[dpdk-dev] [PATCH 00/11] introduce security offload library

[Akhil Goyal]

This patchset introduce the rte_security library in DPDK.
This also includes the sample implementation of drivers and
changes in ipsec gateway application to demonstrate its usage.


rte_security library is implemented on the idea proposed earlier [1],[2],[3]
to support IPsec Inline and look aside crypto offload. Though
the current focus is only on IPsec protocol, but the library is
not limited to IPsec, it can be extended to other security
protocols e.g. MACSEC, PDCP or DTLS.

In this library, crypto/ethernet devices can register itself to
the security library to support security offload.

The library support 3 modes of operation
1. full protocol offload using crypto devices.
   (RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
2. inline ipsec using ethernet devices to perform crypto operations
   (RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
3. full protocol offload using ethernet devices.
   (RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)

The details for each mode is documented in the patchset in
doc/guides/prog_guide/rte_security.rst

The modification in the application ipsec-secgw is also doocumented in
doc/guides/sample_app_ug/ipsec_secgw.rst

This patchset is also available at:
git://dpdk.org/draft/dpdk-draft-ipsec
branch: integration

To Do:
1. update documentation for rte_flow
2. unregister device to security library is incomplete
3. test application support

Future enhancements:
1. for full protocol offload - error handling and notification cases
2. add more security protocols

Reference:
[1] http://dpdk.org/ml/archives/dev/2017-July/070793.html
[2] http://dpdk.org/ml/archives/dev/2017-July/071893.html
[3] http://dpdk.org/ml/archives/dev/2017-August/072900.html

Akhil Goyal (6):
  lib/rte_security: add security library
  doc: add details of rte security
  cryptodev: extend cryptodev to support security APIs
  mk: add rte security into build system
  crypto/dpaa2_sec: add support for protocol offload ipsec
  examples/ipsec-secgw: add support for security offload

Boris Pismenny (3):
  lib/librte_net: add ESP header to generic flow steering
  lib/librte_mbuf: add security crypto flags and mbuf fields
  ethdev: add rte flow action for crypto

Declan Doherty (1):
  ethdev: extend ethdev to support security APIs

Radu Nicolau (1):
  net/ixgbe: enable inline ipsec

 MAINTAINERS                                    |   6 +
 config/common_base                             |   7 +
 doc/api/doxy-api-index.md                      |   4 +-
 doc/api/doxy-api.conf                          |   1 +
 doc/guides/cryptodevs/features/default.ini     |   1 +
 doc/guides/cryptodevs/features/dpaa2_sec.ini   |   1 +
 doc/guides/prog_guide/index.rst                |   1 +
 doc/guides/prog_guide/rte_security.rst         | 552 +++++++++++++++++
 doc/guides/sample_app_ug/ipsec_secgw.rst       |  52 +-
 drivers/crypto/Makefile                        |   2 +-
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c    | 402 +++++++++++-
 drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h      |  62 ++
 drivers/net/Makefile                           |   2 +-
 drivers/net/ixgbe/Makefile                     |   4 +-
 drivers/net/ixgbe/ixgbe_ethdev.c               |  13 +
 drivers/net/ixgbe/ixgbe_ethdev.h               |  10 +-
 drivers/net/ixgbe/ixgbe_flow.c                 |  27 +
 drivers/net/ixgbe/ixgbe_ipsec.c                | 815 +++++++++++++++++++++++++
 drivers/net/ixgbe/ixgbe_ipsec.h                | 145 +++++
 drivers/net/ixgbe/ixgbe_rxtx.c                 |  63 +-
 drivers/net/ixgbe/ixgbe_rxtx.h                 |   4 +
 drivers/net/ixgbe/ixgbe_rxtx_vec_sse.c         |  44 ++
 examples/ipsec-secgw/esp.c                     | 101 ++-
 examples/ipsec-secgw/esp.h                     |  10 -
 examples/ipsec-secgw/ipsec-secgw.c             |   5 +
 examples/ipsec-secgw/ipsec.c                   | 275 +++++++--
 examples/ipsec-secgw/ipsec.h                   |  32 +-
 examples/ipsec-secgw/sa.c                      | 151 +++--
 lib/Makefile                                   |   5 +
 lib/librte_cryptodev/rte_crypto.h              |   3 +-
 lib/librte_cryptodev/rte_crypto_sym.h          |   2 +
 lib/librte_cryptodev/rte_cryptodev.c           |  10 +
 lib/librte_cryptodev/rte_cryptodev.h           |   8 +-
 lib/librte_cryptodev/rte_cryptodev_version.map |   7 +
 lib/librte_ether/rte_ethdev.c                  |  11 +
 lib/librte_ether/rte_ethdev.h                  |  22 +-
 lib/librte_ether/rte_ethdev_version.map        |   7 +
 lib/librte_ether/rte_flow.h                    |  56 ++
 lib/librte_mbuf/rte_mbuf.c                     |   6 +
 lib/librte_mbuf/rte_mbuf.h                     |  32 +-
 lib/librte_net/Makefile                        |   2 +-
 lib/librte_net/rte_esp.h                       |  60 ++
 lib/librte_security/Makefile                   |  53 ++
 lib/librte_security/rte_security.c             | 252 ++++++++
 lib/librte_security/rte_security.h             | 494 +++++++++++++++
 lib/librte_security/rte_security_driver.h      | 181 ++++++
 lib/librte_security/rte_security_version.map   |  13 +
 mk/rte.app.mk                                  |   1 +
 48 files changed, 3862 insertions(+), 155 deletions(-)
 create mode 100644 doc/guides/prog_guide/rte_security.rst
 create mode 100644 drivers/net/ixgbe/ixgbe_ipsec.c
 create mode 100644 drivers/net/ixgbe/ixgbe_ipsec.h
 create mode 100644 lib/librte_net/rte_esp.h
 create mode 100644 lib/librte_security/Makefile
 create mode 100644 lib/librte_security/rte_security.c
 create mode 100644 lib/librte_security/rte_security.h
 create mode 100644 lib/librte_security/rte_security_driver.h
 create mode 100644 lib/librte_security/rte_security_version.map

-- 
2.9.3