DPDK patches and discussions
 help / color / mirror / Atom feed
From: Anoob Joseph <anoobj@marvell.com>
To: Akhil Goyal <gakhil@marvell.com>,
	Declan Doherty <declan.doherty@intel.com>,
	Fan Zhang <roy.fan.zhang@intel.com>,
	"Konstantin Ananyev" <konstantin.ananyev@intel.com>
Cc: Anoob Joseph <anoobj@marvell.com>,
	Jerin Jacob <jerinj@marvell.com>,
	Archana Muniganti <marchana@marvell.com>,
	Tejasree Kondoj <ktejasree@marvell.com>,
	Hemant Agrawal <hemant.agrawal@nxp.com>,
	"Radu Nicolau" <radu.nicolau@intel.com>,
	Ciara Power <ciara.power@intel.com>,
	Gagandeep Singh <g.singh@nxp.com>, <dev@dpdk.org>
Subject: [dpdk-dev] [PATCH v4 2/6] common/cnxk: support lifetime configuration
Date: Tue, 28 Sep 2021 16:29:55 +0530	[thread overview]
Message-ID: <1632826799-454-3-git-send-email-anoobj@marvell.com> (raw)
In-Reply-To: <1632826799-454-1-git-send-email-anoobj@marvell.com>

Add support for SA lifetime configuration. Expiry can
be either in units of octets or packets.

Also, updated cryptodev dequeue path to update crypto op result to
indicate soft expiry.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>

---
 drivers/common/cnxk/cnxk_security.c       | 70 +++++++++++++++++++++++++++++++
 drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 48 ++++++++++++++++-----
 drivers/crypto/cnxk/cn9k_ipsec.c          |  6 ++-
 3 files changed, 112 insertions(+), 12 deletions(-)

diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index 4f7fd1b..215d9fd 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -161,6 +161,26 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 		return -EINVAL;
 	}
 
+	if (ipsec_xfrm->life.packets_soft_limit != 0 ||
+	    ipsec_xfrm->life.packets_hard_limit != 0) {
+		if (ipsec_xfrm->life.bytes_soft_limit != 0 ||
+		    ipsec_xfrm->life.bytes_hard_limit != 0) {
+			plt_err("Expiry tracking with both packets & bytes is not supported");
+			return -EINVAL;
+		}
+		w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_PKTS;
+	}
+
+	if (ipsec_xfrm->life.bytes_soft_limit != 0 ||
+	    ipsec_xfrm->life.bytes_hard_limit != 0) {
+		if (ipsec_xfrm->life.packets_soft_limit != 0 ||
+		    ipsec_xfrm->life.packets_hard_limit != 0) {
+			plt_err("Expiry tracking with both packets & bytes is not supported");
+			return -EINVAL;
+		}
+		w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_OCTETS;
+	}
+
 	return 0;
 }
 
@@ -236,6 +256,31 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
 		 ROC_CTX_UNIT_128B) -
 		1;
 
+	/**
+	 * CPT MC triggers expiry when counter value changes from 2 to 1. To
+	 * mitigate this behaviour add 1 to the life counter values provided.
+	 */
+
+	if (ipsec_xfrm->life.bytes_soft_limit) {
+		sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1;
+		sa->w0.s.soft_life_dec = 1;
+	}
+
+	if (ipsec_xfrm->life.packets_soft_limit) {
+		sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1;
+		sa->w0.s.soft_life_dec = 1;
+	}
+
+	if (ipsec_xfrm->life.bytes_hard_limit) {
+		sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1;
+		sa->w0.s.hard_life_dec = 1;
+	}
+
+	if (ipsec_xfrm->life.packets_hard_limit) {
+		sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1;
+		sa->w0.s.hard_life_dec = 1;
+	}
+
 	/* There are two words of CPT_CTX_HW_S for ucode to skip */
 	sa->w0.s.ctx_hdr_size = 1;
 	sa->w0.s.aop_valid = 1;
@@ -360,6 +405,31 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
 	/* IPID gen */
 	sa->w2.s.ipid_gen = 1;
 
+	/**
+	 * CPT MC triggers expiry when counter value changes from 2 to 1. To
+	 * mitigate this behaviour add 1 to the life counter values provided.
+	 */
+
+	if (ipsec_xfrm->life.bytes_soft_limit) {
+		sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1;
+		sa->w0.s.soft_life_dec = 1;
+	}
+
+	if (ipsec_xfrm->life.packets_soft_limit) {
+		sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1;
+		sa->w0.s.soft_life_dec = 1;
+	}
+
+	if (ipsec_xfrm->life.bytes_hard_limit) {
+		sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1;
+		sa->w0.s.hard_life_dec = 1;
+	}
+
+	if (ipsec_xfrm->life.packets_hard_limit) {
+		sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1;
+		sa->w0.s.hard_life_dec = 1;
+	}
+
 	/* There are two words of CPT_CTX_HW_S for ucode to skip */
 	sa->w0.s.ctx_hdr_size = 1;
 	sa->w0.s.aop_valid = 1;
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 3a1a4a2..3caf05a 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -348,12 +348,44 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
 			       struct cpt_inflight_req *infl_req)
 {
 	struct cpt_cn10k_res_s *res = (struct cpt_cn10k_res_s *)&infl_req->res;
+	const uint8_t uc_compcode = res->uc_compcode;
+	const uint8_t compcode = res->compcode;
 	unsigned int sz;
 
-	if (likely(res->compcode == CPT_COMP_GOOD ||
-		   res->compcode == CPT_COMP_WARN)) {
-		if (unlikely(res->uc_compcode)) {
-			if (res->uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE)
+	cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+
+	if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
+	    cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
+		if (likely(compcode == CPT_COMP_WARN)) {
+			if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) {
+				/* Success with additional info */
+				switch (uc_compcode) {
+				case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST:
+					cop->aux_flags =
+						RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
+					break;
+				default:
+					break;
+				}
+			}
+			cn10k_cpt_sec_post_process(cop, res);
+		} else {
+			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+			plt_dp_info("HW completion code 0x%x", res->compcode);
+			if (compcode == CPT_COMP_GOOD) {
+				plt_dp_info(
+					"Request failed with microcode error");
+				plt_dp_info("MC completion code 0x%x",
+					    uc_compcode);
+			}
+		}
+
+		return;
+	}
+
+	if (likely(compcode == CPT_COMP_GOOD || compcode == CPT_COMP_WARN)) {
+		if (unlikely(uc_compcode)) {
+			if (uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE)
 				cop->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 			else
 				cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
@@ -364,13 +396,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
 			goto temp_sess_free;
 		}
 
-		cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
 		if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
-			if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
-				cn10k_cpt_sec_post_process(cop, res);
-				return;
-			}
-
 			/* Verify authentication data if required */
 			if (unlikely(infl_req->op_flags &
 				     CPT_OP_FLAGS_AUTH_VERIFY)) {
@@ -392,7 +418,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
 		cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
 		plt_dp_info("HW completion code 0x%x", res->compcode);
 
-		switch (res->compcode) {
+		switch (compcode) {
 		case CPT_COMP_INSTERR:
 			plt_dp_err("Request failed with instruction error");
 			break;
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index 0b63cc4..63ae025 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -485,7 +485,11 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
 static inline int
 cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
 {
-	RTE_SET_USED(ipsec);
+	if (ipsec->life.bytes_hard_limit != 0 ||
+	    ipsec->life.bytes_soft_limit != 0 ||
+	    ipsec->life.packets_hard_limit != 0 ||
+	    ipsec->life.packets_soft_limit != 0)
+		return -ENOTSUP;
 
 	return 0;
 }
-- 
2.7.4


  parent reply	other threads:[~2021-09-28 11:00 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-17 13:42 [dpdk-dev] [PATCH 0/5] Add SA lifetime in security Anoob Joseph
2021-08-17 13:42 ` [dpdk-dev] [PATCH 1/5] security: add SA lifetime configuration Anoob Joseph
2021-08-17 13:42 ` [dpdk-dev] [PATCH 2/5] common/cnxk: support " Anoob Joseph
2021-08-17 13:42 ` [dpdk-dev] [PATCH 3/5] crypto/octeontx2: add checks for life configuration Anoob Joseph
2021-08-17 13:42 ` [dpdk-dev] [PATCH 4/5] test/crypto: add packets soft expiry tests Anoob Joseph
2021-08-17 13:42 ` [dpdk-dev] [PATCH 5/5] test/crypto: add packets hard " Anoob Joseph
2021-09-07 16:32 ` [dpdk-dev] [PATCH v2 0/6] Add SA lifetime in security Anoob Joseph
2021-09-07 16:32   ` [dpdk-dev] [PATCH v2 1/6] security: add SA lifetime configuration Anoob Joseph
2021-09-16 11:06     ` Ananyev, Konstantin
2021-09-17  4:48       ` Anoob Joseph
2021-09-07 16:32   ` [dpdk-dev] [PATCH v2 2/6] common/cnxk: support " Anoob Joseph
2021-09-07 16:32   ` [dpdk-dev] [PATCH v2 3/6] crypto/octeontx2: add checks for life configuration Anoob Joseph
2021-09-07 16:32   ` [dpdk-dev] [PATCH v2 4/6] test/crypto: add packets soft expiry tests Anoob Joseph
2021-09-07 16:32   ` [dpdk-dev] [PATCH v2 5/6] test/crypto: add packets hard " Anoob Joseph
2021-09-07 16:32   ` [dpdk-dev] [PATCH v2 6/6] examples/ipsec-secgw: clear soft expiry configuration Anoob Joseph
2021-09-16 11:11     ` Ananyev, Konstantin
2021-09-28 10:07   ` [dpdk-dev] [PATCH v3 0/6] Add SA lifetime in security Anoob Joseph
2021-09-28 10:07     ` [dpdk-dev] [PATCH v3 1/6] security: add SA lifetime configuration Anoob Joseph
2021-09-28 10:07     ` [dpdk-dev] [PATCH v3 2/6] common/cnxk: support " Anoob Joseph
2021-09-28 10:07     ` [dpdk-dev] [PATCH v3 3/6] crypto/octeontx2: add checks for life configuration Anoob Joseph
2021-09-28 10:07     ` [dpdk-dev] [PATCH v3 4/6] test/crypto: add packets soft expiry tests Anoob Joseph
2021-09-28 10:07     ` [dpdk-dev] [PATCH v3 5/6] test/crypto: add packets hard " Anoob Joseph
2021-09-28 10:07     ` [dpdk-dev] [PATCH v3 6/6] examples/ipsec-secgw: clear soft expiry configuration Anoob Joseph
2021-09-28 10:59     ` [dpdk-dev] [PATCH v4 0/6] Add SA lifetime in security Anoob Joseph
2021-09-28 10:59       ` [dpdk-dev] [PATCH v4 1/6] security: add SA lifetime configuration Anoob Joseph
2021-09-28 10:59       ` Anoob Joseph [this message]
2021-09-28 10:59       ` [dpdk-dev] [PATCH v4 3/6] crypto/octeontx2: add checks for life configuration Anoob Joseph
2021-09-28 10:59       ` [dpdk-dev] [PATCH v4 4/6] test/crypto: add packets soft expiry cases Anoob Joseph
2021-09-28 10:59       ` [dpdk-dev] [PATCH v4 5/6] test/crypto: add packets hard " Anoob Joseph
2021-09-28 10:59       ` [dpdk-dev] [PATCH v4 6/6] examples/ipsec-secgw: clear soft expiry configuration Anoob Joseph
2021-09-28 14:40       ` [dpdk-dev] [PATCH v4 0/6] Add SA lifetime in security Akhil Goyal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1632826799-454-3-git-send-email-anoobj@marvell.com \
    --to=anoobj@marvell.com \
    --cc=ciara.power@intel.com \
    --cc=declan.doherty@intel.com \
    --cc=dev@dpdk.org \
    --cc=g.singh@nxp.com \
    --cc=gakhil@marvell.com \
    --cc=hemant.agrawal@nxp.com \
    --cc=jerinj@marvell.com \
    --cc=konstantin.ananyev@intel.com \
    --cc=ktejasree@marvell.com \
    --cc=marchana@marvell.com \
    --cc=radu.nicolau@intel.com \
    --cc=roy.fan.zhang@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).