[dpdk-dev] [RFC PATCH 1/4] rte_security: API definitions
Radu Nicolau
radu.nicolau at intel.com
Tue Aug 15 13:04:37 CEST 2017
On 8/15/2017 7:35 AM, Akhil Goyal wrote:
> Detailed description is added in the coverletter
>
> Signed-off-by: Akhil Goyal <akhil.goyal at nxp.com>
> ---
> lib/librte_cryptodev/rte_security.c | 171 +++++++++++++++
> lib/librte_cryptodev/rte_security.h | 409 ++++++++++++++++++++++++++++++++++++
> 2 files changed, 580 insertions(+)
> create mode 100644 lib/librte_cryptodev/rte_security.c
> create mode 100644 lib/librte_cryptodev/rte_security.h
>
> diff --git a/lib/librte_cryptodev/rte_security.c b/lib/librte_cryptodev/rte_security.c
> new file mode 100644
> index 0000000..7c73c93
> --- /dev/null
> +++ b/lib/librte_cryptodev/rte_security.c
> @@ -0,0 +1,171 @@
> +/*-
> + * BSD LICENSE
> + *
> + * Copyright 2017 NXP.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions
> + * are met:
> + *
> + * * Redistributions of source code must retain the above copyright
> + * notice, this list of conditions and the following disclaimer.
> + * * Redistributions in binary form must reproduce the above copyright
> + * notice, this list of conditions and the following disclaimer in
> + * the documentation and/or other materials provided with the
> + * distribution.
> + * * Neither the name of NXP nor the names of its
> + * contributors may be used to endorse or promote products derived
> + * from this software without specific prior written permission.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +
> +#include <rte_log.h>
> +#include <rte_debug.h>
> +#include <rte_dev.h>
> +#include <rte_memory.h>
> +#include <rte_memcpy.h>
> +#include <rte_launch.h>
> +#include <rte_common.h>
> +#include <rte_mempool.h>
> +#include <rte_malloc.h>
> +#include <rte_errno.h>
> +
> +#include "rte_crypto.h"
> +#include "rte_cryptodev_pmd.h"
> +#include "rte_security.h"
> +#include "rte_ethdev.h"
> +#include "rte_cryptodev.h"
> +
> +
> +struct rte_security_session *
> +rte_security_session_create(struct rte_mempool *mp)
> +{
> + struct rte_security_session *sess;
> +
> + /* Allocate a session structure from the session pool */
> + if (rte_mempool_get(mp, (void *)&sess)) {
> + CDEV_LOG_ERR("couldn't get object from session mempool");
> + return NULL;
> + }
> +
> + /* Clear device session pointer */
> + memset(sess, 0, (sizeof(void *) *
> + RTE_MAX(rte_eth_dev_count(), rte_cryptodev_count())));
> +
> + return sess;
> +}
> +
> +int
> +rte_security_session_init(uint16_t dev_id,
> + struct rte_security_session *sess,
> + struct rte_security_sess_conf *conf,
> + struct rte_mempool *mp)
> +{
> + struct rte_cryptodev *cdev = NULL;
> + struct rte_eth_dev *dev = NULL;
> + uint8_t index;
> + int ret;
> +
> + if (sess == NULL || conf == NULL)
> + return -EINVAL;
> +
> + switch (conf->action_type) {
> + case RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD:
> + if (!rte_cryptodev_pmd_is_valid_dev(dev_id))
> + return -EINVAL;
> + cdev = rte_cryptodev_pmd_get_dev(dev_id);
> + index = cdev->driver_id;
> + if (sess->sess_private_data[index] == NULL) {
> + ret = cdev->sec_ops->session_configure(cdev, conf, sess, mp);
> + if (ret < 0) {
> + CDEV_LOG_ERR(
> + "cdev_id %d failed to configure session details",
> + dev_id);
> + return ret;
> + }
> + }
> + break;
> + case RTE_SECURITY_SESS_ETH_INLINE_CRYPTO:
> + case RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD:
> + dev = &rte_eth_devices[dev_id];
> + index = dev->data->port_id;
> + if (sess->sess_private_data[index] == NULL) {
> +// ret = dev->sec_ops->session_configure(dev, conf, sess, mp);
> +// if (ret < 0) {
> +// CDEV_LOG_ERR(
> +// "dev_id %d failed to configure session details",
> +// dev_id);
> +// return ret;
> +// }
The commented lines above suggests that also eth devices will have a
sec_ops field, (which makes sense). Is this correct?
Also, if the above is correct, session_configure and session_clear
should accept both crypto and eth devices as first parameter.
> + }
> + break;
> + default:
> + return -EINVAL;
> + }
> +
> + return 0;
> +}
> +
> +int
> +rte_security_session_free(struct rte_security_session *sess)
> +{
> + uint8_t i, nb_drivers = RTE_MAX(rte_eth_dev_count(),
> + rte_cryptodev_count());
> + void *sess_priv;
> + struct rte_mempool *sess_mp;
> +
> + if (sess == NULL)
> + return -EINVAL;
> +
> + /* Check that all device private data has been freed */
> + for (i = 0; i < nb_drivers; i++) {
> + sess_priv = get_sec_session_private_data(sess, i);
> + if (sess_priv != NULL)
> + return -EBUSY;
> + }
> +
> + /* Return session to mempool */
> + sess_mp = rte_mempool_from_obj(sess);
> + rte_mempool_put(sess_mp, sess);
> +
> + return 0;
> +}
> +
> +int
> +rte_security_session_clear(uint8_t dev_id,
> + enum rte_security_session_action_type action_type,
> + struct rte_security_session *sess)
> +{
> + struct rte_cryptodev *cdev = NULL;
> + struct rte_eth_dev *dev = NULL;
> + switch (action_type) {
> + case RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD:
> + cdev = rte_cryptodev_pmd_get_dev(dev_id);
> + if (cdev == NULL || sess == NULL)
> + return -EINVAL;
> + cdev->sec_ops->session_clear(cdev, sess);
> + break;
> + case RTE_SECURITY_SESS_ETH_INLINE_CRYPTO:
> + case RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD:
> + dev = &rte_eth_devices[dev_id];
> + if (dev == NULL || sess == NULL)
> + return -EINVAL;
> +// dev->dev_ops->session_clear(dev, sess);
> + break;
> + default:
> + return -EINVAL;
> + }
> +
> + return 0;
> +}
> diff --git a/lib/librte_cryptodev/rte_security.h b/lib/librte_cryptodev/rte_security.h
> new file mode 100644
> index 0000000..9747d5e
> --- /dev/null
> +++ b/lib/librte_cryptodev/rte_security.h
> @@ -0,0 +1,409 @@
> +#ifndef _RTE_SECURITY_H_
> +#define _RTE_SECURITY_H_
> +
> +/**
> + * @file rte_security.h
> + *
> + * RTE Security Common Definitions
> + *
> + */
> +
> +#ifdef __cplusplus
> +extern "C" {
> +#endif
> +
> +#include <netinet/in.h>
> +#include <netinet/ip.h>
> +#include <netinet/ip6.h>
> +
> +#include <rte_mbuf.h>
> +#include <rte_memory.h>
> +#include <rte_mempool.h>
> +#include <rte_common.h>
> +#include <rte_crypto.h>
> +
> +/** IPSec protocol mode */
> +enum rte_security_conf_ipsec_sa_mode {
> + RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
> + /**< IPSec Transport mode */
> + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
> + /**< IPSec Tunnel mode */
> +};
> +
> +/** IPSec Protocol */
> +enum rte_security_conf_ipsec_sa_protocol {
> + RTE_SECURITY_IPSEC_SA_PROTO_AH,
> + /**< AH protocol */
> + RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> + /**< ESP protocol */
> +};
> +
> +/** IPSEC tunnel type */
> +enum rte_security_ipsec_tunnel_type {
> + RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 0,
> + /**< Outer header is IPv4 */
> + RTE_SECURITY_IPSEC_TUNNEL_IPV6,
> + /**< Outer header is IPv6 */
> +};
> +
> +/**
> + * IPSEC tunnel parameters
> + *
> + * These parameters are used to build outbound tunnel headers.
> + */
> +struct rte_security_ipsec_tunnel_param {
> + enum rte_security_ipsec_tunnel_type type;
> + /**< Tunnel type: IPv4 or IPv6 */
> +
> + union {
> + struct {
> + struct in_addr src_ip;
> + /**< IPv4 source address */
> + struct in_addr dst_ip;
> + /**< IPv4 destination address */
> + uint8_t dscp;
> + /**< IPv4 Differentiated Services Code Point */
> + uint8_t df;
> + /**< IPv4 Don't Fragment bit */
> + uint8_t ttl;
> + /**< IPv4 Time To Live */
> + } ipv4; /**< IPv4 header parameters */
> +
> + struct {
> + struct in6_addr *src_addr;
> + /**< IPv6 source address */
> + struct in6_addr *dst_addr;
> + /**< IPv6 destination address */
> + uint8_t dscp;
> + /**< IPv6 Differentiated Services Code Point */
> + uint32_t flabel;
> + /**< IPv6 flow label */
> + uint8_t hlimit;
> + /**< IPv6 hop limit */
> + } ipv6; /**< IPv6 header parameters */
> + }; /**< Various tunnel parameters */
> +};
> +
> +/**
> + * IPSEC SA option flags
> + */
> +struct rte_security_ipsec_sa_options {
> + /** Extended Sequence Numbers (ESN)
> + *
> + * * 1: Use extended (64 bit) sequence numbers
> + * * 0: Use normal sequence numbers
> + */
> + uint32_t esn : 1;
> +
> + /** UDP encapsulation
> + *
> + * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
> + * traverse through NAT boxes.
> + * * 0: No UDP encapsulation
> + */
> + uint32_t udp_encap : 1;
> +
> + /** Copy DSCP bits
> + *
> + * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
> + * the outer IP header in encapsulation, and vice versa in
> + * decapsulation.
> + * * 0: Use values from odp_ipsec_tunnel_param_t in encapsulation and
> + * do not change DSCP field in decapsulation.
> + */
> + uint32_t copy_dscp : 1;
> +
> + /** Copy IPv6 Flow Label
> + *
> + * * 1: Copy IPv6 flow label from inner IPv6 header to the
> + * outer IPv6 header.
> + * * 0: Use value from odp_ipsec_tunnel_param_t
> + */
> + uint32_t copy_flabel : 1;
> +
> + /** Copy IPv4 Don't Fragment bit
> + *
> + * * 1: Copy the DF bit from the inner IPv4 header to the outer
> + * IPv4 header.
> + * * 0: Use value from odp_ipsec_tunnel_param_t
> + */
> + uint32_t copy_df : 1;
> +
> + /** Decrement inner packet Time To Live (TTL) field
> + *
> + * * 1: In tunnel mode, decrement inner packet IPv4 TTL or
> + * IPv6 Hop Limit after tunnel decapsulation, or before tunnel
> + * encapsulation.
> + * * 0: Inner packet is not modified.
> + */
> + uint32_t dec_ttl : 1;
> +
> +};
> +
> +/** IPSec Operations */
> +enum rte_security_ipsec_operation {
> + RTE_SECURITY_IPSEC_OP_ENCAP,
> + /**< Encrypt and generate digest */
> + RTE_SECURITY_IPSEC_OP_DECAP,
> + /**< Verify digest and decrypt */
> +};
> +
> +/**
> + * IPSec Setup Data.
> + *
> + * This structure contains data relating to IPSec
> + * used to create a session.
> + */
> +struct rte_security_ipsec_xform {
> + enum rte_security_ipsec_operation op;
> + /**< IPSec operation - Encap or Decap */
> + unsigned int spi;
> + /**< SA security parameter index */
> + enum rte_crypto_cipher_algorithm cipher_alg;
> + /**< Cipher Algorithm */
> + struct {
> + uint8_t *data; /**< pointer to key data */
> + size_t length; /**< key length in bytes */
> + } cipher_key;
> + enum rte_crypto_auth_algorithm auth_alg;
> + /**< Authentication Algorithm */
> + struct {
> + uint8_t *data; /**< pointer to key data */
> + size_t length; /**< key length in bytes */
> + } auth_key;
> + uint32_t salt; /**< salt for this SA */
> + enum rte_security_conf_ipsec_sa_mode mode;
> + /**< IPsec SA Mode - transport/tunnel */
> + enum rte_security_conf_ipsec_sa_protocol proto;
> + /**< IPsec SA Protocol - AH/ESP */
> + struct rte_security_ipsec_tunnel_param tunnel;
> + /**< Tunnel parameters, NULL for transport mode */
> + struct rte_security_ipsec_sa_options options;
> + /**< various SA options */
> +};
> +
> +/** IPsec Security Session Configuration */
> +struct rte_security_dtls_xform {
> + /** To be Filled */
> +};
> +
> +/** IPsec Security Session Configuration */
> +struct rte_security_macsec_xform {
> + /** To be Filled */
> +};
> +
> +/**< Security Session action type */
> +enum rte_security_session_action_type {
> + RTE_SECURITY_SESS_NONE,
> + /**< Non protocol offload. Application need to manage everything */
> + RTE_SECURITY_SESS_ETH_INLINE_CRYPTO,
> + /**< Crypto operations are performed by Network interface */
> + RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD,
> + /**< Crypto operations with protocol support are performed
> + * by Network/ethernet device.
> + */
> + RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD,
> + /**< Crypto operations with protocol support are performed
> + * by Crypto device.
> + */
> +};
> +
> +/** Security Session Protocols */
> +enum rte_security_sess_protocol {
> + RTE_SEC_CONF_DTLS,
> + /**< DTLS Protocol */
> + RTE_SEC_CONF_IPSEC,
> + /**< IPSec Protocol */
> + RTE_SEC_CONF_MACSEC,
> + /**< MACSec Protocol */
> +};
> +
> +/**
> + * Security Session Configuration
> + */
> +struct rte_security_sess_conf {
> + enum rte_security_session_action_type action_type;
> + /**< Type of action to be performed on the session */
> + enum rte_security_sess_protocol protocol;
> + /**< Security protocol to be configured */
> +
> + union {
> + struct rte_security_ipsec_xform *ipsec_xform;
> + struct rte_security_dtls_xform *dtls_xform;
> + struct rte_security_macsec_xform *macsec_xform;
> + };
> + /**< Configuration parameters for security session */
> +};
> +
> +struct rte_security_session {
> + __extension__ void *sess_private_data[0];
> + /**< Private session material */
> +};
> +
> +/**
> + * Create Security session header (generic with no private data)
> + *
> + * @param mempool Session mempool to allocate session objects from
> + * @return
> + * - On success, pointer to session
> + * - On failure, NULL
> + */
> +struct rte_security_session *
> +rte_security_session_create(struct rte_mempool *mempool);
> +
> +/**
> + * Fill out private data for the device, based on its device id and name.
> + *
> + * @param dev_id Device id that we want the session to be used on
> + * @param dev_name Device name for which session is to be used
> + * @param sess Session where the private data will be attached to
> + * @param conf Security config to apply on flow
> + * processed with this session
> + * @param mempool Mempool where the private data is allocated.
> + *
> + * @return
> + * - On success, zero.
> + * - On failure, a negative value.
> + */
> +int
> +rte_security_session_init(uint16_t dev_id,
> + struct rte_security_session *sess,
> + struct rte_security_sess_conf *conf,
> + struct rte_mempool *mempool);
> +
> +/**
> + * Frees Security session header, after checking that all
> + * the device private data has been freed, returning it
> + * to its original mempool.
> + *
> + * @param sess Session header to be freed.
> + *
> + * @return
> + * - 0 if successful.
> + * - -EINVAL if session is NULL.
> + * - -EBUSY if not all device private data has been freed.
> + */
> +int
> +rte_security_session_free(struct rte_security_session *sess);
> +
> +/**
> + * Frees private data for the device id, based on its device name,
> + * returning it to its mempool.
> + *
> + * @param dev_id ID of device that uses the session.
> + * @param action_type Action type for Security operation.
> + * @param sess Session containing the reference to the private data
> + *
> + * @return
> + * - 0 if successful.
> + * - -EINVAL if device is invalid or session is NULL.
> + */
> +int
> +rte_security_session_clear(uint8_t dev_id,
> + enum rte_security_session_action_type action_type,
> + struct rte_security_session *sess);
> +
> +/**
> + * Attach a session to a symmetric crypto operation
> + *
> + * @param sym_op crypto operation
> + * @param sess security session
> + */
> +static inline int
> +__rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
> + struct rte_security_session *sess)
> +{
> + sym_op->sec_session = sess;
> +
> + return 0;
> +}
> +
> +static inline void *
> +get_sec_session_private_data(const struct rte_security_session *sess,
> + uint8_t driver_id) {
> + return sess->sess_private_data[driver_id];
> +}
> +
> +static inline void
> +set_sec_session_private_data(struct rte_security_session *sess,
> + uint8_t driver_id, void *private_data)
> +{
> + sess->sess_private_data[driver_id] = private_data;
> +}
> +
> +/**
> + * Attach a session to a crypto operation.
> + * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD
> + * For other rte_security_session_action_type, ol_flags in rte_mbuf may be
> + * defined to perform security operations.
> + *
> + * @param op crypto operation
> + * @param sess security session
> + */
> +static inline int
> +rte_security_attach_session(struct rte_crypto_op *op,
> + struct rte_security_session *sess)
> +{
> + if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
> + return -1;
> +
> + op->sess_type = RTE_CRYPTO_OP_WITH_SESSION;
> +
> + return __rte_security_attach_session(op->sym, sess);
> +}
> +
> +/**
> + * Security Capability
> + */
> +struct rte_security_capabilities {
> + enum rte_security_sess_protocol protocol;
> + RTE_STD_C11
> + union {
> + struct {
> + enum rte_crypto_auth_algorithm a_algo;
> + /**< authentication algorithm */
> + enum rte_crypto_cipher_algorithm c_algo;
> + /**< cipher algorithm */
> + uint16_t block_size;
> + /**< algorithm block size */
> + struct rte_crypto_param_range c_key_size;
> + /**< cipher key size range */
> + struct rte_crypto_param_range a_key_size;
> + /**< auth key size range */
> + struct rte_crypto_param_range digest_size;
> + /**< digest size range */
> + struct rte_crypto_param_range iv_size;
> + /**< Initialisation vector data size range */
> + } ipsec;
> + /**< IPSEC transform capabilities */
> + struct {
> + /* To be Filled */
> + } dtls;
> + /**< DTLS transform capabilities */
> + struct {
> + /* To be Filled */
> + } macsec;
> + /**< MACSEC transform capabilities */
> + };
> +};
> +
> +/**
> + * Provide capabilities available for defined device and algorithm
> + *
> + * @param dev_id The identifier of the device.
> + * @param dev_name Device name for which capability is needed
> + * @param protocol Protocol for which capability is required
> + *
> + * @return
> + * - Return description of the security capability if exist.
> + * - Return NULL if the capability not exist.
> + */
> +const struct rte_security_capabilities *
> +rte_security_capability_get(uint8_t dev_id, char *dev_name,
> + enum rte_security_sess_protocol protocol);
> +
> +#ifdef __cplusplus
> +}
> +#endif
> +
> +#endif /* _RTE_SECURITY_H_ */
More information about the dev
mailing list