crypto/octeontx2: support AES-CBC SHA256-128-HMAC
authorAnkur Dwivedi <adwivedi@marvell.com>
Sat, 19 Dec 2020 06:54:56 +0000 (12:24 +0530)
committerAkhil Goyal <akhil.goyal@nxp.com>
Tue, 19 Jan 2021 17:05:17 +0000 (18:05 +0100)
Support for aes-cbc sha256-128-hmac is added in lookaside protocol
mode. The functionality is verified using the ipsec-secgw application.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
doc/guides/cryptodevs/octeontx2.rst
doc/guides/rel_notes/release_21_02.rst
drivers/crypto/octeontx2/otx2_cryptodev_sec.c
drivers/crypto/octeontx2/otx2_ipsec_po.h
drivers/crypto/octeontx2/otx2_security.h

index 7ac798d..a648a33 100644 (file)
@@ -183,3 +183,4 @@ Features supported
 * Anti-replay
 * AES-128/192/256-GCM
 * AES-128/192/256-CBC-SHA1-HMAC
+* AES-128/192/256-CBC-SHA256-128-HMAC
index 57c7ddc..01fa26a 100644 (file)
@@ -83,6 +83,8 @@ New Features
   * Updated the OCTEON TX2 crypto PMD with CN98xx support.
   * Added support for aes-cbc sha1-hmac cipher combination in OCTEON TX2 crypto
     PMD lookaside protocol offload for IPsec.
+  * Added support for aes-cbc sha256-128-hmac cipher combination in OCTEON TX2
+    crypto PMD lookaside protocol offload for IPsec.
 
 
 Removed Items
index 3cdb5bd..89ed7cb 100644 (file)
@@ -74,6 +74,8 @@ ipsec_lp_len_precalc(struct rte_security_ipsec_xform *ipsec,
 
        if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
                lp->partial_len += OTX2_SEC_SHA1_HMAC_LEN;
+       else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
+               lp->partial_len += OTX2_SEC_SHA2_HMAC_LEN;
        else
                return -EINVAL;
 
@@ -268,6 +270,18 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
                                                sa->sha1.template.ip4);
                                ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
                                lp->ctx_len = ctx_len >> 3;
+                       } else if (ctl->auth_type ==
+                                       OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
+                               if (ipsec->options.udp_encap) {
+                                       sa->sha2.template.ip4.udp_src = 4500;
+                                       sa->sha2.template.ip4.udp_dst = 4500;
+                               }
+                               ip = &sa->sha2.template.ip4.ipv4_hdr;
+                               ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+                                               sha2.template) + sizeof(
+                                               sa->sha2.template.ip4);
+                               ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+                               lp->ctx_len = ctx_len >> 3;
                        }
                        ip->version_ihl = RTE_IPV4_VHL_DEF;
                        ip->next_proto_id = IPPROTO_ESP;
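Review bot: The SHA2_256 branch at lines 46–57 is a line-for-line copy of the SHA1 branch above it with `sha1` replaced by `sha2`, and the IPv6 hunk below (lines 65–76) repeats the same pair; only the union member and the `offsetof(..., sha2.template)` anchor differ. Selecting the template pointer, its size and the `offsetof` base once from `ctl->auth_type` into three locals and then running the udp_encap/ctx_len code a single time would remove the duplication and keep the two auth paths from drifting apart. The literal `4500` now appears four times in this function; naming it once as the NAT-T UDP port would make the intent explicit and give the next variant one place to change. `crypto_sec_ipsec_outb_session_create` starts and ends outside this hunk.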
@@ -305,6 +319,18 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
                                                sa->sha1.template.ip6);
                                ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
                                lp->ctx_len = ctx_len >> 3;
+                       } else if (ctl->auth_type ==
+                                       OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
+                               if (ipsec->options.udp_encap) {
+                                       sa->sha2.template.ip6.udp_src = 4500;
+                                       sa->sha2.template.ip6.udp_dst = 4500;
+                               }
+                               ip6 = &sa->sha2.template.ip6.ipv6_hdr;
+                               ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+                                               sha2.template) + sizeof(
+                                               sa->sha2.template.ip6);
+                               ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+                               lp->ctx_len = ctx_len >> 3;
                        }
 
                        ip6->vtc_flow = rte_cpu_to_be_32(0x60000000 |
@@ -348,6 +374,8 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 
                if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
                        memcpy(sa->sha1.hmac_key, auth_key, auth_key_len);
+               else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
+                       memcpy(sa->sha2.hmac_key, auth_key, auth_key_len);
        }
 
        if (cipher_key_len != 0)
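Review bot: The `memcpy` into `sa->sha2.hmac_key` at line 85 is bounded only by the `keylen <= 64` check in `ipsec_po_xform_auth_verify` elsewhere in this commit, and nothing at the copy site records that dependency; a reader checking the 64-byte `hmac_key` against an arbitrary `auth_key_len` has to go find it. A one-line comment above the chain, `/* auth_key_len already bounded to sizeof(hmac_key) by ipsec_po_xform_auth_verify() */`, would make the invariant visible where it is relied upon. Unlike `ipsec_lp_len_precalc`, this if/else chain also has no terminal `else`, so an algorithm that slipped past verification would leave the SA without a key rather than failing; whether a `return -EINVAL` is safe here depends on what the enclosing function has allocated by this point, which is outside the hunk.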
@@ -427,11 +455,16 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
                auth_key = auth_xform->auth.key.data;
                auth_key_len = auth_xform->auth.key.length;
 
-               if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+               if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
                        memcpy(sa->aes_gcm.hmac_key, auth_key, auth_key_len);
-
-               lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa,
-                                           aes_gcm.selector) >> 3;
+                       lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa,
+                                                   aes_gcm.selector) >> 3;
+               } else if (auth_xform->auth.algo ==
+                               RTE_CRYPTO_AUTH_SHA256_HMAC) {
+                       memcpy(sa->sha2.hmac_key, auth_key, auth_key_len);
+                       lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa,
+                                                   sha2.selector) >> 3;
+               }
        }
 
        if (cipher_key_len != 0)
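Review bot: The SHA1 branch at line 95 still copies `auth_key_len` bytes into `sa->aes_gcm.hmac_key`, which `otx2_ipsec_po.h` in this same commit declares as `uint8_t hmac_key[48]`, while `ipsec_po_xform_auth_verify` accepts SHA1 keys of 20–64 bytes; a 49–64 byte key would write past the array into the adjacent `selector`. Now that the union gains a `sha2` member with a 64-byte key field, either the SHA1 upper bound should drop to 48 or SHA1 should get its own correctly sized member instead of reusing `aes_gcm`. This is pre-existing, but the hunk re-indents exactly these lines, so it is a natural moment to fix it. `crypto_sec_ipsec_inb_session_create` starts and ends outside this hunk.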
index 2141b6c..8a672a3 100644 (file)
@@ -152,11 +152,18 @@ struct otx2_ipsec_po_in_sa {
        /* w8 */
        uint8_t udp_encap[8];
 
-       /* w9-w23 */
-       struct {
-               uint8_t hmac_key[48];
-               struct otx2_ipsec_po_traffic_selector selector;
-       } aes_gcm;
+       /* w9-w33 */
+       union {
+               struct {
+                       uint8_t hmac_key[48];
+                       struct otx2_ipsec_po_traffic_selector selector;
+               } aes_gcm;
+               struct {
+                       uint8_t hmac_key[64];
+                       uint8_t hmac_iv[64];
+                       struct otx2_ipsec_po_traffic_selector selector;
+               } sha2;
+       };
        union {
                struct otx2_ipsec_replay *replay;
                uint64_t replay64;
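Review bot: The new `sha2.hmac_iv[64]` at line 128, and its twin in `otx2_ipsec_po_out_sa` in the next hunk, is declared but no hunk in this commit writes it; both session-create paths fill only `sha2.hmac_key`. If the firmware derives the HMAC inner/outer state from the key itself that is fine, but then the field deserves a comment saying so, e.g. `uint8_t hmac_iv[64]; /* filled in by firmware from hmac_key; not written by the PMD */`; if it is not, the SA carries whatever the allocation held. The word-range comment also moved from `/* w9-w23 */` to `/* w9-w33 */`; noting that the `sha2` member now sets the union size would let a reader check the range against the layout.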
@@ -205,6 +212,11 @@ struct otx2_ipsec_po_out_sa {
                        uint8_t unused[24];
                        struct otx2_ipsec_po_ip_template template;
                } sha1;
+               struct {
+                       uint8_t hmac_key[64];
+                       uint8_t hmac_iv[64];
+                       struct otx2_ipsec_po_ip_template template;
+               } sha2;
        };
 };
 
@@ -234,6 +246,9 @@ ipsec_po_xform_auth_verify(struct rte_crypto_sym_xform *xform)
        if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
                if (keylen >= 20 && keylen <= 64)
                        return 0;
+       } else if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) {
+               if (keylen >= 32 && keylen <= 64)
+                       return 0;
        }
 
        return -ENOTSUP;
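Review bot: The new SHA256 branch at lines 151–153 validates only the key length; `xform->auth.digest_length` is never compared with the 16-byte ICV that `ipsec_lp_len_precalc` budgets via `OTX2_SEC_SHA2_HMAC_LEN`. An application requesting the full 32-byte digest would get a session created and, presumably, a 16-byte ICV on the wire, with the mismatch surfacing only as authentication failures at the peer. Rejecting it up front with `if (xform->auth.digest_length != 16) return -ENOTSUP;` (using the macro instead of the literal if `otx2_security.h` is visible here) closes the gap; the SHA1 branch has the same omission with its 12-byte ICV. `ipsec_po_xform_auth_verify` starts outside this hunk.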
index 33d3b15..9f1ba71 100644 (file)
@@ -15,6 +15,7 @@
 #define OTX2_SEC_AES_GCM_MAC_LEN               16
 #define OTX2_SEC_AES_CBC_IV_LEN                        16
 #define OTX2_SEC_SHA1_HMAC_LEN                 12
+#define OTX2_SEC_SHA2_HMAC_LEN                 16
 
 #define OTX2_SEC_AES_GCM_ROUNDUP_BYTE_LEN      4
 #define OTX2_SEC_AES_CBC_ROUNDUP_BYTE_LEN      16
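Review bot: `OTX2_SEC_SHA2_HMAC_LEN` at line 162 is 16 because the supported combination is SHA256-128, i.e. the ICV truncated to 128 bits per RFC 4868, but the name says neither SHA-256 nor truncation, and the SHA-384/512 HMACs in the same family truncate to 24 and 32 bytes. Either rename it along the lines of `OTX2_SEC_SHA2_256_HMAC_LEN` or add `/* SHA256-128-HMAC: ICV truncated to 128 bits (RFC 4868) */` above the define so a later SHA-2 variant does not silently reuse it.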