[v4] security: add telemetry endpoint for cryptodev security capabilities
Checks
Commit Message
Add telemetry endpoint for cryptodev security capabilities.
Signed-off-by: Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com>
---
v4:
- fixed typo in help.
---
doc/guides/prog_guide/rte_security.rst | 28 ++++
doc/guides/rel_notes/release_21_11.rst | 5 +
lib/security/rte_security.c | 182 +++++++++++++++++++++++++
3 files changed, 215 insertions(+)
Comments
> +static int
> +security_handle_cryptodev_crypto_caps(const char *cmd __rte_unused,
> const char *params,
> + struct rte_tel_data *d)
> +{
> + const struct rte_security_capability *capabilities;
> + struct rte_tel_data *crypto_caps;
> + const char *capa_param;
> + int dev_id, capa_id;
> + int crypto_caps_n;
> + char *end_param;
> + int rc;
> +
> + if (!params || strlen(params) == 0 || !isdigit(*params))
> + return -EINVAL;
> +
> + dev_id = strtoul(params, &end_param, 0);
> + capa_param = strtok(end_param, ",");
> + if (!capa_param || strlen(capa_param) == 0 ||
> !isdigit(*capa_param))
> + return -EINVAL;
> +
> + capa_id = strtoul(capa_param, &end_param, 0);
> + if (*end_param != '\0')
> + CDEV_LOG_ERR("Extra parameters passed to command,
> ignoring");
> +
> + rc = security_capabilities_from_dev_id(dev_id, (void *)&capabilities);
> + if (rc < 0)
> + return rc;
> +
> + crypto_caps = rte_tel_data_alloc();
> + RTE_PTR_OR_ERR_RET(crypto_caps, -ENOMEM);
> +
> + rte_tel_data_start_dict(d);
> + crypto_caps_n = crypto_caps_array(crypto_caps, capabilities-
> >crypto_capabilities);
> + if (capa_id >= crypto_caps_n) {
> + CDEV_LOG_ERR("Extra parameters passed to command,
> ignoring");
> + return -EINVAL;
> + }
Something is not correct here.
Capa_id is not getting used properly.
Security_capabilities should be traversed until capa_id and then extract
The corresponding crypto capabilities. Right?
> +
> + rte_tel_data_add_dict_container(d, "crypto_caps", crypto_caps, 0);
> + rte_tel_data_add_dict_int(d, "crypto_caps_n", crypto_caps_n);
> +
> + return 0;
> +}
> +
> +RTE_INIT(security_init_telemetry)
> +{
> + rte_telemetry_register_cmd("/security/cryptodev/list",
> + security_handle_cryptodev_list,
> + "Returns list of available crypto devices by IDs. No
> parameters.");
> +
> + rte_telemetry_register_cmd("/security/cryptodev/sec_caps",
> + security_handle_cryptodev_sec_caps,
> + "Returns security capabilities for a cryptodev. Parameters: int
> dev_id");
> +
> + rte_telemetry_register_cmd("/security/cryptodev/crypto_caps",
> + security_handle_cryptodev_crypto_caps,
> + "Returns crypto capabilities for a security capability.
> Parameters: int dev_id, sec_cap_id");
> +}
> --
> 2.25.1
>
> > +static int
> > +security_handle_cryptodev_crypto_caps(const char *cmd __rte_unused,
> > const char *params,
> > + struct rte_tel_data *d)
> > +{
> > + const struct rte_security_capability *capabilities;
> > + struct rte_tel_data *crypto_caps;
> > + const char *capa_param;
> > + int dev_id, capa_id;
> > + int crypto_caps_n;
> > + char *end_param;
> > + int rc;
> > +
> > + if (!params || strlen(params) == 0 || !isdigit(*params))
> > + return -EINVAL;
> > +
> > + dev_id = strtoul(params, &end_param, 0);
> > + capa_param = strtok(end_param, ",");
> > + if (!capa_param || strlen(capa_param) == 0 ||
> > !isdigit(*capa_param))
> > + return -EINVAL;
> > +
> > + capa_id = strtoul(capa_param, &end_param, 0);
> > + if (*end_param != '\0')
> > + CDEV_LOG_ERR("Extra parameters passed to command,
> > ignoring");
> > +
> > + rc = security_capabilities_from_dev_id(dev_id, (void *)&capabilities);
> > + if (rc < 0)
> > + return rc;
> > +
> > + crypto_caps = rte_tel_data_alloc();
> > + RTE_PTR_OR_ERR_RET(crypto_caps, -ENOMEM);
> > +
> > + rte_tel_data_start_dict(d);
> > + crypto_caps_n = crypto_caps_array(crypto_caps, capabilities-
> > >crypto_capabilities);
> > + if (capa_id >= crypto_caps_n) {
> > + CDEV_LOG_ERR("Extra parameters passed to command,
> > ignoring");
> > + return -EINVAL;
> > + }
>
> Something is not correct here.
> Capa_id is not getting used properly.
> Security_capabilities should be traversed until capa_id and then extract The
> corresponding crypto capabilities. Right?
>
Yeah right. Fixing it.
Thanks,
Gowrishankar
>
> > +
> > + rte_tel_data_add_dict_container(d, "crypto_caps", crypto_caps, 0);
> > + rte_tel_data_add_dict_int(d, "crypto_caps_n", crypto_caps_n);
> > +
> > + return 0;
> > +}
> > +
> > +RTE_INIT(security_init_telemetry)
> > +{
> > + rte_telemetry_register_cmd("/security/cryptodev/list",
> > + security_handle_cryptodev_list,
> > + "Returns list of available crypto devices by IDs. No
> > parameters.");
> > +
> > + rte_telemetry_register_cmd("/security/cryptodev/sec_caps",
> > + security_handle_cryptodev_sec_caps,
> > + "Returns security capabilities for a cryptodev. Parameters: int
> > dev_id");
> > +
> > + rte_telemetry_register_cmd("/security/cryptodev/crypto_caps",
> > + security_handle_cryptodev_crypto_caps,
> > + "Returns crypto capabilities for a security capability.
> > Parameters: int dev_id, sec_cap_id");
> > +}
> > --
> > 2.25.1
@@ -728,3 +728,31 @@ it is only valid to have a single flow to map to that security session.
+-------+ +--------+ +-----+
| Eth | -> ... -> | ESP | -> | END |
+-------+ +--------+ +-----+
+
+
+Telemetry support
+-----------------
+
+The Security library has support for displaying Crypto device information
+with respect to its Security capabilities. Telemetry commands that can be used
+are shown below.
+
+#. Get the list of available Crypto devices by ID, that supports Security features::
+
+ --> /security/cryptodev/list
+ {"/security/cryptodev/list": [0, 1, 2, 3]}
+
+#. Get the security capabilities of a Crypto device::
+
+ --> /security/cryptodev/sec_caps,0
+ {"/security/cryptodev/sec_caps": {"sec_caps": [<array of serialized bytes of
+ capabilities>], "sec_caps_n": <number of capabilities>}}
+
+ #. Get the security crypto capabilities of a Crypto device::
+
+ --> /security/cryptodev/crypto_caps,0,0
+ {"/security/cryptodev/crypto_caps": {"crypto_caps": [<array of serialized bytes of
+ capabilities>], "crypto_caps_n": <number of capabilities>}}
+
+For more information on how to use the Telemetry interface, see
+the :doc:`../howto/telemetry`.
@@ -197,6 +197,11 @@ New Features
* Added port representors support on SN1000 SmartNICs
* Added flow API transfer proxy support
+* **Added Telemetry callback to Security library.**
+
+ Added Telemetry callback functions to query security capabilities of
+ Crypto device.
+
* **Updated Marvell cnxk crypto PMD.**
* Added AES-CBC SHA1-HMAC support in lookaside protocol (IPsec) for CN10K.
@@ -4,8 +4,10 @@
* Copyright (c) 2020 Samsung Electronics Co., Ltd All Rights Reserved
*/
+#include <rte_cryptodev.h>
#include <rte_malloc.h>
#include <rte_dev.h>
+#include <rte_telemetry.h>
#include "rte_compat.h"
#include "rte_security.h"
#include "rte_security_driver.h"
@@ -203,3 +205,183 @@ rte_security_capability_get(struct rte_security_ctx *instance,
return NULL;
}
+
+static int
+security_handle_cryptodev_list(const char *cmd __rte_unused,
+ const char *params __rte_unused,
+ struct rte_tel_data *d)
+{
+ int dev_id;
+
+ if (rte_cryptodev_count() < 1)
+ return -1;
+
+ rte_tel_data_start_array(d, RTE_TEL_INT_VAL);
+ for (dev_id = 0; dev_id < RTE_CRYPTO_MAX_DEVS; dev_id++)
+ if (rte_cryptodev_is_valid_dev(dev_id) &&
+ rte_cryptodev_get_sec_ctx(dev_id))
+ rte_tel_data_add_array_int(d, dev_id);
+
+ return 0;
+}
+
+#define CRYPTO_CAPS_SZ \
+ (RTE_ALIGN_CEIL(sizeof(struct rte_cryptodev_capabilities), \
+ sizeof(uint64_t)) / sizeof(uint64_t))
+
+static int
+crypto_caps_array(struct rte_tel_data *d,
+ const struct rte_cryptodev_capabilities *capabilities)
+{
+ const struct rte_cryptodev_capabilities *dev_caps;
+ uint64_t caps_val[CRYPTO_CAPS_SZ];
+ unsigned int i = 0, j;
+
+ rte_tel_data_start_array(d, RTE_TEL_U64_VAL);
+
+ while ((dev_caps = &capabilities[i++])->op !=
+ RTE_CRYPTO_OP_TYPE_UNDEFINED) {
+ memset(&caps_val, 0, CRYPTO_CAPS_SZ * sizeof(caps_val[0]));
+ rte_memcpy(caps_val, dev_caps, sizeof(capabilities[0]));
+ for (j = 0; j < CRYPTO_CAPS_SZ; j++)
+ rte_tel_data_add_array_u64(d, caps_val[j]);
+ }
+
+ return i;
+}
+
+#define SEC_CAPS_SZ \
+ (RTE_ALIGN_CEIL(sizeof(struct rte_security_capability), \
+ sizeof(uint64_t)) / sizeof(uint64_t))
+
+static int
+sec_caps_array(struct rte_tel_data *d,
+ const struct rte_security_capability *capabilities)
+{
+ const struct rte_security_capability *dev_caps;
+ uint64_t caps_val[SEC_CAPS_SZ];
+ unsigned int i = 0, j;
+
+ rte_tel_data_start_array(d, RTE_TEL_U64_VAL);
+
+ while ((dev_caps = &capabilities[i++])->action !=
+ RTE_SECURITY_ACTION_TYPE_NONE) {
+ memset(&caps_val, 0, SEC_CAPS_SZ * sizeof(caps_val[0]));
+ rte_memcpy(caps_val, dev_caps, sizeof(capabilities[0]));
+ for (j = 0; j < SEC_CAPS_SZ; j++)
+ rte_tel_data_add_array_u64(d, caps_val[j]);
+ }
+
+ return i;
+}
+
+static int
+security_capabilities_from_dev_id(int dev_id, const void **caps)
+{
+ const struct rte_security_capability *capabilities;
+ struct rte_security_ctx *sec_ctx;
+
+ if (rte_cryptodev_is_valid_dev(dev_id) == 0)
+ return -EINVAL;
+
+ sec_ctx = (struct rte_security_ctx *)rte_cryptodev_get_sec_ctx(dev_id);
+ RTE_PTR_OR_ERR_RET(sec_ctx, -EINVAL);
+
+ capabilities = rte_security_capabilities_get(sec_ctx);
+ RTE_PTR_OR_ERR_RET(capabilities, -EINVAL);
+
+ *caps = capabilities;
+ return 0;
+}
+
+static int
+security_handle_cryptodev_sec_caps(const char *cmd __rte_unused, const char *params,
+ struct rte_tel_data *d)
+{
+ const struct rte_security_capability *capabilities;
+ struct rte_tel_data *sec_caps;
+ char *end_param;
+ int sec_caps_n;
+ int dev_id;
+ int rc;
+
+ if (!params || strlen(params) == 0 || !isdigit(*params))
+ return -EINVAL;
+
+ dev_id = strtoul(params, &end_param, 0);
+ if (*end_param != '\0')
+ CDEV_LOG_ERR("Extra parameters passed to command, ignoring");
+
+ rc = security_capabilities_from_dev_id(dev_id, (void *)&capabilities);
+ if (rc < 0)
+ return rc;
+
+ sec_caps = rte_tel_data_alloc();
+ RTE_PTR_OR_ERR_RET(sec_caps, -ENOMEM);
+
+ rte_tel_data_start_dict(d);
+ sec_caps_n = sec_caps_array(sec_caps, capabilities);
+ rte_tel_data_add_dict_container(d, "sec_caps", sec_caps, 0);
+ rte_tel_data_add_dict_int(d, "sec_caps_n", sec_caps_n);
+
+ return 0;
+}
+
+static int
+security_handle_cryptodev_crypto_caps(const char *cmd __rte_unused, const char *params,
+ struct rte_tel_data *d)
+{
+ const struct rte_security_capability *capabilities;
+ struct rte_tel_data *crypto_caps;
+ const char *capa_param;
+ int dev_id, capa_id;
+ int crypto_caps_n;
+ char *end_param;
+ int rc;
+
+ if (!params || strlen(params) == 0 || !isdigit(*params))
+ return -EINVAL;
+
+ dev_id = strtoul(params, &end_param, 0);
+ capa_param = strtok(end_param, ",");
+ if (!capa_param || strlen(capa_param) == 0 || !isdigit(*capa_param))
+ return -EINVAL;
+
+ capa_id = strtoul(capa_param, &end_param, 0);
+ if (*end_param != '\0')
+ CDEV_LOG_ERR("Extra parameters passed to command, ignoring");
+
+ rc = security_capabilities_from_dev_id(dev_id, (void *)&capabilities);
+ if (rc < 0)
+ return rc;
+
+ crypto_caps = rte_tel_data_alloc();
+ RTE_PTR_OR_ERR_RET(crypto_caps, -ENOMEM);
+
+ rte_tel_data_start_dict(d);
+ crypto_caps_n = crypto_caps_array(crypto_caps, capabilities->crypto_capabilities);
+ if (capa_id >= crypto_caps_n) {
+ CDEV_LOG_ERR("Extra parameters passed to command, ignoring");
+ return -EINVAL;
+ }
+
+ rte_tel_data_add_dict_container(d, "crypto_caps", crypto_caps, 0);
+ rte_tel_data_add_dict_int(d, "crypto_caps_n", crypto_caps_n);
+
+ return 0;
+}
+
+RTE_INIT(security_init_telemetry)
+{
+ rte_telemetry_register_cmd("/security/cryptodev/list",
+ security_handle_cryptodev_list,
+ "Returns list of available crypto devices by IDs. No parameters.");
+
+ rte_telemetry_register_cmd("/security/cryptodev/sec_caps",
+ security_handle_cryptodev_sec_caps,
+ "Returns security capabilities for a cryptodev. Parameters: int dev_id");
+
+ rte_telemetry_register_cmd("/security/cryptodev/crypto_caps",
+ security_handle_cryptodev_crypto_caps,
+ "Returns crypto capabilities for a security capability. Parameters: int dev_id, sec_cap_id");
+}