[dpdk-dev] [PATCH 0/3] add SA config option for inner pkt csum

[dpdk-dev] [PATCH 0/3] add SA config option for inner pkt csum

[Archana Muniganti]

Add inner packet IPv4 hdr and L4 checksum enable options
in conf. These will be used in case of protocol offload.
Per SA, application could specify whether the
checksum(compute/verify) can be offloaded to security device.

Depends on
https://patches.dpdk.org/project/dpdk/list/?series=18756

Archana Muniganti (3):
  security: add SA config option for inner pkt csum
  crypto/cnxk: add inner checksum
  app/test: add inner checksum tests

 app/test/test_cryptodev.c                     |  34 +++
 app/test/test_cryptodev_security_ipsec.c      | 195 ++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h      |   2 +
 ...st_cryptodev_security_ipsec_test_vectors.h | 118 +++++++++++
 doc/guides/rel_notes/deprecation.rst          |   4 +-
 doc/guides/rel_notes/release_21_11.rst        |   7 +
 drivers/crypto/cnxk/cn10k_cryptodev_ops.c     |  65 ++++--
 drivers/crypto/cnxk/cn10k_ipsec.c             |  49 ++++-
 drivers/crypto/cnxk/cn10k_ipsec.h             |   1 +
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h      |   9 +-
 drivers/crypto/cnxk/cnxk_cryptodev.c          |   3 +
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c |   2 +
 lib/cryptodev/rte_cryptodev.h                 |   2 +
 lib/security/rte_security.h                   |  18 ++
 14 files changed, 489 insertions(+), 20 deletions(-)

-- 
2.22.0

[dpdk-dev] [PATCH 1/3] security: add SA config option for inner pkt csum

[Archana Muniganti]

Add inner packet IPv4 hdr and L4 checksum enable options
in conf. These will be used in case of protocol offload.
Per SA, application could specify whether the
checksum(compute/verify) can be offloaded to security device.

Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
 doc/guides/rel_notes/deprecation.rst   |  4 ++--
 doc/guides/rel_notes/release_21_11.rst |  5 +++++
 lib/cryptodev/rte_cryptodev.h          |  2 ++
 lib/security/rte_security.h            | 18 ++++++++++++++++++
 4 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 80ae9a6372..ae2d6ffe33 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -237,8 +237,8 @@ Deprecation Notices
   IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number).
 
 * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options``
-  will be updated with new fields to support new features like IPsec inner
-  checksum, TSO in case of protocol offload.
+  will be updated with new fields to support new features like TSO in case of
+  protocol offload.
 
 * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
   ``hdr_l3_len`` to configure tunnel L3 header length.
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index e84a8863e9..42ed9ee580 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -197,6 +197,11 @@ ABI Changes
   * Added SA option to indicate whether UDP ports verification need to be
     done as part of inbound IPsec processing.
 
+* security: add IPsec SA config option for inner packet checksum
+
+  * Added inner packet IPv4 hdr and L4 checksum enable options in conf.
+    Per SA, application could specify whether the checksum(compute/verify)
+    can be offloaded to security device.
 
 Known Issues
 ------------
diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
index bb01f0f195..d9271a6c45 100644
--- a/lib/cryptodev/rte_cryptodev.h
+++ b/lib/cryptodev/rte_cryptodev.h
@@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum,
 /**< Support operations on multiple data-units message */
 #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY		(1ULL << 26)
 /**< Support wrapped key in cipher xform  */
+#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM		(1ULL << 27)
+/**< Support inner checksum computation/verification */
 
 /**
  * Get the name of a crypto device feature flag
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index ae5a2e09c3..47d0b5689c 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
 	 *   source and destination IP addresses.
 	 */
 	uint32_t tunnel_hdr_verify : 2;
+
+	/** Compute/verify inner packet IPv4 header checksum in tunnel mode
+	 *
+	 * * 1: For outbound, compute inner packet IPv4 header checksum
+	 *      before tunnel encapsulation and for inbound, verify after
+	 *      tunnel decapsulation.
+	 * * 0: Inner packet IP header checksum is not computed/verified.
+	 */
+	uint32_t ip_csum_enable : 1;
+
+	/** Compute/verify inner packet L4 checksum in tunnel mode
+	 *
+	 * * 1: For outbound, compute inner packet L4 checksum before
+	 *      tunnel encapsulation and for inbound, verify after
+	 *      tunnel decapsulation.
+	 * * 0: Inner packet L4 checksum is not computed/verified.
+	 */
+	uint32_t l4_csum_enable : 1;
 };
 
 /** IPSec security association direction */
-- 
2.22.0

[dpdk-dev] [PATCH 2/3] crypto/cnxk: add inner checksum

[Archana Muniganti]

Add inner checksum support for cn10k

Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
 doc/guides/rel_notes/release_21_11.rst        |  1 +
 drivers/crypto/cnxk/cn10k_cryptodev_ops.c     | 65 +++++++++++++++----
 drivers/crypto/cnxk/cn10k_ipsec.c             | 49 +++++++++++++-
 drivers/crypto/cnxk/cn10k_ipsec.h             |  1 +
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h      |  9 ++-
 drivers/crypto/cnxk/cnxk_cryptodev.c          |  3 +
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c |  2 +
 7 files changed, 112 insertions(+), 18 deletions(-)

diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 42ed9ee580..8dc3008199 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -72,6 +72,7 @@ New Features
   * Added Transport mode support in lookaside protocol (IPsec) for CN10K.
   * Added UDP encapsulation support in lookaside protocol (IPsec) for CN10K.
   * Added support for lookaside protocol (IPsec) offload for CN9K.
+  * Added inner checksum support in lookaside protocol (IPsec) for CN10K.
 
 * **Added support for event crypto adapter on Marvell CN10K and CN9K.**
 
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 3caf05aab9..c25c8e67b2 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -50,7 +50,7 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op)
 
 static __rte_always_inline int __rte_hot
 cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
-		  struct cpt_inst_s *inst)
+		  struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst)
 {
 	struct rte_crypto_sym_op *sym_op = op->sym;
 	union roc_ot_ipsec_sa_word2 *w2;
@@ -72,8 +72,10 @@ cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
 
 	if (w2->s.dir == ROC_IE_SA_DIR_OUTBOUND)
 		ret = process_outb_sa(op, sa, inst);
-	else
+	else {
+		infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND;
 		ret = process_inb_sa(op, sa, inst);
+	}
 
 	return ret;
 }
@@ -122,7 +124,8 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[],
 		if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
 			sec_sess = get_sec_session_private_data(
 				sym_op->sec_session);
-			ret = cpt_sec_inst_fill(op, sec_sess, &inst[0]);
+			ret = cpt_sec_inst_fill(op, sec_sess, infl_req,
+						&inst[0]);
 			if (unlikely(ret))
 				return 0;
 			w7 = sec_sess->sa.inst.w7;
@@ -342,6 +345,49 @@ cn10k_cpt_sec_post_process(struct rte_crypto_op *cop,
 	m->pkt_len = m_len;
 }
 
+static inline void
+cn10k_cpt_sec_ucc_process(struct rte_crypto_op *cop,
+			  struct cpt_inflight_req *infl_req,
+			  const uint8_t uc_compcode)
+{
+	struct cn10k_sec_session *sess;
+	struct cn10k_ipsec_sa *sa;
+	struct rte_mbuf *mbuf;
+
+	if (uc_compcode == ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST)
+		cop->aux_flags = RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
+
+	if (!(infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND))
+		return;
+
+	sess = get_sec_session_private_data(cop->sym->sec_session);
+	sa = &sess->sa;
+
+	mbuf = cop->sym->m_src;
+
+	switch (uc_compcode) {
+	case ROC_IE_OT_UCC_SUCCESS:
+		if (sa->ip_csum_enable)
+			mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+		break;
+	case ROC_IE_OT_UCC_SUCCESS_PKT_IP_BADCSUM:
+		mbuf->ol_flags |= PKT_RX_IP_CKSUM_BAD;
+		break;
+	case ROC_IE_OT_UCC_SUCCESS_PKT_L4_GOODCSUM:
+		mbuf->ol_flags |= PKT_RX_L4_CKSUM_GOOD;
+		if (sa->ip_csum_enable)
+			mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+		break;
+	case ROC_IE_OT_UCC_SUCCESS_PKT_L4_BADCSUM:
+		mbuf->ol_flags |= PKT_RX_L4_CKSUM_BAD;
+		if (sa->ip_csum_enable)
+			mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+		break;
+	default:
+		break;
+	}
+}
+
 static inline void
 cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
 			       struct rte_crypto_op *cop,
@@ -357,17 +403,8 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
 	if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
 	    cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
 		if (likely(compcode == CPT_COMP_WARN)) {
-			if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) {
-				/* Success with additional info */
-				switch (uc_compcode) {
-				case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST:
-					cop->aux_flags =
-						RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
-					break;
-				default:
-					break;
-				}
-			}
+			/* Success with additional info */
+			cn10k_cpt_sec_ucc_process(cop, infl_req, uc_compcode);
 			cn10k_cpt_sec_post_process(cop, res);
 		} else {
 			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index ebb2a7ec48..defc792aa8 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -37,6 +37,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
 			   struct rte_crypto_sym_xform *crypto_xfrm,
 			   struct rte_security_session *sec_sess)
 {
+	union roc_ot_ipsec_outb_param1 param1;
 	struct roc_ot_ipsec_outb_sa *out_sa;
 	struct cnxk_ipsec_outb_rlens rlens;
 	struct cn10k_sec_session *sess;
@@ -83,7 +84,27 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
 	/* pre-populate CPT INST word 4 */
 	inst_w4.u64 = 0;
 	inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;
-	inst_w4.s.param1 = 0;
+
+	param1.u16 = 0;
+
+	/* Disable IP checksum computation by default */
+	param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
+
+	if (ipsec_xfrm->options.ip_csum_enable) {
+		param1.s.ip_csum_disable =
+			ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
+	}
+
+	/* Disable L4 checksum computation by default */
+	param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
+
+	if (ipsec_xfrm->options.l4_csum_enable) {
+		param1.s.l4_csum_disable =
+			ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
+	}
+
+	inst_w4.s.param1 = param1.u16;
+
 	sa->inst.w4 = inst_w4.u64;
 
 	return 0;
@@ -95,6 +116,7 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
 			  struct rte_crypto_sym_xform *crypto_xfrm,
 			  struct rte_security_session *sec_sess)
 {
+	union roc_ot_ipsec_inb_param1 param1;
 	struct roc_ot_ipsec_inb_sa *in_sa;
 	struct cn10k_sec_session *sess;
 	struct cn10k_ipsec_sa *sa;
@@ -121,8 +143,29 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
 	inst_w4.u64 = 0;
 	inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC;
 
-	/* Disable checksum verification for now */
-	inst_w4.s.param1 = 7;
+	param1.u16 = 0;
+
+	/* Disable IP checksum verification by default */
+	param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
+
+	if (ipsec_xfrm->options.ip_csum_enable) {
+		param1.s.ip_csum_disable =
+			ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
+		sa->ip_csum_enable = true;
+	}
+
+	/* Disable L4 checksum verification by default */
+	param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
+
+	if (ipsec_xfrm->options.l4_csum_enable) {
+		param1.s.l4_csum_disable =
+			ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
+	}
+
+	param1.s.esp_trailer_disable = 1;
+
+	inst_w4.s.param1 = param1.u16;
+
 	sa->inst.w4 = inst_w4.u64;
 
 	return 0;
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index 6f974b716d..86cd2483f5 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -23,6 +23,7 @@ struct cn10k_ipsec_sa {
 	uint16_t max_extended_len;
 	uint16_t iv_offset;
 	uint8_t iv_length;
+	bool ip_csum_enable;
 };
 
 struct cn10k_sec_session {
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index 862476a72e..df1b0a3678 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -53,6 +53,7 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
 {
 	struct rte_crypto_sym_op *sym_op = cop->sym;
 	struct rte_mbuf *m_src = sym_op->m_src;
+	uint64_t inst_w4_u64 = sess->inst.w4;
 
 	if (unlikely(rte_pktmbuf_tailroom(m_src) < sess->max_extended_len)) {
 		plt_dp_err("Not enough tail room");
@@ -68,8 +69,14 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
 	}
 #endif
 
+	if (m_src->ol_flags & PKT_TX_IP_CKSUM)
+		inst_w4_u64 &= ~BIT_ULL(33);
+
+	if (m_src->ol_flags & PKT_TX_L4_MASK)
+		inst_w4_u64 &= ~BIT_ULL(32);
+
 	/* Prepare CPT instruction */
-	inst->w4.u64 = sess->inst.w4;
+	inst->w4.u64 = inst_w4_u64;
 	inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src);
 	inst->dptr = rte_pktmbuf_iova(m_src);
 	inst->rptr = inst->dptr;
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.c b/drivers/crypto/cnxk/cnxk_cryptodev.c
index 5c7801ec48..d67de54a7b 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.c
@@ -24,6 +24,9 @@ cnxk_cpt_default_ff_get(void)
 		      RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED |
 		      RTE_CRYPTODEV_FF_SECURITY;
 
+	if (roc_model_is_cn10k())
+		ff |= RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM;
+
 	return ff;
 }
 
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index ba4166c56d..20df37709a 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -926,6 +926,8 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
 			sec_cap->ipsec.options.tunnel_hdr_verify =
 				RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
 	}
+	sec_cap->ipsec.options.ip_csum_enable = 1;
+	sec_cap->ipsec.options.l4_csum_enable = 1;
 }
 
 static void
-- 
2.22.0

[dpdk-dev] [PATCH 3/3] app/test: add inner checksum tests

[Archana Muniganti]

This patch adds tests for inner IP and inner L4 checksum
in IPsec mode.

Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
 app/test/test_cryptodev.c                     |  34 +++
 app/test/test_cryptodev_security_ipsec.c      | 195 ++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h      |   2 +
 ...st_cryptodev_security_ipsec_test_vectors.h | 118 +++++++++++
 doc/guides/rel_notes/release_21_11.rst        |   1 +
 5 files changed, 350 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 5f0d023451..c127e6bc04 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -18,6 +18,8 @@
 #include <rte_cryptodev.h>
 #include <rte_ip.h>
 #include <rte_string_fns.h>
+#include <rte_tcp.h>
+#include <rte_udp.h>
 
 #ifdef RTE_CRYPTO_SCHEDULER
 #include <rte_cryptodev_scheduler.h>
@@ -9275,6 +9277,30 @@ test_ipsec_proto_udp_ports_verify(const void *data __rte_unused)
 	return test_ipsec_proto_all(&flags);
 }
 
+static int
+test_ipsec_proto_inner_ip_csum(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.ip_csum = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_inner_l4_csum(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.l4_csum = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
 static int
 test_PDCP_PROTO_all(void)
 {
@@ -14231,6 +14257,14 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Tunnel src and dst addr verification",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_tunnel_src_dst_addr_verify),
+		TEST_CASE_NAMED_ST(
+			"Inner IP checksum",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_inner_ip_csum),
+		TEST_CASE_NAMED_ST(
+			"Inner L4 checksum",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_inner_l4_csum),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 764e77bbff..bcd9746c98 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -7,6 +7,7 @@
 #include <rte_esp.h>
 #include <rte_ip.h>
 #include <rte_security.h>
+#include <rte_tcp.h>
 #include <rte_udp.h>
 
 #include "test.h"
@@ -103,6 +104,22 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 		return -ENOTSUP;
 	}
 
+	if (ipsec_xform->options.ip_csum_enable == 1 &&
+	    sec_cap->ipsec.options.ip_csum_enable == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1,
+				"Inner IP checksum is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.l4_csum_enable == 1 &&
+	    sec_cap->ipsec.options.l4_csum_enable == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1,
+				"Inner L4 checksum is not supported\n");
+		return -ENOTSUP;
+	}
+
 	return 0;
 }
 
@@ -160,6 +177,56 @@ test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 	}
 }
 
+static bool
+is_ipv4(void *ip)
+{
+	struct rte_ipv4_hdr *ipv4 = ip;
+	uint8_t ip_ver;
+
+	ip_ver = (ipv4->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER;
+	if (ip_ver == IPVERSION)
+		return true;
+	else
+		return false;
+}
+
+static void
+test_ipsec_csum_init(void *ip, bool l3, bool l4)
+{
+	struct rte_ipv4_hdr *ipv4;
+	struct rte_tcp_hdr *tcp;
+	struct rte_udp_hdr *udp;
+	uint8_t next_proto;
+	uint8_t size;
+
+	if (is_ipv4(ip)) {
+		ipv4 = ip;
+		size = sizeof(struct rte_ipv4_hdr);
+		next_proto = ipv4->next_proto_id;
+
+		if (l3)
+			ipv4->hdr_checksum = 0;
+	} else {
+		size = sizeof(struct rte_ipv6_hdr);
+		next_proto = ((struct rte_ipv6_hdr *)ip)->proto;
+	}
+
+	if (l4) {
+		switch (next_proto) {
+		case IPPROTO_TCP:
+			tcp = (struct rte_tcp_hdr *)RTE_PTR_ADD(ip, size);
+			tcp->cksum = 0;
+			break;
+		case IPPROTO_UDP:
+			udp = (struct rte_udp_hdr *)RTE_PTR_ADD(ip, size);
+			udp->dgram_cksum = 0;
+			break;
+		default:
+			return;
+		}
+	}
+}
+
 void
 test_ipsec_td_prepare(const struct crypto_param *param1,
 		      const struct crypto_param *param2,
@@ -194,6 +261,17 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
 		if (flags->sa_expiry_pkts_soft)
 			td->ipsec_xform.life.packets_soft_limit =
 					IPSEC_TEST_PACKETS_MAX - 1;
+
+		if (flags->ip_csum) {
+			td->ipsec_xform.options.ip_csum_enable = 1;
+			test_ipsec_csum_init(&td->input_text.data, true, false);
+		}
+
+		if (flags->l4_csum) {
+			td->ipsec_xform.options.l4_csum_enable = 1;
+			test_ipsec_csum_init(&td->input_text.data, false, true);
+		}
+
 	}
 
 	RTE_SET_USED(param2);
@@ -230,6 +308,12 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
 		td_inb[i].ipsec_xform.options.tunnel_hdr_verify =
 			flags->tunnel_hdr_verify;
 
+		if (flags->ip_csum)
+			td_inb[i].ipsec_xform.options.ip_csum_enable = 1;
+
+		if (flags->l4_csum)
+			td_inb[i].ipsec_xform.options.l4_csum_enable = 1;
+
 		/* Clear outbound specific flags */
 		td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
 	}
@@ -305,12 +389,96 @@ test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td)
 	return TEST_SUCCESS;
 }
 
+static int
+test_ipsec_l3_csum_verify(struct rte_mbuf *m)
+{
+	uint16_t actual_cksum, expected_cksum;
+	struct rte_ipv4_hdr *ip;
+
+	ip = rte_pktmbuf_mtod(m, struct rte_ipv4_hdr *);
+
+	if (!is_ipv4((void *)ip))
+		return TEST_SKIPPED;
+
+	actual_cksum = ip->hdr_checksum;
+
+	ip->hdr_checksum = 0;
+
+	expected_cksum = rte_ipv4_cksum(ip);
+
+	if (actual_cksum != expected_cksum)
+		return TEST_FAILED;
+
+	return TEST_SUCCESS;
+}
+
+static int
+test_ipsec_l4_csum_verify(struct rte_mbuf *m)
+{
+	uint16_t actual_cksum = 0, expected_cksum = 0;
+	struct rte_ipv4_hdr *ipv4;
+	struct rte_ipv6_hdr *ipv6;
+	struct rte_tcp_hdr *tcp;
+	struct rte_udp_hdr *udp;
+	void *ip, *l4;
+
+	ip = rte_pktmbuf_mtod(m, void *);
+
+	if (is_ipv4(ip)) {
+		ipv4 = ip;
+		l4 = RTE_PTR_ADD(ipv4, sizeof(struct rte_ipv4_hdr));
+
+		switch (ipv4->next_proto_id) {
+		case IPPROTO_TCP:
+			tcp = (struct rte_tcp_hdr *)l4;
+			actual_cksum = tcp->cksum;
+			tcp->cksum = 0;
+			expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4);
+			break;
+		case IPPROTO_UDP:
+			udp = (struct rte_udp_hdr *)l4;
+			actual_cksum = udp->dgram_cksum;
+			udp->dgram_cksum = 0;
+			expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4);
+			break;
+		default:
+			break;
+		}
+	} else {
+		ipv6 = ip;
+		l4 = RTE_PTR_ADD(ipv6, sizeof(struct rte_ipv6_hdr));
+
+		switch (ipv6->proto) {
+		case IPPROTO_TCP:
+			tcp = (struct rte_tcp_hdr *)l4;
+			actual_cksum = tcp->cksum;
+			tcp->cksum = 0;
+			expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4);
+			break;
+		case IPPROTO_UDP:
+			udp = (struct rte_udp_hdr *)l4;
+			actual_cksum = udp->dgram_cksum;
+			udp->dgram_cksum = 0;
+			expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4);
+			break;
+		default:
+			break;
+		}
+	}
+
+	if (actual_cksum != expected_cksum)
+		return TEST_FAILED;
+
+	return TEST_SUCCESS;
+}
+
 static int
 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		     bool silent, const struct ipsec_test_flags *flags)
 {
 	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
+	int ret;
 
 	/* For tests with status as error for test success, skip verification */
 	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
@@ -354,6 +522,33 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	len -= skip;
 	output_text += skip;
 
+	if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+				flags->ip_csum) {
+		if (m->ol_flags & PKT_RX_IP_CKSUM_GOOD)
+			ret = test_ipsec_l3_csum_verify(m);
+		else
+			ret = TEST_FAILED;
+
+		if (ret == TEST_FAILED)
+			printf("Inner IP checksum test failed\n");
+
+		return ret;
+	}
+
+	if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+				flags->l4_csum) {
+		if (m->ol_flags & PKT_RX_L4_CKSUM_GOOD)
+			ret = test_ipsec_l4_csum_verify(m);
+		else
+			ret = TEST_FAILED;
+
+		if (ret == TEST_FAILED)
+			printf("Inner L4 checksum test failed\n");
+
+		return ret;
+	}
+
+
 	if (memcmp(output_text, td->output_text.data + skip, len)) {
 		if (silent)
 			return TEST_FAILED;
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 0416005520..7628d0c42a 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -56,6 +56,8 @@ struct ipsec_test_flags {
 	uint32_t tunnel_hdr_verify;
 	bool udp_encap;
 	bool udp_ports_verify;
+	bool ip_csum;
+	bool l4_csum;
 };
 
 struct crypto_param {
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
index 4e147ec19c..5d4518c39c 100644
--- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -95,6 +95,8 @@ struct ipsec_test_data pkt_aes_128_gcm = {
 		.options.ecn = 0,
 		.options.stats = 0,
 		.options.tunnel_hdr_verify = 0,
+		.options.ip_csum_enable = 0,
+		.options.l4_csum_enable = 0,
 		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
 		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -192,6 +194,8 @@ struct ipsec_test_data pkt_aes_192_gcm = {
 		.options.ecn = 0,
 		.options.stats = 0,
 		.options.tunnel_hdr_verify = 0,
+		.options.ip_csum_enable = 0,
+		.options.l4_csum_enable = 0,
 		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
 		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -292,6 +296,8 @@ struct ipsec_test_data pkt_aes_256_gcm = {
 		.options.ecn = 0,
 		.options.stats = 0,
 		.options.tunnel_hdr_verify = 0,
+		.options.ip_csum_enable = 0,
+		.options.l4_csum_enable = 0,
 		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
 		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -318,4 +324,116 @@ struct ipsec_test_data pkt_aes_256_gcm = {
 	},
 };
 
+/* Known vectors for AES-CBC
+ * https://datatracker.ietf.org/doc/html/rfc3602#section-4
+ */
+
+struct ipsec_test_data pkt_aes_128_cbc_null = {
+	.key = {
+		.data = {
+			0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+			0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x8c, 0x00, 0x02, 0x00, 0x00,
+			0x40, 0x32, 0x27, 0xbc, 0x00, 0x01, 0xa8, 0xc0,
+			0x01, 0x01, 0xa8, 0xc0,
+
+			/* ESP */
+			0x00, 0x00, 0x87, 0x65,	0x00, 0x00, 0x00, 0x02,
+
+			/* IV */
+			0xf4, 0xe7, 0x65, 0x24,	0x4f, 0x64, 0x07, 0xad,
+			0xf1, 0x3d, 0xc1, 0x38,	0x0f, 0x67, 0x3f, 0x37,
+
+			/* Data */
+			0x77, 0x3b, 0x52, 0x41,	0xa4, 0xc4, 0x49, 0x22,
+			0x5e, 0x4f, 0x3c, 0xe5, 0xed, 0x61, 0x1b, 0x0c,
+			0x23, 0x7c, 0xa9, 0x6c, 0xf7, 0x4a, 0x93, 0x01,
+			0x3c, 0x1b, 0x0e, 0xa1, 0xa0, 0xcf, 0x70, 0xf8,
+			0xe4, 0xec, 0xae, 0xc7, 0x8a, 0xc5, 0x3a, 0xad,
+			0x7a, 0x0f, 0x02, 0x2b, 0x85, 0x92, 0x43, 0xc6,
+			0x47, 0x75, 0x2e, 0x94, 0xa8, 0x59, 0x35, 0x2b,
+			0x8a, 0x4d, 0x4d, 0x2d, 0xec, 0xd1, 0x36, 0xe5,
+			0xc1, 0x77, 0xf1, 0x32,	0xad, 0x3f, 0xbf, 0xb2,
+			0x20, 0x1a, 0xc9, 0x90,	0x4c, 0x74, 0xee, 0x0a,
+			0x10, 0x9e, 0x0c, 0xa1,	0xe4, 0xdf, 0xe9, 0xd5,
+			0xa1, 0x00, 0xb8, 0x42,	0xf1, 0xc2, 0x2f, 0x0d,
+		},
+		.len = 140,
+	},
+	.output_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x54, 0x09, 0x04, 0x00, 0x00,
+			0x40, 0x01, 0xf9, 0x88, 0xc0, 0xa8, 0x7b, 0x03,
+			0xc0, 0xa8, 0x7b, 0xc8,
+
+			/* ICMP */
+			0x08, 0x00, 0x9f, 0x76,	0xa9, 0x0a, 0x01, 0x00,
+			0xb4, 0x9c, 0x08, 0x3d,	0x02, 0xa2, 0x04, 0x00,
+			0x08, 0x09, 0x0a, 0x0b,	0x0c, 0x0d, 0x0e, 0x0f,
+			0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+			0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+			0x20, 0x21, 0x22, 0x23,	0x24, 0x25, 0x26, 0x27,
+			0x28, 0x29, 0x2a, 0x2b,	0x2c, 0x2d, 0x2e, 0x2f,
+			0x30, 0x31, 0x32, 0x33,	0x34, 0x35, 0x36, 0x37,
+			0x01, 0x02, 0x03, 0x04,	0x05, 0x06, 0x07, 0x08,
+			0x09, 0x0a, 0x0a, 0x04,
+		},
+		.len = 84,
+	},
+	.iv = {
+		.data = {
+			0xf4, 0xe7, 0x65, 0x24, 0x4f, 0x64, 0x07, 0xad,
+			0xf1, 0x3d, 0xc1, 0x38, 0x0f, 0x67, 0x3f, 0x37,
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0x8765,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.options.tunnel_hdr_verify = 0,
+		.options.ip_csum_enable = 0,
+		.options.l4_csum_enable = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.replay_win_sz = 0,
+	},
+
+	.aead = false,
+
+	.xform = {
+		.chain.cipher = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			.cipher = {
+				.op = RTE_CRYPTO_CIPHER_OP_DECRYPT,
+				.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+				.key.length = 16,
+				.iv.length = 16,
+			},
+		},
+		.chain.auth = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			.auth = {
+				.algo = RTE_CRYPTO_AUTH_NULL,
+			},
+		},
+	},
+};
+
 #endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 8dc3008199..09aaa0fe2b 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -103,6 +103,7 @@ New Features
   * Added tests to verify error reporting with ICV corruption.
   * Added tests to verify IV generation.
   * Added tests to verify UDP encapsulation.
+  * Added tests to verify inner checksum.
 
 
 Removed Items
-- 
2.22.0

Re: [dpdk-dev] [PATCH 1/3] security: add SA config option for inner pkt csum

[Akhil Goyal]

> Add inner packet IPv4 hdr and L4 checksum enable options
> in conf. These will be used in case of protocol offload.
> Per SA, application could specify whether the
> checksum(compute/verify) can be offloaded to security device.
> 
> Signed-off-by: Archana Muniganti <marchana@marvell.com>
> ---
>  doc/guides/rel_notes/deprecation.rst   |  4 ++--
>  doc/guides/rel_notes/release_21_11.rst |  5 +++++

Reword release notes as per current TOT.

>  lib/cryptodev/rte_cryptodev.h          |  2 ++
>  lib/security/rte_security.h            | 18 ++++++++++++++++++
>  4 files changed, 27 insertions(+), 2 deletions(-)
New feature flag need to be added in
doc/guides/cryptodevs/features/default.ini As well.

Similarly it need to be updated in cn10k.ini file as well in the next patch.