________________________________
From: Alexandru Badicioiu <[email protected]>
Sent: Thursday, July 30, 2015 6:44 PM
To: Jacob, Jerin
Cc: LNG ODP Mailman List
Subject: Re: [lng-odp] [API-NEXT PATCH] api: crypto: add crypto IPSec extension



On 30 July 2015 at 16:00, Jerin Jacob 
<[email protected]<mailto:[email protected]>> wrote:
On Wed, Jul 22, 2015 at 11:26:03AM +0300, 
[email protected]<mailto:[email protected]> wrote:
> From: Alexandru Badicioiu 
> <[email protected]<mailto:[email protected]>>
>
> This patch adds IPSec protocol processing capabilities to crypto
> sessions. Implementations which have these capabilities in hardware
> crypto engines can use the extension to offload the application from
> IPSec protocol processing.
>
> Signed-off-by: Alexandru Badicioiu 
> <[email protected]<mailto:[email protected]>>
> ---
>  include/odp/api/crypto_ipsec.h                     |  110 ++++++++++++++++++++
>  platform/linux-generic/include/odp/crypto.h        |    2 +
>  .../include/odp/plat/crypto_ipsec_types.h          |   53 ++++++++++
>  3 files changed, 165 insertions(+), 0 deletions(-)
>  create mode 100644 include/odp/api/crypto_ipsec.h
>  create mode 100644 platform/linux-generic/include/odp/plat/crypto_ipsec_types.h
>
> diff --git a/include/odp/api/crypto_ipsec.h b/include/odp/api/crypto_ipsec.h
> new file mode 100644
> index 0000000..e59fea4
> --- /dev/null
> +++ b/include/odp/api/crypto_ipsec.h
> @@ -0,0 +1,110 @@
> +/* Copyright (c) 2014, Linaro Limited
> + * All rights reserved.
> + *
> + * SPDX-License-Identifier:  BSD-3-Clause
> + */
> +
> +/**
> + * @file
> + *
> + * ODP crypto IPSec extension
> + */
> +
> +#ifndef ODP_API_CRYPTO_IPSEC_H_
> +#define ODP_API_CRYPTO_IPSEC_H_
> +
> +#ifdef __cplusplus
> +extern "C" {
> +#endif
> +
> +/**
> + * @enum odp_ipsec_outhdr_type
> + * IPSec tunnel outer header type
> + *
> + * @enum odp_ipsec_ar_ws
> + * IPSec Anti-replay window size
> + *
> + */
> +
> +typedef struct odp_ipsec_params {
> +     uint32_t spi;            /** SPI value */
> +     uint32_t seq;            /** Initial SEQ number */
> +     enum odp_ipsec_ar_ws ar_ws; /** Anti-replay window size -
> +                                     inbound session with authentication */
> +     odp_bool_t esn;         /** Use extended sequence numbers */
> +     odp_bool_t auto_iv;     /** Auto IV generation for each operation. */
> +     uint16_t out_hdr_size;   /** outer header size - tunnel mode */
> +     uint8_t *out_hdr;        /** outer header - tunnel mode */
> +     enum odp_ipsec_outhdr_type out_hdr_type; /* outer header type -
> +                                                 tunnel mode */
> +     odp_bool_t ip_csum;     /** update/verify ip header checksum */
> +     odp_bool_t ip_dttl;     /** decrement ttl - tunnel mode encap & decap */
> +     odp_bool_t remove_outer_hdr; /** remove outer header - tunnel mode 
> decap */
> +     odp_bool_t copy_dscp;   /** DiffServ Copy - Copy the IPv4 TOS or
> +                                 IPv6 Traffic Class byte from the inner/outer
> +                                 IP header to the outer/inner IP header -
> +                                 tunnel mode encap & decap */
> +     odp_bool_t copy_df;     /** Copy DF bit - copy the DF bit from
> +                                 the inner IP header to the
> +                                 outer IP header - tunnel mode encap */
> +     odp_bool_t nat_t;       /** NAT-T encapsulation enabled - tunnel mode */
> +     odp_bool_t udp_csum;    /** Update/verify UDP csum when NAT-T enabled */
> +
> +} odp_ipsec_params_t;
> +
> +/**
> + * @enum odp_ipsec_mode:ODP_IPSEC_MODE_TUNNEL
> + * IPSec tunnel mode
> + *
> + * @enum odp_ipsec_mode:ODP_IPSEC_MODE_TRANSPORT
> + * IPSec transport mode
> + *
> + * @enum odp_ipsec_proto
> + * IPSec protocol
> + */
> +
> +/**
> + * Configure crypto session for IPsec processing
> + *
> + * Configures a crypto session for IPSec protocol processing.
> + * Packets submitted to an IPSec enabled session will have
> + * relevant IPSec headers/trailers and tunnel headers
> + * added/removed by the crypto implementation.
> + * For example, the input packet for an IPSec ESP transport
> + * enabled session should be the clear text packet with
> + * no ESP headers/trailers prepared in advance for crypto operation.
> + * The output packet will have ESP header, IV, trailer and the ESP ICV
> + * added by crypto implementation.
> + * Depending on the particular capabilities of an implementation and
> + * the parameters enabled by application, the application may be
> + * partially or completely offloaded from IPSec protocol processing.
> + * For example, if an implementation does not support checksum
> + * update for IP header after adding ESP header the application
> + * should update after crypto IPSec operation.

How does a portable application know what the pending operations are?
[Alex] I assume your question is related to asynchronous mode. A crypto
operation can have an associated user context which can be retrieved from the
results when the operation has completed. Such a context can contain information
about what the application is supposed to do next on the packets depending on
the type of the session (raw, ipsec, etc).

[Jerin] Yes, the question was for asynchronous mode. We need to spec out the
contract definition for how the application recognizes the pending operations.



> + *
> + * If an implementation does not support a particular set of
> + * arguments it should return error.
> + *
> + * @param session        Session handle
> + * @param ipsec_mode     IPSec protocol mode
> + * @param ipsec_proto            IPSec protocol
> + * @param ipsec_params           IPSec parameters. Parameters which are not
> + *                       relevant for selected protocol & mode are ignored -
> + *                       e.g. outer_hdr/size set for ESP transport mode.
> + * @retval 0 on success
> + * @retval <0 on failure
> + */
> +int odp_crypto_session_config_ipsec(odp_crypto_session_t session,
> +                                 enum odp_ipsec_mode ipsec_mode,
> +                                 enum odp_ipsec_proto ipsec_proto,
> +                                 odp_ipsec_params_t ipsec_params);
> +

IMO, we should have a reference implementation of the IPsec protocol offload
implemented with normal crypto operations, so that it can be reused on
platforms which don't have platform offload.
[Alex] Do you mean a version of odp_ipsec with ipsec offloading running and a
linux-generic implementation of the IPSec protocol?
[Jerin] Yes, for linux-generic. It can be reused for all the platforms.



> +/**
> + * @}
> + */
> +
> +#ifdef __cplusplus
> +}
> +#endif
> +
> +#endif
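Review bot: in odp_ipsec_params, out_hdr is a bare uint8_t * with out_hdr_size beside it, and the struct is passed by value to odp_crypto_session_config_ipsec(), but the comments do not say whether the implementation copies the outer header during the call or keeps the pointer for the life of the session. Please document the ownership and lifetime, and state that out_hdr_size must be consistent with out_hdr_type, so an implementation can reject a mismatched size rather than read past the caller's buffer. Also, seq is uint32_t while esn selects extended sequence numbers, which are 64 bits wide, so the initial value cannot express the upper 32 bits; the trailing member comments use /** where Doxygen needs /**< (out_hdr_type uses a plain /*); and the closing @} near the end of the file has no matching @addtogroup or @{ in this header.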
> diff --git a/platform/linux-generic/include/odp/crypto.h 
> b/platform/linux-generic/include/odp/crypto.h
> index 7684c1e..718ab7d 100644
> --- a/platform/linux-generic/include/odp/crypto.h
> +++ b/platform/linux-generic/include/odp/crypto.h
> @@ -20,6 +20,7 @@ extern "C" {
>  #include <odp/std_types.h>
>  #include <odp/plat/packet_types.h>
>  #include <odp/plat/crypto_types.h>
> +#include <odp/plat/crypto_ipsec_types.h>
>  #include <odp/plat/buffer_types.h>
>  #include <odp/plat/pool_types.h>
>  #include <odp/queue.h>
> @@ -33,6 +34,7 @@ extern "C" {
>   */
>
>  #include <odp/api/crypto.h>
> +#include <odp/api/crypto_ipsec.h>
>
>  #ifdef __cplusplus
>  }
> diff --git a/platform/linux-generic/include/odp/plat/crypto_ipsec_types.h 
> b/platform/linux-generic/include/odp/plat/crypto_ipsec_types.h
> new file mode 100644
> index 0000000..74521da
> --- /dev/null
> +++ b/platform/linux-generic/include/odp/plat/crypto_ipsec_types.h
> @@ -0,0 +1,53 @@
> +/* Copyright (c) 2015, Linaro Limited
> + * All rights reserved.
> + *
> + * SPDX-License-Identifier:  BSD-3-Clause
> + */
> +
> +/**
> + * @file
> + *
> + * ODP crypto
> + */
> +
> +#ifndef ODP_CRYPTO_IPSEC_TYPES_H_
> +#define ODP_CRYPTO_IPSEC_TYPES_H_
> +
> +#ifdef __cplusplus
> +extern "C" {
> +#endif
> +
> +/** @addtogroup odp_crypto
> + *  @{
> + */
> +
> +enum odp_ipsec_mode {
> +     ODP_IPSEC_MODE_TUNNEL,      /**< IPSec tunnel mode */
> +     ODP_IPSEC_MODE_TRANSPORT,   /**< IPSec transport mode */
> +};
> +
> +enum odp_ipsec_proto {
> +     ODP_IPSEC_ESP,             /**< ESP protocol */
> +};
> +
> +enum odp_ipsec_outhdr_type {
> +     ODP_IPSEC_OUTHDR_IPV4,    /**< Outer header is IPv4 */
> +     ODP_IPSEC_OUTHDR_IPV6,    /**< Outer header is IPv6 */
> +};
> +
> +enum odp_ipsec_ar_ws {
> +     ODP_IPSEC_AR_WS_NONE,      /**< Anti-replay is not enabled */
> +     ODP_IPSEC_AR_WS_32,        /**< Anti-replay window size 32 */
> +     ODP_IPSEC_AR_WS_64,        /**< Anti-replay window size 64 */
> +     ODP_IPSEC_AR_WS_128,       /**< Anti-replay window size 128 */
> +};
> +
> +/**
> + * @}
> + */
> +
> +#ifdef __cplusplus
> +}
> +#endif
> +
> +#endif
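Review bot: in enum odp_ipsec_ar_ws, ODP_IPSEC_AR_WS_NONE is the first enumerator and therefore 0, so an odp_ipsec_params_t that is zero-initialized ends up with anti-replay disabled without the application ever choosing that. Consider documenting that ar_ws must be set explicitly for inbound sessions, or ordering the enum so that 0 is not the "off" value. The enumerator values are also not the window sizes (ODP_IPSEC_AR_WS_32 is 1, not 32), which deserves a comment for anyone comparing or logging the field, and the @file description reads "ODP crypto" where something like "ODP crypto IPSec types" would match the file.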
> --
> 1.7.3.4
>
> _______________________________________________
> lng-odp mailing list
> [email protected]<mailto:[email protected]>
> https://lists.linaro.org/mailman/listinfo/lng-odp
