* [PATCH 1/2] crypto/cnxk: align HW accessible field to ROC align
@ 2022-10-12 6:04 Anoob Joseph
2022-10-12 6:04 ` [PATCH 2/2] crypto/cnxk: fix failure from session rework Anoob Joseph
2022-10-12 12:10 ` [PATCH v2 1/2] crypto/cnxk: align HW accessible field to ROC align Anoob Joseph
0 siblings, 2 replies; 5+ messages in thread
From: Anoob Joseph @ 2022-10-12 6:04 UTC (permalink / raw)
To: Akhil Goyal, Jerin Jacob; +Cc: Ankur Dwivedi, Tejasree Kondoj, dev
Hardware accessible memory need to be aligned to ROC. Enforce the same.
Move software specific fields to padding space.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 33 ++++------
drivers/crypto/cnxk/cn10k_ipsec.c | 77 +++++++++++------------
drivers/crypto/cnxk/cn10k_ipsec.h | 25 ++++----
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 40 +++++-------
4 files changed, 80 insertions(+), 95 deletions(-)
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 1d7a9e2952..2942617615 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -72,7 +72,6 @@ cpt_sec_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op,
struct cn10k_sec_session *sess, struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = op->sym;
- struct cn10k_ipsec_sa *sa;
int ret;
if (unlikely(sym_op->m_dst && sym_op->m_dst != sym_op->m_src)) {
@@ -85,12 +84,10 @@ cpt_sec_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op,
return -ENOTSUP;
}
- sa = &sess->sa;
-
- if (sa->is_outbound)
- ret = process_outb_sa(&qp->lf, op, sa, inst);
+ if (sess->is_outbound)
+ ret = process_outb_sa(&qp->lf, op, sess, inst);
else
- ret = process_inb_sa(op, sa, inst);
+ ret = process_inb_sa(op, sess, inst);
return ret;
}
@@ -122,11 +119,11 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[],
if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
- sec_sess = SECURITY_GET_SESS_PRIV(sym_op->session);
+ sec_sess = (struct cn10k_sec_session *)(sym_op->session);
ret = cpt_sec_inst_fill(qp, op, sec_sess, &inst[0]);
if (unlikely(ret))
return 0;
- w7 = sec_sess->sa.inst.w7;
+ w7 = sec_sess->inst.w7;
} else if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
sess = CRYPTODEV_GET_SYM_SESS_PRIV(sym_op->session);
ret = cpt_sym_inst_fill(qp, op, sess, infl_req,
@@ -298,13 +295,10 @@ cn10k_cpt_crypto_adapter_ev_mdata_set(struct rte_cryptodev *dev __rte_unused,
/* Set meta according to session type */
if (op_type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
if (sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
- struct cn10k_sec_session *priv;
- struct cn10k_ipsec_sa *sa;
+ struct cn10k_sec_session *sec_sess = (struct cn10k_sec_session *)sess;
- priv = SECURITY_GET_SESS_PRIV(sess);
- sa = &priv->sa;
- sa->qp = qp;
- sa->inst.w2 = w2;
+ sec_sess->qp = qp;
+ sec_sess->inst.w2 = w2;
} else if (sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
struct cnxk_se_sess *priv;
@@ -335,13 +329,12 @@ cn10k_ca_meta_info_extract(struct rte_crypto_op *op,
{
if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
- struct cn10k_sec_session *priv;
- struct cn10k_ipsec_sa *sa;
+ struct cn10k_sec_session *sec_sess;
+
+ sec_sess = (struct cn10k_sec_session *)op->sym->session;
- priv = SECURITY_GET_SESS_PRIV(op->sym->session);
- sa = &priv->sa;
- *qp = sa->qp;
- *w2 = sa->inst.w2;
+ *qp = sec_sess->qp;
+ *w2 = sec_sess->inst.w2;
} else if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
struct cnxk_se_sess *priv;
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 1ebdf7793a..ef013c8bae 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -36,19 +36,17 @@ static int
cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
struct rte_security_ipsec_xform *ipsec_xfrm,
struct rte_crypto_sym_xform *crypto_xfrm,
- struct rte_security_session *sec_sess)
+ struct cn10k_sec_session *sec_sess)
{
union roc_ot_ipsec_outb_param1 param1;
struct roc_ot_ipsec_outb_sa *sa_dptr;
struct cnxk_ipsec_outb_rlens rlens;
- struct cn10k_sec_session *sess;
struct cn10k_ipsec_sa *sa;
union cpt_inst_w4 inst_w4;
void *out_sa;
int ret = 0;
- sess = SECURITY_GET_SESS_PRIV(sec_sess);
- sa = &sess->sa;
+ sa = &sec_sess->sa;
out_sa = &sa->out_sa;
/* Allocate memory to be used as dptr for CPT ucode WRITE_SA op */
@@ -65,21 +63,21 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
goto sa_dptr_free;
}
- sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, out_sa);
+ sec_sess->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, out_sa);
#ifdef LA_IPSEC_DEBUG
/* Use IV from application in debug mode */
if (ipsec_xfrm->options.iv_gen_disable == 1) {
sa_dptr->w2.s.iv_src = ROC_IE_OT_SA_IV_SRC_FROM_SA;
if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
- sa->iv_offset = crypto_xfrm->aead.iv.offset;
- sa->iv_length = crypto_xfrm->aead.iv.length;
+ sec_sess->iv_offset = crypto_xfrm->aead.iv.offset;
+ sec_sess->iv_length = crypto_xfrm->aead.iv.length;
} else if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
- sa->iv_offset = crypto_xfrm->cipher.iv.offset;
- sa->iv_length = crypto_xfrm->cipher.iv.length;
+ sec_sess->iv_offset = crypto_xfrm->cipher.iv.offset;
+ sec_sess->iv_length = crypto_xfrm->cipher.iv.length;
} else {
- sa->iv_offset = crypto_xfrm->auth.iv.offset;
- sa->iv_length = crypto_xfrm->auth.iv.length;
+ sec_sess->iv_offset = crypto_xfrm->auth.iv.offset;
+ sec_sess->iv_length = crypto_xfrm->auth.iv.length;
}
}
#else
@@ -90,14 +88,14 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
}
#endif
- sa->is_outbound = true;
+ sec_sess->is_outbound = true;
/* Get Rlen calculation data */
ret = cnxk_ipsec_outb_rlens_get(&rlens, ipsec_xfrm, crypto_xfrm);
if (ret)
goto sa_dptr_free;
- sa->max_extended_len = rlens.max_extended_len;
+ sec_sess->max_extended_len = rlens.max_extended_len;
/* pre-populate CPT INST word 4 */
inst_w4.u64 = 0;
@@ -125,7 +123,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
inst_w4.s.param1 = param1.u16;
- sa->inst.w4 = inst_w4.u64;
+ sec_sess->inst.w4 = inst_w4.u64;
if (ipsec_xfrm->options.stats == 1) {
/* Enable mib counters */
@@ -163,18 +161,16 @@ static int
cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
struct rte_security_ipsec_xform *ipsec_xfrm,
struct rte_crypto_sym_xform *crypto_xfrm,
- struct rte_security_session *sec_sess)
+ struct cn10k_sec_session *sec_sess)
{
union roc_ot_ipsec_inb_param1 param1;
struct roc_ot_ipsec_inb_sa *sa_dptr;
- struct cn10k_sec_session *sess;
struct cn10k_ipsec_sa *sa;
union cpt_inst_w4 inst_w4;
void *in_sa;
int ret = 0;
- sess = SECURITY_GET_SESS_PRIV(sec_sess);
- sa = &sess->sa;
+ sa = &sec_sess->sa;
in_sa = &sa->in_sa;
/* Allocate memory to be used as dptr for CPT ucode WRITE_SA op */
@@ -192,8 +188,8 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
goto sa_dptr_free;
}
- sa->is_outbound = false;
- sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, in_sa);
+ sec_sess->is_outbound = false;
+ sec_sess->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, in_sa);
/* pre-populate CPT INST word 4 */
inst_w4.u64 = 0;
@@ -221,7 +217,7 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
inst_w4.s.param1 = param1.u16;
- sa->inst.w4 = inst_w4.u64;
+ sec_sess->inst.w4 = inst_w4.u64;
if (ipsec_xfrm->options.stats == 1) {
/* Enable mib counters */
@@ -281,11 +277,11 @@ cn10k_ipsec_session_create(void *dev,
roc_cpt = &vf->cpt;
if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
- return cn10k_ipsec_inb_sa_create(roc_cpt, &qp->lf, ipsec_xfrm,
- crypto_xfrm, sess);
+ return cn10k_ipsec_inb_sa_create(roc_cpt, &qp->lf, ipsec_xfrm, crypto_xfrm,
+ (struct cn10k_sec_session *)sess);
else
- return cn10k_ipsec_outb_sa_create(roc_cpt, &qp->lf, ipsec_xfrm,
- crypto_xfrm, sess);
+ return cn10k_ipsec_outb_sa_create(roc_cpt, &qp->lf, ipsec_xfrm, crypto_xfrm,
+ (struct cn10k_sec_session *)sess);
}
static int
@@ -314,13 +310,14 @@ cn10k_sec_session_destroy(void *dev, struct rte_security_session *sec_sess)
void *sa_dptr = NULL;
int ret;
- sess = SECURITY_GET_SESS_PRIV(sec_sess);
- if (sess == NULL)
- return 0;
+ if (unlikely(sec_sess == NULL))
+ return -EINVAL;
+
+ sess = (struct cn10k_sec_session *)sec_sess;
qp = crypto_dev->data->queue_pairs[0];
- if (qp == NULL)
- return 0;
+ if (unlikely(qp == NULL))
+ return -ENOTSUP;
lf = &qp->lf;
@@ -331,7 +328,7 @@ cn10k_sec_session_destroy(void *dev, struct rte_security_session *sec_sess)
ret = -1;
- if (sa->is_outbound) {
+ if (sess->is_outbound) {
sa_dptr = plt_zmalloc(sizeof(struct roc_ot_ipsec_outb_sa), 8);
if (sa_dptr != NULL) {
roc_ot_ipsec_outb_sa_init(sa_dptr);
@@ -374,7 +371,7 @@ cn10k_sec_session_destroy(void *dev, struct rte_security_session *sec_sess)
static unsigned int
cn10k_sec_session_get_size(void *device __rte_unused)
{
- return sizeof(struct cn10k_sec_session);
+ return sizeof(struct cn10k_sec_session) - sizeof(struct rte_security_session);
}
static int
@@ -384,25 +381,23 @@ cn10k_sec_session_stats_get(void *device, struct rte_security_session *sess,
struct rte_cryptodev *crypto_dev = device;
struct roc_ot_ipsec_outb_sa *out_sa;
struct roc_ot_ipsec_inb_sa *in_sa;
- union roc_ot_ipsec_sa_word2 *w2;
struct cn10k_sec_session *priv;
struct cn10k_ipsec_sa *sa;
struct cnxk_cpt_qp *qp;
- priv = SECURITY_GET_SESS_PRIV(sess);
- if (priv == NULL)
+ if (unlikely(sess == NULL))
return -EINVAL;
+ priv = (struct cn10k_sec_session *)sess;
+
qp = crypto_dev->data->queue_pairs[0];
if (qp == NULL)
return -EINVAL;
- sa = &priv->sa;
- w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2;
-
stats->protocol = RTE_SECURITY_PROTOCOL_IPSEC;
+ sa = &priv->sa;
- if (w2->s.dir == ROC_IE_SA_DIR_OUTBOUND) {
+ if (priv->is_outbound) {
out_sa = &sa->out_sa;
roc_cpt_lf_ctx_flush(&qp->lf, out_sa, false);
rte_delay_ms(1);
@@ -448,8 +443,8 @@ cn10k_sec_session_update(void *device, struct rte_security_session *sess,
vf = crypto_dev->data->dev_private;
roc_cpt = &vf->cpt;
- return cn10k_ipsec_outb_sa_create(roc_cpt, &qp->lf, &conf->ipsec,
- conf->crypto_xform, sess);
+ return cn10k_ipsec_outb_sa_create(roc_cpt, &qp->lf, &conf->ipsec, conf->crypto_xform,
+ (struct cn10k_sec_session *)sess);
}
/* Update platform specific security ops */
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index 1c1d904799..044fe33046 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -6,6 +6,7 @@
#define __CN10K_IPSEC_H__
#include <rte_security.h>
+#include <rte_security_driver.h>
#include "roc_api.h"
@@ -14,6 +15,19 @@
typedef void *CN10K_SA_CONTEXT_MARKER[0];
struct cn10k_ipsec_sa {
+ union {
+ /** Inbound SA */
+ struct roc_ot_ipsec_inb_sa in_sa;
+ /** Outbound SA */
+ struct roc_ot_ipsec_outb_sa out_sa;
+ };
+} __rte_aligned(ROC_ALIGN);
+
+struct cn10k_sec_session {
+ struct rte_security_session rte_sess;
+
+ /** PMD private space */
+
/** Pre-populated CPT inst words */
struct cnxk_cpt_inst_tmpl inst;
uint16_t max_extended_len;
@@ -26,17 +40,6 @@ struct cn10k_ipsec_sa {
/**
* End of SW mutable area
*/
- CN10K_SA_CONTEXT_MARKER sw_area_end __rte_aligned(ROC_ALIGN);
-
- union {
- /** Inbound SA */
- struct roc_ot_ipsec_inb_sa in_sa;
- /** Outbound SA */
- struct roc_ot_ipsec_outb_sa out_sa;
- };
-} __rte_aligned(ROC_ALIGN);
-
-struct cn10k_sec_session {
struct cn10k_ipsec_sa sa;
} __rte_aligned(ROC_ALIGN);
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index 21502e0eb2..a75e88cb28 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -13,13 +13,12 @@
#include "cnxk_cryptodev.h"
static inline void
-ipsec_po_sa_iv_set(struct cn10k_ipsec_sa *sess, struct rte_crypto_op *cop)
+ipsec_po_sa_iv_set(struct cn10k_sec_session *sess, struct rte_crypto_op *cop)
{
- uint64_t *iv = &sess->out_sa.iv.u64[0];
+ uint64_t *iv = &sess->sa.out_sa.iv.u64[0];
uint64_t *tmp_iv;
- memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset),
- 16);
+ memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset), 16);
tmp_iv = (uint64_t *)iv;
*tmp_iv = rte_be_to_cpu_64(*tmp_iv);
@@ -28,28 +27,24 @@ ipsec_po_sa_iv_set(struct cn10k_ipsec_sa *sess, struct rte_crypto_op *cop)
}
static inline void
-ipsec_po_sa_aes_gcm_iv_set(struct cn10k_ipsec_sa *sess,
- struct rte_crypto_op *cop)
+ipsec_po_sa_aes_gcm_iv_set(struct cn10k_sec_session *sess, struct rte_crypto_op *cop)
{
- uint8_t *iv = &sess->out_sa.iv.s.iv_dbg1[0];
+ uint8_t *iv = &sess->sa.out_sa.iv.s.iv_dbg1[0];
uint32_t *tmp_iv;
- memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset),
- 4);
+ memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset), 4);
tmp_iv = (uint32_t *)iv;
*tmp_iv = rte_be_to_cpu_32(*tmp_iv);
- iv = &sess->out_sa.iv.s.iv_dbg2[0];
- memcpy(iv,
- rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset + 4),
- 4);
+ iv = &sess->sa.out_sa.iv.s.iv_dbg2[0];
+ memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset + 4), 4);
tmp_iv = (uint32_t *)iv;
*tmp_iv = rte_be_to_cpu_32(*tmp_iv);
}
static __rte_always_inline int
-process_outb_sa(struct roc_cpt_lf *lf, struct rte_crypto_op *cop,
- struct cn10k_ipsec_sa *sess, struct cpt_inst_s *inst)
+process_outb_sa(struct roc_cpt_lf *lf, struct rte_crypto_op *cop, struct cn10k_sec_session *sess,
+ struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
@@ -64,17 +59,17 @@ process_outb_sa(struct roc_cpt_lf *lf, struct rte_crypto_op *cop,
RTE_SET_USED(lf);
#ifdef LA_IPSEC_DEBUG
- if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) {
- if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM ||
- sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM ||
- sess->out_sa.w2.s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC)
+ if (sess->sa.out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) {
+ if (sess->sa.out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM ||
+ sess->sa.out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM ||
+ sess->sa.out_sa.w2.s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC)
ipsec_po_sa_aes_gcm_iv_set(sess, cop);
else
ipsec_po_sa_iv_set(sess, cop);
}
/* Trigger CTX reload to fetch new data from DRAM */
- roc_cpt_lf_ctx_reload(lf, &sess->out_sa);
+ roc_cpt_lf_ctx_reload(lf, &sess->sa.out_sa);
rte_delay_ms(1);
#endif
@@ -94,15 +89,14 @@ process_outb_sa(struct roc_cpt_lf *lf, struct rte_crypto_op *cop,
}
static __rte_always_inline int
-process_inb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sa,
- struct cpt_inst_s *inst)
+process_inb_sa(struct rte_crypto_op *cop, struct cn10k_sec_session *sess, struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
uint64_t dptr;
/* Prepare CPT instruction */
- inst->w4.u64 = sa->inst.w4 | rte_pktmbuf_pkt_len(m_src);
+ inst->w4.u64 = sess->inst.w4 | rte_pktmbuf_pkt_len(m_src);
dptr = rte_pktmbuf_mtod(m_src, uint64_t);
inst->dptr = dptr;
inst->rptr = dptr;
--
2.25.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 2/2] crypto/cnxk: fix failure from session rework
2022-10-12 6:04 [PATCH 1/2] crypto/cnxk: align HW accessible field to ROC align Anoob Joseph
@ 2022-10-12 6:04 ` Anoob Joseph
2022-10-12 12:10 ` [PATCH v2 1/2] crypto/cnxk: align HW accessible field to ROC align Anoob Joseph
1 sibling, 0 replies; 5+ messages in thread
From: Anoob Joseph @ 2022-10-12 6:04 UTC (permalink / raw)
To: Akhil Goyal, Jerin Jacob; +Cc: Ankur Dwivedi, Tejasree Kondoj, dev
Post security session rework, CPTR got changed affecting cn9k IPsec
functionality. Address the same. Also, move all s/w accessible
fastpath fields to rte_security_session cacheline for better perf.
Fixes: 3f3fc3308bd0 ("security: remove private mempool usage")
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 46 ++++++++-----------
drivers/crypto/cnxk/cn9k_ipsec.c | 56 ++++++++++++------------
drivers/crypto/cnxk/cn9k_ipsec.h | 44 ++++++++++---------
drivers/crypto/cnxk/cn9k_ipsec_la_ops.h | 30 ++++++-------
4 files changed, 84 insertions(+), 92 deletions(-)
diff --git a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c
index 2ed298e01f..289601330e 100644
--- a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c
@@ -23,12 +23,10 @@ cn9k_cpt_sec_inst_fill(struct rte_crypto_op *op,
struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = op->sym;
- struct cn9k_sec_session *priv;
- struct cn9k_ipsec_sa *sa;
+ struct cn9k_sec_session *sec_sess;
int ret;
- priv = SECURITY_GET_SESS_PRIV(op->sym->session);
- sa = &priv->sa;
+ sec_sess = (struct cn9k_sec_session *)(op->sym->session);
if (unlikely(sym_op->m_dst && sym_op->m_dst != sym_op->m_src)) {
plt_dp_err("Out of place is not supported");
@@ -40,12 +38,12 @@ cn9k_cpt_sec_inst_fill(struct rte_crypto_op *op,
return -ENOTSUP;
}
- if (sa->dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
- ret = process_outb_sa(op, sa, inst);
+ if (sec_sess->is_outbound)
+ ret = process_outb_sa(op, sec_sess, inst);
else {
infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND;
- process_inb_sa(op, sa, inst);
- if (unlikely(sa->replay_win_sz))
+ process_inb_sa(op, sec_sess, inst);
+ if (unlikely(sec_sess->replay_win_sz))
infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_INB_REPLAY;
ret = 0;
}
@@ -335,12 +333,10 @@ cn9k_cpt_crypto_adapter_ev_mdata_set(struct rte_cryptodev *dev __rte_unused,
if (op_type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
if (sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
struct cn9k_sec_session *priv;
- struct cn9k_ipsec_sa *sa;
- priv = SECURITY_GET_SESS_PRIV(sess);
- sa = &priv->sa;
- sa->qp = qp;
- sa->inst.w2 = w2;
+ priv = (struct cn9k_sec_session *)sess;
+ priv->qp = qp;
+ priv->inst.w2 = w2;
} else if (sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
struct cnxk_se_sess *priv;
@@ -372,12 +368,10 @@ cn9k_ca_meta_info_extract(struct rte_crypto_op *op,
if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
struct cn9k_sec_session *priv;
- struct cn9k_ipsec_sa *sa;
- priv = SECURITY_GET_SESS_PRIV(op->sym->session);
- sa = &priv->sa;
- *qp = sa->qp;
- inst->w2.u64 = sa->inst.w2;
+ priv = (struct cn9k_sec_session *)(op->sym->session);
+ *qp = priv->qp;
+ inst->w2.u64 = priv->inst.w2;
} else if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
struct cnxk_se_sess *priv;
@@ -480,7 +474,8 @@ cn9k_cpt_crypto_adapter_enqueue(uintptr_t base, struct rte_crypto_op *op)
}
static inline int
-ipsec_antireplay_check(struct cn9k_ipsec_sa *sa, uint32_t win_sz, struct roc_ie_on_inb_hdr *data)
+ipsec_antireplay_check(struct cn9k_sec_session *sess, uint32_t win_sz,
+ struct roc_ie_on_inb_hdr *data)
{
uint32_t esn_low, esn_hi, seql, seqh = 0;
struct roc_ie_on_common_sa *common_sa;
@@ -489,7 +484,7 @@ ipsec_antireplay_check(struct cn9k_ipsec_sa *sa, uint32_t win_sz, struct roc_ie_
uint8_t esn;
int ret;
- in_sa = &sa->in_sa;
+ in_sa = &sess->sa.in_sa;
common_sa = &in_sa->common_sa;
esn = common_sa->ctl.esn_en;
@@ -505,7 +500,7 @@ ipsec_antireplay_check(struct cn9k_ipsec_sa *sa, uint32_t win_sz, struct roc_ie_
if (unlikely(seq == 0))
return IPSEC_ANTI_REPLAY_FAILED;
- ret = cnxk_on_anti_replay_check(seq, &sa->ar, win_sz);
+ ret = cnxk_on_anti_replay_check(seq, &sess->ar, win_sz);
if (esn && !ret) {
esn_low = rte_be_to_cpu_32(common_sa->seq_t.tl);
esn_hi = rte_be_to_cpu_32(common_sa->seq_t.th);
@@ -526,7 +521,6 @@ cn9k_cpt_sec_post_process(struct rte_crypto_op *cop,
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m = sym_op->m_src;
struct cn9k_sec_session *priv;
- struct cn9k_ipsec_sa *sa;
struct rte_ipv6_hdr *ip6;
struct rte_ipv4_hdr *ip;
uint16_t m_len = 0;
@@ -539,12 +533,10 @@ cn9k_cpt_sec_post_process(struct rte_crypto_op *cop,
CPT_OP_FLAGS_IPSEC_INB_REPLAY)) {
int ret;
- priv = SECURITY_GET_SESS_PRIV(sym_op->session);
- sa = &priv->sa;
+ priv = (struct cn9k_sec_session *)(sym_op->session);
- ret = ipsec_antireplay_check(
- sa, sa->replay_win_sz,
- (struct roc_ie_on_inb_hdr *)data);
+ ret = ipsec_antireplay_check(priv, priv->replay_win_sz,
+ (struct roc_ie_on_inb_hdr *)data);
if (unlikely(ret)) {
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
return;
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index b56843f49b..66c450f941 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -32,22 +32,23 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
uint8_t egrp;
int ret;
- sess = SECURITY_GET_SESS_PRIV(sec_sess);
+ sess = (struct cn9k_sec_session *)sec_sess;
sa = &sess->sa;
+ /* Initialize lookaside IPsec private data */
+
memset(sa, 0, sizeof(struct cn9k_ipsec_sa));
- /* Initialize lookaside IPsec private data */
- sa->dir = RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
+ sess->is_outbound = 1;
if (ipsec->esn.value)
- sa->esn = ipsec->esn.value - 1;
+ sess->esn = ipsec->esn.value - 1;
- ret = cnxk_ipsec_outb_rlens_get(&sa->rlens, ipsec, crypto_xform);
+ ret = cnxk_ipsec_outb_rlens_get(&sess->rlens, ipsec, crypto_xform);
if (ret)
return ret;
- sa->custom_hdr_len =
+ sess->custom_hdr_len =
sizeof(struct roc_ie_on_outb_hdr) - ROC_IE_ON_MAX_IV_LEN;
#ifdef LA_IPSEC_DEBUG
@@ -80,8 +81,7 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
ctx_len = ret;
egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];
- ret = roc_on_cpt_ctx_write(&qp->lf, SECURITY_GET_SESS_PRIV_IOVA(sec_sess),
- false, ctx_len, egrp);
+ ret = roc_on_cpt_ctx_write(&qp->lf, (uintptr_t)sa, false, ctx_len, egrp);
if (ret)
return ret;
@@ -108,9 +108,9 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
w7.u64 = 0;
w7.s.egrp = egrp;
- w7.s.cptr = SECURITY_GET_SESS_PRIV_IOVA(sec_sess);
+ w7.s.cptr = (uintptr_t)&sess->sa;
- inst_tmpl = &sa->inst;
+ inst_tmpl = &sess->inst;
inst_tmpl->w4 = w4.u64;
inst_tmpl->w7 = w7.u64;
@@ -134,31 +134,30 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
uint8_t egrp;
int ret = 0;
- sess = SECURITY_GET_SESS_PRIV(sec_sess);
+ sess = (struct cn9k_sec_session *)sec_sess;
sa = &sess->sa;
memset(sa, 0, sizeof(struct cn9k_ipsec_sa));
- sa->dir = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
- sa->replay_win_sz = ipsec->replay_win_sz;
+ sess->is_outbound = 0;
+ sess->replay_win_sz = ipsec->replay_win_sz;
- if (sa->replay_win_sz) {
- if (sa->replay_win_sz > CNXK_ON_AR_WIN_SIZE_MAX) {
- plt_err("Replay window size:%u is not supported",
- sa->replay_win_sz);
+ if (sess->replay_win_sz) {
+ if (sess->replay_win_sz > CNXK_ON_AR_WIN_SIZE_MAX) {
+ plt_err("Replay window size:%u is not supported", sess->replay_win_sz);
return -ENOTSUP;
}
/* Set window bottom to 1, base and top to size of window */
- sa->ar.winb = 1;
- sa->ar.wint = sa->replay_win_sz;
- sa->ar.base = sa->replay_win_sz;
+ sess->ar.winb = 1;
+ sess->ar.wint = sess->replay_win_sz;
+ sess->ar.base = sess->replay_win_sz;
- sa->seq_lo = ipsec->esn.low;
- sa->seq_hi = ipsec->esn.hi;
+ sess->seq_lo = ipsec->esn.low;
+ sess->seq_hi = ipsec->esn.hi;
- sa->in_sa.common_sa.seq_t.tl = sa->seq_lo;
- sa->in_sa.common_sa.seq_t.th = sa->seq_hi;
+ sess->sa.in_sa.common_sa.seq_t.tl = sess->seq_lo;
+ sess->sa.in_sa.common_sa.seq_t.th = sess->seq_hi;
}
ret = cnxk_on_ipsec_inb_sa_create(ipsec, crypto_xform, &sa->in_sa);
@@ -166,12 +165,11 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
return ret;
if (sa->in_sa.common_sa.ctl.esn_en)
- sa->esn_en = 1;
+ sess->esn_en = 1;
ctx_len = ret;
egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];
- ret = roc_on_cpt_ctx_write(&qp->lf, SECURITY_GET_SESS_PRIV_IOVA(sec_sess),
- true, ctx_len, egrp);
+ ret = roc_on_cpt_ctx_write(&qp->lf, (uint64_t)sa, true, ctx_len, egrp);
if (ret)
return ret;
@@ -184,9 +182,9 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
w4.s.param2 = param2.u16;
w7.s.egrp = egrp;
- w7.s.cptr = SECURITY_GET_SESS_PRIV_IOVA(sec_sess);
+ w7.s.cptr = (uintptr_t)&sess->sa;
- inst_tmpl = &sa->inst;
+ inst_tmpl = &sess->inst;
inst_tmpl->w4 = w4.u64;
inst_tmpl->w7 = w7.u64;
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.h b/drivers/crypto/cnxk/cn9k_ipsec.h
index bed5976096..1ea946afd8 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.h
+++ b/drivers/crypto/cnxk/cn9k_ipsec.h
@@ -5,6 +5,8 @@
#ifndef __CN9K_IPSEC_H__
#define __CN9K_IPSEC_H__
+#include <rte_security_driver.h>
+
#include "cnxk_ipsec.h"
#include "cnxk_security.h"
#include "cnxk_security_ar.h"
@@ -16,40 +18,42 @@ struct cn9k_ipsec_sa {
/** Outbound SA */
struct roc_ie_on_outb_sa out_sa;
};
+} __rte_aligned(8);
+
+struct cn9k_sec_session {
+ struct rte_security_session rte_sess;
+
+ /** PMD private space */
+
+ /** ESN */
+ union {
+ uint64_t esn;
+ struct {
+ uint32_t seq_lo;
+ uint32_t seq_hi;
+ };
+ };
/** IPsec SA direction */
- enum rte_security_ipsec_sa_direction dir;
+ uint8_t is_outbound;
+ /* ESN enable flag */
+ uint8_t esn_en;
/** Pre-populated CPT inst words */
struct cnxk_cpt_inst_tmpl inst;
+ /** Response length calculation data */
+ struct cnxk_ipsec_outb_rlens rlens;
+ /** Anti replay window size */
+ uint32_t replay_win_sz;
/** Cipher IV offset in bytes */
uint16_t cipher_iv_off;
/** Cipher IV length in bytes */
uint8_t cipher_iv_len;
/** Outbound custom header length */
uint8_t custom_hdr_len;
- /** Response length calculation data */
- struct cnxk_ipsec_outb_rlens rlens;
- /** ESN */
- union {
- uint64_t esn;
- struct {
- uint32_t seq_lo;
- uint32_t seq_hi;
- };
- };
/** Anti replay */
struct cnxk_on_ipsec_ar ar;
- /** Anti replay window size */
- uint32_t replay_win_sz;
- /*
- * ESN enable flag. Copy of in_sa ctl.esn_en to have single cache line
- * access in the non-esn fastpath.
- */
- uint8_t esn_en;
/** Queue pair */
struct cnxk_cpt_qp *qp;
-};
-struct cn9k_sec_session {
struct cn9k_ipsec_sa sa;
} __rte_cache_aligned;
diff --git a/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
index 8b68e4c728..0763f3a42d 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
@@ -13,21 +13,20 @@
#include "cnxk_security_ar.h"
static __rte_always_inline int32_t
-ipsec_po_out_rlen_get(struct cn9k_ipsec_sa *sa, uint32_t plen)
+ipsec_po_out_rlen_get(struct cn9k_sec_session *sess, uint32_t plen)
{
uint32_t enc_payload_len;
- enc_payload_len = RTE_ALIGN_CEIL(plen + sa->rlens.roundup_len,
- sa->rlens.roundup_byte);
+ enc_payload_len = RTE_ALIGN_CEIL(plen + sess->rlens.roundup_len,
+ sess->rlens.roundup_byte);
- return sa->custom_hdr_len + sa->rlens.partial_len + enc_payload_len;
+ return sess->custom_hdr_len + sess->rlens.partial_len + enc_payload_len;
}
static __rte_always_inline int
-process_outb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
- struct cpt_inst_s *inst)
+process_outb_sa(struct rte_crypto_op *cop, struct cn9k_sec_session *sess, struct cpt_inst_s *inst)
{
- const unsigned int hdr_len = sa->custom_hdr_len;
+ const unsigned int hdr_len = sess->custom_hdr_len;
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
uint32_t dlen, rlen, pkt_len, seq_lo;
@@ -38,7 +37,7 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
pkt_len = rte_pktmbuf_pkt_len(m_src);
dlen = pkt_len + hdr_len;
- rlen = ipsec_po_out_rlen_get(sa, pkt_len);
+ rlen = ipsec_po_out_rlen_get(sess, pkt_len);
extend_tail = rlen - dlen;
if (unlikely(extend_tail > rte_pktmbuf_tailroom(m_src))) {
@@ -61,7 +60,7 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
hdr = PLT_PTR_ADD(m_src->buf_addr, data_off - hdr_len);
#ifdef LA_IPSEC_DEBUG
- if (sa->inst.w4 & ROC_IE_ON_PER_PKT_IV) {
+ if (sess->inst.w4 & ROC_IE_ON_PER_PKT_IV) {
memcpy(&hdr->iv[0],
rte_crypto_op_ctod_offset(cop, uint8_t *,
sa->cipher_iv_off),
@@ -69,7 +68,7 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
}
#endif
- esn = ++sa->esn;
+ esn = ++sess->esn;
/* Set ESN seq hi */
hdr->esn = rte_cpu_to_be_32(esn >> 32);
@@ -82,24 +81,23 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
hdr->ip_id = seq_lo;
/* Prepare CPT instruction */
- inst->w4.u64 = sa->inst.w4 | dlen;
+ inst->w4.u64 = sess->inst.w4 | dlen;
inst->dptr = PLT_U64_CAST(hdr);
inst->rptr = PLT_U64_CAST(hdr);
- inst->w7.u64 = sa->inst.w7;
+ inst->w7.u64 = sess->inst.w7;
return 0;
}
static __rte_always_inline void
-process_inb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
- struct cpt_inst_s *inst)
+process_inb_sa(struct rte_crypto_op *cop, struct cn9k_sec_session *sess, struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
/* Prepare CPT instruction */
- inst->w4.u64 = sa->inst.w4 | rte_pktmbuf_pkt_len(m_src);
+ inst->w4.u64 = sess->inst.w4 | rte_pktmbuf_pkt_len(m_src);
inst->dptr = inst->rptr = rte_pktmbuf_mtod(m_src, uint64_t);
- inst->w7.u64 = sa->inst.w7;
+ inst->w7.u64 = sess->inst.w7;
}
#endif /* __CN9K_IPSEC_LA_OPS_H__ */
--
2.25.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2 1/2] crypto/cnxk: align HW accessible field to ROC align
2022-10-12 6:04 [PATCH 1/2] crypto/cnxk: align HW accessible field to ROC align Anoob Joseph
2022-10-12 6:04 ` [PATCH 2/2] crypto/cnxk: fix failure from session rework Anoob Joseph
@ 2022-10-12 12:10 ` Anoob Joseph
2022-10-12 12:10 ` [PATCH v2 2/2] crypto/cnxk: fix failure from session rework Anoob Joseph
1 sibling, 1 reply; 5+ messages in thread
From: Anoob Joseph @ 2022-10-12 12:10 UTC (permalink / raw)
To: Akhil Goyal, Jerin Jacob; +Cc: Ankur Dwivedi, Tejasree Kondoj, dev
Hardware accessible memory need to be aligned to ROC. Enforce the same.
Move software specific fields to padding space.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 33 ++++------
drivers/crypto/cnxk/cn10k_ipsec.c | 77 +++++++++++------------
drivers/crypto/cnxk/cn10k_ipsec.h | 25 ++++----
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 40 +++++-------
4 files changed, 80 insertions(+), 95 deletions(-)
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 1d7a9e2952..2942617615 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -72,7 +72,6 @@ cpt_sec_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op,
struct cn10k_sec_session *sess, struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = op->sym;
- struct cn10k_ipsec_sa *sa;
int ret;
if (unlikely(sym_op->m_dst && sym_op->m_dst != sym_op->m_src)) {
@@ -85,12 +84,10 @@ cpt_sec_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op,
return -ENOTSUP;
}
- sa = &sess->sa;
-
- if (sa->is_outbound)
- ret = process_outb_sa(&qp->lf, op, sa, inst);
+ if (sess->is_outbound)
+ ret = process_outb_sa(&qp->lf, op, sess, inst);
else
- ret = process_inb_sa(op, sa, inst);
+ ret = process_inb_sa(op, sess, inst);
return ret;
}
@@ -122,11 +119,11 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[],
if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
- sec_sess = SECURITY_GET_SESS_PRIV(sym_op->session);
+ sec_sess = (struct cn10k_sec_session *)(sym_op->session);
ret = cpt_sec_inst_fill(qp, op, sec_sess, &inst[0]);
if (unlikely(ret))
return 0;
- w7 = sec_sess->sa.inst.w7;
+ w7 = sec_sess->inst.w7;
} else if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
sess = CRYPTODEV_GET_SYM_SESS_PRIV(sym_op->session);
ret = cpt_sym_inst_fill(qp, op, sess, infl_req,
@@ -298,13 +295,10 @@ cn10k_cpt_crypto_adapter_ev_mdata_set(struct rte_cryptodev *dev __rte_unused,
/* Set meta according to session type */
if (op_type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
if (sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
- struct cn10k_sec_session *priv;
- struct cn10k_ipsec_sa *sa;
+ struct cn10k_sec_session *sec_sess = (struct cn10k_sec_session *)sess;
- priv = SECURITY_GET_SESS_PRIV(sess);
- sa = &priv->sa;
- sa->qp = qp;
- sa->inst.w2 = w2;
+ sec_sess->qp = qp;
+ sec_sess->inst.w2 = w2;
} else if (sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
struct cnxk_se_sess *priv;
@@ -335,13 +329,12 @@ cn10k_ca_meta_info_extract(struct rte_crypto_op *op,
{
if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
- struct cn10k_sec_session *priv;
- struct cn10k_ipsec_sa *sa;
+ struct cn10k_sec_session *sec_sess;
+
+ sec_sess = (struct cn10k_sec_session *)op->sym->session;
- priv = SECURITY_GET_SESS_PRIV(op->sym->session);
- sa = &priv->sa;
- *qp = sa->qp;
- *w2 = sa->inst.w2;
+ *qp = sec_sess->qp;
+ *w2 = sec_sess->inst.w2;
} else if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
struct cnxk_se_sess *priv;
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 1ebdf7793a..ef013c8bae 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -36,19 +36,17 @@ static int
cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
struct rte_security_ipsec_xform *ipsec_xfrm,
struct rte_crypto_sym_xform *crypto_xfrm,
- struct rte_security_session *sec_sess)
+ struct cn10k_sec_session *sec_sess)
{
union roc_ot_ipsec_outb_param1 param1;
struct roc_ot_ipsec_outb_sa *sa_dptr;
struct cnxk_ipsec_outb_rlens rlens;
- struct cn10k_sec_session *sess;
struct cn10k_ipsec_sa *sa;
union cpt_inst_w4 inst_w4;
void *out_sa;
int ret = 0;
- sess = SECURITY_GET_SESS_PRIV(sec_sess);
- sa = &sess->sa;
+ sa = &sec_sess->sa;
out_sa = &sa->out_sa;
/* Allocate memory to be used as dptr for CPT ucode WRITE_SA op */
@@ -65,21 +63,21 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
goto sa_dptr_free;
}
- sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, out_sa);
+ sec_sess->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, out_sa);
#ifdef LA_IPSEC_DEBUG
/* Use IV from application in debug mode */
if (ipsec_xfrm->options.iv_gen_disable == 1) {
sa_dptr->w2.s.iv_src = ROC_IE_OT_SA_IV_SRC_FROM_SA;
if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
- sa->iv_offset = crypto_xfrm->aead.iv.offset;
- sa->iv_length = crypto_xfrm->aead.iv.length;
+ sec_sess->iv_offset = crypto_xfrm->aead.iv.offset;
+ sec_sess->iv_length = crypto_xfrm->aead.iv.length;
} else if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
- sa->iv_offset = crypto_xfrm->cipher.iv.offset;
- sa->iv_length = crypto_xfrm->cipher.iv.length;
+ sec_sess->iv_offset = crypto_xfrm->cipher.iv.offset;
+ sec_sess->iv_length = crypto_xfrm->cipher.iv.length;
} else {
- sa->iv_offset = crypto_xfrm->auth.iv.offset;
- sa->iv_length = crypto_xfrm->auth.iv.length;
+ sec_sess->iv_offset = crypto_xfrm->auth.iv.offset;
+ sec_sess->iv_length = crypto_xfrm->auth.iv.length;
}
}
#else
@@ -90,14 +88,14 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
}
#endif
- sa->is_outbound = true;
+ sec_sess->is_outbound = true;
/* Get Rlen calculation data */
ret = cnxk_ipsec_outb_rlens_get(&rlens, ipsec_xfrm, crypto_xfrm);
if (ret)
goto sa_dptr_free;
- sa->max_extended_len = rlens.max_extended_len;
+ sec_sess->max_extended_len = rlens.max_extended_len;
/* pre-populate CPT INST word 4 */
inst_w4.u64 = 0;
@@ -125,7 +123,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
inst_w4.s.param1 = param1.u16;
- sa->inst.w4 = inst_w4.u64;
+ sec_sess->inst.w4 = inst_w4.u64;
if (ipsec_xfrm->options.stats == 1) {
/* Enable mib counters */
@@ -163,18 +161,16 @@ static int
cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
struct rte_security_ipsec_xform *ipsec_xfrm,
struct rte_crypto_sym_xform *crypto_xfrm,
- struct rte_security_session *sec_sess)
+ struct cn10k_sec_session *sec_sess)
{
union roc_ot_ipsec_inb_param1 param1;
struct roc_ot_ipsec_inb_sa *sa_dptr;
- struct cn10k_sec_session *sess;
struct cn10k_ipsec_sa *sa;
union cpt_inst_w4 inst_w4;
void *in_sa;
int ret = 0;
- sess = SECURITY_GET_SESS_PRIV(sec_sess);
- sa = &sess->sa;
+ sa = &sec_sess->sa;
in_sa = &sa->in_sa;
/* Allocate memory to be used as dptr for CPT ucode WRITE_SA op */
@@ -192,8 +188,8 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
goto sa_dptr_free;
}
- sa->is_outbound = false;
- sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, in_sa);
+ sec_sess->is_outbound = false;
+ sec_sess->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, in_sa);
/* pre-populate CPT INST word 4 */
inst_w4.u64 = 0;
@@ -221,7 +217,7 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
inst_w4.s.param1 = param1.u16;
- sa->inst.w4 = inst_w4.u64;
+ sec_sess->inst.w4 = inst_w4.u64;
if (ipsec_xfrm->options.stats == 1) {
/* Enable mib counters */
@@ -281,11 +277,11 @@ cn10k_ipsec_session_create(void *dev,
roc_cpt = &vf->cpt;
if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
- return cn10k_ipsec_inb_sa_create(roc_cpt, &qp->lf, ipsec_xfrm,
- crypto_xfrm, sess);
+ return cn10k_ipsec_inb_sa_create(roc_cpt, &qp->lf, ipsec_xfrm, crypto_xfrm,
+ (struct cn10k_sec_session *)sess);
else
- return cn10k_ipsec_outb_sa_create(roc_cpt, &qp->lf, ipsec_xfrm,
- crypto_xfrm, sess);
+ return cn10k_ipsec_outb_sa_create(roc_cpt, &qp->lf, ipsec_xfrm, crypto_xfrm,
+ (struct cn10k_sec_session *)sess);
}
static int
@@ -314,13 +310,14 @@ cn10k_sec_session_destroy(void *dev, struct rte_security_session *sec_sess)
void *sa_dptr = NULL;
int ret;
- sess = SECURITY_GET_SESS_PRIV(sec_sess);
- if (sess == NULL)
- return 0;
+ if (unlikely(sec_sess == NULL))
+ return -EINVAL;
+
+ sess = (struct cn10k_sec_session *)sec_sess;
qp = crypto_dev->data->queue_pairs[0];
- if (qp == NULL)
- return 0;
+ if (unlikely(qp == NULL))
+ return -ENOTSUP;
lf = &qp->lf;
@@ -331,7 +328,7 @@ cn10k_sec_session_destroy(void *dev, struct rte_security_session *sec_sess)
ret = -1;
- if (sa->is_outbound) {
+ if (sess->is_outbound) {
sa_dptr = plt_zmalloc(sizeof(struct roc_ot_ipsec_outb_sa), 8);
if (sa_dptr != NULL) {
roc_ot_ipsec_outb_sa_init(sa_dptr);
@@ -374,7 +371,7 @@ cn10k_sec_session_destroy(void *dev, struct rte_security_session *sec_sess)
static unsigned int
cn10k_sec_session_get_size(void *device __rte_unused)
{
- return sizeof(struct cn10k_sec_session);
+ return sizeof(struct cn10k_sec_session) - sizeof(struct rte_security_session);
}
static int
@@ -384,25 +381,23 @@ cn10k_sec_session_stats_get(void *device, struct rte_security_session *sess,
struct rte_cryptodev *crypto_dev = device;
struct roc_ot_ipsec_outb_sa *out_sa;
struct roc_ot_ipsec_inb_sa *in_sa;
- union roc_ot_ipsec_sa_word2 *w2;
struct cn10k_sec_session *priv;
struct cn10k_ipsec_sa *sa;
struct cnxk_cpt_qp *qp;
- priv = SECURITY_GET_SESS_PRIV(sess);
- if (priv == NULL)
+ if (unlikely(sess == NULL))
return -EINVAL;
+ priv = (struct cn10k_sec_session *)sess;
+
qp = crypto_dev->data->queue_pairs[0];
if (qp == NULL)
return -EINVAL;
- sa = &priv->sa;
- w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2;
-
stats->protocol = RTE_SECURITY_PROTOCOL_IPSEC;
+ sa = &priv->sa;
- if (w2->s.dir == ROC_IE_SA_DIR_OUTBOUND) {
+ if (priv->is_outbound) {
out_sa = &sa->out_sa;
roc_cpt_lf_ctx_flush(&qp->lf, out_sa, false);
rte_delay_ms(1);
@@ -448,8 +443,8 @@ cn10k_sec_session_update(void *device, struct rte_security_session *sess,
vf = crypto_dev->data->dev_private;
roc_cpt = &vf->cpt;
- return cn10k_ipsec_outb_sa_create(roc_cpt, &qp->lf, &conf->ipsec,
- conf->crypto_xform, sess);
+ return cn10k_ipsec_outb_sa_create(roc_cpt, &qp->lf, &conf->ipsec, conf->crypto_xform,
+ (struct cn10k_sec_session *)sess);
}
/* Update platform specific security ops */
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index 1c1d904799..044fe33046 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -6,6 +6,7 @@
#define __CN10K_IPSEC_H__
#include <rte_security.h>
+#include <rte_security_driver.h>
#include "roc_api.h"
@@ -14,6 +15,19 @@
typedef void *CN10K_SA_CONTEXT_MARKER[0];
struct cn10k_ipsec_sa {
+ union {
+ /** Inbound SA */
+ struct roc_ot_ipsec_inb_sa in_sa;
+ /** Outbound SA */
+ struct roc_ot_ipsec_outb_sa out_sa;
+ };
+} __rte_aligned(ROC_ALIGN);
+
+struct cn10k_sec_session {
+ struct rte_security_session rte_sess;
+
+ /** PMD private space */
+
/** Pre-populated CPT inst words */
struct cnxk_cpt_inst_tmpl inst;
uint16_t max_extended_len;
@@ -26,17 +40,6 @@ struct cn10k_ipsec_sa {
/**
* End of SW mutable area
*/
- CN10K_SA_CONTEXT_MARKER sw_area_end __rte_aligned(ROC_ALIGN);
-
- union {
- /** Inbound SA */
- struct roc_ot_ipsec_inb_sa in_sa;
- /** Outbound SA */
- struct roc_ot_ipsec_outb_sa out_sa;
- };
-} __rte_aligned(ROC_ALIGN);
-
-struct cn10k_sec_session {
struct cn10k_ipsec_sa sa;
} __rte_aligned(ROC_ALIGN);
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index 21502e0eb2..a75e88cb28 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -13,13 +13,12 @@
#include "cnxk_cryptodev.h"
static inline void
-ipsec_po_sa_iv_set(struct cn10k_ipsec_sa *sess, struct rte_crypto_op *cop)
+ipsec_po_sa_iv_set(struct cn10k_sec_session *sess, struct rte_crypto_op *cop)
{
- uint64_t *iv = &sess->out_sa.iv.u64[0];
+ uint64_t *iv = &sess->sa.out_sa.iv.u64[0];
uint64_t *tmp_iv;
- memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset),
- 16);
+ memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset), 16);
tmp_iv = (uint64_t *)iv;
*tmp_iv = rte_be_to_cpu_64(*tmp_iv);
@@ -28,28 +27,24 @@ ipsec_po_sa_iv_set(struct cn10k_ipsec_sa *sess, struct rte_crypto_op *cop)
}
static inline void
-ipsec_po_sa_aes_gcm_iv_set(struct cn10k_ipsec_sa *sess,
- struct rte_crypto_op *cop)
+ipsec_po_sa_aes_gcm_iv_set(struct cn10k_sec_session *sess, struct rte_crypto_op *cop)
{
- uint8_t *iv = &sess->out_sa.iv.s.iv_dbg1[0];
+ uint8_t *iv = &sess->sa.out_sa.iv.s.iv_dbg1[0];
uint32_t *tmp_iv;
- memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset),
- 4);
+ memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset), 4);
tmp_iv = (uint32_t *)iv;
*tmp_iv = rte_be_to_cpu_32(*tmp_iv);
- iv = &sess->out_sa.iv.s.iv_dbg2[0];
- memcpy(iv,
- rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset + 4),
- 4);
+ iv = &sess->sa.out_sa.iv.s.iv_dbg2[0];
+ memcpy(iv, rte_crypto_op_ctod_offset(cop, uint8_t *, sess->iv_offset + 4), 4);
tmp_iv = (uint32_t *)iv;
*tmp_iv = rte_be_to_cpu_32(*tmp_iv);
}
static __rte_always_inline int
-process_outb_sa(struct roc_cpt_lf *lf, struct rte_crypto_op *cop,
- struct cn10k_ipsec_sa *sess, struct cpt_inst_s *inst)
+process_outb_sa(struct roc_cpt_lf *lf, struct rte_crypto_op *cop, struct cn10k_sec_session *sess,
+ struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
@@ -64,17 +59,17 @@ process_outb_sa(struct roc_cpt_lf *lf, struct rte_crypto_op *cop,
RTE_SET_USED(lf);
#ifdef LA_IPSEC_DEBUG
- if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) {
- if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM ||
- sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM ||
- sess->out_sa.w2.s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC)
+ if (sess->sa.out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) {
+ if (sess->sa.out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM ||
+ sess->sa.out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM ||
+ sess->sa.out_sa.w2.s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC)
ipsec_po_sa_aes_gcm_iv_set(sess, cop);
else
ipsec_po_sa_iv_set(sess, cop);
}
/* Trigger CTX reload to fetch new data from DRAM */
- roc_cpt_lf_ctx_reload(lf, &sess->out_sa);
+ roc_cpt_lf_ctx_reload(lf, &sess->sa.out_sa);
rte_delay_ms(1);
#endif
@@ -94,15 +89,14 @@ process_outb_sa(struct roc_cpt_lf *lf, struct rte_crypto_op *cop,
}
static __rte_always_inline int
-process_inb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sa,
- struct cpt_inst_s *inst)
+process_inb_sa(struct rte_crypto_op *cop, struct cn10k_sec_session *sess, struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
uint64_t dptr;
/* Prepare CPT instruction */
- inst->w4.u64 = sa->inst.w4 | rte_pktmbuf_pkt_len(m_src);
+ inst->w4.u64 = sess->inst.w4 | rte_pktmbuf_pkt_len(m_src);
dptr = rte_pktmbuf_mtod(m_src, uint64_t);
inst->dptr = dptr;
inst->rptr = dptr;
--
2.25.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2 2/2] crypto/cnxk: fix failure from session rework
2022-10-12 12:10 ` [PATCH v2 1/2] crypto/cnxk: align HW accessible field to ROC align Anoob Joseph
@ 2022-10-12 12:10 ` Anoob Joseph
2022-10-12 19:03 ` Akhil Goyal
0 siblings, 1 reply; 5+ messages in thread
From: Anoob Joseph @ 2022-10-12 12:10 UTC (permalink / raw)
To: Akhil Goyal, Jerin Jacob; +Cc: Ankur Dwivedi, Tejasree Kondoj, dev
Post security session rework, CPTR got changed affecting cn9k IPsec
functionality. Address the same. Also, move all s/w accessible
fast path fields to rte_security_session cacheline for better perf.
Fixes: 3f3fc3308bd0 ("security: remove private mempool usage")
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
v2:
* Fixed debug build failure
drivers/crypto/cnxk/cn9k_cryptodev_ops.c | 46 +++++++---------
drivers/crypto/cnxk/cn9k_ipsec.c | 70 ++++++++++++------------
drivers/crypto/cnxk/cn9k_ipsec.h | 44 ++++++++-------
drivers/crypto/cnxk/cn9k_ipsec_la_ops.h | 35 ++++++------
4 files changed, 93 insertions(+), 102 deletions(-)
diff --git a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c
index 2ed298e01f..289601330e 100644
--- a/drivers/crypto/cnxk/cn9k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn9k_cryptodev_ops.c
@@ -23,12 +23,10 @@ cn9k_cpt_sec_inst_fill(struct rte_crypto_op *op,
struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = op->sym;
- struct cn9k_sec_session *priv;
- struct cn9k_ipsec_sa *sa;
+ struct cn9k_sec_session *sec_sess;
int ret;
- priv = SECURITY_GET_SESS_PRIV(op->sym->session);
- sa = &priv->sa;
+ sec_sess = (struct cn9k_sec_session *)(op->sym->session);
if (unlikely(sym_op->m_dst && sym_op->m_dst != sym_op->m_src)) {
plt_dp_err("Out of place is not supported");
@@ -40,12 +38,12 @@ cn9k_cpt_sec_inst_fill(struct rte_crypto_op *op,
return -ENOTSUP;
}
- if (sa->dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
- ret = process_outb_sa(op, sa, inst);
+ if (sec_sess->is_outbound)
+ ret = process_outb_sa(op, sec_sess, inst);
else {
infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND;
- process_inb_sa(op, sa, inst);
- if (unlikely(sa->replay_win_sz))
+ process_inb_sa(op, sec_sess, inst);
+ if (unlikely(sec_sess->replay_win_sz))
infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_INB_REPLAY;
ret = 0;
}
@@ -335,12 +333,10 @@ cn9k_cpt_crypto_adapter_ev_mdata_set(struct rte_cryptodev *dev __rte_unused,
if (op_type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
if (sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
struct cn9k_sec_session *priv;
- struct cn9k_ipsec_sa *sa;
- priv = SECURITY_GET_SESS_PRIV(sess);
- sa = &priv->sa;
- sa->qp = qp;
- sa->inst.w2 = w2;
+ priv = (struct cn9k_sec_session *)sess;
+ priv->qp = qp;
+ priv->inst.w2 = w2;
} else if (sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
struct cnxk_se_sess *priv;
@@ -372,12 +368,10 @@ cn9k_ca_meta_info_extract(struct rte_crypto_op *op,
if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
struct cn9k_sec_session *priv;
- struct cn9k_ipsec_sa *sa;
- priv = SECURITY_GET_SESS_PRIV(op->sym->session);
- sa = &priv->sa;
- *qp = sa->qp;
- inst->w2.u64 = sa->inst.w2;
+ priv = (struct cn9k_sec_session *)(op->sym->session);
+ *qp = priv->qp;
+ inst->w2.u64 = priv->inst.w2;
} else if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
struct cnxk_se_sess *priv;
@@ -480,7 +474,8 @@ cn9k_cpt_crypto_adapter_enqueue(uintptr_t base, struct rte_crypto_op *op)
}
static inline int
-ipsec_antireplay_check(struct cn9k_ipsec_sa *sa, uint32_t win_sz, struct roc_ie_on_inb_hdr *data)
+ipsec_antireplay_check(struct cn9k_sec_session *sess, uint32_t win_sz,
+ struct roc_ie_on_inb_hdr *data)
{
uint32_t esn_low, esn_hi, seql, seqh = 0;
struct roc_ie_on_common_sa *common_sa;
@@ -489,7 +484,7 @@ ipsec_antireplay_check(struct cn9k_ipsec_sa *sa, uint32_t win_sz, struct roc_ie_
uint8_t esn;
int ret;
- in_sa = &sa->in_sa;
+ in_sa = &sess->sa.in_sa;
common_sa = &in_sa->common_sa;
esn = common_sa->ctl.esn_en;
@@ -505,7 +500,7 @@ ipsec_antireplay_check(struct cn9k_ipsec_sa *sa, uint32_t win_sz, struct roc_ie_
if (unlikely(seq == 0))
return IPSEC_ANTI_REPLAY_FAILED;
- ret = cnxk_on_anti_replay_check(seq, &sa->ar, win_sz);
+ ret = cnxk_on_anti_replay_check(seq, &sess->ar, win_sz);
if (esn && !ret) {
esn_low = rte_be_to_cpu_32(common_sa->seq_t.tl);
esn_hi = rte_be_to_cpu_32(common_sa->seq_t.th);
@@ -526,7 +521,6 @@ cn9k_cpt_sec_post_process(struct rte_crypto_op *cop,
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m = sym_op->m_src;
struct cn9k_sec_session *priv;
- struct cn9k_ipsec_sa *sa;
struct rte_ipv6_hdr *ip6;
struct rte_ipv4_hdr *ip;
uint16_t m_len = 0;
@@ -539,12 +533,10 @@ cn9k_cpt_sec_post_process(struct rte_crypto_op *cop,
CPT_OP_FLAGS_IPSEC_INB_REPLAY)) {
int ret;
- priv = SECURITY_GET_SESS_PRIV(sym_op->session);
- sa = &priv->sa;
+ priv = (struct cn9k_sec_session *)(sym_op->session);
- ret = ipsec_antireplay_check(
- sa, sa->replay_win_sz,
- (struct roc_ie_on_inb_hdr *)data);
+ ret = ipsec_antireplay_check(priv, priv->replay_win_sz,
+ (struct roc_ie_on_inb_hdr *)data);
if (unlikely(ret)) {
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
return;
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index b56843f49b..5f3a74107b 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -32,38 +32,39 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
uint8_t egrp;
int ret;
- sess = SECURITY_GET_SESS_PRIV(sec_sess);
+ sess = (struct cn9k_sec_session *)sec_sess;
sa = &sess->sa;
+ /* Initialize lookaside IPsec private data */
+
memset(sa, 0, sizeof(struct cn9k_ipsec_sa));
- /* Initialize lookaside IPsec private data */
- sa->dir = RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
+ sess->is_outbound = 1;
if (ipsec->esn.value)
- sa->esn = ipsec->esn.value - 1;
+ sess->esn = ipsec->esn.value - 1;
- ret = cnxk_ipsec_outb_rlens_get(&sa->rlens, ipsec, crypto_xform);
+ ret = cnxk_ipsec_outb_rlens_get(&sess->rlens, ipsec, crypto_xform);
if (ret)
return ret;
- sa->custom_hdr_len =
+ sess->custom_hdr_len =
sizeof(struct roc_ie_on_outb_hdr) - ROC_IE_ON_MAX_IV_LEN;
#ifdef LA_IPSEC_DEBUG
/* Use IV from application in debug mode */
if (ipsec->options.iv_gen_disable == 1) {
- sa->custom_hdr_len = sizeof(struct roc_ie_on_outb_hdr);
+ sess->custom_hdr_len = sizeof(struct roc_ie_on_outb_hdr);
if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
- sa->cipher_iv_off = crypto_xform->aead.iv.offset;
- sa->cipher_iv_len = crypto_xform->aead.iv.length;
+ sess->cipher_iv_off = crypto_xform->aead.iv.offset;
+ sess->cipher_iv_len = crypto_xform->aead.iv.length;
} else if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
- sa->cipher_iv_off = crypto_xform->cipher.iv.offset;
- sa->cipher_iv_len = crypto_xform->cipher.iv.length;
+ sess->cipher_iv_off = crypto_xform->cipher.iv.offset;
+ sess->cipher_iv_len = crypto_xform->cipher.iv.length;
} else {
- sa->cipher_iv_off = crypto_xform->auth.iv.offset;
- sa->cipher_iv_len = crypto_xform->auth.iv.length;
+ sess->cipher_iv_off = crypto_xform->auth.iv.offset;
+ sess->cipher_iv_len = crypto_xform->auth.iv.length;
}
}
#else
@@ -80,8 +81,7 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
ctx_len = ret;
egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];
- ret = roc_on_cpt_ctx_write(&qp->lf, SECURITY_GET_SESS_PRIV_IOVA(sec_sess),
- false, ctx_len, egrp);
+ ret = roc_on_cpt_ctx_write(&qp->lf, (uintptr_t)sa, false, ctx_len, egrp);
if (ret)
return ret;
@@ -108,9 +108,9 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
w7.u64 = 0;
w7.s.egrp = egrp;
- w7.s.cptr = SECURITY_GET_SESS_PRIV_IOVA(sec_sess);
+ w7.s.cptr = (uintptr_t)&sess->sa;
- inst_tmpl = &sa->inst;
+ inst_tmpl = &sess->inst;
inst_tmpl->w4 = w4.u64;
inst_tmpl->w7 = w7.u64;
@@ -134,31 +134,30 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
uint8_t egrp;
int ret = 0;
- sess = SECURITY_GET_SESS_PRIV(sec_sess);
+ sess = (struct cn9k_sec_session *)sec_sess;
sa = &sess->sa;
memset(sa, 0, sizeof(struct cn9k_ipsec_sa));
- sa->dir = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
- sa->replay_win_sz = ipsec->replay_win_sz;
+ sess->is_outbound = 0;
+ sess->replay_win_sz = ipsec->replay_win_sz;
- if (sa->replay_win_sz) {
- if (sa->replay_win_sz > CNXK_ON_AR_WIN_SIZE_MAX) {
- plt_err("Replay window size:%u is not supported",
- sa->replay_win_sz);
+ if (sess->replay_win_sz) {
+ if (sess->replay_win_sz > CNXK_ON_AR_WIN_SIZE_MAX) {
+ plt_err("Replay window size:%u is not supported", sess->replay_win_sz);
return -ENOTSUP;
}
/* Set window bottom to 1, base and top to size of window */
- sa->ar.winb = 1;
- sa->ar.wint = sa->replay_win_sz;
- sa->ar.base = sa->replay_win_sz;
+ sess->ar.winb = 1;
+ sess->ar.wint = sess->replay_win_sz;
+ sess->ar.base = sess->replay_win_sz;
- sa->seq_lo = ipsec->esn.low;
- sa->seq_hi = ipsec->esn.hi;
+ sess->seq_lo = ipsec->esn.low;
+ sess->seq_hi = ipsec->esn.hi;
- sa->in_sa.common_sa.seq_t.tl = sa->seq_lo;
- sa->in_sa.common_sa.seq_t.th = sa->seq_hi;
+ sess->sa.in_sa.common_sa.seq_t.tl = sess->seq_lo;
+ sess->sa.in_sa.common_sa.seq_t.th = sess->seq_hi;
}
ret = cnxk_on_ipsec_inb_sa_create(ipsec, crypto_xform, &sa->in_sa);
@@ -166,12 +165,11 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
return ret;
if (sa->in_sa.common_sa.ctl.esn_en)
- sa->esn_en = 1;
+ sess->esn_en = 1;
ctx_len = ret;
egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];
- ret = roc_on_cpt_ctx_write(&qp->lf, SECURITY_GET_SESS_PRIV_IOVA(sec_sess),
- true, ctx_len, egrp);
+ ret = roc_on_cpt_ctx_write(&qp->lf, (uint64_t)sa, true, ctx_len, egrp);
if (ret)
return ret;
@@ -184,9 +182,9 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
w4.s.param2 = param2.u16;
w7.s.egrp = egrp;
- w7.s.cptr = SECURITY_GET_SESS_PRIV_IOVA(sec_sess);
+ w7.s.cptr = (uintptr_t)&sess->sa;
- inst_tmpl = &sa->inst;
+ inst_tmpl = &sess->inst;
inst_tmpl->w4 = w4.u64;
inst_tmpl->w7 = w7.u64;
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.h b/drivers/crypto/cnxk/cn9k_ipsec.h
index bed5976096..1ea946afd8 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.h
+++ b/drivers/crypto/cnxk/cn9k_ipsec.h
@@ -5,6 +5,8 @@
#ifndef __CN9K_IPSEC_H__
#define __CN9K_IPSEC_H__
+#include <rte_security_driver.h>
+
#include "cnxk_ipsec.h"
#include "cnxk_security.h"
#include "cnxk_security_ar.h"
@@ -16,40 +18,42 @@ struct cn9k_ipsec_sa {
/** Outbound SA */
struct roc_ie_on_outb_sa out_sa;
};
+} __rte_aligned(8);
+
+struct cn9k_sec_session {
+ struct rte_security_session rte_sess;
+
+ /** PMD private space */
+
+ /** ESN */
+ union {
+ uint64_t esn;
+ struct {
+ uint32_t seq_lo;
+ uint32_t seq_hi;
+ };
+ };
/** IPsec SA direction */
- enum rte_security_ipsec_sa_direction dir;
+ uint8_t is_outbound;
+ /* ESN enable flag */
+ uint8_t esn_en;
/** Pre-populated CPT inst words */
struct cnxk_cpt_inst_tmpl inst;
+ /** Response length calculation data */
+ struct cnxk_ipsec_outb_rlens rlens;
+ /** Anti replay window size */
+ uint32_t replay_win_sz;
/** Cipher IV offset in bytes */
uint16_t cipher_iv_off;
/** Cipher IV length in bytes */
uint8_t cipher_iv_len;
/** Outbound custom header length */
uint8_t custom_hdr_len;
- /** Response length calculation data */
- struct cnxk_ipsec_outb_rlens rlens;
- /** ESN */
- union {
- uint64_t esn;
- struct {
- uint32_t seq_lo;
- uint32_t seq_hi;
- };
- };
/** Anti replay */
struct cnxk_on_ipsec_ar ar;
- /** Anti replay window size */
- uint32_t replay_win_sz;
- /*
- * ESN enable flag. Copy of in_sa ctl.esn_en to have single cache line
- * access in the non-esn fastpath.
- */
- uint8_t esn_en;
/** Queue pair */
struct cnxk_cpt_qp *qp;
-};
-struct cn9k_sec_session {
struct cn9k_ipsec_sa sa;
} __rte_cache_aligned;
diff --git a/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
index 8b68e4c728..8b4e636c70 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
@@ -13,21 +13,20 @@
#include "cnxk_security_ar.h"
static __rte_always_inline int32_t
-ipsec_po_out_rlen_get(struct cn9k_ipsec_sa *sa, uint32_t plen)
+ipsec_po_out_rlen_get(struct cn9k_sec_session *sess, uint32_t plen)
{
uint32_t enc_payload_len;
- enc_payload_len = RTE_ALIGN_CEIL(plen + sa->rlens.roundup_len,
- sa->rlens.roundup_byte);
+ enc_payload_len = RTE_ALIGN_CEIL(plen + sess->rlens.roundup_len,
+ sess->rlens.roundup_byte);
- return sa->custom_hdr_len + sa->rlens.partial_len + enc_payload_len;
+ return sess->custom_hdr_len + sess->rlens.partial_len + enc_payload_len;
}
static __rte_always_inline int
-process_outb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
- struct cpt_inst_s *inst)
+process_outb_sa(struct rte_crypto_op *cop, struct cn9k_sec_session *sess, struct cpt_inst_s *inst)
{
- const unsigned int hdr_len = sa->custom_hdr_len;
+ const unsigned int hdr_len = sess->custom_hdr_len;
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
uint32_t dlen, rlen, pkt_len, seq_lo;
@@ -38,7 +37,7 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
pkt_len = rte_pktmbuf_pkt_len(m_src);
dlen = pkt_len + hdr_len;
- rlen = ipsec_po_out_rlen_get(sa, pkt_len);
+ rlen = ipsec_po_out_rlen_get(sess, pkt_len);
extend_tail = rlen - dlen;
if (unlikely(extend_tail > rte_pktmbuf_tailroom(m_src))) {
@@ -61,15 +60,14 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
hdr = PLT_PTR_ADD(m_src->buf_addr, data_off - hdr_len);
#ifdef LA_IPSEC_DEBUG
- if (sa->inst.w4 & ROC_IE_ON_PER_PKT_IV) {
+ if (sess->inst.w4 & ROC_IE_ON_PER_PKT_IV) {
memcpy(&hdr->iv[0],
- rte_crypto_op_ctod_offset(cop, uint8_t *,
- sa->cipher_iv_off),
- sa->cipher_iv_len);
+ rte_crypto_op_ctod_offset(cop, uint8_t *, sess->cipher_iv_off),
+ sess->cipher_iv_len);
}
#endif
- esn = ++sa->esn;
+ esn = ++sess->esn;
/* Set ESN seq hi */
hdr->esn = rte_cpu_to_be_32(esn >> 32);
@@ -82,24 +80,23 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
hdr->ip_id = seq_lo;
/* Prepare CPT instruction */
- inst->w4.u64 = sa->inst.w4 | dlen;
+ inst->w4.u64 = sess->inst.w4 | dlen;
inst->dptr = PLT_U64_CAST(hdr);
inst->rptr = PLT_U64_CAST(hdr);
- inst->w7.u64 = sa->inst.w7;
+ inst->w7.u64 = sess->inst.w7;
return 0;
}
static __rte_always_inline void
-process_inb_sa(struct rte_crypto_op *cop, struct cn9k_ipsec_sa *sa,
- struct cpt_inst_s *inst)
+process_inb_sa(struct rte_crypto_op *cop, struct cn9k_sec_session *sess, struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
/* Prepare CPT instruction */
- inst->w4.u64 = sa->inst.w4 | rte_pktmbuf_pkt_len(m_src);
+ inst->w4.u64 = sess->inst.w4 | rte_pktmbuf_pkt_len(m_src);
inst->dptr = inst->rptr = rte_pktmbuf_mtod(m_src, uint64_t);
- inst->w7.u64 = sa->inst.w7;
+ inst->w7.u64 = sess->inst.w7;
}
#endif /* __CN9K_IPSEC_LA_OPS_H__ */
--
2.25.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: [PATCH v2 2/2] crypto/cnxk: fix failure from session rework
2022-10-12 12:10 ` [PATCH v2 2/2] crypto/cnxk: fix failure from session rework Anoob Joseph
@ 2022-10-12 19:03 ` Akhil Goyal
0 siblings, 0 replies; 5+ messages in thread
From: Akhil Goyal @ 2022-10-12 19:03 UTC (permalink / raw)
To: Anoob Joseph, Jerin Jacob Kollanukkaran
Cc: Ankur Dwivedi, Tejasree Kondoj, dev
> Subject: [PATCH v2 2/2] crypto/cnxk: fix failure from session rework
>
> Post security session rework, CPTR got changed affecting cn9k IPsec
> functionality. Address the same. Also, move all s/w accessible
> fast path fields to rte_security_session cacheline for better perf.
>
> Fixes: 3f3fc3308bd0 ("security: remove private mempool usage")
>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> ---
Series Acked-by: Akhil Goyal <gakhil@marvell.com>
Applied to dpdk-next-crypto
Thanks.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-10-12 19:03 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-12 6:04 [PATCH 1/2] crypto/cnxk: align HW accessible field to ROC align Anoob Joseph
2022-10-12 6:04 ` [PATCH 2/2] crypto/cnxk: fix failure from session rework Anoob Joseph
2022-10-12 12:10 ` [PATCH v2 1/2] crypto/cnxk: align HW accessible field to ROC align Anoob Joseph
2022-10-12 12:10 ` [PATCH v2 2/2] crypto/cnxk: fix failure from session rework Anoob Joseph
2022-10-12 19:03 ` Akhil Goyal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).