From: Ankur Dwivedi <adwivedi@marvell.com>
To: <dev@dpdk.org>
Cc: <akhil.goyal@nxp.com>, <radu.nicolau@intel.com>,
<anoobj@marvell.com>, Ankur Dwivedi <adwivedi@marvell.com>
Subject: [dpdk-dev] [PATCH 1/2] net/octeontx2: add anti replay support in security session
Date: Thu, 3 Sep 2020 16:48:35 +0530 [thread overview]
Message-ID: <20200903111836.6864-2-adwivedi@marvell.com> (raw)
In-Reply-To: <20200903111836.6864-1-adwivedi@marvell.com>
Initialize the inbound session for anti replay. The replay
window is allocated during session create and freed in session destroy.
Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
---
drivers/crypto/octeontx2/otx2_ipsec_fp.h | 29 ++++++++++++++--
drivers/crypto/octeontx2/otx2_security.h | 3 ++
drivers/net/octeontx2/otx2_ethdev_sec.c | 42 ++++++++++++++++++++++++
3 files changed, 71 insertions(+), 3 deletions(-)
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_fp.h b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
index 52b3b41e2..a33041d77 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_fp.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
@@ -8,6 +8,17 @@
#include <rte_crypto_sym.h>
#include <rte_security.h>
+/* Macros for anti replay and ESN */
+#define OTX2_IPSEC_MAX_REPLAY_WIN_SZ 1024
+#define OTX2_IPSEC_SAINDEX_SZ 4
+#define OTX2_IPSEC_SEQNO_LO 4
+
+#define OTX2_IPSEC_SEQNO_LO_INDEX (RTE_ETHER_HDR_LEN + \
+ OTX2_IPSEC_SAINDEX_SZ)
+
+#define OTX2_IPSEC_SEQNO_HI_INDEX (OTX2_IPSEC_SEQNO_LO_INDEX + \
+ OTX2_IPSEC_SEQNO_LO)
+
enum {
OTX2_IPSEC_FP_SA_DIRECTION_INBOUND = 0,
OTX2_IPSEC_FP_SA_DIRECTION_OUTBOUND = 1,
@@ -105,6 +116,14 @@ struct otx2_ipsec_fp_out_sa {
uint8_t hmac_key[48];
};
+struct otx2_ipsec_replay {
+ rte_spinlock_t lock;
+ uint32_t winb;
+ uint32_t wint;
+ uint64_t base; /**< base of the anti-replay window */
+ uint64_t window[17]; /**< anti-replay window */
+};
+
struct otx2_ipsec_fp_in_sa {
/* w0 */
struct otx2_ipsec_fp_sa_ctl ctl;
@@ -114,8 +133,8 @@ struct otx2_ipsec_fp_in_sa {
uint32_t unused;
/* w2 */
- uint32_t esn_low;
uint32_t esn_hi;
+ uint32_t esn_low;
/* w3-w6 */
uint8_t cipher_key[32];
@@ -128,9 +147,13 @@ struct otx2_ipsec_fp_in_sa {
void *userdata;
uint64_t udata64;
};
+ union {
+ struct otx2_ipsec_replay *replay;
+ uint64_t replay64;
+ };
+ uint32_t replay_win_sz;
- uint64_t reserved1;
- uint64_t reserved2;
+ uint32_t reserved1;
};
static inline int
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index 086b50604..33d3b1515 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -5,6 +5,8 @@
#ifndef __OTX2_SECURITY_H__
#define __OTX2_SECURITY_H__
+#include <rte_security.h>
+
#include "otx2_cryptodev_sec.h"
#include "otx2_ethdev_sec.h"
@@ -20,6 +22,7 @@
union otx2_sec_session_ipsec {
struct otx2_sec_session_ipsec_ip ip;
struct otx2_sec_session_ipsec_lp lp;
+ enum rte_security_ipsec_sa_direction dir;
};
struct otx2_sec_session {
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index a155594e2..af91e30f4 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -360,6 +360,7 @@ eth_sec_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
struct otx2_cpt_qp *qp;
priv = get_sec_session_private_data(sec_sess);
+ priv->ipsec.dir = RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
sess = &priv->ipsec.ip;
sa = &sess->out_sa;
@@ -482,6 +483,7 @@ eth_sec_ipsec_in_sess_create(struct rte_eth_dev *eth_dev,
ctl = &sa->ctl;
priv = get_sec_session_private_data(sec_sess);
+ priv->ipsec.dir = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
sess = &priv->ipsec.ip;
if (ctl->valid) {
@@ -519,6 +521,8 @@ eth_sec_ipsec_in_sess_create(struct rte_eth_dev *eth_dev,
sa->userdata = priv->userdata;
+ sa->replay_win_sz = ipsec->replay_win_sz;
+
if (lookup_mem_sa_index_update(eth_dev, ipsec->spi, sa))
return -EINVAL;
@@ -533,7 +537,32 @@ eth_sec_ipsec_in_sess_create(struct rte_eth_dev *eth_dev,
return ret;
ret = hmac_init(ctl, qp, auth_key, auth_key_len, sa->hmac_key);
otx2_sec_idev_tx_cpt_qp_put(qp);
+ if (ret)
+ return ret;
}
+
+ if (sa->replay_win_sz) {
+ if (sa->replay_win_sz > OTX2_IPSEC_MAX_REPLAY_WIN_SZ) {
+ otx2_err("Replay window size is not supported");
+ return -ENOTSUP;
+ }
+ sa->replay = rte_zmalloc(NULL, sizeof(struct otx2_ipsec_replay),
+ 0);
+ if (sa->replay == NULL)
+ return -ENOMEM;
+
+ rte_spinlock_init(&sa->replay->lock);
+ /*
+ * Set window bottom to 1, base and top to size of
+ * window
+ */
+ sa->replay->winb = 1;
+ sa->replay->wint = sa->replay_win_sz;
+ sa->replay->base = sa->replay_win_sz;
+ sa->esn_low = 0;
+ sa->esn_hi = 0;
+ }
+
return ret;
}
@@ -600,6 +629,15 @@ otx2_eth_sec_session_create(void *device,
return ret;
}
+static void
+otx2_eth_sec_free_anti_replay(struct otx2_ipsec_fp_in_sa *sa)
+{
+ if (sa != NULL) {
+ if (sa->replay_win_sz && sa->replay)
+ rte_free(sa->replay);
+ }
+}
+
static int
otx2_eth_sec_session_destroy(void *device __rte_unused,
struct rte_security_session *sess)
@@ -615,6 +653,10 @@ otx2_eth_sec_session_destroy(void *device __rte_unused,
sess_ip = &priv->ipsec.ip;
+ /* Release the anti replay window */
+ if (priv->ipsec.dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+ otx2_eth_sec_free_anti_replay(sess_ip->in_sa);
+
/* Release CPT LF used for this session */
if (sess_ip->qp != NULL) {
ret = otx2_sec_idev_tx_cpt_qp_put(sess_ip->qp);
--
2.28.0
next prev parent reply other threads:[~2020-09-03 11:20 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-03 11:18 [dpdk-dev] [PATCH 0/2] add anti replay support in OCTEON TX2 security Ankur Dwivedi
2020-09-03 11:18 ` Ankur Dwivedi [this message]
2020-09-03 11:18 ` [dpdk-dev] [PATCH 2/2] net/octeontx2: add replay check for inline inbound packets Ankur Dwivedi
2020-09-18 4:31 ` [dpdk-dev] [PATCH 0/2] add anti replay support in OCTEON TX2 security Anoob Joseph
2020-09-27 12:31 ` Jerin Jacob
2020-09-18 11:09 ` [dpdk-dev] [PATCH v2 " Ankur Dwivedi
2020-09-18 11:09 ` [dpdk-dev] [PATCH v2 1/2] net/octeontx2: add anti replay support in security session Ankur Dwivedi
2020-09-18 11:09 ` [dpdk-dev] [PATCH v2 2/2] net/octeontx2: add replay check for inline inbound packets Ankur Dwivedi
2020-10-09 13:46 ` [dpdk-dev] [PATCH v2 0/2] add anti replay support in OCTEON TX2 security Ankur Dwivedi
2020-10-09 14:50 ` Ankur Dwivedi
2020-10-09 14:54 ` Akhil Goyal
2020-10-09 15:13 ` Ankur Dwivedi
2020-10-09 18:54 ` Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200903111836.6864-2-adwivedi@marvell.com \
--to=adwivedi@marvell.com \
--cc=akhil.goyal@nxp.com \
--cc=anoobj@marvell.com \
--cc=dev@dpdk.org \
--cc=radu.nicolau@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).