Adding basic framework to use snow3g f8 and f9 based
ciphering or integrity with direct crypto apis.
This patch does not support any combo usages yet.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Add support for snow-f9 in non pdcp protocol offload mode.
This essentially add support to pass pre-computed IV to SEC.
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
This patch add support for non-protocol offload mode
of snow-f8 algo
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
This patch support SNOW-SNOW (enc-auth) 18bit PDCP case
for devices which do not support PROTOCOL command
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
This patch support ZUC-ZUC PDCP enc-auth case for
devices which do not support PROTOCOL command for 18bit.
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
This patch support AES-AES PDCP enc-auth case for
devices which do not support PROTOCOL command for 18bit
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
PDCP descriptors in some cases internally use commands which overwrite
memory with extra '0s' if write-safe is kept enabled. This breaks
correct functional behavior of PDCP apis and they in many cases give
incorrect crypto output. There we disable 'write-safe' bit in FLC for
PDCP cases. If there is a performance drop, then write-safe would be
enabled selectively through a separate patch.
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
This patch add support for chained input or output
mbufs for PDCP and ipsec protocol offload cases.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
For sec era 8, NULL auth using protocol command does not add
4 bytes of null MAC-I and treat NULL integrity as no integrity which
is not correct.
Hence converting this particular case of null integrity on 12b SN
on SEC ERA 8 from protocol offload to non-protocol offload case.
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Adding minimal support for CAAM HW era 10 (used in LX2)
Primary changes are:
1. increased shard desc length form 6 bit to 7 bits
2. support for several PDCP operations as PROTOCOL offload.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Per packet HFN override is supported in NXP PMDs
(dpaa2_sec and dpaa_sec). DPOVRD register can be
updated with the per packet value if it is enabled
in session configuration. The value is read from
the IV offset.
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
PDCP u-plane may optionally support integrity as well.
This patch add support for supporting integrity along with
confidentiality.
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Added support for 12-bit c-plane. We implement it using 'u-plane for RN'
protocol descriptors. This is because 'c-plane' protocol descriptors
assume 5-bit sequence numbers. Since the crypto processing remains same
irrespective of c-plane or u-plane, we choose 'u-plane for RN' protocol
descriptors to implement 12-bit c-plane. 'U-plane for RN' protocol
descriptors support both confidentiality and integrity (required for
c-plane) for 7/12/15 bit sequence numbers.
For little endian platforms, incorrect IV is generated if MOVE command
is used in pdcp non-proto descriptors. This is because MOVE command
treats data as word. We changed MOVE to MOVEB since we require data to
be treated as byte array. The change works on both ls1046, ls2088.
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
outer IP header is formed at the time of session initialization
using the ipsec xform. This outer IP header will be appended by
hardware for each packet.
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
outer IP header is formed at the time of session initialization
using the ipsec xform. This outer IP header will be appended by
hardware for each packet.
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Like for Ethernet ports, the OCTEON TX crypto engines must
first be unbound from their kernel module, then rebound to
vfio-pci, before being used in DPDK.
As this capability is detected at runtime by dpdk-pmdinfo,
add the info in the PMD registering directives.
Then an external script can be used for bind and unbind.
Fixes: bfe2ae495ee2 ("crypto/octeontx: add PMD skeleton")
Cc: stable@dpdk.org
Signed-off-by: Thierry Herbelot <thierry.herbelot@6wind.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
dpaa_sec needs translations between physical and virtual addresses.
V to P translation is relatively fast, as memory is managed in
contiguous segments.
The result of each V to P translation is used to update the DPAA iova
table, which should be updated by a Mem event callback, but is not.
Then the DPAA iova table has entries for all needed memory ranges.
With this patch, dpaa_mem_ptov will always use dpaax_iova_table_get_va,
which ensures optimal performance.
Fixes: 5a7dbb934d75 ("dpaa: enable dpaax library")
Cc: stable@dpdk.org
Signed-off-by: Thierry Herbelot <thierry.herbelot@6wind.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Up to version 0.52 of the IPSec Multi buffer library,
the chain order for AES-CCM was CIPHER_HASH when encrypting.
However, after this version, the order has been reversed in the library
since, when encrypting, hashing is done first and then ciphering.
Therefore, order is changed to be compatible with newer versions
of the library.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
If the application enables the use of ESN in the
ipsec_xform for security session create, pdb options
are set for enabling ESN.
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Virtual to physical conversions are optimized using the
DPAAX tables. This patch integrates DPAAX with caam_jr PMD.
Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Reducing the functional traces from data path and critical session path
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
The session init shall return failure if the internal
session create fails for any reasons.
Fixes: 13273250eec5 ("crypto/dpaa2_sec: support AES-GCM and CTR")
Cc: stable@dpdk.org
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
BT0 block type padding after rfc2313 has been discontinued.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
Acked-by: Shally Verma <shallyv@marvell.com>
Asymmetric nature of RSA algorithm suggest to use
additional field for output. In place operations
still can be done by setting cipher and message pointers
with the same memory address.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
Acked-by: Shally Verma <shallyv@marvell.com>
Resolution for seg-faults observed:
1) in buffer re-alignment in-place sgl case
2) case where data end is exactly at end of an sgl segment.
Also renamed variable and increased comments for clearer code.
Fixes: 40002f6c2a24 ("crypto/qat: extend support for digest-encrypted auth-cipher")
Signed-off-by: Fiona Trahe <fiona.trahe@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Damian Nowak <damianx.nowak@intel.com>
This patch changes the key pointer data types in cipher, auth,
and aead xforms from "uint8_t *" to "const uint8_t *" for a
more intuitive and safe sessionn creation.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Liron Himi <lironh@marvell.com>
This patch adds condition to be met when using
out-of-place auth-cipher operations. It checks
if the digest location overlaps with the data to
be encrypted or decrypted and if so, treats as a
digest-encrypted case.
Patch adds checking, if the digest is being
encrypted or decrypted partially and extends PMD
buffers accordingly.
It also adds feature flag for QuickAssist
Technology to emphasize it's support for digest
appended auth-cipher operations.
Signed-off-by: Damian Nowak <damianx.nowak@intel.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
In case big number need to be freed, data it contains should
also be cleared before especially if it is critical data like
private keys.
Fixes: 3e9d6bd447fb ("crypto/openssl: add RSA and mod asym operations")
Cc: stable@dpdk.org
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
This patch fixes the out-of-bounds coverity issue by adding
missed algorithms to the array.
Coverity issue: 337683
Fixes: c68d7aa354f6 ("crypto/aesni_mb: use architecture independent macros")
Cc: stable@dpdk.org
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
ANSI C memcmp is not constant time function per spec so it should
be avoided in cryptography usage.
Fixes: d61f70b4c918 ("crypto/libcrypto: add driver for OpenSSL library")
Cc: stable@dpdk.org
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
For each driver where we optionally disable it, add in the reason why it's
being disabled, so the user knows how to fix it.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Luca Boccassi <bluca@debian.org>
On CentOS/RHEL 7, we get build errors reported due to a variable being
possibly uninitialized. Setting a default init value fixes this issue.
Fixes: c68d7aa354f6 ("crypto/aesni_mb: use architecture independent macros")
Cc: stable@dpdk.org
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
The check for the zuc library dependency did not check for the include
file needed for compilation. It's also recommended when looking for a
library to use the name without the lib prefix.
Fixes: df1740a8db5f ("crypto/zuc: enable meson build")
Cc: stable@dpdk.org
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
The check for the kasumi library dependency did not check for the include
file needed for compilation. It's also recommended when looking for a
library to use the name without the lib prefix.
Fixes: 2ec2d46c6255 ("crypto/kasumi: enable meson build")
Cc: stable@dpdk.org
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Snow3G driver is missing support for building with meson. Add a new
meson.build file so it can be included in the builds.
Cc: stable@dpdk.org
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
The metabuf pool is shared across all queue pairs belonging to the
PMD. In order to prevent one queue pair from starving another,
use a distinct mempool for each queue pair.
Fixes: 273487f7b381 ("crypto/octeontx: add global resource init")
Cc: stable@dpdk.org
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Shally Verma <shallyv@marvell.com>
NULL cipher algo of 4-byte multiple and other sizes caused firmware hang
due to use of wrong mode. Changed from ECB mode to CTR mode to fix.
Fixes: 98f060891615 ("crypto/qat: add symmetric session file")
Cc: stable@dpdk.org
Signed-off-by: Fiona Trahe <fiona.trahe@intel.com>
The aesni_mb driver has a check in its Makefile for the correct version of
the IPsec_MB library, but this check was missed for the aesni_gcm driver.
Add this check to the makefile, removing an unnecessary assignment in the
process.
Suggested-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Luca Boccassi <bluca@debian.org>
The version check for the IPSec_MB library present in the aesni_gcm
library's meson.build file is a little cleaner than that given here,
so update this one so that both work identically.
While one could use the checks done in the other right now, potentially in
future they may have different version dependencies, or may be compiled in
different orders, so keep the code duplicated for safety, since it's only a
few lines.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Luca Boccassi <bluca@debian.org>
