | 7 ++- 2 files changed, 59 insertions(+), 19 deletions(-) diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c index 122c80a07..e6f57ce3d 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.c +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c @@ -2230,26 +2230,58 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, } if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { - memset(&session->encap_pdb, 0, sizeof(struct ipsec_encap_pdb) + + if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + memset(&session->encap_pdb, 0, + sizeof(struct ipsec_encap_pdb) + sizeof(session->ip4_hdr)); - session->ip4_hdr.ip_v = IPVERSION; - session->ip4_hdr.ip_hl = 5; - session->ip4_hdr.ip_len = rte_cpu_to_be_16( + session->ip4_hdr.ip_v = IPVERSION; + session->ip4_hdr.ip_hl = 5; + session->ip4_hdr.ip_len = rte_cpu_to_be_16( sizeof(session->ip4_hdr)); - session->ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; - session->ip4_hdr.ip_id = 0; - session->ip4_hdr.ip_off = 0; - session->ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; - session->ip4_hdr.ip_p = (ipsec_xform->proto == - RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? IPPROTO_ESP - : IPPROTO_AH; - session->ip4_hdr.ip_sum = 0; - session->ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; - session->ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; - session->ip4_hdr.ip_sum = calc_chksum((uint16_t *) + session->ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; + session->ip4_hdr.ip_id = 0; + session->ip4_hdr.ip_off = 0; + session->ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; + session->ip4_hdr.ip_p = (ipsec_xform->proto == + RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? + IPPROTO_ESP : IPPROTO_AH; + session->ip4_hdr.ip_sum = 0; + session->ip4_hdr.ip_src = + ipsec_xform->tunnel.ipv4.src_ip; + session->ip4_hdr.ip_dst = + ipsec_xform->tunnel.ipv4.dst_ip; + session->ip4_hdr.ip_sum = calc_chksum((uint16_t *) (void *)&session->ip4_hdr, sizeof(struct ip)); - + session->encap_pdb.ip_hdr_len = sizeof(struct ip); + } else if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV6) { + memset(&session->encap_pdb, 0, + sizeof(struct ipsec_encap_pdb) + + sizeof(session->ip6_hdr)); + session->ip6_hdr.vtc_flow = rte_cpu_to_be_32( + DPAA_IPv6_DEFAULT_VTC_FLOW | + ((ipsec_xform->tunnel.ipv6.dscp << + RTE_IPV6_HDR_TC_SHIFT) & + RTE_IPV6_HDR_TC_MASK) | + ((ipsec_xform->tunnel.ipv6.flabel << + RTE_IPV6_HDR_FL_SHIFT) & + RTE_IPV6_HDR_FL_MASK)); + /* Payload length will be updated by HW */ + session->ip6_hdr.payload_len = 0; + session->ip6_hdr.hop_limits = + ipsec_xform->tunnel.ipv6.hlimit; + session->ip6_hdr.proto = (ipsec_xform->proto == + RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? + IPPROTO_ESP : IPPROTO_AH; + memcpy(&session->ip6_hdr.src_addr, + &ipsec_xform->tunnel.ipv6.src_addr, 16); + memcpy(&session->ip6_hdr.dst_addr, + &ipsec_xform->tunnel.ipv6.dst_addr, 16); + session->encap_pdb.ip_hdr_len = + sizeof(struct rte_ipv6_hdr); + } session->encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) | PDBOPTS_ESP_OIHI_PDB_INL | @@ -2257,13 +2289,16 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, PDBHMO_ESP_ENCAP_DTTL | PDBHMO_ESP_SNR; session->encap_pdb.spi = ipsec_xform->spi; - session->encap_pdb.ip_hdr_len = sizeof(struct ip); session->dir = DIR_ENC; } else if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { memset(&session->decap_pdb, 0, sizeof(struct ipsec_decap_pdb)); - session->decap_pdb.options = sizeof(struct ip) << 16; + if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) + session->decap_pdb.options = sizeof(struct ip) << 16; + else + session->decap_pdb.options = + sizeof(struct rte_ipv6_hdr) << 16; session->dir = DIR_DEC; } else goto out; diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h index 75c0960a9..08e7d66e5 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.h +++ b/drivers/crypto/dpaa_sec/dpaa_sec.h @@ -19,6 +19,8 @@ #define AES_CTR_IV_LEN 16 #define AES_GCM_IV_LEN 12 +#define DPAA_IPv6_DEFAULT_VTC_FLOW 0x60000000 + /* Minimum job descriptor consists of a oneword job descriptor HEADER and * a pointer to the shared descriptor. */ @@ -139,7 +141,10 @@ typedef struct dpaa_sec_session_entry { uint32_t digest_length; struct ipsec_decap_pdb decap_pdb; struct ipsec_encap_pdb encap_pdb; - struct ip ip4_hdr; + union { + struct ip ip4_hdr; + struct rte_ipv6_hdr ip6_hdr; + }; }; struct sec_pdcp_ctxt pdcp; }; From patchwork Mon Aug 5 08:22:04 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 57430 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 766441BE38; Mon, 5 Aug 2019 10:35:32 +0200 (CEST) Received: from inva020.nxp.com (inva020.nxp.com [92.121.34.13]) by dpdk.org (Postfix) with ESMTP id 4A9871BDE2 for ; Mon, 5 Aug 2019 10:35:29 +0200 (CEST) Received: from inva020.nxp.com (localhost [127.0.0.1]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id DF4CE1A027A; Mon, 5 Aug 2019 10:35:28 +0200 (CEST) Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com [165.114.16.14]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 1AFB21A027C; Mon, 5 Aug 2019 10:35:26 +0200 (CEST) Received: from GDB1.ap.freescale.net (GDB1.ap.freescale.net [10.232.132.179]) by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id 83B4C402E2; Mon, 5 Aug 2019 16:35:22 +0800 (SGT) From: Akhil Goyal To: dev@dpdk.org Cc: hemant.agrawal@nxp.com, konstantin.ananyev@intel.com, Akhil Goyal Date: Mon, 5 Aug 2019 13:52:04 +0530 Message-Id: <20190805082205.10794-3-akhil.goyal@nxp.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190805082205.10794-1-akhil.goyal@nxp.com> References: <20190805053827.29066-1-akhil.goyal@nxp.com> <20190805082205.10794-1-akhil.goyal@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Subject: [dpdk-dev] [PATCH v2 2/3] crypto/dpaa2_sec: support IPv6 tunnel for protocol offload X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" outer IP header is formed at the time of session initialization using the ipsec xform. This outer IP header will be appended by hardware for each packet. Signed-off-by: Akhil Goyal --- drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 73 +++++++++++++++------ drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 2 + 2 files changed, 55 insertions(+), 20 deletions(-) diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c index 26458e5d1..12961e313 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c @@ -9,6 +9,7 @@ #include #include +#include #include #include #include @@ -2465,23 +2466,9 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, session->ctxt_type = DPAA2_SEC_IPSEC; if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { - struct ip ip4_hdr; + uint8_t *hdr = NULL; flc->dhr = SEC_FLC_DHR_OUTBOUND; - ip4_hdr.ip_v = IPVERSION; - ip4_hdr.ip_hl = 5; - ip4_hdr.ip_len = rte_cpu_to_be_16(sizeof(ip4_hdr)); - ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; - ip4_hdr.ip_id = 0; - ip4_hdr.ip_off = 0; - ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; - ip4_hdr.ip_p = IPPROTO_ESP; - ip4_hdr.ip_sum = 0; - ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; - ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; - ip4_hdr.ip_sum = calc_chksum((uint16_t *)(void *)&ip4_hdr, - sizeof(struct ip)); - /* For Sec Proto only one descriptor is required. */ memset(&encap_pdb, 0, sizeof(struct ipsec_encap_pdb)); encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) | @@ -2490,18 +2477,64 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, PDBHMO_ESP_ENCAP_DTTL | PDBHMO_ESP_SNR; encap_pdb.spi = ipsec_xform->spi; - encap_pdb.ip_hdr_len = sizeof(struct ip); - session->dir = DIR_ENC; + + if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + struct ip ip4_hdr; + + encap_pdb.ip_hdr_len = sizeof(struct ip); + ip4_hdr.ip_v = IPVERSION; + ip4_hdr.ip_hl = 5; + ip4_hdr.ip_len = rte_cpu_to_be_16(sizeof(ip4_hdr)); + ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; + ip4_hdr.ip_id = 0; + ip4_hdr.ip_off = 0; + ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; + ip4_hdr.ip_p = IPPROTO_ESP; + ip4_hdr.ip_sum = 0; + ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; + ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; + ip4_hdr.ip_sum = calc_chksum((uint16_t *)(void *) + &ip4_hdr, sizeof(struct ip)); + hdr = (uint8_t *)&ip4_hdr; + } else if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV6) { + struct rte_ipv6_hdr ip6_hdr; + + ip6_hdr.vtc_flow = rte_cpu_to_be_32( + DPAA2_IPv6_DEFAULT_VTC_FLOW | + ((ipsec_xform->tunnel.ipv6.dscp << + RTE_IPV6_HDR_TC_SHIFT) & + RTE_IPV6_HDR_TC_MASK) | + ((ipsec_xform->tunnel.ipv6.flabel << + RTE_IPV6_HDR_FL_SHIFT) & + RTE_IPV6_HDR_FL_MASK)); + /* Payload length will be updated by HW */ + ip6_hdr.payload_len = 0; + ip6_hdr.hop_limits = + ipsec_xform->tunnel.ipv6.hlimit; + ip6_hdr.proto = (ipsec_xform->proto == + RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? + IPPROTO_ESP : IPPROTO_AH; + memcpy(&ip6_hdr.src_addr, + &ipsec_xform->tunnel.ipv6.src_addr, 16); + memcpy(&ip6_hdr.dst_addr, + &ipsec_xform->tunnel.ipv6.dst_addr, 16); + encap_pdb.ip_hdr_len = sizeof(struct rte_ipv6_hdr); + hdr = (uint8_t *)&ip6_hdr; + } bufsize = cnstr_shdsc_ipsec_new_encap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, &encap_pdb, - (uint8_t *)&ip4_hdr, - &cipherdata, &authdata); + hdr, &cipherdata, &authdata); } else if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { flc->dhr = SEC_FLC_DHR_INBOUND; memset(&decap_pdb, 0, sizeof(struct ipsec_decap_pdb)); - decap_pdb.options = sizeof(struct ip) << 16; + decap_pdb.options = (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) ? + sizeof(struct ip) << 16 : + sizeof(struct rte_ipv6_hdr) << 16; session->dir = DIR_DEC; bufsize = cnstr_shdsc_ipsec_new_decap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h index 51751103d..a05deaebd 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h @@ -41,6 +41,8 @@ enum shr_desc_type { #define DIR_ENC 1 #define DIR_DEC 0 +#define DPAA2_IPv6_DEFAULT_VTC_FLOW 0x60000000 + #define DPAA2_SET_FLC_EWS(flc) (flc->word1_bits23_16 |= 0x1) #define DPAA2_SET_FLC_RSC(flc) (flc->word1_bits31_24 |= 0x1) #define DPAA2_SET_FLC_REUSE_BS(flc) (flc->mode_bits |= 0x8000) From patchwork Mon Aug 5 08:22:05 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 57431 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 9450A1BE42; Mon, 5 Aug 2019 10:35:34 +0200 (CEST) Received: from inva020.nxp.com (inva020.nxp.com [92.121.34.13]) by dpdk.org (Postfix) with ESMTP id 9957D1BE35 for ; Mon, 5 Aug 2019 10:35:31 +0200 (CEST) Received: from inva020.nxp.com (localhost [127.0.0.1]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 33E501A00FE; Mon, 5 Aug 2019 10:35:31 +0200 (CEST) Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com [165.114.16.14]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 9BF2E1A0281; Mon, 5 Aug 2019 10:35:28 +0200 (CEST) Received: from GDB1.ap.freescale.net (GDB1.ap.freescale.net [10.232.132.179]) by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id 2924E402FF; Mon, 5 Aug 2019 16:35:23 +0800 (SGT) From: Akhil Goyal To: dev@dpdk.org Cc: hemant.agrawal@nxp.com, konstantin.ananyev@intel.com, Akhil Goyal Date: Mon, 5 Aug 2019 13:52:05 +0530 Message-Id: <20190805082205.10794-4-akhil.goyal@nxp.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190805082205.10794-1-akhil.goyal@nxp.com> References: <20190805053827.29066-1-akhil.goyal@nxp.com> <20190805082205.10794-1-akhil.goyal@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Subject: [dpdk-dev] [PATCH v2 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" IPv6 tunnels are already supported in case of inline and lookaside none cases. In case of protocol offload, the details for IPv6 header need to be added in session configuration for security session create. Signed-off-by: Akhil Goyal --- examples/ipsec-secgw/ipsec.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index dc85adfe5..317faed7a 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -33,8 +33,20 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) memcpy((uint8_t *)&tunnel->ipv4.dst_ip, (uint8_t *)&sa->dst.ip.ip4, 4); + } else if (IS_IP6_TUNNEL(sa->flags)) { + tunnel->type = + RTE_SECURITY_IPSEC_TUNNEL_IPV6; + tunnel->ipv6.hlimit = IPDEFTTL; + tunnel->ipv6.dscp = 0; + tunnel->ipv6.flabel = 0; + + memcpy((uint8_t *)&tunnel->ipv6.src_addr, + (uint8_t *)&sa->src.ip.ip6.ip6_b, 16); + + memcpy((uint8_t *)&tunnel->ipv6.dst_addr, + (uint8_t *)&sa->dst.ip.ip6.ip6_b, 16); } - /* TODO support for Transport and IPV6 tunnel */ + /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; }