Diffstat (limited to 'src/vnet')
-rw-r--r-- | src/vnet/CMakeLists.txt | 1 | ||||
-rw-r--r-- | src/vnet/crypto/config.c | 105 | ||||
-rw-r--r-- | src/vnet/crypto/crypto.c | 30 | ||||
-rw-r--r-- | src/vnet/crypto/crypto.h | 11 |
4 files changed, 147 insertions, 0 deletions
diff --git a/src/vnet/CMakeLists.txt b/src/vnet/CMakeLists.txt index 9e7734e20cb..5c9c5cc0dc5 100644 --- a/src/vnet/CMakeLists.txt +++ b/src/vnet/CMakeLists.txt @@ -522,6 +522,7 @@ list(APPEND VNET_API_FILES bfd/bfd.api) list(APPEND VNET_SOURCES crypto/cli.c + crypto/config.c crypto/crypto.c crypto/format.c crypto/main.c diff --git a/src/vnet/crypto/config.c b/src/vnet/crypto/config.c new file mode 100644 index 00000000000..09f39b38b4e --- /dev/null +++ b/src/vnet/crypto/config.c 
@@ -0,0 +1,105 @@ +/* + * config.c: crypto engines configuration + * + * Copyright (c) 2025 Cisco and/or its affiliates. + * SPDX-License-Identifier: Apache-2.0 + * https://spdx.org/licenses/Apache-2.0.html + */ + +#include <vlib/vlib.h> +#include <vnet/crypto/crypto.h> + +static clib_error_t * +config_one_crypto (vlib_main_t *vm, char *name, unformat_input_t *input) +{ + vnet_crypto_main_t *cm = &crypto_main; + vnet_crypto_config_t *pc; + clib_error_t *error = 0; + uword *p; + int is_enable = 0; + int is_disable = 0; + + if (cm->config_index_by_name == 0) + cm->config_index_by_name = hash_create_string (0, sizeof (uword)); + + p = hash_get_mem (cm->config_index_by_name, name); + if (p) + { + error = clib_error_return (0, "crypto '%s' already configured", name); + goto done; + } + + while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (input, "enable")) + is_enable = 1; + else if (unformat (input, "disable")) + is_disable = 1; + else + { + error = clib_error_return (0, "unknown input '%U'", + format_unformat_error, input); + goto done; + } + } + + if (is_enable && is_disable) + { + error = clib_error_return (0, + "please specify either enable or disable" + " for crypto '%s'", + name); + goto done; + } + + vec_add2 (cm->configs, pc, 1); + pc->is_enabled = is_enable; + pc->is_disabled = is_disable; + pc->name = vec_dup (name); + hash_set_mem (cm->config_index_by_name, pc->name, pc - cm->configs); + +done: + return error; +} + +static clib_error_t * +crypto_engines_config (vlib_main_t *vm, unformat_input_t *input) +{ + vnet_crypto_main_t *cm = &crypto_main; + clib_error_t *error = 0; + + while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) + { + unformat_input_t sub_input; + u8 *s = 0; + if (unformat (input, "default %U", unformat_vlib_cli_sub_input, + &sub_input)) + { + cm->default_disabled = unformat (&sub_input, "disable") ? 
1 : 0; + unformat_free (&sub_input); + } + else if (unformat (input, "%s %U", &s, unformat_vlib_cli_sub_input, + &sub_input)) + { + error = config_one_crypto (vm, (char *) s, &sub_input); + vec_free (s); + unformat_free (&sub_input); + if (error) + goto done; + } + else + { + error = clib_error_return (0, "unknown input '%U'", + format_unformat_error, input); + { + vec_free (s); + goto done; + } + } + } + +done: + return error; +} + +VLIB_EARLY_CONFIG_FUNCTION (crypto_engines_config, "crypto-engines"); diff --git a/src/vnet/crypto/crypto.c b/src/vnet/crypto/crypto.c index d1a6a6b12a1..765dc499078 100644 --- a/src/vnet/crypto/crypto.c +++ b/src/vnet/crypto/crypto.c @@ -18,6 +18,8 @@ VLIB_REGISTER_LOG_CLASS (crypto_main_log, static) = { #define log_debug(f, ...) \ vlib_log (VLIB_LOG_LEVEL_DEBUG, crypto_main_log.class, f, ##__VA_ARGS__) +#define log_notice(f, ...) \ + vlib_log (VLIB_LOG_LEVEL_NOTICE, crypto_main_log.class, f, ##__VA_ARGS__) #define log_err(f, ...) \ vlib_log (VLIB_LOG_LEVEL_ERR, crypto_main_log.class, f, ##__VA_ARGS__) @@ -564,11 +566,14 @@ static void vnet_crypto_load_engines (vlib_main_t *vm) { vlib_thread_main_t *tm = vlib_get_thread_main (); + vnet_crypto_main_t *cm = &crypto_main; + vnet_crypto_config_t *pc; u8 *path; char *p; u32 path_len; struct dirent *entry; DIR *dp; + uword *config_index; path = os_get_exec_path (); log_debug ("exec path is %s", path); 
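Review bot: In crypto_engines_config the `default` sub-block is not validated: `cm->default_disabled = unformat (&sub_input, "disable") ? 1 : 0;` treats any other token (a typo, stray text) as "not disabled", so the section silently fails open, whereas config_one_crypto rejects unknown tokens with `unknown input '%U'`. Parsing the sub-input with the same reject-unknown loop makes the two branches consistent and surfaces the mistake at startup instead of leaving every engine loaded. Separately, `vm` is unused in config_one_crypto, and the bare `{ vec_free (s); goto done; }` block nested inside the final else branch is redundant bracing. A short header comment giving the accepted syntax, `crypto-engines { default { disable } <engine-name> { enable | disable } }`, would also help, since it is currently only recoverable from the unformat calls.
```c
	  if (unformat (input, "default %U", unformat_vlib_cli_sub_input,
			&sub_input))
	    {
	      /* reject anything but 'disable', as config_one_crypto does */
	      while (unformat_check_input (&sub_input) != UNFORMAT_END_OF_INPUT)
		{
		  if (unformat (&sub_input, "disable"))
		    cm->default_disabled = 1;
		  else
		    {
		      error = clib_error_return (0, "unknown input '%U'",
						 format_unformat_error,
						 &sub_input);
		      unformat_free (&sub_input);
		      goto done;
		    }
		}
	      unformat_free (&sub_input);
	    }
	  /* … unchanged: per-engine "%s %U" branch and trailing error branch … */
```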
@@ -623,6 +628,31 @@ vnet_crypto_load_engines (vlib_main_t *vm) continue; } + /* follow crypto-engines config section directive */ + config_index = hash_get_mem (cm->config_index_by_name, r->name); + if (config_index) + { + pc = vec_elt_at_index (cm->configs, config_index[0]); + if (pc->is_disabled) + { + log_notice ("crypto disabled: %s", r->name); + dlclose (handle); + continue; + } + if (cm->default_disabled && pc->is_enabled == 0) + { + log_notice ("crypto disabled (default): %s", r->name); + dlclose (handle); + continue; + } + } + else if (cm->default_disabled) + { + log_notice ("crypto disabled (default): %s", r->name); + dlclose (handle); + continue; + } + if (r->per_thread_data_sz) { u64 sz = diff --git a/src/vnet/crypto/crypto.h b/src/vnet/crypto/crypto.h index 0a021282b5d..c80987ecff7 100644 --- a/src/vnet/crypto/crypto.h +++ b/src/vnet/crypto/crypto.h @@ -420,17 +420,28 @@ typedef struct typedef struct { + char *name; + u8 is_disabled; + u8 is_enabled; +} vnet_crypto_config_t; + +typedef struct +{ vnet_crypto_key_t **keys; u8 keys_lock; u32 crypto_node_index; vnet_crypto_thread_t *threads; vnet_crypto_frame_dequeue_t **dequeue_handlers; vnet_crypto_engine_t *engines; + /* configs and hash by name */ + vnet_crypto_config_t *configs; + uword *config_index_by_name; uword *engine_index_by_name; uword *alg_index_by_name; vnet_crypto_async_next_node_t *next_nodes; vnet_crypto_alg_data_t algs[VNET_CRYPTO_N_ALGS]; vnet_crypto_op_data_t opt_data[VNET_CRYPTO_N_OP_IDS]; + u8 default_disabled; } vnet_crypto_main_t; extern vnet_crypto_main_t crypto_main; |
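Review bot: A config entry whose name matches no engine on disk is never reported — the lookup `hash_get_mem (cm->config_index_by_name, r->name)` is driven by the engines actually found, so a misspelled engine name under `crypto-engines { ... { disable } }` leaves the intended engine loaded with no warning, which for a disable directive is fail-open. Consider marking the entry when it is matched here (a `u8 matched` on vnet_crypto_config_t) and, after the readdir loop that continues outside this hunk, emitting `log_notice ("crypto-engines config: no engine named '%s'", pc->name)` for each entry never matched. The three skip blocks (explicit disable, default without enable, default with no entry) repeat the same `log_notice`/`dlclose (handle)`/`continue` tail; a single decision such as `skip = pc ? (pc->is_disabled || (cm->default_disabled && !pc->is_enabled)) : cm->default_disabled;` followed by one skip block would make the precedence (disable wins over enable) explicit. vnet_crypto_load_engines begins and ends outside this hunk.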
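Review bot: The new vnet_crypto_config_t fields and `default_disabled` carry no comment describing how they combine, and the header alone does not tell a reader that the load path gives `is_disabled` precedence over `is_enabled`. Suggest `/* per-engine entry from the crypto-engines config section; is_disabled wins, is_enabled only matters when default_disabled is set */` above the struct, and `/* crypto-engines { default { disable } }: engines without an explicit enable are not loaded */` on `default_disabled`, replacing the bare `/* configs and hash by name */`. `name` is owned by this struct (allocated with vec_dup in config.c), which is worth stating next to the field.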