From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 77908A0032; Tue, 28 Sep 2021 12:09:01 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 69917410E4; Tue, 28 Sep 2021 12:09:01 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 639A1410D7 for ; Tue, 28 Sep 2021 12:08:56 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18SA6Txt002880; Tue, 28 Sep 2021 03:08:55 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=7zQb45r5y0i3bFSTc9gOKvTP/UYxWbO9zyv3O/5/siA=; b=LJ3igttKM9QEI1vfPKRjTuFdnPjz1+HctK+gzhgwWvAUry5QpShIZFm2XTcFPa/9lOMP 89vdddqxAOZ69yXlC9M8nwjpGpviePKhuOzSExyTfLg+MAJgL8O+x3Xk5hAHPfadmeUI 50y/h0V3PwOIZ/6bSDM0W983P8IEMEgBmNfXB/vvci7cyeE9IwjCElg5QsU291T+eoSc 16/LsjaMYLB8lKaq4X6SzfItoEXTYB8b2cPLX5jW0a6bO9t5V67T5W7tVcWzGgbe0Hdl mY+SeZno0F2nzLitSykqN/D4cLrRBolbBViYnwh3lvEqdGd6XQ6fS7zfNYlolwjETv1H JQ== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com with ESMTP id 3bbdmjv9r3-13 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 28 Sep 2021 03:08:55 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Tue, 28 Sep 2021 03:08:15 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Tue, 28 Sep 2021 03:08:15 -0700 Received: from HY-LT1002.marvell.com (HY-LT1002.marvell.com [10.28.176.218]) by maili.marvell.com (Postfix) with ESMTP id 2B3013F707E; Tue, 28 Sep 2021 03:08:10 -0700 (PDT) From: Anoob Joseph To: Akhil Goyal , Declan Doherty , Fan Zhang , "Konstantin Ananyev" CC: Anoob Joseph , Jerin Jacob , Archana Muniganti , Tejasree Kondoj , Hemant Agrawal , "Radu Nicolau" , Ciara Power , Gagandeep Singh , Date: Tue, 28 Sep 2021 15:37:37 +0530 Message-ID: <1632823662-384-3-git-send-email-anoobj@marvell.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1632823662-384-1-git-send-email-anoobj@marvell.com> References: <1631032372-275-1-git-send-email-anoobj@marvell.com> <1632823662-384-1-git-send-email-anoobj@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-GUID: 85KNxRmr1kXu4SWvJJy2l8OmSeCNUKiY X-Proofpoint-ORIG-GUID: 85KNxRmr1kXu4SWvJJy2l8OmSeCNUKiY X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-28_05,2021-09-28_01,2020-04-07_01 Subject: [dpdk-dev] [PATCH v3 2/6] common/cnxk: support lifetime configuration X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add support for SA lifetime configuration. Expiry can be either in units of octets or packets. Also, updated cryptodev dequeue path to update crypto op result to indicate soft expiry. Signed-off-by: Anoob Joseph --- drivers/common/cnxk/cnxk_security.c | 70 +++++++++++++++++++++++++++++++ drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 48 ++++++++++++++++----- drivers/crypto/cnxk/cn9k_ipsec.c | 6 ++- 3 files changed, 112 insertions(+), 12 deletions(-) diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index 4f7fd1b..215d9fd 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -161,6 +161,26 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, return -EINVAL; } + if (ipsec_xfrm->life.packets_soft_limit != 0 || + ipsec_xfrm->life.packets_hard_limit != 0) { + if (ipsec_xfrm->life.bytes_soft_limit != 0 || + ipsec_xfrm->life.bytes_hard_limit != 0) { + plt_err("Expiry tracking with both packets & bytes is not supported"); + return -EINVAL; + } + w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_PKTS; + } + + if (ipsec_xfrm->life.bytes_soft_limit != 0 || + ipsec_xfrm->life.bytes_hard_limit != 0) { + if (ipsec_xfrm->life.packets_soft_limit != 0 || + ipsec_xfrm->life.packets_hard_limit != 0) { + plt_err("Expiry tracking with both packets & bytes is not supported"); + return -EINVAL; + } + w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_OCTETS; + } + return 0; } @@ -236,6 +256,31 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, ROC_CTX_UNIT_128B) - 1; + /** + * CPT MC triggers expiry when counter value changes from 2 to 1. To + * mitigate this behaviour add 1 to the life counter values provided. + */ + + if (ipsec_xfrm->life.bytes_soft_limit) { + sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1; + sa->w0.s.soft_life_dec = 1; + } + + if (ipsec_xfrm->life.packets_soft_limit) { + sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1; + sa->w0.s.soft_life_dec = 1; + } + + if (ipsec_xfrm->life.bytes_hard_limit) { + sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1; + sa->w0.s.hard_life_dec = 1; + } + + if (ipsec_xfrm->life.packets_hard_limit) { + sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1; + sa->w0.s.hard_life_dec = 1; + } + /* There are two words of CPT_CTX_HW_S for ucode to skip */ sa->w0.s.ctx_hdr_size = 1; sa->w0.s.aop_valid = 1; @@ -360,6 +405,31 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa, /* IPID gen */ sa->w2.s.ipid_gen = 1; + /** + * CPT MC triggers expiry when counter value changes from 2 to 1. To + * mitigate this behaviour add 1 to the life counter values provided. + */ + + if (ipsec_xfrm->life.bytes_soft_limit) { + sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1; + sa->w0.s.soft_life_dec = 1; + } + + if (ipsec_xfrm->life.packets_soft_limit) { + sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1; + sa->w0.s.soft_life_dec = 1; + } + + if (ipsec_xfrm->life.bytes_hard_limit) { + sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1; + sa->w0.s.hard_life_dec = 1; + } + + if (ipsec_xfrm->life.packets_hard_limit) { + sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1; + sa->w0.s.hard_life_dec = 1; + } + /* There are two words of CPT_CTX_HW_S for ucode to skip */ sa->w0.s.ctx_hdr_size = 1; sa->w0.s.aop_valid = 1; diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 3a1a4a2..3caf05a 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -348,12 +348,44 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, struct cpt_inflight_req *infl_req) { struct cpt_cn10k_res_s *res = (struct cpt_cn10k_res_s *)&infl_req->res; + const uint8_t uc_compcode = res->uc_compcode; + const uint8_t compcode = res->compcode; unsigned int sz; - if (likely(res->compcode == CPT_COMP_GOOD || - res->compcode == CPT_COMP_WARN)) { - if (unlikely(res->uc_compcode)) { - if (res->uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE) + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + + if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC && + cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { + if (likely(compcode == CPT_COMP_WARN)) { + if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) { + /* Success with additional info */ + switch (uc_compcode) { + case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST: + cop->aux_flags = + RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY; + break; + default: + break; + } + } + cn10k_cpt_sec_post_process(cop, res); + } else { + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + plt_dp_info("HW completion code 0x%x", res->compcode); + if (compcode == CPT_COMP_GOOD) { + plt_dp_info( + "Request failed with microcode error"); + plt_dp_info("MC completion code 0x%x", + uc_compcode); + } + } + + return; + } + + if (likely(compcode == CPT_COMP_GOOD || compcode == CPT_COMP_WARN)) { + if (unlikely(uc_compcode)) { + if (uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE) cop->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED; else cop->status = RTE_CRYPTO_OP_STATUS_ERROR; @@ -364,13 +396,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, goto temp_sess_free; } - cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { - if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { - cn10k_cpt_sec_post_process(cop, res); - return; - } - /* Verify authentication data if required */ if (unlikely(infl_req->op_flags & CPT_OP_FLAGS_AUTH_VERIFY)) { @@ -392,7 +418,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, cop->status = RTE_CRYPTO_OP_STATUS_ERROR; plt_dp_info("HW completion code 0x%x", res->compcode); - switch (res->compcode) { + switch (compcode) { case CPT_COMP_INSTERR: plt_dp_err("Request failed with instruction error"); break; diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c index 0b63cc4..63ae025 100644 --- a/drivers/crypto/cnxk/cn9k_ipsec.c +++ b/drivers/crypto/cnxk/cn9k_ipsec.c @@ -485,7 +485,11 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp, static inline int cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec) { - RTE_SET_USED(ipsec); + if (ipsec->life.bytes_hard_limit != 0 || + ipsec->life.bytes_soft_limit != 0 || + ipsec->life.packets_hard_limit != 0 || + ipsec->life.packets_soft_limit != 0) + return -ENOTSUP; return 0; } -- 2.7.4