Add: PoC of video frames encryption using AES-CTR

This PoC demonstrates the use of AES-CTR encryption of video frames
transmitted between the Tx and Rx sessions. It shows that video frames
can be treated as binary blobs that could be encrypted. The PoC uses
https://github.com/intel/intel-ipsec-mb for the AES-CTR encryption.

Sample file can be generated with:
```
ffmpeg -an -y -f lavfi -i \
testsrc=d=5:s=1920x1080:r=25,format=yuv422p10be -f rawvideo \
/tmp/yuv422p10le.yuv
```

To run PoC:
```
./tests/tools/RxTxApp/build/RxTxApp --config_file \
config/tx-rx-encryption.json  --test_time=10
```

Author: Sakoram

config/tx-rx-encryption.json

@@ -0,0 +1,84 @@
+{
+    "tx_no_chain": false,
+    "interfaces": [
+        {
+            "name": "0000:4b:01.0",
+            "ip": "192.168.17.101"
+        },
+        {
+            "name": "0000:4b:01.1",
+            "ip": "192.168.17.102"
+        }
+    ],
+    "tx_sessions": [
+        {
+            "dip": [
+                "192.168.17.102"
+            ],
+            "interface": [
+                0
+            ],
+            "video": [],
+            "st20p": [
+                {
+                    "replicas": 1,
+                    "start_port": 20000,
+                    "payload_type": 112,
+                    "width": 1920,
+                    "height": 1080,
+                    "fps": "p25",
+                    "interlaced": false,
+                    "device": "AUTO",
+                    "pacing": "gap",
+                    "packing": "BPM",
+                    "input_format": "YUV422RFC4175PG2BE10",
+                    "transport_format": "YUV_422_10bit",
+                    "st20p_url": "/tmp/yuv422p10be.yuv",
+                    "display": false,
+                    "enable_rtcp": false
+                }
+            ],
+            "st22p": [],
+            "st30p": [],
+            "audio": [],
+            "ancillary": [],
+            "fastmetadata": []
+        }
+    ],
+    "rx_sessions": [
+        {
+            "ip": [
+                "192.168.17.101"
+            ],
+            "interface": [
+                1
+            ],
+            "video": [],
+            "st20p": [
+                {
+                    "replicas": 1,
+                    "start_port": 20000,
+                    "payload_type": 112,
+                    "width": 1920,
+                    "height": 1080,
+                    "fps": "p25",
+                    "interlaced": false,
+                    "device": "AUTO",
+                    "pacing": "gap",
+                    "packing": "BPM",
+                    "output_format": "YUV422RFC4175PG2BE10",
+                    "transport_format": "YUV_422_10bit",
+                    "measure_latency": false,
+                    "display": false,
+                    "enable_rtcp": false,
+                    "st20p_url": "/tmp/out.yuv"
+                }
+            ],
+            "st22p": [],
+            "st30p": [],
+            "audio": [],
+            "ancillary": [],
+            "fastmetadata": []
+        }
+    ]
+}

tests/tools/RxTxApp/meson.build

@@ -24,6 +24,8 @@ libm = cc.find_library('m', required : true)
 libpthread = cc.find_library('pthread', required : true)
 libjson_c = dependency('json-c', required : true)
 libpcap = dependency('pcap', required: true)
+libIPSec_MB = cc.find_library('IPSec_MB', required: true)
+
 
 libsdl2 = dependency('sdl2', required: false)
 if libsdl2.found()
@@ -90,5 +92,5 @@ executable('RxTxApp', sources,
   c_args : app_c_args,
   link_args: app_ld_args,
   # asan should be always the first dep
-  dependencies: [asan_dep, mtl, libjson_c, libpcap, libsdl2, libsdl2_ttf, libm, libpthread, ws2_32_dep, mman_dep, libopenssl]
+  dependencies: [asan_dep, mtl, libjson_c, libpcap, libsdl2, libsdl2_ttf, libm, libpthread, ws2_32_dep, mman_dep, libopenssl, libIPSec_MB]
 )

tests/tools/RxTxApp/src/app_base.h

@@ -558,6 +558,8 @@ struct st_app_rx_st20p_session {
 
   bool measure_latency;
   uint64_t stat_latency_us_sum;
+
+  void* tmp_framebuff;
 };
 
 struct st_app_tx_st30p_session {

tests/tools/RxTxApp/src/rx_st20p_app.c

@@ -3,14 +3,52 @@
  */
 
 #include "rx_st20p_app.h"
+#include <intel-ipsec-mb.h>
+
+static IMB_MGR *mgr;
+
+static uint8_t cipher_key[16] = {0};
+static uint8_t cipher_iv[16] = {0};
+DECLARE_ALIGNED(static uint32_t exp_enc_key[4*15], 16);
+DECLARE_ALIGNED(static uint32_t exp_dec_key[4*15], 16);
+static IMB_JOB *job;
 
 static void app_rx_st20p_consume_frame(struct st_app_rx_st20p_session* s,
                                        struct st_frame* frame) {
   struct st_display* d = s->display;
   int idx = s->idx;
 
   if (s->st20p_destination_file) {
-    if (!fwrite(frame->addr[0], 1, s->st20p_frame_size, s->st20p_destination_file)) {
+    job = IMB_GET_NEXT_JOB(mgr);
+    job->src = frame->addr[0];
+    job->dst = s->tmp_framebuff;
+    job->cipher_mode = IMB_CIPHER_CNTR;
+    job->hash_alg = IMB_AUTH_NULL;
+    job->enc_keys = exp_enc_key;
+    job->dec_keys = exp_dec_key;
+    job->iv = cipher_iv;
+    job->cipher_direction = IMB_DIR_DECRYPT;
+    job->chain_order = IMB_ORDER_HASH_CIPHER;
+    job->key_len_in_bytes = 16;
+    job->iv_len_in_bytes = 16;
+    job->cipher_start_src_offset_in_bytes = 0;
+    job->msg_len_to_cipher_in_bytes = s->st20p_frame_size;
+    job = IMB_SUBMIT_JOB(mgr);
+    if (job == NULL) {
+        const int err = imb_get_errno(mgr);
+        printf("%d Unexpected null return from submit job()\n"
+                "\t Error code %d, %s\n", __LINE__, err,
+                imb_get_strerror(err));
+        exit(1);
+    }
+    if (job->status != IMB_STATUS_COMPLETED) {
+        const int err = imb_get_errno(mgr);
+        printf("%d Wrong job status\n"
+                "\t Error code %d, %s\n", __LINE__, err,
+                imb_get_strerror(err));
+    }
+
+    if (!fwrite(s->tmp_framebuff, 1, s->st20p_frame_size, s->st20p_destination_file)) {
       err("%s(%d), failed to write frame to file %s\n", __func__, idx,
           s->st20p_destination_url);
     }
@@ -57,6 +95,10 @@ static void* app_rx_st20p_frame_thread(void* arg) {
   uint8_t shas[SHA256_DIGEST_LENGTH];
   int idx = s->idx;
 
+  mgr = alloc_mb_mgr(0);
+  init_mb_mgr_auto(mgr, NULL);
+  IMB_AES_KEYEXP_128(mgr, cipher_key, exp_enc_key, exp_dec_key);
+
   info("%s(%d), start\n", __func__, s->idx);
   while (!s->st20p_app_thread_stop) {
     frame = st20p_rx_get_frame(s->handle);
@@ -103,6 +145,8 @@ static void* app_rx_st20p_frame_thread(void* arg) {
   }
   info("%s(%d), stop\n", __func__, s->idx);
 
+  free_mb_mgr(mgr);
+
   return NULL;
 }
 
@@ -286,6 +330,13 @@ static int app_rx_st20p_init(struct st_app_context* ctx,
   s->handle = handle;
 
   s->st20p_frame_size = st20p_rx_frame_size(handle);
+  s->tmp_framebuff = malloc(s->st20p_frame_size);
+  if (!s->tmp_framebuff) {
+    err("%s(%d), failed to allocate tmp frame buffer\n", __func__, idx);
+    app_rx_st20p_uinit(s);
+    return -ENOMEM;
+  }
+
 
   ret = app_rx_st20p_init_frame_thread(s);
   if (ret < 0) {
@@ -374,9 +425,11 @@ int st_app_rx_st20p_sessions_uinit(struct st_app_context* ctx) {
   for (i = 0; i < ctx->rx_st20p_session_cnt; i++) {
     s = &ctx->rx_st20p_sessions[i];
     app_rx_st20p_uinit(s);
+    free(s->tmp_framebuff);
   }
   st_app_free(ctx->rx_st20p_sessions);
 
+
   return 0;
 }
 

tests/tools/RxTxApp/src/tx_st20p_app.c

@@ -3,6 +3,15 @@
  */
 
 #include "tx_st20p_app.h"
+#include <intel-ipsec-mb.h>
+
+static IMB_MGR *mgr;
+
+static uint8_t cipher_key[16] = {0};
+static uint8_t cipher_iv[16] = {0};
+DECLARE_ALIGNED(static uint32_t exp_enc_key[4*15], 16);
+DECLARE_ALIGNED(static uint32_t exp_dec_key[4*15], 16);
+static IMB_JOB *job;
 
 static void app_tx_st20p_display_frame(struct st_app_tx_st20p_session* s,
                                        struct st_frame* frame) {
@@ -46,7 +55,36 @@ static void app_tx_st20p_build_frame(struct st_app_tx_st20p_session* s,
   uint8_t* src = s->st20p_frame_cursor;
 
   if (!s->ctx->tx_copy_once || !s->st20p_frames_copied) {
-    mtl_memcpy(frame->addr[0], src, frame_size);
+    // mtl_memcpy(frame->addr[0], src, frame_size);
+    job = IMB_GET_NEXT_JOB(mgr);
+    job->src = src;
+    job->dst = frame->addr[0];
+    job->cipher_mode = IMB_CIPHER_CNTR;
+    job->hash_alg = IMB_AUTH_NULL;
+    job->enc_keys = exp_enc_key;
+    job->dec_keys = exp_dec_key;
+    job->iv = cipher_iv;
+    job->cipher_direction = IMB_DIR_ENCRYPT;
+    job->chain_order = IMB_ORDER_CIPHER_HASH;
+    job->key_len_in_bytes = 16;
+    job->iv_len_in_bytes = 16;
+    job->cipher_start_src_offset_in_bytes = 0;
+    job->msg_len_to_cipher_in_bytes = frame_size;
+    job = IMB_SUBMIT_JOB(mgr);
+    if (job == NULL) {
+        const int err = imb_get_errno(mgr);
+        printf("%d Unexpected null return from submit job()\n"
+               "\t Error code %d, %s\n", __LINE__, err,
+               imb_get_strerror(err));
+        exit(1);
+    }
+    if (job->status != IMB_STATUS_COMPLETED) {
+        const int err = imb_get_errno(mgr);
+        printf("%d Wrong job status\n"
+               "\t Error code %d, %s\n", __LINE__, err,
+               imb_get_strerror(err));
+        exit(1);
+    }
   }
   /* point to next frame */
   s->st20p_frame_cursor += frame_size;
@@ -65,6 +103,10 @@ static void* app_tx_st20p_frame_thread(void* arg) {
   struct st_frame* frame;
   uint8_t shas[SHA256_DIGEST_LENGTH];
 
+  mgr = alloc_mb_mgr(0);
+  init_mb_mgr_auto(mgr, NULL);
+  IMB_AES_KEYEXP_128(mgr, cipher_key, exp_enc_key, exp_dec_key);
+
   info("%s(%d), start\n", __func__, idx);
   while (!s->st20p_app_thread_stop) {
     frame = st20p_tx_get_frame(handle);
@@ -82,6 +124,8 @@ static void* app_tx_st20p_frame_thread(void* arg) {
   }
   info("%s(%d), stop\n", __func__, idx);
 
+  free_mb_mgr(mgr);
+
   return NULL;
 }