
{
    "id": 130109,
    "url": "http://patchwork.dpdk.org/api/patches/130109/?format=api",
    "web_url": "http://patchwork.dpdk.org/project/dpdk/patch/20230811071712.240-3-anoobj@marvell.com/",
    "project": {
        "id": 1,
        "url": "http://patchwork.dpdk.org/api/projects/1/?format=api",
        "name": "DPDK",
        "link_name": "dpdk",
        "list_id": "dev.dpdk.org",
        "list_email": "dev@dpdk.org",
        "web_url": "http://core.dpdk.org",
        "scm_url": "git://dpdk.org/dpdk",
        "webscm_url": "http://git.dpdk.org/dpdk",
        "list_archive_url": "https://inbox.dpdk.org/dev",
        "list_archive_url_format": "https://inbox.dpdk.org/dev/{}",
        "commit_url_format": ""
    },
    "msgid": "<20230811071712.240-3-anoobj@marvell.com>",
    "list_archive_url": "https://inbox.dpdk.org/dev/20230811071712.240-3-anoobj@marvell.com",
    "date": "2023-08-11T07:17:11",
    "name": "[RFC,2/3] security: add TLS record processing",
    "commit_ref": null,
    "pull_url": null,
    "state": "superseded",
    "archived": true,
    "hash": "6bbf3b84632a3cc5b49710cd928782cea27b903f",
    "submitter": {
        "id": 1205,
        "url": "http://patchwork.dpdk.org/api/people/1205/?format=api",
        "name": "Anoob Joseph",
        "email": "anoobj@marvell.com"
    },
    "delegate": {
        "id": 6690,
        "url": "http://patchwork.dpdk.org/api/users/6690/?format=api",
        "username": "akhil",
        "first_name": "akhil",
        "last_name": "goyal",
        "email": "gakhil@marvell.com"
    },
    "mbox": "http://patchwork.dpdk.org/project/dpdk/patch/20230811071712.240-3-anoobj@marvell.com/mbox/",
    "series": [
        {
            "id": 29175,
            "url": "http://patchwork.dpdk.org/api/series/29175/?format=api",
            "web_url": "http://patchwork.dpdk.org/project/dpdk/list/?series=29175",
            "date": "2023-08-11T07:17:09",
            "name": "add TLS record processing security offload",
            "version": 1,
            "mbox": "http://patchwork.dpdk.org/series/29175/mbox/"
        }
    ],
    "comments": "http://patchwork.dpdk.org/api/patches/130109/comments/",
    "check": "success",
    "checks": "http://patchwork.dpdk.org/api/patches/130109/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<dev-bounces@dpdk.org>",
        "X-Original-To": "patchwork@inbox.dpdk.org",
        "Delivered-To": "patchwork@inbox.dpdk.org",
        "Received": [
            "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id BD5684302F;\n\tFri, 11 Aug 2023 09:17:47 +0200 (CEST)",
            "from mails.dpdk.org (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id 26ECF4323A;\n\tFri, 11 Aug 2023 09:17:42 +0200 (CEST)",
            "from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com\n [67.231.148.174])\n by mails.dpdk.org (Postfix) with ESMTP id 1502240E03\n for <dev@dpdk.org>; Fri, 11 Aug 2023 09:17:40 +0200 (CEST)",
            "from pps.filterd (m0045849.ppops.net [127.0.0.1])\n by mx0a-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id\n 37AMjxvU001610; Fri, 11 Aug 2023 00:17:36 -0700",
            "from dc5-exch01.marvell.com ([199.233.59.181])\n by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3sd8yp9f1c-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT);\n Fri, 11 Aug 2023 00:17:36 -0700",
            "from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH01.marvell.com\n (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.48;\n Fri, 11 Aug 2023 00:17:35 -0700",
            "from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com\n (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.48 via Frontend\n Transport; Fri, 11 Aug 2023 00:17:35 -0700",
            "from BG-LT92004.corp.innovium.com (unknown [10.28.163.189])\n by maili.marvell.com (Postfix) with ESMTP id 974203F706C;\n Fri, 11 Aug 2023 00:17:24 -0700 (PDT)"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com;\n h=from : to : cc :\n subject : date : message-id : in-reply-to : references : mime-version :\n content-transfer-encoding : content-type; s=pfpt0220;\n bh=cfeYzbE85m6tHh44esonP8TJs1ZgyxhIITIxasLHpAY=;\n b=lT1gXk9xf1vg2cs5+o/xR2RwZ/g+gktGytNi1thwMS0qaOFduWBqHWWg/U9vcXK/dyjt\n wLADcKREhRuCZVE+qwLTNRXN2gaiu6u47V1wCBHWYiYcSncZtIuFFNytL2NRSWPG48c/\n Px5QCdzbSR3PERKSlHobfvdKHG/YyY2AyU8rZ54zPbOHA2YGWxot6MK11ErfrDuDDaM2\n n2KnykjuukIwyzbz45acDnHFHI0zvulOsMvwsKII4nnMeQ68FXSPRm6E+IvSL3TI0EQC\n ZvDfnF4P2miCLZ+Jx1nVWaMMh795rUdTV+jJdM71yrLGWGXL7i12mQDw5cCcTkCgEBgB Xg==",
        "From": "Anoob Joseph <anoobj@marvell.com>",
        "To": "Thomas Monjalon <thomas@monjalon.net>, Akhil Goyal <gakhil@marvell.com>,\n Jerin Jacob <jerinj@marvell.com>, Konstantin Ananyev\n <konstantin.v.ananyev@yandex.ru>",
        "CC": "Hemant Agrawal <hemant.agrawal@nxp.com>, <dev@dpdk.org>, Olivier Matz\n <olivier.matz@6wind.com>, Vidya Sagar Velumuri <vvelumuri@marvell.com>",
        "Subject": "[RFC PATCH 2/3] security: add TLS record processing",
        "Date": "Fri, 11 Aug 2023 12:47:11 +0530",
        "Message-ID": "<20230811071712.240-3-anoobj@marvell.com>",
        "X-Mailer": "git-send-email 2.25.1",
        "In-Reply-To": "<20230811071712.240-1-anoobj@marvell.com>",
        "References": "<20230811071712.240-1-anoobj@marvell.com>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit",
        "Content-Type": "text/plain",
        "X-Proofpoint-ORIG-GUID": "iR5Cq7j5i2SaQnft5UffUR2CXLLOZgnA",
        "X-Proofpoint-GUID": "iR5Cq7j5i2SaQnft5UffUR2CXLLOZgnA",
        "X-Proofpoint-Virus-Version": "vendor=baseguard\n engine=ICAP:2.0.267,Aquarius:18.0.957,Hydra:6.0.591,FMLib:17.11.176.26\n definitions=2023-08-10_20,2023-08-10_01,2023-05-22_02",
        "X-BeenThere": "dev@dpdk.org",
        "X-Mailman-Version": "2.1.29",
        "Precedence": "list",
        "List-Id": "DPDK patches and discussions <dev.dpdk.org>",
        "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>",
        "List-Archive": "<http://mails.dpdk.org/archives/dev/>",
        "List-Post": "<mailto:dev@dpdk.org>",
        "List-Help": "<mailto:dev-request@dpdk.org?subject=help>",
        "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>",
        "Errors-To": "dev-bounces@dpdk.org"
    },
    "content": "Add Transport Layer Security (TLS) and Datagram Transport Layer Security\n(DTLS). The protocols provide communications privacy for L4 protocols\nsuch as TCP & UDP.\n\nTLS (and DTLS) protocol is composed of two layers,\n1. TLS Record Protocol\n2. TLS Handshake Protocol\n\nWhile TLS Handshake Protocol helps in establishing security parameters\nby which client and server can communicate, TLS Record Protocol provides\nthe connection security. TLS Record Protocol leverages symmetric\ncryptographic operations such as data encryption and authentication for\nproviding security to the communications.\n\nCryptodevs that are capable of offloading TLS Record Protocol may\nperform other operations like IV generation, header insertion, atomic\nsequence number updates and anti-replay window check in addition to\ncryptographic transformations.\n\nThe support is added for TLS 1.2, TLS 1.3 and DTLS 1.2.\n\nSigned-off-by: Akhil Goyal <gakhil@marvell.com>\nSigned-off-by: Anoob Joseph <anoobj@marvell.com>\nSigned-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>\n---\n doc/guides/prog_guide/rte_security.rst |  58 +++++++++++++\n lib/security/rte_security.c            |   4 +\n lib/security/rte_security.h            | 110 +++++++++++++++++++++++++\n 3 files changed, 172 insertions(+)",
    "diff": "diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst\nindex 7418e35c1b..7716d7239f 100644\n--- a/doc/guides/prog_guide/rte_security.rst\n+++ b/doc/guides/prog_guide/rte_security.rst\n@@ -399,6 +399,64 @@ The API ``rte_security_macsec_sc_create`` returns a handle for SC,\n and this handle is set in ``rte_security_macsec_xform``\n to create a MACsec session using ``rte_security_session_create``.\n \n+TLS-Record Protocol\n+~~~~~~~~~~~~~~~~~~~\n+\n+The Transport Layer Protocol provides communications security over the Internet. The protocol\n+allows client/server applications to communicate in a way that is designed to prevent eavesdropping,\n+tampering, or message forgery.\n+\n+TLS protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. At\n+the lowest level, layered on top of some reliable transport protocol (e.g., TCP), is the TLS Record\n+Protocol. The TLS Record Protocol provides connection security that has two basic properties:\n+\n+   -  The connection is private.  Symmetric cryptography is used for data\n+      encryption (e.g., AES, DES, etc.).  The keys for this symmetric encryption\n+      are generated uniquely for each connection and are based on a secret\n+      negotiated by another protocol (such as the TLS Handshake Protocol). The\n+      Record Protocol can also be used without encryption.\n+\n+   -  The connection is reliable.  Message transport includes a message\n+      integrity check using a keyed MAC.  Secure hash functions (e.g.,\n+      SHA-1, etc.) are used for MAC computations.  The Record Protocol\n+      can operate without a MAC, but is generally only used in this mode\n+      while another protocol is using the Record Protocol as a transport\n+      for negotiating security parameters.\n+\n+.. 
code-block:: c\n+\n+             Record Write                   Record Read\n+             ------------                   -----------\n+\n+             TLSPlaintext                  TLSCiphertext\n+                  |                              |\n+                  ~                              ~\n+                  |                              |\n+                  V                              V\n+        +---------|----------+        +----------|---------+\n+        | Seq. no generation |        | Seq. no generation |\n+        +---------|----------+        +----------|---------+\n+                  |                              |\n+        +---------|----------+        +----------|---------+\n+        |  Header insertion  |        |    Decryption &    |\n+        +---------|----------+        |  MAC verification  |\n+                  |                   +----------|---------+\n+        +---------|----------+                   |\n+        |  MAC generation &  |        +----------|---------+\n+        |     Encryption     |        | TLS Header removal |\n+        +---------|----------+        +----------|---------+\n+                  |                              |\n+                  ~                              ~\n+                  |                              |\n+                  V                              V\n+            TLSCiphertext                  TLSPlaintext\n+\n+Supported Versions\n+^^^^^^^^^^^^^^^^^^\n+\n+* TLS 1.2\n+* TLS 1.3\n+* DTLS 1.2\n \n Device Features and Capabilities\n ---------------------------------\ndiff --git a/lib/security/rte_security.c b/lib/security/rte_security.c\nindex c4d64bb8e9..bd7b026547 100644\n--- a/lib/security/rte_security.c\n+++ b/lib/security/rte_security.c\n@@ -282,6 +282,10 @@ rte_security_capability_get(struct rte_security_ctx *instance,\n \t\t\t\tif (capability->docsis.direction ==\n \t\t\t\t\t\t\tidx->docsis.direction)\n \t\t\t\t\treturn capability;\n+\t\t\t} else if (idx->protocol == 
RTE_SECURITY_PROTOCOL_TLS_RECORD) {\n+\t\t\t\tif (capability->tls_record.ver == idx->tls_record.ver &&\n+\t\t\t\t    capability->tls_record.type == idx->tls_record.type)\n+\t\t\t\t\treturn capability;\n \t\t\t}\n \t\t}\n \t}\ndiff --git a/lib/security/rte_security.h b/lib/security/rte_security.h\nindex 3b2df526ba..b9d064ed84 100644\n--- a/lib/security/rte_security.h\n+++ b/lib/security/rte_security.h\n@@ -620,6 +620,99 @@ struct rte_security_docsis_xform {\n \t/**< DOCSIS direction */\n };\n \n+/** Salt len to be used with AEAD algos in TLS 1.2 */\n+#define RTE_SECURITY_TLS_1_2_SALT_LEN 4\n+/** Salt len to be used with AEAD algos in TLS 1.3 */\n+#define RTE_SECURITY_TLS_1_3_SALT_LEN 12\n+/** Salt len to be used with AEAD algos in DTLS 1.2 */\n+#define RTE_SECURITY_DTLS_1_2_SALT_LEN 4\n+\n+/** TLS version */\n+enum rte_security_tls_version {\n+\tRTE_SECURITY_VERSION_TLS_1_2,\t/**< TLS 1.2 */\n+\tRTE_SECURITY_VERSION_TLS_1_3,\t/**< TLS 1.3 */\n+\tRTE_SECURITY_VERSION_DTLS_1_2,\t/**< DTLS 1.2 */\n+};\n+\n+/** TLS session type */\n+enum rte_security_tls_sess_type {\n+\t/** Record read session\n+\t * - Decrypt & digest verification.\n+\t */\n+\tRTE_SECURITY_TLS_SESS_TYPE_READ,\n+\t/** Record write session\n+\t * - Encrypt & digest generation.\n+\t */\n+\tRTE_SECURITY_TLS_SESS_TYPE_WRITE,\n+};\n+\n+/**\n+ * Configure soft and hard lifetime of a TLS record session\n+ *\n+ * Lifetime of a TLS record session would specify the maximum number of packets that can be\n+ * processed. TLS record processing operations would start failing once hard limit is reached.\n+ *\n+ * Soft limits can be specified to generate notification when the TLS record session is approaching\n+ * hard limits for lifetime. 
This would result in a warning returned in ``rte_crypto_op.aux_flags``.\n+ */\n+struct rte_security_tls_record_lifetime {\n+\t/** Soft expiry limit in number of packets */\n+\tuint64_t packets_soft_limit;\n+\t/** Hard expiry limit in number of packets */\n+\tuint64_t packets_hard_limit;\n+};\n+\n+/**\n+ * TLS record protocol session configuration.\n+ *\n+ * This structure contains data required to create a TLS record security session.\n+ */\n+struct rte_security_tls_record_xform {\n+\t/** TLS record version. */\n+\tenum rte_security_tls_version ver;\n+\t/** TLS record session type. */\n+\tenum rte_security_tls_sess_type type;\n+\t/** TLS record session lifetime. */\n+\tstruct rte_security_tls_record_lifetime life;\n+\tunion {\n+\t\t/** TLS 1.2 parameters. */\n+\t\tstruct {\n+\t\t\t/** Starting sequence number. */\n+\t\t\tuint64_t seq_no;\n+\t\t\t/** Salt to be used for AEAD algos. */\n+\t\t\tuint8_t salt[RTE_SECURITY_TLS_1_2_SALT_LEN];\n+\t\t} tls_1_2;\n+\n+\t\t/** TLS 1.3 parameters. */\n+\t\tstruct {\n+\t\t\t/** Starting sequence number. */\n+\t\t\tuint64_t seq_no;\n+\t\t\t/** Salt to be used for AEAD algos. */\n+\t\t\tuint8_t salt[RTE_SECURITY_TLS_1_3_SALT_LEN];\n+\t\t\t/**\n+\t\t\t * Minimum payload length (in case of write sessions). For shorter inputs,\n+\t\t\t * the payload would be padded appropriately before performing crypto\n+\t\t\t * transformations.\n+\t\t\t */\n+\t\t\tuint32_t min_payload_len;\n+\t\t} tls_1_3;\n+\n+\t\t/** DTLS 1.2 parameters */\n+\t\tstruct {\n+\t\t\t/** Epoch value to be used. */\n+\t\t\tuint16_t epoch;\n+\t\t\t/** 6B starting sequence number to be used. */\n+\t\t\tuint64_t seq_no;\n+\t\t\t/** Salt to be used for AEAD algos. 
*/\n+\t\t\tuint8_t salt[RTE_SECURITY_DTLS_1_2_SALT_LEN];\n+\t\t\t/** Anti replay window size to enable sequence replay attack handling.\n+\t\t\t * Anti replay check is disabled if the window size is 0.\n+\t\t\t */\n+\t\t\tuint32_t ar_win_sz;\n+\t\t} dtls_1_2;\n+\t};\n+};\n+\n /**\n  * Security session action type.\n  */\n@@ -654,6 +747,8 @@ enum rte_security_session_protocol {\n \t/**< PDCP Protocol */\n \tRTE_SECURITY_PROTOCOL_DOCSIS,\n \t/**< DOCSIS Protocol */\n+\tRTE_SECURITY_PROTOCOL_TLS_RECORD,\n+\t/**< TLS Record Protocol */\n };\n \n /**\n@@ -670,6 +765,7 @@ struct rte_security_session_conf {\n \t\tstruct rte_security_macsec_xform macsec;\n \t\tstruct rte_security_pdcp_xform pdcp;\n \t\tstruct rte_security_docsis_xform docsis;\n+\t\tstruct rte_security_tls_record_xform tls;\n \t};\n \t/**< Configuration parameters for security session */\n \tstruct rte_crypto_sym_xform *crypto_xform;\n@@ -1190,6 +1286,16 @@ struct rte_security_capability {\n \t\t\t/**< DOCSIS direction */\n \t\t} docsis;\n \t\t/**< DOCSIS capability */\n+\t\tstruct {\n+\t\t\tenum rte_security_tls_version ver;\n+\t\t\t/**< TLS record version. */\n+\t\t\tenum rte_security_tls_sess_type type;\n+\t\t\t/**< TLS record session type. */\n+\t\t\tuint32_t ar_win_size;\n+\t\t\t/**< Maximum anti replay window size supported for DTLS 1.2 record read\n+\t\t\t * operation. Value of 0 means anti replay check is not supported.\n+\t\t\t */\n+\t\t} tls_record;\n \t};\n \n \tconst struct rte_cryptodev_capabilities *crypto_capabilities;\n@@ -1251,6 +1357,10 @@ struct rte_security_capability_idx {\n \t\tstruct {\n \t\t\tenum rte_security_docsis_direction direction;\n \t\t} docsis;\n+\t\tstruct {\n+\t\t\tenum rte_security_tls_version ver;\n+\t\t\tenum rte_security_tls_sess_type type;\n+\t\t} tls_record;\n \t};\n };\n \n",
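Review bot: In the rte_security.c hunk the new `RTE_SECURITY_PROTOCOL_TLS_RECORD` branch matches a capability on `ver` and `type` only, so the `ar_win_size` a device advertises is never compared with the `ar_win_sz` a DTLS 1.2 read session requests, and a session asking for a wider window than the device supports is not rejected by the lookup. Unless a PMD enforces the bound at session creation, the application would believe replay detection covers a window it does not, so the `ar_win_sz` comment in rte_security.h should state the contract, e.g. `/** ... Must not exceed the ar_win_size advertised in the matching capability; PMDs reject larger values. */`, and the same comment should spell out that a zero-initialised xform leaves anti-replay disabled rather than defaulting to a safe window. The `dtls_1_2.seq_no` comment says "6B starting sequence number" while the field is `uint64_t`, so the doc should say that values with the upper 16 bits set are invalid, since the 48-bit on-wire field cannot carry them. The `rte_security_capability_get` loop that the first hunk extends begins outside the hunk.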
    "prefixes": [
        "RFC",
        "2/3"
    ]
}