[dpdk-dev] [PATCH v3 2/6] crypto/aesni_gcm: cpu crypto support
Add support for CPU crypto mode by introducing required handler.
Crypto mode (sync/async) is chosen during sym session create if an
appropriate flag is set in an xform type number.
Authenticated encryption and decryption are supported with tag
generation/verification.
Signed-off-by: Marcin Smoczynski
---
drivers/crypto/aesni_gcm/aesni_gcm_ops.h | 9 ++
drivers/crypto/aesni_gcm/aesni_gcm_pmd.c | 149 +-
drivers/crypto/aesni_gcm/aesni_gcm_pmd_ops.c | 3 +
.../crypto/aesni_gcm/aesni_gcm_pmd_private.h | 18 ++-
4 files changed, 169 insertions(+), 10 deletions(-)
diff --git a/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
b/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
index e272f1067..404c0adff 100644
--- a/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
+++ b/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
@@ -65,4 +65,13 @@ struct aesni_gcm_ops {
aesni_gcm_finalize_t finalize_dec;
};
+/** GCM per-session operation handlers */
+struct aesni_gcm_session_ops {
+ aesni_gcm_t cipher;
+ aesni_gcm_pre_t pre;
+ aesni_gcm_init_t init;
+ aesni_gcm_update_t update;
+ aesni_gcm_finalize_t finalize;
+};
+
#endif /* _AESNI_GCM_OPS_H_ */
diff --git a/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
b/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
index 1a03be31d..860e9b369 100644
--- a/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
+++ b/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
@@ -25,9 +25,16 @@ aesni_gcm_set_session_parameters(const struct aesni_gcm_ops
*gcm_ops,
const struct rte_crypto_sym_xform *aead_xform;
uint8_t key_length;
const uint8_t *key;
+ uint32_t xform_type;
+
+ /* check for CPU-crypto mode */
+ xform_type = xform->type;
+ sess->mode = xform_type | RTE_CRYPTO_SYM_CPU_CRYPTO ?
+ AESNI_GCM_MODE_SYNC : AESNI_GCM_MODE_ASYNC;
+ xform_type &= RTE_CRYPTO_SYM_XFORM_TYPE_MASK;
/* AES-GMAC */
- if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+ if (xform_type == RTE_CRYPTO_SYM_XFORM_AUTH) {
auth_xform = xform;
if (auth_xform->auth.algo != RTE_CRYPTO_AUTH_AES_GMAC) {
AESNI_GCM_LOG(ERR, "Only AES GMAC is supported as an "
@@ -49,7 +56,7 @@ aesni_gcm_set_session_parameters(const struct aesni_gcm_ops
*gcm_ops,
sess->req_digest_length = auth_xform->auth.digest_length;
/* AES-GCM */
- } else if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ } else if (xform_type == RTE_CRYPTO_SYM_XFORM_AEAD) {
aead_xform = xform;
if (aead_xform->aead.algo != RTE_CRYPTO_AEAD_AES_GCM) {
@@ -62,11 +69,24 @@ aesni_gcm_set_session_parameters(const struct aesni_gcm_ops
*gcm_ops,
sess->iv.offset = aead_xform->aead.iv.offset;
sess->iv.length = aead_xform->aead.iv.length;
+ /* setup session handlers */
+ sess->ops.pre = gcm_ops->pre;
+ sess->ops.init = gcm_ops->init;
+
/* Select Crypto operation */
- if (aead_xform->aead.op == RTE_CRYPTO_AEAD_OP_ENCRYPT)
+ if (aead_xform->aead.op == RTE_CRYPTO_AEAD_OP_ENCRYPT) {
sess->op = AESNI_GCM_OP_AUTHENTICATED_ENCRYPTION;
- else
+ sess->ops.cipher = gcm_ops->enc;
+ sess->ops.update = gcm_ops->update_enc;
+ sess->ops.finalize = gcm_ops->finalize_enc;
+ }
+ /* op == RTE_CRYPTO_AEAD_OP_DECRYPT */
+ else {
sess->op = AESNI_GCM_OP_AUTHENTICATED_DECRYPTION;
+ sess->ops.cipher = gcm_ops->dec;
+ sess->ops.update = gcm_ops->update_dec;
+ sess->ops.finalize = gcm_ops->finalize_dec;
+ }
key_length = aead_xform->aead.key.length;
key = aead_xform->aead.key.data;
@@ -78,7 +98,6 @@ aesni_gcm_set_session_parameters(const struct aesni_gcm_ops
*gcm_ops,
return -ENOTSUP;
}
-
/* IV check */
if (sess->iv.length != 16 && sess->iv.length != 12 &&
sess->iv.length != 0) {
@@ -356,6 +375,122 @@ process_gcm_crypto_op(struct aesni_gcm_qp *qp, struct
rte_crypto_op *op,
return 0;
}
+static inline void
+aesni_gcm_fill_error_code(struct rte_crypto_sym_vec *vec, int32_t errnum)
+{
+ uint32_t i;
+
+ for (i = 0; i < vec->num; i++)
+ vec->status[i] = errnum;
+}
+
+
+static inline int32_t
+aesni_gcm_sgl_op_finalize_encryption(struct aesni_gcm_session *s,
+ struct gcm_context_data *gdata_ctx, uint8_t *digest)
+{
+ if (s->req_digest_length != s->gen_digest_length) {
+ uint8_t tmpdigest[s->gen_digest_length];
+
[dpdk-dev] [PATCH v3 0/6] Introduce CPU crypto mode
Originally both SW and HW crypto PMDs use rte_crypot_op based API to process the crypto workload asynchronously. This way provides uniformity to both PMD types, but also introduce unnecessary performance penalty to SW PMDs that have to "simulate" HW async behavior (crypto-ops enqueue/dequeue, HW addresses computations, storing/dereferencing user provided data (mbuf) for each crypto-op, etc). The aim is to introduce a new optional API for SW crypto-devices to perform crypto processing in a synchronous manner. Marcin Smoczynski (6): cryptodev: introduce cpu crypto support API crypto/aesni_gcm: cpu crypto support security: add cpu crypto action type ipsec: introduce support for cpu crypto mode examples/ipsec-secgw: cpu crypto support examples/ipsec-secgw: cpu crypto testing drivers/crypto/aesni_gcm/aesni_gcm_ops.h | 9 + drivers/crypto/aesni_gcm/aesni_gcm_pmd.c | 149 - drivers/crypto/aesni_gcm/aesni_gcm_pmd_ops.c | 3 + .../crypto/aesni_gcm/aesni_gcm_pmd_private.h | 18 +- examples/ipsec-secgw/ipsec.c | 12 +- examples/ipsec-secgw/ipsec_process.c | 134 +-- examples/ipsec-secgw/sa.c | 33 +++- examples/ipsec-secgw/test/common_defs.sh | 21 +++ examples/ipsec-secgw/test/linux_test4.sh | 11 +- examples/ipsec-secgw/test/linux_test6.sh | 11 +- .../test/trs_3descbc_sha1_common_defs.sh | 8 +- .../test/trs_aescbc_sha1_common_defs.sh | 8 +- .../test/trs_aesctr_sha1_common_defs.sh | 8 +- .../test/tun_3descbc_sha1_common_defs.sh | 8 +- .../test/tun_aescbc_sha1_common_defs.sh | 8 +- .../test/tun_aesctr_sha1_common_defs.sh | 8 +- lib/librte_cryptodev/rte_crypto_sym.h | 62 ++- lib/librte_cryptodev/rte_cryptodev.c | 30 lib/librte_cryptodev/rte_cryptodev.h | 20 +++ lib/librte_cryptodev/rte_cryptodev_pmd.h | 19 +++ .../rte_cryptodev_version.map | 1 + lib/librte_ipsec/esp_inb.c| 154 +++--- lib/librte_ipsec/esp_outb.c | 134 +-- lib/librte_ipsec/misc.h | 118 ++ lib/librte_ipsec/rte_ipsec.h | 18 +- lib/librte_ipsec/sa.c | 126 +++--- lib/librte_ipsec/sa.h | 17 ++ lib/librte_ipsec/ses.c| 3 +- lib/librte_security/rte_security.h| 6 +- 29 files changed, 990 insertions(+), 167 deletions(-) -- 2.17.1
[dpdk-dev] [PATCH v3 3/6] security: add cpu crypto action type
Introduce CPU crypto action type allowing to differentiate between
regular async 'none security' and synchronous, CPU crypto accelerated
sessions.
Signed-off-by: Marcin Smoczynski
---
lib/librte_security/rte_security.h | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/librte_security/rte_security.h
b/lib/librte_security/rte_security.h
index 546779df2..309f7311c 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -307,10 +307,14 @@ enum rte_security_session_action_type {
/**< All security protocol processing is performed inline during
* transmission
*/
- RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
+ RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
/**< All security protocol processing including crypto is performed
* on a lookaside accelerator
*/
+ RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
+ /**< Crypto processing for security protocol is processed by CPU
+* synchronously
+*/
};
/** Security session protocol definition */
--
2.17.1
[dpdk-dev] [PATCH v3 1/6] cryptodev: introduce cpu crypto support API
Add new API allowing to process crypto operations in a synchronous
manner. Operations are performed on a set of SG arrays.
Sync mode is selected by setting appropriate flag in an xform
type number. Cryptodevs which allows CPU crypto operation mode have to
use RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO capability.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
lib/librte_cryptodev/rte_crypto_sym.h | 62 ++-
lib/librte_cryptodev/rte_cryptodev.c | 30 +
lib/librte_cryptodev/rte_cryptodev.h | 20 ++
lib/librte_cryptodev/rte_cryptodev_pmd.h | 19 ++
.../rte_cryptodev_version.map | 1 +
5 files changed, 131 insertions(+), 1 deletion(-)
diff --git a/lib/librte_cryptodev/rte_crypto_sym.h
b/lib/librte_cryptodev/rte_crypto_sym.h
index ffa038dc4..f5dd05ab0 100644
--- a/lib/librte_cryptodev/rte_crypto_sym.h
+++ b/lib/librte_cryptodev/rte_crypto_sym.h
@@ -25,6 +25,59 @@ extern "C" {
#include
#include
+/**
+ * Crypto IO Vector (in analogy with struct iovec)
+ * Supposed be used to pass input/output data buffers for crypto data-path
+ * functions.
+ */
+struct rte_crypto_vec {
+ /** virtual address of the data buffer */
+ void *base;
+ /** IOVA of the data buffer */
+ rte_iova_t *iova;
+ /** length of the data buffer */
+ uint32_t len;
+};
+
+struct rte_crypto_sgl {
+ /** start of an array of vectors */
+ struct rte_crypto_vec *vec;
+ /** size of an array of vectors */
+ uint32_t num;
+};
+
+struct rte_crypto_sym_vec {
+ /** array of SGL vectors */
+ struct rte_crypto_sgl *sgl;
+ /** array of pointers to IV */
+ void **iv;
+ /** array of pointers to AAD */
+ void **aad;
+ /** array of pointers to digest */
+ void **digest;
+ /**
+* array of statuses for each operation:
+* - 0 on success
+* - errno on error
+*/
+ int32_t *status;
+ /** number of operations to perform */
+ uint32_t num;
+};
+
+/**
+ * used for cpu_crypto_process_bulk() to specify head/tail offsets
+ * for auth/cipher processing.
+ */
+union rte_crypto_sym_ofs {
+ uint64_t raw;
+ struct {
+ struct {
+ uint16_t head;
+ uint16_t tail;
+ } auth, cipher;
+ } ofs;
+};
/** Symmetric Cipher Algorithms */
enum rte_crypto_cipher_algorithm {
@@ -425,7 +478,14 @@ enum rte_crypto_sym_xform_type {
RTE_CRYPTO_SYM_XFORM_NOT_SPECIFIED = 0, /**< No xform specified */
RTE_CRYPTO_SYM_XFORM_AUTH, /**< Authentication xform */
RTE_CRYPTO_SYM_XFORM_CIPHER,/**< Cipher xform */
- RTE_CRYPTO_SYM_XFORM_AEAD /**< AEAD xform */
+ RTE_CRYPTO_SYM_XFORM_AEAD, /**< AEAD xform */
+
+ RTE_CRYPTO_SYM_XFORM_TYPE_MASK = 0x,
+ /**< xform type mask value */
+ RTE_CRYPTO_SYM_XFORM_FLAG_MASK = 0x,
+ /**< xform flag mask value */
+ RTE_CRYPTO_SYM_CPU_CRYPTO = 0x8000,
+ /**< xform flag for cpu-crypto */
};
/**
diff --git a/lib/librte_cryptodev/rte_cryptodev.c
b/lib/librte_cryptodev/rte_cryptodev.c
index 89aa2ed3e..157fda890 100644
--- a/lib/librte_cryptodev/rte_cryptodev.c
+++ b/lib/librte_cryptodev/rte_cryptodev.c
@@ -1616,6 +1616,36 @@ rte_cryptodev_sym_session_get_user_data(
return (void *)(sess->sess_data + sess->nb_drivers);
}
+static inline void
+sym_crypto_fill_status(struct rte_crypto_sym_vec *vec, int32_t errnum)
+{
+ uint32_t i;
+ for (i = 0; i < vec->num; i++)
+ vec->status[i] = errnum;
+}
+
+uint32_t
+rte_cryptodev_sym_cpu_crypto_process(uint8_t dev_id,
+ struct rte_cryptodev_sym_session *sess, union rte_crypto_sym_ofs ofs,
+ struct rte_crypto_sym_vec *vec)
+{
+ struct rte_cryptodev *dev;
+
+ if (!rte_cryptodev_pmd_is_valid_dev(dev_id)) {
+ sym_crypto_fill_status(vec, EINVAL);
+ return 0;
+ }
+
+ dev = rte_cryptodev_pmd_get_dev(dev_id);
+
+ if (*dev->dev_ops->sym_cpu_process == NULL) {
+ sym_crypto_fill_status(vec, ENOTSUP);
+ return 0;
+ }
+
+ return dev->dev_ops->sym_cpu_process(dev, sess, ofs, vec);
+}
+
/** Initialise rte_crypto_op mempool element */
static void
rte_crypto_op_init(struct rte_mempool *mempool,
diff --git a/lib/librte_cryptodev/rte_cryptodev.h
b/lib/librte_cryptodev/rte_cryptodev.h
index c6ffa3b35..8786dfb90 100644
--- a/lib/librte_cryptodev/rte_cryptodev.h
+++ b/lib/librte_cryptodev/rte_cryptodev.h
@@ -450,6 +450,8 @@ rte_cryptodev_asym_get_xform_enum(enum
rte_crypto_asym_xform_type *xform_enum,
/**< Support encrypted-digest operations where digest is appended to data */
#define RTE_CRYPTODEV_FF_ASYM_SESSIONLESS (1ULL <
[dpdk-dev] [PATCH v3 4/6] ipsec: introduce support for cpu crypto mode
Update library to handle CPU cypto security mode which utilizes
cryptodev's synchronous, CPU accelerated crypto operations.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
lib/librte_ipsec/esp_inb.c | 154 ++-
lib/librte_ipsec/esp_outb.c | 134 +++---
lib/librte_ipsec/misc.h | 118 +++
lib/librte_ipsec/rte_ipsec.h | 18 +++-
lib/librte_ipsec/sa.c| 126 ++--
lib/librte_ipsec/sa.h| 17
lib/librte_ipsec/ses.c | 3 +-
7 files changed, 515 insertions(+), 55 deletions(-)
diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c
index 5c653dd39..58b3dec1b 100644
--- a/lib/librte_ipsec/esp_inb.c
+++ b/lib/librte_ipsec/esp_inb.c
@@ -105,6 +105,39 @@ inb_cop_prepare(struct rte_crypto_op *cop,
}
}
+static inline uint32_t
+inb_cpu_crypto_prepare(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb,
+ uint32_t *pofs, uint32_t plen, void *iv)
+{
+ struct aead_gcm_iv *gcm;
+ struct aesctr_cnt_blk *ctr;
+ uint64_t *ivp;
+ uint32_t clen;
+
+ ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
+ *pofs + sizeof(struct rte_esp_hdr));
+ clen = 0;
+
+ switch (sa->algo_type) {
+ case ALGO_TYPE_AES_GCM:
+ gcm = (struct aead_gcm_iv *)iv;
+ aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
+ break;
+ case ALGO_TYPE_AES_CBC:
+ case ALGO_TYPE_3DES_CBC:
+ copy_iv(iv, ivp, sa->iv_len);
+ break;
+ case ALGO_TYPE_AES_CTR:
+ ctr = (struct aesctr_cnt_blk *)iv;
+ aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+ break;
+ }
+
+ *pofs += sa->ctp.auth.offset;
+ clen = plen - sa->ctp.auth.length;
+ return clen;
+}
+
/*
* Helper function for prepare() to deal with situation when
* ICV is spread by two segments. Tries to move ICV completely into the
@@ -157,17 +190,12 @@ inb_pkt_xprepare(const struct rte_ipsec_sa *sa,
rte_be64_t sqc,
}
}
-/*
- * setup/update packet data and metadata for ESP inbound tunnel case.
- */
-static inline int32_t
-inb_pkt_prepare(const struct rte_ipsec_sa *sa, const struct replay_sqn *rsn,
- struct rte_mbuf *mb, uint32_t hlen, union sym_op_data *icv)
+static inline int
+inb_get_sqn(const struct rte_ipsec_sa *sa, const struct replay_sqn *rsn,
+ struct rte_mbuf *mb, uint32_t hlen, rte_be64_t *sqc)
{
int32_t rc;
uint64_t sqn;
- uint32_t clen, icv_len, icv_ofs, plen;
- struct rte_mbuf *ml;
struct rte_esp_hdr *esph;
esph = rte_pktmbuf_mtod_offset(mb, struct rte_esp_hdr *, hlen);
@@ -179,12 +207,21 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const
struct replay_sqn *rsn,
sqn = rte_be_to_cpu_32(esph->seq);
if (IS_ESN(sa))
sqn = reconstruct_esn(rsn->sqn, sqn, sa->replay.win_sz);
+ *sqc = rte_cpu_to_be_64(sqn);
+ /* check IPsec window */
rc = esn_inb_check_sqn(rsn, sa, sqn);
- if (rc != 0)
- return rc;
- sqn = rte_cpu_to_be_64(sqn);
+ return rc;
+}
+
+/* prepare packet for upcoming processing */
+static inline int32_t
+inb_prepare(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb,
+ uint32_t hlen, union sym_op_data *icv)
+{
+ uint32_t clen, icv_len, icv_ofs, plen;
+ struct rte_mbuf *ml;
/* start packet manipulation */
plen = mb->pkt_len;
@@ -217,7 +254,8 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const struct
replay_sqn *rsn,
icv_ofs += sa->sqh_len;
- /* we have to allocate space for AAD somewhere,
+ /*
+* we have to allocate space for AAD somewhere,
* right now - just use free trailing space at the last segment.
* Would probably be more convenient to reserve space for AAD
* inside rte_crypto_op itself
@@ -238,10 +276,28 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const
struct replay_sqn *rsn,
mb->pkt_len += sa->sqh_len;
ml->data_len += sa->sqh_len;
- inb_pkt_xprepare(sa, sqn, icv);
return plen;
}
+static inline int32_t
+inb_pkt_prepare(const struct rte_ipsec_sa *sa, const struct replay_sqn *rsn,
+ struct rte_mbuf *mb, uint32_t hlen, union sym_op_data *icv)
+{
+ int rc;
+ rte_be64_t sqn;
+
+ rc = inb_get_sqn(sa, rsn, mb, hlen, &sqn);
+ if (rc != 0)
+ return rc;
+
+ rc = inb_prepare(sa, mb, hlen, icv);
+ if (rc < 0)
+ return rc;
+
+ inb_pkt_xprepare(sa, sqn, icv);
+ return rc;
+}
+
/*
* setup/update packets and crypto ops for ESP inbound case.
*/
@@ -270,17 +326,17 @@ esp_inb_pkt_prepare(const struct rte_ipsec_session *ss,
struct rte_mbuf *mb[],
[dpdk-dev] [PATCH v3 5/6] examples/ipsec-secgw: cpu crypto support
Add support for CPU accelerated crypto. 'cpu-crypto' SA type has
been introduced in configuration allowing to use abovementioned
acceleration.
Legacy mode is not currently supported.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/ipsec.c | 12 ++-
examples/ipsec-secgw/ipsec_process.c | 134 +--
examples/ipsec-secgw/sa.c| 33 +--
3 files changed, 123 insertions(+), 56 deletions(-)
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index d4b57121a..55b83bb8d 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -10,6 +10,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -86,7 +87,8 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct
ipsec_sa *sa,
ipsec_ctx->tbl[cdev_id_qp].id,
ipsec_ctx->tbl[cdev_id_qp].qp);
- if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE &&
+ ips->type != RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
struct rte_security_session_conf sess_conf = {
.action_type = ips->type,
.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
@@ -126,6 +128,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx,
struct ipsec_sa *sa,
return -1;
}
} else {
+ ips->crypto.dev_id = ipsec_ctx->tbl[cdev_id_qp].id;
ips->crypto.ses = rte_cryptodev_sym_session_create(
ipsec_ctx->session_pool);
rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id,
@@ -476,6 +479,13 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx
*ipsec_ctx,
rte_security_attach_session(&priv->cop,
ips->security.ses);
break;
+
+ case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+ RTE_LOG(ERR, IPSEC, "CPU crypto is not supported by the"
+ " legacy mode.");
+ rte_pktmbuf_free(pkts[i]);
+ continue;
+
case RTE_SECURITY_ACTION_TYPE_NONE:
priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
diff --git a/examples/ipsec-secgw/ipsec_process.c
b/examples/ipsec-secgw/ipsec_process.c
index 2eb5c8b34..576a9fa8a 100644
--- a/examples/ipsec-secgw/ipsec_process.c
+++ b/examples/ipsec-secgw/ipsec_process.c
@@ -92,7 +92,8 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct
ipsec_ctx *ctx,
int32_t rc;
/* setup crypto section */
- if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {
+ if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||
+ ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
RTE_ASSERT(ss->crypto.ses == NULL);
rc = create_lookaside_session(ctx, sa, ss);
if (rc != 0)
@@ -215,6 +216,62 @@ ipsec_prepare_crypto_group(struct ipsec_ctx *ctx, struct
ipsec_sa *sa,
return k;
}
+/*
+ * helper routine for inline and cpu(synchronous) processing
+ * this is just to satisfy inbound_sa_check() and get_hop_for_offload_pkt().
+ * Should be removed in future.
+ */
+static inline void
+prep_process_group(void *sa, struct rte_mbuf *mb[], uint32_t cnt)
+{
+ uint32_t j;
+ struct ipsec_mbuf_metadata *priv;
+
+ for (j = 0; j != cnt; j++) {
+ priv = get_priv(mb[j]);
+ priv->sa = sa;
+ }
+}
+
+/*
+ * finish processing of packets successfully decrypted by an inline processor
+ */
+static uint32_t
+ipsec_process_inline_group(struct rte_ipsec_session *ips, void *sa,
+ struct ipsec_traffic *trf, struct rte_mbuf *mb[], uint32_t cnt)
+{
+ uint64_t satp;
+ uint32_t k;
+
+ /* get SA type */
+ satp = rte_ipsec_sa_type(ips->sa);
+ prep_process_group(sa, mb, cnt);
+
+ k = rte_ipsec_pkt_process(ips, mb, cnt);
+ copy_to_trf(trf, satp, mb, k);
+ return k;
+}
+
+/*
+ * process packets synchronously
+ */
+static uint32_t
+ipsec_process_cpu_group(struct rte_ipsec_session *ips, void *sa,
+ struct ipsec_traffic *trf, struct rte_mbuf *mb[], uint32_t cnt)
+{
+ uint64_t satp;
+ uint32_t k;
+
+ /* get SA type */
+ satp = rte_ipsec_sa_type(ips->sa);
+ prep_process_group(sa, mb, cnt);
+
+ k = rte_ipsec_pkt_cpu_prepare(ips, mb, cnt);
+ k = rte_ipsec_pkt_process(ips, mb, k);
+ copy_to_trf(trf, satp, mb, k);
+ return k;
+}
+
/*
* Process ipsec packets.
* If packet belong to SA that is subject of inline-crypto,
@@ -225,10 +282,8 @@ ipsec_prepare_crypto_group(struct ipsec_ctx *ctx, struct
ipse
[dpdk-dev] [PATCH v3 6/6] examples/ipsec-secgw: cpu crypto testing
Enable cpu-crypto mode testing by adding dedicated environmental
variable CRYPTO_PRIM_TYPE. Setting it to 'type cpu-crypto' allows
to run test scenario with cpu crypto acceleration.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/test/common_defs.sh | 21 +++
examples/ipsec-secgw/test/linux_test4.sh | 11 +-
examples/ipsec-secgw/test/linux_test6.sh | 11 +-
.../test/trs_3descbc_sha1_common_defs.sh | 8 +++
.../test/trs_aescbc_sha1_common_defs.sh | 8 +++
.../test/trs_aesctr_sha1_common_defs.sh | 8 +++
.../test/tun_3descbc_sha1_common_defs.sh | 8 +++
.../test/tun_aescbc_sha1_common_defs.sh | 8 +++
.../test/tun_aesctr_sha1_common_defs.sh | 8 +++
9 files changed, 47 insertions(+), 44 deletions(-)
diff --git a/examples/ipsec-secgw/test/common_defs.sh
b/examples/ipsec-secgw/test/common_defs.sh
index 4aac4981a..6b6ae06f3 100644
--- a/examples/ipsec-secgw/test/common_defs.sh
+++ b/examples/ipsec-secgw/test/common_defs.sh
@@ -42,6 +42,27 @@ DPDK_BUILD=${RTE_TARGET:-x86_64-native-linux-gcc}
DEF_MTU_LEN=1400
DEF_PING_LEN=1200
+#upsate operation mode based on env vars values
+select_mode()
+{
+ # select sync/async mode
+ if [[ -n "${CRYPTO_PRIM_TYPE}" && -n "${SGW_CMD_XPRM}" ]]; then
+ echo "${CRYPTO_PRIM_TYPE} is enabled"
+ SGW_CFG_XPRM="${SGW_CFG_XPRM} ${CRYPTO_PRIM_TYPE}"
+ fi
+
+ #make linux to generate fragmented packets
+ if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then
+ echo "multi-segment test is enabled"
+ SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}"
+ PING_LEN=5000
+ MTU_LEN=1500
+ else
+ PING_LEN=${DEF_PING_LEN}
+ MTU_LEN=${DEF_MTU_LEN}
+ fi
+}
+
#setup mtu on local iface
set_local_mtu()
{
diff --git a/examples/ipsec-secgw/test/linux_test4.sh
b/examples/ipsec-secgw/test/linux_test4.sh
index 760451000..fb8ae1023 100644
--- a/examples/ipsec-secgw/test/linux_test4.sh
+++ b/examples/ipsec-secgw/test/linux_test4.sh
@@ -45,16 +45,7 @@ MODE=$1
. ${DIR}/common_defs.sh
. ${DIR}/${MODE}_defs.sh
-#make linux to generate fragmented packets
-if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then
- echo "multi-segment test is enabled"
- SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}"
- PING_LEN=5000
- MTU_LEN=1500
-else
- PING_LEN=${DEF_PING_LEN}
- MTU_LEN=${DEF_MTU_LEN}
-fi
+select_mode
config_secgw
diff --git a/examples/ipsec-secgw/test/linux_test6.sh
b/examples/ipsec-secgw/test/linux_test6.sh
index 479f29be3..dbcca7936 100644
--- a/examples/ipsec-secgw/test/linux_test6.sh
+++ b/examples/ipsec-secgw/test/linux_test6.sh
@@ -46,16 +46,7 @@ MODE=$1
. ${DIR}/common_defs.sh
. ${DIR}/${MODE}_defs.sh
-#make linux to generate fragmented packets
-if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then
- echo "multi-segment test is enabled"
- SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}"
- PING_LEN=5000
- MTU_LEN=1500
-else
- PING_LEN=${DEF_PING_LEN}
- MTU_LEN=${DEF_MTU_LEN}
-fi
+select_mode
config_secgw
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
index 3c5c18afd..62118bb3f 100644
--- a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
@@ -33,14 +33,14 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
sa in 9 cipher_algo 3des-cbc \
cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#SA out rules
sa out 7 cipher_algo 3des-cbc \
@@ -48,7 +48,7 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#SA out rules
sa out 9 cipher_algo 3des-cbc \
@@ -56,7 +56,7 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#Routing rules
rt ipv4 dst ${REMOTE_IPV4}/32 port 0
diff --git a/examples/ipsec-secgw/test/
[dpdk-dev] [PATCH v4 0/8] Introduce CPU crypto mode
Originally both SW and HW crypto PMDs use rte_crypot_op based API to process the crypto workload asynchronously. This way provides uniformity to both PMD types, but also introduce unnecessary performance penalty to SW PMDs that have to "simulate" HW async behavior (crypto-ops enqueue/dequeue, HW addresses computations, storing/dereferencing user provided data (mbuf) for each crypto-op, etc). The aim is to introduce a new optional API for SW crypto-devices to perform crypto processing in a synchronous manner. v3 to v4 changes: - add feature discovery in the ipsec example application when using cpu-crypto - add gmac in aesni-gcm - add tests for aesni-gcm/cpu crypto mode - add documentation: pg and rel notes - remove xform flags as no longer needed - add some extra API comments - remove compilation error from v3 Marcin Smoczynski (8): cryptodev: introduce cpu crypto support API crypto/aesni_gcm: cpu crypto support test/crypto: add CPU crypto tests security: add cpu crypto action type ipsec: introduce support for cpu crypto mode examples/ipsec-secgw: cpu crypto support examples/ipsec-secgw: cpu crypto testing doc: add cpu crypto related documentation app/test/Makefile | 1 + app/test/cpu_crypto_all_gcm_perf_test_cases.h | 11 + app/test/cpu_crypto_all_gcm_unit_test_cases.h | 49 + .../cpu_crypto_all_gmac_unit_test_cases.h | 7 + app/test/meson.build | 1 + app/test/test_cryptodev_cpu_crypto.c | 930 ++ doc/guides/cryptodevs/aesni_gcm.rst | 5 + doc/guides/prog_guide/cryptodev_lib.rst | 31 + doc/guides/prog_guide/ipsec_lib.rst | 8 + doc/guides/prog_guide/rte_security.rst| 15 +- doc/guides/rel_notes/release_20_02.rst| 8 + drivers/crypto/aesni_gcm/aesni_gcm_ops.h | 9 + drivers/crypto/aesni_gcm/aesni_gcm_pmd.c | 220 - drivers/crypto/aesni_gcm/aesni_gcm_pmd_ops.c | 3 + .../crypto/aesni_gcm/aesni_gcm_pmd_private.h | 11 +- examples/ipsec-secgw/ipsec.c | 23 +- examples/ipsec-secgw/ipsec_process.c | 134 ++- examples/ipsec-secgw/sa.c | 28 +- examples/ipsec-secgw/test/common_defs.sh | 21 + examples/ipsec-secgw/test/linux_test4.sh | 11 +- examples/ipsec-secgw/test/linux_test6.sh | 11 +- .../test/trs_3descbc_sha1_common_defs.sh | 8 +- .../test/trs_aescbc_sha1_common_defs.sh | 8 +- .../test/trs_aesctr_sha1_common_defs.sh | 8 +- .../test/tun_3descbc_sha1_common_defs.sh | 8 +- .../test/tun_aescbc_sha1_common_defs.sh | 8 +- .../test/tun_aesctr_sha1_common_defs.sh | 8 +- lib/librte_cryptodev/rte_crypto_sym.h | 61 ++ lib/librte_cryptodev/rte_cryptodev.c | 33 + lib/librte_cryptodev/rte_cryptodev.h | 20 + lib/librte_cryptodev/rte_cryptodev_pmd.h | 19 + .../rte_cryptodev_version.map | 1 + lib/librte_ipsec/esp_inb.c| 154 ++- lib/librte_ipsec/esp_outb.c | 134 ++- lib/librte_ipsec/misc.h | 118 +++ lib/librte_ipsec/rte_ipsec.h | 18 +- lib/librte_ipsec/sa.c | 112 ++- lib/librte_ipsec/sa.h | 17 + lib/librte_ipsec/ses.c| 3 +- lib/librte_security/rte_security.h| 6 +- 40 files changed, 2119 insertions(+), 162 deletions(-) create mode 100644 app/test/cpu_crypto_all_gcm_perf_test_cases.h create mode 100644 app/test/cpu_crypto_all_gcm_unit_test_cases.h create mode 100644 app/test/cpu_crypto_all_gmac_unit_test_cases.h create mode 100644 app/test/test_cryptodev_cpu_crypto.c -- 2.17.1
[dpdk-dev] [PATCH v4 1/8] cryptodev: introduce cpu crypto support API
Add new API allowing to process crypto operations in a synchronous
manner. Operations are performed on a set of SG arrays.
Sync mode is selected by setting appropriate flag in an xform
type number. Cryptodevs which allows CPU crypto operation mode have to
use RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO capability.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
lib/librte_cryptodev/rte_crypto_sym.h | 61 +++
lib/librte_cryptodev/rte_cryptodev.c | 33 ++
lib/librte_cryptodev/rte_cryptodev.h | 20 ++
lib/librte_cryptodev/rte_cryptodev_pmd.h | 19 ++
.../rte_cryptodev_version.map | 1 +
5 files changed, 134 insertions(+)
diff --git a/lib/librte_cryptodev/rte_crypto_sym.h
b/lib/librte_cryptodev/rte_crypto_sym.h
index bc356f6ff..da1530093 100644
--- a/lib/librte_cryptodev/rte_crypto_sym.h
+++ b/lib/librte_cryptodev/rte_crypto_sym.h
@@ -25,6 +25,67 @@ extern "C" {
#include
#include
+/**
+ * Crypto IO Vector (in analogy with struct iovec)
+ * Supposed be used to pass input/output data buffers for crypto data-path
+ * functions.
+ */
+struct rte_crypto_vec {
+ /** virtual address of the data buffer */
+ void *base;
+ /** IOVA of the data buffer */
+ rte_iova_t *iova;
+ /** length of the data buffer */
+ uint32_t len;
+};
+
+/**
+ * Crypto scatter-gather list descriptor. Consists of a pointer to an array
+ * of Crypto IO vectors with its size.
+ */
+struct rte_crypto_sgl {
+ /** start of an array of vectors */
+ struct rte_crypto_vec *vec;
+ /** size of an array of vectors */
+ uint32_t num;
+};
+
+/**
+ * Synchronous operation descriptor.
+ * Supposed to be used with CPU crypto API call.
+ */
+struct rte_crypto_sym_vec {
+ /** array of SGL vectors */
+ struct rte_crypto_sgl *sgl;
+ /** array of pointers to IV */
+ void **iv;
+ /** array of pointers to AAD */
+ void **aad;
+ /** array of pointers to digest */
+ void **digest;
+ /**
+* array of statuses for each operation:
+* - 0 on success
+* - errno on error
+*/
+ int32_t *status;
+ /** number of operations to perform */
+ uint32_t num;
+};
+
+/**
+ * used for cpu_crypto_process_bulk() to specify head/tail offsets
+ * for auth/cipher processing.
+ */
+union rte_crypto_sym_ofs {
+ uint64_t raw;
+ struct {
+ struct {
+ uint16_t head;
+ uint16_t tail;
+ } auth, cipher;
+ } ofs;
+};
/** Symmetric Cipher Algorithms */
enum rte_crypto_cipher_algorithm {
diff --git a/lib/librte_cryptodev/rte_cryptodev.c
b/lib/librte_cryptodev/rte_cryptodev.c
index 5c6359b5c..410b22867 100644
--- a/lib/librte_cryptodev/rte_cryptodev.c
+++ b/lib/librte_cryptodev/rte_cryptodev.c
@@ -494,6 +494,8 @@ rte_cryptodev_get_feature_name(uint64_t flag)
return "RSA_PRIV_OP_KEY_QT";
case RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED:
return "DIGEST_ENCRYPTED";
+ case RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO:
+ return "SYM_CPU_CRYPTO";
default:
return NULL;
}
@@ -1619,6 +1621,37 @@ rte_cryptodev_sym_session_get_user_data(
return (void *)(sess->sess_data + sess->nb_drivers);
}
+static inline void
+sym_crypto_fill_status(struct rte_crypto_sym_vec *vec, int32_t errnum)
+{
+ uint32_t i;
+ for (i = 0; i < vec->num; i++)
+ vec->status[i] = errnum;
+}
+
+uint32_t
+rte_cryptodev_sym_cpu_crypto_process(uint8_t dev_id,
+ struct rte_cryptodev_sym_session *sess, union rte_crypto_sym_ofs ofs,
+ struct rte_crypto_sym_vec *vec)
+{
+ struct rte_cryptodev *dev;
+
+ if (!rte_cryptodev_pmd_is_valid_dev(dev_id)) {
+ sym_crypto_fill_status(vec, EINVAL);
+ return 0;
+ }
+
+ dev = rte_cryptodev_pmd_get_dev(dev_id);
+
+ if (*dev->dev_ops->sym_cpu_process == NULL ||
+ !(dev->feature_flags & RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO)) {
+ sym_crypto_fill_status(vec, ENOTSUP);
+ return 0;
+ }
+
+ return dev->dev_ops->sym_cpu_process(dev, sess, ofs, vec);
+}
+
/** Initialise rte_crypto_op mempool element */
static void
rte_crypto_op_init(struct rte_mempool *mempool,
diff --git a/lib/librte_cryptodev/rte_cryptodev.h
b/lib/librte_cryptodev/rte_cryptodev.h
index c6ffa3b35..8786dfb90 100644
--- a/lib/librte_cryptodev/rte_cryptodev.h
+++ b/lib/librte_cryptodev/rte_cryptodev.h
@@ -450,6 +450,8 @@ rte_cryptodev_asym_get_xform_enum(enum
rte_crypto_asym_xform_type *xform_enum,
/**< Support encrypted-digest operations where digest is appended to data */
#define RTE_CRYPTODEV_FF_ASYM_SESSIONLESS (1ULL << 20)
/**< Support asymmetric session-less ope
[dpdk-dev] [PATCH v4 2/8] crypto/aesni_gcm: cpu crypto support
Add support for CPU crypto mode by introducing required handler.
Crypto mode (sync/async) is chosen during sym session create if an
appropriate flag is set in an xform type number.
Authenticated encryption and decryption are supported with tag
generation/verification.
Signed-off-by: Marcin Smoczynski
---
drivers/crypto/aesni_gcm/aesni_gcm_ops.h | 9 +
drivers/crypto/aesni_gcm/aesni_gcm_pmd.c | 220 +-
drivers/crypto/aesni_gcm/aesni_gcm_pmd_ops.c | 3 +
.../crypto/aesni_gcm/aesni_gcm_pmd_private.h | 11 +-
4 files changed, 237 insertions(+), 6 deletions(-)
diff --git a/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
b/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
index e272f1067..404c0adff 100644
--- a/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
+++ b/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
@@ -65,4 +65,13 @@ struct aesni_gcm_ops {
aesni_gcm_finalize_t finalize_dec;
};
+/** GCM per-session operation handlers */
+struct aesni_gcm_session_ops {
+ aesni_gcm_t cipher;
+ aesni_gcm_pre_t pre;
+ aesni_gcm_init_t init;
+ aesni_gcm_update_t update;
+ aesni_gcm_finalize_t finalize;
+};
+
#endif /* _AESNI_GCM_OPS_H_ */
diff --git a/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
b/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
index 1a03be31d..9901c811b 100644
--- a/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
+++ b/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
@@ -15,6 +15,31 @@
static uint8_t cryptodev_driver_id;
+/* setup session handlers */
+static void
+set_func_ops(struct aesni_gcm_session *s, const struct aesni_gcm_ops *gcm_ops)
+{
+ s->ops.pre = gcm_ops->pre;
+ s->ops.init = gcm_ops->init;
+
+ switch (s->op) {
+ case AESNI_GCM_OP_AUTHENTICATED_ENCRYPTION:
+ s->ops.cipher = gcm_ops->enc;
+ s->ops.update = gcm_ops->update_enc;
+ s->ops.finalize = gcm_ops->finalize_enc;
+ break;
+ case AESNI_GCM_OP_AUTHENTICATED_DECRYPTION:
+ s->ops.cipher = gcm_ops->dec;
+ s->ops.update = gcm_ops->update_dec;
+ s->ops.finalize = gcm_ops->finalize_dec;
+ break;
+ case AESNI_GMAC_OP_GENERATE:
+ case AESNI_GMAC_OP_VERIFY:
+ s->ops.finalize = gcm_ops->finalize_enc;
+ break;
+ }
+}
+
/** Parse crypto xform chain and set private session parameters */
int
aesni_gcm_set_session_parameters(const struct aesni_gcm_ops *gcm_ops,
@@ -65,6 +90,7 @@ aesni_gcm_set_session_parameters(const struct aesni_gcm_ops
*gcm_ops,
/* Select Crypto operation */
if (aead_xform->aead.op == RTE_CRYPTO_AEAD_OP_ENCRYPT)
sess->op = AESNI_GCM_OP_AUTHENTICATED_ENCRYPTION;
+ /* op == RTE_CRYPTO_AEAD_OP_DECRYPT */
else
sess->op = AESNI_GCM_OP_AUTHENTICATED_DECRYPTION;
@@ -78,7 +104,6 @@ aesni_gcm_set_session_parameters(const struct aesni_gcm_ops
*gcm_ops,
return -ENOTSUP;
}
-
/* IV check */
if (sess->iv.length != 16 && sess->iv.length != 12 &&
sess->iv.length != 0) {
@@ -102,6 +127,10 @@ aesni_gcm_set_session_parameters(const struct
aesni_gcm_ops *gcm_ops,
return -EINVAL;
}
+ /* setup session handlers */
+ set_func_ops(sess, &gcm_ops[sess->key]);
+
+ /* pre-generate key */
gcm_ops[sess->key].pre(key, &sess->gdata_key);
/* Digest check */
@@ -356,6 +385,191 @@ process_gcm_crypto_op(struct aesni_gcm_qp *qp, struct
rte_crypto_op *op,
return 0;
}
+static inline void
+aesni_gcm_fill_error_code(struct rte_crypto_sym_vec *vec, int32_t errnum)
+{
+ uint32_t i;
+
+ for (i = 0; i < vec->num; i++)
+ vec->status[i] = errnum;
+}
+
+
+static inline int32_t
+aesni_gcm_sgl_op_finalize_encryption(const struct aesni_gcm_session *s,
+ struct gcm_context_data *gdata_ctx, uint8_t *digest)
+{
+ if (s->req_digest_length != s->gen_digest_length) {
+ uint8_t tmpdigest[s->gen_digest_length];
+
+ s->ops.finalize(&s->gdata_key, gdata_ctx, tmpdigest,
+ s->gen_digest_length);
+ memcpy(digest, tmpdigest, s->req_digest_length);
+ } else {
+ s->ops.finalize(&s->gdata_key, gdata_ctx, digest,
+ s->gen_digest_length);
+ }
+
+ return 0;
+}
+
+static inline int32_t
+aesni_gcm_sgl_op_finalize_decryption(const struct aesni_gcm_session *s,
+ struct gcm_context_data *gdata_ctx, uint8_t *digest)
+{
+ uint8_t tmpdigest[s->gen_digest_length];
+
+ s->ops.finalize(&s->gdata_key, gdata_ctx, tmpdigest,
+ s->gen_digest_length);
+
+ return memcmp(digest, tm
[dpdk-dev] [PATCH v4 4/8] security: add cpu crypto action type
Introduce CPU crypto action type allowing to differentiate between
regular async 'none security' and synchronous, CPU crypto accelerated
sessions.
Signed-off-by: Marcin Smoczynski
---
lib/librte_security/rte_security.h | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/librte_security/rte_security.h
b/lib/librte_security/rte_security.h
index 546779df2..309f7311c 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -307,10 +307,14 @@ enum rte_security_session_action_type {
/**< All security protocol processing is performed inline during
* transmission
*/
- RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
+ RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
/**< All security protocol processing including crypto is performed
* on a lookaside accelerator
*/
+ RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
+ /**< Crypto processing for security protocol is processed by CPU
+* synchronously
+*/
};
/** Security session protocol definition */
--
2.17.1
[dpdk-dev] [PATCH v4 3/8] test/crypto: add CPU crypto tests
Add unit and performance tests for CPU crypto mode currently implemented
by AESNI-GCM cryptodev. Unit tests cover AES-GCM and GMAC test vectors.
Signed-off-by: Marcin Smoczynski
---
app/test/Makefile | 1 +
app/test/cpu_crypto_all_gcm_perf_test_cases.h | 11 +
app/test/cpu_crypto_all_gcm_unit_test_cases.h | 49 +
.../cpu_crypto_all_gmac_unit_test_cases.h | 7 +
app/test/meson.build | 1 +
app/test/test_cryptodev_cpu_crypto.c | 930 ++
6 files changed, 999 insertions(+)
create mode 100644 app/test/cpu_crypto_all_gcm_perf_test_cases.h
create mode 100644 app/test/cpu_crypto_all_gcm_unit_test_cases.h
create mode 100644 app/test/cpu_crypto_all_gmac_unit_test_cases.h
create mode 100644 app/test/test_cryptodev_cpu_crypto.c
diff --git a/app/test/Makefile b/app/test/Makefile
index 57930c00b..b8f0169ef 100644
--- a/app/test/Makefile
+++ b/app/test/Makefile
@@ -203,6 +203,7 @@ SRCS-$(CONFIG_RTE_LIBRTE_PMD_RING) += test_pmd_ring_perf.c
SRCS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += test_cryptodev_blockcipher.c
SRCS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += test_cryptodev.c
SRCS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += test_cryptodev_asym.c
+SRCS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += test_cryptodev_cpu_crypto.c
SRCS-$(CONFIG_RTE_LIBRTE_SECURITY) += test_cryptodev_security_pdcp.c
SRCS-$(CONFIG_RTE_LIBRTE_METRICS) += test_metrics.c
diff --git a/app/test/cpu_crypto_all_gcm_perf_test_cases.h
b/app/test/cpu_crypto_all_gcm_perf_test_cases.h
new file mode 100644
index 0..ee9545abc
--- /dev/null
+++ b/app/test/cpu_crypto_all_gcm_perf_test_cases.h
@@ -0,0 +1,11 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2019 Intel Corporation
+ */
+
+TEST_EXPAND(_128, 16, SGL_ONE_SEG)
+TEST_EXPAND(_192, 24, SGL_ONE_SEG)
+TEST_EXPAND(_256, 32, SGL_ONE_SEG)
+
+TEST_EXPAND(_128, 16, SGL_MAX_SEG)
+TEST_EXPAND(_192, 24, SGL_MAX_SEG)
+TEST_EXPAND(_256, 32, SGL_MAX_SEG)
diff --git a/app/test/cpu_crypto_all_gcm_unit_test_cases.h
b/app/test/cpu_crypto_all_gcm_unit_test_cases.h
new file mode 100644
index 0..ed40c1632
--- /dev/null
+++ b/app/test/cpu_crypto_all_gcm_unit_test_cases.h
@@ -0,0 +1,49 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2019 Intel Corporation
+ */
+
+TEST_EXPAND(gcm_test_case_1, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_2, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_3, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_4, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_5, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_6, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_7, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_8, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_192_1, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_192_2, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_192_3, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_192_4, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_192_5, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_192_6, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_192_7, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_256_1, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_256_2, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_256_3, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_256_4, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_256_5, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_256_6, SGL_ONE_SEG)
+TEST_EXPAND(gcm_test_case_256_7, SGL_ONE_SEG)
+
+TEST_EXPAND(gcm_test_case_1, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_2, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_3, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_4, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_5, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_6, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_7, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_8, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_192_1, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_192_2, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_192_3, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_192_4, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_192_5, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_192_6, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_192_7, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_256_1, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_256_2, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_256_3, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_256_4, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_256_5, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_256_6, SGL_MAX_SEG)
+TEST_EXPAND(gcm_test_case_256_7, SGL_MAX_SEG)
diff --git a/app/test/cpu_crypto_all_gmac_unit_test_cases.h
b/app/test/cpu_crypto_all_gmac_unit_test_cases.h
new file mode 100644
index 0..b6ebce936
--- /dev/null
+++ b/app/test/cpu_crypto_all_gmac_unit_test_cases.h
@@ -0,0 +1,7 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2019 Intel Corporation
+ */
+
+TEST_EXPAND(gmac_test_case_1, SGL_ONE_SEG)
+TEST_EXPAND(gmac_test_case_2, SGL_ONE_SEG)
+TEST_EXPAND(gmac_test_case_3, SGL_ONE_SEG)
diff --git a/app/test/meson.build b/app/test/meson.build
index 22b0cefaa..5a218affe 100644
--- a/app/test/meson.build
+++ b/app/test/meson.build
@@ -30,6 +30,7 @@ test_sources = files('commands.c',
't
[dpdk-dev] [PATCH v4 5/8] ipsec: introduce support for cpu crypto mode
Update library to handle CPU cypto security mode which utilizes
cryptodev's synchronous, CPU accelerated crypto operations.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
lib/librte_ipsec/esp_inb.c | 154 ++-
lib/librte_ipsec/esp_outb.c | 134 +++---
lib/librte_ipsec/misc.h | 118 +++
lib/librte_ipsec/rte_ipsec.h | 18 +++-
lib/librte_ipsec/sa.c| 112 +
lib/librte_ipsec/sa.h| 17
lib/librte_ipsec/ses.c | 3 +-
7 files changed, 506 insertions(+), 50 deletions(-)
diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c
index 5c653dd39..58b3dec1b 100644
--- a/lib/librte_ipsec/esp_inb.c
+++ b/lib/librte_ipsec/esp_inb.c
@@ -105,6 +105,39 @@ inb_cop_prepare(struct rte_crypto_op *cop,
}
}
+static inline uint32_t
+inb_cpu_crypto_prepare(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb,
+ uint32_t *pofs, uint32_t plen, void *iv)
+{
+ struct aead_gcm_iv *gcm;
+ struct aesctr_cnt_blk *ctr;
+ uint64_t *ivp;
+ uint32_t clen;
+
+ ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
+ *pofs + sizeof(struct rte_esp_hdr));
+ clen = 0;
+
+ switch (sa->algo_type) {
+ case ALGO_TYPE_AES_GCM:
+ gcm = (struct aead_gcm_iv *)iv;
+ aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
+ break;
+ case ALGO_TYPE_AES_CBC:
+ case ALGO_TYPE_3DES_CBC:
+ copy_iv(iv, ivp, sa->iv_len);
+ break;
+ case ALGO_TYPE_AES_CTR:
+ ctr = (struct aesctr_cnt_blk *)iv;
+ aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+ break;
+ }
+
+ *pofs += sa->ctp.auth.offset;
+ clen = plen - sa->ctp.auth.length;
+ return clen;
+}
+
/*
* Helper function for prepare() to deal with situation when
* ICV is spread by two segments. Tries to move ICV completely into the
@@ -157,17 +190,12 @@ inb_pkt_xprepare(const struct rte_ipsec_sa *sa,
rte_be64_t sqc,
}
}
-/*
- * setup/update packet data and metadata for ESP inbound tunnel case.
- */
-static inline int32_t
-inb_pkt_prepare(const struct rte_ipsec_sa *sa, const struct replay_sqn *rsn,
- struct rte_mbuf *mb, uint32_t hlen, union sym_op_data *icv)
+static inline int
+inb_get_sqn(const struct rte_ipsec_sa *sa, const struct replay_sqn *rsn,
+ struct rte_mbuf *mb, uint32_t hlen, rte_be64_t *sqc)
{
int32_t rc;
uint64_t sqn;
- uint32_t clen, icv_len, icv_ofs, plen;
- struct rte_mbuf *ml;
struct rte_esp_hdr *esph;
esph = rte_pktmbuf_mtod_offset(mb, struct rte_esp_hdr *, hlen);
@@ -179,12 +207,21 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const
struct replay_sqn *rsn,
sqn = rte_be_to_cpu_32(esph->seq);
if (IS_ESN(sa))
sqn = reconstruct_esn(rsn->sqn, sqn, sa->replay.win_sz);
+ *sqc = rte_cpu_to_be_64(sqn);
+ /* check IPsec window */
rc = esn_inb_check_sqn(rsn, sa, sqn);
- if (rc != 0)
- return rc;
- sqn = rte_cpu_to_be_64(sqn);
+ return rc;
+}
+
+/* prepare packet for upcoming processing */
+static inline int32_t
+inb_prepare(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb,
+ uint32_t hlen, union sym_op_data *icv)
+{
+ uint32_t clen, icv_len, icv_ofs, plen;
+ struct rte_mbuf *ml;
/* start packet manipulation */
plen = mb->pkt_len;
@@ -217,7 +254,8 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const struct
replay_sqn *rsn,
icv_ofs += sa->sqh_len;
- /* we have to allocate space for AAD somewhere,
+ /*
+* we have to allocate space for AAD somewhere,
* right now - just use free trailing space at the last segment.
* Would probably be more convenient to reserve space for AAD
* inside rte_crypto_op itself
@@ -238,10 +276,28 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const
struct replay_sqn *rsn,
mb->pkt_len += sa->sqh_len;
ml->data_len += sa->sqh_len;
- inb_pkt_xprepare(sa, sqn, icv);
return plen;
}
+static inline int32_t
+inb_pkt_prepare(const struct rte_ipsec_sa *sa, const struct replay_sqn *rsn,
+ struct rte_mbuf *mb, uint32_t hlen, union sym_op_data *icv)
+{
+ int rc;
+ rte_be64_t sqn;
+
+ rc = inb_get_sqn(sa, rsn, mb, hlen, &sqn);
+ if (rc != 0)
+ return rc;
+
+ rc = inb_prepare(sa, mb, hlen, icv);
+ if (rc < 0)
+ return rc;
+
+ inb_pkt_xprepare(sa, sqn, icv);
+ return rc;
+}
+
/*
* setup/update packets and crypto ops for ESP inbound case.
*/
@@ -270,17 +326,17 @@ esp_inb_pkt_prepare(const struct rte_ipsec_session *ss,
struct rte_mbuf *mb[],
[dpdk-dev] [PATCH v4 8/8] doc: add cpu crypto related documentation
Update documentation with a description of cpu crypto in cryptodev, ipsec and security libraries. Add release notes for 20.02. Signed-off-by: Marcin Smoczynski --- doc/guides/cryptodevs/aesni_gcm.rst | 5 doc/guides/prog_guide/cryptodev_lib.rst | 31 + doc/guides/prog_guide/ipsec_lib.rst | 8 +++ doc/guides/prog_guide/rte_security.rst | 15 doc/guides/rel_notes/release_20_02.rst | 8 +++ 5 files changed, 63 insertions(+), 4 deletions(-) diff --git a/doc/guides/cryptodevs/aesni_gcm.rst b/doc/guides/cryptodevs/aesni_gcm.rst index 151aa3060..6b1a3d2a0 100644 --- a/doc/guides/cryptodevs/aesni_gcm.rst +++ b/doc/guides/cryptodevs/aesni_gcm.rst @@ -9,6 +9,11 @@ The AES-NI GCM PMD (**librte_pmd_aesni_gcm**) provides poll mode crypto driver support for utilizing Intel multi buffer library (see AES-NI Multi-buffer PMD documentation to learn more about it, including installation). +The AES-NI GCM PMD supports synchronous mode of operation with +``rte_cryptodev_sym_cpu_crypto_process`` function call for both AES-GCM and +GMAC, however GMAC support is limited to one segment per operation. Please +refer to ``rte_crypto`` programmer's guide for more detail. + Features diff --git a/doc/guides/prog_guide/cryptodev_lib.rst b/doc/guides/prog_guide/cryptodev_lib.rst index ac1643774..1a01e1bda 100644 --- a/doc/guides/prog_guide/cryptodev_lib.rst +++ b/doc/guides/prog_guide/cryptodev_lib.rst @@ -600,6 +600,37 @@ chain. }; }; +Synchronous mode + + +Some cryptodevs support synchronous mode alongside with a standard asynchronous +mode. In that case operations are performed directly when calling +``rte_cryptodev_sym_cpu_crypto_process`` method instead of enqueuing and +dequeuing an operation before. This mode of operation allows cryptodevs which +utilize CPU cryptographic acceleration to have significant performance boost +comparing to standard asynchronous approach. Cryptodevs supporting synchronous +mode have ``RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO`` feature flag set. + +To perform a synchronous operation a call to +``rte_cryptodev_sym_cpu_crypto_process`` has to be made with vectorized +operation descriptor (``struct rte_crypto_sym_vec``) containing: + +- ``num`` - number of operations to perform, +- pointer to an array of size ``num`` containing a scatter-gather list + descriptors of performed operations (``struct rte_crypto_sgl``). Each instance + of ``struct rte_crypto_sgl`` consists of a number of segments and a pointer to + an array of segment descriptors ``struct rte_crypto_vec``; +- pointers to arrays of size ``num`` containing IV, AAD and digest information, +- pointer to an array of size ``num`` where status information will be stored + for each operation. + +Function returns a number of successfully completed operations and sets +appropriate status number for each operation in the status array provided as +a call argument. Status different than zero must be treated as error. + +For more details, e.g. how to convert an mbuf to an SGL, please refer to an +example usage in the IPsec library implementation. + Sample code --- diff --git a/doc/guides/prog_guide/ipsec_lib.rst b/doc/guides/prog_guide/ipsec_lib.rst index 1ce0db453..e6a21fae6 100644 --- a/doc/guides/prog_guide/ipsec_lib.rst +++ b/doc/guides/prog_guide/ipsec_lib.rst @@ -81,6 +81,14 @@ In that mode the library functions perform - verify that crypto device operations (encryption, ICV generation) were completed successfully +RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO +~~~ + +In that mode the library functions perform same operations as in +``RTE_SECURITY_ACTION_TYPE_NONE``. The only differnce is that crypto operations +are performed with CPU crypto synchronous API. + + RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ~~ diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst index f77fb89dc..a911c676b 100644 --- a/doc/guides/prog_guide/rte_security.rst +++ b/doc/guides/prog_guide/rte_security.rst @@ -511,13 +511,20 @@ Offload. /**< No security actions */ RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, /**< Crypto processing for security protocol is processed inline - * during transmission */ + * during transmission + */ RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, /**< All security protocol processing is performed inline during - * transmission */ -RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL + * transmission + */ +RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, /**< All security protocol processing including crypto is performed - * on a lookaside accelerator */ + * on a lookaside accelerator + */ +RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO +/**< Crypto processing for security p
[dpdk-dev] [PATCH v4 6/8] examples/ipsec-secgw: cpu crypto support
Add support for CPU accelerated crypto. 'cpu-crypto' SA type has
been introduced in configuration allowing to use abovementioned
acceleration.
Legacy mode is not currently supported.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/ipsec.c | 23 -
examples/ipsec-secgw/ipsec_process.c | 134 +--
examples/ipsec-secgw/sa.c| 28 --
3 files changed, 128 insertions(+), 57 deletions(-)
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index d4b57121a..49a947990 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -10,6 +10,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -86,7 +87,8 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct
ipsec_sa *sa,
ipsec_ctx->tbl[cdev_id_qp].id,
ipsec_ctx->tbl[cdev_id_qp].qp);
- if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE &&
+ ips->type != RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
struct rte_security_session_conf sess_conf = {
.action_type = ips->type,
.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
@@ -126,6 +128,18 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx,
struct ipsec_sa *sa,
return -1;
}
} else {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
+ struct rte_cryptodev_info info;
+ uint16_t cdev_id;
+
+ cdev_id = ipsec_ctx->tbl[cdev_id_qp].id;
+ rte_cryptodev_info_get(cdev_id, &info);
+ if (!(info.feature_flags &
+ RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO))
+ return -ENOTSUP;
+
+ ips->crypto.dev_id = cdev_id;
+ }
ips->crypto.ses = rte_cryptodev_sym_session_create(
ipsec_ctx->session_pool);
rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id,
@@ -476,6 +490,13 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx
*ipsec_ctx,
rte_security_attach_session(&priv->cop,
ips->security.ses);
break;
+
+ case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+ RTE_LOG(ERR, IPSEC, "CPU crypto is not supported by the"
+ " legacy mode.");
+ rte_pktmbuf_free(pkts[i]);
+ continue;
+
case RTE_SECURITY_ACTION_TYPE_NONE:
priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
diff --git a/examples/ipsec-secgw/ipsec_process.c
b/examples/ipsec-secgw/ipsec_process.c
index 2eb5c8b34..576a9fa8a 100644
--- a/examples/ipsec-secgw/ipsec_process.c
+++ b/examples/ipsec-secgw/ipsec_process.c
@@ -92,7 +92,8 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct
ipsec_ctx *ctx,
int32_t rc;
/* setup crypto section */
- if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {
+ if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||
+ ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
RTE_ASSERT(ss->crypto.ses == NULL);
rc = create_lookaside_session(ctx, sa, ss);
if (rc != 0)
@@ -215,6 +216,62 @@ ipsec_prepare_crypto_group(struct ipsec_ctx *ctx, struct
ipsec_sa *sa,
return k;
}
+/*
+ * helper routine for inline and cpu(synchronous) processing
+ * this is just to satisfy inbound_sa_check() and get_hop_for_offload_pkt().
+ * Should be removed in future.
+ */
+static inline void
+prep_process_group(void *sa, struct rte_mbuf *mb[], uint32_t cnt)
+{
+ uint32_t j;
+ struct ipsec_mbuf_metadata *priv;
+
+ for (j = 0; j != cnt; j++) {
+ priv = get_priv(mb[j]);
+ priv->sa = sa;
+ }
+}
+
+/*
+ * finish processing of packets successfully decrypted by an inline processor
+ */
+static uint32_t
+ipsec_process_inline_group(struct rte_ipsec_session *ips, void *sa,
+ struct ipsec_traffic *trf, struct rte_mbuf *mb[], uint32_t cnt)
+{
+ uint64_t satp;
+ uint32_t k;
+
+ /* get SA type */
+ satp = rte_ipsec_sa_type(ips->sa);
+ prep_process_group(sa, mb, cnt);
+
+ k = rte_ipsec_pkt_process(ips, mb, cnt);
+ copy_to_trf(trf, satp, mb, k);
+ return k;
+}
+
+/*
+ * process packets synchronously
+ */
+static uint32_t
+ipsec_process_cpu_group(struct rte_ipsec_session *ips, void *sa,
+ struct ipsec_traffic *trf, struct rte_mbuf *mb[], uint32_t cnt)
+
[dpdk-dev] [PATCH v4 7/8] examples/ipsec-secgw: cpu crypto testing
Enable cpu-crypto mode testing by adding dedicated environmental
variable CRYPTO_PRIM_TYPE. Setting it to 'type cpu-crypto' allows
to run test scenario with cpu crypto acceleration.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/test/common_defs.sh | 21 +++
examples/ipsec-secgw/test/linux_test4.sh | 11 +-
examples/ipsec-secgw/test/linux_test6.sh | 11 +-
.../test/trs_3descbc_sha1_common_defs.sh | 8 +++
.../test/trs_aescbc_sha1_common_defs.sh | 8 +++
.../test/trs_aesctr_sha1_common_defs.sh | 8 +++
.../test/tun_3descbc_sha1_common_defs.sh | 8 +++
.../test/tun_aescbc_sha1_common_defs.sh | 8 +++
.../test/tun_aesctr_sha1_common_defs.sh | 8 +++
9 files changed, 47 insertions(+), 44 deletions(-)
diff --git a/examples/ipsec-secgw/test/common_defs.sh
b/examples/ipsec-secgw/test/common_defs.sh
index 4aac4981a..6b6ae06f3 100644
--- a/examples/ipsec-secgw/test/common_defs.sh
+++ b/examples/ipsec-secgw/test/common_defs.sh
@@ -42,6 +42,27 @@ DPDK_BUILD=${RTE_TARGET:-x86_64-native-linux-gcc}
DEF_MTU_LEN=1400
DEF_PING_LEN=1200
+#upsate operation mode based on env vars values
+select_mode()
+{
+ # select sync/async mode
+ if [[ -n "${CRYPTO_PRIM_TYPE}" && -n "${SGW_CMD_XPRM}" ]]; then
+ echo "${CRYPTO_PRIM_TYPE} is enabled"
+ SGW_CFG_XPRM="${SGW_CFG_XPRM} ${CRYPTO_PRIM_TYPE}"
+ fi
+
+ #make linux to generate fragmented packets
+ if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then
+ echo "multi-segment test is enabled"
+ SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}"
+ PING_LEN=5000
+ MTU_LEN=1500
+ else
+ PING_LEN=${DEF_PING_LEN}
+ MTU_LEN=${DEF_MTU_LEN}
+ fi
+}
+
#setup mtu on local iface
set_local_mtu()
{
diff --git a/examples/ipsec-secgw/test/linux_test4.sh
b/examples/ipsec-secgw/test/linux_test4.sh
index 760451000..fb8ae1023 100644
--- a/examples/ipsec-secgw/test/linux_test4.sh
+++ b/examples/ipsec-secgw/test/linux_test4.sh
@@ -45,16 +45,7 @@ MODE=$1
. ${DIR}/common_defs.sh
. ${DIR}/${MODE}_defs.sh
-#make linux to generate fragmented packets
-if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then
- echo "multi-segment test is enabled"
- SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}"
- PING_LEN=5000
- MTU_LEN=1500
-else
- PING_LEN=${DEF_PING_LEN}
- MTU_LEN=${DEF_MTU_LEN}
-fi
+select_mode
config_secgw
diff --git a/examples/ipsec-secgw/test/linux_test6.sh
b/examples/ipsec-secgw/test/linux_test6.sh
index 479f29be3..dbcca7936 100644
--- a/examples/ipsec-secgw/test/linux_test6.sh
+++ b/examples/ipsec-secgw/test/linux_test6.sh
@@ -46,16 +46,7 @@ MODE=$1
. ${DIR}/common_defs.sh
. ${DIR}/${MODE}_defs.sh
-#make linux to generate fragmented packets
-if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then
- echo "multi-segment test is enabled"
- SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}"
- PING_LEN=5000
- MTU_LEN=1500
-else
- PING_LEN=${DEF_PING_LEN}
- MTU_LEN=${DEF_MTU_LEN}
-fi
+select_mode
config_secgw
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
index 3c5c18afd..62118bb3f 100644
--- a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
@@ -33,14 +33,14 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
sa in 9 cipher_algo 3des-cbc \
cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#SA out rules
sa out 7 cipher_algo 3des-cbc \
@@ -48,7 +48,7 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#SA out rules
sa out 9 cipher_algo 3des-cbc \
@@ -56,7 +56,7 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#Routing rules
rt ipv4 dst ${REMOTE_IPV4}/32 port 0
diff --git a/examples/ipsec-secgw/test/
[dpdk-dev] [PATCH v5 0/8] Introduce CPU crypto mode
Originally both SW and HW crypto PMDs use rte_crypot_op based API to process the crypto workload asynchronously. This way provides uniformity to both PMD types, but also introduce unnecessary performance penalty to SW PMDs that have to "simulate" HW async behavior (crypto-ops enqueue/dequeue, HW addresses computations, storing/dereferencing user provided data (mbuf) for each crypto-op, etc). The aim is to introduce a new optional API for SW crypto-devices to perform crypto processing in a synchronous manner. v3 to v4 changes: - add feature discovery in the ipsec example application when using cpu-crypto - add gmac in aesni-gcm - add tests for aesni-gcm/cpu crypto mode - add documentation: pg and rel notes - remove xform flags as no longer needed - add some extra API comments - remove compilation error from v3 v4 to v5 changes: - fixed build error for arm64 (missing header include) - update licensing information Marcin Smoczynski (8): cryptodev: introduce cpu crypto support API crypto/aesni_gcm: cpu crypto support test/crypto: add CPU crypto tests security: add cpu crypto action type ipsec: introduce support for cpu crypto mode examples/ipsec-secgw: cpu crypto support examples/ipsec-secgw: cpu crypto testing doc: add cpu crypto related documentation app/test/Makefile | 3 +- app/test/cpu_crypto_all_gcm_perf_test_cases.h | 11 + app/test/cpu_crypto_all_gcm_unit_test_cases.h | 49 + .../cpu_crypto_all_gmac_unit_test_cases.h | 7 + app/test/meson.build | 3 +- app/test/test_cryptodev_cpu_crypto.c | 931 ++ doc/guides/cryptodevs/aesni_gcm.rst | 7 +- doc/guides/prog_guide/cryptodev_lib.rst | 33 +- doc/guides/prog_guide/ipsec_lib.rst | 10 +- doc/guides/prog_guide/rte_security.rst| 15 +- doc/guides/rel_notes/release_20_02.rst| 8 + drivers/crypto/aesni_gcm/aesni_gcm_ops.h | 11 +- drivers/crypto/aesni_gcm/aesni_gcm_pmd.c | 222 - drivers/crypto/aesni_gcm/aesni_gcm_pmd_ops.c | 4 +- .../crypto/aesni_gcm/aesni_gcm_pmd_private.h | 13 +- examples/ipsec-secgw/ipsec.c | 25 +- examples/ipsec-secgw/ipsec_process.c | 136 ++- examples/ipsec-secgw/sa.c | 30 +- examples/ipsec-secgw/test/common_defs.sh | 21 + examples/ipsec-secgw/test/linux_test4.sh | 11 +- examples/ipsec-secgw/test/linux_test6.sh | 11 +- .../test/trs_3descbc_sha1_common_defs.sh | 8 +- .../test/trs_aescbc_sha1_common_defs.sh | 8 +- .../test/trs_aesctr_sha1_common_defs.sh | 8 +- .../test/tun_3descbc_sha1_common_defs.sh | 8 +- .../test/tun_aescbc_sha1_common_defs.sh | 8 +- .../test/tun_aesctr_sha1_common_defs.sh | 8 +- lib/librte_cryptodev/rte_crypto_sym.h | 63 +- lib/librte_cryptodev/rte_cryptodev.c | 35 +- lib/librte_cryptodev/rte_cryptodev.h | 22 +- lib/librte_cryptodev/rte_cryptodev_pmd.h | 21 +- .../rte_cryptodev_version.map | 1 + lib/librte_ipsec/esp_inb.c| 156 ++- lib/librte_ipsec/esp_outb.c | 136 ++- lib/librte_ipsec/misc.h | 120 ++- lib/librte_ipsec/rte_ipsec.h | 20 +- lib/librte_ipsec/sa.c | 114 ++- lib/librte_ipsec/sa.h | 19 +- lib/librte_ipsec/ses.c| 5 +- lib/librte_security/rte_security.h| 8 +- 40 files changed, 2143 insertions(+), 186 deletions(-) create mode 100644 app/test/cpu_crypto_all_gcm_perf_test_cases.h create mode 100644 app/test/cpu_crypto_all_gcm_unit_test_cases.h create mode 100644 app/test/cpu_crypto_all_gmac_unit_test_cases.h create mode 100644 app/test/test_cryptodev_cpu_crypto.c -- 2.17.1
[dpdk-dev] [PATCH v5 1/8] cryptodev: introduce cpu crypto support API
Add new API allowing to process crypto operations in a synchronous
manner. Operations are performed on a set of SG arrays.
Sync mode is selected by setting appropriate flag in an xform
type number. Cryptodevs which allows CPU crypto operation mode have to
use RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO capability.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
lib/librte_cryptodev/rte_crypto_sym.h | 63 ++-
lib/librte_cryptodev/rte_cryptodev.c | 35 ++-
lib/librte_cryptodev/rte_cryptodev.h | 22 ++-
lib/librte_cryptodev/rte_cryptodev_pmd.h | 21 ++-
.../rte_cryptodev_version.map | 1 +
5 files changed, 138 insertions(+), 4 deletions(-)
diff --git a/lib/librte_cryptodev/rte_crypto_sym.h
b/lib/librte_cryptodev/rte_crypto_sym.h
index bc356f6ff..d6f3105fe 100644
--- a/lib/librte_cryptodev/rte_crypto_sym.h
+++ b/lib/librte_cryptodev/rte_crypto_sym.h
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2016-2019 Intel Corporation
+ * Copyright(c) 2016-2020 Intel Corporation
*/
#ifndef _RTE_CRYPTO_SYM_H_
@@ -25,6 +25,67 @@ extern "C" {
#include
#include
+/**
+ * Crypto IO Vector (in analogy with struct iovec)
+ * Supposed be used to pass input/output data buffers for crypto data-path
+ * functions.
+ */
+struct rte_crypto_vec {
+ /** virtual address of the data buffer */
+ void *base;
+ /** IOVA of the data buffer */
+ rte_iova_t *iova;
+ /** length of the data buffer */
+ uint32_t len;
+};
+
+/**
+ * Crypto scatter-gather list descriptor. Consists of a pointer to an array
+ * of Crypto IO vectors with its size.
+ */
+struct rte_crypto_sgl {
+ /** start of an array of vectors */
+ struct rte_crypto_vec *vec;
+ /** size of an array of vectors */
+ uint32_t num;
+};
+
+/**
+ * Synchronous operation descriptor.
+ * Supposed to be used with CPU crypto API call.
+ */
+struct rte_crypto_sym_vec {
+ /** array of SGL vectors */
+ struct rte_crypto_sgl *sgl;
+ /** array of pointers to IV */
+ void **iv;
+ /** array of pointers to AAD */
+ void **aad;
+ /** array of pointers to digest */
+ void **digest;
+ /**
+* array of statuses for each operation:
+* - 0 on success
+* - errno on error
+*/
+ int32_t *status;
+ /** number of operations to perform */
+ uint32_t num;
+};
+
+/**
+ * used for cpu_crypto_process_bulk() to specify head/tail offsets
+ * for auth/cipher processing.
+ */
+union rte_crypto_sym_ofs {
+ uint64_t raw;
+ struct {
+ struct {
+ uint16_t head;
+ uint16_t tail;
+ } auth, cipher;
+ } ofs;
+};
/** Symmetric Cipher Algorithms */
enum rte_crypto_cipher_algorithm {
diff --git a/lib/librte_cryptodev/rte_cryptodev.c
b/lib/librte_cryptodev/rte_cryptodev.c
index 5c6359b5c..889d61319 100644
--- a/lib/librte_cryptodev/rte_cryptodev.c
+++ b/lib/librte_cryptodev/rte_cryptodev.c
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2015-2017 Intel Corporation
+ * Copyright(c) 2015-2020 Intel Corporation
*/
#include
@@ -494,6 +494,8 @@ rte_cryptodev_get_feature_name(uint64_t flag)
return "RSA_PRIV_OP_KEY_QT";
case RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED:
return "DIGEST_ENCRYPTED";
+ case RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO:
+ return "SYM_CPU_CRYPTO";
default:
return NULL;
}
@@ -1619,6 +1621,37 @@ rte_cryptodev_sym_session_get_user_data(
return (void *)(sess->sess_data + sess->nb_drivers);
}
+static inline void
+sym_crypto_fill_status(struct rte_crypto_sym_vec *vec, int32_t errnum)
+{
+ uint32_t i;
+ for (i = 0; i < vec->num; i++)
+ vec->status[i] = errnum;
+}
+
+uint32_t
+rte_cryptodev_sym_cpu_crypto_process(uint8_t dev_id,
+ struct rte_cryptodev_sym_session *sess, union rte_crypto_sym_ofs ofs,
+ struct rte_crypto_sym_vec *vec)
+{
+ struct rte_cryptodev *dev;
+
+ if (!rte_cryptodev_pmd_is_valid_dev(dev_id)) {
+ sym_crypto_fill_status(vec, EINVAL);
+ return 0;
+ }
+
+ dev = rte_cryptodev_pmd_get_dev(dev_id);
+
+ if (*dev->dev_ops->sym_cpu_process == NULL ||
+ !(dev->feature_flags & RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO)) {
+ sym_crypto_fill_status(vec, ENOTSUP);
+ return 0;
+ }
+
+ return dev->dev_ops->sym_cpu_process(dev, sess, ofs, vec);
+}
+
/** Initialise rte_crypto_op mempool element */
static void
rte_crypto_op_init(struct rte_mempool *mempool,
diff --git a/lib/librte_cryptodev/rte_cryptodev.h
b/lib/librte_cryptodev/rte_cryptodev.h
index c6ffa3b35..7603af9f6 100644
--- a/lib/librte_cryptod
[dpdk-dev] [PATCH v5 4/8] security: add cpu crypto action type
Introduce CPU crypto action type allowing to differentiate between
regular async 'none security' and synchronous, CPU crypto accelerated
sessions.
Signed-off-by: Marcin Smoczynski
Acked-by: Konstantin Ananyev
Acked-by: Fan Zhang
---
lib/librte_security/rte_security.h | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/librte_security/rte_security.h
b/lib/librte_security/rte_security.h
index 546779df2..c8b2dd5ed 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -1,6 +1,6 @@
/* SPDX-License-Identifier: BSD-3-Clause
* Copyright 2017,2019 NXP
- * Copyright(c) 2017 Intel Corporation.
+ * Copyright(c) 2017-2020 Intel Corporation.
*/
#ifndef _RTE_SECURITY_H_
@@ -307,10 +307,14 @@ enum rte_security_session_action_type {
/**< All security protocol processing is performed inline during
* transmission
*/
- RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
+ RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
/**< All security protocol processing including crypto is performed
* on a lookaside accelerator
*/
+ RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
+ /**< Crypto processing for security protocol is processed by CPU
+* synchronously
+*/
};
/** Security session protocol definition */
--
2.17.1
[dpdk-dev] [PATCH v5 2/8] crypto/aesni_gcm: cpu crypto support
Add support for CPU crypto mode by introducing required handler.
Crypto mode (sync/async) is chosen during sym session create if an
appropriate flag is set in an xform type number.
Authenticated encryption and decryption are supported with tag
generation/verification.
Signed-off-by: Marcin Smoczynski
Acked-by: Pablo de Lara
Acked-by: Fan Zhang
---
drivers/crypto/aesni_gcm/aesni_gcm_ops.h | 11 +-
drivers/crypto/aesni_gcm/aesni_gcm_pmd.c | 222 +-
drivers/crypto/aesni_gcm/aesni_gcm_pmd_ops.c | 4 +-
.../crypto/aesni_gcm/aesni_gcm_pmd_private.h | 13 +-
4 files changed, 240 insertions(+), 10 deletions(-)
diff --git a/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
b/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
index e272f1067..74acac09c 100644
--- a/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
+++ b/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2016-2017 Intel Corporation
+ * Copyright(c) 2016-2020 Intel Corporation
*/
#ifndef _AESNI_GCM_OPS_H_
@@ -65,4 +65,13 @@ struct aesni_gcm_ops {
aesni_gcm_finalize_t finalize_dec;
};
+/** GCM per-session operation handlers */
+struct aesni_gcm_session_ops {
+ aesni_gcm_t cipher;
+ aesni_gcm_pre_t pre;
+ aesni_gcm_init_t init;
+ aesni_gcm_update_t update;
+ aesni_gcm_finalize_t finalize;
+};
+
#endif /* _AESNI_GCM_OPS_H_ */
diff --git a/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
b/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
index 1a03be31d..a1caab993 100644
--- a/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
+++ b/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2016-2017 Intel Corporation
+ * Copyright(c) 2016-2020 Intel Corporation
*/
#include
@@ -15,6 +15,31 @@
static uint8_t cryptodev_driver_id;
+/* setup session handlers */
+static void
+set_func_ops(struct aesni_gcm_session *s, const struct aesni_gcm_ops *gcm_ops)
+{
+ s->ops.pre = gcm_ops->pre;
+ s->ops.init = gcm_ops->init;
+
+ switch (s->op) {
+ case AESNI_GCM_OP_AUTHENTICATED_ENCRYPTION:
+ s->ops.cipher = gcm_ops->enc;
+ s->ops.update = gcm_ops->update_enc;
+ s->ops.finalize = gcm_ops->finalize_enc;
+ break;
+ case AESNI_GCM_OP_AUTHENTICATED_DECRYPTION:
+ s->ops.cipher = gcm_ops->dec;
+ s->ops.update = gcm_ops->update_dec;
+ s->ops.finalize = gcm_ops->finalize_dec;
+ break;
+ case AESNI_GMAC_OP_GENERATE:
+ case AESNI_GMAC_OP_VERIFY:
+ s->ops.finalize = gcm_ops->finalize_enc;
+ break;
+ }
+}
+
/** Parse crypto xform chain and set private session parameters */
int
aesni_gcm_set_session_parameters(const struct aesni_gcm_ops *gcm_ops,
@@ -65,6 +90,7 @@ aesni_gcm_set_session_parameters(const struct aesni_gcm_ops
*gcm_ops,
/* Select Crypto operation */
if (aead_xform->aead.op == RTE_CRYPTO_AEAD_OP_ENCRYPT)
sess->op = AESNI_GCM_OP_AUTHENTICATED_ENCRYPTION;
+ /* op == RTE_CRYPTO_AEAD_OP_DECRYPT */
else
sess->op = AESNI_GCM_OP_AUTHENTICATED_DECRYPTION;
@@ -78,7 +104,6 @@ aesni_gcm_set_session_parameters(const struct aesni_gcm_ops
*gcm_ops,
return -ENOTSUP;
}
-
/* IV check */
if (sess->iv.length != 16 && sess->iv.length != 12 &&
sess->iv.length != 0) {
@@ -102,6 +127,10 @@ aesni_gcm_set_session_parameters(const struct
aesni_gcm_ops *gcm_ops,
return -EINVAL;
}
+ /* setup session handlers */
+ set_func_ops(sess, &gcm_ops[sess->key]);
+
+ /* pre-generate key */
gcm_ops[sess->key].pre(key, &sess->gdata_key);
/* Digest check */
@@ -356,6 +385,191 @@ process_gcm_crypto_op(struct aesni_gcm_qp *qp, struct
rte_crypto_op *op,
return 0;
}
+static inline void
+aesni_gcm_fill_error_code(struct rte_crypto_sym_vec *vec, int32_t errnum)
+{
+ uint32_t i;
+
+ for (i = 0; i < vec->num; i++)
+ vec->status[i] = errnum;
+}
+
+
+static inline int32_t
+aesni_gcm_sgl_op_finalize_encryption(const struct aesni_gcm_session *s,
+ struct gcm_context_data *gdata_ctx, uint8_t *digest)
+{
+ if (s->req_digest_length != s->gen_digest_length) {
+ uint8_t tmpdigest[s->gen_digest_length];
+
+ s->ops.finalize(&s->gdata_key, gdata_ctx, tmpdigest,
+ s->gen_digest_length);
+ memcpy(digest, tmpdigest, s->req_digest_length);
+ } else {
+ s->ops.finalize(&s->gdata_key, gdata_ctx, digest,
+ s->gen_digest_length);
+
[dpdk-dev] [PATCH v5 3/8] test/crypto: add CPU crypto tests
Add unit and performance tests for CPU crypto mode currently implemented by AESNI-GCM cryptodev. Unit tests cover AES-GCM and GMAC test vectors. Signed-off-by: Marcin Smoczynski Acked-by: Pablo de Lara --- app/test/Makefile | 3 +- app/test/cpu_crypto_all_gcm_perf_test_cases.h | 11 + app/test/cpu_crypto_all_gcm_unit_test_cases.h | 49 + .../cpu_crypto_all_gmac_unit_test_cases.h | 7 + app/test/meson.build | 3 +- app/test/test_cryptodev_cpu_crypto.c | 931 ++ 6 files changed, 1002 insertions(+), 2 deletions(-) create mode 100644 app/test/cpu_crypto_all_gcm_perf_test_cases.h create mode 100644 app/test/cpu_crypto_all_gcm_unit_test_cases.h create mode 100644 app/test/cpu_crypto_all_gmac_unit_test_cases.h create mode 100644 app/test/test_cryptodev_cpu_crypto.c diff --git a/app/test/Makefile b/app/test/Makefile index 57930c00b..bbe26bd0c 100644 --- a/app/test/Makefile +++ b/app/test/Makefile @@ -1,5 +1,5 @@ # SPDX-License-Identifier: BSD-3-Clause -# Copyright(c) 2010-2017 Intel Corporation +# Copyright(c) 2010-2020 Intel Corporation include $(RTE_SDK)/mk/rte.vars.mk @@ -203,6 +203,7 @@ SRCS-$(CONFIG_RTE_LIBRTE_PMD_RING) += test_pmd_ring_perf.c SRCS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += test_cryptodev_blockcipher.c SRCS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += test_cryptodev.c SRCS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += test_cryptodev_asym.c +SRCS-$(CONFIG_RTE_LIBRTE_CRYPTODEV) += test_cryptodev_cpu_crypto.c SRCS-$(CONFIG_RTE_LIBRTE_SECURITY) += test_cryptodev_security_pdcp.c SRCS-$(CONFIG_RTE_LIBRTE_METRICS) += test_metrics.c diff --git a/app/test/cpu_crypto_all_gcm_perf_test_cases.h b/app/test/cpu_crypto_all_gcm_perf_test_cases.h new file mode 100644 index 0..425fcb510 --- /dev/null +++ b/app/test/cpu_crypto_all_gcm_perf_test_cases.h @@ -0,0 +1,11 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(c) 2020 Intel Corporation + */ + +TEST_EXPAND(_128, 16, SGL_ONE_SEG) +TEST_EXPAND(_192, 24, SGL_ONE_SEG) +TEST_EXPAND(_256, 32, SGL_ONE_SEG) + +TEST_EXPAND(_128, 16, SGL_MAX_SEG) +TEST_EXPAND(_192, 24, SGL_MAX_SEG) +TEST_EXPAND(_256, 32, SGL_MAX_SEG) diff --git a/app/test/cpu_crypto_all_gcm_unit_test_cases.h b/app/test/cpu_crypto_all_gcm_unit_test_cases.h new file mode 100644 index 0..a2bc11b39 --- /dev/null +++ b/app/test/cpu_crypto_all_gcm_unit_test_cases.h @@ -0,0 +1,49 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(c) 2020 Intel Corporation + */ + +TEST_EXPAND(gcm_test_case_1, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_2, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_3, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_4, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_5, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_6, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_7, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_8, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_192_1, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_192_2, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_192_3, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_192_4, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_192_5, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_192_6, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_192_7, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_256_1, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_256_2, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_256_3, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_256_4, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_256_5, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_256_6, SGL_ONE_SEG) +TEST_EXPAND(gcm_test_case_256_7, SGL_ONE_SEG) + +TEST_EXPAND(gcm_test_case_1, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_2, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_3, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_4, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_5, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_6, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_7, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_8, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_192_1, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_192_2, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_192_3, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_192_4, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_192_5, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_192_6, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_192_7, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_256_1, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_256_2, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_256_3, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_256_4, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_256_5, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_256_6, SGL_MAX_SEG) +TEST_EXPAND(gcm_test_case_256_7, SGL_MAX_SEG) diff --git a/app/test/cpu_crypto_all_gmac_unit_test_cases.h b/app/test/cpu_crypto_all_gmac_unit_test_cases.h new file mode 100644 index 0..97f9c2bec --- /dev/null +++ b/app/test/cpu_crypto_all_gmac_unit_test_cases.h @@ -0,0 +1,7 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(c) 2020 Intel Corporation + */ + +TEST_EXPAND(gmac_test_case_1, SGL_ONE_SEG) +TEST_EXPAND(gmac_test_case_2, SGL_ONE_SEG) +TEST_EXPAND(gmac_test_case_3, SGL_ONE_SEG) diff --git
[dpdk-dev] [PATCH v5 5/8] ipsec: introduce support for cpu crypto mode
Update library to handle CPU cypto security mode which utilizes
cryptodev's synchronous, CPU accelerated crypto operations.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
Acked-by: Fan Zhang
---
lib/librte_ipsec/esp_inb.c | 156 ++-
lib/librte_ipsec/esp_outb.c | 136 +++---
lib/librte_ipsec/misc.h | 120 ++-
lib/librte_ipsec/rte_ipsec.h | 20 -
lib/librte_ipsec/sa.c| 114 -
lib/librte_ipsec/sa.h| 19 -
lib/librte_ipsec/ses.c | 5 +-
7 files changed, 513 insertions(+), 57 deletions(-)
diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c
index 5c653dd39..7b8ab81f6 100644
--- a/lib/librte_ipsec/esp_inb.c
+++ b/lib/librte_ipsec/esp_inb.c
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2018 Intel Corporation
+ * Copyright(c) 2018-2020 Intel Corporation
*/
#include
@@ -105,6 +105,39 @@ inb_cop_prepare(struct rte_crypto_op *cop,
}
}
+static inline uint32_t
+inb_cpu_crypto_prepare(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb,
+ uint32_t *pofs, uint32_t plen, void *iv)
+{
+ struct aead_gcm_iv *gcm;
+ struct aesctr_cnt_blk *ctr;
+ uint64_t *ivp;
+ uint32_t clen;
+
+ ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
+ *pofs + sizeof(struct rte_esp_hdr));
+ clen = 0;
+
+ switch (sa->algo_type) {
+ case ALGO_TYPE_AES_GCM:
+ gcm = (struct aead_gcm_iv *)iv;
+ aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
+ break;
+ case ALGO_TYPE_AES_CBC:
+ case ALGO_TYPE_3DES_CBC:
+ copy_iv(iv, ivp, sa->iv_len);
+ break;
+ case ALGO_TYPE_AES_CTR:
+ ctr = (struct aesctr_cnt_blk *)iv;
+ aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+ break;
+ }
+
+ *pofs += sa->ctp.auth.offset;
+ clen = plen - sa->ctp.auth.length;
+ return clen;
+}
+
/*
* Helper function for prepare() to deal with situation when
* ICV is spread by two segments. Tries to move ICV completely into the
@@ -157,17 +190,12 @@ inb_pkt_xprepare(const struct rte_ipsec_sa *sa,
rte_be64_t sqc,
}
}
-/*
- * setup/update packet data and metadata for ESP inbound tunnel case.
- */
-static inline int32_t
-inb_pkt_prepare(const struct rte_ipsec_sa *sa, const struct replay_sqn *rsn,
- struct rte_mbuf *mb, uint32_t hlen, union sym_op_data *icv)
+static inline int
+inb_get_sqn(const struct rte_ipsec_sa *sa, const struct replay_sqn *rsn,
+ struct rte_mbuf *mb, uint32_t hlen, rte_be64_t *sqc)
{
int32_t rc;
uint64_t sqn;
- uint32_t clen, icv_len, icv_ofs, plen;
- struct rte_mbuf *ml;
struct rte_esp_hdr *esph;
esph = rte_pktmbuf_mtod_offset(mb, struct rte_esp_hdr *, hlen);
@@ -179,12 +207,21 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const
struct replay_sqn *rsn,
sqn = rte_be_to_cpu_32(esph->seq);
if (IS_ESN(sa))
sqn = reconstruct_esn(rsn->sqn, sqn, sa->replay.win_sz);
+ *sqc = rte_cpu_to_be_64(sqn);
+ /* check IPsec window */
rc = esn_inb_check_sqn(rsn, sa, sqn);
- if (rc != 0)
- return rc;
- sqn = rte_cpu_to_be_64(sqn);
+ return rc;
+}
+
+/* prepare packet for upcoming processing */
+static inline int32_t
+inb_prepare(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb,
+ uint32_t hlen, union sym_op_data *icv)
+{
+ uint32_t clen, icv_len, icv_ofs, plen;
+ struct rte_mbuf *ml;
/* start packet manipulation */
plen = mb->pkt_len;
@@ -217,7 +254,8 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const struct
replay_sqn *rsn,
icv_ofs += sa->sqh_len;
- /* we have to allocate space for AAD somewhere,
+ /*
+* we have to allocate space for AAD somewhere,
* right now - just use free trailing space at the last segment.
* Would probably be more convenient to reserve space for AAD
* inside rte_crypto_op itself
@@ -238,10 +276,28 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const
struct replay_sqn *rsn,
mb->pkt_len += sa->sqh_len;
ml->data_len += sa->sqh_len;
- inb_pkt_xprepare(sa, sqn, icv);
return plen;
}
+static inline int32_t
+inb_pkt_prepare(const struct rte_ipsec_sa *sa, const struct replay_sqn *rsn,
+ struct rte_mbuf *mb, uint32_t hlen, union sym_op_data *icv)
+{
+ int rc;
+ rte_be64_t sqn;
+
+ rc = inb_get_sqn(sa, rsn, mb, hlen, &sqn);
+ if (rc != 0)
+ return rc;
+
+ rc = inb_prepare(sa, mb, hlen, icv);
+ if (rc < 0)
+ return rc;
+
+ inb_pkt_xprepare(sa, sqn, icv);
+ return rc;
+}
+
/*
* setup/update packets and
[dpdk-dev] [PATCH v5 8/8] doc: add cpu crypto related documentation
Update documentation with a description of cpu crypto in cryptodev, ipsec and security libraries. Add release notes for 20.02. Signed-off-by: Marcin Smoczynski --- doc/guides/cryptodevs/aesni_gcm.rst | 7 +- doc/guides/prog_guide/cryptodev_lib.rst | 33 - doc/guides/prog_guide/ipsec_lib.rst | 10 +++- doc/guides/prog_guide/rte_security.rst | 15 --- doc/guides/rel_notes/release_20_02.rst | 8 ++ 5 files changed, 66 insertions(+), 7 deletions(-) diff --git a/doc/guides/cryptodevs/aesni_gcm.rst b/doc/guides/cryptodevs/aesni_gcm.rst index 151aa3060..a25b63109 100644 --- a/doc/guides/cryptodevs/aesni_gcm.rst +++ b/doc/guides/cryptodevs/aesni_gcm.rst @@ -1,5 +1,5 @@ .. SPDX-License-Identifier: BSD-3-Clause -Copyright(c) 2016-2019 Intel Corporation. +Copyright(c) 2016-2020 Intel Corporation. AES-NI GCM Crypto Poll Mode Driver == @@ -9,6 +9,11 @@ The AES-NI GCM PMD (**librte_pmd_aesni_gcm**) provides poll mode crypto driver support for utilizing Intel multi buffer library (see AES-NI Multi-buffer PMD documentation to learn more about it, including installation). +The AES-NI GCM PMD supports synchronous mode of operation with +``rte_cryptodev_sym_cpu_crypto_process`` function call for both AES-GCM and +GMAC, however GMAC support is limited to one segment per operation. Please +refer to ``rte_crypto`` programmer's guide for more detail. + Features diff --git a/doc/guides/prog_guide/cryptodev_lib.rst b/doc/guides/prog_guide/cryptodev_lib.rst index ac1643774..b91f7c8b7 100644 --- a/doc/guides/prog_guide/cryptodev_lib.rst +++ b/doc/guides/prog_guide/cryptodev_lib.rst @@ -1,5 +1,5 @@ .. SPDX-License-Identifier: BSD-3-Clause -Copyright(c) 2016-2017 Intel Corporation. +Copyright(c) 2016-2020 Intel Corporation. Cryptography Device Library === @@ -600,6 +600,37 @@ chain. }; }; +Synchronous mode + + +Some cryptodevs support synchronous mode alongside with a standard asynchronous +mode. In that case operations are performed directly when calling +``rte_cryptodev_sym_cpu_crypto_process`` method instead of enqueuing and +dequeuing an operation before. This mode of operation allows cryptodevs which +utilize CPU cryptographic acceleration to have significant performance boost +comparing to standard asynchronous approach. Cryptodevs supporting synchronous +mode have ``RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO`` feature flag set. + +To perform a synchronous operation a call to +``rte_cryptodev_sym_cpu_crypto_process`` has to be made with vectorized +operation descriptor (``struct rte_crypto_sym_vec``) containing: + +- ``num`` - number of operations to perform, +- pointer to an array of size ``num`` containing a scatter-gather list + descriptors of performed operations (``struct rte_crypto_sgl``). Each instance + of ``struct rte_crypto_sgl`` consists of a number of segments and a pointer to + an array of segment descriptors ``struct rte_crypto_vec``; +- pointers to arrays of size ``num`` containing IV, AAD and digest information, +- pointer to an array of size ``num`` where status information will be stored + for each operation. + +Function returns a number of successfully completed operations and sets +appropriate status number for each operation in the status array provided as +a call argument. Status different than zero must be treated as error. + +For more details, e.g. how to convert an mbuf to an SGL, please refer to an +example usage in the IPsec library implementation. + Sample code --- diff --git a/doc/guides/prog_guide/ipsec_lib.rst b/doc/guides/prog_guide/ipsec_lib.rst index 1ce0db453..0a860eb47 100644 --- a/doc/guides/prog_guide/ipsec_lib.rst +++ b/doc/guides/prog_guide/ipsec_lib.rst @@ -1,5 +1,5 @@ .. SPDX-License-Identifier: BSD-3-Clause -Copyright(c) 2018 Intel Corporation. +Copyright(c) 2018-2020 Intel Corporation. IPsec Packet Processing Library === @@ -81,6 +81,14 @@ In that mode the library functions perform - verify that crypto device operations (encryption, ICV generation) were completed successfully +RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO +~~~ + +In that mode the library functions perform same operations as in +``RTE_SECURITY_ACTION_TYPE_NONE``. The only differnce is that crypto operations +are performed with CPU crypto synchronous API. + + RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ~~ diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst index f77fb89dc..a911c676b 100644 --- a/doc/guides/prog_guide/rte_security.rst +++ b/doc/guides/prog_guide/rte_security.rst @@ -511,13 +511,20 @@ Offload. /**< No security actions */ RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, /**< Crypto processing for security protocol is proce
[dpdk-dev] [PATCH v5 7/8] examples/ipsec-secgw: cpu crypto testing
Enable cpu-crypto mode testing by adding dedicated environmental
variable CRYPTO_PRIM_TYPE. Setting it to 'type cpu-crypto' allows
to run test scenario with cpu crypto acceleration.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
Acked-by: Fan Zhang
---
examples/ipsec-secgw/test/common_defs.sh | 21 +++
examples/ipsec-secgw/test/linux_test4.sh | 11 +-
examples/ipsec-secgw/test/linux_test6.sh | 11 +-
.../test/trs_3descbc_sha1_common_defs.sh | 8 +++
.../test/trs_aescbc_sha1_common_defs.sh | 8 +++
.../test/trs_aesctr_sha1_common_defs.sh | 8 +++
.../test/tun_3descbc_sha1_common_defs.sh | 8 +++
.../test/tun_aescbc_sha1_common_defs.sh | 8 +++
.../test/tun_aesctr_sha1_common_defs.sh | 8 +++
9 files changed, 47 insertions(+), 44 deletions(-)
diff --git a/examples/ipsec-secgw/test/common_defs.sh
b/examples/ipsec-secgw/test/common_defs.sh
index 4aac4981a..6b6ae06f3 100644
--- a/examples/ipsec-secgw/test/common_defs.sh
+++ b/examples/ipsec-secgw/test/common_defs.sh
@@ -42,6 +42,27 @@ DPDK_BUILD=${RTE_TARGET:-x86_64-native-linux-gcc}
DEF_MTU_LEN=1400
DEF_PING_LEN=1200
+#upsate operation mode based on env vars values
+select_mode()
+{
+ # select sync/async mode
+ if [[ -n "${CRYPTO_PRIM_TYPE}" && -n "${SGW_CMD_XPRM}" ]]; then
+ echo "${CRYPTO_PRIM_TYPE} is enabled"
+ SGW_CFG_XPRM="${SGW_CFG_XPRM} ${CRYPTO_PRIM_TYPE}"
+ fi
+
+ #make linux to generate fragmented packets
+ if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then
+ echo "multi-segment test is enabled"
+ SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}"
+ PING_LEN=5000
+ MTU_LEN=1500
+ else
+ PING_LEN=${DEF_PING_LEN}
+ MTU_LEN=${DEF_MTU_LEN}
+ fi
+}
+
#setup mtu on local iface
set_local_mtu()
{
diff --git a/examples/ipsec-secgw/test/linux_test4.sh
b/examples/ipsec-secgw/test/linux_test4.sh
index 760451000..fb8ae1023 100644
--- a/examples/ipsec-secgw/test/linux_test4.sh
+++ b/examples/ipsec-secgw/test/linux_test4.sh
@@ -45,16 +45,7 @@ MODE=$1
. ${DIR}/common_defs.sh
. ${DIR}/${MODE}_defs.sh
-#make linux to generate fragmented packets
-if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then
- echo "multi-segment test is enabled"
- SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}"
- PING_LEN=5000
- MTU_LEN=1500
-else
- PING_LEN=${DEF_PING_LEN}
- MTU_LEN=${DEF_MTU_LEN}
-fi
+select_mode
config_secgw
diff --git a/examples/ipsec-secgw/test/linux_test6.sh
b/examples/ipsec-secgw/test/linux_test6.sh
index 479f29be3..dbcca7936 100644
--- a/examples/ipsec-secgw/test/linux_test6.sh
+++ b/examples/ipsec-secgw/test/linux_test6.sh
@@ -46,16 +46,7 @@ MODE=$1
. ${DIR}/common_defs.sh
. ${DIR}/${MODE}_defs.sh
-#make linux to generate fragmented packets
-if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then
- echo "multi-segment test is enabled"
- SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}"
- PING_LEN=5000
- MTU_LEN=1500
-else
- PING_LEN=${DEF_PING_LEN}
- MTU_LEN=${DEF_MTU_LEN}
-fi
+select_mode
config_secgw
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
index 3c5c18afd..62118bb3f 100644
--- a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
@@ -33,14 +33,14 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
sa in 9 cipher_algo 3des-cbc \
cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#SA out rules
sa out 7 cipher_algo 3des-cbc \
@@ -48,7 +48,7 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#SA out rules
sa out 9 cipher_algo 3des-cbc \
@@ -56,7 +56,7 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#Routing rules
rt ipv4 dst ${REMOTE_IPV4}/32
[dpdk-dev] [PATCH v5 6/8] examples/ipsec-secgw: cpu crypto support
Add support for CPU accelerated crypto. 'cpu-crypto' SA type has
been introduced in configuration allowing to use abovementioned
acceleration.
Legacy mode is not currently supported.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
Acked-by: Fan Zhang
---
examples/ipsec-secgw/ipsec.c | 25 -
examples/ipsec-secgw/ipsec_process.c | 136 +--
examples/ipsec-secgw/sa.c| 30 --
3 files changed, 131 insertions(+), 60 deletions(-)
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index d4b57121a..6e8120702 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2016-2017 Intel Corporation
+ * Copyright(c) 2016-2020 Intel Corporation
*/
#include
#include
@@ -10,6 +10,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -86,7 +87,8 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct
ipsec_sa *sa,
ipsec_ctx->tbl[cdev_id_qp].id,
ipsec_ctx->tbl[cdev_id_qp].qp);
- if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE &&
+ ips->type != RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
struct rte_security_session_conf sess_conf = {
.action_type = ips->type,
.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
@@ -126,6 +128,18 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx,
struct ipsec_sa *sa,
return -1;
}
} else {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
+ struct rte_cryptodev_info info;
+ uint16_t cdev_id;
+
+ cdev_id = ipsec_ctx->tbl[cdev_id_qp].id;
+ rte_cryptodev_info_get(cdev_id, &info);
+ if (!(info.feature_flags &
+ RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO))
+ return -ENOTSUP;
+
+ ips->crypto.dev_id = cdev_id;
+ }
ips->crypto.ses = rte_cryptodev_sym_session_create(
ipsec_ctx->session_pool);
rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id,
@@ -476,6 +490,13 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx
*ipsec_ctx,
rte_security_attach_session(&priv->cop,
ips->security.ses);
break;
+
+ case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+ RTE_LOG(ERR, IPSEC, "CPU crypto is not supported by the"
+ " legacy mode.");
+ rte_pktmbuf_free(pkts[i]);
+ continue;
+
case RTE_SECURITY_ACTION_TYPE_NONE:
priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
diff --git a/examples/ipsec-secgw/ipsec_process.c
b/examples/ipsec-secgw/ipsec_process.c
index 2eb5c8b34..bb2f2b82d 100644
--- a/examples/ipsec-secgw/ipsec_process.c
+++ b/examples/ipsec-secgw/ipsec_process.c
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2016-2017 Intel Corporation
+ * Copyright(c) 2016-2020 Intel Corporation
*/
#include
#include
@@ -92,7 +92,8 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct
ipsec_ctx *ctx,
int32_t rc;
/* setup crypto section */
- if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {
+ if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||
+ ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
RTE_ASSERT(ss->crypto.ses == NULL);
rc = create_lookaside_session(ctx, sa, ss);
if (rc != 0)
@@ -215,6 +216,62 @@ ipsec_prepare_crypto_group(struct ipsec_ctx *ctx, struct
ipsec_sa *sa,
return k;
}
+/*
+ * helper routine for inline and cpu(synchronous) processing
+ * this is just to satisfy inbound_sa_check() and get_hop_for_offload_pkt().
+ * Should be removed in future.
+ */
+static inline void
+prep_process_group(void *sa, struct rte_mbuf *mb[], uint32_t cnt)
+{
+ uint32_t j;
+ struct ipsec_mbuf_metadata *priv;
+
+ for (j = 0; j != cnt; j++) {
+ priv = get_priv(mb[j]);
+ priv->sa = sa;
+ }
+}
+
+/*
+ * finish processing of packets successfully decrypted by an inline processor
+ */
+static uint32_t
+ipsec_process_inline_group(struct rte_ipsec_session *ips, void *sa,
+ struct ipsec_traffic *trf, struct rte_mbuf *mb[], uint32_t cnt)
+{
+ uint64_t satp;
+ uint32_t k;
+
+ /* get SA type */
+ satp = rte_ipsec_sa_type(ips->sa)
[dpdk-dev] [PATCH v6 2/8] crypto/aesni_gcm: cpu crypto support
Add support for CPU crypto mode by introducing required handler.
Authenticated encryption and decryption are supported with tag
generation/verification.
CPU crypto support include both AES-GCM and GMAC algorithms.
Signed-off-by: Marcin Smoczynski
Acked-by: Pablo de Lara
Acked-by: Fan Zhang
Tested-by: Konstantin Ananyev
Acked-by: Konstantin Ananyev
---
doc/guides/cryptodevs/aesni_gcm.rst | 7 +-
doc/guides/cryptodevs/features/aesni_gcm.ini | 1 +
drivers/crypto/aesni_gcm/aesni_gcm_ops.h | 11 +-
drivers/crypto/aesni_gcm/aesni_gcm_pmd.c | 222 +-
drivers/crypto/aesni_gcm/aesni_gcm_pmd_ops.c | 4 +-
.../crypto/aesni_gcm/aesni_gcm_pmd_private.h | 13 +-
6 files changed, 247 insertions(+), 11 deletions(-)
diff --git a/doc/guides/cryptodevs/aesni_gcm.rst
b/doc/guides/cryptodevs/aesni_gcm.rst
index 151aa3060..a25b63109 100644
--- a/doc/guides/cryptodevs/aesni_gcm.rst
+++ b/doc/guides/cryptodevs/aesni_gcm.rst
@@ -1,5 +1,5 @@
.. SPDX-License-Identifier: BSD-3-Clause
-Copyright(c) 2016-2019 Intel Corporation.
+Copyright(c) 2016-2020 Intel Corporation.
AES-NI GCM Crypto Poll Mode Driver
==
@@ -9,6 +9,11 @@ The AES-NI GCM PMD (**librte_pmd_aesni_gcm**) provides poll
mode crypto driver
support for utilizing Intel multi buffer library (see AES-NI Multi-buffer PMD
documentation
to learn more about it, including installation).
+The AES-NI GCM PMD supports synchronous mode of operation with
+``rte_cryptodev_sym_cpu_crypto_process`` function call for both AES-GCM and
+GMAC, however GMAC support is limited to one segment per operation. Please
+refer to ``rte_crypto`` programmer's guide for more detail.
+
Features
diff --git a/doc/guides/cryptodevs/features/aesni_gcm.ini
b/doc/guides/cryptodevs/features/aesni_gcm.ini
index 87eac0fbf..949d6a088 100644
--- a/doc/guides/cryptodevs/features/aesni_gcm.ini
+++ b/doc/guides/cryptodevs/features/aesni_gcm.ini
@@ -14,6 +14,7 @@ CPU AVX512 = Y
In Place SGL = Y
OOP SGL In LB Out = Y
OOP LB In LB Out = Y
+CPU crypto = Y
;
; Supported crypto algorithms of the 'aesni_gcm' crypto driver.
;
diff --git a/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
b/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
index e272f1067..74acac09c 100644
--- a/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
+++ b/drivers/crypto/aesni_gcm/aesni_gcm_ops.h
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2016-2017 Intel Corporation
+ * Copyright(c) 2016-2020 Intel Corporation
*/
#ifndef _AESNI_GCM_OPS_H_
@@ -65,4 +65,13 @@ struct aesni_gcm_ops {
aesni_gcm_finalize_t finalize_dec;
};
+/** GCM per-session operation handlers */
+struct aesni_gcm_session_ops {
+ aesni_gcm_t cipher;
+ aesni_gcm_pre_t pre;
+ aesni_gcm_init_t init;
+ aesni_gcm_update_t update;
+ aesni_gcm_finalize_t finalize;
+};
+
#endif /* _AESNI_GCM_OPS_H_ */
diff --git a/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
b/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
index 1a03be31d..a1caab993 100644
--- a/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
+++ b/drivers/crypto/aesni_gcm/aesni_gcm_pmd.c
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2016-2017 Intel Corporation
+ * Copyright(c) 2016-2020 Intel Corporation
*/
#include
@@ -15,6 +15,31 @@
static uint8_t cryptodev_driver_id;
+/* setup session handlers */
+static void
+set_func_ops(struct aesni_gcm_session *s, const struct aesni_gcm_ops *gcm_ops)
+{
+ s->ops.pre = gcm_ops->pre;
+ s->ops.init = gcm_ops->init;
+
+ switch (s->op) {
+ case AESNI_GCM_OP_AUTHENTICATED_ENCRYPTION:
+ s->ops.cipher = gcm_ops->enc;
+ s->ops.update = gcm_ops->update_enc;
+ s->ops.finalize = gcm_ops->finalize_enc;
+ break;
+ case AESNI_GCM_OP_AUTHENTICATED_DECRYPTION:
+ s->ops.cipher = gcm_ops->dec;
+ s->ops.update = gcm_ops->update_dec;
+ s->ops.finalize = gcm_ops->finalize_dec;
+ break;
+ case AESNI_GMAC_OP_GENERATE:
+ case AESNI_GMAC_OP_VERIFY:
+ s->ops.finalize = gcm_ops->finalize_enc;
+ break;
+ }
+}
+
/** Parse crypto xform chain and set private session parameters */
int
aesni_gcm_set_session_parameters(const struct aesni_gcm_ops *gcm_ops,
@@ -65,6 +90,7 @@ aesni_gcm_set_session_parameters(const struct aesni_gcm_ops
*gcm_ops,
/* Select Crypto operation */
if (aead_xform->aead.op == RTE_CRYPTO_AEAD_OP_ENCRYPT)
sess->op = AESNI_GCM_OP_AUTHENTICATED_ENCRYPTION;
+ /* op == RTE_CRYPTO_AEAD_OP_DECRYPT */
else
sess->op = AESNI_GCM_OP_AUTHENTICATED_DECRYPTION;
@@ -78,7 +104,6 @@ aesni_gcm_set_session
[dpdk-dev] [PATCH v6 1/8] cryptodev: introduce cpu crypto support API
Add new API allowing to process crypto operations in a synchronous
manner. Operations are performed on a set of SG arrays.
Cryptodevs which allows CPU crypto operation mode have to
use RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO capability.
Add a helper method to easily convert mbufs to a SGL form.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
doc/guides/cryptodevs/features/default.ini| 1 +
doc/guides/prog_guide/cryptodev_lib.rst | 33 -
lib/librte_cryptodev/rte_crypto_sym.h | 128 +-
lib/librte_cryptodev/rte_cryptodev.c | 35 -
lib/librte_cryptodev/rte_cryptodev.h | 22 ++-
lib/librte_cryptodev/rte_cryptodev_pmd.h | 21 ++-
.../rte_cryptodev_version.map | 1 +
7 files changed, 236 insertions(+), 5 deletions(-)
diff --git a/doc/guides/cryptodevs/features/default.ini
b/doc/guides/cryptodevs/features/default.ini
index 304a6a94f..a14ee87d9 100644
--- a/doc/guides/cryptodevs/features/default.ini
+++ b/doc/guides/cryptodevs/features/default.ini
@@ -27,6 +27,7 @@ RSA PRIV OP KEY EXP=
RSA PRIV OP KEY QT =
Digest encrypted =
Asymmetric sessionless =
+CPU crypto =
;
; Supported crypto algorithms of a default crypto driver.
diff --git a/doc/guides/prog_guide/cryptodev_lib.rst
b/doc/guides/prog_guide/cryptodev_lib.rst
index ac1643774..b91f7c8b7 100644
--- a/doc/guides/prog_guide/cryptodev_lib.rst
+++ b/doc/guides/prog_guide/cryptodev_lib.rst
@@ -1,5 +1,5 @@
.. SPDX-License-Identifier: BSD-3-Clause
-Copyright(c) 2016-2017 Intel Corporation.
+Copyright(c) 2016-2020 Intel Corporation.
Cryptography Device Library
===
@@ -600,6 +600,37 @@ chain.
};
};
+Synchronous mode
+
+
+Some cryptodevs support synchronous mode alongside with a standard asynchronous
+mode. In that case operations are performed directly when calling
+``rte_cryptodev_sym_cpu_crypto_process`` method instead of enqueuing and
+dequeuing an operation before. This mode of operation allows cryptodevs which
+utilize CPU cryptographic acceleration to have significant performance boost
+comparing to standard asynchronous approach. Cryptodevs supporting synchronous
+mode have ``RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO`` feature flag set.
+
+To perform a synchronous operation a call to
+``rte_cryptodev_sym_cpu_crypto_process`` has to be made with vectorized
+operation descriptor (``struct rte_crypto_sym_vec``) containing:
+
+- ``num`` - number of operations to perform,
+- pointer to an array of size ``num`` containing a scatter-gather list
+ descriptors of performed operations (``struct rte_crypto_sgl``). Each
instance
+ of ``struct rte_crypto_sgl`` consists of a number of segments and a pointer
to
+ an array of segment descriptors ``struct rte_crypto_vec``;
+- pointers to arrays of size ``num`` containing IV, AAD and digest information,
+- pointer to an array of size ``num`` where status information will be stored
+ for each operation.
+
+Function returns a number of successfully completed operations and sets
+appropriate status number for each operation in the status array provided as
+a call argument. Status different than zero must be treated as error.
+
+For more details, e.g. how to convert an mbuf to an SGL, please refer to an
+example usage in the IPsec library implementation.
+
Sample code
---
diff --git a/lib/librte_cryptodev/rte_crypto_sym.h
b/lib/librte_cryptodev/rte_crypto_sym.h
index bc356f6ff..5ca55a5e0 100644
--- a/lib/librte_cryptodev/rte_crypto_sym.h
+++ b/lib/librte_cryptodev/rte_crypto_sym.h
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2016-2019 Intel Corporation
+ * Copyright(c) 2016-2020 Intel Corporation
*/
#ifndef _RTE_CRYPTO_SYM_H_
@@ -25,6 +25,67 @@ extern "C" {
#include
#include
+/**
+ * Crypto IO Vector (in analogy with struct iovec)
+ * Supposed be used to pass input/output data buffers for crypto data-path
+ * functions.
+ */
+struct rte_crypto_vec {
+ /** virtual address of the data buffer */
+ void *base;
+ /** IOVA of the data buffer */
+ rte_iova_t iova;
+ /** length of the data buffer */
+ uint32_t len;
+};
+
+/**
+ * Crypto scatter-gather list descriptor. Consists of a pointer to an array
+ * of Crypto IO vectors with its size.
+ */
+struct rte_crypto_sgl {
+ /** start of an array of vectors */
+ struct rte_crypto_vec *vec;
+ /** size of an array of vectors */
+ uint32_t num;
+};
+
+/**
+ * Synchronous operation descriptor.
+ * Supposed to be used with CPU crypto API call.
+ */
+struct rte_crypto_sym_vec {
+ /** array of SGL vectors */
+ struct rte_crypto_sgl *sgl;
+ /** array of pointers to IV */
+ void **iv;
+ /** array of pointers to AAD */
+ void **aad;
+ /** array of pointers to digest */
+ void **digest;
+ /**
+* array of statuse
[dpdk-dev] [PATCH v6 3/8] security: add cpu crypto action type
Introduce CPU crypto action type allowing to differentiate between
regular async 'none security' and synchronous, CPU crypto accelerated
sessions.
This mode is similar to ACTION_TYPE_NONE but crypto processing is
performed synchronously on a CPU.
Signed-off-by: Marcin Smoczynski
Acked-by: Konstantin Ananyev
Acked-by: Fan Zhang
---
doc/guides/prog_guide/rte_security.rst | 15 +++
lib/librte_security/rte_security.h | 8 ++--
2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/doc/guides/prog_guide/rte_security.rst
b/doc/guides/prog_guide/rte_security.rst
index f77fb89dc..9b5d249de 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -511,13 +511,20 @@ Offload.
/**< No security actions */
RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
/**< Crypto processing for security protocol is processed inline
- * during transmission */
+ * during transmission
+ */
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
/**< All security protocol processing is performed inline during
- * transmission */
-RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
+ * transmission
+ */
+RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
/**< All security protocol processing including crypto is performed
- * on a lookaside accelerator */
+ * on a lookaside accelerator
+ */
+RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
+/**< Similar to ACTION_TYPE_NONE but crypto processing for security
+ * protocol is processed synchronously by a CPU.
+ */
};
The ``rte_security_session_protocol`` is defined as
diff --git a/lib/librte_security/rte_security.h
b/lib/librte_security/rte_security.h
index 546779df2..ef47118fa 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -1,6 +1,6 @@
/* SPDX-License-Identifier: BSD-3-Clause
* Copyright 2017,2019 NXP
- * Copyright(c) 2017 Intel Corporation.
+ * Copyright(c) 2017-2020 Intel Corporation.
*/
#ifndef _RTE_SECURITY_H_
@@ -307,10 +307,14 @@ enum rte_security_session_action_type {
/**< All security protocol processing is performed inline during
* transmission
*/
- RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
+ RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
/**< All security protocol processing including crypto is performed
* on a lookaside accelerator
*/
+ RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
+ /**< Similar to ACTION_TYPE_NONE but crypto processing for security
+* protocol is processed synchronously by a CPU.
+*/
};
/** Security session protocol definition */
--
2.17.1
[dpdk-dev] [PATCH v6 0/8] Introduce CPU crypto mode
Originally both SW and HW crypto PMDs use rte_crypot_op based API to process the crypto workload asynchronously. This way provides uniformity to both PMD types, but also introduce unnecessary performance penalty to SW PMDs that have to "simulate" HW async behavior (crypto-ops enqueue/dequeue, HW addresses computations, storing/dereferencing user provided data (mbuf) for each crypto-op, etc). The aim is to introduce a new optional API for SW crypto-devices to perform crypto processing in a synchronous manner. v3 to v4 changes: - add feature discovery in the ipsec example application when using cpu-crypto - add gmac in aesni-gcm - add tests for aesni-gcm/cpu crypto mode - add documentation: pg and rel notes - remove xform flags as no longer needed - add some extra API comments - remove compilation error from v3 v4 to v5 changes: - fixed build error for arm64 (missing header include) - update licensing information v5 to v6 changes: - unit tests integrated in the current test application for cryptodev - iova fix - moved mbuf to sgl helper function to crypo sym header Marcin Smoczynski (8): cryptodev: introduce cpu crypto support API crypto/aesni_gcm: cpu crypto support security: add cpu crypto action type test/crypto: add cpu crypto mode to tests ipsec: introduce support for cpu crypto mode examples/ipsec-secgw: cpu crypto support examples/ipsec-secgw: cpu crypto testing doc: add release notes for cpu crypto app/test/test_cryptodev.c | 161 - doc/guides/cryptodevs/aesni_gcm.rst | 7 +- doc/guides/cryptodevs/features/aesni_gcm.ini | 1 + doc/guides/cryptodevs/features/default.ini| 1 + doc/guides/prog_guide/cryptodev_lib.rst | 33 ++- doc/guides/prog_guide/ipsec_lib.rst | 10 +- doc/guides/prog_guide/rte_security.rst| 15 +- doc/guides/rel_notes/release_20_02.rst| 7 + drivers/crypto/aesni_gcm/aesni_gcm_ops.h | 11 +- drivers/crypto/aesni_gcm/aesni_gcm_pmd.c | 222 +- drivers/crypto/aesni_gcm/aesni_gcm_pmd_ops.c | 4 +- .../crypto/aesni_gcm/aesni_gcm_pmd_private.h | 13 +- examples/ipsec-secgw/ipsec.c | 25 +- examples/ipsec-secgw/ipsec_process.c | 136 +++ examples/ipsec-secgw/sa.c | 30 ++- examples/ipsec-secgw/test/common_defs.sh | 21 ++ examples/ipsec-secgw/test/linux_test4.sh | 11 +- examples/ipsec-secgw/test/linux_test6.sh | 11 +- .../test/trs_3descbc_sha1_common_defs.sh | 8 +- .../test/trs_aescbc_sha1_common_defs.sh | 8 +- .../test/trs_aesctr_sha1_common_defs.sh | 8 +- .../test/tun_3descbc_sha1_common_defs.sh | 8 +- .../test/tun_aescbc_sha1_common_defs.sh | 8 +- .../test/tun_aesctr_sha1_common_defs.sh | 8 +- lib/librte_cryptodev/rte_crypto_sym.h | 128 +- lib/librte_cryptodev/rte_cryptodev.c | 35 ++- lib/librte_cryptodev/rte_cryptodev.h | 22 +- lib/librte_cryptodev/rte_cryptodev_pmd.h | 21 +- .../rte_cryptodev_version.map | 1 + lib/librte_ipsec/esp_inb.c| 156 ++-- lib/librte_ipsec/esp_outb.c | 136 ++- lib/librte_ipsec/misc.h | 73 +- lib/librte_ipsec/rte_ipsec.h | 20 +- lib/librte_ipsec/sa.c | 114 +++-- lib/librte_ipsec/sa.h | 19 +- lib/librte_ipsec/ses.c| 5 +- lib/librte_security/rte_security.h| 8 +- 37 files changed, 1311 insertions(+), 194 deletions(-) -- 2.17.1
[dpdk-dev] [PATCH v6 4/8] test/crypto: add cpu crypto mode to tests
This patch adds ability to run unit tests in cpu crypto mode and
provides test for aesni_gcm's cpu crypto implementation.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
app/test/test_cryptodev.c | 161 +++---
1 file changed, 151 insertions(+), 10 deletions(-)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index b5aaca131..8748a6796 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2015-2019 Intel Corporation
+ * Copyright(c) 2015-2020 Intel Corporation
*/
#include
@@ -52,6 +52,9 @@
static int gbl_driver_id;
+static enum rte_security_session_action_type gbl_action_type =
+ RTE_SECURITY_ACTION_TYPE_NONE;
+
struct crypto_testsuite_params {
struct rte_mempool *mbuf_pool;
struct rte_mempool *large_mbuf_pool;
@@ -139,9 +142,95 @@ ceil_byte_length(uint32_t num_bits)
return (num_bits >> 3);
}
+static void
+process_cpu_gmac_op(uint8_t dev_id, struct rte_crypto_op *op)
+{
+ int32_t n, st;
+ void *iv;
+ struct rte_crypto_sym_op *sop;
+ union rte_crypto_sym_ofs ofs;
+ struct rte_crypto_sgl sgl;
+ struct rte_crypto_sym_vec symvec;
+ struct rte_crypto_vec vec[UINT8_MAX];
+
+ sop = op->sym;
+
+ n = rte_crypto_mbuf_to_vec(sop->m_src, sop->auth.data.offset,
+ sop->auth.data.length, vec, RTE_DIM(vec));
+
+ if (n < 0 || n != sop->m_src->nb_segs) {
+ op->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ return;
+ }
+
+ sgl.vec = vec;
+ sgl.num = n;
+ symvec.sgl = &sgl;
+ iv = rte_crypto_op_ctod_offset(op, void *, IV_OFFSET);
+ symvec.iv = &iv;
+ symvec.aad = NULL;
+ symvec.digest = (void **)&sop->auth.digest.data;
+ symvec.status = &st;
+ symvec.num = 1;
+
+ ofs.raw = 0;
+
+ n = rte_cryptodev_sym_cpu_crypto_process(dev_id, sop->session, ofs,
+ &symvec);
+
+ if (n != 1)
+ op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
+ else
+ op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+}
+
+
+static void
+process_cpu_aead_op(uint8_t dev_id, struct rte_crypto_op *op)
+{
+ int32_t n, st;
+ void *iv;
+ struct rte_crypto_sym_op *sop;
+ union rte_crypto_sym_ofs ofs;
+ struct rte_crypto_sgl sgl;
+ struct rte_crypto_sym_vec symvec;
+ struct rte_crypto_vec vec[UINT8_MAX];
+
+ sop = op->sym;
+
+ n = rte_crypto_mbuf_to_vec(sop->m_src, sop->aead.data.offset,
+ sop->aead.data.length, vec, RTE_DIM(vec));
+
+ if (n < 0 || n != sop->m_src->nb_segs) {
+ op->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ return;
+ }
+
+ sgl.vec = vec;
+ sgl.num = n;
+ symvec.sgl = &sgl;
+ iv = rte_crypto_op_ctod_offset(op, void *, IV_OFFSET);
+ symvec.iv = &iv;
+ symvec.aad = (void **)&sop->aead.aad.data;
+ symvec.digest = (void **)&sop->aead.digest.data;
+ symvec.status = &st;
+ symvec.num = 1;
+
+ ofs.raw = 0;
+
+ n = rte_cryptodev_sym_cpu_crypto_process(dev_id, sop->session, ofs,
+ &symvec);
+
+ if (n != 1)
+ op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
+ else
+ op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+}
+
static struct rte_crypto_op *
process_crypto_request(uint8_t dev_id, struct rte_crypto_op *op)
{
+
if (rte_cryptodev_enqueue_burst(dev_id, 0, &op, 1) != 1) {
RTE_LOG(ERR, USER1, "Error sending packet for encryption\n");
return NULL;
@@ -7862,7 +7951,11 @@ test_authenticated_encryption(const struct
aead_test_data *tdata)
ut_params->op->sym->m_src = ut_params->ibuf;
/* Process crypto operation */
- TEST_ASSERT_NOT_NULL(process_crypto_request(ts_params->valid_devs[0],
+ if (gbl_action_type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)
+ process_cpu_aead_op(ts_params->valid_devs[0], ut_params->op);
+ else
+ TEST_ASSERT_NOT_NULL(
+ process_crypto_request(ts_params->valid_devs[0],
ut_params->op), "failed to process sym crypto op");
TEST_ASSERT_EQUAL(ut_params->op->status, RTE_CRYPTO_OP_STATUS_SUCCESS,
@@ -8760,7 +8853,11 @@ test_authenticated_decryption(const struct
aead_test_data *tdata)
ut_params->op->sym->m_src = ut_params->ibuf;
/* Process crypto operation */
- TEST_ASSERT_NOT_NULL(process_crypto_request(ts_params->valid_devs[0],
+ if (gbl_action_type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)
+ process_cpu_aead_op(t
[dpdk-dev] [PATCH v6 8/8] doc: add release notes for cpu crypto
Add release note for cpu crypto, a new features added to the cryptodev API. Signed-off-by: Marcin Smoczynski --- doc/guides/rel_notes/release_20_02.rst | 7 +++ 1 file changed, 7 insertions(+) diff --git a/doc/guides/rel_notes/release_20_02.rst b/doc/guides/rel_notes/release_20_02.rst index 50e2c1484..c4144ef44 100644 --- a/doc/guides/rel_notes/release_20_02.rst +++ b/doc/guides/rel_notes/release_20_02.rst @@ -143,6 +143,13 @@ New Features Added a new OCTEON TX2 rawdev PMD for End Point mode of operation. See the :doc:`../rawdevs/octeontx2_ep` for more details on this new PMD. +* **Added synchronous Crypto burst API.** + + A new API is introduced in crypto library to handle synchronous cryptographic + operations allowing to achieve performance gain for cryptodevs which use + CPU based acceleration, such as Intel AES-NI. An implementation for aesni_gcm + cryptodev is provided including unit tests. The IPsec example application and + ipsec library itself were changed to allow utilization of this new feature. Removed Items - -- 2.17.1
[dpdk-dev] [PATCH v6 6/8] examples/ipsec-secgw: cpu crypto support
Add support for CPU accelerated crypto. 'cpu-crypto' SA type has
been introduced in configuration allowing to use abovementioned
acceleration.
Legacy mode is not currently supported.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
Acked-by: Fan Zhang
---
examples/ipsec-secgw/ipsec.c | 25 -
examples/ipsec-secgw/ipsec_process.c | 136 +--
examples/ipsec-secgw/sa.c| 30 --
3 files changed, 131 insertions(+), 60 deletions(-)
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index d4b57121a..6e8120702 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2016-2017 Intel Corporation
+ * Copyright(c) 2016-2020 Intel Corporation
*/
#include
#include
@@ -10,6 +10,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -86,7 +87,8 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct
ipsec_sa *sa,
ipsec_ctx->tbl[cdev_id_qp].id,
ipsec_ctx->tbl[cdev_id_qp].qp);
- if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE &&
+ ips->type != RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
struct rte_security_session_conf sess_conf = {
.action_type = ips->type,
.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
@@ -126,6 +128,18 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx,
struct ipsec_sa *sa,
return -1;
}
} else {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
+ struct rte_cryptodev_info info;
+ uint16_t cdev_id;
+
+ cdev_id = ipsec_ctx->tbl[cdev_id_qp].id;
+ rte_cryptodev_info_get(cdev_id, &info);
+ if (!(info.feature_flags &
+ RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO))
+ return -ENOTSUP;
+
+ ips->crypto.dev_id = cdev_id;
+ }
ips->crypto.ses = rte_cryptodev_sym_session_create(
ipsec_ctx->session_pool);
rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id,
@@ -476,6 +490,13 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx
*ipsec_ctx,
rte_security_attach_session(&priv->cop,
ips->security.ses);
break;
+
+ case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+ RTE_LOG(ERR, IPSEC, "CPU crypto is not supported by the"
+ " legacy mode.");
+ rte_pktmbuf_free(pkts[i]);
+ continue;
+
case RTE_SECURITY_ACTION_TYPE_NONE:
priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
diff --git a/examples/ipsec-secgw/ipsec_process.c
b/examples/ipsec-secgw/ipsec_process.c
index 2eb5c8b34..bb2f2b82d 100644
--- a/examples/ipsec-secgw/ipsec_process.c
+++ b/examples/ipsec-secgw/ipsec_process.c
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2016-2017 Intel Corporation
+ * Copyright(c) 2016-2020 Intel Corporation
*/
#include
#include
@@ -92,7 +92,8 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct
ipsec_ctx *ctx,
int32_t rc;
/* setup crypto section */
- if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {
+ if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||
+ ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
RTE_ASSERT(ss->crypto.ses == NULL);
rc = create_lookaside_session(ctx, sa, ss);
if (rc != 0)
@@ -215,6 +216,62 @@ ipsec_prepare_crypto_group(struct ipsec_ctx *ctx, struct
ipsec_sa *sa,
return k;
}
+/*
+ * helper routine for inline and cpu(synchronous) processing
+ * this is just to satisfy inbound_sa_check() and get_hop_for_offload_pkt().
+ * Should be removed in future.
+ */
+static inline void
+prep_process_group(void *sa, struct rte_mbuf *mb[], uint32_t cnt)
+{
+ uint32_t j;
+ struct ipsec_mbuf_metadata *priv;
+
+ for (j = 0; j != cnt; j++) {
+ priv = get_priv(mb[j]);
+ priv->sa = sa;
+ }
+}
+
+/*
+ * finish processing of packets successfully decrypted by an inline processor
+ */
+static uint32_t
+ipsec_process_inline_group(struct rte_ipsec_session *ips, void *sa,
+ struct ipsec_traffic *trf, struct rte_mbuf *mb[], uint32_t cnt)
+{
+ uint64_t satp;
+ uint32_t k;
+
+ /* get SA type */
+ satp = rte_ipsec_sa_type(ips->sa)
[dpdk-dev] [PATCH v6 5/8] ipsec: introduce support for cpu crypto mode
Update library to handle CPU cypto security mode which utilizes
cryptodev's synchronous, CPU accelerated crypto operations.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
Acked-by: Fan Zhang
Tested-by: Konstantin Ananyev
---
doc/guides/prog_guide/ipsec_lib.rst | 10 +-
lib/librte_ipsec/esp_inb.c | 156
lib/librte_ipsec/esp_outb.c | 136 ++--
lib/librte_ipsec/misc.h | 73 -
lib/librte_ipsec/rte_ipsec.h| 20 +++-
lib/librte_ipsec/sa.c | 114
lib/librte_ipsec/sa.h | 19 +++-
lib/librte_ipsec/ses.c | 5 +-
8 files changed, 475 insertions(+), 58 deletions(-)
diff --git a/doc/guides/prog_guide/ipsec_lib.rst
b/doc/guides/prog_guide/ipsec_lib.rst
index 1ce0db453..0a860eb47 100644
--- a/doc/guides/prog_guide/ipsec_lib.rst
+++ b/doc/guides/prog_guide/ipsec_lib.rst
@@ -1,5 +1,5 @@
.. SPDX-License-Identifier: BSD-3-Clause
-Copyright(c) 2018 Intel Corporation.
+Copyright(c) 2018-2020 Intel Corporation.
IPsec Packet Processing Library
===
@@ -81,6 +81,14 @@ In that mode the library functions perform
- verify that crypto device operations (encryption, ICV generation)
were completed successfully
+RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
+~~~
+
+In that mode the library functions perform same operations as in
+``RTE_SECURITY_ACTION_TYPE_NONE``. The only differnce is that crypto operations
+are performed with CPU crypto synchronous API.
+
+
RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO
~~
diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c
index 5c653dd39..7b8ab81f6 100644
--- a/lib/librte_ipsec/esp_inb.c
+++ b/lib/librte_ipsec/esp_inb.c
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2018 Intel Corporation
+ * Copyright(c) 2018-2020 Intel Corporation
*/
#include
@@ -105,6 +105,39 @@ inb_cop_prepare(struct rte_crypto_op *cop,
}
}
+static inline uint32_t
+inb_cpu_crypto_prepare(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb,
+ uint32_t *pofs, uint32_t plen, void *iv)
+{
+ struct aead_gcm_iv *gcm;
+ struct aesctr_cnt_blk *ctr;
+ uint64_t *ivp;
+ uint32_t clen;
+
+ ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
+ *pofs + sizeof(struct rte_esp_hdr));
+ clen = 0;
+
+ switch (sa->algo_type) {
+ case ALGO_TYPE_AES_GCM:
+ gcm = (struct aead_gcm_iv *)iv;
+ aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
+ break;
+ case ALGO_TYPE_AES_CBC:
+ case ALGO_TYPE_3DES_CBC:
+ copy_iv(iv, ivp, sa->iv_len);
+ break;
+ case ALGO_TYPE_AES_CTR:
+ ctr = (struct aesctr_cnt_blk *)iv;
+ aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+ break;
+ }
+
+ *pofs += sa->ctp.auth.offset;
+ clen = plen - sa->ctp.auth.length;
+ return clen;
+}
+
/*
* Helper function for prepare() to deal with situation when
* ICV is spread by two segments. Tries to move ICV completely into the
@@ -157,17 +190,12 @@ inb_pkt_xprepare(const struct rte_ipsec_sa *sa,
rte_be64_t sqc,
}
}
-/*
- * setup/update packet data and metadata for ESP inbound tunnel case.
- */
-static inline int32_t
-inb_pkt_prepare(const struct rte_ipsec_sa *sa, const struct replay_sqn *rsn,
- struct rte_mbuf *mb, uint32_t hlen, union sym_op_data *icv)
+static inline int
+inb_get_sqn(const struct rte_ipsec_sa *sa, const struct replay_sqn *rsn,
+ struct rte_mbuf *mb, uint32_t hlen, rte_be64_t *sqc)
{
int32_t rc;
uint64_t sqn;
- uint32_t clen, icv_len, icv_ofs, plen;
- struct rte_mbuf *ml;
struct rte_esp_hdr *esph;
esph = rte_pktmbuf_mtod_offset(mb, struct rte_esp_hdr *, hlen);
@@ -179,12 +207,21 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const
struct replay_sqn *rsn,
sqn = rte_be_to_cpu_32(esph->seq);
if (IS_ESN(sa))
sqn = reconstruct_esn(rsn->sqn, sqn, sa->replay.win_sz);
+ *sqc = rte_cpu_to_be_64(sqn);
+ /* check IPsec window */
rc = esn_inb_check_sqn(rsn, sa, sqn);
- if (rc != 0)
- return rc;
- sqn = rte_cpu_to_be_64(sqn);
+ return rc;
+}
+
+/* prepare packet for upcoming processing */
+static inline int32_t
+inb_prepare(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb,
+ uint32_t hlen, union sym_op_data *icv)
+{
+ uint32_t clen, icv_len, icv_ofs, plen;
+ struct rte_mbuf *ml;
/* start packet manipulation */
plen = mb->pkt_len;
@@ -217,7 +254,8 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const struct
replay_sqn *rsn,
icv_ofs += sa->sqh_len;
- /* we ha
[dpdk-dev] [PATCH v6 7/8] examples/ipsec-secgw: cpu crypto testing
Enable cpu-crypto mode testing by adding dedicated environmental
variable CRYPTO_PRIM_TYPE. Setting it to 'type cpu-crypto' allows
to run test scenario with cpu crypto acceleration.
Signed-off-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
Acked-by: Fan Zhang
---
examples/ipsec-secgw/test/common_defs.sh | 21 +++
examples/ipsec-secgw/test/linux_test4.sh | 11 +-
examples/ipsec-secgw/test/linux_test6.sh | 11 +-
.../test/trs_3descbc_sha1_common_defs.sh | 8 +++
.../test/trs_aescbc_sha1_common_defs.sh | 8 +++
.../test/trs_aesctr_sha1_common_defs.sh | 8 +++
.../test/tun_3descbc_sha1_common_defs.sh | 8 +++
.../test/tun_aescbc_sha1_common_defs.sh | 8 +++
.../test/tun_aesctr_sha1_common_defs.sh | 8 +++
9 files changed, 47 insertions(+), 44 deletions(-)
diff --git a/examples/ipsec-secgw/test/common_defs.sh
b/examples/ipsec-secgw/test/common_defs.sh
index 4aac4981a..6b6ae06f3 100644
--- a/examples/ipsec-secgw/test/common_defs.sh
+++ b/examples/ipsec-secgw/test/common_defs.sh
@@ -42,6 +42,27 @@ DPDK_BUILD=${RTE_TARGET:-x86_64-native-linux-gcc}
DEF_MTU_LEN=1400
DEF_PING_LEN=1200
+#upsate operation mode based on env vars values
+select_mode()
+{
+ # select sync/async mode
+ if [[ -n "${CRYPTO_PRIM_TYPE}" && -n "${SGW_CMD_XPRM}" ]]; then
+ echo "${CRYPTO_PRIM_TYPE} is enabled"
+ SGW_CFG_XPRM="${SGW_CFG_XPRM} ${CRYPTO_PRIM_TYPE}"
+ fi
+
+ #make linux to generate fragmented packets
+ if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then
+ echo "multi-segment test is enabled"
+ SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}"
+ PING_LEN=5000
+ MTU_LEN=1500
+ else
+ PING_LEN=${DEF_PING_LEN}
+ MTU_LEN=${DEF_MTU_LEN}
+ fi
+}
+
#setup mtu on local iface
set_local_mtu()
{
diff --git a/examples/ipsec-secgw/test/linux_test4.sh
b/examples/ipsec-secgw/test/linux_test4.sh
index 760451000..fb8ae1023 100644
--- a/examples/ipsec-secgw/test/linux_test4.sh
+++ b/examples/ipsec-secgw/test/linux_test4.sh
@@ -45,16 +45,7 @@ MODE=$1
. ${DIR}/common_defs.sh
. ${DIR}/${MODE}_defs.sh
-#make linux to generate fragmented packets
-if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then
- echo "multi-segment test is enabled"
- SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}"
- PING_LEN=5000
- MTU_LEN=1500
-else
- PING_LEN=${DEF_PING_LEN}
- MTU_LEN=${DEF_MTU_LEN}
-fi
+select_mode
config_secgw
diff --git a/examples/ipsec-secgw/test/linux_test6.sh
b/examples/ipsec-secgw/test/linux_test6.sh
index 479f29be3..dbcca7936 100644
--- a/examples/ipsec-secgw/test/linux_test6.sh
+++ b/examples/ipsec-secgw/test/linux_test6.sh
@@ -46,16 +46,7 @@ MODE=$1
. ${DIR}/common_defs.sh
. ${DIR}/${MODE}_defs.sh
-#make linux to generate fragmented packets
-if [[ -n "${MULTI_SEG_TEST}" && -n "${SGW_CMD_XPRM}" ]]; then
- echo "multi-segment test is enabled"
- SGW_CMD_XPRM="${SGW_CMD_XPRM} ${MULTI_SEG_TEST}"
- PING_LEN=5000
- MTU_LEN=1500
-else
- PING_LEN=${DEF_PING_LEN}
- MTU_LEN=${DEF_MTU_LEN}
-fi
+select_mode
config_secgw
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
index 3c5c18afd..62118bb3f 100644
--- a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
@@ -33,14 +33,14 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
sa in 9 cipher_algo 3des-cbc \
cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#SA out rules
sa out 7 cipher_algo 3des-cbc \
@@ -48,7 +48,7 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#SA out rules
sa out 9 cipher_algo 3des-cbc \
@@ -56,7 +56,7 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#Routing rules
rt ipv4 dst ${REMOTE_IPV4}/32
[dpdk-dev] [PATCH] cryptodev: fix missing doxygen comment
Add missing doxygen comment of rte_crypto_mbuf_to_vec's fields. Signed-off-by: Marcin Smoczynski --- lib/librte_cryptodev/rte_crypto_sym.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/librte_cryptodev/rte_crypto_sym.h b/lib/librte_cryptodev/rte_crypto_sym.h index deb46971f..9e887c110 100644 --- a/lib/librte_cryptodev/rte_crypto_sym.h +++ b/lib/librte_cryptodev/rte_crypto_sym.h @@ -861,7 +861,9 @@ __rte_crypto_sym_op_attach_sym_session(struct rte_crypto_sym_op *sym_op, * @param len * Length of data to represent. * @param vec + * Pointer to an output array of IO vectors. * @param num + * Size of an output array. * @return * - number of successfully filled entries in *vec* array. * - negative number of elements in *vec* array required. -- 2.17.1
[dpdk-dev] [PATCH] test/crypto: add cpu crypto mode tests
This patch adds ability to run unit tests in cpu crypto mode for AESNI
GCM cryptodev.
Signed-off-by: Marcin Smoczynski
---
app/test/test_cryptodev.c | 181 --
1 file changed, 172 insertions(+), 9 deletions(-)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index e6abc22b6..7b1ef5c86 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2015-2019 Intel Corporation
+ * Copyright(c) 2015-2020 Intel Corporation
*/
#include
@@ -52,6 +52,9 @@
static int gbl_driver_id;
+static enum rte_security_session_action_type gbl_action_type =
+ RTE_SECURITY_ACTION_TYPE_NONE;
+
struct crypto_testsuite_params {
struct rte_mempool *mbuf_pool;
struct rte_mempool *large_mbuf_pool;
@@ -139,9 +142,97 @@ ceil_byte_length(uint32_t num_bits)
return (num_bits >> 3);
}
+static void
+process_cpu_gmac_op(uint8_t dev_id, struct rte_crypto_op *op)
+{
+ int32_t n, st;
+ void *iv;
+ struct rte_crypto_sym_op *sop;
+ union rte_crypto_sym_ofs ofs;
+ struct rte_crypto_sgl sgl;
+ struct rte_crypto_sym_vec symvec;
+ struct rte_crypto_vec vec[UINT8_MAX];
+
+ sop = op->sym;
+
+ n = rte_crypto_mbuf_to_vec(sop->m_src, sop->auth.data.offset,
+ sop->auth.data.length, vec, RTE_DIM(vec));
+
+ if (n < 0 || n != sop->m_src->nb_segs) {
+ op->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ return;
+ }
+
+ sgl.vec = vec;
+ sgl.num = n;
+ symvec.sgl = &sgl;
+ iv = rte_crypto_op_ctod_offset(op, void *, IV_OFFSET);
+ symvec.iv = &iv;
+ symvec.aad = NULL;
+ symvec.digest = (void **)&sop->auth.digest.data;
+ symvec.status = &st;
+ symvec.num = 1;
+
+ ofs.raw = 0;
+
+ n = rte_cryptodev_sym_cpu_crypto_process(dev_id, sop->session, ofs,
+ &symvec);
+
+ if (n != 1)
+ op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
+ else
+ op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+}
+
+
+static void
+process_cpu_aead_op(uint8_t dev_id, struct rte_crypto_op *op)
+{
+ int32_t n, st;
+ void *iv;
+ struct rte_crypto_sym_op *sop;
+ union rte_crypto_sym_ofs ofs;
+ struct rte_crypto_sgl sgl;
+ struct rte_crypto_sym_vec symvec;
+ struct rte_crypto_vec vec[UINT8_MAX];
+
+ sop = op->sym;
+
+ n = rte_crypto_mbuf_to_vec(sop->m_src, sop->aead.data.offset,
+ sop->aead.data.length, vec, RTE_DIM(vec));
+
+ if (n < 0 || n != sop->m_src->nb_segs) {
+ op->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ return;
+ }
+
+ sgl.vec = vec;
+ sgl.num = n;
+ symvec.sgl = &sgl;
+ iv = rte_crypto_op_ctod_offset(op, void *, IV_OFFSET);
+ symvec.iv = &iv;
+ symvec.aad = (void **)&sop->aead.aad.data;
+ symvec.digest = (void **)&sop->aead.digest.data;
+ symvec.status = &st;
+ symvec.num = 1;
+
+ ofs.raw = 0;
+
+ n = rte_cryptodev_sym_cpu_crypto_process(dev_id, sop->session, ofs,
+ &symvec);
+
+ if (n != 1)
+ op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
+ else
+ op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+}
+
static struct rte_crypto_op *
process_crypto_request(uint8_t dev_id, struct rte_crypto_op *op)
{
+
+ RTE_VERIFY(gbl_action_type != RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO);
+
if (rte_cryptodev_enqueue_burst(dev_id, 0, &op, 1) != 1) {
RTE_LOG(ERR, USER1, "Error sending packet for encryption\n");
return NULL;
@@ -6937,7 +7028,11 @@ test_authenticated_encryption(const struct
aead_test_data *tdata)
ut_params->op->sym->m_src = ut_params->ibuf;
/* Process crypto operation */
- TEST_ASSERT_NOT_NULL(process_crypto_request(ts_params->valid_devs[0],
+ if (gbl_action_type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)
+ process_cpu_aead_op(ts_params->valid_devs[0], ut_params->op);
+ else
+ TEST_ASSERT_NOT_NULL(
+ process_crypto_request(ts_params->valid_devs[0],
ut_params->op), "failed to process sym crypto op");
TEST_ASSERT_EQUAL(ut_params->op->status, RTE_CRYPTO_OP_STATUS_SUCCESS,
@@ -7868,7 +7963,11 @@ test_authenticated_decryption(const struct
aead_test_data *tdata)
ut_params->op->sym->m_src = ut_params->ibuf;
/* Process crypto operation */
- TEST_ASSERT_NOT_NULL(process_crypto_request(ts_params->valid_devs[0],
+ if (gbl_action_type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)
+ process_cpu_aead_op(ts
[dpdk-dev] [PATCH] examples/ipsec-secgw: add missing SPDX license tag
Add missing BSD-3 license tag to inline fallback testing scripts.
Signed-off-by: Marcin Smoczynski
---
.../ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh | 1 +
.../ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh | 1 +
2 files changed, 2 insertions(+)
diff --git
a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
index 875a7457d..f21b01d63 100644
--- a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
+++ b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
@@ -1,4 +1,5 @@
#! /bin/bash
+# SPDX-License-Identifier: BSD-3-Clause
. ${DIR}/trs_aesgcm_defs.sh
diff --git
a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
index 696848432..97b9431f4 100644
--- a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
+++ b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
@@ -1,4 +1,5 @@
#! /bin/bash
+# SPDX-License-Identifier: BSD-3-Clause
. ${DIR}/tun_aesgcm_defs.sh
--
2.17.1
[dpdk-dev] [PATCH v1 0/2] examples/ipsec-secgw: add fallback session
Inline processing is limited to a specified subset of traffic. It is often unable to handle more complicated situations, such as fragmented traffic. When using inline processing such traffic is dropped. Introduce multiple sessions per SA allowing to configure a fallback lookaside session for packets that normally would be dropped. A fallback session type in the SA configuration by adding 'fallback' with 'lookaside-none' or 'lookaside-protocol' parameter to determine type of session. Fallback session feature is available only when using librte_ipsec. Marcin Smoczynski (2): examples/ipsec-secgw: ipsec_sa structure cleanup examples/ipsec-secgw: add fallback session feature doc/guides/sample_app_ug/ipsec_secgw.rst | 17 ++- examples/ipsec-secgw/esp.c | 35 -- examples/ipsec-secgw/ipsec-secgw.c | 16 ++- examples/ipsec-secgw/ipsec.c | 99 --- examples/ipsec-secgw/ipsec.h | 61 +++-- examples/ipsec-secgw/ipsec_process.c | 113 ++--- examples/ipsec-secgw/sa.c| 153 +-- 7 files changed, 334 insertions(+), 160 deletions(-) -- 2.17.1
[dpdk-dev] [PATCH v1 1/2] examples/ipsec-secgw: ipsec_sa structure cleanup
Cleanup ipsec_sa structure by removing every field that is already in
the rte_ipsec_session structure:
* cryptodev/security session union
* action type
* offload flags
* security context
References to abovementioned fields are changed to direct references
to matching fields of rte_ipsec_session structure.
Such refactoring is needed to introduce many sessions per SA feature,
e.g. fallback session for inline offload processing.
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/esp.c | 35 +++
examples/ipsec-secgw/ipsec.c | 91 +++-
examples/ipsec-secgw/ipsec.h | 27 ++---
examples/ipsec-secgw/ipsec_process.c | 30 -
examples/ipsec-secgw/sa.c| 66 ++--
5 files changed, 137 insertions(+), 112 deletions(-)
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index d6d7b1256..c1b49da1e 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -30,7 +30,8 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
int32_t payload_len, ip_hdr_len;
RTE_ASSERT(sa != NULL);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
+ if (ipsec_get_action_type(sa) ==
+ RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
return 0;
RTE_ASSERT(m != NULL);
@@ -148,13 +149,16 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
uint8_t *nexthdr, *pad_len;
uint8_t *padding;
uint16_t i;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
+ ips = ipsec_get_session(sa);
+
+ if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED)
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
@@ -169,8 +173,8 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
return -1;
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
- sa->ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+ ips->security.ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
nexthdr = &m->inner_esp_next_proto;
} else {
nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
@@ -225,10 +229,12 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
struct rte_crypto_sym_op *sym_cop;
int32_t i;
uint16_t pad_payload_len, pad_len, ip_hdr_len;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
+ ips = ipsec_get_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
@@ -277,9 +283,10 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
/* Add trailer padding if it is not constructed by HW */
- if (sa->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
-!(sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+!(ips->security.ol_flags &
+RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
padding = (uint8_t *)rte_pktmbuf_append(m, pad_len +
sa->digest_len);
if (unlikely(padding == NULL)) {
@@ -344,8 +351,9 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
- if (sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ if (ips->security.ol_flags &
+ RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
/* Set the inner esp next protocol for HW trailer */
m->inner_esp_next_proto = nlp;
m->packet_type |= RTE_PTYPE_TUNNEL_ESP;
@@ -448,11 +456,14 @@ esp_outbound_post(struct rte_mbuf *m,
struct ipsec_sa *sa,
struct rte_crypto_op *cop)
{
+ enum rte_security_session_action_type type;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
- if ((sa-
[dpdk-dev] [PATCH v1 2/2] examples/ipsec-secgw: add fallback session feature
Inline processing is limited to a specified subset of traffic. It is
often unable to handle more complicated situations, such as fragmented
traffic. When using inline processing such traffic is dropped.
Introduce multiple sessions per SA allowing to configure a fallback
lookaside session for packets that normally would be dropped.
A fallback session type in the SA configuration by adding 'fallback'
with 'lookaside-none' or 'lookaside-protocol' parameter to determine
type of session.
Fallback session feature is available only when using librte_ipsec.
Signed-off-by: Marcin Smoczynski
---
doc/guides/sample_app_ug/ipsec_secgw.rst | 17 +++-
examples/ipsec-secgw/esp.c | 4 +-
examples/ipsec-secgw/ipsec-secgw.c | 16 ++--
examples/ipsec-secgw/ipsec.c | 10 +--
examples/ipsec-secgw/ipsec.h | 40 --
examples/ipsec-secgw/ipsec_process.c | 85 +---
examples/ipsec-secgw/sa.c| 99
7 files changed, 210 insertions(+), 61 deletions(-)
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index ad2d79e75..9ded5fb70 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -401,7 +401,7 @@ The SA rule syntax is shown as follows:
.. code-block:: console
sa
-
+
where each options means:
@@ -573,6 +573,21 @@ where each options means:
* *port_id X* X is a valid device number in decimal
+
+
+ * Action type for packets that inline processor failed to process.
+
+ * Optional: Yes, by default there is *no fallback* session type.
+
+ * Available options:
+
+ * *lookaside-none*: use automatically chosen cryptodev to process packets
+ * *lookaside-protocol*: lookaside protocol offload to HW accelerator
+
+ * Syntax:
+
+ * *fallback lookaside-none*
+ * *fallback lookaside-protocol*
Example SA rules:
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index c1b49da1e..bfa7ff721 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -155,7 +155,7 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- ips = ipsec_get_session(sa);
+ ips = ipsec_get_primary_session(sa);
if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
(ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
@@ -234,7 +234,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
- ips = ipsec_get_session(sa);
+ ips = ipsec_get_primary_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
diff --git a/examples/ipsec-secgw/ipsec-secgw.c
b/examples/ipsec-secgw/ipsec-secgw.c
index 0d1fd6af6..641ed3767 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -189,6 +189,7 @@ static uint32_t mtu_size = RTE_ETHER_MTU;
/* application wide librte_ipsec/SA parameters */
struct app_sa_prm app_sa_prm = {.enable = 0};
+static const char *cfgfile;
struct lcore_rx_queue {
uint16_t port_id;
@@ -1462,12 +1463,7 @@ parse_args(int32_t argc, char **argv)
print_usage(prgname);
return -1;
}
- if (parse_cfg_file(optarg) < 0) {
- printf("parsing file \"%s\" failed\n",
- optarg);
- print_usage(prgname);
- return -1;
- }
+ cfgfile = optarg;
f_present = 1;
break;
case 'j':
@@ -2398,6 +2394,14 @@ main(int32_t argc, char **argv)
if (ret < 0)
rte_exit(EXIT_FAILURE, "Invalid parameters\n");
+ /* parse configuration file */
+ if (parse_cfg_file(cfgfile) < 0) {
+ printf("parsing file \"%s\" failed\n",
+ optarg);
+ print_usage(argv[0]);
+ return -1;
+ }
+
if ((unprotected_port_mask & enabled_port_mask) !=
unprotected_port_mask)
rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n",
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 8c60bd84b..8b0441028 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -404,7 +404,7 @@ enqueue_cop(struct cdev_qp *cqp, struct rte_crypto_op *cop)
static inline void
ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
- struct rte_mbuf *pkts[], struct ipsec_sa *sas[]
[dpdk-dev] [PATCH] examples/ipsec-secgw: fix gcm iv length
The example IPsec application does not work properly when using
AES-GCM with crypto_openssl.
ESP with AES-GCM uses standard 96bit long algorithm IV ([1]) which
later concatenated with be32(1) forms a J0 block. GCM specification
([2], chapter 7.1) states that when length of IV is different than
96b, in order to format a J0 block, GHASH function must be used.
According to specification ([2], chapter 5.1.1) GCM implementations
should support standard 96bit IVs, other lengths are optional. Every
DPDK cryptodev supports 96bit IV and few of them supports 128bit
IV as well (openssl, mrvl, ccp). When passing iv::length=16 to a
cryptodev which does support standard IVs only (e.g. qat) it
implicitly uses starting 96 bits. On the other hand, openssl follows
specification and uses GHASH to compute J0 for that case which results
in different than expected J0 values used for encryption/decryption.
Fix an inability to use AES-GCM with crypto_openssl by changing IV
length to the standard value of 12.
[1] RFC4106, section "4. Nonce format" and "3.1. Initialization Vector"
https://tools.ietf.org/html/rfc4106
[2] NIST SP800-38D
https://csrc.nist.gov/publications/detail/sp/800-38d/final
Fixes: 0fbd75a99f ("cryptodev: move IV parameters to session")
Cc: sta...@dpdk.org
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/sa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 14ee94731..041e402a9 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -926,7 +926,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa
entries[],
}
if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
- iv_length = 16;
+ iv_length = 12;
sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AEAD;
sa_ctx->xf[idx].a.aead.algo = sa->aead_algo;
--
2.17.1
[dpdk-dev] [PATCH v2 0/4] IPv6 with options support for IPsec transport
Add support for IPv6 with header extensions (IPv6 options) and IPsec transport mode: 1. Add IPv6 header extension parsing method in librte_net 2. Fix IPv6 header with extension parsing in both librte_ipsec and ipsec sample application using abovementioned function 3. Add new testing mechanism for ipsec-secgw sample application which allows to automatically check how custom packets are processed. This patchset depends on the following patch: http://patchwork.dpdk.org/patch/53406/ Marcin Smoczynski (4): net: new ipv6 header extension parsing function ipsec: fix transport mode for ipv6 with extensions examples/ipsec-secgw: add support for ipv6 options examples/ipsec-secgw: add scapy based unittests examples/ipsec-secgw/ipsec-secgw.c| 35 +++- examples/ipsec-secgw/sa.c | 5 +- examples/ipsec-secgw/test/common_defs.sh | 58 +- .../ipsec-secgw/test/common_defs_secgw.sh | 65 +++ examples/ipsec-secgw/test/pkttest.py | 127 examples/ipsec-secgw/test/pkttest.sh | 65 +++ examples/ipsec-secgw/test/run_test.sh | 108 --- examples/ipsec-secgw/test/trs_ipv6opts.py | 181 ++ lib/Makefile | 3 +- lib/librte_ipsec/iph.h| 55 +- lib/librte_net/rte_ip.h | 49 + lib/meson.build | 2 +- 12 files changed, 649 insertions(+), 104 deletions(-) create mode 100644 examples/ipsec-secgw/test/common_defs_secgw.sh create mode 100755 examples/ipsec-secgw/test/pkttest.py create mode 100755 examples/ipsec-secgw/test/pkttest.sh mode change 100644 => 100755 examples/ipsec-secgw/test/run_test.sh create mode 100755 examples/ipsec-secgw/test/trs_ipv6opts.py -- 2.17.1
[dpdk-dev] [PATCH v2 4/4] examples/ipsec-secgw: add scapy based unittests
Add new unittest-like mechanism which uses scapy to craft custom
packets and a set of assertions to check how ipsec-secgw example
application is processing them. Python3 with scapy module is
required by pkttest.sh to run test scripts.
A new mechanism is used to test IPv6 transport mode traffic with
header extensions (trs_ipv6opts.py).
Fix incomplete test log problem by disabling buffering of ipsec-secgw
standard output with stdbuf application.
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/test/common_defs.sh | 58 +-
.../ipsec-secgw/test/common_defs_secgw.sh | 65 +++
examples/ipsec-secgw/test/pkttest.py | 127
examples/ipsec-secgw/test/pkttest.sh | 65 +++
examples/ipsec-secgw/test/run_test.sh | 108 ---
examples/ipsec-secgw/test/trs_ipv6opts.py | 181 ++
6 files changed, 519 insertions(+), 85 deletions(-)
create mode 100644 examples/ipsec-secgw/test/common_defs_secgw.sh
create mode 100755 examples/ipsec-secgw/test/pkttest.py
create mode 100755 examples/ipsec-secgw/test/pkttest.sh
mode change 100644 => 100755 examples/ipsec-secgw/test/run_test.sh
create mode 100755 examples/ipsec-secgw/test/trs_ipv6opts.py
diff --git a/examples/ipsec-secgw/test/common_defs.sh
b/examples/ipsec-secgw/test/common_defs.sh
index 8dc574b50..63ad5415d 100644
--- a/examples/ipsec-secgw/test/common_defs.sh
+++ b/examples/ipsec-secgw/test/common_defs.sh
@@ -1,22 +1,10 @@
#! /bin/bash
-#check that env vars are properly defined
-
-#check SGW_PATH
-if [[ -z "${SGW_PATH}" || ! -x ${SGW_PATH} ]]; then
- echo "SGW_PATH is invalid"
- exit 127
-fi
-
#check ETH_DEV
if [[ -z "${ETH_DEV}" ]]; then
echo "ETH_DEV is invalid"
exit 127
fi
-
-#setup SGW_LCORE
-SGW_LCORE=${SGW_LCORE:-0}
-
#check that REMOTE_HOST is reachable
ssh ${REMOTE_HOST} echo
st=$?
@@ -47,14 +35,6 @@ LOCAL_IPV6=fd12:3456:789a:0031::::0092
DPDK_PATH=${RTE_SDK:-${PWD}}
DPDK_BUILD=${RTE_TARGET:-x86_64-native-linux-gcc}
-SGW_OUT_FILE=./ipsec-secgw.out1
-
-SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}"
-SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})"
-SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\""
-
-SGW_CFG_FILE=$(mktemp)
-
# configure local host/ifaces
config_local_iface()
{
@@ -126,37 +106,7 @@ config6_iface()
config6_remote_iface
}
-#start ipsec-secgw
-secgw_start()
-{
- SGW_EXEC_FILE=$(mktemp)
- cat < ${SGW_EXEC_FILE}
-${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \
---vdev="net_tap0,mac=fixed" \
--- ${SGW_CMD_PRM} ${SGW_CMD_XPRM} -f ${SGW_CFG_FILE} > \
-${SGW_OUT_FILE} 2>&1 &
-p=\$!
-echo \$p
-EOF
-
- cat ${SGW_EXEC_FILE}
- SGW_PID=`/bin/bash -x ${SGW_EXEC_FILE}`
-
- # wait till ipsec-secgw start properly
- i=0
- st=1
- while [[ $i -ne 10 && st -ne 0 ]]; do
- sleep 1
- ifconfig ${LOCAL_IFACE}
- st=$?
- let i++
- done
-}
-
-#stop ipsec-secgw and cleanup
-secgw_stop()
-{
- kill ${SGW_PID}
- rm -f ${SGW_EXEC_FILE}
- rm -f ${SGW_CFG_FILE}
-}
+# secgw application parameters setup
+SGW_PORT_CFG="--vdev=\"net_tap0,mac=fixed\" ${ETH_DEV}"
+SGW_WAIT_DEV="${LOCAL_IFACE}"
+. ${DIR}/common_defs_secgw.sh
diff --git a/examples/ipsec-secgw/test/common_defs_secgw.sh
b/examples/ipsec-secgw/test/common_defs_secgw.sh
new file mode 100644
index 0..a50c03cb3
--- /dev/null
+++ b/examples/ipsec-secgw/test/common_defs_secgw.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# check required parameters
+SGW_REQ_VARS="SGW_PATH SGW_PORT_CFG SGW_WAIT_DEV"
+for reqvar in ${SGW_REQ_VARS}
+do
+ if [[ -z "${!reqvar}" ]]; then
+ echo "Required parameter ${reqvar} is empty"
+ exit 127
+ fi
+done
+
+# check if SGW_PATH point to an executable
+if [[ ! -x ${SGW_PATH} ]]; then
+ echo "${SGW_PATH} is not executable"
+ exit 127
+fi
+
+# setup SGW_LCORE
+SGW_LCORE=${SGW_LCORE:-0}
+
+# setup config and output filenames
+SGW_OUT_FILE=./ipsec-secgw.out1
+SGW_CFG_FILE=$(mktemp)
+
+# setup secgw parameters
+SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4"
+SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})"
+SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\""
+
+# start ipsec-secgw
+secgw_start()
+{
+ SGW_EXEC_FILE=$(mktemp)
+ cat < ${SGW_EXEC_FILE}
+stdbuf -o0 ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \
+${SGW_PORT_CFG} ${SGW_EAL_XPRM} \
+-- ${SGW_CMD_PRM} ${SGW_CMD_XPRM} -f ${SGW_CFG_FILE} > \
+${SGW_OUT_FILE} 2>&1 &
+p=\$!
+echo \$p
+EOF
+
+ cat ${SGW_EXEC_FILE}
+ cat ${SGW_CFG_FILE}
+ SGW_PID=`/bin/bash -x ${SGW_EXEC_FILE}`
+
+ # wait till ipsec-secgw st
[dpdk-dev] [PATCH v2 1/4] net: new ipv6 header extension parsing function
Introduce new function for IPv6 header extension parsing able to
determine extension length and next protocol number.
This function is helpful when implementing IPv6 header traversing.
Signed-off-by: Marcin Smoczynski
---
lib/librte_net/rte_ip.h | 49 +
1 file changed, 49 insertions(+)
diff --git a/lib/librte_net/rte_ip.h b/lib/librte_net/rte_ip.h
index ae3b7e730..c2c67b85d 100644
--- a/lib/librte_net/rte_ip.h
+++ b/lib/librte_net/rte_ip.h
@@ -428,6 +428,55 @@ rte_ipv6_udptcp_cksum(const struct rte_ipv6_hdr *ipv6_hdr,
const void *l4_hdr)
return (uint16_t)cksum;
}
+/* IPv6 fragmentation header size */
+#define RTE_IPV6_FRAG_HDR_SIZE 8
+
+/**
+ * Parse next IPv6 header extension
+ *
+ * This function checks if proto number is an IPv6 extensions and parses its
+ * data if so, providing information on next header and extension length.
+ *
+ * @param p
+ * Pointer to an extension raw data.
+ * @param proto
+ * Protocol number extracted from the "next header" field from
+ * the IPv6 header or the previous extension.
+ * @param ext_len
+ * Extension data length.
+ * @return
+ * next protocol number if proto is an IPv6 extension, -EINVAL otherwise
+ */
+static inline int __rte_experimental
+rte_ipv6_get_next_ext(uint8_t *p, int proto, size_t *ext_len)
+{
+ int next_proto;
+
+ switch (proto) {
+ case IPPROTO_AH:
+ next_proto = *p++;
+ *ext_len = (*p + 2) * sizeof(uint32_t);
+ break;
+
+ case IPPROTO_HOPOPTS:
+ case IPPROTO_ROUTING:
+ case IPPROTO_DSTOPTS:
+ next_proto = *p++;
+ *ext_len = (*p + 1) * sizeof(uint64_t);
+ break;
+
+ case IPPROTO_FRAGMENT:
+ next_proto = *p;
+ *ext_len = RTE_IPV6_FRAG_HDR_SIZE;
+ break;
+
+ default:
+ return -EINVAL;
+ }
+
+ return next_proto;
+}
+
#ifdef __cplusplus
}
#endif
--
2.17.1
[dpdk-dev] [PATCH v2 2/4] ipsec: fix transport mode for ipv6 with extensions
Reconstructing IPv6 header after encryption or decryption requires
updating 'next header' value in the preceding protocol header, which
is determined by parsing IPv6 header and iteratively looking for
next IPv6 header extension.
It is required that 'l3_len' in the mbuf metadata contains a total
length of the IPv6 header with header extensions up to ESP header.
Signed-off-by: Marcin Smoczynski
---
lib/Makefile | 3 ++-
lib/librte_ipsec/iph.h | 55 --
lib/meson.build| 2 +-
3 files changed, 50 insertions(+), 10 deletions(-)
diff --git a/lib/Makefile b/lib/Makefile
index 791e0d991..3ad579f68 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -108,7 +108,8 @@ DEPDIRS-librte_gso += librte_mempool
DIRS-$(CONFIG_RTE_LIBRTE_BPF) += librte_bpf
DEPDIRS-librte_bpf := librte_eal librte_mempool librte_mbuf librte_ethdev
DIRS-$(CONFIG_RTE_LIBRTE_IPSEC) += librte_ipsec
-DEPDIRS-librte_ipsec := librte_eal librte_mbuf librte_cryptodev librte_security
+DEPDIRS-librte_ipsec := librte_eal librte_mbuf librte_cryptodev
librte_security \
+ librte_net
DIRS-$(CONFIG_RTE_LIBRTE_TELEMETRY) += librte_telemetry
DEPDIRS-librte_telemetry := librte_eal librte_metrics librte_ethdev
DIRS-$(CONFIG_RTE_LIBRTE_RCU) += librte_rcu
diff --git a/lib/librte_ipsec/iph.h b/lib/librte_ipsec/iph.h
index a0ca41d51..62d78b7b1 100644
--- a/lib/librte_ipsec/iph.h
+++ b/lib/librte_ipsec/iph.h
@@ -5,6 +5,8 @@
#ifndef _IPH_H_
#define _IPH_H_
+#include
+
/**
* @file iph.h
* Contains functions/structures/macros to manipulate IPv4/IPv6 headers
@@ -40,24 +42,61 @@ static inline int
update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
uint32_t l2len, uint32_t l3len, uint8_t proto)
{
- struct rte_ipv4_hdr *v4h;
- struct rte_ipv6_hdr *v6h;
int32_t rc;
+ /* IPv4 */
if ((sa->type & RTE_IPSEC_SATP_IPV_MASK) == RTE_IPSEC_SATP_IPV4) {
+ struct rte_ipv4_hdr *v4h;
+
v4h = p;
rc = v4h->next_proto_id;
v4h->next_proto_id = proto;
v4h->total_length = rte_cpu_to_be_16(plen - l2len);
- } else if (l3len == sizeof(*v6h)) {
+ /* IPv6 */
+ } else {
+ struct rte_ipv6_hdr *v6h;
+ uint8_t *p_nh;
+
v6h = p;
- rc = v6h->proto;
- v6h->proto = proto;
+
+ /* basic IPv6 header with no extensions */
+ if (l3len == sizeof(struct rte_ipv6_hdr))
+ p_nh = &v6h->proto;
+
+ /* IPv6 with extensions */
+ else {
+ size_t ext_len;
+ int nh;
+ uint8_t *pd, *plimit;
+
+ /* locate last extension within l3len bytes */
+ pd = (uint8_t *)p;
+ plimit = pd + l3len;
+ ext_len = sizeof(struct rte_ipv6_hdr);
+ nh = v6h->proto;
+ while (pd + ext_len < plimit) {
+ pd += ext_len;
+ nh = rte_ipv6_get_next_ext(pd, nh, &ext_len);
+ if (unlikely(nh < 0))
+ return -EINVAL;
+ }
+
+ /* invalid l3len - extension exceeds header length */
+ if (unlikely(pd + ext_len != plimit))
+ return -EINVAL;
+
+ /* save last extension offset */
+ p_nh = pd;
+ }
+
+ /* update header type; return original value */
+ rc = *p_nh;
+ *p_nh = proto;
+
+ /* fix packet length */
v6h->payload_len = rte_cpu_to_be_16(plen - l2len -
sizeof(*v6h));
- /* need to add support for IPv6 with options */
- } else
- rc = -ENOTSUP;
+ }
return rc;
}
diff --git a/lib/meson.build b/lib/meson.build
index 992091a94..e93797ede 100644
--- a/lib/meson.build
+++ b/lib/meson.build
@@ -23,7 +23,7 @@ libraries = [
'kni', 'latencystats', 'lpm', 'member',
'power', 'pdump', 'rawdev',
'rcu', 'reorder', 'sched', 'security', 'stack', 'vhost',
- #ipsec lib depends on crypto and security
+ # ipsec lib depends on net, crypto and security
'ipsec',
# add pkt framework libs which use other libs from above
'port', 'table', 'pipeline',
--
2.17.1
[dpdk-dev] [PATCH v2 3/4] examples/ipsec-secgw: add support for ipv6 options
Using transport with IPv6 and header extensions requires calculating
total header length including extensions up to ESP header which is
achieved with iteratively parsing extensions when preparing traffic
for processing. Calculated l3_len is later used to determine SPI
field offset for an inbound traffic and to reconstruct L3 header by
librte_ipsec.
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/ipsec-secgw.c | 35 +-
examples/ipsec-secgw/sa.c | 5 +
2 files changed, 31 insertions(+), 9 deletions(-)
diff --git a/examples/ipsec-secgw/ipsec-secgw.c
b/examples/ipsec-secgw/ipsec-secgw.c
index 6c626fa5f..17012caf9 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -41,6 +41,7 @@
#include
#include
#include
+#include
#include "ipsec.h"
#include "parser.h"
@@ -248,16 +249,40 @@ prepare_one_packet(struct rte_mbuf *pkt, struct
ipsec_traffic *t)
pkt->l2_len = 0;
pkt->l3_len = sizeof(struct ip);
} else if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV6)) {
- nlp = (uint8_t *)rte_pktmbuf_adj(pkt, RTE_ETHER_HDR_LEN);
- nlp = RTE_PTR_ADD(nlp, offsetof(struct ip6_hdr, ip6_nxt));
- if (*nlp == IPPROTO_ESP)
+ int next_proto;
+ size_t l3len, ext_len;
+ struct rte_ipv6_hdr *v6h;
+ uint8_t *p;
+
+ /* get protocol type */
+ v6h = (struct rte_ipv6_hdr *)rte_pktmbuf_adj(pkt,
+ RTE_ETHER_HDR_LEN);
+ next_proto = v6h->proto;
+
+ /* determine l3 header size up to ESP extension */
+ l3len = sizeof(struct ip6_hdr);
+ p = rte_pktmbuf_mtod(pkt, uint8_t *);
+ while (next_proto != IPPROTO_ESP && l3len < pkt->data_len &&
+ (next_proto = rte_ipv6_get_next_ext(p + l3len,
+ next_proto, &ext_len)) >= 0)
+ l3len += ext_len;
+
+ /* drop packet when IPv6 header exceeds first segment length */
+ if (unlikely(l3len > pkt->data_len)) {
+ rte_pktmbuf_free(pkt);
+ return;
+ }
+
+ if (next_proto == IPPROTO_ESP)
t->ipsec.pkts[(t->ipsec.num)++] = pkt;
else {
- t->ip6.data[t->ip6.num] = nlp;
+ t->ip6.data[t->ip6.num] = rte_pktmbuf_mtod_offset(pkt,
+ uint8_t *,
+ offsetof(struct rte_ipv6_hdr, proto));
t->ip6.pkts[(t->ip6.num)++] = pkt;
}
pkt->l2_len = 0;
- pkt->l3_len = sizeof(struct ip6_hdr);
+ pkt->l3_len = l3len;
} else {
/* Unknown/Unsupported type, drop the packet */
RTE_LOG(ERR, IPSEC, "Unsupported packet type 0x%x\n",
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 8d47d1def..7262ccee8 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -1228,10 +1228,7 @@ single_inbound_lookup(struct ipsec_sa *sadb, struct
rte_mbuf *pkt,
*sa_ret = NULL;
ip = rte_pktmbuf_mtod(pkt, struct ip *);
- if (ip->ip_v == IPVERSION)
- esp = (struct rte_esp_hdr *)(ip + 1);
- else
- esp = (struct rte_esp_hdr *)(((struct ip6_hdr *)ip) + 1);
+ esp = rte_pktmbuf_mtod_offset(pkt, struct rte_esp_hdr *, pkt->l3_len);
if (esp->spi == INVALID_SPI)
return;
--
2.17.1
[dpdk-dev] [PATCH] examples/ipsec-secgw: update pkttest requirements
Update Scapy version requirement from 2.4.3rc1 to 2.4.3, which has been used because 2.4.2 had a bug which made this version unable to install. Accept future versions of Scapy too. Signed-off-by: Marcin Smoczynski --- examples/ipsec-secgw/test/pkttest.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/ipsec-secgw/test/pkttest.py b/examples/ipsec-secgw/test/pkttest.py index bcad2156b..5250727f4 100755 --- a/examples/ipsec-secgw/test/pkttest.py +++ b/examples/ipsec-secgw/test/pkttest.py @@ -21,7 +21,7 @@ PKTTEST_REQ = [ -"scapy==2.4.3rc1", +"scapy>=2.4.3", ] -- 2.17.1
[dpdk-dev] [PATCH v6 0/4] add fallback session
Add fallback session feature allowing to process packets that inline processor is unable to handle (e.g. fragmented traffic). Processing takes place in a secondary session defined for SA in a configuration file. This feature is limited to ingress IPsec traffic only. IPsec anti-replay window and ESN are supported in conjunction with fallback session when following conditions are met: * primary session is 'inline-crypto-offload, * fallback sessions is 'lookaside-none'. Due to different processing times of inline and lookaside modes, fallback session introduces some packet reordering, therefore when using with IPsec window, its value should be increased. v5 to v6 changes: - add sanity check: fail to parse SA configuration if fallback session is configured but primary session is not inline crypto - update documentation for ipsec-secgw tests (MULTI_SEG_TESTS var described) - add release notes - minor commit log changes v4 to v5 changes: - fix build errors related to frag TTL command line option and parse_decimal method v3 to v4 changes: - add info about packet reordering to the documentation regarding fallback session - add patch with --frag-ttl command line option which allows to change fragment lifetime v2 to v3 changes: - doc and commit log update - explicitly state feature limitations v1 to v2 changes: - disable fallback offload for outbound SAs - add test scripts Marcin Smoczynski (4): examples/ipsec-secgw: sa structure cleanup examples/ipsec-secgw: add fallback session feature examples/ipsec-secgw: add frag TTL cmdline option examples/ipsec-secgw: add offload fallback tests doc/guides/rel_notes/release_19_11.rst| 8 + doc/guides/sample_app_ug/ipsec_secgw.rst | 36 +++- examples/ipsec-secgw/esp.c| 35 ++-- examples/ipsec-secgw/ipsec-secgw.c| 56 -- examples/ipsec-secgw/ipsec.c | 99 +- examples/ipsec-secgw/ipsec.h | 61 +-- examples/ipsec-secgw/ipsec_process.c | 113 +++- examples/ipsec-secgw/sa.c | 170 +- .../test/trs_aesgcm_common_defs.sh| 4 +- .../trs_aesgcm_inline_crypto_fallback_defs.sh | 5 + .../test/tun_aesgcm_common_defs.sh| 6 +- .../tun_aesgcm_inline_crypto_fallback_defs.sh | 5 + 12 files changed, 421 insertions(+), 177 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh -- 2.17.1
[dpdk-dev] [PATCH v6 3/4] examples/ipsec-secgw: add frag TTL cmdline option
Due to fragment loss on highly saturated links and long fragment
lifetime, ipsec-secgw application quickly runs out of free reassembly
buckets. As a result new fragments are being dropped.
Introduce --frag-ttl option which allow user to lower default fragment
lifitime which solves problem of saturated reassembly buckets with high
bandwidth fragmented traffic.
Acked-by: Konstantin Ananyev
Tested-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
doc/guides/sample_app_ug/ipsec_secgw.rst | 7 +
examples/ipsec-secgw/ipsec-secgw.c | 40 ++--
2 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 45478e2a5..279ad4126 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -154,6 +154,13 @@ Where:
Incoming packets with length bigger then MTU will be discarded.
Default value: 1500.
+* ``--frag-ttl FRAG_TTL_NS``: fragment lifetime (in nanoseconds).
+If packet is not reassembled within this time, received fragments
+will be discarded. Fragment lifetime should be decreased when
+there is a high fragmented traffic loss in high bandwidth networks.
+Should be lower for for low number of reassembly buckets.
+Valid values: from 1 ns to 10 s. Default value: 1000 (10 s).
+
* ``--reassemble NUM``: max number of entries in reassemble fragment table.
Zero value disables reassembly functionality.
Default value: 0.
diff --git a/examples/ipsec-secgw/ipsec-secgw.c
b/examples/ipsec-secgw/ipsec-secgw.c
index 641ed3767..1d415ace8 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -112,7 +112,7 @@ static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT;
0, 0)
#defineFRAG_TBL_BUCKET_ENTRIES 4
-#defineFRAG_TTL_MS (10 * MS_PER_S)
+#defineMAX_FRAG_TTL_NS (10LL * NS_PER_S)
#define MTU_TO_FRAMELEN(x) ((x) + RTE_ETHER_HDR_LEN + RTE_ETHER_CRC_LEN)
@@ -135,6 +135,7 @@ struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
#define CMD_LINE_OPT_TX_OFFLOAD"txoffload"
#define CMD_LINE_OPT_REASSEMBLE"reassemble"
#define CMD_LINE_OPT_MTU "mtu"
+#define CMD_LINE_OPT_FRAG_TTL "frag-ttl"
enum {
/* long options mapped to a short option */
@@ -150,6 +151,7 @@ enum {
CMD_LINE_OPT_TX_OFFLOAD_NUM,
CMD_LINE_OPT_REASSEMBLE_NUM,
CMD_LINE_OPT_MTU_NUM,
+ CMD_LINE_OPT_FRAG_TTL_NUM,
};
static const struct option lgopts[] = {
@@ -160,6 +162,7 @@ static const struct option lgopts[] = {
{CMD_LINE_OPT_TX_OFFLOAD, 1, 0, CMD_LINE_OPT_TX_OFFLOAD_NUM},
{CMD_LINE_OPT_REASSEMBLE, 1, 0, CMD_LINE_OPT_REASSEMBLE_NUM},
{CMD_LINE_OPT_MTU, 1, 0, CMD_LINE_OPT_MTU_NUM},
+ {CMD_LINE_OPT_FRAG_TTL, 1, 0, CMD_LINE_OPT_FRAG_TTL_NUM},
{NULL, 0, 0, 0}
};
@@ -186,6 +189,7 @@ static uint64_t dev_tx_offload = UINT64_MAX;
static uint32_t frag_tbl_sz;
static uint32_t frame_buf_size = RTE_MBUF_DEFAULT_BUF_SIZE;
static uint32_t mtu_size = RTE_ETHER_MTU;
+static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS;
/* application wide librte_ipsec/SA parameters */
struct app_sa_prm app_sa_prm = {.enable = 0};
@@ -1302,6 +1306,9 @@ print_usage(const char *prgname)
": MTU value on all ports (default value: 1500)\n"
"outgoing packets with bigger size will be fragmented\n"
"incoming packets with bigger size will be discarded\n"
+ " --" CMD_LINE_OPT_FRAG_TTL " FRAG_TTL_NS"
+ ": fragments lifetime in nanoseconds, default\n"
+ "and maximum value is 10.000.000.000 ns (10 s)\n"
"\n",
prgname);
}
@@ -1338,14 +1345,15 @@ parse_portmask(const char *portmask)
return pm;
}
-static int32_t
+static int64_t
parse_decimal(const char *str)
{
char *end = NULL;
- unsigned long num;
+ uint64_t num;
- num = strtoul(str, &end, 10);
- if ((str[0] == '\0') || (end == NULL) || (*end != '\0'))
+ num = strtoull(str, &end, 10);
+ if ((str[0] == '\0') || (end == NULL) || (*end != '\0')
+ || num > INT64_MAX)
return -1;
return num;
@@ -1419,12 +1427,14 @@ print_app_sa_prm(const struct app_sa_prm *prm)
printf("replay window size: %u\n", prm->window_size);
printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
printf("SA flags: %#" PRIx64 "\n", prm->flags);
+ printf("Frag TTL: %" PRIu64 " ns\n", frag_ttl_ns);
}
[dpdk-dev] [PATCH v6 1/4] examples/ipsec-secgw: sa structure cleanup
Cleanup ipsec_sa structure by removing every field that is already in
the rte_ipsec_session structure:
* cryptodev/security session union
* action type
* offload flags
* security context
References to abovementioned fields are changed to direct references
to matching fields of rte_ipsec_session structure.
Such refactoring is needed to introduce many sessions per SA feature,
e.g. fallback session for inline offload processing.
Acked-by: Konstantin Ananyev
Acked-by: Radu Nicolau
Tested-by: Bernard Iremonger
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/esp.c | 35 +++
examples/ipsec-secgw/ipsec.c | 91 +++-
examples/ipsec-secgw/ipsec.h | 27 ++---
examples/ipsec-secgw/ipsec_process.c | 30 -
examples/ipsec-secgw/sa.c| 66 ++--
5 files changed, 137 insertions(+), 112 deletions(-)
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index d6d7b1256..c1b49da1e 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -30,7 +30,8 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
int32_t payload_len, ip_hdr_len;
RTE_ASSERT(sa != NULL);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
+ if (ipsec_get_action_type(sa) ==
+ RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
return 0;
RTE_ASSERT(m != NULL);
@@ -148,13 +149,16 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
uint8_t *nexthdr, *pad_len;
uint8_t *padding;
uint16_t i;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
+ ips = ipsec_get_session(sa);
+
+ if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED)
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
@@ -169,8 +173,8 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
return -1;
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
- sa->ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+ ips->security.ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
nexthdr = &m->inner_esp_next_proto;
} else {
nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
@@ -225,10 +229,12 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
struct rte_crypto_sym_op *sym_cop;
int32_t i;
uint16_t pad_payload_len, pad_len, ip_hdr_len;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
+ ips = ipsec_get_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
@@ -277,9 +283,10 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
/* Add trailer padding if it is not constructed by HW */
- if (sa->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
-!(sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+!(ips->security.ol_flags &
+RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
padding = (uint8_t *)rte_pktmbuf_append(m, pad_len +
sa->digest_len);
if (unlikely(padding == NULL)) {
@@ -344,8 +351,9 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
- if (sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ if (ips->security.ol_flags &
+ RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
/* Set the inner esp next protocol for HW trailer */
m->inner_esp_next_proto = nlp;
m->packet_type |= RTE_PTYPE_TUNNEL_ESP;
@@ -448,11 +456,14 @@ esp_outbound_post(struct rte_mbuf *m,
struct ipsec_sa *sa,
struct rte_crypto_op *cop)
{
+ enum rte_security_session_ac
[dpdk-dev] [PATCH v6 4/4] examples/ipsec-secgw: add offload fallback tests
Add tests for offload fallback feature; add inbound config modificator
SGW_CFG_XPRM_IN (offload fallback setting can be set only for inbound
SAs). Tests are using cryptodev for outbound SA.
To test fragmentation with QAT set:
MULTI_SEG_TEST="--reassemble=4096 --cryptodev_mask=0x"
Acked-by: Konstantin Ananyev
Tested-by: Bernard Iremonger
Signed-off-by: Marcin Smoczynski
---
doc/guides/sample_app_ug/ipsec_secgw.rst| 5 +
examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh | 4 ++--
.../test/trs_aesgcm_inline_crypto_fallback_defs.sh | 5 +
examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh | 6 --
.../test/tun_aesgcm_inline_crypto_fallback_defs.sh | 5 +
5 files changed, 21 insertions(+), 4 deletions(-)
create mode 100644
examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
create mode 100644
examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 279ad4126..0dc81fbb4 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -755,6 +755,11 @@ Also the user can optionally setup:
* ``CRYPTO_DEV``: crypto device to be used ('-w '). If none specified
appropriate vdevs will be created by the script
+* ``MULTI_SEG_TEST``: ipsec-secgw option to enable reassembly support and
+specify size of reassembly table (e.g.
+``MULTI_SEG_TEST='--reassemble 128'``). This option must be set for
+fallback session tests.
+
Note that most of the tests require the appropriate crypto PMD/device to be
available.
diff --git a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
index f6c5bf5a7..17f2f86d2 100644
--- a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
+++ b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
@@ -29,11 +29,11 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
#SA in rules
sa in 7 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport ${SGW_CFG_XPRM}
+mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN}
sa in 9 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport ${SGW_CFG_XPRM}
+mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN}
#SA out rules
sa out 7 aead_algo aes-128-gcm \
diff --git
a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
new file mode 100644
index 0..875a7457d
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesgcm_defs.sh
+
+SGW_CFG_XPRM_IN='port_id 0 type inline-crypto-offload fallback lookaside-none'
diff --git a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
index 278377967..7490baded 100644
--- a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
+++ b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
@@ -29,11 +29,13 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
#SA in rules
sa in 7 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM}
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} \
+${SGW_CFG_XPRM_IN}
sa in 9 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM}
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} \
+${SGW_CFG_XPRM_IN}
#SA out rules
sa out 7 aead_algo aes-128-gcm \
diff --git
a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
new file mode 100644
index 0..696848432
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesgcm_defs.sh
+
+SGW_CFG_XPRM_IN='port_id 0 type inline-crypto-offload fallback lookaside-none'
--
2.17.1
[dpdk-dev] [PATCH v6 2/4] examples/ipsec-secgw: add fallback session feature
Inline processing is limited to a specified subset of traffic. It is
often unable to handle more complicated situations, such as fragmented
traffic. When using inline processing such traffic is dropped.
Introduce fallback session for inline processing allowing processing
packets that normally would be dropped. A fallback session is
configured by adding 'fallback' keyword with 'lookaside-none' or
'lookaside-protocol' parameter to an SA configuration.
Using IPsec anti-replay window or ESN feature with fallback session is
not yet supported when primary session is of type
'inline-protocol-offload' or fallback session is 'lookaside-protocol'
because SA sequence number is not synchronized between software and
hardware sessions. Fallback sessions are also limited to ingress IPsec
traffic.
Fallback session feature is not available in the legacy mode.
Acked-by: Konstantin Ananyev
Tested-by: Bernard Iremonger
Signed-off-by: Marcin Smoczynski
---
doc/guides/rel_notes/release_19_11.rst | 8 ++
doc/guides/sample_app_ug/ipsec_secgw.rst | 24 -
examples/ipsec-secgw/esp.c | 4 +-
examples/ipsec-secgw/ipsec-secgw.c | 16 ++--
examples/ipsec-secgw/ipsec.c | 10 +-
examples/ipsec-secgw/ipsec.h | 40 ++--
examples/ipsec-secgw/ipsec_process.c | 85 +++--
examples/ipsec-secgw/sa.c| 116 +++
8 files changed, 239 insertions(+), 64 deletions(-)
diff --git a/doc/guides/rel_notes/release_19_11.rst
b/doc/guides/rel_notes/release_19_11.rst
index 27cfbd9e3..f2ed040e9 100644
--- a/doc/guides/rel_notes/release_19_11.rst
+++ b/doc/guides/rel_notes/release_19_11.rst
@@ -56,6 +56,14 @@ New Features
Also, make sure to start the actual text at the margin.
=
+* **Updated the IPSec library and IPsec Security Gateway application.**
+
+ Added the following features to ``librte_ipsec`` and the ``ipsec-secgw``
+ sample application:
+
+ * Support fragmented packets in inline crypto processing mode with fallback
+lookaside session.
+
Removed Items
-
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index ad2d79e75..45478e2a5 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -401,7 +401,7 @@ The SA rule syntax is shown as follows:
.. code-block:: console
sa
-
+
where each options means:
@@ -573,6 +573,28 @@ where each options means:
* *port_id X* X is a valid device number in decimal
+
+
+ * Action type for ingress IPsec packets that inline processor failed to
+ process. IPsec anti-replay window and ESN is supported with fallback
+ processing session only when primary session is *inline-crypto-offload*
+ and fallback session is *lookaside-none*.
+
+ If used in conjunction with IPsec window, its width needs be increased
+ due to different processing times of inline and lookaside modes which
+ results in packet reordering.
+
+ * Optional: Yes.
+
+ * Available options:
+
+ * *lookaside-none*: use automatically chosen cryptodev to process packets
+ * *lookaside-protocol*: lookaside protocol hardware offload
+
+ * Syntax:
+
+ * *fallback lookaside-none*
+ * *fallback lookaside-protocol*
Example SA rules:
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index c1b49da1e..bfa7ff721 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -155,7 +155,7 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- ips = ipsec_get_session(sa);
+ ips = ipsec_get_primary_session(sa);
if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
(ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
@@ -234,7 +234,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
- ips = ipsec_get_session(sa);
+ ips = ipsec_get_primary_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
diff --git a/examples/ipsec-secgw/ipsec-secgw.c
b/examples/ipsec-secgw/ipsec-secgw.c
index 0d1fd6af6..641ed3767 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -189,6 +189,7 @@ static uint32_t mtu_size = RTE_ETHER_MTU;
/* application wide librte_ipsec/SA parameters */
struct app_sa_prm app_sa_prm = {.enable = 0};
+static const char *cfgfile;
struct lcore_rx_queue {
uint16_t port_id;
@@ -1462,12 +1463,7 @@ parse_args(int32_t argc, char **argv)
print_usage(prgname);
return -1;
}
- if (parse_cfg_file(optarg) < 0)
[dpdk-dev] [PATCH v7 2/4] examples/ipsec-secgw: add fallback session feature
Inline processing is limited to a specified subset of traffic. It is
often unable to handle more complicated situations, such as fragmented
traffic. When using inline processing such traffic is dropped.
Introduce fallback session for inline crypto processing allowing
handling packets that normally would be dropped. A fallback session is
configured by adding 'fallback' keyword with 'lookaside-none' parameter
to an SA configuration. Only 'inline-crypto-offload" as a primary
session and 'lookaside-none' as a fall-back session combination is
supported by this patch.
Fallback session feature is not available in the legacy mode.
Acked-by: Konstantin Ananyev
Tested-by: Bernard Iremonger
Signed-off-by: Marcin Smoczynski
---
doc/guides/rel_notes/release_19_11.rst | 8 ++
doc/guides/sample_app_ug/ipsec_secgw.rst | 22 -
examples/ipsec-secgw/esp.c | 4 +-
examples/ipsec-secgw/ipsec-secgw.c | 16 ++--
examples/ipsec-secgw/ipsec.c | 10 +--
examples/ipsec-secgw/ipsec.h | 40 +++--
examples/ipsec-secgw/ipsec_process.c | 85 --
examples/ipsec-secgw/sa.c| 105 +++
8 files changed, 226 insertions(+), 64 deletions(-)
diff --git a/doc/guides/rel_notes/release_19_11.rst
b/doc/guides/rel_notes/release_19_11.rst
index 85953b962..7e1205be7 100644
--- a/doc/guides/rel_notes/release_19_11.rst
+++ b/doc/guides/rel_notes/release_19_11.rst
@@ -115,6 +115,14 @@ New Features
Added eBPF JIT support for arm64 architecture to improve the eBPF program
performance.
+* **Updated the IPSec library and IPsec Security Gateway application.**
+
+ Added the following features to ``librte_ipsec`` and the ``ipsec-secgw``
+ sample application:
+
+ * Support fragmented packets in inline crypto processing mode with fallback
+``lookaside-none`` session.
+
Removed Items
-
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index ad2d79e75..cb6fadb35 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -401,7 +401,7 @@ The SA rule syntax is shown as follows:
.. code-block:: console
sa
-
+
where each options means:
@@ -573,6 +573,26 @@ where each options means:
* *port_id X* X is a valid device number in decimal
+
+
+ * Action type for ingress IPsec packets that inline processor failed to
+ process. Only a combination of *inline-crypto-offload* as a primary
+ session and *lookaside-none* as a fall-back session is supported at the
+ moment.
+
+ If used in conjunction with IPsec window, its width needs be increased
+ due to different processing times of inline and lookaside modes which
+ results in packet reordering.
+
+ * Optional: Yes.
+
+ * Available options:
+
+ * *lookaside-none*: use automatically chosen cryptodev to process packets
+
+ * Syntax:
+
+ * *fallback lookaside-none*
Example SA rules:
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index c1b49da1e..bfa7ff721 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -155,7 +155,7 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- ips = ipsec_get_session(sa);
+ ips = ipsec_get_primary_session(sa);
if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
(ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
@@ -234,7 +234,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
- ips = ipsec_get_session(sa);
+ ips = ipsec_get_primary_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
diff --git a/examples/ipsec-secgw/ipsec-secgw.c
b/examples/ipsec-secgw/ipsec-secgw.c
index f52ca5297..904ee65d9 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -189,6 +189,7 @@ static uint32_t mtu_size = RTE_ETHER_MTU;
/* application wide librte_ipsec/SA parameters */
struct app_sa_prm app_sa_prm = {.enable = 0};
+static const char *cfgfile;
struct lcore_rx_queue {
uint16_t port_id;
@@ -1465,12 +1466,7 @@ parse_args(int32_t argc, char **argv)
print_usage(prgname);
return -1;
}
- if (parse_cfg_file(optarg) < 0) {
- printf("parsing file \"%s\" failed\n",
- optarg);
- print_usage(prgname);
- return -1;
- }
+ cfgfile = optarg;
f_present = 1;
break;
[dpdk-dev] [PATCH v7 0/4] add fallback session
Add fallback session feature allowing to process packets that inline processor is unable to handle (e.g. fragmented traffic). Processing takes place in a secondary session defined for SA in a configuration file. This feature is limited to ingress IPsec traffic only. IPsec anti-replay window and ESN are supported in conjunction with fallback session when following conditions are met: * primary session is 'inline-crypto-offload, * fallback sessions is 'lookaside-none'. Due to different processing times of inline and lookaside modes, fallback session introduces some packet reordering, therefore when using with IPsec window, its value should be increased. v6 to v7 changes: - remove partial support for "*-protocol" fall-back session types - rebase on master (31b798a) v5 to v6 changes: - add sanity check: fail to parse SA configuration if fallback session is configured but primary session is not inline crypto - update documentation for ipsec-secgw tests (MULTI_SEG_TESTS var described) - add release notes - minor commit log changes v4 to v5 changes: - fix build errors related to frag TTL command line option and parse_decimal method v3 to v4 changes: - add info about packet reordering to the documentation regarding fallback session - add patch with --frag-ttl command line option which allows to change fragment lifetime v2 to v3 changes: - doc and commit log update - explicitly state feature limitations v1 to v2 changes: - disable fallback offload for outbound SAs - add test scripts Marcin Smoczynski (4): examples/ipsec-secgw: sa structure cleanup examples/ipsec-secgw: add fallback session feature examples/ipsec-secgw: add frag TTL cmdline option examples/ipsec-secgw: add offload fallback tests doc/guides/rel_notes/release_19_11.rst| 8 + doc/guides/sample_app_ug/ipsec_secgw.rst | 34 +++- examples/ipsec-secgw/esp.c| 35 ++-- examples/ipsec-secgw/ipsec-secgw.c| 56 -- examples/ipsec-secgw/ipsec.c | 101 +-- examples/ipsec-secgw/ipsec.h | 61 +-- examples/ipsec-secgw/ipsec_process.c | 113 - examples/ipsec-secgw/sa.c | 159 +- .../test/trs_aesgcm_common_defs.sh| 4 +- .../trs_aesgcm_inline_crypto_fallback_defs.sh | 5 + .../test/tun_aesgcm_common_defs.sh| 6 +- .../tun_aesgcm_inline_crypto_fallback_defs.sh | 5 + 12 files changed, 409 insertions(+), 178 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh -- 2.17.1
[dpdk-dev] [PATCH v7 3/4] examples/ipsec-secgw: add frag TTL cmdline option
Due to fragment loss on highly saturated links and long fragment
lifetime, ipsec-secgw application quickly runs out of free reassembly
buckets. As a result new fragments are being dropped.
Introduce --frag-ttl option which allow user to lower default fragment
lifitime which solves problem of saturated reassembly buckets with high
bandwidth fragmented traffic.
Acked-by: Konstantin Ananyev
Tested-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
doc/guides/sample_app_ug/ipsec_secgw.rst | 7 +
examples/ipsec-secgw/ipsec-secgw.c | 40 ++--
2 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index cb6fadb35..c1e8a0bda 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -154,6 +154,13 @@ Where:
Incoming packets with length bigger then MTU will be discarded.
Default value: 1500.
+* ``--frag-ttl FRAG_TTL_NS``: fragment lifetime (in nanoseconds).
+If packet is not reassembled within this time, received fragments
+will be discarded. Fragment lifetime should be decreased when
+there is a high fragmented traffic loss in high bandwidth networks.
+Should be lower for for low number of reassembly buckets.
+Valid values: from 1 ns to 10 s. Default value: 1000 (10 s).
+
* ``--reassemble NUM``: max number of entries in reassemble fragment table.
Zero value disables reassembly functionality.
Default value: 0.
diff --git a/examples/ipsec-secgw/ipsec-secgw.c
b/examples/ipsec-secgw/ipsec-secgw.c
index 904ee65d9..b12936470 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -112,7 +112,7 @@ static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT;
0, 0)
#defineFRAG_TBL_BUCKET_ENTRIES 4
-#defineFRAG_TTL_MS (10 * MS_PER_S)
+#defineMAX_FRAG_TTL_NS (10LL * NS_PER_S)
#define MTU_TO_FRAMELEN(x) ((x) + RTE_ETHER_HDR_LEN + RTE_ETHER_CRC_LEN)
@@ -135,6 +135,7 @@ struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
#define CMD_LINE_OPT_TX_OFFLOAD"txoffload"
#define CMD_LINE_OPT_REASSEMBLE"reassemble"
#define CMD_LINE_OPT_MTU "mtu"
+#define CMD_LINE_OPT_FRAG_TTL "frag-ttl"
enum {
/* long options mapped to a short option */
@@ -150,6 +151,7 @@ enum {
CMD_LINE_OPT_TX_OFFLOAD_NUM,
CMD_LINE_OPT_REASSEMBLE_NUM,
CMD_LINE_OPT_MTU_NUM,
+ CMD_LINE_OPT_FRAG_TTL_NUM,
};
static const struct option lgopts[] = {
@@ -160,6 +162,7 @@ static const struct option lgopts[] = {
{CMD_LINE_OPT_TX_OFFLOAD, 1, 0, CMD_LINE_OPT_TX_OFFLOAD_NUM},
{CMD_LINE_OPT_REASSEMBLE, 1, 0, CMD_LINE_OPT_REASSEMBLE_NUM},
{CMD_LINE_OPT_MTU, 1, 0, CMD_LINE_OPT_MTU_NUM},
+ {CMD_LINE_OPT_FRAG_TTL, 1, 0, CMD_LINE_OPT_FRAG_TTL_NUM},
{NULL, 0, 0, 0}
};
@@ -186,6 +189,7 @@ static uint64_t dev_tx_offload = UINT64_MAX;
static uint32_t frag_tbl_sz;
static uint32_t frame_buf_size = RTE_MBUF_DEFAULT_BUF_SIZE;
static uint32_t mtu_size = RTE_ETHER_MTU;
+static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS;
/* application wide librte_ipsec/SA parameters */
struct app_sa_prm app_sa_prm = {.enable = 0};
@@ -1305,6 +1309,9 @@ print_usage(const char *prgname)
": MTU value on all ports (default value: 1500)\n"
"outgoing packets with bigger size will be fragmented\n"
"incoming packets with bigger size will be discarded\n"
+ " --" CMD_LINE_OPT_FRAG_TTL " FRAG_TTL_NS"
+ ": fragments lifetime in nanoseconds, default\n"
+ "and maximum value is 10.000.000.000 ns (10 s)\n"
"\n",
prgname);
}
@@ -1341,14 +1348,15 @@ parse_portmask(const char *portmask)
return pm;
}
-static int32_t
+static int64_t
parse_decimal(const char *str)
{
char *end = NULL;
- unsigned long num;
+ uint64_t num;
- num = strtoul(str, &end, 10);
- if ((str[0] == '\0') || (end == NULL) || (*end != '\0'))
+ num = strtoull(str, &end, 10);
+ if ((str[0] == '\0') || (end == NULL) || (*end != '\0')
+ || num > INT64_MAX)
return -1;
return num;
@@ -1422,12 +1430,14 @@ print_app_sa_prm(const struct app_sa_prm *prm)
printf("replay window size: %u\n", prm->window_size);
printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
printf("SA flags: %#" PRIx64 "\n", prm->flags);
+ printf("Frag TTL: %" PRIu64 " ns\n", frag_ttl_ns);
}
[dpdk-dev] [PATCH v7 1/4] examples/ipsec-secgw: sa structure cleanup
Cleanup ipsec_sa structure by removing every field that is already in
the rte_ipsec_session structure:
* cryptodev/security session union
* action type
* offload flags
* security context
References to abovementioned fields are changed to direct references
to matching fields of rte_ipsec_session structure.
Such refactoring is needed to introduce many sessions per SA feature,
e.g. fallback session for inline offload processing.
Acked-by: Konstantin Ananyev
Acked-by: Radu Nicolau
Tested-by: Bernard Iremonger
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/esp.c | 35 +++
examples/ipsec-secgw/ipsec.c | 93 +++-
examples/ipsec-secgw/ipsec.h | 27 +---
examples/ipsec-secgw/ipsec_process.c | 30 -
examples/ipsec-secgw/sa.c| 66 ++--
5 files changed, 138 insertions(+), 113 deletions(-)
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index d6d7b1256..c1b49da1e 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -30,7 +30,8 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
int32_t payload_len, ip_hdr_len;
RTE_ASSERT(sa != NULL);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
+ if (ipsec_get_action_type(sa) ==
+ RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
return 0;
RTE_ASSERT(m != NULL);
@@ -148,13 +149,16 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
uint8_t *nexthdr, *pad_len;
uint8_t *padding;
uint16_t i;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
+ ips = ipsec_get_session(sa);
+
+ if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED)
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
@@ -169,8 +173,8 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
return -1;
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
- sa->ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+ ips->security.ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
nexthdr = &m->inner_esp_next_proto;
} else {
nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
@@ -225,10 +229,12 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
struct rte_crypto_sym_op *sym_cop;
int32_t i;
uint16_t pad_payload_len, pad_len, ip_hdr_len;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
+ ips = ipsec_get_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
@@ -277,9 +283,10 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
/* Add trailer padding if it is not constructed by HW */
- if (sa->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
-!(sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+!(ips->security.ol_flags &
+RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
padding = (uint8_t *)rte_pktmbuf_append(m, pad_len +
sa->digest_len);
if (unlikely(padding == NULL)) {
@@ -344,8 +351,9 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
- if (sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ if (ips->security.ol_flags &
+ RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
/* Set the inner esp next protocol for HW trailer */
m->inner_esp_next_proto = nlp;
m->packet_type |= RTE_PTYPE_TUNNEL_ESP;
@@ -448,11 +456,14 @@ esp_outbound_post(struct rte_mbuf *m,
struct ipsec_sa *sa,
struct rte_crypto_op *cop)
{
+ enum rte_security_session_ac
[dpdk-dev] [PATCH v7 4/4] examples/ipsec-secgw: add offload fallback tests
Add tests for offload fallback feature; add inbound config modificator
SGW_CFG_XPRM_IN (offload fallback setting can be set only for inbound
SAs). Tests are using cryptodev for outbound SA.
To test fragmentation with QAT set:
MULTI_SEG_TEST="--reassemble=4096 --cryptodev_mask=0x"
Acked-by: Konstantin Ananyev
Tested-by: Bernard Iremonger
Signed-off-by: Marcin Smoczynski
---
doc/guides/sample_app_ug/ipsec_secgw.rst| 5 +
examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh | 4 ++--
.../test/trs_aesgcm_inline_crypto_fallback_defs.sh | 5 +
examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh | 6 --
.../test/tun_aesgcm_inline_crypto_fallback_defs.sh | 5 +
5 files changed, 21 insertions(+), 4 deletions(-)
create mode 100644
examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
create mode 100644
examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index c1e8a0bda..ae8cce235 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -753,6 +753,11 @@ Also the user can optionally setup:
* ``CRYPTO_DEV``: crypto device to be used ('-w '). If none specified
appropriate vdevs will be created by the script
+* ``MULTI_SEG_TEST``: ipsec-secgw option to enable reassembly support and
+specify size of reassembly table (e.g.
+``MULTI_SEG_TEST='--reassemble 128'``). This option must be set for
+fallback session tests.
+
Note that most of the tests require the appropriate crypto PMD/device to be
available.
diff --git a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
index f6c5bf5a7..17f2f86d2 100644
--- a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
+++ b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
@@ -29,11 +29,11 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
#SA in rules
sa in 7 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport ${SGW_CFG_XPRM}
+mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN}
sa in 9 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport ${SGW_CFG_XPRM}
+mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN}
#SA out rules
sa out 7 aead_algo aes-128-gcm \
diff --git
a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
new file mode 100644
index 0..875a7457d
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesgcm_defs.sh
+
+SGW_CFG_XPRM_IN='port_id 0 type inline-crypto-offload fallback lookaside-none'
diff --git a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
index 278377967..7490baded 100644
--- a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
+++ b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
@@ -29,11 +29,13 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
#SA in rules
sa in 7 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM}
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} \
+${SGW_CFG_XPRM_IN}
sa in 9 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM}
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} \
+${SGW_CFG_XPRM_IN}
#SA out rules
sa out 7 aead_algo aes-128-gcm \
diff --git
a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
new file mode 100644
index 0..696848432
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesgcm_defs.sh
+
+SGW_CFG_XPRM_IN='port_id 0 type inline-crypto-offload fallback lookaside-none'
--
2.17.1
[dpdk-dev] [PATCH 1/3] net: new ipv6 header extension parsing function
Introduce new function for IPv6 header extension parsing able to
determine extension length and next protocol number.
This function is helpful when implementing IPv6 header traversing.
Signed-off-by: Marcin Smoczynski
---
lib/librte_net/rte_ip.h | 49 +
1 file changed, 49 insertions(+)
diff --git a/lib/librte_net/rte_ip.h b/lib/librte_net/rte_ip.h
index f9b909090..be64da662 100644
--- a/lib/librte_net/rte_ip.h
+++ b/lib/librte_net/rte_ip.h
@@ -425,6 +425,55 @@ rte_ipv6_udptcp_cksum(const struct ipv6_hdr *ipv6_hdr,
const void *l4_hdr)
return (uint16_t)cksum;
}
+/* IPv6 fragmentation header size */
+#define RTE_IPV6_FRAG_HDR_SIZE 8
+
+/**
+ * Parse next IPv6 header extension
+ *
+ * This function checks if proto number is an IPv6 extensions and parses its
+ * data if so, providing information on next header and extension length.
+ *
+ * @param p
+ * Pointer to an extension raw data.
+ * @param proto
+ * Protocol number extracted from the "next header" field from
+ * the IPv6 header or the previous extension.
+ * @param ext_len
+ * Extension data length.
+ * @return
+ * next protocol number if proto is an IPv6 extension, -EINVAL otherwise
+ */
+static inline int __rte_experimental
+rte_ipv6_get_next_ext(uint8_t *p, int proto, size_t *ext_len)
+{
+ int next_proto;
+
+ switch (proto) {
+ case IPPROTO_AH:
+ next_proto = *p++;
+ *ext_len = (*p + 2) * sizeof(uint32_t);
+ break;
+
+ case IPPROTO_HOPOPTS:
+ case IPPROTO_ROUTING:
+ case IPPROTO_DSTOPTS:
+ next_proto = *p++;
+ *ext_len = (*p + 1) * sizeof(uint64_t);
+ break;
+
+ case IPPROTO_FRAGMENT:
+ next_proto = *p;
+ *ext_len = RTE_IPV6_FRAG_HDR_SIZE;
+ break;
+
+ default:
+ return -EINVAL;
+ }
+
+ return next_proto;
+}
+
#ifdef __cplusplus
}
#endif
--
2.21.0.windows.1
[dpdk-dev] [PATCH 2/3] ipsec: fix transport mode for ipv6 with extensions
Reconstructing IPv6 header after encryption or decryption requires
updating 'next header' value in the preceding protocol header, which
is determined by parsing IPv6 header and iteratively looking for
next IPv6 header extension.
It is required that 'l3_len' in the mbuf metadata contains a total
length of the IPv6 header with header extensions up to ESP header.
Signed-off-by: Marcin Smoczynski
---
lib/Makefile | 3 ++-
lib/librte_ipsec/iph.h | 55 --
2 files changed, 49 insertions(+), 9 deletions(-)
diff --git a/lib/Makefile b/lib/Makefile
index 791e0d991..3ad579f68 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -108,7 +108,8 @@ DEPDIRS-librte_gso += librte_mempool
DIRS-$(CONFIG_RTE_LIBRTE_BPF) += librte_bpf
DEPDIRS-librte_bpf := librte_eal librte_mempool librte_mbuf librte_ethdev
DIRS-$(CONFIG_RTE_LIBRTE_IPSEC) += librte_ipsec
-DEPDIRS-librte_ipsec := librte_eal librte_mbuf librte_cryptodev librte_security
+DEPDIRS-librte_ipsec := librte_eal librte_mbuf librte_cryptodev
librte_security \
+ librte_net
DIRS-$(CONFIG_RTE_LIBRTE_TELEMETRY) += librte_telemetry
DEPDIRS-librte_telemetry := librte_eal librte_metrics librte_ethdev
DIRS-$(CONFIG_RTE_LIBRTE_RCU) += librte_rcu
diff --git a/lib/librte_ipsec/iph.h b/lib/librte_ipsec/iph.h
index 58930cf18..082e4e73e 100644
--- a/lib/librte_ipsec/iph.h
+++ b/lib/librte_ipsec/iph.h
@@ -5,6 +5,8 @@
#ifndef _IPH_H_
#define _IPH_H_
+#include
+
/**
* @file iph.h
* Contains functions/structures/macros to manipulate IPv4/IPv6 headers
@@ -40,24 +42,61 @@ static inline int
update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
uint32_t l2len, uint32_t l3len, uint8_t proto)
{
- struct ipv4_hdr *v4h;
- struct ipv6_hdr *v6h;
int32_t rc;
+ /* IPv4 */
if ((sa->type & RTE_IPSEC_SATP_IPV_MASK) == RTE_IPSEC_SATP_IPV4) {
+ struct ipv4_hdr *v4h;
+
v4h = p;
rc = v4h->next_proto_id;
v4h->next_proto_id = proto;
v4h->total_length = rte_cpu_to_be_16(plen - l2len);
- } else if (l3len == sizeof(*v6h)) {
+ /* IPv6 */
+ } else {
+ struct ipv6_hdr *v6h;
+ uint8_t *next_proto_off;
+
v6h = p;
- rc = v6h->proto;
- v6h->proto = proto;
+
+ /* basic IPv6 header with no extensions */
+ if (l3len == sizeof(struct ipv6_hdr))
+ next_proto_off = &v6h->proto;
+
+ /* IPv6 with extensions */
+ else {
+ size_t ext_len;
+ int nh;
+ uint8_t *pd, *plimit;
+
+ /* locate last extension within l3len bytes */
+ pd = (uint8_t *)p;
+ plimit = pd + l3len;
+ ext_len = sizeof(struct ipv6_hdr);
+ nh = v6h->proto;
+ while (pd + ext_len < plimit) {
+ pd += ext_len;
+ nh = rte_ipv6_get_next_ext(pd, nh, &ext_len);
+ if (unlikely(nh < 0))
+ return -EINVAL;
+ }
+
+ /* invalid l3len - extension exceeds header length */
+ if (unlikely(pd + ext_len != plimit))
+ return -EINVAL;
+
+ /* save last extension offset */
+ next_proto_off = pd;
+ }
+
+ /* update header type; return original value */
+ rc = *next_proto_off;
+ *next_proto_off = proto;
+
+ /* fix packet length */
v6h->payload_len = rte_cpu_to_be_16(plen - l2len -
sizeof(*v6h));
- /* need to add support for IPv6 with options */
- } else
- rc = -ENOTSUP;
+ }
return rc;
}
--
2.21.0.windows.1
[dpdk-dev] [PATCH 3/3] examples/ipsec-secgw: add support for ipv6 options
Using transport with IPv6 and header extensions requires calculating
total header length including extensions up to ESP header which is
achieved with iteratively parsing extensions when preparing traffic
for processing. Calculated l3_len is later used to determine SPI
field offset for an inbound traffic and to reconstruct L3 header by
librte_ipsec.
A simple unittest script is provided to test various headers for the
IPv6 transport mode. Within each test case a test packet is crafted
with Scapy and sent as an inbound or outbound traffic. Application
response is then checked with a set of assertions.
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/ipsec-secgw.c | 33 +++-
examples/ipsec-secgw/sa.c | 5 +-
examples/ipsec-secgw/test/test-scapy.py | 231
3 files changed, 260 insertions(+), 9 deletions(-)
create mode 100755 examples/ipsec-secgw/test/test-scapy.py
diff --git a/examples/ipsec-secgw/ipsec-secgw.c
b/examples/ipsec-secgw/ipsec-secgw.c
index 478dd80c2..1c49aa22c 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -41,6 +41,7 @@
#include
#include
#include
+#include
#include "ipsec.h"
#include "parser.h"
@@ -248,16 +249,38 @@ prepare_one_packet(struct rte_mbuf *pkt, struct
ipsec_traffic *t)
pkt->l2_len = 0;
pkt->l3_len = sizeof(struct ip);
} else if (eth->ether_type == rte_cpu_to_be_16(ETHER_TYPE_IPv6)) {
- nlp = (uint8_t *)rte_pktmbuf_adj(pkt, ETHER_HDR_LEN);
- nlp = RTE_PTR_ADD(nlp, offsetof(struct ip6_hdr, ip6_nxt));
- if (*nlp == IPPROTO_ESP)
+ int next_proto;
+ size_t l3len, ext_len;
+ struct ipv6_hdr *v6h;
+ uint8_t *p;
+
+ /* get protocol type */
+ v6h = (struct ipv6_hdr *)rte_pktmbuf_adj(pkt, ETHER_HDR_LEN);
+ next_proto = v6h->proto;
+
+ /* determine l3 header size up to ESP extension */
+ l3len = sizeof(struct ip6_hdr);
+ p = rte_pktmbuf_mtod(pkt, uint8_t *);
+ while (next_proto != IPPROTO_ESP && l3len < pkt->data_len &&
+ (next_proto = rte_ipv6_get_next_ext(p + l3len,
+ next_proto, &ext_len)) >= 0)
+ l3len += ext_len;
+
+ /* drop packet when IPv6 header exceeds first segment length */
+ if (unlikely(l3len > pkt->data_len)) {
+ rte_pktmbuf_free(pkt);
+ return;
+ }
+
+ if (next_proto == IPPROTO_ESP)
t->ipsec.pkts[(t->ipsec.num)++] = pkt;
else {
- t->ip6.data[t->ip6.num] = nlp;
+ t->ip6.data[t->ip6.num] = rte_pktmbuf_mtod_offset(pkt,
+ uint8_t *, offsetof(struct ipv6_hdr, proto));
t->ip6.pkts[(t->ip6.num)++] = pkt;
}
pkt->l2_len = 0;
- pkt->l3_len = sizeof(struct ip6_hdr);
+ pkt->l3_len = l3len;
} else {
/* Unknown/Unsupported type, drop the packet */
RTE_LOG(ERR, IPSEC, "Unsupported packet type 0x%x\n",
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index b850e9839..607527d08 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -1228,10 +1228,7 @@ single_inbound_lookup(struct ipsec_sa *sadb, struct
rte_mbuf *pkt,
*sa_ret = NULL;
ip = rte_pktmbuf_mtod(pkt, struct ip *);
- if (ip->ip_v == IPVERSION)
- esp = (struct esp_hdr *)(ip + 1);
- else
- esp = (struct esp_hdr *)(((struct ip6_hdr *)ip) + 1);
+ esp = rte_pktmbuf_mtod_offset(pkt, struct esp_hdr *, pkt->l3_len);
if (esp->spi == INVALID_SPI)
return;
diff --git a/examples/ipsec-secgw/test/test-scapy.py
b/examples/ipsec-secgw/test/test-scapy.py
new file mode 100755
index 0..d7f66b734
--- /dev/null
+++ b/examples/ipsec-secgw/test/test-scapy.py
@@ -0,0 +1,231 @@
+#!/usr/bin/env python3
+
+# Run DPDK IPsec example with following arguments:
+# ./dpdk-ipsec-secgw --log-level=31 -l 0 --vdev=crypto_openssl --vdev=net_tap0
--vdev=net_tap1 -- -P -p 0x3 -u 0x1 --config "(0,0,0),(1,0,0)" -f
test-transport.cfg -l
+# Two tap ports are expected: 0: unprotected (remote), 1: protected (local)
+
+# sample configuration:
+# sp ipv6 out esp protect 5 pri 1 \
+# src :::::::/64 \
+# dst :::::::/64 \
+# sport 0:65535 dport 0:65535
+#
+# sp ipv6 in esp protect 6 pri 1 \
+# src :::::::/64 \
+# dst ::0
[dpdk-dev] [PATCH] ipsec: fix missing ipsec headers after install
Invalid statement is used to indicate header files to install.
Fixed the statement and reformatted recipe file.
Signed-off-by: Marcin Smoczynski
---
lib/librte_ipsec/meson.build | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build
index 18fb2a143..7ea0c7dbb 100644
--- a/lib/librte_ipsec/meson.build
+++ b/lib/librte_ipsec/meson.build
@@ -3,8 +3,8 @@
allow_experimental_apis = true
-sources=files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c')
+sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c')
-install_headers = files('rte_ipsec.h', 'rte_ipsec_group.h', 'rte_ipsec_sa.h')
+headers = files('rte_ipsec.h', 'rte_ipsec_group.h', 'rte_ipsec_sa.h')
deps += ['mbuf', 'net', 'cryptodev', 'security']
--
2.21.0.windows.1
[dpdk-dev] [PATCH] examples/ipsec-secgw: fix Makefile indentation
Fix invalid indentation - extra whitespace before error directive which is causing syntax error when no pkgconfig file for the DPDK is found and RTE_SDK is not specified. Signed-off-by: Marcin Smoczynski --- examples/ipsec-secgw/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile index ac042e4ce..75f2bcd00 100644 --- a/examples/ipsec-secgw/Makefile +++ b/examples/ipsec-secgw/Makefile @@ -53,7 +53,7 @@ clean: else ifeq ($(RTE_SDK),) - $(error "Please define RTE_SDK environment variable") +$(error "Please define RTE_SDK environment variable") endif # Default target, detect a build directory, by looking for a path with a .config -- 2.21.0.windows.1
[dpdk-dev] [PATCH] build: enable BSD features visibility for FreeBSD
When a component uses either XOPEN_SOURCE or POSIX_C_SOURCE macro explicitly in its build recipe, it restricts visibility of a non POSIX features subset, such as IANA protocol numbers (IPPROTO_* macros). Non standard features are enabled by default for DPDK both for Linux thanks to _GNU_SOURCE and for FreeBSD thanks to __BSD_VISIBLE. However using XOPEN_SOURCE or POSIX_(C_)SOURCE in a component causes __BSD_VISIBLE to be defined to 0 for FreeBSD, causing different feature sets visibility for Linux and FreeBSD. It restricts from using IPPROTO macros in public headers, such as rte_ip.h, despite the fact they are already widely used in sources. Add __BSD_VISIBLE macro specified unconditionally for FreeBSD targets which enforces feature sets visibility unification between Linux and FreeBSD. This patch solves the problem of build breaks for [1] on FreeBSD [2] following the discussion [3]. [1] https://mails.dpdk.org/archives/dev/2019-May/131885.html [2] http://mails.dpdk.org/archives/test-report/2019-May/082263.html [3] https://mails.dpdk.org/archives/dev/2019-May/132110.html Signed-off-by: Marcin Smoczynski --- app/meson.build | 5 + drivers/meson.build | 5 + examples/meson.build | 5 + lib/meson.build | 5 + mk/target/generic/rte.vars.mk | 5 + 5 files changed, 25 insertions(+) diff --git a/app/meson.build b/app/meson.build index 2b9fdef74..eb04c4e46 100644 --- a/app/meson.build +++ b/app/meson.build @@ -25,6 +25,11 @@ default_cflags = machine_args # specify -D_GNU_SOURCE unconditionally default_cflags += '-D_GNU_SOURCE' +# specify -D__BSD_VISIBLE for FreeBSD +if is_freebsd + default_cflags += '-D__BSD_VISIBLE' +endif + foreach app:apps build = true name = app diff --git a/drivers/meson.build b/drivers/meson.build index 4c444f495..a1a2dfcca 100644 --- a/drivers/meson.build +++ b/drivers/meson.build @@ -24,6 +24,11 @@ endif # specify -D_GNU_SOURCE unconditionally default_cflags += '-D_GNU_SOURCE' +# specify -D__BSD_VISIBLE for FreeBSD +if is_freebsd + default_cflags += '-D__BSD_VISIBLE' +endif + foreach class:dpdk_driver_classes drivers = [] std_deps = [] diff --git a/examples/meson.build b/examples/meson.build index 1a6134f12..44dfdc97f 100644 --- a/examples/meson.build +++ b/examples/meson.build @@ -34,6 +34,11 @@ endif # specify -D_GNU_SOURCE unconditionally default_cflags += '-D_GNU_SOURCE' +# specify -D__BSD_VISIBLE for FreeBSD +if is_freebsd + default_cflags += '-D__BSD_VISIBLE' +endif + foreach example: examples name = example build = true diff --git a/lib/meson.build b/lib/meson.build index e067ce5ea..48592c35a 100644 --- a/lib/meson.build +++ b/lib/meson.build @@ -44,6 +44,11 @@ enabled_libs = [] # used to print summary at the end # -D_GNU_SOURCE unconditionally default_cflags += '-D_GNU_SOURCE' +# specify -D__BSD_VISIBLE for FreeBSD +if is_freebsd + default_cflags += '-D__BSD_VISIBLE' +endif + foreach l:libraries build = true name = l diff --git a/mk/target/generic/rte.vars.mk b/mk/target/generic/rte.vars.mk index 25a578ad7..5f00a0bfa 100644 --- a/mk/target/generic/rte.vars.mk +++ b/mk/target/generic/rte.vars.mk @@ -111,6 +111,11 @@ endif # always define _GNU_SOURCE CFLAGS += -D_GNU_SOURCE +# define __BSD_VISIBLE when building for FreeBSD +ifeq ($(CONFIG_RTE_EXEC_ENV_FREEBSD),y) +CFLAGS += -D__BSD_VISIBLE +endif + export CFLAGS export LDFLAGS -- 2.21.0.windows.1
[dpdk-dev] [PATCH v2 0/1] Enable BSD features visibility for FreeBSD
v1 -> v2 * merge multiple -D__BSD_VISIBLE into one * merge multiple -D_GNU_SOURCE into one * add -D__BSD_VISIBLE to pc file for FreeBSD Marcin Smoczynski (1): build: enable BSD features visibility for FreeBSD app/meson.build | 3 --- config/meson.build| 8 drivers/meson.build | 3 --- examples/meson.build | 3 --- lib/meson.build | 3 --- meson.build | 6 +- mk/target/generic/rte.vars.mk | 5 + 7 files changed, 18 insertions(+), 13 deletions(-) -- 2.17.1
[dpdk-dev] [PATCH v2 1/1] build: enable BSD features visibility for FreeBSD
When a component uses either XOPEN_SOURCE or POSIX_C_SOURCE macro
explicitly in its build recipe, it restricts visibility of a non POSIX
features subset, such as IANA protocol numbers (IPPROTO_* macros).
Non standard features are enabled by default for DPDK both for Linux
thanks to _GNU_SOURCE and for FreeBSD thanks to __BSD_VISIBLE. However
using XOPEN_SOURCE or POSIX_(C_)SOURCE in a component causes
__BSD_VISIBLE to be defined to 0 for FreeBSD, causing different feature
sets visibility for Linux and FreeBSD. It restricts from using IPPROTO
macros in public headers, such as rte_ip.h, despite the fact they are
already widely used in sources.
Add __BSD_VISIBLE macro specified unconditionally for FreeBSD targets
which enforces feature sets visibility unification between Linux and
FreeBSD.
Add single -D_GNU_SOURCE to config/meson.build as a project argument
instead of adding separate directive for each project subtree.
This patch solves the problem of build breaks for [1] on FreeBSD [2]
following the discussion [3].
[1] https://mails.dpdk.org/archives/dev/2019-May/131885.html
[2] http://mails.dpdk.org/archives/test-report/2019-May/082263.html
[3] https://mails.dpdk.org/archives/dev/2019-May/132110.html
Signed-off-by: Marcin Smoczynski
---
app/meson.build | 3 ---
config/meson.build| 8
drivers/meson.build | 3 ---
examples/meson.build | 3 ---
lib/meson.build | 3 ---
meson.build | 6 +-
mk/target/generic/rte.vars.mk | 5 +
7 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/app/meson.build b/app/meson.build
index 2b9fdef74..b0e6afbbe 100644
--- a/app/meson.build
+++ b/app/meson.build
@@ -22,9 +22,6 @@ lib_execinfo = cc.find_library('execinfo', required: false)
default_cflags = machine_args
-# specify -D_GNU_SOURCE unconditionally
-default_cflags += '-D_GNU_SOURCE'
-
foreach app:apps
build = true
name = app
diff --git a/config/meson.build b/config/meson.build
index 0d25646f5..b77c87811 100644
--- a/config/meson.build
+++ b/config/meson.build
@@ -187,3 +187,11 @@ install_headers('rte_config.h', subdir:
get_option('include_subdir_arch'))
# enable VFIO only if it is linux OS
dpdk_conf.set('RTE_EAL_VFIO', is_linux)
+
+# specify -D_GNU_SOURCE unconditionally
+add_project_arguments('-D_GNU_SOURCE', language: 'c')
+
+# specify -D__BSD_VISIBLE for FreeBSD
+if is_freebsd
+ add_project_arguments('-D__BSD_VISIBLE', language: 'c')
+endif
diff --git a/drivers/meson.build b/drivers/meson.build
index 4c444f495..dc47b45ec 100644
--- a/drivers/meson.build
+++ b/drivers/meson.build
@@ -21,9 +21,6 @@ if cc.has_argument('-Wno-format-truncation')
default_cflags += '-Wno-format-truncation'
endif
-# specify -D_GNU_SOURCE unconditionally
-default_cflags += '-D_GNU_SOURCE'
-
foreach class:dpdk_driver_classes
drivers = []
std_deps = []
diff --git a/examples/meson.build b/examples/meson.build
index 1a6134f12..6e18ca8ec 100644
--- a/examples/meson.build
+++ b/examples/meson.build
@@ -31,9 +31,6 @@ if cc.has_argument('-Wno-format-truncation')
default_cflags += '-Wno-format-truncation'
endif
-# specify -D_GNU_SOURCE unconditionally
-default_cflags += '-D_GNU_SOURCE'
-
foreach example: examples
name = example
build = true
diff --git a/lib/meson.build b/lib/meson.build
index e067ce5ea..dd7c94c03 100644
--- a/lib/meson.build
+++ b/lib/meson.build
@@ -41,9 +41,6 @@ endif
enabled_libs = [] # used to print summary at the end
-# -D_GNU_SOURCE unconditionally
-default_cflags += '-D_GNU_SOURCE'
-
foreach l:libraries
build = true
name = l
diff --git a/meson.build b/meson.build
index 46f9c5683..05c816a9e 100644
--- a/meson.build
+++ b/meson.build
@@ -64,6 +64,10 @@ configure_file(output: build_cfg,
dpdk_drivers = ['-Wl,--whole-archive'] + dpdk_drivers +
['-Wl,--no-whole-archive']
pkg = import('pkgconfig')
+pkg_extra_cflags = ['-include', 'rte_config.h'] + machine_args
+if is_freebsd
+ pkg_extra_cflags += ['-D__BSD_VISIBLE']
+endif
pkg.generate(name: meson.project_name(),
filebase: 'lib' + meson.project_name().to_lower(),
version: meson.project_version(),
@@ -76,7 +80,7 @@ pkg.generate(name: meson.project_name(),
Note that CFLAGS might contain an -march flag higher than typical baseline.
This is required for a number of static inline functions in the public
headers.''',
subdirs: [get_option('include_subdir_arch'), '.'],
- extra_cflags: ['-include', 'rte_config.h'] + machine_args
+ extra_cflags: pkg_extra_cflags
)
# final output, list all the libs and drivers to be built
diff --git a/mk/targ
[dpdk-dev] [PATCH v1] net/tap: fix blocked rx packets error
When OS sends more packets than are beaing read with a single
'rte_eth_rx_burst' call, rx packets are getting stucked in the tap pmd
and are unable to receive, because trigger_seen is getting updated
and consecutive calls are not getting any packets.
Do not update trigger_seen unless less than a max number of packets were
received allowing next call to receive the rest.
Fixes: a0d8e807d9 ("net/tap: add Rx trigger")
Cc: sta...@dpdk.org
Tested-by: Mariusz Drost
Signed-off-by: Marcin Smoczynski
---
drivers/net/tap/rte_eth_tap.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c
index 64bd04911..60121ae56 100644
--- a/drivers/net/tap/rte_eth_tap.c
+++ b/drivers/net/tap/rte_eth_tap.c
@@ -353,8 +353,7 @@ pmd_rx_burst(void *queue, struct rte_mbuf **bufs, uint16_t
nb_pkts)
if (trigger == rxq->trigger_seen)
return 0;
- if (trigger)
- rxq->trigger_seen = trigger;
+
process_private = rte_eth_devices[rxq->in_port].process_private;
rte_compiler_barrier();
for (num_rx = 0; num_rx < nb_pkts; ) {
@@ -433,6 +432,9 @@ pmd_rx_burst(void *queue, struct rte_mbuf **bufs, uint16_t
nb_pkts)
rxq->stats.ipackets += num_rx;
rxq->stats.ibytes += num_rx_bytes;
+ if (trigger && num_rx < nb_pkts)
+ rxq->trigger_seen = trigger;
+
return num_rx;
}
--
2.17.1
[dpdk-dev] [PATCH v2 1/3] examples/ipsec-secgw: ipsec_sa structure cleanup
Cleanup ipsec_sa structure by removing every field that is already in
the rte_ipsec_session structure:
* cryptodev/security session union
* action type
* offload flags
* security context
References to abovementioned fields are changed to direct references
to matching fields of rte_ipsec_session structure.
Such refactoring is needed to introduce many sessions per SA feature,
e.g. fallback session for inline offload processing.
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/esp.c | 35 +++
examples/ipsec-secgw/ipsec.c | 91 +++-
examples/ipsec-secgw/ipsec.h | 27 ++---
examples/ipsec-secgw/ipsec_process.c | 30 -
examples/ipsec-secgw/sa.c| 66 ++--
5 files changed, 137 insertions(+), 112 deletions(-)
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index d6d7b1256..c1b49da1e 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -30,7 +30,8 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
int32_t payload_len, ip_hdr_len;
RTE_ASSERT(sa != NULL);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
+ if (ipsec_get_action_type(sa) ==
+ RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
return 0;
RTE_ASSERT(m != NULL);
@@ -148,13 +149,16 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
uint8_t *nexthdr, *pad_len;
uint8_t *padding;
uint16_t i;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
+ ips = ipsec_get_session(sa);
+
+ if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED)
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
@@ -169,8 +173,8 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
return -1;
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
- sa->ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+ ips->security.ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
nexthdr = &m->inner_esp_next_proto;
} else {
nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
@@ -225,10 +229,12 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
struct rte_crypto_sym_op *sym_cop;
int32_t i;
uint16_t pad_payload_len, pad_len, ip_hdr_len;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
+ ips = ipsec_get_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
@@ -277,9 +283,10 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
/* Add trailer padding if it is not constructed by HW */
- if (sa->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
-!(sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+!(ips->security.ol_flags &
+RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
padding = (uint8_t *)rte_pktmbuf_append(m, pad_len +
sa->digest_len);
if (unlikely(padding == NULL)) {
@@ -344,8 +351,9 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
- if (sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ if (ips->security.ol_flags &
+ RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
/* Set the inner esp next protocol for HW trailer */
m->inner_esp_next_proto = nlp;
m->packet_type |= RTE_PTYPE_TUNNEL_ESP;
@@ -448,11 +456,14 @@ esp_outbound_post(struct rte_mbuf *m,
struct ipsec_sa *sa,
struct rte_crypto_op *cop)
{
+ enum rte_security_session_action_type type;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
- if ((sa-
[dpdk-dev] [PATCH v2 0/3] examples/ipsec-secgw: add fallback session
Inline processing is limited to a specified subset of traffic. It is often unable to handle more complicated situations, such as fragmented traffic. When using inline processing such traffic is dropped. Introduce multiple sessions per SA allowing to configure a fallback lookaside session for packets that normally would be dropped. A fallback session type in the SA configuration by adding 'fallback' with 'lookaside-none' or 'lookaside-protocol' parameter to determine type of session. Fallback session feature is available only when using librte_ipsec. v1 to v2 changes: - disable fallback offload for outbound SAs - add test scripts Marcin Smoczynski (3): examples/ipsec-secgw: ipsec_sa structure cleanup examples/ipsec-secgw: add fallback session feature examples/ipsec-secgw: add offload fallback tests doc/guides/sample_app_ug/ipsec_secgw.rst | 17 +- examples/ipsec-secgw/esp.c| 35 ++-- examples/ipsec-secgw/ipsec-secgw.c| 16 +- examples/ipsec-secgw/ipsec.c | 99 ++- examples/ipsec-secgw/ipsec.h | 61 +-- examples/ipsec-secgw/ipsec_process.c | 113 +++- examples/ipsec-secgw/sa.c | 164 +- .../test/trs_aesgcm_common_defs.sh| 4 +- .../trs_aesgcm_inline_crypto_fallback_defs.sh | 5 + .../test/tun_aesgcm_common_defs.sh| 6 +- .../tun_aesgcm_inline_crypto_fallback_defs.sh | 5 + 11 files changed, 358 insertions(+), 167 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh -- 2.21.0.windows.1
[dpdk-dev] [PATCH v2 2/3] examples/ipsec-secgw: add fallback session feature
Inline processing is limited to a specified subset of traffic. It is
often unable to handle more complicated situations, such as fragmented
traffic. When using inline processing such traffic is dropped.
Introduce multiple sessions per SA allowing to configure a fallback
lookaside session for packets that normally would be dropped.
A fallback session type in the SA configuration by adding 'fallback'
with 'lookaside-none' or 'lookaside-protocol' parameter to determine
type of session.
Fallback session feature is available only when using librte_ipsec.
Signed-off-by: Marcin Smoczynski
---
doc/guides/sample_app_ug/ipsec_secgw.rst | 17 +++-
examples/ipsec-secgw/esp.c | 4 +-
examples/ipsec-secgw/ipsec-secgw.c | 16 ++--
examples/ipsec-secgw/ipsec.c | 10 +--
examples/ipsec-secgw/ipsec.h | 40 +++--
examples/ipsec-secgw/ipsec_process.c | 85 --
examples/ipsec-secgw/sa.c| 110 +++
7 files changed, 218 insertions(+), 64 deletions(-)
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index ad2d79e75..9ded5fb70 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -401,7 +401,7 @@ The SA rule syntax is shown as follows:
.. code-block:: console
sa
-
+
where each options means:
@@ -573,6 +573,21 @@ where each options means:
* *port_id X* X is a valid device number in decimal
+
+
+ * Action type for packets that inline processor failed to process.
+
+ * Optional: Yes, by default there is *no fallback* session type.
+
+ * Available options:
+
+ * *lookaside-none*: use automatically chosen cryptodev to process packets
+ * *lookaside-protocol*: lookaside protocol offload to HW accelerator
+
+ * Syntax:
+
+ * *fallback lookaside-none*
+ * *fallback lookaside-protocol*
Example SA rules:
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index c1b49da1e..bfa7ff721 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -155,7 +155,7 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- ips = ipsec_get_session(sa);
+ ips = ipsec_get_primary_session(sa);
if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
(ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
@@ -234,7 +234,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
- ips = ipsec_get_session(sa);
+ ips = ipsec_get_primary_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
diff --git a/examples/ipsec-secgw/ipsec-secgw.c
b/examples/ipsec-secgw/ipsec-secgw.c
index 0d1fd6af6..641ed3767 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -189,6 +189,7 @@ static uint32_t mtu_size = RTE_ETHER_MTU;
/* application wide librte_ipsec/SA parameters */
struct app_sa_prm app_sa_prm = {.enable = 0};
+static const char *cfgfile;
struct lcore_rx_queue {
uint16_t port_id;
@@ -1462,12 +1463,7 @@ parse_args(int32_t argc, char **argv)
print_usage(prgname);
return -1;
}
- if (parse_cfg_file(optarg) < 0) {
- printf("parsing file \"%s\" failed\n",
- optarg);
- print_usage(prgname);
- return -1;
- }
+ cfgfile = optarg;
f_present = 1;
break;
case 'j':
@@ -2398,6 +2394,14 @@ main(int32_t argc, char **argv)
if (ret < 0)
rte_exit(EXIT_FAILURE, "Invalid parameters\n");
+ /* parse configuration file */
+ if (parse_cfg_file(cfgfile) < 0) {
+ printf("parsing file \"%s\" failed\n",
+ optarg);
+ print_usage(argv[0]);
+ return -1;
+ }
+
if ((unprotected_port_mask & enabled_port_mask) !=
unprotected_port_mask)
rte_exit(EXIT_FAILURE, "Invalid unprotected portmask 0x%x\n",
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 8c60bd84b..8b0441028 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -404,7 +404,7 @@ enqueue_cop(struct cdev_qp *cqp, struct rte_crypto_op *cop)
static inline void
ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
- struct rte_mbuf *pkts[], struct ipsec_sa *sas[]
[dpdk-dev] [PATCH v2 3/3] examples/ipsec-secgw: add offload fallback tests
Add tests for offload fallback feature; add inbound config modificator
SGW_CFG_XPRM_IN (offload fallback setting can be set only for inbound
SAs). Tests are using cryptodev for outbound SA.
To test fragmentation with QAT set:
MULTI_SEG_TEST="--reassemble=4096 --cryptodev_mask=0x"
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh | 4 ++--
.../test/trs_aesgcm_inline_crypto_fallback_defs.sh | 5 +
examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh | 6 --
.../test/tun_aesgcm_inline_crypto_fallback_defs.sh | 5 +
4 files changed, 16 insertions(+), 4 deletions(-)
create mode 100644
examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
create mode 100644
examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
diff --git a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
index f6c5bf5a7..17f2f86d2 100644
--- a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
+++ b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
@@ -29,11 +29,11 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
#SA in rules
sa in 7 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport ${SGW_CFG_XPRM}
+mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN}
sa in 9 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport ${SGW_CFG_XPRM}
+mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN}
#SA out rules
sa out 7 aead_algo aes-128-gcm \
diff --git
a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
new file mode 100644
index 0..875a7457d
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesgcm_defs.sh
+
+SGW_CFG_XPRM_IN='port_id 0 type inline-crypto-offload fallback lookaside-none'
diff --git a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
index 278377967..7490baded 100644
--- a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
+++ b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
@@ -29,11 +29,13 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
#SA in rules
sa in 7 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM}
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} \
+${SGW_CFG_XPRM_IN}
sa in 9 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM}
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} \
+${SGW_CFG_XPRM_IN}
#SA out rules
sa out 7 aead_algo aes-128-gcm \
diff --git
a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
new file mode 100644
index 0..696848432
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesgcm_defs.sh
+
+SGW_CFG_XPRM_IN='port_id 0 type inline-crypto-offload fallback lookaside-none'
--
2.21.0.windows.1
[dpdk-dev] [PATCH v3 3/3] examples/ipsec-secgw: add offload fallback tests
Add tests for offload fallback feature; add inbound config modificator
SGW_CFG_XPRM_IN (offload fallback setting can be set only for inbound
SAs). Tests are using cryptodev for outbound SA.
To test fragmentation with QAT set:
MULTI_SEG_TEST="--reassemble=4096 --cryptodev_mask=0x"
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh | 4 ++--
.../test/trs_aesgcm_inline_crypto_fallback_defs.sh | 5 +
examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh | 6 --
.../test/tun_aesgcm_inline_crypto_fallback_defs.sh | 5 +
4 files changed, 16 insertions(+), 4 deletions(-)
create mode 100644
examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
create mode 100644
examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
diff --git a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
index f6c5bf5a7..17f2f86d2 100644
--- a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
+++ b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
@@ -29,11 +29,11 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
#SA in rules
sa in 7 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport ${SGW_CFG_XPRM}
+mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN}
sa in 9 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport ${SGW_CFG_XPRM}
+mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN}
#SA out rules
sa out 7 aead_algo aes-128-gcm \
diff --git
a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
new file mode 100644
index 0..875a7457d
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesgcm_defs.sh
+
+SGW_CFG_XPRM_IN='port_id 0 type inline-crypto-offload fallback lookaside-none'
diff --git a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
index 278377967..7490baded 100644
--- a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
+++ b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
@@ -29,11 +29,13 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
#SA in rules
sa in 7 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM}
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} \
+${SGW_CFG_XPRM_IN}
sa in 9 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM}
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} \
+${SGW_CFG_XPRM_IN}
#SA out rules
sa out 7 aead_algo aes-128-gcm \
diff --git
a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
new file mode 100644
index 0..696848432
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesgcm_defs.sh
+
+SGW_CFG_XPRM_IN='port_id 0 type inline-crypto-offload fallback lookaside-none'
--
2.17.1
[dpdk-dev] [PATCH v3 2/3] examples/ipsec-secgw: add fallback session feature
Inline processing is limited to a specified subset of traffic. It is
often unable to handle more complicated situations, such as fragmented
traffic. When using inline processing such traffic is dropped.
Introduce fallback session for inline processing allowing processing
packets that normally would be dropped. A fallback session is
configured by adding 'fallback' keyword with 'lookaside-none' or
'lookaside-protocol' parameter to an SA configuration.
Using IPsec anti-replay window or ESN feature with fallback session is
not yet supported when primary session is of type
'inline-protocol-offload' or fallback session is 'lookaside-protocol'
because SA sequence number is not synchronized between software and
hardware sessions. Fallback sessions are also limited to ingress IPsec
traffic.
Fallback session feature is not available in the legacy mode.
Signed-off-by: Marcin Smoczynski
---
doc/guides/sample_app_ug/ipsec_secgw.rst | 20 -
examples/ipsec-secgw/esp.c | 4 +-
examples/ipsec-secgw/ipsec-secgw.c | 16 ++--
examples/ipsec-secgw/ipsec.c | 10 +--
examples/ipsec-secgw/ipsec.h | 40 +++--
examples/ipsec-secgw/ipsec_process.c | 85 --
examples/ipsec-secgw/sa.c| 110 +++
7 files changed, 221 insertions(+), 64 deletions(-)
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index ad2d79e75..6a39c56ce 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -401,7 +401,7 @@ The SA rule syntax is shown as follows:
.. code-block:: console
sa
-
+
where each options means:
@@ -573,6 +573,24 @@ where each options means:
* *port_id X* X is a valid device number in decimal
+
+
+ * Action type for ingress IPsec packets that inline processor failed to
+ process. IPsec anti-replay window and ESN is supported with fallback
+ processing session only when primary session is *lookaside-crypto-offload*
+ and fallback session is *lookaside-none*.
+
+ * Optional: Yes.
+
+ * Available options:
+
+ * *lookaside-none*: use automatically chosen cryptodev to process packets
+ * *lookaside-protocol*: lookaside protocol hardware offload
+
+ * Syntax:
+
+ * *fallback lookaside-none*
+ * *fallback lookaside-protocol*
Example SA rules:
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index c1b49da1e..bfa7ff721 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -155,7 +155,7 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- ips = ipsec_get_session(sa);
+ ips = ipsec_get_primary_session(sa);
if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
(ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
@@ -234,7 +234,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
- ips = ipsec_get_session(sa);
+ ips = ipsec_get_primary_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
diff --git a/examples/ipsec-secgw/ipsec-secgw.c
b/examples/ipsec-secgw/ipsec-secgw.c
index 0d1fd6af6..641ed3767 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -189,6 +189,7 @@ static uint32_t mtu_size = RTE_ETHER_MTU;
/* application wide librte_ipsec/SA parameters */
struct app_sa_prm app_sa_prm = {.enable = 0};
+static const char *cfgfile;
struct lcore_rx_queue {
uint16_t port_id;
@@ -1462,12 +1463,7 @@ parse_args(int32_t argc, char **argv)
print_usage(prgname);
return -1;
}
- if (parse_cfg_file(optarg) < 0) {
- printf("parsing file \"%s\" failed\n",
- optarg);
- print_usage(prgname);
- return -1;
- }
+ cfgfile = optarg;
f_present = 1;
break;
case 'j':
@@ -2398,6 +2394,14 @@ main(int32_t argc, char **argv)
if (ret < 0)
rte_exit(EXIT_FAILURE, "Invalid parameters\n");
+ /* parse configuration file */
+ if (parse_cfg_file(cfgfile) < 0) {
+ printf("parsing file \"%s\" failed\n",
+ optarg);
+ print_usage(argv[0]);
+ return -1;
+ }
+
if ((unprotected_port_mask & enabled_port_mask) !=
unprotected_port_mask)
rte_exit(EXIT_FAILURE
[dpdk-dev] [PATCH v3 1/3] examples/ipsec-secgw: ipsec_sa structure cleanup
Cleanup ipsec_sa structure by removing every field that is already in
the rte_ipsec_session structure:
* cryptodev/security session union
* action type
* offload flags
* security context
References to abovementioned fields are changed to direct references
to matching fields of rte_ipsec_session structure.
Such refactoring is needed to introduce many sessions per SA feature,
e.g. fallback session for inline offload processing.
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/esp.c | 35 +++
examples/ipsec-secgw/ipsec.c | 91 +++-
examples/ipsec-secgw/ipsec.h | 27 ++---
examples/ipsec-secgw/ipsec_process.c | 30 -
examples/ipsec-secgw/sa.c| 66 ++--
5 files changed, 137 insertions(+), 112 deletions(-)
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index d6d7b1256..c1b49da1e 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -30,7 +30,8 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
int32_t payload_len, ip_hdr_len;
RTE_ASSERT(sa != NULL);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
+ if (ipsec_get_action_type(sa) ==
+ RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
return 0;
RTE_ASSERT(m != NULL);
@@ -148,13 +149,16 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
uint8_t *nexthdr, *pad_len;
uint8_t *padding;
uint16_t i;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
+ ips = ipsec_get_session(sa);
+
+ if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED)
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
@@ -169,8 +173,8 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
return -1;
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
- sa->ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+ ips->security.ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
nexthdr = &m->inner_esp_next_proto;
} else {
nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
@@ -225,10 +229,12 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
struct rte_crypto_sym_op *sym_cop;
int32_t i;
uint16_t pad_payload_len, pad_len, ip_hdr_len;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
+ ips = ipsec_get_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
@@ -277,9 +283,10 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
/* Add trailer padding if it is not constructed by HW */
- if (sa->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
-!(sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+!(ips->security.ol_flags &
+RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
padding = (uint8_t *)rte_pktmbuf_append(m, pad_len +
sa->digest_len);
if (unlikely(padding == NULL)) {
@@ -344,8 +351,9 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
- if (sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ if (ips->security.ol_flags &
+ RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
/* Set the inner esp next protocol for HW trailer */
m->inner_esp_next_proto = nlp;
m->packet_type |= RTE_PTYPE_TUNNEL_ESP;
@@ -448,11 +456,14 @@ esp_outbound_post(struct rte_mbuf *m,
struct ipsec_sa *sa,
struct rte_crypto_op *cop)
{
+ enum rte_security_session_action_type type;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
- if ((sa-
[dpdk-dev] [PATCH v3 0/3] add fallback session
Add fallback session feature allowing to process packets that inline processor is unable to handle (e.g. fragmented traffic). Processing takes place in a secondary session defined for SA in a configuration file. This feature is limited to ingress IPsec traffic only. IPsec anti-replay window and ESN are supported in conjunction with fallback session when following conditions are met: * primary session is 'inline-crypto-offload, * fallback sessions is 'lookaside-none'. v2 to v3 changes: - doc and commit log update - explicitly state feature limitations v1 to v2 changes: - disable fallback offload for outbound SAs - add test scripts Marcin Smoczynski (3): examples/ipsec-secgw: ipsec_sa structure cleanup examples/ipsec-secgw: add fallback session feature examples/ipsec-secgw: add offload fallback tests doc/guides/sample_app_ug/ipsec_secgw.rst | 20 ++- examples/ipsec-secgw/esp.c| 35 ++-- examples/ipsec-secgw/ipsec-secgw.c| 16 +- examples/ipsec-secgw/ipsec.c | 99 ++- examples/ipsec-secgw/ipsec.h | 61 +-- examples/ipsec-secgw/ipsec_process.c | 113 +++- examples/ipsec-secgw/sa.c | 164 +- .../test/trs_aesgcm_common_defs.sh| 4 +- .../trs_aesgcm_inline_crypto_fallback_defs.sh | 5 + .../test/tun_aesgcm_common_defs.sh| 6 +- .../tun_aesgcm_inline_crypto_fallback_defs.sh | 5 + 11 files changed, 361 insertions(+), 167 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh -- 2.17.1
[dpdk-dev] [PATCH v2 1/1] net/tap: fix blocked rx packets error
When OS sends more packets than are being read with a single
'rte_eth_rx_burst' call, rx packets are getting stucked in the tap pmd
and are unable to receive, because trigger_seen is getting updated
and consecutive calls are not getting any packets.
Do not update trigger_seen unless less than a max number of packets were
received allowing next call to receive the rest.
Remove unnecessary compiler barrier.
Fixes: a0d8e807d9 ("net/tap: add Rx trigger")
Cc: sta...@dpdk.org
Tested-by: Mariusz Drost
Tested-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
drivers/net/tap/rte_eth_tap.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c
index 64bd04911..9c3adb832 100644
--- a/drivers/net/tap/rte_eth_tap.c
+++ b/drivers/net/tap/rte_eth_tap.c
@@ -353,10 +353,8 @@ pmd_rx_burst(void *queue, struct rte_mbuf **bufs, uint16_t
nb_pkts)
if (trigger == rxq->trigger_seen)
return 0;
- if (trigger)
- rxq->trigger_seen = trigger;
+
process_private = rte_eth_devices[rxq->in_port].process_private;
- rte_compiler_barrier();
for (num_rx = 0; num_rx < nb_pkts; ) {
struct rte_mbuf *mbuf = rxq->pool;
struct rte_mbuf *seg = NULL;
@@ -433,6 +431,9 @@ pmd_rx_burst(void *queue, struct rte_mbuf **bufs, uint16_t
nb_pkts)
rxq->stats.ipackets += num_rx;
rxq->stats.ibytes += num_rx_bytes;
+ if (trigger && num_rx < nb_pkts)
+ rxq->trigger_seen = trigger;
+
return num_rx;
}
--
2.17.1
[dpdk-dev] [PATCH v2 0/1] net/tap: fix blocked rx packets error
When OS sends more packets than are being read with a single 'rte_eth_rx_burst' call, rx packets are getting stucked in the tap pmd and are unable to receive, because trigger_seen is getting updated and consecutive calls are not getting any packets. Do not update trigger_seen unless less than a max number of packets were received allowing next call to receive the rest. v1 to v2 changes: - fix typo in commit description - remove unnecessary compiler barrier Marcin Smoczynski (1): net/tap: fix blocked rx packets error drivers/net/tap/rte_eth_tap.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) -- 2.17.1
[dpdk-dev] [PATCH] examples/ipsec-secgw: fix over MTU packet crash
When sending an encrypted packet which size after encapsulation exceeds
MTU, ipsec-secgw application tries to fragment it. If --reassemble
option has not been set it results with a segmantation fault, because
fragmentation buckets have not been initialized.
Fix crashing by adding extra check: if --ressemble option has not been
set and packet exceeds MTU after encapsulation - drop it.
Fixes: b01d1cd213 ("examples/ipsec-secgw: support fragmentation and reassembly")
Cc: sta...@dpdk.org
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/ipsec-secgw.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/examples/ipsec-secgw/ipsec-secgw.c
b/examples/ipsec-secgw/ipsec-secgw.c
index 0d1fd6af6..91c602436 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -548,8 +548,10 @@ send_single_packet(struct rte_mbuf *m, uint16_t port,
uint8_t proto)
len++;
/* need to fragment the packet */
- } else
+ } else if (frag_tbl_sz > 0)
len = send_fragment_packet(qconf, m, port, proto);
+ else
+ rte_pktmbuf_free(m);
/* enough pkts to be sent */
if (unlikely(len == MAX_PKT_BURST)) {
--
2.17.1
[dpdk-dev] [PATCH v4 1/4] examples/ipsec-secgw: ipsec_sa structure cleanup
Cleanup ipsec_sa structure by removing every field that is already in
the rte_ipsec_session structure:
* cryptodev/security session union
* action type
* offload flags
* security context
References to abovementioned fields are changed to direct references
to matching fields of rte_ipsec_session structure.
Such refactoring is needed to introduce many sessions per SA feature,
e.g. fallback session for inline offload processing.
Acked-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/esp.c | 35 +++
examples/ipsec-secgw/ipsec.c | 91 +++-
examples/ipsec-secgw/ipsec.h | 27 ++---
examples/ipsec-secgw/ipsec_process.c | 30 -
examples/ipsec-secgw/sa.c| 66 ++--
5 files changed, 137 insertions(+), 112 deletions(-)
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index d6d7b1256..c1b49da1e 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -30,7 +30,8 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
int32_t payload_len, ip_hdr_len;
RTE_ASSERT(sa != NULL);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
+ if (ipsec_get_action_type(sa) ==
+ RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
return 0;
RTE_ASSERT(m != NULL);
@@ -148,13 +149,16 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
uint8_t *nexthdr, *pad_len;
uint8_t *padding;
uint16_t i;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
+ ips = ipsec_get_session(sa);
+
+ if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED)
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
@@ -169,8 +173,8 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
return -1;
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
- sa->ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+ ips->security.ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
nexthdr = &m->inner_esp_next_proto;
} else {
nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
@@ -225,10 +229,12 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
struct rte_crypto_sym_op *sym_cop;
int32_t i;
uint16_t pad_payload_len, pad_len, ip_hdr_len;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
+ ips = ipsec_get_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
@@ -277,9 +283,10 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
/* Add trailer padding if it is not constructed by HW */
- if (sa->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
-!(sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+!(ips->security.ol_flags &
+RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
padding = (uint8_t *)rte_pktmbuf_append(m, pad_len +
sa->digest_len);
if (unlikely(padding == NULL)) {
@@ -344,8 +351,9 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
- if (sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ if (ips->security.ol_flags &
+ RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
/* Set the inner esp next protocol for HW trailer */
m->inner_esp_next_proto = nlp;
m->packet_type |= RTE_PTYPE_TUNNEL_ESP;
@@ -448,11 +456,14 @@ esp_outbound_post(struct rte_mbuf *m,
struct ipsec_sa *sa,
struct rte_crypto_op *cop)
{
+ enum rte_security_session_action_type type;
RTE_ASSERT(m !
[dpdk-dev] [PATCH v4 2/4] examples/ipsec-secgw: add fallback session feature
Inline processing is limited to a specified subset of traffic. It is
often unable to handle more complicated situations, such as fragmented
traffic. When using inline processing such traffic is dropped.
Introduce fallback session for inline processing allowing processing
packets that normally would be dropped. A fallback session is
configured by adding 'fallback' keyword with 'lookaside-none' or
'lookaside-protocol' parameter to an SA configuration.
Using IPsec anti-replay window or ESN feature with fallback session is
not yet supported when primary session is of type
'inline-protocol-offload' or fallback session is 'lookaside-protocol'
because SA sequence number is not synchronized between software and
hardware sessions. Fallback sessions are also limited to ingress IPsec
traffic.
Fallback session feature is not available in the legacy mode.
Acked-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
doc/guides/sample_app_ug/ipsec_secgw.rst | 24 -
examples/ipsec-secgw/esp.c | 4 +-
examples/ipsec-secgw/ipsec-secgw.c | 16 ++--
examples/ipsec-secgw/ipsec.c | 10 +--
examples/ipsec-secgw/ipsec.h | 40 +++--
examples/ipsec-secgw/ipsec_process.c | 85 --
examples/ipsec-secgw/sa.c| 110 +++
7 files changed, 225 insertions(+), 64 deletions(-)
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index ad2d79e75..21b4b4418 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -401,7 +401,7 @@ The SA rule syntax is shown as follows:
.. code-block:: console
sa
-
+
where each options means:
@@ -573,6 +573,28 @@ where each options means:
* *port_id X* X is a valid device number in decimal
+
+
+ * Action type for ingress IPsec packets that inline processor failed to
+ process. IPsec anti-replay window and ESN is supported with fallback
+ processing session only when primary session is *lookaside-crypto-offload*
+ and fallback session is *lookaside-none*.
+
+ If used in conjunction with IPsec window, its width needs be increased
+ due to different processing times of inline and lookaside modes which
+ results in packet reordering.
+
+ * Optional: Yes.
+
+ * Available options:
+
+ * *lookaside-none*: use automatically chosen cryptodev to process packets
+ * *lookaside-protocol*: lookaside protocol hardware offload
+
+ * Syntax:
+
+ * *fallback lookaside-none*
+ * *fallback lookaside-protocol*
Example SA rules:
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index c1b49da1e..bfa7ff721 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -155,7 +155,7 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- ips = ipsec_get_session(sa);
+ ips = ipsec_get_primary_session(sa);
if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
(ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
@@ -234,7 +234,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
- ips = ipsec_get_session(sa);
+ ips = ipsec_get_primary_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
diff --git a/examples/ipsec-secgw/ipsec-secgw.c
b/examples/ipsec-secgw/ipsec-secgw.c
index 0d1fd6af6..641ed3767 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -189,6 +189,7 @@ static uint32_t mtu_size = RTE_ETHER_MTU;
/* application wide librte_ipsec/SA parameters */
struct app_sa_prm app_sa_prm = {.enable = 0};
+static const char *cfgfile;
struct lcore_rx_queue {
uint16_t port_id;
@@ -1462,12 +1463,7 @@ parse_args(int32_t argc, char **argv)
print_usage(prgname);
return -1;
}
- if (parse_cfg_file(optarg) < 0) {
- printf("parsing file \"%s\" failed\n",
- optarg);
- print_usage(prgname);
- return -1;
- }
+ cfgfile = optarg;
f_present = 1;
break;
case 'j':
@@ -2398,6 +2394,14 @@ main(int32_t argc, char **argv)
if (ret < 0)
rte_exit(EXIT_FAILURE, "Invalid parameters\n");
+ /* parse configuration file */
+ if (parse_cfg_file(cfgfile) < 0) {
+ printf("parsing file \"%s\" failed\n",
+ optarg);
+
[dpdk-dev] [PATCH v4 0/4] add fallback session
Add fallback session feature allowing to process packets that inline processor is unable to handle (e.g. fragmented traffic). Processing takes place in a secondary session defined for SA in a configuration file. This feature is limited to ingress IPsec traffic only. IPsec anti-replay window and ESN are supported in conjunction with fallback session when following conditions are met: * primary session is 'inline-crypto-offload, * fallback sessions is 'lookaside-none'. Due to different processing times of inline and lookaside modes, fallback session introduces some packet reordering, therefore when using with IPsec window, its value should be increased. v3 to v4 changes: - add info about packet reordering to the documentation regarding fallback session - add patch with --frag-ttl command line option which allows to change fragment lifetime v2 to v3 changes: - doc and commit log update - explicitly state feature limitations v1 to v2 changes: - disable fallback offload for outbound SAs - add test scripts Marcin Smoczynski (4): examples/ipsec-secgw: ipsec_sa structure cleanup examples/ipsec-secgw: add fallback session feature examples/ipsec-secgw: add frag TTL cmdline option examples/ipsec-secgw: add offload fallback tests doc/guides/sample_app_ug/ipsec_secgw.rst | 31 +++- examples/ipsec-secgw/esp.c| 35 ++-- examples/ipsec-secgw/ipsec-secgw.c| 56 -- examples/ipsec-secgw/ipsec.c | 99 ++- examples/ipsec-secgw/ipsec.h | 61 +-- examples/ipsec-secgw/ipsec_process.c | 113 +++- examples/ipsec-secgw/sa.c | 164 +- .../test/trs_aesgcm_common_defs.sh| 4 +- .../trs_aesgcm_inline_crypto_fallback_defs.sh | 5 + .../test/tun_aesgcm_common_defs.sh| 6 +- .../tun_aesgcm_inline_crypto_fallback_defs.sh | 5 + 11 files changed, 402 insertions(+), 177 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh -- 2.17.1
[dpdk-dev] [PATCH v4 4/4] examples/ipsec-secgw: add offload fallback tests
Add tests for offload fallback feature; add inbound config modificator
SGW_CFG_XPRM_IN (offload fallback setting can be set only for inbound
SAs). Tests are using cryptodev for outbound SA.
To test fragmentation with QAT set:
MULTI_SEG_TEST="--reassemble=4096 --cryptodev_mask=0x"
Acked-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh | 4 ++--
.../test/trs_aesgcm_inline_crypto_fallback_defs.sh | 5 +
examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh | 6 --
.../test/tun_aesgcm_inline_crypto_fallback_defs.sh | 5 +
4 files changed, 16 insertions(+), 4 deletions(-)
create mode 100644
examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
create mode 100644
examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
diff --git a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
index f6c5bf5a7..17f2f86d2 100644
--- a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
+++ b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
@@ -29,11 +29,11 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
#SA in rules
sa in 7 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport ${SGW_CFG_XPRM}
+mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN}
sa in 9 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport ${SGW_CFG_XPRM}
+mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN}
#SA out rules
sa out 7 aead_algo aes-128-gcm \
diff --git
a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
new file mode 100644
index 0..875a7457d
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesgcm_defs.sh
+
+SGW_CFG_XPRM_IN='port_id 0 type inline-crypto-offload fallback lookaside-none'
diff --git a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
index 278377967..7490baded 100644
--- a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
+++ b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
@@ -29,11 +29,13 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
#SA in rules
sa in 7 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM}
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} \
+${SGW_CFG_XPRM_IN}
sa in 9 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM}
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} \
+${SGW_CFG_XPRM_IN}
#SA out rules
sa out 7 aead_algo aes-128-gcm \
diff --git
a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
new file mode 100644
index 0..696848432
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesgcm_defs.sh
+
+SGW_CFG_XPRM_IN='port_id 0 type inline-crypto-offload fallback lookaside-none'
--
2.17.1
[dpdk-dev] [PATCH v4 3/4] examples/ipsec-secgw: add frag TTL cmdline option
Due to fragment loss on highly saturated links and long fragment
lifetime, ipsec-secgw application quickly runs out of free reassembly
buckets. As a result new fragments are being dropped.
Introduce --frag-ttl option which allow user to lower default fragment
lifitime which solves problem of saturated reassembly buckets with high
bandwidth fragmented traffic.
Signed-off-by: Marcin Smoczynski
---
doc/guides/sample_app_ug/ipsec_secgw.rst | 7 +
examples/ipsec-secgw/ipsec-secgw.c | 40 ++--
2 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 21b4b4418..55b65d7bc 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -154,6 +154,13 @@ Where:
Incoming packets with length bigger then MTU will be discarded.
Default value: 1500.
+* ``--frag-ttl FRAG_TTL_NS``: fragment lifetime (in nanoseconds).
+If packet is not reassembled within this time, received fragments
+will be discarded. Fragment lifetime should be decreased when
+there is a high fragmented traffic loss in high bandwidth networks.
+Should be lower for for low number of reassembly buckets.
+Valid values: from 1 ns to 10 s. Default value: 1000 (10 s).
+
* ``--reassemble NUM``: max number of entries in reassemble fragment table.
Zero value disables reassembly functionality.
Default value: 0.
diff --git a/examples/ipsec-secgw/ipsec-secgw.c
b/examples/ipsec-secgw/ipsec-secgw.c
index 641ed3767..7b246cc60 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -112,7 +112,7 @@ static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT;
0, 0)
#defineFRAG_TBL_BUCKET_ENTRIES 4
-#defineFRAG_TTL_MS (10 * MS_PER_S)
+#defineMAX_FRAG_TTL_NS (10LL * NS_PER_S)
#define MTU_TO_FRAMELEN(x) ((x) + RTE_ETHER_HDR_LEN + RTE_ETHER_CRC_LEN)
@@ -135,6 +135,7 @@ struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
#define CMD_LINE_OPT_TX_OFFLOAD"txoffload"
#define CMD_LINE_OPT_REASSEMBLE"reassemble"
#define CMD_LINE_OPT_MTU "mtu"
+#define CMD_LINE_OPT_FRAG_TTL "frag-ttl"
enum {
/* long options mapped to a short option */
@@ -150,6 +151,7 @@ enum {
CMD_LINE_OPT_TX_OFFLOAD_NUM,
CMD_LINE_OPT_REASSEMBLE_NUM,
CMD_LINE_OPT_MTU_NUM,
+ CMD_LINE_OPT_FRAG_TTL_NUM,
};
static const struct option lgopts[] = {
@@ -160,6 +162,7 @@ static const struct option lgopts[] = {
{CMD_LINE_OPT_TX_OFFLOAD, 1, 0, CMD_LINE_OPT_TX_OFFLOAD_NUM},
{CMD_LINE_OPT_REASSEMBLE, 1, 0, CMD_LINE_OPT_REASSEMBLE_NUM},
{CMD_LINE_OPT_MTU, 1, 0, CMD_LINE_OPT_MTU_NUM},
+ {CMD_LINE_OPT_FRAG_TTL, 1, 0, CMD_LINE_OPT_FRAG_TTL_NUM},
{NULL, 0, 0, 0}
};
@@ -186,6 +189,7 @@ static uint64_t dev_tx_offload = UINT64_MAX;
static uint32_t frag_tbl_sz;
static uint32_t frame_buf_size = RTE_MBUF_DEFAULT_BUF_SIZE;
static uint32_t mtu_size = RTE_ETHER_MTU;
+static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS;
/* application wide librte_ipsec/SA parameters */
struct app_sa_prm app_sa_prm = {.enable = 0};
@@ -1302,6 +1306,9 @@ print_usage(const char *prgname)
": MTU value on all ports (default value: 1500)\n"
"outgoing packets with bigger size will be fragmented\n"
"incoming packets with bigger size will be discarded\n"
+ " --" CMD_LINE_OPT_FRAG_TTL " FRAG_TTL_NS"
+ ": fragments lifetime in nanoseconds, default\n"
+ "and maximum value is 10.000.000.000 ns (10 s)\n"
"\n",
prgname);
}
@@ -1338,14 +1345,15 @@ parse_portmask(const char *portmask)
return pm;
}
-static int32_t
+static int64_t
parse_decimal(const char *str)
{
char *end = NULL;
- unsigned long num;
+ unsigned long long num;
- num = strtoul(str, &end, 10);
- if ((str[0] == '\0') || (end == NULL) || (*end != '\0'))
+ num = strtoull(str, &end, 10);
+ if ((str[0] == '\0') || (end == NULL) || (*end != '\0')
+ || num > INT64_MAX || num < 0)
return -1;
return num;
@@ -1419,12 +1427,14 @@ print_app_sa_prm(const struct app_sa_prm *prm)
printf("replay window size: %u\n", prm->window_size);
printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
printf("SA flags: %#" PRIx64 "\n", prm->flags);
+ printf("Frag TTL: %lu ns\n", frag_ttl_ns);
}
static int32_t
parse_args(int32_t argc, cha
[dpdk-dev] [PATCH v5 0/4] add fallback session
Add fallback session feature allowing to process packets that inline processor is unable to handle (e.g. fragmented traffic). Processing takes place in a secondary session defined for SA in a configuration file. This feature is limited to ingress IPsec traffic only. IPsec anti-replay window and ESN are supported in conjunction with fallback session when following conditions are met: * primary session is 'inline-crypto-offload, * fallback sessions is 'lookaside-none'. Due to different processing times of inline and lookaside modes, fallback session introduces some packet reordering, therefore when using with IPsec window, its value should be increased. v4 to v5 changes: - fix build errors related to frag TTL command line option and parse_decimal method v3 to v4 changes: - add info about packet reordering to the documentation regarding fallback session - add patch with --frag-ttl command line option which allows to change fragment lifetime v2 to v3 changes: - doc and commit log update - explicitly state feature limitations v1 to v2 changes: - disable fallback offload for outbound SAs - add test scripts Marcin Smoczynski (4): examples/ipsec-secgw: ipsec_sa structure cleanup examples/ipsec-secgw: add fallback session feature examples/ipsec-secgw: add frag TTL cmdline option examples/ipsec-secgw: add offload fallback tests doc/guides/sample_app_ug/ipsec_secgw.rst | 31 +++- examples/ipsec-secgw/esp.c| 35 ++-- examples/ipsec-secgw/ipsec-secgw.c| 56 -- examples/ipsec-secgw/ipsec.c | 99 ++- examples/ipsec-secgw/ipsec.h | 61 +-- examples/ipsec-secgw/ipsec_process.c | 113 +++- examples/ipsec-secgw/sa.c | 164 +- .../test/trs_aesgcm_common_defs.sh| 4 +- .../trs_aesgcm_inline_crypto_fallback_defs.sh | 5 + .../test/tun_aesgcm_common_defs.sh| 6 +- .../tun_aesgcm_inline_crypto_fallback_defs.sh | 5 + 11 files changed, 402 insertions(+), 177 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh -- 2.17.1
[dpdk-dev] [PATCH v5 1/4] examples/ipsec-secgw: ipsec_sa structure cleanup
Cleanup ipsec_sa structure by removing every field that is already in
the rte_ipsec_session structure:
* cryptodev/security session union
* action type
* offload flags
* security context
References to abovementioned fields are changed to direct references
to matching fields of rte_ipsec_session structure.
Such refactoring is needed to introduce many sessions per SA feature,
e.g. fallback session for inline offload processing.
Acked-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/esp.c | 35 +++
examples/ipsec-secgw/ipsec.c | 91 +++-
examples/ipsec-secgw/ipsec.h | 27 ++---
examples/ipsec-secgw/ipsec_process.c | 30 -
examples/ipsec-secgw/sa.c| 66 ++--
5 files changed, 137 insertions(+), 112 deletions(-)
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index d6d7b1256..c1b49da1e 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -30,7 +30,8 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
int32_t payload_len, ip_hdr_len;
RTE_ASSERT(sa != NULL);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
+ if (ipsec_get_action_type(sa) ==
+ RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
return 0;
RTE_ASSERT(m != NULL);
@@ -148,13 +149,16 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
uint8_t *nexthdr, *pad_len;
uint8_t *padding;
uint16_t i;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
+ ips = ipsec_get_session(sa);
+
+ if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD) {
if (m->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED)
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
@@ -169,8 +173,8 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
return -1;
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
- sa->ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+ ips->security.ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
nexthdr = &m->inner_esp_next_proto;
} else {
nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
@@ -225,10 +229,12 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
struct rte_crypto_sym_op *sym_cop;
int32_t i;
uint16_t pad_payload_len, pad_len, ip_hdr_len;
+ struct rte_ipsec_session *ips;
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
+ ips = ipsec_get_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
@@ -277,9 +283,10 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
/* Add trailer padding if it is not constructed by HW */
- if (sa->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
-!(sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
+ (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
+!(ips->security.ol_flags &
+RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
padding = (uint8_t *)rte_pktmbuf_append(m, pad_len +
sa->digest_len);
if (unlikely(padding == NULL)) {
@@ -344,8 +351,9 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
}
}
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
- if (sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ if (ips->security.ol_flags &
+ RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
/* Set the inner esp next protocol for HW trailer */
m->inner_esp_next_proto = nlp;
m->packet_type |= RTE_PTYPE_TUNNEL_ESP;
@@ -448,11 +456,14 @@ esp_outbound_post(struct rte_mbuf *m,
struct ipsec_sa *sa,
struct rte_crypto_op *cop)
{
+ enum rte_security_session_action_type type;
RTE_ASSERT(m !
[dpdk-dev] [PATCH v5 2/4] examples/ipsec-secgw: add fallback session feature
Inline processing is limited to a specified subset of traffic. It is
often unable to handle more complicated situations, such as fragmented
traffic. When using inline processing such traffic is dropped.
Introduce fallback session for inline processing allowing processing
packets that normally would be dropped. A fallback session is
configured by adding 'fallback' keyword with 'lookaside-none' or
'lookaside-protocol' parameter to an SA configuration.
Using IPsec anti-replay window or ESN feature with fallback session is
not yet supported when primary session is of type
'inline-protocol-offload' or fallback session is 'lookaside-protocol'
because SA sequence number is not synchronized between software and
hardware sessions. Fallback sessions are also limited to ingress IPsec
traffic.
Fallback session feature is not available in the legacy mode.
Acked-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
doc/guides/sample_app_ug/ipsec_secgw.rst | 24 -
examples/ipsec-secgw/esp.c | 4 +-
examples/ipsec-secgw/ipsec-secgw.c | 16 ++--
examples/ipsec-secgw/ipsec.c | 10 +--
examples/ipsec-secgw/ipsec.h | 40 +++--
examples/ipsec-secgw/ipsec_process.c | 85 --
examples/ipsec-secgw/sa.c| 110 +++
7 files changed, 225 insertions(+), 64 deletions(-)
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index ad2d79e75..21b4b4418 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -401,7 +401,7 @@ The SA rule syntax is shown as follows:
.. code-block:: console
sa
-
+
where each options means:
@@ -573,6 +573,28 @@ where each options means:
* *port_id X* X is a valid device number in decimal
+
+
+ * Action type for ingress IPsec packets that inline processor failed to
+ process. IPsec anti-replay window and ESN is supported with fallback
+ processing session only when primary session is *lookaside-crypto-offload*
+ and fallback session is *lookaside-none*.
+
+ If used in conjunction with IPsec window, its width needs be increased
+ due to different processing times of inline and lookaside modes which
+ results in packet reordering.
+
+ * Optional: Yes.
+
+ * Available options:
+
+ * *lookaside-none*: use automatically chosen cryptodev to process packets
+ * *lookaside-protocol*: lookaside protocol hardware offload
+
+ * Syntax:
+
+ * *fallback lookaside-none*
+ * *fallback lookaside-protocol*
Example SA rules:
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index c1b49da1e..bfa7ff721 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -155,7 +155,7 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
RTE_ASSERT(sa != NULL);
RTE_ASSERT(cop != NULL);
- ips = ipsec_get_session(sa);
+ ips = ipsec_get_primary_session(sa);
if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
(ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
@@ -234,7 +234,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
RTE_ASSERT(m != NULL);
RTE_ASSERT(sa != NULL);
- ips = ipsec_get_session(sa);
+ ips = ipsec_get_primary_session(sa);
ip_hdr_len = 0;
ip4 = rte_pktmbuf_mtod(m, struct ip *);
diff --git a/examples/ipsec-secgw/ipsec-secgw.c
b/examples/ipsec-secgw/ipsec-secgw.c
index 0d1fd6af6..641ed3767 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -189,6 +189,7 @@ static uint32_t mtu_size = RTE_ETHER_MTU;
/* application wide librte_ipsec/SA parameters */
struct app_sa_prm app_sa_prm = {.enable = 0};
+static const char *cfgfile;
struct lcore_rx_queue {
uint16_t port_id;
@@ -1462,12 +1463,7 @@ parse_args(int32_t argc, char **argv)
print_usage(prgname);
return -1;
}
- if (parse_cfg_file(optarg) < 0) {
- printf("parsing file \"%s\" failed\n",
- optarg);
- print_usage(prgname);
- return -1;
- }
+ cfgfile = optarg;
f_present = 1;
break;
case 'j':
@@ -2398,6 +2394,14 @@ main(int32_t argc, char **argv)
if (ret < 0)
rte_exit(EXIT_FAILURE, "Invalid parameters\n");
+ /* parse configuration file */
+ if (parse_cfg_file(cfgfile) < 0) {
+ printf("parsing file \"%s\" failed\n",
+ optarg);
+
[dpdk-dev] [PATCH v5 3/4] examples/ipsec-secgw: add frag TTL cmdline option
Due to fragment loss on highly saturated links and long fragment
lifetime, ipsec-secgw application quickly runs out of free reassembly
buckets. As a result new fragments are being dropped.
Introduce --frag-ttl option which allow user to lower default fragment
lifitime which solves problem of saturated reassembly buckets with high
bandwidth fragmented traffic.
Signed-off-by: Marcin Smoczynski
---
doc/guides/sample_app_ug/ipsec_secgw.rst | 7 +
examples/ipsec-secgw/ipsec-secgw.c | 40 ++--
2 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 21b4b4418..55b65d7bc 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -154,6 +154,13 @@ Where:
Incoming packets with length bigger then MTU will be discarded.
Default value: 1500.
+* ``--frag-ttl FRAG_TTL_NS``: fragment lifetime (in nanoseconds).
+If packet is not reassembled within this time, received fragments
+will be discarded. Fragment lifetime should be decreased when
+there is a high fragmented traffic loss in high bandwidth networks.
+Should be lower for for low number of reassembly buckets.
+Valid values: from 1 ns to 10 s. Default value: 1000 (10 s).
+
* ``--reassemble NUM``: max number of entries in reassemble fragment table.
Zero value disables reassembly functionality.
Default value: 0.
diff --git a/examples/ipsec-secgw/ipsec-secgw.c
b/examples/ipsec-secgw/ipsec-secgw.c
index 641ed3767..1d415ace8 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -112,7 +112,7 @@ static uint16_t nb_txd = IPSEC_SECGW_TX_DESC_DEFAULT;
0, 0)
#defineFRAG_TBL_BUCKET_ENTRIES 4
-#defineFRAG_TTL_MS (10 * MS_PER_S)
+#defineMAX_FRAG_TTL_NS (10LL * NS_PER_S)
#define MTU_TO_FRAMELEN(x) ((x) + RTE_ETHER_HDR_LEN + RTE_ETHER_CRC_LEN)
@@ -135,6 +135,7 @@ struct ethaddr_info ethaddr_tbl[RTE_MAX_ETHPORTS] = {
#define CMD_LINE_OPT_TX_OFFLOAD"txoffload"
#define CMD_LINE_OPT_REASSEMBLE"reassemble"
#define CMD_LINE_OPT_MTU "mtu"
+#define CMD_LINE_OPT_FRAG_TTL "frag-ttl"
enum {
/* long options mapped to a short option */
@@ -150,6 +151,7 @@ enum {
CMD_LINE_OPT_TX_OFFLOAD_NUM,
CMD_LINE_OPT_REASSEMBLE_NUM,
CMD_LINE_OPT_MTU_NUM,
+ CMD_LINE_OPT_FRAG_TTL_NUM,
};
static const struct option lgopts[] = {
@@ -160,6 +162,7 @@ static const struct option lgopts[] = {
{CMD_LINE_OPT_TX_OFFLOAD, 1, 0, CMD_LINE_OPT_TX_OFFLOAD_NUM},
{CMD_LINE_OPT_REASSEMBLE, 1, 0, CMD_LINE_OPT_REASSEMBLE_NUM},
{CMD_LINE_OPT_MTU, 1, 0, CMD_LINE_OPT_MTU_NUM},
+ {CMD_LINE_OPT_FRAG_TTL, 1, 0, CMD_LINE_OPT_FRAG_TTL_NUM},
{NULL, 0, 0, 0}
};
@@ -186,6 +189,7 @@ static uint64_t dev_tx_offload = UINT64_MAX;
static uint32_t frag_tbl_sz;
static uint32_t frame_buf_size = RTE_MBUF_DEFAULT_BUF_SIZE;
static uint32_t mtu_size = RTE_ETHER_MTU;
+static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS;
/* application wide librte_ipsec/SA parameters */
struct app_sa_prm app_sa_prm = {.enable = 0};
@@ -1302,6 +1306,9 @@ print_usage(const char *prgname)
": MTU value on all ports (default value: 1500)\n"
"outgoing packets with bigger size will be fragmented\n"
"incoming packets with bigger size will be discarded\n"
+ " --" CMD_LINE_OPT_FRAG_TTL " FRAG_TTL_NS"
+ ": fragments lifetime in nanoseconds, default\n"
+ "and maximum value is 10.000.000.000 ns (10 s)\n"
"\n",
prgname);
}
@@ -1338,14 +1345,15 @@ parse_portmask(const char *portmask)
return pm;
}
-static int32_t
+static int64_t
parse_decimal(const char *str)
{
char *end = NULL;
- unsigned long num;
+ uint64_t num;
- num = strtoul(str, &end, 10);
- if ((str[0] == '\0') || (end == NULL) || (*end != '\0'))
+ num = strtoull(str, &end, 10);
+ if ((str[0] == '\0') || (end == NULL) || (*end != '\0')
+ || num > INT64_MAX)
return -1;
return num;
@@ -1419,12 +1427,14 @@ print_app_sa_prm(const struct app_sa_prm *prm)
printf("replay window size: %u\n", prm->window_size);
printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
printf("SA flags: %#" PRIx64 "\n", prm->flags);
+ printf("Frag TTL: %" PRIu64 " ns\n", frag_ttl_ns);
}
static int32_t
parse_args(int32_t argc, char **argv)
{
-
[dpdk-dev] [PATCH v5 4/4] examples/ipsec-secgw: add offload fallback tests
Add tests for offload fallback feature; add inbound config modificator
SGW_CFG_XPRM_IN (offload fallback setting can be set only for inbound
SAs). Tests are using cryptodev for outbound SA.
To test fragmentation with QAT set:
MULTI_SEG_TEST="--reassemble=4096 --cryptodev_mask=0x"
Acked-by: Konstantin Ananyev
Signed-off-by: Marcin Smoczynski
---
examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh | 4 ++--
.../test/trs_aesgcm_inline_crypto_fallback_defs.sh | 5 +
examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh | 6 --
.../test/tun_aesgcm_inline_crypto_fallback_defs.sh | 5 +
4 files changed, 16 insertions(+), 4 deletions(-)
create mode 100644
examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
create mode 100644
examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
diff --git a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
index f6c5bf5a7..17f2f86d2 100644
--- a/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
+++ b/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh
@@ -29,11 +29,11 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
#SA in rules
sa in 7 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport ${SGW_CFG_XPRM}
+mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN}
sa in 9 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport ${SGW_CFG_XPRM}
+mode transport ${SGW_CFG_XPRM} ${SGW_CFG_XPRM_IN}
#SA out rules
sa out 7 aead_algo aes-128-gcm \
diff --git
a/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
new file mode 100644
index 0..875a7457d
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesgcm_defs.sh
+
+SGW_CFG_XPRM_IN='port_id 0 type inline-crypto-offload fallback lookaside-none'
diff --git a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
index 278377967..7490baded 100644
--- a/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
+++ b/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
@@ -29,11 +29,13 @@ sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
#SA in rules
sa in 7 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM}
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} \
+${SGW_CFG_XPRM_IN}
sa in 9 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM}
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} \
+${SGW_CFG_XPRM_IN}
#SA out rules
sa out 7 aead_algo aes-128-gcm \
diff --git
a/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
new file mode 100644
index 0..696848432
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesgcm_defs.sh
+
+SGW_CFG_XPRM_IN='port_id 0 type inline-crypto-offload fallback lookaside-none'
--
2.17.1
