[2/3] common/cnxk: add support for UDP ports verification
Checks
Commit Message
Adding support to verify UDP encapsulation ports
in IPsec inbound.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
drivers/common/cnxk/cnxk_security.c | 3 +++
drivers/common/cnxk/roc_ie_ot.h | 4 ++--
drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 1 +
3 files changed, 6 insertions(+), 2 deletions(-)
Comments
> Adding support to verify UDP encapsulation ports
> in IPsec inbound.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
> drivers/common/cnxk/cnxk_security.c | 3 +++
Acked-by: Akhil Goyal <gakhil@marvell.com>
@@ -303,6 +303,9 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
sa->w10.s.udp_dst_port = 4500;
}
+ if (ipsec_xfrm->options.udp_ports_verify)
+ sa->w2.s.udp_ports_verify = 1;
+
offset = offsetof(struct roc_ot_ipsec_inb_sa, ctx);
/* Word offset for HW managed SA field */
sa->w0.s.hw_ctx_off = offset / 8;
@@ -184,7 +184,7 @@ union roc_ot_ipsec_sa_word2 {
uint64_t esn_en : 1;
uint64_t tport_l4_incr_csum : 1;
uint64_t ip_hdr_verify : 2;
- uint64_t rsvd5 : 1;
+ uint64_t udp_ports_verify : 1;
uint64_t rsvd2 : 7;
uint64_t async_mode : 1;
@@ -329,7 +329,7 @@ struct roc_ot_ipsec_inb_sa {
uint64_t esn_en : 1;
uint64_t tport_l4_incr_csum : 1;
uint64_t ip_hdr_verify : 2;
- uint64_t rsvd5 : 1;
+ uint64_t udp_ports_verify : 1;
uint64_t rsvd6 : 7;
uint64_t async_mode : 1;
@@ -921,6 +921,7 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
sec_cap->ipsec.options.iv_gen_disable = 1;
#endif
} else {
+ sec_cap->ipsec.options.udp_ports_verify = 1;
if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
sec_cap->ipsec.options.tunnel_hdr_verify =
RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;