Symmetric Cryptographic Intel FPGA Hard IP User Guide

ID 714305
Date 10/31/2022
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

5.3.3. Stream and Channel ID Buffering

The AES/SM4 Inline Cryptographic Accelerator supports four segments (0, 1, 2, and 3) within each data bus. Each segment contains 16 bytes. The end of packet (EOP) for a specific channel may occur in any of these segments (0, 1, 2, or 3). This feature is only available for the MACsec profile.

If EOP occurs in segments 1, 2, or 3, the subsequent segment can contain the start of packet (SOP) for another channel in supporting the MACsec profile for multi-packet mode.

The TID[31:0] signal specifies the stream and channel ID(s) for packet 0 and packet 1. Packet 0 supports both Single Packet Profile and Multi Packet Profile. Packet 1 supports Multi Packet Profile. Packet 0 is a starting packet in a MACsec profile or the only packet in the cycle. Packet 1 is an ending packet in the cycle in a MACsec profile.

  • TID[31:16]—Stream ID for packet 1
  • TID[25:16]—Channel ID for packet 1
  • TID[15:10]—Stream ID for packet 0
  • TID[9:0]—Channel ID for packet 0
The TID[31:0] signal is valid on the first clock cycle when tvalid signal is asserted.

The IP allows only a single SOP per any clock cycle. Sending multiple SOPs per the same cycle is not allowed. Similarly, only a single EOP per any clock cycle is allowed. If two packets are present within the same cycle, both packets must be the same stream.

The Symmetric Cryptographic IP core implements per stream register on AXI-ST RX data path MAC Security profile to store the channel ID of the first packet, packet 0. The IP core stares the channel ID at the start of the packet (SOP). When the IP core observes 2 packets within the same cycle, the previously stored channel ID belongs the packet 1 and the IP core stores the channel ID of the new packet 0 into the per stream register. When the AES/SM4 Inline Cryptographic Accelerator sends the EOP signal, the stored channel ID is assigned to the TID signal.

In the example below, the Symmetric Cryptographic IP core receives 4 requests from stream 0 and stream 1: during the cycle 0, the stream 0 EOP packet 1 accessing channel 1 and SOP packet 0 accesses channel 4. In cycle 1, the stream 1 EOP packet 1 is accessing channel 6 and SOP packet 0 accesses channel 7.
Table 28.  Example of Stream and Channel ID Buffering
Cycle 0 1 2 3
Profile MACsec MACsec MACsec MACsec
tvalid 1 1 1 1
tlast 1 1 0 0
tuser.TID[31:0]={Stream ID for Pkt 1, Channel ID for Pkt 1, Stream ID for Pkt 0, Channel ID for Pkt 0}
TID[31:26] 0 1 X X
TID[25:16] 1 6 X X
TID[15:10] 0 1 0 1
TID[9:0] 4 7 4 7
tkeep All 1s All 1s All 1s All 1s
DATA
tdata[127:0] EOP (Pkt 1) Data (Pkt 1) Data (Pkt 0) Data (Pkt 0)
tdata[255:128] SOP (Pkt 0) EOP (Pkt 1) Data (Pkt 0) Data (Pkt 0)
tdata[391:256] Data (Pkt 0) Idle Data (Pkt 0) Data (Pkt 0)
tdata[511:392] Data (Pkt 0) SOP (Pkt 0) Data (Pkt 0) Data (Pkt 0)

Internally, the Symmetric Cryptographic IP core stores the packet 1 channel 1 and 6 into stream 0 and 1 registers respectively during the SOP. When the AES/SM4 Inline Cryptographic Accelerator returns the EOP, the soft logic extracts the channel ID from the stream register and appends it to the TID[31:16] and sends it to the customer logic. The TID[15:0] is assigned with the stream and channel ID based on the packet with the SOP in the same cycle.

In Multi Packet Mode, 32 bits of TID are used to indicate the Stream and Channel ID for both packet within same cycle. In Single Packet Mode, only 16 bits of TID are used to indicate the Stream and Channel ID for the single packet. Upper 16 bits of TID (packet 1) are ignored.