1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2021 Marvell.
5 #include <rte_malloc.h>
6 #include <rte_cryptodev.h>
9 #include <rte_security.h>
10 #include <rte_security_driver.h>
13 #include "cnxk_cryptodev.h"
14 #include "cnxk_ipsec.h"
15 #include "cnxk_security.h"
16 #include "cn10k_ipsec.h"
21 ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
23 if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
24 switch (xform->cipher.key.length) {
39 ipsec_xform_auth_verify(struct rte_crypto_sym_xform *xform)
41 uint16_t keylen = xform->auth.key.length;
43 if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
44 if (keylen >= 20 && keylen <= 64)
52 ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
53 struct rte_crypto_sym_xform *crypto_xfrm)
55 if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
56 crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
59 if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
60 crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
63 if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
64 switch (crypto_xfrm->aead.key.length) {
65 case ROC_CPT_AES128_KEY_LEN:
66 case ROC_CPT_AES192_KEY_LEN:
67 case ROC_CPT_AES256_KEY_LEN:
79 cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
80 struct rte_crypto_sym_xform *crypto_xfrm)
82 struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
85 if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
86 (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
89 if ((ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
90 (ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
93 if ((ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
94 (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
97 if ((ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
98 (ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
101 if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD)
102 return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm);
104 if (crypto_xfrm->next == NULL)
107 if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
109 if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
110 crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
112 auth_xform = crypto_xfrm;
113 cipher_xform = crypto_xfrm->next;
116 if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
117 crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
119 cipher_xform = crypto_xfrm;
120 auth_xform = crypto_xfrm->next;
123 ret = ipsec_xform_cipher_verify(cipher_xform);
127 ret = ipsec_xform_auth_verify(auth_xform);
135 ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa)
137 union cpt_inst_w7 w7;
140 w7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];
142 w7.s.cptr = (uint64_t)sa;
149 cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
150 struct rte_security_ipsec_xform *ipsec_xfrm,
151 struct rte_crypto_sym_xform *crypto_xfrm,
152 struct rte_security_session *sec_sess)
154 struct roc_ot_ipsec_outb_sa *out_sa;
155 struct cnxk_ipsec_outb_rlens rlens;
156 struct cn10k_sec_session *sess;
157 struct cn10k_ipsec_sa *sa;
158 union cpt_inst_w4 inst_w4;
161 sess = get_sec_session_private_data(sec_sess);
163 out_sa = &sa->out_sa;
165 memset(out_sa, 0, sizeof(struct roc_ot_ipsec_outb_sa));
167 /* Translate security parameters to SA */
168 ret = cnxk_ot_ipsec_outb_sa_fill(out_sa, ipsec_xfrm, crypto_xfrm);
172 sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa);
174 /* Get Rlen calculation data */
175 ret = cnxk_ipsec_outb_rlens_get(&rlens, ipsec_xfrm, crypto_xfrm);
179 sa->max_extended_len = rlens.max_extended_len;
181 /* pre-populate CPT INST word 4 */
183 inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;
184 inst_w4.s.param1 = 0;
185 sa->inst.w4 = inst_w4.u64;
191 cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
192 struct rte_security_ipsec_xform *ipsec_xfrm,
193 struct rte_crypto_sym_xform *crypto_xfrm,
194 struct rte_security_session *sec_sess)
196 struct roc_ot_ipsec_inb_sa *in_sa;
197 struct cn10k_sec_session *sess;
198 struct cn10k_ipsec_sa *sa;
199 union cpt_inst_w4 inst_w4;
202 sess = get_sec_session_private_data(sec_sess);
206 /* Translate security parameters to SA */
207 ret = cnxk_ot_ipsec_inb_sa_fill(in_sa, ipsec_xfrm, crypto_xfrm);
211 /* TODO add support for antireplay */
212 sa->in_sa.w0.s.ar_win = 0;
214 /* TODO add support for udp encap */
216 sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa);
218 /* pre-populate CPT INST word 4 */
220 inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC;
222 /* Disable checksum verification for now */
223 inst_w4.s.param1 = 7;
224 sa->inst.w4 = inst_w4.u64;
230 cn10k_ipsec_session_create(void *dev,
231 struct rte_security_ipsec_xform *ipsec_xfrm,
232 struct rte_crypto_sym_xform *crypto_xfrm,
233 struct rte_security_session *sess)
235 struct rte_cryptodev *crypto_dev = dev;
236 struct roc_cpt *roc_cpt;
237 struct cnxk_cpt_vf *vf;
240 vf = crypto_dev->data->dev_private;
243 if (crypto_dev->data->queue_pairs[0] == NULL) {
244 plt_err("Setup cpt queue pair before creating security session");
248 ret = cn10k_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm);
252 if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
253 return cn10k_ipsec_inb_sa_create(roc_cpt, ipsec_xfrm,
256 return cn10k_ipsec_outb_sa_create(roc_cpt, ipsec_xfrm,
261 cn10k_sec_session_create(void *device, struct rte_security_session_conf *conf,
262 struct rte_security_session *sess,
263 struct rte_mempool *mempool)
265 struct cn10k_sec_session *priv;
268 if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
271 if (rte_mempool_get(mempool, (void **)&priv)) {
272 plt_err("Could not allocate security session private data");
276 set_sec_session_private_data(sess, priv);
278 if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) {
282 ret = cn10k_ipsec_session_create(device, &conf->ipsec,
283 conf->crypto_xform, sess);
290 rte_mempool_put(mempool, priv);
291 set_sec_session_private_data(sess, NULL);
296 cn10k_sec_session_destroy(void *device __rte_unused,
297 struct rte_security_session *sess)
299 struct cn10k_sec_session *priv;
300 struct rte_mempool *sess_mp;
302 priv = get_sec_session_private_data(sess);
307 sess_mp = rte_mempool_from_obj(priv);
309 set_sec_session_private_data(sess, NULL);
310 rte_mempool_put(sess_mp, priv);
316 cn10k_sec_session_get_size(void *device __rte_unused)
318 return sizeof(struct cn10k_sec_session);
321 /* Update platform specific security ops */
323 cn10k_sec_ops_override(void)
325 /* Update platform specific ops */
326 cnxk_sec_ops.session_create = cn10k_sec_session_create;
327 cnxk_sec_ops.session_destroy = cn10k_sec_session_destroy;
328 cnxk_sec_ops.session_get_size = cn10k_sec_session_get_size;