X-Git-Url: http://git.droids-corp.org/?a=blobdiff_plain;f=drivers%2Fcommon%2Fcnxk%2Fcnxk_security.c;h=72ee5ee91f8812681425f0ded52a9960e0b6ada8;hb=28b283fa7f7519425c2d26ff9f774c5e5afdf429;hp=0039a9d6ab881121b709172de7b7cc5936977442;hpb=9d422a38be596d571270efc7e2d7b25a877e8beb;p=dpdk.git diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index 0039a9d6ab..72ee5ee91f 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -32,6 +32,18 @@ ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform, roc_hash_sha1_gen(opad, (uint32_t *)&hmac_opad_ipad[0]); roc_hash_sha1_gen(ipad, (uint32_t *)&hmac_opad_ipad[24]); break; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + roc_hash_sha256_gen(opad, (uint32_t *)&hmac_opad_ipad[0]); + roc_hash_sha256_gen(ipad, (uint32_t *)&hmac_opad_ipad[64]); + break; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + roc_hash_sha512_gen(opad, (uint64_t *)&hmac_opad_ipad[0], 384); + roc_hash_sha512_gen(ipad, (uint64_t *)&hmac_opad_ipad[64], 384); + break; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + roc_hash_sha512_gen(opad, (uint64_t *)&hmac_opad_ipad[0], 512); + roc_hash_sha512_gen(ipad, (uint64_t *)&hmac_opad_ipad[64], 512); + break; default: break; } @@ -45,25 +57,23 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, struct rte_crypto_sym_xform *crypto_xfrm) { struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm; - const uint8_t *key; + const uint8_t *key = NULL; uint32_t *tmp_salt; uint64_t *tmp_key; - int length, i; + int i, length = 0; /* Set direction */ - switch (ipsec_xfrm->direction) { - case RTE_SECURITY_IPSEC_SA_DIR_INGRESS: + if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) + w2->s.dir = ROC_IE_SA_DIR_OUTBOUND; + else w2->s.dir = ROC_IE_SA_DIR_INBOUND; + + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AUTH) { auth_xfrm = crypto_xfrm; cipher_xfrm = crypto_xfrm->next; - break; - case RTE_SECURITY_IPSEC_SA_DIR_EGRESS: - w2->s.dir = ROC_IE_SA_DIR_OUTBOUND; + } else { cipher_xfrm = crypto_xfrm; auth_xfrm = crypto_xfrm->next; - break; - default: - return -EINVAL; } /* Set protocol - ESP vs AH */ @@ -107,32 +117,72 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, return -ENOTSUP; } } else { - switch (cipher_xfrm->cipher.algo) { - case RTE_CRYPTO_CIPHER_AES_CBC: - w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC; - break; - default: - return -ENOTSUP; + if (cipher_xfrm != NULL) { + switch (cipher_xfrm->cipher.algo) { + case RTE_CRYPTO_CIPHER_NULL: + w2->s.enc_type = ROC_IE_OT_SA_ENC_NULL; + break; + case RTE_CRYPTO_CIPHER_AES_CBC: + w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC; + break; + case RTE_CRYPTO_CIPHER_AES_CTR: + w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CTR; + break; + case RTE_CRYPTO_CIPHER_3DES_CBC: + w2->s.enc_type = ROC_IE_OT_SA_ENC_3DES_CBC; + break; + default: + return -ENOTSUP; + } + + key = cipher_xfrm->cipher.key.data; + length = cipher_xfrm->cipher.key.length; } switch (auth_xfrm->auth.algo) { + case RTE_CRYPTO_AUTH_NULL: + w2->s.auth_type = ROC_IE_OT_SA_AUTH_NULL; + break; case RTE_CRYPTO_AUTH_SHA1_HMAC: w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA1; break; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_256; + break; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_384; + break; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_512; + break; + case RTE_CRYPTO_AUTH_AES_XCBC_MAC: + w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_XCBC_128; + break; + case RTE_CRYPTO_AUTH_AES_GMAC: + w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_GMAC; + key = auth_xfrm->auth.key.data; + length = auth_xfrm->auth.key.length; + memcpy(salt_key, &ipsec_xfrm->salt, 4); + tmp_salt = (uint32_t *)salt_key; + *tmp_salt = rte_be_to_cpu_32(*tmp_salt); + break; default: return -ENOTSUP; } - key = cipher_xfrm->cipher.key.data; - length = cipher_xfrm->cipher.key.length; - - ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad); + if (auth_xfrm->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC) { + const uint8_t *auth_key = auth_xfrm->auth.key.data; + roc_aes_xcbc_key_derive(auth_key, hmac_opad_ipad); + } else { + ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad); + } tmp_key = (uint64_t *)hmac_opad_ipad; for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t)); i++) tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]); + } /* Set encapsulation type */ @@ -141,24 +191,34 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, w2->s.spi = ipsec_xfrm->spi; - /* Copy encryption key */ - memcpy(cipher_key, key, length); - tmp_key = (uint64_t *)cipher_key; - for (i = 0; i < (int)(ROC_CTX_MAX_CKEY_LEN / sizeof(uint64_t)); i++) - tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]); + if (key != NULL && length != 0) { + /* Copy encryption key */ + memcpy(cipher_key, key, length); + tmp_key = (uint64_t *)cipher_key; + for (i = 0; i < (int)(ROC_CTX_MAX_CKEY_LEN / sizeof(uint64_t)); i++) + tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]); + } - switch (length) { - case ROC_CPT_AES128_KEY_LEN: - w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_128; - break; - case ROC_CPT_AES192_KEY_LEN: - w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_192; - break; - case ROC_CPT_AES256_KEY_LEN: - w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_256; - break; - default: - return -EINVAL; + /* Set AES key length */ + if (w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CBC || + w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM || + w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CTR || + w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM || + w2->s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC) { + switch (length) { + case ROC_CPT_AES128_KEY_LEN: + w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_128; + break; + case ROC_CPT_AES192_KEY_LEN: + w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_192; + break; + case ROC_CPT_AES256_KEY_LEN: + w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_256; + break; + default: + plt_err("Invalid AES key length"); + return -EINVAL; + } } if (ipsec_xfrm->life.packets_soft_limit != 0 || @@ -258,13 +318,17 @@ ot_ipsec_inb_tunnel_hdr_fill(struct roc_ot_ipsec_inb_sa *sa, int cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, struct rte_security_ipsec_xform *ipsec_xfrm, - struct rte_crypto_sym_xform *crypto_xfrm) + struct rte_crypto_sym_xform *crypto_xfrm, + bool is_inline) { union roc_ot_ipsec_sa_word2 w2; uint32_t replay_win_sz; size_t offset; int rc; + /* Initialize the SA */ + roc_ot_ipsec_inb_sa_init(sa, is_inline); + w2.u64 = 0; rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->w8.s.salt, sa->hmac_opad_ipad, ipsec_xfrm, @@ -293,8 +357,11 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, * second pass meta and no defrag. */ sa->w0.s.pkt_format = ROC_IE_OT_SA_PKT_FMT_META; - sa->w0.s.pkt_output = ROC_IE_OT_SA_PKT_OUTPUT_HW_BASED_DEFRAG; - sa->w0.s.pkind = ROC_OT_CPT_META_PKIND; + sa->w0.s.pkt_output = ROC_IE_OT_SA_PKT_OUTPUT_NO_FRAG; + sa->w0.s.pkind = ROC_IE_OT_CPT_PKIND; + + if (ipsec_xfrm->options.ip_reassembly_en) + sa->w0.s.pkt_output = ROC_IE_OT_SA_PKT_OUTPUT_HW_BASED_DEFRAG; /* ESN */ sa->w2.s.esn_en = !!ipsec_xfrm->options.esn; @@ -303,6 +370,9 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, sa->w10.s.udp_dst_port = 4500; } + if (ipsec_xfrm->options.udp_ports_verify) + sa->w2.s.udp_ports_verify = 1; + offset = offsetof(struct roc_ot_ipsec_inb_sa, ctx); /* Word offset for HW managed SA field */ sa->w0.s.hw_ctx_off = offset / 8; @@ -341,11 +411,6 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, sa->w0.s.hard_life_dec = 1; } - /* There are two words of CPT_CTX_HW_S for ucode to skip */ - sa->w0.s.ctx_hdr_size = 1; - sa->w0.s.aop_valid = 1; - sa->w0.s.et_ovrwr = 1; - rte_wmb(); /* Enable SA */ @@ -363,6 +428,9 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa, size_t offset; int rc; + /* Initialize the SA */ + roc_ot_ipsec_outb_sa_init(sa); + w2.u64 = 0; rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->iv.s.salt, sa->hmac_opad_ipad, ipsec_xfrm, @@ -439,14 +507,13 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa, return -EINVAL; } - /* Default options of DSCP and Flow label/DF */ - sa->w2.s.dscp_src = ROC_IE_OT_SA_COPY_FROM_SA; - sa->w2.s.ipv4_df_src_or_ipv6_flw_lbl_src = ROC_IE_OT_SA_COPY_FROM_SA; - skip_tunnel_info: /* ESN */ sa->w0.s.esn_en = !!ipsec_xfrm->options.esn; + if (ipsec_xfrm->esn.value) + sa->ctx.esn_val = ipsec_xfrm->esn.value - 1; + if (ipsec_xfrm->options.udp_encap) { sa->w10.s.udp_src_port = 4500; sa->w10.s.udp_dst_port = 4500; @@ -455,8 +522,10 @@ skip_tunnel_info: offset = offsetof(struct roc_ot_ipsec_outb_sa, ctx); /* Word offset for HW managed SA field */ sa->w0.s.hw_ctx_off = offset / 8; - /* Context push size is up to hmac_opad_ipad */ - sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off; + + /* Context push size is up to err ctl in HW ctx */ + sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off + 1; + /* Entire context size in 128B units */ offset = sizeof(struct roc_ot_ipsec_outb_sa); sa->w0.s.ctx_size = (PLT_ALIGN_CEIL(offset, ROC_CTX_UNIT_128B) / @@ -607,6 +676,9 @@ onf_ipsec_sa_common_param_fill(struct roc_ie_onf_sa_ctl *ctl, uint8_t *salt, case RTE_CRYPTO_CIPHER_AES_CBC: ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC; break; + case RTE_CRYPTO_CIPHER_AES_CTR: + ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CTR; + break; default: return -ENOTSUP; } @@ -705,6 +777,12 @@ cnxk_onf_ipsec_outb_sa_fill(struct roc_onf_ipsec_outb_sa *sa, return -EINVAL; } + /* Update udp encap ports */ + if (ipsec_xfrm->options.udp_encap == 1) { + sa->udp_src = 4500; + sa->udp_dst = 4500; + } + skip_tunnel_info: rte_wmb(); @@ -786,6 +864,9 @@ cnxk_ipsec_icvlen_get(enum rte_crypto_cipher_algorithm c_algo, case RTE_CRYPTO_AUTH_SHA512_HMAC: icv = 32; break; + case RTE_CRYPTO_AUTH_AES_XCBC_MAC: + icv = 12; + break; default: break; }