[dpdk-dev] [PATCH v5 00/11] introduce security offload library

Akhil Goyal akhil.goyal at nxp.com
Tue Oct 24 16:15:34 CEST 2017


This patchset introduces the rte_security library in DPDK.
It also includes sample driver implementations and
changes to the ipsec gateway application to demonstrate its usage.


The rte_security library is implemented on the idea proposed earlier [1],[2],[3]
to support IPsec inline and look-aside crypto offload. Though
the current focus is only on the IPsec protocol, the library is
not limited to IPsec; it can be extended to other security
protocols, e.g. MACSEC, PDCP or DTLS.

In this library, crypto/ethernet devices can register themselves with
the security library to support security offload.

The library supports 3 modes of operation:
1. full protocol offload using crypto devices.
   (RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
2. inline ipsec using ethernet devices to perform crypto operations
   (RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
3. full protocol offload using ethernet devices.
   (RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)

The details for each mode are documented in the patchset in
doc/guides/prog_guide/rte_security.rst

The modification in the application ipsec-secgw is also documented in
doc/guides/sample_app_ug/ipsec_secgw.rst

This patchset is also available at:
git://dpdk.org/draft/dpdk-draft-ipsec
branch: integration_v5

changes in v5:
1. Incorporated comments from Shahaf, Konstantin and Thomas 
2. Rebased over latest crypto-next tree (which is rebased over master) +
   Aviad's v3 of ipsec-secgw fixes.

changes in v4:
1. Incorporated comments from Konstantin.
2. rebased over master
3. rebased over ipsec patches sent by Aviad
http://dpdk.org/ml/archives/dev/2017-October/079192.html
4. resolved multi process limitation
5. minor updates in documentation and drivers

changes in v3:
1. fixed compilation for FreeBSD
2. Incorporated comments from Pablo, John, Shahaf
3. Updated drivers for dpaa2_sec and ixgbe for some minor fixes
4. patch titles updated
5. fixed return type of rte_cryptodev_get_sec_id

changes in v2:
1. update documentation for rte_flow.
2. fixed API to unregister device to security library.
3. incorporated most of the comments from Jerin.
4. updated rte_security documentation as per the review comments from John.
5. Certain application updates for some cases.
6. updated changes in mbuf as per the comments from Olivier.

Future enhancements:
1. for full protocol offload - error handling and notification cases
2. add more security protocols
3. test application support
4. anti-replay support
5. SA time out support
6. Support Multi process use case

Reference:
[1] http://dpdk.org/ml/archives/dev/2017-July/070793.html
[2] http://dpdk.org/ml/archives/dev/2017-July/071893.html
[3] http://dpdk.org/ml/archives/dev/2017-August/072900.html


Akhil Goyal (6):
  lib/rte_security: add security library
  doc: add details of rte security
  cryptodev: support security APIs
  mk: add rte security into build system
  crypto/dpaa2_sec: add support for protocol offload ipsec
  examples/ipsec-secgw: add support for security offload

Boris Pismenny (3):
  net: add ESP header to generic flow steering
  mbuf: add security crypto flags and mbuf fields
  ethdev: add rte flow action for crypto

Declan Doherty (1):
  ethdev: support security APIs

Radu Nicolau (1):
  net/ixgbe: enable inline ipsec

 MAINTAINERS                                    |   5 +
 config/common_base                             |   5 +
 doc/api/doxy-api-index.md                      |   2 +
 doc/api/doxy-api.conf                          |   1 +
 doc/guides/cryptodevs/features/default.ini     |   1 +
 doc/guides/cryptodevs/features/dpaa2_sec.ini   |   1 +
 doc/guides/prog_guide/index.rst                |   1 +
 doc/guides/prog_guide/rte_flow.rst             |  84 ++-
 doc/guides/prog_guide/rte_security.rst         | 564 +++++++++++++++++++
 doc/guides/rel_notes/release_17_11.rst         |   1 +
 doc/guides/sample_app_ug/ipsec_secgw.rst       |  52 +-
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c    | 422 +++++++++++++-
 drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h      |  62 +++
 drivers/net/ixgbe/Makefile                     |   2 +-
 drivers/net/ixgbe/base/ixgbe_osdep.h           |   8 +
 drivers/net/ixgbe/ixgbe_ethdev.c               |  11 +
 drivers/net/ixgbe/ixgbe_ethdev.h               |   6 +-
 drivers/net/ixgbe/ixgbe_flow.c                 |  47 ++
 drivers/net/ixgbe/ixgbe_ipsec.c                | 737 +++++++++++++++++++++++++
 drivers/net/ixgbe/ixgbe_ipsec.h                | 151 +++++
 drivers/net/ixgbe/ixgbe_rxtx.c                 |  59 +-
 drivers/net/ixgbe/ixgbe_rxtx.h                 |  11 +-
 drivers/net/ixgbe/ixgbe_rxtx_vec_sse.c         |  57 ++
 examples/ipsec-secgw/esp.c                     | 120 ++--
 examples/ipsec-secgw/esp.h                     |  10 -
 examples/ipsec-secgw/ipsec-secgw.c             |   5 +
 examples/ipsec-secgw/ipsec.c                   | 308 +++++++++--
 examples/ipsec-secgw/ipsec.h                   |  32 +-
 examples/ipsec-secgw/sa.c                      | 151 +++--
 lib/Makefile                                   |   5 +
 lib/librte_cryptodev/rte_crypto.h              |   3 +-
 lib/librte_cryptodev/rte_crypto_sym.h          |   2 +
 lib/librte_cryptodev/rte_cryptodev.c           |  10 +
 lib/librte_cryptodev/rte_cryptodev.h           |   8 +
 lib/librte_cryptodev/rte_cryptodev_version.map |   1 +
 lib/librte_ether/rte_ethdev.c                  |   7 +
 lib/librte_ether/rte_ethdev.h                  |   8 +
 lib/librte_ether/rte_ethdev_version.map        |   1 +
 lib/librte_ether/rte_flow.h                    |  65 +++
 lib/librte_mbuf/rte_mbuf.c                     |   6 +
 lib/librte_mbuf/rte_mbuf.h                     |  35 +-
 lib/librte_mbuf/rte_mbuf_ptype.c               |   1 +
 lib/librte_mbuf/rte_mbuf_ptype.h               |  11 +
 lib/librte_net/Makefile                        |   2 +-
 lib/librte_net/rte_esp.h                       |  60 ++
 lib/librte_security/Makefile                   |  53 ++
 lib/librte_security/rte_security.c             | 149 +++++
 lib/librte_security/rte_security.h             | 528 ++++++++++++++++++
 lib/librte_security/rte_security_driver.h      | 155 ++++++
 lib/librte_security/rte_security_version.map   |  13 +
 mk/rte.app.mk                                  |   1 +
 51 files changed, 3882 insertions(+), 158 deletions(-)
 create mode 100644 doc/guides/prog_guide/rte_security.rst
 create mode 100644 drivers/net/ixgbe/ixgbe_ipsec.c
 create mode 100644 drivers/net/ixgbe/ixgbe_ipsec.h
 create mode 100644 lib/librte_net/rte_esp.h
 create mode 100644 lib/librte_security/Makefile
 create mode 100644 lib/librte_security/rte_security.c
 create mode 100644 lib/librte_security/rte_security.h
 create mode 100644 lib/librte_security/rte_security_driver.h
 create mode 100644 lib/librte_security/rte_security_version.map

-- 
2.9.3


