[PATCH v2 5/5] cryptodev: add details of datapath handling of TLS records
Anoob Joseph
anoobj at marvell.com
Tue Oct 3 12:48:54 CEST 2023
From: Vidya Sagar Velumuri <vvelumuri at marvell.com>
TLS/DTLS record processing requires content type to be provided per
packet (for record write operation). Extend usage of reserved fields in
rte_crypto_op for the same purpose.
Signed-off-by: Anoob Joseph <anoobj at marvell.com>
Signed-off-by: Vidya Sagar Velumuri <vvelumuri at marvell.com>
---
doc/guides/prog_guide/rte_security.rst | 12 ++++++++++++
doc/guides/rel_notes/release_23_11.rst | 6 ++++++
lib/cryptodev/rte_crypto.h | 25 ++++++++++++++++++++++++-
3 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index f90dee5df0..7a25a7e649 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -453,6 +453,18 @@ Protocol. The TLS Record Protocol provides connection security that has two basi
V V
TLSCiphertext TLSPlaintext
+TLS and DTLS header formation (in record write operation) would depend on
+type of content. It is a per packet variable and would need to be handled by
+the same session. Application may pass this info to a cryptodev performing
+lookaside protocol offload by passing the same in ``rte_crypto_op.param1``.
+
+In record read operation, application is required to preserve any info it may
+need from the TLS/DTLS header (such as content type and sequence number) as the
+cryptodev would remove the header and padding as part of the lookaside protocol
+processing. With TLS 1.3, the actual content type is part of the trailer (before
+padding) and would be stripped by the PMD. For applications that may need this
+info, PMD would return the value in ``rte_crypto_op.param1`` field.
+
Supported Versions
^^^^^^^^^^^^^^^^^^
diff --git a/doc/guides/rel_notes/release_23_11.rst b/doc/guides/rel_notes/release_23_11.rst
index 250735efa9..663d1e9cf9 100644
--- a/doc/guides/rel_notes/release_23_11.rst
+++ b/doc/guides/rel_notes/release_23_11.rst
@@ -83,6 +83,12 @@ New Features
Similar to out of place processing support for lookaside security session, added
the same support for inline ingress security session.
+* **Added support for TLS and DTLS record in rte_security.**
+
+ Added TLS and DTLS record transform for rte_security session and added
+ enhancements to ``rte_crypto_op`` fields to handle all datapath requirements
+ of TLS and DTLS. The support is added for TLS 1.2, TLS 1.3 and DTLS 1.2.
+
* **Updated ipsec_mb crypto driver.**
Added support for digest encrypted to AESNI_MB asynchronous crypto driver.
diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h
index 9fe3e3d529..34aacd9312 100644
--- a/lib/cryptodev/rte_crypto.h
+++ b/lib/cryptodev/rte_crypto.h
@@ -123,7 +123,30 @@ struct rte_crypto_op {
*
* @see struct rte_security_tls_record_sess_options
*/
- uint8_t reserved[2];
+ union {
+ struct {
+ uint8_t content_type;
+ /**< Content type. The field can act both as input
+ * and output.
+ *
+ * As input, for passing message type in case of record
+ * write (encrypt) operation. Applicable for,
+ * 1. TLS 1.2
+ * 2. TLS 1.3
+ * 3. DTLS 1.2
+ *
+ * As output, for returning message type in case of record
+ * read (decrypt) operation. Applicable for,
+ * 1. TLS 1.3
+ *
+ * Message types are listed as RTE_TLS_TYPE_* and
+ * RTE_DTLS_TYPE_*.
+ */
+ } tls_record;
+ /**< TLS record */
+ } param1;
+ /**< Additional per operation parameter 1. */
+ uint8_t reserved[1];
/**< Reserved bytes to fill 64 bits for
* future additions
*/
--
2.25.1
More information about the dev
mailing list