From: Tejasree Kondoj <ktejasree@marvell.com>
To: Akhil Goyal <gakhil@marvell.com>,
Radu Nicolau <radu.nicolau@intel.com>,
Declan Doherty <declan.doherty@intel.com>
Cc: Tejasree Kondoj <ktejasree@marvell.com>,
Anoob Joseph <anoobj@marvell.com>,
Ankur Dwivedi <adwivedi@marvell.com>,
Jerin Jacob <jerinj@marvell.com>,
Konstantin Ananyev <konstantin.ananyev@intel.com>,
Ciara Power <ciara.power@intel.com>,
Hemant Agrawal <hemant.agrawal@nxp.com>,
Gagandeep Singh <g.singh@nxp.com>,
Fan Zhang <roy.fan.zhang@intel.com>,
Archana Muniganti <marchana@marvell.com>, <dev@dpdk.org>
Subject: [dpdk-dev] [PATCH 2/3] common/cnxk: add support for tunnel header verification
Date: Wed, 8 Sep 2021 13:51:10 +0530 [thread overview]
Message-ID: <20210908082111.27396-3-ktejasree@marvell.com> (raw)
In-Reply-To: <20210908082111.27396-1-ktejasree@marvell.com>
Adding support to verify tunnel header in IPsec inbound.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
drivers/common/cnxk/cnxk_security.c | 60 +++++++++++++++++++
drivers/common/cnxk/roc_ie_ot.h | 6 +-
.../crypto/cnxk/cnxk_cryptodev_capabilities.c | 4 ++
3 files changed, 69 insertions(+), 1 deletion(-)
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index 215d9fd4d1..cc5daf333c 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -199,6 +199,62 @@ ot_ipsec_inb_ctx_size(struct roc_ot_ipsec_inb_sa *sa)
return size;
}
+static int
+ot_ipsec_inb_tunnel_hdr_fill(struct roc_ot_ipsec_inb_sa *sa,
+ struct rte_security_ipsec_xform *ipsec_xfrm)
+{
+ struct rte_security_ipsec_tunnel_param *tunnel;
+
+ if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+ return 0;
+
+ if (ipsec_xfrm->options.tunnel_hdr_verify == 0)
+ return 0;
+
+ tunnel = &ipsec_xfrm->tunnel;
+
+ switch (tunnel->type) {
+ case RTE_SECURITY_IPSEC_TUNNEL_IPV4:
+ sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
+ memcpy(&sa->outer_hdr.ipv4.src_addr, &tunnel->ipv4.src_ip,
+ sizeof(struct in_addr));
+ memcpy(&sa->outer_hdr.ipv4.dst_addr, &tunnel->ipv4.dst_ip,
+ sizeof(struct in_addr));
+
+ /* IP Source and Dest are in LE/CPU endian */
+ sa->outer_hdr.ipv4.src_addr =
+ rte_be_to_cpu_32(sa->outer_hdr.ipv4.src_addr);
+ sa->outer_hdr.ipv4.dst_addr =
+ rte_be_to_cpu_32(sa->outer_hdr.ipv4.dst_addr);
+
+ break;
+ case RTE_SECURITY_IPSEC_TUNNEL_IPV6:
+ sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_6;
+ memcpy(&sa->outer_hdr.ipv6.src_addr, &tunnel->ipv6.src_addr,
+ sizeof(struct in6_addr));
+ memcpy(&sa->outer_hdr.ipv6.dst_addr, &tunnel->ipv6.dst_addr,
+ sizeof(struct in6_addr));
+
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ switch (ipsec_xfrm->options.tunnel_hdr_verify) {
+ case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR:
+ sa->w2.s.ip_hdr_verify = ROC_IE_OT_SA_IP_HDR_VERIFY_DST_ADDR;
+ break;
+ case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR:
+ sa->w2.s.ip_hdr_verify =
+ ROC_IE_OT_SA_IP_HDR_VERIFY_SRC_DST_ADDR;
+ break;
+ default:
+ return -ENOTSUP;
+ }
+
+ return 0;
+}
+
int
cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
struct rte_security_ipsec_xform *ipsec_xfrm,
@@ -229,6 +285,10 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
sa->w0.s.ar_win = rte_log2_u32(replay_win_sz) - 5;
}
+ rc = ot_ipsec_inb_tunnel_hdr_fill(sa, ipsec_xfrm);
+ if (rc)
+ return rc;
+
/* Default options for pkt_out and pkt_fmt are with
* second pass meta and no defrag.
*/
diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h
index 1ff468841d..12c75afac2 100644
--- a/drivers/common/cnxk/roc_ie_ot.h
+++ b/drivers/common/cnxk/roc_ie_ot.h
@@ -180,7 +180,11 @@ union roc_ot_ipsec_sa_word2 {
uint64_t auth_type : 4;
uint64_t encap_type : 2;
- uint64_t rsvd1 : 6;
+ uint64_t et_ovrwr_ddr_en : 1;
+ uint64_t esn_en : 1;
+ uint64_t tport_l4_incr_csum : 1;
+ uint64_t ip_hdr_verify : 2;
+ uint64_t rsvd5 : 1;
uint64_t rsvd2 : 7;
uint64_t async_mode : 1;
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 4b97639e56..8a0cf289fd 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -920,6 +920,10 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
#ifdef LA_IPSEC_DEBUG
sec_cap->ipsec.options.iv_gen_disable = 1;
#endif
+ } else {
+ if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+ sec_cap->ipsec.options.tunnel_hdr_verify =
+ RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
}
}
--
2.27.0
next prev parent reply other threads:[~2021-09-08 7:28 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-08 8:21 [dpdk-dev] [PATCH 0/3] add option to configure " Tejasree Kondoj
2021-09-08 8:21 ` [dpdk-dev] [PATCH 1/3] security: " Tejasree Kondoj
2021-09-08 7:46 ` Hemant Agrawal
2021-09-08 10:42 ` Akhil Goyal
2021-09-08 8:21 ` Tejasree Kondoj [this message]
2021-09-08 8:21 ` [dpdk-dev] [PATCH 3/3] test/crypto: add tunnel header verification tests Tejasree Kondoj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210908082111.27396-3-ktejasree@marvell.com \
--to=ktejasree@marvell.com \
--cc=adwivedi@marvell.com \
--cc=anoobj@marvell.com \
--cc=ciara.power@intel.com \
--cc=declan.doherty@intel.com \
--cc=dev@dpdk.org \
--cc=g.singh@nxp.com \
--cc=gakhil@marvell.com \
--cc=hemant.agrawal@nxp.com \
--cc=jerinj@marvell.com \
--cc=konstantin.ananyev@intel.com \
--cc=marchana@marvell.com \
--cc=radu.nicolau@intel.com \
--cc=roy.fan.zhang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).