Add support for AES XCBC and NULL cipher.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Cipher algorithms
+++++++++++++++++
+* NULL
* AES-128/192/256-CBC
* AES-128/192/256-CTR
* SHA256-128-HMAC
* SHA384-192-HMAC
* SHA512-256-HMAC
+* AES-XCBC-96
CN10XX Features supported
~~~~~~~~~~~~~~~~~~~~~~~~~
Cipher algorithms
+++++++++++++++++
+* NULL
* AES-128/192/256-CBC
* AES-128/192/256-CTR
* SHA256-128-HMAC
* SHA384-192-HMAC
* SHA512-256-HMAC
+* AES-XCBC-96
* Added SHA384-HMAC support in lookaside protocol (IPsec) for CN9K & CN10K.
* Added SHA512-HMAC support in lookaside protocol (IPsec) for CN9K & CN10K.
* Added AES-CTR support in lookaside protocol (IPsec) for CN9K & CN10K.
+ * Added NULL cipher support in lookaside protocol (IPsec) for CN9K & CN10K.
+ * Added AES-XCBC support in lookaside protocol (IPsec) for CN9K & CN10K.
* **Added an API to retrieve event port id of ethdev Rx adapter.**
}
} else {
switch (cipher_xfrm->cipher.algo) {
+ case RTE_CRYPTO_CIPHER_NULL:
+ w2->s.enc_type = ROC_IE_OT_SA_ENC_NULL;
+ break;
case RTE_CRYPTO_CIPHER_AES_CBC:
w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC;
break;
case RTE_CRYPTO_AUTH_SHA512_HMAC:
w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_512;
break;
+ case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+ w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_XCBC_128;
+ break;
default:
return -ENOTSUP;
}
- ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
+ if (auth_xfrm->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC) {
+ const uint8_t *auth_key = auth_xfrm->auth.key.data;
+ roc_aes_xcbc_key_derive(auth_key, hmac_opad_ipad);
+ } else {
+ ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
+ }
tmp_key = (uint64_t *)hmac_opad_ipad;
for (i = 0;
for (i = 0; i < (int)(ROC_CTX_MAX_CKEY_LEN / sizeof(uint64_t)); i++)
tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
- switch (length) {
- case ROC_CPT_AES128_KEY_LEN:
- w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;
- break;
- case ROC_CPT_AES192_KEY_LEN:
- w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;
- break;
- case ROC_CPT_AES256_KEY_LEN:
- w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;
- break;
- default:
- return -EINVAL;
+ /* Set AES key length */
+ if (w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CBC ||
+ w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM ||
+ w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CTR ||
+ w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM ||
+ w2->s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC) {
+ switch (length) {
+ case ROC_CPT_AES128_KEY_LEN:
+ w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;
+ break;
+ case ROC_CPT_AES192_KEY_LEN:
+ w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;
+ break;
+ case ROC_CPT_AES256_KEY_LEN:
+ w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;
+ break;
+ default:
+ plt_err("Invalid AES key length");
+ return -EINVAL;
+ }
}
if (ipsec_xfrm->life.packets_soft_limit != 0 ||
case RTE_CRYPTO_AUTH_SHA512_HMAC:
icv = 32;
break;
+ case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+ icv = 12;
+ break;
default:
break;
}
uint8_t unused[24];
struct roc_ie_on_ip_template template;
} sha1;
+ struct {
+ uint8_t key[16];
+ uint8_t unused[32];
+ struct roc_ie_on_ip_template template;
+ } aes_xcbc;
struct {
uint8_t hmac_key[64];
uint8_t hmac_iv[64];
uint8_t hmac_key[48];
struct roc_ie_on_traffic_selector selector;
} sha1_or_gcm;
+ struct {
+ uint8_t key[16];
+ uint8_t unused[32];
+ struct roc_ie_on_traffic_selector selector;
+ } aes_xcbc;
struct {
uint8_t hmac_key[64];
uint8_t hmac_iv[64];
struct roc_ie_on_sa_ctl *ctl)
{
struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
- int aes_key_len;
+ int aes_key_len = 0;
if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
ctl->direction = ROC_IE_SA_DIR_OUTBOUND;
return -EINVAL;
if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
- if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+ switch (crypto_xform->aead.algo) {
+ case RTE_CRYPTO_AEAD_AES_GCM:
ctl->enc_type = ROC_IE_ON_SA_ENC_AES_GCM;
aes_key_len = crypto_xform->aead.key.length;
- } else {
+ break;
+ default:
+ plt_err("Unsupported AEAD algorithm");
return -ENOTSUP;
}
- } else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
- ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC;
- aes_key_len = cipher_xform->cipher.key.length;
- } else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CTR) {
- ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CTR;
- aes_key_len = cipher_xform->cipher.key.length;
} else {
- return -ENOTSUP;
- }
-
- switch (aes_key_len) {
- case 16:
- ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;
- break;
- case 24:
- ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;
- break;
- case 32:
- ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;
- break;
- default:
- return -EINVAL;
- }
+ switch (cipher_xform->cipher.algo) {
+ case RTE_CRYPTO_CIPHER_NULL:
+ ctl->enc_type = ROC_IE_ON_SA_ENC_NULL;
+ break;
+ case RTE_CRYPTO_CIPHER_AES_CBC:
+ ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC;
+ aes_key_len = cipher_xform->cipher.key.length;
+ break;
+ case RTE_CRYPTO_CIPHER_AES_CTR:
+ ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CTR;
+ aes_key_len = cipher_xform->cipher.key.length;
+ break;
+ default:
+ plt_err("Unsupported cipher algorithm");
+ return -ENOTSUP;
+ }
- if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
switch (auth_xform->auth.algo) {
case RTE_CRYPTO_AUTH_NULL:
ctl->auth_type = ROC_IE_ON_SA_AUTH_NULL;
ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_XCBC_128;
break;
default:
+ plt_err("Unsupported auth algorithm");
return -ENOTSUP;
}
}
+ /* Set AES key length */
+ if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CBC ||
+ ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CCM ||
+ ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CTR ||
+ ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM ||
+ ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) {
+ switch (aes_key_len) {
+ case 16:
+ ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;
+ break;
+ case 24:
+ ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;
+ break;
+ case 32:
+ ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;
+ break;
+ default:
+ plt_err("Invalid AES key length");
+ return -EINVAL;
+ }
+ }
+
if (ipsec->options.esn)
ctl->esn_en = 1;
if (cipher_key_len != 0)
memcpy(common_sa->cipher_key, cipher_key, cipher_key_len);
- else
- return -EINVAL;
return 0;
}
ctx_len = offsetof(struct roc_ie_on_outb_sa,
sha2.template);
break;
+ case ROC_IE_ON_SA_AUTH_AES_XCBC_128:
+ template = &out_sa->aes_xcbc.template;
+ ctx_len = offsetof(struct roc_ie_on_outb_sa,
+ aes_xcbc.template);
+ break;
default:
+ plt_err("Unsupported auth algorithm");
return -EINVAL;
}
}
case RTE_CRYPTO_AUTH_SHA512_HMAC:
memcpy(out_sa->sha2.hmac_key, auth_key, auth_key_len);
break;
+ case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+ memcpy(out_sa->aes_xcbc.key, auth_key, auth_key_len);
+ break;
default:
plt_err("Unsupported auth algorithm %u",
auth_xform->auth.algo);
ctx_len = offsetof(struct roc_ie_on_inb_sa,
sha2.selector);
break;
+ case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+ memcpy(in_sa->aes_xcbc.key, auth_key, auth_key_len);
+ ctx_len = offsetof(struct roc_ie_on_inb_sa,
+ aes_xcbc.selector);
+ break;
default:
plt_err("Unsupported auth algorithm %u",
auth_xform->auth.algo);
plt_err("Transport mode AES-CBC SHA2 HMAC 512 is not supported");
return -ENOTSUP;
}
+
+ if ((cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) &&
+ (auth->algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC)) {
+ plt_err("Transport mode AES-CBC AES-XCBC is not supported");
+ return -ENOTSUP;
+ }
}
}
#include "roc_cpt.h"
#define CNXK_CPT_MAX_CAPS 34
-#define CNXK_SEC_CRYPTO_MAX_CAPS 9
+#define CNXK_SEC_CRYPTO_MAX_CAPS 11
#define CNXK_SEC_MAX_CAPS 5
#define CNXK_AE_EC_ID_MAX 8
/**
}, }
}, }
},
+ { /* AES-XCBC */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ { .sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_AES_XCBC_MAC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 16,
+ .increment = 0
+ },
+ .digest_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0,
+ },
+ }, }
+ }, }
+ },
};
static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = {
},
};
+static const struct rte_cryptodev_capabilities sec_caps_null[] = {
+ { /* NULL (CIPHER) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+ {.cipher = {
+ .algo = RTE_CRYPTO_CIPHER_NULL,
+ .block_size = 1,
+ .key_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ },
+ .iv_size = {
+ .min = 0,
+ .max = 0,
+ .increment = 0
+ }
+ }, },
+ }, }
+ },
+};
+
static const struct rte_security_capability sec_caps_templ[] = {
{ /* IPsec Lookaside Protocol ESP Tunnel Ingress */
.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
else
cn9k_sec_crypto_caps_update(cnxk_caps);
+ sec_caps_add(cnxk_caps, &cur_pos, sec_caps_null,
+ RTE_DIM(sec_caps_null));
sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end));
}
static inline int
ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *crypto_xform)
{
+ if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
+ return 0;
+
if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC ||
crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CTR) {
switch (crypto_xform->cipher.key.length) {
return 0;
}
+ if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC &&
+ keylen == ROC_CPT_AES_XCBC_KEY_LENGTH)
+ return 0;
+
return -ENOTSUP;
}
git.droids-corp.org / dpdk.git / commitdiff