* [dpdk-dev] [PATCH] net/ixgbe: removed ipsec keys from private data
@ 2017-11-22 11:19 Radu Nicolau
2017-12-13 9:43 ` Declan Doherty
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Radu Nicolau @ 2017-11-22 11:19 UTC (permalink / raw)
To: dev; +Cc: konstantin.ananyev, wenzhuo.lu, Radu Nicolau
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
---
drivers/net/ixgbe/ixgbe_ipsec.c | 78 ++++++++++++++++++-----------------------
drivers/net/ixgbe/ixgbe_ipsec.h | 4 ---
2 files changed, 35 insertions(+), 47 deletions(-)
diff --git a/drivers/net/ixgbe/ixgbe_ipsec.c b/drivers/net/ixgbe/ixgbe_ipsec.c
index 105da11..a7ba358 100644
--- a/drivers/net/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ixgbe/ixgbe_ipsec.c
@@ -70,6 +70,8 @@ static void
ixgbe_crypto_clear_ipsec_tables(struct rte_eth_dev *dev)
{
struct ixgbe_hw *hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private);
+ struct ixgbe_ipsec *priv = IXGBE_DEV_PRIVATE_TO_IPSEC(
+ dev->data->dev_private);
int i = 0;
/* clear Rx IP table*/
@@ -106,6 +108,10 @@ ixgbe_crypto_clear_ipsec_tables(struct rte_eth_dev *dev)
IXGBE_WRITE_REG(hw, IXGBE_IPSTXSALT, 0);
IXGBE_WAIT_TWRITE;
}
+
+ memset(priv->rx_ip_tbl, 0, sizeof(priv->rx_ip_tbl));
+ memset(priv->rx_sa_tbl, 0, sizeof(priv->rx_sa_tbl));
+ memset(priv->tx_sa_tbl, 0, sizeof(priv->tx_sa_tbl));
}
static int
@@ -117,6 +123,8 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session)
dev->data->dev_private);
uint32_t reg_val;
int sa_index = -1;
+ uint32_t key[4];
+ uint32_t salt;
if (ic_session->op == IXGBE_OP_AUTHENTICATED_DECRYPTION) {
int i, ip_index = -1;
@@ -173,16 +181,11 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session)
priv->rx_sa_tbl[sa_index].spi =
rte_cpu_to_be_32(ic_session->spi);
priv->rx_sa_tbl[sa_index].ip_index = ip_index;
- priv->rx_sa_tbl[sa_index].key[3] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]);
- priv->rx_sa_tbl[sa_index].key[2] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]);
- priv->rx_sa_tbl[sa_index].key[1] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]);
- priv->rx_sa_tbl[sa_index].key[0] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]);
- priv->rx_sa_tbl[sa_index].salt =
- rte_cpu_to_be_32(ic_session->salt);
+ key[3] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]);
+ key[2] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]);
+ key[1] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]);
+ key[0] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]);
+ salt = rte_cpu_to_be_32(ic_session->salt);
priv->rx_sa_tbl[sa_index].mode = IPSRXMOD_VALID;
if (ic_session->op == IXGBE_OP_AUTHENTICATED_DECRYPTION)
priv->rx_sa_tbl[sa_index].mode |=
@@ -224,19 +227,16 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session)
/* write Key table entry*/
reg_val = IPSRXIDX_RX_EN | IPSRXIDX_WRITE |
IPSRXIDX_TABLE_KEY | (sa_index << 3);
- IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(0),
- priv->rx_sa_tbl[sa_index].key[0]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(1),
- priv->rx_sa_tbl[sa_index].key[1]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(2),
- priv->rx_sa_tbl[sa_index].key[2]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(3),
- priv->rx_sa_tbl[sa_index].key[3]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSRXSALT,
- priv->rx_sa_tbl[sa_index].salt);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(0), key[0]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(1), key[1]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(2), key[2]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(3), key[3]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSRXSALT, salt);
IXGBE_WRITE_REG(hw, IXGBE_IPSRXMOD,
priv->rx_sa_tbl[sa_index].mode);
IXGBE_WAIT_RWRITE;
+ memset(key, 0, sizeof(key));
+ salt = 0;
} else { /* sess->dir == RTE_CRYPTO_OUTBOUND */
int i;
@@ -257,32 +257,24 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session)
priv->tx_sa_tbl[sa_index].spi =
rte_cpu_to_be_32(ic_session->spi);
- priv->tx_sa_tbl[sa_index].key[3] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]);
- priv->tx_sa_tbl[sa_index].key[2] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]);
- priv->tx_sa_tbl[sa_index].key[1] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]);
- priv->tx_sa_tbl[sa_index].key[0] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]);
- priv->tx_sa_tbl[sa_index].salt =
- rte_cpu_to_be_32(ic_session->salt);
+ key[3] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]);
+ key[2] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]);
+ key[1] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]);
+ key[0] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]);
+ salt = rte_cpu_to_be_32(ic_session->salt);
+ priv->tx_sa_tbl[i].used = 1;
+ ic_session->sa_index = sa_index;
+ /* write Key table entry*/
reg_val = IPSRXIDX_RX_EN | IPSRXIDX_WRITE | (sa_index << 3);
- IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(0),
- priv->tx_sa_tbl[sa_index].key[0]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(1),
- priv->tx_sa_tbl[sa_index].key[1]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(2),
- priv->tx_sa_tbl[sa_index].key[2]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(3),
- priv->tx_sa_tbl[sa_index].key[3]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSTXSALT,
- priv->tx_sa_tbl[sa_index].salt);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(0), key[0]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(1), key[1]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(2), key[2]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(3), key[3]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSTXSALT, salt);
IXGBE_WAIT_TWRITE;
-
- priv->tx_sa_tbl[i].used = 1;
- ic_session->sa_index = sa_index;
+ memset(key, 0, sizeof(key));
+ salt = 0;
}
return 0;
diff --git a/drivers/net/ixgbe/ixgbe_ipsec.h b/drivers/net/ixgbe/ixgbe_ipsec.h
index fb8fefc..3932fa2 100644
--- a/drivers/net/ixgbe/ixgbe_ipsec.h
+++ b/drivers/net/ixgbe/ixgbe_ipsec.h
@@ -107,16 +107,12 @@ struct ixgbe_crypto_rx_ip_table {
struct ixgbe_crypto_rx_sa_table {
uint32_t spi;
uint32_t ip_index;
- uint32_t key[4];
- uint32_t salt;
uint8_t mode;
uint8_t used;
};
struct ixgbe_crypto_tx_sa_table {
uint32_t spi;
- uint32_t key[4];
- uint32_t salt;
uint8_t used;
};
--
2.7.5
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dpdk-dev] [PATCH] net/ixgbe: removed ipsec keys from private data
2017-11-22 11:19 [dpdk-dev] [PATCH] net/ixgbe: removed ipsec keys from private data Radu Nicolau
@ 2017-12-13 9:43 ` Declan Doherty
2018-01-07 15:24 ` Zhang, Helin
2017-12-20 6:48 ` Zhang, Helin
2017-12-20 11:32 ` [dpdk-dev] [PATCH v2] " Radu Nicolau
2 siblings, 1 reply; 8+ messages in thread
From: Declan Doherty @ 2017-12-13 9:43 UTC (permalink / raw)
To: Radu Nicolau, dev; +Cc: konstantin.ananyev, wenzhuo.lu
On 22/11/17 11:19, Radu Nicolau wrote:
> Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
> ---
...
>
Acked-by: Declan Doherty <declan.doherty@intel.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dpdk-dev] [PATCH] net/ixgbe: removed ipsec keys from private data
2017-12-13 9:43 ` Declan Doherty
@ 2018-01-07 15:24 ` Zhang, Helin
0 siblings, 0 replies; 8+ messages in thread
From: Zhang, Helin @ 2018-01-07 15:24 UTC (permalink / raw)
To: Doherty, Declan, Nicolau, Radu, dev; +Cc: Ananyev, Konstantin, Lu, Wenzhuo
> -----Original Message-----
> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Declan Doherty
> Sent: Wednesday, December 13, 2017 5:44 PM
> To: Nicolau, Radu; dev@dpdk.org
> Cc: Ananyev, Konstantin; Lu, Wenzhuo
> Subject: Re: [dpdk-dev] [PATCH] net/ixgbe: removed ipsec keys from private
> data
>
> On 22/11/17 11:19, Radu Nicolau wrote:
> > Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
> > ---
> ...
> >
> Acked-by: Declan Doherty <declan.doherty@intel.com>
Applied into dpdk-next-net-intel, and thanks!
/Helin
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dpdk-dev] [PATCH] net/ixgbe: removed ipsec keys from private data
2017-11-22 11:19 [dpdk-dev] [PATCH] net/ixgbe: removed ipsec keys from private data Radu Nicolau
2017-12-13 9:43 ` Declan Doherty
@ 2017-12-20 6:48 ` Zhang, Helin
2017-12-20 11:32 ` [dpdk-dev] [PATCH v2] " Radu Nicolau
2 siblings, 0 replies; 8+ messages in thread
From: Zhang, Helin @ 2017-12-20 6:48 UTC (permalink / raw)
To: Nicolau, Radu, dev; +Cc: Ananyev, Konstantin, Lu, Wenzhuo, Nicolau, Radu
> -----Original Message-----
> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Radu Nicolau
> Sent: Wednesday, November 22, 2017 7:19 PM
> To: dev@dpdk.org
> Cc: Ananyev, Konstantin; Lu, Wenzhuo; Nicolau, Radu
> Subject: [dpdk-dev] [PATCH] net/ixgbe: removed ipsec keys from private data
We need some description here, like other commits?
>
> Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
> ---
^ permalink raw reply [flat|nested] 8+ messages in thread
* [dpdk-dev] [PATCH v2] net/ixgbe: removed ipsec keys from private data
2017-11-22 11:19 [dpdk-dev] [PATCH] net/ixgbe: removed ipsec keys from private data Radu Nicolau
2017-12-13 9:43 ` Declan Doherty
2017-12-20 6:48 ` Zhang, Helin
@ 2017-12-20 11:32 ` Radu Nicolau
2017-12-20 15:46 ` Stephen Hemminger
2017-12-21 10:55 ` [dpdk-dev] [PATCH v3] " Radu Nicolau
2 siblings, 2 replies; 8+ messages in thread
From: Radu Nicolau @ 2017-12-20 11:32 UTC (permalink / raw)
To: dev
Cc: helin.zhang, konstantin.ananyev, wenzhuo.lu, declan.doherty,
Radu Nicolau
All ipsec related setting are being held in the driver
private data to allow easy add and remove of SAs. There
is no need to keep a record of the keys, and also
storing the keys can be a security issue.
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
---
drivers/net/ixgbe/ixgbe_ipsec.c | 78 ++++++++++++++++++-----------------------
drivers/net/ixgbe/ixgbe_ipsec.h | 4 ---
2 files changed, 35 insertions(+), 47 deletions(-)
diff --git a/drivers/net/ixgbe/ixgbe_ipsec.c b/drivers/net/ixgbe/ixgbe_ipsec.c
index 105da11..a7ba358 100644
--- a/drivers/net/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ixgbe/ixgbe_ipsec.c
@@ -70,6 +70,8 @@ static void
ixgbe_crypto_clear_ipsec_tables(struct rte_eth_dev *dev)
{
struct ixgbe_hw *hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private);
+ struct ixgbe_ipsec *priv = IXGBE_DEV_PRIVATE_TO_IPSEC(
+ dev->data->dev_private);
int i = 0;
/* clear Rx IP table*/
@@ -106,6 +108,10 @@ ixgbe_crypto_clear_ipsec_tables(struct rte_eth_dev *dev)
IXGBE_WRITE_REG(hw, IXGBE_IPSTXSALT, 0);
IXGBE_WAIT_TWRITE;
}
+
+ memset(priv->rx_ip_tbl, 0, sizeof(priv->rx_ip_tbl));
+ memset(priv->rx_sa_tbl, 0, sizeof(priv->rx_sa_tbl));
+ memset(priv->tx_sa_tbl, 0, sizeof(priv->tx_sa_tbl));
}
static int
@@ -117,6 +123,8 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session)
dev->data->dev_private);
uint32_t reg_val;
int sa_index = -1;
+ uint32_t key[4];
+ uint32_t salt;
if (ic_session->op == IXGBE_OP_AUTHENTICATED_DECRYPTION) {
int i, ip_index = -1;
@@ -173,16 +181,11 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session)
priv->rx_sa_tbl[sa_index].spi =
rte_cpu_to_be_32(ic_session->spi);
priv->rx_sa_tbl[sa_index].ip_index = ip_index;
- priv->rx_sa_tbl[sa_index].key[3] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]);
- priv->rx_sa_tbl[sa_index].key[2] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]);
- priv->rx_sa_tbl[sa_index].key[1] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]);
- priv->rx_sa_tbl[sa_index].key[0] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]);
- priv->rx_sa_tbl[sa_index].salt =
- rte_cpu_to_be_32(ic_session->salt);
+ key[3] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]);
+ key[2] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]);
+ key[1] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]);
+ key[0] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]);
+ salt = rte_cpu_to_be_32(ic_session->salt);
priv->rx_sa_tbl[sa_index].mode = IPSRXMOD_VALID;
if (ic_session->op == IXGBE_OP_AUTHENTICATED_DECRYPTION)
priv->rx_sa_tbl[sa_index].mode |=
@@ -224,19 +227,16 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session)
/* write Key table entry*/
reg_val = IPSRXIDX_RX_EN | IPSRXIDX_WRITE |
IPSRXIDX_TABLE_KEY | (sa_index << 3);
- IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(0),
- priv->rx_sa_tbl[sa_index].key[0]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(1),
- priv->rx_sa_tbl[sa_index].key[1]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(2),
- priv->rx_sa_tbl[sa_index].key[2]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(3),
- priv->rx_sa_tbl[sa_index].key[3]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSRXSALT,
- priv->rx_sa_tbl[sa_index].salt);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(0), key[0]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(1), key[1]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(2), key[2]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(3), key[3]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSRXSALT, salt);
IXGBE_WRITE_REG(hw, IXGBE_IPSRXMOD,
priv->rx_sa_tbl[sa_index].mode);
IXGBE_WAIT_RWRITE;
+ memset(key, 0, sizeof(key));
+ salt = 0;
} else { /* sess->dir == RTE_CRYPTO_OUTBOUND */
int i;
@@ -257,32 +257,24 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session)
priv->tx_sa_tbl[sa_index].spi =
rte_cpu_to_be_32(ic_session->spi);
- priv->tx_sa_tbl[sa_index].key[3] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]);
- priv->tx_sa_tbl[sa_index].key[2] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]);
- priv->tx_sa_tbl[sa_index].key[1] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]);
- priv->tx_sa_tbl[sa_index].key[0] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]);
- priv->tx_sa_tbl[sa_index].salt =
- rte_cpu_to_be_32(ic_session->salt);
+ key[3] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]);
+ key[2] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]);
+ key[1] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]);
+ key[0] = rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]);
+ salt = rte_cpu_to_be_32(ic_session->salt);
+ priv->tx_sa_tbl[i].used = 1;
+ ic_session->sa_index = sa_index;
+ /* write Key table entry*/
reg_val = IPSRXIDX_RX_EN | IPSRXIDX_WRITE | (sa_index << 3);
- IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(0),
- priv->tx_sa_tbl[sa_index].key[0]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(1),
- priv->tx_sa_tbl[sa_index].key[1]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(2),
- priv->tx_sa_tbl[sa_index].key[2]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(3),
- priv->tx_sa_tbl[sa_index].key[3]);
- IXGBE_WRITE_REG(hw, IXGBE_IPSTXSALT,
- priv->tx_sa_tbl[sa_index].salt);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(0), key[0]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(1), key[1]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(2), key[2]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(3), key[3]);
+ IXGBE_WRITE_REG(hw, IXGBE_IPSTXSALT, salt);
IXGBE_WAIT_TWRITE;
-
- priv->tx_sa_tbl[i].used = 1;
- ic_session->sa_index = sa_index;
+ memset(key, 0, sizeof(key));
+ salt = 0;
}
return 0;
diff --git a/drivers/net/ixgbe/ixgbe_ipsec.h b/drivers/net/ixgbe/ixgbe_ipsec.h
index fb8fefc..3932fa2 100644
--- a/drivers/net/ixgbe/ixgbe_ipsec.h
+++ b/drivers/net/ixgbe/ixgbe_ipsec.h
@@ -107,16 +107,12 @@ struct ixgbe_crypto_rx_ip_table {
struct ixgbe_crypto_rx_sa_table {
uint32_t spi;
uint32_t ip_index;
- uint32_t key[4];
- uint32_t salt;
uint8_t mode;
uint8_t used;
};
struct ixgbe_crypto_tx_sa_table {
uint32_t spi;
- uint32_t key[4];
- uint32_t salt;
uint8_t used;
};
--
2.7.5
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dpdk-dev] [PATCH v2] net/ixgbe: removed ipsec keys from private data
2017-12-20 11:32 ` [dpdk-dev] [PATCH v2] " Radu Nicolau
@ 2017-12-20 15:46 ` Stephen Hemminger
2017-12-20 18:06 ` Radu Nicolau
2017-12-21 10:55 ` [dpdk-dev] [PATCH v3] " Radu Nicolau
1 sibling, 1 reply; 8+ messages in thread
From: Stephen Hemminger @ 2017-12-20 15:46 UTC (permalink / raw)
To: Radu Nicolau
Cc: dev, helin.zhang, konstantin.ananyev, wenzhuo.lu, declan.doherty
On Wed, 20 Dec 2017 11:32:51 +0000
Radu Nicolau <radu.nicolau@intel.com> wrote:
> All ipsec related setting are being held in the driver
> private data to allow easy add and remove of SAs. There
> is no need to keep a record of the keys, and also
> storing the keys can be a security issue.
>
> Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
> Acked-by: Declan Doherty <declan.doherty@intel.com>
> ---
> drivers/net/ixgbe/ixgbe_ipsec.c | 78 ++++++++++++++++++-----------------------
> drivers/net/ixgbe/ixgbe_ipsec.h | 4 ---
> 2 files changed, 35 insertions(+), 47 deletions(-)
>
> diff --git a/drivers/net/ixgbe/ixgbe_ipsec.c b/drivers/net/ixgbe/ixgbe_ipsec.c
> index 105da11..a7ba358 100644
> --- a/drivers/net/ixgbe/ixgbe_ipsec.c
> +++ b/drivers/net/ixgbe/ixgbe_ipsec.c
> @@ -70,6 +70,8 @@ static void
> ixgbe_crypto_clear_ipsec_tables(struct rte_eth_dev *dev)
> {
> struct ixgbe_hw *hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private);
> + struct ixgbe_ipsec *priv = IXGBE_DEV_PRIVATE_TO_IPSEC(
> + dev->data->dev_private);
> int i = 0;
>
> /* clear Rx IP table*/
> @@ -106,6 +108,10 @@ ixgbe_crypto_clear_ipsec_tables(struct rte_eth_dev *dev)
> IXGBE_WRITE_REG(hw, IXGBE_IPSTXSALT, 0);
> IXGBE_WAIT_TWRITE;
> }
> +
> + memset(priv->rx_ip_tbl, 0, sizeof(priv->rx_ip_tbl));
> + memset(priv->rx_sa_tbl, 0, sizeof(priv->rx_sa_tbl));
> + memset(priv->tx_sa_tbl, 0, sizeof(priv->tx_sa_tbl));
GCC has been known to optimize out this kind of memset.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=8537
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dpdk-dev] [PATCH v2] net/ixgbe: removed ipsec keys from private data
2017-12-20 15:46 ` Stephen Hemminger
@ 2017-12-20 18:06 ` Radu Nicolau
0 siblings, 0 replies; 8+ messages in thread
From: Radu Nicolau @ 2017-12-20 18:06 UTC (permalink / raw)
To: Stephen Hemminger
Cc: dev, helin.zhang, konstantin.ananyev, wenzhuo.lu, declan.doherty
On 12/20/2017 3:46 PM, Stephen Hemminger wrote:
> On Wed, 20 Dec 2017 11:32:51 +0000
> Radu Nicolau <radu.nicolau@intel.com> wrote:
>
>> All ipsec related setting are being held in the driver
>> private data to allow easy add and remove of SAs. There
>> is no need to keep a record of the keys, and also
>> storing the keys can be a security issue.
>>
>> Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
>> Acked-by: Declan Doherty <declan.doherty@intel.com>
>> ---
>> drivers/net/ixgbe/ixgbe_ipsec.c | 78 ++++++++++++++++++-----------------------
>> drivers/net/ixgbe/ixgbe_ipsec.h | 4 ---
>> 2 files changed, 35 insertions(+), 47 deletions(-)
>>
>> diff --git a/drivers/net/ixgbe/ixgbe_ipsec.c b/drivers/net/ixgbe/ixgbe_ipsec.c
>> index 105da11..a7ba358 100644
>> --- a/drivers/net/ixgbe/ixgbe_ipsec.c
>> +++ b/drivers/net/ixgbe/ixgbe_ipsec.c
>> @@ -70,6 +70,8 @@ static void
>> ixgbe_crypto_clear_ipsec_tables(struct rte_eth_dev *dev)
>> {
>> struct ixgbe_hw *hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private);
>> + struct ixgbe_ipsec *priv = IXGBE_DEV_PRIVATE_TO_IPSEC(
>> + dev->data->dev_private);
>> int i = 0;
>>
>> /* clear Rx IP table*/
>> @@ -106,6 +108,10 @@ ixgbe_crypto_clear_ipsec_tables(struct rte_eth_dev *dev)
>> IXGBE_WRITE_REG(hw, IXGBE_IPSTXSALT, 0);
>> IXGBE_WAIT_TWRITE;
>> }
>> +
>> + memset(priv->rx_ip_tbl, 0, sizeof(priv->rx_ip_tbl));
>> + memset(priv->rx_sa_tbl, 0, sizeof(priv->rx_sa_tbl));
>> + memset(priv->tx_sa_tbl, 0, sizeof(priv->tx_sa_tbl));
> GCC has been known to optimize out this kind of memset.
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=8537
>
Thanks for pointing it out, I will send an update.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [dpdk-dev] [PATCH v3] net/ixgbe: removed ipsec keys from private data
2017-12-20 11:32 ` [dpdk-dev] [PATCH v2] " Radu Nicolau
2017-12-20 15:46 ` Stephen Hemminger
@ 2017-12-21 10:55 ` Radu Nicolau
1 sibling, 0 replies; 8+ messages in thread
From: Radu Nicolau @ 2017-12-21 10:55 UTC (permalink / raw)
To: dev
Cc: helin.zhang, konstantin.ananyev, wenzhuo.lu, declan.doherty,
stephen, Radu Nicolau
All ipsec related setting are being held in the driver
private data to allow easy add and remove of SAs. There
is no need to keep a record of the keys, and also
storing the keys can be a security issue.
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
---
v2: updated commit msg
v3: removed key local copy
drivers/net/ixgbe/ixgbe_ipsec.c | 52 +++++++++++++++--------------------------
drivers/net/ixgbe/ixgbe_ipsec.h | 4 ----
2 files changed, 19 insertions(+), 37 deletions(-)
diff --git a/drivers/net/ixgbe/ixgbe_ipsec.c b/drivers/net/ixgbe/ixgbe_ipsec.c
index 105da11..91254de 100644
--- a/drivers/net/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ixgbe/ixgbe_ipsec.c
@@ -70,6 +70,8 @@ static void
ixgbe_crypto_clear_ipsec_tables(struct rte_eth_dev *dev)
{
struct ixgbe_hw *hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private);
+ struct ixgbe_ipsec *priv = IXGBE_DEV_PRIVATE_TO_IPSEC(
+ dev->data->dev_private);
int i = 0;
/* clear Rx IP table*/
@@ -106,6 +108,10 @@ ixgbe_crypto_clear_ipsec_tables(struct rte_eth_dev *dev)
IXGBE_WRITE_REG(hw, IXGBE_IPSTXSALT, 0);
IXGBE_WAIT_TWRITE;
}
+
+ memset(priv->rx_ip_tbl, 0, sizeof(priv->rx_ip_tbl));
+ memset(priv->rx_sa_tbl, 0, sizeof(priv->rx_sa_tbl));
+ memset(priv->tx_sa_tbl, 0, sizeof(priv->tx_sa_tbl));
}
static int
@@ -173,16 +179,6 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session)
priv->rx_sa_tbl[sa_index].spi =
rte_cpu_to_be_32(ic_session->spi);
priv->rx_sa_tbl[sa_index].ip_index = ip_index;
- priv->rx_sa_tbl[sa_index].key[3] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]);
- priv->rx_sa_tbl[sa_index].key[2] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]);
- priv->rx_sa_tbl[sa_index].key[1] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]);
- priv->rx_sa_tbl[sa_index].key[0] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]);
- priv->rx_sa_tbl[sa_index].salt =
- rte_cpu_to_be_32(ic_session->salt);
priv->rx_sa_tbl[sa_index].mode = IPSRXMOD_VALID;
if (ic_session->op == IXGBE_OP_AUTHENTICATED_DECRYPTION)
priv->rx_sa_tbl[sa_index].mode |=
@@ -225,15 +221,15 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session)
reg_val = IPSRXIDX_RX_EN | IPSRXIDX_WRITE |
IPSRXIDX_TABLE_KEY | (sa_index << 3);
IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(0),
- priv->rx_sa_tbl[sa_index].key[0]);
+ rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]));
IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(1),
- priv->rx_sa_tbl[sa_index].key[1]);
+ rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]));
IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(2),
- priv->rx_sa_tbl[sa_index].key[2]);
+ rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]));
IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(3),
- priv->rx_sa_tbl[sa_index].key[3]);
+ rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]));
IXGBE_WRITE_REG(hw, IXGBE_IPSRXSALT,
- priv->rx_sa_tbl[sa_index].salt);
+ rte_cpu_to_be_32(ic_session->salt));
IXGBE_WRITE_REG(hw, IXGBE_IPSRXMOD,
priv->rx_sa_tbl[sa_index].mode);
IXGBE_WAIT_RWRITE;
@@ -257,32 +253,22 @@ ixgbe_crypto_add_sa(struct ixgbe_crypto_session *ic_session)
priv->tx_sa_tbl[sa_index].spi =
rte_cpu_to_be_32(ic_session->spi);
- priv->tx_sa_tbl[sa_index].key[3] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]);
- priv->tx_sa_tbl[sa_index].key[2] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]);
- priv->tx_sa_tbl[sa_index].key[1] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]);
- priv->tx_sa_tbl[sa_index].key[0] =
- rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]);
- priv->tx_sa_tbl[sa_index].salt =
- rte_cpu_to_be_32(ic_session->salt);
+ priv->tx_sa_tbl[i].used = 1;
+ ic_session->sa_index = sa_index;
+ /* write Key table entry*/
reg_val = IPSRXIDX_RX_EN | IPSRXIDX_WRITE | (sa_index << 3);
IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(0),
- priv->tx_sa_tbl[sa_index].key[0]);
+ rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[12]));
IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(1),
- priv->tx_sa_tbl[sa_index].key[1]);
+ rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[8]));
IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(2),
- priv->tx_sa_tbl[sa_index].key[2]);
+ rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[4]));
IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(3),
- priv->tx_sa_tbl[sa_index].key[3]);
+ rte_cpu_to_be_32(*(uint32_t *)&ic_session->key[0]));
IXGBE_WRITE_REG(hw, IXGBE_IPSTXSALT,
- priv->tx_sa_tbl[sa_index].salt);
+ rte_cpu_to_be_32(ic_session->salt));
IXGBE_WAIT_TWRITE;
-
- priv->tx_sa_tbl[i].used = 1;
- ic_session->sa_index = sa_index;
}
return 0;
diff --git a/drivers/net/ixgbe/ixgbe_ipsec.h b/drivers/net/ixgbe/ixgbe_ipsec.h
index fb8fefc..3932fa2 100644
--- a/drivers/net/ixgbe/ixgbe_ipsec.h
+++ b/drivers/net/ixgbe/ixgbe_ipsec.h
@@ -107,16 +107,12 @@ struct ixgbe_crypto_rx_ip_table {
struct ixgbe_crypto_rx_sa_table {
uint32_t spi;
uint32_t ip_index;
- uint32_t key[4];
- uint32_t salt;
uint8_t mode;
uint8_t used;
};
struct ixgbe_crypto_tx_sa_table {
uint32_t spi;
- uint32_t key[4];
- uint32_t salt;
uint8_t used;
};
--
2.7.5
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2018-01-07 15:24 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-22 11:19 [dpdk-dev] [PATCH] net/ixgbe: removed ipsec keys from private data Radu Nicolau
2017-12-13 9:43 ` Declan Doherty
2018-01-07 15:24 ` Zhang, Helin
2017-12-20 6:48 ` Zhang, Helin
2017-12-20 11:32 ` [dpdk-dev] [PATCH v2] " Radu Nicolau
2017-12-20 15:46 ` Stephen Hemminger
2017-12-20 18:06 ` Radu Nicolau
2017-12-21 10:55 ` [dpdk-dev] [PATCH v3] " Radu Nicolau
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).