From: Matan Azrad
To: dev@dpdk.org
Cc: Akhil Goyal, Declan Doherty, Somalapuram Amaranath, Ruifeng Wang, Ajit Khaparde, Anoob Joseph, Fan Zhang, John Griffin, Pablo de Lara, Michael Shamis, Nagadheeraj Rottela, Ankur Dwivedi, Gagandeep Singh, Jay Zhou, ArkadiuszX Kusztal, sashakot@nvidia.com, oren@nvidia.com, Shiri Kuzin
Date: Tue, 13 Apr 2021 09:37:18 +0300
Message-Id: <20210413063718.3123698-1-matan@nvidia.com>
In-Reply-To: <20210411140053.2914307-1-matan@nvidia.com>
Subject: [dpdk-dev] [PATCH v3] cryptodev: formalize key wrap method in API
List-Id: DPDK patches and discussions

The Key Wrap approach is used by applications in order to protect keys located in untrusted storage or transmitted over untrusted communications networks. The constructions are typically built from standard primitives such as block ciphers and cryptographic hash functions.

The Key Wrap method and its parameters are a secret between the key provider and the device, meaning that the device is preconfigured for this method in a very secure way.

The key wrap method may change the key length and layout.

Add a description for the cipher transformation key to allow a wrapped key to be forwarded by the same API.

Add a new feature flag RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY to be enabled by PMDs supporting wrapped keys in the cipher transformation.
Signed-off-by: Matan Azrad
---
V2: Address Akhil's comment to introduce a new feature flag for wrapped keys.
V3: Improve descriptions/spelling as suggested by Akhil.
doc/guides/cryptodevs/features/default.ini | 1 + doc/guides/cryptodevs/overview.rst | 3 +++ doc/guides/rel_notes/release_21_05.rst | 5 +++++ lib/librte_cryptodev/rte_crypto_sym.h | 8 ++++++++ lib/librte_cryptodev/rte_cryptodev.c | 2 ++ lib/librte_cryptodev/rte_cryptodev.h | 2 ++ 6 files changed, 21 insertions(+) diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini index 978bb30cc1..c24814de98 100644 --- a/doc/guides/cryptodevs/features/default.ini +++ b/doc/guides/cryptodevs/features/default.ini @@ -32,6 +32,7 @@ Symmetric sessionless = Non-Byte aligned data = Sym raw data path API = Cipher multiple data units = +Cipher wrapped key = ; ; Supported crypto algorithms of a default crypto driver. diff --git a/doc/guides/cryptodevs/overview.rst b/doc/guides/cryptodevs/overview.rst index e24e3e1993..b87c4c6a27 100644 --- a/doc/guides/cryptodevs/overview.rst +++ b/doc/guides/cryptodevs/overview.rst @@ -49,6 +49,9 @@ Supported Feature Flags - "CIPHER_MULTIPLE_DATA_UNITS" feature flag means PMD support operations on multiple data-units message. + - "CIPHER_WRAPPED_KEY" feature flag means PMD support wrapped key in cipher + xform. + Supported Cipher Algorithms --------------------------- diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst index 1537fac4bc..24b8b28253 100644 --- a/doc/guides/rel_notes/release_21_05.rst +++ b/doc/guides/rel_notes/release_21_05.rst @@ -132,6 +132,11 @@ New Features data-units for AES-XTS algorithm, the data-unit length should be set in the transformation. A capability for it was added too. +* **Added a crypto PMD feature flag to support cipher wrapped keys.** + + A new feature flag is added to allow application to provide cipher wrapped + keys in session xforms. + Removed Items ------------- 
diff --git a/lib/librte_cryptodev/rte_crypto_sym.h b/lib/librte_cryptodev/rte_crypto_sym.h index 5973e31f30..a1fb5b0f5c 100644 --- a/lib/librte_cryptodev/rte_crypto_sym.h +++ b/lib/librte_cryptodev/rte_crypto_sym.h @@ -200,6 +200,14 @@ struct rte_crypto_cipher_xform { uint16_t length; /**< key length in bytes */ } key; /**< Cipher key + * + * In case the PMD supports RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY, the + * original key data provided may be wrapped(encrypted) using key wrap + * algorithm such as AES key wrap (rfc3394) and hence length of the key + * may increase beyond the PMD advertised supported key size. + * PMD shall validate the key length and report EMSGSIZE error while + * configuring the session and application can skip checking the + * capability key length in such cases. * * For the RTE_CRYPTO_CIPHER_AES_F8 mode of operation, key.data will * point to a concatenation of the AES encryption key followed by a diff --git a/lib/librte_cryptodev/rte_cryptodev.c b/lib/librte_cryptodev/rte_cryptodev.c index e02e001325..a84cd745f9 100644 --- a/lib/librte_cryptodev/rte_cryptodev.c +++ b/lib/librte_cryptodev/rte_cryptodev.c @@ -619,6 +619,8 @@ rte_cryptodev_get_feature_name(uint64_t flag) return "NON_BYTE_ALIGNED_DATA"; case RTE_CRYPTODEV_FF_CIPHER_MULTIPLE_DATA_UNITS: return "CIPHER_MULTIPLE_DATA_UNITS"; + case RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY: + return "CIPHER_WRAPPED_KEY"; default: return NULL; } diff --git a/lib/librte_cryptodev/rte_cryptodev.h b/lib/librte_cryptodev/rte_cryptodev.h index c274e208ed..a823831065 100644 --- a/lib/librte_cryptodev/rte_cryptodev.h +++ b/lib/librte_cryptodev/rte_cryptodev.h 
@@ -476,6 +476,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum, /**< Support accelerator specific symmetric raw data-path APIs */ #define RTE_CRYPTODEV_FF_CIPHER_MULTIPLE_DATA_UNITS (1ULL << 25) /**< Support operations on multiple data-units message */ +#define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL << 26) +/**< Support wrapped key in cipher xform */ /** * Get the name of a crypto device feature flag -- 2.25.1
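Review bot: the new overview.rst bullet is ungrammatical and says less than the header comment it documents: "PMD support wrapped key in cipher xform" should read "the PMD supports wrapped keys in the cipher xform", and it is worth adding that the key length may then exceed the advertised capability, since that is the behaviour a user reading the overview needs to know.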
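Review bot: in the release_21_05.rst hunk, "allow application to provide cipher wrapped keys" should be "allow applications to provide wrapped cipher keys", and the note should mention the user-visible consequence spelled out in rte_crypto_sym.h: the wrapped key length may exceed the PMD's advertised key size and the PMD validates it when the session is configured.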
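Review bot: the new key comment in rte_crypto_sym.h does not say how a PMD tells a wrapped key from a raw one. struct rte_crypto_cipher_xform gains no flag or wrap-method field, so a device advertising RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY must either treat every key.data as wrapped or decide by length, and a raw key and a wrapped key of equal length cannot be told apart; the commit message says the method is preconfigured out of band, and that rule belongs in this comment. Also spell out the return convention behind "report EMSGSIZE error" (which call returns it, and whether as a negative errno like DPDK's other session errors), fix "wrapped(encrypted)" to "wrapped (encrypted)" and "rfc3394" to "RFC 3394", and replace "application can skip checking the capability key length" with "the application need not check the key length against the capability", since the current wording reads as permission rather than a statement of what the capability check covers.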
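Review bot: the one-line doc comment on RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY, "Support wrapped key in cipher xform", should point the reader at the key description in struct rte_crypto_cipher_xform, where the actual contract lives (length may exceed the advertised key size, EMSGSIZE on a bad length); as written, a PMD author reading only rte_cryptodev.h cannot tell what setting bit 26 commits the driver to, and the string "CIPHER_WRAPPED_KEY" returned by rte_cryptodev_get_feature_name is the only other hint.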