patch 'crypto/dpaa_sec: fix IPsec descriptor' has been queued to stable release 23.11.2

Xueming Li xuemingl at nvidia.com
Mon Aug 12 14:48:28 CEST 2024

Previous message (by thread): patch 'common/dpaax/caamflib: fix PDCP AES-AES watchdog error' has been queued to stable release 23.11.2
Next message (by thread): patch 'crypto/dpaa2_sec: fix event queue user context' has been queued to stable release 23.11.2
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

FYI, your patch has been queued to stable release 23.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 08/14/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://git.dpdk.org/dpdk-stable/log/?h=23.11-staging

This queued commit can be viewed at:
https://git.dpdk.org/dpdk-stable/commit/?h=23.11-staging&id=6e2def6ca9a6b1131b9efaf5ce913e7110459883

Thanks.

Xueming Li <xuemingl at nvidia.com>

---
>From 6e2def6ca9a6b1131b9efaf5ce913e7110459883 Mon Sep 17 00:00:00 2001
From: Gagandeep Singh <g.singh at nxp.com>
Date: Wed, 3 Jul 2024 15:56:41 +0530
Subject: [PATCH] crypto/dpaa_sec: fix IPsec descriptor
Cc: Xueming Li <xuemingl at nvidia.com>

[ upstream commit 046341575bd6e1210d6c12b595405ede41150da7 ]

During IPsec operations, driver code pre-check
whether KEYS can be inlined to limited size descriptor
or not and based on that it decides to copy the complete
KEY in descriptor or just give the memory pointer of
KEY in descriptor.
This pre-check code does not take care of padding required
for security engine to make the KEYs inline which results
in incorrect length descriptor for some algorithms.

This patch fixes this issue by updating the pre-check code
with proper padding size included for each supported
algorithm.

Fixes: 453b9593a3cf ("crypto/dpaax_sec: fix inline query for descriptors")

Signed-off-by: Gagandeep Singh <g.singh at nxp.com>
---
 drivers/common/dpaax/caamflib/desc/ipsec.h | 73 ++++++++++++++++++++++
 drivers/crypto/dpaa_sec/dpaa_sec.c         |  4 +-
 2 files changed, 75 insertions(+), 2 deletions(-)

diff --git a/drivers/common/dpaax/caamflib/desc/ipsec.h b/drivers/common/dpaax/caamflib/desc/ipsec.h
index 95fc3ea5ba..54fca3bc67 100644
--- a/drivers/common/dpaax/caamflib/desc/ipsec.h
+++ b/drivers/common/dpaax/caamflib/desc/ipsec.h
@@ -731,6 +731,79 @@ static inline void __gen_auth_key(struct program *program,
 			     authdata->key, authdata->key_type);
 }
 
+/**
+ * rta_inline_ipsec_query() - Provide indications on which data items can be inlined
+ *                      and which shall be referenced in IPsec shared descriptor.
+ * @sd_base_len: Shared descriptor base length - bytes consumed by the commands,
+ *               excluding the data items to be inlined (or corresponding
+ *               pointer if an item is not inlined). Each cnstr_* function that
+ *               generates descriptors should have a define mentioning
+ *               corresponding length.
+ * @jd_len: Maximum length of the job descriptor(s) that will be used
+ *          together with the shared descriptor.
+ * @data_len: Array of lengths of the data items trying to be inlined
+ * @inl_mask: 32bit mask with bit x = 1 if data item x can be inlined, 0
+ *            otherwise.
+ * @count: Number of data items (size of @data_len array); must be <= 32
+ * @auth_algtype: Authentication algorithm type.
+ * @auth_index: Index value of data_len for authentication key length.
+ *		-1 if authentication key length is not present in data_len.
+ *
+ * Return: 0 if data can be inlined / referenced, negative value if not. If 0,
+ *         check @inl_mask for details.
+ */
+static inline int
+rta_inline_ipsec_query(unsigned int sd_base_len,
+		       unsigned int jd_len,
+		       unsigned int *data_len,
+		       uint32_t *inl_mask,
+		       unsigned int count,
+		       uint32_t auth_algtype,
+		       int32_t auth_index)
+{
+	uint32_t dkp_protid;
+
+	switch (auth_algtype & OP_PCL_IPSEC_AUTH_MASK) {
+	case OP_PCL_IPSEC_HMAC_MD5_96:
+	case OP_PCL_IPSEC_HMAC_MD5_128:
+		dkp_protid = OP_PCLID_DKP_MD5;
+		break;
+	case OP_PCL_IPSEC_HMAC_SHA1_96:
+	case OP_PCL_IPSEC_HMAC_SHA1_160:
+		dkp_protid = OP_PCLID_DKP_SHA1;
+		break;
+	case OP_PCL_IPSEC_HMAC_SHA2_256_128:
+		dkp_protid = OP_PCLID_DKP_SHA256;
+		break;
+	case OP_PCL_IPSEC_HMAC_SHA2_384_192:
+		dkp_protid = OP_PCLID_DKP_SHA384;
+		break;
+	case OP_PCL_IPSEC_HMAC_SHA2_512_256:
+		dkp_protid = OP_PCLID_DKP_SHA512;
+		break;
+	case OP_PCL_IPSEC_HMAC_SHA2_224_96:
+	case OP_PCL_IPSEC_HMAC_SHA2_224_112:
+	case OP_PCL_IPSEC_HMAC_SHA2_224_224:
+		dkp_protid = OP_PCLID_DKP_SHA224;
+		break;
+	default:
+		return rta_inline_query(sd_base_len,
+				       jd_len,
+				       data_len,
+				       inl_mask, count);
+	}
+
+	/* Updating the maximum supported inline key length */
+	if (auth_index != -1) {
+		if (split_key_len(dkp_protid) > data_len[auth_index])
+			data_len[auth_index] = split_key_len(dkp_protid);
+	}
+	return rta_inline_query(sd_base_len,
+			       jd_len,
+			       data_len,
+			       inl_mask, count);
+}
+
 /**
  * cnstr_shdsc_ipsec_encap - IPSec ESP encapsulation protocol-level shared
  *                           descriptor.
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index a301e8edb2..906ea39047 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -395,10 +395,10 @@ dpaa_sec_prep_ipsec_cdb(dpaa_sec_session *ses)
 
 	cdb->sh_desc[0] = cipherdata.keylen;
 	cdb->sh_desc[1] = authdata.keylen;
-	err = rta_inline_query(IPSEC_AUTH_VAR_AES_DEC_BASE_DESC_LEN,
+	err = rta_inline_ipsec_query(IPSEC_AUTH_VAR_AES_DEC_BASE_DESC_LEN,
 			       DESC_JOB_IO_LEN,
 			       (unsigned int *)cdb->sh_desc,
-			       &cdb->sh_desc[2], 2);
+			       &cdb->sh_desc[2], 2, authdata.algtype, 1);
 
 	if (err < 0) {
 		DPAA_SEC_ERR("Crypto: Incorrect key lengths");
-- 
2.34.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2024-08-12 20:44:03.547048517 +0800
+++ 0031-crypto-dpaa_sec-fix-IPsec-descriptor.patch	2024-08-12 20:44:01.985069273 +0800
@@ -1 +1 @@
-From 046341575bd6e1210d6c12b595405ede41150da7 Mon Sep 17 00:00:00 2001
+From 6e2def6ca9a6b1131b9efaf5ce913e7110459883 Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Xueming Li <xuemingl at nvidia.com>
+
+[ upstream commit 046341575bd6e1210d6c12b595405ede41150da7 ]
@@ -20 +22,0 @@
-Cc: stable at dpdk.org
@@ -29 +31 @@
-index eff26f6f8b..b902873970 100644
+index 95fc3ea5ba..54fca3bc67 100644
@@ -32 +34 @@
-@@ -728,6 +728,79 @@ static inline void __gen_auth_key(struct program *program,
+@@ -731,6 +731,79 @@ static inline void __gen_auth_key(struct program *program,
@@ -113 +115 @@
-index 7aa163330a..bf2a11a4d4 100644
+index a301e8edb2..906ea39047 100644

Previous message (by thread): patch 'common/dpaax/caamflib: fix PDCP AES-AES watchdog error' has been queued to stable release 23.11.2
Next message (by thread): patch 'crypto/dpaa2_sec: fix event queue user context' has been queued to stable release 23.11.2
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list