This patch makes some improvements to the security instance setup for
the AESNI-MB PMD, as follows:
- fix potential memory leak where the security instance was not freed if
an error occurred later in the device creation
- tidy-up security instance initialization code by moving it all,
including enabling the RTE_CRYPTODEV_FF_SECURITY feature, into one
'#ifdef AESNI_MB_DOCSIS_SEC_ENABLED' block
Fixes: fda5216fba55 ("crypto/aesni_mb: support DOCSIS protocol")
Signed-off-by: David Coyle <david.coyle@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
This patch improves the DOCSIS session creation as follows:
- it validates the security action type as well as the protocol before
creating a session and now does this validation before allocating the
session from the mempool
Fixes: fda5216fba55 ("crypto/aesni_mb: support DOCSIS protocol")
Signed-off-by: David Coyle <david.coyle@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Add support to the AESNI-MB PMD for the DOCSIS protocol, through the
rte_security API. This, therefore, includes adding support for the
rte_security API to this PMD.
Signed-off-by: David Coyle <david.coyle@intel.com>
Signed-off-by: Mairtin o Loingsigh <mairtin.oloingsigh@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Introduce the RTE_LOG_REGISTER macro to avoid the code duplication
in the logtype registration process.
It is a wrapper macro for declaring the logtype, registering it and
setting its level in the constructor context.
Signed-off-by: Jerin Jacob <jerinj@marvell.com>
Acked-by: Adam Dybkowski <adamx.dybkowski@intel.com>
Acked-by: Sachin Saxena <sachin.saxena@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
When adding support for DOCSIS AES-256,
when setting the cipher parameters, all key sizes
were accepted, but only 128-bit and 256-bit keys
are supported.
Fixes: 9536622b86c8 ("crypto/aesni_mb: support DOCSIS AES-256")
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Mairtin o Loingsigh <mairtin.oloingsigh@intel.com>
Check if session is valid after getting operation
out of the internal IPSec MB manager, in case the
session has been freed while the operation was still
inside the manager.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Add feature flag for symmetric sessionless support,
so it can be checked by applications.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Adam Dybkowski <adamx.dybkowski@intel.com>
Tested-by: Ruifeng Wang <ruifeng.wang@arm.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Add support for CPU crypto mode by introducing required handler.
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
This patch adds support for DOCSIS AES-256 when using AESNI-MB
Signed-off-by: Mairtin o Loingsigh <mairtin.oloingsigh@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
The zlib compression driver, as well as the aesni-gcm, aesni-mb and openssl
crypto drivers all defined the logtype variable in the header file
directly. This gives errors with gcc 10, due to -fno-common being the
default, so we need to apply the same fix in all cases:
* move the variable definition to a suitable .c file
* mark the forward declaration of the variable in the header as "extern"
Fixes: 0c4e4c16b004 ("compress/zlib: introduce zlib PMD")
Fixes: 90c8a2d02a31 ("crypto/aesni_gcm: add dynamic logging")
Fixes: 276624ae2ef6 ("crypto/aesni_mb: add dynamic logging")
Fixes: 094b2386f461 ("crypto/openssl: add dynamic logging")
Cc: stable@dpdk.org
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
Remove setting ALLOW_EXPERIMENTAL_API individually for each Makefile and
meson.build. Instead, enable ALLOW_EXPERIMENTAL_API flag across app, lib
and drivers.
This changes reduces the clutter across the project while still
maintaining the functionality of ALLOW_EXPERIMENTAL_API i.e. warning
external applications about experimental API usage.
Signed-off-by: Pavan Nikhilesh <pbhagavatula@marvell.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: David Marchand <david.marchand@redhat.com>
This commit removes unused function pointer (queue_pair_count)
from struct rte_cryptodev_ops. Related functions removed as well.
Signed-off-by: Artur Trybula <arturx.trybula@intel.com>
Reviewed-by: Ruifeng Wang <ruifeng.wang@arm.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
In the check for the version of intel-ipsec-mb library,
there is a backslash in front of the #include.
This backslash is for escaping the hash sign parsed as
a number sign in make.
Since make-4.3, escaping is not required for the number sign.
As a consequence, it resolves now to '\#':
syntax error near unexpected token `|'
`grep -e "IMB_VERSION_STR" \#include <intel-ipsec-mb.h> | cut -d'"' -f2'
syntax error near unexpected token `|'
`grep -e "IMB_VERSION_NUM" \#include <intel-ipsec-mb.h> | cut -d' ' -f3'
The makefiles are fixed by using a variable for the hash sign,
as recommended in make-4.3 changelog:
https://lists.gnu.org/archive/html/info-gnu/2020-01/msg00004.html
Fixes: 3067c8ce77ac ("crypto/aesni_mb: fix build with custom dependency path")
Fixes: 457b8e372975 ("crypto/aesni_gcm: check dependency version with make")
Fixes: bf6eb2c22fd1 ("crypto/kasumi: use IPsec library")
Fixes: 7c87e2d7b359 ("crypto/snow3g: use IPsec library")
Fixes: 61f7c988e39e ("crypto/zuc: use IPsec library")
Cc: stable@dpdk.org
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
When OpenSSL or AESNI-MB cryptodev is being used in sessionless mode
for symmetric crypto operation (e.g. SHA256 hash), the driver prints
error message:
CRYPTODEV: set_sym_session_private_data() line 489:
Set private data for driver 0 not allowed
Then, AESNI-MB driver segfaults in post_process_mb_job().
Bugzilla ID: 377
Fixes: b3bbd9e5f2 ("cryptodev: support device independent sessions")
Fixes: c68d7aa354 ("crypto/aesni_mb: use architecture independent macros")
Cc: stable@dpdk.org
Signed-off-by: Junxiao Shi <git@mail1.yoursunny.com>
Merge all versions in linker version script files to DPDK_20.0.
This commit was generated by running the following command:
:~/DPDK$ buildtools/update-abi.sh 20.0
Signed-off-by: Pawel Modrak <pawelx.modrak@intel.com>
Signed-off-by: Anatoly Burakov <anatoly.burakov@intel.com>
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Thomas Monjalon <thomas@monjalon.net>
Since the library versioning for both stable and experimental ABI's is
now managed globally, the LIBABIVER and version variables no longer
serve any useful purpose, and can be removed.
The replacement in Makefiles was done using the following regex:
^(#.*\n)?LIBABIVER\s*:=\s*\d+\n(\s*\n)?
(LIBABIVER := numbers, optionally preceded by a comment and optionally
succeeded by an empty line)
The replacement for meson files was done using the following regex:
^(#.*\n)?version\s*=\s*\d+\n(\s*\n)?
(version = numbers, optionally preceded by a comment and optionally
succeeded by an empty line)
[David]: those variables are manually removed for the files:
- drivers/common/qat/Makefile
- lib/librte_eal/meson.build
[David]: the LIBABIVER is restored for the external ethtool example
library.
Signed-off-by: Anatoly Burakov <anatoly.burakov@intel.com>
Signed-off-by: David Marchand <david.marchand@redhat.com>
Acked-by: Thomas Monjalon <thomas@monjalon.net>
Some of the internal header files have 'rte_' prefix
and some don't.
Remove 'rte_' prefix from all internal header files.
Suggested-by: Thomas Monjalon <thomas@monjalon.net>
Signed-off-by: Dharmik Thakkar <dharmik.thakkar@arm.com>
Reviewed-by: Phil Yang <phil.yang@arm.com>
Reviewed-by: Ruifeng Wang <ruifeng.wang@arm.com>
The IPSec Multi buffer library does not require AES-NI
instructions to be supported by the CPU, as it can emulate these
instructions in software (adding a big performance penalty when
using AES algorithms).
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Up to version 0.52 of the IPSec Multi buffer library,
the chain order for AES-CCM was CIPHER_HASH when encrypting.
However, after this version, the order has been reversed in the library
since, when encrypting, hashing is done first and then ciphering.
Therefore, order is changed to be compatible with newer versions
of the library.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
This patch changes the key pointer data types in cipher, auth,
and aead xforms from "uint8_t *" to "const uint8_t *" for a
more intuitive and safe sessionn creation.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Liron Himi <lironh@marvell.com>
This patch fixes the out-of-bounds coverity issue by adding
missed algorithms to the array.
Coverity issue: 337683
Fixes: c68d7aa354f6 ("crypto/aesni_mb: use architecture independent macros")
Cc: stable@dpdk.org
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
For each driver where we optionally disable it, add in the reason why it's
being disabled, so the user knows how to fix it.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Luca Boccassi <bluca@debian.org>
On CentOS/RHEL 7, we get build errors reported due to a variable being
possibly uninitialized. Setting a default init value fixes this issue.
Fixes: c68d7aa354f6 ("crypto/aesni_mb: use architecture independent macros")
Cc: stable@dpdk.org
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
The version check for the IPSec_MB library present in the aesni_gcm
library's meson.build file is a little cleaner than that given here,
so update this one so that both work identically.
While one could use the checks done in the other right now, potentially in
future they may have different version dependencies, or may be compiled in
different orders, so keep the code duplicated for safety, since it's only a
few lines.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Luca Boccassi <bluca@debian.org>
Do a global replace of snprintf(..."%s",...) with strlcpy, adding in the
rte_string_fns.h header if needed. The function changes in this patch were
auto-generated via command:
spatch --sp-file devtools/cocci/strlcpy.cocci --dir . --in-place
and then the files edited using awk to add in the missing header:
gawk -i inplace '/include <rte_/ && ! seen { \
print "#include <rte_string_fns.h>"; seen=1} {print}'
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
As stated in 19.02 deprecation notice, this patch updates the
aesni_mb PMD to remove the support of older Intel-ipsec-mb
library version earlier than 0.52.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Add out-of-place processing, i.e. different source and
destination m_bufs, plus related capability update, tests
and documentation.
Signed-off-by: Fiona Trahe <fiona.trahe@intel.com>
Signed-off-by: Paul Luse <paul.e.luse@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
This patch fixes the inflexible compile issue AESNI-MB PMD.
Originally the compile of the PMD will fail if IPSec_MB is
not installed in default location.
Fixes: c68d7aa354f6 ("crypto/aesni_mb: use architecture independent macros")
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
This patch adds a new API in Cryptodev Framework. The API is used
to get the header size for the created symmetric Cryptodev session.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
This patch changes the cryptodev queue pair configure structure
to enable two mempool passed into cryptodev PMD simutaneously.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
This patch adds the plain SHA1, SHA224, SHA256, SHA384, and SHA512
algorithms support to AESNI-MB PMD. The cryptodev unit test and
documentation are updated accordingly.
Signed-off-by: Damian Nowak <damianx.nowak@intel.com>
Signed-off-by: Lukasz Krakowiak <lukaszx.krakowiak@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
This patch adds the AES-GMAC authentication only support to AESNI-MB
PMD, including the driver code, cryptodev unit test, and documentation
updates.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Damian Nowak <damianx.nowak@intel.com>
This patch duplicates the original rte_aesni_mb_pmd*.c files and replaces
the function calls provided by intel-ipsec-mb library into
architecture-independent macros. The build systems are updated to choose
compiling either rte_aesni_mb_pmd*.c or rte_aesni_mb_pmd*_compat.c based
on the installed intel-ipsec-mb version. For the intel-ipsec-mb older
than 0.52.0 rte_aesni_mb_pmd*_compat.c will be compiled, otherwise
rte_aesni_mb_pmd*.c will be compiled.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: Lukasz Krakowiak <lukaszx.krakowiak@intel.com>
Acked-by: Damian Nowak <damianx.nowak@intel.com>
This patch renames the rte_aesni_mb_pmd*.c to
rte_aesni_mb_pmd*_compat.c to indicate those files are for
compatible with older versoin of intel-ipsec-mb library
only.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: Lukasz Krakowiak <lukaszx.krakowiak@intel.com>
Acked-by: Damian Nowak <damianx.nowak@intel.com>
This patch fixes the queue pair free for AESNI-MB PMD. Originally
the queue pair ring name are different than the object name,
caused the aesni_mb_pmd_qp_release() cannot find the ring to
release. This patch uses the same name between queue pair object
name and ring name.
Fixes: a831c318c54d ("crypto/aesni_mb: free ring memory on queue release")
Cc: stable@dpdk.org
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
This patch updates the current AESNI-MB PMD with added AES-GCM
algorithm support. The patch includes the necessary changes
to the code including the capability update, control and data
patch changes for the AES-GCM algorithm support.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
Add support for SHAx-HMAC key sizes larger than the block size.
For these sizes, the input key is digested with the non-HMAC
version of the algorithm and used as the key.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Marko Kovacevic <marko.kovacevic@intel.com>
The full digest size of CMAC algorithm is 16 bytes.
However, it is sometimes truncated to a smaller size (such as in IPSec).
This commit allows a user to generate a digest of any size
up to the full size.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Marko Kovacevic <marko.kovacevic@intel.com>
The truncated digest size for AES-CMAC is 12 and not 16,
as the Multi-buffer library can output both 12 and 16 bytes.
Fixes: 6491dbbecebb ("crypto/aesni_mb: support AES CMAC")
Cc: stable@dpdk.org
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Marko Kovacevic <marko.kovacevic@intel.com>
When creating a crypto session, check if
ther requested digest size is supported for
AES-XCBC-MAC and AES-CCM.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Marko Kovacevic <marko.kovacevic@intel.com>
HMAC algorithms (MD5 and SHAx) have different full digest sizes.
However, they are often truncated to a smaller size (such as in IPSec).
This commit allows a user to generate a digest of any size
up to the full size.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Marko Kovacevic <marko.kovacevic@intel.com>
In order to process crypto operations in the AESNI MB PMD,
they need to be sent to the buffer manager of the Multi-buffer library,
through the "job" structure.
Currently, it is checked if there are outstanding operations to process
in the ring, before getting a new job. However, if there are no available
jobs in the manager, a flush operation needs to take place, freeing some
of the jobs, so it can be used for the outstanding operation.
In order to avoid leaving the dequeued operation without being processed,
the maximum number of operations that can be flushed is the remaining
operations to return, which is the maximum number of operations that can
be return minus the number of operations ready to be returned
(nb_ops - processed_jobs), minus 1 (for the new operation).
The problem comes when (nb_ops - processed_jobs) is 1 (last operation to
dequeue). In that case, flush_mb_mgr is called with maximum number of
operations equal to 0, which is wrong, causing a potential overrun in the
"ops" array.
Besides, the operation dequeued from the ring will be leaked, as no more
operations can be returned.
The solution is to first check if there are jobs available in the manager.
If there are not, flush operation gets called, and if enough operations
are returned from the manager, then no more outstanding operations get
dequeued from the ring, avoiding both the memory leak and the array
overrun.
If there are enough jobs, PMD tries to dequeue an operation from the ring.
If there are no operations in the ring, the new job pointer is not used,
and it will be used in the next get_next_job call, so no memory leak
happens.
Fixes: 0f548b50a160 ("crypto/aesni_mb: process crypto op on dequeue")
Cc: stable@dpdk.org
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Added support for 3DES cipher algorithm which
will support 8, 16 and 24 byte keys, which also has been
added in the v0.50 of the IPSec Multi-buffer lib.
Signed-off-by: Marko Kovacevic <marko.kovacevic@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Adds support for the v0.50 of the IPsec Multi-buffer lib.
The library now exposes its version, with the idea
of maintaining backwards compatibility in the future,
avoiding breaking the compilation of the PMD every time
there is a new version available.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Instead of having a static field for the buffer manager
MB_MGR in the queue pair structure, use the provided API
that allocates memory for it and store a pointer to it.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
A constructor is usually declared with RTE_INIT* macros.
As it is a static function, no need to declare before its definition.
The macro is used directly in the function definition.
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
The PMD specific API to configure, clear and
obtain session private size is renamed, including
the word _sym_ to clarify that it is API
for symmetric sessions, so there will not be any
conflicts for asymmetric and other type of sessions
in the future.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Removed cryptodev queue start/stop functions,
as they were marked deprecated in 18.05, since they
were not implemented by any driver.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Most crypto PMDs do not have a limitation
of the number of the sessions that can be handled
internally. The value that was set before was not
actually used at all, since the sessions are created
at the application level.
Therefore, this value is not parsed from the initial
crypto parameters anymore and it is set to 0,
meaning that there is no actual limit.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
