1 snooping, 2 dynamic multi-function descriptor formats, Snooping -91 – Freescale Semiconductor MCF5480 User Manual
Page 693: Dynamic multi-function descriptor formats -91
EU Specific Data Packet Descriptors
MCF548x Reference Manual, Rev. 3
Freescale Semiconductor
22-91
such that the same data read into the DEU, AESU, or AFEU modules can be simultaneously directed to
the MDEU module.
22.14.6.1 Snooping
As shown in
, the ST bit in the descriptor header controls the type of snooping which must
occur between the primary and secondary EU. The rationale of in-snooping vs. out-snooping is found in
security protocols which perform both encryption and integrity checking, such as IPSec.
Upon transmission of an IPSec ESP packet, the encapsulator must encrypt the packet payload, then
calculate an HMAC over the header plus encrypted payload. Because the MDEU cannot generate the
HMAC without the output of the primary EU (the one performing the encryption, typically the DEU or
AESU), the MDEU must out-snoop.
Upon receiving an IPSec packet, the decapsulator must calculate the HMAC over the encrypted portion or
the packet prior to decryption. In this case in-snooping would be used. This allows the MEDU to source
its data from the input FIFO of the primary EU without waiting for the primary EU to finish its task.
NOTE
Slightly different portions of an IPSec packet would pass through the
primary and secondary EUs in both the in-snooping and out-snooping cases.
These offsets are dealt with by providing different starting pointers and byte
lengths to the channel in the body of the descriptor.
illustrates in-snooping and out-snooping.
Figure 22-50. Snooping Example
22.14.6.2 Dynamic Multi-Function Descriptor Formats
shows the representative descriptor used for multi-function encryption such as inbound IPSec
ESP. The descriptor header encodes to select the DEU or AESU as the primary EU, and the MDEU for the
secondary EU. Because all the data necessary to calculate the HMAC in a single dynamic descriptor is
available, initialize and autopad are set, while continue is cleared in the SMODE field.
The descriptor header also encodes the descriptor type 0010, which defines the input and output ordering
for “hmac_snoop_no_afeu.” The HMAC key is loaded first, followed by the length and pointer to the data
over which the HMAC will be calculated. The DEU/AESU key is loaded next, followed by the context
(IV). The number of bytes to be ciphered and starting address will be an offset of the number of bytes being
HMAC’d. The data to be decrypted and HMAC’d is only brought in the SEC a single time, with the
In FIFO
Out FIFO
DEU
In FIFO
Out FIFO
DEU
In-Snooping
Out-Snooping
In FIFO
MDEU
In FIFO
MDEU