/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2016-2017 Intel Corporation
+ * Copyright(c) 2016-2020 Intel Corporation
*/
/*
#include <rte_byteorder.h>
#include <rte_errno.h>
#include <rte_ip.h>
+#include <rte_udp.h>
#include <rte_random.h>
#include <rte_ethdev.h>
#include <rte_malloc.h>
#define IP6_FULL_MASK (sizeof(((struct ip_addr *)NULL)->ip.ip6.ip6) * CHAR_BIT)
-#define MBUF_NO_SEC_OFFLOAD(m) ((m->ol_flags & PKT_RX_SEC_OFFLOAD) == 0)
+#define MBUF_NO_SEC_OFFLOAD(m) ((m->ol_flags & RTE_MBUF_F_RX_SEC_OFFLOAD) == 0)
struct supported_cipher_algo {
const char *keyword;
.block_size = 16,
.key_len = 16
},
+ {
+ .keyword = "aes-192-cbc",
+ .algo = RTE_CRYPTO_CIPHER_AES_CBC,
+ .iv_len = 16,
+ .block_size = 16,
+ .key_len = 24
+ },
{
.keyword = "aes-256-cbc",
.algo = RTE_CRYPTO_CIPHER_AES_CBC,
.key_len = 20,
.digest_len = 16,
.aad_len = 8,
+ },
+ {
+ .keyword = "aes-192-gcm",
+ .algo = RTE_CRYPTO_AEAD_AES_GCM,
+ .iv_len = 8,
+ .block_size = 4,
+ .key_len = 28,
+ .digest_len = 16,
+ .aad_len = 8,
+ },
+ {
+ .keyword = "aes-256-gcm",
+ .algo = RTE_CRYPTO_AEAD_AES_GCM,
+ .iv_len = 8,
+ .block_size = 4,
+ .key_len = 36,
+ .digest_len = 16,
+ .aad_len = 8,
}
};
#define SA_INIT_NB 128
-static struct ipsec_sa *sa_out;
+static uint32_t nb_crypto_sessions;
+struct ipsec_sa *sa_out;
+uint32_t nb_sa_out;
static uint32_t sa_out_sz;
-static uint32_t nb_sa_out;
static struct ipsec_sa_cnt sa_out_cnt;
-static struct ipsec_sa *sa_in;
+struct ipsec_sa *sa_in;
+uint32_t nb_sa_in;
static uint32_t sa_in_sz;
-static uint32_t nb_sa_in;
static struct ipsec_sa_cnt sa_in_cnt;
static const struct supported_cipher_algo *
uint32_t type_p = 0;
uint32_t portid_p = 0;
uint32_t fallback_p = 0;
+ int16_t status_p = 0;
+ uint16_t udp_encap_p = 0;
if (strcmp(tokens[0], "in") == 0) {
ri = &nb_sa_in;
return;
if (atoi(tokens[1]) == INVALID_SPI)
return;
+ rule->flags = 0;
rule->spi = atoi(tokens[1]);
+ rule->portid = UINT16_MAX;
ips = ipsec_get_primary_session(rule);
for (ti = 2; ti < n_tokens; ti++) {
if (strcmp(tokens[ti], "ipv4-tunnel") == 0) {
sa_cnt->nb_v4++;
- rule->flags = IP4_TUNNEL;
+ rule->flags |= IP4_TUNNEL;
} else if (strcmp(tokens[ti], "ipv6-tunnel") == 0) {
sa_cnt->nb_v6++;
- rule->flags = IP6_TUNNEL;
+ rule->flags |= IP6_TUNNEL;
} else if (strcmp(tokens[ti], "transport") == 0) {
sa_cnt->nb_v4++;
sa_cnt->nb_v6++;
- rule->flags = TRANSPORT;
+ rule->flags |= TRANSPORT;
} else {
APP_CHECK(0, status, "unrecognized "
"input \"%s\"", tokens[ti]);
continue;
}
+ if (strcmp(tokens[ti], "telemetry") == 0) {
+ rule->flags |= SA_TELEMETRY_ENABLE;
+ continue;
+ }
+
if (strcmp(tokens[ti], "cipher_algo") == 0) {
const struct supported_cipher_algo *algo;
uint32_t key_len;
RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
else if (strcmp(tokens[ti], "no-offload") == 0)
ips->type = RTE_SECURITY_ACTION_TYPE_NONE;
+ else if (strcmp(tokens[ti], "cpu-crypto") == 0)
+ ips->type = RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO;
else {
APP_CHECK(0, status, "Invalid input \"%s\"",
tokens[ti]);
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
- rule->portid = atoi(tokens[ti]);
- if (status->status < 0)
+ if (rule->portid == UINT16_MAX)
+ rule->portid = atoi(tokens[ti]);
+ else if (rule->portid != atoi(tokens[ti])) {
+ APP_CHECK(0, status,
+ "portid %s not matching with already assigned portid %u",
+ tokens[ti], rule->portid);
return;
+ }
portid_p = 1;
continue;
}
+ if (strcmp(tokens[ti], "mss") == 0) {
+ INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+ if (status->status < 0)
+ return;
+ rule->mss = atoi(tokens[ti]);
+ if (status->status < 0)
+ return;
+ continue;
+ }
+
+ if (strcmp(tokens[ti], "esn") == 0) {
+ INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+ if (status->status < 0)
+ return;
+ rule->esn = atoll(tokens[ti]);
+ if (status->status < 0)
+ return;
+ continue;
+ }
+
if (strcmp(tokens[ti], "fallback") == 0) {
struct rte_ipsec_session *fb;
if (status->status < 0)
return;
fb = ipsec_get_fallback_session(rule);
- if (strcmp(tokens[ti], "lookaside-none") == 0) {
+ if (strcmp(tokens[ti], "lookaside-none") == 0)
fb->type = RTE_SECURITY_ACTION_TYPE_NONE;
- } else {
+ else if (strcmp(tokens[ti], "cpu-crypto") == 0)
+ fb->type = RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO;
+ else {
APP_CHECK(0, status, "unrecognized fallback "
"type %s.", tokens[ti]);
return;
}
rule->fallback_sessions = 1;
+ nb_crypto_sessions++;
fallback_p = 1;
continue;
}
+ if (strcmp(tokens[ti], "flow-direction") == 0) {
+ switch (ips->type) {
+ case RTE_SECURITY_ACTION_TYPE_NONE:
+ case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+ rule->fdir_flag = 1;
+ INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+ if (status->status < 0)
+ return;
+ if (rule->portid == UINT16_MAX)
+ rule->portid = atoi(tokens[ti]);
+ else if (rule->portid != atoi(tokens[ti])) {
+ APP_CHECK(0, status,
+ "portid %s not matching with already assigned portid %u",
+ tokens[ti], rule->portid);
+ return;
+ }
+ INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+ if (status->status < 0)
+ return;
+ rule->fdir_qid = atoi(tokens[ti]);
+ /* validating portid and queueid */
+ status_p = check_flow_params(rule->portid,
+ rule->fdir_qid);
+ if (status_p < 0) {
+ printf("port id %u / queue id %u is "
+ "not valid\n", rule->portid,
+ rule->fdir_qid);
+ }
+ break;
+ case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO:
+ case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:
+ case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:
+ default:
+ APP_CHECK(0, status,
+ "flow director not supported for security session type %d",
+ ips->type);
+ return;
+ }
+ continue;
+ }
+ if (strcmp(tokens[ti], "udp-encap") == 0) {
+ switch (ips->type) {
+ case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:
+ case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:
+ APP_CHECK_PRESENCE(udp_encap_p, tokens[ti],
+ status);
+ if (status->status < 0)
+ return;
+
+ rule->udp_encap = 1;
+ app_sa_prm.udp_encap = 1;
+ udp_encap_p = 1;
+ break;
+ case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO:
+ rule->udp_encap = 1;
+ rule->udp.sport = 0;
+ rule->udp.dport = 4500;
+ break;
+ default:
+ APP_CHECK(0, status,
+ "UDP encapsulation not supported for "
+ "security session type %d",
+ ips->type);
+ return;
+ }
+ continue;
+ }
/* unrecognizeable input */
APP_CHECK(0, status, "unrecognized input \"%s\"",
if (status->status < 0)
return;
- if ((ips->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0))
+ if ((ips->type != RTE_SECURITY_ACTION_TYPE_NONE && ips->type !=
+ RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) && (portid_p == 0))
printf("Missing portid option, falling back to non-offload\n");
- if (!type_p || !portid_p) {
+ if (!type_p || (!portid_p && ips->type !=
+ RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)) {
ips->type = RTE_SECURITY_ACTION_TYPE_NONE;
- rule->portid = -1;
}
+ nb_crypto_sessions++;
*ri = *ri + 1;
}
}
for (i = 0; i < RTE_DIM(aead_algos); i++) {
- if (aead_algos[i].algo == sa->aead_algo) {
+ if (aead_algos[i].algo == sa->aead_algo &&
+ aead_algos[i].key_len-4 == sa->cipher_key_len) {
printf("%s ", aead_algos[i].keyword);
break;
}
}
printf("mode:");
+ if (sa->udp_encap)
+ printf("UDP encapsulated ");
switch (WITHOUT_TRANSPORT_VERSION(sa->flags)) {
case IP4_TUNNEL:
case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:
printf("lookaside-protocol-offload ");
break;
+ case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+ printf("cpu-crypto-accelerated ");
+ break;
}
fallback_ips = &sa->sessions[IPSEC_SESSION_FALLBACK];
if (fallback_ips != NULL && sa->fallback_sessions > 0) {
printf("inline fallback: ");
- if (fallback_ips->type == RTE_SECURITY_ACTION_TYPE_NONE)
+ switch (fallback_ips->type) {
+ case RTE_SECURITY_ACTION_TYPE_NONE:
printf("lookaside-none");
- else
+ break;
+ case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+ printf("cpu-crypto-accelerated");
+ break;
+ default:
printf("invalid");
+ break;
+ }
}
+ if (sa->fdir_flag == 1)
+ printf("flow-direction port %d queue %d", sa->portid,
+ sa->fdir_qid);
+
printf("\n");
}
-struct ipsec_xf {
- struct rte_crypto_sym_xform a;
- struct rte_crypto_sym_xform b;
-};
-
-struct sa_ctx {
- void *satbl; /* pointer to array of rte_ipsec_sa objects*/
- struct ipsec_sad sad;
- struct ipsec_xf *xf;
- uint32_t nb_sa;
- struct ipsec_sa sa[];
-};
-
static struct sa_ctx *
sa_create(const char *name, int32_t socket_id, uint32_t nb_sa)
{
}
static int
-check_eth_dev_caps(uint16_t portid, uint32_t inbound)
+check_eth_dev_caps(uint16_t portid, uint32_t inbound, uint32_t tso)
{
struct rte_eth_dev_info dev_info;
int retval;
if (inbound) {
if ((dev_info.rx_offload_capa &
- DEV_RX_OFFLOAD_SECURITY) == 0) {
+ RTE_ETH_RX_OFFLOAD_SECURITY) == 0) {
RTE_LOG(WARNING, PORT,
"hardware RX IPSec offload is not supported\n");
return -EINVAL;
} else { /* outbound */
if ((dev_info.tx_offload_capa &
- DEV_TX_OFFLOAD_SECURITY) == 0) {
+ RTE_ETH_TX_OFFLOAD_SECURITY) == 0) {
RTE_LOG(WARNING, PORT,
"hardware TX IPSec offload is not supported\n");
return -EINVAL;
}
+ if (tso && (dev_info.tx_offload_capa &
+ RTE_ETH_TX_OFFLOAD_TCP_TSO) == 0) {
+ RTE_LOG(WARNING, PORT,
+ "hardware TCP TSO offload is not supported\n");
+ return -EINVAL;
+ }
}
return 0;
}
if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
- if (check_eth_dev_caps(sa->portid, inbound))
+ if (check_eth_dev_caps(sa->portid, inbound, sa->mss))
return -EINVAL;
}
-
switch (WITHOUT_TRANSPORT_VERSION(sa->flags)) {
case IP4_TUNNEL:
sa->src.ip.ip4 = rte_cpu_to_be_32(sa->src.ip.ip4);
}
if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
- struct rte_ipsec_session *ips;
iv_length = 12;
sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AEAD;
sa->digest_len;
sa->xforms = &sa_ctx->xf[idx].a;
-
- ips = ipsec_get_primary_session(sa);
- if (ips->type ==
- RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
- ips->type ==
- RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
- rc = create_inline_session(skt_ctx, sa, ips);
- if (rc != 0) {
- RTE_LOG(ERR, IPSEC_ESP,
- "create_inline_session() failed\n");
- return -EINVAL;
- }
- }
- print_one_sa_rule(sa, inbound);
} else {
switch (sa->cipher_algo) {
case RTE_CRYPTO_CIPHER_NULL:
sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
sa_ctx->xf[idx].b.next = NULL;
sa->xforms = &sa_ctx->xf[idx].a;
+ }
+
+ if (ips->type ==
+ RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
+ ips->type ==
+ RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ rc = create_inline_session(skt_ctx, sa, ips);
+ if (rc != 0) {
+ RTE_LOG(ERR, IPSEC_ESP,
+ "create_inline_session() failed\n");
+ return -EINVAL;
+ }
+ }
- print_one_sa_rule(sa, inbound);
+ if (sa->fdir_flag && inbound) {
+ rc = create_ipsec_esp_flow(sa);
+ if (rc != 0)
+ RTE_LOG(ERR, IPSEC_ESP,
+ "create_ipsec_esp_flow() failed\n");
}
+ print_one_sa_rule(sa, inbound);
}
return 0;
prm->ipsec_xform.mode = (IS_TRANSPORT(ss->flags)) ?
RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT :
RTE_SECURITY_IPSEC_SA_MODE_TUNNEL;
+ prm->ipsec_xform.options.udp_encap = ss->udp_encap;
prm->ipsec_xform.options.ecn = 1;
prm->ipsec_xform.options.copy_dscp = 1;
if (rc < 0)
return rc;
+ if (lsa->flags & SA_TELEMETRY_ENABLE)
+ rte_ipsec_telemetry_sa_add(sa);
+
/* init primary processing session */
ips = ipsec_get_primary_session(lsa);
rc = fill_ipsec_session(ips, sa);
rule_type ==
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
&& rule->portid == port_id)
- *rx_offloads |= DEV_RX_OFFLOAD_SECURITY;
+ *rx_offloads |= RTE_ETH_RX_OFFLOAD_SECURITY;
}
/* Check for outbound rules that use offloads and use this port */
if ((rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
rule_type ==
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
- && rule->portid == port_id)
- *tx_offloads |= DEV_TX_OFFLOAD_SECURITY;
+ && rule->portid == port_id) {
+ *tx_offloads |= RTE_ETH_TX_OFFLOAD_SECURITY;
+ if (rule->mss)
+ *tx_offloads |= RTE_ETH_TX_OFFLOAD_TCP_TSO;
+ }
}
return 0;
}
qsort(sa_in, nb_sa_in, sizeof(struct ipsec_sa), sa_cmp);
qsort(sa_out, nb_sa_out, sizeof(struct ipsec_sa), sa_cmp);
}
+
+uint32_t
+get_nb_crypto_sessions(void)
+{
+ return nb_crypto_sessions;
+}