From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 7601842641; Tue, 26 Sep 2023 10:09:16 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 92B9040685; Tue, 26 Sep 2023 10:09:10 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 472F8402E2 for ; Tue, 26 Sep 2023 10:09:07 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 38PNnVUG021747; Tue, 26 Sep 2023 01:09:01 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=t5QVdsG8pQwNi2oASxQHzQ7D0By6jFgw4pXeeyr6YrE=; b=Ux7v4FIa3J6kUabp1eoV2qFbMMVckQVhqQaZhJLPc9Da7GbyZE5t79mYACJ3u7mRpjjs WafJeIQZXDkNuQ2EDIv2wgC3dCBh6l3MCHacqGl9NXwoeOC0RSeysaC6AwoMao7E3e/P +zh1kJuwKPo0h6ZITrtNRgGNIx1QVTsPaU+rXu7ms36cZ7ZLte2SzoIVMnkBdKWlJBtQ VG9C2KDkX4/SYMkPECHq9xozVU6+fRYMEwEBlP6HktWh/qNDbffIqMgoBmaMhaoSFQik vWRMivsRXgro4wpo619eo3y4pSTLb0KiwIthooPyyURgoB0gv5SjrGWesk5IMdKAamgN 6w== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3t9wcqresn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 26 Sep 2023 01:09:01 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Tue, 26 Sep 2023 01:08:59 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.48 via Frontend Transport; Tue, 26 Sep 2023 01:08:59 -0700 Received: from localhost.localdomain (unknown [10.28.36.102]) by maili.marvell.com (Postfix) with ESMTP id C30683F7053; Tue, 26 Sep 2023 01:08:52 -0700 (PDT) From: Akhil Goyal To: CC: , , , , , , , , , , , , , , , , , , , Akhil Goyal Subject: [PATCH v4] security: hide security context Date: Tue, 26 Sep 2023 13:38:50 +0530 Message-ID: <20230926080850.4016718-1-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230926071953.3958515-1-gakhil@marvell.com> References: <20230926071953.3958515-1-gakhil@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-ORIG-GUID: IHznBzhw5gpdaTA8rRTJEVw-ZQzD4pUh X-Proofpoint-GUID: IHznBzhw5gpdaTA8rRTJEVw-ZQzD4pUh X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.267,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-09-26_06,2023-09-25_01,2023-05-22_02 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org rte_security_ctx is used by all security APIs to identify which device security_op it need to call and hence it should be opaque to the application. Hence, it is now moved to internal header file and all APIs will now take an opaque pointer for it. The fast path inline APIs like set metadata need to get flags from security_ctx. The flags are now retrieved using inline APIs which use macros to get the offset of flags in security_ctx. Signed-off-by: Akhil Goyal Acked-by: Ciara Power --- Changes in v4: Updated rte_security doc. Changes in v3: Updated release notes and removed deprecation notice. Changes in v2: Rebased. app/test-crypto-perf/cperf_ops.c | 9 +-- app/test-crypto-perf/cperf_test_latency.c | 3 +- .../cperf_test_pmd_cyclecount.c | 8 +- app/test-crypto-perf/cperf_test_throughput.c | 9 +-- app/test-crypto-perf/cperf_test_verify.c | 4 +- app/test-security-perf/test_security_perf.c | 2 +- app/test/test_cryptodev.c | 22 ++---- app/test/test_cryptodev_security_ipsec.c | 2 +- app/test/test_cryptodev_security_ipsec.h | 2 +- app/test/test_security_inline_macsec.c | 10 +-- app/test/test_security_inline_proto.c | 14 ++-- doc/guides/prog_guide/rte_security.rst | 2 +- doc/guides/rel_notes/deprecation.rst | 3 - doc/guides/rel_notes/release_23_11.rst | 3 + examples/ipsec-secgw/ipsec-secgw.c | 2 +- examples/ipsec-secgw/ipsec.c | 15 ++-- examples/ipsec-secgw/ipsec.h | 2 +- examples/ipsec-secgw/ipsec_worker.c | 2 +- examples/ipsec-secgw/ipsec_worker.h | 4 +- lib/security/rte_security.c | 61 +++++++++------ lib/security/rte_security.h | 77 +++++++++---------- lib/security/rte_security_driver.h | 24 ++++++ 22 files changed, 144 insertions(+), 136 deletions(-) diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c index 93b9bfb240..84945d1313 100644 --- a/app/test-crypto-perf/cperf_ops.c +++ b/app/test-crypto-perf/cperf_ops.c @@ -749,8 +749,7 @@ create_ipsec_session(struct rte_mempool *sess_mp, else sess_conf.ipsec.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx(dev_id); + void *ctx = rte_cryptodev_get_sec_ctx(dev_id); /* Create security session */ return (void *)rte_security_session_create(ctx, &sess_conf, sess_mp); @@ -853,8 +852,7 @@ cperf_create_session(struct rte_mempool *sess_mp, .crypto_xform = &cipher_xform }; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx(dev_id); + void *ctx = rte_cryptodev_get_sec_ctx(dev_id); /* Create security session */ return (void *)rte_security_session_create(ctx, &sess_conf, sess_mp); @@ -901,8 +899,7 @@ cperf_create_session(struct rte_mempool *sess_mp, } }, .crypto_xform = &cipher_xform }; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx(dev_id); + void *ctx = rte_cryptodev_get_sec_ctx(dev_id); /* Create security session */ return (void *)rte_security_session_create(ctx, &sess_conf, sess_mp); diff --git a/app/test-crypto-perf/cperf_test_latency.c b/app/test-crypto-perf/cperf_test_latency.c index f1676a9aa9..484bc9eb4e 100644 --- a/app/test-crypto-perf/cperf_test_latency.c +++ b/app/test-crypto-perf/cperf_test_latency.c @@ -53,8 +53,7 @@ cperf_latency_test_free(struct cperf_latency_ctx *ctx) else if (ctx->options->op_type == CPERF_PDCP || ctx->options->op_type == CPERF_DOCSIS || ctx->options->op_type == CPERF_IPSEC) { - struct rte_security_ctx *sec_ctx = - rte_cryptodev_get_sec_ctx(ctx->dev_id); + void *sec_ctx = rte_cryptodev_get_sec_ctx(ctx->dev_id); rte_security_session_destroy(sec_ctx, ctx->sess); } #endif diff --git a/app/test-crypto-perf/cperf_test_pmd_cyclecount.c b/app/test-crypto-perf/cperf_test_pmd_cyclecount.c index 0307e82996..4a60f6d558 100644 --- a/app/test-crypto-perf/cperf_test_pmd_cyclecount.c +++ b/app/test-crypto-perf/cperf_test_pmd_cyclecount.c @@ -67,11 +67,9 @@ cperf_pmd_cyclecount_test_free(struct cperf_pmd_cyclecount_ctx *ctx) #ifdef RTE_LIB_SECURITY if (ctx->options->op_type == CPERF_PDCP || ctx->options->op_type == CPERF_DOCSIS) { - struct rte_security_ctx *sec_ctx = - (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx(ctx->dev_id); - rte_security_session_destroy(sec_ctx, - (void *)ctx->sess); + void *sec_ctx = rte_cryptodev_get_sec_ctx(ctx->dev_id); + + rte_security_session_destroy(sec_ctx, (void *)ctx->sess); } else #endif rte_cryptodev_sym_session_free(ctx->dev_id, ctx->sess); diff --git a/app/test-crypto-perf/cperf_test_throughput.c b/app/test-crypto-perf/cperf_test_throughput.c index e892a70699..f8f8bd717f 100644 --- a/app/test-crypto-perf/cperf_test_throughput.c +++ b/app/test-crypto-perf/cperf_test_throughput.c @@ -44,12 +44,9 @@ cperf_throughput_test_free(struct cperf_throughput_ctx *ctx) else if (ctx->options->op_type == CPERF_PDCP || ctx->options->op_type == CPERF_DOCSIS || ctx->options->op_type == CPERF_IPSEC) { - struct rte_security_ctx *sec_ctx = - (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx(ctx->dev_id); - rte_security_session_destroy( - sec_ctx, - (void *)ctx->sess); + void *sec_ctx = rte_cryptodev_get_sec_ctx(ctx->dev_id); + + rte_security_session_destroy(sec_ctx, (void *)ctx->sess); } #endif else diff --git a/app/test-crypto-perf/cperf_test_verify.c b/app/test-crypto-perf/cperf_test_verify.c index 8042c94e04..a6c0ffe813 100644 --- a/app/test-crypto-perf/cperf_test_verify.c +++ b/app/test-crypto-perf/cperf_test_verify.c @@ -48,8 +48,8 @@ cperf_verify_test_free(struct cperf_verify_ctx *ctx) else if (ctx->options->op_type == CPERF_PDCP || ctx->options->op_type == CPERF_DOCSIS || ctx->options->op_type == CPERF_IPSEC) { - struct rte_security_ctx *sec_ctx = - rte_cryptodev_get_sec_ctx(ctx->dev_id); + void *sec_ctx = rte_cryptodev_get_sec_ctx(ctx->dev_id); + rte_security_session_destroy(sec_ctx, ctx->sess); } #endif diff --git a/app/test-security-perf/test_security_perf.c b/app/test-security-perf/test_security_perf.c index 9bb50689e3..4dfaca4800 100644 --- a/app/test-security-perf/test_security_perf.c +++ b/app/test-security-perf/test_security_perf.c @@ -344,7 +344,7 @@ test_security_session_perf(void *arg) struct rte_security_session_conf sess_conf; int i, ret, nb_sessions, nb_sess_total; struct rte_security_session **sess; - struct rte_security_ctx *sec_ctx; + void *sec_ctx; double setup_rate, destroy_rate; uint64_t setup_ms, destroy_ms; struct lcore_conf *conf = arg; diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 3a51a5d00f..fcac108511 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -8931,9 +8931,7 @@ security_proto_supported(enum rte_security_session_action_type action, const struct rte_security_capability *capability; uint16_t i = 0; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx( - ts_params->valid_devs[0]); + void *ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); capabilities = rte_security_capabilities_get(ctx); @@ -8973,9 +8971,7 @@ static int test_pdcp_proto(int i, int oop, enum rte_crypto_cipher_operation opc, struct crypto_unittest_params *ut_params = &unittest_params; uint8_t *plaintext; int ret = TEST_SUCCESS; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx( - ts_params->valid_devs[0]); + void *ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); struct rte_cryptodev_info dev_info; uint64_t feat_flags; @@ -9180,9 +9176,7 @@ test_pdcp_proto_SGL(int i, int oop, unsigned int trn_data = 0; struct rte_cryptodev_info dev_info; uint64_t feat_flags; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx( - ts_params->valid_devs[0]); + void *ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); struct rte_mbuf *temp_mbuf; rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info); @@ -9905,7 +9899,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], struct ipsec_test_data *res_d_tmp = NULL; uint8_t input_text[IPSEC_TEXT_MAX_LEN]; int salt_len, i, ret = TEST_SUCCESS; - struct rte_security_ctx *ctx; + void *ctx; uint32_t src, dst; uint32_t verify; @@ -11088,9 +11082,7 @@ test_docsis_proto_uplink(const void *data) uint32_t crc_data_len; int ret = TEST_SUCCESS; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx( - ts_params->valid_devs[0]); + void *ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); /* Verify the capabilities */ struct rte_security_capability_idx sec_cap_idx; @@ -11272,9 +11264,7 @@ test_docsis_proto_downlink(const void *data) int32_t cipher_len, crc_len; int ret = TEST_SUCCESS; - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx( - ts_params->valid_devs[0]); + void *ctx = rte_cryptodev_get_sec_ctx(ts_params->valid_devs[0]); /* Verify the capabilities */ struct rte_security_capability_idx sec_cap_idx; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index be9e246bfe..205714b270 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -1249,7 +1249,7 @@ test_ipsec_status_check(const struct ipsec_test_data *td, } int -test_ipsec_stats_verify(struct rte_security_ctx *ctx, +test_ipsec_stats_verify(void *ctx, void *sess, const struct ipsec_test_flags *flags, enum rte_security_ipsec_sa_direction dir) diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index e7903e9334..8587fc4577 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -302,7 +302,7 @@ int test_ipsec_status_check(const struct ipsec_test_data *td, enum rte_security_ipsec_sa_direction dir, int pkt_num); -int test_ipsec_stats_verify(struct rte_security_ctx *ctx, +int test_ipsec_stats_verify(void *ctx, void *sess, const struct ipsec_test_flags *flags, enum rte_security_ipsec_sa_direction dir); diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c index 40fdfda942..59b1b8a6a6 100644 --- a/app/test/test_security_inline_macsec.c +++ b/app/test/test_security_inline_macsec.c @@ -136,7 +136,7 @@ init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len) static int init_mempools(unsigned int nb_mbuf) { - struct rte_security_ctx *sec_ctx; + void *sec_ctx; uint16_t nb_sess = 512; uint32_t sess_sz; char s[64]; @@ -482,7 +482,7 @@ test_macsec_post_process(struct rte_mbuf *m, const struct mcs_test_vector *td, } static void -mcs_stats_dump(struct rte_security_ctx *ctx, enum mcs_op op, +mcs_stats_dump(void *ctx, enum mcs_op op, void *rx_sess, void *tx_sess, uint8_t rx_sc_id, uint8_t tx_sc_id, uint16_t rx_sa_id[], uint16_t tx_sa_id[]) @@ -667,7 +667,7 @@ mcs_stats_dump(struct rte_security_ctx *ctx, enum mcs_op op, } static int -mcs_stats_check(struct rte_security_ctx *ctx, enum mcs_op op, +mcs_stats_check(void *ctx, enum mcs_op op, const struct mcs_test_opts *opts, const struct mcs_test_vector *td, void *rx_sess, void *tx_sess, @@ -900,7 +900,7 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs struct rte_security_macsec_sa sa_conf = {0}; struct rte_security_macsec_sc sc_conf = {0}; struct mcs_err_vector err_vector = {0}; - struct rte_security_ctx *ctx; + void *ctx; int nb_rx = 0, nb_sent; int i, j = 0, ret, id, an = 0; uint8_t tci_off; @@ -908,7 +908,7 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * opts->nb_td); - ctx = (struct rte_security_ctx *)rte_eth_dev_get_sec_ctx(port_id); + ctx = rte_eth_dev_get_sec_ctx(port_id); if (ctx == NULL) { printf("Ethernet device doesn't support security features.\n"); return TEST_SKIPPED; diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c index 33eb1dd201..78a2064b65 100644 --- a/app/test/test_security_inline_proto.c +++ b/app/test/test_security_inline_proto.c @@ -136,7 +136,7 @@ static struct rte_flow *default_flow[RTE_MAX_ETHPORTS]; /* Create Inline IPsec session */ static int create_inline_ipsec_session(struct ipsec_test_data *sa, uint16_t portid, - void **sess, struct rte_security_ctx **ctx, + void **sess, void **ctx, uint32_t *ol_flags, const struct ipsec_test_flags *flags, struct rte_security_session_conf *sess_conf) { @@ -149,7 +149,7 @@ create_inline_ipsec_session(struct ipsec_test_data *sa, uint16_t portid, struct rte_security_capability_idx sec_cap_idx; const struct rte_security_capability *sec_cap; enum rte_security_ipsec_sa_direction dir; - struct rte_security_ctx *sec_ctx; + void *sec_ctx; uint32_t verify; sess_conf->action_type = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL; @@ -221,7 +221,7 @@ create_inline_ipsec_session(struct ipsec_test_data *sa, uint16_t portid, sess_conf->userdata = (void *) sa; - sec_ctx = (struct rte_security_ctx *)rte_eth_dev_get_sec_ctx(portid); + sec_ctx = rte_eth_dev_get_sec_ctx(portid); if (sec_ctx == NULL) { printf("Ethernet device doesn't support security features.\n"); return TEST_SKIPPED; @@ -503,7 +503,7 @@ init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len, bool static int init_mempools(unsigned int nb_mbuf) { - struct rte_security_ctx *sec_ctx; + void *sec_ctx; uint16_t nb_sess = 512; uint32_t sess_sz; char s[64]; @@ -846,7 +846,7 @@ test_ipsec_with_reassembly(struct reassembly_vector *vector, struct rte_crypto_sym_xform auth_in = {0}; struct rte_crypto_sym_xform aead_in = {0}; struct ipsec_test_data sa_data; - struct rte_security_ctx *ctx; + void *ctx; unsigned int i, nb_rx = 0, j; uint32_t ol_flags; bool outer_ipv4; @@ -1113,7 +1113,7 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td, struct rte_crypto_sym_xform auth = {0}; struct rte_crypto_sym_xform aead = {0}; struct sa_expiry_vector vector = {0}; - struct rte_security_ctx *ctx; + void *ctx; int nb_rx = 0, nb_sent; uint32_t ol_flags; int i, j = 0, ret; @@ -1398,7 +1398,7 @@ test_ipsec_inline_proto_process_with_esn(struct ipsec_test_data td[], struct rte_mbuf *tx_pkt = NULL; int nb_rx, nb_sent; void *ses; - struct rte_security_ctx *ctx; + void *ctx; uint32_t ol_flags; bool outer_ipv4; int i, ret; diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst index b4db4a7bfd..ad8c6374bd 100644 --- a/doc/guides/prog_guide/rte_security.rst +++ b/doc/guides/prog_guide/rte_security.rst @@ -637,7 +637,7 @@ And the session mempool object size should be enough to accommodate Once the session mempools have been created, ``rte_security_session_create()`` is used to allocate and initialize a session for the required crypto/ethernet device. -Session APIs need a parameter ``rte_security_ctx`` to identify the crypto/ethernet +Session APIs need an opaque handle to identify the crypto/ethernet security ops. This parameter can be retrieved using the APIs ``rte_cryptodev_get_sec_ctx()`` (for crypto device) or ``rte_eth_dev_get_sec_ctx`` (for ethernet port). diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst index 4ec4953f6e..c776efebd9 100644 --- a/doc/guides/rel_notes/deprecation.rst +++ b/doc/guides/rel_notes/deprecation.rst @@ -139,9 +139,6 @@ Deprecation Notices which got error interrupt to the application, so that application can reset that particular queue pair. -* security: Hide structures ``rte_security_ops`` and ``rte_security_ctx`` - as these are internal to DPDK library and drivers. - * eventdev: The single-event (non-burst) enqueue and dequeue operations, used by static inline burst enqueue and dequeue functions in ``rte_eventdev.h``, will be removed in DPDK 23.11. diff --git a/doc/guides/rel_notes/release_23_11.rst b/doc/guides/rel_notes/release_23_11.rst index d0bfb7f5d2..250735efa9 100644 --- a/doc/guides/rel_notes/release_23_11.rst +++ b/doc/guides/rel_notes/release_23_11.rst @@ -144,6 +144,9 @@ API Changes except ``rte_thread_setname()`` and ``rte_ctrl_thread_create()`` which are replaced with ``rte_thread_set_name()`` and ``rte_thread_create_control()``. +* security: Structures ``rte_security_ops`` and ``rte_security_ctx`` were moved to + internal library headers not visible to application. + ABI Changes ----------- diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index 3ab7995fd5..bf98d2618b 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -568,7 +568,7 @@ process_pkts_outbound_nosp(struct ipsec_ctx *ipsec_ctx, static inline void process_pkts(struct lcore_conf *qconf, struct rte_mbuf **pkts, - uint8_t nb_pkts, uint16_t portid, struct rte_security_ctx *ctx) + uint8_t nb_pkts, uint16_t portid, void *ctx) { struct ipsec_traffic traffic; diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index a5706bed24..f5cec4a928 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -205,7 +205,7 @@ verify_ipsec_capabilities(struct rte_security_ipsec_xform *ipsec_xform, static inline int -verify_security_capabilities(struct rte_security_ctx *ctx, +verify_security_capabilities(void *ctx, struct rte_security_session_conf *sess_conf, uint32_t *ol_flags) { @@ -327,9 +327,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx_lcore[], }; if (ips->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { - struct rte_security_ctx *ctx = (struct rte_security_ctx *) - rte_cryptodev_get_sec_ctx( - cdev_id); + void *ctx = rte_cryptodev_get_sec_ctx(cdev_id); /* Set IPsec parameters in conf */ set_ipsec_conf(sa, &(sess_conf.ipsec)); @@ -411,7 +409,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, struct rte_ipsec_session *ips) { int32_t ret = 0; - struct rte_security_ctx *sec_ctx; + void *sec_ctx; struct rte_security_session_conf sess_conf = { .action_type = ips->type, .protocol = RTE_SECURITY_PROTOCOL_IPSEC, @@ -490,9 +488,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, struct rte_flow_error err; int ret = 0; - sec_ctx = (struct rte_security_ctx *) - rte_eth_dev_get_sec_ctx( - sa->portid); + sec_ctx = rte_eth_dev_get_sec_ctx(sa->portid); if (sec_ctx == NULL) { RTE_LOG(ERR, IPSEC, " rte_eth_dev_get_sec_ctx failed\n"); @@ -657,8 +653,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, return -1; } } else if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { - sec_ctx = (struct rte_security_ctx *) - rte_eth_dev_get_sec_ctx(sa->portid); + sec_ctx = rte_eth_dev_get_sec_ctx(sa->portid); if (sec_ctx == NULL) { RTE_LOG(ERR, IPSEC, diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index 6bef2a7285..5059418456 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -279,7 +279,7 @@ struct cnt_blk { struct lcore_rx_queue { uint16_t port_id; uint8_t queue_id; - struct rte_security_ctx *sec_ctx; + void *sec_ctx; } __rte_cache_aligned; struct buffer { diff --git a/examples/ipsec-secgw/ipsec_worker.c b/examples/ipsec-secgw/ipsec_worker.c index 58c80c73f0..8d122e8519 100644 --- a/examples/ipsec-secgw/ipsec_worker.c +++ b/examples/ipsec-secgw/ipsec_worker.c @@ -20,7 +20,7 @@ struct port_drv_mode_data { void *sess; - struct rte_security_ctx *ctx; + void *ctx; }; typedef void (*ipsec_worker_fn_t)(void); diff --git a/examples/ipsec-secgw/ipsec_worker.h b/examples/ipsec-secgw/ipsec_worker.h index cf59b9b5ab..ac980b8bcf 100644 --- a/examples/ipsec-secgw/ipsec_worker.h +++ b/examples/ipsec-secgw/ipsec_worker.h @@ -119,7 +119,7 @@ adjust_ipv6_pktlen(struct rte_mbuf *m, const struct rte_ipv6_hdr *iph, } static __rte_always_inline void -prepare_one_packet(struct rte_security_ctx *ctx, struct rte_mbuf *pkt, +prepare_one_packet(void *ctx, struct rte_mbuf *pkt, struct ipsec_traffic *t) { uint32_t ptype = pkt->packet_type; @@ -230,7 +230,7 @@ prepare_one_packet(struct rte_security_ctx *ctx, struct rte_mbuf *pkt, } static __rte_always_inline void -prepare_traffic(struct rte_security_ctx *ctx, struct rte_mbuf **pkts, +prepare_traffic(void *ctx, struct rte_mbuf **pkts, struct ipsec_traffic *t, uint16_t nb_pkts) { int32_t i; diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c index 42af4a2c35..ab44bbe0f0 100644 --- a/lib/security/rte_security.c +++ b/lib/security/rte_security.c @@ -60,11 +60,12 @@ rte_security_oop_dynfield_register(void) } void * -rte_security_session_create(struct rte_security_ctx *instance, +rte_security_session_create(void *ctx, struct rte_security_session_conf *conf, struct rte_mempool *mp) { struct rte_security_session *sess = NULL; + struct rte_security_ctx *instance = ctx; uint32_t sess_priv_size; RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_create, NULL, NULL); @@ -93,10 +94,10 @@ rte_security_session_create(struct rte_security_ctx *instance, } int -rte_security_session_update(struct rte_security_ctx *instance, - void *sess, - struct rte_security_session_conf *conf) +rte_security_session_update(void *ctx, void *sess, struct rte_security_session_conf *conf) { + struct rte_security_ctx *instance = ctx; + RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_update, -EINVAL, -ENOTSUP); RTE_PTR_OR_ERR_RET(sess, -EINVAL); @@ -106,8 +107,10 @@ rte_security_session_update(struct rte_security_ctx *instance, } unsigned int -rte_security_session_get_size(struct rte_security_ctx *instance) +rte_security_session_get_size(void *ctx) { + struct rte_security_ctx *instance = ctx; + RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_get_size, 0, 0); return (sizeof(struct rte_security_session) + @@ -115,10 +118,10 @@ rte_security_session_get_size(struct rte_security_ctx *instance) } int -rte_security_session_stats_get(struct rte_security_ctx *instance, - void *sess, - struct rte_security_stats *stats) +rte_security_session_stats_get(void *ctx, void *sess, struct rte_security_stats *stats) { + struct rte_security_ctx *instance = ctx; + RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_stats_get, -EINVAL, -ENOTSUP); /* Parameter sess can be NULL in case of getting global statistics. */ @@ -128,8 +131,9 @@ rte_security_session_stats_get(struct rte_security_ctx *instance, } int -rte_security_session_destroy(struct rte_security_ctx *instance, void *sess) +rte_security_session_destroy(void *ctx, void *sess) { + struct rte_security_ctx *instance = ctx; int ret; RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_destroy, -EINVAL, @@ -149,9 +153,9 @@ rte_security_session_destroy(struct rte_security_ctx *instance, void *sess) } int -rte_security_macsec_sc_create(struct rte_security_ctx *instance, - struct rte_security_macsec_sc *conf) +rte_security_macsec_sc_create(void *ctx, struct rte_security_macsec_sc *conf) { + struct rte_security_ctx *instance = ctx; int sc_id; RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_create, -EINVAL, -ENOTSUP); @@ -165,9 +169,9 @@ rte_security_macsec_sc_create(struct rte_security_ctx *instance, } int -rte_security_macsec_sa_create(struct rte_security_ctx *instance, - struct rte_security_macsec_sa *conf) +rte_security_macsec_sa_create(void *ctx, struct rte_security_macsec_sa *conf) { + struct rte_security_ctx *instance = ctx; int sa_id; RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_create, -EINVAL, -ENOTSUP); @@ -181,9 +185,10 @@ rte_security_macsec_sa_create(struct rte_security_ctx *instance, } int -rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id, +rte_security_macsec_sc_destroy(void *ctx, uint16_t sc_id, enum rte_security_macsec_direction dir) { + struct rte_security_ctx *instance = ctx; int ret; RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_destroy, -EINVAL, -ENOTSUP); @@ -199,9 +204,10 @@ rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id } int -rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id, +rte_security_macsec_sa_destroy(void *ctx, uint16_t sa_id, enum rte_security_macsec_direction dir) { + struct rte_security_ctx *instance = ctx; int ret; RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_destroy, -EINVAL, -ENOTSUP); @@ -217,10 +223,12 @@ rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id } int -rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, uint16_t sc_id, +rte_security_macsec_sc_stats_get(void *ctx, uint16_t sc_id, enum rte_security_macsec_direction dir, struct rte_security_macsec_sc_stats *stats) { + struct rte_security_ctx *instance = ctx; + RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_stats_get, -EINVAL, -ENOTSUP); RTE_PTR_OR_ERR_RET(stats, -EINVAL); @@ -228,10 +236,12 @@ rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, uint16_t sc_ } int -rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, uint16_t sa_id, +rte_security_macsec_sa_stats_get(void *ctx, uint16_t sa_id, enum rte_security_macsec_direction dir, struct rte_security_macsec_sa_stats *stats) { + struct rte_security_ctx *instance = ctx; + RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_stats_get, -EINVAL, -ENOTSUP); RTE_PTR_OR_ERR_RET(stats, -EINVAL); @@ -239,10 +249,9 @@ rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, uint16_t sa_ } int -__rte_security_set_pkt_metadata(struct rte_security_ctx *instance, - void *sess, - struct rte_mbuf *m, void *params) +__rte_security_set_pkt_metadata(void *ctx, void *sess, struct rte_mbuf *m, void *params) { + struct rte_security_ctx *instance = ctx; #ifdef RTE_DEBUG RTE_PTR_OR_ERR_RET(sess, -EINVAL); RTE_PTR_OR_ERR_RET(instance, -EINVAL); @@ -255,19 +264,21 @@ __rte_security_set_pkt_metadata(struct rte_security_ctx *instance, } const struct rte_security_capability * -rte_security_capabilities_get(struct rte_security_ctx *instance) +rte_security_capabilities_get(void *ctx) { + struct rte_security_ctx *instance = ctx; + RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, capabilities_get, NULL, NULL); return instance->ops->capabilities_get(instance->device); } const struct rte_security_capability * -rte_security_capability_get(struct rte_security_ctx *instance, - struct rte_security_capability_idx *idx) +rte_security_capability_get(void *ctx, struct rte_security_capability_idx *idx) { const struct rte_security_capability *capabilities; const struct rte_security_capability *capability; + struct rte_security_ctx *instance = ctx; uint16_t i = 0; RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, capabilities_get, NULL, NULL); @@ -401,12 +412,12 @@ static int security_capabilities_from_dev_id(int dev_id, const void **caps) { const struct rte_security_capability *capabilities; - struct rte_security_ctx *sec_ctx; + void *sec_ctx; if (rte_cryptodev_is_valid_dev(dev_id) == 0) return -EINVAL; - sec_ctx = (struct rte_security_ctx *)rte_cryptodev_get_sec_ctx(dev_id); + sec_ctx = rte_cryptodev_get_sec_ctx(dev_id); RTE_PTR_OR_ERR_RET(sec_ctx, -EINVAL); capabilities = rte_security_capabilities_get(sec_ctx); diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index da58fe1f14..c9cc7a45a6 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -56,30 +56,6 @@ enum rte_security_ipsec_tunnel_type { #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 -/** - * Security context for crypto/eth devices - * - * Security instance for each driver to register security operations. - * The application can get the security context from the crypto/eth device id - * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx() - * This structure is used to identify the device(crypto/eth) for which the - * security operations need to be performed. - */ -struct rte_security_ctx { - void *device; - /**< Crypto/ethernet device attached */ - const struct rte_security_ops *ops; - /**< Pointer to security ops for the device */ - uint16_t sess_cnt; - /**< Number of sessions attached to this context */ - uint16_t macsec_sc_cnt; - /**< Number of MACsec SC attached to this context */ - uint16_t macsec_sa_cnt; - /**< Number of MACsec SA attached to this context */ - uint32_t flags; - /**< Flags for security context */ -}; - #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001 /**< Driver uses fast metadata update without using driver specific callback. * For fast mdata, mbuf dynamic field would be registered by driver @@ -695,7 +671,7 @@ struct rte_security_session_conf { * - On failure, NULL */ void * -rte_security_session_create(struct rte_security_ctx *instance, +rte_security_session_create(void *instance, struct rte_security_session_conf *conf, struct rte_mempool *mp); @@ -711,7 +687,7 @@ rte_security_session_create(struct rte_security_ctx *instance, */ __rte_experimental int -rte_security_session_update(struct rte_security_ctx *instance, +rte_security_session_update(void *instance, void *sess, struct rte_security_session_conf *conf); @@ -725,7 +701,7 @@ rte_security_session_update(struct rte_security_ctx *instance, * - 0 if device is invalid or does not support the operation. */ unsigned int -rte_security_session_get_size(struct rte_security_ctx *instance); +rte_security_session_get_size(void *instance); /** * Free security session header and the session private data and @@ -742,7 +718,7 @@ rte_security_session_get_size(struct rte_security_ctx *instance); * - other negative values in case of freeing private data errors. */ int -rte_security_session_destroy(struct rte_security_ctx *instance, void *sess); +rte_security_session_destroy(void *instance, void *sess); /** * @warning @@ -761,7 +737,7 @@ rte_security_session_destroy(struct rte_security_ctx *instance, void *sess); */ __rte_experimental int -rte_security_macsec_sc_create(struct rte_security_ctx *instance, +rte_security_macsec_sc_create(void *instance, struct rte_security_macsec_sc *conf); /** @@ -780,7 +756,7 @@ rte_security_macsec_sc_create(struct rte_security_ctx *instance, */ __rte_experimental int -rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id, +rte_security_macsec_sc_destroy(void *instance, uint16_t sc_id, enum rte_security_macsec_direction dir); /** @@ -800,7 +776,7 @@ rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id */ __rte_experimental int -rte_security_macsec_sa_create(struct rte_security_ctx *instance, +rte_security_macsec_sa_create(void *instance, struct rte_security_macsec_sa *conf); /** @@ -819,7 +795,7 @@ rte_security_macsec_sa_create(struct rte_security_ctx *instance, */ __rte_experimental int -rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id, +rte_security_macsec_sa_destroy(void *instance, uint16_t sa_id, enum rte_security_macsec_direction dir); /** Device-specific metadata field type */ @@ -889,6 +865,27 @@ static inline bool rte_security_dynfield_is_registered(void) return rte_security_dynfield_offset >= 0; } +#define RTE_SECURITY_CTX_FLAGS_OFF 4 +/** + * Get security flags from security instance. + */ +static inline uint32_t +rte_security_ctx_flags_get(void *ctx) +{ + return *((uint32_t *)ctx + RTE_SECURITY_CTX_FLAGS_OFF); +} + +/** + * Set security flags in security instance. + */ +static inline void +rte_security_ctx_flags_set(void *ctx, uint32_t flags) +{ + uint32_t *data; + data = (((uint32_t *)ctx) + RTE_SECURITY_CTX_FLAGS_OFF); + *data = flags; +} + #define RTE_SECURITY_SESS_OPAQUE_DATA_OFF 0 #define RTE_SECURITY_SESS_FAST_MDATA_OFF 1 /** @@ -933,7 +930,7 @@ rte_security_session_fast_mdata_set(void *sess, uint64_t fdata) /** Function to call PMD specific function pointer set_pkt_metadata() */ __rte_experimental -int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance, +int __rte_security_set_pkt_metadata(void *instance, void *sess, struct rte_mbuf *m, void *params); @@ -951,12 +948,12 @@ int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance, * - On failure, a negative value. */ static inline int -rte_security_set_pkt_metadata(struct rte_security_ctx *instance, +rte_security_set_pkt_metadata(void *instance, void *sess, struct rte_mbuf *mb, void *params) { /* Fast Path */ - if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) { + if (rte_security_ctx_flags_get(instance) & RTE_SEC_CTX_F_FAST_SET_MDATA) { *rte_security_dynfield(mb) = (rte_security_dynfield_t) rte_security_session_fast_mdata_get(sess); return 0; @@ -1105,7 +1102,7 @@ struct rte_security_stats { */ __rte_experimental int -rte_security_session_stats_get(struct rte_security_ctx *instance, +rte_security_session_stats_get(void *instance, void *sess, struct rte_security_stats *stats); @@ -1125,7 +1122,7 @@ rte_security_session_stats_get(struct rte_security_ctx *instance, */ __rte_experimental int -rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, +rte_security_macsec_sa_stats_get(void *instance, uint16_t sa_id, enum rte_security_macsec_direction dir, struct rte_security_macsec_sa_stats *stats); @@ -1145,7 +1142,7 @@ rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, */ __rte_experimental int -rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, +rte_security_macsec_sc_stats_get(void *instance, uint16_t sc_id, enum rte_security_macsec_direction dir, struct rte_security_macsec_sc_stats *stats); @@ -1296,7 +1293,7 @@ struct rte_security_capability_idx { * - Return NULL if no capabilities available. */ const struct rte_security_capability * -rte_security_capabilities_get(struct rte_security_ctx *instance); +rte_security_capabilities_get(void *instance); /** * Query if a specific capability is available on security instance @@ -1310,7 +1307,7 @@ rte_security_capabilities_get(struct rte_security_ctx *instance); * - Return NULL if the capability not matched on security instance. */ const struct rte_security_capability * -rte_security_capability_get(struct rte_security_ctx *instance, +rte_security_capability_get(void *instance, struct rte_security_capability_idx *idx); #ifdef __cplusplus diff --git a/lib/security/rte_security_driver.h b/lib/security/rte_security_driver.h index 1e6a6ef8e3..e5e1c4cfe8 100644 --- a/lib/security/rte_security_driver.h +++ b/lib/security/rte_security_driver.h @@ -37,6 +37,30 @@ struct rte_security_session { /**< Private session material, variable size (depends on driver) */ }; +/** + * Security context for crypto/eth devices + * + * Security instance for each driver to register security operations. + * The application can get the security context from the crypto/eth device id + * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx() + * This structure is used to identify the device(crypto/eth) for which the + * security operations need to be performed. + */ +struct rte_security_ctx { + void *device; + /**< Crypto/ethernet device attached */ + const struct rte_security_ops *ops; + /**< Pointer to security ops for the device */ + uint32_t flags; + /**< Flags for security context */ + uint16_t sess_cnt; + /**< Number of sessions attached to this context */ + uint16_t macsec_sc_cnt; + /**< Number of MACsec SC attached to this context */ + uint16_t macsec_sa_cnt; + /**< Number of MACsec SA attached to this context */ +}; + /** * Helper macro to get driver private data */ -- 2.25.1