Support for aes-cbc sha256-128-hmac is added in lookaside protocol mode. The functionality is verified using ipsec-secgw application.
Signed-off-by: Ankur Dwivedi <[email protected]> --- doc/guides/cryptodevs/octeontx2.rst | 1 + doc/guides/rel_notes/release_21_02.rst | 2 + drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 41 +++++++++++++++++-- drivers/crypto/octeontx2/otx2_ipsec_po.h | 25 ++++++++--- drivers/crypto/octeontx2/otx2_security.h | 1 + 5 files changed, 61 insertions(+), 9 deletions(-) diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst index ef21ad830e..fcfb649cce 100644 --- a/doc/guides/cryptodevs/octeontx2.rst +++ b/doc/guides/cryptodevs/octeontx2.rst @@ -179,3 +179,4 @@ Features supported * Anti-replay * AES-128/192/256-GCM * AES-128/192/256-CBC-SHA1-HMAC +* AES-128/192/256-CBC-SHA256-128-HMAC diff --git a/doc/guides/rel_notes/release_21_02.rst b/doc/guides/rel_notes/release_21_02.rst index c11c25806f..a6a689d01c 100644 --- a/doc/guides/rel_notes/release_21_02.rst +++ b/doc/guides/rel_notes/release_21_02.rst @@ -63,6 +63,8 @@ New Features * Added support for aes-cbc sha1-hmac cipher combination in OCTEON TX2 crypto PMD lookaside protocol offload for IPsec. + * Added support for aes-cbc sha256-128-hmac cipher combination in OCTEON TX2 + crypto PMD lookaside protocol offload for IPsec. Removed Items ------------- diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c index 3cdb5bd1e6..89ed7cbd25 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c @@ -74,6 +74,8 @@ ipsec_lp_len_precalc(struct rte_security_ipsec_xform *ipsec, if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) lp->partial_len += OTX2_SEC_SHA1_HMAC_LEN; + else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) + lp->partial_len += OTX2_SEC_SHA2_HMAC_LEN; else return -EINVAL; @@ -268,6 +270,18 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, sa->sha1.template.ip4); ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); lp->ctx_len = ctx_len >> 3; + } else if (ctl->auth_type == + OTX2_IPSEC_PO_SA_AUTH_SHA2_256) { + if (ipsec->options.udp_encap) { + sa->sha2.template.ip4.udp_src = 4500; + sa->sha2.template.ip4.udp_dst = 4500; + } + ip = &sa->sha2.template.ip4.ipv4_hdr; + ctx_len = offsetof(struct otx2_ipsec_po_out_sa, + sha2.template) + sizeof( + sa->sha2.template.ip4); + ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); + lp->ctx_len = ctx_len >> 3; } ip->version_ihl = RTE_IPV4_VHL_DEF; ip->next_proto_id = IPPROTO_ESP; @@ -305,6 +319,18 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, sa->sha1.template.ip6); ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); lp->ctx_len = ctx_len >> 3; + } else if (ctl->auth_type == + OTX2_IPSEC_PO_SA_AUTH_SHA2_256) { + if (ipsec->options.udp_encap) { + sa->sha2.template.ip6.udp_src = 4500; + sa->sha2.template.ip6.udp_dst = 4500; + } + ip6 = &sa->sha2.template.ip6.ipv6_hdr; + ctx_len = offsetof(struct otx2_ipsec_po_out_sa, + sha2.template) + sizeof( + sa->sha2.template.ip6); + ctx_len = RTE_ALIGN_CEIL(ctx_len, 8); + lp->ctx_len = ctx_len >> 3; } ip6->vtc_flow = rte_cpu_to_be_32(0x60000000 | @@ -348,6 +374,8 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) memcpy(sa->sha1.hmac_key, auth_key, auth_key_len); + else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) + memcpy(sa->sha2.hmac_key, auth_key, auth_key_len); } if (cipher_key_len != 0) @@ -427,11 +455,16 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev, auth_key = auth_xform->auth.key.data; auth_key_len = auth_xform->auth.key.length; - if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) + if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) { memcpy(sa->aes_gcm.hmac_key, auth_key, auth_key_len); - - lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa, - aes_gcm.selector) >> 3; + lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa, + aes_gcm.selector) >> 3; + } else if (auth_xform->auth.algo == + RTE_CRYPTO_AUTH_SHA256_HMAC) { + memcpy(sa->sha2.hmac_key, auth_key, auth_key_len); + lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa, + sha2.selector) >> 3; + } } if (cipher_key_len != 0) diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h index 2141b6c793..8a672a38ea 100644 --- a/drivers/crypto/octeontx2/otx2_ipsec_po.h +++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h @@ -152,11 +152,18 @@ struct otx2_ipsec_po_in_sa { /* w8 */ uint8_t udp_encap[8]; - /* w9-w23 */ - struct { - uint8_t hmac_key[48]; - struct otx2_ipsec_po_traffic_selector selector; - } aes_gcm; + /* w9-w33 */ + union { + struct { + uint8_t hmac_key[48]; + struct otx2_ipsec_po_traffic_selector selector; + } aes_gcm; + struct { + uint8_t hmac_key[64]; + uint8_t hmac_iv[64]; + struct otx2_ipsec_po_traffic_selector selector; + } sha2; + }; union { struct otx2_ipsec_replay *replay; uint64_t replay64; @@ -205,6 +212,11 @@ struct otx2_ipsec_po_out_sa { uint8_t unused[24]; struct otx2_ipsec_po_ip_template template; } sha1; + struct { + uint8_t hmac_key[64]; + uint8_t hmac_iv[64]; + struct otx2_ipsec_po_ip_template template; + } sha2; }; }; @@ -234,6 +246,9 @@ ipsec_po_xform_auth_verify(struct rte_crypto_sym_xform *xform) if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) { if (keylen >= 20 && keylen <= 64) return 0; + } else if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) { + if (keylen >= 32 && keylen <= 64) + return 0; } return -ENOTSUP; diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h index 33d3b15155..9f1ba71b46 100644 --- a/drivers/crypto/octeontx2/otx2_security.h +++ b/drivers/crypto/octeontx2/otx2_security.h @@ -15,6 +15,7 @@ #define OTX2_SEC_AES_GCM_MAC_LEN 16 #define OTX2_SEC_AES_CBC_IV_LEN 16 #define OTX2_SEC_SHA1_HMAC_LEN 12 +#define OTX2_SEC_SHA2_HMAC_LEN 16 #define OTX2_SEC_AES_GCM_ROUNDUP_BYTE_LEN 4 #define OTX2_SEC_AES_CBC_ROUNDUP_BYTE_LEN 16 -- 2.28.0
