From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
by dpdk.space (Postfix) with ESMTP id 3C59CA00E6
for <public@inbox.dpdk.org>; Mon, 13 May 2019 16:32:19 +0200 (CEST)
Received: from [92.243.14.124] (localhost [127.0.0.1])
by dpdk.org (Postfix) with ESMTP id 680692BC1;
Mon, 13 May 2019 16:32:18 +0200 (CEST)
Received: from mga01.intel.com (mga01.intel.com [192.55.52.88])
by dpdk.org (Postfix) with ESMTP id 5D2FC293B;
Mon, 13 May 2019 16:32:16 +0200 (CEST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga007.jf.intel.com ([10.7.209.58])
by fmsmga101.fm.intel.com with ESMTP; 13 May 2019 07:32:15 -0700
X-ExtLoop1: 1
Received: from irsmsx104.ger.corp.intel.com ([163.33.3.159])
by orsmga007.jf.intel.com with ESMTP; 13 May 2019 07:32:14 -0700
Received: from irsmsx105.ger.corp.intel.com ([169.254.7.155]) by
IRSMSX104.ger.corp.intel.com ([169.254.5.93]) with mapi id 14.03.0415.000;
Mon, 13 May 2019 15:29:05 +0100
From: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>
To: "Iremonger, Bernard" <bernard.iremonger@intel.com>, Akhil Goyal
<akhil.goyal@nxp.com>, "dev@dpdk.org" <dev@dpdk.org>
CC: "stable@dpdk.org" <stable@dpdk.org>
Thread-Topic: [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped
for inline crypto
Thread-Index: AdT17cOXAWgCos0Egk2F6sufGT2n9wDz6F0AAATiOqD///9EgP//632ggAEyBgCAAETbgP/h1Fhw
Date: Mon, 13 May 2019 14:29:05 +0000
Message-ID:
<2601191342CEEE43887BDE71AB9772580161631312@irsmsx105.ger.corp.intel.com>
References: <VI1PR04MB48935FACF4F7C3E71B6D549AE6260@VI1PR04MB4893.eurprd04.prod.outlook.com>
<VI1PR04MB4893E33133A6B97BA2CE2067E6230@VI1PR04MB4893.eurprd04.prod.outlook.com>
<2601191342CEEE43887BDE71AB9772580148A9B0D4@irsmsx105.ger.corp.intel.com>
<VI1PR04MB4893B72E0C0CC702C42F67B9E6230@VI1PR04MB4893.eurprd04.prod.outlook.com>
<2601191342CEEE43887BDE71AB9772580148A9B10E@irsmsx105.ger.corp.intel.com>
<VI1PR04MB4893DCFF853106C84F2862E9E63C0@VI1PR04MB4893.eurprd04.prod.outlook.com>
<8CEF83825BEC744B83065625E567D7C260D8CB2D@IRSMSX108.ger.corp.intel.com>
In-Reply-To: <8CEF83825BEC744B83065625E567D7C260D8CB2D@IRSMSX108.ger.corp.intel.com>
Accept-Language: en-IE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNzNiZWIyNWYtNjNkNi00MzE2LWJkNDMtNGUxMjRhN2FjZTJiIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoidkVBejhQRFZ5SjdMaDhRQWViQTNlV0dJN2dGTW9BTjhhQXpzSUdBWkt4UHVQUkg0YmtwV2lqTzJ2WHpNMkE3ZiJ9
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.0.600.7
dlp-reaction: no-action
x-originating-ip: [163.33.239.180]
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [dpdk-dev] [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet
dropped for inline crypto
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
<mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
<mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>
Message-ID: <20190513142905._9uXHH9UJvswTEIcc_tCKRAdmCzho5SLK4k4vkF-Ug4@z>
> > > > > > > Subject: RE: [PATCH v4 1/2] examples/ipsec-secgw: fix 1st
> > > > > > > packet
> > > dropped
> > > > > for
> > > > > > > inline crypto
> > > > > > >
> > > > > > > Hi Bernard,
> > > > > > >
> > > > > > > > - RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi=
%u on
> > > > > cryptodev "
> > > > > > > > - "%u qp %u\n", sa->spi,
> > > > > > > > - ipsec_ctx->tbl[cdev_id_qp].id,
> > > > > > > > - ipsec_ctx->tbl[cdev_id_qp].qp);
> > > > > > > > + if ((sa =3D=3D NULL) || (pool =3D=3D NULL))
> > > > > > > > + return -EINVAL;
> > > > > > > >
> > > > > > > > - if (sa->type !=3D RTE_SECURITY_ACTION_TYPE_NONE) {
> > > > > > > > - struct rte_security_session_conf sess_conf =
=3D {
> > > > > > > > + struct rte_security_session_conf sess_conf =3D {
> > > > > > > > .action_type =3D sa->type,
> > > > > > > > .protocol =3D RTE_SECURITY_PROTOCOL=
_IPSEC,
> > > > > > > > {.ipsec =3D { @@ -90,247 +65,340 @@
> > > > > > > > create_session(struct ipsec_ctx *ipsec_ctx,
> > > > > struct
> > > > > > > > ipsec_sa *sa)
> > > > > > > > } },
> > > > > > > > .crypto_xform =3D sa->xforms,
> > > > > > > > .userdata =3D NULL,
> > > > > > > > -
> > > > > > > > };
> > > > > > > >
> > > > > > > > - if (sa->type =3D=3D
> > > > > > > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
> > > > > > > > {
> > > > > > > > - struct rte_security_ctx *ctx =3D (s=
truct rte_security_ctx *)
> > > > > > > > - rte=
_cryptodev_get_sec_ctx(
> > > > > > > > - ips=
ec_ctx->tbl[cdev_id_qp].id);
> > > > > > > > -
> > > > > > > > - /* Set IPsec parameters in conf */
> > > > > > > > - set_ipsec_conf(sa, &(sess_conf.ipse=
c));
> > > > > > > > -
> > > > > > > > - sa->sec_session =3D rte_security_se=
ssion_create(ctx,
> > > > > > > > - &sess_conf, ipsec_c=
tx->session_pool);
> > > > > > > > - if (sa->sec_session =3D=3D NULL) {
> > > > > > > > - RTE_LOG(ERR, IPSEC,
> > > > > > > > - "SEC Session init failed: e=
rr: %d\n", ret);
> > > > > > > > - return -1;
> > > > > > > > - }
> > > > > > > > - } else if (sa->type =3D=3D
> > > > > RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
> > > > > > > {
> > > > > > > > - struct rte_flow_error err;
> > > > > > > > - struct rte_security_ctx *ctx =3D (s=
truct rte_security_ctx *)
> > > > > > > > - rte=
_eth_dev_get_sec_ctx(
> > > > > > > > - sa-=
>portid);
> > > > > > > > - const struct rte_security_capabilit=
y *sec_cap;
> > > > > > > > - int ret =3D 0;
> > > > > > > > -
> > > > > > > > - sa->sec_session =3D rte_security_se=
ssion_create(ctx,
> > > > > > > > - &sess_conf, ipsec_c=
tx->session_pool);
> > > > > > > > - if (sa->sec_session =3D=3D NULL) {
> > > > > > > > - RTE_LOG(ERR, IPSEC,
> > > > > > > > - "SEC Session init failed: e=
rr: %d\n", ret);
> > > > > > > > - return -1;
> > > > > > > > - }
> > > > > > > > + if (sa->type =3D=3D
> > > > > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
> > > > > > > > + ctx =3D (struct rte_security_ctx *)
> > > > > > > > +
> > > > > > > > + rte_eth_dev_get_sec_ctx(sa->portid);
> > > > > > >
> > > > > > > This is breaking the lookaside mode. Ctx was retrieved using
> > > > > > > the
> > > ipsec_ctx-
> > > > > >tbl
> > > > > > > struct rte_security_ctx *ctx =3D (struct rte_security_ctx *)
> > > > > > > rte_cryptodev_get_sec_ctx(
> > > > > > > ipsec_ctx->tbl[cdev_id_qp].id);
> > > > > > >
> > > > > > > I am looking into it, but I don't have time left to get it in=
tegrated in RC2.
> > > So
> > > > > this
> > > > > > > has to be pushed to RC3
> > > > > >
> > > > > > It looks like there are multiple issues in this patch wrt
> > > > > > lookaside and none
> > > cases.
> > > > > Only the inline cases seem to be working.
> > > > > >
> > > > > > 1. the patch removes the cdev_mapping concept completely.
> > > > > > Cdev_id_qp is
> > > > > not getting used.
> > > > >
> > > > > Not exactly.
> > > > > cdev_id_qp is still setup, and is still used to decide to which
> > > > > crypto-dev to enqueuer the crypto-op:
> > > > > ipsec_enqueue(...)
> > > > > {
> > > > > ...
> > > > > enqueue_cop(&ipsec_ctx->tbl[sa->cdev_id_qp], &priv->cop);
> > > >
> > > > I don't see anybody filling "sa->cdev_id_qp". Please let me know if
> > > > I have
> > > missed it somewhere.
> > > > It is memset to 0 I guess.
> > >
> > >
> > > Yep, true we lost it somewhere during the rework.
> > >
> > > >
> > > > >
> > > > >
> > > > > Same in ipsec_process().
> > > > >
> > > > > For initialization, yes cdev_id_qp is not used anymore.
> > > > > As discussed here:
> > > > >
> > > https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fm=
ail
> > > s.dp
> > > > > dk.org%2Farchives%2Fdev%2F2019-
> > > > >
> > >
> > March%2F127725.html&data=3D02%7C01%7Cakhil.goyal%40nxp.com%7C04
> > > > >
> > >
> > 194193cfc04c0b629008d6c7eea247%7C686ea1d3bc2b4c6fa92cd99c5c301635%
> > > > >
> > >
> > 7C0%7C0%7C636916225072561313&sdata=3Dga9IiqhYRWOz9QkRDIXNiigInk
> > > > > soVGgu1E5EetqvE%2FA%3D&reserved=3D0
> > > > >
> > > > > I think the problem you are hitting with lookaside-proto is that
> > > > > for it we use 2 different values here:
> > > > > a) In create_sec_session we use portid (it also should be
> > > > > rte_cryptodev_get_sec_ctx() here)
> > > > > if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOC=
OL) {
> > > > > ctx =3D (struct rte_security_ctx *)
> > > > >
> > > > > rte_eth_dev_get_sec_ctx(sa->portid);
> > > > It should be rte_cryptodev_get_sec_ctx in the first place. And it
> > > > needs a
> > > cdev_id as input based on the cdev mapping done while initializing
> > > > the cryptodev and neither the portid and nor cdev_id_qp.
> > > > > b) in enqueue() we use cdev_id_qp
> > > > >
> > > > > Right now these values could be different.
> > > > > As I understand we need to make sure that fro lookaside-proto
> > > > > cdev_id_qp
> > > =3D=3D
> > > > > portid provided by user, correct?
> > > > No it is not the case. Right now for lookaside there is no use of
> > > > portid in case
> > > of lookaside case.
> > > > As the cdev/qp/core mappings are managed internally and the user
> > > > cannot
> > > tweak it from cfg file.
> > > >
> > >
> > >
> > > Hmm, then at least that line is wrong here:
> > > https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fd=
oc.
> > > dpdk
> > >
> > .org%2Fguides%2Fsample_app_ug%2Fipsec_secgw.html&data=3D02%7C01%
> > >
> > 7Cakhil.goyal%40nxp.com%7Cb1e931a9967943887a0c08d6c7f49d28%7C686ea
> > >
> > 1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C636916250754452306&sda
> > >
> > ta=3DtNjHCO0O2rfh8shhQXu93qrM0Hr0OZVXUVhMcsg53dw%3D&reserved=3D
> > > 0
> > >
> > > sa out 5 cipher_algo aes-128-cbc cipher_key
> > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo sha1-hmac auth_key
> > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel src
> > > 172.16.1.5 dst 172.16.2.5 \ type lookaside-protocol-offload port_id 4
> > >
> > > And probably:
> > > "Port/device ID of the ethernet/crypto accelerator for which the SA i=
s
> > > configured."
> > > Need to be rephrased to remove crypto accelerator notice.
> > Yes.
> >
> > >
> > > Another question - why you guys don't consider using portid for looka=
side-
> > proto?
> > > As I can see add_mapping(function that fills cdev_id_qp) doesn't
> > > bother to check which rte_security protocols are supported (only
> > > crypto capabilities are checked).
> > > So not sure does current code will work ok with a mix of lookaside-
> > > none/lookaside-proto devices.
> > > Forcing user to specify crypto-dev id for lookaside-proto (via portid
> > > or so) will simplify things significantly.
> > I will think about it. Actually initially when portid was introduced, t=
he intent was
> > same but it did not work well.
> > Because there may be a case of a cryptodev with multiple queues, so the=
re will
> > be a mapping done internally in the application and matching it with th=
e user
> > provided portid will be difficult.
> >
> > I believe that this could be done but would need some rework.
> >
> > >
> > > Konstantin
>=20
> Could we consider going back to the V2 version of this patch set which fi=
xed the issue with the inline code and left the lookaside code
> unchanged?
Actually I have the same thoughts here:
considering the problems with lookaside-proto, it seems more pragmatic=20
to fix it as was suggested in V2:
split create_session() into 2 functions, and invoke create_session_inline()=
at startup,
while keeping create_session_lookaside() invocation at runtime.
At least it would fix the issue in a clean way.
If later ipsec-secgw will be reworked to allow lookaside session creation a=
t init time,
we can merge them back.=20
Konstantin=20
>=20
> We are not in a position test any changes to the lookaside code.
>=20
> Regards,
>=20
> Bernard.
>=20