security: introduce security API and framework
rte_security library provides APIs for security session create/free for protocol offload or offloaded crypto operation to ethernet device. Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> Signed-off-by: Boris Pismenny <borisp@mellanox.com> Signed-off-by: Radu Nicolau <radu.nicolau@intel.com> Signed-off-by: Declan Doherty <declan.doherty@intel.com> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
This commit is contained in:
parent
60fb11ff05
commit
c261d1431b
@ -267,6 +267,11 @@ F: lib/librte_cryptodev/
|
||||
F: test/test/test_cryptodev*
|
||||
F: examples/l2fwd-crypto/
|
||||
|
||||
Security API - EXPERIMENTAL
|
||||
M: Akhil Goyal <akhil.goyal@nxp.com>
|
||||
M: Declan Doherty <declan.doherty@intel.com>
|
||||
F: lib/librte_security/
|
||||
|
||||
Eventdev API - EXPERIMENTAL
|
||||
M: Jerin Jacob <jerin.jacob@caviumnetworks.com>
|
||||
T: git://dpdk.org/next/dpdk-next-eventdev
|
||||
|
@ -547,6 +547,11 @@ CONFIG_RTE_LIBRTE_PMD_NULL_CRYPTO=y
|
||||
CONFIG_RTE_LIBRTE_PMD_MRVL_CRYPTO=n
|
||||
CONFIG_RTE_LIBRTE_PMD_MRVL_CRYPTO_DEBUG=n
|
||||
|
||||
#
|
||||
# Compile generic security library
|
||||
#
|
||||
CONFIG_RTE_LIBRTE_SECURITY=y
|
||||
|
||||
#
|
||||
# Compile generic event device library
|
||||
#
|
||||
|
@ -43,6 +43,7 @@ The public API headers are grouped by topics:
|
||||
[rte_tm] (@ref rte_tm.h),
|
||||
[rte_mtr] (@ref rte_mtr.h),
|
||||
[cryptodev] (@ref rte_cryptodev.h),
|
||||
[security] (@ref rte_security.h),
|
||||
[eventdev] (@ref rte_eventdev.h),
|
||||
[event_eth_rx_adapter] (@ref rte_event_eth_rx_adapter.h),
|
||||
[metrics] (@ref rte_metrics.h),
|
||||
|
@ -71,6 +71,7 @@ INPUT = doc/api/doxy-api-index.md \
|
||||
lib/librte_reorder \
|
||||
lib/librte_ring \
|
||||
lib/librte_sched \
|
||||
lib/librte_security \
|
||||
lib/librte_table \
|
||||
lib/librte_timer \
|
||||
lib/librte_vhost
|
||||
|
@ -410,6 +410,7 @@ The libraries prepended with a plus sign were incremented in this version.
|
||||
librte_reorder.so.1
|
||||
librte_ring.so.1
|
||||
librte_sched.so.1
|
||||
+ librte_security.so.1
|
||||
+ librte_table.so.3
|
||||
librte_timer.so.1
|
||||
librte_vhost.so.3
|
||||
|
@ -50,6 +50,10 @@ DEPDIRS-librte_ether += librte_mbuf
|
||||
DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += librte_cryptodev
|
||||
DEPDIRS-librte_cryptodev := librte_eal librte_mempool librte_ring librte_mbuf
|
||||
DEPDIRS-librte_cryptodev += librte_kvargs
|
||||
DIRS-$(CONFIG_RTE_LIBRTE_SECURITY) += librte_security
|
||||
DEPDIRS-librte_security := librte_eal librte_mempool librte_ring librte_mbuf
|
||||
DEPDIRS-librte_security += librte_ether
|
||||
DEPDIRS-librte_security += librte_cryptodev
|
||||
DIRS-$(CONFIG_RTE_LIBRTE_EVENTDEV) += librte_eventdev
|
||||
DEPDIRS-librte_eventdev := librte_eal librte_ring librte_ether librte_hash
|
||||
DIRS-$(CONFIG_RTE_LIBRTE_VHOST) += librte_vhost
|
||||
|
54
lib/librte_security/Makefile
Normal file
54
lib/librte_security/Makefile
Normal file
@ -0,0 +1,54 @@
|
||||
# BSD LICENSE
|
||||
#
|
||||
# Copyright(c) 2017 Intel Corporation. All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# * Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in
|
||||
# the documentation and/or other materials provided with the
|
||||
# distribution.
|
||||
# * Neither the name of Intel Corporation nor the names of its
|
||||
# contributors may be used to endorse or promote products derived
|
||||
# from this software without specific prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
include $(RTE_SDK)/mk/rte.vars.mk
|
||||
|
||||
# library name
|
||||
LIB = librte_security.a
|
||||
|
||||
# library version
|
||||
LIBABIVER := 1
|
||||
|
||||
# build flags
|
||||
CFLAGS += -O3
|
||||
CFLAGS += $(WERROR_FLAGS)
|
||||
LDLIBS += -lrte_eal -lrte_mempool
|
||||
|
||||
# library source files
|
||||
SRCS-y += rte_security.c
|
||||
|
||||
# export include files
|
||||
SYMLINK-y-include += rte_security.h
|
||||
SYMLINK-y-include += rte_security_driver.h
|
||||
|
||||
# versioning export map
|
||||
EXPORT_MAP := rte_security_version.map
|
||||
|
||||
include $(RTE_SDK)/mk/rte.lib.mk
|
149
lib/librte_security/rte_security.c
Normal file
149
lib/librte_security/rte_security.c
Normal file
@ -0,0 +1,149 @@
|
||||
/*-
|
||||
* BSD LICENSE
|
||||
*
|
||||
* Copyright 2017 NXP.
|
||||
* Copyright(c) 2017 Intel Corporation. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* * Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
* * Neither the name of NXP nor the names of its
|
||||
* contributors may be used to endorse or promote products derived
|
||||
* from this software without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <rte_malloc.h>
|
||||
#include <rte_dev.h>
|
||||
|
||||
#include "rte_security.h"
|
||||
#include "rte_security_driver.h"
|
||||
|
||||
struct rte_security_session *
|
||||
rte_security_session_create(struct rte_security_ctx *instance,
|
||||
struct rte_security_session_conf *conf,
|
||||
struct rte_mempool *mp)
|
||||
{
|
||||
struct rte_security_session *sess = NULL;
|
||||
|
||||
if (conf == NULL)
|
||||
return NULL;
|
||||
|
||||
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_create, NULL);
|
||||
|
||||
if (rte_mempool_get(mp, (void *)&sess))
|
||||
return NULL;
|
||||
|
||||
if (instance->ops->session_create(instance->device, conf, sess, mp)) {
|
||||
rte_mempool_put(mp, (void *)sess);
|
||||
return NULL;
|
||||
}
|
||||
instance->sess_cnt++;
|
||||
|
||||
return sess;
|
||||
}
|
||||
|
||||
int
|
||||
rte_security_session_update(struct rte_security_ctx *instance,
|
||||
struct rte_security_session *sess,
|
||||
struct rte_security_session_conf *conf)
|
||||
{
|
||||
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_update, -ENOTSUP);
|
||||
return instance->ops->session_update(instance->device, sess, conf);
|
||||
}
|
||||
|
||||
int
|
||||
rte_security_session_stats_get(struct rte_security_ctx *instance,
|
||||
struct rte_security_session *sess,
|
||||
struct rte_security_stats *stats)
|
||||
{
|
||||
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_stats_get, -ENOTSUP);
|
||||
return instance->ops->session_stats_get(instance->device, sess, stats);
|
||||
}
|
||||
|
||||
int
|
||||
rte_security_session_destroy(struct rte_security_ctx *instance,
|
||||
struct rte_security_session *sess)
|
||||
{
|
||||
int ret;
|
||||
struct rte_mempool *mp = rte_mempool_from_obj(sess);
|
||||
|
||||
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_destroy, -ENOTSUP);
|
||||
|
||||
if (instance->sess_cnt)
|
||||
instance->sess_cnt--;
|
||||
|
||||
ret = instance->ops->session_destroy(instance->device, sess);
|
||||
if (!ret)
|
||||
rte_mempool_put(mp, (void *)sess);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int
|
||||
rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
|
||||
struct rte_security_session *sess,
|
||||
struct rte_mbuf *m, void *params)
|
||||
{
|
||||
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->set_pkt_metadata, -ENOTSUP);
|
||||
return instance->ops->set_pkt_metadata(instance->device,
|
||||
sess, m, params);
|
||||
}
|
||||
|
||||
const struct rte_security_capability *
|
||||
rte_security_capabilities_get(struct rte_security_ctx *instance)
|
||||
{
|
||||
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->capabilities_get, NULL);
|
||||
return instance->ops->capabilities_get(instance->device);
|
||||
}
|
||||
|
||||
const struct rte_security_capability *
|
||||
rte_security_capability_get(struct rte_security_ctx *instance,
|
||||
struct rte_security_capability_idx *idx)
|
||||
{
|
||||
const struct rte_security_capability *capabilities;
|
||||
const struct rte_security_capability *capability;
|
||||
uint16_t i = 0;
|
||||
|
||||
RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->capabilities_get, NULL);
|
||||
capabilities = instance->ops->capabilities_get(instance->device);
|
||||
|
||||
if (capabilities == NULL)
|
||||
return NULL;
|
||||
|
||||
while ((capability = &capabilities[i++])->action
|
||||
!= RTE_SECURITY_ACTION_TYPE_NONE) {
|
||||
if (capability->action == idx->action &&
|
||||
capability->protocol == idx->protocol) {
|
||||
if (idx->protocol == RTE_SECURITY_PROTOCOL_IPSEC) {
|
||||
if (capability->ipsec.proto ==
|
||||
idx->ipsec.proto &&
|
||||
capability->ipsec.mode ==
|
||||
idx->ipsec.mode &&
|
||||
capability->ipsec.direction ==
|
||||
idx->ipsec.direction)
|
||||
return capability;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return NULL;
|
||||
}
|
529
lib/librte_security/rte_security.h
Normal file
529
lib/librte_security/rte_security.h
Normal file
@ -0,0 +1,529 @@
|
||||
/*-
|
||||
* BSD LICENSE
|
||||
*
|
||||
* Copyright 2017 NXP.
|
||||
* Copyright(c) 2017 Intel Corporation. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* * Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
* * Neither the name of NXP nor the names of its
|
||||
* contributors may be used to endorse or promote products derived
|
||||
* from this software without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef _RTE_SECURITY_H_
|
||||
#define _RTE_SECURITY_H_
|
||||
|
||||
/**
|
||||
* @file rte_security.h
|
||||
* @b EXPERIMENTAL: this API may change without prior notice
|
||||
*
|
||||
* RTE Security Common Definitions
|
||||
*
|
||||
*/
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/ip6.h>
|
||||
|
||||
#include <rte_common.h>
|
||||
#include <rte_crypto.h>
|
||||
#include <rte_mbuf.h>
|
||||
#include <rte_memory.h>
|
||||
#include <rte_mempool.h>
|
||||
|
||||
/** IPSec protocol mode */
|
||||
enum rte_security_ipsec_sa_mode {
|
||||
RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
|
||||
/**< IPSec Transport mode */
|
||||
RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
|
||||
/**< IPSec Tunnel mode */
|
||||
};
|
||||
|
||||
/** IPSec Protocol */
|
||||
enum rte_security_ipsec_sa_protocol {
|
||||
RTE_SECURITY_IPSEC_SA_PROTO_AH,
|
||||
/**< AH protocol */
|
||||
RTE_SECURITY_IPSEC_SA_PROTO_ESP,
|
||||
/**< ESP protocol */
|
||||
};
|
||||
|
||||
/** IPSEC tunnel type */
|
||||
enum rte_security_ipsec_tunnel_type {
|
||||
RTE_SECURITY_IPSEC_TUNNEL_IPV4,
|
||||
/**< Outer header is IPv4 */
|
||||
RTE_SECURITY_IPSEC_TUNNEL_IPV6,
|
||||
/**< Outer header is IPv6 */
|
||||
};
|
||||
|
||||
/**
|
||||
* Security context for crypto/eth devices
|
||||
*
|
||||
* Security instance for each driver to register security operations.
|
||||
* The application can get the security context from the crypto/eth device id
|
||||
* using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx()
|
||||
* This structure is used to identify the device(crypto/eth) for which the
|
||||
* security operations need to be performed.
|
||||
*/
|
||||
struct rte_security_ctx {
|
||||
void *device;
|
||||
/**< Crypto/ethernet device attached */
|
||||
struct rte_security_ops *ops;
|
||||
/**< Pointer to security ops for the device */
|
||||
uint16_t sess_cnt;
|
||||
/**< Number of sessions attached to this context */
|
||||
};
|
||||
|
||||
/**
|
||||
* IPSEC tunnel parameters
|
||||
*
|
||||
* These parameters are used to build outbound tunnel headers.
|
||||
*/
|
||||
struct rte_security_ipsec_tunnel_param {
|
||||
enum rte_security_ipsec_tunnel_type type;
|
||||
/**< Tunnel type: IPv4 or IPv6 */
|
||||
RTE_STD_C11
|
||||
union {
|
||||
struct {
|
||||
struct in_addr src_ip;
|
||||
/**< IPv4 source address */
|
||||
struct in_addr dst_ip;
|
||||
/**< IPv4 destination address */
|
||||
uint8_t dscp;
|
||||
/**< IPv4 Differentiated Services Code Point */
|
||||
uint8_t df;
|
||||
/**< IPv4 Don't Fragment bit */
|
||||
uint8_t ttl;
|
||||
/**< IPv4 Time To Live */
|
||||
} ipv4;
|
||||
/**< IPv4 header parameters */
|
||||
struct {
|
||||
struct in6_addr src_addr;
|
||||
/**< IPv6 source address */
|
||||
struct in6_addr dst_addr;
|
||||
/**< IPv6 destination address */
|
||||
uint8_t dscp;
|
||||
/**< IPv6 Differentiated Services Code Point */
|
||||
uint32_t flabel;
|
||||
/**< IPv6 flow label */
|
||||
uint8_t hlimit;
|
||||
/**< IPv6 hop limit */
|
||||
} ipv6;
|
||||
/**< IPv6 header parameters */
|
||||
};
|
||||
};
|
||||
|
||||
/**
|
||||
* IPsec Security Association option flags
|
||||
*/
|
||||
struct rte_security_ipsec_sa_options {
|
||||
/**< Extended Sequence Numbers (ESN)
|
||||
*
|
||||
* * 1: Use extended (64 bit) sequence numbers
|
||||
* * 0: Use normal sequence numbers
|
||||
*/
|
||||
uint32_t esn : 1;
|
||||
|
||||
/**< UDP encapsulation
|
||||
*
|
||||
* * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
|
||||
* traverse through NAT boxes.
|
||||
* * 0: No UDP encapsulation
|
||||
*/
|
||||
uint32_t udp_encap : 1;
|
||||
|
||||
/**< Copy DSCP bits
|
||||
*
|
||||
* * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
|
||||
* the outer IP header in encapsulation, and vice versa in
|
||||
* decapsulation.
|
||||
* * 0: Do not change DSCP field.
|
||||
*/
|
||||
uint32_t copy_dscp : 1;
|
||||
|
||||
/**< Copy IPv6 Flow Label
|
||||
*
|
||||
* * 1: Copy IPv6 flow label from inner IPv6 header to the
|
||||
* outer IPv6 header.
|
||||
* * 0: Outer header is not modified.
|
||||
*/
|
||||
uint32_t copy_flabel : 1;
|
||||
|
||||
/**< Copy IPv4 Don't Fragment bit
|
||||
*
|
||||
* * 1: Copy the DF bit from the inner IPv4 header to the outer
|
||||
* IPv4 header.
|
||||
* * 0: Outer header is not modified.
|
||||
*/
|
||||
uint32_t copy_df : 1;
|
||||
|
||||
/**< Decrement inner packet Time To Live (TTL) field
|
||||
*
|
||||
* * 1: In tunnel mode, decrement inner packet IPv4 TTL or
|
||||
* IPv6 Hop Limit after tunnel decapsulation, or before tunnel
|
||||
* encapsulation.
|
||||
* * 0: Inner packet is not modified.
|
||||
*/
|
||||
uint32_t dec_ttl : 1;
|
||||
};
|
||||
|
||||
/** IPSec security association direction */
|
||||
enum rte_security_ipsec_sa_direction {
|
||||
RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
|
||||
/**< Encrypt and generate digest */
|
||||
RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
|
||||
/**< Verify digest and decrypt */
|
||||
};
|
||||
|
||||
/**
|
||||
* IPsec security association configuration data.
|
||||
*
|
||||
* This structure contains data required to create an IPsec SA security session.
|
||||
*/
|
||||
struct rte_security_ipsec_xform {
|
||||
uint32_t spi;
|
||||
/**< SA security parameter index */
|
||||
uint32_t salt;
|
||||
/**< SA salt */
|
||||
struct rte_security_ipsec_sa_options options;
|
||||
/**< various SA options */
|
||||
enum rte_security_ipsec_sa_direction direction;
|
||||
/**< IPSec SA Direction - Egress/Ingress */
|
||||
enum rte_security_ipsec_sa_protocol proto;
|
||||
/**< IPsec SA Protocol - AH/ESP */
|
||||
enum rte_security_ipsec_sa_mode mode;
|
||||
/**< IPsec SA Mode - transport/tunnel */
|
||||
struct rte_security_ipsec_tunnel_param tunnel;
|
||||
/**< Tunnel parameters, NULL for transport mode */
|
||||
};
|
||||
|
||||
/**
|
||||
* MACsec security session configuration
|
||||
*/
|
||||
struct rte_security_macsec_xform {
|
||||
/** To be Filled */
|
||||
};
|
||||
|
||||
/**
|
||||
* Security session action type.
|
||||
*/
|
||||
enum rte_security_session_action_type {
|
||||
RTE_SECURITY_ACTION_TYPE_NONE,
|
||||
/**< No security actions */
|
||||
RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
|
||||
/**< Crypto processing for security protocol is processed inline
|
||||
* during transmission
|
||||
*/
|
||||
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
|
||||
/**< All security protocol processing is performed inline during
|
||||
* transmission
|
||||
*/
|
||||
RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
|
||||
/**< All security protocol processing including crypto is performed
|
||||
* on a lookaside accelerator
|
||||
*/
|
||||
};
|
||||
|
||||
/** Security session protocol definition */
|
||||
enum rte_security_session_protocol {
|
||||
RTE_SECURITY_PROTOCOL_IPSEC,
|
||||
/**< IPsec Protocol */
|
||||
RTE_SECURITY_PROTOCOL_MACSEC,
|
||||
/**< MACSec Protocol */
|
||||
};
|
||||
|
||||
/**
|
||||
* Security session configuration
|
||||
*/
|
||||
struct rte_security_session_conf {
|
||||
enum rte_security_session_action_type action_type;
|
||||
/**< Type of action to be performed on the session */
|
||||
enum rte_security_session_protocol protocol;
|
||||
/**< Security protocol to be configured */
|
||||
union {
|
||||
struct rte_security_ipsec_xform ipsec;
|
||||
struct rte_security_macsec_xform macsec;
|
||||
};
|
||||
/**< Configuration parameters for security session */
|
||||
struct rte_crypto_sym_xform *crypto_xform;
|
||||
/**< Security Session Crypto Transformations */
|
||||
};
|
||||
|
||||
struct rte_security_session {
|
||||
void *sess_private_data;
|
||||
/**< Private session material */
|
||||
};
|
||||
|
||||
/**
|
||||
* Create security session as specified by the session configuration
|
||||
*
|
||||
* @param instance security instance
|
||||
* @param conf session configuration parameters
|
||||
* @param mp mempool to allocate session objects from
|
||||
* @return
|
||||
* - On success, pointer to session
|
||||
* - On failure, NULL
|
||||
*/
|
||||
struct rte_security_session *
|
||||
rte_security_session_create(struct rte_security_ctx *instance,
|
||||
struct rte_security_session_conf *conf,
|
||||
struct rte_mempool *mp);
|
||||
|
||||
/**
|
||||
* Update security session as specified by the session configuration
|
||||
*
|
||||
* @param instance security instance
|
||||
* @param sess session to update parameters
|
||||
* @param conf update configuration parameters
|
||||
* @return
|
||||
* - On success returns 0
|
||||
* - On failure return errno
|
||||
*/
|
||||
int
|
||||
rte_security_session_update(struct rte_security_ctx *instance,
|
||||
struct rte_security_session *sess,
|
||||
struct rte_security_session_conf *conf);
|
||||
|
||||
/**
|
||||
* Free security session header and the session private data and
|
||||
* return it to its original mempool.
|
||||
*
|
||||
* @param instance security instance
|
||||
* @param sess security session to freed
|
||||
*
|
||||
* @return
|
||||
* - 0 if successful.
|
||||
* - -EINVAL if session is NULL.
|
||||
* - -EBUSY if not all device private data has been freed.
|
||||
*/
|
||||
int
|
||||
rte_security_session_destroy(struct rte_security_ctx *instance,
|
||||
struct rte_security_session *sess);
|
||||
|
||||
/**
|
||||
* Updates the buffer with device-specific defined metadata
|
||||
*
|
||||
* @param instance security instance
|
||||
* @param sess security session
|
||||
* @param mb packet mbuf to set metadata on.
|
||||
* @param params device-specific defined parameters
|
||||
* required for metadata
|
||||
*
|
||||
* @return
|
||||
* - On success, zero.
|
||||
* - On failure, a negative value.
|
||||
*/
|
||||
int
|
||||
rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
|
||||
struct rte_security_session *sess,
|
||||
struct rte_mbuf *mb, void *params);
|
||||
|
||||
/**
|
||||
* Attach a session to a symmetric crypto operation
|
||||
*
|
||||
* @param sym_op crypto operation
|
||||
* @param sess security session
|
||||
*/
|
||||
static inline int
|
||||
__rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
|
||||
struct rte_security_session *sess)
|
||||
{
|
||||
sym_op->sec_session = sess;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline void *
|
||||
get_sec_session_private_data(const struct rte_security_session *sess)
|
||||
{
|
||||
return sess->sess_private_data;
|
||||
}
|
||||
|
||||
static inline void
|
||||
set_sec_session_private_data(struct rte_security_session *sess,
|
||||
void *private_data)
|
||||
{
|
||||
sess->sess_private_data = private_data;
|
||||
}
|
||||
|
||||
/**
|
||||
* Attach a session to a crypto operation.
|
||||
* This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD
|
||||
* For other rte_security_session_action_type, ol_flags in rte_mbuf may be
|
||||
* defined to perform security operations.
|
||||
*
|
||||
* @param op crypto operation
|
||||
* @param sess security session
|
||||
*/
|
||||
static inline int
|
||||
rte_security_attach_session(struct rte_crypto_op *op,
|
||||
struct rte_security_session *sess)
|
||||
{
|
||||
if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
|
||||
return -EINVAL;
|
||||
|
||||
op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION;
|
||||
|
||||
return __rte_security_attach_session(op->sym, sess);
|
||||
}
|
||||
|
||||
struct rte_security_macsec_stats {
|
||||
uint64_t reserved;
|
||||
};
|
||||
|
||||
struct rte_security_ipsec_stats {
|
||||
uint64_t reserved;
|
||||
|
||||
};
|
||||
|
||||
struct rte_security_stats {
|
||||
enum rte_security_session_protocol protocol;
|
||||
/**< Security protocol to be configured */
|
||||
|
||||
union {
|
||||
struct rte_security_macsec_stats macsec;
|
||||
struct rte_security_ipsec_stats ipsec;
|
||||
};
|
||||
};
|
||||
|
||||
/**
|
||||
* Get security session statistics
|
||||
*
|
||||
* @param instance security instance
|
||||
* @param sess security session
|
||||
* @param stats statistics
|
||||
* @return
|
||||
* - On success return 0
|
||||
* - On failure errno
|
||||
*/
|
||||
int
|
||||
rte_security_session_stats_get(struct rte_security_ctx *instance,
|
||||
struct rte_security_session *sess,
|
||||
struct rte_security_stats *stats);
|
||||
|
||||
/**
|
||||
* Security capability definition
|
||||
*/
|
||||
struct rte_security_capability {
|
||||
enum rte_security_session_action_type action;
|
||||
/**< Security action type*/
|
||||
enum rte_security_session_protocol protocol;
|
||||
/**< Security protocol */
|
||||
RTE_STD_C11
|
||||
union {
|
||||
struct {
|
||||
enum rte_security_ipsec_sa_protocol proto;
|
||||
/**< IPsec SA protocol */
|
||||
enum rte_security_ipsec_sa_mode mode;
|
||||
/**< IPsec SA mode */
|
||||
enum rte_security_ipsec_sa_direction direction;
|
||||
/**< IPsec SA direction */
|
||||
struct rte_security_ipsec_sa_options options;
|
||||
/**< IPsec SA supported options */
|
||||
} ipsec;
|
||||
/**< IPsec capability */
|
||||
struct {
|
||||
/* To be Filled */
|
||||
} macsec;
|
||||
/**< MACsec capability */
|
||||
};
|
||||
|
||||
const struct rte_cryptodev_capabilities *crypto_capabilities;
|
||||
/**< Corresponding crypto capabilities for security capability */
|
||||
|
||||
uint32_t ol_flags;
|
||||
/**< Device offload flags */
|
||||
};
|
||||
|
||||
#define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001
|
||||
/**< HW needs metadata update, see rte_security_set_pkt_metadata().
|
||||
*/
|
||||
|
||||
#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002
|
||||
/**< HW constructs trailer of packets
|
||||
* Transmitted packets will have the trailer added to them
|
||||
* by hardawre. The next protocol field will be based on
|
||||
* the mbuf->inner_esp_next_proto field.
|
||||
*/
|
||||
#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000
|
||||
/**< HW removes trailer of packets
|
||||
* Received packets have no trailer, the next protocol field
|
||||
* is supplied in the mbuf->inner_esp_next_proto field.
|
||||
* Inner packet is not modified.
|
||||
*/
|
||||
|
||||
/**
|
||||
* Security capability index used to query a security instance for a specific
|
||||
* security capability
|
||||
*/
|
||||
struct rte_security_capability_idx {
|
||||
enum rte_security_session_action_type action;
|
||||
enum rte_security_session_protocol protocol;
|
||||
|
||||
union {
|
||||
struct {
|
||||
enum rte_security_ipsec_sa_protocol proto;
|
||||
enum rte_security_ipsec_sa_mode mode;
|
||||
enum rte_security_ipsec_sa_direction direction;
|
||||
} ipsec;
|
||||
};
|
||||
};
|
||||
|
||||
/**
|
||||
* Returns array of security instance capabilities
|
||||
*
|
||||
* @param instance Security instance.
|
||||
*
|
||||
* @return
|
||||
* - Returns array of security capabilities.
|
||||
* - Return NULL if no capabilities available.
|
||||
*/
|
||||
const struct rte_security_capability *
|
||||
rte_security_capabilities_get(struct rte_security_ctx *instance);
|
||||
|
||||
/**
|
||||
* Query if a specific capability is available on security instance
|
||||
*
|
||||
* @param instance security instance.
|
||||
* @param idx security capability index to match against
|
||||
*
|
||||
* @return
|
||||
* - Returns pointer to security capability on match of capability
|
||||
* index criteria.
|
||||
* - Return NULL if the capability not matched on security instance.
|
||||
*/
|
||||
const struct rte_security_capability *
|
||||
rte_security_capability_get(struct rte_security_ctx *instance,
|
||||
struct rte_security_capability_idx *idx);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif /* _RTE_SECURITY_H_ */
|
156
lib/librte_security/rte_security_driver.h
Normal file
156
lib/librte_security/rte_security_driver.h
Normal file
@ -0,0 +1,156 @@
|
||||
/*-
|
||||
* BSD LICENSE
|
||||
*
|
||||
* Copyright(c) 2017 Intel Corporation. All rights reserved.
|
||||
* Copyright 2017 NXP.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* * Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
* * Neither the name of Intel Corporation nor the names of its
|
||||
* contributors may be used to endorse or promote products derived
|
||||
* from this software without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef _RTE_SECURITY_DRIVER_H_
|
||||
#define _RTE_SECURITY_DRIVER_H_
|
||||
|
||||
/**
|
||||
* @file rte_security_driver.h
|
||||
* @b EXPERIMENTAL: this API may change without prior notice
|
||||
*
|
||||
* RTE Security Common Definitions
|
||||
*
|
||||
*/
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
#include "rte_security.h"
|
||||
|
||||
/**
|
||||
* Configure a security session on a device.
|
||||
*
|
||||
* @param device Crypto/eth device pointer
|
||||
* @param conf Security session configuration
|
||||
* @param sess Pointer to Security private session structure
|
||||
* @param mp Mempool where the private session is allocated
|
||||
*
|
||||
* @return
|
||||
* - Returns 0 if private session structure have been created successfully.
|
||||
* - Returns -EINVAL if input parameters are invalid.
|
||||
* - Returns -ENOTSUP if crypto device does not support the crypto transform.
|
||||
* - Returns -ENOMEM if the private session could not be allocated.
|
||||
*/
|
||||
typedef int (*security_session_create_t)(void *device,
|
||||
struct rte_security_session_conf *conf,
|
||||
struct rte_security_session *sess,
|
||||
struct rte_mempool *mp);
|
||||
|
||||
/**
|
||||
* Free driver private session data.
|
||||
*
|
||||
* @param dev Crypto/eth device pointer
|
||||
* @param sess Security session structure
|
||||
*/
|
||||
typedef int (*security_session_destroy_t)(void *device,
|
||||
struct rte_security_session *sess);
|
||||
|
||||
/**
|
||||
* Update driver private session data.
|
||||
*
|
||||
* @param device Crypto/eth device pointer
|
||||
* @param sess Pointer to Security private session structure
|
||||
* @param conf Security session configuration
|
||||
*
|
||||
* @return
|
||||
* - Returns 0 if private session structure have been updated successfully.
|
||||
* - Returns -EINVAL if input parameters are invalid.
|
||||
* - Returns -ENOTSUP if crypto device does not support the crypto transform.
|
||||
*/
|
||||
typedef int (*security_session_update_t)(void *device,
|
||||
struct rte_security_session *sess,
|
||||
struct rte_security_session_conf *conf);
|
||||
/**
|
||||
* Get stats from the PMD.
|
||||
*
|
||||
* @param device Crypto/eth device pointer
|
||||
* @param sess Pointer to Security private session structure
|
||||
* @param stats Security stats of the driver
|
||||
*
|
||||
* @return
|
||||
* - Returns 0 if private session structure have been updated successfully.
|
||||
* - Returns -EINVAL if session parameters are invalid.
|
||||
*/
|
||||
typedef int (*security_session_stats_get_t)(void *device,
|
||||
struct rte_security_session *sess,
|
||||
struct rte_security_stats *stats);
|
||||
|
||||
/**
|
||||
* Update the mbuf with provided metadata.
|
||||
*
|
||||
* @param sess Security session structure
|
||||
* @param mb Packet buffer
|
||||
* @param mt Metadata
|
||||
*
|
||||
* @return
|
||||
* - Returns 0 if metadata updated successfully.
|
||||
* - Returns -ve value for errors.
|
||||
*/
|
||||
typedef int (*security_set_pkt_metadata_t)(void *device,
|
||||
struct rte_security_session *sess, struct rte_mbuf *m,
|
||||
void *params);
|
||||
|
||||
/**
|
||||
* Get security capabilities of the device.
|
||||
*
|
||||
* @param device crypto/eth device pointer
|
||||
*
|
||||
* @return
|
||||
* - Returns rte_security_capability pointer on success.
|
||||
* - Returns NULL on error.
|
||||
*/
|
||||
typedef const struct rte_security_capability *(*security_capabilities_get_t)(
|
||||
void *device);
|
||||
|
||||
/** Security operations function pointer table */
|
||||
struct rte_security_ops {
|
||||
security_session_create_t session_create;
|
||||
/**< Configure a security session. */
|
||||
security_session_update_t session_update;
|
||||
/**< Update a security session. */
|
||||
security_session_stats_get_t session_stats_get;
|
||||
/**< Get security session statistics. */
|
||||
security_session_destroy_t session_destroy;
|
||||
/**< Clear a security sessions private data. */
|
||||
security_set_pkt_metadata_t set_pkt_metadata;
|
||||
/**< Update mbuf metadata. */
|
||||
security_capabilities_get_t capabilities_get;
|
||||
/**< Get security capabilities. */
|
||||
};
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif /* _RTE_SECURITY_DRIVER_H_ */
|
14
lib/librte_security/rte_security_version.map
Normal file
14
lib/librte_security/rte_security_version.map
Normal file
@ -0,0 +1,14 @@
|
||||
EXPERIMENTAL {
|
||||
global:
|
||||
|
||||
rte_security_attach_session;
|
||||
rte_security_capabilities_get;
|
||||
rte_security_capability_get;
|
||||
rte_security_session_create;
|
||||
rte_security_session_destroy;
|
||||
rte_security_session_stats_get;
|
||||
rte_security_session_update;
|
||||
rte_security_set_pkt_metadata;
|
||||
|
||||
local: *;
|
||||
};
|
@ -94,6 +94,7 @@ _LDLIBS-$(CONFIG_RTE_LIBRTE_MBUF) += -lrte_mbuf
|
||||
_LDLIBS-$(CONFIG_RTE_LIBRTE_NET) += -lrte_net
|
||||
_LDLIBS-$(CONFIG_RTE_LIBRTE_ETHER) += -lrte_ethdev
|
||||
_LDLIBS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += -lrte_cryptodev
|
||||
_LDLIBS-$(CONFIG_RTE_LIBRTE_SECURITY) += -lrte_security
|
||||
_LDLIBS-$(CONFIG_RTE_LIBRTE_EVENTDEV) += -lrte_eventdev
|
||||
_LDLIBS-$(CONFIG_RTE_LIBRTE_MEMPOOL) += -lrte_mempool
|
||||
_LDLIBS-$(CONFIG_RTE_DRIVER_MEMPOOL_RING) += -lrte_mempool_ring
|
||||
|
Loading…
Reference in New Issue
Block a user