1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2021 Marvell.
5 #include <rte_malloc.h>
6 #include <cryptodev_pmd.h>
9 #include <rte_security.h>
10 #include <rte_security_driver.h>
13 #include "cnxk_cryptodev.h"
14 #include "cnxk_ipsec.h"
15 #include "cnxk_security.h"
16 #include "cn10k_ipsec.h"
21 ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa)
26 w7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];
28 w7.s.cptr = (uint64_t)sa;
35 cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
36 struct rte_security_ipsec_xform *ipsec_xfrm,
37 struct rte_crypto_sym_xform *crypto_xfrm,
38 struct rte_security_session *sec_sess)
40 union roc_ot_ipsec_outb_param1 param1;
41 struct roc_ot_ipsec_outb_sa *out_sa;
42 struct cnxk_ipsec_outb_rlens rlens;
43 struct cn10k_sec_session *sess;
44 struct cn10k_ipsec_sa *sa;
45 union cpt_inst_w4 inst_w4;
48 sess = get_sec_session_private_data(sec_sess);
52 memset(out_sa, 0, sizeof(struct roc_ot_ipsec_outb_sa));
54 /* Translate security parameters to SA */
55 ret = cnxk_ot_ipsec_outb_sa_fill(out_sa, ipsec_xfrm, crypto_xfrm);
59 sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa);
62 /* Use IV from application in debug mode */
63 if (ipsec_xfrm->options.iv_gen_disable == 1) {
64 out_sa->w2.s.iv_src = ROC_IE_OT_SA_IV_SRC_FROM_SA;
65 if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
66 sa->iv_offset = crypto_xfrm->aead.iv.offset;
67 sa->iv_length = crypto_xfrm->aead.iv.length;
69 sa->iv_offset = crypto_xfrm->cipher.iv.offset;
70 sa->iv_length = crypto_xfrm->cipher.iv.length;
74 if (ipsec_xfrm->options.iv_gen_disable != 0) {
75 plt_err("Application provided IV not supported");
80 /* Get Rlen calculation data */
81 ret = cnxk_ipsec_outb_rlens_get(&rlens, ipsec_xfrm, crypto_xfrm);
85 sa->max_extended_len = rlens.max_extended_len;
87 /* pre-populate CPT INST word 4 */
89 inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;
93 /* Disable IP checksum computation by default */
94 param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
96 if (ipsec_xfrm->options.ip_csum_enable) {
97 param1.s.ip_csum_disable =
98 ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
101 /* Disable L4 checksum computation by default */
102 param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
104 if (ipsec_xfrm->options.l4_csum_enable) {
105 param1.s.l4_csum_disable =
106 ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
109 inst_w4.s.param1 = param1.u16;
111 sa->inst.w4 = inst_w4.u64;
117 cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
118 struct rte_security_ipsec_xform *ipsec_xfrm,
119 struct rte_crypto_sym_xform *crypto_xfrm,
120 struct rte_security_session *sec_sess)
122 union roc_ot_ipsec_inb_param1 param1;
123 struct roc_ot_ipsec_inb_sa *in_sa;
124 struct cn10k_sec_session *sess;
125 struct cn10k_ipsec_sa *sa;
126 union cpt_inst_w4 inst_w4;
129 sess = get_sec_session_private_data(sec_sess);
133 /* Translate security parameters to SA */
134 ret = cnxk_ot_ipsec_inb_sa_fill(in_sa, ipsec_xfrm, crypto_xfrm);
138 /* TODO add support for antireplay */
139 sa->in_sa.w0.s.ar_win = 0;
141 /* TODO add support for udp encap */
143 sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa);
145 /* pre-populate CPT INST word 4 */
147 inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC;
151 /* Disable IP checksum verification by default */
152 param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
154 if (ipsec_xfrm->options.ip_csum_enable) {
155 param1.s.ip_csum_disable =
156 ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
157 sa->ip_csum_enable = true;
160 /* Disable L4 checksum verification by default */
161 param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
163 if (ipsec_xfrm->options.l4_csum_enable) {
164 param1.s.l4_csum_disable =
165 ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
168 param1.s.esp_trailer_disable = 1;
170 inst_w4.s.param1 = param1.u16;
172 sa->inst.w4 = inst_w4.u64;
178 cn10k_ipsec_session_create(void *dev,
179 struct rte_security_ipsec_xform *ipsec_xfrm,
180 struct rte_crypto_sym_xform *crypto_xfrm,
181 struct rte_security_session *sess)
183 struct rte_cryptodev *crypto_dev = dev;
184 struct roc_cpt *roc_cpt;
185 struct cnxk_cpt_vf *vf;
188 vf = crypto_dev->data->dev_private;
191 if (crypto_dev->data->queue_pairs[0] == NULL) {
192 plt_err("Setup cpt queue pair before creating security session");
196 ret = cnxk_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm);
200 if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
201 return cn10k_ipsec_inb_sa_create(roc_cpt, ipsec_xfrm,
204 return cn10k_ipsec_outb_sa_create(roc_cpt, ipsec_xfrm,
209 cn10k_sec_session_create(void *device, struct rte_security_session_conf *conf,
210 struct rte_security_session *sess,
211 struct rte_mempool *mempool)
213 struct cn10k_sec_session *priv;
216 if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
219 if (rte_mempool_get(mempool, (void **)&priv)) {
220 plt_err("Could not allocate security session private data");
224 set_sec_session_private_data(sess, priv);
226 if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) {
230 ret = cn10k_ipsec_session_create(device, &conf->ipsec,
231 conf->crypto_xform, sess);
238 rte_mempool_put(mempool, priv);
239 set_sec_session_private_data(sess, NULL);
244 cn10k_sec_session_destroy(void *device __rte_unused,
245 struct rte_security_session *sess)
247 struct cn10k_sec_session *priv;
248 struct rte_mempool *sess_mp;
250 priv = get_sec_session_private_data(sess);
255 sess_mp = rte_mempool_from_obj(priv);
257 set_sec_session_private_data(sess, NULL);
258 rte_mempool_put(sess_mp, priv);
264 cn10k_sec_session_get_size(void *device __rte_unused)
266 return sizeof(struct cn10k_sec_session);
269 /* Update platform specific security ops */
271 cn10k_sec_ops_override(void)
273 /* Update platform specific ops */
274 cnxk_sec_ops.session_create = cn10k_sec_session_create;
275 cnxk_sec_ops.session_destroy = cn10k_sec_session_destroy;
276 cnxk_sec_ops.session_get_size = cn10k_sec_session_get_size;