From: Fan Zhang
To: dev@dpdk.org
Cc: akhil.goyal@nxp.com, konstantin.ananyev@intel.com, declan.doherty@intel.com, pablo.de.lara.guarch@intel.com, Fan Zhang
Date: Tue, 3 Sep 2019 16:40:46 +0100
Message-Id: <20190903154046.55992-10-roy.fan.zhang@intel.com>
In-Reply-To: <20190903154046.55992-1-roy.fan.zhang@intel.com>
References: <20190903154046.55992-1-roy.fan.zhang@intel.com>
Subject: [dpdk-dev] [RFC PATCH 9/9] examples/ipsec-secgw: add security cpu_crypto action support

Since the ipsec library has added cpu_crypto security action type support, this patch updates the ipsec-secgw sample application with the added action type "cpu-crypto". The patch also includes a number of test scripts to prove the correctness of the implementation.

Signed-off-by: Fan Zhang --- examples/ipsec-secgw/ipsec.c | 22 ++++++++++++++++++++++ examples/ipsec-secgw/ipsec_process.c | 4 ++-- examples/ipsec-secgw/sa.c | 13 +++++++++++-- examples/ipsec-secgw/test/run_test.sh | 10 ++++++++++ .../test/trs_3descbc_sha1_cpu_crypto_defs.sh | 5 +++++ .../test/trs_aescbc_sha1_cpu_crypto_defs.sh | 5 +++++ .../test/trs_aesctr_sha1_cpu_crypto_defs.sh | 5 +++++ .../ipsec-secgw/test/trs_aesgcm_cpu_crypto_defs.sh | 5 +++++ .../test/trs_aesgcm_mb_cpu_crypto_defs.sh | 7 +++++++ .../test/tun_3descbc_sha1_cpu_crypto_defs.sh | 5 +++++ .../test/tun_aescbc_sha1_cpu_crypto_defs.sh | 5 +++++ .../test/tun_aesctr_sha1_cpu_crypto_defs.sh | 5 +++++ .../ipsec-secgw/test/tun_aesgcm_cpu_crypto_defs.sh | 5 +++++ .../test/tun_aesgcm_mb_cpu_crypto_defs.sh | 7 +++++++ 14 files changed, 99 insertions(+), 4 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_mb_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_mb_cpu_crypto_defs.sh diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index dc85adfe5..4c39a7de6 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -10,6 +10,7 @@ #include #include #include +#include #include #include #include 
@@ -105,6 +106,26 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) "SEC Session init failed: err: %d\n", ret); return -1; } + } else if (sa->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) { + struct rte_security_ctx *ctx = + (struct rte_security_ctx *) + rte_cryptodev_get_sec_ctx( + ipsec_ctx->tbl[cdev_id_qp].id); + int32_t offset = sizeof(struct rte_esp_hdr) + + sa->iv_len; + + /* Set IPsec parameters in conf */ + sess_conf.cpucrypto.cipher_offset = offset; + + set_ipsec_conf(sa, &(sess_conf.ipsec)); + sa->security_ctx = ctx; + sa->sec_session = rte_security_session_create(ctx, + &sess_conf, ipsec_ctx->session_priv_pool); + if (sa->sec_session == NULL) { + RTE_LOG(ERR, IPSEC, + "SEC Session init failed: err: %d\n", ret); + return -1; + } } else { RTE_LOG(ERR, IPSEC, "Inline not supported\n"); return -1; @@ -473,6 +494,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, sa->sec_session, pkts[i], NULL); continue; case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO: + case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO: RTE_ASSERT(sa->sec_session != NULL); priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC; priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c index 868f1a28d..73bfb314e 100644 --- a/examples/ipsec-secgw/ipsec_process.c +++ b/examples/ipsec-secgw/ipsec_process.c @@ -227,8 +227,8 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf) /* process packets inline */ else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || - sa->type == - RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { + sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || + sa->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) { satp = rte_ipsec_sa_type(ips->sa); diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index c3cf3bd1f..ba773346f 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c 
@@ -570,6 +570,9 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; else if (strcmp(tokens[ti], "no-offload") == 0) rule->type = RTE_SECURITY_ACTION_TYPE_NONE; + else if (strcmp(tokens[ti], "cpu-crypto") == 0) + rule->type = + RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO; else { APP_CHECK(0, status, "Invalid input \"%s\"", tokens[ti]); @@ -624,10 +627,13 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, if (status->status < 0) return; - if ((rule->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0)) + if ((rule->type != RTE_SECURITY_ACTION_TYPE_NONE && rule->type != + RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) && + (portid_p == 0)) printf("Missing portid option, falling back to non-offload\n"); - if (!type_p || !portid_p) { + if (!type_p || (!portid_p && rule->type != + RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)) { rule->type = RTE_SECURITY_ACTION_TYPE_NONE; rule->portid = -1; } @@ -709,6 +715,9 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL: printf("lookaside-protocol-offload "); break; + case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO: + printf("cpu-crypto-accelerated"); + break; } printf("\n"); } diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 8055a4c04..f322aa785 100755 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -32,15 +32,21 @@ usage() } LINUX_TEST="tun_aescbc_sha1 \ +tun_aescbc_sha1_cpu_crypto \ tun_aescbc_sha1_esn \ tun_aescbc_sha1_esn_atom \ tun_aesgcm \ +tun_aesgcm_cpu_crypto \ +tun_aesgcm_mb_cpu_crypto \ tun_aesgcm_esn \ tun_aesgcm_esn_atom \ trs_aescbc_sha1 \ +trs_aescbc_sha1_cpu_crypto \ trs_aescbc_sha1_esn \ trs_aescbc_sha1_esn_atom \ trs_aesgcm \ +trs_aesgcm_cpu_crypto \ +trs_aesgcm_mb_cpu_crypto \ trs_aesgcm_esn \ trs_aesgcm_esn_atom \ tun_aescbc_sha1_old \ 
@@ -49,17 +55,21 @@ trs_aescbc_sha1_old \ trs_aesgcm_old \ tun_aesctr_sha1 \ tun_aesctr_sha1_old \ +tun_aesctr_cpu_crypto \ tun_aesctr_sha1_esn \ tun_aesctr_sha1_esn_atom \ trs_aesctr_sha1 \ +trs_aesctr_sha1_cpu_crypto \ trs_aesctr_sha1_old \ trs_aesctr_sha1_esn \ trs_aesctr_sha1_esn_atom \ tun_3descbc_sha1 \ +tun_3descbc_sha1_cpu_crypto \ tun_3descbc_sha1_old \ tun_3descbc_sha1_esn \ tun_3descbc_sha1_esn_atom \ trs_3descbc_sha1 \ +trs_3descbc_sha1 \ trs_3descbc_sha1_old \ trs_3descbc_sha1_esn \ trs_3descbc_sha1_esn_atom" diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_cpu_crypto_defs.sh new file mode 100644 index 000000000..a864a8886 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_cpu_crypto_defs.sh new file mode 100644 index 000000000..a4d83e9c4 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aescbc_sha1_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_cpu_crypto_defs.sh new file mode 100644 index 000000000..745a2a02b --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/trs_aesgcm_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_cpu_crypto_defs.sh new file mode 100644 index 000000000..8917122da --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesgcm_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' 
diff --git a/examples/ipsec-secgw/test/trs_aesgcm_mb_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_mb_cpu_crypto_defs.sh new file mode 100644 index 000000000..26943321f --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_mb_cpu_crypto_defs.sh @@ -0,0 +1,7 @@ +#! /bin/bash + +. ${DIR}/trs_aesgcm_defs.sh + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_cpu_crypto_defs.sh new file mode 100644 index 000000000..747141f62 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_cpu_crypto_defs.sh new file mode 100644 index 000000000..56076fa50 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aescbc_sha1_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_cpu_crypto_defs.sh new file mode 100644 index 000000000..3af680533 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/tun_aesgcm_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_cpu_crypto_defs.sh new file mode 100644 index 000000000..5bf1c0ae5 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesgcm_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' 
diff --git a/examples/ipsec-secgw/test/tun_aesgcm_mb_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_mb_cpu_crypto_defs.sh new file mode 100644 index 000000000..039b8095e --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_mb_cpu_crypto_defs.sh @@ -0,0 +1,7 @@ +#! /bin/bash + +. ${DIR}/tun_aesgcm_defs.sh + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +SGW_CFG_XPRM='type cpu-crypto' -- 2.14.5
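
Review bot: In the new RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO branch of create_lookaside_session() (examples/ipsec-secgw/ipsec.c, hunk at -105), the failure log prints `ret`, but nothing in this branch assigns `ret`: rte_security_session_create() signals failure by returning NULL, so the "err: %d" value is whatever an earlier statement left behind. Drop the `%d` or log something this branch actually sets. The same branch stores the result of rte_cryptodev_get_sec_ctx() in `ctx` and passes it straight to rte_security_session_create() without a NULL check; test `ctx == NULL` first and return -1 with its own message. The comment "Set IPsec parameters in conf" also sits above the `sess_conf.cpucrypto.cipher_offset` assignment rather than above set_ipsec_conf().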
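
Review bot: The comment `/* process packets inline */` above the condition in ipsec_process() (examples/ipsec-secgw/ipsec_process.c, hunk at -227) no longer describes the branch once `sa->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO` is added to it. Reword the comment so it names both the inline types and the CPU crypto type, and say in one line why cpu-crypto SAs take the same path as the inline ones, since the condition alone does not explain it.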
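
Review bot: The "cpu-crypto" keyword added to parse_sa_tokens() (examples/ipsec-secgw/sa.c, hunk at -570) is not documented in this patch: the diffstat lists only ipsec.c, ipsec_process.c, sa.c and the test scripts. Add the new value to the description of the SA rule `type` option in the sample application's user documentation in the same patch, so the accepted keywords and the documented ones stay in step.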
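
Review bot: With the relaxed check `if (!type_p || (!portid_p && rule->type != RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO))` in parse_sa_tokens() (examples/ipsec-secgw/sa.c, hunk at -624), a cpu-crypto rule given without a port id skips the fallback block, so `rule->portid = -1` is not executed for it and the field keeps whatever value it held before. Set `rule->portid` explicitly for that case. Both rewritten conditions also break the line between `rule->type !=` and its operand, which makes them hard to read; breaking before `&&` instead would keep each comparison on one line.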
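
Review bot: `printf("cpu-crypto-accelerated");` in print_one_sa_rule() (examples/ipsec-secgw/sa.c, hunk at -709) lacks the trailing space that the neighbouring `printf("lookaside-protocol-offload ");` carries, and the printed name differs from the "cpu-crypto" keyword the parser accepts. Use one spelling for both and keep the trailing space so the output format matches the other cases.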
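
Review bot: Two entries added to LINUX_TEST in the second hunk of examples/ipsec-secgw/test/run_test.sh (at -49) do not match the definition files this patch creates. `+tun_aesctr_cpu_crypto \` has no corresponding file; the patch adds tun_aesctr_sha1_cpu_crypto_defs.sh, so by the naming pattern of the other entries it should read tun_aesctr_sha1_cpu_crypto. `+trs_3descbc_sha1 \` repeats the unchanged entry directly above it; it looks like it was meant to be trs_3descbc_sha1_cpu_crypto, since as written the new trs_3descbc_sha1_cpu_crypto_defs.sh is never listed and the plain trs_3descbc_sha1 test is listed twice.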