From: Akhil Goyal
To: "dev@dpdk.org"
CC: "pablo.de.lara.guarch@intel.com", "radu.nicolau@intel.com", "jerin.jacob@caviumnetworks.com", "narayanaprasad.athreya@caviumnetworks.com", "Shally.Verma@caviumnetworks.com", "Anoob.Joseph@caviumnetworks.com", "Vidya.Velumuri@caviumnetworks.com", Hemant Agrawal, Akhil Goyal
Date: Mon, 15 Oct 2018 12:53:39 +0000
Message-ID: <20181015124858.5562-2-akhil.goyal@nxp.com>
References: <20181005135318.6350-1-akhil.goyal@nxp.com> <20181015124858.5562-1-akhil.goyal@nxp.com>
In-Reply-To: <20181015124858.5562-1-akhil.goyal@nxp.com>
Subject: [dpdk-dev] [PATCH v4 1/3] security: support pdcp protocol
List-Id: DPDK patches and discussions

From: Akhil Goyal

Packet Data Convergence Protocol (PDCP) is added in rte_security
for 3GPP TS 36.323 for LTE.

The patchset provides the structure definitions for configuring the
PDCP sessions and relevant documentation is added.

Signed-off-by: Hemant Agrawal
Signed-off-by: Akhil Goyal
---
 doc/guides/prog_guide/rte_security.rst | 107 +++++++++++++++++++++++--
 lib/librte_security/rte_security.c     |   4 +
 lib/librte_security/rte_security.h     |  91 +++++++++++++++++++++
 3 files changed, 195 insertions(+), 7 deletions(-)

diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide= /rte_security.rst index 0812abe77..f09e7c8bb 100644 --- a/doc/guides/prog_guide/rte_security.rst +++ b/doc/guides/prog_guide/rte_security.rst @@ -10,8 +10,8 @@ The security library provides a framework for management = and provisioning of security protocol operations offloaded to hardware based devices. The library defines generic APIs to create and free security sessions which ca= n support full protocol offload as well as inline crypto operation with -NIC or crypto devices. The framework currently only supports the IPSec pro= tocol -and associated operations, other protocols will be added in future. +NIC or crypto devices. The framework currently only supports the IPSec and= PDCP +protocol and associated operations, other protocols will be added in futur= e. =20 Design Principles ----------------- 
@@ -253,6 +253,49 @@ for any protocol header addition. +--------|--------+ V =20 +PDCP Flow Diagram +~~~~~~~~~~~~~~~~~ + +Based on 3GPP TS 36.323 Evolved Universal Terrestrial Radio Access (E-UTRA= ); +Packet Data Convergence Protocol (PDCP) specification + +.. code-block:: c + + Transmitting PDCP Entity Receiving PDCP Entity + | ^ + | +-----------|-----------+ + V | In order delivery and | + +---------|----------+ | Duplicate detection | + | Sequence Numbering | | (Data Plane only) | + +---------|----------+ +-----------|-----------+ + | | + +---------|----------+ +-----------|----------+ + | Header Compression*| | Header Decompression*| + | (Data-Plane only) | | (Data Plane only) | + +---------|----------+ +-----------|----------+ + | | + +---------|-----------+ +-----------|----------+ + | Integrity Protection| |Integrity Verification| + | (Control Plane only)| | (Control Plane only) | + +---------|-----------+ +-----------|----------+ + +---------|-----------+ +----------|----------+ + | Ciphering | | Deciphering | + +---------|-----------+ +----------|----------+ + +---------|-----------+ +----------|----------+ + | Add PDCP header | | Remove PDCP Header | + +---------|-----------+ +----------|----------+ + | | + +----------------->>----------------+ + + +.. note:: + + * Header Compression and decompression are not supported currently. + +Just like IPSec, in case of PDCP also header addition/deletion, cipher/ +de-cipher, integrity protection/verification is done based on the action +type chosen. + Device Features and Capabilities --------------------------------- =20 @@ -271,7 +314,7 @@ structure in the *DPDK API Reference*. =20 Each driver (crypto or ethernet) defines its own private array of capabili= ties for the operations it supports. Below is an example of the capabilities fo= r a -PMD which supports the IPSec protocol. +PMD which supports the IPSec and PDCP protocol. =20 .. code-block:: c =20 
@@ -298,6 +341,24 @@ PMD which supports the IPSec protocol. }, .crypto_capabilities =3D pmd_capabilities }, + { /* PDCP Lookaside Protocol offload Data Plane */ + .action =3D RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol =3D RTE_SECURITY_PROTOCOL_PDCP, + .pdcp =3D { + .domain =3D RTE_SECURITY_PDCP_MODE_DATA, + .capa_flags =3D 0 + }, + .crypto_capabilities =3D pmd_capabilities + }, + { /* PDCP Lookaside Protocol offload Control */ + .action =3D RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol =3D RTE_SECURITY_PROTOCOL_PDCP, + .pdcp =3D { + .domain =3D RTE_SECURITY_PDCP_MODE_CONTROL, + .capa_flags =3D 0 + }, + .crypto_capabilities =3D pmd_capabilities + }, { .action =3D RTE_SECURITY_ACTION_TYPE_NONE } @@ -429,6 +490,7 @@ Security Session configuration structure is defined as = ``rte_security_session_co union { struct rte_security_ipsec_xform ipsec; struct rte_security_macsec_xform macsec; + struct rte_security_pdcp_xform pdcp; }; /**< Configuration parameters for security session */ struct rte_crypto_sym_xform *crypto_xform; @@ -463,15 +525,17 @@ The ``rte_security_session_protocol`` is defined as .. code-block:: c =20 enum rte_security_session_protocol { - RTE_SECURITY_PROTOCOL_IPSEC, + RTE_SECURITY_PROTOCOL_IPSEC =3D 1, /**< IPsec Protocol */ RTE_SECURITY_PROTOCOL_MACSEC, /**< MACSec Protocol */ + RTE_SECURITY_PROTOCOL_PDCP, + /**< PDCP Protocol */ }; =20 -Currently the library defines configuration parameters for IPSec only. For= other -protocols like MACSec, structures and enums are defined as place holders w= hich -will be updated in the future. +Currently the library defines configuration parameters for IPSec and PDCP = only. +For other protocols like MACSec, structures and enums are defined as place= holders +which will be updated in the future. =20 IPsec related configuration parameters are defined in ``rte_security_ipsec= _xform`` =20 
@@ -494,6 +558,35 @@ IPsec related configuration parameters are defined in = ``rte_security_ipsec_xform /**< Tunnel parameters, NULL for transport mode */ }; =20 +PDCP related configuration parameters are defined in ``rte_security_pdcp_x= form`` + +.. code-block:: c + + struct rte_security_pdcp_xform { + int8_t bearer; /**< PDCP bearer ID */ + /**< PDCP mode of operation: Control or data */ + uint8_t en_ordering; + /**< Enable in order delivery, this field shall be set only if + * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. + */ + uint8_t remove_duplicates; + /**< Notify driver/HW to detect and remove duplicate packets. + * This field should be set only when driver/hw is capable. + * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. + */ + enum rte_security_pdcp_domain domain; + /**< PDCP Frame Direction 0:UL 1:DL */ + enum rte_security_pdcp_direction pkt_dir; + /**< Sequence number size, 5/7/12/15/18 */ + enum rte_security_pdcp_sn_size sn_size; + /**< Starting Hyper Frame Number to be used together with the SN + * from the PDCP frames + */ + uint32_t hfn; + /**< HFN Threashold for key renegotiation */ + uint32_t hfn_threshold; + }; + =20 Security API ~~~~~~~~~~~~ diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_s= ecurity.c index 1954960a5..c6355de95 100644 --- a/lib/librte_security/rte_security.c +++ b/lib/librte_security/rte_security.c @@ -131,6 +131,10 @@ rte_security_capability_get(struct rte_security_ctx *i= nstance, capability->ipsec.direction =3D=3D idx->ipsec.direction) return capability; + } else if (idx->protocol =3D=3D RTE_SECURITY_PROTOCOL_PDCP) { + if (capability->pdcp.domain =3D=3D + idx->pdcp.domain) + return capability; } } } diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_s= ecurity.h index b0d1b97ee..1d20530f4 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h 
@@ -206,6 +206,66 @@ struct rte_security_macsec_xform { int dummy; }; =20 +/** + * PDCP Mode of session + */ +enum rte_security_pdcp_domain { + RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */ + RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */ +}; + +/** PDCP Frame direction */ +enum rte_security_pdcp_direction { + RTE_SECURITY_PDCP_UPLINK, /**< Uplink */ + RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */ +}; + +/** + * PDCP Sequence Number Size selectors + * @PDCP_SN_SIZE_5: 5bit sequence number + * @PDCP_SN_SIZE_7: 7bit sequence number + * @PDCP_SN_SIZE_12: 12bit sequence number + * @PDCP_SN_SIZE_15: 15bit sequence number + * @PDCP_SN_SIZE_18: 18bit sequence number + */ +enum rte_security_pdcp_sn_size { + RTE_SECURITY_PDCP_SN_SIZE_5 =3D 5, + RTE_SECURITY_PDCP_SN_SIZE_7 =3D 7, + RTE_SECURITY_PDCP_SN_SIZE_12 =3D 12, + RTE_SECURITY_PDCP_SN_SIZE_15 =3D 15, + RTE_SECURITY_PDCP_SN_SIZE_18 =3D 18 +}; + +/** + * PDCP security association configuration data. + * + * This structure contains data required to create a PDCP security session= . + */ +struct rte_security_pdcp_xform { + int8_t bearer; /**< PDCP bearer ID */ + /**< PDCP mode of operation: Control or data */ + uint8_t en_ordering; + /**< Enable in order delivery, this field shall be set only if + * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. + */ + uint8_t remove_duplicates; + /**< Notify driver/HW to detect and remove duplicate packets. + * This field should be set only when driver/hw is capable. + * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. + */ + enum rte_security_pdcp_domain domain; + /**< PDCP Frame Direction 0:UL 1:DL */ + enum rte_security_pdcp_direction pkt_dir; + /**< Sequence number size, 5/7/12/15/18 */ + enum rte_security_pdcp_sn_size sn_size; + /**< Starting Hyper Frame Number to be used together with the SN + * from the PDCP frames + */ + uint32_t hfn; + /**< HFN Threshold for key renegotiation */ + uint32_t hfn_threshold; +}; + /** * Security session action type. */ 
@@ -232,6 +292,8 @@ enum rte_security_session_protocol { /**< IPsec Protocol */ RTE_SECURITY_PROTOCOL_MACSEC, /**< MACSec Protocol */ + RTE_SECURITY_PROTOCOL_PDCP, + /**< PDCP Protocol */ }; =20 /** @@ -246,6 +308,7 @@ struct rte_security_session_conf { union { struct rte_security_ipsec_xform ipsec; struct rte_security_macsec_xform macsec; + struct rte_security_pdcp_xform pdcp; }; /**< Configuration parameters for security session */ struct rte_crypto_sym_xform *crypto_xform; @@ -413,6 +476,10 @@ struct rte_security_ipsec_stats { =20 }; =20 +struct rte_security_pdcp_stats { + uint64_t reserved; +}; + struct rte_security_stats { enum rte_security_session_protocol protocol; /**< Security protocol to be configured */ @@ -421,6 +488,7 @@ struct rte_security_stats { union { struct rte_security_macsec_stats macsec; struct rte_security_ipsec_stats ipsec; + struct rte_security_pdcp_stats pdcp; }; }; =20 @@ -465,6 +533,13 @@ struct rte_security_capability { int dummy; } macsec; /**< MACsec capability */ + struct { + enum rte_security_pdcp_domain domain; + /** < PDCP mode of operation: Control or data */ + uint32_t capa_flags; + /** < Capabilitity flags, see RTE_SECURITY_PDCP_* */ + } pdcp; + /**< PDCP capability */ }; =20 const struct rte_cryptodev_capabilities *crypto_capabilities; 
@@ -474,6 +549,19 @@ struct rte_security_capability { /**< Device offload flags */ }; =20 +/**< Underlying Hardware/driver which support PDCP may or may not support + * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. + * If it is not set, driver/HW assumes packets received are in order + * and it will be application's responsibility to maintain ordering. + */ +#define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 + +/**< Underlying Hardware/driver which support PDCP may or may not detect + * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. + * If it is not set, driver/HW assumes there is no duplicate packet receiv= ed. + */ +#define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 + #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 /**< HW needs metadata update, see rte_security_set_pkt_metadata(). */ @@ -506,6 +594,9 @@ struct rte_security_capability_idx { enum rte_security_ipsec_sa_mode mode; enum rte_security_ipsec_sa_direction direction; } ipsec; + struct { + enum rte_security_pdcp_domain domain; + } pdcp; }; }; =20 --=20 2.17.1
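
Review bot: In doc/guides/prog_guide/rte_security.rst, hunk @@ -253,6 +253,49, the paragraph that closes the PDCP section says header addition/deletion, ciphering and integrity are done "based on the action type chosen" without saying which action types apply to PDCP; the only one this patch shows is RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, in the capability example. Please name the supported action types here. Separately, the note body starts with "* Header Compression", which reStructuredText will render as a one-item bullet list rather than as the footnote for the asterisks in the diagram.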
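
Review bot: In doc/guides/prog_guide/rte_security.rst, hunk @@ -463,15 +525,17, the documented enum now reads "RTE_SECURITY_PROTOCOL_IPSEC = 1", but the rte_security.h hunk for the same enum (@@ -232,6 +292,8) only appends RTE_SECURITY_PROTOCOL_PDCP and neither shows nor changes the IPSEC enumerator. Please confirm the header already assigns 1 there; if it does not, the guide and the header disagree on every enumerator value, including the new PDCP one.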
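
Review bot: In doc/guides/prog_guide/rte_security.rst, hunk @@ -494,6 +558,35, the last comment in the rte_security_pdcp_xform listing is misspelled ("HFN Threashold"; the header copy has "Threshold"). The listing also inherits the header's comment layout, where "/**< PDCP mode of operation: Control or data */" sits between bearer and en_ordering instead of next to domain, so a reader of the guide cannot tell which comment belongs to which field. Regenerate this listing from the header once the comments there are fixed.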
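
Review bot: In lib/librte_security/rte_security.c, hunk @@ -131,6 +131,10, the new PDCP branch of rte_security_capability_get() matches on pdcp.domain alone and returns the first hit, so capa_flags plays no part in the lookup. An application that sets en_ordering or remove_duplicates therefore has to test RTE_SECURITY_PDCP_ORDERING_CAP and RTE_SECURITY_PDCP_DUP_DETECT_CAP on the returned entry itself. Please state that in the function's documentation or in the guide, and say what a PMD should do if it would otherwise list two entries for the same domain with different flags.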
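
Review bot: In lib/librte_security/rte_security.h, hunk @@ -206,6 +206,66, the member comments in struct rte_security_pdcp_xform mix two placements. All of them use the trailing form "/**<", which documents the member before it, yet from domain onward each one is written above the member it describes: "PDCP Frame Direction 0:UL 1:DL" follows domain, "Sequence number size" follows pkt_dir, "Starting Hyper Frame Number" follows sn_size, and hfn_threshold ends up with no comment at all. Put each comment after its own member, or switch the leading ones to "/**". In the same hunk, the rte_security_pdcp_sn_size comment lists "@PDCP_SN_SIZE_5" and so on, which do not match the enumerator names RTE_SECURITY_PDCP_SN_SIZE_5 through RTE_SECURITY_PDCP_SN_SIZE_18.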
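
Review bot: In lib/librte_security/rte_security.h, hunk @@ -413,6 +476,10, struct rte_security_pdcp_stats has a single member "uint64_t reserved" and no comment, so nothing tells users it is a placeholder. Add a Doxygen comment saying so. Related: hfn_threshold is described as the "HFN Threshold for key renegotiation", but no hunk in this patch shows how the application learns that the threshold was reached; if a counter or event is planned, this struct or its comment is the place to say it.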
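
Review bot: In lib/librte_security/rte_security.h, hunk @@ -465,6 +533,13, the two member comments in the new pdcp capability struct are written "/** <" with a space, which is not the "/**<" trailing-member marker used in the rest of this patch, so they will not be attached to domain and capa_flags as intended. Drop the space. "Capabilitity" should be "Capability", and "see RTE_SECURITY_PDCP_*" would be more precise as a reference to the two *_CAP macros, since RTE_SECURITY_PDCP_MODE_* and other names added here share that prefix.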
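
Review bot: In lib/librte_security/rte_security.h, hunk @@ -474,6 +549,19, both new comment blocks open with "/**<" but are placed above the #define they describe. The trailing marker binds a comment to the preceding entity, not to the macro that follows, so the first block lands on whatever precedes it, the second lands on RTE_SECURITY_PDCP_ORDERING_CAP, and RTE_SECURITY_PDCP_DUP_DETECT_CAP gets none. Use "/**" for both. Wording: "which support PDCP" should be "which supports PDCP", and "if it support" should be "if it is supported".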