On Wed, Jul 22, 2015 at 11:26:03AM +0300, alexandru.badici...@linaro.org wrote:
> From: Alexandru Badicioiu <alexandru.badici...@linaro.org>
>
> This patch adds IPSec protocol processing capabilities to crypto
> sesssions. Implementations which have these capabilities in hardware
> crypto engines can use the extension to offload the application from
> IPSec protocol processing.
>
> Signed-off-by: Alexandru Badicioiu <alexandru.badici...@linaro.org>
> ---
> include/odp/api/crypto_ipsec.h | 110
> ++++++++++++++++++++
> platform/linux-generic/include/odp/crypto.h | 2 +
> .../include/odp/plat/crypto_ipsec_types.h | 53 ++++++++++
> 3 files changed, 165 insertions(+), 0 deletions(-)
> create mode 100644 include/odp/api/crypto_ipsec.h
> create mode 100644
> platform/linux-generic/include/odp/plat/crypto_ipsec_types.h
>
> diff --git a/include/odp/api/crypto_ipsec.h b/include/odp/api/crypto_ipsec.h
> new file mode 100644
> index 0000000..e59fea4
> --- /dev/null
> +++ b/include/odp/api/crypto_ipsec.h
> @@ -0,0 +1,110 @@
> +/* Copyright (c) 2014, Linaro Limited
> + * All rights reserved.
> + *
> + * SPDX-License-Identifier: BSD-3-Clause
> + */
> +
> +/**
> + * @file
> + *
> + * ODP crypto IPSec extension
> + */
> +
> +#ifndef ODP_API_CRYPTO_IPSEC_H_
> +#define ODP_API_CRYPTO_IPSEC_H_
> +
> +#ifdef __cplusplus
> +extern "C" {
> +#endif
> +
> +/**
> + * @enum odp_ipsec_outhdr_type
> + * IPSec tunnel outer header type
> + *
> + * @enum odp_ipsec_ar_ws
> + * IPSec Anti-replay window size
> + *
> + */
> +
> +typedef struct odp_ipsec_params {
> + uint32_t spi; /** SPI value */
> + uint32_t seq; /** Initial SEQ number */
> + enum odp_ipsec_ar_ws ar_ws; /** Anti-replay window size -
> + inbound session with authentication */
> + odp_bool_t esn; /** Use extended sequence numbers */
> + odp_bool_t auto_iv; /** Auto IV generation for each operation. */
> + uint16_t out_hdr_size; /** outer header size - tunnel mode */
> + uint8_t *out_hdr; /** outer header - tunnel mode */
> + enum odp_ipsec_outhdr_type out_hdr_type; /* outer header type -
> + tunnel mode */
> + odp_bool_t ip_csum; /** update/verify ip header checksum */
> + odp_bool_t ip_dttl; /** decrement ttl - tunnel mode encap & decap */
> + odp_bool_t remove_outer_hdr; /** remove outer header - tunnel mode
> decap */
> + odp_bool_t copy_dscp; /** DiffServ Copy - Copy the IPv4 TOS or
> + IPv6 Traffic Class byte from the inner/outer
> + IP header to the outer/inner IP header -
> + tunnel mode encap & decap */
> + odp_bool_t copy_df; /** Copy DF bit - copy the DF bit from
> + the inner IP header to the
> + outer IP header - tunnel mode encap */
> + odp_bool_t nat_t; /** NAT-T encapsulation enabled - tunnel mode */
> + odp_bool_t udp_csum; /** Update/verify UDP csum when NAT-T enabled */
> +
> +} odp_ipsec_params_t;
> +
> +/**
> + * @enum odp_ipsec_mode:ODP_IPSEC_MODE_TUNNEL
> + * IPSec tunnel mode
> + *
> + * @enum odp_ipsec_mode:ODP_IPSEC_MODE_TRANSPORT
> + * IPSec transport mode
> + *
> + * @enum odp_ipsec_proto
> + *
IPSec protocol
> + */
> +
> +/**
> + * Configure crypto session for IPsec processing
> + *
> + * Configures a crypto session for IPSec protocol processing.
> + * Packets submitted to an IPSec enabled session will have
> + * relevant IPSec headers/trailers and tunnel headers
> + * added/removed by the crypto implementation.
> + * For example, the input packet for an IPSec ESP transport
> + * enabled session should be the clear text packet with
> + * no ESP headers/trailers prepared in advance for crypto operation.
> + * The output packet will have ESP header, IV, trailer and the ESP ICV
> + * added by crypto implementation.
> + * Depending on the particular capabilities of an implementation and
> + * the parameters enabled by application, the application may be
> + * partially or completely offloaded from IPSec protocol processing.
> + * For example, if an implementation does not support checksum
> + * update for IP header after adding ESP header the application
> + * should update after crypto IPSec operation.
How a portable application knows what are the pending operations ?
> + *
> + * If an implementation does not support a particular set of
> + * arguments it should return error.
> + *
> + * @param session Session handle
> + * @param ipsec_mode IPSec protocol mode
> + * @param ipsec_proto IPSec protocol
> + * @param ipsec_params IPSec parameters. Parameters which are not
> + * relevant for selected protocol & mode are ignored -
> + * e.g. outer_hdr/size set for ESP transport mode.
> + * @retval 0 on success
> + * @retval <0 on failure
> + */
> +int odp_crypto_session_config_ipsec(odp_crypto_session_t session,
> + enum odp_ipsec_mode ipsec_mode,
> + enum odp_ipsec_proto ipsec_proto,
> + odp_ipsec_params_t ipsec_params);
> +
IMO, We should have reference implementation of ipsec protocol offload implementation with normal crypto operations so that it can be re used in the platform which don't have platform offload
> +/**
> + * @}
> + */
> +
> +#ifdef __cplusplus
> +}
> +#endif
> +
> +#endif
> diff --git a/platform/linux-generic/include/odp/crypto.h
> b/platform/linux-generic/include/odp/crypto.h
> index 7684c1e..718ab7d 100644
> --- a/platform/linux-generic/include/odp/crypto.h
> +++ b/platform/linux-generic/include/odp/crypto.h
> @@ -20,6 +20,7 @@ extern "C" {
> #include <odp/std_types.h>
> #include <odp/plat/packet_types.h>
> #include <odp/plat/crypto_types.h>
> +#include <odp/plat/crypto_ipsec_types.h>
> #include <odp/plat/buffer_types.h>
> #include <odp/plat/pool_types.h>
> #include <odp/queue.h>
> @@ -33,6 +34,7 @@ extern "C" {
> */
>
> #include <odp/api/crypto.h>
> +#include <odp/api/crypto_ipsec.h>
>
> #ifdef __cplusplus
> }
> diff --git a/platform/linux-generic/include/odp/plat/crypto_ipsec_types.h
> b/platform/linux-generic/include/odp/plat/crypto_ipsec_types.h
> new file mode 100644
> index 0000000..74521da
> --- /dev/null
> +++ b/platform/linux-generic/include/odp/plat/crypto_ipsec_types.h
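Review bot: `uint8_t *out_hdr` in `odp_ipsec_params_t` (include/odp/api/crypto_ipsec.h) is a raw pointer with no stated lifetime, and the struct is passed by value to `odp_crypto_session_config_ipsec()`, so the header does not tell an implementation whether it must copy the outer header during the call or may keep the pointer. An implementation that keeps it could later read memory the caller has freed or reused and prepend those bytes to every tunnelled packet. The member comment should state the contract, e.g. `/**< outer header, tunnel mode; out_hdr_size bytes are copied during session configuration and the caller may release the buffer on return */`. The function description should also say that in tunnel mode a NULL `out_hdr`, or an `out_hdr_size` that does not fit `out_hdr_type`, is rejected with an error rather than ignored. Declaring the member as `const uint8_t *out_hdr` would additionally make clear that the implementation does not write through it.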
> @@ -0,0 +1,53 @@
> +/* Copyright (c) 2015, Linaro Limited
> + * All rights reserved.
> + *
> + * SPDX-License-Identifier: BSD-3-Clause
> + */
> +
> +/**
> + * @file
> + *
> + * ODP crypto
> + */
> +
> +#ifndef ODP_CRYPTO_IPSEC_TYPES_H_
> +#define ODP_CRYPTO_IPSEC_TYPES_H_
> +
> +#ifdef __cplusplus
> +extern "C" {
> +#endif
> +
> +/** @addtogroup odp_crypto
> + * @{
> + */
> +
> +enum odp_ipsec_mode {
> + ODP_IPSEC_MODE_TUNNEL, /**< IPSec tunnel mode */
> + ODP_IPSEC_MODE_TRANSPORT, /**< IPSec transport mode */
> +};
> +
> +enum odp_ipsec_proto {
> + ODP_IPSEC_ESP, /**< ESP protocol */
> +};
> +
> +enum odp_ipsec_outhdr_type {
> + ODP_IPSEC_OUTHDR_IPV4, /**< Outer header is IPv4 */
> + ODP_IPSEC_OUTHDR_IPV6, /**< Outer header is IPv6 */
> +};
> +
> +enum odp_ipsec_ar_ws {
> + ODP_IPSEC_AR_WS_NONE, /**< Anti-replay is not enabled */
> + ODP_IPSEC_AR_WS_32, /**< Anti-replay window size 32 */
> + ODP_IPSEC_AR_WS_64, /**< Anti-replay window size 64 */
> + ODP_IPSEC_AR_WS_128, /**< Anti-replay window size 128 */
> +};
> +
> +/**
> + * @}
> + */
> +
> +#ifdef __cplusplus
> +}
> +#endif
> +
> +#endif
> --
> 1.7.3.4
>
> _______________________________________________
> lng-odp mailing list
> lng-odp@lists.linaro.org
> https://lists.linaro.org/mailman/listinfo/lng-odp
_______________________________________________
lng-odp mailing list
lng-odp@lists.linaro.org
https://lists.linaro.org/mailman/listinfo/lng-odp
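Review bot: `ODP_IPSEC_AR_WS_NONE` is the first enumerator of `enum odp_ipsec_ar_ws` in crypto_ipsec_types.h and therefore has value 0, so an `odp_ipsec_params_t` that the application zero-initialises and fills in only partially configures an inbound session with anti-replay protection off, without any error or indication. Because the replay window is a security property of the SA, the enumerator comment should say this outright, e.g. `/**< Anti-replay is not enabled; this is value 0, so a zeroed odp_ipsec_params_t selects it */`, and the `ar_ws` member documentation should tell callers to set it explicitly for inbound sessions. The `@file` description `ODP crypto` would also be clearer as `ODP crypto IPSec types`, since it is otherwise indistinguishable from the existing crypto types header.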