From: Akhil Goyal
To: "dev@dpdk.org"
CC: "pablo.de.lara.guarch@intel.com", "radu.nicolau@intel.com", "jerin.jacob@caviumnetworks.com", "narayanaprasad.athreya@caviumnetworks.com", "Shally.Verma@caviumnetworks.com", "Anoob.Joseph@caviumnetworks.com", "Vidya.Velumuri@caviumnetworks.com", Hemant Agrawal, Akhil Goyal
Date: Tue, 16 Oct 2018 10:39:00 +0000
Message-ID: <20181016103352.2678-2-akhil.goyal@nxp.com>
References: <20181015124858.5562-1-akhil.goyal@nxp.com> <20181016103352.2678-1-akhil.goyal@nxp.com>
In-Reply-To: <20181016103352.2678-1-akhil.goyal@nxp.com>
Subject: [dpdk-dev] [PATCH v5 1/3] security: support pdcp protocol
List-Id: DPDK patches and discussions

From: Akhil Goyal

Packet Data Convergence Protocol (PDCP) is added in rte_security
for 3GPP TS 36.323 for LTE. The patchset provides the structure
definitions for configuring the PDCP sessions and relevant
documentation is added.

Signed-off-by: Hemant Agrawal
Signed-off-by: Akhil Goyal
---
 doc/guides/prog_guide/rte_security.rst | 107 +++++++++++++++++++++++--
 lib/librte_security/rte_security.c     |   4 +
 lib/librte_security/rte_security.h     |  92 +++++++++++++++++++++
 3 files changed, 196 insertions(+), 7 deletions(-)

diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide= /rte_security.rst index 0812abe77..e43f1554c 100644 --- a/doc/guides/prog_guide/rte_security.rst +++ b/doc/guides/prog_guide/rte_security.rst @@ -10,8 +10,8 @@ The security library provides a framework for management = and provisioning of security protocol operations offloaded to hardware based devices. The library defines generic APIs to create and free security sessions which ca= n support full protocol offload as well as inline crypto operation with -NIC or crypto devices. The framework currently only supports the IPSec pro= tocol -and associated operations, other protocols will be added in future. +NIC or crypto devices. The framework currently only supports the IPsec and= PDCP +protocol and associated operations, other protocols will be added in futur= e. =20 Design Principles ----------------- 
@@ -253,6 +253,49 @@ for any protocol header addition. +--------|--------+ V =20 +PDCP Flow Diagram +~~~~~~~~~~~~~~~~~ + +Based on 3GPP TS 36.323 Evolved Universal Terrestrial Radio Access (E-UTRA= ); +Packet Data Convergence Protocol (PDCP) specification + +.. code-block:: c + + Transmitting PDCP Entity Receiving PDCP Entity + | ^ + | +-----------|-----------+ + V | In order delivery and | + +---------|----------+ | Duplicate detection | + | Sequence Numbering | | (Data Plane only) | + +---------|----------+ +-----------|-----------+ + | | + +---------|----------+ +-----------|----------+ + | Header Compression*| | Header Decompression*| + | (Data-Plane only) | | (Data Plane only) | + +---------|----------+ +-----------|----------+ + | | + +---------|-----------+ +-----------|----------+ + | Integrity Protection| |Integrity Verification| + | (Control Plane only)| | (Control Plane only) | + +---------|-----------+ +-----------|----------+ + +---------|-----------+ +----------|----------+ + | Ciphering | | Deciphering | + +---------|-----------+ +----------|----------+ + +---------|-----------+ +----------|----------+ + | Add PDCP header | | Remove PDCP Header | + +---------|-----------+ +----------|----------+ + | | + +----------------->>----------------+ + + +.. note:: + + * Header Compression and decompression are not supported currently. + +Just like IPsec, in case of PDCP also header addition/deletion, cipher/ +de-cipher, integrity protection/verification is done based on the action +type chosen. + Device Features and Capabilities --------------------------------- =20 @@ -271,7 +314,7 @@ structure in the *DPDK API Reference*. =20 Each driver (crypto or ethernet) defines its own private array of capabili= ties for the operations it supports. Below is an example of the capabilities fo= r a -PMD which supports the IPSec protocol. +PMD which supports the IPsec and PDCP protocol. =20 .. code-block:: c =20 
@@ -298,6 +341,24 @@ PMD which supports the IPSec protocol. }, .crypto_capabilities =3D pmd_capabilities }, + { /* PDCP Lookaside Protocol offload Data Plane */ + .action =3D RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol =3D RTE_SECURITY_PROTOCOL_PDCP, + .pdcp =3D { + .domain =3D RTE_SECURITY_PDCP_MODE_DATA, + .capa_flags =3D 0 + }, + .crypto_capabilities =3D pmd_capabilities + }, + { /* PDCP Lookaside Protocol offload Control */ + .action =3D RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol =3D RTE_SECURITY_PROTOCOL_PDCP, + .pdcp =3D { + .domain =3D RTE_SECURITY_PDCP_MODE_CONTROL, + .capa_flags =3D 0 + }, + .crypto_capabilities =3D pmd_capabilities + }, { .action =3D RTE_SECURITY_ACTION_TYPE_NONE } @@ -429,6 +490,7 @@ Security Session configuration structure is defined as = ``rte_security_session_co union { struct rte_security_ipsec_xform ipsec; struct rte_security_macsec_xform macsec; + struct rte_security_pdcp_xform pdcp; }; /**< Configuration parameters for security session */ struct rte_crypto_sym_xform *crypto_xform; @@ -463,15 +525,17 @@ The ``rte_security_session_protocol`` is defined as .. code-block:: c =20 enum rte_security_session_protocol { - RTE_SECURITY_PROTOCOL_IPSEC, + RTE_SECURITY_PROTOCOL_IPSEC =3D 1, /**< IPsec Protocol */ RTE_SECURITY_PROTOCOL_MACSEC, /**< MACSec Protocol */ + RTE_SECURITY_PROTOCOL_PDCP, + /**< PDCP Protocol */ }; =20 -Currently the library defines configuration parameters for IPSec only. For= other -protocols like MACSec, structures and enums are defined as place holders w= hich -will be updated in the future. +Currently the library defines configuration parameters for IPsec and PDCP = only. +For other protocols like MACSec, structures and enums are defined as place= holders +which will be updated in the future. =20 IPsec related configuration parameters are defined in ``rte_security_ipsec= _xform`` =20 
@@ -494,6 +558,35 @@ IPsec related configuration parameters are defined in = ``rte_security_ipsec_xform /**< Tunnel parameters, NULL for transport mode */ }; =20 +PDCP related configuration parameters are defined in ``rte_security_pdcp_x= form`` + +.. code-block:: c + + struct rte_security_pdcp_xform { + int8_t bearer; /**< PDCP bearer ID */ + /**< Enable in order delivery, this field shall be set only if + * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. + */ + uint8_t en_ordering; + /**< Notify driver/HW to detect and remove duplicate packets. + * This field should be set only when driver/hw is capable. + * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. + */ + uint8_t remove_duplicates; + /**< PDCP mode of operation: Control or data */ + enum rte_security_pdcp_domain domain; + /**< PDCP Frame Direction 0:UL 1:DL */ + enum rte_security_pdcp_direction pkt_dir; + /**< Sequence number size, 5/7/12/15/18 */ + enum rte_security_pdcp_sn_size sn_size; + /**< Starting Hyper Frame Number to be used together with the SN + * from the PDCP frames + */ + uint32_t hfn; + /**< HFN Threshold for key renegotiation */ + uint32_t hfn_threshold; + }; + =20 Security API ~~~~~~~~~~~~ diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_s= ecurity.c index 1954960a5..c6355de95 100644 --- a/lib/librte_security/rte_security.c +++ b/lib/librte_security/rte_security.c @@ -131,6 +131,10 @@ rte_security_capability_get(struct rte_security_ctx *i= nstance, capability->ipsec.direction =3D=3D idx->ipsec.direction) return capability; + } else if (idx->protocol =3D=3D RTE_SECURITY_PROTOCOL_PDCP) { + if (capability->pdcp.domain =3D=3D + idx->pdcp.domain) + return capability; } } } diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_s= ecurity.h index b0d1b97ee..de49017e1 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h 
@@ -206,6 +206,66 @@ struct rte_security_macsec_xform { int dummy; }; =20 +/** + * PDCP Mode of session + */ +enum rte_security_pdcp_domain { + RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */ + RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */ +}; + +/** PDCP Frame direction */ +enum rte_security_pdcp_direction { + RTE_SECURITY_PDCP_UPLINK, /**< Uplink */ + RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */ +}; + +/** + * PDCP Sequence Number Size selectors + * @PDCP_SN_SIZE_5: 5bit sequence number + * @PDCP_SN_SIZE_7: 7bit sequence number + * @PDCP_SN_SIZE_12: 12bit sequence number + * @PDCP_SN_SIZE_15: 15bit sequence number + * @PDCP_SN_SIZE_18: 18bit sequence number + */ +enum rte_security_pdcp_sn_size { + RTE_SECURITY_PDCP_SN_SIZE_5 =3D 5, + RTE_SECURITY_PDCP_SN_SIZE_7 =3D 7, + RTE_SECURITY_PDCP_SN_SIZE_12 =3D 12, + RTE_SECURITY_PDCP_SN_SIZE_15 =3D 15, + RTE_SECURITY_PDCP_SN_SIZE_18 =3D 18 +}; + +/** + * PDCP security association configuration data. + * + * This structure contains data required to create a PDCP security session= . + */ +struct rte_security_pdcp_xform { + int8_t bearer; /**< PDCP bearer ID */ + /**< Enable in order delivery, this field shall be set only if + * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. + */ + uint8_t en_ordering; + /**< Notify driver/HW to detect and remove duplicate packets. + * This field should be set only when driver/hw is capable. + * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. + */ + uint8_t remove_duplicates; + /**< PDCP mode of operation: Control or data */ + enum rte_security_pdcp_domain domain; + /**< PDCP Frame Direction 0:UL 1:DL */ + enum rte_security_pdcp_direction pkt_dir; + /**< Sequence number size, 5/7/12/15/18 */ + enum rte_security_pdcp_sn_size sn_size; + /**< Starting Hyper Frame Number to be used together with the SN + * from the PDCP frames + */ + uint32_t hfn; + /**< HFN Threshold for key renegotiation */ + uint32_t hfn_threshold; +}; + /** * Security session action type. */ 
@@ -232,6 +292,8 @@ enum rte_security_session_protocol { /**< IPsec Protocol */ RTE_SECURITY_PROTOCOL_MACSEC, /**< MACSec Protocol */ + RTE_SECURITY_PROTOCOL_PDCP, + /**< PDCP Protocol */ }; =20 /** @@ -246,6 +308,7 @@ struct rte_security_session_conf { union { struct rte_security_ipsec_xform ipsec; struct rte_security_macsec_xform macsec; + struct rte_security_pdcp_xform pdcp; }; /**< Configuration parameters for security session */ struct rte_crypto_sym_xform *crypto_xform; @@ -413,6 +476,10 @@ struct rte_security_ipsec_stats { =20 }; =20 +struct rte_security_pdcp_stats { + uint64_t reserved; +}; + struct rte_security_stats { enum rte_security_session_protocol protocol; /**< Security protocol to be configured */ @@ -421,6 +488,7 @@ struct rte_security_stats { union { struct rte_security_macsec_stats macsec; struct rte_security_ipsec_stats ipsec; + struct rte_security_pdcp_stats pdcp; }; }; =20 @@ -465,6 +533,13 @@ struct rte_security_capability { int dummy; } macsec; /**< MACsec capability */ + struct { + enum rte_security_pdcp_domain domain; + /** < PDCP mode of operation: Control or data */ + uint32_t capa_flags; + /** < Capabilitity flags, see RTE_SECURITY_PDCP_* */ + } pdcp; + /**< PDCP capability */ }; =20 const struct rte_cryptodev_capabilities *crypto_capabilities; 
@@ -474,6 +549,19 @@ struct rte_security_capability { /**< Device offload flags */ }; =20 +/**< Underlying Hardware/driver which support PDCP may or may not support + * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. + * If it is not set, driver/HW assumes packets received are in order + * and it will be application's responsibility to maintain ordering. + */ +#define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 + +/**< Underlying Hardware/driver which support PDCP may or may not detect + * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. + * If it is not set, driver/HW assumes there is no duplicate packet receiv= ed. + */ +#define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 + #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 /**< HW needs metadata update, see rte_security_set_pkt_metadata(). */ @@ -506,6 +594,10 @@ struct rte_security_capability_idx { enum rte_security_ipsec_sa_mode mode; enum rte_security_ipsec_sa_direction direction; } ipsec; + struct { + enum rte_security_pdcp_domain domain; + uint32_t capa_flags; + } pdcp; }; }; =20 --=20 2.17.1
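
Review bot: in the `.. note::` added under the PDCP flow diagram in rte_security.rst, the line `* Header Compression and decompression are not supported currently.` will be parsed by reST as a one-item bullet list, so the asterisk meant to tie back to `Header Compression*` and `Header Decompression*` in the diagram is lost in the rendered page. Write the note as a plain sentence that names the two boxes instead. The diagram also mixes `(Data-Plane only)` and `(Data Plane only)`; pick one spelling.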
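
Review bot: the `rte_security_session_protocol` listing in rte_security.rst now shows `RTE_SECURITY_PROTOCOL_IPSEC = 1`, but the rte_security.h hunk for the same enum only appends `RTE_SECURITY_PROTOCOL_PDCP` and does not include the IPSEC line in its context, so this patch alone does not show that the header agrees. The commit message does not mention the change either. Please confirm the documented value matches the header, and if this is a documentation sync unrelated to PDCP, say so in the log or split it out.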
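
Review bot: the new PDCP branch in `rte_security_capability_get()` (rte_security.c) returns the first capability whose `pdcp.domain` equals `idx->pdcp.domain` and never looks at `idx->pdcp.capa_flags`, although this patch adds `capa_flags` to `struct rte_security_capability_idx`. A caller that sets `RTE_SECURITY_PDCP_ORDERING_CAP` or `RTE_SECURITY_PDCP_DUP_DETECT_CAP` in the index gets back an entry that may not advertise it, and could then enable `en_ordering` or `remove_duplicates` on a device that does neither. Either require `(capability->pdcp.capa_flags & idx->pdcp.capa_flags) == idx->pdcp.capa_flags` in the match, or drop `capa_flags` from the index and document that the caller must check the flags on the returned capability.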
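
Review bot: in `struct rte_security_pdcp_xform` (rte_security.h, and the copy in rte_security.rst) the member comments open with `/**<` but sit before the member they describe. Doxygen attaches `/**<` to the preceding declaration, so the ordering text lands on `bearer`, the duplicate-detection text on `en_ordering`, and so on down to `hfn`, leaving `hfn_threshold` undocumented. Use `/**` for comments that precede a member, or move each comment after its member. In the same hunk the `rte_security_pdcp_sn_size` block lists `@PDCP_SN_SIZE_5` through `@PDCP_SN_SIZE_18`, which do not match the `RTE_SECURITY_PDCP_SN_SIZE_*` enumerators, and the `hfn_threshold` comment does not say what the driver does once the threshold is reached.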
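
Review bot: in the rte_security.h hunk that adds `RTE_SECURITY_PDCP_ORDERING_CAP` and `RTE_SECURITY_PDCP_DUP_DETECT_CAP`, the comments say what the driver assumes when a flag is not set, but nothing states what happens when an application sets `en_ordering` or `remove_duplicates` in the xform on a device that lacks the flag. State the expected result (for example, that session creation fails) so applications do not silently run without duplicate detection. These two comments also use `/**<` ahead of the `#define`, and the capability struct hunk has `/** <` with a space and the typo `Capabilitity`.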