On Wed, Jul 22, 2015 at 11:26:03AM +0300, alexandru.badici...@linaro.org wrote:
> From: Alexandru Badicioiu <alexandru.badici...@linaro.org>
> 
> This patch adds IPSec protocol processing capabilities to crypto
> sessions. Implementations which have these capabilities in hardware
> crypto engines can use the extension to offload the application from
> IPSec protocol processing.
> 
> Signed-off-by: Alexandru Badicioiu <alexandru.badici...@linaro.org>
> ---
>  include/odp/api/crypto_ipsec.h                     |  110 
> ++++++++++++++++++++
>  platform/linux-generic/include/odp/crypto.h        |    2 +
>  .../include/odp/plat/crypto_ipsec_types.h          |   53 ++++++++++
>  3 files changed, 165 insertions(+), 0 deletions(-)
>  create mode 100644 include/odp/api/crypto_ipsec.h
>  create mode 100644 
> platform/linux-generic/include/odp/plat/crypto_ipsec_types.h
> 
> diff --git a/include/odp/api/crypto_ipsec.h b/include/odp/api/crypto_ipsec.h
> new file mode 100644
> index 0000000..e59fea4
> --- /dev/null
> +++ b/include/odp/api/crypto_ipsec.h
> @@ -0,0 +1,110 @@
> +/* Copyright (c) 2014, Linaro Limited
> + * All rights reserved.
> + *
> + * SPDX-License-Identifier:  BSD-3-Clause
> + */
> +
> +/**
> + * @file
> + *
> + * ODP crypto IPSec extension
> + */
> +
> +#ifndef ODP_API_CRYPTO_IPSEC_H_
> +#define ODP_API_CRYPTO_IPSEC_H_
> +
> +#ifdef __cplusplus
> +extern "C" {
> +#endif
> +
> +/**
> + * @enum odp_ipsec_outhdr_type
> + * IPSec tunnel outer header type
> + *
> + * @enum odp_ipsec_ar_ws
> + * IPSec Anti-replay window size
> + *
> + */
> +
> +typedef struct odp_ipsec_params {
> +     uint32_t spi;            /** SPI value */
> +     uint32_t seq;            /** Initial SEQ number */
> +     enum odp_ipsec_ar_ws ar_ws; /** Anti-replay window size -
> +                                     inbound session with authentication */
> +     odp_bool_t esn;         /** Use extended sequence numbers */
> +     odp_bool_t auto_iv;     /** Auto IV generation for each operation. */
> +     uint16_t out_hdr_size;   /** outer header size - tunnel mode */
> +     uint8_t *out_hdr;        /** outer header - tunnel mode */
> +     enum odp_ipsec_outhdr_type out_hdr_type; /* outer header type -
> +                                                 tunnel mode */
> +     odp_bool_t ip_csum;     /** update/verify ip header checksum */
> +     odp_bool_t ip_dttl;     /** decrement ttl - tunnel mode encap & decap */
> +     odp_bool_t remove_outer_hdr; /** remove outer header - tunnel mode 
> decap */
> +     odp_bool_t copy_dscp;   /** DiffServ Copy - Copy the IPv4 TOS or
> +                                 IPv6 Traffic Class byte from the inner/outer
> +                                 IP header to the outer/inner IP header -
> +                                 tunnel mode encap & decap */
> +     odp_bool_t copy_df;     /** Copy DF bit - copy the DF bit from
> +                                 the inner IP header to the
> +                                 outer IP header - tunnel mode encap */
> +     odp_bool_t nat_t;       /** NAT-T encapsulation enabled - tunnel mode */
> +     odp_bool_t udp_csum;    /** Update/verify UDP csum when NAT-T enabled */
> +
> +} odp_ipsec_params_t;
> +
> +/**
> + * @enum odp_ipsec_mode:ODP_IPSEC_MODE_TUNNEL
> + * IPSec tunnel mode
> + *
> + * @enum odp_ipsec_mode:ODP_IPSEC_MODE_TRANSPORT
> + * IPSec transport mode
> + *
> + * @enum odp_ipsec_proto
> + * IPSec protocol
> + */
> +
> +/**
> + * Configure crypto session for IPsec processing
> + *
> + * Configures a crypto session for IPSec protocol processing.
> + * Packets submitted to an IPSec enabled session will have
> + * relevant IPSec headers/trailers and tunnel headers
> + * added/removed by the crypto implementation.
> + * For example, the input packet for an IPSec ESP transport
> + * enabled session should be the clear text packet with
> + * no ESP headers/trailers prepared in advance for crypto operation.
> + * The output packet will have ESP header, IV, trailer and the ESP ICV
> + * added by crypto implementation.
> + * Depending on the particular capabilities of an implementation and
> + * the parameters enabled by application, the application may be
> + * partially or completely offloaded from IPSec protocol processing.
> + * For example, if an implementation does not support checksum
> + * update for IP header after adding ESP header the application
> + * should update after crypto IPSec operation.

How does a portable application know which operations are still pending?


> + *
> + * If an implementation does not support a particular set of
> + * arguments it should return error.
> + *
> + * @param session        Session handle
> + * @param ipsec_mode     IPSec protocol mode
> + * @param ipsec_proto            IPSec protocol
> + * @param ipsec_params           IPSec parameters. Parameters which are not
> + *                       relevant for selected protocol & mode are ignored -
> + *                       e.g. outer_hdr/size set for ESP transport mode.
> + * @retval 0 on success
> + * @retval <0 on failure
> + */
> +int odp_crypto_session_config_ipsec(odp_crypto_session_t session,
> +                                 enum odp_ipsec_mode ipsec_mode,
> +                                 enum odp_ipsec_proto ipsec_proto,
> +                                 odp_ipsec_params_t ipsec_params);
> +

IMO, we should have a reference implementation of the IPsec protocol offload,
built on the normal crypto operations, so that it can be reused on
platforms which don't have platform offload.


> +/**
> + * @}
> + */
> +
> +#ifdef __cplusplus
> +}
> +#endif
> +
> +#endif
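Review bot: `out_hdr` in `odp_ipsec_params_t` is a raw `uint8_t *` with a separate `out_hdr_size`, and the doc comment on `odp_crypto_session_config_ipsec()` does not say whether the implementation copies the header during the call or keeps the pointer for the lifetime of the session. Because the struct is passed by value, a caller can reasonably free or reuse that buffer once the call returns, which would leave an implementation that retained the pointer reading stale memory on every tunnel-mode encapsulation. I would state the contract on the member, e.g. `/**< outer header - tunnel mode; copied during session config, caller keeps ownership */`, and document that the call returns <0 when `out_hdr` is NULL in tunnel mode or `out_hdr_size` is smaller than the minimum header for `out_hdr_type`. Separately, `seq` is 32 bits wide while `esn` enables extended sequence numbers, so the upper half of an initial extended sequence number presumably cannot be supplied; it is worth confirming that this is intended.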
> diff --git a/platform/linux-generic/include/odp/crypto.h 
> b/platform/linux-generic/include/odp/crypto.h
> index 7684c1e..718ab7d 100644
> --- a/platform/linux-generic/include/odp/crypto.h
> +++ b/platform/linux-generic/include/odp/crypto.h
> @@ -20,6 +20,7 @@ extern "C" {
>  #include <odp/std_types.h>
>  #include <odp/plat/packet_types.h>
>  #include <odp/plat/crypto_types.h>
> +#include <odp/plat/crypto_ipsec_types.h>
>  #include <odp/plat/buffer_types.h>
>  #include <odp/plat/pool_types.h>
>  #include <odp/queue.h>
> @@ -33,6 +34,7 @@ extern "C" {
>   */
>  
>  #include <odp/api/crypto.h>
> +#include <odp/api/crypto_ipsec.h>
>  
>  #ifdef __cplusplus
>  }
> diff --git a/platform/linux-generic/include/odp/plat/crypto_ipsec_types.h 
> b/platform/linux-generic/include/odp/plat/crypto_ipsec_types.h
> new file mode 100644
> index 0000000..74521da
> --- /dev/null
> +++ b/platform/linux-generic/include/odp/plat/crypto_ipsec_types.h
> @@ -0,0 +1,53 @@
> +/* Copyright (c) 2015, Linaro Limited
> + * All rights reserved.
> + *
> + * SPDX-License-Identifier:  BSD-3-Clause
> + */
> +
> +/**
> + * @file
> + *
> + * ODP crypto
> + */
> +
> +#ifndef ODP_CRYPTO_IPSEC_TYPES_H_
> +#define ODP_CRYPTO_IPSEC_TYPES_H_
> +
> +#ifdef __cplusplus
> +extern "C" {
> +#endif
> +
> +/** @addtogroup odp_crypto
> + *  @{
> + */
> +
> +enum odp_ipsec_mode {
> +     ODP_IPSEC_MODE_TUNNEL,      /**< IPSec tunnel mode */
> +     ODP_IPSEC_MODE_TRANSPORT,   /**< IPSec transport mode */
> +};
> +
> +enum odp_ipsec_proto {
> +     ODP_IPSEC_ESP,             /**< ESP protocol */
> +};
> +
> +enum odp_ipsec_outhdr_type {
> +     ODP_IPSEC_OUTHDR_IPV4,    /**< Outer header is IPv4 */
> +     ODP_IPSEC_OUTHDR_IPV6,    /**< Outer header is IPv6 */
> +};
> +
> +enum odp_ipsec_ar_ws {
> +     ODP_IPSEC_AR_WS_NONE,      /**< Anti-replay is not enabled */
> +     ODP_IPSEC_AR_WS_32,        /**< Anti-replay window size 32 */
> +     ODP_IPSEC_AR_WS_64,        /**< Anti-replay window size 64 */
> +     ODP_IPSEC_AR_WS_128,       /**< Anti-replay window size 128 */
> +};
> +
> +/**
> + * @}
> + */
> +
> +#ifdef __cplusplus
> +}
> +#endif
> +
> +#endif
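Review bot: `ODP_IPSEC_AR_WS_NONE` is the first enumerator of `enum odp_ipsec_ar_ws` and therefore has value 0, so an `odp_ipsec_params_t` that is zero-initialised or only partly filled in configures an inbound session with anti-replay checking switched off. For a security-relevant setting the zero value should not silently select the weakest option; either put an explicit invalid or unset enumerator first so the config call can reject it, or at least document it on the member, e.g. `/**< Anti-replay is not enabled (this is the value a zeroed params struct carries) */`. The same zero-default applies to `ODP_IPSEC_MODE_TUNNEL` in `enum odp_ipsec_mode`, though the consequence there is functional rather than a loss of protection. The `@file` block also still reads `ODP crypto` and could name the IPsec types it declares.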
> -- 
> 1.7.3.4
> 