crypto/cnxk: enable allocated queues only
[dpdk.git] / drivers / crypto / cnxk / cn9k_ipsec.c
1 /* SPDX-License-Identifier: BSD-3-Clause
2  * Copyright(C) 2021 Marvell.
3  */
4
5 #include <cryptodev_pmd.h>
6 #include <rte_ip.h>
7 #include <rte_security.h>
8 #include <rte_security_driver.h>
9
10 #include "cnxk_cryptodev.h"
11 #include "cnxk_cryptodev_ops.h"
12 #include "cnxk_ipsec.h"
13 #include "cnxk_security.h"
14 #include "cn9k_ipsec.h"
15
16 #include "roc_api.h"
17
18 static inline int
19 cn9k_cpt_enq_sa_write(struct cn9k_ipsec_sa *sa, struct cnxk_cpt_qp *qp,
20                       uint8_t opcode, size_t ctx_len)
21 {
22         struct roc_cpt *roc_cpt = qp->lf.roc_cpt;
23         uint64_t lmtline = qp->lmtline.lmt_base;
24         uint64_t io_addr = qp->lmtline.io_addr;
25         uint64_t lmt_status, time_out;
26         struct cpt_cn9k_res_s *res;
27         struct cpt_inst_s inst;
28         uint64_t *mdata;
29         int ret = 0;
30
31         if (unlikely(rte_mempool_get(qp->meta_info.pool, (void **)&mdata) < 0))
32                 return -ENOMEM;
33
34         res = (struct cpt_cn9k_res_s *)RTE_PTR_ALIGN(mdata, 16);
35         res->compcode = CPT_COMP_NOT_DONE;
36
37         inst.w4.s.opcode_major = opcode;
38         inst.w4.s.opcode_minor = ctx_len >> 3;
39         inst.w4.s.param1 = 0;
40         inst.w4.s.param2 = 0;
41         inst.w4.s.dlen = ctx_len;
42         inst.dptr = rte_mempool_virt2iova(sa);
43         inst.rptr = 0;
44         inst.w7.s.cptr = rte_mempool_virt2iova(sa);
45         inst.w7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];
46
47         inst.w0.u64 = 0;
48         inst.w2.u64 = 0;
49         inst.w3.u64 = 0;
50         inst.res_addr = rte_mempool_virt2iova(res);
51
52         rte_io_wmb();
53
54         do {
55                 /* Copy CPT command to LMTLINE */
56                 roc_lmt_mov((void *)lmtline, &inst, 2);
57                 lmt_status = roc_lmt_submit_ldeor(io_addr);
58         } while (lmt_status == 0);
59
60         time_out = rte_get_timer_cycles() +
61                    DEFAULT_COMMAND_TIMEOUT * rte_get_timer_hz();
62
63         while (res->compcode == CPT_COMP_NOT_DONE) {
64                 if (rte_get_timer_cycles() > time_out) {
65                         rte_mempool_put(qp->meta_info.pool, mdata);
66                         plt_err("Request timed out");
67                         return -ETIMEDOUT;
68                 }
69                 rte_io_rmb();
70         }
71
72         if (unlikely(res->compcode != CPT_COMP_GOOD)) {
73                 ret = res->compcode;
74                 switch (ret) {
75                 case CPT_COMP_INSTERR:
76                         plt_err("Request failed with instruction error");
77                         break;
78                 case CPT_COMP_FAULT:
79                         plt_err("Request failed with DMA fault");
80                         break;
81                 case CPT_COMP_HWERR:
82                         plt_err("Request failed with hardware error");
83                         break;
84                 default:
85                         plt_err("Request failed with unknown hardware "
86                                 "completion code : 0x%x",
87                                 ret);
88                 }
89                 ret = -EINVAL;
90                 goto mempool_put;
91         }
92
93         if (unlikely(res->uc_compcode != ROC_IE_ON_UCC_SUCCESS)) {
94                 ret = res->uc_compcode;
95                 switch (ret) {
96                 case ROC_IE_ON_AUTH_UNSUPPORTED:
97                         plt_err("Invalid auth type");
98                         break;
99                 case ROC_IE_ON_ENCRYPT_UNSUPPORTED:
100                         plt_err("Invalid encrypt type");
101                         break;
102                 default:
103                         plt_err("Request failed with unknown microcode "
104                                 "completion code : 0x%x",
105                                 ret);
106                 }
107                 ret = -ENOTSUP;
108         }
109
110 mempool_put:
111         rte_mempool_put(qp->meta_info.pool, mdata);
112         return ret;
113 }
114
115 static inline int
116 ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
117                  struct rte_crypto_sym_xform *crypto_xform,
118                  struct roc_ie_on_sa_ctl *ctl)
119 {
120         struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
121         int aes_key_len;
122
123         if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
124                 ctl->direction = ROC_IE_SA_DIR_OUTBOUND;
125                 cipher_xform = crypto_xform;
126                 auth_xform = crypto_xform->next;
127         } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
128                 ctl->direction = ROC_IE_SA_DIR_INBOUND;
129                 auth_xform = crypto_xform;
130                 cipher_xform = crypto_xform->next;
131         } else {
132                 return -EINVAL;
133         }
134
135         if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
136                 if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
137                         ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
138                 else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
139                         ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_6;
140                 else
141                         return -EINVAL;
142         }
143
144         ctl->inner_ip_ver = ctl->outer_ip_ver;
145
146         if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
147                 ctl->ipsec_mode = ROC_IE_SA_MODE_TRANSPORT;
148         else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
149                 ctl->ipsec_mode = ROC_IE_SA_MODE_TUNNEL;
150         else
151                 return -EINVAL;
152
153         if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
154                 ctl->ipsec_proto = ROC_IE_SA_PROTOCOL_AH;
155         else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
156                 ctl->ipsec_proto = ROC_IE_SA_PROTOCOL_ESP;
157         else
158                 return -EINVAL;
159
160         if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
161                 if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
162                         ctl->enc_type = ROC_IE_ON_SA_ENC_AES_GCM;
163                         aes_key_len = crypto_xform->aead.key.length;
164                 } else {
165                         return -ENOTSUP;
166                 }
167         } else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
168                 ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC;
169                 aes_key_len = cipher_xform->cipher.key.length;
170         } else {
171                 return -ENOTSUP;
172         }
173
174         switch (aes_key_len) {
175         case 16:
176                 ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;
177                 break;
178         case 24:
179                 ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;
180                 break;
181         case 32:
182                 ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;
183                 break;
184         default:
185                 return -EINVAL;
186         }
187
188         if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
189                 switch (auth_xform->auth.algo) {
190                 case RTE_CRYPTO_AUTH_NULL:
191                         ctl->auth_type = ROC_IE_ON_SA_AUTH_NULL;
192                         break;
193                 case RTE_CRYPTO_AUTH_MD5_HMAC:
194                         ctl->auth_type = ROC_IE_ON_SA_AUTH_MD5;
195                         break;
196                 case RTE_CRYPTO_AUTH_SHA1_HMAC:
197                         ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA1;
198                         break;
199                 case RTE_CRYPTO_AUTH_SHA224_HMAC:
200                         ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_224;
201                         break;
202                 case RTE_CRYPTO_AUTH_SHA256_HMAC:
203                         ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_256;
204                         break;
205                 case RTE_CRYPTO_AUTH_SHA384_HMAC:
206                         ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_384;
207                         break;
208                 case RTE_CRYPTO_AUTH_SHA512_HMAC:
209                         ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_512;
210                         break;
211                 case RTE_CRYPTO_AUTH_AES_GMAC:
212                         ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_GMAC;
213                         break;
214                 case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
215                         ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_XCBC_128;
216                         break;
217                 default:
218                         return -ENOTSUP;
219                 }
220         }
221
222         if (ipsec->options.esn)
223                 ctl->esn_en = 1;
224
225         if (ipsec->options.udp_encap == 1)
226                 ctl->encap_type = ROC_IE_ON_SA_ENCAP_UDP;
227
228         ctl->spi = rte_cpu_to_be_32(ipsec->spi);
229
230         rte_io_wmb();
231
232         ctl->valid = 1;
233
234         return 0;
235 }
236
237 static inline int
238 fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
239                      struct rte_crypto_sym_xform *crypto_xform,
240                      struct roc_ie_on_common_sa *common_sa)
241 {
242         struct rte_crypto_sym_xform *cipher_xform;
243         const uint8_t *cipher_key;
244         int cipher_key_len = 0;
245         int ret;
246
247         if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
248                 cipher_xform = crypto_xform->next;
249         else
250                 cipher_xform = crypto_xform;
251
252         ret = ipsec_sa_ctl_set(ipsec, crypto_xform, &common_sa->ctl);
253         if (ret)
254                 return ret;
255
256         if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
257                 if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
258                         memcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4);
259                 cipher_key = crypto_xform->aead.key.data;
260                 cipher_key_len = crypto_xform->aead.key.length;
261         } else {
262                 cipher_key = cipher_xform->cipher.key.data;
263                 cipher_key_len = cipher_xform->cipher.key.length;
264         }
265
266         if (cipher_key_len != 0)
267                 memcpy(common_sa->cipher_key, cipher_key, cipher_key_len);
268         else
269                 return -EINVAL;
270
271         return 0;
272 }
273
274 static int
275 cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
276                           struct rte_security_ipsec_xform *ipsec,
277                           struct rte_crypto_sym_xform *crypto_xform,
278                           struct rte_security_session *sec_sess)
279 {
280         struct rte_crypto_sym_xform *auth_xform = crypto_xform->next;
281         struct roc_ie_on_ip_template *template = NULL;
282         struct roc_cpt *roc_cpt = qp->lf.roc_cpt;
283         union roc_on_ipsec_outb_param1 param1;
284         struct cnxk_cpt_inst_tmpl *inst_tmpl;
285         struct roc_ie_on_outb_sa *out_sa;
286         struct cn9k_sec_session *sess;
287         struct roc_ie_on_sa_ctl *ctl;
288         struct cn9k_ipsec_sa *sa;
289         struct rte_ipv6_hdr *ip6;
290         struct rte_ipv4_hdr *ip4;
291         const uint8_t *auth_key;
292         union cpt_inst_w4 w4;
293         union cpt_inst_w7 w7;
294         int auth_key_len = 0;
295         size_t ctx_len;
296         int ret;
297
298         sess = get_sec_session_private_data(sec_sess);
299         sa = &sess->sa;
300         out_sa = &sa->out_sa;
301         ctl = &out_sa->common_sa.ctl;
302
303         memset(sa, 0, sizeof(struct cn9k_ipsec_sa));
304
305         /* Initialize lookaside IPsec private data */
306         sa->dir = RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
307         /* Start ip id from 1 */
308         sa->ip_id = 1;
309         sa->seq_lo = 1;
310         sa->seq_hi = 0;
311
312         ret = fill_ipsec_common_sa(ipsec, crypto_xform, &out_sa->common_sa);
313         if (ret)
314                 return ret;
315
316         ret = cnxk_ipsec_outb_rlens_get(&sa->rlens, ipsec, crypto_xform);
317         if (ret)
318                 return ret;
319
320         if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM ||
321             ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL) {
322                 template = &out_sa->aes_gcm.template;
323                 ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template);
324         } else if (ctl->auth_type == ROC_IE_ON_SA_AUTH_SHA1) {
325                 template = &out_sa->sha1.template;
326                 ctx_len = offsetof(struct roc_ie_on_outb_sa, sha1.template);
327         } else if (ctl->auth_type == ROC_IE_ON_SA_AUTH_SHA2_256) {
328                 template = &out_sa->sha2.template;
329                 ctx_len = offsetof(struct roc_ie_on_outb_sa, sha2.template);
330         } else {
331                 return -EINVAL;
332         }
333
334         ip4 = (struct rte_ipv4_hdr *)&template->ip4.ipv4_hdr;
335         if (ipsec->options.udp_encap) {
336                 ip4->next_proto_id = IPPROTO_UDP;
337                 template->ip4.udp_src = rte_be_to_cpu_16(4500);
338                 template->ip4.udp_dst = rte_be_to_cpu_16(4500);
339         } else {
340                 ip4->next_proto_id = IPPROTO_ESP;
341         }
342
343         if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
344                 if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
345                         ctx_len += sizeof(template->ip4);
346
347                         ip4->version_ihl = RTE_IPV4_VHL_DEF;
348                         ip4->time_to_live = ipsec->tunnel.ipv4.ttl;
349                         ip4->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
350                         if (ipsec->tunnel.ipv4.df)
351                                 ip4->fragment_offset = BIT(14);
352                         memcpy(&ip4->src_addr, &ipsec->tunnel.ipv4.src_ip,
353                                sizeof(struct in_addr));
354                         memcpy(&ip4->dst_addr, &ipsec->tunnel.ipv4.dst_ip,
355                                sizeof(struct in_addr));
356                 } else if (ipsec->tunnel.type ==
357                            RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
358                         ctx_len += sizeof(template->ip6);
359
360                         ip6 = (struct rte_ipv6_hdr *)&template->ip6.ipv6_hdr;
361                         if (ipsec->options.udp_encap) {
362                                 ip6->proto = IPPROTO_UDP;
363                                 template->ip6.udp_src = rte_be_to_cpu_16(4500);
364                                 template->ip6.udp_dst = rte_be_to_cpu_16(4500);
365                         } else {
366                                 ip6->proto = (ipsec->proto ==
367                                               RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
368                                                      IPPROTO_ESP :
369                                                      IPPROTO_AH;
370                         }
371                         ip6->vtc_flow =
372                                 rte_cpu_to_be_32(0x60000000 |
373                                                  ((ipsec->tunnel.ipv6.dscp
374                                                    << RTE_IPV6_HDR_TC_SHIFT) &
375                                                   RTE_IPV6_HDR_TC_MASK) |
376                                                  ((ipsec->tunnel.ipv6.flabel
377                                                    << RTE_IPV6_HDR_FL_SHIFT) &
378                                                   RTE_IPV6_HDR_FL_MASK));
379                         ip6->hop_limits = ipsec->tunnel.ipv6.hlimit;
380                         memcpy(&ip6->src_addr, &ipsec->tunnel.ipv6.src_addr,
381                                sizeof(struct in6_addr));
382                         memcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr,
383                                sizeof(struct in6_addr));
384                 }
385         } else
386                 ctx_len += sizeof(template->ip4);
387
388         ctx_len += RTE_ALIGN_CEIL(ctx_len, 8);
389
390         if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
391                 sa->cipher_iv_off = crypto_xform->aead.iv.offset;
392                 sa->cipher_iv_len = crypto_xform->aead.iv.length;
393         } else {
394                 sa->cipher_iv_off = crypto_xform->cipher.iv.offset;
395                 sa->cipher_iv_len = crypto_xform->cipher.iv.length;
396
397                 auth_key = auth_xform->auth.key.data;
398                 auth_key_len = auth_xform->auth.key.length;
399
400                 if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
401                         memcpy(out_sa->sha1.hmac_key, auth_key, auth_key_len);
402                 else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
403                         memcpy(out_sa->sha2.hmac_key, auth_key, auth_key_len);
404         }
405
406         inst_tmpl = &sa->inst;
407
408         w4.u64 = 0;
409         w4.s.opcode_major = ROC_IE_ON_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;
410         w4.s.opcode_minor = ctx_len >> 3;
411
412         param1.u16 = 0;
413         param1.s.ikev2 = 1;
414         param1.s.per_pkt_iv = 1;
415         w4.s.param1 = param1.u16;
416
417         inst_tmpl->w4 = w4.u64;
418
419         w7.u64 = 0;
420         w7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];
421         w7.s.cptr = rte_mempool_virt2iova(out_sa);
422         inst_tmpl->w7 = w7.u64;
423
424         return cn9k_cpt_enq_sa_write(
425                 sa, qp, ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_OUTBOUND, ctx_len);
426 }
427
428 static int
429 cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
430                          struct rte_security_ipsec_xform *ipsec,
431                          struct rte_crypto_sym_xform *crypto_xform,
432                          struct rte_security_session *sec_sess)
433 {
434         struct rte_crypto_sym_xform *auth_xform = crypto_xform;
435         struct roc_cpt *roc_cpt = qp->lf.roc_cpt;
436         union roc_on_ipsec_inb_param2 param2;
437         struct cnxk_cpt_inst_tmpl *inst_tmpl;
438         struct roc_ie_on_inb_sa *in_sa;
439         struct cn9k_sec_session *sess;
440         struct cn9k_ipsec_sa *sa;
441         const uint8_t *auth_key;
442         union cpt_inst_w4 w4;
443         union cpt_inst_w7 w7;
444         int auth_key_len = 0;
445         size_t ctx_len = 0;
446         int ret;
447
448         sess = get_sec_session_private_data(sec_sess);
449         sa = &sess->sa;
450         in_sa = &sa->in_sa;
451
452         memset(sa, 0, sizeof(struct cn9k_ipsec_sa));
453
454         sa->dir = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
455         sa->replay_win_sz = ipsec->replay_win_sz;
456
457         ret = fill_ipsec_common_sa(ipsec, crypto_xform, &in_sa->common_sa);
458         if (ret)
459                 return ret;
460
461         if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD ||
462             auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL) {
463                 ctx_len = offsetof(struct roc_ie_on_inb_sa,
464                                    sha1_or_gcm.hmac_key[0]);
465         } else {
466                 auth_key = auth_xform->auth.key.data;
467                 auth_key_len = auth_xform->auth.key.length;
468
469                 if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
470                         memcpy(in_sa->sha1_or_gcm.hmac_key, auth_key,
471                                auth_key_len);
472                         ctx_len = offsetof(struct roc_ie_on_inb_sa,
473                                            sha1_or_gcm.selector);
474                 } else if (auth_xform->auth.algo ==
475                            RTE_CRYPTO_AUTH_SHA256_HMAC) {
476                         memcpy(in_sa->sha2.hmac_key, auth_key, auth_key_len);
477                         ctx_len = offsetof(struct roc_ie_on_inb_sa,
478                                            sha2.selector);
479                 }
480         }
481
482         inst_tmpl = &sa->inst;
483
484         w4.u64 = 0;
485         w4.s.opcode_major = ROC_IE_ON_MAJOR_OP_PROCESS_INBOUND_IPSEC;
486         w4.s.opcode_minor = ctx_len >> 3;
487
488         param2.u16 = 0;
489         param2.s.ikev2 = 1;
490         w4.s.param2 = param2.u16;
491
492         inst_tmpl->w4 = w4.u64;
493
494         w7.u64 = 0;
495         w7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];
496         w7.s.cptr = rte_mempool_virt2iova(in_sa);
497         inst_tmpl->w7 = w7.u64;
498
499         if (sa->replay_win_sz) {
500                 if (sa->replay_win_sz > CNXK_ON_AR_WIN_SIZE_MAX) {
501                         plt_err("Replay window size:%u is not supported",
502                                 sa->replay_win_sz);
503                         return -ENOTSUP;
504                 }
505
506                 /* Set window bottom to 1, base and top to size of window */
507                 sa->ar.winb = 1;
508                 sa->ar.wint = sa->replay_win_sz;
509                 sa->ar.base = sa->replay_win_sz;
510
511                 in_sa->common_sa.esn_low = 0;
512                 in_sa->common_sa.esn_hi = 0;
513         }
514
515         return cn9k_cpt_enq_sa_write(
516                 sa, qp, ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_INBOUND, ctx_len);
517 }
518
519 static inline int
520 cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
521 {
522         if (ipsec->life.bytes_hard_limit != 0 ||
523             ipsec->life.bytes_soft_limit != 0 ||
524             ipsec->life.packets_hard_limit != 0 ||
525             ipsec->life.packets_soft_limit != 0)
526                 return -ENOTSUP;
527
528         return 0;
529 }
530
531 static int
532 cn9k_ipsec_session_create(void *dev,
533                           struct rte_security_ipsec_xform *ipsec_xform,
534                           struct rte_crypto_sym_xform *crypto_xform,
535                           struct rte_security_session *sess)
536 {
537         struct rte_cryptodev *crypto_dev = dev;
538         struct cnxk_cpt_qp *qp;
539         int ret;
540
541         qp = crypto_dev->data->queue_pairs[0];
542         if (qp == NULL) {
543                 plt_err("CPT queue pairs need to be setup for creating security"
544                         " session");
545                 return -EPERM;
546         }
547
548         ret = cnxk_ipsec_xform_verify(ipsec_xform, crypto_xform);
549         if (ret)
550                 return ret;
551
552         ret = cn9k_ipsec_xform_verify(ipsec_xform);
553         if (ret)
554                 return ret;
555
556         if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
557                 return cn9k_ipsec_inb_sa_create(qp, ipsec_xform, crypto_xform,
558                                                 sess);
559         else
560                 return cn9k_ipsec_outb_sa_create(qp, ipsec_xform, crypto_xform,
561                                                  sess);
562 }
563
564 static int
565 cn9k_sec_session_create(void *device, struct rte_security_session_conf *conf,
566                         struct rte_security_session *sess,
567                         struct rte_mempool *mempool)
568 {
569         struct cn9k_sec_session *priv;
570         int ret;
571
572         if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
573                 return -EINVAL;
574
575         if (rte_mempool_get(mempool, (void **)&priv)) {
576                 plt_err("Could not allocate security session private data");
577                 return -ENOMEM;
578         }
579
580         memset(priv, 0, sizeof(*priv));
581
582         set_sec_session_private_data(sess, priv);
583
584         if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) {
585                 ret = -ENOTSUP;
586                 goto mempool_put;
587         }
588
589         ret = cn9k_ipsec_session_create(device, &conf->ipsec,
590                                         conf->crypto_xform, sess);
591         if (ret)
592                 goto mempool_put;
593
594         return 0;
595
596 mempool_put:
597         rte_mempool_put(mempool, priv);
598         set_sec_session_private_data(sess, NULL);
599         return ret;
600 }
601
602 static int
603 cn9k_sec_session_destroy(void *device __rte_unused,
604                          struct rte_security_session *sess)
605 {
606         struct roc_ie_on_outb_sa *out_sa;
607         struct cn9k_sec_session *priv;
608         struct rte_mempool *sess_mp;
609         struct roc_ie_on_sa_ctl *ctl;
610         struct cn9k_ipsec_sa *sa;
611
612         priv = get_sec_session_private_data(sess);
613         if (priv == NULL)
614                 return 0;
615
616         sa = &priv->sa;
617         out_sa = &sa->out_sa;
618
619         ctl = &out_sa->common_sa.ctl;
620         ctl->valid = 0;
621
622         rte_io_wmb();
623
624         sess_mp = rte_mempool_from_obj(priv);
625
626         memset(priv, 0, sizeof(*priv));
627
628         set_sec_session_private_data(sess, NULL);
629         rte_mempool_put(sess_mp, priv);
630
631         return 0;
632 }
633
634 static unsigned int
635 cn9k_sec_session_get_size(void *device __rte_unused)
636 {
637         return sizeof(struct cn9k_sec_session);
638 }
639
640 /* Update platform specific security ops */
641 void
642 cn9k_sec_ops_override(void)
643 {
644         /* Update platform specific ops */
645         cnxk_sec_ops.session_create = cn9k_sec_session_create;
646         cnxk_sec_ops.session_destroy = cn9k_sec_session_destroy;
647         cnxk_sec_ops.session_get_size = cn9k_sec_session_get_size;
648 }