170
AMD Alchemy Au1550 Security Network Processor Data Book
Security Engine
30283D
7.3.2.2 Descriptor Ring Mode (PE Mode = 1, Ring Size > 0)
PE Mode = 1 enables the PDR/RDR manager. The descriptor ring mode is more efficient because it allows the security engine and the host to operate asynchronously and allows for the queuing of multiple packets for processing. This minimizes ‘starving’ of the security engine and provides the highest possible throughput.
If the Descriptor Ring mode is enabled, the grouping configuration of the Packet Descriptors, the Packet Data, and the SA structure must be selected. Each of these elements may be in distinct locations, with the Descriptor pointing to both the Packet Data and the SA location. Or, the data elements may be linked together so that one piece follows another. This selection is
7.3.2.3 Host Writes to Command Queue (PE Mode = 1, Ring Size = 0)
With the Descriptor Ring enabled and sec_glbrsize[SIZE] = 0, the host writes each packet descriptor directly into the command queue. The packet engine then writes the result descriptor to the single-entry (5-word) external RDR location. Upon the ‘Descriptor Completed’ interrupt, the Host can write the next packet descriptor into the command queue while it copies the result from the RDR to keep the packet flow pipelined.
7.3.2.4 Target Command Mode (PE Mode = 0)
In target command mode (PE Mode = 0), the Host performs writes of a single packet descriptor (5 words) at a time directly into the command queue. In this mode, the Host must poll the last word of the command queue to determine when the command has been processed.
The Host has complete control over the descriptor flow, writing descriptors into and reading them out of the command queue. There are no external PDR or RDR rings to maintain. This mode can be useful for performing special encryption operations. For example, the PE Mode can be cleared to stop the regular packet flow, and then an operation can be written to the command queue for file encryption, key exchange, or some other relatively rare cryptographic operation. The PE Mode can then be set back to 1.
7.3.2.5 Descriptor Notification
Assuming the “External PDR” mode is used, a decision must be made as to how the security engine is made aware of new descriptors appearing on the PDR. The two choices are polling or interrupt:

In the Polling configuration, the security engine simply polls the PDR until it finds one or more entries that have the ownership bits set to the security engine. The frequency of polling, and therefore the amount of bus bandwidth that is consumed, is configurable in the sec_glbrpoll register. Separate controls are provided for normal polling and for poll retries when the descriptor read is not ready.

In the Interrupt configuration, the host populates one or more Packet Descriptors and then issues an interrupt to the security engine to tell it to fetch the descriptor(s) and begin processing. This mode usually imposes less bus overhead on the system. It also offers controlled processing latency, since the host specifies when descriptors are processed.
7.3.2.6 Result Descriptors
When the security engine finishes processing a packet, it writes a Result Descriptor to a Result Descriptor Ring (RDR). The RDR can be thought of as a mirror to the PDR. The user specifies the base address for the RDR ring.

Generally, if the host does not write packet descriptors to the internal command queue, the PDR and RDR should overlap each other. This minimizes the memory consumed for descriptors and reduces the memory bus utilization. If the PDR and RDR are in separate external locations, then an additional update is also required to the ownership bits in the PDR to prevent the security engine from re-processing old descriptors.
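The following is an added illustration, not code from the data book: a host-side software model of the ownership handshake from 7.3.2.5 (polling) and 7.3.2.6 (overlapping versus separate PDR/RDR). The descriptor word layout, bit positions and function names are assumptions made for the model, not the Au1550's actual descriptor format; it shows why a separate RDR needs the extra ownership-bit update in the PDR.

```c
#include <stdint.h>

/* Constructed model of the PDR/RDR ownership handshake described above.
 * Assumed layout (not taken from the data book): word 0 bit 31 is the
 * ownership bit (1 = security engine, 0 = host), word 1 holds the packet
 * data address, word 4 (the last word) carries the result status. */
#define DESC_WORDS 5
#define RING_SIZE  4
#define OWN_ENGINE 0x80000000u
#define STATUS_DONE 1u

typedef struct { uint32_t w[DESC_WORDS]; } desc_t;

/* Host posts a packet descriptor: fill the fields first, then hand the
 * entry to the engine by setting the ownership bit last. */
void host_post(desc_t *pdr, int idx, uint32_t data_addr) {
    pdr[idx].w[1] = data_addr;
    pdr[idx].w[0] = OWN_ENGINE;
}

/* One polling pass by the engine (7.3.2.5, polling configuration): every
 * PDR entry owned by the engine is processed and a result descriptor is
 * written to the RDR slot with the same index. Returns the number of
 * descriptors processed. If rdr == pdr the rings overlap and the result
 * write itself clears ownership; with a separate RDR the PDR entry keeps
 * its ownership bit, so it would be picked up again on the next pass. */
int engine_poll(desc_t *pdr, desc_t *rdr) {
    int done = 0;
    for (int i = 0; i < RING_SIZE; i++) {
        if (!(pdr[i].w[0] & OWN_ENGINE)) continue;
        desc_t result = { { 0, pdr[i].w[1], 0, 0, STATUS_DONE } };
        rdr[i] = result;   /* word 0 is now 0: owned by the host */
        done++;
    }
    return done;
}

/* Host reaps completed results. The extra step the text requires for
 * separate rings: clear the ownership bit in the PDR so the engine does
 * not re-process the old descriptor. Returns the number of results consumed. */
int host_reap(desc_t *pdr, desc_t *rdr, int separate_rings) {
    int reaped = 0;
    for (int i = 0; i < RING_SIZE; i++) {
        if (rdr[i].w[4] != STATUS_DONE) continue;
        rdr[i].w[4] = 0;
        if (separate_rings) pdr[i].w[0] &= ~OWN_ENGINE;
        reaped++;
    }
    return reaped;
}
```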
7.3.2.7 SA Record Storage
The SA records are always stored in system memory accessible to the security engine. Each SA record is 128 bytes in size, and there is no limit to how many SAs the security engine can support.