From 465f7e5804fa2ddc50a8d5239b78e2cb2e8fbd6a Mon Sep 17 00:00:00 2001 From: Vamsi Attunuru Date: Thu, 16 Jul 2020 14:09:30 +0530 Subject: [PATCH] crypto/octeontx2: support security session create This patch creates session for lookaside IPsec. Signed-off-by: Vamsi Attunuru Signed-off-by: Tejasree Kondoj Acked-by: Anoob Joseph Acked-by: Akhil Goyal --- drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 468 +++++++++++++++++- drivers/crypto/octeontx2/otx2_ipsec_po.h | 295 +++++++++++ drivers/crypto/octeontx2/otx2_security.h | 9 + drivers/net/octeontx2/otx2_ethdev_sec.c | 23 +- 4 files changed, 777 insertions(+), 18 deletions(-) diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c index 6e14b37a68..0741a592cd 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c @@ -3,15 +3,479 @@ */ #include +#include +#include +#include #include #include #include +#include #include "otx2_cryptodev.h" #include "otx2_cryptodev_capabilities.h" +#include "otx2_cryptodev_hw_access.h" +#include "otx2_cryptodev_ops.h" #include "otx2_cryptodev_sec.h" #include "otx2_security.h" +static int +ipsec_lp_len_precalc(struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *xform, + struct otx2_sec_session_ipsec_lp *lp) +{ + struct rte_crypto_sym_xform *cipher_xform, *auth_xform; + + lp->partial_len = sizeof(struct rte_ipv4_hdr); + + if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) { + lp->partial_len += sizeof(struct rte_esp_hdr); + lp->roundup_len = sizeof(struct rte_esp_tail); + } else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) { + lp->partial_len += OTX2_SEC_AH_HDR_LEN; + } else { + return -EINVAL; + } + + if (ipsec->options.udp_encap) + lp->partial_len += sizeof(struct rte_udp_hdr); + + if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + lp->partial_len += OTX2_SEC_AES_GCM_IV_LEN; + lp->partial_len += OTX2_SEC_AES_GCM_MAC_LEN; + lp->roundup_byte = OTX2_SEC_AES_GCM_ROUNDUP_BYTE_LEN; + return 0; + } else { + return -EINVAL; + } + } + + if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + cipher_xform = xform; + auth_xform = xform->next; + } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { + auth_xform = xform; + cipher_xform = xform->next; + } else { + return -EINVAL; + } + + if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) { + lp->partial_len += OTX2_SEC_AES_CBC_IV_LEN; + lp->roundup_byte = OTX2_SEC_AES_CBC_ROUNDUP_BYTE_LEN; + } else { + return -EINVAL; + } + + if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) + lp->partial_len += OTX2_SEC_SHA1_HMAC_LEN; + else + return -EINVAL; + + return 0; +} + +static int +otx2_cpt_enq_sa_write(struct otx2_sec_session_ipsec_lp *lp, + struct otx2_cpt_qp *qptr, uint8_t opcode) +{ + uint64_t lmt_status, time_out; + void *lmtline = qptr->lmtline; + struct otx2_cpt_inst_s inst; + struct otx2_cpt_res *res; + uint64_t *mdata; + int ret = 0; + + if (unlikely(rte_mempool_get(qptr->meta_info.pool, + (void **)&mdata) < 0)) + return -ENOMEM; + + res = (struct otx2_cpt_res *)RTE_PTR_ALIGN(mdata, 16); + res->compcode = CPT_9X_COMP_E_NOTDONE; + + inst.opcode = opcode | (lp->ctx_len << 8); + inst.param1 = 0; + inst.param2 = 0; + inst.dlen = lp->ctx_len << 3; + inst.dptr = rte_mempool_virt2iova(lp); + inst.rptr = 0; + inst.cptr = rte_mempool_virt2iova(lp); + inst.egrp = OTX2_CPT_EGRP_SE; + + inst.u64[0] = 0; + inst.u64[2] = 0; + inst.u64[3] = 0; + inst.res_addr = rte_mempool_virt2iova(res); + + rte_cio_wmb(); + + do { + /* Copy CPT command to LMTLINE */ + otx2_lmt_mov(lmtline, &inst, 2); + lmt_status = otx2_lmt_submit(qptr->lf_nq_reg); + } while (lmt_status == 0); + + time_out = rte_get_timer_cycles() + + DEFAULT_COMMAND_TIMEOUT * rte_get_timer_hz(); + + while (res->compcode == CPT_9X_COMP_E_NOTDONE) { + if (rte_get_timer_cycles() > time_out) { + rte_mempool_put(qptr->meta_info.pool, mdata); + otx2_err("Request timed out"); + return -ETIMEDOUT; + } + rte_cio_rmb(); + } + + if (unlikely(res->compcode != CPT_9X_COMP_E_GOOD)) { + ret = res->compcode; + switch (ret) { + case CPT_9X_COMP_E_INSTERR: + otx2_err("Request failed with instruction error"); + break; + case CPT_9X_COMP_E_FAULT: + otx2_err("Request failed with DMA fault"); + break; + case CPT_9X_COMP_E_HWERR: + otx2_err("Request failed with hardware error"); + break; + default: + otx2_err("Request failed with unknown hardware " + "completion code : 0x%x", ret); + } + goto mempool_put; + } + + if (unlikely(res->uc_compcode != OTX2_IPSEC_PO_CC_SUCCESS)) { + ret = res->uc_compcode; + switch (ret) { + case OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED: + otx2_err("Invalid auth type"); + break; + case OTX2_IPSEC_PO_CC_ENCRYPT_UNSUPPORTED: + otx2_err("Invalid encrypt type"); + break; + default: + otx2_err("Request failed with unknown microcode " + "completion code : 0x%x", ret); + } + } + +mempool_put: + rte_mempool_put(qptr->meta_info.pool, mdata); + return ret; +} + +static void +set_session_misc_attributes(struct otx2_sec_session_ipsec_lp *sess, + struct rte_crypto_sym_xform *crypto_xform, + struct rte_crypto_sym_xform *auth_xform, + struct rte_crypto_sym_xform *cipher_xform) +{ + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + sess->iv_offset = crypto_xform->aead.iv.offset; + sess->iv_length = crypto_xform->aead.iv.length; + sess->aad_length = crypto_xform->aead.aad_length; + sess->mac_len = crypto_xform->aead.digest_length; + } else { + sess->iv_offset = cipher_xform->cipher.iv.offset; + sess->iv_length = cipher_xform->cipher.iv.length; + sess->auth_iv_offset = auth_xform->auth.iv.offset; + sess->auth_iv_length = auth_xform->auth.iv.length; + sess->mac_len = auth_xform->auth.digest_length; + } + + sess->ucmd_param1 = OTX2_IPSEC_PO_PER_PKT_IV; + sess->ucmd_param2 = 0; +} + +static int +crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, + struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *crypto_xform, + struct rte_security_session *sec_sess) +{ + struct rte_crypto_sym_xform *auth_xform, *cipher_xform; + const uint8_t *cipher_key, *auth_key; + struct otx2_sec_session_ipsec_lp *lp; + struct otx2_ipsec_po_sa_ctl *ctl; + int cipher_key_len, auth_key_len; + struct otx2_ipsec_po_out_sa *sa; + struct otx2_sec_session *sess; + struct otx2_cpt_inst_s inst; + struct rte_ipv4_hdr *ip; + int ret; + + sess = get_sec_session_private_data(sec_sess); + lp = &sess->ipsec.lp; + + sa = &lp->out_sa; + ctl = &sa->ctl; + if (ctl->valid) { + otx2_err("SA already registered"); + return -EINVAL; + } + + memset(sa, 0, sizeof(struct otx2_ipsec_po_out_sa)); + + /* Initialize lookaside ipsec private data */ + lp->ip_id = 0; + lp->seq_lo = 1; + lp->seq_hi = 0; + + ret = ipsec_po_sa_ctl_set(ipsec, crypto_xform, ctl); + if (ret) + return ret; + + ret = ipsec_lp_len_precalc(ipsec, crypto_xform, lp); + if (ret) + return ret; + + memcpy(sa->iv.gcm.nonce, &ipsec->salt, 4); + + if (ipsec->options.udp_encap) { + sa->udp_src = 4500; + sa->udp_dst = 4500; + } + + if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + /* Start ip id from 1 */ + lp->ip_id = 1; + + if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + ip = &sa->template.ipv4_hdr; + ip->version_ihl = RTE_IPV4_VHL_DEF; + ip->next_proto_id = IPPROTO_ESP; + ip->time_to_live = ipsec->tunnel.ipv4.ttl; + ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2); + if (ipsec->tunnel.ipv4.df) + ip->fragment_offset = BIT(14); + memcpy(&ip->src_addr, &ipsec->tunnel.ipv4.src_ip, + sizeof(struct in_addr)); + memcpy(&ip->dst_addr, &ipsec->tunnel.ipv4.dst_ip, + sizeof(struct in_addr)); + } else { + return -EINVAL; + } + } else { + return -EINVAL; + } + + cipher_xform = crypto_xform; + auth_xform = crypto_xform->next; + + cipher_key_len = 0; + auth_key_len = 0; + + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + cipher_key = crypto_xform->aead.key.data; + cipher_key_len = crypto_xform->aead.key.length; + + lp->ctx_len = sizeof(struct otx2_ipsec_po_out_sa); + lp->ctx_len >>= 3; + RTE_ASSERT(lp->ctx_len == OTX2_IPSEC_PO_AES_GCM_OUTB_CTX_LEN); + } else { + cipher_key = cipher_xform->cipher.key.data; + cipher_key_len = cipher_xform->cipher.key.length; + auth_key = auth_xform->auth.key.data; + auth_key_len = auth_xform->auth.key.length; + + /* TODO: check the ctx len for supporting ALGO */ + lp->ctx_len = sizeof(struct otx2_ipsec_po_out_sa) >> 3; + RTE_ASSERT(lp->ctx_len == OTX2_IPSEC_PO_MAX_OUTB_CTX_LEN); + } + + if (cipher_key_len != 0) + memcpy(sa->cipher_key, cipher_key, cipher_key_len); + else + return -EINVAL; + + /* Use OPAD & IPAD */ + RTE_SET_USED(auth_key); + RTE_SET_USED(auth_key_len); + + inst.u64[7] = 0; + inst.egrp = OTX2_CPT_EGRP_SE; + inst.cptr = rte_mempool_virt2iova(sa); + + lp->ucmd_w3 = inst.u64[7]; + lp->ucmd_opcode = (lp->ctx_len << 8) | + (OTX2_IPSEC_PO_PROCESS_IPSEC_OUTB); + + set_session_misc_attributes(lp, crypto_xform, + auth_xform, cipher_xform); + + return otx2_cpt_enq_sa_write(lp, crypto_dev->data->queue_pairs[0], + OTX2_IPSEC_PO_WRITE_IPSEC_OUTB); +} + +static int +crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev, + struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *crypto_xform, + struct rte_security_session *sec_sess) +{ + struct rte_crypto_sym_xform *auth_xform, *cipher_xform; + struct otx2_sec_session_ipsec_lp *lp; + struct otx2_ipsec_po_sa_ctl *ctl; + const uint8_t *cipher_key, *auth_key; + int cipher_key_len, auth_key_len; + struct otx2_ipsec_po_in_sa *sa; + struct otx2_sec_session *sess; + struct otx2_cpt_inst_s inst; + int ret; + + sess = get_sec_session_private_data(sec_sess); + lp = &sess->ipsec.lp; + + sa = &lp->in_sa; + ctl = &sa->ctl; + + if (ctl->valid) { + otx2_err("SA already registered"); + return -EINVAL; + } + + memset(sa, 0, sizeof(struct otx2_ipsec_po_in_sa)); + + ret = ipsec_po_sa_ctl_set(ipsec, crypto_xform, ctl); + if (ret) + return ret; + + auth_xform = crypto_xform; + cipher_xform = crypto_xform->next; + + cipher_key_len = 0; + auth_key_len = 0; + + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) + memcpy(sa->iv.gcm.nonce, &ipsec->salt, 4); + cipher_key = crypto_xform->aead.key.data; + cipher_key_len = crypto_xform->aead.key.length; + + lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa, + aes_gcm.hmac_key[0]) >> 3; + RTE_ASSERT(lp->ctx_len == OTX2_IPSEC_PO_AES_GCM_INB_CTX_LEN); + } else { + cipher_key = cipher_xform->cipher.key.data; + cipher_key_len = cipher_xform->cipher.key.length; + auth_key = auth_xform->auth.key.data; + auth_key_len = auth_xform->auth.key.length; + + /* TODO: check the ctx len for supporting ALGO */ + lp->ctx_len = sizeof(struct otx2_ipsec_po_in_sa) >> 2; + RTE_ASSERT(lp->ctx_len == OTX2_IPSEC_PO_MAX_INB_CTX_LEN); + } + + if (cipher_key_len != 0) + memcpy(sa->cipher_key, cipher_key, cipher_key_len); + else + return -EINVAL; + + /* Use OPAD & IPAD */ + RTE_SET_USED(auth_key); + RTE_SET_USED(auth_key_len); + + inst.u64[7] = 0; + inst.egrp = OTX2_CPT_EGRP_SE; + inst.cptr = rte_mempool_virt2iova(sa); + + lp->ucmd_w3 = inst.u64[7]; + lp->ucmd_opcode = (lp->ctx_len << 8) | + (OTX2_IPSEC_PO_PROCESS_IPSEC_INB); + + set_session_misc_attributes(lp, crypto_xform, + auth_xform, cipher_xform); + + return otx2_cpt_enq_sa_write(lp, crypto_dev->data->queue_pairs[0], + OTX2_IPSEC_PO_WRITE_IPSEC_INB); +} + +static int +crypto_sec_ipsec_session_create(struct rte_cryptodev *crypto_dev, + struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *crypto_xform, + struct rte_security_session *sess) +{ + int ret; + + if (crypto_dev->data->queue_pairs[0] == NULL) { + otx2_err("Setup cpt queue pair before creating sec session"); + return -EPERM; + } + + ret = ipsec_po_xform_verify(ipsec, crypto_xform); + if (ret) + return ret; + + if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + return crypto_sec_ipsec_inb_session_create(crypto_dev, ipsec, + crypto_xform, sess); + else + return crypto_sec_ipsec_outb_session_create(crypto_dev, ipsec, + crypto_xform, sess); +} + +static int +otx2_crypto_sec_session_create(void *device, + struct rte_security_session_conf *conf, + struct rte_security_session *sess, + struct rte_mempool *mempool) +{ + struct otx2_sec_session *priv; + int ret; + + if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) + return -ENOTSUP; + + if (rte_mempool_get(mempool, (void **)&priv)) { + otx2_err("Could not allocate security session private data"); + return -ENOMEM; + } + + set_sec_session_private_data(sess, priv); + + priv->userdata = conf->userdata; + + if (conf->protocol == RTE_SECURITY_PROTOCOL_IPSEC) + ret = crypto_sec_ipsec_session_create(device, &conf->ipsec, + conf->crypto_xform, + sess); + else + ret = -ENOTSUP; + + if (ret) + goto mempool_put; + + return 0; + +mempool_put: + rte_mempool_put(mempool, priv); + set_sec_session_private_data(sess, NULL); + return ret; +} + +static int +otx2_crypto_sec_session_destroy(void *device __rte_unused, + struct rte_security_session *sess) +{ + struct otx2_sec_session *priv; + struct rte_mempool *sess_mp; + + priv = get_sec_session_private_data(sess); + + if (priv == NULL) + return 0; + + sess_mp = rte_mempool_from_obj(priv); + + set_sec_session_private_data(sess, NULL); + rte_mempool_put(sess_mp, priv); + + return 0; +} + static unsigned int otx2_crypto_sec_session_get_size(void *device __rte_unused) { @@ -40,8 +504,8 @@ otx2_crypto_sec_get_userdata(void *device __rte_unused, uint64_t md, } static struct rte_security_ops otx2_crypto_sec_ops = { - .session_create = NULL, - .session_destroy = NULL, + .session_create = otx2_crypto_sec_session_create, + .session_destroy = otx2_crypto_sec_session_destroy, .session_get_size = otx2_crypto_sec_session_get_size, .set_pkt_metadata = otx2_crypto_sec_set_pkt_mdata, .get_userdata = otx2_crypto_sec_get_userdata, diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h index 217dfeaff0..f2167f220a 100644 --- a/drivers/crypto/octeontx2/otx2_ipsec_po.h +++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h @@ -9,6 +9,83 @@ #include #include +#define OTX2_IPSEC_PO_AES_GCM_INB_CTX_LEN 0x09 +#define OTX2_IPSEC_PO_AES_GCM_OUTB_CTX_LEN 0x28 + +#define OTX2_IPSEC_PO_MAX_INB_CTX_LEN 0x22 +#define OTX2_IPSEC_PO_MAX_OUTB_CTX_LEN 0x38 + +#define OTX2_IPSEC_PO_PER_PKT_IV BIT(11) + +#define OTX2_IPSEC_PO_WRITE_IPSEC_OUTB 0x20 +#define OTX2_IPSEC_PO_WRITE_IPSEC_INB 0x21 +#define OTX2_IPSEC_PO_PROCESS_IPSEC_OUTB 0x23 +#define OTX2_IPSEC_PO_PROCESS_IPSEC_INB 0x24 + +enum otx2_ipsec_po_comp_e { + OTX2_IPSEC_PO_CC_SUCCESS = 0x00, + OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED = 0xB0, + OTX2_IPSEC_PO_CC_ENCRYPT_UNSUPPORTED = 0xB1, +}; + +enum { + OTX2_IPSEC_PO_SA_DIRECTION_INBOUND = 0, + OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND = 1, +}; + +enum { + OTX2_IPSEC_PO_SA_IP_VERSION_4 = 0, + OTX2_IPSEC_PO_SA_IP_VERSION_6 = 1, +}; + +enum { + OTX2_IPSEC_PO_SA_MODE_TRANSPORT = 0, + OTX2_IPSEC_PO_SA_MODE_TUNNEL = 1, +}; + +enum { + OTX2_IPSEC_PO_SA_PROTOCOL_AH = 0, + OTX2_IPSEC_PO_SA_PROTOCOL_ESP = 1, +}; + +enum { + OTX2_IPSEC_PO_SA_AES_KEY_LEN_128 = 1, + OTX2_IPSEC_PO_SA_AES_KEY_LEN_192 = 2, + OTX2_IPSEC_PO_SA_AES_KEY_LEN_256 = 3, +}; + +enum { + OTX2_IPSEC_PO_SA_ENC_NULL = 0, + OTX2_IPSEC_PO_SA_ENC_DES_CBC = 1, + OTX2_IPSEC_PO_SA_ENC_3DES_CBC = 2, + OTX2_IPSEC_PO_SA_ENC_AES_CBC = 3, + OTX2_IPSEC_PO_SA_ENC_AES_CTR = 4, + OTX2_IPSEC_PO_SA_ENC_AES_GCM = 5, + OTX2_IPSEC_PO_SA_ENC_AES_CCM = 6, +}; + +enum { + OTX2_IPSEC_PO_SA_AUTH_NULL = 0, + OTX2_IPSEC_PO_SA_AUTH_MD5 = 1, + OTX2_IPSEC_PO_SA_AUTH_SHA1 = 2, + OTX2_IPSEC_PO_SA_AUTH_SHA2_224 = 3, + OTX2_IPSEC_PO_SA_AUTH_SHA2_256 = 4, + OTX2_IPSEC_PO_SA_AUTH_SHA2_384 = 5, + OTX2_IPSEC_PO_SA_AUTH_SHA2_512 = 6, + OTX2_IPSEC_PO_SA_AUTH_AES_GMAC = 7, + OTX2_IPSEC_PO_SA_AUTH_AES_XCBC_128 = 8, +}; + +enum { + OTX2_IPSEC_PO_SA_FRAG_POST = 0, + OTX2_IPSEC_PO_SA_FRAG_PRE = 1, +}; + +enum { + OTX2_IPSEC_PO_SA_ENCAP_NONE = 0, + OTX2_IPSEC_PO_SA_ENCAP_UDP = 1, +}; + union otx2_ipsec_po_bit_perfect_iv { uint8_t aes_iv[16]; uint8_t des_iv[8]; @@ -107,4 +184,222 @@ struct otx2_ipsec_po_out_sa { uint16_t udp_dst; }; +static inline int +ipsec_po_xform_cipher_verify(struct rte_crypto_sym_xform *xform) +{ + if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) { + switch (xform->cipher.key.length) { + case 16: + case 24: + case 32: + break; + default: + return -ENOTSUP; + } + return 0; + } + + return -ENOTSUP; +} + +static inline int +ipsec_po_xform_auth_verify(struct rte_crypto_sym_xform *xform) +{ + uint16_t keylen = xform->auth.key.length; + + if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) { + if (keylen >= 20 && keylen <= 64) + return 0; + } + + return -ENOTSUP; +} + +static inline int +ipsec_po_xform_aead_verify(struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *xform) +{ + if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && + xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT) + return -EINVAL; + + if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && + xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT) + return -EINVAL; + + if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + switch (xform->aead.key.length) { + case 16: + case 24: + case 32: + break; + default: + return -EINVAL; + } + return 0; + } + + return -ENOTSUP; +} + +static inline int +ipsec_po_xform_verify(struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *xform) +{ + struct rte_crypto_sym_xform *auth_xform, *cipher_xform; + int ret; + + if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) + return ipsec_po_xform_aead_verify(ipsec, xform); + + if (xform->next == NULL) + return -EINVAL; + + if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { + /* Ingress */ + if (xform->type != RTE_CRYPTO_SYM_XFORM_AUTH || + xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER) + return -EINVAL; + auth_xform = xform; + cipher_xform = xform->next; + } else { + /* Egress */ + if (xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER || + xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH) + return -EINVAL; + cipher_xform = xform; + auth_xform = xform->next; + } + + ret = ipsec_po_xform_cipher_verify(cipher_xform); + if (ret) + return ret; + + ret = ipsec_po_xform_auth_verify(auth_xform); + if (ret) + return ret; + + return 0; +} + +static inline int +ipsec_po_sa_ctl_set(struct rte_security_ipsec_xform *ipsec, + struct rte_crypto_sym_xform *xform, + struct otx2_ipsec_po_sa_ctl *ctl) +{ + struct rte_crypto_sym_xform *cipher_xform, *auth_xform; + int aes_key_len; + + if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + ctl->direction = OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND; + cipher_xform = xform; + auth_xform = xform->next; + } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { + ctl->direction = OTX2_IPSEC_PO_SA_DIRECTION_INBOUND; + auth_xform = xform; + cipher_xform = xform->next; + } else { + return -EINVAL; + } + + if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) + ctl->outer_ip_ver = OTX2_IPSEC_PO_SA_IP_VERSION_4; + else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) + ctl->outer_ip_ver = OTX2_IPSEC_PO_SA_IP_VERSION_6; + else + return -EINVAL; + } + + ctl->inner_ip_ver = OTX2_IPSEC_PO_SA_IP_VERSION_4; + + if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) + ctl->ipsec_mode = OTX2_IPSEC_PO_SA_MODE_TRANSPORT; + else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) + ctl->ipsec_mode = OTX2_IPSEC_PO_SA_MODE_TUNNEL; + else + return -EINVAL; + + if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) + ctl->ipsec_proto = OTX2_IPSEC_PO_SA_PROTOCOL_AH; + else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) + ctl->ipsec_proto = OTX2_IPSEC_PO_SA_PROTOCOL_ESP; + else + return -EINVAL; + + if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { + ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_GCM; + aes_key_len = xform->aead.key.length; + } else { + return -ENOTSUP; + } + } else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) { + ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_CCM; + aes_key_len = xform->cipher.key.length; + } else { + return -ENOTSUP; + } + + + switch (aes_key_len) { + case 16: + ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_128; + break; + case 24: + ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_192; + break; + case 32: + ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_256; + break; + default: + return -EINVAL; + } + + if (xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) { + switch (auth_xform->auth.algo) { + case RTE_CRYPTO_AUTH_NULL: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_NULL; + break; + case RTE_CRYPTO_AUTH_MD5_HMAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_MD5; + break; + case RTE_CRYPTO_AUTH_SHA1_HMAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA1; + break; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_224; + break; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_256; + break; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_384; + break; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_512; + break; + case RTE_CRYPTO_AUTH_AES_GMAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_AES_GMAC; + break; + case RTE_CRYPTO_AUTH_AES_XCBC_MAC: + ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_AES_XCBC_128; + break; + default: + return -ENOTSUP; + } + } + + if (ipsec->options.esn) + ctl->esn_en = 1; + + if (ipsec->options.udp_encap == 1) + ctl->encap_type = OTX2_IPSEC_PO_SA_ENCAP_UDP; + + ctl->spi = rte_cpu_to_be_32(ipsec->spi); + ctl->valid = 1; + + return 0; +} + #endif /* __OTX2_IPSEC_PO_H__ */ diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h index 9b4fe263c4..086b506047 100644 --- a/drivers/crypto/octeontx2/otx2_security.h +++ b/drivers/crypto/octeontx2/otx2_security.h @@ -8,6 +8,15 @@ #include "otx2_cryptodev_sec.h" #include "otx2_ethdev_sec.h" +#define OTX2_SEC_AH_HDR_LEN 12 +#define OTX2_SEC_AES_GCM_IV_LEN 8 +#define OTX2_SEC_AES_GCM_MAC_LEN 16 +#define OTX2_SEC_AES_CBC_IV_LEN 16 +#define OTX2_SEC_SHA1_HMAC_LEN 12 + +#define OTX2_SEC_AES_GCM_ROUNDUP_BYTE_LEN 4 +#define OTX2_SEC_AES_CBC_ROUNDUP_BYTE_LEN 16 + union otx2_sec_session_ipsec { struct otx2_sec_session_ipsec_ip ip; struct otx2_sec_session_ipsec_lp lp; diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c index c2ad32cf0c..a155594e25 100644 --- a/drivers/net/octeontx2/otx2_ethdev_sec.c +++ b/drivers/net/octeontx2/otx2_ethdev_sec.c @@ -21,15 +21,6 @@ #include "otx2_sec_idev.h" #include "otx2_security.h" -#define AH_HDR_LEN 12 -#define AES_GCM_IV_LEN 8 -#define AES_GCM_MAC_LEN 16 -#define AES_CBC_IV_LEN 16 -#define SHA1_HMAC_LEN 12 - -#define AES_GCM_ROUNDUP_BYTE_LEN 4 -#define AES_CBC_ROUNDUP_BYTE_LEN 16 - struct eth_sec_tag_const { RTE_STD_C11 union { @@ -238,7 +229,7 @@ ipsec_sa_const_set(struct rte_security_ipsec_xform *ipsec, sess->partial_len += sizeof(struct rte_esp_hdr); sess->roundup_len = sizeof(struct rte_esp_tail); } else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) { - sess->partial_len += AH_HDR_LEN; + sess->partial_len += OTX2_SEC_AH_HDR_LEN; } else { return -EINVAL; } @@ -248,9 +239,9 @@ ipsec_sa_const_set(struct rte_security_ipsec_xform *ipsec, if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) { - sess->partial_len += AES_GCM_IV_LEN; - sess->partial_len += AES_GCM_MAC_LEN; - sess->roundup_byte = AES_GCM_ROUNDUP_BYTE_LEN; + sess->partial_len += OTX2_SEC_AES_GCM_IV_LEN; + sess->partial_len += OTX2_SEC_AES_GCM_MAC_LEN; + sess->roundup_byte = OTX2_SEC_AES_GCM_ROUNDUP_BYTE_LEN; } return 0; } @@ -265,14 +256,14 @@ ipsec_sa_const_set(struct rte_security_ipsec_xform *ipsec, return -EINVAL; } if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) { - sess->partial_len += AES_CBC_IV_LEN; - sess->roundup_byte = AES_CBC_ROUNDUP_BYTE_LEN; + sess->partial_len += OTX2_SEC_AES_CBC_IV_LEN; + sess->roundup_byte = OTX2_SEC_AES_CBC_ROUNDUP_BYTE_LEN; } else { return -EINVAL; } if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) - sess->partial_len += SHA1_HMAC_LEN; + sess->partial_len += OTX2_SEC_SHA1_HMAC_LEN; else return -EINVAL; -- 2.20.1