struct rte_crypto_sym_xform *crypto_xfrm)
{
struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm;
- const uint8_t *key;
+ const uint8_t *key = NULL;
uint32_t *tmp_salt;
uint64_t *tmp_key;
- int length, i;
+ int i, length = 0;
/* Set direction */
- switch (ipsec_xfrm->direction) {
- case RTE_SECURITY_IPSEC_SA_DIR_INGRESS:
+ if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
+ w2->s.dir = ROC_IE_SA_DIR_OUTBOUND;
+ else
w2->s.dir = ROC_IE_SA_DIR_INBOUND;
+
+ if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
auth_xfrm = crypto_xfrm;
cipher_xfrm = crypto_xfrm->next;
- break;
- case RTE_SECURITY_IPSEC_SA_DIR_EGRESS:
- w2->s.dir = ROC_IE_SA_DIR_OUTBOUND;
+ } else {
cipher_xfrm = crypto_xfrm;
auth_xfrm = crypto_xfrm->next;
- break;
- default:
- return -EINVAL;
}
/* Set protocol - ESP vs AH */
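Review bot: The new direction test at the top of this hunk treats every value other than `RTE_SECURITY_IPSEC_SA_DIR_EGRESS` as inbound, where the removed `switch` returned `-EINVAL` for anything unrecognised. If no caller validates `ipsec_xfrm->direction` beforehand, a corrupted or uninitialised field now produces a silently configured inbound SA. Keeping the reject is cheap: `else if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) w2->s.dir = ROC_IE_SA_DIR_INBOUND; else return -EINVAL;`. The function starts before this hunk and continues past it.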
return -ENOTSUP;
}
} else {
- switch (cipher_xfrm->cipher.algo) {
- case RTE_CRYPTO_CIPHER_NULL:
- w2->s.enc_type = ROC_IE_OT_SA_ENC_NULL;
- break;
- case RTE_CRYPTO_CIPHER_AES_CBC:
- w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC;
- break;
- case RTE_CRYPTO_CIPHER_AES_CTR:
- w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CTR;
- break;
- default:
- return -ENOTSUP;
+ if (cipher_xfrm != NULL) {
+ switch (cipher_xfrm->cipher.algo) {
+ case RTE_CRYPTO_CIPHER_NULL:
+ w2->s.enc_type = ROC_IE_OT_SA_ENC_NULL;
+ break;
+ case RTE_CRYPTO_CIPHER_AES_CBC:
+ w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC;
+ break;
+ case RTE_CRYPTO_CIPHER_AES_CTR:
+ w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CTR;
+ break;
+ case RTE_CRYPTO_CIPHER_3DES_CBC:
+ w2->s.enc_type = ROC_IE_OT_SA_ENC_3DES_CBC;
+ break;
+ default:
+ return -ENOTSUP;
+ }
+
+ key = cipher_xfrm->cipher.key.data;
+ length = cipher_xfrm->cipher.key.length;
}
switch (auth_xfrm->auth.algo) {
case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_XCBC_128;
break;
+ case RTE_CRYPTO_AUTH_AES_GMAC:
+ w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_GMAC;
+ key = auth_xfrm->auth.key.data;
+ length = auth_xfrm->auth.key.length;
+ memcpy(salt_key, &ipsec_xfrm->salt, 4);
+ tmp_salt = (uint32_t *)salt_key;
+ *tmp_salt = rte_be_to_cpu_32(*tmp_salt);
+ break;
default:
return -ENOTSUP;
}
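Review bot: `auth_xfrm` is dereferenced in `switch (auth_xfrm->auth.algo)` without the NULL check this hunk adds for `cipher_xfrm`. Because the xforms are now assigned by `crypto_xfrm->type`, a cipher-only chain leaves `auth_xfrm = crypto_xfrm->next` as NULL, so unless an earlier verify step rejects that chain the switch reads through a null pointer. A guard such as `if (auth_xfrm == NULL) return -EINVAL;` before the switch would close it. Separately, the `RTE_CRYPTO_AUTH_AES_GMAC` case overwrites `key` and `length` even when `cipher_xfrm` has already set them, so a cipher plus GMAC chain would program the auth key under the cipher's `enc_type`; rejecting GMAC when `cipher_xfrm != NULL` would make the intent explicit. The enclosing block begins and ends outside the hunk.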
i++)
tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
- key = cipher_xfrm->cipher.key.data;
- length = cipher_xfrm->cipher.key.length;
}
/* Set encapsulation type */
w2->s.spi = ipsec_xfrm->spi;
- /* Copy encryption key */
- memcpy(cipher_key, key, length);
- tmp_key = (uint64_t *)cipher_key;
- for (i = 0; i < (int)(ROC_CTX_MAX_CKEY_LEN / sizeof(uint64_t)); i++)
- tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
+ if (key != NULL && length != 0) {
+ /* Copy encryption key */
+ memcpy(cipher_key, key, length);
+ tmp_key = (uint64_t *)cipher_key;
+ for (i = 0; i < (int)(ROC_CTX_MAX_CKEY_LEN / sizeof(uint64_t)); i++)
+ tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
+ }
/* Set AES key length */
if (w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CBC ||
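Review bot: `memcpy(cipher_key, key, length)` copies a caller-supplied length with no bound visible in this hunk, and `length` can now come from `auth_xfrm->auth.key.length` as well as from the cipher key. The byte-swap loop that follows assumes the destination holds `ROC_CTX_MAX_CKEY_LEN` bytes, so unless key lengths are validated before this function runs, an oversized key writes past `cipher_key`. Adding `if (length > ROC_CTX_MAX_CKEY_LEN) return -EINVAL;` ahead of `if (key != NULL && length != 0)` keeps the copy inside the buffer. The function continues past the end of the hunk.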
int
cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
struct rte_security_ipsec_xform *ipsec_xfrm,
- struct rte_crypto_sym_xform *crypto_xfrm)
+ struct rte_crypto_sym_xform *crypto_xfrm,
+ bool is_inline)
{
union roc_ot_ipsec_sa_word2 w2;
uint32_t replay_win_sz;
size_t offset;
int rc;
+ /* Initialize the SA */
+ roc_ot_ipsec_inb_sa_init(sa, is_inline);
+
w2.u64 = 0;
rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->w8.s.salt,
sa->hmac_opad_ipad, ipsec_xfrm,
* second pass meta and no defrag.
*/
sa->w0.s.pkt_format = ROC_IE_OT_SA_PKT_FMT_META;
- sa->w0.s.pkt_output = ROC_IE_OT_SA_PKT_OUTPUT_HW_BASED_DEFRAG;
- sa->w0.s.pkind = ROC_OT_CPT_META_PKIND;
+ sa->w0.s.pkt_output = ROC_IE_OT_SA_PKT_OUTPUT_NO_FRAG;
+ sa->w0.s.pkind = ROC_IE_OT_CPT_PKIND;
+
+ if (ipsec_xfrm->options.ip_reassembly_en)
+ sa->w0.s.pkt_output = ROC_IE_OT_SA_PKT_OUTPUT_HW_BASED_DEFRAG;
/* ESN */
sa->w2.s.esn_en = !!ipsec_xfrm->options.esn;
sa->w0.s.hard_life_dec = 1;
}
- /* There are two words of CPT_CTX_HW_S for ucode to skip */
- sa->w0.s.ctx_hdr_size = 1;
- sa->w0.s.aop_valid = 1;
- sa->w0.s.et_ovrwr = 1;
-
rte_wmb();
/* Enable SA */
size_t offset;
int rc;
+ /* Initialize the SA */
+ roc_ot_ipsec_outb_sa_init(sa);
+
w2.u64 = 0;
rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->iv.s.salt,
sa->hmac_opad_ipad, ipsec_xfrm,
/* ESN */
sa->w0.s.esn_en = !!ipsec_xfrm->options.esn;
+ if (ipsec_xfrm->esn.value)
+ sa->ctx.esn_val = ipsec_xfrm->esn.value - 1;
+
if (ipsec_xfrm->options.udp_encap) {
sa->w10.s.udp_src_port = 4500;
sa->w10.s.udp_dst_port = 4500;
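Review bot: The `- 1` in `sa->ctx.esn_val = ipsec_xfrm->esn.value - 1;` has no comment, and an off-by-one in the starting sequence number is hard to spot later. If the intent is that the hardware increments the stored value before using it (not visible here), a comment such as `/* HW increments before use; store value - 1 so the first packet carries esn.value */` would record that. It is also worth stating whether a starting value should be honoured when `options.esn` is 0, since `esn_val` is written independently of `esn_en`.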
offset = offsetof(struct roc_ot_ipsec_outb_sa, ctx);
/* Word offset for HW managed SA field */
sa->w0.s.hw_ctx_off = offset / 8;
- /* Context push size is up to hmac_opad_ipad */
- sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off;
+
+ /* Context push size is up to err ctl in HW ctx */
+ sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off + 1;
+
/* Entire context size in 128B units */
offset = sizeof(struct roc_ot_ipsec_outb_sa);
sa->w0.s.ctx_size = (PLT_ALIGN_CEIL(offset, ROC_CTX_UNIT_128B) /
return -EINVAL;
}
+ /* Update udp encap ports */
+ if (ipsec_xfrm->options.udp_encap == 1) {
+ sa->udp_src = 4500;
+ sa->udp_dst = 4500;
+ }
+
skip_tunnel_info:
rte_wmb();