security: add telemetry endpoint for capabilities

Add telemetry endpoint for cryptodev security capabilities.
Details of endpoints added in documentation.

Signed-off-by: Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 46c9b51d1bf9328d57fda1f53c065966df956fcb..72ca0bd3304dbd4dcc02bcc22f169995fd8e5a91 100644 (file)
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -728,3 +728,31 @@ it is only valid to have a single flow to map to that security session.
         +-------+            +--------+    +-----+
         |  Eth  | ->  ... -> |   ESP  | -> | END |
         +-------+            +--------+    +-----+
+
+
+Telemetry support
+-----------------
+
+The Security library has support for displaying Crypto device information
+with respect to its Security capabilities. Telemetry commands that can be used
+are shown below.
+
+#. Get the list of available Crypto devices by ID, that supports Security features::
+
+     --> /security/cryptodev/list
+     {"/security/cryptodev/list": [0, 1, 2, 3]}
+
+#. Get the security capabilities of a Crypto device::
+
+     --> /security/cryptodev/sec_caps,0
+        {"/security/cryptodev/sec_caps": {"sec_caps": [<array of serialized bytes of
+        capabilities>], "sec_caps_n": <number of capabilities>}}
+
+ #. Get the security crypto capabilities of a Crypto device::
+
+     --> /security/cryptodev/crypto_caps,0,0
+        {"/security/cryptodev/crypto_caps": {"crypto_caps": [<array of serialized bytes of
+        capabilities>], "crypto_caps_n": <number of capabilities>}}
+
+For more information on how to use the Telemetry interface, see
+the :doc:`../howto/telemetry`.

diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 845d32c21960673c8578976ad7c0610d20fb8d48..c1761ace232f0ff6025aec87ae3e456394578157 100644 (file)
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -239,6 +239,11 @@ New Features
   stats for a crypto device, and other device information to be queried.
   Also added callback to get cryptodev capabilities.
 
+* **Added telemetry to security library.**
+
+  Added telemetry callback functions to query security capabilities of
+  crypto device.
+
 * **Updated Marvell cnxk crypto PMD.**
 
   * Added AES-CBC SHA1-HMAC support in lookaside protocol (IPsec) for CN10K.

diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c
index fe81ed3e4cc17e386526967bb721741753cbe50a..6e45a03fa0ffb1414db46cc911f81e561340b3aa 100644 (file)
--- a/lib/security/rte_security.c
+++ b/lib/security/rte_security.c
@@ -4,8 +4,10 @@
  * Copyright (c) 2020 Samsung Electronics Co., Ltd All Rights Reserved
  */
 
+#include <rte_cryptodev.h>
 #include <rte_malloc.h>
 #include <rte_dev.h>
+#include <rte_telemetry.h>
 #include "rte_compat.h"
 #include "rte_security.h"
 #include "rte_security_driver.h"
@@ -203,3 +205,200 @@ rte_security_capability_get(struct rte_security_ctx *instance,
 
        return NULL;
 }
+
+static int
+security_handle_cryptodev_list(const char *cmd __rte_unused,
+                              const char *params __rte_unused,
+                              struct rte_tel_data *d)
+{
+       int dev_id;
+
+       if (rte_cryptodev_count() < 1)
+               return -1;
+
+       rte_tel_data_start_array(d, RTE_TEL_INT_VAL);
+       for (dev_id = 0; dev_id < RTE_CRYPTO_MAX_DEVS; dev_id++)
+               if (rte_cryptodev_is_valid_dev(dev_id) &&
+                   rte_cryptodev_get_sec_ctx(dev_id))
+                       rte_tel_data_add_array_int(d, dev_id);
+
+       return 0;
+}
+
+#define CRYPTO_CAPS_SZ                                             \
+       (RTE_ALIGN_CEIL(sizeof(struct rte_cryptodev_capabilities), \
+                       sizeof(uint64_t)) /     sizeof(uint64_t))
+
+static int
+crypto_caps_array(struct rte_tel_data *d,
+                 const struct rte_cryptodev_capabilities *capabilities)
+{
+       const struct rte_cryptodev_capabilities *dev_caps;
+       uint64_t caps_val[CRYPTO_CAPS_SZ];
+       unsigned int i = 0, j;
+
+       rte_tel_data_start_array(d, RTE_TEL_U64_VAL);
+
+       while ((dev_caps = &capabilities[i++])->op !=
+          RTE_CRYPTO_OP_TYPE_UNDEFINED) {
+               memset(&caps_val, 0, CRYPTO_CAPS_SZ * sizeof(caps_val[0]));
+               rte_memcpy(caps_val, dev_caps, sizeof(capabilities[0]));
+               for (j = 0; j < CRYPTO_CAPS_SZ; j++)
+                       rte_tel_data_add_array_u64(d, caps_val[j]);
+       }
+
+       return (i - 1);
+}
+
+#define SEC_CAPS_SZ                                            \
+       (RTE_ALIGN_CEIL(sizeof(struct rte_security_capability), \
+                       sizeof(uint64_t)) /     sizeof(uint64_t))
+
+static int
+sec_caps_array(struct rte_tel_data *d,
+              const struct rte_security_capability *capabilities)
+{
+       const struct rte_security_capability *dev_caps;
+       uint64_t caps_val[SEC_CAPS_SZ];
+       unsigned int i = 0, j;
+
+       rte_tel_data_start_array(d, RTE_TEL_U64_VAL);
+
+       while ((dev_caps = &capabilities[i++])->action !=
+          RTE_SECURITY_ACTION_TYPE_NONE) {
+               memset(&caps_val, 0, SEC_CAPS_SZ * sizeof(caps_val[0]));
+               rte_memcpy(caps_val, dev_caps, sizeof(capabilities[0]));
+               for (j = 0; j < SEC_CAPS_SZ; j++)
+                       rte_tel_data_add_array_u64(d, caps_val[j]);
+       }
+
+       return i - 1;
+}
+
+static const struct rte_security_capability *
+security_capability_by_index(const struct rte_security_capability *capabilities,
+                            int index)
+{
+       const struct rte_security_capability *dev_caps = NULL;
+       int i = 0;
+
+       while ((dev_caps = &capabilities[i])->action !=
+          RTE_SECURITY_ACTION_TYPE_NONE) {
+               if (i == index)
+                       return dev_caps;
+
+               ++i;
+       }
+
+       return NULL;
+}
+
+static int
+security_capabilities_from_dev_id(int dev_id, const void **caps)
+{
+       const struct rte_security_capability *capabilities;
+       struct rte_security_ctx *sec_ctx;
+
+       if (rte_cryptodev_is_valid_dev(dev_id) == 0)
+               return -EINVAL;
+
+       sec_ctx = (struct rte_security_ctx *)rte_cryptodev_get_sec_ctx(dev_id);
+       RTE_PTR_OR_ERR_RET(sec_ctx, -EINVAL);
+
+       capabilities = rte_security_capabilities_get(sec_ctx);
+       RTE_PTR_OR_ERR_RET(capabilities, -EINVAL);
+
+       *caps = capabilities;
+       return 0;
+}
+
+static int
+security_handle_cryptodev_sec_caps(const char *cmd __rte_unused, const char *params,
+                                  struct rte_tel_data *d)
+{
+       const struct rte_security_capability *capabilities;
+       struct rte_tel_data *sec_caps;
+       char *end_param;
+       int sec_caps_n;
+       int dev_id;
+       int rc;
+
+       if (!params || strlen(params) == 0 || !isdigit(*params))
+               return -EINVAL;
+
+       dev_id = strtoul(params, &end_param, 0);
+       if (*end_param != '\0')
+               CDEV_LOG_ERR("Extra parameters passed to command, ignoring");
+
+       rc = security_capabilities_from_dev_id(dev_id, (void *)&capabilities);
+       if (rc < 0)
+               return rc;
+
+       sec_caps = rte_tel_data_alloc();
+       RTE_PTR_OR_ERR_RET(sec_caps, -ENOMEM);
+
+       rte_tel_data_start_dict(d);
+       sec_caps_n = sec_caps_array(sec_caps, capabilities);
+       rte_tel_data_add_dict_container(d, "sec_caps", sec_caps, 0);
+       rte_tel_data_add_dict_int(d, "sec_caps_n", sec_caps_n);
+
+       return 0;
+}
+
+static int
+security_handle_cryptodev_crypto_caps(const char *cmd __rte_unused, const char *params,
+                                     struct rte_tel_data *d)
+{
+       const struct rte_security_capability *capabilities;
+       struct rte_tel_data *crypto_caps;
+       const char *capa_param;
+       int dev_id, capa_id;
+       int crypto_caps_n;
+       char *end_param;
+       int rc;
+
+       if (!params || strlen(params) == 0 || !isdigit(*params))
+               return -EINVAL;
+
+       dev_id = strtoul(params, &end_param, 0);
+       capa_param = strtok(end_param, ",");
+       if (!capa_param || strlen(capa_param) == 0 || !isdigit(*capa_param))
+               return -EINVAL;
+
+       capa_id = strtoul(capa_param, &end_param, 0);
+       if (*end_param != '\0')
+               CDEV_LOG_ERR("Extra parameters passed to command, ignoring");
+
+       rc = security_capabilities_from_dev_id(dev_id, (void *)&capabilities);
+       if (rc < 0)
+               return rc;
+
+       capabilities = security_capability_by_index(capabilities, capa_id);
+       RTE_PTR_OR_ERR_RET(capabilities, -EINVAL);
+
+       crypto_caps = rte_tel_data_alloc();
+       RTE_PTR_OR_ERR_RET(crypto_caps, -ENOMEM);
+
+       rte_tel_data_start_dict(d);
+       crypto_caps_n = crypto_caps_array(crypto_caps, capabilities->crypto_capabilities);
+
+       rte_tel_data_add_dict_container(d, "crypto_caps", crypto_caps, 0);
+       rte_tel_data_add_dict_int(d, "crypto_caps_n", crypto_caps_n);
+
+       return 0;
+}
+
+RTE_INIT(security_init_telemetry)
+{
+       rte_telemetry_register_cmd("/security/cryptodev/list",
+               security_handle_cryptodev_list,
+               "Returns list of available crypto devices by IDs. No parameters.");
+
+       rte_telemetry_register_cmd("/security/cryptodev/sec_caps",
+               security_handle_cryptodev_sec_caps,
+               "Returns security capabilities for a cryptodev. Parameters: int dev_id");
+
+       rte_telemetry_register_cmd("/security/cryptodev/crypto_caps",
+               security_handle_cryptodev_crypto_caps,
+               "Returns crypto capabilities for a security capability. Parameters: int dev_id, sec_cap_id");
+}