#include <rte_eventdev.h>
#include <rte_security.h>
#include <rte_security_driver.h>
+#include <rte_pmd_cnxk.h>
#include <cn10k_ethdev.h>
#include <cnxk_security.h>
+#include <roc_priv.h>
static struct rte_cryptodev_capabilities cn10k_eth_sec_crypto_caps[] = {
{ /* AES GCM */
}, }
}, }
},
+ { /* 3DES CBC */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+ {.cipher = {
+ .algo = RTE_CRYPTO_CIPHER_3DES_CBC,
+ .block_size = 8,
+ .key_size = {
+ .min = 24,
+ .max = 24,
+ .increment = 0
+ },
+ .iv_size = {
+ .min = 8,
+ .max = 16,
+ .increment = 8
+ }
+ }, }
+ }, }
+ },
{ /* SHA1 HMAC */
.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
{.sym = {
}
};
-static void
-cn10k_eth_sec_sso_work_cb(uint64_t *gw, void *args)
+static inline void
+cnxk_pktmbuf_free_no_cache(struct rte_mbuf *mbuf)
+{
+ struct rte_mbuf *next;
+
+ if (!mbuf)
+ return;
+ do {
+ next = mbuf->next;
+ roc_npa_aura_op_free(mbuf->pool->pool_id, 1, (rte_iova_t)mbuf);
+ mbuf = next;
+ } while (mbuf != NULL);
+}
+
+void
+cn10k_eth_sec_sso_work_cb(uint64_t *gw, void *args, uint32_t soft_exp_event)
{
struct rte_eth_event_ipsec_desc desc;
struct cn10k_sec_sess_priv sess_priv;
struct cpt_cn10k_res_s *res;
struct rte_eth_dev *eth_dev;
struct cnxk_eth_dev *dev;
+ static uint64_t warn_cnt;
uint16_t dlen_adj, rlen;
struct rte_mbuf *mbuf;
uintptr_t sa_base;
/* Event from inbound inline dev due to IPSEC packet bad L4 */
mbuf = (struct rte_mbuf *)(gw[1] - sizeof(struct rte_mbuf));
plt_nix_dbg("Received mbuf %p from inline dev inbound", mbuf);
- rte_pktmbuf_free(mbuf);
+ cnxk_pktmbuf_free_no_cache(mbuf);
return;
case RTE_EVENT_TYPE_CPU:
/* Check for subtype */
}
/* Fall through */
default:
- plt_err("Unknown event gw[0] = 0x%016lx, gw[1] = 0x%016lx",
- gw[0], gw[1]);
+ if (soft_exp_event & 0x1) {
+ sa = (struct roc_ot_ipsec_outb_sa *)args;
+ priv = roc_nix_inl_ot_ipsec_outb_sa_sw_rsvd(sa);
+ desc.metadata = (uint64_t)priv->userdata;
+ desc.subtype = RTE_ETH_EVENT_IPSEC_SA_TIME_EXPIRY;
+ eth_dev = &rte_eth_devices[soft_exp_event >> 8];
+ rte_eth_dev_callback_process(eth_dev,
+ RTE_ETH_EVENT_IPSEC, &desc);
+ } else {
+ plt_err("Unknown event gw[0] = 0x%016lx, gw[1] = 0x%016lx",
+ gw[0], gw[1]);
+ }
return;
}
case ROC_IE_OT_UCC_ERR_SA_OVERFLOW:
desc.subtype = RTE_ETH_EVENT_IPSEC_ESN_OVERFLOW;
break;
+ case ROC_IE_OT_UCC_ERR_PKT_IP:
+ warn_cnt++;
+ if (warn_cnt % 10000 == 0)
+ plt_warn("Outbound error, bad ip pkt, mbuf %p,"
+ " sa_index %u (total warnings %" PRIu64 ")",
+ mbuf, sess_priv.sa_idx, warn_cnt);
+ desc.subtype = RTE_ETH_EVENT_IPSEC_UNKNOWN;
+ break;
default:
- plt_warn("Outbound error, mbuf %p, sa_index %u, "
- "compcode %x uc %x", mbuf, sess_priv.sa_idx,
- res->compcode, res->uc_compcode);
+ warn_cnt++;
+ if (warn_cnt % 10000 == 0)
+ plt_warn("Outbound error, mbuf %p, sa_index %u,"
+ " compcode %x uc %x,"
+ " (total warnings %" PRIu64 ")",
+ mbuf, sess_priv.sa_idx, res->compcode,
+ res->uc_compcode, warn_cnt);
desc.subtype = RTE_ETH_EVENT_IPSEC_UNKNOWN;
break;
}
desc.metadata = (uint64_t)priv->userdata;
rte_eth_dev_callback_process(eth_dev, RTE_ETH_EVENT_IPSEC, &desc);
- rte_pktmbuf_free(mbuf);
+ cnxk_pktmbuf_free_no_cache(mbuf);
+}
+
+static void
+outb_dbg_iv_update(struct roc_ot_ipsec_outb_sa *outb_sa, const char *__iv_str)
+{
+ uint8_t *iv_dbg = outb_sa->iv.iv_dbg;
+ char *iv_str = strdup(__iv_str);
+ char *iv_b = NULL, len = 16;
+ char *save;
+ int i;
+
+ if (!iv_str)
+ return;
+
+ if (outb_sa->w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM ||
+ outb_sa->w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_CTR ||
+ outb_sa->w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM ||
+ outb_sa->w2.s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC) {
+ memset(outb_sa->iv.s.iv_dbg1, 0, sizeof(outb_sa->iv.s.iv_dbg1));
+ memset(outb_sa->iv.s.iv_dbg2, 0, sizeof(outb_sa->iv.s.iv_dbg2));
+
+ iv_dbg = outb_sa->iv.s.iv_dbg1;
+ for (i = 0; i < 4; i++) {
+ iv_b = strtok_r(i ? NULL : iv_str, ",", &save);
+ if (!iv_b)
+ break;
+ iv_dbg[i] = strtoul(iv_b, NULL, 0);
+ }
+ *(uint32_t *)iv_dbg = rte_be_to_cpu_32(*(uint32_t *)iv_dbg);
+
+ iv_dbg = outb_sa->iv.s.iv_dbg2;
+ for (i = 0; i < 4; i++) {
+ iv_b = strtok_r(NULL, ",", &save);
+ if (!iv_b)
+ break;
+ iv_dbg[i] = strtoul(iv_b, NULL, 0);
+ }
+ *(uint32_t *)iv_dbg = rte_be_to_cpu_32(*(uint32_t *)iv_dbg);
+
+ } else {
+ iv_dbg = outb_sa->iv.iv_dbg;
+ memset(iv_dbg, 0, sizeof(outb_sa->iv.iv_dbg));
+
+ for (i = 0; i < len; i++) {
+ iv_b = strtok_r(i ? NULL : iv_str, ",", &save);
+ if (!iv_b)
+ break;
+ iv_dbg[i] = strtoul(iv_b, NULL, 0);
+ }
+ *(uint64_t *)iv_dbg = rte_be_to_cpu_64(*(uint64_t *)iv_dbg);
+ *(uint64_t *)&iv_dbg[8] =
+ rte_be_to_cpu_64(*(uint64_t *)&iv_dbg[8]);
+ }
+
+ /* Update source of IV */
+ outb_sa->w2.s.iv_src = ROC_IE_OT_SA_IV_SRC_FROM_SA;
+ free(iv_str);
+}
+
+static int
+cn10k_eth_sec_outb_sa_misc_fill(struct roc_nix *roc_nix,
+ struct roc_ot_ipsec_outb_sa *sa, void *sa_cptr,
+ struct rte_security_ipsec_xform *ipsec_xfrm,
+ uint32_t sa_idx)
+{
+ uint64_t *ring_base, ring_addr;
+
+ if (ipsec_xfrm->life.bytes_soft_limit |
+ ipsec_xfrm->life.packets_soft_limit) {
+ ring_base = roc_nix_inl_outb_ring_base_get(roc_nix);
+ if (ring_base == NULL)
+ return -ENOTSUP;
+
+ ring_addr = ring_base[sa_idx >>
+ ROC_NIX_SOFT_EXP_ERR_RING_MAX_ENTRY_LOG2];
+ sa->ctx.err_ctl.s.mode = ROC_IE_OT_ERR_CTL_MODE_RING;
+ sa->ctx.err_ctl.s.address = ring_addr >> 3;
+ sa->w0.s.ctx_id = ((uintptr_t)sa_cptr >> 51) & 0x1ff;
+ }
+
+ return 0;
}
static int
struct cn10k_sec_sess_priv sess_priv;
struct rte_crypto_sym_xform *crypto;
struct cnxk_eth_sec_sess *eth_sec;
+ struct roc_nix *nix = &dev->nix;
bool inbound, inl_dev;
rte_spinlock_t *lock;
char tbuf[128] = {0};
if (rte_security_dynfield_register() < 0)
return -ENOTSUP;
- if (rte_eal_process_type() == RTE_PROC_PRIMARY)
- roc_nix_inl_cb_register(cn10k_eth_sec_sso_work_cb, NULL);
+ if (conf->ipsec.options.ip_reassembly_en &&
+ dev->reass_dynfield_off < 0) {
+ if (rte_eth_ip_reassembly_dynfield_register(&dev->reass_dynfield_off,
+ &dev->reass_dynflag_bit) < 0)
+ return -rte_errno;
+ }
ipsec = &conf->ipsec;
crypto = conf->crypto_xform;
if (inbound) {
struct roc_ot_ipsec_inb_sa *inb_sa, *inb_sa_dptr;
struct cn10k_inb_priv_data *inb_priv;
+ uint32_t spi_mask;
uintptr_t sa;
PLT_STATIC_ASSERT(sizeof(struct cn10k_inb_priv_data) <
ROC_NIX_INL_OT_IPSEC_INB_SW_RSVD);
+ spi_mask = roc_nix_inl_inb_spi_range(nix, inl_dev, NULL, NULL);
+
/* Get Inbound SA from NIX_RX_IPSEC_SA_BASE */
- sa = roc_nix_inl_inb_sa_get(&dev->nix, inl_dev, ipsec->spi);
+ sa = roc_nix_inl_inb_sa_get(nix, inl_dev, ipsec->spi);
if (!sa && dev->inb.inl_dev) {
snprintf(tbuf, sizeof(tbuf),
"Failed to create ingress sa, inline dev "
memset(inb_sa_dptr, 0, sizeof(struct roc_ot_ipsec_inb_sa));
/* Fill inbound sa params */
- rc = cnxk_ot_ipsec_inb_sa_fill(inb_sa_dptr, ipsec, crypto);
+ rc = cnxk_ot_ipsec_inb_sa_fill(inb_sa_dptr, ipsec, crypto,
+ true);
if (rc) {
snprintf(tbuf, sizeof(tbuf),
"Failed to init inbound sa, rc=%d", rc);
inb_priv->userdata = conf->userdata;
/* Save SA index/SPI in cookie for now */
- inb_sa_dptr->w1.s.cookie = rte_cpu_to_be_32(ipsec->spi);
+ inb_sa_dptr->w1.s.cookie =
+ rte_cpu_to_be_32(ipsec->spi & spi_mask);
/* Prepare session priv */
sess_priv.inb_sa = 1;
- sess_priv.sa_idx = ipsec->spi;
+ sess_priv.sa_idx = ipsec->spi & spi_mask;
/* Pointer from eth_sec -> inb_sa */
eth_sec->sa = inb_sa;
eth_sec->sess = sess;
- eth_sec->sa_idx = ipsec->spi;
+ eth_sec->sa_idx = ipsec->spi & spi_mask;
eth_sec->spi = ipsec->spi;
eth_sec->inl_dev = !!dev->inb.inl_dev;
eth_sec->inb = true;
sizeof(struct roc_ot_ipsec_inb_sa));
if (rc)
goto mempool_put;
+
+ if (conf->ipsec.options.ip_reassembly_en) {
+ inb_priv->reass_dynfield_off = dev->reass_dynfield_off;
+ inb_priv->reass_dynflag_bit = dev->reass_dynflag_bit;
+ }
+
} else {
struct roc_ot_ipsec_outb_sa *outb_sa, *outb_sa_dptr;
struct cn10k_outb_priv_data *outb_priv;
struct cnxk_ipsec_outb_rlens *rlens;
uint64_t sa_base = dev->outb.sa_base;
+ const char *iv_str;
uint32_t sa_idx;
PLT_STATIC_ASSERT(sizeof(struct cn10k_outb_priv_data) <
ROC_NIX_INL_OT_IPSEC_OUTB_SW_RSVD);
/* Alloc an sa index */
- rc = cnxk_eth_outb_sa_idx_get(dev, &sa_idx);
+ rc = cnxk_eth_outb_sa_idx_get(dev, &sa_idx, ipsec->spi);
if (rc)
goto mempool_put;
goto mempool_put;
}
+ iv_str = getenv("CN10K_ETH_SEC_IV_OVR");
+ if (iv_str)
+ outb_dbg_iv_update(outb_sa_dptr, iv_str);
+
+ /* Fill outbound sa misc params */
+ rc = cn10k_eth_sec_outb_sa_misc_fill(&dev->nix, outb_sa_dptr,
+ outb_sa, ipsec, sa_idx);
+ if (rc) {
+ snprintf(tbuf, sizeof(tbuf),
+ "Failed to init outb sa misc params, rc=%d",
+ rc);
+ rc |= cnxk_eth_outb_sa_idx_put(dev, sa_idx);
+ goto mempool_put;
+ }
+
/* Save userdata */
outb_priv->userdata = conf->userdata;
outb_priv->sa_idx = sa_idx;
sess_priv.partial_len = rlens->partial_len;
sess_priv.mode = outb_sa_dptr->w2.s.ipsec_mode;
sess_priv.outer_ip_ver = outb_sa_dptr->w2.s.outer_ip_ver;
+ /* Propagate inner checksum enable from SA to fast path */
+ sess_priv.chksum = (!ipsec->options.ip_csum_enable << 1 |
+ !ipsec->options.l4_csum_enable);
/* Pointer from eth_sec -> outb_sa */
eth_sec->sa = outb_sa;
if (eth_sec->inb) {
/* Disable SA */
sa_dptr = dev->inb.sa_dptr;
- roc_nix_inl_inb_sa_init(sa_dptr);
+ roc_ot_ipsec_inb_sa_init(sa_dptr, true);
roc_nix_inl_ctx_write(&dev->nix, sa_dptr, eth_sec->sa,
eth_sec->inb,
} else {
/* Disable SA */
sa_dptr = dev->outb.sa_dptr;
- roc_nix_inl_outb_sa_init(sa_dptr);
+ roc_ot_ipsec_outb_sa_init(sa_dptr);
roc_nix_inl_ctx_write(&dev->nix, sa_dptr, eth_sec->sa,
eth_sec->inb,
return cn10k_eth_sec_capabilities;
}
+static int
+cn10k_eth_sec_session_update(void *device, struct rte_security_session *sess,
+ struct rte_security_session_conf *conf)
+{
+ struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+ struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+ struct roc_ot_ipsec_inb_sa *inb_sa_dptr;
+ struct rte_security_ipsec_xform *ipsec;
+ struct rte_crypto_sym_xform *crypto;
+ struct cnxk_eth_sec_sess *eth_sec;
+ bool inbound;
+ int rc;
+
+ if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
+ conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
+ return -ENOENT;
+
+ ipsec = &conf->ipsec;
+ crypto = conf->crypto_xform;
+ inbound = !!(ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
+
+ eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
+ if (!eth_sec)
+ return -ENOENT;
+
+ eth_sec->spi = conf->ipsec.spi;
+
+ if (inbound) {
+ inb_sa_dptr = (struct roc_ot_ipsec_inb_sa *)dev->inb.sa_dptr;
+ memset(inb_sa_dptr, 0, sizeof(struct roc_ot_ipsec_inb_sa));
+
+ rc = cnxk_ot_ipsec_inb_sa_fill(inb_sa_dptr, ipsec, crypto,
+ true);
+ if (rc)
+ return -EINVAL;
+
+ rc = roc_nix_inl_ctx_write(&dev->nix, inb_sa_dptr, eth_sec->sa,
+ eth_sec->inb,
+ sizeof(struct roc_ot_ipsec_inb_sa));
+ if (rc)
+ return -EINVAL;
+ } else {
+ struct roc_ot_ipsec_outb_sa *outb_sa_dptr;
+
+ outb_sa_dptr = (struct roc_ot_ipsec_outb_sa *)dev->outb.sa_dptr;
+ memset(outb_sa_dptr, 0, sizeof(struct roc_ot_ipsec_outb_sa));
+
+ rc = cnxk_ot_ipsec_outb_sa_fill(outb_sa_dptr, ipsec, crypto);
+ if (rc)
+ return -EINVAL;
+ rc = roc_nix_inl_ctx_write(&dev->nix, outb_sa_dptr, eth_sec->sa,
+ eth_sec->inb,
+ sizeof(struct roc_ot_ipsec_outb_sa));
+ if (rc)
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+int
+rte_pmd_cnxk_hw_sa_read(void *device, struct rte_security_session *sess,
+ void *data, uint32_t len)
+{
+ struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+ struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+ struct cnxk_eth_sec_sess *eth_sec;
+ int rc;
+
+ eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
+ if (eth_sec == NULL)
+ return -EINVAL;
+
+ rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb,
+ ROC_NIX_INL_SA_OP_FLUSH);
+ if (rc)
+ return -EINVAL;
+ rte_delay_ms(1);
+ memcpy(data, eth_sec->sa, len);
+
+ return 0;
+}
+
+int
+rte_pmd_cnxk_hw_sa_write(void *device, struct rte_security_session *sess,
+ void *data, uint32_t len)
+{
+ struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+ struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+ struct cnxk_eth_sec_sess *eth_sec;
+ int rc = -EINVAL;
+
+ eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
+ if (eth_sec == NULL)
+ return rc;
+ rc = roc_nix_inl_ctx_write(&dev->nix, data, eth_sec->sa, eth_sec->inb,
+ len);
+ if (rc)
+ return rc;
+
+ return 0;
+}
+
void
cn10k_eth_sec_ops_override(void)
{
cnxk_eth_sec_ops.session_create = cn10k_eth_sec_session_create;
cnxk_eth_sec_ops.session_destroy = cn10k_eth_sec_session_destroy;
cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
+ cnxk_eth_sec_ops.session_update = cn10k_eth_sec_session_update;
}
git.droids-corp.org / dpdk.git / blobdiff