From patchwork Thu Sep 14 08:26:41 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 28711 Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id D0EE71B160; Thu, 14 Sep 2017 10:29:17 +0200 (CEST) Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0084.outbound.protection.outlook.com [104.47.36.84]) by dpdk.org (Postfix) with ESMTP id 88CAE1AEE9 for ; Thu, 14 Sep 2017 10:29:16 +0200 (CEST) Received: from MWHPR03CA0050.namprd03.prod.outlook.com (10.174.173.167) by BN6PR03MB2689.namprd03.prod.outlook.com (10.173.144.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.35.12; Thu, 14 Sep 2017 08:29:14 +0000 Received: from BL2FFO11FD039.protection.gbl (2a01:111:f400:7c09::129) by MWHPR03CA0050.outlook.office365.com (2603:10b6:301:3b::39) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.56.11 via Frontend Transport; Thu, 14 Sep 2017 08:29:13 +0000 Authentication-Results: spf=fail (sender IP is 192.88.168.50) smtp.mailfrom=nxp.com; NXP1.onmicrosoft.com; dkim=none (message not signed) header.d=none;NXP1.onmicrosoft.com; dmarc=fail action=none header.from=nxp.com; Received-SPF: Fail (protection.outlook.com: domain of nxp.com does not designate 192.88.168.50 as permitted sender) receiver=protection.outlook.com; client-ip=192.88.168.50; helo=tx30smr01.am.freescale.net; Received: from tx30smr01.am.freescale.net (192.88.168.50) by BL2FFO11FD039.mail.protection.outlook.com (10.173.161.135) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.20.13.11 via Frontend Transport; Thu, 14 Sep 2017 08:29:13 +0000 Received: from netperf2.ap.freescale.net ([10.232.133.164]) by tx30smr01.am.freescale.net (8.14.3/8.14.0) with ESMTP id v8E8T36F025953; Thu, 14 Sep 2017 01:29:09 -0700 From: Akhil Goyal To: CC: , , , , , , , , Date: Thu, 14 Sep 2017 13:56:41 +0530 Message-ID: <20170914082651.26232-2-akhil.goyal@nxp.com> X-Mailer: git-send-email 2.9.3 In-Reply-To: <20170914082651.26232-1-akhil.goyal@nxp.com> References: <20170914082651.26232-1-akhil.goyal@nxp.com> X-EOPAttributedMessage: 0 X-Matching-Connectors: 131498513531891477; (91ab9b29-cfa4-454e-5278-08d120cd25b8); () X-Forefront-Antispam-Report: CIP:192.88.168.50; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10009020)(6009001)(336005)(39380400002)(346002)(376002)(39860400002)(2980300002)(1110001)(1109001)(339900001)(189002)(199003)(36756003)(86362001)(15650500001)(2351001)(2906002)(8936002)(6666003)(5890100001)(48376002)(33646002)(50466002)(316002)(110136004)(2950100002)(8656003)(50226002)(6916009)(106466001)(4326008)(16586007)(5660300001)(7416002)(97736004)(85426001)(50986999)(104016004)(77096006)(53946003)(47776003)(5003940100001)(76176999)(105606002)(1076002)(53936002)(54906002)(68736007)(189998001)(81166006)(8676002)(356003)(81156014)(305945005)(498600001); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR03MB2689; H:tx30smr01.am.freescale.net; FPR:; SPF:Fail; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-Microsoft-Exchange-Diagnostics: 1; BL2FFO11FD039; 1:z0gPOZvRwljJzHGwAWeRvHCfsMN6SG5llRMt1k56TpF4EeQGWcaQebz7LHTk4yS3mgs9fkvBTXDuQrKhph9U9onkcn7gBK0cJ7DNBceU37Ru9LKdlodb+lG5NoOhSMrl MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 97b3482d-98e6-4bed-0db7-08d4fb4aae04 X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(300000503095)(300135400095)(2017052603199)(201703131430075)(201703131517081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BN6PR03MB2689; X-Microsoft-Exchange-Diagnostics: 1; BN6PR03MB2689; 3:BbWD3NelXKuTXzhBMzyJK16Cy9NaDk67ECtOxNkfZxunv/kXJoVA6MVThTQMGXTg4QzRO/llDmPPly5sOI0gqBcUTSuj6dhdhRayWCytmV6C7ZfFVLPYKBXdj3TCfmewEa6XEHBHV5sr8Cv4008pIbKT1K+PTl9xLsWf8fxADZQavrjkIap5OXUNjsrbeYnCFAtdwZw04VeLjwqLJpHkH6euJd+fyaPO4x5bPLWJl3TQkiFj3I7h3kQ/rU24fIxaWt0QI+g+6QbrtWyFHlgGUlCfg8AetOxp2Jj4N6GL13oU26lxLjLCDvp3yhymyohupV83AoawV4WOVO+XE+LZa56zL5xnnoDJrtmRB+m5ANE=; 25:03F06JsAWiCocRK9tzeQntzUj8wMwL/48DHewCOJJsBg+SB6KWVcvhAQYhcb/OOn6rN11KWjoXSgViD3vb75Cg/PFA5XXzMETbN/PNMuKIwwn5kshBa789j/rxX6UDJ+xy01s+vFysfAL6YLKZ1k1jQAVDkx28lWH6EfVmR8/jdS+dhgfnsOdt2skM0G2wR/ieAoLIuI54GFrfvJqEfjf24vhiIrQhm8F2LI6cAoFI+DuatJwb6ULrMvmVEyo2njKx5SEmE+Gaf4HA9zcZzD7E/aaEuxw3XW6q1RpGmYSNvNDh4ILnZFzPcODaEVjzstfIE1Pjo4XKhM+TH6+D57ig== X-MS-TrafficTypeDiagnostic: BN6PR03MB2689: X-Microsoft-Exchange-Diagnostics: 1; BN6PR03MB2689; 31:1kaKnrkIOoRdeZSI4sKN9fZfSZyY73i/Zl4qUkfvD+qdAsR3jL31onvpphDkQams8eANFHCTpwtrT6/lkWrIctKF2OpLEZHhioNupqIo7HGzcJYTpNzWzn1zGVzyYKILJHIyZVKSHFF8fx+CsGhkmBNzNQyJvwI/yUWYRk1GKmj/hU3BxYTiAhkY4hrQfHJDy+60Z/69y9CT9VNq6PkNYCNU6+RDxoZ9GHq7BHotgZA=; 4:KSIe0GhGKdO0MDdmIXdop0cmBt3RE24Q62H7ztolkINyzqP0qegO081HNgXNBSEqUHBczBntnq4hf68cDYdlwd9vY1yO+46sTFRQk+Mt1Goq0oHFjrA+K/1kPITK7i1DcNV+lz4HyvfUilUJLbmYpiFf+3nt1UtGH9ooEvxpOWRe8AG8qlneYWs/7A+jy0hH5kQNBFgPFoMCf0Sp7yoX9RkfOoGBZg9K52o/9Rx5P7VzpaS7rA7iegAbwcBg7HEwN/nUmwHoGI/bgPtbpN5QSKUW3RddY37oPifIslY2FEFDQtFphryPis2xbE9kd9/H/ndSJU9CD/vDZlpkUygx0uZKXLor7CEkBttpH4CGdpGXoc9ioNT4NgMX0oHmxOO1 X-Exchange-Antispam-Report-Test: UriScan:(192374486261705)(185117386973197)(228905959029699); X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6095135)(2401047)(5005006)(8121501046)(10201501046)(93006095)(93001095)(3002001)(100000703101)(100105400095)(6055026)(6096035)(20161123563025)(20161123556025)(20161123565025)(201703131430075)(201703131433075)(201703131448075)(201703161259150)(201703151042153)(20161123559100)(20161123561025)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BN6PR03MB2689; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(400006)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BN6PR03MB2689; X-Forefront-PRVS: 0430FA5CB7 X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; BN6PR03MB2689; 23:koFOerv/ErNXjgcLpL0DeIiFejp0dEIY3vT4sI5f6?= 6aC8kmoOBcx6xTYxZAUEo/iMkiDrkw5h6KvHmbAIRWPmmeDnzJy/VhJQ6xKGeHlWAaehRP9tmwuzi7fV4mYE5797qYpcQ+swiPxHNv4Dt/87njRE7ZrVwFb0R6GlIg2JFHxo64RBT08TgB58dm2OdNPsEwajyolT7Sny4WChe4e9su/SMd02IEXwRCnN5R52rpy/EGyIXX6cvN5rPiEwZT5Q1GZMnVQoProX85ZoQNQLDP5Iacnb+3hbpKQXE4mZ/w/dhK0BQ5bD9OB4RLqbRl8RVMXHJw2D+0VRC3kTIwmeFQYmrR5QhFKEHJwPqzXaDoVdavaDm3R4QtQ9OxtFidplykIqA62pm6R4cp4zlQ3f7/qT17cquv8t50Et3jFt+YDq7V9sSmYNIOX/awIg1+qSIGcZJzDj5mXBhzM92W3TC77bgZhy5qn6DVVwgR5c7C1VnhIt75NexqY88QNIE7pBZYhqmNt02o/+U/jQ4fNMTL5ywKVsZkMFZtnoAJqJu28xABqh/wd+zaQEHkb6DashxIvWmLZ5aebdCEtFRzY6GV2IZZT8BX28beEcDaVvfP34gaW4G9saJTZD46QY9bvHTTBc/ozsEyy+0FM8GktLvbYz99Pb+joxsCzRot4o5boJ5RXDYFGpKt64IlyLW5RqKRLbxGPl2asZ4ueKfzlZYmM6UtMViQbLBVPAeEX0ehX646+u6/asw35yxXeYu8wIlCnPHm75MOz58WNeEjnoiZteBLqq2uWj1YGijmoF2PWb7MMJ4uvVzf1Hbjayf+PcKjl8bxcIPwYdczkMLMK5VVtRfwcm8FkFo9K/Yu8qnWIKXdAGYPomBDQc+CxhVn3WqaMbGa5Hv1P4X9kApYJbQV8y3IvfmisyC2QdOz2TtCY2M87iieiMFONEMK1n9YSACyNRc5PwLCs9wwtJgFylya3nchyKj8Nxjalcpq+q4d86VKJkCJvUr7aE9QI7HglcaJVwXvJLqFfNKtkUZ6E8VnId+BS5tbmPRLQ9SmR9OIw5QbYC/o6M2BDPUEB9zfePoQZ3lWiNvm0BJuteHQXSXlRHxkPubwqmOFnrrKTfduIN78FJWv8RxNOZejWF5FrYB4TN7zVuvuu2ee8ycpnBC0eD9iIaluAMQ5Lluydw+idrwWf9FQmR6YVzAdu2j4NtpRuBqPN/H/5L2avhIu3ZHEde6RlpC873WLk3023NafpEtcNcSgCkexIJWd2wWQ50bR8VRfCRUGNtOVHi6/TmQ== X-Microsoft-Exchange-Diagnostics: 1; BN6PR03MB2689; 6:3uujd62fjaAhj3A4inGNhtN/KwPNgnUL6prieaE173ZQNur736l2fH25Be4PinTBAFd58k9K8G6m+5utrl4dXKU0qgbkILxYSbfsYyv4lEKPE7ytRRkXGESgeVD8kKNwykR5VfC4xJqVbXu3SqHwCc8J/bzl6P04JSG2wKqDAeqYJS/X8lG7ACwm+P+aNXBXhP+iBRQaxh6CHxAj2xFNfz7Gz9iC5OZO2vajz/nstp4nxuhs5ZD69Ii9vjUWb6hwnh79yibg3yqx/TWPl42E7yFfR/7VJigbhFK1WvCZcSlausjtr8UXqcTyw+scIn4xIs3zIzgxhifbW+MAt/F0SA==; 5:SyprRgUMZoyO7EjGTBFFz3EfVZa6/S+aDkGIbr20xdKZPPc+dbF0MzsapZV4HdhMEDSqpHpN1e6H11XbMpFWs3hVnmD3GUXo67g4Giox9L8UOsQHcBPhMfgsRXtBfUfBFbkJxYh1cyb0+oB9tzvo1Q==; 24:aIHzld8tXEQFKtyS3CfUI95OFwXSe88vK9Zys4HTtY6x96XwfiTHyxO7QD6iTuxfRqO8gAK0IyrJKKcMsVmIVmkrNbiQuBGFR5NVGf9yHM4=; 7:m6yxmyfgxOxMvCun2MepCiQf/tbVDwCjAzopAsROUXXcwj7A9G0X7L0mSkdAiSLrOgtoKJlwkn2ZAWOX+6pBN+KA3voB+n6DiXckh0JjGsgYEkTSXxIkBayH4LgxB7TeTtgaVhKpT54ievdWbFH35N5ryR+6mLBbxwh1gcGOCzsAnUz/kuiM1LMYF3li6ZMY+XZVTaZE26EUaIqSU5Dq4k1hQLTwttA7NeTjVMeI68c= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Sep 2017 08:29:13.0175 (UTC) X-MS-Exchange-CrossTenant-Id: 5afe0b00-7697-4969-b663-5eab37d5f47e X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5afe0b00-7697-4969-b663-5eab37d5f47e; Ip=[192.88.168.50]; Helo=[tx30smr01.am.freescale.net] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR03MB2689 Subject: [dpdk-dev] [PATCH 01/11] lib/rte_security: add security library X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" rte_security library provides APIs for security session create/free for protocol offload or offloaded crypto operation to ethernet device. Signed-off-by: Akhil Goyal Signed-off-by: Boris Pismenny Signed-off-by: Radu Nicolau Signed-off-by: Declan Doherty --- lib/librte_security/Makefile | 53 +++ lib/librte_security/rte_security.c | 252 ++++++++++++++ lib/librte_security/rte_security.h | 494 +++++++++++++++++++++++++++ lib/librte_security/rte_security_driver.h | 181 ++++++++++ lib/librte_security/rte_security_version.map | 13 + 5 files changed, 993 insertions(+) create mode 100644 lib/librte_security/Makefile create mode 100644 lib/librte_security/rte_security.c create mode 100644 lib/librte_security/rte_security.h create mode 100644 lib/librte_security/rte_security_driver.h create mode 100644 lib/librte_security/rte_security_version.map diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile new file mode 100644 index 0000000..af87bb2 --- /dev/null +++ b/lib/librte_security/Makefile @@ -0,0 +1,53 @@ +# BSD LICENSE +# +# Copyright(c) 2017 Intel Corporation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +include $(RTE_SDK)/mk/rte.vars.mk + +# library name +LIB = librte_security.a + +# library version +LIBABIVER := 1 + +# build flags +CFLAGS += -O3 +CFLAGS += $(WERROR_FLAGS) + +# library source files +SRCS-y += rte_security.c + +# export include files +SYMLINK-y-include += rte_security.h +SYMLINK-y-include += rte_security_driver.h + +# versioning export map +EXPORT_MAP := rte_security_version.map + +include $(RTE_SDK)/mk/rte.lib.mk diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c new file mode 100644 index 0000000..5776246 --- /dev/null +++ b/lib/librte_security/rte_security.c @@ -0,0 +1,252 @@ +/*- + * BSD LICENSE + * + * Copyright 2017 NXP. + * Copyright(c) 2017 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of NXP nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include + +#include "rte_security.h" +#include "rte_security_driver.h" + +#define RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ (8) + +struct rte_security_ctx { + uint16_t id; + enum { + RTE_SECURITY_INSTANCE_INVALID = 0, + RTE_SECURITY_INSTANCE_VALID + } state; + void *device; + struct rte_security_ops *ops; +}; + +static struct rte_security_ctx *security_instances; +static uint16_t max_nb_security_instances; +static uint16_t nb_security_instances; + +static int +rte_security_is_valid_id(uint16_t id) +{ + if (id >= nb_security_instances || + (security_instances[id].state != RTE_SECURITY_INSTANCE_VALID)) + return 0; + else + return 1; +} + +/* Macros to check for valid id */ +#define RTE_SEC_VALID_ID_OR_ERR_RET(id, retval) do { \ + if (!rte_security_is_valid_id(id)) { \ + RTE_PMD_DEBUG_TRACE("Invalid sec_id=%d\n", id); \ + return retval; \ + } \ +} while (0) + +#define RTE_SEC_VALID_ID_OR_RET(id) do { \ + if (!rte_security_is_valid_id(id)) { \ + RTE_PMD_DEBUG_TRACE("Invalid sec_id=%d\n", id); \ + return; \ + } \ +} while (0) + +int +rte_security_register(uint16_t *id, void *device, + struct rte_security_ops *ops) +{ + if (max_nb_security_instances == 0) { + security_instances = rte_malloc( + "rte_security_instances_ops", + sizeof(*security_instances) * + RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ, 0); + + if (security_instances == NULL) + return -ENOMEM; + max_nb_security_instances = + RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ; + } else if (nb_security_instances >= max_nb_security_instances) { + uint16_t *instances = rte_realloc(security_instances, + sizeof(struct rte_security_ops *) * + (max_nb_security_instances + + RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ), 0); + + if (instances == NULL) + return -ENOMEM; + + max_nb_security_instances += + RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ; + } + + *id = nb_security_instances++; + + security_instances[*id].id = *id; + security_instances[*id].state = RTE_SECURITY_INSTANCE_VALID; + security_instances[*id].device = device; + security_instances[*id].ops = ops; + + return 0; +} + +int +rte_security_unregister(__rte_unused uint16_t *id) +{ + /* To be implemented */ + return 0; +} + +struct rte_security_session * +rte_security_session_create(uint16_t id, + struct rte_security_session_conf *conf, + struct rte_mempool *mp) +{ + struct rte_security_ctx *instance; + struct rte_security_session *sess = NULL; + + RTE_SEC_VALID_ID_OR_ERR_RET(id, NULL); + instance = &security_instances[id]; + + if (conf == NULL) + return NULL; + + if (rte_mempool_get(mp, (void *)&sess)) + return NULL; + + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_create, NULL); + if (instance->ops->session_create(instance->device, conf, sess, mp)) { + rte_mempool_put(mp, (void *)sess); + return NULL; + } + return sess; +} + +int +rte_security_session_update(uint16_t id, + struct rte_security_session *sess, + struct rte_security_session_conf *conf) +{ + struct rte_security_ctx *instance; + + RTE_SEC_VALID_ID_OR_ERR_RET(id, -ENODEV); + instance = &security_instances[id]; + + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_update, -ENOTSUP); + return instance->ops->session_update(instance->device, sess, conf); +} + +int +rte_security_session_query(uint16_t id, + struct rte_security_session *sess, + struct rte_security_stats *stats) +{ + struct rte_security_ctx *instance; + + RTE_SEC_VALID_ID_OR_ERR_RET(id, -ENODEV); + instance = &security_instances[id]; + + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_query, -ENOTSUP); + return instance->ops->session_query(instance->device, sess, stats); +} + +int +rte_security_session_destroy(uint16_t id, struct rte_security_session *sess) +{ + struct rte_security_ctx *instance; + + RTE_SEC_VALID_ID_OR_ERR_RET(id, -ENODEV); + instance = &security_instances[id]; + + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_destroy, -ENOTSUP); + return instance->ops->session_destroy(instance->device, sess); +} + +int +rte_security_set_pkt_metadata(uint16_t id, + struct rte_security_session *sess, + struct rte_mbuf *m, void *params) +{ + struct rte_security_ctx *instance; + + RTE_SEC_VALID_ID_OR_ERR_RET(id, -ENODEV); + instance = &security_instances[id]; + + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->set_pkt_metadata, -ENOTSUP); + return instance->ops->set_pkt_metadata(instance->device, + sess, m, params); +} + +const struct rte_security_capability * +rte_security_capabilities_get(uint16_t id) +{ + struct rte_security_ctx *instance; + + RTE_SEC_VALID_ID_OR_ERR_RET(id, NULL); + instance = &security_instances[id]; + + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->capabilities_get, NULL); + return instance->ops->capabilities_get(instance->device); +} + +const struct rte_security_capability * +rte_security_capability_get(uint16_t id, + struct rte_security_capability_idx *idx) +{ + struct rte_security_ctx *instance; + const struct rte_security_capability *capabilities; + const struct rte_security_capability *capability; + uint16_t i = 0; + + RTE_SEC_VALID_ID_OR_ERR_RET(id, NULL); + instance = &security_instances[id]; + + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->capabilities_get, NULL); + capabilities = instance->ops->capabilities_get(instance->device); + + if (capabilities == NULL) + return NULL; + + while ((capability = &capabilities[i++])->action + != RTE_SECURITY_ACTION_TYPE_NONE) { + if (capability->action == idx->action && + capability->protocol == idx->protocol) { + if (idx->protocol == RTE_SECURITY_PROTOCOL_IPSEC) { + if (capability->ipsec.proto == + idx->ipsec.proto && + capability->ipsec.mode == + idx->ipsec.mode && + capability->ipsec.direction == + idx->ipsec.direction) + return capability; + } + } + } + + return NULL; +} diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h new file mode 100644 index 0000000..2faac96 --- /dev/null +++ b/lib/librte_security/rte_security.h @@ -0,0 +1,494 @@ +/*- + * BSD LICENSE + * + * Copyright 2017 NXP. + * Copyright(c) 2017 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of NXP nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _RTE_SECURITY_H_ +#define _RTE_SECURITY_H_ + +/** + * @file rte_security.h + * + * RTE Security Common Definitions + * + */ + +#ifdef __cplusplus +extern "C" { +#endif + +#include +#include +#include + +#include +#include +#include +#include +#include + +/** IPSec protocol mode */ +enum rte_security_ipsec_sa_mode { + RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT, + /**< IPSec Transport mode */ + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + /**< IPSec Tunnel mode */ +}; + +/** IPSec Protocol */ +enum rte_security_ipsec_sa_protocol { + RTE_SECURITY_IPSEC_SA_PROTO_AH, + /**< AH protocol */ + RTE_SECURITY_IPSEC_SA_PROTO_ESP, + /**< ESP protocol */ +}; + +/** IPSEC tunnel type */ +enum rte_security_ipsec_tunnel_type { + RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 0, + /**< Outer header is IPv4 */ + RTE_SECURITY_IPSEC_TUNNEL_IPV6, + /**< Outer header is IPv6 */ +}; + +/** + * IPSEC tunnel parameters + * + * These parameters are used to build outbound tunnel headers. + */ +struct rte_security_ipsec_tunnel_param { + enum rte_security_ipsec_tunnel_type type; + /**< Tunnel type: IPv4 or IPv6 */ + union { + struct { + struct in_addr src_ip; + /**< IPv4 source address */ + struct in_addr dst_ip; + /**< IPv4 destination address */ + uint8_t dscp; + /**< IPv4 Differentiated Services Code Point */ + uint8_t df; + /**< IPv4 Don't Fragment bit */ + uint8_t ttl; + /**< IPv4 Time To Live */ + } ipv4; + /**< IPv4 header parameters */ + struct { + struct in6_addr src_addr; + /**< IPv6 source address */ + struct in6_addr dst_addr; + /**< IPv6 destination address */ + uint8_t dscp; + /**< IPv6 Differentiated Services Code Point */ + uint32_t flabel; + /**< IPv6 flow label */ + uint8_t hlimit; + /**< IPv6 hop limit */ + } ipv6; + /**< IPv6 header parameters */ + }; +}; + +/** + * IPsec Security Association option flags + */ +struct rte_security_ipsec_sa_options { + /** Extended Sequence Numbers (ESN) + * + * * 1: Use extended (64 bit) sequence numbers + * * 0: Use normal sequence numbers + */ + uint32_t esn : 1; + + /** UDP encapsulation + * + * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can + * traverse through NAT boxes. + * * 0: No UDP encapsulation + */ + uint32_t udp_encap : 1; + + /** Copy DSCP bits + * + * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to + * the outer IP header in encapsulation, and vice versa in + * decapsulation. + * * 0: Use values from odp_ipsec_tunnel_param_t in encapsulation and + * do not change DSCP field in decapsulation. + */ + uint32_t copy_dscp : 1; + + /** Copy IPv6 Flow Label + * + * * 1: Copy IPv6 flow label from inner IPv6 header to the + * outer IPv6 header. + * * 0: Use value from odp_ipsec_tunnel_param_t + */ + uint32_t copy_flabel : 1; + + /** Copy IPv4 Don't Fragment bit + * + * * 1: Copy the DF bit from the inner IPv4 header to the outer + * IPv4 header. + * * 0: Use value from odp_ipsec_tunnel_param_t + */ + uint32_t copy_df : 1; + + /** Decrement inner packet Time To Live (TTL) field + * + * * 1: In tunnel mode, decrement inner packet IPv4 TTL or + * IPv6 Hop Limit after tunnel decapsulation, or before tunnel + * encapsulation. + * * 0: Inner packet is not modified. + */ + uint32_t dec_ttl : 1; + + /** HW constructs/removes trailer of packets + * + * * 1: Transmitted packets will have the trailer added to them by + * hardawre. The next protocol field will be based on the + * mbuf->inner_esp_next_proto field. + * Received packets have no trailer, the next protocol field is + * supplied in the mbuf->inner_esp_next_proto field. + * * 0: Inner packet is not modified. + */ + uint32_t no_trailer : 1; +}; + +/** IPSec security association direction */ +enum rte_security_ipsec_sa_direction { + RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + /**< Encrypt and generate digest */ + RTE_SECURITY_IPSEC_SA_DIR_INGRESS, + /**< Verify digest and decrypt */ +}; + +/** + * IPsec security association configuration data. + * + * This structure contains data required to create an IPsec SA security session. + */ +struct rte_security_ipsec_xform { + uint32_t spi; + /**< SA security parameter index */ + uint32_t salt; + /**< SA salt */ + struct rte_security_ipsec_sa_options options; + /**< various SA options */ + enum rte_security_ipsec_sa_direction direction; + /**< IPSec SA Direction - Egress/Ingress */ + enum rte_security_ipsec_sa_protocol proto; + /**< IPsec SA Protocol - AH/ESP */ + enum rte_security_ipsec_sa_mode mode; + /**< IPsec SA Mode - transport/tunnel */ + struct rte_security_ipsec_tunnel_param tunnel; + /**< Tunnel parameters, NULL for transport mode */ +}; + +/** + * MACsec security session configuration + */ +struct rte_security_macsec_xform { + /** To be Filled */ +}; + +/** + * Security session action type. + */ +enum rte_security_session_action_type { + RTE_SECURITY_ACTION_TYPE_NONE, + /**< No security actions */ + RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, + /**< Crypto processing for security protocol is processed inline + * during transmission */ + RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, + /**< All security protocol processing is performed inline during + * transmission */ + RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL + /**< All security protocol processing including crypto is performed + * on a lookaside accelerator */ +}; + +/** Security session protocol definition */ +enum rte_security_session_protocol { + RTE_SECURITY_PROTOCOL_IPSEC, + /**< IPsec Protocol */ + RTE_SECURITY_PROTOCOL_MACSEC, + /**< MACSec Protocol */ +}; + +/** + * Security session configuration + */ +struct rte_security_session_conf { + enum rte_security_session_action_type action_type; + /**< Type of action to be performed on the session */ + enum rte_security_session_protocol protocol; + /**< Security protocol to be configured */ + union { + struct rte_security_ipsec_xform ipsec; + struct rte_security_macsec_xform macsec; + }; + /**< Configuration parameters for security session */ + struct rte_crypto_sym_xform *crypto_xform; + /**< Security Session Crypto Transformations */ +}; + +struct rte_security_session { + __extension__ void *sess_private_data; + /**< Private session material */ +}; + +/** + * Create security session as specified by the session configuration + * + * @param id security instance identifier id + * @param conf session configuration parameters + * @param mp mempool to allocate session objects from + * @return + * - On success, pointer to session + * - On failure, NULL + */ +struct rte_security_session * +rte_security_session_create(uint16_t id, + struct rte_security_session_conf *conf, + struct rte_mempool *mp); + +/** + * Update security session as specified by the session configuration + * + * @param id security instance identifier id + * @param sess session to update parameters + * @param conf update configuration parameters + * @return + * - On success returns 0 + * - On failure return errno + */ +int +rte_security_session_update(uint16_t id, + struct rte_security_session *sess, + struct rte_security_session_conf *conf); + +/** + * Free security session header and the session private data and + * return it to its original mempool. + * + * @param id security instance identifier id + * @param sess security session to freed + * + * @return + * - 0 if successful. + * - -EINVAL if session is NULL. + * - -EBUSY if not all device private data has been freed. + */ +int +rte_security_session_destroy(uint16_t id, struct rte_security_session *sess); + +/** + * Updates the buffer with device-specific defined metadata + * + * @param id security instance identifier id + * @param sess security session + * @param m packet mbuf to set metadata on. + * @param params device-specific defined parameters required for metadata + * + * @return + * - On success, zero. + * - On failure, a negative value. + */ +int +rte_security_set_pkt_metadata(uint16_t id, + struct rte_security_session *sess, + struct rte_mbuf *mb, void *params); + +/** + * Attach a session to a symmetric crypto operation + * + * @param sym_op crypto operation + * @param sess security session + */ +static inline int +__rte_security_attach_session(struct rte_crypto_sym_op *sym_op, + struct rte_security_session *sess) +{ + sym_op->sec_session = sess; + + return 0; +} + +static inline void * +get_sec_session_private_data(const struct rte_security_session *sess) +{ + return sess->sess_private_data; +} + +static inline void +set_sec_session_private_data(struct rte_security_session *sess, + void *private_data) +{ + sess->sess_private_data = private_data; +} + +/** + * Attach a session to a crypto operation. + * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD + * For other rte_security_session_action_type, ol_flags in rte_mbuf may be + * defined to perform security operations. + * + * @param op crypto operation + * @param sess security session + */ +static inline int +rte_security_attach_session(struct rte_crypto_op *op, + struct rte_security_session *sess) +{ + if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC)) + return -1; + + op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION; + + return __rte_security_attach_session(op->sym, sess); +} + +struct rte_security_macsec_stats { + uint64_t reserved; +}; + +struct rte_security_ipsec_stats { + uint64_t reserved; + +}; + +struct rte_security_stats { + enum rte_security_session_protocol protocol; + /**< Security protocol to be configured */ + + union { + struct rte_security_macsec_stats macsec; + struct rte_security_ipsec_stats ipsec; + }; +}; + +/** + * Query security session statistics + * + * @param id security instance identifier id + * @param sess security session + * @param stats statistics + * @return + * - On success return 0 + * - On failure errno + */ +int +rte_security_session_query(uint16_t id, + struct rte_security_session *sess, + struct rte_security_stats *stats); + +/** + * Security capability definition + */ +struct rte_security_capability { + enum rte_security_session_action_type action; + /**< Security action type*/ + enum rte_security_session_protocol protocol; + /**< Security protocol */ + RTE_STD_C11 + union { + struct { + enum rte_security_ipsec_sa_protocol proto; + /**< IPsec SA protocol */ + enum rte_security_ipsec_sa_mode mode; + /**< IPsec SA mode */ + enum rte_security_ipsec_sa_direction direction; + /**< IPsec SA direction */ + struct rte_security_ipsec_sa_options options; + /**< IPsec SA supported options */ + } ipsec; + /**< IPsec capability */ + struct { + /* To be Filled */ + } macsec; + /**< MACsec capability */ + }; + + const struct rte_cryptodev_capabilities *crypto_capabilities; + /**< Corresponding crypto capabilities for security capability */ +}; + +/** + * Security capability index used to query a security instance for a specific + * security capability + */ +struct rte_security_capability_idx { + enum rte_security_session_action_type action; + enum rte_security_session_protocol protocol; + + union { + struct { + enum rte_security_ipsec_sa_protocol proto; + enum rte_security_ipsec_sa_mode mode; + enum rte_security_ipsec_sa_direction direction; + } ipsec; + }; +}; + +/** + * Returns array of security instance capabilities + * + * @param id Security instance identifier. + * + * @return + * - Returns array of security capabilities. + * - Return NULL if no capabilities available. + */ +const struct rte_security_capability * +rte_security_capabilities_get(uint16_t id); + +/** + * Query if a specific capability is available on security instance + * + * @param id security instance identifier. + * @param idx security capability index to match against + * + * @return + * - Returns pointer to security capability on match of capability + * index criteria. + * - Return NULL if the capability not matched on security instance. + */ +const struct rte_security_capability * +rte_security_capability_get(uint16_t id, + struct rte_security_capability_idx *idx); + +#ifdef __cplusplus +} +#endif + +#endif /* _RTE_SECURITY_H_ */ diff --git a/lib/librte_security/rte_security_driver.h b/lib/librte_security/rte_security_driver.h new file mode 100644 index 0000000..e2632df --- /dev/null +++ b/lib/librte_security/rte_security_driver.h @@ -0,0 +1,181 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2017 Intel Corporation. All rights reserved. + * Copyright 2017 NXP. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _RTE_SECURITY_DRIVER_H_ +#define _RTE_SECURITY_DRIVER_H_ + +/** + * @file rte_security_driver.h + * + * RTE Security Common Definitions + * + */ + +#ifdef __cplusplus +extern "C" { +#endif + +#include "rte_security.h" + +/** + * Configure a security session on a device. + * + * @param device Crypto/eth device pointer + * @param conf Security session configuration + * @param sess Pointer to Security private session structure + * @param mp Mempool where the private session is allocated + * + * @return + * - Returns 0 if private session structure have been created successfully. + * - Returns -EINVAL if input parameters are invalid. + * - Returns -ENOTSUP if crypto device does not support the crypto transform. + * - Returns -ENOMEM if the private session could not be allocated. + */ +typedef int (*security_session_create_t)(void *device, + struct rte_security_session_conf *conf, + struct rte_security_session *sess, + struct rte_mempool *mp); + +/** + * Free driver private session data. + * + * @param dev Crypto/eth device pointer + * @param sess Security session structure + */ +typedef int (*security_session_destroy_t)(void *device, + struct rte_security_session *sess); + +/** + * Update driver private session data. + * + * @param device Crypto/eth device pointer + * @param sess Pointer to Security private session structure + * @param conf Security session configuration + * + * @return + * - Returns 0 if private session structure have been updated successfully. + * - Returns -EINVAL if input parameters are invalid. + * - Returns -ENOTSUP if crypto device does not support the crypto transform. + */ +typedef int (*security_session_update_t)(void *device, + struct rte_security_session *sess, + struct rte_security_session_conf *conf); +/** + * Query stats from the PMD. + * + * @param device Crypto/eth device pointer + * @param sess Pointer to Security private session structure + * @param stats Security stats of the driver + * + * @return + * - Returns 0 if private session structure have been updated successfully. + * - Returns -EINVAL if session parameters are invalid. + */ +typedef int (*security_session_query_t)(void *device, + struct rte_security_session *sess, + struct rte_security_stats *stats); + +/** + * Update buffer with provided metadata. + * + * @param sess Security session structure + * @param mb Packet buffer + * @param mt Metadata + * + * @return + * - Returns 0 if metadata updated successfully. + * - Returns -ve value for errors. + */ +typedef int (*security_set_pkt_metadata_t)(void *device, + struct rte_security_session *sess, struct rte_mbuf *m, + void *params); + +/** + * Get security capabilities of the device. + * + * @param device crypto/eth device pointer + * + * @return + * - Returns rte_security_capability pointer on success. + * - Returns NULL on error. + */ +typedef const struct rte_security_capability *(*security_capabilities_get_t)( + void *device); + +/** Security operations function pointer table */ +struct rte_security_ops { + security_session_create_t session_create; + /**< Configure a Security session. */ + security_session_update_t session_update; + /**< Update a security sessions state */ + security_session_query_t session_query; + /**< Clear a security sessions private data. */ + security_session_destroy_t session_destroy; + /**< Clear a security sessions private data. */ + security_set_pkt_metadata_t set_pkt_metadata; + /**< Update buffer metadata. */ + security_capabilities_get_t capabilities_get; +}; + +/** + * Register a Crypto/eth device for security operations. + * + * @param id id of the crypto/eth device + * @param device crypto/eth device pointer + * @param ops Security ops to be supported by device + * + * @return + * - Returns 0 if metadata updated successfully. + * - Returns -ve value for errors. + */ +int +rte_security_register(uint16_t *id, void *device, + struct rte_security_ops *ops); + +/** + * Unregister a Crypto/eth device for security operations. + * + * @param id id of the crypto/eth device + * + * @return + * - Returns 0 if device is successfully unregistered. + * - Returns -ve value for errors. + */ +int +rte_security_unregister(uint16_t *id); + +#ifdef __cplusplus +} +#endif + +#endif /* _RTE_SECURITY_DRIVER_H_ */ diff --git a/lib/librte_security/rte_security_version.map b/lib/librte_security/rte_security_version.map new file mode 100644 index 0000000..82b7921 --- /dev/null +++ b/lib/librte_security/rte_security_version.map @@ -0,0 +1,13 @@ +DPDK_17.11 { + global: + + rte_security_attach_session; + rte_security_capabilities_get; + rte_security_capability_get; + rte_security_session_create; + rte_security_session_free; + rte_security_session_query; + rte_security_session_update; + rte_security_set_pkt_metadata; + +};