On 9/8/2021 1:55 PM, Tejasree Kondoj wrote:
> Add option to indicate whether UDP encapsulation ports
> verification need to be done as part of inbound
> IPsec processing.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> ---
> doc/guides/rel_notes/release_21_11.rst | 5 +++++
> lib/security/rte_security.h | 7 +++++++
> 2 files changed, 12 insertions(+)
>
> diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
> index b0606cb542..afeba0105b 100644
> --- a/doc/guides/rel_notes/release_21_11.rst
> +++ b/doc/guides/rel_notes/release_21_11.rst
> @@ -141,6 +141,11 @@ ABI Changes
> * Added SA option to indicate whether outer header verification need to be
> done as part of inbound IPsec processing.
>
> +* security: add IPsec SA option to configure UDP ports verification
> +
> + * Added SA option to indicate whether UDP ports verification need to be
> + done as part of inbound IPsec processing.
> +
>
> Known Issues
> ------------
> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> index 2a61cad885..18b0f02c44 100644
> --- a/lib/security/rte_security.h
> +++ b/lib/security/rte_security.h
> @@ -139,6 +139,13 @@ struct rte_security_ipsec_sa_options {
> */
> uint32_t udp_encap : 1;
>
> + /** Verify UDP encapsulation ports in inbound
> + *
> + * * 1: Match UDP source and destination ports
> + * * 0: Do not match UDP ports
> + */
> + uint32_t udp_ports_verify : 1;
> +
> /** Copy DSCP bits
> *
> * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
Add option to indicate whether UDP encapsulation ports verification needs to be done as part of inbound IPsec processing. CNXK PMD support and unit tests are also added for the same. Depends on https://patches.dpdk.org/project/dpdk/list/?series=18755 Tejasree Kondoj (3): security: add option to configure UDP ports verification common/cnxk: add support for UDP ports verification test/crypto: add UDP encapsulation ports verification tests app/test/test_cryptodev.c | 17 +++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 11 +++++++++++ app/test/test_cryptodev_security_ipsec.h | 1 + doc/guides/rel_notes/release_21_11.rst | 5 +++++ drivers/common/cnxk/cnxk_security.c | 3 +++ drivers/common/cnxk/roc_ie_ot.h | 4 ++-- .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 1 + lib/security/rte_security.h | 7 +++++++ 8 files changed, 47 insertions(+), 2 deletions(-) -- 2.27.0
Add option to indicate whether UDP encapsulation ports verification need to be done as part of inbound IPsec processing. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- doc/guides/rel_notes/release_21_11.rst | 5 +++++ lib/security/rte_security.h | 7 +++++++ 2 files changed, 12 insertions(+) diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index b0606cb542..afeba0105b 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -141,6 +141,11 @@ ABI Changes * Added SA option to indicate whether outer header verification need to be done as part of inbound IPsec processing. +* security: add IPsec SA option to configure UDP ports verification + + * Added SA option to indicate whether UDP ports verification need to be + done as part of inbound IPsec processing. + Known Issues ------------ diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 2a61cad885..18b0f02c44 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -139,6 +139,13 @@ struct rte_security_ipsec_sa_options { */ uint32_t udp_encap : 1; + /** Verify UDP encapsulation ports in inbound + * + * * 1: Match UDP source and destination ports + * * 0: Do not match UDP ports + */ + uint32_t udp_ports_verify : 1; + /** Copy DSCP bits * * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to -- 2.27.0
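Review bot: The doc comment on the new `udp_ports_verify` bit in the rte_security.h hunk does not say that the flag is only meaningful when `udp_encap` is also set, what the packet's ports are compared against, or what happens to a packet on mismatch, and both a PMD implementer and an application need to agree on all three. I would extend the comment with `* Applicable only when udp_encap is set; the packet's UDP ports are checked against the ports configured on the SA and a mismatching packet is reported as an inbound verification failure instead of being passed up.` — the "ports configured on the SA" part is my reading of the option's intent and should be confirmed against the cnxk implementation. It is also worth one sentence noting that RFC 3948 allows a NAT to change the UDP source port during an SA's lifetime, so matching the source port is stricter than the RFC requires and can drop legitimate traffic after a NAT rebinding. The release-note hunk likewise describes what the bit does but omits the udp_encap dependency.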
Adding support to verify UDP encapsulation ports in IPsec inbound. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- drivers/common/cnxk/cnxk_security.c | 3 +++ drivers/common/cnxk/roc_ie_ot.h | 4 ++-- drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 1 + 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index cc5daf333c..13c4f128ae 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -303,6 +303,9 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, sa->w10.s.udp_dst_port = 4500; } + if (ipsec_xfrm->options.udp_ports_verify) + sa->w2.s.udp_ports_verify = 1; + offset = offsetof(struct roc_ot_ipsec_inb_sa, ctx); /* Word offset for HW managed SA field */ sa->w0.s.hw_ctx_off = offset / 8; diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h index 12c75afac2..e8415cff3c 100644 --- a/drivers/common/cnxk/roc_ie_ot.h +++ b/drivers/common/cnxk/roc_ie_ot.h @@ -184,7 +184,7 @@ union roc_ot_ipsec_sa_word2 { uint64_t esn_en : 1; uint64_t tport_l4_incr_csum : 1; uint64_t ip_hdr_verify : 2; - uint64_t rsvd5 : 1; + uint64_t udp_ports_verify : 1; uint64_t rsvd2 : 7; uint64_t async_mode : 1; @@ -329,7 +329,7 @@ struct roc_ot_ipsec_inb_sa { uint64_t esn_en : 1; uint64_t tport_l4_incr_csum : 1; uint64_t ip_hdr_verify : 2; - uint64_t rsvd5 : 1; + uint64_t udp_ports_verify : 1; uint64_t rsvd6 : 7; uint64_t async_mode : 1; diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index 8a0cf289fd..ba4166c56d 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c 
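Review bot: In the cnxk_security.c hunk `sa->w2.s.udp_ports_verify` is set whenever the option is requested, with no check that `udp_encap` was also requested, so the hardware verify bit can be enabled while the SA's UDP port fields (the hunk shows `sa->w10.s.udp_dst_port = 4500` being set just above, presumably only on the udp_encap path) are unset or stale. I would reject the combination rather than program it: `if (ipsec_xfrm->options.udp_ports_verify && !ipsec_xfrm->options.udp_encap) return -EINVAL;` ahead of the existing assignment, assuming the function's error path returns a negative errno like the rest of the driver — its return type is outside the hunk. cnxk_ot_ipsec_inb_sa_fill begins before the hunk. The roc_ie_ot.h hunks repurpose `rsvd5` consistently in both the word-2 union and the inbound SA struct, which is fine as long as that bit position matches the hardware definition.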
@@ -921,6 +921,7 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap) sec_cap->ipsec.options.iv_gen_disable = 1; #endif } else { + sec_cap->ipsec.options.udp_ports_verify = 1; if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) sec_cap->ipsec.options.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR; -- 2.27.0
Adding UDP encapsulation ports verification test cases. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- app/test/test_cryptodev.c | 17 +++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 11 +++++++++++ app/test/test_cryptodev_security_ipsec.h | 1 + 3 files changed, 29 insertions(+) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index ab7b63f37f..352d8f4360 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9214,6 +9214,19 @@ test_ipsec_proto_tunnel_dst_addr_verify(const void *data __rte_unused) return test_ipsec_proto_all(&flags); } +static int +test_ipsec_proto_udp_ports_verify(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.udp_encap = true; + flags.udp_ports_verify = true; + + return test_ipsec_proto_all(&flags); +} + static int test_PDCP_PROTO_all(void) { @@ -14145,6 +14158,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { "UDP encapsulation", ut_setup_security, ut_teardown, test_ipsec_proto_udp_encap), + TEST_CASE_NAMED_ST( + "UDP encapsulation ports verification test", + ut_setup_security, ut_teardown, + test_ipsec_proto_udp_ports_verify), TEST_CASE_NAMED_ST( "SA expiry packets soft", ut_setup_security, ut_teardown, diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index f040630655..764e77bbff 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -36,6 +36,14 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, return -ENOTSUP; } + if (ipsec_xform->options.udp_ports_verify == 1 && + sec_cap->ipsec.options.udp_ports_verify == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "UDP encapsulation ports " + "verification is not supported\n"); + return -ENOTSUP; + } + if (ipsec_xform->options.copy_dscp == 1 && sec_cap->ipsec.options.copy_dscp == 0) { if (!silent) 
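Review bot: `test_ipsec_proto_udp_ports_verify` only exercises the positive path: the inbound SA is asked to verify ports and the test vectors presumably carry ports that match, so the case passes whether or not the device actually checks anything. A verification option needs a negative case — a flow where the packet's UDP source or destination port differs from the ports configured on the SA and the inbound operation is expected to fail — otherwise a PMD that advertises the capability but ignores the bit is indistinguishable from a correct one. The `test_ipsec_proto_all` driver and the test-vector layout are outside this hunk, so this likely means a new flag in `ipsec_test_flags` (e.g. `bool udp_ports_mismatch;`) that the inbound path uses to select a packet with altered ports and to expect a failed status. The capability check added to `test_ipsec_sec_caps_verify` follows the neighbouring `copy_dscp` check and looks correct.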
@@ -216,6 +224,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], if (flags->udp_encap) td_inb[i].ipsec_xform.options.udp_encap = 1; + if (flags->udp_ports_verify) + td_inb[i].ipsec_xform.options.udp_ports_verify = 1; + td_inb[i].ipsec_xform.options.tunnel_hdr_verify = flags->tunnel_hdr_verify; diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index a65cb54eae..0416005520 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -55,6 +55,7 @@ struct ipsec_test_flags { bool iv_gen; uint32_t tunnel_hdr_verify; bool udp_encap; + bool udp_ports_verify; }; struct crypto_param { -- 2.27.0
> Add option to indicate whether UDP encapsulation ports
> verification need to be done as part of inbound
> IPsec processing.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>
> Adding support to verify UDP encapsulation ports
> in IPsec inbound.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
> drivers/common/cnxk/cnxk_security.c | 3 +++
Acked-by: Akhil Goyal <gakhil@marvell.com>
> Add option to indicate whether UDP encapsulation ports
> verification need to be done as part of inbound
> IPsec processing.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
> doc/guides/rel_notes/release_21_11.rst | 5 +++++
> lib/security/rte_security.h | 7 +++++++
> 2 files changed, 12 insertions(+)
>
> diff --git a/doc/guides/rel_notes/release_21_11.rst
> b/doc/guides/rel_notes/release_21_11.rst
> index b0606cb542..afeba0105b 100644
> --- a/doc/guides/rel_notes/release_21_11.rst
> +++ b/doc/guides/rel_notes/release_21_11.rst
> @@ -141,6 +141,11 @@ ABI Changes
> * Added SA option to indicate whether outer header verification need to be
> done as part of inbound IPsec processing.
>
> +* security: add IPsec SA option to configure UDP ports verification
> +
> + * Added SA option to indicate whether UDP ports verification need to be
> + done as part of inbound IPsec processing.
> +
Reword as
+* security: A new option ``udp_ports_verify`` is added in structure
+ ``rte_security_ipsec_sa_options`` to indicate whether UDP ports
+ verification need to be done as part of inbound IPsec processing.
+
>
> Known Issues
> ------------
> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> index 2a61cad885..18b0f02c44 100644
> --- a/lib/security/rte_security.h
> +++ b/lib/security/rte_security.h
> @@ -139,6 +139,13 @@ struct rte_security_ipsec_sa_options {
> */
> uint32_t udp_encap : 1;
>
> + /** Verify UDP encapsulation ports in inbound
> + *
> + * * 1: Match UDP source and destination ports
> + * * 0: Do not match UDP ports
> + */
> + uint32_t udp_ports_verify : 1;
> +
> /** Copy DSCP bits
> *
> * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
All new options should be added in the end of this structure for backward compatibility.