sys/dev/qat/qat/qat_ocf.c
#include "lac_sym_hash_defs.h" | #include "lac_sym_hash_defs.h" | ||||
#include "lac_sym_qat_hash_defs_lookup.h" | #include "lac_sym_qat_hash_defs_lookup.h" | ||||
/* To get only IRQ instances */ | /* To get only IRQ instances */ | ||||
#include "icp_accel_devices.h" | #include "icp_accel_devices.h" | ||||
#include "icp_adf_accel_mgr.h" | #include "icp_adf_accel_mgr.h" | ||||
#include "lac_sal_types.h" | #include "lac_sal_types.h" | ||||
/* To disable AEAD HW MAC verification */ | |||||
#include "icp_sal_user.h" | |||||
/* QAT OCF specific headers */ | /* QAT OCF specific headers */ | ||||
#include "qat_ocf_mem_pool.h" | #include "qat_ocf_mem_pool.h" | ||||
#include "qat_ocf_utils.h" | #include "qat_ocf_utils.h" | ||||
#define QAT_OCF_MAX_INSTANCES (256) | #define QAT_OCF_MAX_INSTANCES (256) | ||||
#define QAT_OCF_SESSION_WAIT_TIMEOUT_MS (1000) | #define QAT_OCF_SESSION_WAIT_TIMEOUT_MS (1000) | ||||
MALLOC_DEFINE(M_QAT_OCF, "qat_ocf", "qat_ocf(4) memory allocations"); | MALLOC_DEFINE(M_QAT_OCF, "qat_ocf", "qat_ocf(4) memory allocations"); | ||||
▲ Show 20 Lines • Show All 378 Lines • ▼ Show 20 Lines | if (csp->csp_auth_mlen) { | ||||
qat_ssession->authLen = | qat_ssession->authLen = | ||||
pHashDefsInfo->algInfo->digestLength; | pHashDefsInfo->algInfo->digestLength; | ||||
} | } | ||||
sessionSetupData.verifyDigest = CPA_FALSE; | sessionSetupData.verifyDigest = CPA_FALSE; | ||||
} | } | ||||
switch (csp->csp_mode) { | switch (csp->csp_mode) { | ||||
case CSP_MODE_AEAD: | case CSP_MODE_AEAD: | ||||
sessionSetupData.symOperation = | |||||
CPA_CY_SYM_OP_ALGORITHM_CHAINING; | |||||
/* Place the digest result in a buffer unrelated to srcBuffer */ | |||||
sessionSetupData.digestIsAppended = CPA_TRUE; | |||||
/* For GCM and CCM driver forces to verify digest on HW */ | |||||
sessionSetupData.verifyDigest = CPA_TRUE; | |||||
if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { | |||||
sessionSetupData.cipherSetupData.cipherDirection = | |||||
CPA_CY_SYM_CIPHER_DIRECTION_ENCRYPT; | |||||
sessionSetupData.algChainOrder = | |||||
CPA_CY_SYM_ALG_CHAIN_ORDER_CIPHER_THEN_HASH; | |||||
} else { | |||||
sessionSetupData.cipherSetupData.cipherDirection = | |||||
CPA_CY_SYM_CIPHER_DIRECTION_DECRYPT; | |||||
sessionSetupData.algChainOrder = | |||||
CPA_CY_SYM_ALG_CHAIN_ORDER_HASH_THEN_CIPHER; | |||||
} | |||||
break; | |||||
case CSP_MODE_ETA: | case CSP_MODE_ETA: | ||||
sessionSetupData.symOperation = | sessionSetupData.symOperation = | ||||
CPA_CY_SYM_OP_ALGORITHM_CHAINING; | CPA_CY_SYM_OP_ALGORITHM_CHAINING; | ||||
/* Place the digest result in a buffer unrelated to srcBuffer */ | /* Place the digest result in a buffer unrelated to srcBuffer */ | ||||
sessionSetupData.digestIsAppended = CPA_FALSE; | sessionSetupData.digestIsAppended = CPA_FALSE; | ||||
/* Due to FW limitation to verify only appended MACs */ | /* Due to FW limitation to verify only appended MACs */ | ||||
sessionSetupData.verifyDigest = CPA_FALSE; | sessionSetupData.verifyDigest = CPA_FALSE; | ||||
if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { | if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { | ||||
▲ Show 20 Lines • Show All 629 Lines • ▼ Show 20 Lines | for (i = 0; i < numInstances; i++) { | ||||
/* Initialize cookie pool */ | /* Initialize cookie pool */ | ||||
status = qat_ocf_cookie_pool_init(qat_ocf_instance, dev); | status = qat_ocf_cookie_pool_init(qat_ocf_instance, dev); | ||||
if (CPA_STATUS_SUCCESS != status) { | if (CPA_STATUS_SUCCESS != status) { | ||||
device_printf(qat_softc->sc_dev, | device_printf(qat_softc->sc_dev, | ||||
"unable to create cookie pool\n"); | "unable to create cookie pool\n"); | ||||
goto fail; | goto fail; | ||||
} | } | ||||
/* Disable forcing HW MAC validation for AEAD */ | |||||
jhb: I'm curious why you need this? OCF in 13.0 and later mandates HW MAC verification for both EtA… | |||||
Done Inline ActionsThis change has been introduced as a result of the following discussion: due to the HW limitations when it comes to MAC validation (such as mlen and crp_digest_start). In the case of GCM and CCM, the QAT driver forces HW MAC validation regardless of what the caller sets in
By default force flag is set to true - OCF disables this to generate MAC by HW and perform additional checks. Please let me know if this answers your questions. MichalX.Gulbicki_intel.com: This change has been introduced as result of following discussion:
- [[ https://reviews. | |||||
Not Done Inline ActionsOk. This is fine, but some other options you might consider:
jhb: Ok. This is fine, but some other options you might consider:
1) You could reject GCM requests… | |||||
Done Inline ActionsYes, it makes sense. We can change implementation and upstream together with one of the next drops (we plan a few next year). Some concerns:
Let us know if it is acceptable to you to land this patch and address this comment in the next drops? MichalX.Gulbicki_intel.com: Yes, it makes sense. We can change implementation and upstream together with one of the next… | |||||
status = icp_sal_setForceAEADMACVerify(cyInstHandle, CPA_FALSE); | |||||
if (CPA_STATUS_SUCCESS != status) { | |||||
device_printf( | |||||
qat_softc->sc_dev, | |||||
"unable to disable AEAD HW MAC verification\n"); | |||||
goto fail; | |||||
} | |||||
qat_ocf_instance->driver_id = qat_softc->cryptodev_id; | qat_ocf_instance->driver_id = qat_softc->cryptodev_id; | ||||
startedInstances++; | startedInstances++; | ||||
continue; | continue; | ||||
fail: | fail: | ||||
/* Stop instance */ | /* Stop instance */ | ||||
status = cpaCyStopInstance(cyInstHandle); | status = cpaCyStopInstance(cyInstHandle); | ||||
if (CPA_STATUS_SUCCESS != status) | if (CPA_STATUS_SUCCESS != status) | ||||
▲ Show 20 Lines • Show All 120 Lines • ▼ Show 20 Lines | DRIVER_MODULE_ORDERED(qat, | ||||
NULL, | NULL, | ||||
SI_ORDER_ANY); | SI_ORDER_ANY); | ||||
MODULE_VERSION(qat, 1); | MODULE_VERSION(qat, 1); | ||||
MODULE_DEPEND(qat, qat_c62x, 1, 1, 1); | MODULE_DEPEND(qat, qat_c62x, 1, 1, 1); | ||||
MODULE_DEPEND(qat, qat_200xx, 1, 1, 1); | MODULE_DEPEND(qat, qat_200xx, 1, 1, 1); | ||||
MODULE_DEPEND(qat, qat_c3xxx, 1, 1, 1); | MODULE_DEPEND(qat, qat_c3xxx, 1, 1, 1); | ||||
MODULE_DEPEND(qat, qat_c4xxx, 1, 1, 1); | MODULE_DEPEND(qat, qat_c4xxx, 1, 1, 1); | ||||
MODULE_DEPEND(qat, qat_dh895xcc, 1, 1, 1); | MODULE_DEPEND(qat, qat_dh895xcc, 1, 1, 1); | ||||
MODULE_DEPEND(qat, qat_4xxx, 1, 1, 1); | |||||
MODULE_DEPEND(qat, crypto, 1, 1, 1); | MODULE_DEPEND(qat, crypto, 1, 1, 1); | ||||
MODULE_DEPEND(qat, qat_common, 1, 1, 1); | MODULE_DEPEND(qat, qat_common, 1, 1, 1); | ||||
MODULE_DEPEND(qat, qat_api, 1, 1, 1); | MODULE_DEPEND(qat, qat_api, 1, 1, 1); | ||||
MODULE_DEPEND(qat, linuxkpi, 1, 1, 1); | MODULE_DEPEND(qat, linuxkpi, 1, 1, 1); |
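Review bot: In the `CSP_MODE_AEAD` case (the lines shown in one column only, which I read as the added side), both comments contradict the code around them: "Place the digest result in a buffer unrelated to srcBuffer" is followed by `digestIsAppended = CPA_TRUE`, and "For GCM and CCM driver forces to verify digest on HW" describes forcing that the instance start-up loop switches off with `icp_sal_setForceAEADMACVerify(cyInstHandle, CPA_FALSE)`. These comments are the only in-file record of where an AEAD tag is checked, so a misleading one makes it easy for a later change to leave decryption without any verification. I would reword them to `/* Digest is appended to the data for GCM/CCM */` and `/* Request digest verification for this session; driver-level forcing is disabled at instance start */`, and extend the start-up comment to name the routine that compares the tag once forcing is off. That comparison is not in the visible lines; it is worth confirming that it is constant-time (for example `timingsafe_bcmp`) and that a mismatch fails the request with `EBADMSG` before any plaintext is returned to the caller. Both the session-setup function and the start-up loop begin and end outside the lines shown here.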
I'm curious why you need this? OCF in 13.0 and later mandates HW MAC verification for both EtA and AEAD modes. Or rather, clients must request MAC verification (CRYPTO_OP_VERIFY_DIGEST) in any decryption requests. Trying to set CRYPTO_OP_DECRYPT with CRYPTO_OP_COMPUTE_DIGEST is rejected in crypto.c before it even gets to the driver by crp_sanity() if INVARIANTS is enabled (it causes a panic even) and this requirement is documented in crypto_request(9).