DPDK patches and discussions
 help / color / mirror / Atom feed
From: Matan Azrad <matan@nvidia.com>
To: dev@dpdk.org
Cc: Akhil Goyal <gakhil@marvell.com>,
	Declan Doherty <declan.doherty@intel.com>,
	Somalapuram Amaranath <asomalap@amd.com>,
	Ruifeng Wang <ruifeng.wang@arm.com>,
	Ajit Khaparde <ajit.khaparde@broadcom.com>,
	Anoob Joseph <anoobj@marvell.com>,
	Fan Zhang <roy.fan.zhang@intel.com>,
	John Griffin <john.griffin@intel.com>,
	Pablo de Lara <pablo.de.lara.guarch@intel.com>,
	Michael Shamis <michaelsh@marvell.com>,
	Nagadheeraj Rottela <rnagadheeraj@marvell.com>,
	Ankur Dwivedi <adwivedi@marvell.com>,
	Gagandeep Singh <g.singh@nxp.com>,
	Jay Zhou <jianjay.zhou@huawei.com>,
	ArkadiuszX Kusztal <arkadiuszx.kusztal@intel.com>,
	sashakot@nvidia.com, oren@nvidia.com,
	Shiri Kuzin <shirik@nvidia.com>
Subject: [dpdk-dev] [PATCH v2] cryptodev: formalize key wrap method in API
Date: Sun, 11 Apr 2021 17:00:53 +0300	[thread overview]
Message-ID: <20210411140053.2914307-1-matan@nvidia.com> (raw)
In-Reply-To: <1615877501-164036-1-git-send-email-matan@nvidia.com>

The Key Wrap approach is used by applications in order to protect keys
located in untrusted storage or transmitted over untrusted
communications networks. The constructions are typically built from
standard primitives such as block ciphers and cryptographic hash
functions.

The Key Wrap method and its parameters are a secret between the keys
provider and the device, means that the device is preconfigured for
this method using very secured way.

The key wrap method may change the key length and layout.

Add a description for the cipher transformation key to allow wrapped key
to be forwarded by the same API.

Add a new feature flag RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY to be enabled
by PMDs support wrapped key in cipher trasformation.

Signed-off-by: Matan Azrad <matan@nvidia.com>
---

V2:
Address Akhil coment to introduce ne feature flag for wrapped keys.


 doc/guides/cryptodevs/features/default.ini | 1 +
 doc/guides/cryptodevs/overview.rst         | 3 +++
 doc/guides/rel_notes/release_21_05.rst     | 5 +++++
 lib/librte_cryptodev/rte_crypto_sym.h      | 8 ++++++++
 lib/librte_cryptodev/rte_cryptodev.c       | 2 ++
 lib/librte_cryptodev/rte_cryptodev.h       | 2 ++
 6 files changed, 21 insertions(+)

diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini
index 978bb30cc1..c24814de98 100644
--- a/doc/guides/cryptodevs/features/default.ini
+++ b/doc/guides/cryptodevs/features/default.ini
@@ -32,6 +32,7 @@ Symmetric sessionless  =
 Non-Byte aligned data  =
 Sym raw data path API  =
 Cipher multiple data units =
+Cipher wrapped key     =
 
 ;
 ; Supported crypto algorithms of a default crypto driver.
diff --git a/doc/guides/cryptodevs/overview.rst b/doc/guides/cryptodevs/overview.rst
index e24e3e1993..47b1231226 100644
--- a/doc/guides/cryptodevs/overview.rst
+++ b/doc/guides/cryptodevs/overview.rst
@@ -49,6 +49,9 @@ Supported Feature Flags
    - "CIPHER_MULTIPLE_DATA_UNITS" feature flag means PMD support operations
       on multiple data-units message.
 
+   - "CIPHER_WRAPPED_KEY" feature flag means PMD support wrapped key in cipher
+      transformation.
+
 
 Supported Cipher Algorithms
 ---------------------------
diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst
index 1537fac4bc..75b2b86c5f 100644
--- a/doc/guides/rel_notes/release_21_05.rst
+++ b/doc/guides/rel_notes/release_21_05.rst
@@ -132,6 +132,11 @@ New Features
   data-units for AES-XTS algorithm, the data-unit length should be set in the
   transformation. A capability for it was added too.
 
+* **Added feature to support cipher wrapped key on cryptodev library API.**
+
+  The Cryptodev library has been enhanced to allow providing wrapped key in
+  cipher transformation. 
+
 
 Removed Items
 -------------
diff --git a/lib/librte_cryptodev/rte_crypto_sym.h b/lib/librte_cryptodev/rte_crypto_sym.h
index 5973e31f30..0e08d2ef9e 100644
--- a/lib/librte_cryptodev/rte_crypto_sym.h
+++ b/lib/librte_cryptodev/rte_crypto_sym.h
@@ -200,6 +200,14 @@ struct rte_crypto_cipher_xform {
 		uint16_t length;	/**< key length in bytes */
 	} key;
 	/**< Cipher key
+	 * When the device RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY feature is
+	 * enabled, the original key data may be provided wrapped (encrypted)
+	 * using a key wrap algorithm such as AES key wrap (from rfc3394) or
+	 * other. In such case, the wrapping details is a secret between the key
+	 * provider and the device. Such key wrapping may increase the length of
+	 * the provided key beyond the advertised supported key size. Hence it
+	 * is the responsibility of the driver/device to validate the length of
+	 * the provided key.
 	 *
 	 * For the RTE_CRYPTO_CIPHER_AES_F8 mode of operation, key.data will
 	 * point to a concatenation of the AES encryption key followed by a
diff --git a/lib/librte_cryptodev/rte_cryptodev.c b/lib/librte_cryptodev/rte_cryptodev.c
index e02e001325..a84cd745f9 100644
--- a/lib/librte_cryptodev/rte_cryptodev.c
+++ b/lib/librte_cryptodev/rte_cryptodev.c
@@ -619,6 +619,8 @@ rte_cryptodev_get_feature_name(uint64_t flag)
 		return "NON_BYTE_ALIGNED_DATA";
 	case RTE_CRYPTODEV_FF_CIPHER_MULTIPLE_DATA_UNITS:
 		return "CIPHER_MULTIPLE_DATA_UNITS";
+	case RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY:
+		return "CIPHER_WRAPPED_KEY";
 	default:
 		return NULL;
 	}
diff --git a/lib/librte_cryptodev/rte_cryptodev.h b/lib/librte_cryptodev/rte_cryptodev.h
index c274e208ed..16c20de94c 100644
--- a/lib/librte_cryptodev/rte_cryptodev.h
+++ b/lib/librte_cryptodev/rte_cryptodev.h
@@ -476,6 +476,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum,
 /**< Support accelerator specific symmetric raw data-path APIs */
 #define RTE_CRYPTODEV_FF_CIPHER_MULTIPLE_DATA_UNITS	(1ULL << 25)
 /**< Support operations on multiple data-units message */
+#define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY		(1ULL << 26)
+/**< Support wrapped key in cipher transformation  */
 
 /**
  * Get the name of a crypto device feature flag
-- 
2.25.1


  reply	other threads:[~2021-04-11 14:01 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-16  6:51 [dpdk-dev] [PATCH] " Matan Azrad
2021-04-11 14:00 ` Matan Azrad [this message]
2021-04-11 20:26   ` [dpdk-dev] [EXT] [PATCH v2] " Akhil Goyal
2021-04-13  6:37   ` [dpdk-dev] [PATCH v3] " Matan Azrad
2021-04-13  9:58     ` [dpdk-dev] [EXT] " Akhil Goyal
2021-04-16 10:39       ` Akhil Goyal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210411140053.2914307-1-matan@nvidia.com \
    --to=matan@nvidia.com \
    --cc=adwivedi@marvell.com \
    --cc=ajit.khaparde@broadcom.com \
    --cc=anoobj@marvell.com \
    --cc=arkadiuszx.kusztal@intel.com \
    --cc=asomalap@amd.com \
    --cc=declan.doherty@intel.com \
    --cc=dev@dpdk.org \
    --cc=g.singh@nxp.com \
    --cc=gakhil@marvell.com \
    --cc=jianjay.zhou@huawei.com \
    --cc=john.griffin@intel.com \
    --cc=michaelsh@marvell.com \
    --cc=oren@nvidia.com \
    --cc=pablo.de.lara.guarch@intel.com \
    --cc=rnagadheeraj@marvell.com \
    --cc=roy.fan.zhang@intel.com \
    --cc=ruifeng.wang@arm.com \
    --cc=sashakot@nvidia.com \
    --cc=shirik@nvidia.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).