Add: PoC of video frames encryption using AES-CTR

Sakoram · Sakoram · commit 51c53e9d9e13 · 2025-02-25T08:51:19.000Z
This PoC demonstrates the use of AES-CTR encryption of video frames transmitted between the Tx and Rx sessions. It shows that video frames can be treated as binary blobs that could be encrypted. The PoC uses https://github.com/intel/intel-ipsec-mb for the AES-CTR encryption. Sample file can be generated with: ``` ffmpeg -an -y -f lavfi -i \ testsrc=d=5:s=1920x1080:r=25,format=yuv422p10be -f rawvideo \ /tmp/yuv422p10le.yuv ``` To run PoC: ``` ./tests/tools/RxTxApp/build/RxTxApp --config_file \ config/tx-rx-encryption.json --test_time=10 ``` RxTxApp sends the input file in a loop, the output file can have data from the input file written to in multiple times. known issues: - There is no key exchange mechanism implemented in this PoC, the key is hardcoded in the code. - Transport format has to be the same as the input format. Mismatch causes corruption of the data - It works only for uncompressed video formats. (not for SMPTE 2110-22) - Everything is done in an application instead of in the library
diff --git a/config/tx-rx-encryption.json b/config/tx-rx-encryption.json
@@ -0,0 +1,84 @@
+{
+    "tx_no_chain": false,
+    "interfaces": [
+        {
+            "name": "0000:4b:01.0",
+            "ip": "192.168.17.101"
+        },
+        {
+            "name": "0000:4b:01.1",
+            "ip": "192.168.17.102"
+        }
+    ],
+    "tx_sessions": [
+        {
+            "dip": [
+                "192.168.17.102"
+            ],
+            "interface": [
+                0
+            ],
+            "video": [],
+            "st20p": [
+                {
+                    "replicas": 1,
+                    "start_port": 20000,
+                    "payload_type": 112,
+                    "width": 1920,
+                    "height": 1080,
+                    "fps": "p25",
+                    "interlaced": false,
+                    "device": "AUTO",
+                    "pacing": "gap",
+                    "packing": "BPM",
+                    "input_format": "YUV422RFC4175PG2BE10",
+                    "transport_format": "YUV_422_10bit",
+                    "st20p_url": "/tmp/yuv422p10be.yuv",
+                    "display": false,
+                    "enable_rtcp": false
+                }
+            ],
+            "st22p": [],
+            "st30p": [],
+            "audio": [],
+            "ancillary": [],
+            "fastmetadata": []
+        }
+    ],
+    "rx_sessions": [
+        {
+            "ip": [
+                "192.168.17.101"
+            ],
+            "interface": [
+                1
+            ],
+            "video": [],
+            "st20p": [
+                {
+                    "replicas": 1,
+                    "start_port": 20000,
+                    "payload_type": 112,
+                    "width": 1920,
+                    "height": 1080,
+                    "fps": "p25",
+                    "interlaced": false,
+                    "device": "AUTO",
+                    "pacing": "gap",
+                    "packing": "BPM",
+                    "output_format": "YUV422RFC4175PG2BE10",
+                    "transport_format": "YUV_422_10bit",
+                    "measure_latency": false,
+                    "display": false,
+                    "enable_rtcp": false,
+                    "st20p_url": "/tmp/out.yuv"
+                }
+            ],
+            "st22p": [],
+            "st30p": [],
+            "audio": [],
+            "ancillary": [],
+            "fastmetadata": []
+        }
+    ]
+}
diff --git a/tests/tools/RxTxApp/meson.build b/tests/tools/RxTxApp/meson.build
@@ -24,6 +24,8 @@ libm = cc.find_library('m', required : true)
 libpthread = cc.find_library('pthread', required : true)
 libjson_c = dependency('json-c', required : true)
 libpcap = dependency('pcap', required: true)
+libIPSec_MB = cc.find_library('IPSec_MB', required: true)
+
 
 libsdl2 = dependency('sdl2', required: false)
 if libsdl2.found()
@@ -90,5 +92,5 @@ executable('RxTxApp', sources,
   c_args : app_c_args,
   link_args: app_ld_args,
   # asan should be always the first dep
-  dependencies: [asan_dep, mtl, libjson_c, libpcap, libsdl2, libsdl2_ttf, libm, libpthread, ws2_32_dep, mman_dep, libopenssl]
+  dependencies: [asan_dep, mtl, libjson_c, libpcap, libsdl2, libsdl2_ttf, libm, libpthread, ws2_32_dep, mman_dep, libopenssl, libIPSec_MB]
 )
diff --git a/tests/tools/RxTxApp/src/app_base.h b/tests/tools/RxTxApp/src/app_base.h
@@ -558,6 +558,8 @@ struct st_app_rx_st20p_session {
 
   bool measure_latency;
   uint64_t stat_latency_us_sum;
+
+  void* tmp_framebuff;
 };
 
 struct st_app_tx_st30p_session {
diff --git a/tests/tools/RxTxApp/src/rx_st20p_app.c b/tests/tools/RxTxApp/src/rx_st20p_app.c
@@ -4,13 +4,54 @@
 
 #include "rx_st20p_app.h"
 
+#include <intel-ipsec-mb.h>
+
+static IMB_MGR* mgr;
+
+static uint8_t cipher_key[16] = {0};
+static uint8_t cipher_iv[16] = {0};
+DECLARE_ALIGNED(static uint32_t exp_enc_key[4 * 15], 16);
+DECLARE_ALIGNED(static uint32_t exp_dec_key[4 * 15], 16);
+static IMB_JOB* job;
+
 static void app_rx_st20p_consume_frame(struct st_app_rx_st20p_session* s,
                                        struct st_frame* frame) {
   struct st_display* d = s->display;
   int idx = s->idx;
 
   if (s->st20p_destination_file) {
-    if (!fwrite(frame->addr[0], 1, s->st20p_frame_size, s->st20p_destination_file)) {
+    job = IMB_GET_NEXT_JOB(mgr);
+    job->src = frame->addr[0];
+    job->dst = s->tmp_framebuff;
+    job->cipher_mode = IMB_CIPHER_CNTR;
+    job->hash_alg = IMB_AUTH_NULL;
+    job->enc_keys = exp_enc_key;
+    job->dec_keys = exp_dec_key;
+    job->iv = cipher_iv;
+    job->cipher_direction = IMB_DIR_DECRYPT;
+    job->chain_order = IMB_ORDER_HASH_CIPHER;
+    job->key_len_in_bytes = 16;
+    job->iv_len_in_bytes = 16;
+    job->cipher_start_src_offset_in_bytes = 0;
+    job->msg_len_to_cipher_in_bytes = s->st20p_frame_size;
+    job = IMB_SUBMIT_JOB(mgr);
+    if (job == NULL) {
+      const int err = imb_get_errno(mgr);
+      printf(
+          "%d Unexpected null return from submit job()\n"
+          "\t Error code %d, %s\n",
+          __LINE__, err, imb_get_strerror(err));
+      exit(1);
+    }
+    if (job->status != IMB_STATUS_COMPLETED) {
+      const int err = imb_get_errno(mgr);
+      printf(
+          "%d Wrong job status\n"
+          "\t Error code %d, %s\n",
+          __LINE__, err, imb_get_strerror(err));
+    }
+
+    if (!fwrite(s->tmp_framebuff, 1, s->st20p_frame_size, s->st20p_destination_file)) {
       err("%s(%d), failed to write frame to file %s\n", __func__, idx,
           s->st20p_destination_url);
     }
@@ -57,6 +98,10 @@ static void* app_rx_st20p_frame_thread(void* arg) {
   uint8_t shas[SHA256_DIGEST_LENGTH];
   int idx = s->idx;
 
+  mgr = alloc_mb_mgr(0);
+  init_mb_mgr_auto(mgr, NULL);
+  IMB_AES_KEYEXP_128(mgr, cipher_key, exp_enc_key, exp_dec_key);
+
   info("%s(%d), start\n", __func__, s->idx);
   while (!s->st20p_app_thread_stop) {
     frame = st20p_rx_get_frame(s->handle);
@@ -103,6 +148,8 @@ static void* app_rx_st20p_frame_thread(void* arg) {
   }
   info("%s(%d), stop\n", __func__, s->idx);
 
+  free_mb_mgr(mgr);
+
   return NULL;
 }
 
@@ -286,6 +333,12 @@ static int app_rx_st20p_init(struct st_app_context* ctx,
   s->handle = handle;
 
   s->st20p_frame_size = st20p_rx_frame_size(handle);
+  s->tmp_framebuff = malloc(s->st20p_frame_size);
+  if (!s->tmp_framebuff) {
+    err("%s(%d), failed to allocate tmp frame buffer\n", __func__, idx);
+    app_rx_st20p_uinit(s);
+    return -ENOMEM;
+  }
 
   ret = app_rx_st20p_init_frame_thread(s);
   if (ret < 0) {
@@ -374,6 +427,7 @@ int st_app_rx_st20p_sessions_uinit(struct st_app_context* ctx) {
   for (i = 0; i < ctx->rx_st20p_session_cnt; i++) {
     s = &ctx->rx_st20p_sessions[i];
     app_rx_st20p_uinit(s);
+    free(s->tmp_framebuff);
   }
   st_app_free(ctx->rx_st20p_sessions);
 
diff --git a/tests/tools/RxTxApp/src/tx_st20p_app.c b/tests/tools/RxTxApp/src/tx_st20p_app.c
@@ -4,6 +4,16 @@
 
 #include "tx_st20p_app.h"
 
+#include <intel-ipsec-mb.h>
+
+static IMB_MGR* mgr;
+
+static uint8_t cipher_key[16] = {0};
+static uint8_t cipher_iv[16] = {0};
+DECLARE_ALIGNED(static uint32_t exp_enc_key[4 * 15], 16);
+DECLARE_ALIGNED(static uint32_t exp_dec_key[4 * 15], 16);
+static IMB_JOB* job;
+
 static void app_tx_st20p_display_frame(struct st_app_tx_st20p_session* s,
                                        struct st_frame* frame) {
   struct st_display* d = s->display;
@@ -46,7 +56,38 @@ static void app_tx_st20p_build_frame(struct st_app_tx_st20p_session* s,
   uint8_t* src = s->st20p_frame_cursor;
 
   if (!s->ctx->tx_copy_once || !s->st20p_frames_copied) {
-    mtl_memcpy(frame->addr[0], src, frame_size);
+    // mtl_memcpy(frame->addr[0], src, frame_size);
+    job = IMB_GET_NEXT_JOB(mgr);
+    job->src = src;
+    job->dst = frame->addr[0];
+    job->cipher_mode = IMB_CIPHER_CNTR;
+    job->hash_alg = IMB_AUTH_NULL;
+    job->enc_keys = exp_enc_key;
+    job->dec_keys = exp_dec_key;
+    job->iv = cipher_iv;
+    job->cipher_direction = IMB_DIR_ENCRYPT;
+    job->chain_order = IMB_ORDER_CIPHER_HASH;
+    job->key_len_in_bytes = 16;
+    job->iv_len_in_bytes = 16;
+    job->cipher_start_src_offset_in_bytes = 0;
+    job->msg_len_to_cipher_in_bytes = frame_size;
+    job = IMB_SUBMIT_JOB(mgr);
+    if (job == NULL) {
+      const int err = imb_get_errno(mgr);
+      printf(
+          "%d Unexpected null return from submit job()\n"
+          "\t Error code %d, %s\n",
+          __LINE__, err, imb_get_strerror(err));
+      exit(1);
+    }
+    if (job->status != IMB_STATUS_COMPLETED) {
+      const int err = imb_get_errno(mgr);
+      printf(
+          "%d Wrong job status\n"
+          "\t Error code %d, %s\n",
+          __LINE__, err, imb_get_strerror(err));
+      exit(1);
+    }
   }
   /* point to next frame */
   s->st20p_frame_cursor += frame_size;
@@ -65,6 +106,10 @@ static void* app_tx_st20p_frame_thread(void* arg) {
   struct st_frame* frame;
   uint8_t shas[SHA256_DIGEST_LENGTH];
 
+  mgr = alloc_mb_mgr(0);
+  init_mb_mgr_auto(mgr, NULL);
+  IMB_AES_KEYEXP_128(mgr, cipher_key, exp_enc_key, exp_dec_key);
+
   info("%s(%d), start\n", __func__, idx);
   while (!s->st20p_app_thread_stop) {
     frame = st20p_tx_get_frame(handle);
@@ -82,6 +127,8 @@ static void* app_tx_st20p_frame_thread(void* arg) {
   }
   info("%s(%d), stop\n", __func__, idx);
 
+  free_mb_mgr(mgr);
+
   return NULL;
 }
 
