* [dpdk-dev] [PATCH 1/3] security: add option to configure UDP ports verification
2021-09-08 8:25 [dpdk-dev] [PATCH 0/3] add option to configure UDP ports verification Tejasree Kondoj
@ 2021-09-08 8:25 ` Tejasree Kondoj
2021-09-08 7:42 ` Hemant Agrawal
` (2 more replies)
2021-09-08 8:25 ` [dpdk-dev] [PATCH 2/3] common/cnxk: add support for " Tejasree Kondoj
2021-09-08 8:25 ` [dpdk-dev] [PATCH 3/3] test/crypto: add UDP encapsulation ports verification tests Tejasree Kondoj
2 siblings, 3 replies; 8+ messages in thread
From: Tejasree Kondoj @ 2021-09-08 8:25 UTC (permalink / raw)
To: Akhil Goyal, Radu Nicolau, Declan Doherty
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob,
Konstantin Ananyev, Ciara Power, Hemant Agrawal, Gagandeep Singh,
Fan Zhang, Archana Muniganti, dev
Add option to indicate whether UDP encapsulation ports
verification needs to be done as part of inbound
IPsec processing.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/rel_notes/release_21_11.rst | 5 +++++
lib/security/rte_security.h | 7 +++++++
2 files changed, 12 insertions(+)
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index b0606cb542..afeba0105b 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -141,6 +141,11 @@ ABI Changes
* Added SA option to indicate whether outer header verification need to be
done as part of inbound IPsec processing.
+* security: add IPsec SA option to configure UDP ports verification
+
+ * Added SA option to indicate whether UDP ports verification need to be
+ done as part of inbound IPsec processing.
+
Known Issues
------------
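Review bot: the new entry under "ABI Changes" names neither the field nor the structure it was added to, and it repeats the same statement as both a title line and a sub-bullet. Suggest one item that names ``udp_ports_verify`` in ``rte_security_ipsec_sa_options``, with "needs" in place of "need".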
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 2a61cad885..18b0f02c44 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -139,6 +139,13 @@ struct rte_security_ipsec_sa_options {
*/
uint32_t udp_encap : 1;
+ /** Verify UDP encapsulation ports in inbound
+ *
+ * * 1: Match UDP source and destination ports
+ * * 0: Do not match UDP ports
+ */
+ uint32_t udp_ports_verify : 1;
+
/** Copy DSCP bits
*
* * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
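Review bot: `udp_ports_verify` is inserted between `udp_encap` and the copy-DSCP option, which moves every later bit of `struct rte_security_ipsec_sa_options`; append it after the last existing option so the positions that existing binaries rely on do not change. The comment also stops at "in inbound" and does not say which reference ports the packet's source and destination ports are matched against, or what happens to a packet that fails the match; both belong in the field documentation.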
--
2.27.0
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dpdk-dev] [PATCH 1/3] security: add option to configure UDP ports verification
2021-09-08 8:25 ` [dpdk-dev] [PATCH 1/3] security: " Tejasree Kondoj
@ 2021-09-08 7:42 ` Hemant Agrawal
2021-09-08 10:45 ` Akhil Goyal
2021-09-28 16:11 ` Akhil Goyal
2 siblings, 0 replies; 8+ messages in thread
From: Hemant Agrawal @ 2021-09-08 7:42 UTC (permalink / raw)
To: Tejasree Kondoj, Akhil Goyal, Radu Nicolau, Declan Doherty
Cc: Anoob Joseph, Ankur Dwivedi, Jerin Jacob, Konstantin Ananyev,
Ciara Power, Hemant Agrawal, Gagandeep Singh, Fan Zhang,
Archana Muniganti, dev
On 9/8/2021 1:55 PM, Tejasree Kondoj wrote:
> Add option to indicate whether UDP encapsulation ports
> verification needs to be done as part of inbound
> IPsec processing.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> ---
> doc/guides/rel_notes/release_21_11.rst | 5 +++++
> lib/security/rte_security.h | 7 +++++++
> 2 files changed, 12 insertions(+)
>
> diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
> index b0606cb542..afeba0105b 100644
> --- a/doc/guides/rel_notes/release_21_11.rst
> +++ b/doc/guides/rel_notes/release_21_11.rst
> @@ -141,6 +141,11 @@ ABI Changes
> * Added SA option to indicate whether outer header verification need to be
> done as part of inbound IPsec processing.
>
> +* security: add IPsec SA option to configure UDP ports verification
> +
> + * Added SA option to indicate whether UDP ports verification need to be
> + done as part of inbound IPsec processing.
> +
>
> Known Issues
> ------------
> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> index 2a61cad885..18b0f02c44 100644
> --- a/lib/security/rte_security.h
> +++ b/lib/security/rte_security.h
> @@ -139,6 +139,13 @@ struct rte_security_ipsec_sa_options {
> */
> uint32_t udp_encap : 1;
>
> + /** Verify UDP encapsulation ports in inbound
> + *
> + * * 1: Match UDP source and destination ports
> + * * 0: Do not match UDP ports
> + */
> + uint32_t udp_ports_verify : 1;
> +
> /** Copy DSCP bits
> *
> * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dpdk-dev] [PATCH 1/3] security: add option to configure UDP ports verification
2021-09-08 8:25 ` [dpdk-dev] [PATCH 1/3] security: " Tejasree Kondoj
2021-09-08 7:42 ` Hemant Agrawal
@ 2021-09-08 10:45 ` Akhil Goyal
2021-09-28 16:11 ` Akhil Goyal
2 siblings, 0 replies; 8+ messages in thread
From: Akhil Goyal @ 2021-09-08 10:45 UTC (permalink / raw)
To: Tejasree Kondoj, Radu Nicolau, Declan Doherty
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi,
Jerin Jacob Kollanukkaran, Konstantin Ananyev, Ciara Power,
Hemant Agrawal, Gagandeep Singh, Fan Zhang, Archana Muniganti,
dev
> Add option to indicate whether UDP encapsulation ports
> verification needs to be done as part of inbound
> IPsec processing.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dpdk-dev] [PATCH 1/3] security: add option to configure UDP ports verification
2021-09-08 8:25 ` [dpdk-dev] [PATCH 1/3] security: " Tejasree Kondoj
2021-09-08 7:42 ` Hemant Agrawal
2021-09-08 10:45 ` Akhil Goyal
@ 2021-09-28 16:11 ` Akhil Goyal
2 siblings, 0 replies; 8+ messages in thread
From: Akhil Goyal @ 2021-09-28 16:11 UTC (permalink / raw)
To: Tejasree Kondoj, Radu Nicolau, Declan Doherty
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi,
Jerin Jacob Kollanukkaran, Konstantin Ananyev, Ciara Power,
Hemant Agrawal, Gagandeep Singh, Fan Zhang, Archana Muniganti,
dev
> Add option to indicate whether UDP encapsulation ports
> verification needs to be done as part of inbound
> IPsec processing.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
> doc/guides/rel_notes/release_21_11.rst | 5 +++++
> lib/security/rte_security.h | 7 +++++++
> 2 files changed, 12 insertions(+)
>
> diff --git a/doc/guides/rel_notes/release_21_11.rst
> b/doc/guides/rel_notes/release_21_11.rst
> index b0606cb542..afeba0105b 100644
> --- a/doc/guides/rel_notes/release_21_11.rst
> +++ b/doc/guides/rel_notes/release_21_11.rst
> @@ -141,6 +141,11 @@ ABI Changes
> * Added SA option to indicate whether outer header verification need to be
> done as part of inbound IPsec processing.
>
> +* security: add IPsec SA option to configure UDP ports verification
> +
> + * Added SA option to indicate whether UDP ports verification need to be
> + done as part of inbound IPsec processing.
> +
Reword as
+* security: A new option ``udp_ports_verify`` is added in structure
+ ``rte_security_ipsec_sa_options`` to indicate whether UDP ports
+ verification need to be done as part of inbound IPsec processing.
+
>
> Known Issues
> ------------
> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> index 2a61cad885..18b0f02c44 100644
> --- a/lib/security/rte_security.h
> +++ b/lib/security/rte_security.h
> @@ -139,6 +139,13 @@ struct rte_security_ipsec_sa_options {
> */
> uint32_t udp_encap : 1;
>
> + /** Verify UDP encapsulation ports in inbound
> + *
> + * * 1: Match UDP source and destination ports
> + * * 0: Do not match UDP ports
> + */
> + uint32_t udp_ports_verify : 1;
> +
> /** Copy DSCP bits
> *
> * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
All new options should be added at the end of this structure for backward compatibility.
^ permalink raw reply [flat|nested] 8+ messages in thread
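The backward-compatibility point raised in the review above, as an added C example that is not part of the thread or of DPDK. The three structs are simplified models that use only option names visible on this page (not the real `rte_security_ipsec_sa_options` definition), and the decoded values assume GCC or Clang on a little-endian target, where bit-fields are allocated from the least significant bit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified models; field set is an assumption, not the DPDK header. */
struct opts_old {                 /* layout an existing binary was built with */
	uint32_t udp_encap : 1;
	uint32_t copy_dscp : 1;
	uint32_t tunnel_hdr_verify : 2;
};
struct opts_mid {                 /* new flag inserted after udp_encap */
	uint32_t udp_encap : 1;
	uint32_t udp_ports_verify : 1;
	uint32_t copy_dscp : 1;
	uint32_t tunnel_hdr_verify : 2;
};
struct opts_end {                 /* new flag appended after existing options */
	uint32_t udp_encap : 1;
	uint32_t copy_dscp : 1;
	uint32_t tunnel_hdr_verify : 2;
	uint32_t udp_ports_verify : 1;
};

/* Raw 32-bit word that an application built with the old layout passes in. */
static uint32_t old_app_word(unsigned encap, unsigned dscp, unsigned thv)
{
	struct opts_old o = {0};
	uint32_t w;
	o.udp_encap = encap;
	o.copy_dscp = dscp;
	o.tunnel_hdr_verify = thv;
	memcpy(&w, &o, sizeof(w));
	return w;
}

/* How a library built with each new layout decodes that same word. */
static struct opts_mid read_mid(uint32_t w)
{ struct opts_mid n; memcpy(&n, &w, sizeof(n)); return n; }
static struct opts_end read_end(uint32_t w)
{ struct opts_end n; memcpy(&n, &w, sizeof(n)); return n; }

int main(void)
{
	uint32_t w = old_app_word(1, 1, 2);   /* constructed sample options */
	struct opts_mid m = read_mid(w);
	struct opts_end e = read_end(w);
	printf("mid: ports_verify=%u copy_dscp=%u thv=%u\n",
	       (unsigned)m.udp_ports_verify, (unsigned)m.copy_dscp, (unsigned)m.tunnel_hdr_verify);
	printf("end: ports_verify=%u copy_dscp=%u thv=%u\n",
	       (unsigned)e.udp_ports_verify, (unsigned)e.copy_dscp, (unsigned)e.tunnel_hdr_verify);
	return 0;
}
```

With the flag inserted mid-structure, the old caller's `copy_dscp` bit is read as `udp_ports_verify` and the verification mode changes value; with the flag appended, every existing option decodes unchanged and the new one reads as 0.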
* [dpdk-dev] [PATCH 2/3] common/cnxk: add support for UDP ports verification
2021-09-08 8:25 [dpdk-dev] [PATCH 0/3] add option to configure UDP ports verification Tejasree Kondoj
2021-09-08 8:25 ` [dpdk-dev] [PATCH 1/3] security: " Tejasree Kondoj
@ 2021-09-08 8:25 ` Tejasree Kondoj
2021-09-08 10:46 ` Akhil Goyal
2021-09-08 8:25 ` [dpdk-dev] [PATCH 3/3] test/crypto: add UDP encapsulation ports verification tests Tejasree Kondoj
2 siblings, 1 reply; 8+ messages in thread
From: Tejasree Kondoj @ 2021-09-08 8:25 UTC (permalink / raw)
To: Akhil Goyal, Radu Nicolau, Declan Doherty
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob,
Konstantin Ananyev, Ciara Power, Hemant Agrawal, Gagandeep Singh,
Fan Zhang, Archana Muniganti, dev
Adding support to verify UDP encapsulation ports
in IPsec inbound.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
drivers/common/cnxk/cnxk_security.c | 3 +++
drivers/common/cnxk/roc_ie_ot.h | 4 ++--
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 1 +
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index cc5daf333c..13c4f128ae 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -303,6 +303,9 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
sa->w10.s.udp_dst_port = 4500;
}
+ if (ipsec_xfrm->options.udp_ports_verify)
+ sa->w2.s.udp_ports_verify = 1;
+
offset = offsetof(struct roc_ot_ipsec_inb_sa, ctx);
/* Word offset for HW managed SA field */
sa->w0.s.hw_ctx_off = offset / 8;
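Review bot: the new `if (ipsec_xfrm->options.udp_ports_verify)` sits outside the block that closes just above it, the one that programs `sa->w10.s.udp_dst_port = 4500;`. If that block is the UDP encapsulation branch, an SA created with `udp_ports_verify` set and `udp_encap` clear turns on port matching with no ports programmed; nest the check inside that branch or reject the combination with an error. A comment saying that the match is done against the ports written to w10 would also help.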
diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h
index 12c75afac2..e8415cff3c 100644
--- a/drivers/common/cnxk/roc_ie_ot.h
+++ b/drivers/common/cnxk/roc_ie_ot.h
@@ -184,7 +184,7 @@ union roc_ot_ipsec_sa_word2 {
uint64_t esn_en : 1;
uint64_t tport_l4_incr_csum : 1;
uint64_t ip_hdr_verify : 2;
- uint64_t rsvd5 : 1;
+ uint64_t udp_ports_verify : 1;
uint64_t rsvd2 : 7;
uint64_t async_mode : 1;
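Review bot: `rsvd5` becomes `udp_ports_verify` in `union roc_ot_ipsec_sa_word2` without any comment, and the union name is not direction-specific although the commit message describes an inbound feature. Add a short comment on the field stating that it applies to inbound SAs and what value other users of this word must leave in that bit.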
@@ -329,7 +329,7 @@ struct roc_ot_ipsec_inb_sa {
uint64_t esn_en : 1;
uint64_t tport_l4_incr_csum : 1;
uint64_t ip_hdr_verify : 2;
- uint64_t rsvd5 : 1;
+ uint64_t udp_ports_verify : 1;
uint64_t rsvd6 : 7;
uint64_t async_mode : 1;
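Review bot: this is a second hand-maintained copy of the same rename, here in `struct roc_ot_ipsec_inb_sa`, with the neighbouring reserved field named `rsvd6` where the union above has `rsvd2`. Two parallel definitions of one hardware word can drift apart; consider defining the layout once, or at least note in the commit message that both copies were updated together.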
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 8a0cf289fd..ba4166c56d 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -921,6 +921,7 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
sec_cap->ipsec.options.iv_gen_disable = 1;
#endif
} else {
+ sec_cap->ipsec.options.udp_ports_verify = 1;
if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
sec_cap->ipsec.options.tunnel_hdr_verify =
RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
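Review bot: `sec_cap->ipsec.options.udp_ports_verify = 1;` is placed at the top of the `else` branch, ahead of the tunnel-mode test, so the capability is advertised for every mode that reaches this branch and independently of whether UDP encapsulation is advertised. Confirm that this is intended for non-tunnel SAs as well, and add a comment on the `else` naming the direction it covers so the placement is clear to the next reader.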
--
2.27.0
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dpdk-dev] [PATCH 2/3] common/cnxk: add support for UDP ports verification
2021-09-08 8:25 ` [dpdk-dev] [PATCH 2/3] common/cnxk: add support for " Tejasree Kondoj
@ 2021-09-08 10:46 ` Akhil Goyal
0 siblings, 0 replies; 8+ messages in thread
From: Akhil Goyal @ 2021-09-08 10:46 UTC (permalink / raw)
To: Tejasree Kondoj, Radu Nicolau, Declan Doherty
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi,
Jerin Jacob Kollanukkaran, Konstantin Ananyev, Ciara Power,
Hemant Agrawal, Gagandeep Singh, Fan Zhang, Archana Muniganti,
dev
> Adding support to verify UDP encapsulation ports
> in IPsec inbound.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
> drivers/common/cnxk/cnxk_security.c | 3 +++
Acked-by: Akhil Goyal <gakhil@marvell.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
* [dpdk-dev] [PATCH 3/3] test/crypto: add UDP encapsulation ports verification tests
2021-09-08 8:25 [dpdk-dev] [PATCH 0/3] add option to configure UDP ports verification Tejasree Kondoj
2021-09-08 8:25 ` [dpdk-dev] [PATCH 1/3] security: " Tejasree Kondoj
2021-09-08 8:25 ` [dpdk-dev] [PATCH 2/3] common/cnxk: add support for " Tejasree Kondoj
@ 2021-09-08 8:25 ` Tejasree Kondoj
2 siblings, 0 replies; 8+ messages in thread
From: Tejasree Kondoj @ 2021-09-08 8:25 UTC (permalink / raw)
To: Akhil Goyal, Radu Nicolau, Declan Doherty
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob,
Konstantin Ananyev, Ciara Power, Hemant Agrawal, Gagandeep Singh,
Fan Zhang, Archana Muniganti, dev
Adding UDP encapsulation ports verification test cases.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
app/test/test_cryptodev.c | 17 +++++++++++++++++
app/test/test_cryptodev_security_ipsec.c | 11 +++++++++++
app/test/test_cryptodev_security_ipsec.h | 1 +
3 files changed, 29 insertions(+)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index ab7b63f37f..352d8f4360 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9214,6 +9214,19 @@ test_ipsec_proto_tunnel_dst_addr_verify(const void *data __rte_unused)
return test_ipsec_proto_all(&flags);
}
+static int
+test_ipsec_proto_udp_ports_verify(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.udp_encap = true;
+ flags.udp_ports_verify = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
static int
test_PDCP_PROTO_all(void)
{
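Review bot: `test_ipsec_proto_udp_ports_verify()` only sets `udp_encap` and `udp_ports_verify` and then runs the common `test_ipsec_proto_all()` path, so as far as these lines show it checks that traffic still passes with the option on. A verification option also needs a negative case: an inbound packet whose UDP ports differ from the SA's, with the test expecting the packet to be rejected.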
@@ -14145,6 +14158,10 @@ static struct unit_test_suite ipsec_proto_testsuite = {
"UDP encapsulation",
ut_setup_security, ut_teardown,
test_ipsec_proto_udp_encap),
+ TEST_CASE_NAMED_ST(
+ "UDP encapsulation ports verification test",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_udp_ports_verify),
TEST_CASE_NAMED_ST(
"SA expiry packets soft",
ut_setup_security, ut_teardown,
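Review bot: the case name "UDP encapsulation ports verification test" ends in "test", unlike its neighbours "UDP encapsulation" and "SA expiry packets soft". Drop the trailing word to keep the suite listing consistent.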
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index f040630655..764e77bbff 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -36,6 +36,14 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
return -ENOTSUP;
}
+ if (ipsec_xform->options.udp_ports_verify == 1 &&
+ sec_cap->ipsec.options.udp_ports_verify == 0) {
+ if (!silent)
+ RTE_LOG(INFO, USER1, "UDP encapsulation ports "
+ "verification is not supported\n");
+ return -ENOTSUP;
+ }
+
if (ipsec_xform->options.copy_dscp == 1 &&
sec_cap->ipsec.options.copy_dscp == 0) {
if (!silent)
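Review bot: the log message in the new block is split across two string literals ("UDP encapsulation ports " and "verification is not supported\n"), which makes the message hard to find with grep. Keep the user-visible string on one line even if it runs past the column limit.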
@@ -216,6 +224,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
if (flags->udp_encap)
td_inb[i].ipsec_xform.options.udp_encap = 1;
+ if (flags->udp_ports_verify)
+ td_inb[i].ipsec_xform.options.udp_ports_verify = 1;
+
td_inb[i].ipsec_xform.options.tunnel_hdr_verify =
flags->tunnel_hdr_verify;
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index a65cb54eae..0416005520 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -55,6 +55,7 @@ struct ipsec_test_flags {
bool iv_gen;
uint32_t tunnel_hdr_verify;
bool udp_encap;
+ bool udp_ports_verify;
};
struct crypto_param {
--
2.27.0
^ permalink raw reply [flat|nested] 8+ messages in thread