From: Anoob Joseph <anoobj@marvell.com>
To: Thomas Monjalon <thomas@monjalon.net>,
Akhil Goyal <gakhil@marvell.com>,
Jerin Jacob <jerinj@marvell.com>,
Harry van Haaren <harry.van.haaren@intel.com>
Cc: Vidya Sagar Velumuri <vvelumuri@marvell.com>,
Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>,
Hemant Agrawal <hemant.agrawal@nxp.com>, <dev@dpdk.org>,
Olivier Matz <olivier.matz@6wind.com>
Subject: [PATCH v2 5/5] cryptodev: add details of datapath handling of TLS records
Date: Tue, 3 Oct 2023 16:18:54 +0530 [thread overview]
Message-ID: <20231003104854.1381-6-anoobj@marvell.com> (raw)
In-Reply-To: <20231003104854.1381-1-anoobj@marvell.com>
From: Vidya Sagar Velumuri <vvelumuri@marvell.com>
TLS/DTLS record processing requires content type to be provided per
packet (for record write operation). Extend usage of reserved fields in
rte_crypto_op for the same purpose.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
doc/guides/prog_guide/rte_security.rst | 12 ++++++++++++
doc/guides/rel_notes/release_23_11.rst | 6 ++++++
lib/cryptodev/rte_crypto.h | 25 ++++++++++++++++++++++++-
3 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index f90dee5df0..7a25a7e649 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -453,6 +453,18 @@ Protocol. The TLS Record Protocol provides connection security that has two basi
V V
TLSCiphertext TLSPlaintext
+TLS and DTLS header formation (in record write operation) would depend on
+type of content. It is a per packet variable and would need to be handled by
+the same session. Application may pass this info to a cryptodev performing
+lookaside protocol offload by passing the same in ``rte_crypto_op.param1``.
+
+In record read operation, application is required to preserve any info it may
+need from the TLS/DTLS header (such as content type and sequence number) as the
+cryptodev would remove the header and padding as part of the lookaside protocol
+processing. With TLS 1.3, the actual content type is part of the trailer (before
+padding) and would be stripped by the PMD. For applications that may need this
+info, PMD would return the value in ``rte_crypto_op.param1`` field.
+
Supported Versions
^^^^^^^^^^^^^^^^^^
diff --git a/doc/guides/rel_notes/release_23_11.rst b/doc/guides/rel_notes/release_23_11.rst
index 250735efa9..663d1e9cf9 100644
--- a/doc/guides/rel_notes/release_23_11.rst
+++ b/doc/guides/rel_notes/release_23_11.rst
@@ -83,6 +83,12 @@ New Features
Similar to out of place processing support for lookaside security session, added
the same support for inline ingress security session.
+* **Added support for TLS and DTLS record in rte_security.**
+
+ Added TLS and DTLS record transform for rte_security session and added
+ enhancements to ``rte_crypto_op`` fields to handle all datapath requirements
+ of TLS and DTLS. The support is added for TLS 1.2, TLS 1.3 and DTLS 1.2.
+
* **Updated ipsec_mb crypto driver.**
Added support for digest encrypted to AESNI_MB asynchronous crypto driver.
diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h
index 9fe3e3d529..34aacd9312 100644
--- a/lib/cryptodev/rte_crypto.h
+++ b/lib/cryptodev/rte_crypto.h
@@ -123,7 +123,30 @@ struct rte_crypto_op {
*
* @see struct rte_security_tls_record_sess_options
*/
- uint8_t reserved[2];
+ union {
+ struct {
+ uint8_t content_type;
+ /**< Content type. The field can act both as input
+ * and output.
+ *
+ * As input, for passing message type in case of record
+ * write (encrypt) operation. Applicable for,
+ * 1. TLS 1.2
+ * 2. TLS 1.3
+ * 3. DTLS 1.2
+ *
+ * As output, for returning message type in case of record
+ * read (decrypt) operation. Applicable for,
+ * 1. TLS 1.3
+ *
+ * Message types are listed as RTE_TLS_TYPE_* and
+ * RTE_DTLS_TYPE_*.
+ */
+ } tls_record;
+ /**< TLS record */
+ } param1;
+ /**< Additional per operation parameter 1. */
+ uint8_t reserved[1];
/**< Reserved bytes to fill 64 bits for
* future additions
*/
--
2.25.1
next prev parent reply other threads:[~2023-10-03 10:49 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-11 7:17 [RFC PATCH 0/3] add TLS record processing security offload Anoob Joseph
2023-08-11 7:17 ` [RFC PATCH 1/3] net: add headers for TLS/DTLS packets Anoob Joseph
2023-09-20 9:22 ` Van Haaren, Harry
2023-08-11 7:17 ` [RFC PATCH 2/3] security: add TLS record processing Anoob Joseph
2023-09-20 9:23 ` Van Haaren, Harry
2023-09-20 11:51 ` Anoob Joseph
2023-09-21 8:38 ` Van Haaren, Harry
2023-09-21 10:55 ` Anoob Joseph
2023-09-21 11:01 ` Van Haaren, Harry
2023-08-11 7:17 ` [RFC PATCH 3/3] cryptodev: add details of datapath handling of TLS records Anoob Joseph
2023-09-20 9:24 ` Van Haaren, Harry
2023-09-20 9:22 ` [RFC PATCH 0/3] add TLS record processing security offload Van Haaren, Harry
2023-10-03 10:48 ` [PATCH v2 0/5] " Anoob Joseph
2023-10-03 10:48 ` [PATCH v2 1/5] net: add headers for TLS/DTLS packets Anoob Joseph
2023-10-03 10:48 ` [PATCH v2 2/5] security: add TLS record processing Anoob Joseph
2023-10-03 10:48 ` [PATCH v2 3/5] security: support extra padding with TLS Anoob Joseph
2023-10-03 10:48 ` [PATCH v2 4/5] security: support TLS record lifetime notification Anoob Joseph
2023-10-03 10:48 ` Anoob Joseph [this message]
2023-10-04 10:51 ` [PATCH v2 0/5] add TLS record processing security offload Akhil Goyal
2023-10-04 15:44 ` Van Haaren, Harry
2023-10-09 20:08 ` Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231003104854.1381-6-anoobj@marvell.com \
--to=anoobj@marvell.com \
--cc=dev@dpdk.org \
--cc=gakhil@marvell.com \
--cc=harry.van.haaren@intel.com \
--cc=hemant.agrawal@nxp.com \
--cc=jerinj@marvell.com \
--cc=konstantin.v.ananyev@yandex.ru \
--cc=olivier.matz@6wind.com \
--cc=thomas@monjalon.net \
--cc=vvelumuri@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).