Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/126246/?format=api
{ "id": 126246, "url": "https://patches.dpdk.org/api/patches/126246/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/patch/20230418152324.806134-1-brian.dooley@intel.com/", "project": { "id": 1, "url": "https://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20230418152324.806134-1-brian.dooley@intel.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20230418152324.806134-1-brian.dooley@intel.com", "date": "2023-04-18T15:23:23", "name": "[v1] crypto/qat: add IPsec MB AES and DES Docsis support", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": true, "hash": "a48ccee00ee6d83d14c3aa89d6d3d7a2e2194ed2", "submitter": { "id": 2520, "url": "https://patches.dpdk.org/api/people/2520/?format=api", "name": "Dooley, Brian", "email": "brian.dooley@intel.com" }, "delegate": { "id": 6690, "url": "https://patches.dpdk.org/api/users/6690/?format=api", "username": "akhil", "first_name": "akhil", "last_name": "goyal", "email": "gakhil@marvell.com" }, "mbox": "https://patches.dpdk.org/project/dpdk/patch/20230418152324.806134-1-brian.dooley@intel.com/mbox/", "series": [ { "id": 27764, "url": "https://patches.dpdk.org/api/series/27764/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/list/?series=27764", "date": "2023-04-18T15:23:23", "name": "[v1] crypto/qat: add IPsec MB AES and DES Docsis support", "version": 1, "mbox": "https://patches.dpdk.org/series/27764/mbox/" } ], "comments": "https://patches.dpdk.org/api/patches/126246/comments/", "check": "fail", "checks": "https://patches.dpdk.org/api/patches/126246/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@inbox.dpdk.org", "Delivered-To": "patchwork@inbox.dpdk.org", "Received": [ "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id 9FF264297D;\n\tTue, 18 Apr 2023 17:23:40 +0200 (CEST)", "from mails.dpdk.org (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id 227FD410EA;\n\tTue, 18 Apr 2023 17:23:40 +0200 (CEST)", "from mga03.intel.com (mga03.intel.com [134.134.136.65])\n by mails.dpdk.org (Postfix) with ESMTP id 009424014F\n for <dev@dpdk.org>; Tue, 18 Apr 2023 17:23:37 +0200 (CEST)", "from orsmga003.jf.intel.com ([10.7.209.27])\n by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 18 Apr 2023 08:23:37 -0700", "from silpixa00400883.ir.intel.com ([10.243.22.146])\n by orsmga003.jf.intel.com with ESMTP; 18 Apr 2023 08:23:35 -0700" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/simple;\n d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n t=1681831418; x=1713367418;\n h=from:to:cc:subject:date:message-id:mime-version:\n content-transfer-encoding;\n bh=mZnIKzFpqX3LkgtdAjNQKjrwAAoHU1Pt5QYK7IuFlZc=;\n b=CKsoL6PRO0085854GYjdUjQe6ApprNk5CUst1p3p0ELO5B1zYaXm9WAD\n OJt/HVZ9h452HKEUXLbetHkiTWETrAeat4gLQ/fNYxkqAS4HXNl+ozHXO\n E7O3ZlBW0RsC+sBD/X5Y0ns/vPMhZEetkY1cUunmjPYM2P2rE+f3ax5e7\n 0p9k+9OwJBIcbHGzzJScuAbqSNiLMfjTBtQX67Ljyl5yCx0P6HoLQ6lCI\n 6nlTBu082GbTfbnzeNe6TsG1sIRRU+rGNk6YGrCjTqOtCUaXjTwX8/Grt\n fnCcCETdclxeM7lshyuo8DP7CnhEvK15Y9IRfn+3vRRjYi2dMh4qK3F+k Q==;", "X-IronPort-AV": [ "E=McAfee;i=\"6600,9927,10684\"; a=\"347958738\"", "E=Sophos;i=\"5.99,207,1677571200\"; d=\"scan'208\";a=\"347958738\"", "E=McAfee;i=\"6600,9927,10684\"; a=\"641398211\"", "E=Sophos;i=\"5.99,207,1677571200\"; d=\"scan'208\";a=\"641398211\"" ], "X-ExtLoop1": "1", "From": "Brian Dooley <brian.dooley@intel.com>", "To": "Kai Ji <kai.ji@intel.com>", "Cc": "dev@dpdk.org,\n\tBrian Dooley <brian.dooley@intel.com>", "Subject": "[PATCH v1] crypto/qat: add IPsec MB AES and DES Docsis support", "Date": "Tue, 18 Apr 2023 15:23:23 +0000", "Message-Id": "<20230418152324.806134-1-brian.dooley@intel.com>", "X-Mailer": "git-send-email 2.25.1", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org" }, "content": "Pre and post computations currently use the OpenSSL library by default.\nThis patch removes this dependency on OpenSSL and uses Intel IPsec MB\nlibrary for the required computations.\n\nRemoved OpenSSL dependency for QAT PMD compilation. IPsec MB is now a\nrequirement and minimum version of IPsec MB is v1.4.\n\nSigned-off-by: Brian Dooley <brian.dooley@intel.com>\n---\nA fallback feature is planned for v2 where IPsec MB v1.4 is the default\noption and the fallback option is to use OpenSSL. The code removed in this\npatch will be added back in for the fallback feature.\nIPsec MB is v1.4 is not yet released.\n---\n doc/guides/cryptodevs/qat.rst | 13 +-\n drivers/common/qat/meson.build | 25 +-\n drivers/common/qat/qat_device.c | 1 -\n drivers/common/qat/qat_device.h | 3 +-\n drivers/crypto/qat/dev/qat_crypto_pmd_gens.h | 31 +-\n drivers/crypto/qat/qat_sym.c | 9 +-\n drivers/crypto/qat/qat_sym.h | 48 +-\n drivers/crypto/qat/qat_sym_session.c | 600 ++-----------------\n drivers/crypto/qat/qat_sym_session.h | 11 +-\n 9 files changed, 112 insertions(+), 629 deletions(-)", "diff": "diff --git a/doc/guides/cryptodevs/qat.rst b/doc/guides/cryptodevs/qat.rst\nindex ef754106a8..7054aaba23 100644\n--- a/doc/guides/cryptodevs/qat.rst\n+++ b/doc/guides/cryptodevs/qat.rst\n@@ -294,18 +294,11 @@ by comma. When the same parameter is used more than once first occurrence of the\n is used.\n Maximum threshold that can be set is 32.\n \n-Running QAT PMD with Intel IPSEC MB library for symmetric precomputes function\n+Running QAT PMD with Intel IPsec MB library for symmetric precomputes function\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n \n-The QAT PMD use Openssl library for partial hash calculation in symmetirc precomputes function by\n-default, the following parameter is allow QAT PMD switch over to multi-buffer job API if Intel\n-IPSEC MB library installed on system.\n-\n-- qat_ipsec_mb_lib\n-\n-To use this feature the user must set the parameter on process start as a device additional parameter::\n-\n- -a 03:01.1,qat_ipsec_mb_lib=1\n+The QAT PMD uses Intel IPsec MB library for partial hash calculation in symmetric precomputes function by\n+default, the minimum required version of IPsec MB library is v1.4.\n \n \n Device and driver naming\ndiff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.build\nindex b84e5b3c6c..f4c4f07c9a 100644\n--- a/drivers/common/qat/meson.build\n+++ b/drivers/common/qat/meson.build\n@@ -27,30 +27,23 @@ if disable_drivers.contains(qat_compress_path)\n 'Explicitly disabled via build config')\n endif\n \n-libcrypto = dependency('libcrypto', required: false, method: 'pkg-config')\n-if qat_crypto and not libcrypto.found()\n- qat_crypto = false\n- dpdk_drvs_disabled += qat_crypto_path\n- set_variable(qat_crypto_path.underscorify() + '_disable_reason',\n- 'missing dependency, libcrypto')\n-endif\n-\n-IMB_required_ver = '1.2.0'\n+IMB_required_ver = '1.4.0'\n IMB_header = '#include<intel-ipsec-mb.h>'\n if arch_subdir == 'arm'\n IMB_header = '#include<ipsec-mb.h>'\n endif\n libipsecmb = cc.find_library('IPSec_MB', required: false)\n-libcrypto_3 = dependency('libcrypto', required: false,\n- method: 'pkg-config', version : '>=3.0.0')\n-if libipsecmb.found() and libcrypto_3.found()\n+if libipsecmb.found()\n # version comes with quotes, so we split based on \" and take the middle\n imb_ver = cc.get_define('IMB_VERSION_STR',\n prefix : IMB_header).split('\"')[1]\n \n- if (imb_ver.version_compare('>=' + IMB_required_ver))\n- ext_deps += libipsecmb\n- dpdk_conf.set('RTE_QAT_LIBIPSECMB', true)\n+ if (imb_ver.version_compare('<' + IMB_required_ver))\n+ qat_crypto = false\n+ dpdk_drvs_disabled += qat_crypto_path\n+ set_variable(qat_crypto_path.underscorify() + '_disable_reason',\n+ 'missing dependency, \"IPsec_MB\" >= @0@ is required, found version @1@'\n+ .format(IMB_required_ver, imb_ver))\n endif\n endif\n \n@@ -103,6 +96,6 @@ if qat_crypto\n sources += files(join_paths(qat_crypto_relpath, f))\n endforeach\n deps += ['security']\n- ext_deps += libcrypto\n+ ext_deps += libipsecmb\n cflags += ['-DBUILD_QAT_SYM', '-DBUILD_QAT_ASYM']\n endif\ndiff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c\nindex 8bce2ac073..cf9a89dc0c 100644\n--- a/drivers/common/qat/qat_device.c\n+++ b/drivers/common/qat/qat_device.c\n@@ -365,7 +365,6 @@ static int qat_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,\n \tstruct qat_pci_device *qat_pci_dev;\n \tstruct qat_dev_hw_spec_funcs *ops_hw;\n \tstruct qat_dev_cmd_param qat_dev_cmd_param[] = {\n-\t\t\t{ QAT_IPSEC_MB_LIB, 0 },\n \t\t\t{ SYM_ENQ_THRESHOLD_NAME, 0 },\n \t\t\t{ ASYM_ENQ_THRESHOLD_NAME, 0 },\n \t\t\t{ COMP_ENQ_THRESHOLD_NAME, 0 },\ndiff --git a/drivers/common/qat/qat_device.h b/drivers/common/qat/qat_device.h\nindex bc3da04238..873a5583ad 100644\n--- a/drivers/common/qat/qat_device.h\n+++ b/drivers/common/qat/qat_device.h\n@@ -17,12 +17,11 @@\n \n #define QAT_DEV_NAME_MAX_LEN\t64\n \n-#define QAT_IPSEC_MB_LIB \"qat_ipsec_mb_lib\"\n #define SYM_ENQ_THRESHOLD_NAME \"qat_sym_enq_threshold\"\n #define ASYM_ENQ_THRESHOLD_NAME \"qat_asym_enq_threshold\"\n #define COMP_ENQ_THRESHOLD_NAME \"qat_comp_enq_threshold\"\n #define QAT_CMD_SLICE_MAP \"qat_cmd_slice_disable\"\n-#define QAT_CMD_SLICE_MAP_POS\t4\n+#define QAT_CMD_SLICE_MAP_POS\t3\n #define MAX_QP_THRESHOLD_SIZE\t32\n \n /**\ndiff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gens.h b/drivers/crypto/qat/dev/qat_crypto_pmd_gens.h\nindex 524c291340..77a504d5f3 100644\n--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gens.h\n+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gens.h\n@@ -17,31 +17,6 @@\n \t(ICP_QAT_FW_COMN_STATUS_FLAG_OK == \\\n \tICP_QAT_FW_COMN_RESP_CRYPTO_STAT_GET(resp->comn_hdr.comn_status))\n \n-static __rte_always_inline int\n-op_bpi_cipher_decrypt(uint8_t *src, uint8_t *dst,\n-\t\tuint8_t *iv, int ivlen, int srclen,\n-\t\tvoid *bpi_ctx)\n-{\n-\tEVP_CIPHER_CTX *ctx = (EVP_CIPHER_CTX *)bpi_ctx;\n-\tint encrypted_ivlen;\n-\tuint8_t encrypted_iv[BPI_MAX_ENCR_IV_LEN];\n-\tuint8_t *encr = encrypted_iv;\n-\n-\t/* ECB method: encrypt (not decrypt!) the IV, then XOR with plaintext */\n-\tif (EVP_EncryptUpdate(ctx, encrypted_iv, &encrypted_ivlen, iv, ivlen)\n-\t\t\t\t\t\t\t\t<= 0)\n-\t\tgoto cipher_decrypt_err;\n-\n-\tfor (; srclen != 0; --srclen, ++dst, ++src, ++encr)\n-\t\t*dst = *src ^ *encr;\n-\n-\treturn 0;\n-\n-cipher_decrypt_err:\n-\tQAT_DP_LOG(ERR, \"libcrypto ECB cipher decrypt for BPI IV failed\");\n-\treturn -EINVAL;\n-}\n-\n static __rte_always_inline uint32_t\n qat_bpicipher_preprocess(struct qat_sym_session *ctx,\n \t\t\t\tstruct rte_crypto_op *op)\n@@ -82,8 +57,8 @@ qat_bpicipher_preprocess(struct qat_sym_session *ctx,\n \t\t\tQAT_DP_HEXDUMP_LOG(DEBUG, \"BPI: dst before pre-process:\",\n \t\t\tdst, last_block_len);\n #endif\n-\t\top_bpi_cipher_decrypt(last_block, dst, iv, block_len,\n-\t\t\t\tlast_block_len, ctx->bpi_ctx);\n+\t\tbpi_cipher_job(last_block, dst, iv, last_block_len, ctx->expkey,\n+\t\t\tctx->mb_mgr, ctx->docsis_key_len);\n #if RTE_LOG_DP_LEVEL >= RTE_LOG_DEBUG\n \t\tQAT_DP_HEXDUMP_LOG(DEBUG, \"BPI: src after pre-process:\",\n \t\t\tlast_block, last_block_len);\n@@ -231,7 +206,7 @@ qat_sym_convert_op_to_vec_cipher(struct rte_crypto_op *op,\n \t\tcipher_ofs = op->sym->cipher.data.offset >> 3;\n \t\tbreak;\n \tcase 0:\n-\t\tif (ctx->bpi_ctx) {\n+\t\tif (ctx->mb_mgr) {\n \t\t\t/* DOCSIS - only send complete blocks to device.\n \t\t\t * Process any partial block using CFB mode.\n \t\t\t * Even if 0 complete blocks, still send this to device\ndiff --git a/drivers/crypto/qat/qat_sym.c b/drivers/crypto/qat/qat_sym.c\nindex 08e92191a3..989efef0ed 100644\n--- a/drivers/crypto/qat/qat_sym.c\n+++ b/drivers/crypto/qat/qat_sym.c\n@@ -1,9 +1,7 @@\n /* SPDX-License-Identifier: BSD-3-Clause\n- * Copyright(c) 2015-2022 Intel Corporation\n+ * Copyright(c) 2015-2023 Intel Corporation\n */\n \n-#include <openssl/evp.h>\n-\n #include <rte_mempool.h>\n #include <rte_mbuf.h>\n #include <rte_crypto_sym.h>\n@@ -16,7 +14,6 @@\n #include \"qat_qp.h\"\n \n uint8_t qat_sym_driver_id;\n-int qat_ipsec_mb_lib;\n \n struct qat_crypto_gen_dev_ops qat_sym_gen_dev_ops[QAT_N_GENS];\n \n@@ -110,7 +107,7 @@ qat_sym_build_request(void *in_op, uint8_t *out_msg,\n \t\t\tstruct rte_cryptodev *cdev;\n \t\t\tstruct qat_cryptodev_private *internals;\n \n-\t\t\tif (unlikely(ctx->bpi_ctx == NULL)) {\n+\t\t\tif (unlikely(ctx->mb_mgr == NULL)) {\n \t\t\t\tQAT_DP_LOG(ERR, \"QAT PMD only supports security\"\n \t\t\t\t\t\t\" operation requests for\"\n \t\t\t\t\t\t\" DOCSIS, op (%p) is not for\"\n@@ -279,8 +276,6 @@ qat_sym_dev_create(struct qat_pci_device *qat_pci_dev,\n \t\tif (!strcmp(qat_dev_cmd_param[i].name, SYM_ENQ_THRESHOLD_NAME))\n \t\t\tinternals->min_enq_burst_threshold =\n \t\t\t\t\tqat_dev_cmd_param[i].val;\n-\t\tif (!strcmp(qat_dev_cmd_param[i].name, QAT_IPSEC_MB_LIB))\n-\t\t\tqat_ipsec_mb_lib = qat_dev_cmd_param[i].val;\n \t\tif (!strcmp(qat_dev_cmd_param[i].name, QAT_CMD_SLICE_MAP))\n \t\t\tslice_map = qat_dev_cmd_param[i].val;\n \t\ti++;\ndiff --git a/drivers/crypto/qat/qat_sym.h b/drivers/crypto/qat/qat_sym.h\nindex 9a4251e08b..1806fb684b 100644\n--- a/drivers/crypto/qat/qat_sym.h\n+++ b/drivers/crypto/qat/qat_sym.h\n@@ -20,6 +20,11 @@\n #include \"qat_sym_session.h\"\n #include \"qat_crypto.h\"\n #include \"qat_logs.h\"\n+#if defined(RTE_ARCH_ARM)\n+#include <ipsec-mb.h>\n+#else\n+#include <intel-ipsec-mb.h>\n+#endif\n \n #define BYTE_LENGTH 8\n /* bpi is only used for partial blocks of DES and AES\n@@ -134,33 +139,16 @@ uint16_t\n qat_sym_dequeue_burst(void *qp, struct rte_crypto_op **ops,\n \t\tuint16_t nb_ops);\n \n-/** Encrypt a single partial block\n- * Depends on openssl libcrypto\n- * Uses ECB+XOR to do CFB encryption, same result, more performant\n- */\n-static inline int\n-bpi_cipher_encrypt(uint8_t *src, uint8_t *dst,\n-\t\tuint8_t *iv, int ivlen, int srclen,\n-\t\tvoid *bpi_ctx)\n+static __rte_always_inline void\n+bpi_cipher_job(uint8_t *src, uint8_t *dst, uint8_t *iv, int srclen,\n+\t\tuint64_t *expkey, IMB_MGR *m, uint8_t docsis_key_len)\n {\n-\tEVP_CIPHER_CTX *ctx = (EVP_CIPHER_CTX *)bpi_ctx;\n-\tint encrypted_ivlen;\n-\tuint8_t encrypted_iv[BPI_MAX_ENCR_IV_LEN];\n-\tuint8_t *encr = encrypted_iv;\n-\n-\t/* ECB method: encrypt the IV, then XOR this with plaintext */\n-\tif (EVP_EncryptUpdate(ctx, encrypted_iv, &encrypted_ivlen, iv, ivlen)\n-\t\t\t\t\t\t\t\t<= 0)\n-\t\tgoto cipher_encrypt_err;\n-\n-\tfor (; srclen != 0; --srclen, ++dst, ++src, ++encr)\n-\t\t*dst = *src ^ *encr;\n-\n-\treturn 0;\n-\n-cipher_encrypt_err:\n-\tQAT_DP_LOG(ERR, \"libcrypto ECB cipher encrypt failed\");\n-\treturn -EINVAL;\n+\tif (docsis_key_len == ICP_QAT_HW_AES_128_KEY_SZ)\n+\t\tIMB_AES128_CFB_ONE(m, dst, src, (uint64_t *)iv, expkey, srclen);\n+\telse if (docsis_key_len == ICP_QAT_HW_AES_256_KEY_SZ)\n+\t\tIMB_AES256_CFB_ONE(m, dst, src, (uint64_t *)iv, expkey, srclen);\n+\telse if (docsis_key_len == ICP_QAT_HW_DES_KEY_SZ)\n+\t\tdes_cfb_one(dst, src, (uint64_t *)iv, expkey, srclen);\n }\n \n static inline uint32_t\n@@ -207,8 +195,8 @@ qat_bpicipher_postprocess(struct qat_sym_session *ctx,\n \t\t\t\t\"BPI: dst before post-process:\",\n \t\t\t\tdst, last_block_len);\n #endif\n-\t\tbpi_cipher_encrypt(last_block, dst, iv, block_len,\n-\t\t\t\tlast_block_len, ctx->bpi_ctx);\n+\t\tbpi_cipher_job(last_block, dst, iv, last_block_len, ctx->expkey,\n+\t\t\tctx->mb_mgr, ctx->docsis_key_len);\n #if RTE_LOG_DP_LEVEL >= RTE_LOG_DEBUG\n \t\tQAT_DP_HEXDUMP_LOG(DEBUG, \"BPI: src after post-process:\",\n \t\t\t\tlast_block, last_block_len);\n@@ -279,7 +267,7 @@ qat_sym_preprocess_requests(void **ops, uint16_t nb_ops)\n \t\tif (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {\n \t\t\tctx = SECURITY_GET_SESS_PRIV(op->sym->session);\n \n-\t\t\tif (ctx == NULL || ctx->bpi_ctx == NULL)\n+\t\t\tif (ctx == NULL || ctx->mb_mgr == NULL)\n \t\t\t\tcontinue;\n \n \t\t\tqat_crc_generate(ctx, op);\n@@ -327,7 +315,7 @@ qat_sym_process_response(void **op, uint8_t *resp, void *op_cookie,\n \t} else {\n \t\trx_op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;\n \n-\t\tif (sess->bpi_ctx) {\n+\t\tif (sess->mb_mgr) {\n \t\t\tqat_bpicipher_postprocess(sess, rx_op);\n #ifdef RTE_LIB_SECURITY\n \t\t\tif (is_docsis_sec)\ndiff --git a/drivers/crypto/qat/qat_sym_session.c b/drivers/crypto/qat/qat_sym_session.c\nindex 466482d225..40e40bdcb3 100644\n--- a/drivers/crypto/qat/qat_sym_session.c\n+++ b/drivers/crypto/qat/qat_sym_session.c\n@@ -2,21 +2,12 @@\n * Copyright(c) 2015-2022 Intel Corporation\n */\n \n-#define OPENSSL_API_COMPAT 0x10100000L\n-\n-#include <openssl/sha.h>\t/* Needed to calculate pre-compute values */\n-#include <openssl/aes.h>\t/* Needed to calculate pre-compute values */\n-#include <openssl/md5.h>\t/* Needed to calculate pre-compute values */\n-#include <openssl/evp.h>\t/* Needed for bpi runt block processing */\n-\n-#ifdef RTE_QAT_LIBIPSECMB\n #define NO_COMPAT_IMB_API_053\n #if defined(RTE_ARCH_ARM)\n #include <ipsec-mb.h>\n #else\n #include <intel-ipsec-mb.h>\n #endif\n-#endif\n \n #include <rte_memcpy.h>\n #include <rte_common.h>\n@@ -33,40 +24,18 @@\n #include \"qat_sym_session.h\"\n #include \"qat_sym.h\"\n \n-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)\n-#include <openssl/provider.h>\n-\n-static OSSL_PROVIDER * legacy_lib;\n-static OSSL_PROVIDER *default_lib;\n-\n-/* Some cryptographic algorithms such as MD and DES are now considered legacy\n- * and not enabled by default in OpenSSL 3.0. Load up lagacy provider as MD5\n- * DES are needed in QAT pre-computes and secure session creation.\n+#define MD5_CBLOCK 64\n+#define SHA_LBLOCK 16\n+/* SHA treats input data as a contiguous array of 32 bit wide big-endian\n+ * values.\n */\n-static int ossl_legacy_provider_load(void)\n-{\n-\t/* Load Multiple providers into the default (NULL) library context */\n-\tlegacy_lib = OSSL_PROVIDER_load(NULL, \"legacy\");\n-\tif (legacy_lib == NULL)\n-\t\treturn -EINVAL;\n+#define SHA_CBLOCK (SHA_LBLOCK*4)\n \n-\tdefault_lib = OSSL_PROVIDER_load(NULL, \"default\");\n-\tif (default_lib == NULL) {\n-\t\tOSSL_PROVIDER_unload(legacy_lib);\n-\t\treturn -EINVAL;\n-\t}\n-\n-\treturn 0;\n-}\n-\n-static void ossl_legacy_provider_unload(void)\n-{\n-\tOSSL_PROVIDER_unload(legacy_lib);\n-\tOSSL_PROVIDER_unload(default_lib);\n-}\n-#endif\n-\n-extern int qat_ipsec_mb_lib;\n+/* SHA-256 treats input data as a contiguous array of 32 bit wide big-endian\n+ * values.\n+ */\n+#define SHA256_CBLOCK (SHA_LBLOCK*4)\n+#define SHA512_CBLOCK (SHA_LBLOCK*8)\n \n /* SHA1 - 20 bytes - Initialiser state can be found in FIPS stds 180-2 */\n static const uint8_t sha1InitialState[] = {\n@@ -133,53 +102,44 @@ qat_sym_session_finalize(struct qat_sym_session *session)\n \tqat_sym_session_init_common_hdr(session);\n }\n \n-/** Frees a context previously created\n- * Depends on openssl libcrypto\n- */\n-static void\n-bpi_cipher_ctx_free(void *bpi_ctx)\n-{\n-\tif (bpi_ctx != NULL)\n-\t\tEVP_CIPHER_CTX_free((EVP_CIPHER_CTX *)bpi_ctx);\n-}\n-\n /** Creates a context in either AES or DES in ECB mode\n- * Depends on openssl libcrypto\n */\n static int\n-bpi_cipher_ctx_init(enum rte_crypto_cipher_algorithm cryptodev_algo,\n-\t\tenum rte_crypto_cipher_operation direction __rte_unused,\n-\t\tconst uint8_t *key, uint16_t key_length, void **ctx)\n+ipsec_mb_ctx_init(const uint8_t *key, uint16_t key_length,\n+\t\tenum rte_crypto_cipher_algorithm cryptodev_algo,\n+\t\tuint64_t *expkey, uint32_t *dust, IMB_MGR **m)\n {\n-\tconst EVP_CIPHER *algo = NULL;\n \tint ret;\n-\t*ctx = EVP_CIPHER_CTX_new();\n \n-\tif (*ctx == NULL) {\n-\t\tret = -ENOMEM;\n-\t\tgoto ctx_init_err;\n-\t}\n+\t*m = alloc_mb_mgr(0);\n+\tif (*m == NULL)\n+\t\treturn -ENOMEM;\n \n-\tif (cryptodev_algo == RTE_CRYPTO_CIPHER_DES_DOCSISBPI)\n-\t\talgo = EVP_des_ecb();\n-\telse\n-\t\tif (key_length == ICP_QAT_HW_AES_128_KEY_SZ)\n-\t\t\talgo = EVP_aes_128_ecb();\n-\t\telse\n-\t\t\talgo = EVP_aes_256_ecb();\n+\tinit_mb_mgr_auto(*m, NULL);\n \n-\t/* IV will be ECB encrypted whether direction is encrypt or decrypt*/\n-\tif (EVP_EncryptInit_ex(*ctx, algo, NULL, key, 0) != 1) {\n-\t\tret = -EINVAL;\n-\t\tgoto ctx_init_err;\n+\tif (cryptodev_algo == RTE_CRYPTO_CIPHER_AES_DOCSISBPI) {\n+\t\tif (key_length == ICP_QAT_HW_AES_128_KEY_SZ)\n+\t\t\tIMB_AES_KEYEXP_128(*m, key, expkey, dust);\n+\t\telse if (key_length == ICP_QAT_HW_AES_256_KEY_SZ)\n+\t\t\tIMB_AES_KEYEXP_256(*m, key, expkey, dust);\n+\t\telse {\n+\t\t\tret = -EFAULT;\n+\t\t\tgoto error_out;\n+\t\t}\n+\t} else if (cryptodev_algo == RTE_CRYPTO_CIPHER_DES_DOCSISBPI) {\n+\t\tif (key_length == ICP_QAT_HW_DES_KEY_SZ)\n+\t\t\tIMB_DES_KEYSCHED(*m, (uint64_t *)expkey, key);\n+\t\telse {\n+\t\t\tret = -EFAULT;\n+\t\t\tgoto error_out;\n+\t\t}\n \t}\n-\n \treturn 0;\n \n-ctx_init_err:\n-\tif (*ctx != NULL) {\n-\t\tEVP_CIPHER_CTX_free(*ctx);\n-\t\t*ctx = NULL;\n+error_out:\n+\tif (*m) {\n+\t\tfree_mb_mgr(*m);\n+\t\t*m = NULL;\n \t}\n \treturn ret;\n }\n@@ -232,8 +192,8 @@ qat_sym_session_clear(struct rte_cryptodev *dev __rte_unused,\n {\n \tstruct qat_sym_session *s = CRYPTODEV_GET_SYM_SESS_PRIV(sess);\n \n-\tif (s->bpi_ctx)\n-\t\tbpi_cipher_ctx_free(s->bpi_ctx);\n+\tif (s->mb_mgr)\n+\t\tfree_mb_mgr(s->mb_mgr);\n }\n \n static int\n@@ -396,12 +356,14 @@ qat_sym_session_configure_cipher(struct rte_cryptodev *dev,\n \t\tsession->qat_mode = ICP_QAT_HW_CIPHER_CTR_MODE;\n \t\tbreak;\n \tcase RTE_CRYPTO_CIPHER_DES_DOCSISBPI:\n-\t\tret = bpi_cipher_ctx_init(\n-\t\t\t\t\tcipher_xform->algo,\n-\t\t\t\t\tcipher_xform->op,\n+\t\tsession->docsis_key_len = cipher_xform->key.length;\n+\t\tret = ipsec_mb_ctx_init(\n \t\t\t\t\tcipher_xform->key.data,\n \t\t\t\t\tcipher_xform->key.length,\n-\t\t\t\t\t&session->bpi_ctx);\n+\t\t\t\t\tcipher_xform->algo,\n+\t\t\t\t\tsession->expkey,\n+\t\t\t\t\tsession->dust,\n+\t\t\t\t\t&session->mb_mgr);\n \t\tif (ret != 0) {\n \t\t\tQAT_LOG(ERR, \"failed to create DES BPI ctx\");\n \t\t\tgoto error_out;\n@@ -415,12 +377,14 @@ qat_sym_session_configure_cipher(struct rte_cryptodev *dev,\n \t\tsession->qat_mode = ICP_QAT_HW_CIPHER_CBC_MODE;\n \t\tbreak;\n \tcase RTE_CRYPTO_CIPHER_AES_DOCSISBPI:\n-\t\tret = bpi_cipher_ctx_init(\n-\t\t\t\t\tcipher_xform->algo,\n-\t\t\t\t\tcipher_xform->op,\n+\t\tsession->docsis_key_len = cipher_xform->key.length;\n+\t\tret = ipsec_mb_ctx_init(\n \t\t\t\t\tcipher_xform->key.data,\n \t\t\t\t\tcipher_xform->key.length,\n-\t\t\t\t\t&session->bpi_ctx);\n+\t\t\t\t\tcipher_xform->algo,\n+\t\t\t\t\tsession->expkey,\n+\t\t\t\t\tsession->dust,\n+\t\t\t\t\t&session->mb_mgr);\n \t\tif (ret != 0) {\n \t\t\tQAT_LOG(ERR, \"failed to create AES BPI ctx\");\n \t\t\tgoto error_out;\n@@ -506,9 +470,9 @@ qat_sym_session_configure_cipher(struct rte_cryptodev *dev,\n \treturn 0;\n \n error_out:\n-\tif (session->bpi_ctx) {\n-\t\tbpi_cipher_ctx_free(session->bpi_ctx);\n-\t\tsession->bpi_ctx = NULL;\n+\tif (session->mb_mgr) {\n+\t\tfree_mb_mgr(session->mb_mgr);\n+\t\tsession->mb_mgr = NULL;\n \t}\n \treturn ret;\n }\n@@ -520,9 +484,6 @@ qat_sym_session_configure(struct rte_cryptodev *dev,\n {\n \tint ret;\n \n-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)\n-\tossl_legacy_provider_load();\n-#endif\n \tret = qat_sym_session_set_parameters(dev, xform,\n \t\t\tCRYPTODEV_GET_SYM_SESS_PRIV(sess),\n \t\t\tCRYPTODEV_GET_SYM_SESS_PRIV_IOVA(sess));\n@@ -533,9 +494,6 @@ qat_sym_session_configure(struct rte_cryptodev *dev,\n \t\treturn ret;\n \t}\n \n-# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)\n-\tossl_legacy_provider_unload();\n-# endif\n \treturn 0;\n }\n \n@@ -1156,9 +1114,6 @@ static int qat_hash_get_block_size(enum icp_qat_hw_auth_algo qat_hash_alg)\n #define HMAC_OPAD_VALUE\t0x5c\n #define HASH_XCBC_PRECOMP_KEY_NUM 3\n \n-static const uint8_t AES_CMAC_SEED[ICP_QAT_HW_AES_128_KEY_SZ];\n-\n-#ifdef RTE_QAT_LIBIPSECMB\n static int aes_ipsecmb_job(uint8_t *in, uint8_t *out, IMB_MGR *m,\n \t\tconst uint8_t *key, uint16_t auth_keylen)\n {\n@@ -1405,334 +1360,6 @@ static int qat_sym_do_precomputes_ipsec_mb(enum icp_qat_hw_auth_algo hash_alg,\n \tfree_mb_mgr(m);\n \treturn ret;\n }\n-#endif\n-static int partial_hash_sha1(uint8_t *data_in, uint8_t *data_out)\n-{\n-\tSHA_CTX ctx;\n-\n-\tif (!SHA1_Init(&ctx))\n-\t\treturn -EFAULT;\n-\tSHA1_Transform(&ctx, data_in);\n-\trte_memcpy(data_out, &ctx, SHA_DIGEST_LENGTH);\n-\treturn 0;\n-}\n-\n-static int partial_hash_sha224(uint8_t *data_in, uint8_t *data_out)\n-{\n-\tSHA256_CTX ctx;\n-\n-\tif (!SHA224_Init(&ctx))\n-\t\treturn -EFAULT;\n-\tSHA256_Transform(&ctx, data_in);\n-\trte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);\n-\treturn 0;\n-}\n-\n-static int partial_hash_sha256(uint8_t *data_in, uint8_t *data_out)\n-{\n-\tSHA256_CTX ctx;\n-\n-\tif (!SHA256_Init(&ctx))\n-\t\treturn -EFAULT;\n-\tSHA256_Transform(&ctx, data_in);\n-\trte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);\n-\treturn 0;\n-}\n-\n-static int partial_hash_sha384(uint8_t *data_in, uint8_t *data_out)\n-{\n-\tSHA512_CTX ctx;\n-\n-\tif (!SHA384_Init(&ctx))\n-\t\treturn -EFAULT;\n-\tSHA512_Transform(&ctx, data_in);\n-\trte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);\n-\treturn 0;\n-}\n-\n-static int partial_hash_sha512(uint8_t *data_in, uint8_t *data_out)\n-{\n-\tSHA512_CTX ctx;\n-\n-\tif (!SHA512_Init(&ctx))\n-\t\treturn -EFAULT;\n-\tSHA512_Transform(&ctx, data_in);\n-\trte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);\n-\treturn 0;\n-}\n-\n-static int partial_hash_md5(uint8_t *data_in, uint8_t *data_out)\n-{\n-\tMD5_CTX ctx;\n-\n-\tif (!MD5_Init(&ctx))\n-\t\treturn -EFAULT;\n-\tMD5_Transform(&ctx, data_in);\n-\trte_memcpy(data_out, &ctx, MD5_DIGEST_LENGTH);\n-\n-\treturn 0;\n-}\n-\n-static void aes_cmac_key_derive(uint8_t *base, uint8_t *derived)\n-{\n-\tint i;\n-\n-\tderived[0] = base[0] << 1;\n-\tfor (i = 1; i < ICP_QAT_HW_AES_BLK_SZ ; i++) {\n-\t\tderived[i] = base[i] << 1;\n-\t\tderived[i - 1] |= base[i] >> 7;\n-\t}\n-\n-\tif (base[0] & 0x80)\n-\t\tderived[ICP_QAT_HW_AES_BLK_SZ - 1] ^= QAT_AES_CMAC_CONST_RB;\n-}\n-\n-static int\n-partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg,\n-\t\tuint8_t *data_in, uint8_t *data_out)\n-{\n-\tint digest_size;\n-\tuint8_t digest[qat_hash_get_digest_size(\n-\t\t\tICP_QAT_HW_AUTH_ALGO_DELIMITER)];\n-\tuint32_t *hash_state_out_be32;\n-\tuint64_t *hash_state_out_be64;\n-\tint i;\n-\n-\t/* Initialize to avoid gcc warning */\n-\tmemset(digest, 0, sizeof(digest));\n-\n-\tdigest_size = qat_hash_get_digest_size(hash_alg);\n-\tif (digest_size <= 0)\n-\t\treturn -EFAULT;\n-\n-\thash_state_out_be32 = (uint32_t *)data_out;\n-\thash_state_out_be64 = (uint64_t *)data_out;\n-\n-\tswitch (hash_alg) {\n-\tcase ICP_QAT_HW_AUTH_ALGO_SHA1:\n-\t\tif (partial_hash_sha1(data_in, digest))\n-\t\t\treturn -EFAULT;\n-\t\tfor (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)\n-\t\t\t*hash_state_out_be32 =\n-\t\t\t\trte_bswap32(*(((uint32_t *)digest)+i));\n-\t\tbreak;\n-\tcase ICP_QAT_HW_AUTH_ALGO_SHA224:\n-\t\tif (partial_hash_sha224(data_in, digest))\n-\t\t\treturn -EFAULT;\n-\t\tfor (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)\n-\t\t\t*hash_state_out_be32 =\n-\t\t\t\trte_bswap32(*(((uint32_t *)digest)+i));\n-\t\tbreak;\n-\tcase ICP_QAT_HW_AUTH_ALGO_SHA256:\n-\t\tif (partial_hash_sha256(data_in, digest))\n-\t\t\treturn -EFAULT;\n-\t\tfor (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)\n-\t\t\t*hash_state_out_be32 =\n-\t\t\t\trte_bswap32(*(((uint32_t *)digest)+i));\n-\t\tbreak;\n-\tcase ICP_QAT_HW_AUTH_ALGO_SHA384:\n-\t\tif (partial_hash_sha384(data_in, digest))\n-\t\t\treturn -EFAULT;\n-\t\tfor (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)\n-\t\t\t*hash_state_out_be64 =\n-\t\t\t\trte_bswap64(*(((uint64_t *)digest)+i));\n-\t\tbreak;\n-\tcase ICP_QAT_HW_AUTH_ALGO_SHA512:\n-\t\tif (partial_hash_sha512(data_in, digest))\n-\t\t\treturn -EFAULT;\n-\t\tfor (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)\n-\t\t\t*hash_state_out_be64 =\n-\t\t\t\trte_bswap64(*(((uint64_t *)digest)+i));\n-\t\tbreak;\n-\tcase ICP_QAT_HW_AUTH_ALGO_MD5:\n-\t\tif (partial_hash_md5(data_in, data_out))\n-\t\t\treturn -EFAULT;\n-\t\tbreak;\n-\tdefault:\n-\t\tQAT_LOG(ERR, \"invalid hash alg %u\", hash_alg);\n-\t\treturn -EFAULT;\n-\t}\n-\n-\treturn 0;\n-}\n-\n-static int qat_sym_do_precomputes(enum icp_qat_hw_auth_algo hash_alg,\n-\t\t\t\tconst uint8_t *auth_key,\n-\t\t\t\tuint16_t auth_keylen,\n-\t\t\t\tuint8_t *p_state_buf,\n-\t\t\t\tuint16_t *p_state_len,\n-\t\t\t\tuint8_t aes_cmac)\n-{\n-\tint block_size;\n-\tuint8_t ipad[qat_hash_get_block_size(ICP_QAT_HW_AUTH_ALGO_DELIMITER)];\n-\tuint8_t opad[qat_hash_get_block_size(ICP_QAT_HW_AUTH_ALGO_DELIMITER)];\n-\tint i;\n-\n-\tif (hash_alg == ICP_QAT_HW_AUTH_ALGO_AES_XCBC_MAC) {\n-\n-\t\t/* CMAC */\n-\t\tif (aes_cmac) {\n-\t\t\tAES_KEY enc_key;\n-\t\t\tuint8_t *in = NULL;\n-\t\t\tuint8_t k0[ICP_QAT_HW_AES_128_KEY_SZ];\n-\t\t\tuint8_t *k1, *k2;\n-\n-\t\t\tauth_keylen = ICP_QAT_HW_AES_128_KEY_SZ;\n-\n-\t\t\tin = rte_zmalloc(\"AES CMAC K1\",\n-\t\t\t\t\t ICP_QAT_HW_AES_128_KEY_SZ, 16);\n-\n-\t\t\tif (in == NULL) {\n-\t\t\t\tQAT_LOG(ERR, \"Failed to alloc memory\");\n-\t\t\t\treturn -ENOMEM;\n-\t\t\t}\n-\n-\t\t\trte_memcpy(in, AES_CMAC_SEED,\n-\t\t\t\t ICP_QAT_HW_AES_128_KEY_SZ);\n-\t\t\trte_memcpy(p_state_buf, auth_key, auth_keylen);\n-\n-\t\t\tif (AES_set_encrypt_key(auth_key, auth_keylen << 3,\n-\t\t\t\t&enc_key) != 0) {\n-\t\t\t\trte_free(in);\n-\t\t\t\treturn -EFAULT;\n-\t\t\t}\n-\n-\t\t\tAES_encrypt(in, k0, &enc_key);\n-\n-\t\t\tk1 = p_state_buf + ICP_QAT_HW_AES_XCBC_MAC_STATE1_SZ;\n-\t\t\tk2 = k1 + ICP_QAT_HW_AES_XCBC_MAC_STATE1_SZ;\n-\n-\t\t\taes_cmac_key_derive(k0, k1);\n-\t\t\taes_cmac_key_derive(k1, k2);\n-\n-\t\t\tmemset(k0, 0, ICP_QAT_HW_AES_128_KEY_SZ);\n-\t\t\t*p_state_len = ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ;\n-\t\t\trte_free(in);\n-\t\t\treturn 0;\n-\t\t} else {\n-\t\t\tstatic uint8_t qat_aes_xcbc_key_seed[\n-\t\t\t\t\tICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ] = {\n-\t\t\t\t0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,\n-\t\t\t\t0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,\n-\t\t\t\t0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,\n-\t\t\t\t0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,\n-\t\t\t\t0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,\n-\t\t\t\t0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,\n-\t\t\t};\n-\n-\t\t\tuint8_t *in = NULL;\n-\t\t\tuint8_t *out = p_state_buf;\n-\t\t\tint x;\n-\t\t\tAES_KEY enc_key;\n-\n-\t\t\tin = rte_zmalloc(\"working mem for key\",\n-\t\t\t\t\tICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ, 16);\n-\t\t\tif (in == NULL) {\n-\t\t\t\tQAT_LOG(ERR, \"Failed to alloc memory\");\n-\t\t\t\treturn -ENOMEM;\n-\t\t\t}\n-\n-\t\t\trte_memcpy(in, qat_aes_xcbc_key_seed,\n-\t\t\t\t\tICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);\n-\t\t\tfor (x = 0; x < HASH_XCBC_PRECOMP_KEY_NUM; x++) {\n-\t\t\t\tif (AES_set_encrypt_key(auth_key,\n-\t\t\t\t\t\t\tauth_keylen << 3,\n-\t\t\t\t\t\t\t&enc_key) != 0) {\n-\t\t\t\t\trte_free(in -\n-\t\t\t\t\t (x * ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ));\n-\t\t\t\t\tmemset(out -\n-\t\t\t\t\t (x * ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ),\n-\t\t\t\t\t 0, ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ);\n-\t\t\t\t\treturn -EFAULT;\n-\t\t\t\t}\n-\t\t\t\tAES_encrypt(in, out, &enc_key);\n-\t\t\t\tin += ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ;\n-\t\t\t\tout += ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ;\n-\t\t\t}\n-\t\t\t*p_state_len = ICP_QAT_HW_AES_XCBC_MAC_STATE2_SZ;\n-\t\t\trte_free(in - x*ICP_QAT_HW_AES_XCBC_MAC_KEY_SZ);\n-\t\t\treturn 0;\n-\t\t}\n-\n-\t} else if ((hash_alg == ICP_QAT_HW_AUTH_ALGO_GALOIS_128) ||\n-\t\t(hash_alg == ICP_QAT_HW_AUTH_ALGO_GALOIS_64)) {\n-\t\tuint8_t *in = NULL;\n-\t\tuint8_t *out = p_state_buf;\n-\t\tAES_KEY enc_key;\n-\n-\t\tmemset(p_state_buf, 0, ICP_QAT_HW_GALOIS_H_SZ +\n-\t\t\t\tICP_QAT_HW_GALOIS_LEN_A_SZ +\n-\t\t\t\tICP_QAT_HW_GALOIS_E_CTR0_SZ);\n-\t\tin = rte_zmalloc(\"working mem for key\",\n-\t\t\t\tICP_QAT_HW_GALOIS_H_SZ, 16);\n-\t\tif (in == NULL) {\n-\t\t\tQAT_LOG(ERR, \"Failed to alloc memory\");\n-\t\t\treturn -ENOMEM;\n-\t\t}\n-\n-\t\tmemset(in, 0, ICP_QAT_HW_GALOIS_H_SZ);\n-\t\tif (AES_set_encrypt_key(auth_key, auth_keylen << 3,\n-\t\t\t&enc_key) != 0) {\n-\t\t\treturn -EFAULT;\n-\t\t}\n-\t\tAES_encrypt(in, out, &enc_key);\n-\t\t*p_state_len = ICP_QAT_HW_GALOIS_H_SZ +\n-\t\t\t\tICP_QAT_HW_GALOIS_LEN_A_SZ +\n-\t\t\t\tICP_QAT_HW_GALOIS_E_CTR0_SZ;\n-\t\trte_free(in);\n-\t\treturn 0;\n-\t}\n-\n-\tblock_size = qat_hash_get_block_size(hash_alg);\n-\tif (block_size < 0)\n-\t\treturn block_size;\n-\t/* init ipad and opad from key and xor with fixed values */\n-\tmemset(ipad, 0, block_size);\n-\tmemset(opad, 0, block_size);\n-\n-\tif (auth_keylen > (unsigned int)block_size) {\n-\t\tQAT_LOG(ERR, \"invalid keylen %u\", auth_keylen);\n-\t\treturn -EFAULT;\n-\t}\n-\n-\tRTE_VERIFY(auth_keylen <= sizeof(ipad));\n-\tRTE_VERIFY(auth_keylen <= sizeof(opad));\n-\n-\trte_memcpy(ipad, auth_key, auth_keylen);\n-\trte_memcpy(opad, auth_key, auth_keylen);\n-\n-\tfor (i = 0; i < block_size; i++) {\n-\t\tuint8_t *ipad_ptr = ipad + i;\n-\t\tuint8_t *opad_ptr = opad + i;\n-\t\t*ipad_ptr ^= HMAC_IPAD_VALUE;\n-\t\t*opad_ptr ^= HMAC_OPAD_VALUE;\n-\t}\n-\n-\t/* do partial hash of ipad and copy to state1 */\n-\tif (partial_hash_compute(hash_alg, ipad, p_state_buf)) {\n-\t\tmemset(ipad, 0, block_size);\n-\t\tmemset(opad, 0, block_size);\n-\t\tQAT_LOG(ERR, \"ipad precompute failed\");\n-\t\treturn -EFAULT;\n-\t}\n-\n-\t/*\n-\t * State len is a multiple of 8, so may be larger than the digest.\n-\t * Put the partial hash of opad state_len bytes after state1\n-\t */\n-\t*p_state_len = qat_hash_get_state1_size(hash_alg);\n-\tif (partial_hash_compute(hash_alg, opad, p_state_buf + *p_state_len)) {\n-\t\tmemset(ipad, 0, block_size);\n-\t\tmemset(opad, 0, block_size);\n-\t\tQAT_LOG(ERR, \"opad precompute failed\");\n-\t\treturn -EFAULT;\n-\t}\n-\n-\t/* don't leave data lying around */\n-\tmemset(ipad, 0, block_size);\n-\tmemset(opad, 0, block_size);\n-\treturn 0;\n-}\n \n static void\n qat_sym_session_init_common_hdr(struct qat_sym_session *session)\n@@ -2124,20 +1751,9 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,\n \t\t\tbreak;\n \t\t}\n \t\t/* SHA-1 HMAC */\n-\t\tif (qat_ipsec_mb_lib) {\n-#ifdef RTE_QAT_LIBIPSECMB\n-\t\t\tret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA1,\n-\t\t\t\tauthkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,\n-\t\t\t\tcdesc->aes_cmac);\n-#else\n-\t\t\tQAT_LOG(ERR, \"Intel IPSEC-MB LIB missing ?\");\n-\t\t\treturn -EFAULT;\n-#endif\n-\t\t} else {\n-\t\t\tret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA1, authkey,\n-\t\t\t\tauthkeylen, cdesc->cd_cur_ptr, &state1_size,\n-\t\t\t\tcdesc->aes_cmac);\n-\t\t}\n+\t\tret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA1,\n+\t\t\tauthkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,\n+\t\t\tcdesc->aes_cmac);\n \n \t\tif (ret) {\n \t\t\tQAT_LOG(ERR, \"(SHA)precompute failed\");\n@@ -2155,20 +1771,9 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,\n \t\t\tbreak;\n \t\t}\n \t\t/* SHA-224 HMAC */\n-\t\tif (qat_ipsec_mb_lib) {\n-#ifdef RTE_QAT_LIBIPSECMB\n-\t\t\tret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA224,\n+\t\tret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA224,\n \t\t\t\tauthkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,\n \t\t\t\tcdesc->aes_cmac);\n-#else\n-\t\t\tQAT_LOG(ERR, \"Intel IPSEC-MB LIB missing ?\");\n-\t\t\treturn -EFAULT;\n-#endif\n-\t\t} else {\n-\t\t\tret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA224, authkey,\n-\t\t\t\tauthkeylen, cdesc->cd_cur_ptr, &state1_size,\n-\t\t\t\tcdesc->aes_cmac);\n-\t\t}\n \n \t\tif (ret) {\n \t\t\tQAT_LOG(ERR, \"(SHA)precompute failed\");\n@@ -2186,20 +1791,9 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,\n \t\t\tbreak;\n \t\t}\n \t\t/* SHA-256 HMAC */\n-\t\tif (qat_ipsec_mb_lib) {\n-#ifdef RTE_QAT_LIBIPSECMB\n-\t\t\tret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA256,\n+\t\tret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA256,\n \t\t\t\tauthkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,\n \t\t\t\tcdesc->aes_cmac);\n-#else\n-\t\t\tQAT_LOG(ERR, \"Intel IPSEC-MB LIB missing ?\");\n-\t\t\treturn -EFAULT;\n-#endif\n-\t\t} else {\n-\t\t\tret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA256, authkey,\n-\t\t\t\tauthkeylen, cdesc->cd_cur_ptr, &state1_size,\n-\t\t\t\tcdesc->aes_cmac);\n-\t\t}\n \n \t\tif (ret) {\n \t\t\tQAT_LOG(ERR, \"(SHA)precompute failed\");\n@@ -2217,20 +1811,9 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,\n \t\t\tbreak;\n \t\t}\n \t\t/* SHA-384 HMAC */\n-\t\tif (qat_ipsec_mb_lib) {\n-#ifdef RTE_QAT_LIBIPSECMB\n-\t\t\tret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA384,\n+\t\tret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA384,\n \t\t\t\tauthkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,\n \t\t\t\tcdesc->aes_cmac);\n-#else\n-\t\t\tQAT_LOG(ERR, \"Intel IPSEC-MB LIB missing ?\");\n-\t\t\treturn -EFAULT;\n-#endif\n-\t\t} else {\n-\t\t\tret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA384, authkey,\n-\t\t\t\tauthkeylen, cdesc->cd_cur_ptr, &state1_size,\n-\t\t\t\tcdesc->aes_cmac);\n-\t\t}\n \n \t\tif (ret) {\n \t\t\tQAT_LOG(ERR, \"(SHA)precompute failed\");\n@@ -2248,20 +1831,9 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,\n \t\t\tbreak;\n \t\t}\n \t\t/* SHA-512 HMAC */\n-\t\tif (qat_ipsec_mb_lib) {\n-#ifdef RTE_QAT_LIBIPSECMB\n-\t\t\tret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA512,\n+\t\tret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_SHA512,\n \t\t\t\tauthkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,\n \t\t\t\tcdesc->aes_cmac);\n-#else\n-\t\t\tQAT_LOG(ERR, \"Intel IPSEC-MB LIB missing ?\");\n-\t\t\treturn -EFAULT;\n-#endif\n-\t\t} else {\n-\t\t\tret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_SHA512, authkey,\n-\t\t\t\tauthkeylen, cdesc->cd_cur_ptr, &state1_size,\n-\t\t\t\tcdesc->aes_cmac);\n-\t\t}\n \n \t\tif (ret) {\n \t\t\tQAT_LOG(ERR, \"(SHA)precompute failed\");\n@@ -2298,21 +1870,10 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,\n \n \t\tif (cdesc->aes_cmac)\n \t\t\tmemset(cdesc->cd_cur_ptr, 0, state1_size);\n-\t\tif (qat_ipsec_mb_lib) {\n-#ifdef RTE_QAT_LIBIPSECMB\n-\t\t\tret = qat_sym_do_precomputes_ipsec_mb(\n+\t\tret = qat_sym_do_precomputes_ipsec_mb(\n \t\t\t\tICP_QAT_HW_AUTH_ALGO_AES_XCBC_MAC,\n \t\t\t\tauthkey, authkeylen, cdesc->cd_cur_ptr + state1_size,\n \t\t\t\t&state2_size, cdesc->aes_cmac);\n-#else\n-\t\t\tQAT_LOG(ERR, \"Intel IPSEC-MB LIB missing ?\");\n-\t\t\treturn -EFAULT;\n-#endif\n-\t\t} else {\n-\t\t\tret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_AES_XCBC_MAC,\n-\t\t\t\tauthkey, authkeylen, cdesc->cd_cur_ptr + state1_size,\n-\t\t\t\t&state2_size, cdesc->aes_cmac);\n-\t\t}\n \n \t\tif (ret) {\n \t\t\tcdesc->aes_cmac ? QAT_LOG(ERR,\n@@ -2326,20 +1887,9 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,\n \tcase ICP_QAT_HW_AUTH_ALGO_GALOIS_64:\n \t\tcdesc->qat_proto_flag = QAT_CRYPTO_PROTO_FLAG_GCM;\n \t\tstate1_size = ICP_QAT_HW_GALOIS_128_STATE1_SZ;\n-\t\tif (qat_ipsec_mb_lib) {\n-#ifdef RTE_QAT_LIBIPSECMB\n-\t\t\tret = qat_sym_do_precomputes_ipsec_mb(cdesc->qat_hash_alg, authkey,\n+\t\tret = qat_sym_do_precomputes_ipsec_mb(cdesc->qat_hash_alg, authkey,\n \t\t\t\tauthkeylen, cdesc->cd_cur_ptr + state1_size,\n \t\t\t\t&state2_size, cdesc->aes_cmac);\n-#else\n-\t\t\tQAT_LOG(ERR, \"Intel IPSEC-MB LIB missing ?\");\n-\t\t\treturn -EFAULT;\n-#endif\n-\t\t} else {\n-\t\t\tret = qat_sym_do_precomputes(cdesc->qat_hash_alg, authkey,\n-\t\t\t\tauthkeylen, cdesc->cd_cur_ptr + state1_size,\n-\t\t\t\t&state2_size, cdesc->aes_cmac);\n-\t\t}\n \n \t\tif (ret) {\n \t\t\tQAT_LOG(ERR, \"(GCM)precompute failed\");\n@@ -2397,20 +1947,9 @@ int qat_sym_cd_auth_set(struct qat_sym_session *cdesc,\n \n \t\tbreak;\n \tcase ICP_QAT_HW_AUTH_ALGO_MD5:\n-\t\tif (qat_ipsec_mb_lib) {\n-#ifdef RTE_QAT_LIBIPSECMB\n-\t\t\tret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_MD5,\n+\t\tret = qat_sym_do_precomputes_ipsec_mb(ICP_QAT_HW_AUTH_ALGO_MD5,\n \t\t\t\tauthkey, authkeylen, cdesc->cd_cur_ptr, &state1_size,\n \t\t\t\tcdesc->aes_cmac);\n-#else\n-\t\t\tQAT_LOG(ERR, \"Intel IPSEC-MB LIB missing\");\n-\t\t\treturn -EFAULT;\n-#endif\n-\t\t} else {\n-\t\t\tret = qat_sym_do_precomputes(ICP_QAT_HW_AUTH_ALGO_MD5, authkey,\n-\t\t\t\tauthkeylen, cdesc->cd_cur_ptr, &state1_size,\n-\t\t\t\tcdesc->aes_cmac);\n-\t\t}\n \n \t\tif (ret) {\n \t\t\tQAT_LOG(ERR, \"(MD5)precompute failed\");\n@@ -2708,10 +2247,6 @@ qat_security_session_create(void *dev,\n \t\treturn -EINVAL;\n \t}\n \n-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)\n-\tif (ossl_legacy_provider_load())\n-\t\treturn -EINVAL;\n-#endif\n \tret = qat_sec_session_set_docsis_parameters(cdev, conf,\n \t\t\tsess_private_data, SECURITY_GET_SESS_PRIV_IOVA(sess));\n \tif (ret != 0) {\n@@ -2719,9 +2254,6 @@ qat_security_session_create(void *dev,\n \t\treturn ret;\n \t}\n \n-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)\n-\tossl_legacy_provider_unload();\n-#endif\n \treturn 0;\n }\n \n@@ -2733,8 +2265,8 @@ qat_security_session_destroy(void *dev __rte_unused,\n \tstruct qat_sym_session *s = (struct qat_sym_session *)sess_priv;\n \n \tif (sess_priv) {\n-\t\tif (s->bpi_ctx)\n-\t\t\tbpi_cipher_ctx_free(s->bpi_ctx);\n+\t\tif (s->mb_mgr)\n+\t\t\tfree_mb_mgr(s->mb_mgr);\n \t\tmemset(s, 0, qat_sym_session_get_private_size(dev));\n \t}\n \ndiff --git a/drivers/crypto/qat/qat_sym_session.h b/drivers/crypto/qat/qat_sym_session.h\nindex 6322d7e3bc..fa8731c0f9 100644\n--- a/drivers/crypto/qat/qat_sym_session.h\n+++ b/drivers/crypto/qat/qat_sym_session.h\n@@ -15,6 +15,12 @@\n #include \"icp_qat_fw.h\"\n #include \"icp_qat_fw_la.h\"\n \n+#if defined(RTE_ARCH_ARM)\n+#include <ipsec-mb.h>\n+#else\n+#include <intel-ipsec-mb.h>\n+#endif\n+\n /*\n * Key Modifier (KM) value used in KASUMI algorithm in F9 mode to XOR\n * Integrity Key (IK)\n@@ -87,7 +93,6 @@ struct qat_sym_session {\n \tenum icp_qat_hw_auth_algo qat_hash_alg;\n \tenum icp_qat_hw_auth_op auth_op;\n \tenum icp_qat_hw_auth_mode auth_mode;\n-\tvoid *bpi_ctx;\n \tstruct qat_sym_cd cd;\n \tuint8_t *cd_cur_ptr;\n \tphys_addr_t cd_paddr;\n@@ -118,6 +123,10 @@ struct qat_sym_session {\n \tuint32_t slice_types;\n \tenum qat_sym_proto_flag qat_proto_flag;\n \tqat_sym_build_request_t build_request[2];\n+\tIMB_MGR *mb_mgr;\n+\tuint64_t expkey[4*15];\n+\tuint32_t dust[4*15];\n+\tuint8_t docsis_key_len;\n };\n \n int\n", "prefixes": [ "v1" ] }