From: Tejasree Kondoj Date: Wed, 1 Sep 2021 10:19:28 +0000 (+0530) Subject: crypto/cnxk: support cn10k transport mode X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=d9bf3a41501b10c9b666bfada5fc2a2a2e4419b9;p=dpdk.git crypto/cnxk: support cn10k transport mode Adding support for cn10k lookaside IPsec transport mode. Signed-off-by: Tejasree Kondoj Acked-by: Akhil Goyal --- diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index a40295c087..1eb72282db 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -230,6 +230,8 @@ Features supported * IPv4 * ESP * Tunnel mode +* Transport mode +* UDP Encapsulation * AES-128/192/256-GCM * AES-128/192/256-CBC-SHA1-HMAC diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index bcc3e2275a..262dc159f9 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -65,6 +65,8 @@ New Features * **Updated Marvell cnxk crypto PMD.** * Added AES-CBC SHA1-HMAC support in lookaside protocol (IPsec) for CN10K. + * Added Transport mode support in lookaside protocol (IPsec) for CN10K. + * Added UDP encapsulation support in lookaside protocol (IPsec) for CN10K. Removed Items diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index b3856f7eaa..8e051fa0fa 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -12,7 +12,7 @@ #define CNXK_CPT_MAX_CAPS 34 #define CNXK_SEC_CRYPTO_MAX_CAPS 4 -#define CNXK_SEC_MAX_CAPS 3 +#define CNXK_SEC_MAX_CAPS 5 #define CNXK_AE_EC_ID_MAX 8 /** * Device private data diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index 9430ca5d00..c4f7824332 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c 
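Review bot: `CNXK_SEC_MAX_CAPS` in cnxk_cryptodev.h is a bare count that has to track the number of entries in `sec_caps_templ[]`, and nothing at the define says so. The new value of 5 appears to match the four IPsec entries plus the `RTE_SECURITY_ACTION_TYPE_NONE` terminator after this commit, and the `PLT_STATIC_ASSERT` visible in `cnxk_cpt_caps_populate` will catch an undersized array at build time. A one-line comment would save the next contributor the search: `/* Entries in sec_caps_templ[], including the terminator */`.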
@@ -822,6 +822,28 @@ static const struct rte_security_capability sec_caps_templ[] = { }, .crypto_capabilities = NULL, }, + { /* IPsec Lookaside Protocol ESP Transport Ingress */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec = { + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT, + .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, + .options = { 0 }, + }, + .crypto_capabilities = NULL, + }, + { /* IPsec Lookaside Protocol ESP Transport Egress */ + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec = { + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .options = { 0 }, + }, + .crypto_capabilities = NULL, + }, { .action = RTE_SECURITY_ACTION_TYPE_NONE } @@ -885,6 +907,12 @@ sec_crypto_caps_populate(struct rte_cryptodev_capabilities cnxk_caps[], sec_caps_add(cnxk_caps, &cur_pos, caps_end, RTE_DIM(caps_end)); } +static void +cnxk_sec_caps_update(struct rte_security_capability *sec_cap) +{ + sec_cap->ipsec.options.udp_encap = 1; +} + void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) { @@ -896,8 +924,11 @@ cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) PLT_STATIC_ASSERT(RTE_DIM(sec_caps_templ) <= RTE_DIM(vf->sec_caps)); memcpy(vf->sec_caps, sec_caps_templ, sizeof(sec_caps_templ)); - for (i = 0; i < RTE_DIM(sec_caps_templ) - 1; i++) + for (i = 0; i < RTE_DIM(sec_caps_templ) - 1; i++) { vf->sec_caps[i].crypto_capabilities = vf->sec_crypto_caps; + + cnxk_sec_caps_update(&vf->sec_caps[i]); + } } const struct rte_security_capability * diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h index d1eb74ebbe..ff396179ca 100644 --- a/drivers/crypto/cnxk/cnxk_ipsec.h +++ b/drivers/crypto/cnxk/cnxk_ipsec.h 
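Review bot: The two transport-mode entries added to `sec_caps_templ[]` are advertised by every device that goes through `cnxk_cpt_caps_populate`, while the commit title, cnxk.rst and the release notes scope the feature to CN10K. The table lives in the shared cnxk directory, so if CN9K devices populate their security capabilities from it they would now report ESP transport mode, and UDP encapsulation via `cnxk_sec_caps_update` in the next hunk, without this commit showing support for either. Applications rely on these capabilities to decide what to offload, so an over-advertised mode could surface as a session-create failure or, if nothing rejects it, as traffic processed with an SA layout the device does not implement. The relaxed tunnel-type check in cnxk_ipsec.h raises the same scope question. Either gate the new entries and the `udp_encap` bit on the device model inside the populate loop, or state in the commit message that CN9K already handles both.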
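Review bot: `cnxk_sec_caps_update` sets `options.udp_encap` on every capability entry at populate time, which leaves the template's `.options = { 0 }` saying something different from what the driver actually reports. No hunk in this commit reads `ipsec_xform->options.udp_encap`, so presumably the encapsulation is handled in common code outside this diff; it is worth confirming that the SA setup path honours the flag for both directions and both modes, since the loop in `cnxk_cpt_caps_populate` applies it to the tunnel entries as well. If the bit is unconditional, writing `.options = { .udp_encap = 1 },` in each template entry keeps the advertised set in one place. If it is meant to become model-dependent, a comment on the helper such as `/* Options common to all lookaside IPsec capabilities; applied over the template at populate time */` would make that intent visible.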
@@ -98,7 +98,8 @@ cnxk_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xform, (ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)) return -EINVAL; - if ((ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) && + if ((ipsec_xform->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) && + (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) && (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6)) return -EINVAL;
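Review bot: The tunnel-type test in `cnxk_ipsec_xform_verify` is now skipped for any mode other than tunnel, so its correctness depends on the mode check just above it (only its tail is in the hunk) presumably rejecting every mode except transport and tunnel. That dependency is easy to break silently when a mode is added later; a short comment at the condition would record it, for example `/* tunnel.type is only meaningful for tunnel-mode SAs; other modes are rejected above */`. It is also worth checking that code running after this function does not read `ipsec_xform->tunnel` for transport SAs, since those fields are no longer validated in that case. The function begins and ends outside the hunk.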