KeyStone Training. Network Coprocessor (NETCP)

Transcription

1 KeyStone Training Network Coprocessor (NETCP) Security Accelerator e () Agenda Motivation Firmware ae Low Level Driver (LLD) IPsec Encryption Example IPsec Decryption Example 1

2 Security Accelerator: Motivation Motivation Firmware Low Level Driver (LLD) IPsec Encryption Example IPsec Decryption Example : Motivation Motivation Hardware Encryption, Decryption, and Authentication Faster than software Supported Protocols IPsec ESP IPsec AH SRTP 3GPP Software Provided Firmware Needed for operation LLD Simplify programming SGMII0 SGMII1 PHY mdio_link_intr[1:0] mdio_user_intr[1:0] misc_int buf_starve_intr NETCP Block Diagram Controller GbE Switch Subsystem INTD stat_pend_raw[1:0] 2

3 Security Accelerator: Firmware Motivation Firmware Low Level Driver (LLD) IPsec Encryption Example IPsec Decryption Example Firmware Download firmware images to PDSPs prior to running : 1. php1 image (IPsec); Download to PDSP1 2. php2 image (SRTP and 3GPP); Download to PDSP2 CPU/3 CFG TeraNet SCR CPU/3 Main TeraNet SCR SGMII 0 SGMII 1 Config 32-bits _VBUSM_TXRX 128 bits SERDES SERDES MDIO 0 INTS Controller CP_ACE Security Unit Switch Status INTS CPSGMII CPSGMII CPMDIO 3-Port Ethernet Switch 32-bit VBUSP TeraNet SCR Streaming Interface Switch Pass 1 LUT CDE Pass 1 LUT CDE Pass 1 LUT CDE Pass 2 LUT CDE CDE PDSP+ 1 PDSP+ 2 PDSP+ 3 PDSP+ 4 PDSP+ 5 PDSP+ CDE 6 Stats 32-bit VBUSP TeraNet SCR Timer16 1 Timer16 2 Timer16 3 Timer16 4 Timer16 5 Timer16 6 PDSP Scratchpad RAM 1 PDSP Scratchpad RAM 2. : PDSP Scratchpad RAM n INTD 3

4 Low Level Driver (LLD) Motivation Firmware Low Level Driver (LLD) IPsec Encryption Example IPsec Decryption Example LLD Overview LLD provides an abstraction layer between the application and the Sub system. It provides both the system level interface and the channel level interface with a set of APIs System Level interface Reset, download and update the PDSP images. Query states and statistics. Read a 64 bit true random number Perform the large integer arithmetic through the PKA module Monitor and report system error Channel Level interface Convert the channel configuration information into the security contexts defined by the. Perform protocol specific packet operations such as insertion of the ESP header, padding and ESP tail. Decrypt and authenticate the received SRTP packet if the is not able to perform the operations due to the key validation failure. Generate the command labels in data mode operation. Maintain the protocol specific channel statistics. LLD does not provide transport layer and all API calls are non blocking The software layers above the LLD must call the appropriate LLD APIs, and then call the appropriate CPPI and QMSS APIs to actually send packets to the. For more information on LLD, refer to the Security Accelerator () User Guide. 4

5 LLD API: Common Interface (1/2) Sa_getBufferReq (Sa_SizeCfg_t *sizecfg, int sizes[], int aligns[]) Sa_getBufferReq returns the memory requirements for the LLD instance. It returns the memory buffer requirements in terms of the size and alignment array. Sa_create (Sa_Config_t *cfg, void *bases[], Sa_Handle *phandle) Sa_create creates the LLD instance. It initializes the LLD instance and its corresponding instance structure based on channel configuration data such as the call out table, and etc. Sa_close (Sa_Handle handle, void *bases[]) Sa_close decativates the LLD instance. Sa_getSysStats (Sa_Handle handle, Sa_SysStats_t *stats) This function obtains LLD system statistics. Sa_State_ t Sa_resetControl (Sa_Handle handle, Sa_State_t newstate) This function controls the reset state of the Sub System. Sa_downloadImage (Sa_Handle handle, int modid, void *image, int sizebytes) This function downloads a PDSP image to a PDSP core within the sub system. u Sa_getID (Sa_Handle handle) This function returns the system ID associated with the specified handle. LLD API: Common Interface (2/2) Sa_rngInit (Sa_Handle handle, Sa_RngConfigParams_t *cfg) The function is called to initialize and configure the RNG (Random Number Generator) module inside. Sa_getRandonNum (Sa_Handle handle, u f_isr, Sa_RngData_t *rnd) This function returns a 64 bit true random number. Sa_rngClose (Sa_Handle handle) Sa_rngClose decativates the RNG module. Sa_pkaInit (Sa_Handle handle) This function initializes the PKA (Public Key Accelerator) module inside. Sa_pkaOperation (Sa_Handle handle, Sa_PkaReqInfo_t *pkareqinfo) This function triggers a large vector arithmetic operation through the PKA module. Sa_pkaClose (Sa_Handle handle) Sa_pkaClose decativates the PKA module. 5

6 LLD API: Channel Interface Sa_chanGetBufferReq (Sa_ChanSizeCfg_t *sizecfg, int sizes[], int aligns[]) Sa_chanGetBufferReq returns the memory requirements for an LLD channel. It returns the memory buffer requirements in terms of the size and alignment array. Sa_chanCreate (Sa_Handle handle, Sa_ChanConfig_t *cfg, void *bases[], Sa_ChanHandle *pchanhdl) Sa_chanCreate creates the LLD channel. It initializes an instance of LLD channel and its corresponding instance structure based on channel configuration data such as the security protocol, and etc. t Sa_chanClose (Sa_ChanHandle handle, void *bases[]) Sa_chanClose decativates the LLD channel. It clears the LLD channel instance. All the associated memory buffers can be freed after this call. Sa_chanControl (Sa_ChanHandle handle, Sa_ChanCtrlInfo_t *chanctrlinfo) This function controls the operations of a channel instance of LLD. It is used to configure and/or re configure the LLD channel with various control information. This function should be called multiple times to configure and activate the LLD channel during the call setup period. Then it is typically called to perform re key operation subsequently. Sa_chanReceiveData (Sa_ChanHandle handle, Sa_PktInfo_t *pktinfo) This function processes packets received from the network. It performs protocol specific post operations on the decrypted and/or integrity verified data packet. It also performs the actual decryption/authentication operation in SW only mode. Sa_chanSendData S (Sa_ChanHandle H handle, Sa_PktInfo_t t *pktinfo, u tclear) This function processes the data packet to the networks. It performs protocol specific operations to prepare the data packets to be encrypted and/or authenticated by the. It also performs the actual encryption and/or authentication in the SW only mode. Sa_chanGetStats (Sa_ChanHandle handle, u flags, Sa_Stats_t *stats) This function obtains LLD channel protocol specific statistics. uint16 _t Sa_chanGetID (Sa_ChanHandle handle) Sa_chanGetID returns the channel ID associated with the specified handle. u LLD API: Utility Functions Sa_isScBufFree (uint8_t *scbuf) This function verifies whether the security context buffer has been freed by. 6

7 LLD API: Callout Functions (1/2) void(* void(* void(* void(* DebugTrace )(Sa_ChanHandle handle, u msgtype, u msgcode, u msglength, u *msgdata) A callout to the system code's debug and exception handling function. This is a function pointer and must point to a valid function which meets the API requirements. ChanKeyRequest )(Sa_ChanHandle handle, Sa_KeyRequest_t *keyreq) Callout to externally supplied system to request a new security key. This function may be triggered by either the Sa_chanSendData() or Sa_chanReceiveData() APIs. The application should call the Sa_chanControl() API to pass the new key when it is available. This is a function pointer and must point to a valid function which meets the API requirements. ScAlloc )(Sa_ChanHandle handle, Sa_ScReqInfo_t *screqinfo) Callout to externally supplied system to allocate the security context with the specified size. This function must be implemented as a simple non blocking function. This is a function pointer and must point to a valid function which meets the API requirements. ScFree )(Sa_ChanHandle handle, u scid) Callout to externally supplied system to release the security context with the specified ID. This function must be implemented as a simple non blocking function. This is a function pointer and must point to a valid function which meets the API requirements. LLD API: Callout Functions (2/2) void(* void(* void(* ChanRegister )(Sa_ChanHandle handle, Sa_SWInfo_t *chanswinfo) Callout to externally supplied system to register the security channel with its software routing information to be programmed into the SS lookup table in the from Network direction. It may be triggered by the Sa_chanControl(), Sa_chanSendData() and Sa_chanReceiveData() APIs. This is a function pointer and must point to a valid function which meets the API requirements. ChanUnRegister )(Sa_ChanHandle handle, Sa_SWInfo_t *chanswinfo) Callout to externally supplied system to un register the security channel with its software routing information to be removed from the SS lookup tables. It may be triggered by the ssa_chanclose(), Sa_chanSendData() and Sa_chanReceiveData() APIs. This is a function pointer and must point to a valid function which meets the API requirements. ChanSendNullPkt )(Sa_ChanHandle handle, Sa_PktInfo_t *pktinfo) Callout to externally supplied system to send an Null packet to the sub system. The null packet is used to evict and/or tear down the security context associated with the channel. It may be triggered by the Sa_chanClose(), Sa_chanSendData() and Sa_chanReceiveData() APIs. This is a function pointer and must point to a valid function which meets the API requirements. 7

8 LLD: Basic Configuration Configuration Information Step 2: Load FW: Sa_resetControl(DIBLE) Sa_downloadImage() Sa_resetControl(ENABLE) Step 1: Set up memory: Sa_getBufferReq() Sa_create() NETCP QMSS CorePac LLD Multicore Navigator IPsec Encryption Example Motivation Firmware Low Level Driver (LLD) IPsec Encryption Example IPsec Decryption Example 8

9 IPsec Encryption: Packets Starting Packet (before IPsec Encryption) MAC Final Packet (after IPsec Encryption) MAC IPsec IPsec Encryption: Configuration MAC Configuration Information NOTE: Currently, only reserving room for IPsec header. The actual header has not been created yet! NETCP IPsec QMSS Multicore Navigator NOTE: Currently, only reserving room for IPsec tail. The actual tail has not been created yet! Set up routing for decryption in Sa_DestInfo_t structure. CorePac Step 1: Set up IPsec channel: Sa_chanGetBufferReq() Sa_ chancreate() //Setup Security Context Sa_chanControl() //setup general cfg Sa_chanControl() //setup key cfg Sa_chanControl() //setup TX chan LLD Step 2: Prepare packet for IPsec encryption: /* Reserve room for ESP Header and the initialization vector in front of ESP payload, calculate ESP padding size, insert ESP padding and ESP Tail, adjust payload length and packet size */ Sa_chanSendData() Step 3: Create command to be sent with the packet to : HO_SINFO_FORMAT_CMD() 9

10 IPsec Encryption: Tx Queue Transmit Data Packet MAC IPsec Receive Data Packet Step 4: Set command, link buffer, and push descriptor onto Tx queue: Cppi_setPSData(command) // Link command from Step 3 /* Provide info from Sa_chanControl() allow to access security context */ Cppi_setSoftwareInfo() descriptor->buffptr = pkt // Link Packet Qmss_queuePush() // Push descriptor onto TX queue NETCP QMSS CorePac LLD Multicore Navigator Step 5: automatically pops descriptor from the Tx queue and sends the packet to NETCP. After finishes the data transfer, the Tx descriptor is returned to the specified packet completion queue. IPsec Encryption: to Step 6: Once the data transfer from 0 queue to the NETCP has completed, the controller transfers the packet through the packet streaming switch to the. Q640: PDSP0 Controller Q641: PDSP1 Q642: PDSP2 Q643: PDSP3 Q644: PDSP4 Q645: PDSP5 Q646: 0 Q647: 1 Q648: GbE SW Q900: RXQUEUE SGMII0 SGMII1 PHY mdio_link_intr[1:0] mdio_user_intr[1:0] misc_int buf_starve_intr GbE Switch Subsystem INTD stat_pend_raw[1:0] 10

11 IPsec Encryption: to Step 7: encrypts the packet with IPsec ESP encryption and transfers the packet through the packet streaming switch to the controller and into the RXQUEUE. Q640: PDSP0 Controller Q641: PDSP1 Q642: PDSP2 Q643: PDSP3 Q644: PDSP4 Q645: PDSP5 Q646: 0 Q647: 1 Q648: GbE SW Q900: RXQUEUE SGMII0 SGMII1 PHY mdio_link_intr[1:0] mdio_user_intr[1:0] misc_int buf_starve_intr GbE Switch Subsystem INTD stat_pend_raw[1:0] IPsec Encryption: to CorePac Repeat steps 5-7 to encrypt more packets. Transmit Data Packet MAC IPsec Receive Data Packet NOTE: Contains encrypted IPsec data. NETCP QMSS Multicore Navigator Step 8: The packet is transferred from the controller to host memory via the. Once the transfer is complete, the Rx flow pushes the descriptor onto the Rx queue specified in Sa_DestInfo_t structure during setup. CorePac Step 9: Pop the descriptor to process the packet: QMSS_queuePop() LLD 11

12 IPsec Decryption Example Motivation Firmware Low Level Driver (LLD) IPsec Encryption Example IPsec Decryption Example IPsec Decryption: Packets Starting Packet (before IPsec Decryption) EMAC O_IP IPsec I_IP Final Packet (after IPsec Decryption) EMAC O_IP I_IP 12

13 IPsec Decryption: Config & Tx Queue Configuration Information MAC IPsec Transmit Data Packet Step 3: automatically pops the descriptor from TX queue and sends the packet to NETCP via. After finishes the data transfer, the Tx descriptor is returned to the specified packet completion queue. NETCP QMSS Multicore Navigator Step 2: Set command, link buffer, and push descriptor onto Tx queue: Cppi_setPSData() /* Provide info from Sa_chanControl() allow to access security context */ Cppi_setSoftwareInfo() Descriptor->buffPtr = pkt //Link packet buffer Qmss_queuePush() //Push descriptor onto TX queue CorePac Sets up routing for decryption in Sa_DestInfo_t structure. LLD Step 1: Set up IPsec Channel: Sa_chanGetBufferReq() Sa_chanCreate() //Setup Security Context Sa_chanControl() //setup general cfg Sa_chanControl() //setup key cfg Sa_chanControl() //setup RX chan IPsec Decryption: to Step 4: Once the data transfer from 0 queue to the NETCP has completed, the controller transfers the packet through the packet streaming switch to the. Q640: PDSP0 Controller Q641: PDSP1 Q642: PDSP2 Q643: PDSP3 Q644: PDSP4 Q645: PDSP5 Q646: 0 Q647: 1 Q648: GbE SW Q900: RXQUEUE SGMII0 SGMII1 PHY mdio_link_intr[1:0] mdio_user_intr[1:0] misc_int buf_starve_intr GbE Switch Subsystem INTD stat_pend_raw[1:0] 13

14 IPsec Decryption: to Step 5: decrypts the IPsec ESP packet and transfers the packet through the packet streaming switch to the controller and into the RXQUEUE. Q640: PDSP0 Controller Q641: PDSP1 Q642: PDSP2 Q643: PDSP3 Q644: PDSP4 Q645: PDSP5 Q646: 0 Q647: 1 Q648: GbE SW Q900: RXQUEUE SGMII0 SGMII1 PHY mdio_link_intr[1:0] mdio_user_intr[1:0] misc_int buf_starve_intr GbE Switch Subsystem INTD stat_pend_raw[1:0] IPsec Decryption: to CorePac MAC Receive Data Packet IPsec NOTE: Remove space reserved for IPsec header in Step 8. NOTE: Decrypted data NOTE: Remove space reserved for IPsec tail in Step 8. NETCP QMSS CorePac LLD Multicore Navigator Step 8: Remove IPsec header and tail: /* Update the packet size and protocol payload size in the header parsing information */ Sa_chanReceiveData() Step 6: The packet is transferred from the controller to host memory via the. Once the transfer is complete, the Rx flow pushes the descriptor onto the queue specified in Sa_DestInfo_t structure during setup. Step 7: Pop descriptor to process the packet: QMSS_queuePop() 14

15 For More Information For more information, refer to the Security Accelerator () User Guide. For questions regarding topics covered in this training, visit the support forums at the TI E2E Community website. 15