History log of /dpdk/doc/guides/prog_guide/rte_security.rst (Results 1 – 24 of 24)
Revision Date Author Comments
# 8711af29 20-Nov-2024 Nandini Persad <nandinipersad361@gmail.com>

doc: describe security protocols in a dedicated guide

This is a new document covering security protocols implemented in DPDK
and more.

Signed-off-by: Nandini Persad <nandinipersad361@gmail.com>
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Hemant Agrawal <hemant.agrawal@nxp.com>


# 41dd9a6b 08-Dec-2023 David Young <dave@youngcopy.com>

doc: reorganize prog guide

Create categories in the index of the programmer's guide,
sort chapters and rewrite some titles for consistency.

Subdirectories are created for ethdev and eventdev
for grouping the files together.

Useless link anchors at the beginning of files are removed,
the corresponding :ref: are replaced with :doc: links.

Signed-off-by: David Young <dave@youngcopy.com>
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>


# f306fabf 03-Oct-2023 Vidya Sagar Velumuri <vvelumuri@marvell.com>

cryptodev: add details of datapath handling of TLS records

TLS/DTLS record processing requires content type to be provided per
packet (for record write operation). Extend usage of reserved fields in
rte_crypto_op for the same purpose.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
Acked-by: Harry van Haaren <harry.van.haaren@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>


# 7ebdf16a 03-Oct-2023 Anoob Joseph <anoobj@marvell.com>

security: add TLS record processing

Add Transport Layer Security (TLS) and Datagram Transport Layer Security
(DTLS). The protocols provide communications privacy for L4 protocols
such as TCP & UDP.

TLS (and DTLS) protocol is composed of two layers,
1. TLS Record Protocol
2. TLS Handshake Protocol

While TLS Handshake Protocol helps in establishing security parameters
by which client and server can communicate, TLS Record Protocol provides
the connection security. TLS Record Protocol leverages symmetric
cryptographic operations such as data encryption and authentication for
providing security to the communications.

Cryptodevs that are capable of offloading TLS Record Protocol may
perform other operations like IV generation, header insertion, atomic
sequence number updates and anti-replay window check in addition to
cryptographic transformations.

Support for TLS record protocol is added for TLS 1.2, TLS 1.3 and
DTLS 1.2.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
Acked-by: Harry van Haaren <harry.van.haaren@intel.com>


# 79bdb787 20-Sep-2023 Akhil Goyal <gakhil@marvell.com>

security: hide security context

rte_security_ctx is used by all security APIs to identify
which device security_op it needs to call and hence it should
be opaque to the application.
Hence, it is now moved to internal header file and all
APIs will now take an opaque pointer for it.
The fast path inline APIs like set metadata need to get flags
from security_ctx. The flags are now retrieved using inline APIs
which use macros to get the offset of flags in security_ctx.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ciara Power <ciara.power@intel.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>


# 0f645db9 18-Aug-2023 Anoob Joseph <anoobj@marvell.com>

doc: update security guide

Security library has definitions for configuration parameters
of DOCSIS and MACsec. Remove obsolete comments.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>


# 03e3cfda 18-Aug-2023 Anoob Joseph <anoobj@marvell.com>

doc: replace code blocks with includes in security guide

Add literal includes to copy code block while compiling. Having a copy
may lead to mismatch if code is updated without updating the doc.

Fixes: 40ff8c99ea99 ("doc: add details of security library")
Cc: stable@dpdk.org

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>


# 68d25915 12-Aug-2022 Srujana Challa <schalla@marvell.com>

security: remove user data get API

The API rte_security_get_userdata() was being unused by most of
the drivers and it was retrieving userdata from mbuf dynamic field.
Hence, the API was removed and the application can directly get the
userdata from dynamic field. This helps in removing extra checks
in datapath.

Signed-off-by: Srujana Challa <schalla@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>


# bbbe6c59 28-Sep-2022 Akhil Goyal <gakhil@marvell.com>

security: support MACsec

Added support for MACsec in rte_security for offloading
MACsec Protocol operation to inline NIC device or a crypto device.

To support MACsec we cannot just make one security session and
send with the packet to process it. MACsec specifications suggest,
it has 3 different entities - SECY Entity, SC (secure channel) and
SA (security association). And same SA can be used by multiple SCs and
similarly many SECY can have same SCs. Hence, in order to support this
many to one relationships between all entities, 2 new APIs are created -
rte_security_macsec_sc_create and rte_security_macsec_sa_create.
Flow of execution of the APIs would be as
- rte_security_macsec_sa_create
- rte_security_macsec_sc_create
- rte_security_session_create (for secy)
And in case of inline protocol processing rte_flow can be created with
rte_security action. A new flow item will be added for MACsec header.
New APIs are also created for getting SC and SA stats.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>


# dcee1520 22-Aug-2022 Nithin Dabilpuram <ndabilpuram@marvell.com>

security: clarify L2 header requirement for inline IPsec

Clarify that for Outbound Inline IPsec processing, L2 header
needs to be up to date with ether type which will be applicable
post IPsec processing as the IPsec offload only touches L3 and above.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>


# 259ca6d1 04-Nov-2021 Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com>

security: add telemetry endpoint for capabilities

Add telemetry endpoint for cryptodev security capabilities.
Details of endpoints added in documentation.

Signed-off-by: Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>


# 295968d1 22-Oct-2021 Ferruh Yigit <ferruh.yigit@intel.com>

ethdev: add namespace

Add 'RTE_ETH' namespace to all enums & macros in a backward compatible
way. The macros for backward compatibility can be removed in next LTS.
Also updated some struct names to have 'rte_eth' prefix.

All internal components switched to using new names.

Syntax fixed on lines that this patch touches.

Signed-off-by: Ferruh Yigit <ferruh.yigit@intel.com>
Acked-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
Acked-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
Acked-by: Jerin Jacob <jerinj@marvell.com>
Acked-by: Wisam Jaddo <wisamm@nvidia.com>
Acked-by: Rosen Xu <rosen.xu@intel.com>
Acked-by: Chenbo Xia <chenbo.xia@intel.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Somnath Kotur <somnath.kotur@broadcom.com>


# 864c1a40 08-Sep-2021 Hemant Agrawal <hemant.agrawal@nxp.com>

security: support PDCP short MAC-I

This patch adds support to handle PDCP short MAC-I domain
along with standard control and data domains as it has to
be treated as a special case with PDCP protocol offload support.

ShortMAC-I is the 16 least significant bits of calculated MAC-I. Usually
when a RRC message is exchanged between UE and eNodeB it is integrity &
ciphered protected.

MAC-I = f(key, varShortMAC-I, count, bearer, direction).
Here varShortMAC-I is prepared by using (current cellId, pci of source cell
and C-RNTI of old cell). Other parameters like count, bearer and
direction set to all 1.

crypto-perf app is updated to take short MAC as input mode.

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>


# 614af754 26-Oct-2020 Thomas Monjalon <thomas@monjalon.net>

security: switch metadata to dynamic mbuf field

The device-specific metadata was stored in the deprecated field udata64.
It is moved to a dynamic mbuf field in order to allow removal of udata64.

The name rte_security_dynfield is not very descriptive
but it should be replaced later by separate fields for each type of data
that drivers pass to the upper layer.

Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
Acked-by: Haiyue Wang <haiyue.wang@intel.com>


# e30b2833 18-Oct-2020 Akhil Goyal <akhil.goyal@nxp.com>

security: update session create API

The API ``rte_security_session_create`` takes only a single
mempool for session and session private data. So the
application needs to create a mempool for twice the number of
sessions needed and this will also lead to wastage of memory as
session private data needs more memory compared to session.
Hence the API is modified to take two mempool pointers
- one for session and one for private data.
This is very similar to crypto based session create APIs.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Reviewed-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
Tested-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>


# a11aeb09 12-Oct-2020 Akhil Goyal <akhil.goyal@nxp.com>

doc: remove unnecessary API code from security guide

Various xform structures are being copied in
rte_security guide which can be referred from the
API documentation generated by Doxygen. The security guide
does not talk about specific details of these xforms and
thus are removed from the security guide.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>


# e44b3faf 03-Jul-2020 David Coyle <david.coyle@intel.com>

security: support DOCSIS protocol

Add support for DOCSIS protocol to rte_security library. This support
currently comprises the combination of Crypto and CRC operations.

Signed-off-by: David Coyle <david.coyle@intel.com>
Signed-off-by: Mairtin o Loingsigh <mairtin.oloingsigh@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>


# 5d6d7e44 04-Feb-2020 Marcin Smoczynski <marcinx.smoczynski@intel.com>

security: add CPU crypto action type

Introduce CPU crypto action type allowing to differentiate between
regular async 'none security' and synchronous, CPU crypto accelerated
sessions.

This mode is similar to ACTION_TYPE_NONE but crypto processing is
performed synchronously on a CPU.

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>


# f43d3dbb 12-Nov-2019 David Marchand <david.marchand@redhat.com>

doc/guides: clean repeated words

Shoot repeated words in all our guides.

Cc: stable@dpdk.org

Signed-off-by: David Marchand <david.marchand@redhat.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>


# d629b7b5 26-Apr-2019 John McNamara <john.mcnamara@intel.com>

doc: fix spelling reported by aspell in guides

Fix spelling errors in the guide docs.

Signed-off-by: John McNamara <john.mcnamara@intel.com>
Acked-by: Rami Rosen <ramirose@gmail.com>


# 8b593b8c 16-Oct-2018 Akhil Goyal <akhil.goyal@nxp.com>

security: support PDCP

Packet Data Convergence Protocol (PDCP) is added in rte_security
for 3GPP TS 36.323 for LTE.

The patchset provides the structure definitions for configuring the
PDCP sessions and relevant documentation is added.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>


# 1a08c379 18-Dec-2017 Anoob Joseph <anoob.joseph@caviumnetworks.com>

security: support user data retrieval

In case of inline protocol processed ingress traffic, the packet may not
have enough information to determine the security parameters with which
the packet was processed. In such cases, application could get metadata
from the packet which could be used to identify the security parameters
with which the packet was processed.

Application could register "userdata" with the security session, and
this could be retrieved from the metadata of inline processed packets.
The metadata returned by "rte_security_get_pkt_metadata()" will be
device specific. Also the driver is expected to return the application
registered "userdata" as is, without any modifications.

Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>


# d81734ca 19-Dec-2017 Hemant Agrawal <hemant.agrawal@nxp.com>

drivers: use SPDX tag in NXP dpaa files

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>


# 40ff8c99 25-Oct-2017 Akhil Goyal <akhil.goyal@nxp.com>

doc: add details of security library

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: John McNamara <john.mcnamara@intel.com>