From patchwork Wed Sep 29 03:25:12 2021
X-Patchwork-Submitter: Tejasree Kondoj
X-Patchwork-Id: 99953
X-Patchwork-Delegate: gakhil@marvell.com
From: Tejasree Kondoj
To: Akhil Goyal, Radu Nicolau, Declan Doherty
CC: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob, Konstantin Ananyev, Ciara Power, Hemant Agrawal, Gagandeep Singh, Fan Zhang, Archana Muniganti
Date: Wed, 29 Sep 2021 08:55:12 +0530
Message-ID: <20210929032514.9416-2-ktejasree@marvell.com>
In-Reply-To: <20210929032514.9416-1-ktejasree@marvell.com>
References: <20210929032514.9416-1-ktejasree@marvell.com>
Subject: [dpdk-dev] [PATCH v2 1/3] security: add option to configure UDP ports verification

Add option to indicate whether UDP encapsulation ports verification needs to be done as part of inbound IPsec processing.

Signed-off-by: Tejasree Kondoj
Acked-by: Hemant Agrawal
Acked-by: Akhil Goyal
--- doc/guides/rel_notes/release_21_11.rst | 4 ++++ lib/security/rte_security.h | 7 +++++++ 2 files changed, 11 insertions(+) diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index f85dc99c8b..8da851cccc 100644 --- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst @@ -185,6 +185,10 @@ ABI Changes ``rte_security_ipsec_sa_options`` to indicate whether outer header verification need to be done as part of inbound IPsec processing. +* security: A new option ``udp_ports_verify`` was added in structure + ``rte_security_ipsec_sa_options`` to indicate whether UDP ports + verification need to be done as part of inbound IPsec processing. + * security: A new structure ``rte_security_ipsec_lifetime`` was added to replace ``esn_soft_limit`` in IPsec configuration structure ``rte_security_ipsec_xform`` to allow applications to configure SA soft diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index a10c9b5f00..ab1a6e1f65 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h 
@@ -223,6 +223,13 @@ struct rte_security_ipsec_sa_options { * source and destination IP addresses. */ uint32_t tunnel_hdr_verify : 2; + + /** Verify UDP encapsulation ports in inbound + * + * * 1: Match UDP source and destination ports + * * 0: Do not match UDP ports + */ + uint32_t udp_ports_verify : 1; }; /** IPSec security association direction */

From patchwork Wed Sep 29 03:25:13 2021
X-Patchwork-Id: 99954
From: Tejasree Kondoj
Date: Wed, 29 Sep 2021 08:55:13 +0530
Message-ID: <20210929032514.9416-3-ktejasree@marvell.com>
Subject: [dpdk-dev] [PATCH v2 2/3] common/cnxk: add support for UDP ports verification

Adding support to verify UDP encapsulation ports in IPsec inbound.

Signed-off-by: Tejasree Kondoj --- drivers/common/cnxk/cnxk_security.c | 3 +++ drivers/common/cnxk/roc_ie_ot.h | 4 ++-- drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 1 + 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index cc5daf333c..13c4f128ae 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -303,6 +303,9 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, sa->w10.s.udp_dst_port = 4500; } + if (ipsec_xfrm->options.udp_ports_verify) + sa->w2.s.udp_ports_verify = 1; + offset = offsetof(struct roc_ot_ipsec_inb_sa, ctx); /* Word offset for HW managed SA field */ sa->w0.s.hw_ctx_off = offset / 8; diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h index 12c75afac2..e8415cff3c 100644 --- a/drivers/common/cnxk/roc_ie_ot.h +++ b/drivers/common/cnxk/roc_ie_ot.h @@ -184,7 +184,7 @@ union roc_ot_ipsec_sa_word2 { uint64_t esn_en : 1; uint64_t tport_l4_incr_csum : 1; uint64_t ip_hdr_verify : 2; - uint64_t rsvd5 : 1; + uint64_t udp_ports_verify : 1; uint64_t rsvd2 : 7; uint64_t async_mode : 1; @@ -329,7 +329,7 @@ struct roc_ot_ipsec_inb_sa { uint64_t esn_en : 1; uint64_t tport_l4_incr_csum : 1; uint64_t ip_hdr_verify : 2; - uint64_t rsvd5 : 1; + uint64_t udp_ports_verify : 1; uint64_t rsvd6 : 7; uint64_t async_mode : 1; diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index 8a0cf289fd..ba4166c56d 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c 
@@ -921,6 +921,7 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap) sec_cap->ipsec.options.iv_gen_disable = 1; #endif } else { + sec_cap->ipsec.options.udp_ports_verify = 1; if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) sec_cap->ipsec.options.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;

From patchwork Wed Sep 29 03:25:14 2021
X-Patchwork-Id: 99955
From: Tejasree Kondoj
Date: Wed, 29 Sep 2021 08:55:14 +0530
Message-ID: <20210929032514.9416-4-ktejasree@marvell.com>
Subject: [dpdk-dev] [PATCH v2 3/3] test/crypto: add UDP encapsulation ports verification tests

Adding UDP encapsulation ports verification test cases.

Signed-off-by: Tejasree Kondoj --- app/test/test_cryptodev.c | 17 +++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 11 +++++++++++ app/test/test_cryptodev_security_ipsec.h | 1 + 3 files changed, 29 insertions(+) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 665d19c0a4..5f0d023451 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9262,6 +9262,19 @@ test_ipsec_proto_tunnel_dst_addr_verify(const void *data __rte_unused) return test_ipsec_proto_all(&flags); } +static int +test_ipsec_proto_udp_ports_verify(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.udp_encap = true; + flags.udp_ports_verify = true; + + return test_ipsec_proto_all(&flags); +} + static int test_PDCP_PROTO_all(void) { @@ -14194,6 +14207,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { "UDP encapsulation", ut_setup_security, ut_teardown, test_ipsec_proto_udp_encap), + TEST_CASE_NAMED_ST( + "UDP encapsulation ports verification test", + ut_setup_security, ut_teardown, + test_ipsec_proto_udp_ports_verify), TEST_CASE_NAMED_ST( "SA expiry packets soft", ut_setup_security, ut_teardown, diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index f040630655..764e77bbff 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -36,6 +36,14 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, return -ENOTSUP; } + if (ipsec_xform->options.udp_ports_verify == 1 && + sec_cap->ipsec.options.udp_ports_verify == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "UDP encapsulation ports " + "verification is not supported\n"); + return -ENOTSUP; + } + if (ipsec_xform->options.copy_dscp == 1 && sec_cap->ipsec.options.copy_dscp == 0) { if (!silent) 
@@ -216,6 +224,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], if (flags->udp_encap) td_inb[i].ipsec_xform.options.udp_encap = 1; + if (flags->udp_ports_verify) + td_inb[i].ipsec_xform.options.udp_ports_verify = 1; + td_inb[i].ipsec_xform.options.tunnel_hdr_verify = flags->tunnel_hdr_verify; diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index a65cb54eae..0416005520 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -55,6 +55,7 @@ struct ipsec_test_flags { bool iv_gen; uint32_t tunnel_hdr_verify; bool udp_encap; + bool udp_ports_verify; }; struct crypto_param {
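
Review bot: In the `doc/guides/rel_notes/release_21_11.rst` hunk of patch 1/3, the new entry reads "verification need to be done"; it should be "needs to be done". The entry also says only "UDP ports verification", while the header comment in the same patch speaks of UDP encapsulation ports; using the same wording in both places would make clear that the option concerns UDP-encapsulated IPsec traffic.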
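
Review bot: In the `lib/security/rte_security.h` hunk of patch 1/3, the comment on `udp_ports_verify` does not say what the ports are matched against or what the result of a mismatch is. "Match UDP source and destination ports" should name the reference values (presumably the UDP encapsulation ports configured for the SA) and state whether the bit has any effect when the `udp_encap` option is 0. The summary line also stops at "in inbound"; "on inbound packets" would read complete.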
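
Review bot: In the `cnxk_ot_ipsec_inb_sa_fill()` hunk of `drivers/common/cnxk/cnxk_security.c` (patch 2/3), `sa->w2.s.udp_ports_verify` is set after the closing brace of the block that programs `sa->w10.s.udp_dst_port`, so the bit can be enabled on an SA for which that block was skipped and no ports were written. Either move the assignment inside that block or return an error when `options.udp_ports_verify` is requested without it, so that verification is never enabled against port fields that were not programmed.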
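
Review bot: In `test_ipsec_proto_udp_ports_verify()` in the `app/test/test_cryptodev.c` hunk of patch 3/3, only the matching-ports path is exercised: the function sets `flags.udp_encap` and `flags.udp_ports_verify` and then runs `test_ipsec_proto_all()` with no change to the packets. A verification option needs a negative case as well, one where the inbound packet carries UDP ports that differ from the SA's and the test expects processing to fail. Without it the test passes equally well on a device that ignores the bit.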