1.. SPDX-License-Identifier: BSD-3-Clause 2 Copyright(c) 2016 Intel Corporation. 3 4KASUMI Crypto Poll Mode Driver 5=============================== 6 7The KASUMI PMD (**librte_pmd_kasumi**) provides poll mode crypto driver 8support for utilizing Intel Libsso library, which implements F8 and F9 functions 9for KASUMI UEA1 cipher and UIA1 hash algorithms. 10 11Features 12-------- 13 14KASUMI PMD has support for: 15 16Cipher algorithm: 17 18* RTE_CRYPTO_CIPHER_KASUMI_F8 19 20Authentication algorithm: 21 22* RTE_CRYPTO_AUTH_KASUMI_F9 23 24Limitations 25----------- 26 27* Chained mbufs are not supported. 28* KASUMI(F9) supported only if hash offset and length field is byte-aligned. 29* In-place bit-level operations for KASUMI(F8) are not supported 30 (if length and/or offset of data to be ciphered is not byte-aligned). 31 32 33Installation 34------------ 35 36To build DPDK with the KASUMI_PMD the user is required to download 37the export controlled ``libsso_kasumi`` library, by registering in 38`Intel Resource & Design Center <https://www.intel.com/content/www/us/en/design/resource-design-center.html>`_. 39Once approval has been granted, the user needs to search for 40*Kasumi F8 F9 3GPP cryptographic algorithms Software Library* to download the 41library or directly through this `link <https://cdrdv2.intel.com/v1/dl/getContent/575866>`_. 42After downloading the library, the user needs to unpack and compile it 43on their system before building DPDK:: 44 45 make 46 47**Note**: When encrypting with KASUMI F8, by default the library 48encrypts full blocks of 8 bytes, regardless the number of bytes to 49be encrypted provided (which leads to a possible buffer overflow). 50To avoid this situation, it is necessary not to pass 513GPP_SAFE_BUFFERS as a compilation flag. 52Also, this is required when using chained operations 53(cipher-then-auth/auth-then-cipher). 54For this, in the Makefile of the library, make sure that this flag 55is commented out:: 56 57 #EXTRA_CFLAGS += -D_3GPP_SAFE_BUFFERS 58 59**Note**: To build the PMD as a shared library, the libsso_kasumi 60library must be built as follows:: 61 62 make KASUMI_CFLAGS=-DKASUMI_C 63 64 65Initialization 66-------------- 67 68In order to enable this virtual crypto PMD, user must: 69 70* Export the environmental variable LIBSSO_KASUMI_PATH with the path where 71 the library was extracted (kasumi folder). 72 73* Build the LIBSSO library (explained in Installation section). 74 75* Set CONFIG_RTE_LIBRTE_PMD_KASUMI=y in config/common_base. 76 77To use the PMD in an application, user must: 78 79* Call rte_vdev_init("crypto_kasumi") within the application. 80 81* Use --vdev="crypto_kasumi" in the EAL options, which will call rte_vdev_init() internally. 82 83The following parameters (all optional) can be provided in the previous two calls: 84 85* socket_id: Specify the socket where the memory for the device is going to be allocated 86 (by default, socket_id will be the socket where the core that is creating the PMD is running on). 87 88* max_nb_queue_pairs: Specify the maximum number of queue pairs in the device (8 by default). 89 90* max_nb_sessions: Specify the maximum number of sessions that can be created (2048 by default). 91 92Example: 93 94.. code-block:: console 95 96 ./l2fwd-crypto -l 1 -n 4 --vdev="crypto_kasumi,socket_id=0,max_nb_sessions=128" \ 97 -- -p 1 --cdev SW --chain CIPHER_ONLY --cipher_algo "kasumi-f8" 98 99Extra notes on KASUMI F9 100------------------------ 101 102When using KASUMI F9 authentication algorithm, the input buffer must be 103constructed according to the 3GPP KASUMI specifications (section 4.4, page 13): 104`<http://cryptome.org/3gpp/35201-900.pdf>`_. 105Input buffer has to have COUNT (4 bytes), FRESH (4 bytes), MESSAGE and DIRECTION (1 bit) 106concatenated. After the DIRECTION bit, a single '1' bit is appended, followed by 107between 0 and 7 '0' bits, so that the total length of the buffer is multiple of 8 bits. 108Note that the actual message can be any length, specified in bits. 109 110Once this buffer is passed this way, when creating the crypto operation, 111length of data to authenticate (op.sym.auth.data.length) must be the length 112of all the items described above, including the padding at the end. 113Also, offset of data to authenticate (op.sym.auth.data.offset) 114must be such that points at the start of the COUNT bytes. 115