From patchwork Thu Oct 31 13:15:00 2019
X-Patchwork-Submitter: Hemant Agrawal
X-Patchwork-Id: 178173
From: Hemant Agrawal
To: dev@dpdk.org, akhil.goyal@nxp.com
Cc: konstantin.ananyev@intel.com, anoobj@marvell.com, Hemant Agrawal
Date: Thu, 31 Oct 2019 18:45:00 +0530
Message-Id: <20191031131502.12504-1-hemant.agrawal@nxp.com>
In-Reply-To: <20191031045458.29166-1-hemant.agrawal@nxp.com>
References: <20191031045458.29166-1-hemant.agrawal@nxp.com>
Subject: [dpdk-dev] [PATCH v5 1/3] security: add anti replay window size

At present the ipsec xform is missing the important step to configure the anti replay window size. The newly added field will also help to enable or disable the anti replay checking, if available in offload, by means of a non-zero or zero value.

Signed-off-by: Hemant Agrawal
Acked-by: Konstantin Ananyev
---
 doc/guides/rel_notes/release_19_11.rst | 6 +++++-
 lib/librte_security/Makefile | 2 +-
 lib/librte_security/meson.build | 2 +-
 lib/librte_security/rte_security.h | 8 ++++++++
 4 files changed, 15 insertions(+), 3 deletions(-)

--
2.17.1

Acked-by: Anoob Joseph

diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index ae8e7b2f0..0508ec545 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -365,6 +365,10 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. +* security: A new field ''replay_win_sz'' has been added to the structure + ``rte_security_ipsec_xform``, which specify the Anti replay window size + to enable sequence replay attack handling. + Shared Library Versions -----------------------
@@ -437,7 +441,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_reorder.so.1 librte_ring.so.2 + librte_sched.so.4 - librte_security.so.2 + + librte_security.so.3 librte_stack.so.1 librte_table.so.3 librte_timer.so.1 diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index 6708effdb..6a268ee2a 100644 --- a/lib/librte_security/Makefile +++ b/lib/librte_security/Makefile @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a # library version -LIBABIVER := 2 +LIBABIVER := 3 # build flags CFLAGS += -O3 diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build index a5130d2f6..6fed01273 100644 --- a/lib/librte_security/meson.build +++ b/lib/librte_security/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel Corporation -version = 2 +version = 3 sources = files('rte_security.c') headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool', 'cryptodev'] diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index aaafdfcd7..216e5370f 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ + uint32_t replay_win_sz; + /**< Anti replay window size to enable sequence replay attack handling. + * replay checking is disabled if the window size is 0. + */ }; /** @@ -563,6 +567,10 @@ struct rte_security_capability { /**< IPsec SA direction */ struct rte_security_ipsec_sa_options options; /**< IPsec SA supported options */ + uint32_t replay_win_sz_max; + /**< IPsec Anti Replay Window Size. A '0' value + * indicates that Anti Replay Window is not supported. + */ } ipsec; /**< IPsec capability */ struct {
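
Review bot: In the "ABI Changes" hunk of release_19_11.rst, the field name is quoted with two single quotes (''replay_win_sz'') instead of RST double backticks, so it will not render as a literal the way ``rte_security_ipsec_xform`` does on the following line, and "which specify" should read "which specifies". The entry also covers only the xform field, while rte_security.h in the same patch adds replay_win_sz_max to the ipsec capability, which changes the layout of rte_security_capability as well; suggest naming both fields in the note.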
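
Review bot: In the rte_security_ipsec_xform hunk of rte_security.h, the comment on replay_win_sz gives no unit for the window (packets, i.e. sequence numbers) and does not tie the value to the capability's replay_win_sz_max. Because 0 disables replay checking, an application that zero-fills the xform and is not updated for the new field ends up with a session that has anti-replay off without any indication; suggest stating in the comment that the field must be set explicitly to get replay protection and that it should not exceed replay_win_sz_max.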
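
Review bot: In the rte_security_capability hunk of rte_security.h, the comment on replay_win_sz_max documents only the 0 case and does not say that it is the upper bound for replay_win_sz in rte_security_ipsec_xform, nor what a driver does with a larger request (reject the session, or reduce the window). This patch touches only the header and build files, so nothing here checks the requested size against the capability; suggest documenting the expected behaviour so that an application cannot end up with a smaller window than it asked for without knowing.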