GET /api/patches/132277/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 132277,
    "url": "http://patches.dpdk.org/api/patches/132277/?format=api",
    "web_url": "http://patches.dpdk.org/project/dpdk/patch/20231003104854.1381-3-anoobj@marvell.com/",
    "project": {
        "id": 1,
        "url": "http://patches.dpdk.org/api/projects/1/?format=api",
        "name": "DPDK",
        "link_name": "dpdk",
        "list_id": "dev.dpdk.org",
        "list_email": "dev@dpdk.org",
        "web_url": "http://core.dpdk.org",
        "scm_url": "git://dpdk.org/dpdk",
        "webscm_url": "http://git.dpdk.org/dpdk",
        "list_archive_url": "https://inbox.dpdk.org/dev",
        "list_archive_url_format": "https://inbox.dpdk.org/dev/{}",
        "commit_url_format": ""
    },
    "msgid": "<20231003104854.1381-3-anoobj@marvell.com>",
    "list_archive_url": "https://inbox.dpdk.org/dev/20231003104854.1381-3-anoobj@marvell.com",
    "date": "2023-10-03T10:48:51",
    "name": "[v2,2/5] security: add TLS record processing",
    "commit_ref": null,
    "pull_url": null,
    "state": "accepted",
    "archived": true,
    "hash": "510f7cb24f85c5b8c832424bd3e66118ea5d702f",
    "submitter": {
        "id": 1205,
        "url": "http://patches.dpdk.org/api/people/1205/?format=api",
        "name": "Anoob Joseph",
        "email": "anoobj@marvell.com"
    },
    "delegate": {
        "id": 6690,
        "url": "http://patches.dpdk.org/api/users/6690/?format=api",
        "username": "akhil",
        "first_name": "akhil",
        "last_name": "goyal",
        "email": "gakhil@marvell.com"
    },
    "mbox": "http://patches.dpdk.org/project/dpdk/patch/20231003104854.1381-3-anoobj@marvell.com/mbox/",
    "series": [
        {
            "id": 29720,
            "url": "http://patches.dpdk.org/api/series/29720/?format=api",
            "web_url": "http://patches.dpdk.org/project/dpdk/list/?series=29720",
            "date": "2023-10-03T10:48:49",
            "name": "add TLS record processing security offload",
            "version": 2,
            "mbox": "http://patches.dpdk.org/series/29720/mbox/"
        }
    ],
    "comments": "http://patches.dpdk.org/api/patches/132277/comments/",
    "check": "success",
    "checks": "http://patches.dpdk.org/api/patches/132277/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<dev-bounces@dpdk.org>",
        "X-Original-To": "patchwork@inbox.dpdk.org",
        "Delivered-To": "patchwork@inbox.dpdk.org",
        "Received": [
            "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id 8D236426AE;\n\tTue,  3 Oct 2023 12:49:10 +0200 (CEST)",
            "from mails.dpdk.org (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id 6DA6D40685;\n\tTue,  3 Oct 2023 12:49:07 +0200 (CEST)",
            "from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com\n [67.231.148.174])\n by mails.dpdk.org (Postfix) with ESMTP id 9CC074067D\n for <dev@dpdk.org>; Tue,  3 Oct 2023 12:49:05 +0200 (CEST)",
            "from pps.filterd (m0045849.ppops.net [127.0.0.1])\n by mx0a-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id\n 3933ikxS022252; Tue, 3 Oct 2023 03:49:01 -0700",
            "from dc5-exch02.marvell.com ([199.233.59.182])\n by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3tgbas98vr-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT);\n Tue, 03 Oct 2023 03:49:01 -0700",
            "from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com\n (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.48;\n Tue, 3 Oct 2023 03:48:59 -0700",
            "from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com\n (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.48 via Frontend\n Transport; Tue, 3 Oct 2023 03:48:59 -0700",
            "from BG-LT92004.corp.innovium.com (unknown [10.28.163.189])\n by maili.marvell.com (Postfix) with ESMTP id 2CAE33F7082;\n Tue,  3 Oct 2023 03:48:53 -0700 (PDT)"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com;\n h=from : to : cc :\n subject : date : message-id : in-reply-to : references : mime-version :\n content-transfer-encoding : content-type; s=pfpt0220;\n bh=l/GP9WBFnpCPgEi4TGcbx/osCbyYrXMBJXM7DuAxsVo=;\n b=lPyQ00N7tvaO17xeezgzGiw8akoniMK/aBolNkccik3pqf0nXG/NIW/Ti3Up81EyoXbc\n 9l0zfZiGHYLS7NSCKGz2F3WS4zUtpjwEhgcIAoy2U0plCxg/SCdxgKR/YOcN1ITsyDzs\n cPGckHSYxT8z0zHxr1OcBz1MCmahyYDOJ27QgqnRIamhTEqlRyGpCyFYeooMOnYu3eQM\n losrWGN76EHmUF4WhKYJ6BmFAqb90CFGah5FrG7qNgrE7Hv8D/rFOEPpqrxUHSRSg4nU\n w2kek09/Alv7Pgk1wStpe+TtdL6Qz4iRbWTM2Q6E0hiVzrt2SMal9tucVekte95uxUFg Gg==",
        "From": "Anoob Joseph <anoobj@marvell.com>",
        "To": "Thomas Monjalon <thomas@monjalon.net>, Akhil Goyal <gakhil@marvell.com>,\n Jerin Jacob <jerinj@marvell.com>, Harry van Haaren\n <harry.van.haaren@intel.com>",
        "CC": "Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>, Hemant Agrawal\n <hemant.agrawal@nxp.com>, <dev@dpdk.org>, Olivier Matz\n <olivier.matz@6wind.com>, Vidya Sagar Velumuri <vvelumuri@marvell.com>",
        "Subject": "[PATCH v2 2/5] security: add TLS record processing",
        "Date": "Tue, 3 Oct 2023 16:18:51 +0530",
        "Message-ID": "<20231003104854.1381-3-anoobj@marvell.com>",
        "X-Mailer": "git-send-email 2.25.1",
        "In-Reply-To": "<20231003104854.1381-1-anoobj@marvell.com>",
        "References": "<20230811071712.240-1-anoobj@marvell.com>\n <20231003104854.1381-1-anoobj@marvell.com>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit",
        "Content-Type": "text/plain",
        "X-Proofpoint-ORIG-GUID": "fy3gdiF6CrLA2ETBY_YP3bfWce_OctSC",
        "X-Proofpoint-GUID": "fy3gdiF6CrLA2ETBY_YP3bfWce_OctSC",
        "X-Proofpoint-Virus-Version": "vendor=baseguard\n engine=ICAP:2.0.267,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26\n definitions=2023-10-03_07,2023-10-02_01,2023-05-22_02",
        "X-BeenThere": "dev@dpdk.org",
        "X-Mailman-Version": "2.1.29",
        "Precedence": "list",
        "List-Id": "DPDK patches and discussions <dev.dpdk.org>",
        "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>",
        "List-Archive": "<http://mails.dpdk.org/archives/dev/>",
        "List-Post": "<mailto:dev@dpdk.org>",
        "List-Help": "<mailto:dev-request@dpdk.org?subject=help>",
        "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>",
        "Errors-To": "dev-bounces@dpdk.org"
    },
    "content": "Add Transport Layer Security (TLS) and Datagram Transport Layer Security\n(DTLS). The protocols provide communications privacy for L4 protocols\nsuch as TCP & UDP.\n\nTLS (and DTLS) protocol is composed of two layers,\n1. TLS Record Protocol\n2. TLS Handshake Protocol\n\nWhile TLS Handshake Protocol helps in establishing security parameters\nby which client and server can communicate, TLS Record Protocol provides\nthe connection security. TLS Record Protocol leverages symmetric\ncryptographic operations such as data encryption and authentication for\nproviding security to the communications.\n\nCryptodevs that are capable of offloading TLS Record Protocol may\nperform other operations like IV generation, header insertion, atomic\nsequence number updates and anti-replay window check in addition to\ncryptographic transformations.\n\nSupport for TLS record protocol is added for TLS 1.2, TLS 1.3 and\nDTLS 1.2.\n\nSigned-off-by: Akhil Goyal <gakhil@marvell.com>\nSigned-off-by: Anoob Joseph <anoobj@marvell.com>\nSigned-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>\n---\n doc/guides/prog_guide/rte_security.rst |  62 ++++++++++++++\n lib/security/rte_security.c            |   4 +\n lib/security/rte_security.h            | 110 +++++++++++++++++++++++++\n 3 files changed, 176 insertions(+)",
    "diff": "diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst\nindex ad8c6374bd..f90dee5df0 100644\n--- a/doc/guides/prog_guide/rte_security.rst\n+++ b/doc/guides/prog_guide/rte_security.rst\n@@ -399,6 +399,66 @@ The API ``rte_security_macsec_sc_create`` returns a handle for SC,\n and this handle is set in ``rte_security_macsec_xform``\n to create a MACsec session using ``rte_security_session_create``.\n \n+TLS-Record Protocol\n+~~~~~~~~~~~~~~~~~~~\n+\n+The Transport Layer Protocol provides communications security over the Internet. The protocol\n+allows client/server applications to communicate in a way that is designed to prevent eavesdropping,\n+tampering, or message forgery.\n+\n+TLS protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. At\n+the lowest level, layered on top of some reliable transport protocol (e.g., TCP), is the TLS Record\n+Protocol. The TLS Record Protocol provides connection security that has two basic properties:\n+\n+   -  The connection is private.  Symmetric cryptography is used for data\n+      encryption (e.g., AES, DES, etc.).  The keys for this symmetric encryption\n+      are generated uniquely for each connection and are based on a secret\n+      negotiated during TLS Handshake Protocol. The Record Protocol can also be\n+      used without encryption.\n+\n+   -  The connection is reliable.  Message transport includes a message\n+      integrity check using a keyed MAC.  Secure hash functions (e.g.,\n+      SHA-1, etc.) are used for MAC computations. The Record Protocol can\n+      operate without a MAC when it is being used as a transport for negotiating\n+      security parameters by another protocol.\n+\n+.. 
code-block:: c\n+\n+             Record Write                   Record Read\n+             ------------                   -----------\n+\n+             TLSPlaintext                  TLSCiphertext\n+                  |                              |\n+                  ~                              ~\n+                  |                              |\n+                  V                              V\n+       +----------|-----------+       +----------|-----------+\n+       | Generate sequence no.|       | Generate sequence no.|\n+       +----------|-----------+       +----------------------+\n+                  |                   |    AR check (DTLS)   |\n+       +----------|-----------+       +----------|-----------+\n+       |  Insert TLS header   |                  |\n+       |     & trailer.       |       +----------|-----------+\n+       | (including padding)  |       | Decrypt & MAC verify |\n+       +----------|-----------+       +----------|-----------+\n+                  |                              |\n+        +---------|-----------+       +----------|-----------+\n+        |    MAC generate &   |       |  Remove TLS header   |\n+        |      Encrypt        |       |      & trailer.      
|\n+        +---------|-----------+       | (including padding)  |\n+                  |                   +----------|-----------+\n+                  |                              |\n+                  ~                              ~\n+                  |                              |\n+                  V                              V\n+            TLSCiphertext                  TLSPlaintext\n+\n+Supported Versions\n+^^^^^^^^^^^^^^^^^^\n+\n+* TLS 1.2\n+* TLS 1.3\n+* DTLS 1.2\n \n Device Features and Capabilities\n ---------------------------------\n@@ -701,6 +761,8 @@ PDCP related configuration parameters are defined in ``rte_security_pdcp_xform``\n \n DOCSIS related configuration parameters are defined in ``rte_security_docsis_xform``\n \n+TLS record related configuration parameters are defined in ``rte_security_tls_record_xform``\n+\n \n Security API\n ~~~~~~~~~~~~\ndiff --git a/lib/security/rte_security.c b/lib/security/rte_security.c\nindex ab44bbe0f0..04872ec1a0 100644\n--- a/lib/security/rte_security.c\n+++ b/lib/security/rte_security.c\n@@ -314,6 +314,10 @@ rte_security_capability_get(void *ctx, struct rte_security_capability_idx *idx)\n \t\t\t\t\t\tRTE_SECURITY_PROTOCOL_MACSEC) {\n \t\t\t\tif (idx->macsec.alg == capability->macsec.alg)\n \t\t\t\t\treturn capability;\n+\t\t\t} else if (idx->protocol == RTE_SECURITY_PROTOCOL_TLS_RECORD) {\n+\t\t\t\tif (capability->tls_record.ver == idx->tls_record.ver &&\n+\t\t\t\t    capability->tls_record.type == idx->tls_record.type)\n+\t\t\t\t\treturn capability;\n \t\t\t}\n \t\t}\n \t}\ndiff --git a/lib/security/rte_security.h b/lib/security/rte_security.h\nindex c9cc7a45a6..54c32c1147 100644\n--- a/lib/security/rte_security.h\n+++ b/lib/security/rte_security.h\n@@ -597,6 +597,98 @@ struct rte_security_docsis_xform {\n \t/**< DOCSIS direction */\n };\n \n+/** Implicit nonce length to be used with AEAD algos in TLS 1.2 */\n+#define RTE_SECURITY_TLS_1_2_IMP_NONCE_LEN 4\n+/** Implicit nonce length to be used with 
AEAD algos in TLS 1.3 */\n+#define RTE_SECURITY_TLS_1_3_IMP_NONCE_LEN 12\n+/** Implicit nonce length to be used with AEAD algos in DTLS 1.2 */\n+#define RTE_SECURITY_DTLS_1_2_IMP_NONCE_LEN 4\n+\n+/** TLS version */\n+enum rte_security_tls_version {\n+\tRTE_SECURITY_VERSION_TLS_1_2,\t/**< TLS 1.2 */\n+\tRTE_SECURITY_VERSION_TLS_1_3,\t/**< TLS 1.3 */\n+\tRTE_SECURITY_VERSION_DTLS_1_2,\t/**< DTLS 1.2 */\n+};\n+\n+/** TLS session type */\n+enum rte_security_tls_sess_type {\n+\t/** Record read session\n+\t * - Decrypt & digest verification.\n+\t */\n+\tRTE_SECURITY_TLS_SESS_TYPE_READ,\n+\t/** Record write session\n+\t * - Encrypt & digest generation.\n+\t */\n+\tRTE_SECURITY_TLS_SESS_TYPE_WRITE,\n+};\n+\n+/**\n+ * TLS record session options\n+ */\n+struct rte_security_tls_record_sess_options {\n+\t/** Disable IV generation in PMD\n+\t *\n+\t * * 1: Disable IV generation in PMD. When disabled, IV provided in rte_crypto_op will be\n+\t *      used by the PMD.\n+\t *\n+\t * * 0: Enable IV generation in PMD. When enabled, PMD generated random value would be used\n+\t *      and application is not required to provide IV.\n+\t */\n+\tuint32_t iv_gen_disable : 1;\n+};\n+\n+/**\n+ * TLS record protocol session configuration.\n+ *\n+ * This structure contains data required to create a TLS record security session.\n+ */\n+struct rte_security_tls_record_xform {\n+\t/** TLS record version. */\n+\tenum rte_security_tls_version ver;\n+\t/** TLS record session type. */\n+\tenum rte_security_tls_sess_type type;\n+\t/** TLS record session options. */\n+\tstruct rte_security_tls_record_sess_options options;\n+\tunion {\n+\t\t/** TLS 1.2 parameters. */\n+\t\tstruct {\n+\t\t\t/** Starting sequence number. */\n+\t\t\tuint64_t seq_no;\n+\t\t\t/** Implicit nonce to be used for AEAD algos. */\n+\t\t\tuint8_t imp_nonce[RTE_SECURITY_TLS_1_2_IMP_NONCE_LEN];\n+\t\t} tls_1_2;\n+\n+\t\t/** TLS 1.3 parameters. */\n+\t\tstruct {\n+\t\t\t/** Starting sequence number. 
*/\n+\t\t\tuint64_t seq_no;\n+\t\t\t/** Implicit nonce to be used for AEAD algos. */\n+\t\t\tuint8_t imp_nonce[RTE_SECURITY_TLS_1_3_IMP_NONCE_LEN];\n+\t\t\t/**\n+\t\t\t * Minimum payload length (in case of write sessions). For shorter inputs,\n+\t\t\t * the payload would be padded appropriately before performing crypto\n+\t\t\t * transformations.\n+\t\t\t */\n+\t\t\tuint32_t min_payload_len;\n+\t\t} tls_1_3;\n+\n+\t\t/** DTLS 1.2 parameters */\n+\t\tstruct {\n+\t\t\t/** Epoch value to be used. */\n+\t\t\tuint16_t epoch;\n+\t\t\t/** 6B starting sequence number to be used. */\n+\t\t\tuint64_t seq_no;\n+\t\t\t/** Implicit nonce to be used for AEAD algos. */\n+\t\t\tuint8_t imp_nonce[RTE_SECURITY_DTLS_1_2_IMP_NONCE_LEN];\n+\t\t\t/** Anti replay window size to enable sequence replay attack handling.\n+\t\t\t * Anti replay check is disabled if the window size is 0.\n+\t\t\t */\n+\t\t\tuint32_t ar_win_sz;\n+\t\t} dtls_1_2;\n+\t};\n+};\n+\n /**\n  * Security session action type.\n  */\n@@ -634,6 +726,8 @@ enum rte_security_session_protocol {\n \t/**< PDCP Protocol */\n \tRTE_SECURITY_PROTOCOL_DOCSIS,\n \t/**< DOCSIS Protocol */\n+\tRTE_SECURITY_PROTOCOL_TLS_RECORD,\n+\t/**< TLS Record Protocol */\n };\n /* >8 End enumeration of rte_security_session_protocol. */\n \n@@ -651,6 +745,7 @@ struct rte_security_session_conf {\n \t\tstruct rte_security_macsec_xform macsec;\n \t\tstruct rte_security_pdcp_xform pdcp;\n \t\tstruct rte_security_docsis_xform docsis;\n+\t\tstruct rte_security_tls_record_xform tls_record;\n \t};\n \t/**< Configuration parameters for security session */\n \tstruct rte_crypto_sym_xform *crypto_xform;\n@@ -1217,6 +1312,17 @@ struct rte_security_capability {\n \t\t\t/**< DOCSIS direction */\n \t\t} docsis;\n \t\t/**< DOCSIS capability */\n+\t\tstruct {\n+\t\t\tenum rte_security_tls_version ver;\n+\t\t\t/**< TLS record version. */\n+\t\t\tenum rte_security_tls_sess_type type;\n+\t\t\t/**< TLS record session type. 
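Review bot: In the new `rte_security_tls_record_xform`, the DTLS 1.2 `seq_no` is documented as a "6B starting sequence number" yet the field is `uint64_t`, and nothing in the hunk says what a value with bits 48–63 set means, nor what any of the three versions do when the running sequence number reaches its maximum — the record layer must not wrap (RFC 5246 §6.1, RFC 8446 §5.5), so the PMD's behaviour at that point is a security contract that belongs in the header. I would tighten the DTLS comment to `/** 6B starting sequence number; bits 48-63 must be zero (session creation is expected to fail otherwise). */` and add to each `seq_no` comment `/** The PMD must fail the operation rather than wrap the sequence number. */`. The `iv_gen_disable` option likewise describes a "PMD generated random value", which fits TLS 1.2/DTLS 1.2 explicit nonces and CBC IVs but not TLS 1.3, where the per-record nonce is derived from the sequence number and implicit IV and there is no random IV to generate; the comment should state the option is ignored (or rejected) for `RTE_SECURITY_VERSION_TLS_1_3`. Finally, `min_payload_len` for TLS 1.3 has no stated upper bound relative to the 2^14-byte plaintext limit, so a sentence on what happens when padding would exceed it would help implementers. The enclosing struct ends inside this hunk, but the session-configuration union it is placed into starts outside it.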
*/\n+\t\t\tuint32_t ar_win_size;\n+\t\t\t/**< Maximum anti replay window size supported for DTLS 1.2 record read\n+\t\t\t * operation. Value of 0 means anti replay check is not supported.\n+\t\t\t */\n+\t\t} tls_record;\n+\t\t/**< TLS record capability */\n \t};\n \n \tconst struct rte_cryptodev_capabilities *crypto_capabilities;\n@@ -1280,6 +1386,10 @@ struct rte_security_capability_idx {\n \t\tstruct {\n \t\t\tenum rte_security_macsec_alg alg;\n \t\t} macsec;\n+\t\tstruct {\n+\t\t\tenum rte_security_tls_version ver;\n+\t\t\tenum rte_security_tls_sess_type type;\n+\t\t} tls_record;\n \t};\n };\n \n",
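Review bot: The new capability field is named `ar_win_size` while the matching session parameter added in the same patch is `ar_win_sz`, which invites confusion in code that compares the two; one spelling (the existing `ar_win_sz` in the xform) should be used for both. More importantly, `rte_security_capability_get` in this patch matches a TLS record capability on `ver` and `type` only, so a DTLS 1.2 read session requesting `ar_win_sz` larger than the device's `ar_win_size` is not caught by the lookup and must be checked by the application or by the PMD at session creation; the capability comment should say so, e.g. `/**< ... Applications must ensure rte_security_tls_record_xform.dtls_1_2.ar_win_sz does not exceed this value. */`. The comment should also state what the field means for write sessions and for TLS 1.2/1.3 capability entries, where anti-replay does not apply, presumably 0.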
    "prefixes": [
        "v2",
        "2/5"
    ]
}