1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2021 Marvell.
5 #include <rte_cryptodev.h>
6 #include <rte_eventdev.h>
7 #include <rte_security.h>
8 #include <rte_security_driver.h>
9 #include <rte_pmd_cnxk.h>
11 #include <cn10k_ethdev.h>
12 #include <cnxk_security.h>
15 static struct rte_cryptodev_capabilities cn10k_eth_sec_crypto_caps[] = {
17 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
19 .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,
21 .algo = RTE_CRYPTO_AEAD_AES_GCM,
47 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
49 .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
51 .algo = RTE_CRYPTO_CIPHER_AES_CBC,
67 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
69 .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
71 .algo = RTE_CRYPTO_CIPHER_AES_CTR,
87 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
89 .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
91 .algo = RTE_CRYPTO_CIPHER_3DES_CBC,
107 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
109 .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
111 .algo = RTE_CRYPTO_AUTH_AES_XCBC_MAC,
127 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
129 .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
131 .algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
147 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
149 .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
151 .algo = RTE_CRYPTO_AUTH_SHA256_HMAC,
167 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
169 .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
171 .algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
187 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
189 .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
191 .algo = RTE_CRYPTO_AUTH_SHA512_HMAC,
206 { /* AES GMAC (AUTH) */
207 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
209 .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
211 .algo = RTE_CRYPTO_AUTH_AES_GMAC,
232 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
234 .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
236 .algo = RTE_CRYPTO_AUTH_NULL,
251 { /* NULL (CIPHER) */
252 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
254 .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
256 .algo = RTE_CRYPTO_CIPHER_NULL,
272 RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
275 static const struct rte_security_capability cn10k_eth_sec_capabilities[] = {
276 { /* IPsec Inline Protocol ESP Tunnel Ingress */
277 .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
278 .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
280 .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
281 .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
282 .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
283 .replay_win_sz_max = ROC_AR_WIN_SIZE_MAX,
286 .udp_ports_verify = 1,
290 .tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR,
298 .crypto_capabilities = cn10k_eth_sec_crypto_caps,
299 .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
301 { /* IPsec Inline Protocol ESP Tunnel Egress */
302 .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
303 .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
305 .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
306 .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
307 .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
308 .replay_win_sz_max = ROC_AR_WIN_SIZE_MAX,
312 .udp_ports_verify = 1,
323 .crypto_capabilities = cn10k_eth_sec_crypto_caps,
324 .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
326 { /* IPsec Inline Protocol ESP Transport Egress */
327 .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
328 .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
330 .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
331 .mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
332 .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
333 .replay_win_sz_max = ROC_AR_WIN_SIZE_MAX,
337 .udp_ports_verify = 1,
347 .crypto_capabilities = cn10k_eth_sec_crypto_caps,
348 .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
350 { /* IPsec Inline Protocol ESP Transport Ingress */
351 .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
352 .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
354 .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
355 .mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
356 .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
357 .replay_win_sz_max = ROC_AR_WIN_SIZE_MAX,
360 .udp_ports_verify = 1,
370 .crypto_capabilities = cn10k_eth_sec_crypto_caps,
371 .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
374 .action = RTE_SECURITY_ACTION_TYPE_NONE
379 cnxk_pktmbuf_free_no_cache(struct rte_mbuf *mbuf)
381 struct rte_mbuf *next;
387 roc_npa_aura_op_free(mbuf->pool->pool_id, 1, (rte_iova_t)mbuf);
389 } while (mbuf != NULL);
393 cn10k_eth_sec_sso_work_cb(uint64_t *gw, void *args, uint32_t soft_exp_event)
395 struct rte_eth_event_ipsec_desc desc;
396 struct cn10k_sec_sess_priv sess_priv;
397 struct cn10k_outb_priv_data *priv;
398 struct roc_ot_ipsec_outb_sa *sa;
399 struct cpt_cn10k_res_s *res;
400 struct rte_eth_dev *eth_dev;
401 struct cnxk_eth_dev *dev;
402 static uint64_t warn_cnt;
403 uint16_t dlen_adj, rlen;
404 struct rte_mbuf *mbuf;
411 switch ((gw[0] >> 28) & 0xF) {
412 case RTE_EVENT_TYPE_ETHDEV:
413 /* Event from inbound inline dev due to IPSEC packet bad L4 */
414 mbuf = (struct rte_mbuf *)(gw[1] - sizeof(struct rte_mbuf));
415 plt_nix_dbg("Received mbuf %p from inline dev inbound", mbuf);
416 cnxk_pktmbuf_free_no_cache(mbuf);
418 case RTE_EVENT_TYPE_CPU:
419 /* Check for subtype */
420 if (((gw[0] >> 20) & 0xFF) == CNXK_ETHDEV_SEC_OUTB_EV_SUB) {
421 /* Event from outbound inline error */
422 mbuf = (struct rte_mbuf *)gw[1];
427 if (soft_exp_event & 0x1) {
428 sa = (struct roc_ot_ipsec_outb_sa *)args;
429 priv = roc_nix_inl_ot_ipsec_outb_sa_sw_rsvd(sa);
430 desc.metadata = (uint64_t)priv->userdata;
431 desc.subtype = RTE_ETH_EVENT_IPSEC_SA_TIME_EXPIRY;
432 eth_dev = &rte_eth_devices[soft_exp_event >> 8];
433 rte_eth_dev_callback_process(eth_dev,
434 RTE_ETH_EVENT_IPSEC, &desc);
436 plt_err("Unknown event gw[0] = 0x%016lx, gw[1] = 0x%016lx",
442 /* Get ethdev port from tag */
444 eth_dev = &rte_eth_devices[port];
445 dev = cnxk_eth_pmd_priv(eth_dev);
447 sess_priv.u64 = *rte_security_dynfield(mbuf);
448 /* Calculate dlen adj */
449 dlen_adj = mbuf->pkt_len - mbuf->l2_len;
450 rlen = (dlen_adj + sess_priv.roundup_len) +
451 (sess_priv.roundup_byte - 1);
452 rlen &= ~(uint64_t)(sess_priv.roundup_byte - 1);
453 rlen += sess_priv.partial_len;
454 dlen_adj = rlen - dlen_adj;
456 /* Find the res area residing on next cacheline after end of data */
457 nixtx = rte_pktmbuf_mtod(mbuf, uintptr_t) + mbuf->pkt_len + dlen_adj;
459 nixtx = (nixtx - 1) & ~(BIT_ULL(7) - 1);
460 res = (struct cpt_cn10k_res_s *)nixtx;
462 plt_nix_dbg("Outbound error, mbuf %p, sa_index %u, compcode %x uc %x",
463 mbuf, sess_priv.sa_idx, res->compcode, res->uc_compcode);
465 sess_priv.u64 = *rte_security_dynfield(mbuf);
467 sa_base = dev->outb.sa_base;
468 sa = roc_nix_inl_ot_ipsec_outb_sa(sa_base, sess_priv.sa_idx);
469 priv = roc_nix_inl_ot_ipsec_outb_sa_sw_rsvd(sa);
471 memset(&desc, 0, sizeof(desc));
473 switch (res->uc_compcode) {
474 case ROC_IE_OT_UCC_ERR_SA_OVERFLOW:
475 desc.subtype = RTE_ETH_EVENT_IPSEC_ESN_OVERFLOW;
477 case ROC_IE_OT_UCC_ERR_PKT_IP:
479 if (warn_cnt % 10000 == 0)
480 plt_warn("Outbound error, bad ip pkt, mbuf %p,"
481 " sa_index %u (total warnings %" PRIu64 ")",
482 mbuf, sess_priv.sa_idx, warn_cnt);
483 desc.subtype = RTE_ETH_EVENT_IPSEC_UNKNOWN;
487 if (warn_cnt % 10000 == 0)
488 plt_warn("Outbound error, mbuf %p, sa_index %u,"
489 " compcode %x uc %x,"
490 " (total warnings %" PRIu64 ")",
491 mbuf, sess_priv.sa_idx, res->compcode,
492 res->uc_compcode, warn_cnt);
493 desc.subtype = RTE_ETH_EVENT_IPSEC_UNKNOWN;
497 desc.metadata = (uint64_t)priv->userdata;
498 rte_eth_dev_callback_process(eth_dev, RTE_ETH_EVENT_IPSEC, &desc);
499 cnxk_pktmbuf_free_no_cache(mbuf);
503 outb_dbg_iv_update(struct roc_ot_ipsec_outb_sa *outb_sa, const char *__iv_str)
505 uint8_t *iv_dbg = outb_sa->iv.iv_dbg;
506 char *iv_str = strdup(__iv_str);
507 char *iv_b = NULL, len = 16;
514 if (outb_sa->w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM ||
515 outb_sa->w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_CTR ||
516 outb_sa->w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM ||
517 outb_sa->w2.s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC) {
518 memset(outb_sa->iv.s.iv_dbg1, 0, sizeof(outb_sa->iv.s.iv_dbg1));
519 memset(outb_sa->iv.s.iv_dbg2, 0, sizeof(outb_sa->iv.s.iv_dbg2));
521 iv_dbg = outb_sa->iv.s.iv_dbg1;
522 for (i = 0; i < 4; i++) {
523 iv_b = strtok_r(i ? NULL : iv_str, ",", &save);
526 iv_dbg[i] = strtoul(iv_b, NULL, 0);
528 *(uint32_t *)iv_dbg = rte_be_to_cpu_32(*(uint32_t *)iv_dbg);
530 iv_dbg = outb_sa->iv.s.iv_dbg2;
531 for (i = 0; i < 4; i++) {
532 iv_b = strtok_r(NULL, ",", &save);
535 iv_dbg[i] = strtoul(iv_b, NULL, 0);
537 *(uint32_t *)iv_dbg = rte_be_to_cpu_32(*(uint32_t *)iv_dbg);
540 iv_dbg = outb_sa->iv.iv_dbg;
541 memset(iv_dbg, 0, sizeof(outb_sa->iv.iv_dbg));
543 for (i = 0; i < len; i++) {
544 iv_b = strtok_r(i ? NULL : iv_str, ",", &save);
547 iv_dbg[i] = strtoul(iv_b, NULL, 0);
549 *(uint64_t *)iv_dbg = rte_be_to_cpu_64(*(uint64_t *)iv_dbg);
550 *(uint64_t *)&iv_dbg[8] =
551 rte_be_to_cpu_64(*(uint64_t *)&iv_dbg[8]);
554 /* Update source of IV */
555 outb_sa->w2.s.iv_src = ROC_IE_OT_SA_IV_SRC_FROM_SA;
560 cn10k_eth_sec_outb_sa_misc_fill(struct roc_nix *roc_nix,
561 struct roc_ot_ipsec_outb_sa *sa, void *sa_cptr,
562 struct rte_security_ipsec_xform *ipsec_xfrm,
565 uint64_t *ring_base, ring_addr;
567 if (ipsec_xfrm->life.bytes_soft_limit |
568 ipsec_xfrm->life.packets_soft_limit) {
569 ring_base = roc_nix_inl_outb_ring_base_get(roc_nix);
570 if (ring_base == NULL)
573 ring_addr = ring_base[sa_idx >>
574 ROC_NIX_SOFT_EXP_ERR_RING_MAX_ENTRY_LOG2];
575 sa->ctx.err_ctl.s.mode = ROC_IE_OT_ERR_CTL_MODE_RING;
576 sa->ctx.err_ctl.s.address = ring_addr >> 3;
577 sa->w0.s.ctx_id = ((uintptr_t)sa_cptr >> 51) & 0x1ff;
584 cn10k_eth_sec_session_create(void *device,
585 struct rte_security_session_conf *conf,
586 struct rte_security_session *sess,
587 struct rte_mempool *mempool)
589 struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
590 struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
591 struct rte_security_ipsec_xform *ipsec;
592 struct cn10k_sec_sess_priv sess_priv;
593 struct rte_crypto_sym_xform *crypto;
594 struct cnxk_eth_sec_sess *eth_sec;
595 struct roc_nix *nix = &dev->nix;
596 bool inbound, inl_dev;
597 rte_spinlock_t *lock;
598 char tbuf[128] = {0};
601 if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
604 if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
607 if (rte_security_dynfield_register() < 0)
610 if (conf->ipsec.options.ip_reassembly_en &&
611 dev->reass_dynfield_off < 0) {
612 if (rte_eth_ip_reassembly_dynfield_register(&dev->reass_dynfield_off,
613 &dev->reass_dynflag_bit) < 0)
617 ipsec = &conf->ipsec;
618 crypto = conf->crypto_xform;
619 inbound = !!(ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
620 inl_dev = !!dev->inb.inl_dev;
622 /* Search if a session already exits */
623 if (cnxk_eth_sec_sess_get_by_spi(dev, ipsec->spi, inbound)) {
624 plt_err("%s SA with SPI %u already in use",
625 inbound ? "Inbound" : "Outbound", ipsec->spi);
629 if (rte_mempool_get(mempool, (void **)ð_sec)) {
630 plt_err("Could not allocate security session private data");
634 memset(eth_sec, 0, sizeof(struct cnxk_eth_sec_sess));
637 lock = inbound ? &dev->inb.lock : &dev->outb.lock;
638 rte_spinlock_lock(lock);
640 /* Acquire lock on inline dev for inbound */
641 if (inbound && inl_dev)
642 roc_nix_inl_dev_lock();
645 struct roc_ot_ipsec_inb_sa *inb_sa, *inb_sa_dptr;
646 struct cn10k_inb_priv_data *inb_priv;
650 PLT_STATIC_ASSERT(sizeof(struct cn10k_inb_priv_data) <
651 ROC_NIX_INL_OT_IPSEC_INB_SW_RSVD);
653 spi_mask = roc_nix_inl_inb_spi_range(nix, inl_dev, NULL, NULL);
655 /* Get Inbound SA from NIX_RX_IPSEC_SA_BASE */
656 sa = roc_nix_inl_inb_sa_get(nix, inl_dev, ipsec->spi);
657 if (!sa && dev->inb.inl_dev) {
658 snprintf(tbuf, sizeof(tbuf),
659 "Failed to create ingress sa, inline dev "
660 "not found or spi not in range");
664 snprintf(tbuf, sizeof(tbuf),
665 "Failed to create ingress sa");
670 inb_sa = (struct roc_ot_ipsec_inb_sa *)sa;
672 /* Check if SA is already in use */
673 if (inb_sa->w2.s.valid) {
674 snprintf(tbuf, sizeof(tbuf),
675 "Inbound SA with SPI %u already in use",
681 inb_sa_dptr = (struct roc_ot_ipsec_inb_sa *)dev->inb.sa_dptr;
682 memset(inb_sa_dptr, 0, sizeof(struct roc_ot_ipsec_inb_sa));
684 /* Fill inbound sa params */
685 rc = cnxk_ot_ipsec_inb_sa_fill(inb_sa_dptr, ipsec, crypto,
688 snprintf(tbuf, sizeof(tbuf),
689 "Failed to init inbound sa, rc=%d", rc);
693 inb_priv = roc_nix_inl_ot_ipsec_inb_sa_sw_rsvd(inb_sa);
694 /* Back pointer to get eth_sec */
695 inb_priv->eth_sec = eth_sec;
696 /* Save userdata in inb private area */
697 inb_priv->userdata = conf->userdata;
699 /* Save SA index/SPI in cookie for now */
700 inb_sa_dptr->w1.s.cookie =
701 rte_cpu_to_be_32(ipsec->spi & spi_mask);
703 if (ipsec->options.stats == 1) {
704 /* Enable mib counters */
705 inb_sa_dptr->w0.s.count_mib_bytes = 1;
706 inb_sa_dptr->w0.s.count_mib_pkts = 1;
708 /* Prepare session priv */
709 sess_priv.inb_sa = 1;
710 sess_priv.sa_idx = ipsec->spi & spi_mask;
712 /* Pointer from eth_sec -> inb_sa */
713 eth_sec->sa = inb_sa;
714 eth_sec->sess = sess;
715 eth_sec->sa_idx = ipsec->spi & spi_mask;
716 eth_sec->spi = ipsec->spi;
717 eth_sec->inl_dev = !!dev->inb.inl_dev;
720 TAILQ_INSERT_TAIL(&dev->inb.list, eth_sec, entry);
722 /* Sync session in context cache */
723 rc = roc_nix_inl_ctx_write(&dev->nix, inb_sa_dptr, eth_sec->sa,
725 sizeof(struct roc_ot_ipsec_inb_sa));
729 if (conf->ipsec.options.ip_reassembly_en) {
730 inb_priv->reass_dynfield_off = dev->reass_dynfield_off;
731 inb_priv->reass_dynflag_bit = dev->reass_dynflag_bit;
735 struct roc_ot_ipsec_outb_sa *outb_sa, *outb_sa_dptr;
736 struct cn10k_outb_priv_data *outb_priv;
737 struct cnxk_ipsec_outb_rlens *rlens;
738 uint64_t sa_base = dev->outb.sa_base;
742 PLT_STATIC_ASSERT(sizeof(struct cn10k_outb_priv_data) <
743 ROC_NIX_INL_OT_IPSEC_OUTB_SW_RSVD);
745 /* Alloc an sa index */
746 rc = cnxk_eth_outb_sa_idx_get(dev, &sa_idx, ipsec->spi);
750 outb_sa = roc_nix_inl_ot_ipsec_outb_sa(sa_base, sa_idx);
751 outb_priv = roc_nix_inl_ot_ipsec_outb_sa_sw_rsvd(outb_sa);
752 rlens = &outb_priv->rlens;
754 outb_sa_dptr = (struct roc_ot_ipsec_outb_sa *)dev->outb.sa_dptr;
755 memset(outb_sa_dptr, 0, sizeof(struct roc_ot_ipsec_outb_sa));
757 /* Fill outbound sa params */
758 rc = cnxk_ot_ipsec_outb_sa_fill(outb_sa_dptr, ipsec, crypto);
760 snprintf(tbuf, sizeof(tbuf),
761 "Failed to init outbound sa, rc=%d", rc);
762 rc |= cnxk_eth_outb_sa_idx_put(dev, sa_idx);
766 if (conf->ipsec.options.iv_gen_disable == 1) {
767 iv_str = getenv("ETH_SEC_IV_OVR");
769 outb_dbg_iv_update(outb_sa_dptr, iv_str);
771 /* Fill outbound sa misc params */
772 rc = cn10k_eth_sec_outb_sa_misc_fill(&dev->nix, outb_sa_dptr,
773 outb_sa, ipsec, sa_idx);
775 snprintf(tbuf, sizeof(tbuf),
776 "Failed to init outb sa misc params, rc=%d",
778 rc |= cnxk_eth_outb_sa_idx_put(dev, sa_idx);
783 outb_priv->userdata = conf->userdata;
784 outb_priv->sa_idx = sa_idx;
785 outb_priv->eth_sec = eth_sec;
788 cnxk_ipsec_outb_rlens_get(rlens, ipsec, crypto);
790 if (ipsec->options.stats == 1) {
791 /* Enable mib counters */
792 outb_sa_dptr->w0.s.count_mib_bytes = 1;
793 outb_sa_dptr->w0.s.count_mib_pkts = 1;
796 /* Prepare session priv */
797 sess_priv.sa_idx = outb_priv->sa_idx;
798 sess_priv.roundup_byte = rlens->roundup_byte;
799 sess_priv.roundup_len = rlens->roundup_len;
800 sess_priv.partial_len = rlens->partial_len;
801 sess_priv.mode = outb_sa_dptr->w2.s.ipsec_mode;
802 sess_priv.outer_ip_ver = outb_sa_dptr->w2.s.outer_ip_ver;
803 /* Propagate inner checksum enable from SA to fast path */
804 sess_priv.chksum = (!ipsec->options.ip_csum_enable << 1 |
805 !ipsec->options.l4_csum_enable);
806 sess_priv.dec_ttl = ipsec->options.dec_ttl;
808 /* Pointer from eth_sec -> outb_sa */
809 eth_sec->sa = outb_sa;
810 eth_sec->sess = sess;
811 eth_sec->sa_idx = sa_idx;
812 eth_sec->spi = ipsec->spi;
814 TAILQ_INSERT_TAIL(&dev->outb.list, eth_sec, entry);
816 /* Sync session in context cache */
817 rc = roc_nix_inl_ctx_write(&dev->nix, outb_sa_dptr, eth_sec->sa,
819 sizeof(struct roc_ot_ipsec_outb_sa));
823 if (inbound && inl_dev)
824 roc_nix_inl_dev_unlock();
825 rte_spinlock_unlock(lock);
827 plt_nix_dbg("Created %s session with spi=%u, sa_idx=%u inl_dev=%u",
828 inbound ? "inbound" : "outbound", eth_sec->spi,
829 eth_sec->sa_idx, eth_sec->inl_dev);
831 * Update fast path info in priv area.
833 set_sec_session_private_data(sess, (void *)sess_priv.u64);
837 if (inbound && inl_dev)
838 roc_nix_inl_dev_unlock();
839 rte_spinlock_unlock(lock);
841 rte_mempool_put(mempool, eth_sec);
848 cn10k_eth_sec_session_destroy(void *device, struct rte_security_session *sess)
850 struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
851 struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
852 struct cnxk_eth_sec_sess *eth_sec;
853 struct rte_mempool *mp;
854 rte_spinlock_t *lock;
857 eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
861 lock = eth_sec->inb ? &dev->inb.lock : &dev->outb.lock;
862 rte_spinlock_lock(lock);
864 if (eth_sec->inl_dev)
865 roc_nix_inl_dev_lock();
869 sa_dptr = dev->inb.sa_dptr;
870 roc_ot_ipsec_inb_sa_init(sa_dptr, true);
872 roc_nix_inl_ctx_write(&dev->nix, sa_dptr, eth_sec->sa,
874 sizeof(struct roc_ot_ipsec_inb_sa));
875 TAILQ_REMOVE(&dev->inb.list, eth_sec, entry);
879 sa_dptr = dev->outb.sa_dptr;
880 roc_ot_ipsec_outb_sa_init(sa_dptr);
882 roc_nix_inl_ctx_write(&dev->nix, sa_dptr, eth_sec->sa,
884 sizeof(struct roc_ot_ipsec_outb_sa));
885 /* Release Outbound SA index */
886 cnxk_eth_outb_sa_idx_put(dev, eth_sec->sa_idx);
887 TAILQ_REMOVE(&dev->outb.list, eth_sec, entry);
890 if (eth_sec->inl_dev)
891 roc_nix_inl_dev_unlock();
893 rte_spinlock_unlock(lock);
895 plt_nix_dbg("Destroyed %s session with spi=%u, sa_idx=%u, inl_dev=%u",
896 eth_sec->inb ? "inbound" : "outbound", eth_sec->spi,
897 eth_sec->sa_idx, eth_sec->inl_dev);
899 /* Put eth_sec object back to pool */
900 mp = rte_mempool_from_obj(eth_sec);
901 set_sec_session_private_data(sess, NULL);
902 rte_mempool_put(mp, eth_sec);
906 static const struct rte_security_capability *
907 cn10k_eth_sec_capabilities_get(void *device __rte_unused)
909 return cn10k_eth_sec_capabilities;
913 cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
914 struct rte_security_session_conf *conf)
916 struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
917 struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
918 struct roc_ot_ipsec_inb_sa *inb_sa_dptr;
919 struct rte_security_ipsec_xform *ipsec;
920 struct rte_crypto_sym_xform *crypto;
921 struct cnxk_eth_sec_sess *eth_sec;
925 if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
926 conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
929 ipsec = &conf->ipsec;
930 crypto = conf->crypto_xform;
931 inbound = !!(ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
933 eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
937 eth_sec->spi = conf->ipsec.spi;
940 inb_sa_dptr = (struct roc_ot_ipsec_inb_sa *)dev->inb.sa_dptr;
941 memset(inb_sa_dptr, 0, sizeof(struct roc_ot_ipsec_inb_sa));
943 rc = cnxk_ot_ipsec_inb_sa_fill(inb_sa_dptr, ipsec, crypto,
948 rc = roc_nix_inl_ctx_write(&dev->nix, inb_sa_dptr, eth_sec->sa,
950 sizeof(struct roc_ot_ipsec_inb_sa));
954 struct roc_ot_ipsec_outb_sa *outb_sa_dptr;
956 outb_sa_dptr = (struct roc_ot_ipsec_outb_sa *)dev->outb.sa_dptr;
957 memset(outb_sa_dptr, 0, sizeof(struct roc_ot_ipsec_outb_sa));
959 rc = cnxk_ot_ipsec_outb_sa_fill(outb_sa_dptr, ipsec, crypto);
962 rc = roc_nix_inl_ctx_write(&dev->nix, outb_sa_dptr, eth_sec->sa,
964 sizeof(struct roc_ot_ipsec_outb_sa));
973 rte_pmd_cnxk_hw_sa_read(void *device, struct rte_security_session *sess,
974 void *data, uint32_t len)
976 struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
977 struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
978 struct cnxk_eth_sec_sess *eth_sec;
981 eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
985 rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb,
986 ROC_NIX_INL_SA_OP_FLUSH);
990 memcpy(data, eth_sec->sa, len);
996 rte_pmd_cnxk_hw_sa_write(void *device, struct rte_security_session *sess,
997 void *data, uint32_t len)
999 struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
1000 struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
1001 struct cnxk_eth_sec_sess *eth_sec;
1004 eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
1005 if (eth_sec == NULL)
1007 rc = roc_nix_inl_ctx_write(&dev->nix, data, eth_sec->sa, eth_sec->inb,
1016 cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
1017 struct rte_security_stats *stats)
1019 struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
1020 struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
1021 struct cnxk_eth_sec_sess *eth_sec;
1024 eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
1025 if (eth_sec == NULL)
1028 rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb,
1029 ROC_NIX_INL_SA_OP_FLUSH);
1034 stats->protocol = RTE_SECURITY_PROTOCOL_IPSEC;
1037 stats->ipsec.ipackets =
1038 ((struct roc_ot_ipsec_inb_sa *)eth_sec->sa)->ctx.mib_pkts;
1039 stats->ipsec.ibytes =
1040 ((struct roc_ot_ipsec_inb_sa *)eth_sec->sa)->ctx.mib_octs;
1042 stats->ipsec.opackets =
1043 ((struct roc_ot_ipsec_outb_sa *)eth_sec->sa)->ctx.mib_pkts;
1044 stats->ipsec.obytes =
1045 ((struct roc_ot_ipsec_outb_sa *)eth_sec->sa)->ctx.mib_octs;
1052 cn10k_eth_sec_ops_override(void)
1054 static int init_once;
1060 /* Update platform specific ops */
1061 cnxk_eth_sec_ops.session_create = cn10k_eth_sec_session_create;
1062 cnxk_eth_sec_ops.session_destroy = cn10k_eth_sec_session_destroy;
1063 cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
1064 cnxk_eth_sec_ops.session_update = cn10k_eth_sec_session_update;
1065 cnxk_eth_sec_ops.session_stats_get = cn10k_eth_sec_session_stats_get;