Hi Anoob,
>
> Hi Akhil, Declan, Fan, Hemant, Konstantin,
>
> This patch & and a patch submitted by Archana earlier
> (http://patches.dpdk.org/project/dpdk/patch/20210630111248.746-1-
> march...@marvell.com/), aims at extending rte_crypto_op so that it can be
> used to communicate any warnings from the rte_security
> offload, such as,
>
> 1. Soft expiry : application requires a notification to renegotiate SA
> 2. L3/L4 checksum : when application offloads checksum verification of plain
> packet after IPsec processing. This need not be treated as an
> error as IPsec operation was successful and checksum generation/verification
> can be redone in software, especially if the checksum
> operation failed due to some limitations of the underlying device.
>
> Both the above will be an IPsec operation completed successfully but with
> additional information that PMD can pass on to application for
> indicating status of offloads.
>
> There are two options that we considered,
> 1. Extend the enum, rte_crypto_op_status, to cover warnings [1]
> 2. There are reserved fields in rte_cryto_op structure. So we can use bits in
> them to indicate various cases. [2]
>
> Both the submitted patches follow approach 1 (following how it's done
> currently), but we can switch to approach 2 if we think there can be
> more such "warnings" that can occur simultaneously. Can you share your
> thoughts on how we should extend the library to handle such
> cases?
>
> [1]
> https://doc.dpdk.org/api/rte__crypto_8h.html#afe16508b77c2a8dc5caf74a4e9850171
> [2] https://doc.dpdk.org/api/rte__crypto_8h_source.html
My vote would probably be for option #2 (use one of the reserved fields for it).
That way - existing code wouldn't need to be changed.
Again these warnings, it probably needs to be a bit-flags, correct?
Konstantin
> Thanks,
> Anoob
>
> > -----Original Message-----
> > From: Anoob Joseph <ano...@marvell.com>
> > Sent: Tuesday, July 20, 2021 11:16 AM
> > To: Akhil Goyal <gak...@marvell.com>; Declan Doherty
> > <declan.dohe...@intel.com>; Fan Zhang <roy.fan.zh...@intel.com>;
> > Konstantin Ananyev <konstantin.anan...@intel.com>
> > Cc: Anoob Joseph <ano...@marvell.com>; Jerin Jacob Kollanukkaran
> > <jer...@marvell.com>; Ankur Dwivedi <adwiv...@marvell.com>; Tejasree
> > Kondoj <ktejas...@marvell.com>; dev@dpdk.org
> > Subject: [PATCH 2/2] lib/security: add SA lifetime configuration
> >
> > Add SA lifetime configuration to register soft and hard expiry limits.
> > Expiry can be in units of number of packets or bytes. Crypto op status is
> > also
> > updated to cover warnings indicating soft expiry in case of lookaside
> > protocol
> > operations.
> >
> > In case of soft expiry, the packets are successfully IPsec processed but the
> > soft expiry would indicate that SA needs to be reconfigured. For inline
> > protocol capable ethdev, this would result in an eth event while for
> > lookaside
> > protocol capable cryptodev, this can be communicated via
> > `rte_crypto_op.status` field.
> >
> > In case of hard expiry, the packets will not be IPsec processed and would
> > result in error.
> >
> > Signed-off-by: Anoob Joseph <ano...@marvell.com>
> > ---
> > examples/ipsec-secgw/ipsec.c | 2 +-
> > examples/ipsec-secgw/ipsec.h | 2 +-
> > lib/cryptodev/rte_crypto.h | 7 +++++++
> > lib/security/rte_security.h | 28 ++++++++++++++++++++++++++--
> > 4 files changed, 35 insertions(+), 4 deletions(-)
> >
> > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> > index 5b032fe..4868294 100644
> > --- a/examples/ipsec-secgw/ipsec.c
> > +++ b/examples/ipsec-secgw/ipsec.c
> > @@ -49,7 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct
> > rte_security_ipsec_xform *ipsec)
> > }
> > /* TODO support for Transport */
> > }
> > - ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
> > + ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT;
> > ipsec->replay_win_sz = app_sa_prm.window_size;
> > ipsec->options.esn = app_sa_prm.enable_esn;
> > ipsec->options.udp_encap = sa->udp_encap; diff --git
> > a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index
> > ae5058d..90c81c1 100644
> > --- a/examples/ipsec-secgw/ipsec.h
> > +++ b/examples/ipsec-secgw/ipsec.h
> > @@ -23,7 +23,7 @@
> >
> > #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
> >
> > -#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
> > +#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00
> >
> > #define IV_OFFSET (sizeof(struct rte_crypto_op) + \
> > sizeof(struct rte_crypto_sym_op))
> > diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h index
> > fd5ef3a..c5a0897 100644
> > --- a/lib/cryptodev/rte_crypto.h
> > +++ b/lib/cryptodev/rte_crypto.h
> > @@ -52,6 +52,13 @@ enum rte_crypto_op_status {
> > /**< Operation failed due to invalid arguments in request */
> > RTE_CRYPTO_OP_STATUS_ERROR,
> > /**< Error handling operation */
> > + RTE_CRYPTO_OP_STATUS_WAR = 128,
> > + /**<
> > + * Operation completed successfully with warnings.
> > + * Note: All the warnings starts from here.
> > + */
> > + RTE_CRYPTO_OPSTATUS_WAR_SOFT_EXPIRY,
> > + /**< Operation completed successfully with soft expiry of lifetime */
> > };
> >
> > /**
> > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index
> > d61a55d..d633c8d 100644
> > --- a/lib/security/rte_security.h
> > +++ b/lib/security/rte_security.h
> > @@ -206,6 +206,30 @@ enum rte_security_ipsec_sa_direction { };
> >
> > /**
> > + * Configure soft and hard lifetime of an IPsec SA
> > + *
> > + * Lifetime of an IPsec SA would specify the maximum number of packets
> > +or bytes
> > + * that can be processed. IPsec operations would start failing once any
> > +hard
> > + * limit is reached.
> > + *
> > + * Soft limits can be specified to generate notification when the SA is
> > + * approaching hard limits for lifetime. For inline operations,
> > +reaching soft
> > + * expiry limit would result in raising an eth event for the same. For
> > +lookaside
> > + * operations, this would result in a warning returned in
> > + * ``rte_crypto_op.status``.
> > + */
> > +struct rte_security_ipsec_lifetime {
> > + uint64_t packets_soft_limit;
> > + /**< Soft expiry limit in number of packets */
> > + uint64_t bytes_soft_limit;
> > + /**< Soft expiry limit in bytes */
> > + uint64_t packets_hard_limit;
> > + /**< Soft expiry limit in number of packets */
> > + uint64_t bytes_hard_limit;
> > + /**< Soft expiry limit in bytes */
> > +};
> > +
> > +/**
> > * IPsec security association configuration data.
> > *
> > * This structure contains data required to create an IPsec SA security
> > session.
> > @@ -225,8 +249,8 @@ struct rte_security_ipsec_xform {
> > /**< IPsec SA Mode - transport/tunnel */
> > struct rte_security_ipsec_tunnel_param tunnel;
> > /**< Tunnel parameters, NULL for transport mode */
> > - uint64_t esn_soft_limit;
> > - /**< ESN for which the overflow event need to be raised */
> > + struct rte_security_ipsec_lifetime life;
> > + /**< IPsec SA lifetime */
> > uint32_t replay_win_sz;
> > /**< Anti replay window size to enable sequence replay attack
> > handling.
> > * replay checking is disabled if the window size is 0.
> > --
> > 2.7.4
