From patchwork Tue Oct 24 14:15:41 2017
X-Patchwork-Submitter: Akhil Goyal
X-Patchwork-Id: 30808
From: Akhil Goyal
Date: Tue, 24 Oct 2017 19:45:41 +0530
Message-ID: <20171024141545.30837-8-akhil.goyal@nxp.com>
In-Reply-To: <20171024141545.30837-1-akhil.goyal@nxp.com>
References: <20171014221734.15511-1-akhil.goyal@nxp.com> <20171024141545.30837-1-akhil.goyal@nxp.com>
Subject: [dpdk-dev] [PATCH v5 07/11] ethdev: add rte flow action for crypto
List-Id: DPDK patches and discussions

From: Boris Pismenny

The crypto action is specified by an application to request crypto offload for a flow.

Signed-off-by: Boris Pismenny
Signed-off-by: Aviad Yehezkel
Reviewed-by: John McNamara
Acked-by: John McNamara
--- doc/guides/prog_guide/rte_flow.rst | 84 +++++++++++++++++++++++++++++++++++++- lib/librte_ether/rte_flow.h | 39 ++++++++++++++++++ 2 files changed, 121 insertions(+), 2 deletions(-) diff --git a/doc/guides/prog_guide/rte_flow.rst b/doc/guides/prog_guide/rte_flow.rst index bcb438e..d158be5 100644 --- a/doc/guides/prog_guide/rte_flow.rst +++ b/doc/guides/prog_guide/rte_flow.rst @@ -187,7 +187,7 @@ Pattern item Pattern items fall in two categories: - Matching protocol headers and packet data (ANY, RAW, ETH, VLAN, IPV4, - IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE and so on), usually + IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE, ESP and so on), usually associated with a specification structure. - Matching meta-data or affecting pattern processing (END, VOID, INVERT, PF, @@ -972,6 +972,14 @@ flow rules. - ``teid``: tunnel endpoint identifier. - Default ``mask`` matches teid only. +Item: ``ESP`` +^^^^^^^^^^^^^ + +Matches an ESP header. + +- ``hdr``: ESP header definition (``rte_esp.h``). +- Default ``mask`` matches SPI only. + Actions ~~~~~~~
@@ -989,7 +997,7 @@ They fall in three categories: additional processing by subsequent flow rules. - Other non-terminating meta actions that do not affect the fate of packets - (END, VOID, MARK, FLAG, COUNT). + (END, VOID, MARK, FLAG, COUNT, SECURITY). When several actions are combined in a flow rule, they should all have different types (e.g. dropping a packet twice is not possible). 
@@ -1394,6 +1402,78 @@ the rte_mtr* API. | ``mtr_id`` | MTR object ID | +--------------+---------------+ +Action: ``SECURITY`` +^^^^^^^^^^^^^^^^^^^^ + +Perform the security action on flows matched by the pattern items +according to the configuration of the security session. + +This action modifies the payload of matched flows. For INLINE_CRYPTO, the +security protocol headers and IV are fully provided by the application as +specified in the flow pattern. The payload of matching packets is +encrypted on egress, and decrypted and authenticated on ingress. +For INLINE_PROTOCOL, the security protocol is fully offloaded to HW, +providing full encapsulation and decapsulation of packets in security +protocols. The flow pattern specifies both the outer security header fields +and the inner packet fields. The security session specified in the action +must match the pattern parameters. + +The security session specified in the action must be created on the same +port as the flow action that is being specified. + +The ingress/egress flow attribute should match that specified in the +security session if the security session supports the definition of the +direction. + +Multiple flows can be configured to use the same security session. + +- Non-terminating by default. + +.. _table_rte_flow_action_security: + +.. table:: SECURITY + + +----------------------+--------------------------------------+ + | Field | Value | + +======================+======================================+ + | ``security_session`` | security session to apply | + +----------------------+--------------------------------------+ + +The following is an example of configuring IPsec inline using the +INLINE_CRYPTO security session: + +The encryption algorithm, keys and salt are part of the opaque +``rte_security_session``. The SA is identified according to the IP and ESP +fields in the pattern items. + +.. _table_rte_flow_item_esp_inline_example: + +.. table:: IPsec inline crypto flow pattern items. 
+ + +-------+----------+ + | Index | Item | + +=======+==========+ + | 0 | Ethernet | + +-------+----------+ + | 1 | IPv4 | + +-------+----------+ + | 2 | ESP | + +-------+----------+ + | 3 | END | + +-------+----------+ + +.. _table_rte_flow_action_esp_inline_example: + +.. table:: IPsec inline flow actions. + + +-------+----------+ + | Index | Action | + +=======+==========+ + | 0 | SECURITY | + +-------+----------+ + | 1 | END | + +-------+----------+ + Negative types ~~~~~~~~~~~~~~ diff --git a/lib/librte_ether/rte_flow.h b/lib/librte_ether/rte_flow.h index bd8274d..47c88ea 100644 --- a/lib/librte_ether/rte_flow.h +++ b/lib/librte_ether/rte_flow.h @@ -1001,6 +1001,14 @@ enum rte_flow_action_type { * See file rte_mtr.h for MTR object configuration. */ RTE_FLOW_ACTION_TYPE_METER, + + /** + * Redirects packets to security engine of current device for security + * processing as specified by security session. + * + * See struct rte_flow_action_security. + */ + RTE_FLOW_ACTION_TYPE_SECURITY }; /** 
@@ -1108,6 +1116,37 @@ struct rte_flow_action_meter { }; /** + * RTE_FLOW_ACTION_TYPE_SECURITY + * + * Perform the security action on flows matched by the pattern items + * according to the configuration of the security session. + * + * This action modifies the payload of matched flows. For INLINE_CRYPTO, the + * security protocol headers and IV are fully provided by the application as + * specified in the flow pattern. The payload of matching packets is + * encrypted on egress, and decrypted and authenticated on ingress. + * For INLINE_PROTOCOL, the security protocol is fully offloaded to HW, + * providing full encapsulation and decapsulation of packets in security + * protocols. The flow pattern specifies both the outer security header fields + * and the inner packet fields. The security session specified in the action + * must match the pattern parameters. + * + * The security session specified in the action must be created on the same + * port as the flow action that is being specified. + * + * The ingress/egress flow attribute should match that specified in the + * security session if the security session supports the definition of the + * direction. + * + * Multiple flows can be configured to use the same security session. + * + * Non-terminating by default. + */ +struct rte_flow_action_security { + void *security_session; /**< Pointer to security session structure. */ +}; + +/** * Definition of a single action. * * A list of actions is terminated by a END action.
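Review bot: in the rte_flow.rst hunk at @@ -972, the new "Item: ``ESP``" section documents a pattern item with an ``hdr`` field, but neither rte_flow.h hunk in this patch adds an ESP item type or item structure; the header changes add only RTE_FLOW_ACTION_TYPE_SECURITY and struct rte_flow_action_security. If the item is defined in another patch of the series, move this section and the ESP addition to the pattern item list at @@ -187 into that patch, so documentation and definition land together and this patch does not describe an item that is absent when it is applied on its own. The subject line says "add rte flow action", which also does not cover a new pattern item.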
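Review bot: in the rte_flow.rst hunk at @@ -989, SECURITY is added to the meta actions "that do not affect the fate of packets", while the action's own description in this patch says "This action modifies the payload of matched flows" and the enum comment says it "Redirects packets to security engine of current device". As written the passages contradict each other. Either qualify SECURITY in this list or reword the category so that encryption, decryption and encapsulation are clearly covered by it.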
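Review bot: in the "Action: ``SECURITY``" section added at @@ -1394, the requirements are stated with mixed strength and no failure behaviour: the session "must" be created on the same port and "must match the pattern parameters", but the ingress/egress attribute only "should match". State what flow validation or creation returns when any of these is violated, since a rule bound to a session for the wrong port, direction or SA could process traffic under a security association it was not meant for. "Multiple flows can be configured to use the same security session" also needs a sentence on what happens to those flows when the session is destroyed. Minor: "The following is an example of configuring IPsec inline using the INLINE_CRYPTO security session:" ends with a colon but is followed by another paragraph rather than the example tables; swap the two paragraphs or drop the colon.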
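Review bot: in the rte_flow.h hunk at @@ -1001, RTE_FLOW_ACTION_TYPE_SECURITY is added without a trailing comma, unlike "RTE_FLOW_ACTION_TYPE_METER," directly above it. Add the comma so that the next enumerator can be appended without touching this line again.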
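Review bot: in the rte_flow.h hunk at @@ -1108, struct rte_flow_action_security declares "void *security_session;", so the compiler accepts any pointer in this field. The .rst text in this patch calls the object the opaque ``rte_security_session``, so a forward-declared "struct rte_security_session *" would give type checking without exposing the layout. The comment should also state ownership and lifetime: whether the session must outlive every flow rule that references it, given that "Multiple flows can be configured to use the same security session", and what a driver is expected to do when it does not. Lastly, this comment block repeats the .rst section word for word; consider keeping the header comment short and pointing to the guide so the two texts cannot drift apart.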