* [dpdk-dev] [PATCH 0/3] Add user specified IV with lookaside IPsec
@ 2021-08-16 5:59 Anoob Joseph
2021-08-16 5:59 ` [dpdk-dev] [PATCH 1/3] security: support user specified IV Anoob Joseph
` (3 more replies)
0 siblings, 4 replies; 17+ messages in thread
From: Anoob Joseph @ 2021-08-16 5:59 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, dev
Add support for using user provided IV with lookaside protocol (IPsec). Using
this option, application can provide IV to be used per operation. This
option can be used for known vector tests (which is otherwise impossible
due to random nature of IV) as well as if application wishes to use its
own random generator source.
Depends on
1. http://patches.dpdk.org/project/dpdk/list/?series=18253
Anoob Joseph (2):
security: support user specified IV
test/crypto: add outbound known vector tests
Tejasree Kondoj (1):
crypto/cnxk: add IV in SA in lookaside IPsec debug mode
app/test/test_cryptodev.c | 44 +++++++++++++++++++++++
app/test/test_cryptodev_security_ipsec.c | 16 ++++++++-
drivers/crypto/cnxk/cn10k_ipsec.c | 16 +++++++++
drivers/crypto/cnxk/cn10k_ipsec.h | 2 ++
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 24 +++++++++++++
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 16 ++++++++-
drivers/crypto/cnxk/meson.build | 6 ++++
lib/security/rte_security.h | 14 ++++++++
8 files changed, 136 insertions(+), 2 deletions(-)
--
2.7.4
^ permalink raw reply [flat|nested] 17+ messages in thread
* [dpdk-dev] [PATCH 1/3] security: support user specified IV
2021-08-16 5:59 [dpdk-dev] [PATCH 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
@ 2021-08-16 5:59 ` Anoob Joseph
2021-08-16 5:59 ` [dpdk-dev] [PATCH 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode Anoob Joseph
` (2 subsequent siblings)
3 siblings, 0 replies; 17+ messages in thread
From: Anoob Joseph @ 2021-08-16 5:59 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, dev
Enable user to provide IV to be used per security operation. This
would be used with lookaside protocol offload for comparing
against known vectors.
By default, PMD would generate IV internally and would be random.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
lib/security/rte_security.h | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 88d31de..b4b6776 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -181,6 +181,20 @@ struct rte_security_ipsec_sa_options {
* * 0: Disable per session security statistics collection for this SA.
*/
uint32_t stats : 1;
+
+ /** Disable IV generation in PMD
+ *
+ * * 1: Disable IV generation in PMD. When disabled, IV provided in
+ * rte_crypto_op will be used by the PMD.
+ *
+ * * 0: Enable IV generation in PMD. When enabled, PMD generated random
+ * value would be used and application is not required to provide
+ * IV.
+ *
+ * Note: For inline cases, IV generation would always need to be handled
+ * by the PMD.
+ */
+ uint32_t iv_gen_disable : 1;
};
/** IPSec security association direction */
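Review bot: the comment block introducing `iv_gen_disable` does not say where in `rte_crypto_op` the PMD is expected to read the IV from; the cnxk patch in this series takes it from the crypto xform's `iv.offset`/`iv.length`, so state that here ("the IV located at the offset given by the cipher/AEAD xform's `iv` field") so every PMD that implements the bit agrees with the test application. The text should also make explicit that with the bit set, IV uniqueness per key becomes the application's responsibility (the cover letter mentions using an application random source; for AES-GCM a repeated IV under one key defeats both confidentiality and integrity, so the doc should require a non-repeating, cryptographically strong source and name known-vector testing as the primary use). Finally, adding a bitfield to `struct rte_security_ipsec_sa_options` changes the structure and needs a release-notes entry.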
--
2.7.4
* [dpdk-dev] [PATCH 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode
2021-08-16 5:59 [dpdk-dev] [PATCH 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
2021-08-16 5:59 ` [dpdk-dev] [PATCH 1/3] security: support user specified IV Anoob Joseph
@ 2021-08-16 5:59 ` Anoob Joseph
2021-08-16 5:59 ` [dpdk-dev] [PATCH 3/3] test/crypto: add outbound known vector tests Anoob Joseph
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
3 siblings, 0 replies; 17+ messages in thread
From: Anoob Joseph @ 2021-08-16 5:59 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal,
Radu Nicolau, Ciara Power, dev, Anoob Joseph
From: Tejasree Kondoj <ktejasree@marvell.com>
Adding IV in SA in lookaside IPsec debug mode. It helps
to verify lookaside PMD using known outbound vectors in
lookaside autotest.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
drivers/crypto/cnxk/cn10k_ipsec.c | 16 +++++++++++++++
drivers/crypto/cnxk/cn10k_ipsec.h | 2 ++
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 24 +++++++++++++++++++++++
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 16 ++++++++++++++-
drivers/crypto/cnxk/meson.build | 6 ++++++
5 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 1d567bf..3ce25f2 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -110,6 +110,22 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa);
+#ifdef LA_IPSEC_DEBUG
+ /* Use IV from application in debug mode */
+ if (ipsec_xfrm->options.iv_gen_disable == 1) {
+ out_sa->w2.s.iv_src = ROC_IE_OT_SA_IV_SRC_FROM_SA;
+ if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ sa->iv_offset = crypto_xfrm->aead.iv.offset;
+ sa->iv_length = crypto_xfrm->aead.iv.length;
+ }
+ }
+#else
+ if (ipsec_xfrm->options.iv_gen_disable != 0) {
+ plt_err("Application provided IV not supported");
+ return -ENOTSUP;
+ }
+#endif
+
/* Get Rlen calculation data */
ret = cnxk_ipsec_outb_rlens_get(&rlens, ipsec_xfrm, crypto_xfrm);
if (ret)
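Review bot: in the `#ifdef LA_IPSEC_DEBUG` branch, `sa->iv_offset` and `sa->iv_length` are recorded only when `crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD`, yet `iv_gen_disable == 1` is accepted and `out_sa->w2.s.iv_src` is switched to `ROC_IE_OT_SA_IV_SRC_FROM_SA` for any xform; for a cipher+auth chain `iv_offset` keeps whatever the SA held before (zero if it was cleared), so the datapath copies the IV from the wrong place. Either add an `else` that takes the offset and length from the cipher xform's `iv`, or return `-ENOTSUP` for non-AEAD xforms the way the non-debug branch does. The stored `iv_length` is also never checked against the 8 bytes `ipsec_po_sa_iv_set` copies; validate it here (`sa->iv_length != 8` is an `-EINVAL`) so a vector with an unexpected IV size fails at session creation rather than producing a silently wrong SA.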
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index 668282f..25fc2ee 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -20,6 +20,8 @@ struct cn10k_ipsec_sa {
};
/** Pre-populated CPT inst words */
struct cnxk_cpt_inst_tmpl inst;
+ uint16_t iv_offset;
+ uint8_t iv_length;
uint8_t partial_len;
uint8_t roundup_len;
uint8_t roundup_byte;
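Review bot: `iv_offset` and `iv_length` are only populated under `LA_IPSEC_DEBUG` but are added to `struct cn10k_ipsec_sa` unconditionally, which is fine for layout stability; a one-line comment saying they are debug-only inputs for the application-IV path (and that `iv_length` is not yet consumed by the datapath) would stop a reader from looking for their non-debug users.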
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index 1e9ebb5..1c142d2 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -23,6 +23,25 @@ ipsec_po_out_rlen_get(struct cn10k_ipsec_sa *sess, uint32_t plen)
return sess->partial_len + enc_payload_len;
}
+static inline void
+ipsec_po_sa_iv_set(struct cn10k_ipsec_sa *sess, struct rte_crypto_op *cop)
+{
+ uint8_t *iv = &sess->out_sa.iv.s.iv_dbg1[0];
+ uint32_t *tmp_iv;
+
+ memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset),
+ 4);
+ tmp_iv = (uint32_t *)iv;
+ *tmp_iv = rte_be_to_cpu_32(*tmp_iv);
+
+ iv = &sess->out_sa.iv.s.iv_dbg2[0];
+ memcpy(iv,
+ rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset + 4),
+ 4);
+ tmp_iv = (uint32_t *)iv;
+ *tmp_iv = rte_be_to_cpu_32(*tmp_iv);
+}
+
static __rte_always_inline int
process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
struct cpt_inst_s *inst)
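Review bot: `ipsec_po_sa_iv_set` writes into `sess->out_sa` for every op; that is the hardware-consumed SA (the same structure whose `w2.s.iv_src` this series programs), so an op enqueued while a previous op on the same session is still in flight can have its IV overwritten before the engine reads it, and two lcores sharing a session would race on the same words. If that restriction (one outstanding op per SA, single queue) is acceptable for a debug path, say so in a comment above the function. Separately, `tmp_iv = (uint32_t *)iv; *tmp_iv = rte_be_to_cpu_32(*tmp_iv);` type-puns a `uint8_t` array inside the SA as a `uint32_t`; load the 4 bytes into a local with `memcpy`, convert with `rte_be_to_cpu_32`, and store the converted word back, which avoids the alignment and aliasing question. The two hard-coded `4`s also fix the IV at 8 bytes without consulting the `sess->iv_length` this patch adds.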
@@ -43,6 +62,11 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
return -ENOMEM;
}
+#ifdef LA_IPSEC_DEBUG
+ if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA)
+ ipsec_po_sa_iv_set(sess, cop);
+#endif
+
/* Prepare CPT instruction */
inst->w4.u64 = sess->inst.w4;
inst->w4.s.dlen = dlen;
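Review bot: the per-op guard `sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA` reads a field of the hardware SA on the fast path for every packet in debug builds; a software flag in `struct cn10k_ipsec_sa` next to `iv_offset` (set once in `cn10k_ipsec_outb_sa_create`) would keep the datapath from touching the DMA-shared structure just to test a mode bit and makes the intent visible without knowing the SA word layout.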
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index ab37f9c..8ec1e9d 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -776,7 +776,21 @@ static const struct rte_security_capability sec_caps_templ[] = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
- .options = { 0 }
+ .options = {
+ .esn = 0,
+ .udp_encap = 0,
+ .copy_dscp = 0,
+ .copy_flabel = 0,
+ .copy_df = 0,
+ .dec_ttl = 0,
+ .ecn = 0,
+ .stats = 0,
+#ifdef LA_IPSEC_DEBUG
+ .iv_gen_disable = 1,
+#else
+ .iv_gen_disable = 0,
+#endif
+ }
},
.crypto_capabilities = NULL,
.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
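Review bot: the replacement `.options = { ... }` initializer lists every member as `0` only to set `.iv_gen_disable` under `#ifdef LA_IPSEC_DEBUG`; designated initializers zero the members you leave out, so `.options = { .iv_gen_disable = 1 }` inside the `#ifdef` and `.options = { 0 }` in the `#else` is equivalent, shorter, and will not go stale when further options are added to `struct rte_security_ipsec_sa_options`.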
diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build
index c56d6cf..1694e05 100644
--- a/drivers/crypto/cnxk/meson.build
+++ b/drivers/crypto/cnxk/meson.build
@@ -23,3 +23,9 @@ sources = files(
deps += ['bus_pci', 'common_cnxk', 'security']
includes += include_directories('../../../lib/net')
+
+if get_option('buildtype').contains('debug')
+ cflags += [ '-DLA_IPSEC_DEBUG' ]
+else
+ cflags += [ '-ULA_IPSEC_DEBUG' ]
+endif
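Review bot: `get_option('buildtype').contains('debug')` matches both the `debug` and `debugoptimized` build types, so `debugoptimized` builds will also compile the application-IV path and advertise `iv_gen_disable`; if only `debug` is intended, compare with `== 'debug'`. The `-ULA_IPSEC_DEBUG` in the `else` branch is a no-op (nothing else defines the macro) and can be dropped. More generally, tying a change in the capabilities the PMD advertises to the build type is surprising for users; a dedicated meson option documented in the cnxk crypto guide would make the switch discoverable.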
--
2.7.4
* [dpdk-dev] [PATCH 3/3] test/crypto: add outbound known vector tests
2021-08-16 5:59 [dpdk-dev] [PATCH 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
2021-08-16 5:59 ` [dpdk-dev] [PATCH 1/3] security: support user specified IV Anoob Joseph
2021-08-16 5:59 ` [dpdk-dev] [PATCH 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode Anoob Joseph
@ 2021-08-16 5:59 ` Anoob Joseph
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
3 siblings, 0 replies; 17+ messages in thread
From: Anoob Joseph @ 2021-08-16 5:59 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, dev
Add outbound known vector tests. The tests would be skipped on PMDs
which do not support IV provided by application.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
app/test/test_cryptodev.c | 44 ++++++++++++++++++++++++++++++++
app/test/test_cryptodev_security_ipsec.c | 16 +++++++++++-
2 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 71e6c1a..dfc49e0 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -8975,6 +8975,22 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
ut_params->op->sym->m_src = ut_params->ibuf;
ut_params->op->sym->m_dst = NULL;
+ /* Copy IV in crypto operation when IV generation is disabled */
+ if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+ ipsec_xform.options.iv_gen_disable == 1) {
+ uint8_t *iv = rte_crypto_op_ctod_offset(ut_params->op,
+ uint8_t *,
+ IV_OFFSET);
+ int len;
+
+ if (td[i].aead)
+ len = td[i].xform.aead.aead.iv.length;
+ else
+ len = td[i].xform.chain.cipher.cipher.iv.length;
+
+ memcpy(iv, td[i].iv.data, len);
+ }
+
/* Process crypto operation */
process_crypto_request(dev_id, ut_params->op);
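Review bot: the IV is always written at `IV_OFFSET`, whereas the PMD reads it from the xform's `iv.offset`; that agrees only because the vectors set the xform offset to `IV_OFFSET`. Use `td[i].xform.aead.aead.iv.offset` (resp. `td[i].xform.chain.cipher.cipher.iv.offset`) as the destination offset so the test can never diverge from what the PMD is told, and bound `len` by the size of `td[i].iv`'s buffer before the `memcpy`.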
@@ -9012,6 +9028,22 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
}
static int
+test_ipsec_proto_known_vec(const void *test_data)
+{
+ struct ipsec_test_data td_outb;
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ memcpy(&td_outb, test_data, sizeof(td_outb));
+
+ /* Disable IV gen to be able to test with known vectors */
+ td_outb.ipsec_xform.options.iv_gen_disable = 1;
+
+ return test_ipsec_proto_process(&td_outb, NULL, 1, false, &flags);
+}
+
+static int
test_ipsec_proto_known_vec_inb(const void *td_outb)
{
struct ipsec_test_flags flags;
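Review bot: `test_ipsec_proto_known_vec` copies the whole `struct ipsec_test_data` with `memcpy` only to set one bit; `struct ipsec_test_data td_outb = *(const struct ipsec_test_data *)test_data;` does the same with type checking. Passing a zeroed `flags` is right here: it lets `test_ipsec_sec_caps_verify` return `-ENOTSUP` on PMDs that do not advertise `iv_gen_disable`, which is what the commit message promises.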
@@ -14003,6 +14035,18 @@ static struct unit_test_suite ipsec_proto_testsuite = {
.setup = ipsec_proto_testsuite_setup,
.unit_test_cases = {
TEST_CASE_NAMED_WITH_DATA(
+ "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 128)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_known_vec, &pkt_aes_128_gcm),
+ TEST_CASE_NAMED_WITH_DATA(
+ "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 192)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_known_vec, &pkt_aes_192_gcm),
+ TEST_CASE_NAMED_WITH_DATA(
+ "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_known_vec, &pkt_aes_256_gcm),
+ TEST_CASE_NAMED_WITH_DATA(
"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)",
ut_setup_security, ut_teardown,
test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 78c7f3a..a0b37e7 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -76,6 +76,15 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
return -ENOTSUP;
}
+ if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) &&
+ (ipsec_xform->options.iv_gen_disable == 1) &&
+ (sec_cap->ipsec.options.iv_gen_disable != 1)) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Application provided IV is not supported\n");
+ return -ENOTSUP;
+ }
+
return 0;
}
@@ -160,9 +169,11 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
td->xform.aead.aead.algo = param1->alg.aead;
td->xform.aead.aead.key.length = param1->key_length;
+
+ if (flags->iv_gen)
+ td->ipsec_xform.options.iv_gen_disable = 0;
}
- RTE_SET_USED(flags);
RTE_SET_USED(param2);
}
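Review bot: `if (flags->iv_gen) td->ipsec_xform.options.iv_gen_disable = 0;` sits inside the AEAD-specific block (right after the `td->xform.aead.aead.*` assignments), so a cipher/auth template prepared with `flags->iv_gen` is not touched; and since 0 is already the default for a freshly prepared `td`, the assignment only has an effect when the template vector carries `iv_gen_disable = 1`. Move it out of the AEAD block (where `RTE_SET_USED(flags)` was) and either write the intent as `iv_gen_disable = !flags->iv_gen` or comment that templates may come with the bit set.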
@@ -183,6 +194,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
int icv_pos = td_inb[i].input_text.len - 4;
td_inb[i].input_text.data[icv_pos] += 1;
}
+
+ /* Clear outbound specific flags */
+ td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
}
}
--
2.7.4
* [dpdk-dev] [PATCH v2 0/3] Add user specified IV with lookaside IPsec
2021-08-16 5:59 [dpdk-dev] [PATCH 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
` (2 preceding siblings ...)
2021-08-16 5:59 ` [dpdk-dev] [PATCH 3/3] test/crypto: add outbound known vector tests Anoob Joseph
@ 2021-09-06 14:58 ` Anoob Joseph
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 1/3] security: support user specified IV Anoob Joseph
` (3 more replies)
3 siblings, 4 replies; 17+ messages in thread
From: Anoob Joseph @ 2021-09-06 14:58 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add support for using user provided IV with lookaside protocol (IPsec). Using
this option, application can provide IV to be used per operation. This
option can be used for known vector tests (which is otherwise impossible
due to random nature of IV) as well as if application wishes to use its
own random generator source.
Depends on
http://patches.dpdk.org/project/dpdk/list/?series=18642
Changes in v2:
- Updated crypto/cnxk patch to handle non-aes-gcm cases
- Rebased on v3 of lookaside IPsec tests
Anoob Joseph (2):
security: support user specified IV
test/crypto: add outbound known vector tests
Tejasree Kondoj (1):
crypto/cnxk: add IV in SA in lookaside IPsec debug mode
app/test/test_cryptodev.c | 44 +++++++++++++++++++++++
app/test/test_cryptodev_security_ipsec.c | 16 ++++++++-
doc/guides/rel_notes/release_21_11.rst | 5 +++
drivers/crypto/cnxk/cn10k_ipsec.c | 16 +++++++++
drivers/crypto/cnxk/cn10k_ipsec.h | 2 ++
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 44 +++++++++++++++++++++++
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 29 +++++++++++++--
drivers/crypto/cnxk/meson.build | 6 ++++
lib/security/rte_security.h | 14 ++++++++
9 files changed, 173 insertions(+), 3 deletions(-)
--
2.7.4
* [dpdk-dev] [PATCH v2 1/3] security: support user specified IV
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
@ 2021-09-06 14:58 ` Anoob Joseph
2021-09-06 19:07 ` Akhil Goyal
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode Anoob Joseph
` (2 subsequent siblings)
3 siblings, 1 reply; 17+ messages in thread
From: Anoob Joseph @ 2021-09-06 14:58 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Enable user to provide IV to be used per security operation. This
would be used with lookaside protocol offload for comparing
against known vectors.
By default, PMD would generate IV internally and would be random.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
doc/guides/rel_notes/release_21_11.rst | 5 +++++
lib/security/rte_security.h | 14 ++++++++++++++
2 files changed, 19 insertions(+)
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 83da727..a1813bd 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -105,6 +105,11 @@ API Changes
Also, make sure to start the actual text at the margin.
=======================================================
+* security: add IPsec SA option to disable IV generation
+
+ * Added IPsec SA option to disable IV generation to allow known vector
+ tests as well as usage of application provided IV on supported PMDs.
+
ABI Changes
-----------
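Review bot: the entry is added under "API Changes", but adding a bitfield to `struct rte_security_ipsec_sa_options` alters the structure's layout and is an ABI change; it belongs under the "ABI Changes" heading that follows this hunk.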
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 88d31de..b4b6776 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -181,6 +181,20 @@ struct rte_security_ipsec_sa_options {
* * 0: Disable per session security statistics collection for this SA.
*/
uint32_t stats : 1;
+
+ /** Disable IV generation in PMD
+ *
+ * * 1: Disable IV generation in PMD. When disabled, IV provided in
+ * rte_crypto_op will be used by the PMD.
+ *
+ * * 0: Enable IV generation in PMD. When enabled, PMD generated random
+ * value would be used and application is not required to provide
+ * IV.
+ *
+ * Note: For inline cases, IV generation would always need to be handled
+ * by the PMD.
+ */
+ uint32_t iv_gen_disable : 1;
};
/** IPSec security association direction */
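Review bot: unchanged from v1, so the open points stand: the doc should name the source of the IV (the offset given by the xform's `iv` field) and the error an application should expect when it sets the bit on a PMD that cannot honour it (the cnxk patch fails session creation with `-ENOTSUP`; document that as the contract so applications can fall back to PMD-generated IVs).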
--
2.7.4
* [dpdk-dev] [PATCH v2 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 1/3] security: support user specified IV Anoob Joseph
@ 2021-09-06 14:58 ` Anoob Joseph
2021-09-06 19:08 ` Akhil Goyal
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 3/3] test/crypto: add outbound known vector tests Anoob Joseph
2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
3 siblings, 1 reply; 17+ messages in thread
From: Anoob Joseph @ 2021-09-06 14:58 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal,
Radu Nicolau, Ciara Power, Gagandeep Singh, dev, Anoob Joseph
From: Tejasree Kondoj <ktejasree@marvell.com>
Adding IV in SA in lookaside IPsec debug mode. It helps
to verify lookaside PMD using known outbound vectors in
lookaside autotest.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
drivers/crypto/cnxk/cn10k_ipsec.c | 16 +++++++++
drivers/crypto/cnxk/cn10k_ipsec.h | 2 ++
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 44 +++++++++++++++++++++++
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 29 +++++++++++++--
drivers/crypto/cnxk/meson.build | 6 ++++
5 files changed, 95 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 5c57cf2..ebb2a7e 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -57,6 +57,22 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa);
+#ifdef LA_IPSEC_DEBUG
+ /* Use IV from application in debug mode */
+ if (ipsec_xfrm->options.iv_gen_disable == 1) {
+ out_sa->w2.s.iv_src = ROC_IE_OT_SA_IV_SRC_FROM_SA;
+ if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ sa->iv_offset = crypto_xfrm->aead.iv.offset;
+ sa->iv_length = crypto_xfrm->aead.iv.length;
+ }
+ }
+#else
+ if (ipsec_xfrm->options.iv_gen_disable != 0) {
+ plt_err("Application provided IV not supported");
+ return -ENOTSUP;
+ }
+#endif
+
/* Get Rlen calculation data */
ret = cnxk_ipsec_outb_rlens_get(&rlens, ipsec_xfrm, crypto_xfrm);
if (ret)
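Review bot: v2 adds a non-AES-GCM datapath (`ipsec_po_sa_iv_set`) but this hunk is unchanged from v1: `sa->iv_offset`/`sa->iv_length` are still recorded only for `RTE_CRYPTO_SYM_XFORM_AEAD`, so for a cipher+auth chain the 16-byte copy in `ipsec_po_sa_iv_set` reads from `iv_offset == 0` rather than from the cipher xform's `iv.offset`. Add the cipher branch here (offset and length from the chain's cipher xform) and validate the length the datapath will copy (8 for the GCM path, 16 for the other), returning `-EINVAL` otherwise.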
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index bc52c60..6f974b7 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -21,6 +21,8 @@ struct cn10k_ipsec_sa {
/** Pre-populated CPT inst words */
struct cnxk_cpt_inst_tmpl inst;
uint16_t max_extended_len;
+ uint16_t iv_offset;
+ uint8_t iv_length;
};
struct cn10k_sec_session {
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index fe91638..862476a 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -12,6 +12,41 @@
#include "cn10k_ipsec.h"
#include "cnxk_cryptodev.h"
+static inline void
+ipsec_po_sa_iv_set(struct cn10k_ipsec_sa *sess, struct rte_crypto_op *cop)
+{
+ uint64_t *iv = &sess->out_sa.iv.u64[0];
+ uint64_t *tmp_iv;
+
+ memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset),
+ 16);
+ tmp_iv = (uint64_t *)iv;
+ *tmp_iv = rte_be_to_cpu_64(*tmp_iv);
+
+ tmp_iv = (uint64_t *)(iv + 1);
+ *tmp_iv = rte_be_to_cpu_64(*tmp_iv);
+}
+
+static inline void
+ipsec_po_sa_aes_gcm_iv_set(struct cn10k_ipsec_sa *sess,
+ struct rte_crypto_op *cop)
+{
+ uint8_t *iv = &sess->out_sa.iv.s.iv_dbg1[0];
+ uint32_t *tmp_iv;
+
+ memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset),
+ 4);
+ tmp_iv = (uint32_t *)iv;
+ *tmp_iv = rte_be_to_cpu_32(*tmp_iv);
+
+ iv = &sess->out_sa.iv.s.iv_dbg2[0];
+ memcpy(iv,
+ rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset + 4),
+ 4);
+ tmp_iv = (uint32_t *)iv;
+ *tmp_iv = rte_be_to_cpu_32(*tmp_iv);
+}
+
static __rte_always_inline int
process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
struct cpt_inst_s *inst)
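Review bot: in `ipsec_po_sa_iv_set`, `iv` already has type `uint64_t *`, so `tmp_iv = (uint64_t *)iv` is a no-op cast and `tmp_iv = (uint64_t *)(iv + 1)` is just `iv + 1`; the whole body reduces to two `memcpy`-into-local plus `rte_be_to_cpu_64` steps. The copy length of 16 is hard-coded and `sess->iv_length` is still never consulted, so a cipher with a shorter IV reads past the application's IV into unrelated op data. A short comment explaining why the GCM path fills the split `iv_dbg1`/`iv_dbg2` words while the other path fills `iv.u64[0..1]` would also help the next reader. The per-op write into the hardware-consumed SA raised against v1 remains.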
@@ -24,6 +59,15 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
return -ENOMEM;
}
+#ifdef LA_IPSEC_DEBUG
+ if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) {
+ if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM)
+ ipsec_po_sa_aes_gcm_iv_set(sess, cop);
+ else
+ ipsec_po_sa_iv_set(sess, cop);
+ }
+#endif
+
/* Prepare CPT instruction */
inst->w4.u64 = sess->inst.w4;
inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src);
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index c4f7824..4b97639 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -807,7 +807,7 @@ static const struct rte_security_capability sec_caps_templ[] = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
- .options = { 0 }
+ .options = { 0 },
},
.crypto_capabilities = NULL,
},
@@ -818,7 +818,7 @@ static const struct rte_security_capability sec_caps_templ[] = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
- .options = { 0 }
+ .options = { 0 },
},
.crypto_capabilities = NULL,
},
@@ -913,6 +913,24 @@ cnxk_sec_caps_update(struct rte_security_capability *sec_cap)
sec_cap->ipsec.options.udp_encap = 1;
}
+static void
+cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
+{
+ if (sec_cap->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+#ifdef LA_IPSEC_DEBUG
+ sec_cap->ipsec.options.iv_gen_disable = 1;
+#endif
+ }
+}
+
+static void
+cn9k_sec_caps_update(struct rte_security_capability *sec_cap)
+{
+ if (sec_cap->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+ sec_cap->ipsec.options.iv_gen_disable = 1;
+ }
+}
+
void
cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf)
{
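Review bot: `cn9k_sec_caps_update` advertises `iv_gen_disable = 1` for every egress capability unconditionally, yet no cn9k datapath file is touched by this series; unless cn9k already consumes the op IV for lookaside IPsec (in which case the commit message should say so), a cn9k user who sets the bit gets a session that claims application-IV support and ignores it, which is precisely the mismatch the capability check in the test patch exists to catch. Either drop the cn9k hook or gate it on a real implementation as cn10k is gated on `LA_IPSEC_DEBUG`. Minor: the braces around the single statement in `cn9k_sec_caps_update` are unnecessary.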
@@ -928,6 +946,13 @@ cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf)
vf->sec_caps[i].crypto_capabilities = vf->sec_crypto_caps;
cnxk_sec_caps_update(&vf->sec_caps[i]);
+
+ if (roc_model_is_cn10k())
+ cn10k_sec_caps_update(&vf->sec_caps[i]);
+
+ if (roc_model_is_cn9k())
+ cn9k_sec_caps_update(&vf->sec_caps[i]);
+
}
}
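Review bot: stray blank line (a `+` with nothing after it) right before the loop's closing `}`. Also, `roc_model_is_cn10k()` and `roc_model_is_cn9k()` are evaluated once per capability entry inside the loop; the model does not change between iterations, so hoist the check and call the matching update function from a single branch.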
diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build
index e40d132..437d208 100644
--- a/drivers/crypto/cnxk/meson.build
+++ b/drivers/crypto/cnxk/meson.build
@@ -24,3 +24,9 @@ sources = files(
deps += ['bus_pci', 'common_cnxk', 'security', 'eventdev']
includes += include_directories('../../../lib/net')
+
+if get_option('buildtype').contains('debug')
+ cflags += [ '-DLA_IPSEC_DEBUG' ]
+else
+ cflags += [ '-ULA_IPSEC_DEBUG' ]
+endif
--
2.7.4
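The application-IV path that the cnxk patch above enables under LA_IPSEC_DEBUG, modelled in host C as an added example (not code from this series or from DPDK): the application places the IV in the op's private area at the xform's IV offset, and the PMD copies it into two big-endian 32-bit words of the SA before enqueue. The model adds the checks a reviewer would want in that path: a bounds check of offset plus length against the op, a byte-wise big-endian load instead of a pointer cast, and a refusal to reuse the previous IV on the same SA, since a repeated AES-GCM IV under one key breaks both confidentiality and integrity. All names here (`example_sa`, `op_iv_copy_into_sa`, `OP_PRIV_SIZE`, `IV_SRC_FROM_SA`) are hypothetical and the op contents are constructed.

```c
/*
 * Added example, not code from this series or from DPDK.  Models the
 * "IV from SA" path: the IV sits in the op's private area at iv_offset and
 * is copied into two host-order words (the way rte_be_to_cpu_32 would
 * produce them).  Names are hypothetical; the op buffer is constructed.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OP_PRIV_SIZE 64 /* constructed: size of the per-op private area */
#define GCM_IV_LEN 8    /* ESP AES-GCM IV length (RFC 4106), as the patch copies */

enum iv_src { IV_SRC_PMD = 0, IV_SRC_FROM_SA = 1 };

struct example_sa {
	enum iv_src iv_src;
	uint16_t iv_offset;          /* like cn10k_ipsec_sa::iv_offset */
	uint8_t iv_length;           /* like cn10k_ipsec_sa::iv_length */
	uint32_t iv_dbg1;            /* host-order copies of the two IV words */
	uint32_t iv_dbg2;
	uint8_t last_iv[GCM_IV_LEN]; /* nonce-reuse guard, example-only */
	int have_last_iv;
};

/* Big-endian load done byte-wise: no pointer cast, so the alignment of the
 * op buffer does not matter and there is no strict-aliasing question. */
static uint32_t load_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Copy the application IV from the op private area into the SA words.
 * Returns 0 on success, -EINVAL when the recorded offset/length do not fit
 * the op, and -EPERM when the IV repeats the previous one on this SA.
 */
int op_iv_copy_into_sa(struct example_sa *sa, const uint8_t *op_priv,
		       size_t op_priv_len)
{
	const uint8_t *iv;

	if (sa->iv_src != IV_SRC_FROM_SA)
		return 0; /* PMD generates the IV; nothing to copy */
	if (sa->iv_length != GCM_IV_LEN)
		return -EINVAL;
	if ((size_t)sa->iv_offset + sa->iv_length > op_priv_len)
		return -EINVAL;

	iv = op_priv + sa->iv_offset;
	if (sa->have_last_iv && memcmp(iv, sa->last_iv, GCM_IV_LEN) == 0)
		return -EPERM; /* same IV under the same SA: refuse */

	sa->iv_dbg1 = load_be32(iv);
	sa->iv_dbg2 = load_be32(iv + 4);
	memcpy(sa->last_iv, iv, GCM_IV_LEN);
	sa->have_last_iv = 1;
	return 0;
}

/* Builds a constructed op private area with the IV placed at 'offset'. */
void build_op_priv(uint8_t *op_priv, uint16_t offset,
		   const uint8_t iv[GCM_IV_LEN])
{
	memset(op_priv, 0xAA, OP_PRIV_SIZE); /* filler around the IV */
	memcpy(op_priv + offset, iv, GCM_IV_LEN);
}

int main(void)
{
	static const uint8_t iv[GCM_IV_LEN] = {0x11, 0x22, 0x33, 0x44,
					       0x55, 0x66, 0x77, 0x88};
	uint8_t op_priv[OP_PRIV_SIZE];
	struct example_sa sa = {.iv_src = IV_SRC_FROM_SA, .iv_offset = 16,
				.iv_length = GCM_IV_LEN};
	int rc;

	build_op_priv(op_priv, 16, iv);
	rc = op_iv_copy_into_sa(&sa, op_priv, sizeof(op_priv));
	printf("first op: rc=%d iv_dbg1=%08x iv_dbg2=%08x\n", rc, sa.iv_dbg1,
	       sa.iv_dbg2);
	rc = op_iv_copy_into_sa(&sa, op_priv, sizeof(op_priv));
	printf("same IV again: rc=%d (expected -EPERM)\n", rc);
	return 0;
}
```

The reuse guard keeps only the last IV, which is enough to catch the common test-harness mistake of enqueuing the same prepared op twice; a production SA would instead derive the IV from a counter so that reuse cannot occur at all.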
* [dpdk-dev] [PATCH v2 3/3] test/crypto: add outbound known vector tests
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 1/3] security: support user specified IV Anoob Joseph
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode Anoob Joseph
@ 2021-09-06 14:58 ` Anoob Joseph
2021-09-06 19:09 ` Akhil Goyal
2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
3 siblings, 1 reply; 17+ messages in thread
From: Anoob Joseph @ 2021-09-06 14:58 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add outbound known vector tests. The tests would be skipped on PMDs
which do not support IV provided by application.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
app/test/test_cryptodev.c | 44 ++++++++++++++++++++++++++++++++
app/test/test_cryptodev_security_ipsec.c | 16 +++++++++++-
2 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index b7c5270..1024f93 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -8978,6 +8978,22 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
ut_params->op->sym->m_src = ut_params->ibuf;
ut_params->op->sym->m_dst = NULL;
+ /* Copy IV in crypto operation when IV generation is disabled */
+ if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+ ipsec_xform.options.iv_gen_disable == 1) {
+ uint8_t *iv = rte_crypto_op_ctod_offset(ut_params->op,
+ uint8_t *,
+ IV_OFFSET);
+ int len;
+
+ if (td[i].aead)
+ len = td[i].xform.aead.aead.iv.length;
+ else
+ len = td[i].xform.chain.cipher.cipher.iv.length;
+
+ memcpy(iv, td[i].iv.data, len);
+ }
+
/* Process crypto operation */
process_crypto_request(dev_id, ut_params->op);
@@ -9015,6 +9031,22 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
}
static int
+test_ipsec_proto_known_vec(const void *test_data)
+{
+ struct ipsec_test_data td_outb;
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ memcpy(&td_outb, test_data, sizeof(td_outb));
+
+ /* Disable IV gen to be able to test with known vectors */
+ td_outb.ipsec_xform.options.iv_gen_disable = 1;
+
+ return test_ipsec_proto_process(&td_outb, NULL, 1, false, &flags);
+}
+
+static int
test_ipsec_proto_known_vec_inb(const void *td_outb)
{
struct ipsec_test_flags flags;
@@ -14018,6 +14050,18 @@ static struct unit_test_suite ipsec_proto_testsuite = {
.setup = ipsec_proto_testsuite_setup,
.unit_test_cases = {
TEST_CASE_NAMED_WITH_DATA(
+ "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 128)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_known_vec, &pkt_aes_128_gcm),
+ TEST_CASE_NAMED_WITH_DATA(
+ "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 192)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_known_vec, &pkt_aes_192_gcm),
+ TEST_CASE_NAMED_WITH_DATA(
+ "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_known_vec, &pkt_aes_256_gcm),
+ TEST_CASE_NAMED_WITH_DATA(
"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)",
ut_setup_security, ut_teardown,
test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 5b54996..f371b15 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -77,6 +77,15 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
return -ENOTSUP;
}
+ if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) &&
+ (ipsec_xform->options.iv_gen_disable == 1) &&
+ (sec_cap->ipsec.options.iv_gen_disable != 1)) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Application provided IV is not supported\n");
+ return -ENOTSUP;
+ }
+
return 0;
}
@@ -161,9 +170,11 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
td->xform.aead.aead.algo = param1->alg.aead;
td->xform.aead.aead.key.length = param1->key_length;
+
+ if (flags->iv_gen)
+ td->ipsec_xform.options.iv_gen_disable = 0;
}
- RTE_SET_USED(flags);
RTE_SET_USED(param2);
}
@@ -187,6 +198,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
if (flags->udp_encap)
td_inb[i].ipsec_xform.options.udp_encap = 1;
+
+ /* Clear outbound specific flags */
+ td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
}
}
--
2.7.4
* Re: [dpdk-dev] [PATCH v2 1/3] security: support user specified IV
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 1/3] security: support user specified IV Anoob Joseph
@ 2021-09-06 19:07 ` Akhil Goyal
0 siblings, 0 replies; 17+ messages in thread
From: Akhil Goyal @ 2021-09-06 19:07 UTC (permalink / raw)
To: Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob Kollanukkaran, Archana Muniganti,
Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power,
Gagandeep Singh, dev
> Enable user to provide IV to be used per security operation. This
> would be used with lookaside protocol offload for comparing
> against known vectors.
>
> By default, PMD would generate IV internally and would be random.
>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>
* Re: [dpdk-dev] [PATCH v2 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode Anoob Joseph
@ 2021-09-06 19:08 ` Akhil Goyal
0 siblings, 0 replies; 17+ messages in thread
From: Akhil Goyal @ 2021-09-06 19:08 UTC (permalink / raw)
To: Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Tejasree Kondoj, Jerin Jacob Kollanukkaran, Archana Muniganti,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev,
Anoob Joseph
> From: Tejasree Kondoj <ktejasree@marvell.com>
>
> Adding IV in SA in lookaside IPsec debug mode. It helps
> to verify lookaside PMD using known outbound vectors in
> lookaside autotest.
>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
* Re: [dpdk-dev] [PATCH v2 3/3] test/crypto: add outbound known vector tests
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 3/3] test/crypto: add outbound known vector tests Anoob Joseph
@ 2021-09-06 19:09 ` Akhil Goyal
0 siblings, 0 replies; 17+ messages in thread
From: Akhil Goyal @ 2021-09-06 19:09 UTC (permalink / raw)
To: Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob Kollanukkaran, Archana Muniganti,
Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power,
Gagandeep Singh, dev
> Add outbound known vector tests. The tests would be skipped on PMDs
> which do not support IV provided by application.
>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>
* [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
` (2 preceding siblings ...)
2021-09-06 14:58 ` [dpdk-dev] [PATCH v2 3/3] test/crypto: add outbound known vector tests Anoob Joseph
@ 2021-09-07 16:17 ` Anoob Joseph
2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 1/3] security: support user specified IV Anoob Joseph
` (3 more replies)
3 siblings, 4 replies; 17+ messages in thread
From: Anoob Joseph @ 2021-09-07 16:17 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add support for using user provided IV with lookaside protocol (IPsec). Using
this option, application can provide IV to be used per operation. This
option can be used for known vector tests (which is otherwise impossible
due to random nature of IV) as well as if application wishes to use its
own random generator source.
Depends on
http://patches.dpdk.org/project/dpdk/list/?series=18642
Changes in v3:
- Moved release notes update to ABI section instead of API section
Changes in v2:
- Updated crypto/cnxk patch to handle non-aes-gcm cases
- Rebased on v3 of lookaside IPsec tests
Anoob Joseph (2):
security: support user specified IV
test/crypto: add outbound known vector tests
Tejasree Kondoj (1):
crypto/cnxk: add IV in SA in lookaside IPsec debug mode
app/test/test_cryptodev.c | 44 +++++++++++++++++++++++
app/test/test_cryptodev_security_ipsec.c | 16 ++++++++-
doc/guides/rel_notes/release_21_11.rst | 5 +++
drivers/crypto/cnxk/cn10k_ipsec.c | 16 +++++++++
drivers/crypto/cnxk/cn10k_ipsec.h | 2 ++
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 44 +++++++++++++++++++++++
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 29 +++++++++++++--
drivers/crypto/cnxk/meson.build | 6 ++++
lib/security/rte_security.h | 14 ++++++++
9 files changed, 173 insertions(+), 3 deletions(-)
--
2.7.4
* [dpdk-dev] [PATCH v3 1/3] security: support user specified IV
2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
@ 2021-09-07 16:17 ` Anoob Joseph
2021-09-16 11:14 ` Ananyev, Konstantin
2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode Anoob Joseph
` (2 subsequent siblings)
3 siblings, 1 reply; 17+ messages in thread
From: Anoob Joseph @ 2021-09-07 16:17 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Enable user to provide IV to be used per security operation. This
would be used with lookaside protocol offload for comparing
against known vectors.
By default, PMD would generate IV internally and would be random.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
---
doc/guides/rel_notes/release_21_11.rst | 5 +++++
lib/security/rte_security.h | 14 ++++++++++++++
2 files changed, 19 insertions(+)
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 411fa95..9b14c84 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -118,6 +118,11 @@ ABI Changes
Also, make sure to start the actual text at the margin.
=======================================================
+* security: add IPsec SA option to disable IV generation
+
+ * Added IPsec SA option to disable IV generation to allow known vector
+ tests as well as usage of application provided IV on supported PMDs.
+
Known Issues
------------
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 88d31de..b4b6776 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -181,6 +181,20 @@ struct rte_security_ipsec_sa_options {
* * 0: Disable per session security statistics collection for this SA.
*/
uint32_t stats : 1;
+
+ /** Disable IV generation in PMD
+ *
+ * * 1: Disable IV generation in PMD. When disabled, IV provided in
+ * rte_crypto_op will be used by the PMD.
+ *
+ * * 0: Enable IV generation in PMD. When enabled, PMD generated random
+ * value would be used and application is not required to provide
+ * IV.
+ *
+ * Note: For inline cases, IV generation would always need to be handled
+ * by the PMD.
+ */
+ uint32_t iv_gen_disable : 1;
};
/** IPSec security association direction */
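Review bot: the doc comment on iv_gen_disable says the IV "provided in rte_crypto_op will be used" but does not say where the PMD is expected to find it; the cnxk implementation in 2/3 reads it at crypto_xfrm->aead.iv.offset for crypto_xfrm->aead.iv.length bytes, so the comment should state that the IV location and length are those of the cipher/AEAD transform's iv field. The "Note: For inline cases" sentence would be clearer as a requirement: PMDs must not advertise this option for inline sessions and should fail session creation when it is set on one. Since disabling generation makes the application responsible for IV uniqueness, and the test vectors here are AES-GCM where a repeated IV under one key is fatal, the comment should also say what the cover letter says: this is for known-vector testing or for an application that supplies its own properly seeded random source.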
--
2.7.4
* [dpdk-dev] [PATCH v3 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode
2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 1/3] security: support user specified IV Anoob Joseph
@ 2021-09-07 16:17 ` Anoob Joseph
2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 3/3] test/crypto: add outbound known vector tests Anoob Joseph
2021-09-28 8:32 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Akhil Goyal
3 siblings, 0 replies; 17+ messages in thread
From: Anoob Joseph @ 2021-09-07 16:17 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal,
Radu Nicolau, Ciara Power, Gagandeep Singh, dev, Anoob Joseph
From: Tejasree Kondoj <ktejasree@marvell.com>
Adding IV in SA in lookaside IPsec debug mode. It helps
to verify lookaside PMD using known outbound vectors in
lookaside autotest.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
---
drivers/crypto/cnxk/cn10k_ipsec.c | 16 +++++++++
drivers/crypto/cnxk/cn10k_ipsec.h | 2 ++
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 44 +++++++++++++++++++++++
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 29 +++++++++++++--
drivers/crypto/cnxk/meson.build | 6 ++++
5 files changed, 95 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 5c57cf2..ebb2a7e 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -57,6 +57,22 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, sa);
+#ifdef LA_IPSEC_DEBUG
+ /* Use IV from application in debug mode */
+ if (ipsec_xfrm->options.iv_gen_disable == 1) {
+ out_sa->w2.s.iv_src = ROC_IE_OT_SA_IV_SRC_FROM_SA;
+ if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ sa->iv_offset = crypto_xfrm->aead.iv.offset;
+ sa->iv_length = crypto_xfrm->aead.iv.length;
+ }
+ }
+#else
+ if (ipsec_xfrm->options.iv_gen_disable != 0) {
+ plt_err("Application provided IV not supported");
+ return -ENOTSUP;
+ }
+#endif
+
/* Get Rlen calculation data */
ret = cnxk_ipsec_outb_rlens_get(&rlens, ipsec_xfrm, crypto_xfrm);
if (ret)
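Review bot: sa->iv_offset and sa->iv_length are only populated when crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD, yet process_outb_sa() in cn10k_ipsec_la_ops.h calls ipsec_po_sa_iv_set() for every non-GCM SA whose iv_src is ROC_IE_OT_SA_IV_SRC_FROM_SA, so a cipher+auth chain session (which the v2 changelog says is now handled) would read its IV from offset 0 of the crypto op. Either add an `else if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_CIPHER)` branch that takes `crypto_xfrm->cipher.iv.offset` and `crypto_xfrm->cipher.iv.length`, or return -ENOTSUP for non-AEAD transforms when iv_gen_disable is set. Also note that sa->iv_length is written here but never read anywhere in this series.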
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index bc52c60..6f974b7 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -21,6 +21,8 @@ struct cn10k_ipsec_sa {
/** Pre-populated CPT inst words */
struct cnxk_cpt_inst_tmpl inst;
uint16_t max_extended_len;
+ uint16_t iv_offset;
+ uint8_t iv_length;
};
struct cn10k_sec_session {
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index fe91638..862476a 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -12,6 +12,41 @@
#include "cn10k_ipsec.h"
#include "cnxk_cryptodev.h"
+static inline void
+ipsec_po_sa_iv_set(struct cn10k_ipsec_sa *sess, struct rte_crypto_op *cop)
+{
+ uint64_t *iv = &sess->out_sa.iv.u64[0];
+ uint64_t *tmp_iv;
+
+ memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset),
+ 16);
+ tmp_iv = (uint64_t *)iv;
+ *tmp_iv = rte_be_to_cpu_64(*tmp_iv);
+
+ tmp_iv = (uint64_t *)(iv + 1);
+ *tmp_iv = rte_be_to_cpu_64(*tmp_iv);
+}
+
+static inline void
+ipsec_po_sa_aes_gcm_iv_set(struct cn10k_ipsec_sa *sess,
+ struct rte_crypto_op *cop)
+{
+ uint8_t *iv = &sess->out_sa.iv.s.iv_dbg1[0];
+ uint32_t *tmp_iv;
+
+ memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset),
+ 4);
+ tmp_iv = (uint32_t *)iv;
+ *tmp_iv = rte_be_to_cpu_32(*tmp_iv);
+
+ iv = &sess->out_sa.iv.s.iv_dbg2[0];
+ memcpy(iv,
+ rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset + 4),
+ 4);
+ tmp_iv = (uint32_t *)iv;
+ *tmp_iv = rte_be_to_cpu_32(*tmp_iv);
+}
+
static __rte_always_inline int
process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
struct cpt_inst_s *inst)
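Review bot: ipsec_po_sa_iv_set() copies a fixed 16 bytes from the op regardless of the cipher's IV size, while sess->iv_length (added to struct cn10k_ipsec_sa in this patch) is never consulted; for a cipher with an 8-byte IV this reads 8 bytes past the IV region of the op. Use sess->iv_length for the memcpy and zero the rest of out_sa.iv. Minor points: `tmp_iv = (uint64_t *)iv;` casts a uint64_t pointer to its own type and can be dropped; the uint8_t-to-uint32_t casts in the GCM variant rely on iv_dbg1/iv_dbg2 being 4-byte aligned; and a one-line comment on why each word is byte-swapped (the op carries the IV in wire order, the SA wants host-order words) would help the next reader. Check that string.h and rte_byteorder.h are included for memcpy() and rte_be_to_cpu_64()/rte_be_to_cpu_32(); only cn10k_ipsec.h and cnxk_cryptodev.h are visible in the context.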
@@ -24,6 +59,15 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
return -ENOMEM;
}
+#ifdef LA_IPSEC_DEBUG
+ if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) {
+ if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM)
+ ipsec_po_sa_aes_gcm_iv_set(sess, cop);
+ else
+ ipsec_po_sa_iv_set(sess, cop);
+ }
+#endif
+
/* Prepare CPT instruction */
inst->w4.u64 = sess->inst.w4;
inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src);
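Review bot: the debug path rewrites sess->out_sa.iv on every operation, i.e. it mutates the shared SA that the CPT engine reads, so two lcores enqueuing on the same session, or an enqueue racing with an earlier instruction the engine has not fetched yet, can mix IVs between packets. That is acceptable for known-vector tests but should be stated in a comment next to the #ifdef (debug only, single producer per session, not for production traffic), so nobody ships a debug build expecting the normal PMD-generated IV guarantees.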
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index c4f7824..4b97639 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -807,7 +807,7 @@ static const struct rte_security_capability sec_caps_templ[] = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
- .options = { 0 }
+ .options = { 0 },
},
.crypto_capabilities = NULL,
},
@@ -818,7 +818,7 @@ static const struct rte_security_capability sec_caps_templ[] = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
- .options = { 0 }
+ .options = { 0 },
},
.crypto_capabilities = NULL,
},
@@ -913,6 +913,24 @@ cnxk_sec_caps_update(struct rte_security_capability *sec_cap)
sec_cap->ipsec.options.udp_encap = 1;
}
+static void
+cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
+{
+ if (sec_cap->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+#ifdef LA_IPSEC_DEBUG
+ sec_cap->ipsec.options.iv_gen_disable = 1;
+#endif
+ }
+}
+
+static void
+cn9k_sec_caps_update(struct rte_security_capability *sec_cap)
+{
+ if (sec_cap->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+ sec_cap->ipsec.options.iv_gen_disable = 1;
+ }
+}
+
void
cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf)
{
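Review bot: cn9k_sec_caps_update() advertises iv_gen_disable unconditionally for egress, but nothing else in this patch touches the cn9k datapath; if the cn9k lookaside path already takes the IV from the crypto op, say so in a comment, otherwise the capability is advertised without being honoured and the test_ipsec_sec_caps_verify() check in 3/3 would pass while the PMD still generates its own IV, so the known-vector test would fail instead of being skipped. On cn10k the capability depends on LA_IPSEC_DEBUG, which means the advertised security capability now varies with the build type; that deserves a line in the driver guide. Style: drop the braces around the single statement in cn9k_sec_caps_update().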
@@ -928,6 +946,13 @@ cnxk_cpt_caps_populate(struct cnxk_cpt_vf *vf)
vf->sec_caps[i].crypto_capabilities = vf->sec_crypto_caps;
cnxk_sec_caps_update(&vf->sec_caps[i]);
+
+ if (roc_model_is_cn10k())
+ cn10k_sec_caps_update(&vf->sec_caps[i]);
+
+ if (roc_model_is_cn9k())
+ cn9k_sec_caps_update(&vf->sec_caps[i]);
+
}
}
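Review bot: the blank `+` line before the closing brace of the loop body is stray whitespace that checkpatch will flag. Since roc_model_is_cn10k() and roc_model_is_cn9k() are mutually exclusive, an if/else chain reads better than two independent ifs.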
diff --git a/drivers/crypto/cnxk/meson.build b/drivers/crypto/cnxk/meson.build
index e40d132..437d208 100644
--- a/drivers/crypto/cnxk/meson.build
+++ b/drivers/crypto/cnxk/meson.build
@@ -24,3 +24,9 @@ sources = files(
deps += ['bus_pci', 'common_cnxk', 'security', 'eventdev']
includes += include_directories('../../../lib/net')
+
+if get_option('buildtype').contains('debug')
+ cflags += [ '-DLA_IPSEC_DEBUG' ]
+else
+ cflags += [ '-ULA_IPSEC_DEBUG' ]
+endif
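Review bot: `get_option('buildtype').contains('debug')` also matches 'debugoptimized', so that build type would likewise switch the outbound SA IV source to FROM_SA and advertise iv_gen_disable; confirm that is intended or compare for equality with 'debug'. The `-ULA_IPSEC_DEBUG` in the else branch is redundant because the macro is never defined anywhere else. Since this flag changes the PMD's externally visible behaviour, a dedicated meson option would be easier to audit than inferring it from buildtype.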
--
2.7.4
* [dpdk-dev] [PATCH v3 3/3] test/crypto: add outbound known vector tests
2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 1/3] security: support user specified IV Anoob Joseph
2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 2/3] crypto/cnxk: add IV in SA in lookaside IPsec debug mode Anoob Joseph
@ 2021-09-07 16:17 ` Anoob Joseph
2021-09-28 8:32 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Akhil Goyal
3 siblings, 0 replies; 17+ messages in thread
From: Anoob Joseph @ 2021-09-07 16:17 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add outbound known vector tests. The tests would be skipped on PMDs
which do not support IV provided by application.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
---
app/test/test_cryptodev.c | 44 ++++++++++++++++++++++++++++++++
app/test/test_cryptodev_security_ipsec.c | 16 +++++++++++-
2 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index fefab3c..dd68080 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -8978,6 +8978,22 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
ut_params->op->sym->m_src = ut_params->ibuf;
ut_params->op->sym->m_dst = NULL;
+ /* Copy IV in crypto operation when IV generation is disabled */
+ if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+ ipsec_xform.options.iv_gen_disable == 1) {
+ uint8_t *iv = rte_crypto_op_ctod_offset(ut_params->op,
+ uint8_t *,
+ IV_OFFSET);
+ int len;
+
+ if (td[i].aead)
+ len = td[i].xform.aead.aead.iv.length;
+ else
+ len = td[i].xform.chain.cipher.cipher.iv.length;
+
+ memcpy(iv, td[i].iv.data, len);
+ }
+
/* Process crypto operation */
process_crypto_request(dev_id, ut_params->op);
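Review bot: `len` is declared int while the xform iv.length fields are uint16_t and memcpy() takes size_t; declare it uint16_t. The copy from td[i].iv.data is unchecked, so it would be worth asserting that the vector's IV buffer actually holds `len` bytes (or that len matches the vector's IV length) before copying, so a mismatched test vector fails loudly rather than feeding a short IV to the PMD.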
@@ -9015,6 +9031,22 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
}
static int
+test_ipsec_proto_known_vec(const void *test_data)
+{
+ struct ipsec_test_data td_outb;
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ memcpy(&td_outb, test_data, sizeof(td_outb));
+
+ /* Disable IV gen to be able to test with known vectors */
+ td_outb.ipsec_xform.options.iv_gen_disable = 1;
+
+ return test_ipsec_proto_process(&td_outb, NULL, 1, false, &flags);
+}
+
+static int
test_ipsec_proto_known_vec_inb(const void *td_outb)
{
struct ipsec_test_flags flags;
@@ -14019,6 +14051,18 @@ static struct unit_test_suite ipsec_proto_testsuite = {
.setup = ipsec_proto_testsuite_setup,
.unit_test_cases = {
TEST_CASE_NAMED_WITH_DATA(
+ "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 128)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_known_vec, &pkt_aes_128_gcm),
+ TEST_CASE_NAMED_WITH_DATA(
+ "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 192)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_known_vec, &pkt_aes_192_gcm),
+ TEST_CASE_NAMED_WITH_DATA(
+ "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_known_vec, &pkt_aes_256_gcm),
+ TEST_CASE_NAMED_WITH_DATA(
"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)",
ut_setup_security, ut_teardown,
test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 5b54996..f371b15 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -77,6 +77,15 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
return -ENOTSUP;
}
+ if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) &&
+ (ipsec_xform->options.iv_gen_disable == 1) &&
+ (sec_cap->ipsec.options.iv_gen_disable != 1)) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Application provided IV is not supported\n");
+ return -ENOTSUP;
+ }
+
return 0;
}
@@ -161,9 +170,11 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
td->xform.aead.aead.algo = param1->alg.aead;
td->xform.aead.aead.key.length = param1->key_length;
+
+ if (flags->iv_gen)
+ td->ipsec_xform.options.iv_gen_disable = 0;
}
- RTE_SET_USED(flags);
RTE_SET_USED(param2);
}
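Review bot: `if (flags->iv_gen) td->ipsec_xform.options.iv_gen_disable = 0;` only ever clears the bit, so it is a no-op unless the templates arrive with iv_gen_disable already set; if that is the intent (known-vector tds default to disabled and iv_gen opts back in), a comment saying so would help, otherwise the assignment is dead code. `flags->iv_gen` itself is not defined in this patch and presumably comes from the lookaside IPsec test series this depends on; worth mentioning in the commit message.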
@@ -187,6 +198,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
if (flags->udp_encap)
td_inb[i].ipsec_xform.options.udp_encap = 1;
+
+ /* Clear outbound specific flags */
+ td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
}
}
--
2.7.4
* Re: [dpdk-dev] [PATCH v3 1/3] security: support user specified IV
2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 1/3] security: support user specified IV Anoob Joseph
@ 2021-09-16 11:14 ` Ananyev, Konstantin
0 siblings, 0 replies; 17+ messages in thread
From: Ananyev, Konstantin @ 2021-09-16 11:14 UTC (permalink / raw)
To: Anoob Joseph, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan
Cc: Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal,
Nicolau, Radu, Power, Ciara, Gagandeep Singh, dev
>
> Enable user to provide IV to be used per security operation. This
> would be used with lookaside protocol offload for comparing
> against known vectors.
>
> By default, PMD would generate IV internally and would be random.
>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Acked-by: Akhil Goyal <gakhil@marvell.com>
> ---
> doc/guides/rel_notes/release_21_11.rst | 5 +++++
> lib/security/rte_security.h | 14 ++++++++++++++
> 2 files changed, 19 insertions(+)
>
> diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
> index 411fa95..9b14c84 100644
> --- a/doc/guides/rel_notes/release_21_11.rst
> +++ b/doc/guides/rel_notes/release_21_11.rst
> @@ -118,6 +118,11 @@ ABI Changes
> Also, make sure to start the actual text at the margin.
> =======================================================
>
> +* security: add IPsec SA option to disable IV generation
> +
> + * Added IPsec SA option to disable IV generation to allow known vector
> + tests as well as usage of application provided IV on supported PMDs.
> +
>
> Known Issues
> ------------
> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> index 88d31de..b4b6776 100644
> --- a/lib/security/rte_security.h
> +++ b/lib/security/rte_security.h
> @@ -181,6 +181,20 @@ struct rte_security_ipsec_sa_options {
> * * 0: Disable per session security statistics collection for this SA.
> */
> uint32_t stats : 1;
> +
> + /** Disable IV generation in PMD
> + *
> + * * 1: Disable IV generation in PMD. When disabled, IV provided in
> + * rte_crypto_op will be used by the PMD.
> + *
> + * * 0: Enable IV generation in PMD. When enabled, PMD generated random
> + * value would be used and application is not required to provide
> + * IV.
> + *
> + * Note: For inline cases, IV generation would always need to be handled
> + * by the PMD.
> + */
> + uint32_t iv_gen_disable : 1;
> };
>
> /** IPSec security association direction */
> --
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> 2.7.4
* Re: [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec
2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 0/3] Add user specified IV with lookaside IPsec Anoob Joseph
` (2 preceding siblings ...)
2021-09-07 16:17 ` [dpdk-dev] [PATCH v3 3/3] test/crypto: add outbound known vector tests Anoob Joseph
@ 2021-09-28 8:32 ` Akhil Goyal
3 siblings, 0 replies; 17+ messages in thread
From: Akhil Goyal @ 2021-09-28 8:32 UTC (permalink / raw)
To: Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob Kollanukkaran, Archana Muniganti,
Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power,
Gagandeep Singh, dev
> Add support for using user provided IV with lookaside protocol (IPsec). Using
> this option, application can provide IV to be used per operation. This
> option can be used for known vector tests (which is otherwise impossible
> due to random nature of IV) as well as if application wishes to use its
> own random generator source.
>
> Depends on
> http://patches.dpdk.org/project/dpdk/list/?series=18642
Applied to dpdk-next-crypto
Thanks.