Hi Anoob,

On 10/16/2018 4:19 PM, Joseph, Anoob wrote:
> Hi Akhil,
>
> The HFN threshold comment is still not right I guess,
>
>> + uint32_t hfn;
>> + /**< HFN Threshold for key renegotiation */
>> + uint32_t hfn_threshold;
> The above code snippet is there in the rte_security.rst file also. You may
> need to fix that also.
>
> And the following also need to be fixed,
I think there is some issue in your mail client. Please check patchworks. Everything looks good to me
http://patches.dpdk.org/patch/46886/

>> + * @PDCP_SN_SIZE_18: 18bit sequence number */ enum
>> +rte_security_pdcp_sn_size {
> ....
>> + RTE_SECURITY_PDCP_SN_SIZE_18 = 18 };
> With the above changes,
> Acked-by: Anoob Joseph <anoob.jos...@caviumnetworks.com>

Thanks.

>
> Thanks,
> Anoob
>> -----Original Message-----
>> From: Akhil Goyal <akhil.go...@nxp.com>
>> Sent: 16 October 2018 16:09
>> To: dev@dpdk.org
>> Cc: pablo.de.lara.gua...@intel.com; radu.nico...@intel.com; Jacob, Jerin
>> <jerin.jacobkollanukka...@cavium.com>; Athreya, Narayana Prasad
>> <narayanaprasad.athr...@cavium.com>; Verma, Shally
>> <shally.ve...@cavium.com>; Joseph, Anoob <anoob.jos...@cavium.com>;
>> Velumuri, Vidya <vidya.velum...@cavium.com>; Hemant Agrawal
>> <hemant.agra...@nxp.com>; Akhil Goyal <akhil.go...@nxp.com>
>> Subject: [PATCH v5 1/3] security: support pdcp protocol
>>
>> External Email
>>
>> From: Akhil Goyal <akhil.go...@nxp.com>
>>
>> Packet Data Convergence Protocol (PDCP) is added in rte_security for 3GPP TS
>> 36.323 for LTE.
>>
>> The patchset provides the structure definitions for configuring the PDCP
>> sessions
>> and relevant documentation is added.
>>
>> Signed-off-by: Hemant Agrawal <hemant.agra...@nxp.com>
>> Signed-off-by: Akhil Goyal <akhil.go...@nxp.com>
>> ---
>> doc/guides/prog_guide/rte_security.rst | 107 +++++++++++++++++++++++--
>> lib/librte_security/rte_security.c | 4 +
>> lib/librte_security/rte_security.h | 92 +++++++++++++++++++++
>> 3 files changed, 196 insertions(+), 7 deletions(-)
>>
>> diff --git a/doc/guides/prog_guide/rte_security.rst
>> b/doc/guides/prog_guide/rte_security.rst
>> index 0812abe77..e43f1554c 100644
>> --- a/doc/guides/prog_guide/rte_security.rst
>> +++ b/doc/guides/prog_guide/rte_security.rst
>> @@ -10,8 +10,8 @@ The security library provides a framework for management >> and provisioning of security protocol operations offloaded to hardware based >> devices. The library defines generic APIs to create and free security >> sessions >> which can support full protocol offload as well as inline crypto operation >> with - >> NIC or crypto devices. The framework currently only supports the IPSec >> protocol >> -and associated operations, other protocols will be added in future. >> +NIC or crypto devices. The framework currently only supports the IPsec >> +and PDCP protocol and associated operations, other protocols will be added >> in >> future. >> >> Design Principles >> ----------------- 
>> @@ -253,6 +253,49 @@ for any protocol header addition. >> +--------|--------+ >> V >> >> +PDCP Flow Diagram >> +~~~~~~~~~~~~~~~~~ >> + >> +Based on 3GPP TS 36.323 Evolved Universal Terrestrial Radio Access >> +(E-UTRA); Packet Data Convergence Protocol (PDCP) specification >> + >> +.. code-block:: c >> + >> + Transmitting PDCP Entity Receiving PDCP Entity >> + | ^ >> + | +-----------|-----------+ >> + V | In order delivery and | >> + +---------|----------+ | Duplicate detection | >> + | Sequence Numbering | | (Data Plane only) | >> + +---------|----------+ +-----------|-----------+ >> + | | >> + +---------|----------+ +-----------|----------+ >> + | Header Compression*| | Header Decompression*| >> + | (Data-Plane only) | | (Data Plane only) | >> + +---------|----------+ +-----------|----------+ >> + | | >> + +---------|-----------+ +-----------|----------+ >> + | Integrity Protection| |Integrity Verification| >> + | (Control Plane only)| | (Control Plane only) | >> + +---------|-----------+ +-----------|----------+ >> + +---------|-----------+ +----------|----------+ >> + | Ciphering | | Deciphering | >> + +---------|-----------+ +----------|----------+ >> + +---------|-----------+ +----------|----------+ >> + | Add PDCP header | | Remove PDCP Header | >> + +---------|-----------+ +----------|----------+ >> + | | >> + +----------------->>----------------+ >> + >> + >> +.. note:: >> + >> + * Header Compression and decompression are not supported currently. >> + >> +Just like IPsec, in case of PDCP also header addition/deletion, cipher/ >> +de-cipher, integrity protection/verification is done based on the >> +action type chosen. >> + >> Device Features and Capabilities >> --------------------------------- 
>> >> @@ -271,7 +314,7 @@ structure in the *DPDK API Reference*. >> >> Each driver (crypto or ethernet) defines its own private array of >> capabilities for >> the operations it supports. Below is an example of the capabilities for a >> -PMD >> which supports the IPSec protocol. >> +PMD which supports the IPsec and PDCP protocol. >> >> .. code-block:: c >> >> @@ -298,6 +341,24 @@ PMD which supports the IPSec protocol. >> }, >> .crypto_capabilities = pmd_capabilities >> }, >> + { /* PDCP Lookaside Protocol offload Data Plane */ >> + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, >> + .protocol = RTE_SECURITY_PROTOCOL_PDCP, >> + .pdcp = { >> + .domain = RTE_SECURITY_PDCP_MODE_DATA, >> + .capa_flags = 0 >> + }, >> + .crypto_capabilities = pmd_capabilities >> + }, >> + { /* PDCP Lookaside Protocol offload Control */ >> + .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, >> + .protocol = RTE_SECURITY_PROTOCOL_PDCP, >> + .pdcp = { >> + .domain = RTE_SECURITY_PDCP_MODE_CONTROL, >> + .capa_flags = 0 >> + }, >> + .crypto_capabilities = pmd_capabilities >> + }, >> { >> .action = RTE_SECURITY_ACTION_TYPE_NONE >> } >> @@ -429,6 +490,7 @@ Security Session configuration structure is defined as >> ``rte_security_session_co >> union { >> struct rte_security_ipsec_xform ipsec; >> struct rte_security_macsec_xform macsec; >> + struct rte_security_pdcp_xform pdcp; >> }; >> /**< Configuration parameters for security session */ >> struct rte_crypto_sym_xform *crypto_xform; 
@@ -463,15 +525,17 @@ >> The ``rte_security_session_protocol`` is defined as .. code-block:: c >> >> enum rte_security_session_protocol { >> - RTE_SECURITY_PROTOCOL_IPSEC, >> + RTE_SECURITY_PROTOCOL_IPSEC = 1, >> /**< IPsec Protocol */ >> RTE_SECURITY_PROTOCOL_MACSEC, >> /**< MACSec Protocol */ >> + RTE_SECURITY_PROTOCOL_PDCP, >> + /**< PDCP Protocol */ >> }; >> >> -Currently the library defines configuration parameters for IPSec only. For >> other >> -protocols like MACSec, structures and enums are defined as place holders >> which -will be updated in the future. >> +Currently the library defines configuration parameters for IPsec and PDCP >> only. >> +For other protocols like MACSec, structures and enums are defined as >> +place holders which will be updated in the future. >> >> IPsec related configuration parameters are defined in >> ``rte_security_ipsec_xform`` 
>> >> @@ -494,6 +558,35 @@ IPsec related configuration parameters are defined in >> ``rte_security_ipsec_xform >> /**< Tunnel parameters, NULL for transport mode */ >> }; >> >> +PDCP related configuration parameters are defined in >> +``rte_security_pdcp_xform`` >> + >> +.. code-block:: c >> + >> + struct rte_security_pdcp_xform { >> + int8_t bearer; /**< PDCP bearer ID */ >> + /**< Enable in order delivery, this field shall be set only if >> + * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. >> + */ >> + uint8_t en_ordering; >> + /**< Notify driver/HW to detect and remove duplicate packets. >> + * This field should be set only when driver/hw is capable. >> + * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. >> + */ >> + uint8_t remove_duplicates; >> + /**< PDCP mode of operation: Control or data */ >> + enum rte_security_pdcp_domain domain; >> + /**< PDCP Frame Direction 0:UL 1:DL */ >> + enum rte_security_pdcp_direction pkt_dir; >> + /**< Sequence number size, 5/7/12/15/18 */ >> + enum rte_security_pdcp_sn_size sn_size; >> + /**< Starting Hyper Frame Number to be used together with the SN >> + * from the PDCP frames >> + */ >> + uint32_t hfn; >> + /**< HFN Threshold for key renegotiation */ >> + uint32_t hfn_threshold; >> + }; >> + >> >> Security API >> ~~~~~~~~~~~~ >> diff --git a/lib/librte_security/rte_security.c >> b/lib/librte_security/rte_security.c >> index 1954960a5..c6355de95 100644 >> --- a/lib/librte_security/rte_security.c >> +++ b/lib/librte_security/rte_security.c >> @@ -131,6 +131,10 @@ rte_security_capability_get(struct rte_security_ctx >> *instance, >> capability->ipsec.direction == >> >> idx->ipsec.direction) >> return capability; >> + } else if (idx->protocol == >> RTE_SECURITY_PROTOCOL_PDCP) { >> + if (capability->pdcp.domain == >> + idx->pdcp.domain) >> + return capability; >> } >> } >> } >> diff --git a/lib/librte_security/rte_security.h >> b/lib/librte_security/rte_security.h >> index b0d1b97ee..de49017e1 100644 
>> --- a/lib/librte_security/rte_security.h >> +++ b/lib/librte_security/rte_security.h 
>> @@ -206,6 +206,66 @@ struct rte_security_macsec_xform { >> int dummy; >> }; >> >> +/** >> + * PDCP Mode of session >> + */ >> +enum rte_security_pdcp_domain { >> + RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */ >> + RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */ >> +}; >> + >> +/** PDCP Frame direction */ >> +enum rte_security_pdcp_direction { >> + RTE_SECURITY_PDCP_UPLINK, /**< Uplink */ >> + RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */ >> +}; >> + >> +/** >> + * PDCP Sequence Number Size selectors >> + * @PDCP_SN_SIZE_5: 5bit sequence number >> + * @PDCP_SN_SIZE_7: 7bit sequence number >> + * @PDCP_SN_SIZE_12: 12bit sequence number >> + * @PDCP_SN_SIZE_15: 15bit sequence number >> + * @PDCP_SN_SIZE_18: 18bit sequence number */ enum >> +rte_security_pdcp_sn_size { >> + RTE_SECURITY_PDCP_SN_SIZE_5 = 5, >> + RTE_SECURITY_PDCP_SN_SIZE_7 = 7, >> + RTE_SECURITY_PDCP_SN_SIZE_12 = 12, >> + RTE_SECURITY_PDCP_SN_SIZE_15 = 15, >> + RTE_SECURITY_PDCP_SN_SIZE_18 = 18 }; >> + >> +/** >> + * PDCP security association configuration data. >> + * >> + * This structure contains data required to create a PDCP security session. >> + */ >> +struct rte_security_pdcp_xform { >> + int8_t bearer; /**< PDCP bearer ID */ >> + /**< Enable in order delivery, this field shall be set only if >> + * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. >> + */ >> + uint8_t en_ordering; >> + /**< Notify driver/HW to detect and remove duplicate packets. >> + * This field should be set only when driver/hw is capable. >> + * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. 
>> + */ >> + uint8_t remove_duplicates; >> + /**< PDCP mode of operation: Control or data */ >> + enum rte_security_pdcp_domain domain; >> + /**< PDCP Frame Direction 0:UL 1:DL */ >> + enum rte_security_pdcp_direction pkt_dir; >> + /**< Sequence number size, 5/7/12/15/18 */ >> + enum rte_security_pdcp_sn_size sn_size; >> + /**< Starting Hyper Frame Number to be used together with the SN >> + * from the PDCP frames >> + */ >> + uint32_t hfn; >> + /**< HFN Threshold for key renegotiation */ >> + uint32_t hfn_threshold; >> +}; >> + >> /** >> * Security session action type. >> */ >> @@ -232,6 +292,8 @@ enum rte_security_session_protocol { >> /**< IPsec Protocol */ >> RTE_SECURITY_PROTOCOL_MACSEC, >> /**< MACSec Protocol */ >> + RTE_SECURITY_PROTOCOL_PDCP, >> + /**< PDCP Protocol */ >> }; >> >> /** >> @@ -246,6 +308,7 @@ struct rte_security_session_conf { >> union { >> struct rte_security_ipsec_xform ipsec; >> struct rte_security_macsec_xform macsec; >> + struct rte_security_pdcp_xform pdcp; >> }; >> /**< Configuration parameters for security session */ >> struct rte_crypto_sym_xform *crypto_xform; @@ -413,6 +476,10 @@ >> struct rte_security_ipsec_stats { >> >> }; >> >> +struct rte_security_pdcp_stats { >> + uint64_t reserved; >> +}; >> + >> struct rte_security_stats { >> enum rte_security_session_protocol protocol; >> /**< Security protocol to be configured */ @@ -421,6 +488,7 @@ >> struct >> rte_security_stats { >> union { >> struct rte_security_macsec_stats macsec; >> struct rte_security_ipsec_stats ipsec; >> + struct rte_security_pdcp_stats pdcp; >> }; >> }; 
>> >> @@ -465,6 +533,13 @@ struct rte_security_capability { >> int dummy; >> } macsec; >> /**< MACsec capability */ >> + struct { >> + enum rte_security_pdcp_domain domain; >> + /** < PDCP mode of operation: Control or data */ >> + uint32_t capa_flags; >> + /** < Capabilitity flags, see RTE_SECURITY_PDCP_* */ >> + } pdcp; >> + /**< PDCP capability */ >> }; >> >> const struct rte_cryptodev_capabilities *crypto_capabilities; @@ >> -474,6 >> +549,19 @@ struct rte_security_capability { >> /**< Device offload flags */ >> }; >> >> +/**< Underlying Hardware/driver which support PDCP may or may not >> +support >> + * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. >> + * If it is not set, driver/HW assumes packets received are in order >> + * and it will be application's responsibility to maintain ordering. >> + */ >> +#define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 >> + >> +/**< Underlying Hardware/driver which support PDCP may or may not >> +detect >> + * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. >> + * If it is not set, driver/HW assumes there is no duplicate packet >> received. >> + */ >> +#define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 >> + >> #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 >> /**< HW needs metadata update, see rte_security_set_pkt_metadata(). >> */ >> @@ -506,6 +594,10 @@ struct rte_security_capability_idx { >> enum rte_security_ipsec_sa_mode mode; >> enum rte_security_ipsec_sa_direction direction; >> } ipsec; >> + struct { >> + enum rte_security_pdcp_domain domain; >> + uint32_t capa_flags; >> + } pdcp; >> }; >> }; >> >> -- >> 2.17.1
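
Review bot: in the rte_security.c hunk (@@ -131,6 +131,10), the new PDCP branch of rte_security_capability_get() matches on pdcp.domain only, although this patch also adds pdcp.capa_flags to struct rte_security_capability_idx and that field is never compared. A caller that sets idx->pdcp.capa_flags to RTE_SECURITY_PDCP_DUP_DETECT_CAP can be handed a capability that lacks the flag and then set remove_duplicates on a device that does not filter duplicates. Either add "(capability->pdcp.capa_flags & idx->pdcp.capa_flags) == idx->pdcp.capa_flags" to the match, or drop capa_flags from the idx struct and document that callers must check the flags on the returned capability themselves.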
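
Review bot: in struct rte_security_pdcp_xform (rte_security.h hunk @@ -206,6 +206,66, and the copy in rte_security.rst), the comments for en_ordering, remove_duplicates, domain, pkt_dir, sn_size, hfn and hfn_threshold are written with "/**<" but placed above the member they describe. "/**<" documents the preceding member, so "HFN Threshold for key renegotiation" is attached to hfn and hfn_threshold ends up with no description. Use "/**" for comments that precede a member, or move each "/**<" after its member as done for bearer. It would also help to state what the driver does when hfn_threshold is reached, since nothing visible in this patch describes how the application learns that renegotiation is due. In the same hunk, the "@PDCP_SN_SIZE_5" style tags in the enum comment do not match the enumerator names RTE_SECURITY_PDCP_SN_SIZE_5 and so on.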
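
Review bot: in the pdcp member added to struct rte_security_capability (hunk @@ -465,6 +533,13), the two member comments open with "/** <" with a space before "<", which is not the "/**<" trailing-member marker used everywhere else in this header. Write them as "/**<" so that they attach to domain and capa_flags. "Capabilitity" is a typo for "Capability", and "see RTE_SECURITY_PDCP_*" would be more useful if it named RTE_SECURITY_PDCP_ORDERING_CAP and RTE_SECURITY_PDCP_DUP_DETECT_CAP directly.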
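
Review bot: in the hunk that adds RTE_SECURITY_PDCP_ORDERING_CAP and RTE_SECURITY_PDCP_DUP_DETECT_CAP (@@ -474,6 +549,19), the DUP_DETECT comment says only that the driver/HW "assumes there is no duplicate packet received" when the flag is not set, without saying who must discard duplicates in that case. The ORDERING comment assigns the fallback to the application; do the same here, and say that remove_duplicates must be left at 0 when the flag is absent, because duplicate discard is what stops a replayed PDU from being delivered twice. Both comments also use "/**<" ahead of the #define they describe, where "/**" is the form for a comment that precedes its entity, and "if it support" should read "if it is supported".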