AMD Alchemy Au1550 Security Network Processor Data Book
Security Engine
30283D
In addition, the packet header/trailer processors are responsible for many operations on an inbound packet such as:
Validating Sequence Number (IPsec ESP and AH)
Validating ICVs
Validating Pad Values
Stripping Headers and Trailers
Stripping Pad
Note:
Record Header processing is not provided in hardware for the SSL protocol.
The algorithm engines are fed with data from a 64-byte input buffer. A second 64-byte block is used for the output buffer.
Data for the Packet Engine is always input and output to the input/output buffers using the security engine’s DMA engine. In
its Descriptor Ring mode, the DMA movements of data are fully automatic and do not require host intervention.
The control data which specifies the processing for each packet is provided in two elements:
Packet descriptor
Security association (SA) record
The packet descriptor is a 20-byte (5 word) structure which is either written directly into the Command Queue using host
descriptor writes or is placed in a packet descriptor ring (PDR) in system memory and walked through by the security
engine using PE descriptor reads. The Packet Descriptor contains fields such as packet length which tend to vary on a per-
packet basis.
The SA record is a packed structure which contains the remainder of the information needed by the security engine to
process a packet. The SA record is automatically fetched from system memory by the security engine once it has read a valid
descriptor. The information fields in the SA record are generally static for the lifetime of the association and do not require
frequent manipulation by the Host. The SA fields which are not static include the Sequence Numbers for IPsec, and the
“State” field, but these are typically managed automatically by the security engine.
7.3.1
Packet Engine Modes and Descriptor Ring Configurations
The security engine has multiple methods for feeding descriptors into the device.
Packet Engine Mode = 0 (“Target command”) (sec_glbdmacfg[PE]=0): With the Descriptor Ring disabled, the host
initiates packet processing by writing a packet descriptor into an internal register set called the Command Queue. The
host must poll this same set of registers to determine when packet processing is complete. This mode, referred to as
target command mode, provides a generally synchronous interface between the host and the security engine.
Packet Engine Mode = 1 (“Descriptor Ring”) (sec_glbdmacfg[PE]=1): The security engine’s “Descriptor Ring” mode
may be enabled, allowing the security engine to autonomously fetch its own packet descriptors from Host memory. In this
mode, the security engine and the host operate somewhat asynchronously, with the host populating Packet Descriptors
in a ring, and the security engine consuming those descriptors, processing the referenced packets, and finally writing out
Result Descriptors. The security engine supports four descriptor ring configurations: Basic, SaPkt, PdPkt, and PdSaPkt,
all of which are selected using sec_glbdmacfg[PFD, SAP].
— PFD=0, SAP=0: The Basic Descriptor Ring configuration—The security engine has a discrete Packet Descriptor Ring
(PDR) in memory, with pointers to the packet data source and destination, and another pointer to the SA record.
— PFD=0, SAP=1: SaPkt Descriptor Ring configuration: The packet and corresponding SA are stored together in the
same buffer. As in the Basic ring configuration, the PDR and RDR are located in separate rings. In the destination
buffer, the 32-bit words for the SA are unused.
— PFD=1, SAP=0: PdPkt Descriptor Ring configuration: The packet and SA are kept in two separate buffers, but the
descriptor is located just before the corresponding packet in the same buffer. This applies to the source buffer as well as
the destination buffer.
— PFD=1, SAP=1: PdSaPkt Descriptor Ring configuration: Just two buffers are used, one for the source and one for the
destination. Each buffer contains descriptors, SAs, and packets; a descriptor and an SA precede each packet. In
the destination buffer, the 32-bit words for the SA are unused.
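As an added example (not from the data book), the following C model shows how the PFD and SAP bits of sec_glbdmacfg select where the 20-byte packet descriptor, the SA record and the packet data land inside one buffer in each of the four ring configurations. The bit positions of PE/PFD/SAP and the 64-byte SA record size are assumptions; take the real values from the register map.

```c
/* Added example (not from the AMD data book): model how the four
 * descriptor ring configurations selected by sec_glbdmacfg[PFD, SAP]
 * place the packet descriptor, SA record and packet inside one buffer.
 * The bit positions of PE/PFD/SAP and the SA record size are assumptions. */
#include <stdint.h>
#include <stdio.h>

#define PD_BYTES 20            /* packet descriptor is 5 x 32-bit words */

/* ASSUMED bit positions; take the real ones from the register map. */
#define GLBDMACFG_PE  (1u << 0)
#define GLBDMACFG_PFD (1u << 1)
#define GLBDMACFG_SAP (1u << 2)

typedef struct {
    const char *name;  /* Basic, SaPkt, PdPkt or PdSaPkt */
    int pd_off;        /* byte offset of descriptor in the buffer, -1 if in the PDR */
    int sa_off;        /* byte offset of SA in the buffer, -1 if referenced by pointer */
    int pkt_off;       /* byte offset where packet data starts */
} ring_layout_t;

/* Decode PFD/SAP and compute the source-buffer layout. Returns -1 when
 * PE=0 (target command mode), where no descriptor ring exists at all.
 * The destination buffer uses the same offsets; its SA words are unused. */
int ring_layout(uint32_t glbdmacfg, int sa_bytes, ring_layout_t *out)
{
    static const char *const names[4] = { "Basic", "SaPkt", "PdPkt", "PdSaPkt" };
    if (!(glbdmacfg & GLBDMACFG_PE))
        return -1;
    int pfd = (glbdmacfg & GLBDMACFG_PFD) != 0;
    int sap = (glbdmacfg & GLBDMACFG_SAP) != 0;
    int off = 0;
    out->name = names[(pfd << 1) | sap];
    out->pd_off = pfd ? off : -1;   /* PFD=1: descriptor precedes the packet */
    if (pfd) off += PD_BYTES;
    out->sa_off = sap ? off : -1;   /* SAP=1: SA follows the descriptor (if any) */
    if (sap) off += sa_bytes;
    out->pkt_off = off;             /* packet data begins after inline elements */
    return 0;
}

int main(void)
{
    ring_layout_t l;
    for (uint32_t cfg = 0; cfg < 8; cfg++) {
        if (ring_layout(cfg, 64, &l) == 0)   /* 64-byte SA is a constructed sample */
            printf("%-8s pd=%3d sa=%3d pkt=%3d\n", l.name, l.pd_off, l.sa_off, l.pkt_off);
    }
    return 0;
}
```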