X-Git-Url: http://git.droids-corp.org/?a=blobdiff_plain;ds=sidebyside;f=drivers%2Fcommon%2Fcnxk%2Fcnxk_security.c;h=0d4baa942ef90f55d85ebb6ca3d0cdda0639cb09;hb=538bf10043542d0510aeabe460e0a29618885a84;hp=cc5daf333cc6b6ee0accbb7b6a4029342f9b2c99;hpb=07d4bde1c0e811ae60144ae74337237e6fb47e29;p=dpdk.git

diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index cc5daf333c..0d4baa942e 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -32,6 +32,18 @@ ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform,
 		roc_hash_sha1_gen(opad, (uint32_t *)&hmac_opad_ipad[0]);
 		roc_hash_sha1_gen(ipad, (uint32_t *)&hmac_opad_ipad[24]);
 		break;
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		roc_hash_sha256_gen(opad, (uint32_t *)&hmac_opad_ipad[0]);
+		roc_hash_sha256_gen(ipad, (uint32_t *)&hmac_opad_ipad[64]);
+		break;
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+		roc_hash_sha512_gen(opad, (uint64_t *)&hmac_opad_ipad[0], 384);
+		roc_hash_sha512_gen(ipad, (uint64_t *)&hmac_opad_ipad[64], 384);
+		break;
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		roc_hash_sha512_gen(opad, (uint64_t *)&hmac_opad_ipad[0], 512);
+		roc_hash_sha512_gen(ipad, (uint64_t *)&hmac_opad_ipad[64], 512);
+		break;
 	default:
 		break;
 	}
@@ -111,21 +123,33 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 		case RTE_CRYPTO_CIPHER_AES_CBC:
 			w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC;
 			break;
+		case RTE_CRYPTO_CIPHER_AES_CTR:
+			w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CTR;
+			break;
 		default:
 			return -ENOTSUP;
 		}
 
 		switch (auth_xfrm->auth.algo) {
+		case RTE_CRYPTO_AUTH_NULL:
+			w2->s.auth_type = ROC_IE_OT_SA_AUTH_NULL;
+			break;
 		case RTE_CRYPTO_AUTH_SHA1_HMAC:
 			w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA1;
 			break;
+		case RTE_CRYPTO_AUTH_SHA256_HMAC:
+			w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_256;
+			break;
+		case RTE_CRYPTO_AUTH_SHA384_HMAC:
+			w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_384;
+			break;
+		case RTE_CRYPTO_AUTH_SHA512_HMAC:
+			w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_512;
+			break;
 		default:
 			return -ENOTSUP;
 		}
 
-		key = cipher_xfrm->cipher.key.data;
-		length = cipher_xfrm->cipher.key.length;
-
 		ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
 
 		tmp_key = (uint64_t *)hmac_opad_ipad;
@@ -133,6 +157,9 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 		     i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t));
 		     i++)
 			tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
+
+		key = cipher_xfrm->cipher.key.data;
+		length = cipher_xfrm->cipher.key.length;
 	}
 
 	/* Set encapsulation type */
@@ -303,6 +330,9 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
 		sa->w10.s.udp_dst_port = 4500;
 	}
 
+	if (ipsec_xfrm->options.udp_ports_verify)
+		sa->w2.s.udp_ports_verify = 1;
+
 	offset = offsetof(struct roc_ot_ipsec_inb_sa, ctx);
 	/* Word offset for HW managed SA field */
 	sa->w0.s.hw_ctx_off = offset / 8;
@@ -344,6 +374,7 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
 	/* There are two words of CPT_CTX_HW_S for ucode to skip */
 	sa->w0.s.ctx_hdr_size = 1;
 	sa->w0.s.aop_valid = 1;
+	sa->w0.s.et_ovrwr = 1;
 
 	rte_wmb();
 
@@ -438,10 +469,6 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
 		return -EINVAL;
 	}
 
-	/* Default options of DSCP and Flow label/DF */
-	sa->w2.s.dscp_src = ROC_IE_OT_SA_COPY_FROM_SA;
-	sa->w2.s.ipv4_df_src_or_ipv6_flw_lbl_src = ROC_IE_OT_SA_COPY_FROM_SA;
-
 skip_tunnel_info:
 	/* ESN */
 	sa->w0.s.esn_en = !!ipsec_xfrm->options.esn;
@@ -513,6 +540,220 @@ cnxk_ot_ipsec_outb_sa_valid(struct roc_ot_ipsec_outb_sa *sa)
 	return !!sa->w2.s.valid;
 }
 
+static inline int
+ipsec_xfrm_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
+		  struct rte_crypto_sym_xform *crypto_xfrm)
+{
+	if (crypto_xfrm->next == NULL)
+		return -EINVAL;
+
+	if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+		    crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+			return -EINVAL;
+	} else {
+		if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+		    crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+			return -EINVAL;
+	}
+
+	return 0;
+}
+
+static int
+onf_ipsec_sa_common_param_fill(struct roc_ie_onf_sa_ctl *ctl, uint8_t *salt,
+			       uint8_t *cipher_key, uint8_t *hmac_opad_ipad,
+			       struct rte_security_ipsec_xform *ipsec_xfrm,
+			       struct rte_crypto_sym_xform *crypto_xfrm)
+{
+	struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm;
+	int rc, length, auth_key_len;
+	const uint8_t *key = NULL;
+
+	/* Set direction */
+	switch (ipsec_xfrm->direction) {
+	case RTE_SECURITY_IPSEC_SA_DIR_INGRESS:
+		ctl->direction = ROC_IE_SA_DIR_INBOUND;
+		auth_xfrm = crypto_xfrm;
+		cipher_xfrm = crypto_xfrm->next;
+		break;
+	case RTE_SECURITY_IPSEC_SA_DIR_EGRESS:
+		ctl->direction = ROC_IE_SA_DIR_OUTBOUND;
+		cipher_xfrm = crypto_xfrm;
+		auth_xfrm = crypto_xfrm->next;
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	/* Set protocol - ESP vs AH */
+	switch (ipsec_xfrm->proto) {
+	case RTE_SECURITY_IPSEC_SA_PROTO_ESP:
+		ctl->ipsec_proto = ROC_IE_SA_PROTOCOL_ESP;
+		break;
+	case RTE_SECURITY_IPSEC_SA_PROTO_AH:
+		return -ENOTSUP;
+	default:
+		return -EINVAL;
+	}
+
+	/* Set mode - transport vs tunnel */
+	switch (ipsec_xfrm->mode) {
+	case RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT:
+		ctl->ipsec_mode = ROC_IE_SA_MODE_TRANSPORT;
+		break;
+	case RTE_SECURITY_IPSEC_SA_MODE_TUNNEL:
+		ctl->ipsec_mode = ROC_IE_SA_MODE_TUNNEL;
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	/* Set encryption algorithm */
+	if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		length = crypto_xfrm->aead.key.length;
+
+		switch (crypto_xfrm->aead.algo) {
+		case RTE_CRYPTO_AEAD_AES_GCM:
+			ctl->enc_type = ROC_IE_ON_SA_ENC_AES_GCM;
+			ctl->auth_type = ROC_IE_ON_SA_AUTH_NULL;
+			memcpy(salt, &ipsec_xfrm->salt, 4);
+			key = crypto_xfrm->aead.key.data;
+			break;
+		default:
+			return -ENOTSUP;
+		}
+
+	} else {
+		rc = ipsec_xfrm_verify(ipsec_xfrm, crypto_xfrm);
+		if (rc)
+			return rc;
+
+		switch (cipher_xfrm->cipher.algo) {
+		case RTE_CRYPTO_CIPHER_AES_CBC:
+			ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC;
+			break;
+		case RTE_CRYPTO_CIPHER_AES_CTR:
+			ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CTR;
+			break;
+		default:
+			return -ENOTSUP;
+		}
+
+		switch (auth_xfrm->auth.algo) {
+		case RTE_CRYPTO_AUTH_SHA1_HMAC:
+			ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA1;
+			break;
+		default:
+			return -ENOTSUP;
+		}
+		auth_key_len = auth_xfrm->auth.key.length;
+		if (auth_key_len < 20 || auth_key_len > 64)
+			return -ENOTSUP;
+
+		key = cipher_xfrm->cipher.key.data;
+		length = cipher_xfrm->cipher.key.length;
+
+		ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
+	}
+
+	switch (length) {
+	case ROC_CPT_AES128_KEY_LEN:
+		ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;
+		break;
+	case ROC_CPT_AES192_KEY_LEN:
+		ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;
+		break;
+	case ROC_CPT_AES256_KEY_LEN:
+		ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	memcpy(cipher_key, key, length);
+
+	if (ipsec_xfrm->options.esn)
+		ctl->esn_en = 1;
+
+	ctl->spi = rte_cpu_to_be_32(ipsec_xfrm->spi);
+	return 0;
+}
+
+int
+cnxk_onf_ipsec_inb_sa_fill(struct roc_onf_ipsec_inb_sa *sa,
+			   struct rte_security_ipsec_xform *ipsec_xfrm,
+			   struct rte_crypto_sym_xform *crypto_xfrm)
+{
+	struct roc_ie_onf_sa_ctl *ctl = &sa->ctl;
+	int rc;
+
+	rc = onf_ipsec_sa_common_param_fill(ctl, sa->nonce, sa->cipher_key,
+					    sa->hmac_key, ipsec_xfrm,
+					    crypto_xfrm);
+	if (rc)
+		return rc;
+
+	rte_wmb();
+
+	/* Enable SA */
+	ctl->valid = 1;
+	return 0;
+}
+
+int
+cnxk_onf_ipsec_outb_sa_fill(struct roc_onf_ipsec_outb_sa *sa,
+			    struct rte_security_ipsec_xform *ipsec_xfrm,
+			    struct rte_crypto_sym_xform *crypto_xfrm)
+{
+	struct rte_security_ipsec_tunnel_param *tunnel = &ipsec_xfrm->tunnel;
+	struct roc_ie_onf_sa_ctl *ctl = &sa->ctl;
+	int rc;
+
+	/* Fill common params */
+	rc = onf_ipsec_sa_common_param_fill(ctl, sa->nonce, sa->cipher_key,
+					    sa->hmac_key, ipsec_xfrm,
+					    crypto_xfrm);
+	if (rc)
+		return rc;
+
+	if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+		goto skip_tunnel_info;
+
+	/* Tunnel header info */
+	switch (tunnel->type) {
+	case RTE_SECURITY_IPSEC_TUNNEL_IPV4:
+		memcpy(&sa->ip_src, &tunnel->ipv4.src_ip,
+		       sizeof(struct in_addr));
+		memcpy(&sa->ip_dst, &tunnel->ipv4.dst_ip,
+		       sizeof(struct in_addr));
+		break;
+	case RTE_SECURITY_IPSEC_TUNNEL_IPV6:
+		return -ENOTSUP;
+	default:
+		return -EINVAL;
+	}
+
+skip_tunnel_info:
+	rte_wmb();
+
+	/* Enable SA */
+	ctl->valid = 1;
+	return 0;
+}
+
+bool
+cnxk_onf_ipsec_inb_sa_valid(struct roc_onf_ipsec_inb_sa *sa)
+{
+	return !!sa->ctl.valid;
+}
+
+bool
+cnxk_onf_ipsec_outb_sa_valid(struct roc_onf_ipsec_outb_sa *sa)
+{
+	return !!sa->ctl.valid;
+}
+
 uint8_t
 cnxk_ipsec_ivlen_get(enum rte_crypto_cipher_algorithm c_algo,
 		     enum rte_crypto_auth_algorithm a_algo,