git.droids-corp.org / dpdk.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
common/cnxk: add err ctl in SA
[dpdk.git] / drivers / common / cnxk / cnxk_security.c
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index cc5daf3..bd35f1c 100644 (file)
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -32,6 +32,18 @@ ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform,
                roc_hash_sha1_gen(opad, (uint32_t *)&hmac_opad_ipad[0]);
                roc_hash_sha1_gen(ipad, (uint32_t *)&hmac_opad_ipad[24]);
                break;
+       case RTE_CRYPTO_AUTH_SHA256_HMAC:
+               roc_hash_sha256_gen(opad, (uint32_t *)&hmac_opad_ipad[0]);
+               roc_hash_sha256_gen(ipad, (uint32_t *)&hmac_opad_ipad[64]);
+               break;
+       case RTE_CRYPTO_AUTH_SHA384_HMAC:
+               roc_hash_sha512_gen(opad, (uint64_t *)&hmac_opad_ipad[0], 384);
+               roc_hash_sha512_gen(ipad, (uint64_t *)&hmac_opad_ipad[64], 384);
+               break;
+       case RTE_CRYPTO_AUTH_SHA512_HMAC:
+               roc_hash_sha512_gen(opad, (uint64_t *)&hmac_opad_ipad[0], 512);
+               roc_hash_sha512_gen(ipad, (uint64_t *)&hmac_opad_ipad[64], 512);
+               break;
        default:
                break;
        }
@@ -108,31 +120,57 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
                }
        } else {
                switch (cipher_xfrm->cipher.algo) {
+               case RTE_CRYPTO_CIPHER_NULL:
+                       w2->s.enc_type = ROC_IE_OT_SA_ENC_NULL;
+                       break;
                case RTE_CRYPTO_CIPHER_AES_CBC:
                        w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC;
                        break;
+               case RTE_CRYPTO_CIPHER_AES_CTR:
+                       w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CTR;
+                       break;
                default:
                        return -ENOTSUP;
                }
 
                switch (auth_xfrm->auth.algo) {
+               case RTE_CRYPTO_AUTH_NULL:
+                       w2->s.auth_type = ROC_IE_OT_SA_AUTH_NULL;
+                       break;
                case RTE_CRYPTO_AUTH_SHA1_HMAC:
                        w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA1;
                        break;
+               case RTE_CRYPTO_AUTH_SHA256_HMAC:
+                       w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_256;
+                       break;
+               case RTE_CRYPTO_AUTH_SHA384_HMAC:
+                       w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_384;
+                       break;
+               case RTE_CRYPTO_AUTH_SHA512_HMAC:
+                       w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_512;
+                       break;
+               case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+                       w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_XCBC_128;
+                       break;
                default:
                        return -ENOTSUP;
                }
 
-               key = cipher_xfrm->cipher.key.data;
-               length = cipher_xfrm->cipher.key.length;
-
-               ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
+               if (auth_xfrm->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC) {
+                       const uint8_t *auth_key = auth_xfrm->auth.key.data;
+                       roc_aes_xcbc_key_derive(auth_key, hmac_opad_ipad);
+               } else {
+                       ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
+               }
 
                tmp_key = (uint64_t *)hmac_opad_ipad;
                for (i = 0;
                     i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t));
                     i++)
                        tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
+
+               key = cipher_xfrm->cipher.key.data;
+               length = cipher_xfrm->cipher.key.length;
        }
 
        /* Set encapsulation type */
@@ -147,18 +185,26 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
        for (i = 0; i < (int)(ROC_CTX_MAX_CKEY_LEN / sizeof(uint64_t)); i++)
                tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
 
-       switch (length) {
-       case ROC_CPT_AES128_KEY_LEN:
-               w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;
-               break;
-       case ROC_CPT_AES192_KEY_LEN:
-               w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;
-               break;
-       case ROC_CPT_AES256_KEY_LEN:
-               w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;
-               break;
-       default:
-               return -EINVAL;
+       /* Set AES key length */
+       if (w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CBC ||
+           w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM ||
+           w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CTR ||
+           w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM ||
+           w2->s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC) {
+               switch (length) {
+               case ROC_CPT_AES128_KEY_LEN:
+                       w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;
+                       break;
+               case ROC_CPT_AES192_KEY_LEN:
+                       w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;
+                       break;
+               case ROC_CPT_AES256_KEY_LEN:
+                       w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;
+                       break;
+               default:
+                       plt_err("Invalid AES key length");
+                       return -EINVAL;
+               }
        }
 
        if (ipsec_xfrm->life.packets_soft_limit != 0 ||
@@ -303,6 +349,9 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
                sa->w10.s.udp_dst_port = 4500;
        }
 
+       if (ipsec_xfrm->options.udp_ports_verify)
+               sa->w2.s.udp_ports_verify = 1;
+
        offset = offsetof(struct roc_ot_ipsec_inb_sa, ctx);
        /* Word offset for HW managed SA field */
        sa->w0.s.hw_ctx_off = offset / 8;
@@ -344,6 +393,7 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
        /* There are two words of CPT_CTX_HW_S for ucode to skip */
        sa->w0.s.ctx_hdr_size = 1;
        sa->w0.s.aop_valid = 1;
+       sa->w0.s.et_ovrwr = 1;
 
        rte_wmb();
 
@@ -438,10 +488,6 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
                return -EINVAL;
        }
 
-       /* Default options of DSCP and Flow label/DF */
-       sa->w2.s.dscp_src = ROC_IE_OT_SA_COPY_FROM_SA;
-       sa->w2.s.ipv4_df_src_or_ipv6_flw_lbl_src = ROC_IE_OT_SA_COPY_FROM_SA;
-
 skip_tunnel_info:
        /* ESN */
        sa->w0.s.esn_en = !!ipsec_xfrm->options.esn;
@@ -454,8 +500,10 @@ skip_tunnel_info:
        offset = offsetof(struct roc_ot_ipsec_outb_sa, ctx);
        /* Word offset for HW managed SA field */
        sa->w0.s.hw_ctx_off = offset / 8;
-       /* Context push size is up to hmac_opad_ipad */
-       sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off;
+
+       /* Context push size is up to err ctl in HW ctx */
+       sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off + 1;
+
        /* Entire context size in 128B units */
        offset = sizeof(struct roc_ot_ipsec_outb_sa);
        sa->w0.s.ctx_size = (PLT_ALIGN_CEIL(offset, ROC_CTX_UNIT_128B) /
@@ -513,6 +561,226 @@ cnxk_ot_ipsec_outb_sa_valid(struct roc_ot_ipsec_outb_sa *sa)
        return !!sa->w2.s.valid;
 }
 
+static inline int
+ipsec_xfrm_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
+                 struct rte_crypto_sym_xform *crypto_xfrm)
+{
+       if (crypto_xfrm->next == NULL)
+               return -EINVAL;
+
+       if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+               if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+                   crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+                       return -EINVAL;
+       } else {
+               if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+                   crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+                       return -EINVAL;
+       }
+
+       return 0;
+}
+
+static int
+onf_ipsec_sa_common_param_fill(struct roc_ie_onf_sa_ctl *ctl, uint8_t *salt,
+                              uint8_t *cipher_key, uint8_t *hmac_opad_ipad,
+                              struct rte_security_ipsec_xform *ipsec_xfrm,
+                              struct rte_crypto_sym_xform *crypto_xfrm)
+{
+       struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm;
+       int rc, length, auth_key_len;
+       const uint8_t *key = NULL;
+
+       /* Set direction */
+       switch (ipsec_xfrm->direction) {
+       case RTE_SECURITY_IPSEC_SA_DIR_INGRESS:
+               ctl->direction = ROC_IE_SA_DIR_INBOUND;
+               auth_xfrm = crypto_xfrm;
+               cipher_xfrm = crypto_xfrm->next;
+               break;
+       case RTE_SECURITY_IPSEC_SA_DIR_EGRESS:
+               ctl->direction = ROC_IE_SA_DIR_OUTBOUND;
+               cipher_xfrm = crypto_xfrm;
+               auth_xfrm = crypto_xfrm->next;
+               break;
+       default:
+               return -EINVAL;
+       }
+
+       /* Set protocol - ESP vs AH */
+       switch (ipsec_xfrm->proto) {
+       case RTE_SECURITY_IPSEC_SA_PROTO_ESP:
+               ctl->ipsec_proto = ROC_IE_SA_PROTOCOL_ESP;
+               break;
+       case RTE_SECURITY_IPSEC_SA_PROTO_AH:
+               return -ENOTSUP;
+       default:
+               return -EINVAL;
+       }
+
+       /* Set mode - transport vs tunnel */
+       switch (ipsec_xfrm->mode) {
+       case RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT:
+               ctl->ipsec_mode = ROC_IE_SA_MODE_TRANSPORT;
+               break;
+       case RTE_SECURITY_IPSEC_SA_MODE_TUNNEL:
+               ctl->ipsec_mode = ROC_IE_SA_MODE_TUNNEL;
+               break;
+       default:
+               return -EINVAL;
+       }
+
+       /* Set encryption algorithm */
+       if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+               length = crypto_xfrm->aead.key.length;
+
+               switch (crypto_xfrm->aead.algo) {
+               case RTE_CRYPTO_AEAD_AES_GCM:
+                       ctl->enc_type = ROC_IE_ON_SA_ENC_AES_GCM;
+                       ctl->auth_type = ROC_IE_ON_SA_AUTH_NULL;
+                       memcpy(salt, &ipsec_xfrm->salt, 4);
+                       key = crypto_xfrm->aead.key.data;
+                       break;
+               default:
+                       return -ENOTSUP;
+               }
+
+       } else {
+               rc = ipsec_xfrm_verify(ipsec_xfrm, crypto_xfrm);
+               if (rc)
+                       return rc;
+
+               switch (cipher_xfrm->cipher.algo) {
+               case RTE_CRYPTO_CIPHER_AES_CBC:
+                       ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC;
+                       break;
+               case RTE_CRYPTO_CIPHER_AES_CTR:
+                       ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CTR;
+                       break;
+               default:
+                       return -ENOTSUP;
+               }
+
+               switch (auth_xfrm->auth.algo) {
+               case RTE_CRYPTO_AUTH_SHA1_HMAC:
+                       ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA1;
+                       break;
+               default:
+                       return -ENOTSUP;
+               }
+               auth_key_len = auth_xfrm->auth.key.length;
+               if (auth_key_len < 20 || auth_key_len > 64)
+                       return -ENOTSUP;
+
+               key = cipher_xfrm->cipher.key.data;
+               length = cipher_xfrm->cipher.key.length;
+
+               ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
+       }
+
+       switch (length) {
+       case ROC_CPT_AES128_KEY_LEN:
+               ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;
+               break;
+       case ROC_CPT_AES192_KEY_LEN:
+               ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;
+               break;
+       case ROC_CPT_AES256_KEY_LEN:
+               ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;
+               break;
+       default:
+               return -EINVAL;
+       }
+
+       memcpy(cipher_key, key, length);
+
+       if (ipsec_xfrm->options.esn)
+               ctl->esn_en = 1;
+
+       ctl->spi = rte_cpu_to_be_32(ipsec_xfrm->spi);
+       return 0;
+}
+
+int
+cnxk_onf_ipsec_inb_sa_fill(struct roc_onf_ipsec_inb_sa *sa,
+                          struct rte_security_ipsec_xform *ipsec_xfrm,
+                          struct rte_crypto_sym_xform *crypto_xfrm)
+{
+       struct roc_ie_onf_sa_ctl *ctl = &sa->ctl;
+       int rc;
+
+       rc = onf_ipsec_sa_common_param_fill(ctl, sa->nonce, sa->cipher_key,
+                                           sa->hmac_key, ipsec_xfrm,
+                                           crypto_xfrm);
+       if (rc)
+               return rc;
+
+       rte_wmb();
+
+       /* Enable SA */
+       ctl->valid = 1;
+       return 0;
+}
+
+int
+cnxk_onf_ipsec_outb_sa_fill(struct roc_onf_ipsec_outb_sa *sa,
+                           struct rte_security_ipsec_xform *ipsec_xfrm,
+                           struct rte_crypto_sym_xform *crypto_xfrm)
+{
+       struct rte_security_ipsec_tunnel_param *tunnel = &ipsec_xfrm->tunnel;
+       struct roc_ie_onf_sa_ctl *ctl = &sa->ctl;
+       int rc;
+
+       /* Fill common params */
+       rc = onf_ipsec_sa_common_param_fill(ctl, sa->nonce, sa->cipher_key,
+                                           sa->hmac_key, ipsec_xfrm,
+                                           crypto_xfrm);
+       if (rc)
+               return rc;
+
+       if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+               goto skip_tunnel_info;
+
+       /* Tunnel header info */
+       switch (tunnel->type) {
+       case RTE_SECURITY_IPSEC_TUNNEL_IPV4:
+               memcpy(&sa->ip_src, &tunnel->ipv4.src_ip,
+                      sizeof(struct in_addr));
+               memcpy(&sa->ip_dst, &tunnel->ipv4.dst_ip,
+                      sizeof(struct in_addr));
+               break;
+       case RTE_SECURITY_IPSEC_TUNNEL_IPV6:
+               return -ENOTSUP;
+       default:
+               return -EINVAL;
+       }
+
+       /* Update udp encap ports */
+       if (ipsec_xfrm->options.udp_encap == 1) {
+               sa->udp_src = 4500;
+               sa->udp_dst = 4500;
+       }
+
+skip_tunnel_info:
+       rte_wmb();
+
+       /* Enable SA */
+       ctl->valid = 1;
+       return 0;
+}
+
+bool
+cnxk_onf_ipsec_inb_sa_valid(struct roc_onf_ipsec_inb_sa *sa)
+{
+       return !!sa->ctl.valid;
+}
+
+bool
+cnxk_onf_ipsec_outb_sa_valid(struct roc_onf_ipsec_outb_sa *sa)
+{
+       return !!sa->ctl.valid;
+}
+
 uint8_t
 cnxk_ipsec_ivlen_get(enum rte_crypto_cipher_algorithm c_algo,
                     enum rte_crypto_auth_algorithm a_algo,
@@ -574,6 +842,9 @@ cnxk_ipsec_icvlen_get(enum rte_crypto_cipher_algorithm c_algo,
        case RTE_CRYPTO_AUTH_SHA512_HMAC:
                icv = 32;
                break;
+       case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+               icv = 12;
+               break;
        default:
                break;
        }
DPDK repo used for reviews