Patch Detail

HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 76404,
    "url": "http://patches.dpdk.org/api/patches/76404/?format=api",
    "web_url": "http://patches.dpdk.org/project/dpdk/patch/20200903111836.6864-3-adwivedi@marvell.com/",
    "project": {
        "id": 1,
        "url": "http://patches.dpdk.org/api/projects/1/?format=api",
        "name": "DPDK",
        "link_name": "dpdk",
        "list_id": "dev.dpdk.org",
        "list_email": "dev@dpdk.org",
        "web_url": "http://core.dpdk.org",
        "scm_url": "git://dpdk.org/dpdk",
        "webscm_url": "http://git.dpdk.org/dpdk",
        "list_archive_url": "https://inbox.dpdk.org/dev",
        "list_archive_url_format": "https://inbox.dpdk.org/dev/{}",
        "commit_url_format": ""
    },
    "msgid": "<20200903111836.6864-3-adwivedi@marvell.com>",
    "list_archive_url": "https://inbox.dpdk.org/dev/20200903111836.6864-3-adwivedi@marvell.com",
    "date": "2020-09-03T11:18:36",
    "name": "[2/2] net/octeontx2: add replay check for inline inbound packets",
    "commit_ref": null,
    "pull_url": null,
    "state": "superseded",
    "archived": true,
    "hash": "144dcb80e3c31ddb736f54d9638eeeaa09fa5c13",
    "submitter": {
        "id": 1561,
        "url": "http://patches.dpdk.org/api/people/1561/?format=api",
        "name": "Ankur Dwivedi",
        "email": "adwivedi@marvell.com"
    },
    "delegate": {
        "id": 310,
        "url": "http://patches.dpdk.org/api/users/310/?format=api",
        "username": "jerin",
        "first_name": "Jerin",
        "last_name": "Jacob",
        "email": "jerinj@marvell.com"
    },
    "mbox": "http://patches.dpdk.org/project/dpdk/patch/20200903111836.6864-3-adwivedi@marvell.com/mbox/",
    "series": [
        {
            "id": 11925,
            "url": "http://patches.dpdk.org/api/series/11925/?format=api",
            "web_url": "http://patches.dpdk.org/project/dpdk/list/?series=11925",
            "date": "2020-09-03T11:18:34",
            "name": "add anti replay support in OCTEON TX2 security",
            "version": 1,
            "mbox": "http://patches.dpdk.org/series/11925/mbox/"
        }
    ],
    "comments": "http://patches.dpdk.org/api/patches/76404/comments/",
    "check": "success",
    "checks": "http://patches.dpdk.org/api/patches/76404/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<dev-bounces@dpdk.org>",
        "X-Original-To": "patchwork@inbox.dpdk.org",
        "Delivered-To": "patchwork@inbox.dpdk.org",
        "Received": [
            "from dpdk.org (dpdk.org [92.243.14.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id 8FE2CA04C5;\n\tThu,  3 Sep 2020 13:20:16 +0200 (CEST)",
            "from [92.243.14.124] (localhost [127.0.0.1])\n\tby dpdk.org (Postfix) with ESMTP id 733B11C0B6;\n\tThu,  3 Sep 2020 13:20:16 +0200 (CEST)",
            "from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com\n [67.231.156.173]) by dpdk.org (Postfix) with ESMTP id 77F091BEAF\n for <dev@dpdk.org>; Thu,  3 Sep 2020 13:20:15 +0200 (CEST)",
            "from pps.filterd (m0045851.ppops.net [127.0.0.1])\n by mx0b-0016f401.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id\n 083BFqaV006708; Thu, 3 Sep 2020 04:20:14 -0700",
            "from sc-exch02.marvell.com ([199.233.58.182])\n by mx0b-0016f401.pphosted.com with ESMTP id 337phqb5gk-2\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT);\n Thu, 03 Sep 2020 04:20:14 -0700",
            "from DC5-EXCH01.marvell.com (10.69.176.38) by SC-EXCH02.marvell.com\n (10.93.176.82) with Microsoft SMTP Server (TLS) id 15.0.1497.2;\n Thu, 3 Sep 2020 04:20:13 -0700",
            "from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com\n (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.2 via Frontend\n Transport; Thu, 3 Sep 2020 04:20:12 -0700",
            "from hyd1349.t110.caveonetworks.com (unknown [10.29.45.13])\n by maili.marvell.com (Postfix) with ESMTP id 16F583F704C;\n Thu,  3 Sep 2020 04:20:10 -0700 (PDT)"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com;\n h=from : to : cc :\n subject : date : message-id : in-reply-to : references : mime-version :\n content-transfer-encoding : content-type; s=pfpt0220;\n bh=8HOhr49GfNNnd4TKTIpu6J+t2HDBYwjV5UDwK+jr2II=;\n b=Vw4dBT7B22WxcR1ACkZKbrjeeQ/lNmqARyjNo+Z2Splwa1Lt0qQQ49L41jMZpuy8ZyyF\n cafEBS+y1ifY+OAtIpPGqHc2WyPFa/+YkYt0DzwtsKrsPjCRrO55SXM7UWLDyD3yUzUZ\n 9AOEMDpVQc8ZPM1510u++I29il0opJjP1mOB7KrZQwreHHoV1eGUEc6RkZTqE48y1UxN\n Kk06tyYCUtkq87OSkif43nAJUtsOaBY+Q/GGo5zc+iG+GVP/RFxqlR0U527AO/8l3Wok\n QlnU/2wPr6PwdPlXA+a4JxtwJGXaFcvkHgZ2JxRZ/sCEc2kc7EHtTcJC/acsnl8cWeYo kQ==",
        "From": "Ankur Dwivedi <adwivedi@marvell.com>",
        "To": "<dev@dpdk.org>",
        "CC": "<akhil.goyal@nxp.com>, <radu.nicolau@intel.com>, <anoobj@marvell.com>,\n Ankur Dwivedi <adwivedi@marvell.com>",
        "Date": "Thu, 3 Sep 2020 16:48:36 +0530",
        "Message-ID": "<20200903111836.6864-3-adwivedi@marvell.com>",
        "X-Mailer": "git-send-email 2.28.0",
        "In-Reply-To": "<20200903111836.6864-1-adwivedi@marvell.com>",
        "References": "<20200903111836.6864-1-adwivedi@marvell.com>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit",
        "Content-Type": "text/plain",
        "X-Proofpoint-Virus-Version": "vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687\n definitions=2020-09-03_05:2020-09-03,\n 2020-09-03 signatures=0",
        "Subject": "[dpdk-dev] [PATCH 2/2] net/octeontx2: add replay check for inline\n\tinbound packets",
        "X-BeenThere": "dev@dpdk.org",
        "X-Mailman-Version": "2.1.15",
        "Precedence": "list",
        "List-Id": "DPDK patches and discussions <dev.dpdk.org>",
        "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>",
        "List-Archive": "<http://mails.dpdk.org/archives/dev/>",
        "List-Post": "<mailto:dev@dpdk.org>",
        "List-Help": "<mailto:dev-request@dpdk.org?subject=help>",
        "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>",
        "Errors-To": "dev-bounces@dpdk.org",
        "Sender": "\"dev\" <dev-bounces@dpdk.org>"
    },
    "content": "The function handling anti replay is added. If replay window\nis enabled the rx packets will be validated against the window. The\nrx offload fails in case of error.\n\nSigned-off-by: Ankur Dwivedi <adwivedi@marvell.com>\n---\n .../crypto/octeontx2/otx2_ipsec_anti_replay.h | 208 ++++++++++++++++++\n drivers/net/octeontx2/otx2_rx.h               |   7 +\n 2 files changed, 215 insertions(+)\n create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h",
    "diff": "diff --git a/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h b/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h\nnew file mode 100644\nindex 000000000..44a1be426\n--- /dev/null\n+++ b/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h\n@@ -0,0 +1,208 @@\n+/* SPDX-License-Identifier: BSD-3-Clause\n+ * Copyright (C) 2020 Marvell International Ltd.\n+ */\n+\n+#ifndef __OTX2_IPSEC_ANTI_REPLAY_H__\n+#define __OTX2_IPSEC_ANTI_REPLAY_H__\n+\n+#include <rte_mbuf.h>\n+\n+#include \"otx2_ipsec_fp.h\"\n+\n+#define WORD_SHIFT\t6\n+#define WORD_SIZE\t(1 << WORD_SHIFT)\n+#define WORD_MASK\t(WORD_SIZE - 1)\n+\n+#define IPSEC_ANTI_REPLAY_FAILED\t(-1)\n+\n+static inline int\n+anti_replay_check(uint64_t seq, struct otx2_ipsec_fp_in_sa *sa)\n+{\n+\tstruct otx2_ipsec_replay *replay = sa->replay;\n+\tuint64_t *window = &replay->window[0];\n+\tuint64_t winsz = sa->replay_win_sz;\n+\tuint64_t ex_winsz = winsz + WORD_SIZE;\n+\tuint64_t winwords = ex_winsz >> WORD_SHIFT;\n+\tuint64_t base = replay->base;\n+\tuint32_t winb = replay->winb;\n+\tuint32_t wint = replay->wint;\n+\tuint64_t seqword, shiftwords;\n+\tuint64_t shift = 0;\n+\tuint64_t bit_pos;\n+\tuint64_t tmp = 0;\n+\tuint64_t *wptr;\n+\n+\tif (winsz > 64)\n+\t\tgoto slow_shift;\n+\t/* Check if the seq is the biggest one yet */\n+\tif (likely(seq > base)) {\n+\t\tshift = seq - base;\n+\t\tif (shift < winsz) {  /* In window */\n+\t\t\t/*\n+\t\t\t * If more than 64-bit anti-replay window,\n+\t\t\t * use slow shift routine\n+\t\t\t */\n+\t\t\twptr = window + (shift >> WORD_SHIFT);\n+\t\t\t*wptr <<= shift;\n+\t\t\t*wptr |= 1ull;\n+\t\t} else {\n+\t\t\t/* No special handling of window size > 64 */\n+\t\t\twptr = window + ((winsz - 1) >> WORD_SHIFT);\n+\t\t\t/*\n+\t\t\t * Zero out the whole window (especially for\n+\t\t\t * bigger than 64b window) till the last 64b word\n+\t\t\t * as the incoming sequence number minus\n+\t\t\t * base sequence is more than the window size.\n+\t\t\t */\n+\t\t\twhile (window != wptr)\n+\t\t\t\t*window++ = 0ull;\n+\t\t\t/*\n+\t\t\t * Set the last bit (of the window) to 1\n+\t\t\t * as that corresponds to the base sequence number.\n+\t\t\t * Now any incoming sequence number which is\n+\t\t\t * (base - window size - 1) will pass anti-replay check\n+\t\t\t */\n+\t\t\t*wptr = 1ull;\n+\t\t}\n+\t\t/*\n+\t\t * Set the base to incoming sequence number as\n+\t\t * that is the biggest sequence number seen yet\n+\t\t */\n+\t\treplay->base = seq;\n+\t\treturn 0;\n+\t}\n+\n+\tbit_pos = base - seq;\n+\n+\t/* If seq falls behind the window, return failure */\n+\tif (bit_pos >= winsz)\n+\t\treturn IPSEC_ANTI_REPLAY_FAILED;\n+\n+\t/* seq is within anti-replay window */\n+\twptr = window + ((winsz - bit_pos - 1) >> WORD_SHIFT);\n+\tbit_pos &= WORD_MASK;\n+\n+\t/* Check if this is a replayed packet */\n+\tif (*wptr & ((1ull) << bit_pos))\n+\t\treturn IPSEC_ANTI_REPLAY_FAILED;\n+\n+\t/* mark as seen */\n+\t*wptr |= ((1ull) << bit_pos);\n+\treturn 0;\n+\n+slow_shift:\n+\tif (likely(seq > base)) {\n+\t\tuint32_t i;\n+\n+\t\tshift = seq - base;\n+\t\tif (unlikely(shift >= winsz)) {\n+\t\t\t/*\n+\t\t\t * shift is bigger than the window,\n+\t\t\t * so just zero out everything\n+\t\t\t */\n+\t\t\tfor (i = 0; i < winwords; i++)\n+\t\t\t\twindow[i] = 0;\n+winupdate:\n+\t\t\t/* Find out the word */\n+\t\t\tseqword = ((seq - 1) % ex_winsz) >> WORD_SHIFT;\n+\n+\t\t\t/* Find out the bit in the word */\n+\t\t\tbit_pos = (seq - 1) & WORD_MASK;\n+\n+\t\t\t/*\n+\t\t\t * Set the bit corresponding to sequence number\n+\t\t\t * in window to mark it as received\n+\t\t\t */\n+\t\t\twindow[seqword] |= (1ull << (63 - bit_pos));\n+\n+\t\t\t/* wint and winb range from 1 to ex_winsz */\n+\t\t\treplay->wint = ((wint + shift - 1) % ex_winsz) + 1;\n+\t\t\treplay->winb = ((winb + shift - 1) % ex_winsz) + 1;\n+\n+\t\t\treplay->base = seq;\n+\t\t\treturn 0;\n+\t\t}\n+\n+\t\t/*\n+\t\t * New sequence number is bigger than the base but\n+\t\t * it's not bigger than base + window size\n+\t\t */\n+\n+\t\tshiftwords = ((wint + shift - 1) >> WORD_SHIFT) -\n+\t\t\t     ((wint - 1) >> WORD_SHIFT);\n+\t\tif (unlikely(shiftwords)) {\n+\t\t\ttmp = (wint + WORD_SIZE - 1) / WORD_SIZE;\n+\t\t\tfor (i = 0; i < shiftwords; i++) {\n+\t\t\t\ttmp %= winwords;\n+\t\t\t\twindow[tmp++] = 0;\n+\t\t\t}\n+\t\t}\n+\n+\t\tgoto winupdate;\n+\t}\n+\n+\t/* Sequence number is before the window */\n+\tif (unlikely((seq + winsz) <= base))\n+\t\treturn IPSEC_ANTI_REPLAY_FAILED;\n+\n+\t/* Sequence number is within the window */\n+\n+\t/* Find out the word */\n+\tseqword = ((seq - 1) % ex_winsz) >> WORD_SHIFT;\n+\n+\t/* Find out the bit in the word */\n+\tbit_pos = (seq - 1) & WORD_MASK;\n+\n+\t/* Check if this is a replayed packet */\n+\tif (window[seqword] & (1ull << (63 - bit_pos)))\n+\t\treturn IPSEC_ANTI_REPLAY_FAILED;\n+\n+\t/*\n+\t * Set the bit corresponding to sequence number\n+\t * in window to mark it as received\n+\t */\n+\twindow[seqword] |= (1ull << (63 - bit_pos));\n+\n+\treturn 0;\n+}\n+\n+static int\n+cpt_ipsec_antireplay_check(struct otx2_ipsec_fp_in_sa *sa, char *data)\n+{\n+\tuint64_t seq_in_sa = 0;\n+\tuint32_t seqh = 0;\n+\tuint32_t seql;\n+\tuint64_t seq;\n+\tuint8_t esn;\n+\tint ret;\n+\n+\tesn = sa->ctl.esn_en;\n+\tseql = rte_be_to_cpu_32(*((uint32_t *)(data +\n+\t\t\tOTX2_IPSEC_SEQNO_LO_INDEX)));\n+\n+\tif (!esn)\n+\t\tseq = (uint64_t)seql;\n+\telse {\n+\t\tseqh = rte_be_to_cpu_32(*((uint32_t *)(data +\n+\t\t\t\tOTX2_IPSEC_SEQNO_HI_INDEX)));\n+\t\tseq = ((uint64_t)seqh << 32) | seql;\n+\t}\n+\n+\tif (unlikely(seq == 0))\n+\t\treturn IPSEC_ANTI_REPLAY_FAILED;\n+\n+\trte_spinlock_lock(&sa->replay->lock);\n+\tret = anti_replay_check(seq, sa);\n+\tif (esn && (ret == 0)) {\n+\t\tseq_in_sa = ((uint64_t)rte_be_to_cpu_32(sa->esn_hi) << 32) |\n+\t\t\t\trte_be_to_cpu_32(sa->esn_low);\n+\t\tif (seq > seq_in_sa) {\n+\t\t\tsa->esn_low = rte_cpu_to_be_32(seql);\n+\t\t\tsa->esn_hi = rte_cpu_to_be_32(seqh);\n+\t\t}\n+\t}\n+\trte_spinlock_unlock(&sa->replay->lock);\n+\n+\treturn ret;\n+}\n+#endif /* __OTX2_IPSEC_ANTI_REPLAY_H__ */\ndiff --git a/drivers/net/octeontx2/otx2_rx.h b/drivers/net/octeontx2/otx2_rx.h\nindex d8648b692..f29a0542f 100644\n--- a/drivers/net/octeontx2/otx2_rx.h\n+++ b/drivers/net/octeontx2/otx2_rx.h\n@@ -9,6 +9,7 @@\n \n #include \"otx2_common.h\"\n #include \"otx2_ethdev_sec.h\"\n+#include \"otx2_ipsec_anti_replay.h\"\n #include \"otx2_ipsec_fp.h\"\n \n /* Default mark value used when none is provided. */\n@@ -243,6 +244,12 @@ nix_rx_sec_mbuf_update(const struct nix_cqe_hdr_s *cq, struct rte_mbuf *m,\n \tm->udata64 = (uint64_t)sa->userdata;\n \n \tdata = rte_pktmbuf_mtod(m, char *);\n+\n+\tif (sa->replay_win_sz) {\n+\t\tif (cpt_ipsec_antireplay_check(sa, data) < 0)\n+\t\t\treturn PKT_RX_SEC_OFFLOAD | PKT_RX_SEC_OFFLOAD_FAILED;\n+\t}\n+\n \tmemcpy(data + INLINE_INB_RPTR_HDR, data, RTE_ETHER_HDR_LEN);\n \n \tm->data_off += INLINE_INB_RPTR_HDR;\n",
    "prefixes": [
        "2/2"
    ]
}