crypto/cnxk: support lookaside IPsec AES-CBC-HMAC-SHA256

Adding AES-CBC-HMAC-SHA256 support to lookaside IPsec PMD.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

doc/guides/cryptodevs/cnxk.rst

@@ -246,14 +246,27 @@ CN9XX Features supported
 * IPv4
 * IPv6
 * ESP
+* ESN
+* Anti-replay
 * Tunnel mode
 * Transport mode(IPv4)
 * UDP Encapsulation
+
+AEAD algorithms
++++++++++++++++
+
 * AES-128/192/256-GCM
-* AES-128/192/256-CBC-SHA1-HMAC
-* AES-128/192/256-CBC-SHA256-128-HMAC
-* ESN
-* Anti-replay
+
+Cipher algorithms
++++++++++++++++++
+
+* AES-128/192/256-CBC
+
+Auth algorithms
++++++++++++++++
+
+* SHA1-HMAC
+* SHA256-128-HMAC
 
 CN10XX Features supported
 ~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -263,6 +276,20 @@ CN10XX Features supported
 * Tunnel mode
 * Transport mode
 * UDP Encapsulation
+
+AEAD algorithms
++++++++++++++++
+
 * AES-128/192/256-GCM
-* AES-128/192/256-CBC-NULL
-* AES-128/192/256-CBC-SHA1-HMAC
+
+Cipher algorithms
++++++++++++++++++
+
+* AES-128/192/256-CBC
+
+Auth algorithms
++++++++++++++++
+
+* NULL
+* SHA1-HMAC
+* SHA256-128-HMAC

doc/guides/rel_notes/release_22_03.rst

@@ -55,6 +55,10 @@ New Features
      Also, make sure to start the actual text at the margin.
      =======================================================
 
+* **Updated Marvell cnxk crypto PMD.**
+
+  * Added SHA256-HMAC support in lookaside protocol (IPsec) for CN10K.
+
 * **Added an API to retrieve event port id of ethdev Rx adapter.**
 
   The new API ``rte_event_eth_rx_adapter_event_port_get()`` was added.

drivers/common/cnxk/cnxk_security.c

@@ -32,6 +32,10 @@ ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform,
 		roc_hash_sha1_gen(opad, (uint32_t *)&hmac_opad_ipad[0]);
 		roc_hash_sha1_gen(ipad, (uint32_t *)&hmac_opad_ipad[24]);
 		break;
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		roc_hash_sha256_gen(opad, (uint32_t *)&hmac_opad_ipad[0]);
+		roc_hash_sha256_gen(ipad, (uint32_t *)&hmac_opad_ipad[64]);
+		break;
 	default:
 		break;
 	}
@@ -123,6 +127,16 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 			w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA1;
 			ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
 
+			tmp_key = (uint64_t *)hmac_opad_ipad;
+			for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN /
+					      sizeof(uint64_t));
+			     i++)
+				tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
+			break;
+		case RTE_CRYPTO_AUTH_SHA256_HMAC:
+			w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_256;
+			ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
+
 			tmp_key = (uint64_t *)hmac_opad_ipad;
 			for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN /
 					      sizeof(uint64_t));

drivers/crypto/cnxk/cn10k_ipsec.c

@@ -65,6 +65,9 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
 		if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 			sa->iv_offset = crypto_xfrm->aead.iv.offset;
 			sa->iv_length = crypto_xfrm->aead.iv.length;
+		} else {
+			sa->iv_offset = crypto_xfrm->cipher.iv.offset;
+			sa->iv_length = crypto_xfrm->cipher.iv.length;
 		}
 	}
 #else

drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c

@@ -797,6 +797,26 @@ static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = {
 			}, }
 		}, }
 	},
+	{	/* SHA256 HMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA256_HMAC,
+				.block_size = 64,
+				.key_size = {
+					.min = 1,
+					.max = 1024,
+					.increment = 1
+				},
+				.digest_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				},
+			}, }
+		}, }
+	},
 };
 
 static const struct rte_security_capability sec_caps_templ[] = {

drivers/crypto/cnxk/cnxk_ipsec.h

@@ -46,8 +46,7 @@ ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
 	if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
 		if (keylen >= 20 && keylen <= 64)
 			return 0;
-	} else if (roc_model_is_cn9k() &&
-		   (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)) {
+	} else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) {
 		if (keylen >= 32 && keylen <= 64)
 			return 0;
 	}