crypto/zuc: use IPsec library

Link against Intel IPsec Multi-buffer library, which
added support for ZUC-EEA3 and ZUC-EIA3 from version v0.53,
moving from libSSO ZUC library.

Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
This commit is contained in:
Pablo de Lara 2020-01-20 11:47:54 +00:00 committed by Akhil Goyal
parent c6420a3632
commit 61f7c988e3
9 changed files with 123 additions and 61 deletions

View File

@ -31,7 +31,6 @@ default_path=$PATH
# - LIBMUSDK_PATH
# - LIBSSO_SNOW3G_PATH
# - LIBSSO_KASUMI_PATH
# - LIBSSO_ZUC_PATH
devtools_dir=$(dirname $(readlink -f $0))
. $devtools_dir/load-devel-config
@ -127,7 +126,6 @@ reset_env ()
unset LIBMUSDK_PATH
unset LIBSSO_SNOW3G_PATH
unset LIBSSO_KASUMI_PATH
unset LIBSSO_ZUC_PATH
unset PQOS_INSTALL_PATH
}
@ -187,12 +185,12 @@ config () # <directory> <target> <options>
sed -ri="" 's,(PMD_AESNI_MB=)n,\1y,' $1/.config
test "$DPDK_DEP_IPSEC_MB" != y || \
sed -ri="" 's,(PMD_AESNI_GCM=)n,\1y,' $1/.config
test "$DPDK_DEP_IPSEC_MB" != y || \
sed -ri="" 's,(PMD_ZUC=)n,\1y,' $1/.config
test -z "$LIBSSO_SNOW3G_PATH" || \
sed -ri="" 's,(PMD_SNOW3G=)n,\1y,' $1/.config
test -z "$LIBSSO_KASUMI_PATH" || \
sed -ri="" 's,(PMD_KASUMI=)n,\1y,' $1/.config
test -z "$LIBSSO_ZUC_PATH" || \
sed -ri="" 's,(PMD_ZUC=)n,\1y,' $1/.config
test "$DPDK_DEP_SSL" != y || \
sed -ri="" 's,(PMD_CCP=)n,\1y,' $1/.config
test "$DPDK_DEP_SSL" != y || \

View File

@ -1,12 +1,12 @@
.. SPDX-License-Identifier: BSD-3-Clause
Copyright(c) 2016 Intel Corporation.
Copyright(c) 2016-2019 Intel Corporation.
ZUC Crypto Poll Mode Driver
===========================
The ZUC PMD (**librte_pmd_zuc**) provides poll mode crypto driver
support for utilizing Intel Libsso library, which implements F8 and F9 functions
for ZUC EEA3 cipher and EIA3 hash algorithms.
The ZUC PMD (**librte_pmd_zuc**) provides poll mode crypto driver support for
utilizing `Intel IPSec Multi-buffer library <https://github.com/01org/intel-ipsec-mb>`_
which implements F8 and F9 functions for ZUC EEA3 cipher and EIA3 hash algorithms.
Features
--------
@ -27,36 +27,46 @@ Limitations
* Chained mbufs are not supported.
* ZUC (EIA3) supported only if hash offset field is byte-aligned.
* ZUC (EEA3) supported only if cipher length, cipher offset fields are byte-aligned.
* ZUC PMD cannot be built as a shared library, due to limitations in
the underlying library.
Installation
------------
To build DPDK with the ZUC_PMD the user is required to download
the export controlled ``libsso_zuc`` library, by registering in
`Intel Resource & Design Center <https://www.intel.com/content/www/us/en/design/resource-design-center.html>`_.
Once approval has been granted, the user needs to search for
*ZUC 128-EAA3 and 128-EIA3 3GPP cryptographic algorithms Software Library* to download the
library or directly through this `link <https://cdrdv2.intel.com/v1/dl/getContent/575868>`_.
After downloading the library, the user needs to unpack and compile it
on their system before building DPDK::
To build DPDK with the ZUC_PMD the user is required to download the multi-buffer
library from `here <https://github.com/01org/intel-ipsec-mb>`_
and compile it on their user system before building DPDK.
The latest version of the library supported by this PMD is v0.53, which
can be downloaded from `<https://github.com/01org/intel-ipsec-mb/archive/v0.53.zip>`_.
After downloading the library, the user needs to unpack and compile it
on their system before building DPDK:
.. code-block:: console
make
make install
As a reference, the following table shows a mapping between the past DPDK versions
and the external crypto libraries supported by them:
.. _table_zuc_versions:
.. table:: DPDK and external crypto library version compatibility
============= ================================
DPDK version Crypto library version
============= ================================
16.11 - 19.11 LibSSO ZUC
20.02+ Multi-buffer library 0.53
============= ================================
make
Initialization
--------------
In order to enable this virtual crypto PMD, user must:
* Export the environmental variable LIBSSO_ZUC_PATH with the path where
the library was extracted (zuc folder).
* Export the environmental variable LD_LIBRARY_PATH with the path
where the built libsso library is (LIBSSO_ZUC_PATH/build).
* Build the LIBSSO_ZUC library (explained in Installation section).
* Build the multi buffer library (explained in Installation section).
* Build DPDK as follows:

View File

@ -138,6 +138,13 @@ New Features
Such algorithm combinations are not supported on GEN1/GEN2 hardware
and executing the request returns RTE_CRYPTO_OP_STATUS_INVALID_SESSION.
* **Updated the ZUC PMD.**
* Transistioned underlying library from libSSO ZUC to intel-ipsec-mb
library (minimum version required 0.53).
* Removed dynamic library limitation, so PMD can be built as a shared
object now.
* **Added Marvell OCTEON TX2 End Point rawdev PMD.**
Added a new OCTEON TX2 rawdev PMD for End Point mode of operation.

View File

@ -1,14 +1,8 @@
# SPDX-License-Identifier: BSD-3-Clause
# Copyright(c) 2016 Intel Corporation
# Copyright(c) 2016-2019 Intel Corporation
include $(RTE_SDK)/mk/rte.vars.mk
ifneq ($(MAKECMDGOALS),clean)
ifeq ($(LIBSSO_ZUC_PATH),)
$(error "Please define LIBSSO_ZUC_PATH environment variable")
endif
endif
# library name
LIB = librte_pmd_zuc.a
@ -21,14 +15,26 @@ CFLAGS += -DALLOW_EXPERIMENTAL_API
EXPORT_MAP := rte_pmd_zuc_version.map
# external library dependencies
CFLAGS += -I$(LIBSSO_ZUC_PATH)
CFLAGS += -I$(LIBSSO_ZUC_PATH)/include
CFLAGS += -I$(LIBSSO_ZUC_PATH)/build
LDLIBS += -L$(LIBSSO_ZUC_PATH)/build -lsso_zuc
LDLIBS += -lIPSec_MB
LDLIBS += -lrte_eal -lrte_mbuf -lrte_mempool -lrte_ring
LDLIBS += -lrte_cryptodev
LDLIBS += -lrte_bus_vdev
IMB_HDR = $(shell echo '\#include <intel-ipsec-mb.h>' | \
$(CC) -E $(EXTRA_CFLAGS) - | grep 'intel-ipsec-mb.h' | \
head -n1 | cut -d'"' -f2)
# Detect library version
IMB_VERSION = $(shell grep -e "IMB_VERSION_STR" $(IMB_HDR) | cut -d'"' -f2)
IMB_VERSION_NUM = $(shell grep -e "IMB_VERSION_NUM" $(IMB_HDR) | cut -d' ' -f3)
ifeq ($(IMB_VERSION),)
$(error "IPSec_MB version >= 0.53 is required")
endif
ifeq ($(shell expr $(IMB_VERSION_NUM) \< 0x3400), 1)
$(error "IPSec_MB version >= 0.53 is required")
endif
# library source files
SRCS-$(CONFIG_RTE_LIBRTE_PMD_ZUC) += rte_zuc_pmd.c
SRCS-$(CONFIG_RTE_LIBRTE_PMD_ZUC) += rte_zuc_pmd_ops.c

View File

@ -1,11 +1,22 @@
# SPDX-License-Identifier: BSD-3-Clause
# Copyright(c) 2018 Intel Corporation
# Copyright(c) 2018-2020 Intel Corporation
lib = cc.find_library('sso_zuc', required: false)
if not lib.found() or not cc.has_header('sso_zuc.h')
IMB_required_ver = '0.53.0'
lib = cc.find_library('IPSec_MB', required: false)
if not lib.found()
build = false
reason = 'missing dependency, "libsso_zuc"'
subdir_done()
reason = 'missing dependency, "libIPSec_MB"'
else
# version comes with quotes, so we split based on " and take the middle
imb_ver = cc.get_define('IMB_VERSION_STR',
prefix : '#include<intel-ipsec-mb.h>').split('"')[1]
if (imb_ver == '') or (imb_ver.version_compare('<' + IMB_required_ver))
reason = 'IPSec_MB version >= @0@ is required, found version @1@'.format(
IMB_required_ver, imb_ver)
build = false
endif
endif
allow_experimental_apis = true

View File

@ -11,7 +11,7 @@
#include <rte_cpuflags.h>
#include "zuc_pmd_private.h"
#define ZUC_MAX_BURST 4
#define ZUC_MAX_BURST 16
#define BYTE_LEN 8
static uint8_t cryptodev_driver_id;
@ -170,16 +170,17 @@ zuc_get_session(struct zuc_qp *qp, struct rte_crypto_op *op)
/** Encrypt/decrypt mbufs. */
static uint8_t
process_zuc_cipher_op(struct rte_crypto_op **ops,
process_zuc_cipher_op(struct zuc_qp *qp, struct rte_crypto_op **ops,
struct zuc_session **sessions,
uint8_t num_ops)
{
unsigned i;
uint8_t processed_ops = 0;
uint8_t *src[ZUC_MAX_BURST], *dst[ZUC_MAX_BURST];
uint8_t *iv[ZUC_MAX_BURST];
const void *src[ZUC_MAX_BURST];
void *dst[ZUC_MAX_BURST];
const void *iv[ZUC_MAX_BURST];
uint32_t num_bytes[ZUC_MAX_BURST];
uint8_t *cipher_keys[ZUC_MAX_BURST];
const void *cipher_keys[ZUC_MAX_BURST];
struct zuc_session *sess;
for (i = 0; i < num_ops; i++) {
@ -222,7 +223,8 @@ process_zuc_cipher_op(struct rte_crypto_op **ops,
processed_ops++;
}
sso_zuc_eea3_n_buffer(cipher_keys, iv, src, dst,
IMB_ZUC_EEA3_N_BUFFER(qp->mb_mgr, (const void **)cipher_keys,
(const void **)iv, (const void **)src, (void **)dst,
num_bytes, processed_ops);
return processed_ops;
@ -262,7 +264,7 @@ process_zuc_hash_op(struct zuc_qp *qp, struct rte_crypto_op **ops,
if (sess->auth_op == RTE_CRYPTO_AUTH_OP_VERIFY) {
dst = (uint32_t *)qp->temp_digest;
sso_zuc_eia3_1_buffer(sess->pKey_hash,
IMB_ZUC_EIA3_1_BUFFER(qp->mb_mgr, sess->pKey_hash,
iv, src,
length_in_bits, dst);
/* Verify digest. */
@ -272,7 +274,7 @@ process_zuc_hash_op(struct zuc_qp *qp, struct rte_crypto_op **ops,
} else {
dst = (uint32_t *)ops[i]->sym->auth.digest.data;
sso_zuc_eia3_1_buffer(sess->pKey_hash,
IMB_ZUC_EIA3_1_BUFFER(qp->mb_mgr, sess->pKey_hash,
iv, src,
length_in_bits, dst);
}
@ -294,7 +296,7 @@ process_ops(struct rte_crypto_op **ops, enum zuc_operation op_type,
switch (op_type) {
case ZUC_OP_ONLY_CIPHER:
processed_ops = process_zuc_cipher_op(ops,
processed_ops = process_zuc_cipher_op(qp, ops,
sessions, num_ops);
break;
case ZUC_OP_ONLY_AUTH:
@ -302,14 +304,14 @@ process_ops(struct rte_crypto_op **ops, enum zuc_operation op_type,
num_ops);
break;
case ZUC_OP_CIPHER_AUTH:
processed_ops = process_zuc_cipher_op(ops, sessions,
processed_ops = process_zuc_cipher_op(qp, ops, sessions,
num_ops);
process_zuc_hash_op(qp, ops, sessions, processed_ops);
break;
case ZUC_OP_AUTH_CIPHER:
processed_ops = process_zuc_hash_op(qp, ops, sessions,
num_ops);
process_zuc_cipher_op(ops, sessions, processed_ops);
process_zuc_cipher_op(qp, ops, sessions, processed_ops);
break;
default:
/* Operation not supported. */
@ -457,8 +459,7 @@ cryptodev_zuc_create(const char *name,
{
struct rte_cryptodev *dev;
struct zuc_private *internals;
uint64_t cpu_flags = RTE_CRYPTODEV_FF_CPU_SSE;
MB_MGR *mb_mgr;
dev = rte_cryptodev_pmd_create(name, &vdev->device, init_params);
if (dev == NULL) {
@ -466,6 +467,27 @@ cryptodev_zuc_create(const char *name,
goto init_error;
}
dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO |
RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING;
mb_mgr = alloc_mb_mgr(0);
if (mb_mgr == NULL)
return -ENOMEM;
if (rte_cpu_get_flag_enabled(RTE_CPUFLAG_AVX512F)) {
dev->feature_flags |= RTE_CRYPTODEV_FF_CPU_AVX512;
init_mb_mgr_avx512(mb_mgr);
} else if (rte_cpu_get_flag_enabled(RTE_CPUFLAG_AVX2)) {
dev->feature_flags |= RTE_CRYPTODEV_FF_CPU_AVX2;
init_mb_mgr_avx2(mb_mgr);
} else if (rte_cpu_get_flag_enabled(RTE_CPUFLAG_AVX)) {
dev->feature_flags |= RTE_CRYPTODEV_FF_CPU_AVX;
init_mb_mgr_avx(mb_mgr);
} else {
dev->feature_flags |= RTE_CRYPTODEV_FF_CPU_SSE;
init_mb_mgr_sse(mb_mgr);
}
dev->driver_id = cryptodev_driver_id;
dev->dev_ops = rte_zuc_pmd_ops;
@ -473,11 +495,8 @@ cryptodev_zuc_create(const char *name,
dev->dequeue_burst = zuc_pmd_dequeue_burst;
dev->enqueue_burst = zuc_pmd_enqueue_burst;
dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO |
RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING |
cpu_flags;
internals = dev->data->dev_private;
internals->mb_mgr = mb_mgr;
internals->max_nb_queue_pairs = init_params->max_nb_queue_pairs;
@ -518,6 +537,7 @@ cryptodev_zuc_remove(struct rte_vdev_device *vdev)
struct rte_cryptodev *cryptodev;
const char *name;
struct zuc_private *internals;
name = rte_vdev_device_name(vdev);
if (name == NULL)
@ -527,6 +547,10 @@ cryptodev_zuc_remove(struct rte_vdev_device *vdev)
if (cryptodev == NULL)
return -ENODEV;
internals = cryptodev->data->dev_private;
free_mb_mgr(internals->mb_mgr);
return rte_cryptodev_pmd_destroy(cryptodev);
}

View File

@ -201,6 +201,7 @@ zuc_pmd_qp_setup(struct rte_cryptodev *dev, uint16_t qp_id,
int socket_id)
{
struct zuc_qp *qp = NULL;
struct zuc_private *internals = dev->data->dev_private;
/* Free memory prior to re-allocation if needed. */
if (dev->data->queue_pairs[qp_id] != NULL)
@ -223,6 +224,7 @@ zuc_pmd_qp_setup(struct rte_cryptodev *dev, uint16_t qp_id,
if (qp->processed_ops == NULL)
goto qp_setup_cleanup;
qp->mb_mgr = internals->mb_mgr;
qp->sess_mp = qp_conf->mp_session;
qp->sess_mp_priv = qp_conf->mp_session_private;

View File

@ -5,7 +5,7 @@
#ifndef _ZUC_PMD_PRIVATE_H_
#define _ZUC_PMD_PRIVATE_H_
#include <sso_zuc.h>
#include <intel-ipsec-mb.h>
#define CRYPTODEV_NAME_ZUC_PMD crypto_zuc
/**< KASUMI PMD device name */
@ -24,6 +24,8 @@ int zuc_logtype_driver;
struct zuc_private {
unsigned max_nb_queue_pairs;
/**< Max number of queue pairs supported by device */
MB_MGR *mb_mgr;
/**< Multi-buffer instance */
};
/** ZUC buffer queue pair */
@ -45,6 +47,8 @@ struct zuc_qp {
* by the driver when verifying a digest provided
* by the user (using authentication verify operation)
*/
MB_MGR *mb_mgr;
/**< Multi-buffer instance */
} __rte_cache_aligned;
enum zuc_operation {

View File

@ -282,7 +282,7 @@ _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_SNOW3G) += -L$(LIBSSO_SNOW3G_PATH)/build -l
_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_KASUMI) += -lrte_pmd_kasumi
_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_KASUMI) += -L$(LIBSSO_KASUMI_PATH)/build -lsso_kasumi
_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_ZUC) += -lrte_pmd_zuc
_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_ZUC) += -L$(LIBSSO_ZUC_PATH)/build -lsso_zuc
_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_ZUC) += -lIPSec_MB
_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_ARMV8_CRYPTO) += -lrte_pmd_armv8
_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_ARMV8_CRYPTO) += -L$(ARMV8_CRYPTO_LIB_PATH) -larmv8_crypto
_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_MVSAM_CRYPTO) += -L$(LIBMUSDK_PATH)/lib -lrte_pmd_mvsam_crypto -lmusdk