From 55a4438f8e375fa37475834e968f23907c674686 Mon Sep 17 00:00:00 2001 From: Akhil Goyal Date: Thu, 3 Sep 2020 22:37:33 +0530 Subject: [PATCH] crypto/dpaa2_sec: increase max anti-replay window size In case of LX2160 or SEC ERA >= 10, max anti replay window size supported is 1024. For all other versions of SEC, the maximum value is capped at 128 even if application gives more than that. Signed-off-by: Akhil Goyal Signed-off-by: Yi Liu Acked-by: Hemant Agrawal --- drivers/common/dpaax/caamflib/desc/ipsec.h | 48 +++++++++++++++++++-- drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 14 ++++++ 2 files changed, 59 insertions(+), 3 deletions(-) diff --git a/drivers/common/dpaax/caamflib/desc/ipsec.h b/drivers/common/dpaax/caamflib/desc/ipsec.h index cf6fa42525..83dd93f587 100644 --- a/drivers/common/dpaax/caamflib/desc/ipsec.h +++ b/drivers/common/dpaax/caamflib/desc/ipsec.h @@ -1,7 +1,7 @@ /* SPDX-License-Identifier: (BSD-3-Clause OR GPL-2.0) * * Copyright 2008-2016 Freescale Semiconductor Inc. - * Copyright 2016,2019 NXP + * Copyright 2016,2019-2020 NXP * */ @@ -119,8 +119,15 @@ /* IPSec ESP Decap PDB options */ +/** + * PDBOPTS_ESP_ARS_MASK_ERA10 - antireplay window mask + * for SEC_ERA >= 10 + */ +#define PDBOPTS_ESP_ARS_MASK_ERA10 0xc8 + /** * PDBOPTS_ESP_ARS_MASK - antireplay window mask + * for SEC_ERA < 10 */ #define PDBOPTS_ESP_ARS_MASK 0xc0 @@ -141,6 +148,27 @@ */ #define PDBOPTS_ESP_ARS128 0x80 +/** + * PDBOPTS_ESP_ARS256 - 256-entry antireplay window + * + * Valid only for IPsec new mode. + */ +#define PDBOPTS_ESP_ARS256 0x08 + +/** + * PDBOPTS_ESP_ARS512 - 512-entry antireplay window + * + * Valid only for IPsec new mode. + */ +#define PDBOPTS_ESP_ARS512 0x48 + +/** + * PDBOPTS_ESP_ARS1024 - 1024-entry antireplay window + * + * Valid only for IPsec new mode. + */ +#define PDBOPTS_ESP_ARS1024 0x88 + /** * PDBOPTS_ESP_ARS32 - 32-entry antireplay window */ 
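Review bot: The doc comments on `PDBOPTS_ESP_ARS256`, `PDBOPTS_ESP_ARS512` and `PDBOPTS_ESP_ARS1024` state only the IPsec new-mode restriction, while the commit message and `PDBOPTS_ESP_ARS_MASK_ERA10` also tie these window sizes to SEC_ERA >= 10. I would extend each of the three comments to `* Valid only for IPsec new mode and SEC_ERA >= 10.` so the hardware requirement is visible at the definition. The comment on `PDBOPTS_ESP_ARS_MASK_ERA10` could also say that the full value 0xc8 is not one of the window encodings defined in this hunk, since the mask and the encodings are easy to confuse.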
@@ -439,7 +467,7 @@ struct ipsec_decap_pdb { }; uint32_t seq_num_ext_hi; uint32_t seq_num; - uint32_t anti_replay[4]; + uint32_t anti_replay[32]; }; static inline unsigned int @@ -449,6 +477,7 @@ __rta_copy_ipsec_decap_pdb(struct program *program, { unsigned int start_pc = program->current_pc; unsigned int i, ars; + uint8_t mask; __rta_out32(program, pdb->options); @@ -486,7 +515,20 @@ __rta_copy_ipsec_decap_pdb(struct program *program, __rta_out32(program, pdb->seq_num_ext_hi); __rta_out32(program, pdb->seq_num); - switch (pdb->options & PDBOPTS_ESP_ARS_MASK) { + if (rta_sec_era < RTA_SEC_ERA_10) + mask = PDBOPTS_ESP_ARS_MASK; + else + mask = PDBOPTS_ESP_ARS_MASK_ERA10; + switch (pdb->options & mask) { + case PDBOPTS_ESP_ARS1024: + ars = 32; + break; + case PDBOPTS_ESP_ARS512: + ars = 16; + break; + case PDBOPTS_ESP_ARS256: + ars = 8; + break; case PDBOPTS_ESP_ARS128: ars = 4; break; diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c index 1e2e8a80ba..6b1c41525f 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c @@ -2995,6 +2995,10 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, uint32_t win_sz; win_sz = rte_align32pow2(ipsec_xform->replay_win_sz); + if (rta_sec_era < RTA_SEC_ERA_10 && win_sz > 128) { + DPAA2_SEC_INFO("Max Anti replay Win sz = 128"); + win_sz = 128; + } switch (win_sz) { case 1: case 2: @@ -3007,6 +3011,16 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, case 64: decap_pdb.options |= PDBOPTS_ESP_ARS64; break; + case 256: + decap_pdb.options |= PDBOPTS_ESP_ARS256; + break; + case 512: + decap_pdb.options |= PDBOPTS_ESP_ARS512; + break; + case 1024: + decap_pdb.options |= PDBOPTS_ESP_ARS1024; + break; + case 128: default: decap_pdb.options |= PDBOPTS_ESP_ARS128; } -- 2.20.1
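Review bot: The mask in `__rta_copy_ipsec_decap_pdb` is selected from `rta_sec_era` alone, yet the three encodings that use bit 0x08 are documented in this same patch as valid only for IPsec new mode. If this copy routine is also reached for PDBs built in the other mode, a set 0x08 bit in `pdb->options` on an ERA 10 part would be read as a larger window and 8 to 32 `anti_replay` words would be written into the descriptor; this is an inference, because the callers are outside the hunk. A comment at the mask selection such as `/* bit 0x08 belongs to the ARS field only for SEC_ERA >= 10 in new mode */`, or a mode check next to the era check, would make the assumption explicit. The masked value 0xc8 has no `case` among the added lines and the rest of the switch lies outside the hunk, so it is worth confirming which branch it reaches and that `ars` is set there.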
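Review bot: On SEC ERA >= 10 a requested window above 1024 is not clamped, because the new check in `dpaa2_sec_set_ipsec_session` covers only `rta_sec_era < RTA_SEC_ERA_10`. A rounded `win_sz` of 2048 or more matches no `case` and falls to `default`, which selects `PDBOPTS_ESP_ARS128`. The application then gets a 128-entry window on hardware that supports 1024, and nothing is logged. Adding `else if (win_sz > 1024) win_sz = 1024;` after the existing clamp, with a matching `DPAA2_SEC_INFO` line, would let the `case 1024:` arm added in the following hunk handle it. The enclosing function starts and ends outside these hunks.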