Type: feature
This patch update the Intel IPsec-MB lib to v1.4
Remove v0.54 and v0.55 support, as the compatible IMB APIs
are deprecated in v1.4
Signed-off-by: Ranjan Raj <ranjanx.raj@intel.com>
Change-Id: I01f71134c6bd17a68ec20b7bb4b0b0ff43fc644b
IV requirements vary wildly with the selected mode of operation. For
example, for AES-CBC the IV must be unpredictable whereas for AES
counter mode (CTR or GCM), it can be predictable but reusing an IV with
the same key material is catastrophic.
Because of that, it is hard to generate IV in a generic way, and it is
better left to the crypto user (eg. IPsec).
Type: improvement
Change-Id: I32689c591d8c6572b8d37c4d24f175ea6132d3ec
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Plugin checks just for AVX2 instruction set, while the v1.3 of IPsec
Multi-Buffer library checks for both AVX2 and BMI2 sets during init.
VirtualBox VM doesn't provide BMI2 by default to guest operating system.
Result is that VPP plugin decides to use AVX2 initialization and library
then doesn't do it. Since flush_job remains empty, the self-check fails
and with that the whole VPP crashes on start-up.
Type: fix
Signed-off-by: Maros Ondrejicka <maros.ondrejicka@pantheon.tech>
Change-Id: I6b661f2b9bbe6dd03b499c55c38a9b814e6d718a
Backward compatibility was broken when updating ipsecmb version to 1.3.
Type: improvement
Signed-off-by: marcel.d.cornu@intel.com
Change-Id: I87a76859ec5e2ef6be0bc2af0960fa2494ce4297
- Use the latest IPsec Multi-Buffer library release v1.3
- Use ipsec-mb burst API for HMAC-SHAx algorithms
- Use ipsec-mb burst API for AES-CBC and AES-CTR algorithms
The new burst API available in ipsecmb v1.3 brings significant
performance improvements for certain algorithms compared to the job API.
Type: feature
Signed-off-by: marcel.d.cornu@intel.com
Change-Id: I3490b35a616a2ea77607f103426df62438c22b2b
Type: fix
This patch fixes the chacha20-poly1305 support check in ipsecmb
engine build.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com>
Change-Id: I74b52a27f78a0f6a65c867dbd44a44a8f4a2ed60
The 0.55 version of libipsec_mb does not support the chacha functions
used in the plugin.
The missing symobls are:
ipsecmb_ops_chacha_poly
ipsecmb_ops_chacha_poly_chained
IMB_CIPHER_DIRECTION
Check for ipsecmb_ops_chacha_poly() and conditionalise the chacha code
in the plugin on this.
ipsec_mb 0.55 is the version currently found in Debian Stable (bullseye)
Type: make
Signed-off-by: Nick Brown <nickbroon@gmail.com>
Change-Id: I88c962ac4f99a58b5cd61fb9b75f692e27d4ec30
Type: feature
This patch adds chacha20-poly1305 single and chained algorithm
support to ipsecmb crypto engine.
Signed-off-by: DariuszX Kazimierski <dariuszx.kazimierski@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Change-Id: If04ee0c8f985b07fd31dad1ce29000ec6f1733c5
Use error counters related to ipsec-mb return codes instead of
'bad-hmac' only.
Type: improvement
Change-Id: I9329da300a70d76b4d4ab30fa45f0a2a85d6519b
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Do not access data structures based on uninitialized key->alg.
Type: fix
Fixes: f539578bac
Change-Id: I6bfb7e7a51af2c131b8bdf3bca6a38fcf1094760
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Type: refactor
Use ipsecmb single GCM enc/dec API to furthuer improve single
buffer performance for small packets.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Change-Id: I2d34ff50d34b09f194fc0c88b6e9a3928a86fc33
This patch improves the GCM encrypt and decrypt performance using
the dedicated API provided by intel-ipsec-mb library. This helps
remove the overhead caused by the JOB API.
Type: feature
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Change-Id: I00c9ab3ed9f2660093fb2584feb8bca4979acee8
IPsec zero-es all allocated key memory including memory sur-allocated by
the allocator.
Move it to its own function in clib mem infra to make it easier to
instrument.
Type: refactor
Change-Id: Icd1c44d18b741e723864abce75ac93e2eff74b61
Signed-off-by: Benoît Ganne <bganne@cisco.com>
AES intrinsics use builtins available only with the -maes and GCC 9 just
started to enforce it.
Type: fix
Change-Id: Ia6825ea3eae7191a4bfee47f9fa93fad16ccf76c
Signed-off-by: Benoît Ganne <bganne@cisco.com>
The vlib init function subsystem now supports a mix of procedural and
formally-specified ordering constraints. We should eliminate procedural
knowledge wherever possible.
The following schemes are *roughly* equivalent:
static clib_error_t *init_runs_first (vlib_main_t *vm)
{
clib_error_t *error;
... do some stuff...
if ((error = vlib_call_init_function (init_runs_next)))
return error;
...
}
VLIB_INIT_FUNCTION (init_runs_first);
and
static clib_error_t *init_runs_first (vlib_main_t *vm)
{
... do some stuff...
}
VLIB_INIT_FUNCTION (init_runs_first) =
{
.runs_before = VLIB_INITS("init_runs_next"),
};
The first form will [most likely] call "init_runs_next" on the
spot. The second form means that "init_runs_first" runs before
"init_runs_next," possibly much earlier in the sequence.
Please DO NOT construct sets of init functions where A before B
actually means A *right before* B. It's not necessary - simply combine
A and B - and it leads to hugely annoying debugging exercises when
trying to switch from ad-hoc procedural ordering constraints to formal
ordering constraints.
Change-Id: I5e4353503bf43b4acb11a45fb33c79a5ade8426c
Signed-off-by: Dave Barach <dave@barachs.net>
"make test" fails with invalid instruction on non-AESNI platform,
so do not register the ipsec-mb crypto backend in this case.
Change-Id: I61887e40ce3d39880e7da534b9dee00fd677d8fd
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
- Make plugin descriptions more consistent
so the output of "show plugin" can be
used in the wiki.
Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
- nonce construction out of salt and iv is ipsec specific so it should be
handled in ipsec code
- fixes GCM unit tests
- GCM IV is constructed out of simple counter, per RFC4106 section 3.1
Change-Id: Ib7712cc9612830daa737f5171d8384f1d361bb61
Signed-off-by: Damjan Marion <damarion@cisco.com>
hard code IV and key lengths based on cipher.
Init IV from random data, use AES instruction to rotate.
Change-Id: I13a6507d12267b823c528660a903787baeba47a0
Signed-off-by: Neale Ranns <nranns@cisco.com>
A plugin to use Intel IPSec MB library as a VPP crypto engine
This changes uses concepts from:
https://gerrit.fd.io/r/#/c/17301/
hence that author's work is acknowledge below
Change-Id: I2bf3beeb10f3c9706fa5efbdc9bc023e310f5a92
Signed-off-by: Neale Ranns <nranns@cisco.com>
Signed-off-by: Klement Sekera <ksekera@cisco.com>
