@@ -267,6 +267,8 @@ Auth algorithms
* SHA1-HMAC
* SHA256-128-HMAC
+* SHA384-192-HMAC
+* SHA512-256-HMAC
CN10XX Features supported
~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -293,3 +295,5 @@ Auth algorithms
* NULL
* SHA1-HMAC
* SHA256-128-HMAC
+* SHA384-192-HMAC
+* SHA512-256-HMAC
@@ -58,6 +58,8 @@ New Features
* **Updated Marvell cnxk crypto PMD.**
* Added SHA256-HMAC support in lookaside protocol (IPsec) for CN10K.
+ * Added SHA384-HMAC support in lookaside protocol (IPsec) for CN9K & CN10K.
+ * Added SHA512-HMAC support in lookaside protocol (IPsec) for CN9K & CN10K.
Removed Items
@@ -36,6 +36,14 @@ ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform,
roc_hash_sha256_gen(opad, (uint32_t *)&hmac_opad_ipad[0]);
roc_hash_sha256_gen(ipad, (uint32_t *)&hmac_opad_ipad[64]);
break;
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ roc_hash_sha512_gen(opad, (uint64_t *)&hmac_opad_ipad[0], 384);
+ roc_hash_sha512_gen(ipad, (uint64_t *)&hmac_opad_ipad[64], 384);
+ break;
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ roc_hash_sha512_gen(opad, (uint64_t *)&hmac_opad_ipad[0], 512);
+ roc_hash_sha512_gen(ipad, (uint64_t *)&hmac_opad_ipad[64], 512);
+ break;
default:
break;
}
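Review bot: The new SHA384/SHA512 cases store the ipad state at `&hmac_opad_ipad[64]`, which is only correct if each `roc_hash_sha512_gen()` call emits exactly 64 bytes (presumably eight 64-bit state words), so the caller's buffer must hold at least 128 bytes. SHA-384/512 also use a 128-byte block, so the `opad`/`ipad` arrays and the key XOR loop have to cover 128 bytes. Their declarations are outside the hunk and should be checked. I would record the layout above the new cases, e.g. `/* SHA-384/512 partial hash is 8 x 64-bit words: opad state at [0..63], ipad state at [64..127] */`. The `default: break;` arm still returns with the buffer untouched and no error, so an unsupported algorithm is not reported from here.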
@@ -125,28 +133,28 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
break;
case RTE_CRYPTO_AUTH_SHA1_HMAC:
w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA1;
- ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
-
- tmp_key = (uint64_t *)hmac_opad_ipad;
- for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN /
- sizeof(uint64_t));
- i++)
- tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
break;
case RTE_CRYPTO_AUTH_SHA256_HMAC:
w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_256;
- ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
-
- tmp_key = (uint64_t *)hmac_opad_ipad;
- for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN /
- sizeof(uint64_t));
- i++)
- tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
+ break;
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_384;
+ break;
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_512;
break;
default:
return -ENOTSUP;
}
+ ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad);
+
+ tmp_key = (uint64_t *)hmac_opad_ipad;
+ for (i = 0;
+ i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t));
+ i++)
+ tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
+
key = cipher_xfrm->cipher.key.data;
length = cipher_xfrm->cipher.key.length;
}
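Review bot: Hoisting `ipsec_hmac_opad_ipad_gen()` and the byte-swap loop below the switch makes them run for every algorithm that leaves the switch with `break`, not only the HMAC cases. The case that ends with the `break;` on the first line of this hunk is outside the hunk. If it is a non-HMAC case such as NULL auth, the helper now reads that xform's key and the loop swaps a buffer the helper never filled. If that is not intended, guard the shared tail with `if (auth_xfrm->auth.algo != RTE_CRYPTO_AUTH_NULL)`, or add a comment saying the call is harmless for that case.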
@@ -321,14 +321,23 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL) {
template = &out_sa->aes_gcm.template;
ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template);
- } else if (ctl->auth_type == ROC_IE_ON_SA_AUTH_SHA1) {
- template = &out_sa->sha1.template;
- ctx_len = offsetof(struct roc_ie_on_outb_sa, sha1.template);
- } else if (ctl->auth_type == ROC_IE_ON_SA_AUTH_SHA2_256) {
- template = &out_sa->sha2.template;
- ctx_len = offsetof(struct roc_ie_on_outb_sa, sha2.template);
} else {
- return -EINVAL;
+ switch (ctl->auth_type) {
+ case ROC_IE_ON_SA_AUTH_SHA1:
+ template = &out_sa->sha1.template;
+ ctx_len = offsetof(struct roc_ie_on_outb_sa,
+ sha1.template);
+ break;
+ case ROC_IE_ON_SA_AUTH_SHA2_256:
+ case ROC_IE_ON_SA_AUTH_SHA2_384:
+ case ROC_IE_ON_SA_AUTH_SHA2_512:
+ template = &out_sa->sha2.template;
+ ctx_len = offsetof(struct roc_ie_on_outb_sa,
+ sha2.template);
+ break;
+ default:
+ return -EINVAL;
+ }
}
ip4 = (struct rte_ipv4_hdr *)&template->ip4.ipv4_hdr;
@@ -397,10 +406,22 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
auth_key = auth_xform->auth.key.data;
auth_key_len = auth_xform->auth.key.length;
- if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+ switch (auth_xform->auth.algo) {
+ case RTE_CRYPTO_AUTH_NULL:
+ break;
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
memcpy(out_sa->sha1.hmac_key, auth_key, auth_key_len);
- else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
+ break;
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
memcpy(out_sa->sha2.hmac_key, auth_key, auth_key_len);
+ break;
+ default:
+ plt_err("Unsupported auth algorithm %u",
+ auth_xform->auth.algo);
+ return -ENOTSUP;
+ }
}
inst_tmpl = &sa->inst;
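Review bot: `memcpy(out_sa->sha2.hmac_key, auth_key, auth_key_len)` now also takes the 48- and 64-byte SHA-384/512 keys, but its length is still the caller-supplied `auth_key_len`, and nothing in this hunk compares it with the destination field. The size of `sha2.hmac_key` is not visible here, nor is whether `ipsec_xform_auth_verify()` always runs before this function. A local bound keeps the copy safe regardless: `if (auth_key_len > sizeof(out_sa->sha2.hmac_key)) return -EINVAL;` before the switch arm's copy, with the equivalent check for `sha1.hmac_key`. The same applies to the `in_sa->sha1_or_gcm.hmac_key` and `in_sa->sha2.hmac_key` copies in the `cn9k_ipsec_inb_sa_create` hunk.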
@@ -466,16 +487,26 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
auth_key = auth_xform->auth.key.data;
auth_key_len = auth_xform->auth.key.length;
- if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+ switch (auth_xform->auth.algo) {
+ case RTE_CRYPTO_AUTH_NULL:
+ break;
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
memcpy(in_sa->sha1_or_gcm.hmac_key, auth_key,
auth_key_len);
ctx_len = offsetof(struct roc_ie_on_inb_sa,
sha1_or_gcm.selector);
- } else if (auth_xform->auth.algo ==
- RTE_CRYPTO_AUTH_SHA256_HMAC) {
+ break;
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
memcpy(in_sa->sha2.hmac_key, auth_key, auth_key_len);
ctx_len = offsetof(struct roc_ie_on_inb_sa,
sha2.selector);
+ break;
+ default:
+ plt_err("Unsupported auth algorithm %u",
+ auth_xform->auth.algo);
+ return -ENOTSUP;
}
}
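Review bot: The `case RTE_CRYPTO_AUTH_NULL: break;` arm leaves `ctx_len` unassigned, while both SHA arms set it. The declaration of `ctx_len` and any earlier assignment are outside the hunk, so this may already be handled. If nothing else sets it for NULL auth, the context length used later in the function would be indeterminate. Either assign it explicitly in the NULL arm, or add a short comment there saying where `ctx_len` gets its value for that case.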
@@ -11,7 +11,7 @@
#include "roc_cpt.h"
#define CNXK_CPT_MAX_CAPS 34
-#define CNXK_SEC_CRYPTO_MAX_CAPS 6
+#define CNXK_SEC_CRYPTO_MAX_CAPS 8
#define CNXK_SEC_MAX_CAPS 5
#define CNXK_AE_EC_ID_MAX 8
/**
@@ -817,6 +817,46 @@ static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = {
}, }
}, }
},
+ { /* SHA384 HMAC */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
+ .block_size = 64,
+ .key_size = {
+ .min = 48,
+ .max = 48,
+ .increment = 0
+ },
+ .digest_size = {
+ .min = 24,
+ .max = 24,
+ .increment = 0
+ },
+ }, }
+ }, }
+ },
+ { /* SHA512 HMAC */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_SHA512_HMAC,
+ .block_size = 128,
+ .key_size = {
+ .min = 64,
+ .max = 64,
+ .increment = 0
+ },
+ .digest_size = {
+ .min = 32,
+ .max = 32,
+ .increment = 0
+ },
+ }, }
+ }, }
+ },
};
static const struct rte_security_capability sec_caps_templ[] = {
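Review bot: The SHA384 HMAC entry advertises `.block_size = 64`, but SHA-384 is a truncated SHA-512 and shares its 128-byte block, as the SHA512 entry just below it correctly states. An application that sizes or pads buffers from the capability would get the wrong value, so the line should read `.block_size = 128,`. The fixed key sizes (48/64) and truncated digest sizes (24/32) match the `SHA384-192-HMAC` and `SHA512-256-HMAC` names in the documentation hunks. The array itself begins outside this hunk.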
@@ -49,6 +49,12 @@ ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
} else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) {
if (keylen >= 32 && keylen <= 64)
return 0;
+ } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA384_HMAC) {
+ if (keylen == 48)
+ return 0;
+ } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA512_HMAC) {
+ if (keylen == 64)
+ return 0;
}
return -ENOTSUP;
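Review bot: The two new branches accept exactly one key length each (48 and 64), while the SHA256 branch above accepts a range, and nothing here says why they differ. The values mirror the `key_size` min/max advertised for these algorithms in `sec_caps_sha1_sha2[]`, so the two places must change together. A comment on the new branches would make that explicit, e.g. `/* Fixed key length, must match key_size in sec_caps_sha1_sha2[] */`. This matters because the SA-creation code copies `auth_key_len` bytes into the `hmac_key` fields, which makes this check the gate for those copies, assuming it is called on that path.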