[dpdk-dev] [PATCH v5 1/3] security: support pdcp protocol
Joseph, Anoob
Anoob.Joseph at cavium.com
Tue Oct 16 12:49:33 CEST 2018
Hi Akhil,
The HFN threshold comment is still not right I guess,
> + uint32_t hfn;
> + /**< HFN Threshold for key renegotiation */
> + uint32_t hfn_threshold;
The above code snippet is there in the rte_security.rst file also. You may need to fix that also.
And the following also needs to be fixed,
> + * @PDCP_SN_SIZE_18: 18bit sequence number */ enum
> +rte_security_pdcp_sn_size {
....
> + RTE_SECURITY_PDCP_SN_SIZE_18 = 18 };
With the above changes,
Acked-by: Anoob Joseph <anoob.joseph at caviumnetworks.com>
Thanks,
Anoob
> -----Original Message-----
> From: Akhil Goyal <akhil.goyal at nxp.com>
> Sent: 16 October 2018 16:09
> To: dev at dpdk.org
> Cc: pablo.de.lara.guarch at intel.com; radu.nicolau at intel.com; Jacob, Jerin
> <Jerin.JacobKollanukkaran at cavium.com>; Athreya, Narayana Prasad
> <NarayanaPrasad.Athreya at cavium.com>; Verma, Shally
> <Shally.Verma at cavium.com>; Joseph, Anoob <Anoob.Joseph at cavium.com>;
> Velumuri, Vidya <Vidya.Velumuri at cavium.com>; Hemant Agrawal
> <hemant.agrawal at nxp.com>; Akhil Goyal <akhil.goyal at nxp.com>
> Subject: [PATCH v5 1/3] security: support pdcp protocol
>
> External Email
>
> From: Akhil Goyal <akhil.goyal at nxp.com>
>
> Packet Data Convergence Protocol (PDCP) is added in rte_security for 3GPP TS
> 36.323 for LTE.
>
> The patchset provide the structure definitions for configuring the PDCP sessions
> and relevant documentation is added.
>
> Signed-off-by: Hemant Agrawal <hemant.agrawal at nxp.com>
> Signed-off-by: Akhil Goyal <akhil.goyal at nxp.com>
> ---
> doc/guides/prog_guide/rte_security.rst | 107 +++++++++++++++++++++++--
> lib/librte_security/rte_security.c | 4 +
> lib/librte_security/rte_security.h | 92 +++++++++++++++++++++
> 3 files changed, 196 insertions(+), 7 deletions(-)
>
> diff --git a/doc/guides/prog_guide/rte_security.rst
> b/doc/guides/prog_guide/rte_security.rst
> index 0812abe77..e43f1554c 100644
> --- a/doc/guides/prog_guide/rte_security.rst
> +++ b/doc/guides/prog_guide/rte_security.rst
> @@ -10,8 +10,8 @@ The security library provides a framework for management
> and provisioning of security protocol operations offloaded to hardware based
> devices. The library defines generic APIs to create and free security sessions
> which can support full protocol offload as well as inline crypto operation with -
> NIC or crypto devices. The framework currently only supports the IPSec protocol
> -and associated operations, other protocols will be added in future.
> +NIC or crypto devices. The framework currently only supports the IPsec
> +and PDCP protocol and associated operations, other protocols will be added in
> future.
>
> Design Principles
> -----------------
> @@ -253,6 +253,49 @@ for any protocol header addition.
> +--------|--------+
> V
>
> +PDCP Flow Diagram
> +~~~~~~~~~~~~~~~~~
> +
> +Based on 3GPP TS 36.323 Evolved Universal Terrestrial Radio Access
> +(E-UTRA); Packet Data Convergence Protocol (PDCP) specification
> +
> +.. code-block:: c
> +
> + Transmitting PDCP Entity Receiving PDCP Entity
> + | ^
> + | +-----------|-----------+
> + V | In order delivery and |
> + +---------|----------+ | Duplicate detection |
> + | Sequence Numbering | | (Data Plane only) |
> + +---------|----------+ +-----------|-----------+
> + | |
> + +---------|----------+ +-----------|----------+
> + | Header Compression*| | Header Decompression*|
> + | (Data-Plane only) | | (Data Plane only) |
> + +---------|----------+ +-----------|----------+
> + | |
> + +---------|-----------+ +-----------|----------+
> + | Integrity Protection| |Integrity Verification|
> + | (Control Plane only)| | (Control Plane only) |
> + +---------|-----------+ +-----------|----------+
> + +---------|-----------+ +----------|----------+
> + | Ciphering | | Deciphering |
> + +---------|-----------+ +----------|----------+
> + +---------|-----------+ +----------|----------+
> + | Add PDCP header | | Remove PDCP Header |
> + +---------|-----------+ +----------|----------+
> + | |
> + +----------------->>----------------+
> +
> +
> +.. note::
> +
> + * Header Compression and decompression are not supported currently.
> +
> +Just like IPsec, in case of PDCP also header addition/deletion, cipher/
> +de-cipher, integrity protection/verification is done based on the
> +action type chosen.
> +
> Device Features and Capabilities
> ---------------------------------
>
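Review bot: the flow diagram sits under `.. code-block:: c`, so Sphinx will try to highlight ASCII art as C; a plain literal block (`::`) or `.. code-block:: none` fits better. In the diagram, the `| |` connector row is present between the earlier stages but missing between the Integrity, Ciphering and PDCP header boxes, and both "Data-Plane" and "Data Plane" are used. In the closing sentence, "is done" should be "are done".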
> @@ -271,7 +314,7 @@ structure in the *DPDK API Reference*.
>
> Each driver (crypto or ethernet) defines its own private array of capabilities for
> the operations it supports. Below is an example of the capabilities for a -PMD
> which supports the IPSec protocol.
> +PMD which supports the IPsec and PDCP protocol.
>
> .. code-block:: c
>
> @@ -298,6 +341,24 @@ PMD which supports the IPSec protocol.
> },
> .crypto_capabilities = pmd_capabilities
> },
> + { /* PDCP Lookaside Protocol offload Data Plane */
> + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
> + .protocol = RTE_SECURITY_PROTOCOL_PDCP,
> + .pdcp = {
> + .domain = RTE_SECURITY_PDCP_MODE_DATA,
> + .capa_flags = 0
> + },
> + .crypto_capabilities = pmd_capabilities
> + },
> + { /* PDCP Lookaside Protocol offload Control */
> + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
> + .protocol = RTE_SECURITY_PROTOCOL_PDCP,
> + .pdcp = {
> + .domain = RTE_SECURITY_PDCP_MODE_CONTROL,
> + .capa_flags = 0
> + },
> + .crypto_capabilities = pmd_capabilities
> + },
> {
> .action = RTE_SECURITY_ACTION_TYPE_NONE
> }
> @@ -429,6 +490,7 @@ Security Session configuration structure is defined as
> ``rte_security_session_co
> union {
> struct rte_security_ipsec_xform ipsec;
> struct rte_security_macsec_xform macsec;
> + struct rte_security_pdcp_xform pdcp;
> };
> /**< Configuration parameters for security session */
> struct rte_crypto_sym_xform *crypto_xform; @@ -463,15 +525,17 @@
> The ``rte_security_session_protocol`` is defined as .. code-block:: c
>
> enum rte_security_session_protocol {
> - RTE_SECURITY_PROTOCOL_IPSEC,
> + RTE_SECURITY_PROTOCOL_IPSEC = 1,
> /**< IPsec Protocol */
> RTE_SECURITY_PROTOCOL_MACSEC,
> /**< MACSec Protocol */
> + RTE_SECURITY_PROTOCOL_PDCP,
> + /**< PDCP Protocol */
> };
>
> -Currently the library defines configuration parameters for IPSec only. For other
> -protocols like MACSec, structures and enums are defined as place holders
> which -will be updated in the future.
> +Currently the library defines configuration parameters for IPsec and PDCP only.
> +For other protocols like MACSec, structures and enums are defined as
> +place holders which will be updated in the future.
>
> IPsec related configuration parameters are defined in
> ``rte_security_ipsec_xform``
>
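Review bot: `RTE_SECURITY_PROTOCOL_IPSEC = 1` in this documentation snippet changes the shown value of an existing enumerator, which is unrelated to adding PDCP and is not mentioned in the commit message. If this only brings the guide in line with rte_security.h, say so in the commit log; the header hunk in this patch does not show that line, so it cannot be confirmed from the patch alone.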
> @@ -494,6 +558,35 @@ IPsec related configuration parameters are defined in
> ``rte_security_ipsec_xform
> /**< Tunnel parameters, NULL for transport mode */
> };
>
> +PDCP related configuration parameters are defined in
> +``rte_security_pdcp_xform``
> +
> +.. code-block:: c
> +
> + struct rte_security_pdcp_xform {
> + int8_t bearer; /**< PDCP bearer ID */
> + /**< Enable in order delivery, this field shall be set only if
> + * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
> + */
> + uint8_t en_ordering;
> + /**< Notify driver/HW to detect and remove duplicate packets.
> + * This field should be set only when driver/hw is capable.
> + * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
> + */
> + uint8_t remove_duplicates;
> + /**< PDCP mode of operation: Control or data */
> + enum rte_security_pdcp_domain domain;
> + /**< PDCP Frame Direction 0:UL 1:DL */
> + enum rte_security_pdcp_direction pkt_dir;
> + /**< Sequence number size, 5/7/12/15/18 */
> + enum rte_security_pdcp_sn_size sn_size;
> + /**< Starting Hyper Frame Number to be used together with the SN
> + * from the PDCP frames
> + */
> + uint32_t hfn;
> + /**< HFN Threshold for key renegotiation */
> + uint32_t hfn_threshold;
> + };
> +
>
> Security API
> ~~~~~~~~~~~~
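Review bot: the `hfn_threshold` comment ("HFN Threshold for key renegotiation") does not say what the threshold is compared against or who acts when it is reached (the driver/HW reporting it, or the application tracking HFN itself). Since this value governs when keys are renegotiated, the guide should spell that out. This snippet is also a second copy of the struct in rte_security.h, so any comment fix has to be made in both places.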
> diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
> index 1954960a5..c6355de95 100644
> --- a/lib/librte_security/rte_security.c
> +++ b/lib/librte_security/rte_security.c
> @@ -131,6 +131,10 @@ rte_security_capability_get(struct rte_security_ctx
> *instance,
> capability->ipsec.direction ==
> idx->ipsec.direction)
> return capability;
> + } else if (idx->protocol == RTE_SECURITY_PROTOCOL_PDCP) {
> + if (capability->pdcp.domain ==
> + idx->pdcp.domain)
> + return capability;
> }
> }
> }
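Review bot: the PDCP branch matches on `pdcp.domain` only and never looks at `idx->pdcp.capa_flags`, although this patch adds that field to `struct rte_security_capability_idx`. A caller that sets `RTE_SECURITY_PDCP_ORDERING_CAP` or `RTE_SECURITY_PDCP_DUP_DETECT_CAP` in the index gets back the first capability with the same domain whether or not those flags are present. Either compare the flags as well, for example `(capability->pdcp.capa_flags & idx->pdcp.capa_flags) == idx->pdcp.capa_flags`, or drop `capa_flags` from the index and document that the caller must check the returned capability.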
> diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
> index b0d1b97ee..de49017e1 100644
> --- a/lib/librte_security/rte_security.h
> +++ b/lib/librte_security/rte_security.h
> @@ -206,6 +206,66 @@ struct rte_security_macsec_xform {
> int dummy;
> };
>
> +/**
> + * PDCP Mode of session
> + */
> +enum rte_security_pdcp_domain {
> + RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */
> + RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */
> +};
> +
> +/** PDCP Frame direction */
> +enum rte_security_pdcp_direction {
> + RTE_SECURITY_PDCP_UPLINK, /**< Uplink */
> + RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */
> +};
> +
> +/**
> + * PDCP Sequence Number Size selectors
> + * @PDCP_SN_SIZE_5: 5bit sequence number
> + * @PDCP_SN_SIZE_7: 7bit sequence number
> + * @PDCP_SN_SIZE_12: 12bit sequence number
> + * @PDCP_SN_SIZE_15: 15bit sequence number
> + * @PDCP_SN_SIZE_18: 18bit sequence number */ enum
> +rte_security_pdcp_sn_size {
> + RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
> + RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
> + RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
> + RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
> + RTE_SECURITY_PDCP_SN_SIZE_18 = 18 };
> +
> +/**
> + * PDCP security association configuration data.
> + *
> + * This structure contains data required to create a PDCP security session.
> + */
> +struct rte_security_pdcp_xform {
> + int8_t bearer; /**< PDCP bearer ID */
> + /**< Enable in order delivery, this field shall be set only if
> + * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
> + */
> + uint8_t en_ordering;
> + /**< Notify driver/HW to detect and remove duplicate packets.
> + * This field should be set only when driver/hw is capable.
> + * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
> + */
> + uint8_t remove_duplicates;
> + /**< PDCP mode of operation: Control or data */
> + enum rte_security_pdcp_domain domain;
> + /**< PDCP Frame Direction 0:UL 1:DL */
> + enum rte_security_pdcp_direction pkt_dir;
> + /**< Sequence number size, 5/7/12/15/18 */
> + enum rte_security_pdcp_sn_size sn_size;
> + /**< Starting Hyper Frame Number to be used together with the SN
> + * from the PDCP frames
> + */
> + uint32_t hfn;
> + /**< HFN Threshold for key renegotiation */
> + uint32_t hfn_threshold;
> +};
> +
> /**
> * Security session action type.
> */
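Review bot: in `struct rte_security_pdcp_xform`, every comment from `en_ordering` onward uses the trailing form `/**<` but is placed before the member it describes, so Doxygen attaches it to the previous member (the "HFN Threshold" text ends up on `hfn`, the ordering text on `bearer`). Use `/**` for comments that precede a member, or move each `/**<` after its member as is done for `bearer`. The SN size comment block lists `@PDCP_SN_SIZE_*` names that do not match the `RTE_SECURITY_PDCP_SN_SIZE_*` enumerators, and as it appears here its closing `*/` shares a line with `enum`; per-enumerator `/**<` comments, as used for the domain and direction enums, would be consistent.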
> @@ -232,6 +292,8 @@ enum rte_security_session_protocol {
> /**< IPsec Protocol */
> RTE_SECURITY_PROTOCOL_MACSEC,
> /**< MACSec Protocol */
> + RTE_SECURITY_PROTOCOL_PDCP,
> + /**< PDCP Protocol */
> };
>
> /**
> @@ -246,6 +308,7 @@ struct rte_security_session_conf {
> union {
> struct rte_security_ipsec_xform ipsec;
> struct rte_security_macsec_xform macsec;
> + struct rte_security_pdcp_xform pdcp;
> };
> /**< Configuration parameters for security session */
> struct rte_crypto_sym_xform *crypto_xform; @@ -413,6 +476,10 @@
> struct rte_security_ipsec_stats {
>
> };
>
> +struct rte_security_pdcp_stats {
> + uint64_t reserved;
> +};
> +
> struct rte_security_stats {
> enum rte_security_session_protocol protocol;
> /**< Security protocol to be configured */ @@ -421,6 +488,7 @@ struct
> rte_security_stats {
> union {
> struct rte_security_macsec_stats macsec;
> struct rte_security_ipsec_stats ipsec;
> + struct rte_security_pdcp_stats pdcp;
> };
> };
>
> @@ -465,6 +533,13 @@ struct rte_security_capability {
> int dummy;
> } macsec;
> /**< MACsec capability */
> + struct {
> + enum rte_security_pdcp_domain domain;
> + /** < PDCP mode of operation: Control or data */
> + uint32_t capa_flags;
> + /** < Capabilitity flags, see RTE_SECURITY_PDCP_* */
> + } pdcp;
> + /**< PDCP capability */
> };
>
> const struct rte_cryptodev_capabilities *crypto_capabilities; @@ -474,6
> +549,19 @@ struct rte_security_capability {
> /**< Device offload flags */
> };
>
> +/**< Underlying Hardware/driver which support PDCP may or may not
> +support
> + * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support.
> + * If it is not set, driver/HW assumes packets received are in order
> + * and it will be application's responsibility to maintain ordering.
> + */
> +#define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001
> +
> +/**< Underlying Hardware/driver which support PDCP may or may not
> +detect
> + * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support.
> + * If it is not set, driver/HW assumes there is no duplicate packet received.
> + */
> +#define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002
> +
> #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001
> /**< HW needs metadata update, see rte_security_set_pkt_metadata().
> */
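Review bot: both new comment blocks open with `/**<` but sit above the `#define` they describe; `/**<` documents the preceding entity, so these should be `/**`, or follow the macro as the `RTE_SECURITY_TX_OLOAD_NEED_MDATA` comment just below does. Wording: "which support" and "if it support" should be "which supports" and "if it is supported". The comments say the driver/HW "assumes" in-order, duplicate-free input when a flag is absent; it would help to state what an application should expect if it sets `en_ordering` or `remove_duplicates` on a device that lacks the flag.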
> @@ -506,6 +594,10 @@ struct rte_security_capability_idx {
> enum rte_security_ipsec_sa_mode mode;
> enum rte_security_ipsec_sa_direction direction;
> } ipsec;
> + struct {
> + enum rte_security_pdcp_domain domain;
> + uint32_t capa_flags;
> + } pdcp;
> };
> };
>
> --
> 2.17.1