xref: /dpdk/doc/guides/cryptodevs/mlx5.rst (revision 9ad3a41ab2a10db0059e1decdbf3ec038f348e08)
.. SPDX-License-Identifier: BSD-3-Clause
   Copyright (c) 2021 NVIDIA Corporation & Affiliates

.. include:: <isonum.txt>

MLX5 Crypto Driver
==================

The MLX5 crypto driver library
(**librte_crypto_mlx5**) provides support for **Mellanox ConnectX-6**
family adapters.

Overview
--------

The device can provide disk encryption services,
allowing data encryption and decryption towards a disk.
Having all encryption/decryption operations done in a single device
can reduce the cost and overheads of the related FIPS certification,
as ConnectX-6 is FIPS 140-2 level-2 ready.
The encryption cipher is AES-XTS with a 256/512-bit key size.

MKEY is a memory region object in the hardware
that holds address translation information and attributes per memory area.
Its ID must be tied to the addresses provided to the hardware.
The encryption operations are performed with MKEY read/write transactions
when the MKEY is configured to perform crypto operations.

The encryption does not require the text to be aligned to the AES block size (128b).

See the :doc:`../../platform/mlx5` guide for more design details.

Configuration
-------------

See the :ref:`mlx5 common configuration <mlx5_common_env>`.

In order to move the device to crypto operational mode, a credential and a KEK
(Key Encrypting Key) should be set as the first step.
The credential will be used by the software in order to perform crypto login, and the KEK is
the AES Key Wrap Algorithm (RFC 3394) key that will be used for sensitive data
wrapping.
The credential and the AES-XTS keys should be provided to the hardware as ciphertext
encrypted by the KEK.

A keytag (64 bits) should be appended to the AES-XTS keys (before wrapping),
and will be validated when the hardware attempts to access it.

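As an added illustration (not code from DPDK or the mlx5 PMD), the following Python builds the two wrapped blobs described above: the ``wcs_file`` content (the 40-byte credential wrapped under the KEK, 48 bytes as hex) and an AES-XTS key with the 64-bit keytag appended before wrapping. It implements the RFC 3394 wrap/unwrap itself, so the 8-byte integrity value the wrap adds is visible, on top of AES from the ``cryptography`` package; the big-endian keytag encoding and the package dependency are assumptions.

```python
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes  # assumed dependency

RFC3394_IV = bytes.fromhex("A6A6A6A6A6A6A6A6")  # RFC 3394 default integrity check value

def _aes_block(kek: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Single-block AES (ECB) under the KEK; the KEK must be 16 or 32 bytes."""
    cipher = Cipher(algorithms.AES(kek), modes.ECB())
    ctx = cipher.decryptor() if decrypt else cipher.encryptor()
    return ctx.update(block) + ctx.finalize()

def aes_key_wrap(kek: bytes, plaintext: bytes) -> bytes:
    """RFC 3394 wrap: input is a multiple of 8 bytes, output is 8 bytes longer (the IV)."""
    if len(plaintext) < 16 or len(plaintext) % 8:
        raise ValueError("plaintext must be at least 16 bytes and a multiple of 8")
    n = len(plaintext) // 8
    a = int.from_bytes(RFC3394_IV, "big")
    r = [plaintext[i * 8:(i + 1) * 8] for i in range(n)]
    for j in range(6):
        for i in range(n):
            b = _aes_block(kek, a.to_bytes(8, "big") + r[i])
            a = int.from_bytes(b[:8], "big") ^ (n * j + i + 1)  # t = (n*j)+i with 1-based i
            r[i] = b[8:]
    return a.to_bytes(8, "big") + b"".join(r)

def aes_key_unwrap(kek: bytes, wrapped: bytes) -> bytes:
    """RFC 3394 unwrap; raises when the recovered IV mismatches (wrong KEK or tampering)."""
    n = len(wrapped) // 8 - 1
    a = int.from_bytes(wrapped[:8], "big")
    r = [wrapped[(i + 1) * 8:(i + 2) * 8] for i in range(n)]
    for j in range(5, -1, -1):
        for i in range(n - 1, -1, -1):
            b = _aes_block(kek, (a ^ (n * j + i + 1)).to_bytes(8, "big") + r[i], decrypt=True)
            a, r[i] = int.from_bytes(b[:8], "big"), b[8:]
    if a.to_bytes(8, "big") != RFC3394_IV:
        raise ValueError("integrity check failed: wrong KEK or corrupted blob")
    return b"".join(r)

def build_wcs_file_content(kek: bytes, credential: bytes) -> str:
    """wcs_file body: the 40-byte credential wrapped under the KEK as 96 hex chars (48 bytes)."""
    if len(credential) != 40:
        raise ValueError("credential must be exactly 40 bytes")
    return aes_key_wrap(kek, credential).hex()

def wrap_xts_key(kek: bytes, xts_key: bytes, keytag: int) -> bytes:
    """Cipher xform key: AES-XTS key (32 or 64 bytes) with the 64-bit keytag appended, wrapped."""
    if len(xts_key) not in (32, 64):
        raise ValueError("AES-XTS key must be 256 or 512 bits")
    return aes_key_wrap(kek, xts_key + keytag.to_bytes(8, "big"))  # keytag byte order is assumed
```

Unwrapping is included so that a blob can be checked against the KEK on the host before it is handed to the PMD.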
When crypto engines are defined to work in the wrapped import method, they come out
of the factory in Commissioning mode and thus cannot be used for crypto operations
yet. A dedicated tool is used for changing the mode from Commissioning to
Operational, while setting the first import_KEK and credential in plaintext.
The mlxreg dedicated tool should be used as follows:

- Set the CRYPTO_OPERATIONAL register to put the device in crypto operational mode.

  The input to this tool is:

  - The first credential in plaintext, 40B.
  - The first import_KEK in plaintext: kek size 0 for 16B or 1 for 32B, kek data.

  Example::

     mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL --get

  The "wrapped_crypto_operational" value will be "0x00000000".
  The command to set the register should be executed only once, and all the
  values mentioned above should be specified in the same command.

  Example::

     mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL \
     --set "credential[0]=0x10000000, credential[1]=0x10000000, kek[0]=0x00000000"

  All values not specified will remain 0.
  "wrapped_crypto_going_to_commissioning" and "wrapped_crypto_operational"
  should not be specified.

  The register should be set on all the device ports in order to move to operational mode.
  For BlueField-2, the internal ports in the ARM system should also be set.

- Query the CRYPTO_OPERATIONAL register to make sure the device is in Operational
  mode.

  Example::

     mlxreg -d /dev/mst/mt4123_pciconf0 --reg_name CRYPTO_OPERATIONAL --get

  The "wrapped_crypto_operational" value will be "0x00000001" if the mode was
  successfully changed to operational mode.

  The mlx5 crypto PMD can be verified by running the test application::

     dpdk-test -c 1 -n 1 -w <dev>,class=crypto,wcs_file=<file_path>
     RTE>>cryptodev_mlx5_autotest


Driver options
--------------

Please refer to :ref:`mlx5 common options <mlx5_common_driver_options>`
for an additional list of options shared with other mlx5 drivers.

- ``wcs_file`` parameter [string] - mandatory

  File path including only the wrapped credential, in string format of hexadecimal
  numbers, representing 48 bytes (including the 8-byte IV added by the AES key wrap algorithm).

- ``import_kek_id`` parameter [int]

  The identifier of the KEK; the default value 0 represents the operational
  register import_kek.

- ``credential_id`` parameter [int]

  The identifier of the credential; the default value 0 represents the operational
  register credential.

- ``keytag`` parameter [int]

  The plaintext of the keytag appended to the AES-XTS keys; the default value is 0.

- ``max_segs_num`` parameter [int]

  Maximum number of mbuf chain segments (src or dest); the default value is 8.


Supported NICs
--------------

* Mellanox\ |reg| ConnectX\ |reg|-6 200G MCX654106A-HCAT (2x200G)
* Mellanox\ |reg| BlueField-2 SmartNIC
* Mellanox\ |reg| ConnectX\ |reg|-6 Dx


Limitations
-----------

- AES-XTS keys provided in the xform must include the keytag and should be wrapped.
- The supported data-unit lengths are 512B, 4KB and 1MB. If ``dataunit_len``
  is not provided in the cipher xform, the OP length is limited to the above
  values.


Prerequisites
-------------

FW Prerequisites
~~~~~~~~~~~~~~~~

- xx.31.0328 for ConnectX-6.
- xx.32.0108 for ConnectX-6 Dx and BlueField-2.

Linux Prerequisites
~~~~~~~~~~~~~~~~~~~

- Mellanox OFED version: **5.3**.
- Compilation can also be done with rdma-core v15+.

  See :ref:`mlx5 common prerequisites <mlx5_linux_prerequisites>` for more details.

Windows Prerequisites
~~~~~~~~~~~~~~~~~~~~~

- Mellanox WINOF-2 version: **2.60** or higher.
  See :ref:`mlx5 common prerequisites <mlx5_windows_prerequisites>` for more details.

167