From patchwork Mon Aug 8 08:05:49 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anoob Joseph X-Patchwork-Id: 114691 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id B0D11A034C; Mon, 8 Aug 2022 10:06:18 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 3FDAE42B79; Mon, 8 Aug 2022 10:06:13 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 2245342B77 for ; Mon, 8 Aug 2022 10:06:12 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 277MwkKn002933 for ; Mon, 8 Aug 2022 01:06:11 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=OnIKocMc22pkSG+IkxP5G4WyVzBqGbZQm5JJM091grk=; b=GlDWUbht7vB5nElVW1SHjzcCLxRwsi15c2Wd3KBPmsj0VqrXn1b9cWMVdNKiPJFbOvMY PgmANNnPiv2hiDoRdkg292BPZ1PIqx0wGWc7NbRMxmqAOL97KBKStJ8msy3KSgG3M6jq sF378BE5syA/YtVxO1KPB+j3QmU8OsM2RVAKRSo4VfC+5qYBkfrnFC+h+uumv8tOTFp0 pQH+qzBiqAY6Ihe9elpsDxUThhukk6lGIEDKU35dygvmvl4MwntPy/KvqoyFgilyR/pv g1u4t8kHZLyBY9PebbwvpM74Iki+puH6qgbuMaC+MruE7VqJiU9S3qU8pN7kqEU/Wl6C iA== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3hsqtmmxdq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Mon, 08 Aug 2022 01:06:11 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Mon, 8 Aug 2022 01:06:09 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Mon, 8 Aug 2022 01:06:09 -0700 Received: from BG-LT92004.corp.innovium.com (unknown [10.28.160.62]) by maili.marvell.com (Postfix) with ESMTP id 2E1C03F7043; Mon, 8 Aug 2022 01:06:06 -0700 (PDT) From: Anoob Joseph To: Akhil Goyal , Jerin Jacob CC: Archana Muniganti , Tejasree Kondoj , Subject: [PATCH 01/18] crypto/cnxk: add AES-CCM support Date: Mon, 8 Aug 2022 13:35:49 +0530 Message-ID: <20220808080606.220-2-anoobj@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220808080606.220-1-anoobj@marvell.com> References: <20220808080606.220-1-anoobj@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: fxYBbm1aNGEWbobCbCLrb68A6q4P3ycM X-Proofpoint-ORIG-GUID: fxYBbm1aNGEWbobCbCLrb68A6q4P3ycM X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-08-08_05,2022-08-05_01,2022-06-22_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org From: Archana Muniganti Add lookaside IPsec AES-CCM support in CN9K & CN10K PMDs. Signed-off-by: Archana Muniganti --- doc/guides/rel_notes/release_22_11.rst | 4 ++ drivers/common/cnxk/cnxk_security.c | 38 ++++++++++++-- drivers/common/cnxk/roc_cpt.h | 13 ++--- drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 1 + drivers/crypto/cnxk/cnxk_cryptodev.h | 2 +- .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 49 ++++++++++++++++--- drivers/crypto/cnxk/cnxk_ipsec.h | 3 +- 7 files changed, 93 insertions(+), 17 deletions(-) diff --git a/doc/guides/rel_notes/release_22_11.rst b/doc/guides/rel_notes/release_22_11.rst index 8c021cf050..333f66bef3 100644 --- a/doc/guides/rel_notes/release_22_11.rst +++ b/doc/guides/rel_notes/release_22_11.rst @@ -55,6 +55,10 @@ New Features Also, make sure to start the actual text at the margin. ======================================================= +* **Updated Marvell cnxk crypto driver.** + + * Added AES-CCM support in lookaside protocol (IPsec) for CN9K & CN10K. + Removed Items ------------- diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index dca8742be3..8a0e4dea4c 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -58,6 +58,7 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, { struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm; const uint8_t *key = NULL; + uint8_t ccm_flag = 0; uint32_t *tmp_salt; uint64_t *tmp_key; int i, length = 0; @@ -113,6 +114,15 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, tmp_salt = (uint32_t *)salt_key; *tmp_salt = rte_be_to_cpu_32(*tmp_salt); break; + case RTE_CRYPTO_AEAD_AES_CCM: + w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CCM; + w2->s.auth_type = ROC_IE_OT_SA_AUTH_NULL; + ccm_flag = 0x07 & ~ROC_CPT_AES_CCM_CTR_LEN; + *salt_key = ccm_flag; + memcpy(PLT_PTR_ADD(salt_key, 1), &ipsec_xfrm->salt, 3); + tmp_salt = (uint32_t *)salt_key; + *tmp_salt = rte_be_to_cpu_32(*tmp_salt); + break; default: return -ENOTSUP; } @@ -204,6 +214,7 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM || w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CTR || w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM || + w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM || w2->s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC) { switch (length) { case ROC_CPT_AES128_KEY_LEN: @@ -612,6 +623,7 @@ onf_ipsec_sa_common_param_fill(struct roc_ie_onf_sa_ctl *ctl, uint8_t *salt, struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm; int rc, length, auth_key_len; const uint8_t *key = NULL; + uint8_t ccm_flag = 0; /* Set direction */ switch (ipsec_xfrm->direction) { @@ -663,6 +675,14 @@ onf_ipsec_sa_common_param_fill(struct roc_ie_onf_sa_ctl *ctl, uint8_t *salt, memcpy(salt, &ipsec_xfrm->salt, 4); key = crypto_xfrm->aead.key.data; break; + case RTE_CRYPTO_AEAD_AES_CCM: + ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CCM; + ctl->auth_type = ROC_IE_ON_SA_AUTH_NULL; + ccm_flag = 0x07 & ~ROC_CPT_AES_CCM_CTR_LEN; + *salt = ccm_flag; + memcpy(PLT_PTR_ADD(salt, 1), &ipsec_xfrm->salt, 3); + key = crypto_xfrm->aead.key.data; + break; default: return -ENOTSUP; } @@ -810,7 +830,7 @@ cnxk_ipsec_ivlen_get(enum rte_crypto_cipher_algorithm c_algo, { uint8_t ivlen = 0; - if (aead_algo == RTE_CRYPTO_AEAD_AES_GCM) + if ((aead_algo == RTE_CRYPTO_AEAD_AES_GCM) || (aead_algo == RTE_CRYPTO_AEAD_AES_CCM)) ivlen = 8; switch (c_algo) { @@ -873,6 +893,7 @@ cnxk_ipsec_icvlen_get(enum rte_crypto_cipher_algorithm c_algo, switch (aead_algo) { case RTE_CRYPTO_AEAD_AES_GCM: + case RTE_CRYPTO_AEAD_AES_CCM: icv = 16; break; default: @@ -888,7 +909,7 @@ cnxk_ipsec_outb_roundup_byte(enum rte_crypto_cipher_algorithm c_algo, { uint8_t roundup_byte = 4; - if (aead_algo == RTE_CRYPTO_AEAD_AES_GCM) + if ((aead_algo == RTE_CRYPTO_AEAD_AES_GCM) || (aead_algo == RTE_CRYPTO_AEAD_AES_CCM)) return roundup_byte; switch (c_algo) { @@ -1023,6 +1044,10 @@ on_ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec, ctl->enc_type = ROC_IE_ON_SA_ENC_AES_GCM; aes_key_len = crypto_xform->aead.key.length; break; + case RTE_CRYPTO_AEAD_AES_CCM: + ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CCM; + aes_key_len = crypto_xform->aead.key.length; + break; default: plt_err("Unsupported AEAD algorithm"); return -ENOTSUP; @@ -1087,6 +1112,7 @@ on_ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec, ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CCM || ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CTR || ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM || + ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CCM || ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) { switch (aes_key_len) { case 16: @@ -1129,6 +1155,7 @@ on_fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec, struct rte_crypto_sym_xform *cipher_xform, *auth_xform; const uint8_t *cipher_key; int cipher_key_len = 0; + uint8_t ccm_flag = 0; int ret; ret = on_ipsec_sa_ctl_set(ipsec, crypto_xform, &common_sa->ctl); @@ -1146,6 +1173,11 @@ on_fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec, if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) memcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4); + else if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_CCM) { + ccm_flag = 0x07 & ~ROC_CPT_AES_CCM_CTR_LEN; + *common_sa->iv.gcm.nonce = ccm_flag; + memcpy(PLT_PTR_ADD(common_sa->iv.gcm.nonce, 1), &ipsec->salt, 3); + } cipher_key = crypto_xform->aead.key.data; cipher_key_len = crypto_xform->aead.key.length; } else { @@ -1194,7 +1226,7 @@ cnxk_on_ipsec_outb_sa_create(struct rte_security_ipsec_xform *ipsec, return ret; if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM || - ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL || + ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CCM || ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL || ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) { template = &out_sa->aes_gcm.template; ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template); diff --git a/drivers/common/cnxk/roc_cpt.h b/drivers/common/cnxk/roc_cpt.h index a3a65f1e94..0cebc05c74 100644 --- a/drivers/common/cnxk/roc_cpt.h +++ b/drivers/common/cnxk/roc_cpt.h @@ -43,12 +43,13 @@ ROC_CN10K_CPT_INST_DW_M1 << (19 + 3 * 14)) /* CPT helper macros */ -#define ROC_CPT_AH_HDR_LEN 12 -#define ROC_CPT_AES_GCM_IV_LEN 8 -#define ROC_CPT_AES_GCM_MAC_LEN 16 -#define ROC_CPT_AES_CBC_IV_LEN 16 -#define ROC_CPT_SHA1_HMAC_LEN 12 -#define ROC_CPT_SHA2_HMAC_LEN 16 +#define ROC_CPT_AH_HDR_LEN 12 +#define ROC_CPT_AES_GCM_IV_LEN 8 +#define ROC_CPT_AES_GCM_MAC_LEN 16 +#define ROC_CPT_AES_CCM_CTR_LEN 4 +#define ROC_CPT_AES_CBC_IV_LEN 16 +#define ROC_CPT_SHA1_HMAC_LEN 12 +#define ROC_CPT_SHA2_HMAC_LEN 16 #define ROC_CPT_DES3_KEY_LEN 24 #define ROC_CPT_AES128_KEY_LEN 16 diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h index 66cfe6ca98..e220863799 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h +++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h @@ -66,6 +66,7 @@ process_outb_sa(struct roc_cpt_lf *lf, struct rte_crypto_op *cop, #ifdef LA_IPSEC_DEBUG if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) { if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM || + sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM || sess->out_sa.w2.s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC) ipsec_po_sa_aes_gcm_iv_set(sess, cop); else diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index 8870021725..a3dcfbfa6d 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -11,7 +11,7 @@ #include "roc_cpt.h" #define CNXK_CPT_MAX_CAPS 35 -#define CNXK_SEC_CRYPTO_MAX_CAPS 13 +#define CNXK_SEC_CRYPTO_MAX_CAPS 14 #define CNXK_SEC_MAX_CAPS 9 #define CNXK_AE_EC_ID_MAX 8 /** diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index 705d67e91f..fdc646a6fc 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -775,6 +775,36 @@ static const struct rte_cryptodev_capabilities sec_caps_aes[] = { }, } }, } }, + { /* AES CCM */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD, + {.aead = { + .algo = RTE_CRYPTO_AEAD_AES_CCM, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 8 + }, + .digest_size = { + .min = 16, + .max = 16, + .increment = 0 + }, + .aad_size = { + .min = 8, + .max = 12, + .increment = 4 + }, + .iv_size = { + .min = 12, + .max = 12, + .increment = 0 + } + }, } + }, } + }, { /* AES CTR */ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, {.sym = { @@ -1155,14 +1185,23 @@ cnxk_crypto_capabilities_get(struct cnxk_cpt_vf *vf) return vf->crypto_caps; } +static bool +sec_caps_limit_check(int *cur_pos, int nb_caps) +{ + if (*cur_pos + nb_caps > CNXK_SEC_CRYPTO_MAX_CAPS) { + rte_panic("Could not add sec crypto caps"); + return true; + } + + return false; +} + static void sec_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos, const struct rte_cryptodev_capabilities *caps, int nb_caps) { - if (*cur_pos + nb_caps > CNXK_SEC_CRYPTO_MAX_CAPS) { - rte_panic("Could not add sec crypto caps"); + if (sec_caps_limit_check(cur_pos, nb_caps)) return; - } memcpy(&cnxk_caps[*cur_pos], caps, nb_caps * sizeof(caps[0])); *cur_pos += nb_caps; @@ -1175,10 +1214,8 @@ cn10k_sec_crypto_caps_update(struct rte_cryptodev_capabilities cnxk_caps[], const struct rte_cryptodev_capabilities *cap; unsigned int i; - if ((CNXK_SEC_CRYPTO_MAX_CAPS - *cur_pos) < 1) { - rte_panic("Could not add sec crypto caps"); + if (sec_caps_limit_check(cur_pos, 1)) return; - } /* NULL auth */ for (i = 0; i < RTE_DIM(caps_null); i++) { diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h index 07ab2cf4ee..00873ca6ac 100644 --- a/drivers/crypto/cnxk/cnxk_ipsec.h +++ b/drivers/crypto/cnxk/cnxk_ipsec.h @@ -87,7 +87,8 @@ ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xform, crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT) return -EINVAL; - if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM || + crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_CCM) { switch (crypto_xform->aead.key.length) { case 16: case 24: