History log of /dpdk/lib/security/rte_security.h (Results 1 – 25 of 36)
Revision tags: v24.11, v24.11-rc4, v24.11-rc3, v24.11-rc2, v24.11-rc1
# 2ede1422 18-Oct-2024 Robin Jarry <rjarry@redhat.com>

security: use IPv6 address structure

For consistency with the rest of the code base, update
rte_security_ipsec_tunnel_param to use rte_ipv6_addr structures instead
of in6_addr.

Signed-off-by: Robin Jarry <rjarry@redhat.com>


# 719834a6 20-Sep-2024 Mattias Rönnblom <mattias.ronnblom@ericsson.com>

use C linkage where appropriate in headers

Assure that 'extern "C" { /../ }' do not cover files included from a
particular header file, and address minor issues resulting from this
change of order.

Dealing with C++ should delegate to the individual include file level,
rather than being imposed by the user of that file. For example,
forcing C linkage prevents __Generic macros being replaced with
overloaded static inline functions in C++ translation units.

Eliminate 'extern "C"' from files which do not declare any symbols
(e.g., only macros or struct types).

On the other hand, the headers check is too naive in assuming that all
headers must contain a 'extern "C"'. Such a check was added in commit
1ee492bdc4ff ("buildtools/chkincs: check missing C++ guards").
Since this current change results in many headers not containing such
a token, remove the check for 'extern "C"' until we have a better
implementation.

Signed-off-by: Mattias Rönnblom <mattias.ronnblom@ericsson.com>
Acked-by: Morten Brørup <mb@smartsharesystems.com>
Signed-off-by: David Marchand <david.marchand@redhat.com>


Revision tags: v24.07, v24.07-rc4, v24.07-rc3, v24.07-rc2, v24.07-rc1, v24.03, v24.03-rc4, v24.03-rc3, v24.03-rc2, v24.03-rc1, v23.11, v23.11-rc4, v23.11-rc3, v23.11-rc2
# 1706dc51 24-Oct-2023 Stephen Hemminger <stephen@networkplumber.org>

security: promote some functions as stable

Update security APIs to stable:
__rte_security_set_pkt_metadata 21.11
rte_security_dynfield_offset 20.11
rte_security_macsec_XXX 22.11
rte_security_session_stats_get 18.11

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Akhil Goyal <gakhil@marvell.com>


Revision tags: v23.11-rc1
# 165bb658 10-Oct-2023 Anoob Joseph <anoobj@marvell.com>

security: add fallback security processing and Rx inject

Add alternate datapath API for security processing which would do Rx
injection (similar to loopback) after successful security processing.

With inline protocol offload, variable part of the session context
(AR windows, lifetime etc in case of IPsec), is not accessible to the
application. If packets are not getting processed in the inline path
due to non security reasons (such as outer fragmentation or rte_flow
packet steering limitations), then the packet cannot be security
processed as the session context is private to the PMD and security
library doesn't provide alternate APIs to make use of the same session.

Introduce new API and Rx injection as fallback mechanism to security
processing failures due to non-security reasons. For example, when there
is outer fragmentation and PMD doesn't support reassembly of outer
fragments, application would receive fragments which it can then
reassemble. Post successful reassembly, packet can be submitted for
security processing and Rx inject. The packets can be then received in
the application as normal inline protocol processed packets.

Same API can be leveraged in lookaside protocol offload mode to inject
packet to Rx. This would help in using rte_flow based packet parsing
after security processing. For example, with IPsec, this will help in
flow splitting after IPsec processing is done.

In both inline protocol capable ethdevs and lookaside protocol capable
cryptodevs, the packet would be received back in eth port & queue based
on rte_flow rules and packet parsing after security processing. The API
would behave like a loopback but with the additional security
processing.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>


# 1447ec84 03-Oct-2023 Vidya Sagar Velumuri <vvelumuri@marvell.com>

security: support TLS record lifetime notification

Supported TLS record lifetime notification. TLS record sessions may need
to be renegotiated after a specific number of records are processed.
For devices that are capable of tracking lifetime, application may request
to do so by configuring the lifetime parameters in session. Upon soft
expiry, PMD will set the notification in `rte_crypto_op.aux_flags` field.

Hard expiry of the session would mean any subsequent crypto
operation would fail.

Extended `rte_crypto_op.aux_flags` to support all sessions that may have a
lifetime notification and include TLS record lifetime under the same.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
Acked-by: Harry van Haaren <harry.van.haaren@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>


# f495824b 03-Oct-2023 Anoob Joseph <anoobj@marvell.com>

security: support extra padding with TLS

In TLS record write protocol (encrypt), application may request for
extra padding in addition to the default padding which ensures that
crypto payload is aligned to block size. This is required to hide
the size of the traffic from an observer.

Extend the usage of ``rte_crypto_op.aux_flags`` to allow users to
provide extra padding in units of 8B. It is an optional feature and any
device that supports the same can declare so by making use of
corresponding capability.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
Acked-by: Harry van Haaren <harry.van.haaren@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>


# 7ebdf16a 03-Oct-2023 Anoob Joseph <anoobj@marvell.com>

security: add TLS record processing

Add Transport Layer Security (TLS) and Datagram Transport Layer Security
(DTLS). The protocols provide communications privacy for L4 protocols
such as TCP & UDP.

TLS (and DTLS) protocol is composed of two layers,
1. TLS Record Protocol
2. TLS Handshake Protocol

While TLS Handshake Protocol helps in establishing security parameters
by which client and server can communicate, TLS Record Protocol provides
the connection security. TLS Record Protocol leverages symmetric
cryptographic operations such as data encryption and authentication for
providing security to the communications.

Cryptodevs that are capable of offloading TLS Record Protocol may
perform other operations like IV generation, header insertion, atomic
sequence number updates and anti-replay window check in addition to
cryptographic transformations.

Support for TLS record protocol is added for TLS 1.2, TLS 1.3 and
DTLS 1.2.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
Acked-by: Harry van Haaren <harry.van.haaren@intel.com>


# 79bdb787 20-Sep-2023 Akhil Goyal <gakhil@marvell.com>

security: hide security context

rte_security_ctx is used by all security APIs to identify
which device security_op it needs to call and hence it should
be opaque to the application.
Hence, it is now moved to internal header file and all
APIs will now take an opaque pointer for it.
The fast path inline APIs like set metadata need to get flags
from security_ctx. The flags are now retrieved using inline APIs
which use macros to get the offset of flags in security_ctx.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ciara Power <ciara.power@intel.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>


# 1d63855b 21-Sep-2023 Nithin Dabilpuram <ndabilpuram@marvell.com>

security: introduce out-of-place inline ingress

Similar to out-of-place (OOP) processing support that exists for
Lookaside crypto/security sessions, Inline ingress security
sessions may also need out of place processing in use cases
where original encrypted packet needs to be retained for post
processing. So for NICs which have such a kind of HW support,
a new SA option is provided to indicate whether OOP needs to
be enabled on that Inline ingress security session or not.

Since for inline ingress sessions, packet is not received by
CPU until the processing is done, we can only have per-SA
option and not per-packet option like Lookaside sessions.

Also remove reserved_opts field from the rte_security_ipsec_sa_options
struct as mentioned in deprecation notice.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>


# a35f828d 31-Jul-2023 Ankur Dwivedi <adwivedi@marvell.com>

security: add MACsec algo in capability index

This patch adds the MACsec algorithm field in security capability index
structure. This field is compared against the MACsec alg to return the
correct capability.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>


# 03e3cfda 18-Aug-2023 Anoob Joseph <anoobj@marvell.com>

doc: replace code blocks with includes in security guide

Add literal includes to copy code block while compiling. Having a copy
may lead to mismatch if code is updated without updating the doc.

Fixes: 40ff8c99ea99 ("doc: add details of security library")
Cc: stable@dpdk.org

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>


# 971d2b57 11-Aug-2023 Tyler Retzlaff <roretzla@linux.microsoft.com>

remove C11 compatibility macro

C11 conformant compiler is documented as a minimum requirement to build
and consume DPDK.
Remove use of RTE_STD_C11 macro marking use of C11 features with
__extension__ since it is no longer necessary and then remove definition
of RTE_STD_C11 macro.

Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com>
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
Reviewed-by: Morten Brørup <mb@smartsharesystems.com>


Revision tags: v23.07, v23.07-rc4, v23.07-rc3, v23.07-rc2
# 16bd1c62 14-Jun-2023 Thomas Monjalon <thomas@monjalon.net>

lib: restrict use of keyword extern

Variable declarations in header files are using extern, it is valid.
But function declarations do not need the keyword extern.

Also, extern "C" should have a space after the keyword extern.

Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
Acked-by: Bruce Richardson <bruce.richardson@intel.com>


# b4f0a9bb 14-Jun-2023 Thomas Monjalon <thomas@monjalon.net>

lib: remove blank line ending comment blocks

At the end of a comment, no need for an extra line.

This pattern was fixed with the following command:
git ls lib | xargs sed -i '/^ *\* *$/{N;/ *\*\/ *$/D;}'

Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
Reviewed-by: Ruifeng Wang <ruifeng.wang@arm.com>


Revision tags: v23.07-rc1
# 40e37a2b 08-Jun-2023 Akhil Goyal <gakhil@marvell.com>

security: add MACsec packet number threshold

Added Packet number threshold parameter in MACsec SC
configuration to identify the maximum allowed threshold
for packet number field in the packet.
A field is_xpn is also added to identify if the SAs are
configured for extended packet number or not so that
packet number threshold can be configured accordingly.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>


# b241a5ad 08-Jun-2023 Akhil Goyal <gakhil@marvell.com>

security: add direction in SA/SC configuration

MACsec SC/SA ids are created based on direction of the flow.
Hence, added the missing field for configuration and cleanup
of the SCs and SAs.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>


Revision tags: v23.03, v23.03-rc4, v23.03-rc3, v23.03-rc2, v23.03-rc1, v22.11, v22.11-rc4, v22.11-rc3, v22.11-rc2, v22.11-rc1
# 2973dbf9 04-Oct-2022 Akhil Goyal <gakhil@marvell.com>

security: hide session structure

Structure rte_security_session is moved to internal
headers which are not visible to applications.
The only field which should be used by app is opaque_data.
This field can now be accessed via set/get APIs added in this
patch.
Subsequent changes in app and lib are made to compile the code.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Tested-by: Gagandeep Singh <g.singh@nxp.com>
Tested-by: David Coyle <david.coyle@intel.com>
Tested-by: Kevin O'Sullivan <kevin.osullivan@intel.com>


# 3f3fc330 04-Oct-2022 Akhil Goyal <gakhil@marvell.com>

security: remove private mempool usage

As per current design, rte_security_session_create()
unnecessarily uses 2 mempool objects for a single session.

To address this, the API will now take only 1 mempool
object instead of 2. With this change, the library layer
will get the object from mempool and session priv data is
stored contiguously in the same mempool object.

User needs to ensure that the mempool created in application
is big enough for session private data as well. This can be
ensured if the pool is created after getting size of session
priv data using API rte_security_session_get_size().

Since set and get pkt metadata for security sessions are now
made inline for Inline crypto/proto mode, a new member fast_mdata
is added to the rte_security_session.
Opaque data and fast_mdata will be accessed via inline
APIs which can do pointer manipulations inside library from
session_private_data pointer coming from application.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Tested-by: Gagandeep Singh <g.singh@nxp.com>
Tested-by: David Coyle <david.coyle@intel.com>
Tested-by: Kevin O'Sullivan <kevin.osullivan@intel.com>


# 68d25915 12-Aug-2022 Srujana Challa <schalla@marvell.com>

security: remove user data get API

The API rte_security_get_userdata() was being unused by most of
the drivers and it was retrieving userdata from mbuf dynamic field.
Hence, the API was removed and the application can directly get the
userdata from dynamic field. This helps in removing extra checks
in datapath.

Signed-off-by: Srujana Challa <schalla@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>


# bbbe6c59 28-Sep-2022 Akhil Goyal <gakhil@marvell.com>

security: support MACsec

Added support for MACsec in rte_security for offloading
MACsec Protocol operation to inline NIC device or a crypto device.

To support MACsec we cannot just make one security session and
send with the packet to process it. MACsec specifications suggest,
it has 3 different entities - SECY Entity, SC (secure channel) and
SA (security association). And same SA can be used by multiple SCs and
similarly many SECY can have same SCs. Hence, in order to support this
many to one relationships between all entities, 2 new APIs are created -
rte_security_macsec_sc_create and rte_security_macsec_sa_create.
Flow of execution of the APIs would be as
- rte_security_macsec_sa_create
- rte_security_macsec_sc_create
- rte_security_session_create (for secy)
And in case of inline protocol processing rte_flow can be created with
rte_security action. A new flow item will be added for MACsec header.
New APIs are also created for getting SC and SA stats.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>


Revision tags: v22.07, v22.07-rc4, v22.07-rc3, v22.07-rc2, v22.07-rc1
# 99783e21 27-Apr-2022 Anoob Joseph <anoobj@marvell.com>

security: fix SA lifetime comments

Fix comments to reflect the hard expiry fields.

Fixes: ad7515a39f2a ("security: add SA lifetime configuration")
Cc: stable@dpdk.org

Reported-by: Thomas Monjalon <thomas@monjalon.net>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Reviewed-by: Morten Brørup <mb@smartsharesystems.com>


Revision tags: v22.03, v22.03-rc4, v22.03-rc3, v22.03-rc2
# 30a1de10 15-Feb-2022 Sean Morrissey <sean.morrissey@intel.com>

lib: remove unneeded header includes

These header includes have been flagged by the iwyu_tool
and removed.

Signed-off-by: Sean Morrissey <sean.morrissey@intel.com>


Revision tags: v22.03-rc1
# 8507a169 08-Feb-2022 Akhil Goyal <gakhil@marvell.com>

security: add IPsec option for IP reassembly

A new option is added in IPsec to enable and attempt reassembly
of inbound IP packets.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>


Revision tags: v21.11, v21.11-rc4, v21.11-rc3, v21.11-rc2, v21.11-rc1
# daa02b5c 15-Oct-2021 Olivier Matz <olivier.matz@6wind.com>

mbuf: add namespace to offload flags

Fix the mbuf offload flags namespace by adding an RTE_ prefix to the
name. The old flags remain usable, but a deprecation warning is issued
at compilation.

Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Acked-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
Acked-by: Somnath Kotur <somnath.kotur@broadcom.com>


# fb545457 18-Oct-2021 Akhil Goyal <gakhil@marvell.com>

security: add reserved bit fields

In struct rte_security_ipsec_sa_options, for every new option
added, there is an ABI breakage. To avoid this, a reserved_opts
bitfield is added for the remaining bits available in the
structure.
Now for every new sa option, these reserved_opts can be reduced
and new option can be added.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Ray Kinsella <mdr@ashroe.eu>

