From 6dc3f45fd4fde97f1e846ea13037c697c8cdb5da Mon Sep 17 00:00:00 2001 From: Tejasree Kondoj Date: Fri, 17 Dec 2021 14:49:50 +0530 Subject: [PATCH] crypto/cnxk: support lookaside IPsec AES-CBC-HMAC-SHA256 Adding AES-CBC-HMAC-SHA256 support to lookaside IPsec PMD. Signed-off-by: Tejasree Kondoj Acked-by: Akhil Goyal --- doc/guides/cryptodevs/cnxk.rst | 39 ++++++++++++++++--- doc/guides/rel_notes/release_22_03.rst | 4 ++ drivers/common/cnxk/cnxk_security.c | 14 +++++++ drivers/crypto/cnxk/cn10k_ipsec.c | 3 ++ .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 20 ++++++++++ drivers/crypto/cnxk/cnxk_ipsec.h | 3 +- 6 files changed, 75 insertions(+), 8 deletions(-) diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index 23cc823e03..8c4c4ea5dc 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -246,14 +246,27 @@ CN9XX Features supported * IPv4 * IPv6 * ESP +* ESN +* Anti-replay * Tunnel mode * Transport mode(IPv4) * UDP Encapsulation + +AEAD algorithms ++++++++++++++++ + * AES-128/192/256-GCM -* AES-128/192/256-CBC-SHA1-HMAC -* AES-128/192/256-CBC-SHA256-128-HMAC -* ESN -* Anti-replay + +Cipher algorithms ++++++++++++++++++ + +* AES-128/192/256-CBC + +Auth algorithms ++++++++++++++++ + +* SHA1-HMAC +* SHA256-128-HMAC CN10XX Features supported ~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -263,6 +276,20 @@ CN10XX Features supported * Tunnel mode * Transport mode * UDP Encapsulation + +AEAD algorithms ++++++++++++++++ + * AES-128/192/256-GCM -* AES-128/192/256-CBC-NULL -* AES-128/192/256-CBC-SHA1-HMAC + +Cipher algorithms ++++++++++++++++++ + +* AES-128/192/256-CBC + +Auth algorithms ++++++++++++++++ + +* NULL +* SHA1-HMAC +* SHA256-128-HMAC diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index bd42b62324..5582416a66 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -55,6 +55,10 @@ New Features Also, make sure to start the actual text at the margin. ======================================================= +* **Updated Marvell cnxk crypto PMD.** + + * Added SHA256-HMAC support in lookaside protocol (IPsec) for CN10K. + * **Added an API to retrieve event port id of ethdev Rx adapter.** The new API ``rte_event_eth_rx_adapter_event_port_get()`` was added. diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index 787138b059..f39bc1ebdd 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -32,6 +32,10 @@ ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform, roc_hash_sha1_gen(opad, (uint32_t *)&hmac_opad_ipad[0]); roc_hash_sha1_gen(ipad, (uint32_t *)&hmac_opad_ipad[24]); break; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + roc_hash_sha256_gen(opad, (uint32_t *)&hmac_opad_ipad[0]); + roc_hash_sha256_gen(ipad, (uint32_t *)&hmac_opad_ipad[64]); + break; default: break; } @@ -123,6 +127,16 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA1; ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad); + tmp_key = (uint64_t *)hmac_opad_ipad; + for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / + sizeof(uint64_t)); + i++) + tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]); + break; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_256; + ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad); + tmp_key = (uint64_t *)hmac_opad_ipad; for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t)); diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c index 27df1dcd64..93eab1b7a1 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.c +++ b/drivers/crypto/cnxk/cn10k_ipsec.c @@ -65,6 +65,9 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) { sa->iv_offset = crypto_xfrm->aead.iv.offset; sa->iv_length = crypto_xfrm->aead.iv.length; + } else { + sa->iv_offset = crypto_xfrm->cipher.iv.offset; + sa->iv_length = crypto_xfrm->cipher.iv.length; } } #else diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index 59b63ed070..7d22626cb8 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -797,6 +797,26 @@ static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = { }, } }, } }, + { /* SHA256 HMAC */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, + {.auth = { + .algo = RTE_CRYPTO_AUTH_SHA256_HMAC, + .block_size = 64, + .key_size = { + .min = 1, + .max = 1024, + .increment = 1 + }, + .digest_size = { + .min = 16, + .max = 16, + .increment = 0 + }, + }, } + }, } + }, }; static const struct rte_security_capability sec_caps_templ[] = { diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h index dddb414793..f4a1012fff 100644 --- a/drivers/crypto/cnxk/cnxk_ipsec.h +++ b/drivers/crypto/cnxk/cnxk_ipsec.h @@ -46,8 +46,7 @@ ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform) if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) { if (keylen >= 20 && keylen <= 64) return 0; - } else if (roc_model_is_cn9k() && - (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)) { + } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) { if (keylen >= 32 && keylen <= 64) return 0; }