#include "otx2_cryptodev_hw_access.h"
#include "otx2_cryptodev_mbox.h"
#include "otx2_cryptodev_ops.h"
+#include "otx2_cryptodev_ops_helper.h"
+#include "otx2_ipsec_anti_replay.h"
+#include "otx2_ipsec_po_ops.h"
#include "otx2_mbox.h"
#include "otx2_sec_idev.h"
+#include "otx2_security.h"
#include "cpt_hw_types.h"
#include "cpt_pmd_logs.h"
size_div40 = (iq_len + 40 - 1) / 40 + 1;
/* For pending queue */
- len = iq_len * RTE_ALIGN(sizeof(struct rid), 8);
+ len = iq_len * sizeof(uintptr_t);
/* Space for instruction group memory */
len += size_div40 * 16;
}
/* Initialize pending queue */
- qp->pend_q.rid_queue = (struct rid *)va;
+ qp->pend_q.req_queue = (uintptr_t *)va;
qp->pend_q.enq_tail = 0;
qp->pend_q.deq_head = 0;
qp->pend_q.pending_count = 0;
- used_len = iq_len * RTE_ALIGN(sizeof(struct rid), 8);
+ used_len = iq_len * sizeof(uintptr_t);
used_len += size_div40 * 16;
used_len = RTE_ALIGN(used_len, pg_sz);
iova += used_len;
qp->iq_dma_addr = iova;
qp->id = qp_id;
- qp->base = OTX2_CPT_LF_BAR2(vf, qp_id);
+ qp->blkaddr = vf->lf_blkaddr[qp_id];
+ qp->base = OTX2_CPT_LF_BAR2(vf, qp->blkaddr, qp_id);
lmtline = vf->otx2_dev.bar2 +
(RVU_BLOCK_ADDR_LMT << 20 | qp_id << 12) +
if (xform->next) {
if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
- xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
+ xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT &&
+ (xform->auth.algo != RTE_CRYPTO_AUTH_SHA1_HMAC ||
+ xform->next->cipher.algo != RTE_CRYPTO_CIPHER_AES_CBC))
return -ENOTSUP;
if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
xform->cipher.op == RTE_CRYPTO_CIPHER_OP_DECRYPT &&
- xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH)
+ xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
+ (xform->cipher.algo != RTE_CRYPTO_CIPHER_AES_CBC ||
+ xform->next->auth.algo != RTE_CRYPTO_AUTH_SHA1_HMAC))
return -ENOTSUP;
if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
struct rte_cryptodev_sym_session *sess,
struct rte_mempool *pool)
{
+ struct rte_crypto_sym_xform *temp_xform = xform;
struct cpt_sess_misc *misc;
+ vq_cmd_word3_t vq_cmd_w3;
void *priv;
int ret;
return -ENOMEM;
}
+ memset(priv, 0, sizeof(struct cpt_sess_misc) +
+ offsetof(struct cpt_ctx, mc_ctx));
+
misc = priv;
for ( ; xform != NULL; xform = xform->next) {
goto priv_put;
}
+ if ((GET_SESS_FC_TYPE(misc) == HASH_HMAC) &&
+ cpt_mac_len_verify(&temp_xform->auth)) {
+ CPT_LOG_ERR("MAC length is not supported");
+ ret = -ENOTSUP;
+ goto priv_put;
+ }
+
set_sym_session_private_data(sess, driver_id, misc);
misc->ctx_dma_addr = rte_mempool_virt2iova(misc) +
sizeof(struct cpt_sess_misc);
+ vq_cmd_w3.u64 = 0;
+ vq_cmd_w3.s.cptr = misc->ctx_dma_addr + offsetof(struct cpt_ctx,
+ mc_ctx);
+
/*
* IE engines support IPsec operations
- * SE engines support IPsec operations and Air-Crypto operations
+ * SE engines support IPsec operations, Chacha-Poly and
+ * Air-Crypto operations
*/
- if (misc->zsk_flag)
- misc->egrp = OTX2_CPT_EGRP_SE;
+ if (misc->zsk_flag || misc->chacha_poly)
+ vq_cmd_w3.s.grp = OTX2_CPT_EGRP_SE;
else
- misc->egrp = OTX2_CPT_EGRP_SE_IE;
+ vq_cmd_w3.s.grp = OTX2_CPT_EGRP_SE_IE;
+
+ misc->cpt_inst_w7 = vq_cmd_w3.u64;
return 0;
return -ENOTSUP;
}
-static void
-sym_session_clear(int driver_id, struct rte_cryptodev_sym_session *sess)
+static __rte_always_inline void __rte_hot
+otx2_ca_enqueue_req(const struct otx2_cpt_qp *qp,
+ struct cpt_request_info *req,
+ void *lmtline,
+ uint64_t cpt_inst_w7)
{
- void *priv = get_sym_session_private_data(sess, driver_id);
- struct rte_mempool *pool;
+ union cpt_inst_s inst;
+ uint64_t lmt_status;
- if (priv == NULL)
- return;
+ inst.u[0] = 0;
+ inst.s9x.res_addr = req->comp_baddr;
+ inst.u[2] = 0;
+ inst.u[3] = 0;
- memset(priv, 0, cpt_get_session_size());
+ inst.s9x.ei0 = req->ist.ei0;
+ inst.s9x.ei1 = req->ist.ei1;
+ inst.s9x.ei2 = req->ist.ei2;
+ inst.s9x.ei3 = cpt_inst_w7;
- pool = rte_mempool_from_obj(priv);
+ inst.s9x.qord = 1;
+ inst.s9x.grp = qp->ev.queue_id;
+ inst.s9x.tt = qp->ev.sched_type;
+ inst.s9x.tag = (RTE_EVENT_TYPE_CRYPTODEV << 28) |
+ qp->ev.flow_id;
+ inst.s9x.wq_ptr = (uint64_t)req >> 3;
+ req->qp = qp;
- set_sym_session_private_data(sess, driver_id, NULL);
+ do {
+ /* Copy CPT command to LMTLINE */
+ memcpy(lmtline, &inst, sizeof(inst));
+
+ /*
+ * Make sure compiler does not reorder memcpy and ldeor.
+ * LMTST transactions are always flushed from the write
+ * buffer immediately, a DMB is not required to push out
+ * LMTSTs.
+ */
+ rte_io_wmb();
+ lmt_status = otx2_lmt_submit(qp->lf_nq_reg);
+ } while (lmt_status == 0);
- rte_mempool_put(pool, priv);
}
static __rte_always_inline int32_t __rte_hot
otx2_cpt_enqueue_req(const struct otx2_cpt_qp *qp,
struct pending_queue *pend_q,
- struct cpt_request_info *req)
+ struct cpt_request_info *req,
+ uint64_t cpt_inst_w7)
{
void *lmtline = qp->lmtline;
union cpt_inst_s inst;
uint64_t lmt_status;
+ if (qp->ca_enable) {
+ otx2_ca_enqueue_req(qp, req, lmtline, cpt_inst_w7);
+ return 0;
+ }
+
if (unlikely(pend_q->pending_count >= OTX2_CPT_DEFAULT_CMD_QLEN))
return -EAGAIN;
inst.s9x.ei0 = req->ist.ei0;
inst.s9x.ei1 = req->ist.ei1;
inst.s9x.ei2 = req->ist.ei2;
- inst.s9x.ei3 = req->ist.ei3;
+ inst.s9x.ei3 = cpt_inst_w7;
req->time_out = rte_get_timer_cycles() +
DEFAULT_COMMAND_TIMEOUT * rte_get_timer_hz();
* buffer immediately, a DMB is not required to push out
* LMTSTs.
*/
- rte_cio_wmb();
+ rte_io_wmb();
lmt_status = otx2_lmt_submit(qp->lf_nq_reg);
} while (lmt_status == 0);
- pend_q->rid_queue[pend_q->enq_tail].rid = (uintptr_t)req;
+ pend_q->req_queue[pend_q->enq_tail] = (uintptr_t)req;
/* We will use soft queue length here to limit requests */
MOD_INC(pend_q->enq_tail, OTX2_CPT_DEFAULT_CMD_QLEN);
struct rte_crypto_asym_op *asym_op = op->asym;
struct asym_op_params params = {0};
struct cpt_asym_sess_misc *sess;
- vq_cmd_word3_t *w3;
uintptr_t *cop;
void *mdata;
int ret;
goto req_fail;
}
- /* Set engine group of AE */
- w3 = (vq_cmd_word3_t *)¶ms.req->ist.ei3;
- w3->s.grp = OTX2_CPT_EGRP_AE;
-
- ret = otx2_cpt_enqueue_req(qp, pend_q, params.req);
+ ret = otx2_cpt_enqueue_req(qp, pend_q, params.req, sess->cpt_inst_w7);
if (unlikely(ret)) {
CPT_LOG_DP_ERR("Could not enqueue crypto req");
struct rte_crypto_sym_op *sym_op = op->sym;
struct cpt_request_info *req;
struct cpt_sess_misc *sess;
- vq_cmd_word3_t *w3;
uint64_t cpt_op;
void *mdata;
int ret;
return ret;
}
- w3 = ((vq_cmd_word3_t *)(&req->ist.ei3));
- w3->s.grp = sess->egrp;
-
- ret = otx2_cpt_enqueue_req(qp, pend_q, req);
+ ret = otx2_cpt_enqueue_req(qp, pend_q, req, sess->cpt_inst_w7);
if (unlikely(ret)) {
/* Free buffer allocated by fill params routines */
return ret;
}
+static __rte_always_inline int __rte_hot
+otx2_cpt_enqueue_sec(struct otx2_cpt_qp *qp, struct rte_crypto_op *op,
+ struct pending_queue *pend_q)
+{
+ uint32_t winsz, esn_low = 0, esn_hi = 0, seql = 0, seqh = 0;
+ struct rte_mbuf *m_src = op->sym->m_src;
+ struct otx2_sec_session_ipsec_lp *sess;
+ struct otx2_ipsec_po_sa_ctl *ctl_wrd;
+ struct otx2_ipsec_po_in_sa *sa;
+ struct otx2_sec_session *priv;
+ struct cpt_request_info *req;
+ uint64_t seq_in_sa, seq = 0;
+ uint8_t esn;
+ int ret;
+
+ priv = get_sec_session_private_data(op->sym->sec_session);
+ sess = &priv->ipsec.lp;
+ sa = &sess->in_sa;
+
+ ctl_wrd = &sa->ctl;
+ esn = ctl_wrd->esn_en;
+ winsz = sa->replay_win_sz;
+
+ if (ctl_wrd->direction == OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND)
+ ret = process_outb_sa(op, sess, &qp->meta_info, (void **)&req);
+ else {
+ if (winsz) {
+ esn_low = rte_be_to_cpu_32(sa->esn_low);
+ esn_hi = rte_be_to_cpu_32(sa->esn_hi);
+ seql = *rte_pktmbuf_mtod_offset(m_src, uint32_t *,
+ sizeof(struct rte_ipv4_hdr) + 4);
+ seql = rte_be_to_cpu_32(seql);
+
+ if (!esn)
+ seq = (uint64_t)seql;
+ else {
+ seqh = anti_replay_get_seqh(winsz, seql, esn_hi,
+ esn_low);
+ seq = ((uint64_t)seqh << 32) | seql;
+ }
+
+ if (unlikely(seq == 0))
+ return IPSEC_ANTI_REPLAY_FAILED;
+
+ ret = anti_replay_check(sa->replay, seq, winsz);
+ if (unlikely(ret)) {
+ otx2_err("Anti replay check failed");
+ return IPSEC_ANTI_REPLAY_FAILED;
+ }
+ }
+
+ ret = process_inb_sa(op, sess, &qp->meta_info, (void **)&req);
+ }
+
+ if (unlikely(ret)) {
+ otx2_err("Crypto req : op %p, ret 0x%x", op, ret);
+ return ret;
+ }
+
+ ret = otx2_cpt_enqueue_req(qp, pend_q, req, sess->cpt_inst_w7);
+
+ if (winsz && esn) {
+ seq_in_sa = ((uint64_t)esn_hi << 32) | esn_low;
+ if (seq > seq_in_sa) {
+ sa->esn_low = rte_cpu_to_be_32(seql);
+ sa->esn_hi = rte_cpu_to_be_32(seqh);
+ }
+ }
+
+ return ret;
+}
+
static __rte_always_inline int __rte_hot
otx2_cpt_enqueue_sym_sessless(struct otx2_cpt_qp *qp, struct rte_crypto_op *op,
struct pending_queue *pend_q)
int ret;
/* Create temporary session */
-
- if (rte_mempool_get(qp->sess_mp, (void **)&sess))
+ sess = rte_cryptodev_sym_session_create(qp->sess_mp);
+ if (sess == NULL)
return -ENOMEM;
ret = sym_session_configure(driver_id, sym_op->xform, sess,
for (count = 0; count < nb_ops; count++) {
op = ops[count];
if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
- if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION)
+ if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION)
+ ret = otx2_cpt_enqueue_sec(qp, op, pend_q);
+ else if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION)
ret = otx2_cpt_enqueue_sym(qp, op, pend_q);
else
ret = otx2_cpt_enqueue_sym_sessless(qp, op,
/* Separate out sign r and s components */
memcpy(ecdsa->r.data, req->rptr, prime_len);
- memcpy(ecdsa->s.data, req->rptr + ROUNDUP8(prime_len), prime_len);
+ memcpy(ecdsa->s.data, req->rptr + RTE_ALIGN_CEIL(prime_len, 8),
+ prime_len);
ecdsa->r.length = prime_len;
ecdsa->s.length = prime_len;
}
int prime_len = ec_grp[ec->curveid].prime.length;
memcpy(ecpm->r.x.data, req->rptr, prime_len);
- memcpy(ecpm->r.y.data, req->rptr + ROUNDUP8(prime_len), prime_len);
+ memcpy(ecpm->r.y.data, req->rptr + RTE_ALIGN_CEIL(prime_len, 8),
+ prime_len);
ecpm->r.x.length = prime_len;
ecpm->r.y.length = prime_len;
}
}
}
+static void
+otx2_cpt_sec_post_process(struct rte_crypto_op *cop, uintptr_t *rsp)
+{
+ struct cpt_request_info *req = (struct cpt_request_info *)rsp[2];
+ vq_cmd_word0_t *word0 = (vq_cmd_word0_t *)&req->ist.ei0;
+ struct rte_crypto_sym_op *sym_op = cop->sym;
+ struct rte_mbuf *m = sym_op->m_src;
+ struct rte_ipv6_hdr *ip6;
+ struct rte_ipv4_hdr *ip;
+ uint16_t m_len;
+ int mdata_len;
+ char *data;
+
+ mdata_len = (int)rsp[3];
+ rte_pktmbuf_trim(m, mdata_len);
+
+ if (word0->s.opcode.major == OTX2_IPSEC_PO_PROCESS_IPSEC_INB) {
+ data = rte_pktmbuf_mtod(m, char *);
+
+ if (rsp[4] == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+ ip = (struct rte_ipv4_hdr *)(data +
+ OTX2_IPSEC_PO_INB_RPTR_HDR);
+ m_len = rte_be_to_cpu_16(ip->total_length);
+ } else {
+ ip6 = (struct rte_ipv6_hdr *)(data +
+ OTX2_IPSEC_PO_INB_RPTR_HDR);
+ m_len = rte_be_to_cpu_16(ip6->payload_len) +
+ sizeof(struct rte_ipv6_hdr);
+ }
+
+ m->data_len = m_len;
+ m->pkt_len = m_len;
+ m->data_off += OTX2_IPSEC_PO_INB_RPTR_HDR;
+ }
+}
+
static inline void
otx2_cpt_dequeue_post_process(struct otx2_cpt_qp *qp, struct rte_crypto_op *cop,
uintptr_t *rsp, uint8_t cc)
{
+ unsigned int sz;
+
if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
+ if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
+ if (likely(cc == OTX2_IPSEC_PO_CC_SUCCESS)) {
+ otx2_cpt_sec_post_process(cop, rsp);
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ } else
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+
+ return;
+ }
+
if (likely(cc == NO_ERR)) {
/* Verify authentication data if required */
if (unlikely(rsp[2]))
if (unlikely(cop->sess_type == RTE_CRYPTO_OP_SESSIONLESS)) {
sym_session_clear(otx2_cryptodev_driver_id,
cop->sym->session);
+ sz = rte_cryptodev_sym_get_existing_header_session_size(
+ cop->sym->session);
+ memset(cop->sym->session, 0, sz);
rte_mempool_put(qp->sess_mp, cop->sym->session);
cop->sym->session = NULL;
}
}
}
-static __rte_always_inline uint8_t
-otx2_cpt_compcode_get(struct cpt_request_info *req)
-{
- volatile struct cpt_res_s_9s *res;
- uint8_t ret;
-
- res = (volatile struct cpt_res_s_9s *)req->completion_addr;
-
- if (unlikely(res->compcode == CPT_9X_COMP_E_NOTDONE)) {
- if (rte_get_timer_cycles() < req->time_out)
- return ERR_REQ_PENDING;
-
- CPT_LOG_DP_ERR("Request timed out");
- return ERR_REQ_TIMEOUT;
- }
-
- if (likely(res->compcode == CPT_9X_COMP_E_GOOD)) {
- ret = NO_ERR;
- if (unlikely(res->uc_compcode)) {
- ret = res->uc_compcode;
- CPT_LOG_DP_DEBUG("Request failed with microcode error");
- CPT_LOG_DP_DEBUG("MC completion code 0x%x",
- res->uc_compcode);
- }
- } else {
- CPT_LOG_DP_DEBUG("HW completion code 0x%x", res->compcode);
-
- ret = res->compcode;
- switch (res->compcode) {
- case CPT_9X_COMP_E_INSTERR:
- CPT_LOG_DP_ERR("Request failed with instruction error");
- break;
- case CPT_9X_COMP_E_FAULT:
- CPT_LOG_DP_ERR("Request failed with DMA fault");
- break;
- case CPT_9X_COMP_E_HWERR:
- CPT_LOG_DP_ERR("Request failed with hardware error");
- break;
- default:
- CPT_LOG_DP_ERR("Request failed with unknown completion code");
- }
- }
-
- return ret;
-}
-
static uint16_t
otx2_cpt_dequeue_burst(void *qptr, struct rte_crypto_op **ops, uint16_t nb_ops)
{
struct cpt_request_info *req;
struct rte_crypto_op *cop;
uint8_t cc[nb_ops];
- struct rid *rid;
uintptr_t *rsp;
void *metabuf;
nb_ops = nb_pending;
for (i = 0; i < nb_ops; i++) {
- rid = &pend_q->rid_queue[pend_q->deq_head];
- req = (struct cpt_request_info *)(rid->rid);
+ req = (struct cpt_request_info *)
+ pend_q->req_queue[pend_q->deq_head];
cc[i] = otx2_cpt_compcode_get(req);
return nb_completed;
}
+void
+otx2_cpt_set_enqdeq_fns(struct rte_cryptodev *dev)
+{
+ dev->enqueue_burst = otx2_cpt_enqueue_burst;
+ dev->dequeue_burst = otx2_cpt_dequeue_burst;
+
+ rte_mb();
+}
+
/* PMD ops */
static int
goto intr_unregister;
}
- dev->enqueue_burst = otx2_cpt_enqueue_burst;
- dev->dequeue_burst = otx2_cpt_dequeue_burst;
+ otx2_cpt_set_enqdeq_fns(dev);
- rte_mb();
return 0;
intr_unregister:
struct rte_mempool *pool)
{
struct cpt_asym_sess_misc *priv;
+ vq_cmd_word3_t vq_cmd_w3;
int ret;
CPT_PMD_INIT_FUNC_TRACE();
return ret;
}
+ vq_cmd_w3.u64 = 0;
+ vq_cmd_w3.s.grp = OTX2_CPT_EGRP_AE;
+ priv->cpt_inst_w7 = vq_cmd_w3.u64;
+
set_asym_session_private_data(sess, dev->driver_id, priv);
+
return 0;
}