From: Tejasree Kondoj Date: Wed, 24 Mar 2021 16:45:07 +0000 (+0530) Subject: common/cpt: support encrypted digest mode X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=de5eb0a60412cbeac4854329e28baec81154b865;p=dpdk.git common/cpt: support encrypted digest mode Added support for DIGEST_ENCRYPTED mode for octeontx and octeontx2 platforms. Signed-off-by: Tejasree Kondoj Acked-by: Akhil Goyal --- diff --git a/doc/guides/cryptodevs/features/octeontx.ini b/doc/guides/cryptodevs/features/octeontx.ini index 10d94e3f7b..d9776a5788 100644 --- a/doc/guides/cryptodevs/features/octeontx.ini +++ b/doc/guides/cryptodevs/features/octeontx.ini @@ -13,6 +13,7 @@ OOP SGL In LB Out = Y OOP SGL In SGL Out = Y OOP LB In LB Out = Y RSA PRIV OP KEY QT = Y +Digest encrypted = Y Symmetric sessionless = Y ; diff --git a/doc/guides/cryptodevs/features/octeontx2.ini b/doc/guides/cryptodevs/features/octeontx2.ini index b0d50ce984..66c5fefde6 100644 --- a/doc/guides/cryptodevs/features/octeontx2.ini +++ b/doc/guides/cryptodevs/features/octeontx2.ini @@ -14,6 +14,7 @@ OOP SGL In LB Out = Y OOP SGL In SGL Out = Y OOP LB In LB Out = Y RSA PRIV OP KEY QT = Y +Digest encrypted = Y Symmetric sessionless = Y ; diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst index 2e3bf5c95a..b21906ccf6 100644 --- a/doc/guides/rel_notes/release_21_05.rst +++ b/doc/guides/rel_notes/release_21_05.rst @@ -150,6 +150,14 @@ New Features * Added support for preferred busy polling. +* **Updated the OCTEON TX crypto PMD.** + + * Added support for DIGEST_ENCRYPTED mode in OCTEON TX crypto PMD. + +* **Updated the OCTEON TX2 crypto PMD.** + + * Added support for DIGEST_ENCRYPTED mode in OCTEON TX2 crypto PMD. + * **Updated Mellanox RegEx PMD.** * Added support for multi-segments mbuf. diff --git a/drivers/common/cpt/cpt_mcode_defines.h b/drivers/common/cpt/cpt_mcode_defines.h index 56a745f419..624bdcf3cf 100644 --- a/drivers/common/cpt/cpt_mcode_defines.h +++ b/drivers/common/cpt/cpt_mcode_defines.h @@ -20,6 +20,9 @@ #define CPT_MAJOR_OP_ZUC_SNOW3G 0x37 #define CPT_MAJOR_OP_KASUMI 0x38 #define CPT_MAJOR_OP_MISC 0x01 +#define CPT_HMAC_FIRST_BIT_POS 0x4 +#define CPT_FC_MINOR_OP_ENCRYPT 0x0 +#define CPT_FC_MINOR_OP_DECRYPT 0x1 /* AE opcodes */ #define CPT_MAJOR_OP_MODEX 0x03 @@ -314,8 +317,10 @@ struct cpt_ctx { uint64_t hmac :1; uint64_t zsk_flags :3; uint64_t k_ecb :1; + uint64_t auth_enc :1; + uint64_t dec_auth :1; uint64_t snow3g :2; - uint64_t rsvd :21; + uint64_t rsvd :19; /* Below fields are accessed by hardware */ union { mc_fc_context_t fctx; diff --git a/drivers/common/cpt/cpt_ucode.h b/drivers/common/cpt/cpt_ucode.h index 0536620710..ee6d49aae7 100644 --- a/drivers/common/cpt/cpt_ucode.h +++ b/drivers/common/cpt/cpt_ucode.h @@ -752,7 +752,9 @@ cpt_enc_hmac_prep(uint32_t flags, /* Encryption */ vq_cmd_w0.s.opcode.major = CPT_MAJOR_OP_FC; - vq_cmd_w0.s.opcode.minor = 0; + vq_cmd_w0.s.opcode.minor = CPT_FC_MINOR_OP_ENCRYPT; + vq_cmd_w0.s.opcode.minor |= (cpt_ctx->auth_enc << + CPT_HMAC_FIRST_BIT_POS); if (hash_type == GMAC_TYPE) { encr_offset = 0; @@ -779,6 +781,9 @@ cpt_enc_hmac_prep(uint32_t flags, outputlen = enc_dlen + mac_len; } + if (cpt_ctx->auth_enc != 0) + outputlen = enc_dlen; + /* GP op header */ vq_cmd_w0.s.param1 = encr_data_len; vq_cmd_w0.s.param2 = auth_data_len; @@ -1112,7 +1117,9 @@ cpt_dec_hmac_prep(uint32_t flags, /* Decryption */ vq_cmd_w0.s.opcode.major = CPT_MAJOR_OP_FC; - vq_cmd_w0.s.opcode.minor = 1; + vq_cmd_w0.s.opcode.minor = CPT_FC_MINOR_OP_DECRYPT; + vq_cmd_w0.s.opcode.minor |= (cpt_ctx->dec_auth << + CPT_HMAC_FIRST_BIT_POS); if (hash_type == GMAC_TYPE) { encr_offset = 0; @@ -1130,6 +1137,9 @@ cpt_dec_hmac_prep(uint32_t flags, outputlen = enc_dlen; } + if (cpt_ctx->dec_auth != 0) + outputlen = inputlen = enc_dlen; + vq_cmd_w0.s.param1 = encr_data_len; vq_cmd_w0.s.param2 = auth_data_len; @@ -2566,6 +2576,7 @@ fill_sess_cipher(struct rte_crypto_sym_xform *xform, struct cpt_sess_misc *sess) { struct rte_crypto_cipher_xform *c_form; + struct cpt_ctx *ctx = SESS_PRIV(sess); cipher_type_t enc_type = 0; /* NULL Cipher type */ uint32_t cipher_key_len = 0; uint8_t zsk_flag = 0, aes_ctr = 0, is_null = 0; @@ -2574,9 +2585,14 @@ fill_sess_cipher(struct rte_crypto_sym_xform *xform, if (c_form->op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) sess->cpt_op |= CPT_OP_CIPHER_ENCRYPT; - else if (c_form->op == RTE_CRYPTO_CIPHER_OP_DECRYPT) + else if (c_form->op == RTE_CRYPTO_CIPHER_OP_DECRYPT) { sess->cpt_op |= CPT_OP_CIPHER_DECRYPT; - else { + if (xform->next != NULL && + xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) { + /* Perform decryption followed by auth verify */ + ctx->dec_auth = 1; + } + } else { CPT_LOG_DP_ERR("Unknown cipher operation\n"); return -1; } @@ -2667,10 +2683,18 @@ static __rte_always_inline int fill_sess_auth(struct rte_crypto_sym_xform *xform, struct cpt_sess_misc *sess) { + struct cpt_ctx *ctx = SESS_PRIV(sess); struct rte_crypto_auth_xform *a_form; auth_type_t auth_type = 0; /* NULL Auth type */ uint8_t zsk_flag = 0, aes_gcm = 0, is_null = 0; + if (xform->next != NULL && + xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER && + xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { + /* Perform auth followed by encryption */ + ctx->auth_enc = 1; + } + a_form = &xform->auth; if (a_form->op == RTE_CRYPTO_AUTH_OP_VERIFY) @@ -2993,6 +3017,7 @@ fill_fc_params(struct rte_crypto_op *cop, { uint32_t space = 0; struct rte_crypto_sym_op *sym_op = cop->sym; + struct cpt_ctx *ctx = SESS_PRIV(sess_misc); void *mdata = NULL; uintptr_t *op; uint32_t mc_hash_off; @@ -3120,9 +3145,10 @@ fill_fc_params(struct rte_crypto_op *cop, m = m_src; /* hmac immediately following data is best case */ - if (unlikely(rte_pktmbuf_mtod(m, uint8_t *) + + if (!ctx->dec_auth && !ctx->auth_enc && + (unlikely(rte_pktmbuf_mtod(m, uint8_t *) + mc_hash_off != - (uint8_t *)sym_op->auth.digest.data)) { + (uint8_t *)sym_op->auth.digest.data))) { flags |= VALID_MAC_BUF; fc_params.mac_buf.size = sess_misc->mac_len; @@ -3137,7 +3163,9 @@ fill_fc_params(struct rte_crypto_op *cop, fc_params.ctx_buf.vaddr = SESS_PRIV(sess_misc); fc_params.ctx_buf.dma_addr = sess_misc->ctx_dma_addr; - if (unlikely(sess_misc->is_null || sess_misc->cpt_op == CPT_OP_DECODE)) + if (!ctx->dec_auth && + unlikely(sess_misc->is_null || + sess_misc->cpt_op == CPT_OP_DECODE)) inplace = 0; if (likely(!m_dst && inplace)) { diff --git a/drivers/crypto/octeontx/otx_cryptodev_ops.c b/drivers/crypto/octeontx/otx_cryptodev_ops.c index b74eb2694b..d75f4b5f81 100644 --- a/drivers/crypto/octeontx/otx_cryptodev_ops.c +++ b/drivers/crypto/octeontx/otx_cryptodev_ops.c @@ -205,12 +205,16 @@ sym_xform_verify(struct rte_crypto_sym_xform *xform) if (xform->next) { if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH && xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER && - xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) + xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT && + (xform->auth.algo != RTE_CRYPTO_AUTH_SHA1_HMAC || + xform->next->cipher.algo != RTE_CRYPTO_CIPHER_AES_CBC)) return -ENOTSUP; if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform->cipher.op == RTE_CRYPTO_CIPHER_OP_DECRYPT && - xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) + xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH && + (xform->cipher.algo != RTE_CRYPTO_CIPHER_AES_CBC || + xform->next->auth.algo != RTE_CRYPTO_AUTH_SHA1_HMAC)) return -ENOTSUP; if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && @@ -1004,7 +1008,8 @@ otx_cpt_dev_create(struct rte_cryptodev *c_dev) RTE_CRYPTODEV_FF_OOP_LB_IN_LB_OUT | RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT | RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT | - RTE_CRYPTODEV_FF_SYM_SESSIONLESS; + RTE_CRYPTODEV_FF_SYM_SESSIONLESS | + RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; break; default: /* Feature not supported. Abort */ diff --git a/drivers/crypto/octeontx2/otx2_cryptodev.c b/drivers/crypto/octeontx2/otx2_cryptodev.c index e0a559b663..7f45e57cce 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev.c @@ -123,7 +123,8 @@ otx2_cpt_pci_probe(struct rte_pci_driver *pci_drv __rte_unused, RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_QT | RTE_CRYPTODEV_FF_SYM_SESSIONLESS | - RTE_CRYPTODEV_FF_SECURITY; + RTE_CRYPTODEV_FF_SECURITY | + RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED; if (rte_eal_process_type() == RTE_PROC_SECONDARY) otx2_cpt_set_enqdeq_fns(dev); diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c index cec20b5c6d..fc4d5bac49 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c @@ -322,12 +322,16 @@ sym_xform_verify(struct rte_crypto_sym_xform *xform) if (xform->next) { if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH && xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER && - xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) + xform->next->cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT && + (xform->auth.algo != RTE_CRYPTO_AUTH_SHA1_HMAC || + xform->next->cipher.algo != RTE_CRYPTO_CIPHER_AES_CBC)) return -ENOTSUP; if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform->cipher.op == RTE_CRYPTO_CIPHER_OP_DECRYPT && - xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) + xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH && + (xform->cipher.algo != RTE_CRYPTO_CIPHER_AES_CBC || + xform->next->auth.algo != RTE_CRYPTO_AUTH_SHA1_HMAC)) return -ENOTSUP; if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&