crypto/cnxk: support null authentication in IPsec

Add null auth support with lookaside IPsec on cn10k crypto PMDs.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index b5b66450089fe1b12cf951ccbe9fc7ea30a53eaf..709da56ca8fa95ceef53e4ad3a9bdc49d37e38b1 100644 (file)
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -258,4 +258,5 @@ CN10XX Features supported
 * Transport mode
 * UDP Encapsulation
 * AES-128/192/256-GCM
+* AES-128/192/256-CBC-NULL
 * AES-128/192/256-CBC-SHA1-HMAC

diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index f62c7c4ca3189d0af4e3a023736ae3c18182c5db..e4eb58dd8f6ac1f8c2b9c0185903eb24a7b3e13d 100644 (file)
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -248,6 +248,7 @@ New Features
   * Added support for ZUC algorithm with 256-bit key length for CN10K.
   * Added support for CN98xx dual block.
   * Added inner checksum support in lookaside protocol (IPsec) for CN10K.
+  * Added AES-CBC NULL auth support in lookaside protocol (IPsec) for CN10K.
 
 * **Added support for event crypto adapter on Marvell CN10K and CN9K.**
 

diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index 53fb7936545408662dde5cbf712c07710075de43..a43864df0d3f9af35376b08744c9d3b6d8a7cb20 100644 (file)
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -316,7 +316,8 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
        if (ret)
                return ret;
 
-       if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM) {
+       if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM ||
+           ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL) {
                template = &out_sa->aes_gcm.template;
                ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template);
        } else if (ctl->auth_type == ROC_IE_ON_SA_AUTH_SHA1) {
@@ -449,7 +450,8 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
        if (ret)
                return ret;
 
-       if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+       if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD ||
+           auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL) {
                ctx_len = offsetof(struct roc_ie_on_inb_sa,
                                   sha1_or_gcm.hmac_key[0]);
        } else {

diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index a53b489a043492a46199cd94141cf3d00bbfaaef..19d75a63c6740b88604da61d64d073309b202153 100644 (file)
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -930,6 +930,27 @@ sec_caps_add(struct rte_cryptodev_capabilities cnxk_caps[], int *cur_pos,
        *cur_pos += nb_caps;
 }
 
+static void
+cn10k_sec_crypto_caps_update(struct rte_cryptodev_capabilities cnxk_caps[],
+                            int *cur_pos)
+{
+       const struct rte_cryptodev_capabilities *cap;
+       unsigned int i;
+
+       if ((CNXK_CPT_MAX_CAPS - *cur_pos) < 1)
+               return;
+
+       /* NULL auth */
+       for (i = 0; i < RTE_DIM(caps_null); i++) {
+               cap = &caps_null[i];
+               if (cap->sym.xform_type == RTE_CRYPTO_SYM_XFORM_AUTH &&
+                   cap->sym.auth.algo == RTE_CRYPTO_AUTH_NULL) {
+                       cnxk_caps[*cur_pos] = caps_null[i];
+                       *cur_pos += 1;
+               }
+       }
+}
+
 static void
 sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[],
                         union cpt_eng_caps *hw_caps)
@@ -939,6 +960,9 @@ sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[],
        SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, aes);
        SEC_CAPS_ADD(cnxk_caps, &cur_pos, hw_caps, sha1_sha2);
 
+       if (roc_model_is_cn10k())
+               cn10k_sec_crypto_caps_update(cnxk_caps, &cur_pos);
+
        sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end));
 }
 

diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index ff396179cad6025a42387c6169760fdedda11788..dddb4147933617c6f12f35c4195a9b62c985b7bd 100644 (file)
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -40,6 +40,9 @@ ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
 {
        uint16_t keylen = crypto_xform->auth.key.length;
 
+       if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_NULL)
+               return 0;
+
        if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
                if (keylen >= 20 && keylen <= 64)
                        return 0;