From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by dpdk.org (Postfix) with ESMTP id 702F91B01D for ; Wed, 20 Dec 2017 12:37:15 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Dec 2017 03:37:14 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.45,431,1508828400"; d="scan'208";a="14196176" Received: from silpixa00383879.ir.intel.com (HELO silpixa00383879.ger.corp.intel.com) ([10.237.223.127]) by fmsmga004.fm.intel.com with ESMTP; 20 Dec 2017 03:37:12 -0800 From: Radu Nicolau To: dev@dpdk.org Cc: helin.zhang@intel.com, konstantin.ananyev@intel.com, wenzhuo.lu@intel.com, declan.doherty@intel.com, Radu Nicolau Date: Wed, 20 Dec 2017 11:32:51 +0000 Message-Id: <1513769571-16734-1-git-send-email-radu.nicolau@intel.com> X-Mailer: git-send-email 2.7.5 In-Reply-To: <1511349560-12704-1-git-send-email-radu.nicolau@intel.com> References: <1511349560-12704-1-git-send-email-radu.nicolau@intel.com> Subject: [dpdk-dev] [PATCH v2] net/ixgbe: removed ipsec keys from private data X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Dec 2017 11:37:15 -0000 All ipsec related setting are being held in the driver private data to allow easy add and remove of SAs. There is no need to keep a record of the keys, and also storing the keys can be a security issue. Signed-off-by: Radu Nicolau Acked-by: Declan Doherty --- drivers/net/ixgbe/ixgbe_ipsec.c | 78 ++++++++++++++++++----------------------- drivers/net/ixgbe/ixgbe_ipsec.h | 4 --- 2 files changed, 35 insertions(+), 47 deletions(-) diff --git a/drivers/net/ixgbe/ixgbe_ipsec.c b/drivers/net/ixgbe/ixgbe_ipsec.c index 105da11..a7ba358 100644 
--- a/drivers/net/ixgbe/ixgbe_ipsec.c +++ b/drivers/net/ixgbe/ixgbe_ipsec.c @@ -70,6 +70,8 @@ static void ixgbe_crypto_clear_ipsec_tables(struct rte_eth_dev *dev) { struct ixgbe_hw *hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private); + struct ixgbe_ipsec *priv = IXGBE_DEV_PRIVATE_TO_IPSEC( + dev->data->dev_private); int i = 0; /* clear Rx IP table*/ @@ -106,6 +108,10 @@ ixgbe_crypto_clear_ipsec_tables(struct rte_eth_dev *dev) IXGBE_WRITE_REG(hw, IXGBE_IPSTXSALT, 0); IXGBE_WAIT_TWRITE; } + + memset(priv->rx_ip_tbl, 0, sizeof(priv->rx_ip_tbl)); + memset(priv->rx_sa_tbl, 0, sizeof(priv->rx_sa_tbl)); + memset(priv->tx_sa_tbl, 0, sizeof(priv->tx_sa_tbl)); } static int @@ -117,6 +123,8 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session) dev->data->dev_private); uint32_t reg_val; int sa_index = -1; + uint32_t key[4]; + uint32_t salt; if (ic_session->op == IXGBE_OP_AUTHENTICATED_DECRYPTION) { int i, ip_index = -1; 
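Review bot: In the `@@ -106,6 +108,10 @@` hunk the three `memset` calls are only correct if `rx_ip_tbl`, `rx_sa_tbl` and `tx_sa_tbl` are arrays inside `struct ixgbe_ipsec`. That declaration is not part of the patch; if any of them were a pointer, `sizeof` would clear only pointer-size bytes. The calls also carry no comment explaining why software state is reset here, so I would add `/* hardware tables are empty now: reset the software shadow tables, including the used flags, to match */` above them. The middle of `ixgbe_crypto_clear_ipsec_tables` lies between the first two hunks and is not shown.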
@@ -173,16 +181,11 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session) priv->rx_sa_tbl[sa_index].spi = rte_cpu_to_be_32(ic_session->spi); priv->rx_sa_tbl[sa_index].ip_index = ip_index; - priv->rx_sa_tbl[sa_index].key[3] = - rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]); - priv->rx_sa_tbl[sa_index].key[2] = - rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]); - priv->rx_sa_tbl[sa_index].key[1] = - rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]); - priv->rx_sa_tbl[sa_index].key[0] = - rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]); - priv->rx_sa_tbl[sa_index].salt = - rte_cpu_to_be_32(ic_session->salt); + key[3] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]); + key[2] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]); + key[1] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]); + key[0] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]); + salt = rte_cpu_to_be_32(ic_session->salt); priv->rx_sa_tbl[sa_index].mode = IPSRXMOD_VALID; if (ic_session->op == IXGBE_OP_AUTHENTICATED_DECRYPTION) priv->rx_sa_tbl[sa_index].mode |= 
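Review bot: The four `*(uint32_t *)&ic_session->key[N]` loads read 16 bytes of key material through a cast pointer, and nothing in this hunk shows that the session key is 16 bytes long or 4-byte aligned. The type of `ic_session->key` is declared outside the patch; if it is a byte buffer, the cast is an aliasing and alignment hazard, and a shorter key would be over-read. Copying each word first with `memcpy(&w, &ic_session->key[0], sizeof(w));` and then `key[3] = rte_cpu_to_be_32(w);` avoids the cast. A key-length check belongs where the session is created, if one is not already there. The same loads appear in the Tx branch (`@@ -257,32 +257,24 @@`), and the enclosing function continues outside this hunk.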
@@ -224,19 +227,16 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session) /* write Key table entry*/ reg_val = IPSRXIDX_RX_EN | IPSRXIDX_WRITE | IPSRXIDX_TABLE_KEY | (sa_index << 3); - IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(0), - priv->rx_sa_tbl[sa_index].key[0]); - IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(1), - priv->rx_sa_tbl[sa_index].key[1]); - IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(2), - priv->rx_sa_tbl[sa_index].key[2]); - IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(3), - priv->rx_sa_tbl[sa_index].key[3]); - IXGBE_WRITE_REG(hw, IXGBE_IPSRXSALT, - priv->rx_sa_tbl[sa_index].salt); + IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(0), key[0]); + IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(1), key[1]); + IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(2), key[2]); + IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(3), key[3]); + IXGBE_WRITE_REG(hw, IXGBE_IPSRXSALT, salt); IXGBE_WRITE_REG(hw, IXGBE_IPSRXMOD, priv->rx_sa_tbl[sa_index].mode); IXGBE_WAIT_RWRITE; + memset(key, 0, sizeof(key)); + salt = 0; } else { /* sess->dir == RTE_CRYPTO_OUTBOUND */ int i; 
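Review bot: `memset(key, 0, sizeof(key));` and `salt = 0;` are stores to locals that are never read again, so an optimising compiler may drop them and leave the key words on the stack (CERT MSC06-C). The same pair ends the Tx branch in the `@@ -257,32 +257,24 @@` hunk. Use a wipe the compiler cannot elide, for example `explicit_bzero(key, sizeof(key));` where the target libc provides it, or stores through a `volatile` pointer, and clear `salt` the same way. The code between filling `key[]` and this point is partly outside the patch; if it contains an early return, that path skips the wipe, so a single cleanup label at the end of `ixgbe_crypto_add_sa` is worth considering.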
@@ -257,32 +257,24 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session) priv->tx_sa_tbl[sa_index].spi = rte_cpu_to_be_32(ic_session->spi); - priv->tx_sa_tbl[sa_index].key[3] = - rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]); - priv->tx_sa_tbl[sa_index].key[2] = - rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]); - priv->tx_sa_tbl[sa_index].key[1] = - rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]); - priv->tx_sa_tbl[sa_index].key[0] = - rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]); - priv->tx_sa_tbl[sa_index].salt = - rte_cpu_to_be_32(ic_session->salt); + key[3] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]); + key[2] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]); + key[1] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]); + key[0] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]); + salt = rte_cpu_to_be_32(ic_session->salt); + priv->tx_sa_tbl[i].used = 1; + ic_session->sa_index = sa_index; + /* write Key table entry*/ reg_val = IPSRXIDX_RX_EN | IPSRXIDX_WRITE | (sa_index << 3); - IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(0), - priv->tx_sa_tbl[sa_index].key[0]); - IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(1), - priv->tx_sa_tbl[sa_index].key[1]); - IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(2), - priv->tx_sa_tbl[sa_index].key[2]); - IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(3), - priv->tx_sa_tbl[sa_index].key[3]); - IXGBE_WRITE_REG(hw, IXGBE_IPSTXSALT, - priv->tx_sa_tbl[sa_index].salt); + IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(0), key[0]); + IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(1), key[1]); + IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(2), key[2]); + IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(3), key[3]); + IXGBE_WRITE_REG(hw, IXGBE_IPSTXSALT, salt); IXGBE_WAIT_TWRITE; - - priv->tx_sa_tbl[i].used = 1; - ic_session->sa_index = sa_index; + memset(key, 0, sizeof(key)); + salt = 0; } return 0; diff --git a/drivers/net/ixgbe/ixgbe_ipsec.h b/drivers/net/ixgbe/ixgbe_ipsec.h index fb8fefc..3932fa2 100644 --- a/drivers/net/ixgbe/ixgbe_ipsec.h 
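Review bot: `priv->tx_sa_tbl[i].used = 1;` indexes the table with the loop variable `i`, while every other access in this branch uses `sa_index`. The search loop is outside the hunk, so the two are presumably equal at this point, but the entry marked used should visibly be the one being programmed: `priv->tx_sa_tbl[sa_index].used = 1;`. The `/* write Key table entry*/` comment could also state whether building the Tx index word from the `IPSRXIDX_*` bit definitions is intentional.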
+++ b/drivers/net/ixgbe/ixgbe_ipsec.h @@ -107,16 +107,12 @@ struct ixgbe_crypto_rx_ip_table { struct ixgbe_crypto_rx_sa_table { uint32_t spi; uint32_t ip_index; - uint32_t key[4]; - uint32_t salt; uint8_t mode; uint8_t used; }; struct ixgbe_crypto_tx_sa_table { uint32_t spi; - uint32_t key[4]; - uint32_t salt; uint8_t used; }; -- 2.7.5