DPDK patches and discussions
 help / color / mirror / Atom feed
* [dpdk-dev] [PATCH v3 0/3] add SA config option for inner pkt csum
@ 2021-09-29 11:23 Archana Muniganti
  2021-09-29 11:23 ` [dpdk-dev] [PATCH v3 1/3] security: " Archana Muniganti
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Archana Muniganti @ 2021-09-29 11:23 UTC (permalink / raw)
  To: gakhil, radu.nicolau, roy.fan.zhang, hemant.agrawal, konstantin.ananyev
  Cc: Archana Muniganti, anoobj, ktejasree, adwivedi, jerinj, dev

Add inner packet IPv4 hdr and L4 checksum enable options
in conf. These will be used in case of protocol offload.
Per SA, application could specify whether the
checksum(compute/verify) can be offloaded to security device.

Depends on
https://patches.dpdk.org/project/dpdk/list/?series=19243

Changes in v3:
- Removed code unrelated to this series.

Changes in v2:
- Fixed release notes
- Added feature flag in default.ini and cn10k.ini
- Fixed test patch subject

Archana Muniganti (3):
  security: add SA config option for inner pkt csum
  crypto/cnxk: add inner checksum
  test/crypto: add inner checksum cases

 app/test/test_cryptodev.c                     |  34 +++
 app/test/test_cryptodev_security_ipsec.c      | 195 ++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h      |   2 +
 ...st_cryptodev_security_ipsec_test_vectors.h |   6 +
 doc/guides/cryptodevs/features/cn10k.ini      |   1 +
 doc/guides/cryptodevs/features/default.ini    |   1 +
 doc/guides/rel_notes/deprecation.rst          |   4 +-
 doc/guides/rel_notes/release_21_11.rst        |   6 +
 drivers/crypto/cnxk/cn10k_cryptodev_ops.c     |  65 ++++--
 drivers/crypto/cnxk/cn10k_ipsec.c             |  49 ++++-
 drivers/crypto/cnxk/cn10k_ipsec.h             |   1 +
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h      |   9 +-
 drivers/crypto/cnxk/cnxk_cryptodev.c          |   3 +
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c |   2 +
 lib/cryptodev/rte_cryptodev.h                 |   2 +
 lib/security/rte_security.h                   |  18 ++
 16 files changed, 378 insertions(+), 20 deletions(-)

-- 
2.22.0


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [dpdk-dev] [PATCH v3 1/3] security: add SA config option for inner pkt csum
  2021-09-29 11:23 [dpdk-dev] [PATCH v3 0/3] add SA config option for inner pkt csum Archana Muniganti
@ 2021-09-29 11:23 ` Archana Muniganti
  2021-09-29 11:23 ` [dpdk-dev] [PATCH v3 2/3] crypto/cnxk: add inner checksum Archana Muniganti
  2021-09-29 11:23 ` [dpdk-dev] [PATCH v3 3/3] test/crypto: add inner checksum cases Archana Muniganti
  2 siblings, 0 replies; 4+ messages in thread
From: Archana Muniganti @ 2021-09-29 11:23 UTC (permalink / raw)
  To: gakhil, radu.nicolau, roy.fan.zhang, hemant.agrawal, konstantin.ananyev
  Cc: Archana Muniganti, anoobj, ktejasree, adwivedi, jerinj, dev

Add inner packet IPv4 hdr and L4 checksum enable options
in conf. These will be used in case of protocol offload.
Per SA, application could specify whether the
checksum(compute/verify) can be offloaded to security device.

Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
 doc/guides/cryptodevs/features/default.ini |  1 +
 doc/guides/rel_notes/deprecation.rst       |  4 ++--
 doc/guides/rel_notes/release_21_11.rst     |  4 ++++
 lib/cryptodev/rte_cryptodev.h              |  2 ++
 lib/security/rte_security.h                | 18 ++++++++++++++++++
 5 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini
index c24814de98..96d95ddc81 100644
--- a/doc/guides/cryptodevs/features/default.ini
+++ b/doc/guides/cryptodevs/features/default.ini
@@ -33,6 +33,7 @@ Non-Byte aligned data  =
 Sym raw data path API  =
 Cipher multiple data units =
 Cipher wrapped key     =
+Inner checksum         =
 
 ;
 ; Supported crypto algorithms of a default crypto driver.
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 05fc2fdee7..8308e00ed4 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -232,8 +232,8 @@ Deprecation Notices
   IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number).
 
 * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options``
-  will be updated with new fields to support new features like IPsec inner
-  checksum, TSO in case of protocol offload.
+  will be updated with new fields to support new features like TSO in case of
+  protocol offload.
 
 * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
   ``hdr_l3_len`` to configure tunnel L3 header length.
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 8da851cccc..93d1b36889 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -194,6 +194,10 @@ ABI Changes
   ``rte_security_ipsec_xform`` to allow applications to configure SA soft
   and hard expiry limits. Limits can be either in number of packets or bytes.
 
+* security: The new options ``ip_csum_enable`` and ``l4_csum_enable`` were added
+  in structure ``rte_security_ipsec_sa_options`` to indicate whether inner
+  packet IPv4 header checksum and L4 checksum need to be offloaded to
+  security device.
 
 Known Issues
 ------------
diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
index bb01f0f195..d9271a6c45 100644
--- a/lib/cryptodev/rte_cryptodev.h
+++ b/lib/cryptodev/rte_cryptodev.h
@@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum,
 /**< Support operations on multiple data-units message */
 #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY		(1ULL << 26)
 /**< Support wrapped key in cipher xform  */
+#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM		(1ULL << 27)
+/**< Support inner checksum computation/verification */
 
 /**
  * Get the name of a crypto device feature flag
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index ab1a6e1f65..945f45ad76 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
 	 * * 0: Do not match UDP ports
 	 */
 	uint32_t udp_ports_verify : 1;
+
+	/** Compute/verify inner packet IPv4 header checksum in tunnel mode
+	 *
+	 * * 1: For outbound, compute inner packet IPv4 header checksum
+	 *      before tunnel encapsulation and for inbound, verify after
+	 *      tunnel decapsulation.
+	 * * 0: Inner packet IP header checksum is not computed/verified.
+	 */
+	uint32_t ip_csum_enable : 1;
+
+	/** Compute/verify inner packet L4 checksum in tunnel mode
+	 *
+	 * * 1: For outbound, compute inner packet L4 checksum before
+	 *      tunnel encapsulation and for inbound, verify after
+	 *      tunnel decapsulation.
+	 * * 0: Inner packet L4 checksum is not computed/verified.
+	 */
+	uint32_t l4_csum_enable : 1;
 };
 
 /** IPSec security association direction */
-- 
2.22.0


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [dpdk-dev] [PATCH v3 2/3] crypto/cnxk: add inner checksum
  2021-09-29 11:23 [dpdk-dev] [PATCH v3 0/3] add SA config option for inner pkt csum Archana Muniganti
  2021-09-29 11:23 ` [dpdk-dev] [PATCH v3 1/3] security: " Archana Muniganti
@ 2021-09-29 11:23 ` Archana Muniganti
  2021-09-29 11:23 ` [dpdk-dev] [PATCH v3 3/3] test/crypto: add inner checksum cases Archana Muniganti
  2 siblings, 0 replies; 4+ messages in thread
From: Archana Muniganti @ 2021-09-29 11:23 UTC (permalink / raw)
  To: gakhil, radu.nicolau, roy.fan.zhang, hemant.agrawal, konstantin.ananyev
  Cc: Archana Muniganti, anoobj, ktejasree, adwivedi, jerinj, dev

Add inner checksum support for cn10k.

Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
 doc/guides/cryptodevs/features/cn10k.ini      |  1 +
 doc/guides/rel_notes/release_21_11.rst        |  1 +
 drivers/crypto/cnxk/cn10k_cryptodev_ops.c     | 65 +++++++++++++++----
 drivers/crypto/cnxk/cn10k_ipsec.c             | 49 +++++++++++++-
 drivers/crypto/cnxk/cn10k_ipsec.h             |  1 +
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h      |  9 ++-
 drivers/crypto/cnxk/cnxk_cryptodev.c          |  3 +
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c |  2 +
 8 files changed, 113 insertions(+), 18 deletions(-)

diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini
index f5552feca3..9d08bd5c04 100644
--- a/doc/guides/cryptodevs/features/cn10k.ini
+++ b/doc/guides/cryptodevs/features/cn10k.ini
@@ -15,6 +15,7 @@ OOP SGL In SGL Out     = Y
 OOP LB  In LB  Out     = Y
 Symmetric sessionless  = Y
 Digest encrypted       = Y
+Inner checksum         = Y
 
 ;
 ; Supported crypto algorithms of 'cn10k' crypto driver.
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 93d1b36889..163cdaa800 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -72,6 +72,7 @@ New Features
   * Added Transport mode support in lookaside protocol (IPsec) for CN10K.
   * Added UDP encapsulation support in lookaside protocol (IPsec) for CN10K.
   * Added support for lookaside protocol (IPsec) offload for CN9K.
+  * Added inner checksum support in lookaside protocol (IPsec) for CN10K.
 
 * **Added support for event crypto adapter on Marvell CN10K and CN9K.**
 
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 3caf05aab9..c25c8e67b2 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -50,7 +50,7 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op)
 
 static __rte_always_inline int __rte_hot
 cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
-		  struct cpt_inst_s *inst)
+		  struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst)
 {
 	struct rte_crypto_sym_op *sym_op = op->sym;
 	union roc_ot_ipsec_sa_word2 *w2;
@@ -72,8 +72,10 @@ cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
 
 	if (w2->s.dir == ROC_IE_SA_DIR_OUTBOUND)
 		ret = process_outb_sa(op, sa, inst);
-	else
+	else {
+		infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND;
 		ret = process_inb_sa(op, sa, inst);
+	}
 
 	return ret;
 }
@@ -122,7 +124,8 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[],
 		if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
 			sec_sess = get_sec_session_private_data(
 				sym_op->sec_session);
-			ret = cpt_sec_inst_fill(op, sec_sess, &inst[0]);
+			ret = cpt_sec_inst_fill(op, sec_sess, infl_req,
+						&inst[0]);
 			if (unlikely(ret))
 				return 0;
 			w7 = sec_sess->sa.inst.w7;
@@ -342,6 +345,49 @@ cn10k_cpt_sec_post_process(struct rte_crypto_op *cop,
 	m->pkt_len = m_len;
 }
 
+static inline void
+cn10k_cpt_sec_ucc_process(struct rte_crypto_op *cop,
+			  struct cpt_inflight_req *infl_req,
+			  const uint8_t uc_compcode)
+{
+	struct cn10k_sec_session *sess;
+	struct cn10k_ipsec_sa *sa;
+	struct rte_mbuf *mbuf;
+
+	if (uc_compcode == ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST)
+		cop->aux_flags = RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
+
+	if (!(infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND))
+		return;
+
+	sess = get_sec_session_private_data(cop->sym->sec_session);
+	sa = &sess->sa;
+
+	mbuf = cop->sym->m_src;
+
+	switch (uc_compcode) {
+	case ROC_IE_OT_UCC_SUCCESS:
+		if (sa->ip_csum_enable)
+			mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+		break;
+	case ROC_IE_OT_UCC_SUCCESS_PKT_IP_BADCSUM:
+		mbuf->ol_flags |= PKT_RX_IP_CKSUM_BAD;
+		break;
+	case ROC_IE_OT_UCC_SUCCESS_PKT_L4_GOODCSUM:
+		mbuf->ol_flags |= PKT_RX_L4_CKSUM_GOOD;
+		if (sa->ip_csum_enable)
+			mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+		break;
+	case ROC_IE_OT_UCC_SUCCESS_PKT_L4_BADCSUM:
+		mbuf->ol_flags |= PKT_RX_L4_CKSUM_BAD;
+		if (sa->ip_csum_enable)
+			mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+		break;
+	default:
+		break;
+	}
+}
+
 static inline void
 cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
 			       struct rte_crypto_op *cop,
@@ -357,17 +403,8 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
 	if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
 	    cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
 		if (likely(compcode == CPT_COMP_WARN)) {
-			if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) {
-				/* Success with additional info */
-				switch (uc_compcode) {
-				case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST:
-					cop->aux_flags =
-						RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
-					break;
-				default:
-					break;
-				}
-			}
+			/* Success with additional info */
+			cn10k_cpt_sec_ucc_process(cop, infl_req, uc_compcode);
 			cn10k_cpt_sec_post_process(cop, res);
 		} else {
 			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index ebb2a7ec48..defc792aa8 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -37,6 +37,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
 			   struct rte_crypto_sym_xform *crypto_xfrm,
 			   struct rte_security_session *sec_sess)
 {
+	union roc_ot_ipsec_outb_param1 param1;
 	struct roc_ot_ipsec_outb_sa *out_sa;
 	struct cnxk_ipsec_outb_rlens rlens;
 	struct cn10k_sec_session *sess;
@@ -83,7 +84,27 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
 	/* pre-populate CPT INST word 4 */
 	inst_w4.u64 = 0;
 	inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;
-	inst_w4.s.param1 = 0;
+
+	param1.u16 = 0;
+
+	/* Disable IP checksum computation by default */
+	param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
+
+	if (ipsec_xfrm->options.ip_csum_enable) {
+		param1.s.ip_csum_disable =
+			ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
+	}
+
+	/* Disable L4 checksum computation by default */
+	param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
+
+	if (ipsec_xfrm->options.l4_csum_enable) {
+		param1.s.l4_csum_disable =
+			ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
+	}
+
+	inst_w4.s.param1 = param1.u16;
+
 	sa->inst.w4 = inst_w4.u64;
 
 	return 0;
@@ -95,6 +116,7 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
 			  struct rte_crypto_sym_xform *crypto_xfrm,
 			  struct rte_security_session *sec_sess)
 {
+	union roc_ot_ipsec_inb_param1 param1;
 	struct roc_ot_ipsec_inb_sa *in_sa;
 	struct cn10k_sec_session *sess;
 	struct cn10k_ipsec_sa *sa;
@@ -121,8 +143,29 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
 	inst_w4.u64 = 0;
 	inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC;
 
-	/* Disable checksum verification for now */
-	inst_w4.s.param1 = 7;
+	param1.u16 = 0;
+
+	/* Disable IP checksum verification by default */
+	param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
+
+	if (ipsec_xfrm->options.ip_csum_enable) {
+		param1.s.ip_csum_disable =
+			ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
+		sa->ip_csum_enable = true;
+	}
+
+	/* Disable L4 checksum verification by default */
+	param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
+
+	if (ipsec_xfrm->options.l4_csum_enable) {
+		param1.s.l4_csum_disable =
+			ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
+	}
+
+	param1.s.esp_trailer_disable = 1;
+
+	inst_w4.s.param1 = param1.u16;
+
 	sa->inst.w4 = inst_w4.u64;
 
 	return 0;
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index 6f974b716d..86cd2483f5 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -23,6 +23,7 @@ struct cn10k_ipsec_sa {
 	uint16_t max_extended_len;
 	uint16_t iv_offset;
 	uint8_t iv_length;
+	bool ip_csum_enable;
 };
 
 struct cn10k_sec_session {
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index 862476a72e..df1b0a3678 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -53,6 +53,7 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
 {
 	struct rte_crypto_sym_op *sym_op = cop->sym;
 	struct rte_mbuf *m_src = sym_op->m_src;
+	uint64_t inst_w4_u64 = sess->inst.w4;
 
 	if (unlikely(rte_pktmbuf_tailroom(m_src) < sess->max_extended_len)) {
 		plt_dp_err("Not enough tail room");
@@ -68,8 +69,14 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
 	}
 #endif
 
+	if (m_src->ol_flags & PKT_TX_IP_CKSUM)
+		inst_w4_u64 &= ~BIT_ULL(33);
+
+	if (m_src->ol_flags & PKT_TX_L4_MASK)
+		inst_w4_u64 &= ~BIT_ULL(32);
+
 	/* Prepare CPT instruction */
-	inst->w4.u64 = sess->inst.w4;
+	inst->w4.u64 = inst_w4_u64;
 	inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src);
 	inst->dptr = rte_pktmbuf_iova(m_src);
 	inst->rptr = inst->dptr;
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.c b/drivers/crypto/cnxk/cnxk_cryptodev.c
index 5c7801ec48..d67de54a7b 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.c
@@ -24,6 +24,9 @@ cnxk_cpt_default_ff_get(void)
 		      RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED |
 		      RTE_CRYPTODEV_FF_SECURITY;
 
+	if (roc_model_is_cn10k())
+		ff |= RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM;
+
 	return ff;
 }
 
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index ba4166c56d..20df37709a 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -926,6 +926,8 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
 			sec_cap->ipsec.options.tunnel_hdr_verify =
 				RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
 	}
+	sec_cap->ipsec.options.ip_csum_enable = 1;
+	sec_cap->ipsec.options.l4_csum_enable = 1;
 }
 
 static void
-- 
2.22.0


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [dpdk-dev] [PATCH v3 3/3] test/crypto: add inner checksum cases
  2021-09-29 11:23 [dpdk-dev] [PATCH v3 0/3] add SA config option for inner pkt csum Archana Muniganti
  2021-09-29 11:23 ` [dpdk-dev] [PATCH v3 1/3] security: " Archana Muniganti
  2021-09-29 11:23 ` [dpdk-dev] [PATCH v3 2/3] crypto/cnxk: add inner checksum Archana Muniganti
@ 2021-09-29 11:23 ` Archana Muniganti
  2 siblings, 0 replies; 4+ messages in thread
From: Archana Muniganti @ 2021-09-29 11:23 UTC (permalink / raw)
  To: gakhil, radu.nicolau, roy.fan.zhang, hemant.agrawal, konstantin.ananyev
  Cc: Archana Muniganti, anoobj, ktejasree, adwivedi, jerinj, dev

This patch adds tests for inner IP and inner L4 checksum
in IPsec mode.

Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
 app/test/test_cryptodev.c                     |  34 +++
 app/test/test_cryptodev_security_ipsec.c      | 195 ++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h      |   2 +
 ...st_cryptodev_security_ipsec_test_vectors.h |   6 +
 doc/guides/rel_notes/release_21_11.rst        |   1 +
 5 files changed, 238 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 5f0d023451..c127e6bc04 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -18,6 +18,8 @@
 #include <rte_cryptodev.h>
 #include <rte_ip.h>
 #include <rte_string_fns.h>
+#include <rte_tcp.h>
+#include <rte_udp.h>
 
 #ifdef RTE_CRYPTO_SCHEDULER
 #include <rte_cryptodev_scheduler.h>
@@ -9275,6 +9277,30 @@ test_ipsec_proto_udp_ports_verify(const void *data __rte_unused)
 	return test_ipsec_proto_all(&flags);
 }
 
+static int
+test_ipsec_proto_inner_ip_csum(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.ip_csum = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_inner_l4_csum(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.l4_csum = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
 static int
 test_PDCP_PROTO_all(void)
 {
@@ -14231,6 +14257,14 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Tunnel src and dst addr verification",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_tunnel_src_dst_addr_verify),
+		TEST_CASE_NAMED_ST(
+			"Inner IP checksum",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_inner_ip_csum),
+		TEST_CASE_NAMED_ST(
+			"Inner L4 checksum",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_inner_l4_csum),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 764e77bbff..bcd9746c98 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -7,6 +7,7 @@
 #include <rte_esp.h>
 #include <rte_ip.h>
 #include <rte_security.h>
+#include <rte_tcp.h>
 #include <rte_udp.h>
 
 #include "test.h"
@@ -103,6 +104,22 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 		return -ENOTSUP;
 	}
 
+	if (ipsec_xform->options.ip_csum_enable == 1 &&
+	    sec_cap->ipsec.options.ip_csum_enable == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1,
+				"Inner IP checksum is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.l4_csum_enable == 1 &&
+	    sec_cap->ipsec.options.l4_csum_enable == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1,
+				"Inner L4 checksum is not supported\n");
+		return -ENOTSUP;
+	}
+
 	return 0;
 }
 
@@ -160,6 +177,56 @@ test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 	}
 }
 
+static bool
+is_ipv4(void *ip)
+{
+	struct rte_ipv4_hdr *ipv4 = ip;
+	uint8_t ip_ver;
+
+	ip_ver = (ipv4->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER;
+	if (ip_ver == IPVERSION)
+		return true;
+	else
+		return false;
+}
+
+static void
+test_ipsec_csum_init(void *ip, bool l3, bool l4)
+{
+	struct rte_ipv4_hdr *ipv4;
+	struct rte_tcp_hdr *tcp;
+	struct rte_udp_hdr *udp;
+	uint8_t next_proto;
+	uint8_t size;
+
+	if (is_ipv4(ip)) {
+		ipv4 = ip;
+		size = sizeof(struct rte_ipv4_hdr);
+		next_proto = ipv4->next_proto_id;
+
+		if (l3)
+			ipv4->hdr_checksum = 0;
+	} else {
+		size = sizeof(struct rte_ipv6_hdr);
+		next_proto = ((struct rte_ipv6_hdr *)ip)->proto;
+	}
+
+	if (l4) {
+		switch (next_proto) {
+		case IPPROTO_TCP:
+			tcp = (struct rte_tcp_hdr *)RTE_PTR_ADD(ip, size);
+			tcp->cksum = 0;
+			break;
+		case IPPROTO_UDP:
+			udp = (struct rte_udp_hdr *)RTE_PTR_ADD(ip, size);
+			udp->dgram_cksum = 0;
+			break;
+		default:
+			return;
+		}
+	}
+}
+
 void
 test_ipsec_td_prepare(const struct crypto_param *param1,
 		      const struct crypto_param *param2,
@@ -194,6 +261,17 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
 		if (flags->sa_expiry_pkts_soft)
 			td->ipsec_xform.life.packets_soft_limit =
 					IPSEC_TEST_PACKETS_MAX - 1;
+
+		if (flags->ip_csum) {
+			td->ipsec_xform.options.ip_csum_enable = 1;
+			test_ipsec_csum_init(&td->input_text.data, true, false);
+		}
+
+		if (flags->l4_csum) {
+			td->ipsec_xform.options.l4_csum_enable = 1;
+			test_ipsec_csum_init(&td->input_text.data, false, true);
+		}
+
 	}
 
 	RTE_SET_USED(param2);
@@ -230,6 +308,12 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
 		td_inb[i].ipsec_xform.options.tunnel_hdr_verify =
 			flags->tunnel_hdr_verify;
 
+		if (flags->ip_csum)
+			td_inb[i].ipsec_xform.options.ip_csum_enable = 1;
+
+		if (flags->l4_csum)
+			td_inb[i].ipsec_xform.options.l4_csum_enable = 1;
+
 		/* Clear outbound specific flags */
 		td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
 	}
@@ -305,12 +389,96 @@ test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td)
 	return TEST_SUCCESS;
 }
 
+static int
+test_ipsec_l3_csum_verify(struct rte_mbuf *m)
+{
+	uint16_t actual_cksum, expected_cksum;
+	struct rte_ipv4_hdr *ip;
+
+	ip = rte_pktmbuf_mtod(m, struct rte_ipv4_hdr *);
+
+	if (!is_ipv4((void *)ip))
+		return TEST_SKIPPED;
+
+	actual_cksum = ip->hdr_checksum;
+
+	ip->hdr_checksum = 0;
+
+	expected_cksum = rte_ipv4_cksum(ip);
+
+	if (actual_cksum != expected_cksum)
+		return TEST_FAILED;
+
+	return TEST_SUCCESS;
+}
+
+static int
+test_ipsec_l4_csum_verify(struct rte_mbuf *m)
+{
+	uint16_t actual_cksum = 0, expected_cksum = 0;
+	struct rte_ipv4_hdr *ipv4;
+	struct rte_ipv6_hdr *ipv6;
+	struct rte_tcp_hdr *tcp;
+	struct rte_udp_hdr *udp;
+	void *ip, *l4;
+
+	ip = rte_pktmbuf_mtod(m, void *);
+
+	if (is_ipv4(ip)) {
+		ipv4 = ip;
+		l4 = RTE_PTR_ADD(ipv4, sizeof(struct rte_ipv4_hdr));
+
+		switch (ipv4->next_proto_id) {
+		case IPPROTO_TCP:
+			tcp = (struct rte_tcp_hdr *)l4;
+			actual_cksum = tcp->cksum;
+			tcp->cksum = 0;
+			expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4);
+			break;
+		case IPPROTO_UDP:
+			udp = (struct rte_udp_hdr *)l4;
+			actual_cksum = udp->dgram_cksum;
+			udp->dgram_cksum = 0;
+			expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4);
+			break;
+		default:
+			break;
+		}
+	} else {
+		ipv6 = ip;
+		l4 = RTE_PTR_ADD(ipv6, sizeof(struct rte_ipv6_hdr));
+
+		switch (ipv6->proto) {
+		case IPPROTO_TCP:
+			tcp = (struct rte_tcp_hdr *)l4;
+			actual_cksum = tcp->cksum;
+			tcp->cksum = 0;
+			expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4);
+			break;
+		case IPPROTO_UDP:
+			udp = (struct rte_udp_hdr *)l4;
+			actual_cksum = udp->dgram_cksum;
+			udp->dgram_cksum = 0;
+			expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4);
+			break;
+		default:
+			break;
+		}
+	}
+
+	if (actual_cksum != expected_cksum)
+		return TEST_FAILED;
+
+	return TEST_SUCCESS;
+}
+
 static int
 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		     bool silent, const struct ipsec_test_flags *flags)
 {
 	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
+	int ret;
 
 	/* For tests with status as error for test success, skip verification */
 	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
@@ -354,6 +522,33 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	len -= skip;
 	output_text += skip;
 
+	if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+				flags->ip_csum) {
+		if (m->ol_flags & PKT_RX_IP_CKSUM_GOOD)
+			ret = test_ipsec_l3_csum_verify(m);
+		else
+			ret = TEST_FAILED;
+
+		if (ret == TEST_FAILED)
+			printf("Inner IP checksum test failed\n");
+
+		return ret;
+	}
+
+	if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+				flags->l4_csum) {
+		if (m->ol_flags & PKT_RX_L4_CKSUM_GOOD)
+			ret = test_ipsec_l4_csum_verify(m);
+		else
+			ret = TEST_FAILED;
+
+		if (ret == TEST_FAILED)
+			printf("Inner L4 checksum test failed\n");
+
+		return ret;
+	}
+
+
 	if (memcmp(output_text, td->output_text.data + skip, len)) {
 		if (silent)
 			return TEST_FAILED;
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 0416005520..7628d0c42a 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -56,6 +56,8 @@ struct ipsec_test_flags {
 	uint32_t tunnel_hdr_verify;
 	bool udp_encap;
 	bool udp_ports_verify;
+	bool ip_csum;
+	bool l4_csum;
 };
 
 struct crypto_param {
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
index 4e147ec19c..bb95d00641 100644
--- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -95,6 +95,8 @@ struct ipsec_test_data pkt_aes_128_gcm = {
 		.options.ecn = 0,
 		.options.stats = 0,
 		.options.tunnel_hdr_verify = 0,
+		.options.ip_csum_enable = 0,
+		.options.l4_csum_enable = 0,
 		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
 		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -192,6 +194,8 @@ struct ipsec_test_data pkt_aes_192_gcm = {
 		.options.ecn = 0,
 		.options.stats = 0,
 		.options.tunnel_hdr_verify = 0,
+		.options.ip_csum_enable = 0,
+		.options.l4_csum_enable = 0,
 		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
 		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -292,6 +296,8 @@ struct ipsec_test_data pkt_aes_256_gcm = {
 		.options.ecn = 0,
 		.options.stats = 0,
 		.options.tunnel_hdr_verify = 0,
+		.options.ip_csum_enable = 0,
+		.options.l4_csum_enable = 0,
 		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
 		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 163cdaa800..e2e1e1547f 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -106,6 +106,7 @@ New Features
   * Added tests to validate packets soft expiry.
   * Added tests to validate packets hard expiry.
   * Added tests to verify tunnel header verification in IPsec inbound.
+  * Added tests to verify inner checksum.
 
 
 Removed Items
-- 
2.22.0


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-09-29 11:24 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-29 11:23 [dpdk-dev] [PATCH v3 0/3] add SA config option for inner pkt csum Archana Muniganti
2021-09-29 11:23 ` [dpdk-dev] [PATCH v3 1/3] security: " Archana Muniganti
2021-09-29 11:23 ` [dpdk-dev] [PATCH v3 2/3] crypto/cnxk: add inner checksum Archana Muniganti
2021-09-29 11:23 ` [dpdk-dev] [PATCH v3 3/3] test/crypto: add inner checksum cases Archana Muniganti

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).