security: introduce security API and framework
authorAkhil Goyal <akhil.goyal@nxp.com>
Wed, 25 Oct 2017 15:07:23 +0000 (20:37 +0530)
committerThomas Monjalon <thomas@monjalon.net>
Thu, 26 Oct 2017 01:10:51 +0000 (03:10 +0200)
rte_security library provides APIs for security session
create/free for protocol offload or offloaded crypto
operation to ethernet device.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Signed-off-by: Declan Doherty <declan.doherty@intel.com>
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
12 files changed:
MAINTAINERS
config/common_base
doc/api/doxy-api-index.md
doc/api/doxy-api.conf
doc/guides/rel_notes/release_17_11.rst
lib/Makefile
lib/librte_security/Makefile [new file with mode: 0644]
lib/librte_security/rte_security.c [new file with mode: 0644]
lib/librte_security/rte_security.h [new file with mode: 0644]
lib/librte_security/rte_security_driver.h [new file with mode: 0644]
lib/librte_security/rte_security_version.map [new file with mode: 0644]
mk/rte.app.mk

index 99e001d..bfba41f 100644 (file)
@@ -267,6 +267,11 @@ F: lib/librte_cryptodev/
 F: test/test/test_cryptodev*
 F: examples/l2fwd-crypto/
 
+Security API - EXPERIMENTAL
+M: Akhil Goyal <akhil.goyal@nxp.com>
+M: Declan Doherty <declan.doherty@intel.com>
+F: lib/librte_security/
+
 Eventdev API - EXPERIMENTAL
 M: Jerin Jacob <jerin.jacob@caviumnetworks.com>
 T: git://dpdk.org/next/dpdk-next-eventdev
index 4ddde59..75aa0e1 100644 (file)
@@ -547,6 +547,11 @@ CONFIG_RTE_LIBRTE_PMD_NULL_CRYPTO=y
 CONFIG_RTE_LIBRTE_PMD_MRVL_CRYPTO=n
 CONFIG_RTE_LIBRTE_PMD_MRVL_CRYPTO_DEBUG=n
 
+#
+# Compile generic security library
+#
+CONFIG_RTE_LIBRTE_SECURITY=y
+
 #
 # Compile generic event device library
 #
index 59e1b15..3492702 100644 (file)
@@ -43,6 +43,7 @@ The public API headers are grouped by topics:
   [rte_tm]             (@ref rte_tm.h),
   [rte_mtr]            (@ref rte_mtr.h),
   [cryptodev]          (@ref rte_cryptodev.h),
+  [security]           (@ref rte_security.h),
   [eventdev]           (@ref rte_eventdev.h),
   [event_eth_rx_adapter]   (@ref rte_event_eth_rx_adapter.h),
   [metrics]            (@ref rte_metrics.h),
index 9edb6fd..65549dc 100644 (file)
@@ -71,6 +71,7 @@ INPUT                   = doc/api/doxy-api-index.md \
                           lib/librte_reorder \
                           lib/librte_ring \
                           lib/librte_sched \
+                          lib/librte_security \
                           lib/librte_table \
                           lib/librte_timer \
                           lib/librte_vhost
index 4267c26..a2d5fa8 100644 (file)
@@ -410,6 +410,7 @@ The libraries prepended with a plus sign were incremented in this version.
      librte_reorder.so.1
      librte_ring.so.1
      librte_sched.so.1
+   + librte_security.so.1
    + librte_table.so.3
      librte_timer.so.1
      librte_vhost.so.3
index 6e45700..8693cda 100644 (file)
@@ -50,6 +50,10 @@ DEPDIRS-librte_ether += librte_mbuf
 DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += librte_cryptodev
 DEPDIRS-librte_cryptodev := librte_eal librte_mempool librte_ring librte_mbuf
 DEPDIRS-librte_cryptodev += librte_kvargs
+DIRS-$(CONFIG_RTE_LIBRTE_SECURITY) += librte_security
+DEPDIRS-librte_security := librte_eal librte_mempool librte_ring librte_mbuf
+DEPDIRS-librte_security += librte_ether
+DEPDIRS-librte_security += librte_cryptodev
 DIRS-$(CONFIG_RTE_LIBRTE_EVENTDEV) += librte_eventdev
 DEPDIRS-librte_eventdev := librte_eal librte_ring librte_ether librte_hash
 DIRS-$(CONFIG_RTE_LIBRTE_VHOST) += librte_vhost
diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile
new file mode 100644 (file)
index 0000000..bb93ec3
--- /dev/null
@@ -0,0 +1,54 @@
+#   BSD LICENSE
+#
+#   Copyright(c) 2017 Intel Corporation. All rights reserved.
+#
+#   Redistribution and use in source and binary forms, with or without
+#   modification, are permitted provided that the following conditions
+#   are met:
+#
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in
+#       the documentation and/or other materials provided with the
+#       distribution.
+#     * Neither the name of Intel Corporation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+#   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+#   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+#   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+#   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+#   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+#   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+#   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+#   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+#   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+#   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+#   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+include $(RTE_SDK)/mk/rte.vars.mk
+
+# library name
+LIB = librte_security.a
+
+# library version
+LIBABIVER := 1
+
+# build flags
+CFLAGS += -O3
+CFLAGS += $(WERROR_FLAGS)
+LDLIBS += -lrte_eal -lrte_mempool
+
+# library source files
+SRCS-y += rte_security.c
+
+# export include files
+SYMLINK-y-include += rte_security.h
+SYMLINK-y-include += rte_security_driver.h
+
+# versioning export map
+EXPORT_MAP := rte_security_version.map
+
+include $(RTE_SDK)/mk/rte.lib.mk
diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
new file mode 100644 (file)
index 0000000..1227fca
--- /dev/null
@@ -0,0 +1,149 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright 2017 NXP.
+ *   Copyright(c) 2017 Intel Corporation. All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of NXP nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <rte_malloc.h>
+#include <rte_dev.h>
+
+#include "rte_security.h"
+#include "rte_security_driver.h"
+
+struct rte_security_session *
+rte_security_session_create(struct rte_security_ctx *instance,
+                           struct rte_security_session_conf *conf,
+                           struct rte_mempool *mp)
+{
+       struct rte_security_session *sess = NULL;
+
+       if (conf == NULL)
+               return NULL;
+
+       RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_create, NULL);
+
+       if (rte_mempool_get(mp, (void *)&sess))
+               return NULL;
+
+       if (instance->ops->session_create(instance->device, conf, sess, mp)) {
+               rte_mempool_put(mp, (void *)sess);
+               return NULL;
+       }
+       instance->sess_cnt++;
+
+       return sess;
+}
+
+int
+rte_security_session_update(struct rte_security_ctx *instance,
+                           struct rte_security_session *sess,
+                           struct rte_security_session_conf *conf)
+{
+       RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_update, -ENOTSUP);
+       return instance->ops->session_update(instance->device, sess, conf);
+}
+
+int
+rte_security_session_stats_get(struct rte_security_ctx *instance,
+                              struct rte_security_session *sess,
+                              struct rte_security_stats *stats)
+{
+       RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_stats_get, -ENOTSUP);
+       return instance->ops->session_stats_get(instance->device, sess, stats);
+}
+
+int
+rte_security_session_destroy(struct rte_security_ctx *instance,
+                            struct rte_security_session *sess)
+{
+       int ret;
+       struct rte_mempool *mp = rte_mempool_from_obj(sess);
+
+       RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_destroy, -ENOTSUP);
+
+       if (instance->sess_cnt)
+               instance->sess_cnt--;
+
+       ret = instance->ops->session_destroy(instance->device, sess);
+       if (!ret)
+               rte_mempool_put(mp, (void *)sess);
+
+       return ret;
+}
+
+int
+rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
+                             struct rte_security_session *sess,
+                             struct rte_mbuf *m, void *params)
+{
+       RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->set_pkt_metadata, -ENOTSUP);
+       return instance->ops->set_pkt_metadata(instance->device,
+                                              sess, m, params);
+}
+
+const struct rte_security_capability *
+rte_security_capabilities_get(struct rte_security_ctx *instance)
+{
+       RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->capabilities_get, NULL);
+       return instance->ops->capabilities_get(instance->device);
+}
+
+const struct rte_security_capability *
+rte_security_capability_get(struct rte_security_ctx *instance,
+                           struct rte_security_capability_idx *idx)
+{
+       const struct rte_security_capability *capabilities;
+       const struct rte_security_capability *capability;
+       uint16_t i = 0;
+
+       RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->capabilities_get, NULL);
+       capabilities = instance->ops->capabilities_get(instance->device);
+
+       if (capabilities == NULL)
+               return NULL;
+
+       while ((capability = &capabilities[i++])->action
+                       != RTE_SECURITY_ACTION_TYPE_NONE) {
+               if (capability->action  == idx->action &&
+                               capability->protocol == idx->protocol) {
+                       if (idx->protocol == RTE_SECURITY_PROTOCOL_IPSEC) {
+                               if (capability->ipsec.proto ==
+                                               idx->ipsec.proto &&
+                                       capability->ipsec.mode ==
+                                                       idx->ipsec.mode &&
+                                       capability->ipsec.direction ==
+                                                       idx->ipsec.direction)
+                                       return capability;
+                       }
+               }
+       }
+
+       return NULL;
+}
diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
new file mode 100644 (file)
index 0000000..7e687d2
--- /dev/null
@@ -0,0 +1,529 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright 2017 NXP.
+ *   Copyright(c) 2017 Intel Corporation. All rights reserved.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of NXP nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _RTE_SECURITY_H_
+#define _RTE_SECURITY_H_
+
+/**
+ * @file rte_security.h
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * RTE Security Common Definitions
+ *
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <sys/types.h>
+
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+
+#include <rte_common.h>
+#include <rte_crypto.h>
+#include <rte_mbuf.h>
+#include <rte_memory.h>
+#include <rte_mempool.h>
+
+/** IPSec protocol mode */
+enum rte_security_ipsec_sa_mode {
+       RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
+       /**< IPSec Transport mode */
+       RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+       /**< IPSec Tunnel mode */
+};
+
+/** IPSec Protocol */
+enum rte_security_ipsec_sa_protocol {
+       RTE_SECURITY_IPSEC_SA_PROTO_AH,
+       /**< AH protocol */
+       RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+       /**< ESP protocol */
+};
+
+/** IPSEC tunnel type */
+enum rte_security_ipsec_tunnel_type {
+       RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+       /**< Outer header is IPv4 */
+       RTE_SECURITY_IPSEC_TUNNEL_IPV6,
+       /**< Outer header is IPv6 */
+};
+
+/**
+ * Security context for crypto/eth devices
+ *
+ * Security instance for each driver to register security operations.
+ * The application can get the security context from the crypto/eth device id
+ * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx()
+ * This structure is used to identify the device(crypto/eth) for which the
+ * security operations need to be performed.
+ */
+struct rte_security_ctx {
+       void *device;
+       /**< Crypto/ethernet device attached */
+       struct rte_security_ops *ops;
+       /**< Pointer to security ops for the device */
+       uint16_t sess_cnt;
+       /**< Number of sessions attached to this context */
+};
+
+/**
+ * IPSEC tunnel parameters
+ *
+ * These parameters are used to build outbound tunnel headers.
+ */
+struct rte_security_ipsec_tunnel_param {
+       enum rte_security_ipsec_tunnel_type type;
+       /**< Tunnel type: IPv4 or IPv6 */
+       RTE_STD_C11
+       union {
+               struct {
+                       struct in_addr src_ip;
+                       /**< IPv4 source address */
+                       struct in_addr dst_ip;
+                       /**< IPv4 destination address */
+                       uint8_t dscp;
+                       /**< IPv4 Differentiated Services Code Point */
+                       uint8_t df;
+                       /**< IPv4 Don't Fragment bit */
+                       uint8_t ttl;
+                       /**< IPv4 Time To Live */
+               } ipv4;
+               /**< IPv4 header parameters */
+               struct {
+                       struct in6_addr src_addr;
+                       /**< IPv6 source address */
+                       struct in6_addr dst_addr;
+                       /**< IPv6 destination address */
+                       uint8_t dscp;
+                       /**< IPv6 Differentiated Services Code Point */
+                       uint32_t flabel;
+                       /**< IPv6 flow label */
+                       uint8_t hlimit;
+                       /**< IPv6 hop limit */
+               } ipv6;
+               /**< IPv6 header parameters */
+       };
+};
+
+/**
+ * IPsec Security Association option flags
+ */
+struct rte_security_ipsec_sa_options {
+       /**< Extended Sequence Numbers (ESN)
+        *
+        * * 1: Use extended (64 bit) sequence numbers
+        * * 0: Use normal sequence numbers
+        */
+       uint32_t esn : 1;
+
+       /**< UDP encapsulation
+        *
+        * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
+        *      traverse through NAT boxes.
+        * * 0: No UDP encapsulation
+        */
+       uint32_t udp_encap : 1;
+
+       /**< Copy DSCP bits
+        *
+        * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
+        *      the outer IP header in encapsulation, and vice versa in
+        *      decapsulation.
+        * * 0: Do not change DSCP field.
+        */
+       uint32_t copy_dscp : 1;
+
+       /**< Copy IPv6 Flow Label
+        *
+        * * 1: Copy IPv6 flow label from inner IPv6 header to the
+        *      outer IPv6 header.
+        * * 0: Outer header is not modified.
+        */
+       uint32_t copy_flabel : 1;
+
+       /**< Copy IPv4 Don't Fragment bit
+        *
+        * * 1: Copy the DF bit from the inner IPv4 header to the outer
+        *      IPv4 header.
+        * * 0: Outer header is not modified.
+        */
+       uint32_t copy_df : 1;
+
+       /**< Decrement inner packet Time To Live (TTL) field
+        *
+        * * 1: In tunnel mode, decrement inner packet IPv4 TTL or
+        *      IPv6 Hop Limit after tunnel decapsulation, or before tunnel
+        *      encapsulation.
+        * * 0: Inner packet is not modified.
+        */
+       uint32_t dec_ttl : 1;
+};
+
+/** IPSec security association direction */
+enum rte_security_ipsec_sa_direction {
+       RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+       /**< Encrypt and generate digest */
+       RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+       /**< Verify digest and decrypt */
+};
+
+/**
+ * IPsec security association configuration data.
+ *
+ * This structure contains data required to create an IPsec SA security session.
+ */
+struct rte_security_ipsec_xform {
+       uint32_t spi;
+       /**< SA security parameter index */
+       uint32_t salt;
+       /**< SA salt */
+       struct rte_security_ipsec_sa_options options;
+       /**< various SA options */
+       enum rte_security_ipsec_sa_direction direction;
+       /**< IPSec SA Direction - Egress/Ingress */
+       enum rte_security_ipsec_sa_protocol proto;
+       /**< IPsec SA Protocol - AH/ESP */
+       enum rte_security_ipsec_sa_mode mode;
+       /**< IPsec SA Mode - transport/tunnel */
+       struct rte_security_ipsec_tunnel_param tunnel;
+       /**< Tunnel parameters, NULL for transport mode */
+};
+
+/**
+ * MACsec security session configuration
+ */
+struct rte_security_macsec_xform {
+       /** To be Filled */
+};
+
+/**
+ * Security session action type.
+ */
+enum rte_security_session_action_type {
+       RTE_SECURITY_ACTION_TYPE_NONE,
+       /**< No security actions */
+       RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
+       /**< Crypto processing for security protocol is processed inline
+        * during transmission
+        */
+       RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
+       /**< All security protocol processing is performed inline during
+        * transmission
+        */
+       RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
+       /**< All security protocol processing including crypto is performed
+        * on a lookaside accelerator
+        */
+};
+
+/** Security session protocol definition */
+enum rte_security_session_protocol {
+       RTE_SECURITY_PROTOCOL_IPSEC,
+       /**< IPsec Protocol */
+       RTE_SECURITY_PROTOCOL_MACSEC,
+       /**< MACSec Protocol */
+};
+
+/**
+ * Security session configuration
+ */
+struct rte_security_session_conf {
+       enum rte_security_session_action_type action_type;
+       /**< Type of action to be performed on the session */
+       enum rte_security_session_protocol protocol;
+       /**< Security protocol to be configured */
+       union {
+               struct rte_security_ipsec_xform ipsec;
+               struct rte_security_macsec_xform macsec;
+       };
+       /**< Configuration parameters for security session */
+       struct rte_crypto_sym_xform *crypto_xform;
+       /**< Security Session Crypto Transformations */
+};
+
+struct rte_security_session {
+       void *sess_private_data;
+       /**< Private session material */
+};
+
+/**
+ * Create security session as specified by the session configuration
+ *
+ * @param   instance   security instance
+ * @param   conf       session configuration parameters
+ * @param   mp         mempool to allocate session objects from
+ * @return
+ *  - On success, pointer to session
+ *  - On failure, NULL
+ */
+struct rte_security_session *
+rte_security_session_create(struct rte_security_ctx *instance,
+                           struct rte_security_session_conf *conf,
+                           struct rte_mempool *mp);
+
+/**
+ * Update security session as specified by the session configuration
+ *
+ * @param   instance   security instance
+ * @param   sess       session to update parameters
+ * @param   conf       update configuration parameters
+ * @return
+ *  - On success returns 0
+ *  - On failure return errno
+ */
+int
+rte_security_session_update(struct rte_security_ctx *instance,
+                           struct rte_security_session *sess,
+                           struct rte_security_session_conf *conf);
+
+/**
+ * Free security session header and the session private data and
+ * return it to its original mempool.
+ *
+ * @param   instance   security instance
+ * @param   sess       security session to freed
+ *
+ * @return
+ *  - 0 if successful.
+ *  - -EINVAL if session is NULL.
+ *  - -EBUSY if not all device private data has been freed.
+ */
+int
+rte_security_session_destroy(struct rte_security_ctx *instance,
+                            struct rte_security_session *sess);
+
+/**
+ *  Updates the buffer with device-specific defined metadata
+ *
+ * @param      instance        security instance
+ * @param      sess            security session
+ * @param      mb              packet mbuf to set metadata on.
+ * @param      params          device-specific defined parameters
+ *                             required for metadata
+ *
+ * @return
+ *  - On success, zero.
+ *  - On failure, a negative value.
+ */
+int
+rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
+                             struct rte_security_session *sess,
+                             struct rte_mbuf *mb, void *params);
+
+/**
+ * Attach a session to a symmetric crypto operation
+ *
+ * @param      sym_op  crypto operation
+ * @param      sess    security session
+ */
+static inline int
+__rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
+                             struct rte_security_session *sess)
+{
+       sym_op->sec_session = sess;
+
+       return 0;
+}
+
+static inline void *
+get_sec_session_private_data(const struct rte_security_session *sess)
+{
+       return sess->sess_private_data;
+}
+
+static inline void
+set_sec_session_private_data(struct rte_security_session *sess,
+                            void *private_data)
+{
+       sess->sess_private_data = private_data;
+}
+
+/**
+ * Attach a session to a crypto operation.
+ * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD
+ * For other rte_security_session_action_type, ol_flags in rte_mbuf may be
+ * defined to perform security operations.
+ *
+ * @param      op      crypto operation
+ * @param      sess    security session
+ */
+static inline int
+rte_security_attach_session(struct rte_crypto_op *op,
+                           struct rte_security_session *sess)
+{
+       if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
+               return -EINVAL;
+
+       op->sess_type =  RTE_CRYPTO_OP_SECURITY_SESSION;
+
+       return __rte_security_attach_session(op->sym, sess);
+}
+
+struct rte_security_macsec_stats {
+       uint64_t reserved;
+};
+
+struct rte_security_ipsec_stats {
+       uint64_t reserved;
+
+};
+
+struct rte_security_stats {
+       enum rte_security_session_protocol protocol;
+       /**< Security protocol to be configured */
+
+       union {
+               struct rte_security_macsec_stats macsec;
+               struct rte_security_ipsec_stats ipsec;
+       };
+};
+
+/**
+ * Get security session statistics
+ *
+ * @param      instance        security instance
+ * @param      sess            security session
+ * @param      stats           statistics
+ * @return
+ *  - On success return 0
+ *  - On failure errno
+ */
+int
+rte_security_session_stats_get(struct rte_security_ctx *instance,
+                              struct rte_security_session *sess,
+                              struct rte_security_stats *stats);
+
+/**
+ * Security capability definition
+ */
+struct rte_security_capability {
+       enum rte_security_session_action_type action;
+       /**< Security action type*/
+       enum rte_security_session_protocol protocol;
+       /**< Security protocol */
+       RTE_STD_C11
+       union {
+               struct {
+                       enum rte_security_ipsec_sa_protocol proto;
+                       /**< IPsec SA protocol */
+                       enum rte_security_ipsec_sa_mode mode;
+                       /**< IPsec SA mode */
+                       enum rte_security_ipsec_sa_direction direction;
+                       /**< IPsec SA direction */
+                       struct rte_security_ipsec_sa_options options;
+                       /**< IPsec SA supported options */
+               } ipsec;
+               /**< IPsec capability */
+               struct {
+                       /* To be Filled */
+               } macsec;
+               /**< MACsec capability */
+       };
+
+       const struct rte_cryptodev_capabilities *crypto_capabilities;
+       /**< Corresponding crypto capabilities for security capability  */
+
+       uint32_t ol_flags;
+       /**< Device offload flags */
+};
+
+#define RTE_SECURITY_TX_OLOAD_NEED_MDATA       0x00000001
+/**< HW needs metadata update, see rte_security_set_pkt_metadata().
+ */
+
+#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD     0x00000002
+/**< HW constructs trailer of packets
+ * Transmitted packets will have the trailer added to them
+ * by hardawre. The next protocol field will be based on
+ * the mbuf->inner_esp_next_proto field.
+ */
+#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD     0x00010000
+/**< HW removes trailer of packets
+ * Received packets have no trailer, the next protocol field
+ * is supplied in the mbuf->inner_esp_next_proto field.
+ * Inner packet is not modified.
+ */
+
+/**
+ * Security capability index used to query a security instance for a specific
+ * security capability
+ */
+struct rte_security_capability_idx {
+       enum rte_security_session_action_type action;
+       enum rte_security_session_protocol protocol;
+
+       union {
+               struct {
+                       enum rte_security_ipsec_sa_protocol proto;
+                       enum rte_security_ipsec_sa_mode mode;
+                       enum rte_security_ipsec_sa_direction direction;
+               } ipsec;
+       };
+};
+
+/**
+ *  Returns array of security instance capabilities
+ *
+ * @param      instance        Security instance.
+ *
+ * @return
+ *   - Returns array of security capabilities.
+ *   - Return NULL if no capabilities available.
+ */
+const struct rte_security_capability *
+rte_security_capabilities_get(struct rte_security_ctx *instance);
+
+/**
+ * Query if a specific capability is available on security instance
+ *
+ * @param      instance        security instance.
+ * @param      idx             security capability index to match against
+ *
+ * @return
+ *   - Returns pointer to security capability on match of capability
+ *     index criteria.
+ *   - Return NULL if the capability not matched on security instance.
+ */
+const struct rte_security_capability *
+rte_security_capability_get(struct rte_security_ctx *instance,
+                           struct rte_security_capability_idx *idx);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _RTE_SECURITY_H_ */
diff --git a/lib/librte_security/rte_security_driver.h b/lib/librte_security/rte_security_driver.h
new file mode 100644 (file)
index 0000000..997fbe7
--- /dev/null
@@ -0,0 +1,156 @@
+/*-
+ *   BSD LICENSE
+ *
+ *   Copyright(c) 2017 Intel Corporation. All rights reserved.
+ *   Copyright 2017 NXP.
+ *
+ *   Redistribution and use in source and binary forms, with or without
+ *   modification, are permitted provided that the following conditions
+ *   are met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in
+ *       the documentation and/or other materials provided with the
+ *       distribution.
+ *     * Neither the name of Intel Corporation nor the names of its
+ *       contributors may be used to endorse or promote products derived
+ *       from this software without specific prior written permission.
+ *
+ *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _RTE_SECURITY_DRIVER_H_
+#define _RTE_SECURITY_DRIVER_H_
+
+/**
+ * @file rte_security_driver.h
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * RTE Security Common Definitions
+ *
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "rte_security.h"
+
+/**
+ * Configure a security session on a device.
+ *
+ * @param      device          Crypto/eth device pointer
+ * @param      conf            Security session configuration
+ * @param      sess            Pointer to Security private session structure
+ * @param      mp              Mempool where the private session is allocated
+ *
+ * @return
+ *  - Returns 0 if private session structure have been created successfully.
+ *  - Returns -EINVAL if input parameters are invalid.
+ *  - Returns -ENOTSUP if crypto device does not support the crypto transform.
+ *  - Returns -ENOMEM if the private session could not be allocated.
+ */
+typedef int (*security_session_create_t)(void *device,
+               struct rte_security_session_conf *conf,
+               struct rte_security_session *sess,
+               struct rte_mempool *mp);
+
+/**
+ * Free driver private session data.
+ *
+ * @param      dev             Crypto/eth device pointer
+ * @param      sess            Security session structure
+ */
+typedef int (*security_session_destroy_t)(void *device,
+               struct rte_security_session *sess);
+
+/**
+ * Update driver private session data.
+ *
+ * @param      device          Crypto/eth device pointer
+ * @param      sess            Pointer to Security private session structure
+ * @param      conf            Security session configuration
+ *
+ * @return
+ *  - Returns 0 if private session structure have been updated successfully.
+ *  - Returns -EINVAL if input parameters are invalid.
+ *  - Returns -ENOTSUP if crypto device does not support the crypto transform.
+ */
+typedef int (*security_session_update_t)(void *device,
+               struct rte_security_session *sess,
+               struct rte_security_session_conf *conf);
+/**
+ * Get stats from the PMD.
+ *
+ * @param      device          Crypto/eth device pointer
+ * @param      sess            Pointer to Security private session structure
+ * @param      stats           Security stats of the driver
+ *
+ * @return
+ *  - Returns 0 if private session structure have been updated successfully.
+ *  - Returns -EINVAL if session parameters are invalid.
+ */
+typedef int (*security_session_stats_get_t)(void *device,
+               struct rte_security_session *sess,
+               struct rte_security_stats *stats);
+
+/**
+ * Update the mbuf with provided metadata.
+ *
+ * @param      sess            Security session structure
+ * @param      mb              Packet buffer
+ * @param      mt              Metadata
+ *
+ * @return
+ *  - Returns 0 if metadata updated successfully.
+ *  - Returns -ve value for errors.
+ */
+typedef int (*security_set_pkt_metadata_t)(void *device,
+               struct rte_security_session *sess, struct rte_mbuf *m,
+               void *params);
+
+/**
+ * Get security capabilities of the device.
+ *
+ * @param      device          crypto/eth device pointer
+ *
+ * @return
+ *  - Returns rte_security_capability pointer on success.
+ *  - Returns NULL on error.
+ */
+typedef const struct rte_security_capability *(*security_capabilities_get_t)(
+               void *device);
+
+/** Security operations function pointer table */
+struct rte_security_ops {
+       security_session_create_t session_create;
+       /**< Configure a security session. */
+       security_session_update_t session_update;
+       /**< Update a security session. */
+       security_session_stats_get_t session_stats_get;
+       /**< Get security session statistics. */
+       security_session_destroy_t session_destroy;
+       /**< Clear a security sessions private data. */
+       security_set_pkt_metadata_t set_pkt_metadata;
+       /**< Update mbuf metadata. */
+       security_capabilities_get_t capabilities_get;
+       /**< Get security capabilities. */
+};
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _RTE_SECURITY_DRIVER_H_ */
diff --git a/lib/librte_security/rte_security_version.map b/lib/librte_security/rte_security_version.map
new file mode 100644 (file)
index 0000000..e12c04b
--- /dev/null
@@ -0,0 +1,14 @@
+EXPERIMENTAL {
+       global:
+
+       rte_security_attach_session;
+       rte_security_capabilities_get;
+       rte_security_capability_get;
+       rte_security_session_create;
+       rte_security_session_destroy;
+       rte_security_session_stats_get;
+       rte_security_session_update;
+       rte_security_set_pkt_metadata;
+
+       local: *;
+};
index 482656c..fbb4bc6 100644 (file)
@@ -94,6 +94,7 @@ _LDLIBS-$(CONFIG_RTE_LIBRTE_MBUF)           += -lrte_mbuf
 _LDLIBS-$(CONFIG_RTE_LIBRTE_NET)            += -lrte_net
 _LDLIBS-$(CONFIG_RTE_LIBRTE_ETHER)          += -lrte_ethdev
 _LDLIBS-$(CONFIG_RTE_LIBRTE_CRYPTODEV)      += -lrte_cryptodev
+_LDLIBS-$(CONFIG_RTE_LIBRTE_SECURITY)       += -lrte_security
 _LDLIBS-$(CONFIG_RTE_LIBRTE_EVENTDEV)       += -lrte_eventdev
 _LDLIBS-$(CONFIG_RTE_LIBRTE_MEMPOOL)        += -lrte_mempool
 _LDLIBS-$(CONFIG_RTE_DRIVER_MEMPOOL_RING)   += -lrte_mempool_ring