[PATCH 16/30] net/mlx5/hws: support IPsec encryption/decryption action

[Gregory Etelson <getelson@nvidia.com>]

From: Hamdan Igbaria <hamdani@nvidia.com>

Support crypto action creation, this action allows encryption/decryption
of the packet according a specific security crypto protocol.
For now we support encryption/decryption according ipsec protocol.
ipsec encryption handles the encoding of the data.
ipsec decryption handles the decoding of the data and a decryption result
status will be placed in the ipsec_syndrome field.
Both operations should be used only for packets that have esp header and
ipsec trailer.

Signed-off-by: Hamdan Igbaria <hamdani@nvidia.com>
Reviewed-by: Alex Vesker <valex@nvidia.com>
Acked-by: Matan Azrad <matan@nvidia.com>
---
 drivers/common/mlx5/mlx5_prm.h        |  12 ++
 drivers/net/mlx5/hws/mlx5dr.h         |  42 +++++++
 drivers/net/mlx5/hws/mlx5dr_action.c  | 172 +++++++++++++++++++++++++-
 drivers/net/mlx5/hws/mlx5dr_action.h  |  44 ++++---
 drivers/net/mlx5/hws/mlx5dr_cmd.c     |   8 ++
 drivers/net/mlx5/hws/mlx5dr_cmd.h     |   2 +-
 drivers/net/mlx5/hws/mlx5dr_debug.c   |   2 +
 drivers/net/mlx5/hws/mlx5dr_matcher.c |   5 +
 8 files changed, 266 insertions(+), 21 deletions(-)

diff --git a/drivers/common/mlx5/mlx5_prm.h b/drivers/common/mlx5/mlx5_prm.h
index 2b499666f8..0eecf0691b 100644
--- a/drivers/common/mlx5/mlx5_prm.h
+++ b/drivers/common/mlx5/mlx5_prm.h
@@ -3498,6 +3498,8 @@ enum mlx5_ifc_stc_action_type {
 	MLX5_IFC_STC_ACTION_TYPE_HEADER_INSERT = 0x0b,
 	MLX5_IFC_STC_ACTION_TYPE_TAG = 0x0c,
 	MLX5_IFC_STC_ACTION_TYPE_ACC_MODIFY_LIST = 0x0e,
+	MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_ENCRYPTION = 0x10,
+	MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_DECRYPTION = 0x11,
 	MLX5_IFC_STC_ACTION_TYPE_ASO = 0x12,
 	MLX5_IFC_STC_ACTION_TYPE_COUNTER = 0x14,
 	MLX5_IFC_STC_ACTION_TYPE_ADD_FIELD = 0x1b,
@@ -3546,6 +3548,14 @@ struct mlx5_ifc_stc_ste_param_execute_aso_bits {
 	u8 reserved_at_28[0x18];
 };
 
+struct mlx5_ifc_stc_ste_param_ipsec_encrypt_bits {
+	u8 ipsec_object_id[0x20];
+};
+
+struct mlx5_ifc_stc_ste_param_ipsec_decrypt_bits {
+	u8 ipsec_object_id[0x20];
+};
+
 struct mlx5_ifc_stc_ste_param_header_modify_list_bits {
 	u8 header_modify_pattern_id[0x20];
 	u8 header_modify_argument_id[0x20];
@@ -3612,6 +3622,8 @@ union mlx5_ifc_stc_param_bits {
 	struct mlx5_ifc_set_action_in_bits set;
 	struct mlx5_ifc_copy_action_in_bits copy;
 	struct mlx5_ifc_stc_ste_param_vport_bits vport;
+	struct mlx5_ifc_stc_ste_param_ipsec_encrypt_bits ipsec_encrypt;
+	struct mlx5_ifc_stc_ste_param_ipsec_decrypt_bits ipsec_decrypt;
 	u8 reserved_at_0[0x80];
 };
 
diff --git a/drivers/net/mlx5/hws/mlx5dr.h b/drivers/net/mlx5/hws/mlx5dr.h
index 39d902e762..74d05229c7 100644
--- a/drivers/net/mlx5/hws/mlx5dr.h
+++ b/drivers/net/mlx5/hws/mlx5dr.h
@@ -45,6 +45,8 @@ enum mlx5dr_action_type {
 	MLX5DR_ACTION_TYP_PUSH_VLAN,
 	MLX5DR_ACTION_TYP_ASO_METER,
 	MLX5DR_ACTION_TYP_ASO_CT,
+	MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT,
+	MLX5DR_ACTION_TYP_CRYPTO_DECRYPT,
 	MLX5DR_ACTION_TYP_DEST_ROOT,
 	MLX5DR_ACTION_TYP_DEST_ARRAY,
 	MLX5DR_ACTION_TYP_MAX,
@@ -176,6 +178,22 @@ struct mlx5dr_action_mh_pattern {
 	__be64 *data;
 };
 
+enum mlx5dr_action_crypto_op {
+	MLX5DR_ACTION_CRYPTO_OP_NONE,
+	MLX5DR_ACTION_CRYPTO_OP_ENCRYPT,
+	MLX5DR_ACTION_CRYPTO_OP_DECRYPT,
+};
+
+enum mlx5dr_action_crypto_type {
+	MLX5DR_ACTION_CRYPTO_TYPE_NISP,
+	MLX5DR_ACTION_CRYPTO_TYPE_IPSEC,
+};
+
+struct mlx5dr_action_crypto_attr {
+	enum mlx5dr_action_crypto_type crypto_type;
+	enum mlx5dr_action_crypto_op op;
+};
+
 /* In actions that take offset, the offset is unique, pointing to a single
  * resource and the user should not reuse the same index because data changing
  * is not atomic.
@@ -216,6 +234,10 @@ struct mlx5dr_rule_action {
 			uint32_t offset;
 			enum mlx5dr_action_aso_ct_flags direction;
 		} aso_ct;
+
+		struct {
+			uint32_t offset;
+		} crypto;
 	};
 };
 
@@ -691,6 +713,26 @@ mlx5dr_action_create_dest_root(struct mlx5dr_context *ctx,
 				uint16_t priority,
 				uint32_t flags);
 
+/* Create crypto action, this action will create specific security protocol
+ * encryption/decryption, for now we only support IPSec protocol.
+ *
+ * @param[in] ctx
+ *	The context in which the new action will be created.
+ * @param[in] devx_obj
+ *	The SADB corresponding devx obj
+ * @param[in] attr
+ *	attributes: specifies if to encrypt/decrypt,
+ *	also specifies the crypto security protocol.
+ * @param[in] flags
+ *	Action creation flags. (enum mlx5dr_action_flags)
+ * @return pointer to mlx5dr_action on success NULL otherwise.
+ */
+struct mlx5dr_action *
+mlx5dr_action_create_crypto(struct mlx5dr_context *ctx,
+			    struct mlx5dr_devx_obj *devx_obj,
+			    struct mlx5dr_action_crypto_attr *attr,
+			    uint32_t flags);
+
 /* Destroy direct rule action.
  *
  * @param[in] action
diff --git a/drivers/net/mlx5/hws/mlx5dr_action.c b/drivers/net/mlx5/hws/mlx5dr_action.c
index 11a7c58925..4910b4f730 100644
--- a/drivers/net/mlx5/hws/mlx5dr_action.c
+++ b/drivers/net/mlx5/hws/mlx5dr_action.c
@@ -9,11 +9,12 @@
 #define MLX5DR_ACTION_METER_INIT_COLOR_OFFSET 1
 
 /* This is the maximum allowed action order for each table type:
- *	 TX: POP_VLAN, CTR, ASO_METER, AS_CT, PUSH_VLAN, MODIFY, ENCAP, Term
- *	 RX: TAG, DECAP, POP_VLAN, CTR, ASO_METER, ASO_CT, PUSH_VLAN, MODIFY,
- *	     ENCAP, Term
- *	FDB: DECAP, POP_VLAN, CTR, ASO_METER, ASO_CT, PUSH_VLAN, MODIFY,
- *	     ENCAP, Term
+ *	 TX: POP_VLAN, CTR, ASO_METER, AS_CT, PUSH_VLAN, MODIFY, ENCAP, ENCRYPT,
+ *	     Term
+ *	 RX: TAG, DECAP, POP_VLAN, CTR, DECRYPT, ASO_METER, ASO_CT, PUSH_VLAN,
+ *	     MODIFY, ENCAP, Term
+ *	FDB: DECAP, POP_VLAN, CTR, DECRYPT, ASO_METER, ASO_CT, PUSH_VLAN, MODIFY,
+ *	     ENCAP, ENCRYPT, Term
  */
 static const uint32_t action_order_arr[MLX5DR_TABLE_TYPE_MAX][MLX5DR_ACTION_TYP_MAX] = {
 	[MLX5DR_TABLE_TYPE_NIC_RX] = {
@@ -23,6 +24,7 @@ static const uint32_t action_order_arr[MLX5DR_TABLE_TYPE_MAX][MLX5DR_ACTION_TYP_
 		BIT(MLX5DR_ACTION_TYP_POP_VLAN),
 		BIT(MLX5DR_ACTION_TYP_POP_VLAN),
 		BIT(MLX5DR_ACTION_TYP_CTR),
+		BIT(MLX5DR_ACTION_TYP_CRYPTO_DECRYPT),
 		BIT(MLX5DR_ACTION_TYP_ASO_METER),
 		BIT(MLX5DR_ACTION_TYP_ASO_CT),
 		BIT(MLX5DR_ACTION_TYP_PUSH_VLAN),
@@ -49,6 +51,7 @@ static const uint32_t action_order_arr[MLX5DR_TABLE_TYPE_MAX][MLX5DR_ACTION_TYP_
 		BIT(MLX5DR_ACTION_TYP_MODIFY_HDR),
 		BIT(MLX5DR_ACTION_TYP_REFORMAT_L2_TO_TNL_L2) |
 		BIT(MLX5DR_ACTION_TYP_REFORMAT_L2_TO_TNL_L3),
+		BIT(MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT),
 		BIT(MLX5DR_ACTION_TYP_TBL) |
 		BIT(MLX5DR_ACTION_TYP_MISS) |
 		BIT(MLX5DR_ACTION_TYP_DROP) |
@@ -61,6 +64,7 @@ static const uint32_t action_order_arr[MLX5DR_TABLE_TYPE_MAX][MLX5DR_ACTION_TYP_
 		BIT(MLX5DR_ACTION_TYP_POP_VLAN),
 		BIT(MLX5DR_ACTION_TYP_POP_VLAN),
 		BIT(MLX5DR_ACTION_TYP_CTR),
+		BIT(MLX5DR_ACTION_TYP_CRYPTO_DECRYPT),
 		BIT(MLX5DR_ACTION_TYP_ASO_METER),
 		BIT(MLX5DR_ACTION_TYP_ASO_CT),
 		BIT(MLX5DR_ACTION_TYP_PUSH_VLAN),
@@ -68,6 +72,7 @@ static const uint32_t action_order_arr[MLX5DR_TABLE_TYPE_MAX][MLX5DR_ACTION_TYP_
 		BIT(MLX5DR_ACTION_TYP_MODIFY_HDR),
 		BIT(MLX5DR_ACTION_TYP_REFORMAT_L2_TO_TNL_L2) |
 		BIT(MLX5DR_ACTION_TYP_REFORMAT_L2_TO_TNL_L3),
+		BIT(MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT),
 		BIT(MLX5DR_ACTION_TYP_TBL) |
 		BIT(MLX5DR_ACTION_TYP_MISS) |
 		BIT(MLX5DR_ACTION_TYP_VPORT) |
@@ -266,6 +271,41 @@ bool mlx5dr_action_check_combo(enum mlx5dr_action_type *user_actions,
 	return valid_combo;
 }
 
+bool mlx5dr_action_check_restrictions(struct mlx5dr_matcher *matcher,
+				      enum mlx5dr_action_type *actions)
+{
+	uint32_t restricted_bits;
+	uint8_t idx = 0;
+
+	/* Check for restricted actions, these actions are restricted
+	 * to RX or TX only in FDB domain.
+	 * if one of these actions presented require correct optimize_flow_src.
+	 */
+	if (matcher->tbl->type != MLX5DR_TABLE_TYPE_FDB)
+		return false;
+
+	switch (matcher->attr.optimize_flow_src) {
+	case MLX5DR_MATCHER_FLOW_SRC_WIRE:
+		restricted_bits = BIT(MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT);
+		break;
+	case MLX5DR_MATCHER_FLOW_SRC_VPORT:
+		restricted_bits = BIT(MLX5DR_ACTION_TYP_CRYPTO_DECRYPT);
+		break;
+	default:
+		restricted_bits = BIT(MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT) |
+				  BIT(MLX5DR_ACTION_TYP_CRYPTO_DECRYPT);
+	}
+
+	while (actions[idx] != MLX5DR_ACTION_TYP_LAST) {
+		if (BIT(actions[idx++]) & restricted_bits) {
+			DR_LOG(ERR, "Invalid actions combination containing restricted actions was provided");
+			return true;
+		}
+	}
+
+	return false;
+}
+
 int mlx5dr_action_root_build_attr(struct mlx5dr_rule_action rule_actions[],
 				  uint32_t num_actions,
 				  struct mlx5dv_flow_action_attr *attr)
@@ -383,6 +423,24 @@ mlx5dr_action_fixup_stc_attr(struct mlx5dr_context *ctx,
 		use_fixup = true;
 		break;
 
+	case MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_ENCRYPTION:
+		if (fw_tbl_type == FS_FT_FDB_RX) {
+			fixup_stc_attr->action_type = MLX5_IFC_STC_ACTION_TYPE_NOP;
+			fixup_stc_attr->action_offset = stc_attr->action_offset;
+			fixup_stc_attr->stc_offset = stc_attr->stc_offset;
+			use_fixup = true;
+		}
+		break;
+
+	case MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_DECRYPTION:
+		if (fw_tbl_type == FS_FT_FDB_TX) {
+			fixup_stc_attr->action_type = MLX5_IFC_STC_ACTION_TYPE_NOP;
+			fixup_stc_attr->action_offset = stc_attr->action_offset;
+			fixup_stc_attr->stc_offset = stc_attr->stc_offset;
+			use_fixup = true;
+		}
+		break;
+
 	default:
 		break;
 	}
@@ -605,6 +663,16 @@ static void mlx5dr_action_fill_stc_attr(struct mlx5dr_action *action,
 		attr->insert_header.insert_offset = MLX5DR_ACTION_HDR_LEN_L2_MACS;
 		attr->insert_header.header_size = MLX5DR_ACTION_HDR_LEN_L2_VLAN;
 		break;
+	case MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT:
+		attr->action_type = MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_ENCRYPTION;
+		attr->action_offset = MLX5DR_ACTION_OFFSET_DW5;
+		attr->id = obj->id;
+		break;
+	case MLX5DR_ACTION_TYP_CRYPTO_DECRYPT:
+		attr->action_type = MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_DECRYPTION;
+		attr->action_offset = MLX5DR_ACTION_OFFSET_DW5;
+		attr->id = obj->id;
+		break;
 	default:
 		DR_LOG(ERR, "Invalid action type %d", action->type);
 		assert(false);
@@ -1943,6 +2011,55 @@ mlx5dr_action_create_dest_root(struct mlx5dr_context *ctx,
 	return NULL;
 }
 
+struct mlx5dr_action *
+mlx5dr_action_create_crypto(struct mlx5dr_context *ctx,
+			    struct mlx5dr_devx_obj *devx_obj,
+			    struct mlx5dr_action_crypto_attr *attr,
+			    uint32_t flags)
+{
+	enum mlx5dr_action_type action_type;
+	struct mlx5dr_action *action;
+
+	if (mlx5dr_action_is_root_flags(flags)) {
+		DR_LOG(ERR, "Action flags must be only non root (HWS)");
+		rte_errno = ENOTSUP;
+		return NULL;
+	}
+
+	if (attr->crypto_type != MLX5DR_ACTION_CRYPTO_TYPE_IPSEC) {
+		rte_errno = ENOTSUP;
+		return NULL;
+	}
+
+	if (attr->op == MLX5DR_ACTION_CRYPTO_OP_ENCRYPT) {
+		if (flags & MLX5DR_ACTION_FLAG_HWS_RX) {
+			rte_errno = EINVAL;
+			return NULL;
+		}
+		action_type = MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT;
+	} else if (attr->op == MLX5DR_ACTION_CRYPTO_OP_DECRYPT) {
+		if (flags & MLX5DR_ACTION_FLAG_HWS_TX) {
+			rte_errno = EINVAL;
+			return NULL;
+		}
+		action_type = MLX5DR_ACTION_TYP_CRYPTO_DECRYPT;
+	} else {
+		rte_errno = ENOTSUP;
+		return NULL;
+	}
+
+	action = mlx5dr_action_create_generic(ctx, flags, action_type);
+	if (!action)
+		return NULL;
+
+	if (mlx5dr_action_create_stcs(action, devx_obj)) {
+		simple_free(action);
+		return NULL;
+	}
+
+	return action;
+}
+
 static void mlx5dr_action_destroy_hws(struct mlx5dr_action *action)
 {
 	struct mlx5dr_devx_obj *obj = NULL;
@@ -1963,6 +2080,8 @@ static void mlx5dr_action_destroy_hws(struct mlx5dr_action *action)
 	case MLX5DR_ACTION_TYP_ASO_METER:
 	case MLX5DR_ACTION_TYP_ASO_CT:
 	case MLX5DR_ACTION_TYP_PUSH_VLAN:
+	case MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT:
+	case MLX5DR_ACTION_TYP_CRYPTO_DECRYPT:
 		mlx5dr_action_destroy_stcs(action);
 		break;
 	case MLX5DR_ACTION_TYP_DEST_ROOT:
@@ -2460,6 +2579,33 @@ mlx5dr_action_setter_common_decap(struct mlx5dr_actions_apply_data *apply,
 							    MLX5DR_CONTEXT_SHARED_STC_DECAP));
 }
 
+static void
+mlx5dr_action_setter_crypto_encryption(struct mlx5dr_actions_apply_data *apply,
+				       struct mlx5dr_actions_wqe_setter *setter)
+{
+	struct mlx5dr_rule_action *rule_action;
+
+	rule_action = &apply->rule_action[setter->idx_single];
+	apply->wqe_data[MLX5DR_ACTION_OFFSET_DW5] = htobe32(rule_action->crypto.offset);
+	mlx5dr_action_apply_stc(apply, MLX5DR_ACTION_STC_IDX_DW5, setter->idx_single);
+}
+
+static void
+mlx5dr_action_setter_crypto_decryption(struct mlx5dr_actions_apply_data *apply,
+				       struct mlx5dr_actions_wqe_setter *setter)
+{
+	struct mlx5dr_rule_action *rule_action;
+
+	rule_action = &apply->rule_action[setter->idx_triple];
+
+	mlx5dr_action_apply_stc(apply, MLX5DR_ACTION_STC_IDX_DW5, setter->idx_triple);
+	apply->wqe_ctrl->stc_ix[MLX5DR_ACTION_STC_IDX_DW6] = 0;
+	apply->wqe_ctrl->stc_ix[MLX5DR_ACTION_STC_IDX_DW7] = 0;
+	apply->wqe_data[MLX5DR_ACTION_OFFSET_DW5] = htobe32(rule_action->crypto.offset);
+	apply->wqe_data[MLX5DR_ACTION_OFFSET_DW6] = 0;
+	apply->wqe_data[MLX5DR_ACTION_OFFSET_DW7] = 0;
+}
+
 int mlx5dr_action_template_process(struct mlx5dr_action_template *at)
 {
 	struct mlx5dr_actions_wqe_setter *start_setter = at->setters + 1;
@@ -2594,6 +2740,22 @@ int mlx5dr_action_template_process(struct mlx5dr_action_template *at)
 			setter->idx_ctr = i;
 			break;
 
+		case MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT:
+			/* Single encryption action, consume triple due to HW limitations */
+			setter = mlx5dr_action_setter_find_first(last_setter, ASF_TRIPLE);
+			setter->flags |= ASF_TRIPLE;
+			setter->set_single = &mlx5dr_action_setter_crypto_encryption;
+			setter->idx_single = i;
+			break;
+
+		case MLX5DR_ACTION_TYP_CRYPTO_DECRYPT:
+			/* Triple decryption action */
+			setter = mlx5dr_action_setter_find_first(last_setter, ASF_TRIPLE);
+			setter->flags |= ASF_TRIPLE;
+			setter->set_triple = &mlx5dr_action_setter_crypto_decryption;
+			setter->idx_triple = i;
+			break;
+
 		default:
 			DR_LOG(ERR, "Unsupported action type: %d", action_type[i]);
 			rte_errno = ENOTSUP;
diff --git a/drivers/net/mlx5/hws/mlx5dr_action.h b/drivers/net/mlx5/hws/mlx5dr_action.h
index 582a38bebc..6bfa0bcc4a 100644
--- a/drivers/net/mlx5/hws/mlx5dr_action.h
+++ b/drivers/net/mlx5/hws/mlx5dr_action.h
@@ -21,6 +21,8 @@ enum mlx5dr_action_stc_idx {
 	MLX5DR_ACTION_STC_IDX_LAST_COMBO1 = 3,
 	/* STC combo2: CTR, 3 x SINGLE, Hit */
 	MLX5DR_ACTION_STC_IDX_LAST_COMBO2 = 4,
+	/* STC combo2: CTR, TRIPLE, Hit */
+	MLX5DR_ACTION_STC_IDX_LAST_COMBO3 = 2,
 };
 
 enum mlx5dr_action_offset {
@@ -52,6 +54,7 @@ enum mlx5dr_action_setter_flag {
 	ASF_SINGLE2 = 1 << 1,
 	ASF_SINGLE3 = 1 << 2,
 	ASF_DOUBLE = ASF_SINGLE2 | ASF_SINGLE3,
+	ASF_TRIPLE = ASF_SINGLE1 | ASF_DOUBLE,
 	ASF_REPARSE = 1 << 3,
 	ASF_REMOVE = 1 << 4,
 	ASF_MODIFY = 1 << 5,
@@ -94,10 +97,12 @@ typedef void (*mlx5dr_action_setter_fp)
 struct mlx5dr_actions_wqe_setter {
 	mlx5dr_action_setter_fp set_single;
 	mlx5dr_action_setter_fp set_double;
+	mlx5dr_action_setter_fp set_triple;
 	mlx5dr_action_setter_fp set_hit;
 	mlx5dr_action_setter_fp set_ctr;
 	uint8_t idx_single;
 	uint8_t idx_double;
+	uint8_t idx_triple;
 	uint8_t idx_ctr;
 	uint8_t idx_hit;
 	uint8_t flags;
@@ -183,6 +188,9 @@ int mlx5dr_action_template_process(struct mlx5dr_action_template *at);
 bool mlx5dr_action_check_combo(enum mlx5dr_action_type *user_actions,
 			       enum mlx5dr_table_type table_type);
 
+bool mlx5dr_action_check_restrictions(struct mlx5dr_matcher *matcher,
+				      enum mlx5dr_action_type *actions);
+
 int mlx5dr_action_alloc_single_stc(struct mlx5dr_context *ctx,
 				   struct mlx5dr_cmd_stc_modify_attr *stc_attr,
 				   uint32_t table_type,
@@ -230,26 +238,32 @@ mlx5dr_action_apply_setter(struct mlx5dr_actions_apply_data *apply,
 	uint8_t num_of_actions;
 
 	/* Set control counter */
-	if (setter->flags & ASF_CTR)
+	if (setter->set_ctr)
 		setter->set_ctr(apply, setter);
 	else
 		mlx5dr_action_setter_default_ctr(apply, setter);
 
-	/* Set single and double on match */
 	if (!is_jumbo) {
-		if (setter->flags & ASF_SINGLE1)
-			setter->set_single(apply, setter);
-		else
-			mlx5dr_action_setter_default_single(apply, setter);
-
-		if (setter->flags & ASF_DOUBLE)
-			setter->set_double(apply, setter);
-		else
-			mlx5dr_action_setter_default_double(apply, setter);
-
-		num_of_actions = setter->flags & ASF_DOUBLE ?
-			MLX5DR_ACTION_STC_IDX_LAST_COMBO1 :
-			MLX5DR_ACTION_STC_IDX_LAST_COMBO2;
+		if (unlikely(setter->set_triple)) {
+			/* Set triple on match */
+			setter->set_triple(apply, setter);
+			num_of_actions = MLX5DR_ACTION_STC_IDX_LAST_COMBO3;
+		} else {
+			/* Set single and double on match */
+			if (setter->set_single)
+				setter->set_single(apply, setter);
+			else
+				mlx5dr_action_setter_default_single(apply, setter);
+
+			if (setter->set_double)
+				setter->set_double(apply, setter);
+			else
+				mlx5dr_action_setter_default_double(apply, setter);
+
+			num_of_actions = setter->set_double ?
+				MLX5DR_ACTION_STC_IDX_LAST_COMBO1 :
+				MLX5DR_ACTION_STC_IDX_LAST_COMBO2;
+		}
 	} else {
 		apply->wqe_data[MLX5DR_ACTION_OFFSET_DW5] = 0;
 		apply->wqe_data[MLX5DR_ACTION_OFFSET_DW6] = 0;
diff --git a/drivers/net/mlx5/hws/mlx5dr_cmd.c b/drivers/net/mlx5/hws/mlx5dr_cmd.c
index c52cdd0767..3b3690699d 100644
--- a/drivers/net/mlx5/hws/mlx5dr_cmd.c
+++ b/drivers/net/mlx5/hws/mlx5dr_cmd.c
@@ -541,6 +541,14 @@ mlx5dr_cmd_stc_modify_set_stc_param(struct mlx5dr_cmd_stc_modify_attr *stc_attr,
 		MLX5_SET(stc_ste_param_remove_words, stc_parm,
 			 remove_size, stc_attr->remove_words.num_of_words);
 		break;
+	case MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_ENCRYPTION:
+		MLX5_SET(stc_ste_param_ipsec_encrypt, stc_parm, ipsec_object_id,
+			 stc_attr->id);
+		break;
+	case MLX5_IFC_STC_ACTION_TYPE_CRYPTO_IPSEC_DECRYPTION:
+		MLX5_SET(stc_ste_param_ipsec_decrypt, stc_parm, ipsec_object_id,
+			 stc_attr->id);
+		break;
 	default:
 		DR_LOG(ERR, "Not supported type %d", stc_attr->action_type);
 		rte_errno = EINVAL;
diff --git a/drivers/net/mlx5/hws/mlx5dr_cmd.h b/drivers/net/mlx5/hws/mlx5dr_cmd.h
index 03db62e2e2..7bbb684dbd 100644
--- a/drivers/net/mlx5/hws/mlx5dr_cmd.h
+++ b/drivers/net/mlx5/hws/mlx5dr_cmd.h
@@ -100,7 +100,7 @@ struct mlx5dr_cmd_stc_modify_attr {
 	uint8_t action_offset;
 	enum mlx5_ifc_stc_action_type action_type;
 	union {
-		uint32_t id; /* TIRN, TAG, FT ID, STE ID */
+		uint32_t id; /* TIRN, TAG, FT ID, STE ID, CRYPTO */
 		struct {
 			uint8_t decap;
 			uint16_t start_anchor;
diff --git a/drivers/net/mlx5/hws/mlx5dr_debug.c b/drivers/net/mlx5/hws/mlx5dr_debug.c
index e7b1f2cc32..8cf3909606 100644
--- a/drivers/net/mlx5/hws/mlx5dr_debug.c
+++ b/drivers/net/mlx5/hws/mlx5dr_debug.c
@@ -24,6 +24,8 @@ const char *mlx5dr_debug_action_type_str[] = {
 	[MLX5DR_ACTION_TYP_ASO_CT] = "ASO_CT",
 	[MLX5DR_ACTION_TYP_DEST_ROOT] = "DEST_ROOT",
 	[MLX5DR_ACTION_TYP_DEST_ARRAY] = "DEST_ARRAY",
+	[MLX5DR_ACTION_TYP_CRYPTO_ENCRYPT] = "CRYPTO_ENCRYPT",
+	[MLX5DR_ACTION_TYP_CRYPTO_DECRYPT] = "CRYPTO_DECRYPT",
 };
 
 static_assert(ARRAY_SIZE(mlx5dr_debug_action_type_str) == MLX5DR_ACTION_TYP_MAX,
diff --git a/drivers/net/mlx5/hws/mlx5dr_matcher.c b/drivers/net/mlx5/hws/mlx5dr_matcher.c
index a82c182460..6f74cf3677 100644
--- a/drivers/net/mlx5/hws/mlx5dr_matcher.c
+++ b/drivers/net/mlx5/hws/mlx5dr_matcher.c
@@ -714,6 +714,11 @@ static int mlx5dr_matcher_check_and_process_at(struct mlx5dr_matcher *matcher,
 		return rte_errno;
 	}
 
+	if (mlx5dr_action_check_restrictions(matcher, at->action_type_arr)) {
+		rte_errno = EINVAL;
+		return rte_errno;
+	}
+
 	/* Process action template to setters */
 	ret = mlx5dr_action_template_process(at);
 	if (ret) {
-- 
2.39.2