From patchwork Thu Sep 2 02:14:39 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nithin Dabilpuram X-Patchwork-Id: 97727 X-Patchwork-Delegate: jerinj@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 32F7DA0C4C; Thu, 2 Sep 2021 04:16:54 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 1B94A40698; Thu, 2 Sep 2021 04:16:54 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 397FA40696 for ; Thu, 2 Sep 2021 04:16:53 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 181HQBNn011731; Wed, 1 Sep 2021 19:16:51 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-type; s=pfpt0220; bh=6pvlpxrIQQpbibBBfgI7qe4xb5Iet4DEcFQLqK/k5l8=; b=g9vSeBiaiVsVyrrKpcscfSMgAgD48evnmZyzbbl6Hwm3obS5RzCSkDpLr8a/U7ifVZR+ 1AheoN0uusGDpkbTfcLcAoI3DY8jqpUMbFzSKBt0XYWETKP7afCs8Ks8RXeo47zhdNgl kIA8kqY3jvmvwYUU9rJWnFvni4l75/NzwTfjnhJQYQ7fuDlbUaDmcahotHm12Yb+NhKP QVa6kc4e/s7KMgjcJDVDTINzPHu1KmV+BjgLLnO+zqPjw2vR5fQXV2JJrWIGLRnjbkhA cVokJZn8V6ffG1Exs8mGi8VJSX+nOh/H8hTyuf1bgeDKXFXhbH/GIDyh5XJry3voIJg1 Kg== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com with ESMTP id 3atdwq9hpu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 01 Sep 2021 19:16:49 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Wed, 1 Sep 2021 19:16:47 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Wed, 1 Sep 2021 19:16:47 -0700 Received: from hyd1588t430.marvell.com (unknown [10.29.52.204]) by maili.marvell.com (Postfix) with ESMTP id DEA923F704B; Wed, 1 Sep 2021 19:16:44 -0700 (PDT) From: Nithin Dabilpuram To: Nithin Dabilpuram , Kiran Kumar K , Sunil Kumar Kori , Satha Rao , Ray Kinsella CC: , , Date: Thu, 2 Sep 2021 07:44:39 +0530 Message-ID: <20210902021505.17607-2-ndabilpuram@marvell.com> X-Mailer: git-send-email 2.8.4 In-Reply-To: <20210902021505.17607-1-ndabilpuram@marvell.com> References: <20210902021505.17607-1-ndabilpuram@marvell.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: qTjmChuHoaJdmzut40hKpPrGyEz7UIF9 X-Proofpoint-GUID: qTjmChuHoaJdmzut40hKpPrGyEz7UIF9 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-01_05,2021-09-01_01,2020-04-07_01 Subject: [dpdk-dev] [PATCH 01/27] common/cnxk: add security support for cn9k fast path X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Srujana Challa Add security support to init cn9k fast path SA data for AES GCM and AES CBC + HMAC SHA1. Signed-off-by: Srujana Challa Signed-off-by: Nithin Dabilpuram --- drivers/common/cnxk/cnxk_security.c | 211 ++++++++++++++++++++++++++++++++++++ drivers/common/cnxk/cnxk_security.h | 12 ++ drivers/common/cnxk/version.map | 4 + 3 files changed, 227 insertions(+) diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index 4f7fd1b..c25b3fd 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -383,6 +383,217 @@ cnxk_ot_ipsec_outb_sa_valid(struct roc_ot_ipsec_outb_sa *sa) return !!sa->w2.s.valid; } +static inline int +ipsec_xfrm_verify(struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + if (crypto_xfrm->next == NULL) + return -EINVAL; + + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { + if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH || + crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER) + return -EINVAL; + } else { + if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER || + crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH) + return -EINVAL; + } + + return 0; +} + +static int +onf_ipsec_sa_common_param_fill(struct roc_ie_onf_sa_ctl *ctl, uint8_t *salt, + uint8_t *cipher_key, uint8_t *hmac_opad_ipad, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm; + int rc, length, auth_key_len; + const uint8_t *key = NULL; + + /* Set direction */ + switch (ipsec_xfrm->direction) { + case RTE_SECURITY_IPSEC_SA_DIR_INGRESS: + ctl->direction = ROC_IE_SA_DIR_INBOUND; + auth_xfrm = crypto_xfrm; + cipher_xfrm = crypto_xfrm->next; + break; + case RTE_SECURITY_IPSEC_SA_DIR_EGRESS: + ctl->direction = ROC_IE_SA_DIR_OUTBOUND; + cipher_xfrm = crypto_xfrm; + auth_xfrm = crypto_xfrm->next; + break; + default: + return -EINVAL; + } + + /* Set protocol - ESP vs AH */ + switch (ipsec_xfrm->proto) { + case RTE_SECURITY_IPSEC_SA_PROTO_ESP: + ctl->ipsec_proto = ROC_IE_SA_PROTOCOL_ESP; + break; + case RTE_SECURITY_IPSEC_SA_PROTO_AH: + return -ENOTSUP; + default: + return -EINVAL; + } + + /* Set mode - transport vs tunnel */ + switch (ipsec_xfrm->mode) { + case RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT: + ctl->ipsec_mode = ROC_IE_SA_MODE_TRANSPORT; + break; + case RTE_SECURITY_IPSEC_SA_MODE_TUNNEL: + ctl->ipsec_mode = ROC_IE_SA_MODE_TUNNEL; + break; + default: + return -EINVAL; + } + + /* Set encryption algorithm */ + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + length = crypto_xfrm->aead.key.length; + + switch (crypto_xfrm->aead.algo) { + case RTE_CRYPTO_AEAD_AES_GCM: + ctl->enc_type = ROC_IE_ON_SA_ENC_AES_GCM; + ctl->auth_type = ROC_IE_ON_SA_AUTH_NULL; + memcpy(salt, &ipsec_xfrm->salt, 4); + key = crypto_xfrm->aead.key.data; + break; + default: + return -ENOTSUP; + } + + } else { + rc = ipsec_xfrm_verify(ipsec_xfrm, crypto_xfrm); + if (rc) + return rc; + + switch (cipher_xfrm->cipher.algo) { + case RTE_CRYPTO_CIPHER_AES_CBC: + ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC; + break; + default: + return -ENOTSUP; + } + + switch (auth_xfrm->auth.algo) { + case RTE_CRYPTO_AUTH_SHA1_HMAC: + ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA1; + break; + default: + return -ENOTSUP; + } + auth_key_len = auth_xfrm->auth.key.length; + if (auth_key_len < 20 || auth_key_len > 64) + return -ENOTSUP; + + key = cipher_xfrm->cipher.key.data; + length = cipher_xfrm->cipher.key.length; + + ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad); + } + + switch (length) { + case ROC_CPT_AES128_KEY_LEN: + ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128; + break; + case ROC_CPT_AES192_KEY_LEN: + ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192; + break; + case ROC_CPT_AES256_KEY_LEN: + ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256; + break; + default: + return -EINVAL; + } + + memcpy(cipher_key, key, length); + + if (ipsec_xfrm->options.esn) + ctl->esn_en = 1; + + ctl->spi = rte_cpu_to_be_32(ipsec_xfrm->spi); + return 0; +} + +int +cnxk_onf_ipsec_inb_sa_fill(struct roc_onf_ipsec_inb_sa *sa, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + struct roc_ie_onf_sa_ctl *ctl = &sa->ctl; + int rc; + + rc = onf_ipsec_sa_common_param_fill(ctl, sa->nonce, sa->cipher_key, + sa->hmac_key, ipsec_xfrm, + crypto_xfrm); + if (rc) + return rc; + + rte_wmb(); + + /* Enable SA */ + ctl->valid = 1; + return 0; +} + +int +cnxk_onf_ipsec_outb_sa_fill(struct roc_onf_ipsec_outb_sa *sa, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm) +{ + struct rte_security_ipsec_tunnel_param *tunnel = &ipsec_xfrm->tunnel; + struct roc_ie_onf_sa_ctl *ctl = &sa->ctl; + int rc; + + /* Fill common params */ + rc = onf_ipsec_sa_common_param_fill(ctl, sa->nonce, sa->cipher_key, + sa->hmac_key, ipsec_xfrm, + crypto_xfrm); + if (rc) + return rc; + + if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) + goto skip_tunnel_info; + + /* Tunnel header info */ + switch (tunnel->type) { + case RTE_SECURITY_IPSEC_TUNNEL_IPV4: + memcpy(&sa->ip_src, &tunnel->ipv4.src_ip, + sizeof(struct in_addr)); + memcpy(&sa->ip_dst, &tunnel->ipv4.dst_ip, + sizeof(struct in_addr)); + break; + case RTE_SECURITY_IPSEC_TUNNEL_IPV6: + return -ENOTSUP; + default: + return -EINVAL; + } + +skip_tunnel_info: + rte_wmb(); + + /* Enable SA */ + ctl->valid = 1; + return 0; +} + +bool +cnxk_onf_ipsec_inb_sa_valid(struct roc_onf_ipsec_inb_sa *sa) +{ + return !!sa->ctl.valid; +} + +bool +cnxk_onf_ipsec_outb_sa_valid(struct roc_onf_ipsec_outb_sa *sa) +{ + return !!sa->ctl.valid; +} + uint8_t cnxk_ipsec_ivlen_get(enum rte_crypto_cipher_algorithm c_algo, enum rte_crypto_auth_algorithm a_algo, diff --git a/drivers/common/cnxk/cnxk_security.h b/drivers/common/cnxk/cnxk_security.h index 602f583..db97887 100644 --- a/drivers/common/cnxk/cnxk_security.h +++ b/drivers/common/cnxk/cnxk_security.h @@ -46,4 +46,16 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa, bool __roc_api cnxk_ot_ipsec_inb_sa_valid(struct roc_ot_ipsec_inb_sa *sa); bool __roc_api cnxk_ot_ipsec_outb_sa_valid(struct roc_ot_ipsec_outb_sa *sa); +/* [CN9K, CN10K) */ +int __roc_api +cnxk_onf_ipsec_inb_sa_fill(struct roc_onf_ipsec_inb_sa *sa, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm); +int __roc_api +cnxk_onf_ipsec_outb_sa_fill(struct roc_onf_ipsec_outb_sa *sa, + struct rte_security_ipsec_xform *ipsec_xfrm, + struct rte_crypto_sym_xform *crypto_xfrm); +bool __roc_api cnxk_onf_ipsec_inb_sa_valid(struct roc_onf_ipsec_inb_sa *sa); +bool __roc_api cnxk_onf_ipsec_outb_sa_valid(struct roc_onf_ipsec_outb_sa *sa); + #endif /* _CNXK_SECURITY_H__ */ diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map index 34a844b..7814b60 100644 --- a/drivers/common/cnxk/version.map +++ b/drivers/common/cnxk/version.map @@ -14,6 +14,10 @@ INTERNAL { cnxk_logtype_sso; cnxk_logtype_tim; cnxk_logtype_tm; + cnxk_onf_ipsec_inb_sa_fill; + cnxk_onf_ipsec_outb_sa_fill; + cnxk_onf_ipsec_inb_sa_valid; + cnxk_onf_ipsec_outb_sa_valid; cnxk_ot_ipsec_inb_sa_fill; cnxk_ot_ipsec_outb_sa_fill; cnxk_ot_ipsec_inb_sa_valid;