Upload
phamhuong
View
216
Download
0
Embed Size (px)
Citation preview
11/7/2010
1
KeyStone Training
Network Coprocessor (NETCP)
Security Accelerator (SA)Secu ty cce e ato (S )
Agenda
• Motivation • Firmwarea e• SA Low Level Driver (LLD)• IPsec Encryption Example• IPsec Decryption Example
11/7/2010
2
Security Accelerator: Motivation
• Motivation • FirmwareFirmware• SA Low Level Driver (LLD)• IPsec Encryption Example• IPsec Decryption Example
SA: Motivation
• Motivation
– Hardware Encryption, Decryption, and Authentication
NETCP Block Diagram
PKTDMA Controller
PKTDMA
Authentication
• Faster than software
– Supported Protocols
• IPsec ESP
• IPsec AH
• SRTP
• 3GPP
• Software Provided
SA
PA
• Software Provided
– Firmware
• Needed for SA operation
– SA LLD
• Simplify programming
GbE SwitchSubsystem
INTD
SGMII0
SGMII1
PHY
stat_pend_raw[1:0]
misc_int
buf_starve_intr
mdio_link_intr[1:0]mdio_user_intr[1:0]
11/7/2010
3
Security Accelerator: Firmware
• Motivation • FirmwareFirmware• SA Low Level Driver (LLD)• IPsec Encryption Example• IPsec Decryption Example
SA Firmware
CPU/3 CFG TeraNet SCR
PKTDMA_VBUSM_TXRX
Config 32-bits
PKTDMA
Pass 1 LUT
CDE
PDSP+1
Timer16 1
Timer16 2
32-bit VBUSP TeraNet SCR• Download firmware images toSA PDSPs prior
i S
3 PCPSGMII
CP_ACESecurity
Unit
Switch Status INTS
SGMII 0
CPU/3 Main TeraNet SCR
128 bitsPKTDMAController Pass 1 LUT
CDE
PDSP+2
Pass 1 LUT
CDE
PDSP+3
CDE
PDSP+5
Timer16 2
Timer16 3
Timer16 4
PDSPScratchpad RAM 1
PDSPScratchpad RAM 2
.:
PDSP
Timer16 5
32
-bit V
BU
SP
Tera
Ne
t SC
R
Stre
am
ing In
terfa
ce S
witch
Pass 2 LUT
CDE
PDSP+4
CDE
PDSP+6
Timer16 6
SERDES
CP_ACESecurity
Unit
to running SA:
1. php1 image(IPsec); Download to SA PDSP1
2. php2 image(SRTP and
3-PortEthernetSwitch
CPSGMII
MDIO 0 INTS
SGMII 1
SGMII 0 PDSPScratchpad RAM nCDE 6
CPMDIO
PAStats
INTD
SERDES3GPP); Download to SA PDSP2
11/7/2010
4
SA Low Level Driver (LLD)
• Motivation • FirmwareFirmware• SA Low Level Driver (LLD)• IPsec Encryption Example• IPsec Decryption Example
SA LLD Overview• SA LLD provides an abstraction layer between the application and the SA Sub‐system. It
provides both the system level interface and the channel level interface with a set of APIs • System Level interface
– Reset, download and update the SA PDSP images.– Query SA states and statistics.
Read a 64 bit true random number– Read a 64‐bit true random number– Perform the large integer arithmetic through the PKA module– Monitor and report SA system error
• Channel Level interface– Convert the channel configuration information into the security contexts defined by the
SA.– Perform protocol‐specific packet operations such as insertion of the ESP header, padding
and ESP tail.– Decrypt and authenticate the received SRTP packet if the SA is not able to perform the
operations due to the key validation failure.Generate the command labels in data mode operation– Generate the command labels in data mode operation.
– Maintain the protocol‐specific channel statistics.• SA LLD does not provide transport layer and all API calls are non‐blocking• The software layers above the SA LLD must call the appropriate SA LLD APIs, and then call the
appropriate CPPI and QMSS APIs to actually send packets to the SA.
For more information on SA LLD, refer to the Security Accelerator (SA) User Guide.
11/7/2010
5
SA LLD API: Common Interface (1/2)int16_t Sa_getBufferReq (Sa_SizeCfg_t *sizeCfg, int sizes[], int aligns[])
Sa_getBufferReq returns the memory requirements for the SALLD instance. It returns the memory buffer requirements in terms of the size and alignment array.
int16_t Sa_create (Sa_Config_t *cfg, void *bases[], Sa_Handle *pHandle)
Sa_create creates the SA LLD instance. It initializes the SALLD instance and its corresponding instance structure based on channel configuration data such as the call‐out table and etcout table, and etc.
int16_t Sa_close (Sa_Handle handle, void *bases[])
Sa_close decativates the SA LLD instance.
int16_t Sa_getSysStats (Sa_Handle handle, Sa_SysStats_t *stats)
This function obtains SALLD system statistics.
Sa_State_t Sa_resetControl (Sa_Handle handle, Sa_State_t newState)
This function controls the reset state of the SA Sub‐System.
int16_t Sa_downloadImage (Sa_Handle handle, int modId, void *image, int sizeBytes)
This function downloads a PDSP image to a PDSP core within the SA sub‐system.
uint16_t Sa_getID (Sa_Handle handle)
This function returns the SA system ID associated with the specified handle.
SA LLD API: Common Interface (2/2)int16_t Sa_rngInit (Sa_Handle handle, Sa_RngConfigParams_t *cfg)
The function is called to initialize and configure the RNG (Random Number Generator) module inside SA.
int16_t Sa_getRandonNum (Sa_Handle handle, uint16_t f_isr, Sa_RngData_t *rnd)
This function returns a 64‐bit true random number.
int16_t Sa_rngClose (Sa_Handle handle)
Sa rngClose decativates the SA RNGmodule.Sa_rngClose decativates the SA RNG module.
int16_t Sa_pkaInit (Sa_Handle handle)
This function initializes the PKA (Public Key Accelerator) module inside SA.
int16_t Sa_pkaOperation (Sa_Handle handle, Sa_PkaReqInfo_t *pkaReqInfo)
This function triggers a large vector arithmetic operation through the PKA module.
int16_t Sa_pkaClose (Sa_Handle handle)
Sa_pkaClose decativates the SA PKA module.
11/7/2010
6
SA LLD API: Channel‐Interfaceint16_t
Sa_chanGetBufferReq (Sa_ChanSizeCfg_t *sizeCfg, int sizes[], int aligns[])
Sa_chanGetBufferReq returns the memory requirements for an SALLD channel. It returns the memory buffer requirements in terms of the size and alignment array.
int16_tSa_chanCreate (Sa_Handle handle, Sa_ChanConfig_t *cfg, void *bases[], Sa_ChanHandle *pChanHdl)
Sa_chanCreate creates the SALLD channel. It initializes an instance of SALLD channel and its corresponding instance structure based on channel configuration data such as the security protocol, and etc.
int16 tint16_tSa_chanClose (Sa_ChanHandle handle, void *bases[])
Sa_chanClose decativates the SALLD channel. It clears the SALLD channel instance. All the associated memory buffers can be freed after this call.
int16_tSa_chanControl (Sa_ChanHandle handle, Sa_ChanCtrlInfo_t *chanCtrlInfo)
This function controls the operations of a channel instance of SALLD. It is used to configure and/or re‐configure the SALLD channel with various control information. This function should be called multiple times to configure and activate the SALLD channel during the call setup period. Then it is typically called to perform re‐key operation subsequently.
int16_tSa_chanReceiveData (Sa_ChanHandle handle, Sa_PktInfo_t *pktInfo)
This function processes packets received from the network. It performs protocol‐specific post‐SA operations on the decrypted and/or integrity‐verified data packet. It also performs the actual decryption/authentication operation in SW‐only mode.
int16_tS h S dD t (S Ch H dl h dl S PktI f t * ktI f i t16 t l )Sa_chanSendData (Sa_ChanHandle handle, Sa_PktInfo_t *pktInfo, uint16_t clear)
This function processes the data packet to the networks. It performs protocol‐specific operations to prepare the data packets to be encrypted and/or authenticated by the SA. It also performs the actual encryption and/or authentication in the SW‐only mode.
int16_tSa_chanGetStats (Sa_ChanHandle handle, uint16_t flags, Sa_Stats_t *stats)
This function obtains SALLD channel protocol‐specific statistics.
uint16_t Sa_chanGetID (Sa_ChanHandle handle)
Sa_chanGetID returns the SA channel ID associated with the specified handle.
SA LLD API: Utility Functionsuint16_t
Sa_isScBufFree (uint8_t *scBuf)
This function verifies whether the security context buffer has been freed by SA.
11/7/2010
7
SA LLD API: Callout Functions (1/2)void(* DebugTrace )(Sa_ChanHandle handle, uint16_t msgType, uint16_t msgCode, uint16_t msgLength, uint16_t *msgData)
A callout to the system code's debug and exception handling function. This is a function pointer and must point to a valid function which meets the API requirements.
void(* ChanKeyRequest )(Sa_ChanHandle handle, Sa_KeyRequest_t *keyReq)
Callout to externally supplied system to request a new security key. This function may be triggered by either the Sa_chanSendData() or Sa_chanReceiveData() APIs. The application should call the Sa_chanControl() API to pass the new key when it is available. This is a function pointer and must point to a valid function which meets the API requirements.
void(* ScAlloc )(Sa_ChanHandle handle, Sa_ScReqInfo_t *scReqInfo)
Callout to externally supplied system to allocate the security context with the specified size. This function must be implemented as a simple non‐blocking function. This is a function pointer and must point to a valid function which meets the API requirements.
void(* ScFree )(Sa_ChanHandle handle, uint16_t scID)
Callout to externally supplied system to release the security context with the specified ID. This function must be implemented as a simple non‐blocking function. This is a function pointer and must point to a valid function which meets the API requirements.
SA LLD API: Callout Functions (2/2)void(* ChanRegister )(Sa_ChanHandle handle, Sa_SWInfo_t *chanSwInfo)
Callout to externally supplied system to register the security channel with its software routing information to be programmed into the PASS lookup table in the from‐Network direction. It may be triggered by the Sa_chanControl(), Sa_chanSendData() and Sa_chanReceiveData() APIs. This is a function pointer and must point to a valid function which meets the API requirements.
void(* ChanUnRegister )(Sa_ChanHandle handle, Sa_SWInfo_t *chanSwInfo)
Callout to externally supplied system to un‐register the security channel with its software routing information to be removed from the PASS lookup tables It may be triggered by the sSa chanClose() Sa chanSendData() andremoved from the PASS lookup tables. It may be triggered by the sSa_chanClose(), Sa_chanSendData() and Sa_chanReceiveData() APIs. This is a function pointer and must point to a valid function which meets the API requirements.
void(* ChanSendNullPkt )(Sa_ChanHandle handle, Sa_PktInfo_t *pktInfo)
Callout to externally supplied system to send an Null packet to the SA sub‐system. The null packet is used to evict and/or tear down the security context associated with the channel. It may be triggered by the Sa_chanClose(), Sa_chanSendData() and Sa_chanReceiveData() APIs. This is a function pointer and must point to a valid function which meets the API requirements.
11/7/2010
8
Step 2: Load FW:
SA LLD: Basic Configuration
Configuration Information
SA LLD
Step 1: Set up memory:Sa_getBufferReq()Sa_create()
Step 2: Load FW:Sa_resetControl(DISABLE)Sa_downloadImage()Sa_resetControl(ENABLE)
CorePacNETCP
PA
SA Multicore
Navigator
QMSS
PKTDMANavigator
PKTDMA
IPsec Encryption Example
• Motivation • FirmwareFirmware• SA Low Level Driver (LLD)• IPsec Encryption Example• IPsec Decryption Example
11/7/2010
9
IPsec Encryption: Packets
• Starting Packet (before IPsec Encryption)
PayloadUDPIPv4IPv4MAC
PayloadUDPIPv4IPsecIPv4MAC
• Final Packet (after IPsec Encryption)
IPsec Encryption: Configuration
PayloadUDPIPv4IPv4MAC
IPsec Step 1: Set up IPsec channel:Sa_chanGetBufferReq()Sa chanCreate()
NOTE: Currently, only reserving room for IPsec tail.
Configuration Information
CorePac SA LLD
_ ()//Setup Security ContextSa_chanControl() //setup general cfgSa_chanControl() //setup key cfgSa_chanControl() //setup TX chan
NETCP
NOTE: Currently, only reserving room for IPsec header. The actual header has not been created yet!
gThe actual tail has not been created yet!
Step 2: Prepare packet for IPsec encryption:/* Reserve room for ESP Header andthe initialization vector in front of
Set up routing for decryption in Sa_DestInfo_t structure.
PA
SA Multicore
Navigator
QMSS
Step 3: Create command to be sent with the packet to SA:PASAHO_SINFO_FORMAT_CMD()
ESP payload, calculate ESP padding size, insert ESP padding and ESP Tail, adjust payload length and packet size */Sa_chanSendData()
PKTDMANavigator
PKTDMA
11/7/2010
10
IPsec Encryption: SA Tx QueueTransmit Data Packet
Receive Data PacketPayloadUDPIPv4IPv4MAC IPsec
Step 4: Set command, link buffer, and push descriptor onto SA Tx queue:Cppi setPSData(command) // Link “command” from Step 3
Multicore
Navigator
QMSS CorePacNETCP SA LLD
Cppi_setPSData(command) // Link command from Step 3/* Provide info from Sa_chanControl() allow SA to access security context */Cppi_setSoftwareInfo()descriptor->buffPtr = pkt // Link Packet Qmss_queuePush() // Push descriptor onto SA TX queue
PA
SA
Navigator
PKTDMA
Step 5: PKTDMA automatically pops descriptor from the Tx queue and sends the packet to NETCP. After PKTDMA finishes the data transfer, the Tx descriptor is returned to the specified packet completion queue.
PKTDMA
PKTDMA Controller
PKTDMA
IPsec Encryption: PKTDMA to SA
Q640: PDSP0
Step 6: Once the data transfer from SA0 queue to the NETCP has completed, the PKTDMA controller transfers the packet through the packet streaming switch to the SA.
SA
PA
Q643: PDSP3
Q644: PDSP4
Q645: PDSP5
Q641: PDSP1
Q642: PDSP2
GbE SwitchSubsystem
INTD
SGMII0
SGMII1
PHY
stat_pend_raw[1:0]
misc_int
buf_starve_intr
mdio_link_intr[1:0]mdio_user_intr[1:0]
Q646: SA0
Q647: SA1
Q648: GbE SW
Q900: RXQUEUE
11/7/2010
11
PKTDMA Controller
PKTDMA
IPsec Encryption: SA to PKTDMA
Q640: PDSP0
Step 7: SA encrypts the packet with IPsec ESP encryption and transfers the packet through the packet streaming switch to the PKTDMA controller and into the RXQUEUE.
SA
PA
Q643: PDSP3
Q644: PDSP4
Q645: PDSP5
Q641: PDSP1
Q642: PDSP2
GbE SwitchSubsystem
INTD
SGMII0
SGMII1
PHY
stat_pend_raw[1:0]
misc_int
buf_starve_intr
mdio_link_intr[1:0]mdio_user_intr[1:0]
Q646: SA0
Q647: SA1
Q648: GbE SW
Q900: RXQUEUE
IPsec Encryption: PKTDMA to CorePacRepeat steps 5-7 to encrypt more packets. Transmit Data Packet
PayloadUDPIPv4IPv4MAC IPsec
NOTE: Contains encrypted
Receive Data Packet
Multicore
Navigator
QMSS CorePacNETCP SA LLD
NOTE: Contains encrypted IPsec data.
PA
SA
Navigator
PKTDMA
Step 8: The packet is transferred from the PKTDMA controller to host memory via the PKTDMA. Once the transfer is complete, the Rx flow pushes the descriptor onto the Rx queue specified in Sa_DestInfo_tstructure during setup.
Step 9: Pop the descriptor to process the packet:QMSS_queuePop()
PKTDMA
11/7/2010
12
IPsec Decryption Example
• Motivation • FirmwareFirmware• SA Low Level Driver (LLD)• IPsec Encryption Example• IPsec Decryption Example
IPsec Decryption: Packets
• Starting Packet (before IPsec Decryption)
O_IPEMAC PayloadUDPI_IPIPsec
PayloadUDPI_IPO_IPEMAC
• Final Packet (after IPsec Decryption)
11/7/2010
13
IPsec Decryption: Config & SA Tx Queue
IPv4MAC PayloadUDPIPv4IPsec
Step 2: Set command, link buffer, and push descriptor onto SA Tx Step 3: PKTDMA automatically pops the descriptor from TX queue and sends the
Configuration Information
Transmit Data Packet
Multicore
Navigator
QMSS CorePacNETCP SA LLD
queue:Cppi_setPSData()/* Provide info from Sa_chanControl() allow SA to access security context */Cppi_setSoftwareInfo()Descriptor->buffPtr = pkt //Link packet bufferQmss_queuePush() //Push descriptor onto SA TX queue
descriptor from TX queue and sends the packet to NETCP via PKTDMA. After PKTDMA finishes the data transfer, the Tx descriptor is returned to the specified packet completion queue.
PA
SA
Navigator
PKTDMA Step 1: Set up IPsec Channel:Sa_chanGetBufferReq()Sa_chanCreate()//Setup Security ContextSa_chanControl() //setup general cfgSa_chanControl() //setup key cfgSa_chanControl() //setup RX chan
Sets up routing for decryption in Sa_DestInfo_t structure.
PKTDMA
PKTDMA Controller
PKTDMA
IPsec Decryption: PKTDMA to SA
Q640: PDSP0
Step 4: Once the data transfer from SA0 queue to the NETCP has completed, the PKTDMA controller transfers the packet through the packet streaming switch to the SA.
SA
PA
Q643: PDSP3
Q644: PDSP4
Q645: PDSP5
Q641: PDSP1
Q642: PDSP2
GbE SwitchSubsystem
INTD
SGMII0
SGMII1
PHY
stat_pend_raw[1:0]
misc_int
buf_starve_intr
mdio_link_intr[1:0]mdio_user_intr[1:0]
Q646: SA0
Q647: SA1
Q648: GbE SW
Q900: RXQUEUE
11/7/2010
14
PKTDMA Controller
PKTDMA
IPsec Decryption: SA to PKTDMA
Q640: PDSP0
Step 5: SA decrypts the IPsec ESP packet and transfers the packet through the packet streaming switch to the PKTDMA controller and into the RXQUEUE.
SA
PA
Q643: PDSP3
Q644: PDSP4
Q645: PDSP5
Q641: PDSP1
Q642: PDSP2
GbE SwitchSubsystem
INTD
SGMII0
SGMII1
PHY
stat_pend_raw[1:0]
misc_int
buf_starve_intr
mdio_link_intr[1:0]mdio_user_intr[1:0]
Q646: SA0
Q647: SA1
Q648: GbE SW
Q900: RXQUEUE
IPsec Decryption: PKTDMA to CorePac
Receive Data PacketPayloadUDPIPv4IPv4MAC
IPsecNOTE: Remove space reserved for
NOTE: Decrypted data
CorePacNETCP SA LLD
Multicore
Navigator
NOTE: Remove space reserved for IPsec header in Step 8.
space reserved for IPsec tail in Step 8.
Step 8: Remove IPsec header and tail:/* Update the packet size and protocol payload size in the header parsing
PA
SA
QMSS
Navigator
Step 6: The packet is transferred from the PKTDMA controller to host memory via the PKTDMA. Once the transfer is complete, the Rx flow pushes the descriptor onto the queue specified in Sa_DestInfo_tstructure during setup.
Step 7: Pop descriptor to process the packet:QMSS_queuePop()
p y p ginformation */Sa_chanReceiveData()
PKTDMA
PKTDMA
11/7/2010
15
For More Information
• For more information, refer to the Security Accelerator (SA) User Guide.
• For questions regarding topics covered in this training, visit the support forums at the TI E2E Community website.