[dpdk-dev] [PATCH 1/2] lib/security: add support for saving app cookie

Anoob Joseph anoob.joseph at caviumnetworks.com
Mon Nov 20 11:31:44 CET 2017


In case of inline protocol processed ingress traffic, the packet may not
have enough information to determine the security parameters with which
the packet was processed. In such cases, the application could register
a cookie, which will be saved in the security session.

As the ingress packets are received in the application, it will have
some metadata set in the mbuf. Application can pass this metadata to
"rte_security_session_get" API to retrieve the security session. Once
the security session is determined, another driver call with the
security session will give the application the cookie it had registered.

The cookie will be registered while creating the security session.
Without the cookie, the selector check (SP-SA check) for the incoming
IPsec traffic won't be possible in the application.

Application can choose what it should register as the cookie. It can
register SPI or a pointer to SA.

Signed-off-by: Anoob Joseph <anoob.joseph at caviumnetworks.com>
---
 lib/librte_security/rte_security.c        | 26 +++++++++++++++++++++++
 lib/librte_security/rte_security.h        | 30 +++++++++++++++++++++++++++
 lib/librte_security/rte_security_driver.h | 34 +++++++++++++++++++++++++++++++
 3 files changed, 90 insertions(+)

diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
index 1227fca..1c706fe 100644
--- a/lib/librte_security/rte_security.c
+++ b/lib/librte_security/rte_security.c
@@ -98,6 +98,32 @@ rte_security_session_destroy(struct rte_security_ctx *instance,
 	return ret;
 }
 
+struct rte_security_session *
+rte_security_session_get(struct rte_security_ctx *instance,
+			 uint64_t mdata)
+{
+	struct rte_security_session *sess = NULL;
+
+	RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_get, NULL);
+	if (instance->ops->session_get(instance->device, mdata, &sess))
+		return NULL;
+
+	return sess;
+}
+
+uint64_t
+rte_security_cookie_get(struct rte_security_ctx *instance,
+			struct rte_security_session *sess)
+{
+	uint64_t cookie = 0;
+
+	RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->cookie_get, 0);
+	if (instance->ops->cookie_get(instance->device, sess, &cookie))
+		return 0;
+
+	return cookie;
+}
+
 int
 rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
 			      struct rte_security_session *sess,
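Review bot: rte_security_cookie_get returns 0 when the driver has no cookie_get op, when the driver call fails, and when the application registered a cookie whose value is 0, so a caller cannot distinguish a lookup failure from a legitimate zero cookie — and the commit message says the application may register an SPI or a pointer, either of which it could in principle set to 0. Returning a negative errno and handing the cookie back through an out-parameter, mirroring the security_cookie_get_t driver op this series adds in rte_security_driver.h, would remove the ambiguity; the prototype and its `@return` text in the rte_security.h hunk would need the matching change. If the in-band 0 is kept instead, the `uint64_t cookie` field added to struct rte_security_session_conf should say so, e.g. `/**< Cookie registered by application; 0 is reserved and means "no cookie" */`, so applications do not register a value the getter cannot report. The surrounding rte_security.c functions are outside the hunk.
```c
int
rte_security_cookie_get(struct rte_security_ctx *instance,
			struct rte_security_session *sess,
			uint64_t *cookie)
{
	/* -ENOTSUP: driver does not implement cookie retrieval */
	RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->cookie_get, -ENOTSUP);
	return instance->ops->cookie_get(instance->device, sess, cookie);
}
```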
diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index 7e687d2..95f81ee 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -273,6 +273,8 @@ struct rte_security_session_conf {
 	/**< Configuration parameters for security session */
 	struct rte_crypto_sym_xform *crypto_xform;
 	/**< Security Session Crypto Transformations */
+	uint64_t cookie;
+	/**< Cookie registered by application */
 };
 
 struct rte_security_session {
@@ -327,6 +329,34 @@ rte_security_session_destroy(struct rte_security_ctx *instance,
 			     struct rte_security_session *sess);
 
 /**
+ * Get the security session from the metadata set in mbuf.
+ *
+ * @param   instance	security instance
+ * @param   mdata	metadata set in mbuf during rx offload
+ * @return
+ *  - On success, pointer to session
+ *  - On failure, NULL
+ */
+struct rte_security_session *
+rte_security_session_get(struct rte_security_ctx *instance,
+			 uint64_t mdata);
+
+/**
+ * Get the cookie set by application while creating the session. This could be
+ * used to identify the SA associated with the session.
+ *
+ * @param   instance	security instance
+ * @param   sess	security session
+ *
+ * @return
+ *  - On success, cookie
+ *  - On failure, 0
+ */
+uint64_t
+rte_security_cookie_get(struct rte_security_ctx *instance,
+			struct rte_security_session *sess);
+
+/**
  *  Updates the buffer with device-specific defined metadata
  *
  * @param	instance	security instance
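Review bot: The `@param mdata` text for rte_security_session_get says only "metadata set in mbuf during rx offload", which does not tell the application which mbuf field to read or that the value is driver-defined and must be passed through unchanged. Since the SP-SA check described in the commit message depends on this lookup mapping a packet to the right session, the contract deserves a sentence, e.g. `@param mdata driver-specific value the PMD stored in the mbuf on Rx; opaque to the application and passed unchanged`, ideally naming the field once it is fixed. Likewise the cookie_get `@return` of "On failure, 0" should state that 0 is also what a zero cookie yields, so callers do not treat it as a reliable error indicator.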
diff --git a/lib/librte_security/rte_security_driver.h b/lib/librte_security/rte_security_driver.h
index 997fbe7..f503be6a 100644
--- a/lib/librte_security/rte_security_driver.h
+++ b/lib/librte_security/rte_security_driver.h
@@ -107,6 +107,36 @@ typedef int (*security_session_stats_get_t)(void *device,
 		struct rte_security_stats *stats);
 
 /**
+ * Get the security session from the metadata set in mbuf.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	mdata		Metadata set in mbuf during rx offload
+ * @param	sess		Pointer to return the security session retrieved
+ *
+ * @return
+ *  - Returns 0 if the security session was successfully retrieved.
+ *  - Returns -EINVAL if input parameters are invalid.
+ */
+typedef int (*security_session_get_t)(void *device,
+		uint64_t mdata,
+		struct rte_security_session **sess);
+
+/**
+ * Get the cookie associated with the security session.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sess		Security session
+ * @param	cookie		Cookie associated with the security session
+ *
+ * @return
+ *  - Returns 0 if the cookie was successfully retrieved.
+ *  - Returns -EINVAL if input parameters are invalid.
+ */
+typedef int (*security_cookie_get_t)(void *device,
+		struct rte_security_session *sess,
+		uint64_t *cookie);
+
+/**
  * Update the mbuf with provided metadata.
  *
  * @param	sess		Security session structure
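Review bot: security_session_get_t documents only success and -EINVAL, leaving unspecified what a driver returns when mdata is well-formed but matches no live session (a stale handle after session_destroy, or a value the hardware never issued); a distinct code such as `*  - Returns -ENOENT if no session is associated with mdata.` would let drivers agree on the case even though the library layer currently collapses it to NULL. Because mdata is populated per received packet, the driver must presumably treat it as untrusted and bounds-check any index or pointer it derives from it before returning a session — worth stating in this doc block so PMD authors do not dereference it directly. security_cookie_get_t should similarly say what is returned when no cookie was registered at session creation.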
@@ -143,6 +173,10 @@ struct rte_security_ops {
 	/**< Get security session statistics. */
 	security_session_destroy_t session_destroy;
 	/**< Clear a security sessions private data. */
+	security_session_get_t session_get;
+	/**< Get the security session associated with the metadata */
+	security_cookie_get_t cookie_get;
+	/**< Get the cookie associated with the security session */
 	security_set_pkt_metadata_t set_pkt_metadata;
 	/**< Update mbuf metadata. */
 	security_capabilities_get_t capabilities_get;
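Review bot: The two new members are inserted between session_destroy and set_pkt_metadata rather than appended, so every later member of struct rte_security_ops shifts; that is harmless for drivers using designated initializers, but any driver filling the ops table positionally would now silently bind set_pkt_metadata to cookie_get, which I cannot confirm from the hunk — worth checking the existing PMDs or appending the new ops at the end. The new doc comments also drop the trailing period the neighbouring entries use (`/**< Update mbuf metadata. */`); `/**< Get the security session associated with the metadata. */` keeps the style consistent. The struct definition begins outside the hunk.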
-- 
2.7.4


