cryptodev: formalize key wrap method in API

The Key Wrap approach is used by applications in order to protect keys
located in untrusted storage or transmitted over untrusted
communications networks. The constructions are typically built from
standard primitives such as block ciphers and cryptographic hash
functions.

The Key Wrap method and its parameters are a secret between the keys
provider and the device, means that the device is preconfigured for
this method using very secured way.

The key wrap method may change the key length and layout.

Add a description for the cipher transformation key to allow wrapped key
to be forwarded by the same API.

Add a new feature flag RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY to be enabled
by PMDs support wrapped key in cipher trasformation.

Signed-off-by: Matan Azrad <matan@nvidia.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini
index 978bb30cc1cd26cd8cf9c1aaa9fbe3665b1d33fe..c24814de986ad6fbb0b11baf234844ccbdb6db79 100644 (file)
--- a/doc/guides/cryptodevs/features/default.ini
+++ b/doc/guides/cryptodevs/features/default.ini
@@ -32,6 +32,7 @@ Symmetric sessionless  =
 Non-Byte aligned data  =
 Sym raw data path API  =
 Cipher multiple data units =
+Cipher wrapped key     =
 
 ;
 ; Supported crypto algorithms of a default crypto driver.

diff --git a/doc/guides/cryptodevs/overview.rst b/doc/guides/cryptodevs/overview.rst
index e24e3e19931fbd93e0dcccff74a3e8b6e2846a5a..b87c4c6a275f220883ca74944cfe793b55b638d4 100644 (file)
--- a/doc/guides/cryptodevs/overview.rst
+++ b/doc/guides/cryptodevs/overview.rst
@@ -49,6 +49,9 @@ Supported Feature Flags
    - "CIPHER_MULTIPLE_DATA_UNITS" feature flag means PMD support operations
       on multiple data-units message.
 
+   - "CIPHER_WRAPPED_KEY" feature flag means PMD support wrapped key in cipher
+      xform.
+
 
 Supported Cipher Algorithms
 ---------------------------

diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst
index c0492b61b9f889df4deb5cf4d78dbd3fb2602728..d7f16fc90b7d799499a95b9d914afa05bce53f9a 100644 (file)
--- a/doc/guides/rel_notes/release_21_05.rst
+++ b/doc/guides/rel_notes/release_21_05.rst
@@ -156,6 +156,11 @@ New Features
   data-units for AES-XTS algorithm, the data-unit length should be set in the
   transformation. A capability for it was added too.
 
+* **Added a cryptodev feature flag to support cipher wrapped keys.**
+
+  A new feature flag has been added to allow application to provide
+  cipher wrapped keys in session xforms.
+
 * **Updated the OCTEON TX crypto PMD.**
 
   * Added support for DIGEST_ENCRYPTED mode in OCTEON TX crypto PMD.

diff --git a/lib/librte_cryptodev/rte_crypto_sym.h b/lib/librte_cryptodev/rte_crypto_sym.h
index 4e365b1eab2a2a47148c46d5847a174e1cf1d2de..58c0724743cbc0dfa290a562686bebf8da7578bd 100644 (file)
--- a/lib/librte_cryptodev/rte_crypto_sym.h
+++ b/lib/librte_cryptodev/rte_crypto_sym.h
@@ -203,6 +203,14 @@ struct rte_crypto_cipher_xform {
                uint16_t length;        /**< key length in bytes */
        } key;
        /**< Cipher key
+        *
+        * In case the PMD supports RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY, the
+        * original key data provided may be wrapped(encrypted) using key wrap
+        * algorithm such as AES key wrap (rfc3394) and hence length of the key
+        * may increase beyond the PMD advertised supported key size.
+        * PMD shall validate the key length and report EMSGSIZE error while
+        * configuring the session and application can skip checking the
+        * capability key length in such cases.
         *
         * For the RTE_CRYPTO_CIPHER_AES_F8 mode of operation, key.data will
         * point to a concatenation of the AES encryption key followed by a

diff --git a/lib/librte_cryptodev/rte_cryptodev.c b/lib/librte_cryptodev/rte_cryptodev.c
index 25d86a1081208efe753888d9cc82f1f1a4ce7cb6..447aa9d519f595179c7b52c5917a458cc0c29f5a 100644 (file)
--- a/lib/librte_cryptodev/rte_cryptodev.c
+++ b/lib/librte_cryptodev/rte_cryptodev.c
@@ -619,6 +619,8 @@ rte_cryptodev_get_feature_name(uint64_t flag)
                return "NON_BYTE_ALIGNED_DATA";
        case RTE_CRYPTODEV_FF_CIPHER_MULTIPLE_DATA_UNITS:
                return "CIPHER_MULTIPLE_DATA_UNITS";
+       case RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY:
+               return "CIPHER_WRAPPED_KEY";
        default:
                return NULL;
        }

diff --git a/lib/librte_cryptodev/rte_cryptodev.h b/lib/librte_cryptodev/rte_cryptodev.h
index 307f0fa8632a6385369b30167b087310badefef4..11f4e6fdbf189e1c1251e4e2b4fef03f2fe08f74 100644 (file)
--- a/lib/librte_cryptodev/rte_cryptodev.h
+++ b/lib/librte_cryptodev/rte_cryptodev.h
@@ -477,6 +477,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum,
 /**< Support accelerator specific symmetric raw data-path APIs */
 #define RTE_CRYPTODEV_FF_CIPHER_MULTIPLE_DATA_UNITS    (1ULL << 25)
 /**< Support operations on multiple data-units message */
+#define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY            (1ULL << 26)
+/**< Support wrapped key in cipher xform  */
 
 /**
  * Get the name of a crypto device feature flag