Professional Documents
Culture Documents
Security-IP-197 DDK v5.5 User-Guide RevA
Security-IP-197 DDK v5.5 User-Guide RevA
Protocol-IP-197
User Guide
Document Revision: A
Document Date: 2021-11-16
Document Number: 007-197550-308
Document Status: Accepted
Table of Contents
List of Tables
Table 1 Typical driver development problems .................................................................................................. 13
Table 2 DDK folders after installation ................................................................................................................ 15
List of Figures
Figure 1 EIP-197 Driver Kernel-Space and User-Space Deployments ................................................................. 26
Figure 2 MemXS and Driver Framework user-space deployment ...................................................................... 27
Figure 3 Multiple application support example .................................................................................................. 33
Figure 4 Driver Data Structure Relationships, look-aside use case..................................................................... 40
Figure 5 PCL Data Structure Relationships.......................................................................................................... 45
1 Introduction
Purpose
The Security-IP-197 Engine (also referred to as the EIP-197) contains an engine that incorporates a number
of cryptographic hardware modules used to accelerate security protocols such as IPSec, SSL and SRTP as
well as block cipher crypto and hash algorithms. The protocol functions and operations are performed
within the EIP-197 Engine as well as on the host CPU. Security functions on the host CPU relate to key
management, maintenance of the Security Association Database (SAD) and the control of the EIP-197
Engine. The EIP-96 Packet Engine is one of the main functional blocks within the EIP-197 hardware that
performs encryption, hashing and various protocol processing. Another important functional block of the
EIP-197 Engine is the EIP-207 Classification Engine. The EIP-207 block with its dedicated firmware can be
used to offload the host CPU for the packet classification and network protocol header processing.
Please see the “Dependencies and Compatibility” section of the corresponding release notes for hardware
version specific compatibility information.
The Driver Development Kit (DDK) provides a set of solutions required to develop drivers for this engine for
systems built according to the Von Neumann architecture and its derivatives such as Harvard architecture
and Modified Harvard architecture. Solutions for typical driver development problems are provided in
various forms such as documentation, API specification and example code.
Note: The DDK contains Example Drivers for the EIP-197 hardware for the x86 PC and RISC ARM Linux
platforms. However, the main purpose of this toolkit is to provide support for the customized
driver development for HW platforms and OSes chosen by the DDK users.
The purpose of this document is to provide:
• High level overview of DDK components;
• Description of typical driver development problems and solutions provided in the DDK;
• References to APIs that can be used in customized drivers;
• References to example code that can be used as a base for customized drivers;
• Reference to the other documents useful for the understanding of driver development.
Related Documents
Ref Document Document Number
[1] Security-IP Driver Framework Porting Guide 007-900440-304
[2] Security-IP-PEC SLAD Test Tool User Guide 007-903110-302
[3] Security-IP-197 DDK Test Specification 007-197550-310
[4] Security-IP-197 Firmware Reference Manual 007-197340-204
[5] Security-IP-197 Driver Software Block Diagram N/A
[6] Security-IP-197 Driver Library User Guide 007-197290-307
[7] Security-IP-201 Driver Library User Guide 007-201310-307
[8] Security-IP-197 Regression System README N/A
[9] Security-IP-197 PEC PCL Test Tool README N/A
This information is correct at the time of document release. Rambus reserves the right to update the related
documents without updating this document. Please contact Rambus for the latest document revisions.
The preferred method for getting technical support is to use our online support system at
https://sipsupport.rambus.com. If you do not have an account yet for this system, please contact Rambus
technical support (sipsupport@rambus.com).
Target Audience
This document is for software developers who want to create customized drivers for the EIP-197 hardware.
Acronyms
Acronym Description
API Application Program Interface
CCS Concurrent Context Synchronization
CDS Concurrent Device Synchronization
CPU Central Processing Unit
DDK Driver Development Kit
DMA Direct Memory Access
EIP Embedded Intellectual Property
FW Firmware
HW Hardware
I/O Input/Output
IDE Integrated Development Environment
OCE Output Classification Engine
OS Operating System
PE Packet Engine
PEC Packet Engine Control
PCL Packet Classification
RTT RealTime Trace Tool
SATB SA and Token Builder
SLAD Security Look-aside Accelerator Driver
SW Software
2 DDK Concept
Goal
The goal of the DDK is to reduce the development effort of customized drivers for the EIP-197 hardware and
enable faster integration into the customer’s system applications. Example Drivers for the EIP-197 hardware
are provided which can be used as a starting point for development of a customized driver.
Note: The provided Example Drivers are tested only with the HW platform and OS indicated in its test
report. The DDK can be used to develop a driver for other HW platforms and OSes.
Terminology
The table below describes various terms used throughout the document.
Term Description
Adapter Software component that needs to be customized for specific hardware platform, OS, use
cases, system application and required driver API.
SLAD Adapter PEC Adapter used in EIP-197 Example Combined Driver and PEC Driver for the packet I/O
functionality implemented as the PEC API used in all packet flows that perform packet I/O
via the ring interface.
PCL Adapter Adapter used in EIP-197 Example Combined Driver and PEC-PCL Driver for the packet
classification functionality implemented as the PCL API used only in packet flows that
require classification.
Global Adapter Adapter used in EIP-197 Example Combined Driver and Global Control Driver for the
packet I/O functionality implemented as the PEC API used all packet flows.
Kernel-space Driver with its API is deployed in the application kernel-space memory domain, e.g. the
deployment application with the driver runs in the kernel-space.
User-space Driver with its API is deployed in the application user-space memory domain, e.g. the
deployment application with the driver runs in the user-space.
Driver Framework Collection of software interface (API) specifications typically used by EIP Driver Libraries
and other driver components. This framework defines how to use EIP Driver Libraries in a
driver.
EIP Driver Library Software library that contains control functionality for a given EIP hardware block only and
is free of any other hardware or software functionality not related to this EIP hardware
block.
EIP-197 Kernel An Example Driver which implements the support functionality for the EIP-197 driver(s)
Support Driver deployed in Linux user-space. It also implements the support functionality for the shared
device access (for example, EIP-207 Record Cache used from different applications) for
drivers deployed in Linux user-space as well as in the Linux kernel-space.
EIP-197 Combined An Example Driver which implements the Global Control API, SLAD PEC API (with SLAD
Driver DMABuf API).
It may be used to verify EIP-197 Driver Library including Global Control, Flow Control (EIP-
207) and Ring Control (EIP-202) functionality on one driver and other DDK software
components.
Some customization effort may be required from users to start using the driver in their
system application.
EIP-197 Global Control An Example Driver that implements the Global Control API. This API allows to initialize the
Driver EIP-197 engine which includes the firmware download and to get the engine status
information. Only on instance of this API is supported.
It may be used to verify EIP-197 Driver Library including only the Global Control
functionality in one driver and other DDK software components.
Some customization effort may be required from users to start using the driver in their
system application.
EIP-197 An Example Driver which implements the SLAD PEC API, IOToken API with SLAD DMABuf
PEC Driver API. The DMABuf API allows for allocation of DMA-safe buffers which can be used
subsequently with the PEC. The PEC API allows for packet I/O between the host CPU and
the EIP-197 engine for the Look-Aside packet flows. This API is also used for the record
invalidation in the EIP-197 engine internal record cache for the Look-Aside as well as for
the In-Line packet flows. Multiple instances of this API are supported. The maximum
number of this API instances is equal to the maximum number of the EIP-202 hardware
rings supported by the EIP-197 engine.
This Driver also provides the implementation of the IOToken API which allows for IO
tokens creation, standard ones for EIP-96 as well as extended ones for the EIP-207
firmware.
This Driver may be used to verify EIP-197 Driver Library including only the Ring Control
functionality in one driver and other DDK software components. This driver must be used
together with the EIP-197 Global Control Driver.
Some customization effort may be required from users to start using the driver in their
system application.
EIP-197 An Example Driver which implements the SLAD PEC API (with SLAD DMABuf API), IOToken
PEC PCL Driver API and PCL API. The PCL API allows setting the packet classification rules so that the
engine can match the packet to the keys (transform record) for the protocol crypto
operation for the Look-aside and In-Line packet flows. Only one instance of this API is
supported. For the Inline packet flows the external Hosts system can provide the
transform (SA) record pointer to the EIP-197. In this case the EIP-197 will skip the packet
classification step and proceed with the packet and transform record using the provided
pointer.
This Driver also provides the implementation of the IOToken API.
This Driver must be used together with the EIP-197 Global Control Driver and can be used
together with the EIP-197 PEC Driver.
This Driver may be used to verify EIP-197 Driver Library including only the Flow Control
and Ring Control functionality in one driver and other DDK software components.
Some customization effort may be required from users to start using the driver in their
system application.
SLAD PEC Test Tool Application used to verify the functionality of the Driver with the integrated EIP-197 Driver
Library that implements the SLAD PEC API, IOToken API and the SLAD DMABuf API.
Classification (PCL) Application used to verify the functionality of the driver with the integrated EIP-197 Driver
Test Tool Library that implements the PCL API, SLAD PEC API, IOToken API and the SLAD DMABuf
API.
Real-Time Trace Tool Application used to trace the packet processing inside the EIP-197 Engine using the Global
(RTT) Control API. This application can be used to poll the Engine registers as well as the EIP-207
firmware state transitions which the firmware undergoes during packet processing.
Customized Driver EIP-197 driver customized for specific use cases in a system application. Usually requires
(C-Driver) significant development effort. After the customization, the driver is ready to use in a
customer’s system application.
SA Builder Software component that creates SA data structures that are specific to a particular
(standalone) packet engine, e.g. the EIP-96 Packet Engine. This component via its SA Builder (SAB) API
allows for building SA’s (transform records) with the key material in the format specific to
the EIP-96 Packet Engine for the Look-Aside packet flows. This API can be instantiated as
many times as required.
This component is not a part of the Driver, but is provided as a part of the DDK.
Extended SA Builder SA Builder that contains functionality to offload token building to the firmware. This
component via its SA Builder API allows for building SA’s (transform records) with the key
material in the format specific to the EIP-96 Packet Engine with the EIP-207 firmware
specific extensions for the Look-Aside and In-line packet flows. This API can be instantiated
as many times as required.
This component is not a part of the Driver, but is provided as a part of the DDK. This is
used for all packet flows that employ token building offload.
Token Builder Software component that creates packet tokens, as required by some packet engine types,
such as the EIP-96 Packet Engine. This component via its Token Builder (TB) API allows for
building packet processing instructions (EIP-96 Tokens) in the format specific to the EIP-96
Packet Engine for the Look-Aside packet flows. This API is used together with the SA
Builder API and can be instantiated as many times as required.
This component is not a part of the Driver, but is provided as a part of the DDK. This is
used for all packet flows that do not employ token building offload.
Packet flow A set of operations performed by the host that interacts with the EIP-197 Engine in a
specific way to process packets. Some of these packet processing operations the host can
offload to the EIP-197 Engine. The packet flow type determines which packet processing
operations can be offloaded to the EIP-197 Engine. The EIP-197 Engine together with the
DDK software and EIP-207 firmware support several packet flow types. For more details
about the supported packet flow types refer to the DDK Test Specification [3] and
Firmware Reference Manual [4].
Contents
The DDK provides a set of re-usable software components used to solve typical problems encountered by C-
Driver development. The DDK includes re-usable software components, EIP Driver Libraries that allows full
utilization of all EIP hardware features, along with extensive documentation for the provided SW
components and EIP Driver Libraries.
Note: The DDK is designed to reduce the required driver development effort, but cannot entirely
eliminate it.
Solutions are provided in the DDK in the form of:
• Re-usable driver architecture and design principles (see Driver Framework Porting Guide [1]);
• Re-usable APIs (see Driver Framework Porting Guide [1] and C header-files);
• Documentation with guidelines on how to implement the provided APIs in a customer-specific way, e.g.
guidelines for the customization effort (Porting guidelines and implementation notes);
• Re-usable SW components (C source code, user documentation):
• Re-usable software libraries (SA and Token Builders);
• Required EIP-197 Driver Library;
• Test Tool with tests formalized in ASCII-format sltf- and vp-files;
• Other re-usable SW modules;
• Example Drivers for demonstrating how to use various DDK software components for making
customized drivers specific to the EIP-197 hardware.
The EIP-197 Driver Library together with the SA and Token Builders are the most important software
components included in the DDK. The DDK targets driver development for this EIP HW block integrated in a
chip. The DDK does not include development tools such as C compiler, linker, debugger, profiler or IDE.
• EIP HW block control functionality for data I/O that includes all required operations on the EIP HW
block before it can start to input and output data, as well as operations related to data input and
output;
• Provide access to static resources such EIP HW ‘memory mapped’ I/O registers and internal memories
shared between host CPU and EIP HW block:
• Resolve endianness differences between the host CPU and the EIP HW block;
• Read and write static device resources via the appropriate hardware paths;
• Map static device resources into memory domain of the application requiring the EIP-197 Engine
services;
• Provide access to dynamic resources such as DMA buffers shared between host CPU and EIP HW block:
• Dynamic resource (buffer) allocation, buffer address and size alignment;
• Dynamic resource (buffer) address-translation when a system uses several types of addresses such
as virtual, logical, physical;
• Data-cache coherency management, when required;
• Interrupt dispatching and servicing across heterogeneous memory domains (from kernel- to user-
space);
• Compatibility with C compiler, its C Run-Time Library and basic type definitions.
The DDK provides a set of solutions for these problems in various forms as well as guidelines for integrating
these solutions in a device driver. Although the DDK attempts to solve these problems, driver development
remains a creative and challenging task requiring solid experience and skills in the field.
Other considerations:
The EIP-197 Engine contains a DMA engine. All the EIP HW blocks are Little Endian devices.
During the DDK verification
• Two different hosts were used for verification: Little Endian x86 PC and Little Endian ARMv7 on a Zynq
ZC706 FPGA board;
• The Linux OS with SLUB/SLAB as buffer allocator was used for DMA buffer allocation on both hosts;
• Different addresses were used to access the DMA buffers from the device (using DMA) and from the
host (from Linux kernel space as well as from user space), requiring proper address translation (kernel-
virtual / user-virtual to PCI bus);
• The used ARM HW platform required software-controlled data cache coherency for DMA buffers.
DDK Installation
Unpack the DDK archive then run the install_ddk.sh script once.
Note: The EIP-207 firmware must be installed in the same directory where the DDK will be installed
before running the DDK installation script.
...
[INSTALL] Installation completed successfully
#
This script will first ask whether the DDK packages must be built. If the question is answered with “y”, then
this script will prompt for the environment variables required to build the DDK and will build the Example
Drivers, SLAD Test Tool, PCL Test Tool, Demo Applications, SA Builder and Token Builder. Otherwise, the
script will just unpack and install all the software packages included in the DDK. This table shows folders
that are available after installation:
Table 2 DDK folders after installation
Integration/SHDevXS • The SHDevXS part of the Linux Kernel Support Driver and its
user-space module that provides the shared EIP-197 device
access services to the Global Control, PEC and PEC-PCL Drivers.
This Kernel Support Driver functionality is used for the Linux
user-space and kernel-space deployments of the mentioned
above drivers.
Integration/UMDevXS • The UMDevXS part of the Linux Kernel Support Driver and its
user-space module that provides the required kernel services
to the EIP-197 user-space drivers. This Kernel Support Driver
functionality is mainly used for the Linux user-space driver
deployment. This part of the driver also provides support for
the SHDevXS part of the Kernel Support Driver and centralized
PCI device registration for all other drivers, except the
Combined driver.
Integration/InterruptDispatcher • A module that allows the user mode driver to work in interrupt
mode. This component is used for the Linux user-space
deployment of the EIP-197 driver only
Integration/WorkerThread • A module that allows the user mode driver to work in interrupt
mode; the interrupt handling code runs in a separate thread.
This component is used for the Linux user-space deployment
of the EIP-197 driver only.
Component Remarks
Examples/Driver/build Makefile to build the Combined Driver
Examples/Driver/docs Documentation, including this document
Examples/Driver_GlobalControl/build Makefile to build the Global Control Driver
Examples/Driver_PEC/build Makefile to build the PEC Driver
Examples/Driver_PEC_PCL/build Makefile to build the PEC-PCL Driver
Integration/SLAD_Adapter/src SLAD Adapter provides the implementation of the Driver API (SLAD API).
PCL Adapter provides the implementation of the PCL API.
Global Control Adapter provides the implementation of the Global Control
API.
Integration/SLAD_Adapter/incl/ API to initialize and de-initialize the Combined Driver. Please refer to
api_driver197_init.h included header file for details of the API.
Integration/SLAD_Adapter/incl/ API to initialize and de-initialize the PEC Driver. Please refer to included
api_driver197_pec_init.h header file for details of the API.
Integration/SLAD_Adapter/incl/ API to initialize and de-initialize the Global Control Driver. Please refer to
api_global_driver197_init.h included header file for details of the API.
Integration/SLAD_Adapter/incl/ API exposed by Driver to read the global status of the Packet Engine and to
api_global_status_eip97.h reseed the Pseudo Random Number Generator for IV generation. Part of the
Global Control API
Integration/SLAD_Adapter/incl API exposed by Driver to read the global status of the Packet Classification
api_global_status_eip207.h hardware. Part of the Global Control API.
Integration/SLAD_Adapter/incl/api_gl API exposed by Driver to control the Deterministic Random Bit Generator.
obal_eip74.h Part of the Global Control API.
Integration/SLAD_Adapter/incl/ SLAD PEC API exposed by Driver to use EIP-197 Packet Engine. Please refer
api_pec.h to included header file for details of the API.
Integration/SLAD_Adapter/incl/ SLAD PEC SG API exposed by Driver to use EIP-197 Packet Engine in scatter-
api_pec_sg.h gather mode. Please refer to included header file for details of the API.
Integration/SLAD_Adapter/incl/ PCL API, exposed by the Driver to use the EIP-207 Packet Classification
api_pcl.h Engine. Please refer to the included header file for details of the API.
Integration/SLAD_Adapter/incl/ DMABuf API for allocating and freeing DMA buffers. Used by the Driver.
api_dmabuf.h Please refer to the included header file for details.
Integration/SLAD_Adapter/incl/ MemXS API for accessing the internal EIP HW registers and memory, mostly
api_memxs.h designed for use from test tools.
The Driver depends on several other software components, which are included in the Kit directory (see [5])
for a diagram showing these components):
• The RingHelper component for ring buffer management;
• The Log component for outputting informational messages;
• The List component for managing linked lists.
• The EIP-197 Driver Library, for low level access to the Security-IP-197 Engine. This library contains the
Global Control (EIP-197, EIP-207 and EIP-202), Flow Control (EIP-207) and Ring Control (EIP-202)
functionality;
• The EIP-74 Driver Library, for low level access to the EIP-74 Deterministic Random Bit Generator;
• The EIP-201 Driver Library, for low level access to the EIP-201 Advanced Interrupt Controller;
• The IOToken component for creating input and parsing output tokens for the Security-IP-197 Engine;
• The Driver Framework.
Further, the Driver depends on the following software components under the Integration directory:
• The Driver Framework implementation, consisting of a generic part and several parts that depend on
the driver deployment.
In addition, the Driver uses several more software components when it is deployed in the Linux user space
and is accessed by user mode applications. These are included from the Integration directory.
• Linux_UMDevXS (Kernel Support Driver for the user-space device access with its user-space
component), which provides the required Linux kernel services to the Combined Driver deployed in the
user-space.
• KernelSupport_EIP197 (Kernel Support Driver for the shared device access with its user-space
component), which provides the shared devices access to the Global Control Driver, PEC Driver and the
PEC-PCL Driver both in the user-space and in the kernel-space.
• The InterruptDispatcher and WorkerThread components that implement the interrupt dispatching
functionality for the EIP-197 Driver in the Linux user space.
Finally, the Driver depends on the EIP-197 Firmware package, which is not supplied as part of the Driver but
is supplied separately. The firmware package contains both a set of APIs that define firmware-dependent
data structures (e.g. for flow and transform records) and an image of the firmware that is to downloaded by
the driver from a file and that will subsequently be written into the EIP-197.
The EIP-197 Driver interrupt handling code can be found in these files:
• Interface:
Integration/SLAD_Adapter/src/adapter_interrupts.h
• Example implementation for Combined Driver:
• Kernel Space Deployment
Integration/SLAD_Adapter/src/lkm/adapter_interrupts.c
• User Space Deployment
Integration/InterruptDispatcher/src/UMDevXS/$HOST_HW_PLATFORM/intdispatch_umdevx
s.c
Integration/WorkerThread/src/workerthread_linuxusermode.cIntegration/SLAD_Adapte
r/src/um/adapter_intdispatch.c
• Example implementation for PEC Driver both kernel and user space deployment:
Integration/SLAD_Adapter/src/adapter_int_shdevxs.c
Example implementation for Kernel Support Driver:
• Kernel-space part
Integration/SHDevXS/KernelPart/src/shdevxs_irq.cIntegration/SLAD_Adapter/src/lkm
/adapter_interrupts.c
• User-space proxy
Integration/WorkerThread/src/workerthread_linuxusermode.cIntegration/SHDevXS/Use
rPart/src/shdevxs_irq.c
For the architecture, functional decomposition and design principles of the Driver and SLAD Adapter
module, refer to the Driver Framework Porting Guide [1]and the Security-IP-197 Driver Software Block
Diagram [5].
Several guidelines are provided below for the driver interrupt functionality customization for Symmetric
Multi-Processor (SMP) and Asymmetric Multi-Processor (AMP) use cases.
Firmware download
The Security-IP-197 contains several programmable engines, each of which requires firmware to run. These
firmware images are provided by the Firmware package and they are normally stored in binary files, which
are loaded by the driver when it is loaded.
The SLAD Adapter contains the firmware download API in the file
Integration/SLAD_Adapter/src/adapter_firmware.h. An implementation of this API receives an image
name as input and it has to provide a reference to the firmware image in an array of 32-bit words as output.
The image name is a null-terminated string and it is typically a file name.
There are two implementations of the firmware download API:
• For kernel space deployment, the implementation is in
Integration/SLAD_Adapter/src/lkm/adapter_firmware.c. It uses the Linux kernel firmware
download API to retrieve files stored under /lib/firmware.
• For user space deployment, the implementation is in
Integration/SLAD_Adapter/src/um/adapter_firmware.c. It uses the standard C library to load files
into memory. These files are stored under /lib/firmware by default, but the patch name can be
configured at compile time via the ADAPTER_FIRMWARE_PATH_PREFIX parameter.
Alternatively, it is possible to create a custom implementation of this API that does not require a file system.
The firmware package contains each of the required firmware images in the form of a C file containing an
initialized array. These C files can be linked into the driver. A customized implementation of the firmware
download API must select a reference to the correct array, depending on the supplied image name.
The Kernel Support Driver implementation for user-space device access (UMDevXS):
Kernel modules
Integration/UMDevXS/KernelPart/src
User-space Proxy
Integration/UMDevXS/UserPart/src
The Kernel Support Driver implementation for shared device access (SHDevXS):
Kernel module
Integration/SHDevXS/KernelPart/src
User-space Proxy
Integration/SHDevXS/UserPart/src
Kernel Support Driver SHDevXS (also UMDevXS) configuration files can be found here:
General configuration file
• Examples/Driver_KernelSupport/SHDevXS/build/cs_*.h
• FPGA board specific configuration file
• Examples/Driver_KernelSupport/SHDevXS/build/$HOST_HW_PLATFORM/cs_*.h
device for its resources. The driver will have to register itself in the kernel using the kernel
platform_driver_register() function using the same device name as used in the device resource data
structure while registering the device.
An alternative method would be to use the Linux kernel Device Tree Structure file in the
arch/arm/boot/dts folder where a new record for the Security-IP-197 Engine could be added. Refer to the
Linux kernel documentation for details about the device tree structure files. The driver can use the Linux
kernel OpenFirmware API (exported under GPL) to read the registered device resources, such as its register
mapping and interrupt assignments. An example of such device record in the zynq-zc706.dts device tree
file is provided below. Refer to [8]for the entire file example.
ps7_pe: eip-197@40000000 {
#address-cells = <1>;
#size-cells = <1>;
compatible = "security-ip-197-srv";
interrupt-parent = <&ps7_scugic_0>;
interrupts = <0 29 0>, <0 30 0>, <0 31 0>, <0 32 0>, <0 33 0>;
reg = <0x40000000 0x100000>;
} ;
Note: The Security-IP-197 Engine interrupt numbers will be increased by 32, so in this example 29 + 32
gives the IRQ number 61, that will be assigned for the Engine at the system’s interrupt controller.
4 Driver Deployments
The EIP-197 Driver can be deployed in two different ways:
• Both the Driver and the application using it run in the Linux kernel space.
• Both the Driver and the application using it run in the Linux user space.
The software block diagrams below show how various DDK components are used in case of the kernel-space
and user-space EIP-197 driver deployment. The following notation is used in these diagrams
EIP-207
Driver Framework Kernel
Firmware Linux kernel space
The Classification (PCL) Test Tool can be used for the verification of all packet flows and the following APIs
• Global Control API,
• Classification (PCL) API,
• SLAD PEC API,
• SLAD DMABuf API,
• SA Builder API,
• Token Builder API and
• IOToken API.
This Classification Test tool can be deployed in the kernel-space as well as in the user-space. The same is
true for the Demo Applications. The Classification Test Tool will not use the Token Builder API and PCL API
all in the same test, but will use only some of these APIs in any given test, depending on the packet flow.
The SLAD Test Tool verifies the packet flows that do not require classification and the following APIs
MemXS Executable
MemXS
Log User
Kernel-space Driver
The kernel Driver is a Linux kernel module (driver_197_k.ko) that exports all functions of the Driver
Initialization API, the SLAD PEC API, the PCL API, the Global Control API and the SLAD DMABuf API to other
kernel modules. An application can be built as a kernel module and if it is loaded after the Driver, it can use
these APIs exported by the Driver
User-space Driver
The EIP-197 Driver can be compiled as a Linux user-space statically linkable library instead of a kernel
module. In this case, the user-space applications must link with libdriver_197_u.a and with the standard
pthread library. In this deployment, the Driver provides the same APIs as in the kernel-spacer deployment.
Three additional components from the Integration directory are required to build the user-space Driver:
1. WorkerThread: component that manages a separate thread for interrupt handling.
2. InterruptDispatcher: component that delivers hardware interrupts to the user-space.
3. Linux_UMDevXS: support kernel Driver that provides the required Linux kernel services to the user
space. The user-space part of this support Driver umdevxs_proxy.o is part of the user-space EIP-197
Example Driver.
The user-space EIP-197 Driver requires the support kernel Driver that can be found in the
Integration/Linux_UMDevXS directory. This support kernel Driver can be built as the umpci_k.ko module
for PCI and as the umdevxs_k.ko module for non-PCI. It requires a suitable character device node (for
example, /dev/umpci_c for PCI and /dev/umdevxs_c for non-PCI), which can be created as follows:
Check the /proc/devices file to find the correct major device number for this device.
5 Packet Flows
The EIP-197 hardware can process packets in many different ways and the supported set of operations is
largely determined by the internal firmware. Most types of operations require the use of external software
running on the host, e.g. the SA and Token Builder. Different types of operation usually require the use of
different driver APIs and different external software components.
A set of packet operations that interacts with the Packet Engine in a specific way is called a Packet
Processing Flow. The EIP-197 Driver supports different packet flows. Three characteristics of a packet flow
are directly relevant to the EIP-197 Driver:
• The interface on which packet I/O is performed. This can either be the Ring Interface (called look-aside
operation) or a dedicated FIFO interface (called inline operation). The EIP-197 Driver supports packet
I/O for look-aside operation only, any packet I/O for inline packet flows is outside the scope of the
Driver. However, the Global Control and Classification Drivers can still be used for inline packet flows.
For look-aside operation, the application supplies (DMABuf handles) of the source and destination
buffers of each packet, possibly along with references to SA and Token data structures.
• Whether EIP-96 instruction token building is offloaded to the firmware. If this is the case, the
application does not need to supply a Packet Token Data structure for each packet.
• Whether the classification hardware is used. If this use case, the host installs one or more transforms
and flows. The hardware will classify each packet and then it will automatically perform the required
transform. The token for the packet processing by the EIP-96 Packet Engine will be constructed by the
firmware running inside the EIP-197 hardware. Therefore, token building is always offloaded when
classification is used. If classification is not used, the application must supply the correct SA pointer for
each packet.
Packets for different packet flows can be combined in a single application. A driver that contains all the
required APIs for one packet flow, can also be used for any other packet flow that requires a subset of these
APIs. However, the application must take care to use the APIs in the correct way for each packet flow. An
application may not use an SA intended for non-classification use in a packet flow with classification.
Neither may it use a hardware transform intended for a packet flow with classification in a packet flow
without classification. For each packet, the application must use the PEC API consistently with the intended
packet flow.
The IOToken API should be used by applications to provide additional information for a specific packet flow,
such as flow type, address of the transform record (SA) and receive information required for the packet
header post-processing. Also, other information specific for a packet flow can be exchanged between
applications and the EIP-207 firmware, if present, via the extended IOToken API.
Note: The Driver for its internal purposes uses the standard IOToken API only and does not use its
extension. Applications can use both the standard as well as the extended IOToken API.
6 Application Support
The application is defined as a separate memory domain such as a Linux user-space process or the entire
Linux kernel space. The EIP-197 Driver functionality can be built to support a single application for any of the
packet flows. The Driver can also be built to support multiple applications for packet flows without
classification with one application supporting a packet flow with classification. The Driver can support only
one application for with classification at a time. The table below gives an overview of the Driver build
options and the support APIs.
Note that the Combined Driver cannot be used together with any of the other Drivers from this table.
PEC Adapter
Interrupt
Log User List Ring Helper
Dispatcher
Worker
Thread
1. Make sure the Linux kernel for the host hardware platform is correctly configured. Refer to [8] for the
example Linux kernel configuration files.
$ cd Examples/$DRIVER/build
3. Set KERNEL_DIR and ARCH in the user-editable section of Makefile or as shell variables, for example:
$ export KERNEL_DIR=/usr/src/linux
$ export ARCH=x86
or
$ export ARCH=arm
or
$ export ARCH=arm64
4. If building for ARM, set cross compilation variable and the cross library path variable, for example:
$ export CROSS_COMPILE=arm-non-linux-gnueabi-
$ export CROSS_LIB_PATH=/opt/arm/arm-non-linux-gnueabi/libc/usr/lib
5. If running on a 64-bit platform, set DDK_HOST64 to “y”, when using 64-bit DMA addresses, set
DDK_DEVICE64 to “y”, for example:
$ export DDK_HOST64=y
$ export DDK_DEVICE64=y
6. Set the HOST_HW_PLATFORM variable to the appropriate hardware platform (only FPGA is supported), for
example:
$ export HOST_HW_PLATFORM=FPGA_Zynq_ZC706
7. Set the EIP197_NOF_RINGS variable to the number of ring pairs for which to create multi-application
tests.
$ export EIP197_NOF_RINGS=4
8. Set the EIP197_BUS_VERSION variable to the appropriate bus type (PLB, AXI3 or AXI4) connected to
the system bus or to the FPGA PCIe bridge, for example:
$ export EIP197_BUS_VERSION=AXI4
9. Set the paths to the required firmware directories assuming the firmware is installed in the
FW_INSTALL_DIR directory.
$ export FW_EIP207_API_DIR=$FW_INSTALL_DIR/Firmware207/incl
$ export FW_EIP207_SRC_DIR=$FW_INSTALL_DIR/Firmware207/src
$ make
This will produce both the kernel module binary (driver_197_k.ko for the Combined Driver) and the user
mode Driver in the form of a static library (libdriver_197_u.a for the Combined Driver) in the same
directory.
In order to use the user-space Combined Driver deployment Kernel Support Driver in the
Examples/Driver_KernelSupport/UMDevXS/build
directory must be built. In order to use the Global Control Driver with the PEC(-PCL) Driver, the Kernel
Support Driver in the
Examples/Driver_KernelSupport/SHDevXS/build
directory must be built.
Test Instructions
The Driver can be tested with the SLAD Test Tool as well as with the PCL Test Tool. For the detailed Test
Specification refer to document [3]. Refer also to documents [2] and [9] for testing the Driver.
8 Driver API
Combined Driver Initialization API
Reference: Integration/SLAD_Adapter/incl/api_driver197_init.h
This API contains functions to initialize and un-initialize the Combined Driver. The Driver must be initialized
via this API before any of its other functions can be called.
Reference: Integration/SLAD_Adapter/incl/api_global_driver197_init.h
This API contains functions to initialize and un-initialize the Global Control Driver. The Driver must be
initialized via this API before any of its other functions can be called.
Reference: Integration/SLAD_Adapter/incl/api_driver197_pec_init.h
This API contains functions to initialize and un-initialize the PEC Driver. The Driver must be initialized via this
API before any of its other functions can be called.
Reference: Integration/SLAD_Adapter/incl/api_driver197_pec_pcl_init.h
This API contains functions to initialize and un-initialize the PEC-PCL Driver.
This API contains functions to initialize, un-initialize, submit and receive one or multiple packets, registering
callbacks for getting a processed packet and submitting a new packet.
Functions for creating, reading and writing fragmented buffers for source and destination data; registering
callback for backfilling scatter buffers.
Please also refer to “Implementation Notes” files in Integration/SLAD_Adapter/src for specific
implementation details of this API.
This API contains functions to obtain global status information of the hardware. It can also reseed the PRNG
(Pseudo Random Number Generator) used to generate random IVs in some protocols.
Reference: Integration/SLAD_Adapter/incl/api_pcl.h
Integration/SLAD_Adapter/incl/api_pcl_dtl.h
This API contains functions to initialize, un-initialize the classification engine, to add and remove flow record
and to register and unregister hardware transform records. In addition there are functions to install and
remove entries for Direct Transform Lookup. Please also refer to “Implementation Notes” files in
Integration/SLAD_Adapter/src for specific implementation details of this API.
Reference: Integration/SLAD_Adapter/incl/api_dmabuf.h
Purpose: The Example Driver depends on an implementation of the DMABuf API. Please refer to
“Implementation Notes” for specific implementation details of this API.
Reference: Integration/SLAD_Adapter/incl/api_memxs.h
Purpose: Interface to read and write internal EIP device memory and registers.
This API contains functions for the low-level EIP device internal memory and registers access. This interface
should be used for debugging purposes only. It is available in the Global Control Driver for the user-space
driver deployment only.
IOToken API
Reference: Kit/IOToken/incl/iotoken.h
Purpose: Interface to create input and parse output tokens of the engine.
This API contains functions for creation and parsing tokens that are used for the IO operations for the
Security-IP-197 Engine.
This interface can have an extension specific to the EIP-207 firmware IO token format determined by the
firmware configuration and supported packet flows. Typically the name of such an extended IOToken API
would be iotoken_ext_*.h.
9 Data Structures
This chapter describes the most important data structures used in the EIP-197 Example Driver. It also shows
how they are used in packet flows with or without packet classification.
DMAResource record #5
DMAResource record #1
Main SA Record #1
(DMA Buffer)
n
rsio
nve DMAResource record #3
Co
FIFO
ordering
Logical Prepared Result Descriptor
#1 Packet Input/Output Data #1
n
io (DMA Buffer)
e rs
Result Descriptor Ring
nv
(DMA Buffer) Co
Con
vers
ion
DMAResource record #2
Generic Result Descriptor #1
The EIP-96SA records are dynamic resources (DMA buffers). This means that the packet engine reads and
writes data from and to these buffers using its DMA engine in the ARM. Therefore, these buffers must be
allocated by the applications that use the packet engine Driver in a DMA-safe way. To do that, the
applications must use the Driver’s SLAD DMABuf API.
Once the application has allocated the EIP-96 SA record buffers and filled them in with the data for the
required packet operation it can register these SA buffers with the Driver using the PEC_SA_Register()
function. After this the application may not change (read or write) the content of the SA buffers anymore
and it can start submitting packets to the packet engine for processing using the PEC_Packet_Put()
function and retrieving the results using the PEC_Packet_Get() function. When the SA record is not
needed anymore, which means that there are no more packets to process for this SA, it can be destroyed.
To do this, the application must first call the PEC_SA_UnRegister() function. One of the tasks of the
PEC_SA_UnRegister() function is to remove the SA record (and any associated ARC4 state) from any
internal caches of the EIP-197. After this, the application can read the SA buffer content if needed. The DMA
buffer corresponding with the SA must be freed using the SLAD DMABuf API.
There can be multiple co-existing SA records created by the application for the same packet engine. Refer to
“PEC API Implementation Notes” file in the Integration/SLAD_Adapter/src directory for the API
implementation details and further description of the SA data structures. Refer also to “DMABuf API
Implementation Notes” in the Integration/SLAD_Adapter/src directory for the implementation details of
this API.
fields (depending on the protocol) in the same way the hardware would with packets containing these fields
in their headers.
Once the hash is computed, the application can create a PCL_FlowParams_t data structure, which contains
the hash and the DMABuf handle of the transform record and add a flow record to the Hash Table with
PCL_Flow_Add(). This function will also allocate the Flow descriptor for the Hash Bucket and in case this is
an overflow bucket (does not reside in the Hash Table due to Hash ID or record type mismatch) it will also
allocate the DMA–safe buffer for this bucket in the DMA bank. Once the Flow is added to the Hash Table,
the Classification Engine can look it up. Note that each combination of source address, destination address,
IP protocol (and for certain protocols, the source and destination port as well) has a unique hash and a
separate flow record must be created for each one. This means that for outbound IPsec traffic, many flows
typically exist for one transform record.
The application can also create a transform record for direct lookup to the Hash Table by using the
PCL_DTL_Transform_Add() function.
If a Flow record is no longer needed, it can be removed from the Hash Table with PCL_Flow_Remove(). Its
resources remain allocated. The same Flow handle can now be reused for a different flow or it could be
released completely with PCL_Flow_Release(). The PCL_DTL_Transform_Remove() function can be used
to remove the transform record from the Hash Table.
The Driver maintains the lookup data structures of the Hash Table in two representations:
• An internal representation for its own administration in memory that is not DMA-safe. Any pointers
linking parts of the table together are in a form suitable for use by the Driver software (host addresses).
The host endianness is used. Each Flow record in the internal representation is represented by a
structure of type EIP207_Flow_FR_Dscr_t. In fact, PCL_FlowHandle_t is a pointer to this data
structure. It contains a reference to the DMA-safe buffer of the Flow record.
• A representation suitable for the Classification Engine. All in-memory data structures are in DMA-safe
buffers. Pointers are bus addresses as used by the hardware. The endianness required by the hardware
is used. Each record has a layout that is dictated by the EIP-207 Engine and firmware.
When the Hash Table is updated, the Driver updates both representations. It uses the internal
representation to find the correct part of the Flow Table and to find the hardware representation.
Figure 5 shows an example where one Flow record and three Transform records are used. The Classification
Engine can directly look up only one of these three Transform records, namely the Transform record
identified by Transform Handle #1. Flow record #1 is associated with its own DMA-safe buffer #1 (where the
Flow data is stored) via its own DMA Resource record #1. The latter contains a pointer to Hash Bucket
Descriptor #1 that references the DMA buffer located in the Flow Hash Table. The Flow Hash Table itself is a
DMA buffer. Hash Bucket #1 references Hash Bucket #2 and vice versa by means of the doubly-linked list
implemented in the Flow Record descriptor data structure. Hash Bucket #2 is an overflow hash bucket for
Hash Bucket #1 in this example. Flow record #1 is associated with Transform record #1 via DMA buffer #1.
Transform record identified by Transform Handle #2 can be directly looked up by the Classification Engine in
the Flow Hash Table. DMA resource record #2 of this transform contains a pointer to the Hash Bucket
descriptor #1 that is also associated with the Flow record. The Hash ID of this Flow record and this
Transform record give the same offset in the Flow Hash Table.
Transform record identified by Transform Handle #3 can also be directly looked up by the Classification
Engine in the Flow Hash Table. However, this record is referenced by the overflow Hash Bucket #2.
Hash Bucket
DMA Buffer #2 (in DMA bank)
Transform
Handle #3
Co
Buffer #5 (in DMA bank)
nve
r si o
n DMAResource
Record #4
EIP-207 Transform DMAResource
Record Descriptor #3 Record #5
DMAResource
EIP-207 Flow Record Flow Record #1
Descriptor #1
n
sio
Descriptor #1
nv
Co
Flow Record
DMA Buffer #1 (in DMA bank)
Flow Record
Handle #1 Hash Bucket
DMA Buffer (in FHT)
EIP-207 Transform
Record Descriptor #1 Transform Record
DMA Buffer #4
n
io
e rs
o nv
C
DMAResource
Transform
Record #3
Handle #1 Transform Record
DMA Buffer #3 (in DMA bank)
Transform DMAResource
Handle #2 Record #2
Conversio
n
EIP-207 Transform
Record Descriptor #2
Reference by
PCL_FlowHandle_t DMAResource handle
• DDK_EIP197_FW_IOTOKEN_METADATA_ENABLE
Define this to include 16-byte meta data in each command and result token. Metadata is copied from
the command token to the corresponding result token. This can only be enabled if both hardware and
firmware support this feature.
• DDK_EIP197_FW_CFH_ENABLE
Define this to include a special header in command and result tokens on the look-aside FIFO and the
inline interface. This can only be enabled if both hardware and firmware support this feature.
• DDK_EIP197_EIP97_BLOCK_UPDATE_APPEND
Define this to prevent the update information (length, protocol, checksum) from being appended to the
packet. Update information is generated for IPSec ESP inbound transport packets. If the packet fits into
the output buffer, the header fields can be updated in-place, otherwise the update information is
usually appended to the packet.
• DDK_EIP197_EXTENDED_ERRORS_ENABLE
Define this to support extended error codes. Bit E14 in the result descriptor indicates the presence of
an extended error code. This can only be enabled if both hardware and firmware support this feature.
• DDK_EIP202_CD_OFFSET_BYTE_COUNT
Specify the offset in bytes between command descriptors in the ring buffer in memory.
• DDK_EIP202_RD_OFFSET_BYTE_COUNT
Specify the offset in bytes between result descriptors in the ring buffer in memory.
• DDK_EIP197_FW33_FEATURES
Define this when the DDK is tested on Hardware 3.3 and Firmware 3.3. This setting only influences the
test tools, so they leave out tests for newer features on older hardware.
• DDK_EIP197_SRV_ICEOCE
Define this if the DDK is packaged for the server version of the EIP-197 with both input and output
classification engines.
• DDK_EIP197_SRV_ICE
Define this if the DDK is packaged for the server version of the EIP-197 with input classification engines
only.
• DRIVER_NAME
Specifies the driver name used for reporting in the log files and operating system.
• DRIVER_MAX_NOF_RINGS_TO_USE
Specifies the maximum number of descriptor ring pairs that can be used by the driver. If this is set
higher than the number of ring pairs supported by the hardware, the driver will use the number of rings
supported by the hardware.
• DRIVER_SWAPENDIAN
The EIP-197 Engine is little endian. If the host processor is big endian then the endianness conversion
can be enabled in the Driver. This option causes the Driver software to perform any necessary
endianness conversion. Instead of setting DRIVER_SWAPENDIAN, one can set both
DRIVER_ENABLE_SWAP_SLAVE and DRIVER_ENABLE_SWAP_MASTER to achieve the same effect. The
latter option is more efficient, but it may not be supported in all hardware environments.
• DRIVER_ENABLE_SWAP_SLAVE
This option causes the driver to configure the hardware such that it swaps the byte order of all bus
target accesses to the device.
• DRIVER_ENABLE_SWAP_MASTER
This option causes the driver to configure the hardware such that it swaps the byte order of all bus
master accesses by the device.
• DRIVER_PE_ARM_SEPARATE
The EIP-197 Engine can operate in Autonomous Ring Mode (ARM) with separate rings for command
descriptors and for result descriptor. This parameter must be defined.
• DRIVER_INTERRUPTS
The Driver can be used with or without interrupts. It provides API functions that are registered as
callbacks to be invoked on receiving interrupts. These callbacks typically submit a packet or collect a
processed packet from the device.
When interrupts are off, the Driver is said to be in “polling mode”. In this mode, the caller of the Driver
API should poll the device registers for completion of a packet processing (packet-put and packet-get
API functions) or when the device is free to ‘put’ a new packet.
When interrupts are enabled, result notification callbacks are invoked asynchronously with respect to
the main application. Special care must be taken to make these callbacks work reliably. See the
description of PEC_ResultNotify_Request in the PEC API.
• DRIVER_INTERRUPT_COALESCING
If the Driver is used with interrupts, the hardware can generate a separate interrupt for every single
result packet available or it can generate one interrupt when a certain number of packets become
available. The latter case is called interrupt coalescing mode; it is more efficient as the interrupt service
routine is invoked fewer times, but it can cause a slightly longer packet latency.
• DRIVER_SCATTERGATHER
The EIP-197 Engine is capable of processing a non-contiguous packet. It is also capable of writing back
results to non-contiguous buffers. In such a case, each buffer forming one complete input packet is
called a “Gather Particle”, while for output packet, each buffer is called a “Scatter Particle”. By enabling
this parameter, Scatter and Gather support is enabled in the Driver.
• DRIVER_BOUNCEBUFFERS
In ARM mode, the EIP-197 Engine works on DMA buffers in system memory (Descriptor ring, SA and
Data). These buffers must be DMA-safe, i.e. aligned on cache-line size and in the DMA-able address
range.
The caller can create DMA-safe buffers either by using the DMABuf API or can provide such buffers
using operations outside the Driver. If the buffer provided by the application is not DMA-safe, the
Driver can allocate a DMA-safe buffer internally and copy the result of processing back to the user-
provided buffer. Such a buffer allocated by the Driver, is called a “Bounce Buffer”.
Enabling this parameter configures the Driver to create bounce buffers. In this case, the caller does not
have to provide DMA-safe buffers.
• DRIVER_PERFORMANCE
Enabling this parameter in the Driver suppresses informational messages. These messages are helpful in
debugging but otherwise slow-down the Driver.
• DRIVER_PEC_MAX_SAS
Specify the maximum number of SA’s that will be in use at a given time. This parameter and other
parameters determine the maximum number of DMA buffers that can be used by the Driver at any
given time.
• DRIVER_PEC_MAX_PACKETS
Specify the maximum number of packets that can be under processing by the system at any given time.
This parameter determines the size of the descriptor ring or rings. This parameter is also used for
determining the maximum number of DMA buffers that can be used by the Driver at any given time.
• DRIVER_MAX_PECLOGICDESCR
Specify the maximum number of packet descriptors that the PEC_Packet_Put and PEC_Packet_Get
functions can process in a single call. This is usually equal to DRIVER_PEC_MAX_PACKETS.
• DRIVER_PE_HOLD_OUTPUT_DATA
This parameter can be used for the in-place packet transformations when the transformed result
packet is larger than the original packet. In-place means that the same packet buffer is used to store the
original as well as the transformed packet data. In such a case the result packet data can overwrite the
original packet data in the packet buffer that has not been read yet. This parameter value defines the
number of 8-byte blocks that the packet engine will hold in its internal result packet buffer until the
packet processing is completed. The value can be set to match the size of the expected data expansion
(in an encryption or outbound protocol operation) at the start of the packet data.
• DRIVER_PCL_FLOW_HASH_ENTRIES_COUNT
Specify the number of entries (hash buckets) in the flow hash table of the Packet Classification Engine.
This must be a power of two, at least 32 and at most 1048576. To make the flow lookup operation
efficient, this parameter should be set higher than the total number of flow records used in the system.
This parameter is also used for determining the maximum number of DMA buffers that can be used by
the Driver at any given time.
• DRIVER_64BIT_HOST
Define this if the Driver is to be compiled for a platform that has 64-bit addresses. Leave this undefined
for a 32-bit platform. This option is normally passed via the make file from the DDK_HOST64
environment variable.
• DRIVER_64BIT_DEVICE
Define this if the Driver must use 64-bit DMA addresses. On the hardware supported by this driver, this
must always be enabled, even on 32-bit platforms. This option is normally passed via the make file from
the DDK_DEVICE64 environment variable.
• DRIVER_MAX_NOF_PE_TO_USE
This configuration parameter determines the maximum number of the Processing Engines that can be
used by the Driver. If this is set higher than the number of PEs supported by the hardware, the driver
will use the number of PEs supported by the hardware.
• DRIVER_DMARESOURCE_BANKS_ENABLE
Define this if special DMA banks must be allocated for Transform/SA records and for Flow records. This
is required when DRIVER_64_DEVICE is set, because the hardware requires all transform records to
reside in a 4GB address range. Flow records must also reside in a 4GB address range, which may have a
different base address. The special DMA banks specified by this option are designed to satisfy these
hardware requirements.
• DRIVER_ALLOW_UNALIGNED_DMA
Define this if DMA resource buffers should be allowed at unaligned addresses.
• DRIVER_PEC_BANK_SA
Specifies the DMA resource bank ID to use for SA bouncing by the PEC API implementation.
• DRIVER_PCL_BANK_TRANSFORM
Specifies the DMA resource bank ID for the transform records allocation by the PCL API
implementation. Can be the same as DRIVER_PEC_BANK_SA.
• DRIVER_PCL_BANK_FLOW
Specifies the DMA resource bank ID for the flow records allocation by the PCL API implementation.
• DRIVER_FLOW_RECORD_COUNT
Specifies the maximum number of flow records the driver can allocate. Can be set to
DRIVER_PCL_FLOW_HASH_ENTRIES_COUNT.
• DRIVER_FLOW_RECORD_BYTE_COUNT
Specifies the flow record size. For the hybrid use case the transform record size is determined by the
EIP-207 Firmware API. For the look-aside use case the transform record size is determined by the
maximum used SA size.
• DRIVER_TRANSFORM_RECORD_COUNT
Specifies the maximum number of SA or transform records the driver can allocate. Can be set to
DRIVER_PEC_MAX_SAS.
• DRIVER_TRANSFORM_RECORD_BYTE_COUNT
Specifies the transform record size.
• DRIVER_USE_SHDEVXS
Define this if the shared device access functionality must be used by the Driver in which case it must be
either the Global Control Driver or the PEC Driver. This parameter must not be defined for the
Combined Driver.
• DRIVER_DMA_ALIGNMENT_BYTE_COUNT
Set this parameter to the desired DMA buffer address and size alignment value. The Combined Driver
can determine this value from the Engine hardware registers for the Adapter software components. For
the Driver Framework DMA Resource API implementation (namely for the DMA banks allocation) this
parameter must be configured by the user and must be set to a value either equal or greater than what
is required by the Engine hardware (master interface).
• DRIVER_RING_AIC_DISABLE
Define this if the device does not contain a ring AIC, but has the ring IRQ signals directly wired to inputs
of the global AIC instead.
• DRIVER_AIC_SEPARATE_IRQ
Define this if the each AIC (global AIC and ring AICs) have a dedicated system IRQ. If this is not defined,
only the global AIC has a system IRQ, while the ring AICs have their outputs wired to inputs of the global
AIC.
All the ADAPTER_* parameters derived from the corresponding DRIVER_* parameters are not described
below).
• LOG_SEVERITY_MAX
Trace level (for informational messages) for the Adapter module. Default value is LOG_SEVERITY_WARN
(or LOG_SEVERITY_CRITICAL if DRIVER_PERFORMANCE is set). It can be set to LOG_SEVERITY_INFO,
which will give more traces but will also slow down the Driver operation.
• ADAPTER_DESCRIPTORDONECOUNT
Specify the number of result descriptors that must be available before a result descriptor IRQ is
generated. This is used with DRIVER_INTERRUPT_COALESCING.
• ADAPTER_DESCRIPTORDONETIMEOUT
Specify a timeout to generate an interrupt when at least one result descriptor is available, but not the
number specified by ADAPTER_DESCRIPTORDONECOUNT. This is used with
DRIVER_INTERRUPT_COALESCING.
• ADAPTER_MAX_DMARESOURCE_HANDLES
Specify the maximum number of DMA Resources that can be allocated by the driver.
• ADAPTER_EIP202_DEVICES
This is a list of all EIP-202 devices. Each entry in the list specifies a CDR/RDR pair together with their
interrupts.
• ADAPTER_EIP202_AICS
This is a list of all EIP-201 AIC devices and for each device the way its output is connected: either to an
input of another AIC device or to an external interrupt at system level.
• ADAPTER_EIP202_IRQS
This is a list of all interrupts used by the Driver, for each interrupt it lists the AIC by which it is serviced,
the interrupt number within the AIC, whether to use delayed execution of the bottom half handler and
the interrupt type.
• ADAPTER_FIRMWARE_PATH_PREFIX
Specify the directory from which the driver loads firmware images in user space deployment. Specify
this with a trailing slash, for example “/usr/eip197/firmware_images/”. The default is
“/usr/firmware/”.
• ADAPTER_EIP74_GEN_BLK_SIZE
Specify the number of 128-bit pseudo-random IVs generated by the DRBG in a single block.
• ADAPTER_EIP74_RESEED_THR
Specify the maximum number of generate operations of the DRBG before a reseed operation is
absolutely required.
• ADAPTER_EIP74_RESEED_THR_EARLY
Specify the maximum number of generate operations of the DRBG before a reseed warning is given.
This is sufficiently lower than the reseed threshold, so the software has enough time to perform the
reseed.
• ADAPTER_CS_GLOBAL_INCREMENT_PKTID
Define this to configure the firmware to generating Packet IDs on outer IPv4 tunnel headers generated
in outbound ESP tunnel transforms. This applies only to hardware that contains an output classification
engine.
• ADAPTER_CS_GLOBAL_ECN_CONTROL
This is a five-bit bitmask that specifies for certain type of ECN conditions when an error result should be
returned. This is a firmware configuration option on hardware versions prior to HW3.3. For these
versions it applies only to hardware that contains an output classification engine. For hardware versions
HW3.3 and later, it is a hardware configuration option and it also applies to hardware configurations
without an output classification engine.
• ADAPTER_CS_GLOBAL_DTLS_HDR_ALIGN
Specify the size of the DTLS record header that occurs in the output packet for inbound DTLS operations
when the SA specifies that DTLS headers must be returned. This is a firmware configuration option.
When it is set to 0, each DTLS header will be 5 bytes, which is the minimum required.
• ADAPTER_CS_GLOBAL_DTLS_DEFER_CCS
If this is defined, defer all incoming DTLS packets with record type Change Cipher Spec to the slow path.
This is a firmware configuration option.
• ADAPTER_CS_GLOBAL_DTLS_DEFER_ALTERT
If this is defined, defer all incoming DTLS packets with record type Alert to the slow path. This is a
firmware configuration option.
• ADAPTER_CS_GLOBAL_DTLS_DEFER_HANDSHAKE
If this is defined, defer all incoming DTLS packets with record type Handshake to the slow path. This is a
firmware configuration option.
• ADAPTER_CS_GLOBAL_DTLS_DEFER_APDATA
If this is defined, defer all incoming DTLS packets with record type Application Data to the slow path.
This is a firmware configuration option.
• ADAPTER_CS_GLOBAL_DTLS_DEFER_CAPWAP
If this is defined, defer all incoming DTLS packets with a CAPWAP header to the slow path. This is a
firmware configuration option.
Specific for the hardware platform settings can be configured in the cs_hwpal_ext.h configuration file. For
the x86 and PowerPC architectures, a PCI-based kernel integration is used and for any other architectures,
an Open Firmware (Platform) kernel integration is used.
Note: All the HWPAL_* parameters derived from the corresponding DRIVER_* parameters are not
described below.
• LOG_SEVERITY_MAX
Trace level (for informational messages) for the Driver Framework modules. Default value is
LOG_SEVERITY_WARN (or LOG_SEVERITY_CRITICAL if DRIVER_PERFORMANCE is set). It can be set to
LOG_SEVERITY_INFO, which will give more traces but will also slow down the Driver operation.
• HWPAL_STRICT_ARGS_CHECK
Enables strict argument checking for the input parameters in all the Driver Framework API functions.
• HWPAL_DEVICES
List of devices with their names and their addresses ranges. All addresses of all devices accessed by the
driver are assumed to lie in a single address range, e.g. a single BAR on a PCI device or a single address
range as specified in the Open Firmware device tree. The start and end addresses are specified as byte
offsets with respect to the start of that range.
• HWPAL_MAX_DEVICE_NAME_LENGTH
Maximum number of characters (bytes) that can be used for a device name as used in the
HWPAL_DEVICES list of devices.
• HWPAL_DEVICE_MAGIC
Optional magic number used to validate the device administration data.
• HWPAL_DEVICE_DIRECT_MEMIO
Enables direct access to memory mapped registers of the device bypassing the OS I/O functions.
• HWPAL_PLATFORM_IRQ_IDX
Index of the IRQ used to query the physical device interrupt number via the Linux platform kernel API.
• HWPAL_USE_MSI
This is only used for a PCI (or PCIe) device. It specifies whether the device must use MSI interrupts. Note
that a similar parameter must also be specified in the configuration of the Kernel Support Driver in
cs_umdevxs_ext.h
• HWPAL_PLATFORM_DEVICE_NAME
This is only used for an Open Firmware device. It specifies the name of the device as specified in the
Open Firmware device tree. Note that a similar parameter must also be specified in the configuration of
the Kernel Support Driver in cs_umdevxs_ext.h
• HWPAL_DEVICE_READ_DELAY_US
Device_Read32() function will busy wait for the specified by this parameter number of microseconds
before actually performing the read operation. This is a workaround for posted-writes implementation
of the MMIO register slave interface when too fast write-read sequence does not work.
• HWAL_DMARESOURCE_STRICT_ARGS_CHECKS
Enables strict argument checking for the input parameters of the DMAResource API functions.
• HWAL_DMA_NRESOURCES
Specifies the maximum number of DMA resources available. Change
ADAPTER_MAX_DMARESOURCE_HANDLES instead.
• HWAL_TRACE_DMARESOURCE_LEAKS
Keep track of allocation and deallocation of DMA resources and check that at driver unload time all
allocated DMA resources are freed.
• HWAL_DMARESOURCE_ALLOC_CACHE_COHERENT
Specifies that all DMA resources must be allocated in cache-coherent memory, which does not require
cache invalidate and flush operations from the CPU.
• HWAL_DMARESOURCE_UNCACHED_MAPPING
When defined enables use of ioremap_cache for mapping memory as non-cached. This is used for
static DMA banks.
• HWAL_DMARESOURCE_MINIMUM_CACHE_CONTROL
Enable this parameter in order to use the minimal Linux DMA API, This will also cause the Linux Kernel
to perform fewer sanity checks on the provided DMA buffers.
• HWAL_DMARESOURCE_DCACHE_LINE_SIZE
Specifies the size of a single data cache line in bytes.
• HWAL_DMARESOURCE_BANKS
List of DMA resource banks together with their properties. It is possible to specify banks with a fixed
block size and a number of blocks, so the entire bank will be allocated by the operating system in one
operation, single blocks are subsequently allocated from this bank. It is also possible to specify fixed
static addresses for certain banks.
• HWAL_DMARESOURCE_BANK_STATIC_OFFSET
Specifies an offset seen by the CPU, but not by EIP hardware when accessing static DMA banks,
For other configurations, refer to the Security-IP-197 DDK Test Specification [3].
To enable the informational traces in the driver Adapter layer, ensure that the following is present in the
Examples/$DRIVER/build/cs_adapter.h file
To enable the informational traces in the Driver Framework layer ensure that the following is present in the
Examples/$DRIVER/build/cs_hwpal.h file
Inspect the cs_adapter.h and cs_hwpal.h files for the details how the traces can be configured. Note how
the DRIVER_PERFORMANCE configuration parameter influences the tracing level in these files.
Note: Configuring the driver for the informational traces in the Adapter and especially in the Driver
Framework layers will result in very long log files produced by the driver when used with
applications performing lots of requests to the driver.
(End of Document)