From patchwork Tue Jun 30 16:30:44 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Coyle, David" X-Patchwork-Id: 72470 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id CA599A0523; Tue, 30 Jun 2020 18:53:39 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 39BC91BFAC; Tue, 30 Jun 2020 18:53:38 +0200 (CEST) Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by dpdk.org (Postfix) with ESMTP id 6BA891BEDD for ; Tue, 30 Jun 2020 18:53:30 +0200 (CEST) IronPort-SDR: Lh5fVi1E8lbdE+Ucf+bMJDxtHiugWLb2KgAGH4yZl2juO4Q1K2+6LF2Az3pfibwsiz57v1+N+/ GgCMXiMdroRQ== X-IronPort-AV: E=McAfee;i="6000,8403,9667"; a="144478907" X-IronPort-AV: E=Sophos;i="5.75,298,1589266800"; d="scan'208";a="144478907" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jun 2020 09:53:29 -0700 IronPort-SDR: 341uewBKX73Qb388dOKUIU7fc64QAmJEMbxPzDJkRoC0PWUqIMUkZGDH6exx1dRqbqQqqmknMg S+E/X3pr+raA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.75,298,1589266800"; d="scan'208";a="386747389" Received: from silpixa00399912.ir.intel.com (HELO silpixa00399912.ger.corp.intel.com) ([10.237.223.64]) by fmsmga001.fm.intel.com with ESMTP; 30 Jun 2020 09:53:23 -0700 From: David Coyle To: akhil.goyal@nxp.com, declan.doherty@intel.com, pablo.de.lara.guarch@intel.com, fiona.trahe@intel.com, roy.fan.zhang@intel.com, konstantin.ananyev@intel.com Cc: dev@dpdk.org, thomas@monjalon.net, ferruh.yigit@intel.com, brendan.ryan@intel.com, hemant.agrawal@nxp.com, anoobj@marvell.com, ruifeng.wang@arm.com, lironh@marvell.com, rnagadheeraj@marvell.com, jsrikanth@marvell.com, G.Singh@nxp.com, jianjay.zhou@huawei.com, ravi1.kumar@amd.com, bruce.richardson@intel.com, olivier.matz@6wind.com, honnappa.nagarahalli@arm.com, stephen@networkplumber.org, alexr@mellanox.com, jerinj@marvell.com, David Coyle , Mairtin o Loingsigh Date: Tue, 30 Jun 2020 17:30:44 +0100 Message-Id: <20200630163049.61900-4-david.coyle@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200630163049.61900-1-david.coyle@intel.com> References: <20200623101423.9215-1-david.coyle@intel.com> <20200630163049.61900-1-david.coyle@intel.com> Subject: [dpdk-dev] [PATCH v3 3/8] crypto/aesni_mb: add support for DOCSIS protocol X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add support to the AESNI-MB PMD for the DOCSIS protocol, through the rte_security API. This, therefore, includes adding support for the rte_security API to this PMD. Signed-off-by: David Coyle Signed-off-by: Mairtin o Loingsigh --- .../crypto/aesni_mb/aesni_mb_pmd_private.h | 19 +- drivers/crypto/aesni_mb/meson.build | 2 +- drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c | 293 +++++++++++++++++- .../crypto/aesni_mb/rte_aesni_mb_pmd_ops.c | 125 ++++++++ 4 files changed, 432 insertions(+), 7 deletions(-) diff --git a/drivers/crypto/aesni_mb/aesni_mb_pmd_private.h b/drivers/crypto/aesni_mb/aesni_mb_pmd_private.h index 347b4b7e0..e0c7b4f7c 100644 --- a/drivers/crypto/aesni_mb/aesni_mb_pmd_private.h +++ b/drivers/crypto/aesni_mb/aesni_mb_pmd_private.h @@ -7,6 +7,12 @@ #include +#if defined(RTE_LIBRTE_SECURITY) && (IMB_VERSION_NUM) >= IMB_VERSION(0, 54, 0) +#define AESNI_MB_DOCSIS_SEC_ENABLED 1 +#include +#include +#endif + enum aesni_mb_vector_mode { RTE_AESNI_MB_NOT_SUPPORTED = 0, RTE_AESNI_MB_SSE, @@ -272,8 +278,19 @@ aesni_mb_set_session_parameters(const MB_MGR *mb_mgr, struct aesni_mb_session *sess, const struct rte_crypto_sym_xform *xform); -/** device specific operations function pointer structure */ +#ifdef AESNI_MB_DOCSIS_SEC_ENABLED +extern int +aesni_mb_set_docsis_sec_session_parameters( + __rte_unused struct rte_cryptodev *dev, + struct rte_security_session_conf *conf, + void *sess); +#endif + +/** device specific operations function pointer structures */ extern struct rte_cryptodev_ops *rte_aesni_mb_pmd_ops; +#ifdef AESNI_MB_DOCSIS_SEC_ENABLED +extern struct rte_security_ops *rte_aesni_mb_pmd_sec_ops; +#endif extern uint32_t aesni_mb_cpu_crypto_process_bulk(struct rte_cryptodev *dev, diff --git a/drivers/crypto/aesni_mb/meson.build b/drivers/crypto/aesni_mb/meson.build index e557e0103..419b4743f 100644 --- a/drivers/crypto/aesni_mb/meson.build +++ b/drivers/crypto/aesni_mb/meson.build @@ -22,4 +22,4 @@ else endif sources = files('rte_aesni_mb_pmd.c', 'rte_aesni_mb_pmd_ops.c') -deps += ['bus_vdev'] +deps += ['bus_vdev', 'net', 'security'] diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c index 2d688f4d3..4b25c5e23 100644 --- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c +++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c @@ -12,6 +12,7 @@ #include #include #include +#include #include "aesni_mb_pmd_private.h" @@ -720,6 +721,134 @@ aesni_mb_set_session_parameters(const MB_MGR *mb_mgr, return 0; } +#ifdef AESNI_MB_DOCSIS_SEC_ENABLED +/** Check DOCSIS security session configuration is valid */ +static int +check_docsis_sec_session(struct rte_security_session_conf *conf) +{ + struct rte_crypto_sym_xform *crypto_sym = conf->crypto_xform; + struct rte_security_docsis_xform *docsis = &conf->docsis; + + /* Downlink: CRC generate -> Cipher encrypt */ + if (docsis->direction == RTE_SECURITY_DOCSIS_DOWNLINK) { + + if (crypto_sym != NULL && + crypto_sym->type == RTE_CRYPTO_SYM_XFORM_CIPHER && + crypto_sym->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT && + crypto_sym->cipher.algo == + RTE_CRYPTO_CIPHER_AES_DOCSISBPI && + (crypto_sym->cipher.key.length == IMB_KEY_AES_128_BYTES || + crypto_sym->cipher.key.length == IMB_KEY_AES_256_BYTES) && + crypto_sym->cipher.iv.length == AES_BLOCK_SIZE && + crypto_sym->next == NULL) { + return 0; + } + /* Uplink: Cipher decrypt -> CRC verify */ + } else if (docsis->direction == RTE_SECURITY_DOCSIS_UPLINK) { + + if (crypto_sym != NULL && + crypto_sym->type == RTE_CRYPTO_SYM_XFORM_CIPHER && + crypto_sym->cipher.op == RTE_CRYPTO_CIPHER_OP_DECRYPT && + crypto_sym->cipher.algo == + RTE_CRYPTO_CIPHER_AES_DOCSISBPI && + (crypto_sym->cipher.key.length == IMB_KEY_AES_128_BYTES || + crypto_sym->cipher.key.length == IMB_KEY_AES_256_BYTES) && + crypto_sym->cipher.iv.length == AES_BLOCK_SIZE && + crypto_sym->next == NULL) { + return 0; + } + } + + return -EINVAL; +} + +/** Set DOCSIS security session auth (CRC) parameters */ +static int +aesni_mb_set_docsis_sec_session_auth_parameters(struct aesni_mb_session *sess, + struct rte_security_docsis_xform *xform) +{ + if (xform == NULL) { + AESNI_MB_LOG(ERR, "Invalid DOCSIS xform"); + return -EINVAL; + } + + /* Select CRC generate/verify */ + if (xform->direction == RTE_SECURITY_DOCSIS_UPLINK) { + sess->auth.algo = IMB_AUTH_DOCSIS_CRC32; + sess->auth.operation = RTE_CRYPTO_AUTH_OP_VERIFY; + } else if (xform->direction == RTE_SECURITY_DOCSIS_DOWNLINK) { + sess->auth.algo = IMB_AUTH_DOCSIS_CRC32; + sess->auth.operation = RTE_CRYPTO_AUTH_OP_GENERATE; + } else { + AESNI_MB_LOG(ERR, "Unsupported DOCSIS direction"); + return -ENOTSUP; + } + + sess->auth.req_digest_len = RTE_ETHER_CRC_LEN; + sess->auth.gen_digest_len = RTE_ETHER_CRC_LEN; + + return 0; +} + +/** + * Parse DOCSIS security session configuration and set private session + * parameters + */ +int +aesni_mb_set_docsis_sec_session_parameters( + __rte_unused struct rte_cryptodev *dev, + struct rte_security_session_conf *conf, + void *sess) +{ + struct rte_security_docsis_xform *docsis_xform; + struct rte_crypto_sym_xform *cipher_xform; + struct aesni_mb_session *aesni_sess = sess; + struct aesni_mb_private *internals = dev->data->dev_private; + int ret; + + ret = check_docsis_sec_session(conf); + if (ret) { + AESNI_MB_LOG(ERR, "Unsupported DOCSIS security configuration"); + return ret; + } + + switch (conf->docsis.direction) { + case RTE_SECURITY_DOCSIS_UPLINK: + aesni_sess->chain_order = IMB_ORDER_CIPHER_HASH; + docsis_xform = &conf->docsis; + cipher_xform = conf->crypto_xform; + break; + case RTE_SECURITY_DOCSIS_DOWNLINK: + aesni_sess->chain_order = IMB_ORDER_HASH_CIPHER; + cipher_xform = conf->crypto_xform; + docsis_xform = &conf->docsis; + break; + default: + return -EINVAL; + } + + /* Default IV length = 0 */ + aesni_sess->iv.length = 0; + + ret = aesni_mb_set_docsis_sec_session_auth_parameters(aesni_sess, + docsis_xform); + if (ret != 0) { + AESNI_MB_LOG(ERR, "Invalid/unsupported DOCSIS parameters"); + return -EINVAL; + } + + ret = aesni_mb_set_session_cipher_parameters(internals->mb_mgr, + aesni_sess, cipher_xform); + + if (ret != 0) { + AESNI_MB_LOG(ERR, "Invalid/unsupported cipher parameters"); + return -EINVAL; + } + + return 0; +} +#endif + /** * burst enqueue, place crypto operations on ingress queue for processing. * @@ -758,6 +887,13 @@ get_session(struct aesni_mb_qp *qp, struct rte_crypto_op *op) get_sym_session_private_data( op->sym->session, cryptodev_driver_id); +#ifdef AESNI_MB_DOCSIS_SEC_ENABLED + } else if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { + if (likely(op->sym->sec_session != NULL)) + sess = (struct aesni_mb_session *) + get_sec_session_private_data( + op->sym->sec_session); +#endif } else { void *_sess = rte_cryptodev_sym_session_create(qp->sess_mp); void *_sess_private_data = NULL; @@ -1158,6 +1294,106 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp, return 0; } +#ifdef AESNI_MB_DOCSIS_SEC_ENABLED +/** + * Process a crypto operation containing a security op and complete a + * JOB_AES_HMAC job structure for submission to the multi buffer library for + * processing. + */ +static inline int +set_sec_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp, + struct rte_crypto_op *op, uint8_t *digest_idx) +{ + struct rte_mbuf *m_src, *m_dst; + struct rte_crypto_sym_op *sym; + struct aesni_mb_session *session; + + session = get_session(qp, op); + if (unlikely(session == NULL)) { + op->status = RTE_CRYPTO_OP_STATUS_INVALID_SESSION; + return -1; + } + + /* Only DOCSIS protocol operations supported now */ + if (session->cipher.mode != IMB_CIPHER_DOCSIS_SEC_BPI || + session->auth.algo != IMB_AUTH_DOCSIS_CRC32) { + op->status = RTE_CRYPTO_OP_STATUS_ERROR; + return -1; + } + + sym = op->sym; + m_src = sym->m_src; + + if (likely(sym->m_dst == NULL || sym->m_dst == m_src)) { + /* in-place operation */ + m_dst = m_src; + } else { + /* out-of-place operation not supported */ + op->status = RTE_CRYPTO_OP_STATUS_ERROR; + return -ENOTSUP; + } + + /* Set crypto operation */ + job->chain_order = session->chain_order; + + /* Set cipher parameters */ + job->cipher_direction = session->cipher.direction; + job->cipher_mode = session->cipher.mode; + + job->aes_key_len_in_bytes = session->cipher.key_length_in_bytes; + job->aes_enc_key_expanded = session->cipher.expanded_aes_keys.encode; + job->aes_dec_key_expanded = session->cipher.expanded_aes_keys.decode; + + /* Set IV parameters */ + job->iv_len_in_bytes = session->iv.length; + job->iv = (uint8_t *)op + session->iv.offset; + + /* Set authentication parameters */ + job->hash_alg = session->auth.algo; + + /* Set digest output location */ + job->auth_tag_output = qp->temp_digests[*digest_idx]; + *digest_idx = (*digest_idx + 1) % MAX_JOBS; + + /* Set digest length */ + job->auth_tag_output_len_in_bytes = session->auth.gen_digest_len; + + /* Set data parameters */ + job->src = rte_pktmbuf_mtod(m_src, uint8_t *); + job->dst = rte_pktmbuf_mtod_offset(m_dst, uint8_t *, + sym->cipher.data.offset); + + job->cipher_start_src_offset_in_bytes = sym->cipher.data.offset; + job->msg_len_to_cipher_in_bytes = sym->cipher.data.length; + + job->hash_start_src_offset_in_bytes = sym->auth.data.offset; + job->msg_len_to_hash_in_bytes = sym->auth.data.length; + + job->user_data = op; + + return 0; +} + +static inline void +verify_docsis_sec_crc(JOB_AES_HMAC *job, uint8_t *status) +{ + uint16_t crc_offset; + uint8_t *crc; + + if (!job->msg_len_to_hash_in_bytes) + return; + + crc_offset = job->hash_start_src_offset_in_bytes + + job->msg_len_to_hash_in_bytes - + job->cipher_start_src_offset_in_bytes; + crc = job->dst + crc_offset; + + /* Verify CRC (at the end of the message) */ + if (memcmp(job->auth_tag_output, crc, RTE_ETHER_CRC_LEN) != 0) + *status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED; +} +#endif + static inline void verify_digest(JOB_AES_HMAC *job, void *digest, uint16_t len, uint8_t *status) { @@ -1196,9 +1432,25 @@ static inline struct rte_crypto_op * post_process_mb_job(struct aesni_mb_qp *qp, JOB_AES_HMAC *job) { struct rte_crypto_op *op = (struct rte_crypto_op *)job->user_data; - struct aesni_mb_session *sess = get_sym_session_private_data( - op->sym->session, - cryptodev_driver_id); + struct aesni_mb_session *sess = NULL; + +#ifdef AESNI_MB_DOCSIS_SEC_ENABLED + uint8_t is_docsis_sec = 0; + + if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { + /* + * Assuming at this point that if it's a security type op, that + * this is for DOCSIS + */ + is_docsis_sec = 1; + sess = get_sec_session_private_data(op->sym->sec_session); + } else +#endif + { + sess = get_sym_session_private_data(op->sym->session, + cryptodev_driver_id); + } + if (unlikely(sess == NULL)) { op->status = RTE_CRYPTO_OP_STATUS_INVALID_SESSION; return op; @@ -1220,6 +1472,11 @@ post_process_mb_job(struct aesni_mb_qp *qp, JOB_AES_HMAC *job) op->sym->aead.digest.data, sess->auth.req_digest_len, &op->status); +#ifdef AESNI_MB_DOCSIS_SEC_ENABLED + else if (is_docsis_sec) + verify_docsis_sec_crc(job, + &op->status); +#endif else verify_digest(job, op->sym->auth.digest.data, @@ -1382,7 +1639,14 @@ aesni_mb_pmd_dequeue_burst(void *queue_pair, struct rte_crypto_op **ops, if (retval < 0) break; - retval = set_mb_job_params(job, qp, op, &digest_idx); +#ifdef AESNI_MB_DOCSIS_SEC_ENABLED + if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) + retval = set_sec_mb_job_params(job, qp, op, + &digest_idx); + else +#endif + retval = set_mb_job_params(job, qp, op, &digest_idx); + if (unlikely(retval != 0)) { qp->stats.dequeue_err_count++; set_job_null_op(job, op); @@ -1619,6 +1883,9 @@ cryptodev_aesni_mb_create(const char *name, struct aesni_mb_private *internals; enum aesni_mb_vector_mode vector_mode; MB_MGR *mb_mgr; +#ifdef AESNI_MB_DOCSIS_SEC_ENABLED + struct rte_security_ctx *security_instance; +#endif dev = rte_cryptodev_pmd_create(name, &vdev->device, init_params); if (dev == NULL) { @@ -1647,7 +1914,23 @@ cryptodev_aesni_mb_create(const char *name, RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING | RTE_CRYPTODEV_FF_OOP_LB_IN_LB_OUT | RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO | - RTE_CRYPTODEV_FF_SYM_SESSIONLESS; + RTE_CRYPTODEV_FF_SYM_SESSIONLESS +#ifdef AESNI_MB_DOCSIS_SEC_ENABLED + | RTE_CRYPTODEV_FF_SECURITY +#endif + ; + +#ifdef AESNI_MB_DOCSIS_SEC_ENABLED + security_instance = rte_malloc("aesni_mb_sec", + sizeof(struct rte_security_ctx), 0); + if (security_instance == NULL) + AESNI_MB_LOG(ERR, "rte_security_ctx memory alloc failed\n"); + + security_instance->device = (void *)dev; + security_instance->ops = rte_aesni_mb_pmd_sec_ops; + security_instance->sess_cnt = 0; + dev->security_ctx = security_instance; +#endif /* Check CPU for support for AES instruction set */ if (rte_cpu_get_flag_enabled(RTE_CPUFLAG_AES)) diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c index 8c5e0cd92..ed93daec7 100644 --- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c +++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c @@ -7,6 +7,7 @@ #include #include #include +#include #include #include "aesni_mb_pmd_private.h" @@ -499,6 +500,55 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = { RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST() }; +#ifdef AESNI_MB_DOCSIS_SEC_ENABLED +static const struct rte_cryptodev_capabilities + aesni_mb_pmd_security_crypto_cap[] = { + { /* AES DOCSIS BPI */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER, + {.cipher = { + .algo = RTE_CRYPTO_CIPHER_AES_DOCSISBPI, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 16 + }, + .iv_size = { + .min = 16, + .max = 16, + .increment = 0 + } + }, } + }, } + }, + + RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST() +}; + +static const struct rte_security_capability aesni_mb_pmd_security_cap[] = { + { /* DOCSIS Uplink */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_DOCSIS, + .docsis = { + .direction = RTE_SECURITY_DOCSIS_UPLINK + }, + .crypto_capabilities = aesni_mb_pmd_security_crypto_cap + }, + { /* DOCSIS Downlink */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_DOCSIS, + .docsis = { + .direction = RTE_SECURITY_DOCSIS_DOWNLINK + }, + .crypto_capabilities = aesni_mb_pmd_security_crypto_cap + }, + { + .action = RTE_SECURITY_ACTION_TYPE_NONE + } +}; +#endif /** Configure device */ static int @@ -810,3 +860,78 @@ struct rte_cryptodev_ops aesni_mb_pmd_ops = { }; struct rte_cryptodev_ops *rte_aesni_mb_pmd_ops = &aesni_mb_pmd_ops; + +#ifdef AESNI_MB_DOCSIS_SEC_ENABLED +/** + * Configure a aesni multi-buffer session from a security session + * configuration + */ +static int +aesni_mb_pmd_sec_sess_create(void *dev, struct rte_security_session_conf *conf, + struct rte_security_session *sess, + struct rte_mempool *mempool) +{ + void *sess_private_data; + struct rte_cryptodev *cdev = (struct rte_cryptodev *)dev; + int ret; + + if (rte_mempool_get(mempool, &sess_private_data)) { + AESNI_MB_LOG(ERR, "Couldn't get object from session mempool"); + return -ENOMEM; + } + + if (conf->protocol != RTE_SECURITY_PROTOCOL_DOCSIS) { + AESNI_MB_LOG(ERR, "Invalid security protocol"); + return -EINVAL; + } + + ret = aesni_mb_set_docsis_sec_session_parameters(cdev, conf, + sess_private_data); + + if (ret != 0) { + AESNI_MB_LOG(ERR, "Failed to configure session parameters"); + + /* Return session to mempool */ + rte_mempool_put(mempool, sess_private_data); + return ret; + } + + set_sec_session_private_data(sess, sess_private_data); + + return ret; +} + +/** Clear the memory of session so it doesn't leave key material behind */ +static int +aesni_mb_pmd_sec_sess_destroy(void *dev __rte_unused, + struct rte_security_session *sess) +{ + void *sess_priv = get_sec_session_private_data(sess); + + if (sess_priv) { + struct rte_mempool *sess_mp = rte_mempool_from_obj(sess_priv); + memset(sess, 0, sizeof(struct aesni_mb_session)); + set_sec_session_private_data(sess, NULL); + rte_mempool_put(sess_mp, sess_priv); + } + return 0; +} + +/** Get security capabilities for aesni multi-buffer */ +static const struct rte_security_capability * +aesni_mb_pmd_sec_capa_get(void *device __rte_unused) +{ + return aesni_mb_pmd_security_cap; +} + +static struct rte_security_ops aesni_mb_pmd_sec_ops = { + .session_create = aesni_mb_pmd_sec_sess_create, + .session_update = NULL, + .session_stats_get = NULL, + .session_destroy = aesni_mb_pmd_sec_sess_destroy, + .set_pkt_metadata = NULL, + .capabilities_get = aesni_mb_pmd_sec_capa_get +}; + +struct rte_security_ops *rte_aesni_mb_pmd_sec_ops = &aesni_mb_pmd_sec_ops; +#endif