d/numam-dpdk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

crypto/octeontx2: support UDP encapsulation

Browse Source 
Adding UDP encapsulation support for IPsec in
lookaside protocol mode.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
This commit is contained in:
Tejasree Kondoj 2021-04-15 12:52:03 +05:30 committed by Akhil Goyal
parent d014dddb2d
commit 0ff065d096
3 changed files with 28 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
doc/guides/cryptodevs/octeontx2.rst
View File

@ -181,6 +181,7 @@ Features supported
* Tunnel mode
* ESN
* Anti-replay
* UDP Encapsulation
* AES-128/192/256-GCM
* AES-128/192/256-CBC-SHA1-HMAC
* AES-128/192/256-CBC-SHA256-128-HMAC

2
doc/guides/rel_notes/release_21_05.rst
View File

@ -163,6 +163,8 @@ New Features
* **Updated the OCTEON TX2 crypto PMD.**
* Added support for DIGEST_ENCRYPTED mode in OCTEON TX2 crypto PMD.
* Added support in lookaside protocol offload mode for IPsec with
UDP encapsulation support for NAT Traversal.
* **Updated Mellanox RegEx PMD.**

59
drivers/crypto/octeontx2/otx2_cryptodev_sec.c
View File

@ -203,6 +203,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
struct rte_security_session *sec_sess)
{
struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
struct otx2_ipsec_po_ip_template *template;
const uint8_t *cipher_key, *auth_key;
struct otx2_sec_session_ipsec_lp *lp;
struct otx2_ipsec_po_sa_ctl *ctl;
@ -248,11 +249,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
if (ipsec->options.udp_encap) {
sa->aes_gcm.template.ip4.udp_src = 4500;
sa->aes_gcm.template.ip4.udp_dst = 4500;
}
ip = &sa->aes_gcm.template.ip4.ipv4_hdr;
template = &sa->aes_gcm.template;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
aes_gcm.template) + sizeof(
sa->aes_gcm.template.ip4);
@ -260,11 +257,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
lp->ctx_len = ctx_len >> 3;
} else if (ctl->auth_type ==
OTX2_IPSEC_PO_SA_AUTH_SHA1) {
if (ipsec->options.udp_encap) {
sa->sha1.template.ip4.udp_src = 4500;
sa->sha1.template.ip4.udp_dst = 4500;
}
ip = &sa->sha1.template.ip4.ipv4_hdr;
template = &sa->sha1.template;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
sha1.template) + sizeof(
sa->sha1.template.ip4);
@ -272,11 +265,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
lp->ctx_len = ctx_len >> 3;
} else if (ctl->auth_type ==
OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
if (ipsec->options.udp_encap) {
sa->sha2.template.ip4.udp_src = 4500;
sa->sha2.template.ip4.udp_dst = 4500;
}
ip = &sa->sha2.template.ip4.ipv4_hdr;
template = &sa->sha2.template;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
sha2.template) + sizeof(
sa->sha2.template.ip4);
@ -285,8 +274,15 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
} else {
return -EINVAL;
}
ip = &template->ip4.ipv4_hdr;
if (ipsec->options.udp_encap) {
ip->next_proto_id = IPPROTO_UDP;
template->ip4.udp_src = rte_be_to_cpu_16(4500);
template->ip4.udp_dst = rte_be_to_cpu_16(4500);
} else {
ip->next_proto_id = IPPROTO_ESP;
}
ip->version_ihl = RTE_IPV4_VHL_DEF;
ip->next_proto_id = IPPROTO_ESP;
ip->time_to_live = ipsec->tunnel.ipv4.ttl;
ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
if (ipsec->tunnel.ipv4.df)
@ -299,11 +295,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
if (ipsec->options.udp_encap) {
sa->aes_gcm.template.ip6.udp_src = 4500;
sa->aes_gcm.template.ip6.udp_dst = 4500;
}
ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr;
template = &sa->aes_gcm.template;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
aes_gcm.template) + sizeof(
sa->aes_gcm.template.ip6);
@ -311,11 +303,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
lp->ctx_len = ctx_len >> 3;
} else if (ctl->auth_type ==
OTX2_IPSEC_PO_SA_AUTH_SHA1) {
if (ipsec->options.udp_encap) {
sa->sha1.template.ip6.udp_src = 4500;
sa->sha1.template.ip6.udp_dst = 4500;
}
ip6 = &sa->sha1.template.ip6.ipv6_hdr;
template = &sa->sha1.template;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
sha1.template) + sizeof(
sa->sha1.template.ip6);
@ -323,11 +311,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
lp->ctx_len = ctx_len >> 3;
} else if (ctl->auth_type ==
OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
if (ipsec->options.udp_encap) {
sa->sha2.template.ip6.udp_src = 4500;
sa->sha2.template.ip6.udp_dst = 4500;
}
ip6 = &sa->sha2.template.ip6.ipv6_hdr;
template = &sa->sha2.template;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
sha2.template) + sizeof(
sa->sha2.template.ip6);
@ -337,6 +321,16 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
return -EINVAL;
}
ip6 = &template->ip6.ipv6_hdr;
if (ipsec->options.udp_encap) {
ip6->proto = IPPROTO_UDP;
template->ip6.udp_src = rte_be_to_cpu_16(4500);
template->ip6.udp_dst = rte_be_to_cpu_16(4500);
} else {
ip6->proto = (ipsec->proto ==
RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
IPPROTO_ESP : IPPROTO_AH;
}
ip6->vtc_flow = rte_cpu_to_be_32(0x60000000 |
((ipsec->tunnel.ipv6.dscp <<
RTE_IPV6_HDR_TC_SHIFT) &
@ -345,9 +339,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
RTE_IPV6_HDR_FL_SHIFT) &
RTE_IPV6_HDR_FL_MASK));
ip6->hop_limits = ipsec->tunnel.ipv6.hlimit;
ip6->proto = (ipsec->proto ==
RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
IPPROTO_ESP : IPPROTO_AH;
memcpy(&ip6->src_addr, &ipsec->tunnel.ipv6.src_addr,
sizeof(struct in6_addr));
memcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr,