* [dpdk-dev] [PATCH v2 1/6] security: add SA lifetime configuration
2021-09-07 16:32 ` [dpdk-dev] [PATCH v2 0/6] Add SA lifetime in security Anoob Joseph
@ 2021-09-07 16:32 ` Anoob Joseph
2021-09-16 11:06 ` Ananyev, Konstantin
2021-09-07 16:32 ` [dpdk-dev] [PATCH v2 2/6] common/cnxk: support " Anoob Joseph
From: Anoob Joseph @ 2021-09-07 16:32 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add SA lifetime configuration to register soft and hard expiry limits.
Expiry can be in units of number of packets or bytes. Crypto op
status is also updated to include a new field, aux_flags, which can be
used to indicate cases such as soft expiry in case of lookaside
protocol operations.
In case of soft expiry, the packets are successfully IPsec processed but
the soft expiry would indicate that SA needs to be reconfigured. For
inline protocol capable ethdev, this would result in an eth event while
for lookaside protocol capable cryptodev, this can be communicated via
`rte_crypto_op.aux_flags` field.
In case of hard expiry, the packets will not be IPsec processed and
would result in error.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
.../test_cryptodev_security_ipsec_test_vectors.h | 3 ---
doc/guides/rel_notes/deprecation.rst | 5 ----
doc/guides/rel_notes/release_21_11.rst | 13 ++++++++++
examples/ipsec-secgw/ipsec.c | 2 +-
examples/ipsec-secgw/ipsec.h | 2 +-
lib/cryptodev/rte_crypto.h | 18 +++++++++++++-
lib/security/rte_security.h | 28 ++++++++++++++++++++--
7 files changed, 58 insertions(+), 13 deletions(-)
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
index ae9cd24..38ea43d 100644
--- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -98,7 +98,6 @@ struct ipsec_test_data pkt_aes_128_gcm = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
- .esn_soft_limit = 0,
.replay_win_sz = 0,
},
@@ -195,7 +194,6 @@ struct ipsec_test_data pkt_aes_192_gcm = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
- .esn_soft_limit = 0,
.replay_win_sz = 0,
},
@@ -295,7 +293,6 @@ struct ipsec_test_data pkt_aes_256_gcm = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
- .esn_soft_limit = 0,
.replay_win_sz = 0,
},
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 76a4abf..6118f06 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -282,8 +282,3 @@ Deprecation Notices
* security: The functions ``rte_security_set_pkt_metadata`` and
``rte_security_get_userdata`` will be made inline functions and additional
flags will be added in structure ``rte_security_ctx`` in DPDK 21.11.
-
-* cryptodev: The structure ``rte_crypto_op`` would be updated to reduce
- reserved bytes to 2 (from 3), and use 1 byte to indicate warnings and other
- information from the crypto/security operation. This field will be used to
- communicate events such as soft expiry with IPsec in lookaside mode.
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 9b14c84..0e3ed28 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -102,6 +102,13 @@ API Changes
Also, make sure to start the actual text at the margin.
=======================================================
+* cryptodev: use 1 reserved byte from ``rte_crypto_op`` for aux flags
+
+ * Updated the structure ``rte_crypto_op`` to reduce reserved bytes to
+ 2 (from 3), and use 1 byte to indicate warnings and other information from
+ the crypto/security operation. This field will be used to communicate events
+ such as soft expiry with IPsec in lookaside mode.
+
ABI Changes
-----------
@@ -123,6 +130,12 @@ ABI Changes
* Added IPsec SA option to disable IV generation to allow known vector
tests as well as usage of application provided IV on supported PMDs.
+* security: add IPsec SA lifetime configuration
+
+ * Added IPsec SA lifetime configuration to allow applications to configure
+ soft and hard SA expiry limits. Limits can be either in units of packets or
+ bytes.
+
Known Issues
------------
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 5b032fe..4868294 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -49,7 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
}
/* TODO support for Transport */
}
- ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
+ ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT;
ipsec->replay_win_sz = app_sa_prm.window_size;
ipsec->options.esn = app_sa_prm.enable_esn;
ipsec->options.udp_encap = sa->udp_encap;
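Review bot: the new `ipsec->life.packets_soft_limit` assignment reuses the old ESN constant's value but sets no `packets_hard_limit`, so once the soft event fires this example SA keeps encrypting indefinitely until the application rekeys; either also set `ipsec->life.packets_hard_limit` in set_ipsec_conf or add a comment that the example relies on the soft notification alone. Mapping an ESN threshold onto a packet count is sound because one ESP sequence number is consumed per packet, but that equivalence deserves a comment where the constant is defined.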
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index ae5058d..90c81c1 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -23,7 +23,7 @@
#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
-#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
+#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00
#define IV_OFFSET (sizeof(struct rte_crypto_op) + \
sizeof(struct rte_crypto_sym_op))
diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h
index fd5ef3a..d602183 100644
--- a/lib/cryptodev/rte_crypto.h
+++ b/lib/cryptodev/rte_crypto.h
@@ -66,6 +66,17 @@ enum rte_crypto_op_sess_type {
};
/**
+ * Auxiliary flags to indicate additional info from the operation
+ */
+
+/**
+ * Auxiliary flags related to IPsec offload with RTE_SECURITY
+ */
+
+#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY (1 << 0)
+/**< SA soft expiry limit has been reached */
+
+/**
* Cryptographic Operation.
*
* This structure contains data relating to performing cryptographic
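Review bot: the two back-to-back doxygen blocks ("Auxiliary flags to indicate additional info from the operation" and "Auxiliary flags related to IPsec offload with RTE_SECURITY") are redundant and the first one documents nothing; merge them into a single comment that introduces the RTE_CRYPTO_OP_AUX_FLAGS_ namespace and states that the IPsec bit is only meaningful for ops with RTE_CRYPTO_OP_SECURITY_SESSION.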
@@ -93,7 +104,12 @@ struct rte_crypto_op {
*/
uint8_t sess_type;
/**< operation session type */
- uint8_t reserved[3];
+ uint8_t aux_flags;
+ /**< Operation specific auxiliary/additional flags.
+ * These flags carry additional information from the
+ * operation. Processing of the same is optional.
+ */
+ uint8_t reserved[2];
/**< Reserved bytes to fill 64 bits for
* future additions
*/
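Review bot: the `aux_flags` doc comment should say who writes the field and when: it is an output filled by the PMD at dequeue, and since `rte_crypto_op` objects are recycled through a mempool the comment should state whether the PMD resets it on every completion or the application must clear it before enqueue, otherwise a flag from a previous use of the same op can be misread. Replacing `reserved[3]` with `aux_flags` plus `reserved[2]` keeps the layout, which is worth stating in the release note.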
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index b4b6776..95c169d 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -206,6 +206,30 @@ enum rte_security_ipsec_sa_direction {
};
/**
+ * Configure soft and hard lifetime of an IPsec SA
+ *
+ * Lifetime of an IPsec SA would specify the maximum number of packets or bytes
+ * that can be processed. IPsec operations would start failing once any hard
+ * limit is reached.
+ *
+ * Soft limits can be specified to generate notification when the SA is
+ * approaching hard limits for lifetime. For inline operations, reaching soft
+ * expiry limit would result in raising an eth event for the same. For lookaside
+ * operations, this would result in a warning returned in
+ * ``rte_crypto_op.aux_flags``.
+ */
+struct rte_security_ipsec_lifetime {
+ uint64_t packets_soft_limit;
+ /**< Soft expiry limit in number of packets */
+ uint64_t bytes_soft_limit;
+ /**< Soft expiry limit in bytes */
+ uint64_t packets_hard_limit;
+ /**< Soft expiry limit in number of packets */
+ uint64_t bytes_hard_limit;
+ /**< Soft expiry limit in bytes */
+};
+
+/**
* IPsec security association configuration data.
*
* This structure contains data required to create an IPsec SA security session.
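Review bot: copy-paste error in the new struct: the comments on `packets_hard_limit` and `bytes_hard_limit` read "Soft expiry limit" and should read "Hard expiry limit". The block comment should also define the meaning of 0 (limit disabled, as the example app and the cnxk driver assume) and whether packet and byte limits may be set together, since the driver patch in this series rejects that combination.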
@@ -225,8 +249,8 @@ struct rte_security_ipsec_xform {
/**< IPsec SA Mode - transport/tunnel */
struct rte_security_ipsec_tunnel_param tunnel;
/**< Tunnel parameters, NULL for transport mode */
- uint64_t esn_soft_limit;
- /**< ESN for which the overflow event need to be raised */
+ struct rte_security_ipsec_lifetime life;
+ /**< IPsec SA lifetime */
uint32_t replay_win_sz;
/**< Anti replay window size to enable sequence replay attack handling.
* replay checking is disabled if the window size is 0.
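Review bot: removing `esn_soft_limit` changes semantics, not just the name: it expressed the ESN value at which to raise an overflow event, while `life.packets_soft_limit` counts packets on the SA. Applications that used it for ESN rollover need to be pointed at the replacement, and the ABI release note added in this patch mentions only the new lifetime configuration, not the removed field; please list the removal there as well.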
--
2.7.4
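To show how an application is expected to consume the two expiry signals the commit message describes (soft expiry: op succeeds with `aux_flags` set; hard expiry: op fails), here is an added, stand-alone C model. It is not DPDK code: the struct definitions are simplified stand-ins (assumption) so it builds without the DPDK headers, and the "offload" is a simulation that accounts packets against a packet-based lifetime.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag value taken from the patch; the structs below are simplified
 * stand-ins (assumption), not the real DPDK definitions. */
#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY (1 << 0)

struct rte_security_ipsec_lifetime {
	uint64_t packets_soft_limit;
	uint64_t bytes_soft_limit;
	uint64_t packets_hard_limit;
	uint64_t bytes_hard_limit;
};

/* Modelled op result: the two rte_crypto_op fields the patch cares about. */
struct op_result {
	uint8_t status;    /* 0 = success, 1 = error (hard expiry) */
	uint8_t aux_flags; /* RTE_CRYPTO_OP_AUX_FLAGS_* bits */
};

/* Per-SA bookkeeping kept by the application, not the PMD. */
struct sa_state {
	struct rte_security_ipsec_lifetime life;
	uint64_t packets_done;
	bool rekey_requested;
};

/* Validate a lifetime config before session creation: at most one unit
 * (the cnxk driver in this series rejects mixing packets and bytes) and,
 * when both soft and hard limits of a unit are set, soft must come first
 * or the warning can never fire. 0 means "limit disabled". */
int lifetime_validate(const struct rte_security_ipsec_lifetime *l)
{
	bool pkts = l->packets_soft_limit || l->packets_hard_limit;
	bool bytes = l->bytes_soft_limit || l->bytes_hard_limit;

	if (pkts && bytes)
		return -1;
	if (l->packets_soft_limit && l->packets_hard_limit &&
	    l->packets_soft_limit >= l->packets_hard_limit)
		return -2;
	if (l->bytes_soft_limit && l->bytes_hard_limit &&
	    l->bytes_soft_limit >= l->bytes_hard_limit)
		return -2;
	return 0;
}

/* Simulated lookaside offload for a packet-limited SA: hard expiry fails
 * the op without processing the packet; soft expiry processes it and sets
 * the aux flag on that op and on every later one. */
struct op_result sa_process_packet(struct sa_state *sa)
{
	struct op_result r = { 0, 0 };
	const struct rte_security_ipsec_lifetime *l = &sa->life;

	if (l->packets_hard_limit && sa->packets_done >= l->packets_hard_limit) {
		r.status = 1;
		return r;
	}
	sa->packets_done++;
	if (l->packets_soft_limit && sa->packets_done >= l->packets_soft_limit)
		r.aux_flags |= RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
	return r;
}

/* Application dequeue handling. Every op after the soft limit carries the
 * flag, so the rekey trigger must be idempotent. Returns 1 if the packet
 * was delivered, 0 if the op failed. */
int app_handle_result(struct sa_state *sa, struct op_result r)
{
	if (r.status != 0)
		return 0;
	if ((r.aux_flags & RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY) &&
	    !sa->rekey_requested)
		sa->rekey_requested = true; /* start IKE rekey exactly once */
	return 1;
}

/* Push n packets through an SA; returns how many were delivered. */
uint64_t run_sa(struct sa_state *sa, uint64_t n)
{
	uint64_t delivered = 0;

	for (uint64_t i = 0; i < n; i++)
		delivered += app_handle_result(sa, sa_process_packet(sa));
	return delivered;
}

int main(void)
{
	/* Constructed scenario: soft limit 8 packets, hard limit 10, 12 sent. */
	struct sa_state sa = { { 8, 0, 10, 0 }, 0, false };
	uint64_t delivered = run_sa(&sa, 12);

	printf("delivered %llu of 12, rekey requested: %s\n",
	       (unsigned long long)delivered, sa.rekey_requested ? "yes" : "no");
	return 0;
}
```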
* Re: [dpdk-dev] [PATCH v2 1/6] security: add SA lifetime configuration
2021-09-07 16:32 ` [dpdk-dev] [PATCH v2 1/6] security: add SA lifetime configuration Anoob Joseph
@ 2021-09-16 11:06 ` Ananyev, Konstantin
2021-09-17 4:48 ` Anoob Joseph
From: Ananyev, Konstantin @ 2021-09-16 11:06 UTC (permalink / raw)
To: Anoob Joseph, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan
Cc: Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal,
Nicolau, Radu, Power, Ciara, Gagandeep Singh, dev
> Add SA lifetime configuration to register soft and hard expiry limits.
> Expiry can be in units of number of packets or bytes. Crypto op
> status is also updated to include new field, aux_flags, which can be
> used to indicate cases such as soft expiry in case of lookaside
> protocol operations.
>
> In case of soft expiry, the packets are successfully IPsec processed but
> the soft expiry would indicate that SA needs to be reconfigured. For
> inline protocol capable ethdev, this would result in an eth event while
> for lookaside protocol capable cryptodev, this can be communicated via
> `rte_crypto_op.aux_flags` field.
>
> In case of hard expiry, the packets will not be IPsec processed and
> would result in error.
>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> ---
> .../test_cryptodev_security_ipsec_test_vectors.h | 3 ---
> doc/guides/rel_notes/deprecation.rst | 5 ----
> doc/guides/rel_notes/release_21_11.rst | 13 ++++++++++
> examples/ipsec-secgw/ipsec.c | 2 +-
> examples/ipsec-secgw/ipsec.h | 2 +-
> lib/cryptodev/rte_crypto.h | 18 +++++++++++++-
> lib/security/rte_security.h | 28 ++++++++++++++++++++--
> 7 files changed, 58 insertions(+), 13 deletions(-)
>
> diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
> index ae9cd24..38ea43d 100644
> --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
> +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
> @@ -98,7 +98,6 @@ struct ipsec_test_data pkt_aes_128_gcm = {
> .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
> .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
> - .esn_soft_limit = 0,
> .replay_win_sz = 0,
> },
>
> @@ -195,7 +194,6 @@ struct ipsec_test_data pkt_aes_192_gcm = {
> .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
> .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
> - .esn_soft_limit = 0,
> .replay_win_sz = 0,
> },
>
> @@ -295,7 +293,6 @@ struct ipsec_test_data pkt_aes_256_gcm = {
> .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
> .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
> - .esn_soft_limit = 0,
> .replay_win_sz = 0,
> },
>
> diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
> index 76a4abf..6118f06 100644
> --- a/doc/guides/rel_notes/deprecation.rst
> +++ b/doc/guides/rel_notes/deprecation.rst
> @@ -282,8 +282,3 @@ Deprecation Notices
> * security: The functions ``rte_security_set_pkt_metadata`` and
> ``rte_security_get_userdata`` will be made inline functions and additional
> flags will be added in structure ``rte_security_ctx`` in DPDK 21.11.
> -
> -* cryptodev: The structure ``rte_crypto_op`` would be updated to reduce
> - reserved bytes to 2 (from 3), and use 1 byte to indicate warnings and other
> - information from the crypto/security operation. This field will be used to
> - communicate events such as soft expiry with IPsec in lookaside mode.
> diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
> index 9b14c84..0e3ed28 100644
> --- a/doc/guides/rel_notes/release_21_11.rst
> +++ b/doc/guides/rel_notes/release_21_11.rst
> @@ -102,6 +102,13 @@ API Changes
> Also, make sure to start the actual text at the margin.
> =======================================================
>
> +* cryptodev: use 1 reserved byte from ``rte_crypto_op`` for aux flags
> +
> + * Updated the structure ``rte_crypto_op`` to reduce reserved bytes to
> + 2 (from 3), and use 1 byte to indicate warnings and other information from
> + the crypto/security operation. This field will be used to communicate events
> + such as soft expiry with IPsec in lookaside mode.
> +
>
> ABI Changes
> -----------
> @@ -123,6 +130,12 @@ ABI Changes
> * Added IPsec SA option to disable IV generation to allow known vector
> tests as well as usage of application provided IV on supported PMDs.
>
> +* security: add IPsec SA lifetime configuration
> +
> + * Added IPsec SA lifetime configuration to allow applications to configure
> + soft and hard SA expiry limits. Limits can be either in units of packets or
> + bytes.
> +
>
> Known Issues
> ------------
> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> index 5b032fe..4868294 100644
> --- a/examples/ipsec-secgw/ipsec.c
> +++ b/examples/ipsec-secgw/ipsec.c
> @@ -49,7 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
> }
> /* TODO support for Transport */
> }
> - ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
> + ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT;
> ipsec->replay_win_sz = app_sa_prm.window_size;
> ipsec->options.esn = app_sa_prm.enable_esn;
> ipsec->options.udp_encap = sa->udp_encap;
> diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
> index ae5058d..90c81c1 100644
> --- a/examples/ipsec-secgw/ipsec.h
> +++ b/examples/ipsec-secgw/ipsec.h
> @@ -23,7 +23,7 @@
>
> #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
>
> -#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
> +#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00
>
> #define IV_OFFSET (sizeof(struct rte_crypto_op) + \
> sizeof(struct rte_crypto_sym_op))
> diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h
> index fd5ef3a..d602183 100644
> --- a/lib/cryptodev/rte_crypto.h
> +++ b/lib/cryptodev/rte_crypto.h
> @@ -66,6 +66,17 @@ enum rte_crypto_op_sess_type {
> };
>
> /**
> + * Auxiliary flags to indicate additional info from the operation
> + */
> +
> +/**
> + * Auxiliary flags related to IPsec offload with RTE_SECURITY
> + */
Duplicate comments.
> +
> +#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY (1 << 0)
> +/**< SA soft expiry limit has been reached */
> +
> +/**
> * Cryptographic Operation.
> *
> * This structure contains data relating to performing cryptographic
> @@ -93,7 +104,12 @@ struct rte_crypto_op {
> */
> uint8_t sess_type;
> /**< operation session type */
> - uint8_t reserved[3];
> + uint8_t aux_flags;
> + /**< Operation specific auxiliary/additional flags.
> + * These flags carry additional information from the
> + * operation. Processing of the same is optional.
> + */
> + uint8_t reserved[2];
> /**< Reserved bytes to fill 64 bits for
> * future additions
> */
> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> index b4b6776..95c169d 100644
> --- a/lib/security/rte_security.h
> +++ b/lib/security/rte_security.h
> @@ -206,6 +206,30 @@ enum rte_security_ipsec_sa_direction {
> };
>
> /**
> + * Configure soft and hard lifetime of an IPsec SA
> + *
> + * Lifetime of an IPsec SA would specify the maximum number of packets or bytes
> + * that can be processed. IPsec operations would start failing once any hard
> + * limit is reached.
> + *
> + * Soft limits can be specified to generate notification when the SA is
> + * approaching hard limits for lifetime. For inline operations, reaching soft
> + * expiry limit would result in raising an eth event for the same. For lookaside
> + * operations, this would result in a warning returned in
> + * ``rte_crypto_op.aux_flags``.
> + */
> +struct rte_security_ipsec_lifetime {
> + uint64_t packets_soft_limit;
> + /**< Soft expiry limit in number of packets */
> + uint64_t bytes_soft_limit;
> + /**< Soft expiry limit in bytes */
> + uint64_t packets_hard_limit;
> + /**< Soft expiry limit in number of packets */
> + uint64_t bytes_hard_limit;
> + /**< Soft expiry limit in bytes */
> +};
> +
> +/**
> * IPsec security association configuration data.
> *
> * This structure contains data required to create an IPsec SA security session.
> @@ -225,8 +249,8 @@ struct rte_security_ipsec_xform {
> /**< IPsec SA Mode - transport/tunnel */
> struct rte_security_ipsec_tunnel_param tunnel;
> /**< Tunnel parameters, NULL for transport mode */
> - uint64_t esn_soft_limit;
> - /**< ESN for which the overflow event need to be raised */
> + struct rte_security_ipsec_lifetime life;
> + /**< IPsec SA lifetime */
> uint32_t replay_win_sz;
> /**< Anti replay window size to enable sequence replay attack handling.
> * replay checking is disabled if the window size is 0.
> --
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> 2.7.4
* Re: [dpdk-dev] [PATCH v2 1/6] security: add SA lifetime configuration
2021-09-16 11:06 ` Ananyev, Konstantin
@ 2021-09-17 4:48 ` Anoob Joseph
From: Anoob Joseph @ 2021-09-17 4:48 UTC (permalink / raw)
To: Ananyev, Konstantin, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan
Cc: Jerin Jacob Kollanukkaran, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Nicolau, Radu, Power, Ciara, Gagandeep Singh,
dev
Hi Konstantin,
Please see inline.
Thanks,
Anoob
> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> Sent: Thursday, September 16, 2021 4:36 PM
> To: Anoob Joseph <anoobj@marvell.com>; Akhil Goyal
> <gakhil@marvell.com>; Doherty, Declan <declan.doherty@intel.com>;
> Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Cc: Jerin Jacob Kollanukkaran <jerinj@marvell.com>; Archana Muniganti
> <marchana@marvell.com>; Tejasree Kondoj <ktejasree@marvell.com>;
> Hemant Agrawal <hemant.agrawal@nxp.com>; Nicolau, Radu
> <radu.nicolau@intel.com>; Power, Ciara <ciara.power@intel.com>;
> Gagandeep Singh <g.singh@nxp.com>; dev@dpdk.org
> Subject: [EXT] RE: [PATCH v2 1/6] security: add SA lifetime configuration
>
> External Email
>
> ----------------------------------------------------------------------
>
> > Add SA lifetime configuration to register soft and hard expiry limits.
> > Expiry can be in units of number of packets or bytes. Crypto op status
> > is also updated to include new field, aux_flags, which can be used to
> > indicate cases such as soft expiry in case of lookaside protocol
> > operations.
> >
> > In case of soft expiry, the packets are successfully IPsec processed
> > but the soft expiry would indicate that SA needs to be reconfigured.
> > For inline protocol capable ethdev, this would result in an eth event
> > while for lookaside protocol capable cryptodev, this can be
> > communicated via `rte_crypto_op.aux_flags` field.
> >
> > In case of hard expiry, the packets will not be IPsec processed and
> > would result in error.
> >
> > Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> > ---
> > .../test_cryptodev_security_ipsec_test_vectors.h | 3 ---
> > doc/guides/rel_notes/deprecation.rst | 5 ----
> > doc/guides/rel_notes/release_21_11.rst | 13 ++++++++++
> > examples/ipsec-secgw/ipsec.c | 2 +-
> > examples/ipsec-secgw/ipsec.h | 2 +-
> > lib/cryptodev/rte_crypto.h | 18 +++++++++++++-
> > lib/security/rte_security.h | 28 ++++++++++++++++++++--
> > 7 files changed, 58 insertions(+), 13 deletions(-)
> >
> > diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h
> > b/app/test/test_cryptodev_security_ipsec_test_vectors.h
> > index ae9cd24..38ea43d 100644
> > --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
> > +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
> > @@ -98,7 +98,6 @@ struct ipsec_test_data pkt_aes_128_gcm = {
> > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> > .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
> > .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
> > - .esn_soft_limit = 0,
> > .replay_win_sz = 0,
> > },
> >
> > @@ -195,7 +194,6 @@ struct ipsec_test_data pkt_aes_192_gcm = {
> > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> > .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
> > .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
> > - .esn_soft_limit = 0,
> > .replay_win_sz = 0,
> > },
> >
> > @@ -295,7 +293,6 @@ struct ipsec_test_data pkt_aes_256_gcm = {
> > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> > .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
> > .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
> > - .esn_soft_limit = 0,
> > .replay_win_sz = 0,
> > },
> >
> > diff --git a/doc/guides/rel_notes/deprecation.rst
> > b/doc/guides/rel_notes/deprecation.rst
> > index 76a4abf..6118f06 100644
> > --- a/doc/guides/rel_notes/deprecation.rst
> > +++ b/doc/guides/rel_notes/deprecation.rst
> > @@ -282,8 +282,3 @@ Deprecation Notices
> > * security: The functions ``rte_security_set_pkt_metadata`` and
> > ``rte_security_get_userdata`` will be made inline functions and additional
> > flags will be added in structure ``rte_security_ctx`` in DPDK 21.11.
> > -
> > -* cryptodev: The structure ``rte_crypto_op`` would be updated to
> > reduce
> > - reserved bytes to 2 (from 3), and use 1 byte to indicate warnings
> > and other
> > - information from the crypto/security operation. This field will be
> > used to
> > - communicate events such as soft expiry with IPsec in lookaside mode.
> > diff --git a/doc/guides/rel_notes/release_21_11.rst
> > b/doc/guides/rel_notes/release_21_11.rst
> > index 9b14c84..0e3ed28 100644
> > --- a/doc/guides/rel_notes/release_21_11.rst
> > +++ b/doc/guides/rel_notes/release_21_11.rst
> > @@ -102,6 +102,13 @@ API Changes
> > Also, make sure to start the actual text at the margin.
> > =======================================================
> >
> > +* cryptodev: use 1 reserved byte from ``rte_crypto_op`` for aux flags
> > +
> > + * Updated the structure ``rte_crypto_op`` to reduce reserved bytes
> > + to
> > + 2 (from 3), and use 1 byte to indicate warnings and other
> > + information from the crypto/security operation. This field will be
> > + used to communicate events such as soft expiry with IPsec in lookaside
> mode.
> > +
> >
> > ABI Changes
> > -----------
> > @@ -123,6 +130,12 @@ ABI Changes
> > * Added IPsec SA option to disable IV generation to allow known vector
> > tests as well as usage of application provided IV on supported PMDs.
> >
> > +* security: add IPsec SA lifetime configuration
> > +
> > + * Added IPsec SA lifetime configuration to allow applications to configure
> > + soft and hard SA expiry limits. Limits can be either in units of packets or
> > + bytes.
> > +
> >
> > Known Issues
> > ------------
> > diff --git a/examples/ipsec-secgw/ipsec.c
> > b/examples/ipsec-secgw/ipsec.c index 5b032fe..4868294 100644
> > --- a/examples/ipsec-secgw/ipsec.c
> > +++ b/examples/ipsec-secgw/ipsec.c
> > @@ -49,7 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct
> rte_security_ipsec_xform *ipsec)
> > }
> > /* TODO support for Transport */
> > }
> > - ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
> > + ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT;
> > ipsec->replay_win_sz = app_sa_prm.window_size;
> > ipsec->options.esn = app_sa_prm.enable_esn;
> > ipsec->options.udp_encap = sa->udp_encap; diff --git
> > a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index
> > ae5058d..90c81c1 100644
> > --- a/examples/ipsec-secgw/ipsec.h
> > +++ b/examples/ipsec-secgw/ipsec.h
> > @@ -23,7 +23,7 @@
> >
> > #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
> >
> > -#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
> > +#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00
> >
> > #define IV_OFFSET (sizeof(struct rte_crypto_op) + \
> > sizeof(struct rte_crypto_sym_op)) diff --git
> > a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h index
> > fd5ef3a..d602183 100644
> > --- a/lib/cryptodev/rte_crypto.h
> > +++ b/lib/cryptodev/rte_crypto.h
> > @@ -66,6 +66,17 @@ enum rte_crypto_op_sess_type { };
> >
> > /**
> > + * Auxiliary flags to indicate additional info from the operation */
> > +
> > +/**
> > + * Auxiliary flags related to IPsec offload with RTE_SECURITY */
>
> Duplicate comments.
[Anoob] The proposal is to make auxiliary flags custom to operation. Like, flags related to IPsec offload may not be applicable for PDCP offload (and vice versa). But then, I agree these could be updated as we add new fields related to other kinds of operations. I'll drop the extra comments in the next version.
>
> > +
> > +#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY (1 << 0) /**<
> SA
> > +soft expiry limit has been reached */
> > +
> > +/**
> > * Cryptographic Operation.
> > *
> > * This structure contains data relating to performing cryptographic
> > @@ -93,7 +104,12 @@ struct rte_crypto_op {
> > */
> > uint8_t sess_type;
> > /**< operation session type */
> > - uint8_t reserved[3];
> > + uint8_t aux_flags;
> > + /**< Operation specific auxiliary/additional flags.
> > + * These flags carry additional information from the
> > + * operation. Processing of the same is optional.
> > + */
> > + uint8_t reserved[2];
> > /**< Reserved bytes to fill 64 bits for
> > * future additions
> > */
> > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> > index b4b6776..95c169d 100644
> > --- a/lib/security/rte_security.h
> > +++ b/lib/security/rte_security.h
> > @@ -206,6 +206,30 @@ enum rte_security_ipsec_sa_direction { };
> >
> > /**
> > + * Configure soft and hard lifetime of an IPsec SA
> > + *
> > + * Lifetime of an IPsec SA would specify the maximum number of
> > +packets or bytes
> > + * that can be processed. IPsec operations would start failing once
> > +any hard
> > + * limit is reached.
> > + *
> > + * Soft limits can be specified to generate notification when the SA
> > +is
> > + * approaching hard limits for lifetime. For inline operations,
> > +reaching soft
> > + * expiry limit would result in raising an eth event for the same.
> > +For lookaside
> > + * operations, this would result in a warning returned in
> > + * ``rte_crypto_op.aux_flags``.
> > + */
> > +struct rte_security_ipsec_lifetime {
> > + uint64_t packets_soft_limit;
> > + /**< Soft expiry limit in number of packets */
> > + uint64_t bytes_soft_limit;
> > + /**< Soft expiry limit in bytes */
> > + uint64_t packets_hard_limit;
> > + /**< Soft expiry limit in number of packets */
> > + uint64_t bytes_hard_limit;
> > + /**< Soft expiry limit in bytes */
> > +};
> > +
> > +/**
> > * IPsec security association configuration data.
> > *
> > * This structure contains data required to create an IPsec SA security
> session.
> > @@ -225,8 +249,8 @@ struct rte_security_ipsec_xform {
> > /**< IPsec SA Mode - transport/tunnel */
> > struct rte_security_ipsec_tunnel_param tunnel;
> > /**< Tunnel parameters, NULL for transport mode */
> > - uint64_t esn_soft_limit;
> > - /**< ESN for which the overflow event need to be raised */
> > + struct rte_security_ipsec_lifetime life;
> > + /**< IPsec SA lifetime */
> > uint32_t replay_win_sz;
> > /**< Anti replay window size to enable sequence replay attack
> handling.
> > * replay checking is disabled if the window size is 0.
> > --
>
> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
>
> > 2.7.4
* [dpdk-dev] [PATCH v2 2/6] common/cnxk: support lifetime configuration
2021-09-07 16:32 ` [dpdk-dev] [PATCH v2 0/6] Add SA lifetime in security Anoob Joseph
2021-09-07 16:32 ` [dpdk-dev] [PATCH v2 1/6] security: add SA lifetime configuration Anoob Joseph
@ 2021-09-07 16:32 ` Anoob Joseph
2021-09-07 16:32 ` [dpdk-dev] [PATCH v2 3/6] crypto/octeontx2: add checks for life configuration Anoob Joseph
From: Anoob Joseph @ 2021-09-07 16:32 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add support for SA lifetime configuration. Expiry can
be either in units of octets or packets.
Also, updated the cryptodev dequeue path to update the crypto op result to
indicate soft expiry.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
drivers/common/cnxk/cnxk_security.c | 70 +++++++++++++++++++++++++++++++
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 48 ++++++++++++++++-----
drivers/crypto/cnxk/cn9k_ipsec.c | 6 ++-
3 files changed, 112 insertions(+), 12 deletions(-)
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index 4f7fd1b..215d9fd 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -161,6 +161,26 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
return -EINVAL;
}
+ if (ipsec_xfrm->life.packets_soft_limit != 0 ||
+ ipsec_xfrm->life.packets_hard_limit != 0) {
+ if (ipsec_xfrm->life.bytes_soft_limit != 0 ||
+ ipsec_xfrm->life.bytes_hard_limit != 0) {
+ plt_err("Expiry tracking with both packets & bytes is not supported");
+ return -EINVAL;
+ }
+ w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_PKTS;
+ }
+
+ if (ipsec_xfrm->life.bytes_soft_limit != 0 ||
+ ipsec_xfrm->life.bytes_hard_limit != 0) {
+ if (ipsec_xfrm->life.packets_soft_limit != 0 ||
+ ipsec_xfrm->life.packets_hard_limit != 0) {
+ plt_err("Expiry tracking with both packets & bytes is not supported");
+ return -EINVAL;
+ }
+ w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_OCTETS;
+ }
+
return 0;
}
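Review bot: the two new blocks in ot_ipsec_sa_common_param_fill are mirror images, so the inner check of the second block (packet limits set while byte limits are set) can never be reached: that combination already returned -EINVAL from the first block. Collapse them into one decision, e.g. compute `pkts` and `bytes` booleans once, reject if both, then pick `ROC_IE_OT_SA_LIFE_UNIT_PKTS` or `ROC_IE_OT_SA_LIFE_UNIT_OCTETS`; that also removes the duplicated plt_err string.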
@@ -236,6 +256,31 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
ROC_CTX_UNIT_128B) -
1;
+ /**
+ * CPT MC triggers expiry when counter value changes from 2 to 1. To
+ * mitigate this behaviour add 1 to the life counter values provided.
+ */
+
+ if (ipsec_xfrm->life.bytes_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.bytes_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
/* There are two words of CPT_CTX_HW_S for ucode to skip */
sa->w0.s.ctx_hdr_size = 1;
sa->w0.s.aop_valid = 1;
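Review bot: the "+ 1" compensation wraps when a limit is UINT64_MAX (`bytes_hard_limit + 1` becomes 0), which would silently disable the hard limit that the caller asked for; either reject or clamp limits at UINT64_MAX - 1 before the adjustment. The four `if` blocks also write `sa->ctx.soft_life` and `sa->ctx.hard_life` twice for the bytes and packets cases, which only works because ot_ipsec_sa_common_param_fill has already rejected mixed units; a one-line comment stating that dependency would save the next reader from wondering about the overwrite.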
@@ -360,6 +405,31 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
/* IPID gen */
sa->w2.s.ipid_gen = 1;
+ /**
+ * CPT MC triggers expiry when counter value changes from 2 to 1. To
+ * mitigate this behaviour add 1 to the life counter values provided.
+ */
+
+ if (ipsec_xfrm->life.bytes_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.bytes_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
/* There are two words of CPT_CTX_HW_S for ucode to skip */
sa->w0.s.ctx_hdr_size = 1;
sa->w0.s.aop_valid = 1;
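Review bot: this 25-line lifetime block in cnxk_ot_ipsec_outb_sa_fill is a verbatim copy of the one added to cnxk_ot_ipsec_inb_sa_fill above; factor it into a small static helper that takes the xform and pointers to the `ctx.soft_life`/`ctx.hard_life` and `w0.s.*_life_dec` fields so the overflow handling and the "+ 1" microcode quirk are fixed in one place.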
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index cccca77..e6ed733 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -348,12 +348,44 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
struct cpt_inflight_req *infl_req)
{
struct cpt_cn10k_res_s *res = (struct cpt_cn10k_res_s *)&infl_req->res;
+ const uint8_t uc_compcode = res->uc_compcode;
+ const uint8_t compcode = res->compcode;
unsigned int sz;
- if (likely(res->compcode == CPT_COMP_GOOD ||
- res->compcode == CPT_COMP_WARN)) {
- if (unlikely(res->uc_compcode)) {
- if (res->uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE)
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+
+ if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
+ cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
+ if (likely(compcode == CPT_COMP_WARN)) {
+ if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) {
+ /* Success with additional info */
+ switch (uc_compcode) {
+ case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST:
+ cop->aux_flags =
+ RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
+ break;
+ default:
+ break;
+ }
+ }
+ cn10k_cpt_sec_post_process(cop, res);
+ } else {
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ plt_dp_info("HW completion code 0x%x", res->compcode);
+ if (compcode == CPT_COMP_GOOD) {
+ plt_dp_info(
+ "Request failed with microcode error");
+ plt_dp_info("MC completion code 0x%x",
+ uc_compcode);
+ }
+ }
+
+ return;
+ }
+
+ if (likely(compcode == CPT_COMP_GOOD || compcode == CPT_COMP_WARN)) {
+ if (unlikely(uc_compcode)) {
+ if (uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE)
cop->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
else
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
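Review bot: `cop->aux_flags` is written only in the `ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST` case, so an op reused from a mempool keeps whatever `aux_flags` value it carried from its previous use; clear it next to `cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;` at the top (or in the `uc_compcode == ROC_IE_OT_UCC_SUCCESS` path) so applications can trust the flag. The `/* Success with additional info */` switch also ends in `default: break;`, so any other informational `uc_compcode` is dropped silently, where at least a `plt_dp_info` would help diagnose unexpected codes. Finally, the error branch logs with `plt_dp_info`, whereas the existing `switch (compcode)` below reports failures with `plt_dp_err`.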
@@ -364,13 +396,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
goto temp_sess_free;
}
- cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
- if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
- cn10k_cpt_sec_post_process(cop, res);
- return;
- }
-
/* Verify authentication data if required */
if (unlikely(infl_req->op_flags &
CPT_OP_FLAGS_AUTH_VERIFY)) {
@@ -392,7 +418,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
plt_dp_info("HW completion code 0x%x", res->compcode);
- switch (res->compcode) {
+ switch (compcode) {
case CPT_COMP_INSTERR:
plt_dp_err("Request failed with instruction error");
break;
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index 0b63cc4..63ae025 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -485,7 +485,11 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
static inline int
cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
{
- RTE_SET_USED(ipsec);
+ if (ipsec->life.bytes_hard_limit != 0 ||
+ ipsec->life.bytes_soft_limit != 0 ||
+ ipsec->life.packets_hard_limit != 0 ||
+ ipsec->life.packets_soft_limit != 0)
+ return -ENOTSUP;
return 0;
}
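Review bot: returning `-ENOTSUP` without a log line leaves the caller with a bare errno whenever any of the four `life` limits is non-zero; a `plt_err("SA lifetime tracking is not supported")`, mirroring the `plt_err` used in `ot_ipsec_sa_common_param_fill`, would make the rejection diagnosable. The same four-field comparison is added again in `ipsec_po_xform_verify` for octeontx2, so a small shared inline helper would avoid the duplication.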
--
2.7.4

* [dpdk-dev] [PATCH v2 3/6] crypto/octeontx2: add checks for life configuration
From: Anoob Joseph @ 2021-09-07 16:32 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Lifetime tracking is not supported by hardware and is not implemented in
software either. Return failure when lifetime is configured.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
drivers/crypto/octeontx2/otx2_ipsec_po.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h
index b3e7456..b61c5e0 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h
@@ -293,6 +293,12 @@ ipsec_po_xform_verify(struct rte_security_ipsec_xform *ipsec,
struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
int ret;
+ if (ipsec->life.bytes_hard_limit != 0 ||
+ ipsec->life.bytes_soft_limit != 0 ||
+ ipsec->life.packets_hard_limit != 0 ||
+ ipsec->life.packets_soft_limit != 0)
+ return -ENOTSUP;
+
if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
return ipsec_po_xform_aead_verify(ipsec, xform);
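Review bot: the check is silent, so `ipsec_po_xform_verify` returning `-ENOTSUP` is the only signal the application gets that the octeontx2 PMD cannot honour `life`, and nothing in the visible `rte_security.h` hunks advertises lifetime support as a capability; add a log line naming the unsupported field here, and consider documenting in the commit message that applications can discover lack of support only by attempting session creation.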
--
2.7.4
* [dpdk-dev] [PATCH v2 4/6] test/crypto: add packets soft expiry tests
From: Anoob Joseph @ 2021-09-07 16:32 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add tests to validate packets soft expiry handling.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
app/test/test_cryptodev.c | 21 +++++++++++++++++++--
app/test/test_cryptodev_security_ipsec.c | 18 ++++++++++++++++--
app/test/test_cryptodev_security_ipsec.h | 4 +++-
3 files changed, 38 insertions(+), 5 deletions(-)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index dd68080..7eeba57 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -8997,7 +8997,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
/* Process crypto operation */
process_crypto_request(dev_id, ut_params->op);
- ret = test_ipsec_status_check(ut_params->op, flags, dir);
+ ret = test_ipsec_status_check(ut_params->op, flags, dir, i + 1);
if (ret != TEST_SUCCESS)
goto crypto_op_free;
@@ -9067,7 +9067,8 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags)
unsigned int i, nb_pkts = 1, pass_cnt = 0;
int ret;
- if (flags->iv_gen)
+ if (flags->iv_gen ||
+ flags->sa_expiry_pkts_soft)
nb_pkts = IPSEC_TEST_PACKETS_MAX;
for (i = 0; i < RTE_DIM(aead_list); i++) {
@@ -9132,6 +9133,18 @@ test_ipsec_proto_iv_gen(const void *data __rte_unused)
}
static int
+test_ipsec_proto_sa_exp_pkts_soft(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.sa_expiry_pkts_soft = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
{
struct ipsec_test_flags flags;
@@ -14087,6 +14100,10 @@ static struct unit_test_suite ipsec_proto_testsuite = {
ut_setup_security, ut_teardown,
test_ipsec_proto_udp_encap),
TEST_CASE_NAMED_ST(
+ "SA expiry packets soft",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_sa_exp_pkts_soft),
+ TEST_CASE_NAMED_ST(
"Negative test: ICV corruption",
ut_setup_security, ut_teardown,
test_ipsec_proto_err_icv_corrupt),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index f371b15..56a44b5 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -173,6 +173,10 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
if (flags->iv_gen)
td->ipsec_xform.options.iv_gen_disable = 0;
+
+ if (flags->sa_expiry_pkts_soft)
+ td->ipsec_xform.life.packets_soft_limit =
+ IPSEC_TEST_PACKETS_MAX - 1;
}
RTE_SET_USED(param2);
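Review bot: `packets_soft_limit` is set to `IPSEC_TEST_PACKETS_MAX - 1` while `test_ipsec_status_check` expects `RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY` only on packet number `IPSEC_TEST_PACKETS_MAX`, so the test encodes the flag being raised on the first packet after the limit rather than on the packet that reaches it. The `rte_security_ipsec_lifetime` doc comment does not say which is intended; please state the expected semantics there so other PMDs implement the same off-by-one.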
@@ -395,7 +399,8 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
int
test_ipsec_status_check(struct rte_crypto_op *op,
const struct ipsec_test_flags *flags,
- enum rte_security_ipsec_sa_direction dir)
+ enum rte_security_ipsec_sa_direction dir,
+ int pkt_num)
{
int ret = TEST_SUCCESS;
@@ -406,7 +411,16 @@ test_ipsec_status_check(struct rte_crypto_op *op,
}
} else {
if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
- printf("Security op processing failed\n");
+ printf("Security op processing failed [pkt_num: %d]\n",
+ pkt_num);
+ ret = TEST_FAILED;
+ }
+ }
+
+ if (flags->sa_expiry_pkts_soft && pkt_num == IPSEC_TEST_PACKETS_MAX) {
+ if (!(op->aux_flags &
+ RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY)) {
+ printf("SA soft expiry (pkts) test failed\n");
ret = TEST_FAILED;
}
}
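Review bot: the new block only checks that packet `IPSEC_TEST_PACKETS_MAX` carries `RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY`; add the complementary check that packets before the limit do not have the flag set, otherwise a PMD that sets the flag unconditionally would pass. Since the block runs after the generic status check without an early `return`, a packet that already failed with a bad `op->status` also prints the soft expiry failure, which muddles the output; returning on the first failure would keep it unambiguous.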
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index e1645f4..eed3476 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -49,6 +49,7 @@ struct ipsec_test_data {
struct ipsec_test_flags {
bool display_alg;
+ bool sa_expiry_pkts_soft;
bool icv_corrupt;
bool iv_gen;
bool udp_encap;
@@ -114,6 +115,7 @@ int test_ipsec_post_process(struct rte_mbuf *m,
int test_ipsec_status_check(struct rte_crypto_op *op,
const struct ipsec_test_flags *flags,
- enum rte_security_ipsec_sa_direction dir);
+ enum rte_security_ipsec_sa_direction dir,
+ int pkt_num);
#endif
--
2.7.4
* [dpdk-dev] [PATCH v2 5/6] test/crypto: add packets hard expiry tests
From: Anoob Joseph @ 2021-09-07 16:32 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add tests to validate packets hard expiry handling.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
app/test/test_cryptodev.c | 19 ++++++++++++++++++-
app/test/test_cryptodev_security_ipsec.c | 22 +++++++++++++++++++---
app/test/test_cryptodev_security_ipsec.h | 1 +
3 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 7eeba57..e513f38 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9068,7 +9068,8 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags)
int ret;
if (flags->iv_gen ||
- flags->sa_expiry_pkts_soft)
+ flags->sa_expiry_pkts_soft ||
+ flags->sa_expiry_pkts_hard)
nb_pkts = IPSEC_TEST_PACKETS_MAX;
for (i = 0; i < RTE_DIM(aead_list); i++) {
@@ -9145,6 +9146,18 @@ test_ipsec_proto_sa_exp_pkts_soft(const void *data __rte_unused)
}
static int
+test_ipsec_proto_sa_exp_pkts_hard(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.sa_expiry_pkts_hard = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
{
struct ipsec_test_flags flags;
@@ -14104,6 +14117,10 @@ static struct unit_test_suite ipsec_proto_testsuite = {
ut_setup_security, ut_teardown,
test_ipsec_proto_sa_exp_pkts_soft),
TEST_CASE_NAMED_ST(
+ "SA expiry packets hard",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_sa_exp_pkts_hard),
+ TEST_CASE_NAMED_ST(
"Negative test: ICV corruption",
ut_setup_security, ut_teardown,
test_ipsec_proto_err_icv_corrupt),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 56a44b5..046536c 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -200,6 +200,10 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
td_inb[i].input_text.data[icv_pos] += 1;
}
+ if (flags->sa_expiry_pkts_hard)
+ td_inb[i].ipsec_xform.life.packets_hard_limit =
+ IPSEC_TEST_PACKETS_MAX - 1;
+
if (flags->udp_encap)
td_inb[i].ipsec_xform.options.udp_encap = 1;
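Review bot: the hard limit is programmed on `td_inb` only, so the new test exercises hard expiry on the inbound SA alone; the outbound SA in the same run keeps no limit, and `test_ipsec_status_check` correspondingly gates on `dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS`. Either state in the commit message that outbound hard expiry is out of scope, or mirror the limit on the outbound `td` and check the egress op as well.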
@@ -285,9 +289,10 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
uint32_t skip, len = rte_pktmbuf_pkt_len(m);
- /* For negative tests, no need to do verification */
- if (flags->icv_corrupt &&
- td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+ /* For tests with status as error for test success, skip verification */
+ if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+ (flags->icv_corrupt ||
+ flags->sa_expiry_pkts_hard))
return TEST_SUCCESS;
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
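Review bot: with `flags->sa_expiry_pkts_hard` the early `return TEST_SUCCESS` skips output verification for every ingress packet, not only packet `IPSEC_TEST_PACKETS_MAX`; the packets before the limit are expected to decrypt normally, so their output should still be compared against the expected plaintext. The comment `For tests with status as error for test success` is also hard to parse; something like `Skip verification for negative tests where an error status is the expected outcome` reads clearer.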
@@ -404,6 +409,17 @@ test_ipsec_status_check(struct rte_crypto_op *op,
{
int ret = TEST_SUCCESS;
+ if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+ flags->sa_expiry_pkts_hard &&
+ pkt_num == IPSEC_TEST_PACKETS_MAX) {
+ if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+ printf("SA hard expiry (pkts) test failed\n");
+ return TEST_FAILED;
+ } else {
+ return TEST_SUCCESS;
+ }
+ }
+
if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
printf("ICV corruption test case failed\n");
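Review bot: the hard-expiry branch accepts any `RTE_CRYPTO_OP_STATUS_ERROR`, so a failure unrelated to lifetime (for example a generic microcode error on packet `IPSEC_TEST_PACKETS_MAX`) passes the test; there is no dedicated status or `aux_flags` value for hard expiry in this series, so either add one or at least assert that packets `1 .. IPSEC_TEST_PACKETS_MAX - 1` succeeded before accepting the error on the last one.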
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index eed3476..18f3c64 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -50,6 +50,7 @@ struct ipsec_test_data {
struct ipsec_test_flags {
bool display_alg;
bool sa_expiry_pkts_soft;
+ bool sa_expiry_pkts_hard;
bool icv_corrupt;
bool iv_gen;
bool udp_encap;
--
2.7.4
* [dpdk-dev] [PATCH v2 6/6] examples/ipsec-secgw: clear soft expiry configuration
From: Anoob Joseph @ 2021-09-07 16:32 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Soft expiry is not a mandatory IPsec feature. It is verified separately
with IPsec unit tests. So configuration of the same is not required.
Also, soft expiry tracking can cause perf degradation with some PMDs.
Since a separate UT is available and the same setting in ipsec-secgw is
not verifying the functionality, remove the same by clearing life
configuration.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
examples/ipsec-secgw/ipsec.c | 5 ++++-
examples/ipsec-secgw/ipsec.h | 2 --
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 4868294..7f936c7 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -49,7 +49,10 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
}
/* TODO support for Transport */
}
- ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT;
+ ipsec->life.packets_soft_limit = 0;
+ ipsec->life.packets_hard_limit = 0;
+ ipsec->life.bytes_soft_limit = 0;
+ ipsec->life.bytes_hard_limit = 0;
ipsec->replay_win_sz = app_sa_prm.window_size;
ipsec->options.esn = app_sa_prm.enable_esn;
ipsec->options.udp_encap = sa->udp_encap;
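Review bot: clearing all four limits leaves the example's offloaded SAs with no lifetime at all, whereas `IPSEC_OFFLOAD_PKTS_SOFTLIMIT` (0xffffff00) previously requested a warning shortly before the 32-bit sequence number space is exhausted; the commit message should say what now guards those SAs against sequence number rollover, since a deployment copying this example would want a limit below 2^32 packets so it can rekey in time.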
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 90c81c1..8405c48 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -23,8 +23,6 @@
#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
-#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00
-
#define IV_OFFSET (sizeof(struct rte_crypto_op) + \
sizeof(struct rte_crypto_sym_op))
--
2.7.4
* Re: [dpdk-dev] [PATCH v2 6/6] examples/ipsec-secgw: clear soft expiry configuration
From: Ananyev, Konstantin @ 2021-09-16 11:11 UTC (permalink / raw)
To: Anoob Joseph, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan
Cc: Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal,
Nicolau, Radu, Power, Ciara, Gagandeep Singh, dev
>
> Soft expiry is not a mandatory IPsec feature. It is verified separately
> with IPsec unit tests. So configuration of the same is not required.
> Also, soft expiry tracking can cause perf degradation with some PMDs.
> Since a separate UT is available and the same setting in ipsec-secgw is
> not verifying the functionality, remove the same by clearing life
> configuration.
>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> ---
> examples/ipsec-secgw/ipsec.c | 5 ++++-
> examples/ipsec-secgw/ipsec.h | 2 --
> 2 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> index 4868294..7f936c7 100644
> --- a/examples/ipsec-secgw/ipsec.c
> +++ b/examples/ipsec-secgw/ipsec.c
> @@ -49,7 +49,10 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
> }
> /* TODO support for Transport */
> }
> - ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT;
> + ipsec->life.packets_soft_limit = 0;
> + ipsec->life.packets_hard_limit = 0;
> + ipsec->life.bytes_soft_limit = 0;
> + ipsec->life.bytes_hard_limit = 0;
As a nit: as far as I can read the code, it would already be zeroed at the entrance to this function,
so explicit zeroing is not really required.
> ipsec->replay_win_sz = app_sa_prm.window_size;
> ipsec->options.esn = app_sa_prm.enable_esn;
> ipsec->options.udp_encap = sa->udp_encap;
> diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
> index 90c81c1..8405c48 100644
> --- a/examples/ipsec-secgw/ipsec.h
> +++ b/examples/ipsec-secgw/ipsec.h
> @@ -23,8 +23,6 @@
>
> #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
>
> -#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00
> -
> #define IV_OFFSET (sizeof(struct rte_crypto_op) + \
> sizeof(struct rte_crypto_sym_op))
>
> --
> 2.7.4
* [dpdk-dev] [PATCH v3 0/6] Add SA lifetime in security
From: Anoob Joseph @ 2021-09-28 10:07 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add SA lifetime configuration in security. SA lifetime tracking can be
offloaded on supported PMDs.
SA lifetime would cover soft & hard expiry in units of number of packets and
bytes. When SA soft expiry happens, the packet is successfully processed but
with additional expiry notification. Crypto op structure, ``rte_crypto_op``
is updated to cover such notifications with lookaside protocol offloads.
SA hard expiration would cause IPsec processing to return an error.
PMDs crypto_cn10k, crypto_cn9k and crypto_octeontx2 are updated with their
respective lifetime tracking capabilities. Unit tests are added for soft and
hard expiry with number of packets.
Changes in v3:
- Removed explicit 0 setting of soft expiry configuration in
ipsec-secgw (comment from Konstantin)
Changes in v2:
- Clear soft expiry configuration in ipsec-secgw
- Rebased on v3 of dependent series
Anoob Joseph (6):
security: add SA lifetime configuration
common/cnxk: support lifetime configuration
crypto/octeontx2: add checks for life configuration
test/crypto: add packets soft expiry tests
test/crypto: add packets hard expiry tests
examples/ipsec-secgw: clear soft expiry configuration
app/test/test_cryptodev.c | 38 +++++++++++-
app/test/test_cryptodev_security_ipsec.c | 40 +++++++++++--
app/test/test_cryptodev_security_ipsec.h | 5 +-
.../test_cryptodev_security_ipsec_test_vectors.h | 3 -
doc/guides/rel_notes/deprecation.rst | 5 --
doc/guides/rel_notes/release_21_11.rst | 13 ++++
drivers/common/cnxk/cnxk_security.c | 70 ++++++++++++++++++++++
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 48 +++++++++++----
drivers/crypto/cnxk/cn9k_ipsec.c | 6 +-
drivers/crypto/octeontx2/otx2_ipsec_po.h | 6 ++
examples/ipsec-secgw/ipsec.c | 1 -
examples/ipsec-secgw/ipsec.h | 2 -
lib/cryptodev/rte_crypto.h | 18 +++++-
lib/security/rte_security.h | 28 ++++++++-
14 files changed, 249 insertions(+), 34 deletions(-)
--
2.7.4
* [dpdk-dev] [PATCH v3 1/6] security: add SA lifetime configuration
From: Anoob Joseph @ 2021-09-28 10:07 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add SA lifetime configuration to register soft and hard expiry limits.
Expiry can be in units of number of packets or bytes. Crypto op
status is also updated to include new field, aux_flags, which can be
used to indicate cases such as soft expiry in case of lookaside
protocol operations.
In case of soft expiry, the packets are successfully IPsec processed but
the soft expiry would indicate that SA needs to be reconfigured. For
inline protocol capable ethdev, this would result in an eth event while
for lookaside protocol capable cryptodev, this can be communicated via
`rte_crypto_op.aux_flags` field.
In case of hard expiry, the packets will not be IPsec processed and
would result in error.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
.../test_cryptodev_security_ipsec_test_vectors.h | 3 ---
doc/guides/rel_notes/deprecation.rst | 5 ----
doc/guides/rel_notes/release_21_11.rst | 13 ++++++++++
examples/ipsec-secgw/ipsec.c | 2 +-
examples/ipsec-secgw/ipsec.h | 2 +-
lib/cryptodev/rte_crypto.h | 18 +++++++++++++-
lib/security/rte_security.h | 28 ++++++++++++++++++++--
7 files changed, 58 insertions(+), 13 deletions(-)
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
index ae9cd24..38ea43d 100644
--- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -98,7 +98,6 @@ struct ipsec_test_data pkt_aes_128_gcm = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
- .esn_soft_limit = 0,
.replay_win_sz = 0,
},
@@ -195,7 +194,6 @@ struct ipsec_test_data pkt_aes_192_gcm = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
- .esn_soft_limit = 0,
.replay_win_sz = 0,
},
@@ -295,7 +293,6 @@ struct ipsec_test_data pkt_aes_256_gcm = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
- .esn_soft_limit = 0,
.replay_win_sz = 0,
},
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 70ef45e..69fbde0 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -275,8 +275,3 @@ Deprecation Notices
* cmdline: ``cmdline`` structure will be made opaque to hide platform-specific
content. On Linux and FreeBSD, supported prior to DPDK 20.11,
original structure will be kept until DPDK 21.11.
-
-* cryptodev: The structure ``rte_crypto_op`` would be updated to reduce
- reserved bytes to 2 (from 3), and use 1 byte to indicate warnings and other
- information from the crypto/security operation. This field will be used to
- communicate events such as soft expiry with IPsec in lookaside mode.
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index eef7f79..0b7ffa5 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -147,6 +147,13 @@ API Changes
as it is for drivers only and should be private to DPDK, and not
installed for app use.
+* cryptodev: use 1 reserved byte from ``rte_crypto_op`` for aux flags
+
+ * Updated the structure ``rte_crypto_op`` to reduce reserved bytes to
+ 2 (from 3), and use 1 byte to indicate warnings and other information from
+ the crypto/security operation. This field will be used to communicate events
+ such as soft expiry with IPsec in lookaside mode.
+
ABI Changes
-----------
@@ -168,6 +175,12 @@ ABI Changes
* Added IPsec SA option to disable IV generation to allow known vector
tests as well as usage of application provided IV on supported PMDs.
+* security: add IPsec SA lifetime configuration
+
+ * Added IPsec SA lifetime configuration to allow applications to configure
+ soft and hard SA expiry limits. Limits can be either in units of packets or
+ bytes.
+
Known Issues
------------
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 5b032fe..4868294 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -49,7 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
}
/* TODO support for Transport */
}
- ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
+ ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT;
ipsec->replay_win_sz = app_sa_prm.window_size;
ipsec->options.esn = app_sa_prm.enable_esn;
ipsec->options.udp_encap = sa->udp_encap;
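Review bot: the constant keeps its value but its meaning changes from an ESN threshold (`ESN for which the overflow event need to be raised`, per the removed `esn_soft_limit` doc) to a count of processed packets; the two coincide only while the SA's packet counter and its sequence number advance together from the same origin, so the commit message should state that ipsec-secgw now requests a packet-count soft expiry rather than an ESN overflow notification.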
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index ae5058d..90c81c1 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -23,7 +23,7 @@
#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
-#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
+#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00
#define IV_OFFSET (sizeof(struct rte_crypto_op) + \
sizeof(struct rte_crypto_sym_op))
diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h
index fd5ef3a..d602183 100644
--- a/lib/cryptodev/rte_crypto.h
+++ b/lib/cryptodev/rte_crypto.h
@@ -66,6 +66,17 @@ enum rte_crypto_op_sess_type {
};
/**
+ * Auxiliary flags to indicate additional info from the operation
+ */
+
+/**
+ * Auxiliary flags related to IPsec offload with RTE_SECURITY
+ */
+
+#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY (1 << 0)
+/**< SA soft expiry limit has been reached */
+
+/**
* Cryptographic Operation.
*
* This structure contains data relating to performing cryptographic
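Review bot: the first `/** Auxiliary flags to indicate additional info from the operation */` block is a doxygen comment that attaches to nothing (an empty line follows it), and the second is separated from the define by a blank line as well; merge them into one comment placed directly above `RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY`. The contract should also say whether a PMD must write `aux_flags` on every dequeued op (0 when there is nothing to report) or whether the application must clear it before enqueue; without that, an application cannot tell a fresh flag from a stale one.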
@@ -93,7 +104,12 @@ struct rte_crypto_op {
*/
uint8_t sess_type;
/**< operation session type */
- uint8_t reserved[3];
+ uint8_t aux_flags;
+ /**< Operation specific auxiliary/additional flags.
+ * These flags carry additional information from the
+ * operation. Processing of the same is optional.
+ */
+ uint8_t reserved[2];
/**< Reserved bytes to fill 64 bits for
* future additions
*/
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index f9e6591..88147e1 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -217,6 +217,30 @@ enum rte_security_ipsec_sa_direction {
};
/**
+ * Configure soft and hard lifetime of an IPsec SA
+ *
+ * Lifetime of an IPsec SA would specify the maximum number of packets or bytes
+ * that can be processed. IPsec operations would start failing once any hard
+ * limit is reached.
+ *
+ * Soft limits can be specified to generate notification when the SA is
+ * approaching hard limits for lifetime. For inline operations, reaching soft
+ * expiry limit would result in raising an eth event for the same. For lookaside
+ * operations, this would result in a warning returned in
+ * ``rte_crypto_op.aux_flags``.
+ */
+struct rte_security_ipsec_lifetime {
+ uint64_t packets_soft_limit;
+ /**< Soft expiry limit in number of packets */
+ uint64_t bytes_soft_limit;
+ /**< Soft expiry limit in bytes */
+ uint64_t packets_hard_limit;
+ /**< Soft expiry limit in number of packets */
+ uint64_t bytes_hard_limit;
+ /**< Soft expiry limit in bytes */
+};
+
+/**
* IPsec security association configuration data.
*
* This structure contains data required to create an IPsec SA security session.
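Review bot: the doc comments on `packets_hard_limit` and `bytes_hard_limit` both read `Soft expiry limit`, a copy-and-paste slip; they should read `Hard expiry limit in number of packets` and `Hard expiry limit in bytes`. The block comment should also define that a zero limit means not configured (the cnxk and octeontx2 checks in this series rely on that) and whether packet and byte limits may be set together (cnxk returns `-EINVAL` for the combination), since an application has no other way to know.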
@@ -236,8 +260,8 @@ struct rte_security_ipsec_xform {
/**< IPsec SA Mode - transport/tunnel */
struct rte_security_ipsec_tunnel_param tunnel;
/**< Tunnel parameters, NULL for transport mode */
- uint64_t esn_soft_limit;
- /**< ESN for which the overflow event need to be raised */
+ struct rte_security_ipsec_lifetime life;
+ /**< IPsec SA lifetime */
uint32_t replay_win_sz;
/**< Anti replay window size to enable sequence replay attack handling.
* replay checking is disabled if the window size is 0.
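Review bot: `esn_soft_limit` is removed outright, but the `security: add IPsec SA lifetime configuration` entry added to the release notes earlier in this patch mentions only the addition; please state in that ABI change entry that `esn_soft_limit` is replaced by `life.packets_soft_limit` so applications know what to migrate to.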
--
2.7.4
* [dpdk-dev] [PATCH v3 2/6] common/cnxk: support lifetime configuration
From: Anoob Joseph @ 2021-09-28 10:07 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add support for SA lifetime configuration. Expiry can
be either in units of octets or packets.
Also, updated cryptodev dequeue path to update crypto op result to
indicate soft expiry.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
drivers/common/cnxk/cnxk_security.c | 70 +++++++++++++++++++++++++++++++
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 48 ++++++++++++++++-----
drivers/crypto/cnxk/cn9k_ipsec.c | 6 ++-
3 files changed, 112 insertions(+), 12 deletions(-)
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index 4f7fd1b..215d9fd 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -161,6 +161,26 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
return -EINVAL;
}
+ if (ipsec_xfrm->life.packets_soft_limit != 0 ||
+ ipsec_xfrm->life.packets_hard_limit != 0) {
+ if (ipsec_xfrm->life.bytes_soft_limit != 0 ||
+ ipsec_xfrm->life.bytes_hard_limit != 0) {
+ plt_err("Expiry tracking with both packets & bytes is not supported");
+ return -EINVAL;
+ }
+ w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_PKTS;
+ }
+
+ if (ipsec_xfrm->life.bytes_soft_limit != 0 ||
+ ipsec_xfrm->life.bytes_hard_limit != 0) {
+ if (ipsec_xfrm->life.packets_soft_limit != 0 ||
+ ipsec_xfrm->life.packets_hard_limit != 0) {
+ plt_err("Expiry tracking with both packets & bytes is not supported");
+ return -EINVAL;
+ }
+ w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_OCTETS;
+ }
+
return 0;
}
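Review bot: the inner mutual-exclusion check in the second block (the `if (ipsec_xfrm->life.packets_soft_limit != 0 || ...` nested under the bytes branch) can never fire: if a packet limit were set together with a byte limit, the first block has already returned -EINVAL, so by the time the bytes branch runs the packet limits are known to be zero. A single up-front "both set" check followed by `if (pkts) ... else if (bytes) ...` expresses the same rule with half the code and removes the duplicated plt_err string.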
@@ -236,6 +256,31 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
ROC_CTX_UNIT_128B) -
1;
+ /**
+ * CPT MC triggers expiry when counter value changes from 2 to 1. To
+ * mitigate this behaviour add 1 to the life counter values provided.
+ */
+
+ if (ipsec_xfrm->life.bytes_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.bytes_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
/* There are two words of CPT_CTX_HW_S for ucode to skip */
sa->w0.s.ctx_hdr_size = 1;
sa->w0.s.aop_valid = 1;
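Review bot: the `+ 1` applied to each limit wraps to 0 when a caller passes UINT64_MAX (a value an application may well use to mean "effectively unlimited"), and if sa->ctx.soft_life / sa->ctx.hard_life are narrower than 64 bits the assignment also silently truncates large values. Both cases should be caught in the verify step (return -EINVAL, or clamp to the largest representable counter value) rather than programmed into the SA, where the result is an expiry at an unpredictable point.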
@@ -360,6 +405,31 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
/* IPID gen */
sa->w2.s.ipid_gen = 1;
+ /**
+ * CPT MC triggers expiry when counter value changes from 2 to 1. To
+ * mitigate this behaviour add 1 to the life counter values provided.
+ */
+
+ if (ipsec_xfrm->life.bytes_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.bytes_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
/* There are two words of CPT_CTX_HW_S for ucode to skip */
sa->w0.s.ctx_hdr_size = 1;
sa->w0.s.aop_valid = 1;
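Review bot: these 25 lines are byte-for-byte the block added to cnxk_ot_ipsec_inb_sa_fill() in the previous hunk; both functions have ipsec_xfrm and an sa with ctx.soft_life/ctx.hard_life and w0.s.soft_life_dec/hard_life_dec, so a small shared helper taking the lifetime struct and the counter and dec-bit pointers would keep the 2-to-1 workaround in one place and stop the two copies drifting apart.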
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 3a1a4a2..3caf05a 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -348,12 +348,44 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
struct cpt_inflight_req *infl_req)
{
struct cpt_cn10k_res_s *res = (struct cpt_cn10k_res_s *)&infl_req->res;
+ const uint8_t uc_compcode = res->uc_compcode;
+ const uint8_t compcode = res->compcode;
unsigned int sz;
- if (likely(res->compcode == CPT_COMP_GOOD ||
- res->compcode == CPT_COMP_WARN)) {
- if (unlikely(res->uc_compcode)) {
- if (res->uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE)
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+
+ if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
+ cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
+ if (likely(compcode == CPT_COMP_WARN)) {
+ if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) {
+ /* Success with additional info */
+ switch (uc_compcode) {
+ case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST:
+ cop->aux_flags =
+ RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
+ break;
+ default:
+ break;
+ }
+ }
+ cn10k_cpt_sec_post_process(cop, res);
+ } else {
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ plt_dp_info("HW completion code 0x%x", res->compcode);
+ if (compcode == CPT_COMP_GOOD) {
+ plt_dp_info(
+ "Request failed with microcode error");
+ plt_dp_info("MC completion code 0x%x",
+ uc_compcode);
+ }
+ }
+
+ return;
+ }
+
+ if (likely(compcode == CPT_COMP_GOOD || compcode == CPT_COMP_WARN)) {
+ if (unlikely(uc_compcode)) {
+ if (uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE)
cop->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
else
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
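Review bot: cop->aux_flags is only ever set in this hunk and never cleared: cop->status is reset to RTE_CRYPTO_OP_STATUS_SUCCESS at entry, but an op reused from an earlier dequeue that carried RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY keeps the bit, so the application would see a stale soft-expiry warning on the next packet unless something upstream zeroes the field. Suggest `cop->aux_flags = 0;` next to the status assignment, or an explicit statement in rte_crypto.h that applications must clear it before enqueue. Also, in the security-session error branch, logging "Request failed with microcode error" when compcode == CPT_COMP_GOOD will surprise readers for whom GOOD is the success code in the non-security path; a short comment that security ops complete with CPT_COMP_WARN would help.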
@@ -364,13 +396,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
goto temp_sess_free;
}
- cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
- if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
- cn10k_cpt_sec_post_process(cop, res);
- return;
- }
-
/* Verify authentication data if required */
if (unlikely(infl_req->op_flags &
CPT_OP_FLAGS_AUTH_VERIFY)) {
@@ -392,7 +418,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
plt_dp_info("HW completion code 0x%x", res->compcode);
- switch (res->compcode) {
+ switch (compcode) {
case CPT_COMP_INSTERR:
plt_dp_err("Request failed with instruction error");
break;
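Review bot: the `plt_dp_info("HW completion code 0x%x", res->compcode)` two lines above the changed switch still reads res->compcode while the switch now uses the cached `compcode`; using the local in both places is consistent and avoids re-reading the completion record.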
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index 0b63cc4..63ae025 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -485,7 +485,11 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
static inline int
cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
{
- RTE_SET_USED(ipsec);
+ if (ipsec->life.bytes_hard_limit != 0 ||
+ ipsec->life.bytes_soft_limit != 0 ||
+ ipsec->life.packets_hard_limit != 0 ||
+ ipsec->life.packets_soft_limit != 0)
+ return -ENOTSUP;
return 0;
}
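Review bot: returning -ENOTSUP without a log leaves the user with only an errno when session creation fails; a `plt_err("SA lifetime configuration is not supported")` next to the return would tell them why. Note also that with this check in place any application that sets a non-zero limit unconditionally cannot create SAs on cn9k at all; ipsec-secgw does exactly that in patch 1/6 via IPSEC_OFFLOAD_PKTS_SOFTLIMIT, so the example is broken on this PMD until the assignment is removed later in the series.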
--
2.7.4
From: Anoob Joseph @ 2021-09-28 10:07 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Lifetime tracking is not supported by hardware and is not implemented in
software either. Return failure when lifetime is configured.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
drivers/crypto/octeontx2/otx2_ipsec_po.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h
index b3e7456..b61c5e0 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h
@@ -293,6 +293,12 @@ ipsec_po_xform_verify(struct rte_security_ipsec_xform *ipsec,
struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
int ret;
+ if (ipsec->life.bytes_hard_limit != 0 ||
+ ipsec->life.bytes_soft_limit != 0 ||
+ ipsec->life.packets_hard_limit != 0 ||
+ ipsec->life.packets_soft_limit != 0)
+ return -ENOTSUP;
+
if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
return ipsec_po_xform_aead_verify(ipsec, xform);
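Review bot: the check runs before the xform type dispatch, which is fine, but as with cn9k it fails silently; an otx2 error log naming the unsupported option would save users a debugging round. More importantly, there is no capability through which an application can learn ahead of time that lifetime tracking is unsupported, so -ENOTSUP at session creation is the only signal it gets; a line in the octeontx2 crypto driver guide listing SA lifetime tracking as unsupported would make that discoverable.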
--
2.7.4
From: Anoob Joseph @ 2021-09-28 10:07 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add tests to validate packets soft expiry handling.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
app/test/test_cryptodev.c | 21 +++++++++++++++++++--
app/test/test_cryptodev_security_ipsec.c | 18 ++++++++++++++++--
app/test/test_cryptodev_security_ipsec.h | 4 +++-
3 files changed, 38 insertions(+), 5 deletions(-)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index f57a1a4..1befbeb 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9045,7 +9045,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
/* Process crypto operation */
process_crypto_request(dev_id, ut_params->op);
- ret = test_ipsec_status_check(ut_params->op, flags, dir);
+ ret = test_ipsec_status_check(ut_params->op, flags, dir, i + 1);
if (ret != TEST_SUCCESS)
goto crypto_op_free;
@@ -9115,7 +9115,8 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags)
unsigned int i, nb_pkts = 1, pass_cnt = 0;
int ret;
- if (flags->iv_gen)
+ if (flags->iv_gen ||
+ flags->sa_expiry_pkts_soft)
nb_pkts = IPSEC_TEST_PACKETS_MAX;
for (i = 0; i < RTE_DIM(aead_list); i++) {
@@ -9180,6 +9181,18 @@ test_ipsec_proto_iv_gen(const void *data __rte_unused)
}
static int
+test_ipsec_proto_sa_exp_pkts_soft(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.sa_expiry_pkts_soft = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
{
struct ipsec_test_flags flags;
@@ -14136,6 +14149,10 @@ static struct unit_test_suite ipsec_proto_testsuite = {
ut_setup_security, ut_teardown,
test_ipsec_proto_udp_encap),
TEST_CASE_NAMED_ST(
+ "SA expiry packets soft",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_sa_exp_pkts_soft),
+ TEST_CASE_NAMED_ST(
"Negative test: ICV corruption",
ut_setup_security, ut_teardown,
test_ipsec_proto_err_icv_corrupt),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index f371b15..56a44b5 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -173,6 +173,10 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
if (flags->iv_gen)
td->ipsec_xform.options.iv_gen_disable = 0;
+
+ if (flags->sa_expiry_pkts_soft)
+ td->ipsec_xform.life.packets_soft_limit =
+ IPSEC_TEST_PACKETS_MAX - 1;
}
RTE_SET_USED(param2);
@@ -395,7 +399,8 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
int
test_ipsec_status_check(struct rte_crypto_op *op,
const struct ipsec_test_flags *flags,
- enum rte_security_ipsec_sa_direction dir)
+ enum rte_security_ipsec_sa_direction dir,
+ int pkt_num)
{
int ret = TEST_SUCCESS;
@@ -406,7 +411,16 @@ test_ipsec_status_check(struct rte_crypto_op *op,
}
} else {
if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
- printf("Security op processing failed\n");
+ printf("Security op processing failed [pkt_num: %d]\n",
+ pkt_num);
+ ret = TEST_FAILED;
+ }
+ }
+
+ if (flags->sa_expiry_pkts_soft && pkt_num == IPSEC_TEST_PACKETS_MAX) {
+ if (!(op->aux_flags &
+ RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY)) {
+ printf("SA soft expiry (pkts) test failed\n");
ret = TEST_FAILED;
}
}
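Review bot: the soft-expiry assertion only checks that the flag is present on packet IPSEC_TEST_PACKETS_MAX; it never checks that it is absent on packets 1..IPSEC_TEST_PACKETS_MAX-1, so a PMD that sets RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY on every packet, or a stale flag left in a reused op, would pass. Adding the negative check for `pkt_num < IPSEC_TEST_PACKETS_MAX` when `flags->sa_expiry_pkts_soft` is set pins the expected behaviour to exactly the packet that crosses the limit.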
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index e1645f4..eed3476 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -49,6 +49,7 @@ struct ipsec_test_data {
struct ipsec_test_flags {
bool display_alg;
+ bool sa_expiry_pkts_soft;
bool icv_corrupt;
bool iv_gen;
bool udp_encap;
@@ -114,6 +115,7 @@ int test_ipsec_post_process(struct rte_mbuf *m,
int test_ipsec_status_check(struct rte_crypto_op *op,
const struct ipsec_test_flags *flags,
- enum rte_security_ipsec_sa_direction dir);
+ enum rte_security_ipsec_sa_direction dir,
+ int pkt_num);
#endif
--
2.7.4
From: Anoob Joseph @ 2021-09-28 10:07 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add tests to validate packets hard expiry handling.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
app/test/test_cryptodev.c | 19 ++++++++++++++++++-
app/test/test_cryptodev_security_ipsec.c | 22 +++++++++++++++++++---
app/test/test_cryptodev_security_ipsec.h | 1 +
3 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 1befbeb..34b55a9 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9116,7 +9116,8 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags)
int ret;
if (flags->iv_gen ||
- flags->sa_expiry_pkts_soft)
+ flags->sa_expiry_pkts_soft ||
+ flags->sa_expiry_pkts_hard)
nb_pkts = IPSEC_TEST_PACKETS_MAX;
for (i = 0; i < RTE_DIM(aead_list); i++) {
@@ -9193,6 +9194,18 @@ test_ipsec_proto_sa_exp_pkts_soft(const void *data __rte_unused)
}
static int
+test_ipsec_proto_sa_exp_pkts_hard(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.sa_expiry_pkts_hard = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
{
struct ipsec_test_flags flags;
@@ -14153,6 +14166,10 @@ static struct unit_test_suite ipsec_proto_testsuite = {
ut_setup_security, ut_teardown,
test_ipsec_proto_sa_exp_pkts_soft),
TEST_CASE_NAMED_ST(
+ "SA expiry packets hard",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_sa_exp_pkts_hard),
+ TEST_CASE_NAMED_ST(
"Negative test: ICV corruption",
ut_setup_security, ut_teardown,
test_ipsec_proto_err_icv_corrupt),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 56a44b5..046536c 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -200,6 +200,10 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
td_inb[i].input_text.data[icv_pos] += 1;
}
+ if (flags->sa_expiry_pkts_hard)
+ td_inb[i].ipsec_xform.life.packets_hard_limit =
+ IPSEC_TEST_PACKETS_MAX - 1;
+
if (flags->udp_encap)
td_inb[i].ipsec_xform.options.udp_encap = 1;
@@ -285,9 +289,10 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
uint32_t skip, len = rte_pktmbuf_pkt_len(m);
- /* For negative tests, no need to do verification */
- if (flags->icv_corrupt &&
- td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+ /* For tests with status as error for test success, skip verification */
+ if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+ (flags->icv_corrupt ||
+ flags->sa_expiry_pkts_hard))
return TEST_SUCCESS;
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
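Review bot: the new condition skips output verification for every ingress packet of the hard-expiry test, not only the one expected to fail, so the decrypted contents of packets 1..IPSEC_TEST_PACKETS_MAX-1 are no longer compared against the vector in that test; since td_verify has no pkt_num, one option is for the caller to pass a per-packet "expect error" flag instead of the test-wide one. The comment wording "For tests with status as error for test success" is also hard to parse; "For tests where an error status is the expected outcome, skip verification" reads better.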
@@ -404,6 +409,17 @@ test_ipsec_status_check(struct rte_crypto_op *op,
{
int ret = TEST_SUCCESS;
+ if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+ flags->sa_expiry_pkts_hard &&
+ pkt_num == IPSEC_TEST_PACKETS_MAX) {
+ if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+ printf("SA hard expiry (pkts) test failed\n");
+ return TEST_FAILED;
+ } else {
+ return TEST_SUCCESS;
+ }
+ }
+
if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
printf("ICV corruption test case failed\n");
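Review bot: the `else { return TEST_SUCCESS; }` after an unconditional `return TEST_FAILED;` is redundant; a plain `return TEST_SUCCESS;` after the if reads cleaner. Note too that any RTE_CRYPTO_OP_STATUS_ERROR satisfies this check because the API carries no hard-expiry indicator; that is inherent to the API, but a comment saying so would stop someone later mistaking this for a precise assertion.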
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index eed3476..18f3c64 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -50,6 +50,7 @@ struct ipsec_test_data {
struct ipsec_test_flags {
bool display_alg;
bool sa_expiry_pkts_soft;
+ bool sa_expiry_pkts_hard;
bool icv_corrupt;
bool iv_gen;
bool udp_encap;
--
2.7.4
From: Anoob Joseph @ 2021-09-28 10:07 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Soft expiry is not a mandatory IPsec feature. It is verified separately
with IPsec unit tests. So configuration of the same is not required.
Also, soft expiry tracking can cause perf degradation with some PMDs.
Since a separate UT is available and the same setting in ipsec-secgw is
not verifying the functionality, remove the same by clearing life
configuration.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
examples/ipsec-secgw/ipsec.c | 1 -
examples/ipsec-secgw/ipsec.h | 2 --
2 files changed, 3 deletions(-)
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 4868294..6817139 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -49,7 +49,6 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
}
/* TODO support for Transport */
}
- ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT;
ipsec->replay_win_sz = app_sa_prm.window_size;
ipsec->options.esn = app_sa_prm.enable_esn;
ipsec->options.udp_encap = sa->udp_encap;
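Review bot: after this removal the lifetime limits are whatever the caller's xform already holds, so the example now relies on set_ipsec_conf()'s callers zero-initialising the struct rte_security_ipsec_xform; worth confirming, since stale stack contents would either be rejected by the cnxk verify code (-EINVAL / -ENOTSUP) or program an arbitrary expiry. A one-line comment that the lifetime limits are intentionally left unset would make the intent visible to the next reader.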
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 90c81c1..8405c48 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -23,8 +23,6 @@
#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
-#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00
-
#define IV_OFFSET (sizeof(struct rte_crypto_op) + \
sizeof(struct rte_crypto_sym_op))
--
2.7.4
From: Anoob Joseph @ 2021-09-28 10:59 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add SA lifetime configuration in security. SA lifetime tracking can be
offloaded on supported PMDs.
SA lifetime would cover soft & hard expiry in units of number of packets and
bytes. When SA soft expiry happens, the packet is successfully processed but
with additional expiry notification. Crypto op structure, ``rte_crypto_op``
is updated to cover such notifications with lookaside protocol offloads.
SA hard expiration would cause IPsec processing to return an error.
PMDs crypto_cn10k, crypto_cn9k and crypto_octeontx2 are updated with their
respective lifetime tracking capabilities. Unit tests are added for soft and
hard expiry with number of packets.
Changes in v4:
- Removed extra comments around auxiliary flag macros
(comment from Konstantin)
Changes in v3:
- Removed explicit 0 setting of soft expiry configuration in
ipsec-secgw (comment from Konstantin)
Changes in v2:
- Clear soft expiry configuration in ipsec-secgw
- Rebased on v3 of dependent series
Anoob Joseph (6):
security: add SA lifetime configuration
common/cnxk: support lifetime configuration
crypto/octeontx2: add checks for life configuration
test/crypto: add packets soft expiry cases
test/crypto: add packets hard expiry cases
examples/ipsec-secgw: clear soft expiry configuration
app/test/test_cryptodev.c | 38 +++++++++++-
app/test/test_cryptodev_security_ipsec.c | 40 +++++++++++--
app/test/test_cryptodev_security_ipsec.h | 5 +-
.../test_cryptodev_security_ipsec_test_vectors.h | 3 -
doc/guides/rel_notes/deprecation.rst | 5 --
doc/guides/rel_notes/release_21_11.rst | 13 ++++
drivers/common/cnxk/cnxk_security.c | 70 ++++++++++++++++++++++
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 48 +++++++++++----
drivers/crypto/cnxk/cn9k_ipsec.c | 6 +-
drivers/crypto/octeontx2/otx2_ipsec_po.h | 6 ++
examples/ipsec-secgw/ipsec.c | 1 -
examples/ipsec-secgw/ipsec.h | 2 -
lib/cryptodev/rte_crypto.h | 12 +++-
lib/security/rte_security.h | 28 ++++++++-
14 files changed, 243 insertions(+), 34 deletions(-)
--
2.7.4
From: Anoob Joseph @ 2021-09-28 10:59 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add SA lifetime configuration to register soft and hard expiry limits.
Expiry can be in units of number of packets or bytes. Crypto op
status is also updated to include new field, aux_flags, which can be
used to indicate cases such as soft expiry in case of lookaside
protocol operations.
In case of soft expiry, the packets are successfully IPsec processed but
the soft expiry would indicate that SA needs to be reconfigured. For
inline protocol capable ethdev, this would result in an eth event while
for lookaside protocol capable cryptodev, this can be communicated via
`rte_crypto_op.aux_flags` field.
In case of hard expiry, the packets will not be IPsec processed and
would result in error.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
.../test_cryptodev_security_ipsec_test_vectors.h | 3 ---
doc/guides/rel_notes/deprecation.rst | 5 ----
doc/guides/rel_notes/release_21_11.rst | 13 ++++++++++
examples/ipsec-secgw/ipsec.c | 2 +-
examples/ipsec-secgw/ipsec.h | 2 +-
lib/cryptodev/rte_crypto.h | 12 +++++++++-
lib/security/rte_security.h | 28 ++++++++++++++++++++--
7 files changed, 52 insertions(+), 13 deletions(-)
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
index ae9cd24..38ea43d 100644
--- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -98,7 +98,6 @@ struct ipsec_test_data pkt_aes_128_gcm = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
- .esn_soft_limit = 0,
.replay_win_sz = 0,
},
@@ -195,7 +194,6 @@ struct ipsec_test_data pkt_aes_192_gcm = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
- .esn_soft_limit = 0,
.replay_win_sz = 0,
},
@@ -295,7 +293,6 @@ struct ipsec_test_data pkt_aes_256_gcm = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
- .esn_soft_limit = 0,
.replay_win_sz = 0,
},
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 70ef45e..69fbde0 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -275,8 +275,3 @@ Deprecation Notices
* cmdline: ``cmdline`` structure will be made opaque to hide platform-specific
content. On Linux and FreeBSD, supported prior to DPDK 20.11,
original structure will be kept until DPDK 21.11.
-
-* cryptodev: The structure ``rte_crypto_op`` would be updated to reduce
- reserved bytes to 2 (from 3), and use 1 byte to indicate warnings and other
- information from the crypto/security operation. This field will be used to
- communicate events such as soft expiry with IPsec in lookaside mode.
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index c93cc20..114631e 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -152,6 +152,13 @@ API Changes
as it is for drivers only and should be private to DPDK, and not
installed for app use.
+* cryptodev: use 1 reserved byte from ``rte_crypto_op`` for aux flags
+
+ * Updated the structure ``rte_crypto_op`` to reduce reserved bytes to
+ 2 (from 3), and use 1 byte to indicate warnings and other information from
+ the crypto/security operation. This field will be used to communicate events
+ such as soft expiry with IPsec in lookaside mode.
+
ABI Changes
-----------
@@ -174,6 +181,12 @@ ABI Changes
have much processing in PMD specific callbacks but just 64-bit set/get.
This avoids a per pkt function pointer jump overhead for such PMD's.
+* security: add IPsec SA lifetime configuration
+
+ * Added IPsec SA lifetime configuration to allow applications to configure
+ soft and hard SA expiry limits. Limits can be either in units of packets or
+ bytes.
+
Known Issues
------------
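Review bot: the ABI entry describes only the addition of the lifetime configuration; the same patch removes `esn_soft_limit` from struct rte_security_ipsec_xform (see the rte_security.h hunk below) and inserts `life` ahead of replay_win_sz, which shifts every later field. Listing the removed field explicitly helps anyone grepping the release notes for it when their build breaks.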
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 5b032fe..4868294 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -49,7 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
}
/* TODO support for Transport */
}
- ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
+ ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT;
ipsec->replay_win_sz = app_sa_prm.window_size;
ipsec->options.esn = app_sa_prm.enable_esn;
ipsec->options.udp_encap = sa->udp_encap;
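Review bot: this line sets packets_soft_limit unconditionally for every SA, while patches 2/6 and 3/6 of the same series make cn9k and octeontx2 reject any non-zero limit with -ENOTSUP, and patch 6/6 then removes the line again; in between, ipsec-secgw cannot create SAs on those PMDs, so the series is not bisectable there. Dropping the assignment (and the IPSEC_OFFLOAD_PKTS_SOFTLIMIT rename in ipsec.h) here instead of in 6/6 avoids the intermediate breakage. Separately, 0xffffff00 was meaningful as an ESN threshold; as a packet count it is an arbitrary value and deserves a comment if it is kept.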
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index ae5058d..90c81c1 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -23,7 +23,7 @@
#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
-#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
+#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00
#define IV_OFFSET (sizeof(struct rte_crypto_op) + \
sizeof(struct rte_crypto_sym_op))
diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h
index fd5ef3a..a864f50 100644
--- a/lib/cryptodev/rte_crypto.h
+++ b/lib/cryptodev/rte_crypto.h
@@ -65,6 +65,11 @@ enum rte_crypto_op_sess_type {
RTE_CRYPTO_OP_SECURITY_SESSION /**< Security session crypto operation */
};
+/* Auxiliary flags related to IPsec offload with RTE_SECURITY */
+
+#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY (1 << 0)
+/**< SA soft expiry limit has been reached */
+
/**
* Cryptographic Operation.
*
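Review bot: the macro comment should state when the flag is meaningful: it is a warning that accompanies a RTE_CRYPTO_OP_STATUS_SUCCESS status on a RTE_CRYPTO_OP_SECURITY_SESSION IPsec operation and says nothing when the status is an error. Since aux_flags is a uint8_t, writing the constant as `UINT8_C(1) << 0` (or the RTE_BIT32 helper the rest of the tree uses) also keeps the field width obvious to readers.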
@@ -93,7 +98,12 @@ struct rte_crypto_op {
*/
uint8_t sess_type;
/**< operation session type */
- uint8_t reserved[3];
+ uint8_t aux_flags;
+ /**< Operation specific auxiliary/additional flags.
+ * These flags carry additional information from the
+ * operation. Processing of the same is optional.
+ */
+ uint8_t reserved[2];
/**< Reserved bytes to fill 64 bits for
* future additions
*/
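Review bot: the aux_flags doc does not say who owns the field's lifecycle: whether the PMD writes it on every dequeue (clearing it when no warning applies) or only sets bits, in which case applications must clear it before each enqueue and __rte_crypto_op_reset() should zero it as well. Without that statement a flag left over from a previous use of the same op is indistinguishable from a fresh soft-expiry notification. "Processing of the same is optional" would also read better as "Applications may ignore these flags."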
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index f9e6591..88147e1 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -217,6 +217,30 @@ enum rte_security_ipsec_sa_direction {
};
/**
+ * Configure soft and hard lifetime of an IPsec SA
+ *
+ * Lifetime of an IPsec SA would specify the maximum number of packets or bytes
+ * that can be processed. IPsec operations would start failing once any hard
+ * limit is reached.
+ *
+ * Soft limits can be specified to generate notification when the SA is
+ * approaching hard limits for lifetime. For inline operations, reaching soft
+ * expiry limit would result in raising an eth event for the same. For lookaside
+ * operations, this would result in a warning returned in
+ * ``rte_crypto_op.aux_flags``.
+ */
+struct rte_security_ipsec_lifetime {
+ uint64_t packets_soft_limit;
+ /**< Soft expiry limit in number of packets */
+ uint64_t bytes_soft_limit;
+ /**< Soft expiry limit in bytes */
+ uint64_t packets_hard_limit;
+ /**< Soft expiry limit in number of packets */
+ uint64_t bytes_hard_limit;
+ /**< Soft expiry limit in bytes */
+};
+
+/**
* IPsec security association configuration data.
*
* This structure contains data required to create an IPsec SA security session.
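Review bot: the doc comments on packets_hard_limit and bytes_hard_limit read "Soft expiry limit ...", a copy-paste slip; they should say "Hard expiry limit in number of packets" and "Hard expiry limit in bytes". The struct-level comment should also spell out the contract the cnxk implementation in this series enforces: 0 means the limit is disabled, and whether a packet limit and a byte limit may be configured on the same SA (cnxk rejects the combination with -EINVAL), so applications do not have to discover it per PMD.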
@@ -236,8 +260,8 @@ struct rte_security_ipsec_xform {
/**< IPsec SA Mode - transport/tunnel */
struct rte_security_ipsec_tunnel_param tunnel;
/**< Tunnel parameters, NULL for transport mode */
- uint64_t esn_soft_limit;
- /**< ESN for which the overflow event need to be raised */
+ struct rte_security_ipsec_lifetime life;
+ /**< IPsec SA lifetime */
uint32_t replay_win_sz;
/**< Anti replay window size to enable sequence replay attack handling.
* replay checking is disabled if the window size is 0.
--
2.7.4
From: Anoob Joseph @ 2021-09-28 10:59 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add support for SA lifetime configuration. Expiry can
be either in units of octets or packets.
Also, updated cryptodev dequeue path to update crypto op result to
indicate soft expiry.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
drivers/common/cnxk/cnxk_security.c | 70 +++++++++++++++++++++++++++++++
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 48 ++++++++++++++++-----
drivers/crypto/cnxk/cn9k_ipsec.c | 6 ++-
3 files changed, 112 insertions(+), 12 deletions(-)
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index 4f7fd1b..215d9fd 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -161,6 +161,26 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
return -EINVAL;
}
+ if (ipsec_xfrm->life.packets_soft_limit != 0 ||
+ ipsec_xfrm->life.packets_hard_limit != 0) {
+ if (ipsec_xfrm->life.bytes_soft_limit != 0 ||
+ ipsec_xfrm->life.bytes_hard_limit != 0) {
+ plt_err("Expiry tracking with both packets & bytes is not supported");
+ return -EINVAL;
+ }
+ w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_PKTS;
+ }
+
+ if (ipsec_xfrm->life.bytes_soft_limit != 0 ||
+ ipsec_xfrm->life.bytes_hard_limit != 0) {
+ if (ipsec_xfrm->life.packets_soft_limit != 0 ||
+ ipsec_xfrm->life.packets_hard_limit != 0) {
+ plt_err("Expiry tracking with both packets & bytes is not supported");
+ return -EINVAL;
+ }
+ w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_OCTETS;
+ }
+
return 0;
}
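Review bot: nothing here validates the relationship between the soft and the hard limit: a soft limit equal to or larger than the hard limit is accepted, and then the soft-expiry notification the API promises can never arrive before the hard failure. Rejecting `soft >= hard` whenever both are non-zero (for packets and for bytes) with -EINVAL and a plt_err catches the misconfiguration at session creation. A one-line comment that w2->s.life_unit is left untouched when no limit is set would also help.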
@@ -236,6 +256,31 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
ROC_CTX_UNIT_128B) -
1;
+ /**
+ * CPT MC triggers expiry when counter value changes from 2 to 1. To
+ * mitigate this behaviour add 1 to the life counter values provided.
+ */
+
+ if (ipsec_xfrm->life.bytes_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.bytes_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
/* There are two words of CPT_CTX_HW_S for ucode to skip */
sa->w0.s.ctx_hdr_size = 1;
sa->w0.s.aop_valid = 1;
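Review bot: the `+ 1` workaround wraps to 0 if a caller passes the largest representable limit, which would clear the counter while still setting soft_life_dec/hard_life_dec, and if ctx.soft_life/ctx.hard_life are narrower than the 64-bit xform fields the assignment truncates silently; reject (or clamp) out-of-range limits in ot_ipsec_sa_common_param_fill where the unit is validated, and consider rejecting a soft limit larger than the hard limit there as well. Style point: the block opens with `/**`, which marks a Doxygen comment; an in-function comment should use `/*`.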
@@ -360,6 +405,31 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
/* IPID gen */
sa->w2.s.ipid_gen = 1;
+ /**
+ * CPT MC triggers expiry when counter value changes from 2 to 1. To
+ * mitigate this behaviour add 1 to the life counter values provided.
+ */
+
+ if (ipsec_xfrm->life.bytes_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.bytes_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
/* There are two words of CPT_CTX_HW_S for ucode to skip */
sa->w0.s.ctx_hdr_size = 1;
sa->w0.s.aop_valid = 1;
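Review bot: this block is a verbatim copy of the twenty lines added to cnxk_ot_ipsec_inb_sa_fill, including the comment. Move the life-counter programming into a small static helper that takes the ctx and w0 pointers (or into ot_ipsec_sa_common_param_fill, where the life unit is already selected) so the inbound and outbound copies cannot drift apart when the range check suggested above is added.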
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 3a1a4a2..3caf05a 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -348,12 +348,44 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
struct cpt_inflight_req *infl_req)
{
struct cpt_cn10k_res_s *res = (struct cpt_cn10k_res_s *)&infl_req->res;
+ const uint8_t uc_compcode = res->uc_compcode;
+ const uint8_t compcode = res->compcode;
unsigned int sz;
- if (likely(res->compcode == CPT_COMP_GOOD ||
- res->compcode == CPT_COMP_WARN)) {
- if (unlikely(res->uc_compcode)) {
- if (res->uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE)
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+
+ if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
+ cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
+ if (likely(compcode == CPT_COMP_WARN)) {
+ if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) {
+ /* Success with additional info */
+ switch (uc_compcode) {
+ case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST:
+ cop->aux_flags =
+ RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
+ break;
+ default:
+ break;
+ }
+ }
+ cn10k_cpt_sec_post_process(cop, res);
+ } else {
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ plt_dp_info("HW completion code 0x%x", res->compcode);
+ if (compcode == CPT_COMP_GOOD) {
+ plt_dp_info(
+ "Request failed with microcode error");
+ plt_dp_info("MC completion code 0x%x",
+ uc_compcode);
+ }
+ }
+
+ return;
+ }
+
+ if (likely(compcode == CPT_COMP_GOOD || compcode == CPT_COMP_WARN)) {
+ if (unlikely(uc_compcode)) {
+ if (uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE)
cop->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
else
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
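Review bot: `cop->aux_flags` is only ever set here, never cleared, so an op recycled from the mempool that carried RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY from an earlier use would report soft expiry again unless the application resets it; either clear aux_flags next to `cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;` or document the reset requirement with the new field in rte_crypto.h. Second, the `default: break;` under CPT_COMP_WARN treats every microcode completion code other than SUCCESS and SA_SOFTEXP_FIRST as a plain success; a comment confirming that CPT_COMP_WARN only ever carries success-with-info codes would make that intent reviewable. Minor: `plt_dp_info("HW completion code 0x%x", res->compcode);` reads the field directly although the cached `compcode` local was introduced two lines earlier.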
@@ -364,13 +396,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
goto temp_sess_free;
}
- cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
- if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
- cn10k_cpt_sec_post_process(cop, res);
- return;
- }
-
/* Verify authentication data if required */
if (unlikely(infl_req->op_flags &
CPT_OP_FLAGS_AUTH_VERIFY)) {
@@ -392,7 +418,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
plt_dp_info("HW completion code 0x%x", res->compcode);
- switch (res->compcode) {
+ switch (compcode) {
case CPT_COMP_INSTERR:
plt_dp_err("Request failed with instruction error");
break;
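Review bot: the `plt_dp_info("HW completion code 0x%x", res->compcode);` line directly above the new `switch (compcode)` still reads res->compcode; use the cached local consistently now that it exists.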
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index 0b63cc4..63ae025 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -485,7 +485,11 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
static inline int
cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
{
- RTE_SET_USED(ipsec);
+ if (ipsec->life.bytes_hard_limit != 0 ||
+ ipsec->life.bytes_soft_limit != 0 ||
+ ipsec->life.packets_hard_limit != 0 ||
+ ipsec->life.packets_soft_limit != 0)
+ return -ENOTSUP;
return 0;
}
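Review bot: the new -ENOTSUP return is silent, so an application that sets a lifetime on cn9k only sees session creation fail; add a plt_err line naming the unsupported lifetime fields (the cnxk common code logs on its equivalent check) and mention the limitation in the driver guide so it can be discovered before session creation.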
--
2.7.4
* [dpdk-dev] [PATCH v4 3/6] crypto/octeontx2: add checks for life configuration
From: Anoob Joseph @ 2021-09-28 10:59 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Lifetime tracking is not supported by hardware and is not implemented in
software either. Return failure when lifetime is configured.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
drivers/crypto/octeontx2/otx2_ipsec_po.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h
index b3e7456..b61c5e0 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h
@@ -293,6 +293,12 @@ ipsec_po_xform_verify(struct rte_security_ipsec_xform *ipsec,
struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
int ret;
+ if (ipsec->life.bytes_hard_limit != 0 ||
+ ipsec->life.bytes_soft_limit != 0 ||
+ ipsec->life.packets_hard_limit != 0 ||
+ ipsec->life.packets_soft_limit != 0)
+ return -ENOTSUP;
+
if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
return ipsec_po_xform_aead_verify(ipsec, xform);
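Review bot: same point as the cn9k hunk: the -ENOTSUP path has no log message, so add one naming the lifetime fields that were set. Since this check runs before the xform-type dispatch, a lifetime set together with an otherwise invalid xform now reports -ENOTSUP instead of the -EINVAL the later checks would return; that ordering is acceptable but worth a one-line comment.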
--
2.7.4
* [dpdk-dev] [PATCH v4 4/6] test/crypto: add packets soft expiry cases
From: Anoob Joseph @ 2021-09-28 10:59 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add tests to validate packets soft expiry handling.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
app/test/test_cryptodev.c | 21 +++++++++++++++++++--
app/test/test_cryptodev_security_ipsec.c | 18 ++++++++++++++++--
app/test/test_cryptodev_security_ipsec.h | 4 +++-
3 files changed, 38 insertions(+), 5 deletions(-)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index f57a1a4..1befbeb 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9045,7 +9045,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
/* Process crypto operation */
process_crypto_request(dev_id, ut_params->op);
- ret = test_ipsec_status_check(ut_params->op, flags, dir);
+ ret = test_ipsec_status_check(ut_params->op, flags, dir, i + 1);
if (ret != TEST_SUCCESS)
goto crypto_op_free;
@@ -9115,7 +9115,8 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags)
unsigned int i, nb_pkts = 1, pass_cnt = 0;
int ret;
- if (flags->iv_gen)
+ if (flags->iv_gen ||
+ flags->sa_expiry_pkts_soft)
nb_pkts = IPSEC_TEST_PACKETS_MAX;
for (i = 0; i < RTE_DIM(aead_list); i++) {
@@ -9180,6 +9181,18 @@ test_ipsec_proto_iv_gen(const void *data __rte_unused)
}
static int
+test_ipsec_proto_sa_exp_pkts_soft(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.sa_expiry_pkts_soft = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
{
struct ipsec_test_flags flags;
@@ -14136,6 +14149,10 @@ static struct unit_test_suite ipsec_proto_testsuite = {
ut_setup_security, ut_teardown,
test_ipsec_proto_udp_encap),
TEST_CASE_NAMED_ST(
+ "SA expiry packets soft",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_sa_exp_pkts_soft),
+ TEST_CASE_NAMED_ST(
"Negative test: ICV corruption",
ut_setup_security, ut_teardown,
test_ipsec_proto_err_icv_corrupt),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index f371b15..56a44b5 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -173,6 +173,10 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
if (flags->iv_gen)
td->ipsec_xform.options.iv_gen_disable = 0;
+
+ if (flags->sa_expiry_pkts_soft)
+ td->ipsec_xform.life.packets_soft_limit =
+ IPSEC_TEST_PACKETS_MAX - 1;
}
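Review bot: `IPSEC_TEST_PACKETS_MAX - 1` encodes the off-by-one contract that a soft limit of N produces the notification on packet N + 1, but only the status check later in this file reveals that; add a comment here stating on which packet the flag is expected, and state the same contract in the lifetime field documentation in rte_security.h so that every PMD (including the cnxk "+ 1" counter adjustment) is measured against the same definition.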
RTE_SET_USED(param2);
@@ -395,7 +399,8 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
int
test_ipsec_status_check(struct rte_crypto_op *op,
const struct ipsec_test_flags *flags,
- enum rte_security_ipsec_sa_direction dir)
+ enum rte_security_ipsec_sa_direction dir,
+ int pkt_num)
{
int ret = TEST_SUCCESS;
@@ -406,7 +411,16 @@ test_ipsec_status_check(struct rte_crypto_op *op,
}
} else {
if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
- printf("Security op processing failed\n");
+ printf("Security op processing failed [pkt_num: %d]\n",
+ pkt_num);
+ ret = TEST_FAILED;
+ }
+ }
+
+ if (flags->sa_expiry_pkts_soft && pkt_num == IPSEC_TEST_PACKETS_MAX) {
+ if (!(op->aux_flags &
+ RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY)) {
+ printf("SA soft expiry (pkts) test failed\n");
ret = TEST_FAILED;
}
}
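Review bot: the check only asserts that the flag is present on packet IPSEC_TEST_PACKETS_MAX; add the converse check for `pkt_num < IPSEC_TEST_PACKETS_MAX` (aux_flags must not carry RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY), otherwise a PMD that sets the flag unconditionally, or one packet early, passes the test. Including pkt_num in the failure printf, as the line above it now does, would also help when the negative check trips.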
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index e1645f4..eed3476 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -49,6 +49,7 @@ struct ipsec_test_data {
struct ipsec_test_flags {
bool display_alg;
+ bool sa_expiry_pkts_soft;
bool icv_corrupt;
bool iv_gen;
bool udp_encap;
@@ -114,6 +115,7 @@ int test_ipsec_post_process(struct rte_mbuf *m,
int test_ipsec_status_check(struct rte_crypto_op *op,
const struct ipsec_test_flags *flags,
- enum rte_security_ipsec_sa_direction dir);
+ enum rte_security_ipsec_sa_direction dir,
+ int pkt_num);
#endif
--
2.7.4
* [dpdk-dev] [PATCH v4 5/6] test/crypto: add packets hard expiry cases
From: Anoob Joseph @ 2021-09-28 10:59 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Add tests to validate packets hard expiry handling.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
app/test/test_cryptodev.c | 19 ++++++++++++++++++-
app/test/test_cryptodev_security_ipsec.c | 22 +++++++++++++++++++---
app/test/test_cryptodev_security_ipsec.h | 1 +
3 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 1befbeb..34b55a9 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9116,7 +9116,8 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags)
int ret;
if (flags->iv_gen ||
- flags->sa_expiry_pkts_soft)
+ flags->sa_expiry_pkts_soft ||
+ flags->sa_expiry_pkts_hard)
nb_pkts = IPSEC_TEST_PACKETS_MAX;
for (i = 0; i < RTE_DIM(aead_list); i++) {
@@ -9193,6 +9194,18 @@ test_ipsec_proto_sa_exp_pkts_soft(const void *data __rte_unused)
}
static int
+test_ipsec_proto_sa_exp_pkts_hard(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.sa_expiry_pkts_hard = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
{
struct ipsec_test_flags flags;
@@ -14153,6 +14166,10 @@ static struct unit_test_suite ipsec_proto_testsuite = {
ut_setup_security, ut_teardown,
test_ipsec_proto_sa_exp_pkts_soft),
TEST_CASE_NAMED_ST(
+ "SA expiry packets hard",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_sa_exp_pkts_hard),
+ TEST_CASE_NAMED_ST(
"Negative test: ICV corruption",
ut_setup_security, ut_teardown,
test_ipsec_proto_err_icv_corrupt),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 56a44b5..046536c 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -200,6 +200,10 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
td_inb[i].input_text.data[icv_pos] += 1;
}
+ if (flags->sa_expiry_pkts_hard)
+ td_inb[i].ipsec_xform.life.packets_hard_limit =
+ IPSEC_TEST_PACKETS_MAX - 1;
+
if (flags->udp_encap)
td_inb[i].ipsec_xform.options.udp_encap = 1;
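Review bot: the hard limit is applied only to the inbound test data in test_ipsec_td_update, whereas the soft limit from 4/6 is set in test_ipsec_td_prepare for both directions; presumably the outbound SA must not expire so that all IPSEC_TEST_PACKETS_MAX inbound inputs get produced, and a comment saying so would prevent a later cleanup from "aligning" the two.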
@@ -285,9 +289,10 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
uint32_t skip, len = rte_pktmbuf_pkt_len(m);
- /* For negative tests, no need to do verification */
- if (flags->icv_corrupt &&
- td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+ /* For tests with status as error for test success, skip verification */
+ if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+ (flags->icv_corrupt ||
+ flags->sa_expiry_pkts_hard))
return TEST_SUCCESS;
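Review bot: the new comment "For tests with status as error for test success, skip verification" is hard to parse; something like "Negative tests expect an error status, so there is no output to verify" says the same thing more plainly. The condition itself is fine.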
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
@@ -404,6 +409,17 @@ test_ipsec_status_check(struct rte_crypto_op *op,
{
int ret = TEST_SUCCESS;
+ if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+ flags->sa_expiry_pkts_hard &&
+ pkt_num == IPSEC_TEST_PACKETS_MAX) {
+ if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+ printf("SA hard expiry (pkts) test failed\n");
+ return TEST_FAILED;
+ } else {
+ return TEST_SUCCESS;
+ }
+ }
+
if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
printf("ICV corruption test case failed\n");
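Review bot: the `else { return TEST_SUCCESS; }` following an unconditional `return TEST_FAILED;` is redundant; drop the else and return directly. Also print `op->status` in the failure message so the log distinguishes "op succeeded when it should have failed" from "op failed with an unexpected status" when a PMD gets hard expiry wrong.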
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index eed3476..18f3c64 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -50,6 +50,7 @@ struct ipsec_test_data {
struct ipsec_test_flags {
bool display_alg;
bool sa_expiry_pkts_soft;
+ bool sa_expiry_pkts_hard;
bool icv_corrupt;
bool iv_gen;
bool udp_encap;
--
2.7.4
* [dpdk-dev] [PATCH v4 6/6] examples/ipsec-secgw: clear soft expiry configuration
From: Anoob Joseph @ 2021-09-28 10:59 UTC (permalink / raw)
To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev
Soft expiry is not a mandatory IPsec feature. It is verified separately
with IPsec unit tests. So configuration of the same is not required.
Also, soft expiry tracking can cause perf degradation with some PMDs.
Since a separate UT is available and the same setting in ipsec-secgw is
not verifying the functionality, remove the same by clearing life
configuration.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
examples/ipsec-secgw/ipsec.c | 1 -
examples/ipsec-secgw/ipsec.h | 2 --
2 files changed, 3 deletions(-)
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 4868294..6817139 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -49,7 +49,6 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
}
/* TODO support for Transport */
}
- ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT;
ipsec->replay_win_sz = app_sa_prm.window_size;
ipsec->options.esn = app_sa_prm.enable_esn;
ipsec->options.udp_encap = sa->udp_encap;
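Review bot: with this line gone ipsec-secgw has no user of lifetime tracking at all, so the inline-protocol ethdev event path described in the cover letter loses its only sample consumer; rather than removing the setting outright, consider exposing it as an SA configuration option that defaults to off, which addresses the performance concern in the commit message while keeping a reference for rekey triggering.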
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 90c81c1..8405c48 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -23,8 +23,6 @@
#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
-#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00
-
#define IV_OFFSET (sizeof(struct rte_crypto_op) + \
sizeof(struct rte_crypto_sym_op))
--
2.7.4
* Re: [dpdk-dev] [PATCH v4 0/6] Add SA lifetime in security
From: Akhil Goyal @ 2021-09-28 14:40 UTC (permalink / raw)
To: Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev
Cc: Anoob Joseph, Jerin Jacob Kollanukkaran, Archana Muniganti,
Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power,
Gagandeep Singh, dev
> Add SA lifetime configuration in security. SA lifetime tracking can be
> offloaded on supported PMDs.
>
> SA lifetime would cover soft & hard expiry in units of number of packets and
> bytes. When SA soft expiry happens, the packet is successfully processed but
> with additional expiry notification. Crypto op structure, ``rte_crypto_op``
> is updated to cover such notifications with lookaside protocol offloads.
>
> SA hard expiration would cause IPsec processing to return an error.
>
> PMDs crypto_cn10k, crypto_cn9k and crypto_octeontx2 are updated with their
> respective lifetime tracking capabilities. Unit tests are added for soft and
> hard expiry with number of packets.
>
> Changes in v4:
> - Removed extra comments around auxiliary flag macros
> (comment from Konstantin)
Series
Acked-by: Akhil Goyal <gakhil@marvell.com>
Applied to dpdk-next-crypto
Deprecation notice removed for the feature supported.
Release notes are also reworded.
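The cover letter above defines the two expiry kinds (soft: packet processed, caller notified; hard: processing fails), and the unit tests in 4/6 and 5/6 pin down the observable contract (limit MAX-1, notification or error on packet MAX). The following is an added software model of that contract, written for this review; it is not DPDK, cnxk or test-suite code, and every name in it (sa_life, sa_life_validate, sa_life_process, sa_life_run, SA_AUX_SOFT_EXPIRY) is invented. The mutual exclusion of packet and byte units mirrors the cnxk check in 2/6; the soft-not-greater-than-hard check is an extra the series does not make.

```c
/*
 * Software model of SA lifetime semantics: a soft limit admits the packet
 * but raises a notification, a hard limit rejects it. Added illustration
 * with invented names; not DPDK or driver code.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum sa_op_status { SA_OP_SUCCESS = 0, SA_OP_ERROR = 1 };

/* Stand-in for the RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY bit. */
#define SA_AUX_SOFT_EXPIRY 0x1u

/* Hypothetical SA record. A limit of 0 means "not configured", which is
 * how the driver checks in the patches treat the lifetime fields. */
struct sa_life {
    uint64_t packets_soft_limit;
    uint64_t packets_hard_limit;
    uint64_t bytes_soft_limit;
    uint64_t bytes_hard_limit;
    uint64_t packets;   /* accounted so far */
    uint64_t bytes;
};

struct sa_result {
    enum sa_op_status status;
    uint32_t aux_flags;
};

/* Configuration check: packet and byte tracking are mutually exclusive
 * (the cnxk rule); a soft limit above its hard limit is rejected too,
 * which is an extra check the series does not perform. */
int sa_life_validate(const struct sa_life *l)
{
    bool by_pkts = l->packets_soft_limit || l->packets_hard_limit;
    bool by_bytes = l->bytes_soft_limit || l->bytes_hard_limit;

    if (by_pkts && by_bytes)
        return -EINVAL;
    if (l->packets_soft_limit && l->packets_hard_limit &&
        l->packets_soft_limit > l->packets_hard_limit)
        return -EINVAL;
    if (l->bytes_soft_limit && l->bytes_hard_limit &&
        l->bytes_soft_limit > l->bytes_hard_limit)
        return -EINVAL;
    return 0;
}

/* Account one packet of 'len' bytes. Contract taken from the unit tests:
 * a limit of N admits N packets (or bytes); the first packet beyond a soft
 * limit is processed and flagged, the first packet beyond a hard limit is
 * rejected and leaves the counters untouched. */
struct sa_result sa_life_process(struct sa_life *l, uint32_t len)
{
    struct sa_result r = { SA_OP_SUCCESS, 0 };
    uint64_t pkts = l->packets + 1;
    uint64_t bytes = l->bytes + len;

    if ((l->packets_hard_limit && pkts > l->packets_hard_limit) ||
        (l->bytes_hard_limit && bytes > l->bytes_hard_limit)) {
        r.status = SA_OP_ERROR;
        return r;
    }
    l->packets = pkts;
    l->bytes = bytes;
    if ((l->packets_soft_limit && pkts > l->packets_soft_limit) ||
        (l->bytes_soft_limit && bytes > l->bytes_soft_limit))
        r.aux_flags |= SA_AUX_SOFT_EXPIRY;
    return r;
}

/* Run 'n' packets of 'len' bytes through the SA, store each result in out[]
 * and return the index of the first soft-expiry notification (-1 if none).
 * That index is where an application should start rekeying, before the
 * hard limit turns the SA into a packet drop. */
int sa_life_run(struct sa_life *l, uint32_t len, unsigned n,
                struct sa_result *out)
{
    int first_soft = -1;
    unsigned i;

    for (i = 0; i < n; i++) {
        out[i] = sa_life_process(l, len);
        if (first_soft < 0 && (out[i].aux_flags & SA_AUX_SOFT_EXPIRY))
            first_soft = (int)i;
    }
    return first_soft;
}

int main(void)
{
    /* Constructed example: soft limit 4 packets, hard limit 6 packets. */
    struct sa_life l = { .packets_soft_limit = 4, .packets_hard_limit = 6 };
    struct sa_result res[8];
    int first;
    unsigned i;

    if (sa_life_validate(&l) != 0)
        return 1;
    first = sa_life_run(&l, 100, 8, res);
    for (i = 0; i < 8; i++)
        printf("pkt %u: %s%s\n", i + 1,
               res[i].status == SA_OP_SUCCESS ? "ok" : "ERROR",
               (res[i].aux_flags & SA_AUX_SOFT_EXPIRY) ? " (soft expiry)" : "");
    printf("rekey should start at packet %d\n", first + 1);
    return 0;
}
```

Packets 1 to 4 pass cleanly, 5 and 6 pass with the soft-expiry flag, and 7 onwards are rejected; the gap between the two limits is the window an application has to negotiate a replacement SA. The same run with byte limits (for example soft 250, hard 350 with 100-byte packets) flags packet 3 and rejects packet 4.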