From: Hemant Agrawal <hemant.agrawal@nxp.com>
To: dev@dpdk.org
Cc: gakhil@marvell.com
Subject: [PATCH 11/12] crypto/dpaa2_sec: add NAT-T support in IPsec offload
Date: Wed, 23 Aug 2023 12:38:54 +0530 [thread overview]
Message-ID: <20230823070855.27532-12-hemant.agrawal@nxp.com> (raw)
In-Reply-To: <20230823070855.27532-1-hemant.agrawal@nxp.com>
This patch adds supports for UDP encapsulation in NAT-T for
IPSEC security protocol offload case.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 101 ++++++++++++++------
drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 3 +
2 files changed, 75 insertions(+), 29 deletions(-)
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index 7fd15de1a5..675ee49489 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -10,6 +10,7 @@
#include <unistd.h>
#include <rte_ip.h>
+#include <rte_udp.h>
#include <rte_mbuf.h>
#include <rte_cryptodev.h>
#include <rte_malloc.h>
@@ -3162,9 +3163,9 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
session->ctxt_type = DPAA2_SEC_IPSEC;
if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
- uint8_t *hdr = NULL;
- struct ip ip4_hdr;
- struct rte_ipv6_hdr ip6_hdr;
+ uint8_t hdr[48] = {};
+ struct rte_ipv4_hdr *ip4_hdr;
+ struct rte_ipv6_hdr *ip6_hdr;
struct ipsec_encap_pdb encap_pdb;
flc->dhr = SEC_FLC_DHR_OUTBOUND;
@@ -3187,38 +3188,77 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) |
PDBOPTS_ESP_OIHI_PDB_INL |
- PDBOPTS_ESP_IVSRC |
PDBHMO_ESP_SNR;
- if (ipsec_xform->options.dec_ttl)
- encap_pdb.options |= PDBHMO_ESP_ENCAP_DTTL;
+
+ if (ipsec_xform->options.iv_gen_disable == 0)
+ encap_pdb.options |= PDBOPTS_ESP_IVSRC;
if (ipsec_xform->options.esn)
encap_pdb.options |= PDBOPTS_ESP_ESN;
if (ipsec_xform->options.copy_dscp)
encap_pdb.options |= PDBOPTS_ESP_DIFFSERV;
+ if (ipsec_xform->options.ecn)
+ encap_pdb.options |= PDBOPTS_ESP_TECN;
encap_pdb.spi = ipsec_xform->spi;
session->dir = DIR_ENC;
if (ipsec_xform->tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
if (ipsec_xform->options.copy_df)
encap_pdb.options |= PDBHMO_ESP_DFBIT;
- encap_pdb.ip_hdr_len = sizeof(struct ip);
- ip4_hdr.ip_v = IPVERSION;
- ip4_hdr.ip_hl = 5;
- ip4_hdr.ip_len = rte_cpu_to_be_16(sizeof(ip4_hdr));
- ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp;
- ip4_hdr.ip_id = 0;
- ip4_hdr.ip_off = 0;
- ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl;
- ip4_hdr.ip_p = IPPROTO_ESP;
- ip4_hdr.ip_sum = 0;
- ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip;
- ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip;
- ip4_hdr.ip_sum = calc_chksum((uint16_t *)(void *)
- &ip4_hdr, sizeof(struct ip));
- hdr = (uint8_t *)&ip4_hdr;
+ ip4_hdr = (struct rte_ipv4_hdr *)&hdr;
+
+ encap_pdb.ip_hdr_len = sizeof(struct rte_ipv4_hdr);
+ ip4_hdr->version_ihl = RTE_IPV4_VHL_DEF;
+ ip4_hdr->time_to_live = ipsec_xform->tunnel.ipv4.ttl;
+ ip4_hdr->type_of_service =
+ ipsec_xform->tunnel.ipv4.dscp;
+ ip4_hdr->hdr_checksum = 0;
+ ip4_hdr->packet_id = 0;
+ ip4_hdr->fragment_offset = 0;
+ memcpy(&ip4_hdr->src_addr,
+ &ipsec_xform->tunnel.ipv4.src_ip,
+ sizeof(struct in_addr));
+ memcpy(&ip4_hdr->dst_addr,
+ &ipsec_xform->tunnel.ipv4.dst_ip,
+ sizeof(struct in_addr));
+ if (ipsec_xform->options.udp_encap) {
+ uint16_t sport, dport;
+ struct rte_udp_hdr *uh =
+ (struct rte_udp_hdr *) (ip4_hdr +
+ sizeof(struct rte_ipv4_hdr));
+
+ sport = ipsec_xform->udp.sport ?
+ ipsec_xform->udp.sport : 4500;
+ dport = ipsec_xform->udp.dport ?
+ ipsec_xform->udp.dport : 4500;
+ uh->src_port = rte_cpu_to_be_16(sport);
+ uh->dst_port = rte_cpu_to_be_16(dport);
+ uh->dgram_len = 0;
+ uh->dgram_cksum = 0;
+
+ ip4_hdr->next_proto_id = IPPROTO_UDP;
+ ip4_hdr->total_length =
+ rte_cpu_to_be_16(
+ sizeof(struct rte_ipv4_hdr) +
+ sizeof(struct rte_udp_hdr));
+ encap_pdb.ip_hdr_len +=
+ sizeof(struct rte_udp_hdr);
+ encap_pdb.options |=
+ PDBOPTS_ESP_NAT | PDBOPTS_ESP_NUC;
+ } else {
+ ip4_hdr->total_length =
+ rte_cpu_to_be_16(
+ sizeof(struct rte_ipv4_hdr));
+ ip4_hdr->next_proto_id = IPPROTO_ESP;
+ }
+
+ ip4_hdr->hdr_checksum = calc_chksum((uint16_t *)
+ (void *)ip4_hdr, sizeof(struct rte_ipv4_hdr));
+
} else if (ipsec_xform->tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
- ip6_hdr.vtc_flow = rte_cpu_to_be_32(
+ ip6_hdr = (struct rte_ipv6_hdr *)&hdr;
+
+ ip6_hdr->vtc_flow = rte_cpu_to_be_32(
DPAA2_IPv6_DEFAULT_VTC_FLOW |
((ipsec_xform->tunnel.ipv6.dscp <<
RTE_IPV6_HDR_TC_SHIFT) &
@@ -3227,18 +3267,17 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
RTE_IPV6_HDR_FL_SHIFT) &
RTE_IPV6_HDR_FL_MASK));
/* Payload length will be updated by HW */
- ip6_hdr.payload_len = 0;
- ip6_hdr.hop_limits =
- ipsec_xform->tunnel.ipv6.hlimit;
- ip6_hdr.proto = (ipsec_xform->proto ==
+ ip6_hdr->payload_len = 0;
+ ip6_hdr->hop_limits = ipsec_xform->tunnel.ipv6.hlimit ?
+ ipsec_xform->tunnel.ipv6.hlimit : 0x40;
+ ip6_hdr->proto = (ipsec_xform->proto ==
RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
IPPROTO_ESP : IPPROTO_AH;
- memcpy(&ip6_hdr.src_addr,
+ memcpy(&ip6_hdr->src_addr,
&ipsec_xform->tunnel.ipv6.src_addr, 16);
- memcpy(&ip6_hdr.dst_addr,
+ memcpy(&ip6_hdr->dst_addr,
&ipsec_xform->tunnel.ipv6.dst_addr, 16);
encap_pdb.ip_hdr_len = sizeof(struct rte_ipv6_hdr);
- hdr = (uint8_t *)&ip6_hdr;
}
bufsize = cnstr_shdsc_ipsec_new_encap(priv->flc_desc[0].desc,
@@ -3277,6 +3316,10 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev,
decap_pdb.options |= PDBOPTS_ESP_ESN;
if (ipsec_xform->options.copy_dscp)
decap_pdb.options |= PDBOPTS_ESP_DIFFSERV;
+ if (ipsec_xform->options.ecn)
+ decap_pdb.options |= PDBOPTS_ESP_TECN;
+ if (ipsec_xform->options.dec_ttl)
+ decap_pdb.options |= PDBHMO_ESP_DECAP_DTTL;
if (ipsec_xform->replay_win_sz) {
uint32_t win_sz;
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
index d3e2df72b0..cf6542a222 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h
@@ -930,6 +930,7 @@ static const struct rte_security_capability dpaa2_sec_security_cap[] = {
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.options = {
+ .udp_encap = 1,
.copy_df = 1,
.copy_dscp = 1,
.esn = 1,
@@ -946,6 +947,8 @@ static const struct rte_security_capability dpaa2_sec_security_cap[] = {
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
.options = {
+ .iv_gen_disable = 1,
+ .udp_encap = 1,
.copy_df = 1,
.copy_dscp = 1,
.esn = 1,
--
2.17.1
next prev parent reply other threads:[~2023-08-23 7:10 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-23 7:08 [PATCH 00/12] crypto/dpaax_sec: misc enhancements Hemant Agrawal
2023-08-23 7:08 ` [PATCH 01/12] common/dpaax: update IPsec base descriptor length Hemant Agrawal
2023-08-23 7:08 ` [PATCH 02/12] common/dpaax: change mode to wait in shared desc Hemant Agrawal
2023-08-23 7:08 ` [PATCH 03/12] crypto/dpaa2_sec: initialize the pdcp alg to null Hemant Agrawal
2023-08-23 7:08 ` [PATCH 04/12] crypto/dpaa2_sec: supporting null cipher and auth Hemant Agrawal
2023-08-23 7:08 ` [PATCH 05/12] crypto/dpaa_sec: " Hemant Agrawal
2023-08-23 7:08 ` [PATCH 06/12] crypto/dpaax_sec: set the authdata in non-auth case Hemant Agrawal
2023-08-23 7:08 ` [PATCH 07/12] crypto/dpaa2_sec: enhance dpaa FD FL FMT offset set Hemant Agrawal
2023-08-23 7:08 ` [PATCH 08/12] crypto/dpaa2_sec: support copy df and dscp in proto offload Hemant Agrawal
2023-08-23 7:08 ` [PATCH 09/12] crypto/dpaa2_sec: increase the anti replay window size Hemant Agrawal
2023-08-23 7:08 ` [PATCH 10/12] crypto/dpaa2_sec: enable esn support Hemant Agrawal
2023-08-23 7:08 ` Hemant Agrawal [this message]
2023-08-23 7:08 ` [PATCH 12/12] crypto/dpaa2_sec: add support to set df and diffserv Hemant Agrawal
2023-09-18 10:31 ` [EXT] [PATCH 00/12] crypto/dpaax_sec: misc enhancements Akhil Goyal
2023-09-20 13:33 ` [PATCH v2 00/13] " Hemant Agrawal
2023-09-20 13:33 ` [PATCH v2 01/13] common/dpaax: update IPsec base descriptor length Hemant Agrawal
2023-09-20 13:33 ` [PATCH v2 02/13] common/dpaax: change mode to wait in shared desc Hemant Agrawal
2023-09-20 13:33 ` [PATCH v2 03/13] crypto/dpaa2_sec: initialize the pdcp alg to null Hemant Agrawal
2023-09-20 13:33 ` [PATCH v2 04/13] crypto/dpaa2_sec: supporting null cipher and auth Hemant Agrawal
2023-09-20 13:33 ` [PATCH v2 05/13] crypto/dpaa_sec: " Hemant Agrawal
2023-09-20 13:33 ` [PATCH v2 06/13] crypto/dpaax_sec: set the authdata in non-auth case Hemant Agrawal
2023-09-20 13:33 ` [PATCH v2 07/13] crypto/dpaa2_sec: enhance dpaa FD FL FMT offset set Hemant Agrawal
2023-09-20 13:33 ` [PATCH v2 08/13] crypto/dpaa2_sec: support copy df and dscp in proto offload Hemant Agrawal
2023-09-20 13:33 ` [PATCH v2 09/13] crypto/dpaa2_sec: increase the anti replay window size Hemant Agrawal
2023-09-20 13:34 ` [PATCH v2 10/13] crypto/dpaa2_sec: enable esn support Hemant Agrawal
2023-09-20 13:34 ` [PATCH v2 11/13] crypto/dpaa2_sec: add NAT-T support in IPsec offload Hemant Agrawal
2023-09-20 13:34 ` [PATCH v2 12/13] crypto/dpaa2_sec: add support to set df and diffserv Hemant Agrawal
2023-09-20 13:34 ` [PATCH v2 13/13] crypto/dpaax_sec: enable sha224-hmac support for IPsec Hemant Agrawal
2023-09-21 8:05 ` [EXT] [PATCH v2 00/13] crypto/dpaax_sec: misc enhancements Akhil Goyal
2023-09-21 8:55 ` Hemant Agrawal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230823070855.27532-12-hemant.agrawal@nxp.com \
--to=hemant.agrawal@nxp.com \
--cc=dev@dpdk.org \
--cc=gakhil@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).