I'm curious why you need this? OCF in 13.0 and later mandates HW MAC verification for both EtA and AEAD modes. Or rather, clients must request MAC verification (CRYPTO_OP_VERIFY_DIGEST) in any decryption requests. Trying to set CRYPTO_OP_DECRYPT with CRYPTO_OP_COMPUTE_DIGEST is rejected in crypto.c before it even gets to the driver by crp_sanity() if INVARIANTS is enabled (it causes a panic even) and this requirement is documented in crypto_request(9).

This change has been introduced as result of following discussion:

• GMAC MAC validation discussion

due the HW limitations when it comes to MAC validation (such like mlen and crp_digest_start)
we have decided to this partially in SW (the same approach as initial QAT OCF implementation).
HW is responsible for generating MAC and SW checks if it is consistent with provided one - taking into
account mlen as well (see symDpCallback). It has been tested and accepted by Mark.

In case of GCM and CCM, QAT driver forces HW MAC validation regardles of what the caller sets in
sessionSetupData.verifyDigest. To overcome this limitation and not break backward compatibility
we have introduced:

• icp_sal_setForceAEADMACVerify(CpaInstanceHandle instanceHandle, CpaBoolean forceAEADMacVerify)

By default force flag is set to true - OCF disables this to generate MAC by HW and perform additional checks. Please let me know if this answers your questions.

Ok. This is fine, but some other options you might consider:

1. You could reject GCM requests whose csp_auth_mlen specifies a value that QAT doesn't support. I think there are some NIST KAT tests that use tag lengths that aren't 16, but I think all of the other use cases in the kernel (IPsec, TLS, disk encryption) all use 16 byte tags.

2. You could work around the issue of needing the digest adjacent to the payload by just rewriting your scatter/gather lists you submit to the firmware to make the fields adjacent. This is the approach I used in ccr(4) which had some similar constraints. I get the "main" scatter/gather list from the buffer, but I then use the offset in struct cryptop to construct the scatter/gather list I send to the hardware, and am able to construct a scatter/gather list that always has AAD || IV || plaintext/ciphertext || MAC.

Yes, it makes sense. We can change implementation and upstream together with one of the next drops (we plan a few next year).

Some concerns:

1. Further performance measurements are required to ensure that adding another flat buffer to SGL performs at least as well as writing calculated digest back to DRAM.
2. Another concern is that it breaks the backward compatibility with the original QAT OCF driver from FBSD 13 - not sure if we can do this.

Let us know if it is acceptable to you to land this patch and address this comment in the next drops?