14. Marvell OCTEON TX2 Crypto Poll Mode Driver

The OCTEON TX2 crypto poll mode driver provides support for offloading cryptographic operations to cryptographic accelerator units on the OCTEON TX2 ® family of processors (CN9XXX).

More information about OCTEON TX2 SoCs may be obtained from https://www.marvell.com

14.1. Features

The OCTEON TX2 crypto PMD has support for:

14.1.1. Symmetric Crypto Algorithms

Cipher algorithms:

  • RTE_CRYPTO_CIPHER_NULL

  • RTE_CRYPTO_CIPHER_3DES_CBC

  • RTE_CRYPTO_CIPHER_3DES_ECB

  • RTE_CRYPTO_CIPHER_AES_CBC

  • RTE_CRYPTO_CIPHER_AES_CTR

  • RTE_CRYPTO_CIPHER_AES_XTS

  • RTE_CRYPTO_CIPHER_DES_CBC

  • RTE_CRYPTO_CIPHER_KASUMI_F8

  • RTE_CRYPTO_CIPHER_SNOW3G_UEA2

  • RTE_CRYPTO_CIPHER_ZUC_EEA3

Hash algorithms:

  • RTE_CRYPTO_AUTH_NULL

  • RTE_CRYPTO_AUTH_AES_GMAC

  • RTE_CRYPTO_AUTH_KASUMI_F9

  • RTE_CRYPTO_AUTH_MD5

  • RTE_CRYPTO_AUTH_MD5_HMAC

  • RTE_CRYPTO_AUTH_SHA1

  • RTE_CRYPTO_AUTH_SHA1_HMAC

  • RTE_CRYPTO_AUTH_SHA224

  • RTE_CRYPTO_AUTH_SHA224_HMAC

  • RTE_CRYPTO_AUTH_SHA256

  • RTE_CRYPTO_AUTH_SHA256_HMAC

  • RTE_CRYPTO_AUTH_SHA384

  • RTE_CRYPTO_AUTH_SHA384_HMAC

  • RTE_CRYPTO_AUTH_SHA512

  • RTE_CRYPTO_AUTH_SHA512_HMAC

  • RTE_CRYPTO_AUTH_SNOW3G_UIA2

  • RTE_CRYPTO_AUTH_ZUC_EIA3

AEAD algorithms:

  • RTE_CRYPTO_AEAD_AES_GCM

  • RTE_CRYPTO_AEAD_CHACHA20_POLY1305

14.1.2. Asymmetric Crypto Algorithms

  • RTE_CRYPTO_ASYM_XFORM_RSA

  • RTE_CRYPTO_ASYM_XFORM_MODEX

14.2. Installation

The OCTEON TX2 crypto PMD may be compiled natively on an OCTEON TX2 platform or cross-compiled on an x86 platform.

Refer to Marvell OCTEON TX2 Platform Guide for instructions to build your DPDK application.

Note

The OCTEON TX2 crypto PMD uses services from the kernel mode OCTEON TX2 crypto PF driver in linux. This driver is included in the OCTEON TX SDK.

14.3. Initialization

List the CPT PF devices available on your OCTEON TX2 platform:

lspci -d:a0fd

a0fd is the CPT PF device id. You should see output similar to:

0002:10:00.0 Class 1080: Device 177d:a0fd

Set sriov_numvfs on the CPT PF device, to create a VF:

echo 1 > /sys/bus/pci/drivers/octeontx2-cpt/0002:10:00.0/sriov_numvfs

Bind the CPT VF device to the vfio_pci driver:

echo '177d a0fe' > /sys/bus/pci/drivers/vfio-pci/new_id
echo 0002:10:00.1 > /sys/bus/pci/devices/0002:10:00.1/driver/unbind
echo 0002:10:00.1 > /sys/bus/pci/drivers/vfio-pci/bind

Another way to bind the VF would be to use the dpdk-devbind.py script:

cd <dpdk directory>
./usertools/dpdk-devbind.py -u 0002:10:00.1
./usertools/dpdk-devbind.py -b vfio-pci 0002:10.00.1

Note

  • For CN98xx SoC, it is recommended to use even and odd DBDF VFs to achieve higher performance as even VF uses one crypto engine and odd one uses another crypto engine.

  • Ensure that sufficient huge pages are available for your application:

    dpdk-hugepages.py --setup 4G --pagesize 512M
    

    Refer to Use of Hugepages in the Linux Environment for more details.

14.4. Debugging Options

Table 14.1 OCTEON TX2 crypto PMD debug options

#

Component

EAL log command

1

CPT

–log-level=’pmd.crypto.octeontx2,8’

14.5. Testing

The symmetric crypto operations on OCTEON TX2 crypto PMD may be verified by running the test application:

./dpdk-test
RTE>>cryptodev_octeontx2_autotest

The asymmetric crypto operations on OCTEON TX2 crypto PMD may be verified by running the test application:

./dpdk-test
RTE>>cryptodev_octeontx2_asym_autotest

14.6. Lookaside IPsec Support

The OCTEON TX2 SoC can accelerate IPsec traffic in lookaside protocol mode, with its cryptographic accelerator (CPT). OCTEON TX2 crypto PMD implements this as an RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL offload.

Refer to Security Library for more details on protocol offloads.

This feature can be tested with ipsec-secgw sample application.

14.6.1. Features supported

  • IPv4

  • IPv6

  • ESP

  • Tunnel mode

  • Transport mode(IPv4)

  • ESN

  • Anti-replay

  • UDP Encapsulation

  • AES-128/192/256-GCM

  • AES-128/192/256-CBC-SHA1-HMAC

  • AES-128/192/256-CBC-SHA256-128-HMAC