[2/2] crypto/octeontx2: add support for aes-cbc sha256-128-hmac
Checks
Commit Message
Support for aes-cbc sha256-128-hmac is added in lookaside protocol
mode. The functionality is verified using ipsec-secgw application.
Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
---
doc/guides/cryptodevs/octeontx2.rst | 1 +
doc/guides/rel_notes/release_21_02.rst | 2 +
drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 41 +++++++++++++++++--
drivers/crypto/octeontx2/otx2_ipsec_po.h | 25 ++++++++---
drivers/crypto/octeontx2/otx2_security.h | 1 +
5 files changed, 61 insertions(+), 9 deletions(-)
@@ -179,3 +179,4 @@ Features supported
* Anti-replay
* AES-128/192/256-GCM
* AES-128/192/256-CBC-SHA1-HMAC
+* AES-128/192/256-CBC-SHA256-128-HMAC
@@ -63,6 +63,8 @@ New Features
* Added support for aes-cbc sha1-hmac cipher combination in OCTEON TX2 crypto
PMD lookaside protocol offload for IPsec.
+ * Added support for aes-cbc sha256-128-hmac cipher combination in OCTEON TX2
+ crypto PMD lookaside protocol offload for IPsec.
Removed Items
-------------
@@ -74,6 +74,8 @@ ipsec_lp_len_precalc(struct rte_security_ipsec_xform *ipsec,
if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
lp->partial_len += OTX2_SEC_SHA1_HMAC_LEN;
+ else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
+ lp->partial_len += OTX2_SEC_SHA2_HMAC_LEN;
else
return -EINVAL;
@@ -268,6 +270,18 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
sa->sha1.template.ip4);
ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
lp->ctx_len = ctx_len >> 3;
+ } else if (ctl->auth_type ==
+ OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
+ if (ipsec->options.udp_encap) {
+ sa->sha2.template.ip4.udp_src = 4500;
+ sa->sha2.template.ip4.udp_dst = 4500;
+ }
+ ip = &sa->sha2.template.ip4.ipv4_hdr;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ sha2.template) + sizeof(
+ sa->sha2.template.ip4);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
}
ip->version_ihl = RTE_IPV4_VHL_DEF;
ip->next_proto_id = IPPROTO_ESP;
@@ -305,6 +319,18 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
sa->sha1.template.ip6);
ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
lp->ctx_len = ctx_len >> 3;
+ } else if (ctl->auth_type ==
+ OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
+ if (ipsec->options.udp_encap) {
+ sa->sha2.template.ip6.udp_src = 4500;
+ sa->sha2.template.ip6.udp_dst = 4500;
+ }
+ ip6 = &sa->sha2.template.ip6.ipv6_hdr;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ sha2.template) + sizeof(
+ sa->sha2.template.ip6);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
}
ip6->vtc_flow = rte_cpu_to_be_32(0x60000000 |
@@ -348,6 +374,8 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
memcpy(sa->sha1.hmac_key, auth_key, auth_key_len);
+ else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
+ memcpy(sa->sha2.hmac_key, auth_key, auth_key_len);
}
if (cipher_key_len != 0)
@@ -427,11 +455,16 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
auth_key = auth_xform->auth.key.data;
auth_key_len = auth_xform->auth.key.length;
- if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+ if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
memcpy(sa->aes_gcm.hmac_key, auth_key, auth_key_len);
-
- lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa,
- aes_gcm.selector) >> 3;
+ lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa,
+ aes_gcm.selector) >> 3;
+ } else if (auth_xform->auth.algo ==
+ RTE_CRYPTO_AUTH_SHA256_HMAC) {
+ memcpy(sa->sha2.hmac_key, auth_key, auth_key_len);
+ lp->ctx_len = offsetof(struct otx2_ipsec_po_in_sa,
+ sha2.selector) >> 3;
+ }
}
if (cipher_key_len != 0)
@@ -152,11 +152,18 @@ struct otx2_ipsec_po_in_sa {
/* w8 */
uint8_t udp_encap[8];
- /* w9-w23 */
- struct {
- uint8_t hmac_key[48];
- struct otx2_ipsec_po_traffic_selector selector;
- } aes_gcm;
+ /* w9-w33 */
+ union {
+ struct {
+ uint8_t hmac_key[48];
+ struct otx2_ipsec_po_traffic_selector selector;
+ } aes_gcm;
+ struct {
+ uint8_t hmac_key[64];
+ uint8_t hmac_iv[64];
+ struct otx2_ipsec_po_traffic_selector selector;
+ } sha2;
+ };
union {
struct otx2_ipsec_replay *replay;
uint64_t replay64;
@@ -205,6 +212,11 @@ struct otx2_ipsec_po_out_sa {
uint8_t unused[24];
struct otx2_ipsec_po_ip_template template;
} sha1;
+ struct {
+ uint8_t hmac_key[64];
+ uint8_t hmac_iv[64];
+ struct otx2_ipsec_po_ip_template template;
+ } sha2;
};
};
@@ -234,6 +246,9 @@ ipsec_po_xform_auth_verify(struct rte_crypto_sym_xform *xform)
if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
if (keylen >= 20 && keylen <= 64)
return 0;
+ } else if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) {
+ if (keylen >= 32 && keylen <= 64)
+ return 0;
}
return -ENOTSUP;
@@ -15,6 +15,7 @@
#define OTX2_SEC_AES_GCM_MAC_LEN 16
#define OTX2_SEC_AES_CBC_IV_LEN 16
#define OTX2_SEC_SHA1_HMAC_LEN 12
+#define OTX2_SEC_SHA2_HMAC_LEN 16
#define OTX2_SEC_AES_GCM_ROUNDUP_BYTE_LEN 4
#define OTX2_SEC_AES_CBC_ROUNDUP_BYTE_LEN 16