Re: [dpdk-dev] [PATCH v2 01/10] security: introduce CPU Crypto action type and API

Tue, 08 Oct 2019 06:43:42 -0700 

Hi Fan,

> 
> This patch introduce new RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO action type to
> security library. The type represents performing crypto operation with CPU
> cycles. The patch also includes a new API to process crypto operations in
> bulk and the function pointers for PMDs.
> 
> Signed-off-by: Fan Zhang <roy.fan.zh...@intel.com>
> ---
>  lib/librte_security/rte_security.c           | 11 ++++++
>  lib/librte_security/rte_security.h           | 53 
> +++++++++++++++++++++++++++-
>  lib/librte_security/rte_security_driver.h    | 22 ++++++++++++
>  lib/librte_security/rte_security_version.map |  1 +
>  4 files changed, 86 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/librte_security/rte_security.c 
> b/lib/librte_security/rte_security.c
> index bc81ce15d..cdd1ee6af 100644
> --- a/lib/librte_security/rte_security.c
> +++ b/lib/librte_security/rte_security.c
> @@ -141,3 +141,14 @@ rte_security_capability_get(struct rte_security_ctx 
> *instance,
> 
>       return NULL;
>  }
> +
> +int
> +rte_security_process_cpu_crypto_bulk(struct rte_security_ctx *instance,
> +             struct rte_security_session *sess,
> +             struct rte_security_vec buf[], void *iv[], void *aad[],
> +             void *digest[], int status[], uint32_t num)
> +{
> +     RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->process_cpu_crypto_bulk, -1);
> +     return instance->ops->process_cpu_crypto_bulk(sess, buf, iv,
> +                     aad, digest, status, num);
> +}
> diff --git a/lib/librte_security/rte_security.h 
> b/lib/librte_security/rte_security.h
> index aaafdfcd7..0caf5d697 100644
> --- a/lib/librte_security/rte_security.h
> +++ b/lib/librte_security/rte_security.h
> @@ -18,6 +18,7 @@ extern "C" {
>  #endif
> 
>  #include <sys/types.h>
> +#include <sys/uio.h>
> 
>  #include <netinet/in.h>
>  #include <netinet/ip.h>
> @@ -289,6 +290,20 @@ struct rte_security_pdcp_xform {
>       uint32_t hfn_ovrd;
>  };
> 
> +struct rte_security_cpu_crypto_xform {
> +     /** For cipher/authentication crypto operation the authentication may
> +      * cover more content then the cipher. E.g., for IPSec ESP encryption
> +      * with AES-CBC and SHA1-HMAC, the encryption happens after the ESP
> +      * header but whole packet (apart from MAC header) is authenticated.
> +      * The cipher_offset field is used to deduct the cipher data pointer
> +      * from the buffer to be processed.
> +      *
> +      * NOTE this parameter shall be ignored by AEAD algorithms, since it
> +      * uses the same offset for cipher and authentication.
> +      */
> +     int32_t cipher_offset;
> +};
> +
>  /**
>   * Security session action type.
>   */
> @@ -303,10 +318,14 @@ enum rte_security_session_action_type {
>       /**< All security protocol processing is performed inline during
>        * transmission
>        */
> -     RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
> +     RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
>       /**< All security protocol processing including crypto is performed
>        * on a lookaside accelerator
>        */
> +     RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
> +     /**< Crypto processing for security protocol is processed by CPU
> +      * synchronously
> +      */
>  };
> 
>  /** Security session protocol definition */
> @@ -332,6 +351,7 @@ struct rte_security_session_conf {
>               struct rte_security_ipsec_xform ipsec;
>               struct rte_security_macsec_xform macsec;
>               struct rte_security_pdcp_xform pdcp;
> +             struct rte_security_cpu_crypto_xform cpucrypto;
>       };
>       /**< Configuration parameters for security session */
>       struct rte_crypto_sym_xform *crypto_xform;
> @@ -665,6 +685,37 @@ const struct rte_security_capability *
>  rte_security_capability_get(struct rte_security_ctx *instance,
>                           struct rte_security_capability_idx *idx);
> 
> +/**
> + * Security vector structure, contains pointer to vector array and the length
> + * of the array
> + */
> +struct rte_security_vec {
> +     struct iovec *vec;
> +     uint32_t num;
> +};
> +
> +/**
> + * Processing bulk crypto workload with CPU
> + *
> + * @param    instance        security instance.
> + * @param    sess            security session
> + * @param    buf             array of buffer SGL vectors
> + * @param    iv              array of IV pointers
> + * @param    aad             array of AAD pointers
> + * @param    digest          array of digest pointers
> + * @param    status          array of status for the function to return
> + * @param    num             number of elements in each array
> + * @return
> + *  - On success, 0
> + *  - On any failure, -1

I think it is much better to retrun number of successfully process entries
(or number of failed entries - whatever is your preference).
Then user can easily determine does he need to walk through status
(and if yes till what point) or not at all.
Sorry if I wasn't clear in my previous comment.

> + */
> +__rte_experimental
> +int
> +rte_security_process_cpu_crypto_bulk(struct rte_security_ctx *instance,
> +             struct rte_security_session *sess,
> +             struct rte_security_vec buf[], void *iv[], void *aad[],
> +             void *digest[], int status[], uint32_t num);
> +
>  #ifdef __cplusplus
>  }
>  #endif
> diff --git a/lib/librte_security/rte_security_driver.h 
> b/lib/librte_security/rte_security_driver.h
> index 1b561f852..fe940fffa 100644
> --- a/lib/librte_security/rte_security_driver.h
> +++ b/lib/librte_security/rte_security_driver.h
> @@ -132,6 +132,26 @@ typedef int (*security_get_userdata_t)(void *device,
>  typedef const struct rte_security_capability *(*security_capabilities_get_t)(
>               void *device);
> 
> +/**
> + * Process security operations in bulk using CPU accelerated method.
> + *
> + * @param    sess            Security session structure.
> + * @param    buf             Buffer to the vectors to be processed.
> + * @param    iv              IV pointers.
> + * @param    aad             AAD pointers.
> + * @param    digest          Digest pointers.
> + * @param    status          Array of status value.
> + * @param    num             Number of elements in each array.
> + * @return
> + *  - On success, 0
> + *  - On any failure, -1
> + */
> +
> +typedef int (*security_process_cpu_crypto_bulk_t)(
> +             struct rte_security_session *sess,
> +             struct rte_security_vec buf[], void *iv[], void *aad[],
> +             void *digest[], int status[], uint32_t num);
> +
>  /** Security operations function pointer table */
>  struct rte_security_ops {
>       security_session_create_t session_create;
> @@ -150,6 +170,8 @@ struct rte_security_ops {
>       /**< Get userdata associated with session which processed the packet. */
>       security_capabilities_get_t capabilities_get;
>       /**< Get security capabilities. */
> +     security_process_cpu_crypto_bulk_t process_cpu_crypto_bulk;
> +     /**< Process data in bulk. */
>  };
> 
>  #ifdef __cplusplus
> diff --git a/lib/librte_security/rte_security_version.map 
> b/lib/librte_security/rte_security_version.map
> index 53267bf3c..2132e7a00 100644
> --- a/lib/librte_security/rte_security_version.map
> +++ b/lib/librte_security/rte_security_version.map
> @@ -18,4 +18,5 @@ EXPERIMENTAL {
>       rte_security_get_userdata;
>       rte_security_session_stats_get;
>       rte_security_session_update;
> +     rte_security_process_cpu_crypto_bulk;
>  };
> --
> 2.14.5

Reply via email to