DPDK patches and discussions
* [dpdk-dev] [PATCH v2 0/3] add option to configure UDP ports verification
@ 2021-09-29  3:25 Tejasree Kondoj
  2021-09-29  3:25 ` [dpdk-dev] [PATCH v2 1/3] security: " Tejasree Kondoj
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Tejasree Kondoj @ 2021-09-29  3:25 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau, Declan Doherty
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob,
	Konstantin Ananyev, Ciara Power, Hemant Agrawal, Gagandeep Singh,
	Fan Zhang, Archana Muniganti, dev

Add option to indicate whether UDP encapsulation ports verification
needs to be done as part of inbound IPsec processing.
CNXK PMD support and unit tests are also added for the same.

Depends on
https://patches.dpdk.org/project/dpdk/list/?series=18755

v2:
* Fixed release notes
* Moved newly added struct field to the end

Tejasree Kondoj (3):
  security: add option to configure UDP ports verification
  common/cnxk: add support for UDP ports verification
  test/crypto: add UDP encapsulation ports verification tests

 app/test/test_cryptodev.c                       | 17 +++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c        | 11 +++++++++++
 app/test/test_cryptodev_security_ipsec.h        |  1 +
 doc/guides/rel_notes/release_21_11.rst          |  4 ++++
 drivers/common/cnxk/cnxk_security.c             |  3 +++
 drivers/common/cnxk/roc_ie_ot.h                 |  4 ++--
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c   |  1 +
 lib/security/rte_security.h                     |  7 +++++++
 8 files changed, 46 insertions(+), 2 deletions(-)

-- 
2.27.0



* [dpdk-dev] [PATCH v2 1/3] security: add option to configure UDP ports verification
  2021-09-29  3:25 [dpdk-dev] [PATCH v2 0/3] add option to configure UDP ports verification Tejasree Kondoj
@ 2021-09-29  3:25 ` Tejasree Kondoj
  2021-09-29  3:25 ` [dpdk-dev] [PATCH v2 2/3] common/cnxk: add support for " Tejasree Kondoj
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Tejasree Kondoj @ 2021-09-29  3:25 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau, Declan Doherty
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob,
	Konstantin Ananyev, Ciara Power, Hemant Agrawal, Gagandeep Singh,
	Fan Zhang, Archana Muniganti, dev

Add option to indicate whether UDP encapsulation ports
verification needs to be done as part of inbound
IPsec processing.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
---
 doc/guides/rel_notes/release_21_11.rst | 4 ++++
 lib/security/rte_security.h            | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index f85dc99c8b..8da851cccc 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -185,6 +185,10 @@ ABI Changes
   ``rte_security_ipsec_sa_options`` to indicate whether outer header
   verification need to be done as part of inbound IPsec processing.
 
+* security: A new option ``udp_ports_verify`` was added in structure
+  ``rte_security_ipsec_sa_options`` to indicate whether UDP ports
+  verification need to be done as part of inbound IPsec processing.
+
 * security: A new structure ``rte_security_ipsec_lifetime`` was added to
   replace ``esn_soft_limit`` in IPsec configuration structure
   ``rte_security_ipsec_xform`` to allow applications to configure SA soft
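Review bot: the added release-note entry reads "verification need to be done", which should be "needs to be done", and it does not say what the UDP ports are matched against. Suggest wording along the lines of "to indicate whether the UDP encapsulation source and destination ports are verified as part of inbound IPsec processing", so a reader of the release notes can tell this concerns UDP-encapsulated SAs without opening the header.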
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index a10c9b5f00..ab1a6e1f65 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -223,6 +223,13 @@ struct rte_security_ipsec_sa_options {
 	 *   source and destination IP addresses.
 	 */
 	uint32_t tunnel_hdr_verify : 2;
+
+	/** Verify UDP encapsulation ports in inbound
+	 *
+	 * * 1: Match UDP source and destination ports
+	 * * 0: Do not match UDP ports
+	 */
+	uint32_t udp_ports_verify : 1;
 };
 
 /** IPSec security association direction */
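Review bot: the doc comment on udp_ports_verify does not state what the ports are compared against or what happens to a packet that fails the comparison, and its first line, "Verify UDP encapsulation ports in inbound", stops mid-phrase. Please name the reference values (for example the ports configured for the SA's UDP encapsulation), the outcome on mismatch, and whether the bit is ignored when udp_encap is 0, so that every PMD implements the same semantics.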
-- 
2.27.0



* [dpdk-dev] [PATCH v2 2/3] common/cnxk: add support for UDP ports verification
  2021-09-29  3:25 [dpdk-dev] [PATCH v2 0/3] add option to configure UDP ports verification Tejasree Kondoj
  2021-09-29  3:25 ` [dpdk-dev] [PATCH v2 1/3] security: " Tejasree Kondoj
@ 2021-09-29  3:25 ` Tejasree Kondoj
  2021-09-29  3:25 ` [dpdk-dev] [PATCH v2 3/3] test/crypto: add UDP encapsulation ports verification tests Tejasree Kondoj
  2021-09-29 14:53 ` [dpdk-dev] [PATCH v2 0/3] add option to configure UDP ports verification Akhil Goyal
  3 siblings, 0 replies; 5+ messages in thread
From: Tejasree Kondoj @ 2021-09-29  3:25 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau, Declan Doherty
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob,
	Konstantin Ananyev, Ciara Power, Hemant Agrawal, Gagandeep Singh,
	Fan Zhang, Archana Muniganti, dev

Adding support to verify UDP encapsulation ports
in IPsec inbound.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 drivers/common/cnxk/cnxk_security.c               | 3 +++
 drivers/common/cnxk/roc_ie_ot.h                   | 4 ++--
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 1 +
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index cc5daf333c..13c4f128ae 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -303,6 +303,9 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
 		sa->w10.s.udp_dst_port = 4500;
 	}
 
+	if (ipsec_xfrm->options.udp_ports_verify)
+		sa->w2.s.udp_ports_verify = 1;
+
 	offset = offsetof(struct roc_ot_ipsec_inb_sa, ctx);
 	/* Word offset for HW managed SA field */
 	sa->w0.s.hw_ctx_off = offset / 8;
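Review bot: the new "if (ipsec_xfrm->options.udp_ports_verify)" sits after the closing brace of the block that sets "sa->w10.s.udp_dst_port = 4500", so the verify bit can be set on an SA for which that block did not run and the port fields were never filled in. Either move the assignment inside that block or return an error when udp_ports_verify is requested without the ports being configured. The destination port visible here is the constant 4500; if that is the only value the hardware compares against, a comment saying so would help.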
diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h
index 12c75afac2..e8415cff3c 100644
--- a/drivers/common/cnxk/roc_ie_ot.h
+++ b/drivers/common/cnxk/roc_ie_ot.h
@@ -184,7 +184,7 @@ union roc_ot_ipsec_sa_word2 {
 		uint64_t esn_en : 1;
 		uint64_t tport_l4_incr_csum : 1;
 		uint64_t ip_hdr_verify : 2;
-		uint64_t rsvd5 : 1;
+		uint64_t udp_ports_verify : 1;
 
 		uint64_t rsvd2 : 7;
 		uint64_t async_mode : 1;
@@ -329,7 +329,7 @@ struct roc_ot_ipsec_inb_sa {
 			uint64_t esn_en : 1;
 			uint64_t tport_l4_incr_csum : 1;
 			uint64_t ip_hdr_verify : 2;
-			uint64_t rsvd5 : 1;
+			uint64_t udp_ports_verify : 1;
 
 			uint64_t rsvd6 : 7;
 			uint64_t async_mode : 1;
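Review bot: the rename of rsvd5 to udp_ports_verify is made twice, once in union roc_ot_ipsec_sa_word2 and once in the word layout inside struct roc_ot_ipsec_inb_sa, and nothing in either hunk ties the two copies together or documents the new bit. Please add a one-line comment on the field in both places describing what the hardware does when it is set, and consider whether the struct can reuse the union so the two layouts cannot drift apart.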
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 8a0cf289fd..ba4166c56d 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -921,6 +921,7 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
 		sec_cap->ipsec.options.iv_gen_disable = 1;
 #endif
 	} else {
+		sec_cap->ipsec.options.udp_ports_verify = 1;
 		if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
 			sec_cap->ipsec.options.tunnel_hdr_verify =
 				RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
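Review bot: "sec_cap->ipsec.options.udp_ports_verify = 1" is set for every capability entry that reaches this else branch, while tunnel_hdr_verify directly below it is gated on RTE_SECURITY_IPSEC_SA_MODE_TUNNEL. If ports verification is valid only for some modes, gate it the same way; if it holds for all of them, a short comment would show the asymmetry is intentional.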
-- 
2.27.0



* [dpdk-dev] [PATCH v2 3/3] test/crypto: add UDP encapsulation ports verification tests
  2021-09-29  3:25 [dpdk-dev] [PATCH v2 0/3] add option to configure UDP ports verification Tejasree Kondoj
  2021-09-29  3:25 ` [dpdk-dev] [PATCH v2 1/3] security: " Tejasree Kondoj
  2021-09-29  3:25 ` [dpdk-dev] [PATCH v2 2/3] common/cnxk: add support for " Tejasree Kondoj
@ 2021-09-29  3:25 ` Tejasree Kondoj
  2021-09-29 14:53 ` [dpdk-dev] [PATCH v2 0/3] add option to configure UDP ports verification Akhil Goyal
  3 siblings, 0 replies; 5+ messages in thread
From: Tejasree Kondoj @ 2021-09-29  3:25 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau, Declan Doherty
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob,
	Konstantin Ananyev, Ciara Power, Hemant Agrawal, Gagandeep Singh,
	Fan Zhang, Archana Muniganti, dev

Adding UDP encapsulation ports verification test cases.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                | 17 +++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 11 +++++++++++
 app/test/test_cryptodev_security_ipsec.h |  1 +
 3 files changed, 29 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 665d19c0a4..5f0d023451 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9262,6 +9262,19 @@ test_ipsec_proto_tunnel_dst_addr_verify(const void *data __rte_unused)
 	return test_ipsec_proto_all(&flags);
 }
 
+static int
+test_ipsec_proto_udp_ports_verify(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.udp_encap = true;
+	flags.udp_ports_verify = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
 static int
 test_PDCP_PROTO_all(void)
 {
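Review bot: test_ipsec_proto_udp_ports_verify sets only flags.udp_encap and flags.udp_ports_verify, with no flag that makes the ports mismatch, so as far as this hunk shows only the accept path is covered. For a verification feature the case that matters is the reject path: please add a second test that enables udp_ports_verify, sends a packet whose UDP ports do not match, and expects inbound processing to fail.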
@@ -14194,6 +14207,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"UDP encapsulation",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_udp_encap),
+		TEST_CASE_NAMED_ST(
+			"UDP encapsulation ports verification test",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_udp_ports_verify),
 		TEST_CASE_NAMED_ST(
 			"SA expiry packets soft",
 			ut_setup_security, ut_teardown,
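Review bot: the added case name "UDP encapsulation ports verification test" ends in "test", unlike its neighbours "UDP encapsulation" and "SA expiry packets soft". Suggest "UDP encapsulation ports verification" to keep the suite's naming consistent.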
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index f040630655..764e77bbff 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -36,6 +36,14 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 		return -ENOTSUP;
 	}
 
+	if (ipsec_xform->options.udp_ports_verify == 1 &&
+	    sec_cap->ipsec.options.udp_ports_verify == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "UDP encapsulation ports "
+				"verification is not supported\n");
+		return -ENOTSUP;
+	}
+
 	if (ipsec_xform->options.copy_dscp == 1 &&
 	    sec_cap->ipsec.options.copy_dscp == 0) {
 		if (!silent)
@@ -216,6 +224,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
 		if (flags->udp_encap)
 			td_inb[i].ipsec_xform.options.udp_encap = 1;
 
+		if (flags->udp_ports_verify)
+			td_inb[i].ipsec_xform.options.udp_ports_verify = 1;
+
 		td_inb[i].ipsec_xform.options.tunnel_hdr_verify =
 			flags->tunnel_hdr_verify;
 
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index a65cb54eae..0416005520 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -55,6 +55,7 @@ struct ipsec_test_flags {
 	bool iv_gen;
 	uint32_t tunnel_hdr_verify;
 	bool udp_encap;
+	bool udp_ports_verify;
 };
 
 struct crypto_param {
-- 
2.27.0



* Re: [dpdk-dev] [PATCH v2 0/3] add option to configure UDP ports verification
  2021-09-29  3:25 [dpdk-dev] [PATCH v2 0/3] add option to configure UDP ports verification Tejasree Kondoj
                   ` (2 preceding siblings ...)
  2021-09-29  3:25 ` [dpdk-dev] [PATCH v2 3/3] test/crypto: add UDP encapsulation ports verification tests Tejasree Kondoj
@ 2021-09-29 14:53 ` Akhil Goyal
  3 siblings, 0 replies; 5+ messages in thread
From: Akhil Goyal @ 2021-09-29 14:53 UTC (permalink / raw)
  To: Tejasree Kondoj, Radu Nicolau, Declan Doherty
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi,
	Jerin Jacob Kollanukkaran, Konstantin Ananyev, Ciara Power,
	Hemant Agrawal, Gagandeep Singh, Fan Zhang, Archana Muniganti,
	dev

> Add option to indicate whether UDP encapsulation ports verification
> needs to be done as part of inbound IPsec processing.
> CNXK PMD support and unit tests are also added for the same.
> 
> Depends on
> https://patches.dpdk.org/project/dpdk/list/?series=18755
> 
Series
Acked-by: Akhil Goyal <gakhil@marvell.com>

Applied to dpdk-next-crypto
