From c7c7f34739f464cb1b0874ad7abfa9ecbbaf5e6b Mon Sep 17 00:00:00 2001 From: Tejasree Kondoj Date: Tue, 7 Sep 2021 21:47:41 +0530 Subject: [PATCH] crypto/cnxk: add IV in SA in lookaside IPsec debug mode Adding IV in SA in lookaside IPsec debug mode. It helps to verify lookaside PMD using known outbound vectors in lookaside autotest. Signed-off-by: Anoob Joseph Signed-off-by: Tejasree Kondoj Acked-by: Akhil Goyal --- drivers/crypto/cnxk/cn10k_ipsec.c | 16 +++++++ drivers/crypto/cnxk/cn10k_ipsec.h | 2 + drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 44 +++++++++++++++++++ .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 29 +++++++++++- drivers/crypto/cnxk/meson.build | 6 +++ 5 files changed, 95 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c index 5c57cf2818..ebb2a7ec48 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.c +++ b/drivers/crypto/cnxk/cn10k_ipsec.c @@ -57,6 +57,22 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa); +#ifdef LA_IPSEC_DEBUG + /* Use IV from application in debug mode */ + if (ipsec_xfrm->options.iv_gen_disable == 1) { + out_sa->w2.s.iv_src = ROC_IE_OT_SA_IV_SRC_FROM_SA; + if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + sa->iv_offset = crypto_xfrm->aead.iv.offset; + sa->iv_length = crypto_xfrm->aead.iv.length; + } + } +#else + if (ipsec_xfrm->options.iv_gen_disable != 0) { + plt_err("Application provided IV not supported"); + return -ENOTSUP; + } +#endif + /* Get Rlen calculation data */ ret = cnxk_ipsec_outb_rlens_get(&rlens, ipsec_xfrm, crypto_xfrm); if (ret) diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h index bc52c60179..6f974b716d 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.h +++ b/drivers/crypto/cnxk/cn10k_ipsec.h @@ -21,6 +21,8 @@ struct cn10k_ipsec_sa { /** Pre-populated CPT inst words */ struct cnxk_cpt_inst_tmpl inst; uint16_t max_extended_len; + uint16_t iv_offset; + uint8_t iv_length; }; struct cn10k_sec_session { diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h index fe91638c99..862476a72e 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h +++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h @@ -12,6 +12,41 @@ #include "cn10k_ipsec.h" #include "cnxk_cryptodev.h" +static inline void +ipsec_po_sa_iv_set(struct cn10k_ipsec_sa *sess, struct rte_crypto_op *cop) +{ + uint64_t *iv = &sess->out_sa.iv.u64[0]; + uint64_t *tmp_iv; + + memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset), + 16); + tmp_iv = (uint64_t *)iv; + *tmp_iv = rte_be_to_cpu_64(*tmp_iv); + + tmp_iv = (uint64_t *)(iv + 1); + *tmp_iv = rte_be_to_cpu_64(*tmp_iv); +} + +static inline void +ipsec_po_sa_aes_gcm_iv_set(struct cn10k_ipsec_sa *sess, + struct rte_crypto_op *cop) +{ + uint8_t *iv = &sess->out_sa.iv.s.iv_dbg1[0]; + uint32_t *tmp_iv; + + memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset), + 4); + tmp_iv = (uint32_t *)iv; + *tmp_iv = rte_be_to_cpu_32(*tmp_iv); + + iv = &sess->out_sa.iv.s.iv_dbg2[0]; + memcpy(iv, + rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset + 4), + 4); + tmp_iv = (uint32_t *)iv; + *tmp_iv = rte_be_to_cpu_32(*tmp_iv); +} + static __rte_always_inline int process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, struct cpt_inst_s *inst) @@ -24,6 +59,15 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, return -ENOMEM; } +#ifdef LA_IPSEC_DEBUG + if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) { + if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM) + ipsec_po_sa_aes_gcm_iv_set(sess, cop); + else + ipsec_po_sa_iv_set(sess, cop); + } +#endif + /* Prepare CPT instruction */ inst->w4.u64 = sess->inst.w4; inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src); diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index c4f7824332..4b97639e56 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -807,7 +807,7 @@ static const struct rte_security_capability sec_caps_templ[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, - .options = { 0 } + .options = { 0 }, }, .crypto_capabilities = NULL, }, @@ -818,7 +818,7 @@ static const struct rte_security_capability sec_caps_templ[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, - .options = { 0 } + .options = { 0 }, }, .crypto_capabilities = NULL, }, @@ -913,6 +913,24 @@ cnxk_sec_caps_update(struct rte_security_capability *sec_cap) sec_cap->ipsec.options.udp_encap = 1; } +static void +cn10k_sec_caps_update(struct rte_security_capability *sec_cap) +{ + if (sec_cap->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { +#ifdef LA_IPSEC_DEBUG + sec_cap->ipsec.options.iv_gen_disable = 1; +#endif + } +} + +static void +cn9k_sec_caps_update(struct rte_security_capability *sec_cap) +{ + if (sec_cap->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + sec_cap->ipsec.options.iv_gen_disable = 1; + } +} + void cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) { @@ -928,6 +946,13 @@ cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf) vf->sec_caps[i].crypto_capabilities = vf->sec_crypto_caps; cnxk_sec_caps_update(&vf->sec_caps[i]); + + if (roc_model_is_cn10k()) + cn10k_sec_caps_update(&vf->sec_caps[i]); + + if (roc_model_is_cn9k()) + cn9k_sec_caps_update(&vf->sec_caps[i]); + } } diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build index e40d132f80..437d208b5a 100644 --- a/drivers/crypto/cnxk/meson.build +++ b/drivers/crypto/cnxk/meson.build @@ -24,3 +24,9 @@ sources = files( deps += ['bus_pci', 'common_cnxk', 'security', 'eventdev'] includes += include_directories('../../../lib/net') + +if get_option('buildtype').contains('debug') + cflags += [ '-DLA_IPSEC_DEBUG' ] +else + cflags += [ '-ULA_IPSEC_DEBUG' ] +endif -- 2.20.1