From 582458001757555b244927d36459b519079c3fdc Mon Sep 17 00:00:00 2001 From: Archana Muniganti Date: Thu, 30 Sep 2021 18:28:31 +0530 Subject: [PATCH] crypto/cnxk: support inner checksum Add inner checksum support for cn10k. Signed-off-by: Archana Muniganti Acked-by: Akhil Goyal --- doc/guides/cryptodevs/features/cn10k.ini | 1 + doc/guides/rel_notes/release_21_11.rst | 1 + drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 65 +++++++++++++++---- drivers/crypto/cnxk/cn10k_ipsec.c | 49 +++++++++++++- drivers/crypto/cnxk/cn10k_ipsec.h | 1 + drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 9 ++- drivers/crypto/cnxk/cnxk_cryptodev.c | 3 + .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 2 + 8 files changed, 113 insertions(+), 18 deletions(-) diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index f5552feca3..9d08bd5c04 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -15,6 +15,7 @@ OOP SGL In SGL Out = Y OOP LB In LB Out = Y Symmetric sessionless = Y Digest encrypted = Y +Inner checksum = Y ; ; Supported crypto algorithms of 'cn10k' crypto driver. diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index aad7b1ff20..079f7fa2a1 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -109,6 +109,7 @@ New Features * Added support for lookaside protocol (IPsec) offload for CN9K. * Added support for ZUC algorithm with 256-bit key length for CN10K. * Added support for CN98xx dual block. + * Added inner checksum support in lookaside protocol (IPsec) for CN10K. * **Added support for event crypto adapter on Marvell CN10K and CN9K.** diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 3caf05aab9..c25c8e67b2 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -50,7 +50,7 @@ sess_put: static __rte_always_inline int __rte_hot cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess, - struct cpt_inst_s *inst) + struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) { struct rte_crypto_sym_op *sym_op = op->sym; union roc_ot_ipsec_sa_word2 *w2; @@ -72,8 +72,10 @@ cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess, if (w2->s.dir == ROC_IE_SA_DIR_OUTBOUND) ret = process_outb_sa(op, sa, inst); - else + else { + infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND; ret = process_inb_sa(op, sa, inst); + } return ret; } @@ -122,7 +124,8 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { sec_sess = get_sec_session_private_data( sym_op->sec_session); - ret = cpt_sec_inst_fill(op, sec_sess, &inst[0]); + ret = cpt_sec_inst_fill(op, sec_sess, infl_req, + &inst[0]); if (unlikely(ret)) return 0; w7 = sec_sess->sa.inst.w7; @@ -342,6 +345,49 @@ cn10k_cpt_sec_post_process(struct rte_crypto_op *cop, m->pkt_len = m_len; } +static inline void +cn10k_cpt_sec_ucc_process(struct rte_crypto_op *cop, + struct cpt_inflight_req *infl_req, + const uint8_t uc_compcode) +{ + struct cn10k_sec_session *sess; + struct cn10k_ipsec_sa *sa; + struct rte_mbuf *mbuf; + + if (uc_compcode == ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST) + cop->aux_flags = RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY; + + if (!(infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND)) + return; + + sess = get_sec_session_private_data(cop->sym->sec_session); + sa = &sess->sa; + + mbuf = cop->sym->m_src; + + switch (uc_compcode) { + case ROC_IE_OT_UCC_SUCCESS: + if (sa->ip_csum_enable) + mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD; + break; + case ROC_IE_OT_UCC_SUCCESS_PKT_IP_BADCSUM: + mbuf->ol_flags |= PKT_RX_IP_CKSUM_BAD; + break; + case ROC_IE_OT_UCC_SUCCESS_PKT_L4_GOODCSUM: + mbuf->ol_flags |= PKT_RX_L4_CKSUM_GOOD; + if (sa->ip_csum_enable) + mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD; + break; + case ROC_IE_OT_UCC_SUCCESS_PKT_L4_BADCSUM: + mbuf->ol_flags |= PKT_RX_L4_CKSUM_BAD; + if (sa->ip_csum_enable) + mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD; + break; + default: + break; + } +} + static inline void cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, struct rte_crypto_op *cop, @@ -357,17 +403,8 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC && cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { if (likely(compcode == CPT_COMP_WARN)) { - if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) { - /* Success with additional info */ - switch (uc_compcode) { - case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST: - cop->aux_flags = - RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY; - break; - default: - break; - } - } + /* Success with additional info */ + cn10k_cpt_sec_ucc_process(cop, infl_req, uc_compcode); cn10k_cpt_sec_post_process(cop, res); } else { cop->status = RTE_CRYPTO_OP_STATUS_ERROR; diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c index ebb2a7ec48..defc792aa8 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.c +++ b/drivers/crypto/cnxk/cn10k_ipsec.c @@ -37,6 +37,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct rte_crypto_sym_xform *crypto_xfrm, struct rte_security_session *sec_sess) { + union roc_ot_ipsec_outb_param1 param1; struct roc_ot_ipsec_outb_sa *out_sa; struct cnxk_ipsec_outb_rlens rlens; struct cn10k_sec_session *sess; @@ -83,7 +84,27 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, /* pre-populate CPT INST word 4 */ inst_w4.u64 = 0; inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC; - inst_w4.s.param1 = 0; + + param1.u16 = 0; + + /* Disable IP checksum computation by default */ + param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE; + + if (ipsec_xfrm->options.ip_csum_enable) { + param1.s.ip_csum_disable = + ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE; + } + + /* Disable L4 checksum computation by default */ + param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE; + + if (ipsec_xfrm->options.l4_csum_enable) { + param1.s.l4_csum_disable = + ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE; + } + + inst_w4.s.param1 = param1.u16; + sa->inst.w4 = inst_w4.u64; return 0; @@ -95,6 +116,7 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, struct rte_crypto_sym_xform *crypto_xfrm, struct rte_security_session *sec_sess) { + union roc_ot_ipsec_inb_param1 param1; struct roc_ot_ipsec_inb_sa *in_sa; struct cn10k_sec_session *sess; struct cn10k_ipsec_sa *sa; @@ -121,8 +143,29 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, inst_w4.u64 = 0; inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC; - /* Disable checksum verification for now */ - inst_w4.s.param1 = 7; + param1.u16 = 0; + + /* Disable IP checksum verification by default */ + param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE; + + if (ipsec_xfrm->options.ip_csum_enable) { + param1.s.ip_csum_disable = + ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE; + sa->ip_csum_enable = true; + } + + /* Disable L4 checksum verification by default */ + param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE; + + if (ipsec_xfrm->options.l4_csum_enable) { + param1.s.l4_csum_disable = + ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE; + } + + param1.s.esp_trailer_disable = 1; + + inst_w4.s.param1 = param1.u16; + sa->inst.w4 = inst_w4.u64; return 0; diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h index 6f974b716d..86cd2483f5 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.h +++ b/drivers/crypto/cnxk/cn10k_ipsec.h @@ -23,6 +23,7 @@ struct cn10k_ipsec_sa { uint16_t max_extended_len; uint16_t iv_offset; uint8_t iv_length; + bool ip_csum_enable; }; struct cn10k_sec_session { diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h index 862476a72e..df1b0a3678 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h +++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h @@ -53,6 +53,7 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, { struct rte_crypto_sym_op *sym_op = cop->sym; struct rte_mbuf *m_src = sym_op->m_src; + uint64_t inst_w4_u64 = sess->inst.w4; if (unlikely(rte_pktmbuf_tailroom(m_src) < sess->max_extended_len)) { plt_dp_err("Not enough tail room"); @@ -68,8 +69,14 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, } #endif + if (m_src->ol_flags & PKT_TX_IP_CKSUM) + inst_w4_u64 &= ~BIT_ULL(33); + + if (m_src->ol_flags & PKT_TX_L4_MASK) + inst_w4_u64 &= ~BIT_ULL(32); + /* Prepare CPT instruction */ - inst->w4.u64 = sess->inst.w4; + inst->w4.u64 = inst_w4_u64; inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src); inst->dptr = rte_pktmbuf_iova(m_src); inst->rptr = inst->dptr; diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.c b/drivers/crypto/cnxk/cnxk_cryptodev.c index 5c7801ec48..d67de54a7b 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev.c @@ -24,6 +24,9 @@ cnxk_cpt_default_ff_get(void) RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED | RTE_CRYPTODEV_FF_SECURITY; + if (roc_model_is_cn10k()) + ff |= RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM; + return ff; } diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index 34eb441ab3..a227e6981c 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -961,6 +961,8 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap) sec_cap->ipsec.options.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR; } + sec_cap->ipsec.options.ip_csum_enable = 1; + sec_cap->ipsec.options.l4_csum_enable = 1; } static void -- 2.20.1