[dpdk-dev] [PATCH v5 1/3] security: support pdcp protocol

Joseph, Anoob Anoob.Joseph at cavium.com
Tue Oct 16 12:49:33 CEST 2018


Hi Akhil,

The HFN threshold comment is still not right I guess,

> +        uint32_t hfn;
> +        /**< HFN Threshold for key renegotiation */
> +        uint32_t hfn_threshold;
The above code snippet is there in the rte_security.rst file also. You may need to fix that also.

And the following also needs to be fixed,
> + * @PDCP_SN_SIZE_18: 18bit sequence number  */ enum
> +rte_security_pdcp_sn_size {
....
> +       RTE_SECURITY_PDCP_SN_SIZE_18 = 18 };

With the above changes,
Acked-by: Anoob Joseph <anoob.joseph at caviumnetworks.com>

Thanks,
Anoob
> -----Original Message-----
> From: Akhil Goyal <akhil.goyal at nxp.com>
> Sent: 16 October 2018 16:09
> To: dev at dpdk.org
> Cc: pablo.de.lara.guarch at intel.com; radu.nicolau at intel.com; Jacob, Jerin
> <Jerin.JacobKollanukkaran at cavium.com>; Athreya, Narayana Prasad
> <NarayanaPrasad.Athreya at cavium.com>; Verma, Shally
> <Shally.Verma at cavium.com>; Joseph, Anoob <Anoob.Joseph at cavium.com>;
> Velumuri, Vidya <Vidya.Velumuri at cavium.com>; Hemant Agrawal
> <hemant.agrawal at nxp.com>; Akhil Goyal <akhil.goyal at nxp.com>
> Subject: [PATCH v5 1/3] security: support pdcp protocol
> 
> From: Akhil Goyal <akhil.goyal at nxp.com>
> 
> Packet Data Convergence Protocol (PDCP) is added in rte_security for 3GPP TS
> 36.323 for LTE.
> 
> The patchset provides the structure definitions for configuring the PDCP sessions
> and relevant documentation is added.
> 
> Signed-off-by: Hemant Agrawal <hemant.agrawal at nxp.com>
> Signed-off-by: Akhil Goyal <akhil.goyal at nxp.com>
> ---
>  doc/guides/prog_guide/rte_security.rst | 107 +++++++++++++++++++++++--
>  lib/librte_security/rte_security.c     |   4 +
>  lib/librte_security/rte_security.h     |  92 +++++++++++++++++++++
>  3 files changed, 196 insertions(+), 7 deletions(-)
> 
> diff --git a/doc/guides/prog_guide/rte_security.rst
> b/doc/guides/prog_guide/rte_security.rst
> index 0812abe77..e43f1554c 100644
> --- a/doc/guides/prog_guide/rte_security.rst
> +++ b/doc/guides/prog_guide/rte_security.rst
> @@ -10,8 +10,8 @@ The security library provides a framework for management
> and provisioning  of security protocol operations offloaded to hardware based
> devices. The  library defines generic APIs to create and free security sessions
> which can  support full protocol offload as well as inline crypto operation with -
> NIC or crypto devices. The framework currently only supports the IPSec protocol
> -and associated operations, other protocols will be added in future.
> +NIC or crypto devices. The framework currently only supports the IPsec
> +and PDCP protocol and associated operations, other protocols will be added in
> future.
> 
>  Design Principles
>  -----------------
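Review bot: "the IPsec and PDCP protocol and associated operations" in the new introductory sentence should read "the IPsec and PDCP protocols and their associated operations", and "will be added in future" should be "will be added in the future"; please reflow the paragraph so the sentence does not break after "IPsec".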
> @@ -253,6 +253,49 @@ for any protocol header addition.
>          +--------|--------+
>                   V
> 
> +PDCP Flow Diagram
> +~~~~~~~~~~~~~~~~~
> +
> +Based on 3GPP TS 36.323 Evolved Universal Terrestrial Radio Access
> +(E-UTRA); Packet Data Convergence Protocol (PDCP) specification
> +
> +.. code-block:: c
> +
> +        Transmitting PDCP Entity          Receiving PDCP Entity
> +                  |                                   ^
> +                  |                       +-----------|-----------+
> +                  V                       | In order delivery and |
> +        +---------|----------+            | Duplicate detection   |
> +        | Sequence Numbering |            |  (Data Plane only)    |
> +        +---------|----------+            +-----------|-----------+
> +                  |                                   |
> +        +---------|----------+            +-----------|----------+
> +        | Header Compression*|            | Header Decompression*|
> +        | (Data-Plane only)  |            |   (Data Plane only)  |
> +        +---------|----------+            +-----------|----------+
> +                  |                                   |
> +        +---------|-----------+           +-----------|----------+
> +        | Integrity Protection|           |Integrity Verification|
> +        | (Control Plane only)|           | (Control Plane only) |
> +        +---------|-----------+           +-----------|----------+
> +        +---------|-----------+            +----------|----------+
> +        |     Ciphering       |            |     Deciphering     |
> +        +---------|-----------+            +----------|----------+
> +        +---------|-----------+            +----------|----------+
> +        |   Add PDCP header   |            | Remove PDCP Header  |
> +        +---------|-----------+            +----------|----------+
> +                  |                                   |
> +                  +----------------->>----------------+
> +
> +
> +.. note::
> +
> +    * Header Compression and decompression are not supported currently.
> +
> +Just like IPsec, in case of PDCP also header addition/deletion, cipher/
> +de-cipher, integrity protection/verification is done based on the
> +action type chosen.
> +
>  Device Features and Capabilities
>  ---------------------------------
> 
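Review bot: the connector between the Integrity Protection and Ciphering boxes, and between Ciphering and Add PDCP header, is missing on both sides of the flow diagram: every other stage is joined by a `|` line, but these three boxes are stacked directly on each other, which reads as if they were one block. Minor wording in the paragraph below the diagram: "cipher/de-cipher" should be "cipher/decipher", and "is done" should be "are done" since it has three subjects.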
> @@ -271,7 +314,7 @@ structure in the *DPDK API Reference*.
> 
>  Each driver (crypto or ethernet) defines its own private array of capabilities  for
> the operations it supports. Below is an example of the capabilities for a -PMD
> which supports the IPSec protocol.
> +PMD which supports the IPsec and PDCP protocol.
> 
>  .. code-block:: c
> 
> @@ -298,6 +341,24 @@ PMD which supports the IPSec protocol.
>                  },
>                  .crypto_capabilities = pmd_capabilities
>          },
> +        { /* PDCP Lookaside Protocol offload Data Plane */
> +                .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
> +                .protocol = RTE_SECURITY_PROTOCOL_PDCP,
> +                .pdcp = {
> +                        .domain = RTE_SECURITY_PDCP_MODE_DATA,
> +                        .capa_flags = 0
> +                },
> +                .crypto_capabilities = pmd_capabilities
> +        },
> +        { /* PDCP Lookaside Protocol offload Control */
> +                .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
> +                .protocol = RTE_SECURITY_PROTOCOL_PDCP,
> +                .pdcp = {
> +                        .domain = RTE_SECURITY_PDCP_MODE_CONTROL,
> +                        .capa_flags = 0
> +                },
> +                .crypto_capabilities = pmd_capabilities
> +        },
>          {
>                  .action = RTE_SECURITY_ACTION_TYPE_NONE
>          }
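Review bot: both example PDCP capability entries set `.capa_flags = 0`, so the documentation never shows RTE_SECURITY_PDCP_ORDERING_CAP or RTE_SECURITY_PDCP_DUP_DETECT_CAP being advertised even though this patch introduces them. Either set one of the flags in one of the two entries or add a sentence stating that 0 means the PMD offloads neither in-order delivery nor duplicate detection, so an application must leave `en_ordering` and `remove_duplicates` at 0 for such a device.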
> @@ -429,6 +490,7 @@ Security Session configuration structure is defined as
> ``rte_security_session_co
>          union {
>                  struct rte_security_ipsec_xform ipsec;
>                  struct rte_security_macsec_xform macsec;
> +                struct rte_security_pdcp_xform pdcp;
>          };
>          /**< Configuration parameters for security session */
>          struct rte_crypto_sym_xform *crypto_xform; @@ -463,15 +525,17 @@
> The ``rte_security_session_protocol`` is defined as  .. code-block:: c
> 
>      enum rte_security_session_protocol {
> -        RTE_SECURITY_PROTOCOL_IPSEC,
> +        RTE_SECURITY_PROTOCOL_IPSEC = 1,
>          /**< IPsec Protocol */
>          RTE_SECURITY_PROTOCOL_MACSEC,
>          /**< MACSec Protocol */
> +        RTE_SECURITY_PROTOCOL_PDCP,
> +        /**< PDCP Protocol */
>      };
> 
> -Currently the library defines configuration parameters for IPSec only. For other
> -protocols like MACSec, structures and enums are defined as place holders
> which -will be updated in the future.
> +Currently the library defines configuration parameters for IPsec and PDCP only.
> +For other protocols like MACSec, structures and enums are defined as
> +place holders which will be updated in the future.
> 
>  IPsec related configuration parameters are defined in
> ``rte_security_ipsec_xform``
> 
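Review bot: the doc snippet changes the first enumerator to `RTE_SECURITY_PROTOCOL_IPSEC = 1,`, but the rte_security.h hunk for `enum rte_security_session_protocol` in this patch only adds the PDCP enumerator and shows no such assignment. Either the header already carries `= 1` (then this is an unrelated doc sync that deserves a mention in the commit message) or the documentation now disagrees with the header; please confirm which.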
> @@ -494,6 +558,35 @@ IPsec related configuration parameters are defined in
> ``rte_security_ipsec_xform
>          /**< Tunnel parameters, NULL for transport mode */
>      };
> 
> +PDCP related configuration parameters are defined in
> +``rte_security_pdcp_xform``
> +
> +.. code-block:: c
> +
> +    struct rte_security_pdcp_xform {
> +        int8_t bearer; /**< PDCP bearer ID */
> +        /**< Enable in order delivery, this field shall be set only if
> +         * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
> +         */
> +        uint8_t en_ordering;
> +        /**< Notify driver/HW to detect and remove duplicate packets.
> +         * This field should be set only when driver/hw is capable.
> +         * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
> +         */
> +        uint8_t remove_duplicates;
> +        /**< PDCP mode of operation: Control or data */
> +        enum rte_security_pdcp_domain domain;
> +        /**< PDCP Frame Direction 0:UL 1:DL */
> +        enum rte_security_pdcp_direction pkt_dir;
> +        /**< Sequence number size, 5/7/12/15/18 */
> +        enum rte_security_pdcp_sn_size sn_size;
> +        /**< Starting Hyper Frame Number to be used together with the SN
> +         * from the PDCP frames
> +         */
> +        uint32_t hfn;
> +        /**< HFN Threshold for key renegotiation */
> +        uint32_t hfn_threshold;
> +    };
> +
> 
>  Security API
>  ~~~~~~~~~~~~
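Review bot: the `/**<` markers in `rte_security_pdcp_xform` are Doxygen trailing comments and document the member that precedes them, not the one that follows, so as written `/**< Enable in order delivery ... */` attaches to `bearer` and `/**< HFN Threshold for key renegotiation */` attaches to `hfn`. Use `/** ... */` for a comment placed before a member, or move each comment after its member and keep `/**<`; the same fix applies to the copy of the struct in rte_security.h.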
> diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
> index 1954960a5..c6355de95 100644
> --- a/lib/librte_security/rte_security.c
> +++ b/lib/librte_security/rte_security.c
> @@ -131,6 +131,10 @@ rte_security_capability_get(struct rte_security_ctx
> *instance,
>                                         capability->ipsec.direction ==
>                                                         idx->ipsec.direction)
>                                         return capability;
> +                       } else if (idx->protocol == RTE_SECURITY_PROTOCOL_PDCP) {
> +                               if (capability->pdcp.domain ==
> +                                                       idx->pdcp.domain)
> +                                       return capability;
>                         }
>                 }
>         }
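Review bot: the new PDCP branch in rte_security_capability_get() matches on `capability->pdcp.domain == idx->pdcp.domain` only, while `struct rte_security_capability_idx` gains a `capa_flags` member in this patch that is never consulted here. Either compare it as well, e.g. `(capability->pdcp.capa_flags & idx->pdcp.capa_flags) == idx->pdcp.capa_flags`, so an application asking for ordering or duplicate-detection support gets a matching capability or NULL rather than a device that silently lacks it, or drop `capa_flags` from the index structure.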
> diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
> index b0d1b97ee..de49017e1 100644
> --- a/lib/librte_security/rte_security.h
> +++ b/lib/librte_security/rte_security.h
> @@ -206,6 +206,66 @@ struct rte_security_macsec_xform {
>         int dummy;
>  };
> 
> +/**
> + * PDCP Mode of session
> + */
> +enum rte_security_pdcp_domain {
> +       RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */
> +       RTE_SECURITY_PDCP_MODE_DATA,    /**< PDCP data plane */
> +};
> +
> +/** PDCP Frame direction */
> +enum rte_security_pdcp_direction {
> +       RTE_SECURITY_PDCP_UPLINK,       /**< Uplink */
> +       RTE_SECURITY_PDCP_DOWNLINK,     /**< Downlink */
> +};
> +
> +/**
> + * PDCP Sequence Number Size selectors
> + * @PDCP_SN_SIZE_5: 5bit sequence number
> + * @PDCP_SN_SIZE_7: 7bit sequence number
> + * @PDCP_SN_SIZE_12: 12bit sequence number
> + * @PDCP_SN_SIZE_15: 15bit sequence number
> + * @PDCP_SN_SIZE_18: 18bit sequence number  */ enum
> +rte_security_pdcp_sn_size {
> +       RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
> +       RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
> +       RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
> +       RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
> +       RTE_SECURITY_PDCP_SN_SIZE_18 = 18 };
> +
> +/**
> + * PDCP security association configuration data.
> + *
> + * This structure contains data required to create a PDCP security session.
> + */
> +struct rte_security_pdcp_xform {
> +       int8_t bearer;  /**< PDCP bearer ID */
> +       /**< Enable in order delivery, this field shall be set only if
> +        * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
> +        */
> +       uint8_t en_ordering;
> +       /**< Notify driver/HW to detect and remove duplicate packets.
> +        * This field should be set only when driver/hw is capable.
> +        * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
> +        */
> +       uint8_t remove_duplicates;
> +       /**< PDCP mode of operation: Control or data */
> +       enum rte_security_pdcp_domain domain;
> +       /**< PDCP Frame Direction 0:UL 1:DL */
> +       enum rte_security_pdcp_direction pkt_dir;
> +       /**< Sequence number size, 5/7/12/15/18 */
> +       enum rte_security_pdcp_sn_size sn_size;
> +       /**< Starting Hyper Frame Number to be used together with the SN
> +        * from the PDCP frames
> +        */
> +       uint32_t hfn;
> +       /**< HFN Threshold for key renegotiation */
> +       uint32_t hfn_threshold;
> +};
> +
>  /**
>   * Security session action type.
>   */
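Review bot: `int8_t bearer;` makes the bearer ID signed, while the PDCP bearer is a small non-negative identifier and every other field in the struct is unsigned; use `uint8_t` unless a negative value has a defined meaning, and if so document it. In the `rte_security_pdcp_sn_size` block, the `@PDCP_SN_SIZE_*` names in the comment do not match the `RTE_SECURITY_PDCP_SN_SIZE_*` enumerators, the `enum` keyword is fused onto the closing line of the comment, and the final `};` sits on the `RTE_SECURITY_PDCP_SN_SIZE_18 = 18` line, so that enum needs re-wrapping.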
> @@ -232,6 +292,8 @@ enum rte_security_session_protocol {
>         /**< IPsec Protocol */
>         RTE_SECURITY_PROTOCOL_MACSEC,
>         /**< MACSec Protocol */
> +       RTE_SECURITY_PROTOCOL_PDCP,
> +       /**< PDCP Protocol */
>  };
> 
>  /**
> @@ -246,6 +308,7 @@ struct rte_security_session_conf {
>         union {
>                 struct rte_security_ipsec_xform ipsec;
>                 struct rte_security_macsec_xform macsec;
> +               struct rte_security_pdcp_xform pdcp;
>         };
>         /**< Configuration parameters for security session */
>         struct rte_crypto_sym_xform *crypto_xform; @@ -413,6 +476,10 @@
> struct rte_security_ipsec_stats {
> 
>  };
> 
> +struct rte_security_pdcp_stats {
> +       uint64_t reserved;
> +};
> +
>  struct rte_security_stats {
>         enum rte_security_session_protocol protocol;
>         /**< Security protocol to be configured */ @@ -421,6 +488,7 @@ struct
> rte_security_stats {
>         union {
>                 struct rte_security_macsec_stats macsec;
>                 struct rte_security_ipsec_stats ipsec;
> +               struct rte_security_pdcp_stats pdcp;
>         };
>  };
> 
> @@ -465,6 +533,13 @@ struct rte_security_capability {
>                         int dummy;
>                 } macsec;
>                 /**< MACsec capability */
> +               struct {
> +                       enum rte_security_pdcp_domain domain;
> +                       /** < PDCP mode of operation: Control or data */
> +                       uint32_t capa_flags;
> +                       /** < Capabilitity flags, see RTE_SECURITY_PDCP_* */
> +               } pdcp;
> +               /**< PDCP capability */
>         };
> 
>         const struct rte_cryptodev_capabilities *crypto_capabilities; @@ -474,6
> +549,19 @@ struct rte_security_capability {
>         /**< Device offload flags */
>  };
> 
> +/**< Underlying Hardware/driver which support PDCP may or may not
> +support
> + * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support.
> + * If it is not set, driver/HW assumes packets received are in order
> + * and it will be application's responsibility to maintain ordering.
> + */
> +#define RTE_SECURITY_PDCP_ORDERING_CAP         0x00000001
> +
> +/**< Underlying Hardware/driver which support PDCP may or may not
> +detect
> + * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support.
> + * If it is not set, driver/HW assumes there is no duplicate packet received.
> + */
> +#define RTE_SECURITY_PDCP_DUP_DETECT_CAP       0x00000002
> +
>  #define RTE_SECURITY_TX_OLOAD_NEED_MDATA       0x00000001
>  /**< HW needs metadata update, see rte_security_set_pkt_metadata().
>   */
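Review bot: the two capability macros are documented with `/**<` placed before the `#define`, which Doxygen attaches to the preceding declaration (the closing `};` of `struct rte_security_capability`); use `/** ... */` here. Grammar in the same comments: "which support PDCP" should be "which supports PDCP", "if it support" should be "if it does", and "duplicate packet" should be "duplicate packets". In the `struct rte_security_capability` hunk just above, `/** <` has a stray space and "Capabilitity" is misspelled.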
> @@ -506,6 +594,10 @@ struct rte_security_capability_idx {
>                         enum rte_security_ipsec_sa_mode mode;
>                         enum rte_security_ipsec_sa_direction direction;
>                 } ipsec;
> +               struct {
> +                       enum rte_security_pdcp_domain domain;
> +                       uint32_t capa_flags;
> +               } pdcp;
>         };
>  };
> 
> --
> 2.17.1