From patchwork Wed Nov 6 05:17:25 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hemant Agrawal X-Patchwork-Id: 178597 Delivered-To: patch@linaro.org Received: by 2002:a92:38d5:0:0:0:0:0 with SMTP id g82csp126768ilf; Tue, 5 Nov 2019 21:21:28 -0800 (PST) X-Google-Smtp-Source: APXvYqwRQIufPx9A9iSD0iZaxM1VXP0ppd/6SWEw19j13vC9Dx5t1woqdhy305iaDzzhGV0A44+X X-Received: by 2002:a17:906:1f09:: with SMTP id w9mr33661240ejj.35.1573017688309; Tue, 05 Nov 2019 21:21:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1573017688; cv=none; d=google.com; s=arc-20160816; b=pLSxZYKCBr8orOB/GoV1D2UWjDYoz1FOB8+gWWgAA1MOtH1lhx5wAiyE4lfjefftU9 K9MH/XNF8fBo2j/k5BTNQWgLsH1iTNnUyh+1/8QJvfKPd/wKkcNFkSush9twRe30zNzb Zk0Pn6O2ueTXyDkFBPvk9wWPJyjyd/Y905kcrrm0j5DiJ3lcghiDZleoPX0bX4vGnOQS Gcdi2PUC5DIHDWYuXIUqJaF1bFgUUeaRoji/ZtZ9524w1RQdijBbruvBLyOH57DiNmNL bcjBvJ+nbSCdUOtXiEtJwDNFnKVr2jV/uO89nGfXvEGPNljtJF8JKZ69oYpG2qZ2lWU6 8+xQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:subject:references:in-reply-to :message-id:date:cc:to:from; bh=/I5NYceu6BAHIj6dmlPfFprZzbQs7O00BofcoOOyVS0=; b=T3ilH1I+UpSpFqIcP92so2tdbVgjia+evIndXIXW45txKGIt1jXQ6rvpfkEiWmh/TZ 02FpLfXhHlgGi0yrrA2/0hRoG1Hv7wWme09yi7cjY0XCM0YTYuu3L9KCYpNT3FvDrEhx w/w1EWVW9yt3xAp8xZ/lkJuZpBSUMvV+/Ee+O3IBxM5EQE8azs6xW4AObCJDWYQpHX3I Mi+FqlQY/x7ey+KswNXPSj2/XB8P0GrVf/R1TW6uRh94iFUEu26WVDMQegKA7qTrKoOD FSV8ikOmTHIcRutSfvo5E3DvOX4mJUrP9WZ98BDGZSfn6PdxT+7xOX2ePxtDFckMEpUJ bN/A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Return-Path: Received: from dpdk.org (dpdk.org. [92.243.14.124]) by mx.google.com with ESMTP id l3si5782444ejr.86.2019.11.05.21.21.28; Tue, 05 Nov 2019 21:21:28 -0800 (PST) Received-SPF: pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) client-ip=92.243.14.124; Authentication-Results: mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 6F96D1BFC1; Wed, 6 Nov 2019 06:20:52 +0100 (CET) Received: from inva020.nxp.com (inva020.nxp.com [92.121.34.13]) by dpdk.org (Postfix) with ESMTP id CA4261BF70 for ; Wed, 6 Nov 2019 06:20:42 +0100 (CET) Received: from inva020.nxp.com (localhost [127.0.0.1]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id AEC011A0625; Wed, 6 Nov 2019 06:20:42 +0100 (CET) Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com [165.114.16.14]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id DF8F41A07BD; Wed, 6 Nov 2019 06:20:40 +0100 (CET) Received: from bf-netperf1.ap.freescale.net (bf-netperf1.ap.freescale.net [10.232.133.63]) by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id 194D34030F; Wed, 6 Nov 2019 13:20:38 +0800 (SGT) From: Hemant Agrawal To: dev@dpdk.org Cc: akhil.goyal@nxp.com Date: Wed, 6 Nov 2019 10:47:25 +0530 Message-Id: <20191106051731.3625-7-hemant.agrawal@nxp.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191106051731.3625-1-hemant.agrawal@nxp.com> References: <20191101175141.4663-1-hemant.agrawal@nxp.com> <20191106051731.3625-1-hemant.agrawal@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Subject: [dpdk-dev] [PATCH v3 07/13] crypto/dpaa_sec: add AES-GCM support for lookaside case X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" This patch add support for AES-128-GCM, when used in proto lookaside mode. Signed-off-by: Hemant Agrawal --- drivers/crypto/dpaa_sec/dpaa_sec.c | 309 ++++++++++++++++++++--------- 1 file changed, 211 insertions(+), 98 deletions(-) -- 2.17.1 diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c index 0ef17ee00..27a31d065 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.c +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c @@ -382,12 +382,14 @@ dpaa_sec_prep_ipsec_cdb(dpaa_sec_session *ses) cipherdata.algtype = ses->cipher_key.alg; cipherdata.algmode = ses->cipher_key.algmode; - authdata.key = (size_t)ses->auth_key.data; - authdata.keylen = ses->auth_key.length; - authdata.key_enc_flags = 0; - authdata.key_type = RTA_DATA_IMM; - authdata.algtype = ses->auth_key.alg; - authdata.algmode = ses->auth_key.algmode; + if (ses->auth_key.length) { + authdata.key = (size_t)ses->auth_key.data; + authdata.keylen = ses->auth_key.length; + authdata.key_enc_flags = 0; + authdata.key_type = RTA_DATA_IMM; + authdata.algtype = ses->auth_key.alg; + authdata.algmode = ses->auth_key.algmode; + } cdb->sh_desc[0] = cipherdata.keylen; cdb->sh_desc[1] = authdata.keylen; @@ -2523,33 +2525,76 @@ dpaa_sec_sym_session_clear(struct rte_cryptodev *dev, #ifdef RTE_LIBRTE_SECURITY static int -dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, - struct rte_security_session_conf *conf, - void *sess) +dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform, + struct rte_security_ipsec_xform *ipsec_xform, + dpaa_sec_session *session) { - struct dpaa_sec_dev_private *internals = dev->data->dev_private; - struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec; - struct rte_crypto_auth_xform *auth_xform = NULL; - struct rte_crypto_cipher_xform *cipher_xform = NULL; - dpaa_sec_session *session = (dpaa_sec_session *)sess; - uint32_t i; - PMD_INIT_FUNC_TRACE(); - memset(session, 0, sizeof(dpaa_sec_session)); - if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { - cipher_xform = &conf->crypto_xform->cipher; - if (conf->crypto_xform->next) - auth_xform = &conf->crypto_xform->next->auth; - } else { - auth_xform = &conf->crypto_xform->auth; - if (conf->crypto_xform->next) - cipher_xform = &conf->crypto_xform->next->cipher; + session->aead_key.data = rte_zmalloc(NULL, aead_xform->key.length, + RTE_CACHE_LINE_SIZE); + if (session->aead_key.data == NULL && aead_xform->key.length > 0) { + DPAA_SEC_ERR("No Memory for aead key"); + return -1; } - session->proto_alg = conf->protocol; - session->ctxt = DPAA_SEC_IPSEC; + memcpy(session->aead_key.data, aead_xform->key.data, + aead_xform->key.length); + + session->digest_length = aead_xform->digest_length; + session->aead_key.length = aead_xform->key.length; + + switch (aead_xform->algo) { + case RTE_CRYPTO_AEAD_AES_GCM: + switch (session->digest_length) { + case 8: + session->aead_key.alg = OP_PCL_IPSEC_AES_GCM8; + break; + case 12: + session->aead_key.alg = OP_PCL_IPSEC_AES_GCM12; + break; + case 16: + session->aead_key.alg = OP_PCL_IPSEC_AES_GCM16; + break; + default: + DPAA_SEC_ERR("Crypto: Undefined GCM digest %d", + session->digest_length); + return -1; + } + if (session->dir == DIR_ENC) { + memcpy(session->encap_pdb.gcm.salt, + (uint8_t *)&(ipsec_xform->salt), 4); + } else { + memcpy(session->decap_pdb.gcm.salt, + (uint8_t *)&(ipsec_xform->salt), 4); + } + session->aead_key.algmode = OP_ALG_AAI_GCM; + session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM; + break; + if (session->dir == DIR_ENC) { + /* todo CCM salt length is 3 bytes, left shift 8 bits */ + memcpy(session->encap_pdb.ccm.salt, + (uint8_t *)&(ipsec_xform->salt), 4); + } else { + memcpy(session->decap_pdb.ccm.salt, + (uint8_t *)&(ipsec_xform->salt), 4); + } + session->aead_key.algmode = OP_ALG_AAI_CCM; + session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM; + break; + default: + DPAA_SEC_ERR("Crypto: Undefined AEAD specified %u", + aead_xform->algo); + return -1; + } + return 0; +} - if (cipher_xform && cipher_xform->algo != RTE_CRYPTO_CIPHER_NULL) { +static int +dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform, + struct rte_crypto_auth_xform *auth_xform, + dpaa_sec_session *session) +{ + if (cipher_xform) { session->cipher_key.data = rte_zmalloc(NULL, cipher_xform->key.length, RTE_CACHE_LINE_SIZE); @@ -2558,31 +2603,10 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, DPAA_SEC_ERR("No Memory for cipher key"); return -ENOMEM; } + + session->cipher_key.length = cipher_xform->key.length; memcpy(session->cipher_key.data, cipher_xform->key.data, cipher_xform->key.length); - session->cipher_key.length = cipher_xform->key.length; - - switch (cipher_xform->algo) { - case RTE_CRYPTO_CIPHER_NULL: - session->cipher_key.alg = OP_PCL_IPSEC_NULL; - break; - case RTE_CRYPTO_CIPHER_AES_CBC: - session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC; - session->cipher_key.algmode = OP_ALG_AAI_CBC; - break; - case RTE_CRYPTO_CIPHER_3DES_CBC: - session->cipher_key.alg = OP_PCL_IPSEC_3DES; - session->cipher_key.algmode = OP_ALG_AAI_CBC; - break; - case RTE_CRYPTO_CIPHER_AES_CTR: - session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR; - session->cipher_key.algmode = OP_ALG_AAI_CTR; - break; - default: - DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u", - cipher_xform->algo); - goto out; - } session->cipher_alg = cipher_xform->algo; } else { session->cipher_key.data = NULL; @@ -2590,54 +2614,18 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, session->cipher_alg = RTE_CRYPTO_CIPHER_NULL; } - if (auth_xform && auth_xform->algo != RTE_CRYPTO_AUTH_NULL) { + if (auth_xform) { session->auth_key.data = rte_zmalloc(NULL, auth_xform->key.length, RTE_CACHE_LINE_SIZE); if (session->auth_key.data == NULL && auth_xform->key.length > 0) { DPAA_SEC_ERR("No Memory for auth key"); - rte_free(session->cipher_key.data); return -ENOMEM; } + session->auth_key.length = auth_xform->key.length; memcpy(session->auth_key.data, auth_xform->key.data, auth_xform->key.length); - session->auth_key.length = auth_xform->key.length; - - switch (auth_xform->algo) { - case RTE_CRYPTO_AUTH_NULL: - session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL; - session->digest_length = 0; - break; - case RTE_CRYPTO_AUTH_MD5_HMAC: - session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96; - session->auth_key.algmode = OP_ALG_AAI_HMAC; - break; - case RTE_CRYPTO_AUTH_SHA1_HMAC: - session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96; - session->auth_key.algmode = OP_ALG_AAI_HMAC; - break; - case RTE_CRYPTO_AUTH_SHA224_HMAC: - session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_160; - session->auth_key.algmode = OP_ALG_AAI_HMAC; - break; - case RTE_CRYPTO_AUTH_SHA256_HMAC: - session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128; - session->auth_key.algmode = OP_ALG_AAI_HMAC; - break; - case RTE_CRYPTO_AUTH_SHA384_HMAC: - session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192; - session->auth_key.algmode = OP_ALG_AAI_HMAC; - break; - case RTE_CRYPTO_AUTH_SHA512_HMAC: - session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256; - session->auth_key.algmode = OP_ALG_AAI_HMAC; - break; - default: - DPAA_SEC_ERR("Crypto: Unsupported auth alg %u", - auth_xform->algo); - goto out; - } session->auth_alg = auth_xform->algo; } else { session->auth_key.data = NULL; @@ -2645,12 +2633,142 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, session->auth_alg = RTE_CRYPTO_AUTH_NULL; } + switch (session->auth_alg) { + case RTE_CRYPTO_AUTH_SHA1_HMAC: + session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96; + session->auth_key.algmode = OP_ALG_AAI_HMAC; + break; + case RTE_CRYPTO_AUTH_MD5_HMAC: + session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96; + session->auth_key.algmode = OP_ALG_AAI_HMAC; + break; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128; + session->auth_key.algmode = OP_ALG_AAI_HMAC; + break; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192; + session->auth_key.algmode = OP_ALG_AAI_HMAC; + break; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256; + session->auth_key.algmode = OP_ALG_AAI_HMAC; + break; + case RTE_CRYPTO_AUTH_AES_CMAC: + session->auth_key.alg = OP_PCL_IPSEC_AES_CMAC_96; + break; + case RTE_CRYPTO_AUTH_NULL: + session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL; + break; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + case RTE_CRYPTO_AUTH_AES_XCBC_MAC: + case RTE_CRYPTO_AUTH_SNOW3G_UIA2: + case RTE_CRYPTO_AUTH_SHA1: + case RTE_CRYPTO_AUTH_SHA256: + case RTE_CRYPTO_AUTH_SHA512: + case RTE_CRYPTO_AUTH_SHA224: + case RTE_CRYPTO_AUTH_SHA384: + case RTE_CRYPTO_AUTH_MD5: + case RTE_CRYPTO_AUTH_AES_GMAC: + case RTE_CRYPTO_AUTH_KASUMI_F9: + case RTE_CRYPTO_AUTH_AES_CBC_MAC: + case RTE_CRYPTO_AUTH_ZUC_EIA3: + DPAA_SEC_ERR("Crypto: Unsupported auth alg %u", + session->auth_alg); + return -1; + default: + DPAA_SEC_ERR("Crypto: Undefined Auth specified %u", + session->auth_alg); + return -1; + } + + switch (session->cipher_alg) { + case RTE_CRYPTO_CIPHER_AES_CBC: + session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC; + session->cipher_key.algmode = OP_ALG_AAI_CBC; + break; + case RTE_CRYPTO_CIPHER_3DES_CBC: + session->cipher_key.alg = OP_PCL_IPSEC_3DES; + session->cipher_key.algmode = OP_ALG_AAI_CBC; + break; + case RTE_CRYPTO_CIPHER_AES_CTR: + session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR; + session->cipher_key.algmode = OP_ALG_AAI_CTR; + break; + case RTE_CRYPTO_CIPHER_NULL: + session->cipher_key.alg = OP_PCL_IPSEC_NULL; + break; + case RTE_CRYPTO_CIPHER_SNOW3G_UEA2: + case RTE_CRYPTO_CIPHER_ZUC_EEA3: + case RTE_CRYPTO_CIPHER_3DES_ECB: + case RTE_CRYPTO_CIPHER_AES_ECB: + case RTE_CRYPTO_CIPHER_KASUMI_F8: + DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u", + session->cipher_alg); + return -1; + default: + DPAA_SEC_ERR("Crypto: Undefined Cipher specified %u", + session->cipher_alg); + return -1; + } + + return 0; +} + +static int +dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, + struct rte_security_session_conf *conf, + void *sess) +{ + struct dpaa_sec_dev_private *internals = dev->data->dev_private; + struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec; + struct rte_crypto_auth_xform *auth_xform = NULL; + struct rte_crypto_cipher_xform *cipher_xform = NULL; + struct rte_crypto_aead_xform *aead_xform = NULL; + dpaa_sec_session *session = (dpaa_sec_session *)sess; + uint32_t i; + int ret; + + PMD_INIT_FUNC_TRACE(); + + memset(session, 0, sizeof(dpaa_sec_session)); + session->proto_alg = conf->protocol; + session->ctxt = DPAA_SEC_IPSEC; + + if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) + session->dir = DIR_ENC; + else + session->dir = DIR_DEC; + + if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) { + cipher_xform = &conf->crypto_xform->cipher; + if (conf->crypto_xform->next) + auth_xform = &conf->crypto_xform->next->auth; + ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform, + session); + } else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) { + auth_xform = &conf->crypto_xform->auth; + if (conf->crypto_xform->next) + cipher_xform = &conf->crypto_xform->next->cipher; + ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform, + session); + } else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + aead_xform = &conf->crypto_xform->aead; + ret = dpaa_sec_ipsec_aead_init(aead_xform, + ipsec_xform, session); + } else { + DPAA_SEC_ERR("XFORM not specified"); + ret = -EINVAL; + goto out; + } + if (ret) { + DPAA_SEC_ERR("Failed to process xform"); + goto out; + } + if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { - memset(&session->encap_pdb, 0, - sizeof(struct ipsec_encap_pdb) + - sizeof(session->ip4_hdr)); session->ip4_hdr.ip_v = IPVERSION; session->ip4_hdr.ip_hl = 5; session->ip4_hdr.ip_len = rte_cpu_to_be_16( @@ -2673,9 +2791,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, session->encap_pdb.ip_hdr_len = sizeof(struct ip); } else if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) { - memset(&session->encap_pdb, 0, - sizeof(struct ipsec_encap_pdb) + - sizeof(session->ip6_hdr)); session->ip6_hdr.vtc_flow = rte_cpu_to_be_32( DPAA_IPv6_DEFAULT_VTC_FLOW | ((ipsec_xform->tunnel.ipv6.dscp << @@ -2707,10 +2822,9 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, if (ipsec_xform->options.esn) session->encap_pdb.options |= PDBOPTS_ESP_ESN; session->encap_pdb.spi = ipsec_xform->spi; - session->dir = DIR_ENC; + } else if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { - memset(&session->decap_pdb, 0, sizeof(struct ipsec_decap_pdb)); if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) session->decap_pdb.options = sizeof(struct ip) << 16; else @@ -2718,7 +2832,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, sizeof(struct rte_ipv6_hdr) << 16; if (ipsec_xform->options.esn) session->decap_pdb.options |= PDBOPTS_ESP_ESN; - session->dir = DIR_DEC; } else goto out; rte_spinlock_lock(&internals->lock);