X-Git-Url: http://git.droids-corp.org/?a=blobdiff_plain;f=doc%2Fguides%2Fcryptodevs%2Fmlx5.rst;h=68bfdf3a83d5404f40c79bf519c87f8bbc01e2d0;hb=f16662885472d33570b564e62427199d733be363;hp=ac89a4029e0e40daae2622350326de15d3af8f1e;hpb=a7c86884f150eaa20aa990028274e602d60884f4;p=dpdk.git diff --git a/doc/guides/cryptodevs/mlx5.rst b/doc/guides/cryptodevs/mlx5.rst index ac89a4029e..68bfdf3a83 100644 --- a/doc/guides/cryptodevs/mlx5.rst +++ b/doc/guides/cryptodevs/mlx5.rst @@ -28,6 +28,12 @@ when the MKEY is configured to perform crypto operations. The encryption does not require text to be aligned to the AES block size (128b). +For security reasons and to increase robustness, this driver only deals with virtual +memory addresses. The way resources allocations are handled by the kernel, +combined with hardware specifications that allow handling virtual memory +addresses directly, ensure that DPDK applications cannot access random +physical memory (or memory that does not belong to the current process). + The PMD uses ``libibverbs`` and ``libmlx5`` to access the device firmware or to access the hardware components directly. There are different levels of objects and bypassing abilities. @@ -40,6 +46,64 @@ To get the best performances: Enabling ``librte_crypto_mlx5`` causes DPDK applications to be linked against libibverbs. +In order to move the device to crypto operational mode, credential and KEK +(Key Encrypting Key) should be set as the first step. +The credential will be used by the software in order to perform crypto login, and the KEK is +the AES Key Wrap Algorithm (rfc3394) key that will be used for sensitive data +wrapping. +The credential and the AES-XTS keys should be provided to the hardware, as ciphertext +encrypted by the KEK. + +A keytag (64 bits) should be appended to the AES-XTS keys (before wrapping), +and will be validated when the hardware attempts to access it. + +When crypto engines are defined to work in wrapped import method, they come out +of the factory in Commissioning mode, and thus, cannot be used for crypto operations +yet. A dedicated tool is used for changing the mode from Commissioning to +Operational, while setting the first import_KEK and credential in plaintext. +The mlxreg dedicated tool should be used as follows: + +- Set CRYPTO_OPERATIONAL register to set the device in crypto operational mode. + + The input to this tool is: + + - The first credential in plaintext, 40B. + - The first import_KEK in plaintext: kek size 0 for 16B or 1 for 32B, kek data. + + Example:: + + mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL --get + + The "wrapped_crypto_operational" value will be "0x00000000". + The command to set the register should be executed only once, and all the + values mentioned above should be specified in the same command. + + Example:: + + mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL \ + --set "credential[0]=0x10000000, credential[1]=0x10000000, kek[0]=0x00000000" + + All values not specified will remain 0. + "wrapped_crypto_going_to_commissioning" and "wrapped_crypto_operational" + should not be specified. + + All the device ports should set it in order to move to operational mode. + +- Query CRYPTO_OPERATIONAL register to make sure the device is in Operational + mode. + + Example:: + + mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL --get + + The "wrapped_crypto_operational" value will be "0x00000001" if the mode was + successfully changed to operational mode. + + The mlx5 crypto PMD can be verified by running the test application:: + + dpdk-test -c 1 -n 1 -w ,class=crypto,wcs_file= + RTE>>cryptodev_mlx5_autotest + Driver options -------------- @@ -49,12 +113,45 @@ Driver options Select the class of the driver that should probe the device. `crypto` for the mlx5 crypto driver. +- ``wcs_file`` parameter [string] - mandatory + + File path including only the wrapped credential in string format of hexadecimal + numbers, represent 48 bytes (8 bytes IV added by the AES key wrap algorithm). + +- ``import_kek_id`` parameter [int] + + The identifier of the KEK, default value is 0 represents the operational + register import_kek.. + +- ``credential_id`` parameter [int] + + The identifier of the credential, default value is 0 represents the operational + register credential. + +- ``keytag`` parameter [int] + + The plaintext of the keytag appended to the AES-XTS keys, default value is 0. + +- ``max_segs_num`` parameter [int] + + Maximum number of mbuf chain segments(src or dest), default value is 8. + Supported NICs -------------- * Mellanox\ |reg| ConnectX\ |reg|-6 200G MCX654106A-HCAT (2x200G) + +Limitations +----------- + +- AES-XTS keys provided in xform must include keytag and should be wrapped. +- The supported data-unit lengths are 512B and 1KB. In case the `dataunit_len` + is not provided in the cipher xform, the OP length is limited to the above + values and 1MB. + + Prerequisites -------------