[dpdk-dev] [PATCH v9 1/3] app/test-pmd: add CLI for TM capability and stats
Add following CLIs to testpmd application for device traffic management; - commands to display TM capability information. (per port, per hierarchy level and per hierarchy node) - command to display hiearchy node type - stats collection Signed-off-by: Jasvinder Singh Tested-by: Yulong Pei Reviewed-by: Jingjing Wu Acked-by: Cristian Dumitrescu --- v9 change: - fix checkpatch warnings v6 change: - fix compilation warning - change port_id type to uint16_t v4 change: - remove softnic specific checks to make it generic for the devices v3 change: - Implements feedback from Pablo[1] - move TM API related CLIs into cmdline_tm.c - split patch into small patches - replace link status check with testpmd fn port_is_started() [1]http://dpdk.org/ml/archives/dev/2017-September/075748.html app/test-pmd/Makefile | 1 + app/test-pmd/cmdline.c| 20 ++ app/test-pmd/cmdline_tm.c | 681 ++ app/test-pmd/cmdline_tm.h | 44 +++ 4 files changed, 746 insertions(+) create mode 100644 app/test-pmd/cmdline_tm.c create mode 100644 app/test-pmd/cmdline_tm.h diff --git a/app/test-pmd/Makefile b/app/test-pmd/Makefile index 2c50f68..e4a6352 100644 --- a/app/test-pmd/Makefile +++ b/app/test-pmd/Makefile @@ -48,6 +48,7 @@ SRCS-y := testpmd.c SRCS-y += parameters.c SRCS-$(CONFIG_RTE_LIBRTE_CMDLINE) += cmdline.c SRCS-$(CONFIG_RTE_LIBRTE_CMDLINE) += cmdline_flow.c +SRCS-y += cmdline_tm.c SRCS-y += config.c SRCS-y += iofwd.c SRCS-y += macfwd.c diff --git a/app/test-pmd/cmdline.c b/app/test-pmd/cmdline.c index bb19d72..72e0628 100644 --- a/app/test-pmd/cmdline.c +++ b/app/test-pmd/cmdline.c @@ -99,6 +99,7 @@ #include #endif #include "testpmd.h" +#include "cmdline_tm.h" static struct cmdline *testpmd_cl; 
@@ -234,6 +235,20 @@ static void cmd_help_long_parsed(void *parsed_result, "show port (port_id) pctype mapping\n" "Get flow ptype to pctype mapping on a port\n\n" + "show port tm cap (port_id)\n" + " Display the port TM capability.\n\n" + + "show port tm level cap (port_id) (level_id)\n" + " Display the port TM hierarchical level capability.\n\n" + + "show port tm node cap (port_id) (node_id)\n" + " Display the port TM node capability.\n\n" + + "show port tm node type (port_id) (node_id)\n" + " Display the port TM node type.\n\n" + + "show port tm node stats (port_id) (node_id) (clear)\n" + " Display the port TM node stats.\n\n" ); } @@ -15596,6 +15611,11 @@ cmdline_parse_ctx_t main_ctx[] = { (cmdline_parse_inst_t *)&cmd_user_priority_region, (cmdline_parse_inst_t *)&cmd_flush_queue_region, (cmdline_parse_inst_t *)&cmd_show_queue_region_info_all, + (cmdline_parse_inst_t *)&cmd_show_port_tm_cap, + (cmdline_parse_inst_t *)&cmd_show_port_tm_level_cap, + (cmdline_parse_inst_t *)&cmd_show_port_tm_node_cap, + (cmdline_parse_inst_t *)&cmd_show_port_tm_node_type, + (cmdline_parse_inst_t *)&cmd_show_port_tm_node_stats, NULL, }; diff --git a/app/test-pmd/cmdline_tm.c b/app/test-pmd/cmdline_tm.c new file mode 100644 index 000..f024372 --- /dev/null +++ b/app/test-pmd/cmdline_tm.c 
@@ -0,0 +1,681 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2017 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIAB
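Review bot: in the app/test-pmd/Makefile hunk, `SRCS-y += cmdline_tm.c` is added unconditionally, while cmdline.c and cmdline_flow.c directly above it are built under `SRCS-$(CONFIG_RTE_LIBRTE_CMDLINE)`. The new file provides cmdline_parse_inst_t objects that are registered in main_ctx[], so it depends on the cmdline library in the same way and should use the same guard: `SRCS-$(CONFIG_RTE_LIBRTE_CMDLINE) += cmdline_tm.c`.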
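Review bot: in the cmd_help_long_parsed() hunk, the entry `show port tm node stats (port_id) (node_id) (clear)` does not say what (clear) accepts or that it resets the counters after reading them. The new entries also indent their description with a leading space, while the context entry just above ("Get flow ptype to pctype mapping on a port") does not; pick one style within the block.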
[dpdk-dev] [PATCH v9 3/3] app/test-pmd: add CLI for TM nodes and hierarchy commit
Add following CLIs in testpmd application for device traffic management; - commands to add TM hierarchy nodes (leaf and nonleaf). - command for runtime update of node weight. - command to commit the TM hierarchy Signed-off-by: Jasvinder Singh Acked-by: Cristian Dumitrescu --- v8 change: - change command defintion for leaf and nonleaf nodes (mulitple shared shapers can be specified) - pre-allocate memory for shared shaper ids array in nonleaf and leaf node add cli. - change clean_on_fail to string type in hierarchy commit cli v7 change: - fix the help info on leaf node add v5 change: - add shaper related parameters to leaf node add command v4 change: - remove softnic specific checks to make it generic for the devices app/test-pmd/cmdline.c| 27 ++ app/test-pmd/cmdline_tm.c | 651 ++ app/test-pmd/cmdline_tm.h | 5 + 3 files changed, 683 insertions(+) diff --git a/app/test-pmd/cmdline.c b/app/test-pmd/cmdline.c index 4259012..094cbb8 100644 --- a/app/test-pmd/cmdline.c +++ b/app/test-pmd/cmdline.c 
@@ -720,6 +720,28 @@ static void cmd_help_long_parsed(void *parsed_result, "del port tm node wred profile (port_id) (wred_profile_id)\n" " Delete port tm node wred profile.\n\n" + "add port tm nonleaf node (port_id) (node_id) (parent_node_id)" + " (priority) (weight) (level_id) (shaper_profile_id)" + " (n_sp_priorities) (stats_mask) (n_shared_shapers)" + " [(shared_shaper_id_0) (shared_shaper_id_1)...]\n" + " Add port tm nonleaf node.\n\n" + + "add port tm leaf node (port_id) (node_id) (parent_node_id)" + " (priority) (weight) (level_id) (shaper_profile_id)" + " (cman_mode) (wred_profile_id) (stats_mask) (n_shared_shapers)" + " [(shared_shaper_id_0) (shared_shaper_id_1)...]\n" + " Add port tm leaf node.\n\n" + + "del port tm node (port_id) (node_id)\n" + " Delete port tm node.\n\n" + + "set port tm node parent (port_id) (node_id) (parent_node_id)" + " (priority) (weight)\n" + " Set port tm node parent.\n\n" + + "port tm hierarchy commit (port_id) (clean_on_fail)\n" + " Commit tm hierarchy.\n\n" + , list_pkt_forwarding_modes() ); } @@ -15650,6 +15672,11 @@ cmdline_parse_ctx_t main_ctx[] = { (cmdline_parse_inst_t *)&cmd_add_port_tm_node_wred_profile, (cmdline_parse_inst_t *)&cmd_del_port_tm_node_wred_profile, (cmdline_parse_inst_t *)&cmd_set_port_tm_node_shaper_profile, + (cmdline_parse_inst_t *)&cmd_add_port_tm_nonleaf_node, + (cmdline_parse_inst_t *)&cmd_add_port_tm_leaf_node, + (cmdline_parse_inst_t *)&cmd_del_port_tm_node, + (cmdline_parse_inst_t *)&cmd_set_port_tm_node_parent, + (cmdline_parse_inst_t *)&cmd_port_tm_hierarchy_commit, NULL, }; diff --git a/app/test-pmd/cmdline_tm.c b/app/test-pmd/cmdline_tm.c index 38048ae..002209c 100644 --- a/app/test-pmd/cmdline_tm.c +++ b/app/test-pmd/cmdline_tm.c 
@@ -42,6 +42,17 @@ #include "testpmd.h" #include "cmdline_tm.h" +#define PARSE_DELIMITER" \f\n\r\t\v" +#define MAX_NUM_SHARED_SHAPERS 256 + +#define skip_white_spaces(pos) \ +({ \ + __typeof__(pos) _p = (pos); \ + for ( ; isspace(*_p); _p++) \ + ; \ + _p; \ +}) + /** Display TM Error Message */ static void print_err_msg(struct rte_tm_error *error) @@ -118,6 +129,100 @@ print_err_msg(struct rte_tm_error *error) error->type); } +static int +read_uint64(uint64_t *value, const char *p) +{ + char *next; + uint64_t val; + + p = skip_white_spaces(p); + if (!isdigit(*p)) + return -EINVAL; + + val = strtoul(p, &next, 10); + if (p == next) + return -EINVAL; + + p = next; + switch (*p) { + case 'T': + val *= 1024ULL; + /* fall through */ + case 'G': + val *= 1024ULL; + /* fall through */ + case 'M': + val *= 1024ULL; + /* fall through */ + case 'k': + case 'K': + val *= 1024ULL; + p++; + break; + } + + p = skip_white_spaces(p); + if (*p != '\0') + return -EINVAL; + + *value = val; + return 0; +} + +static int +read_uint32(uint32_t *value, const char *p) +{ + uint64_t val = 0; +
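Review bot: read_uint64() in cmdline_tm.c fills a uint64_t from strtoul(), which returns unsigned long and so cannot produce values above 32 bits on targets where long is 32-bit; use strtoull(). Neither the conversion nor the K/M/G/T multiplications are checked for overflow (errno == ERANGE after the call, and val > UINT64_MAX / 1024 before each multiply), so an oversized rate or size wraps silently instead of returning -EINVAL. Two smaller points in the same function: only 'k' is accepted in lower case, and isspace()/isdigit() are passed a plain char, which should be cast to unsigned char.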
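Review bot: in the cmd_help_long_parsed() hunk, `port tm hierarchy commit (port_id) (clean_on_fail)` gives no hint of the accepted values, although the v8 changelog says clean_on_fail became a string. List the accepted strings in the help line the way other string arguments are shown. The nonleaf and leaf entries should also state that exactly (n_shared_shapers) ids must follow, since MAX_NUM_SHARED_SHAPERS bounds the pre-allocated array.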
[dpdk-dev] [PATCH v9 2/3] app/test-pmd: add CLI for shaper and wred profiles
Add following CLIs in testpmd application for device traffic management; - commands to add/del shaper profile for TM hieraqrchy nodes. - commands to add/update shared shapers - commands to add/del WRED profiles for TM hiearchy leaf nodes. Signed-off-by: Jasvinder Singh Acked-by: Cristian Dumitrescu --- v7 change: - remove unnecessary checks on wred profile color string, api doesn't allow to set WRED with less than 3 colors. v6 change: - change port id type to uint16_t v5 change: - add packet length adjust parameter to add shaper profile command v4 change: - remove softnic specific checks to make it generic for the devices app/test-pmd/cmdline.c| 34 +++ app/test-pmd/cmdline_tm.c | 731 ++ app/test-pmd/cmdline_tm.h | 7 + 3 files changed, 772 insertions(+) diff --git a/app/test-pmd/cmdline.c b/app/test-pmd/cmdline.c index 72e0628..4259012 100644 --- a/app/test-pmd/cmdline.c +++ b/app/test-pmd/cmdline.c 
@@ -693,6 +693,33 @@ static void cmd_help_long_parsed(void *parsed_result, "show port (port_id) queue-region\n" "show all queue region related configuration info\n\n" + "add port tm node shaper profile (port_id) (shaper_profile_id)" + " (tb_rate) (tb_size) (packet_length_adjust)\n" + " Add port tm node private shaper profile.\n\n" + + "del port tm node shaper profile (port_id) (shaper_profile_id)\n" + " Delete port tm node private shaper profile.\n\n" + + "add port tm node shared shaper (port_id) (shared_shaper_id)" + " (shaper_profile_id)\n" + " Add/update port tm node shared shaper.\n\n" + + "del port tm node shared shaper (port_id) (shared_shaper_id)\n" + " Delete port tm node shared shaper.\n\n" + + "set port tm node shaper profile (port_id) (node_id)" + " (shaper_profile_id)\n" + " Set port tm node shaper profile.\n\n" + + "add port tm node wred profile (port_id) (wred_profile_id)" + " (color_g) (min_th_g) (max_th_g) (maxp_inv_g) (wq_log2_g)" + " (color_y) (min_th_y) (max_th_y) (maxp_inv_y) (wq_log2_y)" + " (color_r) (min_th_r) (max_th_r) (maxp_inv_r) (wq_log2_r)\n" + " Add port tm node wred profile.\n\n" + + "del port tm node wred profile (port_id) (wred_profile_id)\n" + " Delete port tm node wred profile.\n\n" + , list_pkt_forwarding_modes() ); } @@ -15616,6 +15643,13 @@ cmdline_parse_ctx_t main_ctx[] = { (cmdline_parse_inst_t *)&cmd_show_port_tm_node_cap, (cmdline_parse_inst_t *)&cmd_show_port_tm_node_type, (cmdline_parse_inst_t *)&cmd_show_port_tm_node_stats, + (cmdline_parse_inst_t *)&cmd_add_port_tm_node_shaper_profile, + (cmdline_parse_inst_t *)&cmd_del_port_tm_node_shaper_profile, + (cmdline_parse_inst_t *)&cmd_add_port_tm_node_shared_shaper, + (cmdline_parse_inst_t *)&cmd_del_port_tm_node_shared_shaper, + (cmdline_parse_inst_t *)&cmd_add_port_tm_node_wred_profile, + (cmdline_parse_inst_t *)&cmd_del_port_tm_node_wred_profile, + (cmdline_parse_inst_t *)&cmd_set_port_tm_node_shaper_profile, NULL, }; 
diff --git a/app/test-pmd/cmdline_tm.c b/app/test-pmd/cmdline_tm.c index f024372..38048ae 100644 --- a/app/test-pmd/cmdline_tm.c +++ b/app/test-pmd/cmdline_tm.c @@ -679,3 +679,734 @@ cmdline_parse_inst_t cmd_show_port_tm_node_type = { NULL, }, }; + +/* *** Add Port TM Private Shaper Profile *** */ +struct cmd_add_port_tm_node_shaper_profile_result { + cmdline_fixed_string_t add; + cmdline_fixed_string_t port; + cmdline_fixed_string_t tm; + cmdline_fixed_string_t node; + cmdline_fixed_string_t shaper; + cmdline_fixed_string_t profile; + uint16_t port_id; + uint32_t shaper_id; + uint64_t tb_rate; + uint64_t tb_size; + uint32_t pktlen_adjust; +}; + +cmdline_parse_token_string_t cmd_add_port_tm_node_shaper_profile_add = + TOKEN_STRING_INITIALIZER( + struct cmd_add_port_tm_node_shaper_profile_result, add, "add"); +cmdline_parse_token_string_t cmd_add_port_tm_node_shaper_profile_port = + TOKEN_STRING_INITIALIZER( + struct cmd_add_port_tm_node_shaper_profile_result, + port, "port"); +cmdline_parse_token_string_t cmd_add_port_tm_node_shaper_profile_tm = + TOKEN_STRING_INITIALIZER( + struct cmd_add_port_tm_node_shaper_profile_result, + tm, "tm"); +cmdline_parse_token_string_t cmd_add_port_tm_node_sha
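Review bot: in struct cmd_add_port_tm_node_shaper_profile_result, `uint32_t pktlen_adjust` cannot hold a negative value, so the (packet_length_adjust) argument from the help text can only ever add bytes; if a negative adjustment is meant to be supported, parse it as a signed 32-bit token. The field `shaper_id` is called (shaper_profile_id) in the help text, and using the same name in both places would avoid confusion with the shared shaper id added in this patch. The cmdline_parse_token_string_t objects are file-local helpers and can be static; only the cmd_* instances referenced from cmdline.c need external linkage.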
[dpdk-dev] [PATCH 03/11] examples/ipsec-secgw: Fixed create session also for aead
From: Aviad Yehezkel Search for session also with aead key Signed-off-by: Aviad Yehezkel --- examples/ipsec-secgw/ipsec.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 0afb9d6..daa1d7b 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -56,13 +56,17 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) key.cipher_algo = (uint8_t)sa->cipher_algo; key.auth_algo = (uint8_t)sa->auth_algo; + key.aead_algo = (uint8_t)sa->aead_algo; ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key, (void **)&cdev_id_qp); if (ret < 0) { RTE_LOG(ERR, IPSEC, "No cryptodev: core %u, cipher_algo %u, " - "auth_algo %u\n", key.lcore_id, key.cipher_algo, - key.auth_algo); + "auth_algo %u aead_algo %u\n", + key.lcore_id, + key.cipher_algo, + key.auth_algo, + key.aead_algo); return -1; } -- 2.7.4
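Review bot: the lookup in create_session() now always includes `key.aead_algo`, so it only matches map entries inserted with the same value in that field; for cipher+auth SAs that relies on sa->aead_algo being 0 and on add_mapping() having stored 0 there as well. Please state in the commit message that this depends on patch 02/11, which adds the field and fills it. In the log string, `auth_algo %u aead_algo %u` drops the comma that separates the other fields.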
[dpdk-dev] [PATCH 02/11] examples/ipsec-secgw: Fixed init of aead crypto devices
From: Aviad Yehezkel This was broken since new aead xfrom was introduced Signed-off-by: Aviad Yehezkel --- examples/ipsec-secgw/ipsec-secgw.c | 29 +++-- examples/ipsec-secgw/ipsec.h | 1 + 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index 99dc270..7bf692c 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -1113,7 +1113,8 @@ add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id, uint16_t qp, struct lcore_params *params, struct ipsec_ctx *ipsec_ctx, const struct rte_cryptodev_capabilities *cipher, - const struct rte_cryptodev_capabilities *auth) + const struct rte_cryptodev_capabilities *auth, + const struct rte_cryptodev_capabilities *aead) { int32_t ret = 0; unsigned long i; @@ -1124,6 +1125,8 @@ add_mapping(struct rte_hash *map, const char *str, uint16_t cdev_id, key.cipher_algo = cipher->sym.cipher.algo; if (auth) key.auth_algo = auth->sym.auth.algo; + if (aead) + key.aead_algo = aead->sym.aead.algo; ret = rte_hash_lookup(map, &key); if (ret != -ENOENT) 
@@ -1192,19 +1195,25 @@ add_cdev_mapping(struct rte_cryptodev_info *dev_info, uint16_t cdev_id, if (i->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC) continue; - if (i->sym.xform_type != RTE_CRYPTO_SYM_XFORM_CIPHER) + if (i->sym.xform_type == RTE_CRYPTO_SYM_XFORM_AEAD) { + ret |= add_mapping(map, str, cdev_id, qp, params, + ipsec_ctx, NULL, NULL, i); continue; + } - for (j = dev_info->capabilities; - j->op != RTE_CRYPTO_OP_TYPE_UNDEFINED; j++) { - if (j->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC) - continue; + if (i->sym.xform_type == RTE_CRYPTO_SYM_XFORM_CIPHER) { + for (j = dev_info->capabilities; + j->op != RTE_CRYPTO_OP_TYPE_UNDEFINED; j++) { + if (j->op != RTE_CRYPTO_OP_TYPE_SYMMETRIC) + continue; - if (j->sym.xform_type != RTE_CRYPTO_SYM_XFORM_AUTH) - continue; + if (j->sym.xform_type != RTE_CRYPTO_SYM_XFORM_AUTH) + continue; - ret |= add_mapping(map, str, cdev_id, qp, params, - ipsec_ctx, i, j); + ret |= add_mapping(map, str, cdev_id, qp, params, + ipsec_ctx, i, j, NULL); + } + continue; } } diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index da1fb1b..7d057ae 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -150,6 +150,7 @@ struct cdev_key { uint16_t lcore_id; uint8_t cipher_algo; uint8_t auth_algo; + uint8_t aead_algo; }; struct socket_ctx { -- 2.7.4
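Review bot: adding `uint8_t aead_algo` to struct cdev_key in ipsec.h brings the members to 5 bytes (one uint16_t and three uint8_t), so the struct gains a trailing padding byte. If the hash is keyed on sizeof(struct cdev_key), each key has to be cleared with memset before its fields are set, both in add_mapping() and on the lookup side, or two logically equal keys can hash differently. The same applies to the fields add_mapping() assigns only conditionally (`if (aead) key.aead_algo = ...`): they must be zero when the pointer is NULL. Separately, the `continue;` that closes the CIPHER branch in add_cdev_mapping() is the last statement of the loop body and can be dropped.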
[dpdk-dev] [PATCH 06/11] examples/ipsec-secgw: Added correct padding to tunnel mode
From: Aviad Yehezkel Signed-off-by: Aviad Yehezkel --- examples/ipsec-secgw/esp.c | 51 ++ 1 file changed, 29 insertions(+), 22 deletions(-) diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c index 56ad7a0..689e917 100644 --- a/examples/ipsec-secgw/esp.c +++ b/examples/ipsec-secgw/esp.c @@ -229,25 +229,26 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, uint8_t *padding, *new_ip, nlp; struct rte_crypto_sym_op *sym_cop; int32_t i; - uint16_t pad_payload_len, pad_len, ip_hdr_len; + uint16_t pad_payload_len, pad_len = 0; + uint16_t inner_ip_hdr_len = 0, ip_hdr_len = 0; RTE_ASSERT(m != NULL); RTE_ASSERT(sa != NULL); + RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL || + sa->flags == TRANSPORT); RTE_ASSERT(cop != NULL); - ip_hdr_len = 0; - ip4 = rte_pktmbuf_mtod(m, struct ip *); if (likely(ip4->ip_v == IPVERSION)) { - if (unlikely(sa->flags == TRANSPORT)) { - ip_hdr_len = ip4->ip_hl * 4; + ip_hdr_len = ip4->ip_hl * 4; + if (unlikely(sa->flags == TRANSPORT)) nlp = ip4->ip_p; - } else + else nlp = IPPROTO_IPIP; } else if (ip4->ip_v == IP6_VERSION) { + /* XXX No option headers supported */ + ip_hdr_len = sizeof(struct ip6_hdr); if (unlikely(sa->flags == TRANSPORT)) { - /* XXX No option headers supported */ - ip_hdr_len = sizeof(struct ip6_hdr); ip6 = (struct ip6_hdr *)ip4; nlp = ip6->ip6_nxt; } else 
@@ -259,22 +260,28 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, } /* Padded payload length */ - pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) - - ip_hdr_len + 2, sa->block_size); - pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m); - - RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL || - sa->flags == TRANSPORT); - - if (likely(sa->flags == IP4_TUNNEL)) + if (unlikely(sa->flags == TRANSPORT)) { + pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) + +sizeof(nlp) + 1 - ip_hdr_len, +sa->block_size); + pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m); + } else { + inner_ip_hdr_len = ip_hdr_len; ip_hdr_len = sizeof(struct ip); - else if (sa->flags == IP6_TUNNEL) - ip_hdr_len = sizeof(struct ip6_hdr); - else if (sa->flags != TRANSPORT) { - RTE_LOG(ERR, IPSEC_ESP, "Unsupported SA flags: 0x%x\n", - sa->flags); - return -EINVAL; + if (sa->flags == IP6_TUNNEL) + ip_hdr_len = sizeof(struct ip6_hdr); + + pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) + +sizeof(nlp) + 1, +sa->block_size); + pad_len = pad_payload_len - rte_pktmbuf_pkt_len(m); } + RTE_LOG(DEBUG, IPSEC_ESP, "rte_pktmbuf_pkt_len=%u " + "inner_ip_hdr_len=%u ip_hdr_len=%u " + "pad_payload_len=%u pad_len=%u\n", + rte_pktmbuf_pkt_len(m), + inner_ip_hdr_len, ip_hdr_len, + pad_payload_len, pad_len); /* Check maximum packet size */ if (unlikely(ip_hdr_len + sizeof(struct esp_hdr) + sa->iv_len + -- 2.7.4
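Review bot: the second esp_outbound() hunk removes the runtime `return -EINVAL` for unsupported sa->flags and relies on the RTE_ASSERT that was moved to the top of the function. RTE_ASSERT is compiled out unless asserts are enabled, so in a normal build any other flags value now falls into the else branch and is padded and encapsulated as an IPv4 tunnel; keep the explicit error return. In the same hunk, the new RTE_LOG(DEBUG, ...) is evaluated for every outbound packet and inner_ip_hdr_len exists only to feed it; guard it with a compile-time debug macro or drop it. `sizeof(nlp) + 1` for the two ESP trailer bytes would read better as a named constant, and the commit message needs a body saying what padding was wrong before.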
[dpdk-dev] [PATCH 01/11] examples/ipsec-secgw: updated MAINTAINERS file
From: Aviad Yehezkel As agreed with Sergio and Pablo Signed-off-by: Aviad Yehezkel --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index c00d6d8..d814ac1 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -919,6 +919,7 @@ F: examples/helloworld/ F: doc/guides/sample_app_ug/hello_world.rst M: Sergio Gonzalez Monroy +M: Aviad Shaul Yehezkel F: examples/ipsec-secgw/ F: doc/guides/sample_app_ug/ipsec_secgw.rst -- 2.7.4
[dpdk-dev] [PATCH 04/11] examples/ipsec-secgw: Fix aad_len for aes-gcm support
From: Aviad Yehezkel This cause auth failure issue Seems like this was broken for aes-gcm for a long time Signed-off-by: Aviad Yehezkel --- examples/ipsec-secgw/sa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 7be0e62..ef94475 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -431,7 +431,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, rule->aead_algo = algo->algo; rule->cipher_key_len = algo->key_len; rule->digest_len = algo->digest_len; - rule->aad_len = algo->key_len; + rule->aad_len = algo->aad_len; rule->block_size = algo->block_size; rule->iv_len = algo->iv_len; -- 2.7.4
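Review bot: the commit message says AES-GCM has been broken "for a long time" but has no Fixes: tag naming the commit that introduced `rule->aad_len = algo->key_len`, which is what a stable backport needs. The one-line change in parse_sa_tokens() also assumes algo->aad_len is populated for every entry of the AEAD algorithm table; that table is outside this hunk, so please confirm it or include the table change here.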
[dpdk-dev] [PATCH 09/11] examples/ipsec-secgw: Fixed ip length in case of transport
From: Aviad Yehezkel IP length was incorrect causing corrupted ICMP packets for example Signed-off-by: Aviad Yehezkel --- examples/ipsec-secgw/esp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c index 81ebf55..12c6f8c 100644 --- a/examples/ipsec-secgw/esp.c +++ b/examples/ipsec-secgw/esp.c @@ -205,13 +205,13 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa, if (likely(ip->ip_v == IPVERSION)) { memmove(ip4, ip, ip->ip_hl * 4); ip4->ip_p = *nexthdr; - ip4->ip_len = htons(rte_pktmbuf_data_len(m)); + ip4->ip_len = htons(rte_pktmbuf_pkt_len(m)); } else { ip6 = (struct ip6_hdr *)ip4; /* XXX No option headers supported */ memmove(ip6, ip, sizeof(struct ip6_hdr)); ip6->ip6_nxt = *nexthdr; - ip6->ip6_plen = htons(rte_pktmbuf_data_len(m)); + ip6->ip6_plen = htons(rte_pktmbuf_pkt_len(m)); } } else ipip_inbound(m, sizeof(struct esp_hdr) + sa->iv_len); -- 2.7.4
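Review bot: in the IPv6 branch of esp_inbound_post(), `ip6->ip6_plen = htons(rte_pktmbuf_pkt_len(m))` stores the same value the IPv4 branch stores in ip_len, but ip6_plen counts only what follows the fixed IPv6 header, whereas ip_len includes the IPv4 header. If pkt_len is measured from the start of the IP header, as the IPv4 line implies, the IPv6 value should be `rte_pktmbuf_pkt_len(m) - sizeof(struct ip6_hdr)`.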
[dpdk-dev] [PATCH 05/11] examples/ipsec-secgw: Fixed transport
From: Aviad Yehezkel Seems like transport was broken for a long time Signed-off-by: Aviad Yehezkel --- examples/ipsec-secgw/esp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c index 70bb81f..56ad7a0 100644 --- a/examples/ipsec-secgw/esp.c +++ b/examples/ipsec-secgw/esp.c @@ -306,8 +306,8 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, sizeof(struct esp_hdr) + sa->iv_len); memmove(new_ip, ip4, ip_hdr_len); esp = (struct esp_hdr *)(new_ip + ip_hdr_len); + ip4 = (struct ip *)new_ip; if (likely(ip4->ip_v == IPVERSION)) { - ip4 = (struct ip *)new_ip; ip4->ip_p = IPPROTO_ESP; ip4->ip_len = htons(rte_pktmbuf_data_len(m)); } else { -- 2.7.4
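Review bot: the commit message does not say what was wrong; from the hunk, the `ip4->ip_v` test in esp_outbound() was still reading through the pointer to the header's old location after `memmove(new_ip, ip4, ip_hdr_len)`. Please spell that out and add a Fixes: tag. The context line `ip4->ip_len = htons(rte_pktmbuf_data_len(m))` still uses data_len, while patch 09/11 switches the inbound path to pkt_len; the two directions should agree.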
[dpdk-dev] [PATCH 08/11] examples/ipsec-secgw: iv should be be64
From: Aviad Yehezkel To be compatibile with Linux kernel Signed-off-by: Aviad Yehezkel --- examples/ipsec-secgw/esp.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c index aa2233d..81ebf55 100644 --- a/examples/ipsec-secgw/esp.c +++ b/examples/ipsec-secgw/esp.c @@ -336,7 +336,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) { uint8_t *aad; - *iv = sa->seq; + *iv = rte_cpu_to_be_64(sa->seq); sym_cop->aead.data.offset = ip_hdr_len + sizeof(struct esp_hdr) + sa->iv_len; sym_cop->aead.data.length = pad_payload_len; @@ -349,7 +349,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, struct cnt_blk *icb = get_cnt_blk(m); icb->salt = sa->salt; - icb->iv = sa->seq; + icb->iv = rte_cpu_to_be_64(sa->seq); icb->cnt = rte_cpu_to_be_32(1); aad = get_aad(m); @@ -371,7 +371,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, sym_cop->cipher.data.length = pad_payload_len + sa->iv_len; break; case RTE_CRYPTO_CIPHER_AES_CTR: - *iv = sa->seq; + *iv = rte_cpu_to_be_64(sa->seq); sym_cop->cipher.data.offset = ip_hdr_len + sizeof(struct esp_hdr) + sa->iv_len; sym_cop->cipher.data.length = pad_payload_len; @@ -390,7 +390,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, struct cnt_blk *icb = get_cnt_blk(m); icb->salt = sa->salt; - icb->iv = sa->seq; + icb->iv = rte_cpu_to_be_64(sa->seq); icb->cnt = rte_cpu_to_be_32(1); switch (sa->auth_algo) { -- 2.7.4
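Review bot: `rte_cpu_to_be_64(sa->seq)` is now written out at four sites in esp_outbound() (two `*iv` assignments and two `icb->iv` assignments); compute it once into a local or a small helper so the sites cannot drift apart again. The commit message gives only "To be compatible with Linux kernel": please say what interoperability failure was seen, and whether the inbound path needs a matching change, since this diff touches only esp_outbound().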
[dpdk-dev] [PATCH 11/11] examples/ipsec-secgw: Ethernet MAC configuration is now dynamic through conf file
From: Aviad Yehezkel Signed-off-by: Aviad Yehezkel --- examples/ipsec-secgw/Makefile | 1 + examples/ipsec-secgw/ep0.cfg | 6 + examples/ipsec-secgw/ep1.cfg | 6 + examples/ipsec-secgw/eth.c | 238 + examples/ipsec-secgw/ipsec-secgw.c | 79 +++- examples/ipsec-secgw/ipsec.h | 8 ++ examples/ipsec-secgw/parser.c | 69 +++ examples/ipsec-secgw/parser.h | 35 ++ 8 files changed, 378 insertions(+), 64 deletions(-) create mode 100644 examples/ipsec-secgw/eth.c diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile index 17e9155..0dacd3c 100644 --- a/examples/ipsec-secgw/Makefile +++ b/examples/ipsec-secgw/Makefile @@ -60,6 +60,7 @@ SRCS-y += sp4.c SRCS-y += sp6.c SRCS-y += sa.c SRCS-y += rt.c +SRCS-y += eth.c SRCS-y += ipsec-secgw.c include $(RTE_SDK)/mk/rte.extapp.mk diff --git a/examples/ipsec-secgw/ep0.cfg b/examples/ipsec-secgw/ep0.cfg index 299aa9e..eda4499 100644 --- a/examples/ipsec-secgw/ep0.cfg +++ b/examples/ipsec-secgw/ep0.cfg @@ -158,3 +158,9 @@ rt ipv6 dst :::::::/116 port 2 rt ipv6 dst :::::::/116 port 3 rt ipv6 dst :::::::/116 port 2 rt ipv6 dst :::::::/116 port 3 + +#ETH Addresses +eth addr src 00:00:00:00:00:00 dst 00:16:3e:7e:94:9a port 0 +eth addr src 00:00:00:00:00:00 dst 00:16:3e:22:a1:d9 port 1 +eth addr src 00:00:00:00:00:00 dst 00:16:3e:08:69:26 port 2 +eth addr src 00:00:00:00:00:00 dst 00:16:3e:49:9e:dd port 3 diff --git a/examples/ipsec-secgw/ep1.cfg b/examples/ipsec-secgw/ep1.cfg index 3f6ff81..e6d4e26 100644 --- a/examples/ipsec-secgw/ep1.cfg +++ b/examples/ipsec-secgw/ep1.cfg @@ -158,3 +158,9 @@ rt ipv6 dst :::::::/116 port 2 rt ipv6 dst :::::::/116 port 3 rt ipv6 dst :::::::/116 port 2 rt ipv6 dst :::::::/116 port 3 + +#ETH Addresses +eth addr src 00:00:00:00:00:00 dst 00:16:3e:7e:94:9a port 0 +eth addr src 00:00:00:00:00:00 dst 00:16:3e:22:a1:d9 port 1 +eth addr src 00:00:00:00:00:00 dst 00:16:3e:08:69:26 port 2 +eth addr src 00:00:00:00:00:00 dst 00:16:3e:49:9e:dd port 3 
diff --git a/examples/ipsec-secgw/eth.c b/examples/ipsec-secgw/eth.c new file mode 100644 index 000..b4f7120 --- /dev/null +++ b/examples/ipsec-secgw/eth.c 
@@ -0,0 +1,238 @@ +/*- + * BSD LICENSE + * + * Copyright(c) 2016 Intel Corporation. All rights reserved. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * Ethernet Address + */ +#include +#include +#include +#include +#include + +#include "ipsec.h" +#include "parser.h" + +#define ETH_DST_MAX_RULES 1024 + +struct addr { + uint8_t port; + struct ether_addr src; + struct ether_addr dst; +}; + +struct addr eth_addr[ETH_DST_MAX_RULES]; +uint32_t nb_eth_addr; + +void +parse_eth_tokens(char **tokens, uint32_t n_tokens, + struct parse_status *status) +{ + uint32_t ti; + uint32_t *n_addr = NULL; + struct addr *addr = NULL; + + if (strcmp(tokens[0], "addr") == 0) { + n_addr = &nb_eth_addr; + addr = ð_addr[*n_addr]; + + APP_CHECK(*n_addr <= ETH_DST_MAX_RULES - 1, status, + "too many eth
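Review bot: the ep0.cfg and ep1.cfg hunks add the same four `eth addr` lines to both endpoints, with an all-zero source and destination MACs (00:16:3e:...) that look like they come from one particular test setup. Two endpoints of a tunnel would normally point at different peers, so either use clearly marked placeholder addresses or explain the values in a comment. The diffstat has no change under doc/, so the new `eth addr src ... dst ... port N` syntax is undocumented; please update the sample application guide in the same patch.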
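Review bot: in the new eth.c, `struct addr` stores the port as uint8_t, while port ids elsewhere are moving to uint16_t (see the v6 changelog of the testpmd TM series); use the wider type. `struct addr`, `eth_addr` and `nb_eth_addr` are very generic names for a type and two globals with external linkage: make the globals static or give them an application prefix. In parse_eth_tokens(), `addr` is derived from `*n_addr` before the APP_CHECK bound test; take the element address after the check. The header reads "Copyright(c) 2016 Intel Corporation" on a file created by this patch, which looks copied from another source file; please confirm it is intended.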
[dpdk-dev] [PATCH 07/11] examples/ipsec-secgw: Fixed physical address of aad
From: Aviad Yehezkel Signed-off-by: Aviad Yehezkel --- examples/ipsec-secgw/esp.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c index 689e917..aa2233d 100644 --- a/examples/ipsec-secgw/esp.c +++ b/examples/ipsec-secgw/esp.c @@ -355,8 +355,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, aad = get_aad(m); memcpy(aad, esp, 8); sym_cop->aead.aad.data = aad; - sym_cop->aead.aad.phys_addr = rte_pktmbuf_mtophys_offset(m, - aad - rte_pktmbuf_mtod(m, uint8_t *)); + sym_cop->aead.aad.phys_addr = rte_mem_virt2phy(aad); sym_cop->aead.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *, rte_pktmbuf_pkt_len(m) - sa->digest_len); -- 2.7.4
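Review bot: `rte_mem_virt2phy(aad)` in the AES-GCM branch of esp_outbound() runs once per packet, and that function resolves the address through a pagemap lookup rather than pointer arithmetic, which is far too slow for the data path. If the removed `rte_pktmbuf_mtophys_offset()` expression was wrong because aad lies outside the mbuf data area, derive the physical address from the mbuf's own physical base plus the offset of aad within the buffer. The commit message has no body; it should say which address was produced before and why it was wrong.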
[dpdk-dev] [PATCH 10/11] app/testpmd: compile even if ixgbe and bnxt pmds are not compiling
From: Aviad Yehezkel Signed-off-by: Aviad Yehezkel Signed-off-by: Nicolai Radu --- app/test-pmd/cmdline.c | 13 ++--- app/test-pmd/config.c | 12 +++- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/app/test-pmd/cmdline.c b/app/test-pmd/cmdline.c index bb19d72..e4a636e 100644 --- a/app/test-pmd/cmdline.c +++ b/app/test-pmd/cmdline.c @@ -7377,11 +7377,17 @@ struct cmd_set_vf_rxmode { }; static void -cmd_set_vf_rxmode_parsed(void *parsed_result, - __attribute__((unused)) struct cmdline *cl, - __attribute__((unused)) void *data) +cmd_set_vf_rxmode_parsed( +#if defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_BNXT_PMD) + void *parsed_result, +#else + __attribute__((unused)) void *parsed_result, +#endif + __attribute__((unused)) struct cmdline *cl, + __attribute__((unused)) void *data) { int ret = -ENOTSUP; +#if defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_BNXT_PMD) uint16_t rx_mode = 0; struct cmd_set_vf_rxmode *res = parsed_result; @@ -7396,6 +7402,7 @@ cmd_set_vf_rxmode_parsed(void *parsed_result, else if (!strncmp(res->mode, "MPE",3)) rx_mode |= ETH_VMDQ_ACCEPT_MULTICAST; } +#endif #ifdef RTE_LIBRTE_IXGBE_PMD if (ret == -ENOTSUP) diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c index bafe76c..d38ba82 100644 --- a/app/test-pmd/config.c +++ b/app/test-pmd/config.c @@ -3181,7 +3181,17 @@ set_queue_rate_limit(portid_t port_id, uint16_t queue_idx, uint16_t rate) } int -set_vf_rate_limit(portid_t port_id, uint16_t vf, uint16_t rate, uint64_t q_msk) +set_vf_rate_limit( + portid_t port_id, +#if defined(RTE_LIBRTE_IXGBE_PMD) || defined(RTE_LIBRTE_BNXT_PMD) + uint16_t vf, + uint16_t rate, + uint64_t q_msk) +#else + __attribute__((unused)) uint16_t vf, + __attribute__((unused)) uint16_t rate, + __attribute__((unused)) uint64_t q_msk) +#endif { int diag = -ENOTSUP; -- 2.7.4
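Review bot: placing #if/#else inside the parameter lists of cmd_set_vf_rxmode_parsed() and set_vf_rate_limit(), with the closing parenthesis of the latter duplicated in both branches, makes the signatures hard to read and easy to break on the next edit. Keep one signature per function and silence the warning in the body when neither PMD is enabled, or mark the parameters `__attribute__((unused))` unconditionally, which is harmless when they are used. The commit message should also say which configuration fails to build today.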
Re: [dpdk-dev] Shared compilation issue - mempool/octeontx: add build and log infrastructure
On Saturday 14 October 2017 11:37 AM, Hemant Agrawal wrote: > Santosh/jerin, > Your patch "mempool/octeontx: add build and log infrastructure" is > causing shared build failure for NXP's patch "event/dpaa2: support event eth > adapter", which is still under review. > http://dpdk.org/dev/patchwork/patch/30248/ > > In your patch, you have added mempool to be dependent on event, which is not > correct. > > "+DEPDIRS-mempool := bus event" Yes, Octeontx needed mbox definitions and it was defined at event area. But You are right that adding event dependency in mempool may create issues for future feature like you mentioned. > Ideally, if you have common code, you should put that in bus or mempool . > This way you can make event, net or sec etc dependent on bus or mempool and > not the otherway around. Right. Proposed change for makefile will be: diff --git a/drivers/Makefile b/drivers/Makefile index 3a5b22342..0467250aa 100644 --- a/drivers/Makefile +++ b/drivers/Makefile @@ -32,13 +32,13 @@ include $(RTE_SDK)/mk/rte.vars.mk DIRS-y += bus -DIRS-$(CONFIG_RTE_LIBRTE_EVENTDEV) += event -DEPDIRS-event := bus DIRS-y += mempool -DEPDIRS-mempool := bus event +DEPDIRS-mempool := bus DIRS-y += net DEPDIRS-net := bus mempool DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += crypto DEPDIRS-crypto := bus mempool +DIRS-$(CONFIG_RTE_LIBRTE_EVENTDEV) += event +DEPDIRS-event := bus mempool include $(RTE_SDK)/mk/rte.subdir.mk Can you give it a try and let me know your feedback. Thanks.
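Review bot: dropping `event` from `DEPDIRS-mempool` and setting `DEPDIRS-event := bus mempool` changes only the build order. The reply says the mbox definitions that octeontx mempool needs are "defined at event area", and this diff does not move them, so mempool/octeontx would still reference code under drivers/event that is now built after it. The mbox code has to move under bus or mempool in the same change, as suggested in the quoted mail, before this Makefile ordering can work for a shared build.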
[dpdk-dev] [PATCH v4 00/12] introduce security offload library
This patchset introduces the rte_security library in DPDK. This also includes the sample implementation of drivers and changes in ipsec gateway application to demonstrate its usage.

rte_security library is implemented on the idea proposed earlier [1],[2],[3] to support IPsec Inline and look aside crypto offload. Though the current focus is only on IPsec protocol, but the library is not limited to IPsec, it can be extended to other security protocols e.g. MACSEC, PDCP or DTLS.

In this library, crypto/ethernet devices can register themselves to the security library to support security offload.

The library supports 3 modes of operation
1. full protocol offload using crypto devices. (RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
2. inline ipsec using ethernet devices to perform crypto operations (RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
3. full protocol offload using ethernet devices. (RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)

The details for each mode are documented in the patchset in doc/guides/prog_guide/rte_security.rst
The modification in the application ipsec-secgw is also documented in doc/guides/sample_app_ug/ipsec_secgw.rst

This patchset is also available at:
git://dpdk.org/draft/dpdk-draft-ipsec
branch: integration_v4

changes in v4:
1. Incorporated comments from Konstantin.
2. rebased over master
3. rebased over ipsec patches sent by Aviad http://dpdk.org/ml/archives/dev/2017-October/079192.html
4. resolved multi process limitation
5. minor updates in documentation and drivers

changes in v3:
1. fixed compilation for FreeBSD
2. Incorporated comments from Pablo, John, Shahaf
3. Updated drivers for dpaa2_sec and ixgbe for some minor fixes
4. patch titles updated
5. fixed return type of rte_cryptodev_get_sec_id

changes in v2:
1. update documentation for rte_flow.
2. fixed API to unregister device to security library.
3. incorporated most of the comments from Jerin.
4. updated rte_security documentation as per the review comments from John.
5. Certain application updates for some cases.
6. updated changes in mbuf as per the comments from Olivier.

Future enhancements:
1. for full protocol offload - error handling and notification cases
2. add more security protocols
3. test application support
4. anti-replay support
5. SA time out support

Reference:
[1] http://dpdk.org/ml/archives/dev/2017-July/070793.html
[2] http://dpdk.org/ml/archives/dev/2017-July/071893.html
[3] http://dpdk.org/ml/archives/dev/2017-August/072900.html

*** BLURB HERE ***

Akhil Goyal (6):
  lib/rte_security: add security library
  doc: add details of rte security
  cryptodev: support security APIs
  mk: add rte security into build system
  crypto/dpaa2_sec: add support for protocol offload ipsec
  examples/ipsec-secgw: add support for security offload

Boris Pismenny (4):
  net: add ESP header to generic flow steering
  mbuf: add security crypto flags and mbuf fields
  ethdev: add rte flow action for crypto
  doc: add details of rte_flow security actions

Declan Doherty (1):
  ethdev: support security APIs

Radu Nicolau (1):
  net/ixgbe: enable inline ipsec

 MAINTAINERS | 6 +
 config/common_base | 6 +
 doc/api/doxy-api-index.md | 6 +-
 doc/api/doxy-api.conf | 1 +
 doc/guides/cryptodevs/features/default.ini | 1 +
 doc/guides/cryptodevs/features/dpaa2_sec.ini | 1 +
 doc/guides/prog_guide/index.rst | 1 +
 doc/guides/prog_guide/rte_flow.rst | 84 ++-
 doc/guides/prog_guide/rte_security.rst | 559 +++
 doc/guides/sample_app_ug/ipsec_secgw.rst | 52 +-
 drivers/crypto/Makefile | 2 +-
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 420 +-
 drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 62 +++
 drivers/net/Makefile | 2 +-
 drivers/net/ixgbe/Makefile | 2 +-
 drivers/net/ixgbe/base/ixgbe_osdep.h | 8 +
 drivers/net/ixgbe/ixgbe_ethdev.c | 19 +
 drivers/net/ixgbe/ixgbe_ethdev.h | 6 +-
 drivers/net/ixgbe/ixgbe_flow.c | 47 ++
 drivers/net/ixgbe/ixgbe_ipsec.c | 744 +
 drivers/net/ixgbe/ixgbe_ipsec.h | 147 +
 drivers/net/ixgbe/ixgbe_rxtx.c | 53 +-
 drivers/net/ixgbe/ixgbe_rxtx.h | 11 +-
 drivers/net/ixgbe/ixgbe_rxtx_vec_sse.c | 50 +-
 examples/ipsec-secgw/esp.c | 120 ++--
 examples/ipsec-secgw/esp.h | 10 -
 examples/ipsec-secgw/ipsec-secgw.c | 5 +
 examples/ipsec-secgw/ipsec.c | 308 --
 examples/ipsec-secgw/ipsec.h | 32 +-
 examples/ipsec-secgw/sa.c | 151 +++--
 lib/Makefile | 5 +
 lib/librte_cryptodev/rte_crypto.h | 3 +-
 lib/librte_crypt
[dpdk-dev] [PATCH v4 02/12] doc: add details of rte security
Signed-off-by: Hemant Agrawal Signed-off-by: Akhil Goyal Acked-by: John McNamara --- doc/api/doxy-api-index.md | 3 +- doc/api/doxy-api.conf | 1 + doc/guides/prog_guide/index.rst| 1 + doc/guides/prog_guide/rte_security.rst | 559 + 4 files changed, 563 insertions(+), 1 deletion(-) create mode 100644 doc/guides/prog_guide/rte_security.rst diff --git a/doc/api/doxy-api-index.md b/doc/api/doxy-api-index.md index 990815f..7c680dc 100644 --- a/doc/api/doxy-api-index.md +++ b/doc/api/doxy-api-index.md @@ -58,7 +58,8 @@ The public API headers are grouped by topics: [ixgbe] (@ref rte_pmd_ixgbe.h), [i40e] (@ref rte_pmd_i40e.h), [bnxt] (@ref rte_pmd_bnxt.h), - [crypto_scheduler] (@ref rte_cryptodev_scheduler.h) + [crypto_scheduler] (@ref rte_cryptodev_scheduler.h), + [security] (@ref rte_security.h) - **memory**: [memseg] (@ref rte_memory.h), diff --git a/doc/api/doxy-api.conf b/doc/api/doxy-api.conf index 9e9fa56..567691b 100644 --- a/doc/api/doxy-api.conf +++ b/doc/api/doxy-api.conf @@ -70,6 +70,7 @@ INPUT = doc/api/doxy-api-index.md \ lib/librte_reorder \ lib/librte_ring \ lib/librte_sched \ + lib/librte_security \ lib/librte_table \ lib/librte_timer \ lib/librte_vhost diff --git a/doc/guides/prog_guide/index.rst b/doc/guides/prog_guide/index.rst index b5ad6b8..46cb4fe 100644 --- a/doc/guides/prog_guide/index.rst +++ b/doc/guides/prog_guide/index.rst @@ -46,6 +46,7 @@ Programmer's Guide rte_flow traffic_management cryptodev_lib +rte_security link_bonding_poll_mode_drv_lib timer_lib hash_lib diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst new file mode 100644 index 000..0708856 --- /dev/null +++ b/doc/guides/prog_guide/rte_security.rst 
@@ -0,0 +1,559 @@ +.. BSD LICENSE +Copyright 2017 NXP. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +* Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. +* Redistributions in binary form must reproduce the above copyright +notice, this list of conditions and the following disclaimer in +the documentation and/or other materials provided with the +distribution. +* Neither the name of NXP nor the names of its +contributors may be used to endorse or promote products derived +from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +Security Library + + +The security library provides a framework for management and provisioning +of security protocol operations offloaded to hardware based devices. The +library defines generic APIs to create and free security sessions which can +support full protocol offload as well as inline crypto operation with +NIC or crypto devices. The framework currently only supports the IPSec protocol +and associated operations, other protocols will be added in future. 
+ +Design Principles +- + +The security library provides an additional offload capability to an existing +crypto device and/or ethernet device. + +.. code-block:: console + + +---+ + | rte_security | + +---+ + \/ ++---++--+ +| NIC PMD || CRYPTO PMD | ++---++--+ + +The supported offload types are explained in the sections below. + +Inline Crypto +~ + +RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO: +The crypto processing for security protocol (e.g. IPSec) is processed +inline during receive and transmission on NIC port. The flow based +security action should be configured on the port. + +Ingress Data path - The
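Review bot: In the new doc/guides/prog_guide/rte_security.rst the protocol name is spelled "IPSec" ("currently only supports the IPSec protocol", "(e.g. IPSec)"), while the cover letter and the rte_flow documentation in this series use "IPsec"; pick one spelling for the whole guide. In the Inline Crypto paragraph, "The crypto processing for security protocol ... is processed inline" repeats itself and could read "is performed inline". The block diagram under Design Principles is marked `.. code-block:: console`, which is meant for terminal sessions; a plain literal block would suit ASCII art better. The commit message has no description beyond the sign-offs.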
[dpdk-dev] [PATCH v4 01/12] lib/rte_security: add security library
rte_security library provides APIs for security session create/free for protocol offload or offloaded crypto operation to ethernet device. Signed-off-by: Akhil Goyal Signed-off-by: Boris Pismenny Signed-off-by: Radu Nicolau Signed-off-by: Declan Doherty Signed-off-by: Aviad Yehezkel --- lib/librte_security/Makefile | 53 +++ lib/librte_security/rte_security.c | 149 lib/librte_security/rte_security.h | 535 +++ lib/librte_security/rte_security_driver.h| 155 lib/librte_security/rte_security_version.map | 13 + 5 files changed, 905 insertions(+) create mode 100644 lib/librte_security/Makefile create mode 100644 lib/librte_security/rte_security.c create mode 100644 lib/librte_security/rte_security.h create mode 100644 lib/librte_security/rte_security_driver.h create mode 100644 lib/librte_security/rte_security_version.map diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile new file mode 100644 index 000..af87bb2 --- /dev/null +++ b/lib/librte_security/Makefile 
@@ -0,0 +1,53 @@ +# BSD LICENSE +# +# Copyright(c) 2017 Intel Corporation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ +include $(RTE_SDK)/mk/rte.vars.mk + +# library name +LIB = librte_security.a + +# library version +LIBABIVER := 1 + +# build flags +CFLAGS += -O3 +CFLAGS += $(WERROR_FLAGS) + +# library source files +SRCS-y += rte_security.c + +# export include files +SYMLINK-y-include += rte_security.h +SYMLINK-y-include += rte_security_driver.h + +# versioning export map +EXPORT_MAP := rte_security_version.map + +include $(RTE_SDK)/mk/rte.lib.mk diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c new file mode 100644 index 000..1227fca --- /dev/null +++ b/lib/librte_security/rte_security.c 
@@ -0,0 +1,149 @@ +/*- + * BSD LICENSE + * + * Copyright 2017 NXP. + * Copyright(c) 2017 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of NXP nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) A
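Review bot: The licence header of the new lib/librte_security/rte_security.c lists two copyright holders ("Copyright 2017 NXP." and "Copyright(c) 2017 Intel Corporation."), but its third clause names only one of them ("Neither the name of NXP nor the names of its contributors"), and the Makefile in the same patch carries an Intel-only header. The headers of the new files should be made consistent, with the endorsement clause matching the copyright lines in each file.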
[dpdk-dev] [PATCH v4 03/12] cryptodev: support security APIs
Security ops are added to crypto device to support protocol offloaded security operations. Signed-off-by: Akhil Goyal Signed-off-by: Declan Doherty --- doc/guides/cryptodevs/features/default.ini | 1 + lib/librte_cryptodev/rte_crypto.h | 3 ++- lib/librte_cryptodev/rte_crypto_sym.h | 2 ++ lib/librte_cryptodev/rte_cryptodev.c | 10 ++ lib/librte_cryptodev/rte_cryptodev.h | 7 +++ lib/librte_cryptodev/rte_cryptodev_version.map | 1 + 6 files changed, 23 insertions(+), 1 deletion(-) diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini index c98717a..18d66cb 100644 --- a/doc/guides/cryptodevs/features/default.ini +++ b/doc/guides/cryptodevs/features/default.ini @@ -10,6 +10,7 @@ Symmetric crypto = Asymmetric crypto = Sym operation chaining = HW Accelerated = +Protocol offload = CPU SSE= CPU AVX= CPU AVX2 = diff --git a/lib/librte_cryptodev/rte_crypto.h b/lib/librte_cryptodev/rte_crypto.h index 10fe080..3eb9ef9 100644 --- a/lib/librte_cryptodev/rte_crypto.h +++ b/lib/librte_cryptodev/rte_crypto.h @@ -86,7 +86,8 @@ enum rte_crypto_op_status { */ enum rte_crypto_op_sess_type { RTE_CRYPTO_OP_WITH_SESSION, /**< Session based crypto operation */ - RTE_CRYPTO_OP_SESSIONLESS /**< Session-less crypto operation */ + RTE_CRYPTO_OP_SESSIONLESS, /**< Session-less crypto operation */ + RTE_CRYPTO_OP_SECURITY_SESSION /**< Security session crypto operation */ }; /** diff --git a/lib/librte_cryptodev/rte_crypto_sym.h b/lib/librte_cryptodev/rte_crypto_sym.h index 0a0ea59..5992063 100644 --- a/lib/librte_cryptodev/rte_crypto_sym.h +++ b/lib/librte_cryptodev/rte_crypto_sym.h @@ -508,6 +508,8 @@ struct rte_crypto_sym_op { /**< Handle for the initialised session context */ struct rte_crypto_sym_xform *xform; /**< Session-less API crypto operation parameters */ + struct rte_security_session *sec_session; + /**< Handle for the initialised security session context */ }; RTE_STD_C11 
diff --git a/lib/librte_cryptodev/rte_cryptodev.c b/lib/librte_cryptodev/rte_cryptodev.c index e48d562..5a2495b 100644 --- a/lib/librte_cryptodev/rte_cryptodev.c +++ b/lib/librte_cryptodev/rte_cryptodev.c @@ -488,6 +488,16 @@ rte_cryptodev_devices_get(const char *driver_name, uint8_t *devices, return count; } +void * +rte_cryptodev_get_sec_ctx(uint8_t dev_id) +{ + if (rte_crypto_devices[dev_id].feature_flags & + RTE_CRYPTODEV_FF_SECURITY) + return rte_crypto_devices[dev_id].data->security_ctx; + + return NULL; +} + int rte_cryptodev_socket_id(uint8_t dev_id) { diff --git a/lib/librte_cryptodev/rte_cryptodev.h b/lib/librte_cryptodev/rte_cryptodev.h index fd0e3f1..546454b 100644 --- a/lib/librte_cryptodev/rte_cryptodev.h +++ b/lib/librte_cryptodev/rte_cryptodev.h @@ -351,6 +351,8 @@ rte_cryptodev_get_aead_algo_enum(enum rte_crypto_aead_algorithm *algo_enum, /**< Utilises CPU NEON instructions */ #defineRTE_CRYPTODEV_FF_CPU_ARM_CE (1ULL << 11) /**< Utilises ARM CPU Cryptographic Extensions */ +#defineRTE_CRYPTODEV_FF_SECURITY (1ULL << 12) +/**< Support Security Protocol Processing */ /** @@ -774,6 +776,9 @@ struct rte_cryptodev { /**< Flag indicating the device is attached */ } __rte_cache_aligned; +void * +rte_cryptodev_get_sec_ctx(uint8_t dev_id); + /** * * The data part, with no function pointers, associated with each device. @@ -802,6 +807,8 @@ struct rte_cryptodev_data { void *dev_private; /**< PMD-specific private data */ + void *security_ctx; + /**< Context for security ops */ } __rte_cache_aligned; extern struct rte_cryptodev *rte_cryptodevs; diff --git a/lib/librte_cryptodev/rte_cryptodev_version.map b/lib/librte_cryptodev/rte_cryptodev_version.map index 919b6cc..7ef1b0f 100644 --- a/lib/librte_cryptodev/rte_cryptodev_version.map +++ b/lib/librte_cryptodev/rte_cryptodev_version.map @@ -84,5 +84,6 @@ DPDK_17.11 { global: rte_cryptodev_name_get; + rte_cryptodev_get_sec_ctx; } DPDK_17.08; -- 2.9.3
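Review bot: rte_cryptodev_get_sec_ctx() in lib/librte_cryptodev/rte_cryptodev.c indexes rte_crypto_devices[dev_id] without first checking that dev_id refers to an attached device, so a caller passing an id for a slot that was never attached reads feature_flags from it and may dereference its data pointer. Validate the id first, for example with rte_cryptodev_pmd_is_valid_dev(dev_id), and return NULL otherwise, as the ethdev counterpart in patch 06/12 does with RTE_ETH_VALID_PORTID_OR_ERR_RET().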
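Review bot: The prototype of rte_cryptodev_get_sec_ctx() added to lib/librte_cryptodev/rte_cryptodev.h is exported through the DPDK_17.11 map but has no doxygen comment, and it sits between the struct rte_cryptodev and struct rte_cryptodev_data definitions rather than with the other public functions. Document the dev_id parameter, the NULL return when RTE_CRYPTODEV_FF_SECURITY is not set, and what the returned `void *` points to.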
[dpdk-dev] [PATCH v4 04/12] net: add ESP header to generic flow steering
From: Boris Pismenny The ESP header is required for IPsec crypto actions. Signed-off-by: Boris Pismenny Signed-off-by: Aviad Yehezkel --- doc/api/doxy-api-index.md | 3 ++- lib/librte_ether/rte_flow.h | 26 lib/librte_net/Makefile | 2 +- lib/librte_net/rte_esp.h| 60 + 4 files changed, 89 insertions(+), 2 deletions(-) create mode 100644 lib/librte_net/rte_esp.h diff --git a/doc/api/doxy-api-index.md b/doc/api/doxy-api-index.md index 7c680dc..d59893b 100644 --- a/doc/api/doxy-api-index.md +++ b/doc/api/doxy-api-index.md @@ -111,7 +111,8 @@ The public API headers are grouped by topics: [LPM IPv6 route] (@ref rte_lpm6.h), [ACL](@ref rte_acl.h), [EFD](@ref rte_efd.h), - [member] (@ref rte_member.h) + [member] (@ref rte_member.h), + [ESP](@ref rte_esp.h) - **QoS**: [metering] (@ref rte_meter.h), diff --git a/lib/librte_ether/rte_flow.h b/lib/librte_ether/rte_flow.h index a0ffb71..7c89089 100644 --- a/lib/librte_ether/rte_flow.h +++ b/lib/librte_ether/rte_flow.h @@ -50,6 +50,7 @@ #include #include #include +#include #ifdef __cplusplus extern "C" { @@ -336,6 +337,13 @@ enum rte_flow_item_type { * See struct rte_flow_item_gtp. */ RTE_FLOW_ITEM_TYPE_GTPU, + + /** +* Matches a ESP header. +* +* See struct rte_flow_item_esp. +*/ + RTE_FLOW_ITEM_TYPE_ESP, }; /** @@ -787,6 +795,24 @@ static const struct rte_flow_item_gtp rte_flow_item_gtp_mask = { #endif /** + * RTE_FLOW_ITEM_TYPE_ESP + * + * Matches an ESP header. + */ +struct rte_flow_item_esp { + struct esp_hdr hdr; /**< ESP header definition. */ +}; + +/** Default mask for RTE_FLOW_ITEM_TYPE_ESP. */ +#ifndef __cplusplus +static const struct rte_flow_item_esp rte_flow_item_esp_mask = { + .hdr = { + .spi = 0x, + }, +}; +#endif + +/** * Matching pattern item definition. * * A pattern is formed by stacking items starting from the lowest protocol diff --git a/lib/librte_net/Makefile b/lib/librte_net/Makefile index 56727c4..0f87b23 100644 --- a/lib/librte_net/Makefile +++ b/lib/librte_net/Makefile 
@@ -42,7 +42,7 @@ SRCS-$(CONFIG_RTE_LIBRTE_NET) := rte_net.c SRCS-$(CONFIG_RTE_LIBRTE_NET) += rte_net_crc.c # install includes -SYMLINK-$(CONFIG_RTE_LIBRTE_NET)-include := rte_ip.h rte_tcp.h rte_udp.h +SYMLINK-$(CONFIG_RTE_LIBRTE_NET)-include := rte_ip.h rte_tcp.h rte_udp.h rte_esp.h SYMLINK-$(CONFIG_RTE_LIBRTE_NET)-include += rte_sctp.h rte_icmp.h rte_arp.h SYMLINK-$(CONFIG_RTE_LIBRTE_NET)-include += rte_ether.h rte_gre.h rte_net.h SYMLINK-$(CONFIG_RTE_LIBRTE_NET)-include += rte_net_crc.h diff --git a/lib/librte_net/rte_esp.h b/lib/librte_net/rte_esp.h new file mode 100644 index 000..e228af0 --- /dev/null +++ b/lib/librte_net/rte_esp.h 
@@ -0,0 +1,60 @@ +/*- + * BSD LICENSE + * + * Copyright (c) 2016-2017, Mellanox Technologies. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _RTE_ESP_H_ +#define _RTE_ESP_H_ + +/** + * @file + * + * ESP-related defines + */ + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * ESP Header + */ +struct esp_hdr { + uint32_t spi; /**< Security Parameters Index */ + uint32_t seq; /**< packet sequence number */ +} __attribute__((__p
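Review bot: The new lib/librte_net/rte_esp.h carries a Mellanox copyright line, but the third licence clause reads "Neither the name of Intel Corporation nor the names of its contributors"; the clause should name the copyright holder of this file. In struct esp_hdr, spi and seq are declared as plain uint32_t with no statement of byte order. Since both are wire fields, declaring them as rte_be32_t, or at least saying "network byte order" in the field comments, would keep callers from comparing them against host-order values.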
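Review bot: In the lib/librte_ether/rte_flow.h hunk, the comment on the new enum value reads "Matches a ESP header." while the comment on struct rte_flow_item_esp reads "Matches an ESP header."; use "an" in both. The default-mask comment should also say that only the SPI is matched, as the rte_flow guide text in patch 08/12 does.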
[dpdk-dev] [PATCH v4 05/12] mbuf: add security crypto flags and mbuf fields
From: Boris Pismenny Add security crypto flags and update mbuf fields to support IPsec crypto offload for transmitted packets, and to indicate crypto result for received packets. Signed-off-by: Aviad Yehezkel Signed-off-by: Boris Pismenny Signed-off-by: Radu Nicolau --- lib/librte_mbuf/rte_mbuf.c | 6 ++ lib/librte_mbuf/rte_mbuf.h | 35 --- lib/librte_mbuf/rte_mbuf_ptype.c | 1 + lib/librte_mbuf/rte_mbuf_ptype.h | 11 +++ 4 files changed, 50 insertions(+), 3 deletions(-) diff --git a/lib/librte_mbuf/rte_mbuf.c b/lib/librte_mbuf/rte_mbuf.c index 0e18709..6659261 100644 --- a/lib/librte_mbuf/rte_mbuf.c +++ b/lib/librte_mbuf/rte_mbuf.c @@ -324,6 +324,8 @@ const char *rte_get_rx_ol_flag_name(uint64_t mask) case PKT_RX_QINQ_STRIPPED: return "PKT_RX_QINQ_STRIPPED"; case PKT_RX_LRO: return "PKT_RX_LRO"; case PKT_RX_TIMESTAMP: return "PKT_RX_TIMESTAMP"; + case PKT_RX_SEC_OFFLOAD: return "PKT_RX_SEC_OFFLOAD"; + case PKT_RX_SEC_OFFLOAD_FAILED: return "PKT_RX_SEC_OFFLOAD_FAILED"; default: return NULL; } } @@ -359,6 +361,8 @@ rte_get_rx_ol_flag_list(uint64_t mask, char *buf, size_t buflen) { PKT_RX_QINQ_STRIPPED, PKT_RX_QINQ_STRIPPED, NULL }, { PKT_RX_LRO, PKT_RX_LRO, NULL }, { PKT_RX_TIMESTAMP, PKT_RX_TIMESTAMP, NULL }, + { PKT_RX_SEC_OFFLOAD, PKT_RX_SEC_OFFLOAD, NULL }, + { PKT_RX_SEC_OFFLOAD_FAILED, PKT_RX_SEC_OFFLOAD_FAILED, NULL }, }; const char *name; unsigned int i; @@ -411,6 +415,7 @@ const char *rte_get_tx_ol_flag_name(uint64_t mask) case PKT_TX_TUNNEL_GENEVE: return "PKT_TX_TUNNEL_GENEVE"; case PKT_TX_TUNNEL_MPLSINUDP: return "PKT_TX_TUNNEL_MPLSINUDP"; case PKT_TX_MACSEC: return "PKT_TX_MACSEC"; + case PKT_TX_SEC_OFFLOAD: return "PKT_TX_SEC_OFFLOAD"; default: return NULL; } } @@ -444,6 +449,7 @@ rte_get_tx_ol_flag_list(uint64_t mask, char *buf, size_t buflen) { PKT_TX_TUNNEL_MPLSINUDP, PKT_TX_TUNNEL_MASK, "PKT_TX_TUNNEL_NONE" }, { PKT_TX_MACSEC, PKT_TX_MACSEC, NULL }, + { PKT_TX_SEC_OFFLOAD, PKT_TX_SEC_OFFLOAD, NULL }, }; const char *name; unsigned int i; 
diff --git a/lib/librte_mbuf/rte_mbuf.h b/lib/librte_mbuf/rte_mbuf.h index cc38040..5d478da 100644 --- a/lib/librte_mbuf/rte_mbuf.h +++ b/lib/librte_mbuf/rte_mbuf.h @@ -189,11 +189,26 @@ extern "C" { */ #define PKT_RX_TIMESTAMP (1ULL << 17) +/** + * Indicate that security offload processing was applied on the RX packet. + */ +#define PKT_RX_SEC_OFFLOAD (1ULL << 18) + +/** + * Indicate that security offload processing failed on the RX packet. + */ +#define PKT_RX_SEC_OFFLOAD_FAILED (1ULL << 19) + /* add new RX flags here */ /* add new TX flags here */ /** + * Request security offload processing on the TX packet. + */ +#define PKT_TX_SEC_OFFLOAD (1ULL << 43) + +/** * Offload the MACsec. This flag must be set by the application to enable * this offload feature for a packet to be transmitted. */ @@ -316,7 +331,8 @@ extern "C" { PKT_TX_QINQ_PKT |\ PKT_TX_VLAN_PKT |\ PKT_TX_TUNNEL_MASK | \ - PKT_TX_MACSEC) + PKT_TX_MACSEC | \ + PKT_TX_SEC_OFFLOAD) #define __RESERVED (1ULL << 61) /**< reserved for future mbuf use */ @@ -456,8 +472,21 @@ struct rte_mbuf { uint32_t l3_type:4; /**< (Outer) L3 type. */ uint32_t l4_type:4; /**< (Outer) L4 type. */ uint32_t tun_type:4; /**< Tunnel type. */ - uint32_t inner_l2_type:4; /**< Inner L2 type. */ - uint32_t inner_l3_type:4; /**< Inner L3 type. */ + RTE_STD_C11 + union { + uint8_t inner_esp_next_proto; + /**< ESP next protocol type, valid if +* RTE_PTYPE_TUNNEL_ESP tunnel type is set +* on both Tx and Rx. +*/ + __extension__ + struct { + uint8_t inner_l2_type:4; + /**< Inner L2 type. */ + uint8_t inner_l3_type:4; + /**< Inner L3 type. */ + }; + }; uint32_t inner_l4_type:4; /**< Inner L4 type. */ }; }; diff --git a/lib/librte_mbuf/rte_mbuf_ptype.c b/lib/librte_mbuf/rte_mbuf_ptype.c index a450814..a623226 100644 --- a/lib/librte_mbuf/rte_mbuf_ptype.c +++ b/lib/librte_mbuf/rte_mbuf_ptype.c @@ -91,6 +
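Review bot: In the packet_type hunk of lib/librte_mbuf/rte_mbuf.h, the two `uint32_t` bit-fields inner_l2_type:4 and inner_l3_type:4 are replaced by a union of `uint8_t inner_esp_next_proto` and `uint8_t` bit-fields, placed between `uint32_t` bit-fields (tun_type:4 before, inner_l4_type:4 after). Whether the union lands on the byte the old fields occupied, and whether the enclosing struct keeps its size, depends on how the compiler packs bit-fields of different base types. A compile-time size check (RTE_BUILD_BUG_ON on the sizeof) and a line in the commit message listing the compilers tested would make the layout claim verifiable. The field comment "valid if RTE_PTYPE_TUNNEL_ESP tunnel type is set on both Tx and Rx" is ambiguous about who sets the field in each direction and should say so explicitly.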
[dpdk-dev] [PATCH v4 07/12] ethdev: add rte flow action for crypto
From: Boris Pismenny The crypto action is specified by an application to request crypto offload for a flow. Signed-off-by: Boris Pismenny Signed-off-by: Aviad Yehezkel --- lib/librte_ether/rte_flow.h | 38 ++ 1 file changed, 38 insertions(+) diff --git a/lib/librte_ether/rte_flow.h b/lib/librte_ether/rte_flow.h index 7c89089..39f66c2 100644 --- a/lib/librte_ether/rte_flow.h +++ b/lib/librte_ether/rte_flow.h @@ -993,6 +993,13 @@ enum rte_flow_action_type { * See struct rte_flow_action_vf. */ RTE_FLOW_ACTION_TYPE_VF, + /** +* Redirects packets to security engine of current device for security +* processing as specified by security session. +* +* See struct rte_flow_action_security. +*/ + RTE_FLOW_ACTION_TYPE_SECURITY }; /** 
@@ -1086,6 +1093,37 @@ struct rte_flow_action_vf { }; /** + * RTE_FLOW_ACTION_TYPE_SECURITY + * + * Perform the security action on flows matched by the pattern items + * according to the configuration of the security session. + * + * This action modifies the payload of matched flows. For INLINE_CRYPTO, the + * security protocol headers and IV are fully provided by the application as + * specified in the flow pattern. The payload of matching packets is + * encrypted on egress, and decrypted and authenticated on ingress. + * For INLINE_PROTOCOL, the security protocol is fully offloaded to HW, + * providing full encapsulation and decapsulation of packets in security + * protocols. The flow pattern specifies both the outer security header fields + * and the inner packet fields. The security session specified in the action + * must match the pattern parameters. + * + * The security session specified in the action must be created on the same + * port as the flow action that is being specified. + * + * The ingress/egress flow attribute should match that specified in the + * security session if the security session supports the definition of the + * direction. + * + * Multiple flows can be configured to use the same security session. + * + * Non-terminating by default. + */ +struct rte_flow_action_security { + void *security_session; /**< Pointer to security session structure. */ +}; + +/** * Definition of a single action. * * A list of actions is terminated by a END action. -- 2.9.3
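Review bot: struct rte_flow_action_security in lib/librte_ether/rte_flow.h declares `void *security_session`, so any pointer is accepted at compile time and a PMD cannot distinguish a security session from other memory. A forward declaration plus `struct rte_security_session *security_session` would restore type checking without adding an include; patch 03/12 already uses that type for sec_session in struct rte_crypto_sym_op. The comment states that the session "must be created on the same port as the flow action" and that the direction "should match"; it should also say what rte_flow_validate() or rte_flow_create() is expected to return when they do not. The new RTE_FLOW_ACTION_TYPE_SECURITY enum entry lacks the trailing comma that the RTE_FLOW_ACTION_TYPE_VF entry above it has.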
[dpdk-dev] [PATCH v4 06/12] ethdev: support security APIs
From: Declan Doherty rte_flow_action type and ethdev updated to support rte_security sessions for crypto offload to ethernet device. Signed-off-by: Boris Pismenny Signed-off-by: Aviad Yehezkel Signed-off-by: Radu Nicolau Signed-off-by: Declan Doherty --- lib/librte_ether/rte_ethdev.c | 11 +++ lib/librte_ether/rte_ethdev.h | 18 -- lib/librte_ether/rte_ethdev_version.map | 1 + 3 files changed, 28 insertions(+), 2 deletions(-) diff --git a/lib/librte_ether/rte_ethdev.c b/lib/librte_ether/rte_ethdev.c index 0b1e928..9520f1e 100644 --- a/lib/librte_ether/rte_ethdev.c +++ b/lib/librte_ether/rte_ethdev.c @@ -301,6 +301,17 @@ rte_eth_dev_socket_id(uint16_t port_id) return rte_eth_devices[port_id].data->numa_node; } +void * +rte_eth_dev_get_sec_ctx(uint8_t port_id) +{ + RTE_ETH_VALID_PORTID_OR_ERR_RET(port_id, NULL); + + if (rte_eth_devices[port_id].data->dev_flags & RTE_ETH_DEV_SECURITY) + return rte_eth_devices[port_id].data->security_ctx; + + return NULL; +} + uint16_t rte_eth_dev_count(void) { diff --git a/lib/librte_ether/rte_ethdev.h b/lib/librte_ether/rte_ethdev.h index aaf02b3..159bb73 100644 --- a/lib/librte_ether/rte_ethdev.h +++ b/lib/librte_ether/rte_ethdev.h @@ -180,6 +180,8 @@ extern "C" { #include #include #include +#include + #include "rte_ether.h" #include "rte_eth_ctrl.h" #include "rte_dev_info.h" @@ -379,7 +381,8 @@ struct rte_eth_rxmode { * This bit is temporary till rxmode bitfield offloads API will * be deprecated. */ - ignore_offload_bitfield : 1; + ignore_offload_bitfield : 1, + enable_sec : 1; /**< Enable security offload */ }; /** @@ -707,8 +710,10 @@ struct rte_eth_txmode { /**< If set, reject sending out tagged pkts */ hw_vlan_reject_untagged : 1, /**< If set, reject sending out untagged pkts */ - hw_vlan_insert_pvid : 1; + hw_vlan_insert_pvid : 1, /**< If set, enable port based VLAN insertion */ + enable_sec : 1; + /**< Enable security offload */ }; /** 
@@ -969,6 +974,7 @@ struct rte_eth_conf { #define DEV_RX_OFFLOAD_VLAN (DEV_RX_OFFLOAD_VLAN_STRIP | \ DEV_RX_OFFLOAD_VLAN_FILTER | \ DEV_RX_OFFLOAD_VLAN_EXTEND) +#define DEV_RX_OFFLOAD_SECURITY 0x0100 /** * TX offload capabilities of a device. @@ -998,6 +1004,7 @@ struct rte_eth_conf { * When set application must guarantee that per-queue all mbufs comes from * the same mempool and has refcnt = 1. */ +#define DEV_TX_OFFLOAD_SECURITY 0x8000 struct rte_pci_device; @@ -1736,6 +1743,9 @@ struct rte_eth_dev { enum rte_eth_dev_state state; /**< Flag indicating the port state */ } __rte_cache_aligned; +void * +rte_eth_dev_get_sec_ctx(uint8_t port_id); + struct rte_eth_dev_sriov { uint8_t active; /**< SRIOV is active with 16, 32 or 64 pools */ uint8_t nb_q_per_pool;/**< rx queue number per pool */ @@ -1796,6 +1806,8 @@ struct rte_eth_dev_data { int numa_node; /**< NUMA node connection */ struct rte_vlan_filter_conf vlan_filter_conf; /**< VLAN filter configuration. */ + void *security_ctx; + /**< Context for security ops */ }; /** Device supports hotplug detach */ @@ -1806,6 +1818,8 @@ struct rte_eth_dev_data { #define RTE_ETH_DEV_BONDED_SLAVE 0x0004 /** Device supports device removal interrupt */ #define RTE_ETH_DEV_INTR_RMV 0x0008 +/** Device supports inline security processing */ +#define RTE_ETH_DEV_SECURITY0x0010 /** * @internal diff --git a/lib/librte_ether/rte_ethdev_version.map b/lib/librte_ether/rte_ethdev_version.map index e27f596..3cc6a64 100644 --- a/lib/librte_ether/rte_ethdev_version.map +++ b/lib/librte_ether/rte_ethdev_version.map @@ -194,5 +194,6 @@ DPDK_17.11 { rte_eth_dev_pool_ops_supported; rte_eth_dev_reset; rte_flow_error_set; + rte_eth_dev_get_sec_ctx; } DPDK_17.08; -- 2.9.3
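Review bot: rte_eth_dev_get_sec_ctx() takes `uint8_t port_id` in both lib/librte_ether/rte_ethdev.c and rte_ethdev.h, while the function directly above it in the hunk context is `rte_eth_dev_socket_id(uint16_t port_id)`. With an 8-bit parameter, a port id above 255 is truncated before RTE_ETH_VALID_PORTID_OR_ERR_RET() sees it, so the check can pass for a different port and the caller receives that port's security context. Change the parameter to uint16_t in the definition and the prototype.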
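Review bot: In rte_ethdev.h the patch adds an `enable_sec : 1` bit-field to struct rte_eth_rxmode and struct rte_eth_txmode and also defines DEV_RX_OFFLOAD_SECURITY and DEV_TX_OFFLOAD_SECURITY, so there are two ways to request the same offload. The rxmode bit is added right after ignore_offload_bitfield, whose comment says the bit-field offloads API is to be deprecated; either drop the new bit-fields or document which setting a PMD must honour. The new prototype of rte_eth_dev_get_sec_ctx() also has no doxygen comment describing the parameter and the NULL return.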
[dpdk-dev] [PATCH v4 08/12] doc: add details of rte_flow security actions
From: Boris Pismenny Signed-off-by: Boris Pismenny Reviewed-by: John McNamara --- doc/guides/prog_guide/rte_flow.rst | 84 +- 1 file changed, 82 insertions(+), 2 deletions(-) diff --git a/doc/guides/prog_guide/rte_flow.rst b/doc/guides/prog_guide/rte_flow.rst index 13e3dbe..ac1adf9 100644 --- a/doc/guides/prog_guide/rte_flow.rst +++ b/doc/guides/prog_guide/rte_flow.rst @@ -187,7 +187,7 @@ Pattern item Pattern items fall in two categories: - Matching protocol headers and packet data (ANY, RAW, ETH, VLAN, IPV4, - IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE and so on), usually + IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE, ESP and so on), usually associated with a specification structure. - Matching meta-data or affecting pattern processing (END, VOID, INVERT, PF, @@ -972,6 +972,14 @@ flow rules. - ``teid``: tunnel endpoint identifier. - Default ``mask`` matches teid only. +Item: ``ESP`` +^ + +Matches an ESP header. + +- ``hdr``: ESP header definition (``rte_esp.h``). +- Default ``mask`` matches SPI only. + Actions ~~~ @@ -989,7 +997,7 @@ They fall in three categories: additional processing by subsequent flow rules. - Other non-terminating meta actions that do not affect the fate of packets - (END, VOID, MARK, FLAG, COUNT). + (END, VOID, MARK, FLAG, COUNT, SECURITY). When several actions are combined in a flow rule, they should all have different types (e.g. dropping a packet twice is not possible). 
@@ -1371,6 +1379,78 @@ rule or if packets are not addressed to a VF in the first place. | ``vf`` | VF ID to redirect packets to | +--++ +Action: ``SECURITY`` + + +Perform the security action on flows matched by the pattern items +according to the configuration of the security session. + +This action modifies the payload of matched flows. For INLINE_CRYPTO, the +security protocol headers and IV are fully provided by the application as +specified in the flow pattern. The payload of matching packets is +encrypted on egress, and decrypted and authenticated on ingress. +For INLINE_PROTOCOL, the security protocol is fully offloaded to HW, +providing full encapsulation and decapsulation of packets in security +protocols. The flow pattern specifies both the outer security header fields +and the inner packet fields. The security session specified in the action +must match the pattern parameters. + +The security session specified in the action must be created on the same +port as the flow action that is being specified. + +The ingress/egress flow attribute should match that specified in the +security session if the security session supports the definition of the +direction. + +Multiple flows can be configured to use the same security session. + +- Non-terminating by default. + +.. _table_rte_flow_action_security: + +.. table:: SECURITY + + +--+--+ + | Field| Value| + +==+==+ + | ``security_session`` | security session to apply| + +--+--+ + +The following is an example of configuring IPsec inline using the +INLINE_CRYPTO security session: + +The encryption algorithm, keys and salt are part of the opaque +``rte_security_session``. The SA is identified according to the IP and ESP +fields in the pattern items. + +.. _table_rte_flow_item_esp_inline_example: + +.. table:: IPsec inline crypto flow pattern items. + + +---+--+ + | Index | Item | + +===+==+ + | 0 | Ethernet | + +---+--+ + | 1 | IPv4 | + +---+--+ + | 2 | ESP | + +---+--+ + | 3 | END | + +---+--+ + +.. 
_table_rte_flow_action_esp_inline_example: + +.. table:: IPsec inline flow actions. + + +---+--+ + | Index | Action | + +===+==+ + | 0 | SECURITY | + +---+--+ + | 1 | END | + +---+--+ + Negative types ~~ -- 2.9.3
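Review bot: The hunk at @@ -989 adds SECURITY to the list of "non-terminating meta actions that do not affect the fate of packets", but the new "Action: SECURITY" section states "This action modifies the payload of matched flows". The two descriptions read as contradictory to someone deciding how SECURITY may be combined with other actions. Either add a sentence in the category list explaining why a payload-modifying action is classed with END, VOID, MARK, FLAG and COUNT, or describe it separately.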
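Review bot: The "Action: SECURITY" section states three constraints (the session "must match the pattern parameters", must be "created on the same port", and the ingress/egress attribute "should match") without saying what the application sees when one is violated. State whether rule creation is expected to fail with an error or whether the result is undefined, since a rule bound to the wrong session or direction decides which packets leave the port encrypted. Also, the sentence ending "using the INLINE_CRYPTO security session:" is followed by a paragraph about keys and salt instead of the example it announces; move that paragraph above the lead-in or after the tables.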
[dpdk-dev] [PATCH v4 09/12] mk: add rte security into build system
Signed-off-by: Akhil Goyal Signed-off-by: Radu Nicolau --- MAINTAINERS| 6 ++ config/common_base | 6 ++ lib/Makefile | 5 + mk/rte.app.mk | 1 + 4 files changed, 18 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index 8518a99..bc9f9cf 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -275,6 +275,12 @@ T: git://dpdk.org/next/dpdk-next-eventdev F: lib/librte_eventdev/*eth_rx_adapter* F: test/test/test_event_eth_rx_adapter.c +Security API - EXPERIMENTAL +M: Akhil Goyal +M: Declan Doherty +T: git://dpdk.org/draft/dpdk-draft-ipsec +F: lib/librte_security/ +F: doc/guides/prog_guide/rte_security.rst Networking Drivers -- diff --git a/config/common_base b/config/common_base index d9471e8..2b15f1e 100644 --- a/config/common_base +++ b/config/common_base @@ -548,6 +548,12 @@ CONFIG_RTE_LIBRTE_PMD_MRVL_CRYPTO=n CONFIG_RTE_LIBRTE_PMD_MRVL_CRYPTO_DEBUG=n # +# Compile generic security library +# +CONFIG_RTE_LIBRTE_SECURITY=y +CONFIG_RTE_LIBRTE_SECURITY_DEBUG=n + +# # Compile generic event device library # CONFIG_RTE_LIBRTE_EVENTDEV=y diff --git a/lib/Makefile b/lib/Makefile index 86d475f..379515a 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -50,6 +50,11 @@ DEPDIRS-librte_ether += librte_mbuf DIRS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += librte_cryptodev DEPDIRS-librte_cryptodev := librte_eal librte_mempool librte_ring librte_mbuf DEPDIRS-librte_cryptodev += librte_kvargs +DEPDIRS-librte_cryptodev += librte_ether +DIRS-$(CONFIG_RTE_LIBRTE_SECURITY) += librte_security +DEPDIRS-librte_security := librte_eal librte_mempool librte_ring librte_mbuf +DEPDIRS-librte_security += librte_ether +DEPDIRS-librte_security += librte_cryptodev DIRS-$(CONFIG_RTE_LIBRTE_EVENTDEV) += librte_eventdev DEPDIRS-librte_eventdev := librte_eal librte_ring librte_ether librte_hash DIRS-$(CONFIG_RTE_LIBRTE_VHOST) += librte_vhost diff --git a/mk/rte.app.mk b/mk/rte.app.mk index 8192b98..d975fad 100644 --- a/mk/rte.app.mk +++ b/mk/rte.app.mk 
@@ -93,6 +93,7 @@ _LDLIBS-$(CONFIG_RTE_LIBRTE_MBUF) += -lrte_mbuf _LDLIBS-$(CONFIG_RTE_LIBRTE_NET)+= -lrte_net _LDLIBS-$(CONFIG_RTE_LIBRTE_ETHER) += -lrte_ethdev _LDLIBS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += -lrte_cryptodev +_LDLIBS-$(CONFIG_RTE_LIBRTE_SECURITY) += -lrte_security _LDLIBS-$(CONFIG_RTE_LIBRTE_EVENTDEV) += -lrte_eventdev _LDLIBS-$(CONFIG_RTE_LIBRTE_MEMPOOL)+= -lrte_mempool _LDLIBS-$(CONFIG_RTE_DRIVER_MEMPOOL_RING) += -lrte_mempool_ring -- 2.9.3
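Review bot: In the lib/Makefile hunk, "DEPDIRS-librte_cryptodev += librte_ether" makes cryptodev build-depend on ethdev, yet the commit message has no body and the subject only speaks of adding rte_security to the build. Explain in the commit message why cryptodev needs librte_ether, or move that line into the patch that introduces the dependency. In the same hunk "DEPDIRS-librte_security += librte_cryptodev" is unconditional while librte_cryptodev itself is only built under CONFIG_RTE_LIBRTE_CRYPTODEV, so a configuration with CONFIG_RTE_LIBRTE_SECURITY=y and cryptodev disabled should be build-tested or explicitly rejected.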
[dpdk-dev] [PATCH v4 10/12] net/ixgbe: enable inline ipsec
From: Radu Nicolau Signed-off-by: Radu Nicolau Signed-off-by: Declan Doherty --- drivers/net/Makefile | 2 +- drivers/net/ixgbe/Makefile | 2 +- drivers/net/ixgbe/base/ixgbe_osdep.h | 8 + drivers/net/ixgbe/ixgbe_ethdev.c | 19 + drivers/net/ixgbe/ixgbe_ethdev.h | 6 +- drivers/net/ixgbe/ixgbe_flow.c | 47 +++ drivers/net/ixgbe/ixgbe_ipsec.c| 744 + drivers/net/ixgbe/ixgbe_ipsec.h| 147 +++ drivers/net/ixgbe/ixgbe_rxtx.c | 53 ++- drivers/net/ixgbe/ixgbe_rxtx.h | 11 +- drivers/net/ixgbe/ixgbe_rxtx_vec_sse.c | 50 ++- 11 files changed, 1079 insertions(+), 10 deletions(-) create mode 100644 drivers/net/ixgbe/ixgbe_ipsec.c create mode 100644 drivers/net/ixgbe/ixgbe_ipsec.h diff --git a/drivers/net/Makefile b/drivers/net/Makefile index 5d2ad2f..339ff36 100644 --- a/drivers/net/Makefile +++ b/drivers/net/Makefile @@ -68,7 +68,7 @@ DEPDIRS-fm10k = $(core-libs) librte_hash DIRS-$(CONFIG_RTE_LIBRTE_I40E_PMD) += i40e DEPDIRS-i40e = $(core-libs) librte_hash DIRS-$(CONFIG_RTE_LIBRTE_IXGBE_PMD) += ixgbe -DEPDIRS-ixgbe = $(core-libs) librte_hash +DEPDIRS-ixgbe = $(core-libs) librte_hash librte_security DIRS-$(CONFIG_RTE_LIBRTE_LIO_PMD) += liquidio DEPDIRS-liquidio = $(core-libs) DIRS-$(CONFIG_RTE_LIBRTE_MLX4_PMD) += mlx4 diff --git a/drivers/net/ixgbe/Makefile b/drivers/net/ixgbe/Makefile index 95c806d..6e963c7 100644 --- a/drivers/net/ixgbe/Makefile +++ b/drivers/net/ixgbe/Makefile @@ -118,11 +118,11 @@ SRCS-$(CONFIG_RTE_IXGBE_INC_VECTOR) += ixgbe_rxtx_vec_neon.c else SRCS-$(CONFIG_RTE_IXGBE_INC_VECTOR) += ixgbe_rxtx_vec_sse.c endif - ifeq ($(CONFIG_RTE_LIBRTE_IXGBE_BYPASS),y) SRCS-$(CONFIG_RTE_LIBRTE_IXGBE_PMD) += ixgbe_bypass.c SRCS-$(CONFIG_RTE_LIBRTE_IXGBE_PMD) += ixgbe_82599_bypass.c endif +SRCS-$(CONFIG_RTE_LIBRTE_IXGBE_PMD) += ixgbe_ipsec.c SRCS-$(CONFIG_RTE_LIBRTE_IXGBE_PMD) += rte_pmd_ixgbe.c SRCS-$(CONFIG_RTE_LIBRTE_IXGBE_PMD) += ixgbe_tm.c diff --git a/drivers/net/ixgbe/base/ixgbe_osdep.h b/drivers/net/ixgbe/base/ixgbe_osdep.h index 4aab278..b132a0f 100644 
--- a/drivers/net/ixgbe/base/ixgbe_osdep.h +++ b/drivers/net/ixgbe/base/ixgbe_osdep.h @@ -161,4 +161,12 @@ static inline uint32_t ixgbe_read_addr(volatile void* addr) #define IXGBE_WRITE_REG_ARRAY(hw, reg, index, value) \ IXGBE_PCI_REG_WRITE(IXGBE_PCI_REG_ARRAY_ADDR((hw), (reg), (index)), (value)) +#define IXGBE_WRITE_REG_THEN_POLL_MASK(hw, reg, val, mask, poll_ms)\ +{ \ + uint32_t cnt = poll_ms; \ + IXGBE_WRITE_REG(hw, (reg), (val)); \ + while (((IXGBE_READ_REG(hw, (reg))) & (mask)) && (cnt--)) \ + rte_delay_ms(1);\ +} + #endif /* _IXGBE_OS_H_ */ diff --git a/drivers/net/ixgbe/ixgbe_ethdev.c b/drivers/net/ixgbe/ixgbe_ethdev.c index 14b9c53..fcabd5e 100644 --- a/drivers/net/ixgbe/ixgbe_ethdev.c +++ b/drivers/net/ixgbe/ixgbe_ethdev.c @@ -61,6 +61,7 @@ #include #include #include +#include #include "ixgbe_logs.h" #include "base/ixgbe_api.h" @@ -1132,6 +1133,7 @@ eth_ixgbe_dev_init(struct rte_eth_dev *eth_dev) IXGBE_DEV_PRIVATE_TO_FILTER_INFO(eth_dev->data->dev_private); struct ixgbe_bw_conf *bw_conf = IXGBE_DEV_PRIVATE_TO_BW_CONF(eth_dev->data->dev_private); + struct rte_security_ctx *security_instance; uint32_t ctrl_ext; uint16_t csum; int diag, i; @@ -1139,6 +1141,17 @@ eth_ixgbe_dev_init(struct rte_eth_dev *eth_dev) PMD_INIT_FUNC_TRACE(); eth_dev->dev_ops = &ixgbe_eth_dev_ops; + security_instance = rte_malloc("rte_security_instances_ops", + sizeof(struct rte_security_ctx), 0); + if (security_instance == NULL) + return -ENOMEM; + security_instance->state = RTE_SECURITY_INSTANCE_VALID; + security_instance->device = (void *)eth_dev; + security_instance->ops = &ixgbe_security_ops; + security_instance->sess_cnt = 0; + + eth_dev->data->security_ctx = security_instance; + eth_dev->rx_pkt_burst = &ixgbe_recv_pkts; eth_dev->tx_pkt_burst = &ixgbe_xmit_pkts; eth_dev->tx_pkt_prepare = &ixgbe_prep_pkts; 
@@ -1169,6 +1182,7 @@ eth_ixgbe_dev_init(struct rte_eth_dev *eth_dev) rte_eth_copy_pci_info(eth_dev, pci_dev); eth_dev->data->dev_flags |= RTE_ETH_DEV_DETACHABLE; + eth_dev->data->dev_flags |= RTE_ETH_DEV_SECURITY; /* Vendor and Device ID need to be set before init of shared code */ hw->device_id = pci_dev->id.device_id; @@ -1401,6 +1415,8 @@ eth_ixgbe_dev_uninit(struct rte_eth_dev *eth_dev) /* Remove all Traffic Manager configuration */ ixgbe_tm_conf_uninit(eth_dev); + rte_free(eth_dev->data->security_ctx); +
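Review bot: In drivers/net/Makefile, "DEPDIRS-ixgbe = $(core-libs) librte_hash librte_security" and, in drivers/net/ixgbe/Makefile, the ixgbe_ipsec.c source line are both unconditional on the security library, while patch 09/12 of this series makes that library optional through CONFIG_RTE_LIBRTE_SECURITY. With the option set to n the ixgbe PMD would depend on a directory that is not built. Guard the dependency, the source file and the security code paths with the config option, or state that ixgbe now requires it.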
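Review bot: IXGBE_WRITE_REG_THEN_POLL_MASK in ixgbe_osdep.h gives its caller no way to tell whether the masked bits cleared or the poll_ms budget ran out; the while loop ends the same way in both cases and the macro yields no value. For register writes that program IPsec state, a silent timeout means the caller carries on as if the hardware had accepted the entry. Turn it into a static inline function returning success or a timeout error. If it stays a macro, wrap the body in do { } while (0) instead of bare braces and parenthesize poll_ms in "uint32_t cnt = poll_ms;".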
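Review bot: In eth_ixgbe_dev_init() the security context is allocated and stored in eth_dev->data->security_ctx in the same block that sets the per-process function pointers (rx_pkt_burst, tx_pkt_burst, tx_pkt_prepare). eth_dev->data is shared between primary and secondary processes, so if this part of the function also runs in a secondary process, each secondary allocates a new rte_security_ctx and overwrites the pointer the primary stored, leaking the earlier allocation and resetting sess_cnt to 0. Please confirm the allocation happens only in the primary process, or move it after the process-type check.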
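Review bot: "eth_dev->data->dev_flags |= RTE_ETH_DEV_SECURITY;" is set unconditionally for every device this PMD initialises, with no check of the MAC type or of any hardware capability in the hunk. rte_eth_dev_get_sec_ctx() from patch 07/12 uses exactly this flag to decide whether to hand out a security context, so an adapter without the IPsec engine would still advertise inline security. Set the flag, and allocate the context, only after the device has been identified as supporting the offload.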
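Review bot: In eth_ixgbe_dev_uninit(), the part of the hunk shown calls "rte_free(eth_dev->data->security_ctx);" but does not set the pointer to NULL or clear RTE_ETH_DEV_SECURITY from dev_flags. rte_eth_dev_get_sec_ctx() would then keep returning the freed pointer for this port, and a later call through it is a use-after-free. Set security_ctx to NULL and clear the flag right after the free, unless the cut-off remainder of the hunk already does so.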
[dpdk-dev] [PATCH v4 12/12] examples/ipsec-secgw: add support for security offload
Ipsec-secgw application is modified so that it can support following type of actions for crypto operations 1. full protocol offload using crypto devices. 2. inline ipsec using ethernet devices to perform crypto operations 3. full protocol offload using ethernet devices. 4. non protocol offload Signed-off-by: Akhil Goyal Signed-off-by: Radu Nicolau Signed-off-by: Boris Pismenny Signed-off-by: Declan Doherty Signed-off-by: Aviad Yehezkel --- doc/guides/sample_app_ug/ipsec_secgw.rst | 52 +- examples/ipsec-secgw/esp.c | 120 examples/ipsec-secgw/esp.h | 10 - examples/ipsec-secgw/ipsec-secgw.c | 5 + examples/ipsec-secgw/ipsec.c | 308 ++- examples/ipsec-secgw/ipsec.h | 32 +++- examples/ipsec-secgw/sa.c| 151 +++ 7 files changed, 545 insertions(+), 133 deletions(-) diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst index b675cba..892977e 100644 --- a/doc/guides/sample_app_ug/ipsec_secgw.rst +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst 
@@ -52,13 +52,22 @@ The application classifies the ports as *Protected* and *Unprotected*. Thus, traffic received on an Unprotected or Protected port is consider Inbound or Outbound respectively. +The application also supports complete IPSec protocol offload to hardware +(Look aside crypto accelarator or using ethernet device). It also support +inline ipsec processing by the supported ethernet device during transmission. +These modes can be selected during the SA creation configuration. + +In case of complete protocol offload, the processing of headers(ESP and outer +IP header) is done by the hardware and the application does not need to +add/remove them during outbound/inbound processing. + The Path for IPsec Inbound traffic is: * Read packets from the port. * Classify packets between IPv4 and ESP. * Perform Inbound SA lookup for ESP packets based on their SPI. -* Perform Verification/Decryption. -* Remove ESP and outer IP header +* Perform Verification/Decryption (Not needed in case of inline ipsec). +* Remove ESP and outer IP header (Not needed in case of protocol offload). * Inbound SP check using ACL of decrypted packets and any other IPv4 packets. * Routing. * Write packet to port. @@ -68,8 +77,8 @@ The Path for the IPsec Outbound traffic is: * Read packets from the port. * Perform Outbound SP check using ACL of all IPv4 traffic. * Perform Outbound SA lookup for packets that need IPsec protection. -* Add ESP and outer IP header. -* Perform Encryption/Digest. +* Add ESP and outer IP header (Not needed in case protocol offload). +* Perform Encryption/Digest (Not needed in case of inline ipsec). * Routing. * Write packet to port. @@ -385,7 +394,7 @@ The SA rule syntax is shown as follows: .. code-block:: console sa - + where each options means: 
@@ -526,6 +535,34 @@ where each options means: * *dst X.X.X.X* for IPv4 * *dst :::::::* for IPv6 + + + * Action type to specify the security action. This option specify + the SA to be performed with look aside protocol offload to HW + accelerator or protocol offload on ethernet device or inline + crypto processing on the ethernet device during transmission. + + * Optional: Yes, default type *no-offload* + + * Available options: + + * *lookaside-protocol-offload*: look aside protocol offload to HW accelerator + * *inline-protocol-offload*: inline protocol offload on ethernet device + * *inline-crypto-offload*: inline crypto processing on ethernet device + * *no-offload*: no offloading to hardware + + + + * Port/device ID of the ethernet/crypto accelerator for which the SA is + configured. This option is used when *type* is NOT *no-offload* + + * Optional: No, if *type* is not *no-offload* + + * Syntax: + + * *port_id X* X is a valid device number in decimal + + Example SA rules: .. code-block:: console @@ -545,6 +582,11 @@ Example SA rules: aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5 +sa out 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ +auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ +type lookaside-protocol-offload port_id 4 + Routing rule syntax ^^^ diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c index 12c6f8c..781b162 100644 --- a/examples/ipsec-secgw/esp.c +++ b/examples/ipsec-secgw/esp.c @@ -58,8 +58,11 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa, struct rte_crypto_sym_op *sym_cop; int32_t payload_len, ip_hdr_len; - RTE_ASSERT(m != NULL); RTE_ASSERT(sa != NULL); + if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE
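Review bot: The paragraph added at @@ -52 says inline IPsec processing is done by the ethernet device "during transmission", but the inbound path a few lines below is changed to "Perform Verification/Decryption (Not needed in case of inline ipsec)". A reader cannot tell from this whether inline mode covers receive as well as transmit, which matters when deciding whether inbound packets still need software verification. Say explicitly which directions are handled inline. The same paragraph also has "accelarator" for "accelerator" and "It also support" for "It also supports".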
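Review bot: The port_id description added at @@ -526 reads "Port/device ID of the ethernet/crypto accelerator" and does not say which id space applies to which type; the example rule pairs "type lookaside-protocol-offload" with "port_id 4" without saying whether 4 is a crypto device id or an ethernet port id. Spell out per type which kind of id is expected and what the application does when the id names a device that lacks the requested capability. "Optional: No, if *type* is not *no-offload*" would be clearer as "Mandatory unless *type* is *no-offload*".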
[dpdk-dev] [PATCH v4 11/12] crypto/dpaa2_sec: add support for protocol offload ipsec
Driver implementation to support rte_security APIs Signed-off-by: Akhil Goyal --- doc/guides/cryptodevs/features/dpaa2_sec.ini | 1 + drivers/crypto/Makefile | 2 +- drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 420 ++- drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h| 62 4 files changed, 473 insertions(+), 12 deletions(-) diff --git a/doc/guides/cryptodevs/features/dpaa2_sec.ini b/doc/guides/cryptodevs/features/dpaa2_sec.ini index c3bb3dd..8fd07d6 100644 --- a/doc/guides/cryptodevs/features/dpaa2_sec.ini +++ b/doc/guides/cryptodevs/features/dpaa2_sec.ini @@ -7,6 +7,7 @@ Symmetric crypto = Y Sym operation chaining = Y HW Accelerated = Y +Protocol offload = Y ; ; Supported crypto algorithms of the 'dpaa2_sec' crypto driver. diff --git a/drivers/crypto/Makefile b/drivers/crypto/Makefile index d8c8740..ec297f2 100644 --- a/drivers/crypto/Makefile +++ b/drivers/crypto/Makefile @@ -56,7 +56,7 @@ DEPDIRS-mrvl = $(core-libs) DIRS-$(CONFIG_RTE_LIBRTE_PMD_NULL_CRYPTO) += null DEPDIRS-null = $(core-libs) DIRS-$(CONFIG_RTE_LIBRTE_PMD_DPAA2_SEC) += dpaa2_sec -DEPDIRS-dpaa2_sec = $(core-libs) +DEPDIRS-dpaa2_sec = $(core-libs) librte_security DIRS-$(CONFIG_RTE_LIBRTE_PMD_DPAA_SEC) += dpaa_sec DEPDIRS-dpaa_sec = $(core-libs) diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c index 672cacf..c768313 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c @@ -36,6 +36,7 @@ #include #include +#include #include #include #include 
@@ -73,12 +74,44 @@ #define FLE_POOL_NUM_BUFS 32000 #define FLE_POOL_BUF_SIZE 256 #define FLE_POOL_CACHE_SIZE512 +#define SEC_FLC_DHR_OUTBOUND -114 +#define SEC_FLC_DHR_INBOUND0 enum rta_sec_era rta_sec_era = RTA_SEC_ERA_8; static uint8_t cryptodev_driver_id; static inline int +build_proto_fd(dpaa2_sec_session *sess, + struct rte_crypto_op *op, + struct qbman_fd *fd, uint16_t bpid) +{ + struct rte_crypto_sym_op *sym_op = op->sym; + struct ctxt_priv *priv = sess->ctxt; + struct sec_flow_context *flc; + struct rte_mbuf *mbuf = sym_op->m_src; + + if (likely(bpid < MAX_BPID)) + DPAA2_SET_FD_BPID(fd, bpid); + else + DPAA2_SET_FD_IVP(fd); + + /* Save the shared descriptor */ + flc = &priv->flc_desc[0].flc; + + DPAA2_SET_FD_ADDR(fd, DPAA2_MBUF_VADDR_TO_IOVA(sym_op->m_src)); + DPAA2_SET_FD_OFFSET(fd, sym_op->m_src->data_off); + DPAA2_SET_FD_LEN(fd, sym_op->m_src->pkt_len); + DPAA2_SET_FD_FLC(fd, ((uint64_t)flc)); + + /* save physical address of mbuf */ + op->sym->aead.digest.phys_addr = mbuf->buf_physaddr; + mbuf->buf_physaddr = (uint64_t)op; + + return 0; +} + +static inline int build_authenc_gcm_fd(dpaa2_sec_session *sess, struct rte_crypto_op *op, struct qbman_fd *fd, uint16_t bpid) @@ -545,13 +578,23 @@ build_cipher_fd(dpaa2_sec_session *sess, struct rte_crypto_op *op, } static inline int -build_sec_fd(dpaa2_sec_session *sess, struct rte_crypto_op *op, +build_sec_fd(struct rte_crypto_op *op, struct qbman_fd *fd, uint16_t bpid) { int ret = -1; + dpaa2_sec_session *sess; PMD_INIT_FUNC_TRACE(); + if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) + sess = (dpaa2_sec_session *)get_session_private_data( + op->sym->session, cryptodev_driver_id); + else if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) + sess = (dpaa2_sec_session *)get_sec_session_private_data( + op->sym->sec_session); + else + return -1; + switch (sess->ctxt_type) { case DPAA2_SEC_CIPHER: ret = build_cipher_fd(sess, op, fd, bpid); 
@@ -565,6 +608,9 @@ build_sec_fd(dpaa2_sec_session *sess, struct rte_crypto_op *op, case DPAA2_SEC_CIPHER_HASH: ret = build_authenc_fd(sess, op, fd, bpid); break; + case DPAA2_SEC_IPSEC: + ret = build_proto_fd(sess, op, fd, bpid); + break; case DPAA2_SEC_HASH_CIPHER: default: RTE_LOG(ERR, PMD, "error: Unsupported session\n"); @@ -588,12 +634,11 @@ dpaa2_sec_enqueue_burst(void *qp, struct rte_crypto_op **ops, /*todo - need to support multiple buffer pools */ uint16_t bpid; struct rte_mempool *mb_pool; - dpaa2_sec_session *sess; if (unlikely(nb_ops == 0)) return 0; - if (ops[0]->sess_type != RTE_CRYPTO_OP_WITH_SESSION) { + if (ops[0]->sess_type == RTE_CRYPTO_OP_SESSIONLESS) { RTE_LOG(ERR, PMD, "sessionless crypto op not supported\n"); return 0; } @@ -618,13 +663,9 @@ dpaa2_sec_enqueue
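Review bot: build_proto_fd() overwrites mbuf->buf_physaddr with "(uint64_t)op" and parks the real address in op->sym->aead.digest.phys_addr, and the only explanation is the comment "save physical address of mbuf". Until something restores it, the mbuf carries a virtual pointer in its physical address field, and the aead digest field of the op is clobbered. Document where the value is restored and what guarantees the op does not use aead.digest on this path, or better, keep the op pointer in driver-private per-packet storage. The pointer cast should go through uintptr_t, and "#define SEC_FLC_DHR_OUTBOUND -114" should be written as (-114).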
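Review bot: build_sec_fd() now looks the session up itself through get_session_private_data() or get_sec_session_private_data() and goes straight to "switch (sess->ctxt_type)" with no NULL check on sess. An op whose session was never initialised for this driver, or whose sec_session is unset, would be dereferenced on the datapath. Add "if (sess == NULL) return -1;" (ideally with an error log) before the switch; the existing else branch already returns -1 for unknown session types, so callers handle that value.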
Re: [dpdk-dev] [PATCH v2 2/2] igb_uio: fix interrupt enablement after FLR in VM
I'll start to build setup environment this week.

Regards,
Gregory

On Sat, Oct 14, 2017 at 12:11 AM, Ferruh Yigit wrote:
> On 10/13/2017 9:12 AM, Shijith Thotton wrote:
> <...>
>
> > Hi Jingjing,
> >
> > This patch perfectly meets requirements as both resets are retained
> > (open and release). Tested it with LiquidIO NIC and it works fine.
> > I can see MSI-X re-enabled on each run with new patch.
> >
> > Gregory, Harish,
> > Please verify the patch on your setup if possible.
>
> Hi Gregory, Harish,
>
> Were you able to test this patch?
>
> Thanks,
> ferruh
>
> >
> > Thanks,
> > Shijith
Re: [dpdk-dev] Vendor specific sub-trees under next-net
Friday, October 13, 2017 2:31 AM, Ferruh Yigit:
> On 10/13/2017 12:29 AM, Ferruh Yigit wrote:
> > Hi Thomas, et al
> >
> > Previously it has been mentioned [1] to have vendor specific driver
> > trees under next-net.
> >
> > And recently Mellanox agreed to have a Mellanox tree [2].
> >
> > Intel also agrees to have next-net-intel, and Helin will be
> > maintaining it, thanks to Helin for volunteering.
> >
> > Other vendors with multiple drivers are Cavium, 6wind and NXP.
> >
> >
> > - Is there a name for Mellanox maintainer?

I will be the maintainer of Mellanox tree.

> >
> > - What do other vendors, mentioned above, think about creating their
> > own sub-tree?
> >
> > - Do the vendor sub-trees and their maintainers need to be approved
> > by tech-board?
> >
> >
> > And what I understand from vendor specific sub-trees is, instead of
> > driver patches going into next-net directly, they will go into vendor
> > tree and next-net will pull from them.

We need to define this more carefully. Sometimes a patchset has driver patches but also some patches for ethdev and testpmd/example. What if another vendor would like to use those patches? How frequent will the merging between the vendor-specific tree and next-net be? I am not saying there is an issue here, just need to define the rules.

> >
> > This will distribute the maintenance work among the vendors, also will
> > give more control to vendors on their patches.
> >
> >
> > Thanks,
> > ferruh
> >
> >
> > [1] http://dpdk.org/ml/archives/dev/2017-September/075094.html
> >
> > [2] http://dpdk.org/ml/archives/dev/2017-October/078277.html
>
> Using correct mail address for Thomas.