* [dpdk-dev] [PATCH v2 0/3] add SA config option for inner pkt csum
@ 2021-09-29 9:08 Archana Muniganti
2021-09-29 9:08 ` [dpdk-dev] [PATCH v2 1/3] security: " Archana Muniganti
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Archana Muniganti @ 2021-09-29 9:08 UTC
To: gakhil, radu.nicolau, roy.fan.zhang, hemant.agrawal, konstantin.ananyev
Cc: Archana Muniganti, anoobj, ktejasree, adwivedi, jerinj, dev
Add inner packet IPv4 hdr and L4 checksum enable options
in conf. These will be used in case of protocol offload.
Per SA, application could specify whether the
checksum (compute/verify) can be offloaded to security device.
Depends on
https://patches.dpdk.org/project/dpdk/list/?series=19243
Changes in v2:
- Fixed release notes
- Added feature flag in default.ini and cn10k.ini
- Fixed test patch subject
Archana Muniganti (3):
security: add SA config option for inner pkt csum
crypto/cnxk: add inner checksum
test/crypto: add inner checksum cases
app/test/test_cryptodev.c | 34 +++
app/test/test_cryptodev_security_ipsec.c | 195 ++++++++++++++++++
app/test/test_cryptodev_security_ipsec.h | 2 +
...st_cryptodev_security_ipsec_test_vectors.h | 118 +++++++++++
doc/guides/cryptodevs/features/cn10k.ini | 1 +
doc/guides/cryptodevs/features/default.ini | 1 +
doc/guides/rel_notes/deprecation.rst | 4 +-
doc/guides/rel_notes/release_21_11.rst | 6 +
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 65 ++++--
drivers/crypto/cnxk/cn10k_ipsec.c | 49 ++++-
drivers/crypto/cnxk/cn10k_ipsec.h | 1 +
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 9 +-
drivers/crypto/cnxk/cnxk_cryptodev.c | 3 +
.../crypto/cnxk/cnxk_cryptodev_capabilities.c | 2 +
lib/cryptodev/rte_cryptodev.h | 2 +
lib/security/rte_security.h | 18 ++
16 files changed, 490 insertions(+), 20 deletions(-)
--
2.22.0
* [dpdk-dev] [PATCH v2 1/3] security: add SA config option for inner pkt csum
From: Archana Muniganti @ 2021-09-29 9:08 UTC
To: gakhil, radu.nicolau, roy.fan.zhang, hemant.agrawal, konstantin.ananyev
Cc: Archana Muniganti, anoobj, ktejasree, adwivedi, jerinj, dev
Add inner packet IPv4 hdr and L4 checksum enable options
in conf. These will be used in case of protocol offload.
Per SA, application could specify whether the
checksum (compute/verify) can be offloaded to security device.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
doc/guides/cryptodevs/features/default.ini | 1 +
doc/guides/rel_notes/deprecation.rst | 4 ++--
doc/guides/rel_notes/release_21_11.rst | 4 ++++
lib/cryptodev/rte_cryptodev.h | 2 ++
lib/security/rte_security.h | 18 ++++++++++++++++++
5 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini
index c24814de98..96d95ddc81 100644
--- a/doc/guides/cryptodevs/features/default.ini
+++ b/doc/guides/cryptodevs/features/default.ini
@@ -33,6 +33,7 @@ Non-Byte aligned data =
Sym raw data path API =
Cipher multiple data units =
Cipher wrapped key =
+Inner checksum =
;
; Supported crypto algorithms of a default crypto driver.
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 05fc2fdee7..8308e00ed4 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -232,8 +232,8 @@ Deprecation Notices
IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number).
* security: The IPsec SA config options ``struct rte_security_ipsec_sa_options``
- will be updated with new fields to support new features like IPsec inner
- checksum, TSO in case of protocol offload.
+ will be updated with new fields to support new features like TSO in case of
+ protocol offload.
* ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
``hdr_l3_len`` to configure tunnel L3 header length.
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 8da851cccc..93d1b36889 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -194,6 +194,10 @@ ABI Changes
``rte_security_ipsec_xform`` to allow applications to configure SA soft
and hard expiry limits. Limits can be either in number of packets or bytes.
+* security: The new options ``ip_csum_enable`` and ``l4_csum_enable`` were added
+ in structure ``rte_security_ipsec_sa_options`` to indicate whether inner
+ packet IPv4 header checksum and L4 checksum need to be offloaded to
+ security device.
Known Issues
------------
diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
index bb01f0f195..d9271a6c45 100644
--- a/lib/cryptodev/rte_cryptodev.h
+++ b/lib/cryptodev/rte_cryptodev.h
@@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum,
/**< Support operations on multiple data-units message */
#define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL << 26)
/**< Support wrapped key in cipher xform */
+#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL << 27)
+/**< Support inner checksum computation/verification */
/**
* Get the name of a crypto device feature flag
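Review bot: the new RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM define has no matching entry in the feature-name lookup whose doc comment sits right below it. The diffstat for this patch touches only rte_cryptodev.h under lib/cryptodev, so rte_cryptodev_get_feature_name() is not taught about bit 27 and tools that print device features will not get a name for it. Suggest adding the case for this flag to that function in the same patch.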
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index ab1a6e1f65..945f45ad76 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
* * 0: Do not match UDP ports
*/
uint32_t udp_ports_verify : 1;
+
+ /** Compute/verify inner packet IPv4 header checksum in tunnel mode
+ *
+ * * 1: For outbound, compute inner packet IPv4 header checksum
+ * before tunnel encapsulation and for inbound, verify after
+ * tunnel decapsulation.
+ * * 0: Inner packet IP header checksum is not computed/verified.
+ */
+ uint32_t ip_csum_enable : 1;
+
+ /** Compute/verify inner packet L4 checksum in tunnel mode
+ *
+ * * 1: For outbound, compute inner packet L4 checksum before
+ * tunnel encapsulation and for inbound, verify after
+ * tunnel decapsulation.
+ * * 0: Inner packet L4 checksum is not computed/verified.
+ */
+ uint32_t l4_csum_enable : 1;
};
/** IPSec security association direction */
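Review bot: the doc comments on ip_csum_enable and l4_csum_enable do not say how the inbound verification result reaches the application, nor whether outbound computation also depends on per-packet mbuf flags. Patch 2/3 reports the result through PKT_RX_IP_CKSUM_* and PKT_RX_L4_CKSUM_* in mbuf->ol_flags and looks at PKT_TX_IP_CKSUM / PKT_TX_L4_MASK on transmit, so that contract belongs here rather than being left to each PMD. The first comment also says "IPv4 header checksum" for value 1 but "IP header checksum" for value 0; please make the two consistent, and state what is expected when either bit is set on a transport-mode SA, since the text limits the option to tunnel mode.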
--
2.22.0
* [dpdk-dev] [PATCH v2 2/3] crypto/cnxk: add inner checksum
From: Archana Muniganti @ 2021-09-29 9:08 UTC
To: gakhil, radu.nicolau, roy.fan.zhang, hemant.agrawal, konstantin.ananyev
Cc: Archana Muniganti, anoobj, ktejasree, adwivedi, jerinj, dev
Add inner checksum support for cn10k.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
doc/guides/cryptodevs/features/cn10k.ini | 1 +
doc/guides/rel_notes/release_21_11.rst | 1 +
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 65 +++++++++++++++----
drivers/crypto/cnxk/cn10k_ipsec.c | 49 +++++++++++++-
drivers/crypto/cnxk/cn10k_ipsec.h | 1 +
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 9 ++-
drivers/crypto/cnxk/cnxk_cryptodev.c | 3 +
.../crypto/cnxk/cnxk_cryptodev_capabilities.c | 2 +
8 files changed, 113 insertions(+), 18 deletions(-)
diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini
index f5552feca3..9d08bd5c04 100644
--- a/doc/guides/cryptodevs/features/cn10k.ini
+++ b/doc/guides/cryptodevs/features/cn10k.ini
@@ -15,6 +15,7 @@ OOP SGL In SGL Out = Y
OOP LB In LB Out = Y
Symmetric sessionless = Y
Digest encrypted = Y
+Inner checksum = Y
;
; Supported crypto algorithms of 'cn10k' crypto driver.
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 93d1b36889..163cdaa800 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -72,6 +72,7 @@ New Features
* Added Transport mode support in lookaside protocol (IPsec) for CN10K.
* Added UDP encapsulation support in lookaside protocol (IPsec) for CN10K.
* Added support for lookaside protocol (IPsec) offload for CN9K.
+ * Added inner checksum support in lookaside protocol (IPsec) for CN10K.
* **Added support for event crypto adapter on Marvell CN10K and CN9K.**
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 3caf05aab9..c25c8e67b2 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -50,7 +50,7 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op)
static __rte_always_inline int __rte_hot
cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
- struct cpt_inst_s *inst)
+ struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = op->sym;
union roc_ot_ipsec_sa_word2 *w2;
@@ -72,8 +72,10 @@ cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
if (w2->s.dir == ROC_IE_SA_DIR_OUTBOUND)
ret = process_outb_sa(op, sa, inst);
- else
+ else {
+ infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND;
ret = process_inb_sa(op, sa, inst);
+ }
return ret;
}
@@ -122,7 +124,8 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[],
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
sec_sess = get_sec_session_private_data(
sym_op->sec_session);
- ret = cpt_sec_inst_fill(op, sec_sess, &inst[0]);
+ ret = cpt_sec_inst_fill(op, sec_sess, infl_req,
+ &inst[0]);
if (unlikely(ret))
return 0;
w7 = sec_sess->sa.inst.w7;
@@ -342,6 +345,49 @@ cn10k_cpt_sec_post_process(struct rte_crypto_op *cop,
m->pkt_len = m_len;
}
+static inline void
+cn10k_cpt_sec_ucc_process(struct rte_crypto_op *cop,
+ struct cpt_inflight_req *infl_req,
+ const uint8_t uc_compcode)
+{
+ struct cn10k_sec_session *sess;
+ struct cn10k_ipsec_sa *sa;
+ struct rte_mbuf *mbuf;
+
+ if (uc_compcode == ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST)
+ cop->aux_flags = RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
+
+ if (!(infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND))
+ return;
+
+ sess = get_sec_session_private_data(cop->sym->sec_session);
+ sa = &sess->sa;
+
+ mbuf = cop->sym->m_src;
+
+ switch (uc_compcode) {
+ case ROC_IE_OT_UCC_SUCCESS:
+ if (sa->ip_csum_enable)
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+ break;
+ case ROC_IE_OT_UCC_SUCCESS_PKT_IP_BADCSUM:
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_BAD;
+ break;
+ case ROC_IE_OT_UCC_SUCCESS_PKT_L4_GOODCSUM:
+ mbuf->ol_flags |= PKT_RX_L4_CKSUM_GOOD;
+ if (sa->ip_csum_enable)
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+ break;
+ case ROC_IE_OT_UCC_SUCCESS_PKT_L4_BADCSUM:
+ mbuf->ol_flags |= PKT_RX_L4_CKSUM_BAD;
+ if (sa->ip_csum_enable)
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+ break;
+ default:
+ break;
+ }
+}
+
static inline void
cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
struct rte_crypto_op *cop,
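Review bot: every case of the switch in cn10k_cpt_sec_ucc_process() ORs a checksum status into mbuf->ol_flags without first clearing PKT_RX_IP_CKSUM_MASK and PKT_RX_L4_CKSUM_MASK. GOOD and BAD are separate bits of one field, so if m_src already carries a status (for example from the Rx of the outer packet), the OR leaves a combined value that no longer means what this code intends. Suggest clearing both masks on the inbound path before the switch. Separately, ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST on an inbound SA falls into default and reports no checksum status at all, and a plain ROC_IE_OT_UCC_SUCCESS never sets an L4 flag; a comment saying whether both are intended would help.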
@@ -357,17 +403,8 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
if (likely(compcode == CPT_COMP_WARN)) {
- if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) {
- /* Success with additional info */
- switch (uc_compcode) {
- case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST:
- cop->aux_flags =
- RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
- break;
- default:
- break;
- }
- }
+ /* Success with additional info */
+ cn10k_cpt_sec_ucc_process(cop, infl_req, uc_compcode);
cn10k_cpt_sec_post_process(cop, res);
} else {
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
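Review bot: with the unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS) guard removed, cn10k_cpt_sec_ucc_process() now runs for every security op, plain success and outbound included, so the retained "Success with additional info" comment no longer describes the call. Either keep a cheap guard for the case where neither soft expiry nor inbound checksum reporting applies, or reword the comment to say the helper handles all CPT_COMP_WARN completions.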
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index ebb2a7ec48..defc792aa8 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -37,6 +37,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
struct rte_crypto_sym_xform *crypto_xfrm,
struct rte_security_session *sec_sess)
{
+ union roc_ot_ipsec_outb_param1 param1;
struct roc_ot_ipsec_outb_sa *out_sa;
struct cnxk_ipsec_outb_rlens rlens;
struct cn10k_sec_session *sess;
@@ -83,7 +84,27 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
/* pre-populate CPT INST word 4 */
inst_w4.u64 = 0;
inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;
- inst_w4.s.param1 = 0;
+
+ param1.u16 = 0;
+
+ /* Disable IP checksum computation by default */
+ param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.ip_csum_enable) {
+ param1.s.ip_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
+ }
+
+ /* Disable L4 checksum computation by default */
+ param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.l4_csum_enable) {
+ param1.s.l4_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
+ }
+
+ inst_w4.s.param1 = param1.u16;
+
sa->inst.w4 = inst_w4.u64;
return 0;
@@ -95,6 +116,7 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
struct rte_crypto_sym_xform *crypto_xfrm,
struct rte_security_session *sec_sess)
{
+ union roc_ot_ipsec_inb_param1 param1;
struct roc_ot_ipsec_inb_sa *in_sa;
struct cn10k_sec_session *sess;
struct cn10k_ipsec_sa *sa;
@@ -121,8 +143,29 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
inst_w4.u64 = 0;
inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC;
- /* Disable checksum verification for now */
- inst_w4.s.param1 = 7;
+ param1.u16 = 0;
+
+ /* Disable IP checksum verification by default */
+ param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.ip_csum_enable) {
+ param1.s.ip_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
+ sa->ip_csum_enable = true;
+ }
+
+ /* Disable L4 checksum verification by default */
+ param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.l4_csum_enable) {
+ param1.s.l4_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
+ }
+
+ param1.s.esp_trailer_disable = 1;
+
+ inst_w4.s.param1 = param1.u16;
+
sa->inst.w4 = inst_w4.u64;
return 0;
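Review bot: in cn10k_ipsec_inb_sa_create() the line "param1.s.esp_trailer_disable = 1;" has no comment, while the code it replaces set param1 to 7 under "Disable checksum verification for now"; please say why the ESP trailer bit stays set now that the two checksum bits are configurable. sa->ip_csum_enable is also written only in the enabled branch, which relies on the SA having been zeroed somewhere outside this hunk; assigning it directly from ipsec_xfrm->options.ip_csum_enable would make that explicit.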
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index 6f974b716d..86cd2483f5 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -23,6 +23,7 @@ struct cn10k_ipsec_sa {
uint16_t max_extended_len;
uint16_t iv_offset;
uint8_t iv_length;
+ bool ip_csum_enable;
};
struct cn10k_sec_session {
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index 862476a72e..df1b0a3678 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -53,6 +53,7 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
{
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
+ uint64_t inst_w4_u64 = sess->inst.w4;
if (unlikely(rte_pktmbuf_tailroom(m_src) < sess->max_extended_len)) {
plt_dp_err("Not enough tail room");
@@ -68,8 +69,14 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
}
#endif
+ if (m_src->ol_flags & PKT_TX_IP_CKSUM)
+ inst_w4_u64 &= ~BIT_ULL(33);
+
+ if (m_src->ol_flags & PKT_TX_L4_MASK)
+ inst_w4_u64 &= ~BIT_ULL(32);
+
/* Prepare CPT instruction */
- inst->w4.u64 = sess->inst.w4;
+ inst->w4.u64 = inst_w4_u64;
inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src);
inst->dptr = rte_pktmbuf_iova(m_src);
inst->rptr = inst->dptr;
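Review bot: the two added checks in process_outb_sa() let a per-packet mbuf flag override the SA setting. Assuming bits 33 and 32 of w4 are the ip_csum_disable and l4_csum_disable fields of param1 that cn10k_ipsec.c sets at SA creation, an SA created with ip_csum_enable = 0 still gets the inner IPv4 checksum computed whenever PKT_TX_IP_CKSUM is set, which contradicts the "0: Inner packet IP header checksum is not computed/verified" wording in rte_security.h, while an SA created with the option set computes it regardless of the flag. Please state which of the two is authoritative and document it. The bare BIT_ULL(33) and BIT_ULL(32) should also become named macros or go through the roc_ot_ipsec_outb_param1 fields so the mapping can be checked.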
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.c b/drivers/crypto/cnxk/cnxk_cryptodev.c
index 5c7801ec48..d67de54a7b 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.c
@@ -24,6 +24,9 @@ cnxk_cpt_default_ff_get(void)
RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED |
RTE_CRYPTODEV_FF_SECURITY;
+ if (roc_model_is_cn10k())
+ ff |= RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM;
+
return ff;
}
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index ba4166c56d..20df37709a 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -926,6 +926,8 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
sec_cap->ipsec.options.tunnel_hdr_verify =
RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
}
+ sec_cap->ipsec.options.ip_csum_enable = 1;
+ sec_cap->ipsec.options.l4_csum_enable = 1;
}
static void
--
2.22.0
* [dpdk-dev] [PATCH v2 3/3] test/crypto: add inner checksum cases
From: Archana Muniganti @ 2021-09-29 9:08 UTC
To: gakhil, radu.nicolau, roy.fan.zhang, hemant.agrawal, konstantin.ananyev
Cc: Archana Muniganti, anoobj, ktejasree, adwivedi, jerinj, dev
This patch adds tests for inner IP and inner L4 checksum
in IPsec mode.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
app/test/test_cryptodev.c | 34 +++
app/test/test_cryptodev_security_ipsec.c | 195 ++++++++++++++++++
app/test/test_cryptodev_security_ipsec.h | 2 +
...st_cryptodev_security_ipsec_test_vectors.h | 118 +++++++++++
doc/guides/rel_notes/release_21_11.rst | 1 +
5 files changed, 350 insertions(+)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 5f0d023451..c127e6bc04 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -18,6 +18,8 @@
#include <rte_cryptodev.h>
#include <rte_ip.h>
#include <rte_string_fns.h>
+#include <rte_tcp.h>
+#include <rte_udp.h>
#ifdef RTE_CRYPTO_SCHEDULER
#include <rte_cryptodev_scheduler.h>
@@ -9275,6 +9277,30 @@ test_ipsec_proto_udp_ports_verify(const void *data __rte_unused)
return test_ipsec_proto_all(&flags);
}
+static int
+test_ipsec_proto_inner_ip_csum(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ip_csum = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_inner_l4_csum(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.l4_csum = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
static int
test_PDCP_PROTO_all(void)
{
@@ -14231,6 +14257,14 @@ static struct unit_test_suite ipsec_proto_testsuite = {
"Tunnel src and dst addr verification",
ut_setup_security, ut_teardown,
test_ipsec_proto_tunnel_src_dst_addr_verify),
+ TEST_CASE_NAMED_ST(
+ "Inner IP checksum",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_inner_ip_csum),
+ TEST_CASE_NAMED_ST(
+ "Inner L4 checksum",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_inner_l4_csum),
TEST_CASES_END() /**< NULL terminate unit test array */
}
};
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 764e77bbff..bcd9746c98 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -7,6 +7,7 @@
#include <rte_esp.h>
#include <rte_ip.h>
#include <rte_security.h>
+#include <rte_tcp.h>
#include <rte_udp.h>
#include "test.h"
@@ -103,6 +104,22 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
return -ENOTSUP;
}
+ if (ipsec_xform->options.ip_csum_enable == 1 &&
+ sec_cap->ipsec.options.ip_csum_enable == 0) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Inner IP checksum is not supported\n");
+ return -ENOTSUP;
+ }
+
+ if (ipsec_xform->options.l4_csum_enable == 1 &&
+ sec_cap->ipsec.options.l4_csum_enable == 0) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Inner L4 checksum is not supported\n");
+ return -ENOTSUP;
+ }
+
return 0;
}
@@ -160,6 +177,56 @@ test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
}
}
+static bool
+is_ipv4(void *ip)
+{
+ struct rte_ipv4_hdr *ipv4 = ip;
+ uint8_t ip_ver;
+
+ ip_ver = (ipv4->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER;
+ if (ip_ver == IPVERSION)
+ return true;
+ else
+ return false;
+}
+
+static void
+test_ipsec_csum_init(void *ip, bool l3, bool l4)
+{
+ struct rte_ipv4_hdr *ipv4;
+ struct rte_tcp_hdr *tcp;
+ struct rte_udp_hdr *udp;
+ uint8_t next_proto;
+ uint8_t size;
+
+ if (is_ipv4(ip)) {
+ ipv4 = ip;
+ size = sizeof(struct rte_ipv4_hdr);
+ next_proto = ipv4->next_proto_id;
+
+ if (l3)
+ ipv4->hdr_checksum = 0;
+ } else {
+ size = sizeof(struct rte_ipv6_hdr);
+ next_proto = ((struct rte_ipv6_hdr *)ip)->proto;
+ }
+
+ if (l4) {
+ switch (next_proto) {
+ case IPPROTO_TCP:
+ tcp = (struct rte_tcp_hdr *)RTE_PTR_ADD(ip, size);
+ tcp->cksum = 0;
+ break;
+ case IPPROTO_UDP:
+ udp = (struct rte_udp_hdr *)RTE_PTR_ADD(ip, size);
+ udp->dgram_cksum = 0;
+ break;
+ default:
+ return;
+ }
+ }
+}
+
void
test_ipsec_td_prepare(const struct crypto_param *param1,
const struct crypto_param *param2,
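Review bot: is_ipv4() shifts the version nibble by RTE_IPV4_IHL_MULTIPLIER, which is the factor for converting the IHL field to bytes, not the bit position of the version field; it works only because both happen to be 4. Use a literal shift of 4 or a dedicated macro, and collapse the if/else into "return ip_ver == IPVERSION;". test_ipsec_csum_init() also places the L4 header at sizeof(struct rte_ipv4_hdr) or sizeof(struct rte_ipv6_hdr), so a vector with IPv4 options or IPv6 extension headers would have the wrong bytes zeroed; at least the IPv4 case should derive the offset from the IHL.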
@@ -194,6 +261,17 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
if (flags->sa_expiry_pkts_soft)
td->ipsec_xform.life.packets_soft_limit =
IPSEC_TEST_PACKETS_MAX - 1;
+
+ if (flags->ip_csum) {
+ td->ipsec_xform.options.ip_csum_enable = 1;
+ test_ipsec_csum_init(&td->input_text.data, true, false);
+ }
+
+ if (flags->l4_csum) {
+ td->ipsec_xform.options.l4_csum_enable = 1;
+ test_ipsec_csum_init(&td->input_text.data, false, true);
+ }
+
}
RTE_SET_USED(param2);
@@ -230,6 +308,12 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
td_inb[i].ipsec_xform.options.tunnel_hdr_verify =
flags->tunnel_hdr_verify;
+ if (flags->ip_csum)
+ td_inb[i].ipsec_xform.options.ip_csum_enable = 1;
+
+ if (flags->l4_csum)
+ td_inb[i].ipsec_xform.options.l4_csum_enable = 1;
+
/* Clear outbound specific flags */
td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
}
@@ -305,12 +389,96 @@ test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td)
return TEST_SUCCESS;
}
+static int
+test_ipsec_l3_csum_verify(struct rte_mbuf *m)
+{
+ uint16_t actual_cksum, expected_cksum;
+ struct rte_ipv4_hdr *ip;
+
+ ip = rte_pktmbuf_mtod(m, struct rte_ipv4_hdr *);
+
+ if (!is_ipv4((void *)ip))
+ return TEST_SKIPPED;
+
+ actual_cksum = ip->hdr_checksum;
+
+ ip->hdr_checksum = 0;
+
+ expected_cksum = rte_ipv4_cksum(ip);
+
+ if (actual_cksum != expected_cksum)
+ return TEST_FAILED;
+
+ return TEST_SUCCESS;
+}
+
+static int
+test_ipsec_l4_csum_verify(struct rte_mbuf *m)
+{
+ uint16_t actual_cksum = 0, expected_cksum = 0;
+ struct rte_ipv4_hdr *ipv4;
+ struct rte_ipv6_hdr *ipv6;
+ struct rte_tcp_hdr *tcp;
+ struct rte_udp_hdr *udp;
+ void *ip, *l4;
+
+ ip = rte_pktmbuf_mtod(m, void *);
+
+ if (is_ipv4(ip)) {
+ ipv4 = ip;
+ l4 = RTE_PTR_ADD(ipv4, sizeof(struct rte_ipv4_hdr));
+
+ switch (ipv4->next_proto_id) {
+ case IPPROTO_TCP:
+ tcp = (struct rte_tcp_hdr *)l4;
+ actual_cksum = tcp->cksum;
+ tcp->cksum = 0;
+ expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4);
+ break;
+ case IPPROTO_UDP:
+ udp = (struct rte_udp_hdr *)l4;
+ actual_cksum = udp->dgram_cksum;
+ udp->dgram_cksum = 0;
+ expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4);
+ break;
+ default:
+ break;
+ }
+ } else {
+ ipv6 = ip;
+ l4 = RTE_PTR_ADD(ipv6, sizeof(struct rte_ipv6_hdr));
+
+ switch (ipv6->proto) {
+ case IPPROTO_TCP:
+ tcp = (struct rte_tcp_hdr *)l4;
+ actual_cksum = tcp->cksum;
+ tcp->cksum = 0;
+ expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4);
+ break;
+ case IPPROTO_UDP:
+ udp = (struct rte_udp_hdr *)l4;
+ actual_cksum = udp->dgram_cksum;
+ udp->dgram_cksum = 0;
+ expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4);
+ break;
+ default:
+ break;
+ }
+ }
+
+ if (actual_cksum != expected_cksum)
+ return TEST_FAILED;
+
+ return TEST_SUCCESS;
+}
+
static int
test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
bool silent, const struct ipsec_test_flags *flags)
{
uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
uint32_t skip, len = rte_pktmbuf_pkt_len(m);
+ int ret;
/* For tests with status as error for test success, skip verification */
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
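Review bot: in test_ipsec_l4_csum_verify() the default branches leave actual_cksum and expected_cksum at 0, so a packet whose inner protocol is neither TCP nor UDP returns TEST_SUCCESS without checking anything; return TEST_SKIPPED there, as test_ipsec_l3_csum_verify() does for non-IPv4. Both helpers also zero the checksum field in the mbuf and never write actual_cksum back, so any later comparison sees a modified packet. The L4 offset is again fixed at sizeof(struct rte_ipv4_hdr), which is wrong when IHL is greater than 5.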
@@ -354,6 +522,33 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
len -= skip;
output_text += skip;
+ if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ flags->ip_csum) {
+ if (m->ol_flags & PKT_RX_IP_CKSUM_GOOD)
+ ret = test_ipsec_l3_csum_verify(m);
+ else
+ ret = TEST_FAILED;
+
+ if (ret == TEST_FAILED)
+ printf("Inner IP checksum test failed\n");
+
+ return ret;
+ }
+
+ if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ flags->l4_csum) {
+ if (m->ol_flags & PKT_RX_L4_CKSUM_GOOD)
+ ret = test_ipsec_l4_csum_verify(m);
+ else
+ ret = TEST_FAILED;
+
+ if (ret == TEST_FAILED)
+ printf("Inner L4 checksum test failed\n");
+
+ return ret;
+ }
+
+
if (memcmp(output_text, td->output_text.data + skip, len)) {
if (silent)
return TEST_FAILED;
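Review bot: both added blocks in test_ipsec_td_verify() end in "return ret;", so when flags->ip_csum or flags->l4_csum is set on an ingress SA the memcmp() against td->output_text below is never reached and the decrypted payload goes unchecked. Fall through to the comparison when ret is TEST_SUCCESS, or add a comment if the comparison is skipped on purpose because the checksum bytes differ from the vector. TEST_SKIPPED from the L3 helper is also returned as the result of the whole verification, and with both flags set only the IP check runs. Only the *_CKSUM_GOOD path is covered; a case with a deliberately corrupted inner checksum that expects *_CKSUM_BAD would exercise the other completion codes handled in the driver. There is a doubled blank "+" line after the second block.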
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 0416005520..7628d0c42a 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -56,6 +56,8 @@ struct ipsec_test_flags {
uint32_t tunnel_hdr_verify;
bool udp_encap;
bool udp_ports_verify;
+ bool ip_csum;
+ bool l4_csum;
};
struct crypto_param {
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
index 4e147ec19c..5d4518c39c 100644
--- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -95,6 +95,8 @@ struct ipsec_test_data pkt_aes_128_gcm = {
.options.ecn = 0,
.options.stats = 0,
.options.tunnel_hdr_verify = 0,
+ .options.ip_csum_enable = 0,
+ .options.l4_csum_enable = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -192,6 +194,8 @@ struct ipsec_test_data pkt_aes_192_gcm = {
.options.ecn = 0,
.options.stats = 0,
.options.tunnel_hdr_verify = 0,
+ .options.ip_csum_enable = 0,
+ .options.l4_csum_enable = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -292,6 +296,8 @@ struct ipsec_test_data pkt_aes_256_gcm = {
.options.ecn = 0,
.options.stats = 0,
.options.tunnel_hdr_verify = 0,
+ .options.ip_csum_enable = 0,
+ .options.l4_csum_enable = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -318,4 +324,116 @@ struct ipsec_test_data pkt_aes_256_gcm = {
},
};
+/* Known vectors for AES-CBC
+ * https://datatracker.ietf.org/doc/html/rfc3602#section-4
+ */
+
+struct ipsec_test_data pkt_aes_128_cbc_null = {
+ .key = {
+ .data = {
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ },
+ },
+ .input_text = {
+ .data = {
+ /* IP - outer header */
+ 0x45, 0x00, 0x00, 0x8c, 0x00, 0x02, 0x00, 0x00,
+ 0x40, 0x32, 0x27, 0xbc, 0x00, 0x01, 0xa8, 0xc0,
+ 0x01, 0x01, 0xa8, 0xc0,
+
+ /* ESP */
+ 0x00, 0x00, 0x87, 0x65, 0x00, 0x00, 0x00, 0x02,
+
+ /* IV */
+ 0xf4, 0xe7, 0x65, 0x24, 0x4f, 0x64, 0x07, 0xad,
+ 0xf1, 0x3d, 0xc1, 0x38, 0x0f, 0x67, 0x3f, 0x37,
+
+ /* Data */
+ 0x77, 0x3b, 0x52, 0x41, 0xa4, 0xc4, 0x49, 0x22,
+ 0x5e, 0x4f, 0x3c, 0xe5, 0xed, 0x61, 0x1b, 0x0c,
+ 0x23, 0x7c, 0xa9, 0x6c, 0xf7, 0x4a, 0x93, 0x01,
+ 0x3c, 0x1b, 0x0e, 0xa1, 0xa0, 0xcf, 0x70, 0xf8,
+ 0xe4, 0xec, 0xae, 0xc7, 0x8a, 0xc5, 0x3a, 0xad,
+ 0x7a, 0x0f, 0x02, 0x2b, 0x85, 0x92, 0x43, 0xc6,
+ 0x47, 0x75, 0x2e, 0x94, 0xa8, 0x59, 0x35, 0x2b,
+ 0x8a, 0x4d, 0x4d, 0x2d, 0xec, 0xd1, 0x36, 0xe5,
+ 0xc1, 0x77, 0xf1, 0x32, 0xad, 0x3f, 0xbf, 0xb2,
+ 0x20, 0x1a, 0xc9, 0x90, 0x4c, 0x74, 0xee, 0x0a,
+ 0x10, 0x9e, 0x0c, 0xa1, 0xe4, 0xdf, 0xe9, 0xd5,
+ 0xa1, 0x00, 0xb8, 0x42, 0xf1, 0xc2, 0x2f, 0x0d,
+ },
+ .len = 140,
+ },
+ .output_text = {
+ .data = {
+ /* IP */
+ 0x45, 0x00, 0x00, 0x54, 0x09, 0x04, 0x00, 0x00,
+ 0x40, 0x01, 0xf9, 0x88, 0xc0, 0xa8, 0x7b, 0x03,
+ 0xc0, 0xa8, 0x7b, 0xc8,
+
+ /* ICMP */
+ 0x08, 0x00, 0x9f, 0x76, 0xa9, 0x0a, 0x01, 0x00,
+ 0xb4, 0x9c, 0x08, 0x3d, 0x02, 0xa2, 0x04, 0x00,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+ 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+ 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x09, 0x0a, 0x0a, 0x04,
+ },
+ .len = 84,
+ },
+ .iv = {
+ .data = {
+ 0xf4, 0xe7, 0x65, 0x24, 0x4f, 0x64, 0x07, 0xad,
+ 0xf1, 0x3d, 0xc1, 0x38, 0x0f, 0x67, 0x3f, 0x37,
+ },
+ },
+
+ .ipsec_xform = {
+ .spi = 0x8765,
+ .options.esn = 0,
+ .options.udp_encap = 0,
+ .options.copy_dscp = 0,
+ .options.copy_flabel = 0,
+ .options.copy_df = 0,
+ .options.dec_ttl = 0,
+ .options.ecn = 0,
+ .options.stats = 0,
+ .options.tunnel_hdr_verify = 0,
+ .options.ip_csum_enable = 0,
+ .options.l4_csum_enable = 0,
+ .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+ .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+ .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+ .replay_win_sz = 0,
+ },
+
+ .aead = false,
+
+ .xform = {
+ .chain.cipher = {
+ .next = NULL,
+ .type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+ .cipher = {
+ .op = RTE_CRYPTO_CIPHER_OP_DECRYPT,
+ .algo = RTE_CRYPTO_CIPHER_AES_CBC,
+ .key.length = 16,
+ .iv.length = 16,
+ },
+ },
+ .chain.auth = {
+ .next = NULL,
+ .type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ .auth = {
+ .algo = RTE_CRYPTO_AUTH_NULL,
+ },
+ },
+ },
+};
+
#endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */
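Review bot: pkt_aes_128_cbc_null is added here but no hunk in this patch references it, so as posted it is dead data. Its inner packet is ICMP, which neither test_ipsec_csum_init() nor test_ipsec_l4_csum_verify() handles, so it cannot serve the L4 checksum case either. Either wire it into a test in this patch with a note on which checksum case it is meant to cover, or move it to the patch that first uses it.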
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 163cdaa800..e2e1e1547f 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -106,6 +106,7 @@ New Features
* Added tests to validate packets soft expiry.
* Added tests to validate packets hard expiry.
* Added tests to verify tunnel header verification in IPsec inbound.
+ * Added tests to verify inner checksum.
Removed Items
--
2.22.0
* Re: [dpdk-dev] [PATCH v2 1/3] security: add SA config option for inner pkt csum
2021-09-29 9:08 ` [dpdk-dev] [PATCH v2 1/3] security: " Archana Muniganti
@ 2021-09-29 10:56 ` Ananyev, Konstantin
2021-09-29 11:03 ` Anoob Joseph
0 siblings, 1 reply; 9+ messages in thread
From: Ananyev, Konstantin @ 2021-09-29 10:56 UTC
To: Archana Muniganti, gakhil, Nicolau, Radu, Zhang, Roy Fan, hemant.agrawal
Cc: anoobj, ktejasree, adwivedi, jerinj, dev
> Add inner packet IPv4 hdr and L4 checksum enable options
> in conf. These will be used in case of protocol offload.
> Per SA, application could specify whether the
> checksum(compute/verify) can be offloaded to security device.
>
> Signed-off-by: Archana Muniganti <marchana@marvell.com>
> ---
> doc/guides/cryptodevs/features/default.ini | 1 +
> doc/guides/rel_notes/deprecation.rst | 4 ++--
> doc/guides/rel_notes/release_21_11.rst | 4 ++++
> lib/cryptodev/rte_cryptodev.h | 2 ++
> lib/security/rte_security.h | 18 ++++++++++++++++++
> 5 files changed, 27 insertions(+), 2 deletions(-)
>
> diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini
> index c24814de98..96d95ddc81 100644
> --- a/doc/guides/cryptodevs/features/default.ini
> +++ b/doc/guides/cryptodevs/features/default.ini
> @@ -33,6 +33,7 @@ Non-Byte aligned data =
> Sym raw data path API =
> Cipher multiple data units =
> Cipher wrapped key =
> +Inner checksum =
>
> ;
> ; Supported crypto algorithms of a default crypto driver.
> diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
> index 05fc2fdee7..8308e00ed4 100644
> --- a/doc/guides/rel_notes/deprecation.rst
> +++ b/doc/guides/rel_notes/deprecation.rst
> @@ -232,8 +232,8 @@ Deprecation Notices
> IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number).
>
> * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options``
> - will be updated with new fields to support new features like IPsec inner
> - checksum, TSO in case of protocol offload.
> + will be updated with new fields to support new features like TSO in case of
> + protocol offload.
>
> * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
> ``hdr_l3_len`` to configure tunnel L3 header length.
> diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
> index 8da851cccc..93d1b36889 100644
> --- a/doc/guides/rel_notes/release_21_11.rst
> +++ b/doc/guides/rel_notes/release_21_11.rst
> @@ -194,6 +194,10 @@ ABI Changes
> ``rte_security_ipsec_xform`` to allow applications to configure SA soft
> and hard expiry limits. Limits can be either in number of packets or bytes.
>
> +* security: The new options ``ip_csum_enable`` and ``l4_csum_enable`` were added
> + in structure ``rte_security_ipsec_sa_options`` to indicate whether inner
> + packet IPv4 header checksum and L4 checksum need to be offloaded to
> + security device.
>
> Known Issues
> ------------
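Review bot: The new release-note entry omits two things the rest of this patch states: the header comments limit both options to tunnel mode, and the patch also adds the feature flag `RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM`. Mention tunnel mode in the entry and name the flag, so an application author knows which capability goes with `ip_csum_enable` and `l4_csum_enable`.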
> diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
> index bb01f0f195..d9271a6c45 100644
> --- a/lib/cryptodev/rte_cryptodev.h
> +++ b/lib/cryptodev/rte_cryptodev.h
> @@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum,
> /**< Support operations on multiple data-units message */
> #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL << 26)
> /**< Support wrapped key in cipher xform */
> +#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL << 27)
> +/**< Support inner checksum computation/verification */
>
> /**
> * Get the name of a crypto device feature flag
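Review bot: `RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM` is defined here, but the diffstat of this patch touches no .c file under lib/cryptodev, so the feature-name lookup documented in the trailing context ("Get the name of a crypto device feature flag") gets no string for bit 27. Add the matching name for the new flag in rte_cryptodev.c in the same patch.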
> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> index ab1a6e1f65..945f45ad76 100644
> --- a/lib/security/rte_security.h
> +++ b/lib/security/rte_security.h
> @@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
> * * 0: Do not match UDP ports
> */
> uint32_t udp_ports_verify : 1;
> +
> + /** Compute/verify inner packet IPv4 header checksum in tunnel mode
> + *
> + * * 1: For outbound, compute inner packet IPv4 header checksum
> + * before tunnel encapsulation and for inbound, verify after
> + * tunnel decapsulation.
> + * * 0: Inner packet IP header checksum is not computed/verified.
> + */
> + uint32_t ip_csum_enable : 1;
> +
> + /** Compute/verify inner packet L4 checksum in tunnel mode
> + *
> + * * 1: For outbound, compute inner packet L4 checksum before
> + * tunnel encapsulation and for inbound, verify after
> + * tunnel decapsulation.
> + * * 0: Inner packet L4 checksum is not computed/verified.
> + */
> + uint32_t l4_csum_enable : 1;
As I understand these 2 new flags serve two purposes:
1. report HW/PMD ability to perform these offloads.
2. allow user to enable/disable this offload on SA basis.
One question I have - how will it work on data-path?
Would the decision to perform these offloads be based on mbuf->ol_flags value
(same as we are doing for ethdev TX offloads)?
Or some other approach is implied?
> };
>
> /** IPSec security association direction */
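Review bot: Both new comments say that inbound checksums are verified after tunnel decapsulation, but neither says what the application sees when verification fails (packet dropped by the device, an error status on the operation, or a bad-checksum indication in the mbuf). Document the failure reporting next to `ip_csum_enable` and `l4_csum_enable`; the `ip_csum_enable` comment also covers IPv4 only and should say what the bit means for an inner IPv6 packet.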
> --
> 2.22.0
* Re: [dpdk-dev] [PATCH v2 1/3] security: add SA config option for inner pkt csum
2021-09-29 10:56 ` Ananyev, Konstantin
@ 2021-09-29 11:03 ` Anoob Joseph
2021-09-29 11:39 ` Ananyev, Konstantin
0 siblings, 1 reply; 9+ messages in thread
From: Anoob Joseph @ 2021-09-29 11:03 UTC (permalink / raw)
To: Ananyev, Konstantin, Archana Muniganti, Akhil Goyal, Nicolau,
Radu, Zhang, Roy Fan, hemant.agrawal
Cc: Tejasree Kondoj, Ankur Dwivedi, Jerin Jacob Kollanukkaran, dev
Hi Konstantin,
Please see inline.
Thanks,
Anoob
> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> Sent: Wednesday, September 29, 2021 4:26 PM
> To: Archana Muniganti <marchana@marvell.com>; Akhil Goyal
> <gakhil@marvell.com>; Nicolau, Radu <radu.nicolau@intel.com>; Zhang, Roy
> Fan <roy.fan.zhang@intel.com>; hemant.agrawal@nxp.com
> Cc: Anoob Joseph <anoobj@marvell.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>; Jerin Jacob
> Kollanukkaran <jerinj@marvell.com>; dev@dpdk.org
> Subject: [EXT] RE: [PATCH v2 1/3] security: add SA config option for inner pkt
> csum
>
> External Email
>
> ----------------------------------------------------------------------
> > Add inner packet IPv4 hdr and L4 checksum enable options in conf.
> > These will be used in case of protocol offload.
> > Per SA, application could specify whether the
> > checksum(compute/verify) can be offloaded to security device.
> >
> > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > ---
> > doc/guides/cryptodevs/features/default.ini | 1 +
> > doc/guides/rel_notes/deprecation.rst | 4 ++--
> > doc/guides/rel_notes/release_21_11.rst | 4 ++++
> > lib/cryptodev/rte_cryptodev.h | 2 ++
> > lib/security/rte_security.h | 18 ++++++++++++++++++
> > 5 files changed, 27 insertions(+), 2 deletions(-)
> >
> > diff --git a/doc/guides/cryptodevs/features/default.ini
> > b/doc/guides/cryptodevs/features/default.ini
> > index c24814de98..96d95ddc81 100644
> > --- a/doc/guides/cryptodevs/features/default.ini
> > +++ b/doc/guides/cryptodevs/features/default.ini
> > @@ -33,6 +33,7 @@ Non-Byte aligned data = Sym raw data path API =
> > Cipher multiple data units =
> > Cipher wrapped key =
> > +Inner checksum =
> >
> > ;
> > ; Supported crypto algorithms of a default crypto driver.
> > diff --git a/doc/guides/rel_notes/deprecation.rst
> > b/doc/guides/rel_notes/deprecation.rst
> > index 05fc2fdee7..8308e00ed4 100644
> > --- a/doc/guides/rel_notes/deprecation.rst
> > +++ b/doc/guides/rel_notes/deprecation.rst
> > @@ -232,8 +232,8 @@ Deprecation Notices
> > IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence
> Number).
> >
> > * security: The IPsec SA config options ``struct
> > rte_security_ipsec_sa_options``
> > - will be updated with new fields to support new features like IPsec
> > inner
> > - checksum, TSO in case of protocol offload.
> > + will be updated with new fields to support new features like TSO in
> > + case of protocol offload.
> >
> > * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
> > ``hdr_l3_len`` to configure tunnel L3 header length.
> > diff --git a/doc/guides/rel_notes/release_21_11.rst
> > b/doc/guides/rel_notes/release_21_11.rst
> > index 8da851cccc..93d1b36889 100644
> > --- a/doc/guides/rel_notes/release_21_11.rst
> > +++ b/doc/guides/rel_notes/release_21_11.rst
> > @@ -194,6 +194,10 @@ ABI Changes
> > ``rte_security_ipsec_xform`` to allow applications to configure SA soft
> > and hard expiry limits. Limits can be either in number of packets or bytes.
> >
> > +* security: The new options ``ip_csum_enable`` and ``l4_csum_enable``
> > +were added
> > + in structure ``rte_security_ipsec_sa_options`` to indicate whether
> > +inner
> > + packet IPv4 header checksum and L4 checksum need to be offloaded to
> > + security device.
> >
> > Known Issues
> > ------------
> > diff --git a/lib/cryptodev/rte_cryptodev.h
> > b/lib/cryptodev/rte_cryptodev.h index bb01f0f195..d9271a6c45 100644
> > --- a/lib/cryptodev/rte_cryptodev.h
> > +++ b/lib/cryptodev/rte_cryptodev.h
> > @@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum
> > rte_crypto_asym_xform_type *xform_enum, /**< Support operations on
> multiple data-units message */
> > #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL << 26)
> > /**< Support wrapped key in cipher xform */
> > +#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL
> << 27)
> > +/**< Support inner checksum computation/verification */
> >
> > /**
> > * Get the name of a crypto device feature flag diff --git
> > a/lib/security/rte_security.h b/lib/security/rte_security.h index
> > ab1a6e1f65..945f45ad76 100644
> > --- a/lib/security/rte_security.h
> > +++ b/lib/security/rte_security.h
> > @@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
> > * * 0: Do not match UDP ports
> > */
> > uint32_t udp_ports_verify : 1;
> > +
> > + /** Compute/verify inner packet IPv4 header checksum in tunnel mode
> > + *
> > + * * 1: For outbound, compute inner packet IPv4 header checksum
> > + * before tunnel encapsulation and for inbound, verify after
> > + * tunnel decapsulation.
> > + * * 0: Inner packet IP header checksum is not computed/verified.
> > + */
> > + uint32_t ip_csum_enable : 1;
> > +
> > + /** Compute/verify inner packet L4 checksum in tunnel mode
> > + *
> > + * * 1: For outbound, compute inner packet L4 checksum before
> > + * tunnel encapsulation and for inbound, verify after
> > + * tunnel decapsulation.
> > + * * 0: Inner packet L4 checksum is not computed/verified.
> > + */
> > + uint32_t l4_csum_enable : 1;
>
> As I understand these 2 new flags serve two purposes:
> 1. report HW/PMD ability to perform these offloads.
> 2. allow user to enable/disable this offload on SA basis.
[Anoob] Correct
>
> One question I have - how will it work on data-path?
> Would the decision to perform these offloads be based on mbuf->ol_flags value
> (same as we are doing for ethdev TX offloads)?
> Or some other approach is implied?
[Anoob] There will be two settings. It can be enabled per SA or enabled per packet.
>
> > };
> >
> > /** IPSec security association direction */
> > --
> > 2.22.0
* Re: [dpdk-dev] [PATCH v2 1/3] security: add SA config option for inner pkt csum
2021-09-29 11:03 ` Anoob Joseph
@ 2021-09-29 11:39 ` Ananyev, Konstantin
2021-09-30 5:05 ` Anoob Joseph
0 siblings, 1 reply; 9+ messages in thread
From: Ananyev, Konstantin @ 2021-09-29 11:39 UTC (permalink / raw)
To: Anoob Joseph, Archana Muniganti, Akhil Goyal, Nicolau, Radu,
Zhang, Roy Fan, hemant.agrawal
Cc: Tejasree Kondoj, Ankur Dwivedi, Jerin Jacob Kollanukkaran, dev
Hi Anoob,
> Hi Konstantin,
>
> Please see inline.
>
> Thanks,
> Anoob
>
> > -----Original Message-----
> > From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> > Sent: Wednesday, September 29, 2021 4:26 PM
> > To: Archana Muniganti <marchana@marvell.com>; Akhil Goyal
> > <gakhil@marvell.com>; Nicolau, Radu <radu.nicolau@intel.com>; Zhang, Roy
> > Fan <roy.fan.zhang@intel.com>; hemant.agrawal@nxp.com
> > Cc: Anoob Joseph <anoobj@marvell.com>; Tejasree Kondoj
> > <ktejasree@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>; Jerin Jacob
> > Kollanukkaran <jerinj@marvell.com>; dev@dpdk.org
> > Subject: [EXT] RE: [PATCH v2 1/3] security: add SA config option for inner pkt
> > csum
> >
> > External Email
> >
> > ----------------------------------------------------------------------
> > > Add inner packet IPv4 hdr and L4 checksum enable options in conf.
> > > These will be used in case of protocol offload.
> > > Per SA, application could specify whether the
> > > checksum(compute/verify) can be offloaded to security device.
> > >
> > > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > > ---
> > > doc/guides/cryptodevs/features/default.ini | 1 +
> > > doc/guides/rel_notes/deprecation.rst | 4 ++--
> > > doc/guides/rel_notes/release_21_11.rst | 4 ++++
> > > lib/cryptodev/rte_cryptodev.h | 2 ++
> > > lib/security/rte_security.h | 18 ++++++++++++++++++
> > > 5 files changed, 27 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/doc/guides/cryptodevs/features/default.ini
> > > b/doc/guides/cryptodevs/features/default.ini
> > > index c24814de98..96d95ddc81 100644
> > > --- a/doc/guides/cryptodevs/features/default.ini
> > > +++ b/doc/guides/cryptodevs/features/default.ini
> > > @@ -33,6 +33,7 @@ Non-Byte aligned data = Sym raw data path API =
> > > Cipher multiple data units =
> > > Cipher wrapped key =
> > > +Inner checksum =
> > >
> > > ;
> > > ; Supported crypto algorithms of a default crypto driver.
> > > diff --git a/doc/guides/rel_notes/deprecation.rst
> > > b/doc/guides/rel_notes/deprecation.rst
> > > index 05fc2fdee7..8308e00ed4 100644
> > > --- a/doc/guides/rel_notes/deprecation.rst
> > > +++ b/doc/guides/rel_notes/deprecation.rst
> > > @@ -232,8 +232,8 @@ Deprecation Notices
> > > IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence
> > Number).
> > >
> > > * security: The IPsec SA config options ``struct
> > > rte_security_ipsec_sa_options``
> > > - will be updated with new fields to support new features like IPsec
> > > inner
> > > - checksum, TSO in case of protocol offload.
> > > + will be updated with new fields to support new features like TSO in
> > > + case of protocol offload.
> > >
> > > * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
> > > ``hdr_l3_len`` to configure tunnel L3 header length.
> > > diff --git a/doc/guides/rel_notes/release_21_11.rst
> > > b/doc/guides/rel_notes/release_21_11.rst
> > > index 8da851cccc..93d1b36889 100644
> > > --- a/doc/guides/rel_notes/release_21_11.rst
> > > +++ b/doc/guides/rel_notes/release_21_11.rst
> > > @@ -194,6 +194,10 @@ ABI Changes
> > > ``rte_security_ipsec_xform`` to allow applications to configure SA soft
> > > and hard expiry limits. Limits can be either in number of packets or bytes.
> > >
> > > +* security: The new options ``ip_csum_enable`` and ``l4_csum_enable``
> > > +were added
> > > + in structure ``rte_security_ipsec_sa_options`` to indicate whether
> > > +inner
> > > + packet IPv4 header checksum and L4 checksum need to be offloaded to
> > > + security device.
> > >
> > > Known Issues
> > > ------------
> > > diff --git a/lib/cryptodev/rte_cryptodev.h
> > > b/lib/cryptodev/rte_cryptodev.h index bb01f0f195..d9271a6c45 100644
> > > --- a/lib/cryptodev/rte_cryptodev.h
> > > +++ b/lib/cryptodev/rte_cryptodev.h
> > > @@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum
> > > rte_crypto_asym_xform_type *xform_enum, /**< Support operations on
> > multiple data-units message */
> > > #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL << 26)
> > > /**< Support wrapped key in cipher xform */
> > > +#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL
> > << 27)
> > > +/**< Support inner checksum computation/verification */
> > >
> > > /**
> > > * Get the name of a crypto device feature flag diff --git
> > > a/lib/security/rte_security.h b/lib/security/rte_security.h index
> > > ab1a6e1f65..945f45ad76 100644
> > > --- a/lib/security/rte_security.h
> > > +++ b/lib/security/rte_security.h
> > > @@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
> > > * * 0: Do not match UDP ports
> > > */
> > > uint32_t udp_ports_verify : 1;
> > > +
> > > + /** Compute/verify inner packet IPv4 header checksum in tunnel mode
> > > + *
> > > + * * 1: For outbound, compute inner packet IPv4 header checksum
> > > + * before tunnel encapsulation and for inbound, verify after
> > > + * tunnel decapsulation.
> > > + * * 0: Inner packet IP header checksum is not computed/verified.
> > > + */
> > > + uint32_t ip_csum_enable : 1;
> > > +
> > > + /** Compute/verify inner packet L4 checksum in tunnel mode
> > > + *
> > > + * * 1: For outbound, compute inner packet L4 checksum before
> > > + * tunnel encapsulation and for inbound, verify after
> > > + * tunnel decapsulation.
> > > + * * 0: Inner packet L4 checksum is not computed/verified.
> > > + */
> > > + uint32_t l4_csum_enable : 1;
> >
> > As I understand these 2 new flags serve two purposes:
> > 1. report HW/PMD ability to perform these offloads.
> > 2. allow user to enable/disable this offload on SA basis.
>
> [Anoob] Correct
>
> >
> > One question I have - how will it work on data-path?
> > Would the decision to perform these offloads be based on mbuf->ol_flags value
> > (same as we are doing for ethdev TX offloads)?
> > Or some other approach is implied?
>
> [Anoob] There will be two settings. It can be enabled per SA or enabled per packet.
Ok, will it be documented somewhere?
Or probably it already is, and I just missed/forgot it somehow?
> >
> > > };
> > >
> > > /** IPSec security association direction */
> > > --
> > > 2.22.0
* Re: [dpdk-dev] [PATCH v2 1/3] security: add SA config option for inner pkt csum
2021-09-29 11:39 ` Ananyev, Konstantin
@ 2021-09-30 5:05 ` Anoob Joseph
2021-09-30 9:09 ` Ananyev, Konstantin
0 siblings, 1 reply; 9+ messages in thread
From: Anoob Joseph @ 2021-09-30 5:05 UTC (permalink / raw)
To: Ananyev, Konstantin, Archana Muniganti, Akhil Goyal, Nicolau,
Radu, Zhang, Roy Fan, hemant.agrawal
Cc: Tejasree Kondoj, Ankur Dwivedi, Jerin Jacob Kollanukkaran, dev
Hi Konstantin,
Please see inline.
Thanks,
Anoob
> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> Sent: Wednesday, September 29, 2021 5:09 PM
> To: Anoob Joseph <anoobj@marvell.com>; Archana Muniganti
> <marchana@marvell.com>; Akhil Goyal <gakhil@marvell.com>; Nicolau, Radu
> <radu.nicolau@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com>;
> hemant.agrawal@nxp.com
> Cc: Tejasree Kondoj <ktejasree@marvell.com>; Ankur Dwivedi
> <adwivedi@marvell.com>; Jerin Jacob Kollanukkaran <jerinj@marvell.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [PATCH v2 1/3] security: add SA config option for inner pkt
> csum
>
> External Email
>
> ----------------------------------------------------------------------
> Hi Anoob,
>
> > Hi Konstantin,
> >
> > Please see inline.
> >
> > Thanks,
> > Anoob
> >
> > > -----Original Message-----
> > > From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> > > Sent: Wednesday, September 29, 2021 4:26 PM
> > > To: Archana Muniganti <marchana@marvell.com>; Akhil Goyal
> > > <gakhil@marvell.com>; Nicolau, Radu <radu.nicolau@intel.com>; Zhang,
> > > Roy Fan <roy.fan.zhang@intel.com>; hemant.agrawal@nxp.com
> > > Cc: Anoob Joseph <anoobj@marvell.com>; Tejasree Kondoj
> > > <ktejasree@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>; Jerin
> > > Jacob Kollanukkaran <jerinj@marvell.com>; dev@dpdk.org
> > > Subject: [EXT] RE: [PATCH v2 1/3] security: add SA config option for
> > > inner pkt csum
> > >
> > > External Email
> > >
> > > --------------------------------------------------------------------
> > > --
> > > > Add inner packet IPv4 hdr and L4 checksum enable options in conf.
> > > > These will be used in case of protocol offload.
> > > > Per SA, application could specify whether the
> > > > checksum(compute/verify) can be offloaded to security device.
> > > >
> > > > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > > > ---
> > > > doc/guides/cryptodevs/features/default.ini | 1 +
> > > > doc/guides/rel_notes/deprecation.rst | 4 ++--
> > > > doc/guides/rel_notes/release_21_11.rst | 4 ++++
> > > > lib/cryptodev/rte_cryptodev.h | 2 ++
> > > > lib/security/rte_security.h | 18 ++++++++++++++++++
> > > > 5 files changed, 27 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/doc/guides/cryptodevs/features/default.ini
> > > > b/doc/guides/cryptodevs/features/default.ini
> > > > index c24814de98..96d95ddc81 100644
> > > > --- a/doc/guides/cryptodevs/features/default.ini
> > > > +++ b/doc/guides/cryptodevs/features/default.ini
> > > > @@ -33,6 +33,7 @@ Non-Byte aligned data = Sym raw data path API
> > > > = Cipher multiple data units =
> > > > Cipher wrapped key =
> > > > +Inner checksum =
> > > >
> > > > ;
> > > > ; Supported crypto algorithms of a default crypto driver.
> > > > diff --git a/doc/guides/rel_notes/deprecation.rst
> > > > b/doc/guides/rel_notes/deprecation.rst
> > > > index 05fc2fdee7..8308e00ed4 100644
> > > > --- a/doc/guides/rel_notes/deprecation.rst
> > > > +++ b/doc/guides/rel_notes/deprecation.rst
> > > > @@ -232,8 +232,8 @@ Deprecation Notices
> > > > IPsec payload MSS (Maximum Segment Size), and ESN (Extended
> > > > Sequence
> > > Number).
> > > >
> > > > * security: The IPsec SA config options ``struct
> > > > rte_security_ipsec_sa_options``
> > > > - will be updated with new fields to support new features like
> > > > IPsec inner
> > > > - checksum, TSO in case of protocol offload.
> > > > + will be updated with new fields to support new features like
> > > > + TSO in case of protocol offload.
> > > >
> > > > * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new
> field
> > > > ``hdr_l3_len`` to configure tunnel L3 header length.
> > > > diff --git a/doc/guides/rel_notes/release_21_11.rst
> > > > b/doc/guides/rel_notes/release_21_11.rst
> > > > index 8da851cccc..93d1b36889 100644
> > > > --- a/doc/guides/rel_notes/release_21_11.rst
> > > > +++ b/doc/guides/rel_notes/release_21_11.rst
> > > > @@ -194,6 +194,10 @@ ABI Changes
> > > > ``rte_security_ipsec_xform`` to allow applications to configure SA soft
> > > > and hard expiry limits. Limits can be either in number of packets or bytes.
> > > >
> > > > +* security: The new options ``ip_csum_enable`` and
> > > > +``l4_csum_enable`` were added
> > > > + in structure ``rte_security_ipsec_sa_options`` to indicate
> > > > +whether inner
> > > > + packet IPv4 header checksum and L4 checksum need to be
> > > > +offloaded to
> > > > + security device.
> > > >
> > > > Known Issues
> > > > ------------
> > > > diff --git a/lib/cryptodev/rte_cryptodev.h
> > > > b/lib/cryptodev/rte_cryptodev.h index bb01f0f195..d9271a6c45
> > > > 100644
> > > > --- a/lib/cryptodev/rte_cryptodev.h
> > > > +++ b/lib/cryptodev/rte_cryptodev.h
> > > > @@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum
> > > > rte_crypto_asym_xform_type *xform_enum, /**< Support operations
> > > > on
> > > multiple data-units message */
> > > > #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL
> << 26)
> > > > /**< Support wrapped key in cipher xform */
> > > > +#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL
> > > << 27)
> > > > +/**< Support inner checksum computation/verification */
> > > >
> > > > /**
> > > > * Get the name of a crypto device feature flag diff --git
> > > > a/lib/security/rte_security.h b/lib/security/rte_security.h index
> > > > ab1a6e1f65..945f45ad76 100644
> > > > --- a/lib/security/rte_security.h
> > > > +++ b/lib/security/rte_security.h
> > > > @@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
> > > > * * 0: Do not match UDP ports
> > > > */
> > > > uint32_t udp_ports_verify : 1;
> > > > +
> > > > + /** Compute/verify inner packet IPv4 header checksum in tunnel mode
> > > > + *
> > > > + * * 1: For outbound, compute inner packet IPv4 header checksum
> > > > + * before tunnel encapsulation and for inbound, verify after
> > > > + * tunnel decapsulation.
> > > > + * * 0: Inner packet IP header checksum is not computed/verified.
> > > > + */
> > > > + uint32_t ip_csum_enable : 1;
> > > > +
> > > > + /** Compute/verify inner packet L4 checksum in tunnel mode
> > > > + *
> > > > + * * 1: For outbound, compute inner packet L4 checksum before
> > > > + * tunnel encapsulation and for inbound, verify after
> > > > + * tunnel decapsulation.
> > > > + * * 0: Inner packet L4 checksum is not computed/verified.
> > > > + */
> > > > + uint32_t l4_csum_enable : 1;
> > >
> > > As I understand these 2 new flags serve two purposes:
> > > 1. report HW/PMD ability to perform these offloads.
> > > 2. allow user to enable/disable this offload on SA basis.
> >
> > [Anoob] Correct
> >
> > >
> > > One question I have - how will it work on data-path?
> > > Would the decision to perform these offloads be based on mbuf->ol_flags
> > > value (same as we are doing for ethdev TX offloads)?
> > > Or some other approach is implied?
> >
> > [Anoob] There will be two settings. It can be enabled per SA or enabled per
> packet.
>
> Ok, will it be documented somewhere?
> Or probably it already is, and I just missed/forgot it somehow?
[Anoob] Looks like we missed documenting this. Will update in the next version. Should we add documentation around SA options or around TX offload flags? I think it's better around SA options. Do you suggest either?
>
> > >
> > > > };
> > > >
> > > > /** IPSec security association direction */
> > > > --
> > > > 2.22.0
* Re: [dpdk-dev] [PATCH v2 1/3] security: add SA config option for inner pkt csum
2021-09-30 5:05 ` Anoob Joseph
@ 2021-09-30 9:09 ` Ananyev, Konstantin
0 siblings, 0 replies; 9+ messages in thread
From: Ananyev, Konstantin @ 2021-09-30 9:09 UTC (permalink / raw)
To: Anoob Joseph, Archana Muniganti, Akhil Goyal, Nicolau, Radu,
Zhang, Roy Fan, hemant.agrawal
Cc: Tejasree Kondoj, Ankur Dwivedi, Jerin Jacob Kollanukkaran, dev
Hi Anoob,
> >
> > External Email
> >
> > ----------------------------------------------------------------------
> > Hi Anoob,
> >
> > > Hi Konstantin,
> > >
> > > Please see inline.
> > >
> > > Thanks,
> > > Anoob
> > >
> > > > -----Original Message-----
> > > > From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> > > > Sent: Wednesday, September 29, 2021 4:26 PM
> > > > To: Archana Muniganti <marchana@marvell.com>; Akhil Goyal
> > > > <gakhil@marvell.com>; Nicolau, Radu <radu.nicolau@intel.com>; Zhang,
> > > > Roy Fan <roy.fan.zhang@intel.com>; hemant.agrawal@nxp.com
> > > > Cc: Anoob Joseph <anoobj@marvell.com>; Tejasree Kondoj
> > > > <ktejasree@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>; Jerin
> > > > Jacob Kollanukkaran <jerinj@marvell.com>; dev@dpdk.org
> > > > Subject: [EXT] RE: [PATCH v2 1/3] security: add SA config option for
> > > > inner pkt csum
> > > >
> > > > External Email
> > > >
> > > > --------------------------------------------------------------------
> > > > --
> > > > > Add inner packet IPv4 hdr and L4 checksum enable options in conf.
> > > > > These will be used in case of protocol offload.
> > > > > Per SA, application could specify whether the
> > > > > checksum(compute/verify) can be offloaded to security device.
> > > > >
> > > > > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > > > > ---
> > > > > doc/guides/cryptodevs/features/default.ini | 1 +
> > > > > doc/guides/rel_notes/deprecation.rst | 4 ++--
> > > > > doc/guides/rel_notes/release_21_11.rst | 4 ++++
> > > > > lib/cryptodev/rte_cryptodev.h | 2 ++
> > > > > lib/security/rte_security.h | 18 ++++++++++++++++++
> > > > > 5 files changed, 27 insertions(+), 2 deletions(-)
> > > > >
> > > > > diff --git a/doc/guides/cryptodevs/features/default.ini
> > > > > b/doc/guides/cryptodevs/features/default.ini
> > > > > index c24814de98..96d95ddc81 100644
> > > > > --- a/doc/guides/cryptodevs/features/default.ini
> > > > > +++ b/doc/guides/cryptodevs/features/default.ini
> > > > > @@ -33,6 +33,7 @@ Non-Byte aligned data = Sym raw data path API
> > > > > = Cipher multiple data units =
> > > > > Cipher wrapped key =
> > > > > +Inner checksum =
> > > > >
> > > > > ;
> > > > > ; Supported crypto algorithms of a default crypto driver.
> > > > > diff --git a/doc/guides/rel_notes/deprecation.rst
> > > > > b/doc/guides/rel_notes/deprecation.rst
> > > > > index 05fc2fdee7..8308e00ed4 100644
> > > > > --- a/doc/guides/rel_notes/deprecation.rst
> > > > > +++ b/doc/guides/rel_notes/deprecation.rst
> > > > > @@ -232,8 +232,8 @@ Deprecation Notices
> > > > > IPsec payload MSS (Maximum Segment Size), and ESN (Extended
> > > > > Sequence
> > > > Number).
> > > > >
> > > > > * security: The IPsec SA config options ``struct
> > > > > rte_security_ipsec_sa_options``
> > > > > - will be updated with new fields to support new features like
> > > > > IPsec inner
> > > > > - checksum, TSO in case of protocol offload.
> > > > > + will be updated with new fields to support new features like
> > > > > + TSO in case of protocol offload.
> > > > >
> > > > > * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new
> > field
> > > > > ``hdr_l3_len`` to configure tunnel L3 header length.
> > > > > diff --git a/doc/guides/rel_notes/release_21_11.rst
> > > > > b/doc/guides/rel_notes/release_21_11.rst
> > > > > index 8da851cccc..93d1b36889 100644
> > > > > --- a/doc/guides/rel_notes/release_21_11.rst
> > > > > +++ b/doc/guides/rel_notes/release_21_11.rst
> > > > > @@ -194,6 +194,10 @@ ABI Changes
> > > > > ``rte_security_ipsec_xform`` to allow applications to configure SA soft
> > > > > and hard expiry limits. Limits can be either in number of packets or bytes.
> > > > >
> > > > > +* security: The new options ``ip_csum_enable`` and
> > > > > +``l4_csum_enable`` were added
> > > > > + in structure ``rte_security_ipsec_sa_options`` to indicate
> > > > > +whether inner
> > > > > + packet IPv4 header checksum and L4 checksum need to be
> > > > > +offloaded to
> > > > > + security device.
> > > > >
> > > > > Known Issues
> > > > > ------------
> > > > > diff --git a/lib/cryptodev/rte_cryptodev.h
> > > > > b/lib/cryptodev/rte_cryptodev.h index bb01f0f195..d9271a6c45
> > > > > 100644
> > > > > --- a/lib/cryptodev/rte_cryptodev.h
> > > > > +++ b/lib/cryptodev/rte_cryptodev.h
> > > > > @@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum
> > > > > rte_crypto_asym_xform_type *xform_enum, /**< Support operations
> > > > > on
> > > > multiple data-units message */
> > > > > #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL
> > << 26)
> > > > > /**< Support wrapped key in cipher xform */
> > > > > +#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL
> > > > << 27)
> > > > > +/**< Support inner checksum computation/verification */
> > > > >
> > > > > /**
> > > > > * Get the name of a crypto device feature flag diff --git
> > > > > a/lib/security/rte_security.h b/lib/security/rte_security.h index
> > > > > ab1a6e1f65..945f45ad76 100644
> > > > > --- a/lib/security/rte_security.h
> > > > > +++ b/lib/security/rte_security.h
> > > > > @@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
> > > > > * * 0: Do not match UDP ports
> > > > > */
> > > > > uint32_t udp_ports_verify : 1;
> > > > > +
> > > > > + /** Compute/verify inner packet IPv4 header checksum in tunnel mode
> > > > > + *
> > > > > + * * 1: For outbound, compute inner packet IPv4 header checksum
> > > > > + * before tunnel encapsulation and for inbound, verify after
> > > > > + * tunnel decapsulation.
> > > > > + * * 0: Inner packet IP header checksum is not computed/verified.
> > > > > + */
> > > > > + uint32_t ip_csum_enable : 1;
> > > > > +
> > > > > + /** Compute/verify inner packet L4 checksum in tunnel mode
> > > > > + *
> > > > > + * * 1: For outbound, compute inner packet L4 checksum before
> > > > > + * tunnel encapsulation and for inbound, verify after
> > > > > + * tunnel decapsulation.
> > > > > + * * 0: Inner packet L4 checksum is not computed/verified.
> > > > > + */
> > > > > + uint32_t l4_csum_enable : 1;
> > > >
> > > > As I understand these 2 new flags serve two purposes:
> > > > 1. report HW/PMD ability to perform these offloads.
> > > > 2. allow user to enable/disable this offload on SA basis.
> > >
> > > [Anoob] Correct
> > >
> > > >
> > > > One question I have - how will it work on data-path?
> > > > Would the decision to perform these offloads be based on mbuf->ol_flags
> > > > value (same as we are doing for ethdev TX offloads)?
> > > > Or some other approach is implied?
> > >
> > > [Anoob] There will be two settings. It can be enabled per SA or enabled per
> > packet.
> >
> > Ok, will it be documented somewhere?
> > Or probably it already is, and I just missed/forgot it somehow?
>
> [Anoob] Looks like we missed documenting this. Will update in the next version. Should we add documentation around SA options or around
> TX offload flags? I think it's better around SA options.
Same thought here.
Thanks
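
What the two SA options discussed in this thread ask the security device to do to the inner packet, done in software: fill the inner IPv4 header and L4 checksums before encapsulation, verify them after decapsulation. This is an added example, not code from the patch or from DPDK; `struct sa_csum_opts`, the function names and the sample packet are constructed here, and only the field names `ip_csum_enable` and `l4_csum_enable` come from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the two bits added to rte_security_ipsec_sa_options. */
struct sa_csum_opts {
	uint32_t ip_csum_enable : 1;
	uint32_t l4_csum_enable : 1;
};

/* Constructed sample: inner IPv4/UDP, 192.0.2.1 -> 198.51.100.2, checksums zero. */
static const uint8_t sample_inner[32] = {
	0x45, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
	0xc0, 0x00, 0x02, 0x01, 0xc6, 0x33, 0x64, 0x02,
	0x30, 0x39, 0x00, 0x35, 0x00, 0x0c, 0x00, 0x00, 'p', 'i', 'n', 'g'
};

/* RFC 1071 one's-complement sum, accumulated into a 32-bit running sum. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
	for (; len > 1; p += 2, len -= 2)
		sum += ((uint32_t)p[0] << 8) | p[1];
	return len ? sum + ((uint32_t)p[0] << 8) : sum; /* pad an odd byte */
}

/* Fold the carries back in and complement. */
static uint16_t csum_fold(uint32_t sum)
{
	sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~(sum + (sum >> 16));
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Bounds-check inner IPv4; returns header length, 0 if malformed. *l4 is the
 * index of the UDP/TCP checksum field, 0 for fragments, other protocols or short L4. */
static size_t inner_parse(const uint8_t *pkt, size_t len, size_t *tot, size_t *l4)
{
	size_t hdr, ihl = len < 20 ? 0 : (size_t)(pkt[0] & 0x0f) * 4;

	*tot = len < 20 ? 0 : ((size_t)pkt[2] << 8) | pkt[3];
	*l4 = 0;
	if (ihl < 20 || (pkt[0] >> 4) != 4 || *tot < ihl || *tot > len)
		return 0;
	hdr = pkt[9] == 17 ? 8 : pkt[9] == 6 ? 20 : 0;
	if (hdr && !(pkt[6] & 0x3f) && !pkt[7] && *tot - ihl >= hdr)
		*l4 = ihl + (hdr == 8 ? 6 : 16);
	return ihl;
}

/* Checksum over pseudo-header (src, dst, proto, L4 length) + L4 segment. */
static uint16_t l4_csum(const uint8_t *pkt, size_t ihl, size_t tot)
{
	uint32_t sum = csum_add(pkt[9] + (uint32_t)(tot - ihl), pkt + 12, 8);

	return csum_fold(csum_add(sum, pkt + ihl, tot - ihl));
}

/* Outbound: fill the enabled checksums before tunnel encapsulation. */
int inner_csum_outbound(const struct sa_csum_opts *o, uint8_t *pkt, size_t len)
{
	size_t tot, l4, ihl = inner_parse(pkt, len, &tot, &l4);
	uint16_t c;

	if (!ihl || (o->l4_csum_enable && !l4))
		return -1;
	if (o->l4_csum_enable) {
		put16(pkt + l4, 0);
		c = l4_csum(pkt, ihl, tot);
		/* UDP sends 0xffff for a computed 0; 0 means "no checksum" */
		put16(pkt + l4, (pkt[9] == 17 && c == 0) ? 0xffff : c);
	}
	if (o->ip_csum_enable) {
		put16(pkt + 10, 0);
		put16(pkt + 10, csum_fold(csum_add(0, pkt, ihl)));
	}
	return 0;
}

/* Inbound: verify after decapsulation. 0 ok, -1 malformed, -2 IP, -3 L4. */
int inner_csum_inbound(const struct sa_csum_opts *o, const uint8_t *pkt, size_t len)
{
	size_t tot, l4, ihl = inner_parse(pkt, len, &tot, &l4);

	if (!ihl || (o->l4_csum_enable && !l4))
		return -1;
	if (o->ip_csum_enable && csum_fold(csum_add(0, pkt, ihl)) != 0)
		return -2;
	return (o->l4_csum_enable && l4_csum(pkt, ihl, tot) != 0) ? -3 : 0;
}

/* Fill on the sample, optionally flip one payload bit, then verify. */
int demo_roundtrip(int flip)
{
	struct sa_csum_opts o = { .ip_csum_enable = 1, .l4_csum_enable = 1 };
	uint8_t pkt[sizeof(sample_inner)];

	memcpy(pkt, sample_inner, sizeof(pkt));
	if (inner_csum_outbound(&o, pkt, sizeof(pkt)) != 0)
		return -1;
	pkt[31] ^= flip ? 0x01 : 0x00;
	return inner_csum_inbound(&o, pkt, sizeof(pkt));
}
```

A UDP datagram whose sender left the checksum field at 0 also fails with -3 here; whether to accept such packets is a policy choice outside this example.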