From patchwork Wed Sep 8 08:25:29 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tejasree Kondoj X-Patchwork-Id: 98275 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 5FD3FA0C56; Wed, 8 Sep 2021 09:31:44 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 4C75E41139; Wed, 8 Sep 2021 09:31:44 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 31E8A41130 for ; Wed, 8 Sep 2021 09:31:43 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 1882piif018485; Wed, 8 Sep 2021 00:31:42 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=1oHI3j8dlpZXP2wcxEDRgmV6EGHJEEZYWRf1ETSAZ1Q=; b=DtHkiZpwWXhpe9Vxf4GUx3BgXnFBr8jhID6wckYaw6zzhhuVXQ7ueC9yoGL1fNYspSb1 y+DMVLtdCb77yYAaxKWTcMsRcA6xa1OyuWdWC5ZE4Rtau72ctcAI1twxNkHzmO6tLokN Llk8O2bFu8Jzox8VSU714SKaC+k99Gj890NTgSjipM/cQNnJdUArZAKSyBCgKSfvV3NO GsTNPFswiK0PATMBQ1sIdLRp+I1Q1Q7uAMD31EbhrdDmxh3SZhpvqkD943SpnUZ4KVqt 1htsrgLeNQgbz6KxZaVAjdSN3ojl3A8RnmMq0tL1p2pUyNUiloBQCaxgEeAoKUDSXpMi og== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com with ESMTP id 3axcmjaegu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 08 Sep 2021 00:31:42 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Wed, 8 Sep 2021 00:31:40 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Wed, 8 Sep 2021 00:31:40 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id 5D9B63F705B; Wed, 8 Sep 2021 00:31:31 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau , Declan Doherty CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Jerin Jacob , Konstantin Ananyev , Ciara Power , Hemant Agrawal , Gagandeep Singh , Fan Zhang , Archana Muniganti , Date: Wed, 8 Sep 2021 13:55:29 +0530 Message-ID: <20210908082531.27477-2-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210908082531.27477-1-ktejasree@marvell.com> References: <20210908082531.27477-1-ktejasree@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: -1Mn5oCN4lhaDoXs4Qi14OsaCt5-yo3M X-Proofpoint-ORIG-GUID: -1Mn5oCN4lhaDoXs4Qi14OsaCt5-yo3M X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-08_02,2021-09-07_02,2020-04-07_01 Subject: [dpdk-dev] [PATCH 1/3] security: add option to configure UDP ports verification X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add option to indicate whether UDP encapsulation ports verification need to be done as part of inbound IPsec processing. Signed-off-by: Tejasree Kondoj Acked-by: Hemant Agrawal Acked-by: Akhil Goyal --- doc/guides/rel_notes/release_21_11.rst | 5 +++++ lib/security/rte_security.h | 7 +++++++ 2 files changed, 12 insertions(+) diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index b0606cb542..afeba0105b 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -141,6 +141,11 @@ ABI Changes * Added SA option to indicate whether outer header verification need to be done as part of inbound IPsec processing. +* security: add IPsec SA option to configure UDP ports verification + + * Added SA option to indicate whether UDP ports verification need to be + done as part of inbound IPsec processing. + Known Issues ------------ diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 2a61cad885..18b0f02c44 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -139,6 +139,13 @@ struct rte_security_ipsec_sa_options { */ uint32_t udp_encap : 1; + /** Verify UDP encapsulation ports in inbound + * + * * 1: Match UDP source and destination ports + * * 0: Do not match UDP ports + */ + uint32_t udp_ports_verify : 1; + /** Copy DSCP bits * * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to From patchwork Wed Sep 8 08:25:30 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tejasree Kondoj X-Patchwork-Id: 98276 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 80E8EA0C56; Wed, 8 Sep 2021 09:31:53 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 6E2D74112E; Wed, 8 Sep 2021 09:31:53 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id CB1904013F for ; Wed, 8 Sep 2021 09:31:52 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 1882pV4q018346; Wed, 8 Sep 2021 00:31:52 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=iUNn6QWv/NnMpSEdMi0V6+vJLba7IEoj41H53UJLDas=; b=Nb+Ozf1K/EDScjsH4lHl6sJ5+gWayMItsIrhkkaBVZ+300ku2J9SIyT4bXDqWS2M6WDj iey/0+SZ+D55f06MZbqxFvHznoRTfyccSG0gRR8lMmLbQulkYTXvHTP9k2T7SuwTE4Tc FaSeCbzvJMj+CXbXyiruYs1ihKL6QggcKJjxdaLuaL1rcDc9FAKTzPsuSiEH27N077HI wtAS5m/+HU4pkcHNsHVyoMkPnvNDjPkQoUJrkT0GPUW22rcECRNufe84kplX88jO2hTy e37b/y3eU4Y+hdS2Put9Ss4bau984/WwJ4SFhyjdT1kYf2DIzyn5SiW+yoT7HhddhklE zA== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0b-0016f401.pphosted.com with ESMTP id 3axcmjaeh9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 08 Sep 2021 00:31:52 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Wed, 8 Sep 2021 00:31:50 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Wed, 8 Sep 2021 00:31:50 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id 57CD03F70AB; Wed, 8 Sep 2021 00:31:40 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau , Declan Doherty CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Jerin Jacob , Konstantin Ananyev , Ciara Power , Hemant Agrawal , Gagandeep Singh , Fan Zhang , Archana Muniganti , Date: Wed, 8 Sep 2021 13:55:30 +0530 Message-ID: <20210908082531.27477-3-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210908082531.27477-1-ktejasree@marvell.com> References: <20210908082531.27477-1-ktejasree@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: r96FJtJiWSpDhIGDi-UVPviKRqz100Xz X-Proofpoint-ORIG-GUID: r96FJtJiWSpDhIGDi-UVPviKRqz100Xz X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-08_02,2021-09-07_02,2020-04-07_01 Subject: [dpdk-dev] [PATCH 2/3] common/cnxk: add support for UDP ports verification X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Adding support to verify UDP encapsulation ports in IPsec inbound. Signed-off-by: Tejasree Kondoj Acked-by: Akhil Goyal --- drivers/common/cnxk/cnxk_security.c | 3 +++ drivers/common/cnxk/roc_ie_ot.h | 4 ++-- drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 1 + 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index cc5daf333c..13c4f128ae 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -303,6 +303,9 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, sa->w10.s.udp_dst_port = 4500; } + if (ipsec_xfrm->options.udp_ports_verify) + sa->w2.s.udp_ports_verify = 1; + offset = offsetof(struct roc_ot_ipsec_inb_sa, ctx); /* Word offset for HW managed SA field */ sa->w0.s.hw_ctx_off = offset / 8; diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h index 12c75afac2..e8415cff3c 100644 --- a/drivers/common/cnxk/roc_ie_ot.h +++ b/drivers/common/cnxk/roc_ie_ot.h @@ -184,7 +184,7 @@ union roc_ot_ipsec_sa_word2 { uint64_t esn_en : 1; uint64_t tport_l4_incr_csum : 1; uint64_t ip_hdr_verify : 2; - uint64_t rsvd5 : 1; + uint64_t udp_ports_verify : 1; uint64_t rsvd2 : 7; uint64_t async_mode : 1; @@ -329,7 +329,7 @@ struct roc_ot_ipsec_inb_sa { uint64_t esn_en : 1; uint64_t tport_l4_incr_csum : 1; uint64_t ip_hdr_verify : 2; - uint64_t rsvd5 : 1; + uint64_t udp_ports_verify : 1; uint64_t rsvd6 : 7; uint64_t async_mode : 1; diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index 8a0cf289fd..ba4166c56d 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -921,6 +921,7 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap) sec_cap->ipsec.options.iv_gen_disable = 1; #endif } else { + sec_cap->ipsec.options.udp_ports_verify = 1; if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) sec_cap->ipsec.options.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR; From patchwork Wed Sep 8 08:25:31 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tejasree Kondoj X-Patchwork-Id: 98277 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id D4175A0C56; Wed, 8 Sep 2021 09:32:03 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id C1DB441130; Wed, 8 Sep 2021 09:32:03 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 05F5B4013F for ; Wed, 8 Sep 2021 09:32:01 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 1882YCZp018276; Wed, 8 Sep 2021 00:32:01 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=cCa3TSPlEyb3uLeRp30vICLdvagUjSnZWqIRHklo+/8=; b=CL9wV3lNKwS1/qbBcuuH3St/MFF75Gt2F2aoX2c+v3o19b3AzReU4AEH2aMjBRXgaGAz yJeYniH4PR5ujS49ZvQMR8o1EkIMKR3+Z2VldpEv/h1IpTyDEabgVQmb5d2CX39rsP7P Y2/aiulmDoVRGI6tZegA7MZaoYDmomuKKPNAnlVXBpufJ+1auaUXEol7OGoOt2s0EazJ KAyLXyd+yTizP71B8A/bG+PQFNaqVMBQRF0BIUmcXSq++MT0hWNAiS7GZDsazzpMtcxD HEUrf5dcqBANeB6NyNnJ6B597WeGM2251YaqHj6x7ksW5UlViIexes3XHp43hX5QsDbA 5Q== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com with ESMTP id 3axcmjaej0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 08 Sep 2021 00:32:01 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Wed, 8 Sep 2021 00:31:59 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Wed, 8 Sep 2021 00:31:59 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id 0E9E63F705B; Wed, 8 Sep 2021 00:31:50 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau , Declan Doherty CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Jerin Jacob , Konstantin Ananyev , Ciara Power , Hemant Agrawal , Gagandeep Singh , Fan Zhang , Archana Muniganti , Date: Wed, 8 Sep 2021 13:55:31 +0530 Message-ID: <20210908082531.27477-4-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210908082531.27477-1-ktejasree@marvell.com> References: <20210908082531.27477-1-ktejasree@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: ZFGfHaOr77zwb2gWXFhu_HPUGNSdwFuQ X-Proofpoint-ORIG-GUID: ZFGfHaOr77zwb2gWXFhu_HPUGNSdwFuQ X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-08_02,2021-09-07_02,2020-04-07_01 Subject: [dpdk-dev] [PATCH 3/3] test/crypto: add UDP encapsulation ports verification tests X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Adding UDP encapsulation ports verification test cases. Signed-off-by: Tejasree Kondoj --- app/test/test_cryptodev.c | 17 +++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 11 +++++++++++ app/test/test_cryptodev_security_ipsec.h | 1 + 3 files changed, 29 insertions(+) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index ab7b63f37f..352d8f4360 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9214,6 +9214,19 @@ test_ipsec_proto_tunnel_dst_addr_verify(const void *data __rte_unused) return test_ipsec_proto_all(&flags); } +static int +test_ipsec_proto_udp_ports_verify(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.udp_encap = true; + flags.udp_ports_verify = true; + + return test_ipsec_proto_all(&flags); +} + static int test_PDCP_PROTO_all(void) { @@ -14145,6 +14158,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { "UDP encapsulation", ut_setup_security, ut_teardown, test_ipsec_proto_udp_encap), + TEST_CASE_NAMED_ST( + "UDP encapsulation ports verification test", + ut_setup_security, ut_teardown, + test_ipsec_proto_udp_ports_verify), TEST_CASE_NAMED_ST( "SA expiry packets soft", ut_setup_security, ut_teardown, diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index f040630655..764e77bbff 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -36,6 +36,14 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, return -ENOTSUP; } + if (ipsec_xform->options.udp_ports_verify == 1 && + sec_cap->ipsec.options.udp_ports_verify == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "UDP encapsulation ports " + "verification is not supported\n"); + return -ENOTSUP; + } + if (ipsec_xform->options.copy_dscp == 1 && sec_cap->ipsec.options.copy_dscp == 0) { if (!silent) @@ -216,6 +224,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], if (flags->udp_encap) td_inb[i].ipsec_xform.options.udp_encap = 1; + if (flags->udp_ports_verify) + td_inb[i].ipsec_xform.options.udp_ports_verify = 1; + td_inb[i].ipsec_xform.options.tunnel_hdr_verify = flags->tunnel_hdr_verify; diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index a65cb54eae..0416005520 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -55,6 +55,7 @@ struct ipsec_test_flags { bool iv_gen; uint32_t tunnel_hdr_verify; bool udp_encap; + bool udp_ports_verify; }; struct crypto_param {