From patchwork Thu Oct 31 13:15:00 2019
X-Patchwork-Submitter: Hemant Agrawal
X-Patchwork-Id: 178173
From: Hemant Agrawal
To: dev@dpdk.org, akhil.goyal@nxp.com
Cc: konstantin.ananyev@intel.com, anoobj@marvell.com, Hemant Agrawal
Date: Thu, 31 Oct 2019 18:45:00 +0530
Message-Id: <20191031131502.12504-1-hemant.agrawal@nxp.com>
In-Reply-To: <20191031045458.29166-1-hemant.agrawal@nxp.com>
References: <20191031045458.29166-1-hemant.agrawal@nxp.com>
Subject: [dpdk-dev] [PATCH v5 1/3] security: add anti replay window size

At present the ipsec xform is missing the important step to configure the anti replay window size. The newly added field will also help to enable or disable the anti replay checking, if available in offload, by means of a non-zero or zero value.

Signed-off-by: Hemant Agrawal
Acked-by: Konstantin Ananyev
--- doc/guides/rel_notes/release_19_11.rst | 6 +++++- lib/librte_security/Makefile | 2 +- lib/librte_security/meson.build | 2 +- lib/librte_security/rte_security.h | 8 ++++++++ 4 files changed, 15 insertions(+), 3 deletions(-) -- 2.17.1 Acked-by: Anoob Joseph diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index ae8e7b2f0..0508ec545 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -365,6 +365,10 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. +* security: A new field ''replay_win_sz'' has been added to the structure + ``rte_security_ipsec_xform``, which specify the Anti replay window size + to enable sequence replay attack handling. + Shared Library Versions ----------------------- 
@@ -437,7 +441,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_reorder.so.1 librte_ring.so.2 + librte_sched.so.4 - librte_security.so.2 + + librte_security.so.3 librte_stack.so.1 librte_table.so.3 librte_timer.so.1 diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index 6708effdb..6a268ee2a 100644 --- a/lib/librte_security/Makefile +++ b/lib/librte_security/Makefile @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a # library version -LIBABIVER := 2 +LIBABIVER := 3 # build flags CFLAGS += -O3 diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build index a5130d2f6..6fed01273 100644 --- a/lib/librte_security/meson.build +++ b/lib/librte_security/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel Corporation -version = 2 +version = 3 sources = files('rte_security.c') headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool', 'cryptodev'] diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index aaafdfcd7..216e5370f 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ + uint32_t replay_win_sz; + /**< Anti replay window size to enable sequence replay attack handling. + * replay checking is disabled if the window size is 0. + */ }; /** 
@@ -563,6 +567,10 @@ struct rte_security_capability { /**< IPsec SA direction */ struct rte_security_ipsec_sa_options options; /**< IPsec SA supported options */ + uint32_t replay_win_sz_max; + /**< IPsec Anti Replay Window Size. A '0' value + * indicates that Anti Replay Window is not supported. + */ } ipsec; /**< IPsec capability */ struct { 
From patchwork Thu Oct 31 13:15:01 2019
X-Patchwork-Submitter: Hemant Agrawal
X-Patchwork-Id: 178174
From: Hemant Agrawal
To: dev@dpdk.org, akhil.goyal@nxp.com
Cc: konstantin.ananyev@intel.com, anoobj@marvell.com, Hemant Agrawal
Date: Thu, 31 Oct 2019 18:45:01 +0530
Message-Id: <20191031131502.12504-2-hemant.agrawal@nxp.com>
In-Reply-To: <20191031131502.12504-1-hemant.agrawal@nxp.com>
References: <20191031045458.29166-1-hemant.agrawal@nxp.com> <20191031131502.12504-1-hemant.agrawal@nxp.com>
Subject: [dpdk-dev] [PATCH v5 2/3] ipsec: remove redundant replay_win_sz

The rte_security lib has introduced replay_win_sz, so it can be removed from the rte_ipsec lib. Also, the related tests and app are also updated to reflect the usages.

Signed-off-by: Hemant Agrawal
Acked-by: Konstantin Ananyev
--- app/test/test_ipsec.c | 2 +- doc/guides/rel_notes/release_19_11.rst | 7 +++++-- examples/ipsec-secgw/ipsec.c | 1 + examples/ipsec-secgw/sa.c | 2 +- lib/librte_ipsec/Makefile | 2 +- lib/librte_ipsec/meson.build | 1 + lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ lib/librte_ipsec/sa.c | 4 ++-- 8 files changed, 12 insertions(+), 13 deletions(-) -- 2.17.1 diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c index 4007eff19..7dc83fee7 100644 --- a/app/test/test_ipsec.c +++ b/app/test/test_ipsec.c @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) prm->userdata = 1; prm->flags = flags; - prm->replay_win_sz = replay_win_sz; /* setup ipsec xform */ prm->ipsec_xform = ut_params->ipsec_xform; prm->ipsec_xform.salt = (uint32_t)rte_rand(); + prm->ipsec_xform.replay_win_sz = replay_win_sz; /* setup tunnel related fields */ prm->tun.hdr_len = sizeof(ipv4_outer); 
diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index 0508ec545..ca414edb5 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -365,10 +365,13 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. -* security: A new field ''replay_win_sz'' has been added to the structure +* security: The field ''replay_win_sz'' has been moved from ipsec library + based ''rte_ipsec_sa_prm'' structure to security library based structure ``rte_security_ipsec_xform``, which specify the Anti replay window size to enable sequence replay attack handling. +* ipsec: The field ''replay_win_sz'' has been removed from the structure + ''rte_ipsec_sa_prm'' as it has been added to the security library. Shared Library Versions ----------------------- @@ -411,7 +414,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_gso.so.1 librte_hash.so.2 librte_ip_frag.so.1 - librte_ipsec.so.1 + + librte_ipsec.so.2 librte_jobstats.so.1 librte_kni.so.2 librte_kvargs.so.1 diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 51fb22e8a..159e81f99 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -49,6 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; + ipsec->replay_win_sz = app_sa_prm.window_size; } int diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 14ee94731..3d687c459 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1055,7 +1055,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, prm->flags = app_prm->flags; prm->ipsec_xform.options.esn = app_prm->enable_esn; - prm->replay_win_sz = app_prm->window_size; + prm->ipsec_xform.replay_win_sz = app_prm->window_size; } static int 
diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile index 81fb99980..161ea9e3d 100644 --- a/lib/librte_ipsec/Makefile +++ b/lib/librte_ipsec/Makefile @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash EXPORT_MAP := rte_ipsec_version.map -LIBABIVER := 1 +LIBABIVER := 2 # all source are stored in SRCS-y SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build index 70358526b..e8604dadd 100644 --- a/lib/librte_ipsec/meson.build +++ b/lib/librte_ipsec/meson.build @@ -1,6 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2018 Intel Corporation +version = 2 allow_experimental_apis = true sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h index 47ce169d2..1cfde5874 100644 --- a/lib/librte_ipsec/rte_ipsec_sa.h +++ b/lib/librte_ipsec/rte_ipsec_sa.h @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { uint8_t proto; /**< next header protocol */ } trs; /**< transport mode related parameters */ }; - - /** - * window size to enable sequence replay attack handling. - * replay checking is disabled if the window size is 0. - */ - uint32_t replay_win_sz; }; /** diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 23d394b46..6f1d92c3c 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; return ipsec_sa_size(type, &wsz, &nb); } 
@@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; sz = ipsec_sa_size(type, &wsz, &nb); if (sz < 0) return sz; 
From patchwork Thu Oct 31 13:15:02 2019
X-Patchwork-Submitter: Hemant Agrawal
X-Patchwork-Id: 178175
From: Hemant Agrawal
To: dev@dpdk.org, akhil.goyal@nxp.com
Cc: konstantin.ananyev@intel.com, anoobj@marvell.com, Hemant Agrawal
Date: Thu, 31 Oct 2019 18:45:02 +0530
Message-Id: <20191031131502.12504-3-hemant.agrawal@nxp.com>
In-Reply-To: <20191031131502.12504-1-hemant.agrawal@nxp.com>
References: <20191031045458.29166-1-hemant.agrawal@nxp.com> <20191031131502.12504-1-hemant.agrawal@nxp.com>
Subject: [dpdk-dev] [PATCH v5 3/3] crypto/dpaa2_sec: enable anti replay window config

This patch uses the anti replay window size to configure the anti replay checking in the decap path for lookaside IPSEC offload.

Signed-off-by: Hemant Agrawal
--- drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 24 +++++++++++++++++++ drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 6 +++-- drivers/crypto/dpaa_sec/dpaa_sec.c | 26 +++++++++++++++++++++ drivers/crypto/dpaa_sec/dpaa_sec.h | 6 +++-- 4 files changed, 58 insertions(+), 4 deletions(-) -- 2.17.1 diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c index 52e522e4a..6d59e73e9 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c 
@@ -2836,6 +2836,30 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, sizeof(struct rte_ipv6_hdr) << 16; if (ipsec_xform->options.esn) decap_pdb.options |= PDBOPTS_ESP_ESN; + + if (ipsec_xform->replay_win_sz) { + uint32_t win_sz; + win_sz = rte_align32pow2(ipsec_xform->replay_win_sz); + + switch (win_sz) { + case 1: + case 2: + case 4: + case 8: + case 16: + case 32: + if (ipsec_xform->options.esn) + decap_pdb.options |= PDBOPTS_ESP_ARS64; + else + decap_pdb.options |= PDBOPTS_ESP_ARS32; + break; + case 64: + decap_pdb.options |= PDBOPTS_ESP_ARS64; + break; + default: + decap_pdb.options |= PDBOPTS_ESP_ARS128; + } + } session->dir = DIR_DEC; bufsize = cnstr_shdsc_ipsec_new_decap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h index 662559422..b97dacbcb 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h @@ -675,7 +675,8 @@ static const struct rte_security_capability dpaa2_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa2_sec_capabilities }, @@ -686,7 +687,8 @@ static const struct rte_security_capability dpaa2_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa2_sec_capabilities }, diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c index 6c186338f..7cfa5f6dc 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.c +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c 
@@ -2693,6 +2693,32 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, sizeof(struct rte_ipv6_hdr) << 16; if (ipsec_xform->options.esn) session->decap_pdb.options |= PDBOPTS_ESP_ESN; + if (ipsec_xform->replay_win_sz) { + uint32_t win_sz; + win_sz = rte_align32pow2(ipsec_xform->replay_win_sz); + + switch (win_sz) { + case 1: + case 2: + case 4: + case 8: + case 16: + case 32: + if (ipsec_xform->options.esn) + session->decap_pdb.options |= + PDBOPTS_ESP_ARS64; + else + session->decap_pdb.options |= + PDBOPTS_ESP_ARS32; + break; + case 64: + session->decap_pdb.options |= PDBOPTS_ESP_ARS64; + break; + default: + session->decap_pdb.options |= + PDBOPTS_ESP_ARS128; + } + } session->dir = DIR_DEC; } else goto out; diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h index c10ec1007..684950d6d 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.h +++ b/drivers/crypto/dpaa_sec/dpaa_sec.h @@ -692,7 +692,8 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa_sec_capabilities }, @@ -703,7 +704,8 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa_sec_capabilities },
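
Review bot: the comment on the new replay_win_sz field of struct rte_security_ipsec_xform (patch 1/3, lib/librte_security/rte_security.h, hunk at -212,6) does not state the unit of the window size, whether a value that is not a power of two is acceptable, or what happens when the value exceeds the replay_win_sz_max capability added in the same patch. Because 0 turns replay checking off, suggest spelling out the unit and the rounding or rejection behaviour in the field comment, and saying that callers are expected to compare the value against the capability before creating a session.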
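
Review bot: nothing in this patch enforces the new replay_win_sz_max field of struct rte_security_capability (patch 1/3, rte_security.h, hunk at -563,6); the diffstat shows only the header changing under lib/librte_security, so handling of a request above the advertised maximum is left to each PMD. Suggest documenting in the field comment who validates the request and what error a driver should return, so that an application asking for anti-replay on a device reporting 0 gets a failure rather than a session without replay protection.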
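
Review bot: the release note entry added under "ABI Changes" (patch 1/3, doc/guides/rel_notes/release_19_11.rst) wraps replay_win_sz in pairs of single quotes, while rte_security_ipsec_xform on the following line uses RST double backticks, so the two names will not render the same way. Suggest double backticks for the field name as well, and "which specifies" in place of "which specify". The same quoting is carried into the reworded entries in patch 2/3.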
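
Review bot: the line added at the end of set_ipsec_conf() (patch 2/3, examples/ipsec-secgw/ipsec.c), "ipsec->replay_win_sz = app_sa_prm.window_size;", copies the configured window into the xform unconditionally and without comparing it to the replay_win_sz_max capability introduced in patch 1/3. Suggest querying the device capability before the session is created and failing SA setup when the configured window is larger than the device reports, so the example application does not run with a different window than the operator configured.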
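
Review bot: the default branch of the switch on win_sz in dpaa2_sec_set_ipsec_session() (patch 3/3, drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c) selects PDBOPTS_ESP_ARS128 for every rounded size above 64, so a request larger than the replay_win_sz_max of 128 advertised in dpaa2_sec_priv.h is accepted and silently capped. Suggest rejecting ipsec_xform->replay_win_sz above 128 with an error before the switch. In the "case 1" to "case 32" group, the choice of PDBOPTS_ESP_ARS64 when options.esn is set needs a one-line comment giving the reason, and the default label should end with a break.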
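
Review bot: the first dpaa2_sec_security_cap[] hunk (patch 3/3, drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h, at -675,7) sets ".replay_win_sz_max = 128" on the RTE_SECURITY_IPSEC_SA_DIR_EGRESS entry, yet the session code in this patch programs the anti-replay option only in the decap (DIR_DEC) path. If the window has no meaning for egress SAs, suggest leaving the egress entry at 0 or stating in the capability documentation that the field applies to ingress only. The egress entry in dpaa_sec.h has the same issue.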
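
Review bot: the switch added to dpaa_sec_set_ipsec_session() (patch 3/3, drivers/crypto/dpaa_sec/dpaa_sec.c) is a copy of the window-size to PDBOPTS_ESP_ARS* mapping added to dpaa2_sec_dpseci.c in the same patch, and the subject line names only crypto/dpaa2_sec although the dpaa_sec driver changes too. Suggest one shared inline helper that returns the option bits (or an error for sizes above 128) for both drivers, and either naming both drivers in the subject or splitting the dpaa_sec change into its own patch.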