From: Aviad Yehezkel
To: Akhil Goyal , dev@dpdk.org
Cc: declan.doherty@intel.com, pablo.de.lara.guarch@intel.com, hemant.agrawal@nxp.com, radu.nicolau@intel.com, borisp@mellanox.com, aviadye@mellanox.com, thomas@monjalon.net, sandeep.malik@nxp.com, jerin.jacob@caviumnetworks.com, john.mcnamara@intel.com, konstantin.ananyev@intel.com, shahafs@mellanox.com, olivier.matz@6wind.com
Date: Sun, 15 Oct 2017 15:47:21 +0300
Subject: Re: [dpdk-dev] [PATCH v4 01/12] lib/rte_security: add security library
In-Reply-To: <20171014221734.15511-2-akhil.goyal@nxp.com>
References: <20171006181151.4758-1-akhil.goyal@nxp.com> <20171014221734.15511-1-akhil.goyal@nxp.com> <20171014221734.15511-2-akhil.goyal@nxp.com>
List-Id: DPDK patches and discussions

On 10/15/2017 1:17 AM, Akhil Goyal wrote: > rte_security library provides APIs for security session > create/free for protocol offload or offloaded crypto > operation to ethernet device. > > Signed-off-by: Akhil Goyal > Signed-off-by: Boris Pismenny > Signed-off-by: Radu Nicolau > Signed-off-by: Declan Doherty
> Signed-off-by: Aviad Yehezkel > --- > lib/librte_security/Makefile | 53 +++ > lib/librte_security/rte_security.c | 149 ++++++++ > lib/librte_security/rte_security.h | 535 +++++++++++++++++++++++++++ > lib/librte_security/rte_security_driver.h | 155 ++++++++ > lib/librte_security/rte_security_version.map | 13 + > 5 files changed, 905 insertions(+) > create mode 100644 lib/librte_security/Makefile > create mode 100644 lib/librte_security/rte_security.c > create mode 100644 lib/librte_security/rte_security.h > create mode 100644 lib/librte_security/rte_security_driver.h > create mode 100644 lib/librte_security/rte_security_version.map > > diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile > new file mode 100644 > index 0000000..af87bb2 > --- /dev/null > +++ b/lib/librte_security/Makefile 
> @@ -0,0 +1,53 @@ > +# BSD LICENSE > +# > +# Copyright(c) 2017 Intel Corporation. All rights reserved. > +# > +# Redistribution and use in source and binary forms, with or without > +# modification, are permitted provided that the following conditions > +# are met: > +# > +# * Redistributions of source code must retain the above copyright > +# notice, this list of conditions and the following disclaimer. > +# * Redistributions in binary form must reproduce the above copyright > +# notice, this list of conditions and the following disclaimer in > +# the documentation and/or other materials provided with the > +# distribution. > +# * Neither the name of Intel Corporation nor the names of its > +# contributors may be used to endorse or promote products derived > +# from this software without specific prior written permission. > +# > +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
> + > +include $(RTE_SDK)/mk/rte.vars.mk > + > +# library name > +LIB = librte_security.a > + > +# library version > +LIBABIVER := 1 > + > +# build flags > +CFLAGS += -O3 > +CFLAGS += $(WERROR_FLAGS) > + > +# library source files > +SRCS-y += rte_security.c > + > +# export include files > +SYMLINK-y-include += rte_security.h > +SYMLINK-y-include += rte_security_driver.h > + > +# versioning export map > +EXPORT_MAP := rte_security_version.map > + > +include $(RTE_SDK)/mk/rte.lib.mk > diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c > new file mode 100644 > index 0000000..1227fca > --- /dev/null > +++ b/lib/librte_security/rte_security.c 
> @@ -0,0 +1,149 @@ > +/*- > + * BSD LICENSE > + * > + * Copyright 2017 NXP. > + * Copyright(c) 2017 Intel Corporation. All rights reserved. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * > + * * Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * * Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in > + * the documentation and/or other materials provided with the > + * distribution. > + * * Neither the name of NXP nor the names of its > + * contributors may be used to endorse or promote products derived > + * from this software without specific prior written permission. > + * > + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
> + */ > + > +#include > +#include > + > +#include "rte_security.h" > +#include "rte_security_driver.h" > + > +struct rte_security_session * > +rte_security_session_create(struct rte_security_ctx *instance, > + struct rte_security_session_conf *conf, > + struct rte_mempool *mp) > +{ > + struct rte_security_session *sess = NULL; > + > + if (conf == NULL) > + return NULL; > + > + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_create, NULL); > + > + if (rte_mempool_get(mp, (void *)&sess)) > + return NULL; > + > + if (instance->ops->session_create(instance->device, conf, sess, mp)) { > + rte_mempool_put(mp, (void *)sess); > + return NULL; > + } > + instance->sess_cnt++; > + > + return sess; > +} > + > +int > +rte_security_session_update(struct rte_security_ctx *instance, > + struct rte_security_session *sess, > + struct rte_security_session_conf *conf) > +{ > + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_update, -ENOTSUP); > + return instance->ops->session_update(instance->device, sess, conf); > +} > + > +int > +rte_security_session_stats_get(struct rte_security_ctx *instance, > + struct rte_security_session *sess, > + struct rte_security_stats *stats) > +{ > + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_stats_get, -ENOTSUP); > + return instance->ops->session_stats_get(instance->device, sess, stats); > +} > + > +int > +rte_security_session_destroy(struct rte_security_ctx *instance, > + struct rte_security_session *sess) > +{ > + int ret; > + struct rte_mempool *mp = rte_mempool_from_obj(sess); > + > + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_destroy, -ENOTSUP); > + > + if (instance->sess_cnt) > + instance->sess_cnt--; > + > + ret = instance->ops->session_destroy(instance->device, sess); > + if (!ret) > + rte_mempool_put(mp, (void *)sess); > + > + return ret; > +} > + > +int > +rte_security_set_pkt_metadata(struct rte_security_ctx *instance, > + struct rte_security_session *sess, > + struct rte_mbuf *m, void *params) > +{ > + 
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->set_pkt_metadata, -ENOTSUP); > + return instance->ops->set_pkt_metadata(instance->device, > + sess, m, params); > +} > + > +const struct rte_security_capability * > +rte_security_capabilities_get(struct rte_security_ctx *instance) > +{ > + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->capabilities_get, NULL); > + return instance->ops->capabilities_get(instance->device); > +} > + > +const struct rte_security_capability * > +rte_security_capability_get(struct rte_security_ctx *instance, > + struct rte_security_capability_idx *idx) > +{ > + const struct rte_security_capability *capabilities; > + const struct rte_security_capability *capability; > + uint16_t i = 0; > + > + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->capabilities_get, NULL); > + capabilities = instance->ops->capabilities_get(instance->device); > + > + if (capabilities == NULL) > + return NULL; > + > + while ((capability = &capabilities[i++])->action > + != RTE_SECURITY_ACTION_TYPE_NONE) { > + if (capability->action == idx->action && > + capability->protocol == idx->protocol) { > + if (idx->protocol == RTE_SECURITY_PROTOCOL_IPSEC) { > + if (capability->ipsec.proto == > + idx->ipsec.proto && > + capability->ipsec.mode == > + idx->ipsec.mode && > + capability->ipsec.direction == > + idx->ipsec.direction) > + return capability; > + } > + } > + } > + > + return NULL; > +} > diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h > new file mode 100644 > index 0000000..416bbfd > --- /dev/null > +++ b/lib/librte_security/rte_security.h 
> @@ -0,0 +1,535 @@ > +/*- > + * BSD LICENSE > + * > + * Copyright 2017 NXP. > + * Copyright(c) 2017 Intel Corporation. All rights reserved. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * > + * * Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * * Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in > + * the documentation and/or other materials provided with the > + * distribution. > + * * Neither the name of NXP nor the names of its > + * contributors may be used to endorse or promote products derived > + * from this software without specific prior written permission. > + * > + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
> + */ > + > +#ifndef _RTE_SECURITY_H_ > +#define _RTE_SECURITY_H_ > + > +/** > + * @file rte_security.h > + * > + * RTE Security Common Definitions > + * > + */ > + > +#ifdef __cplusplus > +extern "C" { > +#endif > + > +#include > + > +#include > +#include > +#include > + > +#include > +#include > +#include > +#include > +#include > + > +/** IPSec protocol mode */ > +enum rte_security_ipsec_sa_mode { > + RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT, > + /**< IPSec Transport mode */ > + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > + /**< IPSec Tunnel mode */ > +}; > + > +/** IPSec Protocol */ > +enum rte_security_ipsec_sa_protocol { > + RTE_SECURITY_IPSEC_SA_PROTO_AH, > + /**< AH protocol */ > + RTE_SECURITY_IPSEC_SA_PROTO_ESP, > + /**< ESP protocol */ > +}; > + > +/** IPSEC tunnel type */ > +enum rte_security_ipsec_tunnel_type { > + RTE_SECURITY_IPSEC_TUNNEL_IPV4, > + /**< Outer header is IPv4 */ > + RTE_SECURITY_IPSEC_TUNNEL_IPV6, > + /**< Outer header is IPv6 */ > +}; > + > +/** > + * Security context for crypto/eth devices > + * > + * Security instance for each driver to register security operations. > + * The application can get the security context from the crypto/eth device id > + * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx() > + * This structure is used to identify the device(crypto/eth) for which the > + * security operations need to be performed. > + */ > +struct rte_security_ctx { > + enum { > + RTE_SECURITY_INSTANCE_INVALID, > + /**< Security context is invalid */ > + RTE_SECURITY_INSTANCE_VALID > + /**< Security context is valid */ > + } state; > + /**< Current state of security context */ > + void *device; > + /**< Crypto/ethernet device attached */ > + struct rte_security_ops *ops; > + /**< Pointer to security ops for the device */ > + uint16_t sess_cnt; > + /**< Number of sessions attached to this context */ > +}; > + > +/** > + * IPSEC tunnel parameters > + * > + * These parameters are used to build outbound tunnel headers. 
> + */ > +struct rte_security_ipsec_tunnel_param { > + enum rte_security_ipsec_tunnel_type type; > + /**< Tunnel type: IPv4 or IPv6 */ > + RTE_STD_C11 > + union { > + struct { > + struct in_addr src_ip; > + /**< IPv4 source address */ > + struct in_addr dst_ip; > + /**< IPv4 destination address */ > + uint8_t dscp; > + /**< IPv4 Differentiated Services Code Point */ > + uint8_t df; > + /**< IPv4 Don't Fragment bit */ > + uint8_t ttl; > + /**< IPv4 Time To Live */ > + } ipv4; > + /**< IPv4 header parameters */ > + struct { > + struct in6_addr src_addr; > + /**< IPv6 source address */ > + struct in6_addr dst_addr; > + /**< IPv6 destination address */ > + uint8_t dscp; > + /**< IPv6 Differentiated Services Code Point */ > + uint32_t flabel; > + /**< IPv6 flow label */ > + uint8_t hlimit; > + /**< IPv6 hop limit */ > + } ipv6; > + /**< IPv6 header parameters */ > + }; > +}; > + > +/** > + * IPsec Security Association option flags > + */ > +struct rte_security_ipsec_sa_options { > + /**< Extended Sequence Numbers (ESN) > + * > + * * 1: Use extended (64 bit) sequence numbers > + * * 0: Use normal sequence numbers > + */ > + uint32_t esn : 1; > + > + /**< UDP encapsulation > + * > + * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can > + * traverse through NAT boxes. > + * * 0: No UDP encapsulation > + */ > + uint32_t udp_encap : 1; > + > + /**< Copy DSCP bits > + * > + * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to > + * the outer IP header in encapsulation, and vice versa in > + * decapsulation. > + * * 0: Do not change DSCP field. > + */ > + uint32_t copy_dscp : 1; > + > + /**< Copy IPv6 Flow Label > + * > + * * 1: Copy IPv6 flow label from inner IPv6 header to the > + * outer IPv6 header. > + * * 0: Outer header is not modified. > + */ > + uint32_t copy_flabel : 1; > + > + /**< Copy IPv4 Don't Fragment bit > + * > + * * 1: Copy the DF bit from the inner IPv4 header to the outer > + * IPv4 header. > + * * 0: Outer header is not modified. 
> + */ > + uint32_t copy_df : 1; > + > + /**< Decrement inner packet Time To Live (TTL) field > + * > + * * 1: In tunnel mode, decrement inner packet IPv4 TTL or > + * IPv6 Hop Limit after tunnel decapsulation, or before tunnel > + * encapsulation. > + * * 0: Inner packet is not modified. > + */ > + uint32_t dec_ttl : 1; > +}; > + > +/** IPSec security association direction */ > +enum rte_security_ipsec_sa_direction { > + RTE_SECURITY_IPSEC_SA_DIR_EGRESS, > + /**< Encrypt and generate digest */ > + RTE_SECURITY_IPSEC_SA_DIR_INGRESS, > + /**< Verify digest and decrypt */ > +}; > + > +/** > + * IPsec security association configuration data. > + * > + * This structure contains data required to create an IPsec SA security session. > + */ > +struct rte_security_ipsec_xform { > + uint32_t spi; > + /**< SA security parameter index */ > + uint32_t salt; > + /**< SA salt */ > + struct rte_security_ipsec_sa_options options; > + /**< various SA options */ > + enum rte_security_ipsec_sa_direction direction; > + /**< IPSec SA Direction - Egress/Ingress */ > + enum rte_security_ipsec_sa_protocol proto; > + /**< IPsec SA Protocol - AH/ESP */ > + enum rte_security_ipsec_sa_mode mode; > + /**< IPsec SA Mode - transport/tunnel */ > + struct rte_security_ipsec_tunnel_param tunnel; > + /**< Tunnel parameters, NULL for transport mode */ > +}; > + > +/** > + * MACsec security session configuration > + */ > +struct rte_security_macsec_xform { > + /** To be Filled */ > +}; > + > +/** > + * Security session action type. 
> + */ > +enum rte_security_session_action_type { > + RTE_SECURITY_ACTION_TYPE_NONE, > + /**< No security actions */ > + RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, > + /**< Crypto processing for security protocol is processed inline > + * during transmission > + */ > + RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, > + /**< All security protocol processing is performed inline during > + * transmission > + */ > + RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL > + /**< All security protocol processing including crypto is performed > + * on a lookaside accelerator > + */ > +}; > + > +/** Security session protocol definition */ > +enum rte_security_session_protocol { > + RTE_SECURITY_PROTOCOL_IPSEC, > + /**< IPsec Protocol */ > + RTE_SECURITY_PROTOCOL_MACSEC, > + /**< MACSec Protocol */ > +}; > + > +/** > + * Security session configuration > + */ > +struct rte_security_session_conf { > + enum rte_security_session_action_type action_type; > + /**< Type of action to be performed on the session */ > + enum rte_security_session_protocol protocol; > + /**< Security protocol to be configured */ > + union { > + struct rte_security_ipsec_xform ipsec; > + struct rte_security_macsec_xform macsec; > + }; > + /**< Configuration parameters for security session */ > + struct rte_crypto_sym_xform *crypto_xform; > + /**< Security Session Crypto Transformations */ > +}; > + > +struct rte_security_session { > + void *sess_private_data; > + /**< Private session material */ > +}; > + > +/** > + * Create security session as specified by the session configuration > + * > + * @param instance security instance > + * @param conf session configuration parameters > + * @param mp mempool to allocate session objects from > + * @return > + * - On success, pointer to session > + * - On failure, NULL > + */ > +struct rte_security_session * > +rte_security_session_create(struct rte_security_ctx *instance, > + struct rte_security_session_conf *conf, > + struct rte_mempool *mp); > + > +/** > + * Update security 
session as specified by the session configuration > + * > + * @param instance security instance > + * @param sess session to update parameters > + * @param conf update configuration parameters > + * @return > + * - On success returns 0 > + * - On failure return errno > + */ > +int > +rte_security_session_update(struct rte_security_ctx *instance, > + struct rte_security_session *sess, > + struct rte_security_session_conf *conf); > + > +/** > + * Free security session header and the session private data and > + * return it to its original mempool. > + * > + * @param instance security instance > + * @param sess security session to freed > + * > + * @return > + * - 0 if successful. > + * - -EINVAL if session is NULL. > + * - -EBUSY if not all device private data has been freed. > + */ > +int > +rte_security_session_destroy(struct rte_security_ctx *instance, > + struct rte_security_session *sess); > + > +/** > + * Updates the buffer with device-specific defined metadata > + * > + * @param instance security instance > + * @param sess security session > + * @param mb packet mbuf to set metadata on. > + * @param params device-specific defined parameters > + * required for metadata > + * > + * @return > + * - On success, zero. > + * - On failure, a negative value. 
> + */ > +int > +rte_security_set_pkt_metadata(struct rte_security_ctx *instance, > + struct rte_security_session *sess, > + struct rte_mbuf *mb, void *params); > + > +/** > + * Attach a session to a symmetric crypto operation > + * > + * @param sym_op crypto operation > + * @param sess security session > + */ > +static inline int > +__rte_security_attach_session(struct rte_crypto_sym_op *sym_op, > + struct rte_security_session *sess) > +{ > + sym_op->sec_session = sess; > + > + return 0; > +} > + > +static inline void * > +get_sec_session_private_data(const struct rte_security_session *sess) > +{ > + return sess->sess_private_data; > +} > + > +static inline void > +set_sec_session_private_data(struct rte_security_session *sess, > + void *private_data) > +{ > + sess->sess_private_data = private_data; > +} > + > +/** > + * Attach a session to a crypto operation. > + * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD > + * For other rte_security_session_action_type, ol_flags in rte_mbuf may be > + * defined to perform security operations. 
> + * > + * @param op crypto operation > + * @param sess security session > + */ > +static inline int > +rte_security_attach_session(struct rte_crypto_op *op, > + struct rte_security_session *sess) > +{ > + if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC)) > + return -EINVAL; > + > + op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION; > + > + return __rte_security_attach_session(op->sym, sess); > +} > + > +struct rte_security_macsec_stats { > + uint64_t reserved; > +}; > + > +struct rte_security_ipsec_stats { > + uint64_t reserved; > + > +}; > + > +struct rte_security_stats { > + enum rte_security_session_protocol protocol; > + /**< Security protocol to be configured */ > + > + union { > + struct rte_security_macsec_stats macsec; > + struct rte_security_ipsec_stats ipsec; > + }; > +}; > + > +/** > + * Get security session statistics > + * > + * @param instance security instance > + * @param sess security session > + * @param stats statistics > + * @return > + * - On success return 0 > + * - On failure errno > + */ > +int > +rte_security_session_stats_get(struct rte_security_ctx *instance, > + struct rte_security_session *sess, > + struct rte_security_stats *stats); > + > +/** > + * Security capability definition > + */ > +struct rte_security_capability { > + enum rte_security_session_action_type action; > + /**< Security action type*/ > + enum rte_security_session_protocol protocol; > + /**< Security protocol */ > + RTE_STD_C11 > + union { > + struct { > + enum rte_security_ipsec_sa_protocol proto; > + /**< IPsec SA protocol */ > + enum rte_security_ipsec_sa_mode mode; > + /**< IPsec SA mode */ > + enum rte_security_ipsec_sa_direction direction; > + /**< IPsec SA direction */ > + struct rte_security_ipsec_sa_options options; > + /**< IPsec SA supported options */ > + } ipsec; > + /**< IPsec capability */ > + struct { > + /* To be Filled */ > + } macsec; > + /**< MACsec capability */ > + }; > + > + const struct rte_cryptodev_capabilities *crypto_capabilities; > + 
/**< Corresponding crypto capabilities for security capability */ > + > + uint32_t ol_flags; > + /**< Device offload flags */ > +}; > + > +#define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 > +/**< HW needs metadata update, see rte_security_set_pkt_metadata(). > + */ > + > +#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 > +/**< HW constructs trailer of packets > + * Transmitted packets will have the trailer added to them > + * by hardawre. The next protocol field will be based on > + * the mbuf->inner_esp_next_proto field. > + */ > +#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000 > +/**< HW removes trailer of packets > + * Received packets have no trailer, the next protocol field > + * is supplied in the mbuf->inner_esp_next_proto field. > + * Inner packet is not modified. > + */ > + > +/** > + * Security capability index used to query a security instance for a specific > + * security capability > + */ > +struct rte_security_capability_idx { > + enum rte_security_session_action_type action; > + enum rte_security_session_protocol protocol; > + > + union { > + struct { > + enum rte_security_ipsec_sa_protocol proto; > + enum rte_security_ipsec_sa_mode mode; > + enum rte_security_ipsec_sa_direction direction; > + } ipsec; > + }; > +}; > + > +/** > + * Returns array of security instance capabilities > + * > + * @param instance Security instance. > + * > + * @return > + * - Returns array of security capabilities. > + * - Return NULL if no capabilities available. > + */ > +const struct rte_security_capability * > +rte_security_capabilities_get(struct rte_security_ctx *instance); > + > +/** > + * Query if a specific capability is available on security instance > + * > + * @param instance security instance. > + * @param idx security capability index to match against > + * > + * @return > + * - Returns pointer to security capability on match of capability > + * index criteria. > + * - Return NULL if the capability not matched on security instance. 
> + */ > +const struct rte_security_capability * > +rte_security_capability_get(struct rte_security_ctx *instance, > + struct rte_security_capability_idx *idx); > + > +#ifdef __cplusplus > +} > +#endif > + > +#endif /* _RTE_SECURITY_H_ */ > diff --git a/lib/librte_security/rte_security_driver.h b/lib/librte_security/rte_security_driver.h > new file mode 100644 > index 0000000..78814fa > --- /dev/null > +++ b/lib/librte_security/rte_security_driver.h 
> @@ -0,0 +1,155 @@ > +/*- > + * BSD LICENSE > + * > + * Copyright(c) 2017 Intel Corporation. All rights reserved. > + * Copyright 2017 NXP. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * > + * * Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * * Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in > + * the documentation and/or other materials provided with the > + * distribution. > + * * Neither the name of Intel Corporation nor the names of its > + * contributors may be used to endorse or promote products derived > + * from this software without specific prior written permission. > + * > + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
> + */ > + > +#ifndef _RTE_SECURITY_DRIVER_H_ > +#define _RTE_SECURITY_DRIVER_H_ > + > +/** > + * @file rte_security_driver.h > + * > + * RTE Security Common Definitions > + * > + */ > + > +#ifdef __cplusplus > +extern "C" { > +#endif > + > +#include "rte_security.h" > + > +/** > + * Configure a security session on a device. > + * > + * @param device Crypto/eth device pointer > + * @param conf Security session configuration > + * @param sess Pointer to Security private session structure > + * @param mp Mempool where the private session is allocated > + * > + * @return > + * - Returns 0 if private session structure have been created successfully. > + * - Returns -EINVAL if input parameters are invalid. > + * - Returns -ENOTSUP if crypto device does not support the crypto transform. > + * - Returns -ENOMEM if the private session could not be allocated. > + */ > +typedef int (*security_session_create_t)(void *device, > + struct rte_security_session_conf *conf, > + struct rte_security_session *sess, > + struct rte_mempool *mp); > + > +/** > + * Free driver private session data. > + * > + * @param dev Crypto/eth device pointer > + * @param sess Security session structure > + */ > +typedef int (*security_session_destroy_t)(void *device, > + struct rte_security_session *sess); > + > +/** > + * Update driver private session data. > + * > + * @param device Crypto/eth device pointer > + * @param sess Pointer to Security private session structure > + * @param conf Security session configuration > + * > + * @return > + * - Returns 0 if private session structure have been updated successfully. > + * - Returns -EINVAL if input parameters are invalid. > + * - Returns -ENOTSUP if crypto device does not support the crypto transform. > + */ > +typedef int (*security_session_update_t)(void *device, > + struct rte_security_session *sess, > + struct rte_security_session_conf *conf); > +/** > + * Get stats from the PMD. 
> + * > + * @param device Crypto/eth device pointer > + * @param sess Pointer to Security private session structure > + * @param stats Security stats of the driver > + * > + * @return > + * - Returns 0 if private session structure have been updated successfully. > + * - Returns -EINVAL if session parameters are invalid. > + */ > +typedef int (*security_session_stats_get_t)(void *device, > + struct rte_security_session *sess, > + struct rte_security_stats *stats); > + > +/** > + * Update the mbuf with provided metadata. > + * > + * @param sess Security session structure > + * @param mb Packet buffer > + * @param mt Metadata > + * > + * @return > + * - Returns 0 if metadata updated successfully. > + * - Returns -ve value for errors. > + */ > +typedef int (*security_set_pkt_metadata_t)(void *device, > + struct rte_security_session *sess, struct rte_mbuf *m, > + void *params); > + > +/** > + * Get security capabilities of the device. > + * > + * @param device crypto/eth device pointer > + * > + * @return > + * - Returns rte_security_capability pointer on success. > + * - Returns NULL on error. > + */ > +typedef const struct rte_security_capability *(*security_capabilities_get_t)( > + void *device); > + > +/** Security operations function pointer table */ > +struct rte_security_ops { > + security_session_create_t session_create; > + /**< Configure a security session. */ > + security_session_update_t session_update; > + /**< Update a security session. */ > + security_session_stats_get_t session_stats_get; > + /**< Get security session statistics. */ > + security_session_destroy_t session_destroy; > + /**< Clear a security sessions private data. */ > + security_set_pkt_metadata_t set_pkt_metadata; > + /**< Update mbuf metadata. */ > + security_capabilities_get_t capabilities_get; > + /**< Get security capabilities. */ > +}; > + > +#ifdef __cplusplus > +} > +#endif > + > +#endif /* _RTE_SECURITY_DRIVER_H_ */ 
> diff --git a/lib/librte_security/rte_security_version.map b/lib/librte_security/rte_security_version.map > new file mode 100644 > index 0000000..8af7fc1 > --- /dev/null > +++ b/lib/librte_security/rte_security_version.map > @@ -0,0 +1,13 @@ > +DPDK_17.11 { > + global: > + > + rte_security_attach_session; > + rte_security_capabilities_get; > + rte_security_capability_get; > + rte_security_session_create; > + rte_security_session_destroy; > + rte_security_session_stats_get; > + rte_security_session_update; > + rte_security_set_pkt_metadata; > + > +}; Tested-by: Aviad Yehezkel
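Review bot: In rte_security_session_destroy() in the rte_security.c hunk, sess_cnt is decremented before the driver's session_destroy callback runs and regardless of its result, so a failed destroy leaves the context's session count one lower than the number of live sessions; move `instance->sess_cnt--` under the `if (!ret)` branch next to the rte_mempool_put(). In the same function, rte_mempool_from_obj(sess) is evaluated before anything validates sess, while the rte_security.h documentation for this call promises `-EINVAL if session is NULL`; add `if (sess == NULL) return -EINVAL;` ahead of the mempool lookup. rte_security_session_create() checks conf but not mp before rte_mempool_get(), and none of the wrappers check instance or instance->ops before dereferencing them in RTE_FUNC_PTR_OR_ERR_RET; an explicit NULL check returning -EINVAL (or NULL for the pointer-returning calls) would make that failure mode defined rather than a crash. Finally, rte_security_capability_get() only returns a match inside the `if (idx->protocol == RTE_SECURITY_PROTOCOL_IPSEC)` branch, so a MACsec entry whose action and protocol both match still yields NULL, and the loop terminates on an entry with action RTE_SECURITY_ACTION_TYPE_NONE, a sentinel that the capabilities_get documentation should state so PMD authors know to provide it.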
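Review bot: The member documentation in struct rte_security_ipsec_sa_options in the rte_security.h hunk uses the trailing-comment marker `/**<` on comments placed before each bit-field (`/**< Extended Sequence Numbers (ESN)` precedes `uint32_t esn : 1;`), so Doxygen attaches each description to the preceding member and the first one to nothing; use `/**` for comments that precede a member, as the rest of the header does. The comment on rte_security_attach_session() refers to RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD, which does not exist in this header; the enumerator it describes is RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL. The `tunnel` member of struct rte_security_ipsec_xform is documented as `NULL for transport mode`, but it is embedded by value and cannot be NULL; say it is ignored in transport mode instead. `struct rte_security_macsec_xform { /** To be Filled */ };` and the empty `macsec` struct inside the capability union are empty structs, a GNU extension rather than ISO C, which is fragile under `CFLAGS += $(WERROR_FLAGS)` and stricter warning sets; a reserved placeholder member would hold the ABI slot without relying on the extension. Minor: "hardawre" in the RTE_SECURITY_TX_HW_TRAILER_OFFLOAD comment, the `mb` parameter name in the rte_security_set_pkt_metadata() prototype differs from `m` in its definition, and get_sec_session_private_data()/set_sec_session_private_data() are exposed from a public header without the rte_ prefix.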
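Review bot: Several callback doc blocks in the rte_security_driver.h hunk do not match their prototypes: security_session_destroy_t documents `@param dev` while the parameter is `device` and leaves its int return value undocumented; security_set_pkt_metadata_t documents `@param mb` and `@param mt` for parameters actually named `m` and `params` and omits `device` entirely. Aligning these avoids Doxygen warnings and, more usefully, tells PMD authors what `params` is expected to carry. The `@file` comment also repeats "RTE Security Common Definitions" from rte_security.h; this header is the PMD-facing interface and its description should say so.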
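Review bot: rte_security_attach_session is defined `static inline` in rte_security.h, so librte_security emits no symbol by that name and listing it in the DPDK_17.11 block of rte_security_version.map exports nothing; either drop it from the map or, if it is meant to be a stable ABI entry point, make it a real function in rte_security.c. The remaining seven entries correspond to the non-inline definitions in the rte_security.c hunk.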