From: Akhil Goyal <gakhil@marvell.com>
To: Matan Azrad <matan@nvidia.com>, "dev@dpdk.org" <dev@dpdk.org>
Cc: Declan Doherty <declan.doherty@intel.com>,
Somalapuram Amaranath <asomalap@amd.com>,
Ruifeng Wang <ruifeng.wang@arm.com>,
Ajit Khaparde <ajit.khaparde@broadcom.com>,
Anoob Joseph <anoobj@marvell.com>,
Fan Zhang <roy.fan.zhang@intel.com>,
John Griffin <john.griffin@intel.com>,
Pablo de Lara <pablo.de.lara.guarch@intel.com>,
Michael Shamis <michaelsh@marvell.com>,
Nagadheeraj Rottela <rnagadheeraj@marvell.com>,
Ankur Dwivedi <adwivedi@marvell.com>,
Gagandeep Singh <g.singh@nxp.com>,
Jay Zhou <jianjay.zhou@huawei.com>,
ArkadiuszX Kusztal <arkadiuszx.kusztal@intel.com>,
"sashakot@nvidia.com" <sashakot@nvidia.com>,
"oren@nvidia.com" <oren@nvidia.com>,
Shiri Kuzin <shirik@nvidia.com>
Subject: Re: [dpdk-dev] [EXT] [PATCH v3] cryptodev: formalize key wrap method in API
Date: Tue, 13 Apr 2021 09:58:38 +0000 [thread overview]
Message-ID: <MW2PR18MB2284C22DBD0E0282731F27A0D84F9@MW2PR18MB2284.namprd18.prod.outlook.com> (raw)
In-Reply-To: <20210413063718.3123698-1-matan@nvidia.com>
> The Key Wrap approach is used by applications in order to protect keys
> located in untrusted storage or transmitted over untrusted
> communications networks. The constructions are typically built from
> standard primitives such as block ciphers and cryptographic hash
> functions.
>
> The Key Wrap method and its parameters are a secret between the keys
> provider and the device, means that the device is preconfigured for
> this method using very secured way.
>
> The key wrap method may change the key length and layout.
>
> Add a description for the cipher transformation key to allow wrapped key
> to be forwarded by the same API.
>
> Add a new feature flag RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY to be
> enabled
> by PMDs support wrapped key in cipher trasformation.
>
> Signed-off-by: Matan Azrad <matan@nvidia.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>
I hope crypto mlx5 driver support this feature. Do not forget to add this flag
In that.
>
> V2:
> Address Akhil coment to introduce ne feature flag for wrapped keys.
>
> V3:
> Improve descriptions\spelling suggested by Akhil.
>
> doc/guides/cryptodevs/features/default.ini | 1 +
> doc/guides/cryptodevs/overview.rst | 3 +++
> doc/guides/rel_notes/release_21_05.rst | 5 +++++
> lib/librte_cryptodev/rte_crypto_sym.h | 8 ++++++++
> lib/librte_cryptodev/rte_cryptodev.c | 2 ++
> lib/librte_cryptodev/rte_cryptodev.h | 2 ++
> 6 files changed, 21 insertions(+)
>
> diff --git a/doc/guides/cryptodevs/features/default.ini
> b/doc/guides/cryptodevs/features/default.ini
> index 978bb30cc1..c24814de98 100644
> --- a/doc/guides/cryptodevs/features/default.ini
> +++ b/doc/guides/cryptodevs/features/default.ini
> @@ -32,6 +32,7 @@ Symmetric sessionless =
> Non-Byte aligned data =
> Sym raw data path API =
> Cipher multiple data units =
> +Cipher wrapped key =
>
> ;
> ; Supported crypto algorithms of a default crypto driver.
> diff --git a/doc/guides/cryptodevs/overview.rst
> b/doc/guides/cryptodevs/overview.rst
> index e24e3e1993..b87c4c6a27 100644
> --- a/doc/guides/cryptodevs/overview.rst
> +++ b/doc/guides/cryptodevs/overview.rst
> @@ -49,6 +49,9 @@ Supported Feature Flags
> - "CIPHER_MULTIPLE_DATA_UNITS" feature flag means PMD support
> operations
> on multiple data-units message.
>
> + - "CIPHER_WRAPPED_KEY" feature flag means PMD support wrapped key
> in cipher
> + xform.
> +
>
> Supported Cipher Algorithms
> ---------------------------
> diff --git a/doc/guides/rel_notes/release_21_05.rst
> b/doc/guides/rel_notes/release_21_05.rst
> index 1537fac4bc..24b8b28253 100644
> --- a/doc/guides/rel_notes/release_21_05.rst
> +++ b/doc/guides/rel_notes/release_21_05.rst
> @@ -132,6 +132,11 @@ New Features
> data-units for AES-XTS algorithm, the data-unit length should be set in the
> transformation. A capability for it was added too.
>
> +* **Added a crypto PMD feature flag to support cipher wrapped keys.**
> +
> + A new feature flag is added to allow application to provide cipher wrapped
> + keys in session xforms.
> +
>
> Removed Items
> -------------
> diff --git a/lib/librte_cryptodev/rte_crypto_sym.h
> b/lib/librte_cryptodev/rte_crypto_sym.h
> index 5973e31f30..a1fb5b0f5c 100644
> --- a/lib/librte_cryptodev/rte_crypto_sym.h
> +++ b/lib/librte_cryptodev/rte_crypto_sym.h
> @@ -200,6 +200,14 @@ struct rte_crypto_cipher_xform {
> uint16_t length; /**< key length in bytes */
> } key;
> /**< Cipher key
> + *
> + * In case the PMD supports
> RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY, the
> + * original key data provided may be wrapped(encrypted) using key
> wrap
> + * algorithm such as AES key wrap (rfc3394) and hence length of the
> key
> + * may increase beyond the PMD advertised supported key size.
> + * PMD shall validate the key length and report EMSGSIZE error while
> + * configuring the session and application can skip checking the
> + * capability key length in such cases.
> *
> * For the RTE_CRYPTO_CIPHER_AES_F8 mode of operation, key.data
> will
> * point to a concatenation of the AES encryption key followed by a
> diff --git a/lib/librte_cryptodev/rte_cryptodev.c
> b/lib/librte_cryptodev/rte_cryptodev.c
> index e02e001325..a84cd745f9 100644
> --- a/lib/librte_cryptodev/rte_cryptodev.c
> +++ b/lib/librte_cryptodev/rte_cryptodev.c
> @@ -619,6 +619,8 @@ rte_cryptodev_get_feature_name(uint64_t flag)
> return "NON_BYTE_ALIGNED_DATA";
> case RTE_CRYPTODEV_FF_CIPHER_MULTIPLE_DATA_UNITS:
> return "CIPHER_MULTIPLE_DATA_UNITS";
> + case RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY:
> + return "CIPHER_WRAPPED_KEY";
> default:
> return NULL;
> }
> diff --git a/lib/librte_cryptodev/rte_cryptodev.h
> b/lib/librte_cryptodev/rte_cryptodev.h
> index c274e208ed..a823831065 100644
> --- a/lib/librte_cryptodev/rte_cryptodev.h
> +++ b/lib/librte_cryptodev/rte_cryptodev.h
> @@ -476,6 +476,8 @@ rte_cryptodev_asym_get_xform_enum(enum
> rte_crypto_asym_xform_type *xform_enum,
> /**< Support accelerator specific symmetric raw data-path APIs */
> #define RTE_CRYPTODEV_FF_CIPHER_MULTIPLE_DATA_UNITS (1ULL << 25)
> /**< Support operations on multiple data-units message */
> +#define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL << 26)
> +/**< Support wrapped key in cipher xform */
>
> /**
> * Get the name of a crypto device feature flag
> --
> 2.25.1
next prev parent reply other threads:[~2021-04-13 9:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-16 6:51 [dpdk-dev] [PATCH] " Matan Azrad
2021-04-11 14:00 ` [dpdk-dev] [PATCH v2] " Matan Azrad
2021-04-11 20:26 ` [dpdk-dev] [EXT] " Akhil Goyal
2021-04-13 6:37 ` [dpdk-dev] [PATCH v3] " Matan Azrad
2021-04-13 9:58 ` Akhil Goyal [this message]
2021-04-16 10:39 ` [dpdk-dev] [EXT] " Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MW2PR18MB2284C22DBD0E0282731F27A0D84F9@MW2PR18MB2284.namprd18.prod.outlook.com \
--to=gakhil@marvell.com \
--cc=adwivedi@marvell.com \
--cc=ajit.khaparde@broadcom.com \
--cc=anoobj@marvell.com \
--cc=arkadiuszx.kusztal@intel.com \
--cc=asomalap@amd.com \
--cc=declan.doherty@intel.com \
--cc=dev@dpdk.org \
--cc=g.singh@nxp.com \
--cc=jianjay.zhou@huawei.com \
--cc=john.griffin@intel.com \
--cc=matan@nvidia.com \
--cc=michaelsh@marvell.com \
--cc=oren@nvidia.com \
--cc=pablo.de.lara.guarch@intel.com \
--cc=rnagadheeraj@marvell.com \
--cc=roy.fan.zhang@intel.com \
--cc=ruifeng.wang@arm.com \
--cc=sashakot@nvidia.com \
--cc=shirik@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).