diff mbox series

[v2,2/5] security: support PDCP short MAC-I

Message ID 20210907085605.3010882-3-g.singh@nxp.com
State Superseded
Headers show
Series None | expand

Commit Message

Gagandeep Singh Sept. 7, 2021, 8:56 a.m. UTC
From: Hemant Agrawal <hemant.agrawal@nxp.com>


This patch add support to handle PDCP short MAC-I domain
along with standard control and data domains as it has to
be treated as special case with PDCP protocol offload support.

ShortMAC-I is the 16 least significant bits of calculated MAC-I. Usually
when a RRC message is exchanged between UE and eNodeB it is integrity &
ciphered protected.

MAC-I = f(key, varShortMAC-I, count, bearer, direction).
Here varShortMAC-I is prepared by using (current cellId, pci of source cell
and C-RNTI of old cell). Other parameters like count, bearer and
direction set to all 1.

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>

---
 app/test-crypto-perf/cperf_options_parsing.c |  8 ++++++-
 doc/guides/prog_guide/rte_security.rst       | 11 ++++++++-
 doc/guides/tools/cryptoperf.rst              |  4 ++--
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c  | 25 ++++++++++----------
 lib/security/rte_security.h                  |  1 +
 5 files changed, 33 insertions(+), 16 deletions(-)

-- 
2.25.1
diff mbox series

Patch

diff --git a/app/test-crypto-perf/cperf_options_parsing.c b/app/test-crypto-perf/cperf_options_parsing.c
index e84f56cfaa..0348972c85 100644
--- a/app/test-crypto-perf/cperf_options_parsing.c
+++ b/app/test-crypto-perf/cperf_options_parsing.c
@@ -662,7 +662,8 @@  parse_pdcp_sn_sz(struct cperf_options *opts, const char *arg)
 
 const char *cperf_pdcp_domain_strs[] = {
 	[RTE_SECURITY_PDCP_MODE_CONTROL] = "control",
-	[RTE_SECURITY_PDCP_MODE_DATA] = "data"
+	[RTE_SECURITY_PDCP_MODE_DATA] = "data",
+	[RTE_SECURITY_PDCP_MODE_SHORT_MAC] = "short_mac"
 };
 
 static int
@@ -677,6 +678,11 @@  parse_pdcp_domain(struct cperf_options *opts, const char *arg)
 			cperf_pdcp_domain_strs
 			[RTE_SECURITY_PDCP_MODE_DATA],
 			RTE_SECURITY_PDCP_MODE_DATA
+		},
+		{
+			cperf_pdcp_domain_strs
+			[RTE_SECURITY_PDCP_MODE_SHORT_MAC],
+			RTE_SECURITY_PDCP_MODE_SHORT_MAC
 		}
 	};
 
diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index f72bc8a78f..ad92c16868 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -1,5 +1,5 @@ 
 ..  SPDX-License-Identifier: BSD-3-Clause
-    Copyright 2017,2020 NXP
+    Copyright 2017,2020-2021 NXP
 
 
 
@@ -408,6 +408,15 @@  PMD which supports the IPsec and PDCP protocol.
                 },
                 .crypto_capabilities = pmd_capabilities
         },
+	{ /* PDCP Lookaside Protocol offload short MAC-I */
+                .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+                .protocol = RTE_SECURITY_PROTOCOL_PDCP,
+                .pdcp = {
+                        .domain = RTE_SECURITY_PDCP_MODE_SHORT_MAC,
+                        .capa_flags = 0
+                },
+                .crypto_capabilities = pmd_capabilities
+        },
         {
                 .action = RTE_SECURITY_ACTION_TYPE_NONE
         }
diff --git a/doc/guides/tools/cryptoperf.rst b/doc/guides/tools/cryptoperf.rst
index be3109054d..d3963f23e3 100644
--- a/doc/guides/tools/cryptoperf.rst
+++ b/doc/guides/tools/cryptoperf.rst
@@ -316,9 +316,9 @@  The following are the application command-line options:
         Set PDCP sequence number size(n) in bits. Valid values of n will
         be 5/7/12/15/18.
 
-* ``--pdcp-domain <control/user>``
+* ``--pdcp-domain <control/user/short_mac>``
 
-        Set PDCP domain to specify Control/user plane.
+        Set PDCP domain to specify short_mac/control/user plane.
 
 * ``--docsis-hdr-sz <n>``
 
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 1ccead3641..4438486a8b 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -3102,7 +3102,7 @@  dpaa2_sec_set_pdcp_session(struct rte_cryptodev *dev,
 	struct rte_security_pdcp_xform *pdcp_xform = &conf->pdcp;
 	struct rte_crypto_sym_xform *xform = conf->crypto_xform;
 	struct rte_crypto_auth_xform *auth_xform = NULL;
-	struct rte_crypto_cipher_xform *cipher_xform;
+	struct rte_crypto_cipher_xform *cipher_xform = NULL;
 	dpaa2_sec_session *session = (dpaa2_sec_session *)sess;
 	struct ctxt_priv *priv;
 	struct dpaa2_sec_dev_private *dev_priv = dev->data->dev_private;
@@ -3134,18 +3134,18 @@  dpaa2_sec_set_pdcp_session(struct rte_cryptodev *dev,
 	flc = &priv->flc_desc[0].flc;
 
 	/* find xfrm types */
-	if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform->next == NULL) {
-		cipher_xform = &xform->cipher;
-	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
-		   xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
-		session->ext_params.aead_ctxt.auth_cipher_text = true;
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
 		cipher_xform = &xform->cipher;
-		auth_xform = &xform->next->auth;
-	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
-		   xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
-		session->ext_params.aead_ctxt.auth_cipher_text = false;
-		cipher_xform = &xform->next->cipher;
+		if (xform->next != NULL) {
+			session->ext_params.aead_ctxt.auth_cipher_text = true;
+			auth_xform = &xform->next->auth;
+		}
+	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
 		auth_xform = &xform->auth;
+		if (xform->next != NULL) {
+			session->ext_params.aead_ctxt.auth_cipher_text = false;
+			cipher_xform = &xform->next->cipher;
+		}
 	} else {
 		DPAA2_SEC_ERR("Invalid crypto type");
 		return -EINVAL;
@@ -3184,7 +3184,8 @@  dpaa2_sec_set_pdcp_session(struct rte_cryptodev *dev,
 	session->pdcp.hfn_threshold = pdcp_xform->hfn_threshold;
 	session->pdcp.hfn_ovd = pdcp_xform->hfn_ovrd;
 	/* hfv ovd offset location is stored in iv.offset value*/
-	session->pdcp.hfn_ovd_offset = cipher_xform->iv.offset;
+	if (cipher_xform)
+		session->pdcp.hfn_ovd_offset = cipher_xform->iv.offset;
 
 	cipherdata.key = (size_t)session->cipher_key.data;
 	cipherdata.keylen = session->cipher_key.length;
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 88d31de0a6..2e136d7929 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -233,6 +233,7 @@  struct rte_security_macsec_xform {
 enum rte_security_pdcp_domain {
 	RTE_SECURITY_PDCP_MODE_CONTROL,	/**< PDCP control plane */
 	RTE_SECURITY_PDCP_MODE_DATA,	/**< PDCP data plane */
+	RTE_SECURITY_PDCP_MODE_SHORT_MAC,	/**< PDCP short mac */
 };
 
 /** PDCP Frame direction */