1.. SPDX-License-Identifier: BSD-3-Clause 2 Copyright(c) 2015-2018 Intel Corporation. 3 4AESN-NI Multi Buffer Crypto Poll Mode Driver 5============================================ 6 7 8The AESNI MB PMD (**librte_crypto_aesni_mb**) provides poll mode crypto driver 9support for utilizing Intel multi buffer library, see the white paper 10`Fast Multi-buffer IPsec Implementations on Intel® Architecture Processors 11<https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/fast-multi-buffer-ipsec-implementations-ia-processors-paper.pdf>`_. 12 13The AES-NI MB PMD has current only been tested on Fedora 21 64-bit with gcc. 14 15The AES-NI MB PMD supports synchronous mode of operation with 16``rte_cryptodev_sym_cpu_crypto_process`` function call. 17 18Features 19-------- 20 21AESNI MB PMD has support for: 22 23Cipher algorithms: 24 25* RTE_CRYPTO_CIPHER_AES128_CBC 26* RTE_CRYPTO_CIPHER_AES192_CBC 27* RTE_CRYPTO_CIPHER_AES256_CBC 28* RTE_CRYPTO_CIPHER_AES128_CTR 29* RTE_CRYPTO_CIPHER_AES192_CTR 30* RTE_CRYPTO_CIPHER_AES256_CTR 31* RTE_CRYPTO_CIPHER_AES_DOCSISBPI 32* RTE_CRYPTO_CIPHER_DES_CBC 33* RTE_CRYPTO_CIPHER_3DES_CBC 34* RTE_CRYPTO_CIPHER_DES_DOCSISBPI 35* RTE_CRYPTO_CIPHER_AES128_ECB 36* RTE_CRYPTO_CIPHER_AES192_ECB 37* RTE_CRYPTO_CIPHER_AES256_ECB 38* RTE_CRYPTO_CIPHER_ZUC_EEA3 39* RTE_CRYPTO_CIPHER_SNOW3G_UEA2 40* RTE_CRYPTO_CIPHER_KASUMI_F8 41 42Hash algorithms: 43 44* RTE_CRYPTO_AUTH_MD5_HMAC 45* RTE_CRYPTO_AUTH_SHA1_HMAC 46* RTE_CRYPTO_AUTH_SHA224_HMAC 47* RTE_CRYPTO_AUTH_SHA256_HMAC 48* RTE_CRYPTO_AUTH_SHA384_HMAC 49* RTE_CRYPTO_AUTH_SHA512_HMAC 50* RTE_CRYPTO_AUTH_AES_XCBC_HMAC 51* RTE_CRYPTO_AUTH_AES_CMAC 52* RTE_CRYPTO_AUTH_AES_GMAC 53* RTE_CRYPTO_AUTH_SHA1 54* RTE_CRYPTO_AUTH_SHA224 55* RTE_CRYPTO_AUTH_SHA256 56* RTE_CRYPTO_AUTH_SHA384 57* RTE_CRYPTO_AUTH_SHA512 58* RTE_CRYPTO_AUTH_ZUC_EIA3 59* RTE_CRYPTO_AUTH_SNOW3G_UIA2 60* RTE_CRYPTO_AUTH_KASUMI_F9 61 62AEAD algorithms: 63 64* RTE_CRYPTO_AEAD_AES_CCM 65* RTE_CRYPTO_AEAD_AES_GCM 66* RTE_CRYPTO_AEAD_CHACHA20_POLY1305 67 68Protocol offloads: 69 70* RTE_SECURITY_PROTOCOL_DOCSIS 71 72Limitations 73----------- 74 75* Chained mbufs are not supported. 76* Out-of-place is not supported for combined Crypto-CRC DOCSIS security 77 protocol. 78* RTE_CRYPTO_CIPHER_DES_DOCSISBPI is not supported for combined Crypto-CRC 79 DOCSIS security protocol. 80* The only tag size supported for ZUC-EIA3-256 is 4 bytes. 81 82 83Installation 84------------ 85 86To build DPDK with the AESNI_MB_PMD the user is required to download the multi-buffer 87library from `here <https://github.com/01org/intel-ipsec-mb>`_ 88and compile it on their user system before building DPDK. 89The latest version of the library supported by this PMD is v1.1, which 90can be downloaded from `<https://github.com/01org/intel-ipsec-mb/archive/v1.1.zip>`_. 91 92.. code-block:: console 93 94 make 95 make install 96 97The library requires NASM to be built. Depending on the library version, it might 98require a minimum NASM version (e.g. v0.54 requires at least NASM 2.14). 99 100NASM is packaged for different OS. However, on some OS the version is too old, 101so a manual installation is required. In that case, NASM can be downloaded from 102`NASM website <https://www.nasm.us/pub/nasm/releasebuilds/?C=M;O=D>`_. 103Once it is downloaded, extract it and follow these steps: 104 105.. code-block:: console 106 107 ./configure 108 make 109 make install 110 111.. note:: 112 113 Compilation of the Multi-Buffer library is broken when GCC < 5.0, if library <= v0.53. 114 If a lower GCC version than 5.0, the workaround proposed by the following link 115 should be used: `<https://github.com/intel/intel-ipsec-mb/issues/40>`_. 116 117As a reference, the following table shows a mapping between the past DPDK versions 118and the Multi-Buffer library version supported by them: 119 120.. _table_aesni_mb_versions: 121 122.. table:: DPDK and Multi-Buffer library version compatibility 123 124 ============== ============================ 125 DPDK version Multi-buffer library version 126 ============== ============================ 127 2.2 - 16.11 0.43 - 0.44 128 17.02 0.44 129 17.05 - 17.08 0.45 - 0.48 130 17.11 0.47 - 0.48 131 18.02 0.48 132 18.05 - 19.02 0.49 - 0.52 133 19.05 - 19.08 0.52 134 19.11 - 20.08 0.52 - 0.55 135 20.11 - 21.08 0.53 - 1.1* 136 21.11+ 1.0 - 1.1* 137 ============== ============================ 138 139\* Multi-buffer library 1.0 or newer only works for Meson but not Make build system. 140 141Initialization 142-------------- 143 144In order to enable this virtual crypto PMD, user must: 145 146* Build the multi buffer library (explained in Installation section). 147 148To use the PMD in an application, user must: 149 150* Call rte_vdev_init("crypto_aesni_mb") within the application. 151 152* Use --vdev="crypto_aesni_mb" in the EAL options, which will call rte_vdev_init() internally. 153 154The following parameters (all optional) can be provided in the previous two calls: 155 156* socket_id: Specify the socket where the memory for the device is going to be allocated 157 (by default, socket_id will be the socket where the core that is creating the PMD is running on). 158 159* max_nb_queue_pairs: Specify the maximum number of queue pairs in the device (8 by default). 160 161* max_nb_sessions: Specify the maximum number of sessions that can be created (2048 by default). 162 163Example: 164 165.. code-block:: console 166 167 ./dpdk-l2fwd-crypto -l 1 -n 4 --vdev="crypto_aesni_mb,socket_id=0,max_nb_sessions=128" \ 168 -- -p 1 --cdev SW --chain CIPHER_HASH --cipher_algo "aes-cbc" --auth_algo "sha1-hmac" 169 170Extra notes 171----------- 172 173For AES Counter mode (AES-CTR), the library supports two different sizes for Initialization 174Vector (IV): 175 176* 12 bytes: used mainly for IPsec, as it requires 12 bytes from the user, which internally 177 are appended the counter block (4 bytes), which is set to 1 for the first block 178 (no padding required from the user) 179 180* 16 bytes: when passing 16 bytes, the library will take them and use the last 4 bytes 181 as the initial counter block for the first block. 182