1131a75b6SHemant Agrawal.. SPDX-License-Identifier: BSD-3-Clause 2131a75b6SHemant Agrawal Copyright 2016 NXP 34bbee28bSAkhil Goyal 44bbee28bSAkhil Goyal 54bbee28bSAkhil Goyal 64bbee28bSAkhil GoyalNXP DPAA2 CAAM (DPAA2_SEC) 74bbee28bSAkhil Goyal========================== 84bbee28bSAkhil Goyal 94bbee28bSAkhil GoyalThe DPAA2_SEC PMD provides poll mode crypto driver support for NXP DPAA2 CAAM 104bbee28bSAkhil Goyalhardware accelerator. 114bbee28bSAkhil Goyal 124bbee28bSAkhil GoyalArchitecture 134bbee28bSAkhil Goyal------------ 144bbee28bSAkhil Goyal 154bbee28bSAkhil GoyalSEC is the SOC's security engine, which serves as NXP's latest cryptographic 164bbee28bSAkhil Goyalacceleration and offloading hardware. It combines functions previously 174bbee28bSAkhil Goyalimplemented in separate modules to create a modular and scalable acceleration 184bbee28bSAkhil Goyaland assurance engine. It also implements block encryption algorithms, stream 194bbee28bSAkhil Goyalcipher algorithms, hashing algorithms, public key algorithms, run-time 204bbee28bSAkhil Goyalintegrity checking, and a hardware random number generator. SEC performs 214bbee28bSAkhil Goyalhigher-level cryptographic operations than previous NXP cryptographic 224bbee28bSAkhil Goyalaccelerators. This provides significant improvement to system level performance. 234bbee28bSAkhil Goyal 244bbee28bSAkhil GoyalDPAA2_SEC is one of the hardware resource in DPAA2 Architecture. More information 254bbee28bSAkhil Goyalon DPAA2 Architecture is described in :ref:`dpaa2_overview`. 264bbee28bSAkhil Goyal 274bbee28bSAkhil GoyalDPAA2_SEC PMD is one of DPAA2 drivers which interacts with Management Complex (MC) 284bbee28bSAkhil Goyalportal to access the hardware object - DPSECI. The MC provides access to create, 294bbee28bSAkhil Goyaldiscover, connect, configure and destroy dpseci objects in DPAA2_SEC PMD. 304bbee28bSAkhil Goyal 314bbee28bSAkhil GoyalDPAA2_SEC PMD also uses some of the other hardware resources like buffer pools, 324bbee28bSAkhil Goyalqueues, queue portals to store and to enqueue/dequeue data to the hardware SEC. 334bbee28bSAkhil Goyal 344bbee28bSAkhil GoyalDPSECI objects are detected by PMD using a resource container called DPRC (like 354bbee28bSAkhil Goyalin :ref:`dpaa2_overview`). 364bbee28bSAkhil Goyal 374bbee28bSAkhil GoyalFor example: 384bbee28bSAkhil Goyal 394bbee28bSAkhil Goyal.. code-block:: console 404bbee28bSAkhil Goyal 414bbee28bSAkhil Goyal DPRC.1 (bus) 424bbee28bSAkhil Goyal | 434bbee28bSAkhil Goyal +--+--------+-------+-------+-------+---------+ 444bbee28bSAkhil Goyal | | | | | | 454bbee28bSAkhil Goyal DPMCP.1 DPIO.1 DPBP.1 DPNI.1 DPMAC.1 DPSECI.1 464bbee28bSAkhil Goyal DPMCP.2 DPIO.2 DPNI.2 DPMAC.2 DPSECI.2 474bbee28bSAkhil Goyal DPMCP.3 484bbee28bSAkhil Goyal 494bbee28bSAkhil GoyalImplementation 504bbee28bSAkhil Goyal-------------- 514bbee28bSAkhil Goyal 524bbee28bSAkhil GoyalSEC provides platform assurance by working with SecMon, which is a companion 534bbee28bSAkhil Goyallogic block that tracks the security state of the SOC. SEC is programmed by 544bbee28bSAkhil Goyalmeans of descriptors (not to be confused with frame descriptors (FDs)) that 554bbee28bSAkhil Goyalindicate the operations to be performed and link to the message and 564bbee28bSAkhil Goyalassociated data. SEC incorporates two DMA engines to fetch the descriptors, 574bbee28bSAkhil Goyalread the message data, and write the results of the operations. The DMA 584bbee28bSAkhil Goyalengine provides a scatter/gather capability so that SEC can read and write 594bbee28bSAkhil Goyaldata scattered in memory. SEC may be configured by means of software for 604bbee28bSAkhil Goyaldynamic changes in byte ordering. The default configuration for this version 614bbee28bSAkhil Goyalof SEC is little-endian mode. 624bbee28bSAkhil Goyal 634bbee28bSAkhil GoyalA block diagram similar to dpaa2 NIC is shown below to show where DPAA2_SEC 644bbee28bSAkhil Goyalfits in the DPAA2 Bus model 654bbee28bSAkhil Goyal 664bbee28bSAkhil Goyal.. code-block:: console 674bbee28bSAkhil Goyal 684bbee28bSAkhil Goyal 694bbee28bSAkhil Goyal +----------------+ 704bbee28bSAkhil Goyal | DPDK DPAA2_SEC | 714bbee28bSAkhil Goyal | PMD | 724bbee28bSAkhil Goyal +----------------+ +------------+ 734bbee28bSAkhil Goyal | MC SEC object |.......| Mempool | 744bbee28bSAkhil Goyal . . . . . . . . . | (DPSECI) | | (DPBP) | 754bbee28bSAkhil Goyal . +---+---+--------+ +-----+------+ 764bbee28bSAkhil Goyal . ^ | . 774bbee28bSAkhil Goyal . | |<enqueue, . 784bbee28bSAkhil Goyal . | | dequeue> . 794bbee28bSAkhil Goyal . | | . 804bbee28bSAkhil Goyal . +---+---V----+ . 814bbee28bSAkhil Goyal . . . . . . . . . . .| DPIO driver| . 824bbee28bSAkhil Goyal . . | (DPIO) | . 834bbee28bSAkhil Goyal . . +-----+------+ . 844bbee28bSAkhil Goyal . . | QBMAN | . 854bbee28bSAkhil Goyal . . | Driver | . 864bbee28bSAkhil Goyal +----+------+-------+ +-----+----- | . 874bbee28bSAkhil Goyal | dpaa2 bus | | . 884bbee28bSAkhil Goyal | VFIO fslmc-bus |....................|......................... 894bbee28bSAkhil Goyal | | | 904bbee28bSAkhil Goyal | /bus/fslmc | | 914bbee28bSAkhil Goyal +-------------------+ | 924bbee28bSAkhil Goyal | 934bbee28bSAkhil Goyal ========================== HARDWARE =====|======================= 944bbee28bSAkhil Goyal DPIO 954bbee28bSAkhil Goyal | 964bbee28bSAkhil Goyal DPSECI---DPBP 974bbee28bSAkhil Goyal =========================================|======================== 984bbee28bSAkhil Goyal 994bbee28bSAkhil Goyal 1004bbee28bSAkhil Goyal 1014bbee28bSAkhil GoyalFeatures 1024bbee28bSAkhil Goyal-------- 1034bbee28bSAkhil Goyal 10413273250SAkhil GoyalThe DPAA2_SEC PMD has support for: 1054bbee28bSAkhil Goyal 1064bbee28bSAkhil GoyalCipher algorithms: 1074bbee28bSAkhil Goyal 1084bbee28bSAkhil Goyal* ``RTE_CRYPTO_CIPHER_3DES_CBC`` 1094bbee28bSAkhil Goyal* ``RTE_CRYPTO_CIPHER_AES128_CBC`` 1104bbee28bSAkhil Goyal* ``RTE_CRYPTO_CIPHER_AES192_CBC`` 1114bbee28bSAkhil Goyal* ``RTE_CRYPTO_CIPHER_AES256_CBC`` 11213273250SAkhil Goyal* ``RTE_CRYPTO_CIPHER_AES128_CTR`` 11313273250SAkhil Goyal* ``RTE_CRYPTO_CIPHER_AES192_CTR`` 11413273250SAkhil Goyal* ``RTE_CRYPTO_CIPHER_AES256_CTR`` 1154bbee28bSAkhil Goyal 1164bbee28bSAkhil GoyalHash algorithms: 1174bbee28bSAkhil Goyal 1184bbee28bSAkhil Goyal* ``RTE_CRYPTO_AUTH_SHA1_HMAC`` 1194bbee28bSAkhil Goyal* ``RTE_CRYPTO_AUTH_SHA224_HMAC`` 1204bbee28bSAkhil Goyal* ``RTE_CRYPTO_AUTH_SHA256_HMAC`` 1214bbee28bSAkhil Goyal* ``RTE_CRYPTO_AUTH_SHA384_HMAC`` 1224bbee28bSAkhil Goyal* ``RTE_CRYPTO_AUTH_SHA512_HMAC`` 1234bbee28bSAkhil Goyal* ``RTE_CRYPTO_AUTH_MD5_HMAC`` 124caf84d61SAkhil Goyal* ``RTE_CRYPTO_AUTH_AES_XCBC_MAC`` 12583087a92SHemant Agrawal* ``RTE_CRYPTO_AUTH_AES_CMAC`` 1264bbee28bSAkhil Goyal 12713273250SAkhil GoyalAEAD algorithms: 12813273250SAkhil Goyal 12913273250SAkhil Goyal* ``RTE_CRYPTO_AEAD_AES_GCM`` 13013273250SAkhil Goyal 1314bbee28bSAkhil GoyalSupported DPAA2 SoCs 1324bbee28bSAkhil Goyal-------------------- 1334bbee28bSAkhil Goyal 134b84c1087SHemant Agrawal* LS2160A 1354bbee28bSAkhil Goyal* LS2084A/LS2044A 1364bbee28bSAkhil Goyal* LS2088A/LS2048A 1374bbee28bSAkhil Goyal* LS1088A/LS1048A 1384bbee28bSAkhil Goyal 139db27370bSStephen HemmingerAllowing & Blocking 140db27370bSStephen Hemminger------------------- 14150245be0SHemant Agrawal 142db27370bSStephen HemmingerThe DPAA2 SEC device can be blocked with the following: 14350245be0SHemant Agrawal 14450245be0SHemant Agrawal .. code-block:: console 14550245be0SHemant Agrawal 14650245be0SHemant Agrawal <dpdk app> <EAL args> -b "fslmc:dpseci.x" -- ... 14750245be0SHemant Agrawal 14850245be0SHemant AgrawalWhere x is the device object id as configured in resource container. 14950245be0SHemant Agrawal 1504bbee28bSAkhil GoyalLimitations 1514bbee28bSAkhil Goyal----------- 1524bbee28bSAkhil Goyal 1534bbee28bSAkhil Goyal* Hash followed by Cipher mode is not supported 1544bbee28bSAkhil Goyal* Only supports the session-oriented API implementation (session-less APIs are not supported). 1554bbee28bSAkhil Goyal 1564bbee28bSAkhil GoyalPrerequisites 1574bbee28bSAkhil Goyal------------- 1584bbee28bSAkhil Goyal 1594bbee28bSAkhil GoyalDPAA2_SEC driver has similar pre-requisites as described in :ref:`dpaa2_overview`. 1604bbee28bSAkhil GoyalThe following dependencies are not part of DPDK and must be installed separately: 1614bbee28bSAkhil Goyal 162b84c1087SHemant AgrawalSee :doc:`../platform/dpaa2` for setup information 1634bbee28bSAkhil Goyal 164b84c1087SHemant Agrawal- Follow the DPDK :ref:`Getting Started Guide for Linux <linux_gsg>` to setup the basic DPDK environment. 1654bbee28bSAkhil Goyal 1665644a1f6SShreyansh Jain 1675644a1f6SShreyansh JainEnabling logs 1685644a1f6SShreyansh Jain------------- 1695644a1f6SShreyansh Jain 1705644a1f6SShreyansh JainFor enabling logs, use the following EAL parameter: 1715644a1f6SShreyansh Jain 1725644a1f6SShreyansh Jain.. code-block:: console 1735644a1f6SShreyansh Jain 174a0173139SStephen Hemminger ./your_crypto_application <EAL args> --log-level=pmd.crypto.dpaa2:<level> 1755644a1f6SShreyansh Jain 1765644a1f6SShreyansh JainUsing ``crypto.dpaa2`` as log matching criteria, all Crypto PMD logs can be 1775644a1f6SShreyansh Jainenabled which are lower than logging ``level``. 17884bb24bdSGagandeep Singh 17984bb24bdSGagandeep SinghEnabling debug prints 18084bb24bdSGagandeep Singh--------------------- 18184bb24bdSGagandeep Singh 18284bb24bdSGagandeep SinghUse dev arg option ``drv_dump_mode=x`` to dump useful debug prints on HW sec 18384bb24bdSGagandeep Singherror. There are 3 dump modes available 0, 1 and 2. Mode 0 means no dump print 18484bb24bdSGagandeep Singhon error, mode 1 means dump HW error code and mode 2 means dump HW error code 18584bb24bdSGagandeep Singhalong with other useful debugging information like session, queue, descriptor 18684bb24bdSGagandeep Singhdata. 18784bb24bdSGagandeep Singhe.g. ``fslmc:dpseci.1,drv_dump_mode=1`` 188*4562de32SNipun Gupta 189*4562de32SNipun GuptaEnable strict ordering 190*4562de32SNipun Gupta---------------------- 191*4562de32SNipun Gupta 192*4562de32SNipun GuptaUse dev arg option ``drv_strict_order=1`` to enable strict ordering. 193*4562de32SNipun GuptaBy default, loose ordering is set for ordered schedule type event. 194*4562de32SNipun Guptae.g. ``fslmc:dpseci.1,drv_strict_order=1`` 195