[v2,0/5] add TLS record processing security offload

Message ID 20231003104854.1381-1-anoobj@marvell.com (mailing list archive)

Anoob Joseph Oct. 3, 2023, 10:48 a.m. UTC
Add Transport Layer Security (TLS) and Datagram Transport Layer Security
(DTLS). The protocols provide communications privacy for L4 protocols
such as TCP & UDP.

TLS (and DTLS) protocol is composed of two layers,
1. TLS Record Protocol
2. TLS Handshake Protocol

While TLS Handshake Protocol helps in establishing security parameters
by which client and server can communicate, TLS Record Protocol provides
the connection security. TLS Record Protocol leverages symmetric
cryptographic operations such as data encryption and authentication for
providing security to the communications.

Cryptodevs that are capable of offloading TLS Record Protocol may
perform other operations like IV generation, header insertion, atomic
sequence number updates and anti-replay window check in addition to
cryptographic transformations.

In record write operations, message content type is a per packet field
which is used in constructing the TLS header. One session is expected
to handle all types of content types and so, 'rte_crypto_op.aux_flags'
is used for passing the same.

Support for TLS record protocol is added for TLS 1.2, TLS 1.3 and
DTLS 1.2.

Changes in v2:
- Replaced CCS with CHANGE_CIPHER_SPEC (Harry)
- Split patches to clarify lifetime tracking and notification of the
  same in rte_crypto_op (Harry)
- Use 8 bits reserved space in rte_crypto_op to pass content type from
  application to PMD (in case of record write) and from PMD to
  application (in case of record read). TLS 1.3 has content type as
  part of trailer which would be encrypted and would be removed by PMD.
- Updated documentation (Harry)

Akhil Goyal (1):
  net: add headers for TLS/DTLS packets

Anoob Joseph (2):
  security: add TLS record processing
  security: support extra padding with TLS

Vidya Sagar Velumuri (2):
  security: support TLS record lifetime notification
  cryptodev: add details of datapath handling of TLS records

 doc/api/doxy-api-index.md              |   2 +
 doc/guides/prog_guide/rte_security.rst |  74 +++++++++++++
 doc/guides/rel_notes/release_23_11.rst |   6 ++
 lib/cryptodev/rte_crypto.h             |  50 ++++++++-
 lib/net/meson.build                    |   2 +
 lib/net/rte_dtls.h                     |  61 +++++++++++
 lib/net/rte_tls.h                      |  48 +++++++++
 lib/security/rte_security.c            |   4 +
 lib/security/rte_security.h            | 144 +++++++++++++++++++++++++
 9 files changed, 388 insertions(+), 3 deletions(-)
 create mode 100644 lib/net/rte_dtls.h
 create mode 100644 lib/net/rte_tls.h
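The cover letter above lists what a record-processing offload does beyond the cipher itself: header insertion with a per-packet content type, sequence-number updates, an anti-replay window check, and, for TLS 1.3, removal of the encrypted trailer that carries the content type. The C below is an added illustration of those steps in software and is not code from this series or from DPDK's rte_security/rte_cryptodev APIs; the helper names (dtls12_hdr_write, dtls12_hdr_parse, replay_check_update, tls13_inner_strip, and the wrappers dtls12_hdr_roundtrip and replay_accept_count) and the sample inputs are assumptions chosen for the example. The `type` argument stands in for the per-packet content type the series carries in `rte_crypto_op.aux_flags`. Constants come from the RFCs: the DTLS 1.2 wire version 0xFEFD (RFC 6347), the handshake and application_data content types 22 and 23 (RFC 5246), and the TLSInnerPlaintext layout (RFC 8446).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Standard TLS record content types (RFC 5246 / RFC 8446). */
#define TLS_TYPE_HANDSHAKE        22
#define TLS_TYPE_APPLICATION_DATA 23
#define DTLS12_VERSION 0xFEFD /* DTLS 1.2 wire version (RFC 6347) */
#define DTLS_HDR_LEN   13     /* type(1) version(2) epoch(2) seq(6) length(2) */

/* Header insertion for a DTLS 1.2 record write (hypothetical helper): 'type' is the
 * per-packet content type, 'seq48' the 48-bit per-epoch sequence number an offload
 * would bump atomically per record. Returns the number of bytes written. */
size_t dtls12_hdr_write(uint8_t *out, uint8_t type, uint16_t epoch,
                        uint64_t seq48, uint16_t payload_len)
{
    out[0] = type;
    out[1] = DTLS12_VERSION >> 8;
    out[2] = DTLS12_VERSION & 0xff;
    out[3] = (uint8_t)(epoch >> 8);
    out[4] = (uint8_t)epoch;
    for (int i = 0; i < 6; i++)
        out[5 + i] = (uint8_t)(seq48 >> (8 * (5 - i)));
    out[11] = (uint8_t)(payload_len >> 8);
    out[12] = (uint8_t)payload_len;
    return DTLS_HDR_LEN;
}

/* Header parse for a record read; -1 on a short buffer or wrong version. */
int dtls12_hdr_parse(const uint8_t *in, size_t in_len, uint8_t *type,
                     uint16_t *epoch, uint64_t *seq48, uint16_t *payload_len)
{
    if (in_len < DTLS_HDR_LEN || ((in[1] << 8) | in[2]) != DTLS12_VERSION)
        return -1;
    *type = in[0];
    *epoch = (uint16_t)((in[3] << 8) | in[4]);
    *seq48 = 0;
    for (int i = 0; i < 6; i++)
        *seq48 = (*seq48 << 8) | in[5 + i];
    *payload_len = (uint16_t)((in[11] << 8) | in[12]);
    return 0;
}

/* Write then parse; 1 if every field survives the trip, 0 otherwise. */
int dtls12_hdr_roundtrip(uint8_t type, uint16_t epoch, uint64_t seq48, uint16_t len)
{
    uint8_t hdr[DTLS_HDR_LEN], t;
    uint16_t e, l; uint64_t s;
    dtls12_hdr_write(hdr, type, epoch, seq48, len);
    if (dtls12_hdr_parse(hdr, sizeof hdr, &t, &e, &s, &l) != 0)
        return 0;
    return t == type && e == epoch && s == (seq48 & 0xFFFFFFFFFFFFULL) && l == len;
}

/* 64-entry anti-replay sliding window (RFC 6347 4.1.2.6, RFC 4303 style):
 * 'top' is the highest sequence accepted; bit i of 'bits' marks top - i as seen. */
struct replay_win { uint64_t top; uint64_t bits; };

/* Returns 1 and records 'seq' if it is new and inside the window, else 0. */
int replay_check_update(struct replay_win *w, uint64_t seq)
{
    if (seq > w->top) {                      /* newer than anything seen: slide */
        uint64_t shift = seq - w->top;
        w->bits = (shift >= 64 ? 0 : w->bits << shift) | 1;
        w->top = seq;
        return 1;
    }
    uint64_t diff = w->top - seq;
    if (diff >= 64 || (w->bits & ((uint64_t)1 << diff)))
        return 0;                            /* too old, or a duplicate */
    w->bits |= (uint64_t)1 << diff;
    return 1;
}

/* Feeds a constructed sequence trace to a fresh window; returns how many pass. */
size_t replay_accept_count(const uint64_t *seqs, size_t n)
{
    struct replay_win w = {0, 0};
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        accepted += (size_t)replay_check_update(&w, seqs[i]);
    return accepted;
}

/* TLS 1.3 TLSInnerPlaintext (RFC 8446 5.2) is content || type || zero padding.
 * Scans back over the padding to the type byte, as a record-read offload must
 * before returning the content type. Returns the content length, or -1 when no
 * non-zero byte exists (RFC 8446 makes that a fatal unexpected_message). */
long tls13_inner_strip(const uint8_t *pt, size_t len, uint8_t *type_out)
{
    size_t i = len;
    while (i > 0 && pt[i - 1] == 0)
        i--;
    if (i == 0)
        return -1;
    if (type_out)
        *type_out = pt[i - 1];
    return (long)(i - 1);
}
```

Two read-side behaviours are the ones worth checking in any offload: a replayed or too-old DTLS sequence number is dropped before the record reaches the application, and a TLS 1.3 inner plaintext consisting only of zero padding is rejected rather than reported as content type 0. Note also that content which itself ends in 0x00 bytes is preserved, because the non-zero type byte sits between the content and the padding.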
  

Comments

Akhil Goyal Oct. 4, 2023, 10:51 a.m. UTC | #1
Hi Harry,

Do you have any further comments on this series?

Regards,
Akhil

> -----Original Message-----
> From: Anoob Joseph <anoobj@marvell.com>
> Sent: Tuesday, October 3, 2023 4:19 PM
> To: Thomas Monjalon <thomas@monjalon.net>; Akhil Goyal
> <gakhil@marvell.com>; Jerin Jacob Kollanukkaran <jerinj@marvell.com>; Harry
> van Haaren <harry.van.haaren@intel.com>
> Cc: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>; Hemant Agrawal
> <hemant.agrawal@nxp.com>; dev@dpdk.org; Olivier Matz
> <olivier.matz@6wind.com>; Vidya Sagar Velumuri <vvelumuri@marvell.com>
> Subject: [PATCH v2 0/5] add TLS record processing security offload
> 
> Add Transport Layer Security (TLS) and Datagram Transport Layer Security
> (DTLS). The protocols provide communications privacy for L4 protocols
> such as TCP & UDP.
> 
> TLS (and DTLS) protocol is composed of two layers,
> 1. TLS Record Protocol
> 2. TLS Handshake Protocol
> 
> While TLS Handshake Protocol helps in establishing security parameters
> by which client and server can communicate, TLS Record Protocol provides
> the connection security. TLS Record Protocol leverages symmetric
> cryptographic operations such as data encryption and authentication for
> providing security to the communications.
> 
> Cryptodevs that are capable of offloading TLS Record Protocol may
> perform other operations like IV generation, header insertion, atomic
> sequence number updates and anti-replay window check in addition to
> cryptographic transformations.
> 
> In record write operations, message content type is a per packet field
> which is used in constructing the TLS header. One session is expected
> to handle all types of content types and so, 'rte_crypto_op.aux_flags'
> is used for passing the same.
> 
> Support for TLS record protocol is added for TLS 1.2, TLS 1.3 and
> DTLS 1.2.
> 
> Changes in v2:
> - Replaced CCS with CHANGE_CIPHER_SPEC (Harry)
> - Split patches to clarify lifetime tracking and notification of the
>   same in rte_crypto_op (Harry)
> - Use 8 bits reserved space in rte_crypto_op to pass content type from
>   application to PMD (in case of record write) and from PMD to
>   application (in case of record read). TLS 1.3 has content type as
>   part of trailer which would be encrypted and would be removed by PMD.
> - Updated documentation (Harry)
> 
> Akhil Goyal (1):
>   net: add headers for TLS/DTLS packets
> 
> Anoob Joseph (2):
>   security: add TLS record processing
>   security: support extra padding with TLS
> 
> Vidya Sagar Velumuri (2):
>   security: support TLS record lifetime notification
>   cryptodev: add details of datapath handling of TLS records
> 
>  doc/api/doxy-api-index.md              |   2 +
>  doc/guides/prog_guide/rte_security.rst |  74 +++++++++++++
>  doc/guides/rel_notes/release_23_11.rst |   6 ++
>  lib/cryptodev/rte_crypto.h             |  50 ++++++++-
>  lib/net/meson.build                    |   2 +
>  lib/net/rte_dtls.h                     |  61 +++++++++++
>  lib/net/rte_tls.h                      |  48 +++++++++
>  lib/security/rte_security.c            |   4 +
>  lib/security/rte_security.h            | 144 +++++++++++++++++++++++++
>  9 files changed, 388 insertions(+), 3 deletions(-)
>  create mode 100644 lib/net/rte_dtls.h
>  create mode 100644 lib/net/rte_tls.h
> 
> --
> 2.25.1
  
Van Haaren, Harry Oct. 4, 2023, 3:44 p.m. UTC | #2
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Wednesday, October 4, 2023 11:51 AM
> To: Van Haaren, Harry <harry.van.haaren@intel.com>; Thomas Monjalon
> <thomas@monjalon.net>
> Cc: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>; Hemant Agrawal
> <hemant.agrawal@nxp.com>; dev@dpdk.org; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>; Anoob Joseph <anoobj@marvell.com>; Matz, Olivier
> <olivier.matz@6wind.com>; Vidya Sagar Velumuri <vvelumuri@marvell.com>
> Subject: RE: [PATCH v2 0/5] add TLS record processing security offload
> 
> Hi Harry,
> 
> Do you have any further comments on this series?

No additional comments here, thanks for rework Anoob.

Series-Acked-By: Harry van Haaren <harry.van.haaren@intel.com>

<snip>
  
Akhil Goyal Oct. 9, 2023, 8:08 p.m. UTC | #3
> Subject: [PATCH v2 0/5] add TLS record processing security offload
> 
> Add Transport Layer Security (TLS) and Datagram Transport Layer Security
> (DTLS). The protocols provide communications privacy for L4 protocols
> such as TCP & UDP.
> 
> TLS (and DTLS) protocol is composed of two layers,
> 1. TLS Record Protocol
> 2. TLS Handshake Protocol
> 
> While TLS Handshake Protocol helps in establishing security parameters
> by which client and server can communicate, TLS Record Protocol provides
> the connection security. TLS Record Protocol leverages symmetric
> cryptographic operations such as data encryption and authentication for
> providing security to the communications.
> 
> Cryptodevs that are capable of offloading TLS Record Protocol may
> perform other operations like IV generation, header insertion, atomic
> sequence number updates and anti-replay window check in addition to
> cryptographic transformations.
> 
> In record write operations, message content type is a per packet field
> which is used in constructing the TLS header. One session is expected
> to handle all types of content types and so, 'rte_crypto_op.aux_flags'
> is used for passing the same.
> 
> Support for TLS record protocol is added for TLS 1.2, TLS 1.3 and
> DTLS 1.2.
> 
> Changes in v2:
> - Replaced CCS with CHANGE_CIPHER_SPEC (Harry)
> - Split patches to clarify lifetime tracking and notification of the
>   same in rte_crypto_op (Harry)
> - Use 8 bits reserved space in rte_crypto_op to pass content type from
>   application to PMD (in case of record write) and from PMD to
>   application (in case of record read). TLS 1.3 has content type as
>   part of trailer which would be encrypted and would be removed by PMD.
> - Updated documentation (Harry)
> 
> Akhil Goyal (1):
>   net: add headers for TLS/DTLS packets
> 
> Anoob Joseph (2):
>   security: add TLS record processing
>   security: support extra padding with TLS
> 
> Vidya Sagar Velumuri (2):
>   security: support TLS record lifetime notification
>   cryptodev: add details of datapath handling of TLS records
> 
>  doc/api/doxy-api-index.md              |   2 +
>  doc/guides/prog_guide/rte_security.rst |  74 +++++++++++++
>  doc/guides/rel_notes/release_23_11.rst |   6 ++
>  lib/cryptodev/rte_crypto.h             |  50 ++++++++-
>  lib/net/meson.build                    |   2 +
>  lib/net/rte_dtls.h                     |  61 +++++++++++
>  lib/net/rte_tls.h                      |  48 +++++++++
>  lib/security/rte_security.c            |   4 +
>  lib/security/rte_security.h            | 144 +++++++++++++++++++++++++
>  9 files changed, 388 insertions(+), 3 deletions(-)
>  create mode 100644 lib/net/rte_dtls.h
>  create mode 100644 lib/net/rte_tls.h
> 
Series Applied to dpdk-next-crypto
Updated comments with minor formatting across the patches. Please check.

Thanks.