9. Marvell cnxk Crypto Poll Mode Driver

The cnxk crypto poll mode driver provides support for offloading cryptographic operations to cryptographic accelerator units on the Marvell OCTEON cnxk SoC family.

The cnxk crypto PMD code is organized into different sets of files. The file names starting with cn9k and cn10k provides support for CN9XX and CN10XX respectively. The common code between the SoCs is present in file names starting with cnxk.

More information about OCTEON cnxk SoCs may be obtained from https://www.marvell.com

9.1. Supported OCTEON cnxk SoCs

  • CN9XX
  • CN10XX

9.2. Features

The OCTEON cnxk crypto PMD has support for:

9.2.1. Symmetric Crypto Algorithms

Cipher algorithms:

  • RTE_CRYPTO_CIPHER_NULL
  • RTE_CRYPTO_CIPHER_3DES_CBC
  • RTE_CRYPTO_CIPHER_3DES_ECB
  • RTE_CRYPTO_CIPHER_AES_CBC
  • RTE_CRYPTO_CIPHER_AES_CTR
  • RTE_CRYPTO_CIPHER_AES_XTS
  • RTE_CRYPTO_CIPHER_DES_CBC
  • RTE_CRYPTO_CIPHER_KASUMI_F8
  • RTE_CRYPTO_CIPHER_SNOW3G_UEA2
  • RTE_CRYPTO_CIPHER_ZUC_EEA3

Hash algorithms:

  • RTE_CRYPTO_AUTH_NULL
  • RTE_CRYPTO_AUTH_AES_GMAC
  • RTE_CRYPTO_AUTH_KASUMI_F9
  • RTE_CRYPTO_AUTH_MD5
  • RTE_CRYPTO_AUTH_MD5_HMAC
  • RTE_CRYPTO_AUTH_SHA1
  • RTE_CRYPTO_AUTH_SHA1_HMAC
  • RTE_CRYPTO_AUTH_SHA224
  • RTE_CRYPTO_AUTH_SHA224_HMAC
  • RTE_CRYPTO_AUTH_SHA256
  • RTE_CRYPTO_AUTH_SHA256_HMAC
  • RTE_CRYPTO_AUTH_SHA384
  • RTE_CRYPTO_AUTH_SHA384_HMAC
  • RTE_CRYPTO_AUTH_SHA512
  • RTE_CRYPTO_AUTH_SHA512_HMAC
  • RTE_CRYPTO_AUTH_SNOW3G_UIA2
  • RTE_CRYPTO_AUTH_ZUC_EIA3

AEAD algorithms:

  • RTE_CRYPTO_AEAD_AES_GCM
  • RTE_CRYPTO_AEAD_CHACHA20_POLY1305

9.2.2. Asymmetric Crypto Algorithms

  • RTE_CRYPTO_ASYM_XFORM_RSA
  • RTE_CRYPTO_ASYM_XFORM_MODEX

9.3. Installation

The OCTEON cnxk crypto PMD may be compiled natively on an OCTEON cnxk platform or cross-compiled on an x86 platform.

Refer to Marvell cnxk platform guide for instructions to build your DPDK application.

Note

The OCTEON cnxk crypto PMD uses services from the kernel mode OCTEON cnxk crypto PF driver in linux. This driver is included in the OCTEON TX SDK.

9.4. Initialization

CN9K Initialization

List the CPT PF devices available on cn9k platform:

lspci -d:a0fd

a0fd is the CPT PF device id. You should see output similar to:

0002:10:00.0 Class 1080: Device 177d:a0fd

Set sriov_numvfs on the CPT PF device, to create a VF:

echo 1 > /sys/bus/pci/devices/0002:10:00.0/sriov_numvfs

Bind the CPT VF device to the vfio_pci driver:

cd <dpdk directory>
./usertools/dpdk-devbind.py -u 0002:10:00.1
./usertools/dpdk-devbind.py -b vfio-pci 0002:10.00.1

Note

  • For CN98xx SoC, it is recommended to use even and odd DBDF VFs to achieve higher performance as even VF uses one crypto engine and odd one uses another crypto engine.

  • Ensure that sufficient huge pages are available for your application:

    dpdk-hugepages.py --setup 4G --pagesize 512M
    

    Refer to Use of Hugepages in the Linux Environment for more details.

CN10K Initialization

List the CPT PF devices available on cn10k platform:

lspci -d:a0f2

a0f2 is the CPT PF device id. You should see output similar to:

0002:20:00.0 Class 1080: Device 177d:a0f2

Set sriov_numvfs on the CPT PF device, to create a VF:

echo 1 > /sys/bus/pci/devices/0002:20:00.0/sriov_numvfs

Bind the CPT VF device to the vfio_pci driver:

cd <dpdk directory>
./usertools/dpdk-devbind.py -u 0002:20:00.1
./usertools/dpdk-devbind.py -b vfio-pci 0002:20:00.1

9.5. Runtime Config Options

  • Maximum queue pairs limit (default 63)

    The number of maximum queue pairs supported by the device, can be limited during runtime by using max_qps_limit devargs parameter.

    For example:

    -a 0002:20:00.1,max_qps_limit=4
    

    With the above configuration, the number of maximum queue pairs supported by the device is limited to 4.

9.6. Debugging Options

Table 9.1 OCTEON cnxk crypto PMD debug options
# Component EAL log command
1 CPT –log-level=’pmd.crypto.cnxk,8’

9.7. Testing

The symmetric crypto operations on OCTEON cnxk crypto PMD may be verified by running the test application:

CN9K

./dpdk-test
RTE>>cryptodev_cn9k_autotest

CN10K

./dpdk-test
RTE>>cryptodev_cn10k_autotest

The asymmetric crypto operations on OCTEON cnxk crypto PMD may be verified by running the test application:

CN9K

./dpdk-test
RTE>>cryptodev_cn9k_asym_autotest

CN10K

./dpdk-test
RTE>>cryptodev_cn10k_asym_autotest

9.8. Lookaside IPsec Support

The OCTEON cnxk SoCs can accelerate IPsec traffic in lookaside protocol mode, with its cryptographic accelerator (CPT). OCTEON cnxk crypto PMD implements this as an RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL offload.

Refer to Security Library for more details on protocol offloads.

This feature can be tested with ipsec-secgw sample application.

9.8.1. Supported OCTEON cnxk SoCs

  • CN9XX
  • CN10XX

9.8.2. CN9XX Features supported

  • IPv4
  • IPv6
  • ESP
  • Tunnel mode
  • Transport mode(IPv4)
  • UDP Encapsulation
  • AES-128/192/256-GCM
  • AES-128/192/256-CBC-SHA1-HMAC
  • AES-128/192/256-CBC-SHA256-128-HMAC
  • ESN
  • Anti-replay

9.8.3. CN10XX Features supported

  • IPv4
  • ESP
  • Tunnel mode
  • Transport mode
  • UDP Encapsulation
  • AES-128/192/256-GCM
  • AES-128/192/256-CBC-NULL
  • AES-128/192/256-CBC-SHA1-HMAC