Commit Graph

29 Commits

Author SHA1 Message Date
Akhil Goyal
badac76cec security: add HFN override option in PDCP
HFN can be given as a per packet value also.
As we do not have IV in case of PDCP, and HFN is
used to generate IV. IV field can be used to get the
per packet HFN while enq/deq
If hfn_ovrd field in pdcp_xform is set,
application is expected to set the per packet HFN
in place of IV. Driver will extract the HFN and perform
operations accordingly.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-10-09 11:50:12 +02:00
Radu Nicolau
382df9dfb6 security: fix doxygen fields
Replace /**< with /** for multiline doxygen comments.

Fixes: c261d1431b ("security: introduce security API and framework")
Cc: stable@dpdk.org

Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
2019-10-09 11:50:12 +02:00
Radu Nicolau
9404e0138d security: add IPsec statistics
Update IPsec statistics struct definition, add per SA
statistics collection enable flag.

Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
2019-10-09 11:50:12 +02:00
Ferruh Yigit
08644f1ad2 security: remove duplicated symbols from map file
Fixes: f63ffee26f ("security: restore experimental tag for unimplemented APIs")
Cc: stable@dpdk.org

Signed-off-by: Ferruh Yigit <ferruh.yigit@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-07-26 16:03:21 +02:00
Fan Zhang
cd5b860c18 ipsec: support header construction
Add support for RFC 4301(5.1.2) to update of
Type of service field and Traffic class field
bits inside ipv4/ipv6 packets for outbound cases
and inbound cases which deals with the update of
the DSCP/ENC bits inside each of the fields.

Signed-off-by: Marko Kovacevic <marko.kovacevic@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-07-05 15:28:14 +02:00
David Marchand
18218713bf enforce experimental tag at beginning of declarations
Putting a '__attribute__((deprecated))' in the middle of a function
prototype does not result in the expected result with gcc (while clang
is fine with this syntax).

$ cat deprecated.c
void * __attribute__((deprecated)) incorrect() { return 0; }
__attribute__((deprecated)) void *correct(void) { return 0; }
int main(int argc, char *argv[]) { incorrect(); correct(); return 0; }
$ gcc -o deprecated.o -c deprecated.c
deprecated.c: In function ‘main’:
deprecated.c:3:1: warning: ‘correct’ is deprecated (declared at
deprecated.c:2) [-Wdeprecated-declarations]
 int main(int argc, char *argv[]) { incorrect(); correct(); return 0; }
 ^

Move the tag on a separate line and make it the first thing of function
prototypes.
This is not perfect but we will trust reviewers to catch the other not
so easy to detect patterns.

sed -i \
     -e '/^\([^#].*\)\?__rte_experimental */{' \
     -e 's//\1/; s/ *$//; i\' \
     -e __rte_experimental \
     -e '/^$/d}' \
     $(git grep -l __rte_experimental -- '*.h')

Special mention for rte_mbuf_data_addr_default():

There is either a bug or a (not yet understood) issue with gcc.
gcc won't drop this inline when unused and rte_mbuf_data_addr_default()
calls rte_mbuf_buf_addr() which itself is experimental.
This results in a build warning when not accepting experimental apis
from sources just including rte_mbuf.h.

For this specific case, we hide the call to rte_mbuf_buf_addr() under
the ALLOW_EXPERIMENTAL_API flag.

Signed-off-by: Adrien Mazarguil <adrien.mazarguil@6wind.com>
Signed-off-by: David Marchand <david.marchand@redhat.com>
2019-06-29 19:04:48 +02:00
David Marchand
cfe3aeb170 remove experimental tags from all symbol definitions
We had some inconsistencies between functions prototypes and actual
definitions.
Let's avoid this by only adding the experimental tag to the prototypes.
Tests with gcc and clang show it is enough.

git grep -l __rte_experimental |grep \.c$ |while read file; do
	sed -i -e '/^__rte_experimental$/d' $file;
	sed -i -e 's/  *__rte_experimental//' $file;
	sed -i -e 's/__rte_experimental  *//' $file;
done

Signed-off-by: David Marchand <david.marchand@redhat.com>
Acked-by: Adrien Mazarguil <adrien.mazarguil@6wind.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
2019-06-29 19:04:43 +02:00
John McNamara
8bd5f07c7a doc: fix spelling reported by aspell in comments
Fix spelling errors in the doxygen docs.

Signed-off-by: John McNamara <john.mcnamara@intel.com>
2019-05-03 00:38:14 +02:00
Konstantin Ananyev
58a8e49a98 security: add opaque userdata pointer into security session
Add 'uint64_t opaque_data' inside struct rte_security_session.
That allows upper layer to easily associate some user defined
data with the session.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10 16:57:22 +01:00
Akhil Goyal
f63ffee26f security: restore experimental tag for unimplemented APIs
Following APIs are not currently implemented by any of the
drivers, so marking them as rte_experimental again.

Fixes: 1a81dce780 ("security: remove experimental tag")

rte_security_get_userdata;
rte_security_session_stats_get;
rte_security_session_update;

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
2018-11-23 02:03:33 +01:00
Akhil Goyal
1a81dce780 security: remove experimental tag
rte_security has been experimental since DPDK 17.11 release.
Now the library has matured and expermental tag is removed in
this patch.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Boris Pismenny <borisp@mellanox.com>
2018-11-18 22:31:30 +01:00
Akhil Goyal
8b593b8cbf security: support PDCP
Packet Data Convergence Protocol (PDCP) is added in rte_security
for 3GPP TS 36.323 for LTE.

The patchset provide the structure definitions for configuring the
PDCP sessions and relevant documentation is added.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
2018-10-24 15:12:33 +02:00
Radu Nicolau
8a29f519ef security: fix crash on destroy null session
rte_security_session_destroy should return -EINVAL if session is NULL,
but segfaults because of rte_mempool_from_obj(NULL) call.

Fixes: c261d1431b ("security: introduce security API and framework")
Cc: stable@dpdk.org

Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2018-07-11 00:57:51 +02:00
Hemant Agrawal
92c210f0b4 security: change to SPDX license tags
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2018-07-11 00:57:51 +02:00
Anoob Joseph
2f533cb325 security: extend userdata for IPsec events
Extending 'userdata' to be used for IPsec events too.

IPsec events would have some metadata which would uniquely identify the
security session for which the event is raised. But application would
need some construct which it can understand. The 'userdata' solves a
similar problem for inline processed inbound traffic. Updating the
documentation to extend the usage of 'userdata'.

Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2018-04-23 18:20:10 +01:00
Anoob Joseph
807b94b851 security: add ESN soft limit in config
Adding ESN soft limit in conf. This will be used in case of protocol
offload. Per SA, application could specify for what ESN the security
device need to notify application. In case of eth dev(inline protocol),
rte_eth_event framework would raise an IPsec event.

Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2018-04-23 18:20:10 +01:00
Bruce Richardson
6c9457c279 build: replace license text with SPDX tag
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Reviewed-by: Luca Boccassi <bluca@debian.org>
2018-01-30 21:58:59 +01:00
Bruce Richardson
5b9656b157 lib: build with meson
Add non-EAL libraries to DPDK build. The compat lib is a special case,
along with the previously-added EAL, but all other libs can be build using
the same set of commands, where the individual meson.build files only need
to specify their dependencies, source files, header files and ABI versions.

Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Reviewed-by: Harry van Haaren <harry.van.haaren@intel.com>
Acked-by: Keith Wiles <keith.wiles@intel.com>
Acked-by: Luca Boccassi <luca.boccassi@gmail.com>
2018-01-30 17:49:16 +01:00
Zhiyong Yang
513942f07c cryptodev: fix session pointer cast
The wrong casts don't cause actual error, but they should conform to C
standard.

Fixes: c261d1431b ("security: introduce security API and framework")
Fixes: b3bbd9e5f2 ("cryptodev: support device independent sessions")
Cc: stable@dpdk.org

Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2018-01-29 20:22:33 +01:00
Neil Horman
a6ec31597a mk: add experimental tag check
Add checks during build to ensure that all symbols in the EXPERIMENTAL
version map section have __experimental tags on their definitions, and
enable the warnings needed to announce their use.  Also add an
ALLOW_EXPERIMENTAL_APIS define to allow individual libraries and files
to declare the acceptability of experimental api usage

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Thomas Monjalon <thomas@monjalon.net>
2018-01-29 23:35:29 +01:00
Neil Horman
77b7b81e32 add experimental tag to appropriate functions
Append the __rte_experimental tag to api calls appearing in the
EXPERIMENTAL section of their libraries version map

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Thomas Monjalon <thomas@monjalon.net>
2018-01-29 23:35:29 +01:00
Radu Nicolau
ba201f5547 security: get session size
Add function to get security session size.

Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-01-20 16:10:52 +01:00
Anoob Joseph
1a08c379b9 security: support user data retrieval
In case of inline protocol processed ingress traffic, the packet may not
have enough information to determine the security parameters with which
the packet was processed. In such cases, application could get metadata
from the packet which could be used to identify the security parameters
with which the packet was processed.

Application could register "userdata" with the security session, and
this could be retrieved from the metadata of inline processed packets.
The metadata returned by "rte_security_get_pkt_metadata()" will be
device specific. Also the driver is expected to return the application
registered "userdata" as is, without any modifications.

Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2018-01-20 16:10:20 +01:00
Akhil Goyal
009ac7157c security: fix enum start value
enum should be initialized with 1 so that unitialized(memset)
memory may not be treated as a valid enum value.

Fixes: c261d1431b ("security: introduce security API and framework")
Cc: stable@dpdk.org

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
2018-01-20 16:08:34 +01:00
Nélio Laranjeiro
9ee625c2cf security: fix pedantic compilation
/x86_64-native-linuxapp-gcc/include/rte_security.h:229:8:
error: struct has no members [-Werror=pedantic]
  struct rte_security_macsec_xform {
         ^~~~~~~~~~~~~~~~~~~~~~~~~
/x86_64-native-linuxapp-gcc/include/rte_security.h:453:3:
error: struct has no members [-Werror=pedantic]
    struct {
    ^~~~~~

Fixes: c261d1431b ("security: introduce security API and framework")
Cc: stable@dpdk.org

Signed-off-by: Nelio Laranjeiro <nelio.laranjeiro@6wind.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2018-01-20 16:08:34 +01:00
Nélio Laranjeiro
9265ef805d security: fix device operation type
Device operation pointers should be constant to avoid any modification
while it is in use.

Fixes: c261d1431b ("security: introduce security API and framework")
Cc: stable@dpdk.org

Signed-off-by: Nelio Laranjeiro <nelio.laranjeiro@6wind.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2018-01-20 16:08:34 +01:00
Bruce Richardson
369991d997 lib: use SPDX tag for Intel copyright files
Replace the BSD license header with the SPDX tag for files
with only an Intel copyright on them.

Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
2018-01-04 22:41:39 +01:00
Akhil Goyal
db1ae72336 security: fix anonymous unions in structure definitions
Fixes: c261d1431b ("security: introduce security API and framework")

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2017-11-10 02:53:05 +01:00
Akhil Goyal
c261d1431b security: introduce security API and framework
rte_security library provides APIs for security session
create/free for protocol offload or offloaded crypto
operation to ethernet device.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Signed-off-by: Declan Doherty <declan.doherty@intel.com>
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
2017-10-26 03:10:51 +02:00