DPDK patches and discussions
* [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support
@ 2019-12-08 11:54 Anoob Joseph
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 01/15] common/octeontx2: add CPT LF mbox for inline inbound Anoob Joseph
                   ` (16 more replies)
  0 siblings, 17 replies; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

This series adds inline IPsec support in OCTEONTX2 PMD.

In the inbound path, the rte_flow framework needs to be used to configure
the NPC block, which does the h/w lookup. The packets would get
processed by the crypto block and would submit to the scheduling block,
SSO. So inline IPsec mode can be enabled only when traffic is received
via event device using Rx adapter.

In the outbound path, the core would submit to the crypto block and the
crypto block would submit the packet for Tx internally.

Ankur Dwivedi (3):
  crypto/octeontx2: add eth security capabilities
  crypto/octeontx2: add datapath ops in eth security ctx
  crypto/octeontx2: add inline tx path changes

Anoob Joseph (4):
  common/octeontx2: add CPT LF mbox for inline inbound
  crypto/octeontx2: create eth security ctx
  crypto/octeontx2: enable CPT to share QP with ethdev
  crypto/octeontx2: add eth security session operations

Archana Muniganti (3):
  crypto/octeontx2: add lookup mem changes to hold sa indices
  drivers/octeontx2: add sec in compiler optimized RX fastpath framework
  drivers/octeontx2: add sec in compiler optimized TX fastpath framework

Tejasree Kondoj (3):
  crypto/octeontx2: configure for inline IPsec
  crypto/octeontx2: add security in eth dev configure
  net/octeontx2: add inline ipsec rx path changes

Vamsi Attunuru (2):
  common/octeontx2: add routine to check if rte_eth_dev belongs to otx2
  crypto/octeontx2: sync inline tag type cfg with Rx adapter
    configuration

 doc/guides/nics/octeontx2.rst                      |  20 +
 drivers/common/octeontx2/otx2_common.c             |  22 +
 drivers/common/octeontx2/otx2_common.h             |  38 +
 drivers/common/octeontx2/otx2_mbox.h               |   7 +
 .../octeontx2/rte_common_octeontx2_version.map     |   3 +
 drivers/crypto/octeontx2/Makefile                  |   7 +-
 drivers/crypto/octeontx2/meson.build               |   7 +-
 drivers/crypto/octeontx2/otx2_cryptodev.c          |   8 +
 .../crypto/octeontx2/otx2_cryptodev_hw_access.h    |  22 +-
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.c     |  53 ++
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.h     |   7 +
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c      |  56 ++
 drivers/crypto/octeontx2/otx2_cryptodev_qp.h       |  35 +
 drivers/crypto/octeontx2/otx2_ipsec_fp.h           | 348 ++++++++
 drivers/crypto/octeontx2/otx2_security.c           | 909 +++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.h           | 158 ++++
 drivers/crypto/octeontx2/otx2_security_tx.h        | 176 ++++
 drivers/event/octeontx2/Makefile                   |   1 +
 drivers/event/octeontx2/meson.build                |   5 +-
 drivers/event/octeontx2/otx2_evdev.c               | 170 ++--
 drivers/event/octeontx2/otx2_evdev.h               |   4 +-
 drivers/event/octeontx2/otx2_worker.c              |   6 +-
 drivers/event/octeontx2/otx2_worker.h              |   6 +
 drivers/event/octeontx2/otx2_worker_dual.c         |   6 +-
 drivers/net/octeontx2/Makefile                     |   1 +
 drivers/net/octeontx2/meson.build                  |   3 +
 drivers/net/octeontx2/otx2_ethdev.c                |  46 +-
 drivers/net/octeontx2/otx2_ethdev.h                |   2 +
 drivers/net/octeontx2/otx2_ethdev_devargs.c        |  19 +
 drivers/net/octeontx2/otx2_flow.c                  |  26 +
 drivers/net/octeontx2/otx2_lookup.c                |   9 +-
 drivers/net/octeontx2/otx2_rx.c                    |  27 +-
 drivers/net/octeontx2/otx2_rx.h                    | 386 ++++++---
 drivers/net/octeontx2/otx2_tx.c                    |  29 +-
 drivers/net/octeontx2/otx2_tx.h                    | 271 ++++--
 35 files changed, 2596 insertions(+), 297 deletions(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_qp.h
 create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h
 create mode 100644 drivers/crypto/octeontx2/otx2_security.c
 create mode 100644 drivers/crypto/octeontx2/otx2_security.h
 create mode 100644 drivers/crypto/octeontx2/otx2_security_tx.h

-- 
2.7.4



* [dpdk-dev] [PATCH 01/15] common/octeontx2: add CPT LF mbox for inline inbound
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
@ 2019-12-08 11:54 ` Anoob Joseph
  2019-12-09  7:38   ` Jerin Jacob
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 02/15] common/octeontx2: add routine to check if rte_eth_dev belongs to otx2 Anoob Joseph
                   ` (15 subsequent siblings)
  16 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev, Tejasree Kondoj

Adding the new mbox introduced to configure CPT LF to be used for inline
inbound.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <kondoj.tejasree@cavium.com>
---
 drivers/common/octeontx2/otx2_mbox.h | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/common/octeontx2/otx2_mbox.h b/drivers/common/octeontx2/otx2_mbox.h
index e0e4e2f..70452d1 100644
--- a/drivers/common/octeontx2/otx2_mbox.h
+++ b/drivers/common/octeontx2/otx2_mbox.h
@@ -193,6 +193,8 @@ M(CPT_SET_CRYPTO_GRP,	0xA03, cpt_set_crypto_grp,			\
 			       msg_rsp)					\
 M(CPT_INLINE_IPSEC_CFG, 0xA04, cpt_inline_ipsec_cfg,			\
 			       cpt_inline_ipsec_cfg_msg, msg_rsp)	\
+M(CPT_RX_INLINE_LF_CFG, 0xBFE, cpt_rx_inline_lf_cfg,			\
+			       cpt_rx_inline_lf_cfg_msg, msg_rsp)	\
 /* NPC mbox IDs (range 0x6000 - 0x7FFF) */				\
 M(NPC_MCAM_ALLOC_ENTRY,	0x6000, npc_mcam_alloc_entry,			\
 				npc_mcam_alloc_entry_req,		\
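Review bot: In the CPT block of the M() list, the new CPT_RX_INLINE_LF_CFG entry uses ID 0xBFE while its neighbours are numbered 0xA03 and 0xA04. If the jump is deliberate, say why in a comment beside the entry or in the commit message; otherwise take the next sequential ID so the table stays easy to audit against the AF side.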
@@ -1202,6 +1204,11 @@ struct cpt_inline_ipsec_cfg_msg {
 	uint16_t __otx2_io nix_pf_func; /* Outbound path NIX_PF_FUNC */
 };
 
+struct cpt_rx_inline_lf_cfg_msg {
+	struct mbox_msghdr hdr;
+	uint16_t __otx2_io sso_pf_func;
+};
+
 /* NPC mbox message structs */
 
 #define NPC_MCAM_ENTRY_INVALID	0xFFFF
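Review bot: sso_pf_func in the new struct cpt_rx_inline_lf_cfg_msg carries no comment, while the field directly above it in cpt_inline_ipsec_cfg_msg is documented ("Outbound path NIX_PF_FUNC"). Add a one-line comment stating which SSO PF_FUNC is expected here and that the message applies to the inline inbound path.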
-- 
2.7.4



* [dpdk-dev] [PATCH 02/15] common/octeontx2: add routine to check if rte_eth_dev belongs to otx2
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 01/15] common/octeontx2: add CPT LF mbox for inline inbound Anoob Joseph
@ 2019-12-08 11:54 ` Anoob Joseph
  2019-12-09  7:42   ` Jerin Jacob
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 03/15] crypto/octeontx2: configure for inline IPsec Anoob Joseph
                   ` (14 subsequent siblings)
  16 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Vamsi Attunuru, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Lukasz Bartosik, dev

From: Vamsi Attunuru <vattunuru@marvell.com>

This routine returns true if the given rte_eth_dev belongs to octeontx2.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/common/octeontx2/otx2_common.c               | 20 ++++++++++++++++++++
 drivers/common/octeontx2/otx2_common.h               |  2 ++
 .../octeontx2/rte_common_octeontx2_version.map       |  1 +
 3 files changed, 23 insertions(+)

diff --git a/drivers/common/octeontx2/otx2_common.c b/drivers/common/octeontx2/otx2_common.c
index 7e45366..116db0f 100644
--- a/drivers/common/octeontx2/otx2_common.c
+++ b/drivers/common/octeontx2/otx2_common.c
@@ -3,6 +3,7 @@
  */
 
 #include <rte_atomic.h>
+#include <rte_ethdev.h>
 #include <rte_malloc.h>
 #include <rte_log.h>
 
@@ -23,6 +24,25 @@ otx2_npa_set_defaults(struct otx2_idev_cfg *idev)
 
 /**
  * @internal
+ * Check if rte_eth_dev is otx2_eth_dev
+ */
+uint8_t
+otx2_is_ethdev(struct rte_eth_dev *eth_dev)
+{
+	struct rte_pci_device *pci_dev;
+
+	pci_dev = RTE_ETH_DEV_TO_PCI(eth_dev);
+
+	if (pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_PF ||
+	    pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_VF ||
+	    pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_AF_VF)
+		return 1;
+
+	return 0;
+}
+
+/**
+ * @internal
  * Get intra device config structure.
  */
 struct otx2_idev_cfg *
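Review bot: otx2_is_ethdev() applies RTE_ETH_DEV_TO_PCI() to whatever rte_eth_dev it is handed, yet the routine exists to be called on ports that may not be otx2 and therefore may not be PCI devices at all. RTE_ETH_DEV_TO_PCI is a container_of on eth_dev->device, so for a vdev port, or an unused slot where device is NULL, the id.device_id read comes from memory that is not an rte_pci_device. Check eth_dev->device for NULL and confirm the device sits on the PCI bus before reading id, and compare id.vendor_id as well as device_id. A bool return with a const pointer parameter would also fit a predicate better than uint8_t with 1/0.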
diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h
index f62c45d..d32e59a 100644
--- a/drivers/common/octeontx2/otx2_common.h
+++ b/drivers/common/octeontx2/otx2_common.h
@@ -8,6 +8,7 @@
 #include <rte_atomic.h>
 #include <rte_common.h>
 #include <rte_cycles.h>
+#include <rte_ethdev.h>
 #include <rte_memory.h>
 #include <rte_memzone.h>
 #include <rte_io.h>
@@ -70,6 +71,7 @@ struct otx2_idev_cfg *otx2_intra_dev_get_cfg(void);
 void otx2_sso_pf_func_set(uint16_t sso_pf_func);
 uint16_t otx2_sso_pf_func_get(void);
 uint16_t otx2_npa_pf_func_get(void);
+uint8_t otx2_is_ethdev(struct rte_eth_dev *eth_dev);
 struct otx2_npa_lf *otx2_npa_lf_obj_get(void);
 void otx2_npa_set_defaults(struct otx2_idev_cfg *idev);
 int otx2_npa_lf_active(void *dev);
diff --git a/drivers/common/octeontx2/rte_common_octeontx2_version.map b/drivers/common/octeontx2/rte_common_octeontx2_version.map
index adad21a..dac2283 100644
--- a/drivers/common/octeontx2/rte_common_octeontx2_version.map
+++ b/drivers/common/octeontx2/rte_common_octeontx2_version.map
@@ -6,6 +6,7 @@ DPDK_20.0 {
 	otx2_dev_priv_init;
 	otx2_disable_irqs;
 	otx2_intra_dev_get_cfg;
+	otx2_is_ethdev;
 	otx2_logtype_base;
 	otx2_logtype_dpi;
 	otx2_logtype_mbox;
-- 
2.7.4



* [dpdk-dev] [PATCH 03/15] crypto/octeontx2: configure for inline IPsec
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 01/15] common/octeontx2: add CPT LF mbox for inline inbound Anoob Joseph
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 02/15] common/octeontx2: add routine to check if rte_eth_dev belongs to otx2 Anoob Joseph
@ 2019-12-08 11:54 ` Anoob Joseph
  2019-12-09  7:46   ` Jerin Jacob
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 04/15] crypto/octeontx2: create eth security ctx Anoob Joseph
                   ` (13 subsequent siblings)
  16 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Tejasree Kondoj, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Vamsi Attunuru, Lukasz Bartosik, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

For enabling outbound inline IPsec, a CPT queue needs to be tied
to a NIX PF_FUNC. Distribute CPT queues fairly among all available
otx2 eth ports.

For inbound, one CPT LF will be assigned and initialized by kernel.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/Makefile              |  3 +-
 drivers/crypto/octeontx2/meson.build           |  2 +
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.c | 53 ++++++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.h |  7 ++++
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c  | 38 ++++++++++++++++++
 5 files changed, 102 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/octeontx2/Makefile b/drivers/crypto/octeontx2/Makefile
index f7d6c37..3ba67ed 100644
--- a/drivers/crypto/octeontx2/Makefile
+++ b/drivers/crypto/octeontx2/Makefile
@@ -10,7 +10,7 @@ LIB = librte_pmd_octeontx2_crypto.a
 # build flags
 CFLAGS += $(WERROR_FLAGS)
 
-LDLIBS += -lrte_eal -lrte_mbuf -lrte_mempool -lrte_ring
+LDLIBS += -lrte_eal -lrte_ethdev -lrte_mbuf -lrte_mempool -lrte_ring
 LDLIBS += -lrte_cryptodev
 LDLIBS += -lrte_pci -lrte_bus_pci
 LDLIBS += -lrte_common_cpt -lrte_common_octeontx2
@@ -21,6 +21,7 @@ CFLAGS += -O3
 CFLAGS += -I$(RTE_SDK)/drivers/common/cpt
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
 CFLAGS += -DALLOW_EXPERIMENTAL_API
 
 ifneq ($(CONFIG_RTE_ARCH_64),y)
diff --git a/drivers/crypto/octeontx2/meson.build b/drivers/crypto/octeontx2/meson.build
index b6e5b73..67deca3 100644
--- a/drivers/crypto/octeontx2/meson.build
+++ b/drivers/crypto/octeontx2/meson.build
@@ -8,6 +8,7 @@ endif
 deps += ['bus_pci']
 deps += ['common_cpt']
 deps += ['common_octeontx2']
+deps += ['ethdev']
 name = 'octeontx2_crypto'
 
 allow_experimental_apis = true
@@ -32,3 +33,4 @@ endforeach
 includes += include_directories('../../common/cpt')
 includes += include_directories('../../common/octeontx2')
 includes += include_directories('../../mempool/octeontx2')
+includes += include_directories('../../net/octeontx2')
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c
index b54e407..3183210 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c
@@ -2,10 +2,13 @@
  * Copyright (C) 2019 Marvell International Ltd.
  */
 #include <rte_cryptodev.h>
+#include <rte_ethdev.h>
 
 #include "otx2_cryptodev.h"
+#include "otx2_cryptodev_hw_access.h"
 #include "otx2_cryptodev_mbox.h"
 #include "otx2_dev.h"
+#include "otx2_ethdev.h"
 #include "otx2_mbox.h"
 
 #include "cpt_pmd_logs.h"
@@ -173,3 +176,53 @@ otx2_cpt_af_reg_write(const struct rte_cryptodev *dev, uint64_t reg,
 
 	return otx2_cpt_send_mbox_msg(vf);
 }
+
+int
+otx2_cpt_inline_init(const struct rte_cryptodev *dev)
+{
+	struct otx2_cpt_vf *vf = dev->data->dev_private;
+	struct otx2_mbox *mbox = vf->otx2_dev.mbox;
+	struct cpt_rx_inline_lf_cfg_msg *msg;
+	int ret;
+
+	msg = otx2_mbox_alloc_msg_cpt_rx_inline_lf_cfg(mbox);
+	msg->sso_pf_func = otx2_sso_pf_func_get();
+
+	otx2_mbox_msg_send(mbox, 0);
+	ret = otx2_mbox_process(mbox);
+	if (ret < 0)
+		return -EIO;
+
+	return 0;
+}
+
+int
+otx2_cpt_qp_ethdev_bind(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp,
+			uint16_t port_id)
+{
+	struct rte_eth_dev *eth_dev = &rte_eth_devices[port_id];
+	struct otx2_cpt_vf *vf = dev->data->dev_private;
+	struct otx2_mbox *mbox = vf->otx2_dev.mbox;
+	struct cpt_inline_ipsec_cfg_msg *msg;
+	struct otx2_eth_dev *otx2_eth_dev;
+	int ret;
+
+	if (!otx2_is_ethdev(&rte_eth_devices[port_id]))
+		return -EINVAL;
+
+	otx2_eth_dev = otx2_eth_pmd_priv(eth_dev);
+
+	msg = otx2_mbox_alloc_msg_cpt_inline_ipsec_cfg(mbox);
+	msg->dir = CPT_INLINE_OUTBOUND;
+	msg->enable = 1;
+	msg->slot = qp->id;
+
+	msg->nix_pf_func = otx2_eth_dev->pf_func;
+
+	otx2_mbox_msg_send(mbox, 0);
+	ret = otx2_mbox_process(mbox);
+	if (ret < 0)
+		return -EIO;
+
+	return 0;
+}
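Review bot: In otx2_cpt_qp_ethdev_bind(), port_id indexes rte_eth_devices[] with no validity check (rte_eth_dev_is_valid_port() would do), and the array is indexed twice: the otx2_is_ethdev() call can take the eth_dev pointer already computed at the top of the function. In both new functions msg is dereferenced immediately after otx2_mbox_alloc_msg_*() with no NULL check, which needs one if the allocator can fail. The return value of otx2_mbox_process() is also replaced by -EIO in both places, which hides the actual error from the caller; return ret or at least log it.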
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h
index a298718..ae66b08 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h
@@ -7,6 +7,8 @@
 
 #include <rte_cryptodev.h>
 
+#include "otx2_cryptodev_hw_access.h"
+
 int otx2_cpt_available_queues_get(const struct rte_cryptodev *dev,
 				  uint16_t *nb_queues);
 
@@ -22,4 +24,9 @@ int otx2_cpt_af_reg_read(const struct rte_cryptodev *dev, uint64_t reg,
 int otx2_cpt_af_reg_write(const struct rte_cryptodev *dev, uint64_t reg,
 			  uint64_t val);
 
+int otx2_cpt_qp_ethdev_bind(const struct rte_cryptodev *dev,
+			    struct otx2_cpt_qp *qp, uint16_t port_id);
+
+int otx2_cpt_inline_init(const struct rte_cryptodev *dev);
+
 #endif /* _OTX2_CRYPTODEV_MBOX_H_ */
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index 65101b0..a1213ca 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -6,6 +6,7 @@
 
 #include <rte_cryptodev_pmd.h>
 #include <rte_errno.h>
+#include <rte_ethdev.h>
 
 #include "otx2_cryptodev.h"
 #include "otx2_cryptodev_capabilities.h"
@@ -125,6 +126,29 @@ otx2_cpt_metabuf_mempool_destroy(struct otx2_cpt_qp *qp)
 	meta_info->sg_mlen = 0;
 }
 
+static int
+otx2_cpt_qp_inline_cfg(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp)
+{
+	static rte_atomic16_t port_offset = RTE_ATOMIC16_INIT(-1);
+	uint16_t port_id, nb_ethport = rte_eth_dev_count_avail();
+	int i, ret;
+
+	for (i = 0; i < nb_ethport; i++) {
+		port_id = rte_atomic16_add_return(&port_offset, 1) % nb_ethport;
+		if (otx2_is_ethdev(&rte_eth_devices[port_id]))
+			break;
+	}
+
+	if (i >= nb_ethport)
+		return 0;
+
+	ret = otx2_cpt_qp_ethdev_bind(dev, qp, port_id);
+	if (ret)
+		return ret;
+
+	return 0;
+}
+
 static struct otx2_cpt_qp *
 otx2_cpt_qp_create(const struct rte_cryptodev *dev, uint16_t qp_id,
 		   uint8_t group)
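Review bot: The loop in otx2_cpt_qp_inline_cfg() treats 0 .. rte_eth_dev_count_avail()-1 as the set of valid port ids, but port ids are not guaranteed to be contiguous, so rte_eth_devices[port_id] can be an unused slot while a valid otx2 port with a higher id is never considered. Iterate with RTE_ETH_FOREACH_DEV instead. port_offset is a signed 16-bit counter that only increments: once it wraps negative, the % result is negative and the assignment to the uint16_t port_id gives an out-of-range index into rte_eth_devices[]. The tail of the function can be reduced to return otx2_cpt_qp_ethdev_bind(dev, qp, port_id);.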
@@ -218,6 +242,12 @@ otx2_cpt_qp_create(const struct rte_cryptodev *dev, uint16_t qp_id,
 
 	otx2_cpt_iq_disable(qp);
 
+	ret = otx2_cpt_qp_inline_cfg(dev, qp);
+	if (ret) {
+		CPT_LOG_ERR("Could not configure queue for inline IPsec");
+		goto mempool_destroy;
+	}
+
 	ret = otx2_cpt_iq_enable(dev, qp, group, OTX2_CPT_QUEUE_HI_PRIO,
 				 size_div40);
 	if (ret) {
@@ -857,12 +887,20 @@ otx2_cpt_dev_config(struct rte_cryptodev *dev,
 		goto queues_detach;
 	}
 
+	ret = otx2_cpt_inline_init(dev);
+	if (ret) {
+		CPT_LOG_ERR("Could not enable inline IPsec");
+		goto intr_unregister;
+	}
+
 	dev->enqueue_burst = otx2_cpt_enqueue_burst;
 	dev->dequeue_burst = otx2_cpt_dequeue_burst;
 
 	rte_mb();
 	return 0;
 
+intr_unregister:
+	otx2_cpt_err_intr_unregister(dev);
 queues_detach:
 	otx2_cpt_queues_detach(dev);
 	return ret;
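Review bot: Failing otx2_cpt_dev_config() when otx2_cpt_inline_init() fails means the crypto device can no longer be configured for ordinary lookaside use on a system whose AF does not handle CPT_RX_INLINE_LF_CFG. Unless that hard dependency is intended, log a warning, record that inline IPsec is unavailable and continue with the rest of the configuration; if it is intended, state the kernel requirement in the commit message and the driver guide.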
-- 
2.7.4



* [dpdk-dev] [PATCH 04/15] crypto/octeontx2: create eth security ctx
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
                   ` (2 preceding siblings ...)
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 03/15] crypto/octeontx2: configure for inline IPsec Anoob Joseph
@ 2019-12-08 11:54 ` Anoob Joseph
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 05/15] crypto/octeontx2: add security in eth dev configure Anoob Joseph
                   ` (12 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

Adding security ctx to the eth device.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/common/octeontx2/otx2_common.c             |  2 ++
 drivers/common/octeontx2/otx2_common.h             | 10 +++++++
 .../octeontx2/rte_common_octeontx2_version.map     |  2 ++
 drivers/crypto/octeontx2/Makefile                  |  3 +-
 drivers/crypto/octeontx2/meson.build               |  4 ++-
 drivers/crypto/octeontx2/otx2_cryptodev.c          |  4 +++
 drivers/crypto/octeontx2/otx2_security.c           | 35 ++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.h           | 14 +++++++++
 drivers/net/octeontx2/otx2_ethdev.c                | 18 ++++++++++-
 9 files changed, 89 insertions(+), 3 deletions(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_security.c
 create mode 100644 drivers/crypto/octeontx2/otx2_security.h

diff --git a/drivers/common/octeontx2/otx2_common.c b/drivers/common/octeontx2/otx2_common.c
index 116db0f..764f6cd 100644
--- a/drivers/common/octeontx2/otx2_common.c
+++ b/drivers/common/octeontx2/otx2_common.c
@@ -11,6 +11,8 @@
 #include "otx2_dev.h"
 #include "otx2_mbox.h"
 
+struct otx2_sec_eth_crypto_idev_ops otx2_sec_idev_ops;
+
 /**
  * @internal
  * Set default NPA configuration.
diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h
index d32e59a..a1cb434 100644
--- a/drivers/common/octeontx2/otx2_common.h
+++ b/drivers/common/octeontx2/otx2_common.h
@@ -77,6 +77,16 @@ void otx2_npa_set_defaults(struct otx2_idev_cfg *idev);
 int otx2_npa_lf_active(void *dev);
 int otx2_npa_lf_obj_ref(void);
 
+typedef int (*otx2_sec_eth_ctx_create_t)(struct rte_eth_dev *eth_dev);
+typedef void (*otx2_sec_eth_ctx_destroy_t)(struct rte_eth_dev *eth_dev);
+
+struct otx2_sec_eth_crypto_idev_ops {
+	otx2_sec_eth_ctx_create_t ctx_create;
+	otx2_sec_eth_ctx_destroy_t ctx_destroy;
+};
+
+extern struct otx2_sec_eth_crypto_idev_ops otx2_sec_idev_ops;
+
 /* Log */
 extern int otx2_logtype_base;
 extern int otx2_logtype_mbox;
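Review bot: struct otx2_sec_eth_crypto_idev_ops and the otx2_sec_idev_ops extern are added to otx2_common.h without any comment describing the contract. Document on the struct who fills it in (the crypto PMD), who consumes it (the net PMD), and that a NULL member means the crypto PMD is not linked, since the callers rely on exactly that NULL test.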
diff --git a/drivers/common/octeontx2/rte_common_octeontx2_version.map b/drivers/common/octeontx2/rte_common_octeontx2_version.map
index dac2283..d1dcb52 100644
--- a/drivers/common/octeontx2/rte_common_octeontx2_version.map
+++ b/drivers/common/octeontx2/rte_common_octeontx2_version.map
@@ -32,5 +32,7 @@ DPDK_20.0 {
 	otx2_sso_pf_func_set;
 	otx2_unregister_irq;
 
+	otx2_sec_idev_ops;
+
 	local: *;
 };
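Review bot: otx2_sec_idev_ops is appended after a blank line at the end of the DPDK_20.0 block instead of in alphabetical position among the other symbols. Move it up next to the otx2_s* entries and drop the extra blank line so the map stays sorted.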
diff --git a/drivers/crypto/octeontx2/Makefile b/drivers/crypto/octeontx2/Makefile
index 3ba67ed..d2e9b9f 100644
--- a/drivers/crypto/octeontx2/Makefile
+++ b/drivers/crypto/octeontx2/Makefile
@@ -11,7 +11,7 @@ LIB = librte_pmd_octeontx2_crypto.a
 CFLAGS += $(WERROR_FLAGS)
 
 LDLIBS += -lrte_eal -lrte_ethdev -lrte_mbuf -lrte_mempool -lrte_ring
-LDLIBS += -lrte_cryptodev
+LDLIBS += -lrte_cryptodev -lrte_security
 LDLIBS += -lrte_pci -lrte_bus_pci
 LDLIBS += -lrte_common_cpt -lrte_common_octeontx2
 
@@ -38,6 +38,7 @@ SRCS-$(CONFIG_RTE_LIBRTE_PMD_OCTEONTX2_CRYPTO) += otx2_cryptodev_capabilities.c
 SRCS-$(CONFIG_RTE_LIBRTE_PMD_OCTEONTX2_CRYPTO) += otx2_cryptodev_hw_access.c
 SRCS-$(CONFIG_RTE_LIBRTE_PMD_OCTEONTX2_CRYPTO) += otx2_cryptodev_mbox.c
 SRCS-$(CONFIG_RTE_LIBRTE_PMD_OCTEONTX2_CRYPTO) += otx2_cryptodev_ops.c
+SRCS-$(CONFIG_RTE_LIBRTE_PMD_OCTEONTX2_CRYPTO) += otx2_security.c
 
 # export include files
 SYMLINK-y-include +=
diff --git a/drivers/crypto/octeontx2/meson.build b/drivers/crypto/octeontx2/meson.build
index 67deca3..f7b2937 100644
--- a/drivers/crypto/octeontx2/meson.build
+++ b/drivers/crypto/octeontx2/meson.build
@@ -9,6 +9,7 @@ deps += ['bus_pci']
 deps += ['common_cpt']
 deps += ['common_octeontx2']
 deps += ['ethdev']
+deps += ['security']
 name = 'octeontx2_crypto'
 
 allow_experimental_apis = true
@@ -16,7 +17,8 @@ sources = files('otx2_cryptodev.c',
 		'otx2_cryptodev_capabilities.c',
 		'otx2_cryptodev_hw_access.c',
 		'otx2_cryptodev_mbox.c',
-		'otx2_cryptodev_ops.c')
+		'otx2_cryptodev_ops.c',
+		'otx2_security.c')
 
 extra_flags = []
 # This integrated controller runs only on a arm64 machine, remove 32bit warnings
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev.c b/drivers/crypto/octeontx2/otx2_cryptodev.c
index 7fd216b..86c1188 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev.c
@@ -17,6 +17,7 @@
 #include "otx2_cryptodev_mbox.h"
 #include "otx2_cryptodev_ops.h"
 #include "otx2_dev.h"
+#include "otx2_security.h"
 
 /* CPT common headers */
 #include "cpt_common.h"
@@ -154,4 +155,7 @@ RTE_INIT(otx2_cpt_init_log)
 	otx2_cpt_logtype = rte_log_register("pmd.crypto.octeontx2");
 	if (otx2_cpt_logtype >= 0)
 		rte_log_set_level(otx2_cpt_logtype, RTE_LOG_NOTICE);
+
+	otx2_sec_idev_ops.ctx_create = otx2_sec_eth_ctx_create;
+	otx2_sec_idev_ops.ctx_destroy = otx2_sec_eth_ctx_destroy;
 }
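Review bot: The ops registration is placed inside RTE_INIT(otx2_cpt_init_log), a constructor whose name says it only sets up logging. Put the two otx2_sec_idev_ops assignments in their own RTE_INIT (or rename this one) so the net PMD's dependency on this constructor is visible to anyone reading either driver.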
diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
new file mode 100644
index 0000000..14394d2
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2019 Marvell International Ltd.
+ */
+
+#include <rte_ethdev.h>
+#include <rte_malloc.h>
+#include <rte_security.h>
+
+#include "otx2_security.h"
+
+int
+otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev)
+{
+	struct rte_security_ctx *ctx;
+
+	ctx = rte_malloc("otx2_sec_eth_ctx",
+			 sizeof(struct rte_security_ctx), 0);
+	if (ctx == NULL)
+		return -ENOMEM;
+
+	/* Populate ctx */
+
+	ctx->device = eth_dev;
+	ctx->sess_cnt = 0;
+
+	eth_dev->security_ctx = ctx;
+
+	return 0;
+}
+
+void
+otx2_sec_eth_ctx_destroy(struct rte_eth_dev *eth_dev)
+{
+	rte_free(eth_dev->security_ctx);
+}
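Review bot: otx2_sec_eth_ctx_create() allocates the ctx with rte_malloc() and fills in only device and sess_cnt, so ctx->ops is left uninitialised; use rte_zmalloc() or set ops explicitly, otherwise an rte_security call on this port dereferences an indeterminate pointer. otx2_sec_eth_ctx_destroy() frees eth_dev->security_ctx but leaves the stale pointer in place; set it to NULL after rte_free() so a later lookup or a second destroy does not touch freed memory.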
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
new file mode 100644
index 0000000..6ebf73f
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2019 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_SECURITY_H__
+#define __OTX2_SECURITY_H__
+
+#include <rte_ethdev.h>
+
+int otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev);
+
+void otx2_sec_eth_ctx_destroy(struct rte_eth_dev *eth_dev);
+
+#endif /* __OTX2_SECURITY_H__ */
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index ed32927..3e19ac2 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -2236,10 +2236,19 @@ otx2_eth_dev_init(struct rte_eth_dev *eth_dev)
 		dev->hwcap |= OTX2_FIXUP_F_LIMIT_CQ_FULL;
 	}
 
+	/* Create security ctx */
+	if (otx2_sec_idev_ops.ctx_create != NULL) {
+		rc = otx2_sec_idev_ops.ctx_create(eth_dev);
+		if (rc)
+			goto free_mac_addrs;
+		dev->tx_offload_capa |= DEV_TX_OFFLOAD_SECURITY;
+		dev->rx_offload_capa |= DEV_RX_OFFLOAD_SECURITY;
+	}
+
 	/* Initialize rte-flow */
 	rc = otx2_flow_init(dev);
 	if (rc)
-		goto free_mac_addrs;
+		goto sec_ctx_destroy;
 
 	otx2_nix_mc_filter_init(dev);
 
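Review bot: DEV_TX_OFFLOAD_SECURITY and DEV_RX_OFFLOAD_SECURITY are set in otx2_eth_dev_init() as soon as ctx_create() succeeds, which at this point in the series only means the crypto PMD is linked in; the ctx created in this patch has no session ops behind it. Move the two capability bits to the patch that makes the offload functional, so an application probing capabilities on a bisected build is not told that security offload works.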
@@ -2250,6 +2259,9 @@ otx2_eth_dev_init(struct rte_eth_dev *eth_dev)
 		     dev->rx_offload_capa, dev->tx_offload_capa);
 	return 0;
 
+sec_ctx_destroy:
+	if (otx2_sec_idev_ops.ctx_destroy != NULL)
+		otx2_sec_idev_ops.ctx_destroy(eth_dev);
 free_mac_addrs:
 	rte_free(eth_dev->data->mac_addrs);
 unregister_irq:
@@ -2333,6 +2345,10 @@ otx2_eth_dev_uninit(struct rte_eth_dev *eth_dev, bool mbox_close)
 	if (rc)
 		otx2_err("Failed to cleanup npa lf, rc=%d", rc);
 
+	/* Destroy security ctx */
+	if (otx2_sec_idev_ops.ctx_destroy != NULL)
+		otx2_sec_idev_ops.ctx_destroy(eth_dev);
+
 	rte_free(eth_dev->data->mac_addrs);
 	eth_dev->data->mac_addrs = NULL;
 	dev->drv_inited = false;
-- 
2.7.4



* [dpdk-dev] [PATCH 05/15] crypto/octeontx2: add security in eth dev configure
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
                   ` (3 preceding siblings ...)
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 04/15] crypto/octeontx2: create eth security ctx Anoob Joseph
@ 2019-12-08 11:54 ` Anoob Joseph
  2019-12-09  7:51   ` Jerin Jacob
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 06/15] crypto/octeontx2: add eth security capabilities Anoob Joseph
                   ` (11 subsequent siblings)
  16 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Tejasree Kondoj, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Vamsi Attunuru, Lukasz Bartosik, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

Adding security in eth device configure.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 doc/guides/nics/octeontx2.rst               |  20 +++++
 drivers/common/octeontx2/otx2_common.h      |   4 +
 drivers/crypto/octeontx2/Makefile           |   2 +-
 drivers/crypto/octeontx2/meson.build        |   1 +
 drivers/crypto/octeontx2/otx2_cryptodev.c   |   2 +
 drivers/crypto/octeontx2/otx2_ipsec_fp.h    |  55 +++++++++++++
 drivers/crypto/octeontx2/otx2_security.c    | 122 ++++++++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.h    |   4 +
 drivers/net/octeontx2/otx2_ethdev.c         |  22 ++++-
 drivers/net/octeontx2/otx2_ethdev.h         |   2 +
 drivers/net/octeontx2/otx2_ethdev_devargs.c |  19 +++++
 11 files changed, 251 insertions(+), 2 deletions(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h

diff --git a/doc/guides/nics/octeontx2.rst b/doc/guides/nics/octeontx2.rst
index db62a45..fd4e455 100644
--- a/doc/guides/nics/octeontx2.rst
+++ b/doc/guides/nics/octeontx2.rst
@@ -38,6 +38,7 @@ Features of the OCTEON TX2 Ethdev PMD are:
 - IEEE1588 timestamping
 - HW offloaded `ethdev Rx queue` to `eventdev event queue` packet injection
 - Support Rx interrupt
+- Inline IPsec processing support
 
 Prerequisites
 -------------
@@ -178,6 +179,17 @@ Runtime Config Options
    traffic on this port should be higig2 traffic only. Supported switch header
    types are "higig2" and "dsa".
 
+- ``Max SPI for inbound inline IPsec`` (default ``1``)
+
+   Max SPI supported for inbound inline IPsec processing can be specified by
+   ``ipsec_in_max_spi`` ``devargs`` parameter.
+
+   For example::
+      -w 0002:02:00.0,ipsec_in_max_spi=128
+
+   With the above configuration, application can enable inline IPsec processing
+   on 128 SAs (SPI 0-127).
+
 .. note::
 
    Above devarg parameters are configurable per device, user needs to pass the
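Review bot: In the new ipsec_in_max_spi entry, "For example::" is followed directly by the indented -w line with no blank line between them, so reStructuredText will not render it as a literal block. Insert an empty line after "For example::". It would also help to state whether ipsec_in_max_spi is the highest SPI or the number of SPIs, since the text says "Max SPI" but the example maps 128 to SPI 0-127.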
@@ -211,6 +223,14 @@ SDP interface support
 ~~~~~~~~~~~~~~~~~~~~~
 OCTEON TX2 SDP interface support is limited to PF device, No VF support.
 
+Inline Protocol Processing
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+``net_octeontx2`` pmd doesn't support the following features for packets to be
+inline protocol processed.
+- TSO offload
+- VLAN/QinQ offload
+- Fragmentation
+
 Debugging Options
 -----------------
 
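Review bot: In the new "Inline Protocol Processing" section the bullet list starts on the line immediately after "inline protocol processed." with no blank line, so reStructuredText folds the three items into the paragraph instead of rendering a list. Add an empty line before "- TSO offload", end the introductory sentence with a colon, and write "PMD" in capitals as elsewhere in the guide.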
diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h
index a1cb434..9705a8d 100644
--- a/drivers/common/octeontx2/otx2_common.h
+++ b/drivers/common/octeontx2/otx2_common.h
@@ -79,10 +79,14 @@ int otx2_npa_lf_obj_ref(void);
 
 typedef int (*otx2_sec_eth_ctx_create_t)(struct rte_eth_dev *eth_dev);
 typedef void (*otx2_sec_eth_ctx_destroy_t)(struct rte_eth_dev *eth_dev);
+typedef int (*otx2_sec_eth_init_t)(struct rte_eth_dev *eth_dev);
+typedef void (*otx2_sec_eth_fini_t)(struct rte_eth_dev *eth_dev);
 
 struct otx2_sec_eth_crypto_idev_ops {
 	otx2_sec_eth_ctx_create_t ctx_create;
 	otx2_sec_eth_ctx_destroy_t ctx_destroy;
+	otx2_sec_eth_init_t init;
+	otx2_sec_eth_fini_t fini;
 };
 
 extern struct otx2_sec_eth_crypto_idev_ops otx2_sec_idev_ops;
diff --git a/drivers/crypto/octeontx2/Makefile b/drivers/crypto/octeontx2/Makefile
index d2e9b9f..5966ddc 100644
--- a/drivers/crypto/octeontx2/Makefile
+++ b/drivers/crypto/octeontx2/Makefile
@@ -11,7 +11,7 @@ LIB = librte_pmd_octeontx2_crypto.a
 CFLAGS += $(WERROR_FLAGS)
 
 LDLIBS += -lrte_eal -lrte_ethdev -lrte_mbuf -lrte_mempool -lrte_ring
-LDLIBS += -lrte_cryptodev -lrte_security
+LDLIBS += -lrte_cryptodev -lrte_security -lrte_eventdev
 LDLIBS += -lrte_pci -lrte_bus_pci
 LDLIBS += -lrte_common_cpt -lrte_common_octeontx2
 
diff --git a/drivers/crypto/octeontx2/meson.build b/drivers/crypto/octeontx2/meson.build
index f7b2937..f0f5043 100644
--- a/drivers/crypto/octeontx2/meson.build
+++ b/drivers/crypto/octeontx2/meson.build
@@ -9,6 +9,7 @@ deps += ['bus_pci']
 deps += ['common_cpt']
 deps += ['common_octeontx2']
 deps += ['ethdev']
+deps += ['eventdev']
 deps += ['security']
 name = 'octeontx2_crypto'
 
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev.c b/drivers/crypto/octeontx2/otx2_cryptodev.c
index 86c1188..34feb82 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev.c
@@ -158,4 +158,6 @@ RTE_INIT(otx2_cpt_init_log)
 
 	otx2_sec_idev_ops.ctx_create = otx2_sec_eth_ctx_create;
 	otx2_sec_idev_ops.ctx_destroy = otx2_sec_eth_ctx_destroy;
+	otx2_sec_idev_ops.init = otx2_sec_eth_init;
+	otx2_sec_idev_ops.fini = otx2_sec_eth_fini;
 }
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_fp.h b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
new file mode 100644
index 0000000..520a3fe
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
@@ -0,0 +1,55 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2019 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_IPSEC_FP_H__
+#define __OTX2_IPSEC_FP_H__
+
+struct otx2_ipsec_fp_sa_ctl {
+	rte_be32_t spi          : 32;
+	uint64_t exp_proto_inter_frag : 8;
+	uint64_t rsvd_42_40   : 3;
+	uint64_t esn_en       : 1;
+	uint64_t rsvd_45_44   : 2;
+	uint64_t encap_type   : 2;
+	uint64_t enc_type     : 3;
+	uint64_t rsvd_48      : 1;
+	uint64_t auth_type    : 4;
+	uint64_t valid        : 1;
+	uint64_t direction    : 1;
+	uint64_t outer_ip_ver : 1;
+	uint64_t inner_ip_ver : 1;
+	uint64_t ipsec_mode   : 1;
+	uint64_t ipsec_proto  : 1;
+	uint64_t aes_key_len  : 2;
+};
+
+struct otx2_ipsec_fp_in_sa {
+	/* w0 */
+	struct otx2_ipsec_fp_sa_ctl ctl;
+
+	/* w1 */
+	uint8_t nonce[4]; /* Only for AES-GCM */
+	uint32_t unused;
+
+	/* w2 */
+	uint32_t esn_low;
+	uint32_t esn_hi;
+
+	/* w3-w6 */
+	uint8_t cipher_key[32];
+
+	/* w7-w12 */
+	uint8_t hmac_key[48];
+
+	RTE_STD_C11
+	union {
+		void *userdata;
+		uint64_t udata64;
+	};
+
+	uint64_t reserved1;
+	uint64_t reserved2;
+};
+
+#endif /* __OTX2_IPSEC_FP_H__ */
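Review bot: struct otx2_ipsec_fp_sa_ctl describes hardware word w0 with
bit-fields, whose placement inside the 64-bit word is implementation-defined,
more so because the first member is declared as rte_be32_t and the rest as
uint64_t. A build-time check that sizeof(struct otx2_ipsec_fp_sa_ctl) is 8 and
a comment stating the byte order the layout assumes would catch a mis-packed
SA word at compile time. The reserved-field names also stop matching their
positions: counting up from spi, the 3-bit enc_type starts at bit 48 and
rsvd_48 comes after it. Separately, the header uses rte_be32_t, uint64_t and
RTE_STD_C11 without including anything, so it only compiles when the includer
has already pulled in the right headers.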
diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index 14394d2..9cd4683 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -3,11 +3,36 @@
  */
 
 #include <rte_ethdev.h>
+#include <rte_eventdev.h>
 #include <rte_malloc.h>
+#include <rte_memzone.h>
 #include <rte_security.h>
 
+#include "otx2_ethdev.h"
+#include "otx2_ipsec_fp.h"
 #include "otx2_security.h"
 
+#define SEC_ETH_MAX_PKT_LEN	1450
+
+struct sec_eth_tag_const {
+	RTE_STD_C11
+	union {
+		struct {
+			uint32_t rsvd_11_0  : 12;
+			uint32_t port       : 8;
+			uint32_t event_type : 4;
+			uint32_t rsvd_31_24 : 8;
+		};
+		uint32_t u32;
+	};
+};
+
+static inline void
+in_sa_mz_name_get(char *name, int size, uint16_t port)
+{
+	snprintf(name, size, "otx2_ipsec_in_sadb_%u", port);
+}
+
 int
 otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev)
 {
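Review bot: SEC_ETH_MAX_PKT_LEN is a bare 1450 with no comment on where the
limit comes from. It ends up in ipsec_cfg0.lenm1_max, so please document
whether it is a hardware limit or derived from the MTU minus ESP overhead, and
what happens to inbound packets longer than that.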
@@ -33,3 +58,100 @@ otx2_sec_eth_ctx_destroy(struct rte_eth_dev *eth_dev)
 {
 	rte_free(eth_dev->security_ctx);
 }
+
+static int
+sec_eth_ipsec_cfg(struct rte_eth_dev *eth_dev, uint8_t tt)
+{
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	struct nix_inline_ipsec_lf_cfg *req;
+	struct otx2_mbox *mbox = dev->mbox;
+	struct sec_eth_tag_const tag_const;
+	char name[RTE_MEMZONE_NAMESIZE];
+	const struct rte_memzone *mz;
+
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL)
+		return -EINVAL;
+
+	req = otx2_mbox_alloc_msg_nix_inline_ipsec_lf_cfg(mbox);
+	req->enable = 1;
+	req->sa_base_addr = mz->iova;
+
+	req->ipsec_cfg0.tt = tt;
+
+	tag_const.u32 = 0;
+	tag_const.event_type = RTE_EVENT_TYPE_ETHDEV;
+	tag_const.port = port;
+	req->ipsec_cfg0.tag_const = tag_const.u32;
+
+	req->ipsec_cfg0.sa_pow2_size =
+			rte_log2_u32(sizeof(struct otx2_ipsec_fp_in_sa));
+	req->ipsec_cfg0.lenm1_max = SEC_ETH_MAX_PKT_LEN - 1;
+
+	req->ipsec_cfg1.sa_idx_w = rte_log2_u32(dev->ipsec_in_max_spi);
+	req->ipsec_cfg1.sa_idx_max = dev->ipsec_in_max_spi - 1;
+
+	return otx2_mbox_process(mbox);
+}
+
+int
+otx2_sec_eth_init(struct rte_eth_dev *eth_dev)
+{
+	const size_t sa_width = sizeof(struct otx2_ipsec_fp_in_sa);
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	char name[RTE_MEMZONE_NAMESIZE];
+	const struct rte_memzone *mz;
+	int mz_sz, ret;
+	uint16_t nb_sa;
+
+	RTE_BUILD_BUG_ON(sa_width < 32 || sa_width > 512 ||
+			 !RTE_IS_POWER_OF_2(sa_width));
+
+	if (!(dev->tx_offloads & DEV_TX_OFFLOAD_SECURITY) &&
+	    !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
+		return 0;
+
+	nb_sa = dev->ipsec_in_max_spi;
+	mz_sz = nb_sa * sa_width;
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	mz = rte_memzone_reserve_aligned(name, mz_sz, rte_socket_id(),
+					 RTE_MEMZONE_IOVA_CONTIG, OTX2_ALIGN);
+
+	if (mz == NULL) {
+		otx2_err("Could not allocate inbound SA DB");
+		return -ENOMEM;
+	}
+
+	memset(mz->addr, 0, mz_sz);
+
+	ret = sec_eth_ipsec_cfg(eth_dev, SSO_TT_ORDERED);
+	if (ret < 0) {
+		otx2_err("Could not configure inline IPsec");
+		goto sec_fini;
+	}
+
+	return 0;
+
+sec_fini:
+	otx2_err("Could not configure device for security");
+	otx2_sec_eth_fini(eth_dev);
+	return ret;
+}
+
+void
+otx2_sec_eth_fini(struct rte_eth_dev *eth_dev)
+{
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	char name[RTE_MEMZONE_NAMESIZE];
+
+	if (!(dev->tx_offloads & DEV_TX_OFFLOAD_SECURITY) &&
+	    !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
+		return;
+
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	rte_memzone_free(rte_memzone_lookup(name));
+}
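Review bot: otx2_sec_eth_fini() frees the SA memzone but never tells the NIX
to stop using it: sec_eth_ipsec_cfg() programs req->sa_base_addr = mz->iova
with req->enable = 1, and there is no matching mailbox message with enable
cleared before rte_memzone_free(). The hardware is left holding the IOVA of
freed memory; send the disable config first and free the zone only after it
succeeds. Two smaller points in the same hunk: the return value of
otx2_mbox_alloc_msg_nix_inline_ipsec_lf_cfg() is dereferenced without a NULL
check, and sa_idx_max = dev->ipsec_in_max_spi - 1 together with
mz_sz = nb_sa * sa_width misbehave when ipsec_in_max_spi is 0, which nothing
here rejects.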
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index 6ebf73f..4704781 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -11,4 +11,8 @@ int otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev);
 
 void otx2_sec_eth_ctx_destroy(struct rte_eth_dev *eth_dev);
 
+int otx2_sec_eth_init(struct rte_eth_dev *eth_dev);
+
+void otx2_sec_eth_fini(struct rte_eth_dev *eth_dev);
+
 #endif /* __OTX2_SECURITY_H__ */
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index 3e19ac2..131e883 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -337,6 +337,10 @@ nix_cq_rq_init(struct rte_eth_dev *eth_dev, struct otx2_eth_dev *dev,
 	aq->op = NIX_AQ_INSTOP_INIT;
 
 	aq->rq.sso_ena = 0;
+
+	if (rxq->offloads & DEV_RX_OFFLOAD_SECURITY)
+		aq->rq.ipsech_ena = 1;
+
 	aq->rq.cq = qid; /* RQ to CQ 1:1 mapped */
 	aq->rq.spb_ena = 0;
 	aq->rq.lpb_aura = npa_lf_aura_handle_to_aura(mp->pool_id);
@@ -1610,6 +1614,8 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev)
 
 	/* Free the resources allocated from the previous configure */
 	if (dev->configured == 1) {
+		if (otx2_sec_idev_ops.fini != NULL)
+			otx2_sec_idev_ops.fini(eth_dev);
 		otx2_nix_rxchan_bpid_cfg(eth_dev, false);
 		otx2_nix_vlan_fini(eth_dev);
 		otx2_nix_mc_addr_list_uninstall(eth_dev);
@@ -1714,10 +1720,17 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev)
 		goto cq_fini;
 	}
 
+	/* Enable security */
+	if (otx2_sec_idev_ops.init != NULL) {
+		rc = otx2_sec_idev_ops.init(eth_dev);
+		if (rc)
+			goto cq_fini;
+	}
+
 	rc = otx2_nix_mc_addr_list_install(eth_dev);
 	if (rc < 0) {
 		otx2_err("Failed to install mc address list rc=%d", rc);
-		goto cq_fini;
+		goto sec_fini;
 	}
 
 	/*
@@ -1753,6 +1766,9 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev)
 
 uninstall_mc_list:
 	otx2_nix_mc_addr_list_uninstall(eth_dev);
+sec_fini:
+	if (otx2_sec_idev_ops.fini != NULL)
+		otx2_sec_idev_ops.fini(eth_dev);
 cq_fini:
 	oxt2_nix_unregister_cq_irqs(eth_dev);
 q_irq_fini:
@@ -2345,6 +2361,10 @@ otx2_eth_dev_uninit(struct rte_eth_dev *eth_dev, bool mbox_close)
 	if (rc)
 		otx2_err("Failed to cleanup npa lf, rc=%d", rc);
 
+	/* Disable security */
+	if (otx2_sec_idev_ops.fini != NULL)
+		otx2_sec_idev_ops.fini(eth_dev);
+
 	/* Destroy security ctx */
 	if (otx2_sec_idev_ops.ctx_destroy != NULL)
 		otx2_sec_idev_ops.ctx_destroy(eth_dev);
diff --git a/drivers/net/octeontx2/otx2_ethdev.h b/drivers/net/octeontx2/otx2_ethdev.h
index 987e760..41fef6e 100644
--- a/drivers/net/octeontx2/otx2_ethdev.h
+++ b/drivers/net/octeontx2/otx2_ethdev.h
@@ -324,6 +324,8 @@ struct otx2_eth_dev {
 	bool mc_tbl_set;
 	struct otx2_nix_mc_filter_tbl mc_fltr_tbl;
 	bool sdp_link; /* SDP flag */
+	/* Inline IPsec params */
+	uint16_t ipsec_in_max_spi;
 } __rte_cache_aligned;
 
 struct otx2_eth_txq {
diff --git a/drivers/net/octeontx2/otx2_ethdev_devargs.c b/drivers/net/octeontx2/otx2_ethdev_devargs.c
index 04da1ab..a3f7598 100644
--- a/drivers/net/octeontx2/otx2_ethdev_devargs.c
+++ b/drivers/net/octeontx2/otx2_ethdev_devargs.c
@@ -64,6 +64,19 @@ parse_reta_size(const char *key, const char *value, void *extra_args)
 }
 
 static int
+parse_ipsec_in_max_spi(const char *key, const char *value, void *extra_args)
+{
+	RTE_SET_USED(key);
+	uint32_t val;
+
+	val = atoi(value);
+
+	*(uint16_t *)extra_args = val;
+
+	return 0;
+}
+
+static int
 parse_flag(const char *key, const char *value, void *extra_args)
 {
 	RTE_SET_USED(key);
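Review bot: parse_ipsec_in_max_spi() stores atoi(value) into a uint16_t with
no validation, so 0, negative numbers, non-numeric strings and anything above
65535 are silently accepted or truncated, although the registered parameter
string advertises <1-65535>. This value sizes the inbound SA table and is
programmed into the hardware, so parse it with strtoul(), check the end
pointer and the range, and return an error for anything outside it.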
@@ -104,6 +117,7 @@ parse_switch_header_type(const char *key, const char *value, void *extra_args)
 }
 
 #define OTX2_RSS_RETA_SIZE "reta_size"
+#define OTX2_IPSEC_IN_MAX_SPI "ipsec_in_max_spi"
 #define OTX2_SCL_ENABLE "scalar_enable"
 #define OTX2_MAX_SQB_COUNT "max_sqb_count"
 #define OTX2_FLOW_PREALLOC_SIZE "flow_prealloc_size"
@@ -118,6 +132,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 	uint16_t flow_prealloc_size = 8;
 	uint16_t switch_header_type = 0;
 	uint16_t flow_max_priority = 3;
+	uint16_t ipsec_in_max_spi = 1;
 	uint16_t scalar_enable = 0;
 	struct rte_kvargs *kvlist;
 
@@ -130,6 +145,8 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 
 	rte_kvargs_process(kvlist, OTX2_RSS_RETA_SIZE,
 			   &parse_reta_size, &rss_size);
+	rte_kvargs_process(kvlist, OTX2_IPSEC_IN_MAX_SPI,
+			   &parse_ipsec_in_max_spi, &ipsec_in_max_spi);
 	rte_kvargs_process(kvlist, OTX2_SCL_ENABLE,
 			   &parse_flag, &scalar_enable);
 	rte_kvargs_process(kvlist, OTX2_MAX_SQB_COUNT,
@@ -143,6 +160,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 	rte_kvargs_free(kvlist);
 
 null_devargs:
+	dev->ipsec_in_max_spi = ipsec_in_max_spi;
 	dev->scalar_ena = scalar_enable;
 	dev->max_sqb_count = sqb_count;
 	dev->rss_info.rss_size = rss_size;
@@ -157,6 +175,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 
 RTE_PMD_REGISTER_PARAM_STRING(net_octeontx2,
 			      OTX2_RSS_RETA_SIZE "=<64|128|256>"
+			      OTX2_IPSEC_IN_MAX_SPI "=<1-65535>"
 			      OTX2_SCL_ENABLE "=1"
 			      OTX2_MAX_SQB_COUNT "=<8-512>"
 			      OTX2_FLOW_PREALLOC_SIZE "=<1-32>"
-- 
2.7.4



* [dpdk-dev] [PATCH 06/15] crypto/octeontx2: add eth security capabilities
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
                   ` (4 preceding siblings ...)
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 05/15] crypto/octeontx2: add security in eth dev configure Anoob Joseph
@ 2019-12-08 11:54 ` Anoob Joseph
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 07/15] crypto/octeontx2: enable CPT to share QP with ethdev Anoob Joseph
                   ` (10 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

From: Ankur Dwivedi <adwivedi@marvell.com>

Adding security capabilities supported by the eth PMD.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/otx2_security.c | 124 +++++++++++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.h |  18 +++++
 2 files changed, 142 insertions(+)

diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index 9cd4683..46b94e5 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -2,11 +2,13 @@
  * Copyright (C) 2019 Marvell International Ltd.
  */
 
+#include <rte_cryptodev.h>
 #include <rte_ethdev.h>
 #include <rte_eventdev.h>
 #include <rte_malloc.h>
 #include <rte_memzone.h>
 #include <rte_security.h>
+#include <rte_security_driver.h>
 
 #include "otx2_ethdev.h"
 #include "otx2_ipsec_fp.h"
@@ -27,12 +29,133 @@ struct sec_eth_tag_const {
 	};
 };
 
+static struct rte_cryptodev_capabilities otx2_sec_eth_crypto_caps[] = {
+	{	/* AES GCM */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			{.aead = {
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.digest_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				},
+				.aad_size = {
+					.min = 8,
+					.max = 12,
+					.increment = 4
+				},
+				.iv_size = {
+					.min = 12,
+					.max = 12,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+	{	/* AES CBC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.iv_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+	{	/* SHA1 HMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
+				.block_size = 64,
+				.key_size = {
+					.min = 20,
+					.max = 64,
+					.increment = 1
+				},
+				.digest_size = {
+					.min = 12,
+					.max = 12,
+					.increment = 0
+				},
+			}, }
+		}, }
+	},
+	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
+};
+
+static const struct rte_security_capability otx2_sec_eth_capabilities[] = {
+	{	/* IPsec Inline Protocol ESP Tunnel Ingress */
+		.action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+			.options = { 0 }
+		},
+		.crypto_capabilities = otx2_sec_eth_crypto_caps,
+		.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
+	},
+	{	/* IPsec Inline Protocol ESP Tunnel Egress */
+		.action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+			.options = { 0 }
+		},
+		.crypto_capabilities = otx2_sec_eth_crypto_caps,
+		.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
+	},
+	{
+		.action = RTE_SECURITY_ACTION_TYPE_NONE
+	}
+};
+
 static inline void
 in_sa_mz_name_get(char *name, int size, uint16_t port)
 {
 	snprintf(name, size, "otx2_ipsec_in_sadb_%u", port);
 }
 
+static unsigned int
+otx2_sec_eth_session_get_size(void *device __rte_unused)
+{
+	return sizeof(struct otx2_sec_session);
+}
+
+static const struct rte_security_capability *
+otx2_sec_eth_capabilities_get(void *device __rte_unused)
+{
+	return otx2_sec_eth_capabilities;
+}
+
+static struct rte_security_ops otx2_sec_eth_ops = {
+	.session_get_size	= otx2_sec_eth_session_get_size,
+	.capabilities_get	= otx2_sec_eth_capabilities_get
+};
+
 int
 otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev)
 {
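Review bot: The ingress entry of otx2_sec_eth_capabilities sets
.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA, which is a Tx-side flag; unless
the inbound path really needs it, the ingress entry should carry 0 there. The
SHA1 HMAC capability also advertises key sizes 20 to 64 in steps of 1, while
ipsec_fp_xform_auth_verify() in patch 08 accepts only key.length == 64, so the
advertised range and the session check should be made to agree.
otx2_sec_eth_crypto_caps can be const like the security capability array.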
@@ -46,6 +169,7 @@ otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev)
 	/* Populate ctx */
 
 	ctx->device = eth_dev;
+	ctx->ops = &otx2_sec_eth_ops;
 	ctx->sess_cnt = 0;
 
 	eth_dev->security_ctx = ctx;
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index 4704781..f819f01 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -7,6 +7,24 @@
 
 #include <rte_ethdev.h>
 
+#include "otx2_ipsec_fp.h"
+
+/*
+ * Security session for inline IPsec protocol offload. This is private data of
+ * inline capable PMD.
+ */
+struct otx2_sec_session_ipsec_ip {
+	int dummy;
+};
+
+struct otx2_sec_session_ipsec {
+	struct otx2_sec_session_ipsec_ip ip;
+};
+
+struct otx2_sec_session {
+	struct otx2_sec_session_ipsec ipsec;
+} __rte_cache_aligned;
+
 int otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev);
 
 void otx2_sec_eth_ctx_destroy(struct rte_eth_dev *eth_dev);
-- 
2.7.4



* [dpdk-dev] [PATCH 07/15] crypto/octeontx2: enable CPT to share QP with ethdev
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
                   ` (5 preceding siblings ...)
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 06/15] crypto/octeontx2: add eth security capabilities Anoob Joseph
@ 2019-12-08 11:54 ` Anoob Joseph
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 08/15] crypto/octeontx2: add eth security session operations Anoob Joseph
                   ` (9 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

Adding the infrastructure to save one opaque pointer in idev and
implement the consumer-producer in the PMDs which use it accordingly.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 .../crypto/octeontx2/otx2_cryptodev_hw_access.h    | 22 +----
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c      | 18 ++++
 drivers/crypto/octeontx2/otx2_cryptodev_qp.h       | 35 ++++++++
 drivers/crypto/octeontx2/otx2_security.c           | 98 ++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.h           | 20 +++++
 5 files changed, 172 insertions(+), 21 deletions(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_qp.h

diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h b/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h
index 6f78aa4..43db6a6 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h
@@ -15,6 +15,7 @@
 #include "cpt_mcode_defines.h"
 
 #include "otx2_dev.h"
+#include "otx2_cryptodev_qp.h"
 
 /* CPT instruction queue length */
 #define OTX2_CPT_IQ_LEN			8200
@@ -135,27 +136,6 @@ enum cpt_9x_comp_e {
 	CPT_9X_COMP_E_LAST_ENTRY = 0x06
 };
 
-struct otx2_cpt_qp {
-	uint32_t id;
-	/**< Queue pair id */
-	uintptr_t base;
-	/**< Base address where BAR is mapped */
-	void *lmtline;
-	/**< Address of LMTLINE */
-	rte_iova_t lf_nq_reg;
-	/**< LF enqueue register address */
-	struct pending_queue pend_q;
-	/**< Pending queue */
-	struct rte_mempool *sess_mp;
-	/**< Session mempool */
-	struct rte_mempool *sess_mp_priv;
-	/**< Session private data mempool */
-	struct cpt_qp_meta_info meta_info;
-	/**< Metabuf info required to support operations on the queue pair */
-	rte_iova_t iq_dma_addr;
-	/**< Instruction queue address */
-};
-
 void otx2_cpt_err_intr_unregister(const struct rte_cryptodev *dev);
 
 int otx2_cpt_err_intr_register(const struct rte_cryptodev *dev);
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index a1213ca..702a653 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -13,6 +13,7 @@
 #include "otx2_cryptodev_hw_access.h"
 #include "otx2_cryptodev_mbox.h"
 #include "otx2_cryptodev_ops.h"
+#include "otx2_security.h"
 #include "otx2_mbox.h"
 
 #include "cpt_hw_types.h"
@@ -146,6 +147,11 @@ otx2_cpt_qp_inline_cfg(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp)
 	if (ret)
 		return ret;
 
+	/* Publish inline Tx QP to eth dev security */
+	ret = otx2_sec_tx_cpt_qp_add(port_id, qp);
+	if (ret)
+		return ret;
+
 	return 0;
 }
 
@@ -240,6 +246,12 @@ otx2_cpt_qp_create(const struct rte_cryptodev *dev, uint16_t qp_id,
 
 	qp->lf_nq_reg = qp->base + OTX2_CPT_LF_NQ(0);
 
+	ret = otx2_sec_tx_cpt_qp_remove(qp);
+	if (ret && (ret != -ENOENT)) {
+		CPT_LOG_ERR("Could not delete inline configuration");
+		goto mempool_destroy;
+	}
+
 	otx2_cpt_iq_disable(qp);
 
 	ret = otx2_cpt_qp_inline_cfg(dev, qp);
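Review bot: The otx2_sec_tx_cpt_qp_remove(qp) call in otx2_cpt_qp_create(),
on a queue pair that is still being set up, needs a comment saying which stale
entry it is meant to clear. The lookup matches on the qp pointer only, so a
leftover slot with the same address and a non-zero ref_cnt returns -EBUSY and
fails creation of a new QP; if that case is expected, say how the caller
should recover from it.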
@@ -273,6 +285,12 @@ otx2_cpt_qp_destroy(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp)
 	char name[RTE_MEMZONE_NAMESIZE];
 	int ret;
 
+	ret = otx2_sec_tx_cpt_qp_remove(qp);
+	if (ret && (ret != -ENOENT)) {
+		CPT_LOG_ERR("Could not delete inline configuration");
+		return ret;
+	}
+
 	otx2_cpt_iq_disable(qp);
 
 	otx2_cpt_metabuf_mempool_destroy(qp);
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_qp.h b/drivers/crypto/octeontx2/otx2_cryptodev_qp.h
new file mode 100644
index 0000000..caf8272
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_qp.h
@@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2019 Marvell International Ltd.
+ */
+
+#ifndef _OTX2_CRYPTODEV_QP_H_
+#define _OTX2_CRYPTODEV_QP_H_
+
+#include <rte_common.h>
+#include <rte_mempool.h>
+#include <rte_spinlock.h>
+
+#include "cpt_common.h"
+
+struct otx2_cpt_qp {
+	uint32_t id;
+	/**< Queue pair id */
+	uintptr_t base;
+	/**< Base address where BAR is mapped */
+	void *lmtline;
+	/**< Address of LMTLINE */
+	rte_iova_t lf_nq_reg;
+	/**< LF enqueue register address */
+	struct pending_queue pend_q;
+	/**< Pending queue */
+	struct rte_mempool *sess_mp;
+	/**< Session mempool */
+	struct rte_mempool *sess_mp_priv;
+	/**< Session private data mempool */
+	struct cpt_qp_meta_info meta_info;
+	/**< Metabuf info required to support operations on the queue pair */
+	rte_iova_t iq_dma_addr;
+	/**< Instruction queue address */
+};
+
+#endif /* _OTX2_CRYPTODEV_QP_H_ */
diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index 46b94e5..6e9063e 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -10,6 +10,7 @@
 #include <rte_security.h>
 #include <rte_security_driver.h>
 
+#include "otx2_cryptodev_qp.h"
 #include "otx2_ethdev.h"
 #include "otx2_ipsec_fp.h"
 #include "otx2_security.h"
@@ -29,6 +30,8 @@ struct sec_eth_tag_const {
 	};
 };
 
+static struct otx2_sec_eth_cfg sec_cfg[OTX2_MAX_INLINE_PORTS];
+
 static struct rte_cryptodev_capabilities otx2_sec_eth_crypto_caps[] = {
 	{	/* AES GCM */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
@@ -156,16 +159,41 @@ static struct rte_security_ops otx2_sec_eth_ops = {
 	.capabilities_get	= otx2_sec_eth_capabilities_get
 };
 
+static int
+otx2_sec_eth_cfg_init(int port_id)
+{
+	struct otx2_sec_eth_cfg *cfg;
+	int i;
+
+	cfg = &sec_cfg[port_id];
+	cfg->tx_cpt_idx = 0;
+	rte_spinlock_init(&cfg->tx_cpt_lock);
+
+	for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+		cfg->tx_cpt[i].qp = NULL;
+		rte_atomic16_set(&cfg->tx_cpt[i].ref_cnt, 0);
+	}
+
+	return 0;
+}
+
 int
 otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev)
 {
 	struct rte_security_ctx *ctx;
+	int ret;
 
 	ctx = rte_malloc("otx2_sec_eth_ctx",
 			 sizeof(struct rte_security_ctx), 0);
 	if (ctx == NULL)
 		return -ENOMEM;
 
+	ret = otx2_sec_eth_cfg_init(eth_dev->data->port_id);
+	if (ret) {
+		rte_free(ctx);
+		return ret;
+	}
+
 	/* Populate ctx */
 
 	ctx->device = eth_dev;
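Review bot: otx2_sec_eth_cfg_init() indexes sec_cfg[port_id] without checking
port_id against OTX2_MAX_INLINE_PORTS, and it is called with
eth_dev->data->port_id, so a port id of 64 or higher writes past the static
array. Reject out-of-range ports with an error instead of always returning 0,
and take port_id as uint16_t to match the caller.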
@@ -279,3 +307,73 @@ otx2_sec_eth_fini(struct rte_eth_dev *eth_dev)
 	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
 	rte_memzone_free(rte_memzone_lookup(name));
 }
+
+int
+otx2_sec_tx_cpt_qp_add(uint16_t port_id, struct otx2_cpt_qp *qp)
+{
+	struct otx2_sec_eth_cfg *cfg;
+	int i, ret;
+
+	if (qp == NULL || port_id > OTX2_MAX_INLINE_PORTS)
+		return -EINVAL;
+
+	cfg = &sec_cfg[port_id];
+
+	/* Find a free slot to save CPT LF */
+
+	rte_spinlock_lock(&cfg->tx_cpt_lock);
+
+	for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+		if (cfg->tx_cpt[i].qp == NULL) {
+			cfg->tx_cpt[i].qp = qp;
+			ret = 0;
+			goto unlock;
+		}
+	}
+
+	ret = -EINVAL;
+
+unlock:
+	rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	return ret;
+}
+
+int
+otx2_sec_tx_cpt_qp_remove(struct otx2_cpt_qp *qp)
+{
+	struct otx2_sec_eth_cfg *cfg;
+	uint16_t port_id;
+	int i, ret;
+
+	if (qp == NULL)
+		return -EINVAL;
+
+	for (port_id = 0; port_id < OTX2_MAX_INLINE_PORTS; port_id++) {
+		cfg = &sec_cfg[port_id];
+
+		rte_spinlock_lock(&cfg->tx_cpt_lock);
+
+		for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+			if (cfg->tx_cpt[i].qp != qp)
+				continue;
+
+			/* Don't free if the QP is in use by any sec session */
+			if (rte_atomic16_read(&cfg->tx_cpt[i].ref_cnt)) {
+				ret = -EBUSY;
+			} else {
+				cfg->tx_cpt[i].qp = NULL;
+				ret = 0;
+			}
+
+			goto unlock;
+		}
+
+		rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	}
+
+	return -ENOENT;
+
+unlock:
+	rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	return ret;
+}
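Review bot: The bounds check in otx2_sec_tx_cpt_qp_add() is off by one:
port_id > OTX2_MAX_INLINE_PORTS lets port_id == 64 through, and sec_cfg[64] is
one element past the end of the array, so the spinlock and slot writes that
follow land outside it; the comparison should be >=. Returning -EINVAL when
all OTX2_MAX_CPT_QP_PER_PORT slots are taken also makes a full table
indistinguishable from a bad argument; -ENOSPC would be clearer.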
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index f819f01..c8aca7b 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -5,10 +5,27 @@
 #ifndef __OTX2_SECURITY_H__
 #define __OTX2_SECURITY_H__
 
+#include <rte_atomic.h>
 #include <rte_ethdev.h>
+#include <rte_spinlock.h>
 
 #include "otx2_ipsec_fp.h"
 
+#define OTX2_MAX_CPT_QP_PER_PORT 64
+#define OTX2_MAX_INLINE_PORTS 64
+
+struct otx2_cpt_qp;
+
+struct otx2_sec_eth_cfg {
+	struct {
+		struct otx2_cpt_qp *qp;
+		rte_atomic16_t ref_cnt;
+	} tx_cpt[OTX2_MAX_CPT_QP_PER_PORT];
+
+	uint16_t tx_cpt_idx;
+	rte_spinlock_t tx_cpt_lock;
+};
+
 /*
  * Security session for inline IPsec protocol offload. This is private data of
  * inline capable PMD.
@@ -33,4 +50,7 @@ int otx2_sec_eth_init(struct rte_eth_dev *eth_dev);
 
 void otx2_sec_eth_fini(struct rte_eth_dev *eth_dev);
 
+int otx2_sec_tx_cpt_qp_add(uint16_t port_id, struct otx2_cpt_qp *qp);
+
+int otx2_sec_tx_cpt_qp_remove(struct otx2_cpt_qp *qp);
 #endif /* __OTX2_SECURITY_H__ */
-- 
2.7.4



* [dpdk-dev] [PATCH 08/15] crypto/octeontx2: add eth security session operations
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
                   ` (6 preceding siblings ...)
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 07/15] crypto/octeontx2: enable CPT to share QP with ethdev Anoob Joseph
@ 2019-12-08 11:54 ` Anoob Joseph
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 09/15] crypto/octeontx2: add datapath ops in eth security ctx Anoob Joseph
                   ` (8 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

Adding security session operations in eth security ctx.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/otx2_ipsec_fp.h | 293 ++++++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.c | 340 +++++++++++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.h |  23 ++-
 3 files changed, 655 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/octeontx2/otx2_ipsec_fp.h b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
index 520a3fe..be83c23 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_fp.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
@@ -5,6 +5,67 @@
 #ifndef __OTX2_IPSEC_FP_H__
 #define __OTX2_IPSEC_FP_H__
 
+#include <rte_crypto_sym.h>
+#include <rte_security.h>
+
+enum {
+	OTX2_IPSEC_FP_SA_DIRECTION_INBOUND = 0,
+	OTX2_IPSEC_FP_SA_DIRECTION_OUTBOUND = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_IP_VERSION_4 = 0,
+	OTX2_IPSEC_FP_SA_IP_VERSION_6 = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_MODE_TRANSPORT = 0,
+	OTX2_IPSEC_FP_SA_MODE_TUNNEL = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_PROTOCOL_AH = 0,
+	OTX2_IPSEC_FP_SA_PROTOCOL_ESP = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_AES_KEY_LEN_128 = 1,
+	OTX2_IPSEC_FP_SA_AES_KEY_LEN_192 = 2,
+	OTX2_IPSEC_FP_SA_AES_KEY_LEN_256 = 3,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_ENC_NULL = 0,
+	OTX2_IPSEC_FP_SA_ENC_DES_CBC = 1,
+	OTX2_IPSEC_FP_SA_ENC_3DES_CBC = 2,
+	OTX2_IPSEC_FP_SA_ENC_AES_CBC = 3,
+	OTX2_IPSEC_FP_SA_ENC_AES_CTR = 4,
+	OTX2_IPSEC_FP_SA_ENC_AES_GCM = 5,
+	OTX2_IPSEC_FP_SA_ENC_AES_CCM = 6,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_AUTH_NULL = 0,
+	OTX2_IPSEC_FP_SA_AUTH_MD5 = 1,
+	OTX2_IPSEC_FP_SA_AUTH_SHA1 = 2,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_224 = 3,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_256 = 4,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_384 = 5,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_512 = 6,
+	OTX2_IPSEC_FP_SA_AUTH_AES_GMAC = 7,
+	OTX2_IPSEC_FP_SA_AUTH_AES_XCBC_128 = 8,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_FRAG_POST = 0,
+	OTX2_IPSEC_FP_SA_FRAG_PRE = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_ENCAP_NONE = 0,
+	OTX2_IPSEC_FP_SA_ENCAP_UDP = 1,
+};
+
 struct otx2_ipsec_fp_sa_ctl {
 	rte_be32_t spi          : 32;
 	uint64_t exp_proto_inter_frag : 8;
@@ -24,6 +85,26 @@ struct otx2_ipsec_fp_sa_ctl {
 	uint64_t aes_key_len  : 2;
 };
 
+struct otx2_ipsec_fp_out_sa {
+	/* w0 */
+	struct otx2_ipsec_fp_sa_ctl ctl;
+
+	/* w1 */
+	uint8_t nonce[4];
+	uint16_t udp_src;
+	uint16_t udp_dst;
+
+	/* w2 */
+	uint32_t ip_src;
+	uint32_t ip_dst;
+
+	/* w3-w6 */
+	uint8_t cipher_key[32];
+
+	/* w7-w12 */
+	uint8_t hmac_key[48];
+};
+
 struct otx2_ipsec_fp_in_sa {
 	/* w0 */
 	struct otx2_ipsec_fp_sa_ctl ctl;
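Review bot: struct otx2_ipsec_fp_out_sa stores the tunnel endpoints as
uint32_t ip_src and ip_dst, which can hold IPv4 addresses only, while
ipsec_fp_sa_ctl_set() later in this patch tests for
RTE_SECURITY_IPSEC_TUNNEL_IPV6. Either reject IPv6 tunnels at session create
or document how those addresses are carried. If the address and port fields
are stored in network order, declaring them as rte_be32_t and rte_be16_t would
match how spi is declared in the ctl word.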
@@ -52,4 +133,216 @@ struct otx2_ipsec_fp_in_sa {
 	uint64_t reserved2;
 };
 
+static inline int
+ipsec_fp_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
+{
+	if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		switch (xform->cipher.key.length) {
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return -ENOTSUP;
+		}
+		return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_fp_xform_auth_verify(struct rte_crypto_sym_xform *xform)
+{
+	if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+		if (xform->auth.key.length == 64)
+			return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_fp_xform_aead_verify(struct rte_security_ipsec_xform *ipsec,
+			   struct rte_crypto_sym_xform *xform)
+{
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+	    xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
+		return -EINVAL;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+	    xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
+		return -EINVAL;
+
+	if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+		switch (xform->aead.key.length) {
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return -EINVAL;
+		}
+		return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_fp_xform_verify(struct rte_security_ipsec_xform *ipsec,
+		      struct rte_crypto_sym_xform *xform)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	int ret;
+
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+		return ipsec_fp_xform_aead_verify(ipsec, xform);
+
+	if (xform->next == NULL)
+		return -EINVAL;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		/* Ingress */
+		if (xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+		    xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+			return -EINVAL;
+		auth_xform = xform;
+		cipher_xform = xform->next;
+	} else {
+		/* Egress */
+		if (xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+		    xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+			return -EINVAL;
+		cipher_xform = xform;
+		auth_xform = xform->next;
+	}
+
+	ret = ipsec_fp_xform_cipher_verify(cipher_xform);
+	if (ret)
+		return ret;
+
+	ret = ipsec_fp_xform_auth_verify(auth_xform);
+	if (ret)
+		return ret;
+
+	return 0;
+}
+
+static inline int
+ipsec_fp_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
+		    struct rte_crypto_sym_xform *xform,
+		    struct otx2_ipsec_fp_sa_ctl *ctl)
+{
+	struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
+	int aes_key_len;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		ctl->direction = OTX2_IPSEC_FP_SA_DIRECTION_OUTBOUND;
+		cipher_xform = xform;
+		auth_xform = xform->next;
+	} else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		ctl->direction = OTX2_IPSEC_FP_SA_DIRECTION_INBOUND;
+		auth_xform = xform;
+		cipher_xform = xform->next;
+	} else {
+		return -EINVAL;
+	}
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+			ctl->outer_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_4;
+		else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
+			ctl->outer_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_6;
+		else
+			return -EINVAL;
+	}
+
+	ctl->inner_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_4;
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
+		ctl->ipsec_mode = OTX2_IPSEC_FP_SA_MODE_TRANSPORT;
+	else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+		ctl->ipsec_mode = OTX2_IPSEC_FP_SA_MODE_TUNNEL;
+	else
+		return -EINVAL;
+
+	if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
+		ctl->ipsec_proto = OTX2_IPSEC_FP_SA_PROTOCOL_AH;
+	else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
+		ctl->ipsec_proto = OTX2_IPSEC_FP_SA_PROTOCOL_ESP;
+	else
+		return -EINVAL;
+
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+			ctl->enc_type = OTX2_IPSEC_FP_SA_ENC_AES_GCM;
+			aes_key_len = xform->aead.key.length;
+		} else {
+			return -ENOTSUP;
+		}
+	} else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		ctl->enc_type = OTX2_IPSEC_FP_SA_ENC_AES_CCM;
+		aes_key_len = xform->cipher.key.length;
+	} else {
+		return -ENOTSUP;
+	}
+
+	switch (aes_key_len) {
+	case 16:
+		ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_128;
+		break;
+	case 24:
+		ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_192;
+		break;
+	case 32:
+		ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_256;
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	if (xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
+		switch (auth_xform->auth.algo) {
+		case RTE_CRYPTO_AUTH_NULL:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_NULL;
+			break;
+		case RTE_CRYPTO_AUTH_MD5_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_MD5;
+			break;
+		case RTE_CRYPTO_AUTH_SHA1_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA1;
+			break;
+		case RTE_CRYPTO_AUTH_SHA224_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_224;
+			break;
+		case RTE_CRYPTO_AUTH_SHA256_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_256;
+			break;
+		case RTE_CRYPTO_AUTH_SHA384_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_384;
+			break;
+		case RTE_CRYPTO_AUTH_SHA512_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_512;
+			break;
+		case RTE_CRYPTO_AUTH_AES_GMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_AES_GMAC;
+			break;
+		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_AES_XCBC_128;
+			break;
+		default:
+			return -ENOTSUP;
+		}
+	}
+
+	if (ipsec->options.esn == 1)
+		ctl->esn_en = 1;
+
+	ctl->spi = rte_cpu_to_be_32(ipsec->spi);
+	ctl->valid = 1;
+
+	return 0;
+}
+
 #endif /* __OTX2_IPSEC_FP_H__ */
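Review bot: in ipsec_fp_sa_ctl_set() the RTE_CRYPTO_CIPHER_AES_CBC branch sets ctl->enc_type to OTX2_IPSEC_FP_SA_ENC_AES_CCM and reads the key length from xform->cipher.key.length rather than from cipher_xform. The first looks like a typo for the CBC encoding. The second reads the wrong xform on ingress, where xform is the auth xform and cipher_xform is xform->next, so aes_key_len is taken from the auth member of the union; use cipher_xform->cipher.key.length. Separately, ipsec_fp_xform_auth_verify() accepts only RTE_CRYPTO_AUTH_SHA1_HMAC with a 64-byte key, so the NULL, MD5, SHA2, GMAC and XCBC cases of the auth switch cannot be reached through ipsec_fp_xform_verify(); either extend the verify routine or drop the unreachable cases. The key-length error code also differs between the cipher path (-ENOTSUP) and the AEAD path (-EINVAL) and should be made consistent.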
diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index 6e9063e..393bc12 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -136,12 +136,350 @@ static const struct rte_security_capability otx2_sec_eth_capabilities[] = {
 	}
 };
 
+static int
+otx2_sec_eth_tx_cpt_qp_get(uint16_t port_id, struct otx2_cpt_qp **qp)
+{
+	struct otx2_sec_eth_cfg *cfg;
+	uint16_t index;
+	int i, ret;
+
+	if (port_id > OTX2_MAX_INLINE_PORTS || qp == NULL)
+		return -EINVAL;
+
+	cfg = &sec_cfg[port_id];
+
+	rte_spinlock_lock(&cfg->tx_cpt_lock);
+
+	index = cfg->tx_cpt_idx;
+
+	/* Get the next index with valid data */
+	for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+		if (cfg->tx_cpt[index].qp != NULL)
+			break;
+		index = (index + 1) % OTX2_MAX_CPT_QP_PER_PORT;
+	}
+
+	if (i >= OTX2_MAX_CPT_QP_PER_PORT) {
+		ret = -EINVAL;
+		goto unlock;
+	}
+
+	*qp = cfg->tx_cpt[index].qp;
+	rte_atomic16_inc(&cfg->tx_cpt[index].ref_cnt);
+
+	cfg->tx_cpt_idx = (index + 1) % OTX2_MAX_CPT_QP_PER_PORT;
+
+	ret = 0;
+
+unlock:
+	rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	return ret;
+}
+
+static int
+otx2_sec_eth_tx_cpt_put(struct otx2_cpt_qp *qp)
+{
+	struct otx2_sec_eth_cfg *cfg;
+	uint16_t port_id;
+	int i;
+
+	if (qp == NULL)
+		return -EINVAL;
+
+	for (port_id = 0; port_id < OTX2_MAX_INLINE_PORTS; port_id++) {
+		cfg = &sec_cfg[port_id];
+		for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+			if (cfg->tx_cpt[i].qp == qp) {
+				rte_atomic16_dec(&cfg->tx_cpt[i].ref_cnt);
+				return 0;
+			}
+		}
+	}
+
+	return -EINVAL;
+}
+
 static inline void
 in_sa_mz_name_get(char *name, int size, uint16_t port)
 {
 	snprintf(name, size, "otx2_ipsec_in_sadb_%u", port);
 }
 
+static struct otx2_ipsec_fp_in_sa *
+in_sa_get(uint16_t port, int sa_index)
+{
+	char name[RTE_MEMZONE_NAMESIZE];
+	struct otx2_ipsec_fp_in_sa *sa;
+	const struct rte_memzone *mz;
+
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL) {
+		otx2_err("Could not get the memzone reserved for IN SA DB");
+		return NULL;
+	}
+
+	sa = mz->addr;
+
+	return sa + sa_index;
+}
+
+static int
+sec_eth_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
+			      struct rte_security_ipsec_xform *ipsec,
+			      struct rte_crypto_sym_xform *crypto_xform,
+			      struct rte_security_session *sec_sess)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	struct otx2_sec_session_ipsec_ip *sess;
+	uint16_t port = eth_dev->data->port_id;
+	int cipher_key_len, auth_key_len, ret;
+	const uint8_t *cipher_key, *auth_key;
+	struct otx2_ipsec_fp_sa_ctl *ctl;
+	struct otx2_ipsec_fp_out_sa *sa;
+	struct otx2_sec_session *priv;
+	struct otx2_cpt_qp *qp;
+
+	priv = get_sec_session_private_data(sec_sess);
+	sess = &priv->ipsec.ip;
+
+	sa = &sess->out_sa;
+	ctl = &sa->ctl;
+	if (ctl->valid) {
+		otx2_err("SA already registered");
+		return -EINVAL;
+	}
+
+	memset(sess, 0, sizeof(struct otx2_sec_session_ipsec_ip));
+
+	memcpy(sa->nonce, &ipsec->salt, 4);
+
+	if (ipsec->options.udp_encap == 1) {
+		sa->udp_src = 4500;
+		sa->udp_dst = 4500;
+	}
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+			memcpy(&sa->ip_src, &ipsec->tunnel.ipv4.src_ip,
+			       sizeof(struct in_addr));
+			memcpy(&sa->ip_dst, &ipsec->tunnel.ipv4.dst_ip,
+			       sizeof(struct in_addr));
+		} else {
+			return -EINVAL;
+		}
+	} else {
+		return -EINVAL;
+	}
+
+	cipher_xform = crypto_xform;
+	auth_xform = crypto_xform->next;
+
+	cipher_key_len = 0;
+	auth_key_len = 0;
+
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		cipher_key = crypto_xform->aead.key.data;
+		cipher_key_len = crypto_xform->aead.key.length;
+	} else {
+		cipher_key = cipher_xform->cipher.key.data;
+		cipher_key_len = cipher_xform->cipher.key.length;
+		auth_key = auth_xform->auth.key.data;
+		auth_key_len = auth_xform->auth.key.length;
+	}
+
+	if (cipher_key_len != 0)
+		memcpy(sa->cipher_key, cipher_key, cipher_key_len);
+	else
+		return -EINVAL;
+
+	/* Use OPAD & IPAD */
+	RTE_SET_USED(auth_key);
+	RTE_SET_USED(auth_key_len);
+
+	/* Get CPT QP to be used for this SA */
+	ret = otx2_sec_eth_tx_cpt_qp_get(port, &qp);
+	if (ret)
+		return ret;
+
+	sess->qp = qp;
+
+	sess->cpt_lmtline = qp->lmtline;
+	sess->cpt_nq_reg = qp->lf_nq_reg;
+
+	/* Populate control word */
+	ret = ipsec_fp_sa_ctl_set(ipsec, crypto_xform, ctl);
+	if (ret)
+		goto cpt_put;
+
+	return 0;
+cpt_put:
+	otx2_sec_eth_tx_cpt_put(sess->qp);
+	return ret;
+}
+
+static int
+sec_eth_ipsec_in_sess_create(struct rte_eth_dev *eth_dev,
+			     struct rte_security_ipsec_xform *ipsec,
+			     struct rte_crypto_sym_xform *crypto_xform,
+			     struct rte_security_session *sec_sess)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	struct otx2_sec_session_ipsec_ip *sess;
+	uint16_t port = eth_dev->data->port_id;
+	const uint8_t *cipher_key, *auth_key;
+	int cipher_key_len, auth_key_len;
+	struct otx2_ipsec_fp_sa_ctl *ctl;
+	struct otx2_ipsec_fp_in_sa *sa;
+	struct otx2_sec_session *priv;
+
+	if (ipsec->spi >= dev->ipsec_in_max_spi) {
+		otx2_err("SPI exceeds max supported");
+		return -EINVAL;
+	}
+
+	sa = in_sa_get(port, ipsec->spi);
+	ctl = &sa->ctl;
+
+	priv = get_sec_session_private_data(sec_sess);
+	sess = &priv->ipsec.ip;
+
+	if (ctl->valid) {
+		otx2_err("SA already registered");
+		return -EINVAL;
+	}
+
+	memset(sa, 0, sizeof(struct otx2_ipsec_fp_in_sa));
+
+	auth_xform = crypto_xform;
+	cipher_xform = crypto_xform->next;
+
+	cipher_key_len = 0;
+	auth_key_len = 0;
+
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
+			memcpy(sa->nonce, &ipsec->salt, 4);
+		cipher_key = crypto_xform->aead.key.data;
+		cipher_key_len = crypto_xform->aead.key.length;
+	} else {
+		cipher_key = cipher_xform->cipher.key.data;
+		cipher_key_len = cipher_xform->cipher.key.length;
+		auth_key = auth_xform->auth.key.data;
+		auth_key_len = auth_xform->auth.key.length;
+	}
+
+	if (cipher_key_len != 0)
+		memcpy(sa->cipher_key, cipher_key, cipher_key_len);
+	else
+		return -EINVAL;
+
+	/* Use OPAD & IPAD */
+	RTE_SET_USED(auth_key);
+	RTE_SET_USED(auth_key_len);
+
+	sess->in_sa = sa;
+
+	sa->userdata = priv->userdata;
+
+	return ipsec_fp_sa_ctl_set(ipsec, crypto_xform, ctl);
+
+}
+
+static int
+sec_eth_ipsec_sess_create(struct rte_eth_dev *eth_dev,
+			  struct rte_security_ipsec_xform *ipsec,
+			  struct rte_crypto_sym_xform *crypto_xform,
+			  struct rte_security_session *sess)
+{
+	int ret;
+
+	ret = ipsec_fp_xform_verify(ipsec, crypto_xform);
+	if (ret)
+		return ret;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+		return sec_eth_ipsec_in_sess_create(eth_dev, ipsec,
+						    crypto_xform, sess);
+	else
+		return sec_eth_ipsec_out_sess_create(eth_dev, ipsec,
+						     crypto_xform, sess);
+}
+
+static int
+otx2_sec_eth_session_create(void *device,
+			    struct rte_security_session_conf *conf,
+			    struct rte_security_session *sess,
+			    struct rte_mempool *mempool)
+{
+	struct otx2_sec_session *priv;
+	int ret;
+
+	if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
+		return -ENOTSUP;
+
+	if (rte_mempool_get(mempool, (void **)&priv)) {
+		otx2_err("Could not allocate security session private data");
+		return -ENOMEM;
+	}
+
+	set_sec_session_private_data(sess, priv);
+
+	/*
+	 * Save userdata provided by the application. For ingress packets, this
+	 * could be used to identify the SA.
+	 */
+	priv->userdata = conf->userdata;
+
+	if (conf->protocol == RTE_SECURITY_PROTOCOL_IPSEC)
+		ret = sec_eth_ipsec_sess_create(device, &conf->ipsec,
+						conf->crypto_xform,
+						sess);
+	else
+		ret = -ENOTSUP;
+
+	if (ret)
+		goto mempool_put;
+
+	return 0;
+
+mempool_put:
+	rte_mempool_put(mempool, priv);
+	set_sec_session_private_data(sess, NULL);
+	return ret;
+}
+
+static int
+otx2_sec_eth_session_destroy(void *device __rte_unused,
+			     struct rte_security_session *sess)
+{
+	struct otx2_sec_session_ipsec_ip *sess_ip;
+	struct otx2_sec_session *priv;
+	struct rte_mempool *sess_mp;
+	int ret;
+
+	priv = get_sec_session_private_data(sess);
+	if (priv == NULL)
+		return -EINVAL;
+
+	sess_ip = &priv->ipsec.ip;
+
+	/* Release CPT LF used for this session */
+	if (sess_ip->qp != NULL) {
+		ret = otx2_sec_eth_tx_cpt_put(sess_ip->qp);
+		if (ret)
+			return ret;
+	}
+
+	sess_mp = rte_mempool_from_obj(priv);
+
+	set_sec_session_private_data(sess, NULL);
+	rte_mempool_put(sess_mp, priv);
+
+	return 0;
+}
+
 static unsigned int
 otx2_sec_eth_session_get_size(void *device __rte_unused)
 {
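Review bot: otx2_sec_eth_tx_cpt_qp_get() rejects only port_id > OTX2_MAX_INLINE_PORTS and then indexes sec_cfg[port_id], while otx2_sec_eth_tx_cpt_put() walks the same array with port_id < OTX2_MAX_INLINE_PORTS; if sec_cfg has OTX2_MAX_INLINE_PORTS entries the check needs to be >=. In sec_eth_ipsec_in_sess_create() the result of in_sa_get() is dereferenced (ctl = &sa->ctl; ctl->valid) although in_sa_get() returns NULL when the memzone lookup fails; add a NULL check. The session private data comes from rte_mempool_get() and is not zeroed in otx2_sec_eth_session_create(): the outbound path tests ctl->valid on it before its memset, and the inbound path never clears sess, so the sess_ip->qp != NULL test in otx2_sec_eth_session_destroy() reads whatever the object held before. Zero priv right after rte_mempool_get(). Finally, session_destroy does not clear the valid bit or the cipher key of an inbound SA in the shared memzone, so the SPI cannot be registered again and the key stays in memory shared with the hardware; and both create paths mark the SA valid while auth_key is only passed to RTE_SET_USED, so the cipher+auth case is accepted without any HMAC key material being programmed.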
@@ -155,6 +493,8 @@ otx2_sec_eth_capabilities_get(void *device __rte_unused)
 }
 
 static struct rte_security_ops otx2_sec_eth_ops = {
+	.session_create		= otx2_sec_eth_session_create,
+	.session_destroy	= otx2_sec_eth_session_destroy,
 	.session_get_size	= otx2_sec_eth_session_get_size,
 	.capabilities_get	= otx2_sec_eth_capabilities_get
 };
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index c8aca7b..adca00b 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -31,7 +31,26 @@ struct otx2_sec_eth_cfg {
  * inline capable PMD.
  */
 struct otx2_sec_session_ipsec_ip {
-	int dummy;
+	RTE_STD_C11
+	union {
+		/*
+		 * Inbound SA would accessed by crypto block. And so the memory
+		 * is allocated differently and shared with the h/w. Only
+		 * holding a pointer to this memory in the session private
+		 * space.
+		 */
+		void *in_sa;
+		/* Outbound SA */
+		struct otx2_ipsec_fp_out_sa out_sa;
+	};
+
+	/* Address of CPT LMTLINE */
+	void *cpt_lmtline;
+	/* CPT LF enqueue register address */
+	rte_iova_t cpt_nq_reg;
+
+	/* CPT QP used by SA */
+	struct otx2_cpt_qp *qp;
 };
 
 struct otx2_sec_session_ipsec {
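Review bot: in_sa in the anonymous union is declared void *, but sec_eth_ipsec_in_sess_create() stores a struct otx2_ipsec_fp_in_sa * in it; declaring it with that type keeps the compiler checking its users. Since in_sa and out_sa share storage, a comment stating that the SA direction decides which member is live would help, because sec_eth_ipsec_out_sess_create() reads out_sa.ctl.valid from the same bytes. The comment above in_sa reads "would accessed" and should be "would be accessed".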
@@ -40,6 +59,8 @@ struct otx2_sec_session_ipsec {
 
 struct otx2_sec_session {
 	struct otx2_sec_session_ipsec ipsec;
+	void *userdata;
+	/**< Userdata registered by the application */
 } __rte_cache_aligned;
 
 int otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev);
-- 
2.7.4



* [dpdk-dev] [PATCH 09/15] crypto/octeontx2: add datapath ops in eth security ctx
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
                   ` (7 preceding siblings ...)
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 08/15] crypto/octeontx2: add eth security session operations Anoob Joseph
@ 2019-12-08 11:54 ` Anoob Joseph
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 10/15] crypto/octeontx2: add lookup mem changes to hold sa indices Anoob Joseph
                   ` (7 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

From: Ankur Dwivedi <adwivedi@marvell.com>

Adding data path ops in eth security ctx.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/otx2_security.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index 393bc12..545c806 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -486,6 +486,27 @@ otx2_sec_eth_session_get_size(void *device __rte_unused)
 	return sizeof(struct otx2_sec_session);
 }
 
+static int
+otx2_sec_eth_set_pkt_mdata(void *device __rte_unused,
+			    struct rte_security_session *session,
+			    struct rte_mbuf *m, void *params __rte_unused)
+{
+	/* Set security session as the pkt metadata */
+	m->udata64 = (uint64_t)session;
+
+	return 0;
+}
+
+static int
+otx2_sec_eth_get_userdata(void *device __rte_unused, uint64_t md,
+			   void **userdata)
+{
+	/* Retrieve userdata  */
+	*userdata = (void *)md;
+
+	return 0;
+}
+
 static const struct rte_security_capability *
 otx2_sec_eth_capabilities_get(void *device __rte_unused)
 {
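Review bot: otx2_sec_eth_set_pkt_mdata() and otx2_sec_eth_get_userdata() convert between pointer and 64-bit integer with direct casts, (uint64_t)session and (void *)md; going through uintptr_t avoids pointer-size cast warnings on builds where pointers are not 64 bits wide. otx2_sec_eth_set_pkt_mdata() also stores session without a NULL check. A comment on otx2_sec_eth_get_userdata() saying what md is expected to hold (it is returned to the caller unchanged) would document the contract with the Rx path.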
@@ -496,6 +517,8 @@ static struct rte_security_ops otx2_sec_eth_ops = {
 	.session_create		= otx2_sec_eth_session_create,
 	.session_destroy	= otx2_sec_eth_session_destroy,
 	.session_get_size	= otx2_sec_eth_session_get_size,
+	.set_pkt_metadata	= otx2_sec_eth_set_pkt_mdata,
+	.get_userdata		= otx2_sec_eth_get_userdata,
 	.capabilities_get	= otx2_sec_eth_capabilities_get
 };
 
-- 
2.7.4



* [dpdk-dev] [PATCH 10/15] crypto/octeontx2: add lookup mem changes to hold sa indices
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
                   ` (8 preceding siblings ...)
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 09/15] crypto/octeontx2: add datapath ops in eth security ctx Anoob Joseph
@ 2019-12-08 11:54 ` Anoob Joseph
  2019-12-09  8:02   ` Jerin Jacob
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 11/15] net/octeontx2: add inline ipsec rx path changes Anoob Joseph
                   ` (6 subsequent siblings)
  16 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Archana Muniganti, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dev

From: Archana Muniganti <marchana@marvell.com>

lookup_mem provides fast accessing of data path fields.
Storing sa indices in lookup_mem which are required in
inline rx data path.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/common/octeontx2/otx2_common.h   | 20 +++++++++++
 drivers/crypto/octeontx2/otx2_security.c | 59 +++++++++++++++++++++++++++++++-
 drivers/net/octeontx2/otx2_lookup.c      |  9 +----
 drivers/net/octeontx2/otx2_rx.h          | 10 ++----
 4 files changed, 81 insertions(+), 17 deletions(-)

diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h
index 9705a8d..6456c4b 100644
--- a/drivers/common/octeontx2/otx2_common.h
+++ b/drivers/common/octeontx2/otx2_common.h
@@ -170,4 +170,24 @@ extern int otx2_logtype_dpi;
 #include "otx2_io_generic.h"
 #endif
 
+/* Fastpath lookup */
+#define OTX2_NIX_FASTPATH_LOOKUP_MEM "otx2_nix_fastpath_lookup_mem"
+#define PTYPE_NON_TUNNEL_WIDTH		16
+#define PTYPE_TUNNEL_WIDTH		12
+#define PTYPE_NON_TUNNEL_ARRAY_SZ	BIT(PTYPE_NON_TUNNEL_WIDTH)
+#define PTYPE_TUNNEL_ARRAY_SZ		BIT(PTYPE_TUNNEL_WIDTH)
+#define PTYPE_ARRAY_SZ			((PTYPE_NON_TUNNEL_ARRAY_SZ +\
+					 PTYPE_TUNNEL_ARRAY_SZ) *\
+					 sizeof(uint16_t))
+
+/* NIX_RX_PARSE_S's ERRCODE + ERRLEV (12 bits) */
+#define ERRCODE_ERRLEN_WIDTH		12
+#define ERR_ARRAY_SZ			((BIT(ERRCODE_ERRLEN_WIDTH)) *\
+					sizeof(uint32_t))
+
+#define PORT_ARRAY_SZ			(RTE_MAX_ETHPORTS * sizeof(uint64_t))
+
+#define LOOKUP_ARRAY_SZ			(PTYPE_ARRAY_SZ + ERR_ARRAY_SZ +\
+					PORT_ARRAY_SZ)
+
 #endif /* _OTX2_COMMON_H_ */
diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index 545c806..4d762d9 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -136,6 +136,59 @@ static const struct rte_security_capability otx2_sec_eth_capabilities[] = {
 	}
 };
 
+static void
+lookup_mem_sa_tbl_clear(struct rte_eth_dev *eth_dev)
+{
+	static const char name[] = OTX2_NIX_FASTPATH_LOOKUP_MEM;
+	uint16_t port = eth_dev->data->port_id;
+	const struct rte_memzone *mz;
+	uint64_t **sa_tbl;
+	uint8_t *mem;
+
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL)
+		return;
+
+	mem = mz->addr;
+
+	sa_tbl  = (uint64_t **)(mem + PTYPE_ARRAY_SZ + ERR_ARRAY_SZ);
+	if (sa_tbl[port] == NULL)
+		return;
+
+	rte_free(sa_tbl[port]);
+	sa_tbl[port] = NULL;
+}
+
+static int
+lookup_mem_sa_index_update(struct rte_eth_dev *eth_dev, int spi, void *sa)
+{
+	static const char name[] = OTX2_NIX_FASTPATH_LOOKUP_MEM;
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	const struct rte_memzone *mz;
+	uint64_t **sa_tbl;
+	uint8_t *mem;
+
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL) {
+		otx2_err("Could not find fastpath lookup table");
+		return -EINVAL;
+	}
+
+	mem = mz->addr;
+
+	sa_tbl = (uint64_t **)(mem + PTYPE_ARRAY_SZ + ERR_ARRAY_SZ);
+
+	if (sa_tbl[port] == NULL) {
+		sa_tbl[port] = rte_malloc(NULL, dev->ipsec_in_max_spi *
+					  sizeof(uint64_t), 0);
+	}
+
+	sa_tbl[port][spi] = (uint64_t)sa;
+
+	return 0;
+}
+
 static int
 otx2_sec_eth_tx_cpt_qp_get(uint16_t port_id, struct otx2_cpt_qp **qp)
 {
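Review bot: lookup_mem_sa_index_update() writes sa_tbl[port][spi] without checking the rte_malloc() result, so an allocation failure becomes a NULL dereference; return -ENOMEM instead. The table is allocated with rte_malloc() rather than rte_zmalloc(), so slots for SPIs that were never registered hold arbitrary values that any later reader of the table will treat as SA pointers. spi is an int taken on trust here; checking it against dev->ipsec_in_max_spi (and for a negative value) inside this function would keep the write in bounds independent of the caller. The offset expression mem + PTYPE_ARRAY_SZ + ERR_ARRAY_SZ is repeated in both functions and would be clearer as one named macro next to PORT_ARRAY_SZ.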
@@ -383,8 +436,10 @@ sec_eth_ipsec_in_sess_create(struct rte_eth_dev *eth_dev,
 
 	sa->userdata = priv->userdata;
 
-	return ipsec_fp_sa_ctl_set(ipsec, crypto_xform, ctl);
+	if (lookup_mem_sa_index_update(eth_dev, ipsec->spi, sa))
+		return -EINVAL;
 
+	return ipsec_fp_sa_ctl_set(ipsec, crypto_xform, ctl);
 }
 
 static int
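Review bot: the SA pointer is published to the fastpath table by lookup_mem_sa_index_update() before ipsec_fp_sa_ctl_set() has run, and nothing removes it if ipsec_fp_sa_ctl_set() then fails. Call ipsec_fp_sa_ctl_set() first and update the table only on success, or clear the slot on the error path. The return value of lookup_mem_sa_index_update() is also replaced with -EINVAL; propagating it would keep other error codes visible to the caller.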
@@ -667,6 +722,8 @@ otx2_sec_eth_fini(struct rte_eth_dev *eth_dev)
 	    !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
 		return;
 
+	lookup_mem_sa_tbl_clear(eth_dev);
+
 	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
 	rte_memzone_free(rte_memzone_lookup(name));
 }
diff --git a/drivers/net/octeontx2/otx2_lookup.c b/drivers/net/octeontx2/otx2_lookup.c
index bcf2ff4..46fdbc8 100644
--- a/drivers/net/octeontx2/otx2_lookup.c
+++ b/drivers/net/octeontx2/otx2_lookup.c
@@ -7,13 +7,6 @@
 
 #include "otx2_ethdev.h"
 
-/* NIX_RX_PARSE_S's ERRCODE + ERRLEV (12 bits) */
-#define ERRCODE_ERRLEN_WIDTH		12
-#define ERR_ARRAY_SZ			((BIT(ERRCODE_ERRLEN_WIDTH)) *\
-					sizeof(uint32_t))
-
-#define LOOKUP_ARRAY_SZ			(PTYPE_ARRAY_SZ + ERR_ARRAY_SZ)
-
 const uint32_t *
 otx2_nix_supported_ptypes_get(struct rte_eth_dev *eth_dev)
 {
@@ -314,7 +307,7 @@ nix_create_rx_ol_flags_array(void *mem)
 void *
 otx2_nix_fastpath_lookup_mem_get(void)
 {
-	const char name[] = "otx2_nix_fastpath_lookup_mem";
+	const char name[] = OTX2_NIX_FASTPATH_LOOKUP_MEM;
 	const struct rte_memzone *mz;
 	void *mem;
 
diff --git a/drivers/net/octeontx2/otx2_rx.h b/drivers/net/octeontx2/otx2_rx.h
index 351ad0f..5e1d5a2 100644
--- a/drivers/net/octeontx2/otx2_rx.h
+++ b/drivers/net/octeontx2/otx2_rx.h
@@ -5,17 +5,11 @@
 #ifndef __OTX2_RX_H__
 #define __OTX2_RX_H__
 
+#include "otx2_common.h"
+
 /* Default mark value used when none is provided. */
 #define OTX2_FLOW_ACTION_FLAG_DEFAULT	0xffff
 
-#define PTYPE_NON_TUNNEL_WIDTH		16
-#define PTYPE_TUNNEL_WIDTH		12
-#define PTYPE_NON_TUNNEL_ARRAY_SZ	BIT(PTYPE_NON_TUNNEL_WIDTH)
-#define PTYPE_TUNNEL_ARRAY_SZ		BIT(PTYPE_TUNNEL_WIDTH)
-#define PTYPE_ARRAY_SZ			((PTYPE_NON_TUNNEL_ARRAY_SZ +\
-					 PTYPE_TUNNEL_ARRAY_SZ) *\
-					 sizeof(uint16_t))
-
 #define NIX_RX_OFFLOAD_NONE            (0)
 #define NIX_RX_OFFLOAD_RSS_F           BIT(0)
 #define NIX_RX_OFFLOAD_PTYPE_F         BIT(1)
-- 
2.7.4



* [dpdk-dev] [PATCH 11/15] net/octeontx2: add inline ipsec rx path changes
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
                   ` (9 preceding siblings ...)
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 10/15] crypto/octeontx2: add lookup mem changes to hold sa indices Anoob Joseph
@ 2019-12-08 11:54 ` Anoob Joseph
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 12/15] drivers/octeontx2: add sec in compiler optimized RX fastpath framework Anoob Joseph
                   ` (5 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Tejasree Kondoj, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Vamsi Attunuru, Lukasz Bartosik, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

Adding post-processing required for inline IPsec inbound packets.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/Makefile        |  1 +
 drivers/crypto/octeontx2/otx2_security.h | 19 +++++++++
 drivers/event/octeontx2/Makefile         |  1 +
 drivers/event/octeontx2/meson.build      |  2 +
 drivers/net/octeontx2/Makefile           |  1 +
 drivers/net/octeontx2/meson.build        |  3 ++
 drivers/net/octeontx2/otx2_rx.h          | 72 ++++++++++++++++++++++++++++++++
 7 files changed, 99 insertions(+)

diff --git a/drivers/crypto/octeontx2/Makefile b/drivers/crypto/octeontx2/Makefile
index 5966ddc..62b630e 100644
--- a/drivers/crypto/octeontx2/Makefile
+++ b/drivers/crypto/octeontx2/Makefile
@@ -20,6 +20,7 @@ VPATH += $(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -O3
 CFLAGS += -I$(RTE_SDK)/drivers/common/cpt
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
 CFLAGS += -DALLOW_EXPERIMENTAL_API
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index adca00b..1229685 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -26,6 +26,25 @@ struct otx2_sec_eth_cfg {
 	rte_spinlock_t tx_cpt_lock;
 };
 
+#define OTX2_SEC_CPT_COMP_GOOD	0x1
+#define OTX2_SEC_UC_COMP_GOOD	0x0
+#define OTX2_SEC_COMP_GOOD	(OTX2_SEC_UC_COMP_GOOD << 8 | \
+				 OTX2_SEC_CPT_COMP_GOOD)
+
+/* CPT Result */
+struct otx2_cpt_res {
+	union {
+		struct {
+			uint64_t compcode:8;
+			uint64_t uc_compcode:8;
+			uint64_t doneint:1;
+			uint64_t reserved_17_63:47;
+			uint64_t reserved_64_127;
+		};
+		uint16_t u16[8];
+	};
+};
+
 /*
  * Security session for inline IPsec protocol offload. This is private data of
  * inline capable PMD.
diff --git a/drivers/event/octeontx2/Makefile b/drivers/event/octeontx2/Makefile
index 6dab69c..bcd22ee 100644
--- a/drivers/event/octeontx2/Makefile
+++ b/drivers/event/octeontx2/Makefile
@@ -11,6 +11,7 @@ LIB = librte_pmd_octeontx2_event.a
 
 CFLAGS += $(WERROR_FLAGS)
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/event/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
diff --git a/drivers/event/octeontx2/meson.build b/drivers/event/octeontx2/meson.build
index 807818b..56febb8 100644
--- a/drivers/event/octeontx2/meson.build
+++ b/drivers/event/octeontx2/meson.build
@@ -32,3 +32,5 @@ foreach flag: extra_flags
 endforeach
 
 deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2', 'pmd_octeontx2']
+
+includes += include_directories('../../crypto/octeontx2')
diff --git a/drivers/net/octeontx2/Makefile b/drivers/net/octeontx2/Makefile
index 68f5765..d31ce0a 100644
--- a/drivers/net/octeontx2/Makefile
+++ b/drivers/net/octeontx2/Makefile
@@ -11,6 +11,7 @@ LIB = librte_pmd_octeontx2.a
 
 CFLAGS += $(WERROR_FLAGS)
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
 CFLAGS += -O3
diff --git a/drivers/net/octeontx2/meson.build b/drivers/net/octeontx2/meson.build
index fad3076..4a06eb2 100644
--- a/drivers/net/octeontx2/meson.build
+++ b/drivers/net/octeontx2/meson.build
@@ -25,6 +25,7 @@ sources = files('otx2_rx.c',
 		)
 
 deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2']
+deps += ['cryptodev', 'security']
 
 cflags += ['-flax-vector-conversions']
 
@@ -39,3 +40,5 @@ foreach flag: extra_flags
 		cflags += flag
 	endif
 endforeach
+
+includes += include_directories('../../crypto/octeontx2')
diff --git a/drivers/net/octeontx2/otx2_rx.h b/drivers/net/octeontx2/otx2_rx.h
index 5e1d5a2..f1dbfb7 100644
--- a/drivers/net/octeontx2/otx2_rx.h
+++ b/drivers/net/octeontx2/otx2_rx.h
@@ -5,7 +5,11 @@
 #ifndef __OTX2_RX_H__
 #define __OTX2_RX_H__
 
+#include <rte_ether.h>
+
 #include "otx2_common.h"
+#include "otx2_ipsec_fp.h"
+#include "otx2_security.h"
 
 /* Default mark value used when none is provided. */
 #define OTX2_FLOW_ACTION_FLAG_DEFAULT	0xffff
@@ -25,6 +29,12 @@
 #define NIX_RX_MULTI_SEG_F            BIT(15)
 #define NIX_TIMESYNC_RX_OFFSET		8
 
+/* Inline IPsec offsets */
+
+#define INLINE_INB_RPTR_HDR		16
+/* nix_cqe_hdr_s + nix_rx_parse_s + nix_rx_sg_s + nix_iova_s */
+#define INLINE_CPT_RESULT_OFFSET	80
+
 struct otx2_timesync_info {
 	uint64_t	rx_tstamp;
 	rte_iova_t	tx_tstamp_iova;
@@ -184,6 +194,61 @@ nix_cqe_xtract_mseg(const struct nix_rx_parse_s *rx,
 	}
 }
 
+static __rte_always_inline uint16_t
+nix_rx_sec_cptres_get(const void *cq)
+{
+	volatile const struct otx2_cpt_res *res;
+
+	res = (volatile const struct otx2_cpt_res *)((const char *)cq +
+			INLINE_CPT_RESULT_OFFSET);
+
+	return res->u16[0];
+}
+
+static __rte_always_inline void *
+nix_rx_sec_sa_get(const void * const lookup_mem, int spi, uint16_t port)
+{
+	const uint64_t *const *sa_tbl = (const uint64_t * const *)
+			((const uint8_t *)lookup_mem + PTYPE_ARRAY_SZ +
+			ERR_ARRAY_SZ);
+
+	return (void *)sa_tbl[port][spi];
+}
+
+static __rte_always_inline uint64_t
+nix_rx_sec_mbuf_update(const struct nix_cqe_hdr_s *cq, struct rte_mbuf *m,
+		       const void * const lookup_mem)
+{
+	struct otx2_ipsec_fp_in_sa *sa;
+	struct rte_ipv4_hdr *ipv4;
+	uint16_t m_len;
+	uint32_t spi;
+	char *data;
+
+	if (unlikely(nix_rx_sec_cptres_get(cq) != OTX2_SEC_COMP_GOOD))
+		return PKT_RX_SEC_OFFLOAD | PKT_RX_SEC_OFFLOAD_FAILED;
+
+	/* 20 bits of tag would have the SPI */
+	spi = cq->tag & 0xFFFFF;
+
+	sa = nix_rx_sec_sa_get(lookup_mem, spi, m->port);
+	m->udata64 = (uint64_t)sa->userdata;
+
+	data = rte_pktmbuf_mtod(m, char *);
+	memcpy(data + INLINE_INB_RPTR_HDR, data, RTE_ETHER_HDR_LEN);
+
+	m->data_off += INLINE_INB_RPTR_HDR;
+
+	ipv4 = (struct rte_ipv4_hdr *)(data + INLINE_INB_RPTR_HDR +
+				       RTE_ETHER_HDR_LEN);
+
+	m_len = rte_be_to_cpu_16(ipv4->total_length) + RTE_ETHER_HDR_LEN;
+
+	m->data_len = m_len;
+	m->pkt_len = m_len;
+	return PKT_RX_SEC_OFFLOAD;
+}
+
 static __rte_always_inline void
 otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 		     struct rte_mbuf *mbuf, const void *lookup_mem,
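Review bot: nix_rx_sec_mbuf_update() takes spi from cq->tag & 0xFFFFF and nix_rx_sec_sa_get() indexes sa_tbl[port][spi] with it, with no check that sa_tbl[port] is non-NULL, that spi is below the per-port table size, or that the returned sa is non-NULL before sa->userdata is read. If the hardware lookup guarantees that only registered SPIs reach this point, state that in a comment; otherwise bound spi and return PKT_RX_SEC_OFFLOAD | PKT_RX_SEC_OFFLOAD_FAILED on a miss. m_len is also computed from ipv4->total_length of the received packet and written to data_len and pkt_len without being compared to the length the hardware reported for the buffer, and the code assumes an untagged Ethernet header followed by IPv4; clamp m_len to the received length and document the header assumptions. INLINE_CPT_RESULT_OFFSET is a bare 80; a compile-time check against the sizes named in its comment would catch layout changes.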
@@ -225,6 +290,13 @@ otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 	if (flag & NIX_RX_OFFLOAD_MARK_UPDATE_F)
 		ol_flags = nix_update_match_id(rx->match_id, ol_flags, mbuf);
 
+	if (cq->cqe_type == NIX_XQE_TYPE_RX_IPSECH) {
+		*(uint64_t *)(&mbuf->rearm_data) = val;
+		ol_flags |= nix_rx_sec_mbuf_update(cq, mbuf, lookup_mem);
+		mbuf->ol_flags = ol_flags;
+		return;
+	}
+
 	mbuf->ol_flags = ol_flags;
 	*(uint64_t *)(&mbuf->rearm_data) = val;
 	mbuf->pkt_len = len;
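
Review bot: the early return in the NIX_XQE_TYPE_RX_IPSECH branch skips the
"mbuf->pkt_len = len" assignment that follows, so for these completions the
lengths are only whatever nix_rx_sec_mbuf_update() writes, and that helper
returns before touching data_len and pkt_len when the CPT result is not
OTX2_SEC_COMP_GOOD. A packet flagged PKT_RX_SEC_OFFLOAD_FAILED therefore
leaves this function with no length written on this path; set the lengths
from len before calling the helper, or in its failure return. The branch is
also not gated by an offload flag the way the NIX_RX_OFFLOAD_MARK_UPDATE_F
check just above it is, so every generated Rx variant carries the cqe_type
test.
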
-- 
2.7.4



* [dpdk-dev] [PATCH 12/15] drivers/octeontx2: add sec in compiler optimized RX fastpath framework
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
                   ` (10 preceding siblings ...)
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 11/15] net/octeontx2: add inline ipsec rx path changes Anoob Joseph
@ 2019-12-08 11:54 ` Anoob Joseph
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 13/15] drivers/octeontx2: add sec in compiler optimized TX " Anoob Joseph
                   ` (4 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Archana Muniganti, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dev

From: Archana Muniganti <marchana@marvell.com>

Added new flag for SECURITY in RX compiler optimized fastpath
framework. With this, compiler autogenerates functions which
have security enabled.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/event/octeontx2/otx2_evdev.c       | 134 ++++++++-----
 drivers/event/octeontx2/otx2_evdev.h       |   2 +-
 drivers/event/octeontx2/otx2_worker.c      |   2 +-
 drivers/event/octeontx2/otx2_worker_dual.c |   2 +-
 drivers/net/octeontx2/otx2_ethdev.c        |   3 +
 drivers/net/octeontx2/otx2_rx.c            |  27 +--
 drivers/net/octeontx2/otx2_rx.h            | 306 ++++++++++++++++++++---------
 7 files changed, 320 insertions(+), 156 deletions(-)

diff --git a/drivers/event/octeontx2/otx2_evdev.c b/drivers/event/octeontx2/otx2_evdev.c
index 2daeba4..f6c641a 100644
--- a/drivers/event/octeontx2/otx2_evdev.c
+++ b/drivers/event/octeontx2/otx2_evdev.c
@@ -44,61 +44,64 @@ sso_fastpath_fns_set(struct rte_eventdev *event_dev)
 {
 	struct otx2_sso_evdev *dev = sso_pmd_priv(event_dev);
 	/* Single WS modes */
-	const event_dequeue_t ssogws_deq[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_ ##name,
+	const event_dequeue_t ssogws_deq[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_burst_t ssogws_deq_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_burst_ ##name,
+	const event_dequeue_burst_t ssogws_deq_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_deq_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_timeout_ ##name,
+	const event_dequeue_t ssogws_deq_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_deq_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_deq_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_deq_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_deq_seg[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_ ##name,
+	const event_dequeue_t ssogws_deq_seg[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_burst_t ssogws_deq_seg_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_burst_ ##name,
+	const event_dequeue_burst_t
+		ssogws_deq_seg_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_deq_seg_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_deq_seg_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_timeout_ ##name,
+	const event_dequeue_t ssogws_deq_seg_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_deq_seg_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_deq_seg_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_deq_seg_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 				otx2_ssogws_deq_seg_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
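
Review bot: the lookup tables in sso_fastpath_fns_set() are block-scope
"const" arrays without "static", and the added f6 dimension takes each one
from 64 to 128 function pointers. Declaring them "static const" lets them
live in read-only data instead of being materialised as locals each time the
function runs; with this many tables in one function the doubled size is
worth the one-word change.
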
@@ -106,64 +109,69 @@ SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 
 
 	/* Dual WS modes */
-	const event_dequeue_t ssogws_dual_deq[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_ ##name,
+	const event_dequeue_t ssogws_dual_deq[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_burst_t ssogws_dual_deq_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_burst_ ##name,
+	const event_dequeue_burst_t
+		ssogws_dual_deq_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_dual_deq_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_timeout_ ##name,
+	const event_dequeue_t ssogws_dual_deq_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_dual_deq_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_timeout_burst_ ##name,
+		ssogws_dual_deq_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =					\
+			otx2_ssogws_dual_deq_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_dual_deq_seg[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_seg_ ##name,
+	const event_dequeue_t ssogws_dual_deq_seg[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_seg_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_dual_deq_seg_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
-				otx2_ssogws_dual_deq_seg_burst_ ##name,
+		ssogws_dual_deq_seg_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_seg_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_dual_deq_seg_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
-				otx2_ssogws_dual_deq_seg_timeout_ ##name,
+	const event_dequeue_t
+		ssogws_dual_deq_seg_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_seg_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_dual_deq_seg_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =					\
-		otx2_ssogws_dual_deq_seg_timeout_burst_ ##name,
+		ssogws_dual_deq_seg_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_seg_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
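
Review bot: style, in ssogws_dual_deq_timeout_burst the rewritten
initializer line "[f6][f5][f4][f3][f2][f1][f0] =" is indented with one tab
while every other table touched in this hunk uses two. Since the line is
being rewritten anyway, align it with the rest.
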
@@ -209,6 +217,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 	event_dev->enqueue_forward_burst	= otx2_ssogws_enq_fwd_burst;
 	if (dev->rx_offloads & NIX_RX_MULTI_SEG_F) {
 		event_dev->dequeue		= ssogws_deq_seg
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
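
Review bot: the new "[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]"
index has to be the first subscript in every one of these selector chains,
matching the position of f6 in R(). Because all seven subscripts are 0/1
values, a chain that places it in the wrong position still compiles and
silently picks a different variant. The chain is repeated for every table in
this function and in the hunks that follow; a single helper macro that
expands the seven subscripts in order would remove that risk.
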
@@ -216,6 +225,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_PTYPE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		event_dev->dequeue_burst	= ssogws_deq_seg_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -224,6 +234,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		if (dev->is_timeout_deq) {
 			event_dev->dequeue	= ssogws_deq_seg_timeout
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -232,6 +243,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst	=
 				ssogws_deq_seg_timeout_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -241,6 +253,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		}
 	} else {
 		event_dev->dequeue			= ssogws_deq
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -248,6 +261,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_PTYPE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		event_dev->dequeue_burst		= ssogws_deq_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -256,6 +270,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		if (dev->is_timeout_deq) {
 			event_dev->dequeue		= ssogws_deq_timeout
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -264,6 +279,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst	=
 				ssogws_deq_timeout_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -303,6 +319,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		if (dev->rx_offloads & NIX_RX_MULTI_SEG_F) {
 			event_dev->dequeue	= ssogws_dual_deq_seg
 				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -313,6 +331,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_PTYPE_F)]
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst = ssogws_dual_deq_seg_burst
+				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -326,6 +346,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue	=
 					ssogws_dual_deq_seg_timeout
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -340,6 +362,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue_burst =
 					ssogws_dual_deq_seg_timeout_burst
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -355,6 +379,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		} else {
 			event_dev->dequeue		= ssogws_dual_deq
 				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -366,6 +392,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst	= ssogws_dual_deq_burst
 				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -379,6 +407,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue	=
 					ssogws_dual_deq_timeout
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -393,6 +423,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue_burst =
 					ssogws_dual_deq_timeout_burst
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
diff --git a/drivers/event/octeontx2/otx2_evdev.h b/drivers/event/octeontx2/otx2_evdev.h
index 231a12a..e20e251 100644
--- a/drivers/event/octeontx2/otx2_evdev.h
+++ b/drivers/event/octeontx2/otx2_evdev.h
@@ -278,7 +278,7 @@ uint16_t otx2_ssogws_dual_enq_fwd_burst(void *port, const struct rte_event ev[],
 					uint16_t nb_events);
 
 /* Auto generated API's */
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				       \
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			       \
 uint16_t otx2_ssogws_deq_ ##name(void *port, struct rte_event *ev,	       \
 				 uint64_t timeout_ticks);		       \
 uint16_t otx2_ssogws_deq_burst_ ##name(void *port, struct rte_event ev[],      \
diff --git a/drivers/event/octeontx2/otx2_worker.c b/drivers/event/octeontx2/otx2_worker.c
index 34d39f4..12445d9 100644
--- a/drivers/event/octeontx2/otx2_worker.c
+++ b/drivers/event/octeontx2/otx2_worker.c
@@ -81,7 +81,7 @@ otx2_ssogws_release_event(struct otx2_ssogws *ws)
 	otx2_ssogws_swtag_flush(ws);
 }
 
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
 uint16_t __hot								\
 otx2_ssogws_deq_ ##name(void *port, struct rte_event *ev,		\
 			uint64_t timeout_ticks)				\
diff --git a/drivers/event/octeontx2/otx2_worker_dual.c b/drivers/event/octeontx2/otx2_worker_dual.c
index 7016eee..22a4889 100644
--- a/drivers/event/octeontx2/otx2_worker_dual.c
+++ b/drivers/event/octeontx2/otx2_worker_dual.c
@@ -140,7 +140,7 @@ otx2_ssogws_dual_enq_fwd_burst(void *port, const struct rte_event ev[],
 	return 1;
 }
 
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
 uint16_t __hot								\
 otx2_ssogws_dual_deq_ ##name(void *port, struct rte_event *ev,		\
 			     uint64_t timeout_ticks)			\
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index 131e883..c215078 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -626,6 +626,9 @@ nix_rx_offload_flags(struct rte_eth_dev *eth_dev)
 	if ((dev->rx_offloads & DEV_RX_OFFLOAD_TIMESTAMP))
 		flags |= NIX_RX_OFFLOAD_TSTAMP_F;
 
+	if (dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY)
+		flags |= NIX_RX_OFFLOAD_SECURITY_F;
+
 	if (!dev->ptype_disable)
 		flags |= NIX_RX_OFFLOAD_PTYPE_F;
 
diff --git a/drivers/net/octeontx2/otx2_rx.c b/drivers/net/octeontx2/otx2_rx.c
index 48565db..ffe6996 100644
--- a/drivers/net/octeontx2/otx2_rx.c
+++ b/drivers/net/octeontx2/otx2_rx.c
@@ -320,7 +320,7 @@ nix_recv_pkts_vector(void *rx_queue, struct rte_mbuf **rx_pkts,
 
 #endif
 
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			       \
 static uint16_t __rte_noinline	__hot					       \
 otx2_nix_recv_pkts_ ## name(void *rx_queue,				       \
 			struct rte_mbuf **rx_pkts, uint16_t pkts)	       \
@@ -351,12 +351,13 @@ NIX_RX_FASTPATH_MODES
 
 static inline void
 pick_rx_func(struct rte_eth_dev *eth_dev,
-	     const eth_rx_burst_t rx_burst[2][2][2][2][2][2])
+	     const eth_rx_burst_t rx_burst[2][2][2][2][2][2][2])
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	/* [TSTMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
+	/* [SEC] [TSTMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
 	eth_dev->rx_pkt_burst = rx_burst
+		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_SECURITY_F)]
 		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_TSTAMP_F)]
 		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -370,25 +371,25 @@ otx2_eth_set_rx_function(struct rte_eth_dev *eth_dev)
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	const eth_rx_burst_t nix_eth_rx_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_ ## name,
+	const eth_rx_burst_t nix_eth_rx_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_ ## name,
 
 NIX_RX_FASTPATH_MODES
 #undef R
 	};
 
-	const eth_rx_burst_t nix_eth_rx_burst_mseg[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_mseg_ ## name,
+	const eth_rx_burst_t nix_eth_rx_burst_mseg[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_mseg_ ## name,
 
 NIX_RX_FASTPATH_MODES
 #undef R
 	};
 
-	const eth_rx_burst_t nix_eth_rx_vec_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_vec_ ## name,
+	const eth_rx_burst_t nix_eth_rx_vec_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_vec_ ## name,
 
 NIX_RX_FASTPATH_MODES
 #undef R
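
Review bot: these tables are filled by designated initializers from
NIX_RX_FASTPATH_MODES, so any combination the list omits stays a NULL
rx_burst pointer, and any row whose flags argument disagrees with its
indices generates the wrong variant. The list as rewritten in the otx2_rx.h
hunk of this patch goes from ts_mark_vlan_ptype_rss straight to
ts_mark_vlan_cksum_ptype, with no ts_mark_vlan_cksum or
ts_mark_vlan_cksum_rss row. It also keeps "MARK_F | RX_VLAN_F | CKSUM_F |
RSS_F" as the flags of ts_vlan_cksum_rss (TS_F expected) and gives the new
sec_mark_vlan row "RX_SEC_F | RX_VLAN_F" without MARK_F. Please fix those
rows and consider a check that the selected entry is non-NULL before it is
installed.
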
@@ -408,6 +409,6 @@ NIX_RX_FASTPATH_MODES
 	/* Copy multi seg version with no offload for tear down sequence */
 	if (rte_eal_process_type() == RTE_PROC_PRIMARY)
 		dev->rx_pkt_burst_no_offload =
-			nix_eth_rx_burst_mseg[0][0][0][0][0][0];
+			nix_eth_rx_burst_mseg[0][0][0][0][0][0][0];
 	rte_mb();
 }
diff --git a/drivers/net/octeontx2/otx2_rx.h b/drivers/net/octeontx2/otx2_rx.h
index f1dbfb7..a523503 100644
--- a/drivers/net/octeontx2/otx2_rx.h
+++ b/drivers/net/octeontx2/otx2_rx.h
@@ -21,6 +21,7 @@
 #define NIX_RX_OFFLOAD_VLAN_STRIP_F    BIT(3)
 #define NIX_RX_OFFLOAD_MARK_UPDATE_F   BIT(4)
 #define NIX_RX_OFFLOAD_TSTAMP_F        BIT(5)
+#define NIX_RX_OFFLOAD_SECURITY_F      BIT(6)
 
 /* Flags to control cqe_to_mbuf conversion function.
  * Defining it from backwards to denote its been
@@ -290,7 +291,8 @@ otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 	if (flag & NIX_RX_OFFLOAD_MARK_UPDATE_F)
 		ol_flags = nix_update_match_id(rx->match_id, ol_flags, mbuf);
 
-	if (cq->cqe_type == NIX_XQE_TYPE_RX_IPSECH) {
+	if ((flag & NIX_RX_OFFLOAD_SECURITY_F) &&
+	    cq->cqe_type == NIX_XQE_TYPE_RX_IPSECH) {
 		*(uint64_t *)(&mbuf->rearm_data) = val;
 		ol_flags |= nix_rx_sec_mbuf_update(cq, mbuf, lookup_mem);
 		mbuf->ol_flags = ol_flags;
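
Review bot: the condition rewritten here, "cq->cqe_type ==
NIX_XQE_TYPE_RX_IPSECH", was introduced by patch 11/15 of this same series.
Add the "flag & NIX_RX_OFFLOAD_SECURITY_F" gate in that patch instead of
changing the line one commit later, so that no intermediate commit carries
the ungated check in every Rx variant. A short comment is also warranted on
what is expected when a NIX_XQE_TYPE_RX_IPSECH completion reaches a variant
built without the flag, since it then falls through to the normal length
handling.
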
@@ -313,94 +315,220 @@ otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 #define RX_VLAN_F  NIX_RX_OFFLOAD_VLAN_STRIP_F
 #define MARK_F  NIX_RX_OFFLOAD_MARK_UPDATE_F
 #define TS_F	NIX_RX_OFFLOAD_TSTAMP_F
+#define RX_SEC_F   NIX_RX_OFFLOAD_SECURITY_F
 
-/* [TSMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
+/* [SEC] [TSMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
 #define NIX_RX_FASTPATH_MODES						       \
-R(no_offload,			0, 0, 0, 0, 0, 0, NIX_RX_OFFLOAD_NONE)	\
-R(rss,				0, 0, 0, 0, 0, 1, RSS_F)		\
-R(ptype,			0, 0, 0, 0, 1, 0, PTYPE_F)		\
-R(ptype_rss,			0, 0, 0, 0, 1, 1, PTYPE_F | RSS_F)	\
-R(cksum,			0, 0, 0, 1, 0, 0, CKSUM_F)		\
-R(cksum_rss,			0, 0, 0, 1, 0, 1, CKSUM_F | RSS_F)	\
-R(cksum_ptype,			0, 0, 0, 1, 1, 0, CKSUM_F | PTYPE_F)	\
-R(cksum_ptype_rss,		0, 0, 0, 1, 1, 1, CKSUM_F | PTYPE_F | RSS_F)\
-R(vlan,				0, 0, 1, 0, 0, 0, RX_VLAN_F)		\
-R(vlan_rss,			0, 0, 1, 0, 0, 1, RX_VLAN_F | RSS_F)	\
-R(vlan_ptype,			0, 0, 1, 0, 1, 0, RX_VLAN_F | PTYPE_F)	\
-R(vlan_ptype_rss,		0, 0, 1, 0, 1, 1, RX_VLAN_F | PTYPE_F | RSS_F)\
-R(vlan_cksum,			0, 0, 1, 1, 0, 0, RX_VLAN_F | CKSUM_F)	\
-R(vlan_cksum_rss,		0, 0, 1, 1, 0, 1, RX_VLAN_F | CKSUM_F | RSS_F)\
-R(vlan_cksum_ptype,		0, 0, 1, 1, 1, 0,			\
-			RX_VLAN_F | CKSUM_F | PTYPE_F)			\
-R(vlan_cksum_ptype_rss,		0, 0, 1, 1, 1, 1,			\
-			RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)		\
-R(mark,				0, 1, 0, 0, 0, 0, MARK_F)		\
-R(mark_rss,			0, 1, 0, 0, 0, 1, MARK_F | RSS_F)	\
-R(mark_ptype,			0, 1, 0, 0, 1, 0, MARK_F | PTYPE_F)	\
-R(mark_ptype_rss,		0, 1, 0, 0, 1, 1, MARK_F | PTYPE_F | RSS_F)\
-R(mark_cksum,			0, 1, 0, 1, 0, 0, MARK_F | CKSUM_F)	\
-R(mark_cksum_rss,		0, 1, 0, 1, 0, 1, MARK_F | CKSUM_F | RSS_F)\
-R(mark_cksum_ptype,		0, 1, 0, 1, 1, 0, MARK_F | CKSUM_F | PTYPE_F)\
-R(mark_cksum_ptype_rss,		0, 1, 0, 1, 1, 1,			\
-			MARK_F | CKSUM_F | PTYPE_F | RSS_F)		\
-R(mark_vlan,			0, 1, 1, 0, 0, 0, MARK_F | RX_VLAN_F)	\
-R(mark_vlan_rss,		0, 1, 1, 0, 0, 1, MARK_F | RX_VLAN_F | RSS_F)\
-R(mark_vlan_ptype,		0, 1, 1, 0, 1, 0,			\
-			MARK_F | RX_VLAN_F | PTYPE_F)			\
-R(mark_vlan_ptype_rss,		0, 1, 1, 0, 1, 1,			\
-			MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)		\
-R(mark_vlan_cksum,		0, 1, 1, 1, 0, 0,			\
-			MARK_F | RX_VLAN_F | CKSUM_F)			\
-R(mark_vlan_cksum_rss,		0, 1, 1, 1, 0, 1,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		\
-R(mark_vlan_cksum_ptype,	0, 1, 1, 1, 1, 0,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		\
-R(mark_vlan_cksum_ptype_rss,	0, 1, 1, 1, 1, 1,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	\
-R(ts,				1, 0, 0, 0, 0, 0, TS_F)			\
-R(ts_rss,			1, 0, 0, 0, 0, 1, TS_F | RSS_F)		\
-R(ts_ptype,			1, 0, 0, 0, 1, 0, TS_F | PTYPE_F)	\
-R(ts_ptype_rss,			1, 0, 0, 0, 1, 1, TS_F | PTYPE_F | RSS_F)\
-R(ts_cksum,			1, 0, 0, 1, 0, 0, TS_F | CKSUM_F)	\
-R(ts_cksum_rss,			1, 0, 0, 1, 0, 1, TS_F | CKSUM_F | RSS_F)\
-R(ts_cksum_ptype,		1, 0, 0, 1, 1, 0, TS_F | CKSUM_F | PTYPE_F)\
-R(ts_cksum_ptype_rss,		1, 0, 0, 1, 1, 1,			\
-			TS_F | CKSUM_F | PTYPE_F | RSS_F)		\
-R(ts_vlan,			1, 0, 1, 0, 0, 0, TS_F | RX_VLAN_F)	\
-R(ts_vlan_rss,			1, 0, 1, 0, 0, 1, TS_F | RX_VLAN_F | RSS_F)\
-R(ts_vlan_ptype,		1, 0, 1, 0, 1, 0, TS_F | RX_VLAN_F | PTYPE_F)\
-R(ts_vlan_ptype_rss,		1, 0, 1, 0, 1, 1,			\
-			TS_F | RX_VLAN_F | PTYPE_F | RSS_F)		\
-R(ts_vlan_cksum,		1, 0, 1, 1, 0, 0,			\
-			TS_F | RX_VLAN_F | CKSUM_F)			\
-R(ts_vlan_cksum_rss,		1, 0, 1, 1, 0, 1,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		\
-R(ts_vlan_cksum_ptype,		1, 0, 1, 1, 1, 0,			\
-			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		\
-R(ts_vlan_cksum_ptype_rss,	1, 0, 1, 1, 1, 1,			\
-			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	\
-R(ts_mark,			1, 1, 0, 0, 0, 0, TS_F | MARK_F)	\
-R(ts_mark_rss,			1, 1, 0, 0, 0, 1, TS_F | MARK_F | RSS_F)\
-R(ts_mark_ptype,		1, 1, 0, 0, 1, 0, TS_F | MARK_F | PTYPE_F)\
-R(ts_mark_ptype_rss,		1, 1, 0, 0, 1, 1,			\
-			TS_F | MARK_F | PTYPE_F | RSS_F)		\
-R(ts_mark_cksum,		1, 1, 0, 1, 0, 0, TS_F | MARK_F | CKSUM_F)\
-R(ts_mark_cksum_rss,		1, 1, 0, 1, 0, 1,			\
-			TS_F | MARK_F | CKSUM_F | RSS_F)\
-R(ts_mark_cksum_ptype,		1, 1, 0, 1, 1, 0,			\
-			TS_F | MARK_F | CKSUM_F | PTYPE_F)		\
-R(ts_mark_cksum_ptype_rss,	1, 1, 0, 1, 1, 1,			\
-			TS_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)	\
-R(ts_mark_vlan,			1, 1, 1, 0, 0, 0, TS_F | MARK_F | RX_VLAN_F)\
-R(ts_mark_vlan_rss,		1, 1, 1, 0, 0, 1,			\
-			TS_F | MARK_F | RX_VLAN_F | RSS_F)\
-R(ts_mark_vlan_ptype,		1, 1, 1, 0, 1, 0,			\
-			TS_F | MARK_F | RX_VLAN_F | PTYPE_F)		\
-R(ts_mark_vlan_ptype_rss,	1, 1, 1, 0, 1, 1,			\
-			TS_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)	\
-R(ts_mark_vlan_cksum_ptype,	1, 1, 1, 1, 1, 0,			\
-			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)	\
-R(ts_mark_vlan_cksum_ptype_rss,	1, 1, 1, 1, 1, 1,			\
-			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)
-
+R(no_offload,			0, 0, 0, 0, 0, 0, 0, NIX_RX_OFFLOAD_NONE)      \
+R(rss,				0, 0, 0, 0, 0, 0, 1, RSS_F)		       \
+R(ptype,			0, 0, 0, 0, 0, 1, 0, PTYPE_F)		       \
+R(ptype_rss,			0, 0, 0, 0, 0, 1, 1, PTYPE_F | RSS_F)	       \
+R(cksum,			0, 0, 0, 0, 1, 0, 0, CKSUM_F)		       \
+R(cksum_rss,			0, 0, 0, 0, 1, 0, 1, CKSUM_F | RSS_F)	       \
+R(cksum_ptype,			0, 0, 0, 0, 1, 1, 0, CKSUM_F | PTYPE_F)	       \
+R(cksum_ptype_rss,		0, 0, 0, 0, 1, 1, 1, CKSUM_F | PTYPE_F | RSS_F)\
+R(vlan,				0, 0, 0, 1, 0, 0, 0, RX_VLAN_F)		       \
+R(vlan_rss,			0, 0, 0, 1, 0, 0, 1, RX_VLAN_F | RSS_F)	       \
+R(vlan_ptype,			0, 0, 0, 1, 0, 1, 0, RX_VLAN_F | PTYPE_F)      \
+R(vlan_ptype_rss,		0, 0, 0, 1, 0, 1, 1,			       \
+			RX_VLAN_F | PTYPE_F | RSS_F)			       \
+R(vlan_cksum,			0, 0, 0, 1, 1, 0, 0, RX_VLAN_F | CKSUM_F)      \
+R(vlan_cksum_rss,		0, 0, 0, 1, 1, 0, 1,			       \
+			RX_VLAN_F | CKSUM_F | RSS_F)			       \
+R(vlan_cksum_ptype,		0, 0, 0, 1, 1, 1, 0,			       \
+			RX_VLAN_F | CKSUM_F | PTYPE_F)			       \
+R(vlan_cksum_ptype_rss,		0, 0, 0, 1, 1, 1, 1,			       \
+			RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(mark,				0, 0, 1, 0, 0, 0, 0, MARK_F)		       \
+R(mark_rss,			0, 0, 1, 0, 0, 0, 1, MARK_F | RSS_F)	       \
+R(mark_ptype,			0, 0, 1, 0, 0, 1, 0, MARK_F | PTYPE_F)	       \
+R(mark_ptype_rss,		0, 0, 1, 0, 0, 1, 1, MARK_F | PTYPE_F | RSS_F) \
+R(mark_cksum,			0, 0, 1, 0, 1, 0, 0, MARK_F | CKSUM_F)	       \
+R(mark_cksum_rss,		0, 0, 1, 0, 1, 0, 1, MARK_F | CKSUM_F | RSS_F) \
+R(mark_cksum_ptype,		0, 0, 1, 0, 1, 1, 0,			       \
+			MARK_F | CKSUM_F | PTYPE_F)			       \
+R(mark_cksum_ptype_rss,		0, 0, 1, 0, 1, 1, 1,			       \
+			MARK_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(mark_vlan,			0, 0, 1, 1, 0, 0, 0, MARK_F | RX_VLAN_F)       \
+R(mark_vlan_rss,		0, 0, 1, 1, 0, 0, 1,			       \
+			MARK_F | RX_VLAN_F | RSS_F)			       \
+R(mark_vlan_ptype,		0, 0, 1, 1, 0, 1, 0,			       \
+			MARK_F | RX_VLAN_F | PTYPE_F)			       \
+R(mark_vlan_ptype_rss,		0, 0, 1, 1, 0, 1, 1,			       \
+			MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)		       \
+R(mark_vlan_cksum,		0, 0, 1, 1, 1, 0, 0,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F)			       \
+R(mark_vlan_cksum_rss,		0, 0, 1, 1, 1, 0, 1,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		       \
+R(mark_vlan_cksum_ptype,	0, 0, 1, 1, 1, 1, 0,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		       \
+R(mark_vlan_cksum_ptype_rss,	0, 0, 1, 1, 1, 1, 1,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(ts,				0, 1, 0, 0, 0, 0, 0, TS_F)		       \
+R(ts_rss,			0, 1, 0, 0, 0, 0, 1, TS_F | RSS_F)	       \
+R(ts_ptype,			0, 1, 0, 0, 0, 1, 0, TS_F | PTYPE_F)	       \
+R(ts_ptype_rss,			0, 1, 0, 0, 0, 1, 1, TS_F | PTYPE_F | RSS_F)   \
+R(ts_cksum,			0, 1, 0, 0, 1, 0, 0, TS_F | CKSUM_F)	       \
+R(ts_cksum_rss,			0, 1, 0, 0, 1, 0, 1, TS_F | CKSUM_F | RSS_F)   \
+R(ts_cksum_ptype,		0, 1, 0, 0, 1, 1, 0, TS_F | CKSUM_F | PTYPE_F) \
+R(ts_cksum_ptype_rss,		0, 1, 0, 0, 1, 1, 1,			       \
+			TS_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(ts_vlan,			0, 1, 0, 1, 0, 0, 0, TS_F | RX_VLAN_F)	       \
+R(ts_vlan_rss,			0, 1, 0, 1, 0, 0, 1, TS_F | RX_VLAN_F | RSS_F) \
+R(ts_vlan_ptype,		0, 1, 0, 1, 0, 1, 0,			       \
+			TS_F | RX_VLAN_F | PTYPE_F)			       \
+R(ts_vlan_ptype_rss,		0, 1, 0, 1, 0, 1, 1,			       \
+			TS_F | RX_VLAN_F | PTYPE_F | RSS_F)		       \
+R(ts_vlan_cksum,		0, 1, 0, 1, 1, 0, 0,			       \
+			TS_F | RX_VLAN_F | CKSUM_F)			       \
+R(ts_vlan_cksum_rss,		0, 1, 0, 1, 1, 0, 1,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		       \
+R(ts_vlan_cksum_ptype,		0, 1, 0, 1, 1, 1, 0,			       \
+			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		       \
+R(ts_vlan_cksum_ptype_rss,	0, 1, 0, 1, 1, 1, 1,			       \
+			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(ts_mark,			0, 1, 1, 0, 0, 0, 0, TS_F | MARK_F)	       \
+R(ts_mark_rss,			0, 1, 1, 0, 0, 0, 1, TS_F | MARK_F | RSS_F)    \
+R(ts_mark_ptype,		0, 1, 1, 0, 0, 1, 0, TS_F | MARK_F | PTYPE_F)  \
+R(ts_mark_ptype_rss,		0, 1, 1, 0, 0, 1, 1,			       \
+			TS_F | MARK_F | PTYPE_F | RSS_F)		       \
+R(ts_mark_cksum,		0, 1, 1, 0, 1, 0, 0, TS_F | MARK_F | CKSUM_F)  \
+R(ts_mark_cksum_rss,		0, 1, 1, 0, 1, 0, 1,			       \
+			TS_F | MARK_F | CKSUM_F | RSS_F)		       \
+R(ts_mark_cksum_ptype,		0, 1, 1, 0, 1, 1, 0,			       \
+			TS_F | MARK_F | CKSUM_F | PTYPE_F)		       \
+R(ts_mark_cksum_ptype_rss,	0, 1, 1, 0, 1, 1, 1,			       \
+			TS_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(ts_mark_vlan,			0, 1, 1, 1, 0, 0, 0, TS_F | MARK_F | RX_VLAN_F)\
+R(ts_mark_vlan_rss,		0, 1, 1, 1, 0, 0, 1,			       \
+			TS_F | MARK_F | RX_VLAN_F | RSS_F)		       \
+R(ts_mark_vlan_ptype,		0, 1, 1, 1, 0, 1, 0,			       \
+			TS_F | MARK_F | RX_VLAN_F | PTYPE_F)		       \
+R(ts_mark_vlan_ptype_rss,	0, 1, 1, 1, 0, 1, 1,			       \
+			TS_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)	       \
+R(ts_mark_vlan_cksum_ptype,	0, 1, 1, 1, 1, 1, 0,			       \
+			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)	       \
+R(ts_mark_vlan_cksum_ptype_rss,	0, 1, 1, 1, 1, 1, 1,			       \
+			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F) \
+R(sec,				1, 0, 0, 0, 0, 0, 0, RX_SEC_F)		       \
+R(sec_rss,			1, 0, 0, 0, 0, 0, 1, RX_SEC_F | RSS_F)	       \
+R(sec_ptype,			1, 0, 0, 0, 0, 1, 0, RX_SEC_F | PTYPE_F)       \
+R(sec_ptype_rss,		1, 0, 0, 0, 0, 1, 1,			       \
+			RX_SEC_F | PTYPE_F | RSS_F)			       \
+R(sec_cksum,			1, 0, 0, 0, 1, 0, 0, RX_SEC_F | CKSUM_F)       \
+R(sec_cksum_rss,		1, 0, 0, 0, 1, 0, 1,			       \
+			RX_SEC_F | CKSUM_F | RSS_F)			       \
+R(sec_cksum_ptype,		1, 0, 0, 0, 1, 1, 0,			       \
+			RX_SEC_F | CKSUM_F | PTYPE_F)			       \
+R(sec_cksum_ptype_rss,		1, 0, 0, 0, 1, 1, 1,			       \
+			RX_SEC_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(sec_vlan,			1, 0, 0, 1, 0, 0, 0, RX_SEC_F | RX_VLAN_F)     \
+R(sec_vlan_rss,			1, 0, 0, 1, 0, 0, 1,			       \
+			RX_SEC_F | RX_VLAN_F | RSS_F)			       \
+R(sec_vlan_ptype,		1, 0, 0, 1, 0, 1, 0,			       \
+			RX_SEC_F | RX_VLAN_F | PTYPE_F)			       \
+R(sec_vlan_ptype_rss,		1, 0, 0, 1, 0, 1, 1,			       \
+			RX_SEC_F | RX_VLAN_F | PTYPE_F | RSS_F)		       \
+R(sec_vlan_cksum,		1, 0, 0, 1, 1, 0, 0,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F)			       \
+R(sec_vlan_cksum_rss,		1, 0, 0, 1, 1, 0, 1,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F | RSS_F)		       \
+R(sec_vlan_cksum_ptype,		1, 0, 0, 1, 1, 1, 0,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F | PTYPE_F)	       \
+R(sec_vlan_cksum_ptype_rss,	1, 0, 0, 1, 1, 1, 1,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)      \
+R(sec_mark,			1, 0, 1, 0, 0, 0, 0, RX_SEC_F | MARK_F)	       \
+R(sec_mark_rss,			1, 0, 1, 0, 0, 0, 1, RX_SEC_F | MARK_F | RSS_F)\
+R(sec_mark_ptype,		1, 0, 1, 0, 0, 1, 0,			       \
+			RX_SEC_F | MARK_F | PTYPE_F)			       \
+R(sec_mark_ptype_rss,		1, 0, 1, 0, 0, 1, 1,			       \
+			RX_SEC_F | MARK_F | PTYPE_F | RSS_F)		       \
+R(sec_mark_cksum,		1, 0, 1, 0, 1, 0, 0,			       \
+			RX_SEC_F | MARK_F | CKSUM_F)			       \
+R(sec_mark_cksum_rss,		1, 0, 1, 0, 1, 0, 1,			       \
+			RX_SEC_F | MARK_F | CKSUM_F | RSS_F)		       \
+R(sec_mark_cksum_ptype,		1, 0, 1, 0, 1, 1, 0,			       \
+			RX_SEC_F | MARK_F | CKSUM_F | PTYPE_F)		       \
+R(sec_mark_cksum_ptype_rss,	1, 0, 1, 0, 1, 1, 1,			       \
+			RX_SEC_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(sec_mark_vlan,		1, 0, 1, 1, 0, 0, 0, RX_SEC_F | RX_VLAN_F)     \
+R(sec_mark_vlan_rss,		1, 0, 1, 1, 0, 0, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | RSS_F)		       \
+R(sec_mark_vlan_ptype,		1, 0, 1, 1, 0, 1, 0,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | PTYPE_F)	       \
+R(sec_mark_vlan_ptype_rss,	1, 0, 1, 1, 0, 1, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)       \
+R(sec_mark_vlan_cksum,		1, 0, 1, 1, 1, 0, 0,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F)	       \
+R(sec_mark_vlan_cksum_rss,	1, 0, 1, 1, 1, 0, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)       \
+R(sec_mark_vlan_cksum_ptype,	1, 0, 1, 1, 1, 1, 0,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)     \
+R(sec_mark_vlan_cksum_ptype_rss,					       \
+				1, 0, 1, 1, 1, 1, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F |    \
+			RSS_F)						       \
+R(sec_ts,			1, 1, 0, 0, 0, 0, 0, RX_SEC_F | TS_F)	       \
+R(sec_ts_rss,			1, 1, 0, 0, 0, 0, 1, RX_SEC_F | TS_F | RSS_F)  \
+R(sec_ts_ptype,			1, 1, 0, 0, 0, 1, 0, RX_SEC_F | TS_F | PTYPE_F)\
+R(sec_ts_ptype_rss,		1, 1, 0, 0, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | PTYPE_F | RSS_F)		       \
+R(sec_ts_cksum,			1, 1, 0, 0, 1, 0, 0, RX_SEC_F | TS_F | CKSUM_F)\
+R(sec_ts_cksum_rss,		1, 1, 0, 0, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | CKSUM_F | RSS_F)		       \
+R(sec_ts_cksum_ptype,		1, 1, 0, 0, 1, 1, 0,			       \
+			RX_SEC_F | CKSUM_F | PTYPE_F)			       \
+R(sec_ts_cksum_ptype_rss,	1, 1, 0, 0, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(sec_ts_vlan,			1, 1, 0, 1, 0, 0, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F)			       \
+R(sec_ts_vlan_rss,		1, 1, 0, 1, 0, 0, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | RSS_F)		       \
+R(sec_ts_vlan_ptype,		1, 1, 0, 1, 0, 1, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | PTYPE_F)		       \
+R(sec_ts_vlan_ptype_rss,	1, 1, 0, 1, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | PTYPE_F | RSS_F)	       \
+R(sec_ts_vlan_cksum,		1, 1, 0, 1, 1, 0, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F)		       \
+R(sec_ts_vlan_cksum_rss,	1, 1, 0, 1, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F | RSS_F)	       \
+R(sec_ts_vlan_cksum_ptype,	1, 1, 0, 1, 1, 1, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F)       \
+R(sec_ts_vlan_cksum_ptype_rss,	1, 1, 0, 1, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F |      \
+			RSS_F)						       \
+R(sec_ts_mark,			1, 1, 1, 0, 0, 0, 0, RX_SEC_F | TS_F | MARK_F) \
+R(sec_ts_mark_rss,		1, 1, 1, 0, 0, 0, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RSS_F)		       \
+R(sec_ts_mark_ptype,		1, 1, 1, 0, 0, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | PTYPE_F)		       \
+R(sec_ts_mark_ptype_rss,	1, 1, 1, 0, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | PTYPE_F | RSS_F)	       \
+R(sec_ts_mark_cksum,		1, 1, 1, 0, 1, 0, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F)		       \
+R(sec_ts_mark_cksum_rss,	1, 1, 1, 0, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F | RSS_F)	       \
+R(sec_ts_mark_cksum_ptype,	1, 1, 1, 0, 1, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F | PTYPE_F)	       \
+R(sec_ts_mark_cksum_ptype_rss,	1, 1, 1, 0, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)  \
+R(sec_ts_mark_vlan,		1, 1, 1, 1, 0, 0, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F)		       \
+R(sec_ts_mark_vlan_rss,		1, 1, 1, 1, 0, 0, 1,			       \
+			RX_SEC_F | RX_VLAN_F | RSS_F)			       \
+R(sec_ts_mark_vlan_ptype,	1, 1, 1, 1, 0, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | PTYPE_F)	       \
+R(sec_ts_mark_vlan_ptype_rss,	1, 1, 1, 1, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)\
+R(sec_ts_mark_vlan_cksum,	1, 1, 1, 1, 1, 0, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F)	       \
+R(sec_ts_mark_vlan_cksum_rss,	1, 1, 1, 1, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)\
+R(sec_ts_mark_vlan_cksum_ptype,	1, 1, 1, 1, 1, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F |       \
+			PTYPE_F)					       \
+R(sec_ts_mark_vlan_cksum_ptype_rss,					       \
+				1, 1, 1, 1, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F |       \
+			PTYPE_F | RSS_F)
 #endif /* __OTX2_RX_H__ */
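Review bot: Three rows in the new sec block pass a flags argument that disagrees with their own bit columns. R(sec_mark_vlan, 1, 0, 1, 1, 0, 0, 0, ...) passes RX_SEC_F | RX_VLAN_F without MARK_F, R(sec_ts_cksum_ptype, 1, 1, 0, 0, 1, 1, 0, ...) omits TS_F, and R(sec_ts_mark_vlan_rss, 1, 1, 1, 1, 0, 0, 1, ...) omits both TS_F and MARK_F. The function placed at each of those indices would be generated from a flags value that lacks an offload its index says is enabled, so please add the missing flags. Separately, the ts_mark_vlan group goes from ts_mark_vlan_ptype_rss straight to ts_mark_vlan_cksum_ptype, so there are no rows for 0, 1, 1, 1, 1, 0, 0 and 0, 1, 1, 1, 1, 0, 1, although the corresponding sec_ts_mark_vlan_cksum and sec_ts_mark_vlan_cksum_rss rows are present further down.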
-- 
2.7.4



* [dpdk-dev] [PATCH 13/15] drivers/octeontx2: add sec in compiler optimized TX fastpath framework
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
                   ` (11 preceding siblings ...)
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 12/15] drivers/octeontx2: add sec in compiler optimized RX fastpath framework Anoob Joseph
@ 2019-12-08 11:54 ` Anoob Joseph
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 14/15] crypto/octeontx2: add inline tx path changes Anoob Joseph
                   ` (3 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Archana Muniganti, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dev

From: Archana Muniganti <marchana@marvell.com>

Added new flag for SECURITY in compiler optimized TX fastpath
framework. With this, compiler autogenerates functions which
have security enabled.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/event/octeontx2/otx2_evdev.c       |  36 ++--
 drivers/event/octeontx2/otx2_evdev.h       |   2 +-
 drivers/event/octeontx2/otx2_worker.c      |   4 +-
 drivers/event/octeontx2/otx2_worker_dual.c |   4 +-
 drivers/net/octeontx2/otx2_ethdev.c        |   3 +
 drivers/net/octeontx2/otx2_tx.c            |  29 +--
 drivers/net/octeontx2/otx2_tx.h            | 271 ++++++++++++++++++++++-------
 7 files changed, 250 insertions(+), 99 deletions(-)

diff --git a/drivers/event/octeontx2/otx2_evdev.c b/drivers/event/octeontx2/otx2_evdev.c
index f6c641a..d20213d 100644
--- a/drivers/event/octeontx2/otx2_evdev.c
+++ b/drivers/event/octeontx2/otx2_evdev.c
@@ -177,35 +177,37 @@ SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 	};
 
 	/* Tx modes */
-	const event_tx_adapter_enqueue ssogws_tx_adptr_enq[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =  otx2_ssogws_tx_adptr_enq_ ## name,
+	const event_tx_adapter_enqueue
+		ssogws_tx_adptr_enq[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_tx_adptr_enq_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 	};
 
 	const event_tx_adapter_enqueue
-		ssogws_tx_adptr_enq_seg[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_tx_adptr_enq_seg[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_tx_adptr_enq_seg_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 	};
 
 	const event_tx_adapter_enqueue
-		ssogws_dual_tx_adptr_enq[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_dual_tx_adptr_enq[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_dual_tx_adptr_enq_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 	};
 
 	const event_tx_adapter_enqueue
-		ssogws_dual_tx_adptr_enq_seg[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_dual_tx_adptr_enq_seg[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_dual_tx_adptr_enq_seg_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
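Review bot: Nothing here checks that the T() list covers all 128 slots of each widened [2][2][2][2][2][2][2] table. The four tables are filled only through the designated initializer [f6][f5][f4][f3][f2][f1][f0] = ..., so any flag combination the list has no row for is left as a NULL function pointer. With the list now doubling in size by hand-written rows, consider a check at init time (or a build-time count) that every slot is populated before one of them is assigned to txa_enqueue.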
@@ -290,8 +292,9 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 	}
 
 	if (dev->tx_offloads & NIX_TX_MULTI_SEG_F) {
-		/* [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
+		/* [SEC] [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
 		event_dev->txa_enqueue = ssogws_tx_adptr_enq_seg
+			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_SECURITY_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_MBUF_NOFF_F)]
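Review bot: The updated index comment above the ssogws_tx_adptr_enq_seg lookup still leaves out TSO. It reads [SEC] [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM], six fields, while the subscripts under it run SECURITY, TSO, TSTAMP, MBUF_NOFF and onward into a seven-dimensional table. Since the line is being rewritten anyway, add [TSO] after [SEC] so the comment matches the subscript order. The same comment is repeated in the dual-workslot branch later in this file and in pick_tx_func() in otx2_tx.c, and needs the same fix there.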
@@ -300,6 +303,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_L3_L4_CSUM_F)];
 	} else {
 		event_dev->txa_enqueue = ssogws_tx_adptr_enq
+			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_SECURITY_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_MBUF_NOFF_F)]
@@ -440,8 +444,10 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		}
 
 		if (dev->tx_offloads & NIX_TX_MULTI_SEG_F) {
-		/* [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
+		/* [SEC] [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
 			event_dev->txa_enqueue = ssogws_dual_tx_adptr_enq_seg
+				[!!(dev->tx_offloads &
+						NIX_TX_OFFLOAD_SECURITY_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->tx_offloads &
@@ -454,6 +460,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 						NIX_TX_OFFLOAD_L3_L4_CSUM_F)];
 		} else {
 			event_dev->txa_enqueue = ssogws_dual_tx_adptr_enq
+				[!!(dev->tx_offloads &
+						NIX_TX_OFFLOAD_SECURITY_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->tx_offloads &
diff --git a/drivers/event/octeontx2/otx2_evdev.h b/drivers/event/octeontx2/otx2_evdev.h
index e20e251..019e7a2 100644
--- a/drivers/event/octeontx2/otx2_evdev.h
+++ b/drivers/event/octeontx2/otx2_evdev.h
@@ -335,7 +335,7 @@ uint16_t otx2_ssogws_dual_deq_seg_timeout_burst_ ##name(void *port,	       \
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			     \
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			     \
 uint16_t otx2_ssogws_tx_adptr_enq_ ## name(void *port, struct rte_event ev[],\
 					   uint16_t nb_events);		     \
 uint16_t otx2_ssogws_tx_adptr_enq_seg_ ## name(void *port,		     \
diff --git a/drivers/event/octeontx2/otx2_worker.c b/drivers/event/octeontx2/otx2_worker.c
index 12445d9..8bec59e 100644
--- a/drivers/event/octeontx2/otx2_worker.c
+++ b/drivers/event/octeontx2/otx2_worker.c
@@ -267,7 +267,7 @@ otx2_ssogws_enq_fwd_burst(void *port, const struct rte_event ev[],
 	return 1;
 }
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_tx_adptr_enq_ ## name(void *port, struct rte_event ev[],	\
 				  uint16_t nb_events)			\
@@ -281,7 +281,7 @@ otx2_ssogws_tx_adptr_enq_ ## name(void *port, struct rte_event ev[],	\
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_tx_adptr_enq_seg_ ## name(void *port, struct rte_event ev[],\
 				      uint16_t nb_events)		\
diff --git a/drivers/event/octeontx2/otx2_worker_dual.c b/drivers/event/octeontx2/otx2_worker_dual.c
index 22a4889..3cba09c 100644
--- a/drivers/event/octeontx2/otx2_worker_dual.c
+++ b/drivers/event/octeontx2/otx2_worker_dual.c
@@ -307,7 +307,7 @@ otx2_ssogws_dual_deq_seg_timeout_burst_ ##name(void *port,		\
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_dual_tx_adptr_enq_ ## name(void *port,			\
 				       struct rte_event ev[],		\
@@ -324,7 +324,7 @@ otx2_ssogws_dual_tx_adptr_enq_ ## name(void *port,			\
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_dual_tx_adptr_enq_seg_ ## name(void *port,			\
 					   struct rte_event ev[],	\
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index c215078..8801173 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -698,6 +698,9 @@ nix_tx_offload_flags(struct rte_eth_dev *eth_dev)
 			  NIX_TX_OFFLOAD_OL3_OL4_CSUM_F |
 			  NIX_TX_OFFLOAD_L3_L4_CSUM_F);
 
+	if (conf & DEV_TX_OFFLOAD_SECURITY)
+		flags |= NIX_TX_OFFLOAD_SECURITY_F;
+
 	if ((dev->rx_offloads & DEV_RX_OFFLOAD_TIMESTAMP))
 		flags |= NIX_TX_OFFLOAD_TSTAMP_F;
 
diff --git a/drivers/net/octeontx2/otx2_tx.c b/drivers/net/octeontx2/otx2_tx.c
index fa53300..e43590e 100644
--- a/drivers/net/octeontx2/otx2_tx.c
+++ b/drivers/net/octeontx2/otx2_tx.c
@@ -945,7 +945,7 @@ nix_xmit_pkts_vector(void *tx_queue, struct rte_mbuf **tx_pkts,
 }
 #endif
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 static uint16_t __rte_noinline	__hot					\
 otx2_nix_xmit_pkts_ ## name(void *tx_queue,				\
 			struct rte_mbuf **tx_pkts, uint16_t pkts)	\
@@ -962,7 +962,7 @@ otx2_nix_xmit_pkts_ ## name(void *tx_queue,				\
 NIX_TX_FASTPATH_MODES
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 static uint16_t __rte_noinline	__hot					\
 otx2_nix_xmit_pkts_mseg_ ## name(void *tx_queue,			\
 			struct rte_mbuf **tx_pkts, uint16_t pkts)	\
@@ -980,7 +980,7 @@ otx2_nix_xmit_pkts_mseg_ ## name(void *tx_queue,			\
 NIX_TX_FASTPATH_MODES
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 static uint16_t __rte_noinline	__hot					\
 otx2_nix_xmit_pkts_vec_ ## name(void *tx_queue,				\
 			struct rte_mbuf **tx_pkts, uint16_t pkts)	\
@@ -998,12 +998,13 @@ NIX_TX_FASTPATH_MODES
 
 static inline void
 pick_tx_func(struct rte_eth_dev *eth_dev,
-	     const eth_tx_burst_t tx_burst[2][2][2][2][2][2])
+	     const eth_tx_burst_t tx_burst[2][2][2][2][2][2][2])
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	/* [TSTMP] [NOFF] [VLAN] [OL3_OL4_CSUM] [IL3_IL4_CSUM] */
+	/* [SEC] [TSTMP] [NOFF] [VLAN] [OL3_OL4_CSUM] [IL3_IL4_CSUM] */
 	eth_dev->tx_pkt_burst = tx_burst
+		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_SECURITY_F)]
 		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_TSO_F)]
 		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_TSTAMP_F)]
 		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_MBUF_NOFF_F)]
@@ -1017,25 +1018,25 @@ otx2_eth_set_tx_function(struct rte_eth_dev *eth_dev)
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	const eth_tx_burst_t nix_eth_tx_burst[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_ ## name,
+	const eth_tx_burst_t nix_eth_tx_burst[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_ ## name,
 
 NIX_TX_FASTPATH_MODES
 #undef T
 	};
 
-	const eth_tx_burst_t nix_eth_tx_burst_mseg[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_mseg_ ## name,
+	const eth_tx_burst_t nix_eth_tx_burst_mseg[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_mseg_ ## name,
 
 NIX_TX_FASTPATH_MODES
 #undef T
 	};
 
-	const eth_tx_burst_t nix_eth_tx_vec_burst[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_vec_ ## name,
+	const eth_tx_burst_t nix_eth_tx_vec_burst[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_vec_ ## name,
 
 NIX_TX_FASTPATH_MODES
 #undef T
diff --git a/drivers/net/octeontx2/otx2_tx.h b/drivers/net/octeontx2/otx2_tx.h
index 04e859b..3c43170 100644
--- a/drivers/net/octeontx2/otx2_tx.h
+++ b/drivers/net/octeontx2/otx2_tx.h
@@ -12,6 +12,7 @@
 #define NIX_TX_OFFLOAD_MBUF_NOFF_F	BIT(3)
 #define NIX_TX_OFFLOAD_TSTAMP_F		BIT(4)
 #define NIX_TX_OFFLOAD_TSO_F		BIT(5)
+#define NIX_TX_OFFLOAD_SECURITY_F	BIT(6)
 
 /* Flags to control xmit_prepare function.
  * Defining it from backwards to denote its been
@@ -470,136 +471,274 @@ otx2_nix_xmit_mseg_one(uint64_t *cmd, void *lmt_addr,
 #define NOFF_F       NIX_TX_OFFLOAD_MBUF_NOFF_F
 #define TSP_F        NIX_TX_OFFLOAD_TSTAMP_F
 #define TSO_F        NIX_TX_OFFLOAD_TSO_F
+#define TX_SEC_F     NIX_TX_OFFLOAD_SECURITY_F
 
-/* [TSO] [TSTMP] [NOFF] [VLAN] [OL3OL4CSUM] [L3L4CSUM] */
+/* [SEC] [TSO] [TSTMP] [NOFF] [VLAN] [OL3OL4CSUM] [L3L4CSUM] */
 #define NIX_TX_FASTPATH_MODES						\
-T(no_offload,				0, 0, 0, 0, 0, 0,	4,	\
+T(no_offload,				0, 0, 0, 0, 0, 0, 0,	4,	\
 		NIX_TX_OFFLOAD_NONE)					\
-T(l3l4csum,				0, 0, 0, 0, 0, 1,	4,	\
+T(l3l4csum,				0, 0, 0, 0, 0, 0, 1,	4,	\
 		L3L4CSUM_F)						\
-T(ol3ol4csum,				0, 0, 0, 0, 1, 0,	4,	\
+T(ol3ol4csum,				0, 0, 0, 0, 0, 1, 0,	4,	\
 		OL3OL4CSUM_F)						\
-T(ol3ol4csum_l3l4csum,			0, 0, 0, 0, 1, 1,	4,	\
+T(ol3ol4csum_l3l4csum,			0, 0, 0, 0, 0, 1, 1,	4,	\
 		OL3OL4CSUM_F | L3L4CSUM_F)				\
-T(vlan,					0, 0, 0, 1, 0, 0,	6,	\
+T(vlan,					0, 0, 0, 0, 1, 0, 0,	6,	\
 		VLAN_F)							\
-T(vlan_l3l4csum,			0, 0, 0, 1, 0, 1,	6,	\
+T(vlan_l3l4csum,			0, 0, 0, 0, 1, 0, 1,	6,	\
 		VLAN_F | L3L4CSUM_F)					\
-T(vlan_ol3ol4csum,			0, 0, 0, 1, 1, 0,	6,	\
+T(vlan_ol3ol4csum,			0, 0, 0, 0, 1, 1, 0,	6,	\
 		VLAN_F | OL3OL4CSUM_F)					\
-T(vlan_ol3ol4csum_l3l4csum,		0, 0, 0, 1, 1, 1,	6,	\
+T(vlan_ol3ol4csum_l3l4csum,		0, 0, 0, 0, 1, 1, 1,	6,	\
 		VLAN_F | OL3OL4CSUM_F |	L3L4CSUM_F)			\
-T(noff,					0, 0, 1, 0, 0, 0,	4,	\
+T(noff,					0, 0, 0, 1, 0, 0, 0,	4,	\
 		NOFF_F)							\
-T(noff_l3l4csum,			0, 0, 1, 0, 0, 1,	4,	\
+T(noff_l3l4csum,			0, 0, 0, 1, 0, 0, 1,	4,	\
 		NOFF_F | L3L4CSUM_F)					\
-T(noff_ol3ol4csum,			0, 0, 1, 0, 1, 0,	4,	\
+T(noff_ol3ol4csum,			0, 0, 0, 1, 0, 1, 0,	4,	\
 		NOFF_F | OL3OL4CSUM_F)					\
-T(noff_ol3ol4csum_l3l4csum,		0, 0, 1, 0, 1, 1,	4,	\
+T(noff_ol3ol4csum_l3l4csum,		0, 0, 0, 1, 0, 1, 1,	4,	\
 		NOFF_F | OL3OL4CSUM_F |	L3L4CSUM_F)			\
-T(noff_vlan,				0, 0, 1, 1, 0, 0,	6,	\
+T(noff_vlan,				0, 0, 0, 1, 1, 0, 0,	6,	\
 		NOFF_F | VLAN_F)					\
-T(noff_vlan_l3l4csum,			0, 0, 1, 1, 0, 1,	6,	\
+T(noff_vlan_l3l4csum,			0, 0, 0, 1, 1, 0, 1,	6,	\
 		NOFF_F | VLAN_F | L3L4CSUM_F)				\
-T(noff_vlan_ol3ol4csum,			0, 0, 1, 1, 1, 0,	6,	\
+T(noff_vlan_ol3ol4csum,			0, 0, 0, 1, 1, 1, 0,	6,	\
 		NOFF_F | VLAN_F | OL3OL4CSUM_F)				\
-T(noff_vlan_ol3ol4csum_l3l4csum,	0, 0, 1, 1, 1, 1,	6,	\
+T(noff_vlan_ol3ol4csum_l3l4csum,	0, 0, 0, 1, 1, 1, 1,	6,	\
 		NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(ts,					0, 1, 0, 0, 0, 0,	8,	\
+T(ts,					0, 0, 1, 0, 0, 0, 0,	8,	\
 		TSP_F)							\
-T(ts_l3l4csum,				0, 1, 0, 0, 0, 1,	8,	\
+T(ts_l3l4csum,				0, 0, 1, 0, 0, 0, 1,	8,	\
 		TSP_F | L3L4CSUM_F)					\
-T(ts_ol3ol4csum,			0, 1, 0, 0, 1, 0,	8,	\
+T(ts_ol3ol4csum,			0, 0, 1, 0, 0, 1, 0,	8,	\
 		TSP_F | OL3OL4CSUM_F)					\
-T(ts_ol3ol4csum_l3l4csum,		0, 1, 0, 0, 1, 1,	8,	\
+T(ts_ol3ol4csum_l3l4csum,		0, 0, 1, 0, 0, 1, 1,	8,	\
 		TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)			\
-T(ts_vlan,				0, 1, 0, 1, 0, 0,	8,	\
+T(ts_vlan,				0, 0, 1, 0, 1, 0, 0,	8,	\
 		TSP_F | VLAN_F)						\
-T(ts_vlan_l3l4csum,			0, 1, 0, 1, 0, 1,	8,	\
+T(ts_vlan_l3l4csum,			0, 0, 1, 0, 1, 0, 1,	8,	\
 		TSP_F | VLAN_F | L3L4CSUM_F)				\
-T(ts_vlan_ol3ol4csum,			0, 1, 0, 1, 1, 0,	8,	\
+T(ts_vlan_ol3ol4csum,			0, 0, 1, 0, 1, 1, 0,	8,	\
 		TSP_F | VLAN_F | OL3OL4CSUM_F)				\
-T(ts_vlan_ol3ol4csum_l3l4csum,		0, 1, 0, 1, 1, 1,	8,	\
+T(ts_vlan_ol3ol4csum_l3l4csum,		0, 0, 1, 0, 1, 1, 1,	8,	\
 		TSP_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(ts_noff,				0, 1, 1, 0, 0, 0,	8,	\
+T(ts_noff,				0, 0, 1, 1, 0, 0, 0,	8,	\
 		TSP_F | NOFF_F)						\
-T(ts_noff_l3l4csum,			0, 1, 1, 0, 0, 1,	8,	\
+T(ts_noff_l3l4csum,			0, 0, 1, 1, 0, 0, 1,	8,	\
 		TSP_F | NOFF_F | L3L4CSUM_F)				\
-T(ts_noff_ol3ol4csum,			0, 1, 1, 0, 1, 0,	8,	\
+T(ts_noff_ol3ol4csum,			0, 0, 1, 1, 0, 1, 0,	8,	\
 		TSP_F | NOFF_F | OL3OL4CSUM_F)				\
-T(ts_noff_ol3ol4csum_l3l4csum,		0, 1, 1, 0, 1, 1,	8,	\
+T(ts_noff_ol3ol4csum_l3l4csum,		0, 0, 1, 1, 0, 1, 1,	8,	\
 		TSP_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(ts_noff_vlan,				0, 1, 1, 1, 0, 0,	8,	\
+T(ts_noff_vlan,				0, 0, 1, 1, 1, 0, 0,	8,	\
 		TSP_F | NOFF_F | VLAN_F)				\
-T(ts_noff_vlan_l3l4csum,		0, 1, 1, 1, 0, 1,	8,	\
+T(ts_noff_vlan_l3l4csum,		0, 0, 1, 1, 1, 0, 1,	8,	\
 		TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)			\
-T(ts_noff_vlan_ol3ol4csum,		0, 1, 1, 1, 1, 0,	8,	\
+T(ts_noff_vlan_ol3ol4csum,		0, 0, 1, 1, 1, 1, 0,	8,	\
 		TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)			\
-T(ts_noff_vlan_ol3ol4csum_l3l4csum,	0, 1, 1, 1, 1, 1,	8,	\
+T(ts_noff_vlan_ol3ol4csum_l3l4csum,	0, 0, 1, 1, 1, 1, 1,	8,	\
 		TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
 									\
-T(tso,					1, 0, 0, 0, 0, 0,	6,	\
+T(tso,					0, 1, 0, 0, 0, 0, 0,	6,	\
 		TSO_F)							\
-T(tso_l3l4csum,				1, 0, 0, 0, 0, 1,	6,	\
+T(tso_l3l4csum,				0, 1, 0, 0, 0, 0, 1,	6,	\
 		TSO_F | L3L4CSUM_F)					\
-T(tso_ol3ol4csum,			1, 0, 0, 0, 1, 0,	6,	\
+T(tso_ol3ol4csum,			0, 1, 0, 0, 0, 1, 0,	6,	\
 		TSO_F | OL3OL4CSUM_F)					\
-T(tso_ol3ol4csum_l3l4csum,		1, 0, 0, 0, 1, 1,	6,	\
+T(tso_ol3ol4csum_l3l4csum,		0, 1, 0, 0, 0, 1, 1,	6,	\
 		TSO_F | OL3OL4CSUM_F | L3L4CSUM_F)			\
-T(tso_vlan,				1, 0, 0, 1, 0, 0,	6,	\
+T(tso_vlan,				0, 1, 0, 0, 1, 0, 0,	6,	\
 		TSO_F | VLAN_F)						\
-T(tso_vlan_l3l4csum,			1, 0, 0, 1, 0, 1,	6,	\
+T(tso_vlan_l3l4csum,			0, 1, 0, 0, 1, 0, 1,	6,	\
 		TSO_F | VLAN_F | L3L4CSUM_F)				\
-T(tso_vlan_ol3ol4csum,			1, 0, 0, 1, 1, 0,	6,	\
+T(tso_vlan_ol3ol4csum,			0, 1, 0, 0, 1, 1, 0,	6,	\
 		TSO_F | VLAN_F | OL3OL4CSUM_F)				\
-T(tso_vlan_ol3ol4csum_l3l4csum,		1, 0, 0, 1, 1, 1,	6,	\
+T(tso_vlan_ol3ol4csum_l3l4csum,		0, 1, 0, 0, 1, 1, 1,	6,	\
 		TSO_F | VLAN_F | OL3OL4CSUM_F |	L3L4CSUM_F)		\
-T(tso_noff,				1, 0, 1, 0, 0, 0,	6,	\
+T(tso_noff,				0, 1, 0, 1, 0, 0, 0,	6,	\
 		TSO_F | NOFF_F)						\
-T(tso_noff_l3l4csum,			1, 0, 1, 0, 0, 1,	6,	\
+T(tso_noff_l3l4csum,			0, 1, 0, 1, 0, 0, 1,	6,	\
 		TSO_F | NOFF_F | L3L4CSUM_F)				\
-T(tso_noff_ol3ol4csum,			1, 0, 1, 0, 1, 0,	6,	\
+T(tso_noff_ol3ol4csum,			0, 1, 0, 1, 0, 1, 0,	6,	\
 		TSO_F | NOFF_F | OL3OL4CSUM_F)				\
-T(tso_noff_ol3ol4csum_l3l4csum,		1, 0, 1, 0, 1, 1,	6,	\
+T(tso_noff_ol3ol4csum_l3l4csum,		0, 1, 0, 1, 0, 1, 1,	6,	\
 		TSO_F | NOFF_F | OL3OL4CSUM_F |	L3L4CSUM_F)		\
-T(tso_noff_vlan,			1, 0, 1, 1, 0, 0,	6,	\
+T(tso_noff_vlan,			0, 1, 0, 1, 1, 0, 0,	6,	\
 		TSO_F | NOFF_F | VLAN_F)				\
-T(tso_noff_vlan_l3l4csum,		1, 0, 1, 1, 0, 1,	6,	\
+T(tso_noff_vlan_l3l4csum,		0, 1, 0, 1, 1, 0, 1,	6,	\
 		TSO_F | NOFF_F | VLAN_F | L3L4CSUM_F)			\
-T(tso_noff_vlan_ol3ol4csum,		1, 0, 1, 1, 1, 0,	6,	\
+T(tso_noff_vlan_ol3ol4csum,		0, 1, 0, 1, 1, 1, 0,	6,	\
 		TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)			\
-T(tso_noff_vlan_ol3ol4csum_l3l4csum,	1, 0, 1, 1, 1, 1,	6,	\
+T(tso_noff_vlan_ol3ol4csum_l3l4csum,	0, 1, 0, 1, 1, 1, 1,	6,	\
 		TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
-T(tso_ts,				1, 1, 0, 0, 0, 0,	8,	\
+T(tso_ts,				0, 1, 1, 0, 0, 0, 0,	8,	\
 		TSO_F | TSP_F)						\
-T(tso_ts_l3l4csum,			1, 1, 0, 0, 0, 1,	8,	\
+T(tso_ts_l3l4csum,			0, 1, 1, 0, 0, 0, 1,	8,	\
 		TSO_F | TSP_F | L3L4CSUM_F)				\
-T(tso_ts_ol3ol4csum,			1, 1, 0, 0, 1, 0,	8,	\
+T(tso_ts_ol3ol4csum,			0, 1, 1, 0, 0, 1, 0,	8,	\
 		TSO_F | TSP_F | OL3OL4CSUM_F)				\
-T(tso_ts_ol3ol4csum_l3l4csum,		1, 1, 0, 0, 1, 1,	8,	\
+T(tso_ts_ol3ol4csum_l3l4csum,		0, 1, 1, 0, 0, 1, 1,	8,	\
 		TSO_F | TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(tso_ts_vlan,				1, 1, 0, 1, 0, 0,	8,	\
+T(tso_ts_vlan,				0, 1, 1, 0, 1, 0, 0,	8,	\
 		TSO_F | TSP_F | VLAN_F)					\
-T(tso_ts_vlan_l3l4csum,			1, 1, 0, 1, 0, 1,	8,	\
+T(tso_ts_vlan_l3l4csum,			0, 1, 1, 0, 1, 0, 1,	8,	\
 		TSO_F | TSP_F | VLAN_F | L3L4CSUM_F)			\
-T(tso_ts_vlan_ol3ol4csum,		1, 1, 0, 1, 1, 0,	8,	\
+T(tso_ts_vlan_ol3ol4csum,		0, 1, 1, 0, 1, 1, 0,	8,	\
 		TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F)			\
-T(tso_ts_vlan_ol3ol4csum_l3l4csum,	1, 1, 0, 1, 1, 1,	8,	\
+T(tso_ts_vlan_ol3ol4csum_l3l4csum,	0, 1, 1, 0, 1, 1, 1,	8,	\
 		TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
-T(tso_ts_noff,				1, 1, 1, 0, 0, 0,	8,	\
+T(tso_ts_noff,				0, 1, 1, 1, 0, 0, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F)					\
-T(tso_ts_noff_l3l4csum,			1, 1, 1, 0, 0, 1,	8,	\
+T(tso_ts_noff_l3l4csum,			0, 1, 1, 1, 0, 0, 1,	8,	\
 		TSO_F | TSP_F | NOFF_F | L3L4CSUM_F)			\
-T(tso_ts_noff_ol3ol4csum,		1, 1, 1, 0, 1, 0,	8,	\
+T(tso_ts_noff_ol3ol4csum,		0, 1, 1, 1, 0, 1, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F)			\
-T(tso_ts_noff_ol3ol4csum_l3l4csum,	1, 1, 1, 0, 1, 1,	8,	\
+T(tso_ts_noff_ol3ol4csum_l3l4csum,	0, 1, 1, 1, 0, 1, 1,	8,	\
 		TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
-T(tso_ts_noff_vlan,			1, 1, 1, 1, 0, 0,	8,	\
+T(tso_ts_noff_vlan,			0, 1, 1, 1, 1, 0, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F | VLAN_F)			\
-T(tso_ts_noff_vlan_l3l4csum,		1, 1, 1, 1, 0, 1,	8,	\
+T(tso_ts_noff_vlan_l3l4csum,		0, 1, 1, 1, 1, 0, 1,	8,	\
 		TSO_F | TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)		\
-T(tso_ts_noff_vlan_ol3ol4csum,		1, 1, 1, 1, 1, 0,	8,	\
+T(tso_ts_noff_vlan_ol3ol4csum,		0, 1, 1, 1, 1, 1, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)		\
-T(tso_ts_noff_vlan_ol3ol4csum_l3l4csum,	1, 1, 1, 1, 1, 1,	8,	\
-		TSO_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)
+T(tso_ts_noff_vlan_ol3ol4csum_l3l4csum,	0, 1, 1, 1, 1, 1, 1,	8,	\
+		TSO_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec,					1, 0, 0, 0, 0, 0, 0,	8,	\
+		TX_SEC_F)						\
+T(sec_l3l4csum,				1, 0, 0, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | L3L4CSUM_F)					\
+T(sec_ol3ol4csum,			1, 0, 0, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | OL3OL4CSUM_F)				\
+T(sec_ol3ol4csum_l3l4csum,		1, 0, 0, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | OL3OL4CSUM_F | L3L4CSUM_F)			\
+T(sec_vlan,				1, 0, 0, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | VLAN_F)					\
+T(sec_vlan_l3l4csum,			1, 0, 0, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | VLAN_F | L3L4CSUM_F)				\
+T(sec_vlan_ol3ol4csum,			1, 0, 0, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | VLAN_F | OL3OL4CSUM_F)			\
+T(sec_vlan_ol3ol4csum_l3l4csum,		1, 0, 0, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_noff,				1, 0, 0, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | NOFF_F)					\
+T(sec_noff_l3l4csum,			1, 0, 0, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | NOFF_F | L3L4CSUM_F)				\
+T(sec_noff_ol3ol4csum,			1, 0, 0, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | NOFF_F | OL3OL4CSUM_F)			\
+T(sec_noff_ol3ol4csum_l3l4csum,		1, 0, 0, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_noff_vlan,			1, 0, 0, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F)				\
+T(sec_noff_vlan_l3l4csum,		1, 0, 0, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F | L3L4CSUM_F)		\
+T(sec_noff_vlan_ol3ol4csum,		1, 0, 0, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)		\
+T(sec_noff_vlan_ol3ol4csum_l3l4csum,	1, 0, 0, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_ts,				1, 0, 1, 0, 0, 0, 0,	8,	\
+		TX_SEC_F | TSP_F)					\
+T(sec_ts_l3l4csum,			1, 0, 1, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | L3L4CSUM_F)				\
+T(sec_ts_ol3ol4csum,			1, 0, 1, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | OL3OL4CSUM_F)			\
+T(sec_ts_ol3ol4csum_l3l4csum,		1, 0, 1, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_ts_vlan,				1, 0, 1, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F)				\
+T(sec_ts_vlan_l3l4csum,			1, 0, 1, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F | L3L4CSUM_F)			\
+T(sec_ts_vlan_ol3ol4csum,		1, 0, 1, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F | OL3OL4CSUM_F)		\
+T(sec_ts_vlan_ol3ol4csum_l3l4csum,	1, 0, 1, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_ts_noff,				1, 0, 1, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F)				\
+T(sec_ts_noff_l3l4csum,			1, 0, 1, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | L3L4CSUM_F)			\
+T(sec_ts_noff_ol3ol4csum,		1, 0, 1, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | OL3OL4CSUM_F)		\
+T(sec_ts_noff_ol3ol4csum_l3l4csum,	1, 0, 1, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_ts_noff_vlan,			1, 0, 1, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F)			\
+T(sec_ts_noff_vlan_l3l4csum,		1, 0, 1, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)	\
+T(sec_ts_noff_vlan_ol3ol4csum,		1, 0, 1, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)	\
+T(sec_ts_noff_vlan_ol3ol4csum_l3l4csum,	1, 0, 1, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso,				1, 1, 0, 0, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F)					\
+T(sec_tso_l3l4csum,			1, 1, 0, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | L3L4CSUM_F)				\
+T(sec_tso_ol3ol4csum,			1, 1, 0, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | OL3OL4CSUM_F)			\
+T(sec_tso_ol3ol4csum_l3l4csum,		1, 1, 0, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_tso_vlan,				1, 1, 0, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F)				\
+T(sec_tso_vlan_l3l4csum,		1, 1, 0, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F | L3L4CSUM_F)			\
+T(sec_tso_vlan_ol3ol4csum,		1, 1, 0, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F | OL3OL4CSUM_F)		\
+T(sec_tso_vlan_ol3ol4csum_l3l4csum,	1, 1, 0, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_tso_noff,				1, 1, 0, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F)				\
+T(sec_tso_noff_l3l4csum,		1, 1, 0, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | L3L4CSUM_F)			\
+T(sec_tso_noff_ol3ol4csum,		1, 1, 0, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | OL3OL4CSUM_F)		\
+T(sec_tso_noff_ol3ol4csum_l3l4csum,	1, 1, 0, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_tso_noff_vlan,			1, 1, 0, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F)			\
+T(sec_tso_noff_vlan_l3l4csum,		1, 1, 0, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F | L3L4CSUM_F)	\
+T(sec_tso_noff_vlan_ol3ol4csum,		1, 1, 0, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)	\
+T(sec_tso_noff_vlan_ol3ol4csum_l3l4csum,				\
+					1, 1, 0, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso_ts,				1, 1, 1, 0, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F)				\
+T(sec_tso_ts_l3l4csum,			1, 1, 1, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | L3L4CSUM_F)			\
+T(sec_tso_ts_ol3ol4csum,		1, 1, 1, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | OL3OL4CSUM_F)		\
+T(sec_tso_ts_ol3ol4csum_l3l4csum,	1, 1, 1, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_tso_ts_vlan,			1, 1, 1, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F)			\
+T(sec_tso_ts_vlan_l3l4csum,		1, 1, 1, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F | L3L4CSUM_F)		\
+T(sec_tso_ts_vlan_ol3ol4csum,		1, 1, 1, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F)	\
+T(sec_tso_ts_vlan_ol3ol4csum_l3l4csum,	1, 1, 1, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso_ts_noff,			1, 1, 1, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F)			\
+T(sec_tso_ts_noff_l3l4csum,		1, 1, 1, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | L3L4CSUM_F)		\
+T(sec_tso_ts_noff_ol3ol4csum,		1, 1, 1, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F)	\
+T(sec_tso_ts_noff_ol3ol4csum_l3l4csum,	1, 1, 1, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso_ts_noff_vlan,			1, 1, 1, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F)		\
+T(sec_tso_ts_noff_vlan_l3l4csum,	1, 1, 1, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)\
+T(sec_tso_ts_noff_vlan_ol3ol4csum,	1, 1, 1, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F |		\
+		OL3OL4CSUM_F)						\
+T(sec_tso_ts_noff_vlan_ol3ol4csum_l3l4csum,				\
+					1, 1, 1, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F |		\
+		OL3OL4CSUM_F | L3L4CSUM_F)
 #endif /* __OTX2_TX_H__ */
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH 14/15] crypto/octeontx2: add inline tx path changes
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
                   ` (12 preceding siblings ...)
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 13/15] drivers/octeontx2: add sec in compiler optimized TX " Anoob Joseph
@ 2019-12-08 11:54 ` Anoob Joseph
  2019-12-14 15:42   ` Gavin Hu (Arm Technology China)
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 15/15] crypto/octeontx2: sync inline tag type cfg with Rx adapter configuration Anoob Joseph
                   ` (2 subsequent siblings)
  16 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

From: Ankur Dwivedi <adwivedi@marvell.com>

Adding pre-processing required for inline IPsec outbound packets.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/otx2_security.c    |  82 +++++++++++++
 drivers/crypto/octeontx2/otx2_security.h    |  60 ++++++++++
 drivers/crypto/octeontx2/otx2_security_tx.h | 176 ++++++++++++++++++++++++++++
 drivers/event/octeontx2/meson.build         |   3 +-
 drivers/event/octeontx2/otx2_worker.h       |   6 +
 5 files changed, 326 insertions(+), 1 deletion(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_security_tx.h

diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index 4d762d9..7bd5625 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -3,12 +3,15 @@
  */
 
 #include <rte_cryptodev.h>
+#include <rte_esp.h>
 #include <rte_ethdev.h>
 #include <rte_eventdev.h>
+#include <rte_ip.h>
 #include <rte_malloc.h>
 #include <rte_memzone.h>
 #include <rte_security.h>
 #include <rte_security_driver.h>
+#include <rte_udp.h>
 
 #include "otx2_cryptodev_qp.h"
 #include "otx2_ethdev.h"
@@ -17,6 +20,15 @@
 
 #define SEC_ETH_MAX_PKT_LEN	1450
 
+#define AH_HDR_LEN	12
+#define AES_GCM_IV_LEN	8
+#define AES_GCM_MAC_LEN	16
+#define AES_CBC_IV_LEN	16
+#define SHA1_HMAC_LEN	12
+
+#define AES_GCM_ROUNDUP_BYTE_LEN	4
+#define AES_CBC_ROUNDUP_BYTE_LEN	16
+
 struct sec_eth_tag_const {
 	RTE_STD_C11
 	union {
@@ -278,6 +290,60 @@ in_sa_get(uint16_t port, int sa_index)
 }
 
 static int
+ipsec_sa_const_set(struct rte_security_ipsec_xform *ipsec,
+		   struct rte_crypto_sym_xform *xform,
+		   struct otx2_sec_session_ipsec_ip *sess)
+{
+	struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
+
+	sess->partial_len = sizeof(struct rte_ipv4_hdr);
+
+	if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) {
+		sess->partial_len += sizeof(struct rte_esp_hdr);
+		sess->roundup_len = sizeof(struct rte_esp_tail);
+	} else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) {
+		sess->partial_len += AH_HDR_LEN;
+	} else {
+		return -EINVAL;
+	}
+
+	if (ipsec->options.udp_encap)
+		sess->partial_len += sizeof(struct rte_udp_hdr);
+
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+			sess->partial_len += AES_GCM_IV_LEN;
+			sess->partial_len += AES_GCM_MAC_LEN;
+			sess->roundup_byte = AES_GCM_ROUNDUP_BYTE_LEN;
+		}
+		return 0;
+	}
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		cipher_xform = xform;
+		auth_xform = xform->next;
+	} else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		auth_xform = xform;
+		cipher_xform = xform->next;
+	} else {
+		return -EINVAL;
+	}
+	if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		sess->partial_len += AES_CBC_IV_LEN;
+		sess->roundup_byte = AES_CBC_ROUNDUP_BYTE_LEN;
+	} else {
+		return -EINVAL;
+	}
+
+	if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+		sess->partial_len += SHA1_HMAC_LEN;
+	else
+		return -EINVAL;
+
+	return 0;
+}
+
+static int
 sec_eth_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 			      struct rte_security_ipsec_xform *ipsec,
 			      struct rte_crypto_sym_xform *crypto_xform,
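Review bot: In ipsec_sa_const_set() the AEAD branch returns 0 for any algorithm other than RTE_CRYPTO_AEAD_AES_GCM, which leaves sess->roundup_byte at 0 (the caller memsets the session first) and later feeds an alignment of 0 to RTE_ALIGN_CEIL in otx2_ipsec_fp_out_rlen_get(); return -EINVAL from that branch when aead.algo is not AES-GCM. The non-AEAD path also reads xform->next without a NULL check and never looks at xform->type, so a single-transform chain (cipher only or auth only) becomes a NULL dereference on cipher_xform->cipher.algo or auth_xform->auth.algo; validate the chain shape and transform types before using them.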
@@ -291,6 +357,7 @@ sec_eth_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 	struct otx2_ipsec_fp_sa_ctl *ctl;
 	struct otx2_ipsec_fp_out_sa *sa;
 	struct otx2_sec_session *priv;
+	struct otx2_cpt_inst_s inst;
 	struct otx2_cpt_qp *qp;
 
 	priv = get_sec_session_private_data(sec_sess);
@@ -305,6 +372,12 @@ sec_eth_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 
 	memset(sess, 0, sizeof(struct otx2_sec_session_ipsec_ip));
 
+	sess->seq = 1;
+
+	ret = ipsec_sa_const_set(ipsec, crypto_xform, sess);
+	if (ret < 0)
+		return ret;
+
 	memcpy(sa->nonce, &ipsec->salt, 4);
 
 	if (ipsec->options.udp_encap == 1) {
@@ -313,6 +386,9 @@ sec_eth_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 	}
 
 	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		/* Start ip id from 1 */
+		sess->ip_id = 1;
+
 		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
 			memcpy(&sa->ip_src, &ipsec->tunnel.ipv4.src_ip,
 			       sizeof(struct in_addr));
@@ -346,6 +422,12 @@ sec_eth_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 	else
 		return -EINVAL;
 
+	/* Determine word 7 of CPT instruction */
+	inst.u64[7] = 0;
+	inst.egrp = OTX2_CPT_EGRP_INLINE_IPSEC;
+	inst.cptr = rte_mempool_virt2iova(sa);
+	sess->inst_w7 = inst.u64[7];
+
 	/* Use OPAD & IPAD */
 	RTE_SET_USED(auth_key);
 	RTE_SET_USED(auth_key_len);
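Review bot: inst.cptr = rte_mempool_virt2iova(sa) only yields the right address if sa is the start of a mempool object, because rte_mempool_virt2iova() reads the object header located immediately before the pointer it is given. In otx2_sec_event_tx() the SA is taken as &sess->out_sa, a member of the session private data, so either document that out_sa sits at offset 0 of the object and enforce it with a build-time offset check, or compute the IOVA of the private-data object and add the member offset. The value is cached in sess->inst_w7 and handed to the CPT for every packet, so a wrong address here makes the hardware read its SA context from the wrong place.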
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index 1229685..e576f67 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -14,6 +14,15 @@
 #define OTX2_MAX_CPT_QP_PER_PORT 64
 #define OTX2_MAX_INLINE_PORTS 64
 
+#define OTX2_CPT_RES_ALIGN		16
+#define OTX2_NIX_SEND_DESC_ALIGN	16
+#define OTX2_CPT_INST_SIZE		64
+
+#define OTX2_CPT_EGRP_INLINE_IPSEC	1
+
+#define OTX2_CPT_OP_INLINE_IPSEC_OUTB	(0x40 | 0x25)
+#define OTX2_CPT_OP_INLINE_IPSEC_INB	(0x40 | 0x26)
+
 struct otx2_cpt_qp;
 
 struct otx2_sec_eth_cfg {
@@ -45,6 +54,42 @@ struct otx2_cpt_res {
 	};
 };
 
+struct otx2_cpt_inst_s {
+	union {
+		struct {
+			/* W0 */
+			uint64_t nixtxl : 3;
+			uint64_t doneint : 1;
+			uint64_t nixtx_addr : 60;
+			/* W1 */
+			uint64_t res_addr : 64;
+			/* W2 */
+			uint64_t tag : 32;
+			uint64_t tt : 2;
+			uint64_t grp : 10;
+			uint64_t rsvd_175_172 : 4;
+			uint64_t rvu_pf_func : 16;
+			/* W3 */
+			uint64_t qord : 1;
+			uint64_t rsvd_194_193 : 2;
+			uint64_t wqe_ptr : 61;
+			/* W4 */
+			uint64_t dlen : 16;
+			uint64_t param2 : 16;
+			uint64_t param1 : 16;
+			uint64_t opcode : 16;
+			/* W5 */
+			uint64_t dptr : 64;
+			/* W6 */
+			uint64_t rptr : 64;
+			/* W7 */
+			uint64_t cptr : 61;
+			uint64_t egrp : 3;
+		};
+		uint64_t u64[8];
+	};
+};
+
 /*
  * Security session for inline IPsec protocol offload. This is private data of
  * inline capable PMD.
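Review bot: struct otx2_cpt_inst_s describes a hardware instruction with C bit-fields, whose ordering is implementation-defined and as written matches a little-endian layout only; please say so in a comment above the struct or guard it on byte order. The anonymous struct and union should carry RTE_STD_C11, as the union in struct sec_eth_tag_const in otx2_security.c does, and a build-time check that sizeof(struct otx2_cpt_inst_s) equals OTX2_CPT_INST_SIZE would catch a field-width mistake, since the Tx path copies this struct to the LMT line as raw words.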
@@ -68,6 +113,21 @@ struct otx2_sec_session_ipsec_ip {
 	/* CPT LF enqueue register address */
 	rte_iova_t cpt_nq_reg;
 
+	/* Pre calculated lengths and data for a session */
+	uint8_t partial_len;
+	uint8_t roundup_len;
+	uint8_t roundup_byte;
+	uint16_t ip_id;
+	union {
+		uint64_t esn;
+		struct {
+			uint32_t seq;
+			uint32_t esn_hi;
+		};
+	};
+
+	uint64_t inst_w7;
+
 	/* CPT QP used by SA */
 	struct otx2_cpt_qp *qp;
 };
diff --git a/drivers/crypto/octeontx2/otx2_security_tx.h b/drivers/crypto/octeontx2/otx2_security_tx.h
new file mode 100644
index 0000000..772ff90
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_security_tx.h
@@ -0,0 +1,176 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2019 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_SECURITY_TX_H__
+#define __OTX2_SECURITY_TX_H__
+
+#include <rte_security.h>
+#include <rte_mbuf.h>
+
+#include "otx2_security.h"
+
+struct otx2_ipsec_fp_out_hdr {
+	uint32_t ip_id;
+	uint32_t seq;
+	uint8_t iv[16];
+};
+
+static __rte_always_inline int32_t
+otx2_ipsec_fp_out_rlen_get(struct otx2_sec_session_ipsec_ip *sess,
+			   uint32_t plen)
+{
+	uint32_t enc_payload_len;
+
+	enc_payload_len = RTE_ALIGN_CEIL(plen + sess->roundup_len,
+			sess->roundup_byte);
+
+	return sess->partial_len + enc_payload_len;
+}
+
+static __rte_always_inline void
+otx2_ssogws_head_wait(struct otx2_ssogws *ws);
+
+static __rte_always_inline int
+otx2_sec_event_tx(struct otx2_ssogws *ws, struct rte_event *ev,
+		  struct rte_mbuf *m, const struct otx2_eth_txq *txq,
+		  const uint32_t offload_flags)
+{
+	uint32_t dlen, rlen, desc_headroom, extend_head, extend_tail;
+	struct otx2_sec_session_ipsec_ip *sess;
+	struct otx2_ipsec_fp_out_hdr *hdr;
+	struct otx2_ipsec_fp_out_sa *sa;
+	uint64_t data_addr, desc_addr;
+	struct otx2_sec_session *priv;
+	struct otx2_cpt_inst_s inst;
+	uint64_t lmt_status;
+	char *data;
+
+	struct desc {
+		struct otx2_cpt_res cpt_res __rte_aligned(OTX2_CPT_RES_ALIGN);
+		struct nix_send_hdr_s nix_hdr
+				__rte_aligned(OTX2_NIX_SEND_DESC_ALIGN);
+		union nix_send_sg_s nix_sg;
+		struct nix_iova_s nix_iova;
+	} *sd;
+
+	priv = get_sec_session_private_data((void *)(m->udata64));
+	sess = &priv->ipsec.ip;
+	sa = &sess->out_sa;
+
+	RTE_ASSERT(sess->cpt_lmtline != NULL);
+	RTE_ASSERT(!(offload_flags & (NIX_TX_OFFLOAD_MBUF_NOFF_F |
+				      NIX_TX_OFFLOAD_VLAN_QINQ)));
+
+	dlen = rte_pktmbuf_pkt_len(m) + sizeof(*hdr) - RTE_ETHER_HDR_LEN;
+	rlen = otx2_ipsec_fp_out_rlen_get(sess, dlen - sizeof(*hdr));
+
+	RTE_BUILD_BUG_ON(OTX2_CPT_RES_ALIGN % OTX2_NIX_SEND_DESC_ALIGN);
+	RTE_BUILD_BUG_ON(sizeof(sd->cpt_res) % OTX2_NIX_SEND_DESC_ALIGN);
+
+	extend_head = sizeof(*hdr);
+	extend_tail = rlen - dlen;
+
+	desc_headroom = (OTX2_CPT_RES_ALIGN - 1) + sizeof(*sd);
+
+	if (unlikely(!rte_pktmbuf_is_contiguous(m)) ||
+	    unlikely(rte_pktmbuf_headroom(m) < extend_head + desc_headroom) ||
+	    unlikely(rte_pktmbuf_tailroom(m) < extend_tail)) {
+		goto drop;
+	}
+
+	/*
+	 * Extend mbuf data to point to the expected packet buffer for NIX.
+	 * This includes the Ethernet header followed by the encrypted IPsec
+	 * payload
+	 */
+	rte_pktmbuf_append(m, extend_tail);
+	data = rte_pktmbuf_prepend(m, extend_head);
+	data_addr = rte_pktmbuf_mtophys(m);
+
+	/*
+	 * Move the Ethernet header, to insert otx2_ipsec_fp_out_hdr prior
+	 * to the IP header
+	 */
+	memcpy(data, data + sizeof(*hdr), RTE_ETHER_HDR_LEN);
+
+	hdr = (struct otx2_ipsec_fp_out_hdr *)(data + RTE_ETHER_HDR_LEN);
+
+	memcpy(hdr->iv, &sa->nonce, 4);
+	memset(hdr->iv + 4, 0, 12); //TODO: make it random
+
+	/* Keep CPT result and NIX send descriptors in headroom */
+	sd = (void *)RTE_PTR_ALIGN(data - desc_headroom, OTX2_CPT_RES_ALIGN);
+	desc_addr = data_addr - RTE_PTR_DIFF(data, sd);
+
+	/* Prepare CPT instruction */
+
+	inst.nixtx_addr = (desc_addr + offsetof(struct desc, nix_hdr)) >> 4;
+	inst.doneint = 0;
+	inst.nixtxl = 1;
+	inst.res_addr = desc_addr + offsetof(struct desc, cpt_res);
+	inst.u64[2] = 0;
+	inst.u64[3] = 0;
+	inst.wqe_ptr = desc_addr >> 3;	/* FIXME: Handle errors */
+	inst.qord = 1;
+	inst.opcode = OTX2_CPT_OP_INLINE_IPSEC_OUTB;
+	inst.dlen = dlen;
+	inst.dptr = data_addr + RTE_ETHER_HDR_LEN;
+	inst.rptr = sa->ctl.spi;
+	inst.u64[7] = sess->inst_w7;
+
+	/* First word contains 8 bit completion code & 8 bit uc comp code */
+	sd->cpt_res.u16[0] = 0;
+
+	/* Prepare NIX send descriptors for output expected from CPT */
+
+	sd->nix_hdr.w0.u = 0;
+	sd->nix_hdr.w1.u = 0;
+	sd->nix_hdr.w0.sq = txq->sq;
+	sd->nix_hdr.w0.sizem1 = 1;
+	sd->nix_hdr.w0.total = rte_pktmbuf_data_len(m);
+	sd->nix_hdr.w0.aura = npa_lf_aura_handle_to_aura(m->pool->pool_id);
+
+	sd->nix_sg.u = 0;
+	sd->nix_sg.subdc = NIX_SUBDC_SG;
+	sd->nix_sg.ld_type = NIX_SENDLDTYPE_LDD;
+	sd->nix_sg.segs = 1;
+	sd->nix_sg.seg1_size = rte_pktmbuf_data_len(m);
+
+	sd->nix_iova.addr = rte_mbuf_data_iova(m);
+
+	/* Mark mempool object as "put" since it is freed by NIX */
+	__mempool_check_cookies(m->pool, (void **)&m, 1, 0);
+
+	if (!ev->sched_type)
+		otx2_ssogws_head_wait(ws);
+
+	inst.param1 = sess->esn_hi >> 16;
+	inst.param2 = sess->esn_hi & 0xffff;
+
+	hdr->seq = rte_cpu_to_be_32(sess->seq);
+	hdr->ip_id = rte_cpu_to_be_32(sess->ip_id);
+
+	sess->ip_id++;
+	sess->esn++;
+
+	rte_cio_wmb();
+
+	do {
+		otx2_lmt_mov(sess->cpt_lmtline, &inst, 2);
+		lmt_status = otx2_lmt_submit(sess->cpt_nq_reg);
+	} while (lmt_status == 0);
+
+	return 1;
+
+drop:
+	if (offload_flags & NIX_TX_OFFLOAD_MBUF_NOFF_F) {
+		/* Don't free if reference count > 1 */
+		if (rte_pktmbuf_prefree_seg(m) == NULL)
+			return 0;
+	}
+	rte_pktmbuf_free(m);
+	return 0;
+}
+
+#endif /* __OTX2_SECURITY_TX_H__ */
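Review bot: The per-packet IV in otx2_sec_event_tx() is constant: hdr->iv gets the 4-byte salt followed by memset(hdr->iv + 4, 0, 12), with only a "TODO: make it random", so every packet on an SA is submitted with the same IV bytes. AES-GCM requires a unique nonce per packet under one key and AES-CBC requires an unpredictable IV, so this should not go in as a TODO unless the hardware is documented to overwrite these bytes; for GCM a per-SA counter (the sequence number already kept in sess->esn would do) is the usual way to guarantee uniqueness, rather than random bytes. Separately, sess->ip_id++ and sess->esn++ are plain increments and only the !ev->sched_type case waits for head, so please document what serialises two workers transmitting on the same SA and what happens when seq wraps on an SA without ESN. The drop label tests NIX_TX_OFFLOAD_MBUF_NOFF_F although the RTE_ASSERT above states that flag is never set on this path, and the "FIXME: Handle errors" on wqe_ptr needs to be resolved or explained.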
diff --git a/drivers/event/octeontx2/meson.build b/drivers/event/octeontx2/meson.build
index 56febb8..be4b47a 100644
--- a/drivers/event/octeontx2/meson.build
+++ b/drivers/event/octeontx2/meson.build
@@ -31,6 +31,7 @@ foreach flag: extra_flags
 	endif
 endforeach
 
-deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2', 'pmd_octeontx2']
+deps += ['bus_pci', 'common_octeontx2', 'cryptodev', 'mempool_octeontx2', 'pmd_octeontx2',
+         'security']
 
 includes += include_directories('../../crypto/octeontx2')
diff --git a/drivers/event/octeontx2/otx2_worker.h b/drivers/event/octeontx2/otx2_worker.h
index 7d161c8..c5ea4dd 100644
--- a/drivers/event/octeontx2/otx2_worker.h
+++ b/drivers/event/octeontx2/otx2_worker.h
@@ -10,6 +10,7 @@
 
 #include <otx2_common.h>
 #include "otx2_evdev.h"
+#include "otx2_security_tx.h"
 
 /* SSO Operations */
 
@@ -281,6 +282,11 @@ otx2_ssogws_event_tx(struct otx2_ssogws *ws, struct rte_event ev[],
 	const struct otx2_eth_txq *txq = otx2_ssogws_xtract_meta(m);
 
 	rte_prefetch_non_temporal(txq);
+
+	if ((flags & NIX_TX_OFFLOAD_SECURITY_F) &&
+	    (m->ol_flags & PKT_TX_SEC_OFFLOAD))
+		return otx2_sec_event_tx(ws, ev, m, txq, flags);
+
 	/* Perform header writes before barrier for TSO */
 	otx2_nix_xmit_prepare_tso(m, flags);
 	otx2_ssogws_order(ws, !ev->sched_type);
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH 15/15] crypto/octeontx2: sync inline tag type cfg with Rx adapter configuration
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
                   ` (13 preceding siblings ...)
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 14/15] crypto/octeontx2: add inline tx path changes Anoob Joseph
@ 2019-12-08 11:54 ` Anoob Joseph
  2019-12-09  8:06 ` [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Jerin Jacob
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2019-12-08 11:54 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Vamsi Attunuru, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Lukasz Bartosik, dev

From: Vamsi Attunuru <vattunuru@marvell.com>

Tag type configuration for the inline processed packets is set during
ethdev configuration. It might conflict with the tag type configuration
done during Rx adapter configuration, which would be set up later.

This conflict is fixed as part of flow rule creation by updating the
tag type config of inline to be the same as the Rx adapter configured
tag type.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/common/octeontx2/otx2_common.h    |  2 ++
 drivers/crypto/octeontx2/otx2_cryptodev.c |  2 ++
 drivers/crypto/octeontx2/otx2_security.c  | 28 ++++++++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.h  |  2 ++
 drivers/net/octeontx2/otx2_flow.c         | 26 ++++++++++++++++++++++++++
 5 files changed, 60 insertions(+)

diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h
index 6456c4b..3e53e5b 100644
--- a/drivers/common/octeontx2/otx2_common.h
+++ b/drivers/common/octeontx2/otx2_common.h
@@ -81,12 +81,14 @@ typedef int (*otx2_sec_eth_ctx_create_t)(struct rte_eth_dev *eth_dev);
 typedef void (*otx2_sec_eth_ctx_destroy_t)(struct rte_eth_dev *eth_dev);
 typedef int (*otx2_sec_eth_init_t)(struct rte_eth_dev *eth_dev);
 typedef void (*otx2_sec_eth_fini_t)(struct rte_eth_dev *eth_dev);
+typedef int (*otx2_sec_eth_update_tag_type_t)(struct rte_eth_dev *eth_dev);
 
 struct otx2_sec_eth_crypto_idev_ops {
 	otx2_sec_eth_ctx_create_t ctx_create;
 	otx2_sec_eth_ctx_destroy_t ctx_destroy;
 	otx2_sec_eth_init_t init;
 	otx2_sec_eth_fini_t fini;
+	otx2_sec_eth_update_tag_type_t update_tag_type;
 };
 
 extern struct otx2_sec_eth_crypto_idev_ops otx2_sec_idev_ops;
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev.c b/drivers/crypto/octeontx2/otx2_cryptodev.c
index 34feb82..b944a51 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev.c
@@ -160,4 +160,6 @@ RTE_INIT(otx2_cpt_init_log)
 	otx2_sec_idev_ops.ctx_destroy = otx2_sec_eth_ctx_destroy;
 	otx2_sec_idev_ops.init = otx2_sec_eth_init;
 	otx2_sec_idev_ops.fini = otx2_sec_eth_fini;
+	otx2_sec_idev_ops.update_tag_type = otx2_sec_eth_update_tag_type;
+
 }
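Review bot: The blank line added before the closing brace of RTE_INIT(otx2_cpt_init_log) is stray whitespace; drop it so the hunk adds only the update_tag_type assignment.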
diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index 7bd5625..25fdc4e 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -749,6 +749,34 @@ sec_eth_ipsec_cfg(struct rte_eth_dev *eth_dev, uint8_t tt)
 }
 
 int
+otx2_sec_eth_update_tag_type(struct rte_eth_dev *eth_dev)
+{
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	struct otx2_mbox *mbox = dev->mbox;
+	struct nix_aq_enq_rsp *rsp;
+	struct nix_aq_enq_req *aq;
+	int ret;
+
+	aq = otx2_mbox_alloc_msg_nix_aq_enq(mbox);
+	aq->qidx = 0; /* Read RQ:0 context */
+	aq->ctype = NIX_AQ_CTYPE_RQ;
+	aq->op = NIX_AQ_INSTOP_READ;
+
+	ret = otx2_mbox_process_msg(mbox, (void *)&rsp);
+	if (ret < 0) {
+		otx2_err("Could not read RQ context");
+		return ret;
+	}
+
+	/* Update tag type */
+	ret = sec_eth_ipsec_cfg(eth_dev, rsp->rq.sso_tt);
+	if (ret < 0)
+		otx2_err("Could not update sec eth tag type");
+
+	return ret;
+}
+
+int
 otx2_sec_eth_init(struct rte_eth_dev *eth_dev)
 {
 	const size_t sa_width = sizeof(struct otx2_ipsec_fp_in_sa);
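Review bot: otx2_sec_eth_update_tag_type() reads the context of RQ 0 only (aq->qidx = 0) and applies rsp->rq.sso_tt to the inline configuration of the whole port, which assumes that RQ 0 is one of the queues the Rx adapter configured and that every Rx queue was given the same tag type. Please state that assumption in the code comment and commit message, or return an error when it does not hold. The pointer returned by otx2_mbox_alloc_msg_nix_aq_enq() is also written through without a NULL check.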
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index e576f67..3ae6dc6 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -146,6 +146,8 @@ int otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev);
 
 void otx2_sec_eth_ctx_destroy(struct rte_eth_dev *eth_dev);
 
+int otx2_sec_eth_update_tag_type(struct rte_eth_dev *eth_dev);
+
 int otx2_sec_eth_init(struct rte_eth_dev *eth_dev);
 
 void otx2_sec_eth_fini(struct rte_eth_dev *eth_dev);
diff --git a/drivers/net/octeontx2/otx2_flow.c b/drivers/net/octeontx2/otx2_flow.c
index f1fb9f9..dea5337 100644
--- a/drivers/net/octeontx2/otx2_flow.c
+++ b/drivers/net/octeontx2/otx2_flow.c
@@ -299,6 +299,22 @@ flow_free_rss_action(struct rte_eth_dev *eth_dev,
 	return 0;
 }
 
+static int
+flow_update_sec_tt(struct rte_eth_dev *eth_dev,
+		   const struct rte_flow_action actions[])
+{
+	int rc = 0;
+
+	for (; actions->type != RTE_FLOW_ACTION_TYPE_END; actions++) {
+		if (actions->type == RTE_FLOW_ACTION_TYPE_SECURITY) {
+			if (otx2_sec_idev_ops.update_tag_type != NULL)
+				rc = otx2_sec_idev_ops.update_tag_type(eth_dev);
+			break;
+		}
+	}
+
+	return rc;
+}
 
 static int
 flow_parse_meta_items(__rte_unused struct otx2_parse_state *pst)
@@ -491,6 +507,16 @@ otx2_flow_create(struct rte_eth_dev *dev,
 		goto err_exit;
 	}
 
+	if (hw->rx_offloads & DEV_RX_OFFLOAD_SECURITY) {
+		rc = flow_update_sec_tt(dev, actions);
+		if (rc != 0) {
+			rte_flow_error_set(error, EIO,
+					   RTE_FLOW_ERROR_TYPE_UNSPECIFIED,
+					   NULL,
+					   "Failed to update tt with sec act");
+			goto err_exit;
+		}
+	}
 
 	list = &hw->npc_flow.flow_list[flow->priority];
 	/* List in ascending order of mcam entries */
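Review bot: The error path in otx2_flow_create() reports a fixed EIO and discards rc, so the caller cannot tell a mailbox failure from a configuration failure; pass -rc to rte_flow_error_set() instead. Since flow_update_sec_tt() reconfigures the port-wide inline tag type each time a flow with a SECURITY action is created, a comment on whether repeating the update is harmless for SAs that are already active would help.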
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH 01/15] common/octeontx2: add CPT LF mbox for inline inbound
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 01/15] common/octeontx2: add CPT LF mbox for inline inbound Anoob Joseph
@ 2019-12-09  7:38   ` Jerin Jacob
  0 siblings, 0 replies; 111+ messages in thread
From: Jerin Jacob @ 2019-12-09  7:38 UTC (permalink / raw)
  To: Anoob Joseph
  Cc: Akhil Goyal, Declan Doherty, Thomas Monjalon, Jerin Jacob,
	Narayana Prasad, Kiran Kumar K, Nithin Dabilpuram,
	Pavan Nikhilesh, Ankur Dwivedi, Archana Muniganti,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dpdk-dev,
	Tejasree Kondoj

On Sun, Dec 8, 2019 at 5:25 PM Anoob Joseph <anoobj@marvell.com> wrote:
>
> Adding the new mbox introduced to configure CPT LF to be used for inline
> inbound.
>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Tejasree Kondoj <kondoj.tejasree@cavium.com>

Acked-by: Jerin Jacob <jerinj@marvell.com>


> ---
>  drivers/common/octeontx2/otx2_mbox.h | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/drivers/common/octeontx2/otx2_mbox.h b/drivers/common/octeontx2/otx2_mbox.h
> index e0e4e2f..70452d1 100644
> --- a/drivers/common/octeontx2/otx2_mbox.h
> +++ b/drivers/common/octeontx2/otx2_mbox.h
> @@ -193,6 +193,8 @@ M(CPT_SET_CRYPTO_GRP,       0xA03, cpt_set_crypto_grp,                      \
>                                msg_rsp)                                 \
>  M(CPT_INLINE_IPSEC_CFG, 0xA04, cpt_inline_ipsec_cfg,                   \
>                                cpt_inline_ipsec_cfg_msg, msg_rsp)       \
> +M(CPT_RX_INLINE_LF_CFG, 0xBFE, cpt_rx_inline_lf_cfg,                   \
> +                              cpt_rx_inline_lf_cfg_msg, msg_rsp)       \
>  /* NPC mbox IDs (range 0x6000 - 0x7FFF) */                             \
>  M(NPC_MCAM_ALLOC_ENTRY,        0x6000, npc_mcam_alloc_entry,                   \
>                                 npc_mcam_alloc_entry_req,               \
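
Review bot: CPT_RX_INLINE_LF_CFG is assigned 0xBFE while the neighbouring CPT messages are numbered 0xA03 and 0xA04; please add a short comment on why this id is out of sequence and which side defines it, so a later addition in this range does not collide with it.
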
> @@ -1202,6 +1204,11 @@ struct cpt_inline_ipsec_cfg_msg {
>         uint16_t __otx2_io nix_pf_func; /* Outbound path NIX_PF_FUNC */
>  };
>
> +struct cpt_rx_inline_lf_cfg_msg {
> +       struct mbox_msghdr hdr;
> +       uint16_t __otx2_io sso_pf_func;
> +};
> +
>  /* NPC mbox message structs */
>
>  #define NPC_MCAM_ENTRY_INVALID 0xFFFF
> --
> 2.7.4
>

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH 02/15] common/octeontx2: add routine to check if rte_eth_dev belongs to otx2
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 02/15] common/octeontx2: add routine to check if rte_eth_dev belongs to otx2 Anoob Joseph
@ 2019-12-09  7:42   ` Jerin Jacob
  0 siblings, 0 replies; 111+ messages in thread
From: Jerin Jacob @ 2019-12-09  7:42 UTC (permalink / raw)
  To: Anoob Joseph
  Cc: Akhil Goyal, Declan Doherty, Thomas Monjalon, Vamsi Attunuru,
	Jerin Jacob, Narayana Prasad, Kiran Kumar K, Nithin Dabilpuram,
	Pavan Nikhilesh, Ankur Dwivedi, Archana Muniganti,
	Tejasree Kondoj, Lukasz Bartosik, dpdk-dev

On Sun, Dec 8, 2019 at 5:25 PM Anoob Joseph <anoobj@marvell.com> wrote:
>
> From: Vamsi Attunuru <vattunuru@marvell.com>
>
> This routine returns true if given rte_eth_dev belongs to octeontx2
>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> ---
>  drivers/common/octeontx2/otx2_common.c               | 20 ++++++++++++++++++++
>  drivers/common/octeontx2/otx2_common.h               |  2 ++
>  .../octeontx2/rte_common_octeontx2_version.map       |  1 +
>  3 files changed, 23 insertions(+)
>
> diff --git a/drivers/common/octeontx2/otx2_common.c b/drivers/common/octeontx2/otx2_common.c
> index 7e45366..116db0f 100644
> --- a/drivers/common/octeontx2/otx2_common.c
> +++ b/drivers/common/octeontx2/otx2_common.c
> @@ -3,6 +3,7 @@
>   */
>
>  #include <rte_atomic.h>
> +#include <rte_ethdev.h>
>  #include <rte_malloc.h>
>  #include <rte_log.h>
>
> @@ -23,6 +24,25 @@ otx2_npa_set_defaults(struct otx2_idev_cfg *idev)
>
>  /**
>   * @internal
> + * Check if rte_eth_dev is otx2_eth_dev
> + */
> +uint8_t
> +otx2_is_ethdev(struct rte_eth_dev *eth_dev)
> +{
> +       struct rte_pci_device *pci_dev;
> +
> +       pci_dev = RTE_ETH_DEV_TO_PCI(eth_dev);
> +
> +       if (pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_PF ||
> +           pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_VF ||
> +           pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_AF_VF)

Do PCI_DEVID_OCTEONTX2_RVU_SDP_VF and PCI_DEVID_OCTEONTX2_RVU_SDP_PF
also come here? If yes, update the patch.


> +               return 1;
> +
> +       return 0;
> +}
> +
> +/**
> + * @internal
>   * Get intra device config structure.
>   */
>  struct otx2_idev_cfg *
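
Review bot: otx2_is_ethdev() applies RTE_ETH_DEV_TO_PCI() to any rte_eth_dev without first checking that the port sits on the PCI bus, so for a vdev or other non-PCI port pci_dev does not point at a struct rte_pci_device and the id.device_id read comes from unrelated memory. Patch 03 calls this helper on entries of rte_eth_devices[], so non-PCI ports will reach it; check the bus (or the driver) before the cast, and compare id.vendor_id as well as id.device_id.
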
> diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h
> index f62c45d..d32e59a 100644
> --- a/drivers/common/octeontx2/otx2_common.h
> +++ b/drivers/common/octeontx2/otx2_common.h
> @@ -8,6 +8,7 @@
>  #include <rte_atomic.h>
>  #include <rte_common.h>
>  #include <rte_cycles.h>
> +#include <rte_ethdev.h>
>  #include <rte_memory.h>
>  #include <rte_memzone.h>
>  #include <rte_io.h>
> @@ -70,6 +71,7 @@ struct otx2_idev_cfg *otx2_intra_dev_get_cfg(void);
>  void otx2_sso_pf_func_set(uint16_t sso_pf_func);
>  uint16_t otx2_sso_pf_func_get(void);
>  uint16_t otx2_npa_pf_func_get(void);
> +uint8_t otx2_is_ethdev(struct rte_eth_dev *eth_dev);
>  struct otx2_npa_lf *otx2_npa_lf_obj_get(void);
>  void otx2_npa_set_defaults(struct otx2_idev_cfg *idev);
>  int otx2_npa_lf_active(void *dev);
> diff --git a/drivers/common/octeontx2/rte_common_octeontx2_version.map b/drivers/common/octeontx2/rte_common_octeontx2_version.map
> index adad21a..dac2283 100644
> --- a/drivers/common/octeontx2/rte_common_octeontx2_version.map
> +++ b/drivers/common/octeontx2/rte_common_octeontx2_version.map
> @@ -6,6 +6,7 @@ DPDK_20.0 {
>         otx2_dev_priv_init;
>         otx2_disable_irqs;
>         otx2_intra_dev_get_cfg;
> +       otx2_is_ethdev;
>         otx2_logtype_base;
>         otx2_logtype_dpi;
>         otx2_logtype_mbox;
> --
> 2.7.4
>

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH 03/15] crypto/octeontx2: configure for inline IPsec
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 03/15] crypto/octeontx2: configure for inline IPsec Anoob Joseph
@ 2019-12-09  7:46   ` Jerin Jacob
  2019-12-09  7:52     ` [dpdk-dev] [EXT] " Anoob Joseph
  0 siblings, 1 reply; 111+ messages in thread
From: Jerin Jacob @ 2019-12-09  7:46 UTC (permalink / raw)
  To: Anoob Joseph
  Cc: Akhil Goyal, Declan Doherty, Thomas Monjalon, Tejasree Kondoj,
	Jerin Jacob, Narayana Prasad, Kiran Kumar K, Nithin Dabilpuram,
	Pavan Nikhilesh, Ankur Dwivedi, Archana Muniganti,
	Vamsi Attunuru, Lukasz Bartosik, dpdk-dev

On Sun, Dec 8, 2019 at 5:26 PM Anoob Joseph <anoobj@marvell.com> wrote:
>
> From: Tejasree Kondoj <ktejasree@marvell.com>
>
> For enabling outbound inline IPsec, a CPT queue needs to be tied
> to a NIX PF_FUNC. Distribute CPT queues fairly among all available
> otx2 eth ports.
>
> For inbound, one CPT LF will be assigned and initialized by kernel.
>
> Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Archana Muniganti <marchana@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>

>
> +static int
> +otx2_cpt_qp_inline_cfg(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp)
> +{
> +       static rte_atomic16_t port_offset = RTE_ATOMIC16_INIT(-1);
> +       uint16_t port_id, nb_ethport = rte_eth_dev_count_avail();
> +       int i, ret;
> +
> +       for (i = 0; i < nb_ethport; i++) {
> +               port_id = rte_atomic16_add_return(&port_offset, 1) % nb_ethport;
> +               if (otx2_is_ethdev(&rte_eth_devices[port_id]))
> +                       break;
> +       }
> +
> +       if (i >= nb_ethport)
> +               return 0;
> +
> +       ret = otx2_cpt_qp_ethdev_bind(dev, qp, port_id);
> +       if (ret)
> +               return ret;
> +
> +       return 0;
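
Review bot: In otx2_cpt_qp_inline_cfg() port_id is a counter taken modulo rte_eth_dev_count_avail() and used directly as an index into rte_eth_devices[], which assumes the valid port ids are exactly 0..nb_ethport-1; that is not guaranteed once ports have been detached or are owned, so iterate with RTE_ETH_FOREACH_DEV instead. rte_atomic16_add_return() also returns a signed 16-bit value, so once port_offset wraps negative the % result is negative and the conversion to uint16_t gives an index far outside the array. Returning 0 when no otx2 port is found (i >= nb_ethport) silently leaves the queue pair unbound, which deserves a comment if it is intended.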

The last five lines can be replaced with "return
otx2_cpt_qp_ethdev_bind(dev, qp, port_id)".

Across the patch series, the above pattern is common. Please fix it in
all relevant instances.

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH 05/15] crypto/octeontx2: add security in eth dev configure
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 05/15] crypto/octeontx2: add security in eth dev configure Anoob Joseph
@ 2019-12-09  7:51   ` Jerin Jacob
  2019-12-09  8:03     ` Anoob Joseph
  0 siblings, 1 reply; 111+ messages in thread
From: Jerin Jacob @ 2019-12-09  7:51 UTC (permalink / raw)
  To: Anoob Joseph
  Cc: Akhil Goyal, Declan Doherty, Thomas Monjalon, Tejasree Kondoj,
	Jerin Jacob, Narayana Prasad, Kiran Kumar K, Nithin Dabilpuram,
	Pavan Nikhilesh, Ankur Dwivedi, Archana Muniganti,
	Vamsi Attunuru, Lukasz Bartosik, dpdk-dev

On Sun, Dec 8, 2019 at 5:26 PM Anoob Joseph <anoobj@marvell.com> wrote:
>
> From: Tejasree Kondoj <ktejasree@marvell.com>
>
> Adding security in eth device configure.
>
> Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Archana Muniganti <marchana@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> ---
>  doc/guides/nics/octeontx2.rst               |  20 +++++
>  drivers/common/octeontx2/otx2_common.h      |   4 +
>  drivers/crypto/octeontx2/Makefile           |   2 +-
>  drivers/crypto/octeontx2/meson.build        |   1 +
>  drivers/crypto/octeontx2/otx2_cryptodev.c   |   2 +
>  drivers/crypto/octeontx2/otx2_ipsec_fp.h    |  55 +++++++++++++
>  drivers/crypto/octeontx2/otx2_security.c    | 122 ++++++++++++++++++++++++++++
>  drivers/crypto/octeontx2/otx2_security.h    |   4 +
>  drivers/net/octeontx2/otx2_ethdev.c         |  22 ++++-
>  drivers/net/octeontx2/otx2_ethdev.h         |   2 +
>  drivers/net/octeontx2/otx2_ethdev_devargs.c |  19 +++++

Add "Inline crypto" feature in doc/guides/nics/features/octeontx2*.ini

* Re: [dpdk-dev] [EXT] Re: [PATCH 03/15] crypto/octeontx2: configure for inline IPsec
  2019-12-09  7:46   ` Jerin Jacob
@ 2019-12-09  7:52     ` Anoob Joseph
  2019-12-09  7:53       ` Jerin Jacob
  0 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2019-12-09  7:52 UTC (permalink / raw)
  To: Jerin Jacob
  Cc: Akhil Goyal, Declan Doherty, Thomas Monjalon, Tejasree Kondoj,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Kiran Kumar Kokkilagadda, Nithin Kumar Dabilpuram,
	Pavan Nikhilesh Bhagavatula, Ankur Dwivedi, Archana Muniganti,
	Vamsi Krishna Attunuru, Lukas Bartosik, dpdk-dev

Hi Jerin,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Jerin Jacob <jerinjacobk@gmail.com>
> Sent: Monday, December 9, 2019 1:17 PM
> To: Anoob Joseph <anoobj@marvell.com>
> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Declan Doherty
> <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>;
> Tejasree Kondoj <ktejasree@marvell.com>; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> Archana Muniganti <marchana@marvell.com>; Vamsi Krishna Attunuru
> <vattunuru@marvell.com>; Lukas Bartosik <lbartosik@marvell.com>; dpdk-dev
> <dev@dpdk.org>
> Subject: [EXT] Re: [dpdk-dev] [PATCH 03/15] crypto/octeontx2: configure for
> inline IPsec
> 
> On Sun, Dec 8, 2019 at 5:26 PM Anoob Joseph <anoobj@marvell.com> wrote:
> >
> > From: Tejasree Kondoj <ktejasree@marvell.com>
> >
> > For enabling outbound inline IPsec, a CPT queue needs to be tied to a
> > NIX PF_FUNC. Distribute CPT queues fairly among all available
> > otx2 eth ports.
> >
> > For inbound, one CPT LF will be assigned and initialized by kernel.
> >
> > Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> > Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> 
> >
> > +static int
> > +otx2_cpt_qp_inline_cfg(const struct rte_cryptodev *dev, struct
> > +otx2_cpt_qp *qp) {
> > +       static rte_atomic16_t port_offset = RTE_ATOMIC16_INIT(-1);
> > +       uint16_t port_id, nb_ethport = rte_eth_dev_count_avail();
> > +       int i, ret;
> > +
> > +       for (i = 0; i < nb_ethport; i++) {
> > +               port_id = rte_atomic16_add_return(&port_offset, 1) % nb_ethport;
> > +               if (otx2_is_ethdev(&rte_eth_devices[port_id]))
> > +                       break;
> > +       }
> > +
> > +       if (i >= nb_ethport)
> > +               return 0;
> > +
> > +       ret = otx2_cpt_qp_ethdev_bind(dev, qp, port_id);
> > +       if (ret)
> > +               return ret;
> > +
> > +       return 0;
> 
> Last five lines can be replaced with "return otx2_cpt_qp_ethdev_bind(dev, qp,
> port_id)"

[Anoob] In one of the following patches, one more call would be introduced after the call to otx2_cpt_qp_ethdev_bind(). So the above lines will have to be introduced anyway. For the last such addition, I'll make it return directly. Is that fine? 

> 
> Across the patch series, the above pattern is common. Please fix it in all relevant
> instances.

* Re: [dpdk-dev] [EXT] Re: [PATCH 03/15] crypto/octeontx2: configure for inline IPsec
  2019-12-09  7:52     ` [dpdk-dev] [EXT] " Anoob Joseph
@ 2019-12-09  7:53       ` Jerin Jacob
  0 siblings, 0 replies; 111+ messages in thread
From: Jerin Jacob @ 2019-12-09  7:53 UTC (permalink / raw)
  To: Anoob Joseph
  Cc: Akhil Goyal, Declan Doherty, Thomas Monjalon, Tejasree Kondoj,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Kiran Kumar Kokkilagadda, Nithin Kumar Dabilpuram,
	Pavan Nikhilesh Bhagavatula, Ankur Dwivedi, Archana Muniganti,
	Vamsi Krishna Attunuru, Lukas Bartosik, dpdk-dev

On Mon, Dec 9, 2019 at 1:22 PM Anoob Joseph <anoobj@marvell.com> wrote:
>
> Hi Jerin,
>
> Please see inline.
>
> Thanks,
> Anoob
>
> > -----Original Message-----
> > From: Jerin Jacob <jerinjacobk@gmail.com>
> > Sent: Monday, December 9, 2019 1:17 PM
> > To: Anoob Joseph <anoobj@marvell.com>
> > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Declan Doherty
> > <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>;
> > Tejasree Kondoj <ktejasree@marvell.com>; Jerin Jacob Kollanukkaran
> > <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> > <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> > <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> > <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> > Archana Muniganti <marchana@marvell.com>; Vamsi Krishna Attunuru
> > <vattunuru@marvell.com>; Lukas Bartosik <lbartosik@marvell.com>; dpdk-dev
> > <dev@dpdk.org>
> > Subject: [EXT] Re: [dpdk-dev] [PATCH 03/15] crypto/octeontx2: configure for
> > inline IPsec
> >
> > On Sun, Dec 8, 2019 at 5:26 PM Anoob Joseph <anoobj@marvell.com> wrote:
> > >
> > > From: Tejasree Kondoj <ktejasree@marvell.com>
> > >
> > > For enabling outbound inline IPsec, a CPT queue needs to be tied to a
> > > NIX PF_FUNC. Distribute CPT queues fairly among all available
> > > otx2 eth ports.
> > >
> > > For inbound, one CPT LF will be assigned and initialized by kernel.
> > >
> > > Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> > > Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> > > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > > Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> >
> > >
> > > +static int
> > > +otx2_cpt_qp_inline_cfg(const struct rte_cryptodev *dev, struct
> > > +otx2_cpt_qp *qp) {
> > > +       static rte_atomic16_t port_offset = RTE_ATOMIC16_INIT(-1);
> > > +       uint16_t port_id, nb_ethport = rte_eth_dev_count_avail();
> > > +       int i, ret;
> > > +
> > > +       for (i = 0; i < nb_ethport; i++) {
> > > +               port_id = rte_atomic16_add_return(&port_offset, 1) % nb_ethport;
> > > +               if (otx2_is_ethdev(&rte_eth_devices[port_id]))
> > > +                       break;
> > > +       }
> > > +
> > > +       if (i >= nb_ethport)
> > > +               return 0;
> > > +
> > > +       ret = otx2_cpt_qp_ethdev_bind(dev, qp, port_id);
> > > +       if (ret)
> > > +               return ret;
> > > +
> > > +       return 0;
> >
> > Last five lines can be replaced with "return otx2_cpt_qp_ethdev_bind(dev, qp,
> > port_id)"
>
> [Anoob] In one of the following patches, one more call would be introduced after the call to otx2_cpt_qp_ethdev_bind(). So the above lines will have to be introduced anyway. For the last such addition, I'll make it return directly. Is that fine?

Yes,

>
> >
> > Across the patch series, the above pattern is common. Please fix it in all relevant
> > instances.

* Re: [dpdk-dev] [PATCH 10/15] crypto/octeontx2: add lookup mem changes to hold sa indices
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 10/15] crypto/octeontx2: add lookup mem changes to hold sa indices Anoob Joseph
@ 2019-12-09  8:02   ` Jerin Jacob
  2019-12-13  7:12     ` [dpdk-dev] [EXT] " Anoob Joseph
  0 siblings, 1 reply; 111+ messages in thread
From: Jerin Jacob @ 2019-12-09  8:02 UTC (permalink / raw)
  To: Anoob Joseph
  Cc: Akhil Goyal, Declan Doherty, Thomas Monjalon, Archana Muniganti,
	Jerin Jacob, Narayana Prasad, Kiran Kumar K, Nithin Dabilpuram,
	Pavan Nikhilesh, Ankur Dwivedi, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dpdk-dev

On Sun, Dec 8, 2019 at 5:27 PM Anoob Joseph <anoobj@marvell.com> wrote:
>
> From: Archana Muniganti <marchana@marvell.com>
>
> lookup_mem provides fast accessing of data path fields.
> Storing sa indices in lookup_mem which are required in
> inline rx data path.
>
> Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Archana Muniganti <marchana@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> ---
>  drivers/common/octeontx2/otx2_common.h   | 20 +++++++++++
>  drivers/crypto/octeontx2/otx2_security.c | 59 +++++++++++++++++++++++++++++++-
>  drivers/net/octeontx2/otx2_lookup.c      |  9 +----
>  drivers/net/octeontx2/otx2_rx.h          | 10 ++----
>  4 files changed, 81 insertions(+), 17 deletions(-)
>
> diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h
> index 9705a8d..6456c4b 100644
> --- a/drivers/common/octeontx2/otx2_common.h
> +++ b/drivers/common/octeontx2/otx2_common.h
> @@ -170,4 +170,24 @@ extern int otx2_logtype_dpi;
>  #include "otx2_io_generic.h"
>  #endif
>
> +/* Fastpath lookup */
> +#define OTX2_NIX_FASTPATH_LOOKUP_MEM "otx2_nix_fastpath_lookup_mem"
> +#define PTYPE_NON_TUNNEL_WIDTH         16
> +#define PTYPE_TUNNEL_WIDTH             12
> +#define PTYPE_NON_TUNNEL_ARRAY_SZ      BIT(PTYPE_NON_TUNNEL_WIDTH)
> +#define PTYPE_TUNNEL_ARRAY_SZ          BIT(PTYPE_TUNNEL_WIDTH)
> +#define PTYPE_ARRAY_SZ                 ((PTYPE_NON_TUNNEL_ARRAY_SZ +\
> +                                        PTYPE_TUNNEL_ARRAY_SZ) *\
> +                                        sizeof(uint16_t))
> +
> +/* NIX_RX_PARSE_S's ERRCODE + ERRLEV (12 bits) */
> +#define ERRCODE_ERRLEN_WIDTH           12
> +#define ERR_ARRAY_SZ                   ((BIT(ERRCODE_ERRLEN_WIDTH)) *\
> +                                       sizeof(uint32_t))
> +
> +#define PORT_ARRAY_SZ                  (RTE_MAX_ETHPORTS * sizeof(uint64_t))
> +
> +#define LOOKUP_ARRAY_SZ                        (PTYPE_ARRAY_SZ + ERR_ARRAY_SZ +\
> +                                       PORT_ARRAY_SZ)
> +
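
Review bot: the macro name ERRCODE_ERRLEN_WIDTH disagrees with the comment directly above it, which describes NIX_RX_PARSE_S's ERRCODE + ERRLEV; since the define is being moved anyway, rename it to ERRCODE_ERRLEV_WIDTH so the name matches the field. In addition, PTYPE_ARRAY_SZ, ERR_ARRAY_SZ, PORT_ARRAY_SZ and LOOKUP_ARRAY_SZ are unprefixed names in the common header; anything that stays in otx2_common.h should carry the OTX2_ prefix the way OTX2_NIX_FASTPATH_LOOKUP_MEM does, to avoid clashes in files that include it.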

All these defines are not relevant to common code, but I understand
the security code needs
PORT_ARRAY_START

Please refactor the logic in the following or a similar way to keep the
lookup constants internal.

#define OTX2_PORT_ARRAY_START value

in otx2_nix_fastpath_lookup_mem_get()

RTE_BUILD_BUG_ON(OTX2_PORT_ARRAY_START != PTYPE_ARRAY_SZ + ERR_ARRAY_SZ)

^ permalink raw reply	[flat|nested] 111+ messages in thread
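
Added example (not part of the thread and not the driver's code): one way the suggestion in the message above could look, with the common header exporting only OTX2_PORT_ARRAY_START and the layout macros staying private behind a compile-time check. BUILD_BUG_ON, MAX_ETHPORTS (assumed 32) and the helper function names are stand-ins introduced here; the widths are the ones in the quoted hunk.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for DPDK's RTE_BUILD_BUG_ON: negative array size if cond is true. */
#define BUILD_BUG_ON(cond) ((void)sizeof(char[1 - 2 * !!(cond)]))
#define BIT(n) (1UL << (n))
#define MAX_ETHPORTS 32 /* assumption: stand-in for RTE_MAX_ETHPORTS */

/* --- common header: the only constant the security code needs --- */
/* (65536 + 4096) * 2 + 4096 * 4 bytes, from the widths in the hunk */
#define OTX2_PORT_ARRAY_START 155648UL

/* --- net driver, private: layout macros as in the quoted hunk --- */
#define PTYPE_NON_TUNNEL_WIDTH    16
#define PTYPE_TUNNEL_WIDTH        12
#define PTYPE_NON_TUNNEL_ARRAY_SZ BIT(PTYPE_NON_TUNNEL_WIDTH)
#define PTYPE_TUNNEL_ARRAY_SZ     BIT(PTYPE_TUNNEL_WIDTH)
#define PTYPE_ARRAY_SZ ((PTYPE_NON_TUNNEL_ARRAY_SZ + \
			 PTYPE_TUNNEL_ARRAY_SZ) * sizeof(uint16_t))
#define ERRCODE_ERRLEN_WIDTH      12
#define ERR_ARRAY_SZ   (BIT(ERRCODE_ERRLEN_WIDTH) * sizeof(uint32_t))
#define PORT_ARRAY_SZ  (MAX_ETHPORTS * sizeof(uint64_t))
#define LOOKUP_ARRAY_SZ (PTYPE_ARRAY_SZ + ERR_ARRAY_SZ + PORT_ARRAY_SZ)

/* Net-driver side: hypothetical stand-in for
 * otx2_nix_fastpath_lookup_mem_get(). If anyone changes a width above
 * without updating the exported offset, the build stops here. */
static void *lookup_mem_get(void)
{
	BUILD_BUG_ON(OTX2_PORT_ARRAY_START != PTYPE_ARRAY_SZ + ERR_ARRAY_SZ);
	return calloc(1, LOOKUP_ARRAY_SZ);
}

/* Security side: knows only OTX2_PORT_ARRAY_START, nothing about the
 * ptype/err tables that precede the per-port array. */
static int sec_port_slot_set(void *lookup_mem, uint16_t port, uint64_t val)
{
	uint8_t *ports;

	if (lookup_mem == NULL || port >= MAX_ETHPORTS)
		return -1; /* reject indices outside the per-port array */
	ports = (uint8_t *)lookup_mem + OTX2_PORT_ARRAY_START;
	memcpy(ports + port * sizeof(uint64_t), &val, sizeof(val));
	return 0;
}

/* Net-driver side: reads the same slot through the private layout. */
static uint64_t net_port_slot_get(const void *lookup_mem, uint16_t port)
{
	const uint8_t *p = (const uint8_t *)lookup_mem +
			   PTYPE_ARRAY_SZ + ERR_ARRAY_SZ;
	uint64_t v;

	memcpy(&v, p + port * sizeof(uint64_t), sizeof(v));
	return v;
}

/* Write through the security-side view, read back through the net-side
 * view, and confirm nothing before the port array was touched.
 * Returns the value read back, or 0 on any failure. */
static uint64_t roundtrip(uint16_t port, uint64_t val)
{
	uint8_t *mem = lookup_mem_get();
	uint64_t out = 0;
	size_t i;

	if (mem == NULL)
		return 0;
	if (sec_port_slot_set(mem, port, val) == 0) {
		out = net_port_slot_get(mem, port);
		for (i = 0; i < OTX2_PORT_ARRAY_START; i++)
			if (mem[i] != 0)
				out = 0; /* ptype/err tables were clobbered */
	}
	free(mem);
	return out;
}

int main(void)
{
	printf("port array starts at byte %lu of %lu\n",
	       (unsigned long)OTX2_PORT_ARRAY_START,
	       (unsigned long)LOOKUP_ARRAY_SZ);
	return roundtrip(3, 0xabcd) == 0xabcd ? 0 : 1;
}
```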

* Re: [dpdk-dev] [PATCH 05/15] crypto/octeontx2: add security in eth dev configure
  2019-12-09  7:51   ` Jerin Jacob
@ 2019-12-09  8:03     ` Anoob Joseph
  2019-12-09  8:04       ` Jerin Jacob
  0 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2019-12-09  8:03 UTC (permalink / raw)
  To: Jerin Jacob, Ferruh Yigit
  Cc: Akhil Goyal, Declan Doherty, Thomas Monjalon, Tejasree Kondoj,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Kiran Kumar Kokkilagadda, Nithin Kumar Dabilpuram,
	Pavan Nikhilesh Bhagavatula, Ankur Dwivedi, Archana Muniganti,
	Vamsi Krishna Attunuru, Lukas Bartosik, dpdk-dev

Hi Jerin,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Jerin Jacob
> Sent: Monday, December 9, 2019 1:22 PM
> To: Anoob Joseph <anoobj@marvell.com>
> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Declan Doherty
> <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>;
> Tejasree Kondoj <ktejasree@marvell.com>; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> Archana Muniganti <marchana@marvell.com>; Vamsi Krishna Attunuru
> <vattunuru@marvell.com>; Lukas Bartosik <lbartosik@marvell.com>; dpdk-dev
> <dev@dpdk.org>
> Subject: Re: [dpdk-dev] [PATCH 05/15] crypto/octeontx2: add security in eth dev
> configure
> 
> On Sun, Dec 8, 2019 at 5:26 PM Anoob Joseph <anoobj@marvell.com> wrote:
> >
> > From: Tejasree Kondoj <ktejasree@marvell.com>
> >
> > Adding security in eth device configure.
> >
> > Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> > Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> > ---
> >  doc/guides/nics/octeontx2.rst               |  20 +++++
> >  drivers/common/octeontx2/otx2_common.h      |   4 +
> >  drivers/crypto/octeontx2/Makefile           |   2 +-
> >  drivers/crypto/octeontx2/meson.build        |   1 +
> >  drivers/crypto/octeontx2/otx2_cryptodev.c   |   2 +
> >  drivers/crypto/octeontx2/otx2_ipsec_fp.h    |  55 +++++++++++++
> >  drivers/crypto/octeontx2/otx2_security.c    | 122
> ++++++++++++++++++++++++++++
> >  drivers/crypto/octeontx2/otx2_security.h    |   4 +
> >  drivers/net/octeontx2/otx2_ethdev.c         |  22 ++++-
> >  drivers/net/octeontx2/otx2_ethdev.h         |   2 +
> >  drivers/net/octeontx2/otx2_ethdev_devargs.c |  19 +++++
> 
> Add "Inline crypto" feature in doc/guides/nics/features/octeontx2*.ini

[Anoob] The feature is "Inline protocol" and it's not present in doc/guides/nics/features/default.ini. Shall I update that file also with this patch? 

* Re: [dpdk-dev] [PATCH 05/15] crypto/octeontx2: add security in eth dev configure
  2019-12-09  8:03     ` Anoob Joseph
@ 2019-12-09  8:04       ` Jerin Jacob
  0 siblings, 0 replies; 111+ messages in thread
From: Jerin Jacob @ 2019-12-09  8:04 UTC (permalink / raw)
  To: Anoob Joseph
  Cc: Ferruh Yigit, Akhil Goyal, Declan Doherty, Thomas Monjalon,
	Tejasree Kondoj, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Vamsi Krishna Attunuru,
	Lukas Bartosik, dpdk-dev

On Mon, Dec 9, 2019 at 1:33 PM Anoob Joseph <anoobj@marvell.com> wrote:
>
> Hi Jerin,
>
> Please see inline.
>
> Thanks,
> Anoob
>
> > -----Original Message-----
> > From: dev <dev-bounces@dpdk.org> On Behalf Of Jerin Jacob
> > Sent: Monday, December 9, 2019 1:22 PM
> > To: Anoob Joseph <anoobj@marvell.com>
> > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Declan Doherty
> > <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>;
> > Tejasree Kondoj <ktejasree@marvell.com>; Jerin Jacob Kollanukkaran
> > <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> > <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> > <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> > <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> > Archana Muniganti <marchana@marvell.com>; Vamsi Krishna Attunuru
> > <vattunuru@marvell.com>; Lukas Bartosik <lbartosik@marvell.com>; dpdk-dev
> > <dev@dpdk.org>
> > Subject: Re: [dpdk-dev] [PATCH 05/15] crypto/octeontx2: add security in eth dev
> > configure
> >
> > On Sun, Dec 8, 2019 at 5:26 PM Anoob Joseph <anoobj@marvell.com> wrote:
> > >
> > > From: Tejasree Kondoj <ktejasree@marvell.com>
> > >
> > > Adding security in eth device configure.
> > >
> > > Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> > > Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> > > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > > Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> > > ---
> > >  doc/guides/nics/octeontx2.rst               |  20 +++++
> > >  drivers/common/octeontx2/otx2_common.h      |   4 +
> > >  drivers/crypto/octeontx2/Makefile           |   2 +-
> > >  drivers/crypto/octeontx2/meson.build        |   1 +
> > >  drivers/crypto/octeontx2/otx2_cryptodev.c   |   2 +
> > >  drivers/crypto/octeontx2/otx2_ipsec_fp.h    |  55 +++++++++++++
> > >  drivers/crypto/octeontx2/otx2_security.c    | 122
> > ++++++++++++++++++++++++++++
> > >  drivers/crypto/octeontx2/otx2_security.h    |   4 +
> > >  drivers/net/octeontx2/otx2_ethdev.c         |  22 ++++-
> > >  drivers/net/octeontx2/otx2_ethdev.h         |   2 +
> > >  drivers/net/octeontx2/otx2_ethdev_devargs.c |  19 +++++
> >
> > Add "Inline crypto" feature in doc/guides/nics/features/octeontx2*.ini
>
> [Anoob] The feature is "Inline protocol" and it's not present in doc/guides/nics/features/default.ini. Shall I update that file also with this patch?

Yes. Please. Please update the generic doc update as a separate patch.

* Re: [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
                   ` (14 preceding siblings ...)
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 15/15] crypto/octeontx2: sync inline tag type cfg with Rx adapter configuration Anoob Joseph
@ 2019-12-09  8:06 ` Jerin Jacob
  2019-12-10 22:54   ` Thomas Monjalon
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
  16 siblings, 1 reply; 111+ messages in thread
From: Jerin Jacob @ 2019-12-09  8:06 UTC (permalink / raw)
  To: Anoob Joseph
  Cc: Akhil Goyal, Declan Doherty, Thomas Monjalon, Jerin Jacob,
	Narayana Prasad, Kiran Kumar K, Nithin Dabilpuram,
	Pavan Nikhilesh, Ankur Dwivedi, Archana Muniganti,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dpdk-dev

On Sun, Dec 8, 2019 at 5:25 PM Anoob Joseph <anoobj@marvell.com> wrote:
>
> This series adds inline IPsec support in OCTEONTX2 PMD.
>
> In the inbound path, the rte_flow framework needs to be used to configure
> the NPC block, which does the h/w lookup. The packets would get
> processed by the crypto block and would submit to the scheduling block,
> SSO. So inline IPsec mode can be enabled only when traffic is received
> via event device using Rx adapter.
>
> In the outbound path, the core would submit to the crypto block and the
> crypto block would submit the packet for Tx internally.
>

The release note update is missing.

* Re: [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support
  2019-12-09  8:06 ` [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Jerin Jacob
@ 2019-12-10 22:54   ` Thomas Monjalon
  2019-12-13  7:41     ` [dpdk-dev] [EXT] " Anoob Joseph
  0 siblings, 1 reply; 111+ messages in thread
From: Thomas Monjalon @ 2019-12-10 22:54 UTC (permalink / raw)
  To: Jerin Jacob, Anoob Joseph
  Cc: Akhil Goyal, Declan Doherty, Jerin Jacob, Narayana Prasad,
	Kiran Kumar K, Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dpdk-dev

09/12/2019 09:06, Jerin Jacob:
> On Sun, Dec 8, 2019 at 5:25 PM Anoob Joseph <anoobj@marvell.com> wrote:
> >
> > This series adds inline IPsec support in OCTEONTX2 PMD.
> >
> > In the inbound path, the rte_flow framework needs to be used to configure
> > the NPC block, which does the h/w lookup. The packets would get
> > processed by the crypto block and would submit to the scheduling block,
> > SSO. So inline IPsec mode can be enabled only when traffic is received
> > via event device using Rx adapter.
> >
> > In the outbound path, the core would submit to the crypto block and the
> > crypto block would submit the packet for Tx internally.
> >
> 
> The release note update is missing.

Yes, and the MAINTAINERS file as well.



* Re: [dpdk-dev] [EXT] Re: [PATCH 10/15] crypto/octeontx2: add lookup mem changes to hold sa indices
  2019-12-09  8:02   ` Jerin Jacob
@ 2019-12-13  7:12     ` Anoob Joseph
  0 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2019-12-13  7:12 UTC (permalink / raw)
  To: Jerin Jacob
  Cc: Akhil Goyal, Declan Doherty, Thomas Monjalon, Archana Muniganti,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Kiran Kumar Kokkilagadda, Nithin Kumar Dabilpuram,
	Pavan Nikhilesh Bhagavatula, Ankur Dwivedi, Tejasree Kondoj,
	Vamsi Krishna Attunuru, Lukas Bartosik, dpdk-dev

Hi Jerin,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Jerin Jacob <jerinjacobk@gmail.com>
> Sent: Monday, December 9, 2019 1:32 PM
> To: Anoob Joseph <anoobj@marvell.com>
> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Declan Doherty
> <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>;
> Archana Muniganti <marchana@marvell.com>; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> Tejasree Kondoj <ktejasree@marvell.com>; Vamsi Krishna Attunuru
> <vattunuru@marvell.com>; Lukas Bartosik <lbartosik@marvell.com>; dpdk-
> dev <dev@dpdk.org>
> Subject: [EXT] Re: [dpdk-dev] [PATCH 10/15] crypto/octeontx2: add lookup
> mem changes to hold sa indices
> 
> On Sun, Dec 8, 2019 at 5:27 PM Anoob Joseph <anoobj@marvell.com> wrote:
> >
> > From: Archana Muniganti <marchana@marvell.com>
> >
> > lookup_mem provides fast accessing of data path fields.
> > Storing sa indices in lookup_mem which are required in inline rx data
> > path.
> >
> > Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> > Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> > ---
> >  drivers/common/octeontx2/otx2_common.h   | 20 +++++++++++
> >  drivers/crypto/octeontx2/otx2_security.c | 59
> +++++++++++++++++++++++++++++++-
> >  drivers/net/octeontx2/otx2_lookup.c      |  9 +----
> >  drivers/net/octeontx2/otx2_rx.h          | 10 ++----
> >  4 files changed, 81 insertions(+), 17 deletions(-)
> >
> > diff --git a/drivers/common/octeontx2/otx2_common.h
> > b/drivers/common/octeontx2/otx2_common.h
> > index 9705a8d..6456c4b 100644
> > --- a/drivers/common/octeontx2/otx2_common.h
> > +++ b/drivers/common/octeontx2/otx2_common.h
> > @@ -170,4 +170,24 @@ extern int otx2_logtype_dpi;  #include
> > "otx2_io_generic.h"
> >  #endif
> >
> > +/* Fastpath lookup */
> > +#define OTX2_NIX_FASTPATH_LOOKUP_MEM
> "otx2_nix_fastpath_lookup_mem"
> > +#define PTYPE_NON_TUNNEL_WIDTH         16
> > +#define PTYPE_TUNNEL_WIDTH             12
> > +#define PTYPE_NON_TUNNEL_ARRAY_SZ
> BIT(PTYPE_NON_TUNNEL_WIDTH)
> > +#define PTYPE_TUNNEL_ARRAY_SZ          BIT(PTYPE_TUNNEL_WIDTH)
> > +#define PTYPE_ARRAY_SZ                 ((PTYPE_NON_TUNNEL_ARRAY_SZ +\
> > +                                        PTYPE_TUNNEL_ARRAY_SZ) *\
> > +                                        sizeof(uint16_t))
> > +
> > +/* NIX_RX_PARSE_S's ERRCODE + ERRLEV (12 bits) */
> > +#define ERRCODE_ERRLEN_WIDTH           12
> > +#define ERR_ARRAY_SZ                   ((BIT(ERRCODE_ERRLEN_WIDTH)) *\
> > +                                       sizeof(uint32_t))
> > +
> > +#define PORT_ARRAY_SZ                  (RTE_MAX_ETHPORTS *
> sizeof(uint64_t))
> > +
> > +#define LOOKUP_ARRAY_SZ                        (PTYPE_ARRAY_SZ +
> ERR_ARRAY_SZ +\
> > +                                       PORT_ARRAY_SZ)
> > +
> 
> All these defines are not relevant to common code, but I understand the
> security code needs PORT_ARRAY_START
> 
> Please refactor the logic in the following or a similar way to keep the lookup
> constants internal.
> 
> #define OTX2_PORT_ARRAY_START value
> 
> in otx2_nix_fastpath_lookup_mem_get()
> 
> RTE_BUILD_BUG_ON(OTX2_PORT_ARRAY_START != PTYPE_ARRAY_SZ +
> ERR_ARRAY_SZ)

[Anoob] Will make this change in v2. 


* Re: [dpdk-dev] [EXT] Re: [PATCH 00/15] add OCTEONTX2 inline IPsec support
  2019-12-10 22:54   ` Thomas Monjalon
@ 2019-12-13  7:41     ` Anoob Joseph
  2019-12-13 10:18       ` Thomas Monjalon
  0 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2019-12-13  7:41 UTC (permalink / raw)
  To: Thomas Monjalon, Jerin Jacob
  Cc: Akhil Goyal, Declan Doherty, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj,
	Vamsi Krishna Attunuru, Lukas Bartosik, dpdk-dev

Hi Thomas, Jerin,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Thomas Monjalon <thomas@monjalon.net>
> Sent: Wednesday, December 11, 2019 4:25 AM
> To: Jerin Jacob <jerinjacobk@gmail.com>; Anoob Joseph
> <anoobj@marvell.com>
> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Declan Doherty
> <declan.doherty@intel.com>; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; Vamsi Krishna Attunuru
> <vattunuru@marvell.com>; Lukas Bartosik <lbartosik@marvell.com>; dpdk-
> dev <dev@dpdk.org>
> Subject: [EXT] Re: [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec
> support
> 
> 09/12/2019 09:06, Jerin Jacob:
> > On Sun, Dec 8, 2019 at 5:25 PM Anoob Joseph <anoobj@marvell.com>
> wrote:
> > >
> > > This series adds inline IPsec support in OCTEONTX2 PMD.
> > >
> > > In the inbound path, the rte_flow framework needs to be used to configure
> > > the NPC block, which does the h/w lookup. The packets would get
> > > processed by the crypto block and would submit to the scheduling
> > > block, SSO. So inline IPsec mode can be enabled only when traffic is
> > > received via event device using Rx adapter.
> > >
> > > In the outbound path, the core would submit to the crypto block and
> > > the crypto block would submit the packet for Tx internally.
> > >
> >
> > The release note update is missing.
> 

[Anoob] Will update in v2. 

> Yes, and the MAINTAINERS file as well.

[Anoob]  The required files are added in crypto/octeontx2 directory, which already specifies the maintainers. Do we need inline ipsec mentioned separately?


* Re: [dpdk-dev] [EXT] Re: [PATCH 00/15] add OCTEONTX2 inline IPsec support
  2019-12-13  7:41     ` [dpdk-dev] [EXT] " Anoob Joseph
@ 2019-12-13 10:18       ` Thomas Monjalon
  0 siblings, 0 replies; 111+ messages in thread
From: Thomas Monjalon @ 2019-12-13 10:18 UTC (permalink / raw)
  To: Anoob Joseph
  Cc: Jerin Jacob, Akhil Goyal, Declan Doherty,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Kiran Kumar Kokkilagadda, Nithin Kumar Dabilpuram,
	Pavan Nikhilesh Bhagavatula, Ankur Dwivedi, Archana Muniganti,
	Tejasree Kondoj, Vamsi Krishna Attunuru, Lukas Bartosik,
	dpdk-dev

13/12/2019 08:41, Anoob Joseph:
> Hi Thomas, Jerin,
> 
> Please see inline.
> 
> Thanks,
> Anoob
> 
> From: Thomas Monjalon <thomas@monjalon.net>
> > 09/12/2019 09:06, Jerin Jacob:
> > > On Sun, Dec 8, 2019 at 5:25 PM Anoob Joseph <anoobj@marvell.com>
> > wrote:
> > > >
> > > > This series adds inline IPsec support in OCTEONTX2 PMD.
> > > >
> > > > In the inbound path, the rte_flow framework needs to be used to configure
> > > > the NPC block, which does the h/w lookup. The packets would get
> > > > processed by the crypto block and would submit to the scheduling
> > > > block, SSO. So inline IPsec mode can be enabled only when traffic is
> > > > received via event device using Rx adapter.
> > > >
> > > > In the outbound path, the core would submit to the crypto block and
> > > > the crypto block would submit the packet for Tx internally.
> > > >
> > >
> > > The release note update is missing.
> > 
> 
> [Anoob] Will update in v2. 
> 
> > Yes, and the MAINTAINERS file as well.
> 
> [Anoob]  The required files are added in crypto/octeontx2 directory, which already specifies the maintainers. Do we need inline ipsec mentioned separately?

No sorry, it's fine.




* Re: [dpdk-dev] [PATCH 14/15] crypto/octeontx2: add inline tx path changes
  2019-12-08 11:54 ` [dpdk-dev] [PATCH 14/15] crypto/octeontx2: add inline tx path changes Anoob Joseph
@ 2019-12-14 15:42   ` Gavin Hu (Arm Technology China)
  0 siblings, 0 replies; 111+ messages in thread
From: Gavin Hu (Arm Technology China) @ 2019-12-14 15:42 UTC (permalink / raw)
  To: Anoob Joseph, Akhil.goyal@nxp.com, Declan Doherty, thomas
  Cc: Ankur Dwivedi, jerinj, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Archana Muniganti,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dev, nd

Went through the patch, from the barrier usage perspective,
Reviewed-by: Gavin Hu <gavin.hu@arm.com> 

* [dpdk-dev] [PATCH v2 00/15]  add OCTEONTX2 inline IPsec support
  2019-12-08 11:54 [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Anoob Joseph
                   ` (15 preceding siblings ...)
  2019-12-09  8:06 ` [dpdk-dev] [PATCH 00/15] add OCTEONTX2 inline IPsec support Jerin Jacob
@ 2020-01-18 10:48 ` Anoob Joseph
  2020-01-18 10:48   ` [dpdk-dev] [PATCH v2 01/15] common/octeontx2: add CPT LF mbox for inline inbound Anoob Joseph
                     ` (16 more replies)
  16 siblings, 17 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:48 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

This series adds inline IPsec support in OCTEONTX2 PMD.

In the inbound path, the rte_flow framework needs to be used to configure
the NPC block, which does the h/w lookup. The packets would get
processed by the crypto block and would submit to the scheduling block,
SSO. So inline IPsec mode can be enabled only when traffic is received
via event device using Rx adapter.

In the outbound path, the core would submit to the crypto block and the
crypto block would submit the packet for Tx internally.

v2:
* Minimized additions to common/octeontx2
* Updated release notes
* Renamed otx2_is_ethdev to otx2_ethdev_is_sec_capable

Ankur Dwivedi (3):
  crypto/octeontx2: add eth security capabilities
  crypto/octeontx2: add datapath ops in eth security ctx
  crypto/octeontx2: add inline tx path changes

Anoob Joseph (4):
  common/octeontx2: add CPT LF mbox for inline inbound
  crypto/octeontx2: create eth security ctx
  crypto/octeontx2: enable CPT to share QP with ethdev
  crypto/octeontx2: add eth security session operations

Archana Muniganti (3):
  crypto/octeontx2: add lookup mem changes to hold sa indices
  drivers/octeontx2: add sec in compiler optimized RX fastpath framework
  drivers/octeontx2: add sec in compiler optimized TX fastpath framework

Tejasree Kondoj (3):
  crypto/octeontx2: configure for inline IPsec
  crypto/octeontx2: add security in eth dev configure
  net/octeontx2: add inline ipsec rx path changes

Vamsi Attunuru (2):
  common/octeontx2: add routine to check if sec capable otx2
  crypto/octeontx2: sync inline tag type cfg with Rx adapter
    configuration

 doc/guides/nics/octeontx2.rst                      |  20 +
 doc/guides/rel_notes/release_20_02.rst             |   9 +
 drivers/common/octeontx2/otx2_common.c             |  22 +
 drivers/common/octeontx2/otx2_common.h             |  22 +
 drivers/common/octeontx2/otx2_mbox.h               |   7 +
 .../octeontx2/rte_common_octeontx2_version.map     |   3 +
 drivers/crypto/octeontx2/Makefile                  |   7 +-
 drivers/crypto/octeontx2/meson.build               |   7 +-
 drivers/crypto/octeontx2/otx2_cryptodev.c          |   8 +
 .../crypto/octeontx2/otx2_cryptodev_hw_access.h    |  22 +-
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.c     |  53 ++
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.h     |   7 +
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c      |  56 ++
 drivers/crypto/octeontx2/otx2_cryptodev_qp.h       |  35 +
 drivers/crypto/octeontx2/otx2_ipsec_fp.h           | 348 +++++++++
 drivers/crypto/octeontx2/otx2_security.c           | 870 +++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.h           | 158 ++++
 drivers/crypto/octeontx2/otx2_security_tx.h        | 175 +++++
 drivers/event/octeontx2/Makefile                   |   1 +
 drivers/event/octeontx2/meson.build                |   5 +-
 drivers/event/octeontx2/otx2_evdev.c               | 170 ++--
 drivers/event/octeontx2/otx2_evdev.h               |   4 +-
 drivers/event/octeontx2/otx2_worker.c              |   6 +-
 drivers/event/octeontx2/otx2_worker.h              |   6 +
 drivers/event/octeontx2/otx2_worker_dual.c         |   6 +-
 drivers/net/octeontx2/Makefile                     |   1 +
 drivers/net/octeontx2/meson.build                  |   3 +
 drivers/net/octeontx2/otx2_ethdev.c                |  46 +-
 drivers/net/octeontx2/otx2_ethdev.h                |   2 +
 drivers/net/octeontx2/otx2_ethdev_devargs.c        |  19 +
 drivers/net/octeontx2/otx2_flow.c                  |  26 +
 drivers/net/octeontx2/otx2_lookup.c                |  11 +-
 drivers/net/octeontx2/otx2_rx.c                    |  27 +-
 drivers/net/octeontx2/otx2_rx.h                    | 377 ++++++---
 drivers/net/octeontx2/otx2_tx.c                    |  29 +-
 drivers/net/octeontx2/otx2_tx.h                    | 271 +++++--
 36 files changed, 2556 insertions(+), 283 deletions(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_qp.h
 create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h
 create mode 100644 drivers/crypto/octeontx2/otx2_security.c
 create mode 100644 drivers/crypto/octeontx2/otx2_security.h
 create mode 100644 drivers/crypto/octeontx2/otx2_security_tx.h

-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v2 01/15] common/octeontx2: add CPT LF mbox for inline inbound
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
@ 2020-01-18 10:48   ` Anoob Joseph
  2020-01-18 14:34     ` Jerin Jacob
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 02/15] common/octeontx2: add routine to check if sec capable otx2 Anoob Joseph
                     ` (15 subsequent siblings)
  16 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:48 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev, Tejasree Kondoj

Adding the new mbox introduced to configure CPT LF to be used for inline
inbound.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <kondoj.tejasree@cavium.com>
---
 drivers/common/octeontx2/otx2_mbox.h | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/common/octeontx2/otx2_mbox.h b/drivers/common/octeontx2/otx2_mbox.h
index e0e4e2f..70452d1 100644
--- a/drivers/common/octeontx2/otx2_mbox.h
+++ b/drivers/common/octeontx2/otx2_mbox.h
@@ -193,6 +193,8 @@ M(CPT_SET_CRYPTO_GRP,	0xA03, cpt_set_crypto_grp,			\
 			       msg_rsp)					\
 M(CPT_INLINE_IPSEC_CFG, 0xA04, cpt_inline_ipsec_cfg,			\
 			       cpt_inline_ipsec_cfg_msg, msg_rsp)	\
+M(CPT_RX_INLINE_LF_CFG, 0xBFE, cpt_rx_inline_lf_cfg,			\
+			       cpt_rx_inline_lf_cfg_msg, msg_rsp)	\
 /* NPC mbox IDs (range 0x6000 - 0x7FFF) */				\
 M(NPC_MCAM_ALLOC_ENTRY,	0x6000, npc_mcam_alloc_entry,			\
 				npc_mcam_alloc_entry_req,		\
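Review bot: The ID 0xBFE on the new M(CPT_RX_INLINE_LF_CFG, ...) entry breaks the sequential numbering of the CPT entries just above it (0xA03, 0xA04), and nothing in the hunk says why. Add a short comment next to the entry explaining the choice of 0xBFE, so a later addition neither collides with it nor assumes the IDs are contiguous.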
@@ -1202,6 +1204,11 @@ struct cpt_inline_ipsec_cfg_msg {
 	uint16_t __otx2_io nix_pf_func; /* Outbound path NIX_PF_FUNC */
 };
 
+struct cpt_rx_inline_lf_cfg_msg {
+	struct mbox_msghdr hdr;
+	uint16_t __otx2_io sso_pf_func;
+};
+
 /* NPC mbox message structs */
 
 #define NPC_MCAM_ENTRY_INVALID	0xFFFF
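Review bot: The sso_pf_func field in struct cpt_rx_inline_lf_cfg_msg has no comment, while the neighbouring nix_pf_func field is documented as "Outbound path NIX_PF_FUNC". Please document the field the same way (which SSO PF_FUNC it carries and that it applies to the inbound path), since this struct is the only description of the message layout.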
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v2 02/15] common/octeontx2: add routine to check if sec capable otx2
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
  2020-01-18 10:48   ` [dpdk-dev] [PATCH v2 01/15] common/octeontx2: add CPT LF mbox for inline inbound Anoob Joseph
@ 2020-01-18 10:49   ` Anoob Joseph
  2020-01-18 14:35     ` Jerin Jacob
  2020-01-27  7:01     ` Akhil Goyal
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 03/15] crypto/octeontx2: configure for inline IPsec Anoob Joseph
                     ` (14 subsequent siblings)
  16 siblings, 2 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:49 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Vamsi Attunuru, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Lukasz Bartosik, dev

From: Vamsi Attunuru <vattunuru@marvell.com>

This routine returns true if given rte_eth_dev is security offload
capable and belongs to octeontx2.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/common/octeontx2/otx2_common.c               | 20 ++++++++++++++++++++
 drivers/common/octeontx2/otx2_common.h               |  2 ++
 .../octeontx2/rte_common_octeontx2_version.map       |  1 +
 3 files changed, 23 insertions(+)

diff --git a/drivers/common/octeontx2/otx2_common.c b/drivers/common/octeontx2/otx2_common.c
index 7e45366..2f9b167 100644
--- a/drivers/common/octeontx2/otx2_common.c
+++ b/drivers/common/octeontx2/otx2_common.c
@@ -3,6 +3,7 @@
  */
 
 #include <rte_atomic.h>
+#include <rte_ethdev.h>
 #include <rte_malloc.h>
 #include <rte_log.h>
 
@@ -23,6 +24,25 @@ otx2_npa_set_defaults(struct otx2_idev_cfg *idev)
 
 /**
  * @internal
+ * Check if rte_eth_dev is security offload capable otx2_eth_dev
+ */
+uint8_t
+otx2_ethdev_is_sec_capable(struct rte_eth_dev *eth_dev)
+{
+	struct rte_pci_device *pci_dev;
+
+	pci_dev = RTE_ETH_DEV_TO_PCI(eth_dev);
+
+	if (pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_PF ||
+	    pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_VF ||
+	    pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_AF_VF)
+		return 1;
+
+	return 0;
+}
+
+/**
+ * @internal
  * Get intra device config structure.
  */
 struct otx2_idev_cfg *
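Review bot: otx2_ethdev_is_sec_capable() applies RTE_ETH_DEV_TO_PCI() to whatever rte_eth_dev it is given and then reads pci_dev->id.device_id, but nothing in the function establishes that the port sits on the PCI bus. For a vdev-backed port the macro yields a pointer that is not an rte_pci_device, so the comparison reads unrelated memory. Check eth_dev->device and its bus (or the driver name) before the conversion, and compare id.vendor_id as well as id.device_id. The doc comment also says "security offload capable" while the code only tests for three RVU device IDs; either describe the check as what it is or test an actual capability. A bool return type would fit the 0/1 usage better than uint8_t.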
diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h
index f62c45d..db0cde1 100644
--- a/drivers/common/octeontx2/otx2_common.h
+++ b/drivers/common/octeontx2/otx2_common.h
@@ -8,6 +8,7 @@
 #include <rte_atomic.h>
 #include <rte_common.h>
 #include <rte_cycles.h>
+#include <rte_ethdev.h>
 #include <rte_memory.h>
 #include <rte_memzone.h>
 #include <rte_io.h>
@@ -70,6 +71,7 @@ struct otx2_idev_cfg *otx2_intra_dev_get_cfg(void);
 void otx2_sso_pf_func_set(uint16_t sso_pf_func);
 uint16_t otx2_sso_pf_func_get(void);
 uint16_t otx2_npa_pf_func_get(void);
+uint8_t otx2_ethdev_is_sec_capable(struct rte_eth_dev *eth_dev);
 struct otx2_npa_lf *otx2_npa_lf_obj_get(void);
 void otx2_npa_set_defaults(struct otx2_idev_cfg *idev);
 int otx2_npa_lf_active(void *dev);
diff --git a/drivers/common/octeontx2/rte_common_octeontx2_version.map b/drivers/common/octeontx2/rte_common_octeontx2_version.map
index adad21a..bd9fc41 100644
--- a/drivers/common/octeontx2/rte_common_octeontx2_version.map
+++ b/drivers/common/octeontx2/rte_common_octeontx2_version.map
@@ -6,6 +6,7 @@ DPDK_20.0 {
 	otx2_dev_priv_init;
 	otx2_disable_irqs;
 	otx2_intra_dev_get_cfg;
+	otx2_ethdev_is_sec_capable;
 	otx2_logtype_base;
 	otx2_logtype_dpi;
 	otx2_logtype_mbox;
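Review bot: otx2_ethdev_is_sec_capable is inserted after otx2_intra_dev_get_cfg, which breaks the alphabetical order the surrounding symbols follow. It belongs after otx2_disable_irqs.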
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v2 03/15] crypto/octeontx2: configure for inline IPsec
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
  2020-01-18 10:48   ` [dpdk-dev] [PATCH v2 01/15] common/octeontx2: add CPT LF mbox for inline inbound Anoob Joseph
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 02/15] common/octeontx2: add routine to check if sec capable otx2 Anoob Joseph
@ 2020-01-18 10:49   ` Anoob Joseph
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 04/15] crypto/octeontx2: create eth security ctx Anoob Joseph
                     ` (13 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:49 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Tejasree Kondoj, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Vamsi Attunuru, Lukasz Bartosik, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

For enabling outbound inline IPsec, a CPT queue needs to be tied
to a NIX PF_FUNC. Distribute CPT queues fairly among all available
otx2 eth ports.

For inbound, one CPT LF will be assigned and initialized by kernel.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/Makefile              |  3 +-
 drivers/crypto/octeontx2/meson.build           |  2 +
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.c | 53 ++++++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.h |  7 ++++
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c  | 38 ++++++++++++++++++
 5 files changed, 102 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/octeontx2/Makefile b/drivers/crypto/octeontx2/Makefile
index f7d6c37..3ba67ed 100644
--- a/drivers/crypto/octeontx2/Makefile
+++ b/drivers/crypto/octeontx2/Makefile
@@ -10,7 +10,7 @@ LIB = librte_pmd_octeontx2_crypto.a
 # build flags
 CFLAGS += $(WERROR_FLAGS)
 
-LDLIBS += -lrte_eal -lrte_mbuf -lrte_mempool -lrte_ring
+LDLIBS += -lrte_eal -lrte_ethdev -lrte_mbuf -lrte_mempool -lrte_ring
 LDLIBS += -lrte_cryptodev
 LDLIBS += -lrte_pci -lrte_bus_pci
 LDLIBS += -lrte_common_cpt -lrte_common_octeontx2
@@ -21,6 +21,7 @@ CFLAGS += -O3
 CFLAGS += -I$(RTE_SDK)/drivers/common/cpt
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
 CFLAGS += -DALLOW_EXPERIMENTAL_API
 
 ifneq ($(CONFIG_RTE_ARCH_64),y)
diff --git a/drivers/crypto/octeontx2/meson.build b/drivers/crypto/octeontx2/meson.build
index b6e5b73..67deca3 100644
--- a/drivers/crypto/octeontx2/meson.build
+++ b/drivers/crypto/octeontx2/meson.build
@@ -8,6 +8,7 @@ endif
 deps += ['bus_pci']
 deps += ['common_cpt']
 deps += ['common_octeontx2']
+deps += ['ethdev']
 name = 'octeontx2_crypto'
 
 allow_experimental_apis = true
@@ -32,3 +33,4 @@ endforeach
 includes += include_directories('../../common/cpt')
 includes += include_directories('../../common/octeontx2')
 includes += include_directories('../../mempool/octeontx2')
+includes += include_directories('../../net/octeontx2')
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c
index b54e407..202832d 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c
@@ -2,10 +2,13 @@
  * Copyright (C) 2019 Marvell International Ltd.
  */
 #include <rte_cryptodev.h>
+#include <rte_ethdev.h>
 
 #include "otx2_cryptodev.h"
+#include "otx2_cryptodev_hw_access.h"
 #include "otx2_cryptodev_mbox.h"
 #include "otx2_dev.h"
+#include "otx2_ethdev.h"
 #include "otx2_mbox.h"
 
 #include "cpt_pmd_logs.h"
@@ -173,3 +176,53 @@ otx2_cpt_af_reg_write(const struct rte_cryptodev *dev, uint64_t reg,
 
 	return otx2_cpt_send_mbox_msg(vf);
 }
+
+int
+otx2_cpt_inline_init(const struct rte_cryptodev *dev)
+{
+	struct otx2_cpt_vf *vf = dev->data->dev_private;
+	struct otx2_mbox *mbox = vf->otx2_dev.mbox;
+	struct cpt_rx_inline_lf_cfg_msg *msg;
+	int ret;
+
+	msg = otx2_mbox_alloc_msg_cpt_rx_inline_lf_cfg(mbox);
+	msg->sso_pf_func = otx2_sso_pf_func_get();
+
+	otx2_mbox_msg_send(mbox, 0);
+	ret = otx2_mbox_process(mbox);
+	if (ret < 0)
+		return -EIO;
+
+	return 0;
+}
+
+int
+otx2_cpt_qp_ethdev_bind(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp,
+			uint16_t port_id)
+{
+	struct rte_eth_dev *eth_dev = &rte_eth_devices[port_id];
+	struct otx2_cpt_vf *vf = dev->data->dev_private;
+	struct otx2_mbox *mbox = vf->otx2_dev.mbox;
+	struct cpt_inline_ipsec_cfg_msg *msg;
+	struct otx2_eth_dev *otx2_eth_dev;
+	int ret;
+
+	if (!otx2_ethdev_is_sec_capable(&rte_eth_devices[port_id]))
+		return -EINVAL;
+
+	otx2_eth_dev = otx2_eth_pmd_priv(eth_dev);
+
+	msg = otx2_mbox_alloc_msg_cpt_inline_ipsec_cfg(mbox);
+	msg->dir = CPT_INLINE_OUTBOUND;
+	msg->enable = 1;
+	msg->slot = qp->id;
+
+	msg->nix_pf_func = otx2_eth_dev->pf_func;
+
+	otx2_mbox_msg_send(mbox, 0);
+	ret = otx2_mbox_process(mbox);
+	if (ret < 0)
+		return -EIO;
+
+	return 0;
+}
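Review bot: otx2_cpt_qp_ethdev_bind() indexes rte_eth_devices[port_id] in its first declaration and hands the entry to otx2_ethdev_is_sec_capable() without first validating port_id; a rte_eth_dev_is_valid_port(port_id) check should come before any use of the slot. The function also recomputes &rte_eth_devices[port_id] in the capability check although eth_dev already holds it. In both new functions the message returned by the otx2_mbox_alloc_msg_*() helper is written to without checking that the allocation succeeded, and every negative return from otx2_mbox_process() is folded into -EIO, which hides the reason reported by the AF; logging or propagating ret would help when the mbox is rejected.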
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h
index a298718..ae66b08 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h
@@ -7,6 +7,8 @@
 
 #include <rte_cryptodev.h>
 
+#include "otx2_cryptodev_hw_access.h"
+
 int otx2_cpt_available_queues_get(const struct rte_cryptodev *dev,
 				  uint16_t *nb_queues);
 
@@ -22,4 +24,9 @@ int otx2_cpt_af_reg_read(const struct rte_cryptodev *dev, uint64_t reg,
 int otx2_cpt_af_reg_write(const struct rte_cryptodev *dev, uint64_t reg,
 			  uint64_t val);
 
+int otx2_cpt_qp_ethdev_bind(const struct rte_cryptodev *dev,
+			    struct otx2_cpt_qp *qp, uint16_t port_id);
+
+int otx2_cpt_inline_init(const struct rte_cryptodev *dev);
+
 #endif /* _OTX2_CRYPTODEV_MBOX_H_ */
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index ec0e58d..b45cb82 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -6,6 +6,7 @@
 
 #include <rte_cryptodev_pmd.h>
 #include <rte_errno.h>
+#include <rte_ethdev.h>
 
 #include "otx2_cryptodev.h"
 #include "otx2_cryptodev_capabilities.h"
@@ -127,6 +128,29 @@ otx2_cpt_metabuf_mempool_destroy(struct otx2_cpt_qp *qp)
 	meta_info->sg_mlen = 0;
 }
 
+static int
+otx2_cpt_qp_inline_cfg(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp)
+{
+	static rte_atomic16_t port_offset = RTE_ATOMIC16_INIT(-1);
+	uint16_t port_id, nb_ethport = rte_eth_dev_count_avail();
+	int i, ret;
+
+	for (i = 0; i < nb_ethport; i++) {
+		port_id = rte_atomic16_add_return(&port_offset, 1) % nb_ethport;
+		if (otx2_ethdev_is_sec_capable(&rte_eth_devices[port_id]))
+			break;
+	}
+
+	if (i >= nb_ethport)
+		return 0;
+
+	ret = otx2_cpt_qp_ethdev_bind(dev, qp, port_id);
+	if (ret)
+		return ret;
+
+	return 0;
+}
+
 static struct otx2_cpt_qp *
 otx2_cpt_qp_create(const struct rte_cryptodev *dev, uint16_t qp_id,
 		   uint8_t group)
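Review bot: otx2_cpt_qp_inline_cfg() walks port IDs 0..nb_ethport-1 taken from rte_eth_dev_count_avail(), which assumes valid ports are numbered contiguously from 0. After a port detach, or with owned ports, that does not hold, and rte_eth_devices[port_id] may be an unused slot; iterating with RTE_ETH_FOREACH_DEV avoids this. Separately, port_offset is a signed 16-bit atomic that is only ever incremented: once it wraps negative, the result of `% nb_ethport` is negative and is stored into the uint16_t port_id as a large value, indexing outside rte_eth_devices[]. Use an unsigned counter or reduce it before the modulo. The function also returns 0 silently when no capable port is found, so the caller cannot tell a bound queue from an unbound one, and the tail can be a single `return otx2_cpt_qp_ethdev_bind(dev, qp, port_id);`.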
@@ -220,6 +244,12 @@ otx2_cpt_qp_create(const struct rte_cryptodev *dev, uint16_t qp_id,
 
 	otx2_cpt_iq_disable(qp);
 
+	ret = otx2_cpt_qp_inline_cfg(dev, qp);
+	if (ret) {
+		CPT_LOG_ERR("Could not configure queue for inline IPsec");
+		goto mempool_destroy;
+	}
+
 	ret = otx2_cpt_iq_enable(dev, qp, group, OTX2_CPT_QUEUE_HI_PRIO,
 				 size_div40);
 	if (ret) {
@@ -913,12 +943,20 @@ otx2_cpt_dev_config(struct rte_cryptodev *dev,
 		goto queues_detach;
 	}
 
+	ret = otx2_cpt_inline_init(dev);
+	if (ret) {
+		CPT_LOG_ERR("Could not enable inline IPsec");
+		goto intr_unregister;
+	}
+
 	dev->enqueue_burst = otx2_cpt_enqueue_burst;
 	dev->dequeue_burst = otx2_cpt_dequeue_burst;
 
 	rte_mb();
 	return 0;
 
+intr_unregister:
+	otx2_cpt_err_intr_unregister(dev);
 queues_detach:
 	otx2_cpt_queues_detach(dev);
 	return ret;
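Review bot: otx2_cpt_dev_config() now fails outright when otx2_cpt_inline_init() returns an error, so a cryptodev used only for lookaside crypto can no longer be configured if the CPT_RX_INLINE_LF_CFG mbox is rejected, for example by an AF that does not implement it. Consider treating the failure as "inline IPsec unavailable" with a log message, or gating the call on inline IPsec actually being in use, so that existing lookaside users are not affected by this series.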
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v2 04/15] crypto/octeontx2: create eth security ctx
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
                     ` (2 preceding siblings ...)
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 03/15] crypto/octeontx2: configure for inline IPsec Anoob Joseph
@ 2020-01-18 10:49   ` Anoob Joseph
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 05/15] crypto/octeontx2: add security in eth dev configure Anoob Joseph
                     ` (12 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:49 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

Adding security ctx to the eth device.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/common/octeontx2/otx2_common.c             |  2 ++
 drivers/common/octeontx2/otx2_common.h             | 10 +++++++
 .../octeontx2/rte_common_octeontx2_version.map     |  2 ++
 drivers/crypto/octeontx2/Makefile                  |  3 +-
 drivers/crypto/octeontx2/meson.build               |  4 ++-
 drivers/crypto/octeontx2/otx2_cryptodev.c          |  4 +++
 drivers/crypto/octeontx2/otx2_security.c           | 35 ++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.h           | 14 +++++++++
 drivers/net/octeontx2/otx2_ethdev.c                | 18 ++++++++++-
 9 files changed, 89 insertions(+), 3 deletions(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_security.c
 create mode 100644 drivers/crypto/octeontx2/otx2_security.h

diff --git a/drivers/common/octeontx2/otx2_common.c b/drivers/common/octeontx2/otx2_common.c
index 2f9b167..5c41822 100644
--- a/drivers/common/octeontx2/otx2_common.c
+++ b/drivers/common/octeontx2/otx2_common.c
@@ -11,6 +11,8 @@
 #include "otx2_dev.h"
 #include "otx2_mbox.h"
 
+struct otx2_sec_eth_crypto_idev_ops otx2_sec_idev_ops;
+
 /**
  * @internal
  * Set default NPA configuration.
diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h
index db0cde1..4e8d0af 100644
--- a/drivers/common/octeontx2/otx2_common.h
+++ b/drivers/common/octeontx2/otx2_common.h
@@ -77,6 +77,16 @@ void otx2_npa_set_defaults(struct otx2_idev_cfg *idev);
 int otx2_npa_lf_active(void *dev);
 int otx2_npa_lf_obj_ref(void);
 
+typedef int (*otx2_sec_eth_ctx_create_t)(struct rte_eth_dev *eth_dev);
+typedef void (*otx2_sec_eth_ctx_destroy_t)(struct rte_eth_dev *eth_dev);
+
+struct otx2_sec_eth_crypto_idev_ops {
+	otx2_sec_eth_ctx_create_t ctx_create;
+	otx2_sec_eth_ctx_destroy_t ctx_destroy;
+};
+
+extern struct otx2_sec_eth_crypto_idev_ops otx2_sec_idev_ops;
+
 /* Log */
 extern int otx2_logtype_base;
 extern int otx2_logtype_mbox;
diff --git a/drivers/common/octeontx2/rte_common_octeontx2_version.map b/drivers/common/octeontx2/rte_common_octeontx2_version.map
index bd9fc41..1a43bb6 100644
--- a/drivers/common/octeontx2/rte_common_octeontx2_version.map
+++ b/drivers/common/octeontx2/rte_common_octeontx2_version.map
@@ -32,5 +32,7 @@ DPDK_20.0 {
 	otx2_sso_pf_func_set;
 	otx2_unregister_irq;
 
+	otx2_sec_idev_ops;
+
 	local: *;
 };
diff --git a/drivers/crypto/octeontx2/Makefile b/drivers/crypto/octeontx2/Makefile
index 3ba67ed..d2e9b9f 100644
--- a/drivers/crypto/octeontx2/Makefile
+++ b/drivers/crypto/octeontx2/Makefile
@@ -11,7 +11,7 @@ LIB = librte_pmd_octeontx2_crypto.a
 CFLAGS += $(WERROR_FLAGS)
 
 LDLIBS += -lrte_eal -lrte_ethdev -lrte_mbuf -lrte_mempool -lrte_ring
-LDLIBS += -lrte_cryptodev
+LDLIBS += -lrte_cryptodev -lrte_security
 LDLIBS += -lrte_pci -lrte_bus_pci
 LDLIBS += -lrte_common_cpt -lrte_common_octeontx2
 
@@ -38,6 +38,7 @@ SRCS-$(CONFIG_RTE_LIBRTE_PMD_OCTEONTX2_CRYPTO) += otx2_cryptodev_capabilities.c
 SRCS-$(CONFIG_RTE_LIBRTE_PMD_OCTEONTX2_CRYPTO) += otx2_cryptodev_hw_access.c
 SRCS-$(CONFIG_RTE_LIBRTE_PMD_OCTEONTX2_CRYPTO) += otx2_cryptodev_mbox.c
 SRCS-$(CONFIG_RTE_LIBRTE_PMD_OCTEONTX2_CRYPTO) += otx2_cryptodev_ops.c
+SRCS-$(CONFIG_RTE_LIBRTE_PMD_OCTEONTX2_CRYPTO) += otx2_security.c
 
 # export include files
 SYMLINK-y-include +=
diff --git a/drivers/crypto/octeontx2/meson.build b/drivers/crypto/octeontx2/meson.build
index 67deca3..f7b2937 100644
--- a/drivers/crypto/octeontx2/meson.build
+++ b/drivers/crypto/octeontx2/meson.build
@@ -9,6 +9,7 @@ deps += ['bus_pci']
 deps += ['common_cpt']
 deps += ['common_octeontx2']
 deps += ['ethdev']
+deps += ['security']
 name = 'octeontx2_crypto'
 
 allow_experimental_apis = true
@@ -16,7 +17,8 @@ sources = files('otx2_cryptodev.c',
 		'otx2_cryptodev_capabilities.c',
 		'otx2_cryptodev_hw_access.c',
 		'otx2_cryptodev_mbox.c',
-		'otx2_cryptodev_ops.c')
+		'otx2_cryptodev_ops.c',
+		'otx2_security.c')
 
 extra_flags = []
 # This integrated controller runs only on a arm64 machine, remove 32bit warnings
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev.c b/drivers/crypto/octeontx2/otx2_cryptodev.c
index 7fd216b..86c1188 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev.c
@@ -17,6 +17,7 @@
 #include "otx2_cryptodev_mbox.h"
 #include "otx2_cryptodev_ops.h"
 #include "otx2_dev.h"
+#include "otx2_security.h"
 
 /* CPT common headers */
 #include "cpt_common.h"
@@ -154,4 +155,7 @@ RTE_INIT(otx2_cpt_init_log)
 	otx2_cpt_logtype = rte_log_register("pmd.crypto.octeontx2");
 	if (otx2_cpt_logtype >= 0)
 		rte_log_set_level(otx2_cpt_logtype, RTE_LOG_NOTICE);
+
+	otx2_sec_idev_ops.ctx_create = otx2_sec_eth_ctx_create;
+	otx2_sec_idev_ops.ctx_destroy = otx2_sec_eth_ctx_destroy;
 }
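Review bot: The ctx_create/ctx_destroy ops are registered inside RTE_INIT(otx2_cpt_init_log), a constructor whose name says it sets up logging, and they are registered whenever the crypto PMD is linked in, whether or not a CPT device is ever probed. Because otx2_eth_dev_init() in this same patch treats a non-NULL ctx_create as the signal to create a context and to set DEV_TX_OFFLOAD_SECURITY and DEV_RX_OFFLOAD_SECURITY, every otx2 port would advertise the offload even with no crypto device behind it. Move the registration to its own constructor or to the CPT probe path, and tie the capability flags to a probed device.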
diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
new file mode 100644
index 0000000..531c78b
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2020 Marvell International Ltd.
+ */
+
+#include <rte_ethdev.h>
+#include <rte_malloc.h>
+#include <rte_security.h>
+
+#include "otx2_security.h"
+
+int
+otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev)
+{
+	struct rte_security_ctx *ctx;
+
+	ctx = rte_malloc("otx2_sec_eth_ctx",
+			 sizeof(struct rte_security_ctx), 0);
+	if (ctx == NULL)
+		return -ENOMEM;
+
+	/* Populate ctx */
+
+	ctx->device = eth_dev;
+	ctx->sess_cnt = 0;
+
+	eth_dev->security_ctx = ctx;
+
+	return 0;
+}
+
+void
+otx2_sec_eth_ctx_destroy(struct rte_eth_dev *eth_dev)
+{
+	rte_free(eth_dev->security_ctx);
+}
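Review bot: otx2_sec_eth_ctx_create() allocates the rte_security_ctx with rte_malloc(), which does not zero memory, and then assigns only device and sess_cnt, so any other member of the struct is left uninitialized while eth_dev->security_ctx is already published. Use rte_zmalloc(), or assign every member before storing the pointer. In otx2_sec_eth_ctx_destroy(), eth_dev->security_ctx is freed but not reset to NULL; since this patch calls ctx_destroy from both the init error path and otx2_eth_dev_uninit(), a stale pointer stays reachable through the ethdev after the free. Set it to NULL after rte_free().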
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
new file mode 100644
index 0000000..21b7da4
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2020 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_SECURITY_H__
+#define __OTX2_SECURITY_H__
+
+#include <rte_ethdev.h>
+
+int otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev);
+
+void otx2_sec_eth_ctx_destroy(struct rte_eth_dev *eth_dev);
+
+#endif /* __OTX2_SECURITY_H__ */
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index ed32927..3e19ac2 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -2236,10 +2236,19 @@ otx2_eth_dev_init(struct rte_eth_dev *eth_dev)
 		dev->hwcap |= OTX2_FIXUP_F_LIMIT_CQ_FULL;
 	}
 
+	/* Create security ctx */
+	if (otx2_sec_idev_ops.ctx_create != NULL) {
+		rc = otx2_sec_idev_ops.ctx_create(eth_dev);
+		if (rc)
+			goto free_mac_addrs;
+		dev->tx_offload_capa |= DEV_TX_OFFLOAD_SECURITY;
+		dev->rx_offload_capa |= DEV_RX_OFFLOAD_SECURITY;
+	}
+
 	/* Initialize rte-flow */
 	rc = otx2_flow_init(dev);
 	if (rc)
-		goto free_mac_addrs;
+		goto sec_ctx_destroy;
 
 	otx2_nix_mc_filter_init(dev);
 
@@ -2250,6 +2259,9 @@ otx2_eth_dev_init(struct rte_eth_dev *eth_dev)
 		     dev->rx_offload_capa, dev->tx_offload_capa);
 	return 0;
 
+sec_ctx_destroy:
+	if (otx2_sec_idev_ops.ctx_destroy != NULL)
+		otx2_sec_idev_ops.ctx_destroy(eth_dev);
 free_mac_addrs:
 	rte_free(eth_dev->data->mac_addrs);
 unregister_irq:
@@ -2333,6 +2345,10 @@ otx2_eth_dev_uninit(struct rte_eth_dev *eth_dev, bool mbox_close)
 	if (rc)
 		otx2_err("Failed to cleanup npa lf, rc=%d", rc);
 
+	/* Destroy security ctx */
+	if (otx2_sec_idev_ops.ctx_destroy != NULL)
+		otx2_sec_idev_ops.ctx_destroy(eth_dev);
+
 	rte_free(eth_dev->data->mac_addrs);
 	eth_dev->data->mac_addrs = NULL;
 	dev->drv_inited = false;
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v2 05/15] crypto/octeontx2: add security in eth dev configure
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
                     ` (3 preceding siblings ...)
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 04/15] crypto/octeontx2: create eth security ctx Anoob Joseph
@ 2020-01-18 10:49   ` Anoob Joseph
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 06/15] crypto/octeontx2: add eth security capabilities Anoob Joseph
                     ` (11 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:49 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Tejasree Kondoj, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Vamsi Attunuru, Lukasz Bartosik, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

Adding security in eth device configure.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 doc/guides/nics/octeontx2.rst               |  20 +++++
 doc/guides/rel_notes/release_20_02.rst      |   9 ++
 drivers/common/octeontx2/otx2_common.h      |   4 +
 drivers/crypto/octeontx2/Makefile           |   2 +-
 drivers/crypto/octeontx2/meson.build        |   1 +
 drivers/crypto/octeontx2/otx2_cryptodev.c   |   2 +
 drivers/crypto/octeontx2/otx2_ipsec_fp.h    |  55 +++++++++++++
 drivers/crypto/octeontx2/otx2_security.c    | 122 ++++++++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.h    |   4 +
 drivers/net/octeontx2/otx2_ethdev.c         |  22 ++++-
 drivers/net/octeontx2/otx2_ethdev.h         |   2 +
 drivers/net/octeontx2/otx2_ethdev_devargs.c |  19 +++++
 12 files changed, 260 insertions(+), 2 deletions(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h

diff --git a/doc/guides/nics/octeontx2.rst b/doc/guides/nics/octeontx2.rst
index db62a45..fd4e455 100644
--- a/doc/guides/nics/octeontx2.rst
+++ b/doc/guides/nics/octeontx2.rst
@@ -38,6 +38,7 @@ Features of the OCTEON TX2 Ethdev PMD are:
 - IEEE1588 timestamping
 - HW offloaded `ethdev Rx queue` to `eventdev event queue` packet injection
 - Support Rx interrupt
+- Inline IPsec processing support
 
 Prerequisites
 -------------
@@ -178,6 +179,17 @@ Runtime Config Options
    traffic on this port should be higig2 traffic only. Supported switch header
    types are "higig2" and "dsa".
 
+- ``Max SPI for inbound inline IPsec`` (default ``1``)
+
+   Max SPI supported for inbound inline IPsec processing can be specified by
+   ``ipsec_in_max_spi`` ``devargs`` parameter.
+
+   For example::
+      -w 0002:02:00.0,ipsec_in_max_spi=128
+
+   With the above configuration, application can enable inline IPsec processing
+   on 128 SAs (SPI 0-127).
+
 .. note::
 
    Above devarg parameters are configurable per device, user needs to pass the
@@ -211,6 +223,14 @@ SDP interface support
 ~~~~~~~~~~~~~~~~~~~~~
 OCTEON TX2 SDP interface support is limited to PF device, No VF support.
 
+Inline Protocol Processing
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+``net_octeontx2`` pmd doesn't support the following features for packets to be
+inline protocol processed.
+- TSO offload
+- VLAN/QinQ offload
+- Fragmentation
+
 Debugging Options
 -----------------
 
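Review bot: In the new "Inline Protocol Processing" section the bullet list follows the sentence "inline protocol processed." with no blank line, so reStructuredText will fold the three items into the paragraph instead of rendering a list. Add a blank line before "- TSO offload". "pmd" should be "PMD" to match the rest of the guide.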
diff --git a/doc/guides/rel_notes/release_20_02.rst b/doc/guides/rel_notes/release_20_02.rst
index 6cbe457..8e71fef 100644
--- a/doc/guides/rel_notes/release_20_02.rst
+++ b/doc/guides/rel_notes/release_20_02.rst
@@ -82,6 +82,15 @@ New Features
 
   Added Chacha20-Poly1305 AEAD algorithm.
 
+* **Added inline IPsec support to Marvell OCTEONTX2 PMD.**
+
+  Added inline IPsec support to Marvell OCTEONTX2 PMD. With the feature,
+  applications would be able to offload entire IPsec offload to the hardware.
+  For the configured sessions, hardware will do the lookup and perform
+  decryption and IPsec transformation. For the outbound path, application
+  can submit a plain packet to the PMD, and it would be sent out on wire
+  after doing encryption and IPsec transformation of the packet.
+
 
 Removed Items
 -------------
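Review bot: The release note body repeats its own title as the first sentence and then says applications can "offload entire IPsec offload to the hardware", which reads as a slip. Drop the repeated sentence and reword to something like "applications can offload the entire IPsec processing to the hardware". It would also help to state that the inbound description ("hardware will do the lookup and perform decryption") applies to the inbound path, to mirror the explicit "For the outbound path" that follows.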
diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h
index 4e8d0af..fbe7335 100644
--- a/drivers/common/octeontx2/otx2_common.h
+++ b/drivers/common/octeontx2/otx2_common.h
@@ -79,10 +79,14 @@ int otx2_npa_lf_obj_ref(void);
 
 typedef int (*otx2_sec_eth_ctx_create_t)(struct rte_eth_dev *eth_dev);
 typedef void (*otx2_sec_eth_ctx_destroy_t)(struct rte_eth_dev *eth_dev);
+typedef int (*otx2_sec_eth_init_t)(struct rte_eth_dev *eth_dev);
+typedef void (*otx2_sec_eth_fini_t)(struct rte_eth_dev *eth_dev);
 
 struct otx2_sec_eth_crypto_idev_ops {
 	otx2_sec_eth_ctx_create_t ctx_create;
 	otx2_sec_eth_ctx_destroy_t ctx_destroy;
+	otx2_sec_eth_init_t init;
+	otx2_sec_eth_fini_t fini;
 };
 
 extern struct otx2_sec_eth_crypto_idev_ops otx2_sec_idev_ops;
diff --git a/drivers/crypto/octeontx2/Makefile b/drivers/crypto/octeontx2/Makefile
index d2e9b9f..5966ddc 100644
--- a/drivers/crypto/octeontx2/Makefile
+++ b/drivers/crypto/octeontx2/Makefile
@@ -11,7 +11,7 @@ LIB = librte_pmd_octeontx2_crypto.a
 CFLAGS += $(WERROR_FLAGS)
 
 LDLIBS += -lrte_eal -lrte_ethdev -lrte_mbuf -lrte_mempool -lrte_ring
-LDLIBS += -lrte_cryptodev -lrte_security
+LDLIBS += -lrte_cryptodev -lrte_security -lrte_eventdev
 LDLIBS += -lrte_pci -lrte_bus_pci
 LDLIBS += -lrte_common_cpt -lrte_common_octeontx2
 
diff --git a/drivers/crypto/octeontx2/meson.build b/drivers/crypto/octeontx2/meson.build
index f7b2937..f0f5043 100644
--- a/drivers/crypto/octeontx2/meson.build
+++ b/drivers/crypto/octeontx2/meson.build
@@ -9,6 +9,7 @@ deps += ['bus_pci']
 deps += ['common_cpt']
 deps += ['common_octeontx2']
 deps += ['ethdev']
+deps += ['eventdev']
 deps += ['security']
 name = 'octeontx2_crypto'
 
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev.c b/drivers/crypto/octeontx2/otx2_cryptodev.c
index 86c1188..34feb82 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev.c
@@ -158,4 +158,6 @@ RTE_INIT(otx2_cpt_init_log)
 
 	otx2_sec_idev_ops.ctx_create = otx2_sec_eth_ctx_create;
 	otx2_sec_idev_ops.ctx_destroy = otx2_sec_eth_ctx_destroy;
+	otx2_sec_idev_ops.init = otx2_sec_eth_init;
+	otx2_sec_idev_ops.fini = otx2_sec_eth_fini;
 }
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_fp.h b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
new file mode 100644
index 0000000..bf4181a
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
@@ -0,0 +1,55 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2020 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_IPSEC_FP_H__
+#define __OTX2_IPSEC_FP_H__
+
+struct otx2_ipsec_fp_sa_ctl {
+	rte_be32_t spi          : 32;
+	uint64_t exp_proto_inter_frag : 8;
+	uint64_t rsvd_42_40   : 3;
+	uint64_t esn_en       : 1;
+	uint64_t rsvd_45_44   : 2;
+	uint64_t encap_type   : 2;
+	uint64_t enc_type     : 3;
+	uint64_t rsvd_48      : 1;
+	uint64_t auth_type    : 4;
+	uint64_t valid        : 1;
+	uint64_t direction    : 1;
+	uint64_t outer_ip_ver : 1;
+	uint64_t inner_ip_ver : 1;
+	uint64_t ipsec_mode   : 1;
+	uint64_t ipsec_proto  : 1;
+	uint64_t aes_key_len  : 2;
+};
+
+struct otx2_ipsec_fp_in_sa {
+	/* w0 */
+	struct otx2_ipsec_fp_sa_ctl ctl;
+
+	/* w1 */
+	uint8_t nonce[4]; /* Only for AES-GCM */
+	uint32_t unused;
+
+	/* w2 */
+	uint32_t esn_low;
+	uint32_t esn_hi;
+
+	/* w3-w6 */
+	uint8_t cipher_key[32];
+
+	/* w7-w12 */
+	uint8_t hmac_key[48];
+
+	RTE_STD_C11
+	union {
+		void *userdata;
+		uint64_t udata64;
+	};
+
+	uint64_t reserved1;
+	uint64_t reserved2;
+};
+
+#endif /* __OTX2_IPSEC_FP_H__ */
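Review bot: otx2_ipsec_fp.h uses rte_be32_t, uint64_t and RTE_STD_C11 but includes nothing, so it compiles only when the including file has already pulled in the right headers; please add the includes it depends on. In struct otx2_ipsec_fp_sa_ctl the "w0" layout relies on the bit-fields packing into exactly 64 bits, yet spi is declared as an rte_be32_t bit-field while every other field is uint64_t, which leaves the packing to the compiler. Suggest declaring spi with the same base type as the others and adding a build-time check that sizeof(struct otx2_ipsec_fp_sa_ctl) is 8, next to the existing size check on the inbound SA.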
diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index 531c78b..cdb7950 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -3,11 +3,36 @@
  */
 
 #include <rte_ethdev.h>
+#include <rte_eventdev.h>
 #include <rte_malloc.h>
+#include <rte_memzone.h>
 #include <rte_security.h>
 
+#include "otx2_ethdev.h"
+#include "otx2_ipsec_fp.h"
 #include "otx2_security.h"
 
+#define SEC_ETH_MAX_PKT_LEN	1450
+
+struct sec_eth_tag_const {
+	RTE_STD_C11
+	union {
+		struct {
+			uint32_t rsvd_11_0  : 12;
+			uint32_t port       : 8;
+			uint32_t event_type : 4;
+			uint32_t rsvd_31_24 : 8;
+		};
+		uint32_t u32;
+	};
+};
+
+static inline void
+in_sa_mz_name_get(char *name, int size, uint16_t port)
+{
+	snprintf(name, size, "otx2_ipsec_in_sadb_%u", port);
+}
+
 int
 otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev)
 {
@@ -33,3 +58,100 @@ otx2_sec_eth_ctx_destroy(struct rte_eth_dev *eth_dev)
 {
 	rte_free(eth_dev->security_ctx);
 }
+
+static int
+sec_eth_ipsec_cfg(struct rte_eth_dev *eth_dev, uint8_t tt)
+{
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	struct nix_inline_ipsec_lf_cfg *req;
+	struct otx2_mbox *mbox = dev->mbox;
+	struct sec_eth_tag_const tag_const;
+	char name[RTE_MEMZONE_NAMESIZE];
+	const struct rte_memzone *mz;
+
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL)
+		return -EINVAL;
+
+	req = otx2_mbox_alloc_msg_nix_inline_ipsec_lf_cfg(mbox);
+	req->enable = 1;
+	req->sa_base_addr = mz->iova;
+
+	req->ipsec_cfg0.tt = tt;
+
+	tag_const.u32 = 0;
+	tag_const.event_type = RTE_EVENT_TYPE_ETHDEV;
+	tag_const.port = port;
+	req->ipsec_cfg0.tag_const = tag_const.u32;
+
+	req->ipsec_cfg0.sa_pow2_size =
+			rte_log2_u32(sizeof(struct otx2_ipsec_fp_in_sa));
+	req->ipsec_cfg0.lenm1_max = SEC_ETH_MAX_PKT_LEN - 1;
+
+	req->ipsec_cfg1.sa_idx_w = rte_log2_u32(dev->ipsec_in_max_spi);
+	req->ipsec_cfg1.sa_idx_max = dev->ipsec_in_max_spi - 1;
+
+	return otx2_mbox_process(mbox);
+}
+
+int
+otx2_sec_eth_init(struct rte_eth_dev *eth_dev)
+{
+	const size_t sa_width = sizeof(struct otx2_ipsec_fp_in_sa);
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	char name[RTE_MEMZONE_NAMESIZE];
+	const struct rte_memzone *mz;
+	int mz_sz, ret;
+	uint16_t nb_sa;
+
+	RTE_BUILD_BUG_ON(sa_width < 32 || sa_width > 512 ||
+			 !RTE_IS_POWER_OF_2(sa_width));
+
+	if (!(dev->tx_offloads & DEV_TX_OFFLOAD_SECURITY) &&
+	    !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
+		return 0;
+
+	nb_sa = dev->ipsec_in_max_spi;
+	mz_sz = nb_sa * sa_width;
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	mz = rte_memzone_reserve_aligned(name, mz_sz, rte_socket_id(),
+					 RTE_MEMZONE_IOVA_CONTIG, OTX2_ALIGN);
+
+	if (mz == NULL) {
+		otx2_err("Could not allocate inbound SA DB");
+		return -ENOMEM;
+	}
+
+	memset(mz->addr, 0, mz_sz);
+
+	ret = sec_eth_ipsec_cfg(eth_dev, SSO_TT_ORDERED);
+	if (ret < 0) {
+		otx2_err("Could not configure inline IPsec");
+		goto sec_fini;
+	}
+
+	return 0;
+
+sec_fini:
+	otx2_err("Could not configure device for security");
+	otx2_sec_eth_fini(eth_dev);
+	return ret;
+}
+
+void
+otx2_sec_eth_fini(struct rte_eth_dev *eth_dev)
+{
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	char name[RTE_MEMZONE_NAMESIZE];
+
+	if (!(dev->tx_offloads & DEV_TX_OFFLOAD_SECURITY) &&
+	    !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
+		return;
+
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	rte_memzone_free(rte_memzone_lookup(name));
+}
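Review bot: otx2_sec_eth_fini() frees the inbound SA memzone but never undoes what sec_eth_ipsec_cfg() programmed (req->enable = 1, req->sa_base_addr = mz->iova), so the SA base address stays configured after the memory behind it has been returned. Suggest sending the same nix_inline_ipsec_lf_cfg request with enable = 0 before rte_memzone_free(), and checking the lookup result instead of passing it straight through. In sec_eth_ipsec_cfg() the pointer returned by otx2_mbox_alloc_msg_nix_inline_ipsec_lf_cfg() is dereferenced without a NULL check. The init failure path also logs two errors for one failure ("Could not configure inline IPsec" and then "Could not configure device for security").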
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index 21b7da4..023061d 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -11,4 +11,8 @@ int otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev);
 
 void otx2_sec_eth_ctx_destroy(struct rte_eth_dev *eth_dev);
 
+int otx2_sec_eth_init(struct rte_eth_dev *eth_dev);
+
+void otx2_sec_eth_fini(struct rte_eth_dev *eth_dev);
+
 #endif /* __OTX2_SECURITY_H__ */
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index 3e19ac2..131e883 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -337,6 +337,10 @@ nix_cq_rq_init(struct rte_eth_dev *eth_dev, struct otx2_eth_dev *dev,
 	aq->op = NIX_AQ_INSTOP_INIT;
 
 	aq->rq.sso_ena = 0;
+
+	if (rxq->offloads & DEV_RX_OFFLOAD_SECURITY)
+		aq->rq.ipsech_ena = 1;
+
 	aq->rq.cq = qid; /* RQ to CQ 1:1 mapped */
 	aq->rq.spb_ena = 0;
 	aq->rq.lpb_aura = npa_lf_aura_handle_to_aura(mp->pool_id);
@@ -1610,6 +1614,8 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev)
 
 	/* Free the resources allocated from the previous configure */
 	if (dev->configured == 1) {
+		if (otx2_sec_idev_ops.fini != NULL)
+			otx2_sec_idev_ops.fini(eth_dev);
 		otx2_nix_rxchan_bpid_cfg(eth_dev, false);
 		otx2_nix_vlan_fini(eth_dev);
 		otx2_nix_mc_addr_list_uninstall(eth_dev);
@@ -1714,10 +1720,17 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev)
 		goto cq_fini;
 	}
 
+	/* Enable security */
+	if (otx2_sec_idev_ops.init != NULL) {
+		rc = otx2_sec_idev_ops.init(eth_dev);
+		if (rc)
+			goto cq_fini;
+	}
+
 	rc = otx2_nix_mc_addr_list_install(eth_dev);
 	if (rc < 0) {
 		otx2_err("Failed to install mc address list rc=%d", rc);
-		goto cq_fini;
+		goto sec_fini;
 	}
 
 	/*
@@ -1753,6 +1766,9 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev)
 
 uninstall_mc_list:
 	otx2_nix_mc_addr_list_uninstall(eth_dev);
+sec_fini:
+	if (otx2_sec_idev_ops.fini != NULL)
+		otx2_sec_idev_ops.fini(eth_dev);
 cq_fini:
 	oxt2_nix_unregister_cq_irqs(eth_dev);
 q_irq_fini:
@@ -2345,6 +2361,10 @@ otx2_eth_dev_uninit(struct rte_eth_dev *eth_dev, bool mbox_close)
 	if (rc)
 		otx2_err("Failed to cleanup npa lf, rc=%d", rc);
 
+	/* Disable security */
+	if (otx2_sec_idev_ops.fini != NULL)
+		otx2_sec_idev_ops.fini(eth_dev);
+
 	/* Destroy security ctx */
 	if (otx2_sec_idev_ops.ctx_destroy != NULL)
 		otx2_sec_idev_ops.ctx_destroy(eth_dev);
diff --git a/drivers/net/octeontx2/otx2_ethdev.h b/drivers/net/octeontx2/otx2_ethdev.h
index 987e760..41fef6e 100644
--- a/drivers/net/octeontx2/otx2_ethdev.h
+++ b/drivers/net/octeontx2/otx2_ethdev.h
@@ -324,6 +324,8 @@ struct otx2_eth_dev {
 	bool mc_tbl_set;
 	struct otx2_nix_mc_filter_tbl mc_fltr_tbl;
 	bool sdp_link; /* SDP flag */
+	/* Inline IPsec params */
+	uint16_t ipsec_in_max_spi;
 } __rte_cache_aligned;
 
 struct otx2_eth_txq {
diff --git a/drivers/net/octeontx2/otx2_ethdev_devargs.c b/drivers/net/octeontx2/otx2_ethdev_devargs.c
index 04da1ab..a3f7598 100644
--- a/drivers/net/octeontx2/otx2_ethdev_devargs.c
+++ b/drivers/net/octeontx2/otx2_ethdev_devargs.c
@@ -64,6 +64,19 @@ parse_reta_size(const char *key, const char *value, void *extra_args)
 }
 
 static int
+parse_ipsec_in_max_spi(const char *key, const char *value, void *extra_args)
+{
+	RTE_SET_USED(key);
+	uint32_t val;
+
+	val = atoi(value);
+
+	*(uint16_t *)extra_args = val;
+
+	return 0;
+}
+
+static int
 parse_flag(const char *key, const char *value, void *extra_args)
 {
 	RTE_SET_USED(key);
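Review bot: parse_ipsec_in_max_spi() takes atoi(value) and stores it into a uint16_t with no range check, so 0, negative numbers, non-numeric strings and values above 65535 are accepted or silently truncated, although the parameter string documents <1-65535>. A resulting 0 reaches otx2_sec_eth_init() as nb_sa = 0 (a zero-sized memzone request) and makes sec_eth_ipsec_cfg() compute sa_idx_max as ipsec_in_max_spi - 1. Suggest strtoul() with an end-pointer check and returning -EINVAL outside 1..65535. The declaration of val also follows the RTE_SET_USED(key) statement; move it above.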
@@ -104,6 +117,7 @@ parse_switch_header_type(const char *key, const char *value, void *extra_args)
 }
 
 #define OTX2_RSS_RETA_SIZE "reta_size"
+#define OTX2_IPSEC_IN_MAX_SPI "ipsec_in_max_spi"
 #define OTX2_SCL_ENABLE "scalar_enable"
 #define OTX2_MAX_SQB_COUNT "max_sqb_count"
 #define OTX2_FLOW_PREALLOC_SIZE "flow_prealloc_size"
@@ -118,6 +132,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 	uint16_t flow_prealloc_size = 8;
 	uint16_t switch_header_type = 0;
 	uint16_t flow_max_priority = 3;
+	uint16_t ipsec_in_max_spi = 1;
 	uint16_t scalar_enable = 0;
 	struct rte_kvargs *kvlist;
 
@@ -130,6 +145,8 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 
 	rte_kvargs_process(kvlist, OTX2_RSS_RETA_SIZE,
 			   &parse_reta_size, &rss_size);
+	rte_kvargs_process(kvlist, OTX2_IPSEC_IN_MAX_SPI,
+			   &parse_ipsec_in_max_spi, &ipsec_in_max_spi);
 	rte_kvargs_process(kvlist, OTX2_SCL_ENABLE,
 			   &parse_flag, &scalar_enable);
 	rte_kvargs_process(kvlist, OTX2_MAX_SQB_COUNT,
@@ -143,6 +160,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 	rte_kvargs_free(kvlist);
 
 null_devargs:
+	dev->ipsec_in_max_spi = ipsec_in_max_spi;
 	dev->scalar_ena = scalar_enable;
 	dev->max_sqb_count = sqb_count;
 	dev->rss_info.rss_size = rss_size;
@@ -157,6 +175,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 
 RTE_PMD_REGISTER_PARAM_STRING(net_octeontx2,
 			      OTX2_RSS_RETA_SIZE "=<64|128|256>"
+			      OTX2_IPSEC_IN_MAX_SPI "=<1-65535>"
 			      OTX2_SCL_ENABLE "=1"
 			      OTX2_MAX_SQB_COUNT "=<8-512>"
 			      OTX2_FLOW_PREALLOC_SIZE "=<1-32>"
-- 
2.7.4



* [dpdk-dev] [PATCH v2 06/15] crypto/octeontx2: add eth security capabilities
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
                     ` (4 preceding siblings ...)
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 05/15] crypto/octeontx2: add security in eth dev configure Anoob Joseph
@ 2020-01-18 10:49   ` Anoob Joseph
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 07/15] crypto/octeontx2: enable CPT to share QP with ethdev Anoob Joseph
                     ` (10 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:49 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

From: Ankur Dwivedi <adwivedi@marvell.com>

Adding security capabilities supported by the eth PMD.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/otx2_security.c | 84 ++++++++++++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.h | 18 +++++++
 2 files changed, 102 insertions(+)

diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index cdb7950..b8c8f91 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -2,11 +2,13 @@
  * Copyright (C) 2020 Marvell International Ltd.
  */
 
+#include <rte_cryptodev.h>
 #include <rte_ethdev.h>
 #include <rte_eventdev.h>
 #include <rte_malloc.h>
 #include <rte_memzone.h>
 #include <rte_security.h>
+#include <rte_security_driver.h>
 
 #include "otx2_ethdev.h"
 #include "otx2_ipsec_fp.h"
@@ -27,12 +29,93 @@ struct sec_eth_tag_const {
 	};
 };
 
+static struct rte_cryptodev_capabilities otx2_sec_eth_crypto_caps[] = {
+	{	/* AES GCM */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			{.aead = {
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.digest_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				},
+				.aad_size = {
+					.min = 8,
+					.max = 12,
+					.increment = 4
+				},
+				.iv_size = {
+					.min = 12,
+					.max = 12,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
+};
+
+static const struct rte_security_capability otx2_sec_eth_capabilities[] = {
+	{	/* IPsec Inline Protocol ESP Tunnel Ingress */
+		.action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+			.options = { 0 }
+		},
+		.crypto_capabilities = otx2_sec_eth_crypto_caps,
+		.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
+	},
+	{	/* IPsec Inline Protocol ESP Tunnel Egress */
+		.action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+			.options = { 0 }
+		},
+		.crypto_capabilities = otx2_sec_eth_crypto_caps,
+		.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
+	},
+	{
+		.action = RTE_SECURITY_ACTION_TYPE_NONE
+	}
+};
+
 static inline void
 in_sa_mz_name_get(char *name, int size, uint16_t port)
 {
 	snprintf(name, size, "otx2_ipsec_in_sadb_%u", port);
 }
 
+static unsigned int
+otx2_sec_eth_session_get_size(void *device __rte_unused)
+{
+	return sizeof(struct otx2_sec_session);
+}
+
+static const struct rte_security_capability *
+otx2_sec_eth_capabilities_get(void *device __rte_unused)
+{
+	return otx2_sec_eth_capabilities;
+}
+
+static struct rte_security_ops otx2_sec_eth_ops = {
+	.session_get_size	= otx2_sec_eth_session_get_size,
+	.capabilities_get	= otx2_sec_eth_capabilities_get
+};
+
 int
 otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev)
 {
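Review bot: the ingress entry of otx2_sec_eth_capabilities sets .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA, a Tx-side flag, on an SA whose direction is RTE_SECURITY_IPSEC_SA_DIR_INGRESS; it looks copied from the egress entry. Please confirm it is intended or clear it for ingress. otx2_sec_eth_crypto_caps is never modified and can be declared const like otx2_sec_eth_capabilities. The only crypto capability advertised is AES-GCM, so any other algorithm accepted at session creation should either appear in this table or be rejected.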
@@ -46,6 +129,7 @@ otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev)
 	/* Populate ctx */
 
 	ctx->device = eth_dev;
+	ctx->ops = &otx2_sec_eth_ops;
 	ctx->sess_cnt = 0;
 
 	eth_dev->security_ctx = ctx;
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index 023061d..a442f5c 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -7,6 +7,24 @@
 
 #include <rte_ethdev.h>
 
+#include "otx2_ipsec_fp.h"
+
+/*
+ * Security session for inline IPsec protocol offload. This is private data of
+ * inline capable PMD.
+ */
+struct otx2_sec_session_ipsec_ip {
+	int dummy;
+};
+
+struct otx2_sec_session_ipsec {
+	struct otx2_sec_session_ipsec_ip ip;
+};
+
+struct otx2_sec_session {
+	struct otx2_sec_session_ipsec ipsec;
+} __rte_cache_aligned;
+
 int otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev);
 
 void otx2_sec_eth_ctx_destroy(struct rte_eth_dev *eth_dev);
-- 
2.7.4



* [dpdk-dev] [PATCH v2 07/15] crypto/octeontx2: enable CPT to share QP with ethdev
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
                     ` (5 preceding siblings ...)
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 06/15] crypto/octeontx2: add eth security capabilities Anoob Joseph
@ 2020-01-18 10:49   ` Anoob Joseph
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 08/15] crypto/octeontx2: add eth security session operations Anoob Joseph
                     ` (9 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:49 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

Adding the infrastructure to save one opaque pointer in idev and
implement the consumer-producer in the PMDs which use it accordingly.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 .../crypto/octeontx2/otx2_cryptodev_hw_access.h    | 22 +----
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c      | 18 ++++
 drivers/crypto/octeontx2/otx2_cryptodev_qp.h       | 35 ++++++++
 drivers/crypto/octeontx2/otx2_security.c           | 98 ++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.h           | 20 +++++
 5 files changed, 172 insertions(+), 21 deletions(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_qp.h

diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h b/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h
index 6f78aa4..43db6a6 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h
@@ -15,6 +15,7 @@
 #include "cpt_mcode_defines.h"
 
 #include "otx2_dev.h"
+#include "otx2_cryptodev_qp.h"
 
 /* CPT instruction queue length */
 #define OTX2_CPT_IQ_LEN			8200
@@ -135,27 +136,6 @@ enum cpt_9x_comp_e {
 	CPT_9X_COMP_E_LAST_ENTRY = 0x06
 };
 
-struct otx2_cpt_qp {
-	uint32_t id;
-	/**< Queue pair id */
-	uintptr_t base;
-	/**< Base address where BAR is mapped */
-	void *lmtline;
-	/**< Address of LMTLINE */
-	rte_iova_t lf_nq_reg;
-	/**< LF enqueue register address */
-	struct pending_queue pend_q;
-	/**< Pending queue */
-	struct rte_mempool *sess_mp;
-	/**< Session mempool */
-	struct rte_mempool *sess_mp_priv;
-	/**< Session private data mempool */
-	struct cpt_qp_meta_info meta_info;
-	/**< Metabuf info required to support operations on the queue pair */
-	rte_iova_t iq_dma_addr;
-	/**< Instruction queue address */
-};
-
 void otx2_cpt_err_intr_unregister(const struct rte_cryptodev *dev);
 
 int otx2_cpt_err_intr_register(const struct rte_cryptodev *dev);
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index b45cb82..d275478 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -13,6 +13,7 @@
 #include "otx2_cryptodev_hw_access.h"
 #include "otx2_cryptodev_mbox.h"
 #include "otx2_cryptodev_ops.h"
+#include "otx2_security.h"
 #include "otx2_mbox.h"
 
 #include "cpt_hw_types.h"
@@ -148,6 +149,11 @@ otx2_cpt_qp_inline_cfg(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp)
 	if (ret)
 		return ret;
 
+	/* Publish inline Tx QP to eth dev security */
+	ret = otx2_sec_tx_cpt_qp_add(port_id, qp);
+	if (ret)
+		return ret;
+
 	return 0;
 }
 
@@ -242,6 +248,12 @@ otx2_cpt_qp_create(const struct rte_cryptodev *dev, uint16_t qp_id,
 
 	qp->lf_nq_reg = qp->base + OTX2_CPT_LF_NQ(0);
 
+	ret = otx2_sec_tx_cpt_qp_remove(qp);
+	if (ret && (ret != -ENOENT)) {
+		CPT_LOG_ERR("Could not delete inline configuration");
+		goto mempool_destroy;
+	}
+
 	otx2_cpt_iq_disable(qp);
 
 	ret = otx2_cpt_qp_inline_cfg(dev, qp);
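Review bot: otx2_cpt_qp_create() calls otx2_sec_tx_cpt_qp_remove(qp) on a queue pair that is still being set up, before otx2_cpt_qp_inline_cfg() has published it, so the only way the call can find a match is a stale table entry that happens to hold the same pointer value. If that is the case being handled, it needs a comment; otherwise the call can be dropped, since it walks every port's table under its spinlock for nothing. Please also confirm that the mempool_destroy error path removes the pointer published by otx2_sec_tx_cpt_qp_add() when a step after otx2_cpt_qp_inline_cfg() fails, so the table never keeps a pointer to a freed QP.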
@@ -275,6 +287,12 @@ otx2_cpt_qp_destroy(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp)
 	char name[RTE_MEMZONE_NAMESIZE];
 	int ret;
 
+	ret = otx2_sec_tx_cpt_qp_remove(qp);
+	if (ret && (ret != -ENOENT)) {
+		CPT_LOG_ERR("Could not delete inline configuration");
+		return ret;
+	}
+
 	otx2_cpt_iq_disable(qp);
 
 	otx2_cpt_metabuf_mempool_destroy(qp);
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_qp.h b/drivers/crypto/octeontx2/otx2_cryptodev_qp.h
new file mode 100644
index 0000000..9d48da4
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_qp.h
@@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2020 Marvell International Ltd.
+ */
+
+#ifndef _OTX2_CRYPTODEV_QP_H_
+#define _OTX2_CRYPTODEV_QP_H_
+
+#include <rte_common.h>
+#include <rte_mempool.h>
+#include <rte_spinlock.h>
+
+#include "cpt_common.h"
+
+struct otx2_cpt_qp {
+	uint32_t id;
+	/**< Queue pair id */
+	uintptr_t base;
+	/**< Base address where BAR is mapped */
+	void *lmtline;
+	/**< Address of LMTLINE */
+	rte_iova_t lf_nq_reg;
+	/**< LF enqueue register address */
+	struct pending_queue pend_q;
+	/**< Pending queue */
+	struct rte_mempool *sess_mp;
+	/**< Session mempool */
+	struct rte_mempool *sess_mp_priv;
+	/**< Session private data mempool */
+	struct cpt_qp_meta_info meta_info;
+	/**< Metabuf info required to support operations on the queue pair */
+	rte_iova_t iq_dma_addr;
+	/**< Instruction queue address */
+};
+
+#endif /* _OTX2_CRYPTODEV_QP_H_ */
diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index b8c8f91..0534154 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -10,6 +10,7 @@
 #include <rte_security.h>
 #include <rte_security_driver.h>
 
+#include "otx2_cryptodev_qp.h"
 #include "otx2_ethdev.h"
 #include "otx2_ipsec_fp.h"
 #include "otx2_security.h"
@@ -29,6 +30,8 @@ struct sec_eth_tag_const {
 	};
 };
 
+static struct otx2_sec_eth_cfg sec_cfg[OTX2_MAX_INLINE_PORTS];
+
 static struct rte_cryptodev_capabilities otx2_sec_eth_crypto_caps[] = {
 	{	/* AES GCM */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
@@ -116,16 +119,41 @@ static struct rte_security_ops otx2_sec_eth_ops = {
 	.capabilities_get	= otx2_sec_eth_capabilities_get
 };
 
+static int
+otx2_sec_eth_cfg_init(int port_id)
+{
+	struct otx2_sec_eth_cfg *cfg;
+	int i;
+
+	cfg = &sec_cfg[port_id];
+	cfg->tx_cpt_idx = 0;
+	rte_spinlock_init(&cfg->tx_cpt_lock);
+
+	for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+		cfg->tx_cpt[i].qp = NULL;
+		rte_atomic16_set(&cfg->tx_cpt[i].ref_cnt, 0);
+	}
+
+	return 0;
+}
+
 int
 otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev)
 {
 	struct rte_security_ctx *ctx;
+	int ret;
 
 	ctx = rte_malloc("otx2_sec_eth_ctx",
 			 sizeof(struct rte_security_ctx), 0);
 	if (ctx == NULL)
 		return -ENOMEM;
 
+	ret = otx2_sec_eth_cfg_init(eth_dev->data->port_id);
+	if (ret) {
+		rte_free(ctx);
+		return ret;
+	}
+
 	/* Populate ctx */
 
 	ctx->device = eth_dev;
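Review bot: otx2_sec_eth_cfg_init() indexes sec_cfg[port_id] with no bound check, while sec_cfg has only OTX2_MAX_INLINE_PORTS entries and the caller passes eth_dev->data->port_id unchanged. Suggest returning -EINVAL when port_id is negative or >= OTX2_MAX_INLINE_PORTS; as written the function can only return 0, so the new error handling in otx2_sec_eth_ctx_create() is dead code. The function also clears every tx_cpt slot and ref_cnt unconditionally, so a QP already published for this port through otx2_sec_tx_cpt_qp_add() is dropped when the context is created afterwards; the expected ordering should be documented or enforced.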
@@ -239,3 +267,73 @@ otx2_sec_eth_fini(struct rte_eth_dev *eth_dev)
 	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
 	rte_memzone_free(rte_memzone_lookup(name));
 }
+
+int
+otx2_sec_tx_cpt_qp_add(uint16_t port_id, struct otx2_cpt_qp *qp)
+{
+	struct otx2_sec_eth_cfg *cfg;
+	int i, ret;
+
+	if (qp == NULL || port_id > OTX2_MAX_INLINE_PORTS)
+		return -EINVAL;
+
+	cfg = &sec_cfg[port_id];
+
+	/* Find a free slot to save CPT LF */
+
+	rte_spinlock_lock(&cfg->tx_cpt_lock);
+
+	for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+		if (cfg->tx_cpt[i].qp == NULL) {
+			cfg->tx_cpt[i].qp = qp;
+			ret = 0;
+			goto unlock;
+		}
+	}
+
+	ret = -EINVAL;
+
+unlock:
+	rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	return ret;
+}
+
+int
+otx2_sec_tx_cpt_qp_remove(struct otx2_cpt_qp *qp)
+{
+	struct otx2_sec_eth_cfg *cfg;
+	uint16_t port_id;
+	int i, ret;
+
+	if (qp == NULL)
+		return -EINVAL;
+
+	for (port_id = 0; port_id < OTX2_MAX_INLINE_PORTS; port_id++) {
+		cfg = &sec_cfg[port_id];
+
+		rte_spinlock_lock(&cfg->tx_cpt_lock);
+
+		for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+			if (cfg->tx_cpt[i].qp != qp)
+				continue;
+
+			/* Don't free if the QP is in use by any sec session */
+			if (rte_atomic16_read(&cfg->tx_cpt[i].ref_cnt)) {
+				ret = -EBUSY;
+			} else {
+				cfg->tx_cpt[i].qp = NULL;
+				ret = 0;
+			}
+
+			goto unlock;
+		}
+
+		rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	}
+
+	return -ENOENT;
+
+unlock:
+	rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	return ret;
+}
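Review bot: the bound check in otx2_sec_tx_cpt_qp_add() is off by one: "port_id > OTX2_MAX_INLINE_PORTS" lets port_id == OTX2_MAX_INLINE_PORTS through, and sec_cfg[port_id] is then one element past the end of the array. It should be "port_id >= OTX2_MAX_INLINE_PORTS". When no free slot is found the function returns -EINVAL, the same code as for a bad argument; -ENOSPC would let the caller tell the two apart. In otx2_sec_tx_cpt_qp_remove() the -EBUSY result relies on ref_cnt, which nothing in this patch increments, so the session code that takes the reference must do so under tx_cpt_lock or the check can race with a removal.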
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index a442f5c..6086efa 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -5,10 +5,27 @@
 #ifndef __OTX2_SECURITY_H__
 #define __OTX2_SECURITY_H__
 
+#include <rte_atomic.h>
 #include <rte_ethdev.h>
+#include <rte_spinlock.h>
 
 #include "otx2_ipsec_fp.h"
 
+#define OTX2_MAX_CPT_QP_PER_PORT 64
+#define OTX2_MAX_INLINE_PORTS 64
+
+struct otx2_cpt_qp;
+
+struct otx2_sec_eth_cfg {
+	struct {
+		struct otx2_cpt_qp *qp;
+		rte_atomic16_t ref_cnt;
+	} tx_cpt[OTX2_MAX_CPT_QP_PER_PORT];
+
+	uint16_t tx_cpt_idx;
+	rte_spinlock_t tx_cpt_lock;
+};
+
 /*
  * Security session for inline IPsec protocol offload. This is private data of
  * inline capable PMD.
@@ -33,4 +50,7 @@ int otx2_sec_eth_init(struct rte_eth_dev *eth_dev);
 
 void otx2_sec_eth_fini(struct rte_eth_dev *eth_dev);
 
+int otx2_sec_tx_cpt_qp_add(uint16_t port_id, struct otx2_cpt_qp *qp);
+
+int otx2_sec_tx_cpt_qp_remove(struct otx2_cpt_qp *qp);
 #endif /* __OTX2_SECURITY_H__ */
-- 
2.7.4



* [dpdk-dev] [PATCH v2 08/15] crypto/octeontx2: add eth security session operations
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
                     ` (6 preceding siblings ...)
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 07/15] crypto/octeontx2: enable CPT to share QP with ethdev Anoob Joseph
@ 2020-01-18 10:49   ` Anoob Joseph
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 09/15] crypto/octeontx2: add datapath ops in eth security ctx Anoob Joseph
                     ` (8 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:49 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

Adding security session operations in eth security ctx.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/otx2_ipsec_fp.h | 293 ++++++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.c | 339 +++++++++++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.h |  23 ++-
 3 files changed, 654 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/octeontx2/otx2_ipsec_fp.h b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
index bf4181a..c100dc5 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_fp.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
@@ -5,6 +5,67 @@
 #ifndef __OTX2_IPSEC_FP_H__
 #define __OTX2_IPSEC_FP_H__
 
+#include <rte_crypto_sym.h>
+#include <rte_security.h>
+
+enum {
+	OTX2_IPSEC_FP_SA_DIRECTION_INBOUND = 0,
+	OTX2_IPSEC_FP_SA_DIRECTION_OUTBOUND = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_IP_VERSION_4 = 0,
+	OTX2_IPSEC_FP_SA_IP_VERSION_6 = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_MODE_TRANSPORT = 0,
+	OTX2_IPSEC_FP_SA_MODE_TUNNEL = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_PROTOCOL_AH = 0,
+	OTX2_IPSEC_FP_SA_PROTOCOL_ESP = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_AES_KEY_LEN_128 = 1,
+	OTX2_IPSEC_FP_SA_AES_KEY_LEN_192 = 2,
+	OTX2_IPSEC_FP_SA_AES_KEY_LEN_256 = 3,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_ENC_NULL = 0,
+	OTX2_IPSEC_FP_SA_ENC_DES_CBC = 1,
+	OTX2_IPSEC_FP_SA_ENC_3DES_CBC = 2,
+	OTX2_IPSEC_FP_SA_ENC_AES_CBC = 3,
+	OTX2_IPSEC_FP_SA_ENC_AES_CTR = 4,
+	OTX2_IPSEC_FP_SA_ENC_AES_GCM = 5,
+	OTX2_IPSEC_FP_SA_ENC_AES_CCM = 6,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_AUTH_NULL = 0,
+	OTX2_IPSEC_FP_SA_AUTH_MD5 = 1,
+	OTX2_IPSEC_FP_SA_AUTH_SHA1 = 2,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_224 = 3,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_256 = 4,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_384 = 5,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_512 = 6,
+	OTX2_IPSEC_FP_SA_AUTH_AES_GMAC = 7,
+	OTX2_IPSEC_FP_SA_AUTH_AES_XCBC_128 = 8,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_FRAG_POST = 0,
+	OTX2_IPSEC_FP_SA_FRAG_PRE = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_ENCAP_NONE = 0,
+	OTX2_IPSEC_FP_SA_ENCAP_UDP = 1,
+};
+
 struct otx2_ipsec_fp_sa_ctl {
 	rte_be32_t spi          : 32;
 	uint64_t exp_proto_inter_frag : 8;
@@ -24,6 +85,26 @@ struct otx2_ipsec_fp_sa_ctl {
 	uint64_t aes_key_len  : 2;
 };
 
+struct otx2_ipsec_fp_out_sa {
+	/* w0 */
+	struct otx2_ipsec_fp_sa_ctl ctl;
+
+	/* w1 */
+	uint8_t nonce[4];
+	uint16_t udp_src;
+	uint16_t udp_dst;
+
+	/* w2 */
+	uint32_t ip_src;
+	uint32_t ip_dst;
+
+	/* w3-w6 */
+	uint8_t cipher_key[32];
+
+	/* w7-w12 */
+	uint8_t hmac_key[48];
+};
+
 struct otx2_ipsec_fp_in_sa {
 	/* w0 */
 	struct otx2_ipsec_fp_sa_ctl ctl;
@@ -52,4 +133,216 @@ struct otx2_ipsec_fp_in_sa {
 	uint64_t reserved2;
 };
 
+static inline int
+ipsec_fp_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
+{
+	if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		switch (xform->cipher.key.length) {
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return -ENOTSUP;
+		}
+		return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_fp_xform_auth_verify(struct rte_crypto_sym_xform *xform)
+{
+	if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+		if (xform->auth.key.length == 64)
+			return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_fp_xform_aead_verify(struct rte_security_ipsec_xform *ipsec,
+			   struct rte_crypto_sym_xform *xform)
+{
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+	    xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
+		return -EINVAL;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+	    xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
+		return -EINVAL;
+
+	if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+		switch (xform->aead.key.length) {
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return -EINVAL;
+		}
+		return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_fp_xform_verify(struct rte_security_ipsec_xform *ipsec,
+		      struct rte_crypto_sym_xform *xform)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	int ret;
+
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+		return ipsec_fp_xform_aead_verify(ipsec, xform);
+
+	if (xform->next == NULL)
+		return -EINVAL;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		/* Ingress */
+		if (xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+		    xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+			return -EINVAL;
+		auth_xform = xform;
+		cipher_xform = xform->next;
+	} else {
+		/* Egress */
+		if (xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+		    xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+			return -EINVAL;
+		cipher_xform = xform;
+		auth_xform = xform->next;
+	}
+
+	ret = ipsec_fp_xform_cipher_verify(cipher_xform);
+	if (ret)
+		return ret;
+
+	ret = ipsec_fp_xform_auth_verify(auth_xform);
+	if (ret)
+		return ret;
+
+	return 0;
+}
+
+static inline int
+ipsec_fp_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
+		    struct rte_crypto_sym_xform *xform,
+		    struct otx2_ipsec_fp_sa_ctl *ctl)
+{
+	struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
+	int aes_key_len;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		ctl->direction = OTX2_IPSEC_FP_SA_DIRECTION_OUTBOUND;
+		cipher_xform = xform;
+		auth_xform = xform->next;
+	} else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		ctl->direction = OTX2_IPSEC_FP_SA_DIRECTION_INBOUND;
+		auth_xform = xform;
+		cipher_xform = xform->next;
+	} else {
+		return -EINVAL;
+	}
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+			ctl->outer_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_4;
+		else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
+			ctl->outer_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_6;
+		else
+			return -EINVAL;
+	}
+
+	ctl->inner_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_4;
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
+		ctl->ipsec_mode = OTX2_IPSEC_FP_SA_MODE_TRANSPORT;
+	else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+		ctl->ipsec_mode = OTX2_IPSEC_FP_SA_MODE_TUNNEL;
+	else
+		return -EINVAL;
+
+	if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
+		ctl->ipsec_proto = OTX2_IPSEC_FP_SA_PROTOCOL_AH;
+	else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
+		ctl->ipsec_proto = OTX2_IPSEC_FP_SA_PROTOCOL_ESP;
+	else
+		return -EINVAL;
+
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+			ctl->enc_type = OTX2_IPSEC_FP_SA_ENC_AES_GCM;
+			aes_key_len = xform->aead.key.length;
+		} else {
+			return -ENOTSUP;
+		}
+	} else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		ctl->enc_type = OTX2_IPSEC_FP_SA_ENC_AES_CCM;
+		aes_key_len = xform->cipher.key.length;
+	} else {
+		return -ENOTSUP;
+	}
+
+	switch (aes_key_len) {
+	case 16:
+		ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_128;
+		break;
+	case 24:
+		ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_192;
+		break;
+	case 32:
+		ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_256;
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	if (xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
+		switch (auth_xform->auth.algo) {
+		case RTE_CRYPTO_AUTH_NULL:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_NULL;
+			break;
+		case RTE_CRYPTO_AUTH_MD5_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_MD5;
+			break;
+		case RTE_CRYPTO_AUTH_SHA1_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA1;
+			break;
+		case RTE_CRYPTO_AUTH_SHA224_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_224;
+			break;
+		case RTE_CRYPTO_AUTH_SHA256_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_256;
+			break;
+		case RTE_CRYPTO_AUTH_SHA384_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_384;
+			break;
+		case RTE_CRYPTO_AUTH_SHA512_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_512;
+			break;
+		case RTE_CRYPTO_AUTH_AES_GMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_AES_GMAC;
+			break;
+		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_AES_XCBC_128;
+			break;
+		default:
+			return -ENOTSUP;
+		}
+	}
+
+	if (ipsec->options.esn == 1)
+		ctl->esn_en = 1;
+
+	ctl->spi = rte_cpu_to_be_32(ipsec->spi);
+	ctl->valid = 1;
+
+	return 0;
+}
+
 #endif /* __OTX2_IPSEC_FP_H__ */
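Review bot: In ipsec_fp_sa_ctl_set() the AES-CBC branch sets `ctl->enc_type = OTX2_IPSEC_FP_SA_ENC_AES_CCM` and reads the key length from `xform->cipher.key.length` rather than from `cipher_xform`. For an ingress SA the chain is auth then cipher, so `xform` is the auth transform there and the length is read through the wrong union member; use `cipher_xform->cipher.key.length`, and confirm that CCM is really the intended enc_type for a CBC transform. Separately, ipsec_fp_xform_auth_verify() accepts only SHA1-HMAC with a 64-byte key, while the auth switch here maps NULL, MD5, SHA2, GMAC and XCBC, so those cases cannot be reached through ipsec_fp_xform_verify(); either drop them or widen the verify routine. `inner_ip_ver` is fixed to IPv4 with no check, which deserves a comment or an explicit rejection of other inner versions.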
diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index 0534154..b4f5c5c 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -96,12 +96,349 @@ static const struct rte_security_capability otx2_sec_eth_capabilities[] = {
 	}
 };
 
+static int
+otx2_sec_eth_tx_cpt_qp_get(uint16_t port_id, struct otx2_cpt_qp **qp)
+{
+	struct otx2_sec_eth_cfg *cfg;
+	uint16_t index;
+	int i, ret;
+
+	if (port_id > OTX2_MAX_INLINE_PORTS || qp == NULL)
+		return -EINVAL;
+
+	cfg = &sec_cfg[port_id];
+
+	rte_spinlock_lock(&cfg->tx_cpt_lock);
+
+	index = cfg->tx_cpt_idx;
+
+	/* Get the next index with valid data */
+	for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+		if (cfg->tx_cpt[index].qp != NULL)
+			break;
+		index = (index + 1) % OTX2_MAX_CPT_QP_PER_PORT;
+	}
+
+	if (i >= OTX2_MAX_CPT_QP_PER_PORT) {
+		ret = -EINVAL;
+		goto unlock;
+	}
+
+	*qp = cfg->tx_cpt[index].qp;
+	rte_atomic16_inc(&cfg->tx_cpt[index].ref_cnt);
+
+	cfg->tx_cpt_idx = (index + 1) % OTX2_MAX_CPT_QP_PER_PORT;
+
+	ret = 0;
+
+unlock:
+	rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	return ret;
+}
+
+static int
+otx2_sec_eth_tx_cpt_put(struct otx2_cpt_qp *qp)
+{
+	struct otx2_sec_eth_cfg *cfg;
+	uint16_t port_id;
+	int i;
+
+	if (qp == NULL)
+		return -EINVAL;
+
+	for (port_id = 0; port_id < OTX2_MAX_INLINE_PORTS; port_id++) {
+		cfg = &sec_cfg[port_id];
+		for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+			if (cfg->tx_cpt[i].qp == qp) {
+				rte_atomic16_dec(&cfg->tx_cpt[i].ref_cnt);
+				return 0;
+			}
+		}
+	}
+
+	return -EINVAL;
+}
+
 static inline void
 in_sa_mz_name_get(char *name, int size, uint16_t port)
 {
 	snprintf(name, size, "otx2_ipsec_in_sadb_%u", port);
 }
 
+static struct otx2_ipsec_fp_in_sa *
+in_sa_get(uint16_t port, int sa_index)
+{
+	char name[RTE_MEMZONE_NAMESIZE];
+	struct otx2_ipsec_fp_in_sa *sa;
+	const struct rte_memzone *mz;
+
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL) {
+		otx2_err("Could not get the memzone reserved for IN SA DB");
+		return NULL;
+	}
+
+	sa = mz->addr;
+
+	return sa + sa_index;
+}
+
+static int
+sec_eth_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
+			      struct rte_security_ipsec_xform *ipsec,
+			      struct rte_crypto_sym_xform *crypto_xform,
+			      struct rte_security_session *sec_sess)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	struct otx2_sec_session_ipsec_ip *sess;
+	uint16_t port = eth_dev->data->port_id;
+	int cipher_key_len, auth_key_len, ret;
+	const uint8_t *cipher_key, *auth_key;
+	struct otx2_ipsec_fp_sa_ctl *ctl;
+	struct otx2_ipsec_fp_out_sa *sa;
+	struct otx2_sec_session *priv;
+	struct otx2_cpt_qp *qp;
+
+	priv = get_sec_session_private_data(sec_sess);
+	sess = &priv->ipsec.ip;
+
+	sa = &sess->out_sa;
+	ctl = &sa->ctl;
+	if (ctl->valid) {
+		otx2_err("SA already registered");
+		return -EINVAL;
+	}
+
+	memset(sess, 0, sizeof(struct otx2_sec_session_ipsec_ip));
+
+	memcpy(sa->nonce, &ipsec->salt, 4);
+
+	if (ipsec->options.udp_encap == 1) {
+		sa->udp_src = 4500;
+		sa->udp_dst = 4500;
+	}
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+			memcpy(&sa->ip_src, &ipsec->tunnel.ipv4.src_ip,
+			       sizeof(struct in_addr));
+			memcpy(&sa->ip_dst, &ipsec->tunnel.ipv4.dst_ip,
+			       sizeof(struct in_addr));
+		} else {
+			return -EINVAL;
+		}
+	} else {
+		return -EINVAL;
+	}
+
+	cipher_xform = crypto_xform;
+	auth_xform = crypto_xform->next;
+
+	cipher_key_len = 0;
+	auth_key_len = 0;
+
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		cipher_key = crypto_xform->aead.key.data;
+		cipher_key_len = crypto_xform->aead.key.length;
+	} else {
+		cipher_key = cipher_xform->cipher.key.data;
+		cipher_key_len = cipher_xform->cipher.key.length;
+		auth_key = auth_xform->auth.key.data;
+		auth_key_len = auth_xform->auth.key.length;
+	}
+
+	if (cipher_key_len != 0)
+		memcpy(sa->cipher_key, cipher_key, cipher_key_len);
+	else
+		return -EINVAL;
+
+	/* Use OPAD & IPAD */
+	RTE_SET_USED(auth_key);
+	RTE_SET_USED(auth_key_len);
+
+	/* Get CPT QP to be used for this SA */
+	ret = otx2_sec_eth_tx_cpt_qp_get(port, &qp);
+	if (ret)
+		return ret;
+
+	sess->qp = qp;
+
+	sess->cpt_lmtline = qp->lmtline;
+	sess->cpt_nq_reg = qp->lf_nq_reg;
+
+	/* Populate control word */
+	ret = ipsec_fp_sa_ctl_set(ipsec, crypto_xform, ctl);
+	if (ret)
+		goto cpt_put;
+
+	return 0;
+cpt_put:
+	otx2_sec_eth_tx_cpt_put(sess->qp);
+	return ret;
+}
+
+static int
+sec_eth_ipsec_in_sess_create(struct rte_eth_dev *eth_dev,
+			     struct rte_security_ipsec_xform *ipsec,
+			     struct rte_crypto_sym_xform *crypto_xform,
+			     struct rte_security_session *sec_sess)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	struct otx2_sec_session_ipsec_ip *sess;
+	uint16_t port = eth_dev->data->port_id;
+	const uint8_t *cipher_key, *auth_key;
+	int cipher_key_len, auth_key_len;
+	struct otx2_ipsec_fp_sa_ctl *ctl;
+	struct otx2_ipsec_fp_in_sa *sa;
+	struct otx2_sec_session *priv;
+
+	if (ipsec->spi >= dev->ipsec_in_max_spi) {
+		otx2_err("SPI exceeds max supported");
+		return -EINVAL;
+	}
+
+	sa = in_sa_get(port, ipsec->spi);
+	ctl = &sa->ctl;
+
+	priv = get_sec_session_private_data(sec_sess);
+	sess = &priv->ipsec.ip;
+
+	if (ctl->valid) {
+		otx2_err("SA already registered");
+		return -EINVAL;
+	}
+
+	memset(sa, 0, sizeof(struct otx2_ipsec_fp_in_sa));
+
+	auth_xform = crypto_xform;
+	cipher_xform = crypto_xform->next;
+
+	cipher_key_len = 0;
+	auth_key_len = 0;
+
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
+			memcpy(sa->nonce, &ipsec->salt, 4);
+		cipher_key = crypto_xform->aead.key.data;
+		cipher_key_len = crypto_xform->aead.key.length;
+	} else {
+		cipher_key = cipher_xform->cipher.key.data;
+		cipher_key_len = cipher_xform->cipher.key.length;
+		auth_key = auth_xform->auth.key.data;
+		auth_key_len = auth_xform->auth.key.length;
+	}
+
+	if (cipher_key_len != 0)
+		memcpy(sa->cipher_key, cipher_key, cipher_key_len);
+	else
+		return -EINVAL;
+
+	/* Use OPAD & IPAD */
+	RTE_SET_USED(auth_key);
+	RTE_SET_USED(auth_key_len);
+
+	sess->in_sa = sa;
+
+	sa->userdata = priv->userdata;
+
+	return ipsec_fp_sa_ctl_set(ipsec, crypto_xform, ctl);
+}
+
+static int
+sec_eth_ipsec_sess_create(struct rte_eth_dev *eth_dev,
+			  struct rte_security_ipsec_xform *ipsec,
+			  struct rte_crypto_sym_xform *crypto_xform,
+			  struct rte_security_session *sess)
+{
+	int ret;
+
+	ret = ipsec_fp_xform_verify(ipsec, crypto_xform);
+	if (ret)
+		return ret;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+		return sec_eth_ipsec_in_sess_create(eth_dev, ipsec,
+						    crypto_xform, sess);
+	else
+		return sec_eth_ipsec_out_sess_create(eth_dev, ipsec,
+						     crypto_xform, sess);
+}
+
+static int
+otx2_sec_eth_session_create(void *device,
+			    struct rte_security_session_conf *conf,
+			    struct rte_security_session *sess,
+			    struct rte_mempool *mempool)
+{
+	struct otx2_sec_session *priv;
+	int ret;
+
+	if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
+		return -ENOTSUP;
+
+	if (rte_mempool_get(mempool, (void **)&priv)) {
+		otx2_err("Could not allocate security session private data");
+		return -ENOMEM;
+	}
+
+	set_sec_session_private_data(sess, priv);
+
+	/*
+	 * Save userdata provided by the application. For ingress packets, this
+	 * could be used to identify the SA.
+	 */
+	priv->userdata = conf->userdata;
+
+	if (conf->protocol == RTE_SECURITY_PROTOCOL_IPSEC)
+		ret = sec_eth_ipsec_sess_create(device, &conf->ipsec,
+						conf->crypto_xform,
+						sess);
+	else
+		ret = -ENOTSUP;
+
+	if (ret)
+		goto mempool_put;
+
+	return 0;
+
+mempool_put:
+	rte_mempool_put(mempool, priv);
+	set_sec_session_private_data(sess, NULL);
+	return ret;
+}
+
+static int
+otx2_sec_eth_session_destroy(void *device __rte_unused,
+			     struct rte_security_session *sess)
+{
+	struct otx2_sec_session_ipsec_ip *sess_ip;
+	struct otx2_sec_session *priv;
+	struct rte_mempool *sess_mp;
+	int ret;
+
+	priv = get_sec_session_private_data(sess);
+	if (priv == NULL)
+		return -EINVAL;
+
+	sess_ip = &priv->ipsec.ip;
+
+	/* Release CPT LF used for this session */
+	if (sess_ip->qp != NULL) {
+		ret = otx2_sec_eth_tx_cpt_put(sess_ip->qp);
+		if (ret)
+			return ret;
+	}
+
+	sess_mp = rte_mempool_from_obj(priv);
+
+	set_sec_session_private_data(sess, NULL);
+	rte_mempool_put(sess_mp, priv);
+
+	return 0;
+}
+
 static unsigned int
 otx2_sec_eth_session_get_size(void *device __rte_unused)
 {
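Review bot: The bounds check in otx2_sec_eth_tx_cpt_qp_get(), `if (port_id > OTX2_MAX_INLINE_PORTS || qp == NULL)`, lets port_id == OTX2_MAX_INLINE_PORTS through, while otx2_sec_eth_tx_cpt_put() iterates with `port_id < OTX2_MAX_INLINE_PORTS`; if sec_cfg[] has OTX2_MAX_INLINE_PORTS entries this indexes one past the end, so the test should be `>=`. In sec_eth_ipsec_in_sess_create() the result of in_sa_get() is dereferenced (`ctl = &sa->ctl`, then `ctl->valid`) although in_sa_get() returns NULL when the memzone lookup fails; add a NULL check. The inbound path never initialises sess->qp, yet otx2_sec_eth_session_destroy() tests `sess_ip->qp != NULL` on memory that came straight from rte_mempool_get(), and the outbound path reads `ctl->valid` from that same uninitialised private data before the memset. Destroy also leaves the inbound SA's `ctl->valid` set, so sec_eth_ipsec_in_sess_create() will reject the same SPI afterwards with "SA already registered".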
@@ -115,6 +452,8 @@ otx2_sec_eth_capabilities_get(void *device __rte_unused)
 }
 
 static struct rte_security_ops otx2_sec_eth_ops = {
+	.session_create		= otx2_sec_eth_session_create,
+	.session_destroy	= otx2_sec_eth_session_destroy,
 	.session_get_size	= otx2_sec_eth_session_get_size,
 	.capabilities_get	= otx2_sec_eth_capabilities_get
 };
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index 6086efa..b1a401b 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -31,7 +31,26 @@ struct otx2_sec_eth_cfg {
  * inline capable PMD.
  */
 struct otx2_sec_session_ipsec_ip {
-	int dummy;
+	RTE_STD_C11
+	union {
+		/*
+		 * Inbound SA would accessed by crypto block. And so the memory
+		 * is allocated differently and shared with the h/w. Only
+		 * holding a pointer to this memory in the session private
+		 * space.
+		 */
+		void *in_sa;
+		/* Outbound SA */
+		struct otx2_ipsec_fp_out_sa out_sa;
+	};
+
+	/* Address of CPT LMTLINE */
+	void *cpt_lmtline;
+	/* CPT LF enqueue register address */
+	rte_iova_t cpt_nq_reg;
+
+	/* CPT QP used by SA */
+	struct otx2_cpt_qp *qp;
 };
 
 struct otx2_sec_session_ipsec {
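Review bot: `void *in_sa` in the union of otx2_sec_session_ipsec_ip could be declared as `struct otx2_ipsec_fp_in_sa *`, since that is the type assigned to it in sec_eth_ipsec_in_sess_create(), which would keep type checking on users of the field. Nothing in the struct records which union member is live, so code that only has the session (the destroy op, for instance) cannot tell an inbound session from an outbound one; a direction field would make that explicit. The comment above the field should read "Inbound SA would be accessed by crypto block".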
@@ -40,6 +59,8 @@ struct otx2_sec_session_ipsec {
 
 struct otx2_sec_session {
 	struct otx2_sec_session_ipsec ipsec;
+	void *userdata;
+	/**< Userdata registered by the application */
 } __rte_cache_aligned;
 
 int otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev);
-- 
2.7.4



* [dpdk-dev] [PATCH v2 09/15] crypto/octeontx2: add datapath ops in eth security ctx
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
                     ` (7 preceding siblings ...)
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 08/15] crypto/octeontx2: add eth security session operations Anoob Joseph
@ 2020-01-18 10:49   ` Anoob Joseph
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 10/15] crypto/octeontx2: add lookup mem changes to hold sa indices Anoob Joseph
                     ` (7 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:49 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

From: Ankur Dwivedi <adwivedi@marvell.com>

Adding data path ops in eth security ctx.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/otx2_security.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index b4f5c5c..5606851 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -445,6 +445,27 @@ otx2_sec_eth_session_get_size(void *device __rte_unused)
 	return sizeof(struct otx2_sec_session);
 }
 
+static int
+otx2_sec_eth_set_pkt_mdata(void *device __rte_unused,
+			    struct rte_security_session *session,
+			    struct rte_mbuf *m, void *params __rte_unused)
+{
+	/* Set security session as the pkt metadata */
+	m->udata64 = (uint64_t)session;
+
+	return 0;
+}
+
+static int
+otx2_sec_eth_get_userdata(void *device __rte_unused, uint64_t md,
+			   void **userdata)
+{
+	/* Retrieve userdata  */
+	*userdata = (void *)md;
+
+	return 0;
+}
+
 static const struct rte_security_capability *
 otx2_sec_eth_capabilities_get(void *device __rte_unused)
 {
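Review bot: Both casts go directly between a pointer and uint64_t, `m->udata64 = (uint64_t)session;` in otx2_sec_eth_set_pkt_mdata() and `*userdata = (void *)md;` in otx2_sec_eth_get_userdata(); casting through uintptr_t avoids pointer-size warnings on 32-bit builds. Neither function checks its pointer arguments, and a short comment saying what `md` is expected to hold on the Rx side would explain why get_userdata returns it unchanged.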
@@ -455,6 +476,8 @@ static struct rte_security_ops otx2_sec_eth_ops = {
 	.session_create		= otx2_sec_eth_session_create,
 	.session_destroy	= otx2_sec_eth_session_destroy,
 	.session_get_size	= otx2_sec_eth_session_get_size,
+	.set_pkt_metadata	= otx2_sec_eth_set_pkt_mdata,
+	.get_userdata		= otx2_sec_eth_get_userdata,
 	.capabilities_get	= otx2_sec_eth_capabilities_get
 };
 
-- 
2.7.4



* [dpdk-dev] [PATCH v2 10/15] crypto/octeontx2: add lookup mem changes to hold sa indices
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
                     ` (8 preceding siblings ...)
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 09/15] crypto/octeontx2: add datapath ops in eth security ctx Anoob Joseph
@ 2020-01-18 10:49   ` Anoob Joseph
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 11/15] net/octeontx2: add inline ipsec rx path changes Anoob Joseph
                     ` (6 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:49 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Archana Muniganti, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dev

From: Archana Muniganti <marchana@marvell.com>

lookup_mem provides fast accessing of data path fields.
Storing sa indices in lookup_mem which are required in
inline rx data path.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/common/octeontx2/otx2_common.h   |  4 +++
 drivers/crypto/octeontx2/otx2_security.c | 59 ++++++++++++++++++++++++++++++++
 drivers/net/octeontx2/otx2_lookup.c      | 11 ++++--
 3 files changed, 72 insertions(+), 2 deletions(-)

diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h
index fbe7335..88b4b63 100644
--- a/drivers/common/octeontx2/otx2_common.h
+++ b/drivers/common/octeontx2/otx2_common.h
@@ -170,4 +170,8 @@ extern int otx2_logtype_dpi;
 #include "otx2_io_generic.h"
 #endif
 
+/* Fastpath lookup */
+#define OTX2_NIX_FASTPATH_LOOKUP_MEM	"otx2_nix_fastpath_lookup_mem"
+#define OTX2_NIX_SA_TBL_START		(4096*4 + 69632*2)
+
 #endif /* _OTX2_COMMON_H_ */
diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index 5606851..ab488a0 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -10,6 +10,7 @@
 #include <rte_security.h>
 #include <rte_security_driver.h>
 
+#include "otx2_common.h"
 #include "otx2_cryptodev_qp.h"
 #include "otx2_ethdev.h"
 #include "otx2_ipsec_fp.h"
@@ -96,6 +97,59 @@ static const struct rte_security_capability otx2_sec_eth_capabilities[] = {
 	}
 };
 
+static void
+lookup_mem_sa_tbl_clear(struct rte_eth_dev *eth_dev)
+{
+	static const char name[] = OTX2_NIX_FASTPATH_LOOKUP_MEM;
+	uint16_t port = eth_dev->data->port_id;
+	const struct rte_memzone *mz;
+	uint64_t **sa_tbl;
+	uint8_t *mem;
+
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL)
+		return;
+
+	mem = mz->addr;
+
+	sa_tbl  = (uint64_t **)RTE_PTR_ADD(mem, OTX2_NIX_SA_TBL_START);
+	if (sa_tbl[port] == NULL)
+		return;
+
+	rte_free(sa_tbl[port]);
+	sa_tbl[port] = NULL;
+}
+
+static int
+lookup_mem_sa_index_update(struct rte_eth_dev *eth_dev, int spi, void *sa)
+{
+	static const char name[] = OTX2_NIX_FASTPATH_LOOKUP_MEM;
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	const struct rte_memzone *mz;
+	uint64_t **sa_tbl;
+	uint8_t *mem;
+
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL) {
+		otx2_err("Could not find fastpath lookup table");
+		return -EINVAL;
+	}
+
+	mem = mz->addr;
+
+	sa_tbl = (uint64_t **)RTE_PTR_ADD(mem, OTX2_NIX_SA_TBL_START);
+
+	if (sa_tbl[port] == NULL) {
+		sa_tbl[port] = rte_malloc(NULL, dev->ipsec_in_max_spi *
+					  sizeof(uint64_t), 0);
+	}
+
+	sa_tbl[port][spi] = (uint64_t)sa;
+
+	return 0;
+}
+
 static int
 otx2_sec_eth_tx_cpt_qp_get(uint16_t port_id, struct otx2_cpt_qp **qp)
 {
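Review bot: In lookup_mem_sa_index_update() the rte_malloc() result is used without a NULL check, so an allocation failure turns `sa_tbl[port][spi] = (uint64_t)sa;` into a write through a NULL pointer; return -ENOMEM instead. The table is not zeroed either, so entries for SPIs that were never registered hold whatever the allocator returned; rte_zmalloc() would make unused entries read as NULL. `spi` is an int and is not range-checked against dev->ipsec_in_max_spi inside this function, and only a whole-table clear is provided, so there is no way to drop a single entry when an SA goes away.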
@@ -343,6 +397,9 @@ sec_eth_ipsec_in_sess_create(struct rte_eth_dev *eth_dev,
 
 	sa->userdata = priv->userdata;
 
+	if (lookup_mem_sa_index_update(eth_dev, ipsec->spi, sa))
+		return -EINVAL;
+
 	return ipsec_fp_sa_ctl_set(ipsec, crypto_xform, ctl);
 }
 
@@ -626,6 +683,8 @@ otx2_sec_eth_fini(struct rte_eth_dev *eth_dev)
 	    !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
 		return;
 
+	lookup_mem_sa_tbl_clear(eth_dev);
+
 	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
 	rte_memzone_free(rte_memzone_lookup(name));
 }
diff --git a/drivers/net/octeontx2/otx2_lookup.c b/drivers/net/octeontx2/otx2_lookup.c
index bcf2ff4..d1cf3c3 100644
--- a/drivers/net/octeontx2/otx2_lookup.c
+++ b/drivers/net/octeontx2/otx2_lookup.c
@@ -5,6 +5,7 @@
 #include <rte_common.h>
 #include <rte_memzone.h>
 
+#include "otx2_common.h"
 #include "otx2_ethdev.h"
 
 /* NIX_RX_PARSE_S's ERRCODE + ERRLEV (12 bits) */
@@ -12,7 +13,9 @@
 #define ERR_ARRAY_SZ			((BIT(ERRCODE_ERRLEN_WIDTH)) *\
 					sizeof(uint32_t))
 
-#define LOOKUP_ARRAY_SZ			(PTYPE_ARRAY_SZ + ERR_ARRAY_SZ)
+#define SA_TBL_SZ			(RTE_MAX_ETHPORTS * sizeof(uint64_t))
+#define LOOKUP_ARRAY_SZ			(PTYPE_ARRAY_SZ + ERR_ARRAY_SZ +\
+					SA_TBL_SZ)
 
 const uint32_t *
 otx2_nix_supported_ptypes_get(struct rte_eth_dev *eth_dev)
@@ -314,10 +317,14 @@ nix_create_rx_ol_flags_array(void *mem)
 void *
 otx2_nix_fastpath_lookup_mem_get(void)
 {
-	const char name[] = "otx2_nix_fastpath_lookup_mem";
+	const char name[] = OTX2_NIX_FASTPATH_LOOKUP_MEM;
 	const struct rte_memzone *mz;
 	void *mem;
 
+	/* SA_TBL starts after PTYPE_ARRAY & ERR_ARRAY */
+	RTE_BUILD_BUG_ON(OTX2_NIX_SA_TBL_START != (PTYPE_ARRAY_SZ +
+						   ERR_ARRAY_SZ));
+
 	mz = rte_memzone_lookup(name);
 	if (mz != NULL)
 		return mz->addr;
-- 
2.7.4



* [dpdk-dev] [PATCH v2 11/15] net/octeontx2: add inline ipsec rx path changes
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
                     ` (9 preceding siblings ...)
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 10/15] crypto/octeontx2: add lookup mem changes to hold sa indices Anoob Joseph
@ 2020-01-18 10:49   ` Anoob Joseph
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 12/15] drivers/octeontx2: add sec in compiler optimized RX fastpath framework Anoob Joseph
                     ` (5 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:49 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Tejasree Kondoj, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Vamsi Attunuru, Lukasz Bartosik, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

Adding post-processing required for inline IPsec inbound packets.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/Makefile        |  1 +
 drivers/crypto/octeontx2/otx2_security.h | 19 +++++++++
 drivers/event/octeontx2/Makefile         |  1 +
 drivers/event/octeontx2/meson.build      |  2 +
 drivers/net/octeontx2/Makefile           |  1 +
 drivers/net/octeontx2/meson.build        |  3 ++
 drivers/net/octeontx2/otx2_rx.h          | 73 ++++++++++++++++++++++++++++++++
 7 files changed, 100 insertions(+)

diff --git a/drivers/crypto/octeontx2/Makefile b/drivers/crypto/octeontx2/Makefile
index 5966ddc..62b630e 100644
--- a/drivers/crypto/octeontx2/Makefile
+++ b/drivers/crypto/octeontx2/Makefile
@@ -20,6 +20,7 @@ VPATH += $(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -O3
 CFLAGS += -I$(RTE_SDK)/drivers/common/cpt
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
 CFLAGS += -DALLOW_EXPERIMENTAL_API
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index b1a401b..6ec321d 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -26,6 +26,25 @@ struct otx2_sec_eth_cfg {
 	rte_spinlock_t tx_cpt_lock;
 };
 
+#define OTX2_SEC_CPT_COMP_GOOD	0x1
+#define OTX2_SEC_UC_COMP_GOOD	0x0
+#define OTX2_SEC_COMP_GOOD	(OTX2_SEC_UC_COMP_GOOD << 8 | \
+				 OTX2_SEC_CPT_COMP_GOOD)
+
+/* CPT Result */
+struct otx2_cpt_res {
+	union {
+		struct {
+			uint64_t compcode:8;
+			uint64_t uc_compcode:8;
+			uint64_t doneint:1;
+			uint64_t reserved_17_63:47;
+			uint64_t reserved_64_127;
+		};
+		uint16_t u16[8];
+	};
+};
+
 /*
  * Security session for inline IPsec protocol offload. This is private data of
  * inline capable PMD.
diff --git a/drivers/event/octeontx2/Makefile b/drivers/event/octeontx2/Makefile
index 6dab69c..bcd22ee 100644
--- a/drivers/event/octeontx2/Makefile
+++ b/drivers/event/octeontx2/Makefile
@@ -11,6 +11,7 @@ LIB = librte_pmd_octeontx2_event.a
 
 CFLAGS += $(WERROR_FLAGS)
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/event/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
diff --git a/drivers/event/octeontx2/meson.build b/drivers/event/octeontx2/meson.build
index 807818b..56febb8 100644
--- a/drivers/event/octeontx2/meson.build
+++ b/drivers/event/octeontx2/meson.build
@@ -32,3 +32,5 @@ foreach flag: extra_flags
 endforeach
 
 deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2', 'pmd_octeontx2']
+
+includes += include_directories('../../crypto/octeontx2')
diff --git a/drivers/net/octeontx2/Makefile b/drivers/net/octeontx2/Makefile
index 68f5765..d31ce0a 100644
--- a/drivers/net/octeontx2/Makefile
+++ b/drivers/net/octeontx2/Makefile
@@ -11,6 +11,7 @@ LIB = librte_pmd_octeontx2.a
 
 CFLAGS += $(WERROR_FLAGS)
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
 CFLAGS += -O3
diff --git a/drivers/net/octeontx2/meson.build b/drivers/net/octeontx2/meson.build
index fad3076..4a06eb2 100644
--- a/drivers/net/octeontx2/meson.build
+++ b/drivers/net/octeontx2/meson.build
@@ -25,6 +25,7 @@ sources = files('otx2_rx.c',
 		)
 
 deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2']
+deps += ['cryptodev', 'security']
 
 cflags += ['-flax-vector-conversions']
 
@@ -39,3 +40,5 @@ foreach flag: extra_flags
 		cflags += flag
 	endif
 endforeach
+
+includes += include_directories('../../crypto/octeontx2')
diff --git a/drivers/net/octeontx2/otx2_rx.h b/drivers/net/octeontx2/otx2_rx.h
index 351ad0f..e1715bd 100644
--- a/drivers/net/octeontx2/otx2_rx.h
+++ b/drivers/net/octeontx2/otx2_rx.h
@@ -5,6 +5,12 @@
 #ifndef __OTX2_RX_H__
 #define __OTX2_RX_H__
 
+#include <rte_ether.h>
+
+#include "otx2_common.h"
+#include "otx2_ipsec_fp.h"
+#include "otx2_security.h"
+
 /* Default mark value used when none is provided. */
 #define OTX2_FLOW_ACTION_FLAG_DEFAULT	0xffff
 
@@ -31,6 +37,12 @@
 #define NIX_RX_MULTI_SEG_F            BIT(15)
 #define NIX_TIMESYNC_RX_OFFSET		8
 
+/* Inline IPsec offsets */
+
+#define INLINE_INB_RPTR_HDR		16
+/* nix_cqe_hdr_s + nix_rx_parse_s + nix_rx_sg_s + nix_iova_s */
+#define INLINE_CPT_RESULT_OFFSET	80
+
 struct otx2_timesync_info {
 	uint64_t	rx_tstamp;
 	rte_iova_t	tx_tstamp_iova;
@@ -190,6 +202,60 @@ nix_cqe_xtract_mseg(const struct nix_rx_parse_s *rx,
 	}
 }
 
+static __rte_always_inline uint16_t
+nix_rx_sec_cptres_get(const void *cq)
+{
+	volatile const struct otx2_cpt_res *res;
+
+	res = (volatile const struct otx2_cpt_res *)((const char *)cq +
+			INLINE_CPT_RESULT_OFFSET);
+
+	return res->u16[0];
+}
+
+static __rte_always_inline void *
+nix_rx_sec_sa_get(const void * const lookup_mem, int spi, uint16_t port)
+{
+	const uint64_t *const *sa_tbl = (const uint64_t * const *)
+			((const uint8_t *)lookup_mem + OTX2_NIX_SA_TBL_START);
+
+	return (void *)sa_tbl[port][spi];
+}
+
+static __rte_always_inline uint64_t
+nix_rx_sec_mbuf_update(const struct nix_cqe_hdr_s *cq, struct rte_mbuf *m,
+		       const void * const lookup_mem)
+{
+	struct otx2_ipsec_fp_in_sa *sa;
+	struct rte_ipv4_hdr *ipv4;
+	uint16_t m_len;
+	uint32_t spi;
+	char *data;
+
+	if (unlikely(nix_rx_sec_cptres_get(cq) != OTX2_SEC_COMP_GOOD))
+		return PKT_RX_SEC_OFFLOAD | PKT_RX_SEC_OFFLOAD_FAILED;
+
+	/* 20 bits of tag would have the SPI */
+	spi = cq->tag & 0xFFFFF;
+
+	sa = nix_rx_sec_sa_get(lookup_mem, spi, m->port);
+	m->udata64 = (uint64_t)sa->userdata;
+
+	data = rte_pktmbuf_mtod(m, char *);
+	memcpy(data + INLINE_INB_RPTR_HDR, data, RTE_ETHER_HDR_LEN);
+
+	m->data_off += INLINE_INB_RPTR_HDR;
+
+	ipv4 = (struct rte_ipv4_hdr *)(data + INLINE_INB_RPTR_HDR +
+				       RTE_ETHER_HDR_LEN);
+
+	m_len = rte_be_to_cpu_16(ipv4->total_length) + RTE_ETHER_HDR_LEN;
+
+	m->data_len = m_len;
+	m->pkt_len = m_len;
+	return PKT_RX_SEC_OFFLOAD;
+}
+
 static __rte_always_inline void
 otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 		     struct rte_mbuf *mbuf, const void *lookup_mem,
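Review bot: nix_rx_sec_mbuf_update() indexes the SA table with `spi = cq->tag & 0xFFFFF` and dereferences the result (`sa->userdata`) without checking that the SPI is below the table size or that the entry is non-NULL; nix_rx_sec_sa_get() likewise trusts `port` and `sa_tbl[port]`. The packet length is then taken from the inner IPv4 header, `m_len = rte_be_to_cpu_16(ipv4->total_length) + RTE_ETHER_HDR_LEN;`, and written to data_len and pkt_len with no check against the mbuf's buffer size and no check that the inner header is IPv4 at all. A bound on total_length and a PKT_RX_SEC_OFFLOAD_FAILED return for an unknown SPI would be worth adding, or a comment stating which of these the hardware already guarantees.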
@@ -231,6 +297,13 @@ otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 	if (flag & NIX_RX_OFFLOAD_MARK_UPDATE_F)
 		ol_flags = nix_update_match_id(rx->match_id, ol_flags, mbuf);
 
+	if (cq->cqe_type == NIX_XQE_TYPE_RX_IPSECH) {
+		*(uint64_t *)(&mbuf->rearm_data) = val;
+		ol_flags |= nix_rx_sec_mbuf_update(cq, mbuf, lookup_mem);
+		mbuf->ol_flags = ol_flags;
+		return;
+	}
+
 	mbuf->ol_flags = ol_flags;
 	*(uint64_t *)(&mbuf->rearm_data) = val;
 	mbuf->pkt_len = len;
-- 
2.7.4



* [dpdk-dev] [PATCH v2 12/15] drivers/octeontx2: add sec in compiler optimized RX fastpath framework
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
                     ` (10 preceding siblings ...)
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 11/15] net/octeontx2: add inline ipsec rx path changes Anoob Joseph
@ 2020-01-18 10:49   ` Anoob Joseph
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 13/15] drivers/octeontx2: add sec in compiler optimized TX " Anoob Joseph
                     ` (4 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:49 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Archana Muniganti, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dev

From: Archana Muniganti <marchana@marvell.com>

Added new flag for SECURITY in RX compiler optimized fastpath
framework. With this, compiler autogenerates functions which
have security enabled.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/event/octeontx2/otx2_evdev.c       | 134 ++++++++-----
 drivers/event/octeontx2/otx2_evdev.h       |   2 +-
 drivers/event/octeontx2/otx2_worker.c      |   2 +-
 drivers/event/octeontx2/otx2_worker_dual.c |   2 +-
 drivers/net/octeontx2/otx2_ethdev.c        |   3 +
 drivers/net/octeontx2/otx2_rx.c            |  27 +--
 drivers/net/octeontx2/otx2_rx.h            | 306 ++++++++++++++++++++---------
 7 files changed, 320 insertions(+), 156 deletions(-)

diff --git a/drivers/event/octeontx2/otx2_evdev.c b/drivers/event/octeontx2/otx2_evdev.c
index 2daeba4..f6c641a 100644
--- a/drivers/event/octeontx2/otx2_evdev.c
+++ b/drivers/event/octeontx2/otx2_evdev.c
@@ -44,61 +44,64 @@ sso_fastpath_fns_set(struct rte_eventdev *event_dev)
 {
 	struct otx2_sso_evdev *dev = sso_pmd_priv(event_dev);
 	/* Single WS modes */
-	const event_dequeue_t ssogws_deq[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_ ##name,
+	const event_dequeue_t ssogws_deq[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_burst_t ssogws_deq_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_burst_ ##name,
+	const event_dequeue_burst_t ssogws_deq_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_deq_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_timeout_ ##name,
+	const event_dequeue_t ssogws_deq_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_deq_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_deq_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_deq_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_deq_seg[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_ ##name,
+	const event_dequeue_t ssogws_deq_seg[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_burst_t ssogws_deq_seg_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_burst_ ##name,
+	const event_dequeue_burst_t
+		ssogws_deq_seg_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_deq_seg_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_deq_seg_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_timeout_ ##name,
+	const event_dequeue_t ssogws_deq_seg_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_deq_seg_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_deq_seg_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_deq_seg_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 				otx2_ssogws_deq_seg_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
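Review bot: the eight dispatch tables in this hunk are automatic `const` arrays inside sso_fastpath_fns_set(), and the seventh dimension doubles each of them from 64 to 128 function pointers, so the stack frame and the per-call initialisation of these tables grow with it. Declaring them `static const` would place them in read-only data instead; the same applies to the dual-workslot tables in the next hunk.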
@@ -106,64 +109,69 @@ SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 
 
 	/* Dual WS modes */
-	const event_dequeue_t ssogws_dual_deq[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_ ##name,
+	const event_dequeue_t ssogws_dual_deq[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_burst_t ssogws_dual_deq_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_burst_ ##name,
+	const event_dequeue_burst_t
+		ssogws_dual_deq_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_dual_deq_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_timeout_ ##name,
+	const event_dequeue_t ssogws_dual_deq_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_dual_deq_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_timeout_burst_ ##name,
+		ssogws_dual_deq_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =					\
+			otx2_ssogws_dual_deq_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_dual_deq_seg[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_seg_ ##name,
+	const event_dequeue_t ssogws_dual_deq_seg[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_seg_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_dual_deq_seg_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
-				otx2_ssogws_dual_deq_seg_burst_ ##name,
+		ssogws_dual_deq_seg_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_seg_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_dual_deq_seg_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
-				otx2_ssogws_dual_deq_seg_timeout_ ##name,
+	const event_dequeue_t
+		ssogws_dual_deq_seg_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_seg_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_dual_deq_seg_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =					\
-		otx2_ssogws_dual_deq_seg_timeout_burst_ ##name,
+		ssogws_dual_deq_seg_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_seg_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
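Review bot: style, in `ssogws_dual_deq_timeout_burst`: the rewritten initializer line `[f6][f5][f4][f3][f2][f1][f0] =` is still indented with one tab, while every other table in this hunk uses two, and the patch already corrects the same slip for `ssogws_dual_deq_seg_timeout_burst`. Since the line is being touched anyway, indent it to match.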
@@ -209,6 +217,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 	event_dev->enqueue_forward_burst	= otx2_ssogws_enq_fwd_burst;
 	if (dev->rx_offloads & NIX_RX_MULTI_SEG_F) {
 		event_dev->dequeue		= ssogws_deq_seg
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -216,6 +225,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_PTYPE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		event_dev->dequeue_burst	= ssogws_deq_seg_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -224,6 +234,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		if (dev->is_timeout_deq) {
 			event_dev->dequeue	= ssogws_deq_seg_timeout
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -232,6 +243,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst	=
 				ssogws_deq_seg_timeout_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -241,6 +253,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		}
 	} else {
 		event_dev->dequeue			= ssogws_deq
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -248,6 +261,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_PTYPE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		event_dev->dequeue_burst		= ssogws_deq_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -256,6 +270,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		if (dev->is_timeout_deq) {
 			event_dev->dequeue		= ssogws_deq_timeout
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -264,6 +279,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst	=
 				ssogws_deq_timeout_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -303,6 +319,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		if (dev->rx_offloads & NIX_RX_MULTI_SEG_F) {
 			event_dev->dequeue	= ssogws_dual_deq_seg
 				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -313,6 +331,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_PTYPE_F)]
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst = ssogws_dual_deq_seg_burst
+				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -326,6 +346,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue	=
 					ssogws_dual_deq_seg_timeout
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -340,6 +362,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue_burst =
 					ssogws_dual_deq_seg_timeout_burst
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -355,6 +379,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		} else {
 			event_dev->dequeue		= ssogws_dual_deq
 				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -366,6 +392,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst	= ssogws_dual_deq_burst
 				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -379,6 +407,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue	=
 					ssogws_dual_deq_timeout
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -393,6 +423,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue_burst =
 					ssogws_dual_deq_timeout_burst
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
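Review bot: the new `[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]` subscript is inserted by hand, in first position, in each of the 16 dequeue selections touched by these hunks, and nothing checks that its position matches the f6 column of the R() rows. Consider one helper macro that expands the seven subscripts from `dev->rx_offloads`, so that the next flag is added in a single place and a misplaced subscript cannot silently select a different variant.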
diff --git a/drivers/event/octeontx2/otx2_evdev.h b/drivers/event/octeontx2/otx2_evdev.h
index ef523dc..5a44fd3 100644
--- a/drivers/event/octeontx2/otx2_evdev.h
+++ b/drivers/event/octeontx2/otx2_evdev.h
@@ -278,7 +278,7 @@ uint16_t otx2_ssogws_dual_enq_fwd_burst(void *port, const struct rte_event ev[],
 					uint16_t nb_events);
 
 /* Auto generated API's */
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				       \
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			       \
 uint16_t otx2_ssogws_deq_ ##name(void *port, struct rte_event *ev,	       \
 				 uint64_t timeout_ticks);		       \
 uint16_t otx2_ssogws_deq_burst_ ##name(void *port, struct rte_event ev[],      \
diff --git a/drivers/event/octeontx2/otx2_worker.c b/drivers/event/octeontx2/otx2_worker.c
index 34d39f4..12445d9 100644
--- a/drivers/event/octeontx2/otx2_worker.c
+++ b/drivers/event/octeontx2/otx2_worker.c
@@ -81,7 +81,7 @@ otx2_ssogws_release_event(struct otx2_ssogws *ws)
 	otx2_ssogws_swtag_flush(ws);
 }
 
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
 uint16_t __hot								\
 otx2_ssogws_deq_ ##name(void *port, struct rte_event *ev,		\
 			uint64_t timeout_ticks)				\
diff --git a/drivers/event/octeontx2/otx2_worker_dual.c b/drivers/event/octeontx2/otx2_worker_dual.c
index 7016eee..22a4889 100644
--- a/drivers/event/octeontx2/otx2_worker_dual.c
+++ b/drivers/event/octeontx2/otx2_worker_dual.c
@@ -140,7 +140,7 @@ otx2_ssogws_dual_enq_fwd_burst(void *port, const struct rte_event ev[],
 	return 1;
 }
 
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
 uint16_t __hot								\
 otx2_ssogws_dual_deq_ ##name(void *port, struct rte_event *ev,		\
 			     uint64_t timeout_ticks)			\
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index 131e883..c215078 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -626,6 +626,9 @@ nix_rx_offload_flags(struct rte_eth_dev *eth_dev)
 	if ((dev->rx_offloads & DEV_RX_OFFLOAD_TIMESTAMP))
 		flags |= NIX_RX_OFFLOAD_TSTAMP_F;
 
+	if (dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY)
+		flags |= NIX_RX_OFFLOAD_SECURITY_F;
+
 	if (!dev->ptype_disable)
 		flags |= NIX_RX_OFFLOAD_PTYPE_F;
 
diff --git a/drivers/net/octeontx2/otx2_rx.c b/drivers/net/octeontx2/otx2_rx.c
index 48565db..ffe6996 100644
--- a/drivers/net/octeontx2/otx2_rx.c
+++ b/drivers/net/octeontx2/otx2_rx.c
@@ -320,7 +320,7 @@ nix_recv_pkts_vector(void *rx_queue, struct rte_mbuf **rx_pkts,
 
 #endif
 
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			       \
 static uint16_t __rte_noinline	__hot					       \
 otx2_nix_recv_pkts_ ## name(void *rx_queue,				       \
 			struct rte_mbuf **rx_pkts, uint16_t pkts)	       \
@@ -351,12 +351,13 @@ NIX_RX_FASTPATH_MODES
 
 static inline void
 pick_rx_func(struct rte_eth_dev *eth_dev,
-	     const eth_rx_burst_t rx_burst[2][2][2][2][2][2])
+	     const eth_rx_burst_t rx_burst[2][2][2][2][2][2][2])
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	/* [TSTMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
+	/* [SEC] [TSTMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
 	eth_dev->rx_pkt_burst = rx_burst
+		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_SECURITY_F)]
 		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_TSTAMP_F)]
 		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
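Review bot: pick_rx_func() selects purely by the index bits, so it relies on each R() row's `flags` argument agreeing with its index columns, and three rows of NIX_RX_FASTPATH_MODES in this patch's otx2_rx.h do not: `sec_mark_vlan` (1, 0, 1, 1, 0, 0, 0) passes `RX_SEC_F | RX_VLAN_F` without MARK_F, `sec_ts_cksum_ptype` (1, 1, 0, 0, 1, 1, 0) passes `RX_SEC_F | CKSUM_F | PTYPE_F` without TS_F, and `ts_vlan_cksum_rss` (0, 1, 0, 1, 1, 0, 1) passes MARK_F where its columns say TS_F. Please correct those rows; a build-time check that compares each row's flags with the value implied by f6..f0 would catch this class of error in a 128-row table.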
@@ -370,25 +371,25 @@ otx2_eth_set_rx_function(struct rte_eth_dev *eth_dev)
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	const eth_rx_burst_t nix_eth_rx_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_ ## name,
+	const eth_rx_burst_t nix_eth_rx_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_ ## name,
 
 NIX_RX_FASTPATH_MODES
 #undef R
 	};
 
-	const eth_rx_burst_t nix_eth_rx_burst_mseg[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_mseg_ ## name,
+	const eth_rx_burst_t nix_eth_rx_burst_mseg[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_mseg_ ## name,
 
 NIX_RX_FASTPATH_MODES
 #undef R
 	};
 
-	const eth_rx_burst_t nix_eth_rx_vec_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_vec_ ## name,
+	const eth_rx_burst_t nix_eth_rx_vec_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_vec_ ## name,
 
 NIX_RX_FASTPATH_MODES
 #undef R
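Review bot: with the designated initializers `[f6][f5][f4][f3][f2][f1][f0] =`, any combination that NIX_RX_FASTPATH_MODES does not list stays a NULL entry in all three tables here, and the list in this patch's otx2_rx.h goes from `ts_mark_vlan_ptype_rss` (0, 1, 1, 1, 0, 1, 1) straight to `ts_mark_vlan_cksum_ptype` (0, 1, 1, 1, 1, 1, 0), with no rows for 0, 1, 1, 1, 1, 0, 0 and 0, 1, 1, 1, 1, 0, 1. Selecting timestamp, mark, VLAN strip and checksum without ptype would then install a NULL rx_pkt_burst. Add the two rows (the gap is also present in the removed six-column list, so it predates this patch), and consider rejecting a NULL pick in pick_rx_func().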
@@ -408,6 +409,6 @@ NIX_RX_FASTPATH_MODES
 	/* Copy multi seg version with no offload for tear down sequence */
 	if (rte_eal_process_type() == RTE_PROC_PRIMARY)
 		dev->rx_pkt_burst_no_offload =
-			nix_eth_rx_burst_mseg[0][0][0][0][0][0];
+			nix_eth_rx_burst_mseg[0][0][0][0][0][0][0];
 	rte_mb();
 }
diff --git a/drivers/net/octeontx2/otx2_rx.h b/drivers/net/octeontx2/otx2_rx.h
index e1715bd..2262777 100644
--- a/drivers/net/octeontx2/otx2_rx.h
+++ b/drivers/net/octeontx2/otx2_rx.h
@@ -29,6 +29,7 @@
 #define NIX_RX_OFFLOAD_VLAN_STRIP_F    BIT(3)
 #define NIX_RX_OFFLOAD_MARK_UPDATE_F   BIT(4)
 #define NIX_RX_OFFLOAD_TSTAMP_F        BIT(5)
+#define NIX_RX_OFFLOAD_SECURITY_F      BIT(6)
 
 /* Flags to control cqe_to_mbuf conversion function.
  * Defining it from backwards to denote its been
@@ -297,7 +298,8 @@ otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 	if (flag & NIX_RX_OFFLOAD_MARK_UPDATE_F)
 		ol_flags = nix_update_match_id(rx->match_id, ol_flags, mbuf);
 
-	if (cq->cqe_type == NIX_XQE_TYPE_RX_IPSECH) {
+	if ((flag & NIX_RX_OFFLOAD_SECURITY_F) &&
+	    cq->cqe_type == NIX_XQE_TYPE_RX_IPSECH) {
 		*(uint64_t *)(&mbuf->rearm_data) = val;
 		ol_flags |= nix_rx_sec_mbuf_update(cq, mbuf, lookup_mem);
 		mbuf->ol_flags = ol_flags;
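Review bot: in otx2_nix_cqe_to_mbuf(), once the test reads `(flag & NIX_RX_OFFLOAD_SECURITY_F) && cq->cqe_type == NIX_XQE_TYPE_RX_IPSECH`, a completion of type NIX_XQE_TYPE_RX_IPSECH that reaches a variant built without the security flag skips nix_rx_sec_mbuf_update() and continues as if it were a plain packet. If that case cannot occur, say so in a comment next to the condition; if it can, handle it explicitly rather than by falling through.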
@@ -320,94 +322,220 @@ otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 #define RX_VLAN_F  NIX_RX_OFFLOAD_VLAN_STRIP_F
 #define MARK_F  NIX_RX_OFFLOAD_MARK_UPDATE_F
 #define TS_F	NIX_RX_OFFLOAD_TSTAMP_F
+#define RX_SEC_F   NIX_RX_OFFLOAD_SECURITY_F
 
-/* [TSMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
+/* [SEC] [TSMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
 #define NIX_RX_FASTPATH_MODES						       \
-R(no_offload,			0, 0, 0, 0, 0, 0, NIX_RX_OFFLOAD_NONE)	\
-R(rss,				0, 0, 0, 0, 0, 1, RSS_F)		\
-R(ptype,			0, 0, 0, 0, 1, 0, PTYPE_F)		\
-R(ptype_rss,			0, 0, 0, 0, 1, 1, PTYPE_F | RSS_F)	\
-R(cksum,			0, 0, 0, 1, 0, 0, CKSUM_F)		\
-R(cksum_rss,			0, 0, 0, 1, 0, 1, CKSUM_F | RSS_F)	\
-R(cksum_ptype,			0, 0, 0, 1, 1, 0, CKSUM_F | PTYPE_F)	\
-R(cksum_ptype_rss,		0, 0, 0, 1, 1, 1, CKSUM_F | PTYPE_F | RSS_F)\
-R(vlan,				0, 0, 1, 0, 0, 0, RX_VLAN_F)		\
-R(vlan_rss,			0, 0, 1, 0, 0, 1, RX_VLAN_F | RSS_F)	\
-R(vlan_ptype,			0, 0, 1, 0, 1, 0, RX_VLAN_F | PTYPE_F)	\
-R(vlan_ptype_rss,		0, 0, 1, 0, 1, 1, RX_VLAN_F | PTYPE_F | RSS_F)\
-R(vlan_cksum,			0, 0, 1, 1, 0, 0, RX_VLAN_F | CKSUM_F)	\
-R(vlan_cksum_rss,		0, 0, 1, 1, 0, 1, RX_VLAN_F | CKSUM_F | RSS_F)\
-R(vlan_cksum_ptype,		0, 0, 1, 1, 1, 0,			\
-			RX_VLAN_F | CKSUM_F | PTYPE_F)			\
-R(vlan_cksum_ptype_rss,		0, 0, 1, 1, 1, 1,			\
-			RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)		\
-R(mark,				0, 1, 0, 0, 0, 0, MARK_F)		\
-R(mark_rss,			0, 1, 0, 0, 0, 1, MARK_F | RSS_F)	\
-R(mark_ptype,			0, 1, 0, 0, 1, 0, MARK_F | PTYPE_F)	\
-R(mark_ptype_rss,		0, 1, 0, 0, 1, 1, MARK_F | PTYPE_F | RSS_F)\
-R(mark_cksum,			0, 1, 0, 1, 0, 0, MARK_F | CKSUM_F)	\
-R(mark_cksum_rss,		0, 1, 0, 1, 0, 1, MARK_F | CKSUM_F | RSS_F)\
-R(mark_cksum_ptype,		0, 1, 0, 1, 1, 0, MARK_F | CKSUM_F | PTYPE_F)\
-R(mark_cksum_ptype_rss,		0, 1, 0, 1, 1, 1,			\
-			MARK_F | CKSUM_F | PTYPE_F | RSS_F)		\
-R(mark_vlan,			0, 1, 1, 0, 0, 0, MARK_F | RX_VLAN_F)	\
-R(mark_vlan_rss,		0, 1, 1, 0, 0, 1, MARK_F | RX_VLAN_F | RSS_F)\
-R(mark_vlan_ptype,		0, 1, 1, 0, 1, 0,			\
-			MARK_F | RX_VLAN_F | PTYPE_F)			\
-R(mark_vlan_ptype_rss,		0, 1, 1, 0, 1, 1,			\
-			MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)		\
-R(mark_vlan_cksum,		0, 1, 1, 1, 0, 0,			\
-			MARK_F | RX_VLAN_F | CKSUM_F)			\
-R(mark_vlan_cksum_rss,		0, 1, 1, 1, 0, 1,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		\
-R(mark_vlan_cksum_ptype,	0, 1, 1, 1, 1, 0,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		\
-R(mark_vlan_cksum_ptype_rss,	0, 1, 1, 1, 1, 1,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	\
-R(ts,				1, 0, 0, 0, 0, 0, TS_F)			\
-R(ts_rss,			1, 0, 0, 0, 0, 1, TS_F | RSS_F)		\
-R(ts_ptype,			1, 0, 0, 0, 1, 0, TS_F | PTYPE_F)	\
-R(ts_ptype_rss,			1, 0, 0, 0, 1, 1, TS_F | PTYPE_F | RSS_F)\
-R(ts_cksum,			1, 0, 0, 1, 0, 0, TS_F | CKSUM_F)	\
-R(ts_cksum_rss,			1, 0, 0, 1, 0, 1, TS_F | CKSUM_F | RSS_F)\
-R(ts_cksum_ptype,		1, 0, 0, 1, 1, 0, TS_F | CKSUM_F | PTYPE_F)\
-R(ts_cksum_ptype_rss,		1, 0, 0, 1, 1, 1,			\
-			TS_F | CKSUM_F | PTYPE_F | RSS_F)		\
-R(ts_vlan,			1, 0, 1, 0, 0, 0, TS_F | RX_VLAN_F)	\
-R(ts_vlan_rss,			1, 0, 1, 0, 0, 1, TS_F | RX_VLAN_F | RSS_F)\
-R(ts_vlan_ptype,		1, 0, 1, 0, 1, 0, TS_F | RX_VLAN_F | PTYPE_F)\
-R(ts_vlan_ptype_rss,		1, 0, 1, 0, 1, 1,			\
-			TS_F | RX_VLAN_F | PTYPE_F | RSS_F)		\
-R(ts_vlan_cksum,		1, 0, 1, 1, 0, 0,			\
-			TS_F | RX_VLAN_F | CKSUM_F)			\
-R(ts_vlan_cksum_rss,		1, 0, 1, 1, 0, 1,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		\
-R(ts_vlan_cksum_ptype,		1, 0, 1, 1, 1, 0,			\
-			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		\
-R(ts_vlan_cksum_ptype_rss,	1, 0, 1, 1, 1, 1,			\
-			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	\
-R(ts_mark,			1, 1, 0, 0, 0, 0, TS_F | MARK_F)	\
-R(ts_mark_rss,			1, 1, 0, 0, 0, 1, TS_F | MARK_F | RSS_F)\
-R(ts_mark_ptype,		1, 1, 0, 0, 1, 0, TS_F | MARK_F | PTYPE_F)\
-R(ts_mark_ptype_rss,		1, 1, 0, 0, 1, 1,			\
-			TS_F | MARK_F | PTYPE_F | RSS_F)		\
-R(ts_mark_cksum,		1, 1, 0, 1, 0, 0, TS_F | MARK_F | CKSUM_F)\
-R(ts_mark_cksum_rss,		1, 1, 0, 1, 0, 1,			\
-			TS_F | MARK_F | CKSUM_F | RSS_F)\
-R(ts_mark_cksum_ptype,		1, 1, 0, 1, 1, 0,			\
-			TS_F | MARK_F | CKSUM_F | PTYPE_F)		\
-R(ts_mark_cksum_ptype_rss,	1, 1, 0, 1, 1, 1,			\
-			TS_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)	\
-R(ts_mark_vlan,			1, 1, 1, 0, 0, 0, TS_F | MARK_F | RX_VLAN_F)\
-R(ts_mark_vlan_rss,		1, 1, 1, 0, 0, 1,			\
-			TS_F | MARK_F | RX_VLAN_F | RSS_F)\
-R(ts_mark_vlan_ptype,		1, 1, 1, 0, 1, 0,			\
-			TS_F | MARK_F | RX_VLAN_F | PTYPE_F)		\
-R(ts_mark_vlan_ptype_rss,	1, 1, 1, 0, 1, 1,			\
-			TS_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)	\
-R(ts_mark_vlan_cksum_ptype,	1, 1, 1, 1, 1, 0,			\
-			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)	\
-R(ts_mark_vlan_cksum_ptype_rss,	1, 1, 1, 1, 1, 1,			\
-			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)
-
+R(no_offload,			0, 0, 0, 0, 0, 0, 0, NIX_RX_OFFLOAD_NONE)      \
+R(rss,				0, 0, 0, 0, 0, 0, 1, RSS_F)		       \
+R(ptype,			0, 0, 0, 0, 0, 1, 0, PTYPE_F)		       \
+R(ptype_rss,			0, 0, 0, 0, 0, 1, 1, PTYPE_F | RSS_F)	       \
+R(cksum,			0, 0, 0, 0, 1, 0, 0, CKSUM_F)		       \
+R(cksum_rss,			0, 0, 0, 0, 1, 0, 1, CKSUM_F | RSS_F)	       \
+R(cksum_ptype,			0, 0, 0, 0, 1, 1, 0, CKSUM_F | PTYPE_F)	       \
+R(cksum_ptype_rss,		0, 0, 0, 0, 1, 1, 1, CKSUM_F | PTYPE_F | RSS_F)\
+R(vlan,				0, 0, 0, 1, 0, 0, 0, RX_VLAN_F)		       \
+R(vlan_rss,			0, 0, 0, 1, 0, 0, 1, RX_VLAN_F | RSS_F)	       \
+R(vlan_ptype,			0, 0, 0, 1, 0, 1, 0, RX_VLAN_F | PTYPE_F)      \
+R(vlan_ptype_rss,		0, 0, 0, 1, 0, 1, 1,			       \
+			RX_VLAN_F | PTYPE_F | RSS_F)			       \
+R(vlan_cksum,			0, 0, 0, 1, 1, 0, 0, RX_VLAN_F | CKSUM_F)      \
+R(vlan_cksum_rss,		0, 0, 0, 1, 1, 0, 1,			       \
+			RX_VLAN_F | CKSUM_F | RSS_F)			       \
+R(vlan_cksum_ptype,		0, 0, 0, 1, 1, 1, 0,			       \
+			RX_VLAN_F | CKSUM_F | PTYPE_F)			       \
+R(vlan_cksum_ptype_rss,		0, 0, 0, 1, 1, 1, 1,			       \
+			RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(mark,				0, 0, 1, 0, 0, 0, 0, MARK_F)		       \
+R(mark_rss,			0, 0, 1, 0, 0, 0, 1, MARK_F | RSS_F)	       \
+R(mark_ptype,			0, 0, 1, 0, 0, 1, 0, MARK_F | PTYPE_F)	       \
+R(mark_ptype_rss,		0, 0, 1, 0, 0, 1, 1, MARK_F | PTYPE_F | RSS_F) \
+R(mark_cksum,			0, 0, 1, 0, 1, 0, 0, MARK_F | CKSUM_F)	       \
+R(mark_cksum_rss,		0, 0, 1, 0, 1, 0, 1, MARK_F | CKSUM_F | RSS_F) \
+R(mark_cksum_ptype,		0, 0, 1, 0, 1, 1, 0,			       \
+			MARK_F | CKSUM_F | PTYPE_F)			       \
+R(mark_cksum_ptype_rss,		0, 0, 1, 0, 1, 1, 1,			       \
+			MARK_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(mark_vlan,			0, 0, 1, 1, 0, 0, 0, MARK_F | RX_VLAN_F)       \
+R(mark_vlan_rss,		0, 0, 1, 1, 0, 0, 1,			       \
+			MARK_F | RX_VLAN_F | RSS_F)			       \
+R(mark_vlan_ptype,		0, 0, 1, 1, 0, 1, 0,			       \
+			MARK_F | RX_VLAN_F | PTYPE_F)			       \
+R(mark_vlan_ptype_rss,		0, 0, 1, 1, 0, 1, 1,			       \
+			MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)		       \
+R(mark_vlan_cksum,		0, 0, 1, 1, 1, 0, 0,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F)			       \
+R(mark_vlan_cksum_rss,		0, 0, 1, 1, 1, 0, 1,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		       \
+R(mark_vlan_cksum_ptype,	0, 0, 1, 1, 1, 1, 0,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		       \
+R(mark_vlan_cksum_ptype_rss,	0, 0, 1, 1, 1, 1, 1,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(ts,				0, 1, 0, 0, 0, 0, 0, TS_F)		       \
+R(ts_rss,			0, 1, 0, 0, 0, 0, 1, TS_F | RSS_F)	       \
+R(ts_ptype,			0, 1, 0, 0, 0, 1, 0, TS_F | PTYPE_F)	       \
+R(ts_ptype_rss,			0, 1, 0, 0, 0, 1, 1, TS_F | PTYPE_F | RSS_F)   \
+R(ts_cksum,			0, 1, 0, 0, 1, 0, 0, TS_F | CKSUM_F)	       \
+R(ts_cksum_rss,			0, 1, 0, 0, 1, 0, 1, TS_F | CKSUM_F | RSS_F)   \
+R(ts_cksum_ptype,		0, 1, 0, 0, 1, 1, 0, TS_F | CKSUM_F | PTYPE_F) \
+R(ts_cksum_ptype_rss,		0, 1, 0, 0, 1, 1, 1,			       \
+			TS_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(ts_vlan,			0, 1, 0, 1, 0, 0, 0, TS_F | RX_VLAN_F)	       \
+R(ts_vlan_rss,			0, 1, 0, 1, 0, 0, 1, TS_F | RX_VLAN_F | RSS_F) \
+R(ts_vlan_ptype,		0, 1, 0, 1, 0, 1, 0,			       \
+			TS_F | RX_VLAN_F | PTYPE_F)			       \
+R(ts_vlan_ptype_rss,		0, 1, 0, 1, 0, 1, 1,			       \
+			TS_F | RX_VLAN_F | PTYPE_F | RSS_F)		       \
+R(ts_vlan_cksum,		0, 1, 0, 1, 1, 0, 0,			       \
+			TS_F | RX_VLAN_F | CKSUM_F)			       \
+R(ts_vlan_cksum_rss,		0, 1, 0, 1, 1, 0, 1,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		       \
+R(ts_vlan_cksum_ptype,		0, 1, 0, 1, 1, 1, 0,			       \
+			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		       \
+R(ts_vlan_cksum_ptype_rss,	0, 1, 0, 1, 1, 1, 1,			       \
+			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(ts_mark,			0, 1, 1, 0, 0, 0, 0, TS_F | MARK_F)	       \
+R(ts_mark_rss,			0, 1, 1, 0, 0, 0, 1, TS_F | MARK_F | RSS_F)    \
+R(ts_mark_ptype,		0, 1, 1, 0, 0, 1, 0, TS_F | MARK_F | PTYPE_F)  \
+R(ts_mark_ptype_rss,		0, 1, 1, 0, 0, 1, 1,			       \
+			TS_F | MARK_F | PTYPE_F | RSS_F)		       \
+R(ts_mark_cksum,		0, 1, 1, 0, 1, 0, 0, TS_F | MARK_F | CKSUM_F)  \
+R(ts_mark_cksum_rss,		0, 1, 1, 0, 1, 0, 1,			       \
+			TS_F | MARK_F | CKSUM_F | RSS_F)		       \
+R(ts_mark_cksum_ptype,		0, 1, 1, 0, 1, 1, 0,			       \
+			TS_F | MARK_F | CKSUM_F | PTYPE_F)		       \
+R(ts_mark_cksum_ptype_rss,	0, 1, 1, 0, 1, 1, 1,			       \
+			TS_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(ts_mark_vlan,			0, 1, 1, 1, 0, 0, 0, TS_F | MARK_F | RX_VLAN_F)\
+R(ts_mark_vlan_rss,		0, 1, 1, 1, 0, 0, 1,			       \
+			TS_F | MARK_F | RX_VLAN_F | RSS_F)		       \
+R(ts_mark_vlan_ptype,		0, 1, 1, 1, 0, 1, 0,			       \
+			TS_F | MARK_F | RX_VLAN_F | PTYPE_F)		       \
+R(ts_mark_vlan_ptype_rss,	0, 1, 1, 1, 0, 1, 1,			       \
+			TS_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)	       \
+R(ts_mark_vlan_cksum_ptype,	0, 1, 1, 1, 1, 1, 0,			       \
+			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)	       \
+R(ts_mark_vlan_cksum_ptype_rss,	0, 1, 1, 1, 1, 1, 1,			       \
+			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F) \
+R(sec,				1, 0, 0, 0, 0, 0, 0, RX_SEC_F)		       \
+R(sec_rss,			1, 0, 0, 0, 0, 0, 1, RX_SEC_F | RSS_F)	       \
+R(sec_ptype,			1, 0, 0, 0, 0, 1, 0, RX_SEC_F | PTYPE_F)       \
+R(sec_ptype_rss,		1, 0, 0, 0, 0, 1, 1,			       \
+			RX_SEC_F | PTYPE_F | RSS_F)			       \
+R(sec_cksum,			1, 0, 0, 0, 1, 0, 0, RX_SEC_F | CKSUM_F)       \
+R(sec_cksum_rss,		1, 0, 0, 0, 1, 0, 1,			       \
+			RX_SEC_F | CKSUM_F | RSS_F)			       \
+R(sec_cksum_ptype,		1, 0, 0, 0, 1, 1, 0,			       \
+			RX_SEC_F | CKSUM_F | PTYPE_F)			       \
+R(sec_cksum_ptype_rss,		1, 0, 0, 0, 1, 1, 1,			       \
+			RX_SEC_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(sec_vlan,			1, 0, 0, 1, 0, 0, 0, RX_SEC_F | RX_VLAN_F)     \
+R(sec_vlan_rss,			1, 0, 0, 1, 0, 0, 1,			       \
+			RX_SEC_F | RX_VLAN_F | RSS_F)			       \
+R(sec_vlan_ptype,		1, 0, 0, 1, 0, 1, 0,			       \
+			RX_SEC_F | RX_VLAN_F | PTYPE_F)			       \
+R(sec_vlan_ptype_rss,		1, 0, 0, 1, 0, 1, 1,			       \
+			RX_SEC_F | RX_VLAN_F | PTYPE_F | RSS_F)		       \
+R(sec_vlan_cksum,		1, 0, 0, 1, 1, 0, 0,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F)			       \
+R(sec_vlan_cksum_rss,		1, 0, 0, 1, 1, 0, 1,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F | RSS_F)		       \
+R(sec_vlan_cksum_ptype,		1, 0, 0, 1, 1, 1, 0,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F | PTYPE_F)	       \
+R(sec_vlan_cksum_ptype_rss,	1, 0, 0, 1, 1, 1, 1,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)      \
+R(sec_mark,			1, 0, 1, 0, 0, 0, 0, RX_SEC_F | MARK_F)	       \
+R(sec_mark_rss,			1, 0, 1, 0, 0, 0, 1, RX_SEC_F | MARK_F | RSS_F)\
+R(sec_mark_ptype,		1, 0, 1, 0, 0, 1, 0,			       \
+			RX_SEC_F | MARK_F | PTYPE_F)			       \
+R(sec_mark_ptype_rss,		1, 0, 1, 0, 0, 1, 1,			       \
+			RX_SEC_F | MARK_F | PTYPE_F | RSS_F)		       \
+R(sec_mark_cksum,		1, 0, 1, 0, 1, 0, 0,			       \
+			RX_SEC_F | MARK_F | CKSUM_F)			       \
+R(sec_mark_cksum_rss,		1, 0, 1, 0, 1, 0, 1,			       \
+			RX_SEC_F | MARK_F | CKSUM_F | RSS_F)		       \
+R(sec_mark_cksum_ptype,		1, 0, 1, 0, 1, 1, 0,			       \
+			RX_SEC_F | MARK_F | CKSUM_F | PTYPE_F)		       \
+R(sec_mark_cksum_ptype_rss,	1, 0, 1, 0, 1, 1, 1,			       \
+			RX_SEC_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(sec_mark_vlan,		1, 0, 1, 1, 0, 0, 0, RX_SEC_F | RX_VLAN_F)     \
+R(sec_mark_vlan_rss,		1, 0, 1, 1, 0, 0, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | RSS_F)		       \
+R(sec_mark_vlan_ptype,		1, 0, 1, 1, 0, 1, 0,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | PTYPE_F)	       \
+R(sec_mark_vlan_ptype_rss,	1, 0, 1, 1, 0, 1, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)       \
+R(sec_mark_vlan_cksum,		1, 0, 1, 1, 1, 0, 0,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F)	       \
+R(sec_mark_vlan_cksum_rss,	1, 0, 1, 1, 1, 0, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)       \
+R(sec_mark_vlan_cksum_ptype,	1, 0, 1, 1, 1, 1, 0,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)     \
+R(sec_mark_vlan_cksum_ptype_rss,					       \
+				1, 0, 1, 1, 1, 1, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F |    \
+			RSS_F)						       \
+R(sec_ts,			1, 1, 0, 0, 0, 0, 0, RX_SEC_F | TS_F)	       \
+R(sec_ts_rss,			1, 1, 0, 0, 0, 0, 1, RX_SEC_F | TS_F | RSS_F)  \
+R(sec_ts_ptype,			1, 1, 0, 0, 0, 1, 0, RX_SEC_F | TS_F | PTYPE_F)\
+R(sec_ts_ptype_rss,		1, 1, 0, 0, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | PTYPE_F | RSS_F)		       \
+R(sec_ts_cksum,			1, 1, 0, 0, 1, 0, 0, RX_SEC_F | TS_F | CKSUM_F)\
+R(sec_ts_cksum_rss,		1, 1, 0, 0, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | CKSUM_F | RSS_F)		       \
+R(sec_ts_cksum_ptype,		1, 1, 0, 0, 1, 1, 0,			       \
+			RX_SEC_F | CKSUM_F | PTYPE_F)			       \
+R(sec_ts_cksum_ptype_rss,	1, 1, 0, 0, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(sec_ts_vlan,			1, 1, 0, 1, 0, 0, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F)			       \
+R(sec_ts_vlan_rss,		1, 1, 0, 1, 0, 0, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | RSS_F)		       \
+R(sec_ts_vlan_ptype,		1, 1, 0, 1, 0, 1, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | PTYPE_F)		       \
+R(sec_ts_vlan_ptype_rss,	1, 1, 0, 1, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | PTYPE_F | RSS_F)	       \
+R(sec_ts_vlan_cksum,		1, 1, 0, 1, 1, 0, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F)		       \
+R(sec_ts_vlan_cksum_rss,	1, 1, 0, 1, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F | RSS_F)	       \
+R(sec_ts_vlan_cksum_ptype,	1, 1, 0, 1, 1, 1, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F)       \
+R(sec_ts_vlan_cksum_ptype_rss,	1, 1, 0, 1, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F |      \
+			RSS_F)						       \
+R(sec_ts_mark,			1, 1, 1, 0, 0, 0, 0, RX_SEC_F | TS_F | MARK_F) \
+R(sec_ts_mark_rss,		1, 1, 1, 0, 0, 0, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RSS_F)		       \
+R(sec_ts_mark_ptype,		1, 1, 1, 0, 0, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | PTYPE_F)		       \
+R(sec_ts_mark_ptype_rss,	1, 1, 1, 0, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | PTYPE_F | RSS_F)	       \
+R(sec_ts_mark_cksum,		1, 1, 1, 0, 1, 0, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F)		       \
+R(sec_ts_mark_cksum_rss,	1, 1, 1, 0, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F | RSS_F)	       \
+R(sec_ts_mark_cksum_ptype,	1, 1, 1, 0, 1, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F | PTYPE_F)	       \
+R(sec_ts_mark_cksum_ptype_rss,	1, 1, 1, 0, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)  \
+R(sec_ts_mark_vlan,		1, 1, 1, 1, 0, 0, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F)		       \
+R(sec_ts_mark_vlan_rss,		1, 1, 1, 1, 0, 0, 1,			       \
+			RX_SEC_F | RX_VLAN_F | RSS_F)			       \
+R(sec_ts_mark_vlan_ptype,	1, 1, 1, 1, 0, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | PTYPE_F)	       \
+R(sec_ts_mark_vlan_ptype_rss,	1, 1, 1, 1, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)\
+R(sec_ts_mark_vlan_cksum,	1, 1, 1, 1, 1, 0, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F)	       \
+R(sec_ts_mark_vlan_cksum_rss,	1, 1, 1, 1, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)\
+R(sec_ts_mark_vlan_cksum_ptype,	1, 1, 1, 1, 1, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F |       \
+			PTYPE_F)					       \
+R(sec_ts_mark_vlan_cksum_ptype_rss,					       \
+				1, 1, 1, 1, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F |       \
+			PTYPE_F | RSS_F)
 #endif /* __OTX2_RX_H__ */
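Review bot: Three of the new sec entries in this table carry a flags value that does not match their name and index bits. R(sec_mark_vlan, 1, 0, 1, 1, 0, 0, 0, ...) passes RX_SEC_F | RX_VLAN_F without MARK_F; R(sec_ts_cksum_ptype, 1, 1, 0, 0, 1, 1, 0, ...) passes RX_SEC_F | CKSUM_F | PTYPE_F without TS_F; and R(sec_ts_mark_vlan_rss, 1, 1, 1, 1, 0, 0, 1, ...) passes RX_SEC_F | RX_VLAN_F | RSS_F without TS_F | MARK_F. If the flags argument is what each generated Rx function is built with, those index combinations would select a variant that lacks the mark or timestamp handling its name promises. Please add the missing flags. With the table hand-maintained at this size, a build-time check that each entry's flags agree with its index bits would catch this kind of slip.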
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v2 13/15] drivers/octeontx2: add sec in compiler optimized TX fastpath framework
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
                     ` (11 preceding siblings ...)
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 12/15] drivers/octeontx2: add sec in compiler optimized RX fastpath framework Anoob Joseph
@ 2020-01-18 10:49   ` Anoob Joseph
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 14/15] crypto/octeontx2: add inline tx path changes Anoob Joseph
                     ` (3 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:49 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Archana Muniganti, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dev

From: Archana Muniganti <marchana@marvell.com>

Added new flag for SECURITY in compiler optimized TX fastpath
framework. With this, compiler autogenerates functions which
have security enabled.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/event/octeontx2/otx2_evdev.c       |  36 ++--
 drivers/event/octeontx2/otx2_evdev.h       |   2 +-
 drivers/event/octeontx2/otx2_worker.c      |   4 +-
 drivers/event/octeontx2/otx2_worker_dual.c |   4 +-
 drivers/net/octeontx2/otx2_ethdev.c        |   3 +
 drivers/net/octeontx2/otx2_tx.c            |  29 +--
 drivers/net/octeontx2/otx2_tx.h            | 271 ++++++++++++++++++++++-------
 7 files changed, 250 insertions(+), 99 deletions(-)

diff --git a/drivers/event/octeontx2/otx2_evdev.c b/drivers/event/octeontx2/otx2_evdev.c
index f6c641a..d20213d 100644
--- a/drivers/event/octeontx2/otx2_evdev.c
+++ b/drivers/event/octeontx2/otx2_evdev.c
@@ -177,35 +177,37 @@ SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 	};
 
 	/* Tx modes */
-	const event_tx_adapter_enqueue ssogws_tx_adptr_enq[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =  otx2_ssogws_tx_adptr_enq_ ## name,
+	const event_tx_adapter_enqueue
+		ssogws_tx_adptr_enq[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_tx_adptr_enq_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 	};
 
 	const event_tx_adapter_enqueue
-		ssogws_tx_adptr_enq_seg[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_tx_adptr_enq_seg[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_tx_adptr_enq_seg_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 	};
 
 	const event_tx_adapter_enqueue
-		ssogws_dual_tx_adptr_enq[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_dual_tx_adptr_enq[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_dual_tx_adptr_enq_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 	};
 
 	const event_tx_adapter_enqueue
-		ssogws_dual_tx_adptr_enq_seg[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_dual_tx_adptr_enq_seg[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_dual_tx_adptr_enq_seg_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
@@ -290,8 +292,9 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 	}
 
 	if (dev->tx_offloads & NIX_TX_MULTI_SEG_F) {
-		/* [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
+		/* [SEC] [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
 		event_dev->txa_enqueue = ssogws_tx_adptr_enq_seg
+			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_SECURITY_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_MBUF_NOFF_F)]
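Review bot: The updated index comment in the NIX_TX_MULTI_SEG_F branch lists six labels, [SEC] [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM], but seven subscripts follow it: the NIX_TX_OFFLOAD_TSO_F subscript sits between the new SECURITY one and TSTAMP and has no label. Since the line is being changed anyway, add [TSO] after [SEC] so the comment matches the subscript order, which has to stay in step with the f6..f0 order of the T() entries.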
@@ -300,6 +303,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_L3_L4_CSUM_F)];
 	} else {
 		event_dev->txa_enqueue = ssogws_tx_adptr_enq
+			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_SECURITY_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_MBUF_NOFF_F)]
@@ -440,8 +444,10 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		}
 
 		if (dev->tx_offloads & NIX_TX_MULTI_SEG_F) {
-		/* [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
+		/* [SEC] [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
 			event_dev->txa_enqueue = ssogws_dual_tx_adptr_enq_seg
+				[!!(dev->tx_offloads &
+						NIX_TX_OFFLOAD_SECURITY_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->tx_offloads &
@@ -454,6 +460,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 						NIX_TX_OFFLOAD_L3_L4_CSUM_F)];
 		} else {
 			event_dev->txa_enqueue = ssogws_dual_tx_adptr_enq
+				[!!(dev->tx_offloads &
+						NIX_TX_OFFLOAD_SECURITY_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->tx_offloads &
diff --git a/drivers/event/octeontx2/otx2_evdev.h b/drivers/event/octeontx2/otx2_evdev.h
index 5a44fd3..3b47782 100644
--- a/drivers/event/octeontx2/otx2_evdev.h
+++ b/drivers/event/octeontx2/otx2_evdev.h
@@ -335,7 +335,7 @@ uint16_t otx2_ssogws_dual_deq_seg_timeout_burst_ ##name(void *port,	       \
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			     \
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			     \
 uint16_t otx2_ssogws_tx_adptr_enq_ ## name(void *port, struct rte_event ev[],\
 					   uint16_t nb_events);		     \
 uint16_t otx2_ssogws_tx_adptr_enq_seg_ ## name(void *port,		     \
diff --git a/drivers/event/octeontx2/otx2_worker.c b/drivers/event/octeontx2/otx2_worker.c
index 12445d9..8bec59e 100644
--- a/drivers/event/octeontx2/otx2_worker.c
+++ b/drivers/event/octeontx2/otx2_worker.c
@@ -267,7 +267,7 @@ otx2_ssogws_enq_fwd_burst(void *port, const struct rte_event ev[],
 	return 1;
 }
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_tx_adptr_enq_ ## name(void *port, struct rte_event ev[],	\
 				  uint16_t nb_events)			\
@@ -281,7 +281,7 @@ otx2_ssogws_tx_adptr_enq_ ## name(void *port, struct rte_event ev[],	\
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_tx_adptr_enq_seg_ ## name(void *port, struct rte_event ev[],\
 				      uint16_t nb_events)		\
diff --git a/drivers/event/octeontx2/otx2_worker_dual.c b/drivers/event/octeontx2/otx2_worker_dual.c
index 22a4889..3cba09c 100644
--- a/drivers/event/octeontx2/otx2_worker_dual.c
+++ b/drivers/event/octeontx2/otx2_worker_dual.c
@@ -307,7 +307,7 @@ otx2_ssogws_dual_deq_seg_timeout_burst_ ##name(void *port,		\
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_dual_tx_adptr_enq_ ## name(void *port,			\
 				       struct rte_event ev[],		\
@@ -324,7 +324,7 @@ otx2_ssogws_dual_tx_adptr_enq_ ## name(void *port,			\
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_dual_tx_adptr_enq_seg_ ## name(void *port,			\
 					   struct rte_event ev[],	\
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index c215078..8801173 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -698,6 +698,9 @@ nix_tx_offload_flags(struct rte_eth_dev *eth_dev)
 			  NIX_TX_OFFLOAD_OL3_OL4_CSUM_F |
 			  NIX_TX_OFFLOAD_L3_L4_CSUM_F);
 
+	if (conf & DEV_TX_OFFLOAD_SECURITY)
+		flags |= NIX_TX_OFFLOAD_SECURITY_F;
+
 	if ((dev->rx_offloads & DEV_RX_OFFLOAD_TIMESTAMP))
 		flags |= NIX_TX_OFFLOAD_TSTAMP_F;
 
diff --git a/drivers/net/octeontx2/otx2_tx.c b/drivers/net/octeontx2/otx2_tx.c
index fa53300..e43590e 100644
--- a/drivers/net/octeontx2/otx2_tx.c
+++ b/drivers/net/octeontx2/otx2_tx.c
@@ -945,7 +945,7 @@ nix_xmit_pkts_vector(void *tx_queue, struct rte_mbuf **tx_pkts,
 }
 #endif
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 static uint16_t __rte_noinline	__hot					\
 otx2_nix_xmit_pkts_ ## name(void *tx_queue,				\
 			struct rte_mbuf **tx_pkts, uint16_t pkts)	\
@@ -962,7 +962,7 @@ otx2_nix_xmit_pkts_ ## name(void *tx_queue,				\
 NIX_TX_FASTPATH_MODES
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 static uint16_t __rte_noinline	__hot					\
 otx2_nix_xmit_pkts_mseg_ ## name(void *tx_queue,			\
 			struct rte_mbuf **tx_pkts, uint16_t pkts)	\
@@ -980,7 +980,7 @@ otx2_nix_xmit_pkts_mseg_ ## name(void *tx_queue,			\
 NIX_TX_FASTPATH_MODES
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 static uint16_t __rte_noinline	__hot					\
 otx2_nix_xmit_pkts_vec_ ## name(void *tx_queue,				\
 			struct rte_mbuf **tx_pkts, uint16_t pkts)	\
@@ -998,12 +998,13 @@ NIX_TX_FASTPATH_MODES
 
 static inline void
 pick_tx_func(struct rte_eth_dev *eth_dev,
-	     const eth_tx_burst_t tx_burst[2][2][2][2][2][2])
+	     const eth_tx_burst_t tx_burst[2][2][2][2][2][2][2])
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	/* [TSTMP] [NOFF] [VLAN] [OL3_OL4_CSUM] [IL3_IL4_CSUM] */
+	/* [SEC] [TSTMP] [NOFF] [VLAN] [OL3_OL4_CSUM] [IL3_IL4_CSUM] */
 	eth_dev->tx_pkt_burst = tx_burst
+		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_SECURITY_F)]
 		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_TSO_F)]
 		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_TSTAMP_F)]
 		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_MBUF_NOFF_F)]
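Review bot: In pick_tx_func() the comment above the lookup is one label short: it reads [SEC] [TSTMP] [NOFF] [VLAN] [OL3_OL4_CSUM] [IL3_IL4_CSUM], while the lookup has a NIX_TX_OFFLOAD_TSO_F subscript directly after the new SECURITY one. Please add [TSO]. It would also help to use the same label spelling as the table header in otx2_tx.h, which this patch updates to [SEC] [TSO] [TSTMP] [NOFF] [VLAN] [OL3OL4CSUM] [L3L4CSUM].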
@@ -1017,25 +1018,25 @@ otx2_eth_set_tx_function(struct rte_eth_dev *eth_dev)
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	const eth_tx_burst_t nix_eth_tx_burst[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_ ## name,
+	const eth_tx_burst_t nix_eth_tx_burst[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_ ## name,
 
 NIX_TX_FASTPATH_MODES
 #undef T
 	};
 
-	const eth_tx_burst_t nix_eth_tx_burst_mseg[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_mseg_ ## name,
+	const eth_tx_burst_t nix_eth_tx_burst_mseg[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_mseg_ ## name,
 
 NIX_TX_FASTPATH_MODES
 #undef T
 	};
 
-	const eth_tx_burst_t nix_eth_tx_vec_burst[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_vec_ ## name,
+	const eth_tx_burst_t nix_eth_tx_vec_burst[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_vec_ ## name,
 
 NIX_TX_FASTPATH_MODES
 #undef T
diff --git a/drivers/net/octeontx2/otx2_tx.h b/drivers/net/octeontx2/otx2_tx.h
index 04e859b..3c43170 100644
--- a/drivers/net/octeontx2/otx2_tx.h
+++ b/drivers/net/octeontx2/otx2_tx.h
@@ -12,6 +12,7 @@
 #define NIX_TX_OFFLOAD_MBUF_NOFF_F	BIT(3)
 #define NIX_TX_OFFLOAD_TSTAMP_F		BIT(4)
 #define NIX_TX_OFFLOAD_TSO_F		BIT(5)
+#define NIX_TX_OFFLOAD_SECURITY_F	BIT(6)
 
 /* Flags to control xmit_prepare function.
  * Defining it from backwards to denote its been
@@ -470,136 +471,274 @@ otx2_nix_xmit_mseg_one(uint64_t *cmd, void *lmt_addr,
 #define NOFF_F       NIX_TX_OFFLOAD_MBUF_NOFF_F
 #define TSP_F        NIX_TX_OFFLOAD_TSTAMP_F
 #define TSO_F        NIX_TX_OFFLOAD_TSO_F
+#define TX_SEC_F     NIX_TX_OFFLOAD_SECURITY_F
 
-/* [TSO] [TSTMP] [NOFF] [VLAN] [OL3OL4CSUM] [L3L4CSUM] */
+/* [SEC] [TSO] [TSTMP] [NOFF] [VLAN] [OL3OL4CSUM] [L3L4CSUM] */
 #define NIX_TX_FASTPATH_MODES						\
-T(no_offload,				0, 0, 0, 0, 0, 0,	4,	\
+T(no_offload,				0, 0, 0, 0, 0, 0, 0,	4,	\
 		NIX_TX_OFFLOAD_NONE)					\
-T(l3l4csum,				0, 0, 0, 0, 0, 1,	4,	\
+T(l3l4csum,				0, 0, 0, 0, 0, 0, 1,	4,	\
 		L3L4CSUM_F)						\
-T(ol3ol4csum,				0, 0, 0, 0, 1, 0,	4,	\
+T(ol3ol4csum,				0, 0, 0, 0, 0, 1, 0,	4,	\
 		OL3OL4CSUM_F)						\
-T(ol3ol4csum_l3l4csum,			0, 0, 0, 0, 1, 1,	4,	\
+T(ol3ol4csum_l3l4csum,			0, 0, 0, 0, 0, 1, 1,	4,	\
 		OL3OL4CSUM_F | L3L4CSUM_F)				\
-T(vlan,					0, 0, 0, 1, 0, 0,	6,	\
+T(vlan,					0, 0, 0, 0, 1, 0, 0,	6,	\
 		VLAN_F)							\
-T(vlan_l3l4csum,			0, 0, 0, 1, 0, 1,	6,	\
+T(vlan_l3l4csum,			0, 0, 0, 0, 1, 0, 1,	6,	\
 		VLAN_F | L3L4CSUM_F)					\
-T(vlan_ol3ol4csum,			0, 0, 0, 1, 1, 0,	6,	\
+T(vlan_ol3ol4csum,			0, 0, 0, 0, 1, 1, 0,	6,	\
 		VLAN_F | OL3OL4CSUM_F)					\
-T(vlan_ol3ol4csum_l3l4csum,		0, 0, 0, 1, 1, 1,	6,	\
+T(vlan_ol3ol4csum_l3l4csum,		0, 0, 0, 0, 1, 1, 1,	6,	\
 		VLAN_F | OL3OL4CSUM_F |	L3L4CSUM_F)			\
-T(noff,					0, 0, 1, 0, 0, 0,	4,	\
+T(noff,					0, 0, 0, 1, 0, 0, 0,	4,	\
 		NOFF_F)							\
-T(noff_l3l4csum,			0, 0, 1, 0, 0, 1,	4,	\
+T(noff_l3l4csum,			0, 0, 0, 1, 0, 0, 1,	4,	\
 		NOFF_F | L3L4CSUM_F)					\
-T(noff_ol3ol4csum,			0, 0, 1, 0, 1, 0,	4,	\
+T(noff_ol3ol4csum,			0, 0, 0, 1, 0, 1, 0,	4,	\
 		NOFF_F | OL3OL4CSUM_F)					\
-T(noff_ol3ol4csum_l3l4csum,		0, 0, 1, 0, 1, 1,	4,	\
+T(noff_ol3ol4csum_l3l4csum,		0, 0, 0, 1, 0, 1, 1,	4,	\
 		NOFF_F | OL3OL4CSUM_F |	L3L4CSUM_F)			\
-T(noff_vlan,				0, 0, 1, 1, 0, 0,	6,	\
+T(noff_vlan,				0, 0, 0, 1, 1, 0, 0,	6,	\
 		NOFF_F | VLAN_F)					\
-T(noff_vlan_l3l4csum,			0, 0, 1, 1, 0, 1,	6,	\
+T(noff_vlan_l3l4csum,			0, 0, 0, 1, 1, 0, 1,	6,	\
 		NOFF_F | VLAN_F | L3L4CSUM_F)				\
-T(noff_vlan_ol3ol4csum,			0, 0, 1, 1, 1, 0,	6,	\
+T(noff_vlan_ol3ol4csum,			0, 0, 0, 1, 1, 1, 0,	6,	\
 		NOFF_F | VLAN_F | OL3OL4CSUM_F)				\
-T(noff_vlan_ol3ol4csum_l3l4csum,	0, 0, 1, 1, 1, 1,	6,	\
+T(noff_vlan_ol3ol4csum_l3l4csum,	0, 0, 0, 1, 1, 1, 1,	6,	\
 		NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(ts,					0, 1, 0, 0, 0, 0,	8,	\
+T(ts,					0, 0, 1, 0, 0, 0, 0,	8,	\
 		TSP_F)							\
-T(ts_l3l4csum,				0, 1, 0, 0, 0, 1,	8,	\
+T(ts_l3l4csum,				0, 0, 1, 0, 0, 0, 1,	8,	\
 		TSP_F | L3L4CSUM_F)					\
-T(ts_ol3ol4csum,			0, 1, 0, 0, 1, 0,	8,	\
+T(ts_ol3ol4csum,			0, 0, 1, 0, 0, 1, 0,	8,	\
 		TSP_F | OL3OL4CSUM_F)					\
-T(ts_ol3ol4csum_l3l4csum,		0, 1, 0, 0, 1, 1,	8,	\
+T(ts_ol3ol4csum_l3l4csum,		0, 0, 1, 0, 0, 1, 1,	8,	\
 		TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)			\
-T(ts_vlan,				0, 1, 0, 1, 0, 0,	8,	\
+T(ts_vlan,				0, 0, 1, 0, 1, 0, 0,	8,	\
 		TSP_F | VLAN_F)						\
-T(ts_vlan_l3l4csum,			0, 1, 0, 1, 0, 1,	8,	\
+T(ts_vlan_l3l4csum,			0, 0, 1, 0, 1, 0, 1,	8,	\
 		TSP_F | VLAN_F | L3L4CSUM_F)				\
-T(ts_vlan_ol3ol4csum,			0, 1, 0, 1, 1, 0,	8,	\
+T(ts_vlan_ol3ol4csum,			0, 0, 1, 0, 1, 1, 0,	8,	\
 		TSP_F | VLAN_F | OL3OL4CSUM_F)				\
-T(ts_vlan_ol3ol4csum_l3l4csum,		0, 1, 0, 1, 1, 1,	8,	\
+T(ts_vlan_ol3ol4csum_l3l4csum,		0, 0, 1, 0, 1, 1, 1,	8,	\
 		TSP_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(ts_noff,				0, 1, 1, 0, 0, 0,	8,	\
+T(ts_noff,				0, 0, 1, 1, 0, 0, 0,	8,	\
 		TSP_F | NOFF_F)						\
-T(ts_noff_l3l4csum,			0, 1, 1, 0, 0, 1,	8,	\
+T(ts_noff_l3l4csum,			0, 0, 1, 1, 0, 0, 1,	8,	\
 		TSP_F | NOFF_F | L3L4CSUM_F)				\
-T(ts_noff_ol3ol4csum,			0, 1, 1, 0, 1, 0,	8,	\
+T(ts_noff_ol3ol4csum,			0, 0, 1, 1, 0, 1, 0,	8,	\
 		TSP_F | NOFF_F | OL3OL4CSUM_F)				\
-T(ts_noff_ol3ol4csum_l3l4csum,		0, 1, 1, 0, 1, 1,	8,	\
+T(ts_noff_ol3ol4csum_l3l4csum,		0, 0, 1, 1, 0, 1, 1,	8,	\
 		TSP_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(ts_noff_vlan,				0, 1, 1, 1, 0, 0,	8,	\
+T(ts_noff_vlan,				0, 0, 1, 1, 1, 0, 0,	8,	\
 		TSP_F | NOFF_F | VLAN_F)				\
-T(ts_noff_vlan_l3l4csum,		0, 1, 1, 1, 0, 1,	8,	\
+T(ts_noff_vlan_l3l4csum,		0, 0, 1, 1, 1, 0, 1,	8,	\
 		TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)			\
-T(ts_noff_vlan_ol3ol4csum,		0, 1, 1, 1, 1, 0,	8,	\
+T(ts_noff_vlan_ol3ol4csum,		0, 0, 1, 1, 1, 1, 0,	8,	\
 		TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)			\
-T(ts_noff_vlan_ol3ol4csum_l3l4csum,	0, 1, 1, 1, 1, 1,	8,	\
+T(ts_noff_vlan_ol3ol4csum_l3l4csum,	0, 0, 1, 1, 1, 1, 1,	8,	\
 		TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
 									\
-T(tso,					1, 0, 0, 0, 0, 0,	6,	\
+T(tso,					0, 1, 0, 0, 0, 0, 0,	6,	\
 		TSO_F)							\
-T(tso_l3l4csum,				1, 0, 0, 0, 0, 1,	6,	\
+T(tso_l3l4csum,				0, 1, 0, 0, 0, 0, 1,	6,	\
 		TSO_F | L3L4CSUM_F)					\
-T(tso_ol3ol4csum,			1, 0, 0, 0, 1, 0,	6,	\
+T(tso_ol3ol4csum,			0, 1, 0, 0, 0, 1, 0,	6,	\
 		TSO_F | OL3OL4CSUM_F)					\
-T(tso_ol3ol4csum_l3l4csum,		1, 0, 0, 0, 1, 1,	6,	\
+T(tso_ol3ol4csum_l3l4csum,		0, 1, 0, 0, 0, 1, 1,	6,	\
 		TSO_F | OL3OL4CSUM_F | L3L4CSUM_F)			\
-T(tso_vlan,				1, 0, 0, 1, 0, 0,	6,	\
+T(tso_vlan,				0, 1, 0, 0, 1, 0, 0,	6,	\
 		TSO_F | VLAN_F)						\
-T(tso_vlan_l3l4csum,			1, 0, 0, 1, 0, 1,	6,	\
+T(tso_vlan_l3l4csum,			0, 1, 0, 0, 1, 0, 1,	6,	\
 		TSO_F | VLAN_F | L3L4CSUM_F)				\
-T(tso_vlan_ol3ol4csum,			1, 0, 0, 1, 1, 0,	6,	\
+T(tso_vlan_ol3ol4csum,			0, 1, 0, 0, 1, 1, 0,	6,	\
 		TSO_F | VLAN_F | OL3OL4CSUM_F)				\
-T(tso_vlan_ol3ol4csum_l3l4csum,		1, 0, 0, 1, 1, 1,	6,	\
+T(tso_vlan_ol3ol4csum_l3l4csum,		0, 1, 0, 0, 1, 1, 1,	6,	\
 		TSO_F | VLAN_F | OL3OL4CSUM_F |	L3L4CSUM_F)		\
-T(tso_noff,				1, 0, 1, 0, 0, 0,	6,	\
+T(tso_noff,				0, 1, 0, 1, 0, 0, 0,	6,	\
 		TSO_F | NOFF_F)						\
-T(tso_noff_l3l4csum,			1, 0, 1, 0, 0, 1,	6,	\
+T(tso_noff_l3l4csum,			0, 1, 0, 1, 0, 0, 1,	6,	\
 		TSO_F | NOFF_F | L3L4CSUM_F)				\
-T(tso_noff_ol3ol4csum,			1, 0, 1, 0, 1, 0,	6,	\
+T(tso_noff_ol3ol4csum,			0, 1, 0, 1, 0, 1, 0,	6,	\
 		TSO_F | NOFF_F | OL3OL4CSUM_F)				\
-T(tso_noff_ol3ol4csum_l3l4csum,		1, 0, 1, 0, 1, 1,	6,	\
+T(tso_noff_ol3ol4csum_l3l4csum,		0, 1, 0, 1, 0, 1, 1,	6,	\
 		TSO_F | NOFF_F | OL3OL4CSUM_F |	L3L4CSUM_F)		\
-T(tso_noff_vlan,			1, 0, 1, 1, 0, 0,	6,	\
+T(tso_noff_vlan,			0, 1, 0, 1, 1, 0, 0,	6,	\
 		TSO_F | NOFF_F | VLAN_F)				\
-T(tso_noff_vlan_l3l4csum,		1, 0, 1, 1, 0, 1,	6,	\
+T(tso_noff_vlan_l3l4csum,		0, 1, 0, 1, 1, 0, 1,	6,	\
 		TSO_F | NOFF_F | VLAN_F | L3L4CSUM_F)			\
-T(tso_noff_vlan_ol3ol4csum,		1, 0, 1, 1, 1, 0,	6,	\
+T(tso_noff_vlan_ol3ol4csum,		0, 1, 0, 1, 1, 1, 0,	6,	\
 		TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)			\
-T(tso_noff_vlan_ol3ol4csum_l3l4csum,	1, 0, 1, 1, 1, 1,	6,	\
+T(tso_noff_vlan_ol3ol4csum_l3l4csum,	0, 1, 0, 1, 1, 1, 1,	6,	\
 		TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
-T(tso_ts,				1, 1, 0, 0, 0, 0,	8,	\
+T(tso_ts,				0, 1, 1, 0, 0, 0, 0,	8,	\
 		TSO_F | TSP_F)						\
-T(tso_ts_l3l4csum,			1, 1, 0, 0, 0, 1,	8,	\
+T(tso_ts_l3l4csum,			0, 1, 1, 0, 0, 0, 1,	8,	\
 		TSO_F | TSP_F | L3L4CSUM_F)				\
-T(tso_ts_ol3ol4csum,			1, 1, 0, 0, 1, 0,	8,	\
+T(tso_ts_ol3ol4csum,			0, 1, 1, 0, 0, 1, 0,	8,	\
 		TSO_F | TSP_F | OL3OL4CSUM_F)				\
-T(tso_ts_ol3ol4csum_l3l4csum,		1, 1, 0, 0, 1, 1,	8,	\
+T(tso_ts_ol3ol4csum_l3l4csum,		0, 1, 1, 0, 0, 1, 1,	8,	\
 		TSO_F | TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(tso_ts_vlan,				1, 1, 0, 1, 0, 0,	8,	\
+T(tso_ts_vlan,				0, 1, 1, 0, 1, 0, 0,	8,	\
 		TSO_F | TSP_F | VLAN_F)					\
-T(tso_ts_vlan_l3l4csum,			1, 1, 0, 1, 0, 1,	8,	\
+T(tso_ts_vlan_l3l4csum,			0, 1, 1, 0, 1, 0, 1,	8,	\
 		TSO_F | TSP_F | VLAN_F | L3L4CSUM_F)			\
-T(tso_ts_vlan_ol3ol4csum,		1, 1, 0, 1, 1, 0,	8,	\
+T(tso_ts_vlan_ol3ol4csum,		0, 1, 1, 0, 1, 1, 0,	8,	\
 		TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F)			\
-T(tso_ts_vlan_ol3ol4csum_l3l4csum,	1, 1, 0, 1, 1, 1,	8,	\
+T(tso_ts_vlan_ol3ol4csum_l3l4csum,	0, 1, 1, 0, 1, 1, 1,	8,	\
 		TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
-T(tso_ts_noff,				1, 1, 1, 0, 0, 0,	8,	\
+T(tso_ts_noff,				0, 1, 1, 1, 0, 0, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F)					\
-T(tso_ts_noff_l3l4csum,			1, 1, 1, 0, 0, 1,	8,	\
+T(tso_ts_noff_l3l4csum,			0, 1, 1, 1, 0, 0, 1,	8,	\
 		TSO_F | TSP_F | NOFF_F | L3L4CSUM_F)			\
-T(tso_ts_noff_ol3ol4csum,		1, 1, 1, 0, 1, 0,	8,	\
+T(tso_ts_noff_ol3ol4csum,		0, 1, 1, 1, 0, 1, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F)			\
-T(tso_ts_noff_ol3ol4csum_l3l4csum,	1, 1, 1, 0, 1, 1,	8,	\
+T(tso_ts_noff_ol3ol4csum_l3l4csum,	0, 1, 1, 1, 0, 1, 1,	8,	\
 		TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
-T(tso_ts_noff_vlan,			1, 1, 1, 1, 0, 0,	8,	\
+T(tso_ts_noff_vlan,			0, 1, 1, 1, 1, 0, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F | VLAN_F)			\
-T(tso_ts_noff_vlan_l3l4csum,		1, 1, 1, 1, 0, 1,	8,	\
+T(tso_ts_noff_vlan_l3l4csum,		0, 1, 1, 1, 1, 0, 1,	8,	\
 		TSO_F | TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)		\
-T(tso_ts_noff_vlan_ol3ol4csum,		1, 1, 1, 1, 1, 0,	8,	\
+T(tso_ts_noff_vlan_ol3ol4csum,		0, 1, 1, 1, 1, 1, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)		\
-T(tso_ts_noff_vlan_ol3ol4csum_l3l4csum,	1, 1, 1, 1, 1, 1,	8,	\
-		TSO_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)
+T(tso_ts_noff_vlan_ol3ol4csum_l3l4csum,	0, 1, 1, 1, 1, 1, 1,	8,	\
+		TSO_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec,					1, 0, 0, 0, 0, 0, 0,	8,	\
+		TX_SEC_F)						\
+T(sec_l3l4csum,				1, 0, 0, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | L3L4CSUM_F)					\
+T(sec_ol3ol4csum,			1, 0, 0, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | OL3OL4CSUM_F)				\
+T(sec_ol3ol4csum_l3l4csum,		1, 0, 0, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | OL3OL4CSUM_F | L3L4CSUM_F)			\
+T(sec_vlan,				1, 0, 0, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | VLAN_F)					\
+T(sec_vlan_l3l4csum,			1, 0, 0, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | VLAN_F | L3L4CSUM_F)				\
+T(sec_vlan_ol3ol4csum,			1, 0, 0, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | VLAN_F | OL3OL4CSUM_F)			\
+T(sec_vlan_ol3ol4csum_l3l4csum,		1, 0, 0, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_noff,				1, 0, 0, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | NOFF_F)					\
+T(sec_noff_l3l4csum,			1, 0, 0, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | NOFF_F | L3L4CSUM_F)				\
+T(sec_noff_ol3ol4csum,			1, 0, 0, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | NOFF_F | OL3OL4CSUM_F)			\
+T(sec_noff_ol3ol4csum_l3l4csum,		1, 0, 0, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_noff_vlan,			1, 0, 0, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F)				\
+T(sec_noff_vlan_l3l4csum,		1, 0, 0, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F | L3L4CSUM_F)		\
+T(sec_noff_vlan_ol3ol4csum,		1, 0, 0, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)		\
+T(sec_noff_vlan_ol3ol4csum_l3l4csum,	1, 0, 0, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_ts,				1, 0, 1, 0, 0, 0, 0,	8,	\
+		TX_SEC_F | TSP_F)					\
+T(sec_ts_l3l4csum,			1, 0, 1, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | L3L4CSUM_F)				\
+T(sec_ts_ol3ol4csum,			1, 0, 1, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | OL3OL4CSUM_F)			\
+T(sec_ts_ol3ol4csum_l3l4csum,		1, 0, 1, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_ts_vlan,				1, 0, 1, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F)				\
+T(sec_ts_vlan_l3l4csum,			1, 0, 1, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F | L3L4CSUM_F)			\
+T(sec_ts_vlan_ol3ol4csum,		1, 0, 1, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F | OL3OL4CSUM_F)		\
+T(sec_ts_vlan_ol3ol4csum_l3l4csum,	1, 0, 1, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_ts_noff,				1, 0, 1, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F)				\
+T(sec_ts_noff_l3l4csum,			1, 0, 1, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | L3L4CSUM_F)			\
+T(sec_ts_noff_ol3ol4csum,		1, 0, 1, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | OL3OL4CSUM_F)		\
+T(sec_ts_noff_ol3ol4csum_l3l4csum,	1, 0, 1, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_ts_noff_vlan,			1, 0, 1, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F)			\
+T(sec_ts_noff_vlan_l3l4csum,		1, 0, 1, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)	\
+T(sec_ts_noff_vlan_ol3ol4csum,		1, 0, 1, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)	\
+T(sec_ts_noff_vlan_ol3ol4csum_l3l4csum,	1, 0, 1, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso,				1, 1, 0, 0, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F)					\
+T(sec_tso_l3l4csum,			1, 1, 0, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | L3L4CSUM_F)				\
+T(sec_tso_ol3ol4csum,			1, 1, 0, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | OL3OL4CSUM_F)			\
+T(sec_tso_ol3ol4csum_l3l4csum,		1, 1, 0, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_tso_vlan,				1, 1, 0, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F)				\
+T(sec_tso_vlan_l3l4csum,		1, 1, 0, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F | L3L4CSUM_F)			\
+T(sec_tso_vlan_ol3ol4csum,		1, 1, 0, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F | OL3OL4CSUM_F)		\
+T(sec_tso_vlan_ol3ol4csum_l3l4csum,	1, 1, 0, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_tso_noff,				1, 1, 0, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F)				\
+T(sec_tso_noff_l3l4csum,		1, 1, 0, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | L3L4CSUM_F)			\
+T(sec_tso_noff_ol3ol4csum,		1, 1, 0, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | OL3OL4CSUM_F)		\
+T(sec_tso_noff_ol3ol4csum_l3l4csum,	1, 1, 0, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_tso_noff_vlan,			1, 1, 0, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F)			\
+T(sec_tso_noff_vlan_l3l4csum,		1, 1, 0, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F | L3L4CSUM_F)	\
+T(sec_tso_noff_vlan_ol3ol4csum,		1, 1, 0, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)	\
+T(sec_tso_noff_vlan_ol3ol4csum_l3l4csum,				\
+					1, 1, 0, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso_ts,				1, 1, 1, 0, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F)				\
+T(sec_tso_ts_l3l4csum,			1, 1, 1, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | L3L4CSUM_F)			\
+T(sec_tso_ts_ol3ol4csum,		1, 1, 1, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | OL3OL4CSUM_F)		\
+T(sec_tso_ts_ol3ol4csum_l3l4csum,	1, 1, 1, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_tso_ts_vlan,			1, 1, 1, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F)			\
+T(sec_tso_ts_vlan_l3l4csum,		1, 1, 1, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F | L3L4CSUM_F)		\
+T(sec_tso_ts_vlan_ol3ol4csum,		1, 1, 1, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F)	\
+T(sec_tso_ts_vlan_ol3ol4csum_l3l4csum,	1, 1, 1, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso_ts_noff,			1, 1, 1, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F)			\
+T(sec_tso_ts_noff_l3l4csum,		1, 1, 1, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | L3L4CSUM_F)		\
+T(sec_tso_ts_noff_ol3ol4csum,		1, 1, 1, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F)	\
+T(sec_tso_ts_noff_ol3ol4csum_l3l4csum,	1, 1, 1, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso_ts_noff_vlan,			1, 1, 1, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F)		\
+T(sec_tso_ts_noff_vlan_l3l4csum,	1, 1, 1, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)\
+T(sec_tso_ts_noff_vlan_ol3ol4csum,	1, 1, 1, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F |		\
+		OL3OL4CSUM_F)						\
+T(sec_tso_ts_noff_vlan_ol3ol4csum_l3l4csum,				\
+					1, 1, 1, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F |		\
+		OL3OL4CSUM_F | L3L4CSUM_F)
 #endif /* __OTX2_TX_H__ */
-- 
2.7.4



* [dpdk-dev] [PATCH v2 14/15] crypto/octeontx2: add inline tx path changes
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
                     ` (12 preceding siblings ...)
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 13/15] drivers/octeontx2: add sec in compiler optimized TX " Anoob Joseph
@ 2020-01-18 10:49   ` Anoob Joseph
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 15/15] crypto/octeontx2: sync inline tag type cfg with Rx adapter configuration Anoob Joseph
                     ` (2 subsequent siblings)
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:49 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

From: Ankur Dwivedi <adwivedi@marvell.com>

Adding pre-processing required for inline IPsec outbound packets.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/otx2_security.c    |  82 +++++++++++++
 drivers/crypto/octeontx2/otx2_security.h    |  60 ++++++++++
 drivers/crypto/octeontx2/otx2_security_tx.h | 175 ++++++++++++++++++++++++++++
 drivers/event/octeontx2/meson.build         |   3 +-
 drivers/event/octeontx2/otx2_worker.h       |   6 +
 5 files changed, 325 insertions(+), 1 deletion(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_security_tx.h

diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index ab488a0..9a08849 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -3,12 +3,15 @@
  */
 
 #include <rte_cryptodev.h>
+#include <rte_esp.h>
 #include <rte_ethdev.h>
 #include <rte_eventdev.h>
+#include <rte_ip.h>
 #include <rte_malloc.h>
 #include <rte_memzone.h>
 #include <rte_security.h>
 #include <rte_security_driver.h>
+#include <rte_udp.h>
 
 #include "otx2_common.h"
 #include "otx2_cryptodev_qp.h"
@@ -18,6 +21,15 @@
 
 #define SEC_ETH_MAX_PKT_LEN	1450
 
+#define AH_HDR_LEN	12
+#define AES_GCM_IV_LEN	8
+#define AES_GCM_MAC_LEN	16
+#define AES_CBC_IV_LEN	16
+#define SHA1_HMAC_LEN	12
+
+#define AES_GCM_ROUNDUP_BYTE_LEN	4
+#define AES_CBC_ROUNDUP_BYTE_LEN	16
+
 struct sec_eth_tag_const {
 	RTE_STD_C11
 	union {
@@ -239,6 +251,60 @@ in_sa_get(uint16_t port, int sa_index)
 }
 
 static int
+ipsec_sa_const_set(struct rte_security_ipsec_xform *ipsec,
+		   struct rte_crypto_sym_xform *xform,
+		   struct otx2_sec_session_ipsec_ip *sess)
+{
+	struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
+
+	sess->partial_len = sizeof(struct rte_ipv4_hdr);
+
+	if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) {
+		sess->partial_len += sizeof(struct rte_esp_hdr);
+		sess->roundup_len = sizeof(struct rte_esp_tail);
+	} else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) {
+		sess->partial_len += AH_HDR_LEN;
+	} else {
+		return -EINVAL;
+	}
+
+	if (ipsec->options.udp_encap)
+		sess->partial_len += sizeof(struct rte_udp_hdr);
+
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+			sess->partial_len += AES_GCM_IV_LEN;
+			sess->partial_len += AES_GCM_MAC_LEN;
+			sess->roundup_byte = AES_GCM_ROUNDUP_BYTE_LEN;
+		}
+		return 0;
+	}
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		cipher_xform = xform;
+		auth_xform = xform->next;
+	} else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		auth_xform = xform;
+		cipher_xform = xform->next;
+	} else {
+		return -EINVAL;
+	}
+	if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		sess->partial_len += AES_CBC_IV_LEN;
+		sess->roundup_byte = AES_CBC_ROUNDUP_BYTE_LEN;
+	} else {
+		return -EINVAL;
+	}
+
+	if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+		sess->partial_len += SHA1_HMAC_LEN;
+	else
+		return -EINVAL;
+
+	return 0;
+}
+
+static int
 sec_eth_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 			      struct rte_security_ipsec_xform *ipsec,
 			      struct rte_crypto_sym_xform *crypto_xform,
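Review bot: In ipsec_sa_const_set(), the AEAD branch returns 0 for any aead.algo, so an AEAD transform other than RTE_CRYPTO_AEAD_AES_GCM is accepted with roundup_byte and the IV/MAC lengths never set, while the cipher and auth branches reject unsupported algorithms with -EINVAL. Return -EINVAL from the AEAD branch when the algorithm is not AES-GCM. In the non-AEAD path, xform->next is assigned to auth_xform or cipher_xform and then dereferenced without a NULL check or a check of its type, so a chain with a single transform is read through a NULL pointer; validate both transforms before reading .cipher.algo and .auth.algo. partial_len always starts from sizeof(struct rte_ipv4_hdr); add a comment or a tunnel-type check if IPv6 outer headers are not supported.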
@@ -252,6 +318,7 @@ sec_eth_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 	struct otx2_ipsec_fp_sa_ctl *ctl;
 	struct otx2_ipsec_fp_out_sa *sa;
 	struct otx2_sec_session *priv;
+	struct otx2_cpt_inst_s inst;
 	struct otx2_cpt_qp *qp;
 
 	priv = get_sec_session_private_data(sec_sess);
@@ -266,6 +333,12 @@ sec_eth_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 
 	memset(sess, 0, sizeof(struct otx2_sec_session_ipsec_ip));
 
+	sess->seq = 1;
+
+	ret = ipsec_sa_const_set(ipsec, crypto_xform, sess);
+	if (ret < 0)
+		return ret;
+
 	memcpy(sa->nonce, &ipsec->salt, 4);
 
 	if (ipsec->options.udp_encap == 1) {
@@ -274,6 +347,9 @@ sec_eth_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 	}
 
 	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		/* Start ip id from 1 */
+		sess->ip_id = 1;
+
 		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
 			memcpy(&sa->ip_src, &ipsec->tunnel.ipv4.src_ip,
 			       sizeof(struct in_addr));
@@ -307,6 +383,12 @@ sec_eth_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 	else
 		return -EINVAL;
 
+	/* Determine word 7 of CPT instruction */
+	inst.u64[7] = 0;
+	inst.egrp = OTX2_CPT_EGRP_INLINE_IPSEC;
+	inst.cptr = rte_mempool_virt2iova(sa);
+	sess->inst_w7 = inst.u64[7];
+
 	/* Use OPAD & IPAD */
 	RTE_SET_USED(auth_key);
 	RTE_SET_USED(auth_key_len);
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index 6ec321d..fe7c883 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -14,6 +14,15 @@
 #define OTX2_MAX_CPT_QP_PER_PORT 64
 #define OTX2_MAX_INLINE_PORTS 64
 
+#define OTX2_CPT_RES_ALIGN		16
+#define OTX2_NIX_SEND_DESC_ALIGN	16
+#define OTX2_CPT_INST_SIZE		64
+
+#define OTX2_CPT_EGRP_INLINE_IPSEC	1
+
+#define OTX2_CPT_OP_INLINE_IPSEC_OUTB	(0x40 | 0x25)
+#define OTX2_CPT_OP_INLINE_IPSEC_INB	(0x40 | 0x26)
+
 struct otx2_cpt_qp;
 
 struct otx2_sec_eth_cfg {
@@ -45,6 +54,42 @@ struct otx2_cpt_res {
 	};
 };
 
+struct otx2_cpt_inst_s {
+	union {
+		struct {
+			/* W0 */
+			uint64_t nixtxl : 3;
+			uint64_t doneint : 1;
+			uint64_t nixtx_addr : 60;
+			/* W1 */
+			uint64_t res_addr : 64;
+			/* W2 */
+			uint64_t tag : 32;
+			uint64_t tt : 2;
+			uint64_t grp : 10;
+			uint64_t rsvd_175_172 : 4;
+			uint64_t rvu_pf_func : 16;
+			/* W3 */
+			uint64_t qord : 1;
+			uint64_t rsvd_194_193 : 2;
+			uint64_t wqe_ptr : 61;
+			/* W4 */
+			uint64_t dlen : 16;
+			uint64_t param2 : 16;
+			uint64_t param1 : 16;
+			uint64_t opcode : 16;
+			/* W5 */
+			uint64_t dptr : 64;
+			/* W6 */
+			uint64_t rptr : 64;
+			/* W7 */
+			uint64_t cptr : 61;
+			uint64_t egrp : 3;
+		};
+		uint64_t u64[8];
+	};
+};
+
 /*
  * Security session for inline IPsec protocol offload. This is private data of
  * inline capable PMD.
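Review bot: struct otx2_cpt_inst_s describes the hardware instruction words through C bit-fields, whose allocation order is implementation-defined, so the W0..W7 comments only hold if the compiler fills each uint64_t from the least significant bit. State that assumption in a comment above the struct and add a build-time check that sizeof(struct otx2_cpt_inst_s) equals OTX2_CPT_INST_SIZE, so a layout change fails at compile time instead of producing a malformed instruction.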
@@ -68,6 +113,21 @@ struct otx2_sec_session_ipsec_ip {
 	/* CPT LF enqueue register address */
 	rte_iova_t cpt_nq_reg;
 
+	/* Pre calculated lengths and data for a session */
+	uint8_t partial_len;
+	uint8_t roundup_len;
+	uint8_t roundup_byte;
+	uint16_t ip_id;
+	union {
+		uint64_t esn;
+		struct {
+			uint32_t seq;
+			uint32_t esn_hi;
+		};
+	};
+
+	uint64_t inst_w7;
+
 	/* CPT QP used by SA */
 	struct otx2_cpt_qp *qp;
 };
diff --git a/drivers/crypto/octeontx2/otx2_security_tx.h b/drivers/crypto/octeontx2/otx2_security_tx.h
new file mode 100644
index 0000000..16b8c66
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_security_tx.h
@@ -0,0 +1,175 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2020 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_SECURITY_TX_H__
+#define __OTX2_SECURITY_TX_H__
+
+#include <rte_security.h>
+#include <rte_mbuf.h>
+
+#include "otx2_security.h"
+
+struct otx2_ipsec_fp_out_hdr {
+	uint32_t ip_id;
+	uint32_t seq;
+	uint8_t iv[16];
+};
+
+static __rte_always_inline int32_t
+otx2_ipsec_fp_out_rlen_get(struct otx2_sec_session_ipsec_ip *sess,
+			   uint32_t plen)
+{
+	uint32_t enc_payload_len;
+
+	enc_payload_len = RTE_ALIGN_CEIL(plen + sess->roundup_len,
+			sess->roundup_byte);
+
+	return sess->partial_len + enc_payload_len;
+}
+
+static __rte_always_inline void
+otx2_ssogws_head_wait(struct otx2_ssogws *ws);
+
+static __rte_always_inline int
+otx2_sec_event_tx(struct otx2_ssogws *ws, struct rte_event *ev,
+		  struct rte_mbuf *m, const struct otx2_eth_txq *txq,
+		  const uint32_t offload_flags)
+{
+	uint32_t dlen, rlen, desc_headroom, extend_head, extend_tail;
+	struct otx2_sec_session_ipsec_ip *sess;
+	struct otx2_ipsec_fp_out_hdr *hdr;
+	struct otx2_ipsec_fp_out_sa *sa;
+	uint64_t data_addr, desc_addr;
+	struct otx2_sec_session *priv;
+	struct otx2_cpt_inst_s inst;
+	uint64_t lmt_status;
+	char *data;
+
+	struct desc {
+		struct otx2_cpt_res cpt_res __rte_aligned(OTX2_CPT_RES_ALIGN);
+		struct nix_send_hdr_s nix_hdr
+				__rte_aligned(OTX2_NIX_SEND_DESC_ALIGN);
+		union nix_send_sg_s nix_sg;
+		struct nix_iova_s nix_iova;
+	} *sd;
+
+	priv = get_sec_session_private_data((void *)(m->udata64));
+	sess = &priv->ipsec.ip;
+	sa = &sess->out_sa;
+
+	RTE_ASSERT(sess->cpt_lmtline != NULL);
+	RTE_ASSERT(!(offload_flags & (NIX_TX_OFFLOAD_MBUF_NOFF_F |
+				      NIX_TX_OFFLOAD_VLAN_QINQ)));
+
+	dlen = rte_pktmbuf_pkt_len(m) + sizeof(*hdr) - RTE_ETHER_HDR_LEN;
+	rlen = otx2_ipsec_fp_out_rlen_get(sess, dlen - sizeof(*hdr));
+
+	RTE_BUILD_BUG_ON(OTX2_CPT_RES_ALIGN % OTX2_NIX_SEND_DESC_ALIGN);
+	RTE_BUILD_BUG_ON(sizeof(sd->cpt_res) % OTX2_NIX_SEND_DESC_ALIGN);
+
+	extend_head = sizeof(*hdr);
+	extend_tail = rlen - dlen;
+
+	desc_headroom = (OTX2_CPT_RES_ALIGN - 1) + sizeof(*sd);
+
+	if (unlikely(!rte_pktmbuf_is_contiguous(m)) ||
+	    unlikely(rte_pktmbuf_headroom(m) < extend_head + desc_headroom) ||
+	    unlikely(rte_pktmbuf_tailroom(m) < extend_tail)) {
+		goto drop;
+	}
+
+	/*
+	 * Extend mbuf data to point to the expected packet buffer for NIX.
+	 * This includes the Ethernet header followed by the encrypted IPsec
+	 * payload
+	 */
+	rte_pktmbuf_append(m, extend_tail);
+	data = rte_pktmbuf_prepend(m, extend_head);
+	data_addr = rte_pktmbuf_mtophys(m);
+
+	/*
+	 * Move the Ethernet header, to insert otx2_ipsec_fp_out_hdr prior
+	 * to the IP header
+	 */
+	memcpy(data, data + sizeof(*hdr), RTE_ETHER_HDR_LEN);
+
+	hdr = (struct otx2_ipsec_fp_out_hdr *)(data + RTE_ETHER_HDR_LEN);
+
+	memcpy(hdr->iv, &sa->nonce, 4);
+	memset(hdr->iv + 4, 0, 12); //TODO: make it random
+
+	/* Keep CPT result and NIX send descriptors in headroom */
+	sd = (void *)RTE_PTR_ALIGN(data - desc_headroom, OTX2_CPT_RES_ALIGN);
+	desc_addr = data_addr - RTE_PTR_DIFF(data, sd);
+
+	/* Prepare CPT instruction */
+
+	inst.nixtx_addr = (desc_addr + offsetof(struct desc, nix_hdr)) >> 4;
+	inst.doneint = 0;
+	inst.nixtxl = 1;
+	inst.res_addr = desc_addr + offsetof(struct desc, cpt_res);
+	inst.u64[2] = 0;
+	inst.u64[3] = 0;
+	inst.wqe_ptr = desc_addr >> 3;	/* FIXME: Handle errors */
+	inst.qord = 1;
+	inst.opcode = OTX2_CPT_OP_INLINE_IPSEC_OUTB;
+	inst.dlen = dlen;
+	inst.dptr = data_addr + RTE_ETHER_HDR_LEN;
+	inst.u64[7] = sess->inst_w7;
+
+	/* First word contains 8 bit completion code & 8 bit uc comp code */
+	sd->cpt_res.u16[0] = 0;
+
+	/* Prepare NIX send descriptors for output expected from CPT */
+
+	sd->nix_hdr.w0.u = 0;
+	sd->nix_hdr.w1.u = 0;
+	sd->nix_hdr.w0.sq = txq->sq;
+	sd->nix_hdr.w0.sizem1 = 1;
+	sd->nix_hdr.w0.total = rte_pktmbuf_data_len(m);
+	sd->nix_hdr.w0.aura = npa_lf_aura_handle_to_aura(m->pool->pool_id);
+
+	sd->nix_sg.u = 0;
+	sd->nix_sg.subdc = NIX_SUBDC_SG;
+	sd->nix_sg.ld_type = NIX_SENDLDTYPE_LDD;
+	sd->nix_sg.segs = 1;
+	sd->nix_sg.seg1_size = rte_pktmbuf_data_len(m);
+
+	sd->nix_iova.addr = rte_mbuf_data_iova(m);
+
+	/* Mark mempool object as "put" since it is freed by NIX */
+	__mempool_check_cookies(m->pool, (void **)&m, 1, 0);
+
+	if (!ev->sched_type)
+		otx2_ssogws_head_wait(ws);
+
+	inst.param1 = sess->esn_hi >> 16;
+	inst.param2 = sess->esn_hi & 0xffff;
+
+	hdr->seq = rte_cpu_to_be_32(sess->seq);
+	hdr->ip_id = rte_cpu_to_be_32(sess->ip_id);
+
+	sess->ip_id++;
+	sess->esn++;
+
+	rte_cio_wmb();
+
+	do {
+		otx2_lmt_mov(sess->cpt_lmtline, &inst, 2);
+		lmt_status = otx2_lmt_submit(sess->cpt_nq_reg);
+	} while (lmt_status == 0);
+
+	return 1;
+
+drop:
+	if (offload_flags & NIX_TX_OFFLOAD_MBUF_NOFF_F) {
+		/* Don't free if reference count > 1 */
+		if (rte_pktmbuf_prefree_seg(m) == NULL)
+			return 0;
+	}
+	rte_pktmbuf_free(m);
+	return 0;
+}
+
+#endif /* __OTX2_SECURITY_TX_H__ */
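Review bot: In otx2_sec_event_tx(), the per-packet IV is the SA salt followed by twelve zero bytes (memset(hdr->iv + 4, 0, 12); //TODO: make it random), so every packet sent on the SA carries the same IV. AES-GCM needs an IV that is unique per packet under a key and AES-CBC needs an unpredictable one, so this TODO has to be resolved before merge, or a comment must state that the CPT microcode replaces this field. inst is an uninitialised stack variable and inst.rptr (W6) is never written before otx2_lmt_mov() copies the instruction; zero the struct or set u64[6] explicitly. sess->ip_id++ and sess->esn++ are plain increments, so document that a session has a single transmitting core or make the update atomic, otherwise two cores can emit the same sequence number. The /* FIXME: Handle errors */ on inst.wqe_ptr should also be resolved or tracked, since the CPT result word written to sd->cpt_res is never checked in this function.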
diff --git a/drivers/event/octeontx2/meson.build b/drivers/event/octeontx2/meson.build
index 56febb8..be4b47a 100644
--- a/drivers/event/octeontx2/meson.build
+++ b/drivers/event/octeontx2/meson.build
@@ -31,6 +31,7 @@ foreach flag: extra_flags
 	endif
 endforeach
 
-deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2', 'pmd_octeontx2']
+deps += ['bus_pci', 'common_octeontx2', 'cryptodev', 'mempool_octeontx2', 'pmd_octeontx2',
+         'security']
 
 includes += include_directories('../../crypto/octeontx2')
diff --git a/drivers/event/octeontx2/otx2_worker.h b/drivers/event/octeontx2/otx2_worker.h
index 7d161c8..c5ea4dd 100644
--- a/drivers/event/octeontx2/otx2_worker.h
+++ b/drivers/event/octeontx2/otx2_worker.h
@@ -10,6 +10,7 @@
 
 #include <otx2_common.h>
 #include "otx2_evdev.h"
+#include "otx2_security_tx.h"
 
 /* SSO Operations */
 
@@ -281,6 +282,11 @@ otx2_ssogws_event_tx(struct otx2_ssogws *ws, struct rte_event ev[],
 	const struct otx2_eth_txq *txq = otx2_ssogws_xtract_meta(m);
 
 	rte_prefetch_non_temporal(txq);
+
+	if ((flags & NIX_TX_OFFLOAD_SECURITY_F) &&
+	    (m->ol_flags & PKT_TX_SEC_OFFLOAD))
+		return otx2_sec_event_tx(ws, ev, m, txq, flags);
+
 	/* Perform header writes before barrier for TSO */
 	otx2_nix_xmit_prepare_tso(m, flags);
 	otx2_ssogws_order(ws, !ev->sched_type);
-- 
2.7.4



* [dpdk-dev] [PATCH v2 15/15] crypto/octeontx2: sync inline tag type cfg with Rx adapter configuration
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
                     ` (13 preceding siblings ...)
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 14/15] crypto/octeontx2: add inline tx path changes Anoob Joseph
@ 2020-01-18 10:49   ` Anoob Joseph
  2020-01-18 14:38   ` [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support Jerin Jacob
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
  16 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-18 10:49 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Vamsi Attunuru, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Lukasz Bartosik, dev

From: Vamsi Attunuru <vattunuru@marvell.com>

Tag type configuration for the inline processed packets is set during
ethdev configuration; it might conflict with tag type configuration
done during Rx adapter configuration, which would be set up later.

This conflict is fixed as part of flow rule creation by updating
tag type config of inline same as Rx adapter configured tag type.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/common/octeontx2/otx2_common.h    |  2 ++
 drivers/crypto/octeontx2/otx2_cryptodev.c |  2 ++
 drivers/crypto/octeontx2/otx2_security.c  | 28 ++++++++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_security.h  |  2 ++
 drivers/net/octeontx2/otx2_flow.c         | 26 ++++++++++++++++++++++++++
 5 files changed, 60 insertions(+)

diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h
index 88b4b63..01d3a35 100644
--- a/drivers/common/octeontx2/otx2_common.h
+++ b/drivers/common/octeontx2/otx2_common.h
@@ -81,12 +81,14 @@ typedef int (*otx2_sec_eth_ctx_create_t)(struct rte_eth_dev *eth_dev);
 typedef void (*otx2_sec_eth_ctx_destroy_t)(struct rte_eth_dev *eth_dev);
 typedef int (*otx2_sec_eth_init_t)(struct rte_eth_dev *eth_dev);
 typedef void (*otx2_sec_eth_fini_t)(struct rte_eth_dev *eth_dev);
+typedef int (*otx2_sec_eth_update_tag_type_t)(struct rte_eth_dev *eth_dev);
 
 struct otx2_sec_eth_crypto_idev_ops {
 	otx2_sec_eth_ctx_create_t ctx_create;
 	otx2_sec_eth_ctx_destroy_t ctx_destroy;
 	otx2_sec_eth_init_t init;
 	otx2_sec_eth_fini_t fini;
+	otx2_sec_eth_update_tag_type_t update_tag_type;
 };
 
 extern struct otx2_sec_eth_crypto_idev_ops otx2_sec_idev_ops;
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev.c b/drivers/crypto/octeontx2/otx2_cryptodev.c
index 34feb82..b944a51 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev.c
@@ -160,4 +160,6 @@ RTE_INIT(otx2_cpt_init_log)
 	otx2_sec_idev_ops.ctx_destroy = otx2_sec_eth_ctx_destroy;
 	otx2_sec_idev_ops.init = otx2_sec_eth_init;
 	otx2_sec_idev_ops.fini = otx2_sec_eth_fini;
+	otx2_sec_idev_ops.update_tag_type = otx2_sec_eth_update_tag_type;
+
 }
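Review bot: The new update_tag_type assignment is followed by an added empty line directly before the closing brace of RTE_INIT(otx2_cpt_init_log); drop the blank line.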
diff --git a/drivers/crypto/octeontx2/otx2_security.c b/drivers/crypto/octeontx2/otx2_security.c
index 9a08849..37b9e54 100644
--- a/drivers/crypto/octeontx2/otx2_security.c
+++ b/drivers/crypto/octeontx2/otx2_security.c
@@ -710,6 +710,34 @@ sec_eth_ipsec_cfg(struct rte_eth_dev *eth_dev, uint8_t tt)
 }
 
 int
+otx2_sec_eth_update_tag_type(struct rte_eth_dev *eth_dev)
+{
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	struct otx2_mbox *mbox = dev->mbox;
+	struct nix_aq_enq_rsp *rsp;
+	struct nix_aq_enq_req *aq;
+	int ret;
+
+	aq = otx2_mbox_alloc_msg_nix_aq_enq(mbox);
+	aq->qidx = 0; /* Read RQ:0 context */
+	aq->ctype = NIX_AQ_CTYPE_RQ;
+	aq->op = NIX_AQ_INSTOP_READ;
+
+	ret = otx2_mbox_process_msg(mbox, (void *)&rsp);
+	if (ret < 0) {
+		otx2_err("Could not read RQ context");
+		return ret;
+	}
+
+	/* Update tag type */
+	ret = sec_eth_ipsec_cfg(eth_dev, rsp->rq.sso_tt);
+	if (ret < 0)
+		otx2_err("Could not update sec eth tag type");
+
+	return ret;
+}
+
+int
 otx2_sec_eth_init(struct rte_eth_dev *eth_dev)
 {
 	const size_t sa_width = sizeof(struct otx2_ipsec_fp_in_sa);
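Review bot: otx2_sec_eth_update_tag_type() writes aq->qidx straight after otx2_mbox_alloc_msg_nix_aq_enq() with no check of the returned pointer; if that allocation can fail, return an error before touching aq. The function also reads only RQ 0 (aq->qidx = 0; /* Read RQ:0 context */) and applies that queue's sso_tt to the whole inline configuration, so add a comment saying why RQ 0 is representative of every queue bound to the Rx adapter, or take the queue from the flow rule. A short function comment stating that this must run after Rx adapter setup would make the ordering requirement from the commit message visible in the code.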
diff --git a/drivers/crypto/octeontx2/otx2_security.h b/drivers/crypto/octeontx2/otx2_security.h
index fe7c883..3615273 100644
--- a/drivers/crypto/octeontx2/otx2_security.h
+++ b/drivers/crypto/octeontx2/otx2_security.h
@@ -146,6 +146,8 @@ int otx2_sec_eth_ctx_create(struct rte_eth_dev *eth_dev);
 
 void otx2_sec_eth_ctx_destroy(struct rte_eth_dev *eth_dev);
 
+int otx2_sec_eth_update_tag_type(struct rte_eth_dev *eth_dev);
+
 int otx2_sec_eth_init(struct rte_eth_dev *eth_dev);
 
 void otx2_sec_eth_fini(struct rte_eth_dev *eth_dev);
diff --git a/drivers/net/octeontx2/otx2_flow.c b/drivers/net/octeontx2/otx2_flow.c
index f1fb9f9..dea5337 100644
--- a/drivers/net/octeontx2/otx2_flow.c
+++ b/drivers/net/octeontx2/otx2_flow.c
@@ -299,6 +299,22 @@ flow_free_rss_action(struct rte_eth_dev *eth_dev,
 	return 0;
 }
 
+static int
+flow_update_sec_tt(struct rte_eth_dev *eth_dev,
+		   const struct rte_flow_action actions[])
+{
+	int rc = 0;
+
+	for (; actions->type != RTE_FLOW_ACTION_TYPE_END; actions++) {
+		if (actions->type == RTE_FLOW_ACTION_TYPE_SECURITY) {
+			if (otx2_sec_idev_ops.update_tag_type != NULL)
+				rc = otx2_sec_idev_ops.update_tag_type(eth_dev);
+			break;
+		}
+	}
+
+	return rc;
+}
 
 static int
 flow_parse_meta_items(__rte_unused struct otx2_parse_state *pst)
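Review bot: flow_update_sec_tt() returns 0 when a RTE_FLOW_ACTION_TYPE_SECURITY action is present but otx2_sec_idev_ops.update_tag_type is NULL, so the rule is created without the tag type being synchronised and the caller cannot tell. Return an error such as -ENOTSUP in that case, or add a comment explaining why skipping the update is safe.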
@@ -491,6 +507,16 @@ otx2_flow_create(struct rte_eth_dev *dev,
 		goto err_exit;
 	}
 
+	if (hw->rx_offloads & DEV_RX_OFFLOAD_SECURITY) {
+		rc = flow_update_sec_tt(dev, actions);
+		if (rc != 0) {
+			rte_flow_error_set(error, EIO,
+					   RTE_FLOW_ERROR_TYPE_UNSPECIFIED,
+					   NULL,
+					   "Failed to update tt with sec act");
+			goto err_exit;
+		}
+	}
 
 	list = &hw->npc_flow.flow_list[flow->priority];
 	/* List in ascending order of mcam entries */
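Review bot: In otx2_flow_create(), the value returned by flow_update_sec_tt() is discarded and the failure is always reported as EIO with RTE_FLOW_ERROR_TYPE_UNSPECIFIED; pass -rc to rte_flow_error_set() and use RTE_FLOW_ERROR_TYPE_ACTION so the caller sees the underlying error and which part of the rule failed. The update also runs for every rule that carries a security action, which means a mailbox read of the RQ context per flow; consider skipping it once the tag type has been synchronised.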
-- 
2.7.4



* Re: [dpdk-dev] [PATCH v2 01/15] common/octeontx2: add CPT LF mbox for inline inbound
  2020-01-18 10:48   ` [dpdk-dev] [PATCH v2 01/15] common/octeontx2: add CPT LF mbox for inline inbound Anoob Joseph
@ 2020-01-18 14:34     ` Jerin Jacob
  0 siblings, 0 replies; 111+ messages in thread
From: Jerin Jacob @ 2020-01-18 14:34 UTC (permalink / raw)
  To: Anoob Joseph
  Cc: Akhil Goyal, Declan Doherty, Thomas Monjalon, Jerin Jacob,
	Narayana Prasad, Kiran Kumar K, Nithin Dabilpuram,
	Pavan Nikhilesh, Ankur Dwivedi, Archana Muniganti,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dpdk-dev,
	Tejasree Kondoj

On Sat, Jan 18, 2020 at 4:19 PM Anoob Joseph <anoobj@marvell.com> wrote:
>
> Adding the new mbox introduced to configure CPT LF to be used for inline
> inbound.
>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Tejasree Kondoj <kondoj.tejasree@cavium.com>

Acked-by: Jerin Jacob <jerinj@marvell.com>



> ---
>  drivers/common/octeontx2/otx2_mbox.h | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/drivers/common/octeontx2/otx2_mbox.h b/drivers/common/octeontx2/otx2_mbox.h
> index e0e4e2f..70452d1 100644
> --- a/drivers/common/octeontx2/otx2_mbox.h
> +++ b/drivers/common/octeontx2/otx2_mbox.h
> @@ -193,6 +193,8 @@ M(CPT_SET_CRYPTO_GRP,       0xA03, cpt_set_crypto_grp,                      \
>                                msg_rsp)                                 \
>  M(CPT_INLINE_IPSEC_CFG, 0xA04, cpt_inline_ipsec_cfg,                   \
>                                cpt_inline_ipsec_cfg_msg, msg_rsp)       \
> +M(CPT_RX_INLINE_LF_CFG, 0xBFE, cpt_rx_inline_lf_cfg,                   \
> +                              cpt_rx_inline_lf_cfg_msg, msg_rsp)       \
>  /* NPC mbox IDs (range 0x6000 - 0x7FFF) */                             \
>  M(NPC_MCAM_ALLOC_ENTRY,        0x6000, npc_mcam_alloc_entry,                   \
>                                 npc_mcam_alloc_entry_req,               \
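Review bot: CPT_RX_INLINE_LF_CFG is given ID 0xBFE while the CPT messages just above it run 0xA03, 0xA04; add a comment next to the entry saying where 0xBFE comes from, so that a later addition to the CPT block does not renumber it or collide with it.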
> @@ -1202,6 +1204,11 @@ struct cpt_inline_ipsec_cfg_msg {
>         uint16_t __otx2_io nix_pf_func; /* Outbound path NIX_PF_FUNC */
>  };
>
> +struct cpt_rx_inline_lf_cfg_msg {
> +       struct mbox_msghdr hdr;
> +       uint16_t __otx2_io sso_pf_func;
> +};
> +
>  /* NPC mbox message structs */
>
>  #define NPC_MCAM_ENTRY_INVALID 0xFFFF
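Review bot: struct cpt_rx_inline_lf_cfg_msg adds sso_pf_func with no comment, whereas nix_pf_func in the struct directly above is annotated (/* Outbound path NIX_PF_FUNC */); add a matching comment stating which SSO PF_FUNC the inbound path expects here.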
> --
> 2.7.4
>


* Re: [dpdk-dev] [PATCH v2 02/15] common/octeontx2: add routine to check if sec capable otx2
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 02/15] common/octeontx2: add routine to check if sec capable otx2 Anoob Joseph
@ 2020-01-18 14:35     ` Jerin Jacob
  2020-01-27  7:01     ` Akhil Goyal
  1 sibling, 0 replies; 111+ messages in thread
From: Jerin Jacob @ 2020-01-18 14:35 UTC (permalink / raw)
  To: Anoob Joseph
  Cc: Akhil Goyal, Declan Doherty, Thomas Monjalon, Vamsi Attunuru,
	Jerin Jacob, Narayana Prasad, Kiran Kumar K, Nithin Dabilpuram,
	Pavan Nikhilesh, Ankur Dwivedi, Archana Muniganti,
	Tejasree Kondoj, Lukasz Bartosik, dpdk-dev

On Sat, Jan 18, 2020 at 4:19 PM Anoob Joseph <anoobj@marvell.com> wrote:
>
> From: Vamsi Attunuru <vattunuru@marvell.com>
>
> This routine returns true if given rte_eth_dev is security offload
> capable and belongs to octeontx2.
>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>

Acked-by: Jerin Jacob <jerinj@marvell.com>


> ---
>  drivers/common/octeontx2/otx2_common.c               | 20 ++++++++++++++++++++
>  drivers/common/octeontx2/otx2_common.h               |  2 ++
>  .../octeontx2/rte_common_octeontx2_version.map       |  1 +
>  3 files changed, 23 insertions(+)
>
> diff --git a/drivers/common/octeontx2/otx2_common.c b/drivers/common/octeontx2/otx2_common.c
> index 7e45366..2f9b167 100644
> --- a/drivers/common/octeontx2/otx2_common.c
> +++ b/drivers/common/octeontx2/otx2_common.c
> @@ -3,6 +3,7 @@
>   */
>
>  #include <rte_atomic.h>
> +#include <rte_ethdev.h>
>  #include <rte_malloc.h>
>  #include <rte_log.h>
>
> @@ -23,6 +24,25 @@ otx2_npa_set_defaults(struct otx2_idev_cfg *idev)
>
>  /**
>   * @internal
> + * Check if rte_eth_dev is security offload capable otx2_eth_dev
> + */
> +uint8_t
> +otx2_ethdev_is_sec_capable(struct rte_eth_dev *eth_dev)
> +{
> +       struct rte_pci_device *pci_dev;
> +
> +       pci_dev = RTE_ETH_DEV_TO_PCI(eth_dev);
> +
> +       if (pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_PF ||
> +           pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_VF ||
> +           pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_AF_VF)
> +               return 1;
> +
> +       return 0;
> +}
> +
> +/**
> + * @internal
>   * Get intra device config structure.
>   */
>  struct otx2_idev_cfg *
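Review bot: otx2_ethdev_is_sec_capable() applies RTE_ETH_DEV_TO_PCI() to whatever rte_eth_dev it is given and then reads pci_dev->id.device_id, but the routine exists to decide whether the device belongs to octeontx2 at all, so it will be called on ports that may not sit on the PCI bus, where the cast yields a pointer to the wrong object. Check the bus or driver of eth_dev->device before the cast, and compare id.vendor_id as well as device_id, since the three device IDs alone do not identify the vendor.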
> diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h
> index f62c45d..db0cde1 100644
> --- a/drivers/common/octeontx2/otx2_common.h
> +++ b/drivers/common/octeontx2/otx2_common.h
> @@ -8,6 +8,7 @@
>  #include <rte_atomic.h>
>  #include <rte_common.h>
>  #include <rte_cycles.h>
> +#include <rte_ethdev.h>
>  #include <rte_memory.h>
>  #include <rte_memzone.h>
>  #include <rte_io.h>
> @@ -70,6 +71,7 @@ struct otx2_idev_cfg *otx2_intra_dev_get_cfg(void);
>  void otx2_sso_pf_func_set(uint16_t sso_pf_func);
>  uint16_t otx2_sso_pf_func_get(void);
>  uint16_t otx2_npa_pf_func_get(void);
> +uint8_t otx2_ethdev_is_sec_capable(struct rte_eth_dev *eth_dev);
>  struct otx2_npa_lf *otx2_npa_lf_obj_get(void);
>  void otx2_npa_set_defaults(struct otx2_idev_cfg *idev);
>  int otx2_npa_lf_active(void *dev);
> diff --git a/drivers/common/octeontx2/rte_common_octeontx2_version.map b/drivers/common/octeontx2/rte_common_octeontx2_version.map
> index adad21a..bd9fc41 100644
> --- a/drivers/common/octeontx2/rte_common_octeontx2_version.map
> +++ b/drivers/common/octeontx2/rte_common_octeontx2_version.map
> @@ -6,6 +6,7 @@ DPDK_20.0 {
>         otx2_dev_priv_init;
>         otx2_disable_irqs;
>         otx2_intra_dev_get_cfg;
> +       otx2_ethdev_is_sec_capable;
>         otx2_logtype_base;
>         otx2_logtype_dpi;
>         otx2_logtype_mbox;
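Review bot: otx2_ethdev_is_sec_capable is inserted between otx2_intra_dev_get_cfg and otx2_logtype_base, which breaks the alphabetical order the surrounding entries follow; move it after otx2_disable_irqs.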
> --
> 2.7.4
>


* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
                     ` (14 preceding siblings ...)
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 15/15] crypto/octeontx2: sync inline tag type cfg with Rx adapter configuration Anoob Joseph
@ 2020-01-18 14:38   ` Jerin Jacob
  2020-01-19 10:43     ` Anoob Joseph
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
  16 siblings, 1 reply; 111+ messages in thread
From: Jerin Jacob @ 2020-01-18 14:38 UTC (permalink / raw)
  To: Anoob Joseph
  Cc: Akhil Goyal, Declan Doherty, Thomas Monjalon, Jerin Jacob,
	Narayana Prasad, Kiran Kumar K, Nithin Dabilpuram,
	Pavan Nikhilesh, Ankur Dwivedi, Archana Muniganti,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dpdk-dev

On Sat, Jan 18, 2020 at 4:19 PM Anoob Joseph <anoobj@marvell.com> wrote:
>
> This series adds inline IPsec support in OCTEONTX2 PMD.
>
> In the inbound path, rte_flow framework need to be used to configure
> the NPC block, which does the h/w lookup. The packets would get
> processed by the crypto block and would submit to the scheduling block,
> SSO. So inline IPsec mode can be enabled only when traffic is received
> via event device using Rx adapter.
>
> In the outbound path, the core would submit to the crypto block and the
> crypto block would submit the packet for Tx internally.


Please fix the following check-git-log.sh issues.

Wrong headline lowercase:
        net/octeontx2: add inline ipsec rx path changes
        drivers/octeontx2: add sec in compiler optimized RX fastpath framework
        drivers/octeontx2: add sec in compiler optimized TX fastpath framework
        crypto/octeontx2: add inline tx path changes
Headline too long:
        drivers/octeontx2: add sec in compiler optimized RX fastpath framework
        drivers/octeontx2: add sec in compiler optimized TX fastpath framework
        crypto/octeontx2: sync inline tag type cfg with Rx adapter configuration

Changing to Rx and Tx will fix most of the issues.



> v2:
> * Minimized additions to common/octeontx2
> * Updated release notes
> * Renamed otx2_is_ethdev to otx2_ethdev_is_sec_capable
>
> Ankur Dwivedi (3):
>   crypto/octeontx2: add eth security capabilities
>   crypto/octeontx2: add datapath ops in eth security ctx
>   crypto/octeontx2: add inline tx path changes
>
> Anoob Joseph (4):
>   common/octeontx2: add CPT LF mbox for inline inbound
>   crypto/octeontx2: create eth security ctx
>   crypto/octeontx2: enable CPT to share QP with ethdev
>   crypto/octeontx2: add eth security session operations
>
> Archana Muniganti (3):
>   crypto/octeontx2: add lookup mem changes to hold sa indices
>   drivers/octeontx2: add sec in compiler optimized RX fastpath framework
>   drivers/octeontx2: add sec in compiler optimized TX fastpath framework
>
> Tejasree Kondoj (3):
>   crypto/octeontx2: configure for inline IPsec
>   crypto/octeontx2: add security in eth dev configure
>   net/octeontx2: add inline ipsec rx path changes
>
> Vamsi Attunuru (2):
>   common/octeontx2: add routine to check if sec capable otx2
>   crypto/octeontx2: sync inline tag type cfg with Rx adapter
>     configuration
>
>  doc/guides/nics/octeontx2.rst                      |  20 +
>  doc/guides/rel_notes/release_20_02.rst             |   9 +
>  drivers/common/octeontx2/otx2_common.c             |  22 +
>  drivers/common/octeontx2/otx2_common.h             |  22 +
>  drivers/common/octeontx2/otx2_mbox.h               |   7 +
>  .../octeontx2/rte_common_octeontx2_version.map     |   3 +
>  drivers/crypto/octeontx2/Makefile                  |   7 +-
>  drivers/crypto/octeontx2/meson.build               |   7 +-
>  drivers/crypto/octeontx2/otx2_cryptodev.c          |   8 +
>  .../crypto/octeontx2/otx2_cryptodev_hw_access.h    |  22 +-
>  drivers/crypto/octeontx2/otx2_cryptodev_mbox.c     |  53 ++
>  drivers/crypto/octeontx2/otx2_cryptodev_mbox.h     |   7 +
>  drivers/crypto/octeontx2/otx2_cryptodev_ops.c      |  56 ++
>  drivers/crypto/octeontx2/otx2_cryptodev_qp.h       |  35 +
>  drivers/crypto/octeontx2/otx2_ipsec_fp.h           | 348 +++++++++
>  drivers/crypto/octeontx2/otx2_security.c           | 870 +++++++++++++++++++++
>  drivers/crypto/octeontx2/otx2_security.h           | 158 ++++
>  drivers/crypto/octeontx2/otx2_security_tx.h        | 175 +++++
>  drivers/event/octeontx2/Makefile                   |   1 +
>  drivers/event/octeontx2/meson.build                |   5 +-
>  drivers/event/octeontx2/otx2_evdev.c               | 170 ++--
>  drivers/event/octeontx2/otx2_evdev.h               |   4 +-
>  drivers/event/octeontx2/otx2_worker.c              |   6 +-
>  drivers/event/octeontx2/otx2_worker.h              |   6 +
>  drivers/event/octeontx2/otx2_worker_dual.c         |   6 +-
>  drivers/net/octeontx2/Makefile                     |   1 +
>  drivers/net/octeontx2/meson.build                  |   3 +
>  drivers/net/octeontx2/otx2_ethdev.c                |  46 +-
>  drivers/net/octeontx2/otx2_ethdev.h                |   2 +
>  drivers/net/octeontx2/otx2_ethdev_devargs.c        |  19 +
>  drivers/net/octeontx2/otx2_flow.c                  |  26 +
>  drivers/net/octeontx2/otx2_lookup.c                |  11 +-
>  drivers/net/octeontx2/otx2_rx.c                    |  27 +-
>  drivers/net/octeontx2/otx2_rx.h                    | 377 ++++++---
>  drivers/net/octeontx2/otx2_tx.c                    |  29 +-
>  drivers/net/octeontx2/otx2_tx.h                    | 271 +++++--
>  36 files changed, 2556 insertions(+), 283 deletions(-)
>  create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_qp.h
>  create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h
>  create mode 100644 drivers/crypto/octeontx2/otx2_security.c
>  create mode 100644 drivers/crypto/octeontx2/otx2_security.h
>  create mode 100644 drivers/crypto/octeontx2/otx2_security_tx.h
>
> --
> 2.7.4
>

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-18 14:38   ` [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support Jerin Jacob
@ 2020-01-19 10:43     ` Anoob Joseph
  2020-01-19 10:53       ` Thomas Monjalon
  2020-01-22 10:16       ` [dpdk-dev] " Akhil Goyal
  0 siblings, 2 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-19 10:43 UTC (permalink / raw)
  To: Jerin Jacob, Akhil Goyal
  Cc: Declan Doherty, Thomas Monjalon, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj,
	Vamsi Krishna Attunuru, Lukas Bartosik, dpdk-dev

Hi Jerin,

Will do the suggested change (RX/rx -> Rx & TX/tx -> Tx). Do you want me to trim the headline as well?

@Akhil, did you get a chance to review the series? Do you have any comments on the patches?

Thanks,
Anoob

> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Jerin Jacob
> Sent: Saturday, January 18, 2020 8:09 PM
> To: Anoob Joseph <anoobj@marvell.com>
> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Declan Doherty
> <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>; Jerin
> Jacob Kollanukkaran <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; Vamsi Krishna Attunuru <vattunuru@marvell.com>;
> Lukas Bartosik <lbartosik@marvell.com>; dpdk-dev <dev@dpdk.org>
> Subject: Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
> 
> On Sat, Jan 18, 2020 at 4:19 PM Anoob Joseph <anoobj@marvell.com> wrote:
> >
> > This series adds inline IPsec support in OCTEONTX2 PMD.
> >
> > In the inbound path, rte_flow framework need to be used to configure
> > the NPC block, which does the h/w lookup. The packets would get
> > processed by the crypto block and would submit to the scheduling
> > block, SSO. So inline IPsec mode can be enabled only when traffic is
> > received via event device using Rx adapter.
> >
> > In the outbound path, the core would submit to the crypto block and
> > the crypto block would submit the packet for Tx internally.
> 
> 
> Please fix following check-git-log.sh issues.
> 
> Wrong headline lowercase:
>         net/octeontx2: add inline ipsec rx path changes
>         drivers/octeontx2: add sec in compiler optimized RX fastpath framework
>         drivers/octeontx2: add sec in compiler optimized TX fastpath framework
>         crypto/octeontx2: add inline tx path changes
> Headline too long:
>         drivers/octeontx2: add sec in compiler optimized RX fastpath framework
>         drivers/octeontx2: add sec in compiler optimized TX fastpath framework
>         crypto/octeontx2: sync inline tag type cfg with Rx adapter configuration
> 
> Changing to Rx and Tx will fix most of the issues.
> 
> 
> 
> > v2:
> > * Minimized additions to common/octeontx2
> > * Updated release notes
> > * Renamed otx2_is_ethdev to otx2_ethdev_is_sec_capable
> >
> > Ankur Dwivedi (3):
> >   crypto/octeontx2: add eth security capabilities
> >   crypto/octeontx2: add datapath ops in eth security ctx
> >   crypto/octeontx2: add inline tx path changes
> >
> > Anoob Joseph (4):
> >   common/octeontx2: add CPT LF mbox for inline inbound
> >   crypto/octeontx2: create eth security ctx
> >   crypto/octeontx2: enable CPT to share QP with ethdev
> >   crypto/octeontx2: add eth security session operations
> >
> > Archana Muniganti (3):
> >   crypto/octeontx2: add lookup mem changes to hold sa indices
> >   drivers/octeontx2: add sec in compiler optimized RX fastpath framework
> >   drivers/octeontx2: add sec in compiler optimized TX fastpath framework
> >
> > Tejasree Kondoj (3):
> >   crypto/octeontx2: configure for inline IPsec
> >   crypto/octeontx2: add security in eth dev configure
> >   net/octeontx2: add inline ipsec rx path changes
> >
> > Vamsi Attunuru (2):
> >   common/octeontx2: add routine to check if sec capable otx2
> >   crypto/octeontx2: sync inline tag type cfg with Rx adapter
> >     configuration
> >
> >  doc/guides/nics/octeontx2.rst                      |  20 +
> >  doc/guides/rel_notes/release_20_02.rst             |   9 +
> >  drivers/common/octeontx2/otx2_common.c             |  22 +
> >  drivers/common/octeontx2/otx2_common.h             |  22 +
> >  drivers/common/octeontx2/otx2_mbox.h               |   7 +
> >  .../octeontx2/rte_common_octeontx2_version.map     |   3 +
> >  drivers/crypto/octeontx2/Makefile                  |   7 +-
> >  drivers/crypto/octeontx2/meson.build               |   7 +-
> >  drivers/crypto/octeontx2/otx2_cryptodev.c          |   8 +
> >  .../crypto/octeontx2/otx2_cryptodev_hw_access.h    |  22 +-
> >  drivers/crypto/octeontx2/otx2_cryptodev_mbox.c     |  53 ++
> >  drivers/crypto/octeontx2/otx2_cryptodev_mbox.h     |   7 +
> >  drivers/crypto/octeontx2/otx2_cryptodev_ops.c      |  56 ++
> >  drivers/crypto/octeontx2/otx2_cryptodev_qp.h       |  35 +
> >  drivers/crypto/octeontx2/otx2_ipsec_fp.h           | 348 +++++++++
> >  drivers/crypto/octeontx2/otx2_security.c           | 870 +++++++++++++++++++++
> >  drivers/crypto/octeontx2/otx2_security.h           | 158 ++++
> >  drivers/crypto/octeontx2/otx2_security_tx.h        | 175 +++++
> >  drivers/event/octeontx2/Makefile                   |   1 +
> >  drivers/event/octeontx2/meson.build                |   5 +-
> >  drivers/event/octeontx2/otx2_evdev.c               | 170 ++--
> >  drivers/event/octeontx2/otx2_evdev.h               |   4 +-
> >  drivers/event/octeontx2/otx2_worker.c              |   6 +-
> >  drivers/event/octeontx2/otx2_worker.h              |   6 +
> >  drivers/event/octeontx2/otx2_worker_dual.c         |   6 +-
> >  drivers/net/octeontx2/Makefile                     |   1 +
> >  drivers/net/octeontx2/meson.build                  |   3 +
> >  drivers/net/octeontx2/otx2_ethdev.c                |  46 +-
> >  drivers/net/octeontx2/otx2_ethdev.h                |   2 +
> >  drivers/net/octeontx2/otx2_ethdev_devargs.c        |  19 +
> >  drivers/net/octeontx2/otx2_flow.c                  |  26 +
> >  drivers/net/octeontx2/otx2_lookup.c                |  11 +-
> >  drivers/net/octeontx2/otx2_rx.c                    |  27 +-
> >  drivers/net/octeontx2/otx2_rx.h                    | 377 ++++++---
> >  drivers/net/octeontx2/otx2_tx.c                    |  29 +-
> >  drivers/net/octeontx2/otx2_tx.h                    | 271 +++++--
> >  36 files changed, 2556 insertions(+), 283 deletions(-)
> >  create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_qp.h
> >  create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h
> >  create mode 100644 drivers/crypto/octeontx2/otx2_security.c
> >  create mode 100644 drivers/crypto/octeontx2/otx2_security.h
> >  create mode 100644 drivers/crypto/octeontx2/otx2_security_tx.h
> >
> > --
> > 2.7.4
> >

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-19 10:43     ` Anoob Joseph
@ 2020-01-19 10:53       ` Thomas Monjalon
  2020-01-19 10:57         ` [dpdk-dev] [EXT] " Anoob Joseph
  2020-01-22 10:16       ` [dpdk-dev] " Akhil Goyal
  1 sibling, 1 reply; 111+ messages in thread
From: Thomas Monjalon @ 2020-01-19 10:53 UTC (permalink / raw)
  To: Jerin Jacob, Anoob Joseph, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj,
	Vamsi Krishna Attunuru, Lukas Bartosik
  Cc: Akhil Goyal, Declan Doherty, dpdk-dev

19/01/2020 11:43, Anoob Joseph:
> Hi Jerin,
> 
> Will  do the suggested change (RX/rx-> Rx & TX/tx->Tx). Do you want me to trim the headline as well?

While you are in casing details,
I don't understand why I am alone taking care of the Marvell naming
(I am fixing it often while applying)
	OCTEONTX2 -> OCTEON TX2




^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [EXT] Re: [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-19 10:53       ` Thomas Monjalon
@ 2020-01-19 10:57         ` Anoob Joseph
  0 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-19 10:57 UTC (permalink / raw)
  To: Thomas Monjalon, Jerin Jacob, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj,
	Vamsi Krishna Attunuru, Lukas Bartosik
  Cc: Akhil Goyal, Declan Doherty, dpdk-dev

Hi Thomas,

I'll have it fixed in v3. Thanks for pointing it out.

Thanks,
Anoob

> -----Original Message-----
> From: Thomas Monjalon <thomas@monjalon.net>
> Sent: Sunday, January 19, 2020 4:24 PM
> To: Jerin Jacob <jerinjacobk@gmail.com>; Anoob Joseph
> <anoobj@marvell.com>; Jerin Jacob Kollanukkaran <jerinj@marvell.com>;
> Narayana Prasad Raju Athreya <pathreya@marvell.com>; Kiran Kumar
> Kokkilagadda <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; Vamsi Krishna Attunuru <vattunuru@marvell.com>;
> Lukas Bartosik <lbartosik@marvell.com>
> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Declan Doherty
> <declan.doherty@intel.com>; dpdk-dev <dev@dpdk.org>
> Subject: [EXT] Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec
> support
> 
> 19/01/2020 11:43, Anoob Joseph:
> > Hi Jerin,
> >
> > Will  do the suggested change (RX/rx-> Rx & TX/tx->Tx). Do you want me to
> trim the headline as well?
> 
> While you are in casing details,
> I don't understand why I am alone taking care of the Marvell naming (I am fixing
> it often while applying)
> 	OCTEONTX2 -> OCTEON TX2
> 
> 


^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-19 10:43     ` Anoob Joseph
  2020-01-19 10:53       ` Thomas Monjalon
@ 2020-01-22 10:16       ` Akhil Goyal
  2020-01-22 10:55         ` Anoob Joseph
  1 sibling, 1 reply; 111+ messages in thread
From: Akhil Goyal @ 2020-01-22 10:16 UTC (permalink / raw)
  To: Anoob Joseph, Jerin Jacob
  Cc: Declan Doherty, Thomas Monjalon, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj,
	Vamsi Krishna Attunuru, Lukas Bartosik, dpdk-dev


> 
> Hi Jerin,
> 
> Will  do the suggested change (RX/rx-> Rx & TX/tx->Tx). Do you want me to trim
> the headline as well?
> 

Hi Anoob,

> @Akhil, did you get a chance to review the series? Do you have any comments
> on the patches?
> 

You are adding inline ipsec support to ethernet device and not a crypto device.
These patches should not be part of crypto PMD. There will be cyclic dependency
between ethernet device and crypto device which can be easily avoided.


> > >
> > > This series adds inline IPsec support in OCTEONTX2 PMD.
> > >
> > > In the inbound path, rte_flow framework need to be used to configure
> > > the NPC block, which does the h/w lookup. The packets would get
> > > processed by the crypto block and would submit to the scheduling
> > > block, SSO. So inline IPsec mode can be enabled only when traffic is
> > > received via event device using Rx adapter.
> > >
> > > In the outbound path, the core would submit to the crypto block and
> > > the crypto block would submit the packet for Tx internally.
> >
> >
> > Please fix following check-git-log.sh issues.
> >
> > Wrong headline lowercase:
> >         net/octeontx2: add inline ipsec rx path changes
> >         drivers/octeontx2: add sec in compiler optimized RX fastpath framework
> >         drivers/octeontx2: add sec in compiler optimized TX fastpath framework
> >         crypto/octeontx2: add inline tx path changes
> > Headline too long:
> >         drivers/octeontx2: add sec in compiler optimized RX fastpath framework
> >         drivers/octeontx2: add sec in compiler optimized TX fastpath framework
> >         crypto/octeontx2: sync inline tag type cfg with Rx adapter configuration
> >
> > Changing to Rx and Tx will fix most of the issues.
> >
> >
> >
> > > v2:
> > > * Minimized additions to common/octeontx2
> > > * Updated release notes
> > > * Renamed otx2_is_ethdev to otx2_ethdev_is_sec_capable
> > >
> > > Ankur Dwivedi (3):
> > >   crypto/octeontx2: add eth security capabilities
> > >   crypto/octeontx2: add datapath ops in eth security ctx
> > >   crypto/octeontx2: add inline tx path changes
> > >
> > > Anoob Joseph (4):
> > >   common/octeontx2: add CPT LF mbox for inline inbound
> > >   crypto/octeontx2: create eth security ctx
> > >   crypto/octeontx2: enable CPT to share QP with ethdev
> > >   crypto/octeontx2: add eth security session operations
> > >
> > > Archana Muniganti (3):
> > >   crypto/octeontx2: add lookup mem changes to hold sa indices
> > >   drivers/octeontx2: add sec in compiler optimized RX fastpath framework
> > >   drivers/octeontx2: add sec in compiler optimized TX fastpath framework
> > >
> > > Tejasree Kondoj (3):
> > >   crypto/octeontx2: configure for inline IPsec
> > >   crypto/octeontx2: add security in eth dev configure
> > >   net/octeontx2: add inline ipsec rx path changes
> > >
> > > Vamsi Attunuru (2):
> > >   common/octeontx2: add routine to check if sec capable otx2
> > >   crypto/octeontx2: sync inline tag type cfg with Rx adapter
> > >     configuration
> > >
> > >  doc/guides/nics/octeontx2.rst                      |  20 +
> > >  doc/guides/rel_notes/release_20_02.rst             |   9 +
> > >  drivers/common/octeontx2/otx2_common.c             |  22 +
> > >  drivers/common/octeontx2/otx2_common.h             |  22 +
> > >  drivers/common/octeontx2/otx2_mbox.h               |   7 +
> > >  .../octeontx2/rte_common_octeontx2_version.map     |   3 +
> > >  drivers/crypto/octeontx2/Makefile                  |   7 +-
> > >  drivers/crypto/octeontx2/meson.build               |   7 +-
> > >  drivers/crypto/octeontx2/otx2_cryptodev.c          |   8 +
> > >  .../crypto/octeontx2/otx2_cryptodev_hw_access.h    |  22 +-
> > >  drivers/crypto/octeontx2/otx2_cryptodev_mbox.c     |  53 ++
> > >  drivers/crypto/octeontx2/otx2_cryptodev_mbox.h     |   7 +
> > >  drivers/crypto/octeontx2/otx2_cryptodev_ops.c      |  56 ++
> > >  drivers/crypto/octeontx2/otx2_cryptodev_qp.h       |  35 +
> > >  drivers/crypto/octeontx2/otx2_ipsec_fp.h           | 348 +++++++++
> > >  drivers/crypto/octeontx2/otx2_security.c           | 870 +++++++++++++++++++++
> > >  drivers/crypto/octeontx2/otx2_security.h           | 158 ++++
> > >  drivers/crypto/octeontx2/otx2_security_tx.h        | 175 +++++
> > >  drivers/event/octeontx2/Makefile                   |   1 +
> > >  drivers/event/octeontx2/meson.build                |   5 +-
> > >  drivers/event/octeontx2/otx2_evdev.c               | 170 ++--
> > >  drivers/event/octeontx2/otx2_evdev.h               |   4 +-
> > >  drivers/event/octeontx2/otx2_worker.c              |   6 +-
> > >  drivers/event/octeontx2/otx2_worker.h              |   6 +
> > >  drivers/event/octeontx2/otx2_worker_dual.c         |   6 +-
> > >  drivers/net/octeontx2/Makefile                     |   1 +
> > >  drivers/net/octeontx2/meson.build                  |   3 +
> > >  drivers/net/octeontx2/otx2_ethdev.c                |  46 +-
> > >  drivers/net/octeontx2/otx2_ethdev.h                |   2 +
> > >  drivers/net/octeontx2/otx2_ethdev_devargs.c        |  19 +
> > >  drivers/net/octeontx2/otx2_flow.c                  |  26 +
> > >  drivers/net/octeontx2/otx2_lookup.c                |  11 +-
> > >  drivers/net/octeontx2/otx2_rx.c                    |  27 +-
> > >  drivers/net/octeontx2/otx2_rx.h                    | 377 ++++++---
> > >  drivers/net/octeontx2/otx2_tx.c                    |  29 +-
> > >  drivers/net/octeontx2/otx2_tx.h                    | 271 +++++--
> > >  36 files changed, 2556 insertions(+), 283 deletions(-)
> > >  create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_qp.h
> > >  create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h
> > >  create mode 100644 drivers/crypto/octeontx2/otx2_security.c
> > >  create mode 100644 drivers/crypto/octeontx2/otx2_security.h
> > >  create mode 100644 drivers/crypto/octeontx2/otx2_security_tx.h
> > >
> > > --
> > > 2.7.4
> > >

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-22 10:16       ` [dpdk-dev] " Akhil Goyal
@ 2020-01-22 10:55         ` Anoob Joseph
  2020-01-22 12:56           ` Akhil Goyal
  0 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2020-01-22 10:55 UTC (permalink / raw)
  To: Akhil Goyal, Jerin Jacob
  Cc: Declan Doherty, Thomas Monjalon, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj,
	Vamsi Krishna Attunuru, Lukas Bartosik, dpdk-dev

Hi Akhil,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Akhil Goyal <akhil.goyal@nxp.com>
> Sent: Wednesday, January 22, 2020 3:46 PM
> To: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob
> <jerinjacobk@gmail.com>
> Cc: Declan Doherty <declan.doherty@intel.com>; Thomas Monjalon
> <thomas@monjalon.net>; Jerin Jacob Kollanukkaran <jerinj@marvell.com>;
> Narayana Prasad Raju Athreya <pathreya@marvell.com>; Kiran Kumar
> Kokkilagadda <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; Vamsi Krishna Attunuru
> <vattunuru@marvell.com>; Lukas Bartosik <lbartosik@marvell.com>; dpdk-
> dev <dev@dpdk.org>
> Subject: [EXT] RE: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec
> support
> 
> 
> >
> > Hi Jerin,
> >
> > Will  do the suggested change (RX/rx-> Rx & TX/tx->Tx). Do you want me
> > to trim the headline as well?
> >
> 
> Hi Anoob,
> 
> > @Akhil, did you get a chance to review the series? Do you have any
> > comments on the patches?
> >
> 
> You are adding inline ipsec support to ethernet device and not a crypto
> device.
> These patches should not be part of crypto PMD. There will be cyclic
> dependency Between ethernet device and crypto device which can be easily
> avoided.

[Anoob] We have plans to use lookaside protocol to handle the "fallback" session. And that involves session sharing between inline and lookaside protocol offloads. Also, though the feature is exposed as a feature of ethdev, on our platform, it's the crypto block which primarily implements the feature. And so, if the code is moved to ethdev dir, there would be a lot of code duplication. The idea is to have all security related code in one place.

Also, the PMDs don't have any calls to each other. The communication between the two happens via common. The crypto dev PMD will register the required security ops to a common structure and ethdev would get it from there. So there won't be an issue of build dependency.

> 
> 
> > > >
> > > > This series adds inline IPsec support in OCTEONTX2 PMD.
> > > >
> > > > In the inbound path, rte_flow framework need to be used to
> > > > configure the NPC block, which does the h/w lookup. The packets
> > > > would get processed by the crypto block and would submit to the
> > > > scheduling block, SSO. So inline IPsec mode can be enabled only
> > > > when traffic is received via event device using Rx adapter.
> > > >
> > > > In the outbound path, the core would submit to the crypto block
> > > > and the crypto block would submit the packet for Tx internally.
> > >
> > >
> > > Please fix following check-git-log.sh issues.
> > >
> > > Wrong headline lowercase:
> > >         net/octeontx2: add inline ipsec rx path changes
> > >         drivers/octeontx2: add sec in compiler optimized RX fastpath framework
> > >         drivers/octeontx2: add sec in compiler optimized TX fastpath framework
> > >         crypto/octeontx2: add inline tx path changes
> > > Headline too long:
> > >         drivers/octeontx2: add sec in compiler optimized RX fastpath framework
> > >         drivers/octeontx2: add sec in compiler optimized TX fastpath framework
> > >         crypto/octeontx2: sync inline tag type cfg with Rx adapter configuration
> > >
> > > Changing to Rx and Tx will fix most of the issues.
> > >
> > >
> > >
> > > > v2:
> > > > * Minimized additions to common/octeontx2
> > > > * Updated release notes
> > > > * Renamed otx2_is_ethdev to otx2_ethdev_is_sec_capable
> > > >
> > > > Ankur Dwivedi (3):
> > > >   crypto/octeontx2: add eth security capabilities
> > > >   crypto/octeontx2: add datapath ops in eth security ctx
> > > >   crypto/octeontx2: add inline tx path changes
> > > >
> > > > Anoob Joseph (4):
> > > >   common/octeontx2: add CPT LF mbox for inline inbound
> > > >   crypto/octeontx2: create eth security ctx
> > > >   crypto/octeontx2: enable CPT to share QP with ethdev
> > > >   crypto/octeontx2: add eth security session operations
> > > >
> > > > Archana Muniganti (3):
> > > >   crypto/octeontx2: add lookup mem changes to hold sa indices
> > > >   drivers/octeontx2: add sec in compiler optimized RX fastpath framework
> > > >   drivers/octeontx2: add sec in compiler optimized TX fastpath framework
> > > >
> > > > Tejasree Kondoj (3):
> > > >   crypto/octeontx2: configure for inline IPsec
> > > >   crypto/octeontx2: add security in eth dev configure
> > > >   net/octeontx2: add inline ipsec rx path changes
> > > >
> > > > Vamsi Attunuru (2):
> > > >   common/octeontx2: add routine to check if sec capable otx2
> > > >   crypto/octeontx2: sync inline tag type cfg with Rx adapter
> > > >     configuration
> > > >
> > > >  doc/guides/nics/octeontx2.rst                      |  20 +
> > > >  doc/guides/rel_notes/release_20_02.rst             |   9 +
> > > >  drivers/common/octeontx2/otx2_common.c             |  22 +
> > > >  drivers/common/octeontx2/otx2_common.h             |  22 +
> > > >  drivers/common/octeontx2/otx2_mbox.h               |   7 +
> > > >  .../octeontx2/rte_common_octeontx2_version.map     |   3 +
> > > >  drivers/crypto/octeontx2/Makefile                  |   7 +-
> > > >  drivers/crypto/octeontx2/meson.build               |   7 +-
> > > >  drivers/crypto/octeontx2/otx2_cryptodev.c          |   8 +
> > > >  .../crypto/octeontx2/otx2_cryptodev_hw_access.h    |  22 +-
> > > >  drivers/crypto/octeontx2/otx2_cryptodev_mbox.c     |  53 ++
> > > >  drivers/crypto/octeontx2/otx2_cryptodev_mbox.h     |   7 +
> > > >  drivers/crypto/octeontx2/otx2_cryptodev_ops.c      |  56 ++
> > > >  drivers/crypto/octeontx2/otx2_cryptodev_qp.h       |  35 +
> > > >  drivers/crypto/octeontx2/otx2_ipsec_fp.h           | 348 +++++++++
> > > >  drivers/crypto/octeontx2/otx2_security.c           | 870 +++++++++++++++++++++
> > > >  drivers/crypto/octeontx2/otx2_security.h           | 158 ++++
> > > >  drivers/crypto/octeontx2/otx2_security_tx.h        | 175 +++++
> > > >  drivers/event/octeontx2/Makefile                   |   1 +
> > > >  drivers/event/octeontx2/meson.build                |   5 +-
> > > >  drivers/event/octeontx2/otx2_evdev.c               | 170 ++--
> > > >  drivers/event/octeontx2/otx2_evdev.h               |   4 +-
> > > >  drivers/event/octeontx2/otx2_worker.c              |   6 +-
> > > >  drivers/event/octeontx2/otx2_worker.h              |   6 +
> > > >  drivers/event/octeontx2/otx2_worker_dual.c         |   6 +-
> > > >  drivers/net/octeontx2/Makefile                     |   1 +
> > > >  drivers/net/octeontx2/meson.build                  |   3 +
> > > >  drivers/net/octeontx2/otx2_ethdev.c                |  46 +-
> > > >  drivers/net/octeontx2/otx2_ethdev.h                |   2 +
> > > >  drivers/net/octeontx2/otx2_ethdev_devargs.c        |  19 +
> > > >  drivers/net/octeontx2/otx2_flow.c                  |  26 +
> > > >  drivers/net/octeontx2/otx2_lookup.c                |  11 +-
> > > >  drivers/net/octeontx2/otx2_rx.c                    |  27 +-
> > > >  drivers/net/octeontx2/otx2_rx.h                    | 377 ++++++---
> > > >  drivers/net/octeontx2/otx2_tx.c                    |  29 +-
> > > >  drivers/net/octeontx2/otx2_tx.h                    | 271 +++++--
> > > >  36 files changed, 2556 insertions(+), 283 deletions(-)
> > > >  create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_qp.h
> > > >  create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h
> > > >  create mode 100644 drivers/crypto/octeontx2/otx2_security.c
> > > >  create mode 100644 drivers/crypto/octeontx2/otx2_security.h
> > > >  create mode 100644 drivers/crypto/octeontx2/otx2_security_tx.h
> > > >
> > > > --
> > > > 2.7.4
> > > >

^ permalink raw reply	[flat|nested] 111+ messages in thread
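
The registration scheme described in the reply above (the crypto PMD registers its security ops in a structure owned by the common code, and ethdev fetches them from there), sketched as an added example that is not part of the thread or of the DPDK sources. Every identifier is hypothetical, and returning -ENOTSUP when nothing has been registered is an assumption of this sketch, not stated behaviour of the driver.

```c
/* Added illustration: all identifiers are hypothetical, not DPDK or
 * OCTEON TX2 driver symbols. Three sections stand in for three libraries. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ---- common: the only code both PMDs link against ---- */
struct sec_eth_ops {
	int (*ctx_create)(uint16_t port_id);
	int (*ctx_destroy)(uint16_t port_id);
};

static const struct sec_eth_ops *registered_ops; /* NULL until registered */

int common_sec_ops_register(const struct sec_eth_ops *ops)
{
	/* A partially filled table would leave a NULL pointer to be called. */
	if (ops == NULL || ops->ctx_create == NULL || ops->ctx_destroy == NULL)
		return -EINVAL;
	/* First registration wins; nothing may silently replace the table. */
	if (registered_ops != NULL)
		return -EEXIST;
	registered_ops = ops;
	return 0;
}

const struct sec_eth_ops *common_sec_ops_get(void)
{
	return registered_ops;
}

/* ---- crypto PMD: implements the ops, knows nothing about ethdev ---- */
#define MAX_PORTS 4
static int port_has_ctx[MAX_PORTS];

static int crypto_ctx_create(uint16_t port_id)
{
	if (port_id >= MAX_PORTS)
		return -EINVAL;
	if (port_has_ctx[port_id])
		return -EEXIST;
	port_has_ctx[port_id] = 1;
	return 0;
}

static int crypto_ctx_destroy(uint16_t port_id)
{
	if (port_id >= MAX_PORTS || !port_has_ctx[port_id])
		return -EINVAL;
	port_has_ctx[port_id] = 0;
	return 0;
}

static const struct sec_eth_ops crypto_ops = {
	.ctx_create = crypto_ctx_create,
	.ctx_destroy = crypto_ctx_destroy,
};

int crypto_pmd_init(void)
{
	return common_sec_ops_register(&crypto_ops);
}

/* ---- ethdev PMD: consumes the ops, never names a crypto symbol ---- */
int ethdev_configure(uint16_t port_id, int want_inline_ipsec)
{
	const struct sec_eth_ops *ops;

	if (!want_inline_ipsec)
		return 0;
	ops = common_sec_ops_get();
	/* Fail closed: without a registered provider the port must not come
	 * up claiming inline IPsec and then pass traffic unprotected. */
	if (ops == NULL)
		return -ENOTSUP;
	return ops->ctx_create(port_id);
}

int ethdev_close(uint16_t port_id)
{
	const struct sec_eth_ops *ops = common_sec_ops_get();

	return ops == NULL ? -ENOTSUP : ops->ctx_destroy(port_id);
}

int main(void)
{
	printf("before crypto init: %d\n", ethdev_configure(0, 1));
	printf("crypto init:        %d\n", crypto_pmd_init());
	printf("after crypto init:  %d\n", ethdev_configure(0, 1));
	printf("close:              %d\n", ethdev_close(0));
	return 0;
}
```

The ethdev section compiles without any crypto header, which is the build-dependency point made in the reply; the price is a run-time ordering dependency that the NULL check has to cover.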

* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-22 10:55         ` Anoob Joseph
@ 2020-01-22 12:56           ` Akhil Goyal
  2020-01-22 14:18             ` Jerin Jacob
  0 siblings, 1 reply; 111+ messages in thread
From: Akhil Goyal @ 2020-01-22 12:56 UTC (permalink / raw)
  To: Anoob Joseph, Jerin Jacob
  Cc: Declan Doherty, Thomas Monjalon, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj,
	Vamsi Krishna Attunuru, Lukas Bartosik, dpdk-dev

> > >
> > > Hi Jerin,
> > >
> > > Will  do the suggested change (RX/rx-> Rx & TX/tx->Tx). Do you want me
> > > to trim the headline as well?
> > >
> >
> > Hi Anoob,
> >
> > > @Akhil, did you get a chance to review the series? Do you have any
> > > comments on the patches?
> > >
> >
> > You are adding inline ipsec support to ethernet device and not a crypto
> > device.
> > These patches should not be part of crypto PMD. There will be cyclic
> > dependency Between ethernet device and crypto device which can be easily
> > avoided.
> 
> [Anoob] We have plans to use lookaside protocol to handle the "fallback"
> session. And that involves session sharing between inline and lookaside protocol
> offloads. Also, though the feature is exposed as a feature of ethdev, on our
> platform, it's the crypto block which primarily implements the feature. And so, if
> the code is moved to ethdev dir, there would be lot of code duplication. The
> idea is to have all security related code in one place.
> 
> Also, the PMDs don't have any calls to each other. The communication between
> the two happens via common. The crypto dev PMD will register the required
> security ops to a common structure and ethdev would get it from there. So there
> won't be an issue of build dependency.
> 

- The code that needs to be duplicated can be moved to drivers/common/
- You may not need to include rte_ethdev.h inside drivers/crypto
- otx2_sec_eth_ctx_create should be part of ethdev and you would need similar API
  for crypto device as well when you would support the fallback session support.
  So that would go in crypto. Session creation code may be common and can go
  in drivers/common.
- You would have separate security_ctx for both eth device and crypto device and that should
  be in net device and crypto device separately. Similarly security->ops should be different in both of them.
  However if they may have same session creation code and that can go in common.

> >
> >
> > > > >
> > > > > This series adds inline IPsec support in OCTEONTX2 PMD.
> > > > >
> > > > > In the inbound path, rte_flow framework need to be used to
> > > > > configure the NPC block, which does the h/w lookup. The packets
> > > > > would get processed by the crypto block and would submit to the
> > > > > scheduling block, SSO. So inline IPsec mode can be enabled only
> > > > > when traffic is received via event device using Rx adapter.
> > > > >
> > > > > In the outbound path, the core would submit to the crypto block
> > > > > and the crypto block would submit the packet for Tx internally.
> > > >
> > > >
> > > > Please fix following check-git-log.sh issues.
> > > >
> > > > Wrong headline lowercase:
> > > >         net/octeontx2: add inline ipsec rx path changes
> > > >         drivers/octeontx2: add sec in compiler optimized RX fastpath framework
> > > >         drivers/octeontx2: add sec in compiler optimized TX fastpath framework
> > > >         crypto/octeontx2: add inline tx path changes
> > > > Headline too long:
> > > >         drivers/octeontx2: add sec in compiler optimized RX fastpath framework
> > > >         drivers/octeontx2: add sec in compiler optimized TX fastpath framework
> > > >         crypto/octeontx2: sync inline tag type cfg with Rx adapter configuration
> > > >
> > > > Changing to Rx and Tx will fix most of the issues.
> > > >
> > > >
> > > >
> > > > > v2:
> > > > > * Minimized additions to common/octeontx2
> > > > > * Updated release notes
> > > > > * Renamed otx2_is_ethdev to otx2_ethdev_is_sec_capable
> > > > >
> > > > > Ankur Dwivedi (3):
> > > > >   crypto/octeontx2: add eth security capabilities
> > > > >   crypto/octeontx2: add datapath ops in eth security ctx
> > > > >   crypto/octeontx2: add inline tx path changes
> > > > >
> > > > > Anoob Joseph (4):
> > > > >   common/octeontx2: add CPT LF mbox for inline inbound
> > > > >   crypto/octeontx2: create eth security ctx
> > > > >   crypto/octeontx2: enable CPT to share QP with ethdev
> > > > >   crypto/octeontx2: add eth security session operations
> > > > >
> > > > > Archana Muniganti (3):
> > > > >   crypto/octeontx2: add lookup mem changes to hold sa indices
> > > > >   drivers/octeontx2: add sec in compiler optimized RX fastpath framework
> > > > >   drivers/octeontx2: add sec in compiler optimized TX fastpath framework
> > > > >
> > > > > Tejasree Kondoj (3):
> > > > >   crypto/octeontx2: configure for inline IPsec
> > > > >   crypto/octeontx2: add security in eth dev configure
> > > > >   net/octeontx2: add inline ipsec rx path changes
> > > > >
> > > > > Vamsi Attunuru (2):
> > > > >   common/octeontx2: add routine to check if sec capable otx2
> > > > >   crypto/octeontx2: sync inline tag type cfg with Rx adapter
> > > > >     configuration
> > > > >
> > > > >  doc/guides/nics/octeontx2.rst                      |  20 +
> > > > >  doc/guides/rel_notes/release_20_02.rst             |   9 +
> > > > >  drivers/common/octeontx2/otx2_common.c             |  22 +
> > > > >  drivers/common/octeontx2/otx2_common.h             |  22 +
> > > > >  drivers/common/octeontx2/otx2_mbox.h               |   7 +
> > > > >  .../octeontx2/rte_common_octeontx2_version.map     |   3 +
> > > > >  drivers/crypto/octeontx2/Makefile                  |   7 +-
> > > > >  drivers/crypto/octeontx2/meson.build               |   7 +-
> > > > >  drivers/crypto/octeontx2/otx2_cryptodev.c          |   8 +
> > > > >  .../crypto/octeontx2/otx2_cryptodev_hw_access.h    |  22 +-
> > > > >  drivers/crypto/octeontx2/otx2_cryptodev_mbox.c     |  53 ++
> > > > >  drivers/crypto/octeontx2/otx2_cryptodev_mbox.h     |   7 +
> > > > >  drivers/crypto/octeontx2/otx2_cryptodev_ops.c      |  56 ++
> > > > >  drivers/crypto/octeontx2/otx2_cryptodev_qp.h       |  35 +
> > > > >  drivers/crypto/octeontx2/otx2_ipsec_fp.h           | 348 +++++++++
> > > > >  drivers/crypto/octeontx2/otx2_security.c           | 870
> > > > +++++++++++++++++++++
> > > > >  drivers/crypto/octeontx2/otx2_security.h           | 158 ++++
> > > > >  drivers/crypto/octeontx2/otx2_security_tx.h        | 175 +++++
> > > > >  drivers/event/octeontx2/Makefile                   |   1 +
> > > > >  drivers/event/octeontx2/meson.build                |   5 +-
> > > > >  drivers/event/octeontx2/otx2_evdev.c               | 170 ++--
> > > > >  drivers/event/octeontx2/otx2_evdev.h               |   4 +-
> > > > >  drivers/event/octeontx2/otx2_worker.c              |   6 +-
> > > > >  drivers/event/octeontx2/otx2_worker.h              |   6 +
> > > > >  drivers/event/octeontx2/otx2_worker_dual.c         |   6 +-
> > > > >  drivers/net/octeontx2/Makefile                     |   1 +
> > > > >  drivers/net/octeontx2/meson.build                  |   3 +
> > > > >  drivers/net/octeontx2/otx2_ethdev.c                |  46 +-
> > > > >  drivers/net/octeontx2/otx2_ethdev.h                |   2 +
> > > > >  drivers/net/octeontx2/otx2_ethdev_devargs.c        |  19 +
> > > > >  drivers/net/octeontx2/otx2_flow.c                  |  26 +
> > > > >  drivers/net/octeontx2/otx2_lookup.c                |  11 +-
> > > > >  drivers/net/octeontx2/otx2_rx.c                    |  27 +-
> > > > >  drivers/net/octeontx2/otx2_rx.h                    | 377 ++++++---
> > > > >  drivers/net/octeontx2/otx2_tx.c                    |  29 +-
> > > > >  drivers/net/octeontx2/otx2_tx.h                    | 271 +++++--
> > > > >  36 files changed, 2556 insertions(+), 283 deletions(-)  create
> > > > > mode
> > > > > 100644 drivers/crypto/octeontx2/otx2_cryptodev_qp.h
> > > > >  create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h
> > > > >  create mode 100644 drivers/crypto/octeontx2/otx2_security.c
> > > > >  create mode 100644 drivers/crypto/octeontx2/otx2_security.h
> > > > >  create mode 100644 drivers/crypto/octeontx2/otx2_security_tx.h
> > > > >
> > > > > --
> > > > > 2.7.4
> > > > >

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-22 12:56           ` Akhil Goyal
@ 2020-01-22 14:18             ` Jerin Jacob
  2020-01-27  2:55               ` [dpdk-dev] [EXT] " Anoob Joseph
  2020-01-27 10:40               ` [dpdk-dev] " Akhil Goyal
  0 siblings, 2 replies; 111+ messages in thread
From: Jerin Jacob @ 2020-01-22 14:18 UTC (permalink / raw)
  To: Akhil Goyal
  Cc: Anoob Joseph, Declan Doherty, Thomas Monjalon,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Kiran Kumar Kokkilagadda, Nithin Kumar Dabilpuram,
	Pavan Nikhilesh Bhagavatula, Ankur Dwivedi, Archana Muniganti,
	Tejasree Kondoj, Vamsi Krishna Attunuru, Lukas Bartosik,
	dpdk-dev

On Wed, Jan 22, 2020 at 6:26 PM Akhil Goyal <akhil.goyal@nxp.com> wrote:
>
> > > >
> > > > Hi Jerin,
> > > >
> > > > Will  do the suggested change (RX/rx-> Rx & TX/tx->Tx). Do you want me
> > > > to trim the headline as well?
> > > >
> > >
> > > Hi Anoob,
> > >
> > > > @Akhil, did you get a chance to review the series? Do you have any
> > > > comments on the patches?
> > > >
> > >
> > > You are adding inline ipsec support to ethernet device and not a crypto
> > > device.
> > > These patches should not be part of crypto PMD. There will be cyclic
> > > dependency Between ethernet device and crypto device which can be easily
> > > avoided.
> >
> > [Anoob] We have plans to use lookaside protocol to handle the "fallback"
> > session. And that involves session sharing between inline and lookaside protocol
> > offloads. Also, though the feature is exposed as a feature of ethdev, on our
> > platform, it's the crypto block which primarily implements the feature. And so, if
> > the code is moved to ethdev dir, there would be lot of code duplication. The
> > idea is to have all security related code in one place.
> >
> > Also, the PMDs don't have any calls to each other. The communication between
> > the two happens via common. The crypto dev PMD will register the required
> > security ops to a common structure and ethdev would get it from there. So there
> > won't be an issue of build dependency.
> >
>
> - The code that need to be duplicated can be moved to drivers/common/

I would like to keep the common code that is common to all the coprocessors.

Moreover, there are logistic issues in that case where
a) drivers/common/octeontx2/ is going through the master repo. So we will be
creating an unnecessary dependency on that 'master' tree.
b) crypto and ethdev work is done by different teams, so we would like
to make responsibility clear wrt the review and ownership.

I would like to keep the security/crypto-related code in driver/crypto and
hook it to driver/net/octeontx2 with the required functionalities over
driver/common, using a few function pointers to remove the cyclic build
dependency.

Considering there is no cyclic build and shared library dependency
now, can we make forward progress with the existing scheme?

> - You may not need to include rte_ethdev.h inside drivers/crypto
> - otx2_sec_eth_ctx_create should be part of ethdev and you would need similar API
> for crypto device as well when you would support the fallback session support.
> So that would go in crypto. Session creation code may be common and can go
> in drivers/common.
> - You would have separate security_ctx for both eth device and crypto device and that should
> In net device and crypto device separately. Similarly security->ops should be different in both of them.
> However if they may have same session creation code and that can go in common.
>

^ permalink raw reply	[flat|nested] 111+ messages in thread
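
The arrangement described in the message above (the crypto PMD registers its security ops in a common structure and ethdev fetches them through function pointers) is shown here as an added example; it is not code from the patch series or from DPDK. All identifiers (`sec_eth_ops`, `common_sec_ops_register`, `eth_port_configure` and the rest) are hypothetical, and the single-registration and fail-closed checks are assumptions of this example.

```c
/* Added illustration, not DPDK source; every identifier is hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* ---- common layer: links against neither PMD ---- */
struct sec_eth_ops {
    int (*ctx_create)(uint16_t port_id, void **ctx);
    int (*ctx_destroy)(void *ctx);
};
static const struct sec_eth_ops *registered_ops; /* NULL until registered */

int common_sec_ops_register(const struct sec_eth_ops *ops)
{
    if (ops == NULL || ops->ctx_create == NULL || ops->ctx_destroy == NULL)
        return -EINVAL; /* never store a table with missing callbacks */
    if (registered_ops != NULL)
        return -EEXIST; /* a second caller must not swap the callbacks */
    registered_ops = ops;
    return 0;
}

const struct sec_eth_ops *common_sec_ops_get(void)
{
    return registered_ops;
}

/* ---- crypto PMD: owns the security code, registers it at probe ---- */
#define MAX_PORTS 4
struct crypto_sec_ctx { int in_use; };
static struct crypto_sec_ctx ctx_tbl[MAX_PORTS]; /* one context per port */

static int crypto_ctx_create(uint16_t port_id, void **ctx)
{
    if (port_id >= MAX_PORTS)
        return -EINVAL;
    if (ctx_tbl[port_id].in_use)
        return -EBUSY;
    ctx_tbl[port_id].in_use = 1;
    *ctx = &ctx_tbl[port_id];
    return 0;
}

static int crypto_ctx_destroy(void *ctx)
{
    struct crypto_sec_ctx *c = ctx;

    if (c == NULL || !c->in_use)
        return -EINVAL;
    c->in_use = 0;
    return 0;
}

static const struct sec_eth_ops crypto_ops = {
    .ctx_create = crypto_ctx_create,
    .ctx_destroy = crypto_ctx_destroy,
};

int crypto_pmd_probe(void)
{
    return common_sec_ops_register(&crypto_ops);
}

/* ---- ethdev PMD: reaches the security code only through common ---- */
struct eth_port {
    uint16_t port_id;
    void *sec_ctx; /* must start out NULL */
};

int eth_port_configure(struct eth_port *port, int want_inline_ipsec)
{
    const struct sec_eth_ops *ops = common_sec_ops_get();

    if (!want_inline_ipsec)
        return 0;
    if (ops == NULL)
        return -ENOTSUP; /* fail closed: no silent plaintext fallback */
    return ops->ctx_create(port->port_id, &port->sec_ctx);
}

int eth_port_close(struct eth_port *port)
{
    const struct sec_eth_ops *ops = common_sec_ops_get();
    int rc = 0;

    if (port->sec_ctx != NULL)
        rc = (ops != NULL) ? ops->ctx_destroy(port->sec_ctx) : -ENOTSUP;
    if (rc == 0)
        port->sec_ctx = NULL;
    return rc;
}

int main(void)
{
    struct eth_port port = { .port_id = 0, .sec_ctx = NULL };
    int before = eth_port_configure(&port, 1); /* crypto PMD not probed yet */
    return !(before == -ENOTSUP && crypto_pmd_probe() == 0 &&
             eth_port_configure(&port, 1) == 0 && eth_port_close(&port) == 0);
}
```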

* Re: [dpdk-dev] [EXT] Re: [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-22 14:18             ` Jerin Jacob
@ 2020-01-27  2:55               ` Anoob Joseph
  2020-01-27 10:40               ` [dpdk-dev] " Akhil Goyal
  1 sibling, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-27  2:55 UTC (permalink / raw)
  To: Jerin Jacob, Akhil Goyal
  Cc: Declan Doherty, Thomas Monjalon, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj,
	Vamsi Krishna Attunuru, Lukas Bartosik, dpdk-dev

Hi Akhil,

Shall I send v3 with the commit header updates that Jerin suggested?

Thanks,
Anoob

> -----Original Message-----
> From: Jerin Jacob <jerinjacobk@gmail.com>
> Sent: Wednesday, January 22, 2020 7:48 PM
> To: Akhil Goyal <akhil.goyal@nxp.com>
> Cc: Anoob Joseph <anoobj@marvell.com>; Declan Doherty
> <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>; Jerin
> Jacob Kollanukkaran <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; Vamsi Krishna Attunuru <vattunuru@marvell.com>;
> Lukas Bartosik <lbartosik@marvell.com>; dpdk-dev <dev@dpdk.org>
> Subject: [EXT] Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec
> support
> 
> On Wed, Jan 22, 2020 at 6:26 PM Akhil Goyal <akhil.goyal@nxp.com> wrote:
> >
> > > > >
> > > > > Hi Jerin,
> > > > >
> > > > > Will  do the suggested change (RX/rx-> Rx & TX/tx->Tx). Do you
> > > > > want me to trim the headline as well?
> > > > >
> > > >
> > > > Hi Anoob,
> > > >
> > > > > @Akhil, did you get a chance to review the series? Do you have
> > > > > any comments on the patches?
> > > > >
> > > >
> > > > You are adding inline ipsec support to ethernet device and not a
> > > > crypto device.
> > > > These patches should not be part of crypto PMD. There will be
> > > > cyclic dependency Between ethernet device and crypto device which
> > > > can be easily avoided.
> > >
> > > [Anoob] We have plans to use lookaside protocol to handle the "fallback"
> > > session. And that involves session sharing between inline and
> > > lookaside protocol offloads. Also, though the feature is exposed as
> > > a feature of ethdev, on our platform, it's the crypto block which
> > > primarily implements the feature. And so, if the code is moved to
> > > ethdev dir, there would be lot of code duplication. The idea is to have all
> security related code in one place.
> > >
> > > Also, the PMDs don't have any calls to each other. The communication
> > > between the two happens via common. The crypto dev PMD will register
> > > the required security ops to a common structure and ethdev would get
> > > it from there. So there won't be an issue of build dependency.
> > >
> >
> > - The code that need to be duplicated can be moved to drivers/common/
> 
> I would like to keep the common code that is common to all the coprocessors.
> 
> Moreover, there are logistic issues in that case where
> a) drivers/common/octeontx2/ going through master repo. So we will be
> creating unnecessary dependency with that 'master' tree.
> b) crypto and ethdev work is done by different teams so we would like to make
> responsibly clear wrt the review and ownership.
> 
> I would like to keep the security/crypto-related code to driver/crypto and hook
> to driver/net/octeontx2 with required functionalities over the driver/common
> using a few function pointers to remove the cyclic build dependency.
> 
> Considering there is no cyclic build and shared library dependency now, Can we
> make forward progress with the existing scheme?
> 
> > - You may not need to include rte_ethdev.h inside drivers/crypto
> > - otx2_sec_eth_ctx_create should be part of ethdev and you would need
> > similar API for crypto device as well when you would support the fallback
> session support.
> > So that would go in crypto. Session creation code may be common and
> > can go in drivers/common.
> > - You would have separate security_ctx for both eth device and crypto
> > device and that should In net device and crypto device separately. Similarly
> security->ops should be different in both of them.
> > However if they may have same session creation code and that can go in
> common.
> >

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH v2 02/15] common/octeontx2: add routine to check if sec capable otx2
  2020-01-18 10:49   ` [dpdk-dev] [PATCH v2 02/15] common/octeontx2: add routine to check if sec capable otx2 Anoob Joseph
  2020-01-18 14:35     ` Jerin Jacob
@ 2020-01-27  7:01     ` Akhil Goyal
  2020-01-27  8:02       ` Anoob Joseph
  1 sibling, 1 reply; 111+ messages in thread
From: Akhil Goyal @ 2020-01-27  7:01 UTC (permalink / raw)
  To: Anoob Joseph, Declan Doherty, Thomas Monjalon
  Cc: Vamsi Attunuru, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Lukasz Bartosik, dev

Hi Anoob,

> 
> From: Vamsi Attunuru <vattunuru@marvell.com>
> 
> This routine returns true if given rte_eth_dev is security offload
> capable and belongs to octeontx2.
> 
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> ---
>  drivers/common/octeontx2/otx2_common.c               | 20
> ++++++++++++++++++++
>  drivers/common/octeontx2/otx2_common.h               |  2 ++
>  .../octeontx2/rte_common_octeontx2_version.map       |  1 +
>  3 files changed, 23 insertions(+)
> 
> diff --git a/drivers/common/octeontx2/otx2_common.c
> b/drivers/common/octeontx2/otx2_common.c
> index 7e45366..2f9b167 100644
> --- a/drivers/common/octeontx2/otx2_common.c
> +++ b/drivers/common/octeontx2/otx2_common.c
> @@ -3,6 +3,7 @@
>   */
> 
>  #include <rte_atomic.h>
> +#include <rte_ethdev.h>
>  #include <rte_malloc.h>
>  #include <rte_log.h>
> 
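
Review bot: the new `#include <rte_ethdev.h>` in otx2_common.c makes the
common driver depend on the ethdev library, but the diffstat for this patch
lists only otx2_common.c, otx2_common.h and the version map. Please confirm
that the Makefile and meson.build of drivers/common/octeontx2 already declare
that dependency, or add it in this patch.
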
> @@ -23,6 +24,25 @@ otx2_npa_set_defaults(struct otx2_idev_cfg *idev)
> 
>  /**
>   * @internal
> + * Check if rte_eth_dev is security offload capable otx2_eth_dev
> + */
> +uint8_t
> +otx2_ethdev_is_sec_capable(struct rte_eth_dev *eth_dev)
> +{
> +	struct rte_pci_device *pci_dev;
> +
> +	pci_dev = RTE_ETH_DEV_TO_PCI(eth_dev);
> +
> +	if (pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_PF ||
> +	    pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_VF ||
> +	    pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_AF_VF)
> +		return 1;
> +
> +	return 0;
> +}
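
Review bot: the check in otx2_ethdev_is_sec_capable() compares only
`pci_dev->id.device_id` and never `id.vendor_id`, so a device from another
vendor whose device ID collides with one of the three RVU IDs would be
reported as security capable; compare the vendor ID as well. The function
also applies RTE_ETH_DEV_TO_PCI() to whatever `eth_dev` it is handed and
dereferences the result unconditionally, which is only valid for a PCI-backed
port. Since the commit message says the routine decides whether a given
rte_eth_dev belongs to octeontx2 at all, it should reject a NULL `eth_dev`
and a non-PCI port before reading `id`. A bool return type and a line in the
comment documenting the 1/0 result would make the contract clearer.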

Why is this API defined in common?
This is a capability of ethernet device and is only specific to OCTEONTX2 driver.

- Akhil

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH v2 02/15] common/octeontx2: add routine to check if sec capable otx2
  2020-01-27  7:01     ` Akhil Goyal
@ 2020-01-27  8:02       ` Anoob Joseph
  2020-01-27  8:12         ` Anoob Joseph
  0 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2020-01-27  8:02 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Vamsi Krishna Attunuru, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj,
	Lukas Bartosik, dev

Hi Akhil,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Akhil Goyal <akhil.goyal@nxp.com>
> Sent: Monday, January 27, 2020 12:31 PM
> To: Anoob Joseph <anoobj@marvell.com>; Declan Doherty
> <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>
> Cc: Vamsi Krishna Attunuru <vattunuru@marvell.com>; Jerin Jacob
> Kollanukkaran <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; Lukas Bartosik <lbartosik@marvell.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [PATCH v2 02/15] common/octeontx2: add routine to check if
> sec capable otx2
> 
> Hi Anoob,
> 
> >
> > From: Vamsi Attunuru <vattunuru@marvell.com>
> >
> > This routine returns true if given rte_eth_dev is security offload
> > capable and belongs to octeontx2.
> >
> > Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> > ---
> >  drivers/common/octeontx2/otx2_common.c               | 20
> > ++++++++++++++++++++
> >  drivers/common/octeontx2/otx2_common.h               |  2 ++
> >  .../octeontx2/rte_common_octeontx2_version.map       |  1 +
> >  3 files changed, 23 insertions(+)
> >
> > diff --git a/drivers/common/octeontx2/otx2_common.c
> > b/drivers/common/octeontx2/otx2_common.c
> > index 7e45366..2f9b167 100644
> > --- a/drivers/common/octeontx2/otx2_common.c
> > +++ b/drivers/common/octeontx2/otx2_common.c
> > @@ -3,6 +3,7 @@
> >   */
> >
> >  #include <rte_atomic.h>
> > +#include <rte_ethdev.h>
> >  #include <rte_malloc.h>
> >  #include <rte_log.h>
> >
> > @@ -23,6 +24,25 @@ otx2_npa_set_defaults(struct otx2_idev_cfg *idev)
> >
> >  /**
> >   * @internal
> > + * Check if rte_eth_dev is security offload capable otx2_eth_dev  */
> > +uint8_t otx2_ethdev_is_sec_capable(struct rte_eth_dev *eth_dev) {
> > +	struct rte_pci_device *pci_dev;
> > +
> > +	pci_dev = RTE_ETH_DEV_TO_PCI(eth_dev);
> > +
> > +	if (pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_PF ||
> > +	    pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_VF ||
> > +	    pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_AF_VF)
> > +		return 1;
> > +
> > +	return 0;
> > +}
> 
> Why is this API defined in common?
> This is a capability of ethernet device and is only specific to OCTEONTX2 driver.

[Anoob] Crypto PMD is querying eth dev device for 'security' capability. If we put the call in ethdev PMD, then there will be a build dependency. 

This is required because we need to map crypto queues to eth devices. This is required for outbound processing.
 
> 
> - Akhil

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH v2 02/15] common/octeontx2: add routine to check if sec capable otx2
  2020-01-27  8:02       ` Anoob Joseph
@ 2020-01-27  8:12         ` Anoob Joseph
  0 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-27  8:12 UTC (permalink / raw)
  To: Anoob Joseph, Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Vamsi Krishna Attunuru, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj,
	Lukas Bartosik, dev

Hi Akhil,

Minor correction. Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Anoob Joseph
> Sent: Monday, January 27, 2020 1:33 PM
> To: Akhil Goyal <akhil.goyal@nxp.com>; Declan Doherty
> <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>
> Cc: Vamsi Krishna Attunuru <vattunuru@marvell.com>; Jerin Jacob
> Kollanukkaran <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; Lukas Bartosik <lbartosik@marvell.com>;
> dev@dpdk.org
> Subject: Re: [dpdk-dev] [PATCH v2 02/15] common/octeontx2: add routine to
> check if sec capable otx2
> 
> Hi Akhil,
> 
> Please see inline.
> 
> Thanks,
> Anoob
> 
> > -----Original Message-----
> > From: Akhil Goyal <akhil.goyal@nxp.com>
> > Sent: Monday, January 27, 2020 12:31 PM
> > To: Anoob Joseph <anoobj@marvell.com>; Declan Doherty
> > <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>
> > Cc: Vamsi Krishna Attunuru <vattunuru@marvell.com>; Jerin Jacob
> > Kollanukkaran <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> > <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> > <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> > <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> > Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
> > <ktejasree@marvell.com>; Lukas Bartosik <lbartosik@marvell.com>;
> > dev@dpdk.org
> > Subject: [EXT] RE: [PATCH v2 02/15] common/octeontx2: add routine to
> > check if sec capable otx2
> >
> > Hi Anoob,
> >
> > >
> > > From: Vamsi Attunuru <vattunuru@marvell.com>
> > >
> > > This routine returns true if given rte_eth_dev is security offload
> > > capable and belongs to octeontx2.
> > >
> > > Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> > > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > > Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> > > ---
> > >  drivers/common/octeontx2/otx2_common.c               | 20
> > > ++++++++++++++++++++
> > >  drivers/common/octeontx2/otx2_common.h               |  2 ++
> > >  .../octeontx2/rte_common_octeontx2_version.map       |  1 +
> > >  3 files changed, 23 insertions(+)
> > >
> > > diff --git a/drivers/common/octeontx2/otx2_common.c
> > > b/drivers/common/octeontx2/otx2_common.c
> > > index 7e45366..2f9b167 100644
> > > --- a/drivers/common/octeontx2/otx2_common.c
> > > +++ b/drivers/common/octeontx2/otx2_common.c
> > > @@ -3,6 +3,7 @@
> > >   */
> > >
> > >  #include <rte_atomic.h>
> > > +#include <rte_ethdev.h>
> > >  #include <rte_malloc.h>
> > >  #include <rte_log.h>
> > >
> > > @@ -23,6 +24,25 @@ otx2_npa_set_defaults(struct otx2_idev_cfg *idev)
> > >
> > >  /**
> > >   * @internal
> > > + * Check if rte_eth_dev is security offload capable otx2_eth_dev
> > > +*/ uint8_t otx2_ethdev_is_sec_capable(struct rte_eth_dev *eth_dev) {
> > > +	struct rte_pci_device *pci_dev;
> > > +
> > > +	pci_dev = RTE_ETH_DEV_TO_PCI(eth_dev);
> > > +
> > > +	if (pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_PF ||
> > > +	    pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_VF ||
> > > +	    pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_AF_VF)
> > > +		return 1;
> > > +
> > > +	return 0;
> > > +}
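Review bot: otx2_ethdev_is_sec_capable() decides purely on pci_dev->id.device_id, so the name promises more than the body checks. Nothing in the hunk looks at a security capability, and vendor_id is never compared, so any ethdev whose PCI device ID equals one of the three RVU IDs returns 1. RTE_ETH_DEV_TO_PCI(eth_dev) is also applied with no check that eth_dev is non-NULL or that the port is PCI-backed, which matters for a helper that the diffstat shows being added to the version map for use from another driver. Suggest validating eth_dev before the conversion, comparing vendor_id alongside device_id, and either renaming the helper to say it identifies an otx2 RVU device or stating that limitation in the @internal comment. A bool return would also fit a yes/no predicate better than uint8_t.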
> >
> > Why is this API defined in common?
> > This is a capability of ethernet device and is only specific to OCTEONTX2 driver.
> 
> [Anoob] Crypto PMD is querying eth dev device for 'security' capability. If we put
> the "definition" in ethdev PMD, then there will be a build dependency.

[Anoob] Minor correction in the above line. 

> 
> This is required because we need to map crypto queues to eth devices. This is
> required for outbound processing.
> 
> >
> > - Akhil

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-22 14:18             ` Jerin Jacob
  2020-01-27  2:55               ` [dpdk-dev] [EXT] " Anoob Joseph
@ 2020-01-27 10:40               ` Akhil Goyal
  2020-01-27 11:25                 ` Jerin Jacob
  1 sibling, 1 reply; 111+ messages in thread
From: Akhil Goyal @ 2020-01-27 10:40 UTC (permalink / raw)
  To: Jerin Jacob, Anoob Joseph
  Cc: Declan Doherty, Thomas Monjalon, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj,
	Vamsi Krishna Attunuru, Lukas Bartosik, dpdk-dev


> 
> On Wed, Jan 22, 2020 at 6:26 PM Akhil Goyal <akhil.goyal@nxp.com> wrote:
> >
> > > > >
> > > > > Hi Jerin,
> > > > >
> > > > > Will  do the suggested change (RX/rx-> Rx & TX/tx->Tx). Do you want me
> > > > > to trim the headline as well?
> > > > >
> > > >
> > > > Hi Anoob,
> > > >
> > > > > @Akhil, did you get a chance to review the series? Do you have any
> > > > > comments on the patches?
> > > > >
> > > >
> > > > You are adding inline ipsec support to ethernet device and not a crypto
> > > > device.
> > > > These patches should not be part of crypto PMD. There will be cyclic
> > > > dependency Between ethernet device and crypto device which can be
> easily
> > > > avoided.
> > >
> > > [Anoob] We have plans to use lookaside protocol to handle the "fallback"
> > > session. And that involves session sharing between inline and lookaside
> protocol
> > > offloads. Also, though the feature is exposed as a feature of ethdev, on our
> > > platform, it's the crypto block which primarily implements the feature. And
> so, if
> > > the code is moved to ethdev dir, there would be lot of code duplication. The
> > > idea is to have all security related code in one place.
> > >
> > > Also, the PMDs don't have any calls to each other. The communication
> between
> > > the two happens via common. The crypto dev PMD will register the required
> > > security ops to a common structure and ethdev would get it from there. So
> there
> > > won't be an issue of build dependency.
> > >
> >
> > - The code that need to be duplicated can be moved to drivers/common/
> 
> I would like to keep the common code that is common to all the coprocessors.
> 
> Moreover, there are logistic issues in that case where
> a) drivers/common/octeontx2/ going through master repo. So we will be
> creating unnecessary dependency with that 'master' tree.
> b) crypto and ethdev work is done by different teams so we would like
> to make responsibly clear wrt the review and ownership.

I can agree that the code shall not be placed in common/octeontx2,
but you can have a header file in crypto/octeontx2/ which has some inline functions
which can be called from the ethernet as well as crypto device for inline proto
and lookaside cases respectively. I think with that the maintainability would not
be an issue.

IMO, the following approach can be looked at and may be cleaner:
- define security ctx and its ops in net/octeontx2.c or net/octeontx2_security.c
These are all control path and should not be any issue.

- define crypto specific code (inline functions) in crypto/octeontx2_security.h
which can be called for both inline protocol as well as lookaside proto case.

- for data path you can have the processing as is. I hope all dependencies can
be dealt with as the code will be there in crypto driver for all the mapping of
event and crypto queues.

- all APIs which are common for ethernet device and crypto device in
octeontx2_security.h should not prefix eth as is the case in current APIs.

I hope this will clear the ugliness of the code.
> 
> I would like to keep the security/crypto-related code to driver/crypto and
> hook to driver/net/octeontx2 with required functionalities over the
> driver/common
> using a few function pointers to remove the cyclic build dependency.
> 
> Considering there is no cyclic build and shared library dependency
> now, Can we make forward progress
> with the existing scheme?
> 
> > - You may not need to include rte_ethdev.h inside drivers/crypto
> > - otx2_sec_eth_ctx_create should be part of ethdev and you would need
> similar API
> > for crypto device as well when you would support the fallback session support.
> > So that would go in crypto. Session creation code may be common and can go
> > in drivers/common.
> > - You would have separate security_ctx for both eth device and crypto device
> and that should
> > In net device and crypto device separately. Similarly security->ops should be
> different in both of them.
> > However if they may have same session creation code and that can go in
> common.
> >


^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-27 10:40               ` [dpdk-dev] " Akhil Goyal
@ 2020-01-27 11:25                 ` Jerin Jacob
  2020-01-27 11:47                   ` Akhil Goyal
  0 siblings, 1 reply; 111+ messages in thread
From: Jerin Jacob @ 2020-01-27 11:25 UTC (permalink / raw)
  To: Akhil Goyal
  Cc: Anoob Joseph, Declan Doherty, Thomas Monjalon,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Kiran Kumar Kokkilagadda, Nithin Kumar Dabilpuram,
	Pavan Nikhilesh Bhagavatula, Ankur Dwivedi, Archana Muniganti,
	Tejasree Kondoj, Vamsi Krishna Attunuru, Lukas Bartosik,
	dpdk-dev

On Mon, Jan 27, 2020 at 4:10 PM Akhil Goyal <akhil.goyal@nxp.com> wrote:
>
>
> >
> > On Wed, Jan 22, 2020 at 6:26 PM Akhil Goyal <akhil.goyal@nxp.com> wrote:
> > >
> > > > > >
> > > > > > Hi Jerin,
> > > > > >
> > > > > > Will  do the suggested change (RX/rx-> Rx & TX/tx->Tx). Do you want me
> > > > > > to trim the headline as well?
> > > > > >
> > > > >
> > > > > Hi Anoob,
> > > > >
> > > > > > @Akhil, did you get a chance to review the series? Do you have any
> > > > > > comments on the patches?
> > > > > >
> > > > >
> > > > > You are adding inline ipsec support to ethernet device and not a crypto
> > > > > device.
> > > > > These patches should not be part of crypto PMD. There will be cyclic
> > > > > dependency Between ethernet device and crypto device which can be
> > easily
> > > > > avoided.
> > > >
> > > > [Anoob] We have plans to use lookaside protocol to handle the "fallback"
> > > > session. And that involves session sharing between inline and lookaside
> > protocol
> > > > offloads. Also, though the feature is exposed as a feature of ethdev, on our
> > > > platform, it's the crypto block which primarily implements the feature. And
> > so, if
> > > > the code is moved to ethdev dir, there would be lot of code duplication. The
> > > > idea is to have all security related code in one place.
> > > >
> > > > Also, the PMDs don't have any calls to each other. The communication
> > between
> > > > the two happens via common. The crypto dev PMD will register the required
> > > > security ops to a common structure and ethdev would get it from there. So
> > there
> > > > won't be an issue of build dependency.
> > > >
> > >
> > > - The code that need to be duplicated can be moved to drivers/common/
> >
> > I would like to keep the common code that is common to all the coprocessors.
> >
> > Moreover, there are logistic issues in that case where
> > a) drivers/common/octeontx2/ going through master repo. So we will be
> > creating unnecessary dependency with that 'master' tree.
> > b) crypto and ethdev work is done by different teams so we would like
> > to make responsibly clear wrt the review and ownership.
>
> I can agree upon that the code shall not be placed in the common/octeontx2,
> But you can have a header file in crypto/octeontx2/ which has some inline functions
> Which can be called from the ethernet as well as crypto device for inline proto
> And lookaside cases respectively. I think with that the maintainability would not
> be an issue.
>
> IMO, following approach can be looked upon and may be cleaner
> - define security ctx and its ops in net/octeontx2.c or net/octeontx2_security.c
> These are all control path and should not be any issue.
>
> - define crypto specific code (inline functions) in crypto/octeontx2_security.h
> Which can be called for both inline protocol as well as lookaside proto case.

One problem with such an approach is we need to have fat inline functions.
In some cases, those inline functions need to access the
array/driver specific symbols in another driver namespace; then those arrays
need to be exported in the map file and hence the build dependency comes.


>
> - for data path you can have the processing as is. I hope all dependencies can
> Be dealt with as the code will be there in crypto driver for all the mapping of
> Event and crypto queues.
>
> - all APIs which are common for ethernet device and crypto device in
> octeontx2_security.h should not prefix eth as is the case in current APIs.

If I understand it correctly, you have a concern about having the
*rte_eth* symbols in driver/crypto/octeontx2?
If so, we can check what can be done. Let us know your exact
concern in managing the code in this model.

>
> I hope this will clear the ugliness of the code.

It is relative, I think, having fat inline functions and accessing
both drivers is ugly.

> >
> > I would like to keep the security/crypto-related code to driver/crypto and
> > hook to driver/net/octeontx2 with required functionalities over the
> > driver/common
> > using a few function pointers to remove the cyclic build dependency.
> >
> > Considering there is no cyclic build and shared library dependency
> > now, Can we make forward progress
> > with the existing scheme?
> >
> > > - You may not need to include rte_ethdev.h inside drivers/crypto
> > > - otx2_sec_eth_ctx_create should be part of ethdev and you would need
> > similar API
> > > for crypto device as well when you would support the fallback session support.
> > > So that would go in crypto. Session creation code may be common and can go
> > > in drivers/common.
> > > - You would have separate security_ctx for both eth device and crypto device
> > and that should
> > > In net device and crypto device separately. Similarly security->ops should be
> > different in both of them.
> > > However if they may have same session creation code and that can go in
> > common.
> > >
>

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-27 11:25                 ` Jerin Jacob
@ 2020-01-27 11:47                   ` Akhil Goyal
  2020-01-27 14:54                     ` Anoob Joseph
  0 siblings, 1 reply; 111+ messages in thread
From: Akhil Goyal @ 2020-01-27 11:47 UTC (permalink / raw)
  To: Jerin Jacob
  Cc: Anoob Joseph, Declan Doherty, Thomas Monjalon,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Kiran Kumar Kokkilagadda, Nithin Kumar Dabilpuram,
	Pavan Nikhilesh Bhagavatula, Ankur Dwivedi, Archana Muniganti,
	Tejasree Kondoj, Vamsi Krishna Attunuru, Lukas Bartosik,
	dpdk-dev

Hi Jerin,

> 
> On Mon, Jan 27, 2020 at 4:10 PM Akhil Goyal <akhil.goyal@nxp.com> wrote:
> >
> >
> > >
> > > On Wed, Jan 22, 2020 at 6:26 PM Akhil Goyal <akhil.goyal@nxp.com> wrote:
> > > >
> > > > > > >
> > > > > > > Hi Jerin,
> > > > > > >
> > > > > > > Will  do the suggested change (RX/rx-> Rx & TX/tx->Tx). Do you want
> me
> > > > > > > to trim the headline as well?
> > > > > > >
> > > > > >
> > > > > > Hi Anoob,
> > > > > >
> > > > > > > @Akhil, did you get a chance to review the series? Do you have any
> > > > > > > comments on the patches?
> > > > > > >
> > > > > >
> > > > > > You are adding inline ipsec support to ethernet device and not a crypto
> > > > > > device.
> > > > > > These patches should not be part of crypto PMD. There will be cyclic
> > > > > > dependency Between ethernet device and crypto device which can be
> > > easily
> > > > > > avoided.
> > > > >
> > > > > [Anoob] We have plans to use lookaside protocol to handle the "fallback"
> > > > > session. And that involves session sharing between inline and lookaside
> > > protocol
> > > > > offloads. Also, though the feature is exposed as a feature of ethdev, on
> our
> > > > > platform, it's the crypto block which primarily implements the feature.
> And
> > > so, if
> > > > > the code is moved to ethdev dir, there would be lot of code duplication.
> The
> > > > > idea is to have all security related code in one place.
> > > > >
> > > > > Also, the PMDs don't have any calls to each other. The communication
> > > between
> > > > > the two happens via common. The crypto dev PMD will register the
> required
> > > > > security ops to a common structure and ethdev would get it from there.
> So
> > > there
> > > > > won't be an issue of build dependency.
> > > > >
> > > >
> > > > - The code that need to be duplicated can be moved to drivers/common/
> > >
> > > I would like to keep the common code that is common to all the
> coprocessors.
> > >
> > > Moreover, there are logistic issues in that case where
> > > a) drivers/common/octeontx2/ going through master repo. So we will be
> > > creating unnecessary dependency with that 'master' tree.
> > > b) crypto and ethdev work is done by different teams so we would like
> > > to make responsibly clear wrt the review and ownership.
> >
> > I can agree upon that the code shall not be placed in the common/octeontx2,
> > But you can have a header file in crypto/octeontx2/ which has some inline
> functions
> > Which can be called from the ethernet as well as crypto device for inline proto
> > And lookaside cases respectively. I think with that the maintainability would
> not
> > be an issue.
> >
> > IMO, following approach can be looked upon and may be cleaner
> > - define security ctx and its ops in net/octeontx2.c or net/octeontx2_security.c
> > These are all control path and should not be any issue.
> >
> > - define crypto specific code (inline functions) in crypto/octeontx2_security.h
> > Which can be called for both inline protocol as well as lookaside proto case.
> 
> One problem with such an approach is we need to have fat inline functions.
> In some case, those inline functions to needs  accessing the
> array/driver specific symbols
> in another driver namespace then those array needs to be exported in
> map file and hence the
> build dependency comes.

How many such symbols are there? I don’t think they will be many. Can they be
passed as arguments in the APIs to avoid build dependencies?

> 
> 
> >
> > - for data path you can have the processing as is. I hope all dependencies can
> > Be dealt with as the code will be there in crypto driver for all the mapping of
> > Event and crypto queues.
> >
> > - all APIs which are common for ethernet device and crypto device in
> > octeontx2_security.h should not prefix eth as is the case in current APIs.
> 
> If I understand it correctly, You have a concern in having the
> *rte_eth* symbols in driver/crypto/octeontx2?
> If so, we can check what can be done. Let us know the exact your
> concern in managing the code in this
> model?

Yes, rte_eth* symbols should not be there in crypto driver,
because crypto driver is not leveraging any ethernet functionality.
It is the other way: ethernet device is using the crypto functionality/
structs etc. for supporting inline IPSEC.

Also, the security ctx should be part of ethdev and its ops should be
defined in ethernet device which may call some inline APIs placed in
drivers/crypto/octeontx2/

> 
> >
> > I hope this will clear the ugliness of the code.
> 
> It is relative, I think, having fat inline functions and accessing
> both drivers is ugly.

Breaking the way an API needs to be defined and used is even uglier.
IMO, having fat inline functions will act as external library functions which
are independent of the device which is calling it.
Something similar to drivers/common/dpaax/caamflib/.

My original suggestion was to put it in common, but I am ok, if you want that
in the crypto driver. I agree with the decision that all crypto/ipsec related stuff
should be there under drivers/crypto if it is getting used from both the net and
crypto driver. But at least the API definitions should be there where they should be.


> 
> > >
> > > I would like to keep the security/crypto-related code to driver/crypto and
> > > hook to driver/net/octeontx2 with required functionalities over the
> > > driver/common
> > > using a few function pointers to remove the cyclic build dependency.
> > >
> > > Considering there is no cyclic build and shared library dependency
> > > now, Can we make forward progress
> > > with the existing scheme?
> > >
> > > > - You may not need to include rte_ethdev.h inside drivers/crypto
> > > > - otx2_sec_eth_ctx_create should be part of ethdev and you would need
> > > similar API
> > > > for crypto device as well when you would support the fallback session
> support.
> > > > So that would go in crypto. Session creation code may be common and can
> go
> > > > in drivers/common.
> > > > - You would have separate security_ctx for both eth device and crypto
> device
> > > and that should
> > > > In net device and crypto device separately. Similarly security->ops should
> be
> > > different in both of them.
> > > > However if they may have same session creation code and that can go in
> > > common.
> > > >
> >

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-27 11:47                   ` Akhil Goyal
@ 2020-01-27 14:54                     ` Anoob Joseph
  2020-01-28  8:29                       ` Jerin Jacob
  2020-01-28 17:27                       ` [dpdk-dev] " Ferruh Yigit
  0 siblings, 2 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-27 14:54 UTC (permalink / raw)
  To: Akhil Goyal, Jerin Jacob, Ferruh Yigit
  Cc: Declan Doherty, Thomas Monjalon, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj,
	Vamsi Krishna Attunuru, Lukas Bartosik, dpdk-dev

Hi Jerin, Akhil,

Let me summarize the design changes from the discussions below.

Currently, drivers/crypto/octeontx2/otx2_security.c defines all security ctx ops for the ethdev (idea was to add all crypto security ctx for lookaside also there). That will be moved to drivers/net/octeontx2 as is. The routines which are doing qp_add & qp_remove would be moved to common (discussed below). Otherwise, the rest should remain as is. If Jerin/Akhil wants further isolation, please do share specifics. Almost all functions in otx2_security.c are dereferencing 'rte_eth_dev'. So having (void *) will not help.

The functions in otx2_security.c are calling inline functions in otx2_ipsec_fp.h (which has lower level implementations of session create etc). This will remain as is in drivers/crypto/octeontx2 but would be called from drivers/net/octeontx2/otx2_security.c.

We will need to include otx2_cryptodev_qp.h (internal header in drivers/crypto/octeontx2) since the crypto queue pair is required for outbound processing. Since otx2_cryptodev_qp.h has dependency on rte_cryptodev.h, the ethdev file will have dependency on rte_cryptodev.h.

I want all the maintainers (Akhil, Jerin & Ferruh) to ack the above behavior so that I can proceed with the restructuring. (Currently the issue is rte_ethdev.h getting included in a cryptodev PMD file. The case we are proposing is the exact mirror of that.)

Currently, the cryptodev has to do qp-eth port mapping and save it somewhere for eth dev to use during security session create. This will have to be saved in drivers/common/octeontx2.

@Ferruh, do you agree with the suggestions here? With the proposed changes, parts of the patches would go into ethdev space (for reviews and merge), and the rest would be in crypto space.

Thanks,
Anoob

> -----Original Message-----
> From: Akhil Goyal <akhil.goyal@nxp.com>
> Sent: Monday, January 27, 2020 5:18 PM
> To: Jerin Jacob <jerinjacobk@gmail.com>
> Cc: Anoob Joseph <anoobj@marvell.com>; Declan Doherty
> <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>; Jerin
> Jacob Kollanukkaran <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; Vamsi Krishna Attunuru <vattunuru@marvell.com>;
> Lukas Bartosik <lbartosik@marvell.com>; dpdk-dev <dev@dpdk.org>
> Subject: [EXT] RE: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec
> support
> 
> Hi Jerin,
> 
> >
> > On Mon, Jan 27, 2020 at 4:10 PM Akhil Goyal <akhil.goyal@nxp.com> wrote:
> > >
> > >
> > > >
> > > > On Wed, Jan 22, 2020 at 6:26 PM Akhil Goyal <akhil.goyal@nxp.com>
> wrote:
> > > > >
> > > > > > > >
> > > > > > > > Hi Jerin,
> > > > > > > >
> > > > > > > > Will  do the suggested change (RX/rx-> Rx & TX/tx->Tx). Do
> > > > > > > > you want
> > me
> > > > > > > > to trim the headline as well?
> > > > > > > >
> > > > > > >
> > > > > > > Hi Anoob,
> > > > > > >
> > > > > > > > @Akhil, did you get a chance to review the series? Do you
> > > > > > > > have any comments on the patches?
> > > > > > > >
> > > > > > >
> > > > > > > You are adding inline ipsec support to ethernet device and
> > > > > > > not a crypto device.
> > > > > > > These patches should not be part of crypto PMD. There will
> > > > > > > be cyclic dependency Between ethernet device and crypto
> > > > > > > device which can be
> > > > easily
> > > > > > > avoided.
> > > > > >
> > > > > > [Anoob] We have plans to use lookaside protocol to handle the
> "fallback"
> > > > > > session. And that involves session sharing between inline and
> > > > > > lookaside
> > > > protocol
> > > > > > offloads. Also, though the feature is exposed as a feature of
> > > > > > ethdev, on
> > our
> > > > > > platform, it's the crypto block which primarily implements the feature.
> > And
> > > > so, if
> > > > > > the code is moved to ethdev dir, there would be lot of code duplication.
> > The
> > > > > > idea is to have all security related code in one place.
> > > > > >
> > > > > > Also, the PMDs don't have any calls to each other. The
> > > > > > communication
> > > > between
> > > > > > the two happens via common. The crypto dev PMD will register
> > > > > > the
> > required
> > > > > > security ops to a common structure and ethdev would get it from there.
> > So
> > > > there
> > > > > > won't be an issue of build dependency.
> > > > > >
> > > > >
> > > > > - The code that need to be duplicated can be moved to
> > > > > drivers/common/
> > > >
> > > > I would like to keep the common code that is common to all the
> > coprocessors.
> > > >
> > > > Moreover, there are logistic issues in that case where
> > > > a) drivers/common/octeontx2/ going through master repo. So we will
> > > > be creating unnecessary dependency with that 'master' tree.
> > > > b) crypto and ethdev work is done by different teams so we would
> > > > like to make responsibly clear wrt the review and ownership.
> > >
> > > I can agree upon that the code shall not be placed in the
> > > common/octeontx2, But you can have a header file in
> > > crypto/octeontx2/ which has some inline
> > functions
> > > Which can be called from the ethernet as well as crypto device for
> > > inline proto And lookaside cases respectively. I think with that the
> > > maintainability would
> > not
> > > be an issue.
> > >
> > > IMO, following approach can be looked upon and may be cleaner
> > > - define security ctx and its ops in net/octeontx2.c or
> > > net/octeontx2_security.c These are all control path and should not be any
> issue.
> > >
> > > - define crypto specific code (inline functions) in
> > > crypto/octeontx2_security.h Which can be called for both inline protocol as
> well as lookaside proto case.
> >
> > One problem with such an approach is we need to have fat inline functions.
> > In some case, those inline functions to needs  accessing the
> > array/driver specific symbols in another driver namespace then those
> > array needs to be exported in map file and hence the build dependency
> > comes.
> 
> How many such symbols are there. I don’t they will be many. Can they be Passed
> as argument in the APIs to avoid build dependencies.
> 
> >
> >
> > >
> > > - for data path you can have the processing as is. I hope all
> > > dependencies can Be dealt with as the code will be there in crypto
> > > driver for all the mapping of Event and crypto queues.
> > >
> > > - all APIs which are common for ethernet device and crypto device in
> > > octeontx2_security.h should not prefix eth as is the case in current APIs.
> >
> > If I understand it correctly, You have a concern in having the
> > *rte_eth* symbols in driver/crypto/octeontx2?
> > If so, we can check what can be done. Let us know the exact your
> > concern in managing the code in this model?
> 
> Yes, rte_eth* symbols should not be there in crypto driver.
> Because crypto driver is not leveraging any ethernet functionality, It is the other
> way, ethernet device is using the crypto functionality/ Structs etc for supporting
> inline IPSEC.
> 
> Also, the security ctx should be part of ethdev  and its ops should be Defined in
> ethernet device which may call some inline APIs placed in
> Drivers/crypto/octeontx2/
> 
> >
> > >
> > > I hope this will clear the ugliness of the code.
> >
> > It is relative, I think, having fat inline functions and accessing
> > both drivers is ugly.
> 
> Breaking the way an API need to be defined and used is even more uglier.
> IMO, having fat inline functions will act as external library functions which Are
> independent of the device which is calling it.
> Something similar to drivers/common/dpaax/caamflib/.
> 
> My original suggestion was to put it in common, but I am ok, if you want that In
> the crypto driver. I agree with the decision that all crypto/ipsec related stuff
> Should be there under drivers/crypto if it is getting used from both the net and
> Crypto driver. But atleast the API definitions should be there where it should be.
> 
> 
> >
> > > >
> > > > I would like to keep the security/crypto-related code to
> > > > driver/crypto and hook to driver/net/octeontx2 with required
> > > > functionalities over the driver/common using a few function
> > > > pointers to remove the cyclic build dependency.
> > > >
> > > > Considering there is no cyclic build and shared library dependency
> > > > now, Can we make forward progress with the existing scheme?
> > > >
> > > > > - You may not need to include rte_ethdev.h inside drivers/crypto
> > > > > - otx2_sec_eth_ctx_create should be part of ethdev and you would
> > > > > need
> > > > similar API
> > > > > for crypto device as well when you would support the fallback
> > > > > session
> > support.
> > > > > So that would go in crypto. Session creation code may be common
> > > > > and can
> > go
> > > > > in drivers/common.
> > > > > - You would have separate security_ctx for both eth device and
> > > > > crypto
> > device
> > > > and that should
> > > > > In net device and crypto device separately. Similarly
> > > > > security->ops should
> > be
> > > > different in both of them.
> > > > > However if they may have same session creation code and that can
> > > > > go in
> > > > common.
> > > > >
> > >

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-27 14:54                     ` Anoob Joseph
@ 2020-01-28  8:29                       ` Jerin Jacob
  2020-01-28  8:38                         ` Akhil Goyal
  2020-01-28 17:28                         ` Ferruh Yigit
  2020-01-28 17:27                       ` [dpdk-dev] " Ferruh Yigit
  1 sibling, 2 replies; 111+ messages in thread
From: Jerin Jacob @ 2020-01-28  8:29 UTC (permalink / raw)
  To: Anoob Joseph
  Cc: Akhil Goyal, Ferruh Yigit, Declan Doherty, Thomas Monjalon,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Kiran Kumar Kokkilagadda, Nithin Kumar Dabilpuram,
	Pavan Nikhilesh Bhagavatula, Ankur Dwivedi, Archana Muniganti,
	Tejasree Kondoj, Vamsi Krishna Attunuru, Lukas Bartosik,
	dpdk-dev

On Mon, Jan 27, 2020 at 8:24 PM Anoob Joseph <anoobj@marvell.com> wrote:
>
> Hi Jerin, Akhil,
>
> Let me summarize the design changes from the discussions below.
>
> Currently, drivers/crypto/octeontx2/otx2_security.c defines all security ctx ops for the ethdev (idea was to add all crypto security ctx for lookaside also there). That will be moved to drivers/net/octeontx2 as is. The routines which are doing qp_add & qp_remove would be moved to common (discussed below). Otherwise, the rest should remain as is. If Jerin/Akhil wants further isolation, please do share specifics. Almost all functions in otx2_security.c is dereferencing 'rte_eth_dev'. So having (void *) will not help.
>
> The functions in otx2_security.c is calling inline functions in otx2_ipsec_fp.h (which has lower level implementations of session create etc). This will remain as is in drivers/crypto/octeontx2 but would be called from drivers/net/octeontx2/otx2_security.c.
>
> We will need to include otx2_cryptodev_qp.h (internal header in drivers/crypto/octeontx2) since the crypto queue pair is required for outbound processing. Since otx2_cryptodev_qp.h has dependency on rte_cryptodev.h, the ethdev file will have dependency on rte_cryptodev.h.
>
> I want all the maintainers (Akhil, Jerin & Ferruh) to ack the above behavior so that I can proceed with the restructuring. (Currently issue is rte_ethdev.h getting included in a cryptodev PMD file. The case we are proposing is the exact mirror of that)

I think the following rework would be required.

1) Don't access rte_eth_dev symbols in driver/crypto/octeontx2
2) Don't access rte_crypto_dev symbols in driver/net/octeontx2
3) Communication between both drivers should be through a "custom
structure" (say struct otx2_eth_sec or so for inline, otx2_crypto_sec
for lookaside)
defined in driver/common/octeontx2 which holds data.
Processing function through "function pointer" registration provided
through driver/common/octeontx2 as idev framework to avoid build
dependency.

I am not sure anything else can be done beyond the above.

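The registration scheme proposed in point 3 of the message above, as an added example (not code from this patch series or from DPDK): a common layer holds a function-pointer table that the crypto side fills in and the net side calls, so neither driver includes the other's headers. All names are hypothetical, and it assumes control-path calls are serialized, so the slots carry no locking.

```c
/* Added illustration; every name is hypothetical, not a DPDK or OCTEON TX2 symbol.
 * Common layer: it sees neither ethdev nor cryptodev types. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define SEC_IDEV_MAX_PORTS 4
struct sec_sa_params { uint32_t spi; uint8_t outbound; };  /* plain data only */

struct sec_idev_ops {                    /* implemented by the crypto side */
	int (*session_create)(void *priv, const struct sec_sa_params *p, uint32_t *sa_idx);
	int (*session_destroy)(void *priv, uint32_t sa_idx);
};

static struct sec_idev_slot {
	const struct sec_idev_ops *ops;
	void *priv;                      /* opaque crypto-side state */
	unsigned int refcnt;             /* live sessions created through this slot */
} slots[SEC_IDEV_MAX_PORTS];

int sec_idev_register(uint16_t port, const struct sec_idev_ops *ops, void *priv)
{
	if (port >= SEC_IDEV_MAX_PORTS || ops == NULL ||
	    ops->session_create == NULL || ops->session_destroy == NULL)
		return -EINVAL;          /* never store a half-filled ops table */
	if (slots[port].ops != NULL)
		return -EEXIST;          /* no silent replacement of a provider */
	slots[port] = (struct sec_idev_slot){ .ops = ops, .priv = priv };
	return 0;
}

int sec_idev_unregister(uint16_t port)
{
	if (port >= SEC_IDEV_MAX_PORTS || slots[port].ops == NULL)
		return -ENOENT;
	if (slots[port].refcnt != 0)
		return -EBUSY;           /* live sessions would outlive the provider */
	slots[port] = (struct sec_idev_slot){ 0 };
	return 0;
}

int sec_idev_session_create(uint16_t port, const struct sec_sa_params *p, uint32_t *sa_idx)
{
	if (port >= SEC_IDEV_MAX_PORTS || p == NULL || sa_idx == NULL)
		return -EINVAL;
	if (slots[port].ops == NULL)
		return -ENOTSUP;         /* crypto side not attached to this port */
	int rc = slots[port].ops->session_create(slots[port].priv, p, sa_idx);
	if (rc == 0)
		slots[port].refcnt++;
	return rc;
}

int sec_idev_session_destroy(uint16_t port, uint32_t sa_idx)
{
	if (port >= SEC_IDEV_MAX_PORTS || slots[port].ops == NULL)
		return -ENOENT;
	int rc = slots[port].ops->session_destroy(slots[port].priv, sa_idx);
	if (rc == 0)
		slots[port].refcnt--;
	return rc;
}

/* Crypto side: owns SA state and exposes it only through the callbacks. */
struct crypto_qp { uint32_t sa_bitmap; };        /* bit n set: SA index n in use */

static int crypto_sa_create(void *priv, const struct sec_sa_params *p, uint32_t *sa_idx)
{
	struct crypto_qp *qp = priv;
	uint32_t i = 0;
	while (i < 32 && (qp->sa_bitmap & (UINT32_C(1) << i)))
		i++;                     /* first free SA index */
	if (p->spi == 0 || i == 32)
		return -EINVAL;          /* reserved SPI (RFC 4303) or table full */
	qp->sa_bitmap |= UINT32_C(1) << i;
	*sa_idx = i;
	return 0;
}

static int crypto_sa_destroy(void *priv, uint32_t sa_idx)
{
	struct crypto_qp *qp = priv;
	if (sa_idx >= 32 || (qp->sa_bitmap & (UINT32_C(1) << sa_idx)) == 0)
		return -ENOENT;          /* bad index or double destroy */
	qp->sa_bitmap &= ~(UINT32_C(1) << sa_idx);
	return 0;
}

static const struct sec_idev_ops crypto_ops = { crypto_sa_create, crypto_sa_destroy };

/* main attaches the crypto side, then acts as the net side through the common API. */
int main(void)
{
	struct crypto_qp qp = { 0 };
	struct sec_sa_params p = { .spi = 0x1001, .outbound = 1 };  /* constructed SA */
	uint32_t sa = 0;
	return sec_idev_register(0, &crypto_ops, &qp) || sec_idev_session_create(0, &p, &sa) ||
	       sec_idev_session_destroy(0, sa) || sec_idev_unregister(0);
}
```

The net side only ever passes struct sec_sa_params and an SA index across the boundary, and the common layer refuses to drop a provider while sessions created through it are still live.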

* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-28  8:29                       ` Jerin Jacob
@ 2020-01-28  8:38                         ` Akhil Goyal
  2020-01-28  8:56                           ` Jerin Jacob
  2020-01-28 17:28                         ` Ferruh Yigit
  1 sibling, 1 reply; 111+ messages in thread
From: Akhil Goyal @ 2020-01-28  8:38 UTC (permalink / raw)
  To: Jerin Jacob, Anoob Joseph
  Cc: Ferruh Yigit, Declan Doherty, Thomas Monjalon,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Kiran Kumar Kokkilagadda, Nithin Kumar Dabilpuram,
	Pavan Nikhilesh Bhagavatula, Ankur Dwivedi, Archana Muniganti,
	Tejasree Kondoj, Vamsi Krishna Attunuru, Lukas Bartosik,
	dpdk-dev

Hi Jerin,
> 
> On Mon, Jan 27, 2020 at 8:24 PM Anoob Joseph <anoobj@marvell.com> wrote:
> >
> > Hi Jerin, Akhil,
> >
> > Let me summarize the design changes from the discussions below.
> >
> > Currently, drivers/crypto/octeontx2/otx2_security.c defines all security ctx ops
> for the ethdev (idea was to add all crypto security ctx for lookaside also there).
> That will be moved to drivers/net/octeontx2 as is. The routines which are doing
> qp_add & qp_remove would be moved to common (discussed below). Otherwise,
> the rest should remain as is. If Jerin/Akhil wants further isolation, please do
> share specifics. Almost all functions in otx2_security.c is dereferencing
> 'rte_eth_dev'. So having (void *) will not help.
> >
> > The functions in otx2_security.c is calling inline functions in otx2_ipsec_fp.h
> (which has lower level implementations of session create etc). This will remain
> as is in drivers/crypto/octeontx2 but would be called from
> drivers/net/octeontx2/otx2_security.c.
> >
> > We will need to include otx2_cryptodev_qp.h (internal header in
> drivers/crypto/octeontx2) since the crypto queue pair is required for outbound
> processing. Since otx2_cryptodev_qp.h has dependency on rte_cryptodev.h, the
> ethdev file will have dependency on rte_cryptodev.h.
> >
> > I want all the maintainers (Akhil, Jerin & Ferruh) to ack the above behavior so
> that I can proceed with the restructuring. (Currently issue is rte_ethdev.h getting
> included in a cryptodev PMD file. The case we are proposing is the exact mirror
> of that)
> 
> I think the following rework would be required.
> 
> 1) Don't access rte_eth_dev symbols in driver/crypto/octeontx2
Yes

> 2) Don't access rte_crypto_dev symbols in driver/net/octeontx2
I am not sure how you can work without rte_cryptodev.h in net driver.
As I mentioned, security_ctx for ethernet device along with its ops should
be defined in ethernet driver. And call crypto specific inline functions
placed in a header file in drivers/crypto/octeontx2/

I believe you would need cryptodev.h included in ethernet driver like it is
getting used in ixgbe driver. The difference would be, all crypto
base functionality would be inside the crypto driver (inline functions in .h).

> 3) Communication between both drivers should be through a "custom
> structure" (say struct otx2_eth_sec or so for inline, otx2_crypto_sec
> for lookaside)
> defined in driver/common/octeontx2 which holds data.
> Processing function through "function pointer" registration provided
> through driver/common/octeontx2 as idev framework to avoid build
> dependency.
> 
> I am not sure anything else can be done beyond the above.


* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-28  8:38                         ` Akhil Goyal
@ 2020-01-28  8:56                           ` Jerin Jacob
  0 siblings, 0 replies; 111+ messages in thread
From: Jerin Jacob @ 2020-01-28  8:56 UTC (permalink / raw)
  To: Akhil Goyal
  Cc: Anoob Joseph, Ferruh Yigit, Declan Doherty, Thomas Monjalon,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Kiran Kumar Kokkilagadda, Nithin Kumar Dabilpuram,
	Pavan Nikhilesh Bhagavatula, Ankur Dwivedi, Archana Muniganti,
	Tejasree Kondoj, Vamsi Krishna Attunuru, Lukas Bartosik,
	dpdk-dev

On Tue, Jan 28, 2020 at 2:08 PM Akhil Goyal <akhil.goyal@nxp.com> wrote:
>
> Hi Jerin,

Hi Akhil,

> >
> > On Mon, Jan 27, 2020 at 8:24 PM Anoob Joseph <anoobj@marvell.com> wrote:
> > >
> > > Hi Jerin, Akhil,
> > >
> > > Let me summarize the design changes from the discussions below.
> > >
> > > Currently, drivers/crypto/octeontx2/otx2_security.c defines all security ctx ops
> > for the ethdev (idea was to add all crypto security ctx for lookaside also there).
> > That will be moved to drivers/net/octeontx2 as is. The routines which are doing
> > qp_add & qp_remove would be moved to common (discussed below). Otherwise,
> > the rest should remain as is. If Jerin/Akhil wants further isolation, please do
> > share specifics. Almost all functions in otx2_security.c is dereferencing
> > 'rte_eth_dev'. So having (void *) will not help.
> > >
> > > The functions in otx2_security.c is calling inline functions in otx2_ipsec_fp.h
> > (which has lower level implementations of session create etc). This will remain
> > as is in drivers/crypto/octeontx2 but would be called from
> > drivers/net/octeontx2/otx2_security.c.
> > >
> > > We will need to include otx2_cryptodev_qp.h (internal header in
> > drivers/crypto/octeontx2) since the crypto queue pair is required for outbound
> > processing. Since otx2_cryptodev_qp.h has dependency on rte_cryptodev.h, the
> > ethdev file will have dependency on rte_cryptodev.h.
> > >
> > > I want all the maintainers (Akhil, Jerin & Ferruh) to ack the above behavior so
> > that I can proceed with the restructuring. (Currently issue is rte_ethdev.h getting
> > included in a cryptodev PMD file. The case we are proposing is the exact mirror
> > of that)
> >
> > I think the following rework would be required.
> >
> > 1) Don't access rte_eth_dev symbols in driver/crypto/octeontx2
> Yes
>
> > 2) Don't access rte_crypto_dev symbols in driver/net/octeontx2
> I am not sure how you can work without rte_cryptodev.h in net driver.

We would need to include only rte_security.h. Right?
Meaning access should be limited to rte_security_* symbols.

> As I mentioned, security_ctx for ethernet device along with its ops should
> be defined in ethernet driver. And call crypto specific inline functions

Yes. Ops should be defined in an ethernet driver.

It can be the hook to the real implementation in driver/crypto/octeontx2
have some code for ethdev specific locally and other in crypto-specific.

> placed in a header file in drivers/crypto/octeontx2/
>
> I believe you would need cryptodev.h included in ethernet driver like it is
> getting used in ixgbe driver. The difference would be, all crypto
> base functionality would be inside the crypto driver (inline functions in .h).
>
> > 3) Communication between both drivers should be through a "custom
> > structure" (say struct otx2_eth_sec or so for inline, otx2_crypto_sec
> > for lookaside)
> > defined in driver/common/octeontx2 which holds data.
> > Processing function through "function pointer" registration provided
> > through driver/common/octeontx2 as idev framework to avoid build
> > dependency.
> >
> > I am not sure anything else can be done beyond the above.


* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-27 14:54                     ` Anoob Joseph
  2020-01-28  8:29                       ` Jerin Jacob
@ 2020-01-28 17:27                       ` Ferruh Yigit
  1 sibling, 0 replies; 111+ messages in thread
From: Ferruh Yigit @ 2020-01-28 17:27 UTC (permalink / raw)
  To: Anoob Joseph, Akhil Goyal, Jerin Jacob
  Cc: Declan Doherty, Thomas Monjalon, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj,
	Vamsi Krishna Attunuru, Lukas Bartosik, dpdk-dev

On 1/27/2020 2:54 PM, Anoob Joseph wrote:
> Hi Jerin, Akhil,
> 
> Let me summarize the design changes from the discussions below.
> 
> Currently, drivers/crypto/octeontx2/otx2_security.c defines all security ctx ops for the ethdev (idea was to add all crypto security ctx for lookaside also there). That will be moved to drivers/net/octeontx2 as is. The routines which are doing qp_add & qp_remove would be moved to common (discussed below). Otherwise, the rest should remain as is. If Jerin/Akhil wants further isolation, please do share specifics. Almost all functions in otx2_security.c is dereferencing 'rte_eth_dev'. So having (void *) will not help.
> 
> The functions in otx2_security.c is calling inline functions in otx2_ipsec_fp.h (which has lower level implementations of session create etc). This will remain as is in drivers/crypto/octeontx2 but would be called from drivers/net/octeontx2/otx2_security.c.
> 
> We will need to include otx2_cryptodev_qp.h (internal header in drivers/crypto/octeontx2) since the crypto queue pair is required for outbound processing. Since otx2_cryptodev_qp.h has dependency on rte_cryptodev.h, the ethdev file will have dependency on rte_cryptodev.h.
> 
> I want all the maintainers (Akhil, Jerin & Ferruh) to ack the above behavior so that I can proceed with the restructuring. (Currently issue is rte_ethdev.h getting included in a cryptodev PMD file. The case we are proposing is the exact mirror of that)
> 
> Currently, the cryptodev has to do qp-eth port mapping and save it somewhere for eth dev to use during security session create. This will have to be saved in drivers/common/octeontx2.
> 
> @Ferruh, do you agree with the suggestions here? With the proposed changes, parts of the patches would go into ethdev space (for reviews and merge), and the rest would be in crypto space.

Hi Anoob,

It is OK to move the 'rte_security_ops' to net driver, as far as I can see there
is no way to isolate ethdev and cryptodev completely, at least having one way
ethdev->crypto dependency is better.

Not sure about using inline functions though, existing solution to use common/x
looks OK to me.

> 
> Thanks,
> Anoob
> 
>> -----Original Message-----
>> From: Akhil Goyal <akhil.goyal@nxp.com>
>> Sent: Monday, January 27, 2020 5:18 PM
>> To: Jerin Jacob <jerinjacobk@gmail.com>
>> Cc: Anoob Joseph <anoobj@marvell.com>; Declan Doherty
>> <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>; Jerin
>> Jacob Kollanukkaran <jerinj@marvell.com>; Narayana Prasad Raju Athreya
>> <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
>> <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
>> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
>> <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
>> Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
>> <ktejasree@marvell.com>; Vamsi Krishna Attunuru <vattunuru@marvell.com>;
>> Lukas Bartosik <lbartosik@marvell.com>; dpdk-dev <dev@dpdk.org>
>> Subject: [EXT] RE: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec
>> support
>>
>> Hi Jerin,
>>
>>>
>>> On Mon, Jan 27, 2020 at 4:10 PM Akhil Goyal <akhil.goyal@nxp.com> wrote:
>>>>
>>>>
>>>>>
>>>>> On Wed, Jan 22, 2020 at 6:26 PM Akhil Goyal <akhil.goyal@nxp.com>
>> wrote:
>>>>>>
>>>>>>>>>
>>>>>>>>> Hi Jerin,
>>>>>>>>>
>>>>>>>>> Will  do the suggested change (RX/rx-> Rx & TX/tx->Tx). Do
>>>>>>>>> you want
>>> me
>>>>>>>>> to trim the headline as well?
>>>>>>>>>
>>>>>>>>
>>>>>>>> Hi Anoob,
>>>>>>>>
>>>>>>>>> @Akhil, did you get a chance to review the series? Do you
>>>>>>>>> have any comments on the patches?
>>>>>>>>>
>>>>>>>>
>>>>>>>> You are adding inline ipsec support to ethernet device and
>>>>>>>> not a crypto device.
>>>>>>>> These patches should not be part of crypto PMD. There will
>>>>>>>> be cyclic dependency Between ethernet device and crypto
>>>>>>>> device which can be
>>>>> easily
>>>>>>>> avoided.
>>>>>>>
>>>>>>> [Anoob] We have plans to use lookaside protocol to handle the
>> "fallback"
>>>>>>> session. And that involves session sharing between inline and
>>>>>>> lookaside
>>>>> protocol
>>>>>>> offloads. Also, though the feature is exposed as a feature of
>>>>>>> ethdev, on
>>> our
>>>>>>> platform, it's the crypto block which primarily implements the feature.
>>> And
>>>>> so, if
>>>>>>> the code is moved to ethdev dir, there would be lot of code duplication.
>>> The
>>>>>>> idea is to have all security related code in one place.
>>>>>>>
>>>>>>> Also, the PMDs don't have any calls to each other. The
>>>>>>> communication
>>>>> between
>>>>>>> the two happens via common. The crypto dev PMD will register
>>>>>>> the
>>> required
>>>>>>> security ops to a common structure and ethdev would get it from there.
>>> So
>>>>> there
>>>>>>> won't be an issue of build dependency.
>>>>>>>
>>>>>>
>>>>>> - The code that need to be duplicated can be moved to
>>>>>> drivers/common/
>>>>>
>>>>> I would like to keep the common code that is common to all the
>>> coprocessors.
>>>>>
>>>>> Moreover, there are logistic issues in that case where
>>>>> a) drivers/common/octeontx2/ going through master repo. So we will
>>>>> be creating unnecessary dependency with that 'master' tree.
>>>>> b) crypto and ethdev work is done by different teams so we would
>>>>> like to make responsibly clear wrt the review and ownership.
>>>>
>>>> I can agree upon that the code shall not be placed in the
>>>> common/octeontx2, But you can have a header file in
>>>> crypto/octeontx2/ which has some inline
>>> functions
>>>> Which can be called from the ethernet as well as crypto device for
>>>> inline proto And lookaside cases respectively. I think with that the
>>>> maintainability would
>>> not
>>>> be an issue.
>>>>
>>>> IMO, following approach can be looked upon and may be cleaner
>>>> - define security ctx and its ops in net/octeontx2.c or
>>>> net/octeontx2_security.c These are all control path and should not be any
>> issue.
>>>>
>>>> - define crypto specific code (inline functions) in
>>>> crypto/octeontx2_security.h Which can be called for both inline protocol as
>> well as lookaside proto case.
>>>
>>> One problem with such an approach is we need to have fat inline functions.
>>> In some case, those inline functions to needs  accessing the
>>> array/driver specific symbols in another driver namespace then those
>>> array needs to be exported in map file and hence the build dependency
>>> comes.
>>
>> How many such symbols are there? I don't think they will be many. Can they be passed
>> as arguments in the APIs to avoid build dependencies?
>>
>>>
>>>
>>>>
>>>> - for data path you can have the processing as is. I hope all
>>>> dependencies can Be dealt with as the code will be there in crypto
>>>> driver for all the mapping of Event and crypto queues.
>>>>
>>>> - all APIs which are common for ethernet device and crypto device in
>>>> octeontx2_security.h should not prefix eth as is the case in current APIs.
>>>
>>> If I understand it correctly, You have a concern in having the
>>> *rte_eth* symbols in driver/crypto/octeontx2?
>>> If so, we can check what can be done. Let us know the exact your
>>> concern in managing the code in this model?
>>
>> Yes, rte_eth* symbols should not be there in crypto driver.
>> Because crypto driver is not leveraging any ethernet functionality, It is the other
>> way, ethernet device is using the crypto functionality/ Structs etc for supporting
>> inline IPSEC.
>>
>> Also, the security ctx should be part of ethdev  and its ops should be Defined in
>> ethernet device which may call some inline APIs placed in
>> Drivers/crypto/octeontx2/
>>
>>>
>>>>
>>>> I hope this will clear the ugliness of the code.
>>>
>>> It is relative, I think, having fat inline functions and accessing
>>> both drivers is ugly.
>>
>> Breaking the way an API need to be defined and used is even more uglier.
>> IMO, having fat inline functions will act as external library functions which Are
>> independent of the device which is calling it.
>> Something similar to drivers/common/dpaax/caamflib/.
>>
>> My original suggestion was to put it in common, but I am ok, if you want that In
>> the crypto driver. I agree with the decision that all crypto/ipsec related stuff
>> Should be there under drivers/crypto if it is getting used from both the net and
>> Crypto driver. But atleast the API definitions should be there where it should be.
>>
>>
>>>
>>>>>
>>>>> I would like to keep the security/crypto-related code to
>>>>> driver/crypto and hook to driver/net/octeontx2 with required
>>>>> functionalities over the driver/common using a few function
>>>>> pointers to remove the cyclic build dependency.
>>>>>
>>>>> Considering there is no cyclic build and shared library dependency
>>>>> now, Can we make forward progress with the existing scheme?
>>>>>
>>>>>> - You may not need to include rte_ethdev.h inside drivers/crypto
>>>>>> - otx2_sec_eth_ctx_create should be part of ethdev and you would
>>>>>> need
>>>>> similar API
>>>>>> for crypto device as well when you would support the fallback
>>>>>> session
>>> support.
>>>>>> So that would go in crypto. Session creation code may be common
>>>>>> and can
>>> go
>>>>>> in drivers/common.
>>>>>> - You would have separate security_ctx for both eth device and
>>>>>> crypto
>>> device
>>>>> and that should
>>>>>> In net device and crypto device separately. Similarly
>>>>>> security->ops should
>>> be
>>>>> different in both of them.
>>>>>> However if they may have same session creation code and that can
>>>>>> go in
>>>>> common.
>>>>>>
>>>>



* Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-28  8:29                       ` Jerin Jacob
  2020-01-28  8:38                         ` Akhil Goyal
@ 2020-01-28 17:28                         ` Ferruh Yigit
  2020-01-29  4:01                           ` [dpdk-dev] [EXT] " Anoob Joseph
  1 sibling, 1 reply; 111+ messages in thread
From: Ferruh Yigit @ 2020-01-28 17:28 UTC (permalink / raw)
  To: Jerin Jacob, Anoob Joseph
  Cc: Akhil Goyal, Declan Doherty, Thomas Monjalon,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Kiran Kumar Kokkilagadda, Nithin Kumar Dabilpuram,
	Pavan Nikhilesh Bhagavatula, Ankur Dwivedi, Archana Muniganti,
	Tejasree Kondoj, Vamsi Krishna Attunuru, Lukas Bartosik,
	dpdk-dev

On 1/28/2020 8:29 AM, Jerin Jacob wrote:
> On Mon, Jan 27, 2020 at 8:24 PM Anoob Joseph <anoobj@marvell.com> wrote:
>>
>> Hi Jerin, Akhil,
>>
>> Let me summarize the design changes from the discussions below.
>>
>> Currently, drivers/crypto/octeontx2/otx2_security.c defines all security ctx ops for the ethdev (idea was to add all crypto security ctx for lookaside also there). That will be moved to drivers/net/octeontx2 as is. The routines which are doing qp_add & qp_remove would be moved to common (discussed below). Otherwise, the rest should remain as is. If Jerin/Akhil wants further isolation, please do share specifics. Almost all functions in otx2_security.c is dereferencing 'rte_eth_dev'. So having (void *) will not help.
>>
>> The functions in otx2_security.c is calling inline functions in otx2_ipsec_fp.h (which has lower level implementations of session create etc). This will remain as is in drivers/crypto/octeontx2 but would be called from drivers/net/octeontx2/otx2_security.c.
>>
>> We will need to include otx2_cryptodev_qp.h (internal header in drivers/crypto/octeontx2) since the crypto queue pair is required for outbound processing. Since otx2_cryptodev_qp.h has dependency on rte_cryptodev.h, the ethdev file will have dependency on rte_cryptodev.h.
>>
>> I want all the maintainers (Akhil, Jerin & Ferruh) to ack the above behavior so that I can proceed with the restructuring. (Currently issue is rte_ethdev.h getting included in a cryptodev PMD file. The case we are proposing is the exact mirror of that)
> 
> I think the following rework would be required.
> 
> 1) Don't access rte_eth_dev symbols in driver/crypto/octeontx2
> 2) Don't access rte_crypto_dev symbols in driver/net/octeontx2
> 3) Communication between both drivers should be through a "custom
> structure" (say struct otx2_eth_sec or so for inline, otx2_crypto_sec
> for lookaside)
> defined in driver/common/octeontx2 which holds data.
> Processing function through "function pointer" registration provided
> through driver/common/octeontx2 as idev framework to avoid build
> dependency.
> 

In high level this looks good to me.

> I am not sure anything else can be done beyond the above.
> 




* Re: [dpdk-dev] [EXT] Re: [PATCH v2 00/15] add OCTEONTX2 inline IPsec support
  2020-01-28 17:28                         ` Ferruh Yigit
@ 2020-01-29  4:01                           ` Anoob Joseph
  0 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-29  4:01 UTC (permalink / raw)
  To: Ferruh Yigit, Jerin Jacob, Thomas Monjalon, Akhil Goyal
  Cc: Declan Doherty, Thomas Monjalon, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Tejasree Kondoj,
	Vamsi Krishna Attunuru, Lukas Bartosik, dpdk-dev

Hi Ferruh, Akhil, Thomas,

I would like to make the following modifications to MAINTAINERS file to better isolate security additions.

diff --git a/MAINTAINERS b/MAINTAINERS
index 94bccae..76171ce 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -724,6 +724,12 @@ F: drivers/net/octeontx2/
 F: doc/guides/nics/features/octeontx2*.ini
 F: doc/guides/nics/octeontx2.rst

+Marvell OCTEON TX2 - security
+M: Anoob Joseph <anoobj@marvell.com>
+T: git://dpdk.org/next/dpdk-next-crypto
+F: drivers/net/octeontx2/otx2_ethdev_sec*
+F: drivers/common/octeontx2/otx2_sec*
+
 Mellanox mlx4
 M: Matan Azrad <matan@mellanox.com>
 M: Shahaf Shuler <shahafs@mellanox.com>
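Review bot: the new "F: drivers/net/octeontx2/otx2_ethdev_sec*" pattern sits under the "F: drivers/net/octeontx2/" entry visible in the hunk header, so those files will be matched by two sections, and the new section routes them through git://dpdk.org/next/dpdk-next-crypto. Please state in the commit message which tree and which maintainer is authoritative when a change touches both the security files and the rest of the net driver, so that review of the inline IPsec code does not fall between the two entries. The same applies to "F: drivers/common/octeontx2/otx2_sec*" if the common directory already has its own entry.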

Can you confirm if this is fine?

@Akhil, can the security changes (in both ethdev & common) go via dpdk-next-crypto? Once the interface is set, there won't be any changes in the rest of the ethdev related routines. All the further changes would be feature additions in the security specific files and so would be contained in the above mentioned files.

Thanks,
Anoob

> -----Original Message-----
> From: Ferruh Yigit <ferruh.yigit@intel.com>
> Sent: Tuesday, January 28, 2020 10:58 PM
> To: Jerin Jacob <jerinjacobk@gmail.com>; Anoob Joseph
> <anoobj@marvell.com>
> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Declan Doherty
> <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>; Jerin
> Jacob Kollanukkaran <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; Vamsi Krishna Attunuru <vattunuru@marvell.com>;
> Lukas Bartosik <lbartosik@marvell.com>; dpdk-dev <dev@dpdk.org>
> Subject: [EXT] Re: [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec
> support
> 
> On 1/28/2020 8:29 AM, Jerin Jacob wrote:
> > On Mon, Jan 27, 2020 at 8:24 PM Anoob Joseph <anoobj@marvell.com>
> wrote:
> >>
> >> Hi Jerin, Akhil,
> >>
> >> Let me summarize the design changes from the discussions below.
> >>
> >> Currently, drivers/crypto/octeontx2/otx2_security.c defines all security ctx
> ops for the ethdev (idea was to add all crypto security ctx for lookaside also
> there). That will be moved to drivers/net/octeontx2 as is. The routines which are
> doing qp_add & qp_remove would be moved to common (discussed below).
> Otherwise, the rest should remain as is. If Jerin/Akhil wants further isolation,
> please do share specifics. Almost all functions in otx2_security.c is dereferencing
> 'rte_eth_dev'. So having (void *) will not help.
> >>
> >> The functions in otx2_security.c is calling inline functions in otx2_ipsec_fp.h
> (which has lower level implementations of session create etc). This will remain
> as is in drivers/crypto/octeontx2 but would be called from
> drivers/net/octeontx2/otx2_security.c.
> >>
> >> We will need to include otx2_cryptodev_qp.h (internal header in
> drivers/crypto/octeontx2) since the crypto queue pair is required for outbound
> processing. Since otx2_cryptodev_qp.h has dependency on rte_cryptodev.h, the
> ethdev file will have dependency on rte_cryptodev.h.
> >>
> >> I want all the maintainers (Akhil, Jerin & Ferruh) to ack the above
> >> behavior so that I can proceed with the restructuring. (Currently
> >> issue is rte_ethdev.h getting included in a cryptodev PMD file. The
> >> case we are proposing is the exact mirror of that)
> >
> > I think the following rework would be required.
> >
> > 1) Don't access rte_eth_dev symbols in driver/crypto/octeontx2
> > 2) Don't access rte_crypto_dev symbols in driver/net/octeontx2
> > 3) Communication between both drivers should be through a "custom
> > structure" (say struct otx2_eth_sec or so for inline, otx2_crypto_sec
> > for lookaside) defined in driver/common/octeontx2 which holds data.
> > Processing function through "function pointer" registration provided
> > through driver/common/octeontx2 as idev framework to avoid build
> > dependency.
> >
> 
> In high level this looks good to me.
> 
> > I am not sure anything else can be done beyond the above.
> >
> 



* [dpdk-dev] [PATCH v3 00/15]  add OCTEON TX2 inline IPsec support
  2020-01-18 10:48 ` [dpdk-dev] [PATCH v2 " Anoob Joseph
                     ` (15 preceding siblings ...)
  2020-01-18 14:38   ` [dpdk-dev] [PATCH v2 00/15] add OCTEONTX2 inline IPsec support Jerin Jacob
@ 2020-01-31 10:03   ` Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 01/15] common/octeontx2: add CPT LF mbox for inline inbound Anoob Joseph
                       ` (15 more replies)
  16 siblings, 16 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

This series adds inline IPsec support in OCTEON TX2 PMD.

In the inbound path, rte_flow framework needs to be used to configure
the NPC block, which does the h/w lookup. The packets would get
processed by the crypto block and would submit to the scheduling block,
SSO. So inline IPsec mode can be enabled only when traffic is received
via event device using Rx adapter.

In the outbound path, the core would submit to the crypto block and the
crypto block would submit the packet for Tx internally.

v3:
* Moved ethdev security ops to net/octeontx2
* Segregated all security related code in common to
  common/octeontx2/otx2_sec* files
* Segregated all security related control code in net to
  net/octeontx2/otx2_ethdev_sec* files
* Claimed maintainership for all files added above
* Added support for AES-CBC

v2:
* Minimized additions to common/octeontx2
* Updated release notes
* Renamed otx2_is_ethdev to otx2_ethdev_is_sec_capable

Ankur Dwivedi (3):
  net/octeontx2: add eth security capabilities
  net/octeontx2: add datapath ops in eth security ctx
  net/octeontx2: add inline Tx path changes

Anoob Joseph (4):
  common/octeontx2: add CPT LF mbox for inline inbound
  net/octeontx2: create eth security ctx
  crypto/octeontx2: enable CPT to share QP with ethdev
  net/octeontx2: add eth security session operations

Archana Muniganti (3):
  net/octeontx2: add lookup mem changes to hold sa indices
  drivers/octeontx2: add sec in Rx fastpath framework
  drivers/octeontx2: add sec in Tx fastpath framework

Tejasree Kondoj (3):
  crypto/octeontx2: configure for inline IPsec
  net/octeontx2: add security in eth dev configure
  net/octeontx2: add inline ipsec Rx path changes

Vamsi Attunuru (2):
  common/octeontx2: add routine to check if sec capable otx2
  net/octeontx2: sync inline tag type

 MAINTAINERS                                        |   6 +
 doc/guides/nics/octeontx2.rst                      |  20 +
 doc/guides/rel_notes/release_20_02.rst             |   9 +
 drivers/common/octeontx2/Makefile                  |   1 +
 drivers/common/octeontx2/meson.build               |   1 +
 drivers/common/octeontx2/otx2_common.h             |   4 +
 drivers/common/octeontx2/otx2_mbox.h               |   7 +
 drivers/common/octeontx2/otx2_sec_idev.c           | 183 +++++
 drivers/common/octeontx2/otx2_sec_idev.h           |  37 +
 .../octeontx2/rte_common_octeontx2_version.map     |   6 +
 drivers/crypto/octeontx2/Makefile                  |   6 +-
 drivers/crypto/octeontx2/meson.build               |   4 +
 .../crypto/octeontx2/otx2_cryptodev_hw_access.h    |  22 +-
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.c     |  54 ++
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.h     |   7 +
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c      |  56 ++
 drivers/crypto/octeontx2/otx2_cryptodev_qp.h       |  35 +
 drivers/crypto/octeontx2/otx2_ipsec_fp.h           | 350 +++++++++
 drivers/event/octeontx2/Makefile                   |   1 +
 drivers/event/octeontx2/meson.build                |   5 +-
 drivers/event/octeontx2/otx2_evdev.c               | 170 +++--
 drivers/event/octeontx2/otx2_evdev.h               |   4 +-
 drivers/event/octeontx2/otx2_worker.c              |   6 +-
 drivers/event/octeontx2/otx2_worker.h              |   6 +
 drivers/event/octeontx2/otx2_worker_dual.c         |   6 +-
 drivers/net/octeontx2/Makefile                     |   4 +
 drivers/net/octeontx2/meson.build                  |   7 +-
 drivers/net/octeontx2/otx2_ethdev.c                |  38 +-
 drivers/net/octeontx2/otx2_ethdev.h                |   2 +
 drivers/net/octeontx2/otx2_ethdev_devargs.c        |  19 +
 drivers/net/octeontx2/otx2_ethdev_sec.c            | 844 +++++++++++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.h            | 139 ++++
 drivers/net/octeontx2/otx2_ethdev_sec_tx.h         | 181 +++++
 drivers/net/octeontx2/otx2_flow.c                  |  26 +
 drivers/net/octeontx2/otx2_lookup.c                |  11 +-
 drivers/net/octeontx2/otx2_rx.c                    |  27 +-
 drivers/net/octeontx2/otx2_rx.h                    | 377 ++++++---
 drivers/net/octeontx2/otx2_tx.c                    |  29 +-
 drivers/net/octeontx2/otx2_tx.h                    | 271 +++++--
 39 files changed, 2698 insertions(+), 283 deletions(-)
 create mode 100644 drivers/common/octeontx2/otx2_sec_idev.c
 create mode 100644 drivers/common/octeontx2/otx2_sec_idev.h
 create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_qp.h
 create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h
 create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec.c
 create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec.h
 create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec_tx.h

-- 
2.7.4



* [dpdk-dev] [PATCH v3 01/15] common/octeontx2: add CPT LF mbox for inline inbound
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
@ 2020-01-31 10:03     ` Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 02/15] common/octeontx2: add routine to check if sec capable otx2 Anoob Joseph
                       ` (14 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev, Tejasree Kondoj

Adding the new mbox introduced to configure CPT LF to be used for inline
inbound.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <kondoj.tejasree@cavium.com>
---
 drivers/common/octeontx2/otx2_mbox.h | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/common/octeontx2/otx2_mbox.h b/drivers/common/octeontx2/otx2_mbox.h
index e0e4e2f..70452d1 100644
--- a/drivers/common/octeontx2/otx2_mbox.h
+++ b/drivers/common/octeontx2/otx2_mbox.h
@@ -193,6 +193,8 @@ M(CPT_SET_CRYPTO_GRP,	0xA03, cpt_set_crypto_grp,			\
 			       msg_rsp)					\
 M(CPT_INLINE_IPSEC_CFG, 0xA04, cpt_inline_ipsec_cfg,			\
 			       cpt_inline_ipsec_cfg_msg, msg_rsp)	\
+M(CPT_RX_INLINE_LF_CFG, 0xBFE, cpt_rx_inline_lf_cfg,			\
+			       cpt_rx_inline_lf_cfg_msg, msg_rsp)	\
 /* NPC mbox IDs (range 0x6000 - 0x7FFF) */				\
 M(NPC_MCAM_ALLOC_ENTRY,	0x6000, npc_mcam_alloc_entry,			\
 				npc_mcam_alloc_entry_req,		\
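Review bot: CPT_RX_INLINE_LF_CFG is given ID 0xBFE, which does not follow the 0xA03, 0xA04 sequence of the CPT entries directly above it, and nothing in the hunk says why. A short comment stating where this ID is defined (for example, that it is fixed by the kernel AF driver, if that is the case) would stop a later contributor from renumbering it to 0xA05 or reusing 0xBFE for something else.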
@@ -1202,6 +1204,11 @@ struct cpt_inline_ipsec_cfg_msg {
 	uint16_t __otx2_io nix_pf_func; /* Outbound path NIX_PF_FUNC */
 };
 
+struct cpt_rx_inline_lf_cfg_msg {
+	struct mbox_msghdr hdr;
+	uint16_t __otx2_io sso_pf_func;
+};
+
 /* NPC mbox message structs */
 
 #define NPC_MCAM_ENTRY_INVALID	0xFFFF
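Review bot: sso_pf_func in struct cpt_rx_inline_lf_cfg_msg has no comment, unlike nix_pf_func in the struct directly above it ("/* Outbound path NIX_PF_FUNC */"). Please document what the field selects (the SSO PF_FUNC that inbound inline packets are submitted to, going by the cover letter) and whether 0 has a special meaning.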
-- 
2.7.4



* [dpdk-dev] [PATCH v3 02/15] common/octeontx2: add routine to check if sec capable otx2
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 01/15] common/octeontx2: add CPT LF mbox for inline inbound Anoob Joseph
@ 2020-01-31 10:03     ` Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 03/15] crypto/octeontx2: configure for inline IPsec Anoob Joseph
                       ` (13 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Vamsi Attunuru, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Lukasz Bartosik, dev

From: Vamsi Attunuru <vattunuru@marvell.com>

This routine returns true if given rte_eth_dev is security offload
capable and belongs to octeontx2.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 MAINTAINERS                                        |  5 ++++
 drivers/common/octeontx2/Makefile                  |  1 +
 drivers/common/octeontx2/meson.build               |  1 +
 drivers/common/octeontx2/otx2_sec_idev.c           | 28 ++++++++++++++++++++++
 drivers/common/octeontx2/otx2_sec_idev.h           | 12 ++++++++++
 .../octeontx2/rte_common_octeontx2_version.map     |  1 +
 6 files changed, 48 insertions(+)
 create mode 100644 drivers/common/octeontx2/otx2_sec_idev.c
 create mode 100644 drivers/common/octeontx2/otx2_sec_idev.h

diff --git a/MAINTAINERS b/MAINTAINERS
index 94bccae..7b1ea56 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -724,6 +724,11 @@ F: drivers/net/octeontx2/
 F: doc/guides/nics/features/octeontx2*.ini
 F: doc/guides/nics/octeontx2.rst
 
+Marvell OCTEON TX2 - security
+M: Anoob Joseph <anoobj@marvell.com>
+T: git://dpdk.org/next/dpdk-next-crypto
+F: drivers/common/octeontx2/otx2_sec*
+
 Mellanox mlx4
 M: Matan Azrad <matan@mellanox.com>
 M: Shahaf Shuler <shahafs@mellanox.com>
diff --git a/drivers/common/octeontx2/Makefile b/drivers/common/octeontx2/Makefile
index eaff294..efe3da2 100644
--- a/drivers/common/octeontx2/Makefile
+++ b/drivers/common/octeontx2/Makefile
@@ -31,6 +31,7 @@ SRCS-y += otx2_dev.c
 SRCS-y += otx2_irq.c
 SRCS-y += otx2_mbox.c
 SRCS-y += otx2_common.c
+SRCS-y += otx2_sec_idev.c
 
 LDLIBS += -lrte_eal
 LDLIBS += -lrte_ethdev
diff --git a/drivers/common/octeontx2/meson.build b/drivers/common/octeontx2/meson.build
index b791457..996ddba 100644
--- a/drivers/common/octeontx2/meson.build
+++ b/drivers/common/octeontx2/meson.build
@@ -6,6 +6,7 @@ sources= files('otx2_dev.c',
 		'otx2_irq.c',
 		'otx2_mbox.c',
 		'otx2_common.c',
+		'otx2_sec_idev.c',
 	       )
 
 extra_flags = []
diff --git a/drivers/common/octeontx2/otx2_sec_idev.c b/drivers/common/octeontx2/otx2_sec_idev.c
new file mode 100644
index 0000000..532abde
--- /dev/null
+++ b/drivers/common/octeontx2/otx2_sec_idev.c
@@ -0,0 +1,28 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2020 Marvell International Ltd.
+ */
+
+#include <rte_bus_pci.h>
+#include <rte_ethdev.h>
+
+#include "otx2_common.h"
+#include "otx2_sec_idev.h"
+
+/**
+ * @internal
+ * Check if rte_eth_dev is security offload capable otx2_eth_dev
+ */
+uint8_t
+otx2_eth_dev_is_sec_capable(struct rte_eth_dev *eth_dev)
+{
+	struct rte_pci_device *pci_dev;
+
+	pci_dev = RTE_ETH_DEV_TO_PCI(eth_dev);
+
+	if (pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_PF ||
+	    pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_VF ||
+	    pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_AF_VF)
+		return 1;
+
+	return 0;
+}
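Review bot: otx2_eth_dev_is_sec_capable() applies RTE_ETH_DEV_TO_PCI() to whatever eth_dev it is handed and then compares only id.device_id. For a port that is not backed by a PCI device the conversion yields a pointer that is not a struct rte_pci_device, so the device_id read looks at unrelated memory, and a PCI device from another vendor that reuses one of these three device IDs would also pass. Suggest rejecting a NULL eth_dev or eth_dev->device, confirming the device is on the PCI bus before converting, and checking id.vendor_id as well; a bool return type would match the "returns true" wording in the commit message.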
diff --git a/drivers/common/octeontx2/otx2_sec_idev.h b/drivers/common/octeontx2/otx2_sec_idev.h
new file mode 100644
index 0000000..a5d929e
--- /dev/null
+++ b/drivers/common/octeontx2/otx2_sec_idev.h
@@ -0,0 +1,12 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2020 Marvell International Ltd.
+ */
+
+#ifndef _OTX2_SEC_IDEV_H_
+#define _OTX2_SEC_IDEV_H_
+
+#include <rte_ethdev.h>
+
+uint8_t otx2_eth_dev_is_sec_capable(struct rte_eth_dev *eth_dev);
+
+#endif /* _OTX2_SEC_IDEV_H_ */
diff --git a/drivers/common/octeontx2/rte_common_octeontx2_version.map b/drivers/common/octeontx2/rte_common_octeontx2_version.map
index a51d719..724fa35 100644
--- a/drivers/common/octeontx2/rte_common_octeontx2_version.map
+++ b/drivers/common/octeontx2/rte_common_octeontx2_version.map
@@ -5,6 +5,7 @@ DPDK_20.0 {
 	otx2_dev_fini;
 	otx2_dev_priv_init;
 	otx2_disable_irqs;
+	otx2_eth_dev_is_sec_capable;
 	otx2_intra_dev_get_cfg;
 	otx2_logtype_base;
 	otx2_logtype_dpi;
-- 
2.7.4



* [dpdk-dev] [PATCH v3 03/15] crypto/octeontx2: configure for inline IPsec
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 01/15] common/octeontx2: add CPT LF mbox for inline inbound Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 02/15] common/octeontx2: add routine to check if sec capable otx2 Anoob Joseph
@ 2020-01-31 10:03     ` Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 04/15] net/octeontx2: create eth security ctx Anoob Joseph
                       ` (12 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Tejasree Kondoj, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Vamsi Attunuru, Lukasz Bartosik, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

For enabling outbound inline IPsec, a CPT queue needs to be tied
to a NIX PF_FUNC. Distribute CPT queues fairly among all available
otx2 eth ports.

For inbound, one CPT LF will be assigned and initialized by kernel.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/Makefile              |  3 +-
 drivers/crypto/octeontx2/meson.build           |  2 +
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.c | 54 ++++++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.h |  7 ++++
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c  | 39 +++++++++++++++++++
 5 files changed, 104 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/octeontx2/Makefile b/drivers/crypto/octeontx2/Makefile
index f7d6c37..3ba67ed 100644
--- a/drivers/crypto/octeontx2/Makefile
+++ b/drivers/crypto/octeontx2/Makefile
@@ -10,7 +10,7 @@ LIB = librte_pmd_octeontx2_crypto.a
 # build flags
 CFLAGS += $(WERROR_FLAGS)
 
-LDLIBS += -lrte_eal -lrte_mbuf -lrte_mempool -lrte_ring
+LDLIBS += -lrte_eal -lrte_ethdev -lrte_mbuf -lrte_mempool -lrte_ring
 LDLIBS += -lrte_cryptodev
 LDLIBS += -lrte_pci -lrte_bus_pci
 LDLIBS += -lrte_common_cpt -lrte_common_octeontx2
@@ -21,6 +21,7 @@ CFLAGS += -O3
 CFLAGS += -I$(RTE_SDK)/drivers/common/cpt
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
 CFLAGS += -DALLOW_EXPERIMENTAL_API
 
 ifneq ($(CONFIG_RTE_ARCH_64),y)
diff --git a/drivers/crypto/octeontx2/meson.build b/drivers/crypto/octeontx2/meson.build
index b6e5b73..67deca3 100644
--- a/drivers/crypto/octeontx2/meson.build
+++ b/drivers/crypto/octeontx2/meson.build
@@ -8,6 +8,7 @@ endif
 deps += ['bus_pci']
 deps += ['common_cpt']
 deps += ['common_octeontx2']
+deps += ['ethdev']
 name = 'octeontx2_crypto'
 
 allow_experimental_apis = true
@@ -32,3 +33,4 @@ endforeach
 includes += include_directories('../../common/cpt')
 includes += include_directories('../../common/octeontx2')
 includes += include_directories('../../mempool/octeontx2')
+includes += include_directories('../../net/octeontx2')
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c
index b54e407..6bb8316 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c
@@ -2,10 +2,14 @@
  * Copyright (C) 2019 Marvell International Ltd.
  */
 #include <rte_cryptodev.h>
+#include <rte_ethdev.h>
 
 #include "otx2_cryptodev.h"
+#include "otx2_cryptodev_hw_access.h"
 #include "otx2_cryptodev_mbox.h"
 #include "otx2_dev.h"
+#include "otx2_ethdev.h"
+#include "otx2_sec_idev.h"
 #include "otx2_mbox.h"
 
 #include "cpt_pmd_logs.h"
@@ -173,3 +177,53 @@ otx2_cpt_af_reg_write(const struct rte_cryptodev *dev, uint64_t reg,
 
 	return otx2_cpt_send_mbox_msg(vf);
 }
+
+int
+otx2_cpt_inline_init(const struct rte_cryptodev *dev)
+{
+	struct otx2_cpt_vf *vf = dev->data->dev_private;
+	struct otx2_mbox *mbox = vf->otx2_dev.mbox;
+	struct cpt_rx_inline_lf_cfg_msg *msg;
+	int ret;
+
+	msg = otx2_mbox_alloc_msg_cpt_rx_inline_lf_cfg(mbox);
+	msg->sso_pf_func = otx2_sso_pf_func_get();
+
+	otx2_mbox_msg_send(mbox, 0);
+	ret = otx2_mbox_process(mbox);
+	if (ret < 0)
+		return -EIO;
+
+	return 0;
+}
+
+int
+otx2_cpt_qp_ethdev_bind(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp,
+			uint16_t port_id)
+{
+	struct rte_eth_dev *eth_dev = &rte_eth_devices[port_id];
+	struct otx2_cpt_vf *vf = dev->data->dev_private;
+	struct otx2_mbox *mbox = vf->otx2_dev.mbox;
+	struct cpt_inline_ipsec_cfg_msg *msg;
+	struct otx2_eth_dev *otx2_eth_dev;
+	int ret;
+
+	if (!otx2_eth_dev_is_sec_capable(&rte_eth_devices[port_id]))
+		return -EINVAL;
+
+	otx2_eth_dev = otx2_eth_pmd_priv(eth_dev);
+
+	msg = otx2_mbox_alloc_msg_cpt_inline_ipsec_cfg(mbox);
+	msg->dir = CPT_INLINE_OUTBOUND;
+	msg->enable = 1;
+	msg->slot = qp->id;
+
+	msg->nix_pf_func = otx2_eth_dev->pf_func;
+
+	otx2_mbox_msg_send(mbox, 0);
+	ret = otx2_mbox_process(mbox);
+	if (ret < 0)
+		return -EIO;
+
+	return 0;
+}
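Review bot: otx2_cpt_qp_ethdev_bind() takes &rte_eth_devices[port_id] in its first declaration, before port_id has been validated in any way, and both new functions dereference the pointer returned by otx2_mbox_alloc_msg_*() without checking it. Suggest validating port_id (rte_eth_dev_is_valid_port() or a bound check against RTE_MAX_ETHPORTS) before indexing, handling a NULL msg, and passing up the value from otx2_mbox_process() instead of flattening every failure to -EIO. The capability check can also reuse eth_dev rather than indexing rte_eth_devices a second time.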
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h
index a298718..ae66b08 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h
@@ -7,6 +7,8 @@
 
 #include <rte_cryptodev.h>
 
+#include "otx2_cryptodev_hw_access.h"
+
 int otx2_cpt_available_queues_get(const struct rte_cryptodev *dev,
 				  uint16_t *nb_queues);
 
@@ -22,4 +24,9 @@ int otx2_cpt_af_reg_read(const struct rte_cryptodev *dev, uint64_t reg,
 int otx2_cpt_af_reg_write(const struct rte_cryptodev *dev, uint64_t reg,
 			  uint64_t val);
 
+int otx2_cpt_qp_ethdev_bind(const struct rte_cryptodev *dev,
+			    struct otx2_cpt_qp *qp, uint16_t port_id);
+
+int otx2_cpt_inline_init(const struct rte_cryptodev *dev);
+
 #endif /* _OTX2_CRYPTODEV_MBOX_H_ */
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index ec0e58d..005b0a9 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -6,6 +6,7 @@
 
 #include <rte_cryptodev_pmd.h>
 #include <rte_errno.h>
+#include <rte_ethdev.h>
 
 #include "otx2_cryptodev.h"
 #include "otx2_cryptodev_capabilities.h"
@@ -13,6 +14,7 @@
 #include "otx2_cryptodev_mbox.h"
 #include "otx2_cryptodev_ops.h"
 #include "otx2_mbox.h"
+#include "otx2_sec_idev.h"
 
 #include "cpt_hw_types.h"
 #include "cpt_pmd_logs.h"
@@ -127,6 +129,29 @@ otx2_cpt_metabuf_mempool_destroy(struct otx2_cpt_qp *qp)
 	meta_info->sg_mlen = 0;
 }
 
+static int
+otx2_cpt_qp_inline_cfg(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp)
+{
+	static rte_atomic16_t port_offset = RTE_ATOMIC16_INIT(-1);
+	uint16_t port_id, nb_ethport = rte_eth_dev_count_avail();
+	int i, ret;
+
+	for (i = 0; i < nb_ethport; i++) {
+		port_id = rte_atomic16_add_return(&port_offset, 1) % nb_ethport;
+		if (otx2_eth_dev_is_sec_capable(&rte_eth_devices[port_id]))
+			break;
+	}
+
+	if (i >= nb_ethport)
+		return 0;
+
+	ret = otx2_cpt_qp_ethdev_bind(dev, qp, port_id);
+	if (ret)
+		return ret;
+
+	return 0;
+}
+
 static struct otx2_cpt_qp *
 otx2_cpt_qp_create(const struct rte_cryptodev *dev, uint16_t qp_id,
 		   uint8_t group)
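Review bot: In otx2_cpt_qp_inline_cfg(), port_id is computed as "rte_atomic16_add_return(&port_offset, 1) % nb_ethport". rte_atomic16_add_return() returns int16_t, so once the static counter wraps past 32767 the remainder is negative and the assignment to the uint16_t port_id yields an index far outside rte_eth_devices[]. The loop also assumes the available ports are numbered 0 to rte_eth_dev_count_avail() - 1, which does not hold when port IDs have gaps. Suggest iterating with RTE_ETH_FOREACH_DEV and keeping the round-robin offset in an unsigned counter; a log line on the "i >= nb_ethport" path would also help, since the queue is then silently left unbound.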
@@ -220,6 +245,12 @@ otx2_cpt_qp_create(const struct rte_cryptodev *dev, uint16_t qp_id,
 
 	otx2_cpt_iq_disable(qp);
 
+	ret = otx2_cpt_qp_inline_cfg(dev, qp);
+	if (ret) {
+		CPT_LOG_ERR("Could not configure queue for inline IPsec");
+		goto mempool_destroy;
+	}
+
 	ret = otx2_cpt_iq_enable(dev, qp, group, OTX2_CPT_QUEUE_HI_PRIO,
 				 size_div40);
 	if (ret) {
@@ -913,12 +944,20 @@ otx2_cpt_dev_config(struct rte_cryptodev *dev,
 		goto queues_detach;
 	}
 
+	ret = otx2_cpt_inline_init(dev);
+	if (ret) {
+		CPT_LOG_ERR("Could not enable inline IPsec");
+		goto intr_unregister;
+	}
+
 	dev->enqueue_burst = otx2_cpt_enqueue_burst;
 	dev->dequeue_burst = otx2_cpt_dequeue_burst;
 
 	rte_mb();
 	return 0;
 
+intr_unregister:
+	otx2_cpt_err_intr_unregister(dev);
 queues_detach:
 	otx2_cpt_queues_detach(dev);
 	return ret;
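Review bot: In otx2_cpt_dev_config(), a failure of otx2_cpt_inline_init() now jumps to intr_unregister and fails the whole device configure, so a system where the CPT_RX_INLINE_LF_CFG mbox is rejected loses the cryptodev entirely even if inline IPsec is never used. Consider downgrading this to a warning with inline left disabled, or state in the commit message that the mbox is mandatory. Including ret in the CPT_LOG_ERR message would also make the failure easier to diagnose.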
-- 
2.7.4



* [dpdk-dev] [PATCH v3 04/15] net/octeontx2: create eth security ctx
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
                       ` (2 preceding siblings ...)
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 03/15] crypto/octeontx2: configure for inline IPsec Anoob Joseph
@ 2020-01-31 10:03     ` Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 05/15] net/octeontx2: add security in eth dev configure Anoob Joseph
                       ` (11 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

Adding security ctx to the eth device.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 MAINTAINERS                             |  1 +
 drivers/net/octeontx2/Makefile          |  1 +
 drivers/net/octeontx2/meson.build       |  4 +++-
 drivers/net/octeontx2/otx2_ethdev.c     | 15 +++++++++++++-
 drivers/net/octeontx2/otx2_ethdev_sec.c | 35 +++++++++++++++++++++++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.h | 14 +++++++++++++
 6 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec.c
 create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec.h

diff --git a/MAINTAINERS b/MAINTAINERS
index 7b1ea56..5d05b29 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -728,6 +728,7 @@ Marvell OCTEON TX2 - security
 M: Anoob Joseph <anoobj@marvell.com>
 T: git://dpdk.org/next/dpdk-next-crypto
 F: drivers/common/octeontx2/otx2_sec*
+F: drivers/net/octeontx2/otx2_ethdev_sec*
 
 Mellanox mlx4
 M: Matan Azrad <matan@mellanox.com>
diff --git a/drivers/net/octeontx2/Makefile b/drivers/net/octeontx2/Makefile
index 68f5765..8649f89 100644
--- a/drivers/net/octeontx2/Makefile
+++ b/drivers/net/octeontx2/Makefile
@@ -50,6 +50,7 @@ SRCS-$(CONFIG_RTE_LIBRTE_OCTEONTX2_PMD) += \
 	otx2_flow_utils.c \
 	otx2_ethdev_irq.c \
 	otx2_ethdev_ops.c \
+	otx2_ethdev_sec.c \
 	otx2_ethdev_debug.c \
 	otx2_ethdev_devargs.c
 
diff --git a/drivers/net/octeontx2/meson.build b/drivers/net/octeontx2/meson.build
index fad3076..dfbf99a 100644
--- a/drivers/net/octeontx2/meson.build
+++ b/drivers/net/octeontx2/meson.build
@@ -20,11 +20,13 @@ sources = files('otx2_rx.c',
 		'otx2_flow_utils.c',
 		'otx2_ethdev_irq.c',
 		'otx2_ethdev_ops.c',
+		'otx2_ethdev_sec.c',
 		'otx2_ethdev_debug.c',
 		'otx2_ethdev_devargs.c'
 		)
 
-deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2']
+deps += ['bus_pci', 'cryptodev', 'security']
+deps += ['common_octeontx2', 'mempool_octeontx2']
 
 cflags += ['-flax-vector-conversions']
 
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index 268b383..7fd5254 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -12,6 +12,7 @@
 #include <rte_mempool.h>
 
 #include "otx2_ethdev.h"
+#include "otx2_ethdev_sec.h"
 
 static inline uint64_t
 nix_get_rx_offload_capa(struct otx2_eth_dev *dev)
@@ -2243,10 +2244,17 @@ otx2_eth_dev_init(struct rte_eth_dev *eth_dev)
 		dev->hwcap |= OTX2_FIXUP_F_LIMIT_CQ_FULL;
 	}
 
+	/* Create security ctx */
+	rc = otx2_eth_sec_ctx_create(eth_dev);
+	if (rc)
+		goto free_mac_addrs;
+	dev->tx_offload_capa |= DEV_TX_OFFLOAD_SECURITY;
+	dev->rx_offload_capa |= DEV_RX_OFFLOAD_SECURITY;
+
 	/* Initialize rte-flow */
 	rc = otx2_flow_init(dev);
 	if (rc)
-		goto free_mac_addrs;
+		goto sec_ctx_destroy;
 
 	otx2_nix_mc_filter_init(dev);
 
@@ -2257,6 +2265,8 @@ otx2_eth_dev_init(struct rte_eth_dev *eth_dev)
 		     dev->rx_offload_capa, dev->tx_offload_capa);
 	return 0;
 
+sec_ctx_destroy:
+	otx2_eth_sec_ctx_destroy(eth_dev);
 free_mac_addrs:
 	rte_free(eth_dev->data->mac_addrs);
 unregister_irq:
@@ -2340,6 +2350,9 @@ otx2_eth_dev_uninit(struct rte_eth_dev *eth_dev, bool mbox_close)
 	if (rc)
 		otx2_err("Failed to cleanup npa lf, rc=%d", rc);
 
+	/* Destroy security ctx */
+	otx2_eth_sec_ctx_destroy(eth_dev);
+
 	rte_free(eth_dev->data->mac_addrs);
 	eth_dev->data->mac_addrs = NULL;
 	dev->drv_inited = false;
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
new file mode 100644
index 0000000..80c5689
--- /dev/null
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2020 Marvell International Ltd.
+ */
+
+#include <rte_ethdev.h>
+#include <rte_malloc.h>
+#include <rte_security.h>
+
+#include "otx2_ethdev_sec.h"
+
+int
+otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev)
+{
+	struct rte_security_ctx *ctx;
+
+	ctx = rte_malloc("otx2_eth_sec_ctx",
+			 sizeof(struct rte_security_ctx), 0);
+	if (ctx == NULL)
+		return -ENOMEM;
+
+	/* Populate ctx */
+
+	ctx->device = eth_dev;
+	ctx->sess_cnt = 0;
+
+	eth_dev->security_ctx = ctx;
+
+	return 0;
+}
+
+void
+otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev)
+{
+	rte_free(eth_dev->security_ctx);
+}
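Review bot: otx2_eth_sec_ctx_create() allocates the context with rte_malloc() and fills only device and sess_cnt, so ctx->ops is left uninitialised while otx2_eth_dev_init() in this same patch already sets DEV_TX_OFFLOAD_SECURITY and DEV_RX_OFFLOAD_SECURITY. Any rte_security call made against the port at this point in the series would follow a garbage ops pointer; use rte_zmalloc() or set ctx->ops explicitly, and advertise the capabilities only in the patch that installs the ops. otx2_eth_sec_ctx_destroy() should also set eth_dev->security_ctx to NULL after rte_free(), as the uninit path does for mac_addrs, so no dangling pointer is left behind.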
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.h b/drivers/net/octeontx2/otx2_ethdev_sec.h
new file mode 100644
index 0000000..4a925e9
--- /dev/null
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.h
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2020 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_ETHDEV_SEC_H__
+#define __OTX2_ETHDEV_SEC_H__
+
+#include <rte_ethdev.h>
+
+int otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev);
+
+void otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev);
+
+#endif /* __OTX2_ETHDEV_SEC_H__ */
-- 
2.7.4



* [dpdk-dev] [PATCH v3 05/15] net/octeontx2: add security in eth dev configure
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
                       ` (3 preceding siblings ...)
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 04/15] net/octeontx2: create eth security ctx Anoob Joseph
@ 2020-01-31 10:03     ` Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 06/15] net/octeontx2: add eth security capabilities Anoob Joseph
                       ` (10 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Tejasree Kondoj, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Vamsi Attunuru, Lukasz Bartosik, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

Adding security in eth device configure.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 doc/guides/nics/octeontx2.rst               |  20 +++++
 doc/guides/rel_notes/release_20_02.rst      |   9 ++
 drivers/crypto/octeontx2/otx2_ipsec_fp.h    |  55 +++++++++++++
 drivers/net/octeontx2/Makefile              |   3 +
 drivers/net/octeontx2/meson.build           |   5 +-
 drivers/net/octeontx2/otx2_ethdev.c         |  17 +++-
 drivers/net/octeontx2/otx2_ethdev.h         |   2 +
 drivers/net/octeontx2/otx2_ethdev_devargs.c |  19 +++++
 drivers/net/octeontx2/otx2_ethdev_sec.c     | 122 ++++++++++++++++++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.h     |   4 +
 10 files changed, 254 insertions(+), 2 deletions(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h

diff --git a/doc/guides/nics/octeontx2.rst b/doc/guides/nics/octeontx2.rst
index db62a45..fd4e455 100644
--- a/doc/guides/nics/octeontx2.rst
+++ b/doc/guides/nics/octeontx2.rst
@@ -38,6 +38,7 @@ Features of the OCTEON TX2 Ethdev PMD are:
 - IEEE1588 timestamping
 - HW offloaded `ethdev Rx queue` to `eventdev event queue` packet injection
 - Support Rx interrupt
+- Inline IPsec processing support
 
 Prerequisites
 -------------
@@ -178,6 +179,17 @@ Runtime Config Options
    traffic on this port should be higig2 traffic only. Supported switch header
    types are "higig2" and "dsa".
 
+- ``Max SPI for inbound inline IPsec`` (default ``1``)
+
+   Max SPI supported for inbound inline IPsec processing can be specified by
+   ``ipsec_in_max_spi`` ``devargs`` parameter.
+
+   For example::
+      -w 0002:02:00.0,ipsec_in_max_spi=128
+
+   With the above configuration, application can enable inline IPsec processing
+   on 128 SAs (SPI 0-127).
+
 .. note::
 
    Above devarg parameters are configurable per device, user needs to pass the
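Review bot: The "For example::" line in the new ipsec_in_max_spi entry is followed directly by the "-w 0002:02:00.0,ipsec_in_max_spi=128" line; reStructuredText needs a blank line between the "::" paragraph and the indented literal block, otherwise the example is not rendered as a literal block. The entry would also be clearer if it said what happens to inbound packets whose SPI is at or above the limit, and that the default of 1 covers SPI 0 only.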
@@ -211,6 +223,14 @@ SDP interface support
 ~~~~~~~~~~~~~~~~~~~~~
 OCTEON TX2 SDP interface support is limited to PF device, No VF support.
 
+Inline Protocol Processing
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+``net_octeontx2`` pmd doesn't support the following features for packets to be
+inline protocol processed.
+- TSO offload
+- VLAN/QinQ offload
+- Fragmentation
+
 Debugging Options
 -----------------
 
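Review bot: In the new "Inline Protocol Processing" section the bullet list ("- TSO offload" and the two items after it) starts on the line right after "inline protocol processed." with no blank line between them. reStructuredText then treats the dashes as a continuation of the paragraph rather than a list; add a blank line before the first bullet, and end the introductory sentence with a colon.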
diff --git a/doc/guides/rel_notes/release_20_02.rst b/doc/guides/rel_notes/release_20_02.rst
index d19a7f5..916ce88 100644
--- a/doc/guides/rel_notes/release_20_02.rst
+++ b/doc/guides/rel_notes/release_20_02.rst
@@ -166,6 +166,15 @@ New Features
   armv8 crypto library is not used anymore. Library name is changed
   from armv8_crypto to AArch64crypto.
 
+* **Added inline IPsec support to Marvell OCTEON TX2 PMD.**
+
+  Added inline IPsec support to Marvell OCTEON TX2 PMD. With the feature,
+  applications would be able to offload entire IPsec offload to the hardware.
+  For the configured sessions, hardware will do the lookup and perform
+  decryption and IPsec transformation. For the outbound path, application
+  can submit a plain packet to the PMD, and it would be sent out on wire
+  after doing encryption and IPsec transformation of the packet.
+
 Removed Items
 -------------
 
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_fp.h b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
new file mode 100644
index 0000000..bf4181a
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
@@ -0,0 +1,55 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2020 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_IPSEC_FP_H__
+#define __OTX2_IPSEC_FP_H__
+
+struct otx2_ipsec_fp_sa_ctl {
+	rte_be32_t spi          : 32;
+	uint64_t exp_proto_inter_frag : 8;
+	uint64_t rsvd_42_40   : 3;
+	uint64_t esn_en       : 1;
+	uint64_t rsvd_45_44   : 2;
+	uint64_t encap_type   : 2;
+	uint64_t enc_type     : 3;
+	uint64_t rsvd_48      : 1;
+	uint64_t auth_type    : 4;
+	uint64_t valid        : 1;
+	uint64_t direction    : 1;
+	uint64_t outer_ip_ver : 1;
+	uint64_t inner_ip_ver : 1;
+	uint64_t ipsec_mode   : 1;
+	uint64_t ipsec_proto  : 1;
+	uint64_t aes_key_len  : 2;
+};
+
+struct otx2_ipsec_fp_in_sa {
+	/* w0 */
+	struct otx2_ipsec_fp_sa_ctl ctl;
+
+	/* w1 */
+	uint8_t nonce[4]; /* Only for AES-GCM */
+	uint32_t unused;
+
+	/* w2 */
+	uint32_t esn_low;
+	uint32_t esn_hi;
+
+	/* w3-w6 */
+	uint8_t cipher_key[32];
+
+	/* w7-w12 */
+	uint8_t hmac_key[48];
+
+	RTE_STD_C11
+	union {
+		void *userdata;
+		uint64_t udata64;
+	};
+
+	uint64_t reserved1;
+	uint64_t reserved2;
+};
+
+#endif /* __OTX2_IPSEC_FP_H__ */
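Review bot: In struct otx2_ipsec_fp_sa_ctl the one-bit field named rsvd_48 comes after enc_type, which by the preceding widths (spi 32, exp_proto_inter_frag 8, then 3, 1, 2, 2) occupies bits 48 to 50, so the reserved bit is actually bit 51 and either the name or the field order is off. Since this struct is word 0 of the SA, please correct it and add a compile-time size check (the bitfields sum to 64 bits); the layout as written also depends on the compiler allocating bitfields from the least significant bit, which deserves a comment. The header uses rte_be32_t and RTE_STD_C11 without including rte_byteorder.h and rte_common.h, so it is not self-contained.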
diff --git a/drivers/net/octeontx2/Makefile b/drivers/net/octeontx2/Makefile
index 8649f89..0de43e3 100644
--- a/drivers/net/octeontx2/Makefile
+++ b/drivers/net/octeontx2/Makefile
@@ -10,7 +10,9 @@ include $(RTE_SDK)/mk/rte.vars.mk
 LIB = librte_pmd_octeontx2.a
 
 CFLAGS += $(WERROR_FLAGS)
+CFLAGS += -I$(RTE_SDK)/drivers/common/cpt
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
 CFLAGS += -O3
@@ -56,5 +58,6 @@ SRCS-$(CONFIG_RTE_LIBRTE_OCTEONTX2_PMD) += \
 
 LDLIBS += -lrte_common_octeontx2 -lrte_mempool_octeontx2 -lrte_eal -lrte_net
 LDLIBS += -lrte_ethdev -lrte_bus_pci -lrte_kvargs -lrte_mbuf  -lrte_mempool -lm
+LDLIBS += -lrte_cryptodev -lrte_eventdev -lrte_security
 
 include $(RTE_SDK)/mk/rte.lib.mk
diff --git a/drivers/net/octeontx2/meson.build b/drivers/net/octeontx2/meson.build
index dfbf99a..04cf58f 100644
--- a/drivers/net/octeontx2/meson.build
+++ b/drivers/net/octeontx2/meson.build
@@ -25,7 +25,7 @@ sources = files('otx2_rx.c',
 		'otx2_ethdev_devargs.c'
 		)
 
-deps += ['bus_pci', 'cryptodev', 'security']
+deps += ['bus_pci', 'cryptodev', 'eventdev', 'security']
 deps += ['common_octeontx2', 'mempool_octeontx2']
 
 cflags += ['-flax-vector-conversions']
@@ -41,3 +41,6 @@ foreach flag: extra_flags
 		cflags += flag
 	endif
 endforeach
+
+includes += include_directories('../../common/cpt')
+includes += include_directories('../../crypto/octeontx2')
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index 7fd5254..e8ae779 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -339,6 +339,10 @@ nix_cq_rq_init(struct rte_eth_dev *eth_dev, struct otx2_eth_dev *dev,
 	aq->op = NIX_AQ_INSTOP_INIT;
 
 	aq->rq.sso_ena = 0;
+
+	if (rxq->offloads & DEV_RX_OFFLOAD_SECURITY)
+		aq->rq.ipsech_ena = 1;
+
 	aq->rq.cq = qid; /* RQ to CQ 1:1 mapped */
 	aq->rq.spb_ena = 0;
 	aq->rq.lpb_aura = npa_lf_aura_handle_to_aura(mp->pool_id);
@@ -1612,6 +1616,7 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev)
 
 	/* Free the resources allocated from the previous configure */
 	if (dev->configured == 1) {
+		otx2_eth_sec_fini(eth_dev);
 		otx2_nix_rxchan_bpid_cfg(eth_dev, false);
 		otx2_nix_vlan_fini(eth_dev);
 		otx2_nix_mc_addr_list_uninstall(eth_dev);
@@ -1722,10 +1727,15 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev)
 		goto cq_fini;
 	}
 
+	/* Enable security */
+	rc = otx2_eth_sec_init(eth_dev);
+	if (rc)
+		goto cq_fini;
+
 	rc = otx2_nix_mc_addr_list_install(eth_dev);
 	if (rc < 0) {
 		otx2_err("Failed to install mc address list rc=%d", rc);
-		goto cq_fini;
+		goto sec_fini;
 	}
 
 	/*
@@ -1761,6 +1771,8 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev)
 
 uninstall_mc_list:
 	otx2_nix_mc_addr_list_uninstall(eth_dev);
+sec_fini:
+	otx2_eth_sec_fini(eth_dev);
 cq_fini:
 	oxt2_nix_unregister_cq_irqs(eth_dev);
 q_irq_fini:
@@ -2350,6 +2362,9 @@ otx2_eth_dev_uninit(struct rte_eth_dev *eth_dev, bool mbox_close)
 	if (rc)
 		otx2_err("Failed to cleanup npa lf, rc=%d", rc);
 
+	/* Disable security */
+	otx2_eth_sec_fini(eth_dev);
+
 	/* Destroy security ctx */
 	otx2_eth_sec_ctx_destroy(eth_dev);
 
diff --git a/drivers/net/octeontx2/otx2_ethdev.h b/drivers/net/octeontx2/otx2_ethdev.h
index 3f3fdec..60b535a 100644
--- a/drivers/net/octeontx2/otx2_ethdev.h
+++ b/drivers/net/octeontx2/otx2_ethdev.h
@@ -324,6 +324,8 @@ struct otx2_eth_dev {
 	bool mc_tbl_set;
 	struct otx2_nix_mc_filter_tbl mc_fltr_tbl;
 	bool sdp_link; /* SDP flag */
+	/* Inline IPsec params */
+	uint16_t ipsec_in_max_spi;
 } __rte_cache_aligned;
 
 struct otx2_eth_txq {
diff --git a/drivers/net/octeontx2/otx2_ethdev_devargs.c b/drivers/net/octeontx2/otx2_ethdev_devargs.c
index 04da1ab..a3f7598 100644
--- a/drivers/net/octeontx2/otx2_ethdev_devargs.c
+++ b/drivers/net/octeontx2/otx2_ethdev_devargs.c
@@ -64,6 +64,19 @@ parse_reta_size(const char *key, const char *value, void *extra_args)
 }
 
 static int
+parse_ipsec_in_max_spi(const char *key, const char *value, void *extra_args)
+{
+	RTE_SET_USED(key);
+	uint32_t val;
+
+	val = atoi(value);
+
+	*(uint16_t *)extra_args = val;
+
+	return 0;
+}
+
+static int
 parse_flag(const char *key, const char *value, void *extra_args)
 {
 	RTE_SET_USED(key);
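Review bot: parse_ipsec_in_max_spi() converts the value with atoi() and stores it through a uint16_t pointer with no validation, so 0, a negative number, a non-numeric string or anything above 65535 is accepted and silently truncated, although the parameter string registered later in this file documents the range as <1-65535>. Suggest strtoul() with an end-pointer and errno check, returning -EINVAL for values outside 1 to 65535, since this number bounds the inbound SA space. The RTE_SET_USED(key) statement should also move below the declaration of val.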
@@ -104,6 +117,7 @@ parse_switch_header_type(const char *key, const char *value, void *extra_args)
 }
 
 #define OTX2_RSS_RETA_SIZE "reta_size"
+#define OTX2_IPSEC_IN_MAX_SPI "ipsec_in_max_spi"
 #define OTX2_SCL_ENABLE "scalar_enable"
 #define OTX2_MAX_SQB_COUNT "max_sqb_count"
 #define OTX2_FLOW_PREALLOC_SIZE "flow_prealloc_size"
@@ -118,6 +132,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 	uint16_t flow_prealloc_size = 8;
 	uint16_t switch_header_type = 0;
 	uint16_t flow_max_priority = 3;
+	uint16_t ipsec_in_max_spi = 1;
 	uint16_t scalar_enable = 0;
 	struct rte_kvargs *kvlist;
 
@@ -130,6 +145,8 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 
 	rte_kvargs_process(kvlist, OTX2_RSS_RETA_SIZE,
 			   &parse_reta_size, &rss_size);
+	rte_kvargs_process(kvlist, OTX2_IPSEC_IN_MAX_SPI,
+			   &parse_ipsec_in_max_spi, &ipsec_in_max_spi);
 	rte_kvargs_process(kvlist, OTX2_SCL_ENABLE,
 			   &parse_flag, &scalar_enable);
 	rte_kvargs_process(kvlist, OTX2_MAX_SQB_COUNT,
@@ -143,6 +160,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 	rte_kvargs_free(kvlist);
 
 null_devargs:
+	dev->ipsec_in_max_spi = ipsec_in_max_spi;
 	dev->scalar_ena = scalar_enable;
 	dev->max_sqb_count = sqb_count;
 	dev->rss_info.rss_size = rss_size;
@@ -157,6 +175,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 
 RTE_PMD_REGISTER_PARAM_STRING(net_octeontx2,
 			      OTX2_RSS_RETA_SIZE "=<64|128|256>"
+			      OTX2_IPSEC_IN_MAX_SPI "=<1-65535>"
 			      OTX2_SCL_ENABLE "=1"
 			      OTX2_MAX_SQB_COUNT "=<8-512>"
 			      OTX2_FLOW_PREALLOC_SIZE "=<1-32>"
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index 80c5689..ed68152 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -3,10 +3,35 @@
  */
 
 #include <rte_ethdev.h>
+#include <rte_eventdev.h>
 #include <rte_malloc.h>
+#include <rte_memzone.h>
 #include <rte_security.h>
 
+#include "otx2_ethdev.h"
 #include "otx2_ethdev_sec.h"
+#include "otx2_ipsec_fp.h"
+
+#define ETH_SEC_MAX_PKT_LEN	1450
+
+struct eth_sec_tag_const {
+	RTE_STD_C11
+	union {
+		struct {
+			uint32_t rsvd_11_0  : 12;
+			uint32_t port       : 8;
+			uint32_t event_type : 4;
+			uint32_t rsvd_31_24 : 8;
+		};
+		uint32_t u32;
+	};
+};
+
+static inline void
+in_sa_mz_name_get(char *name, int size, uint16_t port)
+{
+	snprintf(name, size, "otx2_ipsec_in_sadb_%u", port);
+}
 
 int
 otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev)
@@ -33,3 +58,100 @@ otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev)
 {
 	rte_free(eth_dev->security_ctx);
 }
+
+static int
+eth_sec_ipsec_cfg(struct rte_eth_dev *eth_dev, uint8_t tt)
+{
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	struct nix_inline_ipsec_lf_cfg *req;
+	struct otx2_mbox *mbox = dev->mbox;
+	struct eth_sec_tag_const tag_const;
+	char name[RTE_MEMZONE_NAMESIZE];
+	const struct rte_memzone *mz;
+
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL)
+		return -EINVAL;
+
+	req = otx2_mbox_alloc_msg_nix_inline_ipsec_lf_cfg(mbox);
+	req->enable = 1;
+	req->sa_base_addr = mz->iova;
+
+	req->ipsec_cfg0.tt = tt;
+
+	tag_const.u32 = 0;
+	tag_const.event_type = RTE_EVENT_TYPE_ETHDEV;
+	tag_const.port = port;
+	req->ipsec_cfg0.tag_const = tag_const.u32;
+
+	req->ipsec_cfg0.sa_pow2_size =
+			rte_log2_u32(sizeof(struct otx2_ipsec_fp_in_sa));
+	req->ipsec_cfg0.lenm1_max = ETH_SEC_MAX_PKT_LEN - 1;
+
+	req->ipsec_cfg1.sa_idx_w = rte_log2_u32(dev->ipsec_in_max_spi);
+	req->ipsec_cfg1.sa_idx_max = dev->ipsec_in_max_spi - 1;
+
+	return otx2_mbox_process(mbox);
+}
+
+int
+otx2_eth_sec_init(struct rte_eth_dev *eth_dev)
+{
+	const size_t sa_width = sizeof(struct otx2_ipsec_fp_in_sa);
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	char name[RTE_MEMZONE_NAMESIZE];
+	const struct rte_memzone *mz;
+	int mz_sz, ret;
+	uint16_t nb_sa;
+
+	RTE_BUILD_BUG_ON(sa_width < 32 || sa_width > 512 ||
+			 !RTE_IS_POWER_OF_2(sa_width));
+
+	if (!(dev->tx_offloads & DEV_TX_OFFLOAD_SECURITY) &&
+	    !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
+		return 0;
+
+	nb_sa = dev->ipsec_in_max_spi;
+	mz_sz = nb_sa * sa_width;
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	mz = rte_memzone_reserve_aligned(name, mz_sz, rte_socket_id(),
+					 RTE_MEMZONE_IOVA_CONTIG, OTX2_ALIGN);
+
+	if (mz == NULL) {
+		otx2_err("Could not allocate inbound SA DB");
+		return -ENOMEM;
+	}
+
+	memset(mz->addr, 0, mz_sz);
+
+	ret = eth_sec_ipsec_cfg(eth_dev, SSO_TT_ORDERED);
+	if (ret < 0) {
+		otx2_err("Could not configure inline IPsec");
+		goto sec_fini;
+	}
+
+	return 0;
+
+sec_fini:
+	otx2_err("Could not configure device for security");
+	otx2_eth_sec_fini(eth_dev);
+	return ret;
+}
+
+void
+otx2_eth_sec_fini(struct rte_eth_dev *eth_dev)
+{
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	char name[RTE_MEMZONE_NAMESIZE];
+
+	if (!(dev->tx_offloads & DEV_TX_OFFLOAD_SECURITY) &&
+	    !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
+		return;
+
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	rte_memzone_free(rte_memzone_lookup(name));
+}
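Review bot: otx2_eth_sec_fini() frees the inbound SA memzone but never undoes what eth_sec_ipsec_cfg() programmed (req->enable = 1, req->sa_base_addr = mz->iova), so after teardown the NIX LF is still configured for inline IPsec with a base address that points at freed memory. Send a nix_inline_ipsec_lf_cfg request with enable = 0 before rte_memzone_free(); that also makes the "Disable security" comment at the otx2_eth_dev_uninit() call site accurate. Two smaller points in the same hunk: the result of otx2_mbox_alloc_msg_nix_inline_ipsec_lf_cfg() is dereferenced without a NULL check, and the sec_fini path in otx2_eth_sec_init() logs a second error right after "Could not configure inline IPsec".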
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.h b/drivers/net/octeontx2/otx2_ethdev_sec.h
index 4a925e9..60d4a29 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.h
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.h
@@ -11,4 +11,8 @@ int otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev);
 
 void otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev);
 
+int otx2_eth_sec_init(struct rte_eth_dev *eth_dev);
+
+void otx2_eth_sec_fini(struct rte_eth_dev *eth_dev);
+
 #endif /* __OTX2_ETHDEV_SEC_H__ */
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v3 06/15] net/octeontx2: add eth security capabilities
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
                       ` (4 preceding siblings ...)
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 05/15] net/octeontx2: add security in eth dev configure Anoob Joseph
@ 2020-01-31 10:03     ` Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 07/15] crypto/octeontx2: enable CPT to share QP with ethdev Anoob Joseph
                       ` (9 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

From: Ankur Dwivedi <adwivedi@marvell.com>

Adding security capabilities supported by the eth PMD.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/net/octeontx2/otx2_ethdev_sec.c | 124 ++++++++++++++++++++++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.h |  18 +++++
 2 files changed, 142 insertions(+)

diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index ed68152..d0b2dba 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -2,11 +2,13 @@
  * Copyright (C) 2020 Marvell International Ltd.
  */
 
+#include <rte_cryptodev.h>
 #include <rte_ethdev.h>
 #include <rte_eventdev.h>
 #include <rte_malloc.h>
 #include <rte_memzone.h>
 #include <rte_security.h>
+#include <rte_security_driver.h>
 
 #include "otx2_ethdev.h"
 #include "otx2_ethdev_sec.h"
@@ -27,12 +29,133 @@ struct eth_sec_tag_const {
 	};
 };
 
+static struct rte_cryptodev_capabilities otx2_eth_sec_crypto_caps[] = {
+	{	/* AES GCM */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			{.aead = {
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.digest_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				},
+				.aad_size = {
+					.min = 8,
+					.max = 12,
+					.increment = 4
+				},
+				.iv_size = {
+					.min = 12,
+					.max = 12,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+	{	/* AES CBC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.iv_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+	{	/* SHA1 HMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
+				.block_size = 64,
+				.key_size = {
+					.min = 20,
+					.max = 64,
+					.increment = 1
+				},
+				.digest_size = {
+					.min = 12,
+					.max = 12,
+					.increment = 0
+				},
+			}, }
+		}, }
+	},
+	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
+};
+
+static const struct rte_security_capability otx2_eth_sec_capabilities[] = {
+	{	/* IPsec Inline Protocol ESP Tunnel Ingress */
+		.action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+			.options = { 0 }
+		},
+		.crypto_capabilities = otx2_eth_sec_crypto_caps,
+		.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
+	},
+	{	/* IPsec Inline Protocol ESP Tunnel Egress */
+		.action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+			.options = { 0 }
+		},
+		.crypto_capabilities = otx2_eth_sec_crypto_caps,
+		.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
+	},
+	{
+		.action = RTE_SECURITY_ACTION_TYPE_NONE
+	}
+};
+
 static inline void
 in_sa_mz_name_get(char *name, int size, uint16_t port)
 {
 	snprintf(name, size, "otx2_ipsec_in_sadb_%u", port);
 }
 
+static unsigned int
+otx2_eth_sec_session_get_size(void *device __rte_unused)
+{
+	return sizeof(struct otx2_sec_session);
+}
+
+static const struct rte_security_capability *
+otx2_eth_sec_capabilities_get(void *device __rte_unused)
+{
+	return otx2_eth_sec_capabilities;
+}
+
+static struct rte_security_ops otx2_eth_sec_ops = {
+	.session_get_size	= otx2_eth_sec_session_get_size,
+	.capabilities_get	= otx2_eth_sec_capabilities_get
+};
+
 int
 otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev)
 {
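Review bot: the ingress entry of otx2_eth_sec_capabilities[] sets .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA, which is a Tx offload flag; it looks copied from the egress entry and should be 0 for ingress unless the Rx path really depends on it, in which case a comment should say why. Also, otx2_eth_sec_crypto_caps[] is declared static but not const, while the rte_security_capability table that points at it is const; make it static const so the advertised algorithm limits cannot be modified at run time.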
@@ -46,6 +169,7 @@ otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev)
 	/* Populate ctx */
 
 	ctx->device = eth_dev;
+	ctx->ops = &otx2_eth_sec_ops;
 	ctx->sess_cnt = 0;
 
 	eth_dev->security_ctx = ctx;
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.h b/drivers/net/octeontx2/otx2_ethdev_sec.h
index 60d4a29..8bdc9f0 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.h
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.h
@@ -7,6 +7,24 @@
 
 #include <rte_ethdev.h>
 
+#include "otx2_ipsec_fp.h"
+
+/*
+ * Security session for inline IPsec protocol offload. This is private data of
+ * inline capable PMD.
+ */
+struct otx2_sec_session_ipsec_ip {
+	int dummy;
+};
+
+struct otx2_sec_session_ipsec {
+	struct otx2_sec_session_ipsec_ip ip;
+};
+
+struct otx2_sec_session {
+	struct otx2_sec_session_ipsec ipsec;
+} __rte_cache_aligned;
+
 int otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev);
 
 void otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev);
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v3 07/15] crypto/octeontx2: enable CPT to share QP with ethdev
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
                       ` (5 preceding siblings ...)
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 06/15] net/octeontx2: add eth security capabilities Anoob Joseph
@ 2020-01-31 10:03     ` Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 08/15] net/octeontx2: add eth security session operations Anoob Joseph
                       ` (8 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

Adding the infrastructure to save one opaque pointer in idev and
implement the consumer-producer in the PMDs which use it accordingly.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/common/octeontx2/otx2_sec_idev.c           | 92 ++++++++++++++++++++++
 drivers/common/octeontx2/otx2_sec_idev.h           | 21 +++++
 .../octeontx2/rte_common_octeontx2_version.map     |  3 +
 .../crypto/octeontx2/otx2_cryptodev_hw_access.h    | 22 +-----
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c      | 17 ++++
 drivers/crypto/octeontx2/otx2_cryptodev_qp.h       | 35 ++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.c            |  9 +++
 7 files changed, 178 insertions(+), 21 deletions(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_qp.h

diff --git a/drivers/common/octeontx2/otx2_sec_idev.c b/drivers/common/octeontx2/otx2_sec_idev.c
index 532abde..e924078 100644
--- a/drivers/common/octeontx2/otx2_sec_idev.c
+++ b/drivers/common/octeontx2/otx2_sec_idev.c
@@ -2,12 +2,16 @@
  * Copyright(C) 2020 Marvell International Ltd.
  */
 
+#include <rte_atomic.h>
 #include <rte_bus_pci.h>
 #include <rte_ethdev.h>
+#include <rte_spinlock.h>
 
 #include "otx2_common.h"
 #include "otx2_sec_idev.h"
 
+static struct otx2_sec_idev_cfg sec_cfg[OTX2_MAX_INLINE_PORTS];
+
 /**
  * @internal
  * Check if rte_eth_dev is security offload capable otx2_eth_dev
@@ -26,3 +30,91 @@ otx2_eth_dev_is_sec_capable(struct rte_eth_dev *eth_dev)
 
 	return 0;
 }
+
+int
+otx2_sec_idev_cfg_init(int port_id)
+{
+	struct otx2_sec_idev_cfg *cfg;
+	int i;
+
+	cfg = &sec_cfg[port_id];
+	cfg->tx_cpt_idx = 0;
+	rte_spinlock_init(&cfg->tx_cpt_lock);
+
+	for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+		cfg->tx_cpt[i].qp = NULL;
+		rte_atomic16_set(&cfg->tx_cpt[i].ref_cnt, 0);
+	}
+
+	return 0;
+}
+
+int
+otx2_sec_idev_tx_cpt_qp_add(uint16_t port_id, struct otx2_cpt_qp *qp)
+{
+	struct otx2_sec_idev_cfg *cfg;
+	int i, ret;
+
+	if (qp == NULL || port_id > OTX2_MAX_INLINE_PORTS)
+		return -EINVAL;
+
+	cfg = &sec_cfg[port_id];
+
+	/* Find a free slot to save CPT LF */
+
+	rte_spinlock_lock(&cfg->tx_cpt_lock);
+
+	for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+		if (cfg->tx_cpt[i].qp == NULL) {
+			cfg->tx_cpt[i].qp = qp;
+			ret = 0;
+			goto unlock;
+		}
+	}
+
+	ret = -EINVAL;
+
+unlock:
+	rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	return ret;
+}
+
+int
+otx2_sec_idev_tx_cpt_qp_remove(struct otx2_cpt_qp *qp)
+{
+	struct otx2_sec_idev_cfg *cfg;
+	uint16_t port_id;
+	int i, ret;
+
+	if (qp == NULL)
+		return -EINVAL;
+
+	for (port_id = 0; port_id < OTX2_MAX_INLINE_PORTS; port_id++) {
+		cfg = &sec_cfg[port_id];
+
+		rte_spinlock_lock(&cfg->tx_cpt_lock);
+
+		for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+			if (cfg->tx_cpt[i].qp != qp)
+				continue;
+
+			/* Don't free if the QP is in use by any sec session */
+			if (rte_atomic16_read(&cfg->tx_cpt[i].ref_cnt)) {
+				ret = -EBUSY;
+			} else {
+				cfg->tx_cpt[i].qp = NULL;
+				ret = 0;
+			}
+
+			goto unlock;
+		}
+
+		rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	}
+
+	return -ENOENT;
+
+unlock:
+	rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	return ret;
+}
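Review bot: the bound check in otx2_sec_idev_tx_cpt_qp_add() is off by one: port_id > OTX2_MAX_INLINE_PORTS lets port_id == OTX2_MAX_INLINE_PORTS through, and sec_cfg[] has exactly OTX2_MAX_INLINE_PORTS entries, so &sec_cfg[port_id] is one past the end of the array. It should be >=. otx2_sec_idev_cfg_init() has no check at all and takes a signed int, so a negative or large port id writes outside sec_cfg[]; validate there too and return -EINVAL. In otx2_sec_idev_tx_cpt_qp_add(), -ENOSPC would describe a full table better than -EINVAL, and nothing stops the same qp from being stored in two slots.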
diff --git a/drivers/common/octeontx2/otx2_sec_idev.h b/drivers/common/octeontx2/otx2_sec_idev.h
index a5d929e..20d71d0 100644
--- a/drivers/common/octeontx2/otx2_sec_idev.h
+++ b/drivers/common/octeontx2/otx2_sec_idev.h
@@ -7,6 +7,27 @@
 
 #include <rte_ethdev.h>
 
+#define OTX2_MAX_CPT_QP_PER_PORT 64
+#define OTX2_MAX_INLINE_PORTS 64
+
+struct otx2_cpt_qp;
+
+struct otx2_sec_idev_cfg {
+	struct {
+		struct otx2_cpt_qp *qp;
+		rte_atomic16_t ref_cnt;
+	} tx_cpt[OTX2_MAX_CPT_QP_PER_PORT];
+
+	uint16_t tx_cpt_idx;
+	rte_spinlock_t tx_cpt_lock;
+};
+
 uint8_t otx2_eth_dev_is_sec_capable(struct rte_eth_dev *eth_dev);
 
+int otx2_sec_idev_cfg_init(int port_id);
+
+int otx2_sec_idev_tx_cpt_qp_add(uint16_t port_id, struct otx2_cpt_qp *qp);
+
+int otx2_sec_idev_tx_cpt_qp_remove(struct otx2_cpt_qp *qp);
+
 #endif /* _OTX2_SEC_IDEV_H_ */
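Review bot: struct otx2_sec_idev_cfg uses rte_atomic16_t and rte_spinlock_t, but this header does not include rte_atomic.h or rte_spinlock.h; they are only pulled in by otx2_sec_idev.c before it includes this file. Include both here so the header is self-contained for the crypto and net PMDs that use it.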
diff --git a/drivers/common/octeontx2/rte_common_octeontx2_version.map b/drivers/common/octeontx2/rte_common_octeontx2_version.map
index 724fa35..775aca8 100644
--- a/drivers/common/octeontx2/rte_common_octeontx2_version.map
+++ b/drivers/common/octeontx2/rte_common_octeontx2_version.map
@@ -28,6 +28,9 @@ DPDK_20.0 {
 	otx2_npa_pf_func_get;
 	otx2_npa_set_defaults;
 	otx2_register_irq;
+	otx2_sec_idev_cfg_init;
+	otx2_sec_idev_tx_cpt_qp_add;
+	otx2_sec_idev_tx_cpt_qp_remove;
 	otx2_sso_pf_func_get;
 	otx2_sso_pf_func_set;
 	otx2_unregister_irq;
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h b/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h
index 6f78aa4..43db6a6 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h
@@ -15,6 +15,7 @@
 #include "cpt_mcode_defines.h"
 
 #include "otx2_dev.h"
+#include "otx2_cryptodev_qp.h"
 
 /* CPT instruction queue length */
 #define OTX2_CPT_IQ_LEN			8200
@@ -135,27 +136,6 @@ enum cpt_9x_comp_e {
 	CPT_9X_COMP_E_LAST_ENTRY = 0x06
 };
 
-struct otx2_cpt_qp {
-	uint32_t id;
-	/**< Queue pair id */
-	uintptr_t base;
-	/**< Base address where BAR is mapped */
-	void *lmtline;
-	/**< Address of LMTLINE */
-	rte_iova_t lf_nq_reg;
-	/**< LF enqueue register address */
-	struct pending_queue pend_q;
-	/**< Pending queue */
-	struct rte_mempool *sess_mp;
-	/**< Session mempool */
-	struct rte_mempool *sess_mp_priv;
-	/**< Session private data mempool */
-	struct cpt_qp_meta_info meta_info;
-	/**< Metabuf info required to support operations on the queue pair */
-	rte_iova_t iq_dma_addr;
-	/**< Instruction queue address */
-};
-
 void otx2_cpt_err_intr_unregister(const struct rte_cryptodev *dev);
 
 int otx2_cpt_err_intr_register(const struct rte_cryptodev *dev);
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index 005b0a9..7eebb49 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -149,6 +149,11 @@ otx2_cpt_qp_inline_cfg(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp)
 	if (ret)
 		return ret;
 
+	/* Publish inline Tx QP to eth dev security */
+	ret = otx2_sec_idev_tx_cpt_qp_add(port_id, qp);
+	if (ret)
+		return ret;
+
 	return 0;
 }
 
@@ -243,6 +248,12 @@ otx2_cpt_qp_create(const struct rte_cryptodev *dev, uint16_t qp_id,
 
 	qp->lf_nq_reg = qp->base + OTX2_CPT_LF_NQ(0);
 
+	ret = otx2_sec_idev_tx_cpt_qp_remove(qp);
+	if (ret && (ret != -ENOENT)) {
+		CPT_LOG_ERR("Could not delete inline configuration");
+		goto mempool_destroy;
+	}
+
 	otx2_cpt_iq_disable(qp);
 
 	ret = otx2_cpt_qp_inline_cfg(dev, qp);
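Review bot: the otx2_sec_idev_tx_cpt_qp_remove(qp) call in otx2_cpt_qp_create() needs a comment. The qp is being created here, so it is not obvious which earlier registration this is expected to clear, and the error text "Could not delete inline configuration" reads like a destroy-path message. If the intent is to drop a stale entry left under the same address, say so; note that an -EBUSY result then fails queue pair creation because of a reference count that belongs to a previous owner.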
@@ -276,6 +287,12 @@ otx2_cpt_qp_destroy(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp)
 	char name[RTE_MEMZONE_NAMESIZE];
 	int ret;
 
+	ret = otx2_sec_idev_tx_cpt_qp_remove(qp);
+	if (ret && (ret != -ENOENT)) {
+		CPT_LOG_ERR("Could not delete inline configuration");
+		return ret;
+	}
+
 	otx2_cpt_iq_disable(qp);
 
 	otx2_cpt_metabuf_mempool_destroy(qp);
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_qp.h b/drivers/crypto/octeontx2/otx2_cryptodev_qp.h
new file mode 100644
index 0000000..9d48da4
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_qp.h
@@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2020 Marvell International Ltd.
+ */
+
+#ifndef _OTX2_CRYPTODEV_QP_H_
+#define _OTX2_CRYPTODEV_QP_H_
+
+#include <rte_common.h>
+#include <rte_mempool.h>
+#include <rte_spinlock.h>
+
+#include "cpt_common.h"
+
+struct otx2_cpt_qp {
+	uint32_t id;
+	/**< Queue pair id */
+	uintptr_t base;
+	/**< Base address where BAR is mapped */
+	void *lmtline;
+	/**< Address of LMTLINE */
+	rte_iova_t lf_nq_reg;
+	/**< LF enqueue register address */
+	struct pending_queue pend_q;
+	/**< Pending queue */
+	struct rte_mempool *sess_mp;
+	/**< Session mempool */
+	struct rte_mempool *sess_mp_priv;
+	/**< Session private data mempool */
+	struct cpt_qp_meta_info meta_info;
+	/**< Metabuf info required to support operations on the queue pair */
+	rte_iova_t iq_dma_addr;
+	/**< Instruction queue address */
+};
+
+#endif /* _OTX2_CRYPTODEV_QP_H_ */
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index d0b2dba..8859042 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -10,9 +10,11 @@
 #include <rte_security.h>
 #include <rte_security_driver.h>
 
+#include "otx2_cryptodev_qp.h"
 #include "otx2_ethdev.h"
 #include "otx2_ethdev_sec.h"
 #include "otx2_ipsec_fp.h"
+#include "otx2_sec_idev.h"
 
 #define ETH_SEC_MAX_PKT_LEN	1450
 
@@ -160,12 +162,19 @@ int
 otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev)
 {
 	struct rte_security_ctx *ctx;
+	int ret;
 
 	ctx = rte_malloc("otx2_eth_sec_ctx",
 			 sizeof(struct rte_security_ctx), 0);
 	if (ctx == NULL)
 		return -ENOMEM;
 
+	ret = otx2_sec_idev_cfg_init(eth_dev->data->port_id);
+	if (ret) {
+		rte_free(ctx);
+		return ret;
+	}
+
 	/* Populate ctx */
 
 	ctx->device = eth_dev;
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v3 08/15] net/octeontx2: add eth security session operations
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
                       ` (6 preceding siblings ...)
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 07/15] crypto/octeontx2: enable CPT to share QP with ethdev Anoob Joseph
@ 2020-01-31 10:03     ` Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 09/15] net/octeontx2: add datapath ops in eth security ctx Anoob Joseph
                       ` (7 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

Adding security session operations in eth security ctx.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/common/octeontx2/otx2_sec_idev.c           |  63 ++++
 drivers/common/octeontx2/otx2_sec_idev.h           |   4 +
 .../octeontx2/rte_common_octeontx2_version.map     |   2 +
 drivers/crypto/octeontx2/otx2_ipsec_fp.h           | 295 +++++++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.c            | 362 +++++++++++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.h            |  84 ++++-
 6 files changed, 809 insertions(+), 1 deletion(-)

diff --git a/drivers/common/octeontx2/otx2_sec_idev.c b/drivers/common/octeontx2/otx2_sec_idev.c
index e924078..4e65ce2 100644
--- a/drivers/common/octeontx2/otx2_sec_idev.c
+++ b/drivers/common/octeontx2/otx2_sec_idev.c
@@ -118,3 +118,66 @@ otx2_sec_idev_tx_cpt_qp_remove(struct otx2_cpt_qp *qp)
 	rte_spinlock_unlock(&cfg->tx_cpt_lock);
 	return ret;
 }
+
+int
+otx2_sec_idev_tx_cpt_qp_get(uint16_t port_id, struct otx2_cpt_qp **qp)
+{
+	struct otx2_sec_idev_cfg *cfg;
+	uint16_t index;
+	int i, ret;
+
+	if (port_id > OTX2_MAX_INLINE_PORTS || qp == NULL)
+		return -EINVAL;
+
+	cfg = &sec_cfg[port_id];
+
+	rte_spinlock_lock(&cfg->tx_cpt_lock);
+
+	index = cfg->tx_cpt_idx;
+
+	/* Get the next index with valid data */
+	for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+		if (cfg->tx_cpt[index].qp != NULL)
+			break;
+		index = (index + 1) % OTX2_MAX_CPT_QP_PER_PORT;
+	}
+
+	if (i >= OTX2_MAX_CPT_QP_PER_PORT) {
+		ret = -EINVAL;
+		goto unlock;
+	}
+
+	*qp = cfg->tx_cpt[index].qp;
+	rte_atomic16_inc(&cfg->tx_cpt[index].ref_cnt);
+
+	cfg->tx_cpt_idx = (index + 1) % OTX2_MAX_CPT_QP_PER_PORT;
+
+	ret = 0;
+
+unlock:
+	rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	return ret;
+}
+
+int
+otx2_sec_idev_tx_cpt_qp_put(struct otx2_cpt_qp *qp)
+{
+	struct otx2_sec_idev_cfg *cfg;
+	uint16_t port_id;
+	int i;
+
+	if (qp == NULL)
+		return -EINVAL;
+
+	for (port_id = 0; port_id < OTX2_MAX_INLINE_PORTS; port_id++) {
+		cfg = &sec_cfg[port_id];
+		for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+			if (cfg->tx_cpt[i].qp == qp) {
+				rte_atomic16_dec(&cfg->tx_cpt[i].ref_cnt);
+				return 0;
+			}
+		}
+	}
+
+	return -EINVAL;
+}
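Review bot: otx2_sec_idev_tx_cpt_qp_put() walks sec_cfg[] and decrements ref_cnt without taking tx_cpt_lock, while otx2_sec_idev_tx_cpt_qp_get() and the remove path do their lookup and update under the lock. The slot's qp pointer can therefore change between the compare and rte_atomic16_dec(), and an unbalanced put drives ref_cnt negative, after which otx2_sec_idev_tx_cpt_qp_remove() keeps returning -EBUSY for that slot. Take the lock in put and refuse to decrement below zero. otx2_sec_idev_tx_cpt_qp_get() also repeats the port_id > OTX2_MAX_INLINE_PORTS check, which should be >= to stay inside sec_cfg[].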
diff --git a/drivers/common/octeontx2/otx2_sec_idev.h b/drivers/common/octeontx2/otx2_sec_idev.h
index 20d71d0..c681f50 100644
--- a/drivers/common/octeontx2/otx2_sec_idev.h
+++ b/drivers/common/octeontx2/otx2_sec_idev.h
@@ -30,4 +30,8 @@ int otx2_sec_idev_tx_cpt_qp_add(uint16_t port_id, struct otx2_cpt_qp *qp);
 
 int otx2_sec_idev_tx_cpt_qp_remove(struct otx2_cpt_qp *qp);
 
+int otx2_sec_idev_tx_cpt_qp_put(struct otx2_cpt_qp *qp);
+
+int otx2_sec_idev_tx_cpt_qp_get(uint16_t port_id, struct otx2_cpt_qp **qp);
+
 #endif /* _OTX2_SEC_IDEV_H_ */
diff --git a/drivers/common/octeontx2/rte_common_octeontx2_version.map b/drivers/common/octeontx2/rte_common_octeontx2_version.map
index 775aca8..19a7b19 100644
--- a/drivers/common/octeontx2/rte_common_octeontx2_version.map
+++ b/drivers/common/octeontx2/rte_common_octeontx2_version.map
@@ -31,6 +31,8 @@ DPDK_20.0 {
 	otx2_sec_idev_cfg_init;
 	otx2_sec_idev_tx_cpt_qp_add;
 	otx2_sec_idev_tx_cpt_qp_remove;
+	otx2_sec_idev_tx_cpt_qp_get;
+	otx2_sec_idev_tx_cpt_qp_put;
 	otx2_sso_pf_func_get;
 	otx2_sso_pf_func_set;
 	otx2_unregister_irq;
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_fp.h b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
index bf4181a..52b3b41 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_fp.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
@@ -5,6 +5,67 @@
 #ifndef __OTX2_IPSEC_FP_H__
 #define __OTX2_IPSEC_FP_H__
 
+#include <rte_crypto_sym.h>
+#include <rte_security.h>
+
+enum {
+	OTX2_IPSEC_FP_SA_DIRECTION_INBOUND = 0,
+	OTX2_IPSEC_FP_SA_DIRECTION_OUTBOUND = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_IP_VERSION_4 = 0,
+	OTX2_IPSEC_FP_SA_IP_VERSION_6 = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_MODE_TRANSPORT = 0,
+	OTX2_IPSEC_FP_SA_MODE_TUNNEL = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_PROTOCOL_AH = 0,
+	OTX2_IPSEC_FP_SA_PROTOCOL_ESP = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_AES_KEY_LEN_128 = 1,
+	OTX2_IPSEC_FP_SA_AES_KEY_LEN_192 = 2,
+	OTX2_IPSEC_FP_SA_AES_KEY_LEN_256 = 3,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_ENC_NULL = 0,
+	OTX2_IPSEC_FP_SA_ENC_DES_CBC = 1,
+	OTX2_IPSEC_FP_SA_ENC_3DES_CBC = 2,
+	OTX2_IPSEC_FP_SA_ENC_AES_CBC = 3,
+	OTX2_IPSEC_FP_SA_ENC_AES_CTR = 4,
+	OTX2_IPSEC_FP_SA_ENC_AES_GCM = 5,
+	OTX2_IPSEC_FP_SA_ENC_AES_CCM = 6,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_AUTH_NULL = 0,
+	OTX2_IPSEC_FP_SA_AUTH_MD5 = 1,
+	OTX2_IPSEC_FP_SA_AUTH_SHA1 = 2,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_224 = 3,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_256 = 4,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_384 = 5,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_512 = 6,
+	OTX2_IPSEC_FP_SA_AUTH_AES_GMAC = 7,
+	OTX2_IPSEC_FP_SA_AUTH_AES_XCBC_128 = 8,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_FRAG_POST = 0,
+	OTX2_IPSEC_FP_SA_FRAG_PRE = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_ENCAP_NONE = 0,
+	OTX2_IPSEC_FP_SA_ENCAP_UDP = 1,
+};
+
 struct otx2_ipsec_fp_sa_ctl {
 	rte_be32_t spi          : 32;
 	uint64_t exp_proto_inter_frag : 8;
@@ -24,6 +85,26 @@ struct otx2_ipsec_fp_sa_ctl {
 	uint64_t aes_key_len  : 2;
 };
 
+struct otx2_ipsec_fp_out_sa {
+	/* w0 */
+	struct otx2_ipsec_fp_sa_ctl ctl;
+
+	/* w1 */
+	uint8_t nonce[4];
+	uint16_t udp_src;
+	uint16_t udp_dst;
+
+	/* w2 */
+	uint32_t ip_src;
+	uint32_t ip_dst;
+
+	/* w3-w6 */
+	uint8_t cipher_key[32];
+
+	/* w7-w12 */
+	uint8_t hmac_key[48];
+};
+
 struct otx2_ipsec_fp_in_sa {
 	/* w0 */
 	struct otx2_ipsec_fp_sa_ctl ctl;
@@ -52,4 +133,218 @@ struct otx2_ipsec_fp_in_sa {
 	uint64_t reserved2;
 };
 
+static inline int
+ipsec_fp_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
+{
+	if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		switch (xform->cipher.key.length) {
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return -ENOTSUP;
+		}
+		return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_fp_xform_auth_verify(struct rte_crypto_sym_xform *xform)
+{
+	uint16_t keylen = xform->auth.key.length;
+
+	if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+		if (keylen >= 20 && keylen <= 64)
+			return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_fp_xform_aead_verify(struct rte_security_ipsec_xform *ipsec,
+			   struct rte_crypto_sym_xform *xform)
+{
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+	    xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
+		return -EINVAL;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+	    xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
+		return -EINVAL;
+
+	if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+		switch (xform->aead.key.length) {
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return -EINVAL;
+		}
+		return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_fp_xform_verify(struct rte_security_ipsec_xform *ipsec,
+		      struct rte_crypto_sym_xform *xform)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	int ret;
+
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+		return ipsec_fp_xform_aead_verify(ipsec, xform);
+
+	if (xform->next == NULL)
+		return -EINVAL;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		/* Ingress */
+		if (xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+		    xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+			return -EINVAL;
+		auth_xform = xform;
+		cipher_xform = xform->next;
+	} else {
+		/* Egress */
+		if (xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+		    xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+			return -EINVAL;
+		cipher_xform = xform;
+		auth_xform = xform->next;
+	}
+
+	ret = ipsec_fp_xform_cipher_verify(cipher_xform);
+	if (ret)
+		return ret;
+
+	ret = ipsec_fp_xform_auth_verify(auth_xform);
+	if (ret)
+		return ret;
+
+	return 0;
+}
+
+static inline int
+ipsec_fp_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
+		    struct rte_crypto_sym_xform *xform,
+		    struct otx2_ipsec_fp_sa_ctl *ctl)
+{
+	struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
+	int aes_key_len;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		ctl->direction = OTX2_IPSEC_FP_SA_DIRECTION_OUTBOUND;
+		cipher_xform = xform;
+		auth_xform = xform->next;
+	} else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		ctl->direction = OTX2_IPSEC_FP_SA_DIRECTION_INBOUND;
+		auth_xform = xform;
+		cipher_xform = xform->next;
+	} else {
+		return -EINVAL;
+	}
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+			ctl->outer_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_4;
+		else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
+			ctl->outer_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_6;
+		else
+			return -EINVAL;
+	}
+
+	ctl->inner_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_4;
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
+		ctl->ipsec_mode = OTX2_IPSEC_FP_SA_MODE_TRANSPORT;
+	else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+		ctl->ipsec_mode = OTX2_IPSEC_FP_SA_MODE_TUNNEL;
+	else
+		return -EINVAL;
+
+	if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
+		ctl->ipsec_proto = OTX2_IPSEC_FP_SA_PROTOCOL_AH;
+	else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
+		ctl->ipsec_proto = OTX2_IPSEC_FP_SA_PROTOCOL_ESP;
+	else
+		return -EINVAL;
+
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+			ctl->enc_type = OTX2_IPSEC_FP_SA_ENC_AES_GCM;
+			aes_key_len = xform->aead.key.length;
+		} else {
+			return -ENOTSUP;
+		}
+	} else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		ctl->enc_type = OTX2_IPSEC_FP_SA_ENC_AES_CBC;
+		aes_key_len = cipher_xform->cipher.key.length;
+	} else {
+		return -ENOTSUP;
+	}
+
+	switch (aes_key_len) {
+	case 16:
+		ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_128;
+		break;
+	case 24:
+		ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_192;
+		break;
+	case 32:
+		ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_256;
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	if (xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
+		switch (auth_xform->auth.algo) {
+		case RTE_CRYPTO_AUTH_NULL:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_NULL;
+			break;
+		case RTE_CRYPTO_AUTH_MD5_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_MD5;
+			break;
+		case RTE_CRYPTO_AUTH_SHA1_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA1;
+			break;
+		case RTE_CRYPTO_AUTH_SHA224_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_224;
+			break;
+		case RTE_CRYPTO_AUTH_SHA256_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_256;
+			break;
+		case RTE_CRYPTO_AUTH_SHA384_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_384;
+			break;
+		case RTE_CRYPTO_AUTH_SHA512_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_512;
+			break;
+		case RTE_CRYPTO_AUTH_AES_GMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_AES_GMAC;
+			break;
+		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_AES_XCBC_128;
+			break;
+		default:
+			return -ENOTSUP;
+		}
+	}
+
+	if (ipsec->options.esn == 1)
+		ctl->esn_en = 1;
+
+	ctl->spi = rte_cpu_to_be_32(ipsec->spi);
+	ctl->valid = 1;
+
+	return 0;
+}
+
 #endif /* __OTX2_IPSEC_FP_H__ */
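Review bot: in ipsec_fp_sa_ctl_set() the auth switch maps RTE_CRYPTO_AUTH_NULL (and RTE_CRYPTO_AUTH_MD5_HMAC) for the non-AEAD case, so unless ipsec_fp_xform_auth_verify(), which is not part of these lines, rejects them, an AES-CBC SA with no integrity protection can be programmed into the hardware. Please either drop the NULL case here or state in a comment where it is filtered. Two smaller points in the same function: `ctl->inner_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_4;` is set unconditionally with no comment saying that only an IPv4 inner header is supported, and in transport mode `ctl->outer_ip_ver` is never written, so it depends on the caller having zeroed the control word.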
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index 8859042..2ec2598 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -141,6 +141,366 @@ in_sa_mz_name_get(char *name, int size, uint16_t port)
 	snprintf(name, size, "otx2_ipsec_in_sadb_%u", port);
 }
 
+static struct otx2_ipsec_fp_in_sa *
+in_sa_get(uint16_t port, int sa_index)
+{
+	char name[RTE_MEMZONE_NAMESIZE];
+	struct otx2_ipsec_fp_in_sa *sa;
+	const struct rte_memzone *mz;
+
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL) {
+		otx2_err("Could not get the memzone reserved for IN SA DB");
+		return NULL;
+	}
+
+	sa = mz->addr;
+
+	return sa + sa_index;
+}
+
+static int
+hmac_init(struct otx2_ipsec_fp_sa_ctl *ctl, struct otx2_cpt_qp *qp,
+	  const uint8_t *auth_key, int len, uint8_t *hmac_key)
+{
+	struct inst_data {
+		struct otx2_cpt_res cpt_res;
+		uint8_t buffer[64];
+	} *md;
+
+	volatile struct otx2_cpt_res *res;
+	uint64_t timeout, lmt_status;
+	struct otx2_cpt_inst_s inst;
+	rte_iova_t md_iova;
+	int ret;
+
+	memset(&inst, 0, sizeof(struct otx2_cpt_inst_s));
+
+	md = rte_zmalloc(NULL, sizeof(struct inst_data), OTX2_CPT_RES_ALIGN);
+	if (md == NULL)
+		return -ENOMEM;
+
+	memcpy(md->buffer, auth_key, len);
+
+	md_iova = rte_malloc_virt2iova(md);
+	if (md_iova == RTE_BAD_IOVA) {
+		ret = -EINVAL;
+		goto free_md;
+	}
+
+	inst.res_addr = md_iova + offsetof(struct inst_data, cpt_res);
+	inst.opcode = OTX2_CPT_OP_WRITE_HMAC_IPAD_OPAD;
+	inst.param2 = ctl->auth_type;
+	inst.dlen = len;
+	inst.dptr = md_iova + offsetof(struct inst_data, buffer);
+	inst.rptr = inst.dptr;
+	inst.egrp = OTX2_CPT_EGRP_INLINE_IPSEC;
+
+	md->cpt_res.compcode = 0;
+	md->cpt_res.uc_compcode = 0xff;
+
+	timeout = rte_get_timer_cycles() + 5 * rte_get_timer_hz();
+
+	rte_cio_wmb();
+
+	do {
+		otx2_lmt_mov(qp->lmtline, &inst, 2);
+		lmt_status = otx2_lmt_submit(qp->lf_nq_reg);
+	} while (lmt_status == 0);
+
+	res = (volatile struct otx2_cpt_res *)&md->cpt_res;
+
+	/* Wait until instruction completes or times out */
+	while (res->uc_compcode == 0xff) {
+		if (rte_get_timer_cycles() > timeout)
+			break;
+	}
+
+	if (res->u16[0] != OTX2_SEC_COMP_GOOD) {
+		ret = -EIO;
+		goto free_md;
+	}
+
+	/* Retrieve the ipad and opad from rptr */
+	memcpy(hmac_key, md->buffer, 48);
+
+	ret = 0;
+
+free_md:
+	rte_free(md);
+	return ret;
+}
+
+static int
+eth_sec_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
+			      struct rte_security_ipsec_xform *ipsec,
+			      struct rte_crypto_sym_xform *crypto_xform,
+			      struct rte_security_session *sec_sess)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	struct otx2_sec_session_ipsec_ip *sess;
+	uint16_t port = eth_dev->data->port_id;
+	int cipher_key_len, auth_key_len, ret;
+	const uint8_t *cipher_key, *auth_key;
+	struct otx2_ipsec_fp_sa_ctl *ctl;
+	struct otx2_ipsec_fp_out_sa *sa;
+	struct otx2_sec_session *priv;
+	struct otx2_cpt_qp *qp;
+
+	priv = get_sec_session_private_data(sec_sess);
+	sess = &priv->ipsec.ip;
+
+	sa = &sess->out_sa;
+	ctl = &sa->ctl;
+	if (ctl->valid) {
+		otx2_err("SA already registered");
+		return -EINVAL;
+	}
+
+	memset(sess, 0, sizeof(struct otx2_sec_session_ipsec_ip));
+
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+		memcpy(sa->nonce, &ipsec->salt, 4);
+
+	if (ipsec->options.udp_encap == 1) {
+		sa->udp_src = 4500;
+		sa->udp_dst = 4500;
+	}
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+			memcpy(&sa->ip_src, &ipsec->tunnel.ipv4.src_ip,
+			       sizeof(struct in_addr));
+			memcpy(&sa->ip_dst, &ipsec->tunnel.ipv4.dst_ip,
+			       sizeof(struct in_addr));
+		} else {
+			return -EINVAL;
+		}
+	} else {
+		return -EINVAL;
+	}
+
+	cipher_xform = crypto_xform;
+	auth_xform = crypto_xform->next;
+
+	cipher_key_len = 0;
+	auth_key_len = 0;
+	auth_key = NULL;
+
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		cipher_key = crypto_xform->aead.key.data;
+		cipher_key_len = crypto_xform->aead.key.length;
+	} else {
+		cipher_key = cipher_xform->cipher.key.data;
+		cipher_key_len = cipher_xform->cipher.key.length;
+		auth_key = auth_xform->auth.key.data;
+		auth_key_len = auth_xform->auth.key.length;
+	}
+
+	if (cipher_key_len != 0)
+		memcpy(sa->cipher_key, cipher_key, cipher_key_len);
+	else
+		return -EINVAL;
+
+	/* Get CPT QP to be used for this SA */
+	ret = otx2_sec_idev_tx_cpt_qp_get(port, &qp);
+	if (ret)
+		return ret;
+
+	sess->qp = qp;
+
+	sess->cpt_lmtline = qp->lmtline;
+	sess->cpt_nq_reg = qp->lf_nq_reg;
+
+	/* Populate control word */
+	ret = ipsec_fp_sa_ctl_set(ipsec, crypto_xform, ctl);
+	if (ret)
+		goto cpt_put;
+
+	if (auth_key_len && auth_key) {
+		ret = hmac_init(ctl, qp, auth_key, auth_key_len, sa->hmac_key);
+		if (ret)
+			goto cpt_put;
+	}
+
+	return 0;
+cpt_put:
+	otx2_sec_idev_tx_cpt_qp_put(sess->qp);
+	return ret;
+}
+
+static int
+eth_sec_ipsec_in_sess_create(struct rte_eth_dev *eth_dev,
+			     struct rte_security_ipsec_xform *ipsec,
+			     struct rte_crypto_sym_xform *crypto_xform,
+			     struct rte_security_session *sec_sess)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	struct otx2_sec_session_ipsec_ip *sess;
+	uint16_t port = eth_dev->data->port_id;
+	int cipher_key_len, auth_key_len, ret;
+	const uint8_t *cipher_key, *auth_key;
+	struct otx2_ipsec_fp_sa_ctl *ctl;
+	struct otx2_ipsec_fp_in_sa *sa;
+	struct otx2_sec_session *priv;
+	struct otx2_cpt_qp *qp;
+
+	if (ipsec->spi >= dev->ipsec_in_max_spi) {
+		otx2_err("SPI exceeds max supported");
+		return -EINVAL;
+	}
+
+	sa = in_sa_get(port, ipsec->spi);
+	ctl = &sa->ctl;
+
+	priv = get_sec_session_private_data(sec_sess);
+	sess = &priv->ipsec.ip;
+
+	if (ctl->valid) {
+		otx2_err("SA already registered");
+		return -EINVAL;
+	}
+
+	memset(sa, 0, sizeof(struct otx2_ipsec_fp_in_sa));
+
+	auth_xform = crypto_xform;
+	cipher_xform = crypto_xform->next;
+
+	cipher_key_len = 0;
+	auth_key_len = 0;
+	auth_key = NULL;
+
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
+			memcpy(sa->nonce, &ipsec->salt, 4);
+		cipher_key = crypto_xform->aead.key.data;
+		cipher_key_len = crypto_xform->aead.key.length;
+	} else {
+		cipher_key = cipher_xform->cipher.key.data;
+		cipher_key_len = cipher_xform->cipher.key.length;
+		auth_key = auth_xform->auth.key.data;
+		auth_key_len = auth_xform->auth.key.length;
+	}
+
+	if (cipher_key_len != 0)
+		memcpy(sa->cipher_key, cipher_key, cipher_key_len);
+	else
+		return -EINVAL;
+
+	sess->in_sa = sa;
+
+	sa->userdata = priv->userdata;
+
+	ret = ipsec_fp_sa_ctl_set(ipsec, crypto_xform, ctl);
+	if (ret)
+		return ret;
+
+	if (auth_key_len && auth_key) {
+		/* Get a queue pair for HMAC init */
+		ret = otx2_sec_idev_tx_cpt_qp_get(port, &qp);
+		if (ret)
+			return ret;
+		ret = hmac_init(ctl, qp, auth_key, auth_key_len, sa->hmac_key);
+		otx2_sec_idev_tx_cpt_qp_put(qp);
+	}
+	return ret;
+}
+
+static int
+eth_sec_ipsec_sess_create(struct rte_eth_dev *eth_dev,
+			  struct rte_security_ipsec_xform *ipsec,
+			  struct rte_crypto_sym_xform *crypto_xform,
+			  struct rte_security_session *sess)
+{
+	int ret;
+
+	ret = ipsec_fp_xform_verify(ipsec, crypto_xform);
+	if (ret)
+		return ret;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+		return eth_sec_ipsec_in_sess_create(eth_dev, ipsec,
+						    crypto_xform, sess);
+	else
+		return eth_sec_ipsec_out_sess_create(eth_dev, ipsec,
+						     crypto_xform, sess);
+}
+
+static int
+otx2_eth_sec_session_create(void *device,
+			    struct rte_security_session_conf *conf,
+			    struct rte_security_session *sess,
+			    struct rte_mempool *mempool)
+{
+	struct otx2_sec_session *priv;
+	int ret;
+
+	if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
+		return -ENOTSUP;
+
+	if (rte_mempool_get(mempool, (void **)&priv)) {
+		otx2_err("Could not allocate security session private data");
+		return -ENOMEM;
+	}
+
+	set_sec_session_private_data(sess, priv);
+
+	/*
+	 * Save userdata provided by the application. For ingress packets, this
+	 * could be used to identify the SA.
+	 */
+	priv->userdata = conf->userdata;
+
+	if (conf->protocol == RTE_SECURITY_PROTOCOL_IPSEC)
+		ret = eth_sec_ipsec_sess_create(device, &conf->ipsec,
+						conf->crypto_xform,
+						sess);
+	else
+		ret = -ENOTSUP;
+
+	if (ret)
+		goto mempool_put;
+
+	return 0;
+
+mempool_put:
+	rte_mempool_put(mempool, priv);
+	set_sec_session_private_data(sess, NULL);
+	return ret;
+}
+
+static int
+otx2_eth_sec_session_destroy(void *device __rte_unused,
+			     struct rte_security_session *sess)
+{
+	struct otx2_sec_session_ipsec_ip *sess_ip;
+	struct otx2_sec_session *priv;
+	struct rte_mempool *sess_mp;
+	int ret;
+
+	priv = get_sec_session_private_data(sess);
+	if (priv == NULL)
+		return -EINVAL;
+
+	sess_ip = &priv->ipsec.ip;
+
+	/* Release CPT LF used for this session */
+	if (sess_ip->qp != NULL) {
+		ret = otx2_sec_idev_tx_cpt_qp_put(sess_ip->qp);
+		if (ret)
+			return ret;
+	}
+
+	sess_mp = rte_mempool_from_obj(priv);
+
+	set_sec_session_private_data(sess, NULL);
+	rte_mempool_put(sess_mp, priv);
+
+	return 0;
+}
+
 static unsigned int
 otx2_eth_sec_session_get_size(void *device __rte_unused)
 {
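Review bot: hmac_init() does `memcpy(md->buffer, auth_key, len);` into `uint8_t buffer[64]` with no check that len <= sizeof(md->buffer), and len comes straight from auth_xform->auth.key.length; add an explicit bound here (or a comment pointing at the verifier that guarantees it), since the SHA-384/512 HMAC types accepted by the control word setup can legitimately carry longer keys. In the same function, a timeout falls through to `rte_free(md)` while the instruction may still be outstanding, and inst.res_addr/rptr still point into that buffer, so the device can write into freed memory; the key copy in md is also freed without being cleared. Further down, eth_sec_ipsec_in_sess_create() uses the result of in_sa_get() (`ctl = &sa->ctl;`) without a NULL check although in_sa_get() returns NULL when the memzone lookup fails. Finally, priv comes from rte_mempool_get() and is not zeroed: the outbound path reads `ctl->valid` before its memset, and the inbound path never sets sess->qp, yet otx2_eth_sec_session_destroy() tests `sess_ip->qp != NULL` and calls otx2_sec_idev_tx_cpt_qp_put() on it. Zeroing priv right after the mempool get would cover both.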
@@ -154,6 +514,8 @@ otx2_eth_sec_capabilities_get(void *device __rte_unused)
 }
 
 static struct rte_security_ops otx2_eth_sec_ops = {
+	.session_create		= otx2_eth_sec_session_create,
+	.session_destroy	= otx2_eth_sec_session_destroy,
 	.session_get_size	= otx2_eth_sec_session_get_size,
 	.capabilities_get	= otx2_eth_sec_capabilities_get
 };
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.h b/drivers/net/octeontx2/otx2_ethdev_sec.h
index 8bdc9f0..87342ef 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.h
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.h
@@ -9,12 +9,92 @@
 
 #include "otx2_ipsec_fp.h"
 
+#define OTX2_CPT_RES_ALIGN		16
+
+#define OTX2_CPT_EGRP_INLINE_IPSEC	1
+
+#define OTX2_CPT_OP_WRITE_HMAC_IPAD_OPAD	(0x40 | 0x27)
+
+#define OTX2_SEC_CPT_COMP_GOOD	0x1
+#define OTX2_SEC_UC_COMP_GOOD	0x0
+#define OTX2_SEC_COMP_GOOD	(OTX2_SEC_UC_COMP_GOOD << 8 | \
+				 OTX2_SEC_CPT_COMP_GOOD)
+
+/* CPT Result */
+struct otx2_cpt_res {
+	union {
+		struct {
+			uint64_t compcode:8;
+			uint64_t uc_compcode:8;
+			uint64_t doneint:1;
+			uint64_t reserved_17_63:47;
+			uint64_t reserved_64_127;
+		};
+		uint16_t u16[8];
+	};
+};
+
+struct otx2_cpt_inst_s {
+	union {
+		struct {
+			/* W0 */
+			uint64_t nixtxl : 3;
+			uint64_t doneint : 1;
+			uint64_t nixtx_addr : 60;
+			/* W1 */
+			uint64_t res_addr : 64;
+			/* W2 */
+			uint64_t tag : 32;
+			uint64_t tt : 2;
+			uint64_t grp : 10;
+			uint64_t rsvd_175_172 : 4;
+			uint64_t rvu_pf_func : 16;
+			/* W3 */
+			uint64_t qord : 1;
+			uint64_t rsvd_194_193 : 2;
+			uint64_t wqe_ptr : 61;
+			/* W4 */
+			uint64_t dlen : 16;
+			uint64_t param2 : 16;
+			uint64_t param1 : 16;
+			uint64_t opcode : 16;
+			/* W5 */
+			uint64_t dptr : 64;
+			/* W6 */
+			uint64_t rptr : 64;
+			/* W7 */
+			uint64_t cptr : 61;
+			uint64_t egrp : 3;
+		};
+		uint64_t u64[8];
+	};
+};
+
 /*
  * Security session for inline IPsec protocol offload. This is private data of
  * inline capable PMD.
  */
 struct otx2_sec_session_ipsec_ip {
-	int dummy;
+	RTE_STD_C11
+	union {
+		/*
+		 * Inbound SA would accessed by crypto block. And so the memory
+		 * is allocated differently and shared with the h/w. Only
+		 * holding a pointer to this memory in the session private
+		 * space.
+		 */
+		void *in_sa;
+		/* Outbound SA */
+		struct otx2_ipsec_fp_out_sa out_sa;
+	};
+
+	/* Address of CPT LMTLINE */
+	void *cpt_lmtline;
+	/* CPT LF enqueue register address */
+	rte_iova_t cpt_nq_reg;
+
+	/* CPT QP used by SA */
+	struct otx2_cpt_qp *qp;
 };
 
 struct otx2_sec_session_ipsec {
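Review bot: in struct otx2_sec_session_ipsec_ip the union overlays `void *in_sa` on `struct otx2_ipsec_fp_out_sa out_sa`, but nothing in the struct records which member is live, so code that only has the session (destroy, datapath) cannot tell an inbound session from an outbound one; consider adding a direction field outside the union. The comment above in_sa should read "would be accessed". For consistency, the anonymous unions in otx2_cpt_res and otx2_cpt_inst_s could carry RTE_STD_C11 as this one does, and it is worth a comment that comparing `u16[0]` against OTX2_SEC_COMP_GOOD relies on compcode and uc_compcode occupying the low 16 bits of the bitfield layout.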
@@ -23,6 +103,8 @@ struct otx2_sec_session_ipsec {
 
 struct otx2_sec_session {
 	struct otx2_sec_session_ipsec ipsec;
+	void *userdata;
+	/**< Userdata registered by the application */
 } __rte_cache_aligned;
 
 int otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev);
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v3 09/15] net/octeontx2: add datapath ops in eth security ctx
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
                       ` (7 preceding siblings ...)
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 08/15] net/octeontx2: add eth security session operations Anoob Joseph
@ 2020-01-31 10:03     ` Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 10/15] net/octeontx2: add lookup mem changes to hold sa indices Anoob Joseph
                       ` (6 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

From: Ankur Dwivedi <adwivedi@marvell.com>

Adding data path ops in eth security ctx.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/net/octeontx2/otx2_ethdev_sec.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index 2ec2598..e61d383 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -507,6 +507,27 @@ otx2_eth_sec_session_get_size(void *device __rte_unused)
 	return sizeof(struct otx2_sec_session);
 }
 
+static int
+otx2_eth_sec_set_pkt_mdata(void *device __rte_unused,
+			    struct rte_security_session *session,
+			    struct rte_mbuf *m, void *params __rte_unused)
+{
+	/* Set security session as the pkt metadata */
+	m->udata64 = (uint64_t)session;
+
+	return 0;
+}
+
+static int
+otx2_eth_sec_get_userdata(void *device __rte_unused, uint64_t md,
+			   void **userdata)
+{
+	/* Retrieve userdata  */
+	*userdata = (void *)md;
+
+	return 0;
+}
+
 static const struct rte_security_capability *
 otx2_eth_sec_capabilities_get(void *device __rte_unused)
 {
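Review bot: both new callbacks convert between pointer and integer with a direct cast, `m->udata64 = (uint64_t)session;` and `*userdata = (void *)md;`; going through uintptr_t avoids size-mismatch warnings on targets where pointers are not 64 bits wide. otx2_eth_sec_get_userdata() also treats md as the userdata pointer itself, which only holds because the Rx path is expected to have stored the application's userdata in udata64; a comment stating that contract would help, since the Tx-side callback above stores a session pointer in the same field. The comment "Retrieve userdata  " has a stray double space.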
@@ -517,6 +538,8 @@ static struct rte_security_ops otx2_eth_sec_ops = {
 	.session_create		= otx2_eth_sec_session_create,
 	.session_destroy	= otx2_eth_sec_session_destroy,
 	.session_get_size	= otx2_eth_sec_session_get_size,
+	.set_pkt_metadata	= otx2_eth_sec_set_pkt_mdata,
+	.get_userdata		= otx2_eth_sec_get_userdata,
 	.capabilities_get	= otx2_eth_sec_capabilities_get
 };
 
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v3 10/15] net/octeontx2: add lookup mem changes to hold sa indices
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
                       ` (8 preceding siblings ...)
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 09/15] net/octeontx2: add datapath ops in eth security ctx Anoob Joseph
@ 2020-01-31 10:03     ` Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 11/15] net/octeontx2: add inline ipsec Rx path changes Anoob Joseph
                       ` (5 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Archana Muniganti, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dev

From: Archana Muniganti <marchana@marvell.com>

lookup_mem provides fast accessing of data path fields.
Storing sa indices in lookup_mem which are required in
inline rx data path.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/common/octeontx2/otx2_common.h  |  4 +++
 drivers/net/octeontx2/otx2_ethdev_sec.c | 59 +++++++++++++++++++++++++++++++++
 drivers/net/octeontx2/otx2_lookup.c     | 11 ++++--
 3 files changed, 72 insertions(+), 2 deletions(-)

diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h
index 81d5a71..bf5ea86 100644
--- a/drivers/common/octeontx2/otx2_common.h
+++ b/drivers/common/octeontx2/otx2_common.h
@@ -155,4 +155,8 @@ extern int otx2_logtype_ep;
 #include "otx2_io_generic.h"
 #endif
 
+/* Fastpath lookup */
+#define OTX2_NIX_FASTPATH_LOOKUP_MEM	"otx2_nix_fastpath_lookup_mem"
+#define OTX2_NIX_SA_TBL_START		(4096*4 + 69632*2)
+
 #endif /* _OTX2_COMMON_H_ */
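Review bot: `OTX2_NIX_SA_TBL_START (4096*4 + 69632*2)` is built from undocumented magic numbers that duplicate the sizes of the tables preceding the SA table in the lookup memory. The build-time check added in otx2_lookup.c catches drift, but a comment here naming what 4096*4 and 69632*2 correspond to, or moving the size macros into this header and deriving the offset from them, would make the layout reviewable from this file alone.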
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index e61d383..4b219b3 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -10,6 +10,7 @@
 #include <rte_security.h>
 #include <rte_security_driver.h>
 
+#include "otx2_common.h"
 #include "otx2_cryptodev_qp.h"
 #include "otx2_ethdev.h"
 #include "otx2_ethdev_sec.h"
@@ -135,6 +136,59 @@ static const struct rte_security_capability otx2_eth_sec_capabilities[] = {
 	}
 };
 
+static void
+lookup_mem_sa_tbl_clear(struct rte_eth_dev *eth_dev)
+{
+	static const char name[] = OTX2_NIX_FASTPATH_LOOKUP_MEM;
+	uint16_t port = eth_dev->data->port_id;
+	const struct rte_memzone *mz;
+	uint64_t **sa_tbl;
+	uint8_t *mem;
+
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL)
+		return;
+
+	mem = mz->addr;
+
+	sa_tbl  = (uint64_t **)RTE_PTR_ADD(mem, OTX2_NIX_SA_TBL_START);
+	if (sa_tbl[port] == NULL)
+		return;
+
+	rte_free(sa_tbl[port]);
+	sa_tbl[port] = NULL;
+}
+
+static int
+lookup_mem_sa_index_update(struct rte_eth_dev *eth_dev, int spi, void *sa)
+{
+	static const char name[] = OTX2_NIX_FASTPATH_LOOKUP_MEM;
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	const struct rte_memzone *mz;
+	uint64_t **sa_tbl;
+	uint8_t *mem;
+
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL) {
+		otx2_err("Could not find fastpath lookup table");
+		return -EINVAL;
+	}
+
+	mem = mz->addr;
+
+	sa_tbl = (uint64_t **)RTE_PTR_ADD(mem, OTX2_NIX_SA_TBL_START);
+
+	if (sa_tbl[port] == NULL) {
+		sa_tbl[port] = rte_malloc(NULL, dev->ipsec_in_max_spi *
+					  sizeof(uint64_t), 0);
+	}
+
+	sa_tbl[port][spi] = (uint64_t)sa;
+
+	return 0;
+}
+
 static inline void
 in_sa_mz_name_get(char *name, int size, uint16_t port)
 {
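Review bot: lookup_mem_sa_index_update() does not check the result of rte_malloc() before writing `sa_tbl[port][spi] = (uint64_t)sa;`, so an allocation failure becomes a NULL dereference; return -ENOMEM instead. The array is also allocated with rte_malloc() rather than rte_zmalloc(), so every slot other than the one just written holds uninitialised data that the Rx fast path will later read as an SA pointer. The spi parameter is a signed int and is used as an index with no range check in this function; it should be uint32_t and checked against dev->ipsec_in_max_spi here, rather than relying on the caller.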
@@ -393,6 +447,9 @@ eth_sec_ipsec_in_sess_create(struct rte_eth_dev *eth_dev,
 
 	sa->userdata = priv->userdata;
 
+	if (lookup_mem_sa_index_update(eth_dev, ipsec->spi, sa))
+		return -EINVAL;
+
 	ret = ipsec_fp_sa_ctl_set(ipsec, crypto_xform, ctl);
 	if (ret)
 		return ret;
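Review bot: the call to lookup_mem_sa_index_update() publishes the SA pointer in the fast path table before ipsec_fp_sa_ctl_set() has validated the transforms, and the `return ret;` on failure leaves that entry in place. Move the table update after the control word (and HMAC) setup has succeeded, or clear the slot on the error paths. The call site also replaces whatever error the helper returned with -EINVAL; propagating the helper's return value keeps an allocation failure distinguishable from a bad argument.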
@@ -670,6 +727,8 @@ otx2_eth_sec_fini(struct rte_eth_dev *eth_dev)
 	    !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
 		return;
 
+	lookup_mem_sa_tbl_clear(eth_dev);
+
 	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
 	rte_memzone_free(rte_memzone_lookup(name));
 }
diff --git a/drivers/net/octeontx2/otx2_lookup.c b/drivers/net/octeontx2/otx2_lookup.c
index 5685571..89365ff 100644
--- a/drivers/net/octeontx2/otx2_lookup.c
+++ b/drivers/net/octeontx2/otx2_lookup.c
@@ -5,6 +5,7 @@
 #include <rte_common.h>
 #include <rte_memzone.h>
 
+#include "otx2_common.h"
 #include "otx2_ethdev.h"
 
 /* NIX_RX_PARSE_S's ERRCODE + ERRLEV (12 bits) */
@@ -12,7 +13,9 @@
 #define ERR_ARRAY_SZ			((BIT(ERRCODE_ERRLEN_WIDTH)) *\
 					sizeof(uint32_t))
 
-#define LOOKUP_ARRAY_SZ			(PTYPE_ARRAY_SZ + ERR_ARRAY_SZ)
+#define SA_TBL_SZ			(RTE_MAX_ETHPORTS * sizeof(uint64_t))
+#define LOOKUP_ARRAY_SZ			(PTYPE_ARRAY_SZ + ERR_ARRAY_SZ +\
+					SA_TBL_SZ)
 
 const uint32_t *
 otx2_nix_supported_ptypes_get(struct rte_eth_dev *eth_dev)
@@ -311,10 +314,14 @@ nix_create_rx_ol_flags_array(void *mem)
 void *
 otx2_nix_fastpath_lookup_mem_get(void)
 {
-	const char name[] = "otx2_nix_fastpath_lookup_mem";
+	const char name[] = OTX2_NIX_FASTPATH_LOOKUP_MEM;
 	const struct rte_memzone *mz;
 	void *mem;
 
+	/* SA_TBL starts after PTYPE_ARRAY & ERR_ARRAY */
+	RTE_BUILD_BUG_ON(OTX2_NIX_SA_TBL_START != (PTYPE_ARRAY_SZ +
+						   ERR_ARRAY_SZ));
+
 	mz = rte_memzone_lookup(name);
 	if (mz != NULL)
 		return mz->addr;
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v3 11/15] net/octeontx2: add inline ipsec Rx path changes
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
                       ` (9 preceding siblings ...)
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 10/15] net/octeontx2: add lookup mem changes to hold sa indices Anoob Joseph
@ 2020-01-31 10:03     ` Anoob Joseph
  2020-01-31 13:39       ` Akhil Goyal
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 12/15] drivers/octeontx2: add sec in Rx fastpath framework Anoob Joseph
                       ` (4 subsequent siblings)
  15 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Tejasree Kondoj, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Vamsi Attunuru, Lukasz Bartosik, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

Adding post-processing required for inline IPsec inbound packets.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/Makefile    |  3 +-
 drivers/crypto/octeontx2/meson.build |  2 +
 drivers/event/octeontx2/Makefile     |  1 +
 drivers/event/octeontx2/meson.build  |  2 +
 drivers/net/octeontx2/otx2_rx.h      | 73 ++++++++++++++++++++++++++++++++++++
 5 files changed, 80 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/octeontx2/Makefile b/drivers/crypto/octeontx2/Makefile
index 3ba67ed..1458e2b 100644
--- a/drivers/crypto/octeontx2/Makefile
+++ b/drivers/crypto/octeontx2/Makefile
@@ -11,7 +11,7 @@ LIB = librte_pmd_octeontx2_crypto.a
 CFLAGS += $(WERROR_FLAGS)
 
 LDLIBS += -lrte_eal -lrte_ethdev -lrte_mbuf -lrte_mempool -lrte_ring
-LDLIBS += -lrte_cryptodev
+LDLIBS += -lrte_cryptodev -lrte_security
 LDLIBS += -lrte_pci -lrte_bus_pci
 LDLIBS += -lrte_common_cpt -lrte_common_octeontx2
 
@@ -20,6 +20,7 @@ VPATH += $(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -O3
 CFLAGS += -I$(RTE_SDK)/drivers/common/cpt
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
 CFLAGS += -DALLOW_EXPERIMENTAL_API
diff --git a/drivers/crypto/octeontx2/meson.build b/drivers/crypto/octeontx2/meson.build
index 67deca3..a531799 100644
--- a/drivers/crypto/octeontx2/meson.build
+++ b/drivers/crypto/octeontx2/meson.build
@@ -9,6 +9,7 @@ deps += ['bus_pci']
 deps += ['common_cpt']
 deps += ['common_octeontx2']
 deps += ['ethdev']
+deps += ['security']
 name = 'octeontx2_crypto'
 
 allow_experimental_apis = true
@@ -32,5 +33,6 @@ endforeach
 
 includes += include_directories('../../common/cpt')
 includes += include_directories('../../common/octeontx2')
+includes += include_directories('../../crypto/octeontx2')
 includes += include_directories('../../mempool/octeontx2')
 includes += include_directories('../../net/octeontx2')
diff --git a/drivers/event/octeontx2/Makefile b/drivers/event/octeontx2/Makefile
index 6dab69c..bcd22ee 100644
--- a/drivers/event/octeontx2/Makefile
+++ b/drivers/event/octeontx2/Makefile
@@ -11,6 +11,7 @@ LIB = librte_pmd_octeontx2_event.a
 
 CFLAGS += $(WERROR_FLAGS)
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/event/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
diff --git a/drivers/event/octeontx2/meson.build b/drivers/event/octeontx2/meson.build
index 807818b..56febb8 100644
--- a/drivers/event/octeontx2/meson.build
+++ b/drivers/event/octeontx2/meson.build
@@ -32,3 +32,5 @@ foreach flag: extra_flags
 endforeach
 
 deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2', 'pmd_octeontx2']
+
+includes += include_directories('../../crypto/octeontx2')
diff --git a/drivers/net/octeontx2/otx2_rx.h b/drivers/net/octeontx2/otx2_rx.h
index 351ad0f..eac4717 100644
--- a/drivers/net/octeontx2/otx2_rx.h
+++ b/drivers/net/octeontx2/otx2_rx.h
@@ -5,6 +5,12 @@
 #ifndef __OTX2_RX_H__
 #define __OTX2_RX_H__
 
+#include <rte_ether.h>
+
+#include "otx2_common.h"
+#include "otx2_ethdev_sec.h"
+#include "otx2_ipsec_fp.h"
+
 /* Default mark value used when none is provided. */
 #define OTX2_FLOW_ACTION_FLAG_DEFAULT	0xffff
 
@@ -31,6 +37,12 @@
 #define NIX_RX_MULTI_SEG_F            BIT(15)
 #define NIX_TIMESYNC_RX_OFFSET		8
 
+/* Inline IPsec offsets */
+
+#define INLINE_INB_RPTR_HDR		16
+/* nix_cqe_hdr_s + nix_rx_parse_s + nix_rx_sg_s + nix_iova_s */
+#define INLINE_CPT_RESULT_OFFSET	80
+
 struct otx2_timesync_info {
 	uint64_t	rx_tstamp;
 	rte_iova_t	tx_tstamp_iova;
@@ -190,6 +202,60 @@ nix_cqe_xtract_mseg(const struct nix_rx_parse_s *rx,
 	}
 }
 
+static __rte_always_inline uint16_t
+nix_rx_sec_cptres_get(const void *cq)
+{
+	volatile const struct otx2_cpt_res *res;
+
+	res = (volatile const struct otx2_cpt_res *)((const char *)cq +
+			INLINE_CPT_RESULT_OFFSET);
+
+	return res->u16[0];
+}
+
+static __rte_always_inline void *
+nix_rx_sec_sa_get(const void * const lookup_mem, int spi, uint16_t port)
+{
+	const uint64_t *const *sa_tbl = (const uint64_t * const *)
+			((const uint8_t *)lookup_mem + OTX2_NIX_SA_TBL_START);
+
+	return (void *)sa_tbl[port][spi];
+}
+
+static __rte_always_inline uint64_t
+nix_rx_sec_mbuf_update(const struct nix_cqe_hdr_s *cq, struct rte_mbuf *m,
+		       const void * const lookup_mem)
+{
+	struct otx2_ipsec_fp_in_sa *sa;
+	struct rte_ipv4_hdr *ipv4;
+	uint16_t m_len;
+	uint32_t spi;
+	char *data;
+
+	if (unlikely(nix_rx_sec_cptres_get(cq) != OTX2_SEC_COMP_GOOD))
+		return PKT_RX_SEC_OFFLOAD | PKT_RX_SEC_OFFLOAD_FAILED;
+
+	/* 20 bits of tag would have the SPI */
+	spi = cq->tag & 0xFFFFF;
+
+	sa = nix_rx_sec_sa_get(lookup_mem, spi, m->port);
+	m->udata64 = (uint64_t)sa->userdata;
+
+	data = rte_pktmbuf_mtod(m, char *);
+	memcpy(data + INLINE_INB_RPTR_HDR, data, RTE_ETHER_HDR_LEN);
+
+	m->data_off += INLINE_INB_RPTR_HDR;
+
+	ipv4 = (struct rte_ipv4_hdr *)(data + INLINE_INB_RPTR_HDR +
+				       RTE_ETHER_HDR_LEN);
+
+	m_len = rte_be_to_cpu_16(ipv4->total_length) + RTE_ETHER_HDR_LEN;
+
+	m->data_len = m_len;
+	m->pkt_len = m_len;
+	return PKT_RX_SEC_OFFLOAD;
+}
+
 static __rte_always_inline void
 otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 		     struct rte_mbuf *mbuf, const void *lookup_mem,
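Review bot: nix_rx_sec_mbuf_update() takes `spi = cq->tag & 0xFFFFF;` and nix_rx_sec_sa_get() indexes `sa_tbl[port][spi]` with it, with no check against the number of entries allocated for that port (ipsec_in_max_spi) and no NULL check on sa_tbl[port] or on the returned sa before `sa->userdata` is read. If the hardware lookup guarantees that only registered SPIs reach this path, say so in a comment; otherwise bound the index and handle a missing SA by returning PKT_RX_SEC_OFFLOAD_FAILED. Separately, m_len is derived from `ipv4->total_length` in the decrypted packet and written to data_len and pkt_len without comparing it to the length the hardware reported or to the buffer size, and the inner header is assumed to be IPv4; both deserve a check or a documented assumption.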
@@ -231,6 +297,13 @@ otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 	if (flag & NIX_RX_OFFLOAD_MARK_UPDATE_F)
 		ol_flags = nix_update_match_id(rx->match_id, ol_flags, mbuf);
 
+	if (cq->cqe_type == NIX_XQE_TYPE_RX_IPSECH) {
+		*(uint64_t *)(&mbuf->rearm_data) = val;
+		ol_flags |= nix_rx_sec_mbuf_update(cq, mbuf, lookup_mem);
+		mbuf->ol_flags = ol_flags;
+		return;
+	}
+
 	mbuf->ol_flags = ol_flags;
 	*(uint64_t *)(&mbuf->rearm_data) = val;
 	mbuf->pkt_len = len;
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v3 12/15] drivers/octeontx2: add sec in Rx fastpath framework
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
                       ` (10 preceding siblings ...)
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 11/15] net/octeontx2: add inline ipsec Rx path changes Anoob Joseph
@ 2020-01-31 10:03     ` Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 13/15] drivers/octeontx2: add sec in Tx " Anoob Joseph
                       ` (3 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Archana Muniganti, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dev

From: Archana Muniganti <marchana@marvell.com>

Added new flag for SECURITY in Rx compiler optimized fastpath
framework. With this, compiler autogenerates functions which
have security enabled.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/event/octeontx2/otx2_evdev.c       | 134 ++++++++-----
 drivers/event/octeontx2/otx2_evdev.h       |   2 +-
 drivers/event/octeontx2/otx2_worker.c      |   2 +-
 drivers/event/octeontx2/otx2_worker_dual.c |   2 +-
 drivers/net/octeontx2/otx2_ethdev.c        |   3 +
 drivers/net/octeontx2/otx2_rx.c            |  27 +--
 drivers/net/octeontx2/otx2_rx.h            | 306 ++++++++++++++++++++---------
 7 files changed, 320 insertions(+), 156 deletions(-)

diff --git a/drivers/event/octeontx2/otx2_evdev.c b/drivers/event/octeontx2/otx2_evdev.c
index 2daeba4..f6c641a 100644
--- a/drivers/event/octeontx2/otx2_evdev.c
+++ b/drivers/event/octeontx2/otx2_evdev.c
@@ -44,61 +44,64 @@ sso_fastpath_fns_set(struct rte_eventdev *event_dev)
 {
 	struct otx2_sso_evdev *dev = sso_pmd_priv(event_dev);
 	/* Single WS modes */
-	const event_dequeue_t ssogws_deq[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_ ##name,
+	const event_dequeue_t ssogws_deq[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_burst_t ssogws_deq_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_burst_ ##name,
+	const event_dequeue_burst_t ssogws_deq_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_deq_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_timeout_ ##name,
+	const event_dequeue_t ssogws_deq_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_deq_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_deq_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_deq_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_deq_seg[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_ ##name,
+	const event_dequeue_t ssogws_deq_seg[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_burst_t ssogws_deq_seg_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_burst_ ##name,
+	const event_dequeue_burst_t
+		ssogws_deq_seg_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_deq_seg_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_deq_seg_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_timeout_ ##name,
+	const event_dequeue_t ssogws_deq_seg_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_deq_seg_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_deq_seg_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_deq_seg_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 				otx2_ssogws_deq_seg_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
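
Review bot: The eight dequeue tables in this hunk are plain "const" locals
of sso_fastpath_fns_set(), and the extra [2] dimension doubles each of
them to 128 function pointers, so the compiler may now build a much larger
set of arrays on the stack on every call. Declaring them "static const"
would keep them in read-only data and make the cost of the next added flag
(another doubling) independent of stack size.
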
@@ -106,64 +109,69 @@ SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 
 
 	/* Dual WS modes */
-	const event_dequeue_t ssogws_dual_deq[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_ ##name,
+	const event_dequeue_t ssogws_dual_deq[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_burst_t ssogws_dual_deq_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_burst_ ##name,
+	const event_dequeue_burst_t
+		ssogws_dual_deq_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_dual_deq_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_timeout_ ##name,
+	const event_dequeue_t ssogws_dual_deq_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_dual_deq_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_timeout_burst_ ##name,
+		ssogws_dual_deq_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =					\
+			otx2_ssogws_dual_deq_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_dual_deq_seg[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_seg_ ##name,
+	const event_dequeue_t ssogws_dual_deq_seg[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_seg_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_dual_deq_seg_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
-				otx2_ssogws_dual_deq_seg_burst_ ##name,
+		ssogws_dual_deq_seg_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_seg_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_dual_deq_seg_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
-				otx2_ssogws_dual_deq_seg_timeout_ ##name,
+	const event_dequeue_t
+		ssogws_dual_deq_seg_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_seg_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_dual_deq_seg_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =					\
-		otx2_ssogws_dual_deq_seg_timeout_burst_ ##name,
+		ssogws_dual_deq_seg_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_seg_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
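
Review bot: Style: in ssogws_dual_deq_timeout_burst the initializer line
"[f6][f5][f4][f3][f2][f1][f0] = \" is still indented with one tab, while
every other table touched in this hunk uses two. The same one-tab
indentation was corrected for ssogws_dual_deq_seg_timeout_burst a few
lines below, so it should be corrected here too.
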
@@ -209,6 +217,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 	event_dev->enqueue_forward_burst	= otx2_ssogws_enq_fwd_burst;
 	if (dev->rx_offloads & NIX_RX_MULTI_SEG_F) {
 		event_dev->dequeue		= ssogws_deq_seg
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
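
Review bot: The NIX_RX_OFFLOAD_SECURITY_F subscript added here has to sit
in the same position as [f6] in the R() initializers, and the same
hand-written chain of "!!(dev->rx_offloads & ...)" subscripts is repeated
at all sixteen single and dual workslot lookups in this file. A subscript
placed in the wrong order at any one of them still compiles and silently
selects a dequeue function built for a different offload set. Computing
the seven index bits once (local variables or a small helper macro) and
reusing them at every lookup would remove that risk.
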
@@ -216,6 +225,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_PTYPE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		event_dev->dequeue_burst	= ssogws_deq_seg_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -224,6 +234,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		if (dev->is_timeout_deq) {
 			event_dev->dequeue	= ssogws_deq_seg_timeout
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -232,6 +243,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst	=
 				ssogws_deq_seg_timeout_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -241,6 +253,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		}
 	} else {
 		event_dev->dequeue			= ssogws_deq
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -248,6 +261,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_PTYPE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		event_dev->dequeue_burst		= ssogws_deq_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -256,6 +270,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		if (dev->is_timeout_deq) {
 			event_dev->dequeue		= ssogws_deq_timeout
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -264,6 +279,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst	=
 				ssogws_deq_timeout_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -303,6 +319,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		if (dev->rx_offloads & NIX_RX_MULTI_SEG_F) {
 			event_dev->dequeue	= ssogws_dual_deq_seg
 				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -313,6 +331,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_PTYPE_F)]
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst = ssogws_dual_deq_seg_burst
+				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -326,6 +346,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue	=
 					ssogws_dual_deq_seg_timeout
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -340,6 +362,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue_burst =
 					ssogws_dual_deq_seg_timeout_burst
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -355,6 +379,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		} else {
 			event_dev->dequeue		= ssogws_dual_deq
 				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -366,6 +392,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst	= ssogws_dual_deq_burst
 				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -379,6 +407,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue	=
 					ssogws_dual_deq_timeout
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -393,6 +423,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue_burst =
 					ssogws_dual_deq_timeout_burst
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
diff --git a/drivers/event/octeontx2/otx2_evdev.h b/drivers/event/octeontx2/otx2_evdev.h
index ef523dc..5a44fd3 100644
--- a/drivers/event/octeontx2/otx2_evdev.h
+++ b/drivers/event/octeontx2/otx2_evdev.h
@@ -278,7 +278,7 @@ uint16_t otx2_ssogws_dual_enq_fwd_burst(void *port, const struct rte_event ev[],
 					uint16_t nb_events);
 
 /* Auto generated API's */
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				       \
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			       \
 uint16_t otx2_ssogws_deq_ ##name(void *port, struct rte_event *ev,	       \
 				 uint64_t timeout_ticks);		       \
 uint16_t otx2_ssogws_deq_burst_ ##name(void *port, struct rte_event ev[],      \
diff --git a/drivers/event/octeontx2/otx2_worker.c b/drivers/event/octeontx2/otx2_worker.c
index 34d39f4..12445d9 100644
--- a/drivers/event/octeontx2/otx2_worker.c
+++ b/drivers/event/octeontx2/otx2_worker.c
@@ -81,7 +81,7 @@ otx2_ssogws_release_event(struct otx2_ssogws *ws)
 	otx2_ssogws_swtag_flush(ws);
 }
 
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
 uint16_t __hot								\
 otx2_ssogws_deq_ ##name(void *port, struct rte_event *ev,		\
 			uint64_t timeout_ticks)				\
diff --git a/drivers/event/octeontx2/otx2_worker_dual.c b/drivers/event/octeontx2/otx2_worker_dual.c
index 7016eee..22a4889 100644
--- a/drivers/event/octeontx2/otx2_worker_dual.c
+++ b/drivers/event/octeontx2/otx2_worker_dual.c
@@ -140,7 +140,7 @@ otx2_ssogws_dual_enq_fwd_burst(void *port, const struct rte_event ev[],
 	return 1;
 }
 
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
 uint16_t __hot								\
 otx2_ssogws_dual_deq_ ##name(void *port, struct rte_event *ev,		\
 			     uint64_t timeout_ticks)			\
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index e8ae779..cd7bb6a 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -628,6 +628,9 @@ nix_rx_offload_flags(struct rte_eth_dev *eth_dev)
 	if ((dev->rx_offloads & DEV_RX_OFFLOAD_TIMESTAMP))
 		flags |= NIX_RX_OFFLOAD_TSTAMP_F;
 
+	if (dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY)
+		flags |= NIX_RX_OFFLOAD_SECURITY_F;
+
 	if (!dev->ptype_disable)
 		flags |= NIX_RX_OFFLOAD_PTYPE_F;
 
diff --git a/drivers/net/octeontx2/otx2_rx.c b/drivers/net/octeontx2/otx2_rx.c
index dbf6ea6..47641c7 100644
--- a/drivers/net/octeontx2/otx2_rx.c
+++ b/drivers/net/octeontx2/otx2_rx.c
@@ -330,7 +330,7 @@ nix_recv_pkts_vector(void *rx_queue, struct rte_mbuf **rx_pkts,
 
 #endif
 
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			       \
 static uint16_t __rte_noinline	__hot					       \
 otx2_nix_recv_pkts_ ## name(void *rx_queue,				       \
 			struct rte_mbuf **rx_pkts, uint16_t pkts)	       \
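
Review bot: Nothing ties the "flags" argument of an R() row to that row's
f6..f0 index bits, and the NIX_RX_FASTPATH_MODES list this patch rewrites
in otx2_rx.h contains rows where the two disagree: ts_vlan_cksum_rss
(0, 1, 0, 1, 1, 0, 1) passes "MARK_F | RX_VLAN_F | CKSUM_F | RSS_F" with
no TS_F, sec_mark_vlan (1, 0, 1, 1, 0, 0, 0) passes "RX_SEC_F | RX_VLAN_F"
with no MARK_F, and sec_ts_cksum_ptype (1, 1, 0, 0, 1, 1, 0) passes
"RX_SEC_F | CKSUM_F | PTYPE_F" with no TS_F. The first is carried over
from the old list, the other two are new. Please fix those rows, and
consider deriving the flags value from the index bits inside the macro (or
adding a build-time assertion) so the columns cannot drift apart.
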
@@ -361,12 +361,13 @@ NIX_RX_FASTPATH_MODES
 
 static inline void
 pick_rx_func(struct rte_eth_dev *eth_dev,
-	     const eth_rx_burst_t rx_burst[2][2][2][2][2][2])
+	     const eth_rx_burst_t rx_burst[2][2][2][2][2][2][2])
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	/* [TSTMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
+	/* [SEC] [TSTMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
 	eth_dev->rx_pkt_burst = rx_burst
+		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_SECURITY_F)]
 		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_TSTAMP_F)]
 		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
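
Review bot: The result of the rx_burst[...] lookup is installed as
eth_dev->rx_pkt_burst without a NULL check, and the tables are filled by
designated initializers, so any offload combination without an R() row is
a NULL slot. The NIX_RX_FASTPATH_MODES list in this patch has no row for
(0, 1, 1, 1, 1, 0, 0) or (0, 1, 1, 1, 1, 0, 1), that is ts_mark_vlan_cksum
and ts_mark_vlan_cksum_rss; the list jumps from ts_mark_vlan_ptype_rss to
ts_mark_vlan_cksum_ptype. Adding the missing rows, plus a check here that
rejects a NULL entry, would keep an unlisted combination from installing a
NULL Rx burst function.
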
@@ -380,25 +381,25 @@ otx2_eth_set_rx_function(struct rte_eth_dev *eth_dev)
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	const eth_rx_burst_t nix_eth_rx_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_ ## name,
+	const eth_rx_burst_t nix_eth_rx_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_ ## name,
 
 NIX_RX_FASTPATH_MODES
 #undef R
 	};
 
-	const eth_rx_burst_t nix_eth_rx_burst_mseg[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_mseg_ ## name,
+	const eth_rx_burst_t nix_eth_rx_burst_mseg[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_mseg_ ## name,
 
 NIX_RX_FASTPATH_MODES
 #undef R
 	};
 
-	const eth_rx_burst_t nix_eth_rx_vec_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_vec_ ## name,
+	const eth_rx_burst_t nix_eth_rx_vec_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_vec_ ## name,
 
 NIX_RX_FASTPATH_MODES
 #undef R
@@ -418,6 +419,6 @@ NIX_RX_FASTPATH_MODES
 	/* Copy multi seg version with no offload for tear down sequence */
 	if (rte_eal_process_type() == RTE_PROC_PRIMARY)
 		dev->rx_pkt_burst_no_offload =
-			nix_eth_rx_burst_mseg[0][0][0][0][0][0];
+			nix_eth_rx_burst_mseg[0][0][0][0][0][0][0];
 	rte_mb();
 }
diff --git a/drivers/net/octeontx2/otx2_rx.h b/drivers/net/octeontx2/otx2_rx.h
index eac4717..d8648b6 100644
--- a/drivers/net/octeontx2/otx2_rx.h
+++ b/drivers/net/octeontx2/otx2_rx.h
@@ -29,6 +29,7 @@
 #define NIX_RX_OFFLOAD_VLAN_STRIP_F    BIT(3)
 #define NIX_RX_OFFLOAD_MARK_UPDATE_F   BIT(4)
 #define NIX_RX_OFFLOAD_TSTAMP_F        BIT(5)
+#define NIX_RX_OFFLOAD_SECURITY_F      BIT(6)
 
 /* Flags to control cqe_to_mbuf conversion function.
  * Defining it from backwards to denote its been
@@ -297,7 +298,8 @@ otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 	if (flag & NIX_RX_OFFLOAD_MARK_UPDATE_F)
 		ol_flags = nix_update_match_id(rx->match_id, ol_flags, mbuf);
 
-	if (cq->cqe_type == NIX_XQE_TYPE_RX_IPSECH) {
+	if ((flag & NIX_RX_OFFLOAD_SECURITY_F) &&
+	    cq->cqe_type == NIX_XQE_TYPE_RX_IPSECH) {
 		*(uint64_t *)(&mbuf->rearm_data) = val;
 		ol_flags |= nix_rx_sec_mbuf_update(cq, mbuf, lookup_mem);
 		mbuf->ol_flags = ol_flags;
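
Review bot: With the added "flag & NIX_RX_OFFLOAD_SECURITY_F" test, a CQE
of type NIX_XQE_TYPE_RX_IPSECH that reaches an Rx function built without
the security flag now falls through to the ordinary mbuf path with no
indication that it came from the inline IPsec path. If the hardware can
deliver such CQEs while the offload flag is clear, they should be dropped
or counted here rather than handed up as regular packets; if it cannot,
a comment saying so would document the assumption.
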
@@ -320,94 +322,220 @@ otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 #define RX_VLAN_F  NIX_RX_OFFLOAD_VLAN_STRIP_F
 #define MARK_F  NIX_RX_OFFLOAD_MARK_UPDATE_F
 #define TS_F	NIX_RX_OFFLOAD_TSTAMP_F
+#define RX_SEC_F   NIX_RX_OFFLOAD_SECURITY_F
 
-/* [TSMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
+/* [SEC] [TSMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
 #define NIX_RX_FASTPATH_MODES						       \
-R(no_offload,			0, 0, 0, 0, 0, 0, NIX_RX_OFFLOAD_NONE)	\
-R(rss,				0, 0, 0, 0, 0, 1, RSS_F)		\
-R(ptype,			0, 0, 0, 0, 1, 0, PTYPE_F)		\
-R(ptype_rss,			0, 0, 0, 0, 1, 1, PTYPE_F | RSS_F)	\
-R(cksum,			0, 0, 0, 1, 0, 0, CKSUM_F)		\
-R(cksum_rss,			0, 0, 0, 1, 0, 1, CKSUM_F | RSS_F)	\
-R(cksum_ptype,			0, 0, 0, 1, 1, 0, CKSUM_F | PTYPE_F)	\
-R(cksum_ptype_rss,		0, 0, 0, 1, 1, 1, CKSUM_F | PTYPE_F | RSS_F)\
-R(vlan,				0, 0, 1, 0, 0, 0, RX_VLAN_F)		\
-R(vlan_rss,			0, 0, 1, 0, 0, 1, RX_VLAN_F | RSS_F)	\
-R(vlan_ptype,			0, 0, 1, 0, 1, 0, RX_VLAN_F | PTYPE_F)	\
-R(vlan_ptype_rss,		0, 0, 1, 0, 1, 1, RX_VLAN_F | PTYPE_F | RSS_F)\
-R(vlan_cksum,			0, 0, 1, 1, 0, 0, RX_VLAN_F | CKSUM_F)	\
-R(vlan_cksum_rss,		0, 0, 1, 1, 0, 1, RX_VLAN_F | CKSUM_F | RSS_F)\
-R(vlan_cksum_ptype,		0, 0, 1, 1, 1, 0,			\
-			RX_VLAN_F | CKSUM_F | PTYPE_F)			\
-R(vlan_cksum_ptype_rss,		0, 0, 1, 1, 1, 1,			\
-			RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)		\
-R(mark,				0, 1, 0, 0, 0, 0, MARK_F)		\
-R(mark_rss,			0, 1, 0, 0, 0, 1, MARK_F | RSS_F)	\
-R(mark_ptype,			0, 1, 0, 0, 1, 0, MARK_F | PTYPE_F)	\
-R(mark_ptype_rss,		0, 1, 0, 0, 1, 1, MARK_F | PTYPE_F | RSS_F)\
-R(mark_cksum,			0, 1, 0, 1, 0, 0, MARK_F | CKSUM_F)	\
-R(mark_cksum_rss,		0, 1, 0, 1, 0, 1, MARK_F | CKSUM_F | RSS_F)\
-R(mark_cksum_ptype,		0, 1, 0, 1, 1, 0, MARK_F | CKSUM_F | PTYPE_F)\
-R(mark_cksum_ptype_rss,		0, 1, 0, 1, 1, 1,			\
-			MARK_F | CKSUM_F | PTYPE_F | RSS_F)		\
-R(mark_vlan,			0, 1, 1, 0, 0, 0, MARK_F | RX_VLAN_F)	\
-R(mark_vlan_rss,		0, 1, 1, 0, 0, 1, MARK_F | RX_VLAN_F | RSS_F)\
-R(mark_vlan_ptype,		0, 1, 1, 0, 1, 0,			\
-			MARK_F | RX_VLAN_F | PTYPE_F)			\
-R(mark_vlan_ptype_rss,		0, 1, 1, 0, 1, 1,			\
-			MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)		\
-R(mark_vlan_cksum,		0, 1, 1, 1, 0, 0,			\
-			MARK_F | RX_VLAN_F | CKSUM_F)			\
-R(mark_vlan_cksum_rss,		0, 1, 1, 1, 0, 1,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		\
-R(mark_vlan_cksum_ptype,	0, 1, 1, 1, 1, 0,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		\
-R(mark_vlan_cksum_ptype_rss,	0, 1, 1, 1, 1, 1,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	\
-R(ts,				1, 0, 0, 0, 0, 0, TS_F)			\
-R(ts_rss,			1, 0, 0, 0, 0, 1, TS_F | RSS_F)		\
-R(ts_ptype,			1, 0, 0, 0, 1, 0, TS_F | PTYPE_F)	\
-R(ts_ptype_rss,			1, 0, 0, 0, 1, 1, TS_F | PTYPE_F | RSS_F)\
-R(ts_cksum,			1, 0, 0, 1, 0, 0, TS_F | CKSUM_F)	\
-R(ts_cksum_rss,			1, 0, 0, 1, 0, 1, TS_F | CKSUM_F | RSS_F)\
-R(ts_cksum_ptype,		1, 0, 0, 1, 1, 0, TS_F | CKSUM_F | PTYPE_F)\
-R(ts_cksum_ptype_rss,		1, 0, 0, 1, 1, 1,			\
-			TS_F | CKSUM_F | PTYPE_F | RSS_F)		\
-R(ts_vlan,			1, 0, 1, 0, 0, 0, TS_F | RX_VLAN_F)	\
-R(ts_vlan_rss,			1, 0, 1, 0, 0, 1, TS_F | RX_VLAN_F | RSS_F)\
-R(ts_vlan_ptype,		1, 0, 1, 0, 1, 0, TS_F | RX_VLAN_F | PTYPE_F)\
-R(ts_vlan_ptype_rss,		1, 0, 1, 0, 1, 1,			\
-			TS_F | RX_VLAN_F | PTYPE_F | RSS_F)		\
-R(ts_vlan_cksum,		1, 0, 1, 1, 0, 0,			\
-			TS_F | RX_VLAN_F | CKSUM_F)			\
-R(ts_vlan_cksum_rss,		1, 0, 1, 1, 0, 1,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		\
-R(ts_vlan_cksum_ptype,		1, 0, 1, 1, 1, 0,			\
-			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		\
-R(ts_vlan_cksum_ptype_rss,	1, 0, 1, 1, 1, 1,			\
-			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	\
-R(ts_mark,			1, 1, 0, 0, 0, 0, TS_F | MARK_F)	\
-R(ts_mark_rss,			1, 1, 0, 0, 0, 1, TS_F | MARK_F | RSS_F)\
-R(ts_mark_ptype,		1, 1, 0, 0, 1, 0, TS_F | MARK_F | PTYPE_F)\
-R(ts_mark_ptype_rss,		1, 1, 0, 0, 1, 1,			\
-			TS_F | MARK_F | PTYPE_F | RSS_F)		\
-R(ts_mark_cksum,		1, 1, 0, 1, 0, 0, TS_F | MARK_F | CKSUM_F)\
-R(ts_mark_cksum_rss,		1, 1, 0, 1, 0, 1,			\
-			TS_F | MARK_F | CKSUM_F | RSS_F)\
-R(ts_mark_cksum_ptype,		1, 1, 0, 1, 1, 0,			\
-			TS_F | MARK_F | CKSUM_F | PTYPE_F)		\
-R(ts_mark_cksum_ptype_rss,	1, 1, 0, 1, 1, 1,			\
-			TS_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)	\
-R(ts_mark_vlan,			1, 1, 1, 0, 0, 0, TS_F | MARK_F | RX_VLAN_F)\
-R(ts_mark_vlan_rss,		1, 1, 1, 0, 0, 1,			\
-			TS_F | MARK_F | RX_VLAN_F | RSS_F)\
-R(ts_mark_vlan_ptype,		1, 1, 1, 0, 1, 0,			\
-			TS_F | MARK_F | RX_VLAN_F | PTYPE_F)		\
-R(ts_mark_vlan_ptype_rss,	1, 1, 1, 0, 1, 1,			\
-			TS_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)	\
-R(ts_mark_vlan_cksum_ptype,	1, 1, 1, 1, 1, 0,			\
-			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)	\
-R(ts_mark_vlan_cksum_ptype_rss,	1, 1, 1, 1, 1, 1,			\
-			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)
-
+R(no_offload,			0, 0, 0, 0, 0, 0, 0, NIX_RX_OFFLOAD_NONE)      \
+R(rss,				0, 0, 0, 0, 0, 0, 1, RSS_F)		       \
+R(ptype,			0, 0, 0, 0, 0, 1, 0, PTYPE_F)		       \
+R(ptype_rss,			0, 0, 0, 0, 0, 1, 1, PTYPE_F | RSS_F)	       \
+R(cksum,			0, 0, 0, 0, 1, 0, 0, CKSUM_F)		       \
+R(cksum_rss,			0, 0, 0, 0, 1, 0, 1, CKSUM_F | RSS_F)	       \
+R(cksum_ptype,			0, 0, 0, 0, 1, 1, 0, CKSUM_F | PTYPE_F)	       \
+R(cksum_ptype_rss,		0, 0, 0, 0, 1, 1, 1, CKSUM_F | PTYPE_F | RSS_F)\
+R(vlan,				0, 0, 0, 1, 0, 0, 0, RX_VLAN_F)		       \
+R(vlan_rss,			0, 0, 0, 1, 0, 0, 1, RX_VLAN_F | RSS_F)	       \
+R(vlan_ptype,			0, 0, 0, 1, 0, 1, 0, RX_VLAN_F | PTYPE_F)      \
+R(vlan_ptype_rss,		0, 0, 0, 1, 0, 1, 1,			       \
+			RX_VLAN_F | PTYPE_F | RSS_F)			       \
+R(vlan_cksum,			0, 0, 0, 1, 1, 0, 0, RX_VLAN_F | CKSUM_F)      \
+R(vlan_cksum_rss,		0, 0, 0, 1, 1, 0, 1,			       \
+			RX_VLAN_F | CKSUM_F | RSS_F)			       \
+R(vlan_cksum_ptype,		0, 0, 0, 1, 1, 1, 0,			       \
+			RX_VLAN_F | CKSUM_F | PTYPE_F)			       \
+R(vlan_cksum_ptype_rss,		0, 0, 0, 1, 1, 1, 1,			       \
+			RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(mark,				0, 0, 1, 0, 0, 0, 0, MARK_F)		       \
+R(mark_rss,			0, 0, 1, 0, 0, 0, 1, MARK_F | RSS_F)	       \
+R(mark_ptype,			0, 0, 1, 0, 0, 1, 0, MARK_F | PTYPE_F)	       \
+R(mark_ptype_rss,		0, 0, 1, 0, 0, 1, 1, MARK_F | PTYPE_F | RSS_F) \
+R(mark_cksum,			0, 0, 1, 0, 1, 0, 0, MARK_F | CKSUM_F)	       \
+R(mark_cksum_rss,		0, 0, 1, 0, 1, 0, 1, MARK_F | CKSUM_F | RSS_F) \
+R(mark_cksum_ptype,		0, 0, 1, 0, 1, 1, 0,			       \
+			MARK_F | CKSUM_F | PTYPE_F)			       \
+R(mark_cksum_ptype_rss,		0, 0, 1, 0, 1, 1, 1,			       \
+			MARK_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(mark_vlan,			0, 0, 1, 1, 0, 0, 0, MARK_F | RX_VLAN_F)       \
+R(mark_vlan_rss,		0, 0, 1, 1, 0, 0, 1,			       \
+			MARK_F | RX_VLAN_F | RSS_F)			       \
+R(mark_vlan_ptype,		0, 0, 1, 1, 0, 1, 0,			       \
+			MARK_F | RX_VLAN_F | PTYPE_F)			       \
+R(mark_vlan_ptype_rss,		0, 0, 1, 1, 0, 1, 1,			       \
+			MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)		       \
+R(mark_vlan_cksum,		0, 0, 1, 1, 1, 0, 0,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F)			       \
+R(mark_vlan_cksum_rss,		0, 0, 1, 1, 1, 0, 1,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		       \
+R(mark_vlan_cksum_ptype,	0, 0, 1, 1, 1, 1, 0,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		       \
+R(mark_vlan_cksum_ptype_rss,	0, 0, 1, 1, 1, 1, 1,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(ts,				0, 1, 0, 0, 0, 0, 0, TS_F)		       \
+R(ts_rss,			0, 1, 0, 0, 0, 0, 1, TS_F | RSS_F)	       \
+R(ts_ptype,			0, 1, 0, 0, 0, 1, 0, TS_F | PTYPE_F)	       \
+R(ts_ptype_rss,			0, 1, 0, 0, 0, 1, 1, TS_F | PTYPE_F | RSS_F)   \
+R(ts_cksum,			0, 1, 0, 0, 1, 0, 0, TS_F | CKSUM_F)	       \
+R(ts_cksum_rss,			0, 1, 0, 0, 1, 0, 1, TS_F | CKSUM_F | RSS_F)   \
+R(ts_cksum_ptype,		0, 1, 0, 0, 1, 1, 0, TS_F | CKSUM_F | PTYPE_F) \
+R(ts_cksum_ptype_rss,		0, 1, 0, 0, 1, 1, 1,			       \
+			TS_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(ts_vlan,			0, 1, 0, 1, 0, 0, 0, TS_F | RX_VLAN_F)	       \
+R(ts_vlan_rss,			0, 1, 0, 1, 0, 0, 1, TS_F | RX_VLAN_F | RSS_F) \
+R(ts_vlan_ptype,		0, 1, 0, 1, 0, 1, 0,			       \
+			TS_F | RX_VLAN_F | PTYPE_F)			       \
+R(ts_vlan_ptype_rss,		0, 1, 0, 1, 0, 1, 1,			       \
+			TS_F | RX_VLAN_F | PTYPE_F | RSS_F)		       \
+R(ts_vlan_cksum,		0, 1, 0, 1, 1, 0, 0,			       \
+			TS_F | RX_VLAN_F | CKSUM_F)			       \
+R(ts_vlan_cksum_rss,		0, 1, 0, 1, 1, 0, 1,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		       \
+R(ts_vlan_cksum_ptype,		0, 1, 0, 1, 1, 1, 0,			       \
+			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		       \
+R(ts_vlan_cksum_ptype_rss,	0, 1, 0, 1, 1, 1, 1,			       \
+			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(ts_mark,			0, 1, 1, 0, 0, 0, 0, TS_F | MARK_F)	       \
+R(ts_mark_rss,			0, 1, 1, 0, 0, 0, 1, TS_F | MARK_F | RSS_F)    \
+R(ts_mark_ptype,		0, 1, 1, 0, 0, 1, 0, TS_F | MARK_F | PTYPE_F)  \
+R(ts_mark_ptype_rss,		0, 1, 1, 0, 0, 1, 1,			       \
+			TS_F | MARK_F | PTYPE_F | RSS_F)		       \
+R(ts_mark_cksum,		0, 1, 1, 0, 1, 0, 0, TS_F | MARK_F | CKSUM_F)  \
+R(ts_mark_cksum_rss,		0, 1, 1, 0, 1, 0, 1,			       \
+			TS_F | MARK_F | CKSUM_F | RSS_F)		       \
+R(ts_mark_cksum_ptype,		0, 1, 1, 0, 1, 1, 0,			       \
+			TS_F | MARK_F | CKSUM_F | PTYPE_F)		       \
+R(ts_mark_cksum_ptype_rss,	0, 1, 1, 0, 1, 1, 1,			       \
+			TS_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(ts_mark_vlan,			0, 1, 1, 1, 0, 0, 0, TS_F | MARK_F | RX_VLAN_F)\
+R(ts_mark_vlan_rss,		0, 1, 1, 1, 0, 0, 1,			       \
+			TS_F | MARK_F | RX_VLAN_F | RSS_F)		       \
+R(ts_mark_vlan_ptype,		0, 1, 1, 1, 0, 1, 0,			       \
+			TS_F | MARK_F | RX_VLAN_F | PTYPE_F)		       \
+R(ts_mark_vlan_ptype_rss,	0, 1, 1, 1, 0, 1, 1,			       \
+			TS_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)	       \
+R(ts_mark_vlan_cksum_ptype,	0, 1, 1, 1, 1, 1, 0,			       \
+			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)	       \
+R(ts_mark_vlan_cksum_ptype_rss,	0, 1, 1, 1, 1, 1, 1,			       \
+			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F) \
+R(sec,				1, 0, 0, 0, 0, 0, 0, RX_SEC_F)		       \
+R(sec_rss,			1, 0, 0, 0, 0, 0, 1, RX_SEC_F | RSS_F)	       \
+R(sec_ptype,			1, 0, 0, 0, 0, 1, 0, RX_SEC_F | PTYPE_F)       \
+R(sec_ptype_rss,		1, 0, 0, 0, 0, 1, 1,			       \
+			RX_SEC_F | PTYPE_F | RSS_F)			       \
+R(sec_cksum,			1, 0, 0, 0, 1, 0, 0, RX_SEC_F | CKSUM_F)       \
+R(sec_cksum_rss,		1, 0, 0, 0, 1, 0, 1,			       \
+			RX_SEC_F | CKSUM_F | RSS_F)			       \
+R(sec_cksum_ptype,		1, 0, 0, 0, 1, 1, 0,			       \
+			RX_SEC_F | CKSUM_F | PTYPE_F)			       \
+R(sec_cksum_ptype_rss,		1, 0, 0, 0, 1, 1, 1,			       \
+			RX_SEC_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(sec_vlan,			1, 0, 0, 1, 0, 0, 0, RX_SEC_F | RX_VLAN_F)     \
+R(sec_vlan_rss,			1, 0, 0, 1, 0, 0, 1,			       \
+			RX_SEC_F | RX_VLAN_F | RSS_F)			       \
+R(sec_vlan_ptype,		1, 0, 0, 1, 0, 1, 0,			       \
+			RX_SEC_F | RX_VLAN_F | PTYPE_F)			       \
+R(sec_vlan_ptype_rss,		1, 0, 0, 1, 0, 1, 1,			       \
+			RX_SEC_F | RX_VLAN_F | PTYPE_F | RSS_F)		       \
+R(sec_vlan_cksum,		1, 0, 0, 1, 1, 0, 0,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F)			       \
+R(sec_vlan_cksum_rss,		1, 0, 0, 1, 1, 0, 1,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F | RSS_F)		       \
+R(sec_vlan_cksum_ptype,		1, 0, 0, 1, 1, 1, 0,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F | PTYPE_F)	       \
+R(sec_vlan_cksum_ptype_rss,	1, 0, 0, 1, 1, 1, 1,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)      \
+R(sec_mark,			1, 0, 1, 0, 0, 0, 0, RX_SEC_F | MARK_F)	       \
+R(sec_mark_rss,			1, 0, 1, 0, 0, 0, 1, RX_SEC_F | MARK_F | RSS_F)\
+R(sec_mark_ptype,		1, 0, 1, 0, 0, 1, 0,			       \
+			RX_SEC_F | MARK_F | PTYPE_F)			       \
+R(sec_mark_ptype_rss,		1, 0, 1, 0, 0, 1, 1,			       \
+			RX_SEC_F | MARK_F | PTYPE_F | RSS_F)		       \
+R(sec_mark_cksum,		1, 0, 1, 0, 1, 0, 0,			       \
+			RX_SEC_F | MARK_F | CKSUM_F)			       \
+R(sec_mark_cksum_rss,		1, 0, 1, 0, 1, 0, 1,			       \
+			RX_SEC_F | MARK_F | CKSUM_F | RSS_F)		       \
+R(sec_mark_cksum_ptype,		1, 0, 1, 0, 1, 1, 0,			       \
+			RX_SEC_F | MARK_F | CKSUM_F | PTYPE_F)		       \
+R(sec_mark_cksum_ptype_rss,	1, 0, 1, 0, 1, 1, 1,			       \
+			RX_SEC_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(sec_mark_vlan,		1, 0, 1, 1, 0, 0, 0, RX_SEC_F | RX_VLAN_F)     \
+R(sec_mark_vlan_rss,		1, 0, 1, 1, 0, 0, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | RSS_F)		       \
+R(sec_mark_vlan_ptype,		1, 0, 1, 1, 0, 1, 0,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | PTYPE_F)	       \
+R(sec_mark_vlan_ptype_rss,	1, 0, 1, 1, 0, 1, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)       \
+R(sec_mark_vlan_cksum,		1, 0, 1, 1, 1, 0, 0,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F)	       \
+R(sec_mark_vlan_cksum_rss,	1, 0, 1, 1, 1, 0, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)       \
+R(sec_mark_vlan_cksum_ptype,	1, 0, 1, 1, 1, 1, 0,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)     \
+R(sec_mark_vlan_cksum_ptype_rss,					       \
+				1, 0, 1, 1, 1, 1, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F |    \
+			RSS_F)						       \
+R(sec_ts,			1, 1, 0, 0, 0, 0, 0, RX_SEC_F | TS_F)	       \
+R(sec_ts_rss,			1, 1, 0, 0, 0, 0, 1, RX_SEC_F | TS_F | RSS_F)  \
+R(sec_ts_ptype,			1, 1, 0, 0, 0, 1, 0, RX_SEC_F | TS_F | PTYPE_F)\
+R(sec_ts_ptype_rss,		1, 1, 0, 0, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | PTYPE_F | RSS_F)		       \
+R(sec_ts_cksum,			1, 1, 0, 0, 1, 0, 0, RX_SEC_F | TS_F | CKSUM_F)\
+R(sec_ts_cksum_rss,		1, 1, 0, 0, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | CKSUM_F | RSS_F)		       \
+R(sec_ts_cksum_ptype,		1, 1, 0, 0, 1, 1, 0,			       \
+			RX_SEC_F | CKSUM_F | PTYPE_F)			       \
+R(sec_ts_cksum_ptype_rss,	1, 1, 0, 0, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(sec_ts_vlan,			1, 1, 0, 1, 0, 0, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F)			       \
+R(sec_ts_vlan_rss,		1, 1, 0, 1, 0, 0, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | RSS_F)		       \
+R(sec_ts_vlan_ptype,		1, 1, 0, 1, 0, 1, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | PTYPE_F)		       \
+R(sec_ts_vlan_ptype_rss,	1, 1, 0, 1, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | PTYPE_F | RSS_F)	       \
+R(sec_ts_vlan_cksum,		1, 1, 0, 1, 1, 0, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F)		       \
+R(sec_ts_vlan_cksum_rss,	1, 1, 0, 1, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F | RSS_F)	       \
+R(sec_ts_vlan_cksum_ptype,	1, 1, 0, 1, 1, 1, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F)       \
+R(sec_ts_vlan_cksum_ptype_rss,	1, 1, 0, 1, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F |      \
+			RSS_F)						       \
+R(sec_ts_mark,			1, 1, 1, 0, 0, 0, 0, RX_SEC_F | TS_F | MARK_F) \
+R(sec_ts_mark_rss,		1, 1, 1, 0, 0, 0, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RSS_F)		       \
+R(sec_ts_mark_ptype,		1, 1, 1, 0, 0, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | PTYPE_F)		       \
+R(sec_ts_mark_ptype_rss,	1, 1, 1, 0, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | PTYPE_F | RSS_F)	       \
+R(sec_ts_mark_cksum,		1, 1, 1, 0, 1, 0, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F)		       \
+R(sec_ts_mark_cksum_rss,	1, 1, 1, 0, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F | RSS_F)	       \
+R(sec_ts_mark_cksum_ptype,	1, 1, 1, 0, 1, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F | PTYPE_F)	       \
+R(sec_ts_mark_cksum_ptype_rss,	1, 1, 1, 0, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)  \
+R(sec_ts_mark_vlan,		1, 1, 1, 1, 0, 0, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F)		       \
+R(sec_ts_mark_vlan_rss,		1, 1, 1, 1, 0, 0, 1,			       \
+			RX_SEC_F | RX_VLAN_F | RSS_F)			       \
+R(sec_ts_mark_vlan_ptype,	1, 1, 1, 1, 0, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | PTYPE_F)	       \
+R(sec_ts_mark_vlan_ptype_rss,	1, 1, 1, 1, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)\
+R(sec_ts_mark_vlan_cksum,	1, 1, 1, 1, 1, 0, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F)	       \
+R(sec_ts_mark_vlan_cksum_rss,	1, 1, 1, 1, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)\
+R(sec_ts_mark_vlan_cksum_ptype,	1, 1, 1, 1, 1, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F |       \
+			PTYPE_F)					       \
+R(sec_ts_mark_vlan_cksum_ptype_rss,					       \
+				1, 1, 1, 1, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F |       \
+			PTYPE_F | RSS_F)
 #endif /* __OTX2_RX_H__ */
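Review bot: Three of the new sec rows pass a flags argument that disagrees with the row's name and index bits. `sec_mark_vlan` (1, 0, 1, 1, 0, 0, 0) passes `RX_SEC_F | RX_VLAN_F` without `MARK_F`; `sec_ts_cksum_ptype` (1, 1, 0, 0, 1, 1, 0) passes `RX_SEC_F | CKSUM_F | PTYPE_F` without `TS_F`; `sec_ts_mark_vlan_rss` (1, 1, 1, 1, 0, 0, 1) passes `RX_SEC_F | RX_VLAN_F | RSS_F` without `TS_F` and `MARK_F`. If the generated functions are specialized on that argument, a port configured with those offload combinations is handed a receive routine that skips mark or timestamp handling. Please add the missing flags so each row's flags match its bits.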
-- 
2.7.4



* [dpdk-dev] [PATCH v3 13/15] drivers/octeontx2: add sec in Tx fastpath framework
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
                       ` (11 preceding siblings ...)
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 12/15] drivers/octeontx2: add sec in Rx fastpath framework Anoob Joseph
@ 2020-01-31 10:03     ` Anoob Joseph
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 14/15] net/octeontx2: add inline Tx path changes Anoob Joseph
                       ` (2 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Archana Muniganti, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dev

From: Archana Muniganti <marchana@marvell.com>

Added new flag for SECURITY in compiler optimized Tx fastpath
framework. With this, compiler autogenerates functions which
have security enabled.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/event/octeontx2/otx2_evdev.c       |  36 ++--
 drivers/event/octeontx2/otx2_evdev.h       |   2 +-
 drivers/event/octeontx2/otx2_worker.c      |   4 +-
 drivers/event/octeontx2/otx2_worker_dual.c |   4 +-
 drivers/net/octeontx2/otx2_ethdev.c        |   3 +
 drivers/net/octeontx2/otx2_tx.c            |  29 +--
 drivers/net/octeontx2/otx2_tx.h            | 271 ++++++++++++++++++++++-------
 7 files changed, 250 insertions(+), 99 deletions(-)

diff --git a/drivers/event/octeontx2/otx2_evdev.c b/drivers/event/octeontx2/otx2_evdev.c
index f6c641a..d20213d 100644
--- a/drivers/event/octeontx2/otx2_evdev.c
+++ b/drivers/event/octeontx2/otx2_evdev.c
@@ -177,35 +177,37 @@ SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 	};
 
 	/* Tx modes */
-	const event_tx_adapter_enqueue ssogws_tx_adptr_enq[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =  otx2_ssogws_tx_adptr_enq_ ## name,
+	const event_tx_adapter_enqueue
+		ssogws_tx_adptr_enq[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_tx_adptr_enq_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 	};
 
 	const event_tx_adapter_enqueue
-		ssogws_tx_adptr_enq_seg[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_tx_adptr_enq_seg[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_tx_adptr_enq_seg_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 	};
 
 	const event_tx_adapter_enqueue
-		ssogws_dual_tx_adptr_enq[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_dual_tx_adptr_enq[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_dual_tx_adptr_enq_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 	};
 
 	const event_tx_adapter_enqueue
-		ssogws_dual_tx_adptr_enq_seg[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_dual_tx_adptr_enq_seg[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_dual_tx_adptr_enq_seg_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
@@ -290,8 +292,9 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 	}
 
 	if (dev->tx_offloads & NIX_TX_MULTI_SEG_F) {
-		/* [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
+		/* [SEC] [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
 		event_dev->txa_enqueue = ssogws_tx_adptr_enq_seg
+			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_SECURITY_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_MBUF_NOFF_F)]
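Review bot: The updated index comment lists six dimensions, `[SEC] [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM]`, but the table is now indexed with seven, and the second index in the lines right below it is `NIX_TX_OFFLOAD_TSO_F`. Please add `[TSO]` after `[SEC]` so the comment matches the lookup order; the copy of this comment in the dual-workslot branch further down has the same gap.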
@@ -300,6 +303,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_L3_L4_CSUM_F)];
 	} else {
 		event_dev->txa_enqueue = ssogws_tx_adptr_enq
+			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_SECURITY_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_MBUF_NOFF_F)]
@@ -440,8 +444,10 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		}
 
 		if (dev->tx_offloads & NIX_TX_MULTI_SEG_F) {
-		/* [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
+		/* [SEC] [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
 			event_dev->txa_enqueue = ssogws_dual_tx_adptr_enq_seg
+				[!!(dev->tx_offloads &
+						NIX_TX_OFFLOAD_SECURITY_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->tx_offloads &
@@ -454,6 +460,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 						NIX_TX_OFFLOAD_L3_L4_CSUM_F)];
 		} else {
 			event_dev->txa_enqueue = ssogws_dual_tx_adptr_enq
+				[!!(dev->tx_offloads &
+						NIX_TX_OFFLOAD_SECURITY_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->tx_offloads &
diff --git a/drivers/event/octeontx2/otx2_evdev.h b/drivers/event/octeontx2/otx2_evdev.h
index 5a44fd3..3b47782 100644
--- a/drivers/event/octeontx2/otx2_evdev.h
+++ b/drivers/event/octeontx2/otx2_evdev.h
@@ -335,7 +335,7 @@ uint16_t otx2_ssogws_dual_deq_seg_timeout_burst_ ##name(void *port,	       \
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			     \
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			     \
 uint16_t otx2_ssogws_tx_adptr_enq_ ## name(void *port, struct rte_event ev[],\
 					   uint16_t nb_events);		     \
 uint16_t otx2_ssogws_tx_adptr_enq_seg_ ## name(void *port,		     \
diff --git a/drivers/event/octeontx2/otx2_worker.c b/drivers/event/octeontx2/otx2_worker.c
index 12445d9..8bec59e 100644
--- a/drivers/event/octeontx2/otx2_worker.c
+++ b/drivers/event/octeontx2/otx2_worker.c
@@ -267,7 +267,7 @@ otx2_ssogws_enq_fwd_burst(void *port, const struct rte_event ev[],
 	return 1;
 }
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_tx_adptr_enq_ ## name(void *port, struct rte_event ev[],	\
 				  uint16_t nb_events)			\
@@ -281,7 +281,7 @@ otx2_ssogws_tx_adptr_enq_ ## name(void *port, struct rte_event ev[],	\
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_tx_adptr_enq_seg_ ## name(void *port, struct rte_event ev[],\
 				      uint16_t nb_events)		\
diff --git a/drivers/event/octeontx2/otx2_worker_dual.c b/drivers/event/octeontx2/otx2_worker_dual.c
index 22a4889..3cba09c 100644
--- a/drivers/event/octeontx2/otx2_worker_dual.c
+++ b/drivers/event/octeontx2/otx2_worker_dual.c
@@ -307,7 +307,7 @@ otx2_ssogws_dual_deq_seg_timeout_burst_ ##name(void *port,		\
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_dual_tx_adptr_enq_ ## name(void *port,			\
 				       struct rte_event ev[],		\
@@ -324,7 +324,7 @@ otx2_ssogws_dual_tx_adptr_enq_ ## name(void *port,			\
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_dual_tx_adptr_enq_seg_ ## name(void *port,			\
 					   struct rte_event ev[],	\
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index cd7bb6a..2719e71 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -700,6 +700,9 @@ nix_tx_offload_flags(struct rte_eth_dev *eth_dev)
 			  NIX_TX_OFFLOAD_OL3_OL4_CSUM_F |
 			  NIX_TX_OFFLOAD_L3_L4_CSUM_F);
 
+	if (conf & DEV_TX_OFFLOAD_SECURITY)
+		flags |= NIX_TX_OFFLOAD_SECURITY_F;
+
 	if ((dev->rx_offloads & DEV_RX_OFFLOAD_TIMESTAMP))
 		flags |= NIX_TX_OFFLOAD_TSTAMP_F;
 
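Review bot: `NIX_TX_OFFLOAD_SECURITY_F` is set from the requested `DEV_TX_OFFLOAD_SECURITY` bit in `conf` alone. Nothing in this hunk ties the flag to the port actually having a security context, so please confirm that device configure rejects the offload on ports without inline IPsec support, or gate the flag on that condition here. Otherwise the sec Tx variants can be selected for a port that cannot honour them.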
diff --git a/drivers/net/octeontx2/otx2_tx.c b/drivers/net/octeontx2/otx2_tx.c
index 5011460..4f2036c 100644
--- a/drivers/net/octeontx2/otx2_tx.c
+++ b/drivers/net/octeontx2/otx2_tx.c
@@ -946,7 +946,7 @@ nix_xmit_pkts_vector(void *tx_queue, struct rte_mbuf **tx_pkts,
 }
 #endif
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 static uint16_t __rte_noinline	__hot					\
 otx2_nix_xmit_pkts_ ## name(void *tx_queue,				\
 			struct rte_mbuf **tx_pkts, uint16_t pkts)	\
@@ -963,7 +963,7 @@ otx2_nix_xmit_pkts_ ## name(void *tx_queue,				\
 NIX_TX_FASTPATH_MODES
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 static uint16_t __rte_noinline	__hot					\
 otx2_nix_xmit_pkts_mseg_ ## name(void *tx_queue,			\
 			struct rte_mbuf **tx_pkts, uint16_t pkts)	\
@@ -981,7 +981,7 @@ otx2_nix_xmit_pkts_mseg_ ## name(void *tx_queue,			\
 NIX_TX_FASTPATH_MODES
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 static uint16_t __rte_noinline	__hot					\
 otx2_nix_xmit_pkts_vec_ ## name(void *tx_queue,				\
 			struct rte_mbuf **tx_pkts, uint16_t pkts)	\
@@ -1001,12 +1001,13 @@ NIX_TX_FASTPATH_MODES
 
 static inline void
 pick_tx_func(struct rte_eth_dev *eth_dev,
-	     const eth_tx_burst_t tx_burst[2][2][2][2][2][2])
+	     const eth_tx_burst_t tx_burst[2][2][2][2][2][2][2])
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	/* [TSTMP] [NOFF] [VLAN] [OL3_OL4_CSUM] [IL3_IL4_CSUM] */
+	/* [SEC] [TSTMP] [NOFF] [VLAN] [OL3_OL4_CSUM] [IL3_IL4_CSUM] */
 	eth_dev->tx_pkt_burst = tx_burst
+		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_SECURITY_F)]
 		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_TSO_F)]
 		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_TSTAMP_F)]
 		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_MBUF_NOFF_F)]
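Review bot: The comment above the lookup reads `[SEC] [TSTMP] [NOFF] ...` while the index order in the lines below is SECURITY, TSO, TSTAMP, MBUF_NOFF, so `[TSO]` is missing. With seven positional indices and the order repeated in several files, a stale comment is the easiest way for a later flag to be inserted in the wrong slot. Suggest reusing the ordering line that sits above `NIX_TX_FASTPATH_MODES` in otx2_tx.h, which already lists `[SEC] [TSO] [TSTMP] ...`.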
@@ -1020,25 +1021,25 @@ otx2_eth_set_tx_function(struct rte_eth_dev *eth_dev)
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	const eth_tx_burst_t nix_eth_tx_burst[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_ ## name,
+	const eth_tx_burst_t nix_eth_tx_burst[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_ ## name,
 
 NIX_TX_FASTPATH_MODES
 #undef T
 	};
 
-	const eth_tx_burst_t nix_eth_tx_burst_mseg[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_mseg_ ## name,
+	const eth_tx_burst_t nix_eth_tx_burst_mseg[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_mseg_ ## name,
 
 NIX_TX_FASTPATH_MODES
 #undef T
 	};
 
-	const eth_tx_burst_t nix_eth_tx_vec_burst[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_vec_ ## name,
+	const eth_tx_burst_t nix_eth_tx_vec_burst[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_vec_ ## name,
 
 NIX_TX_FASTPATH_MODES
 #undef T
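Review bot: `nix_eth_tx_vec_burst` now receives all 64 sec entries from `NIX_TX_FASTPATH_MODES`, so `otx2_nix_xmit_pkts_vec_sec*` functions are generated and become selectable through `pick_tx_func()`. Does the vector path perform the outbound security pre-processing? If it does not, the selection should fall back to the scalar table whenever `NIX_TX_OFFLOAD_SECURITY_F` is set, or the sec slots of the vector table should point at the scalar functions.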
diff --git a/drivers/net/octeontx2/otx2_tx.h b/drivers/net/octeontx2/otx2_tx.h
index 04e859b..3c43170 100644
--- a/drivers/net/octeontx2/otx2_tx.h
+++ b/drivers/net/octeontx2/otx2_tx.h
@@ -12,6 +12,7 @@
 #define NIX_TX_OFFLOAD_MBUF_NOFF_F	BIT(3)
 #define NIX_TX_OFFLOAD_TSTAMP_F		BIT(4)
 #define NIX_TX_OFFLOAD_TSO_F		BIT(5)
+#define NIX_TX_OFFLOAD_SECURITY_F	BIT(6)
 
 /* Flags to control xmit_prepare function.
  * Defining it from backwards to denote its been
@@ -470,136 +471,274 @@ otx2_nix_xmit_mseg_one(uint64_t *cmd, void *lmt_addr,
 #define NOFF_F       NIX_TX_OFFLOAD_MBUF_NOFF_F
 #define TSP_F        NIX_TX_OFFLOAD_TSTAMP_F
 #define TSO_F        NIX_TX_OFFLOAD_TSO_F
+#define TX_SEC_F     NIX_TX_OFFLOAD_SECURITY_F
 
-/* [TSO] [TSTMP] [NOFF] [VLAN] [OL3OL4CSUM] [L3L4CSUM] */
+/* [SEC] [TSO] [TSTMP] [NOFF] [VLAN] [OL3OL4CSUM] [L3L4CSUM] */
 #define NIX_TX_FASTPATH_MODES						\
-T(no_offload,				0, 0, 0, 0, 0, 0,	4,	\
+T(no_offload,				0, 0, 0, 0, 0, 0, 0,	4,	\
 		NIX_TX_OFFLOAD_NONE)					\
-T(l3l4csum,				0, 0, 0, 0, 0, 1,	4,	\
+T(l3l4csum,				0, 0, 0, 0, 0, 0, 1,	4,	\
 		L3L4CSUM_F)						\
-T(ol3ol4csum,				0, 0, 0, 0, 1, 0,	4,	\
+T(ol3ol4csum,				0, 0, 0, 0, 0, 1, 0,	4,	\
 		OL3OL4CSUM_F)						\
-T(ol3ol4csum_l3l4csum,			0, 0, 0, 0, 1, 1,	4,	\
+T(ol3ol4csum_l3l4csum,			0, 0, 0, 0, 0, 1, 1,	4,	\
 		OL3OL4CSUM_F | L3L4CSUM_F)				\
-T(vlan,					0, 0, 0, 1, 0, 0,	6,	\
+T(vlan,					0, 0, 0, 0, 1, 0, 0,	6,	\
 		VLAN_F)							\
-T(vlan_l3l4csum,			0, 0, 0, 1, 0, 1,	6,	\
+T(vlan_l3l4csum,			0, 0, 0, 0, 1, 0, 1,	6,	\
 		VLAN_F | L3L4CSUM_F)					\
-T(vlan_ol3ol4csum,			0, 0, 0, 1, 1, 0,	6,	\
+T(vlan_ol3ol4csum,			0, 0, 0, 0, 1, 1, 0,	6,	\
 		VLAN_F | OL3OL4CSUM_F)					\
-T(vlan_ol3ol4csum_l3l4csum,		0, 0, 0, 1, 1, 1,	6,	\
+T(vlan_ol3ol4csum_l3l4csum,		0, 0, 0, 0, 1, 1, 1,	6,	\
 		VLAN_F | OL3OL4CSUM_F |	L3L4CSUM_F)			\
-T(noff,					0, 0, 1, 0, 0, 0,	4,	\
+T(noff,					0, 0, 0, 1, 0, 0, 0,	4,	\
 		NOFF_F)							\
-T(noff_l3l4csum,			0, 0, 1, 0, 0, 1,	4,	\
+T(noff_l3l4csum,			0, 0, 0, 1, 0, 0, 1,	4,	\
 		NOFF_F | L3L4CSUM_F)					\
-T(noff_ol3ol4csum,			0, 0, 1, 0, 1, 0,	4,	\
+T(noff_ol3ol4csum,			0, 0, 0, 1, 0, 1, 0,	4,	\
 		NOFF_F | OL3OL4CSUM_F)					\
-T(noff_ol3ol4csum_l3l4csum,		0, 0, 1, 0, 1, 1,	4,	\
+T(noff_ol3ol4csum_l3l4csum,		0, 0, 0, 1, 0, 1, 1,	4,	\
 		NOFF_F | OL3OL4CSUM_F |	L3L4CSUM_F)			\
-T(noff_vlan,				0, 0, 1, 1, 0, 0,	6,	\
+T(noff_vlan,				0, 0, 0, 1, 1, 0, 0,	6,	\
 		NOFF_F | VLAN_F)					\
-T(noff_vlan_l3l4csum,			0, 0, 1, 1, 0, 1,	6,	\
+T(noff_vlan_l3l4csum,			0, 0, 0, 1, 1, 0, 1,	6,	\
 		NOFF_F | VLAN_F | L3L4CSUM_F)				\
-T(noff_vlan_ol3ol4csum,			0, 0, 1, 1, 1, 0,	6,	\
+T(noff_vlan_ol3ol4csum,			0, 0, 0, 1, 1, 1, 0,	6,	\
 		NOFF_F | VLAN_F | OL3OL4CSUM_F)				\
-T(noff_vlan_ol3ol4csum_l3l4csum,	0, 0, 1, 1, 1, 1,	6,	\
+T(noff_vlan_ol3ol4csum_l3l4csum,	0, 0, 0, 1, 1, 1, 1,	6,	\
 		NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(ts,					0, 1, 0, 0, 0, 0,	8,	\
+T(ts,					0, 0, 1, 0, 0, 0, 0,	8,	\
 		TSP_F)							\
-T(ts_l3l4csum,				0, 1, 0, 0, 0, 1,	8,	\
+T(ts_l3l4csum,				0, 0, 1, 0, 0, 0, 1,	8,	\
 		TSP_F | L3L4CSUM_F)					\
-T(ts_ol3ol4csum,			0, 1, 0, 0, 1, 0,	8,	\
+T(ts_ol3ol4csum,			0, 0, 1, 0, 0, 1, 0,	8,	\
 		TSP_F | OL3OL4CSUM_F)					\
-T(ts_ol3ol4csum_l3l4csum,		0, 1, 0, 0, 1, 1,	8,	\
+T(ts_ol3ol4csum_l3l4csum,		0, 0, 1, 0, 0, 1, 1,	8,	\
 		TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)			\
-T(ts_vlan,				0, 1, 0, 1, 0, 0,	8,	\
+T(ts_vlan,				0, 0, 1, 0, 1, 0, 0,	8,	\
 		TSP_F | VLAN_F)						\
-T(ts_vlan_l3l4csum,			0, 1, 0, 1, 0, 1,	8,	\
+T(ts_vlan_l3l4csum,			0, 0, 1, 0, 1, 0, 1,	8,	\
 		TSP_F | VLAN_F | L3L4CSUM_F)				\
-T(ts_vlan_ol3ol4csum,			0, 1, 0, 1, 1, 0,	8,	\
+T(ts_vlan_ol3ol4csum,			0, 0, 1, 0, 1, 1, 0,	8,	\
 		TSP_F | VLAN_F | OL3OL4CSUM_F)				\
-T(ts_vlan_ol3ol4csum_l3l4csum,		0, 1, 0, 1, 1, 1,	8,	\
+T(ts_vlan_ol3ol4csum_l3l4csum,		0, 0, 1, 0, 1, 1, 1,	8,	\
 		TSP_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(ts_noff,				0, 1, 1, 0, 0, 0,	8,	\
+T(ts_noff,				0, 0, 1, 1, 0, 0, 0,	8,	\
 		TSP_F | NOFF_F)						\
-T(ts_noff_l3l4csum,			0, 1, 1, 0, 0, 1,	8,	\
+T(ts_noff_l3l4csum,			0, 0, 1, 1, 0, 0, 1,	8,	\
 		TSP_F | NOFF_F | L3L4CSUM_F)				\
-T(ts_noff_ol3ol4csum,			0, 1, 1, 0, 1, 0,	8,	\
+T(ts_noff_ol3ol4csum,			0, 0, 1, 1, 0, 1, 0,	8,	\
 		TSP_F | NOFF_F | OL3OL4CSUM_F)				\
-T(ts_noff_ol3ol4csum_l3l4csum,		0, 1, 1, 0, 1, 1,	8,	\
+T(ts_noff_ol3ol4csum_l3l4csum,		0, 0, 1, 1, 0, 1, 1,	8,	\
 		TSP_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(ts_noff_vlan,				0, 1, 1, 1, 0, 0,	8,	\
+T(ts_noff_vlan,				0, 0, 1, 1, 1, 0, 0,	8,	\
 		TSP_F | NOFF_F | VLAN_F)				\
-T(ts_noff_vlan_l3l4csum,		0, 1, 1, 1, 0, 1,	8,	\
+T(ts_noff_vlan_l3l4csum,		0, 0, 1, 1, 1, 0, 1,	8,	\
 		TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)			\
-T(ts_noff_vlan_ol3ol4csum,		0, 1, 1, 1, 1, 0,	8,	\
+T(ts_noff_vlan_ol3ol4csum,		0, 0, 1, 1, 1, 1, 0,	8,	\
 		TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)			\
-T(ts_noff_vlan_ol3ol4csum_l3l4csum,	0, 1, 1, 1, 1, 1,	8,	\
+T(ts_noff_vlan_ol3ol4csum_l3l4csum,	0, 0, 1, 1, 1, 1, 1,	8,	\
 		TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
 									\
-T(tso,					1, 0, 0, 0, 0, 0,	6,	\
+T(tso,					0, 1, 0, 0, 0, 0, 0,	6,	\
 		TSO_F)							\
-T(tso_l3l4csum,				1, 0, 0, 0, 0, 1,	6,	\
+T(tso_l3l4csum,				0, 1, 0, 0, 0, 0, 1,	6,	\
 		TSO_F | L3L4CSUM_F)					\
-T(tso_ol3ol4csum,			1, 0, 0, 0, 1, 0,	6,	\
+T(tso_ol3ol4csum,			0, 1, 0, 0, 0, 1, 0,	6,	\
 		TSO_F | OL3OL4CSUM_F)					\
-T(tso_ol3ol4csum_l3l4csum,		1, 0, 0, 0, 1, 1,	6,	\
+T(tso_ol3ol4csum_l3l4csum,		0, 1, 0, 0, 0, 1, 1,	6,	\
 		TSO_F | OL3OL4CSUM_F | L3L4CSUM_F)			\
-T(tso_vlan,				1, 0, 0, 1, 0, 0,	6,	\
+T(tso_vlan,				0, 1, 0, 0, 1, 0, 0,	6,	\
 		TSO_F | VLAN_F)						\
-T(tso_vlan_l3l4csum,			1, 0, 0, 1, 0, 1,	6,	\
+T(tso_vlan_l3l4csum,			0, 1, 0, 0, 1, 0, 1,	6,	\
 		TSO_F | VLAN_F | L3L4CSUM_F)				\
-T(tso_vlan_ol3ol4csum,			1, 0, 0, 1, 1, 0,	6,	\
+T(tso_vlan_ol3ol4csum,			0, 1, 0, 0, 1, 1, 0,	6,	\
 		TSO_F | VLAN_F | OL3OL4CSUM_F)				\
-T(tso_vlan_ol3ol4csum_l3l4csum,		1, 0, 0, 1, 1, 1,	6,	\
+T(tso_vlan_ol3ol4csum_l3l4csum,		0, 1, 0, 0, 1, 1, 1,	6,	\
 		TSO_F | VLAN_F | OL3OL4CSUM_F |	L3L4CSUM_F)		\
-T(tso_noff,				1, 0, 1, 0, 0, 0,	6,	\
+T(tso_noff,				0, 1, 0, 1, 0, 0, 0,	6,	\
 		TSO_F | NOFF_F)						\
-T(tso_noff_l3l4csum,			1, 0, 1, 0, 0, 1,	6,	\
+T(tso_noff_l3l4csum,			0, 1, 0, 1, 0, 0, 1,	6,	\
 		TSO_F | NOFF_F | L3L4CSUM_F)				\
-T(tso_noff_ol3ol4csum,			1, 0, 1, 0, 1, 0,	6,	\
+T(tso_noff_ol3ol4csum,			0, 1, 0, 1, 0, 1, 0,	6,	\
 		TSO_F | NOFF_F | OL3OL4CSUM_F)				\
-T(tso_noff_ol3ol4csum_l3l4csum,		1, 0, 1, 0, 1, 1,	6,	\
+T(tso_noff_ol3ol4csum_l3l4csum,		0, 1, 0, 1, 0, 1, 1,	6,	\
 		TSO_F | NOFF_F | OL3OL4CSUM_F |	L3L4CSUM_F)		\
-T(tso_noff_vlan,			1, 0, 1, 1, 0, 0,	6,	\
+T(tso_noff_vlan,			0, 1, 0, 1, 1, 0, 0,	6,	\
 		TSO_F | NOFF_F | VLAN_F)				\
-T(tso_noff_vlan_l3l4csum,		1, 0, 1, 1, 0, 1,	6,	\
+T(tso_noff_vlan_l3l4csum,		0, 1, 0, 1, 1, 0, 1,	6,	\
 		TSO_F | NOFF_F | VLAN_F | L3L4CSUM_F)			\
-T(tso_noff_vlan_ol3ol4csum,		1, 0, 1, 1, 1, 0,	6,	\
+T(tso_noff_vlan_ol3ol4csum,		0, 1, 0, 1, 1, 1, 0,	6,	\
 		TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)			\
-T(tso_noff_vlan_ol3ol4csum_l3l4csum,	1, 0, 1, 1, 1, 1,	6,	\
+T(tso_noff_vlan_ol3ol4csum_l3l4csum,	0, 1, 0, 1, 1, 1, 1,	6,	\
 		TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
-T(tso_ts,				1, 1, 0, 0, 0, 0,	8,	\
+T(tso_ts,				0, 1, 1, 0, 0, 0, 0,	8,	\
 		TSO_F | TSP_F)						\
-T(tso_ts_l3l4csum,			1, 1, 0, 0, 0, 1,	8,	\
+T(tso_ts_l3l4csum,			0, 1, 1, 0, 0, 0, 1,	8,	\
 		TSO_F | TSP_F | L3L4CSUM_F)				\
-T(tso_ts_ol3ol4csum,			1, 1, 0, 0, 1, 0,	8,	\
+T(tso_ts_ol3ol4csum,			0, 1, 1, 0, 0, 1, 0,	8,	\
 		TSO_F | TSP_F | OL3OL4CSUM_F)				\
-T(tso_ts_ol3ol4csum_l3l4csum,		1, 1, 0, 0, 1, 1,	8,	\
+T(tso_ts_ol3ol4csum_l3l4csum,		0, 1, 1, 0, 0, 1, 1,	8,	\
 		TSO_F | TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(tso_ts_vlan,				1, 1, 0, 1, 0, 0,	8,	\
+T(tso_ts_vlan,				0, 1, 1, 0, 1, 0, 0,	8,	\
 		TSO_F | TSP_F | VLAN_F)					\
-T(tso_ts_vlan_l3l4csum,			1, 1, 0, 1, 0, 1,	8,	\
+T(tso_ts_vlan_l3l4csum,			0, 1, 1, 0, 1, 0, 1,	8,	\
 		TSO_F | TSP_F | VLAN_F | L3L4CSUM_F)			\
-T(tso_ts_vlan_ol3ol4csum,		1, 1, 0, 1, 1, 0,	8,	\
+T(tso_ts_vlan_ol3ol4csum,		0, 1, 1, 0, 1, 1, 0,	8,	\
 		TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F)			\
-T(tso_ts_vlan_ol3ol4csum_l3l4csum,	1, 1, 0, 1, 1, 1,	8,	\
+T(tso_ts_vlan_ol3ol4csum_l3l4csum,	0, 1, 1, 0, 1, 1, 1,	8,	\
 		TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
-T(tso_ts_noff,				1, 1, 1, 0, 0, 0,	8,	\
+T(tso_ts_noff,				0, 1, 1, 1, 0, 0, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F)					\
-T(tso_ts_noff_l3l4csum,			1, 1, 1, 0, 0, 1,	8,	\
+T(tso_ts_noff_l3l4csum,			0, 1, 1, 1, 0, 0, 1,	8,	\
 		TSO_F | TSP_F | NOFF_F | L3L4CSUM_F)			\
-T(tso_ts_noff_ol3ol4csum,		1, 1, 1, 0, 1, 0,	8,	\
+T(tso_ts_noff_ol3ol4csum,		0, 1, 1, 1, 0, 1, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F)			\
-T(tso_ts_noff_ol3ol4csum_l3l4csum,	1, 1, 1, 0, 1, 1,	8,	\
+T(tso_ts_noff_ol3ol4csum_l3l4csum,	0, 1, 1, 1, 0, 1, 1,	8,	\
 		TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
-T(tso_ts_noff_vlan,			1, 1, 1, 1, 0, 0,	8,	\
+T(tso_ts_noff_vlan,			0, 1, 1, 1, 1, 0, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F | VLAN_F)			\
-T(tso_ts_noff_vlan_l3l4csum,		1, 1, 1, 1, 0, 1,	8,	\
+T(tso_ts_noff_vlan_l3l4csum,		0, 1, 1, 1, 1, 0, 1,	8,	\
 		TSO_F | TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)		\
-T(tso_ts_noff_vlan_ol3ol4csum,		1, 1, 1, 1, 1, 0,	8,	\
+T(tso_ts_noff_vlan_ol3ol4csum,		0, 1, 1, 1, 1, 1, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)		\
-T(tso_ts_noff_vlan_ol3ol4csum_l3l4csum,	1, 1, 1, 1, 1, 1,	8,	\
-		TSO_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)
+T(tso_ts_noff_vlan_ol3ol4csum_l3l4csum,	0, 1, 1, 1, 1, 1, 1,	8,	\
+		TSO_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec,					1, 0, 0, 0, 0, 0, 0,	8,	\
+		TX_SEC_F)						\
+T(sec_l3l4csum,				1, 0, 0, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | L3L4CSUM_F)					\
+T(sec_ol3ol4csum,			1, 0, 0, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | OL3OL4CSUM_F)				\
+T(sec_ol3ol4csum_l3l4csum,		1, 0, 0, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | OL3OL4CSUM_F | L3L4CSUM_F)			\
+T(sec_vlan,				1, 0, 0, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | VLAN_F)					\
+T(sec_vlan_l3l4csum,			1, 0, 0, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | VLAN_F | L3L4CSUM_F)				\
+T(sec_vlan_ol3ol4csum,			1, 0, 0, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | VLAN_F | OL3OL4CSUM_F)			\
+T(sec_vlan_ol3ol4csum_l3l4csum,		1, 0, 0, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_noff,				1, 0, 0, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | NOFF_F)					\
+T(sec_noff_l3l4csum,			1, 0, 0, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | NOFF_F | L3L4CSUM_F)				\
+T(sec_noff_ol3ol4csum,			1, 0, 0, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | NOFF_F | OL3OL4CSUM_F)			\
+T(sec_noff_ol3ol4csum_l3l4csum,		1, 0, 0, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_noff_vlan,			1, 0, 0, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F)				\
+T(sec_noff_vlan_l3l4csum,		1, 0, 0, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F | L3L4CSUM_F)		\
+T(sec_noff_vlan_ol3ol4csum,		1, 0, 0, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)		\
+T(sec_noff_vlan_ol3ol4csum_l3l4csum,	1, 0, 0, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_ts,				1, 0, 1, 0, 0, 0, 0,	8,	\
+		TX_SEC_F | TSP_F)					\
+T(sec_ts_l3l4csum,			1, 0, 1, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | L3L4CSUM_F)				\
+T(sec_ts_ol3ol4csum,			1, 0, 1, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | OL3OL4CSUM_F)			\
+T(sec_ts_ol3ol4csum_l3l4csum,		1, 0, 1, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_ts_vlan,				1, 0, 1, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F)				\
+T(sec_ts_vlan_l3l4csum,			1, 0, 1, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F | L3L4CSUM_F)			\
+T(sec_ts_vlan_ol3ol4csum,		1, 0, 1, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F | OL3OL4CSUM_F)		\
+T(sec_ts_vlan_ol3ol4csum_l3l4csum,	1, 0, 1, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_ts_noff,				1, 0, 1, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F)				\
+T(sec_ts_noff_l3l4csum,			1, 0, 1, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | L3L4CSUM_F)			\
+T(sec_ts_noff_ol3ol4csum,		1, 0, 1, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | OL3OL4CSUM_F)		\
+T(sec_ts_noff_ol3ol4csum_l3l4csum,	1, 0, 1, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_ts_noff_vlan,			1, 0, 1, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F)			\
+T(sec_ts_noff_vlan_l3l4csum,		1, 0, 1, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)	\
+T(sec_ts_noff_vlan_ol3ol4csum,		1, 0, 1, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)	\
+T(sec_ts_noff_vlan_ol3ol4csum_l3l4csum,	1, 0, 1, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso,				1, 1, 0, 0, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F)					\
+T(sec_tso_l3l4csum,			1, 1, 0, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | L3L4CSUM_F)				\
+T(sec_tso_ol3ol4csum,			1, 1, 0, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | OL3OL4CSUM_F)			\
+T(sec_tso_ol3ol4csum_l3l4csum,		1, 1, 0, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_tso_vlan,				1, 1, 0, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F)				\
+T(sec_tso_vlan_l3l4csum,		1, 1, 0, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F | L3L4CSUM_F)			\
+T(sec_tso_vlan_ol3ol4csum,		1, 1, 0, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F | OL3OL4CSUM_F)		\
+T(sec_tso_vlan_ol3ol4csum_l3l4csum,	1, 1, 0, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_tso_noff,				1, 1, 0, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F)				\
+T(sec_tso_noff_l3l4csum,		1, 1, 0, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | L3L4CSUM_F)			\
+T(sec_tso_noff_ol3ol4csum,		1, 1, 0, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | OL3OL4CSUM_F)		\
+T(sec_tso_noff_ol3ol4csum_l3l4csum,	1, 1, 0, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_tso_noff_vlan,			1, 1, 0, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F)			\
+T(sec_tso_noff_vlan_l3l4csum,		1, 1, 0, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F | L3L4CSUM_F)	\
+T(sec_tso_noff_vlan_ol3ol4csum,		1, 1, 0, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)	\
+T(sec_tso_noff_vlan_ol3ol4csum_l3l4csum,				\
+					1, 1, 0, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso_ts,				1, 1, 1, 0, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F)				\
+T(sec_tso_ts_l3l4csum,			1, 1, 1, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | L3L4CSUM_F)			\
+T(sec_tso_ts_ol3ol4csum,		1, 1, 1, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | OL3OL4CSUM_F)		\
+T(sec_tso_ts_ol3ol4csum_l3l4csum,	1, 1, 1, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_tso_ts_vlan,			1, 1, 1, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F)			\
+T(sec_tso_ts_vlan_l3l4csum,		1, 1, 1, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F | L3L4CSUM_F)		\
+T(sec_tso_ts_vlan_ol3ol4csum,		1, 1, 1, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F)	\
+T(sec_tso_ts_vlan_ol3ol4csum_l3l4csum,	1, 1, 1, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso_ts_noff,			1, 1, 1, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F)			\
+T(sec_tso_ts_noff_l3l4csum,		1, 1, 1, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | L3L4CSUM_F)		\
+T(sec_tso_ts_noff_ol3ol4csum,		1, 1, 1, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F)	\
+T(sec_tso_ts_noff_ol3ol4csum_l3l4csum,	1, 1, 1, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso_ts_noff_vlan,			1, 1, 1, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F)		\
+T(sec_tso_ts_noff_vlan_l3l4csum,	1, 1, 1, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)\
+T(sec_tso_ts_noff_vlan_ol3ol4csum,	1, 1, 1, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F |		\
+		OL3OL4CSUM_F)						\
+T(sec_tso_ts_noff_vlan_ol3ol4csum_l3l4csum,				\
+					1, 1, 1, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F |		\
+		OL3OL4CSUM_F | L3L4CSUM_F)
 #endif /* __OTX2_TX_H__ */
-- 
2.7.4



* [dpdk-dev] [PATCH v3 14/15] net/octeontx2: add inline Tx path changes
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
                       ` (12 preceding siblings ...)
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 13/15] drivers/octeontx2: add sec in Tx " Anoob Joseph
@ 2020-01-31 10:03     ` Anoob Joseph
  2020-01-31 13:36       ` Akhil Goyal
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 15/15] net/octeontx2: sync inline tag type Anoob Joseph
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
  15 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

From: Ankur Dwivedi <adwivedi@marvell.com>

Adding pre-processing required for inline IPsec outbound packets.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/event/octeontx2/meson.build        |   3 +-
 drivers/event/octeontx2/otx2_worker.h      |   6 +
 drivers/net/octeontx2/otx2_ethdev_sec.c    |  82 +++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.h    |  19 +++
 drivers/net/octeontx2/otx2_ethdev_sec_tx.h | 181 +++++++++++++++++++++++++++++
 5 files changed, 290 insertions(+), 1 deletion(-)
 create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec_tx.h

diff --git a/drivers/event/octeontx2/meson.build b/drivers/event/octeontx2/meson.build
index 56febb8..be4b47a 100644
--- a/drivers/event/octeontx2/meson.build
+++ b/drivers/event/octeontx2/meson.build
@@ -31,6 +31,7 @@ foreach flag: extra_flags
 	endif
 endforeach
 
-deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2', 'pmd_octeontx2']
+deps += ['bus_pci', 'common_octeontx2', 'cryptodev', 'mempool_octeontx2', 'pmd_octeontx2',
+         'security']
 
 includes += include_directories('../../crypto/octeontx2')
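
Review bot: the deps line gains 'cryptodev' and 'security' for the event
driver, but the diffstat of this patch lists no change to
drivers/event/octeontx2/Makefile, so the make-based build does not get the
matching link dependencies. Add the corresponding LDLIBS entries in the same
patch so this commit builds with both systems, and note in the commit message
that the dependency comes from otx2_worker.h now including
otx2_ethdev_sec_tx.h.
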
diff --git a/drivers/event/octeontx2/otx2_worker.h b/drivers/event/octeontx2/otx2_worker.h
index 7d161c8..5f5aa87 100644
--- a/drivers/event/octeontx2/otx2_worker.h
+++ b/drivers/event/octeontx2/otx2_worker.h
@@ -10,6 +10,7 @@
 
 #include <otx2_common.h>
 #include "otx2_evdev.h"
+#include "otx2_ethdev_sec_tx.h"
 
 /* SSO Operations */
 
@@ -281,6 +282,11 @@ otx2_ssogws_event_tx(struct otx2_ssogws *ws, struct rte_event ev[],
 	const struct otx2_eth_txq *txq = otx2_ssogws_xtract_meta(m);
 
 	rte_prefetch_non_temporal(txq);
+
+	if ((flags & NIX_TX_OFFLOAD_SECURITY_F) &&
+	    (m->ol_flags & PKT_TX_SEC_OFFLOAD))
+		return otx2_sec_event_tx(ws, ev, m, txq, flags);
+
 	/* Perform header writes before barrier for TSO */
 	otx2_nix_xmit_prepare_tso(m, flags);
 	otx2_ssogws_order(ws, !ev->sched_type);
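
Review bot: the early return in otx2_ssogws_event_tx() skips both
otx2_nix_xmit_prepare_tso() and otx2_ssogws_order(ws, !ev->sched_type), so
ordering for security packets depends entirely on what otx2_sec_event_tx()
does internally, and a packet that carries PKT_TX_SEC_OFFLOAD together with a
TSO request loses TSO without any error. Add a comment here saying the inline
path does its own head wait, and either reject the SEC plus TSO combination
or document it as unsupported, since the fastpath table in the previous patch
does generate sec_tso_* variants.
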
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index 4b219b3..9ea0dc4 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -3,12 +3,15 @@
  */
 
 #include <rte_cryptodev.h>
+#include <rte_esp.h>
 #include <rte_ethdev.h>
 #include <rte_eventdev.h>
+#include <rte_ip.h>
 #include <rte_malloc.h>
 #include <rte_memzone.h>
 #include <rte_security.h>
 #include <rte_security_driver.h>
+#include <rte_udp.h>
 
 #include "otx2_common.h"
 #include "otx2_cryptodev_qp.h"
@@ -19,6 +22,15 @@
 
 #define ETH_SEC_MAX_PKT_LEN	1450
 
+#define AH_HDR_LEN	12
+#define AES_GCM_IV_LEN	8
+#define AES_GCM_MAC_LEN	16
+#define AES_CBC_IV_LEN	16
+#define SHA1_HMAC_LEN	12
+
+#define AES_GCM_ROUNDUP_BYTE_LEN	4
+#define AES_CBC_ROUNDUP_BYTE_LEN	16
+
 struct eth_sec_tag_const {
 	RTE_STD_C11
 	union {
@@ -215,6 +227,60 @@ in_sa_get(uint16_t port, int sa_index)
 }
 
 static int
+ipsec_sa_const_set(struct rte_security_ipsec_xform *ipsec,
+		   struct rte_crypto_sym_xform *xform,
+		   struct otx2_sec_session_ipsec_ip *sess)
+{
+	struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
+
+	sess->partial_len = sizeof(struct rte_ipv4_hdr);
+
+	if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) {
+		sess->partial_len += sizeof(struct rte_esp_hdr);
+		sess->roundup_len = sizeof(struct rte_esp_tail);
+	} else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) {
+		sess->partial_len += AH_HDR_LEN;
+	} else {
+		return -EINVAL;
+	}
+
+	if (ipsec->options.udp_encap)
+		sess->partial_len += sizeof(struct rte_udp_hdr);
+
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+			sess->partial_len += AES_GCM_IV_LEN;
+			sess->partial_len += AES_GCM_MAC_LEN;
+			sess->roundup_byte = AES_GCM_ROUNDUP_BYTE_LEN;
+		}
+		return 0;
+	}
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		cipher_xform = xform;
+		auth_xform = xform->next;
+	} else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		auth_xform = xform;
+		cipher_xform = xform->next;
+	} else {
+		return -EINVAL;
+	}
+	if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		sess->partial_len += AES_CBC_IV_LEN;
+		sess->roundup_byte = AES_CBC_ROUNDUP_BYTE_LEN;
+	} else {
+		return -EINVAL;
+	}
+
+	if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+		sess->partial_len += SHA1_HMAC_LEN;
+	else
+		return -EINVAL;
+
+	return 0;
+}
+
+static int
 hmac_init(struct otx2_ipsec_fp_sa_ctl *ctl, struct otx2_cpt_qp *qp,
 	  const uint8_t *auth_key, int len, uint8_t *hmac_key)
 {
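
Review bot: in ipsec_sa_const_set() the AEAD branch returns 0 even when
xform->aead.algo is not RTE_CRYPTO_AEAD_AES_GCM, so such a session is accepted
with sess->roundup_byte left unset; return -EINVAL there, as the cipher and
auth branches already do. The chained case also uses xform->next (as
auth_xform or cipher_xform) without a NULL check and reads .cipher.algo and
.auth.algo without checking xform->type, so a single-xform or mis-ordered
chain is not rejected cleanly. partial_len starts from
sizeof(struct rte_ipv4_hdr) unconditionally; if IPv6 tunnels are not supported
on this path, reject them here or say so in a comment.
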
@@ -300,6 +366,7 @@ eth_sec_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 	struct otx2_ipsec_fp_sa_ctl *ctl;
 	struct otx2_ipsec_fp_out_sa *sa;
 	struct otx2_sec_session *priv;
+	struct otx2_cpt_inst_s inst;
 	struct otx2_cpt_qp *qp;
 
 	priv = get_sec_session_private_data(sec_sess);
@@ -314,6 +381,12 @@ eth_sec_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 
 	memset(sess, 0, sizeof(struct otx2_sec_session_ipsec_ip));
 
+	sess->seq = 1;
+
+	ret = ipsec_sa_const_set(ipsec, crypto_xform, sess);
+	if (ret < 0)
+		return ret;
+
 	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
 		memcpy(sa->nonce, &ipsec->salt, 4);
 
@@ -323,6 +396,9 @@ eth_sec_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 	}
 
 	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		/* Start ip id from 1 */
+		sess->ip_id = 1;
+
 		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
 			memcpy(&sa->ip_src, &ipsec->tunnel.ipv4.src_ip,
 			       sizeof(struct in_addr));
@@ -357,6 +433,12 @@ eth_sec_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 	else
 		return -EINVAL;
 
+	/* Determine word 7 of CPT instruction */
+	inst.u64[7] = 0;
+	inst.egrp = OTX2_CPT_EGRP_INLINE_IPSEC;
+	inst.cptr = rte_mempool_virt2iova(sa);
+	sess->inst_w7 = inst.u64[7];
+
 	/* Get CPT QP to be used for this SA */
 	ret = otx2_sec_idev_tx_cpt_qp_get(port, &qp);
 	if (ret)
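
Review bot: inst.cptr = rte_mempool_virt2iova(sa) is only correct when sa is
the start of a mempool element, because rte_mempool_virt2iova() reads the IOVA
from the object header placed immediately before the pointer it is given. The
Tx header in this patch obtains sa as &sess->out_sa, a member of the session
private data, so please add a comment or a build-time check that out_sa sits
at offset 0 of that object, or compute the IOVA from the element base plus the
member offset. inst is also an uninitialised stack variable here; zeroing only
u64[7] is enough for this use, but a one-line comment would save the next
reader from checking.
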
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.h b/drivers/net/octeontx2/otx2_ethdev_sec.h
index 87342ef..783e41d 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.h
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.h
@@ -10,9 +10,13 @@
 #include "otx2_ipsec_fp.h"
 
 #define OTX2_CPT_RES_ALIGN		16
+#define OTX2_NIX_SEND_DESC_ALIGN	16
+#define OTX2_CPT_INST_SIZE		64
 
 #define OTX2_CPT_EGRP_INLINE_IPSEC	1
 
+#define OTX2_CPT_OP_INLINE_IPSEC_OUTB		(0x40 | 0x25)
+#define OTX2_CPT_OP_INLINE_IPSEC_INB		(0x40 | 0x26)
 #define OTX2_CPT_OP_WRITE_HMAC_IPAD_OPAD	(0x40 | 0x27)
 
 #define OTX2_SEC_CPT_COMP_GOOD	0x1
@@ -93,6 +97,21 @@ struct otx2_sec_session_ipsec_ip {
 	/* CPT LF enqueue register address */
 	rte_iova_t cpt_nq_reg;
 
+	/* Pre calculated lengths and data for a session */
+	uint8_t partial_len;
+	uint8_t roundup_len;
+	uint8_t roundup_byte;
+	uint16_t ip_id;
+	union {
+		uint64_t esn;
+		struct {
+			uint32_t seq;
+			uint32_t esn_hi;
+		};
+	};
+
+	uint64_t inst_w7;
+
 	/* CPT QP used by SA */
 	struct otx2_cpt_qp *qp;
 };
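
Review bot: the anonymous union that overlays esn with { seq; esn_hi } gives
seq the low 32 bits only on a little-endian target, and the Tx path depends on
that when it does sess->esn++ and then reads sess->seq and sess->esn_hi.
Document the byte-order assumption next to the union or guard it with a
build-time check. These fields are written per packet, so a comment on what
serialises updates when one session is used from several workers would also
help.
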
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec_tx.h b/drivers/net/octeontx2/otx2_ethdev_sec_tx.h
new file mode 100644
index 0000000..4f10eb7
--- /dev/null
+++ b/drivers/net/octeontx2/otx2_ethdev_sec_tx.h
@@ -0,0 +1,181 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2020 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_ETHDEV_SEC_TX_H__
+#define __OTX2_ETHDEV_SEC_TX_H__
+
+#include <rte_security.h>
+#include <rte_mbuf.h>
+
+#include "otx2_ethdev_sec.h"
+
+struct otx2_ipsec_fp_out_hdr {
+	uint32_t ip_id;
+	uint32_t seq;
+	uint8_t iv[16];
+};
+
+static __rte_always_inline int32_t
+otx2_ipsec_fp_out_rlen_get(struct otx2_sec_session_ipsec_ip *sess,
+			   uint32_t plen)
+{
+	uint32_t enc_payload_len;
+
+	enc_payload_len = RTE_ALIGN_CEIL(plen + sess->roundup_len,
+			sess->roundup_byte);
+
+	return sess->partial_len + enc_payload_len;
+}
+
+static __rte_always_inline void
+otx2_ssogws_head_wait(struct otx2_ssogws *ws);
+
+static __rte_always_inline int
+otx2_sec_event_tx(struct otx2_ssogws *ws, struct rte_event *ev,
+		  struct rte_mbuf *m, const struct otx2_eth_txq *txq,
+		  const uint32_t offload_flags)
+{
+	uint32_t dlen, rlen, desc_headroom, extend_head, extend_tail;
+	struct otx2_sec_session_ipsec_ip *sess;
+	struct otx2_ipsec_fp_out_hdr *hdr;
+	struct otx2_ipsec_fp_out_sa *sa;
+	uint64_t data_addr, desc_addr;
+	struct otx2_sec_session *priv;
+	struct otx2_cpt_inst_s inst;
+	uint64_t lmt_status;
+	char *data;
+
+	struct desc {
+		struct otx2_cpt_res cpt_res __rte_aligned(OTX2_CPT_RES_ALIGN);
+		struct nix_send_hdr_s nix_hdr
+				__rte_aligned(OTX2_NIX_SEND_DESC_ALIGN);
+		union nix_send_sg_s nix_sg;
+		struct nix_iova_s nix_iova;
+	} *sd;
+
+	priv = get_sec_session_private_data((void *)(m->udata64));
+	sess = &priv->ipsec.ip;
+	sa = &sess->out_sa;
+
+	RTE_ASSERT(sess->cpt_lmtline != NULL);
+	RTE_ASSERT(!(offload_flags & (NIX_TX_OFFLOAD_MBUF_NOFF_F |
+				      NIX_TX_OFFLOAD_VLAN_QINQ)));
+
+	dlen = rte_pktmbuf_pkt_len(m) + sizeof(*hdr) - RTE_ETHER_HDR_LEN;
+	rlen = otx2_ipsec_fp_out_rlen_get(sess, dlen - sizeof(*hdr));
+
+	RTE_BUILD_BUG_ON(OTX2_CPT_RES_ALIGN % OTX2_NIX_SEND_DESC_ALIGN);
+	RTE_BUILD_BUG_ON(sizeof(sd->cpt_res) % OTX2_NIX_SEND_DESC_ALIGN);
+
+	extend_head = sizeof(*hdr);
+	extend_tail = rlen - dlen;
+
+	desc_headroom = (OTX2_CPT_RES_ALIGN - 1) + sizeof(*sd);
+
+	if (unlikely(!rte_pktmbuf_is_contiguous(m)) ||
+	    unlikely(rte_pktmbuf_headroom(m) < extend_head + desc_headroom) ||
+	    unlikely(rte_pktmbuf_tailroom(m) < extend_tail)) {
+		goto drop;
+	}
+
+	/*
+	 * Extend mbuf data to point to the expected packet buffer for NIX.
+	 * This includes the Ethernet header followed by the encrypted IPsec
+	 * payload
+	 */
+	rte_pktmbuf_append(m, extend_tail);
+	data = rte_pktmbuf_prepend(m, extend_head);
+	data_addr = rte_pktmbuf_mtophys(m);
+
+	/*
+	 * Move the Ethernet header, to insert otx2_ipsec_fp_out_hdr prior
+	 * to the IP header
+	 */
+	memcpy(data, data + sizeof(*hdr), RTE_ETHER_HDR_LEN);
+
+	hdr = (struct otx2_ipsec_fp_out_hdr *)(data + RTE_ETHER_HDR_LEN);
+
+	if (sa->ctl.enc_type == OTX2_IPSEC_FP_SA_ENC_AES_GCM) {
+		/* AES-128-GCM */
+		memcpy(hdr->iv, &sa->nonce, 4);
+		memset(hdr->iv + 4, 0, 12); //TODO: make it random
+	} else {
+		/* AES-128-[CBC] + [SHA1] */
+		memset(hdr->iv, 0, 16); //TODO: make it random
+	}
+
+	/* Keep CPT result and NIX send descriptors in headroom */
+	sd = (void *)RTE_PTR_ALIGN(data - desc_headroom, OTX2_CPT_RES_ALIGN);
+	desc_addr = data_addr - RTE_PTR_DIFF(data, sd);
+
+	/* Prepare CPT instruction */
+
+	inst.nixtx_addr = (desc_addr + offsetof(struct desc, nix_hdr)) >> 4;
+	inst.doneint = 0;
+	inst.nixtxl = 1;
+	inst.res_addr = desc_addr + offsetof(struct desc, cpt_res);
+	inst.u64[2] = 0;
+	inst.u64[3] = 0;
+	inst.wqe_ptr = desc_addr >> 3;	/* FIXME: Handle errors */
+	inst.qord = 1;
+	inst.opcode = OTX2_CPT_OP_INLINE_IPSEC_OUTB;
+	inst.dlen = dlen;
+	inst.dptr = data_addr + RTE_ETHER_HDR_LEN;
+	inst.u64[7] = sess->inst_w7;
+
+	/* First word contains 8 bit completion code & 8 bit uc comp code */
+	sd->cpt_res.u16[0] = 0;
+
+	/* Prepare NIX send descriptors for output expected from CPT */
+
+	sd->nix_hdr.w0.u = 0;
+	sd->nix_hdr.w1.u = 0;
+	sd->nix_hdr.w0.sq = txq->sq;
+	sd->nix_hdr.w0.sizem1 = 1;
+	sd->nix_hdr.w0.total = rte_pktmbuf_data_len(m);
+	sd->nix_hdr.w0.aura = npa_lf_aura_handle_to_aura(m->pool->pool_id);
+
+	sd->nix_sg.u = 0;
+	sd->nix_sg.subdc = NIX_SUBDC_SG;
+	sd->nix_sg.ld_type = NIX_SENDLDTYPE_LDD;
+	sd->nix_sg.segs = 1;
+	sd->nix_sg.seg1_size = rte_pktmbuf_data_len(m);
+
+	sd->nix_iova.addr = rte_mbuf_data_iova(m);
+
+	/* Mark mempool object as "put" since it is freed by NIX */
+	__mempool_check_cookies(m->pool, (void **)&m, 1, 0);
+
+	if (!ev->sched_type)
+		otx2_ssogws_head_wait(ws);
+
+	inst.param1 = sess->esn_hi >> 16;
+	inst.param2 = sess->esn_hi & 0xffff;
+
+	hdr->seq = rte_cpu_to_be_32(sess->seq);
+	hdr->ip_id = rte_cpu_to_be_32(sess->ip_id);
+
+	sess->ip_id++;
+	sess->esn++;
+
+	rte_cio_wmb();
+
+	do {
+		otx2_lmt_mov(sess->cpt_lmtline, &inst, 2);
+		lmt_status = otx2_lmt_submit(sess->cpt_nq_reg);
+	} while (lmt_status == 0);
+
+	return 1;
+
+drop:
+	if (offload_flags & NIX_TX_OFFLOAD_MBUF_NOFF_F) {
+		/* Don't free if reference count > 1 */
+		if (rte_pktmbuf_prefree_seg(m) == NULL)
+			return 0;
+	}
+	rte_pktmbuf_free(m);
+	return 0;
+}
+
+#endif /* __OTX2_ETHDEV_SEC_TX_H__ */
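
Review bot: the IV written to hdr->iv in otx2_sec_event_tx() is the same for
every packet as the code stands: the GCM branch copies the salt and then does
memset(hdr->iv + 4, 0, 12), and the CBC branch does memset(hdr->iv, 0, 16),
both marked TODO. AES-GCM must never repeat a nonce under one key and CBC
needs an unpredictable IV, so this should be resolved before the path is
enabled, for example by deriving the GCM IV from a per-SA counter (the
sequence number is already at hand) and using a random IV for CBC.
Separately, the drop label tests NIX_TX_OFFLOAD_MBUF_NOFF_F although the
RTE_ASSERT above states that flag is never set on this path, and inst is a
stack variable that is only partly assigned before otx2_lmt_mov() copies it
out; zero-initialising it avoids handing stale stack contents to the device.
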
-- 
2.7.4



* [dpdk-dev] [PATCH v3 15/15] net/octeontx2: sync inline tag type
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
                       ` (13 preceding siblings ...)
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 14/15] net/octeontx2: add inline Tx path changes Anoob Joseph
@ 2020-01-31 10:03     ` Anoob Joseph
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 10:03 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Vamsi Attunuru, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Lukasz Bartosik, dev

From: Vamsi Attunuru <vattunuru@marvell.com>

Tag type configuration for the inline processed packets is set during
ethdev configuration; it might conflict with the tag type configuration
done during Rx adapter configuration, which would be set up later.

This conflict is fixed as part of flow rule creation by updating the
inline tag type config to match the tag type configured by the Rx adapter.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/net/octeontx2/otx2_ethdev_sec.c | 28 ++++++++++++++++++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.h |  2 ++
 drivers/net/octeontx2/otx2_flow.c       | 26 ++++++++++++++++++++++++++
 3 files changed, 56 insertions(+)

diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index 9ea0dc4..3858218 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -754,6 +754,34 @@ eth_sec_ipsec_cfg(struct rte_eth_dev *eth_dev, uint8_t tt)
 }
 
 int
+otx2_eth_sec_update_tag_type(struct rte_eth_dev *eth_dev)
+{
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	struct otx2_mbox *mbox = dev->mbox;
+	struct nix_aq_enq_rsp *rsp;
+	struct nix_aq_enq_req *aq;
+	int ret;
+
+	aq = otx2_mbox_alloc_msg_nix_aq_enq(mbox);
+	aq->qidx = 0; /* Read RQ:0 context */
+	aq->ctype = NIX_AQ_CTYPE_RQ;
+	aq->op = NIX_AQ_INSTOP_READ;
+
+	ret = otx2_mbox_process_msg(mbox, (void *)&rsp);
+	if (ret < 0) {
+		otx2_err("Could not read RQ context");
+		return ret;
+	}
+
+	/* Update tag type */
+	ret = eth_sec_ipsec_cfg(eth_dev, rsp->rq.sso_tt);
+	if (ret < 0)
+		otx2_err("Could not update sec eth tag type");
+
+	return ret;
+}
+
+int
 otx2_eth_sec_init(struct rte_eth_dev *eth_dev)
 {
 	const size_t sa_width = sizeof(struct otx2_ipsec_fp_in_sa);
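
Review bot: otx2_eth_sec_update_tag_type() writes aq->qidx without checking
the return of otx2_mbox_alloc_msg_nix_aq_enq() for NULL. It also reads only
RQ 0 and applies rsp->rq.sso_tt to the whole port, which assumes every Rx
queue was configured with the same tag type; state that assumption in a
comment or verify it across queues.
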
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.h b/drivers/net/octeontx2/otx2_ethdev_sec.h
index 783e41d..e24358a 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.h
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.h
@@ -130,6 +130,8 @@ int otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev);
 
 void otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev);
 
+int otx2_eth_sec_update_tag_type(struct rte_eth_dev *eth_dev);
+
 int otx2_eth_sec_init(struct rte_eth_dev *eth_dev);
 
 void otx2_eth_sec_fini(struct rte_eth_dev *eth_dev);
diff --git a/drivers/net/octeontx2/otx2_flow.c b/drivers/net/octeontx2/otx2_flow.c
index f1fb9f9..13a76e4 100644
--- a/drivers/net/octeontx2/otx2_flow.c
+++ b/drivers/net/octeontx2/otx2_flow.c
@@ -3,6 +3,7 @@
  */
 
 #include "otx2_ethdev.h"
+#include "otx2_ethdev_sec.h"
 #include "otx2_flow.h"
 
 int
@@ -299,6 +300,21 @@ flow_free_rss_action(struct rte_eth_dev *eth_dev,
 	return 0;
 }
 
+static int
+flow_update_sec_tt(struct rte_eth_dev *eth_dev,
+		   const struct rte_flow_action actions[])
+{
+	int rc = 0;
+
+	for (; actions->type != RTE_FLOW_ACTION_TYPE_END; actions++) {
+		if (actions->type == RTE_FLOW_ACTION_TYPE_SECURITY) {
+			rc = otx2_eth_sec_update_tag_type(eth_dev);
+			break;
+		}
+	}
+
+	return rc;
+}
 
 static int
 flow_parse_meta_items(__rte_unused struct otx2_parse_state *pst)
@@ -491,6 +507,16 @@ otx2_flow_create(struct rte_eth_dev *dev,
 		goto err_exit;
 	}
 
+	if (hw->rx_offloads & DEV_RX_OFFLOAD_SECURITY) {
+		rc = flow_update_sec_tt(dev, actions);
+		if (rc != 0) {
+			rte_flow_error_set(error, EIO,
+					   RTE_FLOW_ERROR_TYPE_UNSPECIFIED,
+					   NULL,
+					   "Failed to update tt with sec act");
+			goto err_exit;
+		}
+	}
 
 	list = &hw->npc_flow.flow_list[flow->priority];
 	/* List in ascending order of mcam entries */
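
Review bot: the tag type sync in otx2_flow_create() runs only when a flow
with a SECURITY action is created, so it resolves the conflict described in
the commit message only if the Rx adapter is already configured at that
point; an adapter queue added or reconfigured afterwards leaves the inline
tag type stale again. Document the required ordering or trigger the update
from the Rx adapter path as well. The error path reports a fixed EIO and
drops rc, and each such flow create costs a mailbox RQ read, so consider
propagating rc and caching the last synced tag type.
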
-- 
2.7.4



* Re: [dpdk-dev] [PATCH v3 14/15] net/octeontx2: add inline Tx path changes
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 14/15] net/octeontx2: add inline Tx path changes Anoob Joseph
@ 2020-01-31 13:36       ` Akhil Goyal
  2020-01-31 15:33         ` Anoob Joseph
  0 siblings, 1 reply; 111+ messages in thread
From: Akhil Goyal @ 2020-01-31 13:36 UTC (permalink / raw)
  To: Anoob Joseph, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Archana Muniganti,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dev

Hi Anoob,

> 
> From: Ankur Dwivedi <adwivedi@marvell.com>
> 
> Adding pre-processing required for inline IPsec outbound packets.
> 
> Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Archana Muniganti <marchana@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> ---
>  drivers/event/octeontx2/meson.build        |   3 +-
>  drivers/event/octeontx2/otx2_worker.h      |   6 +
>  drivers/net/octeontx2/otx2_ethdev_sec.c    |  82 +++++++++++++
>  drivers/net/octeontx2/otx2_ethdev_sec.h    |  19 +++
>  drivers/net/octeontx2/otx2_ethdev_sec_tx.h | 181
> +++++++++++++++++++++++++++++
>  5 files changed, 290 insertions(+), 1 deletion(-)
>  create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec_tx.h
> 
> diff --git a/drivers/event/octeontx2/meson.build
> b/drivers/event/octeontx2/meson.build
> index 56febb8..be4b47a 100644
> --- a/drivers/event/octeontx2/meson.build
> +++ b/drivers/event/octeontx2/meson.build
> @@ -31,6 +31,7 @@ foreach flag: extra_flags
>  	endif
>  endforeach
> 
> -deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2',
> 'pmd_octeontx2']
> +deps += ['bus_pci', 'common_octeontx2', 'cryptodev', 'mempool_octeontx2',
> 'pmd_octeontx2',
> +         'security']
> 
>  includes += include_directories('../../crypto/octeontx2')


Why would you need cryptodev in event driver meson.build?
If you really need it, then why only in meson.build? The Makefile should also have some change.

Please make sure that all individual patches compile for both meson and Makefile.
I have not run the test yet. Will run it on Monday.

Regards,
Akhil


* Re: [dpdk-dev] [PATCH v3 11/15] net/octeontx2: add inline ipsec Rx path changes
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 11/15] net/octeontx2: add inline ipsec Rx path changes Anoob Joseph
@ 2020-01-31 13:39       ` Akhil Goyal
  2020-01-31 15:05         ` Anoob Joseph
  0 siblings, 1 reply; 111+ messages in thread
From: Akhil Goyal @ 2020-01-31 13:39 UTC (permalink / raw)
  To: Anoob Joseph, Declan Doherty, Thomas Monjalon
  Cc: Tejasree Kondoj, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Vamsi Attunuru, Lukasz Bartosik, dev

Hi Anoob,
> 
> From: Tejasree Kondoj <ktejasree@marvell.com>
> 
> Adding post-processing required for inline IPsec inbound packets.
> 
> Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Archana Muniganti <marchana@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> ---
>  drivers/crypto/octeontx2/Makefile    |  3 +-
>  drivers/crypto/octeontx2/meson.build |  2 +
>  drivers/event/octeontx2/Makefile     |  1 +
>  drivers/event/octeontx2/meson.build  |  2 +
>  drivers/net/octeontx2/otx2_rx.h      | 73
> ++++++++++++++++++++++++++++++++++++
>  5 files changed, 80 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/crypto/octeontx2/Makefile
> b/drivers/crypto/octeontx2/Makefile
> index 3ba67ed..1458e2b 100644
> --- a/drivers/crypto/octeontx2/Makefile
> +++ b/drivers/crypto/octeontx2/Makefile
> @@ -11,7 +11,7 @@ LIB = librte_pmd_octeontx2_crypto.a
>  CFLAGS += $(WERROR_FLAGS)
> 
>  LDLIBS += -lrte_eal -lrte_ethdev -lrte_mbuf -lrte_mempool -lrte_ring
> -LDLIBS += -lrte_cryptodev
> +LDLIBS += -lrte_cryptodev -lrte_security
>  LDLIBS += -lrte_pci -lrte_bus_pci
>  LDLIBS += -lrte_common_cpt -lrte_common_octeontx2
> 
> @@ -20,6 +20,7 @@ VPATH += $(RTE_SDK)/drivers/crypto/octeontx2
>  CFLAGS += -O3
>  CFLAGS += -I$(RTE_SDK)/drivers/common/cpt
>  CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
> +CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2

Why do you need to include self path for the driver?

>  CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
>  CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
>  CFLAGS += -DALLOW_EXPERIMENTAL_API
> diff --git a/drivers/crypto/octeontx2/meson.build
> b/drivers/crypto/octeontx2/meson.build
> index 67deca3..a531799 100644
> --- a/drivers/crypto/octeontx2/meson.build
> +++ b/drivers/crypto/octeontx2/meson.build
> @@ -9,6 +9,7 @@ deps += ['bus_pci']
>  deps += ['common_cpt']
>  deps += ['common_octeontx2']
>  deps += ['ethdev']
> +deps += ['security']
>  name = 'octeontx2_crypto'
> 
>  allow_experimental_apis = true
> @@ -32,5 +33,6 @@ endforeach
> 
>  includes += include_directories('../../common/cpt')
>  includes += include_directories('../../common/octeontx2')
> +includes += include_directories('../../crypto/octeontx2')

Same here.

>  includes += include_directories('../../mempool/octeontx2')
>  includes += include_directories('../../net/octeontx2')
> diff --git a/drivers/event/octeontx2/Makefile
> b/drivers/event/octeontx2/Makefile
> index 6dab69c..bcd22ee 100644
> --- a/drivers/event/octeontx2/Makefile
> +++ b/drivers/event/octeontx2/Makefile
> @@ -11,6 +11,7 @@ LIB = librte_pmd_octeontx2_event.a
> 
>  CFLAGS += $(WERROR_FLAGS)
>  CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
> +CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2
>  CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
>  CFLAGS += -I$(RTE_SDK)/drivers/event/octeontx2
>  CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
> diff --git a/drivers/event/octeontx2/meson.build
> b/drivers/event/octeontx2/meson.build
> index 807818b..56febb8 100644
> --- a/drivers/event/octeontx2/meson.build
> +++ b/drivers/event/octeontx2/meson.build
> @@ -32,3 +32,5 @@ foreach flag: extra_flags
>  endforeach
> 
>  deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2',
> 'pmd_octeontx2']
> +
> +includes += include_directories('../../crypto/octeontx2')



* Re: [dpdk-dev] [PATCH v3 11/15] net/octeontx2: add inline ipsec Rx path changes
  2020-01-31 13:39       ` Akhil Goyal
@ 2020-01-31 15:05         ` Anoob Joseph
  0 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 15:05 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Tejasree Kondoj, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Ankur Dwivedi, Archana Muniganti, Vamsi Krishna Attunuru,
	Lukas Bartosik, dev

Hi Akhil,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Akhil Goyal
> Sent: Friday, January 31, 2020 7:09 PM
> To: Anoob Joseph <anoobj@marvell.com>; Declan Doherty
> <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>
> Cc: Tejasree Kondoj <ktejasree@marvell.com>; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> <pbhagavatula@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>;
> Archana Muniganti <marchana@marvell.com>; Vamsi Krishna Attunuru
> <vattunuru@marvell.com>; Lukas Bartosik <lbartosik@marvell.com>;
> dev@dpdk.org
> Subject: Re: [dpdk-dev] [PATCH v3 11/15] net/octeontx2: add inline ipsec Rx
> path changes
> 
> Hi Anoob,
> >
> > From: Tejasree Kondoj <ktejasree@marvell.com>
> >
> > Adding post-processing required for inline IPsec inbound packets.
> >
> > Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> > Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> > ---
> >  drivers/crypto/octeontx2/Makefile    |  3 +-
> >  drivers/crypto/octeontx2/meson.build |  2 +
> >  drivers/event/octeontx2/Makefile     |  1 +
> >  drivers/event/octeontx2/meson.build  |  2 +
> >  drivers/net/octeontx2/otx2_rx.h      | 73
> > ++++++++++++++++++++++++++++++++++++
> >  5 files changed, 80 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/crypto/octeontx2/Makefile
> > b/drivers/crypto/octeontx2/Makefile
> > index 3ba67ed..1458e2b 100644
> > --- a/drivers/crypto/octeontx2/Makefile
> > +++ b/drivers/crypto/octeontx2/Makefile
> > @@ -11,7 +11,7 @@ LIB = librte_pmd_octeontx2_crypto.a  CFLAGS +=
> > $(WERROR_FLAGS)
> >
> >  LDLIBS += -lrte_eal -lrte_ethdev -lrte_mbuf -lrte_mempool -lrte_ring
> > -LDLIBS += -lrte_cryptodev
> > +LDLIBS += -lrte_cryptodev -lrte_security
> >  LDLIBS += -lrte_pci -lrte_bus_pci
> >  LDLIBS += -lrte_common_cpt -lrte_common_octeontx2
> >
> > @@ -20,6 +20,7 @@ VPATH += $(RTE_SDK)/drivers/crypto/octeontx2
> >  CFLAGS += -O3
> >  CFLAGS += -I$(RTE_SDK)/drivers/common/cpt  CFLAGS +=
> > -I$(RTE_SDK)/drivers/common/octeontx2
> > +CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2
> 
> Why do you need to include self path for the driver?

[Anoob] Well this is interesting. I cannot explain this but when I'm building otx2_cryptodev*.c files which include otx2_ethdev_sec.h, it's throwing an error that otx2_ipsec_fp.h is not found (in case of shared build and meson, I guess). The file otx2_ethdev_sec.h is in net/octeontx2 and it includes otx2_ipsec_fp.h which is in crypto/octeontx2.

I'll cross check and let you know if it's needed in both Makefile & meson.
 
> 
> >  CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
> >  CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
> >  CFLAGS += -DALLOW_EXPERIMENTAL_API
> > diff --git a/drivers/crypto/octeontx2/meson.build
> > b/drivers/crypto/octeontx2/meson.build
> > index 67deca3..a531799 100644
> > --- a/drivers/crypto/octeontx2/meson.build
> > +++ b/drivers/crypto/octeontx2/meson.build
> > @@ -9,6 +9,7 @@ deps += ['bus_pci']
> >  deps += ['common_cpt']
> >  deps += ['common_octeontx2']
> >  deps += ['ethdev']
> > +deps += ['security']
> >  name = 'octeontx2_crypto'
> >
> >  allow_experimental_apis = true
> > @@ -32,5 +33,6 @@ endforeach
> >
> >  includes += include_directories('../../common/cpt')
> >  includes += include_directories('../../common/octeontx2')
> > +includes += include_directories('../../crypto/octeontx2')
> 
> Same here.
> 
> >  includes += include_directories('../../mempool/octeontx2')
> >  includes += include_directories('../../net/octeontx2')
> > diff --git a/drivers/event/octeontx2/Makefile
> > b/drivers/event/octeontx2/Makefile
> > index 6dab69c..bcd22ee 100644
> > --- a/drivers/event/octeontx2/Makefile
> > +++ b/drivers/event/octeontx2/Makefile
> > @@ -11,6 +11,7 @@ LIB = librte_pmd_octeontx2_event.a
> >
> >  CFLAGS += $(WERROR_FLAGS)
> >  CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
> > +CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2
> >  CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
> >  CFLAGS += -I$(RTE_SDK)/drivers/event/octeontx2
> >  CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
> > diff --git a/drivers/event/octeontx2/meson.build
> > b/drivers/event/octeontx2/meson.build
> > index 807818b..56febb8 100644
> > --- a/drivers/event/octeontx2/meson.build
> > +++ b/drivers/event/octeontx2/meson.build
> > @@ -32,3 +32,5 @@ foreach flag: extra_flags  endforeach
> >
> >  deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2',
> > 'pmd_octeontx2']
> > +
> > +includes += include_directories('../../crypto/octeontx2')



* Re: [dpdk-dev] [PATCH v3 14/15] net/octeontx2: add inline Tx path changes
  2020-01-31 13:36       ` Akhil Goyal
@ 2020-01-31 15:33         ` Anoob Joseph
  2020-02-01  9:35           ` Anoob Joseph
  0 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2020-01-31 15:33 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Archana Muniganti, Tejasree Kondoj, Vamsi Krishna Attunuru,
	Lukas Bartosik, dev

Hi Akhil,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Akhil Goyal <akhil.goyal@nxp.com>
> Sent: Friday, January 31, 2020 7:06 PM
> To: Anoob Joseph <anoobj@marvell.com>; Declan Doherty
> <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>
> Cc: Ankur Dwivedi <adwivedi@marvell.com>; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> <pbhagavatula@marvell.com>; Archana Muniganti <marchana@marvell.com>;
> Tejasree Kondoj <ktejasree@marvell.com>; Vamsi Krishna Attunuru
> <vattunuru@marvell.com>; Lukas Bartosik <lbartosik@marvell.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [PATCH v3 14/15] net/octeontx2: add inline Tx path changes
> 
> External Email
> 
> ----------------------------------------------------------------------
> Hi Anoob,
> 
> >
> > From: Ankur Dwivedi <adwivedi@marvell.com>
> >
> > Adding pre-processing required for inline IPsec outbound packets.
> >
> > Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> > Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> > ---
> >  drivers/event/octeontx2/meson.build        |   3 +-
> >  drivers/event/octeontx2/otx2_worker.h      |   6 +
> >  drivers/net/octeontx2/otx2_ethdev_sec.c    |  82 +++++++++++++
> >  drivers/net/octeontx2/otx2_ethdev_sec.h    |  19 +++
> >  drivers/net/octeontx2/otx2_ethdev_sec_tx.h | 181
> > +++++++++++++++++++++++++++++
> >  5 files changed, 290 insertions(+), 1 deletion(-)  create mode 100644
> > drivers/net/octeontx2/otx2_ethdev_sec_tx.h
> >
> > diff --git a/drivers/event/octeontx2/meson.build
> > b/drivers/event/octeontx2/meson.build
> > index 56febb8..be4b47a 100644
> > --- a/drivers/event/octeontx2/meson.build
> > +++ b/drivers/event/octeontx2/meson.build
> > @@ -31,6 +31,7 @@ foreach flag: extra_flags
> >  	endif
> >  endforeach
> >
> > -deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2',
> > 'pmd_octeontx2']
> > +deps += ['bus_pci', 'common_octeontx2', 'cryptodev',
> > +'mempool_octeontx2',
> > 'pmd_octeontx2',
> > +         'security']
> >
> >  includes += include_directories('../../crypto/octeontx2')
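Review bot: the new 'cryptodev' and 'security' entries in deps have no Makefile counterpart. The diffstat for this patch lists only meson.build under drivers/event/octeontx2, so the meson and make builds of the event driver end up with different link dependencies. Either add the matching LDLIBS entries to drivers/event/octeontx2/Makefile in the same patch or drop the deps change, and have the commit message name what in otx2_worker.h needs a link-time dependency rather than just the include path that is already present.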
> 
> 
> Why would you need cryptodev in event driver meson.build?
> If you really need it, then why only in meson.build, Makefile should also have
> some change.

[Anoob] On our platform, it's the eventdev which does packet I/O during inline processing. So the Tx and Rx paths are embedded into event_dequeue_burst() and tx_adapter_enqueue(). Hence the need for such dependency.

I'll have the meson and Makefiles synced. Can send the updated series once you are done with the rest of the reviews. The dependency was added in meson.build file when some build failure was observed.

> 
> Please make sure that all individual patches compile for both meson and
> Makefile.
> I have not run the test yet. Will run it on Monday.

[Anoob] Sure. From our end, we have all the patches passing the build stages. In case there is any failure, I'll have it addressed with the next version.
 
> 
> Regards,
> Akhil

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH v3 14/15] net/octeontx2: add inline Tx path changes
  2020-01-31 15:33         ` Anoob Joseph
@ 2020-02-01  9:35           ` Anoob Joseph
  2020-02-03 13:25             ` Akhil Goyal
  0 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2020-02-01  9:35 UTC (permalink / raw)
  To: Anoob Joseph, Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Archana Muniganti, Tejasree Kondoj, Vamsi Krishna Attunuru,
	Lukas Bartosik, dev

Hi Akhil,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Anoob Joseph
> Sent: Friday, January 31, 2020 9:04 PM
> To: Akhil Goyal <akhil.goyal@nxp.com>; Declan Doherty
> <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>
> Cc: Ankur Dwivedi <adwivedi@marvell.com>; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> <pbhagavatula@marvell.com>; Archana Muniganti <marchana@marvell.com>;
> Tejasree Kondoj <ktejasree@marvell.com>; Vamsi Krishna Attunuru
> <vattunuru@marvell.com>; Lukas Bartosik <lbartosik@marvell.com>;
> dev@dpdk.org
> Subject: Re: [dpdk-dev] [PATCH v3 14/15] net/octeontx2: add inline Tx path
> changes
> 
> Hi Akhil,
> 
> Please see inline.
> 
> Thanks,
> Anoob
> 
> > -----Original Message-----
> > From: Akhil Goyal <akhil.goyal@nxp.com>
> > Sent: Friday, January 31, 2020 7:06 PM
> > To: Anoob Joseph <anoobj@marvell.com>; Declan Doherty
> > <declan.doherty@intel.com>; Thomas Monjalon <thomas@monjalon.net>
> > Cc: Ankur Dwivedi <adwivedi@marvell.com>; Jerin Jacob Kollanukkaran
> > <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > <pathreya@marvell.com>; Kiran Kumar Kokkilagadda
> > <kirankumark@marvell.com>; Nithin Kumar Dabilpuram
> > <ndabilpuram@marvell.com>; Pavan Nikhilesh Bhagavatula
> > <pbhagavatula@marvell.com>; Archana Muniganti
> <marchana@marvell.com>;
> > Tejasree Kondoj <ktejasree@marvell.com>; Vamsi Krishna Attunuru
> > <vattunuru@marvell.com>; Lukas Bartosik <lbartosik@marvell.com>;
> > dev@dpdk.org
> > Subject: [EXT] RE: [PATCH v3 14/15] net/octeontx2: add inline Tx path
> > changes
> >
> > External Email
> >
> > ----------------------------------------------------------------------
> > Hi Anoob,
> >
> > >
> > > From: Ankur Dwivedi <adwivedi@marvell.com>
> > >
> > > Adding pre-processing required for inline IPsec outbound packets.
> > >
> > > Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> > > Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> > > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > > Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> > > ---
> > >  drivers/event/octeontx2/meson.build        |   3 +-
> > >  drivers/event/octeontx2/otx2_worker.h      |   6 +
> > >  drivers/net/octeontx2/otx2_ethdev_sec.c    |  82 +++++++++++++
> > >  drivers/net/octeontx2/otx2_ethdev_sec.h    |  19 +++
> > >  drivers/net/octeontx2/otx2_ethdev_sec_tx.h | 181
> > > +++++++++++++++++++++++++++++
> > >  5 files changed, 290 insertions(+), 1 deletion(-)  create mode
> > > 100644 drivers/net/octeontx2/otx2_ethdev_sec_tx.h
> > >
> > > diff --git a/drivers/event/octeontx2/meson.build
> > > b/drivers/event/octeontx2/meson.build
> > > index 56febb8..be4b47a 100644
> > > --- a/drivers/event/octeontx2/meson.build
> > > +++ b/drivers/event/octeontx2/meson.build
> > > @@ -31,6 +31,7 @@ foreach flag: extra_flags
> > >  	endif
> > >  endforeach
> > >
> > > -deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2',
> > > 'pmd_octeontx2']
> > > +deps += ['bus_pci', 'common_octeontx2', 'cryptodev',
> > > +'mempool_octeontx2',
> > > 'pmd_octeontx2',
> > > +         'security']
> > >
> > >  includes += include_directories('../../crypto/octeontx2')
> >
> >
> > Why would you need cryptodev in event driver meson.build?
> > If you really need it, then why only in meson.build, Makefile should
> > also have some change.
> 
> [Anoob] On our platform, it's the eventdev which does packet I/O during inline
> processing. So the Tx and Rx paths are embedded into event_dequeue_burst()
> and tx_adapter_enqueue(). Hence the need for such dependency.
> 
> I'll have the meson and Makefiles synced. Can send the updated series once you
> are done with the rest of the reviews. The dependency was added in
> meson.build file when some build failure was observed.

[Anoob] You are right. The above change is not necessary. I've confirmed that the build is not failing even without the above. Do you want me to send a new version with this fix? 
 
> 
> >
> > Please make sure that all individual patches compile for both meson
> > and Makefile.
> > I have not run the test yet. Will run it on Monday.
> 
> [Anoob] Sure. From our end, we have all the patches passing the build stages. In
> case if there is any failure, I'll have it addressed with the next version.
> 
> >
> > Regards,
> > Akhil

^ permalink raw reply	[flat|nested] 111+ messages in thread

* Re: [dpdk-dev] [PATCH v3 14/15] net/octeontx2: add inline Tx path changes
  2020-02-01  9:35           ` Anoob Joseph
@ 2020-02-03 13:25             ` Akhil Goyal
  0 siblings, 0 replies; 111+ messages in thread
From: Akhil Goyal @ 2020-02-03 13:25 UTC (permalink / raw)
  To: Anoob Joseph, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob Kollanukkaran,
	Narayana Prasad Raju Athreya, Kiran Kumar Kokkilagadda,
	Nithin Kumar Dabilpuram, Pavan Nikhilesh Bhagavatula,
	Archana Muniganti, Tejasree Kondoj, Vamsi Krishna Attunuru,
	Lukas Bartosik, dev

> > >
> > > >
> > > > From: Ankur Dwivedi <adwivedi@marvell.com>
> > > >
> > > > Adding pre-processing required for inline IPsec outbound packets.
> > > >
> > > > Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> > > > Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> > > > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > > > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > > > Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> > > > ---
> > > >  drivers/event/octeontx2/meson.build        |   3 +-
> > > >  drivers/event/octeontx2/otx2_worker.h      |   6 +
> > > >  drivers/net/octeontx2/otx2_ethdev_sec.c    |  82 +++++++++++++
> > > >  drivers/net/octeontx2/otx2_ethdev_sec.h    |  19 +++
> > > >  drivers/net/octeontx2/otx2_ethdev_sec_tx.h | 181
> > > > +++++++++++++++++++++++++++++
> > > >  5 files changed, 290 insertions(+), 1 deletion(-)  create mode
> > > > 100644 drivers/net/octeontx2/otx2_ethdev_sec_tx.h
> > > >
> > > > diff --git a/drivers/event/octeontx2/meson.build
> > > > b/drivers/event/octeontx2/meson.build
> > > > index 56febb8..be4b47a 100644
> > > > --- a/drivers/event/octeontx2/meson.build
> > > > +++ b/drivers/event/octeontx2/meson.build
> > > > @@ -31,6 +31,7 @@ foreach flag: extra_flags
> > > >  	endif
> > > >  endforeach
> > > >
> > > > -deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2',
> > > > 'pmd_octeontx2']
> > > > +deps += ['bus_pci', 'common_octeontx2', 'cryptodev',
> > > > +'mempool_octeontx2',
> > > > 'pmd_octeontx2',
> > > > +         'security']
> > > >
> > > >  includes += include_directories('../../crypto/octeontx2')
> > >
> > >
> > > Why would you need cryptodev in event driver meson.build?
> > > If you really need it, then why only in meson.build, Makefile should
> > > also have some change.
> >
> > [Anoob] On our platform, it's the eventdev which does packet I/O during inline
> > processing. So the Tx and Rx paths are embedded into event_dequeue_burst()
> > and tx_adapter_enqueue(). Hence the need for such dependency.
> >
> > I'll have the meson and Makefiles synced. Can send the updated series once
> you
> > are done with the rest of the reviews. The dependency was added in
> > meson.build file when some build failure was observed.
> 
> [Anoob] You are right. The above change is not necessary. I've confirmed that
> the build is not failing even without the above. Do you want me to send a new
> version with this fix?
> 

Yes, please send the patches and make sure that all individual patches get compiled
with meson and Makefile properly.

> >
> > >
> > > Please make sure that all individual patches compile for both meson
> > > and Makefile.
> > > I have not run the test yet. Will run it on Monday.
> >
> > [Anoob] Sure. From our end, we have all the patches passing the build stages.
> In
> > case if there is any failure, I'll have it addressed with the next version.
> >
> > >
> > > Regards,
> > > Akhil

^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support
  2020-01-31 10:03   ` [dpdk-dev] [PATCH v3 00/15] add OCTEON TX2 " Anoob Joseph
                       ` (14 preceding siblings ...)
  2020-01-31 10:03     ` [dpdk-dev] [PATCH v3 15/15] net/octeontx2: sync inline tag type Anoob Joseph
@ 2020-02-04 11:17     ` Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 01/15] common/octeontx2: add CPT LF mbox for inline inbound Anoob Joseph
                         ` (15 more replies)
  15 siblings, 16 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

This series adds inline IPsec support in OCTEON TX2 PMD.

In the inbound path, the rte_flow framework needs to be used to configure
the NPC block, which does the h/w lookup. The packets would get
processed by the crypto block and would submit to the scheduling block,
SSO. So inline IPsec mode can be enabled only when traffic is received
via event device using Rx adapter.

In the outbound path, the core would submit to the crypto block and the
crypto block would submit the packet for Tx internally.

v4:
* Reverted meson.build file edit in patch 14/15

v3:
* Moved ethdev security ops to net/octeontx2
* Segregated all security related code in common to
  common/octeontx2/otx2_sec* files
* Segregated all security related control code in net to
  net/octeontx2/otx2_ethdev_sec* files
* Claimed maintainership for all files added above
* Added support for AES-CBC

v2:
* Minimized additions to common/octeontx2
* Updated release notes
* Renamed otx2_is_ethdev to otx2_ethdev_is_sec_capable

Ankur Dwivedi (3):
  net/octeontx2: add eth security capabilities
  net/octeontx2: add datapath ops in eth security ctx
  net/octeontx2: add inline Tx path changes

Anoob Joseph (4):
  common/octeontx2: add CPT LF mbox for inline inbound
  net/octeontx2: create eth security ctx
  crypto/octeontx2: enable CPT to share QP with ethdev
  net/octeontx2: add eth security session operations

Archana Muniganti (3):
  net/octeontx2: add lookup mem changes to hold sa indices
  drivers/octeontx2: add sec in Rx fastpath framework
  drivers/octeontx2: add sec in Tx fastpath framework

Tejasree Kondoj (3):
  crypto/octeontx2: configure for inline IPsec
  net/octeontx2: add security in eth dev configure
  net/octeontx2: add inline ipsec Rx path changes

Vamsi Attunuru (2):
  common/octeontx2: add routine to check if sec capable otx2
  net/octeontx2: sync inline tag type

 MAINTAINERS                                        |   6 +
 doc/guides/nics/octeontx2.rst                      |  20 +
 doc/guides/rel_notes/release_20_02.rst             |   9 +
 drivers/common/octeontx2/Makefile                  |   1 +
 drivers/common/octeontx2/meson.build               |   1 +
 drivers/common/octeontx2/otx2_common.h             |   4 +
 drivers/common/octeontx2/otx2_mbox.h               |   7 +
 drivers/common/octeontx2/otx2_sec_idev.c           | 183 +++++
 drivers/common/octeontx2/otx2_sec_idev.h           |  37 +
 .../octeontx2/rte_common_octeontx2_version.map     |   6 +
 drivers/crypto/octeontx2/Makefile                  |   6 +-
 drivers/crypto/octeontx2/meson.build               |   4 +
 .../crypto/octeontx2/otx2_cryptodev_hw_access.h    |  22 +-
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.c     |  54 ++
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.h     |   7 +
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c      |  56 ++
 drivers/crypto/octeontx2/otx2_cryptodev_qp.h       |  35 +
 drivers/crypto/octeontx2/otx2_ipsec_fp.h           | 350 +++++++++
 drivers/event/octeontx2/Makefile                   |   1 +
 drivers/event/octeontx2/meson.build                |   2 +
 drivers/event/octeontx2/otx2_evdev.c               | 170 +++--
 drivers/event/octeontx2/otx2_evdev.h               |   4 +-
 drivers/event/octeontx2/otx2_worker.c              |   6 +-
 drivers/event/octeontx2/otx2_worker.h              |   6 +
 drivers/event/octeontx2/otx2_worker_dual.c         |   6 +-
 drivers/net/octeontx2/Makefile                     |   4 +
 drivers/net/octeontx2/meson.build                  |   7 +-
 drivers/net/octeontx2/otx2_ethdev.c                |  38 +-
 drivers/net/octeontx2/otx2_ethdev.h                |   2 +
 drivers/net/octeontx2/otx2_ethdev_devargs.c        |  19 +
 drivers/net/octeontx2/otx2_ethdev_sec.c            | 844 +++++++++++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.h            | 139 ++++
 drivers/net/octeontx2/otx2_ethdev_sec_tx.h         | 181 +++++
 drivers/net/octeontx2/otx2_flow.c                  |  26 +
 drivers/net/octeontx2/otx2_lookup.c                |  11 +-
 drivers/net/octeontx2/otx2_rx.c                    |  27 +-
 drivers/net/octeontx2/otx2_rx.h                    | 377 ++++++---
 drivers/net/octeontx2/otx2_tx.c                    |  29 +-
 drivers/net/octeontx2/otx2_tx.h                    | 271 +++++--
 39 files changed, 2696 insertions(+), 282 deletions(-)
 create mode 100644 drivers/common/octeontx2/otx2_sec_idev.c
 create mode 100644 drivers/common/octeontx2/otx2_sec_idev.h
 create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_qp.h
 create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h
 create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec.c
 create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec.h
 create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec_tx.h

-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v4 01/15] common/octeontx2: add CPT LF mbox for inline inbound
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
@ 2020-02-04 11:17       ` Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 02/15] common/octeontx2: add routine to check if sec capable otx2 Anoob Joseph
                         ` (14 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev, Tejasree Kondoj

Adding the new mbox introduced to configure CPT LF to be used for inline
inbound.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <kondoj.tejasree@cavium.com>
---
 drivers/common/octeontx2/otx2_mbox.h | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/common/octeontx2/otx2_mbox.h b/drivers/common/octeontx2/otx2_mbox.h
index e0e4e2f..70452d1 100644
--- a/drivers/common/octeontx2/otx2_mbox.h
+++ b/drivers/common/octeontx2/otx2_mbox.h
@@ -193,6 +193,8 @@ M(CPT_SET_CRYPTO_GRP,	0xA03, cpt_set_crypto_grp,			\
 			       msg_rsp)					\
 M(CPT_INLINE_IPSEC_CFG, 0xA04, cpt_inline_ipsec_cfg,			\
 			       cpt_inline_ipsec_cfg_msg, msg_rsp)	\
+M(CPT_RX_INLINE_LF_CFG, 0xBFE, cpt_rx_inline_lf_cfg,			\
+			       cpt_rx_inline_lf_cfg_msg, msg_rsp)	\
 /* NPC mbox IDs (range 0x6000 - 0x7FFF) */				\
 M(NPC_MCAM_ALLOC_ENTRY,	0x6000, npc_mcam_alloc_entry,			\
 				npc_mcam_alloc_entry_req,		\
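Review bot: CPT_RX_INLINE_LF_CFG is given ID 0xBFE while the CPT entries just above it are numbered sequentially (0xA03, 0xA04), and nothing in the hunk explains the jump. If the value is fixed by the peer that services the mbox, say so in a comment next to the M() entry, so that a later message added at 0xA05 does not prompt someone to renumber this one and so that an ID mismatch between the two sides is easy to catch in review.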
@@ -1202,6 +1204,11 @@ struct cpt_inline_ipsec_cfg_msg {
 	uint16_t __otx2_io nix_pf_func; /* Outbound path NIX_PF_FUNC */
 };
 
+struct cpt_rx_inline_lf_cfg_msg {
+	struct mbox_msghdr hdr;
+	uint16_t __otx2_io sso_pf_func;
+};
+
 /* NPC mbox message structs */
 
 #define NPC_MCAM_ENTRY_INVALID	0xFFFF
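Review bot: sso_pf_func in struct cpt_rx_inline_lf_cfg_msg is undocumented, while the field directly above it in the neighbouring struct carries a comment (nix_pf_func, "Outbound path NIX_PF_FUNC"). Add a matching comment giving the direction and meaning of the field (the cover letter describes inbound packets being submitted to the SSO), and state in the commit message what the receiver does with it, since this struct is a message layout shared with another component and cannot be changed freely later.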
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v4 02/15] common/octeontx2: add routine to check if sec capable otx2
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 01/15] common/octeontx2: add CPT LF mbox for inline inbound Anoob Joseph
@ 2020-02-04 11:17       ` Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 03/15] crypto/octeontx2: configure for inline IPsec Anoob Joseph
                         ` (13 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Vamsi Attunuru, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Lukasz Bartosik, dev

From: Vamsi Attunuru <vattunuru@marvell.com>

This routine returns true if given rte_eth_dev is security offload
capable and belongs to octeontx2.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 MAINTAINERS                                        |  5 ++++
 drivers/common/octeontx2/Makefile                  |  1 +
 drivers/common/octeontx2/meson.build               |  1 +
 drivers/common/octeontx2/otx2_sec_idev.c           | 28 ++++++++++++++++++++++
 drivers/common/octeontx2/otx2_sec_idev.h           | 12 ++++++++++
 .../octeontx2/rte_common_octeontx2_version.map     |  1 +
 6 files changed, 48 insertions(+)
 create mode 100644 drivers/common/octeontx2/otx2_sec_idev.c
 create mode 100644 drivers/common/octeontx2/otx2_sec_idev.h

diff --git a/MAINTAINERS b/MAINTAINERS
index 94bccae..7b1ea56 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -724,6 +724,11 @@ F: drivers/net/octeontx2/
 F: doc/guides/nics/features/octeontx2*.ini
 F: doc/guides/nics/octeontx2.rst
 
+Marvell OCTEON TX2 - security
+M: Anoob Joseph <anoobj@marvell.com>
+T: git://dpdk.org/next/dpdk-next-crypto
+F: drivers/common/octeontx2/otx2_sec*
+
 Mellanox mlx4
 M: Matan Azrad <matan@mellanox.com>
 M: Shahaf Shuler <shahafs@mellanox.com>
diff --git a/drivers/common/octeontx2/Makefile b/drivers/common/octeontx2/Makefile
index eaff294..efe3da2 100644
--- a/drivers/common/octeontx2/Makefile
+++ b/drivers/common/octeontx2/Makefile
@@ -31,6 +31,7 @@ SRCS-y += otx2_dev.c
 SRCS-y += otx2_irq.c
 SRCS-y += otx2_mbox.c
 SRCS-y += otx2_common.c
+SRCS-y += otx2_sec_idev.c
 
 LDLIBS += -lrte_eal
 LDLIBS += -lrte_ethdev
diff --git a/drivers/common/octeontx2/meson.build b/drivers/common/octeontx2/meson.build
index b791457..996ddba 100644
--- a/drivers/common/octeontx2/meson.build
+++ b/drivers/common/octeontx2/meson.build
@@ -6,6 +6,7 @@ sources= files('otx2_dev.c',
 		'otx2_irq.c',
 		'otx2_mbox.c',
 		'otx2_common.c',
+		'otx2_sec_idev.c',
 	       )
 
 extra_flags = []
diff --git a/drivers/common/octeontx2/otx2_sec_idev.c b/drivers/common/octeontx2/otx2_sec_idev.c
new file mode 100644
index 0000000..532abde
--- /dev/null
+++ b/drivers/common/octeontx2/otx2_sec_idev.c
@@ -0,0 +1,28 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2020 Marvell International Ltd.
+ */
+
+#include <rte_bus_pci.h>
+#include <rte_ethdev.h>
+
+#include "otx2_common.h"
+#include "otx2_sec_idev.h"
+
+/**
+ * @internal
+ * Check if rte_eth_dev is security offload capable otx2_eth_dev
+ */
+uint8_t
+otx2_eth_dev_is_sec_capable(struct rte_eth_dev *eth_dev)
+{
+	struct rte_pci_device *pci_dev;
+
+	pci_dev = RTE_ETH_DEV_TO_PCI(eth_dev);
+
+	if (pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_PF ||
+	    pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_VF ||
+	    pci_dev->id.device_id == PCI_DEVID_OCTEONTX2_RVU_AF_VF)
+		return 1;
+
+	return 0;
+}
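Review bot: otx2_eth_dev_is_sec_capable() applies RTE_ETH_DEV_TO_PCI() to whatever rte_eth_dev it is given, without first checking that eth_dev->device is non-NULL and that the port actually sits on the PCI bus. The callers added later in this series pass arbitrary entries of rte_eth_devices[], so on a system that also has a vdev or other non-PCI port the container_of conversion yields a pointer into unrelated memory and the id.device_id read is undefined. Check the bus before converting and return 0 for non-PCI ports. The comparison also looks only at device_id; matching id.vendor_id as well would avoid a false positive on another vendor's device that happens to reuse one of the three IDs. As a style point, the function is a predicate and could return bool instead of uint8_t.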
diff --git a/drivers/common/octeontx2/otx2_sec_idev.h b/drivers/common/octeontx2/otx2_sec_idev.h
new file mode 100644
index 0000000..a5d929e
--- /dev/null
+++ b/drivers/common/octeontx2/otx2_sec_idev.h
@@ -0,0 +1,12 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2020 Marvell International Ltd.
+ */
+
+#ifndef _OTX2_SEC_IDEV_H_
+#define _OTX2_SEC_IDEV_H_
+
+#include <rte_ethdev.h>
+
+uint8_t otx2_eth_dev_is_sec_capable(struct rte_eth_dev *eth_dev);
+
+#endif /* _OTX2_SEC_IDEV_H_ */
diff --git a/drivers/common/octeontx2/rte_common_octeontx2_version.map b/drivers/common/octeontx2/rte_common_octeontx2_version.map
index a51d719..724fa35 100644
--- a/drivers/common/octeontx2/rte_common_octeontx2_version.map
+++ b/drivers/common/octeontx2/rte_common_octeontx2_version.map
@@ -5,6 +5,7 @@ DPDK_20.0 {
 	otx2_dev_fini;
 	otx2_dev_priv_init;
 	otx2_disable_irqs;
+	otx2_eth_dev_is_sec_capable;
 	otx2_intra_dev_get_cfg;
 	otx2_logtype_base;
 	otx2_logtype_dpi;
-- 
2.7.4


^ permalink raw reply	[flat|nested] 111+ messages in thread

* [dpdk-dev] [PATCH v4 03/15] crypto/octeontx2: configure for inline IPsec
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 01/15] common/octeontx2: add CPT LF mbox for inline inbound Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 02/15] common/octeontx2: add routine to check if sec capable otx2 Anoob Joseph
@ 2020-02-04 11:17       ` Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 04/15] net/octeontx2: create eth security ctx Anoob Joseph
                         ` (12 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Tejasree Kondoj, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Vamsi Attunuru, Lukasz Bartosik, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

For enabling outbound inline IPsec, a CPT queue needs to be tied
to a NIX PF_FUNC. Distribute CPT queues fairly among all available
otx2 eth ports.

For inbound, one CPT LF will be assigned and initialized by kernel.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/Makefile              |  3 +-
 drivers/crypto/octeontx2/meson.build           |  2 +
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.c | 54 ++++++++++++++++++++++++++
 drivers/crypto/octeontx2/otx2_cryptodev_mbox.h |  7 ++++
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c  | 39 +++++++++++++++++++
 5 files changed, 104 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/octeontx2/Makefile b/drivers/crypto/octeontx2/Makefile
index f7d6c37..3ba67ed 100644
--- a/drivers/crypto/octeontx2/Makefile
+++ b/drivers/crypto/octeontx2/Makefile
@@ -10,7 +10,7 @@ LIB = librte_pmd_octeontx2_crypto.a
 # build flags
 CFLAGS += $(WERROR_FLAGS)
 
-LDLIBS += -lrte_eal -lrte_mbuf -lrte_mempool -lrte_ring
+LDLIBS += -lrte_eal -lrte_ethdev -lrte_mbuf -lrte_mempool -lrte_ring
 LDLIBS += -lrte_cryptodev
 LDLIBS += -lrte_pci -lrte_bus_pci
 LDLIBS += -lrte_common_cpt -lrte_common_octeontx2
@@ -21,6 +21,7 @@ CFLAGS += -O3
 CFLAGS += -I$(RTE_SDK)/drivers/common/cpt
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
 CFLAGS += -DALLOW_EXPERIMENTAL_API
 
 ifneq ($(CONFIG_RTE_ARCH_64),y)
diff --git a/drivers/crypto/octeontx2/meson.build b/drivers/crypto/octeontx2/meson.build
index b6e5b73..67deca3 100644
--- a/drivers/crypto/octeontx2/meson.build
+++ b/drivers/crypto/octeontx2/meson.build
@@ -8,6 +8,7 @@ endif
 deps += ['bus_pci']
 deps += ['common_cpt']
 deps += ['common_octeontx2']
+deps += ['ethdev']
 name = 'octeontx2_crypto'
 
 allow_experimental_apis = true
@@ -32,3 +33,4 @@ endforeach
 includes += include_directories('../../common/cpt')
 includes += include_directories('../../common/octeontx2')
 includes += include_directories('../../mempool/octeontx2')
+includes += include_directories('../../net/octeontx2')
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c
index b54e407..6bb8316 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.c
@@ -2,10 +2,14 @@
  * Copyright (C) 2019 Marvell International Ltd.
  */
 #include <rte_cryptodev.h>
+#include <rte_ethdev.h>
 
 #include "otx2_cryptodev.h"
+#include "otx2_cryptodev_hw_access.h"
 #include "otx2_cryptodev_mbox.h"
 #include "otx2_dev.h"
+#include "otx2_ethdev.h"
+#include "otx2_sec_idev.h"
 #include "otx2_mbox.h"
 
 #include "cpt_pmd_logs.h"
@@ -173,3 +177,53 @@ otx2_cpt_af_reg_write(const struct rte_cryptodev *dev, uint64_t reg,
 
 	return otx2_cpt_send_mbox_msg(vf);
 }
+
+int
+otx2_cpt_inline_init(const struct rte_cryptodev *dev)
+{
+	struct otx2_cpt_vf *vf = dev->data->dev_private;
+	struct otx2_mbox *mbox = vf->otx2_dev.mbox;
+	struct cpt_rx_inline_lf_cfg_msg *msg;
+	int ret;
+
+	msg = otx2_mbox_alloc_msg_cpt_rx_inline_lf_cfg(mbox);
+	msg->sso_pf_func = otx2_sso_pf_func_get();
+
+	otx2_mbox_msg_send(mbox, 0);
+	ret = otx2_mbox_process(mbox);
+	if (ret < 0)
+		return -EIO;
+
+	return 0;
+}
+
+int
+otx2_cpt_qp_ethdev_bind(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp,
+			uint16_t port_id)
+{
+	struct rte_eth_dev *eth_dev = &rte_eth_devices[port_id];
+	struct otx2_cpt_vf *vf = dev->data->dev_private;
+	struct otx2_mbox *mbox = vf->otx2_dev.mbox;
+	struct cpt_inline_ipsec_cfg_msg *msg;
+	struct otx2_eth_dev *otx2_eth_dev;
+	int ret;
+
+	if (!otx2_eth_dev_is_sec_capable(&rte_eth_devices[port_id]))
+		return -EINVAL;
+
+	otx2_eth_dev = otx2_eth_pmd_priv(eth_dev);
+
+	msg = otx2_mbox_alloc_msg_cpt_inline_ipsec_cfg(mbox);
+	msg->dir = CPT_INLINE_OUTBOUND;
+	msg->enable = 1;
+	msg->slot = qp->id;
+
+	msg->nix_pf_func = otx2_eth_dev->pf_func;
+
+	otx2_mbox_msg_send(mbox, 0);
+	ret = otx2_mbox_process(mbox);
+	if (ret < 0)
+		return -EIO;
+
+	return 0;
+}
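Review bot: both new functions dereference the pointer returned by otx2_mbox_alloc_msg_*() without checking it, in otx2_cpt_inline_init() at "msg->sso_pf_func = otx2_sso_pf_func_get();" and in otx2_cpt_qp_ethdev_bind() at "msg->dir = CPT_INLINE_OUTBOUND;". If the allocator can fail (for example when the mbox region is full), this is a NULL dereference in the configure path; return -ENOMEM in that case. In otx2_cpt_qp_ethdev_bind(), port_id indexes rte_eth_devices[] with no range check, and the array is indexed a second time in the capability test although eth_dev already holds the same pointer; validate port_id once and reuse eth_dev. Both functions also collapse every negative return from otx2_mbox_process() into -EIO, which hides the original error from the caller's log.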
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h
index a298718..ae66b08 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_mbox.h
@@ -7,6 +7,8 @@
 
 #include <rte_cryptodev.h>
 
+#include "otx2_cryptodev_hw_access.h"
+
 int otx2_cpt_available_queues_get(const struct rte_cryptodev *dev,
 				  uint16_t *nb_queues);
 
@@ -22,4 +24,9 @@ int otx2_cpt_af_reg_read(const struct rte_cryptodev *dev, uint64_t reg,
 int otx2_cpt_af_reg_write(const struct rte_cryptodev *dev, uint64_t reg,
 			  uint64_t val);
 
+int otx2_cpt_qp_ethdev_bind(const struct rte_cryptodev *dev,
+			    struct otx2_cpt_qp *qp, uint16_t port_id);
+
+int otx2_cpt_inline_init(const struct rte_cryptodev *dev);
+
 #endif /* _OTX2_CRYPTODEV_MBOX_H_ */
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index ec0e58d..005b0a9 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -6,6 +6,7 @@
 
 #include <rte_cryptodev_pmd.h>
 #include <rte_errno.h>
+#include <rte_ethdev.h>
 
 #include "otx2_cryptodev.h"
 #include "otx2_cryptodev_capabilities.h"
@@ -13,6 +14,7 @@
 #include "otx2_cryptodev_mbox.h"
 #include "otx2_cryptodev_ops.h"
 #include "otx2_mbox.h"
+#include "otx2_sec_idev.h"
 
 #include "cpt_hw_types.h"
 #include "cpt_pmd_logs.h"
@@ -127,6 +129,29 @@ otx2_cpt_metabuf_mempool_destroy(struct otx2_cpt_qp *qp)
 	meta_info->sg_mlen = 0;
 }
 
+static int
+otx2_cpt_qp_inline_cfg(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp)
+{
+	static rte_atomic16_t port_offset = RTE_ATOMIC16_INIT(-1);
+	uint16_t port_id, nb_ethport = rte_eth_dev_count_avail();
+	int i, ret;
+
+	for (i = 0; i < nb_ethport; i++) {
+		port_id = rte_atomic16_add_return(&port_offset, 1) % nb_ethport;
+		if (otx2_eth_dev_is_sec_capable(&rte_eth_devices[port_id]))
+			break;
+	}
+
+	if (i >= nb_ethport)
+		return 0;
+
+	ret = otx2_cpt_qp_ethdev_bind(dev, qp, port_id);
+	if (ret)
+		return ret;
+
+	return 0;
+}
+
 static struct otx2_cpt_qp *
 otx2_cpt_qp_create(const struct rte_cryptodev *dev, uint16_t qp_id,
 		   uint8_t group)
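Review bot: otx2_cpt_qp_inline_cfg() assumes that valid port IDs are exactly 0..rte_eth_dev_count_avail()-1, at "port_id = rte_atomic16_add_return(&port_offset, 1) % nb_ethport;". Port IDs are not guaranteed to be contiguous (ports can be detached or owned by another entity), so this can index an unused rte_eth_devices[] slot and skip a real port; iterating with RTE_ETH_FOREACH_DEV and rotating over the resulting list would avoid that. The counter is also a signed 16-bit atomic that is never reset: once it wraps negative, the remainder is negative and the assignment to the uint16_t port_id produces a value far outside the array. Use an unsigned counter or reduce it modulo nb_ethport when storing. Finally, "if (i >= nb_ethport) return 0;" silently leaves the queue unbound when no capable port is found; a debug log there would make it clear why outbound inline IPsec is not available on that queue.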
@@ -220,6 +245,12 @@ otx2_cpt_qp_create(const struct rte_cryptodev *dev, uint16_t qp_id,
 
 	otx2_cpt_iq_disable(qp);
 
+	ret = otx2_cpt_qp_inline_cfg(dev, qp);
+	if (ret) {
+		CPT_LOG_ERR("Could not configure queue for inline IPsec");
+		goto mempool_destroy;
+	}
+
 	ret = otx2_cpt_iq_enable(dev, qp, group, OTX2_CPT_QUEUE_HI_PRIO,
 				 size_div40);
 	if (ret) {
@@ -913,12 +944,20 @@ otx2_cpt_dev_config(struct rte_cryptodev *dev,
 		goto queues_detach;
 	}
 
+	ret = otx2_cpt_inline_init(dev);
+	if (ret) {
+		CPT_LOG_ERR("Could not enable inline IPsec");
+		goto intr_unregister;
+	}
+
 	dev->enqueue_burst = otx2_cpt_enqueue_burst;
 	dev->dequeue_burst = otx2_cpt_dequeue_burst;
 
 	rte_mb();
 	return 0;
 
+intr_unregister:
+	otx2_cpt_err_intr_unregister(dev);
 queues_detach:
 	otx2_cpt_queues_detach(dev);
 	return ret;
-- 
2.7.4



* [dpdk-dev] [PATCH v4 04/15] net/octeontx2: create eth security ctx
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
                         ` (2 preceding siblings ...)
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 03/15] crypto/octeontx2: configure for inline IPsec Anoob Joseph
@ 2020-02-04 11:17       ` Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 05/15] net/octeontx2: add security in eth dev configure Anoob Joseph
                         ` (11 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

Adding security ctx to the eth device.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 MAINTAINERS                             |  1 +
 drivers/net/octeontx2/Makefile          |  1 +
 drivers/net/octeontx2/meson.build       |  4 +++-
 drivers/net/octeontx2/otx2_ethdev.c     | 15 +++++++++++++-
 drivers/net/octeontx2/otx2_ethdev_sec.c | 35 +++++++++++++++++++++++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.h | 14 +++++++++++++
 6 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec.c
 create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec.h

diff --git a/MAINTAINERS b/MAINTAINERS
index 7b1ea56..5d05b29 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -728,6 +728,7 @@ Marvell OCTEON TX2 - security
 M: Anoob Joseph <anoobj@marvell.com>
 T: git://dpdk.org/next/dpdk-next-crypto
 F: drivers/common/octeontx2/otx2_sec*
+F: drivers/net/octeontx2/otx2_ethdev_sec*
 
 Mellanox mlx4
 M: Matan Azrad <matan@mellanox.com>
diff --git a/drivers/net/octeontx2/Makefile b/drivers/net/octeontx2/Makefile
index 68f5765..8649f89 100644
--- a/drivers/net/octeontx2/Makefile
+++ b/drivers/net/octeontx2/Makefile
@@ -50,6 +50,7 @@ SRCS-$(CONFIG_RTE_LIBRTE_OCTEONTX2_PMD) += \
 	otx2_flow_utils.c \
 	otx2_ethdev_irq.c \
 	otx2_ethdev_ops.c \
+	otx2_ethdev_sec.c \
 	otx2_ethdev_debug.c \
 	otx2_ethdev_devargs.c
 
diff --git a/drivers/net/octeontx2/meson.build b/drivers/net/octeontx2/meson.build
index fad3076..dfbf99a 100644
--- a/drivers/net/octeontx2/meson.build
+++ b/drivers/net/octeontx2/meson.build
@@ -20,11 +20,13 @@ sources = files('otx2_rx.c',
 		'otx2_flow_utils.c',
 		'otx2_ethdev_irq.c',
 		'otx2_ethdev_ops.c',
+		'otx2_ethdev_sec.c',
 		'otx2_ethdev_debug.c',
 		'otx2_ethdev_devargs.c'
 		)
 
-deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2']
+deps += ['bus_pci', 'cryptodev', 'security']
+deps += ['common_octeontx2', 'mempool_octeontx2']
 
 cflags += ['-flax-vector-conversions']
 
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index 268b383..7fd5254 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -12,6 +12,7 @@
 #include <rte_mempool.h>
 
 #include "otx2_ethdev.h"
+#include "otx2_ethdev_sec.h"
 
 static inline uint64_t
 nix_get_rx_offload_capa(struct otx2_eth_dev *dev)
@@ -2243,10 +2244,17 @@ otx2_eth_dev_init(struct rte_eth_dev *eth_dev)
 		dev->hwcap |= OTX2_FIXUP_F_LIMIT_CQ_FULL;
 	}
 
+	/* Create security ctx */
+	rc = otx2_eth_sec_ctx_create(eth_dev);
+	if (rc)
+		goto free_mac_addrs;
+	dev->tx_offload_capa |= DEV_TX_OFFLOAD_SECURITY;
+	dev->rx_offload_capa |= DEV_RX_OFFLOAD_SECURITY;
+
 	/* Initialize rte-flow */
 	rc = otx2_flow_init(dev);
 	if (rc)
-		goto free_mac_addrs;
+		goto sec_ctx_destroy;
 
 	otx2_nix_mc_filter_init(dev);
 
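Review bot: DEV_TX_OFFLOAD_SECURITY and DEV_RX_OFFLOAD_SECURITY are OR-ed into the capability masks in otx2_eth_dev_init() for every port, with no check that the device can actually do inline IPsec. The crypto side of this series only binds queue pairs to ports for which otx2_eth_dev_is_sec_capable() is true, so applying the same test here would keep the advertised capabilities in line with what can be configured.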
@@ -2257,6 +2265,8 @@ otx2_eth_dev_init(struct rte_eth_dev *eth_dev)
 		     dev->rx_offload_capa, dev->tx_offload_capa);
 	return 0;
 
+sec_ctx_destroy:
+	otx2_eth_sec_ctx_destroy(eth_dev);
 free_mac_addrs:
 	rte_free(eth_dev->data->mac_addrs);
 unregister_irq:
@@ -2340,6 +2350,9 @@ otx2_eth_dev_uninit(struct rte_eth_dev *eth_dev, bool mbox_close)
 	if (rc)
 		otx2_err("Failed to cleanup npa lf, rc=%d", rc);
 
+	/* Destroy security ctx */
+	otx2_eth_sec_ctx_destroy(eth_dev);
+
 	rte_free(eth_dev->data->mac_addrs);
 	eth_dev->data->mac_addrs = NULL;
 	dev->drv_inited = false;
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
new file mode 100644
index 0000000..80c5689
--- /dev/null
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2020 Marvell International Ltd.
+ */
+
+#include <rte_ethdev.h>
+#include <rte_malloc.h>
+#include <rte_security.h>
+
+#include "otx2_ethdev_sec.h"
+
+int
+otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev)
+{
+	struct rte_security_ctx *ctx;
+
+	ctx = rte_malloc("otx2_eth_sec_ctx",
+			 sizeof(struct rte_security_ctx), 0);
+	if (ctx == NULL)
+		return -ENOMEM;
+
+	/* Populate ctx */
+
+	ctx->device = eth_dev;
+	ctx->sess_cnt = 0;
+
+	eth_dev->security_ctx = ctx;
+
+	return 0;
+}
+
+void
+otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev)
+{
+	rte_free(eth_dev->security_ctx);
+}
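Review bot: otx2_eth_sec_ctx_destroy() frees eth_dev->security_ctx but leaves the pointer set, so after the sec_ctx_destroy error path or otx2_eth_dev_uninit() the device still exposes a dangling context, and a second destroy call would free the same pointer again. Set eth_dev->security_ctx = NULL after rte_free(). In otx2_eth_sec_ctx_create(), rte_malloc() does not zero the allocation and only device and sess_cnt are assigned, so ctx->ops is left uninitialised by this patch; rte_zmalloc() or an explicit ctx->ops = NULL would close that gap.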
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.h b/drivers/net/octeontx2/otx2_ethdev_sec.h
new file mode 100644
index 0000000..4a925e9
--- /dev/null
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.h
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2020 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_ETHDEV_SEC_H__
+#define __OTX2_ETHDEV_SEC_H__
+
+#include <rte_ethdev.h>
+
+int otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev);
+
+void otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev);
+
+#endif /* __OTX2_ETHDEV_SEC_H__ */
-- 
2.7.4



* [dpdk-dev] [PATCH v4 05/15] net/octeontx2: add security in eth dev configure
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
                         ` (3 preceding siblings ...)
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 04/15] net/octeontx2: create eth security ctx Anoob Joseph
@ 2020-02-04 11:17       ` Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 06/15] net/octeontx2: add eth security capabilities Anoob Joseph
                         ` (10 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Tejasree Kondoj, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Vamsi Attunuru, Lukasz Bartosik, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

Adding security in eth device configure.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 doc/guides/nics/octeontx2.rst               |  20 +++++
 doc/guides/rel_notes/release_20_02.rst      |   9 ++
 drivers/crypto/octeontx2/otx2_ipsec_fp.h    |  55 +++++++++++++
 drivers/net/octeontx2/Makefile              |   3 +
 drivers/net/octeontx2/meson.build           |   5 +-
 drivers/net/octeontx2/otx2_ethdev.c         |  17 +++-
 drivers/net/octeontx2/otx2_ethdev.h         |   2 +
 drivers/net/octeontx2/otx2_ethdev_devargs.c |  19 +++++
 drivers/net/octeontx2/otx2_ethdev_sec.c     | 122 ++++++++++++++++++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.h     |   4 +
 10 files changed, 254 insertions(+), 2 deletions(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h

diff --git a/doc/guides/nics/octeontx2.rst b/doc/guides/nics/octeontx2.rst
index db62a45..fd4e455 100644
--- a/doc/guides/nics/octeontx2.rst
+++ b/doc/guides/nics/octeontx2.rst
@@ -38,6 +38,7 @@ Features of the OCTEON TX2 Ethdev PMD are:
 - IEEE1588 timestamping
 - HW offloaded `ethdev Rx queue` to `eventdev event queue` packet injection
 - Support Rx interrupt
+- Inline IPsec processing support
 
 Prerequisites
 -------------
@@ -178,6 +179,17 @@ Runtime Config Options
    traffic on this port should be higig2 traffic only. Supported switch header
    types are "higig2" and "dsa".
 
+- ``Max SPI for inbound inline IPsec`` (default ``1``)
+
+   Max SPI supported for inbound inline IPsec processing can be specified by
+   ``ipsec_in_max_spi`` ``devargs`` parameter.
+
+   For example::
+      -w 0002:02:00.0,ipsec_in_max_spi=128
+
+   With the above configuration, application can enable inline IPsec processing
+   on 128 SAs (SPI 0-127).
+
 .. note::
 
    Above devarg parameters are configurable per device, user needs to pass the
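Review bot: The literal block under "For example::" has no blank line before the indented -w line, so the RST literal block will not render; add an empty line after the "::". It would also help to state here that the value must lie in 1-65535, matching the range registered for ipsec_in_max_spi in otx2_ethdev_devargs.c, since the inbound SA table is sized from it.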
@@ -211,6 +223,14 @@ SDP interface support
 ~~~~~~~~~~~~~~~~~~~~~
 OCTEON TX2 SDP interface support is limited to PF device, No VF support.
 
+Inline Protocol Processing
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+``net_octeontx2`` pmd doesn't support the following features for packets to be
+inline protocol processed.
+- TSO offload
+- VLAN/QinQ offload
+- Fragmentation
+
 Debugging Options
 -----------------
 
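Review bot: The three items under "Inline Protocol Processing" follow the paragraph with no blank line, so RST folds them into the paragraph text instead of rendering a list; insert an empty line before "- TSO offload". "pmd" should be written "PMD".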
diff --git a/doc/guides/rel_notes/release_20_02.rst b/doc/guides/rel_notes/release_20_02.rst
index d19a7f5..7b9139c 100644
--- a/doc/guides/rel_notes/release_20_02.rst
+++ b/doc/guides/rel_notes/release_20_02.rst
@@ -166,6 +166,15 @@ New Features
   armv8 crypto library is not used anymore. Library name is changed
   from armv8_crypto to AArch64crypto.
 
+* **Added inline IPsec support to Marvell OCTEON TX2 PMD.**
+
+  Added inline IPsec support to Marvell OCTEON TX2 PMD. With the feature,
+  applications would be able to offload entire IPsec offload to the hardware.
+  For the configured sessions, hardware will do the lookup and perform
+  decryption and IPsec transformation. For the outbound path, application
+  can submit a plain packet to the PMD, and it would be sent out on wire
+  after doing encryption and IPsec transformation of the packet.
+
 Removed Items
 -------------
 
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_fp.h b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
new file mode 100644
index 0000000..bf4181a
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
@@ -0,0 +1,55 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2020 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_IPSEC_FP_H__
+#define __OTX2_IPSEC_FP_H__
+
+struct otx2_ipsec_fp_sa_ctl {
+	rte_be32_t spi          : 32;
+	uint64_t exp_proto_inter_frag : 8;
+	uint64_t rsvd_42_40   : 3;
+	uint64_t esn_en       : 1;
+	uint64_t rsvd_45_44   : 2;
+	uint64_t encap_type   : 2;
+	uint64_t enc_type     : 3;
+	uint64_t rsvd_48      : 1;
+	uint64_t auth_type    : 4;
+	uint64_t valid        : 1;
+	uint64_t direction    : 1;
+	uint64_t outer_ip_ver : 1;
+	uint64_t inner_ip_ver : 1;
+	uint64_t ipsec_mode   : 1;
+	uint64_t ipsec_proto  : 1;
+	uint64_t aes_key_len  : 2;
+};
+
+struct otx2_ipsec_fp_in_sa {
+	/* w0 */
+	struct otx2_ipsec_fp_sa_ctl ctl;
+
+	/* w1 */
+	uint8_t nonce[4]; /* Only for AES-GCM */
+	uint32_t unused;
+
+	/* w2 */
+	uint32_t esn_low;
+	uint32_t esn_hi;
+
+	/* w3-w6 */
+	uint8_t cipher_key[32];
+
+	/* w7-w12 */
+	uint8_t hmac_key[48];
+
+	RTE_STD_C11
+	union {
+		void *userdata;
+		uint64_t udata64;
+	};
+
+	uint64_t reserved1;
+	uint64_t reserved2;
+};
+
+#endif /* __OTX2_IPSEC_FP_H__ */
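Review bot: otx2_ipsec_fp.h uses rte_be32_t, the fixed-width integer types and RTE_STD_C11 but includes no header, so it only compiles when the includer has already pulled in rte_byteorder.h and rte_common.h; include them here. struct otx2_ipsec_fp_sa_ctl is marked as word w0 of the SA, yet its layout depends on how the compiler packs a rte_be32_t bit-field next to uint64_t bit-fields; a build-time check that sizeof(struct otx2_ipsec_fp_sa_ctl) == 8 would catch a mismatch. The anonymous union and the reserved words also lack the word-offset comments the other fields carry.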
diff --git a/drivers/net/octeontx2/Makefile b/drivers/net/octeontx2/Makefile
index 8649f89..0de43e3 100644
--- a/drivers/net/octeontx2/Makefile
+++ b/drivers/net/octeontx2/Makefile
@@ -10,7 +10,9 @@ include $(RTE_SDK)/mk/rte.vars.mk
 LIB = librte_pmd_octeontx2.a
 
 CFLAGS += $(WERROR_FLAGS)
+CFLAGS += -I$(RTE_SDK)/drivers/common/cpt
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
 CFLAGS += -O3
@@ -56,5 +58,6 @@ SRCS-$(CONFIG_RTE_LIBRTE_OCTEONTX2_PMD) += \
 
 LDLIBS += -lrte_common_octeontx2 -lrte_mempool_octeontx2 -lrte_eal -lrte_net
 LDLIBS += -lrte_ethdev -lrte_bus_pci -lrte_kvargs -lrte_mbuf  -lrte_mempool -lm
+LDLIBS += -lrte_cryptodev -lrte_eventdev -lrte_security
 
 include $(RTE_SDK)/mk/rte.lib.mk
diff --git a/drivers/net/octeontx2/meson.build b/drivers/net/octeontx2/meson.build
index dfbf99a..04cf58f 100644
--- a/drivers/net/octeontx2/meson.build
+++ b/drivers/net/octeontx2/meson.build
@@ -25,7 +25,7 @@ sources = files('otx2_rx.c',
 		'otx2_ethdev_devargs.c'
 		)
 
-deps += ['bus_pci', 'cryptodev', 'security']
+deps += ['bus_pci', 'cryptodev', 'eventdev', 'security']
 deps += ['common_octeontx2', 'mempool_octeontx2']
 
 cflags += ['-flax-vector-conversions']
@@ -41,3 +41,6 @@ foreach flag: extra_flags
 		cflags += flag
 	endif
 endforeach
+
+includes += include_directories('../../common/cpt')
+includes += include_directories('../../crypto/octeontx2')
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index 7fd5254..e8ae779 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -339,6 +339,10 @@ nix_cq_rq_init(struct rte_eth_dev *eth_dev, struct otx2_eth_dev *dev,
 	aq->op = NIX_AQ_INSTOP_INIT;
 
 	aq->rq.sso_ena = 0;
+
+	if (rxq->offloads & DEV_RX_OFFLOAD_SECURITY)
+		aq->rq.ipsech_ena = 1;
+
 	aq->rq.cq = qid; /* RQ to CQ 1:1 mapped */
 	aq->rq.spb_ena = 0;
 	aq->rq.lpb_aura = npa_lf_aura_handle_to_aura(mp->pool_id);
@@ -1612,6 +1616,7 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev)
 
 	/* Free the resources allocated from the previous configure */
 	if (dev->configured == 1) {
+		otx2_eth_sec_fini(eth_dev);
 		otx2_nix_rxchan_bpid_cfg(eth_dev, false);
 		otx2_nix_vlan_fini(eth_dev);
 		otx2_nix_mc_addr_list_uninstall(eth_dev);
@@ -1722,10 +1727,15 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev)
 		goto cq_fini;
 	}
 
+	/* Enable security */
+	rc = otx2_eth_sec_init(eth_dev);
+	if (rc)
+		goto cq_fini;
+
 	rc = otx2_nix_mc_addr_list_install(eth_dev);
 	if (rc < 0) {
 		otx2_err("Failed to install mc address list rc=%d", rc);
-		goto cq_fini;
+		goto sec_fini;
 	}
 
 	/*
@@ -1761,6 +1771,8 @@ otx2_nix_configure(struct rte_eth_dev *eth_dev)
 
 uninstall_mc_list:
 	otx2_nix_mc_addr_list_uninstall(eth_dev);
+sec_fini:
+	otx2_eth_sec_fini(eth_dev);
 cq_fini:
 	oxt2_nix_unregister_cq_irqs(eth_dev);
 q_irq_fini:
@@ -2350,6 +2362,9 @@ otx2_eth_dev_uninit(struct rte_eth_dev *eth_dev, bool mbox_close)
 	if (rc)
 		otx2_err("Failed to cleanup npa lf, rc=%d", rc);
 
+	/* Disable security */
+	otx2_eth_sec_fini(eth_dev);
+
 	/* Destroy security ctx */
 	otx2_eth_sec_ctx_destroy(eth_dev);
 
diff --git a/drivers/net/octeontx2/otx2_ethdev.h b/drivers/net/octeontx2/otx2_ethdev.h
index 3f3fdec..60b535a 100644
--- a/drivers/net/octeontx2/otx2_ethdev.h
+++ b/drivers/net/octeontx2/otx2_ethdev.h
@@ -324,6 +324,8 @@ struct otx2_eth_dev {
 	bool mc_tbl_set;
 	struct otx2_nix_mc_filter_tbl mc_fltr_tbl;
 	bool sdp_link; /* SDP flag */
+	/* Inline IPsec params */
+	uint16_t ipsec_in_max_spi;
 } __rte_cache_aligned;
 
 struct otx2_eth_txq {
diff --git a/drivers/net/octeontx2/otx2_ethdev_devargs.c b/drivers/net/octeontx2/otx2_ethdev_devargs.c
index 04da1ab..a3f7598 100644
--- a/drivers/net/octeontx2/otx2_ethdev_devargs.c
+++ b/drivers/net/octeontx2/otx2_ethdev_devargs.c
@@ -64,6 +64,19 @@ parse_reta_size(const char *key, const char *value, void *extra_args)
 }
 
 static int
+parse_ipsec_in_max_spi(const char *key, const char *value, void *extra_args)
+{
+	RTE_SET_USED(key);
+	uint32_t val;
+
+	val = atoi(value);
+
+	*(uint16_t *)extra_args = val;
+
+	return 0;
+}
+
+static int
 parse_flag(const char *key, const char *value, void *extra_args)
 {
 	RTE_SET_USED(key);
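Review bot: parse_ipsec_in_max_spi() converts with atoi() and stores the result through a uint16_t pointer with no range check, so 0, negative numbers, non-numeric text and anything above 65535 are accepted and silently truncated. That value sizes the inbound SA memzone and is used as ipsec_in_max_spi - 1 for sa_idx_max in otx2_ethdev_sec.c, so 0 yields a zero-length table and an sa_idx_max derived from -1. Parse with strtoul(), reject values outside the 1-65535 range advertised in RTE_PMD_REGISTER_PARAM_STRING, and return a negative error so the bad devarg is reported.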
@@ -104,6 +117,7 @@ parse_switch_header_type(const char *key, const char *value, void *extra_args)
 }
 
 #define OTX2_RSS_RETA_SIZE "reta_size"
+#define OTX2_IPSEC_IN_MAX_SPI "ipsec_in_max_spi"
 #define OTX2_SCL_ENABLE "scalar_enable"
 #define OTX2_MAX_SQB_COUNT "max_sqb_count"
 #define OTX2_FLOW_PREALLOC_SIZE "flow_prealloc_size"
@@ -118,6 +132,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 	uint16_t flow_prealloc_size = 8;
 	uint16_t switch_header_type = 0;
 	uint16_t flow_max_priority = 3;
+	uint16_t ipsec_in_max_spi = 1;
 	uint16_t scalar_enable = 0;
 	struct rte_kvargs *kvlist;
 
@@ -130,6 +145,8 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 
 	rte_kvargs_process(kvlist, OTX2_RSS_RETA_SIZE,
 			   &parse_reta_size, &rss_size);
+	rte_kvargs_process(kvlist, OTX2_IPSEC_IN_MAX_SPI,
+			   &parse_ipsec_in_max_spi, &ipsec_in_max_spi);
 	rte_kvargs_process(kvlist, OTX2_SCL_ENABLE,
 			   &parse_flag, &scalar_enable);
 	rte_kvargs_process(kvlist, OTX2_MAX_SQB_COUNT,
@@ -143,6 +160,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 	rte_kvargs_free(kvlist);
 
 null_devargs:
+	dev->ipsec_in_max_spi = ipsec_in_max_spi;
 	dev->scalar_ena = scalar_enable;
 	dev->max_sqb_count = sqb_count;
 	dev->rss_info.rss_size = rss_size;
@@ -157,6 +175,7 @@ otx2_ethdev_parse_devargs(struct rte_devargs *devargs, struct otx2_eth_dev *dev)
 
 RTE_PMD_REGISTER_PARAM_STRING(net_octeontx2,
 			      OTX2_RSS_RETA_SIZE "=<64|128|256>"
+			      OTX2_IPSEC_IN_MAX_SPI "=<1-65535>"
 			      OTX2_SCL_ENABLE "=1"
 			      OTX2_MAX_SQB_COUNT "=<8-512>"
 			      OTX2_FLOW_PREALLOC_SIZE "=<1-32>"
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index 80c5689..ed68152 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -3,10 +3,35 @@
  */
 
 #include <rte_ethdev.h>
+#include <rte_eventdev.h>
 #include <rte_malloc.h>
+#include <rte_memzone.h>
 #include <rte_security.h>
 
+#include "otx2_ethdev.h"
 #include "otx2_ethdev_sec.h"
+#include "otx2_ipsec_fp.h"
+
+#define ETH_SEC_MAX_PKT_LEN	1450
+
+struct eth_sec_tag_const {
+	RTE_STD_C11
+	union {
+		struct {
+			uint32_t rsvd_11_0  : 12;
+			uint32_t port       : 8;
+			uint32_t event_type : 4;
+			uint32_t rsvd_31_24 : 8;
+		};
+		uint32_t u32;
+	};
+};
+
+static inline void
+in_sa_mz_name_get(char *name, int size, uint16_t port)
+{
+	snprintf(name, size, "otx2_ipsec_in_sadb_%u", port);
+}
 
 int
 otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev)
@@ -33,3 +58,100 @@ otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev)
 {
 	rte_free(eth_dev->security_ctx);
 }
+
+static int
+eth_sec_ipsec_cfg(struct rte_eth_dev *eth_dev, uint8_t tt)
+{
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	struct nix_inline_ipsec_lf_cfg *req;
+	struct otx2_mbox *mbox = dev->mbox;
+	struct eth_sec_tag_const tag_const;
+	char name[RTE_MEMZONE_NAMESIZE];
+	const struct rte_memzone *mz;
+
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL)
+		return -EINVAL;
+
+	req = otx2_mbox_alloc_msg_nix_inline_ipsec_lf_cfg(mbox);
+	req->enable = 1;
+	req->sa_base_addr = mz->iova;
+
+	req->ipsec_cfg0.tt = tt;
+
+	tag_const.u32 = 0;
+	tag_const.event_type = RTE_EVENT_TYPE_ETHDEV;
+	tag_const.port = port;
+	req->ipsec_cfg0.tag_const = tag_const.u32;
+
+	req->ipsec_cfg0.sa_pow2_size =
+			rte_log2_u32(sizeof(struct otx2_ipsec_fp_in_sa));
+	req->ipsec_cfg0.lenm1_max = ETH_SEC_MAX_PKT_LEN - 1;
+
+	req->ipsec_cfg1.sa_idx_w = rte_log2_u32(dev->ipsec_in_max_spi);
+	req->ipsec_cfg1.sa_idx_max = dev->ipsec_in_max_spi - 1;
+
+	return otx2_mbox_process(mbox);
+}
+
+int
+otx2_eth_sec_init(struct rte_eth_dev *eth_dev)
+{
+	const size_t sa_width = sizeof(struct otx2_ipsec_fp_in_sa);
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	char name[RTE_MEMZONE_NAMESIZE];
+	const struct rte_memzone *mz;
+	int mz_sz, ret;
+	uint16_t nb_sa;
+
+	RTE_BUILD_BUG_ON(sa_width < 32 || sa_width > 512 ||
+			 !RTE_IS_POWER_OF_2(sa_width));
+
+	if (!(dev->tx_offloads & DEV_TX_OFFLOAD_SECURITY) &&
+	    !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
+		return 0;
+
+	nb_sa = dev->ipsec_in_max_spi;
+	mz_sz = nb_sa * sa_width;
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	mz = rte_memzone_reserve_aligned(name, mz_sz, rte_socket_id(),
+					 RTE_MEMZONE_IOVA_CONTIG, OTX2_ALIGN);
+
+	if (mz == NULL) {
+		otx2_err("Could not allocate inbound SA DB");
+		return -ENOMEM;
+	}
+
+	memset(mz->addr, 0, mz_sz);
+
+	ret = eth_sec_ipsec_cfg(eth_dev, SSO_TT_ORDERED);
+	if (ret < 0) {
+		otx2_err("Could not configure inline IPsec");
+		goto sec_fini;
+	}
+
+	return 0;
+
+sec_fini:
+	otx2_err("Could not configure device for security");
+	otx2_eth_sec_fini(eth_dev);
+	return ret;
+}
+
+void
+otx2_eth_sec_fini(struct rte_eth_dev *eth_dev)
+{
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	char name[RTE_MEMZONE_NAMESIZE];
+
+	if (!(dev->tx_offloads & DEV_TX_OFFLOAD_SECURITY) &&
+	    !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
+		return;
+
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	rte_memzone_free(rte_memzone_lookup(name));
+}
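Review bot: otx2_eth_sec_fini() frees the inbound SA memzone but never sends a nix_inline_ipsec_lf_cfg message with enable = 0, so the hardware is left configured with the sa_base_addr of memory that has been returned to the allocator. Disable inline IPsec through the mbox before rte_memzone_free(), and clear the zone first, since each otx2_ipsec_fp_in_sa entry holds cipher_key and hmac_key. In eth_sec_ipsec_cfg() the result of otx2_mbox_alloc_msg_nix_inline_ipsec_lf_cfg() is dereferenced without a NULL check, and in otx2_eth_sec_init() a configuration failure logs two error lines for one event.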
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.h b/drivers/net/octeontx2/otx2_ethdev_sec.h
index 4a925e9..60d4a29 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.h
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.h
@@ -11,4 +11,8 @@ int otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev);
 
 void otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev);
 
+int otx2_eth_sec_init(struct rte_eth_dev *eth_dev);
+
+void otx2_eth_sec_fini(struct rte_eth_dev *eth_dev);
+
 #endif /* __OTX2_ETHDEV_SEC_H__ */
-- 
2.7.4



* [dpdk-dev] [PATCH v4 06/15] net/octeontx2: add eth security capabilities
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
                         ` (4 preceding siblings ...)
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 05/15] net/octeontx2: add security in eth dev configure Anoob Joseph
@ 2020-02-04 11:17       ` Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 07/15] crypto/octeontx2: enable CPT to share QP with ethdev Anoob Joseph
                         ` (9 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

From: Ankur Dwivedi <adwivedi@marvell.com>

Adding security capabilities supported by the eth PMD.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/net/octeontx2/otx2_ethdev_sec.c | 124 ++++++++++++++++++++++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.h |  18 +++++
 2 files changed, 142 insertions(+)

diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index ed68152..d0b2dba 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -2,11 +2,13 @@
  * Copyright (C) 2020 Marvell International Ltd.
  */
 
+#include <rte_cryptodev.h>
 #include <rte_ethdev.h>
 #include <rte_eventdev.h>
 #include <rte_malloc.h>
 #include <rte_memzone.h>
 #include <rte_security.h>
+#include <rte_security_driver.h>
 
 #include "otx2_ethdev.h"
 #include "otx2_ethdev_sec.h"
@@ -27,12 +29,133 @@ struct eth_sec_tag_const {
 	};
 };
 
+static struct rte_cryptodev_capabilities otx2_eth_sec_crypto_caps[] = {
+	{	/* AES GCM */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			{.aead = {
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.digest_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				},
+				.aad_size = {
+					.min = 8,
+					.max = 12,
+					.increment = 4
+				},
+				.iv_size = {
+					.min = 12,
+					.max = 12,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+	{	/* AES CBC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.iv_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+	{	/* SHA1 HMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
+				.block_size = 64,
+				.key_size = {
+					.min = 20,
+					.max = 64,
+					.increment = 1
+				},
+				.digest_size = {
+					.min = 12,
+					.max = 12,
+					.increment = 0
+				},
+			}, }
+		}, }
+	},
+	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
+};
+
+static const struct rte_security_capability otx2_eth_sec_capabilities[] = {
+	{	/* IPsec Inline Protocol ESP Tunnel Ingress */
+		.action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+			.options = { 0 }
+		},
+		.crypto_capabilities = otx2_eth_sec_crypto_caps,
+		.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
+	},
+	{	/* IPsec Inline Protocol ESP Tunnel Egress */
+		.action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = {
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+			.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+			.options = { 0 }
+		},
+		.crypto_capabilities = otx2_eth_sec_crypto_caps,
+		.ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
+	},
+	{
+		.action = RTE_SECURITY_ACTION_TYPE_NONE
+	}
+};
+
 static inline void
 in_sa_mz_name_get(char *name, int size, uint16_t port)
 {
 	snprintf(name, size, "otx2_ipsec_in_sadb_%u", port);
 }
 
+static unsigned int
+otx2_eth_sec_session_get_size(void *device __rte_unused)
+{
+	return sizeof(struct otx2_sec_session);
+}
+
+static const struct rte_security_capability *
+otx2_eth_sec_capabilities_get(void *device __rte_unused)
+{
+	return otx2_eth_sec_capabilities;
+}
+
+static struct rte_security_ops otx2_eth_sec_ops = {
+	.session_get_size	= otx2_eth_sec_session_get_size,
+	.capabilities_get	= otx2_eth_sec_capabilities_get
+};
+
 int
 otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev)
 {
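Review bot: The ingress entry in otx2_eth_sec_capabilities sets .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA, which is a Tx offload flag; if it is only meaningful for egress, drop it from the RTE_SECURITY_IPSEC_SA_DIR_INGRESS entry. otx2_eth_sec_crypto_caps and otx2_eth_sec_ops are never written after initialisation and can be declared const like otx2_eth_sec_capabilities.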
@@ -46,6 +169,7 @@ otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev)
 	/* Populate ctx */
 
 	ctx->device = eth_dev;
+	ctx->ops = &otx2_eth_sec_ops;
 	ctx->sess_cnt = 0;
 
 	eth_dev->security_ctx = ctx;
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.h b/drivers/net/octeontx2/otx2_ethdev_sec.h
index 60d4a29..8bdc9f0 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.h
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.h
@@ -7,6 +7,24 @@
 
 #include <rte_ethdev.h>
 
+#include "otx2_ipsec_fp.h"
+
+/*
+ * Security session for inline IPsec protocol offload. This is private data of
+ * inline capable PMD.
+ */
+struct otx2_sec_session_ipsec_ip {
+	int dummy;
+};
+
+struct otx2_sec_session_ipsec {
+	struct otx2_sec_session_ipsec_ip ip;
+};
+
+struct otx2_sec_session {
+	struct otx2_sec_session_ipsec ipsec;
+} __rte_cache_aligned;
+
 int otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev);
 
 void otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev);
-- 
2.7.4



* [dpdk-dev] [PATCH v4 07/15] crypto/octeontx2: enable CPT to share QP with ethdev
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
                         ` (5 preceding siblings ...)
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 06/15] net/octeontx2: add eth security capabilities Anoob Joseph
@ 2020-02-04 11:17       ` Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 08/15] net/octeontx2: add eth security session operations Anoob Joseph
                         ` (8 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

Adding the infrastructure to save one opaque pointer in idev and
implement the consumer-producer in the PMDs which uses it accordingly.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/common/octeontx2/otx2_sec_idev.c           | 92 ++++++++++++++++++++++
 drivers/common/octeontx2/otx2_sec_idev.h           | 21 +++++
 .../octeontx2/rte_common_octeontx2_version.map     |  3 +
 .../crypto/octeontx2/otx2_cryptodev_hw_access.h    | 22 +-----
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c      | 17 ++++
 drivers/crypto/octeontx2/otx2_cryptodev_qp.h       | 35 ++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.c            |  9 +++
 7 files changed, 178 insertions(+), 21 deletions(-)
 create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_qp.h

diff --git a/drivers/common/octeontx2/otx2_sec_idev.c b/drivers/common/octeontx2/otx2_sec_idev.c
index 532abde..e924078 100644
--- a/drivers/common/octeontx2/otx2_sec_idev.c
+++ b/drivers/common/octeontx2/otx2_sec_idev.c
@@ -2,12 +2,16 @@
  * Copyright(C) 2020 Marvell International Ltd.
  */
 
+#include <rte_atomic.h>
 #include <rte_bus_pci.h>
 #include <rte_ethdev.h>
+#include <rte_spinlock.h>
 
 #include "otx2_common.h"
 #include "otx2_sec_idev.h"
 
+static struct otx2_sec_idev_cfg sec_cfg[OTX2_MAX_INLINE_PORTS];
+
 /**
  * @internal
  * Check if rte_eth_dev is security offload capable otx2_eth_dev
@@ -26,3 +30,91 @@ otx2_eth_dev_is_sec_capable(struct rte_eth_dev *eth_dev)
 
 	return 0;
 }
+
+int
+otx2_sec_idev_cfg_init(int port_id)
+{
+	struct otx2_sec_idev_cfg *cfg;
+	int i;
+
+	cfg = &sec_cfg[port_id];
+	cfg->tx_cpt_idx = 0;
+	rte_spinlock_init(&cfg->tx_cpt_lock);
+
+	for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+		cfg->tx_cpt[i].qp = NULL;
+		rte_atomic16_set(&cfg->tx_cpt[i].ref_cnt, 0);
+	}
+
+	return 0;
+}
+
+int
+otx2_sec_idev_tx_cpt_qp_add(uint16_t port_id, struct otx2_cpt_qp *qp)
+{
+	struct otx2_sec_idev_cfg *cfg;
+	int i, ret;
+
+	if (qp == NULL || port_id > OTX2_MAX_INLINE_PORTS)
+		return -EINVAL;
+
+	cfg = &sec_cfg[port_id];
+
+	/* Find a free slot to save CPT LF */
+
+	rte_spinlock_lock(&cfg->tx_cpt_lock);
+
+	for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+		if (cfg->tx_cpt[i].qp == NULL) {
+			cfg->tx_cpt[i].qp = qp;
+			ret = 0;
+			goto unlock;
+		}
+	}
+
+	ret = -EINVAL;
+
+unlock:
+	rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	return ret;
+}
+
+int
+otx2_sec_idev_tx_cpt_qp_remove(struct otx2_cpt_qp *qp)
+{
+	struct otx2_sec_idev_cfg *cfg;
+	uint16_t port_id;
+	int i, ret;
+
+	if (qp == NULL)
+		return -EINVAL;
+
+	for (port_id = 0; port_id < OTX2_MAX_INLINE_PORTS; port_id++) {
+		cfg = &sec_cfg[port_id];
+
+		rte_spinlock_lock(&cfg->tx_cpt_lock);
+
+		for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+			if (cfg->tx_cpt[i].qp != qp)
+				continue;
+
+			/* Don't free if the QP is in use by any sec session */
+			if (rte_atomic16_read(&cfg->tx_cpt[i].ref_cnt)) {
+				ret = -EBUSY;
+			} else {
+				cfg->tx_cpt[i].qp = NULL;
+				ret = 0;
+			}
+
+			goto unlock;
+		}
+
+		rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	}
+
+	return -ENOENT;
+
+unlock:
+	rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	return ret;
+}
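Review bot: The bounds check in otx2_sec_idev_tx_cpt_qp_add() is off by one: `port_id > OTX2_MAX_INLINE_PORTS` accepts port_id == OTX2_MAX_INLINE_PORTS, and `sec_cfg[port_id]` then indexes one element past the end of the static array, so the spinlock and slot writes land outside it. Use `port_id >= OTX2_MAX_INLINE_PORTS`. otx2_sec_idev_cfg_init() has the same exposure with no check at all: it takes a signed `int port_id` and writes through `&sec_cfg[port_id]` directly. Take a uint16_t like the other functions and return -EINVAL when it is out of range. Minor: a full table in otx2_sec_idev_tx_cpt_qp_add() returns -EINVAL, the same code as a bad argument; -ENOSPC would let the caller tell the two apart.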
diff --git a/drivers/common/octeontx2/otx2_sec_idev.h b/drivers/common/octeontx2/otx2_sec_idev.h
index a5d929e..20d71d0 100644
--- a/drivers/common/octeontx2/otx2_sec_idev.h
+++ b/drivers/common/octeontx2/otx2_sec_idev.h
@@ -7,6 +7,27 @@
 
 #include <rte_ethdev.h>
 
+#define OTX2_MAX_CPT_QP_PER_PORT 64
+#define OTX2_MAX_INLINE_PORTS 64
+
+struct otx2_cpt_qp;
+
+struct otx2_sec_idev_cfg {
+	struct {
+		struct otx2_cpt_qp *qp;
+		rte_atomic16_t ref_cnt;
+	} tx_cpt[OTX2_MAX_CPT_QP_PER_PORT];
+
+	uint16_t tx_cpt_idx;
+	rte_spinlock_t tx_cpt_lock;
+};
+
 uint8_t otx2_eth_dev_is_sec_capable(struct rte_eth_dev *eth_dev);
 
+int otx2_sec_idev_cfg_init(int port_id);
+
+int otx2_sec_idev_tx_cpt_qp_add(uint16_t port_id, struct otx2_cpt_qp *qp);
+
+int otx2_sec_idev_tx_cpt_qp_remove(struct otx2_cpt_qp *qp);
+
 #endif /* _OTX2_SEC_IDEV_H_ */
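Review bot: struct otx2_sec_idev_cfg uses rte_atomic16_t and rte_spinlock_t, but the visible context of this header includes only <rte_ethdev.h>; the <rte_atomic.h> and <rte_spinlock.h> includes were added to otx2_sec_idev.c instead. Any other file that includes otx2_sec_idev.h (otx2_ethdev_sec.c does so later in this patch) gets those types only transitively. Move both includes into the header. Also, otx2_sec_idev_cfg_init() is declared with `int port_id` while otx2_sec_idev_tx_cpt_qp_add() takes `uint16_t port_id`; pick one type for the port id across the API.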
diff --git a/drivers/common/octeontx2/rte_common_octeontx2_version.map b/drivers/common/octeontx2/rte_common_octeontx2_version.map
index 724fa35..775aca8 100644
--- a/drivers/common/octeontx2/rte_common_octeontx2_version.map
+++ b/drivers/common/octeontx2/rte_common_octeontx2_version.map
@@ -28,6 +28,9 @@ DPDK_20.0 {
 	otx2_npa_pf_func_get;
 	otx2_npa_set_defaults;
 	otx2_register_irq;
+	otx2_sec_idev_cfg_init;
+	otx2_sec_idev_tx_cpt_qp_add;
+	otx2_sec_idev_tx_cpt_qp_remove;
 	otx2_sso_pf_func_get;
 	otx2_sso_pf_func_set;
 	otx2_unregister_irq;
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h b/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h
index 6f78aa4..43db6a6 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_hw_access.h
@@ -15,6 +15,7 @@
 #include "cpt_mcode_defines.h"
 
 #include "otx2_dev.h"
+#include "otx2_cryptodev_qp.h"
 
 /* CPT instruction queue length */
 #define OTX2_CPT_IQ_LEN			8200
@@ -135,27 +136,6 @@ enum cpt_9x_comp_e {
 	CPT_9X_COMP_E_LAST_ENTRY = 0x06
 };
 
-struct otx2_cpt_qp {
-	uint32_t id;
-	/**< Queue pair id */
-	uintptr_t base;
-	/**< Base address where BAR is mapped */
-	void *lmtline;
-	/**< Address of LMTLINE */
-	rte_iova_t lf_nq_reg;
-	/**< LF enqueue register address */
-	struct pending_queue pend_q;
-	/**< Pending queue */
-	struct rte_mempool *sess_mp;
-	/**< Session mempool */
-	struct rte_mempool *sess_mp_priv;
-	/**< Session private data mempool */
-	struct cpt_qp_meta_info meta_info;
-	/**< Metabuf info required to support operations on the queue pair */
-	rte_iova_t iq_dma_addr;
-	/**< Instruction queue address */
-};
-
 void otx2_cpt_err_intr_unregister(const struct rte_cryptodev *dev);
 
 int otx2_cpt_err_intr_register(const struct rte_cryptodev *dev);
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index 005b0a9..7eebb49 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -149,6 +149,11 @@ otx2_cpt_qp_inline_cfg(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp)
 	if (ret)
 		return ret;
 
+	/* Publish inline Tx QP to eth dev security */
+	ret = otx2_sec_idev_tx_cpt_qp_add(port_id, qp);
+	if (ret)
+		return ret;
+
 	return 0;
 }
 
@@ -243,6 +248,12 @@ otx2_cpt_qp_create(const struct rte_cryptodev *dev, uint16_t qp_id,
 
 	qp->lf_nq_reg = qp->base + OTX2_CPT_LF_NQ(0);
 
+	ret = otx2_sec_idev_tx_cpt_qp_remove(qp);
+	if (ret && (ret != -ENOENT)) {
+		CPT_LOG_ERR("Could not delete inline configuration");
+		goto mempool_destroy;
+	}
+
 	otx2_cpt_iq_disable(qp);
 
 	ret = otx2_cpt_qp_inline_cfg(dev, qp);
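Review bot: The otx2_sec_idev_tx_cpt_qp_remove(qp) call in otx2_cpt_qp_create() needs a comment explaining why a QP that is still being constructed could already be in the inline table. If the intent is to clear a stale entry left by an earlier QP at the same address, say so, and state what -EBUSY means on this path, since it implies a security session still holds a reference to that entry. The log text "Could not delete inline configuration" is copied from the destroy path and will be confusing when it fires during create.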
@@ -276,6 +287,12 @@ otx2_cpt_qp_destroy(const struct rte_cryptodev *dev, struct otx2_cpt_qp *qp)
 	char name[RTE_MEMZONE_NAMESIZE];
 	int ret;
 
+	ret = otx2_sec_idev_tx_cpt_qp_remove(qp);
+	if (ret && (ret != -ENOENT)) {
+		CPT_LOG_ERR("Could not delete inline configuration");
+		return ret;
+	}
+
 	otx2_cpt_iq_disable(qp);
 
 	otx2_cpt_metabuf_mempool_destroy(qp);
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_qp.h b/drivers/crypto/octeontx2/otx2_cryptodev_qp.h
new file mode 100644
index 0000000..9d48da4
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_qp.h
@@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2020 Marvell International Ltd.
+ */
+
+#ifndef _OTX2_CRYPTODEV_QP_H_
+#define _OTX2_CRYPTODEV_QP_H_
+
+#include <rte_common.h>
+#include <rte_mempool.h>
+#include <rte_spinlock.h>
+
+#include "cpt_common.h"
+
+struct otx2_cpt_qp {
+	uint32_t id;
+	/**< Queue pair id */
+	uintptr_t base;
+	/**< Base address where BAR is mapped */
+	void *lmtline;
+	/**< Address of LMTLINE */
+	rte_iova_t lf_nq_reg;
+	/**< LF enqueue register address */
+	struct pending_queue pend_q;
+	/**< Pending queue */
+	struct rte_mempool *sess_mp;
+	/**< Session mempool */
+	struct rte_mempool *sess_mp_priv;
+	/**< Session private data mempool */
+	struct cpt_qp_meta_info meta_info;
+	/**< Metabuf info required to support operations on the queue pair */
+	rte_iova_t iq_dma_addr;
+	/**< Instruction queue address */
+};
+
+#endif /* _OTX2_CRYPTODEV_QP_H_ */
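Review bot: <rte_spinlock.h> is included in the new otx2_cryptodev_qp.h, but struct otx2_cpt_qp has no spinlock member and nothing else in the header uses one. Drop the include, or move it to otx2_sec_idev.h where rte_spinlock_t is actually used.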
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index d0b2dba..8859042 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -10,9 +10,11 @@
 #include <rte_security.h>
 #include <rte_security_driver.h>
 
+#include "otx2_cryptodev_qp.h"
 #include "otx2_ethdev.h"
 #include "otx2_ethdev_sec.h"
 #include "otx2_ipsec_fp.h"
+#include "otx2_sec_idev.h"
 
 #define ETH_SEC_MAX_PKT_LEN	1450
 
@@ -160,12 +162,19 @@ int
 otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev)
 {
 	struct rte_security_ctx *ctx;
+	int ret;
 
 	ctx = rte_malloc("otx2_eth_sec_ctx",
 			 sizeof(struct rte_security_ctx), 0);
 	if (ctx == NULL)
 		return -ENOMEM;
 
+	ret = otx2_sec_idev_cfg_init(eth_dev->data->port_id);
+	if (ret) {
+		rte_free(ctx);
+		return ret;
+	}
+
 	/* Populate ctx */
 
 	ctx->device = eth_dev;
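Review bot: Calling otx2_sec_idev_cfg_init() unconditionally from otx2_eth_sec_ctx_create() makes the table contents depend on initialisation order: cfg_init sets every tx_cpt[i].qp to NULL and every ref_cnt to 0, so any CPT QP already published for this port through otx2_sec_idev_tx_cpt_qp_add() is silently dropped, along with any outstanding reference counts. Either document that the security ctx must be created before the crypto QPs are configured, or make the init idempotent so it does not wipe live entries. eth_dev->data->port_id is also passed through without being checked against OTX2_MAX_INLINE_PORTS, and cfg_init does not check it either.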
-- 
2.7.4



* [dpdk-dev] [PATCH v4 08/15] net/octeontx2: add eth security session operations
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
                         ` (6 preceding siblings ...)
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 07/15] crypto/octeontx2: enable CPT to share QP with ethdev Anoob Joseph
@ 2020-02-04 11:17       ` Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 09/15] net/octeontx2: add datapath ops in eth security ctx Anoob Joseph
                         ` (7 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Anoob Joseph, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

Adding security session operations in eth security ctx.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/common/octeontx2/otx2_sec_idev.c           |  63 ++++
 drivers/common/octeontx2/otx2_sec_idev.h           |   4 +
 .../octeontx2/rte_common_octeontx2_version.map     |   2 +
 drivers/crypto/octeontx2/otx2_ipsec_fp.h           | 295 +++++++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.c            | 362 +++++++++++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.h            |  84 ++++-
 6 files changed, 809 insertions(+), 1 deletion(-)

diff --git a/drivers/common/octeontx2/otx2_sec_idev.c b/drivers/common/octeontx2/otx2_sec_idev.c
index e924078..4e65ce2 100644
--- a/drivers/common/octeontx2/otx2_sec_idev.c
+++ b/drivers/common/octeontx2/otx2_sec_idev.c
@@ -118,3 +118,66 @@ otx2_sec_idev_tx_cpt_qp_remove(struct otx2_cpt_qp *qp)
 	rte_spinlock_unlock(&cfg->tx_cpt_lock);
 	return ret;
 }
+
+int
+otx2_sec_idev_tx_cpt_qp_get(uint16_t port_id, struct otx2_cpt_qp **qp)
+{
+	struct otx2_sec_idev_cfg *cfg;
+	uint16_t index;
+	int i, ret;
+
+	if (port_id > OTX2_MAX_INLINE_PORTS || qp == NULL)
+		return -EINVAL;
+
+	cfg = &sec_cfg[port_id];
+
+	rte_spinlock_lock(&cfg->tx_cpt_lock);
+
+	index = cfg->tx_cpt_idx;
+
+	/* Get the next index with valid data */
+	for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+		if (cfg->tx_cpt[index].qp != NULL)
+			break;
+		index = (index + 1) % OTX2_MAX_CPT_QP_PER_PORT;
+	}
+
+	if (i >= OTX2_MAX_CPT_QP_PER_PORT) {
+		ret = -EINVAL;
+		goto unlock;
+	}
+
+	*qp = cfg->tx_cpt[index].qp;
+	rte_atomic16_inc(&cfg->tx_cpt[index].ref_cnt);
+
+	cfg->tx_cpt_idx = (index + 1) % OTX2_MAX_CPT_QP_PER_PORT;
+
+	ret = 0;
+
+unlock:
+	rte_spinlock_unlock(&cfg->tx_cpt_lock);
+	return ret;
+}
+
+int
+otx2_sec_idev_tx_cpt_qp_put(struct otx2_cpt_qp *qp)
+{
+	struct otx2_sec_idev_cfg *cfg;
+	uint16_t port_id;
+	int i;
+
+	if (qp == NULL)
+		return -EINVAL;
+
+	for (port_id = 0; port_id < OTX2_MAX_INLINE_PORTS; port_id++) {
+		cfg = &sec_cfg[port_id];
+		for (i = 0; i < OTX2_MAX_CPT_QP_PER_PORT; i++) {
+			if (cfg->tx_cpt[i].qp == qp) {
+				rte_atomic16_dec(&cfg->tx_cpt[i].ref_cnt);
+				return 0;
+			}
+		}
+	}
+
+	return -EINVAL;
+}
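Review bot: otx2_sec_idev_tx_cpt_qp_get() repeats the off-by-one from the previous patch: `port_id > OTX2_MAX_INLINE_PORTS` lets port_id == OTX2_MAX_INLINE_PORTS index past the end of sec_cfg[]; it should be `>=`. Separately, otx2_sec_idev_tx_cpt_qp_put() walks tx_cpt[] and compares the qp pointers without taking tx_cpt_lock, while add and remove modify those pointers under the lock, so a put can race with a remove on the same slot. Take the lock around the search, as otx2_sec_idev_tx_cpt_qp_remove() does. The rte_atomic16_dec() is also unguarded: a double put drives ref_cnt negative, after which remove returns -EBUSY for that QP indefinitely. Checking that the count is non-zero before decrementing would turn that into an error return.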
diff --git a/drivers/common/octeontx2/otx2_sec_idev.h b/drivers/common/octeontx2/otx2_sec_idev.h
index 20d71d0..c681f50 100644
--- a/drivers/common/octeontx2/otx2_sec_idev.h
+++ b/drivers/common/octeontx2/otx2_sec_idev.h
@@ -30,4 +30,8 @@ int otx2_sec_idev_tx_cpt_qp_add(uint16_t port_id, struct otx2_cpt_qp *qp);
 
 int otx2_sec_idev_tx_cpt_qp_remove(struct otx2_cpt_qp *qp);
 
+int otx2_sec_idev_tx_cpt_qp_put(struct otx2_cpt_qp *qp);
+
+int otx2_sec_idev_tx_cpt_qp_get(uint16_t port_id, struct otx2_cpt_qp **qp);
+
 #endif /* _OTX2_SEC_IDEV_H_ */
diff --git a/drivers/common/octeontx2/rte_common_octeontx2_version.map b/drivers/common/octeontx2/rte_common_octeontx2_version.map
index 775aca8..19a7b19 100644
--- a/drivers/common/octeontx2/rte_common_octeontx2_version.map
+++ b/drivers/common/octeontx2/rte_common_octeontx2_version.map
@@ -31,6 +31,8 @@ DPDK_20.0 {
 	otx2_sec_idev_cfg_init;
 	otx2_sec_idev_tx_cpt_qp_add;
 	otx2_sec_idev_tx_cpt_qp_remove;
+	otx2_sec_idev_tx_cpt_qp_get;
+	otx2_sec_idev_tx_cpt_qp_put;
 	otx2_sso_pf_func_get;
 	otx2_sso_pf_func_set;
 	otx2_unregister_irq;
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_fp.h b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
index bf4181a..52b3b41 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_fp.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_fp.h
@@ -5,6 +5,67 @@
 #ifndef __OTX2_IPSEC_FP_H__
 #define __OTX2_IPSEC_FP_H__
 
+#include <rte_crypto_sym.h>
+#include <rte_security.h>
+
+enum {
+	OTX2_IPSEC_FP_SA_DIRECTION_INBOUND = 0,
+	OTX2_IPSEC_FP_SA_DIRECTION_OUTBOUND = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_IP_VERSION_4 = 0,
+	OTX2_IPSEC_FP_SA_IP_VERSION_6 = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_MODE_TRANSPORT = 0,
+	OTX2_IPSEC_FP_SA_MODE_TUNNEL = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_PROTOCOL_AH = 0,
+	OTX2_IPSEC_FP_SA_PROTOCOL_ESP = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_AES_KEY_LEN_128 = 1,
+	OTX2_IPSEC_FP_SA_AES_KEY_LEN_192 = 2,
+	OTX2_IPSEC_FP_SA_AES_KEY_LEN_256 = 3,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_ENC_NULL = 0,
+	OTX2_IPSEC_FP_SA_ENC_DES_CBC = 1,
+	OTX2_IPSEC_FP_SA_ENC_3DES_CBC = 2,
+	OTX2_IPSEC_FP_SA_ENC_AES_CBC = 3,
+	OTX2_IPSEC_FP_SA_ENC_AES_CTR = 4,
+	OTX2_IPSEC_FP_SA_ENC_AES_GCM = 5,
+	OTX2_IPSEC_FP_SA_ENC_AES_CCM = 6,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_AUTH_NULL = 0,
+	OTX2_IPSEC_FP_SA_AUTH_MD5 = 1,
+	OTX2_IPSEC_FP_SA_AUTH_SHA1 = 2,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_224 = 3,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_256 = 4,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_384 = 5,
+	OTX2_IPSEC_FP_SA_AUTH_SHA2_512 = 6,
+	OTX2_IPSEC_FP_SA_AUTH_AES_GMAC = 7,
+	OTX2_IPSEC_FP_SA_AUTH_AES_XCBC_128 = 8,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_FRAG_POST = 0,
+	OTX2_IPSEC_FP_SA_FRAG_PRE = 1,
+};
+
+enum {
+	OTX2_IPSEC_FP_SA_ENCAP_NONE = 0,
+	OTX2_IPSEC_FP_SA_ENCAP_UDP = 1,
+};
+
 struct otx2_ipsec_fp_sa_ctl {
 	rte_be32_t spi          : 32;
 	uint64_t exp_proto_inter_frag : 8;
@@ -24,6 +85,26 @@ struct otx2_ipsec_fp_sa_ctl {
 	uint64_t aes_key_len  : 2;
 };
 
+struct otx2_ipsec_fp_out_sa {
+	/* w0 */
+	struct otx2_ipsec_fp_sa_ctl ctl;
+
+	/* w1 */
+	uint8_t nonce[4];
+	uint16_t udp_src;
+	uint16_t udp_dst;
+
+	/* w2 */
+	uint32_t ip_src;
+	uint32_t ip_dst;
+
+	/* w3-w6 */
+	uint8_t cipher_key[32];
+
+	/* w7-w12 */
+	uint8_t hmac_key[48];
+};
+
 struct otx2_ipsec_fp_in_sa {
 	/* w0 */
 	struct otx2_ipsec_fp_sa_ctl ctl;
@@ -52,4 +133,218 @@ struct otx2_ipsec_fp_in_sa {
 	uint64_t reserved2;
 };
 
+static inline int
+ipsec_fp_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
+{
+	if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		switch (xform->cipher.key.length) {
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return -ENOTSUP;
+		}
+		return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_fp_xform_auth_verify(struct rte_crypto_sym_xform *xform)
+{
+	uint16_t keylen = xform->auth.key.length;
+
+	if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+		if (keylen >= 20 && keylen <= 64)
+			return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_fp_xform_aead_verify(struct rte_security_ipsec_xform *ipsec,
+			   struct rte_crypto_sym_xform *xform)
+{
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+	    xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
+		return -EINVAL;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+	    xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
+		return -EINVAL;
+
+	if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+		switch (xform->aead.key.length) {
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return -EINVAL;
+		}
+		return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_fp_xform_verify(struct rte_security_ipsec_xform *ipsec,
+		      struct rte_crypto_sym_xform *xform)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	int ret;
+
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+		return ipsec_fp_xform_aead_verify(ipsec, xform);
+
+	if (xform->next == NULL)
+		return -EINVAL;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		/* Ingress */
+		if (xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+		    xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+			return -EINVAL;
+		auth_xform = xform;
+		cipher_xform = xform->next;
+	} else {
+		/* Egress */
+		if (xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+		    xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+			return -EINVAL;
+		cipher_xform = xform;
+		auth_xform = xform->next;
+	}
+
+	ret = ipsec_fp_xform_cipher_verify(cipher_xform);
+	if (ret)
+		return ret;
+
+	ret = ipsec_fp_xform_auth_verify(auth_xform);
+	if (ret)
+		return ret;
+
+	return 0;
+}
+
+static inline int
+ipsec_fp_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
+		    struct rte_crypto_sym_xform *xform,
+		    struct otx2_ipsec_fp_sa_ctl *ctl)
+{
+	struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
+	int aes_key_len;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		ctl->direction = OTX2_IPSEC_FP_SA_DIRECTION_OUTBOUND;
+		cipher_xform = xform;
+		auth_xform = xform->next;
+	} else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		ctl->direction = OTX2_IPSEC_FP_SA_DIRECTION_INBOUND;
+		auth_xform = xform;
+		cipher_xform = xform->next;
+	} else {
+		return -EINVAL;
+	}
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+			ctl->outer_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_4;
+		else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
+			ctl->outer_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_6;
+		else
+			return -EINVAL;
+	}
+
+	ctl->inner_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_4;
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
+		ctl->ipsec_mode = OTX2_IPSEC_FP_SA_MODE_TRANSPORT;
+	else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+		ctl->ipsec_mode = OTX2_IPSEC_FP_SA_MODE_TUNNEL;
+	else
+		return -EINVAL;
+
+	if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
+		ctl->ipsec_proto = OTX2_IPSEC_FP_SA_PROTOCOL_AH;
+	else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
+		ctl->ipsec_proto = OTX2_IPSEC_FP_SA_PROTOCOL_ESP;
+	else
+		return -EINVAL;
+
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+			ctl->enc_type = OTX2_IPSEC_FP_SA_ENC_AES_GCM;
+			aes_key_len = xform->aead.key.length;
+		} else {
+			return -ENOTSUP;
+		}
+	} else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		ctl->enc_type = OTX2_IPSEC_FP_SA_ENC_AES_CBC;
+		aes_key_len = cipher_xform->cipher.key.length;
+	} else {
+		return -ENOTSUP;
+	}
+
+	switch (aes_key_len) {
+	case 16:
+		ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_128;
+		break;
+	case 24:
+		ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_192;
+		break;
+	case 32:
+		ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_256;
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	if (xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
+		switch (auth_xform->auth.algo) {
+		case RTE_CRYPTO_AUTH_NULL:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_NULL;
+			break;
+		case RTE_CRYPTO_AUTH_MD5_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_MD5;
+			break;
+		case RTE_CRYPTO_AUTH_SHA1_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA1;
+			break;
+		case RTE_CRYPTO_AUTH_SHA224_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_224;
+			break;
+		case RTE_CRYPTO_AUTH_SHA256_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_256;
+			break;
+		case RTE_CRYPTO_AUTH_SHA384_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_384;
+			break;
+		case RTE_CRYPTO_AUTH_SHA512_HMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_512;
+			break;
+		case RTE_CRYPTO_AUTH_AES_GMAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_AES_GMAC;
+			break;
+		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+			ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_AES_XCBC_128;
+			break;
+		default:
+			return -ENOTSUP;
+		}
+	}
+
+	if (ipsec->options.esn == 1)
+		ctl->esn_en = 1;
+
+	ctl->spi = rte_cpu_to_be_32(ipsec->spi);
+	ctl->valid = 1;
+
+	return 0;
+}
+
 #endif /* __OTX2_IPSEC_FP_H__ */
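Review bot: ipsec_fp_xform_cipher_verify() and ipsec_fp_xform_auth_verify() never check the operation against the SA direction, unlike ipsec_fp_xform_aead_verify(), which rejects an egress SA whose aead.op is not ENCRYPT and an ingress SA whose op is not DECRYPT. The cipher+auth chain should get the equivalent checks on cipher.op and auth.op so a mismatched xform fails at session create. The verify and set stages are also inconsistent: auth_verify accepts only RTE_CRYPTO_AUTH_SHA1_HMAC, yet the auth switch in ipsec_fp_sa_ctl_set() carries cases for NULL, MD5, SHA2, GMAC and XCBC that cannot be reached through ipsec_fp_xform_verify(). Drop them until they are supported or extend the verify function with per-algorithm key length limits. Minor: an unsupported key length returns -ENOTSUP in the cipher path and -EINVAL in the AEAD path, and inner_ip_ver is set to IPv4 unconditionally without a comment saying inner IPv6 is unsupported.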
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index 8859042..2ec2598 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -141,6 +141,366 @@ in_sa_mz_name_get(char *name, int size, uint16_t port)
 	snprintf(name, size, "otx2_ipsec_in_sadb_%u", port);
 }
 
+static struct otx2_ipsec_fp_in_sa *
+in_sa_get(uint16_t port, int sa_index)
+{
+	char name[RTE_MEMZONE_NAMESIZE];
+	struct otx2_ipsec_fp_in_sa *sa;
+	const struct rte_memzone *mz;
+
+	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL) {
+		otx2_err("Could not get the memzone reserved for IN SA DB");
+		return NULL;
+	}
+
+	sa = mz->addr;
+
+	return sa + sa_index;
+}
+
+static int
+hmac_init(struct otx2_ipsec_fp_sa_ctl *ctl, struct otx2_cpt_qp *qp,
+	  const uint8_t *auth_key, int len, uint8_t *hmac_key)
+{
+	struct inst_data {
+		struct otx2_cpt_res cpt_res;
+		uint8_t buffer[64];
+	} *md;
+
+	volatile struct otx2_cpt_res *res;
+	uint64_t timeout, lmt_status;
+	struct otx2_cpt_inst_s inst;
+	rte_iova_t md_iova;
+	int ret;
+
+	memset(&inst, 0, sizeof(struct otx2_cpt_inst_s));
+
+	md = rte_zmalloc(NULL, sizeof(struct inst_data), OTX2_CPT_RES_ALIGN);
+	if (md == NULL)
+		return -ENOMEM;
+
+	memcpy(md->buffer, auth_key, len);
+
+	md_iova = rte_malloc_virt2iova(md);
+	if (md_iova == RTE_BAD_IOVA) {
+		ret = -EINVAL;
+		goto free_md;
+	}
+
+	inst.res_addr = md_iova + offsetof(struct inst_data, cpt_res);
+	inst.opcode = OTX2_CPT_OP_WRITE_HMAC_IPAD_OPAD;
+	inst.param2 = ctl->auth_type;
+	inst.dlen = len;
+	inst.dptr = md_iova + offsetof(struct inst_data, buffer);
+	inst.rptr = inst.dptr;
+	inst.egrp = OTX2_CPT_EGRP_INLINE_IPSEC;
+
+	md->cpt_res.compcode = 0;
+	md->cpt_res.uc_compcode = 0xff;
+
+	timeout = rte_get_timer_cycles() + 5 * rte_get_timer_hz();
+
+	rte_cio_wmb();
+
+	do {
+		otx2_lmt_mov(qp->lmtline, &inst, 2);
+		lmt_status = otx2_lmt_submit(qp->lf_nq_reg);
+	} while (lmt_status == 0);
+
+	res = (volatile struct otx2_cpt_res *)&md->cpt_res;
+
+	/* Wait until instruction completes or times out */
+	while (res->uc_compcode == 0xff) {
+		if (rte_get_timer_cycles() > timeout)
+			break;
+	}
+
+	if (res->u16[0] != OTX2_SEC_COMP_GOOD) {
+		ret = -EIO;
+		goto free_md;
+	}
+
+	/* Retrieve the ipad and opad from rptr */
+	memcpy(hmac_key, md->buffer, 48);
+
+	ret = 0;
+
+free_md:
+	rte_free(md);
+	return ret;
+}
+
+static int
+eth_sec_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
+			      struct rte_security_ipsec_xform *ipsec,
+			      struct rte_crypto_sym_xform *crypto_xform,
+			      struct rte_security_session *sec_sess)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	struct otx2_sec_session_ipsec_ip *sess;
+	uint16_t port = eth_dev->data->port_id;
+	int cipher_key_len, auth_key_len, ret;
+	const uint8_t *cipher_key, *auth_key;
+	struct otx2_ipsec_fp_sa_ctl *ctl;
+	struct otx2_ipsec_fp_out_sa *sa;
+	struct otx2_sec_session *priv;
+	struct otx2_cpt_qp *qp;
+
+	priv = get_sec_session_private_data(sec_sess);
+	sess = &priv->ipsec.ip;
+
+	sa = &sess->out_sa;
+	ctl = &sa->ctl;
+	if (ctl->valid) {
+		otx2_err("SA already registered");
+		return -EINVAL;
+	}
+
+	memset(sess, 0, sizeof(struct otx2_sec_session_ipsec_ip));
+
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+		memcpy(sa->nonce, &ipsec->salt, 4);
+
+	if (ipsec->options.udp_encap == 1) {
+		sa->udp_src = 4500;
+		sa->udp_dst = 4500;
+	}
+
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+			memcpy(&sa->ip_src, &ipsec->tunnel.ipv4.src_ip,
+			       sizeof(struct in_addr));
+			memcpy(&sa->ip_dst, &ipsec->tunnel.ipv4.dst_ip,
+			       sizeof(struct in_addr));
+		} else {
+			return -EINVAL;
+		}
+	} else {
+		return -EINVAL;
+	}
+
+	cipher_xform = crypto_xform;
+	auth_xform = crypto_xform->next;
+
+	cipher_key_len = 0;
+	auth_key_len = 0;
+	auth_key = NULL;
+
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		cipher_key = crypto_xform->aead.key.data;
+		cipher_key_len = crypto_xform->aead.key.length;
+	} else {
+		cipher_key = cipher_xform->cipher.key.data;
+		cipher_key_len = cipher_xform->cipher.key.length;
+		auth_key = auth_xform->auth.key.data;
+		auth_key_len = auth_xform->auth.key.length;
+	}
+
+	if (cipher_key_len != 0)
+		memcpy(sa->cipher_key, cipher_key, cipher_key_len);
+	else
+		return -EINVAL;
+
+	/* Get CPT QP to be used for this SA */
+	ret = otx2_sec_idev_tx_cpt_qp_get(port, &qp);
+	if (ret)
+		return ret;
+
+	sess->qp = qp;
+
+	sess->cpt_lmtline = qp->lmtline;
+	sess->cpt_nq_reg = qp->lf_nq_reg;
+
+	/* Populate control word */
+	ret = ipsec_fp_sa_ctl_set(ipsec, crypto_xform, ctl);
+	if (ret)
+		goto cpt_put;
+
+	if (auth_key_len && auth_key) {
+		ret = hmac_init(ctl, qp, auth_key, auth_key_len, sa->hmac_key);
+		if (ret)
+			goto cpt_put;
+	}
+
+	return 0;
+cpt_put:
+	otx2_sec_idev_tx_cpt_qp_put(sess->qp);
+	return ret;
+}
+
+static int
+eth_sec_ipsec_in_sess_create(struct rte_eth_dev *eth_dev,
+			     struct rte_security_ipsec_xform *ipsec,
+			     struct rte_crypto_sym_xform *crypto_xform,
+			     struct rte_security_session *sec_sess)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	struct otx2_sec_session_ipsec_ip *sess;
+	uint16_t port = eth_dev->data->port_id;
+	int cipher_key_len, auth_key_len, ret;
+	const uint8_t *cipher_key, *auth_key;
+	struct otx2_ipsec_fp_sa_ctl *ctl;
+	struct otx2_ipsec_fp_in_sa *sa;
+	struct otx2_sec_session *priv;
+	struct otx2_cpt_qp *qp;
+
+	if (ipsec->spi >= dev->ipsec_in_max_spi) {
+		otx2_err("SPI exceeds max supported");
+		return -EINVAL;
+	}
+
+	sa = in_sa_get(port, ipsec->spi);
+	ctl = &sa->ctl;
+
+	priv = get_sec_session_private_data(sec_sess);
+	sess = &priv->ipsec.ip;
+
+	if (ctl->valid) {
+		otx2_err("SA already registered");
+		return -EINVAL;
+	}
+
+	memset(sa, 0, sizeof(struct otx2_ipsec_fp_in_sa));
+
+	auth_xform = crypto_xform;
+	cipher_xform = crypto_xform->next;
+
+	cipher_key_len = 0;
+	auth_key_len = 0;
+	auth_key = NULL;
+
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
+			memcpy(sa->nonce, &ipsec->salt, 4);
+		cipher_key = crypto_xform->aead.key.data;
+		cipher_key_len = crypto_xform->aead.key.length;
+	} else {
+		cipher_key = cipher_xform->cipher.key.data;
+		cipher_key_len = cipher_xform->cipher.key.length;
+		auth_key = auth_xform->auth.key.data;
+		auth_key_len = auth_xform->auth.key.length;
+	}
+
+	if (cipher_key_len != 0)
+		memcpy(sa->cipher_key, cipher_key, cipher_key_len);
+	else
+		return -EINVAL;
+
+	sess->in_sa = sa;
+
+	sa->userdata = priv->userdata;
+
+	ret = ipsec_fp_sa_ctl_set(ipsec, crypto_xform, ctl);
+	if (ret)
+		return ret;
+
+	if (auth_key_len && auth_key) {
+		/* Get a queue pair for HMAC init */
+		ret = otx2_sec_idev_tx_cpt_qp_get(port, &qp);
+		if (ret)
+			return ret;
+		ret = hmac_init(ctl, qp, auth_key, auth_key_len, sa->hmac_key);
+		otx2_sec_idev_tx_cpt_qp_put(qp);
+	}
+	return ret;
+}
+
+static int
+eth_sec_ipsec_sess_create(struct rte_eth_dev *eth_dev,
+			  struct rte_security_ipsec_xform *ipsec,
+			  struct rte_crypto_sym_xform *crypto_xform,
+			  struct rte_security_session *sess)
+{
+	int ret;
+
+	ret = ipsec_fp_xform_verify(ipsec, crypto_xform);
+	if (ret)
+		return ret;
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+		return eth_sec_ipsec_in_sess_create(eth_dev, ipsec,
+						    crypto_xform, sess);
+	else
+		return eth_sec_ipsec_out_sess_create(eth_dev, ipsec,
+						     crypto_xform, sess);
+}
+
+static int
+otx2_eth_sec_session_create(void *device,
+			    struct rte_security_session_conf *conf,
+			    struct rte_security_session *sess,
+			    struct rte_mempool *mempool)
+{
+	struct otx2_sec_session *priv;
+	int ret;
+
+	if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
+		return -ENOTSUP;
+
+	if (rte_mempool_get(mempool, (void **)&priv)) {
+		otx2_err("Could not allocate security session private data");
+		return -ENOMEM;
+	}
+
+	set_sec_session_private_data(sess, priv);
+
+	/*
+	 * Save userdata provided by the application. For ingress packets, this
+	 * could be used to identify the SA.
+	 */
+	priv->userdata = conf->userdata;
+
+	if (conf->protocol == RTE_SECURITY_PROTOCOL_IPSEC)
+		ret = eth_sec_ipsec_sess_create(device, &conf->ipsec,
+						conf->crypto_xform,
+						sess);
+	else
+		ret = -ENOTSUP;
+
+	if (ret)
+		goto mempool_put;
+
+	return 0;
+
+mempool_put:
+	rte_mempool_put(mempool, priv);
+	set_sec_session_private_data(sess, NULL);
+	return ret;
+}
+
+static int
+otx2_eth_sec_session_destroy(void *device __rte_unused,
+			     struct rte_security_session *sess)
+{
+	struct otx2_sec_session_ipsec_ip *sess_ip;
+	struct otx2_sec_session *priv;
+	struct rte_mempool *sess_mp;
+	int ret;
+
+	priv = get_sec_session_private_data(sess);
+	if (priv == NULL)
+		return -EINVAL;
+
+	sess_ip = &priv->ipsec.ip;
+
+	/* Release CPT LF used for this session */
+	if (sess_ip->qp != NULL) {
+		ret = otx2_sec_idev_tx_cpt_qp_put(sess_ip->qp);
+		if (ret)
+			return ret;
+	}
+
+	sess_mp = rte_mempool_from_obj(priv);
+
+	set_sec_session_private_data(sess, NULL);
+	rte_mempool_put(sess_mp, priv);
+
+	return 0;
+}
+
 static unsigned int
 otx2_eth_sec_session_get_size(void *device __rte_unused)
 {
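Review bot: eth_sec_ipsec_in_sess_create() dereferences the result of in_sa_get() without a NULL check: in_sa_get() returns NULL when the memzone lookup fails, and the next statements take `&sa->ctl` and read `ctl->valid`. Return an error when sa is NULL. Two further points in this hunk. First, the session private data comes from rte_mempool_get() in otx2_eth_sec_session_create() and is never zeroed, so eth_sec_ipsec_out_sess_create() tests `ctl->valid` on whatever the previous user left there, and for inbound sessions `sess->qp` is never assigned, so otx2_eth_sec_session_destroy() reads an uninitialised pointer and may call otx2_sec_idev_tx_cpt_qp_put() on it; memset priv right after the mempool get. Inbound destroy also never clears `ctl->valid` in the shared SA table, so the SPI cannot be registered again. Second, in hmac_init() a timeout breaks out of the poll loop and falls through to rte_free(md) while the instruction may still be outstanding, so the hardware can write its result and the ipad/opad into memory that has been returned to the heap; the timeout path should not free the buffer until the instruction is known to be complete. The raw auth key and derived pads in md->buffer should be cleared before the free, and the literal 48 in the final memcpy would be clearer as sizeof of the hmac_key field.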
@@ -154,6 +514,8 @@ otx2_eth_sec_capabilities_get(void *device __rte_unused)
 }
 
 static struct rte_security_ops otx2_eth_sec_ops = {
+	.session_create		= otx2_eth_sec_session_create,
+	.session_destroy	= otx2_eth_sec_session_destroy,
 	.session_get_size	= otx2_eth_sec_session_get_size,
 	.capabilities_get	= otx2_eth_sec_capabilities_get
 };
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.h b/drivers/net/octeontx2/otx2_ethdev_sec.h
index 8bdc9f0..87342ef 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.h
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.h
@@ -9,12 +9,92 @@
 
 #include "otx2_ipsec_fp.h"
 
+#define OTX2_CPT_RES_ALIGN		16
+
+#define OTX2_CPT_EGRP_INLINE_IPSEC	1
+
+#define OTX2_CPT_OP_WRITE_HMAC_IPAD_OPAD	(0x40 | 0x27)
+
+#define OTX2_SEC_CPT_COMP_GOOD	0x1
+#define OTX2_SEC_UC_COMP_GOOD	0x0
+#define OTX2_SEC_COMP_GOOD	(OTX2_SEC_UC_COMP_GOOD << 8 | \
+				 OTX2_SEC_CPT_COMP_GOOD)
+
+/* CPT Result */
+struct otx2_cpt_res {
+	union {
+		struct {
+			uint64_t compcode:8;
+			uint64_t uc_compcode:8;
+			uint64_t doneint:1;
+			uint64_t reserved_17_63:47;
+			uint64_t reserved_64_127;
+		};
+		uint16_t u16[8];
+	};
+};
+
+struct otx2_cpt_inst_s {
+	union {
+		struct {
+			/* W0 */
+			uint64_t nixtxl : 3;
+			uint64_t doneint : 1;
+			uint64_t nixtx_addr : 60;
+			/* W1 */
+			uint64_t res_addr : 64;
+			/* W2 */
+			uint64_t tag : 32;
+			uint64_t tt : 2;
+			uint64_t grp : 10;
+			uint64_t rsvd_175_172 : 4;
+			uint64_t rvu_pf_func : 16;
+			/* W3 */
+			uint64_t qord : 1;
+			uint64_t rsvd_194_193 : 2;
+			uint64_t wqe_ptr : 61;
+			/* W4 */
+			uint64_t dlen : 16;
+			uint64_t param2 : 16;
+			uint64_t param1 : 16;
+			uint64_t opcode : 16;
+			/* W5 */
+			uint64_t dptr : 64;
+			/* W6 */
+			uint64_t rptr : 64;
+			/* W7 */
+			uint64_t cptr : 61;
+			uint64_t egrp : 3;
+		};
+		uint64_t u64[8];
+	};
+};
+
 /*
  * Security session for inline IPsec protocol offload. This is private data of
  * inline capable PMD.
  */
 struct otx2_sec_session_ipsec_ip {
-	int dummy;
+	RTE_STD_C11
+	union {
+		/*
+		 * Inbound SA would accessed by crypto block. And so the memory
+		 * is allocated differently and shared with the h/w. Only
+		 * holding a pointer to this memory in the session private
+		 * space.
+		 */
+		void *in_sa;
+		/* Outbound SA */
+		struct otx2_ipsec_fp_out_sa out_sa;
+	};
+
+	/* Address of CPT LMTLINE */
+	void *cpt_lmtline;
+	/* CPT LF enqueue register address */
+	rte_iova_t cpt_nq_reg;
+
+	/* CPT QP used by SA */
+	struct otx2_cpt_qp *qp;
 };
 
 struct otx2_sec_session_ipsec {
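Review bot: The `in_sa` member of struct otx2_sec_session_ipsec_ip is declared `void *`, although this header already includes otx2_ipsec_fp.h and the only value stored in it is a struct otx2_ipsec_fp_in_sa pointer. Declaring it as `struct otx2_ipsec_fp_in_sa *in_sa` keeps type checking on the inbound path. Since in_sa shares an anonymous union with out_sa, a short comment stating which member is valid for which direction would help, because nothing in the struct records the direction. Nit: the comment reads "Inbound SA would accessed"; it should be "would be accessed".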
@@ -23,6 +103,8 @@ struct otx2_sec_session_ipsec {
 
 struct otx2_sec_session {
 	struct otx2_sec_session_ipsec ipsec;
+	void *userdata;
+	/**< Userdata registered by the application */
 } __rte_cache_aligned;
 
 int otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev);
-- 
2.7.4



* [dpdk-dev] [PATCH v4 09/15] net/octeontx2: add datapath ops in eth security ctx
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
                         ` (7 preceding siblings ...)
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 08/15] net/octeontx2: add eth security session operations Anoob Joseph
@ 2020-02-04 11:17       ` Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 10/15] net/octeontx2: add lookup mem changes to hold sa indices Anoob Joseph
                         ` (6 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

From: Ankur Dwivedi <adwivedi@marvell.com>

Adding data path ops in eth security ctx.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/net/octeontx2/otx2_ethdev_sec.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index 2ec2598..e61d383 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -507,6 +507,27 @@ otx2_eth_sec_session_get_size(void *device __rte_unused)
 	return sizeof(struct otx2_sec_session);
 }
 
+static int
+otx2_eth_sec_set_pkt_mdata(void *device __rte_unused,
+			    struct rte_security_session *session,
+			    struct rte_mbuf *m, void *params __rte_unused)
+{
+	/* Set security session as the pkt metadata */
+	m->udata64 = (uint64_t)session;
+
+	return 0;
+}
+
+static int
+otx2_eth_sec_get_userdata(void *device __rte_unused, uint64_t md,
+			   void **userdata)
+{
+	/* Retrieve userdata  */
+	*userdata = (void *)md;
+
+	return 0;
+}
+
 static const struct rte_security_capability *
 otx2_eth_sec_capabilities_get(void *device __rte_unused)
 {
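Review bot: `otx2_eth_sec_set_pkt_mdata()` and `otx2_eth_sec_get_userdata()` cast between pointers and `uint64_t` directly (`(uint64_t)session`, `(void *)md`); going through `uintptr_t` keeps both casts warning-free on targets where pointers are narrower than 64 bits. `get_userdata` hands `md` back unchanged and ignores `device`, so a one-line comment stating what value the driver expects to find in `md` would document the contract. The comment `/* Retrieve userdata  */` also has a stray double space.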
@@ -517,6 +538,8 @@ static struct rte_security_ops otx2_eth_sec_ops = {
 	.session_create		= otx2_eth_sec_session_create,
 	.session_destroy	= otx2_eth_sec_session_destroy,
 	.session_get_size	= otx2_eth_sec_session_get_size,
+	.set_pkt_metadata	= otx2_eth_sec_set_pkt_mdata,
+	.get_userdata		= otx2_eth_sec_get_userdata,
 	.capabilities_get	= otx2_eth_sec_capabilities_get
 };
 
-- 
2.7.4



* [dpdk-dev] [PATCH v4 10/15] net/octeontx2: add lookup mem changes to hold sa indices
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
                         ` (8 preceding siblings ...)
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 09/15] net/octeontx2: add datapath ops in eth security ctx Anoob Joseph
@ 2020-02-04 11:17       ` Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 11/15] net/octeontx2: add inline ipsec Rx path changes Anoob Joseph
                         ` (5 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Archana Muniganti, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dev

From: Archana Muniganti <marchana@marvell.com>

lookup_mem provides fast accessing of data path fields.
Storing sa indices in lookup_mem which are required in
inline rx data path.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/common/octeontx2/otx2_common.h  |  4 +++
 drivers/net/octeontx2/otx2_ethdev_sec.c | 59 +++++++++++++++++++++++++++++++++
 drivers/net/octeontx2/otx2_lookup.c     | 11 ++++--
 3 files changed, 72 insertions(+), 2 deletions(-)

diff --git a/drivers/common/octeontx2/otx2_common.h b/drivers/common/octeontx2/otx2_common.h
index 81d5a71..bf5ea86 100644
--- a/drivers/common/octeontx2/otx2_common.h
+++ b/drivers/common/octeontx2/otx2_common.h
@@ -155,4 +155,8 @@ extern int otx2_logtype_ep;
 #include "otx2_io_generic.h"
 #endif
 
+/* Fastpath lookup */
+#define OTX2_NIX_FASTPATH_LOOKUP_MEM	"otx2_nix_fastpath_lookup_mem"
+#define OTX2_NIX_SA_TBL_START		(4096*4 + 69632*2)
+
 #endif /* _OTX2_COMMON_H_ */
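Review bot: `OTX2_NIX_SA_TBL_START` is defined as the bare expression `(4096*4 + 69632*2)` with no indication of what the two terms are. The `RTE_BUILD_BUG_ON` added in otx2_lookup.c ties it to `PTYPE_ARRAY_SZ + ERR_ARRAY_SZ`, so a comment here naming those two sizes would let someone who changes either array find this constant.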
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index e61d383..4b219b3 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -10,6 +10,7 @@
 #include <rte_security.h>
 #include <rte_security_driver.h>
 
+#include "otx2_common.h"
 #include "otx2_cryptodev_qp.h"
 #include "otx2_ethdev.h"
 #include "otx2_ethdev_sec.h"
@@ -135,6 +136,59 @@ static const struct rte_security_capability otx2_eth_sec_capabilities[] = {
 	}
 };
 
+static void
+lookup_mem_sa_tbl_clear(struct rte_eth_dev *eth_dev)
+{
+	static const char name[] = OTX2_NIX_FASTPATH_LOOKUP_MEM;
+	uint16_t port = eth_dev->data->port_id;
+	const struct rte_memzone *mz;
+	uint64_t **sa_tbl;
+	uint8_t *mem;
+
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL)
+		return;
+
+	mem = mz->addr;
+
+	sa_tbl  = (uint64_t **)RTE_PTR_ADD(mem, OTX2_NIX_SA_TBL_START);
+	if (sa_tbl[port] == NULL)
+		return;
+
+	rte_free(sa_tbl[port]);
+	sa_tbl[port] = NULL;
+}
+
+static int
+lookup_mem_sa_index_update(struct rte_eth_dev *eth_dev, int spi, void *sa)
+{
+	static const char name[] = OTX2_NIX_FASTPATH_LOOKUP_MEM;
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	uint16_t port = eth_dev->data->port_id;
+	const struct rte_memzone *mz;
+	uint64_t **sa_tbl;
+	uint8_t *mem;
+
+	mz = rte_memzone_lookup(name);
+	if (mz == NULL) {
+		otx2_err("Could not find fastpath lookup table");
+		return -EINVAL;
+	}
+
+	mem = mz->addr;
+
+	sa_tbl = (uint64_t **)RTE_PTR_ADD(mem, OTX2_NIX_SA_TBL_START);
+
+	if (sa_tbl[port] == NULL) {
+		sa_tbl[port] = rte_malloc(NULL, dev->ipsec_in_max_spi *
+					  sizeof(uint64_t), 0);
+	}
+
+	sa_tbl[port][spi] = (uint64_t)sa;
+
+	return 0;
+}
+
 static inline void
 in_sa_mz_name_get(char *name, int size, uint16_t port)
 {
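Review bot: in `lookup_mem_sa_index_update()` the result of `rte_malloc()` is not checked before `sa_tbl[port][spi] = (uint64_t)sa`, so an allocation failure becomes a NULL dereference instead of an error return. `spi` is a signed `int` and is not compared against `dev->ipsec_in_max_spi` anywhere in this function, so unless the caller already validates it the store can land outside the allocation; an explicit range check that returns `-EINVAL` belongs here. The table is also allocated with `rte_malloc()` rather than `rte_zmalloc()`, which leaves every slot without an SA holding uninitialised data that the Rx lookup will later read as a pointer.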
@@ -393,6 +447,9 @@ eth_sec_ipsec_in_sess_create(struct rte_eth_dev *eth_dev,
 
 	sa->userdata = priv->userdata;
 
+	if (lookup_mem_sa_index_update(eth_dev, ipsec->spi, sa))
+		return -EINVAL;
+
 	ret = ipsec_fp_sa_ctl_set(ipsec, crypto_xform, ctl);
 	if (ret)
 		return ret;
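Review bot: `lookup_mem_sa_index_update()` is called before `ipsec_fp_sa_ctl_set()`, so when the latter fails and the function returns `ret`, the lookup table keeps an entry pointing at an SA whose setup did not complete. Publish the SA in the table as the last step, or clear the slot on the error path. The call site also replaces whatever the helper returned with `-EINVAL`; propagating the helper's return value would keep different failures distinguishable.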
@@ -670,6 +727,8 @@ otx2_eth_sec_fini(struct rte_eth_dev *eth_dev)
 	    !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
 		return;
 
+	lookup_mem_sa_tbl_clear(eth_dev);
+
 	in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
 	rte_memzone_free(rte_memzone_lookup(name));
 }
diff --git a/drivers/net/octeontx2/otx2_lookup.c b/drivers/net/octeontx2/otx2_lookup.c
index 5685571..89365ff 100644
--- a/drivers/net/octeontx2/otx2_lookup.c
+++ b/drivers/net/octeontx2/otx2_lookup.c
@@ -5,6 +5,7 @@
 #include <rte_common.h>
 #include <rte_memzone.h>
 
+#include "otx2_common.h"
 #include "otx2_ethdev.h"
 
 /* NIX_RX_PARSE_S's ERRCODE + ERRLEV (12 bits) */
@@ -12,7 +13,9 @@
 #define ERR_ARRAY_SZ			((BIT(ERRCODE_ERRLEN_WIDTH)) *\
 					sizeof(uint32_t))
 
-#define LOOKUP_ARRAY_SZ			(PTYPE_ARRAY_SZ + ERR_ARRAY_SZ)
+#define SA_TBL_SZ			(RTE_MAX_ETHPORTS * sizeof(uint64_t))
+#define LOOKUP_ARRAY_SZ			(PTYPE_ARRAY_SZ + ERR_ARRAY_SZ +\
+					SA_TBL_SZ)
 
 const uint32_t *
 otx2_nix_supported_ptypes_get(struct rte_eth_dev *eth_dev)
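Review bot: `SA_TBL_SZ` sizes the per-port table with `sizeof(uint64_t)`, while otx2_ethdev_sec.c and otx2_rx.h treat each slot as a pointer (`uint64_t **sa_tbl`). Writing it as `RTE_MAX_ETHPORTS * sizeof(uint64_t *)`, or adding a comment that each entry is a per-port table pointer, would make the element type match how the region is used.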
@@ -311,10 +314,14 @@ nix_create_rx_ol_flags_array(void *mem)
 void *
 otx2_nix_fastpath_lookup_mem_get(void)
 {
-	const char name[] = "otx2_nix_fastpath_lookup_mem";
+	const char name[] = OTX2_NIX_FASTPATH_LOOKUP_MEM;
 	const struct rte_memzone *mz;
 	void *mem;
 
+	/* SA_TBL starts after PTYPE_ARRAY & ERR_ARRAY */
+	RTE_BUILD_BUG_ON(OTX2_NIX_SA_TBL_START != (PTYPE_ARRAY_SZ +
+						   ERR_ARRAY_SZ));
+
 	mz = rte_memzone_lookup(name);
 	if (mz != NULL)
 		return mz->addr;
-- 
2.7.4



* [dpdk-dev] [PATCH v4 11/15] net/octeontx2: add inline ipsec Rx path changes
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
                         ` (9 preceding siblings ...)
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 10/15] net/octeontx2: add lookup mem changes to hold sa indices Anoob Joseph
@ 2020-02-04 11:17       ` Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 12/15] drivers/octeontx2: add sec in Rx fastpath framework Anoob Joseph
                         ` (4 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Tejasree Kondoj, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Vamsi Attunuru, Lukasz Bartosik, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

Adding post-processing required for inline IPsec inbound packets.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/crypto/octeontx2/Makefile    |  3 +-
 drivers/crypto/octeontx2/meson.build |  2 +
 drivers/event/octeontx2/Makefile     |  1 +
 drivers/event/octeontx2/meson.build  |  2 +
 drivers/net/octeontx2/otx2_rx.h      | 73 ++++++++++++++++++++++++++++++++++++
 5 files changed, 80 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/octeontx2/Makefile b/drivers/crypto/octeontx2/Makefile
index 3ba67ed..1458e2b 100644
--- a/drivers/crypto/octeontx2/Makefile
+++ b/drivers/crypto/octeontx2/Makefile
@@ -11,7 +11,7 @@ LIB = librte_pmd_octeontx2_crypto.a
 CFLAGS += $(WERROR_FLAGS)
 
 LDLIBS += -lrte_eal -lrte_ethdev -lrte_mbuf -lrte_mempool -lrte_ring
-LDLIBS += -lrte_cryptodev
+LDLIBS += -lrte_cryptodev -lrte_security
 LDLIBS += -lrte_pci -lrte_bus_pci
 LDLIBS += -lrte_common_cpt -lrte_common_octeontx2
 
@@ -20,6 +20,7 @@ VPATH += $(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -O3
 CFLAGS += -I$(RTE_SDK)/drivers/common/cpt
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
 CFLAGS += -DALLOW_EXPERIMENTAL_API
diff --git a/drivers/crypto/octeontx2/meson.build b/drivers/crypto/octeontx2/meson.build
index 67deca3..a531799 100644
--- a/drivers/crypto/octeontx2/meson.build
+++ b/drivers/crypto/octeontx2/meson.build
@@ -9,6 +9,7 @@ deps += ['bus_pci']
 deps += ['common_cpt']
 deps += ['common_octeontx2']
 deps += ['ethdev']
+deps += ['security']
 name = 'octeontx2_crypto'
 
 allow_experimental_apis = true
@@ -32,5 +33,6 @@ endforeach
 
 includes += include_directories('../../common/cpt')
 includes += include_directories('../../common/octeontx2')
+includes += include_directories('../../crypto/octeontx2')
 includes += include_directories('../../mempool/octeontx2')
 includes += include_directories('../../net/octeontx2')
diff --git a/drivers/event/octeontx2/Makefile b/drivers/event/octeontx2/Makefile
index 6dab69c..bcd22ee 100644
--- a/drivers/event/octeontx2/Makefile
+++ b/drivers/event/octeontx2/Makefile
@@ -11,6 +11,7 @@ LIB = librte_pmd_octeontx2_event.a
 
 CFLAGS += $(WERROR_FLAGS)
 CFLAGS += -I$(RTE_SDK)/drivers/common/octeontx2
+CFLAGS += -I$(RTE_SDK)/drivers/crypto/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/mempool/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/event/octeontx2
 CFLAGS += -I$(RTE_SDK)/drivers/net/octeontx2
diff --git a/drivers/event/octeontx2/meson.build b/drivers/event/octeontx2/meson.build
index 807818b..56febb8 100644
--- a/drivers/event/octeontx2/meson.build
+++ b/drivers/event/octeontx2/meson.build
@@ -32,3 +32,5 @@ foreach flag: extra_flags
 endforeach
 
 deps += ['bus_pci', 'common_octeontx2', 'mempool_octeontx2', 'pmd_octeontx2']
+
+includes += include_directories('../../crypto/octeontx2')
diff --git a/drivers/net/octeontx2/otx2_rx.h b/drivers/net/octeontx2/otx2_rx.h
index 351ad0f..eac4717 100644
--- a/drivers/net/octeontx2/otx2_rx.h
+++ b/drivers/net/octeontx2/otx2_rx.h
@@ -5,6 +5,12 @@
 #ifndef __OTX2_RX_H__
 #define __OTX2_RX_H__
 
+#include <rte_ether.h>
+
+#include "otx2_common.h"
+#include "otx2_ethdev_sec.h"
+#include "otx2_ipsec_fp.h"
+
 /* Default mark value used when none is provided. */
 #define OTX2_FLOW_ACTION_FLAG_DEFAULT	0xffff
 
@@ -31,6 +37,12 @@
 #define NIX_RX_MULTI_SEG_F            BIT(15)
 #define NIX_TIMESYNC_RX_OFFSET		8
 
+/* Inline IPsec offsets */
+
+#define INLINE_INB_RPTR_HDR		16
+/* nix_cqe_hdr_s + nix_rx_parse_s + nix_rx_sg_s + nix_iova_s */
+#define INLINE_CPT_RESULT_OFFSET	80
+
 struct otx2_timesync_info {
 	uint64_t	rx_tstamp;
 	rte_iova_t	tx_tstamp_iova;
@@ -190,6 +202,60 @@ nix_cqe_xtract_mseg(const struct nix_rx_parse_s *rx,
 	}
 }
 
+static __rte_always_inline uint16_t
+nix_rx_sec_cptres_get(const void *cq)
+{
+	volatile const struct otx2_cpt_res *res;
+
+	res = (volatile const struct otx2_cpt_res *)((const char *)cq +
+			INLINE_CPT_RESULT_OFFSET);
+
+	return res->u16[0];
+}
+
+static __rte_always_inline void *
+nix_rx_sec_sa_get(const void * const lookup_mem, int spi, uint16_t port)
+{
+	const uint64_t *const *sa_tbl = (const uint64_t * const *)
+			((const uint8_t *)lookup_mem + OTX2_NIX_SA_TBL_START);
+
+	return (void *)sa_tbl[port][spi];
+}
+
+static __rte_always_inline uint64_t
+nix_rx_sec_mbuf_update(const struct nix_cqe_hdr_s *cq, struct rte_mbuf *m,
+		       const void * const lookup_mem)
+{
+	struct otx2_ipsec_fp_in_sa *sa;
+	struct rte_ipv4_hdr *ipv4;
+	uint16_t m_len;
+	uint32_t spi;
+	char *data;
+
+	if (unlikely(nix_rx_sec_cptres_get(cq) != OTX2_SEC_COMP_GOOD))
+		return PKT_RX_SEC_OFFLOAD | PKT_RX_SEC_OFFLOAD_FAILED;
+
+	/* 20 bits of tag would have the SPI */
+	spi = cq->tag & 0xFFFFF;
+
+	sa = nix_rx_sec_sa_get(lookup_mem, spi, m->port);
+	m->udata64 = (uint64_t)sa->userdata;
+
+	data = rte_pktmbuf_mtod(m, char *);
+	memcpy(data + INLINE_INB_RPTR_HDR, data, RTE_ETHER_HDR_LEN);
+
+	m->data_off += INLINE_INB_RPTR_HDR;
+
+	ipv4 = (struct rte_ipv4_hdr *)(data + INLINE_INB_RPTR_HDR +
+				       RTE_ETHER_HDR_LEN);
+
+	m_len = rte_be_to_cpu_16(ipv4->total_length) + RTE_ETHER_HDR_LEN;
+
+	m->data_len = m_len;
+	m->pkt_len = m_len;
+	return PKT_RX_SEC_OFFLOAD;
+}
+
 static __rte_always_inline void
 otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 		     struct rte_mbuf *mbuf, const void *lookup_mem,
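Review bot: `nix_rx_sec_sa_get()` indexes `sa_tbl[port][spi]` with no check that `sa_tbl[port]` is non-NULL or that `spi` falls inside the per-port table, and `nix_rx_sec_mbuf_update()` then dereferences the result as `sa->userdata`. `spi` is taken from `cq->tag & 0xFFFFF`, so it can be any 20-bit value, while the table in otx2_ethdev_sec.c is allocated with `dev->ipsec_in_max_spi` entries; either validate the index and the returned pointer here, or document the hardware guarantee that makes the check unnecessary. `m_len` is likewise computed from `ipv4->total_length` read out of the packet and written to `data_len` and `pkt_len` without being bounded by the buffer, and the code assumes the header following the Ethernet header is IPv4.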
@@ -231,6 +297,13 @@ otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 	if (flag & NIX_RX_OFFLOAD_MARK_UPDATE_F)
 		ol_flags = nix_update_match_id(rx->match_id, ol_flags, mbuf);
 
+	if (cq->cqe_type == NIX_XQE_TYPE_RX_IPSECH) {
+		*(uint64_t *)(&mbuf->rearm_data) = val;
+		ol_flags |= nix_rx_sec_mbuf_update(cq, mbuf, lookup_mem);
+		mbuf->ol_flags = ol_flags;
+		return;
+	}
+
 	mbuf->ol_flags = ol_flags;
 	*(uint64_t *)(&mbuf->rearm_data) = val;
 	mbuf->pkt_len = len;
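Review bot: the new `NIX_XQE_TYPE_RX_IPSECH` branch returns before `mbuf->pkt_len = len`, and when `nix_rx_sec_mbuf_update()` takes its `PKT_RX_SEC_OFFLOAD_FAILED` exit it has not written `data_len`, `pkt_len` or `udata64` either. A packet that failed inline processing is therefore handed to the application with those fields not set on this path. Set the lengths from `len` before the completion-code check, or state in a comment that callers must drop such mbufs without reading them.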
-- 
2.7.4



* [dpdk-dev] [PATCH v4 12/15] drivers/octeontx2: add sec in Rx fastpath framework
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
                         ` (10 preceding siblings ...)
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 11/15] net/octeontx2: add inline ipsec Rx path changes Anoob Joseph
@ 2020-02-04 11:17       ` Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 13/15] drivers/octeontx2: add sec in Tx " Anoob Joseph
                         ` (3 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Archana Muniganti, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dev

From: Archana Muniganti <marchana@marvell.com>

Added new flag for SECURITY in Rx compiler optimized fastpath
framework. With this, compiler autogenerates functions which
have security enabled.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/event/octeontx2/otx2_evdev.c       | 134 ++++++++-----
 drivers/event/octeontx2/otx2_evdev.h       |   2 +-
 drivers/event/octeontx2/otx2_worker.c      |   2 +-
 drivers/event/octeontx2/otx2_worker_dual.c |   2 +-
 drivers/net/octeontx2/otx2_ethdev.c        |   3 +
 drivers/net/octeontx2/otx2_rx.c            |  27 +--
 drivers/net/octeontx2/otx2_rx.h            | 306 ++++++++++++++++++++---------
 7 files changed, 320 insertions(+), 156 deletions(-)

diff --git a/drivers/event/octeontx2/otx2_evdev.c b/drivers/event/octeontx2/otx2_evdev.c
index 2daeba4..f6c641a 100644
--- a/drivers/event/octeontx2/otx2_evdev.c
+++ b/drivers/event/octeontx2/otx2_evdev.c
@@ -44,61 +44,64 @@ sso_fastpath_fns_set(struct rte_eventdev *event_dev)
 {
 	struct otx2_sso_evdev *dev = sso_pmd_priv(event_dev);
 	/* Single WS modes */
-	const event_dequeue_t ssogws_deq[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_ ##name,
+	const event_dequeue_t ssogws_deq[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_burst_t ssogws_deq_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_burst_ ##name,
+	const event_dequeue_burst_t ssogws_deq_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_deq_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_timeout_ ##name,
+	const event_dequeue_t ssogws_deq_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_deq_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_deq_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_deq_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_deq_seg[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_ ##name,
+	const event_dequeue_t ssogws_deq_seg[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_burst_t ssogws_deq_seg_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_burst_ ##name,
+	const event_dequeue_burst_t
+		ssogws_deq_seg_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_deq_seg_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_deq_seg_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_deq_seg_timeout_ ##name,
+	const event_dequeue_t ssogws_deq_seg_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_deq_seg_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_deq_seg_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_deq_seg_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 				otx2_ssogws_deq_seg_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
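Review bot: the dequeue tables in `sso_fastpath_fns_set()` are declared `const` but not `static`, and the added `[2]` dimension grows each of them from 64 to 128 function pointers. As automatic arrays they are initialised on every call to this function; declaring them `static const` would keep them in read-only data and avoid the extra stack use now that they have doubled in size.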
@@ -106,64 +109,69 @@ SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 
 
 	/* Dual WS modes */
-	const event_dequeue_t ssogws_dual_deq[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_ ##name,
+	const event_dequeue_t ssogws_dual_deq[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_burst_t ssogws_dual_deq_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_burst_ ##name,
+	const event_dequeue_burst_t
+		ssogws_dual_deq_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_dual_deq_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_timeout_ ##name,
+	const event_dequeue_t ssogws_dual_deq_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_dual_deq_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_timeout_burst_ ##name,
+		ssogws_dual_deq_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =					\
+			otx2_ssogws_dual_deq_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_dual_deq_seg[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_seg_ ##name,
+	const event_dequeue_t ssogws_dual_deq_seg[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] = otx2_ssogws_dual_deq_seg_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_dual_deq_seg_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
-				otx2_ssogws_dual_deq_seg_burst_ ##name,
+		ssogws_dual_deq_seg_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_seg_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
-	const event_dequeue_t ssogws_dual_deq_seg_timeout[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-		[f5][f4][f3][f2][f1][f0] =				\
-				otx2_ssogws_dual_deq_seg_timeout_ ##name,
+	const event_dequeue_t
+		ssogws_dual_deq_seg_timeout[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_seg_timeout_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
 
 	const event_dequeue_burst_t
-		ssogws_dual_deq_seg_timeout_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =					\
-		otx2_ssogws_dual_deq_seg_timeout_burst_ ##name,
+		ssogws_dual_deq_seg_timeout_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_dual_deq_seg_timeout_burst_ ##name,
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 	};
@@ -209,6 +217,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 	event_dev->enqueue_forward_burst	= otx2_ssogws_enq_fwd_burst;
 	if (dev->rx_offloads & NIX_RX_MULTI_SEG_F) {
 		event_dev->dequeue		= ssogws_deq_seg
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
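Review bot: the `NIX_RX_OFFLOAD_SECURITY_F` index has to be inserted first in every one of these subscript chains to match the `f6` position in `R(name, f6, f5, ...)`, and nothing but inspection catches a chain where it is missing or misplaced. `pick_rx_func()` in otx2_rx.c carries a `/* [SEC] [TSTMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */` comment for this; the same comment here, or computing the seven indices once into locals and reusing them, would make the ordering checkable.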
@@ -216,6 +225,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_PTYPE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		event_dev->dequeue_burst	= ssogws_deq_seg_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -224,6 +234,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		if (dev->is_timeout_deq) {
 			event_dev->dequeue	= ssogws_deq_seg_timeout
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -232,6 +243,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst	=
 				ssogws_deq_seg_timeout_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -241,6 +253,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		}
 	} else {
 		event_dev->dequeue			= ssogws_deq
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -248,6 +261,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_PTYPE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		event_dev->dequeue_burst		= ssogws_deq_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -256,6 +270,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 		if (dev->is_timeout_deq) {
 			event_dev->dequeue		= ssogws_deq_timeout
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -264,6 +279,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst	=
 				ssogws_deq_timeout_burst
+			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_SECURITY_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 			[!!(dev->rx_offloads & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -303,6 +319,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		if (dev->rx_offloads & NIX_RX_MULTI_SEG_F) {
 			event_dev->dequeue	= ssogws_dual_deq_seg
 				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -313,6 +331,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_PTYPE_F)]
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst = ssogws_dual_deq_seg_burst
+				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -326,6 +346,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue	=
 					ssogws_dual_deq_seg_timeout
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -340,6 +362,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue_burst =
 					ssogws_dual_deq_seg_timeout_burst
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -355,6 +379,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		} else {
 			event_dev->dequeue		= ssogws_dual_deq
 				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -366,6 +392,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				[!!(dev->rx_offloads & NIX_RX_OFFLOAD_RSS_F)];
 			event_dev->dequeue_burst	= ssogws_dual_deq_burst
 				[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -379,6 +407,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue	=
 					ssogws_dual_deq_timeout
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
@@ -393,6 +423,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 				event_dev->dequeue_burst =
 					ssogws_dual_deq_timeout_burst
 					[!!(dev->rx_offloads &
+						NIX_RX_OFFLOAD_SECURITY_F)]
+					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_TSTAMP_F)]
 					[!!(dev->rx_offloads &
 						NIX_RX_OFFLOAD_MARK_UPDATE_F)]
diff --git a/drivers/event/octeontx2/otx2_evdev.h b/drivers/event/octeontx2/otx2_evdev.h
index ef523dc..5a44fd3 100644
--- a/drivers/event/octeontx2/otx2_evdev.h
+++ b/drivers/event/octeontx2/otx2_evdev.h
@@ -278,7 +278,7 @@ uint16_t otx2_ssogws_dual_enq_fwd_burst(void *port, const struct rte_event ev[],
 					uint16_t nb_events);
 
 /* Auto generated API's */
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				       \
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			       \
 uint16_t otx2_ssogws_deq_ ##name(void *port, struct rte_event *ev,	       \
 				 uint64_t timeout_ticks);		       \
 uint16_t otx2_ssogws_deq_burst_ ##name(void *port, struct rte_event ev[],      \
diff --git a/drivers/event/octeontx2/otx2_worker.c b/drivers/event/octeontx2/otx2_worker.c
index 34d39f4..12445d9 100644
--- a/drivers/event/octeontx2/otx2_worker.c
+++ b/drivers/event/octeontx2/otx2_worker.c
@@ -81,7 +81,7 @@ otx2_ssogws_release_event(struct otx2_ssogws *ws)
 	otx2_ssogws_swtag_flush(ws);
 }
 
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
 uint16_t __hot								\
 otx2_ssogws_deq_ ##name(void *port, struct rte_event *ev,		\
 			uint64_t timeout_ticks)				\
diff --git a/drivers/event/octeontx2/otx2_worker_dual.c b/drivers/event/octeontx2/otx2_worker_dual.c
index 7016eee..22a4889 100644
--- a/drivers/event/octeontx2/otx2_worker_dual.c
+++ b/drivers/event/octeontx2/otx2_worker_dual.c
@@ -140,7 +140,7 @@ otx2_ssogws_dual_enq_fwd_burst(void *port, const struct rte_event ev[],
 	return 1;
 }
 
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
 uint16_t __hot								\
 otx2_ssogws_dual_deq_ ##name(void *port, struct rte_event *ev,		\
 			     uint64_t timeout_ticks)			\
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index e8ae779..cd7bb6a 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -628,6 +628,9 @@ nix_rx_offload_flags(struct rte_eth_dev *eth_dev)
 	if ((dev->rx_offloads & DEV_RX_OFFLOAD_TIMESTAMP))
 		flags |= NIX_RX_OFFLOAD_TSTAMP_F;
 
+	if (dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY)
+		flags |= NIX_RX_OFFLOAD_SECURITY_F;
+
 	if (!dev->ptype_disable)
 		flags |= NIX_RX_OFFLOAD_PTYPE_F;
 
diff --git a/drivers/net/octeontx2/otx2_rx.c b/drivers/net/octeontx2/otx2_rx.c
index dbf6ea6..47641c7 100644
--- a/drivers/net/octeontx2/otx2_rx.c
+++ b/drivers/net/octeontx2/otx2_rx.c
@@ -330,7 +330,7 @@ nix_recv_pkts_vector(void *rx_queue, struct rte_mbuf **rx_pkts,
 
 #endif
 
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			       \
 static uint16_t __rte_noinline	__hot					       \
 otx2_nix_recv_pkts_ ## name(void *rx_queue,				       \
 			struct rte_mbuf **rx_pkts, uint16_t pkts)	       \
@@ -361,12 +361,13 @@ NIX_RX_FASTPATH_MODES
 
 static inline void
 pick_rx_func(struct rte_eth_dev *eth_dev,
-	     const eth_rx_burst_t rx_burst[2][2][2][2][2][2])
+	     const eth_rx_burst_t rx_burst[2][2][2][2][2][2][2])
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	/* [TSTMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
+	/* [SEC] [TSTMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
 	eth_dev->rx_pkt_burst = rx_burst
+		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_SECURITY_F)]
 		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_TSTAMP_F)]
 		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_MARK_UPDATE_F)]
 		[!!(dev->rx_offload_flags & NIX_RX_OFFLOAD_VLAN_STRIP_F)]
@@ -380,25 +381,25 @@ otx2_eth_set_rx_function(struct rte_eth_dev *eth_dev)
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	const eth_rx_burst_t nix_eth_rx_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_ ## name,
+	const eth_rx_burst_t nix_eth_rx_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_ ## name,
 
 NIX_RX_FASTPATH_MODES
 #undef R
 	};
 
-	const eth_rx_burst_t nix_eth_rx_burst_mseg[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_mseg_ ## name,
+	const eth_rx_burst_t nix_eth_rx_burst_mseg[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_mseg_ ## name,
 
 NIX_RX_FASTPATH_MODES
 #undef R
 	};
 
-	const eth_rx_burst_t nix_eth_rx_vec_burst[2][2][2][2][2][2] = {
-#define R(name, f5, f4, f3, f2, f1, f0, flags)				\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_vec_ ## name,
+	const eth_rx_burst_t nix_eth_rx_vec_burst[2][2][2][2][2][2][2] = {
+#define R(name, f6, f5, f4, f3, f2, f1, f0, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_recv_pkts_vec_ ## name,
 
 NIX_RX_FASTPATH_MODES
 #undef R
@@ -418,6 +419,6 @@ NIX_RX_FASTPATH_MODES
 	/* Copy multi seg version with no offload for tear down sequence */
 	if (rte_eal_process_type() == RTE_PROC_PRIMARY)
 		dev->rx_pkt_burst_no_offload =
-			nix_eth_rx_burst_mseg[0][0][0][0][0][0];
+			nix_eth_rx_burst_mseg[0][0][0][0][0][0][0];
 	rte_mb();
 }
diff --git a/drivers/net/octeontx2/otx2_rx.h b/drivers/net/octeontx2/otx2_rx.h
index eac4717..d8648b6 100644
--- a/drivers/net/octeontx2/otx2_rx.h
+++ b/drivers/net/octeontx2/otx2_rx.h
@@ -29,6 +29,7 @@
 #define NIX_RX_OFFLOAD_VLAN_STRIP_F    BIT(3)
 #define NIX_RX_OFFLOAD_MARK_UPDATE_F   BIT(4)
 #define NIX_RX_OFFLOAD_TSTAMP_F        BIT(5)
+#define NIX_RX_OFFLOAD_SECURITY_F      BIT(6)
 
 /* Flags to control cqe_to_mbuf conversion function.
  * Defining it from backwards to denote its been
@@ -297,7 +298,8 @@ otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 	if (flag & NIX_RX_OFFLOAD_MARK_UPDATE_F)
 		ol_flags = nix_update_match_id(rx->match_id, ol_flags, mbuf);
 
-	if (cq->cqe_type == NIX_XQE_TYPE_RX_IPSECH) {
+	if ((flag & NIX_RX_OFFLOAD_SECURITY_F) &&
+	    cq->cqe_type == NIX_XQE_TYPE_RX_IPSECH) {
 		*(uint64_t *)(&mbuf->rearm_data) = val;
 		ol_flags |= nix_rx_sec_mbuf_update(cq, mbuf, lookup_mem);
 		mbuf->ol_flags = ol_flags;
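Review bot: With the added `flag & NIX_RX_OFFLOAD_SECURITY_F` guard in `otx2_nix_cqe_to_mbuf()`, a CQE whose `cqe_type` is `NIX_XQE_TYPE_RX_IPSECH` skips `nix_rx_sec_mbuf_update()` and falls through to the code after this block whenever the selected Rx function was generated without the security flag. Please state in a comment or in the commit message whether such a CQE can reach a queue on a port that did not enable `DEV_RX_OFFLOAD_SECURITY`, and if it can, what should happen to it there, so the fall-through is a documented decision and not a side effect of the compile-time flag.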
@@ -320,94 +322,220 @@ otx2_nix_cqe_to_mbuf(const struct nix_cqe_hdr_s *cq, const uint32_t tag,
 #define RX_VLAN_F  NIX_RX_OFFLOAD_VLAN_STRIP_F
 #define MARK_F  NIX_RX_OFFLOAD_MARK_UPDATE_F
 #define TS_F	NIX_RX_OFFLOAD_TSTAMP_F
+#define RX_SEC_F   NIX_RX_OFFLOAD_SECURITY_F
 
-/* [TSMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
+/* [SEC] [TSMP] [MARK] [VLAN] [CKSUM] [PTYPE] [RSS] */
 #define NIX_RX_FASTPATH_MODES						       \
-R(no_offload,			0, 0, 0, 0, 0, 0, NIX_RX_OFFLOAD_NONE)	\
-R(rss,				0, 0, 0, 0, 0, 1, RSS_F)		\
-R(ptype,			0, 0, 0, 0, 1, 0, PTYPE_F)		\
-R(ptype_rss,			0, 0, 0, 0, 1, 1, PTYPE_F | RSS_F)	\
-R(cksum,			0, 0, 0, 1, 0, 0, CKSUM_F)		\
-R(cksum_rss,			0, 0, 0, 1, 0, 1, CKSUM_F | RSS_F)	\
-R(cksum_ptype,			0, 0, 0, 1, 1, 0, CKSUM_F | PTYPE_F)	\
-R(cksum_ptype_rss,		0, 0, 0, 1, 1, 1, CKSUM_F | PTYPE_F | RSS_F)\
-R(vlan,				0, 0, 1, 0, 0, 0, RX_VLAN_F)		\
-R(vlan_rss,			0, 0, 1, 0, 0, 1, RX_VLAN_F | RSS_F)	\
-R(vlan_ptype,			0, 0, 1, 0, 1, 0, RX_VLAN_F | PTYPE_F)	\
-R(vlan_ptype_rss,		0, 0, 1, 0, 1, 1, RX_VLAN_F | PTYPE_F | RSS_F)\
-R(vlan_cksum,			0, 0, 1, 1, 0, 0, RX_VLAN_F | CKSUM_F)	\
-R(vlan_cksum_rss,		0, 0, 1, 1, 0, 1, RX_VLAN_F | CKSUM_F | RSS_F)\
-R(vlan_cksum_ptype,		0, 0, 1, 1, 1, 0,			\
-			RX_VLAN_F | CKSUM_F | PTYPE_F)			\
-R(vlan_cksum_ptype_rss,		0, 0, 1, 1, 1, 1,			\
-			RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)		\
-R(mark,				0, 1, 0, 0, 0, 0, MARK_F)		\
-R(mark_rss,			0, 1, 0, 0, 0, 1, MARK_F | RSS_F)	\
-R(mark_ptype,			0, 1, 0, 0, 1, 0, MARK_F | PTYPE_F)	\
-R(mark_ptype_rss,		0, 1, 0, 0, 1, 1, MARK_F | PTYPE_F | RSS_F)\
-R(mark_cksum,			0, 1, 0, 1, 0, 0, MARK_F | CKSUM_F)	\
-R(mark_cksum_rss,		0, 1, 0, 1, 0, 1, MARK_F | CKSUM_F | RSS_F)\
-R(mark_cksum_ptype,		0, 1, 0, 1, 1, 0, MARK_F | CKSUM_F | PTYPE_F)\
-R(mark_cksum_ptype_rss,		0, 1, 0, 1, 1, 1,			\
-			MARK_F | CKSUM_F | PTYPE_F | RSS_F)		\
-R(mark_vlan,			0, 1, 1, 0, 0, 0, MARK_F | RX_VLAN_F)	\
-R(mark_vlan_rss,		0, 1, 1, 0, 0, 1, MARK_F | RX_VLAN_F | RSS_F)\
-R(mark_vlan_ptype,		0, 1, 1, 0, 1, 0,			\
-			MARK_F | RX_VLAN_F | PTYPE_F)			\
-R(mark_vlan_ptype_rss,		0, 1, 1, 0, 1, 1,			\
-			MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)		\
-R(mark_vlan_cksum,		0, 1, 1, 1, 0, 0,			\
-			MARK_F | RX_VLAN_F | CKSUM_F)			\
-R(mark_vlan_cksum_rss,		0, 1, 1, 1, 0, 1,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		\
-R(mark_vlan_cksum_ptype,	0, 1, 1, 1, 1, 0,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		\
-R(mark_vlan_cksum_ptype_rss,	0, 1, 1, 1, 1, 1,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	\
-R(ts,				1, 0, 0, 0, 0, 0, TS_F)			\
-R(ts_rss,			1, 0, 0, 0, 0, 1, TS_F | RSS_F)		\
-R(ts_ptype,			1, 0, 0, 0, 1, 0, TS_F | PTYPE_F)	\
-R(ts_ptype_rss,			1, 0, 0, 0, 1, 1, TS_F | PTYPE_F | RSS_F)\
-R(ts_cksum,			1, 0, 0, 1, 0, 0, TS_F | CKSUM_F)	\
-R(ts_cksum_rss,			1, 0, 0, 1, 0, 1, TS_F | CKSUM_F | RSS_F)\
-R(ts_cksum_ptype,		1, 0, 0, 1, 1, 0, TS_F | CKSUM_F | PTYPE_F)\
-R(ts_cksum_ptype_rss,		1, 0, 0, 1, 1, 1,			\
-			TS_F | CKSUM_F | PTYPE_F | RSS_F)		\
-R(ts_vlan,			1, 0, 1, 0, 0, 0, TS_F | RX_VLAN_F)	\
-R(ts_vlan_rss,			1, 0, 1, 0, 0, 1, TS_F | RX_VLAN_F | RSS_F)\
-R(ts_vlan_ptype,		1, 0, 1, 0, 1, 0, TS_F | RX_VLAN_F | PTYPE_F)\
-R(ts_vlan_ptype_rss,		1, 0, 1, 0, 1, 1,			\
-			TS_F | RX_VLAN_F | PTYPE_F | RSS_F)		\
-R(ts_vlan_cksum,		1, 0, 1, 1, 0, 0,			\
-			TS_F | RX_VLAN_F | CKSUM_F)			\
-R(ts_vlan_cksum_rss,		1, 0, 1, 1, 0, 1,			\
-			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		\
-R(ts_vlan_cksum_ptype,		1, 0, 1, 1, 1, 0,			\
-			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		\
-R(ts_vlan_cksum_ptype_rss,	1, 0, 1, 1, 1, 1,			\
-			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	\
-R(ts_mark,			1, 1, 0, 0, 0, 0, TS_F | MARK_F)	\
-R(ts_mark_rss,			1, 1, 0, 0, 0, 1, TS_F | MARK_F | RSS_F)\
-R(ts_mark_ptype,		1, 1, 0, 0, 1, 0, TS_F | MARK_F | PTYPE_F)\
-R(ts_mark_ptype_rss,		1, 1, 0, 0, 1, 1,			\
-			TS_F | MARK_F | PTYPE_F | RSS_F)		\
-R(ts_mark_cksum,		1, 1, 0, 1, 0, 0, TS_F | MARK_F | CKSUM_F)\
-R(ts_mark_cksum_rss,		1, 1, 0, 1, 0, 1,			\
-			TS_F | MARK_F | CKSUM_F | RSS_F)\
-R(ts_mark_cksum_ptype,		1, 1, 0, 1, 1, 0,			\
-			TS_F | MARK_F | CKSUM_F | PTYPE_F)		\
-R(ts_mark_cksum_ptype_rss,	1, 1, 0, 1, 1, 1,			\
-			TS_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)	\
-R(ts_mark_vlan,			1, 1, 1, 0, 0, 0, TS_F | MARK_F | RX_VLAN_F)\
-R(ts_mark_vlan_rss,		1, 1, 1, 0, 0, 1,			\
-			TS_F | MARK_F | RX_VLAN_F | RSS_F)\
-R(ts_mark_vlan_ptype,		1, 1, 1, 0, 1, 0,			\
-			TS_F | MARK_F | RX_VLAN_F | PTYPE_F)		\
-R(ts_mark_vlan_ptype_rss,	1, 1, 1, 0, 1, 1,			\
-			TS_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)	\
-R(ts_mark_vlan_cksum_ptype,	1, 1, 1, 1, 1, 0,			\
-			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)	\
-R(ts_mark_vlan_cksum_ptype_rss,	1, 1, 1, 1, 1, 1,			\
-			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)
-
+R(no_offload,			0, 0, 0, 0, 0, 0, 0, NIX_RX_OFFLOAD_NONE)      \
+R(rss,				0, 0, 0, 0, 0, 0, 1, RSS_F)		       \
+R(ptype,			0, 0, 0, 0, 0, 1, 0, PTYPE_F)		       \
+R(ptype_rss,			0, 0, 0, 0, 0, 1, 1, PTYPE_F | RSS_F)	       \
+R(cksum,			0, 0, 0, 0, 1, 0, 0, CKSUM_F)		       \
+R(cksum_rss,			0, 0, 0, 0, 1, 0, 1, CKSUM_F | RSS_F)	       \
+R(cksum_ptype,			0, 0, 0, 0, 1, 1, 0, CKSUM_F | PTYPE_F)	       \
+R(cksum_ptype_rss,		0, 0, 0, 0, 1, 1, 1, CKSUM_F | PTYPE_F | RSS_F)\
+R(vlan,				0, 0, 0, 1, 0, 0, 0, RX_VLAN_F)		       \
+R(vlan_rss,			0, 0, 0, 1, 0, 0, 1, RX_VLAN_F | RSS_F)	       \
+R(vlan_ptype,			0, 0, 0, 1, 0, 1, 0, RX_VLAN_F | PTYPE_F)      \
+R(vlan_ptype_rss,		0, 0, 0, 1, 0, 1, 1,			       \
+			RX_VLAN_F | PTYPE_F | RSS_F)			       \
+R(vlan_cksum,			0, 0, 0, 1, 1, 0, 0, RX_VLAN_F | CKSUM_F)      \
+R(vlan_cksum_rss,		0, 0, 0, 1, 1, 0, 1,			       \
+			RX_VLAN_F | CKSUM_F | RSS_F)			       \
+R(vlan_cksum_ptype,		0, 0, 0, 1, 1, 1, 0,			       \
+			RX_VLAN_F | CKSUM_F | PTYPE_F)			       \
+R(vlan_cksum_ptype_rss,		0, 0, 0, 1, 1, 1, 1,			       \
+			RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(mark,				0, 0, 1, 0, 0, 0, 0, MARK_F)		       \
+R(mark_rss,			0, 0, 1, 0, 0, 0, 1, MARK_F | RSS_F)	       \
+R(mark_ptype,			0, 0, 1, 0, 0, 1, 0, MARK_F | PTYPE_F)	       \
+R(mark_ptype_rss,		0, 0, 1, 0, 0, 1, 1, MARK_F | PTYPE_F | RSS_F) \
+R(mark_cksum,			0, 0, 1, 0, 1, 0, 0, MARK_F | CKSUM_F)	       \
+R(mark_cksum_rss,		0, 0, 1, 0, 1, 0, 1, MARK_F | CKSUM_F | RSS_F) \
+R(mark_cksum_ptype,		0, 0, 1, 0, 1, 1, 0,			       \
+			MARK_F | CKSUM_F | PTYPE_F)			       \
+R(mark_cksum_ptype_rss,		0, 0, 1, 0, 1, 1, 1,			       \
+			MARK_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(mark_vlan,			0, 0, 1, 1, 0, 0, 0, MARK_F | RX_VLAN_F)       \
+R(mark_vlan_rss,		0, 0, 1, 1, 0, 0, 1,			       \
+			MARK_F | RX_VLAN_F | RSS_F)			       \
+R(mark_vlan_ptype,		0, 0, 1, 1, 0, 1, 0,			       \
+			MARK_F | RX_VLAN_F | PTYPE_F)			       \
+R(mark_vlan_ptype_rss,		0, 0, 1, 1, 0, 1, 1,			       \
+			MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)		       \
+R(mark_vlan_cksum,		0, 0, 1, 1, 1, 0, 0,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F)			       \
+R(mark_vlan_cksum_rss,		0, 0, 1, 1, 1, 0, 1,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		       \
+R(mark_vlan_cksum_ptype,	0, 0, 1, 1, 1, 1, 0,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		       \
+R(mark_vlan_cksum_ptype_rss,	0, 0, 1, 1, 1, 1, 1,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(ts,				0, 1, 0, 0, 0, 0, 0, TS_F)		       \
+R(ts_rss,			0, 1, 0, 0, 0, 0, 1, TS_F | RSS_F)	       \
+R(ts_ptype,			0, 1, 0, 0, 0, 1, 0, TS_F | PTYPE_F)	       \
+R(ts_ptype_rss,			0, 1, 0, 0, 0, 1, 1, TS_F | PTYPE_F | RSS_F)   \
+R(ts_cksum,			0, 1, 0, 0, 1, 0, 0, TS_F | CKSUM_F)	       \
+R(ts_cksum_rss,			0, 1, 0, 0, 1, 0, 1, TS_F | CKSUM_F | RSS_F)   \
+R(ts_cksum_ptype,		0, 1, 0, 0, 1, 1, 0, TS_F | CKSUM_F | PTYPE_F) \
+R(ts_cksum_ptype_rss,		0, 1, 0, 0, 1, 1, 1,			       \
+			TS_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(ts_vlan,			0, 1, 0, 1, 0, 0, 0, TS_F | RX_VLAN_F)	       \
+R(ts_vlan_rss,			0, 1, 0, 1, 0, 0, 1, TS_F | RX_VLAN_F | RSS_F) \
+R(ts_vlan_ptype,		0, 1, 0, 1, 0, 1, 0,			       \
+			TS_F | RX_VLAN_F | PTYPE_F)			       \
+R(ts_vlan_ptype_rss,		0, 1, 0, 1, 0, 1, 1,			       \
+			TS_F | RX_VLAN_F | PTYPE_F | RSS_F)		       \
+R(ts_vlan_cksum,		0, 1, 0, 1, 1, 0, 0,			       \
+			TS_F | RX_VLAN_F | CKSUM_F)			       \
+R(ts_vlan_cksum_rss,		0, 1, 0, 1, 1, 0, 1,			       \
+			MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)		       \
+R(ts_vlan_cksum_ptype,		0, 1, 0, 1, 1, 1, 0,			       \
+			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F)		       \
+R(ts_vlan_cksum_ptype_rss,	0, 1, 0, 1, 1, 1, 1,			       \
+			TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(ts_mark,			0, 1, 1, 0, 0, 0, 0, TS_F | MARK_F)	       \
+R(ts_mark_rss,			0, 1, 1, 0, 0, 0, 1, TS_F | MARK_F | RSS_F)    \
+R(ts_mark_ptype,		0, 1, 1, 0, 0, 1, 0, TS_F | MARK_F | PTYPE_F)  \
+R(ts_mark_ptype_rss,		0, 1, 1, 0, 0, 1, 1,			       \
+			TS_F | MARK_F | PTYPE_F | RSS_F)		       \
+R(ts_mark_cksum,		0, 1, 1, 0, 1, 0, 0, TS_F | MARK_F | CKSUM_F)  \
+R(ts_mark_cksum_rss,		0, 1, 1, 0, 1, 0, 1,			       \
+			TS_F | MARK_F | CKSUM_F | RSS_F)		       \
+R(ts_mark_cksum_ptype,		0, 1, 1, 0, 1, 1, 0,			       \
+			TS_F | MARK_F | CKSUM_F | PTYPE_F)		       \
+R(ts_mark_cksum_ptype_rss,	0, 1, 1, 0, 1, 1, 1,			       \
+			TS_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(ts_mark_vlan,			0, 1, 1, 1, 0, 0, 0, TS_F | MARK_F | RX_VLAN_F)\
+R(ts_mark_vlan_rss,		0, 1, 1, 1, 0, 0, 1,			       \
+			TS_F | MARK_F | RX_VLAN_F | RSS_F)		       \
+R(ts_mark_vlan_ptype,		0, 1, 1, 1, 0, 1, 0,			       \
+			TS_F | MARK_F | RX_VLAN_F | PTYPE_F)		       \
+R(ts_mark_vlan_ptype_rss,	0, 1, 1, 1, 0, 1, 1,			       \
+			TS_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)	       \
+R(ts_mark_vlan_cksum_ptype,	0, 1, 1, 1, 1, 1, 0,			       \
+			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)	       \
+R(ts_mark_vlan_cksum_ptype_rss,	0, 1, 1, 1, 1, 1, 1,			       \
+			TS_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F) \
+R(sec,				1, 0, 0, 0, 0, 0, 0, RX_SEC_F)		       \
+R(sec_rss,			1, 0, 0, 0, 0, 0, 1, RX_SEC_F | RSS_F)	       \
+R(sec_ptype,			1, 0, 0, 0, 0, 1, 0, RX_SEC_F | PTYPE_F)       \
+R(sec_ptype_rss,		1, 0, 0, 0, 0, 1, 1,			       \
+			RX_SEC_F | PTYPE_F | RSS_F)			       \
+R(sec_cksum,			1, 0, 0, 0, 1, 0, 0, RX_SEC_F | CKSUM_F)       \
+R(sec_cksum_rss,		1, 0, 0, 0, 1, 0, 1,			       \
+			RX_SEC_F | CKSUM_F | RSS_F)			       \
+R(sec_cksum_ptype,		1, 0, 0, 0, 1, 1, 0,			       \
+			RX_SEC_F | CKSUM_F | PTYPE_F)			       \
+R(sec_cksum_ptype_rss,		1, 0, 0, 0, 1, 1, 1,			       \
+			RX_SEC_F | CKSUM_F | PTYPE_F | RSS_F)		       \
+R(sec_vlan,			1, 0, 0, 1, 0, 0, 0, RX_SEC_F | RX_VLAN_F)     \
+R(sec_vlan_rss,			1, 0, 0, 1, 0, 0, 1,			       \
+			RX_SEC_F | RX_VLAN_F | RSS_F)			       \
+R(sec_vlan_ptype,		1, 0, 0, 1, 0, 1, 0,			       \
+			RX_SEC_F | RX_VLAN_F | PTYPE_F)			       \
+R(sec_vlan_ptype_rss,		1, 0, 0, 1, 0, 1, 1,			       \
+			RX_SEC_F | RX_VLAN_F | PTYPE_F | RSS_F)		       \
+R(sec_vlan_cksum,		1, 0, 0, 1, 1, 0, 0,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F)			       \
+R(sec_vlan_cksum_rss,		1, 0, 0, 1, 1, 0, 1,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F | RSS_F)		       \
+R(sec_vlan_cksum_ptype,		1, 0, 0, 1, 1, 1, 0,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F | PTYPE_F)	       \
+R(sec_vlan_cksum_ptype_rss,	1, 0, 0, 1, 1, 1, 1,			       \
+			RX_SEC_F | RX_VLAN_F | CKSUM_F | PTYPE_F | RSS_F)      \
+R(sec_mark,			1, 0, 1, 0, 0, 0, 0, RX_SEC_F | MARK_F)	       \
+R(sec_mark_rss,			1, 0, 1, 0, 0, 0, 1, RX_SEC_F | MARK_F | RSS_F)\
+R(sec_mark_ptype,		1, 0, 1, 0, 0, 1, 0,			       \
+			RX_SEC_F | MARK_F | PTYPE_F)			       \
+R(sec_mark_ptype_rss,		1, 0, 1, 0, 0, 1, 1,			       \
+			RX_SEC_F | MARK_F | PTYPE_F | RSS_F)		       \
+R(sec_mark_cksum,		1, 0, 1, 0, 1, 0, 0,			       \
+			RX_SEC_F | MARK_F | CKSUM_F)			       \
+R(sec_mark_cksum_rss,		1, 0, 1, 0, 1, 0, 1,			       \
+			RX_SEC_F | MARK_F | CKSUM_F | RSS_F)		       \
+R(sec_mark_cksum_ptype,		1, 0, 1, 0, 1, 1, 0,			       \
+			RX_SEC_F | MARK_F | CKSUM_F | PTYPE_F)		       \
+R(sec_mark_cksum_ptype_rss,	1, 0, 1, 0, 1, 1, 1,			       \
+			RX_SEC_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(sec_mark_vlan,		1, 0, 1, 1, 0, 0, 0, RX_SEC_F | RX_VLAN_F)     \
+R(sec_mark_vlan_rss,		1, 0, 1, 1, 0, 0, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | RSS_F)		       \
+R(sec_mark_vlan_ptype,		1, 0, 1, 1, 0, 1, 0,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | PTYPE_F)	       \
+R(sec_mark_vlan_ptype_rss,	1, 0, 1, 1, 0, 1, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)       \
+R(sec_mark_vlan_cksum,		1, 0, 1, 1, 1, 0, 0,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F)	       \
+R(sec_mark_vlan_cksum_rss,	1, 0, 1, 1, 1, 0, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)       \
+R(sec_mark_vlan_cksum_ptype,	1, 0, 1, 1, 1, 1, 0,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F)     \
+R(sec_mark_vlan_cksum_ptype_rss,					       \
+				1, 0, 1, 1, 1, 1, 1,			       \
+			RX_SEC_F | MARK_F | RX_VLAN_F | CKSUM_F | PTYPE_F |    \
+			RSS_F)						       \
+R(sec_ts,			1, 1, 0, 0, 0, 0, 0, RX_SEC_F | TS_F)	       \
+R(sec_ts_rss,			1, 1, 0, 0, 0, 0, 1, RX_SEC_F | TS_F | RSS_F)  \
+R(sec_ts_ptype,			1, 1, 0, 0, 0, 1, 0, RX_SEC_F | TS_F | PTYPE_F)\
+R(sec_ts_ptype_rss,		1, 1, 0, 0, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | PTYPE_F | RSS_F)		       \
+R(sec_ts_cksum,			1, 1, 0, 0, 1, 0, 0, RX_SEC_F | TS_F | CKSUM_F)\
+R(sec_ts_cksum_rss,		1, 1, 0, 0, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | CKSUM_F | RSS_F)		       \
+R(sec_ts_cksum_ptype,		1, 1, 0, 0, 1, 1, 0,			       \
+			RX_SEC_F | CKSUM_F | PTYPE_F)			       \
+R(sec_ts_cksum_ptype_rss,	1, 1, 0, 0, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | CKSUM_F | PTYPE_F | RSS_F)	       \
+R(sec_ts_vlan,			1, 1, 0, 1, 0, 0, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F)			       \
+R(sec_ts_vlan_rss,		1, 1, 0, 1, 0, 0, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | RSS_F)		       \
+R(sec_ts_vlan_ptype,		1, 1, 0, 1, 0, 1, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | PTYPE_F)		       \
+R(sec_ts_vlan_ptype_rss,	1, 1, 0, 1, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | PTYPE_F | RSS_F)	       \
+R(sec_ts_vlan_cksum,		1, 1, 0, 1, 1, 0, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F)		       \
+R(sec_ts_vlan_cksum_rss,	1, 1, 0, 1, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F | RSS_F)	       \
+R(sec_ts_vlan_cksum_ptype,	1, 1, 0, 1, 1, 1, 0,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F)       \
+R(sec_ts_vlan_cksum_ptype_rss,	1, 1, 0, 1, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | RX_VLAN_F | CKSUM_F | PTYPE_F |      \
+			RSS_F)						       \
+R(sec_ts_mark,			1, 1, 1, 0, 0, 0, 0, RX_SEC_F | TS_F | MARK_F) \
+R(sec_ts_mark_rss,		1, 1, 1, 0, 0, 0, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RSS_F)		       \
+R(sec_ts_mark_ptype,		1, 1, 1, 0, 0, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | PTYPE_F)		       \
+R(sec_ts_mark_ptype_rss,	1, 1, 1, 0, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | PTYPE_F | RSS_F)	       \
+R(sec_ts_mark_cksum,		1, 1, 1, 0, 1, 0, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F)		       \
+R(sec_ts_mark_cksum_rss,	1, 1, 1, 0, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F | RSS_F)	       \
+R(sec_ts_mark_cksum_ptype,	1, 1, 1, 0, 1, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F | PTYPE_F)	       \
+R(sec_ts_mark_cksum_ptype_rss,	1, 1, 1, 0, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | CKSUM_F | PTYPE_F | RSS_F)  \
+R(sec_ts_mark_vlan,		1, 1, 1, 1, 0, 0, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F)		       \
+R(sec_ts_mark_vlan_rss,		1, 1, 1, 1, 0, 0, 1,			       \
+			RX_SEC_F | RX_VLAN_F | RSS_F)			       \
+R(sec_ts_mark_vlan_ptype,	1, 1, 1, 1, 0, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | PTYPE_F)	       \
+R(sec_ts_mark_vlan_ptype_rss,	1, 1, 1, 1, 0, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | PTYPE_F | RSS_F)\
+R(sec_ts_mark_vlan_cksum,	1, 1, 1, 1, 1, 0, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F)	       \
+R(sec_ts_mark_vlan_cksum_rss,	1, 1, 1, 1, 1, 0, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F | RSS_F)\
+R(sec_ts_mark_vlan_cksum_ptype,	1, 1, 1, 1, 1, 1, 0,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F |       \
+			PTYPE_F)					       \
+R(sec_ts_mark_vlan_cksum_ptype_rss,					       \
+				1, 1, 1, 1, 1, 1, 1,			       \
+			RX_SEC_F | TS_F | MARK_F | RX_VLAN_F | CKSUM_F |       \
+			PTYPE_F | RSS_F)
 #endif /* __OTX2_RX_H__ */
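Review bot: Several rows of `NIX_RX_FASTPATH_MODES` pass a `flags` value that does not match the row's name and index bits: `sec_mark_vlan` (1, 0, 1, 1, 0, 0, 0) passes `RX_SEC_F | RX_VLAN_F` without `MARK_F`, `sec_ts_cksum_ptype` (1, 1, 0, 0, 1, 1, 0) passes `RX_SEC_F | CKSUM_F | PTYPE_F` without `TS_F`, `sec_ts_mark_vlan_rss` (1, 1, 1, 1, 0, 0, 1) passes `RX_SEC_F | RX_VLAN_F | RSS_F` without `TS_F | MARK_F`, and `ts_vlan_cksum_rss` still carries `MARK_F` where `TS_F` is expected, exactly as in the removed lines. The non-SEC half also still has no `ts_mark_vlan_cksum` and `ts_mark_vlan_cksum_rss` rows (indices 0, 1, 1, 1, 1, 0, 0 and 0, 1, 1, 1, 1, 0, 1) although the matching `sec_ts_mark_vlan_cksum` rows are added, so those two slots stay unset in every `[2][2][2][2][2][2][2]` table filled from this list. Please correct the four `flags` values and add the two rows; since the table is rewritten wholesale here, a check that each row's `flags` equals the OR of its index bits would keep this from recurring. The comment above the table also spells the timestamp index `[TSMP]` while `pick_rx_func()` uses `[TSTMP]`.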
-- 
2.7.4



* [dpdk-dev] [PATCH v4 13/15] drivers/octeontx2: add sec in Tx fastpath framework
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
                         ` (11 preceding siblings ...)
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 12/15] drivers/octeontx2: add sec in Rx fastpath framework Anoob Joseph
@ 2020-02-04 11:17       ` Anoob Joseph
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 14/15] net/octeontx2: add inline Tx path changes Anoob Joseph
                         ` (2 subsequent siblings)
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Archana Muniganti, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dev

From: Archana Muniganti <marchana@marvell.com>

Added new flag for SECURITY in compiler optimized Tx fastpath
framework. With this, compiler autogenerates functions which
have security enabled.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/event/octeontx2/otx2_evdev.c       |  36 ++--
 drivers/event/octeontx2/otx2_evdev.h       |   2 +-
 drivers/event/octeontx2/otx2_worker.c      |   4 +-
 drivers/event/octeontx2/otx2_worker_dual.c |   4 +-
 drivers/net/octeontx2/otx2_ethdev.c        |   3 +
 drivers/net/octeontx2/otx2_tx.c            |  29 +--
 drivers/net/octeontx2/otx2_tx.h            | 271 ++++++++++++++++++++++-------
 7 files changed, 250 insertions(+), 99 deletions(-)

diff --git a/drivers/event/octeontx2/otx2_evdev.c b/drivers/event/octeontx2/otx2_evdev.c
index f6c641a..d20213d 100644
--- a/drivers/event/octeontx2/otx2_evdev.c
+++ b/drivers/event/octeontx2/otx2_evdev.c
@@ -177,35 +177,37 @@ SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 	};
 
 	/* Tx modes */
-	const event_tx_adapter_enqueue ssogws_tx_adptr_enq[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =  otx2_ssogws_tx_adptr_enq_ ## name,
+	const event_tx_adapter_enqueue
+		ssogws_tx_adptr_enq[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
+			otx2_ssogws_tx_adptr_enq_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 	};
 
 	const event_tx_adapter_enqueue
-		ssogws_tx_adptr_enq_seg[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_tx_adptr_enq_seg[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_tx_adptr_enq_seg_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 	};
 
 	const event_tx_adapter_enqueue
-		ssogws_dual_tx_adptr_enq[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_dual_tx_adptr_enq[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_dual_tx_adptr_enq_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 	};
 
 	const event_tx_adapter_enqueue
-		ssogws_dual_tx_adptr_enq_seg[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-		[f5][f4][f3][f2][f1][f0] =				\
+		ssogws_dual_tx_adptr_enq_seg[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+		[f6][f5][f4][f3][f2][f1][f0] =				\
 			otx2_ssogws_dual_tx_adptr_enq_seg_ ## name,
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
@@ -290,8 +292,9 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 	}
 
 	if (dev->tx_offloads & NIX_TX_MULTI_SEG_F) {
-		/* [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
+		/* [SEC] [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
 		event_dev->txa_enqueue = ssogws_tx_adptr_enq_seg
+			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_SECURITY_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_MBUF_NOFF_F)]
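Review bot: The updated comment `/* [SEC] [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */` names six dimensions, but `ssogws_tx_adptr_enq_seg` is declared with seven and the index directly after the new security one is `NIX_TX_OFFLOAD_TSO_F`, which the comment leaves out. Please add `[TSO]` after `[SEC]` so the comment matches the index order used right below it; the same comment is repeated unchanged in the dual-workslot branch further down in this file.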
@@ -300,6 +303,7 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_L3_L4_CSUM_F)];
 	} else {
 		event_dev->txa_enqueue = ssogws_tx_adptr_enq
+			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_SECURITY_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 			[!!(dev->tx_offloads & NIX_TX_OFFLOAD_MBUF_NOFF_F)]
@@ -440,8 +444,10 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 		}
 
 		if (dev->tx_offloads & NIX_TX_MULTI_SEG_F) {
-		/* [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
+		/* [SEC] [TSMP] [MBUF_NOFF] [VLAN] [OL3_L4_CSUM] [L3_L4_CSUM] */
 			event_dev->txa_enqueue = ssogws_dual_tx_adptr_enq_seg
+				[!!(dev->tx_offloads &
+						NIX_TX_OFFLOAD_SECURITY_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->tx_offloads &
@@ -454,6 +460,8 @@ SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 						NIX_TX_OFFLOAD_L3_L4_CSUM_F)];
 		} else {
 			event_dev->txa_enqueue = ssogws_dual_tx_adptr_enq
+				[!!(dev->tx_offloads &
+						NIX_TX_OFFLOAD_SECURITY_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSO_F)]
 				[!!(dev->tx_offloads & NIX_TX_OFFLOAD_TSTAMP_F)]
 				[!!(dev->tx_offloads &
diff --git a/drivers/event/octeontx2/otx2_evdev.h b/drivers/event/octeontx2/otx2_evdev.h
index 5a44fd3..3b47782 100644
--- a/drivers/event/octeontx2/otx2_evdev.h
+++ b/drivers/event/octeontx2/otx2_evdev.h
@@ -335,7 +335,7 @@ uint16_t otx2_ssogws_dual_deq_seg_timeout_burst_ ##name(void *port,	       \
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			     \
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			     \
 uint16_t otx2_ssogws_tx_adptr_enq_ ## name(void *port, struct rte_event ev[],\
 					   uint16_t nb_events);		     \
 uint16_t otx2_ssogws_tx_adptr_enq_seg_ ## name(void *port,		     \
diff --git a/drivers/event/octeontx2/otx2_worker.c b/drivers/event/octeontx2/otx2_worker.c
index 12445d9..8bec59e 100644
--- a/drivers/event/octeontx2/otx2_worker.c
+++ b/drivers/event/octeontx2/otx2_worker.c
@@ -267,7 +267,7 @@ otx2_ssogws_enq_fwd_burst(void *port, const struct rte_event ev[],
 	return 1;
 }
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_tx_adptr_enq_ ## name(void *port, struct rte_event ev[],	\
 				  uint16_t nb_events)			\
@@ -281,7 +281,7 @@ otx2_ssogws_tx_adptr_enq_ ## name(void *port, struct rte_event ev[],	\
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_tx_adptr_enq_seg_ ## name(void *port, struct rte_event ev[],\
 				      uint16_t nb_events)		\
diff --git a/drivers/event/octeontx2/otx2_worker_dual.c b/drivers/event/octeontx2/otx2_worker_dual.c
index 22a4889..3cba09c 100644
--- a/drivers/event/octeontx2/otx2_worker_dual.c
+++ b/drivers/event/octeontx2/otx2_worker_dual.c
@@ -307,7 +307,7 @@ otx2_ssogws_dual_deq_seg_timeout_burst_ ##name(void *port,		\
 SSO_RX_ADPTR_ENQ_FASTPATH_FUNC
 #undef R
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_dual_tx_adptr_enq_ ## name(void *port,			\
 				       struct rte_event ev[],		\
@@ -324,7 +324,7 @@ otx2_ssogws_dual_tx_adptr_enq_ ## name(void *port,			\
 SSO_TX_ADPTR_ENQ_FASTPATH_FUNC
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 uint16_t __hot								\
 otx2_ssogws_dual_tx_adptr_enq_seg_ ## name(void *port,			\
 					   struct rte_event ev[],	\
diff --git a/drivers/net/octeontx2/otx2_ethdev.c b/drivers/net/octeontx2/otx2_ethdev.c
index cd7bb6a..2719e71 100644
--- a/drivers/net/octeontx2/otx2_ethdev.c
+++ b/drivers/net/octeontx2/otx2_ethdev.c
@@ -700,6 +700,9 @@ nix_tx_offload_flags(struct rte_eth_dev *eth_dev)
 			  NIX_TX_OFFLOAD_OL3_OL4_CSUM_F |
 			  NIX_TX_OFFLOAD_L3_L4_CSUM_F);
 
+	if (conf & DEV_TX_OFFLOAD_SECURITY)
+		flags |= NIX_TX_OFFLOAD_SECURITY_F;
+
 	if ((dev->rx_offloads & DEV_RX_OFFLOAD_TIMESTAMP))
 		flags |= NIX_TX_OFFLOAD_TSTAMP_F;
 
diff --git a/drivers/net/octeontx2/otx2_tx.c b/drivers/net/octeontx2/otx2_tx.c
index 5011460..4f2036c 100644
--- a/drivers/net/octeontx2/otx2_tx.c
+++ b/drivers/net/octeontx2/otx2_tx.c
@@ -946,7 +946,7 @@ nix_xmit_pkts_vector(void *tx_queue, struct rte_mbuf **tx_pkts,
 }
 #endif
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 static uint16_t __rte_noinline	__hot					\
 otx2_nix_xmit_pkts_ ## name(void *tx_queue,				\
 			struct rte_mbuf **tx_pkts, uint16_t pkts)	\
@@ -963,7 +963,7 @@ otx2_nix_xmit_pkts_ ## name(void *tx_queue,				\
 NIX_TX_FASTPATH_MODES
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 static uint16_t __rte_noinline	__hot					\
 otx2_nix_xmit_pkts_mseg_ ## name(void *tx_queue,			\
 			struct rte_mbuf **tx_pkts, uint16_t pkts)	\
@@ -981,7 +981,7 @@ otx2_nix_xmit_pkts_mseg_ ## name(void *tx_queue,			\
 NIX_TX_FASTPATH_MODES
 #undef T
 
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
 static uint16_t __rte_noinline	__hot					\
 otx2_nix_xmit_pkts_vec_ ## name(void *tx_queue,				\
 			struct rte_mbuf **tx_pkts, uint16_t pkts)	\
@@ -1001,12 +1001,13 @@ NIX_TX_FASTPATH_MODES
 
 static inline void
 pick_tx_func(struct rte_eth_dev *eth_dev,
-	     const eth_tx_burst_t tx_burst[2][2][2][2][2][2])
+	     const eth_tx_burst_t tx_burst[2][2][2][2][2][2][2])
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	/* [TSTMP] [NOFF] [VLAN] [OL3_OL4_CSUM] [IL3_IL4_CSUM] */
+	/* [SEC] [TSTMP] [NOFF] [VLAN] [OL3_OL4_CSUM] [IL3_IL4_CSUM] */
 	eth_dev->tx_pkt_burst = tx_burst
+		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_SECURITY_F)]
 		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_TSO_F)]
 		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_TSTAMP_F)]
 		[!!(dev->tx_offload_flags & NIX_TX_OFFLOAD_MBUF_NOFF_F)]
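Review bot: In `pick_tx_func()` the comment `/* [SEC] [TSTMP] [NOFF] [VLAN] [OL3_OL4_CSUM] [IL3_IL4_CSUM] */` lists six entries for a `tx_burst[2][2][2][2][2][2][2]` table and omits `[TSO]`, which is the second index in the lookup that follows. As this line is being changed anyway, add `[TSO]` so it agrees with the header comment in `otx2_tx.h`, `/* [SEC] [TSO] [TSTMP] [NOFF] [VLAN] [OL3OL4CSUM] [L3L4CSUM] */`.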
@@ -1020,25 +1021,25 @@ otx2_eth_set_tx_function(struct rte_eth_dev *eth_dev)
 {
 	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
 
-	const eth_tx_burst_t nix_eth_tx_burst[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_ ## name,
+	const eth_tx_burst_t nix_eth_tx_burst[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_ ## name,
 
 NIX_TX_FASTPATH_MODES
 #undef T
 	};
 
-	const eth_tx_burst_t nix_eth_tx_burst_mseg[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_mseg_ ## name,
+	const eth_tx_burst_t nix_eth_tx_burst_mseg[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_mseg_ ## name,
 
 NIX_TX_FASTPATH_MODES
 #undef T
 	};
 
-	const eth_tx_burst_t nix_eth_tx_vec_burst[2][2][2][2][2][2] = {
-#define T(name, f5, f4, f3, f2, f1, f0, sz, flags)			\
-	[f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_vec_ ## name,
+	const eth_tx_burst_t nix_eth_tx_vec_burst[2][2][2][2][2][2][2] = {
+#define T(name, f6, f5, f4, f3, f2, f1, f0, sz, flags)			\
+	[f6][f5][f4][f3][f2][f1][f0] =  otx2_nix_xmit_pkts_vec_ ## name,
 
 NIX_TX_FASTPATH_MODES
 #undef T
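Review bot: nix_eth_tx_burst, nix_eth_tx_burst_mseg and nix_eth_tx_vec_burst in otx2_eth_set_tx_function() are plain `const` locals, and with the seventh dimension each now holds 128 function pointers. Declaring them `static const` would guarantee that roughly 3 KB of tables (on a 64-bit target) are not rebuilt on the stack on each call.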
diff --git a/drivers/net/octeontx2/otx2_tx.h b/drivers/net/octeontx2/otx2_tx.h
index 04e859b..3c43170 100644
--- a/drivers/net/octeontx2/otx2_tx.h
+++ b/drivers/net/octeontx2/otx2_tx.h
@@ -12,6 +12,7 @@
 #define NIX_TX_OFFLOAD_MBUF_NOFF_F	BIT(3)
 #define NIX_TX_OFFLOAD_TSTAMP_F		BIT(4)
 #define NIX_TX_OFFLOAD_TSO_F		BIT(5)
+#define NIX_TX_OFFLOAD_SECURITY_F	BIT(6)
 
 /* Flags to control xmit_prepare function.
  * Defining it from backwards to denote its been
@@ -470,136 +471,274 @@ otx2_nix_xmit_mseg_one(uint64_t *cmd, void *lmt_addr,
 #define NOFF_F       NIX_TX_OFFLOAD_MBUF_NOFF_F
 #define TSP_F        NIX_TX_OFFLOAD_TSTAMP_F
 #define TSO_F        NIX_TX_OFFLOAD_TSO_F
+#define TX_SEC_F     NIX_TX_OFFLOAD_SECURITY_F
 
-/* [TSO] [TSTMP] [NOFF] [VLAN] [OL3OL4CSUM] [L3L4CSUM] */
+/* [SEC] [TSO] [TSTMP] [NOFF] [VLAN] [OL3OL4CSUM] [L3L4CSUM] */
 #define NIX_TX_FASTPATH_MODES						\
-T(no_offload,				0, 0, 0, 0, 0, 0,	4,	\
+T(no_offload,				0, 0, 0, 0, 0, 0, 0,	4,	\
 		NIX_TX_OFFLOAD_NONE)					\
-T(l3l4csum,				0, 0, 0, 0, 0, 1,	4,	\
+T(l3l4csum,				0, 0, 0, 0, 0, 0, 1,	4,	\
 		L3L4CSUM_F)						\
-T(ol3ol4csum,				0, 0, 0, 0, 1, 0,	4,	\
+T(ol3ol4csum,				0, 0, 0, 0, 0, 1, 0,	4,	\
 		OL3OL4CSUM_F)						\
-T(ol3ol4csum_l3l4csum,			0, 0, 0, 0, 1, 1,	4,	\
+T(ol3ol4csum_l3l4csum,			0, 0, 0, 0, 0, 1, 1,	4,	\
 		OL3OL4CSUM_F | L3L4CSUM_F)				\
-T(vlan,					0, 0, 0, 1, 0, 0,	6,	\
+T(vlan,					0, 0, 0, 0, 1, 0, 0,	6,	\
 		VLAN_F)							\
-T(vlan_l3l4csum,			0, 0, 0, 1, 0, 1,	6,	\
+T(vlan_l3l4csum,			0, 0, 0, 0, 1, 0, 1,	6,	\
 		VLAN_F | L3L4CSUM_F)					\
-T(vlan_ol3ol4csum,			0, 0, 0, 1, 1, 0,	6,	\
+T(vlan_ol3ol4csum,			0, 0, 0, 0, 1, 1, 0,	6,	\
 		VLAN_F | OL3OL4CSUM_F)					\
-T(vlan_ol3ol4csum_l3l4csum,		0, 0, 0, 1, 1, 1,	6,	\
+T(vlan_ol3ol4csum_l3l4csum,		0, 0, 0, 0, 1, 1, 1,	6,	\
 		VLAN_F | OL3OL4CSUM_F |	L3L4CSUM_F)			\
-T(noff,					0, 0, 1, 0, 0, 0,	4,	\
+T(noff,					0, 0, 0, 1, 0, 0, 0,	4,	\
 		NOFF_F)							\
-T(noff_l3l4csum,			0, 0, 1, 0, 0, 1,	4,	\
+T(noff_l3l4csum,			0, 0, 0, 1, 0, 0, 1,	4,	\
 		NOFF_F | L3L4CSUM_F)					\
-T(noff_ol3ol4csum,			0, 0, 1, 0, 1, 0,	4,	\
+T(noff_ol3ol4csum,			0, 0, 0, 1, 0, 1, 0,	4,	\
 		NOFF_F | OL3OL4CSUM_F)					\
-T(noff_ol3ol4csum_l3l4csum,		0, 0, 1, 0, 1, 1,	4,	\
+T(noff_ol3ol4csum_l3l4csum,		0, 0, 0, 1, 0, 1, 1,	4,	\
 		NOFF_F | OL3OL4CSUM_F |	L3L4CSUM_F)			\
-T(noff_vlan,				0, 0, 1, 1, 0, 0,	6,	\
+T(noff_vlan,				0, 0, 0, 1, 1, 0, 0,	6,	\
 		NOFF_F | VLAN_F)					\
-T(noff_vlan_l3l4csum,			0, 0, 1, 1, 0, 1,	6,	\
+T(noff_vlan_l3l4csum,			0, 0, 0, 1, 1, 0, 1,	6,	\
 		NOFF_F | VLAN_F | L3L4CSUM_F)				\
-T(noff_vlan_ol3ol4csum,			0, 0, 1, 1, 1, 0,	6,	\
+T(noff_vlan_ol3ol4csum,			0, 0, 0, 1, 1, 1, 0,	6,	\
 		NOFF_F | VLAN_F | OL3OL4CSUM_F)				\
-T(noff_vlan_ol3ol4csum_l3l4csum,	0, 0, 1, 1, 1, 1,	6,	\
+T(noff_vlan_ol3ol4csum_l3l4csum,	0, 0, 0, 1, 1, 1, 1,	6,	\
 		NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(ts,					0, 1, 0, 0, 0, 0,	8,	\
+T(ts,					0, 0, 1, 0, 0, 0, 0,	8,	\
 		TSP_F)							\
-T(ts_l3l4csum,				0, 1, 0, 0, 0, 1,	8,	\
+T(ts_l3l4csum,				0, 0, 1, 0, 0, 0, 1,	8,	\
 		TSP_F | L3L4CSUM_F)					\
-T(ts_ol3ol4csum,			0, 1, 0, 0, 1, 0,	8,	\
+T(ts_ol3ol4csum,			0, 0, 1, 0, 0, 1, 0,	8,	\
 		TSP_F | OL3OL4CSUM_F)					\
-T(ts_ol3ol4csum_l3l4csum,		0, 1, 0, 0, 1, 1,	8,	\
+T(ts_ol3ol4csum_l3l4csum,		0, 0, 1, 0, 0, 1, 1,	8,	\
 		TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)			\
-T(ts_vlan,				0, 1, 0, 1, 0, 0,	8,	\
+T(ts_vlan,				0, 0, 1, 0, 1, 0, 0,	8,	\
 		TSP_F | VLAN_F)						\
-T(ts_vlan_l3l4csum,			0, 1, 0, 1, 0, 1,	8,	\
+T(ts_vlan_l3l4csum,			0, 0, 1, 0, 1, 0, 1,	8,	\
 		TSP_F | VLAN_F | L3L4CSUM_F)				\
-T(ts_vlan_ol3ol4csum,			0, 1, 0, 1, 1, 0,	8,	\
+T(ts_vlan_ol3ol4csum,			0, 0, 1, 0, 1, 1, 0,	8,	\
 		TSP_F | VLAN_F | OL3OL4CSUM_F)				\
-T(ts_vlan_ol3ol4csum_l3l4csum,		0, 1, 0, 1, 1, 1,	8,	\
+T(ts_vlan_ol3ol4csum_l3l4csum,		0, 0, 1, 0, 1, 1, 1,	8,	\
 		TSP_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(ts_noff,				0, 1, 1, 0, 0, 0,	8,	\
+T(ts_noff,				0, 0, 1, 1, 0, 0, 0,	8,	\
 		TSP_F | NOFF_F)						\
-T(ts_noff_l3l4csum,			0, 1, 1, 0, 0, 1,	8,	\
+T(ts_noff_l3l4csum,			0, 0, 1, 1, 0, 0, 1,	8,	\
 		TSP_F | NOFF_F | L3L4CSUM_F)				\
-T(ts_noff_ol3ol4csum,			0, 1, 1, 0, 1, 0,	8,	\
+T(ts_noff_ol3ol4csum,			0, 0, 1, 1, 0, 1, 0,	8,	\
 		TSP_F | NOFF_F | OL3OL4CSUM_F)				\
-T(ts_noff_ol3ol4csum_l3l4csum,		0, 1, 1, 0, 1, 1,	8,	\
+T(ts_noff_ol3ol4csum_l3l4csum,		0, 0, 1, 1, 0, 1, 1,	8,	\
 		TSP_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(ts_noff_vlan,				0, 1, 1, 1, 0, 0,	8,	\
+T(ts_noff_vlan,				0, 0, 1, 1, 1, 0, 0,	8,	\
 		TSP_F | NOFF_F | VLAN_F)				\
-T(ts_noff_vlan_l3l4csum,		0, 1, 1, 1, 0, 1,	8,	\
+T(ts_noff_vlan_l3l4csum,		0, 0, 1, 1, 1, 0, 1,	8,	\
 		TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)			\
-T(ts_noff_vlan_ol3ol4csum,		0, 1, 1, 1, 1, 0,	8,	\
+T(ts_noff_vlan_ol3ol4csum,		0, 0, 1, 1, 1, 1, 0,	8,	\
 		TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)			\
-T(ts_noff_vlan_ol3ol4csum_l3l4csum,	0, 1, 1, 1, 1, 1,	8,	\
+T(ts_noff_vlan_ol3ol4csum_l3l4csum,	0, 0, 1, 1, 1, 1, 1,	8,	\
 		TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
 									\
-T(tso,					1, 0, 0, 0, 0, 0,	6,	\
+T(tso,					0, 1, 0, 0, 0, 0, 0,	6,	\
 		TSO_F)							\
-T(tso_l3l4csum,				1, 0, 0, 0, 0, 1,	6,	\
+T(tso_l3l4csum,				0, 1, 0, 0, 0, 0, 1,	6,	\
 		TSO_F | L3L4CSUM_F)					\
-T(tso_ol3ol4csum,			1, 0, 0, 0, 1, 0,	6,	\
+T(tso_ol3ol4csum,			0, 1, 0, 0, 0, 1, 0,	6,	\
 		TSO_F | OL3OL4CSUM_F)					\
-T(tso_ol3ol4csum_l3l4csum,		1, 0, 0, 0, 1, 1,	6,	\
+T(tso_ol3ol4csum_l3l4csum,		0, 1, 0, 0, 0, 1, 1,	6,	\
 		TSO_F | OL3OL4CSUM_F | L3L4CSUM_F)			\
-T(tso_vlan,				1, 0, 0, 1, 0, 0,	6,	\
+T(tso_vlan,				0, 1, 0, 0, 1, 0, 0,	6,	\
 		TSO_F | VLAN_F)						\
-T(tso_vlan_l3l4csum,			1, 0, 0, 1, 0, 1,	6,	\
+T(tso_vlan_l3l4csum,			0, 1, 0, 0, 1, 0, 1,	6,	\
 		TSO_F | VLAN_F | L3L4CSUM_F)				\
-T(tso_vlan_ol3ol4csum,			1, 0, 0, 1, 1, 0,	6,	\
+T(tso_vlan_ol3ol4csum,			0, 1, 0, 0, 1, 1, 0,	6,	\
 		TSO_F | VLAN_F | OL3OL4CSUM_F)				\
-T(tso_vlan_ol3ol4csum_l3l4csum,		1, 0, 0, 1, 1, 1,	6,	\
+T(tso_vlan_ol3ol4csum_l3l4csum,		0, 1, 0, 0, 1, 1, 1,	6,	\
 		TSO_F | VLAN_F | OL3OL4CSUM_F |	L3L4CSUM_F)		\
-T(tso_noff,				1, 0, 1, 0, 0, 0,	6,	\
+T(tso_noff,				0, 1, 0, 1, 0, 0, 0,	6,	\
 		TSO_F | NOFF_F)						\
-T(tso_noff_l3l4csum,			1, 0, 1, 0, 0, 1,	6,	\
+T(tso_noff_l3l4csum,			0, 1, 0, 1, 0, 0, 1,	6,	\
 		TSO_F | NOFF_F | L3L4CSUM_F)				\
-T(tso_noff_ol3ol4csum,			1, 0, 1, 0, 1, 0,	6,	\
+T(tso_noff_ol3ol4csum,			0, 1, 0, 1, 0, 1, 0,	6,	\
 		TSO_F | NOFF_F | OL3OL4CSUM_F)				\
-T(tso_noff_ol3ol4csum_l3l4csum,		1, 0, 1, 0, 1, 1,	6,	\
+T(tso_noff_ol3ol4csum_l3l4csum,		0, 1, 0, 1, 0, 1, 1,	6,	\
 		TSO_F | NOFF_F | OL3OL4CSUM_F |	L3L4CSUM_F)		\
-T(tso_noff_vlan,			1, 0, 1, 1, 0, 0,	6,	\
+T(tso_noff_vlan,			0, 1, 0, 1, 1, 0, 0,	6,	\
 		TSO_F | NOFF_F | VLAN_F)				\
-T(tso_noff_vlan_l3l4csum,		1, 0, 1, 1, 0, 1,	6,	\
+T(tso_noff_vlan_l3l4csum,		0, 1, 0, 1, 1, 0, 1,	6,	\
 		TSO_F | NOFF_F | VLAN_F | L3L4CSUM_F)			\
-T(tso_noff_vlan_ol3ol4csum,		1, 0, 1, 1, 1, 0,	6,	\
+T(tso_noff_vlan_ol3ol4csum,		0, 1, 0, 1, 1, 1, 0,	6,	\
 		TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)			\
-T(tso_noff_vlan_ol3ol4csum_l3l4csum,	1, 0, 1, 1, 1, 1,	6,	\
+T(tso_noff_vlan_ol3ol4csum_l3l4csum,	0, 1, 0, 1, 1, 1, 1,	6,	\
 		TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
-T(tso_ts,				1, 1, 0, 0, 0, 0,	8,	\
+T(tso_ts,				0, 1, 1, 0, 0, 0, 0,	8,	\
 		TSO_F | TSP_F)						\
-T(tso_ts_l3l4csum,			1, 1, 0, 0, 0, 1,	8,	\
+T(tso_ts_l3l4csum,			0, 1, 1, 0, 0, 0, 1,	8,	\
 		TSO_F | TSP_F | L3L4CSUM_F)				\
-T(tso_ts_ol3ol4csum,			1, 1, 0, 0, 1, 0,	8,	\
+T(tso_ts_ol3ol4csum,			0, 1, 1, 0, 0, 1, 0,	8,	\
 		TSO_F | TSP_F | OL3OL4CSUM_F)				\
-T(tso_ts_ol3ol4csum_l3l4csum,		1, 1, 0, 0, 1, 1,	8,	\
+T(tso_ts_ol3ol4csum_l3l4csum,		0, 1, 1, 0, 0, 1, 1,	8,	\
 		TSO_F | TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
-T(tso_ts_vlan,				1, 1, 0, 1, 0, 0,	8,	\
+T(tso_ts_vlan,				0, 1, 1, 0, 1, 0, 0,	8,	\
 		TSO_F | TSP_F | VLAN_F)					\
-T(tso_ts_vlan_l3l4csum,			1, 1, 0, 1, 0, 1,	8,	\
+T(tso_ts_vlan_l3l4csum,			0, 1, 1, 0, 1, 0, 1,	8,	\
 		TSO_F | TSP_F | VLAN_F | L3L4CSUM_F)			\
-T(tso_ts_vlan_ol3ol4csum,		1, 1, 0, 1, 1, 0,	8,	\
+T(tso_ts_vlan_ol3ol4csum,		0, 1, 1, 0, 1, 1, 0,	8,	\
 		TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F)			\
-T(tso_ts_vlan_ol3ol4csum_l3l4csum,	1, 1, 0, 1, 1, 1,	8,	\
+T(tso_ts_vlan_ol3ol4csum_l3l4csum,	0, 1, 1, 0, 1, 1, 1,	8,	\
 		TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
-T(tso_ts_noff,				1, 1, 1, 0, 0, 0,	8,	\
+T(tso_ts_noff,				0, 1, 1, 1, 0, 0, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F)					\
-T(tso_ts_noff_l3l4csum,			1, 1, 1, 0, 0, 1,	8,	\
+T(tso_ts_noff_l3l4csum,			0, 1, 1, 1, 0, 0, 1,	8,	\
 		TSO_F | TSP_F | NOFF_F | L3L4CSUM_F)			\
-T(tso_ts_noff_ol3ol4csum,		1, 1, 1, 0, 1, 0,	8,	\
+T(tso_ts_noff_ol3ol4csum,		0, 1, 1, 1, 0, 1, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F)			\
-T(tso_ts_noff_ol3ol4csum_l3l4csum,	1, 1, 1, 0, 1, 1,	8,	\
+T(tso_ts_noff_ol3ol4csum_l3l4csum,	0, 1, 1, 1, 0, 1, 1,	8,	\
 		TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
-T(tso_ts_noff_vlan,			1, 1, 1, 1, 0, 0,	8,	\
+T(tso_ts_noff_vlan,			0, 1, 1, 1, 1, 0, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F | VLAN_F)			\
-T(tso_ts_noff_vlan_l3l4csum,		1, 1, 1, 1, 0, 1,	8,	\
+T(tso_ts_noff_vlan_l3l4csum,		0, 1, 1, 1, 1, 0, 1,	8,	\
 		TSO_F | TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)		\
-T(tso_ts_noff_vlan_ol3ol4csum,		1, 1, 1, 1, 1, 0,	8,	\
+T(tso_ts_noff_vlan_ol3ol4csum,		0, 1, 1, 1, 1, 1, 0,	8,	\
 		TSO_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)		\
-T(tso_ts_noff_vlan_ol3ol4csum_l3l4csum,	1, 1, 1, 1, 1, 1,	8,	\
-		TSO_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)
+T(tso_ts_noff_vlan_ol3ol4csum_l3l4csum,	0, 1, 1, 1, 1, 1, 1,	8,	\
+		TSO_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec,					1, 0, 0, 0, 0, 0, 0,	8,	\
+		TX_SEC_F)						\
+T(sec_l3l4csum,				1, 0, 0, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | L3L4CSUM_F)					\
+T(sec_ol3ol4csum,			1, 0, 0, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | OL3OL4CSUM_F)				\
+T(sec_ol3ol4csum_l3l4csum,		1, 0, 0, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | OL3OL4CSUM_F | L3L4CSUM_F)			\
+T(sec_vlan,				1, 0, 0, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | VLAN_F)					\
+T(sec_vlan_l3l4csum,			1, 0, 0, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | VLAN_F | L3L4CSUM_F)				\
+T(sec_vlan_ol3ol4csum,			1, 0, 0, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | VLAN_F | OL3OL4CSUM_F)			\
+T(sec_vlan_ol3ol4csum_l3l4csum,		1, 0, 0, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_noff,				1, 0, 0, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | NOFF_F)					\
+T(sec_noff_l3l4csum,			1, 0, 0, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | NOFF_F | L3L4CSUM_F)				\
+T(sec_noff_ol3ol4csum,			1, 0, 0, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | NOFF_F | OL3OL4CSUM_F)			\
+T(sec_noff_ol3ol4csum_l3l4csum,		1, 0, 0, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_noff_vlan,			1, 0, 0, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F)				\
+T(sec_noff_vlan_l3l4csum,		1, 0, 0, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F | L3L4CSUM_F)		\
+T(sec_noff_vlan_ol3ol4csum,		1, 0, 0, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)		\
+T(sec_noff_vlan_ol3ol4csum_l3l4csum,	1, 0, 0, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | NOFF_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_ts,				1, 0, 1, 0, 0, 0, 0,	8,	\
+		TX_SEC_F | TSP_F)					\
+T(sec_ts_l3l4csum,			1, 0, 1, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | L3L4CSUM_F)				\
+T(sec_ts_ol3ol4csum,			1, 0, 1, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | OL3OL4CSUM_F)			\
+T(sec_ts_ol3ol4csum_l3l4csum,		1, 0, 1, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_ts_vlan,				1, 0, 1, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F)				\
+T(sec_ts_vlan_l3l4csum,			1, 0, 1, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F | L3L4CSUM_F)			\
+T(sec_ts_vlan_ol3ol4csum,		1, 0, 1, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F | OL3OL4CSUM_F)		\
+T(sec_ts_vlan_ol3ol4csum_l3l4csum,	1, 0, 1, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_ts_noff,				1, 0, 1, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F)				\
+T(sec_ts_noff_l3l4csum,			1, 0, 1, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | L3L4CSUM_F)			\
+T(sec_ts_noff_ol3ol4csum,		1, 0, 1, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | OL3OL4CSUM_F)		\
+T(sec_ts_noff_ol3ol4csum_l3l4csum,	1, 0, 1, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_ts_noff_vlan,			1, 0, 1, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F)			\
+T(sec_ts_noff_vlan_l3l4csum,		1, 0, 1, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)	\
+T(sec_ts_noff_vlan_ol3ol4csum,		1, 0, 1, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)	\
+T(sec_ts_noff_vlan_ol3ol4csum_l3l4csum,	1, 0, 1, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | TSP_F | NOFF_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso,				1, 1, 0, 0, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F)					\
+T(sec_tso_l3l4csum,			1, 1, 0, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | L3L4CSUM_F)				\
+T(sec_tso_ol3ol4csum,			1, 1, 0, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | OL3OL4CSUM_F)			\
+T(sec_tso_ol3ol4csum_l3l4csum,		1, 1, 0, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | OL3OL4CSUM_F | L3L4CSUM_F)		\
+T(sec_tso_vlan,				1, 1, 0, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F)				\
+T(sec_tso_vlan_l3l4csum,		1, 1, 0, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F | L3L4CSUM_F)			\
+T(sec_tso_vlan_ol3ol4csum,		1, 1, 0, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F | OL3OL4CSUM_F)		\
+T(sec_tso_vlan_ol3ol4csum_l3l4csum,	1, 1, 0, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | VLAN_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_tso_noff,				1, 1, 0, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F)				\
+T(sec_tso_noff_l3l4csum,		1, 1, 0, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | L3L4CSUM_F)			\
+T(sec_tso_noff_ol3ol4csum,		1, 1, 0, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | OL3OL4CSUM_F)		\
+T(sec_tso_noff_ol3ol4csum_l3l4csum,	1, 1, 0, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_tso_noff_vlan,			1, 1, 0, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F)			\
+T(sec_tso_noff_vlan_l3l4csum,		1, 1, 0, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F | L3L4CSUM_F)	\
+T(sec_tso_noff_vlan_ol3ol4csum,		1, 1, 0, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F)	\
+T(sec_tso_noff_vlan_ol3ol4csum_l3l4csum,				\
+					1, 1, 0, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | NOFF_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso_ts,				1, 1, 1, 0, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F)				\
+T(sec_tso_ts_l3l4csum,			1, 1, 1, 0, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | L3L4CSUM_F)			\
+T(sec_tso_ts_ol3ol4csum,		1, 1, 1, 0, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | OL3OL4CSUM_F)		\
+T(sec_tso_ts_ol3ol4csum_l3l4csum,	1, 1, 1, 0, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | OL3OL4CSUM_F | L3L4CSUM_F)	\
+T(sec_tso_ts_vlan,			1, 1, 1, 0, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F)			\
+T(sec_tso_ts_vlan_l3l4csum,		1, 1, 1, 0, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F | L3L4CSUM_F)		\
+T(sec_tso_ts_vlan_ol3ol4csum,		1, 1, 1, 0, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F)	\
+T(sec_tso_ts_vlan_ol3ol4csum_l3l4csum,	1, 1, 1, 0, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | VLAN_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso_ts_noff,			1, 1, 1, 1, 0, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F)			\
+T(sec_tso_ts_noff_l3l4csum,		1, 1, 1, 1, 0, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | L3L4CSUM_F)		\
+T(sec_tso_ts_noff_ol3ol4csum,		1, 1, 1, 1, 0, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F)	\
+T(sec_tso_ts_noff_ol3ol4csum_l3l4csum,	1, 1, 1, 1, 0, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | OL3OL4CSUM_F |	\
+		L3L4CSUM_F)						\
+T(sec_tso_ts_noff_vlan,			1, 1, 1, 1, 1, 0, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F)		\
+T(sec_tso_ts_noff_vlan_l3l4csum,	1, 1, 1, 1, 1, 0, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F | L3L4CSUM_F)\
+T(sec_tso_ts_noff_vlan_ol3ol4csum,	1, 1, 1, 1, 1, 1, 0,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F |		\
+		OL3OL4CSUM_F)						\
+T(sec_tso_ts_noff_vlan_ol3ol4csum_l3l4csum,				\
+					1, 1, 1, 1, 1, 1, 1,	8,	\
+		TX_SEC_F | TSO_F | TSP_F | NOFF_F | VLAN_F |		\
+		OL3OL4CSUM_F | L3L4CSUM_F)
 #endif /* __OTX2_TX_H__ */
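Review bot: every sec_* row in NIX_TX_FASTPATH_MODES passes sz 8, including sec, sec_l3l4csum and sec_vlan, while the non-security rows use 4, 6 or 8 depending on the flags; if 8 is deliberate, say why in the comment above the table. The table also generates sec_noff_* variants although otx2_sec_event_tx() in patch 14 asserts that NIX_TX_OFFLOAD_MBUF_NOFF_F is not set, and it doubles the instantiated Tx functions to 128 per variant, so dropping the combinations the security path cannot serve would be worth considering.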
-- 
2.7.4



* [dpdk-dev] [PATCH v4 14/15] net/octeontx2: add inline Tx path changes
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
                         ` (12 preceding siblings ...)
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 13/15] drivers/octeontx2: add sec in Tx " Anoob Joseph
@ 2020-02-04 11:17       ` Anoob Joseph
  2020-02-05 23:19         ` Thomas Monjalon
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 15/15] net/octeontx2: sync inline tag type Anoob Joseph
  2020-02-04 16:10       ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Akhil Goyal
  15 siblings, 1 reply; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Ankur Dwivedi, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik, dev

From: Ankur Dwivedi <adwivedi@marvell.com>

Adding pre-processing required for inline IPsec outbound packets.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/event/octeontx2/otx2_worker.h      |   6 +
 drivers/net/octeontx2/otx2_ethdev_sec.c    |  82 +++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.h    |  19 +++
 drivers/net/octeontx2/otx2_ethdev_sec_tx.h | 181 +++++++++++++++++++++++++++++
 4 files changed, 288 insertions(+)
 create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec_tx.h

diff --git a/drivers/event/octeontx2/otx2_worker.h b/drivers/event/octeontx2/otx2_worker.h
index 7d161c8..5f5aa87 100644
--- a/drivers/event/octeontx2/otx2_worker.h
+++ b/drivers/event/octeontx2/otx2_worker.h
@@ -10,6 +10,7 @@
 
 #include <otx2_common.h>
 #include "otx2_evdev.h"
+#include "otx2_ethdev_sec_tx.h"
 
 /* SSO Operations */
 
@@ -281,6 +282,11 @@ otx2_ssogws_event_tx(struct otx2_ssogws *ws, struct rte_event ev[],
 	const struct otx2_eth_txq *txq = otx2_ssogws_xtract_meta(m);
 
 	rte_prefetch_non_temporal(txq);
+
+	if ((flags & NIX_TX_OFFLOAD_SECURITY_F) &&
+	    (m->ol_flags & PKT_TX_SEC_OFFLOAD))
+		return otx2_sec_event_tx(ws, ev, m, txq, flags);
+
 	/* Perform header writes before barrier for TSO */
 	otx2_nix_xmit_prepare_tso(m, flags);
 	otx2_ssogws_order(ws, !ev->sched_type);
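Review bot: in otx2_ssogws_event_tx() the new early return for PKT_TX_SEC_OFFLOAD mbufs skips both otx2_nix_xmit_prepare_tso() and otx2_ssogws_order(). Please add a comment that otx2_sec_event_tx() does its own ordering, and say what happens to an mbuf that carries both the security and TSO offload flags, since the fastpath table generates sec_tso_* variants.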
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index 4b219b3..9ea0dc4 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -3,12 +3,15 @@
  */
 
 #include <rte_cryptodev.h>
+#include <rte_esp.h>
 #include <rte_ethdev.h>
 #include <rte_eventdev.h>
+#include <rte_ip.h>
 #include <rte_malloc.h>
 #include <rte_memzone.h>
 #include <rte_security.h>
 #include <rte_security_driver.h>
+#include <rte_udp.h>
 
 #include "otx2_common.h"
 #include "otx2_cryptodev_qp.h"
@@ -19,6 +22,15 @@
 
 #define ETH_SEC_MAX_PKT_LEN	1450
 
+#define AH_HDR_LEN	12
+#define AES_GCM_IV_LEN	8
+#define AES_GCM_MAC_LEN	16
+#define AES_CBC_IV_LEN	16
+#define SHA1_HMAC_LEN	12
+
+#define AES_GCM_ROUNDUP_BYTE_LEN	4
+#define AES_CBC_ROUNDUP_BYTE_LEN	16
+
 struct eth_sec_tag_const {
 	RTE_STD_C11
 	union {
@@ -215,6 +227,60 @@ in_sa_get(uint16_t port, int sa_index)
 }
 
 static int
+ipsec_sa_const_set(struct rte_security_ipsec_xform *ipsec,
+		   struct rte_crypto_sym_xform *xform,
+		   struct otx2_sec_session_ipsec_ip *sess)
+{
+	struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
+
+	sess->partial_len = sizeof(struct rte_ipv4_hdr);
+
+	if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) {
+		sess->partial_len += sizeof(struct rte_esp_hdr);
+		sess->roundup_len = sizeof(struct rte_esp_tail);
+	} else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) {
+		sess->partial_len += AH_HDR_LEN;
+	} else {
+		return -EINVAL;
+	}
+
+	if (ipsec->options.udp_encap)
+		sess->partial_len += sizeof(struct rte_udp_hdr);
+
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+		if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+			sess->partial_len += AES_GCM_IV_LEN;
+			sess->partial_len += AES_GCM_MAC_LEN;
+			sess->roundup_byte = AES_GCM_ROUNDUP_BYTE_LEN;
+		}
+		return 0;
+	}
+
+	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		cipher_xform = xform;
+		auth_xform = xform->next;
+	} else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		auth_xform = xform;
+		cipher_xform = xform->next;
+	} else {
+		return -EINVAL;
+	}
+	if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		sess->partial_len += AES_CBC_IV_LEN;
+		sess->roundup_byte = AES_CBC_ROUNDUP_BYTE_LEN;
+	} else {
+		return -EINVAL;
+	}
+
+	if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
+		sess->partial_len += SHA1_HMAC_LEN;
+	else
+		return -EINVAL;
+
+	return 0;
+}
+
+static int
 hmac_init(struct otx2_ipsec_fp_sa_ctl *ctl, struct otx2_cpt_qp *qp,
 	  const uint8_t *auth_key, int len, uint8_t *hmac_key)
 {
@@ -300,6 +366,7 @@ eth_sec_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 	struct otx2_ipsec_fp_sa_ctl *ctl;
 	struct otx2_ipsec_fp_out_sa *sa;
 	struct otx2_sec_session *priv;
+	struct otx2_cpt_inst_s inst;
 	struct otx2_cpt_qp *qp;
 
 	priv = get_sec_session_private_data(sec_sess);
@@ -314,6 +381,12 @@ eth_sec_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 
 	memset(sess, 0, sizeof(struct otx2_sec_session_ipsec_ip));
 
+	sess->seq = 1;
+
+	ret = ipsec_sa_const_set(ipsec, crypto_xform, sess);
+	if (ret < 0)
+		return ret;
+
 	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
 		memcpy(sa->nonce, &ipsec->salt, 4);
 
@@ -323,6 +396,9 @@ eth_sec_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 	}
 
 	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		/* Start ip id from 1 */
+		sess->ip_id = 1;
+
 		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
 			memcpy(&sa->ip_src, &ipsec->tunnel.ipv4.src_ip,
 			       sizeof(struct in_addr));
@@ -357,6 +433,12 @@ eth_sec_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
 	else
 		return -EINVAL;
 
+	/* Determine word 7 of CPT instruction */
+	inst.u64[7] = 0;
+	inst.egrp = OTX2_CPT_EGRP_INLINE_IPSEC;
+	inst.cptr = rte_mempool_virt2iova(sa);
+	sess->inst_w7 = inst.u64[7];
+
 	/* Get CPT QP to be used for this SA */
 	ret = otx2_sec_idev_tx_cpt_qp_get(port, &qp);
 	if (ret)
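Review bot: inst.cptr is set from rte_mempool_virt2iova(sa), and that helper expects the start of a mempool element; if sa here is &sess->out_sa, as in otx2_sec_event_tx(), the address is only correct when out_sa sits at offset 0 of the session private data. A build-time check on that offset, or taking the IOVA of the element and adding the offset, would make this robust.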
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.h b/drivers/net/octeontx2/otx2_ethdev_sec.h
index 87342ef..783e41d 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.h
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.h
@@ -10,9 +10,13 @@
 #include "otx2_ipsec_fp.h"
 
 #define OTX2_CPT_RES_ALIGN		16
+#define OTX2_NIX_SEND_DESC_ALIGN	16
+#define OTX2_CPT_INST_SIZE		64
 
 #define OTX2_CPT_EGRP_INLINE_IPSEC	1
 
+#define OTX2_CPT_OP_INLINE_IPSEC_OUTB		(0x40 | 0x25)
+#define OTX2_CPT_OP_INLINE_IPSEC_INB		(0x40 | 0x26)
 #define OTX2_CPT_OP_WRITE_HMAC_IPAD_OPAD	(0x40 | 0x27)
 
 #define OTX2_SEC_CPT_COMP_GOOD	0x1
@@ -93,6 +97,21 @@ struct otx2_sec_session_ipsec_ip {
 	/* CPT LF enqueue register address */
 	rte_iova_t cpt_nq_reg;
 
+	/* Pre calculated lengths and data for a session */
+	uint8_t partial_len;
+	uint8_t roundup_len;
+	uint8_t roundup_byte;
+	uint16_t ip_id;
+	union {
+		uint64_t esn;
+		struct {
+			uint32_t seq;
+			uint32_t esn_hi;
+		};
+	};
+
+	uint64_t inst_w7;
+
 	/* CPT QP used by SA */
 	struct otx2_cpt_qp *qp;
 };
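Review bot: the anonymous union added to struct otx2_sec_session_ipsec_ip relies on seq being the low half of esn, which only holds on a little-endian target; the Tx path increments sess->esn and reads seq and esn_hi individually, so a comment stating the assumption would help. Also, ip_id is declared uint16_t here while otx2_ipsec_fp_out_hdr.ip_id is uint32_t and is filled with rte_cpu_to_be_32(sess->ip_id); please make the widths agree or explain the header layout.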
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec_tx.h b/drivers/net/octeontx2/otx2_ethdev_sec_tx.h
new file mode 100644
index 0000000..4f10eb7
--- /dev/null
+++ b/drivers/net/octeontx2/otx2_ethdev_sec_tx.h
@@ -0,0 +1,181 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2020 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_ETHDEV_SEC_TX_H__
+#define __OTX2_ETHDEV_SEC_TX_H__
+
+#include <rte_security.h>
+#include <rte_mbuf.h>
+
+#include "otx2_ethdev_sec.h"
+
+struct otx2_ipsec_fp_out_hdr {
+	uint32_t ip_id;
+	uint32_t seq;
+	uint8_t iv[16];
+};
+
+static __rte_always_inline int32_t
+otx2_ipsec_fp_out_rlen_get(struct otx2_sec_session_ipsec_ip *sess,
+			   uint32_t plen)
+{
+	uint32_t enc_payload_len;
+
+	enc_payload_len = RTE_ALIGN_CEIL(plen + sess->roundup_len,
+			sess->roundup_byte);
+
+	return sess->partial_len + enc_payload_len;
+}
+
+static __rte_always_inline void
+otx2_ssogws_head_wait(struct otx2_ssogws *ws);
+
+static __rte_always_inline int
+otx2_sec_event_tx(struct otx2_ssogws *ws, struct rte_event *ev,
+		  struct rte_mbuf *m, const struct otx2_eth_txq *txq,
+		  const uint32_t offload_flags)
+{
+	uint32_t dlen, rlen, desc_headroom, extend_head, extend_tail;
+	struct otx2_sec_session_ipsec_ip *sess;
+	struct otx2_ipsec_fp_out_hdr *hdr;
+	struct otx2_ipsec_fp_out_sa *sa;
+	uint64_t data_addr, desc_addr;
+	struct otx2_sec_session *priv;
+	struct otx2_cpt_inst_s inst;
+	uint64_t lmt_status;
+	char *data;
+
+	struct desc {
+		struct otx2_cpt_res cpt_res __rte_aligned(OTX2_CPT_RES_ALIGN);
+		struct nix_send_hdr_s nix_hdr
+				__rte_aligned(OTX2_NIX_SEND_DESC_ALIGN);
+		union nix_send_sg_s nix_sg;
+		struct nix_iova_s nix_iova;
+	} *sd;
+
+	priv = get_sec_session_private_data((void *)(m->udata64));
+	sess = &priv->ipsec.ip;
+	sa = &sess->out_sa;
+
+	RTE_ASSERT(sess->cpt_lmtline != NULL);
+	RTE_ASSERT(!(offload_flags & (NIX_TX_OFFLOAD_MBUF_NOFF_F |
+				      NIX_TX_OFFLOAD_VLAN_QINQ)));
+
+	dlen = rte_pktmbuf_pkt_len(m) + sizeof(*hdr) - RTE_ETHER_HDR_LEN;
+	rlen = otx2_ipsec_fp_out_rlen_get(sess, dlen - sizeof(*hdr));
+
+	RTE_BUILD_BUG_ON(OTX2_CPT_RES_ALIGN % OTX2_NIX_SEND_DESC_ALIGN);
+	RTE_BUILD_BUG_ON(sizeof(sd->cpt_res) % OTX2_NIX_SEND_DESC_ALIGN);
+
+	extend_head = sizeof(*hdr);
+	extend_tail = rlen - dlen;
+
+	desc_headroom = (OTX2_CPT_RES_ALIGN - 1) + sizeof(*sd);
+
+	if (unlikely(!rte_pktmbuf_is_contiguous(m)) ||
+	    unlikely(rte_pktmbuf_headroom(m) < extend_head + desc_headroom) ||
+	    unlikely(rte_pktmbuf_tailroom(m) < extend_tail)) {
+		goto drop;
+	}
+
+	/*
+	 * Extend mbuf data to point to the expected packet buffer for NIX.
+	 * This includes the Ethernet header followed by the encrypted IPsec
+	 * payload
+	 */
+	rte_pktmbuf_append(m, extend_tail);
+	data = rte_pktmbuf_prepend(m, extend_head);
+	data_addr = rte_pktmbuf_mtophys(m);
+
+	/*
+	 * Move the Ethernet header, to insert otx2_ipsec_fp_out_hdr prior
+	 * to the IP header
+	 */
+	memcpy(data, data + sizeof(*hdr), RTE_ETHER_HDR_LEN);
+
+	hdr = (struct otx2_ipsec_fp_out_hdr *)(data + RTE_ETHER_HDR_LEN);
+
+	if (sa->ctl.enc_type == OTX2_IPSEC_FP_SA_ENC_AES_GCM) {
+		/* AES-128-GCM */
+		memcpy(hdr->iv, &sa->nonce, 4);
+		memset(hdr->iv + 4, 0, 12); //TODO: make it random
+	} else {
+		/* AES-128-[CBC] + [SHA1] */
+		memset(hdr->iv, 0, 16); //TODO: make it random
+	}
+
+	/* Keep CPT result and NIX send descriptors in headroom */
+	sd = (void *)RTE_PTR_ALIGN(data - desc_headroom, OTX2_CPT_RES_ALIGN);
+	desc_addr = data_addr - RTE_PTR_DIFF(data, sd);
+
+	/* Prepare CPT instruction */
+
+	inst.nixtx_addr = (desc_addr + offsetof(struct desc, nix_hdr)) >> 4;
+	inst.doneint = 0;
+	inst.nixtxl = 1;
+	inst.res_addr = desc_addr + offsetof(struct desc, cpt_res);
+	inst.u64[2] = 0;
+	inst.u64[3] = 0;
+	inst.wqe_ptr = desc_addr >> 3;	/* FIXME: Handle errors */
+	inst.qord = 1;
+	inst.opcode = OTX2_CPT_OP_INLINE_IPSEC_OUTB;
+	inst.dlen = dlen;
+	inst.dptr = data_addr + RTE_ETHER_HDR_LEN;
+	inst.u64[7] = sess->inst_w7;
+
+	/* First word contains 8 bit completion code & 8 bit uc comp code */
+	sd->cpt_res.u16[0] = 0;
+
+	/* Prepare NIX send descriptors for output expected from CPT */
+
+	sd->nix_hdr.w0.u = 0;
+	sd->nix_hdr.w1.u = 0;
+	sd->nix_hdr.w0.sq = txq->sq;
+	sd->nix_hdr.w0.sizem1 = 1;
+	sd->nix_hdr.w0.total = rte_pktmbuf_data_len(m);
+	sd->nix_hdr.w0.aura = npa_lf_aura_handle_to_aura(m->pool->pool_id);
+
+	sd->nix_sg.u = 0;
+	sd->nix_sg.subdc = NIX_SUBDC_SG;
+	sd->nix_sg.ld_type = NIX_SENDLDTYPE_LDD;
+	sd->nix_sg.segs = 1;
+	sd->nix_sg.seg1_size = rte_pktmbuf_data_len(m);
+
+	sd->nix_iova.addr = rte_mbuf_data_iova(m);
+
+	/* Mark mempool object as "put" since it is freed by NIX */
+	__mempool_check_cookies(m->pool, (void **)&m, 1, 0);
+
+	if (!ev->sched_type)
+		otx2_ssogws_head_wait(ws);
+
+	inst.param1 = sess->esn_hi >> 16;
+	inst.param2 = sess->esn_hi & 0xffff;
+
+	hdr->seq = rte_cpu_to_be_32(sess->seq);
+	hdr->ip_id = rte_cpu_to_be_32(sess->ip_id);
+
+	sess->ip_id++;
+	sess->esn++;
+
+	rte_cio_wmb();
+
+	do {
+		otx2_lmt_mov(sess->cpt_lmtline, &inst, 2);
+		lmt_status = otx2_lmt_submit(sess->cpt_nq_reg);
+	} while (lmt_status == 0);
+
+	return 1;
+
+drop:
+	if (offload_flags & NIX_TX_OFFLOAD_MBUF_NOFF_F) {
+		/* Don't free if reference count > 1 */
+		if (rte_pktmbuf_prefree_seg(m) == NULL)
+			return 0;
+	}
+	rte_pktmbuf_free(m);
+	return 0;
+}
+
+#endif /* __OTX2_ETHDEV_SEC_TX_H__ */
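Review bot: in otx2_sec_event_tx() the per-packet IV is constant: the AES-GCM branch copies the 4-byte salt and zeroes the remaining 12 bytes of hdr->iv, and the CBC branch zeroes all 16, both marked `//TODO: make it random`. Unless the CPT engine replaces these bytes, every packet on an SA is sent with the same IV, which for GCM means nonce reuse under one key; this should be resolved before merge, for example by deriving the GCM IV from the sequence number (it only has to be unique) and using an unpredictable IV for CBC. Separately, sess->ip_id++ and sess->esn++ are plain read-modify-writes and otx2_ssogws_head_wait() is only called when !ev->sched_type, so please state what serialises two workers sending on the same SA. RTE_ASSERT is compiled out unless RTE_ENABLE_ASSERT is set, so the NOFF/VLAN restriction is not enforced in normal builds even though the drop path still tests NIX_TX_OFFLOAD_MBUF_NOFF_F, and `NIX_TX_OFFLOAD_VLAN_QINQ` lacks the `_F` suffix the other offload flags in otx2_tx.h carry; please check the name. The `FIXME: Handle errors` on inst.wqe_ptr also needs resolving or tracking.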
-- 
2.7.4



* [dpdk-dev] [PATCH v4 15/15] net/octeontx2: sync inline tag type
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
                         ` (13 preceding siblings ...)
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 14/15] net/octeontx2: add inline Tx path changes Anoob Joseph
@ 2020-02-04 11:17       ` Anoob Joseph
  2020-02-04 16:10       ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Akhil Goyal
  15 siblings, 0 replies; 111+ messages in thread
From: Anoob Joseph @ 2020-02-04 11:17 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Thomas Monjalon
  Cc: Vamsi Attunuru, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Ankur Dwivedi, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Lukasz Bartosik, dev

From: Vamsi Attunuru <vattunuru@marvell.com>

Tag type configuration for the inline processed packets is set during
ethdev configuration; it might conflict with tag type configuration
done during Rx adapter configuration, which would be set up later.

This conflict is fixed as part of flow rule creation by updating
tag type config of inline same as Rx adapter configured tag type.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Archana Muniganti <marchana@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
 drivers/net/octeontx2/otx2_ethdev_sec.c | 28 ++++++++++++++++++++++++++++
 drivers/net/octeontx2/otx2_ethdev_sec.h |  2 ++
 drivers/net/octeontx2/otx2_flow.c       | 26 ++++++++++++++++++++++++++
 3 files changed, 56 insertions(+)

diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c
index 9ea0dc4..3858218 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.c
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.c
@@ -754,6 +754,34 @@ eth_sec_ipsec_cfg(struct rte_eth_dev *eth_dev, uint8_t tt)
 }
 
 int
+otx2_eth_sec_update_tag_type(struct rte_eth_dev *eth_dev)
+{
+	struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
+	struct otx2_mbox *mbox = dev->mbox;
+	struct nix_aq_enq_rsp *rsp;
+	struct nix_aq_enq_req *aq;
+	int ret;
+
+	aq = otx2_mbox_alloc_msg_nix_aq_enq(mbox);
+	aq->qidx = 0; /* Read RQ:0 context */
+	aq->ctype = NIX_AQ_CTYPE_RQ;
+	aq->op = NIX_AQ_INSTOP_READ;
+
+	ret = otx2_mbox_process_msg(mbox, (void *)&rsp);
+	if (ret < 0) {
+		otx2_err("Could not read RQ context");
+		return ret;
+	}
+
+	/* Update tag type */
+	ret = eth_sec_ipsec_cfg(eth_dev, rsp->rq.sso_tt);
+	if (ret < 0)
+		otx2_err("Could not update sec eth tag type");
+
+	return ret;
+}
+
+int
 otx2_eth_sec_init(struct rte_eth_dev *eth_dev)
 {
 	const size_t sa_width = sizeof(struct otx2_ipsec_fp_in_sa);
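Review bot: otx2_eth_sec_update_tag_type() reads only RQ 0 (aq->qidx = 0) and applies its rq.sso_tt to the inline IPsec configuration, which assumes that every Rx queue uses the same tag type and that RQ 0 has already been set up by the Rx adapter when the flow rule is created. Please state that assumption in a comment above the function, or take the tag type from the queue the flow actually targets. In the same function, aq is dereferenced straight after otx2_mbox_alloc_msg_nix_aq_enq(mbox) with no check on the returned pointer; if that allocation can fail, add a NULL check and return an error before writing aq->qidx.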
diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.h b/drivers/net/octeontx2/otx2_ethdev_sec.h
index 783e41d..e24358a 100644
--- a/drivers/net/octeontx2/otx2_ethdev_sec.h
+++ b/drivers/net/octeontx2/otx2_ethdev_sec.h
@@ -130,6 +130,8 @@ int otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev);
 
 void otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev);
 
+int otx2_eth_sec_update_tag_type(struct rte_eth_dev *eth_dev);
+
 int otx2_eth_sec_init(struct rte_eth_dev *eth_dev);
 
 void otx2_eth_sec_fini(struct rte_eth_dev *eth_dev);
diff --git a/drivers/net/octeontx2/otx2_flow.c b/drivers/net/octeontx2/otx2_flow.c
index f1fb9f9..13a76e4 100644
--- a/drivers/net/octeontx2/otx2_flow.c
+++ b/drivers/net/octeontx2/otx2_flow.c
@@ -3,6 +3,7 @@
  */
 
 #include "otx2_ethdev.h"
+#include "otx2_ethdev_sec.h"
 #include "otx2_flow.h"
 
 int
@@ -299,6 +300,21 @@ flow_free_rss_action(struct rte_eth_dev *eth_dev,
 	return 0;
 }
 
+static int
+flow_update_sec_tt(struct rte_eth_dev *eth_dev,
+		   const struct rte_flow_action actions[])
+{
+	int rc = 0;
+
+	for (; actions->type != RTE_FLOW_ACTION_TYPE_END; actions++) {
+		if (actions->type == RTE_FLOW_ACTION_TYPE_SECURITY) {
+			rc = otx2_eth_sec_update_tag_type(eth_dev);
+			break;
+		}
+	}
+
+	return rc;
+}
 
 static int
 flow_parse_meta_items(__rte_unused struct otx2_parse_state *pst)
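Review bot: flow_update_sec_tt() calls otx2_eth_sec_update_tag_type() for every rule whose action list contains RTE_FLOW_ACTION_TYPE_SECURITY, so each such flow creation repeats the mailbox RQ context read and the inline tag type reconfiguration even when the tag type has not changed since the previous rule. Consider remembering the last tag type applied and skipping the update when it already matches. A one-line comment above the helper saying why a security action triggers a tag type sync would also help, since the reason is only given in the commit message.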
@@ -491,6 +507,16 @@ otx2_flow_create(struct rte_eth_dev *dev,
 		goto err_exit;
 	}
 
+	if (hw->rx_offloads & DEV_RX_OFFLOAD_SECURITY) {
+		rc = flow_update_sec_tt(dev, actions);
+		if (rc != 0) {
+			rte_flow_error_set(error, EIO,
+					   RTE_FLOW_ERROR_TYPE_UNSPECIFIED,
+					   NULL,
+					   "Failed to update tt with sec act");
+			goto err_exit;
+		}
+	}
 
 	list = &hw->npc_flow.flow_list[flow->priority];
 	/* List in ascending order of mcam entries */
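Review bot: when flow_update_sec_tt() fails in otx2_flow_create(), the error is reported as a fixed EIO with RTE_FLOW_ERROR_TYPE_UNSPECIFIED, so the value in rc is dropped and the caller cannot tell a mailbox failure from any other cause. Suggest reporting it against the action (RTE_FLOW_ERROR_TYPE_ACTION) with the code derived from rc, and spelling the message out, for example "Failed to update tag type for security action". The check here is rc != 0, while otx2_eth_sec_update_tag_type() only treats ret < 0 as an error; it would be cleaner to use one convention in both places.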
-- 
2.7.4



* Re: [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support
  2020-02-04 11:17     ` [dpdk-dev] [PATCH v4 00/15] add OCTEON TX2 inline IPsec support Anoob Joseph
                         ` (14 preceding siblings ...)
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 15/15] net/octeontx2: sync inline tag type Anoob Joseph
@ 2020-02-04 16:10       ` Akhil Goyal
  15 siblings, 0 replies; 111+ messages in thread
From: Akhil Goyal @ 2020-02-04 16:10 UTC (permalink / raw)
  To: Anoob Joseph, Declan Doherty, Thomas Monjalon
  Cc: Jerin Jacob, Narayana Prasad, Kiran Kumar K, Nithin Dabilpuram,
	Pavan Nikhilesh, Ankur Dwivedi, Archana Muniganti,
	Tejasree Kondoj, Vamsi Attunuru, Lukasz Bartosik, dev


> 
> This series adds inline IPsec support in OCTEON TX2 PMD.
> 
> In the inbound path, rte_flow framework needs to be used to configure
> the NPC block, which does the h/w lookup. The packets would get
> processed by the crypto block and would submit to the scheduling block,
> SSO. So inline IPsec mode can be enabled only when traffic is received
> via event device using Rx adapter.
> 
> In the outbound path, the core would submit to the crypto block and the
> crypto block would submit the packet for Tx internally.
> 
> v4:
> * Reverted meson.build file edit in patch 14/15
> 
> v3:
> * Moved ethdev security ops to net/octeontx2
> * Segregated all security related code in common to
>   common/octeontx2/otx2_sec* files
> * Segregated all security related control code in net to
>   net/octeontx2/otx2_ethdev_sec* files
> * Claimed maintainership for all files added above
> * Added support for AES-CBC
> 
> v2:
> * Minimized additions to common/octeontx2
> * Updated release notes
> * Renamed otx2_is_ethdev to otx2_ethdev_is_sec_capable
> 
> Ankur Dwivedi (3):
>   net/octeontx2: add eth security capabilities
>   net/octeontx2: add datapath ops in eth security ctx
>   net/octeontx2: add inline Tx path changes
> 
> Anoob Joseph (4):
>   common/octeontx2: add CPT LF mbox for inline inbound
>   net/octeontx2: create eth security ctx
>   crypto/octeontx2: enable CPT to share QP with ethdev
>   net/octeontx2: add eth security session operations
> 
> Archana Muniganti (3):
>   net/octeontx2: add lookup mem changes to hold sa indices
>   drivers/octeontx2: add sec in Rx fastpath framework
>   drivers/octeontx2: add sec in Tx fastpath framework
> 
> Tejasree Kondoj (3):
>   crypto/octeontx2: configure for inline IPsec
>   net/octeontx2: add security in eth dev configure
>   net/octeontx2: add inline ipsec Rx path changes
> 
> Vamsi Attunuru (2):
>   common/octeontx2: add routine to check if sec capable otx2
>   net/octeontx2: sync inline tag type
> 
>  MAINTAINERS                                        |   6 +
>  doc/guides/nics/octeontx2.rst                      |  20 +
>  doc/guides/rel_notes/release_20_02.rst             |   9 +
>  drivers/common/octeontx2/Makefile                  |   1 +
>  drivers/common/octeontx2/meson.build               |   1 +
>  drivers/common/octeontx2/otx2_common.h             |   4 +
>  drivers/common/octeontx2/otx2_mbox.h               |   7 +
>  drivers/common/octeontx2/otx2_sec_idev.c           | 183 +++++
>  drivers/common/octeontx2/otx2_sec_idev.h           |  37 +
>  .../octeontx2/rte_common_octeontx2_version.map     |   6 +
>  drivers/crypto/octeontx2/Makefile                  |   6 +-
>  drivers/crypto/octeontx2/meson.build               |   4 +
>  .../crypto/octeontx2/otx2_cryptodev_hw_access.h    |  22 +-
>  drivers/crypto/octeontx2/otx2_cryptodev_mbox.c     |  54 ++
>  drivers/crypto/octeontx2/otx2_cryptodev_mbox.h     |   7 +
>  drivers/crypto/octeontx2/otx2_cryptodev_ops.c      |  56 ++
>  drivers/crypto/octeontx2/otx2_cryptodev_qp.h       |  35 +
>  drivers/crypto/octeontx2/otx2_ipsec_fp.h           | 350 +++++++++
>  drivers/event/octeontx2/Makefile                   |   1 +
>  drivers/event/octeontx2/meson.build                |   2 +
>  drivers/event/octeontx2/otx2_evdev.c               | 170 +++--
>  drivers/event/octeontx2/otx2_evdev.h               |   4 +-
>  drivers/event/octeontx2/otx2_worker.c              |   6 +-
>  drivers/event/octeontx2/otx2_worker.h              |   6 +
>  drivers/event/octeontx2/otx2_worker_dual.c         |   6 +-
>  drivers/net/octeontx2/Makefile                     |   4 +
>  drivers/net/octeontx2/meson.build                  |   7 +-
>  drivers/net/octeontx2/otx2_ethdev.c                |  38 +-
>  drivers/net/octeontx2/otx2_ethdev.h                |   2 +
>  drivers/net/octeontx2/otx2_ethdev_devargs.c        |  19 +
>  drivers/net/octeontx2/otx2_ethdev_sec.c            | 844 +++++++++++++++++++++
>  drivers/net/octeontx2/otx2_ethdev_sec.h            | 139 ++++
>  drivers/net/octeontx2/otx2_ethdev_sec_tx.h         | 181 +++++
>  drivers/net/octeontx2/otx2_flow.c                  |  26 +
>  drivers/net/octeontx2/otx2_lookup.c                |  11 +-
>  drivers/net/octeontx2/otx2_rx.c                    |  27 +-
>  drivers/net/octeontx2/otx2_rx.h                    | 377 ++++++---
>  drivers/net/octeontx2/otx2_tx.c                    |  29 +-
>  drivers/net/octeontx2/otx2_tx.h                    | 271 +++++--
>  39 files changed, 2696 insertions(+), 282 deletions(-)
>  create mode 100644 drivers/common/octeontx2/otx2_sec_idev.c
>  create mode 100644 drivers/common/octeontx2/otx2_sec_idev.h
>  create mode 100644 drivers/crypto/octeontx2/otx2_cryptodev_qp.h
>  create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_fp.h
>  create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec.c
>  create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec.h
>  create mode 100644 drivers/net/octeontx2/otx2_ethdev_sec_tx.h
> 
Applied to dpdk-next-crypto

Thanks.



* Re: [dpdk-dev] [PATCH v4 14/15] net/octeontx2: add inline Tx path changes
  2020-02-04 11:17       ` [dpdk-dev] [PATCH v4 14/15] net/octeontx2: add inline Tx path changes Anoob Joseph
@ 2020-02-05 23:19         ` Thomas Monjalon
  0 siblings, 0 replies; 111+ messages in thread
From: Thomas Monjalon @ 2020-02-05 23:19 UTC (permalink / raw)
  To: Akhil Goyal, Ankur Dwivedi
  Cc: Declan Doherty, dev, Jerin Jacob, Narayana Prasad, Kiran Kumar K,
	Nithin Dabilpuram, Pavan Nikhilesh, Anoob Joseph,
	Archana Muniganti, Tejasree Kondoj, Vamsi Attunuru,
	Lukasz Bartosik

04/02/2020 12:17, Anoob Joseph:
> From: Ankur Dwivedi <adwivedi@marvell.com>
> 
> Adding pre-processing required for inline IPsec outbound packets.
> 
> Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Archana Muniganti <marchana@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> ---
> +	RTE_ASSERT(!(offload_flags & (NIX_TX_OFFLOAD_MBUF_NOFF_F |
> +				      NIX_TX_OFFLOAD_VLAN_QINQ)));

This line does not compile if assert is enabled:
drivers/net/octeontx2/otx2_ethdev_sec_tx.h:63:11:
fatal error: use of undeclared identifier 'NIX_TX_OFFLOAD_VLAN_QINQ'

Will replace with NIX_TX_OFFLOAD_VLAN_QINQ_F while pulling in mainline.


