[PATCH v3 22/24] crypto/cnxk: add support for TLS 1.3

[Anoob Joseph <anoobj@marvell.com>]

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add support for TLS-1.3.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 drivers/common/cnxk/roc_ie_ot_tls.h       |  50 +++++--
 drivers/crypto/cnxk/cn10k_cryptodev_sec.h |   3 +-
 drivers/crypto/cnxk/cn10k_tls.c           | 159 +++++++++++++---------
 3 files changed, 136 insertions(+), 76 deletions(-)

diff --git a/drivers/common/cnxk/roc_ie_ot_tls.h b/drivers/common/cnxk/roc_ie_ot_tls.h
index 206c3104e6..b85d075e86 100644
--- a/drivers/common/cnxk/roc_ie_ot_tls.h
+++ b/drivers/common/cnxk/roc_ie_ot_tls.h
@@ -17,8 +17,10 @@
 	(PLT_ALIGN_CEIL(ROC_IE_OT_TLS_AR_WIN_SIZE_MAX, BITS_PER_LONG_LONG) / BITS_PER_LONG_LONG)
 
 /* CN10K TLS opcodes */
-#define ROC_IE_OT_TLS_MAJOR_OP_RECORD_ENC 0x16UL
-#define ROC_IE_OT_TLS_MAJOR_OP_RECORD_DEC 0x17UL
+#define ROC_IE_OT_TLS_MAJOR_OP_RECORD_ENC   0x16UL
+#define ROC_IE_OT_TLS_MAJOR_OP_RECORD_DEC   0x17UL
+#define ROC_IE_OT_TLS13_MAJOR_OP_RECORD_ENC 0x18UL
+#define ROC_IE_OT_TLS13_MAJOR_OP_RECORD_DEC 0x19UL
 
 #define ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN 128
 #define ROC_IE_OT_TLS_CTX_MAX_KEY_IV_LEN    48
@@ -42,6 +44,7 @@ enum roc_ie_ot_tls_cipher_type {
 enum roc_ie_ot_tls_ver {
 	ROC_IE_OT_TLS_VERSION_TLS_12 = 1,
 	ROC_IE_OT_TLS_VERSION_DTLS_12 = 2,
+	ROC_IE_OT_TLS_VERSION_TLS_13 = 3,
 };
 
 enum roc_ie_ot_tls_aes_key_len {
@@ -131,11 +134,23 @@ struct roc_ie_ot_tls_read_sa {
 	/* Word4 - Word9 */
 	uint8_t cipher_key[ROC_IE_OT_TLS_CTX_MAX_KEY_IV_LEN];
 
-	/* Word10 - Word25 */
-	uint8_t opad_ipad[ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN];
+	union {
+		struct {
+			/* Word10 */
+			uint64_t w10_rsvd6;
+
+			/* Word11 - Word25 */
+			struct roc_ie_ot_tls_read_ctx_update_reg ctx;
+		} tls_13;
+
+		struct {
+			/* Word10 - Word25 */
+			uint8_t opad_ipad[ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN];
 
-	/* Word26 - Word32 */
-	struct roc_ie_ot_tls_read_ctx_update_reg ctx;
+			/* Word26 - Word95 */
+			struct roc_ie_ot_tls_read_ctx_update_reg ctx;
+		} tls_12;
+	};
 };
 
 struct roc_ie_ot_tls_write_sa {
@@ -187,13 +202,24 @@ struct roc_ie_ot_tls_write_sa {
 	/* Word4 - Word9 */
 	uint8_t cipher_key[ROC_IE_OT_TLS_CTX_MAX_KEY_IV_LEN];
 
-	/* Word10 - Word25 */
-	uint8_t opad_ipad[ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN];
+	union {
+		struct {
+			/* Word10 */
+			uint64_t w10_rsvd7;
+
+			uint64_t seq_num;
+		} tls_13;
+
+		struct {
+			/* Word10 - Word25 */
+			uint8_t opad_ipad[ROC_IE_OT_TLS_CTX_MAX_OPAD_IPAD_LEN];
 
-	/* Word26 */
-	uint64_t w26_rsvd7;
+			/* Word26 */
+			uint64_t w26_rsvd7;
 
-	/* Word27 */
-	uint64_t seq_num;
+			/* Word27 */
+			uint64_t seq_num;
+		} tls_12;
+	};
 };
 #endif /* __ROC_IE_OT_TLS_H__ */
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_sec.h b/drivers/crypto/cnxk/cn10k_cryptodev_sec.h
index 703e71475a..20a260d9ff 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_sec.h
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_sec.h
@@ -31,8 +31,7 @@ struct cn10k_sec_session {
 		} ipsec;
 		struct {
 			uint8_t enable_padding : 1;
-			uint8_t hdr_len : 4;
-			uint8_t rvsd : 3;
+			uint8_t rvsd : 7;
 			bool is_write;
 		} tls;
 	};
diff --git a/drivers/crypto/cnxk/cn10k_tls.c b/drivers/crypto/cnxk/cn10k_tls.c
index c30e04a7c0..879e0ea978 100644
--- a/drivers/crypto/cnxk/cn10k_tls.c
+++ b/drivers/crypto/cnxk/cn10k_tls.c
@@ -105,7 +105,8 @@ cnxk_tls_xform_verify(struct rte_security_tls_record_xform *tls_xform,
 	int ret = 0;
 
 	if ((tls_xform->ver != RTE_SECURITY_VERSION_TLS_1_2) &&
-	    (tls_xform->ver != RTE_SECURITY_VERSION_DTLS_1_2))
+	    (tls_xform->ver != RTE_SECURITY_VERSION_DTLS_1_2) &&
+	    (tls_xform->ver != RTE_SECURITY_VERSION_TLS_1_3))
 		return -EINVAL;
 
 	if ((tls_xform->type != RTE_SECURITY_TLS_SESS_TYPE_READ) &&
@@ -115,6 +116,12 @@ cnxk_tls_xform_verify(struct rte_security_tls_record_xform *tls_xform,
 	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
 		return tls_xform_aead_verify(tls_xform, crypto_xform);
 
+	/* TLS-1.3 only support AEAD.
+	 * Control should not reach here for TLS-1.3
+	 */
+	if (tls_xform->ver == RTE_SECURITY_VERSION_TLS_1_3)
+		return -EINVAL;
+
 	if (tls_xform->type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) {
 		/* Egress */
 
@@ -259,7 +266,7 @@ tls_write_sa_init(struct roc_ie_ot_tls_write_sa *sa)
 
 	memset(sa, 0, sizeof(struct roc_ie_ot_tls_write_sa));
 
-	offset = offsetof(struct roc_ie_ot_tls_write_sa, w26_rsvd7);
+	offset = offsetof(struct roc_ie_ot_tls_write_sa, tls_12.w26_rsvd7);
 	sa->w0.s.hw_ctx_off = offset / ROC_CTX_UNIT_8B;
 	sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off;
 	sa->w0.s.ctx_size = ROC_IE_OT_TLS_CTX_ILEN;
@@ -274,7 +281,7 @@ tls_read_sa_init(struct roc_ie_ot_tls_read_sa *sa)
 
 	memset(sa, 0, sizeof(struct roc_ie_ot_tls_read_sa));
 
-	offset = offsetof(struct roc_ie_ot_tls_read_sa, ctx);
+	offset = offsetof(struct roc_ie_ot_tls_read_sa, tls_12.ctx);
 	sa->w0.s.hw_ctx_off = offset / ROC_CTX_UNIT_8B;
 	sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off;
 	sa->w0.s.ctx_size = ROC_IE_OT_TLS_CTX_ILEN;
@@ -283,13 +290,18 @@ tls_read_sa_init(struct roc_ie_ot_tls_read_sa *sa)
 }
 
 static size_t
-tls_read_ctx_size(struct roc_ie_ot_tls_read_sa *sa)
+tls_read_ctx_size(struct roc_ie_ot_tls_read_sa *sa, enum rte_security_tls_version tls_ver)
 {
 	size_t size;
 
 	/* Variable based on Anti-replay Window */
-	size = offsetof(struct roc_ie_ot_tls_read_sa, ctx) +
-	       offsetof(struct roc_ie_ot_tls_read_ctx_update_reg, ar_winbits);
+	if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) {
+		size = offsetof(struct roc_ie_ot_tls_read_sa, tls_13.ctx) +
+		       offsetof(struct roc_ie_ot_tls_read_ctx_update_reg, ar_winbits);
+	} else {
+		size = offsetof(struct roc_ie_ot_tls_read_sa, tls_12.ctx) +
+		       offsetof(struct roc_ie_ot_tls_read_ctx_update_reg, ar_winbits);
+	}
 
 	if (sa->w0.s.ar_win)
 		size += (1 << (sa->w0.s.ar_win - 1)) * sizeof(uint64_t);
@@ -302,6 +314,7 @@ tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa,
 		 struct rte_security_tls_record_xform *tls_xfrm,
 		 struct rte_crypto_sym_xform *crypto_xfrm)
 {
+	enum rte_security_tls_version tls_ver = tls_xfrm->ver;
 	struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm;
 	const uint8_t *key = NULL;
 	uint64_t *tmp, *tmp_key;
@@ -313,13 +326,22 @@ tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa,
 	/* Initialize the SA */
 	memset(read_sa, 0, sizeof(struct roc_ie_ot_tls_read_sa));
 
+	if (tls_ver == RTE_SECURITY_VERSION_TLS_1_2) {
+		read_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_12;
+		read_sa->tls_12.ctx.ar_valid_mask = tls_xfrm->tls_1_2.seq_no - 1;
+	} else if (tls_ver == RTE_SECURITY_VERSION_DTLS_1_2) {
+		read_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_DTLS_12;
+	} else if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) {
+		read_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_13;
+		read_sa->tls_13.ctx.ar_valid_mask = tls_xfrm->tls_1_3.seq_no - 1;
+	}
+
 	cipher_key = read_sa->cipher_key;
 
 	/* Set encryption algorithm */
 	if ((crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) &&
 	    (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)) {
 		read_sa->w2.s.cipher_select = ROC_IE_OT_TLS_CIPHER_AES_GCM;
-		read_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_SHA2_256;
 
 		length = crypto_xfrm->aead.key.length;
 		if (length == 16)
@@ -330,10 +352,12 @@ tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa,
 		key = crypto_xfrm->aead.key.data;
 		memcpy(cipher_key, key, length);
 
-		if (tls_xfrm->ver == RTE_SECURITY_VERSION_TLS_1_2)
+		if (tls_ver == RTE_SECURITY_VERSION_TLS_1_2)
 			memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->tls_1_2.imp_nonce, 4);
-		else if (tls_xfrm->ver == RTE_SECURITY_VERSION_DTLS_1_2)
+		else if (tls_ver == RTE_SECURITY_VERSION_DTLS_1_2)
 			memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->dtls_1_2.imp_nonce, 4);
+		else if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3)
+			memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->tls_1_3.imp_nonce, 12);
 
 		goto key_swap;
 	}
@@ -377,9 +401,10 @@ tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa,
 		return -EINVAL;
 
 	roc_se_hmac_opad_ipad_gen(read_sa->w2.s.mac_select, auth_xfrm->auth.key.data,
-				  auth_xfrm->auth.key.length, read_sa->opad_ipad, ROC_SE_TLS);
+				  auth_xfrm->auth.key.length, read_sa->tls_12.opad_ipad,
+				  ROC_SE_TLS);
 
-	tmp = (uint64_t *)read_sa->opad_ipad;
+	tmp = (uint64_t *)read_sa->tls_12.opad_ipad;
 	for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t)); i++)
 		tmp[i] = rte_be_to_cpu_64(tmp[i]);
 
@@ -403,24 +428,20 @@ tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa,
 	read_sa->w0.s.ctx_hdr_size = ROC_IE_OT_TLS_CTX_HDR_SIZE;
 	read_sa->w0.s.aop_valid = 1;
 
-	offset = offsetof(struct roc_ie_ot_tls_read_sa, ctx);
+	offset = offsetof(struct roc_ie_ot_tls_read_sa, tls_12.ctx);
+	if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3)
+		offset = offsetof(struct roc_ie_ot_tls_read_sa, tls_13.ctx);
+
+	/* Entire context size in 128B units */
+	read_sa->w0.s.ctx_size =
+		(PLT_ALIGN_CEIL(tls_read_ctx_size(read_sa, tls_ver), ROC_CTX_UNIT_128B) /
+		 ROC_CTX_UNIT_128B) -
+		1;
 
 	/* Word offset for HW managed CTX field */
 	read_sa->w0.s.hw_ctx_off = offset / 8;
 	read_sa->w0.s.ctx_push_size = read_sa->w0.s.hw_ctx_off;
 
-	/* Entire context size in 128B units */
-	read_sa->w0.s.ctx_size = (PLT_ALIGN_CEIL(tls_read_ctx_size(read_sa), ROC_CTX_UNIT_128B) /
-				  ROC_CTX_UNIT_128B) -
-				 1;
-
-	if (tls_xfrm->ver == RTE_SECURITY_VERSION_TLS_1_2) {
-		read_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_12;
-		read_sa->ctx.ar_valid_mask = tls_xfrm->tls_1_2.seq_no - 1;
-	} else if (tls_xfrm->ver == RTE_SECURITY_VERSION_DTLS_1_2) {
-		read_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_DTLS_12;
-	}
-
 	rte_wmb();
 
 	return 0;
@@ -431,6 +452,7 @@ tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa,
 		  struct rte_security_tls_record_xform *tls_xfrm,
 		  struct rte_crypto_sym_xform *crypto_xfrm)
 {
+	enum rte_security_tls_version tls_ver = tls_xfrm->ver;
 	struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm;
 	const uint8_t *key = NULL;
 	uint8_t *cipher_key;
@@ -438,13 +460,25 @@ tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa,
 	int i, length = 0;
 	size_t offset;
 
+	if (tls_ver == RTE_SECURITY_VERSION_TLS_1_2) {
+		write_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_12;
+		write_sa->tls_12.seq_num = tls_xfrm->tls_1_2.seq_no - 1;
+	} else if (tls_ver == RTE_SECURITY_VERSION_DTLS_1_2) {
+		write_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_DTLS_12;
+		write_sa->tls_12.seq_num = ((uint64_t)tls_xfrm->dtls_1_2.epoch << 48) |
+					   (tls_xfrm->dtls_1_2.seq_no & 0x0000ffffffffffff);
+		write_sa->tls_12.seq_num -= 1;
+	} else if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) {
+		write_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_13;
+		write_sa->tls_13.seq_num = tls_xfrm->tls_1_3.seq_no - 1;
+	}
+
 	cipher_key = write_sa->cipher_key;
 
 	/* Set encryption algorithm */
 	if ((crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) &&
 	    (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)) {
 		write_sa->w2.s.cipher_select = ROC_IE_OT_TLS_CIPHER_AES_GCM;
-		write_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_SHA2_256;
 
 		length = crypto_xfrm->aead.key.length;
 		if (length == 16)
@@ -455,10 +489,12 @@ tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa,
 		key = crypto_xfrm->aead.key.data;
 		memcpy(cipher_key, key, length);
 
-		if (tls_xfrm->ver == RTE_SECURITY_VERSION_TLS_1_2)
+		if (tls_ver == RTE_SECURITY_VERSION_TLS_1_2)
 			memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->tls_1_2.imp_nonce, 4);
-		else if (tls_xfrm->ver == RTE_SECURITY_VERSION_DTLS_1_2)
+		else if (tls_ver == RTE_SECURITY_VERSION_DTLS_1_2)
 			memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->dtls_1_2.imp_nonce, 4);
+		else if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3)
+			memcpy(((uint8_t *)cipher_key + 32), &tls_xfrm->tls_1_3.imp_nonce, 12);
 
 		goto key_swap;
 	}
@@ -506,11 +542,11 @@ tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa,
 			return -EINVAL;
 
 		roc_se_hmac_opad_ipad_gen(write_sa->w2.s.mac_select, auth_xfrm->auth.key.data,
-					  auth_xfrm->auth.key.length, write_sa->opad_ipad,
+					  auth_xfrm->auth.key.length, write_sa->tls_12.opad_ipad,
 					  ROC_SE_TLS);
 	}
 
-	tmp_key = (uint64_t *)write_sa->opad_ipad;
+	tmp_key = (uint64_t *)write_sa->tls_12.opad_ipad;
 	for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t)); i++)
 		tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
 
@@ -520,40 +556,37 @@ tls_write_sa_fill(struct roc_ie_ot_tls_write_sa *write_sa,
 		tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]);
 
 	write_sa->w0.s.ctx_hdr_size = ROC_IE_OT_TLS_CTX_HDR_SIZE;
-	offset = offsetof(struct roc_ie_ot_tls_write_sa, w26_rsvd7);
-
-	/* Word offset for HW managed CTX field */
-	write_sa->w0.s.hw_ctx_off = offset / 8;
-	write_sa->w0.s.ctx_push_size = write_sa->w0.s.hw_ctx_off;
-
 	/* Entire context size in 128B units */
 	write_sa->w0.s.ctx_size =
 		(PLT_ALIGN_CEIL(sizeof(struct roc_ie_ot_tls_write_sa), ROC_CTX_UNIT_128B) /
 		 ROC_CTX_UNIT_128B) -
 		1;
-	write_sa->w0.s.aop_valid = 1;
+	offset = offsetof(struct roc_ie_ot_tls_write_sa, tls_12.w26_rsvd7);
 
-	if (tls_xfrm->ver == RTE_SECURITY_VERSION_TLS_1_2) {
-		write_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_TLS_12;
-		write_sa->seq_num = tls_xfrm->tls_1_2.seq_no - 1;
-	} else if (tls_xfrm->ver == RTE_SECURITY_VERSION_DTLS_1_2) {
-		write_sa->w2.s.version_select = ROC_IE_OT_TLS_VERSION_DTLS_12;
-		write_sa->seq_num = ((uint64_t)tls_xfrm->dtls_1_2.epoch << 48) |
-				    (tls_xfrm->dtls_1_2.seq_no & 0x0000ffffffffffff);
-		write_sa->seq_num -= 1;
+	if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) {
+		offset = offsetof(struct roc_ie_ot_tls_write_sa, tls_13.w10_rsvd7);
+		write_sa->w0.s.ctx_size -= 1;
 	}
 
+	/* Word offset for HW managed CTX field */
+	write_sa->w0.s.hw_ctx_off = offset / 8;
+	write_sa->w0.s.ctx_push_size = write_sa->w0.s.hw_ctx_off;
+
+	write_sa->w0.s.aop_valid = 1;
+
 	write_sa->w2.s.iv_at_cptr = ROC_IE_OT_TLS_IV_SRC_DEFAULT;
 
+	if (write_sa->w2.s.version_select != ROC_IE_OT_TLS_VERSION_TLS_13) {
 #ifdef LA_IPSEC_DEBUG
-	if (tls_xfrm->options.iv_gen_disable == 1)
-		write_sa->w2.s.iv_at_cptr = ROC_IE_OT_TLS_IV_SRC_FROM_SA;
+		if (tls_xfrm->options.iv_gen_disable == 1)
+			write_sa->w2.s.iv_at_cptr = ROC_IE_OT_TLS_IV_SRC_FROM_SA;
 #else
-	if (tls_xfrm->options.iv_gen_disable) {
-		plt_err("Application provided IV is not supported");
-		return -ENOTSUP;
-	}
+		if (tls_xfrm->options.iv_gen_disable) {
+			plt_err("Application provided IV is not supported");
+			return -ENOTSUP;
+		}
 #endif
+	}
 
 	rte_wmb();
 
@@ -599,20 +632,17 @@ cn10k_tls_read_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
 		sec_sess->iv_length = crypto_xfrm->auth.iv.length;
 	}
 
-	if (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_DTLS_12)
-		sec_sess->tls.hdr_len = 13;
-	else if (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_12)
-		sec_sess->tls.hdr_len = 5;
-
 	sec_sess->proto = RTE_SECURITY_PROTOCOL_TLS_RECORD;
 
-	/* Enable mib counters */
-	sa_dptr->w0.s.count_mib_bytes = 1;
-	sa_dptr->w0.s.count_mib_pkts = 1;
-
 	/* pre-populate CPT INST word 4 */
 	inst_w4.u64 = 0;
-	inst_w4.s.opcode_major = ROC_IE_OT_TLS_MAJOR_OP_RECORD_DEC | ROC_IE_OT_INPLACE_BIT;
+	if ((sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_12) ||
+	    (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_DTLS_12)) {
+		inst_w4.s.opcode_major = ROC_IE_OT_TLS_MAJOR_OP_RECORD_DEC | ROC_IE_OT_INPLACE_BIT;
+	} else if (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_13) {
+		inst_w4.s.opcode_major =
+			ROC_IE_OT_TLS13_MAJOR_OP_RECORD_DEC | ROC_IE_OT_INPLACE_BIT;
+	}
 
 	sec_sess->inst.w4 = inst_w4.u64;
 	sec_sess->inst.w7 = cpt_inst_w7_get(roc_cpt, read_sa);
@@ -689,8 +719,13 @@ cn10k_tls_write_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
 
 	/* pre-populate CPT INST word 4 */
 	inst_w4.u64 = 0;
-	inst_w4.s.opcode_major = ROC_IE_OT_TLS_MAJOR_OP_RECORD_ENC | ROC_IE_OT_INPLACE_BIT;
-
+	if ((sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_12) ||
+	    (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_DTLS_12)) {
+		inst_w4.s.opcode_major = ROC_IE_OT_TLS_MAJOR_OP_RECORD_ENC | ROC_IE_OT_INPLACE_BIT;
+	} else if (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_13) {
+		inst_w4.s.opcode_major =
+			ROC_IE_OT_TLS13_MAJOR_OP_RECORD_ENC | ROC_IE_OT_INPLACE_BIT;
+	}
 	sec_sess->inst.w4 = inst_w4.u64;
 	sec_sess->inst.w7 = cpt_inst_w7_get(roc_cpt, write_sa);
 
-- 
2.25.1