1.. SPDX-License-Identifier: BSD-3-Clause 2 Copyright 2017 NXP 3 4 5 6NXP DPAA CAAM (DPAA_SEC) 7======================== 8 9The DPAA_SEC PMD provides poll mode crypto driver support for NXP DPAA CAAM 10hardware accelerator. 11 12Architecture 13------------ 14 15SEC is the SOC's security engine, which serves as NXP's latest cryptographic 16acceleration and offloading hardware. It combines functions previously 17implemented in separate modules to create a modular and scalable acceleration 18and assurance engine. It also implements block encryption algorithms, stream 19cipher algorithms, hashing algorithms, public key algorithms, run-time 20integrity checking, and a hardware random number generator. SEC performs 21higher-level cryptographic operations than previous NXP cryptographic 22accelerators. This provides significant improvement to system level performance. 23 24DPAA_SEC is one of the hardware resource in DPAA Architecture. More information 25on DPAA Architecture is described in :ref:`dpaa_overview`. 26 27DPAA_SEC PMD is one of DPAA drivers which interacts with QBMAN to create, 28configure and destroy the device instance using queue pair with CAAM portal. 29 30DPAA_SEC PMD also uses some of the other hardware resources like buffer pools, 31queues, queue portals to store and to enqueue/dequeue data to the hardware SEC. 32 33Implementation 34-------------- 35 36SEC provides platform assurance by working with SecMon, which is a companion 37logic block that tracks the security state of the SOC. SEC is programmed by 38means of descriptors (not to be confused with frame descriptors (FDs)) that 39indicate the operations to be performed and link to the message and 40associated data. SEC incorporates two DMA engines to fetch the descriptors, 41read the message data, and write the results of the operations. The DMA 42engine provides a scatter/gather capability so that SEC can read and write 43data scattered in memory. SEC may be configured by means of software for 44dynamic changes in byte ordering. The default configuration for this version 45of SEC is little-endian mode. 46 47Features 48-------- 49 50The DPAA PMD has support for: 51 52Cipher algorithms: 53 54* ``RTE_CRYPTO_CIPHER_3DES_CBC`` 55* ``RTE_CRYPTO_CIPHER_AES128_CBC`` 56* ``RTE_CRYPTO_CIPHER_AES192_CBC`` 57* ``RTE_CRYPTO_CIPHER_AES256_CBC`` 58* ``RTE_CRYPTO_CIPHER_AES128_CTR`` 59* ``RTE_CRYPTO_CIPHER_AES192_CTR`` 60* ``RTE_CRYPTO_CIPHER_AES256_CTR`` 61* ``RTE_CRYPTO_CIPHER_SNOW3G_UEA2`` 62* ``RTE_CRYPTO_CIPHER_ZUC_EEA3`` 63 64Hash algorithms: 65 66* ``RTE_CRYPTO_AUTH_SHA1_HMAC`` 67* ``RTE_CRYPTO_AUTH_SHA224_HMAC`` 68* ``RTE_CRYPTO_AUTH_SHA256_HMAC`` 69* ``RTE_CRYPTO_AUTH_SHA384_HMAC`` 70* ``RTE_CRYPTO_AUTH_SHA512_HMAC`` 71* ``RTE_CRYPTO_AUTH_SNOW3G_UIA2`` 72* ``RTE_CRYPTO_AUTH_MD5_HMAC`` 73* ``RTE_CRYPTO_AUTH_ZUC_EIA3`` 74 75AEAD algorithms: 76 77* ``RTE_CRYPTO_AEAD_AES_GCM`` 78 79Supported DPAA SoCs 80-------------------- 81 82* LS1046A/LS1026A 83* LS1043A/LS1023A 84 85Allowing & Blocking 86------------------- 87 88For blocking a DPAA device, following commands can be used. 89 90 .. code-block:: console 91 92 <dpdk app> <EAL args> -b "dpaa:dpaa_sec-X" -- ... 93 e.g. "dpaa:dpaa_sec-1" 94 95 or to disable all 4 SEC devices 96 -b "dpaa:dpaa_sec-1" -b "dpaa:dpaa_sec-2" -b "dpaa:dpaa_sec-3" -b "dpaa:dpaa_sec-4" 97 98Limitations 99----------- 100 101* Hash followed by Cipher mode is not supported 102* Only supports the session-oriented API implementation (session-less APIs are not supported). 103 104Prerequisites 105------------- 106 107DPAA_SEC driver has similar pre-requisites as described in :ref:`dpaa_overview`. 108 109See :doc:`../platform/dpaa` for setup information 110 111 112- Follow the DPDK :ref:`Getting Started Guide for Linux <linux_gsg>` to setup the basic DPDK environment. 113 114 115Enabling logs 116------------- 117 118For enabling logs, use the following EAL parameter: 119 120.. code-block:: console 121 122 ./your_crypto_application <EAL args> --log-level=pmd.crypto.dpaa:<level> 123 124Using ``pmd.crypto.dpaa`` as log matching criteria, all Crypto PMD logs can be 125enabled which are lower than logging ``level``. 126 127Enabling debug prints 128--------------------- 129 130Use dev arg option ``drv_dump_mode=x`` to dump useful debug prints on HW sec 131error. There are 3 dump modes available 0, 1 and 2. Mode 0 means no dump print 132on error, mode 1 means dump HW error code and mode 2 means dump HW error code 133along with other useful debugging information like session, queue, descriptor 134data. 135e.g. ``dpaa_bus:dpaa_sec-1,drv_dump_mode=1`` 136