[v2,4/5] security: support TLS record lifetime notification

Message ID 20231003104854.1381-5-anoobj@marvell.com (mailing list archive)
State Accepted, archived
Delegated to: akhil goyal
Series: add TLS record processing security offload

Checks

Context        Check    Description
ci/checkpatch  success  coding style OK

Commit Message

Anoob Joseph Oct. 3, 2023, 10:48 a.m. UTC
  From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Support TLS record lifetime notification. TLS record sessions may need
to be renegotiated after a specific number of records are processed. For
devices that are capable of tracking lifetime, the application may request
to do so by configuring the lifetime parameters in the session. Upon soft
expiry, the PMD will set the notification in the `rte_crypto_op.aux_flags` field.

Hard expiration of the session would mean any subsequent crypto
operation would fail.

Extend `rte_crypto_op.aux_flags` to support all sessions that may have a
lifetime notification and include TLS record lifetime under the same.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 lib/cryptodev/rte_crypto.h  | 11 ++++++++++-
 lib/security/rte_security.h | 18 ++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
  

Patch

diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h
index 7b8f2bdc6d..9fe3e3d529 100644
--- a/lib/cryptodev/rte_crypto.h
+++ b/lib/cryptodev/rte_crypto.h
@@ -64,9 +64,18 @@  enum rte_crypto_op_sess_type {
 	RTE_CRYPTO_OP_SECURITY_SESSION	/**< Security session crypto operation */
 };
 
+/* Auxiliary flags related to crypto operation */
+#define RTE_CRYPTO_OP_AUX_FLAGS_SESS_SOFT_EXPIRY (1 << 0)
+/**< Session soft expiry limit has been reached. Applicable for any session that has a soft lifetime
+ * feature supported.
+ *
+ * @see rte_security_ipsec_lifetime
+ * @see rte_security_tls_record_lifetime
+ */
+
 /* Auxiliary flags related to IPsec offload with RTE_SECURITY */
 
-#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY (1 << 0)
+#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY RTE_CRYPTO_OP_AUX_FLAGS_SESS_SOFT_EXPIRY
 /**< SA soft expiry limit has been reached */
 
 /**
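Review bot: the comment left on `RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY` still reads "SA soft expiry limit has been reached" and nothing says the macro is now an alias of `RTE_CRYPTO_OP_AUX_FLAGS_SESS_SOFT_EXPIRY`. Please state in that comment that the old name is kept for existing IPsec users and that both names are bit 0, so a reader does not assume IPsec and TLS soft expiry can be told apart from `aux_flags` alone. The new doc block could also say that this flag covers soft expiry only; the hard-expiry failure described in the commit message is not mentioned in this header hunk.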
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 89e61e10ad..00d2a29a01 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -654,6 +654,22 @@  struct rte_security_tls_record_sess_options {
 	uint32_t extra_padding_enable : 1;
 };
 
+/**
+ * Configure soft and hard lifetime of a TLS record session
+ *
+ * Lifetime of a TLS record session would specify the maximum number of packets that can be
+ * processed. TLS record processing operations would start failing once hard limit is reached.
+ *
+ * Soft limits can be specified to generate notification when the TLS record session is approaching
+ * hard limits for lifetime. This would result in a warning returned in ``rte_crypto_op.aux_flags``.
+ */
+struct rte_security_tls_record_lifetime {
+	/** Soft expiry limit in number of packets */
+	uint64_t packets_soft_limit;
+	/** Hard expiry limit in number of packets */
+	uint64_t packets_hard_limit;
+};
+
 /**
  * TLS record protocol session configuration.
  *
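Review bot: the fields of `struct rte_security_tls_record_lifetime` are named and documented in packets (`packets_soft_limit`, "in number of packets"), while the commit message speaks of a number of records processed. Please say explicitly that one unit is one TLS record, or name the fields accordingly, because the application sizes these limits to trigger renegotiation before operations start failing. The comment should also define what a value of 0 means for each limit and whether the soft limit is expected to be lower than the hard limit.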
@@ -666,6 +682,8 @@  struct rte_security_tls_record_xform {
 	enum rte_security_tls_sess_type type;
 	/** TLS record session options. */
 	struct rte_security_tls_record_sess_options options;
+	/** TLS record session lifetime. */
+	struct rte_security_tls_record_lifetime life;
 	union {
 		/** TLS 1.2 parameters. */
 		struct {
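Review bot: the comment on the new `life` member does not say that lifetime tracking is optional, although the commit message limits it to devices that are capable of tracking lifetime, and nothing in this patch adds a capability field next to it. Please document how an application finds out whether the PMD honours `life`, and what session creation does when limits are set on a device that cannot track them. Without that, an application could rely on a hard limit that is never enforced.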