bdev: Add crypto virtual bdev module

spdk_bdev_alias_del_all() was added to delete all alias from block device.

A new virtual bdev module has been added to perform at rest data encryption using the DPDK CryptoDev

Framework.  The module initially uses a software AESNI CBC cipher with experimental support for the

Intel QAT hardware accelerator also currently implemented with support for CBC cipher. Future work

may include additional ciphers as well as consideration for authentication. NOTE: this module is

currently marked as experimental.  Do not use in production.

### Environment Abstraction Layer and Event Framework

The size parameter of spdk_mem_map_translate is now a pointer. This allows the

fi

if [[ "$CONFIG_CRYPTO" = "y" ]]; then

	echo NOTE: Crypto is currently marked as experimental.  Do not use in production.

	set +e

	nasm_ver=$(nasm -v | sed 's/[^0-9]*//g' | awk '{print substr ($0, 0, 5)}')

	ipsec="$(find /usr -name intel-ipsec-mb.h 2>/dev/null)"

`rpc.py delete_rbd_bdev Rbd0`

# Crypto Virtual Bdev Module {#bdev_config_crypto}

The crypto virtual bdev module can be configured to provide at rest data encryption

for any underlying bdev. The module relies on the DPDK CryptoDev Framework to provide

all cryptographic functionality. The framework provides support for many different software

only cryptographic modules as well hardware assisted support for the Intel QAT board. The

framework also provides support for cipher, hash, authentication and AEAD functions. At this

time the SPDK virtual bdev module supports cipher only as follows:

- AESN-NI Multi Buffer Crypto Poll Mode Driver: RTE_CRYPTO_CIPHER_AES128_CBC

- Intel(R) QuickAssist (QAT) Crypto Poll Mode Driver: RTE_CRYPTO_CIPHER_AES128_CBC

(Note: QAT is functional however is marked as experimental until the hardware has

been fully integrated with the SPDK CI system.)

Support for other DPDK drivers and capabilities may be added programmatically. Existing

functionality is configured through a .conf file as shown here:

[crypto]<br>

 \# CRY \<bdev name\> \<vbdev name\> \<key\> \<PMD\><br>

 \# key size depends on cipher<br>

 \# supported PMD names: crypto_aesni_mb, crypto_qat<br>

 \# Note: QAT is experimental while test HW is being setup<br>

 CRY Malloc4 crypto_ram 0123456789123456 crypto_aesni_mb

In order to support using the bdev block offset (LBA) as the initialization vector (IV),

the crypto module break up all I/O into crypto operations of a size equal to the block

size of the underlying bdev.  For example, a 4K I/O to a bdev with a 512B block size,

would result in 8 cryptographic operations.

For reads, the buffer provided to the crypto module will be used as the destination buffer

for unencrypted data.  For writes, however, a temporary scratch buffer is used as the

destination buffer for encryption which is then passed on to the underlying bdev as the

write buffer.  This is done to avoid encrypting the data in the original source buffer which

may cause problems in some use cases.

# GPT (GUID Partition Table) {#bdev_config_gpt}

The GPT virtual bdev driver is enabled by default and does not require any configuration.

INTEL_IPSEC_MB_LIB=$(SPDK_ROOT_DIR)/intel-ipsec-mb/libIPSec_MB.a

IPSEC_MB_CFLAGS = -fPIC

CRYPTO_ENABLED = y

DPDK_OPTS += AESNI_MULTI_BUFFER_LIB_PATH=$(SPDK_ROOT_DIR)/intel-ipsec-mb

DPDK_OPTS += CONFIG_RTE_LIBRTE_PMD_AESNI_MB=y

DPDK_OPTS += CONFIG_RTE_LIBRTE_CRYPTODEV=y

DPDK_OPTS += CONFIG_RTE_LIBRTE_REORDER=y

DPDK_OPTS += CONFIG_RTE_LIBRTE_PMD_QAT=n

endif

endif

endif

DPDK_OPTS += CONFIG_RTE_LIBRTE_PMD_AESNI_MB=n

DPDK_OPTS += CONFIG_RTE_LIBRTE_CRYPTODEV=n

DPDK_OPTS += CONFIG_RTE_LIBRTE_REORDER=n

DPDK_OPTS += CONFIG_RTE_LIBRTE_PMD_QAT=n

endif

ifeq ($(TARGET_MACHINE),aarch64)

DIRS-y += error gpt lvol malloc null nvme passthru rpc split

ifeq ($(CONFIG_CRYPTO),y)

DIRS-y += crypto

endif

ifeq ($(OS),Linux)

DIRS-y += aio

DIRS-$(CONFIG_ISCSI_INITIATOR) += iscsi