| Message ID | 20191106051731.3625-7-hemant.agrawal@nxp.com |
|---|---|
| State | New |
| Headers | show |
| Series | [v3,01/13] crypto/dpaa_sec: fix to set PDCP capability flags | expand |
Hi Akhil, > -----Original Message----- > From: dev <dev-bounces@dpdk.org> On Behalf Of Hemant Agrawal > Sent: Wednesday, November 6, 2019 10:47 AM > To: dev@dpdk.org > Cc: Akhil Goyal <akhil.goyal@nxp.com> > Subject: [dpdk-dev] [PATCH v3 07/13] crypto/dpaa_sec: add AES-GCM > support for lookaside case > > This patch add support for AES-128-GCM, when used in proto lookaside > mode. > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > --- > drivers/crypto/dpaa_sec/dpaa_sec.c | 309 ++++++++++++++++++++--------- > 1 file changed, 211 insertions(+), 98 deletions(-) > > diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c > b/drivers/crypto/dpaa_sec/dpaa_sec.c > index 0ef17ee00..27a31d065 100644 > --- a/drivers/crypto/dpaa_sec/dpaa_sec.c > +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c > @@ -382,12 +382,14 @@ dpaa_sec_prep_ipsec_cdb(dpaa_sec_session > *ses) > cipherdata.algtype = ses->cipher_key.alg; > cipherdata.algmode = ses->cipher_key.algmode; > > - authdata.key = (size_t)ses->auth_key.data; > - authdata.keylen = ses->auth_key.length; > - authdata.key_enc_flags = 0; > - authdata.key_type = RTA_DATA_IMM; > - authdata.algtype = ses->auth_key.alg; > - authdata.algmode = ses->auth_key.algmode; > + if (ses->auth_key.length) { > + authdata.key = (size_t)ses->auth_key.data; > + authdata.keylen = ses->auth_key.length; > + authdata.key_enc_flags = 0; > + authdata.key_type = RTA_DATA_IMM; > + authdata.algtype = ses->auth_key.alg; > + authdata.algmode = ses->auth_key.algmode; > + } > > cdb->sh_desc[0] = cipherdata.keylen; > cdb->sh_desc[1] = authdata.keylen; > @@ -2523,33 +2525,76 @@ dpaa_sec_sym_session_clear(struct > rte_cryptodev *dev, > > #ifdef RTE_LIBRTE_SECURITY > static int > -dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, > - struct rte_security_session_conf *conf, > - void *sess) > +dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform, > + struct rte_security_ipsec_xform *ipsec_xform, > + dpaa_sec_session *session) > { > - struct dpaa_sec_dev_private *internals = dev->data->dev_private; > - struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec; > - struct rte_crypto_auth_xform *auth_xform = NULL; > - struct rte_crypto_cipher_xform *cipher_xform = NULL; > - dpaa_sec_session *session = (dpaa_sec_session *)sess; > - uint32_t i; > - > PMD_INIT_FUNC_TRACE(); > > - memset(session, 0, sizeof(dpaa_sec_session)); > - if (ipsec_xform->direction == > RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { > - cipher_xform = &conf->crypto_xform->cipher; > - if (conf->crypto_xform->next) > - auth_xform = &conf->crypto_xform->next->auth; > - } else { > - auth_xform = &conf->crypto_xform->auth; > - if (conf->crypto_xform->next) > - cipher_xform = &conf->crypto_xform->next- > >cipher; > + session->aead_key.data = rte_zmalloc(NULL, aead_xform- > >key.length, > + RTE_CACHE_LINE_SIZE); > + if (session->aead_key.data == NULL && aead_xform->key.length > > 0) { > + DPAA_SEC_ERR("No Memory for aead key"); > + return -1; > } > - session->proto_alg = conf->protocol; > - session->ctxt = DPAA_SEC_IPSEC; > + memcpy(session->aead_key.data, aead_xform->key.data, > + aead_xform->key.length); > + > + session->digest_length = aead_xform->digest_length; > + session->aead_key.length = aead_xform->key.length; > + > + switch (aead_xform->algo) { > + case RTE_CRYPTO_AEAD_AES_GCM: > + switch (session->digest_length) { > + case 8: > + session->aead_key.alg = OP_PCL_IPSEC_AES_GCM8; > + break; > + case 12: > + session->aead_key.alg = > OP_PCL_IPSEC_AES_GCM12; > + break; > + case 16: > + session->aead_key.alg = > OP_PCL_IPSEC_AES_GCM16; > + break; > + default: > + DPAA_SEC_ERR("Crypto: Undefined GCM digest > %d", > + session->digest_length); > + return -1; > + } > + if (session->dir == DIR_ENC) { > + memcpy(session->encap_pdb.gcm.salt, > + (uint8_t *)&(ipsec_xform->salt), 4); > + } else { > + memcpy(session->decap_pdb.gcm.salt, > + (uint8_t *)&(ipsec_xform->salt), 4); > + } > + session->aead_key.algmode = OP_ALG_AAI_GCM; > + session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM; > + break; [Hemant] There is a merge error. I see that you have already applied it. Can you remove following line from the patch. >>> start here. > + if (session->dir == DIR_ENC) { > + /* todo CCM salt length is 3 bytes, left shift 8 bits */ > + memcpy(session->encap_pdb.ccm.salt, > + (uint8_t *)&(ipsec_xform->salt), 4); > + } else { > + memcpy(session->decap_pdb.ccm.salt, > + (uint8_t *)&(ipsec_xform->salt), 4); > + } > + session->aead_key.algmode = OP_ALG_AAI_CCM; > + session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM; > + break; >>> end here. > + default: > + DPAA_SEC_ERR("Crypto: Undefined AEAD specified %u", > + aead_xform->algo); > + return -1; > + } > + return 0; > +} > > - if (cipher_xform && cipher_xform->algo != > RTE_CRYPTO_CIPHER_NULL) { > +static int > +dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform > *cipher_xform, > + struct rte_crypto_auth_xform *auth_xform, > + dpaa_sec_session *session) > +{ > + if (cipher_xform) { > session->cipher_key.data = rte_zmalloc(NULL, > cipher_xform- > >key.length, > RTE_CACHE_LINE_SIZE); > @@ -2558,31 +2603,10 @@ dpaa_sec_set_ipsec_session(__rte_unused > struct rte_cryptodev *dev, > DPAA_SEC_ERR("No Memory for cipher key"); > return -ENOMEM; > } > + > + session->cipher_key.length = cipher_xform->key.length; > memcpy(session->cipher_key.data, cipher_xform- > >key.data, > cipher_xform->key.length); > - session->cipher_key.length = cipher_xform->key.length; > - > - switch (cipher_xform->algo) { > - case RTE_CRYPTO_CIPHER_NULL: > - session->cipher_key.alg = OP_PCL_IPSEC_NULL; > - break; > - case RTE_CRYPTO_CIPHER_AES_CBC: > - session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC; > - session->cipher_key.algmode = OP_ALG_AAI_CBC; > - break; > - case RTE_CRYPTO_CIPHER_3DES_CBC: > - session->cipher_key.alg = OP_PCL_IPSEC_3DES; > - session->cipher_key.algmode = OP_ALG_AAI_CBC; > - break; > - case RTE_CRYPTO_CIPHER_AES_CTR: > - session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR; > - session->cipher_key.algmode = OP_ALG_AAI_CTR; > - break; > - default: > - DPAA_SEC_ERR("Crypto: Unsupported Cipher alg > %u", > - cipher_xform->algo); > - goto out; > - } > session->cipher_alg = cipher_xform->algo; > } else { > session->cipher_key.data = NULL; > @@ -2590,54 +2614,18 @@ dpaa_sec_set_ipsec_session(__rte_unused > struct rte_cryptodev *dev, > session->cipher_alg = RTE_CRYPTO_CIPHER_NULL; > } > > - if (auth_xform && auth_xform->algo != RTE_CRYPTO_AUTH_NULL) { > + if (auth_xform) { > session->auth_key.data = rte_zmalloc(NULL, > auth_xform->key.length, > RTE_CACHE_LINE_SIZE); > if (session->auth_key.data == NULL && > auth_xform->key.length > 0) { > DPAA_SEC_ERR("No Memory for auth key"); > - rte_free(session->cipher_key.data); > return -ENOMEM; > } > + session->auth_key.length = auth_xform->key.length; > memcpy(session->auth_key.data, auth_xform->key.data, > auth_xform->key.length); > - session->auth_key.length = auth_xform->key.length; > - > - switch (auth_xform->algo) { > - case RTE_CRYPTO_AUTH_NULL: > - session->auth_key.alg = > OP_PCL_IPSEC_HMAC_NULL; > - session->digest_length = 0; > - break; > - case RTE_CRYPTO_AUTH_MD5_HMAC: > - session->auth_key.alg = > OP_PCL_IPSEC_HMAC_MD5_96; > - session->auth_key.algmode = OP_ALG_AAI_HMAC; > - break; > - case RTE_CRYPTO_AUTH_SHA1_HMAC: > - session->auth_key.alg = > OP_PCL_IPSEC_HMAC_SHA1_96; > - session->auth_key.algmode = OP_ALG_AAI_HMAC; > - break; > - case RTE_CRYPTO_AUTH_SHA224_HMAC: > - session->auth_key.alg = > OP_PCL_IPSEC_HMAC_SHA1_160; > - session->auth_key.algmode = OP_ALG_AAI_HMAC; > - break; > - case RTE_CRYPTO_AUTH_SHA256_HMAC: > - session->auth_key.alg = > OP_PCL_IPSEC_HMAC_SHA2_256_128; > - session->auth_key.algmode = OP_ALG_AAI_HMAC; > - break; > - case RTE_CRYPTO_AUTH_SHA384_HMAC: > - session->auth_key.alg = > OP_PCL_IPSEC_HMAC_SHA2_384_192; > - session->auth_key.algmode = OP_ALG_AAI_HMAC; > - break; > - case RTE_CRYPTO_AUTH_SHA512_HMAC: > - session->auth_key.alg = > OP_PCL_IPSEC_HMAC_SHA2_512_256; > - session->auth_key.algmode = OP_ALG_AAI_HMAC; > - break; > - default: > - DPAA_SEC_ERR("Crypto: Unsupported auth alg %u", > - auth_xform->algo); > - goto out; > - } > session->auth_alg = auth_xform->algo; > } else { > session->auth_key.data = NULL; > @@ -2645,12 +2633,142 @@ dpaa_sec_set_ipsec_session(__rte_unused > struct rte_cryptodev *dev, > session->auth_alg = RTE_CRYPTO_AUTH_NULL; > } > > + switch (session->auth_alg) { > + case RTE_CRYPTO_AUTH_SHA1_HMAC: > + session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96; > + session->auth_key.algmode = OP_ALG_AAI_HMAC; > + break; > + case RTE_CRYPTO_AUTH_MD5_HMAC: > + session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96; > + session->auth_key.algmode = OP_ALG_AAI_HMAC; > + break; > + case RTE_CRYPTO_AUTH_SHA256_HMAC: > + session->auth_key.alg = > OP_PCL_IPSEC_HMAC_SHA2_256_128; > + session->auth_key.algmode = OP_ALG_AAI_HMAC; > + break; > + case RTE_CRYPTO_AUTH_SHA384_HMAC: > + session->auth_key.alg = > OP_PCL_IPSEC_HMAC_SHA2_384_192; > + session->auth_key.algmode = OP_ALG_AAI_HMAC; > + break; > + case RTE_CRYPTO_AUTH_SHA512_HMAC: > + session->auth_key.alg = > OP_PCL_IPSEC_HMAC_SHA2_512_256; > + session->auth_key.algmode = OP_ALG_AAI_HMAC; > + break; > + case RTE_CRYPTO_AUTH_AES_CMAC: > + session->auth_key.alg = OP_PCL_IPSEC_AES_CMAC_96; > + break; > + case RTE_CRYPTO_AUTH_NULL: > + session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL; > + break; > + case RTE_CRYPTO_AUTH_SHA224_HMAC: > + case RTE_CRYPTO_AUTH_AES_XCBC_MAC: > + case RTE_CRYPTO_AUTH_SNOW3G_UIA2: > + case RTE_CRYPTO_AUTH_SHA1: > + case RTE_CRYPTO_AUTH_SHA256: > + case RTE_CRYPTO_AUTH_SHA512: > + case RTE_CRYPTO_AUTH_SHA224: > + case RTE_CRYPTO_AUTH_SHA384: > + case RTE_CRYPTO_AUTH_MD5: > + case RTE_CRYPTO_AUTH_AES_GMAC: > + case RTE_CRYPTO_AUTH_KASUMI_F9: > + case RTE_CRYPTO_AUTH_AES_CBC_MAC: > + case RTE_CRYPTO_AUTH_ZUC_EIA3: > + DPAA_SEC_ERR("Crypto: Unsupported auth alg %u", > + session->auth_alg); > + return -1; > + default: > + DPAA_SEC_ERR("Crypto: Undefined Auth specified %u", > + session->auth_alg); > + return -1; > + } > + > + switch (session->cipher_alg) { > + case RTE_CRYPTO_CIPHER_AES_CBC: > + session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC; > + session->cipher_key.algmode = OP_ALG_AAI_CBC; > + break; > + case RTE_CRYPTO_CIPHER_3DES_CBC: > + session->cipher_key.alg = OP_PCL_IPSEC_3DES; > + session->cipher_key.algmode = OP_ALG_AAI_CBC; > + break; > + case RTE_CRYPTO_CIPHER_AES_CTR: > + session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR; > + session->cipher_key.algmode = OP_ALG_AAI_CTR; > + break; > + case RTE_CRYPTO_CIPHER_NULL: > + session->cipher_key.alg = OP_PCL_IPSEC_NULL; > + break; > + case RTE_CRYPTO_CIPHER_SNOW3G_UEA2: > + case RTE_CRYPTO_CIPHER_ZUC_EEA3: > + case RTE_CRYPTO_CIPHER_3DES_ECB: > + case RTE_CRYPTO_CIPHER_AES_ECB: > + case RTE_CRYPTO_CIPHER_KASUMI_F8: > + DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u", > + session->cipher_alg); > + return -1; > + default: > + DPAA_SEC_ERR("Crypto: Undefined Cipher specified %u", > + session->cipher_alg); > + return -1; > + } > + > + return 0; > +} > + > +static int > +dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, > + struct rte_security_session_conf *conf, > + void *sess) > +{ > + struct dpaa_sec_dev_private *internals = dev->data->dev_private; > + struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec; > + struct rte_crypto_auth_xform *auth_xform = NULL; > + struct rte_crypto_cipher_xform *cipher_xform = NULL; > + struct rte_crypto_aead_xform *aead_xform = NULL; > + dpaa_sec_session *session = (dpaa_sec_session *)sess; > + uint32_t i; > + int ret; > + > + PMD_INIT_FUNC_TRACE(); > + > + memset(session, 0, sizeof(dpaa_sec_session)); > + session->proto_alg = conf->protocol; > + session->ctxt = DPAA_SEC_IPSEC; > + > + if (ipsec_xform->direction == > RTE_SECURITY_IPSEC_SA_DIR_EGRESS) > + session->dir = DIR_ENC; > + else > + session->dir = DIR_DEC; > + > + if (conf->crypto_xform->type == > RTE_CRYPTO_SYM_XFORM_CIPHER) { > + cipher_xform = &conf->crypto_xform->cipher; > + if (conf->crypto_xform->next) > + auth_xform = &conf->crypto_xform->next->auth; > + ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform, > + session); > + } else if (conf->crypto_xform->type == > RTE_CRYPTO_SYM_XFORM_AUTH) { > + auth_xform = &conf->crypto_xform->auth; > + if (conf->crypto_xform->next) > + cipher_xform = &conf->crypto_xform->next- > >cipher; > + ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform, > + session); > + } else if (conf->crypto_xform->type == > RTE_CRYPTO_SYM_XFORM_AEAD) { > + aead_xform = &conf->crypto_xform->aead; > + ret = dpaa_sec_ipsec_aead_init(aead_xform, > + ipsec_xform, session); > + } else { > + DPAA_SEC_ERR("XFORM not specified"); > + ret = -EINVAL; > + goto out; > + } > + if (ret) { > + DPAA_SEC_ERR("Failed to process xform"); > + goto out; > + } > + > if (ipsec_xform->direction == > RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { > if (ipsec_xform->tunnel.type == > RTE_SECURITY_IPSEC_TUNNEL_IPV4) { > - memset(&session->encap_pdb, 0, > - sizeof(struct ipsec_encap_pdb) + > - sizeof(session->ip4_hdr)); > session->ip4_hdr.ip_v = IPVERSION; > session->ip4_hdr.ip_hl = 5; > session->ip4_hdr.ip_len = rte_cpu_to_be_16( @@ - > 2673,9 +2791,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct > rte_cryptodev *dev, > session->encap_pdb.ip_hdr_len = sizeof(struct ip); > } else if (ipsec_xform->tunnel.type == > RTE_SECURITY_IPSEC_TUNNEL_IPV6) { > - memset(&session->encap_pdb, 0, > - sizeof(struct ipsec_encap_pdb) + > - sizeof(session->ip6_hdr)); > session->ip6_hdr.vtc_flow = rte_cpu_to_be_32( > DPAA_IPv6_DEFAULT_VTC_FLOW | > ((ipsec_xform->tunnel.ipv6.dscp << > @@ -2707,10 +2822,9 @@ dpaa_sec_set_ipsec_session(__rte_unused struct > rte_cryptodev *dev, > if (ipsec_xform->options.esn) > session->encap_pdb.options |= PDBOPTS_ESP_ESN; > session->encap_pdb.spi = ipsec_xform->spi; > - session->dir = DIR_ENC; > + > } else if (ipsec_xform->direction == > RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { > - memset(&session->decap_pdb, 0, sizeof(struct > ipsec_decap_pdb)); > if (ipsec_xform->tunnel.type == > RTE_SECURITY_IPSEC_TUNNEL_IPV4) > session->decap_pdb.options = sizeof(struct ip) << 16; > else > @@ -2718,7 +2832,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct > rte_cryptodev *dev, > sizeof(struct rte_ipv6_hdr) << 16; > if (ipsec_xform->options.esn) > session->decap_pdb.options |= PDBOPTS_ESP_ESN; > - session->dir = DIR_DEC; > } else > goto out; > rte_spinlock_lock(&internals->lock); > -- > 2.17.1
> > Hi Akhil, > > > [Hemant] There is a merge error. I see that you have already applied it. > Can you remove following line from the patch. > >>> start here. > > + if (session->dir == DIR_ENC) { > > + /* todo CCM salt length is 3 bytes, left shift 8 bits */ > > + memcpy(session->encap_pdb.ccm.salt, > > + (uint8_t *)&(ipsec_xform->salt), 4); > > + } else { > > + memcpy(session->decap_pdb.ccm.salt, > > + (uint8_t *)&(ipsec_xform->salt), 4); > > + } > > + session->aead_key.algmode = OP_ALG_AAI_CCM; > > + session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM; > > + break; > >>> end here. > done
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c index 0ef17ee00..27a31d065 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.c +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c @@ -382,12 +382,14 @@ dpaa_sec_prep_ipsec_cdb(dpaa_sec_session *ses) cipherdata.algtype = ses->cipher_key.alg; cipherdata.algmode = ses->cipher_key.algmode; - authdata.key = (size_t)ses->auth_key.data; - authdata.keylen = ses->auth_key.length; - authdata.key_enc_flags = 0; - authdata.key_type = RTA_DATA_IMM; - authdata.algtype = ses->auth_key.alg; - authdata.algmode = ses->auth_key.algmode; + if (ses->auth_key.length) { + authdata.key = (size_t)ses->auth_key.data; + authdata.keylen = ses->auth_key.length; + authdata.key_enc_flags = 0; + authdata.key_type = RTA_DATA_IMM; + authdata.algtype = ses->auth_key.alg; + authdata.algmode = ses->auth_key.algmode; + } cdb->sh_desc[0] = cipherdata.keylen; cdb->sh_desc[1] = authdata.keylen; @@ -2523,33 +2525,76 @@ dpaa_sec_sym_session_clear(struct rte_cryptodev *dev, #ifdef RTE_LIBRTE_SECURITY static int -dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, - struct rte_security_session_conf *conf, - void *sess) +dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform, + struct rte_security_ipsec_xform *ipsec_xform, + dpaa_sec_session *session) { - struct dpaa_sec_dev_private *internals = dev->data->dev_private; - struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec; - struct rte_crypto_auth_xform *auth_xform = NULL; - struct rte_crypto_cipher_xform *cipher_xform = NULL; - dpaa_sec_session *session = (dpaa_sec_session *)sess; - uint32_t i; - PMD_INIT_FUNC_TRACE(); - memset(session, 0, sizeof(dpaa_sec_session)); - if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { - cipher_xform = &conf->crypto_xform->cipher; - if (conf->crypto_xform->next) - auth_xform = &conf->crypto_xform->next->auth; - } else { - auth_xform = &conf->crypto_xform->auth; - if (conf->crypto_xform->next) - cipher_xform = &conf->crypto_xform->next->cipher; + session->aead_key.data = rte_zmalloc(NULL, aead_xform->key.length, + RTE_CACHE_LINE_SIZE); + if (session->aead_key.data == NULL && aead_xform->key.length > 0) { + DPAA_SEC_ERR("No Memory for aead key"); + return -1; } - session->proto_alg = conf->protocol; - session->ctxt = DPAA_SEC_IPSEC; + memcpy(session->aead_key.data, aead_xform->key.data, + aead_xform->key.length); + + session->digest_length = aead_xform->digest_length; + session->aead_key.length = aead_xform->key.length; + + switch (aead_xform->algo) { + case RTE_CRYPTO_AEAD_AES_GCM: + switch (session->digest_length) { + case 8: + session->aead_key.alg = OP_PCL_IPSEC_AES_GCM8; + break; + case 12: + session->aead_key.alg = OP_PCL_IPSEC_AES_GCM12; + break; + case 16: + session->aead_key.alg = OP_PCL_IPSEC_AES_GCM16; + break; + default: + DPAA_SEC_ERR("Crypto: Undefined GCM digest %d", + session->digest_length); + return -1; + } + if (session->dir == DIR_ENC) { + memcpy(session->encap_pdb.gcm.salt, + (uint8_t *)&(ipsec_xform->salt), 4); + } else { + memcpy(session->decap_pdb.gcm.salt, + (uint8_t *)&(ipsec_xform->salt), 4); + } + session->aead_key.algmode = OP_ALG_AAI_GCM; + session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM; + break; + if (session->dir == DIR_ENC) { + /* todo CCM salt length is 3 bytes, left shift 8 bits */ + memcpy(session->encap_pdb.ccm.salt, + (uint8_t *)&(ipsec_xform->salt), 4); + } else { + memcpy(session->decap_pdb.ccm.salt, + (uint8_t *)&(ipsec_xform->salt), 4); + } + session->aead_key.algmode = OP_ALG_AAI_CCM; + session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM; + break; + default: + DPAA_SEC_ERR("Crypto: Undefined AEAD specified %u", + aead_xform->algo); + return -1; + } + return 0; +} - if (cipher_xform && cipher_xform->algo != RTE_CRYPTO_CIPHER_NULL) { +static int +dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform, + struct rte_crypto_auth_xform *auth_xform, + dpaa_sec_session *session) +{ + if (cipher_xform) { session->cipher_key.data = rte_zmalloc(NULL, cipher_xform->key.length, RTE_CACHE_LINE_SIZE); @@ -2558,31 +2603,10 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, DPAA_SEC_ERR("No Memory for cipher key"); return -ENOMEM; } + + session->cipher_key.length = cipher_xform->key.length; memcpy(session->cipher_key.data, cipher_xform->key.data, cipher_xform->key.length); - session->cipher_key.length = cipher_xform->key.length; - - switch (cipher_xform->algo) { - case RTE_CRYPTO_CIPHER_NULL: - session->cipher_key.alg = OP_PCL_IPSEC_NULL; - break; - case RTE_CRYPTO_CIPHER_AES_CBC: - session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC; - session->cipher_key.algmode = OP_ALG_AAI_CBC; - break; - case RTE_CRYPTO_CIPHER_3DES_CBC: - session->cipher_key.alg = OP_PCL_IPSEC_3DES; - session->cipher_key.algmode = OP_ALG_AAI_CBC; - break; - case RTE_CRYPTO_CIPHER_AES_CTR: - session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR; - session->cipher_key.algmode = OP_ALG_AAI_CTR; - break; - default: - DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u", - cipher_xform->algo); - goto out; - } session->cipher_alg = cipher_xform->algo; } else { session->cipher_key.data = NULL; @@ -2590,54 +2614,18 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, session->cipher_alg = RTE_CRYPTO_CIPHER_NULL; } - if (auth_xform && auth_xform->algo != RTE_CRYPTO_AUTH_NULL) { + if (auth_xform) { session->auth_key.data = rte_zmalloc(NULL, auth_xform->key.length, RTE_CACHE_LINE_SIZE); if (session->auth_key.data == NULL && auth_xform->key.length > 0) { DPAA_SEC_ERR("No Memory for auth key"); - rte_free(session->cipher_key.data); return -ENOMEM; } + session->auth_key.length = auth_xform->key.length; memcpy(session->auth_key.data, auth_xform->key.data, auth_xform->key.length); - session->auth_key.length = auth_xform->key.length; - - switch (auth_xform->algo) { - case RTE_CRYPTO_AUTH_NULL: - session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL; - session->digest_length = 0; - break; - case RTE_CRYPTO_AUTH_MD5_HMAC: - session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96; - session->auth_key.algmode = OP_ALG_AAI_HMAC; - break; - case RTE_CRYPTO_AUTH_SHA1_HMAC: - session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96; - session->auth_key.algmode = OP_ALG_AAI_HMAC; - break; - case RTE_CRYPTO_AUTH_SHA224_HMAC: - session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_160; - session->auth_key.algmode = OP_ALG_AAI_HMAC; - break; - case RTE_CRYPTO_AUTH_SHA256_HMAC: - session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128; - session->auth_key.algmode = OP_ALG_AAI_HMAC; - break; - case RTE_CRYPTO_AUTH_SHA384_HMAC: - session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192; - session->auth_key.algmode = OP_ALG_AAI_HMAC; - break; - case RTE_CRYPTO_AUTH_SHA512_HMAC: - session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256; - session->auth_key.algmode = OP_ALG_AAI_HMAC; - break; - default: - DPAA_SEC_ERR("Crypto: Unsupported auth alg %u", - auth_xform->algo); - goto out; - } session->auth_alg = auth_xform->algo; } else { session->auth_key.data = NULL; @@ -2645,12 +2633,142 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, session->auth_alg = RTE_CRYPTO_AUTH_NULL; } + switch (session->auth_alg) { + case RTE_CRYPTO_AUTH_SHA1_HMAC: + session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96; + session->auth_key.algmode = OP_ALG_AAI_HMAC; + break; + case RTE_CRYPTO_AUTH_MD5_HMAC: + session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96; + session->auth_key.algmode = OP_ALG_AAI_HMAC; + break; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128; + session->auth_key.algmode = OP_ALG_AAI_HMAC; + break; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192; + session->auth_key.algmode = OP_ALG_AAI_HMAC; + break; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256; + session->auth_key.algmode = OP_ALG_AAI_HMAC; + break; + case RTE_CRYPTO_AUTH_AES_CMAC: + session->auth_key.alg = OP_PCL_IPSEC_AES_CMAC_96; + break; + case RTE_CRYPTO_AUTH_NULL: + session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL; + break; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + case RTE_CRYPTO_AUTH_AES_XCBC_MAC: + case RTE_CRYPTO_AUTH_SNOW3G_UIA2: + case RTE_CRYPTO_AUTH_SHA1: + case RTE_CRYPTO_AUTH_SHA256: + case RTE_CRYPTO_AUTH_SHA512: + case RTE_CRYPTO_AUTH_SHA224: + case RTE_CRYPTO_AUTH_SHA384: + case RTE_CRYPTO_AUTH_MD5: + case RTE_CRYPTO_AUTH_AES_GMAC: + case RTE_CRYPTO_AUTH_KASUMI_F9: + case RTE_CRYPTO_AUTH_AES_CBC_MAC: + case RTE_CRYPTO_AUTH_ZUC_EIA3: + DPAA_SEC_ERR("Crypto: Unsupported auth alg %u", + session->auth_alg); + return -1; + default: + DPAA_SEC_ERR("Crypto: Undefined Auth specified %u", + session->auth_alg); + return -1; + } + + switch (session->cipher_alg) { + case RTE_CRYPTO_CIPHER_AES_CBC: + session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC; + session->cipher_key.algmode = OP_ALG_AAI_CBC; + break; + case RTE_CRYPTO_CIPHER_3DES_CBC: + session->cipher_key.alg = OP_PCL_IPSEC_3DES; + session->cipher_key.algmode = OP_ALG_AAI_CBC; + break; + case RTE_CRYPTO_CIPHER_AES_CTR: + session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR; + session->cipher_key.algmode = OP_ALG_AAI_CTR; + break; + case RTE_CRYPTO_CIPHER_NULL: + session->cipher_key.alg = OP_PCL_IPSEC_NULL; + break; + case RTE_CRYPTO_CIPHER_SNOW3G_UEA2: + case RTE_CRYPTO_CIPHER_ZUC_EEA3: + case RTE_CRYPTO_CIPHER_3DES_ECB: + case RTE_CRYPTO_CIPHER_AES_ECB: + case RTE_CRYPTO_CIPHER_KASUMI_F8: + DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u", + session->cipher_alg); + return -1; + default: + DPAA_SEC_ERR("Crypto: Undefined Cipher specified %u", + session->cipher_alg); + return -1; + } + + return 0; +} + +static int +dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, + struct rte_security_session_conf *conf, + void *sess) +{ + struct dpaa_sec_dev_private *internals = dev->data->dev_private; + struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec; + struct rte_crypto_auth_xform *auth_xform = NULL; + struct rte_crypto_cipher_xform *cipher_xform = NULL; + struct rte_crypto_aead_xform *aead_xform = NULL; + dpaa_sec_session *session = (dpaa_sec_session *)sess; + uint32_t i; + int ret; + + PMD_INIT_FUNC_TRACE(); + + memset(session, 0, sizeof(dpaa_sec_session)); + session->proto_alg = conf->protocol; + session->ctxt = DPAA_SEC_IPSEC; + + if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) + session->dir = DIR_ENC; + else + session->dir = DIR_DEC; + + if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) { + cipher_xform = &conf->crypto_xform->cipher; + if (conf->crypto_xform->next) + auth_xform = &conf->crypto_xform->next->auth; + ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform, + session); + } else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) { + auth_xform = &conf->crypto_xform->auth; + if (conf->crypto_xform->next) + cipher_xform = &conf->crypto_xform->next->cipher; + ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform, + session); + } else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + aead_xform = &conf->crypto_xform->aead; + ret = dpaa_sec_ipsec_aead_init(aead_xform, + ipsec_xform, session); + } else { + DPAA_SEC_ERR("XFORM not specified"); + ret = -EINVAL; + goto out; + } + if (ret) { + DPAA_SEC_ERR("Failed to process xform"); + goto out; + } + if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { - memset(&session->encap_pdb, 0, - sizeof(struct ipsec_encap_pdb) + - sizeof(session->ip4_hdr)); session->ip4_hdr.ip_v = IPVERSION; session->ip4_hdr.ip_hl = 5; session->ip4_hdr.ip_len = rte_cpu_to_be_16( @@ -2673,9 +2791,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, session->encap_pdb.ip_hdr_len = sizeof(struct ip); } else if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) { - memset(&session->encap_pdb, 0, - sizeof(struct ipsec_encap_pdb) + - sizeof(session->ip6_hdr)); session->ip6_hdr.vtc_flow = rte_cpu_to_be_32( DPAA_IPv6_DEFAULT_VTC_FLOW | ((ipsec_xform->tunnel.ipv6.dscp << @@ -2707,10 +2822,9 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, if (ipsec_xform->options.esn) session->encap_pdb.options |= PDBOPTS_ESP_ESN; session->encap_pdb.spi = ipsec_xform->spi; - session->dir = DIR_ENC; + } else if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { - memset(&session->decap_pdb, 0, sizeof(struct ipsec_decap_pdb)); if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) session->decap_pdb.options = sizeof(struct ip) << 16; else @@ -2718,7 +2832,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, sizeof(struct rte_ipv6_hdr) << 16; if (ipsec_xform->options.esn) session->decap_pdb.options |= PDBOPTS_ESP_ESN; - session->dir = DIR_DEC; } else goto out; rte_spinlock_lock(&internals->lock);
This patch add support for AES-128-GCM, when used in proto lookaside mode. Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> --- drivers/crypto/dpaa_sec/dpaa_sec.c | 309 ++++++++++++++++++++--------- 1 file changed, 211 insertions(+), 98 deletions(-) -- 2.17.1