1.. SPDX-License-Identifier: BSD-3-Clause 2 Copyright 2017 NXP 3 4 5 6NXP DPAA CAAM (DPAA_SEC) 7======================== 8 9The DPAA_SEC PMD provides poll mode crypto driver support for NXP DPAA CAAM 10hardware accelerator. 11 12Architecture 13------------ 14 15SEC is the SOC's security engine, which serves as NXP's latest cryptographic 16acceleration and offloading hardware. It combines functions previously 17implemented in separate modules to create a modular and scalable acceleration 18and assurance engine. It also implements block encryption algorithms, stream 19cipher algorithms, hashing algorithms, public key algorithms, run-time 20integrity checking, and a hardware random number generator. SEC performs 21higher-level cryptographic operations than previous NXP cryptographic 22accelerators. This provides significant improvement to system level performance. 23 24DPAA_SEC is one of the hardware resource in DPAA Architecture. More information 25on DPAA Architecture is described in :ref:`dpaa_overview`. 26 27DPAA_SEC PMD is one of DPAA drivers which interacts with QBMAN to create, 28configure and destroy the device instance using queue pair with CAAM portal. 29 30DPAA_SEC PMD also uses some of the other hardware resources like buffer pools, 31queues, queue portals to store and to enqueue/dequeue data to the hardware SEC. 32 33Implementation 34-------------- 35 36SEC provides platform assurance by working with SecMon, which is a companion 37logic block that tracks the security state of the SOC. SEC is programmed by 38means of descriptors (not to be confused with frame descriptors (FDs)) that 39indicate the operations to be performed and link to the message and 40associated data. SEC incorporates two DMA engines to fetch the descriptors, 41read the message data, and write the results of the operations. The DMA 42engine provides a scatter/gather capability so that SEC can read and write 43data scattered in memory. SEC may be configured by means of software for 44dynamic changes in byte ordering. The default configuration for this version 45of SEC is little-endian mode. 46 47Features 48-------- 49 50The DPAA PMD has support for: 51 52Cipher algorithms: 53 54* ``RTE_CRYPTO_CIPHER_3DES_CBC`` 55* ``RTE_CRYPTO_CIPHER_AES128_CBC`` 56* ``RTE_CRYPTO_CIPHER_AES192_CBC`` 57* ``RTE_CRYPTO_CIPHER_AES256_CBC`` 58* ``RTE_CRYPTO_CIPHER_AES128_CTR`` 59* ``RTE_CRYPTO_CIPHER_AES192_CTR`` 60* ``RTE_CRYPTO_CIPHER_AES256_CTR`` 61 62Hash algorithms: 63 64* ``RTE_CRYPTO_AUTH_SHA1_HMAC`` 65* ``RTE_CRYPTO_AUTH_SHA224_HMAC`` 66* ``RTE_CRYPTO_AUTH_SHA256_HMAC`` 67* ``RTE_CRYPTO_AUTH_SHA384_HMAC`` 68* ``RTE_CRYPTO_AUTH_SHA512_HMAC`` 69* ``RTE_CRYPTO_AUTH_MD5_HMAC`` 70 71AEAD algorithms: 72 73* ``RTE_CRYPTO_AEAD_AES_GCM`` 74 75Supported DPAA SoCs 76-------------------- 77 78* LS1046A/LS1026A 79* LS1043A/LS1023A 80 81Whitelisting & Blacklisting 82--------------------------- 83 84For blacklisting a DPAA device, following commands can be used. 85 86 .. code-block:: console 87 88 <dpdk app> <EAL args> -b "dpaa_bus:dpaa-secX" -- ... 89 e.g. "dpaa_bus:dpaa-sec0" 90 91 or to disable all 4 SEC devices 92 -b "dpaa_sec:dpaa-sec0" -b "dpaa_sec:dpaa-sec1" -b "dpaa_sec:dpaa-sec2" -b "dpaa_sec:dpaa-sec3" 93 94Limitations 95----------- 96 97* Chained mbufs are not supported. 98* Hash followed by Cipher mode is not supported 99* Only supports the session-oriented API implementation (session-less APIs are not supported). 100 101Prerequisites 102------------- 103 104DPAA_SEC driver has similar pre-requisites as described in :ref:`dpaa_overview`. 105The following dependencies are not part of DPDK and must be installed separately: 106 107* **NXP Linux SDK** 108 109 NXP Linux software development kit (SDK) includes support for the family 110 of QorIQ® ARM-Architecture-based system on chip (SoC) processors 111 and corresponding boards. 112 113 It includes the Linux board support packages (BSPs) for NXP SoCs, 114 a fully operational tool chain, kernel and board specific modules. 115 116 SDK and related information can be obtained from: `NXP QorIQ SDK <http://www.nxp.com/products/software-and-tools/run-time-software/linux-sdk/linux-sdk-for-qoriq-processors:SDKLINUX>`_. 117 118* **DPDK Extras Scripts** 119 120 DPAA based resources can be configured easily with the help of ready scripts 121 as provided in the DPDK Extras repository. 122 123 `DPDK Extras Scripts <https://github.com/qoriq-open-source/dpdk-extras>`_. 124 125Currently supported by DPDK: 126 127* NXP SDK **2.0+**. 128* Supported architectures: **arm64 LE**. 129 130* Follow the DPDK :ref:`Getting Started Guide for Linux <linux_gsg>` to setup the basic DPDK environment. 131 132Pre-Installation Configuration 133------------------------------ 134 135Config File Options 136~~~~~~~~~~~~~~~~~~~ 137 138Basic DPAA config file options are described in :ref:`dpaa_overview`. 139In addition to those, the following options can be modified in the ``config`` file 140to enable DPAA_SEC PMD. 141 142Please note that enabling debugging options may affect system performance. 143 144* ``CONFIG_RTE_LIBRTE_PMD_DPAA_SEC`` (default ``n``) 145 By default it is only enabled in defconfig_arm64-dpaa-* config. 146 Toggle compilation of the ``librte_pmd_dpaa_sec`` driver. 147 148* ``CONFIG_RTE_DPAA_SEC_PMD_MAX_NB_SESSIONS`` 149 By default it is set as 2048 in defconfig_arm64-dpaa-* config. 150 It indicates Number of sessions to create in the session memory pool 151 on a single DPAA SEC device. 152 153Installations 154------------- 155To compile the DPAA_SEC PMD for Linux arm64 gcc target, run the 156following ``make`` command: 157 158.. code-block:: console 159 160 cd <DPDK-source-directory> 161 make config T=arm64-dpaa-linuxapp-gcc install 162 163Enabling logs 164------------- 165 166For enabling logs, use the following EAL parameter: 167 168.. code-block:: console 169 170 ./your_crypto_application <EAL args> --log-level=pmd.crypto.dpaa:<level> 171 172Using ``pmd.crypto.dpaa`` as log matching criteria, all Crypto PMD logs can be 173enabled which are lower than logging ``level``. 174