From patchwork Fri Jun 25 06:15:08 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anoob Joseph X-Patchwork-Id: 94849 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 36AB0A0C40; Fri, 25 Jun 2021 08:16:08 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id E3895410E5; Fri, 25 Jun 2021 08:16:04 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 6989440E03 for ; Fri, 25 Jun 2021 08:16:02 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 15P65xar002101; Thu, 24 Jun 2021 23:16:01 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=N6rM+RXq27KWzAv7wHjpNy8HqnfoJrb2/9jNiU0U2nk=; b=RKgO/sPmkbXeEo7SYILa1Cb4mqcgimlqwv3oiQF/j0TOR6h6O1R9jcZvjG8qsngOc/cD M5yjRcPThVVpcWAUdxF3K9jl6R9LYFM7YhAqj4CMZId00ww1sVuzZIfh+mHHFwEzTry2 2QkhTemQlDngz3aaS4BoXGQQnxK/DA3yWPqcbs6FwrwKwsyUeUFaIHmMiEJW90iCNCzU FF4MAhqGRIopLpZsbgSWip1vJhIyi5fGb1P++0AkaYaKO+k+Unb9zO5h3yRywk/kXX9h QlfURlp2anX/hwaOOM33gBxxJezm1mEcjmInl/QYdLTGaC34EjAgyGOa1lqq6paB8PyQ 4A== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0a-0016f401.pphosted.com with ESMTP id 39d24dhmu4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 24 Jun 2021 23:16:01 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Thu, 24 Jun 2021 23:16:00 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Thu, 24 Jun 2021 23:16:00 -0700 Received: from HY-LT1002.marvell.com (HY-LT1002.marvell.com [10.28.176.218]) by maili.marvell.com (Postfix) with ESMTP id 9DAA03F7041; Thu, 24 Jun 2021 23:15:56 -0700 (PDT) From: Anoob Joseph To: Akhil Goyal , Thomas Monjalon CC: Anoob Joseph , Jerin Jacob , "Ankur Dwivedi" , Tejasree Kondoj , , Srujana Challa Date: Fri, 25 Jun 2021 11:45:08 +0530 Message-ID: <1624601708-29991-5-git-send-email-anoobj@marvell.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1624601708-29991-1-git-send-email-anoobj@marvell.com> References: <1622653862-22830-2-git-send-email-anoobj@marvell.com> <1624601708-29991-1-git-send-email-anoobj@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: LqKvZdl6utvSs-UMUfeKTqaQ3JX2LaJE X-Proofpoint-ORIG-GUID: LqKvZdl6utvSs-UMUfeKTqaQ3JX2LaJE X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-06-25_02:2021-06-24, 2021-06-25 signatures=0 Subject: [dpdk-dev] [PATCH v2 4/4] crypto/cnxk: add security capabilities X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add security capabilities supported by crypto cn10k PMD. Signed-off-by: Anoob Joseph Signed-off-by: Srujana Challa Signed-off-by: Tejasree Kondoj --- doc/guides/cryptodevs/cnxk.rst | 24 +++++ doc/guides/cryptodevs/features/cn10k.ini | 1 + drivers/crypto/cnxk/cn10k_cryptodev.c | 1 + drivers/crypto/cnxk/cnxk_cryptodev.h | 4 + drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 114 ++++++++++++++++++++++ drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h | 9 +- drivers/crypto/cnxk/cnxk_cryptodev_sec.c | 3 +- 7 files changed, 154 insertions(+), 2 deletions(-) diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index 66b0b63..db949fa 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -185,6 +185,30 @@ running the test application: ./dpdk-test RTE>>cryptodev_cn10k_autotest +Lookaside IPsec Support +----------------------- + +The OCTEON cnxk SoCs can accelerate IPsec traffic in lookaside protocol mode, +with its **cryptographic accelerator (CPT)**. ``OCTEON cnxk crypto PMD`` implements +this as an ``RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL`` offload. + +Refer to :doc:`../prog_guide/rte_security` for more details on protocol offloads. + +This feature can be tested with ipsec-secgw sample application. + +Supported OCTEON cnxk SoCs +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- CN10XX + +Features supported +~~~~~~~~~~~~~~~~~~ + +* IPv4 +* ESP +* Tunnel mode +* AES-128/192/256-GCM + Limitations ----------- diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index 77c4a2d..b268f84 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -7,6 +7,7 @@ Symmetric crypto = Y Sym operation chaining = Y HW Accelerated = Y +Protocol offload = Y In Place SGL = Y OOP SGL In LB Out = Y OOP SGL In SGL Out = Y diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index cacf9c2..22ae810 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -99,6 +99,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | RTE_CRYPTODEV_FF_SYM_SESSIONLESS | + RTE_CRYPTODEV_FF_SECURITY | RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn10k_cpt_set_enqdeq_fns(dev); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index 03af4af..6760c13 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -6,6 +6,7 @@ #define _CNXK_CRYPTODEV_H_ #include +#include #include "roc_cpt.h" @@ -19,6 +20,9 @@ struct cnxk_cpt_vf { struct roc_cpt cpt; struct rte_cryptodev_capabilities crypto_caps[CNXK_CPT_MAX_CAPS]; + struct rte_cryptodev_capabilities + sec_crypto_caps[CNXK_SEC_CRYPTO_MAX_CAPS]; + struct rte_security_capability sec_caps[CNXK_SEC_MAX_CAPS]; }; int cnxk_cpt_eng_grp_add(struct roc_cpt *roc_cpt); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index a5195e8..d52fa89 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -3,6 +3,7 @@ */ #include +#include #include "roc_api.h" @@ -18,6 +19,15 @@ RTE_DIM(caps_##name)); \ } while (0) +#define SEC_CAPS_ADD(cnxk_caps, cur_pos, hw_caps, name) \ + do { \ + if ((hw_caps[CPT_ENG_TYPE_SE].name) || \ + (hw_caps[CPT_ENG_TYPE_IE].name) || \ + (hw_caps[CPT_ENG_TYPE_AE].name)) \ + sec_caps_add(cnxk_caps, cur_pos, sec_caps_##name, \ + RTE_DIM(sec_caps_##name)); \ + } while (0) + static const struct rte_cryptodev_capabilities caps_sha1_sha2[] = { { /* SHA1 */ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, @@ -658,6 +668,69 @@ static const struct rte_cryptodev_capabilities caps_end[] = { RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST() }; +static const struct rte_cryptodev_capabilities sec_caps_aes[] = { + { /* AES GCM */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD, + {.aead = { + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 8 + }, + .digest_size = { + .min = 16, + .max = 16, + .increment = 0 + }, + .aad_size = { + .min = 8, + .max = 12, + .increment = 4 + }, + .iv_size = { + .min = 12, + .max = 12, + .increment = 0 + } + }, } + }, } + }, +}; + +static const struct rte_security_capability sec_caps_templ[] = { + { /* IPsec Lookaside Protocol ESP Tunnel Ingress */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec = { + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, + .options = { 0 } + }, + .crypto_capabilities = NULL, + .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA + }, + { /* IPsec Lookaside Protocol ESP Tunnel Egress */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec = { + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .options = { 0 } + }, + .crypto_capabilities = NULL, + .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA + }, + { + .action = RTE_SECURITY_ACTION_TYPE_NONE + } +}; + static void cpt_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos, const struct rte_cryptodev_capabilities *caps, int nb_caps) @@ -692,8 +765,49 @@ cnxk_crypto_capabilities_get(struct cnxk_cpt_vf *vf) return vf->crypto_caps; } +static void +sec_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos, + const struct rte_cryptodev_capabilities *caps, int nb_caps) +{ + if (*cur_pos + nb_caps > CNXK_SEC_CRYPTO_MAX_CAPS) + return; + + memcpy(&cnxk_caps[*cur_pos], caps, nb_caps * sizeof(caps[0])); + *cur_pos += nb_caps; +} + +static void +sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[], + union cpt_eng_caps *hw_caps) +{ + int cur_pos = 0; + + SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, aes); + + sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end)); +} + void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) { + unsigned long i; + crypto_caps_populate(vf->crypto_caps, vf->cpt.hw_caps); + sec_crypto_caps_populate(vf->sec_crypto_caps, vf->cpt.hw_caps); + + PLT_STATIC_ASSERT(RTE_DIM(sec_caps_templ) <= RTE_DIM(vf->sec_caps)); + memcpy(vf->sec_caps, sec_caps_templ, sizeof(sec_caps_templ)); + + for (i = 0; i < RTE_DIM(sec_caps_templ) - 1; i++) + vf->sec_caps[i].crypto_capabilities = vf->sec_crypto_caps; +} + +const struct rte_security_capability * +cnxk_crypto_sec_capabilities_get(void *device) +{ + struct rte_cryptodev *dev = device; + struct cnxk_cpt_vf *vf; + + vf = dev->data->dev_private; + return vf->sec_caps; } diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h index 85f5ad2..fe07e43 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.h @@ -10,7 +10,7 @@ #include "cnxk_cryptodev.h" /* - * Initialize crypto capabilities for the device + * Initialize crypto and IPsec capabilities for the device * */ void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf); @@ -22,4 +22,11 @@ void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf); const struct rte_cryptodev_capabilities * cnxk_crypto_capabilities_get(struct cnxk_cpt_vf *vf); +/* + * Get security capabilities list for the device + * + */ +const struct rte_security_capability * +cnxk_crypto_sec_capabilities_get(void *device); + #endif /* _CNXK_CRYPTODEV_CAPABILITIES_H_ */ diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c index f03d2ed..8d04d4b 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_sec.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_sec.c @@ -7,6 +7,7 @@ #include #include +#include "cnxk_cryptodev_capabilities.h" #include "cnxk_cryptodev_sec.h" /* Common security ops */ @@ -16,7 +17,7 @@ struct rte_security_ops cnxk_sec_ops = { .session_get_size = NULL, .set_pkt_metadata = NULL, .get_userdata = NULL, - .capabilities_get = NULL, + .capabilities_get = cnxk_crypto_sec_capabilities_get }; int