From e85982ab3220897e0bda3a5ff85dcf415b1243e3 Mon Sep 17 00:00:00 2001 From: Archana Muniganti Date: Mon, 25 Apr 2022 11:08:22 +0530 Subject: [PATCH] crypto/cnxk: support AES-GMAC Added lookaside IPsec AES-GMAC support in CNXK PMD. Signed-off-by: Archana Muniganti Acked-by: Anoob Joseph Acked-by: Akhil Goyal --- doc/guides/cryptodevs/cnxk.rst | 2 ++ doc/guides/rel_notes/release_22_07.rst | 1 + drivers/common/cnxk/cnxk_security.c | 8 +++++ drivers/crypto/cnxk/cn10k_ipsec.c | 3 ++ drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 3 +- drivers/crypto/cnxk/cn9k_ipsec.c | 35 +++++++++++++------ drivers/crypto/cnxk/cnxk_cryptodev.h | 2 +- .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 25 +++++++++++++ drivers/crypto/cnxk/cnxk_ipsec.h | 3 ++ 9 files changed, 70 insertions(+), 12 deletions(-) diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst index 19c4a8b52f..baf0e3c4fd 100644 --- a/doc/guides/cryptodevs/cnxk.rst +++ b/doc/guides/cryptodevs/cnxk.rst @@ -274,6 +274,7 @@ Auth algorithms * SHA384-192-HMAC * SHA512-256-HMAC * AES-XCBC-96 +* AES-GMAC CN10XX Features supported ~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -308,3 +309,4 @@ Auth algorithms * SHA384-192-HMAC * SHA512-256-HMAC * AES-XCBC-96 +* AES-GMAC diff --git a/doc/guides/rel_notes/release_22_07.rst b/doc/guides/rel_notes/release_22_07.rst index 2c9eb543eb..4ae91dd94d 100644 --- a/doc/guides/rel_notes/release_22_07.rst +++ b/doc/guides/rel_notes/release_22_07.rst @@ -68,6 +68,7 @@ New Features * **Updated Marvell cnxk crypto driver.** * Added AH mode support in lookaside protocol (IPsec) for CN9K & CN10K. + * Added AES-GMAC support in lookaside protocol (IPsec) for CN9K & CN10K. Removed Items diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index afefbd2963..69a962d6b7 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c 
@@ -155,6 +155,14 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, case RTE_CRYPTO_AUTH_AES_XCBC_MAC: w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_XCBC_128; break; + case RTE_CRYPTO_AUTH_AES_GMAC: + w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_GMAC; + key = auth_xfrm->auth.key.data; + length = auth_xfrm->auth.key.length; + memcpy(salt_key, &ipsec_xfrm->salt, 4); + tmp_salt = (uint32_t *)salt_key; + *tmp_salt = rte_be_to_cpu_32(*tmp_salt); + break; default: return -ENOTSUP; } diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c index 0c9e24468a..3a2bf0f5eb 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.c +++ b/drivers/crypto/cnxk/cn10k_ipsec.c @@ -77,6 +77,9 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf, } else if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_CIPHER) { sa->iv_offset = crypto_xfrm->cipher.iv.offset; sa->iv_length = crypto_xfrm->cipher.iv.length; + } else { + sa->iv_offset = crypto_xfrm->auth.iv.offset; + sa->iv_length = crypto_xfrm->auth.iv.length; } } #else diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h index f2d812238d..66cfe6ca98 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h +++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h @@ -65,7 +65,8 @@ process_outb_sa(struct roc_cpt_lf *lf, struct rte_crypto_op *cop, #ifdef LA_IPSEC_DEBUG if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) { - if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM) + if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM || + sess->out_sa.w2.s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC) ipsec_po_sa_aes_gcm_iv_set(sess, cop); else ipsec_po_sa_iv_set(sess, cop); diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c index eaa3698043..82b8dae786 100644 --- a/drivers/crypto/cnxk/cn9k_ipsec.c +++ b/drivers/crypto/cnxk/cn9k_ipsec.c 
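Review bot: In the new `RTE_CRYPTO_AUTH_AES_GMAC` case of `ot_ipsec_sa_common_param_fill`, `auth_xfrm->auth.key.length` is stored in `length` with no check that it is an AES key size. The code that consumes `key` and `length` comes after the switch, outside this hunk, so it cannot be confirmed here that a 16/24/32 check covers the GMAC path. If that later check keys only on `enc_type`, this case should reject bad lengths itself, e.g. `if (length != 16 && length != 24 && length != 32) return -EINVAL;`. Separately, the byte swap writes through `(uint32_t *)salt_key`, which assumes `salt_key` is 4-byte aligned and may be accessed as a `uint32_t`; swapping in a local avoids both assumptions: `uint32_t s; memcpy(&s, &ipsec_xfrm->salt, 4); s = rte_be_to_cpu_32(s); memcpy(salt_key, &s, 4);`.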
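Review bot: The bare `else` added in `cn10k_ipsec_outb_sa_create` reads `crypto_xfrm->auth.iv` for every transform type not matched by the tests before it, so any type other than AUTH would have its union read as an auth transform. Making the branch explicit, `} else if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AUTH) {`, keeps `sa->iv_offset` and `sa->iv_length` from being filled from the wrong member. The branch also looks only at the first transform: in a cipher-then-auth chain the GMAC IV would be described by `crypto_xfrm->next`, which does not appear to be consulted (the start of the if-chain is outside the hunk, so this is inferred). The same pattern is added for `sa->cipher_iv_off` and `sa->cipher_iv_len` in `cn9k_ipsec_outb_sa_create` (hunk `-497,6 +508,9`).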
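Review bot: The `LA_IPSEC_DEBUG` branch in `process_outb_sa` now sends AES-GMAC sessions through `ipsec_po_sa_aes_gcm_iv_set` without a comment explaining why the GCM helper applies to an auth-only algorithm. This path lets the IV come from the operation rather than the hardware, so the uniqueness requirement is worth stating next to it. A comment such as `/* AES-GMAC uses the GCM IV path; a caller-supplied IV must never repeat under the same key. */` above the condition would cover both. The enclosing function starts and ends outside the hunk.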
@@ -211,6 +211,7 @@ ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec, break; case RTE_CRYPTO_AUTH_AES_GMAC: ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_GMAC; + aes_key_len = auth_xform->auth.key.length; break; case RTE_CRYPTO_AUTH_AES_XCBC_MAC: ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_XCBC_128; @@ -265,7 +266,7 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec, struct rte_crypto_sym_xform *crypto_xform, struct roc_ie_on_common_sa *common_sa) { - struct rte_crypto_sym_xform *cipher_xform; + struct rte_crypto_sym_xform *cipher_xform, *auth_xform; const uint8_t *cipher_key; int cipher_key_len = 0; int ret; @@ -279,13 +280,13 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec, common_sa->esn_hi = ipsec->esn.hi; } - if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) - return 0; - - if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) { + auth_xform = crypto_xform; cipher_xform = crypto_xform->next; - else + } else { cipher_xform = crypto_xform; + auth_xform = crypto_xform->next; + } if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) @@ -293,8 +294,16 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec, cipher_key = crypto_xform->aead.key.data; cipher_key_len = crypto_xform->aead.key.length; } else { - cipher_key = cipher_xform->cipher.key.data; - cipher_key_len = cipher_xform->cipher.key.length; + if (cipher_xform) { + cipher_key = cipher_xform->cipher.key.data; + cipher_key_len = cipher_xform->cipher.key.length; + } + + if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) { + memcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4); + cipher_key = auth_xform->auth.key.data; + cipher_key_len = auth_xform->auth.key.length; + } } if (cipher_key_len != 0) 
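Review bot: In `fill_ipsec_common_sa`, the rewritten non-AEAD branch dereferences `auth_xform->auth.algo` without a NULL check, although `cipher_xform` just above it is guarded. When `crypto_xform` is a lone CIPHER transform, `auth_xform` is `crypto_xform->next` and may be NULL. Unless an earlier verifier (not visible in this patch) rejects that shape, session creation would dereference a NULL pointer. Guard it the same way as the cipher side: `if (auth_xform && auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {`. `cipher_key` is also left unset when neither inner branch runs, which is safe only because `cipher_key_len` stays 0 for the check that follows; declaring it as `const uint8_t *cipher_key = NULL;` would make that explicit.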
@@ -358,7 +367,8 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp, return ret; if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM || - ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL) { + ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL || + ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) { template = &out_sa->aes_gcm.template; ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template); } else { @@ -453,6 +463,7 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp, auth_key_len = auth_xform->auth.key.length; switch (auth_xform->auth.algo) { + case RTE_CRYPTO_AUTH_AES_GMAC: case RTE_CRYPTO_AUTH_NULL: break; case RTE_CRYPTO_AUTH_SHA1_HMAC: @@ -497,6 +508,9 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp, } else if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) { sa->cipher_iv_off = crypto_xform->cipher.iv.offset; sa->cipher_iv_len = crypto_xform->cipher.iv.length; + } else { + sa->cipher_iv_off = crypto_xform->auth.iv.offset; + sa->cipher_iv_len = crypto_xform->auth.iv.length; } } #else @@ -553,7 +567,8 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp, return ret; if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD || - auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL) { + auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL || + auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) { ctx_len = offsetof(struct roc_ie_on_inb_sa, sha1_or_gcm.hmac_key[0]); } else { diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h index 542c93bd93..fe2904b619 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.h +++ b/drivers/crypto/cnxk/cnxk_cryptodev.h @@ -11,7 +11,7 @@ #include "roc_cpt.h" #define CNXK_CPT_MAX_CAPS 34 -#define CNXK_SEC_CRYPTO_MAX_CAPS 11 +#define CNXK_SEC_CRYPTO_MAX_CAPS 12 #define CNXK_SEC_MAX_CAPS 9 #define CNXK_AE_EC_ID_MAX 8 /** diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index efd53dbe57..98b002d93a 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c 
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -835,6 +835,31 @@ static const struct rte_cryptodev_capabilities sec_caps_aes[] = { }, } }, } }, + { /* AES GMAC (AUTH) */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, + {.auth = { + .algo = RTE_CRYPTO_AUTH_AES_GMAC, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 8 + }, + .digest_size = { + .min = 8, + .max = 16, + .increment = 4 + }, + .iv_size = { + .min = 12, + .max = 12, + .increment = 0 + } + }, } + }, } + }, }; static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = { diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h index 1524217f98..171ea2774e 100644 --- a/drivers/crypto/cnxk/cnxk_ipsec.h +++ b/drivers/crypto/cnxk/cnxk_ipsec.h @@ -59,6 +59,9 @@ ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform) } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA512_HMAC) { if (keylen == 64) return 0; + } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) { + if (keylen >= 16 && keylen <= 32) + return 0; } if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC && -- 2.20.1
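Review bot: The new AES-GMAC entry in `sec_caps_aes` advertises `.digest_size` from 8 to 16 in steps of 4, so 8- and 12-byte ICVs are offered on the lookaside IPsec path. RFC 4543 requires the full 16-octet tag for AES-GMAC in ESP and AH, and a truncated GMAC tag lowers forgery resistance. Unless the hardware is known to need the shorter sizes, pin the range with `.min = 16, .max = 16, .increment = 0`. Nothing visible in this patch checks the requested digest length for GMAC, so the capability table appears to be the only place this limit is expressed.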
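Review bot: The AES-GMAC branch added to `ipsec_xform_auth_verify` accepts any `keylen` from 16 to 32, which includes values that are not AES key sizes (17, 20, 31 and so on). That is looser than the 16/24/32 set implied by the new capability entry (`min 16, max 32, increment 8`). Tightening it to `if (keylen == 16 || keylen == 24 || keylen == 32)` rejects an invalid length at verification instead of relying on later per-platform code. The function continues past the end of the hunk.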