From patchwork Tue Aug 15 06:35:02 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 27602 Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [IPv6:::1]) by dpdk.org (Postfix) with ESMTP id 3EAB78CEE; Tue, 15 Aug 2017 08:37:13 +0200 (CEST) Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0081.outbound.protection.outlook.com [104.47.34.81]) by dpdk.org (Postfix) with ESMTP id 5AA7E7D77 for ; Tue, 15 Aug 2017 08:37:11 +0200 (CEST) Received: from DM5PR03CA0025.namprd03.prod.outlook.com (10.174.189.142) by BY2PR03MB556.namprd03.prod.outlook.com (10.141.142.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1341.21; Tue, 15 Aug 2017 06:37:09 +0000 Received: from BY2FFO11FD047.protection.gbl (2a01:111:f400:7c0c::192) by DM5PR03CA0025.outlook.office365.com (2603:10b6:4:3b::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1341.21 via Frontend Transport; Tue, 15 Aug 2017 06:37:08 +0000 Received-SPF: Fail (protection.outlook.com: domain of nxp.com does not designate 192.88.158.2 as permitted sender) receiver=protection.outlook.com; client-ip=192.88.158.2; helo=az84smr01.freescale.net; Received: from az84smr01.freescale.net (192.88.158.2) by BY2FFO11FD047.mail.protection.outlook.com (10.1.15.175) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.1304.16 via Frontend Transport; Tue, 15 Aug 2017 06:37:08 +0000 Received: from netperf2.ap.freescale.net ([10.232.133.164]) by az84smr01.freescale.net (8.14.3/8.14.0) with ESMTP id v7F6atQE015692; Mon, 14 Aug 2017 23:37:04 -0700 From: Akhil Goyal To: , , , , , , , CC: , , Akhil Goyal Date: Tue, 15 Aug 2017 12:05:02 +0530 Message-ID: <20170815063505.22032-2-akhil.goyal@nxp.com> X-Mailer: git-send-email 2.9.3 In-Reply-To: <20170815063505.22032-1-akhil.goyal@nxp.com> References: <20170725112153.29699-1-akhil.goyal@nxp.com> <20170815063505.22032-1-akhil.goyal@nxp.com> X-EOPAttributedMessage: 0 X-Matching-Connectors: 131472526285533332; (91ab9b29-cfa4-454e-5278-08d120cd25b8); () X-Forefront-Antispam-Report: CIP:192.88.158.2; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10009020)(6009001)(336005)(39380400002)(39860400002)(2980300002)(1109001)(1110001)(339900001)(199003)(189002)(5890100001)(47776003)(2906002)(1076002)(50226002)(7416002)(77096006)(189998001)(86362001)(48376002)(8936002)(50986999)(33646002)(50466002)(8676002)(69596002)(76176999)(81166006)(105606002)(5660300001)(8656003)(106466001)(97736004)(498600001)(356003)(5003940100001)(104016004)(4326008)(2201001)(305945005)(68736007)(626005)(36756003)(2950100002)(54906002)(53936002)(81156014)(217873001)(2101003); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR03MB556; H:az84smr01.freescale.net; FPR:; SPF:Fail; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en; X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; BY2FFO11FD047; 1:DSLHxGA8PkNhPbULepB8xZRzjj5NbR+yvB4I8h4Y0f?= 1Ocwg2xUU3Cw+wLoAgzHCbCY7BNb53U7eV6q7zYVH8N4oQnjmVdRGcG1jx5SVR6eSFUPaOSljbngX24ga6WFRInDLJPf/FWT11GgDI3nX9Y+A5L+F1hI1AttdW1kK7HSfhPpKn965nlgG5awDhcnZPy3Xy/PlVB7HQatYI47WPoej8hsWEeUhtnINZzTjp/ebobCBZzU+V1iVNfO7cVkhMGZvh02EVYjWFk921Q5mfiPc52/wguvWOJw/R8qjeBgeTi8Wy67L5fNper6Y9hUZb9mJtUZtGmTXnM3aUAjMV88UOs+3vhhu7PiBi+epHfnwMJ5GKNrTaZIAyfkHYQB8SIel2qaE7Y/OR2f21lW7KcohlupN9U4uIz4EuRE+FCEm4bFxtH/TxdyqnELKJgbNGYB+G1vn8unu28PO6D/WJa4WrdIRWd5v8GQpkZEnuK1f8FRFnNKryGvV+VHX7LGZycvJ8JOwm+SsV0vNXEKfn5KtfSoqZouUTZb6k+96+hJ9grdOeQk6abXWudslmvs0o5LERr3UYaVkYg4wkI5sEZU21acc9THCTKxey9ElRjlXvJ7I9PwiEUe8MPAOrq3aDadK1MJBvv8HEwY6+UMG4bixg+n7uoN7HEPuYlEpGBSuJISJG+6x6sl3gR1I64f7S9/8J1NmlbN6msue8aD+Nz+pUfB9UCFyr/MjhjZJDR7ryenneyWUnKBnnqzKjbfEAajaaKKnQnzYrpJt4adtuFt1i6eG0KJACg8OP4tgBQFNswjTYy8H3gEyQYZO/RhzCKcVYqWboG0P8zN3hhGLqgBCRVrxbGIKAwQ1lPaKwEtAl2YEoObTZhU+6F9GbJy0meCUbW/vmvGPJw3q9uyIGLwIENMGMIaCioAvqvoBuD6sRzB0BK5AnwCdiGXKh7UXNze2JLHyOOJMiF2YFTm1VjASnabIV+by9VrT4hgApUdg+e3Y7AIXEAjNxR/OvWN3A MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 8cb3b2fb-3c70-4f6b-843d-08d4e3a80d5a X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(300000503095)(300135400095)(2017052603031)(201703131430075)(201703131517081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BY2PR03MB556; X-Microsoft-Exchange-Diagnostics: 1; BY2PR03MB556; 3:aNwaaAIMOCw9xw+LUzAdRlpE2AJpoH+wyIw7SkQWKWNf2nnt6SOrHg5xBQHIPbAACY4XDQeUSmZYDkIMY7ovmI2P4etykdZY11Jnz5x18VycpLgg45EV66YRHvpNfEEwemIIOs1uVqxgZyF0FkNL0HaV+7RtPWxBn81AKKcshPYd00I34U8ZuZg+pg6H4jRChADDHC34yUcxIVVLq9H7GsPe+OWjhP/f6KJ5GW11eeMx1ec3q1jymX3P4vI+vVDxQmr9aen8Q2pcdjqTNBYDZXU3pvDkh1HF7NcCUfybZGSmO01AwTpkpAdc3CZQkdOfx0QYrxZu586D6DdpzlZ0dg==; 25:tKy6w2kwndatsDIbqyjT1Mn1mXaVtvNSayizmcF58D4kj5IE6v/S9vEVNi7eJ1nIZ+AgKb+eGFuNQvPPxlbhz+cHmYfS9xb77sJLi5j+PWdtdeTjSrG/c7R3edpcUJm5jxAsanJWog9BQLC/rMwzHqHDL0PMVAZiscFiCXw80Cs/k9ve8pjqGcxy0oZO5rQOEkmgH3oP13Qoi9DtuADzll5xIZiti2XC+XXV08If11ERV5mgNIMarWC49gvv3Uvt27WvrpGElowjrxuRFf3VrUFDScsVrTcYVz1uSkG7Af3pYNumC2/hw7vK4+pHrpdUe0pnaW/3ta4n72vw9kci3A==; 31:RjBXUDcI+52nGNMEYuhbWRUFPODv5b1uu4yZTWPcCcBbBJwzyvFw2zVFVZwLTGhbJWhpzGnH/pjAFFZKtj3nElXcwvzogkCTOMGiPQHMLHvOZUHak4Wa9Phf1iefQ39X/YMaG/LaU+V7TZxtIucZi9GoJqtkhFZkyGAgUf8KobJyOzUtGOa+XDnhE84VareAEpPTB7klNFXQvWqi7MUAs1BsJnTk7+Kgg/ePiAuCg+E= X-MS-TrafficTypeDiagnostic: BY2PR03MB556: X-Exchange-Antispam-Report-Test: UriScan:(192374486261705)(185117386973197); X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6095135)(601004)(2401047)(5005006)(13018025)(13016025)(8121501046)(3002001)(100000703101)(100105400095)(10201501046)(93006095)(93001095)(6055026)(6096035)(20161123559100)(20161123556025)(201703131430075)(201703131433075)(201703131441075)(201703131448075)(201703161259150)(20161123561025)(20161123563025)(20161123565025)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BY2PR03MB556; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(400006)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BY2PR03MB556; X-Microsoft-Exchange-Diagnostics: 1; BY2PR03MB556; 4:fVsj7XGRmmdjSf2IGZtqI083aF66MaDFoOemhT5O61ONrwa+OIoL5/qvY6pasl+X8aO43eVxUAJWce1MmVvfaWxcUqXIQ9Cs37YYy2s3gvM8UcbfUB2iqEX3CKL6xOhoPD5LVFC2z7IqvssXWKX+cSRfnc9LIot+8eR0MLvCrguHn+I2jaX7G8nxzdli8hX4UlFStUIchtSK9d2eM7dn6YU/rZluH3sIglkBlXSGPmfHIQogldeHV7fOKoBHdUZvQOl+nDqn7tBvIUOrrCKiLncbMZe0wyBY5snSiJX/xXFgZ+SWE34ZLJTLSjd+FyLohDC25ge2ip9OGxeW+SfxKg== X-Forefront-PRVS: 04004D94E2 X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; BY2PR03MB556; 23:AyRz/x08gCYRpIOYBwXrQ0bdyHhgl8Kcgpu9oow3Ha?= sht+iWnTX96r8ynaVb+2ODLR4odjbjuma2TTafpdoAC607j6hFzPwpUvhmssxq71NGlfwsS/VoFc/qIYq1kQzPm7eueUZMv0a2JHuOcBYqAZZIA9llLlQQUKXG+20cP8srU0JGETZ+BFapzJ6gkozV+Q6MUyP/KR2GI9VwV+TbiVGm0X4okyJV/JNI17F03q9Sbww7Z3kfclwOIxSenp1kw4Ba5K/mNTOgD5TMrT5xLckSsJ0XRrmRcaX53OZEb3CiylF22wZAmTV5/sD2gbRbASx1H/w8JPUWXT+2T6rNoZek+rdLk5akokpxQk+EElneiMop6rxGyFatl/DHvId661olsvRmh5fQbVmneJ2rsC2zsW5UYm+NtGbQE3avzh2AShhWlyaXKJFCDXR7jA2UmLvKyxhypCZQn66p2w/iXQaRoKqeZ2h2fy9bqMwBNuc7cgedNZ3rT5tyDVLkwbFT0KFvNXw26AxOaBqsDTjsJAEuXuDrYMxptR1ZOpRjp4v14JRE0UfhZJLIzAwrmdSnPlIF6fNy1E1HoxmoTl72n7TByMx0XKFwGiQyUTWD65RpZUKD//Dfj0Vy4rquBXxmH55iWKmJf5CeitB3xVqyj2V1QnwEQ/UJtksh8pt6KU/Tb0iUwtBrqgph6WORAQLLFZpgDsBUxp5552zdypioeRZ78GrhYXdJ0uhoDhuQ6RG0k6d/CgEZgMY870suxlq17+uJvrKtd83tYfb8vjXovpBZxnyp+SH9JNcdoffT/cqA2nFWYVpsBB7xfD10XS6NYH9Lxg+A0licxuEOX2wYBRcUlUGg8WiQu/VEQQNwiFkNAaTbGQe1tmTXkAOiGQ+tRIltQCPpo8moRmgd+zCbdm02J1Rit2CYeK3WAMU5+HfhTH24RC8IqbryvUm6ulme2ayCkh100eFFt2eTBYKIetteB6kGa2RgMpGazUKiTdottmmG+CuxDTLo8SZ6+32A078NAxIS57IXUebrFJ/QcWxmkn2gXW1yO9gxlx+gl9qJaOpiS079iV1MBCeuIKtsAHd3KTAXWKfhPx18JBkVvfkg6FASTMptvM5+AfQwQjvZrhW6zBXBO+132dgLl6ahpKTXfoyGmmV1bAhsPfIQ9IKn4kTWNyaKw7xzo+VZFJk= X-Microsoft-Exchange-Diagnostics: 1; BY2PR03MB556; 6:4n5mGczJyOghmW2egTZJPZXiizpybuS1jdGbqGJ8A/MzgcPOuy4VKMKZxA6hhsnO9KqgClQgCvI8OGRDrQvlwVbQJ4uCtuSpl4VXhTerfK4YLv0tn8hfpEuVedzUCayd8yjCG+eaiPn1AmDB32v81LPJhwmR4JPiM7jEiDDsbfPzhvKR7aRfH0BYCtqn/jEDzkznOpqLhTVqAsBhDJ5wkuPVW7ftt0pYyQVdntJlGTxDKrcOPJYz9bmPeS5nTLlx4jLq+/HV6o13AiF+qpvN8C61zy0n6DkfBpsrvG6VeiMhX+hnVlZKmVc7Z3eJKDbO28j6yoSHgdL7+mti+9hTQA==; 5:Y3qb1wM1u1P+yeYmAh1RxG6sAVpI18CJWIfNV9uR/iiTL98f+7Nh1cAwLq2kejRSOlPYXrBp/nSf1smyqZ2mLMNryAvzdAIdCCz35rKiEl6lnLhBrMPOCW9YOvf88tMMJzT2tbXiLcBjr+g6zTwYEQ==; 24:5o16Yfk2cA3M2Nc92pJ+yMHB/f48XFNx2ZbXOt0TSVFrdAc5eVRs4LYhXFVi2XXKKlf4YTELiCJcjbgWapaHrX6HSA/hVDg5P4SuAErKmVw=; 7:zzm8T1foSBSyZSsZe0ZHmf3TORdKr3PNQ/fB1E9efWMc5MN5Dom56LJXVQwfnDraAdO0Ol38H+vp//Zwh2BWZhyXtj4IeS9bkWq4wlty3sshc91j78PMaPXSLBYSVTdJhhUJxxAmTHUmb2ccC/CmFjydQShpJWjQB46M7BN5Up8xAthWukF0S2jUzhH1CcYNEAAb3PP0EOTb+WqBvREJizn5fnaC+9R3pTGyBomQIh0= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Aug 2017 06:37:08.3037 (UTC) X-MS-Exchange-CrossTenant-Id: 5afe0b00-7697-4969-b663-5eab37d5f47e X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5afe0b00-7697-4969-b663-5eab37d5f47e; Ip=[192.88.158.2]; Helo=[az84smr01.freescale.net] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB556 Subject: [dpdk-dev] [RFC PATCH 1/4] rte_security: API definitions X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Detailed description is added in the coverletter Signed-off-by: Akhil Goyal --- lib/librte_cryptodev/rte_security.c | 171 +++++++++++++++ lib/librte_cryptodev/rte_security.h | 409 ++++++++++++++++++++++++++++++++++++ 2 files changed, 580 insertions(+) create mode 100644 lib/librte_cryptodev/rte_security.c create mode 100644 lib/librte_cryptodev/rte_security.h diff --git a/lib/librte_cryptodev/rte_security.c b/lib/librte_cryptodev/rte_security.c new file mode 100644 index 0000000..7c73c93 --- /dev/null +++ b/lib/librte_cryptodev/rte_security.c @@ -0,0 +1,171 @@ +/*- + * BSD LICENSE + * + * Copyright 2017 NXP. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of NXP nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "rte_crypto.h" +#include "rte_cryptodev_pmd.h" +#include "rte_security.h" +#include "rte_ethdev.h" +#include "rte_cryptodev.h" + + +struct rte_security_session * +rte_security_session_create(struct rte_mempool *mp) +{ + struct rte_security_session *sess; + + /* Allocate a session structure from the session pool */ + if (rte_mempool_get(mp, (void *)&sess)) { + CDEV_LOG_ERR("couldn't get object from session mempool"); + return NULL; + } + + /* Clear device session pointer */ + memset(sess, 0, (sizeof(void *) * + RTE_MAX(rte_eth_dev_count(), rte_cryptodev_count()))); + + return sess; +} + +int +rte_security_session_init(uint16_t dev_id, + struct rte_security_session *sess, + struct rte_security_sess_conf *conf, + struct rte_mempool *mp) +{ + struct rte_cryptodev *cdev = NULL; + struct rte_eth_dev *dev = NULL; + uint8_t index; + int ret; + + if (sess == NULL || conf == NULL) + return -EINVAL; + + switch (conf->action_type) { + case RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD: + if (!rte_cryptodev_pmd_is_valid_dev(dev_id)) + return -EINVAL; + cdev = rte_cryptodev_pmd_get_dev(dev_id); + index = cdev->driver_id; + if (sess->sess_private_data[index] == NULL) { + ret = cdev->sec_ops->session_configure(cdev, conf, sess, mp); + if (ret < 0) { + CDEV_LOG_ERR( + "cdev_id %d failed to configure session details", + dev_id); + return ret; + } + } + break; + case RTE_SECURITY_SESS_ETH_INLINE_CRYPTO: + case RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD: + dev = &rte_eth_devices[dev_id]; + index = dev->data->port_id; + if (sess->sess_private_data[index] == NULL) { +// ret = dev->sec_ops->session_configure(dev, conf, sess, mp); +// if (ret < 0) { +// CDEV_LOG_ERR( +// "dev_id %d failed to configure session details", +// dev_id); +// return ret; +// } + } + break; + default: + return -EINVAL; + } + + return 0; +} + +int +rte_security_session_free(struct rte_security_session *sess) +{ + uint8_t i, nb_drivers = RTE_MAX(rte_eth_dev_count(), + rte_cryptodev_count()); + void *sess_priv; + struct rte_mempool *sess_mp; + + if (sess == NULL) + return -EINVAL; + + /* Check that all device private data has been freed */ + for (i = 0; i < nb_drivers; i++) { + sess_priv = get_sec_session_private_data(sess, i); + if (sess_priv != NULL) + return -EBUSY; + } + + /* Return session to mempool */ + sess_mp = rte_mempool_from_obj(sess); + rte_mempool_put(sess_mp, sess); + + return 0; +} + +int +rte_security_session_clear(uint8_t dev_id, + enum rte_security_session_action_type action_type, + struct rte_security_session *sess) +{ + struct rte_cryptodev *cdev = NULL; + struct rte_eth_dev *dev = NULL; + switch (action_type) { + case RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD: + cdev = rte_cryptodev_pmd_get_dev(dev_id); + if (cdev == NULL || sess == NULL) + return -EINVAL; + cdev->sec_ops->session_clear(cdev, sess); + break; + case RTE_SECURITY_SESS_ETH_INLINE_CRYPTO: + case RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD: + dev = &rte_eth_devices[dev_id]; + if (dev == NULL || sess == NULL) + return -EINVAL; +// dev->dev_ops->session_clear(dev, sess); + break; + default: + return -EINVAL; + } + + return 0; +} diff --git a/lib/librte_cryptodev/rte_security.h b/lib/librte_cryptodev/rte_security.h new file mode 100644 index 0000000..9747d5e --- /dev/null +++ b/lib/librte_cryptodev/rte_security.h @@ -0,0 +1,409 @@ +#ifndef _RTE_SECURITY_H_ +#define _RTE_SECURITY_H_ + +/** + * @file rte_security.h + * + * RTE Security Common Definitions + * + */ + +#ifdef __cplusplus +extern "C" { +#endif + +#include +#include +#include + +#include +#include +#include +#include +#include + +/** IPSec protocol mode */ +enum rte_security_conf_ipsec_sa_mode { + RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT, + /**< IPSec Transport mode */ + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + /**< IPSec Tunnel mode */ +}; + +/** IPSec Protocol */ +enum rte_security_conf_ipsec_sa_protocol { + RTE_SECURITY_IPSEC_SA_PROTO_AH, + /**< AH protocol */ + RTE_SECURITY_IPSEC_SA_PROTO_ESP, + /**< ESP protocol */ +}; + +/** IPSEC tunnel type */ +enum rte_security_ipsec_tunnel_type { + RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 0, + /**< Outer header is IPv4 */ + RTE_SECURITY_IPSEC_TUNNEL_IPV6, + /**< Outer header is IPv6 */ +}; + +/** + * IPSEC tunnel parameters + * + * These parameters are used to build outbound tunnel headers. + */ +struct rte_security_ipsec_tunnel_param { + enum rte_security_ipsec_tunnel_type type; + /**< Tunnel type: IPv4 or IPv6 */ + + union { + struct { + struct in_addr src_ip; + /**< IPv4 source address */ + struct in_addr dst_ip; + /**< IPv4 destination address */ + uint8_t dscp; + /**< IPv4 Differentiated Services Code Point */ + uint8_t df; + /**< IPv4 Don't Fragment bit */ + uint8_t ttl; + /**< IPv4 Time To Live */ + } ipv4; /**< IPv4 header parameters */ + + struct { + struct in6_addr *src_addr; + /**< IPv6 source address */ + struct in6_addr *dst_addr; + /**< IPv6 destination address */ + uint8_t dscp; + /**< IPv6 Differentiated Services Code Point */ + uint32_t flabel; + /**< IPv6 flow label */ + uint8_t hlimit; + /**< IPv6 hop limit */ + } ipv6; /**< IPv6 header parameters */ + }; /**< Various tunnel parameters */ +}; + +/** + * IPSEC SA option flags + */ +struct rte_security_ipsec_sa_options { + /** Extended Sequence Numbers (ESN) + * + * * 1: Use extended (64 bit) sequence numbers + * * 0: Use normal sequence numbers + */ + uint32_t esn : 1; + + /** UDP encapsulation + * + * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can + * traverse through NAT boxes. + * * 0: No UDP encapsulation + */ + uint32_t udp_encap : 1; + + /** Copy DSCP bits + * + * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to + * the outer IP header in encapsulation, and vice versa in + * decapsulation. + * * 0: Use values from odp_ipsec_tunnel_param_t in encapsulation and + * do not change DSCP field in decapsulation. + */ + uint32_t copy_dscp : 1; + + /** Copy IPv6 Flow Label + * + * * 1: Copy IPv6 flow label from inner IPv6 header to the + * outer IPv6 header. + * * 0: Use value from odp_ipsec_tunnel_param_t + */ + uint32_t copy_flabel : 1; + + /** Copy IPv4 Don't Fragment bit + * + * * 1: Copy the DF bit from the inner IPv4 header to the outer + * IPv4 header. + * * 0: Use value from odp_ipsec_tunnel_param_t + */ + uint32_t copy_df : 1; + + /** Decrement inner packet Time To Live (TTL) field + * + * * 1: In tunnel mode, decrement inner packet IPv4 TTL or + * IPv6 Hop Limit after tunnel decapsulation, or before tunnel + * encapsulation. + * * 0: Inner packet is not modified. + */ + uint32_t dec_ttl : 1; + +}; + +/** IPSec Operations */ +enum rte_security_ipsec_operation { + RTE_SECURITY_IPSEC_OP_ENCAP, + /**< Encrypt and generate digest */ + RTE_SECURITY_IPSEC_OP_DECAP, + /**< Verify digest and decrypt */ +}; + +/** + * IPSec Setup Data. + * + * This structure contains data relating to IPSec + * used to create a session. + */ +struct rte_security_ipsec_xform { + enum rte_security_ipsec_operation op; + /**< IPSec operation - Encap or Decap */ + unsigned int spi; + /**< SA security parameter index */ + enum rte_crypto_cipher_algorithm cipher_alg; + /**< Cipher Algorithm */ + struct { + uint8_t *data; /**< pointer to key data */ + size_t length; /**< key length in bytes */ + } cipher_key; + enum rte_crypto_auth_algorithm auth_alg; + /**< Authentication Algorithm */ + struct { + uint8_t *data; /**< pointer to key data */ + size_t length; /**< key length in bytes */ + } auth_key; + uint32_t salt; /**< salt for this SA */ + enum rte_security_conf_ipsec_sa_mode mode; + /**< IPsec SA Mode - transport/tunnel */ + enum rte_security_conf_ipsec_sa_protocol proto; + /**< IPsec SA Protocol - AH/ESP */ + struct rte_security_ipsec_tunnel_param tunnel; + /**< Tunnel parameters, NULL for transport mode */ + struct rte_security_ipsec_sa_options options; + /**< various SA options */ +}; + +/** IPsec Security Session Configuration */ +struct rte_security_dtls_xform { + /** To be Filled */ +}; + +/** IPsec Security Session Configuration */ +struct rte_security_macsec_xform { + /** To be Filled */ +}; + +/**< Security Session action type */ +enum rte_security_session_action_type { + RTE_SECURITY_SESS_NONE, + /**< Non protocol offload. Application need to manage everything */ + RTE_SECURITY_SESS_ETH_INLINE_CRYPTO, + /**< Crypto operations are performed by Network interface */ + RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD, + /**< Crypto operations with protocol support are performed + * by Network/ethernet device. + */ + RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD, + /**< Crypto operations with protocol support are performed + * by Crypto device. + */ +}; + +/** Security Session Protocols */ +enum rte_security_sess_protocol { + RTE_SEC_CONF_DTLS, + /**< DTLS Protocol */ + RTE_SEC_CONF_IPSEC, + /**< IPSec Protocol */ + RTE_SEC_CONF_MACSEC, + /**< MACSec Protocol */ +}; + +/** + * Security Session Configuration + */ +struct rte_security_sess_conf { + enum rte_security_session_action_type action_type; + /**< Type of action to be performed on the session */ + enum rte_security_sess_protocol protocol; + /**< Security protocol to be configured */ + + union { + struct rte_security_ipsec_xform *ipsec_xform; + struct rte_security_dtls_xform *dtls_xform; + struct rte_security_macsec_xform *macsec_xform; + }; + /**< Configuration parameters for security session */ +}; + +struct rte_security_session { + __extension__ void *sess_private_data[0]; + /**< Private session material */ +}; + +/** + * Create Security session header (generic with no private data) + * + * @param mempool Session mempool to allocate session objects from + * @return + * - On success, pointer to session + * - On failure, NULL + */ +struct rte_security_session * +rte_security_session_create(struct rte_mempool *mempool); + +/** + * Fill out private data for the device, based on its device id and name. + * + * @param dev_id Device id that we want the session to be used on + * @param dev_name Device name for which session is to be used + * @param sess Session where the private data will be attached to + * @param conf Security config to apply on flow + * processed with this session + * @param mempool Mempool where the private data is allocated. + * + * @return + * - On success, zero. + * - On failure, a negative value. + */ +int +rte_security_session_init(uint16_t dev_id, + struct rte_security_session *sess, + struct rte_security_sess_conf *conf, + struct rte_mempool *mempool); + +/** + * Frees Security session header, after checking that all + * the device private data has been freed, returning it + * to its original mempool. + * + * @param sess Session header to be freed. + * + * @return + * - 0 if successful. + * - -EINVAL if session is NULL. + * - -EBUSY if not all device private data has been freed. + */ +int +rte_security_session_free(struct rte_security_session *sess); + +/** + * Frees private data for the device id, based on its device name, + * returning it to its mempool. + * + * @param dev_id ID of device that uses the session. + * @param action_type Action type for Security operation. + * @param sess Session containing the reference to the private data + * + * @return + * - 0 if successful. + * - -EINVAL if device is invalid or session is NULL. + */ +int +rte_security_session_clear(uint8_t dev_id, + enum rte_security_session_action_type action_type, + struct rte_security_session *sess); + +/** + * Attach a session to a symmetric crypto operation + * + * @param sym_op crypto operation + * @param sess security session + */ +static inline int +__rte_security_attach_session(struct rte_crypto_sym_op *sym_op, + struct rte_security_session *sess) +{ + sym_op->sec_session = sess; + + return 0; +} + +static inline void * +get_sec_session_private_data(const struct rte_security_session *sess, + uint8_t driver_id) { + return sess->sess_private_data[driver_id]; +} + +static inline void +set_sec_session_private_data(struct rte_security_session *sess, + uint8_t driver_id, void *private_data) +{ + sess->sess_private_data[driver_id] = private_data; +} + +/** + * Attach a session to a crypto operation. + * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD + * For other rte_security_session_action_type, ol_flags in rte_mbuf may be + * defined to perform security operations. + * + * @param op crypto operation + * @param sess security session + */ +static inline int +rte_security_attach_session(struct rte_crypto_op *op, + struct rte_security_session *sess) +{ + if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC)) + return -1; + + op->sess_type = RTE_CRYPTO_OP_WITH_SESSION; + + return __rte_security_attach_session(op->sym, sess); +} + +/** + * Security Capability + */ +struct rte_security_capabilities { + enum rte_security_sess_protocol protocol; + RTE_STD_C11 + union { + struct { + enum rte_crypto_auth_algorithm a_algo; + /**< authentication algorithm */ + enum rte_crypto_cipher_algorithm c_algo; + /**< cipher algorithm */ + uint16_t block_size; + /**< algorithm block size */ + struct rte_crypto_param_range c_key_size; + /**< cipher key size range */ + struct rte_crypto_param_range a_key_size; + /**< auth key size range */ + struct rte_crypto_param_range digest_size; + /**< digest size range */ + struct rte_crypto_param_range iv_size; + /**< Initialisation vector data size range */ + } ipsec; + /**< IPSEC transform capabilities */ + struct { + /* To be Filled */ + } dtls; + /**< DTLS transform capabilities */ + struct { + /* To be Filled */ + } macsec; + /**< MACSEC transform capabilities */ + }; +}; + +/** + * Provide capabilities available for defined device and algorithm + * + * @param dev_id The identifier of the device. + * @param dev_name Device name for which capability is needed + * @param protocol Protocol for which capability is required + * + * @return + * - Return description of the security capability if exist. + * - Return NULL if the capability not exist. + */ +const struct rte_security_capabilities * +rte_security_capability_get(uint8_t dev_id, char *dev_name, + enum rte_security_sess_protocol protocol); + +#ifdef __cplusplus +} +#endif + +#endif /* _RTE_SECURITY_H_ */