From patchwork Tue Jun 29 07:34:30 2021
X-Patchwork-Submitter: Anoob Joseph
X-Patchwork-Id: 94947
X-Patchwork-Delegate: gakhil@marvell.com
From: Anoob Joseph
To: Akhil Goyal, Thomas Monjalon
CC: Tejasree Kondoj, Jerin Jacob, Ankur Dwivedi, Anoob Joseph, Archana Muniganti, Srujana Challa
Date: Tue, 29 Jun 2021 13:04:30 +0530
Message-ID: <1624952076-30928-3-git-send-email-anoobj@marvell.com>
In-Reply-To: <1624952076-30928-1-git-send-email-anoobj@marvell.com>
References: <1624601708-29991-1-git-send-email-anoobj@marvell.com> <1624952076-30928-1-git-send-email-anoobj@marvell.com>
Subject: [dpdk-dev] [PATCH v3 2/8] crypto/cnxk: add security session ops

From: Tejasree Kondoj

Add security session ops in cn10k crypto PMD.

Signed-off-by: Anoob Joseph
Signed-off-by: Archana Muniganti
Signed-off-by: Srujana Challa
Signed-off-by: Tejasree Kondoj --- drivers/crypto/cnxk/cn10k_cryptodev.c | 2 + drivers/crypto/cnxk/cn10k_ipsec.c | 275 ++++++++++++++++++++++++++++++++++ drivers/crypto/cnxk/cn10k_ipsec.h | 36 +++++ drivers/crypto/cnxk/cnxk_ipsec.h | 20 +++ drivers/crypto/cnxk/meson.build | 3 + 5 files changed, 336 insertions(+) create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.c create mode 100644 drivers/crypto/cnxk/cn10k_ipsec.h create mode 100644 drivers/crypto/cnxk/cnxk_ipsec.h diff --git a/drivers/crypto/cnxk/cn10k_cryptodev.c b/drivers/crypto/cnxk/cn10k_cryptodev.c index ffe654c..cacf9c2 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev.c @@ -12,6 +12,7 @@ #include "cn10k_cryptodev.h" #include "cn10k_cryptodev_ops.h" +#include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" #include "cnxk_cryptodev_capabilities.h" #include "cnxk_cryptodev_sec.h" @@ -101,6 +102,7 @@ cn10k_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; cn10k_cpt_set_enqdeq_fns(dev); + cn10k_sec_ops_override(); return 0; diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c new file mode 100644 index 0000000..1d567bf --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec.c 
@@ -0,0 +1,275 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include +#include +#include +#include +#include +#include +#include + +#include "cnxk_cryptodev.h" +#include "cnxk_ipsec.h" +#include "cnxk_security.h" +#include "cn10k_ipsec.h" + +#include "roc_api.h" + +static int +ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && + crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT) + return -EINVAL; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && + crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT) + return -EINVAL; + + if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + switch (crypto_xfrm->aead.key.length) { + case ROC_CPT_AES128_KEY_LEN: + case ROC_CPT_AES192_KEY_LEN: + case ROC_CPT_AES256_KEY_LEN: + break; + default: + return -EINVAL; + } + return 0; + } + + return -ENOTSUP; +} + +static int +cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS)) + return -EINVAL; + + if ((ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) && + (ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH)) + return -EINVAL; + + if ((ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) && + (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)) + return -EINVAL; + + if ((ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) && + (ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6)) + return -EINVAL; + + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) + return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm); + + return -ENOTSUP; +} + +static uint64_t +ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa) +{ + union cpt_inst_w7 w7; + + w7.u64 = 0; + w7.s.egrp = 
roc_cpt->eng_grp[CPT_ENG_TYPE_IE]; + w7.s.ctx_val = 1; + w7.s.cptr = (uint64_t)sa; + rte_mb(); + + return w7.u64; +} + +static int +cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sec_sess) +{ + struct roc_ot_ipsec_outb_sa *out_sa; + struct cnxk_ipsec_outb_rlens rlens; + struct cn10k_sec_session *sess; + struct cn10k_ipsec_sa *sa; + union cpt_inst_w4 inst_w4; + int ret; + + sess = get_sec_session_private_data(sec_sess); + sa = &sess->sa; + out_sa = &sa->out_sa; + + memset(out_sa, 0, sizeof(struct roc_ot_ipsec_outb_sa)); + + /* Translate security parameters to SA */ + ret = cnxk_ot_ipsec_outb_sa_fill(out_sa, ipsec_xfrm, crypto_xfrm); + if (ret) + return ret; + + sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa); + + /* Get Rlen calculation data */ + ret = cnxk_ipsec_outb_rlens_get(&rlens, ipsec_xfrm, crypto_xfrm); + if (ret) + return ret; + + sa->partial_len = rlens.partial_len; + sa->roundup_byte = rlens.roundup_byte; + sa->roundup_len = rlens.roundup_len; + + /* pre-populate CPT INST word 4 */ + inst_w4.u64 = 0; + inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC; + inst_w4.s.param1 = 0; + sa->inst.w4 = inst_w4.u64; + + return 0; +} + +static int +cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sec_sess) +{ + struct roc_ot_ipsec_inb_sa *in_sa; + struct cn10k_sec_session *sess; + struct cn10k_ipsec_sa *sa; + union cpt_inst_w4 inst_w4; + int ret; + + sess = get_sec_session_private_data(sec_sess); + sa = &sess->sa; + in_sa = &sa->in_sa; + + /* Translate security parameters to SA */ + ret = cnxk_ot_ipsec_inb_sa_fill(in_sa, ipsec_xfrm, crypto_xfrm); + if (ret) + return ret; + + /* TODO add support for antireplay */ + sa->in_sa.w0.s.ar_win = 0; + + /* TODO add support for udp encap */ + + sa->inst.w7 = 
ipsec_cpt_inst_w7_get(roc_cpt, sa); + + /* pre-populate CPT INST word 4 */ + inst_w4.u64 = 0; + inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC; + + /* Disable checksum verification for now */ + inst_w4.s.param1 = 7; + sa->inst.w4 = inst_w4.u64; + + return 0; +} + +static int +cn10k_ipsec_session_create(void *dev, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm, + struct rte_security_session *sess) +{ + struct rte_cryptodev *crypto_dev = dev; + struct roc_cpt *roc_cpt; + struct cnxk_cpt_vf *vf; + int ret; + + vf = crypto_dev->data->dev_private; + roc_cpt = &vf->cpt; + + if (crypto_dev->data->queue_pairs[0] == NULL) { + plt_err("Setup cpt queue pair before creating security session"); + return -EPERM; + } + + ret = cn10k_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm); + if (ret) + return ret; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + return cn10k_ipsec_inb_sa_create(roc_cpt, ipsec_xfrm, + crypto_xfrm, sess); + else + return cn10k_ipsec_outb_sa_create(roc_cpt, ipsec_xfrm, + crypto_xfrm, sess); +} + +static int +cn10k_sec_session_create(void *device, struct rte_security_session_conf *conf, + struct rte_security_session *sess, + struct rte_mempool *mempool) +{ + struct cn10k_sec_session *priv; + int ret; + + if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) + return -EINVAL; + + if (rte_security_dynfield_register() < 0) + return -ENOTSUP; + + if (rte_mempool_get(mempool, (void **)&priv)) { + plt_err("Could not allocate security session private data"); + return -ENOMEM; + } + + set_sec_session_private_data(sess, priv); + + priv->userdata = conf->userdata; + + if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) { + ret = -ENOTSUP; + goto mempool_put; + } + ret = cn10k_ipsec_session_create(device, &conf->ipsec, + conf->crypto_xform, sess); + if (ret) + goto mempool_put; + + return 0; + +mempool_put: + rte_mempool_put(mempool, priv); + set_sec_session_private_data(sess, 
NULL); + return ret; +} + +static int +cn10k_sec_session_destroy(void *device __rte_unused, + struct rte_security_session *sess) +{ + struct cn10k_sec_session *priv; + struct rte_mempool *sess_mp; + + priv = get_sec_session_private_data(sess); + + if (priv == NULL) + return 0; + + sess_mp = rte_mempool_from_obj(priv); + + set_sec_session_private_data(sess, NULL); + rte_mempool_put(sess_mp, priv); + + return 0; +} + +static unsigned int +cn10k_sec_session_get_size(void *device __rte_unused) +{ + return sizeof(struct cn10k_sec_session); +} + +/* Update platform specific security ops */ +void +cn10k_sec_ops_override(void) +{ + /* Update platform specific ops */ + cnxk_sec_ops.session_create = cn10k_sec_session_create; + cnxk_sec_ops.session_destroy = cn10k_sec_session_destroy; + cnxk_sec_ops.session_get_size = cn10k_sec_session_get_size; +} diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h new file mode 100644 index 0000000..668282f --- /dev/null +++ b/drivers/crypto/cnxk/cn10k_ipsec.h @@ -0,0 +1,36 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef __CN10K_IPSEC_H__ +#define __CN10K_IPSEC_H__ + +#include + +#include "cnxk_ipsec.h" + +#define CN10K_IPSEC_SA_CTX_HDR_SIZE 1 + +struct cn10k_ipsec_sa { + union { + /** Inbound SA */ + struct roc_ot_ipsec_inb_sa in_sa; + /** Outbound SA */ + struct roc_ot_ipsec_outb_sa out_sa; + }; + /** Pre-populated CPT inst words */ + struct cnxk_cpt_inst_tmpl inst; + uint8_t partial_len; + uint8_t roundup_len; + uint8_t roundup_byte; +}; + +struct cn10k_sec_session { + struct cn10k_ipsec_sa sa; + void *userdata; + /**< Userdata registered by the application */ +} __rte_cache_aligned; + +void cn10k_sec_ops_override(void); + +#endif /* __CN10K_IPSEC_H__ */ diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h new file mode 100644 index 0000000..f6897a0 --- /dev/null +++ b/drivers/crypto/cnxk/cnxk_ipsec.h 
@@ -0,0 +1,20 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ +#ifndef __CNXK_IPSEC_H__ +#define __CNXK_IPSEC_H__ + +#include +#include + +#include "roc_api.h" + +extern struct rte_security_ops cnxk_sec_ops; + +struct cnxk_cpt_inst_tmpl { + uint64_t w2; + uint64_t w4; + uint64_t w7; +}; + +#endif /* __CNXK_IPSEC_H__ */ diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build index a2b461e..c56d6cf 100644 --- a/drivers/crypto/cnxk/meson.build +++ b/drivers/crypto/cnxk/meson.build @@ -13,6 +13,7 @@ sources = files( 'cn9k_cryptodev_ops.c', 'cn10k_cryptodev.c', 'cn10k_cryptodev_ops.c', + 'cn10k_ipsec.c', 'cnxk_cryptodev.c', 'cnxk_cryptodev_capabilities.c', 'cnxk_cryptodev_ops.c', @@ -20,3 +21,5 @@ sources = files( ) deps += ['bus_pci', 'common_cnxk', 'security'] + +includes += include_directories('../../../lib/net')
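Review bot: in cn10k_ipsec.c, cn10k_ipsec_inb_sa_create() forces `sa->in_sa.w0.s.ar_win = 0` and leaves UDP encapsulation as a TODO, so an inbound session is created successfully without replay protection whatever the application asked for in the xform; cn10k_ipsec_xform_verify() should return -ENOTSUP when anti-replay or UDP encapsulation is requested until they are implemented. The same function does not clear in_sa before filling it, while the outbound path does `memset(out_sa, 0, sizeof(struct roc_ot_ipsec_outb_sa))`; the object comes from rte_mempool_get() and in_sa and out_sa share a union, so unless cnxk_ot_ipsec_inb_sa_fill() zeroes the structure itself, fields from an earlier session can survive. Related to that, cn10k_sec_session_destroy() returns priv to the mempool with the SA still populated; zero it before rte_mempool_put().

In cn10k_ipsec_xform_verify(), proto AH is accepted although only the AEAD/AES-GCM path exists, tunnel.type is checked even for transport mode, and crypto_xfrm is dereferenced without a NULL check. In the mempool_put error path of cn10k_sec_session_create(), clear the session's private data pointer before rte_mempool_put(), as the destroy path does, and move the protocol check ahead of the allocation. `inst_w4.s.param1 = 7` wants a named constant, and the rte_mb() in ipsec_cpt_inst_w7_get() follows only writes to a local variable, so it needs a comment saying what it orders or should be dropped.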
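Review bot: in cn10k_ipsec.h, CN10K_IPSEC_SA_CTX_HDR_SIZE is defined as 1 with no unit and is not referenced anywhere in this patch; either add a comment saying what it counts or introduce it in the patch that first uses it. partial_len, roundup_len and roundup_byte also lack the doc comments the other members of struct cn10k_ipsec_sa have, and they are only set on the outbound path.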
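Review bot: in cnxk_ipsec.h, struct cnxk_cpt_inst_tmpl declares w2, but neither SA create function in this patch writes sa->inst.w2 (only w4 and w7 are set); initialise it at session create or add the member with the patch that uses it, and document which CPT instruction word each member mirrors.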
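Review bot: in the last meson.build hunk, `includes += include_directories('../../../lib/net')` reaches into another library's source directory by relative path; if the driver needs headers from lib/net, listing 'net' in the existing `deps += ['bus_pci', 'common_cnxk', 'security']` line would express the dependency and let the build system supply the include path. The commit message should also say which header requires it.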