* [dpdk-dev] [PATCH 0/3] add SA config option for inner pkt csum
@ 2021-09-28 13:26 Archana Muniganti
2021-09-28 13:26 ` [dpdk-dev] [PATCH 1/3] security: " Archana Muniganti
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Archana Muniganti @ 2021-09-28 13:26 UTC (permalink / raw)
To: gakhil, radu.nicolau, roy.fan.zhang, hemant.agrawal, konstantin.ananyev
Cc: Archana Muniganti, anoobj, ktejasree, adwivedi, jerinj, dev
Add inner packet IPv4 hdr and L4 checksum enable options
in conf. These will be used in case of protocol offload.
Per SA, application could specify whether the
checksum(compute/verify) can be offloaded to security device.
Depends on
https://patches.dpdk.org/project/dpdk/list/?series=18756
Archana Muniganti (3):
security: add SA config option for inner pkt csum
crypto/cnxk: add inner checksum
app/test: add inner checksum tests
app/test/test_cryptodev.c | 34 +++
app/test/test_cryptodev_security_ipsec.c | 195 ++++++++++++++++++
app/test/test_cryptodev_security_ipsec.h | 2 +
...st_cryptodev_security_ipsec_test_vectors.h | 118 +++++++++++
doc/guides/rel_notes/deprecation.rst | 4 +-
doc/guides/rel_notes/release_21_11.rst | 7 +
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 65 ++++--
drivers/crypto/cnxk/cn10k_ipsec.c | 49 ++++-
drivers/crypto/cnxk/cn10k_ipsec.h | 1 +
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 9 +-
drivers/crypto/cnxk/cnxk_cryptodev.c | 3 +
.../crypto/cnxk/cnxk_cryptodev_capabilities.c | 2 +
lib/cryptodev/rte_cryptodev.h | 2 +
lib/security/rte_security.h | 18 ++
14 files changed, 489 insertions(+), 20 deletions(-)
--
2.22.0
* [dpdk-dev] [PATCH 1/3] security: add SA config option for inner pkt csum
From: Archana Muniganti @ 2021-09-28 13:26 UTC (permalink / raw)
To: gakhil, radu.nicolau, roy.fan.zhang, hemant.agrawal, konstantin.ananyev
Cc: Archana Muniganti, anoobj, ktejasree, adwivedi, jerinj, dev
Add inner packet IPv4 hdr and L4 checksum enable options
in conf. These will be used in case of protocol offload.
Per SA, application could specify whether the
checksum(compute/verify) can be offloaded to security device.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
doc/guides/rel_notes/deprecation.rst | 4 ++--
doc/guides/rel_notes/release_21_11.rst | 5 +++++
lib/cryptodev/rte_cryptodev.h | 2 ++
lib/security/rte_security.h | 18 ++++++++++++++++++
4 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 80ae9a6372..ae2d6ffe33 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -237,8 +237,8 @@ Deprecation Notices
IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number).
* security: The IPsec SA config options ``struct rte_security_ipsec_sa_options``
- will be updated with new fields to support new features like IPsec inner
- checksum, TSO in case of protocol offload.
+ will be updated with new fields to support new features like TSO in case of
+ protocol offload.
* ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
``hdr_l3_len`` to configure tunnel L3 header length.
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index e84a8863e9..42ed9ee580 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -197,6 +197,11 @@ ABI Changes
* Added SA option to indicate whether UDP ports verification need to be
done as part of inbound IPsec processing.
+* security: add IPsec SA config option for inner packet checksum
+
+ * Added inner packet IPv4 hdr and L4 checksum enable options in conf.
+ Per SA, application could specify whether the checksum(compute/verify)
+ can be offloaded to security device.
Known Issues
------------
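Review bot: The new ABI Changes entry does not name what changed. It should name struct rte_security_ipsec_sa_options and the two added bit-fields, ip_csum_enable and l4_csum_enable, so a reader checking ABI impact can find them. The sub-bullet also needs a space in "checksum(compute/verify)" and "hdr" spelled out as "header".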
diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
index bb01f0f195..d9271a6c45 100644
--- a/lib/cryptodev/rte_cryptodev.h
+++ b/lib/cryptodev/rte_cryptodev.h
@@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum,
/**< Support operations on multiple data-units message */
#define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL << 26)
/**< Support wrapped key in cipher xform */
+#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL << 27)
+/**< Support inner checksum computation/verification */
/**
* Get the name of a crypto device feature flag
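Review bot: RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM is defined here, but the diffstat for this patch touches only this header, rte_security.h and two release-note files. The feature-flag name lookup documented just below the new define therefore has no string for bit 27. The lookup and the feature matrix documentation should be updated in the same patch so that the flag can be printed and is listed for drivers.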
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index ae5a2e09c3..47d0b5689c 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
* source and destination IP addresses.
*/
uint32_t tunnel_hdr_verify : 2;
+
+ /** Compute/verify inner packet IPv4 header checksum in tunnel mode
+ *
+ * * 1: For outbound, compute inner packet IPv4 header checksum
+ * before tunnel encapsulation and for inbound, verify after
+ * tunnel decapsulation.
+ * * 0: Inner packet IP header checksum is not computed/verified.
+ */
+ uint32_t ip_csum_enable : 1;
+
+ /** Compute/verify inner packet L4 checksum in tunnel mode
+ *
+ * * 1: For outbound, compute inner packet L4 checksum before
+ * tunnel encapsulation and for inbound, verify after
+ * tunnel decapsulation.
+ * * 0: Inner packet L4 checksum is not computed/verified.
+ */
+ uint32_t l4_csum_enable : 1;
};
/** IPSec security association direction */
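Review bot: The doc comments on ip_csum_enable and l4_csum_enable say inbound checksums are verified after decapsulation but not how the result reaches the application. Please state which mbuf offload flags carry the good/bad verdict and what the application should assume when neither is set. The comments also limit both options to tunnel mode without saying whether setting them on a transport-mode SA is rejected or ignored, and ip_csum_enable should say what happens for an IPv6 inner packet, which has no header checksum.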
--
2.22.0
* [dpdk-dev] [PATCH 2/3] crypto/cnxk: add inner checksum
From: Archana Muniganti @ 2021-09-28 13:26 UTC (permalink / raw)
To: gakhil, radu.nicolau, roy.fan.zhang, hemant.agrawal, konstantin.ananyev
Cc: Archana Muniganti, anoobj, ktejasree, adwivedi, jerinj, dev
Add inner checksum support for cn10k
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
doc/guides/rel_notes/release_21_11.rst | 1 +
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 65 +++++++++++++++----
drivers/crypto/cnxk/cn10k_ipsec.c | 49 +++++++++++++-
drivers/crypto/cnxk/cn10k_ipsec.h | 1 +
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 9 ++-
drivers/crypto/cnxk/cnxk_cryptodev.c | 3 +
.../crypto/cnxk/cnxk_cryptodev_capabilities.c | 2 +
7 files changed, 112 insertions(+), 18 deletions(-)
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 42ed9ee580..8dc3008199 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -72,6 +72,7 @@ New Features
* Added Transport mode support in lookaside protocol (IPsec) for CN10K.
* Added UDP encapsulation support in lookaside protocol (IPsec) for CN10K.
* Added support for lookaside protocol (IPsec) offload for CN9K.
+ * Added inner checksum support in lookaside protocol (IPsec) for CN10K.
* **Added support for event crypto adapter on Marvell CN10K and CN9K.**
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 3caf05aab9..c25c8e67b2 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -50,7 +50,7 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op)
static __rte_always_inline int __rte_hot
cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
- struct cpt_inst_s *inst)
+ struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = op->sym;
union roc_ot_ipsec_sa_word2 *w2;
@@ -72,8 +72,10 @@ cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
if (w2->s.dir == ROC_IE_SA_DIR_OUTBOUND)
ret = process_outb_sa(op, sa, inst);
- else
+ else {
+ infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND;
ret = process_inb_sa(op, sa, inst);
+ }
return ret;
}
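Review bot: The "infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND" in the new else branch only ever sets the bit, so it relies on op_flags being cleared each time an inflight request is reused, and nothing in this hunk shows that. If a stale bit survives, an outbound completion would run the inbound checksum path and mark the mbuf with RX checksum flags. Either confirm the reset at the allocation site, or take the direction in post-processing from the SA, which the helper already looks up.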
@@ -122,7 +124,8 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[],
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
sec_sess = get_sec_session_private_data(
sym_op->sec_session);
- ret = cpt_sec_inst_fill(op, sec_sess, &inst[0]);
+ ret = cpt_sec_inst_fill(op, sec_sess, infl_req,
+ &inst[0]);
if (unlikely(ret))
return 0;
w7 = sec_sess->sa.inst.w7;
@@ -342,6 +345,49 @@ cn10k_cpt_sec_post_process(struct rte_crypto_op *cop,
m->pkt_len = m_len;
}
+static inline void
+cn10k_cpt_sec_ucc_process(struct rte_crypto_op *cop,
+ struct cpt_inflight_req *infl_req,
+ const uint8_t uc_compcode)
+{
+ struct cn10k_sec_session *sess;
+ struct cn10k_ipsec_sa *sa;
+ struct rte_mbuf *mbuf;
+
+ if (uc_compcode == ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST)
+ cop->aux_flags = RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
+
+ if (!(infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND))
+ return;
+
+ sess = get_sec_session_private_data(cop->sym->sec_session);
+ sa = &sess->sa;
+
+ mbuf = cop->sym->m_src;
+
+ switch (uc_compcode) {
+ case ROC_IE_OT_UCC_SUCCESS:
+ if (sa->ip_csum_enable)
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+ break;
+ case ROC_IE_OT_UCC_SUCCESS_PKT_IP_BADCSUM:
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_BAD;
+ break;
+ case ROC_IE_OT_UCC_SUCCESS_PKT_L4_GOODCSUM:
+ mbuf->ol_flags |= PKT_RX_L4_CKSUM_GOOD;
+ if (sa->ip_csum_enable)
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+ break;
+ case ROC_IE_OT_UCC_SUCCESS_PKT_L4_BADCSUM:
+ mbuf->ol_flags |= PKT_RX_L4_CKSUM_BAD;
+ if (sa->ip_csum_enable)
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+ break;
+ default:
+ break;
+ }
+}
+
static inline void
cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
struct rte_crypto_op *cop,
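Review bot: In cn10k_cpt_sec_ucc_process(), an inbound packet that completes with ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST gets the soft-expiry aux flag and then falls into the default case of the switch. It therefore leaves with neither PKT_RX_IP_CKSUM_GOOD nor a BAD flag, even when sa->ip_csum_enable is set. An application, or the test added in patch 3/3, that treats a missing GOOD flag as a failure will misreport that packet. Either document that soft-expiry completions carry no checksum verdict, or handle that code in the switch. The L4 cases also set IP_CKSUM_GOOD from sa->ip_csum_enable alone; a short comment that an L4 verdict implies the IP header check already passed would make that assumption reviewable.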
@@ -357,17 +403,8 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
if (likely(compcode == CPT_COMP_WARN)) {
- if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) {
- /* Success with additional info */
- switch (uc_compcode) {
- case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST:
- cop->aux_flags =
- RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
- break;
- default:
- break;
- }
- }
+ /* Success with additional info */
+ cn10k_cpt_sec_ucc_process(cop, infl_req, uc_compcode);
cn10k_cpt_sec_post_process(cop, res);
} else {
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
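Review bot: The removed unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS) guard kept the plain-success case off this path. The helper is now called for every security completion, so the "Success with additional info" comment no longer describes the call. Reword the comment, and consider keeping the soft-expiry comparison under unlikely() inside the helper, since this is the dequeue hot path.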
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index ebb2a7ec48..defc792aa8 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -37,6 +37,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
struct rte_crypto_sym_xform *crypto_xfrm,
struct rte_security_session *sec_sess)
{
+ union roc_ot_ipsec_outb_param1 param1;
struct roc_ot_ipsec_outb_sa *out_sa;
struct cnxk_ipsec_outb_rlens rlens;
struct cn10k_sec_session *sess;
@@ -83,7 +84,27 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
/* pre-populate CPT INST word 4 */
inst_w4.u64 = 0;
inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;
- inst_w4.s.param1 = 0;
+
+ param1.u16 = 0;
+
+ /* Disable IP checksum computation by default */
+ param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.ip_csum_enable) {
+ param1.s.ip_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
+ }
+
+ /* Disable L4 checksum computation by default */
+ param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.l4_csum_enable) {
+ param1.s.l4_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
+ }
+
+ inst_w4.s.param1 = param1.u16;
+
sa->inst.w4 = inst_w4.u64;
return 0;
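Review bot: Both checksum settings are assigned the DISABLE constant and then conditionally overwritten with ENABLE, and a field named ip_csum_disable assigned a constant named ..._CSUM_ENABLE is easy to misread. A single if/else (or conditional expression) per field on ipsec_xfrm->options.ip_csum_enable and l4_csum_enable would be shorter and would make the polarity obvious. Also note that cn10k_ipsec_la_ops.h later clears these same bits per packet, so the comment "by default" should say that the SA value can be overridden by mbuf flags.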
@@ -95,6 +116,7 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
struct rte_crypto_sym_xform *crypto_xfrm,
struct rte_security_session *sec_sess)
{
+ union roc_ot_ipsec_inb_param1 param1;
struct roc_ot_ipsec_inb_sa *in_sa;
struct cn10k_sec_session *sess;
struct cn10k_ipsec_sa *sa;
@@ -121,8 +143,29 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
inst_w4.u64 = 0;
inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC;
- /* Disable checksum verification for now */
- inst_w4.s.param1 = 7;
+ param1.u16 = 0;
+
+ /* Disable IP checksum verification by default */
+ param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.ip_csum_enable) {
+ param1.s.ip_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
+ sa->ip_csum_enable = true;
+ }
+
+ /* Disable L4 checksum verification by default */
+ param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.l4_csum_enable) {
+ param1.s.l4_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
+ }
+
+ param1.s.esp_trailer_disable = 1;
+
+ inst_w4.s.param1 = param1.u16;
+
sa->inst.w4 = inst_w4.u64;
return 0;
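Review bot: The new "param1.s.esp_trailer_disable = 1" has no comment. The removed code wrote the literal 7 with the comment "Disable checksum verification for now". Please add a comment on why the trailer is disabled, and confirm that with both options clear the union still encodes the value the old literal did. Separately, sa->ip_csum_enable is recorded for inbound post-processing but there is no l4 counterpart. If that is intentional because the microcode reports L4 results with dedicated completion codes, a one-line comment here would save the next reader from looking for the missing field.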
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index 6f974b716d..86cd2483f5 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -23,6 +23,7 @@ struct cn10k_ipsec_sa {
uint16_t max_extended_len;
uint16_t iv_offset;
uint8_t iv_length;
+ bool ip_csum_enable;
};
struct cn10k_sec_session {
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index 862476a72e..df1b0a3678 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -53,6 +53,7 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
{
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
+ uint64_t inst_w4_u64 = sess->inst.w4;
if (unlikely(rte_pktmbuf_tailroom(m_src) < sess->max_extended_len)) {
plt_dp_err("Not enough tail room");
@@ -68,8 +69,14 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
}
#endif
+ if (m_src->ol_flags & PKT_TX_IP_CKSUM)
+ inst_w4_u64 &= ~BIT_ULL(33);
+
+ if (m_src->ol_flags & PKT_TX_L4_MASK)
+ inst_w4_u64 &= ~BIT_ULL(32);
+
/* Prepare CPT instruction */
- inst->w4.u64 = sess->inst.w4;
+ inst->w4.u64 = inst_w4_u64;
inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src);
inst->dptr = rte_pktmbuf_iova(m_src);
inst->rptr = inst->dptr;
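Review bot: The two new checks in process_outb_sa() test only m_src->ol_flags. A packet carrying PKT_TX_IP_CKSUM or any PKT_TX_L4_MASK bit therefore gets inner checksum computation even on an SA created with ip_csum_enable and l4_csum_enable left at 0, which is not what the per-SA wording in rte_security.h describes. Either gate the override on the SA options or document the per-packet behaviour in the API. The bit positions are also magic numbers: BIT_ULL(33) and BIT_ULL(32) should be named macros or go through the roc_ot_ipsec_outb_param1 union used at SA creation, so the two places cannot drift apart.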
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.c b/drivers/crypto/cnxk/cnxk_cryptodev.c
index 5c7801ec48..d67de54a7b 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.c
@@ -24,6 +24,9 @@ cnxk_cpt_default_ff_get(void)
RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED |
RTE_CRYPTODEV_FF_SECURITY;
+ if (roc_model_is_cn10k())
+ ff |= RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM;
+
return ff;
}
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index ba4166c56d..20df37709a 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -926,6 +926,8 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
sec_cap->ipsec.options.tunnel_hdr_verify =
RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
}
+ sec_cap->ipsec.options.ip_csum_enable = 1;
+ sec_cap->ipsec.options.l4_csum_enable = 1;
}
static void
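Review bot: ip_csum_enable and l4_csum_enable are set on sec_cap unconditionally, outside the conditional block that precedes them. If cn10k_sec_caps_update() is also applied to transport-mode capability entries, those entries will advertise options that rte_security.h documents as tunnel-mode only. Setting them only when the capability's mode is tunnel would keep the capability table consistent with the API description.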
--
2.22.0
* [dpdk-dev] [PATCH 3/3] app/test: add inner checksum tests
From: Archana Muniganti @ 2021-09-28 13:26 UTC (permalink / raw)
To: gakhil, radu.nicolau, roy.fan.zhang, hemant.agrawal, konstantin.ananyev
Cc: Archana Muniganti, anoobj, ktejasree, adwivedi, jerinj, dev
This patch adds tests for inner IP and inner L4 checksum
in IPsec mode.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
app/test/test_cryptodev.c | 34 +++
app/test/test_cryptodev_security_ipsec.c | 195 ++++++++++++++++++
app/test/test_cryptodev_security_ipsec.h | 2 +
...st_cryptodev_security_ipsec_test_vectors.h | 118 +++++++++++
doc/guides/rel_notes/release_21_11.rst | 1 +
5 files changed, 350 insertions(+)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 5f0d023451..c127e6bc04 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -18,6 +18,8 @@
#include <rte_cryptodev.h>
#include <rte_ip.h>
#include <rte_string_fns.h>
+#include <rte_tcp.h>
+#include <rte_udp.h>
#ifdef RTE_CRYPTO_SCHEDULER
#include <rte_cryptodev_scheduler.h>
@@ -9275,6 +9277,30 @@ test_ipsec_proto_udp_ports_verify(const void *data __rte_unused)
return test_ipsec_proto_all(&flags);
}
+static int
+test_ipsec_proto_inner_ip_csum(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ip_csum = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_inner_l4_csum(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.l4_csum = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
static int
test_PDCP_PROTO_all(void)
{
@@ -14231,6 +14257,14 @@ static struct unit_test_suite ipsec_proto_testsuite = {
"Tunnel src and dst addr verification",
ut_setup_security, ut_teardown,
test_ipsec_proto_tunnel_src_dst_addr_verify),
+ TEST_CASE_NAMED_ST(
+ "Inner IP checksum",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_inner_ip_csum),
+ TEST_CASE_NAMED_ST(
+ "Inner L4 checksum",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_inner_l4_csum),
TEST_CASES_END() /**< NULL terminate unit test array */
}
};
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 764e77bbff..bcd9746c98 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -7,6 +7,7 @@
#include <rte_esp.h>
#include <rte_ip.h>
#include <rte_security.h>
+#include <rte_tcp.h>
#include <rte_udp.h>
#include "test.h"
@@ -103,6 +104,22 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
return -ENOTSUP;
}
+ if (ipsec_xform->options.ip_csum_enable == 1 &&
+ sec_cap->ipsec.options.ip_csum_enable == 0) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Inner IP checksum is not supported\n");
+ return -ENOTSUP;
+ }
+
+ if (ipsec_xform->options.l4_csum_enable == 1 &&
+ sec_cap->ipsec.options.l4_csum_enable == 0) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Inner L4 checksum is not supported\n");
+ return -ENOTSUP;
+ }
+
return 0;
}
@@ -160,6 +177,56 @@ test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
}
}
+static bool
+is_ipv4(void *ip)
+{
+ struct rte_ipv4_hdr *ipv4 = ip;
+ uint8_t ip_ver;
+
+ ip_ver = (ipv4->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER;
+ if (ip_ver == IPVERSION)
+ return true;
+ else
+ return false;
+}
+
+static void
+test_ipsec_csum_init(void *ip, bool l3, bool l4)
+{
+ struct rte_ipv4_hdr *ipv4;
+ struct rte_tcp_hdr *tcp;
+ struct rte_udp_hdr *udp;
+ uint8_t next_proto;
+ uint8_t size;
+
+ if (is_ipv4(ip)) {
+ ipv4 = ip;
+ size = sizeof(struct rte_ipv4_hdr);
+ next_proto = ipv4->next_proto_id;
+
+ if (l3)
+ ipv4->hdr_checksum = 0;
+ } else {
+ size = sizeof(struct rte_ipv6_hdr);
+ next_proto = ((struct rte_ipv6_hdr *)ip)->proto;
+ }
+
+ if (l4) {
+ switch (next_proto) {
+ case IPPROTO_TCP:
+ tcp = (struct rte_tcp_hdr *)RTE_PTR_ADD(ip, size);
+ tcp->cksum = 0;
+ break;
+ case IPPROTO_UDP:
+ udp = (struct rte_udp_hdr *)RTE_PTR_ADD(ip, size);
+ udp->dgram_cksum = 0;
+ break;
+ default:
+ return;
+ }
+ }
+}
+
void
test_ipsec_td_prepare(const struct crypto_param *param1,
const struct crypto_param *param2,
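Review bot: is_ipv4() shifts the version nibble right by RTE_IPV4_IHL_MULTIPLIER, which is the factor for converting IHL to bytes and only happens to equal the 4-bit shift needed here. Use a literal 4 or a dedicated shift constant, and reduce the if/else to "return ip_ver == IPVERSION;". In test_ipsec_csum_init() the L4 header is located at sizeof(struct rte_ipv4_hdr) or sizeof(struct rte_ipv6_hdr), which ignores IPv4 options and IPv6 extension headers. That is fine for the current vectors but should be stated in a comment or derived from version_ihl.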
@@ -194,6 +261,17 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
if (flags->sa_expiry_pkts_soft)
td->ipsec_xform.life.packets_soft_limit =
IPSEC_TEST_PACKETS_MAX - 1;
+
+ if (flags->ip_csum) {
+ td->ipsec_xform.options.ip_csum_enable = 1;
+ test_ipsec_csum_init(&td->input_text.data, true, false);
+ }
+
+ if (flags->l4_csum) {
+ td->ipsec_xform.options.l4_csum_enable = 1;
+ test_ipsec_csum_init(&td->input_text.data, false, true);
+ }
+
}
RTE_SET_USED(param2);
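Review bot: test_ipsec_csum_init() is passed &td->input_text.data, the address of the array rather than the array itself. It works only because the parameter is void *. Pass td->input_text.data instead, and drop the blank line left before the closing brace of the block.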
@@ -230,6 +308,12 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
td_inb[i].ipsec_xform.options.tunnel_hdr_verify =
flags->tunnel_hdr_verify;
+ if (flags->ip_csum)
+ td_inb[i].ipsec_xform.options.ip_csum_enable = 1;
+
+ if (flags->l4_csum)
+ td_inb[i].ipsec_xform.options.l4_csum_enable = 1;
+
/* Clear outbound specific flags */
td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
}
@@ -305,12 +389,96 @@ test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td)
return TEST_SUCCESS;
}
+static int
+test_ipsec_l3_csum_verify(struct rte_mbuf *m)
+{
+ uint16_t actual_cksum, expected_cksum;
+ struct rte_ipv4_hdr *ip;
+
+ ip = rte_pktmbuf_mtod(m, struct rte_ipv4_hdr *);
+
+ if (!is_ipv4((void *)ip))
+ return TEST_SKIPPED;
+
+ actual_cksum = ip->hdr_checksum;
+
+ ip->hdr_checksum = 0;
+
+ expected_cksum = rte_ipv4_cksum(ip);
+
+ if (actual_cksum != expected_cksum)
+ return TEST_FAILED;
+
+ return TEST_SUCCESS;
+}
+
+static int
+test_ipsec_l4_csum_verify(struct rte_mbuf *m)
+{
+ uint16_t actual_cksum = 0, expected_cksum = 0;
+ struct rte_ipv4_hdr *ipv4;
+ struct rte_ipv6_hdr *ipv6;
+ struct rte_tcp_hdr *tcp;
+ struct rte_udp_hdr *udp;
+ void *ip, *l4;
+
+ ip = rte_pktmbuf_mtod(m, void *);
+
+ if (is_ipv4(ip)) {
+ ipv4 = ip;
+ l4 = RTE_PTR_ADD(ipv4, sizeof(struct rte_ipv4_hdr));
+
+ switch (ipv4->next_proto_id) {
+ case IPPROTO_TCP:
+ tcp = (struct rte_tcp_hdr *)l4;
+ actual_cksum = tcp->cksum;
+ tcp->cksum = 0;
+ expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4);
+ break;
+ case IPPROTO_UDP:
+ udp = (struct rte_udp_hdr *)l4;
+ actual_cksum = udp->dgram_cksum;
+ udp->dgram_cksum = 0;
+ expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4);
+ break;
+ default:
+ break;
+ }
+ } else {
+ ipv6 = ip;
+ l4 = RTE_PTR_ADD(ipv6, sizeof(struct rte_ipv6_hdr));
+
+ switch (ipv6->proto) {
+ case IPPROTO_TCP:
+ tcp = (struct rte_tcp_hdr *)l4;
+ actual_cksum = tcp->cksum;
+ tcp->cksum = 0;
+ expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4);
+ break;
+ case IPPROTO_UDP:
+ udp = (struct rte_udp_hdr *)l4;
+ actual_cksum = udp->dgram_cksum;
+ udp->dgram_cksum = 0;
+ expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4);
+ break;
+ default:
+ break;
+ }
+ }
+
+ if (actual_cksum != expected_cksum)
+ return TEST_FAILED;
+
+ return TEST_SUCCESS;
+}
+
static int
test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
bool silent, const struct ipsec_test_flags *flags)
{
uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
uint32_t skip, len = rte_pktmbuf_pkt_len(m);
+ int ret;
/* For tests with status as error for test success, skip verification */
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
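Review bot: In test_ipsec_l4_csum_verify(), the default case of both protocol switches leaves actual_cksum and expected_cksum at their initial 0, so any inner packet that is neither TCP nor UDP compares equal and returns TEST_SUCCESS without checking anything. Return TEST_SKIPPED from the default cases so a vector with an ICMP payload cannot pass as an L4 checksum test. Both verify helpers also overwrite the checksum field in the mbuf with 0 and never restore it, and both assume a fixed-size IP header. Restoring the saved value before returning keeps the packet intact for any later comparison.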
@@ -354,6 +522,33 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
len -= skip;
output_text += skip;
+ if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ flags->ip_csum) {
+ if (m->ol_flags & PKT_RX_IP_CKSUM_GOOD)
+ ret = test_ipsec_l3_csum_verify(m);
+ else
+ ret = TEST_FAILED;
+
+ if (ret == TEST_FAILED)
+ printf("Inner IP checksum test failed\n");
+
+ return ret;
+ }
+
+ if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ flags->l4_csum) {
+ if (m->ol_flags & PKT_RX_L4_CKSUM_GOOD)
+ ret = test_ipsec_l4_csum_verify(m);
+ else
+ ret = TEST_FAILED;
+
+ if (ret == TEST_FAILED)
+ printf("Inner L4 checksum test failed\n");
+
+ return ret;
+ }
+
+
if (memcmp(output_text, td->output_text.data + skip, len)) {
if (silent)
return TEST_FAILED;
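Review bot: Both new blocks in test_ipsec_td_verify() end in "return ret;", so on success the function exits before the memcmp() against td->output_text.data, and a checksum test never checks that the decrypted packet is otherwise correct. Because the ip_csum block returns first, the l4_csum block is also unreachable when both flags are set. Return early only on failure and let the success path fall through to the comparison. If the comparison has to be relaxed because the checksum bytes differ from the stored vector, mask just those fields rather than skipping it. The hunk also adds two consecutive blank lines before the memcmp().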
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 0416005520..7628d0c42a 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -56,6 +56,8 @@ struct ipsec_test_flags {
uint32_t tunnel_hdr_verify;
bool udp_encap;
bool udp_ports_verify;
+ bool ip_csum;
+ bool l4_csum;
};
struct crypto_param {
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
index 4e147ec19c..5d4518c39c 100644
--- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -95,6 +95,8 @@ struct ipsec_test_data pkt_aes_128_gcm = {
.options.ecn = 0,
.options.stats = 0,
.options.tunnel_hdr_verify = 0,
+ .options.ip_csum_enable = 0,
+ .options.l4_csum_enable = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -192,6 +194,8 @@ struct ipsec_test_data pkt_aes_192_gcm = {
.options.ecn = 0,
.options.stats = 0,
.options.tunnel_hdr_verify = 0,
+ .options.ip_csum_enable = 0,
+ .options.l4_csum_enable = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -292,6 +296,8 @@ struct ipsec_test_data pkt_aes_256_gcm = {
.options.ecn = 0,
.options.stats = 0,
.options.tunnel_hdr_verify = 0,
+ .options.ip_csum_enable = 0,
+ .options.l4_csum_enable = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -318,4 +324,116 @@ struct ipsec_test_data pkt_aes_256_gcm = {
},
};
+/* Known vectors for AES-CBC
+ * https://datatracker.ietf.org/doc/html/rfc3602#section-4
+ */
+
+struct ipsec_test_data pkt_aes_128_cbc_null = {
+ .key = {
+ .data = {
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ },
+ },
+ .input_text = {
+ .data = {
+ /* IP - outer header */
+ 0x45, 0x00, 0x00, 0x8c, 0x00, 0x02, 0x00, 0x00,
+ 0x40, 0x32, 0x27, 0xbc, 0x00, 0x01, 0xa8, 0xc0,
+ 0x01, 0x01, 0xa8, 0xc0,
+
+ /* ESP */
+ 0x00, 0x00, 0x87, 0x65, 0x00, 0x00, 0x00, 0x02,
+
+ /* IV */
+ 0xf4, 0xe7, 0x65, 0x24, 0x4f, 0x64, 0x07, 0xad,
+ 0xf1, 0x3d, 0xc1, 0x38, 0x0f, 0x67, 0x3f, 0x37,
+
+ /* Data */
+ 0x77, 0x3b, 0x52, 0x41, 0xa4, 0xc4, 0x49, 0x22,
+ 0x5e, 0x4f, 0x3c, 0xe5, 0xed, 0x61, 0x1b, 0x0c,
+ 0x23, 0x7c, 0xa9, 0x6c, 0xf7, 0x4a, 0x93, 0x01,
+ 0x3c, 0x1b, 0x0e, 0xa1, 0xa0, 0xcf, 0x70, 0xf8,
+ 0xe4, 0xec, 0xae, 0xc7, 0x8a, 0xc5, 0x3a, 0xad,
+ 0x7a, 0x0f, 0x02, 0x2b, 0x85, 0x92, 0x43, 0xc6,
+ 0x47, 0x75, 0x2e, 0x94, 0xa8, 0x59, 0x35, 0x2b,
+ 0x8a, 0x4d, 0x4d, 0x2d, 0xec, 0xd1, 0x36, 0xe5,
+ 0xc1, 0x77, 0xf1, 0x32, 0xad, 0x3f, 0xbf, 0xb2,
+ 0x20, 0x1a, 0xc9, 0x90, 0x4c, 0x74, 0xee, 0x0a,
+ 0x10, 0x9e, 0x0c, 0xa1, 0xe4, 0xdf, 0xe9, 0xd5,
+ 0xa1, 0x00, 0xb8, 0x42, 0xf1, 0xc2, 0x2f, 0x0d,
+ },
+ .len = 140,
+ },
+ .output_text = {
+ .data = {
+ /* IP */
+ 0x45, 0x00, 0x00, 0x54, 0x09, 0x04, 0x00, 0x00,
+ 0x40, 0x01, 0xf9, 0x88, 0xc0, 0xa8, 0x7b, 0x03,
+ 0xc0, 0xa8, 0x7b, 0xc8,
+
+ /* ICMP */
+ 0x08, 0x00, 0x9f, 0x76, 0xa9, 0x0a, 0x01, 0x00,
+ 0xb4, 0x9c, 0x08, 0x3d, 0x02, 0xa2, 0x04, 0x00,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+ 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+ 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x09, 0x0a, 0x0a, 0x04,
+ },
+ .len = 84,
+ },
+ .iv = {
+ .data = {
+ 0xf4, 0xe7, 0x65, 0x24, 0x4f, 0x64, 0x07, 0xad,
+ 0xf1, 0x3d, 0xc1, 0x38, 0x0f, 0x67, 0x3f, 0x37,
+ },
+ },
+
+ .ipsec_xform = {
+ .spi = 0x8765,
+ .options.esn = 0,
+ .options.udp_encap = 0,
+ .options.copy_dscp = 0,
+ .options.copy_flabel = 0,
+ .options.copy_df = 0,
+ .options.dec_ttl = 0,
+ .options.ecn = 0,
+ .options.stats = 0,
+ .options.tunnel_hdr_verify = 0,
+ .options.ip_csum_enable = 0,
+ .options.l4_csum_enable = 0,
+ .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+ .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+ .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+ .replay_win_sz = 0,
+ },
+
+ .aead = false,
+
+ .xform = {
+ .chain.cipher = {
+ .next = NULL,
+ .type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+ .cipher = {
+ .op = RTE_CRYPTO_CIPHER_OP_DECRYPT,
+ .algo = RTE_CRYPTO_CIPHER_AES_CBC,
+ .key.length = 16,
+ .iv.length = 16,
+ },
+ },
+ .chain.auth = {
+ .next = NULL,
+ .type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ .auth = {
+ .algo = RTE_CRYPTO_AUTH_NULL,
+ },
+ },
+ },
+};
+
#endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */
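Review bot: pkt_aes_128_cbc_null is added here but no other hunk in this patch references it, and the commit message only mentions inner checksum tests. Either wire the vector into a test list in this patch or move it to the patch that uses it. Its inner payload is ICMP, so it would not exercise the TCP or UDP branches of the new L4 checksum code in any case. A TCP or UDP inner packet is needed for that.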
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 8dc3008199..09aaa0fe2b 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -103,6 +103,7 @@ New Features
* Added tests to verify error reporting with ICV corruption.
* Added tests to verify IV generation.
* Added tests to verify UDP encapsulation.
+ * Added tests to verify inner checksum.
Removed Items
--
2.22.0
* Re: [dpdk-dev] [PATCH 1/3] security: add SA config option for inner pkt csum
From: Akhil Goyal @ 2021-09-28 16:41 UTC (permalink / raw)
To: Archana Muniganti, radu.nicolau, roy.fan.zhang, hemant.agrawal,
konstantin.ananyev
Cc: Archana Muniganti, Anoob Joseph, Tejasree Kondoj, Ankur Dwivedi,
Jerin Jacob Kollanukkaran, dev
> Add inner packet IPv4 hdr and L4 checksum enable options
> in conf. These will be used in case of protocol offload.
> Per SA, application could specify whether the
> checksum(compute/verify) can be offloaded to security device.
>
> Signed-off-by: Archana Muniganti <marchana@marvell.com>
> ---
> doc/guides/rel_notes/deprecation.rst | 4 ++--
> doc/guides/rel_notes/release_21_11.rst | 5 +++++
Reword release notes as per current TOT.
> lib/cryptodev/rte_cryptodev.h | 2 ++
> lib/security/rte_security.h | 18 ++++++++++++++++++
> 4 files changed, 27 insertions(+), 2 deletions(-)
New feature flag needs to be added in
doc/guides/cryptodevs/features/default.ini as well.
Similarly it needs to be updated in cn10k.ini file as well in the next patch.