From patchwork Thu Oct 31 04:54:56 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hemant Agrawal X-Patchwork-Id: 178135 Delivered-To: patch@linaro.org Received: by 2002:a92:409a:0:0:0:0:0 with SMTP id d26csp2279855ill; Wed, 30 Oct 2019 21:58:05 -0700 (PDT) X-Google-Smtp-Source: APXvYqzVOUdvxmwBvUG15w3tjOuLYPkLkYLQ8zRLggqi2ydJM87wr7rabJmVambVN1M4Q7L2TUD1 X-Received: by 2002:aa7:d281:: with SMTP id w1mr3700750edq.154.1572497885351; Wed, 30 Oct 2019 21:58:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1572497885; cv=none; d=google.com; s=arc-20160816; b=QegX6rqliSVppOfRsYLHcLSHQMwnKvSM4tj2WFhzsz1sSsHeO8eXVvh1OpFMcnQLqK fvhdj4N9hOK6XGdLnv1KBpngPAJgzJo+aXKChpTuPGkrrz9oFTjL82FLZtYJEtCzIK5C v/y26uwXqbP4Y0/WXnBL8Xz8jx0H3AS61cGnM+Mdtzb3qWt2P4OR1b4ANVa/ScNClD+l a1t+CFCnk+K4NJjrohgXPbTh6m9I8tfXVL/p1l82U+1sbPLLxKQcgOoM26PuDT0stPxt vgr7cLomOfGpnPY7TfLWafN/jP96mPTN7+dbhNsWTaQHq8Cko3HWWR6P3D2qMa/glhKM 5WcA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:subject:references:in-reply-to :message-id:date:cc:to:from; bh=YU2BxtTodu4sd9SMdgfQ+RXg7rvfdMfMQXWV8ECbxf0=; b=0GvkTjCnsKwlzs2xnL1fcQ9TWQ9ac2kFS9eLvvdlisQZVYmGQ296RH6v8Tz1txuv1P fA2w9xe6NJoStMF5LAOu/8r3ro3q7cM47VzyUHADtuqjTHOMfdbEPtJ1g2QnDdjreKDk wGorMnKibdYCPOS24yz9Hbil5Sf9MhPNI99xpzObJ57pkOQrVPS4hLHVHZiA/uxhH4YI ORLprCRzKABqxC6Mi4B+5yr8op3NEm+d1ccwhsIXyLK+UVtrUIAQ4nvW2U5JzWFQjUOv NybCBW5m0DZNVSoRtvnXmYlC7jUeqona6OVWBn92mTDn8rnGG9g4g4vFEke7TJ34a4ki RvNg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Return-Path: Received: from dpdk.org (dpdk.org. [92.243.14.124]) by mx.google.com with ESMTP id bi17si3338769edb.430.2019.10.30.21.58.04; Wed, 30 Oct 2019 21:58:05 -0700 (PDT) Received-SPF: pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) client-ip=92.243.14.124; Authentication-Results: mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id B6E0D1C19C; Thu, 31 Oct 2019 05:58:02 +0100 (CET) Received: from inva020.nxp.com (inva020.nxp.com [92.121.34.13]) by dpdk.org (Postfix) with ESMTP id CDCE41BFE4 for ; Thu, 31 Oct 2019 05:58:01 +0100 (CET) Received: from inva020.nxp.com (localhost [127.0.0.1]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 37EC21A04CB; Thu, 31 Oct 2019 05:58:01 +0100 (CET) Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com [165.114.16.14]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 0A03A1A02EF; Thu, 31 Oct 2019 05:57:59 +0100 (CET) Received: from bf-netperf1.ap.freescale.net (bf-netperf1.ap.freescale.net [10.232.133.63]) by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id 290F8402E2; Thu, 31 Oct 2019 12:57:56 +0800 (SGT) From: Hemant Agrawal To: dev@dpdk.org, akhil.goyal@nxp.com Cc: konstantin.ananyev@intel.com, Hemant Agrawal Date: Thu, 31 Oct 2019 10:24:56 +0530 Message-Id: <20191031045458.29166-1-hemant.agrawal@nxp.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191030085701.13815-1-hemant.agrawal@nxp.com> References: <20191030085701.13815-1-hemant.agrawal@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Subject: [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" At present the ipsec xfrom is missing the important step to configure the anti replay window size. The newly added field will also help in to enable or disable the anti replay checking, if available in offload by means of non-zero or zero value. Signed-off-by: Hemant Agrawal --- doc/guides/rel_notes/release_19_11.rst | 6 +++++- lib/librte_security/Makefile | 2 +- lib/librte_security/meson.build | 2 +- lib/librte_security/rte_security.h | 4 ++++ 4 files changed, 11 insertions(+), 3 deletions(-) -- 2.17.1 Acked-by: Konstantin Ananyev diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index ae8e7b2f0..0508ec545 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -365,6 +365,10 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. +* security: A new field ''replay_win_sz'' has been added to the structure + ``rte_security_ipsec_xform``, which specify the Anti replay window size + to enable sequence replay attack handling. + Shared Library Versions ----------------------- @@ -437,7 +441,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_reorder.so.1 librte_ring.so.2 + librte_sched.so.4 - librte_security.so.2 + + librte_security.so.3 librte_stack.so.1 librte_table.so.3 librte_timer.so.1 diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index 6708effdb..6a268ee2a 100644 --- a/lib/librte_security/Makefile +++ b/lib/librte_security/Makefile @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a # library version -LIBABIVER := 2 +LIBABIVER := 3 # build flags CFLAGS += -O3 diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build index a5130d2f6..6fed01273 100644 --- a/lib/librte_security/meson.build +++ b/lib/librte_security/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel Corporation -version = 2 +version = 3 sources = files('rte_security.c') headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool', 'cryptodev'] diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index aaafdfcd7..195ad5645 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ + uint32_t replay_win_sz; + /**< Anti replay window size to enable sequence replay attack handling. + * replay checking is disabled if the window size is 0. + */ }; /** From patchwork Thu Oct 31 04:54:57 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hemant Agrawal X-Patchwork-Id: 178136 Delivered-To: patch@linaro.org Received: by 2002:a92:409a:0:0:0:0:0 with SMTP id d26csp2279963ill; Wed, 30 Oct 2019 21:58:13 -0700 (PDT) X-Google-Smtp-Source: APXvYqyHJ90ke86H38G3FGCePr36Yn1jppthHvu7nqz61sik0iSCBkOwhIepIa4bxacoT/DXUPfw X-Received: by 2002:a17:906:85da:: with SMTP id i26mr1932892ejy.186.1572497893330; Wed, 30 Oct 2019 21:58:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1572497893; cv=none; d=google.com; s=arc-20160816; b=O36PUPkmDP/p3TNOzOUHnYXiG7MXE8+FEaCt9Tc8ALn9DWoJPQzhvOIpP7znppbJOI d/rJgXgkID1Fusx3dpvjIOMb/6EQDWQI6o4vNcg5RzdPQYMOcKPn44qjUxqTeOi0VP7N xeluQZvwpVsdcWS9AQzLSsPjCmkekRlqPD4S64QRDNHMoP6nMZ2B7kbIh0vB/ifjl3TU 3HhPwJX7mkMiJWuUiNcJxDM+DagcMQIDsfq1dUgOB63sTPr/wawkxtUShRjXKA69wOZu h2qb8LEboxJUbVyy7NHqUWomCCQ5m4oh5LyjhKymJtGbLH+gbqWWhufkHFZE20EdMrF0 ys9g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:subject:references:in-reply-to :message-id:date:cc:to:from; bh=h+ErwSIcbS2dM2H2XfU5vmi4hLGmrX4mHKRgeSLJVUI=; b=wJL+eZU3mG9RlAvoegYH94gpARITswv3R3y0MHuoc22Y5OARa3b2QZRAwfH8mU5Rev 7qSeITSIGWFtv1gUqgJw8UJu3h22FYJ88+WVWrK63/xdxHQQDiLe8v+XVOlHITQNTBgY NY/yFNuxMUL/FlDfGk6UguTZKAI6HajOoUNnItTJZbfo10olBVWzVsUN0ed6X/H3/tUg twWNuoKWPpXze++AF5JJcKNVjfGx3O/lUa/Io1E89MqcMcD03jrIBnbhomZ7/2rfgN/e UOVLcV/EPHYw96njNY4fuliWzZ2WDKk2tJFThlVhoh4OeklP3WKg/+g+zqZ9GiyVBbGF pNxA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Return-Path: Received: from dpdk.org (dpdk.org. [92.243.14.124]) by mx.google.com with ESMTP id z25si2765866eju.56.2019.10.30.21.58.13; Wed, 30 Oct 2019 21:58:13 -0700 (PDT) Received-SPF: pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) client-ip=92.243.14.124; Authentication-Results: mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 26EE51C1A6; Thu, 31 Oct 2019 05:58:06 +0100 (CET) Received: from inva021.nxp.com (inva021.nxp.com [92.121.34.21]) by dpdk.org (Postfix) with ESMTP id A00321BFE4 for ; Thu, 31 Oct 2019 05:58:02 +0100 (CET) Received: from inva021.nxp.com (localhost [127.0.0.1]) by inva021.eu-rdc02.nxp.com (Postfix) with ESMTP id 418ED20024C; Thu, 31 Oct 2019 05:58:02 +0100 (CET) Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com [165.114.16.14]) by inva021.eu-rdc02.nxp.com (Postfix) with ESMTP id D82512000B0; Thu, 31 Oct 2019 05:57:59 +0100 (CET) Received: from bf-netperf1.ap.freescale.net (bf-netperf1.ap.freescale.net [10.232.133.63]) by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id 04250402FC; Thu, 31 Oct 2019 12:57:56 +0800 (SGT) From: Hemant Agrawal To: dev@dpdk.org, akhil.goyal@nxp.com Cc: konstantin.ananyev@intel.com, Hemant Agrawal Date: Thu, 31 Oct 2019 10:24:57 +0530 Message-Id: <20191031045458.29166-2-hemant.agrawal@nxp.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191031045458.29166-1-hemant.agrawal@nxp.com> References: <20191030085701.13815-1-hemant.agrawal@nxp.com> <20191031045458.29166-1-hemant.agrawal@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Subject: [dpdk-dev] [PATCH v4 2/3] ipsec: remove redundant replay_win_sz X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" The rte_security lib has introduced replay_win_sz, so it can be removed from the rte_ipsec lib. Also, the relaved tests,app are also update to reflect the usages. Signed-off-by: Hemant Agrawal --- app/test/test_ipsec.c | 2 +- doc/guides/rel_notes/release_19_11.rst | 7 +++++-- examples/ipsec-secgw/ipsec.c | 1 + examples/ipsec-secgw/sa.c | 2 +- lib/librte_ipsec/Makefile | 2 +- lib/librte_ipsec/meson.build | 1 + lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ lib/librte_ipsec/sa.c | 4 ++-- 8 files changed, 12 insertions(+), 13 deletions(-) -- 2.17.1 Acked-by: Konstantin Ananyev diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c index 4007eff19..7dc83fee7 100644 --- a/app/test/test_ipsec.c +++ b/app/test/test_ipsec.c @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) prm->userdata = 1; prm->flags = flags; - prm->replay_win_sz = replay_win_sz; /* setup ipsec xform */ prm->ipsec_xform = ut_params->ipsec_xform; prm->ipsec_xform.salt = (uint32_t)rte_rand(); + prm->ipsec_xform.replay_win_sz = replay_win_sz; /* setup tunnel related fields */ prm->tun.hdr_len = sizeof(ipv4_outer); diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index 0508ec545..ca414edb5 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -365,10 +365,13 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. -* security: A new field ''replay_win_sz'' has been added to the structure +* security: The field ''replay_win_sz'' has been moved from ipsec library + based ''rte_ipsec_sa_prm'' structure to security library based structure ``rte_security_ipsec_xform``, which specify the Anti replay window size to enable sequence replay attack handling. +* ipsec: The field ''replay_win_sz'' has been removed from the structure + ''rte_ipsec_sa_prm'' as it has been added to the security library. Shared Library Versions ----------------------- @@ -411,7 +414,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_gso.so.1 librte_hash.so.2 librte_ip_frag.so.1 - librte_ipsec.so.1 + + librte_ipsec.so.2 librte_jobstats.so.1 librte_kni.so.2 librte_kvargs.so.1 diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 51fb22e8a..159e81f99 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -49,6 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; + ipsec->replay_win_sz = app_sa_prm.window_size; } int diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 14ee94731..3d687c459 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1055,7 +1055,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, prm->flags = app_prm->flags; prm->ipsec_xform.options.esn = app_prm->enable_esn; - prm->replay_win_sz = app_prm->window_size; + prm->ipsec_xform.replay_win_sz = app_prm->window_size; } static int diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile index 81fb99980..161ea9e3d 100644 --- a/lib/librte_ipsec/Makefile +++ b/lib/librte_ipsec/Makefile @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash EXPORT_MAP := rte_ipsec_version.map -LIBABIVER := 1 +LIBABIVER := 2 # all source are stored in SRCS-y SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build index 70358526b..e8604dadd 100644 --- a/lib/librte_ipsec/meson.build +++ b/lib/librte_ipsec/meson.build @@ -1,6 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2018 Intel Corporation +version = 2 allow_experimental_apis = true sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h index 47ce169d2..1cfde5874 100644 --- a/lib/librte_ipsec/rte_ipsec_sa.h +++ b/lib/librte_ipsec/rte_ipsec_sa.h @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { uint8_t proto; /**< next header protocol */ } trs; /**< transport mode related parameters */ }; - - /** - * window size to enable sequence replay attack handling. - * replay checking is disabled if the window size is 0. - */ - uint32_t replay_win_sz; }; /** diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 23d394b46..6f1d92c3c 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; return ipsec_sa_size(type, &wsz, &nb); } @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; sz = ipsec_sa_size(type, &wsz, &nb); if (sz < 0) return sz; From patchwork Thu Oct 31 04:54:58 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hemant Agrawal X-Patchwork-Id: 178137 Delivered-To: patch@linaro.org Received: by 2002:a92:409a:0:0:0:0:0 with SMTP id d26csp2280072ill; Wed, 30 Oct 2019 21:58:21 -0700 (PDT) X-Google-Smtp-Source: APXvYqz0ISJOVXwP8d6rge3eQYk98I/5LLa/SAFpRbfkSKvCBV7bTRZWdu0SGQsykhbJ/Qt5Sj7k X-Received: by 2002:a17:907:2130:: with SMTP id qo16mr1830845ejb.183.1572497901488; Wed, 30 Oct 2019 21:58:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1572497901; cv=none; d=google.com; s=arc-20160816; b=H9ReFgtiq3+EgSVqeg8RCbQXOW3rre8QmGN/BJ1W79JN1/8V5wdmrCSe4vN171K9Q6 9svC8kKCjAmObDIpSRQHn9KNuEORcRgsV5XLNf4n72i8/jesJc5kl3oOUk9DclVL6FRE fvLe9J+O42NDaUEYJcTSjUcBI6C3M1isstydlWZ5SfX674KorOo3fuH4GgT6ZGqcUH40 TApLGaw/3MukUBT5ZlY5rzlsqtiVPzkDkDznDNVs1lBAm2rLSB0iXVdlzI+Ocr5YbNHd R0QUNUYNMaRfViHEBs2nF2rFIPAJRDImhFF9AILVDgssDWYgGdD3mBDKVWurlAC/ICrm U/jg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:subject:references:in-reply-to :message-id:date:cc:to:from; bh=Quhm0cKPQZV98gJT5BCUooY1ZF13htb0/jTqFBDzJgo=; b=tuhxL2oBSRl8vbV4pcH6K8xBWFnC1T6OwNbga+AFE811hVUTHq/Ma3WGvjEaAS+2Ep iv4FokPwUTHuT4F2W+1n1ZLYy8UESgA/0eWr8/5X2jBwEsQY+TAU47mGOoVaMQ/GWjBO r26NAJlfa8CwAkk8i95umoT7pDoR2sCYDoCbybycUi8BE+Dhu4fRNDRzP3MMNb0yh2vC +xmSPi2AiKlq7SDEogwPdD+miUSlmb+chSxFTqJz3q3LxTAfTthEL/r2yMYzIaq3//Qo Hv9LDIcFXK/PcRIk2OLyJneWkoxPz0a3M+7va0R/MSjFF2EYiOvEtcsSDKPCU46dgdh+ 5tyg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Return-Path: Received: from dpdk.org (dpdk.org. [92.243.14.124]) by mx.google.com with ESMTP id k24si3179849edk.367.2019.10.30.21.58.21; Wed, 30 Oct 2019 21:58:21 -0700 (PDT) Received-SPF: pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) client-ip=92.243.14.124; Authentication-Results: mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id EF2B21C1C7; Thu, 31 Oct 2019 05:58:07 +0100 (CET) Received: from inva020.nxp.com (inva020.nxp.com [92.121.34.13]) by dpdk.org (Postfix) with ESMTP id 1D5211BFE4 for ; Thu, 31 Oct 2019 05:58:03 +0100 (CET) Received: from inva020.nxp.com (localhost [127.0.0.1]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id DE0831A04DB; Thu, 31 Oct 2019 05:58:02 +0100 (CET) Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com [165.114.16.14]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id B1A5C1A04B5; Thu, 31 Oct 2019 05:58:00 +0100 (CET) Received: from bf-netperf1.ap.freescale.net (bf-netperf1.ap.freescale.net [10.232.133.63]) by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id D226E402B7; Thu, 31 Oct 2019 12:57:57 +0800 (SGT) From: Hemant Agrawal To: dev@dpdk.org, akhil.goyal@nxp.com Cc: konstantin.ananyev@intel.com, Hemant Agrawal Date: Thu, 31 Oct 2019 10:24:58 +0530 Message-Id: <20191031045458.29166-3-hemant.agrawal@nxp.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191031045458.29166-1-hemant.agrawal@nxp.com> References: <20191030085701.13815-1-hemant.agrawal@nxp.com> <20191031045458.29166-1-hemant.agrawal@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Subject: [dpdk-dev] [PATCH v4 3/3] crypto/dpaa2_sec: enable anti replay window config X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" This patch usages the anti replay window size to config the anti replay checking in decap path for lookaside IPSEC offload Signed-off-by: Hemant Agrawal --- drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 21 +++++++++++++++++ drivers/crypto/dpaa_sec/dpaa_sec.c | 26 +++++++++++++++++++++ 2 files changed, 47 insertions(+) -- 2.17.1 diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c index 7364b78e7..d7d95bf80 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c @@ -2887,6 +2887,27 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, sizeof(struct rte_ipv6_hdr) << 16; if (ipsec_xform->options.esn) decap_pdb.options |= PDBOPTS_ESP_ESN; + + if (ipsec_xform->replay_win_sz) { + uint32_t win_sz; + win_sz = rte_align32pow2(ipsec_xform->replay_win_sz); + + switch (win_sz) { + case 1: + case 2: + case 4: + case 8: + case 16: + case 32: + decap_pdb.options |= PDBOPTS_ESP_ARS32; + break; + case 64: + decap_pdb.options |= PDBOPTS_ESP_ARS64; + break; + default: + decap_pdb.options |= PDBOPTS_ESP_ARS128; + } + } session->dir = DIR_DEC; bufsize = cnstr_shdsc_ipsec_new_decap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c index a828b23c7..f5f18457a 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.c +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c @@ -2832,6 +2832,32 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, sizeof(struct rte_ipv6_hdr) << 16; if (ipsec_xform->options.esn) session->decap_pdb.options |= PDBOPTS_ESP_ESN; + if (ipsec_xform->replay_win_sz) { + uint32_t win_sz; + win_sz = rte_align32pow2(ipsec_xform->replay_win_sz); + + switch (win_sz) { + case 1: + case 2: + case 4: + case 8: + case 16: + case 32: + if (ipsec_xform->options.esn) + session->decap_pdb.options |= + PDBOPTS_ESP_ARS64; + else + session->decap_pdb.options |= + PDBOPTS_ESP_ARS32; + break; + case 64: + session->decap_pdb.options |= PDBOPTS_ESP_ARS64; + break; + default: + session->decap_pdb.options |= + PDBOPTS_ESP_ARS128; + } + } session->dir = DIR_DEC; } else goto out;