Add an option to indicate whether UDP encapsulation ports verification needs to be done as part of inbound IPsec processing. CNXK PMD support and unit tests are also added for the same. Depends on https://patches.dpdk.org/project/dpdk/list/?series=18755 v2: * Fixed release notes * Moved newly added struct field to the end Tejasree Kondoj (3): security: add option to configure UDP ports verification common/cnxk: add support for UDP ports verification test/crypto: add UDP encapsulation ports verification tests app/test/test_cryptodev.c | 17 +++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 11 +++++++++++ app/test/test_cryptodev_security_ipsec.h | 1 + doc/guides/rel_notes/release_21_11.rst | 4 ++++ drivers/common/cnxk/cnxk_security.c | 3 +++ drivers/common/cnxk/roc_ie_ot.h | 4 ++-- .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 1 + lib/security/rte_security.h | 7 +++++++ 8 files changed, 46 insertions(+), 2 deletions(-) -- 2.27.0
Add option to indicate whether UDP encapsulation ports verification need to be done as part of inbound IPsec processing. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com> Acked-by: Akhil Goyal <gakhil@marvell.com> --- doc/guides/rel_notes/release_21_11.rst | 4 ++++ lib/security/rte_security.h | 7 +++++++ 2 files changed, 11 insertions(+) diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index f85dc99c8b..8da851cccc 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -185,6 +185,10 @@ ABI Changes ``rte_security_ipsec_sa_options`` to indicate whether outer header verification need to be done as part of inbound IPsec processing. +* security: A new option ``udp_ports_verify`` was added in structure + ``rte_security_ipsec_sa_options`` to indicate whether UDP ports + verification need to be done as part of inbound IPsec processing. + * security: A new structure ``rte_security_ipsec_lifetime`` was added to replace ``esn_soft_limit`` in IPsec configuration structure ``rte_security_ipsec_xform`` to allow applications to configure SA soft diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index a10c9b5f00..ab1a6e1f65 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -223,6 +223,13 @@ struct rte_security_ipsec_sa_options { * source and destination IP addresses. */ uint32_t tunnel_hdr_verify : 2; + + /** Verify UDP encapsulation ports in inbound + * + * * 1: Match UDP source and destination ports + * * 0: Do not match UDP ports + */ + uint32_t udp_ports_verify : 1; }; /** IPSec security association direction */ -- 2.27.0
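Review bot: The new `udp_ports_verify` bit in `rte_security_ipsec_sa_options` does not say which ports the inbound packet is compared against nor what happens on a mismatch, and it is only meaningful when `udp_encap` is also set; the comment should state that so drivers and applications agree on the contract. Presumably the reference is the SA's configured UDP source/destination ports and a mismatch surfaces as a failed inbound operation; I would extend the comment to `/** Verify UDP encapsulation ports in inbound. Only meaningful when udp_encap is set; packets whose UDP ports differ from the SA's configured ports fail inbound processing.` followed by the existing 1/0 bullets. Without this check a packet carrying a valid SPI is accepted on any UDP ports, so it is worth saying explicitly that the zero default means no port binding is enforced. The struct definition begins before this hunk.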
Adding support to verify UDP encapsulation ports in IPsec inbound. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- drivers/common/cnxk/cnxk_security.c | 3 +++ drivers/common/cnxk/roc_ie_ot.h | 4 ++-- drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 1 + 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index cc5daf333c..13c4f128ae 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -303,6 +303,9 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, sa->w10.s.udp_dst_port = 4500; } + if (ipsec_xfrm->options.udp_ports_verify) + sa->w2.s.udp_ports_verify = 1; + offset = offsetof(struct roc_ot_ipsec_inb_sa, ctx); /* Word offset for HW managed SA field */ sa->w0.s.hw_ctx_off = offset / 8; diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h index 12c75afac2..e8415cff3c 100644 --- a/drivers/common/cnxk/roc_ie_ot.h +++ b/drivers/common/cnxk/roc_ie_ot.h @@ -184,7 +184,7 @@ union roc_ot_ipsec_sa_word2 { uint64_t esn_en : 1; uint64_t tport_l4_incr_csum : 1; uint64_t ip_hdr_verify : 2; - uint64_t rsvd5 : 1; + uint64_t udp_ports_verify : 1; uint64_t rsvd2 : 7; uint64_t async_mode : 1; @@ -329,7 +329,7 @@ struct roc_ot_ipsec_inb_sa { uint64_t esn_en : 1; uint64_t tport_l4_incr_csum : 1; uint64_t ip_hdr_verify : 2; - uint64_t rsvd5 : 1; + uint64_t udp_ports_verify : 1; uint64_t rsvd6 : 7; uint64_t async_mode : 1; diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index 8a0cf289fd..ba4166c56d 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c 
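Review bot: In cnxk_ot_ipsec_inb_sa_fill the added `if (ipsec_xfrm->options.udp_ports_verify) sa->w2.s.udp_ports_verify = 1;` arms the hardware check regardless of `udp_encap`, while the UDP port fields it would compare against appear to be filled only inside the preceding block that sets `sa->w10.s.udp_dst_port = 4500`. Setting the verify bit on an SA without UDP encapsulation is either meaningless or, depending on how the hardware treats it, could make every packet on that SA fail; the visible context does not show which. I would either move the assignment inside the udp_encap block or reject the combination up front, `if (ipsec_xfrm->options.udp_ports_verify && !ipsec_xfrm->options.udp_encap) return -EINVAL;`, assuming the function returns a negative errno as its error paths elsewhere presumably do. The function starts and ends outside the hunk.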
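Review bot: The `rsvd5` to `udp_ports_verify` rename is applied to two parallel copies of the SA word-2 bit layout (the `roc_ot_ipsec_sa_word2` union and the inline bitfield in `roc_ot_ipsec_inb_sa`), so the bit position only stays correct if both are edited together every time, as this patch does. A short comment on the field, `uint64_t udp_ports_verify : 1; /* HW-defined; inbound only; keep in sync with roc_ot_ipsec_inb_sa */`, would make that coupling visible to the next person touching the layout. The union appears to be shared with the outbound SA, where the bit presumably has no meaning, which is another reason to mark it inbound-only. Both enclosing definitions extend beyond the hunk.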
@@ -921,6 +921,7 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
 sec_cap->ipsec.options.iv_gen_disable = 1;
 #endif
 } else {
+ sec_cap->ipsec.options.udp_ports_verify = 1;
 if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
 sec_cap->ipsec.options.tunnel_hdr_verify =
 RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
-- 2.27.0
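Review bot: The capability `sec_cap->ipsec.options.udp_ports_verify = 1` is advertised unconditionally in the `else` branch, independent of whether `udp_encap` is advertised for the same capability entry; port verification can only apply to UDP-encapsulated SAs, so an application walking the capability table could be told a combination the driver cannot honour. Guarding it, `if (sec_cap->ipsec.options.udp_encap) sec_cap->ipsec.options.udp_ports_verify = 1;`, keeps the advertised options self-consistent, assuming udp_encap is set earlier in this function (not visible in the hunk). Judging from `iv_gen_disable` being set only in the other branch, this `else` presumably covers the ingress direction, which matches the inbound-only meaning of the flag. cn10k_sec_caps_update begins and ends outside the hunk.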
Adding UDP encapsulation ports verification test cases. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- app/test/test_cryptodev.c | 17 +++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 11 +++++++++++ app/test/test_cryptodev_security_ipsec.h | 1 + 3 files changed, 29 insertions(+) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 665d19c0a4..5f0d023451 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9262,6 +9262,19 @@ test_ipsec_proto_tunnel_dst_addr_verify(const void *data __rte_unused) return test_ipsec_proto_all(&flags); } +static int +test_ipsec_proto_udp_ports_verify(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.udp_encap = true; + flags.udp_ports_verify = true; + + return test_ipsec_proto_all(&flags); +} + static int test_PDCP_PROTO_all(void) { @@ -14194,6 +14207,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { "UDP encapsulation", ut_setup_security, ut_teardown, test_ipsec_proto_udp_encap), + TEST_CASE_NAMED_ST( + "UDP encapsulation ports verification test", + ut_setup_security, ut_teardown, + test_ipsec_proto_udp_ports_verify), TEST_CASE_NAMED_ST( "SA expiry packets soft", ut_setup_security, ut_teardown, diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index f040630655..764e77bbff 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -36,6 +36,14 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, return -ENOTSUP; } + if (ipsec_xform->options.udp_ports_verify == 1 && + sec_cap->ipsec.options.udp_ports_verify == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "UDP encapsulation ports " + "verification is not supported\n"); + return -ENOTSUP; + } + if (ipsec_xform->options.copy_dscp == 1 && sec_cap->ipsec.options.copy_dscp == 0) { if (!silent) 
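Review bot: test_ipsec_proto_udp_ports_verify only exercises the positive path: it sets `flags.udp_encap` and `flags.udp_ports_verify` and runs test_ipsec_proto_all with matching ports, so a driver that silently ignores the verify bit still passes. The point of the option is rejecting packets whose UDP ports differ from the SA's, and that is what needs a test: a variant that rewrites the UDP source or destination port of the inbound packet and expects the inbound operation to fail, in the same way the tunnel header verification cases are driven through the flags, if test_ipsec_proto_all supports an expected-failure mode (not visible here). Until such a case exists, a comment on the test, `/* Positive case only: ports match the SA; the mismatch path is not exercised */`, would keep readers from assuming the rejection path is covered.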
@@ -216,6 +224,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], if (flags->udp_encap) td_inb[i].ipsec_xform.options.udp_encap = 1; + if (flags->udp_ports_verify) + td_inb[i].ipsec_xform.options.udp_ports_verify = 1; + td_inb[i].ipsec_xform.options.tunnel_hdr_verify = flags->tunnel_hdr_verify; diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index a65cb54eae..0416005520 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -55,6 +55,7 @@ struct ipsec_test_flags { bool iv_gen; uint32_t tunnel_hdr_verify; bool udp_encap; + bool udp_ports_verify; }; struct crypto_param { -- 2.27.0
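Review bot: `td_inb[i].ipsec_xform.options.udp_ports_verify = 1` is set from `flags->udp_ports_verify` alone, so a caller that sets the verify flag without `flags->udp_encap` builds an inbound xform that asks for port verification on a non-encapsulated SA; whether a PMD rejects or ignores that is driver-specific, and the test would then report a driver quirk rather than a flag misuse. Tying it to encapsulation, `if (flags->udp_encap && flags->udp_ports_verify)`, keeps the helper from producing an inconsistent xform. test_ipsec_td_update starts before this hunk.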
> Add option to indicate whether UDP encapsulation ports verification
> need to be done as part of inbound IPsec processing.
> CNXK PMD support and unit tests are also added for the same.
>
> Depends on
> https://patches.dpdk.org/project/dpdk/list/?series=18755
>
Series
Acked-by: Akhil Goyal <gakhil@marvell.com>
Applied to dpdk-next-crypto