crypto/cnxk: support lookaside IPsec HMAC-SHA384/512

Adding HMAC-SHA384/512 support to cnxk lookaside IPsec. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-12-17 14:49:54 +05:30 · 2021-12-17 14:49:54 +05:30 · 09e5c772fa
commit 09e5c772fa
parent c59311e11e
7 changed files with 118 additions and 27 deletions
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@ -267,6 +267,8 @@ Auth algorithms
 * SHA1-HMAC
 * SHA256-128-HMAC
 * SHA384-192-HMAC
 * SHA512-256-HMAC
 CN10XX Features supported
 ~~~~~~~~~~~~~~~~~~~~~~~~~
@ -293,3 +295,5 @@ Auth algorithms
 * NULL
 * SHA1-HMAC
 * SHA256-128-HMAC
 * SHA384-192-HMAC
 * SHA512-256-HMAC
--- a/doc/guides/rel_notes/release_22_03.rst
+++ b/doc/guides/rel_notes/release_22_03.rst
@ -58,6 +58,8 @@ New Features
 * **Updated Marvell cnxk crypto PMD.**
  * Added SHA256-HMAC support in lookaside protocol (IPsec) for CN10K.
  * Added SHA384-HMAC support in lookaside protocol (IPsec) for CN9K & CN10K.
  * Added SHA512-HMAC support in lookaside protocol (IPsec) for CN9K & CN10K.
 * **Added an API to retrieve event port id of ethdev Rx adapter.**
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@ -36,6 +36,14 @@ ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform,
 		roc_hash_sha256_gen(opad, (uint32_t *)&hmac_opad_ipad[0]);
 		roc_hash_sha256_gen(ipad, (uint32_t *)&hmac_opad_ipad[64]);
 		break;
 	case RTE_CRYPTO_AUTH_SHA384_HMAC:
 		roc_hash_sha512_gen(opad, (uint64_t *)&hmac_opad_ipad[0], 384);
 		roc_hash_sha512_gen(ipad, (uint64_t *)&hmac_opad_ipad[64], 384);
 		break;
 	case RTE_CRYPTO_AUTH_SHA512_HMAC:
 		roc_hash_sha512_gen(opad, (uint64_t *)&hmac_opad_ipad[0], 512);
 		roc_hash_sha512_gen(ipad, (uint64_t *)&hmac_opad_ipad[64], 512);
 		break;
 	default:
 		break;
 	}
@ -125,28 +133,28 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 			break;
 		case RTE_CRYPTO_AUTH_SHA1_HMAC:
 			w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA1;
 			ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
 			tmp_key = (uint64_t *)hmac_opad_ipad;
 			for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN /
 					      sizeof(uint64_t));
 			     i++)
 				tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
 			break;
 		case RTE_CRYPTO_AUTH_SHA256_HMAC:
 			w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_256;
-			ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
+			break;
-
+		case RTE_CRYPTO_AUTH_SHA384_HMAC:
-			tmp_key = (uint64_t *)hmac_opad_ipad;
+			w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_384;
-			for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN /
+			break;
-					      sizeof(uint64_t));
+		case RTE_CRYPTO_AUTH_SHA512_HMAC:
-			     i++)
+			w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_512;
 				tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
 			break;
 		default:
 			return -ENOTSUP;
 		}
 		ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
 		tmp_key = (uint64_t *)hmac_opad_ipad;
 		for (i = 0;
 		     i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t));
 		     i++)
 			tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
 		key = cipher_xfrm->cipher.key.data;
 		length = cipher_xfrm->cipher.key.length;
 	}
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@ -321,14 +321,23 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
 	    ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL) {
 		template = &out_sa->aes_gcm.template;
 		ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template);
 	} else if (ctl->auth_type == ROC_IE_ON_SA_AUTH_SHA1) {
 		template = &out_sa->sha1.template;
 		ctx_len = offsetof(struct roc_ie_on_outb_sa, sha1.template);
 	} else if (ctl->auth_type == ROC_IE_ON_SA_AUTH_SHA2_256) {
 		template = &out_sa->sha2.template;
 		ctx_len = offsetof(struct roc_ie_on_outb_sa, sha2.template);
 	} else {
-		return -EINVAL;
+		switch (ctl->auth_type) {
 		case ROC_IE_ON_SA_AUTH_SHA1:
 			template = &out_sa->sha1.template;
 			ctx_len = offsetof(struct roc_ie_on_outb_sa,
 					   sha1.template);
 			break;
 		case ROC_IE_ON_SA_AUTH_SHA2_256:
 		case ROC_IE_ON_SA_AUTH_SHA2_384:
 		case ROC_IE_ON_SA_AUTH_SHA2_512:
 			template = &out_sa->sha2.template;
 			ctx_len = offsetof(struct roc_ie_on_outb_sa,
 					   sha2.template);
 			break;
 		default:
 			return -EINVAL;
 		}
 	}
 	ip4 = (struct rte_ipv4_hdr *)&template->ip4.ipv4_hdr;
@ -397,10 +406,22 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
 		auth_key = auth_xform->auth.key.data;
 		auth_key_len = auth_xform->auth.key.length;
-		if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+		switch (auth_xform->auth.algo) {
 		case RTE_CRYPTO_AUTH_NULL:
 			break;
 		case RTE_CRYPTO_AUTH_SHA1_HMAC:
 			memcpy(out_sa->sha1.hmac_key, auth_key, auth_key_len);
-		else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
+			break;
 		case RTE_CRYPTO_AUTH_SHA256_HMAC:
 		case RTE_CRYPTO_AUTH_SHA384_HMAC:
 		case RTE_CRYPTO_AUTH_SHA512_HMAC:
 			memcpy(out_sa->sha2.hmac_key, auth_key, auth_key_len);
 			break;
 		default:
 			plt_err("Unsupported auth algorithm %u",
 				auth_xform->auth.algo);
 			return -ENOTSUP;
 		}
 	}
 	inst_tmpl = &sa->inst;
@ -466,16 +487,26 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
 		auth_key = auth_xform->auth.key.data;
 		auth_key_len = auth_xform->auth.key.length;
-		if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+		switch (auth_xform->auth.algo) {
 		case RTE_CRYPTO_AUTH_NULL:
 			break;
 		case RTE_CRYPTO_AUTH_SHA1_HMAC:
 			memcpy(in_sa->sha1_or_gcm.hmac_key, auth_key,
 			       auth_key_len);
 			ctx_len = offsetof(struct roc_ie_on_inb_sa,
 					   sha1_or_gcm.selector);
-		} else if (auth_xform->auth.algo ==
+			break;
-			   RTE_CRYPTO_AUTH_SHA256_HMAC) {
+		case RTE_CRYPTO_AUTH_SHA256_HMAC:
 		case RTE_CRYPTO_AUTH_SHA384_HMAC:
 		case RTE_CRYPTO_AUTH_SHA512_HMAC:
 			memcpy(in_sa->sha2.hmac_key, auth_key, auth_key_len);
 			ctx_len = offsetof(struct roc_ie_on_inb_sa,
 					   sha2.selector);
 			break;
 		default:
 			plt_err("Unsupported auth algorithm %u",
 				auth_xform->auth.algo);
 			return -ENOTSUP;
 		}
 	}
--- a/drivers/crypto/cnxk/cnxk_cryptodev.h
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.h
@ -11,7 +11,7 @@
 #include "roc_cpt.h"
 #define CNXK_CPT_MAX_CAPS	 34
-#define CNXK_SEC_CRYPTO_MAX_CAPS 6
+#define CNXK_SEC_CRYPTO_MAX_CAPS 8
 #define CNXK_SEC_MAX_CAPS	 5
 #define CNXK_AE_EC_ID_MAX	 8
 /**
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@ -817,6 +817,46 @@ static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = {
 			}, }
 		}, }
 	},
 	{	/* SHA384 HMAC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
 			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
 			{.auth = {
 				.algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
 				.block_size = 64,
 				.key_size = {
 					.min = 48,
 					.max = 48,
 					.increment = 0
 				},
 				.digest_size = {
 					.min = 24,
 					.max = 24,
 					.increment = 0
 					},
 			}, }
 		}, }
 	},
 	{	/* SHA512 HMAC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
 			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
 			{.auth = {
 				.algo = RTE_CRYPTO_AUTH_SHA512_HMAC,
 				.block_size = 128,
 				.key_size = {
 					.min = 64,
 					.max = 64,
 					.increment = 0
 				},
 				.digest_size = {
 					.min = 32,
 					.max = 32,
 					.increment = 0
 				},
 			}, }
 		}, }
 	},
 };
 static const struct rte_security_capability sec_caps_templ[] = {
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@ -49,6 +49,12 @@ ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
 	} else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) {
 		if (keylen >= 32 && keylen <= 64)
 			return 0;
 	} else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA384_HMAC) {
 		if (keylen == 48)
 			return 0;
 	} else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA512_HMAC) {
 		if (keylen == 64)
 			return 0;
 	}
 	return -ENOTSUP;