* [dpdk-dev] [PATCH 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload
@ 2019-08-05 5:38 Akhil Goyal
2019-08-05 5:38 ` [dpdk-dev] [PATCH 2/3] crypto/dpaa2_sec: " Akhil Goyal
` (3 more replies)
0 siblings, 4 replies; 15+ messages in thread
From: Akhil Goyal @ 2019-08-05 5:38 UTC (permalink / raw)
To: dev; +Cc: hemant.agrawal, konstantin.ananyev, Akhil Goyal
outer IP header is formed at the time of session initialization
using the ipsec xform. This outer IP header will be appended by
hardware for each packet.
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
---
drivers/crypto/dpaa_sec/dpaa_sec.c | 69 ++++++++++++++++++++++--------
drivers/crypto/dpaa_sec/dpaa_sec.h | 11 ++++-
2 files changed, 61 insertions(+), 19 deletions(-)
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 122c80a07..abb107b55 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -2230,26 +2230,56 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
}
if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
- memset(&session->encap_pdb, 0, sizeof(struct ipsec_encap_pdb) +
+ if (ipsec_xform->tunnel.type ==
+ RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+ memset(&session->encap_pdb, 0,
+ sizeof(struct ipsec_encap_pdb) +
sizeof(session->ip4_hdr));
- session->ip4_hdr.ip_v = IPVERSION;
- session->ip4_hdr.ip_hl = 5;
- session->ip4_hdr.ip_len = rte_cpu_to_be_16(
+ session->ip4_hdr.ip_v = IPVERSION;
+ session->ip4_hdr.ip_hl = 5;
+ session->ip4_hdr.ip_len = rte_cpu_to_be_16(
sizeof(session->ip4_hdr));
- session->ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp;
- session->ip4_hdr.ip_id = 0;
- session->ip4_hdr.ip_off = 0;
- session->ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl;
- session->ip4_hdr.ip_p = (ipsec_xform->proto ==
- RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? IPPROTO_ESP
- : IPPROTO_AH;
- session->ip4_hdr.ip_sum = 0;
- session->ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip;
- session->ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip;
- session->ip4_hdr.ip_sum = calc_chksum((uint16_t *)
+ session->ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp;
+ session->ip4_hdr.ip_id = 0;
+ session->ip4_hdr.ip_off = 0;
+ session->ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl;
+ session->ip4_hdr.ip_p = (ipsec_xform->proto ==
+ RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
+ IPPROTO_ESP : IPPROTO_AH;
+ session->ip4_hdr.ip_sum = 0;
+ session->ip4_hdr.ip_src =
+ ipsec_xform->tunnel.ipv4.src_ip;
+ session->ip4_hdr.ip_dst =
+ ipsec_xform->tunnel.ipv4.dst_ip;
+ session->ip4_hdr.ip_sum = calc_chksum((uint16_t *)
(void *)&session->ip4_hdr,
sizeof(struct ip));
-
+ session->encap_pdb.ip_hdr_len = sizeof(struct ip);
+ } else if (ipsec_xform->tunnel.type ==
+ RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
+ memset(&session->encap_pdb, 0,
+ sizeof(struct ipsec_encap_pdb) +
+ sizeof(session->ip6_hdr));
+ session->ip6_hdr.vtc_flow = rte_cpu_to_be_32(
+ DPAA_IPv6_DEFAULT_VTC_FLOW |
+ ((ipsec_xform->tunnel.ipv6.dscp <<
+ IPv6_TC_SHIFT) & IPv6_TC_MASK) |
+ ((ipsec_xform->tunnel.ipv6.flabel <<
+ IPv6_FLOW_SHIFT) & IPv6_FLOW_MASK));
+ /* Payload length will be updated by HW */
+ session->ip6_hdr.payload_len = 0;
+ session->ip6_hdr.hop_limits =
+ ipsec_xform->tunnel.ipv6.hlimit;
+ session->ip6_hdr.proto = (ipsec_xform->proto ==
+ RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
+ IPPROTO_ESP : IPPROTO_AH;
+ memcpy(&session->ip6_hdr.src_addr,
+ &ipsec_xform->tunnel.ipv6.src_addr, 16);
+ memcpy(&session->ip6_hdr.dst_addr,
+ &ipsec_xform->tunnel.ipv6.dst_addr, 16);
+ session->encap_pdb.ip_hdr_len =
+ sizeof(struct rte_ipv6_hdr);
+ }
session->encap_pdb.options =
(IPVERSION << PDBNH_ESP_ENCAP_SHIFT) |
PDBOPTS_ESP_OIHI_PDB_INL |
@@ -2257,13 +2287,16 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
PDBHMO_ESP_ENCAP_DTTL |
PDBHMO_ESP_SNR;
session->encap_pdb.spi = ipsec_xform->spi;
- session->encap_pdb.ip_hdr_len = sizeof(struct ip);
session->dir = DIR_ENC;
} else if (ipsec_xform->direction ==
RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
memset(&session->decap_pdb, 0, sizeof(struct ipsec_decap_pdb));
- session->decap_pdb.options = sizeof(struct ip) << 16;
+ if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+ session->decap_pdb.options = sizeof(struct ip) << 16;
+ else
+ session->decap_pdb.options =
+ sizeof(struct rte_ipv6_hdr) << 16;
session->dir = DIR_DEC;
} else
goto out;
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h
index 75c0960a9..3851f3e2c 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.h
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.h
@@ -19,6 +19,12 @@
#define AES_CTR_IV_LEN 16
#define AES_GCM_IV_LEN 12
+#define DPAA_IPv6_DEFAULT_VTC_FLOW 0x60000000
+#define IPv6_TC_SHIFT 20
+#define IPv6_FLOW_SHIFT 0
+#define IPv6_TC_MASK 0x0FF00000
+#define IPv6_FLOW_MASK 0x000FFFFF
+
/* Minimum job descriptor consists of a oneword job descriptor HEADER and
* a pointer to the shared descriptor.
*/
@@ -139,7 +145,10 @@ typedef struct dpaa_sec_session_entry {
uint32_t digest_length;
struct ipsec_decap_pdb decap_pdb;
struct ipsec_encap_pdb encap_pdb;
- struct ip ip4_hdr;
+ union {
+ struct ip ip4_hdr;
+ struct rte_ipv6_hdr ip6_hdr;
+ };
};
struct sec_pdcp_ctxt pdcp;
};
--
2.17.1
^ permalink raw reply related [flat|nested] 15+ messages in thread* [dpdk-dev] [PATCH 2/3] crypto/dpaa2_sec: support IPv6 tunnel for protocol offload 2019-08-05 5:38 [dpdk-dev] [PATCH 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal @ 2019-08-05 5:38 ` Akhil Goyal 2019-08-05 5:38 ` [dpdk-dev] [PATCH 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto Akhil Goyal ` (2 subsequent siblings) 3 siblings, 0 replies; 15+ messages in thread From: Akhil Goyal @ 2019-08-05 5:38 UTC (permalink / raw) To: dev; +Cc: hemant.agrawal, konstantin.ananyev, Akhil Goyal outer IP header is formed at the time of session initialization using the ipsec xform. This outer IP header will be appended by hardware for each packet. Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> --- drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 71 +++++++++++++++------ drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 6 ++ 2 files changed, 57 insertions(+), 20 deletions(-) diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c index 26458e5d1..f1cc86812 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c @@ -9,6 +9,7 @@ #include <net/if.h> #include <unistd.h> +#include <rte_ip.h> #include <rte_mbuf.h> #include <rte_cryptodev.h> #include <rte_malloc.h> @@ -2465,23 +2466,9 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, session->ctxt_type = DPAA2_SEC_IPSEC; if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { - struct ip ip4_hdr; + uint8_t *hdr = NULL; flc->dhr = SEC_FLC_DHR_OUTBOUND; - ip4_hdr.ip_v = IPVERSION; - ip4_hdr.ip_hl = 5; - ip4_hdr.ip_len = rte_cpu_to_be_16(sizeof(ip4_hdr)); - ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; - ip4_hdr.ip_id = 0; - ip4_hdr.ip_off = 0; - ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; - ip4_hdr.ip_p = IPPROTO_ESP; - ip4_hdr.ip_sum = 0; - ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; - ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; - ip4_hdr.ip_sum = calc_chksum((uint16_t *)(void *)&ip4_hdr, - sizeof(struct ip)); - /* For Sec Proto only one descriptor is required. */ memset(&encap_pdb, 0, sizeof(struct ipsec_encap_pdb)); encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) | @@ -2490,18 +2477,62 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, PDBHMO_ESP_ENCAP_DTTL | PDBHMO_ESP_SNR; encap_pdb.spi = ipsec_xform->spi; - encap_pdb.ip_hdr_len = sizeof(struct ip); - session->dir = DIR_ENC; + + if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + struct ip ip4_hdr; + + encap_pdb.ip_hdr_len = sizeof(struct ip); + ip4_hdr.ip_v = IPVERSION; + ip4_hdr.ip_hl = 5; + ip4_hdr.ip_len = rte_cpu_to_be_16(sizeof(ip4_hdr)); + ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; + ip4_hdr.ip_id = 0; + ip4_hdr.ip_off = 0; + ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; + ip4_hdr.ip_p = IPPROTO_ESP; + ip4_hdr.ip_sum = 0; + ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; + ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; + ip4_hdr.ip_sum = calc_chksum((uint16_t *)(void *) + &ip4_hdr, sizeof(struct ip)); + hdr = (uint8_t *)&ip4_hdr; + } else if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV6) { + struct rte_ipv6_hdr ip6_hdr; + + ip6_hdr.vtc_flow = rte_cpu_to_be_32( + DPAA2_IPv6_DEFAULT_VTC_FLOW | + ((ipsec_xform->tunnel.ipv6.dscp << + IPv6_TC_SHIFT) & IPv6_TC_MASK) | + ((ipsec_xform->tunnel.ipv6.flabel << + IPv6_FLOW_SHIFT) & IPv6_FLOW_MASK)); + /* Payload length will be updated by HW */ + ip6_hdr.payload_len = 0; + ip6_hdr.hop_limits = + ipsec_xform->tunnel.ipv6.hlimit; + ip6_hdr.proto = (ipsec_xform->proto == + RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? + IPPROTO_ESP : IPPROTO_AH; + memcpy(&ip6_hdr.src_addr, + &ipsec_xform->tunnel.ipv6.src_addr, 16); + memcpy(&ip6_hdr.dst_addr, + &ipsec_xform->tunnel.ipv6.dst_addr, 16); + encap_pdb.ip_hdr_len = sizeof(struct rte_ipv6_hdr); + hdr = (uint8_t *)&ip6_hdr; + } bufsize = cnstr_shdsc_ipsec_new_encap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, &encap_pdb, - (uint8_t *)&ip4_hdr, - &cipherdata, &authdata); + hdr, &cipherdata, &authdata); } else if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { flc->dhr = SEC_FLC_DHR_INBOUND; memset(&decap_pdb, 0, sizeof(struct ipsec_decap_pdb)); - decap_pdb.options = sizeof(struct ip) << 16; + decap_pdb.options = (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) ? + sizeof(struct ip) << 16 : + sizeof(struct rte_ipv6_hdr) << 16; session->dir = DIR_DEC; bufsize = cnstr_shdsc_ipsec_new_decap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h index 51751103d..2a446be30 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h @@ -41,6 +41,12 @@ enum shr_desc_type { #define DIR_ENC 1 #define DIR_DEC 0 +#define DPAA2_IPv6_DEFAULT_VTC_FLOW 0x60000000 +#define IPv6_TC_SHIFT 20 +#define IPv6_FLOW_SHIFT 0 +#define IPv6_TC_MASK 0x0FF00000 +#define IPv6_FLOW_MASK 0x000FFFFF + #define DPAA2_SET_FLC_EWS(flc) (flc->word1_bits23_16 |= 0x1) #define DPAA2_SET_FLC_RSC(flc) (flc->word1_bits31_24 |= 0x1) #define DPAA2_SET_FLC_REUSE_BS(flc) (flc->mode_bits |= 0x8000) -- 2.17.1 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* [dpdk-dev] [PATCH 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto 2019-08-05 5:38 [dpdk-dev] [PATCH 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal 2019-08-05 5:38 ` [dpdk-dev] [PATCH 2/3] crypto/dpaa2_sec: " Akhil Goyal @ 2019-08-05 5:38 ` Akhil Goyal 2019-08-05 7:26 ` [dpdk-dev] [PATCH 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal 3 siblings, 0 replies; 15+ messages in thread From: Akhil Goyal @ 2019-08-05 5:38 UTC (permalink / raw) To: dev; +Cc: hemant.agrawal, konstantin.ananyev, Akhil Goyal IPv6 tunnels are already supported in case of inline and lookaside none cases. In case of protocol offload, the details for IPv6 header need to be added in session configuration for security session create. Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> --- examples/ipsec-secgw/ipsec.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index dc85adfe5..317faed7a 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -33,8 +33,20 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) memcpy((uint8_t *)&tunnel->ipv4.dst_ip, (uint8_t *)&sa->dst.ip.ip4, 4); + } else if (IS_IP6_TUNNEL(sa->flags)) { + tunnel->type = + RTE_SECURITY_IPSEC_TUNNEL_IPV6; + tunnel->ipv6.hlimit = IPDEFTTL; + tunnel->ipv6.dscp = 0; + tunnel->ipv6.flabel = 0; + + memcpy((uint8_t *)&tunnel->ipv6.src_addr, + (uint8_t *)&sa->src.ip.ip6.ip6_b, 16); + + memcpy((uint8_t *)&tunnel->ipv6.dst_addr, + (uint8_t *)&sa->dst.ip.ip6.ip6_b, 16); } - /* TODO support for Transport and IPV6 tunnel */ + /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; } -- 2.17.1 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload 2019-08-05 5:38 [dpdk-dev] [PATCH 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal 2019-08-05 5:38 ` [dpdk-dev] [PATCH 2/3] crypto/dpaa2_sec: " Akhil Goyal 2019-08-05 5:38 ` [dpdk-dev] [PATCH 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto Akhil Goyal @ 2019-08-05 7:26 ` Akhil Goyal 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal 3 siblings, 0 replies; 15+ messages in thread From: Akhil Goyal @ 2019-08-05 7:26 UTC (permalink / raw) To: Akhil Goyal, dev; +Cc: Hemant Agrawal, konstantin.ananyev > > outer IP header is formed at the time of session initialization > using the ipsec xform. This outer IP header will be appended by > hardware for each packet. > > Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> > --- Self NACK Will send it again. ^ permalink raw reply [flat|nested] 15+ messages in thread
* [dpdk-dev] [PATCH v2 0/3] support IPv6 tunnel for lookaside crypto 2019-08-05 5:38 [dpdk-dev] [PATCH 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal ` (2 preceding siblings ...) 2019-08-05 7:26 ` [dpdk-dev] [PATCH 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal @ 2019-08-05 8:22 ` Akhil Goyal 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal ` (3 more replies) 3 siblings, 4 replies; 15+ messages in thread From: Akhil Goyal @ 2019-08-05 8:22 UTC (permalink / raw) To: dev; +Cc: hemant.agrawal, konstantin.ananyev, Akhil Goyal changes in v2: used RTE_IPV6_HDR_* macros instead of localized driver specific macros. Akhil Goyal (3): crypto/dpaa_sec: support IPv6 tunnel for protocol offload crypto/dpaa2_sec: support IPv6 tunnel for protocol offload examples/ipsec-secgw: support IPv6 tunnel for lookaside proto drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 73 +++++++++++++++------ drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 2 + drivers/crypto/dpaa_sec/dpaa_sec.c | 71 +++++++++++++++----- drivers/crypto/dpaa_sec/dpaa_sec.h | 7 +- examples/ipsec-secgw/ipsec.c | 14 +++- 5 files changed, 127 insertions(+), 40 deletions(-) -- 2.17.1 ^ permalink raw reply [flat|nested] 15+ messages in thread
* [dpdk-dev] [PATCH v2 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal @ 2019-08-05 8:22 ` Akhil Goyal 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 2/3] crypto/dpaa2_sec: " Akhil Goyal ` (2 subsequent siblings) 3 siblings, 0 replies; 15+ messages in thread From: Akhil Goyal @ 2019-08-05 8:22 UTC (permalink / raw) To: dev; +Cc: hemant.agrawal, konstantin.ananyev, Akhil Goyal outer IP header is formed at the time of session initialization using the ipsec xform. This outer IP header will be appended by hardware for each packet. Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> --- drivers/crypto/dpaa_sec/dpaa_sec.c | 71 ++++++++++++++++++++++-------- drivers/crypto/dpaa_sec/dpaa_sec.h | 7 ++- 2 files changed, 59 insertions(+), 19 deletions(-) diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c index 122c80a07..e6f57ce3d 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.c +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c @@ -2230,26 +2230,58 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, } if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { - memset(&session->encap_pdb, 0, sizeof(struct ipsec_encap_pdb) + + if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + memset(&session->encap_pdb, 0, + sizeof(struct ipsec_encap_pdb) + sizeof(session->ip4_hdr)); - session->ip4_hdr.ip_v = IPVERSION; - session->ip4_hdr.ip_hl = 5; - session->ip4_hdr.ip_len = rte_cpu_to_be_16( + session->ip4_hdr.ip_v = IPVERSION; + session->ip4_hdr.ip_hl = 5; + session->ip4_hdr.ip_len = rte_cpu_to_be_16( sizeof(session->ip4_hdr)); - session->ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; - session->ip4_hdr.ip_id = 0; - session->ip4_hdr.ip_off = 0; - session->ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; - session->ip4_hdr.ip_p = (ipsec_xform->proto == - RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? IPPROTO_ESP - : IPPROTO_AH; - session->ip4_hdr.ip_sum = 0; - session->ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; - session->ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; - session->ip4_hdr.ip_sum = calc_chksum((uint16_t *) + session->ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; + session->ip4_hdr.ip_id = 0; + session->ip4_hdr.ip_off = 0; + session->ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; + session->ip4_hdr.ip_p = (ipsec_xform->proto == + RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? + IPPROTO_ESP : IPPROTO_AH; + session->ip4_hdr.ip_sum = 0; + session->ip4_hdr.ip_src = + ipsec_xform->tunnel.ipv4.src_ip; + session->ip4_hdr.ip_dst = + ipsec_xform->tunnel.ipv4.dst_ip; + session->ip4_hdr.ip_sum = calc_chksum((uint16_t *) (void *)&session->ip4_hdr, sizeof(struct ip)); - + session->encap_pdb.ip_hdr_len = sizeof(struct ip); + } else if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV6) { + memset(&session->encap_pdb, 0, + sizeof(struct ipsec_encap_pdb) + + sizeof(session->ip6_hdr)); + session->ip6_hdr.vtc_flow = rte_cpu_to_be_32( + DPAA_IPv6_DEFAULT_VTC_FLOW | + ((ipsec_xform->tunnel.ipv6.dscp << + RTE_IPV6_HDR_TC_SHIFT) & + RTE_IPV6_HDR_TC_MASK) | + ((ipsec_xform->tunnel.ipv6.flabel << + RTE_IPV6_HDR_FL_SHIFT) & + RTE_IPV6_HDR_FL_MASK)); + /* Payload length will be updated by HW */ + session->ip6_hdr.payload_len = 0; + session->ip6_hdr.hop_limits = + ipsec_xform->tunnel.ipv6.hlimit; + session->ip6_hdr.proto = (ipsec_xform->proto == + RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? + IPPROTO_ESP : IPPROTO_AH; + memcpy(&session->ip6_hdr.src_addr, + &ipsec_xform->tunnel.ipv6.src_addr, 16); + memcpy(&session->ip6_hdr.dst_addr, + &ipsec_xform->tunnel.ipv6.dst_addr, 16); + session->encap_pdb.ip_hdr_len = + sizeof(struct rte_ipv6_hdr); + } session->encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) | PDBOPTS_ESP_OIHI_PDB_INL | @@ -2257,13 +2289,16 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, PDBHMO_ESP_ENCAP_DTTL | PDBHMO_ESP_SNR; session->encap_pdb.spi = ipsec_xform->spi; - session->encap_pdb.ip_hdr_len = sizeof(struct ip); session->dir = DIR_ENC; } else if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { memset(&session->decap_pdb, 0, sizeof(struct ipsec_decap_pdb)); - session->decap_pdb.options = sizeof(struct ip) << 16; + if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) + session->decap_pdb.options = sizeof(struct ip) << 16; + else + session->decap_pdb.options = + sizeof(struct rte_ipv6_hdr) << 16; session->dir = DIR_DEC; } else goto out; diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h index 75c0960a9..08e7d66e5 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.h +++ b/drivers/crypto/dpaa_sec/dpaa_sec.h @@ -19,6 +19,8 @@ #define AES_CTR_IV_LEN 16 #define AES_GCM_IV_LEN 12 +#define DPAA_IPv6_DEFAULT_VTC_FLOW 0x60000000 + /* Minimum job descriptor consists of a oneword job descriptor HEADER and * a pointer to the shared descriptor. */ @@ -139,7 +141,10 @@ typedef struct dpaa_sec_session_entry { uint32_t digest_length; struct ipsec_decap_pdb decap_pdb; struct ipsec_encap_pdb encap_pdb; - struct ip ip4_hdr; + union { + struct ip ip4_hdr; + struct rte_ipv6_hdr ip6_hdr; + }; }; struct sec_pdcp_ctxt pdcp; }; -- 2.17.1 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* [dpdk-dev] [PATCH v2 2/3] crypto/dpaa2_sec: support IPv6 tunnel for protocol offload 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal @ 2019-08-05 8:22 ` Akhil Goyal 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto Akhil Goyal 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal 3 siblings, 0 replies; 15+ messages in thread From: Akhil Goyal @ 2019-08-05 8:22 UTC (permalink / raw) To: dev; +Cc: hemant.agrawal, konstantin.ananyev, Akhil Goyal outer IP header is formed at the time of session initialization using the ipsec xform. This outer IP header will be appended by hardware for each packet. Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> --- drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 73 +++++++++++++++------ drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 2 + 2 files changed, 55 insertions(+), 20 deletions(-) diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c index 26458e5d1..12961e313 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c @@ -9,6 +9,7 @@ #include <net/if.h> #include <unistd.h> +#include <rte_ip.h> #include <rte_mbuf.h> #include <rte_cryptodev.h> #include <rte_malloc.h> @@ -2465,23 +2466,9 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, session->ctxt_type = DPAA2_SEC_IPSEC; if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { - struct ip ip4_hdr; + uint8_t *hdr = NULL; flc->dhr = SEC_FLC_DHR_OUTBOUND; - ip4_hdr.ip_v = IPVERSION; - ip4_hdr.ip_hl = 5; - ip4_hdr.ip_len = rte_cpu_to_be_16(sizeof(ip4_hdr)); - ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; - ip4_hdr.ip_id = 0; - ip4_hdr.ip_off = 0; - ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; - ip4_hdr.ip_p = IPPROTO_ESP; - ip4_hdr.ip_sum = 0; - ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; - ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; - ip4_hdr.ip_sum = calc_chksum((uint16_t *)(void *)&ip4_hdr, - sizeof(struct ip)); - /* For Sec Proto only one descriptor is required. */ memset(&encap_pdb, 0, sizeof(struct ipsec_encap_pdb)); encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) | @@ -2490,18 +2477,64 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, PDBHMO_ESP_ENCAP_DTTL | PDBHMO_ESP_SNR; encap_pdb.spi = ipsec_xform->spi; - encap_pdb.ip_hdr_len = sizeof(struct ip); - session->dir = DIR_ENC; + + if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + struct ip ip4_hdr; + + encap_pdb.ip_hdr_len = sizeof(struct ip); + ip4_hdr.ip_v = IPVERSION; + ip4_hdr.ip_hl = 5; + ip4_hdr.ip_len = rte_cpu_to_be_16(sizeof(ip4_hdr)); + ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; + ip4_hdr.ip_id = 0; + ip4_hdr.ip_off = 0; + ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; + ip4_hdr.ip_p = IPPROTO_ESP; + ip4_hdr.ip_sum = 0; + ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; + ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; + ip4_hdr.ip_sum = calc_chksum((uint16_t *)(void *) + &ip4_hdr, sizeof(struct ip)); + hdr = (uint8_t *)&ip4_hdr; + } else if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV6) { + struct rte_ipv6_hdr ip6_hdr; + + ip6_hdr.vtc_flow = rte_cpu_to_be_32( + DPAA2_IPv6_DEFAULT_VTC_FLOW | + ((ipsec_xform->tunnel.ipv6.dscp << + RTE_IPV6_HDR_TC_SHIFT) & + RTE_IPV6_HDR_TC_MASK) | + ((ipsec_xform->tunnel.ipv6.flabel << + RTE_IPV6_HDR_FL_SHIFT) & + RTE_IPV6_HDR_FL_MASK)); + /* Payload length will be updated by HW */ + ip6_hdr.payload_len = 0; + ip6_hdr.hop_limits = + ipsec_xform->tunnel.ipv6.hlimit; + ip6_hdr.proto = (ipsec_xform->proto == + RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? + IPPROTO_ESP : IPPROTO_AH; + memcpy(&ip6_hdr.src_addr, + &ipsec_xform->tunnel.ipv6.src_addr, 16); + memcpy(&ip6_hdr.dst_addr, + &ipsec_xform->tunnel.ipv6.dst_addr, 16); + encap_pdb.ip_hdr_len = sizeof(struct rte_ipv6_hdr); + hdr = (uint8_t *)&ip6_hdr; + } bufsize = cnstr_shdsc_ipsec_new_encap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, &encap_pdb, - (uint8_t *)&ip4_hdr, - &cipherdata, &authdata); + hdr, &cipherdata, &authdata); } else if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { flc->dhr = SEC_FLC_DHR_INBOUND; memset(&decap_pdb, 0, sizeof(struct ipsec_decap_pdb)); - decap_pdb.options = sizeof(struct ip) << 16; + decap_pdb.options = (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) ? + sizeof(struct ip) << 16 : + sizeof(struct rte_ipv6_hdr) << 16; session->dir = DIR_DEC; bufsize = cnstr_shdsc_ipsec_new_decap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h index 51751103d..a05deaebd 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h @@ -41,6 +41,8 @@ enum shr_desc_type { #define DIR_ENC 1 #define DIR_DEC 0 +#define DPAA2_IPv6_DEFAULT_VTC_FLOW 0x60000000 + #define DPAA2_SET_FLC_EWS(flc) (flc->word1_bits23_16 |= 0x1) #define DPAA2_SET_FLC_RSC(flc) (flc->word1_bits31_24 |= 0x1) #define DPAA2_SET_FLC_REUSE_BS(flc) (flc->mode_bits |= 0x8000) -- 2.17.1 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* [dpdk-dev] [PATCH v2 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 2/3] crypto/dpaa2_sec: " Akhil Goyal @ 2019-08-05 8:22 ` Akhil Goyal 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal 3 siblings, 0 replies; 15+ messages in thread From: Akhil Goyal @ 2019-08-05 8:22 UTC (permalink / raw) To: dev; +Cc: hemant.agrawal, konstantin.ananyev, Akhil Goyal IPv6 tunnels are already supported in case of inline and lookaside none cases. In case of protocol offload, the details for IPv6 header need to be added in session configuration for security session create. Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> --- examples/ipsec-secgw/ipsec.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index dc85adfe5..317faed7a 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -33,8 +33,20 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) memcpy((uint8_t *)&tunnel->ipv4.dst_ip, (uint8_t *)&sa->dst.ip.ip4, 4); + } else if (IS_IP6_TUNNEL(sa->flags)) { + tunnel->type = + RTE_SECURITY_IPSEC_TUNNEL_IPV6; + tunnel->ipv6.hlimit = IPDEFTTL; + tunnel->ipv6.dscp = 0; + tunnel->ipv6.flabel = 0; + + memcpy((uint8_t *)&tunnel->ipv6.src_addr, + (uint8_t *)&sa->src.ip.ip6.ip6_b, 16); + + memcpy((uint8_t *)&tunnel->ipv6.dst_addr, + (uint8_t *)&sa->dst.ip.ip6.ip6_b, 16); } - /* TODO support for Transport and IPV6 tunnel */ + /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; } -- 2.17.1 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* [dpdk-dev] [PATCH v3 0/3] support IPv6 tunnel for lookaside crypto 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal ` (2 preceding siblings ...) 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto Akhil Goyal @ 2019-09-05 12:48 ` Akhil Goyal 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal ` (3 more replies) 3 siblings, 4 replies; 15+ messages in thread From: Akhil Goyal @ 2019-09-05 12:48 UTC (permalink / raw) To: dev; +Cc: hemant.agrawal, konstantin.ananyev, Akhil Goyal changes in v3: fix ipheader initialization scope changes in v2: used RTE_IPV6_HDR_* macros instead of localized driver specific macros. Akhil Goyal (3): crypto/dpaa_sec: support IPv6 tunnel for protocol offload crypto/dpaa2_sec: support IPv6 tunnel for protocol offload examples/ipsec-secgw: support IPv6 tunnel for lookaside proto drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 69 ++++++++++++++------ drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 2 + drivers/crypto/dpaa_sec/dpaa_sec.c | 71 +++++++++++++++------ drivers/crypto/dpaa_sec/dpaa_sec.h | 7 +- examples/ipsec-secgw/ipsec.c | 14 +++- 5 files changed, 124 insertions(+), 39 deletions(-) -- 2.17.1 ^ permalink raw reply [flat|nested] 15+ messages in thread
* [dpdk-dev] [PATCH v3 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal @ 2019-09-05 12:48 ` Akhil Goyal 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 2/3] crypto/dpaa2_sec: " Akhil Goyal ` (2 subsequent siblings) 3 siblings, 0 replies; 15+ messages in thread From: Akhil Goyal @ 2019-09-05 12:48 UTC (permalink / raw) To: dev; +Cc: hemant.agrawal, konstantin.ananyev, Akhil Goyal outer IP header is formed at the time of session initialization using the ipsec xform. This outer IP header will be appended by hardware for each packet. Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> --- drivers/crypto/dpaa_sec/dpaa_sec.c | 71 ++++++++++++++++++++++-------- drivers/crypto/dpaa_sec/dpaa_sec.h | 7 ++- 2 files changed, 59 insertions(+), 19 deletions(-) diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c index 122c80a07..e6f57ce3d 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.c +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c @@ -2230,26 +2230,58 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, } if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { - memset(&session->encap_pdb, 0, sizeof(struct ipsec_encap_pdb) + + if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + memset(&session->encap_pdb, 0, + sizeof(struct ipsec_encap_pdb) + sizeof(session->ip4_hdr)); - session->ip4_hdr.ip_v = IPVERSION; - session->ip4_hdr.ip_hl = 5; - session->ip4_hdr.ip_len = rte_cpu_to_be_16( + session->ip4_hdr.ip_v = IPVERSION; + session->ip4_hdr.ip_hl = 5; + session->ip4_hdr.ip_len = rte_cpu_to_be_16( sizeof(session->ip4_hdr)); - session->ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; - session->ip4_hdr.ip_id = 0; - session->ip4_hdr.ip_off = 0; - session->ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; - session->ip4_hdr.ip_p = (ipsec_xform->proto == - RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? IPPROTO_ESP - : IPPROTO_AH; - session->ip4_hdr.ip_sum = 0; - session->ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; - session->ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; - session->ip4_hdr.ip_sum = calc_chksum((uint16_t *) + session->ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; + session->ip4_hdr.ip_id = 0; + session->ip4_hdr.ip_off = 0; + session->ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; + session->ip4_hdr.ip_p = (ipsec_xform->proto == + RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? + IPPROTO_ESP : IPPROTO_AH; + session->ip4_hdr.ip_sum = 0; + session->ip4_hdr.ip_src = + ipsec_xform->tunnel.ipv4.src_ip; + session->ip4_hdr.ip_dst = + ipsec_xform->tunnel.ipv4.dst_ip; + session->ip4_hdr.ip_sum = calc_chksum((uint16_t *) (void *)&session->ip4_hdr, sizeof(struct ip)); - + session->encap_pdb.ip_hdr_len = sizeof(struct ip); + } else if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV6) { + memset(&session->encap_pdb, 0, + sizeof(struct ipsec_encap_pdb) + + sizeof(session->ip6_hdr)); + session->ip6_hdr.vtc_flow = rte_cpu_to_be_32( + DPAA_IPv6_DEFAULT_VTC_FLOW | + ((ipsec_xform->tunnel.ipv6.dscp << + RTE_IPV6_HDR_TC_SHIFT) & + RTE_IPV6_HDR_TC_MASK) | + ((ipsec_xform->tunnel.ipv6.flabel << + RTE_IPV6_HDR_FL_SHIFT) & + RTE_IPV6_HDR_FL_MASK)); + /* Payload length will be updated by HW */ + session->ip6_hdr.payload_len = 0; + session->ip6_hdr.hop_limits = + ipsec_xform->tunnel.ipv6.hlimit; + session->ip6_hdr.proto = (ipsec_xform->proto == + RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? + IPPROTO_ESP : IPPROTO_AH; + memcpy(&session->ip6_hdr.src_addr, + &ipsec_xform->tunnel.ipv6.src_addr, 16); + memcpy(&session->ip6_hdr.dst_addr, + &ipsec_xform->tunnel.ipv6.dst_addr, 16); + session->encap_pdb.ip_hdr_len = + sizeof(struct rte_ipv6_hdr); + } session->encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) | PDBOPTS_ESP_OIHI_PDB_INL | @@ -2257,13 +2289,16 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, PDBHMO_ESP_ENCAP_DTTL | PDBHMO_ESP_SNR; session->encap_pdb.spi = ipsec_xform->spi; - session->encap_pdb.ip_hdr_len = sizeof(struct ip); session->dir = DIR_ENC; } else if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { memset(&session->decap_pdb, 0, sizeof(struct ipsec_decap_pdb)); - session->decap_pdb.options = sizeof(struct ip) << 16; + if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) + session->decap_pdb.options = sizeof(struct ip) << 16; + else + session->decap_pdb.options = + sizeof(struct rte_ipv6_hdr) << 16; session->dir = DIR_DEC; } else goto out; diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h index 75c0960a9..08e7d66e5 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.h +++ b/drivers/crypto/dpaa_sec/dpaa_sec.h @@ -19,6 +19,8 @@ #define AES_CTR_IV_LEN 16 #define AES_GCM_IV_LEN 12 +#define DPAA_IPv6_DEFAULT_VTC_FLOW 0x60000000 + /* Minimum job descriptor consists of a oneword job descriptor HEADER and * a pointer to the shared descriptor. */ @@ -139,7 +141,10 @@ typedef struct dpaa_sec_session_entry { uint32_t digest_length; struct ipsec_decap_pdb decap_pdb; struct ipsec_encap_pdb encap_pdb; - struct ip ip4_hdr; + union { + struct ip ip4_hdr; + struct rte_ipv6_hdr ip6_hdr; + }; }; struct sec_pdcp_ctxt pdcp; }; -- 2.17.1 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* [dpdk-dev] [PATCH v3 2/3] crypto/dpaa2_sec: support IPv6 tunnel for protocol offload 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal @ 2019-09-05 12:48 ` Akhil Goyal 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto Akhil Goyal 2019-09-27 14:16 ` [dpdk-dev] [PATCH v3 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal 3 siblings, 0 replies; 15+ messages in thread From: Akhil Goyal @ 2019-09-05 12:48 UTC (permalink / raw) To: dev; +Cc: hemant.agrawal, konstantin.ananyev, Akhil Goyal outer IP header is formed at the time of session initialization using the ipsec xform. This outer IP header will be appended by hardware for each packet. Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> --- drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 69 +++++++++++++++------ drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 2 + 2 files changed, 52 insertions(+), 19 deletions(-) diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c index 26458e5d1..9047b5c19 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c @@ -9,6 +9,7 @@ #include <net/if.h> #include <unistd.h> +#include <rte_ip.h> #include <rte_mbuf.h> #include <rte_cryptodev.h> #include <rte_malloc.h> @@ -2465,23 +2466,11 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, session->ctxt_type = DPAA2_SEC_IPSEC; if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + uint8_t *hdr = NULL; struct ip ip4_hdr; + struct rte_ipv6_hdr ip6_hdr; flc->dhr = SEC_FLC_DHR_OUTBOUND; - ip4_hdr.ip_v = IPVERSION; - ip4_hdr.ip_hl = 5; - ip4_hdr.ip_len = rte_cpu_to_be_16(sizeof(ip4_hdr)); - ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; - ip4_hdr.ip_id = 0; - ip4_hdr.ip_off = 0; - ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; - ip4_hdr.ip_p = IPPROTO_ESP; - ip4_hdr.ip_sum = 0; - ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; - ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; - ip4_hdr.ip_sum = calc_chksum((uint16_t *)(void *)&ip4_hdr, - sizeof(struct ip)); - /* For Sec Proto only one descriptor is required. */ memset(&encap_pdb, 0, sizeof(struct ipsec_encap_pdb)); encap_pdb.options = (IPVERSION << PDBNH_ESP_ENCAP_SHIFT) | @@ -2490,18 +2479,60 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, PDBHMO_ESP_ENCAP_DTTL | PDBHMO_ESP_SNR; encap_pdb.spi = ipsec_xform->spi; - encap_pdb.ip_hdr_len = sizeof(struct ip); - session->dir = DIR_ENC; + + if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + encap_pdb.ip_hdr_len = sizeof(struct ip); + ip4_hdr.ip_v = IPVERSION; + ip4_hdr.ip_hl = 5; + ip4_hdr.ip_len = rte_cpu_to_be_16(sizeof(ip4_hdr)); + ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp; + ip4_hdr.ip_id = 0; + ip4_hdr.ip_off = 0; + ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl; + ip4_hdr.ip_p = IPPROTO_ESP; + ip4_hdr.ip_sum = 0; + ip4_hdr.ip_src = ipsec_xform->tunnel.ipv4.src_ip; + ip4_hdr.ip_dst = ipsec_xform->tunnel.ipv4.dst_ip; + ip4_hdr.ip_sum = calc_chksum((uint16_t *)(void *) + &ip4_hdr, sizeof(struct ip)); + hdr = (uint8_t *)&ip4_hdr; + } else if (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV6) { + ip6_hdr.vtc_flow = rte_cpu_to_be_32( + DPAA2_IPv6_DEFAULT_VTC_FLOW | + ((ipsec_xform->tunnel.ipv6.dscp << + RTE_IPV6_HDR_TC_SHIFT) & + RTE_IPV6_HDR_TC_MASK) | + ((ipsec_xform->tunnel.ipv6.flabel << + RTE_IPV6_HDR_FL_SHIFT) & + RTE_IPV6_HDR_FL_MASK)); + /* Payload length will be updated by HW */ + ip6_hdr.payload_len = 0; + ip6_hdr.hop_limits = + ipsec_xform->tunnel.ipv6.hlimit; + ip6_hdr.proto = (ipsec_xform->proto == + RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? + IPPROTO_ESP : IPPROTO_AH; + memcpy(&ip6_hdr.src_addr, + &ipsec_xform->tunnel.ipv6.src_addr, 16); + memcpy(&ip6_hdr.dst_addr, + &ipsec_xform->tunnel.ipv6.dst_addr, 16); + encap_pdb.ip_hdr_len = sizeof(struct rte_ipv6_hdr); + hdr = (uint8_t *)&ip6_hdr; + } bufsize = cnstr_shdsc_ipsec_new_encap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, &encap_pdb, - (uint8_t *)&ip4_hdr, - &cipherdata, &authdata); + hdr, &cipherdata, &authdata); } else if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { flc->dhr = SEC_FLC_DHR_INBOUND; memset(&decap_pdb, 0, sizeof(struct ipsec_decap_pdb)); - decap_pdb.options = sizeof(struct ip) << 16; + decap_pdb.options = (ipsec_xform->tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) ? + sizeof(struct ip) << 16 : + sizeof(struct rte_ipv6_hdr) << 16; session->dir = DIR_DEC; bufsize = cnstr_shdsc_ipsec_new_decap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h index 51751103d..a05deaebd 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h @@ -41,6 +41,8 @@ enum shr_desc_type { #define DIR_ENC 1 #define DIR_DEC 0 +#define DPAA2_IPv6_DEFAULT_VTC_FLOW 0x60000000 + #define DPAA2_SET_FLC_EWS(flc) (flc->word1_bits23_16 |= 0x1) #define DPAA2_SET_FLC_RSC(flc) (flc->word1_bits31_24 |= 0x1) #define DPAA2_SET_FLC_REUSE_BS(flc) (flc->mode_bits |= 0x8000) -- 2.17.1 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* [dpdk-dev] [PATCH v3 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 2/3] crypto/dpaa2_sec: " Akhil Goyal @ 2019-09-05 12:48 ` Akhil Goyal 2019-09-19 15:17 ` Akhil Goyal 2019-09-24 11:25 ` Ananyev, Konstantin 2019-09-27 14:16 ` [dpdk-dev] [PATCH v3 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal 3 siblings, 2 replies; 15+ messages in thread From: Akhil Goyal @ 2019-09-05 12:48 UTC (permalink / raw) To: dev; +Cc: hemant.agrawal, konstantin.ananyev, Akhil Goyal IPv6 tunnels are already supported in case of inline and lookaside none cases. In case of protocol offload, the details for IPv6 header need to be added in session configuration for security session create. Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> --- examples/ipsec-secgw/ipsec.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index dc85adfe5..317faed7a 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -33,8 +33,20 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) memcpy((uint8_t *)&tunnel->ipv4.dst_ip, (uint8_t *)&sa->dst.ip.ip4, 4); + } else if (IS_IP6_TUNNEL(sa->flags)) { + tunnel->type = + RTE_SECURITY_IPSEC_TUNNEL_IPV6; + tunnel->ipv6.hlimit = IPDEFTTL; + tunnel->ipv6.dscp = 0; + tunnel->ipv6.flabel = 0; + + memcpy((uint8_t *)&tunnel->ipv6.src_addr, + (uint8_t *)&sa->src.ip.ip6.ip6_b, 16); + + memcpy((uint8_t *)&tunnel->ipv6.dst_addr, + (uint8_t *)&sa->dst.ip.ip6.ip6_b, 16); } - /* TODO support for Transport and IPV6 tunnel */ + /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; } -- 2.17.1 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH v3 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto Akhil Goyal @ 2019-09-19 15:17 ` Akhil Goyal 2019-09-24 11:25 ` Ananyev, Konstantin 1 sibling, 0 replies; 15+ messages in thread From: Akhil Goyal @ 2019-09-19 15:17 UTC (permalink / raw) To: konstantin.ananyev; +Cc: Hemant Agrawal, dev Hi Konstantin, Could you please review this patch. Thanks, Akhil > > IPv6 tunnels are already supported in case of inline and > lookaside none cases. In case of protocol offload, the details > for IPv6 header need to be added in session configuration > for security session create. > > Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> > --- > examples/ipsec-secgw/ipsec.c | 14 +++++++++++++- > 1 file changed, 13 insertions(+), 1 deletion(-) > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index dc85adfe5..317faed7a 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -33,8 +33,20 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > rte_security_ipsec_xform *ipsec) > > memcpy((uint8_t *)&tunnel->ipv4.dst_ip, > (uint8_t *)&sa->dst.ip.ip4, 4); > + } else if (IS_IP6_TUNNEL(sa->flags)) { > + tunnel->type = > + RTE_SECURITY_IPSEC_TUNNEL_IPV6; > + tunnel->ipv6.hlimit = IPDEFTTL; > + tunnel->ipv6.dscp = 0; > + tunnel->ipv6.flabel = 0; > + > + memcpy((uint8_t *)&tunnel->ipv6.src_addr, > + (uint8_t *)&sa->src.ip.ip6.ip6_b, 16); > + > + memcpy((uint8_t *)&tunnel->ipv6.dst_addr, > + (uint8_t *)&sa->dst.ip.ip6.ip6_b, 16); > } > - /* TODO support for Transport and IPV6 tunnel */ > + /* TODO support for Transport */ > } > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > } > -- > 2.17.1 ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH v3 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto Akhil Goyal 2019-09-19 15:17 ` Akhil Goyal @ 2019-09-24 11:25 ` Ananyev, Konstantin 1 sibling, 0 replies; 15+ messages in thread From: Ananyev, Konstantin @ 2019-09-24 11:25 UTC (permalink / raw) To: Akhil Goyal, dev; +Cc: hemant.agrawal > -----Original Message----- > From: Akhil Goyal [mailto:akhil.goyal@nxp.com] > Sent: Thursday, September 5, 2019 1:48 PM > To: dev@dpdk.org > Cc: hemant.agrawal@nxp.com; Ananyev, Konstantin <konstantin.ananyev@intel.com>; Akhil Goyal <akhil.goyal@nxp.com> > Subject: [PATCH v3 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto > > IPv6 tunnels are already supported in case of inline and > lookaside none cases. In case of protocol offload, the details > for IPv6 header need to be added in session configuration > for security session create. > > Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> > --- > examples/ipsec-secgw/ipsec.c | 14 +++++++++++++- > 1 file changed, 13 insertions(+), 1 deletion(-) > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index dc85adfe5..317faed7a 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -33,8 +33,20 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) > > memcpy((uint8_t *)&tunnel->ipv4.dst_ip, > (uint8_t *)&sa->dst.ip.ip4, 4); > + } else if (IS_IP6_TUNNEL(sa->flags)) { > + tunnel->type = > + RTE_SECURITY_IPSEC_TUNNEL_IPV6; > + tunnel->ipv6.hlimit = IPDEFTTL; > + tunnel->ipv6.dscp = 0; > + tunnel->ipv6.flabel = 0; > + > + memcpy((uint8_t *)&tunnel->ipv6.src_addr, > + (uint8_t *)&sa->src.ip.ip6.ip6_b, 16); > + > + memcpy((uint8_t *)&tunnel->ipv6.dst_addr, > + (uint8_t *)&sa->dst.ip.ip6.ip6_b, 16); > } > - /* TODO support for Transport and IPV6 tunnel */ > + /* TODO support for Transport */ > } > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > } > -- Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > 2.17.1 ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [dpdk-dev] [PATCH v3 0/3] support IPv6 tunnel for lookaside crypto 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal ` (2 preceding siblings ...) 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto Akhil Goyal @ 2019-09-27 14:16 ` Akhil Goyal 3 siblings, 0 replies; 15+ messages in thread From: Akhil Goyal @ 2019-09-27 14:16 UTC (permalink / raw) To: Akhil Goyal, dev; +Cc: Hemant Agrawal, konstantin.ananyev > > changes in v3: > fix ipheader initialization scope > > changes in v2: > used RTE_IPV6_HDR_* macros instead of localized driver specific macros. > > Akhil Goyal (3): > crypto/dpaa_sec: support IPv6 tunnel for protocol offload > crypto/dpaa2_sec: support IPv6 tunnel for protocol offload > examples/ipsec-secgw: support IPv6 tunnel for lookaside proto > > drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 69 ++++++++++++++------ > drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 2 + > drivers/crypto/dpaa_sec/dpaa_sec.c | 71 +++++++++++++++------ > drivers/crypto/dpaa_sec/dpaa_sec.h | 7 +- > examples/ipsec-secgw/ipsec.c | 14 +++- > 5 files changed, 124 insertions(+), 39 deletions(-) > Rebased and applied to dpdk-next-crypto ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2019-09-27 14:16 UTC | newest] Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-08-05 5:38 [dpdk-dev] [PATCH 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal 2019-08-05 5:38 ` [dpdk-dev] [PATCH 2/3] crypto/dpaa2_sec: " Akhil Goyal 2019-08-05 5:38 ` [dpdk-dev] [PATCH 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto Akhil Goyal 2019-08-05 7:26 ` [dpdk-dev] [PATCH 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 2/3] crypto/dpaa2_sec: " Akhil Goyal 2019-08-05 8:22 ` [dpdk-dev] [PATCH v2 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto Akhil Goyal 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 1/3] crypto/dpaa_sec: support IPv6 tunnel for protocol offload Akhil Goyal 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 2/3] crypto/dpaa2_sec: " Akhil Goyal 2019-09-05 12:48 ` [dpdk-dev] [PATCH v3 3/3] examples/ipsec-secgw: support IPv6 tunnel for lookaside proto Akhil Goyal 2019-09-19 15:17 ` Akhil Goyal 2019-09-24 11:25 ` Ananyev, Konstantin 2019-09-27 14:16 ` [dpdk-dev] [PATCH v3 0/3] support IPv6 tunnel for lookaside crypto Akhil Goyal
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.