From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id A8E85439B0; Wed, 24 Jan 2024 07:49:39 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 76DDC4026F; Wed, 24 Jan 2024 07:49:39 +0100 (CET) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id C8A21400D5 for ; Wed, 24 Jan 2024 07:49:37 +0100 (CET) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 40NKRMbD004280; Tue, 23 Jan 2024 22:49:33 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h= from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding:content-type; s=pfpt0220; bh=rL1aRjzD AkVBwpPCgEkG9Myy59BQBXmH/ATcjEZqFnI=; b=Bo2sZmTNeJXxFja3PeRMNmm8 BUhux9sowWJcZM4oUSLT+WfBwikKFJG3t1lKB/RaRs5hFJF/bjz8NW96bUTPpOuJ VKFHO5DFjnzDPTNmKuwD3BoORTfNeOFk4oeuCHoH982t6TuG5I+JOQsTiiAUCcDJ tMCrLMi6Eh1wapTesjnXjx7mgLqFF+8FmASNlleif3+IfpIFPub2arCFHaVRkC9b 0TybIEv+TGFbf2LLz/mVhsJQTO0hpP4X06NN2O0zNL9NEfgT2uQeecC3nuQ8H5hL NhiSR+qWyftD5+CYTthdW75hk3t/BbKxGLmjf7TTu4M0nybyTgQsA4Wi56n3nw== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3vtmgs9mbc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 23 Jan 2024 22:49:33 -0800 (PST) Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Tue, 23 Jan 2024 22:49:31 -0800 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.48 via Frontend Transport; Tue, 23 Jan 2024 22:49:31 -0800 Received: from localhost.localdomain (unknown [10.28.36.102]) by maili.marvell.com (Postfix) with ESMTP id E9FE53F7041; Tue, 23 Jan 2024 22:49:27 -0800 (PST) From: Akhil Goyal To: CC: , , , , , , , , , , Akhil Goyal Subject: [PATCH] app/crypto-perf: support TLS record Date: Wed, 24 Jan 2024 12:19:24 +0530 Message-ID: <20240124064924.3277434-1-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-GUID: l-OhEUTCvP2fnjCc__Y6aLGOco8HVbv9 X-Proofpoint-ORIG-GUID: l-OhEUTCvP2fnjCc__Y6aLGOco8HVbv9 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-01-24_02,2024-01-23_02,2023-05-22_02 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Added support for latency and throughput measurement of TLS and DTLS security ops. Signed-off-by: Akhil Goyal --- app/test-crypto-perf/cperf_ops.c | 144 +++++++++++++++++++ app/test-crypto-perf/cperf_options.h | 5 +- app/test-crypto-perf/cperf_options_parsing.c | 60 +++++++- app/test-crypto-perf/cperf_test_latency.c | 1 + app/test-crypto-perf/cperf_test_throughput.c | 1 + app/test-crypto-perf/cperf_test_vectors.c | 4 +- app/test-crypto-perf/cperf_test_verify.c | 1 + app/test-crypto-perf/main.c | 4 +- doc/guides/tools/cryptoperf.rst | 6 + 9 files changed, 216 insertions(+), 10 deletions(-) diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c index 84945d1313..d3fd115bc0 100644 --- a/app/test-crypto-perf/cperf_ops.c +++ b/app/test-crypto-perf/cperf_ops.c @@ -175,6 +175,42 @@ cperf_set_ops_security_ipsec(struct rte_crypto_op **ops, *tsc_start += tsc_end_temp - tsc_start_temp; } +static void +cperf_set_ops_security_tls(struct rte_crypto_op **ops, + uint32_t src_buf_offset __rte_unused, + uint32_t dst_buf_offset __rte_unused, + uint16_t nb_ops, void *sess, + const struct cperf_options *options, + const struct cperf_test_vector *test_vector, + uint16_t iv_offset __rte_unused, uint32_t *imix_idx, + uint64_t *tsc_start) +{ + const uint32_t test_buffer_size = options->test_buffer_size; + const uint32_t headroom_sz = options->headroom_sz; + const uint32_t segment_sz = options->segment_sz; + uint16_t i = 0; + + RTE_SET_USED(imix_idx); + RTE_SET_USED(tsc_start); + RTE_SET_USED(test_vector); + + for (i = 0; i < nb_ops; i++) { + struct rte_crypto_sym_op *sym_op = ops[i]->sym; + struct rte_mbuf *m = sym_op->m_src; + + ops[i]->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; + ops[i]->param1.tls_record.content_type = 0x17; + rte_security_attach_session(ops[i], sess); + sym_op->m_src = (struct rte_mbuf *)((uint8_t *)ops[i] + src_buf_offset); + + m->data_off = headroom_sz; + m->buf_len = segment_sz; + m->data_len = test_buffer_size; + m->pkt_len = test_buffer_size; + + sym_op->m_dst = NULL; + } +} #endif static void @@ -755,6 +791,106 @@ create_ipsec_session(struct rte_mempool *sess_mp, return (void *)rte_security_session_create(ctx, &sess_conf, sess_mp); } +static void * +create_tls_session(struct rte_mempool *sess_mp, + uint8_t dev_id, + const struct cperf_options *options, + const struct cperf_test_vector *test_vector, + uint16_t iv_offset) +{ + struct rte_crypto_sym_xform auth_xform = {0}; + struct rte_crypto_sym_xform *crypto_xform; + struct rte_crypto_sym_xform xform = {0}; + + if (options->aead_algo != 0) { + /* Setup AEAD Parameters */ + xform.type = RTE_CRYPTO_SYM_XFORM_AEAD; + xform.next = NULL; + xform.aead.algo = options->aead_algo; + xform.aead.op = options->aead_op; + xform.aead.iv.offset = iv_offset; + xform.aead.key.data = test_vector->aead_key.data; + xform.aead.key.length = test_vector->aead_key.length; + xform.aead.iv.length = test_vector->aead_iv.length; + xform.aead.digest_length = options->digest_sz; + xform.aead.aad_length = options->aead_aad_sz; + crypto_xform = &xform; + } else if (options->cipher_algo != 0 && options->auth_algo != 0) { + /* Setup Cipher Parameters */ + xform.type = RTE_CRYPTO_SYM_XFORM_CIPHER; + xform.cipher.algo = options->cipher_algo; + xform.cipher.op = options->cipher_op; + xform.cipher.iv.offset = iv_offset; + xform.cipher.iv.length = test_vector->cipher_iv.length; + /* cipher different than null */ + if (options->cipher_algo != RTE_CRYPTO_CIPHER_NULL) { + xform.cipher.key.data = test_vector->cipher_key.data; + xform.cipher.key.length = test_vector->cipher_key.length; + } else { + xform.cipher.key.data = NULL; + xform.cipher.key.length = 0; + } + + /* Setup Auth Parameters */ + auth_xform.type = RTE_CRYPTO_SYM_XFORM_AUTH; + auth_xform.auth.algo = options->auth_algo; + auth_xform.auth.op = options->auth_op; + auth_xform.auth.iv.offset = iv_offset + xform.cipher.iv.length; + /* auth different than null */ + if (options->auth_algo != RTE_CRYPTO_AUTH_NULL) { + auth_xform.auth.digest_length = options->digest_sz; + auth_xform.auth.key.length = test_vector->auth_key.length; + auth_xform.auth.key.data = test_vector->auth_key.data; + auth_xform.auth.iv.length = test_vector->auth_iv.length; + } else { + auth_xform.auth.digest_length = 0; + auth_xform.auth.key.length = 0; + auth_xform.auth.key.data = NULL; + auth_xform.auth.iv.length = 0; + } + + if (options->is_outbound) { + /* Currently supporting AUTH then Encrypt mode only for TLS. */ + crypto_xform = &auth_xform; + auth_xform.next = &xform; + xform.next = NULL; + } else { + crypto_xform = &xform; + xform.next = &auth_xform; + auth_xform.next = NULL; + } + } else { + return NULL; + } + + struct rte_security_tls_record_sess_options opts = { + .iv_gen_disable = 0, + .extra_padding_enable = 0, + }; + struct rte_security_session_conf sess_conf = { + .action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD, + {.tls_record = { + .ver = RTE_SECURITY_VERSION_TLS_1_2, + .options = opts, + } }, + .userdata = NULL, + .crypto_xform = crypto_xform, + }; + if (options->tls_version) + sess_conf.tls_record.ver = options->tls_version; + + if (options->is_outbound) + sess_conf.tls_record.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE; + else + sess_conf.tls_record.type = RTE_SECURITY_TLS_SESS_TYPE_READ; + + void *ctx = rte_cryptodev_get_sec_ctx(dev_id); + + /* Create security session */ + return (void *)rte_security_session_create(ctx, &sess_conf, sess_mp); +} + static void * cperf_create_session(struct rte_mempool *sess_mp, uint8_t dev_id, @@ -863,6 +999,11 @@ cperf_create_session(struct rte_mempool *sess_mp, options, test_vector, iv_offset); } + if (options->op_type == CPERF_TLS) { + return create_tls_session(sess_mp, dev_id, + options, test_vector, iv_offset); + } + if (options->op_type == CPERF_DOCSIS) { enum rte_security_docsis_direction direction; @@ -1089,6 +1230,9 @@ cperf_get_op_functions(const struct cperf_options *options, case CPERF_IPSEC: op_fns->populate_ops = cperf_set_ops_security_ipsec; break; + case CPERF_TLS: + op_fns->populate_ops = cperf_set_ops_security_tls; + break; #endif default: return -1; diff --git a/app/test-crypto-perf/cperf_options.h b/app/test-crypto-perf/cperf_options.h index 6966e0b286..be36c70be1 100644 --- a/app/test-crypto-perf/cperf_options.h +++ b/app/test-crypto-perf/cperf_options.h @@ -55,6 +55,7 @@ #define CPERF_PDCP_SES_HFN_EN ("pdcp-ses-hfn-en") #define PDCP_DEFAULT_HFN 0x1 #define CPERF_DOCSIS_HDR_SZ ("docsis-hdr-sz") +#define CPERF_TLS_VERSION ("tls-version") #endif #define CPERF_CSV ("csv-friendly") @@ -83,7 +84,8 @@ enum cperf_op_type { CPERF_PDCP, CPERF_DOCSIS, CPERF_IPSEC, - CPERF_ASYM_MODEX + CPERF_ASYM_MODEX, + CPERF_TLS, }; extern const char *cperf_op_type_strs[]; @@ -134,6 +136,7 @@ struct cperf_options { uint16_t pdcp_sdap; enum rte_security_pdcp_domain pdcp_domain; uint16_t docsis_hdr_sz; + enum rte_security_tls_version tls_version; #endif char device_type[RTE_CRYPTODEV_NAME_MAX_LEN]; enum cperf_op_type op_type; diff --git a/app/test-crypto-perf/cperf_options_parsing.c b/app/test-crypto-perf/cperf_options_parsing.c index 75afedc7fd..cba6d6bc42 100644 --- a/app/test-crypto-perf/cperf_options_parsing.c +++ b/app/test-crypto-perf/cperf_options_parsing.c @@ -36,8 +36,8 @@ usage(char *progname) " --segment-sz N: set the size of the segment to use\n" " --desc-nb N: set number of descriptors for each crypto device\n" " --devtype TYPE: set crypto device type to use\n" - " --optype cipher-only / auth-only / cipher-then-auth /\n" - " auth-then-cipher / aead : set operation type\n" + " --optype cipher-only / auth-only / cipher-then-auth / auth-then-cipher /\n" + " aead / pdcp / docsis / ipsec / modex / tls-record : set operation type\n" " --sessionless: enable session-less crypto operations\n" " --out-of-place: enable out-of-place crypto operations\n" " --test-file NAME: set the test vector file path\n" @@ -67,6 +67,7 @@ usage(char *progname) " --pdcp-ses-hfn-en: enable session based fixed HFN\n" " --enable-sdap: enable sdap\n" " --docsis-hdr-sz: set DOCSIS header size\n" + " --tls-version VER: set TLS VERSION \n" #endif " -h: prints this help\n", progname); @@ -480,7 +481,11 @@ parse_op_type(struct cperf_options *opts, const char *arg) { cperf_op_type_strs[CPERF_ASYM_MODEX], CPERF_ASYM_MODEX - } + }, + { + cperf_op_type_strs[CPERF_TLS], + CPERF_TLS + }, }; int id = get_str_key_id_mapping(optype_namemap, @@ -732,6 +737,45 @@ parse_pdcp_domain(struct cperf_options *opts, const char *arg) return 0; } +const char *cperf_tls_version_strs[] = { + [RTE_SECURITY_VERSION_TLS_1_2] = "TLS1.2", + [RTE_SECURITY_VERSION_TLS_1_3] = "TLS1.3", + [RTE_SECURITY_VERSION_DTLS_1_2] = "DTLS1.2" +}; + +static int +parse_tls_version(struct cperf_options *opts, const char *arg) +{ + struct name_id_map tls_version_namemap[] = { + { + cperf_tls_version_strs + [RTE_SECURITY_VERSION_TLS_1_2], + RTE_SECURITY_VERSION_TLS_1_2 + }, + { + cperf_tls_version_strs + [RTE_SECURITY_VERSION_TLS_1_3], + RTE_SECURITY_VERSION_TLS_1_3 + }, + { + cperf_tls_version_strs + [RTE_SECURITY_VERSION_DTLS_1_2], + RTE_SECURITY_VERSION_DTLS_1_2 + }, + }; + + int id = get_str_key_id_mapping(tls_version_namemap, + RTE_DIM(tls_version_namemap), arg); + if (id < 0) { + RTE_LOG(ERR, USER1, "invalid TLS version specified\n"); + return -1; + } + + opts->tls_version = (enum rte_security_tls_version)id; + + return 0; +} + static int parse_pdcp_ses_hfn_en(struct cperf_options *opts, const char *arg __rte_unused) { @@ -893,6 +937,7 @@ static struct option lgopts[] = { { CPERF_PDCP_SES_HFN_EN, no_argument, 0, 0 }, { CPERF_ENABLE_SDAP, no_argument, 0, 0 }, { CPERF_DOCSIS_HDR_SZ, required_argument, 0, 0 }, + { CPERF_TLS_VERSION, required_argument, 0, 0 }, #endif { CPERF_CSV, no_argument, 0, 0}, @@ -1010,6 +1055,7 @@ cperf_opts_parse_long(int opt_idx, struct cperf_options *opts) { CPERF_PDCP_SES_HFN_EN, parse_pdcp_ses_hfn_en }, { CPERF_ENABLE_SDAP, parse_enable_sdap }, { CPERF_DOCSIS_HDR_SZ, parse_docsis_hdr_sz }, + { CPERF_TLS_VERSION, parse_tls_version }, #endif { CPERF_CSV, parse_csv_friendly}, { CPERF_PMDCC_DELAY_MS, parse_pmd_cyclecount_delay_ms}, @@ -1190,12 +1236,12 @@ cperf_options_check(struct cperf_options *options) if (options->segment_sz == 0) { options->segment_sz = options->max_buffer_size + options->digest_sz; - /* In IPsec operation, packet length will be increased + /* In IPsec and TLS operation, packet length will be increased * by some bytes depend upon the algorithm, so increasing * the segment size by headroom to cover most of * the scenarios. */ - if (options->op_type == CPERF_IPSEC) + if (options->op_type == CPERF_IPSEC || options->op_type == CPERF_TLS) options->segment_sz += RTE_PKTMBUF_HEADROOM; } @@ -1328,7 +1374,7 @@ cperf_options_check(struct cperf_options *options) return -EINVAL; } - if (options->op_type == CPERF_IPSEC) { + if (options->op_type == CPERF_IPSEC || options->op_type == CPERF_TLS) { if (options->aead_algo) { if (options->aead_op == RTE_CRYPTO_AEAD_OP_ENCRYPT) options->is_outbound = 1; @@ -1356,6 +1402,8 @@ cperf_options_dump(struct cperf_options *opts) printf("#\n"); printf("# cperf test: %s\n", cperf_test_type_strs[opts->test]); printf("#\n"); + printf("# cperf operation type: %s\n", cperf_op_type_strs[opts->op_type]); + printf("#\n"); printf("# size of crypto op / mbuf pool: %u\n", opts->pool_sz); printf("# total number of ops: %u\n", opts->total_ops); if (opts->inc_buffer_size != 0) { diff --git a/app/test-crypto-perf/cperf_test_latency.c b/app/test-crypto-perf/cperf_test_latency.c index 484bc9eb4e..99b7d7c678 100644 --- a/app/test-crypto-perf/cperf_test_latency.c +++ b/app/test-crypto-perf/cperf_test_latency.c @@ -52,6 +52,7 @@ cperf_latency_test_free(struct cperf_latency_ctx *ctx) #ifdef RTE_LIB_SECURITY else if (ctx->options->op_type == CPERF_PDCP || ctx->options->op_type == CPERF_DOCSIS || + ctx->options->op_type == CPERF_TLS || ctx->options->op_type == CPERF_IPSEC) { void *sec_ctx = rte_cryptodev_get_sec_ctx(ctx->dev_id); rte_security_session_destroy(sec_ctx, ctx->sess); diff --git a/app/test-crypto-perf/cperf_test_throughput.c b/app/test-crypto-perf/cperf_test_throughput.c index f8f8bd717f..e3d266d7a4 100644 --- a/app/test-crypto-perf/cperf_test_throughput.c +++ b/app/test-crypto-perf/cperf_test_throughput.c @@ -43,6 +43,7 @@ cperf_throughput_test_free(struct cperf_throughput_ctx *ctx) #ifdef RTE_LIB_SECURITY else if (ctx->options->op_type == CPERF_PDCP || ctx->options->op_type == CPERF_DOCSIS || + ctx->options->op_type == CPERF_TLS || ctx->options->op_type == CPERF_IPSEC) { void *sec_ctx = rte_cryptodev_get_sec_ctx(ctx->dev_id); diff --git a/app/test-crypto-perf/cperf_test_vectors.c b/app/test-crypto-perf/cperf_test_vectors.c index 5cd7a229b8..3c35eea460 100644 --- a/app/test-crypto-perf/cperf_test_vectors.c +++ b/app/test-crypto-perf/cperf_test_vectors.c @@ -660,7 +660,7 @@ cperf_test_vector_get_dummy(struct cperf_options *options) t_vec->modex.elen = options->modex_data->exponent.len; } - if (options->op_type == CPERF_PDCP || + if (options->op_type == CPERF_PDCP || options->op_type == CPERF_TLS || options->op_type == CPERF_IPSEC) { if (options->cipher_algo == RTE_CRYPTO_CIPHER_NULL) { t_vec->cipher_key.length = 0; @@ -795,7 +795,7 @@ cperf_test_vector_get_dummy(struct cperf_options *options) t_vec->auth_iv.length = options->auth_iv_sz; } - if (options->op_type == CPERF_AEAD || + if (options->op_type == CPERF_AEAD || options->op_type == CPERF_TLS || options->op_type == CPERF_IPSEC) { t_vec->aead_key.length = options->aead_key_sz; t_vec->aead_key.data = aead_key; diff --git a/app/test-crypto-perf/cperf_test_verify.c b/app/test-crypto-perf/cperf_test_verify.c index a6c0ffe813..a57841dafb 100644 --- a/app/test-crypto-perf/cperf_test_verify.c +++ b/app/test-crypto-perf/cperf_test_verify.c @@ -47,6 +47,7 @@ cperf_verify_test_free(struct cperf_verify_ctx *ctx) #ifdef RTE_LIB_SECURITY else if (ctx->options->op_type == CPERF_PDCP || ctx->options->op_type == CPERF_DOCSIS || + ctx->options->op_type == CPERF_TLS || ctx->options->op_type == CPERF_IPSEC) { void *sec_ctx = rte_cryptodev_get_sec_ctx(ctx->dev_id); diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c index 6a2e5762a3..40c0b4b54f 100644 --- a/app/test-crypto-perf/main.c +++ b/app/test-crypto-perf/main.c @@ -43,7 +43,8 @@ const char *cperf_op_type_strs[] = { [CPERF_PDCP] = "pdcp", [CPERF_DOCSIS] = "docsis", [CPERF_IPSEC] = "ipsec", - [CPERF_ASYM_MODEX] = "modex" + [CPERF_ASYM_MODEX] = "modex", + [CPERF_TLS] = "tls-record" }; const struct cperf_test cperf_testmap[] = { @@ -236,6 +237,7 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs) case CPERF_PDCP: case CPERF_DOCSIS: case CPERF_IPSEC: + case CPERF_TLS: /* Fall through */ default: conf.ff_disable |= RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO; diff --git a/doc/guides/tools/cryptoperf.rst b/doc/guides/tools/cryptoperf.rst index f30784674d..facf412799 100644 --- a/doc/guides/tools/cryptoperf.rst +++ b/doc/guides/tools/cryptoperf.rst @@ -175,6 +175,8 @@ The following are the application command-line options: pdcp docsis modex + ipsec + tls-record For GCM/CCM algorithms you should use aead flag. @@ -340,6 +342,10 @@ The following are the application command-line options: Set modex length for asymmetric crypto perf test. Supported lengths are 60, 128, 255, 448. Default length is 128. +* ``--tls-version `` + + Set TLS/DTLS protocol version for perf test (default is TLS1.2). + Test Vector File ~~~~~~~~~~~~~~~~ -- 2.25.1