From patchwork Wed Nov 6 06:54:12 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hemant Agrawal X-Patchwork-Id: 178622 Delivered-To: patch@linaro.org Received: by 2002:a92:38d5:0:0:0:0:0 with SMTP id g82csp207650ilf; Tue, 5 Nov 2019 22:57:25 -0800 (PST) X-Google-Smtp-Source: APXvYqxuaxUabk63pBTWOVX0r9HJkXmnpJ1D1/hs+Wz5rc30KrfIhvIB/fypU5ZqJ4/dmTH1mz1Z X-Received: by 2002:aa7:c887:: with SMTP id p7mr962351eds.268.1573023445200; Tue, 05 Nov 2019 22:57:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1573023445; cv=none; d=google.com; s=arc-20160816; b=kFJGUjT5WwRqfN4Xj6r89ezgW/ORT+p/hqqKfJEWWIYy3W3wFEW3gEuWvvSJM/rA4R HLCCzojFLri18WKrFY5OSlYNDyhQOMYGb02NHD/h1nD7eoLiDB9akumPW6cShVvaUbwZ lOCpgGZGLJU6zSiVcz2NumpSlQFuF5JhLLNKjtvBM/+dL129kkycinAsEbZkPMygHSKQ /hx3ysHFTVzfhkPPMA+mK57hxuaWFQeabpzmBYgHbGLB3ecq7/kEtNf4AFHM/H3fPiN6 43YnkB7wau0DN4PtNuUkbcaRjThGGwyxtDr5fdv35f+hXblZrlDaVqjheVU9WEozOujh tmXQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:subject:references:in-reply-to :message-id:date:cc:to:from; bh=sNtkJCTxLRMua5c0vkpOMYIvVu7lruu65bbhOaHn7JI=; b=WwFgKz02YWXql03VLZEbFtL22oQjHgzXtg+YM8fGN5OJrEbC4UQOgl6MvtcgdqugyC SWUqI8RGOXpBIem/PC2Sp74bX4zYISY+mEnfYXeS+oqKRMgoNUmtWAVS1w55u9O4U738 e8e1KLlvTuuQvfQ/cBR0kqaWPVX0E7Av0j3qd7HCSa5N1sOZg9t7eZRuP3a61qHNPgfx rHWCWjZGMTqbHCTVyGXX8SQLZEPI2/wSRanY4heuShTo4/EhAMv4dEE/WiVADHcQkb0L 0YdO3ZKqTY/cgvFKdqrPzlUV0HsrUHxh27SxWt9prcs/ihGipITBr3UoinfJMNLQeoPI iqXQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Return-Path: Received: from dpdk.org (dpdk.org. [92.243.14.124]) by mx.google.com with ESMTP id y14si11308384edu.250.2019.11.05.22.57.24; Tue, 05 Nov 2019 22:57:25 -0800 (PST) Received-SPF: pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) client-ip=92.243.14.124; Authentication-Results: mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 373451BFB8; Wed, 6 Nov 2019 07:57:24 +0100 (CET) Received: from inva021.nxp.com (inva021.nxp.com [92.121.34.21]) by dpdk.org (Postfix) with ESMTP id D19771BFB5 for ; Wed, 6 Nov 2019 07:57:22 +0100 (CET) Received: from inva021.nxp.com (localhost [127.0.0.1]) by inva021.eu-rdc02.nxp.com (Postfix) with ESMTP id 6F85120031B; Wed, 6 Nov 2019 07:57:22 +0100 (CET) Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com [165.114.16.14]) by inva021.eu-rdc02.nxp.com (Postfix) with ESMTP id 0AC8F2001C8; Wed, 6 Nov 2019 07:57:21 +0100 (CET) Received: from bf-netperf1.ap.freescale.net (bf-netperf1.ap.freescale.net [10.232.133.63]) by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id C5357402A9; Wed, 6 Nov 2019 14:57:18 +0800 (SGT) From: Hemant Agrawal To: dev@dpdk.org Cc: akhil.goyal@nxp.com Date: Wed, 6 Nov 2019 12:24:12 +0530 Message-Id: <20191106065414.4311-1-hemant.agrawal@nxp.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191031131502.12504-1-hemant.agrawal@nxp.com> References: <20191031131502.12504-1-hemant.agrawal@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Subject: [dpdk-dev] [PATCH v6 1/3] security: add anti replay window size X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" At present the ipsec xfrom is missing the important step to configure the anti replay window size. The newly added field will also help in to enable or disable the anti replay checking, if available in offload by means of non-zero or zero value. Signed-off-by: Hemant Agrawal Acked-by: Konstantin Ananyev Acked-by: Anoob Joseph --- doc/guides/rel_notes/release_19_11.rst | 6 +++++- lib/librte_security/Makefile | 2 +- lib/librte_security/meson.build | 2 +- lib/librte_security/rte_security.h | 8 ++++++++ 4 files changed, 15 insertions(+), 3 deletions(-) -- 2.17.1 diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index 2eec0a2c1..dcae08002 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -369,6 +369,10 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. +* security: A new field ''replay_win_sz'' has been added to the structure + ``rte_security_ipsec_xform``, which specify the Anti replay window size + to enable sequence replay attack handling. + Shared Library Versions ----------------------- @@ -441,7 +445,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_reorder.so.1 librte_ring.so.2 + librte_sched.so.4 - librte_security.so.2 + + librte_security.so.3 librte_stack.so.1 librte_table.so.3 librte_timer.so.1 diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index 6708effdb..6a268ee2a 100644 --- a/lib/librte_security/Makefile +++ b/lib/librte_security/Makefile @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a # library version -LIBABIVER := 2 +LIBABIVER := 3 # build flags CFLAGS += -O3 diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build index a5130d2f6..6fed01273 100644 --- a/lib/librte_security/meson.build +++ b/lib/librte_security/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel Corporation -version = 2 +version = 3 sources = files('rte_security.c') headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool', 'cryptodev'] diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index aaafdfcd7..216e5370f 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ + uint32_t replay_win_sz; + /**< Anti replay window size to enable sequence replay attack handling. + * replay checking is disabled if the window size is 0. + */ }; /** @@ -563,6 +567,10 @@ struct rte_security_capability { /**< IPsec SA direction */ struct rte_security_ipsec_sa_options options; /**< IPsec SA supported options */ + uint32_t replay_win_sz_max; + /**< IPsec Anti Replay Window Size. A '0' value + * indicates that Anti Replay Window is not supported. + */ } ipsec; /**< IPsec capability */ struct {