From: Akhil Goyal <akhil.goyal@nxp.com>
To: "Joseph, Anoob" <Anoob.Joseph@cavium.com>, "dev@dpdk.org" <dev@dpdk.org>
Cc: "pablo.de.lara.guarch@intel.com" <pablo.de.lara.guarch@intel.com>,
"radu.nicolau@intel.com" <radu.nicolau@intel.com>,
"Jacob, Jerin" <Jerin.JacobKollanukkaran@cavium.com>,
"Athreya, Narayana Prasad" <NarayanaPrasad.Athreya@cavium.com>,
"Verma, Shally" <Shally.Verma@cavium.com>,
"Velumuri, Vidya" <Vidya.Velumuri@cavium.com>,
Hemant Agrawal <hemant.agrawal@nxp.com>
Subject: Re: [dpdk-dev] [PATCH v5 1/3] security: support pdcp protocol
Date: Tue, 16 Oct 2018 10:57:04 +0000
Message-ID: <ae317495-6f07-5a3a-ff93-e69bfae72a90@nxp.com>
In-Reply-To: <SN6PR07MB49116F27242463A43FFC4E76F8FE0@SN6PR07MB4911.namprd07.prod.outlook.com>

Hi Anoob,

On 10/16/2018 4:19 PM, Joseph, Anoob wrote:
> Hi Akhil,
>
> The HFN threshold comment is still not right I guess,
>
>> + uint32_t hfn;
>> + /**< HFN Threshold for key renegotiation */
>> + uint32_t hfn_threshold;
> The above code snippet is there in the rte_security.rst file also. You may need to fix that also.
>
> And the following also needs to be fixed,

I think there is some issue in your mail client.
Please check patchworks. Everything looks good to me.
http://patches.dpdk.org/patch/46886/

>> + * @PDCP_SN_SIZE_18: 18bit sequence number */ enum
>> +rte_security_pdcp_sn_size {
> ....
>> + RTE_SECURITY_PDCP_SN_SIZE_18 = 18 };
> With the above changes,
> Acked-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
Thanks.
>
> Thanks,
> Anoob
>> -----Original Message-----
>> From: Akhil Goyal <akhil.goyal@nxp.com>
>> Sent: 16 October 2018 16:09
>> To: dev@dpdk.org
>> Cc: pablo.de.lara.guarch@intel.com; radu.nicolau@intel.com; Jacob, Jerin
>> <Jerin.JacobKollanukkaran@cavium.com>; Athreya, Narayana Prasad
>> <NarayanaPrasad.Athreya@cavium.com>; Verma, Shally
>> <Shally.Verma@cavium.com>; Joseph, Anoob <Anoob.Joseph@cavium.com>;
>> Velumuri, Vidya <Vidya.Velumuri@cavium.com>; Hemant Agrawal
>> <hemant.agrawal@nxp.com>; Akhil Goyal <akhil.goyal@nxp.com>
>> Subject: [PATCH v5 1/3] security: support pdcp protocol
>>
>> From: Akhil Goyal <akhil.goyal@nxp.com>
>>
>> Packet Data Convergence Protocol (PDCP) is added in rte_security for 3GPP TS
>> 36.323 for LTE.
>>
>> The patchset provides the structure definitions for configuring the PDCP sessions
>> and relevant documentation is added.
>>
>> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
>> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
>> ---
>> doc/guides/prog_guide/rte_security.rst | 107 +++++++++++++++++++++++--
>> lib/librte_security/rte_security.c | 4 +
>> lib/librte_security/rte_security.h | 92 +++++++++++++++++++++
>> 3 files changed, 196 insertions(+), 7 deletions(-)
>>
>> diff --git a/doc/guides/prog_guide/rte_security.rst
>> b/doc/guides/prog_guide/rte_security.rst
>> index 0812abe77..e43f1554c 100644
>> --- a/doc/guides/prog_guide/rte_security.rst
>> +++ b/doc/guides/prog_guide/rte_security.rst
>> @@ -10,8 +10,8 @@ The security library provides a framework for management
>> and provisioning of security protocol operations offloaded to hardware based
>> devices. The library defines generic APIs to create and free security sessions
>> which can support full protocol offload as well as inline crypto operation with -
>> NIC or crypto devices. The framework currently only supports the IPSec protocol
>> -and associated operations, other protocols will be added in future.
>> +NIC or crypto devices. The framework currently only supports the IPsec
>> +and PDCP protocol and associated operations, other protocols will be added in
>> future.
>>
>> Design Principles
>> -----------------
>> @@ -253,6 +253,49 @@ for any protocol header addition.
>> +--------|--------+
>> V
>>
>> +PDCP Flow Diagram
>> +~~~~~~~~~~~~~~~~~
>> +
>> +Based on 3GPP TS 36.323 Evolved Universal Terrestrial Radio Access
>> +(E-UTRA); Packet Data Convergence Protocol (PDCP) specification
>> +
>> +.. code-block:: c
>> +
>> + Transmitting PDCP Entity Receiving PDCP Entity
>> + | ^
>> + | +-----------|-----------+
>> + V | In order delivery and |
>> + +---------|----------+ | Duplicate detection |
>> + | Sequence Numbering | | (Data Plane only) |
>> + +---------|----------+ +-----------|-----------+
>> + | |
>> + +---------|----------+ +-----------|----------+
>> + | Header Compression*| | Header Decompression*|
>> + | (Data-Plane only) | | (Data Plane only) |
>> + +---------|----------+ +-----------|----------+
>> + | |
>> + +---------|-----------+ +-----------|----------+
>> + | Integrity Protection| |Integrity Verification|
>> + | (Control Plane only)| | (Control Plane only) |
>> + +---------|-----------+ +-----------|----------+
>> + +---------|-----------+ +----------|----------+
>> + | Ciphering | | Deciphering |
>> + +---------|-----------+ +----------|----------+
>> + +---------|-----------+ +----------|----------+
>> + | Add PDCP header | | Remove PDCP Header |
>> + +---------|-----------+ +----------|----------+
>> + | |
>> + +----------------->>----------------+
>> +
>> +
>> +.. note::
>> +
>> + * Header Compression and decompression are not supported currently.
>> +
>> +Just like IPsec, in case of PDCP also header addition/deletion, cipher/
>> +de-cipher, integrity protection/verification is done based on the
>> +action type chosen.
>> +
>> Device Features and Capabilities
>> ---------------------------------
>>
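
Review bot: The PDCP flow diagram is placed under `.. code-block:: c`, but it is ASCII art rather than C, so a C lexer will be applied to box-drawing text; a plain literal block (`::`) or a non-C lexer would suit it better. In the same diagram the Integrity, Ciphering and PDCP header boxes are stacked with no `|` connector row between them, unlike the boxes above them. The `*` on Header Compression/Decompression is also never tied to the note below, where `*` is only the list bullet, so the note should say that it explains the asterisk.
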
>> @@ -271,7 +314,7 @@ structure in the *DPDK API Reference*.
>>
>> Each driver (crypto or ethernet) defines its own private array of capabilities for
>> the operations it supports. Below is an example of the capabilities for a -PMD
>> which supports the IPSec protocol.
>> +PMD which supports the IPsec and PDCP protocol.
>>
>> .. code-block:: c
>>
>> @@ -298,6 +341,24 @@ PMD which supports the IPSec protocol.
>> },
>> .crypto_capabilities = pmd_capabilities
>> },
>> + { /* PDCP Lookaside Protocol offload Data Plane */
>> + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
>> + .protocol = RTE_SECURITY_PROTOCOL_PDCP,
>> + .pdcp = {
>> + .domain = RTE_SECURITY_PDCP_MODE_DATA,
>> + .capa_flags = 0
>> + },
>> + .crypto_capabilities = pmd_capabilities
>> + },
>> + { /* PDCP Lookaside Protocol offload Control */
>> + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
>> + .protocol = RTE_SECURITY_PROTOCOL_PDCP,
>> + .pdcp = {
>> + .domain = RTE_SECURITY_PDCP_MODE_CONTROL,
>> + .capa_flags = 0
>> + },
>> + .crypto_capabilities = pmd_capabilities
>> + },
>> {
>> .action = RTE_SECURITY_ACTION_TYPE_NONE
>> }
>> @@ -429,6 +490,7 @@ Security Session configuration structure is defined as
>> ``rte_security_session_co
>> union {
>> struct rte_security_ipsec_xform ipsec;
>> struct rte_security_macsec_xform macsec;
>> + struct rte_security_pdcp_xform pdcp;
>> };
>> /**< Configuration parameters for security session */
>> struct rte_crypto_sym_xform *crypto_xform; @@ -463,15 +525,17 @@
>> The ``rte_security_session_protocol`` is defined as .. code-block:: c
>>
>> enum rte_security_session_protocol {
>> - RTE_SECURITY_PROTOCOL_IPSEC,
>> + RTE_SECURITY_PROTOCOL_IPSEC = 1,
>> /**< IPsec Protocol */
>> RTE_SECURITY_PROTOCOL_MACSEC,
>> /**< MACSec Protocol */
>> + RTE_SECURITY_PROTOCOL_PDCP,
>> + /**< PDCP Protocol */
>> };
>>
>> -Currently the library defines configuration parameters for IPSec only. For other
>> -protocols like MACSec, structures and enums are defined as place holders
>> which -will be updated in the future.
>> +Currently the library defines configuration parameters for IPsec and PDCP only.
>> +For other protocols like MACSec, structures and enums are defined as
>> +place holders which will be updated in the future.
>>
>> IPsec related configuration parameters are defined in
>> ``rte_security_ipsec_xform``
>>
>> @@ -494,6 +558,35 @@ IPsec related configuration parameters are defined in
>> ``rte_security_ipsec_xform
>> /**< Tunnel parameters, NULL for transport mode */
>> };
>>
>> +PDCP related configuration parameters are defined in
>> +``rte_security_pdcp_xform``
>> +
>> +.. code-block:: c
>> +
>> + struct rte_security_pdcp_xform {
>> + int8_t bearer; /**< PDCP bearer ID */
>> + /**< Enable in order delivery, this field shall be set only if
>> + * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
>> + */
>> + uint8_t en_ordering;
>> + /**< Notify driver/HW to detect and remove duplicate packets.
>> + * This field should be set only when driver/hw is capable.
>> + * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
>> + */
>> + uint8_t remove_duplicates;
>> + /**< PDCP mode of operation: Control or data */
>> + enum rte_security_pdcp_domain domain;
>> + /**< PDCP Frame Direction 0:UL 1:DL */
>> + enum rte_security_pdcp_direction pkt_dir;
>> + /**< Sequence number size, 5/7/12/15/18 */
>> + enum rte_security_pdcp_sn_size sn_size;
>> + /**< Starting Hyper Frame Number to be used together with the SN
>> + * from the PDCP frames
>> + */
>> + uint32_t hfn;
>> + /**< HFN Threshold for key renegotiation */
>> + uint32_t hfn_threshold;
>> + };
>> +
>>
>> Security API
>> ~~~~~~~~~~~~
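
Review bot: In the `rte_security_pdcp_xform` listing every `/**<` comment sits on the line before the member it describes, but `/**<` is the Doxygen marker for documenting the preceding member. As written, "Enable in order delivery" attaches to `bearer` and "HFN Threshold for key renegotiation" attaches to `hfn` instead of `hfn_threshold`. Either move each comment after its member or open the leading ones with `/**`. This listing duplicates the definition in rte_security.h, so the same fix has to be made in both files.
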
>> diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
>> index 1954960a5..c6355de95 100644
>> --- a/lib/librte_security/rte_security.c
>> +++ b/lib/librte_security/rte_security.c
>> @@ -131,6 +131,10 @@ rte_security_capability_get(struct rte_security_ctx
>> *instance,
>> capability->ipsec.direction ==
>> idx->ipsec.direction)
>> return capability;
>> + } else if (idx->protocol == RTE_SECURITY_PROTOCOL_PDCP) {
>> + if (capability->pdcp.domain ==
>> + idx->pdcp.domain)
>> + return capability;
>> }
>> }
>> }
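
Review bot: The PDCP branch in `rte_security_capability_get()` matches on `pdcp.domain` only, while this patch also adds `capa_flags` to the `pdcp` member of `struct rte_security_capability_idx`. A caller that sets `RTE_SECURITY_PDCP_ORDERING_CAP` or `RTE_SECURITY_PDCP_DUP_DETECT_CAP` in the index gets back a capability that may not carry those bits, and could then set `en_ordering` or `remove_duplicates` on a device that does not support them. Suggest either requiring `(capability->pdcp.capa_flags & idx->pdcp.capa_flags) == idx->pdcp.capa_flags` in this branch, or dropping `capa_flags` from the index and documenting that callers must inspect the returned flags themselves.
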
>> diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
>> index b0d1b97ee..de49017e1 100644
>> --- a/lib/librte_security/rte_security.h
>> +++ b/lib/librte_security/rte_security.h
>> @@ -206,6 +206,66 @@ struct rte_security_macsec_xform {
>> int dummy;
>> };
>>
>> +/**
>> + * PDCP Mode of session
>> + */
>> +enum rte_security_pdcp_domain {
>> + RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */
>> + RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */
>> +};
>> +
>> +/** PDCP Frame direction */
>> +enum rte_security_pdcp_direction {
>> + RTE_SECURITY_PDCP_UPLINK, /**< Uplink */
>> + RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */
>> +};
>> +
>> +/**
>> + * PDCP Sequence Number Size selectors
>> + * @PDCP_SN_SIZE_5: 5bit sequence number
>> + * @PDCP_SN_SIZE_7: 7bit sequence number
>> + * @PDCP_SN_SIZE_12: 12bit sequence number
>> + * @PDCP_SN_SIZE_15: 15bit sequence number
>> + * @PDCP_SN_SIZE_18: 18bit sequence number */ enum
>> +rte_security_pdcp_sn_size {
>> + RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
>> + RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
>> + RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
>> + RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
>> + RTE_SECURITY_PDCP_SN_SIZE_18 = 18 };
>> +
>> +/**
>> + * PDCP security association configuration data.
>> + *
>> + * This structure contains data required to create a PDCP security session.
>> + */
>> +struct rte_security_pdcp_xform {
>> + int8_t bearer; /**< PDCP bearer ID */
>> + /**< Enable in order delivery, this field shall be set only if
>> + * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
>> + */
>> + uint8_t en_ordering;
>> + /**< Notify driver/HW to detect and remove duplicate packets.
>> + * This field should be set only when driver/hw is capable.
>> + * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
>> + */
>> + uint8_t remove_duplicates;
>> + /**< PDCP mode of operation: Control or data */
>> + enum rte_security_pdcp_domain domain;
>> + /**< PDCP Frame Direction 0:UL 1:DL */
>> + enum rte_security_pdcp_direction pkt_dir;
>> + /**< Sequence number size, 5/7/12/15/18 */
>> + enum rte_security_pdcp_sn_size sn_size;
>> + /**< Starting Hyper Frame Number to be used together with the SN
>> + * from the PDCP frames
>> + */
>> + uint32_t hfn;
>> + /**< HFN Threshold for key renegotiation */
>> + uint32_t hfn_threshold;
>> +};
>> +
>> /**
>> * Security session action type.
>> */
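
Review bot: `hfn_threshold` is documented only as "HFN Threshold for key renegotiation", which does not say what the driver does when the HFN reaches it or how the application learns that it has to rekey. The HFN together with the SN forms the COUNT input to ciphering and integrity, so this is the field that guards against COUNT reuse under one key; the comment should state the expected behaviour on reaching the threshold and whether 0 disables the check. The `/**<` comments in this struct precede the members they describe, so Doxygen will attach each one to the previous member. The enum comment lists `@PDCP_SN_SIZE_5` and so on, which do not match the enumerator names `RTE_SECURITY_PDCP_SN_SIZE_*`.
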
>> @@ -232,6 +292,8 @@ enum rte_security_session_protocol {
>> /**< IPsec Protocol */
>> RTE_SECURITY_PROTOCOL_MACSEC,
>> /**< MACSec Protocol */
>> + RTE_SECURITY_PROTOCOL_PDCP,
>> + /**< PDCP Protocol */
>> };
>>
>> /**
>> @@ -246,6 +308,7 @@ struct rte_security_session_conf {
>> union {
>> struct rte_security_ipsec_xform ipsec;
>> struct rte_security_macsec_xform macsec;
>> + struct rte_security_pdcp_xform pdcp;
>> };
>> /**< Configuration parameters for security session */
>> struct rte_crypto_sym_xform *crypto_xform; @@ -413,6 +476,10 @@
>> struct rte_security_ipsec_stats {
>>
>> };
>>
>> +struct rte_security_pdcp_stats {
>> + uint64_t reserved;
>> +};
>> +
>> struct rte_security_stats {
>> enum rte_security_session_protocol protocol;
>> /**< Security protocol to be configured */ @@ -421,6 +488,7 @@ struct
>> rte_security_stats {
>> union {
>> struct rte_security_macsec_stats macsec;
>> struct rte_security_ipsec_stats ipsec;
>> + struct rte_security_pdcp_stats pdcp;
>> };
>> };
>>
>> @@ -465,6 +533,13 @@ struct rte_security_capability {
>> int dummy;
>> } macsec;
>> /**< MACsec capability */
>> + struct {
>> + enum rte_security_pdcp_domain domain;
>> + /** < PDCP mode of operation: Control or data */
>> + uint32_t capa_flags;
>> + /** < Capabilitity flags, see RTE_SECURITY_PDCP_* */
>> + } pdcp;
>> + /**< PDCP capability */
>> };
>>
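
Review bot: The two member comments in the new `pdcp` capability struct open with `/** <` (with a space), which is not the Doxygen `/**<` form, so Doxygen will not treat them as trailing comments for `domain` and `capa_flags`. Use `/**<` as the neighbouring `/**< MACsec capability */` and `/**< PDCP capability */` lines do. "Capabilitity" is a typo, and "see RTE_SECURITY_PDCP_*" would be clearer if it named the `_CAP` flags, since the same prefix is used for the domain, direction and SN size enumerators.
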
>> const struct rte_cryptodev_capabilities *crypto_capabilities; @@ -474,6
>> +549,19 @@ struct rte_security_capability {
>> /**< Device offload flags */
>> };
>>
>> +/**< Underlying Hardware/driver which support PDCP may or may not
>> +support
>> + * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support.
>> + * If it is not set, driver/HW assumes packets received are in order
>> + * and it will be application's responsibility to maintain ordering.
>> + */
>> +#define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001
>> +
>> +/**< Underlying Hardware/driver which support PDCP may or may not
>> +detect
>> + * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support.
>> + * If it is not set, driver/HW assumes there is no duplicate packet received.
>> + */
>> +#define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002
>> +
>> #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001
>> /**< HW needs metadata update, see rte_security_set_pkt_metadata().
>> */
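
Review bot: The `RTE_SECURITY_PDCP_DUP_DETECT_CAP` comment says that without the flag the driver/HW "assumes there is no duplicate packet received", but unlike the ordering comment above it does not say that duplicate detection then becomes the application's responsibility. Duplicate discard is what stops a replayed PDU from being accepted, so the comment should state that explicitly. Both comments are also opened with `/**<` although they precede the `#define` they document; `/**` is the form for a leading comment. "if it support" should read "if it is supported".
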
>> @@ -506,6 +594,10 @@ struct rte_security_capability_idx {
>> enum rte_security_ipsec_sa_mode mode;
>> enum rte_security_ipsec_sa_direction direction;
>> } ipsec;
>> + struct {
>> + enum rte_security_pdcp_domain domain;
>> + uint32_t capa_flags;
>> + } pdcp;
>> };
>> };
>>
>> --
>> 2.17.1