Differential D36254 Diff 115177 sys/dev/qat/qat/qat_ocf.c

Changeset View

Standalone View

sys/dev/qat/qat/qat_ocf.c

Show All 23 Lines
#include "lac_sym_hash_defs.h"		#include "lac_sym_hash_defs.h"
#include "lac_sym_qat_hash_defs_lookup.h"		#include "lac_sym_qat_hash_defs_lookup.h"

/* To get only IRQ instances */		/* To get only IRQ instances */
#include "icp_accel_devices.h"		#include "icp_accel_devices.h"
#include "icp_adf_accel_mgr.h"		#include "icp_adf_accel_mgr.h"
#include "lac_sal_types.h"		#include "lac_sal_types.h"

		/* To disable AEAD HW MAC verification */
		#include "icp_sal_user.h"

/* QAT OCF specific headers */		/* QAT OCF specific headers */
#include "qat_ocf_mem_pool.h"		#include "qat_ocf_mem_pool.h"
#include "qat_ocf_utils.h"		#include "qat_ocf_utils.h"

#define QAT_OCF_MAX_INSTANCES (256)		#define QAT_OCF_MAX_INSTANCES (256)
#define QAT_OCF_SESSION_WAIT_TIMEOUT_MS (1000)		#define QAT_OCF_SESSION_WAIT_TIMEOUT_MS (1000)

MALLOC_DEFINE(M_QAT_OCF, "qat_ocf", "qat_ocf(4) memory allocations");		MALLOC_DEFINE(M_QAT_OCF, "qat_ocf", "qat_ocf(4) memory allocations");
▲ Show 20 Lines • Show All 378 Lines • ▼ Show 20 Lines	if (csp->csp_auth_mlen) {
qat_ssession->authLen =		qat_ssession->authLen =
pHashDefsInfo->algInfo->digestLength;		pHashDefsInfo->algInfo->digestLength;
}		}
sessionSetupData.verifyDigest = CPA_FALSE;		sessionSetupData.verifyDigest = CPA_FALSE;
}		}

switch (csp->csp_mode) {		switch (csp->csp_mode) {
case CSP_MODE_AEAD:		case CSP_MODE_AEAD:
sessionSetupData.symOperation =
CPA_CY_SYM_OP_ALGORITHM_CHAINING;
/* Place the digest result in a buffer unrelated to srcBuffer */
sessionSetupData.digestIsAppended = CPA_TRUE;
/* For GCM and CCM driver forces to verify digest on HW */
sessionSetupData.verifyDigest = CPA_TRUE;
if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) {
sessionSetupData.cipherSetupData.cipherDirection =
CPA_CY_SYM_CIPHER_DIRECTION_ENCRYPT;
sessionSetupData.algChainOrder =
CPA_CY_SYM_ALG_CHAIN_ORDER_CIPHER_THEN_HASH;
} else {
sessionSetupData.cipherSetupData.cipherDirection =
CPA_CY_SYM_CIPHER_DIRECTION_DECRYPT;
sessionSetupData.algChainOrder =
CPA_CY_SYM_ALG_CHAIN_ORDER_HASH_THEN_CIPHER;
}
break;
case CSP_MODE_ETA:		case CSP_MODE_ETA:
sessionSetupData.symOperation =		sessionSetupData.symOperation =
CPA_CY_SYM_OP_ALGORITHM_CHAINING;		CPA_CY_SYM_OP_ALGORITHM_CHAINING;
/* Place the digest result in a buffer unrelated to srcBuffer */		/* Place the digest result in a buffer unrelated to srcBuffer */
sessionSetupData.digestIsAppended = CPA_FALSE;		sessionSetupData.digestIsAppended = CPA_FALSE;
/* Due to FW limitation to verify only appended MACs */		/* Due to FW limitation to verify only appended MACs */
sessionSetupData.verifyDigest = CPA_FALSE;		sessionSetupData.verifyDigest = CPA_FALSE;
if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) {		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) {
▲ Show 20 Lines • Show All 629 Lines • ▼ Show 20 Lines	for (i = 0; i < numInstances; i++) {
/* Initialize cookie pool */		/* Initialize cookie pool */
status = qat_ocf_cookie_pool_init(qat_ocf_instance, dev);		status = qat_ocf_cookie_pool_init(qat_ocf_instance, dev);
if (CPA_STATUS_SUCCESS != status) {		if (CPA_STATUS_SUCCESS != status) {
device_printf(qat_softc->sc_dev,		device_printf(qat_softc->sc_dev,
"unable to create cookie pool\n");		"unable to create cookie pool\n");
goto fail;		goto fail;
}		}

		/* Disable forcing HW MAC validation for AEAD */
		jhbUnsubmitted Not Done Inline Actions I'm curious why you need this? OCF in 13.0 and later mandates HW MAC verification for both EtA and AEAD modes. Or rather, clients must request MAC verification (CRYPTO_OP_VERIFY_DIGEST) in any decryption requests. Trying to set CRYPTO_OP_DECRYPT with CRYPTO_OP_COMPUTE_DIGEST is rejected in crypto.c before it even gets to the driver by crp_sanity() if INVARIANTS is enabled (it causes a panic even) and this requirement is documented in crypto_request(9). jhb: I'm curious why you need this? OCF in 13.0 and later mandates HW MAC verification for both EtA…
		MichalX.Gulbicki_intel.comAuthorUnsubmitted Done Inline Actions This change has been introduced as result of following discussion: GMAC MAC validation discussion due the HW limitations when it comes to MAC validation (such like mlen and crp_digest_start) we have decided to this partially in SW (the same approach as initial QAT OCF implementation). HW is responsible for generating MAC and SW checks if it is consistent with provided one - taking into account mlen as well (see symDpCallback). It has been tested and accepted by Mark. In case of GCM and CCM, QAT driver forces HW MAC validation regardles of what the caller sets in sessionSetupData.verifyDigest. To overcome this limitation and not break backward compatibility we have introduced: icp_sal_setForceAEADMACVerify(CpaInstanceHandle instanceHandle, CpaBoolean forceAEADMacVerify) By default force flag is set to true - OCF disables this to generate MAC by HW and perform additional checks. Please let me know if this answers your questions. MichalX.Gulbicki_intel.com: This change has been introduced as result of following discussion: - [[ https://reviews.
		jhbUnsubmitted Not Done Inline Actions Ok. This is fine, but some other options you might consider: You could reject GCM requests whose `csp_auth_mlen` specifies a value that QAT doesn't support. I think there are some NIST KAT tests that use tag lengths that aren't 16, but I think all of the other use cases in the kernel (IPsec, TLS, disk encryption) all use 16 byte tags. You could work around the issue of needing the digest adjacent to the payload by just rewriting your scatter/gather lists you submit to the firmware to make the fields adjacent. This is the approach I used in ccr(4) which had some similar constraints. I get the "main" scatter/gather list from the buffer, but I then use the offset in `struct cryptop` to construct the scatter/gather list I send to the hardware, and am able to construct a scatter/gather list that always has AAD \|\| IV \|\| plaintext/ciphertext \|\| MAC. jhb: Ok. This is fine, but some other options you might consider: 1) You could reject GCM requests…
		MichalX.Gulbicki_intel.comAuthorUnsubmitted Done Inline Actions Yes, it makes sense. We can change implementation and upstream together with one of the next drops (we plan a few next year). Some concerns: Further performance measurements are required to ensure that adding another flat buffer to SGL performs at least as well as writing calculated digest back to DRAM. Another concern is that it breaks the backward compatibility with the original QAT OCF driver from FBSD 13 - not sure if we can do this. Let us know if it is acceptable to you to land this patch and address this comment in the next drops? MichalX.Gulbicki_intel.com: Yes, it makes sense. We can change implementation and upstream together with one of the next…
		status = icp_sal_setForceAEADMACVerify(cyInstHandle, CPA_FALSE);
		if (CPA_STATUS_SUCCESS != status) {
		device_printf(
		qat_softc->sc_dev,
		"unable to disable AEAD HW MAC verification\n");
		goto fail;
		}

qat_ocf_instance->driver_id = qat_softc->cryptodev_id;		qat_ocf_instance->driver_id = qat_softc->cryptodev_id;

startedInstances++;		startedInstances++;
continue;		continue;
fail:		fail:
/* Stop instance */		/* Stop instance */
status = cpaCyStopInstance(cyInstHandle);		status = cpaCyStopInstance(cyInstHandle);
if (CPA_STATUS_SUCCESS != status)		if (CPA_STATUS_SUCCESS != status)
▲ Show 20 Lines • Show All 120 Lines • ▼ Show 20 Lines	DRIVER_MODULE_ORDERED(qat,
NULL,		NULL,
SI_ORDER_ANY);		SI_ORDER_ANY);
MODULE_VERSION(qat, 1);		MODULE_VERSION(qat, 1);
MODULE_DEPEND(qat, qat_c62x, 1, 1, 1);		MODULE_DEPEND(qat, qat_c62x, 1, 1, 1);
MODULE_DEPEND(qat, qat_200xx, 1, 1, 1);		MODULE_DEPEND(qat, qat_200xx, 1, 1, 1);
MODULE_DEPEND(qat, qat_c3xxx, 1, 1, 1);		MODULE_DEPEND(qat, qat_c3xxx, 1, 1, 1);
MODULE_DEPEND(qat, qat_c4xxx, 1, 1, 1);		MODULE_DEPEND(qat, qat_c4xxx, 1, 1, 1);
MODULE_DEPEND(qat, qat_dh895xcc, 1, 1, 1);		MODULE_DEPEND(qat, qat_dh895xcc, 1, 1, 1);
		MODULE_DEPEND(qat, qat_4xxx, 1, 1, 1);
MODULE_DEPEND(qat, crypto, 1, 1, 1);		MODULE_DEPEND(qat, crypto, 1, 1, 1);
MODULE_DEPEND(qat, qat_common, 1, 1, 1);		MODULE_DEPEND(qat, qat_common, 1, 1, 1);
MODULE_DEPEND(qat, qat_api, 1, 1, 1);		MODULE_DEPEND(qat, qat_api, 1, 1, 1);
MODULE_DEPEND(qat, linuxkpi, 1, 1, 1);		MODULE_DEPEND(qat, linuxkpi, 1, 1, 1);