| Message ID | cover.1571928488.git.Pavel.Belous@aquantia.com (mailing list archive) |
|---|---|
| Headers |
Return-Path: <dev-bounces@dpdk.org> X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 1EE891D425; Fri, 25 Oct 2019 19:53:55 +0200 (CEST) Received: from NAM05-DM3-obe.outbound.protection.outlook.com (mail-eopbgr730073.outbound.protection.outlook.com [40.107.73.73]) by dpdk.org (Postfix) with ESMTP id D3E771D421 for <dev@dpdk.org>; Fri, 25 Oct 2019 19:53:53 +0200 (CEST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Pq5FRLE02lzdAgFiejwp0+AYYiU8KTVVFSI+zP/iDAkBsW9QeIT1UMHKP3VlFJFjqSybbBDE9op6O+WePyOR3QvjgsjdOhXwHEk6GO2+7pG9+QNy5AO8dsj6EShttEin9prLJoPe7QApvo5Db06PkYkJZVbOUaeMv9K0iPnn3CEmN57cUvUqdQnD1uvdlv5Tk+Yx3IjZYYTv1o/G3G0UL/AaaLBCrBm0l/3RxS87ytHJmxItduAJ5hqWFJSR7rZuuyXXL8uTIALHC8Q/4qojBDuk4iJeomKDdbh5Vn5u0KBIwH1oICOTDv/q+wMF3PvPbADgGZb/TWP5eO3fOANyfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pfcHmmQGOY2K6xYjIicsW3StPkW2/DXrp9lAxIyRhws=; b=SWMopm/jCpWZ5235sJ4IfhBfoDv1yPIoVXvUb2/5tgJyISFSUd0LlEhVkmGnstV+Bg1vrstVzGQsTIbgN+GzuKESJtGoWNarMo1B8vet+mg1cSvVXu6V0HZfu//FQJf7zyIT7zHPeLcPx0o88gscrgscTaLS5mebjN5miMWVXwnP9ULLl1ww+IpdnKax6F5RcUmR0mdGDoHfBTGSY8rLdTIZ89n7bRACdHTlImPUF+ToVFsbzTyisl6ColhGZKmyuI5gU0XznNFEIXCLeGz5v7/TZfSQ0P6aIJSwY8ezQYY+SCmenaN8lquky3XBQ2Fz0IUxOTLWEqFQIMK4VG2tBQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=aquantia.com; dmarc=pass action=none header.from=aquantia.com; dkim=pass header.d=aquantia.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=AQUANTIA1COM.onmicrosoft.com; s=selector2-AQUANTIA1COM-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pfcHmmQGOY2K6xYjIicsW3StPkW2/DXrp9lAxIyRhws=; b=i4e3utwZ02pplTqz6n2PUV4ht7ZSNXoYlsnKz9KcQ79wL/7QOytl7JvyfrCssYCchcmUpCDnSInSe/oafBginkalbWsgBbNQgfGXKaj7yuqL4nbPhsOYZdlBZ7iDHuqCsnHctoP7an3MWxbCY57gLkW7y8fbR4zY8CdGwYEin6k= Received: from CY4PR1101MB2183.namprd11.prod.outlook.com (10.172.76.20) by CY4PR1101MB2311.namprd11.prod.outlook.com (10.174.53.140) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2387.22; Fri, 25 Oct 2019 17:53:50 +0000 Received: from CY4PR1101MB2183.namprd11.prod.outlook.com ([fe80::55e:4921:90d1:670a]) by CY4PR1101MB2183.namprd11.prod.outlook.com ([fe80::55e:4921:90d1:670a%12]) with mapi id 15.20.2387.023; Fri, 25 Oct 2019 17:53:49 +0000 From: Pavel Belous <Pavel.Belous@aquantia.com> To: "dev@dpdk.org" <dev@dpdk.org> CC: Ferruh Yigit <ferruh.yigit@intel.com>, Akhil Goyal <akhil.goyal@nxp.com>, John McNamara <john.mcnamara@intel.com>, Declan Doherty <declan.doherty@intel.com>, Konstantin Ananyev <konstantin.ananyev@intel.com>, Thomas Monjalon <thomas@monjalon.net>, Igor Russkikh <Igor.Russkikh@aquantia.com>, Fenilkumar Patel <fenpatel@cisco.com>, Hitesh K Maisheri <hmaisher@cisco.com>, Pavel Belous <Pavel.Belous@aquantia.com> Thread-Topic: [RFC v2 0/7] RFC: Support MACSEC offload in the RTE_SECURITY infrastructure. Thread-Index: AQHVi10nBXEPDIlV80SgF8Z6g0SzcQ== Date: Fri, 25 Oct 2019 17:53:49 +0000 Message-ID: <cover.1571928488.git.Pavel.Belous@aquantia.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-clientproxiedby: PR1PR01CA0020.eurprd01.prod.exchangelabs.com (2603:10a6:102::33) To CY4PR1101MB2183.namprd11.prod.outlook.com (2603:10b6:910:18::20) authentication-results: spf=none (sender IP is ) smtp.mailfrom=Pavel.Belous@aquantia.com; x-ms-exchange-messagesentrepresentingtype: 1 x-mailer: git-send-email 2.7.4 x-originating-ip: [95.79.108.179] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: bb78c616-8b9e-42fa-93cd-08d759744a17 x-ms-traffictypediagnostic: CY4PR1101MB2311: x-ms-exchange-purlcount: 1 x-ld-processed: 83e2e134-991c-4ede-8ced-34d47e38e6b1,ExtFwd x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: <CY4PR1101MB23112E1669FE1F7E6EFCB286E1650@CY4PR1101MB2311.namprd11.prod.outlook.com> x-ms-oob-tlc-oobclassifiers: OLM:10000; x-forefront-prvs: 02015246A9 x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39850400004)(366004)(396003)(376002)(136003)(346002)(199004)(189003)(66476007)(66556008)(486006)(66446008)(64756008)(7736002)(476003)(36756003)(86362001)(2616005)(6486002)(71200400001)(6512007)(5640700003)(71190400001)(44832011)(2906002)(6436002)(2351001)(305945005)(66946007)(14454004)(5660300002)(966005)(508600001)(25786009)(4326008)(50226002)(66066001)(6116002)(2501003)(107886003)(3846002)(256004)(14444005)(6306002)(54906003)(99286004)(6916009)(26005)(186003)(102836004)(52116002)(386003)(6506007)(316002)(8676002)(1730700003)(81156014)(81166006)(8936002); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR1101MB2311; H:CY4PR1101MB2183.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: aquantia.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: /tEKgJv1+9/Mu1H8HPeWbbP2h8bhun4D8Mdst2RrGM6e9jxeIC7w77H952IxE8iqvOqFMiWqjrv8cIo3CTi4me7hfBEW4+21xf5RvrLBxss+gJfTolktCCZux15KY5sFPiy75ZK53wx8asFy15I1ixOFK9pqODNaMvDK42Tti64oAbZijYsX1vdsu1gmpnzTqUH1N7Xk2d23j6Ie5MufyO08mTeUE8sTAVOcFK8yD+pMXaOZxcebmecTApV+Z8feNKL7snB6mKOFMlN5NWlc6N/8hVZ8CX4DmMXA7+um3WOZes/39dDrtoLVDomFq4TwwFlczkSVT3Mm+mUUKG5Ijrjs89TlbJtu6qCtJS2LPFapQiQecPisl2U7a4iiCZAO/HKzaMeD+wwbKOaUI4Pjx/0GMtXfYiUiJ6bzV5bGSFcFnF3bH8PkifaVRg62ypntnehoB++N4/4r+s6f8Mc1kVIMytjcGmLSD0AbmjTbs1E= Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: aquantia.com X-MS-Exchange-CrossTenant-Network-Message-Id: bb78c616-8b9e-42fa-93cd-08d759744a17 X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Oct 2019 17:53:49.3630 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 83e2e134-991c-4ede-8ced-34d47e38e6b1 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: EK6ewOlG3l8Q/MlO7XXrbz/7Vfwjr2G/mT8hmiB0NaNs1gg/6Pp3MW4WYRoV9tYHhO6+m+4Ot3czM3w3EbpV7g== X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1101MB2311 Subject: [dpdk-dev] [RFC v2 0/7] RFC: Support MACSEC offload in the RTE_SECURITY infrastructure. X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions <dev.dpdk.org> List-Unsubscribe: <https://mails.dpdk.org/options/dev>, <mailto:dev-request@dpdk.org?subject=unsubscribe> List-Archive: <http://mails.dpdk.org/archives/dev/> List-Post: <mailto:dev@dpdk.org> List-Help: <mailto:dev-request@dpdk.org?subject=help> List-Subscribe: <https://mails.dpdk.org/listinfo/dev>, <mailto:dev-request@dpdk.org?subject=subscribe> Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org> |
| Series |
RFC: Support MACSEC offload in the RTE_SECURITY infrastructure.
|
|
Message
Pavel Belous
Oct. 25, 2019, 5:53 p.m. UTC
From: Pavel Belous <Pavel.Belous@aquantia.com>
This RFC suggest possible API to implement generic MACSEC HW
offload in DPDK infrastructure.
Right now two PMDs implementing MACSEC hw offload via private
API: ixgbe (Intel) and atlantic (Aquantia).
During that private API discussion it was decided to go further
with well defined public API, based most probably on rte_security
infrastructure.
Here is that previous discussion:
http://inbox.dpdk.org/dev/20190416101145.nVecHKp3w14Ptd_hne-DqHhKyzbre88PwNI-OAowXJM@z/
Declaring macsec API via rte_security gives a good data-centric view on parameters
and operations macsec supports. Old, pure functional API (basically ixbe only API)
presented function calls with big argument lists which is hard to extend and analyse.
However, I'd like to note rte_security has to be used via explicitly created
mempools - this hardens abit the usage.
It also may be hard to extend the structures in the ABI compatible way.
One of the problems with MACSEC is that internally implementation and hardware
support could be either very simple, doing only endpoint encryption with a single
TX SC (Secure Connection), or quite complex, capable to do flexible filtering
and SC matching based on mac, vlan, ethertype and other.
Different macsec hardware supports some custom features and from our experience
users would like to configure these as well. Therefore there will probably be
needed a number of PMD specific macsec operators support.
Examples include: custom in-the-clear tag (matched by vlan id or mask),
configurable internal logic to allow both secure and unsecure traffic,
bypass filters on specific ethertypes.
To support such extensions, suggest use rte_security_macsec_op enum with
vendor specific operation codes.
In context of rte_security, MACSEC operations should normally be based on
security session create and update calls.
Session create is used to setup overall session. Thats equivalent of old
`macsec enable` operation.
Session update is used to update security connections and associations.
Here xform->op contains the required operation: rx/tx session/association
add/update/removal.
This RFC contains:
- patch 1-2 is rte_security data structures declaration and documentation
- patches 3-5 MACSEC implementation for atlantic (Aquantia) driver, using
new rte_security interface.
- patches 6-7 is a draft on how testpmd based invocations of rte_security
API will look like
To be done/decide:
- add missing documentation and comments to all the structures
- full testpmd macsec API adoption
- ixgbe api adoptation
- decide on how to declare SA (Security Associations) auto rollover and
some other important features.
- interrupt event callback detalization of possible macsec events.
Notice that it is not a part of rte_security, but a part of rte_ethdev.
- add ability to retrieve MACSEC statistics per individual SC/SA.
Pavel Belous (7):
security: MACSEC infrastructure data declarations
security: Update rte_security documentation
net/atlantic: Add helper functions for PHY access
net/atlantic: add MACSEC internal HW data declaration and functions
net/atlantic: implementation of the MACSEC using rte_security
interface
app/testpmd: macsec on/off commands using rte_security interface
app/testpmd: macsec adding RX/TX SC using rte_security interface
app/test-pmd/Makefile | 1 +
app/test-pmd/cmdline.c | 20 +-
app/test-pmd/macsec.c | 138 ++
app/test-pmd/macsec.h | 14 +
app/test-pmd/meson.build | 3 +-
doc/guides/prog_guide/rte_security.rst | 4 -
drivers/net/atlantic/Makefile | 5 +-
drivers/net/atlantic/atl_ethdev.c | 316 +---
drivers/net/atlantic/atl_sec.c | 615 ++++++++
drivers/net/atlantic/atl_sec.h | 124 ++
drivers/net/atlantic/hw_atl/hw_atl_utils.h | 116 +-
drivers/net/atlantic/macsec/MSS_Egress_registers.h | 1498 ++++++++++++++++++
.../net/atlantic/macsec/MSS_Ingress_registers.h | 1135 ++++++++++++++
drivers/net/atlantic/macsec/macsec_api.c | 1612 ++++++++++++++++++++
drivers/net/atlantic/macsec/macsec_api.h | 111 ++
drivers/net/atlantic/macsec/macsec_struct.h | 269 ++++
drivers/net/atlantic/macsec/mdio.c | 328 ++++
drivers/net/atlantic/macsec/mdio.h | 19 +
drivers/net/atlantic/meson.build | 6 +-
drivers/net/atlantic/rte_pmd_atlantic.c | 102 --
drivers/net/atlantic/rte_pmd_atlantic.h | 144 --
drivers/net/atlantic/rte_pmd_atlantic_version.map | 16 -
lib/librte_security/rte_security.h | 143 +-
23 files changed, 6080 insertions(+), 659 deletions(-)
create mode 100644 app/test-pmd/macsec.c
create mode 100644 app/test-pmd/macsec.h
create mode 100644 drivers/net/atlantic/atl_sec.c
create mode 100644 drivers/net/atlantic/atl_sec.h
create mode 100644 drivers/net/atlantic/macsec/MSS_Egress_registers.h
create mode 100644 drivers/net/atlantic/macsec/MSS_Ingress_registers.h
create mode 100644 drivers/net/atlantic/macsec/macsec_api.c
create mode 100644 drivers/net/atlantic/macsec/macsec_api.h
create mode 100644 drivers/net/atlantic/macsec/macsec_struct.h
create mode 100644 drivers/net/atlantic/macsec/mdio.c
create mode 100644 drivers/net/atlantic/macsec/mdio.h
delete mode 100644 drivers/net/atlantic/rte_pmd_atlantic.c
delete mode 100644 drivers/net/atlantic/rte_pmd_atlantic.h
delete mode 100644 drivers/net/atlantic/rte_pmd_atlantic_version.map
Comments
Hi Pavel, > From: Pavel Belous <Pavel.Belous@aquantia.com> > > This RFC suggest possible API to implement generic MACSEC HW > offload in DPDK infrastructure. > > Right now two PMDs implementing MACSEC hw offload via private > API: ixgbe (Intel) and atlantic (Aquantia). > > During that private API discussion it was decided to go further > with well defined public API, based most probably on rte_security > infrastructure. > > Here is that previous discussion: > > http://inbox.dpdk.org/dev/20190416101145.nVecHKp3w14Ptd_hne-DqHhKyzbre88PwNI-OAowXJM@z/ > > Declaring macsec API via rte_security gives a good data-centric view on > parameters > and operations macsec supports. Old, pure functional API (basically ixbe only API) > presented function calls with big argument lists which is hard to extend and > analyse. > > However, I'd like to note rte_security has to be used via explicitly created > mempools - this hardens abit the usage. > It also may be hard to extend the structures in the ABI compatible way. > > One of the problems with MACSEC is that internally implementation and > hardware > support could be either very simple, doing only endpoint encryption with a single > TX SC (Secure Connection), or quite complex, capable to do flexible filtering > and SC matching based on mac, vlan, ethertype and other. > > Different macsec hardware supports some custom features and from our > experience > users would like to configure these as well. Therefore there will probably be > needed a number of PMD specific macsec operators support. > > Examples include: custom in-the-clear tag (matched by vlan id or mask), > configurable internal logic to allow both secure and unsecure traffic, > bypass filters on specific ethertypes. > To support such extensions, suggest use rte_security_macsec_op enum with > vendor specific operation codes. > > In context of rte_security, MACSEC operations should normally be based on > security session create and update calls. > > Session create is used to setup overall session. Thats equivalent of old > `macsec enable` operation. > > Session update is used to update security connections and associations. > Here xform->op contains the required operation: rx/tx session/association > add/update/removal. > The patches look good from rte_security perspective. You can send the formal Patches for 20.05 window.