Enabling ``librte_crypto_mlx5`` causes DPDK applications
to be linked against libibverbs.
+In order to move the device to crypto operational mode, credential and KEK
+(Key Encrypting Key) should be set as the first step.
+The credential will be used by the software in order to perform crypto login, and the KEK is
+the AES Key Wrap Algorithm (rfc3394) key that will be used for sensitive data
+wrapping.
+The credential and the AES-XTS keys should be provided to the hardware, as ciphertext
+encrypted by the KEK.
+
+When crypto engines are defined to work in wrapped import method, they come out
+of the factory in Commissioning mode, and thus, cannot be used for crypto operations
+yet. A dedicated tool is used for changing the mode from Commissioning to
+Operational, while setting the first import_KEK and credential in plaintext.
+The mlxreg dedicated tool should be used as follows:
+
+- Set CRYPTO_OPERATIONAL register to set the device in crypto operational mode.
+
+ The input to this tool is:
+
+ - The first credential in plaintext, 40B.
+ - The first import_KEK in plaintext: kek size 0 for 16B or 1 for 32B, kek data.
+
+ Example::
+
+ mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL --get
+
+ The "wrapped_crypto_operational" value will be "0x00000000".
+ The command to set the register should be executed only once, and all the
+ values mentioned above should be specified in the same command.
+
+ Example::
+
+ mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL \
+ --set "credential[0]=0x10000000, credential[1]=0x10000000, kek[0]=0x00000000"
+
+ All values not specified will remain 0.
+ "wrapped_crypto_going_to_commissioning" and "wrapped_crypto_operational"
+ should not be specified.
+
+ All the device ports should set it in order to move to operational mode.
+
+- Query CRYPTO_OPERATIONAL register to make sure the device is in Operational
+ mode.
+
+ Example::
+
+ mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL --get
+
+ The "wrapped_crypto_operational" value will be "0x00000001" if the mode was
+ successfully changed to operational mode.
+
Driver options
--------------
Select the class of the driver that should probe the device.
`crypto` for the mlx5 crypto driver.
+- ``wcs_file`` parameter [string] - mandatory
+
+ File path including only the wrapped credential in string format of hexadecimal
+ numbers, represent 48 bytes (8 bytes IV added by the AES key wrap algorithm).
+
+- ``import_kek_id`` parameter [int]
+
+ The identifier of the KEK, default value is 0 represents the operational
+ register import_kek..
+
+- ``credential_id`` parameter [int]
+
+ The identifier of the credential, default value is 0 represents the operational
+ register credential.
+
Supported NICs
--------------
return 0;
}
+
+static int
+mlx5_crypto_args_check_handler(const char *key, const char *val, void *opaque)
+{
+ struct mlx5_crypto_devarg_params *devarg_prms = opaque;
+ struct mlx5_devx_crypto_login_attr *attr = &devarg_prms->login_attr;
+ unsigned long tmp;
+ FILE *file;
+ int ret;
+ int i;
+
+ if (strcmp(key, "class") == 0)
+ return 0;
+ if (strcmp(key, "wcs_file") == 0) {
+ file = fopen(val, "rb");
+ if (file == NULL) {
+ rte_errno = ENOTSUP;
+ return -rte_errno;
+ }
+ for (i = 0 ; i < MLX5_CRYPTO_CREDENTIAL_SIZE ; i++) {
+ ret = fscanf(file, "%02hhX", &attr->credential[i]);
+ if (ret <= 0) {
+ fclose(file);
+ DRV_LOG(ERR,
+ "Failed to read credential from file.");
+ rte_errno = EINVAL;
+ return -rte_errno;
+ }
+ }
+ fclose(file);
+ devarg_prms->login_devarg = true;
+ return 0;
+ }
+ errno = 0;
+ tmp = strtoul(val, NULL, 0);
+ if (errno) {
+ DRV_LOG(WARNING, "%s: \"%s\" is an invalid integer.", key, val);
+ return -errno;
+ }
+ if (strcmp(key, "import_kek_id") == 0)
+ attr->session_import_kek_ptr = (uint32_t)tmp;
+ else if (strcmp(key, "credential_id") == 0)
+ attr->credential_pointer = (uint32_t)tmp;
+ else
+ DRV_LOG(WARNING, "Invalid key %s.", key);
+ return 0;
+}
+
+static struct mlx5_devx_obj *
+mlx5_crypto_config_login(struct rte_devargs *devargs,
+ struct ibv_context *ctx)
+{
+ /*
+ * Set credential pointer and session import KEK pointer to a default
+ * value of 0.
+ */
+ struct mlx5_crypto_devarg_params login = {
+ .login_devarg = false,
+ .login_attr = {
+ .credential_pointer = 0,
+ .session_import_kek_ptr = 0,
+ }
+ };
+ struct rte_kvargs *kvlist;
+
+ if (devargs == NULL) {
+ DRV_LOG(ERR,
+ "No login devargs in order to enable crypto operations in the device.");
+ rte_errno = EINVAL;
+ return NULL;
+ }
+ kvlist = rte_kvargs_parse(devargs->args, NULL);
+ if (kvlist == NULL) {
+ DRV_LOG(ERR, "Failed to parse devargs.");
+ rte_errno = EINVAL;
+ return NULL;
+ }
+ if (rte_kvargs_process(kvlist, NULL, mlx5_crypto_args_check_handler,
+ &login) != 0) {
+ DRV_LOG(ERR, "Devargs handler function Failed.");
+ rte_kvargs_free(kvlist);
+ rte_errno = EINVAL;
+ return NULL;
+ }
+ rte_kvargs_free(kvlist);
+ if (login.login_devarg == false) {
+ DRV_LOG(ERR,
+ "No login credential devarg in order to enable crypto operations "
+ "in the device.");
+ rte_errno = EINVAL;
+ return NULL;
+ }
+ return mlx5_devx_cmd_create_crypto_login_obj(ctx, &login.login_attr);
+}
+
/**
* Callback for memory event.
*
struct ibv_device *ibv;
struct rte_cryptodev *crypto_dev;
struct ibv_context *ctx;
+ struct mlx5_devx_obj *login;
struct mlx5_crypto_priv *priv;
struct mlx5_hca_attr attr = { 0 };
struct rte_cryptodev_pmd_init_params init_params = {
rte_errno = ENOTSUP;
return -ENOTSUP;
}
+ login = mlx5_crypto_config_login(pci_dev->device.devargs, ctx);
+ if (login == NULL) {
+ DRV_LOG(ERR, "Failed to configure login.");
+ return -rte_errno;
+ }
crypto_dev = rte_cryptodev_pmd_create(ibv->name, &pci_dev->device,
&init_params);
if (crypto_dev == NULL) {
crypto_dev->driver_id = mlx5_crypto_driver_id;
priv = crypto_dev->data->dev_private;
priv->ctx = ctx;
+ priv->login_obj = login;
priv->pci_dev = pci_dev;
priv->crypto_dev = crypto_dev;
if (mlx5_crypto_hw_global_prepare(priv) != 0) {
mlx5_mr_release_cache(&priv->mr_scache);
mlx5_crypto_hw_global_release(priv);
rte_cryptodev_pmd_destroy(priv->crypto_dev);
+ claim_zero(mlx5_devx_cmd_destroy(priv->login_obj));
claim_zero(mlx5_glue->close_device(priv->ctx));
}
return 0;
git.droids-corp.org / dpdk.git / commitdiff