1.. SPDX-License-Identifier: BSD-3-Clause 2 Copyright 2016 NXP 3 4 5 6NXP DPAA2 CAAM (DPAA2_SEC) 7========================== 8 9The DPAA2_SEC PMD provides poll mode crypto driver support for NXP DPAA2 CAAM 10hardware accelerator. 11 12Architecture 13------------ 14 15SEC is the SOC's security engine, which serves as NXP's latest cryptographic 16acceleration and offloading hardware. It combines functions previously 17implemented in separate modules to create a modular and scalable acceleration 18and assurance engine. It also implements block encryption algorithms, stream 19cipher algorithms, hashing algorithms, public key algorithms, run-time 20integrity checking, and a hardware random number generator. SEC performs 21higher-level cryptographic operations than previous NXP cryptographic 22accelerators. This provides significant improvement to system level performance. 23 24DPAA2_SEC is one of the hardware resource in DPAA2 Architecture. More information 25on DPAA2 Architecture is described in :ref:`dpaa2_overview`. 26 27DPAA2_SEC PMD is one of DPAA2 drivers which interacts with Management Complex (MC) 28portal to access the hardware object - DPSECI. The MC provides access to create, 29discover, connect, configure and destroy dpseci objects in DPAA2_SEC PMD. 30 31DPAA2_SEC PMD also uses some of the other hardware resources like buffer pools, 32queues, queue portals to store and to enqueue/dequeue data to the hardware SEC. 33 34DPSECI objects are detected by PMD using a resource container called DPRC (like 35in :ref:`dpaa2_overview`). 36 37For example: 38 39.. code-block:: console 40 41 DPRC.1 (bus) 42 | 43 +--+--------+-------+-------+-------+---------+ 44 | | | | | | 45 DPMCP.1 DPIO.1 DPBP.1 DPNI.1 DPMAC.1 DPSECI.1 46 DPMCP.2 DPIO.2 DPNI.2 DPMAC.2 DPSECI.2 47 DPMCP.3 48 49Implementation 50-------------- 51 52SEC provides platform assurance by working with SecMon, which is a companion 53logic block that tracks the security state of the SOC. SEC is programmed by 54means of descriptors (not to be confused with frame descriptors (FDs)) that 55indicate the operations to be performed and link to the message and 56associated data. SEC incorporates two DMA engines to fetch the descriptors, 57read the message data, and write the results of the operations. The DMA 58engine provides a scatter/gather capability so that SEC can read and write 59data scattered in memory. SEC may be configured by means of software for 60dynamic changes in byte ordering. The default configuration for this version 61of SEC is little-endian mode. 62 63A block diagram similar to dpaa2 NIC is shown below to show where DPAA2_SEC 64fits in the DPAA2 Bus model 65 66.. code-block:: console 67 68 69 +----------------+ 70 | DPDK DPAA2_SEC | 71 | PMD | 72 +----------------+ +------------+ 73 | MC SEC object |.......| Mempool | 74 . . . . . . . . . | (DPSECI) | | (DPBP) | 75 . +---+---+--------+ +-----+------+ 76 . ^ | . 77 . | |<enqueue, . 78 . | | dequeue> . 79 . | | . 80 . +---+---V----+ . 81 . . . . . . . . . . .| DPIO driver| . 82 . . | (DPIO) | . 83 . . +-----+------+ . 84 . . | QBMAN | . 85 . . | Driver | . 86 +----+------+-------+ +-----+----- | . 87 | dpaa2 bus | | . 88 | VFIO fslmc-bus |....................|......................... 89 | | | 90 | /bus/fslmc | | 91 +-------------------+ | 92 | 93 ========================== HARDWARE =====|======================= 94 DPIO 95 | 96 DPSECI---DPBP 97 =========================================|======================== 98 99 100 101Features 102-------- 103 104The DPAA2_SEC PMD has support for: 105 106Cipher algorithms: 107 108* ``RTE_CRYPTO_CIPHER_3DES_CBC`` 109* ``RTE_CRYPTO_CIPHER_AES128_CBC`` 110* ``RTE_CRYPTO_CIPHER_AES192_CBC`` 111* ``RTE_CRYPTO_CIPHER_AES256_CBC`` 112* ``RTE_CRYPTO_CIPHER_AES128_CTR`` 113* ``RTE_CRYPTO_CIPHER_AES192_CTR`` 114* ``RTE_CRYPTO_CIPHER_AES256_CTR`` 115 116Hash algorithms: 117 118* ``RTE_CRYPTO_AUTH_SHA1_HMAC`` 119* ``RTE_CRYPTO_AUTH_SHA224_HMAC`` 120* ``RTE_CRYPTO_AUTH_SHA256_HMAC`` 121* ``RTE_CRYPTO_AUTH_SHA384_HMAC`` 122* ``RTE_CRYPTO_AUTH_SHA512_HMAC`` 123* ``RTE_CRYPTO_AUTH_MD5_HMAC`` 124 125AEAD algorithms: 126 127* ``RTE_CRYPTO_AEAD_AES_GCM`` 128 129Supported DPAA2 SoCs 130-------------------- 131 132* LS2080A/LS2040A 133* LS2084A/LS2044A 134* LS2088A/LS2048A 135* LS1088A/LS1048A 136 137Whitelisting & Blacklisting 138--------------------------- 139 140For blacklisting a DPAA2 SEC device, following commands can be used. 141 142 .. code-block:: console 143 144 <dpdk app> <EAL args> -b "fslmc:dpseci.x" -- ... 145 146Where x is the device object id as configured in resource container. 147 148Limitations 149----------- 150 151* Chained mbufs are not supported. 152* Hash followed by Cipher mode is not supported 153* Only supports the session-oriented API implementation (session-less APIs are not supported). 154 155Prerequisites 156------------- 157 158DPAA2_SEC driver has similar pre-requisites as described in :ref:`dpaa2_overview`. 159The following dependencies are not part of DPDK and must be installed separately: 160 161* **NXP Linux SDK** 162 163 NXP Linux software development kit (SDK) includes support for the family 164 of QorIQ® ARM-Architecture-based system on chip (SoC) processors 165 and corresponding boards. 166 167 It includes the Linux board support packages (BSPs) for NXP SoCs, 168 a fully operational tool chain, kernel and board specific modules. 169 170 SDK and related information can be obtained from: `NXP QorIQ SDK <http://www.nxp.com/products/software-and-tools/run-time-software/linux-sdk/linux-sdk-for-qoriq-processors:SDKLINUX>`_. 171 172* **DPDK Extra Scripts** 173 174 DPAA2 based resources can be configured easily with the help of ready scripts 175 as provided in the DPDK helper repository. 176 177 `DPDK Extra Scripts <https://github.com/qoriq-open-source/dpdk-extras>`_. 178 179Currently supported by DPDK: 180 181* NXP SDK **17.08+**. 182* MC Firmware version **10.3.1** and higher. 183* Supported architectures: **arm64 LE**. 184 185* Follow the DPDK :ref:`Getting Started Guide for Linux <linux_gsg>` to setup the basic DPDK environment. 186 187Pre-Installation Configuration 188------------------------------ 189 190Config File Options 191~~~~~~~~~~~~~~~~~~~ 192 193Basic DPAA2 config file options are described in :ref:`dpaa2_overview`. 194In addition to those, the following options can be modified in the ``config`` file 195to enable DPAA2_SEC PMD. 196 197Please note that enabling debugging options may affect system performance. 198 199* ``CONFIG_RTE_LIBRTE_PMD_DPAA2_SEC`` (default ``n``) 200 By default it is only enabled in defconfig_arm64-dpaa2-* config. 201 Toggle compilation of the ``librte_pmd_dpaa2_sec`` driver. 202 203* ``CONFIG_RTE_DPAA2_SEC_PMD_MAX_NB_SESSIONS`` 204 By default it is set as 2048 in defconfig_arm64-dpaa2-* config. 205 It indicates Number of sessions to create in the session memory pool 206 on a single DPAA2 SEC device. 207 208Installations 209------------- 210To compile the DPAA2_SEC PMD for Linux arm64 gcc target, run the 211following ``make`` command: 212 213.. code-block:: console 214 215 cd <DPDK-source-directory> 216 make config T=arm64-dpaa2-linuxapp-gcc install 217 218Enabling logs 219------------- 220 221For enabling logs, use the following EAL parameter: 222 223.. code-block:: console 224 225 ./your_crypto_application <EAL args> --log-level=pmd.crypto.dpaa2:<level> 226 227Using ``crypto.dpaa2`` as log matching criteria, all Crypto PMD logs can be 228enabled which are lower than logging ``level``. 229