Can't you send this as a patch? That will make it easier to review and see the impact.
Cheers, Anders On 23 September 2014 15:58, Mike Holmes <[email protected]> wrote: > Lets touch on this on next Tuesdays call. > > On 16 September 2014 05:33, Job Abraham <[email protected]> wrote: > >> Hi All, >> >> >> Here is a proposal for enhancing ODP crypto APIs to support security >> protocols like IPsec. >> >> >> As part of the ODP crypto API definitions, the framework for supporting a >> wide variety of security protocols is defined. The definition of data >> structures and APIs for crypto functions is defined below. Specifically, a >> detailed presentation of IPsec related parameters and their usage are >> defined. IPsec implementation is done by means of specialized offload >> engines that interface with general cores/other specific cores that perform >> other network processing functions. >> >> >> >> >> >> >> >> *Crypto Session Create:-* >> >> Crypto engine can be used by any of the Security protocols like >> IPsec/SRTP/SRTCP/TLS etc, hence protocol specific parameters shall be >> passed during crypto session create. >> >> >> >> These protocol specific parameters allow accelerator engines to provide >> more offloaded functionality in NPU. >> >> >> >> Following APIs are expected to undergo changes during crypto session >> create: >> >> *Crypto session create APIs* >> >> int odp_crypto_session_create(odp_crypto_session_params_t *params, >> >> odp_crypto_session_t *session, >> >> enum odp_crypto_ses_create_err *status ) >> >> >> >> >> >> int odp_crypto_session_create_async(odp_crypto_session_params_t * >> params, >> >> odp_buffer_t completion_event, >> >> odp_queue_t completion_queue ) >> >> >> >> These API creates the crypto session (blocking/non-blocking). Changes >> proposed to these API are below. >> >> >> >> *New Enums or Structures:-* >> >> /** >> >> * Crypto protocol - more types can be added based on Security >> Accelerator capability. >> >> */ >> >> enum odp_crypto_protocol_type { >> >> CRYPTO_IPSEC, >> >> CRYPTO_SRTP, >> >> CRYPTO_TLS, >> >> NONE >> >> }; >> >> >> >> /** >> >> * Crypto IPsec direction >> >> */ >> >> enum odp_ipsec_direction { >> >> IPSEC_INBOUND, >> >> IPSEC_OUTBOUND >> >> }; >> >> >> >> /** >> >> * Crypto IPsec mode >> >> */ >> >> enum odp_ipsec_mode{ >> >> IPSEC_TUNNEL, >> >> IPSEC_TRANSPORT >> >> }; >> >> >> >> /** >> >> * Crypto IPsec protocol >> >> */ >> >> enum odp_ipsec_proto{ >> >> IPSEC_AH, >> >> IPSEC_ESP >> >> }; >> >> >> >> >> >> /** >> >> * Crypto protocol specific parameters >> >> * IPsec parameters >> >> * softLifetime: Soft lifetime of an SA, shall be specified either in >> time or bytes >> >> * hardLifetime: Hard lifetime of an SA, shall be specified either in >> time or bytes >> >> * dir: IPsec direction based on operation either INBOUND/OUTBOUND >> >> * mode: IPsec mode, can be Tunnel or Transport mode >> >> * proto: IPsec Protocol, can be ESP/AH >> >> * spi: Security Parameter Index for the IPsec SA session >> >> * srcAddr: Source address of tunnel header, (Valid only in Tunnel mode) >> >> * dstAddr: Destination address of tunnel header, (Valid only in Tunnel >> mode) >> >> * seqOverFlowFlag: Flag to indicate that the sequence number Over flow >> is enabled >> >> */ >> >> struct odp_crypto_protocol_params{ >> >> >> >> odp_crypto_protocol_type type; >> >> >> >> union{ >> >> /* IPsec Protocol specific parameters */ >> >> struct{ >> >> uint64_t softLifetime; >> >> uint64_t hardLifetime; >> >> odp_ipsec_direction dir; >> >> odp_ipsec_mode mode; >> >> odp_ipsec_proto proto; >> >> uint32_t spi; >> >> uint32_t srcAddr; >> >> uint32_t dstAddr; >> >> bool seqOverFlowFlag; >> >> }ipsec; >> >> >> >> >> >> /* SRTP Protocol specific parameters */ >> >> struct{ >> >> }srtp; >> >> >> >> >> >> /* TLS Protocol specific parameters */ >> >> struct{ >> >> }tls; >> >> }; >> >> }; >> >> >> >> >> >> *Modified Structure:-* >> >> >> >> /** >> >> * Crypto API session creation paramters >> >> * >> >> * TODO: add "odp_session_proc_info_t" >> >> */ >> >> struct odp_crypto_session_params { >> >> enum odp_crypto_op op; /**< Encode versus decode */ >> >> enum odp_crypto_combination comb; /**< Operation order */ >> >> enum odp_crypto_op_mode pref_mode; /**< Preferred sync vs async */ >> >> enum odp_cipher_alg cipher_alg; /**< Cipher algorithm */ >> >> odp_key_t *cipher_key; /**< Cipher key */ >> >> uint8_t *iv; /**< Cipher Initialization Vector >> (IV) */ >> >> size_t iv_len; /**< Cipher IV length */ >> >> enum odp_auth_alg auth_alg; /**< Authentication algorithm */ >> >> odp_key_t *auth_key; /**< Authentication key */ >> >> odp_queue_t compl_queue; /**< Async mode completion event >> queue */ >> >> odp_crypto_protocol proto_params; /**< ##new Param## Protocol >> specific params */ >> >> }; >> >> >> >> >> >> >> >> >> >> >> >> >> >> *Crypto Operation in data-path:-* >> >> int odp_crypto_operation(odp_crypto_op_params_t *params, >> >> bool * posted, >> >> odp_buffer_t completion_event) >> >> >> >> This API does the Crypto operation (Encryption/Decryption) in data-path. >> This API prototype is not changed. But based on crypto protocol defined in >> crypto session creation, the operation varies. If crypto protocol is none, >> the existing behavior continues (only the crypto) >> >> >> >> If the Security protocol is "CRYPTO_IPSEC" during crypto session create, >> then this API is expected to do following specific IPsec offload >> functionality. >> >> >> >> *IPsec Encryption:-* >> >> Plain IP packet with payload is passed to this API to do >> the IPsec Encryption. API is expected to add the IP tunnel header if >> required, add the ESP/AH protocol & encrypt the packet. >> >> >> >> ODP APIs can use crypto accelerators to do the following, else partial >> functionality can be implemented in CPU & rest can be offloaded to crypto >> accelerators. >> >> >> >> o Tunnel IP headers are encapsulated during Tunnel Encryption scenario. >> >> o AH/ESP headers are encapsulated during Tunnel/Transport Encryption >> scenario >> >> · Sequence number generation, >> >> · Sequence number overflow, >> >> · Adding Padding bytes for crypto algorithm block size >> >> >> >> >> >> After completion of crypto operation, application can expect the complete >> encrypted buffer with Tunnel IP header if any, IPsec protocol ESP/AH & >> encrypted payload. >> >> >> >> *IPsec Decryption:-* >> >> Encrypted IP packet with IP header is passed to this API to do the IPsec >> Decryption. API is expected to remove the IP tunnel header if any, remove >> the ESP/AH protocol & decrypt the packet. >> >> >> >> ODP APIs can use crypto accelerators to do the following, else partial >> functionality can be implemented in CPU & rest can be offloaded to crypto >> accelerators. >> >> >> >> o Tunnel IP headers are removed during Tunnel Decryption scenario. >> >> o AH/ESP headers removed during Tunnel/Transport Decryption scenario >> >> · Anti replay Window mechanism shall be taken care by this API >> >> >> >> >> >> After completion of crypto operation, application can expect the complete >> decrypted buffer (with removal Tunnel IP header if any, with removal of >> IPsec protocol ESP/AH). >> >> >> >> Please share your thoughts on this proposal. >> >> >> >> Regards, >> >> Job >> >> >> >> >> _______________________________________________ >> lng-odp mailing list >> [email protected] >> http://lists.linaro.org/mailman/listinfo/lng-odp >> >> > > > -- > *Mike Holmes* > Linaro Technical Manager / Lead > LNG - ODP > > _______________________________________________ > lng-odp mailing list > [email protected] > http://lists.linaro.org/mailman/listinfo/lng-odp > >
_______________________________________________ lng-odp mailing list [email protected] http://lists.linaro.org/mailman/listinfo/lng-odp
