From patchwork Thu Oct 14 16:03:21 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 101638 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id B1EDBA0C4B; Thu, 14 Oct 2021 18:17:45 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 99F874113C; Thu, 14 Oct 2021 18:17:40 +0200 (CEST) Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mails.dpdk.org (Postfix) with ESMTP id EB1004003C for ; Thu, 14 Oct 2021 18:17:37 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10137"; a="214879280" X-IronPort-AV: E=Sophos;i="5.85,372,1624345200"; d="scan'208";a="214879280" Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Oct 2021 09:15:37 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,372,1624345200"; d="scan'208";a="442881569" Received: from silpixa00400884.ir.intel.com ([10.243.22.82]) by orsmga003.jf.intel.com with ESMTP; 14 Oct 2021 09:15:33 -0700 
From: Radu Nicolau To: Ray Kinsella , Akhil Goyal , Declan Doherty Cc: dev@dpdk.org, konstantin.ananyev@intel.com, vladimir.medvedkin@intel.com, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, anoobj@marvell.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Thu, 14 Oct 2021 17:03:21 +0100 Message-Id: <20211014160329.579970-2-radu.nicolau@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211014160329.579970-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211014160329.579970-1-radu.nicolau@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v10 1/9] security: add ESN field to ipsec_xform X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Update ipsec_xform definition to include ESN field. This allows the application to control the ESN starting value. Signed-off-by: Declan Doherty Signed-off-by: Radu Nicolau Signed-off-by: Abhijit Sinha Signed-off-by: Daniel Martin Buckley Acked-by: Fan Zhang Acked-by: Anoob Joseph Acked-by: Konstantin Ananyev --- doc/guides/rel_notes/deprecation.rst | 2 +- doc/guides/rel_notes/release_21_11.rst | 5 +++++ lib/security/rte_security.h | 8 ++++++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst index 45239ca56e..adec0a5677 100644 --- a/doc/guides/rel_notes/deprecation.rst +++ b/doc/guides/rel_notes/deprecation.rst 
@@ -201,7 +201,7 @@ Deprecation Notices * security: The structure ``rte_security_ipsec_xform`` will be extended with multiple fields: source and destination port of UDP encapsulation, - IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number). + IPsec payload MSS (Maximum Segment Size). * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options`` will be updated with new fields to support new features like TSO in case of diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 4c56cdfeaa..8bc51a048c 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -273,6 +273,11 @@ ABI Changes packet IPv4 header checksum and L4 checksum need to be offloaded to security device. +* security: A new structure ``esn`` was added in structure + ``rte_security_ipsec_xform`` to set an initial ESN value. This permits + application to start from an arbitrary ESN value for debug and SA lifetime + enforcement purposes. + * bbdev: Added capability related to more comprehensive CRC options, shifting values of the ``enum rte_bbdev_op_ldpcdec_flag_bitmasks``. diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 7eb9f109ae..764ce83bca 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h 
@@ -318,6 +318,14 @@ struct rte_security_ipsec_xform { /**< Anti replay window size to enable sequence replay attack handling. * replay checking is disabled if the window size is 0. */ + union { + uint64_t value; + struct { + uint32_t low; + uint32_t hi; + }; + } esn; + /**< Extended Sequence Number */ }; /** From patchwork Thu Oct 14 16:03:22 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 101639 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id D3C73A0C4B; Thu, 14 Oct 2021 18:17:51 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id A60E0410F8; Thu, 14 Oct 2021 18:17:43 +0200 (CEST) Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mails.dpdk.org (Postfix) with ESMTP id 8BADC410E1 for ; Thu, 14 Oct 2021 18:17:41 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10137"; a="214879294" X-IronPort-AV: E=Sophos;i="5.85,372,1624345200"; d="scan'208";a="214879294" Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Oct 2021 09:15:41 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,372,1624345200"; d="scan'208";a="442881594" Received: from silpixa00400884.ir.intel.com ([10.243.22.82]) by orsmga003.jf.intel.com with ESMTP; 14 Oct 2021 09:15:37 -0700 
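Review bot: the new `esn` union added to `struct rte_security_ipsec_xform` is documented only as `/**< Extended Sequence Number */`, which leaves the aliasing semantics unspecified: `low` and `hi` overlay `value`, so whether `low` is the least-significant 32 bits of `value` depends on host byte order, and an application that fills `low`/`hi` on a big-endian host produces a different `value` than on little-endian. The comment should state which view is authoritative for drivers (for instance, that `value` is the 64-bit ESN, `low` the sequence number carried in the ESP header and `hi` the high-order half, or that the split is only valid on little-endian hosts), and whether the field is ignored when `options.esn` is 0; the release note's "arbitrary ESN value for debug and SA lifetime enforcement" does not answer either question.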
From: Radu Nicolau To: Konstantin Ananyev , Bernard Iremonger , Vladimir Medvedkin Cc: dev@dpdk.org, mdr@ashroe.eu, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Thu, 14 Oct 2021 17:03:22 +0100 Message-Id: <20211014160329.579970-3-radu.nicolau@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211014160329.579970-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211014160329.579970-1-radu.nicolau@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v10 2/9] ipsec: add support for AEAD algorithms X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add support for AES_CCM, CHACHA20_POLY1305 and AES_GMAC. Signed-off-by: Declan Doherty Signed-off-by: Radu Nicolau Signed-off-by: Abhijit Sinha Signed-off-by: Daniel Martin Buckley Acked-by: Fan Zhang Acked-by: Konstantin Ananyev --- doc/guides/prog_guide/ipsec_lib.rst | 3 +- doc/guides/rel_notes/release_21_11.rst | 4 + lib/ipsec/crypto.h | 137 +++++++++++++++++++++++++ lib/ipsec/esp_inb.c | 66 +++++++++++- lib/ipsec/esp_outb.c | 70 ++++++++++++- lib/ipsec/sa.c | 54 +++++++++- lib/ipsec/sa.h | 6 ++ 7 files changed, 328 insertions(+), 12 deletions(-) diff --git a/doc/guides/prog_guide/ipsec_lib.rst b/doc/guides/prog_guide/ipsec_lib.rst index 9f2b26072d..93e213bf36 100644 --- a/doc/guides/prog_guide/ipsec_lib.rst +++ b/doc/guides/prog_guide/ipsec_lib.rst 
@@ -313,7 +313,8 @@ Supported features * ESN and replay window. -* algorithms: 3DES-CBC, AES-CBC, AES-CTR, AES-GCM, HMAC-SHA1, NULL. +* algorithms: 3DES-CBC, AES-CBC, AES-CTR, AES-GCM, AES_CCM, CHACHA20_POLY1305, + AES_GMAC, HMAC-SHA1, NULL. Limitations diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 8bc51a048c..ef078e756a 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -159,6 +159,10 @@ New Features * Added tests to verify tunnel header verification in IPsec inbound. * Added tests to verify inner checksum. +* **IPsec library new features.** + + * Added support for AEAD algorithms AES_CCM, CHACHA20_POLY1305 and AES_GMAC. + Removed Items ------------- diff --git a/lib/ipsec/crypto.h b/lib/ipsec/crypto.h index 3d03034590..93d20aaaa0 100644 --- a/lib/ipsec/crypto.h +++ b/lib/ipsec/crypto.h @@ -21,6 +21,37 @@ struct aesctr_cnt_blk { uint32_t cnt; } __rte_packed; + /* + * CHACHA20-POLY1305 devices have some specific requirements + * for IV and AAD formats. + * Ideally that to be done by the driver itself. + */ + +struct aead_chacha20_poly1305_iv { + uint32_t salt; + uint64_t iv; + uint32_t cnt; +} __rte_packed; + +struct aead_chacha20_poly1305_aad { + uint32_t spi; + /* + * RFC 4106, section 5: + * Two formats of the AAD are defined: + * one for 32-bit sequence numbers, and one for 64-bit ESN. + */ + union { + uint32_t u32[2]; + uint64_t u64; + } sqn; + uint32_t align0; /* align to 16B boundary */ +} __rte_packed; + +struct chacha20_poly1305_esph_iv { + struct rte_esp_hdr esph; + uint64_t iv; +} __rte_packed; + /* * AES-GCM devices have some specific requirements for IV and AAD formats. * Ideally that to be done by the driver itself. 
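Review bot: the comment inside the new `struct aead_chacha20_poly1305_aad` cites `RFC 4106, section 5`, which is the AES-GCM ESP specification carried over from `struct aead_gcm_aad`; the matching `aead_chacha20_poly1305_aad_fill` routine later in this patch cites `RFC 7634, 2.1`, so the struct comment should reference RFC 7634 as well. Likewise the block comment above the new structs ("CHACHA20-POLY1305 devices have some specific requirements for IV and AAD formats. Ideally that to be done by the driver itself.") is the AES-GCM comment with the name swapped; it would be more useful if it stated the layout actually imposed here (32-bit salt, 64-bit IV, 32-bit counter) rather than repeating the wish that the driver did it.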
@@ -51,6 +82,47 @@ struct gcm_esph_iv { uint64_t iv; } __rte_packed; + /* + * AES-CCM devices have some specific requirements for IV and AAD formats. + * Ideally that to be done by the driver itself. + */ +union aead_ccm_salt { + uint32_t salt; + struct inner { + uint8_t salt8[3]; + uint8_t ccm_flags; + } inner; +} __rte_packed; + + +struct aead_ccm_iv { + uint8_t ccm_flags; + uint8_t salt[3]; + uint64_t iv; + uint32_t cnt; +} __rte_packed; + +struct aead_ccm_aad { + uint8_t padding[18]; + uint32_t spi; + /* + * RFC 4309, section 5: + * Two formats of the AAD are defined: + * one for 32-bit sequence numbers, and one for 64-bit ESN. + */ + union { + uint32_t u32[2]; + uint64_t u64; + } sqn; + uint32_t align0; /* align to 16B boundary */ +} __rte_packed; + +struct ccm_esph_iv { + struct rte_esp_hdr esph; + uint64_t iv; +} __rte_packed; + + static inline void aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce) { @@ -59,6 +131,16 @@ aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce) ctr->cnt = rte_cpu_to_be_32(1); } +static inline void +aead_chacha20_poly1305_iv_fill(struct aead_chacha20_poly1305_iv + *chacha20_poly1305, + uint64_t iv, uint32_t salt) +{ + chacha20_poly1305->salt = salt; + chacha20_poly1305->iv = iv; + chacha20_poly1305->cnt = rte_cpu_to_be_32(1); +} + static inline void aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt) { 
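Review bot: `union aead_ccm_salt` declares a tagged `struct inner` inside the union; in C that tag has file scope, so every translation unit including crypto.h now owns the generic struct name `inner`. Use an anonymous struct (as the `esn` union in rte_security.h in this series does) or a prefixed tag such as `ccm_salt_inner`. Separately, `struct aead_ccm_aad` opens with `uint8_t padding[18];` without explanation; since the RFC 4309 section 5 AAD format it cites has no such leading bytes, a comment stating which consumer expects the AAD to start 18 bytes into the buffer is needed so the next reader does not "fix" it away.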
@@ -67,6 +149,21 @@ aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt) gcm->cnt = rte_cpu_to_be_32(1); } +static inline void +aead_ccm_iv_fill(struct aead_ccm_iv *ccm, uint64_t iv, uint32_t salt) +{ + union aead_ccm_salt tsalt; + + tsalt.salt = salt; + ccm->ccm_flags = tsalt.inner.ccm_flags; + ccm->salt[0] = tsalt.inner.salt8[0]; + ccm->salt[1] = tsalt.inner.salt8[1]; + ccm->salt[2] = tsalt.inner.salt8[2]; + ccm->iv = iv; + ccm->cnt = rte_cpu_to_be_32(1); +} + + /* * RFC 4106, 5 AAD Construction * spi and sqn should already be converted into network byte order. @@ -86,6 +183,25 @@ aead_gcm_aad_fill(struct aead_gcm_aad *aad, rte_be32_t spi, rte_be64_t sqn, aad->align0 = 0; } +/* + * RFC 4309, 5 AAD Construction + * spi and sqn should already be converted into network byte order. + * Make sure that not used bytes are zeroed. + */ +static inline void +aead_ccm_aad_fill(struct aead_ccm_aad *aad, rte_be32_t spi, rte_be64_t sqn, + int esn) +{ + aad->spi = spi; + if (esn) + aad->sqn.u64 = sqn; + else { + aad->sqn.u32[0] = sqn_low32(sqn); + aad->sqn.u32[1] = 0; + } + aad->align0 = 0; +} + static inline void gen_iv(uint64_t iv[IPSEC_MAX_IV_QWORD], rte_be64_t sqn) { @@ -93,6 +209,27 @@ gen_iv(uint64_t iv[IPSEC_MAX_IV_QWORD], rte_be64_t sqn) iv[1] = 0; } + +/* + * RFC 7634, 2.1 AAD Construction + * spi and sqn should already be converted into network byte order. + * Make sure that not used bytes are zeroed. + */ +static inline void +aead_chacha20_poly1305_aad_fill(struct aead_chacha20_poly1305_aad *aad, + rte_be32_t spi, rte_be64_t sqn, + int esn) +{ + aad->spi = spi; + if (esn) + aad->sqn.u64 = sqn; + else { + aad->sqn.u32[0] = sqn_low32(sqn); + aad->sqn.u32[1] = 0; + } + aad->align0 = 0; +} + /* * Helper routine to copy IV * Right now we support only algorithms with IV length equals 0/8/16 bytes. diff --git a/lib/ipsec/esp_inb.c b/lib/ipsec/esp_inb.c index 2b1df6a032..d66c88f05d 100644 --- a/lib/ipsec/esp_inb.c +++ b/lib/ipsec/esp_inb.c 
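Review bot: `aead_ccm_aad_fill` carries the comment "Make sure that not used bytes are zeroed" but writes only `spi`, `sqn` and `align0`, so the 18 `padding` bytes of `struct aead_ccm_aad` keep whatever was in the packet buffer after the ICV; either zero them in the fill routine or drop that sentence from the comment. In `aead_ccm_iv_fill`, splitting the 32-bit `salt` into `salt8[3]` and `ccm_flags` through `union aead_ccm_salt` is host-byte-order dependent (on a little-endian host `ccm_flags` receives the most significant byte of `salt`); add a comment stating the byte order `sa->salt` is expected to be in so the mapping can be checked, and note that the pointer arguments of the three `*_iv_fill` helpers are written by the caller as "fill AAD IV" although they fill the IV, not the AAD.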
@@ -63,6 +63,8 @@ inb_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aead_ccm_iv *ccm; + struct aead_chacha20_poly1305_iv *chacha20_poly1305; struct aesctr_cnt_blk *ctr; uint64_t *ivc, *ivp; uint32_t algo; @@ -83,6 +85,24 @@ inb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; + case ALGO_TYPE_AES_CCM: + sop_aead_prepare(sop, sa, icv, pofs, plen); + + /* fill AAD IV (located inside crypto op) */ + ccm = rte_crypto_op_ctod_offset(cop, struct aead_ccm_iv *, + sa->iv_ofs); + aead_ccm_iv_fill(ccm, ivp[0], sa->salt); + break; + case ALGO_TYPE_CHACHA20_POLY1305: + sop_aead_prepare(sop, sa, icv, pofs, plen); + + /* fill AAD IV (located inside crypto op) */ + chacha20_poly1305 = rte_crypto_op_ctod_offset(cop, + struct aead_chacha20_poly1305_iv *, + sa->iv_ofs); + aead_chacha20_poly1305_iv_fill(chacha20_poly1305, + ivp[0], sa->salt); + break; case ALGO_TYPE_AES_CBC: case ALGO_TYPE_3DES_CBC: sop_ciph_auth_prepare(sop, sa, icv, pofs, plen); @@ -91,6 +111,14 @@ inb_cop_prepare(struct rte_crypto_op *cop, ivc = rte_crypto_op_ctod_offset(cop, uint64_t *, sa->iv_ofs); copy_iv(ivc, ivp, sa->iv_len); break; + case ALGO_TYPE_AES_GMAC: + sop_ciph_auth_prepare(sop, sa, icv, pofs, plen); + + /* fill AAD IV (located inside crypto op) */ + gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *, + sa->iv_ofs); + aead_gcm_iv_fill(gcm, ivp[0], sa->salt); + break; case ALGO_TYPE_AES_CTR: sop_ciph_auth_prepare(sop, sa, icv, pofs, plen); @@ -110,6 +138,8 @@ inb_cpu_crypto_prepare(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb, uint32_t *pofs, uint32_t plen, void *iv) { struct aead_gcm_iv *gcm; + struct aead_ccm_iv *ccm; + struct aead_chacha20_poly1305_iv *chacha20_poly1305; struct aesctr_cnt_blk *ctr; uint64_t *ivp; uint32_t clen; 
@@ -120,9 +150,19 @@ inb_cpu_crypto_prepare(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb, switch (sa->algo_type) { case ALGO_TYPE_AES_GCM: + case ALGO_TYPE_AES_GMAC: gcm = (struct aead_gcm_iv *)iv; aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; + case ALGO_TYPE_AES_CCM: + ccm = (struct aead_ccm_iv *)iv; + aead_ccm_iv_fill(ccm, ivp[0], sa->salt); + break; + case ALGO_TYPE_CHACHA20_POLY1305: + chacha20_poly1305 = (struct aead_chacha20_poly1305_iv *)iv; + aead_chacha20_poly1305_iv_fill(chacha20_poly1305, + ivp[0], sa->salt); + break; case ALGO_TYPE_AES_CBC: case ALGO_TYPE_3DES_CBC: copy_iv(iv, ivp, sa->iv_len); @@ -175,6 +215,8 @@ inb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, const union sym_op_data *icv) { struct aead_gcm_aad *aad; + struct aead_ccm_aad *caad; + struct aead_chacha20_poly1305_aad *chacha_aad; /* insert SQN.hi between ESP trailer and ICV */ if (sa->sqh_len != 0) @@ -184,9 +226,27 @@ inb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, * fill AAD fields, if any (aad fields are placed after icv), * right now we support only one AEAD algorithm: AES-GCM. */ - if (sa->aad_len != 0) { - aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); - aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa)); + switch (sa->algo_type) { + case ALGO_TYPE_AES_GCM: + if (sa->aad_len != 0) { + aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); + aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa)); + } + break; + case ALGO_TYPE_AES_CCM: + if (sa->aad_len != 0) { + caad = (struct aead_ccm_aad *)(icv->va + sa->icv_len); + aead_ccm_aad_fill(caad, sa->spi, sqc, IS_ESN(sa)); + } + break; + case ALGO_TYPE_CHACHA20_POLY1305: + if (sa->aad_len != 0) { + chacha_aad = (struct aead_chacha20_poly1305_aad *) + (icv->va + sa->icv_len); + aead_chacha20_poly1305_aad_fill(chacha_aad, + sa->spi, sqc, IS_ESN(sa)); + } + break; } } diff --git a/lib/ipsec/esp_outb.c b/lib/ipsec/esp_outb.c index 1e181cf2ce..a3f77469c3 100644 --- a/lib/ipsec/esp_outb.c 
+++ b/lib/ipsec/esp_outb.c @@ -63,6 +63,8 @@ outb_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aead_ccm_iv *ccm; + struct aead_chacha20_poly1305_iv *chacha20_poly1305; struct aesctr_cnt_blk *ctr; uint32_t algo; @@ -80,6 +82,15 @@ outb_cop_prepare(struct rte_crypto_op *cop, /* NULL case */ sop_ciph_auth_prepare(sop, sa, icv, hlen, plen); break; + case ALGO_TYPE_AES_GMAC: + /* GMAC case */ + sop_ciph_auth_prepare(sop, sa, icv, hlen, plen); + + /* fill AAD IV (located inside crypto op) */ + gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *, + sa->iv_ofs); + aead_gcm_iv_fill(gcm, ivp[0], sa->salt); + break; case ALGO_TYPE_AES_GCM: /* AEAD (AES_GCM) case */ sop_aead_prepare(sop, sa, icv, hlen, plen); @@ -89,6 +100,26 @@ outb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; + case ALGO_TYPE_AES_CCM: + /* AEAD (AES_CCM) case */ + sop_aead_prepare(sop, sa, icv, hlen, plen); + + /* fill AAD IV (located inside crypto op) */ + ccm = rte_crypto_op_ctod_offset(cop, struct aead_ccm_iv *, + sa->iv_ofs); + aead_ccm_iv_fill(ccm, ivp[0], sa->salt); + break; + case ALGO_TYPE_CHACHA20_POLY1305: + /* AEAD (CHACHA20_POLY) case */ + sop_aead_prepare(sop, sa, icv, hlen, plen); + + /* fill AAD IV (located inside crypto op) */ + chacha20_poly1305 = rte_crypto_op_ctod_offset(cop, + struct aead_chacha20_poly1305_iv *, + sa->iv_ofs); + aead_chacha20_poly1305_iv_fill(chacha20_poly1305, + ivp[0], sa->salt); + break; case ALGO_TYPE_AES_CTR: /* Cipher-Auth (AES-CTR *) case */ sop_ciph_auth_prepare(sop, sa, icv, hlen, plen); @@ -196,7 +227,9 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, const union sym_op_data *icv) { uint32_t *psqh; - struct aead_gcm_aad *aad; + struct aead_gcm_aad *gaad; + struct aead_ccm_aad *caad; + struct aead_chacha20_poly1305_aad *chacha20_poly1305_aad; /* insert SQN.hi between ESP trailer and ICV */ if (sa->sqh_len != 0) { 
@@ -208,9 +241,29 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, * fill IV and AAD fields, if any (aad fields are placed after icv), * right now we support only one AEAD algorithm: AES-GCM . */ + switch (sa->algo_type) { + case ALGO_TYPE_AES_GCM: if (sa->aad_len != 0) { - aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); - aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa)); + gaad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); + aead_gcm_aad_fill(gaad, sa->spi, sqc, IS_ESN(sa)); + } + break; + case ALGO_TYPE_AES_CCM: + if (sa->aad_len != 0) { + caad = (struct aead_ccm_aad *)(icv->va + sa->icv_len); + aead_ccm_aad_fill(caad, sa->spi, sqc, IS_ESN(sa)); + } + break; + case ALGO_TYPE_CHACHA20_POLY1305: + if (sa->aad_len != 0) { + chacha20_poly1305_aad = (struct aead_chacha20_poly1305_aad *) + (icv->va + sa->icv_len); + aead_chacha20_poly1305_aad_fill(chacha20_poly1305_aad, + sa->spi, sqc, IS_ESN(sa)); + } + break; + default: + break; } } @@ -418,6 +471,8 @@ outb_cpu_crypto_prepare(const struct rte_ipsec_sa *sa, uint32_t *pofs, { uint64_t *ivp = iv; struct aead_gcm_iv *gcm; + struct aead_ccm_iv *ccm; + struct aead_chacha20_poly1305_iv *chacha20_poly1305; struct aesctr_cnt_blk *ctr; uint32_t clen; @@ -426,6 +481,15 @@ outb_cpu_crypto_prepare(const struct rte_ipsec_sa *sa, uint32_t *pofs, gcm = iv; aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; + case ALGO_TYPE_AES_CCM: + ccm = iv; + aead_ccm_iv_fill(ccm, ivp[0], sa->salt); + break; + case ALGO_TYPE_CHACHA20_POLY1305: + chacha20_poly1305 = iv; + aead_chacha20_poly1305_iv_fill(chacha20_poly1305, + ivp[0], sa->salt); + break; case ALGO_TYPE_AES_CTR: ctr = iv; aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); diff --git a/lib/ipsec/sa.c b/lib/ipsec/sa.c index e59189d215..720e0f365b 100644 --- a/lib/ipsec/sa.c +++ b/lib/ipsec/sa.c 
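Review bot: the unchanged context comment in `outb_pkt_xprepare`, "right now we support only one AEAD algorithm: AES-GCM .", is now wrong, because the switch introduced directly below it handles `ALGO_TYPE_AES_CCM` and `ALGO_TYPE_CHACHA20_POLY1305` as well; update it, and do the same for the identical stale comment above the new switch in `inb_pkt_xprepare` (esp_inb.c hunk earlier in this patch). Two consistency points in the same hunk: the retained `if (sa->aad_len != 0) {` under `case ALGO_TYPE_AES_GCM:` keeps its pre-switch indentation while the new cases are one level deeper, and this outbound switch ends with `default: break;` whereas the inbound one has no `default`; make both switches look the same.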
@@ -47,6 +47,15 @@ fill_crypto_xform(struct crypto_xform *xform, uint64_t type, if (xfn != NULL) return -EINVAL; xform->aead = &xf->aead; + + /* GMAC has only auth */ + } else if (xf->type == RTE_CRYPTO_SYM_XFORM_AUTH && + xf->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) { + if (xfn != NULL) + return -EINVAL; + xform->auth = &xf->auth; + xform->cipher = &xfn->cipher; + /* * CIPHER+AUTH xforms are expected in strict order, * depending on SA direction: @@ -247,12 +256,13 @@ esp_inb_init(struct rte_ipsec_sa *sa) sa->ctp.cipher.length = sa->icv_len + sa->ctp.cipher.offset; /* - * for AEAD and NULL algorithms we can assume that + * for AEAD algorithms we can assume that * auth and cipher offsets would be equal. */ switch (sa->algo_type) { case ALGO_TYPE_AES_GCM: - case ALGO_TYPE_NULL: + case ALGO_TYPE_AES_CCM: + case ALGO_TYPE_CHACHA20_POLY1305: sa->ctp.auth.raw = sa->ctp.cipher.raw; break; default: @@ -294,6 +304,8 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) switch (algo_type) { case ALGO_TYPE_AES_GCM: + case ALGO_TYPE_AES_CCM: + case ALGO_TYPE_CHACHA20_POLY1305: case ALGO_TYPE_AES_CTR: case ALGO_TYPE_NULL: sa->ctp.cipher.offset = hlen + sizeof(struct rte_esp_hdr) + @@ -305,15 +317,20 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) sa->ctp.cipher.offset = hlen + sizeof(struct rte_esp_hdr); sa->ctp.cipher.length = sa->iv_len; break; + case ALGO_TYPE_AES_GMAC: + sa->ctp.cipher.offset = 0; + sa->ctp.cipher.length = 0; + break; } /* - * for AEAD and NULL algorithms we can assume that + * for AEAD algorithms we can assume that * auth and cipher offsets would be equal. */ switch (algo_type) { case ALGO_TYPE_AES_GCM: - case ALGO_TYPE_NULL: + case ALGO_TYPE_AES_CCM: + case ALGO_TYPE_CHACHA20_POLY1305: sa->ctp.auth.raw = sa->ctp.cipher.raw; break; default: 
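Review bot: in the new GMAC branch of `fill_crypto_xform`, `xform->cipher = &xfn->cipher;` is executed right after `if (xfn != NULL) return -EINVAL;` has established that `xfn` is NULL, so it takes the address of a member of a NULL struct: undefined behaviour, and in practice a small non-NULL garbage pointer that will defeat any later `xform->cipher == NULL` test. It should read `xform->cipher = NULL;` (the AEAD branch above sets only `xform->aead` and leaves the other pointers untouched). The `esp_inb_init` and `esp_outb_init` hunks also drop `case ALGO_TYPE_NULL:` from the switch that copies `cipher.raw` into `auth.raw`, and rewrite the comment from "for AEAD and NULL algorithms" to "for AEAD algorithms"; that changes the offsets computed for the existing NULL algorithm, which the commit message ("Add support for AES_CCM, CHACHA20_POLY1305 and AES_GMAC") does not mention. Either keep the NULL case or explain the change.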
@@ -374,13 +391,39 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, sa->pad_align = IPSEC_PAD_AES_GCM; sa->algo_type = ALGO_TYPE_AES_GCM; break; + case RTE_CRYPTO_AEAD_AES_CCM: + /* RFC 4309 */ + sa->aad_len = sizeof(struct aead_ccm_aad); + sa->icv_len = cxf->aead->digest_length; + sa->iv_ofs = cxf->aead->iv.offset; + sa->iv_len = sizeof(uint64_t); + sa->pad_align = IPSEC_PAD_AES_CCM; + sa->algo_type = ALGO_TYPE_AES_CCM; + break; + case RTE_CRYPTO_AEAD_CHACHA20_POLY1305: + /* RFC 7634 & 8439*/ + sa->aad_len = sizeof(struct aead_chacha20_poly1305_aad); + sa->icv_len = cxf->aead->digest_length; + sa->iv_ofs = cxf->aead->iv.offset; + sa->iv_len = sizeof(uint64_t); + sa->pad_align = IPSEC_PAD_CHACHA20_POLY1305; + sa->algo_type = ALGO_TYPE_CHACHA20_POLY1305; + break; default: return -EINVAL; } + } else if (cxf->auth->algo == RTE_CRYPTO_AUTH_AES_GMAC) { + /* RFC 4543 */ + /* AES-GMAC is a special case of auth that needs IV */ + sa->pad_align = IPSEC_PAD_AES_GMAC; + sa->iv_len = sizeof(uint64_t); + sa->icv_len = cxf->auth->digest_length; + sa->iv_ofs = cxf->auth->iv.offset; + sa->algo_type = ALGO_TYPE_AES_GMAC; + } else { sa->icv_len = cxf->auth->digest_length; sa->iv_ofs = cxf->cipher->iv.offset; - sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0; switch (cxf->cipher->algo) { case RTE_CRYPTO_CIPHER_NULL: @@ -414,6 +457,7 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, } } + sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0; sa->udata = prm->userdata; sa->spi = rte_cpu_to_be_32(prm->ipsec_xform.spi); sa->salt = prm->ipsec_xform.salt; diff --git a/lib/ipsec/sa.h b/lib/ipsec/sa.h index 1bffe751f5..107ebd1519 100644 --- a/lib/ipsec/sa.h +++ b/lib/ipsec/sa.h 
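Review bot: moving `sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0;` out of the cipher+auth `else` branch to after the whole if/else chain changes behaviour for existing AEAD SAs, not just the new ones: an AES-GCM SA with ESN previously kept `sqh_len` at 0 (the ESN high half travels in the AAD, see `aead_gcm_aad_fill`), and now gets a 4-byte SQN.hi inserted between the ESP trailer and the ICV by `inb_pkt_xprepare`/`outb_pkt_xprepare`. If the intent was only to give the new `RTE_CRYPTO_AUTH_AES_GMAC` branch a `sqh_len`, set it inside that branch; if the change is intended for all AEAD algorithms, the commit message should say so and state how the extra bytes are accounted for in the cipher and auth lengths set up by `esp_inb_init`/`esp_outb_init`. Minor: the comment `/* RFC 7634 & 8439*/` is missing a space before `*/`.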
@@ -19,7 +19,10 @@ enum { IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, + IPSEC_PAD_AES_CCM = IPSEC_PAD_DEFAULT, + IPSEC_PAD_CHACHA20_POLY1305 = IPSEC_PAD_DEFAULT, IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT, + IPSEC_PAD_AES_GMAC = IPSEC_PAD_DEFAULT, }; /* iv sizes for different algorithms */ @@ -67,6 +70,9 @@ enum sa_algo_type { ALGO_TYPE_AES_CBC, ALGO_TYPE_AES_CTR, ALGO_TYPE_AES_GCM, + ALGO_TYPE_AES_CCM, + ALGO_TYPE_CHACHA20_POLY1305, + ALGO_TYPE_AES_GMAC, ALGO_TYPE_MAX }; From patchwork Thu Oct 14 16:03:23 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 101640 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 9137BA0C4B; Thu, 14 Oct 2021 18:17:58 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id AF38640E0F; Thu, 14 Oct 2021 18:17:46 +0200 (CEST) Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mails.dpdk.org (Postfix) with ESMTP id CA2B7410E1 for ; Thu, 14 Oct 2021 18:17:42 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10137"; a="214879311" X-IronPort-AV: E=Sophos;i="5.85,372,1624345200"; d="scan'208";a="214879311" Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Oct 2021 09:15:45 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,372,1624345200"; d="scan'208";a="442881620" Received: from silpixa00400884.ir.intel.com ([10.243.22.82]) by orsmga003.jf.intel.com with ESMTP; 14 Oct 2021 09:15:41 -0700 
From: Radu Nicolau To: Ray Kinsella , Akhil Goyal , Declan Doherty Cc: dev@dpdk.org, konstantin.ananyev@intel.com, vladimir.medvedkin@intel.com, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, anoobj@marvell.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Thu, 14 Oct 2021 17:03:23 +0100 Message-Id: <20211014160329.579970-4-radu.nicolau@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211014160329.579970-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211014160329.579970-1-radu.nicolau@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v10 3/9] security: add UDP params for IPsec NAT-T X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add support for specifying UDP port params for UDP encapsulation option. RFC3948 section 2.1 does not enforce using specific UDP ports for UDP-Encapsulated ESP Header. Signed-off-by: Declan Doherty Signed-off-by: Radu Nicolau Signed-off-by: Abhijit Sinha Signed-off-by: Daniel Martin Buckley Acked-by: Fan Zhang Acked-by: Anoob Joseph Acked-by: Konstantin Ananyev --- doc/guides/rel_notes/deprecation.rst | 5 ++--- doc/guides/rel_notes/release_21_11.rst | 4 ++++ lib/security/rte_security.h | 7 +++++++ 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst index adec0a5677..a744fdb2c6 100644 --- a/doc/guides/rel_notes/deprecation.rst +++ b/doc/guides/rel_notes/deprecation.rst
@@ -199,9 +199,8 @@ Deprecation Notices pointer for the private data to the application which can be attached to the packet while enqueuing. -* security: The structure ``rte_security_ipsec_xform`` will be extended with - multiple fields: source and destination port of UDP encapsulation, - IPsec payload MSS (Maximum Segment Size). +* security: The structure ``rte_security_ipsec_xform`` will be extended with: + new field: IPsec payload MSS (Maximum Segment Size). * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options`` will be updated with new fields to support new features like TSO in case of diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index ef078e756a..ed56c16d4b 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -282,6 +282,10 @@ ABI Changes application to start from an arbitrary ESN value for debug and SA lifetime enforcement purposes. +* security: A new structure ``udp`` was added in structure + ``rte_security_ipsec_xform`` to allow setting the source and destination ports + for UDP encapsulated IPsec traffic. + * bbdev: Added capability related to more comprehensive CRC options, shifting values of the ``enum rte_bbdev_op_ldpcdec_flag_bitmasks``. diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 764ce83bca..17d0e95412 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -128,6 +128,11 @@ struct rte_security_ipsec_tunnel_param { }; }; +struct rte_security_ipsec_udp_param { + uint16_t sport; + uint16_t dport; +}; + /** * IPsec Security Association option flags */ 
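Review bot: the new `struct rte_security_ipsec_udp_param` adds `sport` and `dport` as bare `uint16_t` with no doxygen comments and no byte-order statement, in a public header where the surrounding members are documented. The companion ipsec patch in this series assigns them straight into `rte_udp_hdr.src_port`/`dst_port`, i.e. it treats them as already in network byte order, so the header must say so (and `rte_be16_t` would make the contract visible to the compiler), or the ipsec side must convert with `rte_cpu_to_be_16`. Also document what a driver should do when both ports are left at zero, since the commit message only says RFC 3948 does not mandate specific ports.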
@@ -326,6 +331,8 @@ struct rte_security_ipsec_xform { }; } esn; /**< Extended Sequence Number */ + struct rte_security_ipsec_udp_param udp; + /**< UDP parameters, ignored when udp_encap option not specified */ }; /** From patchwork Thu Oct 14 16:03:24 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 101641 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 9A399A0C4B; Thu, 14 Oct 2021 18:18:06 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 21848411AA; Thu, 14 Oct 2021 18:17:49 +0200 (CEST) Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mails.dpdk.org (Postfix) with ESMTP id D6EF740041 for ; Thu, 14 Oct 2021 18:17:45 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10137"; a="214879323" X-IronPort-AV: E=Sophos;i="5.85,372,1624345200"; d="scan'208";a="214879323" Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Oct 2021 09:15:49 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,372,1624345200"; d="scan'208";a="442881633" Received: from silpixa00400884.ir.intel.com ([10.243.22.82]) by orsmga003.jf.intel.com with ESMTP; 14 Oct 2021 09:15:45 -0700 
From: Radu Nicolau To: Konstantin Ananyev , Bernard Iremonger , Vladimir Medvedkin Cc: dev@dpdk.org, mdr@ashroe.eu, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Thu, 14 Oct 2021 17:03:24 +0100 Message-Id: <20211014160329.579970-5-radu.nicolau@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211014160329.579970-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211014160329.579970-1-radu.nicolau@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v10 4/9] ipsec: add support for NAT-T X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add support for the IPsec NAT-Traversal use case for Tunnel mode packets. Signed-off-by: Declan Doherty Signed-off-by: Radu Nicolau Signed-off-by: Abhijit Sinha Signed-off-by: Daniel Martin Buckley Acked-by: Fan Zhang Acked-by: Konstantin Ananyev --- doc/guides/prog_guide/ipsec_lib.rst | 2 ++ doc/guides/rel_notes/release_21_11.rst | 1 + lib/ipsec/esp_outb.c | 9 ++++++ lib/ipsec/rte_ipsec_sa.h | 9 +++++- lib/ipsec/sa.c | 38 ++++++++++++++++++++++---- 5 files changed, 52 insertions(+), 7 deletions(-) diff --git a/doc/guides/prog_guide/ipsec_lib.rst b/doc/guides/prog_guide/ipsec_lib.rst index 93e213bf36..af51ff8131 100644 --- a/doc/guides/prog_guide/ipsec_lib.rst +++ b/doc/guides/prog_guide/ipsec_lib.rst @@ -313,6 +313,8 @@ Supported features * ESN and replay window. +* NAT-T / UDP encapsulated ESP. + * algorithms: 3DES-CBC, AES-CBC, AES-CTR, AES-GCM, AES_CCM, CHACHA20_POLY1305, AES_GMAC, HMAC-SHA1, NULL. 
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index ed56c16d4b..9b6591340a 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -162,6 +162,7 @@ New Features * **IPsec library new features.** * Added support for AEAD algorithms AES_CCM, CHACHA20_POLY1305 and AES_GMAC. + * Added support for NAT-T / UDP encapsulated ESP Removed Items diff --git a/lib/ipsec/esp_outb.c b/lib/ipsec/esp_outb.c index a3f77469c3..0e3314b358 100644 --- a/lib/ipsec/esp_outb.c +++ b/lib/ipsec/esp_outb.c @@ -5,6 +5,7 @@ #include #include #include +#include #include #include @@ -185,6 +186,14 @@ outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc, /* copy tunnel pkt header */ rte_memcpy(ph, sa->hdr, sa->hdr_len); + /* if UDP encap is enabled update the dgram_len */ + if (sa->type & RTE_IPSEC_SATP_NATT_ENABLE) { + struct rte_udp_hdr *udph = (struct rte_udp_hdr *) + (ph - sizeof(struct rte_udp_hdr)); + udph->dgram_len = rte_cpu_to_be_16(mb->pkt_len - sqh_len - + sa->hdr_l3_off - sa->hdr_len); + } + /* update original and new ip header fields */ update_tun_outb_l3hdr(sa, ph + sa->hdr_l3_off, ph + hlen, mb->pkt_len - sqh_len, sa->hdr_l3_off, sqn_low16(sqc)); diff --git a/lib/ipsec/rte_ipsec_sa.h b/lib/ipsec/rte_ipsec_sa.h index cf51ad8338..3a22705055 100644 --- a/lib/ipsec/rte_ipsec_sa.h +++ b/lib/ipsec/rte_ipsec_sa.h @@ -78,6 +78,7 @@ struct rte_ipsec_sa_prm { * - for TUNNEL outer IP version (IPv4/IPv6) * - are SA SQN operations 'atomic' * - ESN enabled/disabled + * - NAT-T UDP encapsulated (TUNNEL mode only) * ... */ @@ -89,7 +90,8 @@ enum { RTE_SATP_LOG2_SQN = RTE_SATP_LOG2_MODE + 2, RTE_SATP_LOG2_ESN, RTE_SATP_LOG2_ECN, - RTE_SATP_LOG2_DSCP + RTE_SATP_LOG2_DSCP, + RTE_SATP_LOG2_NATT }; #define RTE_IPSEC_SATP_IPV_MASK (1ULL << RTE_SATP_LOG2_IPV) 
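Review bot: In the outb_tun_pkt_prepare hunk of esp_outb.c the UDP header pointer is computed at the wrong place: `udph = (struct rte_udp_hdr *)(ph - sizeof(struct rte_udp_hdr))` points before the header that the preceding `rte_memcpy(ph, sa->hdr, sa->hdr_len)` just copied, whereas esp_outb_tun_init (sa.c hunk in this patch) appends the UDP header at the end of sa->hdr, at `&sa->hdr[prm->tun.hdr_len]`. The store therefore lands outside the copied header and the real UDP length field is never written (esp_outb_tun_init fills only the ports and the checksum); it should be `ph + sa->hdr_len - sizeof(struct rte_udp_hdr)`. The value also looks 8 bytes short: because sa->hdr_len now includes the UDP header and the UDP length field covers header plus payload, `mb->pkt_len - sqh_len - sa->hdr_l3_off - sa->hdr_len` needs `+ sizeof(struct rte_udp_hdr)`. Minor: the release_21_11.rst entry lacks the trailing period the neighbouring entries use.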
@@ -125,6 +127,11 @@ enum { #define RTE_IPSEC_SATP_DSCP_DISABLE (0ULL << RTE_SATP_LOG2_DSCP) #define RTE_IPSEC_SATP_DSCP_ENABLE (1ULL << RTE_SATP_LOG2_DSCP) +#define RTE_IPSEC_SATP_NATT_MASK (1ULL << RTE_SATP_LOG2_NATT) +#define RTE_IPSEC_SATP_NATT_DISABLE (0ULL << RTE_SATP_LOG2_NATT) +#define RTE_IPSEC_SATP_NATT_ENABLE (1ULL << RTE_SATP_LOG2_NATT) + + /** * get type of given SA * @return diff --git a/lib/ipsec/sa.c b/lib/ipsec/sa.c index 720e0f365b..fa5a76cde1 100644 --- a/lib/ipsec/sa.c +++ b/lib/ipsec/sa.c @@ -5,6 +5,7 @@ #include #include #include +#include #include #include @@ -217,6 +218,10 @@ fill_sa_type(const struct rte_ipsec_sa_prm *prm, uint64_t *type) } else return -EINVAL; + /* check for UDP encapsulation flag */ + if (prm->ipsec_xform.options.udp_encap == 1) + tp |= RTE_IPSEC_SATP_NATT_ENABLE; + /* check for ESN flag */ if (prm->ipsec_xform.options.esn == 0) tp |= RTE_IPSEC_SATP_ESN_DISABLE; @@ -355,12 +360,22 @@ esp_outb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm) sa->hdr_len = prm->tun.hdr_len; sa->hdr_l3_off = prm->tun.hdr_l3_off; + memcpy(sa->hdr, prm->tun.hdr, prm->tun.hdr_len); + + /* insert UDP header if UDP encapsulation is inabled */ + if (sa->type & RTE_IPSEC_SATP_NATT_ENABLE) { + struct rte_udp_hdr *udph = (struct rte_udp_hdr *) + &sa->hdr[prm->tun.hdr_len]; + sa->hdr_len += sizeof(struct rte_udp_hdr); + udph->src_port = prm->ipsec_xform.udp.sport; + udph->dst_port = prm->ipsec_xform.udp.dport; + udph->dgram_cksum = 0; + } + /* update l2_len and l3_len fields for outbound mbuf */ sa->tx_offload.val = rte_mbuf_tx_offload(sa->hdr_l3_off, sa->hdr_len - sa->hdr_l3_off, 0, 0, 0, 0, 0); - memcpy(sa->hdr, prm->tun.hdr, sa->hdr_len); - esp_outb_init(sa, sa->hdr_len); } 
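Review bot: In the esp_outb_tun_init hunk, after `sa->hdr_len += sizeof(struct rte_udp_hdr);` the unchanged `rte_mbuf_tx_offload(sa->hdr_l3_off, sa->hdr_len - sa->hdr_l3_off, 0, 0, 0, 0, 0)` call now stores an l3_len that is 8 bytes longer than the IP header, which misleads IPv4 checksum offload and any driver that locates the L4 header at l2_len + l3_len; derive l3_len from prm->tun.hdr_len (the length before the UDP header was appended) instead. The same hunk copies `prm->ipsec_xform.udp.sport` and `.dport` into the UDP header with no byte-order conversion, so either the doc comment on the new `udp` member in rte_security.h should state that the ports are expected in network byte order, or the copy should convert. Nit: comment typo "inabled" -> "enabled". In the fill_sa_type hunk the other flags set an explicit *_DISABLE value when the option is off; doing the same for RTE_IPSEC_SATP_NATT_DISABLE keeps the function uniform.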
@@ -372,7 +387,8 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, const struct crypto_xform *cxf) { static const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK | - RTE_IPSEC_SATP_MODE_MASK; + RTE_IPSEC_SATP_MODE_MASK | + RTE_IPSEC_SATP_NATT_MASK; if (prm->ipsec_xform.options.ecn) sa->tos_mask |= RTE_IPV4_HDR_ECN_MASK; @@ -475,10 +491,16 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TRANS): esp_inb_init(sa); break; + case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4 | + RTE_IPSEC_SATP_NATT_ENABLE): + case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6 | + RTE_IPSEC_SATP_NATT_ENABLE): case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4): case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6): esp_outb_tun_init(sa, prm); break; + case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS | + RTE_IPSEC_SATP_NATT_ENABLE): case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS): esp_outb_init(sa, 0); break; 
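Review bot: In the esp_sa_init hunk, adding RTE_IPSEC_SATP_NATT_MASK to `msk` means an inbound SA created with options.udp_encap set (DIR_IB with NATT_ENABLE) matches none of the cases visible here, so its inbound init is silently skipped and the SA is left partly initialised; either add inbound NAT-T cases or make fill_sa_type return -EINVAL for udp_encap on an inbound SA. In the same hunk the new `(RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS | RTE_IPSEC_SATP_NATT_ENABLE)` case falls into esp_outb_init, which inserts no UDP header, so a transport-mode SA with udp_encap is accepted but not encapsulated, contradicting the "NAT-T UDP encapsulated (TUNNEL mode only)" comment this patch adds to rte_ipsec_sa.h; rejecting the combination in fill_sa_type is clearer than ignoring the flag.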
@@ -551,9 +573,13 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, if (prm->ipsec_xform.proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) return -EINVAL; - if (prm->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL && - prm->tun.hdr_len > sizeof(sa->hdr)) - return -EINVAL; + if (prm->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + uint32_t hlen = prm->tun.hdr_len; + if (sa->type & RTE_IPSEC_SATP_NATT_ENABLE) + hlen += sizeof(struct rte_udp_hdr); + if (hlen > sizeof(sa->hdr)) + return -EINVAL; + } rc = fill_crypto_xform(&cxf, type, prm); if (rc != 0)
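Review bot: In the rte_ipsec_sa_init hunk the new bound check reads `sa->type`, but this part of the function works with the local `type` (it is what `fill_crypto_xform(&cxf, type, prm)` receives two lines below); unless sa->type has already been assigned before this check, which the visible context does not show, the check reads a field the caller's buffer has not been initialised with and the hdr_len + UDP header bound is not enforced for NAT-T SAs. Use `type & RTE_IPSEC_SATP_NATT_ENABLE` here.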
From: Radu Nicolau
To: Olivier Matz
Cc: dev@dpdk.org, mdr@ashroe.eu, konstantin.ananyev@intel.com, vladimir.medvedkin@intel.com, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau
Date: Thu, 14 Oct 2021 17:03:25 +0100
Message-Id: <20211014160329.579970-6-radu.nicolau@intel.com>
In-Reply-To: <20211014160329.579970-1-radu.nicolau@intel.com>
References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211014160329.579970-1-radu.nicolau@intel.com>
Subject: [dpdk-dev] [PATCH v10 5/9] mbuf: add IPsec ESP tunnel type

Add ESP tunnel type to the tunnel types list that can be specified for TSO or checksum on the inner part of tunnel packets.

Signed-off-by: Declan Doherty
Signed-off-by: Radu Nicolau
Signed-off-by: Abhijit Sinha
Signed-off-by: Daniel Martin Buckley
Acked-by: Fan Zhang
Acked-by: Akhil Goyal
Acked-by: Olivier Matz
--- lib/mbuf/rte_mbuf_core.h | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/mbuf/rte_mbuf_core.h b/lib/mbuf/rte_mbuf_core.h index d6f1679944..fdaaaf67f2 100644 --- a/lib/mbuf/rte_mbuf_core.h +++ b/lib/mbuf/rte_mbuf_core.h
@@ -248,6 +248,7 @@ extern "C" { #define PKT_TX_TUNNEL_MPLSINUDP (0x5ULL << 45) #define PKT_TX_TUNNEL_VXLAN_GPE (0x6ULL << 45) #define PKT_TX_TUNNEL_GTP (0x7ULL << 45) +#define PKT_TX_TUNNEL_ESP (0x8ULL << 45) /** * Generic IP encapsulated tunnel type, used for TSO and checksum offload. * It can be used for tunnels which are not standards or listed above.
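Review bot: The new PKT_TX_TUNNEL_ESP value is added only to rte_mbuf_core.h (the diffstat shows one file changed), but the tunnel-type name table behind rte_get_tx_ol_flag_name() in rte_mbuf.c lists every PKT_TX_TUNNEL_* value and needs a matching entry, otherwise flag dumps for ESP-tunnelled mbufs come out unnamed. A one-line comment on the define saying what the NIC is expected to treat as the inner packet (the ESP payload after the tunnel header, per the commit message) would also help driver authors.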
From: Radu Nicolau
To: Konstantin Ananyev, Bernard Iremonger, Vladimir Medvedkin, Ray Kinsella
Cc: dev@dpdk.org, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau
Date: Thu, 14 Oct 2021 17:03:26 +0100
Message-Id: <20211014160329.579970-7-radu.nicolau@intel.com>
In-Reply-To: <20211014160329.579970-1-radu.nicolau@intel.com>
References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211014160329.579970-1-radu.nicolau@intel.com>
Subject: [dpdk-dev] [PATCH v10 6/9] ipsec: add support for SA telemetry

Add telemetry support for ipsec SAs.

Signed-off-by: Declan Doherty
Signed-off-by: Radu Nicolau
Signed-off-by: Abhijit Sinha
Signed-off-by: Daniel Martin Buckley
Acked-by: Fan Zhang
Acked-by: Konstantin Ananyev
--- doc/guides/prog_guide/ipsec_lib.rst | 7 + doc/guides/rel_notes/release_21_11.rst | 1 + lib/ipsec/esp_inb.c | 18 +- lib/ipsec/esp_outb.c | 12 +- lib/ipsec/ipsec_telemetry.c | 244 +++++++++++++++++++++++++ lib/ipsec/meson.build | 6 +- lib/ipsec/rte_ipsec.h | 23 +++ lib/ipsec/sa.c | 10 +- lib/ipsec/sa.h | 9 + lib/ipsec/version.map | 9 + 10 files changed, 328 insertions(+), 11 deletions(-) create mode 100644 lib/ipsec/ipsec_telemetry.c diff --git a/doc/guides/prog_guide/ipsec_lib.rst b/doc/guides/prog_guide/ipsec_lib.rst index af51ff8131..1bafdc608c 100644 --- a/doc/guides/prog_guide/ipsec_lib.rst +++ b/doc/guides/prog_guide/ipsec_lib.rst
@@ -319,6 +319,13 @@ Supported features AES_GMAC, HMAC-SHA1, NULL. +Telemetry support +------------------ +Telemetry support implements SA details and IPsec packet add data counters +statistics. Per SA telemetry statistics can be enabled using +``rte_ipsec_telemetry_sa_add`` and disabled using +``rte_ipsec_telemetry_sa_del``. Note that these calls are not thread safe. + Limitations ----------- diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 9b6591340a..8286a6cee7 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -163,6 +163,7 @@ New Features * Added support for AEAD algorithms AES_CCM, CHACHA20_POLY1305 and AES_GMAC. * Added support for NAT-T / UDP encapsulated ESP + * Added support for SA telemetry. Removed Items diff --git a/lib/ipsec/esp_inb.c b/lib/ipsec/esp_inb.c index d66c88f05d..6fbe468a61 100644 --- a/lib/ipsec/esp_inb.c +++ b/lib/ipsec/esp_inb.c @@ -15,7 +15,7 @@ #include "misc.h" #include "pad.h" -typedef uint16_t (*esp_inb_process_t)(const struct rte_ipsec_sa *sa, +typedef uint16_t (*esp_inb_process_t)(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], uint32_t sqn[], uint32_t dr[], uint16_t num, uint8_t sqh_len); @@ -573,10 +573,10 @@ tun_process_step3(struct rte_mbuf *mb, uint64_t txof_msk, uint64_t txof_val) * *process* function for tunnel packets */ static inline uint16_t -tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], +tun_process(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], uint32_t sqn[], uint32_t dr[], uint16_t num, uint8_t sqh_len) { - uint32_t adj, i, k, tl; + uint32_t adj, i, k, tl, bytes; uint32_t hl[num], to[num]; struct rte_esp_tail espt[num]; struct rte_mbuf *ml[num]; @@ -598,6 +598,7 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], process_step1(mb[i], tlen, &ml[i], &espt[i], &hl[i], &to[i]); k = 0; + bytes = 0; for (i = 0; i != num; i++) { adj = hl[i] + cofs; 
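Review bot: The new "Telemetry support" paragraph in ipsec_lib.rst does not parse ("implements SA details and IPsec packet add data counters statistics"); suggest "Telemetry support exposes per-SA configuration details and packet and byte counters through the DPDK telemetry interface." It should also name the three commands the patch registers (/ipsec/sa/list, /ipsec/sa/stats and /ipsec/sa/details) and that the latter two take an SPI parameter, since that is what a user of the feature will look for. In the esp_inb.c hunks, dropping `const` from the sa parameter of esp_inb_process_t, tun_process and trs_process is a visible API-shape change for the sole purpose of bumping counters; worth a sentence in the commit message.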
@@ -621,10 +622,13 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], tun_process_step3(mb[i], sa->tx_offload.msk, sa->tx_offload.val); k++; + bytes += mb[i]->pkt_len; } else dr[i - k] = i; } + sa->statistics.count += k; + sa->statistics.bytes += bytes; return k; } @@ -632,11 +636,11 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], * *process* function for tunnel packets */ static inline uint16_t -trs_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], +trs_process(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], uint32_t sqn[], uint32_t dr[], uint16_t num, uint8_t sqh_len) { char *np; - uint32_t i, k, l2, tl; + uint32_t i, k, l2, tl, bytes; uint32_t hl[num], to[num]; struct rte_esp_tail espt[num]; struct rte_mbuf *ml[num]; @@ -656,6 +660,7 @@ trs_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], process_step1(mb[i], tlen, &ml[i], &espt[i], &hl[i], &to[i]); k = 0; + bytes = 0; for (i = 0; i != num; i++) { tl = tlen + espt[i].pad_len; @@ -674,10 +679,13 @@ trs_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], /* update mbuf's metadata */ trs_process_step3(mb[i]); k++; + bytes += mb[i]->pkt_len; } else dr[i - k] = i; } + sa->statistics.count += k; + sa->statistics.bytes += bytes; return k; } diff --git a/lib/ipsec/esp_outb.c b/lib/ipsec/esp_outb.c index 0e3314b358..b6c72f58a4 100644 --- a/lib/ipsec/esp_outb.c +++ b/lib/ipsec/esp_outb.c @@ -606,7 +606,7 @@ uint16_t esp_outb_sqh_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], uint16_t num) { - uint32_t i, k, icv_len, *icv; + uint32_t i, k, icv_len, *icv, bytes; struct rte_mbuf *ml; struct rte_ipsec_sa *sa; uint32_t dr[num]; @@ -615,6 +615,7 @@ esp_outb_sqh_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], k = 0; icv_len = sa->icv_len; + bytes = 0; for (i = 0; i != num; i++) { if ((mb[i]->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) == 0) { 
@@ -625,10 +626,13 @@ esp_outb_sqh_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], icv = rte_pktmbuf_mtod_offset(ml, void *, ml->data_len - icv_len); remove_sqh(icv, icv_len); + bytes += mb[i]->pkt_len; k++; } else dr[i - k] = i; } + sa->statistics.count += k; + sa->statistics.bytes += bytes; /* handle unprocessed mbufs */ if (k != num) { @@ -648,16 +652,20 @@ static inline void inline_outb_mbuf_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], uint16_t num) { - uint32_t i, ol_flags; + uint32_t i, ol_flags, bytes; ol_flags = ss->security.ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA; + bytes = 0; for (i = 0; i != num; i++) { mb[i]->ol_flags |= PKT_TX_SEC_OFFLOAD; + bytes += mb[i]->pkt_len; if (ol_flags != 0) rte_security_set_pkt_metadata(ss->security.ctx, ss->security.ses, mb[i], NULL); } + ss->sa->statistics.count += num; + ss->sa->statistics.bytes += bytes; } /* diff --git a/lib/ipsec/ipsec_telemetry.c b/lib/ipsec/ipsec_telemetry.c new file mode 100644 index 0000000000..713da75f38 --- /dev/null +++ b/lib/ipsec/ipsec_telemetry.c 
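Review bot: The `sa->statistics.count += k; sa->statistics.bytes += bytes;` updates in tun_process, trs_process and esp_outb_sqh_process (and the `ss->sa->statistics` ones in inline_outb_mbuf_prepare) are plain read-modify-write on fields shared through the SA. The library already distinguishes SAs whose sequence-number updates must be atomic (RTE_IPSEC_SATP_SQN_ATOM, consulted in fill_sa_replay) precisely because one SA can be driven from several lcores, but the new counters get no such treatment, so on a multi-lcore SA increments will be lost. Either use __atomic_fetch_add when the SA is marked atomic, keep per-lcore counters and sum them in the telemetry handler, or state in ipsec_lib.rst that the counters are only accurate for single-lcore SAs (the doc currently says only that the add/del calls are not thread safe). Also note that inline_outb_mbuf_prepare counts all `num` mbufs as processed before the NIC sees them, so the count is "submitted", not "encrypted".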
@@ -0,0 +1,244 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(c) 2021 Intel Corporation + */ + +#include +#include +#include +#include "sa.h" + + +struct ipsec_telemetry_entry { + LIST_ENTRY(ipsec_telemetry_entry) next; + const struct rte_ipsec_sa *sa; +}; +static LIST_HEAD(ipsec_telemetry_head, ipsec_telemetry_entry) + ipsec_telemetry_list = LIST_HEAD_INITIALIZER(); + +static int +handle_telemetry_cmd_ipsec_sa_list(const char *cmd __rte_unused, + const char *params __rte_unused, + struct rte_tel_data *data) +{ + struct ipsec_telemetry_entry *entry; + rte_tel_data_start_array(data, RTE_TEL_U64_VAL); + + LIST_FOREACH(entry, &ipsec_telemetry_list, next) { + const struct rte_ipsec_sa *sa = entry->sa; + rte_tel_data_add_array_u64(data, rte_be_to_cpu_32(sa->spi)); + } + + return 0; +} + +/** + * Handle IPsec SA statistics telemetry request + * + * Return dict of SA's with dict of key/value counters + * + * { + * "SA_SPI_XX": {"count": 0, "bytes": 0, "errors": 0}, + * "SA_SPI_YY": {"count": 0, "bytes": 0, "errors": 0} + * } + * + */ +static int +handle_telemetry_cmd_ipsec_sa_stats(const char *cmd __rte_unused, + const char *params, + struct rte_tel_data *data) +{ + struct ipsec_telemetry_entry *entry; + const struct rte_ipsec_sa *sa; + uint32_t sa_spi = 0; + + if (params) { + sa_spi = rte_cpu_to_be_32((uint32_t)strtoul(params, NULL, 0)); + if (sa_spi == 0) + return -EINVAL; + } + + rte_tel_data_start_dict(data); + + LIST_FOREACH(entry, &ipsec_telemetry_list, next) { + char sa_name[64]; + sa = entry->sa; + static const char *name_pkt_cnt = "count"; + static const char *name_byte_cnt = "bytes"; + static const char *name_error_cnt = "errors"; + struct rte_tel_data *sa_data; + + /* If user provided SPI only get telemetry for that SA */ + if (sa_spi && (sa_spi != sa->spi)) + continue; + + /* allocate telemetry data struct for SA telemetry */ + sa_data = rte_tel_data_alloc(); + if (!sa_data) + return -ENOMEM; + + rte_tel_data_start_dict(sa_data); + + /* add 
telemetry key/values pairs */ + rte_tel_data_add_dict_u64(sa_data, name_pkt_cnt, + sa->statistics.count); + + rte_tel_data_add_dict_u64(sa_data, name_byte_cnt, + sa->statistics.bytes - + (sa->statistics.count * sa->hdr_len)); + + rte_tel_data_add_dict_u64(sa_data, name_error_cnt, + sa->statistics.errors.count); + + /* generate telemetry label */ + snprintf(sa_name, sizeof(sa_name), "SA_SPI_%i", + rte_be_to_cpu_32(sa->spi)); + + /* add SA telemetry to dictionary container */ + rte_tel_data_add_dict_container(data, sa_name, sa_data, 0); + } + + return 0; +} + +static int +handle_telemetry_cmd_ipsec_sa_details(const char *cmd __rte_unused, + const char *params, + struct rte_tel_data *data) +{ + struct ipsec_telemetry_entry *entry; + const struct rte_ipsec_sa *sa; + uint32_t sa_spi = 0; + + if (params) + sa_spi = rte_cpu_to_be_32((uint32_t)strtoul(params, NULL, 0)); + /* valid SPI needed */ + if (sa_spi == 0) + return -EINVAL; + + + rte_tel_data_start_dict(data); + + LIST_FOREACH(entry, &ipsec_telemetry_list, next) { + uint64_t mode; + sa = entry->sa; + if (sa_spi != sa->spi) + continue; + + /* add SA configuration key/values pairs */ + rte_tel_data_add_dict_string(data, "Type", + (sa->type & RTE_IPSEC_SATP_PROTO_MASK) == + RTE_IPSEC_SATP_PROTO_AH ? "AH" : "ESP"); + + rte_tel_data_add_dict_string(data, "Direction", + (sa->type & RTE_IPSEC_SATP_DIR_MASK) == + RTE_IPSEC_SATP_DIR_IB ? 
"Inbound" : "Outbound"); + + mode = sa->type & RTE_IPSEC_SATP_MODE_MASK; + + if (mode == RTE_IPSEC_SATP_MODE_TRANS) { + rte_tel_data_add_dict_string(data, "Mode", "Transport"); + } else { + rte_tel_data_add_dict_string(data, "Mode", "Tunnel"); + + if ((sa->type & RTE_IPSEC_SATP_NATT_MASK) == + RTE_IPSEC_SATP_NATT_ENABLE) { + if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) { + rte_tel_data_add_dict_string(data, + "Tunnel-Type", + "IPv4-UDP"); + } else if (sa->type & + RTE_IPSEC_SATP_MODE_TUNLV6) { + rte_tel_data_add_dict_string(data, + "Tunnel-Type", + "IPv4-UDP"); + } + } else { + if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) { + rte_tel_data_add_dict_string(data, + "Tunnel-Type", + "IPv4-UDP"); + } else if (sa->type & + RTE_IPSEC_SATP_MODE_TUNLV6) { + rte_tel_data_add_dict_string(data, + "Tunnel-Type", + "IPv4-UDP"); + } + } + } + + rte_tel_data_add_dict_string(data, + "extended-sequence-number", + (sa->type & RTE_IPSEC_SATP_ESN_MASK) == + RTE_IPSEC_SATP_ESN_ENABLE ? + "enabled" : "disabled"); + + if ((sa->type & RTE_IPSEC_SATP_DIR_MASK) == + RTE_IPSEC_SATP_DIR_IB) + + if (sa->sqn.inb.rsn[sa->sqn.inb.rdidx]) + rte_tel_data_add_dict_u64(data, + "sequence-number", + sa->sqn.inb.rsn[sa->sqn.inb.rdidx]->sqn); + else + rte_tel_data_add_dict_u64(data, + "sequence-number", 0); + else + rte_tel_data_add_dict_u64(data, "sequence-number", + sa->sqn.outb); + + rte_tel_data_add_dict_string(data, + "explicit-congestion-notification", + (sa->type & RTE_IPSEC_SATP_ECN_MASK) == + RTE_IPSEC_SATP_ECN_ENABLE ? + "enabled" : "disabled"); + + rte_tel_data_add_dict_string(data, + "copy-DSCP", + (sa->type & RTE_IPSEC_SATP_DSCP_MASK) == + RTE_IPSEC_SATP_DSCP_ENABLE ? 
+ "enabled" : "disabled"); + } + + return 0; +} + + +int +rte_ipsec_telemetry_sa_add(const struct rte_ipsec_sa *sa) +{ + struct ipsec_telemetry_entry *entry = rte_zmalloc(NULL, + sizeof(struct ipsec_telemetry_entry), 0); + if (entry == NULL) + return -ENOMEM; + entry->sa = sa; + LIST_INSERT_HEAD(&ipsec_telemetry_list, entry, next); + return 0; +} + +void +rte_ipsec_telemetry_sa_del(const struct rte_ipsec_sa *sa) +{ + struct ipsec_telemetry_entry *entry; + LIST_FOREACH(entry, &ipsec_telemetry_list, next) { + if (sa == entry->sa) { + LIST_REMOVE(entry, next); + rte_free(entry); + return; + } + } +} + + +RTE_INIT(rte_ipsec_telemetry_init) +{ + rte_telemetry_register_cmd("/ipsec/sa/list", + handle_telemetry_cmd_ipsec_sa_list, + "Return list of IPsec SAs with telemetry enabled."); + rte_telemetry_register_cmd("/ipsec/sa/stats", + handle_telemetry_cmd_ipsec_sa_stats, + "Returns IPsec SA stastistics. Parameters: int sa_spi"); + rte_telemetry_register_cmd("/ipsec/sa/details", + handle_telemetry_cmd_ipsec_sa_details, + "Returns IPsec SA configuration. Parameters: int sa_spi"); +} + diff --git a/lib/ipsec/meson.build b/lib/ipsec/meson.build index 1497f573bb..ddb9ea1767 100644 --- a/lib/ipsec/meson.build +++ b/lib/ipsec/meson.build @@ -1,9 +1,11 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2018 Intel Corporation -sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') +sources = files('esp_inb.c', 'esp_outb.c', + 'sa.c', 'ses.c', 'ipsec_sad.c', + 'ipsec_telemetry.c') headers = files('rte_ipsec.h', 'rte_ipsec_sa.h', 'rte_ipsec_sad.h') indirect_headers += files('rte_ipsec_group.h') -deps += ['mbuf', 'net', 'cryptodev', 'security', 'hash'] +deps += ['mbuf', 'net', 'cryptodev', 'security', 'hash', 'telemetry'] diff --git a/lib/ipsec/rte_ipsec.h b/lib/ipsec/rte_ipsec.h index dd60d95915..5308f250a7 100644 --- a/lib/ipsec/rte_ipsec.h +++ b/lib/ipsec/rte_ipsec.h 
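Review bot: Several points on the new ipsec_telemetry.c. (1) In handle_telemetry_cmd_ipsec_sa_details all four Tunnel-Type branches emit "IPv4-UDP"; the NAT-T IPv6 branch should report "IPv6-UDP" and the two non-NAT-T branches "IPv4" and "IPv6", otherwise the field carries no information. (2) `snprintf(sa_name, sizeof(sa_name), "SA_SPI_%i", rte_be_to_cpu_32(sa->spi));` formats an unsigned 32-bit SPI with %i, so SPIs at or above 0x80000000 get negative labels; use "%" PRIu32. (3) The stats handler reports sa->statistics.errors.count, but no hunk in this series increments errors.count or errors.authentication_failed, so the value is always 0; either increment it where packets are diverted to dr[] (the PKT_RX_SEC_OFFLOAD_FAILED and integrity-failure paths) or leave it out until it is maintained. (4) rte_ipsec_telemetry_sa_add stores a raw SA pointer and nothing in the series removes it when the SA is torn down; an application that releases an SA without calling rte_ipsec_telemetry_sa_del leaves a dangling pointer that every /ipsec/sa/* request dereferences. Calling rte_ipsec_telemetry_sa_del from the SA fini path, or at least documenting the requirement, would close that; rejecting double registration in sa_add is cheap as well. (5) The sequence-number block in the details handler nests an if/else inside an unbraced if, separated by a blank line; add braces so the binding is obvious. (6) Typo in the registered description: "stastistics".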
@@ -158,6 +158,29 @@ rte_ipsec_pkt_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], return ss->pkt_func.process(ss, mb, num); } + +/** + * Enable per SA telemetry for a specific SA. + * Note that this function is not thread safe + * @param sa + * Pointer to the *rte_ipsec_sa* object that will have telemetry enabled. + * @return + * 0 on success, negative value otherwise. + */ +__rte_experimental +int +rte_ipsec_telemetry_sa_add(const struct rte_ipsec_sa *sa); + +/** + * Disable per SA telemetry for a specific SA. + * Note that this function is not thread safe + * @param sa + * Pointer to the *rte_ipsec_sa* object that will have telemetry disabled. + */ +__rte_experimental +void +rte_ipsec_telemetry_sa_del(const struct rte_ipsec_sa *sa); + #include #ifdef __cplusplus diff --git a/lib/ipsec/sa.c b/lib/ipsec/sa.c index fa5a76cde1..bbe2fa3612 100644 --- a/lib/ipsec/sa.c +++ b/lib/ipsec/sa.c @@ -653,19 +653,25 @@ uint16_t pkt_flag_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], uint16_t num) { - uint32_t i, k; + uint32_t i, k, bytes; uint32_t dr[num]; RTE_SET_USED(ss); k = 0; + bytes = 0; for (i = 0; i != num; i++) { - if ((mb[i]->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) == 0) + if ((mb[i]->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) == 0) { k++; + bytes += mb[i]->pkt_len; + } else dr[i - k] = i; } + ss->sa->statistics.count += k; + ss->sa->statistics.bytes += bytes; + /* handle unprocessed mbufs */ if (k != num) { rte_errno = EBADMSG; diff --git a/lib/ipsec/sa.h b/lib/ipsec/sa.h index 107ebd1519..6e59f18e16 100644 --- a/lib/ipsec/sa.h +++ b/lib/ipsec/sa.h @@ -132,6 +132,15 @@ struct rte_ipsec_sa { struct replay_sqn *rsn[REPLAY_SQN_NUM]; } inb; } sqn; + /* Statistics */ + struct { + uint64_t count; + uint64_t bytes; + struct { + uint64_t count; + uint64_t authentication_failed; + } errors; + } statistics; } __rte_cache_aligned; diff --git a/lib/ipsec/version.map b/lib/ipsec/version.map index ba8753eac4..0af27ffd60 100644 
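Review bot: The rte_ipsec.h doc comments for rte_ipsec_telemetry_sa_add/del say only that the calls are not thread safe; they should also say that the SA pointer is retained until rte_ipsec_telemetry_sa_del is called, so the caller must unregister before releasing the SA, and that sa_add does not detect a second registration of the same SA. Nit: the "Note that this function is not thread safe" sentences lack a terminating period. In the sa.h hunk, `errors.authentication_failed` is introduced but never written anywhere in the series; either drop it or wire it up together with errors.count.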
--- a/lib/ipsec/version.map +++ b/lib/ipsec/version.map @@ -19,3 +19,12 @@ DPDK_22 { local: *; }; + +EXPERIMENTAL { + global: + + # added in 21.11 + rte_ipsec_telemetry_sa_add; + rte_ipsec_telemetry_sa_del; + +};
From: Radu Nicolau
To: Konstantin Ananyev, Bernard Iremonger, Vladimir Medvedkin
Cc: dev@dpdk.org, mdr@ashroe.eu, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau
Date: Thu, 14 Oct 2021 17:03:27 +0100
Message-Id: <20211014160329.579970-8-radu.nicolau@intel.com>
In-Reply-To: <20211014160329.579970-1-radu.nicolau@intel.com>
References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211014160329.579970-1-radu.nicolau@intel.com>
Subject: [dpdk-dev] [PATCH v10 7/9] ipsec: add support for initial SQN value

Update IPsec library to support initial SQN value.

Signed-off-by: Declan Doherty
Signed-off-by: Radu Nicolau
Signed-off-by: Abhijit Sinha
Signed-off-by: Daniel Martin Buckley
Acked-by: Fan Zhang
Acked-by: Konstantin Ananyev
--- doc/guides/rel_notes/release_21_11.rst | 1 + lib/ipsec/sa.c | 18 +++++++++++------- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 8286a6cee7..89ed92abd5 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -164,6 +164,7 @@ New Features * Added support for AEAD algorithms AES_CCM, CHACHA20_POLY1305 and AES_GMAC. * Added support for NAT-T / UDP encapsulated ESP * Added support for SA telemetry. + * Added support for setting a non default starting ESN value. Removed Items diff --git a/lib/ipsec/sa.c b/lib/ipsec/sa.c index bbe2fa3612..9d5ffda627 100644 --- a/lib/ipsec/sa.c +++ b/lib/ipsec/sa.c
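Review bot: The release_21_11.rst entry reads "non default starting ESN value"; "non-default" needs the hyphen, and since the sa.c hunks in this patch apply prm->ipsec_xform.esn.value to every SA as its initial sequence number whether or not ESN is enabled, "initial sequence number" describes the feature more accurately than "ESN value". It would also help to say where it applies: outbound SAs always, inbound SAs only when a replay window is configured, because fill_sa_replay is only reached under `if (nb != 0)`.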
@@ -294,11 +294,11 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm) * Init ESP outbound specific things. */ static void -esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) +esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen, uint64_t sqn) { uint8_t algo_type; - sa->sqn.outb = 1; + sa->sqn.outb = sqn > 1 ? sqn : 1; algo_type = sa->algo_type; @@ -376,7 +376,7 @@ esp_outb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm) sa->tx_offload.val = rte_mbuf_tx_offload(sa->hdr_l3_off, sa->hdr_len - sa->hdr_l3_off, 0, 0, 0, 0, 0); - esp_outb_init(sa, sa->hdr_len); + esp_outb_init(sa, sa->hdr_len, prm->ipsec_xform.esn.value); } /* @@ -502,7 +502,7 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS | RTE_IPSEC_SATP_NATT_ENABLE): case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS): - esp_outb_init(sa, 0); + esp_outb_init(sa, 0, prm->ipsec_xform.esn.value); break; } @@ -513,15 +513,19 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, * helper function, init SA replay structure. */ static void -fill_sa_replay(struct rte_ipsec_sa *sa, uint32_t wnd_sz, uint32_t nb_bucket) +fill_sa_replay(struct rte_ipsec_sa *sa, uint32_t wnd_sz, uint32_t nb_bucket, + uint64_t sqn) { sa->replay.win_sz = wnd_sz; sa->replay.nb_bucket = nb_bucket; sa->replay.bucket_index_mask = nb_bucket - 1; sa->sqn.inb.rsn[0] = (struct replay_sqn *)(sa + 1); - if ((sa->type & RTE_IPSEC_SATP_SQN_MASK) == RTE_IPSEC_SATP_SQN_ATOM) + sa->sqn.inb.rsn[0]->sqn = sqn; + if ((sa->type & RTE_IPSEC_SATP_SQN_MASK) == RTE_IPSEC_SATP_SQN_ATOM) { sa->sqn.inb.rsn[1] = (struct replay_sqn *) ((uintptr_t)sa->sqn.inb.rsn[0] + rsn_size(nb_bucket)); + sa->sqn.inb.rsn[1]->sqn = sqn; + } } int 
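Review bot: In the esp_outb_init hunk `sa->sqn.outb = sqn > 1 ? sqn : 1;` takes the full 64-bit esn.value without checking it against the SA's sequence-number width: for an SA without ESN the ESP sequence number is 32 bits, so a starting value above UINT32_MAX is accepted here and only trips the overflow handling on the first burst; the fill_sa_replay hunk likewise writes the value straight into `rsn[]->sqn`. Validate in rte_ipsec_sa_init that esn.value fits in 32 bits when options.esn == 0 (return -EINVAL), and document that 0 and 1 both mean "start at 1". For fill_sa_replay it is also worth a comment that seeding the inbound window at `sqn` makes the SA reject anything below `sqn - win_sz` as a replay from the outset, which is the intended semantics but surprising to a reader.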
@@ -601,7 +605,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, /* fill replay window related fields */ if (nb != 0) - fill_sa_replay(sa, wsz, nb); + fill_sa_replay(sa, wsz, nb, prm->ipsec_xform.esn.value); return sz; }
From: Radu Nicolau To: Ray Kinsella Cc: dev@dpdk.org, konstantin.ananyev@intel.com, vladimir.medvedkin@intel.com, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Thu, 14 Oct 2021 17:03:28 +0100 Message-Id: <20211014160329.579970-9-radu.nicolau@intel.com> In-Reply-To: <20211014160329.579970-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211014160329.579970-1-radu.nicolau@intel.com> Subject: [dpdk-dev] [PATCH v10 8/9] doc: remove unneeded ipsec new field deprecation The deprecation notice regarding extending rte_ipsec_sa_prm with a new field hdr_l3_len is no longer applicable. Signed-off-by: Radu Nicolau --- doc/guides/rel_notes/deprecation.rst | 3 --- 1 file changed, 3 deletions(-) diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst index a744fdb2c6..e11db1bd4a 100644 --- a/doc/guides/rel_notes/deprecation.rst +++ b/doc/guides/rel_notes/deprecation.rst
@@ -206,9 +206,6 @@ Deprecation Notices will be updated with new fields to support new features like TSO in case of protocol offload. -* ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field - ``hdr_l3_len`` to configure tunnel L3 header length. - * eventdev: The file ``rte_eventdev_pmd.h`` will be renamed to ``eventdev_driver.h`` to make the driver interface as internal and the structures ``rte_eventdev_data``, ``rte_eventdev`` and ``rte_eventdevs`` will be moved to a new file named
From patchwork Thu Oct 14 16:03:29 2021 X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 101646 X-Patchwork-Delegate: gakhil@marvell.com
From: Radu Nicolau To: Ray Kinsella Cc: dev@dpdk.org, konstantin.ananyev@intel.com, vladimir.medvedkin@intel.com, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Thu, 14 Oct 2021 17:03:29 +0100 Message-Id: <20211014160329.579970-10-radu.nicolau@intel.com> In-Reply-To: <20211014160329.579970-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211014160329.579970-1-radu.nicolau@intel.com> Subject: [dpdk-dev] [PATCH v10 9/9] doc: remove unneeded security deprecation The new fields regarding TSO support were not implemented; following feedback, it was decided to implement TSO support by using existing mbuf fields. Signed-off-by: Radu Nicolau --- doc/guides/rel_notes/deprecation.rst | 7 ------- 1 file changed, 7 deletions(-) diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst index e11db1bd4a..9585f90af6 100644 --- a/doc/guides/rel_notes/deprecation.rst +++ b/doc/guides/rel_notes/deprecation.rst
@@ -199,13 +199,6 @@ Deprecation Notices pointer for the private data to the application which can be attached to the packet while enqueuing. -* security: The structure ``rte_security_ipsec_xform`` will be extended with: - new field: IPsec payload MSS (Maximum Segment Size). - -* security: The IPsec SA config options ``struct rte_security_ipsec_sa_options`` - will be updated with new fields to support new features like TSO in case of - protocol offload. - * eventdev: The file ``rte_eventdev_pmd.h`` will be renamed to ``eventdev_driver.h`` to make the driver interface as internal and the structures ``rte_eventdev_data``, ``rte_eventdev`` and ``rte_eventdevs`` will be moved to a new file named
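Review bot: the commit message justifies dropping the first bullet (the IPsec payload MSS field in ``rte_security_ipsec_xform``, now unnecessary because TSO uses existing mbuf fields) but gives no reason for dropping the second one (``struct rte_security_ipsec_sa_options`` gaining new fields for TSO in protocol offload); either state in the message that the sa_options extension was abandoned for the same reason, or keep that bullet if any patch in this series still adds sa_options fields, since a deprecation notice removed ahead of the change it announces defeats its purpose.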