Added support for lookaside IPsec protocol offload. Supported cases: -AEAD -Cipher+auth
Command used for testing: ./dpdk-test-crypto-perf -c 0xf -- --devtype crypto_octeontx2 --ptest throughput --optype ipsec --cipher-algo aes-cbc --pool-sz 16384 --cipher-op encrypt --cipher-key-sz 16 --cipher-iv-sz 16 --auth-algo sha1-hmac --auth-op generate --digest-sz 16 --total-ops 10000000 --burst-sz 32 --buffer-sz 64,128,256,512,1024,1280,2048 ./dpdk-test-crypto-perf -c 0xf -- --devtype crypto_octeontx2 --ptest throughput --optype ipsec --aead-algo aes-gcm --pool-sz 16384 --aead-op encrypt --aead-key-sz 32 --aead-iv-sz 12 --aead-aad-sz 16 --digest-sz 16 --total-ops 10000000 --burst-sz 32 --buffer-sz 64,128,256,512,1024,1280,2048 Signed-off-by: Akhil Goyal <gak...@marvell.com> --- This patch is rebased over following patch to avoid conflict https://mails.dpdk.org/archives/dev/2021-August/216795.html app/test-crypto-perf/cperf_ops.c | 179 ++++++++++++++++--- app/test-crypto-perf/cperf_options.h | 1 + app/test-crypto-perf/cperf_options_parsing.c | 4 + app/test-crypto-perf/cperf_test_throughput.c | 3 +- app/test-crypto-perf/cperf_test_vectors.c | 6 +- app/test-crypto-perf/main.c | 3 +- 6 files changed, 165 insertions(+), 31 deletions(-) diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c index 4b7d66edb2..b2073f0738 100644 --- a/app/test-crypto-perf/cperf_ops.c +++ b/app/test-crypto-perf/cperf_ops.c @@ -62,7 +62,13 @@ cperf_set_ops_security(struct rte_crypto_op **ops, sym_op->m_src = (struct rte_mbuf *)((uint8_t *)ops[i] + src_buf_offset); - if (options->op_type == CPERF_PDCP) { + if (options->op_type == CPERF_PDCP || + options->op_type == CPERF_IPSEC) { + /* In case of IPsec, headroom is consumed by PMD, + * hence resetting it. + */ + sym_op->m_src->data_off = options->headroom_sz; + sym_op->m_src->buf_len = options->segment_sz; sym_op->m_src->data_len = options->test_buffer_size; sym_op->m_src->pkt_len = sym_op->m_src->data_len; @@ -565,6 +571,123 @@ cperf_set_ops_aead(struct rte_crypto_op **ops, return 0; } +static struct rte_cryptodev_sym_session * +create_ipsec_session(struct rte_mempool *sess_mp, + struct rte_mempool *priv_mp, + uint8_t dev_id, + const struct cperf_options *options, + const struct cperf_test_vector *test_vector, + uint16_t iv_offset) +{ + struct rte_crypto_sym_xform xform = {0}; + struct rte_crypto_sym_xform auth_xform = {0}; + + if (options->aead_algo != 0) { + /* Setup AEAD Parameters */ + xform.type = RTE_CRYPTO_SYM_XFORM_AEAD; + xform.next = NULL; + xform.aead.algo = options->aead_algo; + xform.aead.op = options->aead_op; + xform.aead.iv.offset = iv_offset; + xform.aead.key.data = test_vector->aead_key.data; + xform.aead.key.length = test_vector->aead_key.length; + xform.aead.iv.length = test_vector->aead_iv.length; + xform.aead.digest_length = options->digest_sz; + xform.aead.aad_length = options->aead_aad_sz; + } else if (options->cipher_algo != 0 && options->auth_algo != 0) { + /* Setup Cipher Parameters */ + xform.type = RTE_CRYPTO_SYM_XFORM_CIPHER; + xform.next = NULL; + xform.cipher.algo = options->cipher_algo; + xform.cipher.op = options->cipher_op; + xform.cipher.iv.offset = iv_offset; + xform.cipher.iv.length = test_vector->cipher_iv.length; + /* cipher different than null */ + if (options->cipher_algo != RTE_CRYPTO_CIPHER_NULL) { + xform.cipher.key.data = test_vector->cipher_key.data; + xform.cipher.key.length = + test_vector->cipher_key.length; + } else { + xform.cipher.key.data = NULL; + xform.cipher.key.length = 0; + } + + /* Setup Auth Parameters */ + auth_xform.type = RTE_CRYPTO_SYM_XFORM_AUTH; + auth_xform.next = NULL; + auth_xform.auth.algo = options->auth_algo; + auth_xform.auth.op = options->auth_op; + auth_xform.auth.iv.offset = iv_offset + + xform.cipher.iv.length; + /* auth different than null */ + if (options->auth_algo != RTE_CRYPTO_AUTH_NULL) { + auth_xform.auth.digest_length = options->digest_sz; + auth_xform.auth.key.length = + test_vector->auth_key.length; + auth_xform.auth.key.data = test_vector->auth_key.data; + auth_xform.auth.iv.length = test_vector->auth_iv.length; + } else { + auth_xform.auth.digest_length = 0; + auth_xform.auth.key.length = 0; + auth_xform.auth.key.data = NULL; + auth_xform.auth.iv.length = 0; + } + + xform.next = &auth_xform; + } else { + return NULL; + } + +#define CPERF_IPSEC_SRC_IP 0x01010101 +#define CPERF_IPSEC_DST_IP 0x02020202 +#define CPERF_IPSEC_SALT 0x0 +#define CPERF_IPSEC_DEFTTL 64 + struct rte_security_ipsec_tunnel_param tunnel = { + .type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + {.ipv4 = { + .src_ip = { .s_addr = CPERF_IPSEC_SRC_IP}, + .dst_ip = { .s_addr = CPERF_IPSEC_DST_IP}, + .dscp = 0, + .df = 0, + .ttl = CPERF_IPSEC_DEFTTL, + } }, + }; + struct rte_security_session_conf sess_conf = { + .action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_IPSEC, + {.ipsec = { + .spi = rte_lcore_id(), + /**< For testing sake, lcore_id is taken as SPI so that + * for every core a different session is created. + */ + .salt = CPERF_IPSEC_SALT, + .options = { 0 }, + .replay_win_sz = 0, + .direction = + ((options->cipher_op == + RTE_CRYPTO_CIPHER_OP_ENCRYPT) && + (options->auth_op == + RTE_CRYPTO_AUTH_OP_GENERATE)) || + (options->aead_op == + RTE_CRYPTO_AEAD_OP_ENCRYPT) ? + RTE_SECURITY_IPSEC_SA_DIR_EGRESS : + RTE_SECURITY_IPSEC_SA_DIR_INGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel = tunnel, + } }, + .userdata = NULL, + .crypto_xform = &xform + }; + + struct rte_security_ctx *ctx = (struct rte_security_ctx *) + rte_cryptodev_get_sec_ctx(dev_id); + + /* Create security session */ + return (void *)rte_security_session_create(ctx, + &sess_conf, sess_mp, priv_mp); +} + static struct rte_cryptodev_sym_session * cperf_create_session(struct rte_mempool *sess_mp, struct rte_mempool *priv_mp, @@ -675,6 +798,12 @@ cperf_create_session(struct rte_mempool *sess_mp, return (void *)rte_security_session_create(ctx, &sess_conf, sess_mp, priv_mp); } + + if (options->op_type == CPERF_IPSEC) { + return create_ipsec_session(sess_mp, priv_mp, dev_id, + options, test_vector, iv_offset); + } + if (options->op_type == CPERF_DOCSIS) { enum rte_security_docsis_direction direction; @@ -872,44 +1001,40 @@ cperf_get_op_functions(const struct cperf_options *options, op_fns->sess_create = cperf_create_session; - if (options->op_type == CPERF_ASYM_MODEX) { - op_fns->populate_ops = cperf_set_ops_asym; - return 0; - } - - if (options->op_type == CPERF_AEAD) { + switch (options->op_type) { + case CPERF_AEAD: op_fns->populate_ops = cperf_set_ops_aead; - return 0; - } + break; - if (options->op_type == CPERF_AUTH_THEN_CIPHER - || options->op_type == CPERF_CIPHER_THEN_AUTH) { + case CPERF_AUTH_THEN_CIPHER: + case CPERF_CIPHER_THEN_AUTH: op_fns->populate_ops = cperf_set_ops_cipher_auth; - return 0; - } - if (options->op_type == CPERF_AUTH_ONLY) { + break; + case CPERF_AUTH_ONLY: if (options->auth_algo == RTE_CRYPTO_AUTH_NULL) op_fns->populate_ops = cperf_set_ops_null_auth; else op_fns->populate_ops = cperf_set_ops_auth; - return 0; - } - if (options->op_type == CPERF_CIPHER_ONLY) { + break; + case CPERF_CIPHER_ONLY: if (options->cipher_algo == RTE_CRYPTO_CIPHER_NULL) op_fns->populate_ops = cperf_set_ops_null_cipher; else op_fns->populate_ops = cperf_set_ops_cipher; - return 0; - } + break; + case CPERF_ASYM_MODEX: + op_fns->populate_ops = cperf_set_ops_asym; + break; #ifdef RTE_LIB_SECURITY - if (options->op_type == CPERF_PDCP) { + case CPERF_PDCP: + case CPERF_IPSEC: + case CPERF_DOCSIS: op_fns->populate_ops = cperf_set_ops_security; - return 0; - } - if (options->op_type == CPERF_DOCSIS) { - op_fns->populate_ops = cperf_set_ops_security; - return 0; - } + break; #endif - return -1; + default: + return -1; + } + + return 0; } diff --git a/app/test-crypto-perf/cperf_options.h b/app/test-crypto-perf/cperf_options.h index f5ea2b90a5..031b238b20 100644 --- a/app/test-crypto-perf/cperf_options.h +++ b/app/test-crypto-perf/cperf_options.h @@ -80,6 +80,7 @@ enum cperf_op_type { CPERF_AEAD, CPERF_PDCP, CPERF_DOCSIS, + CPERF_IPSEC, CPERF_ASYM_MODEX }; diff --git a/app/test-crypto-perf/cperf_options_parsing.c b/app/test-crypto-perf/cperf_options_parsing.c index fcff187257..63a82c7938 100644 --- a/app/test-crypto-perf/cperf_options_parsing.c +++ b/app/test-crypto-perf/cperf_options_parsing.c @@ -458,6 +458,10 @@ parse_op_type(struct cperf_options *opts, const char *arg) cperf_op_type_strs[CPERF_DOCSIS], CPERF_DOCSIS }, + { + cperf_op_type_strs[CPERF_IPSEC], + CPERF_IPSEC + }, { cperf_op_type_strs[CPERF_ASYM_MODEX], CPERF_ASYM_MODEX diff --git a/app/test-crypto-perf/cperf_test_throughput.c b/app/test-crypto-perf/cperf_test_throughput.c index 76fcda47ff..ca65c3c883 100644 --- a/app/test-crypto-perf/cperf_test_throughput.c +++ b/app/test-crypto-perf/cperf_test_throughput.c @@ -42,7 +42,8 @@ cperf_throughput_test_free(struct cperf_throughput_ctx *ctx) } #ifdef RTE_LIB_SECURITY else if (ctx->options->op_type == CPERF_PDCP || - ctx->options->op_type == CPERF_DOCSIS) { + ctx->options->op_type == CPERF_DOCSIS || + ctx->options->op_type == CPERF_IPSEC) { struct rte_security_ctx *sec_ctx = (struct rte_security_ctx *) rte_cryptodev_get_sec_ctx(ctx->dev_id); diff --git a/app/test-crypto-perf/cperf_test_vectors.c b/app/test-crypto-perf/cperf_test_vectors.c index 4bba405961..e944583089 100644 --- a/app/test-crypto-perf/cperf_test_vectors.c +++ b/app/test-crypto-perf/cperf_test_vectors.c @@ -448,7 +448,8 @@ cperf_test_vector_get_dummy(struct cperf_options *options) t_vec->modex.elen = sizeof(perf_mod_e); } - if (options->op_type == CPERF_PDCP) { + if (options->op_type == CPERF_PDCP || + options->op_type == CPERF_IPSEC) { if (options->cipher_algo == RTE_CRYPTO_CIPHER_NULL) { t_vec->cipher_key.length = 0; t_vec->ciphertext.data = plaintext; @@ -579,7 +580,8 @@ cperf_test_vector_get_dummy(struct cperf_options *options) t_vec->auth_iv.length = options->auth_iv_sz; } - if (options->op_type == CPERF_AEAD) { + if (options->op_type == CPERF_AEAD || + options->op_type == CPERF_IPSEC) { t_vec->aead_key.length = options->aead_key_sz; t_vec->aead_key.data = aead_key; diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c index 390380898e..6fdb92fb7c 100644 --- a/app/test-crypto-perf/main.c +++ b/app/test-crypto-perf/main.c @@ -41,6 +41,7 @@ const char *cperf_op_type_strs[] = { [CPERF_AEAD] = "aead", [CPERF_PDCP] = "pdcp", [CPERF_DOCSIS] = "docsis", + [CPERF_IPSEC] = "ipsec", [CPERF_ASYM_MODEX] = "modex" }; @@ -278,9 +279,9 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs) /* Fall through */ case CPERF_PDCP: case CPERF_DOCSIS: + case CPERF_IPSEC: /* Fall through */ default: - conf.ff_disable |= RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO; } -- 2.25.1
