| #
99783e21 |
| 27-Apr-2022 |
Anoob Joseph <[email protected]> |
security: fix SA lifetime comments
Fix comments to reflect the hard expiry fields.
Fixes: ad7515a39f2a ("security: add SA lifetime configuration")
Cc: [email protected]
Reported-by: Thomas Monjalon
security: fix SA lifetime comments
Fix comments to reflect the hard expiry fields.
Fixes: ad7515a39f2a ("security: add SA lifetime configuration")
Cc: [email protected]
Reported-by: Thomas Monjalon <[email protected]>
Signed-off-by: Anoob Joseph <[email protected]>
Reviewed-by: Morten Brørup <[email protected]>
show more ...
|
|
Revision tags: v22.03, v22.03-rc4, v22.03-rc3, v22.03-rc2 |
|
| #
30a1de10 |
| 15-Feb-2022 |
Sean Morrissey <[email protected]> |
lib: remove unneeded header includes
These header includes have been flagged by the iwyu_tool
and removed.
Signed-off-by: Sean Morrissey <[email protected]>
|
|
Revision tags: v22.03-rc1 |
|
| #
8507a169 |
| 08-Feb-2022 |
Akhil Goyal <[email protected]> |
security: add IPsec option for IP reassembly
A new option is added in IPsec to enable and attempt reassembly
of inbound IP packets.
Signed-off-by: Akhil Goyal <[email protected]>
|
|
Revision tags: v21.11, v21.11-rc4, v21.11-rc3, v21.11-rc2, v21.11-rc1 |
|
| #
daa02b5c |
| 15-Oct-2021 |
Olivier Matz <[email protected]> |
mbuf: add namespace to offload flags
Fix the mbuf offload flags namespace by adding an RTE_ prefix to the
name. The old flags remain usable, but a deprecation warning is issued
at compilation.
Sign
mbuf: add namespace to offload flags
Fix the mbuf offload flags namespace by adding an RTE_ prefix to the
name. The old flags remain usable, but a deprecation warning is issued
at compilation.
Signed-off-by: Olivier Matz <[email protected]>
Acked-by: Andrew Rybchenko <[email protected]>
Acked-by: Ajit Khaparde <[email protected]>
Acked-by: Somnath Kotur <[email protected]>
show more ...
|
| #
fb545457 |
| 18-Oct-2021 |
Akhil Goyal <[email protected]> |
security: add reserved bit fields
In struct rte_security_ipsec_sa_options, for every new option
added, there is an ABI breakage, to avoid, a reserved_opts
bitfield is added to for the remaining bits
security: add reserved bit fields
In struct rte_security_ipsec_sa_options, for every new option
added, there is an ABI breakage, to avoid, a reserved_opts
bitfield is added to for the remaining bits available in the
structure.
Now for every new sa option, these reserved_opts can be reduced
and new option can be added.
Signed-off-by: Akhil Goyal <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Ray Kinsella <[email protected]>
show more ...
|
| #
17344c02 |
| 14-Oct-2021 |
Radu Nicolau <[email protected]> |
security: add UDP parameters for IPsec NAT-T
Add support for specifying UDP port params for UDP encapsulation option.
RFC3948 section-2.1 does not enforce using specific the UDP ports for
UDP-Encaps
security: add UDP parameters for IPsec NAT-T
Add support for specifying UDP port params for UDP encapsulation option.
RFC3948 section-2.1 does not enforce using specific the UDP ports for
UDP-Encapsulated ESP Header
Signed-off-by: Declan Doherty <[email protected]>
Signed-off-by: Radu Nicolau <[email protected]>
Signed-off-by: Abhijit Sinha <[email protected]>
Signed-off-by: Daniel Martin Buckley <[email protected]>
Acked-by: Fan Zhang <[email protected]>
Acked-by: Anoob Joseph <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
show more ...
|
| #
199fcba1 |
| 14-Oct-2021 |
Radu Nicolau <[email protected]> |
security: add ESN field to IPsec xform
Update ipsec_xform definition to include ESN field.
This allows the application to control the ESN starting value.
Signed-off-by: Declan Doherty <declan.doher
security: add ESN field to IPsec xform
Update ipsec_xform definition to include ESN field.
This allows the application to control the ESN starting value.
Signed-off-by: Declan Doherty <[email protected]>
Signed-off-by: Radu Nicolau <[email protected]>
Signed-off-by: Abhijit Sinha <[email protected]>
Signed-off-by: Daniel Martin Buckley <[email protected]>
Acked-by: Fan Zhang <[email protected]>
Acked-by: Anoob Joseph <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
show more ...
|
| #
03ab51ea |
| 30-Sep-2021 |
Archana Muniganti <[email protected]> |
security: add SA config option for inner checksum
Add inner packet IPv4 hdr and L4 checksum enable options
in conf. These will be used in case of protocol offload.
Per SA, application could specify
security: add SA config option for inner checksum
Add inner packet IPv4 hdr and L4 checksum enable options
in conf. These will be used in case of protocol offload.
Per SA, application could specify whether the
checksum(compute/verify) can be offloaded to security device.
Signed-off-by: Archana Muniganti <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
show more ...
|
| #
f7e3aa69 |
| 29-Sep-2021 |
Tejasree Kondoj <[email protected]> |
security: add option to configure UDP ports verification
Add option to indicate whether UDP encapsulation ports
verification need to be done as part of inbound
IPsec processing.
Signed-off-by: Teja
security: add option to configure UDP ports verification
Add option to indicate whether UDP encapsulation ports
verification need to be done as part of inbound
IPsec processing.
Signed-off-by: Tejasree Kondoj <[email protected]>
Acked-by: Hemant Agrawal <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
show more ...
|
| #
f9b2a75e |
| 06-Oct-2021 |
Tal Shnaiderman <[email protected]> |
security: use net library to include IP structs
Remove the netinet includes and replaces them
with rte_ip.h to support the in_addr/in6_addr structs
on all operating systems.
Signed-off-by: Tal Shna
security: use net library to include IP structs
Remove the netinet includes and replaces them
with rte_ip.h to support the in_addr/in6_addr structs
on all operating systems.
Signed-off-by: Tal Shnaiderman <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
Acked-by: William Tu <[email protected]>
show more ...
|
| #
f0b538a5 |
| 28-Sep-2021 |
Tejasree Kondoj <[email protected]> |
security: add option to configure tunnel header verification
Add option to indicate whether outer header verification
need to be done as part of inbound IPsec processing.
With inline IPsec processi
security: add option to configure tunnel header verification
Add option to indicate whether outer header verification
need to be done as part of inbound IPsec processing.
With inline IPsec processing, SA lookup would be happening
in the Rx path of rte_ethdev. When rte_flow is configured to
support more than one SA, SPI would be used to lookup SA.
In such cases, additional verification would be required to
ensure duplicate SPIs are not getting processed in the inline path.
For lookaside cases, the same option can be used by application
to offload tunnel verification to the PMD.
These verifications would help in averting possible DoS attacks.
Signed-off-by: Tejasree Kondoj <[email protected]>
Acked-by: Hemant Agrawal <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
show more ...
|
| #
ad7515a3 |
| 28-Sep-2021 |
Anoob Joseph <[email protected]> |
security: add SA lifetime configuration
Add SA lifetime configuration to register soft and hard expiry limits.
Expiry can be in units of number of packets or bytes. Crypto op
status is also updated
security: add SA lifetime configuration
Add SA lifetime configuration to register soft and hard expiry limits.
Expiry can be in units of number of packets or bytes. Crypto op
status is also updated to include new field, aux_flags, which can be
used to indicate cases such as soft expiry in case of lookaside
protocol operations.
In case of soft expiry, the packets are successfully IPsec processed but
the soft expiry would indicate that SA needs to be reconfigured. For
inline protocol capable ethdev, this would result in an eth event while
for lookaside protocol capable cryptodev, this can be communicated via
`rte_crypto_op.aux_flags` field.
In case of hard expiry, the packets will not be IPsec processed and
would result in error.
Signed-off-by: Anoob Joseph <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
show more ...
|
| #
63992166 |
| 07-Sep-2021 |
Anoob Joseph <[email protected]> |
security: support user-specified IV
Enabled user to provide IV to be used per security
operation. This would be used with lookaside protocol
offload for comparing against known vectors.
By default,
security: support user-specified IV
Enabled user to provide IV to be used per security
operation. This would be used with lookaside protocol
offload for comparing against known vectors.
By default, PMD would internally generate random IV.
Signed-off-by: Anoob Joseph <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
show more ...
|
| #
d08dcd28 |
| 15-Sep-2021 |
Nithin Dabilpuram <[email protected]> |
security: add option for faster user/meta data access
Currently rte_security_set_pkt_metadata() and rte_security_get_userdata()
methods to set pkt metadata on Inline outbound and get userdata
after
security: add option for faster user/meta data access
Currently rte_security_set_pkt_metadata() and rte_security_get_userdata()
methods to set pkt metadata on Inline outbound and get userdata
after Inline inbound processing is always driver specific callbacks.
For drivers that do not have much to do in the callbacks but just
to update metadata in rte_security dynamic field and get userdata
from rte_security dynamic field, having to just to PMD specific
callback is costly per packet operation. This patch provides
a mechanism to do the same in inline function and avoid function
pointer jump if a driver supports the same.
Signed-off-by: Nithin Dabilpuram <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
show more ...
|
| #
864c1a40 |
| 08-Sep-2021 |
Hemant Agrawal <[email protected]> |
security: support PDCP short MAC-I
This patch add support to handle PDCP short MAC-I domain
along with standard control and data domains as it has to
be treaty as special case with PDCP protocol off
security: support PDCP short MAC-I
This patch add support to handle PDCP short MAC-I domain
along with standard control and data domains as it has to
be treaty as special case with PDCP protocol offload support.
ShortMAC-I is the 16 least significant bits of calculated MAC-I. Usually
when a RRC message is exchanged between UE and eNodeB it is integrity &
ciphered protected.
MAC-I = f(key, varShortMAC-I, count, bearer, direction).
Here varShortMAC-I is prepared by using (current cellId, pci of source cell
and C-RNTI of old cell). Other parameters like count, bearer and
direction set to all 1.
crypto-perf app is updated to take short MAC as input mode.
Signed-off-by: Gagandeep Singh <[email protected]>
Signed-off-by: Hemant Agrawal <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
show more ...
|
|
Revision tags: v21.08, v21.08-rc4, v21.08-rc3, v21.08-rc2, v21.08-rc1, v21.05, v21.05-rc4, v21.05-rc3, v21.05-rc2, v21.05-rc1 |
|
| #
99a2dd95 |
| 20-Apr-2021 |
Bruce Richardson <[email protected]> |
lib: remove librte_ prefix from directory names
There is no reason for the DPDK libraries to all have 'librte_' prefix on
the directory names. This prefix makes the directory names longer and also
m
lib: remove librte_ prefix from directory names
There is no reason for the DPDK libraries to all have 'librte_' prefix on
the directory names. This prefix makes the directory names longer and also
makes it awkward to add features referring to individual libraries in the
build - should the lib names be specified with or without the prefix.
Therefore, we can just remove the library prefix and use the library's
unique name as the directory name, i.e. 'eal' rather than 'librte_eal'
Signed-off-by: Bruce Richardson <[email protected]>
show more ...
|