DPDK
24.07.0
|
#include <sys/types.h>
#include <rte_compat.h>
#include <rte_common.h>
#include <rte_crypto.h>
#include <rte_ip.h>
#include <rte_mbuf_dyn.h>
Go to the source code of this file.
Data Structures | |
struct | rte_security_ipsec_tunnel_param |
struct | rte_security_ipsec_sa_options |
struct | rte_security_ipsec_lifetime |
struct | rte_security_ipsec_xform |
struct | rte_security_macsec_sa |
struct | rte_security_macsec_sc |
struct | rte_security_macsec_xform |
struct | rte_security_pdcp_xform |
struct | rte_security_docsis_xform |
struct | rte_security_tls_record_sess_options |
struct | rte_security_tls_record_lifetime |
struct | rte_security_tls_record_xform |
struct | rte_security_session_conf |
struct | rte_security_capability |
struct | rte_security_capability_idx |
Macros | |
#define | RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 |
#define | RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001 |
#define | RTE_SECURITY_MACSEC_NUM_AN 4 |
#define | RTE_SECURITY_MACSEC_SALT_LEN 12 |
#define | RTE_SECURITY_MACSEC_VALIDATE_DISABLE 0 |
#define | RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1 |
#define | RTE_SECURITY_MACSEC_VALIDATE_STRICT 2 |
#define | RTE_SECURITY_MACSEC_VALIDATE_NO_OP 3 |
#define | RTE_SECURITY_TLS_1_2_IMP_NONCE_LEN 4 |
#define | RTE_SECURITY_TLS_1_3_IMP_NONCE_LEN 12 |
#define | RTE_SECURITY_DTLS_1_2_IMP_NONCE_LEN 4 |
#define | RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 |
#define | RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 |
#define | RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 |
#define | RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 |
#define | RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000 |
Typedefs | |
typedef uint64_t | rte_security_dynfield_t |
typedef struct rte_mbuf * | rte_security_oop_dynfield_t |
Functions | |
void * | rte_security_session_create (void *instance, struct rte_security_session_conf *conf, struct rte_mempool *mp) |
int | rte_security_session_update (void *instance, void *sess, struct rte_security_session_conf *conf) |
unsigned int | rte_security_session_get_size (void *instance) |
int | rte_security_session_destroy (void *instance, void *sess) |
int | rte_security_macsec_sc_create (void *instance, struct rte_security_macsec_sc *conf) |
int | rte_security_macsec_sc_destroy (void *instance, uint16_t sc_id, enum rte_security_macsec_direction dir) |
int | rte_security_macsec_sa_create (void *instance, struct rte_security_macsec_sa *conf) |
int | rte_security_macsec_sa_destroy (void *instance, uint16_t sa_id, enum rte_security_macsec_direction dir) |
static rte_security_dynfield_t * | rte_security_dynfield (struct rte_mbuf *mbuf) |
static __rte_experimental rte_security_oop_dynfield_t * | rte_security_oop_dynfield (struct rte_mbuf *mbuf) |
static bool | rte_security_dynfield_is_registered (void) |
static uint32_t | rte_security_ctx_flags_get (void *ctx) |
static void | rte_security_ctx_flags_set (void *ctx, uint32_t flags) |
static uint64_t | rte_security_session_opaque_data_get (void *sess) |
static void | rte_security_session_opaque_data_set (void *sess, uint64_t opaque) |
static uint64_t | rte_security_session_fast_mdata_get (void *sess) |
static void | rte_security_session_fast_mdata_set (void *sess, uint64_t fdata) |
int | __rte_security_set_pkt_metadata (void *instance, void *sess, struct rte_mbuf *m, void *params) |
static int | rte_security_set_pkt_metadata (void *instance, void *sess, struct rte_mbuf *mb, void *params) |
static int | __rte_security_attach_session (struct rte_crypto_sym_op *sym_op, void *sess) |
static int | rte_security_attach_session (struct rte_crypto_op *op, void *sess) |
int | rte_security_session_stats_get (void *instance, void *sess, struct rte_security_stats *stats) |
int | rte_security_macsec_sa_stats_get (void *instance, uint16_t sa_id, enum rte_security_macsec_direction dir, struct rte_security_macsec_sa_stats *stats) |
int | rte_security_macsec_sc_stats_get (void *instance, uint16_t sc_id, enum rte_security_macsec_direction dir, struct rte_security_macsec_sc_stats *stats) |
const struct rte_security_capability * | rte_security_capabilities_get (void *instance) |
const struct rte_security_capability * | rte_security_capability_get (void *instance, struct rte_security_capability_idx *idx) |
__rte_experimental int | rte_security_rx_inject_configure (void *ctx, uint16_t port_id, bool enable) |
__rte_experimental uint16_t | rte_security_inb_pkt_rx_inject (void *ctx, struct rte_mbuf **pkts, void **sess, uint16_t nb_pkts) |
Variables | |
int | rte_security_dynfield_offset |
int | rte_security_oop_dynfield_offset |
RTE Security Common Definitions
Definition in file rte_security.h.
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 |
IPSEC tunnel header verification mode
Controls how outer IP header is verified in inbound.
Definition at line 56 of file rte_security.h.
#define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001 |
Driver uses fast metadata update without using driver specific callback. For fast mdata, mbuf dynamic field would be registered by driver via rte_security_dynfield_register().
Definition at line 59 of file rte_security.h.
#define RTE_SECURITY_MACSEC_NUM_AN 4 |
Maximum number of association numbers for a secure channel.
Definition at line 345 of file rte_security.h.
#define RTE_SECURITY_MACSEC_SALT_LEN 12 |
Salt length for MACsec SA.
Definition at line 347 of file rte_security.h.
#define RTE_SECURITY_MACSEC_VALIDATE_DISABLE 0 |
Disable Validation of MACsec frame.
Definition at line 418 of file rte_security.h.
#define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1 |
Validate MACsec frame but do not discard invalid frame.
Definition at line 420 of file rte_security.h.
#define RTE_SECURITY_MACSEC_VALIDATE_STRICT 2 |
Validate MACsec frame and discart invalid frame.
Definition at line 422 of file rte_security.h.
#define RTE_SECURITY_MACSEC_VALIDATE_NO_OP 3 |
Do not perform any MACsec operation.
Definition at line 424 of file rte_security.h.
#define RTE_SECURITY_TLS_1_2_IMP_NONCE_LEN 4 |
Implicit nonce length to be used with AEAD algos in TLS 1.2
Definition at line 601 of file rte_security.h.
#define RTE_SECURITY_TLS_1_3_IMP_NONCE_LEN 12 |
Implicit nonce length to be used with AEAD algos in TLS 1.3
Definition at line 603 of file rte_security.h.
#define RTE_SECURITY_DTLS_1_2_IMP_NONCE_LEN 4 |
Implicit nonce length to be used with AEAD algos in DTLS 1.2
Definition at line 605 of file rte_security.h.
#define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 |
Underlying Hardware/driver which support PDCP may or may not support packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. If it is not set, driver/HW assumes packets received are in order and it will be application's responsibility to maintain ordering.
Definition at line 1340 of file rte_security.h.
#define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 |
Underlying Hardware/driver which support PDCP may or may not detect duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. If it is not set, driver/HW assumes there is no duplicate packet received.
Definition at line 1346 of file rte_security.h.
#define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 |
HW needs metadata update, see rte_security_set_pkt_metadata().
Definition at line 1348 of file rte_security.h.
#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 |
HW constructs trailer of packets Transmitted packets will have the trailer added to them by hardware. The next protocol field will be based on the mbuf->inner_esp_next_proto field.
Definition at line 1352 of file rte_security.h.
#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000 |
HW removes trailer of packets Received packets have no trailer, the next protocol field is supplied in the mbuf->inner_esp_next_proto field. Inner packet is not modified.
Definition at line 1358 of file rte_security.h.
typedef uint64_t rte_security_dynfield_t |
Device-specific metadata field type
Definition at line 915 of file rte_security.h.
Out-of-Place(OOP) processing field type
Definition at line 920 of file rte_security.h.
IPSec protocol mode
Enumerator | |
---|---|
RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT | IPSec Transport mode |
RTE_SECURITY_IPSEC_SA_MODE_TUNNEL | IPSec Tunnel mode |
Definition at line 28 of file rte_security.h.
IPSec Protocol
Enumerator | |
---|---|
RTE_SECURITY_IPSEC_SA_PROTO_AH | AH protocol |
RTE_SECURITY_IPSEC_SA_PROTO_ESP | ESP protocol |
Definition at line 36 of file rte_security.h.
IPSEC tunnel type
Enumerator | |
---|---|
RTE_SECURITY_IPSEC_TUNNEL_IPV4 | Outer header is IPv4 |
RTE_SECURITY_IPSEC_TUNNEL_IPV6 | Outer header is IPv6 |
Definition at line 44 of file rte_security.h.
IPSec security association direction
Enumerator | |
---|---|
RTE_SECURITY_IPSEC_SA_DIR_EGRESS | Encrypt and generate digest |
RTE_SECURITY_IPSEC_SA_DIR_INGRESS | Verify digest and decrypt |
Definition at line 265 of file rte_security.h.
MACSec packet flow direction
Enumerator | |
---|---|
RTE_SECURITY_MACSEC_DIR_TX | Generate SecTag and encrypt/authenticate |
RTE_SECURITY_MACSEC_DIR_RX | Remove SecTag and decrypt/verify |
Definition at line 337 of file rte_security.h.
MACsec Supported Algorithm list as per IEEE Std 802.1AE.
Definition at line 410 of file rte_security.h.
PDCP Mode of session
Enumerator | |
---|---|
RTE_SECURITY_PDCP_MODE_CONTROL | PDCP control plane |
RTE_SECURITY_PDCP_MODE_DATA | PDCP data plane |
RTE_SECURITY_PDCP_MODE_SHORT_MAC | PDCP short mac |
Definition at line 505 of file rte_security.h.
PDCP Frame direction
Enumerator | |
---|---|
RTE_SECURITY_PDCP_UPLINK | Uplink |
RTE_SECURITY_PDCP_DOWNLINK | Downlink |
Definition at line 512 of file rte_security.h.
PDCP Sequence Number Size selectors
Definition at line 518 of file rte_security.h.
DOCSIS direction
Enumerator | |
---|---|
RTE_SECURITY_DOCSIS_UPLINK | Uplink
|
RTE_SECURITY_DOCSIS_DOWNLINK | Downlink
|
Definition at line 579 of file rte_security.h.
TLS version
Enumerator | |
---|---|
RTE_SECURITY_VERSION_TLS_1_2 | TLS 1.2 |
RTE_SECURITY_VERSION_TLS_1_3 | TLS 1.3 |
RTE_SECURITY_VERSION_DTLS_1_2 | DTLS 1.2 |
Definition at line 608 of file rte_security.h.
TLS session type
Enumerator | |
---|---|
RTE_SECURITY_TLS_SESS_TYPE_READ | Record read session
|
RTE_SECURITY_TLS_SESS_TYPE_WRITE | Record write session
|
Definition at line 615 of file rte_security.h.
Security session action type.
Definition at line 731 of file rte_security.h.
Security session protocol definition
Definition at line 755 of file rte_security.h.
void* rte_security_session_create | ( | void * | instance, |
struct rte_security_session_conf * | conf, | ||
struct rte_mempool * | mp | ||
) |
Create security session as specified by the session configuration
instance | security instance |
conf | session configuration parameters |
mp | mempool to allocate session objects from |
int rte_security_session_update | ( | void * | instance, |
void * | sess, | ||
struct rte_security_session_conf * | conf | ||
) |
Update security session as specified by the session configuration
instance | security instance |
sess | session to update parameters |
conf | update configuration parameters |
unsigned int rte_security_session_get_size | ( | void * | instance | ) |
Get the size of the security session data for a device.
instance | security instance. |
int rte_security_session_destroy | ( | void * | instance, |
void * | sess | ||
) |
Free security session header and the session private data and return it to its original mempool.
instance | security instance |
sess | security session to be freed |
int rte_security_macsec_sc_create | ( | void * | instance, |
struct rte_security_macsec_sc * | conf | ||
) |
Create MACsec security channel (SC).
instance | security instance |
conf | MACsec SC configuration params |
int rte_security_macsec_sc_destroy | ( | void * | instance, |
uint16_t | sc_id, | ||
enum rte_security_macsec_direction | dir | ||
) |
Destroy MACsec security channel (SC).
instance | security instance |
sc_id | SC ID to be destroyed |
dir | direction of the SC |
int rte_security_macsec_sa_create | ( | void * | instance, |
struct rte_security_macsec_sa * | conf | ||
) |
Create MACsec security association (SA).
instance | security instance |
conf | MACsec SA configuration params |
int rte_security_macsec_sa_destroy | ( | void * | instance, |
uint16_t | sa_id, | ||
enum rte_security_macsec_direction | dir | ||
) |
Destroy MACsec security association (SA).
instance | security instance |
sa_id | SA ID to be destroyed |
dir | direction of the SA |
|
inlinestatic |
Get pointer to mbuf field for device-specific metadata.
For performance reason, no check is done, the dynamic field may not be registered.
mbuf | packet to access |
Definition at line 937 of file rte_security.h.
|
inlinestatic |
Get pointer to mbuf field for original mbuf pointer when Out-Of-Place(OOP) processing is enabled in security session.
mbuf | packet to access |
Definition at line 956 of file rte_security.h.
|
inlinestatic |
Check whether the dynamic field is registered.
Definition at line 968 of file rte_security.h.
|
inlinestatic |
Get security flags from security instance.
Definition at line 978 of file rte_security.h.
|
inlinestatic |
Set security flags in security instance.
Definition at line 987 of file rte_security.h.
|
inlinestatic |
Get opaque data from session handle
Definition at line 1000 of file rte_security.h.
|
inlinestatic |
Set opaque data in session handle
Definition at line 1009 of file rte_security.h.
|
inlinestatic |
Get fast mdata from session handle
Definition at line 1020 of file rte_security.h.
|
inlinestatic |
Set fast mdata in session handle
Definition at line 1029 of file rte_security.h.
int __rte_security_set_pkt_metadata | ( | void * | instance, |
void * | sess, | ||
struct rte_mbuf * | m, | ||
void * | params | ||
) |
Function to call PMD specific function pointer set_pkt_metadata()
|
inlinestatic |
Updates the buffer with device-specific defined metadata
instance | security instance |
sess | security session |
mb | packet mbuf to set metadata on. |
params | device-specific defined parameters required for metadata |
Definition at line 1055 of file rte_security.h.
|
inlinestatic |
Attach a session to a symmetric crypto operation
sym_op | crypto operation |
sess | security session |
Definition at line 1077 of file rte_security.h.
|
inlinestatic |
Attach a session to a crypto operation. This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD For other rte_security_session_action_type, ol_flags in rte_mbuf may be defined to perform security operations.
op | crypto operation |
sess | security session |
Definition at line 1094 of file rte_security.h.
int rte_security_session_stats_get | ( | void * | instance, |
void * | sess, | ||
struct rte_security_stats * | stats | ||
) |
Get security session statistics
instance | security instance |
sess | security session If security session is NULL then global (per security instance) statistics will be retrieved, if supported. Global statistics collection is not dependent on the per session statistics configuration. |
stats | statistics |
int rte_security_macsec_sa_stats_get | ( | void * | instance, |
uint16_t | sa_id, | ||
enum rte_security_macsec_direction | dir, | ||
struct rte_security_macsec_sa_stats * | stats | ||
) |
Get MACsec SA statistics.
instance | security instance |
sa_id | SA ID for which stats are needed |
dir | direction of the SA |
stats | statistics |
int rte_security_macsec_sc_stats_get | ( | void * | instance, |
uint16_t | sc_id, | ||
enum rte_security_macsec_direction | dir, | ||
struct rte_security_macsec_sc_stats * | stats | ||
) |
Get MACsec SC statistics.
instance | security instance |
sc_id | SC ID for which stats are needed |
dir | direction of the SC |
stats | SC statistics |
const struct rte_security_capability* rte_security_capabilities_get | ( | void * | instance | ) |
Returns array of security instance capabilities
instance | Security instance. |
const struct rte_security_capability* rte_security_capability_get | ( | void * | instance, |
struct rte_security_capability_idx * | idx | ||
) |
Query if a specific capability is available on security instance
instance | security instance. |
idx | security capability index to match against |
__rte_experimental int rte_security_rx_inject_configure | ( | void * | ctx, |
uint16_t | port_id, | ||
bool | enable | ||
) |
Configure security device to inject packets to an ethdev port.
This API must be called only when both security device and the ethdev is in stopped state. The security device need to be configured before any packets are submitted to rte_security_inb_pkt_rx_inject
API.
ctx | Security ctx |
port_id | Port identifier of the ethernet device to which packets need to be injected. |
enable | Flag to enable and disable connection between a security device and an ethdev port. |
__rte_experimental uint16_t rte_security_inb_pkt_rx_inject | ( | void * | ctx, |
struct rte_mbuf ** | pkts, | ||
void ** | sess, | ||
uint16_t | nb_pkts | ||
) |
Perform security processing of packets and inject the processed packet to ethdev Rx.
Rx inject would behave similarly to ethdev loopback but with the additional security processing. In case of ethdev loopback, application would be submitting packets to ethdev Tx queues and would be received as is from ethdev Rx queues. With Rx inject, packets would be received after security processing from ethdev Rx queues.
With inline protocol offload capable ethdevs, Rx injection can be used to handle packets which failed the regular security Rx path. This can be due to cases such as outer fragmentation, in which case applications can reassemble the fragments and then subsequently submit for inbound processing and Rx injection, so that packets are received as regular security processed packets.
With lookaside protocol offload capable cryptodevs, Rx injection can be used to perform packet parsing after security processing. This would allow for re-classification after security protocol processing is done (ie, inner packet parsing). The ethdev queue on which the packet would be received would be based on rte_flow rules matching the packet after security processing.
The security device which is injecting packets to ethdev Rx need to be configured using rte_security_rx_inject_configure
with enable flag set to true
before any packets are submitted.
If hash.fdir.h
field is set in mbuf, it would be treated as the value for MARK
pattern for the subsequent rte_flow parsing. The packet would appear as if it is received from port
field in mbuf.
Since the packet would be received back from ethdev Rx queues, it is expected that application retains/adds L2 header with the mbuf field 'l2_len' reflecting the size of L2 header in the packet.
ctx | Security ctx |
pkts | The address of an array of nb_pkts pointers to rte_mbuf structures which contain the packets. |
sess | The address of an array of nb_pkts pointers to security sessions corresponding to each packet. |
nb_pkts | The maximum number of packets to process. |
int rte_security_dynfield_offset |
Dynamic mbuf field for device-specific metadata
int rte_security_oop_dynfield_offset |
Dynamic mbuf field for pointer to original mbuf for OOP processing session.