@@ -178,3 +178,4 @@ Features supported
* ESN
* Anti-replay
* AES-128/192/256-GCM
+* AES-128/192/256-CBC-SHA1-HMAC
@@ -60,6 +60,9 @@ New Features
* Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with
ESN and anti-replay support.
+ * Added support for aes-cbc sha1-hmac cipher combination in OCTEON TX2 crypto
+ PMD lookaside protocol offload for IPsec.
+
Removed Items
-------------
@@ -206,11 +206,11 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
struct otx2_ipsec_po_sa_ctl *ctl;
int cipher_key_len, auth_key_len;
struct otx2_ipsec_po_out_sa *sa;
+ struct rte_ipv6_hdr *ip6 = NULL;
+ struct rte_ipv4_hdr *ip = NULL;
struct otx2_sec_session *sess;
struct otx2_cpt_inst_s inst;
- struct rte_ipv6_hdr *ip6;
- struct rte_ipv4_hdr *ip;
- int ret;
+ int ret, ctx_len;
sess = get_sec_session_private_data(sec_sess);
sess->ipsec.dir = RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
@@ -239,19 +239,36 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
if (ret)
return ret;
- memcpy(sa->iv.gcm.nonce, &ipsec->salt, 4);
-
- if (ipsec->options.udp_encap) {
- sa->udp_src = 4500;
- sa->udp_dst = 4500;
- }
-
if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
/* Start ip id from 1 */
lp->ip_id = 1;
if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
- ip = &sa->template.ipv4_hdr;
+
+ if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
+ if (ipsec->options.udp_encap) {
+ sa->aes_gcm.template.ip4.udp_src = 4500;
+ sa->aes_gcm.template.ip4.udp_dst = 4500;
+ }
+ ip = &sa->aes_gcm.template.ip4.ipv4_hdr;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ aes_gcm.template) + sizeof(
+ sa->aes_gcm.template.ip4);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
+ } else if (ctl->auth_type ==
+ OTX2_IPSEC_PO_SA_AUTH_SHA1) {
+ if (ipsec->options.udp_encap) {
+ sa->sha1.template.ip4.udp_src = 4500;
+ sa->sha1.template.ip4.udp_dst = 4500;
+ }
+ ip = &sa->sha1.template.ip4.ipv4_hdr;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ sha1.template) + sizeof(
+ sa->sha1.template.ip4);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
+ }
ip->version_ihl = RTE_IPV4_VHL_DEF;
ip->next_proto_id = IPPROTO_ESP;
ip->time_to_live = ipsec->tunnel.ipv4.ttl;
@@ -264,7 +281,32 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
sizeof(struct in_addr));
} else if (ipsec->tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
- ip6 = &sa->template.ipv6_hdr;
+
+ if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
+ if (ipsec->options.udp_encap) {
+ sa->aes_gcm.template.ip6.udp_src = 4500;
+ sa->aes_gcm.template.ip6.udp_dst = 4500;
+ }
+ ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ aes_gcm.template) + sizeof(
+ sa->aes_gcm.template.ip6);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
+ } else if (ctl->auth_type ==
+ OTX2_IPSEC_PO_SA_AUTH_SHA1) {
+ if (ipsec->options.udp_encap) {
+ sa->sha1.template.ip6.udp_src = 4500;
+ sa->sha1.template.ip6.udp_dst = 4500;
+ }
+ ip6 = &sa->sha1.template.ip6.ipv6_hdr;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ sha1.template) + sizeof(
+ sa->sha1.template.ip6);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
+ }
+
ip6->vtc_flow = rte_cpu_to_be_32(0x60000000 |
((ipsec->tunnel.ipv6.dscp <<
RTE_IPV6_HDR_TC_SHIFT) &
@@ -294,21 +336,18 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
auth_key_len = 0;
if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
+ memcpy(sa->iv.gcm.nonce, &ipsec->salt, 4);
cipher_key = crypto_xform->aead.key.data;
cipher_key_len = crypto_xform->aead.key.length;
-
- lp->ctx_len = sizeof(struct otx2_ipsec_po_out_sa);
- lp->ctx_len >>= 3;
- RTE_ASSERT(lp->ctx_len == OTX2_IPSEC_PO_AES_GCM_OUTB_CTX_LEN);
} else {
cipher_key = cipher_xform->cipher.key.data;
cipher_key_len = cipher_xform->cipher.key.length;
auth_key = auth_xform->auth.key.data;
auth_key_len = auth_xform->auth.key.length;
- /* TODO: check the ctx len for supporting ALGO */
- lp->ctx_len = sizeof(struct otx2_ipsec_po_out_sa) >> 3;
- RTE_ASSERT(lp->ctx_len == OTX2_IPSEC_PO_MAX_OUTB_CTX_LEN);
+ if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+ memcpy(sa->sha1.hmac_key, auth_key, auth_key_len);
}
if (cipher_key_len != 0)
@@ -316,10 +355,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
else
return -EINVAL;
- /* Use OPAD & IPAD */
- RTE_SET_USED(auth_key);
- RTE_SET_USED(auth_key_len);
-
inst.u64[7] = 0;
inst.egrp = OTX2_CPT_EGRP_SE;
inst.cptr = rte_mempool_virt2iova(sa);
@@ -342,9 +377,9 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
struct rte_security_session *sec_sess)
{
struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+ const uint8_t *cipher_key, *auth_key;
struct otx2_sec_session_ipsec_lp *lp;
struct otx2_ipsec_po_sa_ctl *ctl;
- const uint8_t *cipher_key, *auth_key;
int cipher_key_len, auth_key_len;
struct otx2_ipsec_po_in_sa *sa;
struct otx2_sec_session *sess;
@@ -392,9 +427,11 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
auth_key = auth_xform->auth.key.data;
auth_key_len = auth_xform->auth.key.length;
- /* TODO: check the ctx len for supporting ALGO */
- lp->ctx_len = sizeof(struct otx2_ipsec_po_in_sa) >> 2;
- RTE_ASSERT(lp->ctx_len == OTX2_IPSEC_PO_MAX_INB_CTX_LEN);
+ if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+ memcpy(sa->aes_gcm.hmac_key, auth_key, auth_key_len);
+
+ lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa,
+ aes_gcm.selector) >> 3;
}
if (cipher_key_len != 0)
@@ -402,10 +439,6 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
else
return -EINVAL;
- /* Use OPAD & IPAD */
- RTE_SET_USED(auth_key);
- RTE_SET_USED(auth_key_len);
-
inst.u64[7] = 0;
inst.egrp = OTX2_CPT_EGRP_SE;
inst.cptr = rte_mempool_virt2iova(sa);
@@ -10,10 +10,6 @@
#include <rte_security.h>
#define OTX2_IPSEC_PO_AES_GCM_INB_CTX_LEN 0x09
-#define OTX2_IPSEC_PO_AES_GCM_OUTB_CTX_LEN 0x28
-
-#define OTX2_IPSEC_PO_MAX_INB_CTX_LEN 0x22
-#define OTX2_IPSEC_PO_MAX_OUTB_CTX_LEN 0x38
#define OTX2_IPSEC_PO_PER_PKT_IV BIT(11)
@@ -171,9 +167,16 @@ struct otx2_ipsec_po_in_sa {
struct otx2_ipsec_po_ip_template {
RTE_STD_C11
union {
- uint8_t raw[252];
- struct rte_ipv4_hdr ipv4_hdr;
- struct rte_ipv6_hdr ipv6_hdr;
+ struct {
+ struct rte_ipv4_hdr ipv4_hdr;
+ uint16_t udp_src;
+ uint16_t udp_dst;
+ } ip4;
+ struct {
+ struct rte_ipv6_hdr ipv6_hdr;
+ uint16_t udp_src;
+ uint16_t udp_dst;
+ } ip6;
};
};
@@ -191,10 +194,18 @@ struct otx2_ipsec_po_out_sa {
uint32_t esn_hi;
uint32_t esn_low;
- /* w8-w39 */
- struct otx2_ipsec_po_ip_template template;
- uint16_t udp_src;
- uint16_t udp_dst;
+ /* w8-w55 */
+ union {
+ uint8_t raw[384];
+ struct {
+ struct otx2_ipsec_po_ip_template template;
+ } aes_gcm;
+ struct {
+ uint8_t hmac_key[24];
+ uint8_t unused[24];
+ struct otx2_ipsec_po_ip_template template;
+ } sha1;
+ };
};
static inline int
@@ -348,8 +359,8 @@ ipsec_po_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
return -ENOTSUP;
}
} else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
- ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_CCM;
- aes_key_len = xform->cipher.key.length;
+ ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_CBC;
+ aes_key_len = cipher_xform->cipher.key.length;
} else {
return -ENOTSUP;
}
@@ -111,7 +111,7 @@ process_outb_sa(struct rte_crypto_op *cop,
memcpy(&hdr->iv[0], &sa->iv.gcm.nonce, 4);
memcpy(&hdr->iv[4], rte_crypto_op_ctod_offset(cop, uint8_t *,
sess->iv_offset), sess->iv_length);
- } else if (ctl_wrd->auth_type == OTX2_IPSEC_FP_SA_ENC_AES_CBC) {
+ } else if (ctl_wrd->auth_type == OTX2_IPSEC_PO_SA_AUTH_SHA1) {
memcpy(&hdr->iv[0], rte_crypto_op_ctod_offset(cop, uint8_t *,
sess->iv_offset), sess->iv_length);
}