From: Jiawen Wu <jiawenwu@trustnetic.com>
To: dev@dpdk.org
Cc: Jiawen Wu <jiawenwu@trustnetic.com>
Subject: [dpdk-dev] [PATCH v3 30/33] net/txgbe: add security session create operation
Date: Fri, 18 Dec 2020 17:36:59 +0800 [thread overview]
Message-ID: <20201218093702.3651867-31-jiawenwu@trustnetic.com> (raw)
In-Reply-To: <20201218093702.3651867-1-jiawenwu@trustnetic.com>
Add support to configure a security session.
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
---
drivers/net/txgbe/txgbe_ethdev.h | 9 ++
drivers/net/txgbe/txgbe_ipsec.c | 251 +++++++++++++++++++++++++++++++
drivers/net/txgbe/txgbe_ipsec.h | 77 ++++++++++
3 files changed, 337 insertions(+)
create mode 100644 drivers/net/txgbe/txgbe_ipsec.h
diff --git a/drivers/net/txgbe/txgbe_ethdev.h b/drivers/net/txgbe/txgbe_ethdev.h
index e6c60b03d..6814acf1e 100644
--- a/drivers/net/txgbe/txgbe_ethdev.h
+++ b/drivers/net/txgbe/txgbe_ethdev.h
@@ -9,6 +9,9 @@
#include "base/txgbe.h"
#include "txgbe_ptypes.h"
+#ifdef RTE_LIB_SECURITY
+#include "txgbe_ipsec.h"
+#endif
#include <rte_flow.h>
#include <rte_flow_driver.h>
#include <rte_time.h>
@@ -357,6 +360,9 @@ struct txgbe_adapter {
struct txgbe_filter_info filter;
struct txgbe_l2_tn_info l2_tn;
struct txgbe_bw_conf bw_conf;
+#ifdef RTE_LIB_SECURITY
+ struct txgbe_ipsec ipsec;
+#endif
bool rx_bulk_alloc_allowed;
struct rte_timecounter systime_tc;
struct rte_timecounter rx_tstamp_tc;
@@ -415,6 +421,9 @@ struct txgbe_adapter {
#define TXGBE_DEV_TM_CONF(dev) \
(&((struct txgbe_adapter *)(dev)->data->dev_private)->tm_conf)
+#define TXGBE_DEV_IPSEC(dev) \
+ (&((struct txgbe_adapter *)(dev)->data->dev_private)->ipsec)
+
/*
* RX/TX function prototypes
*/
diff --git a/drivers/net/txgbe/txgbe_ipsec.c b/drivers/net/txgbe/txgbe_ipsec.c
index 9e400b630..24dd09191 100644
--- a/drivers/net/txgbe/txgbe_ipsec.c
+++ b/drivers/net/txgbe/txgbe_ipsec.c
@@ -8,6 +8,256 @@
#include "base/txgbe.h"
#include "txgbe_ethdev.h"
+#include "txgbe_ipsec.h"
+
+#define CMP_IP(a, b) (\
+ (a).ipv6[0] == (b).ipv6[0] && \
+ (a).ipv6[1] == (b).ipv6[1] && \
+ (a).ipv6[2] == (b).ipv6[2] && \
+ (a).ipv6[3] == (b).ipv6[3])
+
+static int
+txgbe_crypto_add_sa(struct txgbe_crypto_session *ic_session)
+{
+ struct rte_eth_dev *dev = ic_session->dev;
+ struct txgbe_hw *hw = TXGBE_DEV_HW(dev);
+ struct txgbe_ipsec *priv = TXGBE_DEV_IPSEC(dev);
+ uint32_t reg_val;
+ int sa_index = -1;
+
+ if (ic_session->op == TXGBE_OP_AUTHENTICATED_DECRYPTION) {
+ int i, ip_index = -1;
+ uint8_t *key;
+
+ /* Find a match in the IP table*/
+ for (i = 0; i < IPSEC_MAX_RX_IP_COUNT; i++) {
+ if (CMP_IP(priv->rx_ip_tbl[i].ip,
+ ic_session->dst_ip)) {
+ ip_index = i;
+ break;
+ }
+ }
+ /* If no match, find a free entry in the IP table*/
+ if (ip_index < 0) {
+ for (i = 0; i < IPSEC_MAX_RX_IP_COUNT; i++) {
+ if (priv->rx_ip_tbl[i].ref_count == 0) {
+ ip_index = i;
+ break;
+ }
+ }
+ }
+
+ /* Fail if no match and no free entries*/
+ if (ip_index < 0) {
+ PMD_DRV_LOG(ERR,
+ "No free entry left in the Rx IP table\n");
+ return -1;
+ }
+
+ /* Find a free entry in the SA table*/
+ for (i = 0; i < IPSEC_MAX_SA_COUNT; i++) {
+ if (priv->rx_sa_tbl[i].used == 0) {
+ sa_index = i;
+ break;
+ }
+ }
+ /* Fail if no free entries*/
+ if (sa_index < 0) {
+ PMD_DRV_LOG(ERR,
+ "No free entry left in the Rx SA table\n");
+ return -1;
+ }
+
+ priv->rx_ip_tbl[ip_index].ip.ipv6[0] =
+ ic_session->dst_ip.ipv6[0];
+ priv->rx_ip_tbl[ip_index].ip.ipv6[1] =
+ ic_session->dst_ip.ipv6[1];
+ priv->rx_ip_tbl[ip_index].ip.ipv6[2] =
+ ic_session->dst_ip.ipv6[2];
+ priv->rx_ip_tbl[ip_index].ip.ipv6[3] =
+ ic_session->dst_ip.ipv6[3];
+ priv->rx_ip_tbl[ip_index].ref_count++;
+
+ priv->rx_sa_tbl[sa_index].spi = ic_session->spi;
+ priv->rx_sa_tbl[sa_index].ip_index = ip_index;
+ priv->rx_sa_tbl[sa_index].mode = IPSRXMOD_VALID;
+ if (ic_session->op == TXGBE_OP_AUTHENTICATED_DECRYPTION)
+ priv->rx_sa_tbl[sa_index].mode |=
+ (IPSRXMOD_PROTO | IPSRXMOD_DECRYPT);
+ if (ic_session->dst_ip.type == IPv6) {
+ priv->rx_sa_tbl[sa_index].mode |= IPSRXMOD_IPV6;
+ priv->rx_ip_tbl[ip_index].ip.type = IPv6;
+ } else if (ic_session->dst_ip.type == IPv4) {
+ priv->rx_ip_tbl[ip_index].ip.type = IPv4;
+ }
+ priv->rx_sa_tbl[sa_index].used = 1;
+
+ /* write IP table entry*/
+ reg_val = TXGBE_IPSRXIDX_ENA | TXGBE_IPSRXIDX_WRITE |
+ TXGBE_IPSRXIDX_TB_IP | (ip_index << 3);
+ if (priv->rx_ip_tbl[ip_index].ip.type == IPv4) {
+ wr32(hw, TXGBE_IPSRXADDR(0), 0);
+ wr32(hw, TXGBE_IPSRXADDR(1), 0);
+ wr32(hw, TXGBE_IPSRXADDR(2), 0);
+ wr32(hw, TXGBE_IPSRXADDR(3),
+ priv->rx_ip_tbl[ip_index].ip.ipv4);
+ } else {
+ wr32(hw, TXGBE_IPSRXADDR(0),
+ priv->rx_ip_tbl[ip_index].ip.ipv6[0]);
+ wr32(hw, TXGBE_IPSRXADDR(1),
+ priv->rx_ip_tbl[ip_index].ip.ipv6[1]);
+ wr32(hw, TXGBE_IPSRXADDR(2),
+ priv->rx_ip_tbl[ip_index].ip.ipv6[2]);
+ wr32(hw, TXGBE_IPSRXADDR(3),
+ priv->rx_ip_tbl[ip_index].ip.ipv6[3]);
+ }
+ wr32w(hw, TXGBE_IPSRXIDX, reg_val, TXGBE_IPSRXIDX_WRITE, 1000);
+
+ /* write SPI table entry*/
+ reg_val = TXGBE_IPSRXIDX_ENA | TXGBE_IPSRXIDX_WRITE |
+ TXGBE_IPSRXIDX_TB_SPI | (sa_index << 3);
+ wr32(hw, TXGBE_IPSRXSPI,
+ priv->rx_sa_tbl[sa_index].spi);
+ wr32(hw, TXGBE_IPSRXADDRIDX,
+ priv->rx_sa_tbl[sa_index].ip_index);
+ wr32w(hw, TXGBE_IPSRXIDX, reg_val, TXGBE_IPSRXIDX_WRITE, 1000);
+
+ /* write Key table entry*/
+ key = malloc(ic_session->key_len);
+ if (!key)
+ return -ENOMEM;
+
+ memcpy(key, ic_session->key, ic_session->key_len);
+
+ reg_val = TXGBE_IPSRXIDX_ENA | TXGBE_IPSRXIDX_WRITE |
+ TXGBE_IPSRXIDX_TB_KEY | (sa_index << 3);
+ wr32(hw, TXGBE_IPSRXKEY(0),
+ rte_cpu_to_be_32(*(uint32_t *)&key[12]));
+ wr32(hw, TXGBE_IPSRXKEY(1),
+ rte_cpu_to_be_32(*(uint32_t *)&key[8]));
+ wr32(hw, TXGBE_IPSRXKEY(2),
+ rte_cpu_to_be_32(*(uint32_t *)&key[4]));
+ wr32(hw, TXGBE_IPSRXKEY(3),
+ rte_cpu_to_be_32(*(uint32_t *)&key[0]));
+ wr32(hw, TXGBE_IPSRXSALT,
+ rte_cpu_to_be_32(ic_session->salt));
+ wr32(hw, TXGBE_IPSRXMODE,
+ priv->rx_sa_tbl[sa_index].mode);
+ wr32w(hw, TXGBE_IPSRXIDX, reg_val, TXGBE_IPSRXIDX_WRITE, 1000);
+
+ free(key);
+ } else { /* sess->dir == RTE_CRYPTO_OUTBOUND */
+ uint8_t *key;
+ int i;
+
+ /* Find a free entry in the SA table*/
+ for (i = 0; i < IPSEC_MAX_SA_COUNT; i++) {
+ if (priv->tx_sa_tbl[i].used == 0) {
+ sa_index = i;
+ break;
+ }
+ }
+ /* Fail if no free entries*/
+ if (sa_index < 0) {
+ PMD_DRV_LOG(ERR,
+ "No free entry left in the Tx SA table\n");
+ return -1;
+ }
+
+ priv->tx_sa_tbl[sa_index].spi =
+ rte_cpu_to_be_32(ic_session->spi);
+ priv->tx_sa_tbl[i].used = 1;
+ ic_session->sa_index = sa_index;
+
+ key = malloc(ic_session->key_len);
+ if (!key)
+ return -ENOMEM;
+
+ memcpy(key, ic_session->key, ic_session->key_len);
+
+ /* write Key table entry*/
+ reg_val = TXGBE_IPSRXIDX_ENA |
+ TXGBE_IPSRXIDX_WRITE | (sa_index << 3);
+ wr32(hw, TXGBE_IPSTXKEY(0),
+ rte_cpu_to_be_32(*(uint32_t *)&key[12]));
+ wr32(hw, TXGBE_IPSTXKEY(1),
+ rte_cpu_to_be_32(*(uint32_t *)&key[8]));
+ wr32(hw, TXGBE_IPSTXKEY(2),
+ rte_cpu_to_be_32(*(uint32_t *)&key[4]));
+ wr32(hw, TXGBE_IPSTXKEY(3),
+ rte_cpu_to_be_32(*(uint32_t *)&key[0]));
+ wr32(hw, TXGBE_IPSTXSALT,
+ rte_cpu_to_be_32(ic_session->salt));
+ wr32w(hw, TXGBE_IPSTXIDX, reg_val, TXGBE_IPSTXIDX_WRITE, 1000);
+
+ free(key);
+ }
+
+ return 0;
+}
+
+static int
+txgbe_crypto_create_session(void *device,
+ struct rte_security_session_conf *conf,
+ struct rte_security_session *session,
+ struct rte_mempool *mempool)
+{
+ struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+ struct txgbe_crypto_session *ic_session = NULL;
+ struct rte_crypto_aead_xform *aead_xform;
+ struct rte_eth_conf *dev_conf = ð_dev->data->dev_conf;
+
+ if (rte_mempool_get(mempool, (void **)&ic_session)) {
+ PMD_DRV_LOG(ERR, "Cannot get object from ic_session mempool");
+ return -ENOMEM;
+ }
+
+ if (conf->crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD ||
+ conf->crypto_xform->aead.algo !=
+ RTE_CRYPTO_AEAD_AES_GCM) {
+ PMD_DRV_LOG(ERR, "Unsupported crypto transformation mode\n");
+ rte_mempool_put(mempool, (void *)ic_session);
+ return -ENOTSUP;
+ }
+ aead_xform = &conf->crypto_xform->aead;
+
+ if (conf->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+ if (dev_conf->rxmode.offloads & DEV_RX_OFFLOAD_SECURITY) {
+ ic_session->op = TXGBE_OP_AUTHENTICATED_DECRYPTION;
+ } else {
+ PMD_DRV_LOG(ERR, "IPsec decryption not enabled\n");
+ rte_mempool_put(mempool, (void *)ic_session);
+ return -ENOTSUP;
+ }
+ } else {
+ if (dev_conf->txmode.offloads & DEV_TX_OFFLOAD_SECURITY) {
+ ic_session->op = TXGBE_OP_AUTHENTICATED_ENCRYPTION;
+ } else {
+ PMD_DRV_LOG(ERR, "IPsec encryption not enabled\n");
+ rte_mempool_put(mempool, (void *)ic_session);
+ return -ENOTSUP;
+ }
+ }
+
+ ic_session->key = aead_xform->key.data;
+ ic_session->key_len = aead_xform->key.length;
+ memcpy(&ic_session->salt,
+ &aead_xform->key.data[aead_xform->key.length], 4);
+ ic_session->spi = conf->ipsec.spi;
+ ic_session->dev = eth_dev;
+
+ set_sec_session_private_data(session, ic_session);
+
+ if (ic_session->op == TXGBE_OP_AUTHENTICATED_ENCRYPTION) {
+ if (txgbe_crypto_add_sa(ic_session)) {
+ PMD_DRV_LOG(ERR, "Failed to add SA\n");
+ rte_mempool_put(mempool, (void *)ic_session);
+ return -EPERM;
+ }
+ }
+
+ return 0;
+}
static const struct rte_security_capability *
txgbe_crypto_capabilities_get(void *device __rte_unused)
@@ -136,6 +386,7 @@ txgbe_crypto_capabilities_get(void *device __rte_unused)
}
static struct rte_security_ops txgbe_security_ops = {
+ .session_create = txgbe_crypto_create_session,
.capabilities_get = txgbe_crypto_capabilities_get
};
diff --git a/drivers/net/txgbe/txgbe_ipsec.h b/drivers/net/txgbe/txgbe_ipsec.h
new file mode 100644
index 000000000..2f0d813bc
--- /dev/null
+++ b/drivers/net/txgbe/txgbe_ipsec.h
@@ -0,0 +1,77 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2015-2020
+ */
+
+#ifndef TXGBE_IPSEC_H_
+#define TXGBE_IPSEC_H_
+
+#include <rte_ethdev.h>
+#include <rte_ethdev_core.h>
+#include <rte_security.h>
+
+#define IPSRXMOD_VALID 0x00000001
+#define IPSRXMOD_PROTO 0x00000004
+#define IPSRXMOD_DECRYPT 0x00000008
+#define IPSRXMOD_IPV6 0x00000010
+
+#define IPSEC_MAX_RX_IP_COUNT 128
+#define IPSEC_MAX_SA_COUNT 1024
+
+enum txgbe_operation {
+ TXGBE_OP_AUTHENTICATED_ENCRYPTION,
+ TXGBE_OP_AUTHENTICATED_DECRYPTION
+};
+
+/**
+ * Generic IP address structure
+ * TODO: Find better location for this rte_net.h possibly.
+ **/
+struct ipaddr {
+ enum ipaddr_type {
+ IPv4,
+ IPv6
+ } type;
+ /**< IP Address Type - IPv4/IPv6 */
+
+ union {
+ uint32_t ipv4;
+ uint32_t ipv6[4];
+ };
+};
+
+/** inline crypto private session structure */
+struct txgbe_crypto_session {
+ enum txgbe_operation op;
+ const uint8_t *key;
+ uint32_t key_len;
+ uint32_t salt;
+ uint32_t sa_index;
+ uint32_t spi;
+ struct ipaddr src_ip;
+ struct ipaddr dst_ip;
+ struct rte_eth_dev *dev;
+} __rte_cache_aligned;
+
+struct txgbe_crypto_rx_ip_table {
+ struct ipaddr ip;
+ uint16_t ref_count;
+};
+struct txgbe_crypto_rx_sa_table {
+ uint32_t spi;
+ uint32_t ip_index;
+ uint8_t mode;
+ uint8_t used;
+};
+
+struct txgbe_crypto_tx_sa_table {
+ uint32_t spi;
+ uint8_t used;
+};
+
+struct txgbe_ipsec {
+ struct txgbe_crypto_rx_ip_table rx_ip_tbl[IPSEC_MAX_RX_IP_COUNT];
+ struct txgbe_crypto_rx_sa_table rx_sa_tbl[IPSEC_MAX_SA_COUNT];
+ struct txgbe_crypto_tx_sa_table tx_sa_tbl[IPSEC_MAX_SA_COUNT];
+};
+
+#endif /*TXGBE_IPSEC_H_*/
--
2.18.2
next prev parent reply other threads:[~2020-12-18 9:44 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-18 9:36 [dpdk-dev] [PATCH v3 00/33] net: add txgbe PMD part 2 Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 01/33] net/txgbe: add generic flow API Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 02/33] net/txgbe: add ntuple filter init and uninit Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 03/33] net/txgbe: support ntuple filter add and delete Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 04/33] net/txgbe: parse n-tuple filter Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 05/33] net/txgbe: support ethertype filter add and delete Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 06/33] net/txgbe: parse ethertype filter Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 07/33] net/txgbe: support syn filter add and delete Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 08/33] net/txgbe: parse syn filter Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 09/33] net/txgbe: add L2 tunnel filter init and uninit Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 10/33] net/txgbe: config L2 tunnel filter with e-tag Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 11/33] net/txgbe: support L2 tunnel filter add and delete Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 12/33] net/txgbe: parse L2 tunnel filter Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 13/33] net/txgbe: add flow director filter init and uninit Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 14/33] net/txgbe: configure flow director filter Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 15/33] net/txgbe: support flow director filter add and delete Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 16/33] net/txgbe: parse flow director filter Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 17/33] net/txgbe: restore RSS filter Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 18/33] net/txgbe: parse " Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 19/33] net/txgbe: support to create consistent filter Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 20/33] net/txgbe: support to destroy " Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 21/33] net/txgbe: flush all the filters Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 22/33] net/txgbe: support UDP tunnel port add and delete Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 23/33] net/txgbe: add TM configuration init and uninit Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 24/33] net/txgbe: add TM capabilities get operation Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 25/33] net/txgbe: support TM shaper profile add and delete Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 26/33] net/txgbe: support TM node " Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 27/33] net/txgbe: add TM hierarchy commit Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 28/33] net/txgbe: support to add traffic mirror rules Jiawen Wu
2020-12-18 9:36 ` [dpdk-dev] [PATCH v3 29/33] net/txgbe: add IPsec context creation Jiawen Wu
2020-12-18 9:36 ` Jiawen Wu [this message]
2020-12-18 9:37 ` [dpdk-dev] [PATCH v3 31/33] net/txgbe: destroy security session Jiawen Wu
2020-12-18 9:37 ` [dpdk-dev] [PATCH v3 32/33] net/txgbe: add security offload in Rx and Tx process Jiawen Wu
2020-12-18 9:37 ` [dpdk-dev] [PATCH v3 33/33] net/txgbe: add security type in flow action Jiawen Wu
2021-01-13 6:15 ` [dpdk-dev] [PATCH v3 00/33] net: add txgbe PMD part 2 Jiawen Wu
2021-01-13 13:15 ` Ferruh Yigit
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201218093702.3651867-31-jiawenwu@trustnetic.com \
--to=jiawenwu@trustnetic.com \
--cc=dev@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).