From patchwork Thu Oct 31 13:15:00 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Hemant Agrawal <hemant.agrawal@nxp.com>
X-Patchwork-Id: 178173
Delivered-To: patch@linaro.org
Received: by 2002:a92:409a:0:0:0:0:0 with SMTP id d26csp2831122ill;
 Thu, 31 Oct 2019 06:18:12 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzQikUAHjjwoGF8aHr+M6Ci0n1x4YBB+TXx7gm5PNQCh3dti/AWc0p54owyMOIUCISl/vhE
X-Received: by 2002:a50:eb92:: with SMTP id y18mr5951997edr.244.1572527892254; 
 Thu, 31 Oct 2019 06:18:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1572527892; cv=none;
 d=google.com; s=arc-20160816;
 b=eGr8aZiERxiciHgfW9GBA1hYqTxALWYkNN1uGtlEaOXxzKJM2QgOKlUbAfj1fuAjEr
 cX0Ox6SlltQy7cZthJVR4j4IaBLvJ5N/a557mFJBc7Ap/dAdRV1NSfVTKuxBRGPBeaXH
 cC/cZDE1zctbGuagLMMKoj24/2/Tjx9AiEq94qlVQavhnKeJwnFM024PshOf8wHN0eEL
 yg4ZSQrkKYvOashqUZr4GXJPgsHtcXoArJo0N5snLu8mf/hSKdTMeTvCBgmzwgXOe5G1
 7WVQc3/tVV3SwQZ7gSudAoYgX+FdcFY/qzIUnNsdBub1xpLt0y0+30ibNsIk94+1LMST
 +r3Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=sender:errors-to:list-subscribe:list-help:list-post:list-archive
 :list-unsubscribe:list-id:precedence:subject:references:in-reply-to
 :message-id:date:cc:to:from;
 bh=ineFBYKHAyT6r7jPJa/mLMtIG++WC8fkyIOtYz4abio=;
 b=YfvsNcOz9wKxAnqxaHljscX+iQNjHws0SJuZwyOStNCtqq5GvDWLlaWogwsOlu/yjj
 151AzSrE0wbMmGw2zyrKwyuByMdvqiOEitCY5Y+HHRy5f95Xdw20LpwQl/7w+BeCUq7R
 7wddHveX+tEbKcZWnNXAom6V9aMneeJVYc2pcTztaAo7DbcRZ5nUPhGUVAr4yvgYfLZW
 RtICHXLW0RMzCZjvFjXCkdD0rBqx7vGUVqLRM9EjYZcoaWNiWuRfKdVJjFeg97Wgvihq
 z/JHHHrsqsQhzoTlZ4ihVWfFxwHfeyzZl0MYc8dfRIdjeub2DJdak8TzqQ+1VK/iYsEk
 7b1g==
ARC-Authentication-Results: i=1; mx.google.com;
 spf=pass (google.com: domain of dev-bounces@dpdk.org designates
 92.243.14.124 as permitted sender)
 smtp.mailfrom=dev-bounces@dpdk.org; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org. [92.243.14.124])
 by mx.google.com with ESMTP id i52si4059827ede.65.2019.10.31.06.18.11;
 Thu, 31 Oct 2019 06:18:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of dev-bounces@dpdk.org designates
 92.243.14.124 as permitted sender) client-ip=92.243.14.124; 
Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of dev-bounces@dpdk.org designates
 92.243.14.124 as permitted sender)
 smtp.mailfrom=dev-bounces@dpdk.org; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com
Received: from [92.243.14.124] (localhost [127.0.0.1])
 by dpdk.org (Postfix) with ESMTP id 629701C232;
 Thu, 31 Oct 2019 14:18:11 +0100 (CET)
Received: from inva020.nxp.com (inva020.nxp.com [92.121.34.13])
 by dpdk.org (Postfix) with ESMTP id C2B181C230
 for <dev@dpdk.org>; Thu, 31 Oct 2019 14:18:09 +0100 (CET)
Received: from inva020.nxp.com (localhost [127.0.0.1])
 by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 8F4791A087A;
 Thu, 31 Oct 2019 14:18:09 +0100 (CET)
Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com
 [165.114.16.14])
 by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 032411A04FC;
 Thu, 31 Oct 2019 14:18:07 +0100 (CET)
Received: from bf-netperf1.ap.freescale.net (bf-netperf1.ap.freescale.net
 [10.232.133.63])
 by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id B093A402FC;
 Thu, 31 Oct 2019 21:18:01 +0800 (SGT)
From: Hemant Agrawal <hemant.agrawal@nxp.com>
To: dev@dpdk.org,
	akhil.goyal@nxp.com
Cc: konstantin.ananyev@intel.com, anoobj@marvell.com,
 Hemant Agrawal <hemant.agrawal@nxp.com>
Date: Thu, 31 Oct 2019 18:45:00 +0530
Message-Id: <20191031131502.12504-1-hemant.agrawal@nxp.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20191031045458.29166-1-hemant.agrawal@nxp.com>
References: <20191031045458.29166-1-hemant.agrawal@nxp.com>
X-Virus-Scanned: ClamAV using ClamSMTP
Subject: [dpdk-dev] [PATCH v5 1/3] security: add anti replay window size
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

At present the ipsec xfrom is missing the important step
to configure the anti replay window size.
The newly added field will also help in to enable or disable
the anti replay checking, if available in offload by means
of non-zero or zero value.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
 doc/guides/rel_notes/release_19_11.rst | 6 +++++-
 lib/librte_security/Makefile           | 2 +-
 lib/librte_security/meson.build        | 2 +-
 lib/librte_security/rte_security.h     | 8 ++++++++
 4 files changed, 15 insertions(+), 3 deletions(-)

-- 
2.17.1
Acked-by: Anoob Joseph <anoobj@marvell.com>

diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst
index ae8e7b2f0..0508ec545 100644
--- a/doc/guides/rel_notes/release_19_11.rst
+++ b/doc/guides/rel_notes/release_19_11.rst
@@ -365,6 +365,10 @@ ABI Changes
   align the Ethernet header on receive and all known encapsulations
   preserve the alignment of the header.
 
+* security: A new field ''replay_win_sz'' has been added to the structure
+  ``rte_security_ipsec_xform``, which specify the Anti replay window size
+  to enable sequence replay attack handling.
+
 
 Shared Library Versions
 -----------------------
@@ -437,7 +441,7 @@ The libraries prepended with a plus sign were incremented in this version.
      librte_reorder.so.1
      librte_ring.so.2
    + librte_sched.so.4
-     librte_security.so.2
+   + librte_security.so.3
      librte_stack.so.1
      librte_table.so.3
      librte_timer.so.1
diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile
index 6708effdb..6a268ee2a 100644
--- a/lib/librte_security/Makefile
+++ b/lib/librte_security/Makefile
@@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk
 LIB = librte_security.a
 
 # library version
-LIBABIVER := 2
+LIBABIVER := 3
 
 # build flags
 CFLAGS += -O3
diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build
index a5130d2f6..6fed01273 100644
--- a/lib/librte_security/meson.build
+++ b/lib/librte_security/meson.build
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: BSD-3-Clause
 # Copyright(c) 2017-2019 Intel Corporation
 
-version = 2
+version = 3
 sources = files('rte_security.c')
 headers = files('rte_security.h', 'rte_security_driver.h')
 deps += ['mempool', 'cryptodev']
diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index aaafdfcd7..216e5370f 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {
 	/**< Tunnel parameters, NULL for transport mode */
 	uint64_t esn_soft_limit;
 	/**< ESN for which the overflow event need to be raised */
+	uint32_t replay_win_sz;
+	/**< Anti replay window size to enable sequence replay attack handling.
+	 * replay checking is disabled if the window size is 0.
+	 */
 };
 
 /**
@@ -563,6 +567,10 @@ struct rte_security_capability {
 			/**< IPsec SA direction */
 			struct rte_security_ipsec_sa_options options;
 			/**< IPsec SA supported options */
+			uint32_t replay_win_sz_max;
+			/**< IPsec Anti Replay Window Size. A '0' value
+			 * indicates that Anti Replay Window is not supported.
+			 */
 		} ipsec;
 		/**< IPsec capability */
 		struct {