|
| 1 | +/* |
| 2 | +Copyright 2022 Advanced Micro Devices, Inc |
| 3 | +
|
| 4 | +Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | +you may not use this file except in compliance with the License. |
| 6 | +You may obtain a copy of the License at |
| 7 | +
|
| 8 | + http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | +
|
| 10 | +Unless required by applicable law or agreed to in writing, software |
| 11 | +distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | +See the License for the specific language governing permissions and |
| 14 | +limitations under the License. |
| 15 | +*/ |
| 16 | + |
| 17 | +/// Crypto accelerator Extern definition |
| 18 | + |
| 19 | +/// Crypto accelerator object is instantiated for each crypto algorithm |
| 20 | +enum crypto_algorithm_e { |
| 21 | + AES_GCM |
| 22 | +} |
| 23 | + |
| 24 | +/// Results from crypto accelerator |
| 25 | +enum crypto_results_e { |
| 26 | + SUCCESS, |
| 27 | + AUTH_FAILURE, |
| 28 | + HW_ERROR |
| 29 | +} |
| 30 | + |
| 31 | +/// special value to indicate that ICV is after the crypto payload |
| 32 | +#define ICV_AFTER_PAYLOAD ((int<32>)-1) |
| 33 | + |
| 34 | +/// The crypto_accelerator engine used in this example uses AES-GCM algorithm. |
| 35 | +/// It is assumed to be agnostic to wire protocols i.e. does not understand protocol |
| 36 | +/// specific headers like ESP, AH etc |
| 37 | +/// |
| 38 | +/// The crypto accelerator does not modify the packet outside the payload area and ICV |
| 39 | +/// Any wire-protocol header, trailer add/remove is handled by P4 pipeline |
| 40 | +/// The engine does not perform additional functions such as anti-replay protection, it |
| 41 | +/// is done in P4 pipeline |
| 42 | +/// |
| 43 | +/// Crypto Engine takes the following inputs: |
| 44 | +/// - key, iv, icv_location/size, enable_auth, auth_data (aka AAD), payload location |
| 45 | +/// In some protocols AAD can be present in the packet (e.g ESP header), in that case AAD |
| 46 | +/// can be specified as offset/len within the packet. Additional auth data |
| 47 | +/// that is not part of the packet can also be provided |
| 48 | +/// On encrypt operation, icv_location/size indicates that icv is inserted in the |
| 49 | +/// packet at the specified packet offset |
| 50 | +/// On decrypt operation, icv_location and size is used for auth validation |
| 51 | +/// |
| 52 | +/// Example: |
| 53 | +/// Encrypt operation: |
| 54 | +/// Parameters passed : key, iv, icv_location/size, enable_auth, auth_data |
| 55 | +/// Packet presented to the engine - |
| 56 | +/// +------------------+--------------------------+-----------+ |
| 57 | +/// | Headers not to | Encryption protocol | payload | |
| 58 | +/// | be Encrypted | headers (E.g Esp, Esp-IV)| | |
| 59 | +/// +------------------+----------------------- -+-----------+ |
| 60 | +/// Packet after Encryption: |
| 61 | +/// +------------------+--------------------------+-----------+-----------+ |
| 62 | +/// | Headers not to | Encryption protocol | Encrypted | ICV (opt) | |
| 63 | +/// | be Encrypted | headers (E.g Esp, Esp-IV)| Payload | | |
| 64 | +/// +------------------+--------------------------+-----------+-----------+ |
| 65 | +/// ICV can be inserted either before or right after the encrypted payload |
| 66 | +/// as specified by icv_location/size |
| 67 | +/// Results: Success, Hardware Error |
| 68 | +/// |
| 69 | +/// Decrypt operation: |
| 70 | +/// Parameters passed : key, iv, icv_location/size, enable_auth, auth_data |
| 71 | +/// Packet presented to the engine - |
| 72 | +/// +------------------+--------------------------+-----------+-----+ |
| 73 | +/// | Headers not to | Encryption protocol | Encrypted | ICV | |
| 74 | +/// | Encrypted | headers (E.g Esp, Esp-IV)| Payload | | |
| 75 | +/// +------------------+--------------------------+-----------+-----+ |
| 76 | +/// Packet after decrytion: |
| 77 | +/// +------------------+--------------------------+-----------+-----+ |
| 78 | +/// | Headers not to | Encryption protocol | cleartext | ICV | |
| 79 | +/// | Encrypted | headers (E.g Esp, Esp-IV)| Payload | | |
| 80 | +/// +------------------+-- ----------------------+-----------+-----+ |
| 81 | +/// Results: Success, Auth Failure, Hardware Error |
| 82 | +/// |
| 83 | +extern crypto_accelerator { |
| 84 | + /// constructor |
| 85 | + /// Some methods provided in this object may be specific to an algorithm used. |
| 86 | + /// Compiler may be able to check and warn/error when incorrect methods are used |
| 87 | + crypto_accelerator(crypto_algorithm_e algo); |
| 88 | + |
| 89 | + |
| 90 | + // security association index for this security session |
| 91 | + // Some implementations do not need it.. in that case this method should result in no-op |
| 92 | + void set_sa_index<T>(in T sa_index); |
| 93 | + |
| 94 | + // Set the initialization data based on protocol used. E.g. salt, random number/ counter for ipsec |
| 95 | + void set_iv<T>(in T iv); |
| 96 | + void set_key<T,S>(in T key, in S key_size); // 128, 192, 256 |
| 97 | + |
| 98 | + // The format of the auth data is not specified/mandated by this object definition |
| 99 | + // If it is part of the packet, it can be specified using offset/len mothods below |
| 100 | + void set_auth_data_offset<T>(in T offset); |
| 101 | + void set_auth_data_len<T>(in T len); |
| 102 | + |
| 103 | + // Alternatively: Following API can be used to consturct the auth_data and |
| 104 | + // provide it to the engine. |
| 105 | + void add_auth_data<H>(in H auth_data); |
| 106 | + |
| 107 | + // Auth trailer aka ICV is added by the engine after doing encryption operation |
| 108 | + // Specify icv location - when a wire protocol wants to add ICV in a specific location (e.g. AH) |
| 109 | + // The following apis can be used to specify the location of ICV in the packet |
| 110 | + // A special offset indicates ICV is after the payload |
| 111 | + void set_icv_offset<T>(in T offset); |
| 112 | + void set_icv_len<L>(in L len); |
| 113 | + |
| 114 | + // setup payload to be encrypted/decrypted |
| 115 | + void set_payload_offset<T>(in T offset); |
| 116 | + void set_payload_len<T>(in T len); |
| 117 | + |
| 118 | + // crypto accelerator runs at the end of the pipeline (after deparser), the following |
| 119 | + // methods will enable the accelerator to run encrypt/decrypt operations |
| 120 | + // enable_auth flag enables authentication check for decrypt. For encrypt operation, |
| 121 | + // auth data computed, is added to specified icv_offset/len |
| 122 | + void enable_encrypt<T>(in T enable_auth); |
| 123 | + void enable_decrypt<T>(in T enable_auth); |
| 124 | + |
| 125 | + // disable crypto engine. Between enable and disable methods, |
| 126 | + // whichever method is called last overrides the previous calls |
| 127 | + void disable(); |
| 128 | + |
| 129 | + // get results of the previous operation |
| 130 | + crypto_results_e get_results(); |
| 131 | +} |
0 commit comments