From patchwork Wed Oct 25 15:07:22 2017
X-Patchwork-Submitter: Akhil Goyal
X-Patchwork-Id: 30882
From: Akhil Goyal
Date: Wed, 25 Oct 2017 20:37:22 +0530
Message-ID: <20171025150727.30364-6-akhil.goyal@nxp.com>
In-Reply-To: <20171025150727.30364-1-akhil.goyal@nxp.com>
References: <20171024141545.30837-1-akhil.goyal@nxp.com> <20171025150727.30364-1-akhil.goyal@nxp.com>
Subject: [dpdk-dev] [PATCH v6 05/10] ethdev: add rte flow action for crypto

From: Boris Pismenny

The crypto action is specified by an application to request crypto offload for a flow.

Signed-off-by: Boris Pismenny
Signed-off-by: Aviad Yehezkel
Reviewed-by: John McNamara
Acked-by: John McNamara
--- doc/guides/prog_guide/rte_flow.rst | 84 +++++++++++++++++++++++++++++++++++++- lib/librte_ether/rte_flow.h | 39 ++++++++++++++++++ 2 files changed, 121 insertions(+), 2 deletions(-) diff --git a/doc/guides/prog_guide/rte_flow.rst b/doc/guides/prog_guide/rte_flow.rst index bcb438e..d158be5 100644 --- a/doc/guides/prog_guide/rte_flow.rst +++ b/doc/guides/prog_guide/rte_flow.rst @@ -187,7 +187,7 @@ Pattern item Pattern items fall in two categories: - Matching protocol headers and packet data (ANY, RAW, ETH, VLAN, IPV4, - IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE and so on), usually + IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE, ESP and so on), usually associated with a specification structure. - Matching meta-data or affecting pattern processing (END, VOID, INVERT, PF, 
@@ -972,6 +972,14 @@ flow rules. - ``teid``: tunnel endpoint identifier. - Default ``mask`` matches teid only. +Item: ``ESP`` +^^^^^^^^^^^^^ + +Matches an ESP header. + +- ``hdr``: ESP header definition (``rte_esp.h``). +- Default ``mask`` matches SPI only. + Actions ~~~~~~~ @@ -989,7 +997,7 @@ They fall in three categories: additional processing by subsequent flow rules. - Other non-terminating meta actions that do not affect the fate of packets - (END, VOID, MARK, FLAG, COUNT). + (END, VOID, MARK, FLAG, COUNT, SECURITY). When several actions are combined in a flow rule, they should all have different types (e.g. dropping a packet twice is not possible). 
@@ -1394,6 +1402,78 @@ the rte_mtr* API. | ``mtr_id`` | MTR object ID | +--------------+---------------+ +Action: ``SECURITY`` +^^^^^^^^^^^^^^^^^^^^ + +Perform the security action on flows matched by the pattern items +according to the configuration of the security session. + +This action modifies the payload of matched flows. For INLINE_CRYPTO, the +security protocol headers and IV are fully provided by the application as +specified in the flow pattern. The payload of matching packets is +encrypted on egress, and decrypted and authenticated on ingress. +For INLINE_PROTOCOL, the security protocol is fully offloaded to HW, +providing full encapsulation and decapsulation of packets in security +protocols. The flow pattern specifies both the outer security header fields +and the inner packet fields. The security session specified in the action +must match the pattern parameters. + +The security session specified in the action must be created on the same +port as the flow action that is being specified. + +The ingress/egress flow attribute should match that specified in the +security session if the security session supports the definition of the +direction. + +Multiple flows can be configured to use the same security session. + +- Non-terminating by default. + +.. _table_rte_flow_action_security: + +.. table:: SECURITY + + +----------------------+--------------------------------------+ + | Field | Value | + +======================+======================================+ + | ``security_session`` | security session to apply | + +----------------------+--------------------------------------+ + +The following is an example of configuring IPsec inline using the +INLINE_CRYPTO security session: + +The encryption algorithm, keys and salt are part of the opaque +``rte_security_session``. The SA is identified according to the IP and ESP +fields in the pattern items. + +.. _table_rte_flow_item_esp_inline_example: + +.. table:: IPsec inline crypto flow pattern items. 
+ + +-------+----------+ + | Index | Item | + +=======+==========+ + | 0 | Ethernet | + +-------+----------+ + | 1 | IPv4 | + +-------+----------+ + | 2 | ESP | + +-------+----------+ + | 3 | END | + +-------+----------+ + +.. _table_rte_flow_action_esp_inline_example: + +.. table:: IPsec inline flow actions. + + +-------+----------+ + | Index | Action | + +=======+==========+ + | 0 | SECURITY | + +-------+----------+ + | 1 | END | + +-------+----------+ + Negative types ~~~~~~~~~~~~~~ diff --git a/lib/librte_ether/rte_flow.h b/lib/librte_ether/rte_flow.h index bd8274d..47c88ea 100644 --- a/lib/librte_ether/rte_flow.h +++ b/lib/librte_ether/rte_flow.h @@ -1001,6 +1001,14 @@ enum rte_flow_action_type { * See file rte_mtr.h for MTR object configuration. */ RTE_FLOW_ACTION_TYPE_METER, + + /** + * Redirects packets to security engine of current device for security + * processing as specified by security session. + * + * See struct rte_flow_action_security. + */ + RTE_FLOW_ACTION_TYPE_SECURITY }; /** 
@@ -1108,6 +1116,37 @@ struct rte_flow_action_meter { }; /** + * RTE_FLOW_ACTION_TYPE_SECURITY + * + * Perform the security action on flows matched by the pattern items + * according to the configuration of the security session. + * + * This action modifies the payload of matched flows. For INLINE_CRYPTO, the + * security protocol headers and IV are fully provided by the application as + * specified in the flow pattern. The payload of matching packets is + * encrypted on egress, and decrypted and authenticated on ingress. + * For INLINE_PROTOCOL, the security protocol is fully offloaded to HW, + * providing full encapsulation and decapsulation of packets in security + * protocols. The flow pattern specifies both the outer security header fields + * and the inner packet fields. The security session specified in the action + * must match the pattern parameters. + * + * The security session specified in the action must be created on the same + * port as the flow action that is being specified. + * + * The ingress/egress flow attribute should match that specified in the + * security session if the security session supports the definition of the + * direction. + * + * Multiple flows can be configured to use the same security session. + * + * Non-terminating by default. + */ +struct rte_flow_action_security { + void *security_session; /**< Pointer to security session structure. */ +}; + +/** * Definition of a single action. * * A list of actions is terminated by a END action.
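
Review bot: The new "Item: ESP" section in doc/guides/prog_guide/rte_flow.rst (hunk @@ -972,6 +972,14 @@) documents a "hdr" field and a default mask, but neither rte_flow.h hunk in this patch adds an ESP pattern item type or an item structure for it; the 39 lines added to rte_flow.h are only the SECURITY action enum value and struct rte_flow_action_security. Either name in the commit message which patch of the series introduces the ESP item, or move this section and the "GRE, ESP and so on" list change (hunk @@ -187,7 +187,7 @@) into that patch so the documentation and the definition land together.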
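
Review bot: In the rte_flow.rst hunk @@ -989,7 +997,7 @@, SECURITY is appended to the list of meta actions "that do not affect the fate of packets", while the description of the same action added further down in this patch says "This action modifies the payload of matched flows". Please say what "fate" covers here, or give SECURITY its own sentence stating that it is non-terminating but rewrites the payload, so that readers do not take it to be as passive as MARK, FLAG or COUNT.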
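
Review bot: The "Action: SECURITY" text in the rte_flow.rst hunk @@ -1394,6 +1402,78 @@ says the session "must match the pattern parameters" and "must be created on the same port as the flow action", but not what the application gets back when either condition is violated. Please document the expected failure, i.e. whether rule validation or creation is meant to reject such a rule and with which error, so that nobody assumes a mismatched rule is accepted and the traffic passes without the security processing. Two smaller points in the same hunk: the sentence ending "using the INLINE_CRYPTO security session:" is followed by another paragraph instead of the example tables it introduces, and the commit subject and message say "crypto action" while the action is named SECURITY throughout.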
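
Review bot: RTE_FLOW_ACTION_TYPE_SECURITY in the rte_flow.h enum hunk @@ -1001,6 +1001,14 @@ is added without a trailing comma, unlike "RTE_FLOW_ACTION_TYPE_METER," directly above it, so the next action type will have to touch this line again; please add the comma. The comment's "Redirects packets to security engine of current device" would also be better aligned with the struct documentation ("Perform the security action on flows matched by the pattern items"), since "redirects" reads like a terminating action while the same patch documents SECURITY as non-terminating.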
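
Review bot: "void *security_session;" in struct rte_flow_action_security (rte_flow.h hunk @@ -1108,6 +1116,37 @@) lets a pointer to any object compile, and its comment says only "Pointer to security session structure" without naming the type, although the .rst text in this patch refers to the opaque rte_security_session. Consider a forward-declared "struct rte_security_session *", or at least name the expected type in the field comment. The comment block also states "Multiple flows can be configured to use the same security session" but says nothing about lifetime; please state whether the session has to outlive every flow rule that references it and in which order the application is expected to destroy the rules and the session.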