git.droids-corp.org / dpdk.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b4409f2)
crypto/cnxk: support AES-GMAC
authorArchana Muniganti <marchana@marvell.com>
Mon, 25 Apr 2022 05:38:22 +0000 (11:08 +0530)
committerAkhil Goyal <gakhil@marvell.com>
Thu, 28 Apr 2022 09:46:09 +0000 (11:46 +0200)
Added lookaside IPsec AES-GMAC support in CNXK PMD.

Signed-off-by: Archana Muniganti <marchana@marvell.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
doc/guides/cryptodevs/cnxk.rst patch | blob | history
doc/guides/rel_notes/release_22_07.rst patch | blob | history
drivers/common/cnxk/cnxk_security.c patch | blob | history
drivers/crypto/cnxk/cn10k_ipsec.c patch | blob | history
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h patch | blob | history
drivers/crypto/cnxk/cn9k_ipsec.c patch | blob | history
drivers/crypto/cnxk/cnxk_cryptodev.h patch | blob | history
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c patch | blob | history
drivers/crypto/cnxk/cnxk_ipsec.h patch | blob | history

diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 19c4a8b..baf0e3c 100644 (file)
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -274,6 +274,7 @@ Auth algorithms
 * SHA384-192-HMAC
 * SHA512-256-HMAC
 * AES-XCBC-96
+* AES-GMAC
 
 CN10XX Features supported
 ~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -308,3 +309,4 @@ Auth algorithms
 * SHA384-192-HMAC
 * SHA512-256-HMAC
 * AES-XCBC-96
+* AES-GMAC
diff --git a/doc/guides/rel_notes/release_22_07.rst b/doc/guides/rel_notes/release_22_07.rst
index 2c9eb54..4ae91dd 100644 (file)
--- a/doc/guides/rel_notes/release_22_07.rst
+++ b/doc/guides/rel_notes/release_22_07.rst
@@ -68,6 +68,7 @@ New Features
 * **Updated Marvell cnxk crypto driver.**
 
   * Added AH mode support in lookaside protocol (IPsec) for CN9K & CN10K.
+  * Added AES-GMAC support in lookaside protocol (IPsec) for CN9K & CN10K.
 
 
 Removed Items
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index afefbd2..69a962d 100644 (file)
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -155,6 +155,14 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
                case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
                        w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_XCBC_128;
                        break;
+               case RTE_CRYPTO_AUTH_AES_GMAC:
+                       w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_GMAC;
+                       key = auth_xfrm->auth.key.data;
+                       length = auth_xfrm->auth.key.length;
+                       memcpy(salt_key, &ipsec_xfrm->salt, 4);
+                       tmp_salt = (uint32_t *)salt_key;
+                       *tmp_salt = rte_be_to_cpu_32(*tmp_salt);
+                       break;
                default:
                        return -ENOTSUP;
                }
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 0c9e244..3a2bf0f 100644 (file)
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -77,6 +77,9 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
                } else if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
                        sa->iv_offset = crypto_xfrm->cipher.iv.offset;
                        sa->iv_length = crypto_xfrm->cipher.iv.length;
+               } else {
+                       sa->iv_offset = crypto_xfrm->auth.iv.offset;
+                       sa->iv_length = crypto_xfrm->auth.iv.length;
                }
        }
 #else
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index f2d8122..66cfe6c 100644 (file)
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -65,7 +65,8 @@ process_outb_sa(struct roc_cpt_lf *lf, struct rte_crypto_op *cop,
 
 #ifdef LA_IPSEC_DEBUG
        if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) {
-               if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM)
+               if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM ||
+                   sess->out_sa.w2.s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC)
                        ipsec_po_sa_aes_gcm_iv_set(sess, cop);
                else
                        ipsec_po_sa_iv_set(sess, cop);
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index eaa3698..82b8dae 100644 (file)
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -211,6 +211,7 @@ ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
                        break;
                case RTE_CRYPTO_AUTH_AES_GMAC:
                        ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_GMAC;
+                       aes_key_len = auth_xform->auth.key.length;
                        break;
                case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
                        ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_XCBC_128;
@@ -265,7 +266,7 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
                     struct rte_crypto_sym_xform *crypto_xform,
                     struct roc_ie_on_common_sa *common_sa)
 {
-       struct rte_crypto_sym_xform *cipher_xform;
+       struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
        const uint8_t *cipher_key;
        int cipher_key_len = 0;
        int ret;
@@ -279,13 +280,13 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
                common_sa->esn_hi = ipsec->esn.hi;
        }
 
-       if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
-               return 0;
-
-       if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+       if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+               auth_xform = crypto_xform;
                cipher_xform = crypto_xform->next;
-       else
+       } else {
                cipher_xform = crypto_xform;
+               auth_xform = crypto_xform->next;
+       }
 
        if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
                if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
@@ -293,8 +294,16 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
                cipher_key = crypto_xform->aead.key.data;
                cipher_key_len = crypto_xform->aead.key.length;
        } else {
-               cipher_key = cipher_xform->cipher.key.data;
-               cipher_key_len = cipher_xform->cipher.key.length;
+               if (cipher_xform) {
+                       cipher_key = cipher_xform->cipher.key.data;
+                       cipher_key_len = cipher_xform->cipher.key.length;
+               }
+
+               if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+                       memcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4);
+                       cipher_key = auth_xform->auth.key.data;
+                       cipher_key_len = auth_xform->auth.key.length;
+               }
        }
 
        if (cipher_key_len != 0)
@@ -358,7 +367,8 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
                return ret;
 
        if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM ||
-           ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL) {
+           ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL ||
+           ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) {
                template = &out_sa->aes_gcm.template;
                ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template);
        } else {
@@ -453,6 +463,7 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
                auth_key_len = auth_xform->auth.key.length;
 
                switch (auth_xform->auth.algo) {
+               case RTE_CRYPTO_AUTH_AES_GMAC:
                case RTE_CRYPTO_AUTH_NULL:
                        break;
                case RTE_CRYPTO_AUTH_SHA1_HMAC:
@@ -497,6 +508,9 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
                } else if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
                        sa->cipher_iv_off = crypto_xform->cipher.iv.offset;
                        sa->cipher_iv_len = crypto_xform->cipher.iv.length;
+               } else {
+                       sa->cipher_iv_off = crypto_xform->auth.iv.offset;
+                       sa->cipher_iv_len = crypto_xform->auth.iv.length;
                }
        }
 #else
@@ -553,7 +567,8 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
                return ret;
 
        if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD ||
-           auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL) {
+           auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL ||
+           auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
                ctx_len = offsetof(struct roc_ie_on_inb_sa,
                                   sha1_or_gcm.hmac_key[0]);
        } else {
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h
index 542c93b..fe2904b 100644 (file)
--- a/drivers/crypto/cnxk/cnxk_cryptodev.h
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.h
@@ -11,7 +11,7 @@
 #include "roc_cpt.h"
 
 #define CNXK_CPT_MAX_CAPS       34
-#define CNXK_SEC_CRYPTO_MAX_CAPS 11
+#define CNXK_SEC_CRYPTO_MAX_CAPS 12
 #define CNXK_SEC_MAX_CAPS       9
 #define CNXK_AE_EC_ID_MAX       8
 /**
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index efd53db..98b002d 100644 (file)
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -835,6 +835,31 @@ static const struct rte_cryptodev_capabilities sec_caps_aes[] = {
                        }, }
                }, }
        },
+       {       /* AES GMAC (AUTH) */
+               .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+               {.sym = {
+                       .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+                       {.auth = {
+                               .algo = RTE_CRYPTO_AUTH_AES_GMAC,
+                               .block_size = 16,
+                               .key_size = {
+                                       .min = 16,
+                                       .max = 32,
+                                       .increment = 8
+                               },
+                               .digest_size = {
+                                       .min = 8,
+                                       .max = 16,
+                                       .increment = 4
+                               },
+                               .iv_size = {
+                                       .min = 12,
+                                       .max = 12,
+                                       .increment = 0
+                               }
+                       }, }
+               }, }
+       },
 };
 
 static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = {
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index 1524217..171ea27 100644 (file)
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -59,6 +59,9 @@ ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
        } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA512_HMAC) {
                if (keylen == 64)
                        return 0;
+       } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+               if (keylen >= 16 && keylen <= 32)
+                       return 0;
        }
 
        if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC &&
DPDK repo used for reviews