keystone training (netcp) secusecu tyrity accecce e ... · pdf file11/7/2010 1 keystone...

11/7/2010

1

KeyStone Training

Network Coprocessor (NETCP)

Security Accelerator (SA)Secu ty cce e ato (S )

Agenda

• Motivation • Firmwarea e• SA Low Level Driver (LLD)• IPsec Encryption Example• IPsec Decryption Example

11/7/2010

2

Security Accelerator: Motivation

• Motivation • FirmwareFirmware• SA Low Level Driver (LLD)• IPsec Encryption Example• IPsec Decryption Example

SA: Motivation

• Motivation

– Hardware Encryption, Decryption, and Authentication

NETCP Block Diagram

PKTDMA Controller

PKTDMA

Authentication

• Faster than software

– Supported Protocols

• IPsec ESP

• IPsec AH

• SRTP

• 3GPP

• Software Provided

SA

PA

• Software Provided

– Firmware

• Needed for SA operation

– SA LLD

• Simplify programming

GbE SwitchSubsystem

INTD

SGMII0

SGMII1

PHY

stat_pend_raw[1:0]

misc_int

buf_starve_intr

mdio_link_intr[1:0]mdio_user_intr[1:0]

11/7/2010

3

Security Accelerator: Firmware


SA Firmware

CPU/3 CFG TeraNet SCR

PKTDMA_VBUSM_TXRX

Config 32-bits

PKTDMA

Pass 1 LUT

CDE

PDSP+1

Timer16 1

Timer16 2

32-bit VBUSP TeraNet SCR• Download firmware images toSA PDSPs prior

i S

3 PCPSGMII

CP_ACESecurity

Unit

Switch Status INTS

SGMII 0

CPU/3 Main TeraNet SCR

128 bitsPKTDMAController Pass 1 LUT

CDE

PDSP+2

Pass 1 LUT

CDE

PDSP+3

CDE

PDSP+5

Timer16 2

Timer16 3

Timer16 4

PDSPScratchpad RAM 1

PDSPScratchpad RAM 2

.:

PDSP

Timer16 5

32

-bit V

BU

SP

Tera

Ne

t SC

R

Stre

am

ing In

terfa

ce S

witch

Pass 2 LUT

CDE

PDSP+4

CDE

PDSP+6

Timer16 6

SERDES

CP_ACESecurity

Unit

to running SA:

1. php1 image(IPsec); Download to SA PDSP1

2. php2 image(SRTP and

3-PortEthernetSwitch

CPSGMII

MDIO 0 INTS

SGMII 1

SGMII 0 PDSPScratchpad RAM nCDE 6

CPMDIO

PAStats

INTD

SERDES3GPP); Download to SA PDSP2

11/7/2010

4

SA Low Level Driver (LLD)


SA LLD Overview• SA LLD provides an abstraction layer between the application and the SA Sub‐system. It

provides both the system level interface and the channel level interface with a set of APIs • System Level interface

– Reset, download and update the SA PDSP images.– Query SA states and statistics.

Read a 64 bit true random number– Read a 64‐bit true random number– Perform the large integer arithmetic through the PKA module– Monitor and report SA system error

• Channel Level interface– Convert the channel configuration information into the security contexts defined by the

SA.– Perform protocol‐specific packet operations such as insertion of the ESP header, padding

and ESP tail.– Decrypt and authenticate the received SRTP packet if the SA is not able to perform the

operations due to the key validation failure.Generate the command labels in data mode operation– Generate the command labels in data mode operation.

– Maintain the protocol‐specific channel statistics.• SA LLD does not provide transport layer and all API calls are non‐blocking• The software layers above the SA LLD must call the appropriate SA LLD APIs, and then call the

appropriate CPPI and QMSS APIs to actually send packets to the SA.

For more information on SA LLD, refer to the Security Accelerator (SA) User Guide.

11/7/2010

5

SA LLD API: Common Interface (1/2)int16_t Sa_getBufferReq (Sa_SizeCfg_t *sizeCfg, int sizes[], int aligns[])

Sa_getBufferReq returns the memory requirements for the SALLD instance. It returns the memory buffer requirements in terms of the size and alignment array.

int16_t Sa_create (Sa_Config_t *cfg, void *bases[], Sa_Handle *pHandle)

Sa_create creates the SA LLD instance. It initializes the SALLD instance and its corresponding instance structure based on channel configuration data such as the call‐out table and etcout table, and etc.

int16_t Sa_close (Sa_Handle handle, void *bases[])

Sa_close decativates the SA LLD instance.

int16_t Sa_getSysStats (Sa_Handle handle, Sa_SysStats_t *stats)

This function obtains SALLD system statistics.

Sa_State_t Sa_resetControl (Sa_Handle handle, Sa_State_t newState)

This function controls the reset state of the SA Sub‐System.

int16_t Sa_downloadImage (Sa_Handle handle, int modId, void *image, int sizeBytes)

This function downloads a PDSP image to a PDSP core within the SA sub‐system.

uint16_t Sa_getID (Sa_Handle handle)

This function returns the SA system ID associated with the specified handle.

SA LLD API: Common Interface (2/2)int16_t Sa_rngInit (Sa_Handle handle, Sa_RngConfigParams_t *cfg)

The function is called to initialize and configure the RNG (Random Number Generator) module inside SA.

int16_t Sa_getRandonNum (Sa_Handle handle, uint16_t f_isr, Sa_RngData_t *rnd)

This function returns a 64‐bit true random number.

int16_t Sa_rngClose (Sa_Handle handle)

Sa rngClose decativates the SA RNGmodule.Sa_rngClose decativates the SA RNG module.

int16_t Sa_pkaInit (Sa_Handle handle)

This function initializes the PKA (Public Key Accelerator) module inside SA.

int16_t Sa_pkaOperation (Sa_Handle handle, Sa_PkaReqInfo_t *pkaReqInfo)

This function triggers a large vector arithmetic operation through the PKA module.

int16_t Sa_pkaClose (Sa_Handle handle)

Sa_pkaClose decativates the SA PKA module.

11/7/2010

6

SA LLD API: Channel‐Interfaceint16_t

Sa_chanGetBufferReq (Sa_ChanSizeCfg_t *sizeCfg, int sizes[], int aligns[])

Sa_chanGetBufferReq returns the memory requirements for an SALLD channel. It returns the memory buffer requirements in terms of the size and alignment array.

int16_tSa_chanCreate (Sa_Handle handle, Sa_ChanConfig_t *cfg, void *bases[], Sa_ChanHandle *pChanHdl)

Sa_chanCreate creates the SALLD channel. It initializes an instance of SALLD channel and its corresponding instance structure based on channel configuration data such as the security protocol, and etc.

int16 tint16_tSa_chanClose (Sa_ChanHandle handle, void *bases[])

Sa_chanClose decativates the SALLD channel. It clears the SALLD channel instance. All the associated memory buffers can be freed after this call.

int16_tSa_chanControl (Sa_ChanHandle handle, Sa_ChanCtrlInfo_t *chanCtrlInfo)

This function controls the operations of a channel instance of SALLD. It is used to configure and/or re‐configure the SALLD channel with various control information. This function should be called multiple times to configure and activate the SALLD channel during the call setup period. Then it is typically called to perform re‐key operation subsequently.

int16_tSa_chanReceiveData (Sa_ChanHandle handle, Sa_PktInfo_t *pktInfo)

This function processes packets received from the network. It performs protocol‐specific post‐SA operations on the decrypted and/or integrity‐verified data packet. It also performs the actual decryption/authentication operation in SW‐only mode.

int16_tS h S dD t (S Ch H dl h dl S PktI f t * ktI f i t16 t l )Sa_chanSendData (Sa_ChanHandle handle, Sa_PktInfo_t *pktInfo, uint16_t clear)

This function processes the data packet to the networks. It performs protocol‐specific operations to prepare the data packets to be encrypted and/or authenticated by the SA. It also performs the actual encryption and/or authentication in the SW‐only mode.

int16_tSa_chanGetStats (Sa_ChanHandle handle, uint16_t flags, Sa_Stats_t *stats)

This function obtains SALLD channel protocol‐specific statistics.

uint16_t Sa_chanGetID (Sa_ChanHandle handle)

Sa_chanGetID returns the SA channel ID associated with the specified handle.

SA LLD API: Utility Functionsuint16_t

Sa_isScBufFree (uint8_t *scBuf)

This function verifies whether the security context buffer has been freed by SA.

11/7/2010

7

SA LLD API: Callout Functions (1/2)void(* DebugTrace )(Sa_ChanHandle handle, uint16_t msgType, uint16_t msgCode, uint16_t msgLength, uint16_t *msgData)

A callout to the system code's debug and exception handling function. This is a function pointer and must point to a valid function which meets the API requirements.

void(* ChanKeyRequest )(Sa_ChanHandle handle, Sa_KeyRequest_t *keyReq)

Callout to externally supplied system to request a new security key. This function may be triggered by either the Sa_chanSendData() or Sa_chanReceiveData() APIs. The application should call the Sa_chanControl() API to pass the new key when it is available. This is a function pointer and must point to a valid function which meets the API requirements.

void(* ScAlloc )(Sa_ChanHandle handle, Sa_ScReqInfo_t *scReqInfo)

Callout to externally supplied system to allocate the security context with the specified size. This function must be implemented as a simple non‐blocking function. This is a function pointer and must point to a valid function which meets the API requirements.

void(* ScFree )(Sa_ChanHandle handle, uint16_t scID)

Callout to externally supplied system to release the security context with the specified ID. This function must be implemented as a simple non‐blocking function. This is a function pointer and must point to a valid function which meets the API requirements.

SA LLD API: Callout Functions (2/2)void(* ChanRegister )(Sa_ChanHandle handle, Sa_SWInfo_t *chanSwInfo)

Callout to externally supplied system to register the security channel with its software routing information to be programmed into the PASS lookup table in the from‐Network direction. It may be triggered by the Sa_chanControl(), Sa_chanSendData() and Sa_chanReceiveData() APIs. This is a function pointer and must point to a valid function which meets the API requirements.

void(* ChanUnRegister )(Sa_ChanHandle handle, Sa_SWInfo_t *chanSwInfo)

Callout to externally supplied system to un‐register the security channel with its software routing information to be removed from the PASS lookup tables It may be triggered by the sSa chanClose() Sa chanSendData() andremoved from the PASS lookup tables. It may be triggered by the sSa_chanClose(), Sa_chanSendData() and Sa_chanReceiveData() APIs. This is a function pointer and must point to a valid function which meets the API requirements.

void(* ChanSendNullPkt )(Sa_ChanHandle handle, Sa_PktInfo_t *pktInfo)

Callout to externally supplied system to send an Null packet to the SA sub‐system. The null packet is used to evict and/or tear down the security context associated with the channel. It may be triggered by the Sa_chanClose(), Sa_chanSendData() and Sa_chanReceiveData() APIs. This is a function pointer and must point to a valid function which meets the API requirements.

11/7/2010

8

Step 2: Load FW:

SA LLD: Basic Configuration

Configuration Information

SA LLD

Step 1: Set up memory:Sa_getBufferReq()Sa_create()

Step 2: Load FW:Sa_resetControl(DISABLE)Sa_downloadImage()Sa_resetControl(ENABLE)

CorePacNETCP

PA

SA Multicore

Navigator

QMSS

PKTDMANavigator

PKTDMA

IPsec Encryption Example


11/7/2010

9

IPsec Encryption: Packets

• Starting Packet (before IPsec Encryption)

PayloadUDPIPv4IPv4MAC

PayloadUDPIPv4IPsecIPv4MAC

• Final Packet (after IPsec Encryption)

IPsec Encryption: Configuration

PayloadUDPIPv4IPv4MAC

IPsec Step 1: Set up IPsec channel:Sa_chanGetBufferReq()Sa chanCreate()

NOTE: Currently, only reserving room for IPsec tail.


CorePac SA LLD

_ ()//Setup Security ContextSa_chanControl() //setup general cfgSa_chanControl() //setup key cfgSa_chanControl() //setup TX chan

NETCP

NOTE: Currently, only reserving room for IPsec header. The actual header has not been created yet!

gThe actual tail has not been created yet!

Step 2: Prepare packet for IPsec encryption:/* Reserve room for ESP Header andthe initialization vector in front of

Set up routing for decryption in Sa_DestInfo_t structure.

PA

SA Multicore

Navigator

QMSS

Step 3: Create command to be sent with the packet to SA:PASAHO_SINFO_FORMAT_CMD()

ESP payload, calculate ESP padding size, insert ESP padding and ESP Tail, adjust payload length and packet size */Sa_chanSendData()

PKTDMANavigator

PKTDMA

11/7/2010

10

IPsec Encryption: SA Tx QueueTransmit Data Packet

Receive Data PacketPayloadUDPIPv4IPv4MAC IPsec

Step 4: Set command, link buffer, and push descriptor onto SA Tx queue:Cppi setPSData(command) // Link “command” from Step 3

Multicore

Navigator

QMSS CorePacNETCP SA LLD

Cppi_setPSData(command) // Link command from Step 3/* Provide info from Sa_chanControl() allow SA to access security context */Cppi_setSoftwareInfo()descriptor->buffPtr = pkt // Link Packet Qmss_queuePush() // Push descriptor onto SA TX queue

PA

SA

Navigator

PKTDMA

Step 5: PKTDMA automatically pops descriptor from the Tx queue and sends the packet to NETCP. After PKTDMA finishes the data transfer, the Tx descriptor is returned to the specified packet completion queue.

PKTDMA

PKTDMA Controller

PKTDMA

IPsec Encryption: PKTDMA to SA

Q640: PDSP0

Step 6: Once the data transfer from SA0 queue to the NETCP has completed, the PKTDMA controller transfers the packet through the packet streaming switch to the SA.

SA

PA

Q643: PDSP3

Q644: PDSP4

Q645: PDSP5

Q641: PDSP1

Q642: PDSP2

GbE SwitchSubsystem

INTD

SGMII0

SGMII1

PHY

stat_pend_raw[1:0]

misc_int

buf_starve_intr


Q646: SA0

Q647: SA1

Q648: GbE SW

Q900: RXQUEUE

11/7/2010

11

PKTDMA Controller

PKTDMA

IPsec Encryption: SA to PKTDMA

Q640: PDSP0

Step 7: SA encrypts the packet with IPsec ESP encryption and transfers the packet through the packet streaming switch to the PKTDMA controller and into the RXQUEUE.

SA

PA

Q643: PDSP3

Q644: PDSP4

Q645: PDSP5

Q641: PDSP1

Q642: PDSP2

GbE SwitchSubsystem

INTD

SGMII0

SGMII1

PHY

stat_pend_raw[1:0]

misc_int

buf_starve_intr


Q646: SA0

Q647: SA1

Q648: GbE SW

Q900: RXQUEUE

IPsec Encryption: PKTDMA to CorePacRepeat steps 5-7 to encrypt more packets. Transmit Data Packet

PayloadUDPIPv4IPv4MAC IPsec

NOTE: Contains encrypted

Receive Data Packet

Multicore

Navigator


NOTE: Contains encrypted IPsec data.

PA

SA

Navigator

PKTDMA

Step 8: The packet is transferred from the PKTDMA controller to host memory via the PKTDMA. Once the transfer is complete, the Rx flow pushes the descriptor onto the Rx queue specified in Sa_DestInfo_tstructure during setup.

Step 9: Pop the descriptor to process the packet:QMSS_queuePop()

PKTDMA

11/7/2010

12

IPsec Decryption Example


IPsec Decryption: Packets

• Starting Packet (before IPsec Decryption)

O_IPEMAC PayloadUDPI_IPIPsec

PayloadUDPI_IPO_IPEMAC

• Final Packet (after IPsec Decryption)

11/7/2010

13

IPsec Decryption: Config & SA Tx Queue

IPv4MAC PayloadUDPIPv4IPsec

Step 2: Set command, link buffer, and push descriptor onto SA Tx Step 3: PKTDMA automatically pops the descriptor from TX queue and sends the


Transmit Data Packet

Multicore

Navigator


queue:Cppi_setPSData()/* Provide info from Sa_chanControl() allow SA to access security context */Cppi_setSoftwareInfo()Descriptor->buffPtr = pkt //Link packet bufferQmss_queuePush() //Push descriptor onto SA TX queue

descriptor from TX queue and sends the packet to NETCP via PKTDMA. After PKTDMA finishes the data transfer, the Tx descriptor is returned to the specified packet completion queue.

PA

SA

Navigator

PKTDMA Step 1: Set up IPsec Channel:Sa_chanGetBufferReq()Sa_chanCreate()//Setup Security ContextSa_chanControl() //setup general cfgSa_chanControl() //setup key cfgSa_chanControl() //setup RX chan

Sets up routing for decryption in Sa_DestInfo_t structure.

PKTDMA

PKTDMA Controller

PKTDMA

IPsec Decryption: PKTDMA to SA

Q640: PDSP0

Step 4: Once the data transfer from SA0 queue to the NETCP has completed, the PKTDMA controller transfers the packet through the packet streaming switch to the SA.

SA

PA

Q643: PDSP3

Q644: PDSP4

Q645: PDSP5

Q641: PDSP1

Q642: PDSP2

GbE SwitchSubsystem

INTD

SGMII0

SGMII1

PHY

stat_pend_raw[1:0]

misc_int

buf_starve_intr


Q646: SA0

Q647: SA1

Q648: GbE SW

Q900: RXQUEUE

11/7/2010

14

PKTDMA Controller

PKTDMA

IPsec Decryption: SA to PKTDMA

Q640: PDSP0

Step 5: SA decrypts the IPsec ESP packet and transfers the packet through the packet streaming switch to the PKTDMA controller and into the RXQUEUE.

SA

PA

Q643: PDSP3

Q644: PDSP4

Q645: PDSP5

Q641: PDSP1

Q642: PDSP2

GbE SwitchSubsystem

INTD

SGMII0

SGMII1

PHY

stat_pend_raw[1:0]

misc_int

buf_starve_intr


Q646: SA0

Q647: SA1

Q648: GbE SW

Q900: RXQUEUE

IPsec Decryption: PKTDMA to CorePac

Receive Data PacketPayloadUDPIPv4IPv4MAC

IPsecNOTE: Remove space reserved for

NOTE: Decrypted data

CorePacNETCP SA LLD

Multicore

Navigator

NOTE: Remove space reserved for IPsec header in Step 8.

space reserved for IPsec tail in Step 8.

Step 8: Remove IPsec header and tail:/* Update the packet size and protocol payload size in the header parsing

PA

SA

QMSS

Navigator

Step 6: The packet is transferred from the PKTDMA controller to host memory via the PKTDMA. Once the transfer is complete, the Rx flow pushes the descriptor onto the queue specified in Sa_DestInfo_tstructure during setup.

Step 7: Pop descriptor to process the packet:QMSS_queuePop()

p y p ginformation */Sa_chanReceiveData()

PKTDMA

PKTDMA

11/7/2010

15

For More Information

• For more information, refer to the Security Accelerator (SA) User Guide.

• For questions regarding topics covered in this training, visit the support forums at the TI E2E Community website.

keystone training (netcp) secusecu tyrity accecce e ... · pdf file11/7/2010 1 keystone...

Documents