From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0084.outbound.protection.outlook.com [104.47.34.84]) by dpdk.org (Postfix) with ESMTP id 0F9B111F5 for ; Tue, 29 Aug 2017 14:04:18 +0200 (CEST) Received: from MWHPR03CA0009.namprd03.prod.outlook.com (2603:10b6:300:117::19) by DM2PR03MB557.namprd03.prod.outlook.com (2a01:111:e400:241b::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1385.9; Tue, 29 Aug 2017 12:04:17 +0000 Received: from BL2FFO11OLC011.protection.gbl (2a01:111:f400:7c09::189) by MWHPR03CA0009.outlook.office365.com (2603:10b6:300:117::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.13.10 via Frontend Transport; Tue, 29 Aug 2017 12:04:16 +0000 Authentication-Results: spf=fail (sender IP is 192.88.168.50) smtp.mailfrom=nxp.com; intel.com; dkim=none (message not signed) header.d=none;intel.com; dmarc=fail action=none header.from=nxp.com; Received-SPF: Fail (protection.outlook.com: domain of nxp.com does not designate 192.88.168.50 as permitted sender) receiver=protection.outlook.com; client-ip=192.88.168.50; helo=tx30smr01.am.freescale.net; Received: from tx30smr01.am.freescale.net (192.88.168.50) by BL2FFO11OLC011.mail.protection.outlook.com (10.173.160.157) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.1341.15 via Frontend Transport; Tue, 29 Aug 2017 12:04:16 +0000 Received: from [10.232.134.49] (B35197-11.ap.freescale.net [10.232.134.49]) by tx30smr01.am.freescale.net (8.14.3/8.14.0) with ESMTP id v7TC4CHh014578; Tue, 29 Aug 2017 05:04:13 -0700 To: Radu Nicolau , References: <1503673046-30651-1-git-send-email-radu.nicolau@intel.com> <1503673046-30651-6-git-send-email-radu.nicolau@intel.com> From: Akhil Goyal CC: "hemant.agrawal@nxp.com" , Boris Pismenny , Declan Doherty Message-ID: <1f3791f9-0902-3446-b8cf-195de851662d@nxp.com> Date: Tue, 29 Aug 2017 17:34:11 +0530 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <1503673046-30651-6-git-send-email-radu.nicolau@intel.com> Content-Type: text/plain; charset="utf-8"; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-EOPAttributedMessage: 0 X-Matching-Connectors: 131484818564441482; (91ab9b29-cfa4-454e-5278-08d120cd25b8); () X-Forefront-Antispam-Report: CIP:192.88.168.50; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10009020)(6009001)(336005)(39860400002)(39380400002)(2980300002)(1109001)(1110001)(3190300001)(339900001)(199003)(377454003)(189002)(24454002)(31686004)(54906002)(498600001)(626005)(6246003)(77096006)(68736007)(229853002)(2950100002)(53936002)(106466001)(36756003)(50986999)(2906002)(5890100001)(54356999)(305945005)(97736004)(4001350100001)(76176999)(85426001)(356003)(83506001)(81166006)(23676002)(81156014)(8936002)(8676002)(53546010)(86362001)(189998001)(31696002)(65806001)(64126003)(105606002)(104016004)(5660300001)(65826007)(4326008)(50466002)(230700001)(65956001)(33646002)(47776003)(8656003)(217873001); DIR:OUT; SFP:1101; SCL:1; SRVR:DM2PR03MB557; H:tx30smr01.am.freescale.net; FPR:; SPF:Fail; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en; X-Microsoft-Exchange-Diagnostics: 1; BL2FFO11OLC011; 1:x2OWsc2gDhdk9DKsJWQwSr0wYF80x1udZ+b4NDWlozXzfE/BNFyaIZhbYpQIeoSHAsB2lLnKmP0MTeZzjKrwiO68BD3fHCLjObKVSfEbYqtseJkkGr9YKFWSdUOXf5Fb X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: d47580b3-7ac3-43b4-e58a-08d4eed6125a X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(300000503095)(300135400095)(2017052603199)(201703131430075)(201703131517081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:DM2PR03MB557; X-Microsoft-Exchange-Diagnostics: 1; DM2PR03MB557; 3:gwNmDclfjmrevZbmt1HOMcrWtwJaHn9VxvHoLmXjA6N0nutqP6GcsN+sI1y9+FKbw9iSiv1AuuWSN0/YVONq6lKSQzmNy/VS4Umhj0Mwi7b+V1Lr+rAKzlrzuedY+1sYfC5KD04c9gG0R+Gza2FjtLcBF2TnsHPk5NNBIlvYjIa8V6BcwryGcCsa7UuM/bmzyKZRe0lNZBJMZGXpUUCYcPm0xkRnMrli4MNqOWk59dAfFQonbYBM39FGb0slx5xuYB8ZGWMZCPWWaNpIjOFzTaGpB1+qZf6RVdT80DFarE1S5Hh+bWNc6MThsS71N9xDVa5EgwPBVZdVI9Gr5EOj57uK7xYjtQ1j5jx12OCnhWk=; 25:GRd2b2+dYAMDG2UL3HxYzj8R53HiGop4O4NoVVYoWLtY+tbzc03v8f3BDhR4TeKll6ihzv+vLDjvl/gK/xKvZbDnQbpBDU7vwjpFD+w3WTBVroS6LP5VyXNe8G4nxUogqRfosGRsBaxFm3FT6otI3Vpycfd39TAkLHdkR0wxp30nTubw105A3w7OKot87zsWy77xssLgHZPO/plxxP1nPSj7vDAG6sBl9izPbkBRNArkHTYEg/QljMHNkuyB/OlIlFOcsIXthYy/LG1Fd4lNlglxoBBeX8UFGqDNW20o8vIAhye+Qe1ZtF+nXFjJ748rjPj+A718E+BvGiLO4D3wzQ== X-MS-TrafficTypeDiagnostic: DM2PR03MB557: X-Microsoft-Exchange-Diagnostics: 1; DM2PR03MB557; 31:5lW4PSDORU0ROSsM1Tk5PBOw+ibztcrCOcpjJkaHraHx9oHtHY6dyzT2vtm2RAIm02gKr72p/gfMXEVBHqZl56SgxuO5x4I3xZCc7aunDQ6X5QjLvSTeVlnWjFYixYX4qWzfzcMD4IKvZdGPmH6afjkiFFtbLnVuMsX7k87mpYcU0ovSgy+sOHmsrzAbXH0xKxZ1TohAVB7T52UolJtAmY5GdHvll4m1ZUjIXLk3aBg=; 4:5tnFHy9c3PVfQdAUt7OzLLTeWmmXHz+3ibeGBiBQ4eu2YfeRgElt6nrZa56IXs4lwKpc5qWARtXBhuIXL+pQuNTduz0MQozvH0QGsm1oUW9iLRR50dlePX8Kval11KUD6OTPUDAlN1vXaCaMm9fhvIBMLSepp/0qSbOzSnj4gbL6jE/alS3CcEm+2I47PGfLbvDwKbkXPAljI4fMP3OnZq6I8S1h08uDZ3miDl6kAW+MhGx4LS7v98NBZwILWQoe1V0kwnuKupb4CIRuK31E3EpPbc+gXCXKyd7xzk2s4dw= X-Exchange-Antispam-Report-Test: UriScan:(228905959029699); X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6095135)(601004)(2401047)(5005006)(13018025)(8121501046)(13016025)(100000703101)(100105400095)(93006095)(93001095)(10201501046)(3002001)(6055026)(6096035)(201703131430075)(201703131441075)(201703131448075)(201703131433075)(201703161259150)(20161123563025)(20161123559100)(20161123556025)(20161123565025)(20161123561025)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:DM2PR03MB557; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(400006)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:DM2PR03MB557; X-Forefront-PRVS: 0414DF926F X-Microsoft-Exchange-Diagnostics: =?utf-8?B?MTtETTJQUjAzTUI1NTc7MjM6dXRSOXdRazhQby9adGZWUTN4eWdqbmN0UmlK?= =?utf-8?B?eUl2UFdxYUdwS2RFTkkzWXdET0dzNFhwWkJSZDZlRzN4cFIzQ0JZT0ZUR2tE?= =?utf-8?B?aU1UNGZSZnk3M2FoVzhJZFNxeGVTWjB5UmN3TFhOQjQ1MW55L3MvNnJQYUtu?= =?utf-8?B?YWMvcnVhbjFMdlpNdnNMYUJUdXpUR3Znakh6eXhtbjdHbHVXY1RVamRsYnFj?= =?utf-8?B?YUdRbHJCWFV6TGFsNFY2cms3NURzR3VNUXk4VDJGdmdMcFluNERFVElmZWpS?= =?utf-8?B?OU1tU05wcDRiNTk4TFI4RGU0TXNJTW9zejRmTVpRRVBiYlhjZ3daL2M5bnkz?= =?utf-8?B?V0drMU1TWG10TDZ0a1hKNzNjNUxWT0Y4VTVvZUJmbGVaVW5ZZVVGSGc5R3Qw?= =?utf-8?B?bkF2Y3dzNkRic2xXcUJJcXBWb1JJelh4NU0wWXNvUTlPMFBJSGFlYlhIRlg1?= =?utf-8?B?ZzBndGZZNHJUQjVNbmJROTNxVFBObXNmS3VxNy81T1ArdXk5UHM0eGY4TDhy?= =?utf-8?B?ODhQeWg3UkVkUmlZZUZLR1dvb3dpN1NXVFM4YnYxK0NtL012WlJpQ2xqMGpP?= =?utf-8?B?OE51cGpWRWl4WnQ2R3FDZ1RTWWo2cWVBRk4yVHZJM0E5QlI2b3VMTHo2Wmdz?= =?utf-8?B?S0xUNkxoRU1EWGJFbWlGUWJCTk9oK0dTUElzY3VsM0IzaGR0OTkyMkl4akJW?= =?utf-8?B?YzI0TXE5RitwMFYxcDIxS3RMaXVWRE54N09mRm9GNlAzamtkREhlVjBqQmFs?= =?utf-8?B?c1lpdk1wNUpCZmZZVzJtTGR4akJQQ0RzSXJjT1NvaEYyM3VOKzJ5aE1xQ0RU?= =?utf-8?B?ZE42RVBuWlRvWUxscjBCUlFPcGlueC8wVUpvQnNzL2EySm1FL1h0cGN1d21x?= =?utf-8?B?MVZLUmNWWDhJQ3J5K2Q4OXNieE85SFhwMVQzRTlQaTVYVzNLSFBnOTFHWHMr?= =?utf-8?B?VzR4K1pTY2JSSXNqWFRKUGJkNTV6ZjNUVkxqQmU4cVROdVRVVmRqR0F3bTlM?= =?utf-8?B?aFJ4MGRWemo4R1M5MGlvN3QyV01pdHBlNENTNWhSckQ3bGQ2VitoU2F0UHc1?= =?utf-8?B?cjN4ZGZ4Mi9mdmYrNUhJL2pyVlZFSHFQU1MrUEJNWCtaL2lCekdRc1Q1eGp3?= =?utf-8?B?S0M4eFdORDV5WXpIbVVmQTgrVS9JcnRjcVRENS91WVlRT1FSVjR0M2MyODlT?= =?utf-8?B?amdxc0N5K3UzSVJxN1UyT25OeitZS3lEa0NYWDlGNDVEclh3QzQwKzJLY05w?= =?utf-8?B?MUVUbFJYUWdVSVR0aXhTUjVFaHlqTzR3YWxrakx4WkxEUnRFb0w5UWVpN0xt?= =?utf-8?B?dFUxeXF6TWZSWURZUWhKWVE3YXRuTHIzaVNuVHpyUU1yelhueUV0RmxTdFN3?= =?utf-8?B?SGswZWZUQUp0MGZDWThQZW1weVBiRzZmaVBxdXNRUDlRc1BXSTROM0h5eFd6?= =?utf-8?B?MTJIVFRDYnNzU2xxdUJ5aWRsTlVnQ2l2WG8yUkI5YWxBQzFUMTNReDE1UWpv?= =?utf-8?B?am1NeEFTUndEeWxIRWJYNGdzeldxQ0FBaTMrQk44RGhjMG9yZ1JPSW5SQW4r?= =?utf-8?B?UmFSWlR0S1VMcjA1UzdoSStGVXNvSXc3aUgxVEhYelFGMDF1ZjQraGt2ZXZ2?= =?utf-8?B?MWhTRTZrMGg0ZTNia1UwMkNSdEZjWjBsM1RpTnBEUng0YkVnZ2NIYVhqWU9l?= =?utf-8?B?WjIzS2YyZ1hPSUZlOWtLcDI0aHpYa0ZrWElkem1NbHFSS2d3MW1Ub3hlNXdx?= =?utf-8?B?L0NQUG9hemZRR1p4OFY3QnZZUk9JMGpaWHJDWmJYVUphdWVEZ0dRQzhFdlhi?= =?utf-8?B?YkFEQjVnc0x4dVlzRFBkSFFXZktuWEI0Zkd6VkhsR0RKdGczMkc1cFdYVHln?= =?utf-8?Q?F7oG7U4RyVuJJE9YTfmjEGMF2imC7/K?= X-Microsoft-Exchange-Diagnostics: 1; DM2PR03MB557; 6:uwptL693oTIPYIb8YWYBgqaTHQLzQGkoSn4t7PA3Qna2dDxS9OTKeULS6zBcPkdeHCBbF9M0TvRuijuwo7L5zqERyUVWHnPsVLZGn23KVTquH+qOQ1q9x6HuYFLpejFCSyo88hudTh6Wj+3O6+CnF39ur9NT/K+IqPeCFyA1Nh1Dqpe1DbcXMa4UVOkRXhVGzi72j7OqDjox8mgc7AbDXk5P8Rem61lD1zkZOY9W7fBLgYtA/yc894lgG5u6jnhtJvm7uZUYoQELyvJgZLYn0muD6u22VQTu2sqHfPQbCX9DWWTgbo1rsWTZzOlbx493HObuw0lPvYMkG3Nxd2IVoQ==; 5:Lo6t7eWzJ11i2YNNwd+g+5gd8ozJ/GcLxbkm9C2XNNAmGvEs2IdX5WrP09C3AtPnbthf0FwiB1xiLgbRk9FR0xaXAMHmzcdLJJc34jcMaIuQa4SXGQW94EX6FX7Hj1++G7CMzAftoFB8bZ62jfkIaQ==; 24:nPp+KgAvrVKriDxZB08H2GYhEeTJ5jUTQ5LnjQnC1+Fjy5FWYBdYMGcRUkWTLdHO/nIwd5KYtUmqy5QIkCgOH+aJTU4kKI+8xwxge6Bc9wY=; 7:LQo5k7kfSVBlefcTXM0o0lyP207unxvtCcd5PU80KGJn/ZKvlw7YGAs+oFx3QGj3NGf6TU5ir70JAnUFFVyOidIa+my1picDbB2xvN5xl+rBiRCOA/+LdZkI5m5K4IGsjypYl9muicBxvKmoOi0XTaLmgpxTmXMUXTUeicZ5as3MnCHRyIHBHntHxnhJSWRMJofBYdlrTVwRvW0hEKHfEo2wMER1tXtU567Yx0pBUaw= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Aug 2017 12:04:16.1945 (UTC) X-MS-Exchange-CrossTenant-Id: 5afe0b00-7697-4969-b663-5eab37d5f47e X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5afe0b00-7697-4969-b663-5eab37d5f47e; Ip=[192.88.168.50]; Helo=[tx30smr01.am.freescale.net] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR03MB557 Subject: Re: [dpdk-dev] [RFC PATCH 5/5] examples/ipsec-secgw: enabled inline ipsec X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Aug 2017 12:04:19 -0000 Hi Radu, On 8/25/2017 8:27 PM, Radu Nicolau wrote: > Signed-off-by: Radu Nicolau > --- > examples/ipsec-secgw/esp.c | 26 ++++++++++++++++-- > examples/ipsec-secgw/ipsec.c | 61 +++++++++++++++++++++++++++++++++++------ > examples/ipsec-secgw/ipsec.h | 2 ++ > examples/ipsec-secgw/sa.c | 65 +++++++++++++++++++++++++++++++------------- > 4 files changed, 123 insertions(+), 31 deletions(-) > > diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c > index 70bb81f..77ab232 100644 > --- a/examples/ipsec-secgw/esp.c > +++ b/examples/ipsec-secgw/esp.c > @@ -58,6 +58,9 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa, > struct rte_crypto_sym_op *sym_cop; > int32_t payload_len, ip_hdr_len; > > + if (sa->type == RTE_SECURITY_SESS_ETH_INLINE_CRYPTO) > + return 0; > + > RTE_ASSERT(m != NULL); > RTE_ASSERT(sa != NULL); > RTE_ASSERT(cop != NULL); > @@ -175,6 +178,16 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa, > RTE_ASSERT(sa != NULL); > RTE_ASSERT(cop != NULL); > > + > + if (sa->type == RTE_SECURITY_SESS_ETH_INLINE_CRYPTO) { > + if (m->ol_flags & PKT_RX_SECURITY_OFFLOAD > + && m->ol_flags & PKT_RX_SECURITY_OFFLOAD_FAILED) > + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; > + else > + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; > + } > + > + > if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { > RTE_LOG(ERR, IPSEC_ESP, "failed crypto op\n"); > return -1; > @@ -321,6 +334,9 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, > esp->spi = rte_cpu_to_be_32(sa->spi); > esp->seq = rte_cpu_to_be_32((uint32_t)sa->seq); > > + if (sa->type == RTE_SECURITY_SESS_ETH_INLINE_CRYPTO) > + return 0; > + > uint64_t *iv = (uint64_t *)(esp + 1); > > sym_cop = get_sym_cop(cop); > @@ -419,9 +435,13 @@ esp_outbound_post(struct rte_mbuf *m __rte_unused, > RTE_ASSERT(sa != NULL); > RTE_ASSERT(cop != NULL); > > - if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { > - RTE_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); > - return -1; > + if (sa->type == RTE_SECURITY_SESS_ETH_INLINE_CRYPTO) { > + m->ol_flags |= PKT_TX_SECURITY_OFFLOAD; > + } else { > + if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { > + RTE_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); > + return -1; > + } > } > > return 0; > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index c8fde1c..b14b23d 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -58,13 +58,17 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) > key.cipher_algo = (uint8_t)sa->cipher_algo; > key.auth_algo = (uint8_t)sa->auth_algo; > > - ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key, > - (void **)&cdev_id_qp); > - if (ret < 0) { > - RTE_LOG(ERR, IPSEC, "No cryptodev: core %u, cipher_algo %u, " > - "auth_algo %u\n", key.lcore_id, key.cipher_algo, > - key.auth_algo); > - return -1; > + if (sa->type == RTE_SECURITY_SESS_NONE) { I believe cdev_id_qp will be needed by all the sa->type. I can see that it is being used by ipsec inline case, but it is not getting set anywhere. > + ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key, > + (void **)&cdev_id_qp); > + if (ret < 0) { > + RTE_LOG(ERR, IPSEC, "No cryptodev: core %u, " > + "cipher_algo %u, " > + "auth_algo %u\n", > + key.lcore_id, key.cipher_algo, > + key.auth_algo); > + return -1; > + } > } > > RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on cryptodev " > @@ -79,7 +83,8 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) > sa->crypto_session, sa->xforms, > ipsec_ctx->session_pool); > > - rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id, &cdev_info); > + rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id, > + &cdev_info); > if (cdev_info.sym.max_nb_sessions_per_qp > 0) { > ret = rte_cryptodev_queue_pair_attach_sym_session( > ipsec_ctx->tbl[cdev_id_qp].id, > @@ -146,6 +151,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, > struct ipsec_mbuf_metadata *priv; > struct rte_crypto_sym_op *sym_cop; > struct ipsec_sa *sa; > + struct cdev_qp *cqp; > > for (i = 0; i < nb_pkts; i++) { > if (unlikely(sas[i] == NULL)) { > @@ -202,8 +208,31 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, > } > break; > case RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD: > - case RTE_SECURITY_SESS_ETH_INLINE_CRYPTO: > break; > + case RTE_SECURITY_SESS_ETH_INLINE_CRYPTO: > + priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC; > + priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; > + > + rte_prefetch0(&priv->sym_cop); > + > + if ((unlikely(sa->sec_session == NULL)) && > + create_session(ipsec_ctx, sa)) { > + rte_pktmbuf_free(pkts[i]); > + continue; > + } > + > + rte_security_attach_session(&priv->cop, > + sa->sec_session); > + > + ret = xform_func(pkts[i], sa, &priv->cop); I believe you are returning from the xform_func (esp_inbound and esp_outbound) without doing anything. It is better that you do not call it from here. It will save some of your cycles. > + if (unlikely(ret)) { > + rte_pktmbuf_free(pkts[i]); > + continue; > + } > + > + cqp = &ipsec_ctx->tbl[sa->cdev_id_qp]; > + cqp->ol_pkts[cqp->ol_pkts_cnt++] = pkts[i]; > + continue; > } > > RTE_ASSERT(sa->cdev_id_qp < ipsec_ctx->nb_qps); > @@ -228,6 +257,20 @@ ipsec_dequeue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, > if (ipsec_ctx->last_qp == ipsec_ctx->nb_qps) > ipsec_ctx->last_qp %= ipsec_ctx->nb_qps; > > + > + while (cqp->ol_pkts_cnt > 0 && nb_pkts < max_pkts) { > + pkt = cqp->ol_pkts[--cqp->ol_pkts_cnt]; > + rte_prefetch0(pkt); > + priv = get_priv(pkt); > + sa = priv->sa; > + ret = xform_func(pkt, sa, &priv->cop); > + if (unlikely(ret)) { > + rte_pktmbuf_free(pkt); > + continue; > + } > + pkts[nb_pkts++] = pkt; > + } > + > if (cqp->in_flight == 0) > continue; > > diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h > index 6291d86..685304b 100644 > --- a/examples/ipsec-secgw/ipsec.h > +++ b/examples/ipsec-secgw/ipsec.h > @@ -142,6 +142,8 @@ struct cdev_qp { > uint16_t in_flight; > uint16_t len; > struct rte_crypto_op *buf[MAX_PKT_BURST] __rte_aligned(sizeof(void *)); > + struct rte_mbuf *ol_pkts[MAX_PKT_BURST] __rte_aligned(sizeof(void *)); > + uint16_t ol_pkts_cnt; > }; > > struct ipsec_ctx { > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index 851262b..11b31d0 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -613,11 +613,13 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > if (status->status < 0) > return; > } else { > - APP_CHECK(cipher_algo_p == 1, status, "missing cipher or AEAD options"); > + APP_CHECK(cipher_algo_p == 1, status, > + "missing cipher or AEAD options"); > if (status->status < 0) > return; > > - APP_CHECK(auth_algo_p == 1, status, "missing auth or AEAD options"); > + APP_CHECK(auth_algo_p == 1, status, > + "missing auth or AEAD options"); > if (status->status < 0) > return; > } > @@ -763,14 +765,31 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > sa->dst.ip.ip4 = rte_cpu_to_be_32(sa->dst.ip.ip4); > } > > - if (sa->type == RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD) { > - sa_ctx->xf[idx].c.cipher_alg = sa->cipher_algo; > - sa_ctx->xf[idx].c.auth_alg = sa->auth_algo; > - sa_ctx->xf[idx].c.cipher_key.data = sa->cipher_key; > - sa_ctx->xf[idx].c.auth_key.data = sa->auth_key; > - sa_ctx->xf[idx].c.cipher_key.length = > + if (sa->type == RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD || > + sa->type == RTE_SECURITY_SESS_ETH_INLINE_CRYPTO) { > + > + if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) { > + sa_ctx->xf[idx].c.aead_alg = > + sa->aead_algo; > + sa_ctx->xf[idx].c.aead_key.data = > + sa->cipher_key; > + sa_ctx->xf[idx].c.aead_key.length = > + sa->cipher_key_len; > + > + } else { > + sa_ctx->xf[idx].c.cipher_alg = sa->cipher_algo; > + sa_ctx->xf[idx].c.auth_alg = sa->auth_algo; > + sa_ctx->xf[idx].c.cipher_key.data = > + sa->cipher_key; > + sa_ctx->xf[idx].c.auth_key.data = > + sa->auth_key; > + sa_ctx->xf[idx].c.cipher_key.length = > sa->cipher_key_len; > - sa_ctx->xf[idx].c.auth_key.length = sa->auth_key_len; > + sa_ctx->xf[idx].c.auth_key.length = > + sa->auth_key_len; > + sa_ctx->xf[idx].c.salt = sa->salt; > + } > + > sa_ctx->xf[idx].c.op = (inbound == 1)? > RTE_SECURITY_IPSEC_OP_DECAP : > RTE_SECURITY_IPSEC_OP_ENCAP; > @@ -835,9 +854,11 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > } > > if (inbound) { > - sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_CIPHER; > + sa_ctx->xf[idx].b.type = > + RTE_CRYPTO_SYM_XFORM_CIPHER; We are not touching this code here. Is it not recommended to handle the checkpatch errors separately. Similar comment for other changes in this patch also. > sa_ctx->xf[idx].b.cipher.algo = sa->cipher_algo; > - sa_ctx->xf[idx].b.cipher.key.data = sa->cipher_key; > + sa_ctx->xf[idx].b.cipher.key.data = > + sa->cipher_key; > sa_ctx->xf[idx].b.cipher.key.length = > sa->cipher_key_len; > sa_ctx->xf[idx].b.cipher.op = > @@ -846,7 +867,8 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > sa_ctx->xf[idx].b.cipher.iv.offset = IV_OFFSET; > sa_ctx->xf[idx].b.cipher.iv.length = iv_length; > > - sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AUTH; > + sa_ctx->xf[idx].a.type = > + RTE_CRYPTO_SYM_XFORM_AUTH; > sa_ctx->xf[idx].a.auth.algo = sa->auth_algo; > sa_ctx->xf[idx].a.auth.key.data = sa->auth_key; > sa_ctx->xf[idx].a.auth.key.length = > @@ -856,9 +878,11 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > sa_ctx->xf[idx].a.auth.op = > RTE_CRYPTO_AUTH_OP_VERIFY; > } else { /* outbound */ > - sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_CIPHER; > + sa_ctx->xf[idx].a.type = > + RTE_CRYPTO_SYM_XFORM_CIPHER; > sa_ctx->xf[idx].a.cipher.algo = sa->cipher_algo; > - sa_ctx->xf[idx].a.cipher.key.data = sa->cipher_key; > + sa_ctx->xf[idx].a.cipher.key.data = > + sa->cipher_key; > sa_ctx->xf[idx].a.cipher.key.length = > sa->cipher_key_len; > sa_ctx->xf[idx].a.cipher.op = > @@ -867,9 +891,12 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > sa_ctx->xf[idx].a.cipher.iv.offset = IV_OFFSET; > sa_ctx->xf[idx].a.cipher.iv.length = iv_length; > > - sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_AUTH; > - sa_ctx->xf[idx].b.auth.algo = sa->auth_algo; > - sa_ctx->xf[idx].b.auth.key.data = sa->auth_key; > + sa_ctx->xf[idx].b.type = > + RTE_CRYPTO_SYM_XFORM_AUTH; > + sa_ctx->xf[idx].b.auth.algo = > + sa->auth_algo; > + sa_ctx->xf[idx].b.auth.key.data = > + sa->auth_key; > sa_ctx->xf[idx].b.auth.key.length = > sa->auth_key_len; > sa_ctx->xf[idx].b.auth.digest_length = > @@ -991,8 +1018,8 @@ single_inbound_lookup(struct ipsec_sa *sadb, struct rte_mbuf *pkt, > case IP6_TUNNEL: > src6_addr = RTE_PTR_ADD(ip, offsetof(struct ip6_hdr, ip6_src)); > if ((ip->ip_v == IP6_VERSION) && > - !memcmp(&sa->src.ip.ip6.ip6, src6_addr, 16) && > - !memcmp(&sa->dst.ip.ip6.ip6, src6_addr + 16, 16)) > + !memcmp(&sa->src.ip.ip6.ip6, src6_addr, 16) && > + !memcmp(&sa->dst.ip.ip6.ip6, src6_addr + 16, 16)) > *sa_ret = sa; > break; > case TRANSPORT: > Regards, Akhil