This example expands on the definition of crypto_accelerator (#53).
The example adds two methods for encrypt/decrypt that assume that inline accelerators operate immediately on the packet (e.g. deparse, decrypt and reparse). Packet recirculation is not necessary for either inline method.
The example shows the use of inline encrypt and decrypt, as well as how the crypto accelerator results can be used.
loalan authored and Alan Lo committed Nov 21, 2022
1 parent ebb2b6c commit 37ca96c
Showing 2 changed files with 467 additions and 0 deletions.
55 changes: 55 additions & 0 deletions examples/include/crypto-accelerator.p4
Expand Up @@ -28,6 +28,12 @@ enum crypto_results_e {
HW_ERROR
}

enum crypto_mode_e {
TUNNEL,
TRANSPORT,
TRANSPORT_NAT_T
}

/// special value to indicate that ICV is after the crypto payload
#define ICV_AFTER_PAYLOAD ((int<32>)-1)

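Review bot: the new `crypto_mode_e` enum and the `ICV_AFTER_PAYLOAD` constant carry no documentation of how they are consumed, while the surrounding file uses `///` doc comments (see `/// special value to indicate that ICV is after the crypto payload`). Please document what distinguishes `TUNNEL`, `TRANSPORT` and `TRANSPORT_NAT_T` for the accelerator (what the extern encapsulates or strips in each mode), and state which parameter or metadata field `ICV_AFTER_PAYLOAD` is meant to be compared against and its type, since `((int<32>)-1)` only makes sense as a sentinel for a signed 32-bit offset/length field that is not visible in this hunk.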
Expand Down Expand Up @@ -122,6 +128,55 @@ extern crypto_accelerator {
void enable_encrypt<T>(in T enable_auth);
void enable_decrypt<T>(in T enable_auth);

// crypto accelerator runs immediately and returns control flow to the current pipeline
// stage. The method is responsible for defining the contents of the ESP header,
// calculating the payload offset and lengths, encrypting the payload appropriately and
// reparsing the packet. User can decide if to proceed or reinject.
//
// Pre-conditions: The parser must have been executed prior to this extern. The packet
// headers and metadata from the parser are provided as inout params.
// Post-conditions: The deparser will be executed prior to encapsulation, the packet
// bytestream will be updated and encryption will be performed on the payload. The
// packet will be reparsed and parser states updated.
// Side-effects: parser states will be re-evaluated if crypto has succeeded.
//
// H - inout Headers is the output of the parser block
// M - inout Metadata is from the parser block and shared with the control
// T - in enable_auth flag enables authentication check
// S - in seq is the optional sequence number
// I - in iv is the initialization vector
crypto_results_e encrypt_inline<H,M,T,S,I>(packet_in pkt,
inout H hdr,
inout M meta,
in crypto_mode_e mode,
in T enable_auth,
in bit<32> spi,
in S seq,
in I iv);

// crypto accelerator runs immediately and returns control flow to the current pipeline
// stage. The method is responsible for decrypting the payload appropriately, removing
// the ESP header, calculating the payload offset and lengths, and reparsing the packet.
// The user should then check the status.
//
// Pre-conditions: The parser will have been executed prior to this extern. The packet
// headers and metadata from the parser are provided as inout params.
// Post-conditions: The deparser will be executed prior to decapsulation, the packet
// bytestream will be updated and decryption will be performed on the payload. The
// packet will be reparsed and parser states recalculated.
// Side-effects: parser states will be re-evaluated if crypto has succeeded.
//
// H - inout Headers is the output of the parser block
// M - inout Metadata is from the parser block and shared with the control
// T - in enable_auth flag enables authentication check
// S - in seq is the optional sequence number
crypto_results_e decrypt_inline<H,M,T,S>(packet_in pkt,
inout H hdr,
inout M meta,
in crypto_mode_e mode,
in T enable_auth,
in S seq);

// disable crypto engine. Between enable and disable methods,
// whichever method is called last overrides the previous calls
void disable();
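Review bot: the post-conditions for `encrypt_inline` and `decrypt_inline` only cover the success path ("parser states will be re-evaluated if crypto has succeeded"), but `hdr` and `meta` are `inout`, so the caller needs to know what state they are in when the returned `crypto_results_e` is not success (for example `HW_ERROR`, or a failed authentication check when `enable_auth` is set for decrypt): are the headers and bytestream left untouched, partially rewritten, or undefined? Please spell this out, and say explicitly that the decrypted payload must not be forwarded unless the result indicates success, since the comment "The user should then check the status" leaves that implicit. Two smaller documentation gaps in the same hunk: the parameter lists describe `H`, `M`, `T`, `S`, `I` but not `mode` or `spi`, and `decrypt_inline` takes neither `spi` nor `iv` where `encrypt_inline` takes both (presumably because both are read from the packet's ESP header; if so, state that). Finally, the existing `disable()` comment says the last `enable_*`/`disable` call wins, so it would help to state whether the inline methods depend on, or override, a prior `enable_encrypt`/`enable_decrypt` call.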
Expand Down
