DPDK patches and discussions
 help / color / Atom feed
* [dpdk-dev] [PATCH] security: update session create API
@ 2020-09-03 20:09 ` akhil.goyal
  2020-09-04 16:04   ` Lukasz Wojciechowski
                     ` (2 more replies)
  0 siblings, 3 replies; 21+ messages in thread
From: akhil.goyal @ 2020-09-03 20:09 UTC (permalink / raw)
  To: dev, thomas, mdr, anoobj
  Cc: hemant.agrawal, konstantin.ananyev, declan.doherty, david.coyle,
	radu.nicolau, Akhil Goyal

From: Akhil Goyal <akhil.goyal@nxp.com>

The API ``rte_security_session_create`` takes only single
mempool for session and session private data. So the
application need to create mempool for twice the number of
sessions needed and will also lead to wastage of memory as
session private data need more memory compared to session.
Hence the API is modified to take two mempool pointers
- one for session and one for private data.
This is very similar to crypto based session create APIs.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
---
 app/test-crypto-perf/cperf_ops.c       |  4 +--
 app/test/test_cryptodev.c              |  8 +++--
 app/test/test_ipsec.c                  |  3 +-
 app/test/test_security.c               | 42 ++++++++++++++++++++------
 doc/guides/prog_guide/rte_security.rst |  6 ++--
 doc/guides/rel_notes/deprecation.rst   |  7 -----
 doc/guides/rel_notes/release_20_11.rst |  6 ++++
 examples/ipsec-secgw/ipsec-secgw.c     | 12 ++------
 examples/ipsec-secgw/ipsec.c           |  9 ++++--
 lib/librte_security/rte_security.c     |  6 ++--
 lib/librte_security/rte_security.h     |  4 ++-
 11 files changed, 68 insertions(+), 39 deletions(-)

diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c
index 3da835a9c..3a64a2c34 100644
--- a/app/test-crypto-perf/cperf_ops.c
+++ b/app/test-crypto-perf/cperf_ops.c
@@ -621,7 +621,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
 
 		/* Create security session */
 		return (void *)rte_security_session_create(ctx,
-					&sess_conf, sess_mp);
+					&sess_conf, sess_mp, priv_mp);
 	}
 	if (options->op_type == CPERF_DOCSIS) {
 		enum rte_security_docsis_direction direction;
@@ -664,7 +664,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
 
 		/* Create security session */
 		return (void *)rte_security_session_create(ctx,
-					&sess_conf, priv_mp);
+					&sess_conf, sess_mp, priv_mp);
 	}
 #endif
 	sess = rte_cryptodev_sym_session_create(sess_mp);
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 70bf6fe2c..6d7da1408 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -7219,7 +7219,8 @@ test_pdcp_proto(int i, int oop,
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx,
-				&sess_conf, ts_params->session_priv_mpool);
+				&sess_conf, ts_params->session_mpool,
+				ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
 		printf("TestCase %s()-%d line %d failed %s: ",
@@ -7479,7 +7480,8 @@ test_pdcp_proto_SGL(int i, int oop,
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx,
-				&sess_conf, ts_params->session_priv_mpool);
+				&sess_conf, ts_params->session_mpool,
+				ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
 		printf("TestCase %s()-%d line %d failed %s: ",
@@ -7836,6 +7838,7 @@ test_docsis_proto_uplink(int i, struct docsis_test_data *d_td)
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+					ts_params->session_mpool,
 					ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
@@ -8011,6 +8014,7 @@ test_docsis_proto_downlink(int i, struct docsis_test_data *d_td)
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+					ts_params->session_mpool,
 					ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
index 79d00d7e0..9ad07a179 100644
--- a/app/test/test_ipsec.c
+++ b/app/test/test_ipsec.c
@@ -632,7 +632,8 @@ create_dummy_sec_session(struct ipsec_unitest_params *ut,
 	static struct rte_security_session_conf conf;
 
 	ut->ss[j].security.ses = rte_security_session_create(&dummy_sec_ctx,
-					&conf, qp->mp_session_private);
+					&conf, qp->mp_session,
+					qp->mp_session_private);
 
 	if (ut->ss[j].security.ses == NULL)
 		return -ENOMEM;
diff --git a/app/test/test_security.c b/app/test/test_security.c
index 77fd5adc6..ed7de348f 100644
--- a/app/test/test_security.c
+++ b/app/test/test_security.c
@@ -237,6 +237,7 @@ static struct mock_session_create_data {
 	struct rte_security_session_conf *conf;
 	struct rte_security_session *sess;
 	struct rte_mempool *mp;
+	struct rte_mempool *priv_mp;
 
 	int ret;
 
@@ -502,6 +503,7 @@ struct rte_security_ops mock_ops = {
  */
 static struct security_testsuite_params {
 	struct rte_mempool *session_mpool;
+	struct rte_mempool *session_priv_mpool;
 } testsuite_params = { NULL };
 
 /**
@@ -525,6 +527,7 @@ static struct security_unittest_params {
 };
 
 #define SECURITY_TEST_MEMPOOL_NAME "SecurityTestsMempoolName"
+#define SECURITY_TEST_PRIV_MEMPOOL_NAME "SecurityTestsPrivMempoolName"
 #define SECURITY_TEST_MEMPOOL_SIZE 15
 #define SECURITY_TEST_SESSION_OBJECT_SIZE sizeof(struct rte_security_session)
 
@@ -545,6 +548,17 @@ testsuite_setup(void)
 			SOCKET_ID_ANY, 0);
 	TEST_ASSERT_NOT_NULL(ts_params->session_mpool,
 			"Cannot create mempool %s\n", rte_strerror(rte_errno));
+
+	ts_params->session_priv_mpool = rte_mempool_create(
+			SECURITY_TEST_PRIV_MEMPOOL_NAME,
+			SECURITY_TEST_MEMPOOL_SIZE,
+			rte_security_session_get_size(&unittest_params.ctx),
+			0, 0, NULL, NULL, NULL, NULL,
+			SOCKET_ID_ANY, 0);
+	TEST_ASSERT_NOT_NULL(ts_params->session_priv_mpool,
+			"Cannot create priv mempool %s\n",
+			rte_strerror(rte_errno));
+
 	return TEST_SUCCESS;
 }
 
@@ -659,7 +673,8 @@ ut_setup_with_session(void)
 	mock_session_create_exp.ret = 0;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
 			sess);
 	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
@@ -701,7 +716,8 @@ test_session_create_inv_context(void)
 	struct rte_security_session *sess;
 
 	sess = rte_security_session_create(NULL, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
@@ -725,7 +741,8 @@ test_session_create_inv_context_ops(void)
 	ut_params->ctx.ops = NULL;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
@@ -749,7 +766,8 @@ test_session_create_inv_context_ops_fun(void)
 	ut_params->ctx.ops = &empty_ops;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
@@ -770,7 +788,8 @@ test_session_create_inv_configuration(void)
 	struct rte_security_session *sess;
 
 	sess = rte_security_session_create(&ut_params->ctx, NULL,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
@@ -790,7 +809,7 @@ test_session_create_inv_mempool(void)
 	struct rte_security_session *sess;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			NULL);
+			NULL, NULL);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
@@ -824,7 +843,8 @@ test_session_create_mempool_empty(void)
 	TEST_ASSERT_MEMPOOL_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
@@ -853,10 +873,12 @@ test_session_create_ops_failure(void)
 	mock_session_create_exp.device = NULL;
 	mock_session_create_exp.conf = &ut_params->conf;
 	mock_session_create_exp.mp = ts_params->session_mpool;
+	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
 	mock_session_create_exp.ret = -1;	/* Return failure status. */
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 1);
@@ -879,10 +901,12 @@ test_session_create_success(void)
 	mock_session_create_exp.device = NULL;
 	mock_session_create_exp.conf = &ut_params->conf;
 	mock_session_create_exp.mp = ts_params->session_mpool;
+	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
 	mock_session_create_exp.ret = 0;	/* Return success status. */
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
 			sess);
 	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 127da2e4f..cff0653f5 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -533,8 +533,10 @@ and this allows further acceleration of the offload of Crypto workloads.
 
 The Security framework provides APIs to create and free sessions for crypto/ethernet
 devices, where sessions are mempool objects. It is the application's responsibility
-to create and manage the session mempools. The mempool object size should be able to
-accommodate the driver's private data of security session.
+to create and manage two session mempools - one for session and other for session
+private data. The mempool object size should be able to accommodate the driver's
+private data of security session. The application can get the size of session private
+data using API ``rte_security_session_get_size``.
 
 Once the session mempools have been created, ``rte_security_session_create()``
 is used to allocate and initialize a session for the required crypto/ethernet device.
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 345c38d5b..84be88a13 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -263,13 +263,6 @@ Deprecation Notices
   This feature faces reliability issues and is often conflicting with
   new features being implemented.
 
-* security: The API ``rte_security_session_create`` takes only single mempool
-  for session and session private data. So the application need to create
-  mempool for twice the number of sessions needed and will also lead to
-  wastage of memory as session private data need more memory compared to session.
-  Hence the API will be modified to take two mempool pointers - one for session
-  and one for private data.
-
 * cryptodev: ``RTE_CRYPTO_AEAD_LIST_END`` from ``enum rte_crypto_aead_algorithm``,
   ``RTE_CRYPTO_CIPHER_LIST_END`` from ``enum rte_crypto_cipher_algorithm`` and
   ``RTE_CRYPTO_AUTH_LIST_END`` from ``enum rte_crypto_auth_algorithm``
diff --git a/doc/guides/rel_notes/release_20_11.rst b/doc/guides/rel_notes/release_20_11.rst
index df227a177..04c1a1b81 100644
--- a/doc/guides/rel_notes/release_20_11.rst
+++ b/doc/guides/rel_notes/release_20_11.rst
@@ -84,6 +84,12 @@ API Changes
    Also, make sure to start the actual text at the margin.
    =======================================================
 
+* security: The API ``rte_security_session_create`` is updated to take two
+  mempool objects one for session and other for session private data.
+  So the application need to create two mempools and get the size of session
+  private data using API ``rte_security_session_get_size`` for private session
+  mempool.
+
 
 ABI Changes
 -----------
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 8ba15d23c..55a5ea9f4 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -2351,12 +2351,8 @@ session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t sess_sz)
 
 	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
 			"sess_mp_%u", socket_id);
-	/*
-	 * Doubled due to rte_security_session_create() uses one mempool for
-	 * session and for session private data.
-	 */
 	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
-		rte_lcore_count()) * 2;
+		rte_lcore_count());
 	sess_mp = rte_cryptodev_sym_session_pool_create(
 			mp_name, nb_sess, sess_sz, CDEV_MP_CACHE_SZ, 0,
 			socket_id);
@@ -2379,12 +2375,8 @@ session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id,
 
 	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
 			"sess_mp_priv_%u", socket_id);
-	/*
-	 * Doubled due to rte_security_session_create() uses one mempool for
-	 * session and for session private data.
-	 */
 	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
-		rte_lcore_count()) * 2;
+		rte_lcore_count());
 	sess_mp = rte_mempool_create(mp_name,
 			nb_sess,
 			sess_sz,
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 01faa7ac7..6baeeb342 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -117,7 +117,8 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
 			set_ipsec_conf(sa, &(sess_conf.ipsec));
 
 			ips->security.ses = rte_security_session_create(ctx,
-					&sess_conf, ipsec_ctx->session_priv_pool);
+					&sess_conf, ipsec_ctx->session_pool,
+					ipsec_ctx->session_priv_pool);
 			if (ips->security.ses == NULL) {
 				RTE_LOG(ERR, IPSEC,
 				"SEC Session init failed: err: %d\n", ret);
@@ -198,7 +199,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
 		}
 
 		ips->security.ses = rte_security_session_create(sec_ctx,
-				&sess_conf, skt_ctx->session_pool);
+				&sess_conf, skt_ctx->session_pool,
+				skt_ctx->session_priv_pool);
 		if (ips->security.ses == NULL) {
 			RTE_LOG(ERR, IPSEC,
 				"SEC Session init failed: err: %d\n", ret);
@@ -378,7 +380,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
 		sess_conf.userdata = (void *) sa;
 
 		ips->security.ses = rte_security_session_create(sec_ctx,
-					&sess_conf, skt_ctx->session_pool);
+					&sess_conf, skt_ctx->session_pool,
+					skt_ctx->session_priv_pool);
 		if (ips->security.ses == NULL) {
 			RTE_LOG(ERR, IPSEC,
 				"SEC Session init failed: err: %d\n", ret);
diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
index 515c29e04..293ca747d 100644
--- a/lib/librte_security/rte_security.c
+++ b/lib/librte_security/rte_security.c
@@ -26,7 +26,8 @@
 struct rte_security_session *
 rte_security_session_create(struct rte_security_ctx *instance,
 			    struct rte_security_session_conf *conf,
-			    struct rte_mempool *mp)
+			    struct rte_mempool *mp,
+			    struct rte_mempool *priv_mp)
 {
 	struct rte_security_session *sess = NULL;
 
@@ -37,7 +38,8 @@ rte_security_session_create(struct rte_security_ctx *instance,
 	if (rte_mempool_get(mp, (void **)&sess))
 		return NULL;
 
-	if (instance->ops->session_create(instance->device, conf, sess, mp)) {
+	if (instance->ops->session_create(instance->device, conf,
+				sess, priv_mp)) {
 		rte_mempool_put(mp, (void *)sess);
 		return NULL;
 	}
diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index 16839e539..1710cdd6a 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -386,6 +386,7 @@ struct rte_security_session {
  * @param   instance	security instance
  * @param   conf	session configuration parameters
  * @param   mp		mempool to allocate session objects from
+ * @param   priv_mp	mempool to allocate session private data objects from
  * @return
  *  - On success, pointer to session
  *  - On failure, NULL
@@ -393,7 +394,8 @@ struct rte_security_session {
 struct rte_security_session *
 rte_security_session_create(struct rte_security_ctx *instance,
 			    struct rte_security_session_conf *conf,
-			    struct rte_mempool *mp);
+			    struct rte_mempool *mp,
+			    struct rte_mempool *priv_mp);
 
 /**
  * Update security session as specified by the session configuration
-- 
2.17.1


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH] security: update session create API
  2020-09-03 20:09 ` [dpdk-dev] [PATCH] security: update session create API akhil.goyal
@ 2020-09-04 16:04   ` Lukasz Wojciechowski
  2020-10-10 22:09     ` Akhil Goyal
  2020-09-24 16:22   ` Coyle, David
  2020-10-10 22:11   ` [dpdk-dev] [PATCH v2] " Akhil Goyal
  2 siblings, 1 reply; 21+ messages in thread
From: Lukasz Wojciechowski @ 2020-09-04 16:04 UTC (permalink / raw)
  To: akhil.goyal, dev, thomas, mdr, anoobj
  Cc: hemant.agrawal, konstantin.ananyev, declan.doherty, david.coyle,
	radu.nicolau


W dniu 03.09.2020 o 22:09, akhil.goyal@nxp.com pisze:
> From: Akhil Goyal <akhil.goyal@nxp.com>
>
> The API ``rte_security_session_create`` takes only single
> mempool for session and session private data. So the
> application need to create mempool for twice the number of
> sessions needed and will also lead to wastage of memory as
> session private data need more memory compared to session.
> Hence the API is modified to take two mempool pointers
> - one for session and one for private data.
> This is very similar to crypto based session create APIs.
>
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> ---
>   app/test-crypto-perf/cperf_ops.c       |  4 +--
>   app/test/test_cryptodev.c              |  8 +++--
>   app/test/test_ipsec.c                  |  3 +-
>   app/test/test_security.c               | 42 ++++++++++++++++++++------
>   doc/guides/prog_guide/rte_security.rst |  6 ++--
>   doc/guides/rel_notes/deprecation.rst   |  7 -----
>   doc/guides/rel_notes/release_20_11.rst |  6 ++++
>   examples/ipsec-secgw/ipsec-secgw.c     | 12 ++------
>   examples/ipsec-secgw/ipsec.c           |  9 ++++--
>   lib/librte_security/rte_security.c     |  6 ++--
>   lib/librte_security/rte_security.h     |  4 ++-
>   11 files changed, 68 insertions(+), 39 deletions(-)
>
> diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c
> index 3da835a9c..3a64a2c34 100644
> --- a/app/test-crypto-perf/cperf_ops.c
> +++ b/app/test-crypto-perf/cperf_ops.c
> @@ -621,7 +621,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
>   
>   		/* Create security session */
>   		return (void *)rte_security_session_create(ctx,
> -					&sess_conf, sess_mp);
> +					&sess_conf, sess_mp, priv_mp);
>   	}
>   	if (options->op_type == CPERF_DOCSIS) {
>   		enum rte_security_docsis_direction direction;
> @@ -664,7 +664,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
>   
>   		/* Create security session */
>   		return (void *)rte_security_session_create(ctx,
> -					&sess_conf, priv_mp);
> +					&sess_conf, sess_mp, priv_mp);
>   	}
>   #endif
>   	sess = rte_cryptodev_sym_session_create(sess_mp);
> diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
> index 70bf6fe2c..6d7da1408 100644
> --- a/app/test/test_cryptodev.c
> +++ b/app/test/test_cryptodev.c
> @@ -7219,7 +7219,8 @@ test_pdcp_proto(int i, int oop,
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx,
> -				&sess_conf, ts_params->session_priv_mpool);
> +				&sess_conf, ts_params->session_mpool,
> +				ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
>   		printf("TestCase %s()-%d line %d failed %s: ",
> @@ -7479,7 +7480,8 @@ test_pdcp_proto_SGL(int i, int oop,
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx,
> -				&sess_conf, ts_params->session_priv_mpool);
> +				&sess_conf, ts_params->session_mpool,
> +				ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
>   		printf("TestCase %s()-%d line %d failed %s: ",
> @@ -7836,6 +7838,7 @@ test_docsis_proto_uplink(int i, struct docsis_test_data *d_td)
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
> +					ts_params->session_mpool,
>   					ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
> @@ -8011,6 +8014,7 @@ test_docsis_proto_downlink(int i, struct docsis_test_data *d_td)
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
> +					ts_params->session_mpool,
>   					ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
> diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
> index 79d00d7e0..9ad07a179 100644
> --- a/app/test/test_ipsec.c
> +++ b/app/test/test_ipsec.c
> @@ -632,7 +632,8 @@ create_dummy_sec_session(struct ipsec_unitest_params *ut,
>   	static struct rte_security_session_conf conf;
>   
>   	ut->ss[j].security.ses = rte_security_session_create(&dummy_sec_ctx,
> -					&conf, qp->mp_session_private);
> +					&conf, qp->mp_session,
> +					qp->mp_session_private);
>   
>   	if (ut->ss[j].security.ses == NULL)
>   		return -ENOMEM;
> diff --git a/app/test/test_security.c b/app/test/test_security.c
> index 77fd5adc6..ed7de348f 100644
> --- a/app/test/test_security.c
> +++ b/app/test/test_security.c
> @@ -237,6 +237,7 @@ static struct mock_session_create_data {
>   	struct rte_security_session_conf *conf;
>   	struct rte_security_session *sess;
>   	struct rte_mempool *mp;
> +	struct rte_mempool *priv_mp;
>   
>   	int ret;
>   
session_create op is now called with private mbuf, so you need also to 
update assert in mock session_create:

@@ -248,13 +249,13 @@ static int
  mock_session_create(void *device,
                 struct rte_security_session_conf *conf,
                 struct rte_security_session *sess,
-               struct rte_mempool *mp)
+               struct rte_mempool *priv_mp)
  {
         mock_session_create_exp.called++;

         MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, 
device);
         MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, conf);
-       MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, mp);
+       MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, 
priv_mp);

         mock_session_create_exp.sess = sess;



> @@ -502,6 +503,7 @@ struct rte_security_ops mock_ops = {
>    */
>   static struct security_testsuite_params {
>   	struct rte_mempool *session_mpool;
> +	struct rte_mempool *session_priv_mpool;
>   } testsuite_params = { NULL };
>   
>   /**
> @@ -525,6 +527,7 @@ static struct security_unittest_params {
>   };
>   
>   #define SECURITY_TEST_MEMPOOL_NAME "SecurityTestsMempoolName"
> +#define SECURITY_TEST_PRIV_MEMPOOL_NAME "SecurityTestsPrivMempoolName"
Please make the mempool name shorter, otherwise it causes tests to fail:

EAL: Test assert testsuite_setup line 558 failed: Cannot create priv 
mempool File name too long

>   #define SECURITY_TEST_MEMPOOL_SIZE 15
>   #define SECURITY_TEST_SESSION_OBJECT_SIZE sizeof(struct rte_security_session)
>   
> @@ -545,6 +548,17 @@ testsuite_setup(void)
>   			SOCKET_ID_ANY, 0);
>   	TEST_ASSERT_NOT_NULL(ts_params->session_mpool,
>   			"Cannot create mempool %s\n", rte_strerror(rte_errno));
> +
> +	ts_params->session_priv_mpool = rte_mempool_create(
> +			SECURITY_TEST_PRIV_MEMPOOL_NAME,
> +			SECURITY_TEST_MEMPOOL_SIZE,
> +			rte_security_session_get_size(&unittest_params.ctx),
> +			0, 0, NULL, NULL, NULL, NULL,
> +			SOCKET_ID_ANY, 0);
> +	TEST_ASSERT_NOT_NULL(ts_params->session_priv_mpool,
> +			"Cannot create priv mempool %s\n",
> +			rte_strerror(rte_errno));
> +
If creation of private data mpool fails, primary mempool need to be 
freed before function returns failure code.
>   	return TEST_SUCCESS;
>   }
>   
> @@ -659,7 +673,8 @@ ut_setup_with_session(void)
>   	mock_session_create_exp.ret = 0;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
>   			sess);
>   	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
> @@ -701,7 +716,8 @@ test_session_create_inv_context(void)
>   	struct rte_security_session *sess;
>   
>   	sess = rte_security_session_create(NULL, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> @@ -725,7 +741,8 @@ test_session_create_inv_context_ops(void)
>   	ut_params->ctx.ops = NULL;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> @@ -749,7 +766,8 @@ test_session_create_inv_context_ops_fun(void)
>   	ut_params->ctx.ops = &empty_ops;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> @@ -770,7 +788,8 @@ test_session_create_inv_configuration(void)
>   	struct rte_security_session *sess;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, NULL,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> @@ -790,7 +809,7 @@ test_session_create_inv_mempool(void)
>   	struct rte_security_session *sess;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			NULL);
> +			NULL, NULL);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> @@ -824,7 +843,8 @@ test_session_create_mempool_empty(void)
>   	TEST_ASSERT_MEMPOOL_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> @@ -853,10 +873,12 @@ test_session_create_ops_failure(void)
>   	mock_session_create_exp.device = NULL;
>   	mock_session_create_exp.conf = &ut_params->conf;
>   	mock_session_create_exp.mp = ts_params->session_mpool;
> +	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
>   	mock_session_create_exp.ret = -1;	/* Return failure status. */
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 1);
> @@ -879,10 +901,12 @@ test_session_create_success(void)
>   	mock_session_create_exp.device = NULL;
>   	mock_session_create_exp.conf = &ut_params->conf;
>   	mock_session_create_exp.mp = ts_params->session_mpool;
> +	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
>   	mock_session_create_exp.ret = 0;	/* Return success status. */
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
>   			sess);
>   	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
> diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
> index 127da2e4f..cff0653f5 100644
> --- a/doc/guides/prog_guide/rte_security.rst
> +++ b/doc/guides/prog_guide/rte_security.rst
> @@ -533,8 +533,10 @@ and this allows further acceleration of the offload of Crypto workloads.
>   
>   The Security framework provides APIs to create and free sessions for crypto/ethernet
>   devices, where sessions are mempool objects. It is the application's responsibility
> -to create and manage the session mempools. The mempool object size should be able to
> -accommodate the driver's private data of security session.
> +to create and manage two session mempools - one for session and other for session
> +private data. The mempool object size should be able to accommodate the driver's
> +private data of security session. The application can get the size of session private
> +data using API ``rte_security_session_get_size``.
>   
>   Once the session mempools have been created, ``rte_security_session_create()``
>   is used to allocate and initialize a session for the required crypto/ethernet device.
> diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
> index 345c38d5b..84be88a13 100644
> --- a/doc/guides/rel_notes/deprecation.rst
> +++ b/doc/guides/rel_notes/deprecation.rst
> @@ -263,13 +263,6 @@ Deprecation Notices
>     This feature faces reliability issues and is often conflicting with
>     new features being implemented.
>   
> -* security: The API ``rte_security_session_create`` takes only single mempool
> -  for session and session private data. So the application need to create
> -  mempool for twice the number of sessions needed and will also lead to
> -  wastage of memory as session private data need more memory compared to session.
> -  Hence the API will be modified to take two mempool pointers - one for session
> -  and one for private data.
> -
>   * cryptodev: ``RTE_CRYPTO_AEAD_LIST_END`` from ``enum rte_crypto_aead_algorithm``,
>     ``RTE_CRYPTO_CIPHER_LIST_END`` from ``enum rte_crypto_cipher_algorithm`` and
>     ``RTE_CRYPTO_AUTH_LIST_END`` from ``enum rte_crypto_auth_algorithm``
> diff --git a/doc/guides/rel_notes/release_20_11.rst b/doc/guides/rel_notes/release_20_11.rst
> index df227a177..04c1a1b81 100644
> --- a/doc/guides/rel_notes/release_20_11.rst
> +++ b/doc/guides/rel_notes/release_20_11.rst
> @@ -84,6 +84,12 @@ API Changes
>      Also, make sure to start the actual text at the margin.
>      =======================================================
>   
> +* security: The API ``rte_security_session_create`` is updated to take two
> +  mempool objects one for session and other for session private data.
> +  So the application need to create two mempools and get the size of session
> +  private data using API ``rte_security_session_get_size`` for private session
> +  mempool.
> +
>   
>   ABI Changes
>   -----------
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> index 8ba15d23c..55a5ea9f4 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -2351,12 +2351,8 @@ session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t sess_sz)
>   
>   	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
>   			"sess_mp_%u", socket_id);
> -	/*
> -	 * Doubled due to rte_security_session_create() uses one mempool for
> -	 * session and for session private data.
> -	 */
>   	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
> -		rte_lcore_count()) * 2;
> +		rte_lcore_count());
>   	sess_mp = rte_cryptodev_sym_session_pool_create(
>   			mp_name, nb_sess, sess_sz, CDEV_MP_CACHE_SZ, 0,
>   			socket_id);
> @@ -2379,12 +2375,8 @@ session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id,
>   
>   	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
>   			"sess_mp_priv_%u", socket_id);
> -	/*
> -	 * Doubled due to rte_security_session_create() uses one mempool for
> -	 * session and for session private data.
> -	 */
>   	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
> -		rte_lcore_count()) * 2;
> +		rte_lcore_count());
>   	sess_mp = rte_mempool_create(mp_name,
>   			nb_sess,
>   			sess_sz,
> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> index 01faa7ac7..6baeeb342 100644
> --- a/examples/ipsec-secgw/ipsec.c
> +++ b/examples/ipsec-secgw/ipsec.c
> @@ -117,7 +117,8 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
>   			set_ipsec_conf(sa, &(sess_conf.ipsec));
>   
>   			ips->security.ses = rte_security_session_create(ctx,
> -					&sess_conf, ipsec_ctx->session_priv_pool);
> +					&sess_conf, ipsec_ctx->session_pool,
> +					ipsec_ctx->session_priv_pool);
>   			if (ips->security.ses == NULL) {
>   				RTE_LOG(ERR, IPSEC,
>   				"SEC Session init failed: err: %d\n", ret);
> @@ -198,7 +199,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
>   		}
>   
>   		ips->security.ses = rte_security_session_create(sec_ctx,
> -				&sess_conf, skt_ctx->session_pool);
> +				&sess_conf, skt_ctx->session_pool,
> +				skt_ctx->session_priv_pool);
>   		if (ips->security.ses == NULL) {
>   			RTE_LOG(ERR, IPSEC,
>   				"SEC Session init failed: err: %d\n", ret);
> @@ -378,7 +380,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
>   		sess_conf.userdata = (void *) sa;
>   
>   		ips->security.ses = rte_security_session_create(sec_ctx,
> -					&sess_conf, skt_ctx->session_pool);
> +					&sess_conf, skt_ctx->session_pool,
> +					skt_ctx->session_priv_pool);
>   		if (ips->security.ses == NULL) {
>   			RTE_LOG(ERR, IPSEC,
>   				"SEC Session init failed: err: %d\n", ret);
> diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
> index 515c29e04..293ca747d 100644
> --- a/lib/librte_security/rte_security.c
> +++ b/lib/librte_security/rte_security.c
> @@ -26,7 +26,8 @@
>   struct rte_security_session *
>   rte_security_session_create(struct rte_security_ctx *instance,
>   			    struct rte_security_session_conf *conf,
> -			    struct rte_mempool *mp)
> +			    struct rte_mempool *mp,
> +			    struct rte_mempool *priv_mp)
>   {
>   	struct rte_security_session *sess = NULL;
>   
> @@ -37,7 +38,8 @@ rte_security_session_create(struct rte_security_ctx *instance,
>   	if (rte_mempool_get(mp, (void **)&sess))
>   		return NULL;
>   
> -	if (instance->ops->session_create(instance->device, conf, sess, mp)) {
> +	if (instance->ops->session_create(instance->device, conf,
> +				sess, priv_mp)) {
>   		rte_mempool_put(mp, (void *)sess);
>   		return NULL;
>   	}
> diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
> index 16839e539..1710cdd6a 100644
> --- a/lib/librte_security/rte_security.h
> +++ b/lib/librte_security/rte_security.h
> @@ -386,6 +386,7 @@ struct rte_security_session {
>    * @param   instance	security instance
>    * @param   conf	session configuration parameters
>    * @param   mp		mempool to allocate session objects from
> + * @param   priv_mp	mempool to allocate session private data objects from
>    * @return
>    *  - On success, pointer to session
>    *  - On failure, NULL
> @@ -393,7 +394,8 @@ struct rte_security_session {
>   struct rte_security_session *
>   rte_security_session_create(struct rte_security_ctx *instance,
>   			    struct rte_security_session_conf *conf,
> -			    struct rte_mempool *mp);
> +			    struct rte_mempool *mp,
> +			    struct rte_mempool *priv_mp);
>   
>   /**
>    * Update security session as specified by the session configuration

-- 
Lukasz Wojciechowski
Principal Software Engineer

Samsung R&D Institute Poland
Samsung Electronics
Office +48 22 377 88 25
l.wojciechow@partner.samsung.com


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH] security: update session create API
  2020-09-03 20:09 ` [dpdk-dev] [PATCH] security: update session create API akhil.goyal
  2020-09-04 16:04   ` Lukasz Wojciechowski
@ 2020-09-24 16:22   ` Coyle, David
  2020-10-10 22:06     ` Akhil Goyal
  2020-10-10 22:11   ` [dpdk-dev] [PATCH v2] " Akhil Goyal
  2 siblings, 1 reply; 21+ messages in thread
From: Coyle, David @ 2020-09-24 16:22 UTC (permalink / raw)
  To: akhil.goyal, dev, thomas, mdr, anoobj
  Cc: hemant.agrawal, Ananyev, Konstantin, Doherty, Declan, Nicolau, Radu

Hi Akhil

> -----Original Message-----
> From: akhil.goyal@nxp.com <akhil.goyal@nxp.com>
> Sent: Thursday, September 3, 2020 9:10 PM

<snip>

> diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index
> 70bf6fe2c..6d7da1408 100644
> --- a/app/test/test_cryptodev.c
> +++ b/app/test/test_cryptodev.c
> @@ -7219,7 +7219,8 @@ test_pdcp_proto(int i, int oop,
> 
>  	/* Create security session */
>  	ut_params->sec_session = rte_security_session_create(ctx,
> -				&sess_conf, ts_params-
> >session_priv_mpool);
> +				&sess_conf, ts_params->session_mpool,
> +				ts_params->session_priv_mpool);

[DC] ts_params->session_mpool is a cryptodev sym session pool. The assumption then in these security tests is that
security sessions are smaller than cryptodev sym sessions. This is currently true, but may not always be.

There should possibly be a new mempool created for security sessions.
Or at least an assert somewhere to check a security session is smaller than a cryptodev sym session, so that this doesn't
catch someone out in the future if security session grows in size.

The same comment applies to the crypto-perf-test and test_ipsec too
 
<snip>

> diff --git a/app/test/test_security.c b/app/test/test_security.c index
> 77fd5adc6..ed7de348f 100644
> --- a/app/test/test_security.c
> +++ b/app/test/test_security.c
> @@ -237,6 +237,7 @@ static struct mock_session_create_data {
>  	struct rte_security_session_conf *conf;
>  	struct rte_security_session *sess;
>  	struct rte_mempool *mp;
> +	struct rte_mempool *priv_mp;
> 

<snip>

> 790,7 +809,7 @@ test_session_create_inv_mempool(void)
>  	struct rte_security_session *sess;
> 
>  	sess = rte_security_session_create(&ut_params->ctx, &ut_params-
> >conf,
> -			NULL);
> +			NULL, NULL);

[DC] This test test_session_create_inv_mempool() should have the priv_mp set to a valid
value (i.e. ts_params->session_priv_mpool), and a new test function should be added where
mp is valid, but priv_mp is NULL - this way we test for validity of both mempools independently.

<snip>

> a/doc/guides/prog_guide/rte_security.rst
> b/doc/guides/prog_guide/rte_security.rst
> index 127da2e4f..cff0653f5 100644
> --- a/doc/guides/prog_guide/rte_security.rst
> +++ b/doc/guides/prog_guide/rte_security.rst
> @@ -533,8 +533,10 @@ and this allows further acceleration of the offload of
> Crypto workloads.
> 
>  The Security framework provides APIs to create and free sessions for
> crypto/ethernet  devices, where sessions are mempool objects. It is the
> application's responsibility -to create and manage the session mempools. The
> mempool object size should be able to -accommodate the driver's private
> data of security session.
> +to create and manage two session mempools - one for session and other
> +for session private data. The mempool object size should be able to
> +accommodate the driver's private data of security session. The
> +application can get the size of session private data using API
> ``rte_security_session_get_size``.

[DC] This sentence should be updated to specify it's the private session data mempool that is being referred to

"The mempool object size should be able to accommodate the driver's private data of security session."
=> 
"The private session data mempool object size should be able to accommodate the driver's private data of security
session."

Also, a sentence about the required size of the session mempool should also be added.

<snip>

> diff --git a/doc/guides/rel_notes/release_20_11.rst
> b/doc/guides/rel_notes/release_20_11.rst
> index df227a177..04c1a1b81 100644
> --- a/doc/guides/rel_notes/release_20_11.rst
> +++ b/doc/guides/rel_notes/release_20_11.rst
> @@ -84,6 +84,12 @@ API Changes
>     Also, make sure to start the actual text at the margin.
>     =======================================================
> 
> +* security: The API ``rte_security_session_create`` is updated to take
> +two
> +  mempool objects one for session and other for session private data.
> +  So the application need to create two mempools and get the size of
> +session
> +  private data using API ``rte_security_session_get_size`` for private
> +session
> +  mempool.
> +

[DC]  Many of the PMDs which support security don't implement the session_get_size
callback. There's probably a job here for each PMD owner to add support for this callback.

> 
>  ABI Changes
>  -----------
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-
> secgw/ipsec-secgw.c
> index 8ba15d23c..55a5ea9f4 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c

<snip>

> @@ -2379,12 +2375,8 @@ session_priv_pool_init(struct socket_ctx *ctx,
> int32_t socket_id,
> 
>  	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
>  			"sess_mp_priv_%u", socket_id);
> -	/*
> -	 * Doubled due to rte_security_session_create() uses one mempool
> for
> -	 * session and for session private data.
> -	 */
>  	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
> -		rte_lcore_count()) * 2;
> +		rte_lcore_count());

[DC] A change to double the number of sessions was made in test-crypto-perf when adding DOCSIS security protocol to this tester.
It was needed as both session and private session data was pulled from same mempool.
This change can now be reverted like this...

diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
index 8f8e580e4..6a71aff5f 100644
--- a/app/test-crypto-perf/main.c
+++ b/app/test-crypto-perf/main.c
@@ -248,7 +248,7 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
 #endif
                } else
                        sessions_needed = enabled_cdev_count *
-                                               opts->nb_qps * 2;
+                                               opts->nb_qps;

<snip>

> git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
> index 515c29e04..293ca747d 100644
> --- a/lib/librte_security/rte_security.c
> +++ b/lib/librte_security/rte_security.c
> @@ -26,7 +26,8 @@
>  struct rte_security_session *
>  rte_security_session_create(struct rte_security_ctx *instance,
>  			    struct rte_security_session_conf *conf,
> -			    struct rte_mempool *mp)
> +			    struct rte_mempool *mp,
> +			    struct rte_mempool *priv_mp)
>  {
>  	struct rte_security_session *sess = NULL;

[DC] Need to add a validity check for priv_mp to rte_security_session_create().
The cryptodev API checks both mp and priv_mp are not NULL, so security should do the same

RTE_PTR_OR_ERR_RET(priv_mp, NULL);

> 

<snip>

> --
> 2.17.1

[DC] This API change has highlighted a bug in the security callbacks in the AESNi-MB PMD, specifically in
aesni_mb_pmd_sec_sess_destroy() in drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c

Before putting the private session data back to the mempool, this function clears the data with a memset.
But the bug is that it cleared the security session struct instead of the private aesni_mb_session struct.
This didn't show up previously because the elements of the mempool were large, because both security session and private session
data came from the same mempool with large objects . But now that the security session mempool object are much smaller, this causes
a seg fault

The fix is as follows:

diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
index 2362f0c3c..b11d7f12b 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
@@ -911,7 +911,7 @@ aesni_mb_pmd_sec_sess_destroy(void *dev __rte_unused,

        if (sess_priv) {
                struct rte_mempool *sess_mp = rte_mempool_from_obj(sess_priv);
-               memset(sess, 0, sizeof(struct aesni_mb_session));
+               memset(sess_priv, 0, sizeof(struct aesni_mb_session));
                set_sec_session_private_data(sess, NULL);
                rte_mempool_put(sess_mp, sess_priv);
        }

Can this be fixed as part of this patchset or separate fix needed?


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH] security: update session create API
  2020-09-24 16:22   ` Coyle, David
@ 2020-10-10 22:06     ` Akhil Goyal
  0 siblings, 0 replies; 21+ messages in thread
From: Akhil Goyal @ 2020-10-10 22:06 UTC (permalink / raw)
  To: Coyle, David, dev, thomas, mdr, anoobj
  Cc: Hemant Agrawal, Ananyev, Konstantin, Doherty, Declan, Nicolau, Radu

Hi David,
> Hi Akhil
> 
> > -----Original Message-----
> > From: akhil.goyal@nxp.com <akhil.goyal@nxp.com>
> > Sent: Thursday, September 3, 2020 9:10 PM
> 
> <snip>
> 
> > diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index
> > 70bf6fe2c..6d7da1408 100644
> > --- a/app/test/test_cryptodev.c
> > +++ b/app/test/test_cryptodev.c
> > @@ -7219,7 +7219,8 @@ test_pdcp_proto(int i, int oop,
> >
> >  	/* Create security session */
> >  	ut_params->sec_session = rte_security_session_create(ctx,
> > -				&sess_conf, ts_params-
> > >session_priv_mpool);
> > +				&sess_conf, ts_params->session_mpool,
> > +				ts_params->session_priv_mpool);
> 
> [DC] ts_params->session_mpool is a cryptodev sym session pool. The
> assumption then in these security tests is that
> security sessions are smaller than cryptodev sym sessions. This is currently true,
> but may not always be.
> 
> There should possibly be a new mempool created for security sessions.
> Or at least an assert somewhere to check a security session is smaller than a
> cryptodev sym session, so that this doesn't
> catch someone out in the future if security session grows in size.
> 
> The same comment applies to the crypto-perf-test and test_ipsec too

Fixed for test and crypto-perf. Test_ipsec is not exactly using a security session.
Fixing that is out of scope of this patch.

> 
> <snip>
> 
> > diff --git a/app/test/test_security.c b/app/test/test_security.c index
> > 77fd5adc6..ed7de348f 100644
> > --- a/app/test/test_security.c
> > +++ b/app/test/test_security.c
> > @@ -237,6 +237,7 @@ static struct mock_session_create_data {
> >  	struct rte_security_session_conf *conf;
> >  	struct rte_security_session *sess;
> >  	struct rte_mempool *mp;
> > +	struct rte_mempool *priv_mp;
> >
> 
> <snip>
> 
> > 790,7 +809,7 @@ test_session_create_inv_mempool(void)
> >  	struct rte_security_session *sess;
> >
> >  	sess = rte_security_session_create(&ut_params->ctx, &ut_params-
> > >conf,
> > -			NULL);
> > +			NULL, NULL);
> 
> [DC] This test test_session_create_inv_mempool() should have the priv_mp set
> to a valid
> value (i.e. ts_params->session_priv_mpool), and a new test function should be
> added where
> mp is valid, but priv_mp is NULL - this way we test for validity of both mempools
> independently.

I would say that would be an overkill with not much gain.
Both mempool should be created before session is created. That is quite obvious. Isn't it?

> 
> <snip>
> 
> > a/doc/guides/prog_guide/rte_security.rst
> > b/doc/guides/prog_guide/rte_security.rst
> > index 127da2e4f..cff0653f5 100644
> > --- a/doc/guides/prog_guide/rte_security.rst
> > +++ b/doc/guides/prog_guide/rte_security.rst
> > @@ -533,8 +533,10 @@ and this allows further acceleration of the offload of
> > Crypto workloads.
> >
> >  The Security framework provides APIs to create and free sessions for
> > crypto/ethernet  devices, where sessions are mempool objects. It is the
> > application's responsibility -to create and manage the session mempools. The
> > mempool object size should be able to -accommodate the driver's private
> > data of security session.
> > +to create and manage two session mempools - one for session and other
> > +for session private data. The mempool object size should be able to
> > +accommodate the driver's private data of security session. The
> > +application can get the size of session private data using API
> > ``rte_security_session_get_size``.
> 
> [DC] This sentence should be updated to specify it's the private session data
> mempool that is being referred to
> 
> "The mempool object size should be able to accommodate the driver's private
> data of security session."
> =>
> "The private session data mempool object size should be able to accommodate
> the driver's private data of security
> session."
> 
> Also, a sentence about the required size of the session mempool should also be
> added.

Fixed in v2

> 
> <snip>
> 
> > diff --git a/doc/guides/rel_notes/release_20_11.rst
> > b/doc/guides/rel_notes/release_20_11.rst
> > index df227a177..04c1a1b81 100644
> > --- a/doc/guides/rel_notes/release_20_11.rst
> > +++ b/doc/guides/rel_notes/release_20_11.rst
> > @@ -84,6 +84,12 @@ API Changes
> >     Also, make sure to start the actual text at the margin.
> >     =======================================================
> >
> > +* security: The API ``rte_security_session_create`` is updated to take
> > +two
> > +  mempool objects one for session and other for session private data.
> > +  So the application need to create two mempools and get the size of
> > +session
> > +  private data using API ``rte_security_session_get_size`` for private
> > +session
> > +  mempool.
> > +
> 
> [DC]  Many of the PMDs which support security don't implement the
> session_get_size
> callback. There's probably a job here for each PMD owner to add support for this
> callback.
> 
If a PMD is supporting rte_security, then it should comply with the APIs which are required.

> >
> >  ABI Changes
> >  -----------
> > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-
> > secgw/ipsec-secgw.c
> > index 8ba15d23c..55a5ea9f4 100644
> > --- a/examples/ipsec-secgw/ipsec-secgw.c
> > +++ b/examples/ipsec-secgw/ipsec-secgw.c
> 
> <snip>
> 
> > @@ -2379,12 +2375,8 @@ session_priv_pool_init(struct socket_ctx *ctx,
> > int32_t socket_id,
> >
> >  	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
> >  			"sess_mp_priv_%u", socket_id);
> > -	/*
> > -	 * Doubled due to rte_security_session_create() uses one mempool
> > for
> > -	 * session and for session private data.
> > -	 */
> >  	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
> > -		rte_lcore_count()) * 2;
> > +		rte_lcore_count());
> 
> [DC] A change to double the number of sessions was made in test-crypto-perf
> when adding DOCSIS security protocol to this tester.
> It was needed as both session and private session data was pulled from same
> mempool.
> This change can now be reverted like this...

Fixed in v2

> 
> diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
> index 8f8e580e4..6a71aff5f 100644
> --- a/app/test-crypto-perf/main.c
> +++ b/app/test-crypto-perf/main.c
> @@ -248,7 +248,7 @@ cperf_initialize_cryptodev(struct cperf_options *opts,
> uint8_t *enabled_cdevs)
>  #endif
>                 } else
>                         sessions_needed = enabled_cdev_count *
> -                                               opts->nb_qps * 2;
> +                                               opts->nb_qps;
> 
> <snip>
> 
> > git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
> > index 515c29e04..293ca747d 100644
> > --- a/lib/librte_security/rte_security.c
> > +++ b/lib/librte_security/rte_security.c
> > @@ -26,7 +26,8 @@
> >  struct rte_security_session *
> >  rte_security_session_create(struct rte_security_ctx *instance,
> >  			    struct rte_security_session_conf *conf,
> > -			    struct rte_mempool *mp)
> > +			    struct rte_mempool *mp,
> > +			    struct rte_mempool *priv_mp)
> >  {
> >  	struct rte_security_session *sess = NULL;
> 
> [DC] Need to add a validity check for priv_mp to rte_security_session_create().
> The cryptodev API checks both mp and priv_mp are not NULL, so security should
> do the same
> 
> RTE_PTR_OR_ERR_RET(priv_mp, NULL);

Fixed in v2
> 
> >
> 
> <snip>
> 
> > --
> > 2.17.1
> 
> [DC] This API change has highlighted a bug in the security callbacks in the AESNi-
> MB PMD, specifically in
> aesni_mb_pmd_sec_sess_destroy() in
> drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
> 
> Before putting the private session data back to the mempool, this function
> clears the data with a memset.
> But the bug is that it cleared the security session struct instead of the private
> aesni_mb_session struct.
> This didn't show up previously because the elements of the mempool were large,
> because both security session and private session
> data came from the same mempool with large objects . But now that the
> security session mempool object are much smaller, this causes
> a seg fault
> 
> The fix is as follows:
> 
> diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
> b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
> index 2362f0c3c..b11d7f12b 100644
> --- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
> +++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
> @@ -911,7 +911,7 @@ aesni_mb_pmd_sec_sess_destroy(void *dev
> __rte_unused,
> 
>         if (sess_priv) {
>                 struct rte_mempool *sess_mp = rte_mempool_from_obj(sess_priv);
> -               memset(sess, 0, sizeof(struct aesni_mb_session));
> +               memset(sess_priv, 0, sizeof(struct aesni_mb_session));
>                 set_sec_session_private_data(sess, NULL);
>                 rte_mempool_put(sess_mp, sess_priv);
>         }
> 
> Can this be fixed as part of this patchset or separate fix needed?

This patch is already applied on the tree now.


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH] security: update session create API
  2020-09-04 16:04   ` Lukasz Wojciechowski
@ 2020-10-10 22:09     ` Akhil Goyal
  0 siblings, 0 replies; 21+ messages in thread
From: Akhil Goyal @ 2020-10-10 22:09 UTC (permalink / raw)
  To: Lukasz Wojciechowski, dev, thomas, mdr, anoobj
  Cc: Hemant Agrawal, konstantin.ananyev, declan.doherty, david.coyle,
	radu.nicolau

Hi Lukasz,

Thanks for the review.

> > diff --git a/app/test/test_security.c b/app/test/test_security.c
> > index 77fd5adc6..ed7de348f 100644
> > --- a/app/test/test_security.c
> > +++ b/app/test/test_security.c
> > @@ -237,6 +237,7 @@ static struct mock_session_create_data {
> >   	struct rte_security_session_conf *conf;
> >   	struct rte_security_session *sess;
> >   	struct rte_mempool *mp;
> > +	struct rte_mempool *priv_mp;
> >
> >   	int ret;
> >
> session_create op is now called with private mbuf, so you need also to
> update assert in mock session_create:

OK will be fixed in v2

> 
> @@ -248,13 +249,13 @@ static int
>   mock_session_create(void *device,
>                  struct rte_security_session_conf *conf,
>                  struct rte_security_session *sess,
> -               struct rte_mempool *mp)
> +               struct rte_mempool *priv_mp)
>   {
>          mock_session_create_exp.called++;
> 
>          MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp,
> device);
>          MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp,
> conf);
> -       MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp,
> mp);
> +       MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp,
> priv_mp);
> 
>          mock_session_create_exp.sess = sess;
> 
> 
> 
> > @@ -502,6 +503,7 @@ struct rte_security_ops mock_ops = {
> >    */
> >   static struct security_testsuite_params {
> >   	struct rte_mempool *session_mpool;
> > +	struct rte_mempool *session_priv_mpool;
> >   } testsuite_params = { NULL };
> >
> >   /**
> > @@ -525,6 +527,7 @@ static struct security_unittest_params {
> >   };
> >
> >   #define SECURITY_TEST_MEMPOOL_NAME "SecurityTestsMempoolName"
> > +#define SECURITY_TEST_PRIV_MEMPOOL_NAME
> "SecurityTestsPrivMempoolName"
> Please make the mempool name shorter, otherwise it causes tests to fail:
> 
> EAL: Test assert testsuite_setup line 558 failed: Cannot create priv
> mempool File name too long
> 

Fixed in v2

> >   #define SECURITY_TEST_MEMPOOL_SIZE 15
> >   #define SECURITY_TEST_SESSION_OBJECT_SIZE sizeof(struct
> rte_security_session)
> >
> > @@ -545,6 +548,17 @@ testsuite_setup(void)
> >   			SOCKET_ID_ANY, 0);
> >   	TEST_ASSERT_NOT_NULL(ts_params->session_mpool,
> >   			"Cannot create mempool %s\n",
> rte_strerror(rte_errno));
> > +
> > +	ts_params->session_priv_mpool = rte_mempool_create(
> > +			SECURITY_TEST_PRIV_MEMPOOL_NAME,
> > +			SECURITY_TEST_MEMPOOL_SIZE,
> > +			rte_security_session_get_size(&unittest_params.ctx),
> > +			0, 0, NULL, NULL, NULL, NULL,
> > +			SOCKET_ID_ANY, 0);
> > +	TEST_ASSERT_NOT_NULL(ts_params->session_priv_mpool,
> > +			"Cannot create priv mempool %s\n",
> > +			rte_strerror(rte_errno));
> > +
> If creation of private data mpool fails, primary mempool need to be
> freed before function returns failure code.
This is an issue in whole of the file.
However, have fixed it in v2 for this particular case in v2.


^ permalink raw reply	[flat|nested] 21+ messages in thread

* [dpdk-dev] [PATCH v2] security: update session create API
  2020-09-03 20:09 ` [dpdk-dev] [PATCH] security: update session create API akhil.goyal
  2020-09-04 16:04   ` Lukasz Wojciechowski
  2020-09-24 16:22   ` Coyle, David
@ 2020-10-10 22:11   ` " Akhil Goyal
  2020-10-12 17:46     ` Akhil Goyal
                       ` (2 more replies)
  2 siblings, 3 replies; 21+ messages in thread
From: Akhil Goyal @ 2020-10-10 22:11 UTC (permalink / raw)
  To: dev
  Cc: thomas, mdr, anoobj, hemant.agrawal, konstantin.ananyev,
	declan.doherty, radu.nicolau, david.coyle, l.wojciechow,
	Akhil Goyal

The API ``rte_security_session_create`` takes only single
mempool for session and session private data. So the
application need to create mempool for twice the number of
sessions needed and will also lead to wastage of memory as
session private data need more memory compared to session.
Hence the API is modified to take two mempool pointers
- one for session and one for private data.
This is very similar to crypto based session create APIs.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
---

Changes in V2:
incorporated comments from Lukasz and David.

 app/test-crypto-perf/cperf_ops.c       |  4 +-
 app/test-crypto-perf/main.c            | 12 +++--
 app/test/test_cryptodev.c              | 18 ++++++--
 app/test/test_ipsec.c                  |  3 +-
 app/test/test_security.c               | 61 ++++++++++++++++++++------
 doc/guides/prog_guide/rte_security.rst |  8 +++-
 doc/guides/rel_notes/deprecation.rst   |  7 ---
 doc/guides/rel_notes/release_20_11.rst |  6 +++
 examples/ipsec-secgw/ipsec-secgw.c     | 12 +----
 examples/ipsec-secgw/ipsec.c           |  9 ++--
 lib/librte_security/rte_security.c     |  7 ++-
 lib/librte_security/rte_security.h     |  4 +-
 12 files changed, 102 insertions(+), 49 deletions(-)

diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c
index 3da835a9c..3a64a2c34 100644
--- a/app/test-crypto-perf/cperf_ops.c
+++ b/app/test-crypto-perf/cperf_ops.c
@@ -621,7 +621,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
 
 		/* Create security session */
 		return (void *)rte_security_session_create(ctx,
-					&sess_conf, sess_mp);
+					&sess_conf, sess_mp, priv_mp);
 	}
 	if (options->op_type == CPERF_DOCSIS) {
 		enum rte_security_docsis_direction direction;
@@ -664,7 +664,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
 
 		/* Create security session */
 		return (void *)rte_security_session_create(ctx,
-					&sess_conf, priv_mp);
+					&sess_conf, sess_mp, priv_mp);
 	}
 #endif
 	sess = rte_cryptodev_sym_session_create(sess_mp);
diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
index 62ae6048b..53864ffdd 100644
--- a/app/test-crypto-perf/main.c
+++ b/app/test-crypto-perf/main.c
@@ -156,7 +156,14 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
 		if (sess_size > max_sess_size)
 			max_sess_size = sess_size;
 	}
-
+#ifdef RTE_LIBRTE_SECURITY
+	for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {
+		sess_size = rte_security_session_get_size(
+				rte_cryptodev_get_sec_ctx(cdev_id));
+		if (sess_size > max_sess_size)
+			max_sess_size = sess_size;
+	}
+#endif
 	/*
 	 * Calculate number of needed queue pairs, based on the amount
 	 * of available number of logical cores and crypto devices.
@@ -247,8 +254,7 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
 				opts->nb_qps * nb_slaves;
 #endif
 		} else
-			sessions_needed = enabled_cdev_count *
-						opts->nb_qps * 2;
+			sessions_needed = enabled_cdev_count * opts->nb_qps;
 
 		/*
 		 * A single session is required per queue pair
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index ac2a36bc2..4bd9d8aff 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -553,9 +553,15 @@ testsuite_setup(void)
 	unsigned int session_size =
 		rte_cryptodev_sym_get_private_session_size(dev_id);
 
+#ifdef RTE_LIBRTE_SECURITY
+	unsigned int security_session_size = rte_security_session_get_size(
+			rte_cryptodev_get_sec_ctx(dev_id));
+
+	if (session_size < security_session_size)
+			session_size = security_session_size;
+#endif
 	/*
-	 * Create mempool with maximum number of sessions * 2,
-	 * to include the session headers
+	 * Create mempool with maximum number of sessions.
 	 */
 	if (info.sym.max_nb_sessions != 0 &&
 			info.sym.max_nb_sessions < MAX_NB_SESSIONS) {
@@ -7219,7 +7225,8 @@ test_pdcp_proto(int i, int oop,
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx,
-				&sess_conf, ts_params->session_priv_mpool);
+				&sess_conf, ts_params->session_mpool,
+				ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
 		printf("TestCase %s()-%d line %d failed %s: ",
@@ -7479,7 +7486,8 @@ test_pdcp_proto_SGL(int i, int oop,
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx,
-				&sess_conf, ts_params->session_priv_mpool);
+				&sess_conf, ts_params->session_mpool,
+				ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
 		printf("TestCase %s()-%d line %d failed %s: ",
@@ -7836,6 +7844,7 @@ test_docsis_proto_uplink(int i, struct docsis_test_data *d_td)
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+					ts_params->session_mpool,
 					ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
@@ -8011,6 +8020,7 @@ test_docsis_proto_downlink(int i, struct docsis_test_data *d_td)
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+					ts_params->session_mpool,
 					ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
index 79d00d7e0..9ad07a179 100644
--- a/app/test/test_ipsec.c
+++ b/app/test/test_ipsec.c
@@ -632,7 +632,8 @@ create_dummy_sec_session(struct ipsec_unitest_params *ut,
 	static struct rte_security_session_conf conf;
 
 	ut->ss[j].security.ses = rte_security_session_create(&dummy_sec_ctx,
-					&conf, qp->mp_session_private);
+					&conf, qp->mp_session,
+					qp->mp_session_private);
 
 	if (ut->ss[j].security.ses == NULL)
 		return -ENOMEM;
diff --git a/app/test/test_security.c b/app/test/test_security.c
index 77fd5adc6..bf6a3e9de 100644
--- a/app/test/test_security.c
+++ b/app/test/test_security.c
@@ -237,24 +237,25 @@ static struct mock_session_create_data {
 	struct rte_security_session_conf *conf;
 	struct rte_security_session *sess;
 	struct rte_mempool *mp;
+	struct rte_mempool *priv_mp;
 
 	int ret;
 
 	int called;
 	int failed;
-} mock_session_create_exp = {NULL, NULL, NULL, NULL, 0, 0, 0};
+} mock_session_create_exp = {NULL, NULL, NULL, NULL, NULL, 0, 0, 0};
 
 static int
 mock_session_create(void *device,
 		struct rte_security_session_conf *conf,
 		struct rte_security_session *sess,
-		struct rte_mempool *mp)
+		struct rte_mempool *priv_mp)
 {
 	mock_session_create_exp.called++;
 
 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, device);
 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, conf);
-	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, mp);
+	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, priv_mp);
 
 	mock_session_create_exp.sess = sess;
 
@@ -502,6 +503,7 @@ struct rte_security_ops mock_ops = {
  */
 static struct security_testsuite_params {
 	struct rte_mempool *session_mpool;
+	struct rte_mempool *session_priv_mpool;
 } testsuite_params = { NULL };
 
 /**
@@ -524,7 +526,8 @@ static struct security_unittest_params {
 	.sess = NULL,
 };
 
-#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestsMempoolName"
+#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestMp"
+#define SECURITY_TEST_PRIV_MEMPOOL_NAME "SecurityTestPrivMp"
 #define SECURITY_TEST_MEMPOOL_SIZE 15
 #define SECURITY_TEST_SESSION_OBJECT_SIZE sizeof(struct rte_security_session)
 
@@ -545,6 +548,22 @@ testsuite_setup(void)
 			SOCKET_ID_ANY, 0);
 	TEST_ASSERT_NOT_NULL(ts_params->session_mpool,
 			"Cannot create mempool %s\n", rte_strerror(rte_errno));
+
+	ts_params->session_priv_mpool = rte_mempool_create(
+			SECURITY_TEST_PRIV_MEMPOOL_NAME,
+			SECURITY_TEST_MEMPOOL_SIZE,
+			rte_security_session_get_size(&unittest_params.ctx),
+			0, 0, NULL, NULL, NULL, NULL,
+			SOCKET_ID_ANY, 0);
+	if (ts_params->session_priv_mpool == NULL) {
+		printf("TestCase %s() line %d failed (null): "
+				"Cannot create priv mempool %s\n",
+				__func__, __LINE__, rte_strerror(rte_errno));
+		rte_mempool_free(ts_params->session_mpool);
+		ts_params->session_mpool = NULL;
+		return TEST_FAILED;
+	}
+
 	return TEST_SUCCESS;
 }
 
@@ -559,6 +578,10 @@ testsuite_teardown(void)
 		rte_mempool_free(ts_params->session_mpool);
 		ts_params->session_mpool = NULL;
 	}
+	if (ts_params->session_priv_mpool) {
+		rte_mempool_free(ts_params->session_priv_mpool);
+		ts_params->session_priv_mpool = NULL;
+	}
 }
 
 /**
@@ -659,7 +682,8 @@ ut_setup_with_session(void)
 	mock_session_create_exp.ret = 0;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
 			sess);
 	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
@@ -701,7 +725,8 @@ test_session_create_inv_context(void)
 	struct rte_security_session *sess;
 
 	sess = rte_security_session_create(NULL, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
@@ -725,7 +750,8 @@ test_session_create_inv_context_ops(void)
 	ut_params->ctx.ops = NULL;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
@@ -749,7 +775,8 @@ test_session_create_inv_context_ops_fun(void)
 	ut_params->ctx.ops = &empty_ops;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
@@ -770,7 +797,8 @@ test_session_create_inv_configuration(void)
 	struct rte_security_session *sess;
 
 	sess = rte_security_session_create(&ut_params->ctx, NULL,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
@@ -781,7 +809,7 @@ test_session_create_inv_configuration(void)
 }
 
 /**
- * Test execution of rte_security_session_create with NULL mp parameter
+ * Test execution of rte_security_session_create with NULL mempools
  */
 static int
 test_session_create_inv_mempool(void)
@@ -790,7 +818,7 @@ test_session_create_inv_mempool(void)
 	struct rte_security_session *sess;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			NULL);
+			NULL, NULL);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
@@ -824,7 +852,8 @@ test_session_create_mempool_empty(void)
 	TEST_ASSERT_MEMPOOL_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
@@ -853,10 +882,12 @@ test_session_create_ops_failure(void)
 	mock_session_create_exp.device = NULL;
 	mock_session_create_exp.conf = &ut_params->conf;
 	mock_session_create_exp.mp = ts_params->session_mpool;
+	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
 	mock_session_create_exp.ret = -1;	/* Return failure status. */
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 1);
@@ -879,10 +910,12 @@ test_session_create_success(void)
 	mock_session_create_exp.device = NULL;
 	mock_session_create_exp.conf = &ut_params->conf;
 	mock_session_create_exp.mp = ts_params->session_mpool;
+	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
 	mock_session_create_exp.ret = 0;	/* Return success status. */
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
 			sess);
 	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 127da2e4f..fdb469d5f 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -533,8 +533,12 @@ and this allows further acceleration of the offload of Crypto workloads.
 
 The Security framework provides APIs to create and free sessions for crypto/ethernet
 devices, where sessions are mempool objects. It is the application's responsibility
-to create and manage the session mempools. The mempool object size should be able to
-accommodate the driver's private data of security session.
+to create and manage two session mempools - one for session and other for session
+private data. The private session data mempool object size should be able to
+accommodate the driver's private data of security session. The application can get
+the size of session private data using API ``rte_security_session_get_size``.
+And the session mempool object size should be enough to accomodate
+``rte_security_session``.
 
 Once the session mempools have been created, ``rte_security_session_create()``
 is used to allocate and initialize a session for the required crypto/ethernet device.
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 52f413e21..d956a76e7 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -164,13 +164,6 @@ Deprecation Notices
   following the IPv6 header, as proposed in RFC
   https://mails.dpdk.org/archives/dev/2020-August/177257.html.
 
-* security: The API ``rte_security_session_create`` takes only single mempool
-  for session and session private data. So the application need to create
-  mempool for twice the number of sessions needed and will also lead to
-  wastage of memory as session private data need more memory compared to session.
-  Hence the API will be modified to take two mempool pointers - one for session
-  and one for private data.
-
 * cryptodev: ``RTE_CRYPTO_AEAD_LIST_END`` from ``enum rte_crypto_aead_algorithm``,
   ``RTE_CRYPTO_CIPHER_LIST_END`` from ``enum rte_crypto_cipher_algorithm`` and
   ``RTE_CRYPTO_AUTH_LIST_END`` from ``enum rte_crypto_auth_algorithm``
diff --git a/doc/guides/rel_notes/release_20_11.rst b/doc/guides/rel_notes/release_20_11.rst
index c34ab5493..68b82ae4e 100644
--- a/doc/guides/rel_notes/release_20_11.rst
+++ b/doc/guides/rel_notes/release_20_11.rst
@@ -307,6 +307,12 @@ API Changes
   ``rte_fpga_lte_fec_configure`` and structure ``fpga_lte_fec_conf`` to
   ``rte_fpga_lte_fec_conf``.
 
+* security: The API ``rte_security_session_create`` is updated to take two
+  mempool objects one for session and other for session private data.
+  So the application need to create two mempools and get the size of session
+  private data using API ``rte_security_session_get_size`` for private session
+  mempool.
+
 
 ABI Changes
 -----------
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 60132c4bd..2326089bb 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -2348,12 +2348,8 @@ session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t sess_sz)
 
 	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
 			"sess_mp_%u", socket_id);
-	/*
-	 * Doubled due to rte_security_session_create() uses one mempool for
-	 * session and for session private data.
-	 */
 	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
-		rte_lcore_count()) * 2;
+		rte_lcore_count());
 	sess_mp = rte_cryptodev_sym_session_pool_create(
 			mp_name, nb_sess, sess_sz, CDEV_MP_CACHE_SZ, 0,
 			socket_id);
@@ -2376,12 +2372,8 @@ session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id,
 
 	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
 			"sess_mp_priv_%u", socket_id);
-	/*
-	 * Doubled due to rte_security_session_create() uses one mempool for
-	 * session and for session private data.
-	 */
 	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
-		rte_lcore_count()) * 2;
+		rte_lcore_count());
 	sess_mp = rte_mempool_create(mp_name,
 			nb_sess,
 			sess_sz,
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 01faa7ac7..6baeeb342 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -117,7 +117,8 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
 			set_ipsec_conf(sa, &(sess_conf.ipsec));
 
 			ips->security.ses = rte_security_session_create(ctx,
-					&sess_conf, ipsec_ctx->session_priv_pool);
+					&sess_conf, ipsec_ctx->session_pool,
+					ipsec_ctx->session_priv_pool);
 			if (ips->security.ses == NULL) {
 				RTE_LOG(ERR, IPSEC,
 				"SEC Session init failed: err: %d\n", ret);
@@ -198,7 +199,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
 		}
 
 		ips->security.ses = rte_security_session_create(sec_ctx,
-				&sess_conf, skt_ctx->session_pool);
+				&sess_conf, skt_ctx->session_pool,
+				skt_ctx->session_priv_pool);
 		if (ips->security.ses == NULL) {
 			RTE_LOG(ERR, IPSEC,
 				"SEC Session init failed: err: %d\n", ret);
@@ -378,7 +380,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
 		sess_conf.userdata = (void *) sa;
 
 		ips->security.ses = rte_security_session_create(sec_ctx,
-					&sess_conf, skt_ctx->session_pool);
+					&sess_conf, skt_ctx->session_pool,
+					skt_ctx->session_priv_pool);
 		if (ips->security.ses == NULL) {
 			RTE_LOG(ERR, IPSEC,
 				"SEC Session init failed: err: %d\n", ret);
diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
index 515c29e04..ee4666026 100644
--- a/lib/librte_security/rte_security.c
+++ b/lib/librte_security/rte_security.c
@@ -26,18 +26,21 @@
 struct rte_security_session *
 rte_security_session_create(struct rte_security_ctx *instance,
 			    struct rte_security_session_conf *conf,
-			    struct rte_mempool *mp)
+			    struct rte_mempool *mp,
+			    struct rte_mempool *priv_mp)
 {
 	struct rte_security_session *sess = NULL;
 
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_create, NULL, NULL);
 	RTE_PTR_OR_ERR_RET(conf, NULL);
 	RTE_PTR_OR_ERR_RET(mp, NULL);
+	RTE_PTR_OR_ERR_RET(priv_mp, NULL);
 
 	if (rte_mempool_get(mp, (void **)&sess))
 		return NULL;
 
-	if (instance->ops->session_create(instance->device, conf, sess, mp)) {
+	if (instance->ops->session_create(instance->device, conf,
+				sess, priv_mp)) {
 		rte_mempool_put(mp, (void *)sess);
 		return NULL;
 	}
diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index 16839e539..1710cdd6a 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -386,6 +386,7 @@ struct rte_security_session {
  * @param   instance	security instance
  * @param   conf	session configuration parameters
  * @param   mp		mempool to allocate session objects from
+ * @param   priv_mp	mempool to allocate session private data objects from
  * @return
  *  - On success, pointer to session
  *  - On failure, NULL
@@ -393,7 +394,8 @@ struct rte_security_session {
 struct rte_security_session *
 rte_security_session_create(struct rte_security_ctx *instance,
 			    struct rte_security_session_conf *conf,
-			    struct rte_mempool *mp);
+			    struct rte_mempool *mp,
+			    struct rte_mempool *priv_mp);
 
 /**
  * Update security session as specified by the session configuration
-- 
2.17.1


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH v2] security: update session create API
  2020-10-10 22:11   ` [dpdk-dev] [PATCH v2] " Akhil Goyal
@ 2020-10-12 17:46     ` Akhil Goyal
  2020-10-13  2:12     ` Lukasz Wojciechowski
  2020-10-14 18:56     ` [dpdk-dev] [PATCH v3] " Akhil Goyal
  2 siblings, 0 replies; 21+ messages in thread
From: Akhil Goyal @ 2020-10-12 17:46 UTC (permalink / raw)
  To: dev, david.coyle, l.wojciechow
  Cc: thomas, mdr, anoobj, Hemant Agrawal, konstantin.ananyev,
	declan.doherty, radu.nicolau

> 
> The API ``rte_security_session_create`` takes only single
> mempool for session and session private data. So the
> application need to create mempool for twice the number of
> sessions needed and will also lead to wastage of memory as
> session private data need more memory compared to session.
> Hence the API is modified to take two mempool pointers
> - one for session and one for private data.
> This is very similar to crypto based session create APIs.
> 
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> ---
> 
> Changes in V2:
> incorporated comments from Lukasz and David.
> 
Hi Lukasz/David,

If no further comments, could you please ack the patch?

Thanks,
Akhil

^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH v2] security: update session create API
  2020-10-10 22:11   ` [dpdk-dev] [PATCH v2] " Akhil Goyal
  2020-10-12 17:46     ` Akhil Goyal
@ 2020-10-13  2:12     ` Lukasz Wojciechowski
  2020-10-14 19:00       ` Akhil Goyal
  2020-10-14 18:56     ` [dpdk-dev] [PATCH v3] " Akhil Goyal
  2 siblings, 1 reply; 21+ messages in thread
From: Lukasz Wojciechowski @ 2020-10-13  2:12 UTC (permalink / raw)
  To: Akhil Goyal, dev
  Cc: thomas, mdr, anoobj, hemant.agrawal, konstantin.ananyev,
	declan.doherty, radu.nicolau, david.coyle,
	\"'Lukasz Wojciechowski'\",

Hi Akhil,

comments inline

W dniu 11.10.2020 o 00:11, Akhil Goyal pisze:
> The API ``rte_security_session_create`` takes only single
> mempool for session and session private data. So the
> application need to create mempool for twice the number of
> sessions needed and will also lead to wastage of memory as
> session private data need more memory compared to session.
> Hence the API is modified to take two mempool pointers
> - one for session and one for private data.
> This is very similar to crypto based session create APIs.
>
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> ---
>
> Changes in V2:
> incorporated comments from Lukasz and David.
>
>   app/test-crypto-perf/cperf_ops.c       |  4 +-
>   app/test-crypto-perf/main.c            | 12 +++--
>   app/test/test_cryptodev.c              | 18 ++++++--
>   app/test/test_ipsec.c                  |  3 +-
>   app/test/test_security.c               | 61 ++++++++++++++++++++------
>   doc/guides/prog_guide/rte_security.rst |  8 +++-
>   doc/guides/rel_notes/deprecation.rst   |  7 ---
>   doc/guides/rel_notes/release_20_11.rst |  6 +++
>   examples/ipsec-secgw/ipsec-secgw.c     | 12 +----
>   examples/ipsec-secgw/ipsec.c           |  9 ++--
>   lib/librte_security/rte_security.c     |  7 ++-
>   lib/librte_security/rte_security.h     |  4 +-
>   12 files changed, 102 insertions(+), 49 deletions(-)
>
> diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c
> index 3da835a9c..3a64a2c34 100644
> --- a/app/test-crypto-perf/cperf_ops.c
> +++ b/app/test-crypto-perf/cperf_ops.c
> @@ -621,7 +621,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
>   
>   		/* Create security session */
>   		return (void *)rte_security_session_create(ctx,
> -					&sess_conf, sess_mp);
> +					&sess_conf, sess_mp, priv_mp);
>   	}
>   	if (options->op_type == CPERF_DOCSIS) {
>   		enum rte_security_docsis_direction direction;
> @@ -664,7 +664,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
>   
>   		/* Create security session */
>   		return (void *)rte_security_session_create(ctx,
> -					&sess_conf, priv_mp);
> +					&sess_conf, sess_mp, priv_mp);
>   	}
>   #endif
>   	sess = rte_cryptodev_sym_session_create(sess_mp);
> diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
> index 62ae6048b..53864ffdd 100644
> --- a/app/test-crypto-perf/main.c
> +++ b/app/test-crypto-perf/main.c
> @@ -156,7 +156,14 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
>   		if (sess_size > max_sess_size)
>   			max_sess_size = sess_size;
>   	}
> -
> +#ifdef RTE_LIBRTE_SECURITY
> +	for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {
> +		sess_size = rte_security_session_get_size(
> +				rte_cryptodev_get_sec_ctx(cdev_id));
> +		if (sess_size > max_sess_size)
> +			max_sess_size = sess_size;
> +	}
> +#endif
>   	/*
>   	 * Calculate number of needed queue pairs, based on the amount
>   	 * of available number of logical cores and crypto devices.
> @@ -247,8 +254,7 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
>   				opts->nb_qps * nb_slaves;
>   #endif
>   		} else
> -			sessions_needed = enabled_cdev_count *
> -						opts->nb_qps * 2;
> +			sessions_needed = enabled_cdev_count * opts->nb_qps;
>   
>   		/*
>   		 * A single session is required per queue pair
> diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
> index ac2a36bc2..4bd9d8aff 100644
> --- a/app/test/test_cryptodev.c
> +++ b/app/test/test_cryptodev.c
> @@ -553,9 +553,15 @@ testsuite_setup(void)
>   	unsigned int session_size =
>   		rte_cryptodev_sym_get_private_session_size(dev_id);
>   
> +#ifdef RTE_LIBRTE_SECURITY
> +	unsigned int security_session_size = rte_security_session_get_size(
> +			rte_cryptodev_get_sec_ctx(dev_id));
> +
> +	if (session_size < security_session_size)
> +			session_size = security_session_size;
> +#endif
>   	/*
> -	 * Create mempool with maximum number of sessions * 2,
> -	 * to include the session headers
> +	 * Create mempool with maximum number of sessions.
>   	 */
>   	if (info.sym.max_nb_sessions != 0 &&
>   			info.sym.max_nb_sessions < MAX_NB_SESSIONS) {
> @@ -7219,7 +7225,8 @@ test_pdcp_proto(int i, int oop,
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx,
> -				&sess_conf, ts_params->session_priv_mpool);
> +				&sess_conf, ts_params->session_mpool,
> +				ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
>   		printf("TestCase %s()-%d line %d failed %s: ",
> @@ -7479,7 +7486,8 @@ test_pdcp_proto_SGL(int i, int oop,
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx,
> -				&sess_conf, ts_params->session_priv_mpool);
> +				&sess_conf, ts_params->session_mpool,
> +				ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
>   		printf("TestCase %s()-%d line %d failed %s: ",
> @@ -7836,6 +7844,7 @@ test_docsis_proto_uplink(int i, struct docsis_test_data *d_td)
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
> +					ts_params->session_mpool,
>   					ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
> @@ -8011,6 +8020,7 @@ test_docsis_proto_downlink(int i, struct docsis_test_data *d_td)
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
> +					ts_params->session_mpool,
>   					ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
> diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
> index 79d00d7e0..9ad07a179 100644
> --- a/app/test/test_ipsec.c
> +++ b/app/test/test_ipsec.c
> @@ -632,7 +632,8 @@ create_dummy_sec_session(struct ipsec_unitest_params *ut,
>   	static struct rte_security_session_conf conf;
>   
>   	ut->ss[j].security.ses = rte_security_session_create(&dummy_sec_ctx,
> -					&conf, qp->mp_session_private);
> +					&conf, qp->mp_session,
> +					qp->mp_session_private);
>   
>   	if (ut->ss[j].security.ses == NULL)
>   		return -ENOMEM;
> diff --git a/app/test/test_security.c b/app/test/test_security.c
> index 77fd5adc6..bf6a3e9de 100644
> --- a/app/test/test_security.c
> +++ b/app/test/test_security.c
> @@ -237,24 +237,25 @@ static struct mock_session_create_data {
>   	struct rte_security_session_conf *conf;
>   	struct rte_security_session *sess;
>   	struct rte_mempool *mp;
> +	struct rte_mempool *priv_mp;
>   
>   	int ret;
>   
>   	int called;
>   	int failed;
> -} mock_session_create_exp = {NULL, NULL, NULL, NULL, 0, 0, 0};
> +} mock_session_create_exp = {NULL, NULL, NULL, NULL, NULL, 0, 0, 0};
>   
>   static int
>   mock_session_create(void *device,
>   		struct rte_security_session_conf *conf,
>   		struct rte_security_session *sess,
> -		struct rte_mempool *mp)
> +		struct rte_mempool *priv_mp)
>   {
>   	mock_session_create_exp.called++;
>   
>   	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, device);
>   	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, conf);
> -	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, mp);
> +	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, priv_mp);
>   
>   	mock_session_create_exp.sess = sess;
>   
> @@ -502,6 +503,7 @@ struct rte_security_ops mock_ops = {
>    */
>   static struct security_testsuite_params {
>   	struct rte_mempool *session_mpool;
> +	struct rte_mempool *session_priv_mpool;
>   } testsuite_params = { NULL };
>   
>   /**
> @@ -524,7 +526,8 @@ static struct security_unittest_params {
>   	.sess = NULL,
>   };
>   
> -#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestsMempoolName"
> +#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestMp"
> +#define SECURITY_TEST_PRIV_MEMPOOL_NAME "SecurityTestPrivMp"
>   #define SECURITY_TEST_MEMPOOL_SIZE 15
>   #define SECURITY_TEST_SESSION_OBJECT_SIZE sizeof(struct rte_security_session)
>   
> @@ -545,6 +548,22 @@ testsuite_setup(void)
>   			SOCKET_ID_ANY, 0);
>   	TEST_ASSERT_NOT_NULL(ts_params->session_mpool,
>   			"Cannot create mempool %s\n", rte_strerror(rte_errno));
> +
> +	ts_params->session_priv_mpool = rte_mempool_create(
> +			SECURITY_TEST_PRIV_MEMPOOL_NAME,
> +			SECURITY_TEST_MEMPOOL_SIZE,
> +			rte_security_session_get_size(&unittest_params.ctx),
Call to rte_security_session_get_size() will cause a mockup function 
mock_session_get_size() to be called, which will return 0.
Why do you call this function instead of defining some value for private 
mempool element size?
> +			0, 0, NULL, NULL, NULL, NULL,
> +			SOCKET_ID_ANY, 0);
> +	if (ts_params->session_priv_mpool == NULL) {
> +		printf("TestCase %s() line %d failed (null): "
> +				"Cannot create priv mempool %s\n",
> +				__func__, __LINE__, rte_strerror(rte_errno));
Instead of printf() use RTE_LOG(ERR, EAL,...). All other messages are 
printed this way. It allows control of error messages if required.
> +		rte_mempool_free(ts_params->session_mpool);
> +		ts_params->session_mpool = NULL;
> +		return TEST_FAILED;
> +	}
> +
>   	return TEST_SUCCESS;
>   }
>   
> @@ -559,6 +578,10 @@ testsuite_teardown(void)
>   		rte_mempool_free(ts_params->session_mpool);
>   		ts_params->session_mpool = NULL;
>   	}
> +	if (ts_params->session_priv_mpool) {
> +		rte_mempool_free(ts_params->session_priv_mpool);
> +		ts_params->session_priv_mpool = NULL;
> +	}
>   }
>   
>   /**
> @@ -659,7 +682,8 @@ ut_setup_with_session(void)
>   	mock_session_create_exp.ret = 0;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
>   			sess);
>   	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
> @@ -701,7 +725,8 @@ test_session_create_inv_context(void)
>   	struct rte_security_session *sess;
>   
>   	sess = rte_security_session_create(NULL, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> @@ -725,7 +750,8 @@ test_session_create_inv_context_ops(void)
>   	ut_params->ctx.ops = NULL;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> @@ -749,7 +775,8 @@ test_session_create_inv_context_ops_fun(void)
>   	ut_params->ctx.ops = &empty_ops;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> @@ -770,7 +797,8 @@ test_session_create_inv_configuration(void)
>   	struct rte_security_session *sess;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, NULL,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> @@ -781,7 +809,7 @@ test_session_create_inv_configuration(void)
>   }
>   
>   /**
> - * Test execution of rte_security_session_create with NULL mp parameter
> + * Test execution of rte_security_session_create with NULL mempools
>    */
>   static int
>   test_session_create_inv_mempool(void)
> @@ -790,7 +818,7 @@ test_session_create_inv_mempool(void)
>   	struct rte_security_session *sess;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			NULL);
> +			NULL, NULL);
It would be best to add a new testcase for verification of passing NULL 
private mempool.
If you pass NULL as the primary mempool as in this testcase, the 
verification of priv mempool (rte_securitry.c:37) won't ever happen 
because rte_security_session_create() will return in line 36.
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> @@ -824,7 +852,8 @@ test_session_create_mempool_empty(void)
>   	TEST_ASSERT_MEMPOOL_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> @@ -853,10 +882,12 @@ test_session_create_ops_failure(void)
>   	mock_session_create_exp.device = NULL;
>   	mock_session_create_exp.conf = &ut_params->conf;
>   	mock_session_create_exp.mp = ts_params->session_mpool;
> +	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
>   	mock_session_create_exp.ret = -1;	/* Return failure status. */
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 1);
> @@ -879,10 +910,12 @@ test_session_create_success(void)
>   	mock_session_create_exp.device = NULL;
>   	mock_session_create_exp.conf = &ut_params->conf;
>   	mock_session_create_exp.mp = ts_params->session_mpool;
> +	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
>   	mock_session_create_exp.ret = 0;	/* Return success status. */
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
>   			sess);
>   	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
> diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
> index 127da2e4f..fdb469d5f 100644
> --- a/doc/guides/prog_guide/rte_security.rst
> +++ b/doc/guides/prog_guide/rte_security.rst
> @@ -533,8 +533,12 @@ and this allows further acceleration of the offload of Crypto workloads.
>   
>   The Security framework provides APIs to create and free sessions for crypto/ethernet
>   devices, where sessions are mempool objects. It is the application's responsibility
> -to create and manage the session mempools. The mempool object size should be able to
> -accommodate the driver's private data of security session.
> +to create and manage two session mempools - one for session and other for session
> +private data. The private session data mempool object size should be able to
> +accommodate the driver's private data of security session. The application can get
> +the size of session private data using API ``rte_security_session_get_size``.
> +And the session mempool object size should be enough to accomodate
> +``rte_security_session``.
>   
>   Once the session mempools have been created, ``rte_security_session_create()``
>   is used to allocate and initialize a session for the required crypto/ethernet device.
> diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
> index 52f413e21..d956a76e7 100644
> --- a/doc/guides/rel_notes/deprecation.rst
> +++ b/doc/guides/rel_notes/deprecation.rst
> @@ -164,13 +164,6 @@ Deprecation Notices
>     following the IPv6 header, as proposed in RFC
>     https://protect2.fireeye.com/v1/url?k=6c464261-31d8d98b-6c47c92e-0cc47a6cba04-7bff9381095a3baf&q=1&e=1d514a47-c7a4-4d29-b9af-8fe8863e27eb&u=https%3A%2F%2Fmails.dpdk.org%2Farchives%2Fdev%2F2020-August%2F177257.html.
>   
> -* security: The API ``rte_security_session_create`` takes only single mempool
> -  for session and session private data. So the application need to create
> -  mempool for twice the number of sessions needed and will also lead to
> -  wastage of memory as session private data need more memory compared to session.
> -  Hence the API will be modified to take two mempool pointers - one for session
> -  and one for private data.
> -
>   * cryptodev: ``RTE_CRYPTO_AEAD_LIST_END`` from ``enum rte_crypto_aead_algorithm``,
>     ``RTE_CRYPTO_CIPHER_LIST_END`` from ``enum rte_crypto_cipher_algorithm`` and
>     ``RTE_CRYPTO_AUTH_LIST_END`` from ``enum rte_crypto_auth_algorithm``
> diff --git a/doc/guides/rel_notes/release_20_11.rst b/doc/guides/rel_notes/release_20_11.rst
> index c34ab5493..68b82ae4e 100644
> --- a/doc/guides/rel_notes/release_20_11.rst
> +++ b/doc/guides/rel_notes/release_20_11.rst
> @@ -307,6 +307,12 @@ API Changes
>     ``rte_fpga_lte_fec_configure`` and structure ``fpga_lte_fec_conf`` to
>     ``rte_fpga_lte_fec_conf``.
>   
> +* security: The API ``rte_security_session_create`` is updated to take two
> +  mempool objects one for session and other for session private data.
> +  So the application need to create two mempools and get the size of session
> +  private data using API ``rte_security_session_get_size`` for private session
> +  mempool.
> +
>   
>   ABI Changes
>   -----------
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> index 60132c4bd..2326089bb 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -2348,12 +2348,8 @@ session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t sess_sz)
>   
>   	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
>   			"sess_mp_%u", socket_id);
> -	/*
> -	 * Doubled due to rte_security_session_create() uses one mempool for
> -	 * session and for session private data.
> -	 */
>   	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
> -		rte_lcore_count()) * 2;
> +		rte_lcore_count());
>   	sess_mp = rte_cryptodev_sym_session_pool_create(
>   			mp_name, nb_sess, sess_sz, CDEV_MP_CACHE_SZ, 0,
>   			socket_id);
> @@ -2376,12 +2372,8 @@ session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id,
>   
>   	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
>   			"sess_mp_priv_%u", socket_id);
> -	/*
> -	 * Doubled due to rte_security_session_create() uses one mempool for
> -	 * session and for session private data.
> -	 */
>   	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
> -		rte_lcore_count()) * 2;
> +		rte_lcore_count());
>   	sess_mp = rte_mempool_create(mp_name,
>   			nb_sess,
>   			sess_sz,
> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> index 01faa7ac7..6baeeb342 100644
> --- a/examples/ipsec-secgw/ipsec.c
> +++ b/examples/ipsec-secgw/ipsec.c
> @@ -117,7 +117,8 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
>   			set_ipsec_conf(sa, &(sess_conf.ipsec));
>   
>   			ips->security.ses = rte_security_session_create(ctx,
> -					&sess_conf, ipsec_ctx->session_priv_pool);
> +					&sess_conf, ipsec_ctx->session_pool,
> +					ipsec_ctx->session_priv_pool);
>   			if (ips->security.ses == NULL) {
>   				RTE_LOG(ERR, IPSEC,
>   				"SEC Session init failed: err: %d\n", ret);
> @@ -198,7 +199,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
>   		}
>   
>   		ips->security.ses = rte_security_session_create(sec_ctx,
> -				&sess_conf, skt_ctx->session_pool);
> +				&sess_conf, skt_ctx->session_pool,
> +				skt_ctx->session_priv_pool);
>   		if (ips->security.ses == NULL) {
>   			RTE_LOG(ERR, IPSEC,
>   				"SEC Session init failed: err: %d\n", ret);
> @@ -378,7 +380,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
>   		sess_conf.userdata = (void *) sa;
>   
>   		ips->security.ses = rte_security_session_create(sec_ctx,
> -					&sess_conf, skt_ctx->session_pool);
> +					&sess_conf, skt_ctx->session_pool,
> +					skt_ctx->session_priv_pool);
>   		if (ips->security.ses == NULL) {
>   			RTE_LOG(ERR, IPSEC,
>   				"SEC Session init failed: err: %d\n", ret);
> diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
> index 515c29e04..ee4666026 100644
> --- a/lib/librte_security/rte_security.c
> +++ b/lib/librte_security/rte_security.c
> @@ -26,18 +26,21 @@
>   struct rte_security_session *
>   rte_security_session_create(struct rte_security_ctx *instance,
>   			    struct rte_security_session_conf *conf,
> -			    struct rte_mempool *mp)
> +			    struct rte_mempool *mp,
> +			    struct rte_mempool *priv_mp)
>   {
>   	struct rte_security_session *sess = NULL;
>   
>   	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_create, NULL, NULL);
>   	RTE_PTR_OR_ERR_RET(conf, NULL);
>   	RTE_PTR_OR_ERR_RET(mp, NULL);
> +	RTE_PTR_OR_ERR_RET(priv_mp, NULL);
>   
>   	if (rte_mempool_get(mp, (void **)&sess))
>   		return NULL;
>   
> -	if (instance->ops->session_create(instance->device, conf, sess, mp)) {
> +	if (instance->ops->session_create(instance->device, conf,
> +				sess, priv_mp)) {
>   		rte_mempool_put(mp, (void *)sess);
>   		return NULL;
>   	}
> diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
> index 16839e539..1710cdd6a 100644
> --- a/lib/librte_security/rte_security.h
> +++ b/lib/librte_security/rte_security.h
> @@ -386,6 +386,7 @@ struct rte_security_session {
>    * @param   instance	security instance
>    * @param   conf	session configuration parameters
>    * @param   mp		mempool to allocate session objects from
> + * @param   priv_mp	mempool to allocate session private data objects from
>    * @return
>    *  - On success, pointer to session
>    *  - On failure, NULL
> @@ -393,7 +394,8 @@ struct rte_security_session {
>   struct rte_security_session *
>   rte_security_session_create(struct rte_security_ctx *instance,
>   			    struct rte_security_session_conf *conf,
> -			    struct rte_mempool *mp);
> +			    struct rte_mempool *mp,
> +			    struct rte_mempool *priv_mp);
>   
>   /**
>    * Update security session as specified by the session configuration

Best regards

Lukasz

-- 
Lukasz Wojciechowski
Principal Software Engineer

Samsung R&D Institute Poland
Samsung Electronics
Office +48 22 377 88 25
l.wojciechow@partner.samsung.com


^ permalink raw reply	[flat|nested] 21+ messages in thread

* [dpdk-dev] [PATCH v3] security: update session create API
  2020-10-10 22:11   ` [dpdk-dev] [PATCH v2] " Akhil Goyal
  2020-10-12 17:46     ` Akhil Goyal
  2020-10-13  2:12     ` Lukasz Wojciechowski
@ 2020-10-14 18:56     ` " Akhil Goyal
  2020-10-15  1:11       ` Lukasz Wojciechowski
  2020-10-17 11:50       ` [dpdk-dev] [PATCH v4] " Akhil Goyal
  2 siblings, 2 replies; 21+ messages in thread
From: Akhil Goyal @ 2020-10-14 18:56 UTC (permalink / raw)
  To: dev
  Cc: thomas, mdr, anoobj, hemant.agrawal, konstantin.ananyev,
	declan.doherty, radu.nicolau, david.coyle, l.wojciechow,
	Akhil Goyal

The API ``rte_security_session_create`` takes only single
mempool for session and session private data. So the
application need to create mempool for twice the number of
sessions needed and will also lead to wastage of memory as
session private data need more memory compared to session.
Hence the API is modified to take two mempool pointers
- one for session and one for private data.
This is very similar to crypto based session create APIs.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
---
Changes in v3:
fixed checkpatch issues.
Added new test in test_security.c for priv_mempool

Changes in V2:
incorporated comments from Lukasz and David.

 app/test-crypto-perf/cperf_ops.c       |   4 +-
 app/test-crypto-perf/main.c            |  12 +-
 app/test/test_cryptodev.c              |  18 ++-
 app/test/test_ipsec.c                  |   3 +-
 app/test/test_security.c               | 160 ++++++++++++++++++++++---
 doc/guides/prog_guide/rte_security.rst |   8 +-
 doc/guides/rel_notes/deprecation.rst   |   7 --
 doc/guides/rel_notes/release_20_11.rst |   6 +
 examples/ipsec-secgw/ipsec-secgw.c     |  12 +-
 examples/ipsec-secgw/ipsec.c           |   9 +-
 lib/librte_security/rte_security.c     |   7 +-
 lib/librte_security/rte_security.h     |   4 +-
 12 files changed, 196 insertions(+), 54 deletions(-)

diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c
index 3da835a9c..3a64a2c34 100644
--- a/app/test-crypto-perf/cperf_ops.c
+++ b/app/test-crypto-perf/cperf_ops.c
@@ -621,7 +621,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
 
 		/* Create security session */
 		return (void *)rte_security_session_create(ctx,
-					&sess_conf, sess_mp);
+					&sess_conf, sess_mp, priv_mp);
 	}
 	if (options->op_type == CPERF_DOCSIS) {
 		enum rte_security_docsis_direction direction;
@@ -664,7 +664,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
 
 		/* Create security session */
 		return (void *)rte_security_session_create(ctx,
-					&sess_conf, priv_mp);
+					&sess_conf, sess_mp, priv_mp);
 	}
 #endif
 	sess = rte_cryptodev_sym_session_create(sess_mp);
diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
index 62ae6048b..53864ffdd 100644
--- a/app/test-crypto-perf/main.c
+++ b/app/test-crypto-perf/main.c
@@ -156,7 +156,14 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
 		if (sess_size > max_sess_size)
 			max_sess_size = sess_size;
 	}
-
+#ifdef RTE_LIBRTE_SECURITY
+	for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {
+		sess_size = rte_security_session_get_size(
+				rte_cryptodev_get_sec_ctx(cdev_id));
+		if (sess_size > max_sess_size)
+			max_sess_size = sess_size;
+	}
+#endif
 	/*
 	 * Calculate number of needed queue pairs, based on the amount
 	 * of available number of logical cores and crypto devices.
@@ -247,8 +254,7 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
 				opts->nb_qps * nb_slaves;
 #endif
 		} else
-			sessions_needed = enabled_cdev_count *
-						opts->nb_qps * 2;
+			sessions_needed = enabled_cdev_count * opts->nb_qps;
 
 		/*
 		 * A single session is required per queue pair
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index c7975ed01..9f1b92c51 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -773,9 +773,15 @@ testsuite_setup(void)
 	unsigned int session_size =
 		rte_cryptodev_sym_get_private_session_size(dev_id);
 
+#ifdef RTE_LIBRTE_SECURITY
+	unsigned int security_session_size = rte_security_session_get_size(
+			rte_cryptodev_get_sec_ctx(dev_id));
+
+	if (session_size < security_session_size)
+		session_size = security_session_size;
+#endif
 	/*
-	 * Create mempool with maximum number of sessions * 2,
-	 * to include the session headers
+	 * Create mempool with maximum number of sessions.
 	 */
 	if (info.sym.max_nb_sessions != 0 &&
 			info.sym.max_nb_sessions < MAX_NB_SESSIONS) {
@@ -7751,7 +7757,8 @@ test_pdcp_proto(int i, int oop,
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx,
-				&sess_conf, ts_params->session_priv_mpool);
+				&sess_conf, ts_params->session_mpool,
+				ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
 		printf("TestCase %s()-%d line %d failed %s: ",
@@ -8011,7 +8018,8 @@ test_pdcp_proto_SGL(int i, int oop,
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx,
-				&sess_conf, ts_params->session_priv_mpool);
+				&sess_conf, ts_params->session_mpool,
+				ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
 		printf("TestCase %s()-%d line %d failed %s: ",
@@ -8368,6 +8376,7 @@ test_docsis_proto_uplink(int i, struct docsis_test_data *d_td)
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+					ts_params->session_mpool,
 					ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
@@ -8543,6 +8552,7 @@ test_docsis_proto_downlink(int i, struct docsis_test_data *d_td)
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+					ts_params->session_mpool,
 					ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
index 79d00d7e0..9ad07a179 100644
--- a/app/test/test_ipsec.c
+++ b/app/test/test_ipsec.c
@@ -632,7 +632,8 @@ create_dummy_sec_session(struct ipsec_unitest_params *ut,
 	static struct rte_security_session_conf conf;
 
 	ut->ss[j].security.ses = rte_security_session_create(&dummy_sec_ctx,
-					&conf, qp->mp_session_private);
+					&conf, qp->mp_session,
+					qp->mp_session_private);
 
 	if (ut->ss[j].security.ses == NULL)
 		return -ENOMEM;
diff --git a/app/test/test_security.c b/app/test/test_security.c
index 77fd5adc6..35ed6ff10 100644
--- a/app/test/test_security.c
+++ b/app/test/test_security.c
@@ -200,6 +200,24 @@
 			expected_mempool_usage, mempool_usage);		\
 } while (0)
 
+/**
+ * Verify usage of mempool by checking if number of allocated objects matches
+ * expectations. The mempool is used to manage objects for sessions priv data.
+ * A single object is acquired from mempool during session_create
+ * and put back in session_destroy.
+ *
+ * @param   expected_priv_mp_usage	expected number of used priv mp objects
+ */
+#define TEST_ASSERT_PRIV_MP_USAGE(expected_priv_mp_usage) do {		\
+	struct security_testsuite_params *ts_params = &testsuite_params;\
+	unsigned int priv_mp_usage;					\
+	priv_mp_usage = rte_mempool_in_use_count(			\
+			ts_params->session_priv_mpool);			\
+	TEST_ASSERT_EQUAL(expected_priv_mp_usage, priv_mp_usage,	\
+			"Expecting %u priv mempool allocations, "		\
+			"but there are %u allocated objects",		\
+			expected_priv_mp_usage, priv_mp_usage);		\
+} while (0)
 
 /**
  * Mockup structures and functions for rte_security_ops;
@@ -237,27 +255,38 @@ static struct mock_session_create_data {
 	struct rte_security_session_conf *conf;
 	struct rte_security_session *sess;
 	struct rte_mempool *mp;
+	struct rte_mempool *priv_mp;
 
 	int ret;
 
 	int called;
 	int failed;
-} mock_session_create_exp = {NULL, NULL, NULL, NULL, 0, 0, 0};
+} mock_session_create_exp = {NULL, NULL, NULL, NULL, NULL, 0, 0, 0};
 
 static int
 mock_session_create(void *device,
 		struct rte_security_session_conf *conf,
 		struct rte_security_session *sess,
-		struct rte_mempool *mp)
+		struct rte_mempool *priv_mp)
 {
+	void *sess_priv;
+	int ret;
+
 	mock_session_create_exp.called++;
 
 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, device);
 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, conf);
-	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, mp);
+	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, priv_mp);
+	ret = rte_mempool_get(priv_mp, &sess_priv);
+	TEST_ASSERT_EQUAL(0, ret,
+		"priv mempool does not have enough objects");
 
+	set_sec_session_private_data(sess, sess_priv);
 	mock_session_create_exp.sess = sess;
 
+	if (mock_session_create_exp.ret != 0)
+		rte_mempool_put(priv_mp, sess_priv);
+
 	return mock_session_create_exp.ret;
 }
 
@@ -363,8 +392,10 @@ static struct mock_session_destroy_data {
 static int
 mock_session_destroy(void *device, struct rte_security_session *sess)
 {
-	mock_session_destroy_exp.called++;
+	void *sess_priv = get_sec_session_private_data(sess);
 
+	mock_session_destroy_exp.called++;
+	rte_mempool_put(rte_mempool_from_obj(sess_priv), sess_priv);
 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_exp, device);
 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_exp, sess);
 
@@ -502,6 +533,7 @@ struct rte_security_ops mock_ops = {
  */
 static struct security_testsuite_params {
 	struct rte_mempool *session_mpool;
+	struct rte_mempool *session_priv_mpool;
 } testsuite_params = { NULL };
 
 /**
@@ -524,9 +556,11 @@ static struct security_unittest_params {
 	.sess = NULL,
 };
 
-#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestsMempoolName"
+#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestMp"
+#define SECURITY_TEST_PRIV_MEMPOOL_NAME "SecurityTestPrivMp"
 #define SECURITY_TEST_MEMPOOL_SIZE 15
-#define SECURITY_TEST_SESSION_OBJECT_SIZE sizeof(struct rte_security_session)
+#define SECURITY_TEST_SESSION_OBJ_SZ sizeof(struct rte_security_session)
+#define SECURITY_TEST_SESSION_PRIV_OBJ_SZ 64
 
 /**
  * testsuite_setup initializes whole test suite parameters.
@@ -540,11 +574,27 @@ testsuite_setup(void)
 	ts_params->session_mpool = rte_mempool_create(
 			SECURITY_TEST_MEMPOOL_NAME,
 			SECURITY_TEST_MEMPOOL_SIZE,
-			SECURITY_TEST_SESSION_OBJECT_SIZE,
+			SECURITY_TEST_SESSION_OBJ_SZ,
 			0, 0, NULL, NULL, NULL, NULL,
 			SOCKET_ID_ANY, 0);
 	TEST_ASSERT_NOT_NULL(ts_params->session_mpool,
 			"Cannot create mempool %s\n", rte_strerror(rte_errno));
+
+	ts_params->session_priv_mpool = rte_mempool_create(
+			SECURITY_TEST_PRIV_MEMPOOL_NAME,
+			SECURITY_TEST_MEMPOOL_SIZE,
+			SECURITY_TEST_SESSION_PRIV_OBJ_SZ,
+			0, 0, NULL, NULL, NULL, NULL,
+			SOCKET_ID_ANY, 0);
+	if (ts_params->session_priv_mpool == NULL) {
+		RTE_LOG(ERR, USER1, "TestCase %s() line %d failed (null): "
+				"Cannot create priv mempool %s\n",
+				__func__, __LINE__, rte_strerror(rte_errno));
+		rte_mempool_free(ts_params->session_mpool);
+		ts_params->session_mpool = NULL;
+		return TEST_FAILED;
+	}
+
 	return TEST_SUCCESS;
 }
 
@@ -559,6 +609,10 @@ testsuite_teardown(void)
 		rte_mempool_free(ts_params->session_mpool);
 		ts_params->session_mpool = NULL;
 	}
+	if (ts_params->session_priv_mpool) {
+		rte_mempool_free(ts_params->session_priv_mpool);
+		ts_params->session_priv_mpool = NULL;
+	}
 }
 
 /**
@@ -656,10 +710,12 @@ ut_setup_with_session(void)
 	mock_session_create_exp.device = NULL;
 	mock_session_create_exp.conf = &ut_params->conf;
 	mock_session_create_exp.mp = ts_params->session_mpool;
+	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
 	mock_session_create_exp.ret = 0;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
 			sess);
 	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
@@ -701,11 +757,13 @@ test_session_create_inv_context(void)
 	struct rte_security_session *sess;
 
 	sess = rte_security_session_create(NULL, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
@@ -725,11 +783,13 @@ test_session_create_inv_context_ops(void)
 	ut_params->ctx.ops = NULL;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
@@ -749,11 +809,13 @@ test_session_create_inv_context_ops_fun(void)
 	ut_params->ctx.ops = &empty_ops;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
@@ -770,18 +832,21 @@ test_session_create_inv_configuration(void)
 	struct rte_security_session *sess;
 
 	sess = rte_security_session_create(&ut_params->ctx, NULL,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
 }
 
 /**
- * Test execution of rte_security_session_create with NULL mp parameter
+ * Test execution of rte_security_session_create with NULL session
+ * mempool
  */
 static int
 test_session_create_inv_mempool(void)
@@ -790,11 +855,35 @@ test_session_create_inv_mempool(void)
 	struct rte_security_session *sess;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			NULL);
+			NULL, NULL);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
+	TEST_ASSERT_SESSION_COUNT(0);
+
+	return TEST_SUCCESS;
+}
+
+/**
+ * Test execution of rte_security_session_create with NULL session
+ * priv mempool
+ */
+static int
+test_session_create_inv_sess_priv_mempool(void)
+{
+	struct security_unittest_params *ut_params = &unittest_params;
+	struct security_testsuite_params *ts_params = &testsuite_params;
+	struct rte_security_session *sess;
+
+	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
+			ts_params->session_mpool, NULL);
+	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
+			sess, NULL, "%p");
+	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
+	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
@@ -810,6 +899,7 @@ test_session_create_mempool_empty(void)
 	struct security_testsuite_params *ts_params = &testsuite_params;
 	struct security_unittest_params *ut_params = &unittest_params;
 	struct rte_security_session *tmp[SECURITY_TEST_MEMPOOL_SIZE];
+	void *tmp1[SECURITY_TEST_MEMPOOL_SIZE];
 	struct rte_security_session *sess;
 
 	/* Get all available objects from mempool. */
@@ -820,21 +910,34 @@ test_session_create_mempool_empty(void)
 		TEST_ASSERT_EQUAL(0, ret,
 				"Expect getting %d object from mempool"
 				" to succeed", i);
+		ret = rte_mempool_get(ts_params->session_priv_mpool,
+				(void **)(&tmp1[i]));
+		TEST_ASSERT_EQUAL(0, ret,
+				"Expect getting %d object from priv mempool"
+				" to succeed", i);
 	}
 	TEST_ASSERT_MEMPOOL_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
+	TEST_ASSERT_PRIV_MP_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
+	TEST_ASSERT_PRIV_MP_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	/* Put objects back to the pool. */
-	for (i = 0; i < SECURITY_TEST_MEMPOOL_SIZE; ++i)
-		rte_mempool_put(ts_params->session_mpool, (void *)(tmp[i]));
+	for (i = 0; i < SECURITY_TEST_MEMPOOL_SIZE; ++i) {
+		rte_mempool_put(ts_params->session_mpool,
+				(void *)(tmp[i]));
+		rte_mempool_put(ts_params->session_priv_mpool,
+				(tmp1[i]));
+	}
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 
 	return TEST_SUCCESS;
 }
@@ -853,14 +956,17 @@ test_session_create_ops_failure(void)
 	mock_session_create_exp.device = NULL;
 	mock_session_create_exp.conf = &ut_params->conf;
 	mock_session_create_exp.mp = ts_params->session_mpool;
+	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
 	mock_session_create_exp.ret = -1;	/* Return failure status. */
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 1);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
@@ -879,10 +985,12 @@ test_session_create_success(void)
 	mock_session_create_exp.device = NULL;
 	mock_session_create_exp.conf = &ut_params->conf;
 	mock_session_create_exp.mp = ts_params->session_mpool;
+	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
 	mock_session_create_exp.ret = 0;	/* Return success status. */
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
 			sess);
 	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
@@ -891,6 +999,7 @@ test_session_create_success(void)
 			sess, mock_session_create_exp.sess);
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 1);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	/*
@@ -1276,6 +1385,7 @@ test_session_destroy_inv_context(void)
 	struct security_unittest_params *ut_params = &unittest_params;
 
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(NULL, ut_params->sess);
@@ -1283,6 +1393,7 @@ test_session_destroy_inv_context(void)
 			ret, -EINVAL, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	return TEST_SUCCESS;
@@ -1299,6 +1410,7 @@ test_session_destroy_inv_context_ops(void)
 	ut_params->ctx.ops = NULL;
 
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(&ut_params->ctx,
@@ -1307,6 +1419,7 @@ test_session_destroy_inv_context_ops(void)
 			ret, -EINVAL, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	return TEST_SUCCESS;
@@ -1323,6 +1436,7 @@ test_session_destroy_inv_context_ops_fun(void)
 	ut_params->ctx.ops = &empty_ops;
 
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(&ut_params->ctx,
@@ -1331,6 +1445,7 @@ test_session_destroy_inv_context_ops_fun(void)
 			ret, -ENOTSUP, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	return TEST_SUCCESS;
@@ -1345,6 +1460,7 @@ test_session_destroy_inv_session(void)
 	struct security_unittest_params *ut_params = &unittest_params;
 
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(&ut_params->ctx, NULL);
@@ -1352,6 +1468,7 @@ test_session_destroy_inv_session(void)
 			ret, -EINVAL, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	return TEST_SUCCESS;
@@ -1371,6 +1488,7 @@ test_session_destroy_ops_failure(void)
 	mock_session_destroy_exp.ret = -1;
 
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(&ut_params->ctx,
@@ -1396,6 +1514,7 @@ test_session_destroy_success(void)
 	mock_session_destroy_exp.sess = ut_params->sess;
 	mock_session_destroy_exp.ret = 0;
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(&ut_params->ctx,
@@ -1404,6 +1523,7 @@ test_session_destroy_success(void)
 			ret, 0, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 1);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	/*
@@ -2370,6 +2490,8 @@ static struct unit_test_suite security_testsuite  = {
 				test_session_create_inv_configuration),
 		TEST_CASE_ST(ut_setup, ut_teardown,
 				test_session_create_inv_mempool),
+		TEST_CASE_ST(ut_setup, ut_teardown,
+				test_session_create_inv_sess_priv_mempool),
 		TEST_CASE_ST(ut_setup, ut_teardown,
 				test_session_create_mempool_empty),
 		TEST_CASE_ST(ut_setup, ut_teardown,
diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 127da2e4f..d30a79576 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -533,8 +533,12 @@ and this allows further acceleration of the offload of Crypto workloads.
 
 The Security framework provides APIs to create and free sessions for crypto/ethernet
 devices, where sessions are mempool objects. It is the application's responsibility
-to create and manage the session mempools. The mempool object size should be able to
-accommodate the driver's private data of security session.
+to create and manage two session mempools - one for session and other for session
+private data. The private session data mempool object size should be able to
+accommodate the driver's private data of security session. The application can get
+the size of session private data using API ``rte_security_session_get_size``.
+And the session mempool object size should be enough to accommodate
+``rte_security_session``.
 
 Once the session mempools have been created, ``rte_security_session_create()``
 is used to allocate and initialize a session for the required crypto/ethernet device.
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 43cdd3c58..26be1b3de 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -164,13 +164,6 @@ Deprecation Notices
   following the IPv6 header, as proposed in RFC
   https://mails.dpdk.org/archives/dev/2020-August/177257.html.
 
-* security: The API ``rte_security_session_create`` takes only single mempool
-  for session and session private data. So the application need to create
-  mempool for twice the number of sessions needed and will also lead to
-  wastage of memory as session private data need more memory compared to session.
-  Hence the API will be modified to take two mempool pointers - one for session
-  and one for private data.
-
 * cryptodev: support for using IV with all sizes is added, J0 still can
   be used but only when IV length in following structs ``rte_crypto_auth_xform``,
   ``rte_crypto_aead_xform`` is set to zero. When IV length is greater or equal
diff --git a/doc/guides/rel_notes/release_20_11.rst b/doc/guides/rel_notes/release_20_11.rst
index f1b9b4dfe..0fb1b20cb 100644
--- a/doc/guides/rel_notes/release_20_11.rst
+++ b/doc/guides/rel_notes/release_20_11.rst
@@ -344,6 +344,12 @@ API Changes
 * The structure ``rte_crypto_sym_vec`` is updated to support both
   cpu_crypto synchrounous operation and asynchronous raw data-path APIs.
 
+* security: The API ``rte_security_session_create`` is updated to take two
+  mempool objects one for session and other for session private data.
+  So the application need to create two mempools and get the size of session
+  private data using API ``rte_security_session_get_size`` for private session
+  mempool.
+
 
 ABI Changes
 -----------
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 60132c4bd..2326089bb 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -2348,12 +2348,8 @@ session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t sess_sz)
 
 	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
 			"sess_mp_%u", socket_id);
-	/*
-	 * Doubled due to rte_security_session_create() uses one mempool for
-	 * session and for session private data.
-	 */
 	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
-		rte_lcore_count()) * 2;
+		rte_lcore_count());
 	sess_mp = rte_cryptodev_sym_session_pool_create(
 			mp_name, nb_sess, sess_sz, CDEV_MP_CACHE_SZ, 0,
 			socket_id);
@@ -2376,12 +2372,8 @@ session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id,
 
 	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
 			"sess_mp_priv_%u", socket_id);
-	/*
-	 * Doubled due to rte_security_session_create() uses one mempool for
-	 * session and for session private data.
-	 */
 	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
-		rte_lcore_count()) * 2;
+		rte_lcore_count());
 	sess_mp = rte_mempool_create(mp_name,
 			nb_sess,
 			sess_sz,
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 01faa7ac7..6baeeb342 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -117,7 +117,8 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
 			set_ipsec_conf(sa, &(sess_conf.ipsec));
 
 			ips->security.ses = rte_security_session_create(ctx,
-					&sess_conf, ipsec_ctx->session_priv_pool);
+					&sess_conf, ipsec_ctx->session_pool,
+					ipsec_ctx->session_priv_pool);
 			if (ips->security.ses == NULL) {
 				RTE_LOG(ERR, IPSEC,
 				"SEC Session init failed: err: %d\n", ret);
@@ -198,7 +199,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
 		}
 
 		ips->security.ses = rte_security_session_create(sec_ctx,
-				&sess_conf, skt_ctx->session_pool);
+				&sess_conf, skt_ctx->session_pool,
+				skt_ctx->session_priv_pool);
 		if (ips->security.ses == NULL) {
 			RTE_LOG(ERR, IPSEC,
 				"SEC Session init failed: err: %d\n", ret);
@@ -378,7 +380,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
 		sess_conf.userdata = (void *) sa;
 
 		ips->security.ses = rte_security_session_create(sec_ctx,
-					&sess_conf, skt_ctx->session_pool);
+					&sess_conf, skt_ctx->session_pool,
+					skt_ctx->session_priv_pool);
 		if (ips->security.ses == NULL) {
 			RTE_LOG(ERR, IPSEC,
 				"SEC Session init failed: err: %d\n", ret);
diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
index 515c29e04..ee4666026 100644
--- a/lib/librte_security/rte_security.c
+++ b/lib/librte_security/rte_security.c
@@ -26,18 +26,21 @@
 struct rte_security_session *
 rte_security_session_create(struct rte_security_ctx *instance,
 			    struct rte_security_session_conf *conf,
-			    struct rte_mempool *mp)
+			    struct rte_mempool *mp,
+			    struct rte_mempool *priv_mp)
 {
 	struct rte_security_session *sess = NULL;
 
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_create, NULL, NULL);
 	RTE_PTR_OR_ERR_RET(conf, NULL);
 	RTE_PTR_OR_ERR_RET(mp, NULL);
+	RTE_PTR_OR_ERR_RET(priv_mp, NULL);
 
 	if (rte_mempool_get(mp, (void **)&sess))
 		return NULL;
 
-	if (instance->ops->session_create(instance->device, conf, sess, mp)) {
+	if (instance->ops->session_create(instance->device, conf,
+				sess, priv_mp)) {
 		rte_mempool_put(mp, (void *)sess);
 		return NULL;
 	}
diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index 16839e539..1710cdd6a 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -386,6 +386,7 @@ struct rte_security_session {
  * @param   instance	security instance
  * @param   conf	session configuration parameters
  * @param   mp		mempool to allocate session objects from
+ * @param   priv_mp	mempool to allocate session private data objects from
  * @return
  *  - On success, pointer to session
  *  - On failure, NULL
@@ -393,7 +394,8 @@ struct rte_security_session {
 struct rte_security_session *
 rte_security_session_create(struct rte_security_ctx *instance,
 			    struct rte_security_session_conf *conf,
-			    struct rte_mempool *mp);
+			    struct rte_mempool *mp,
+			    struct rte_mempool *priv_mp);
 
 /**
  * Update security session as specified by the session configuration
-- 
2.17.1


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH v2] security: update session create API
  2020-10-13  2:12     ` Lukasz Wojciechowski
@ 2020-10-14 19:00       ` Akhil Goyal
  2020-10-15  1:14         ` Lukasz Wojciechowski
  0 siblings, 1 reply; 21+ messages in thread
From: Akhil Goyal @ 2020-10-14 19:00 UTC (permalink / raw)
  To: Lukasz Wojciechowski, dev
  Cc: thomas, mdr, anoobj, Hemant Agrawal, konstantin.ananyev,
	declan.doherty, radu.nicolau, david.coyle

Hi Lukasz,

> Hi Akhil,
> > -#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestsMempoolName"
> > +#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestMp"
> > +#define SECURITY_TEST_PRIV_MEMPOOL_NAME "SecurityTestPrivMp"
> >   #define SECURITY_TEST_MEMPOOL_SIZE 15
> >   #define SECURITY_TEST_SESSION_OBJECT_SIZE sizeof(struct
> rte_security_session)
> >
> > @@ -545,6 +548,22 @@ testsuite_setup(void)
> >   			SOCKET_ID_ANY, 0);
> >   	TEST_ASSERT_NOT_NULL(ts_params->session_mpool,
> >   			"Cannot create mempool %s\n",
> rte_strerror(rte_errno));
> > +
> > +	ts_params->session_priv_mpool = rte_mempool_create(
> > +			SECURITY_TEST_PRIV_MEMPOOL_NAME,
> > +			SECURITY_TEST_MEMPOOL_SIZE,
> > +			rte_security_session_get_size(&unittest_params.ctx),
> Call to rte_security_session_get_size() will cause a mockup function
> mock_session_get_size() to be called, which will return 0.
> Why do you call this function instead of defining some value for private
> mempool element size?

Fixed in v3

> > +			0, 0, NULL, NULL, NULL, NULL,
> > +			SOCKET_ID_ANY, 0);
> > +	if (ts_params->session_priv_mpool == NULL) {
> > +		printf("TestCase %s() line %d failed (null): "
> > +				"Cannot create priv mempool %s\n",
> > +				__func__, __LINE__, rte_strerror(rte_errno));
> Instead of printf() use RTE_LOG(ERR, EAL,...). All other messages are
> printed this way. It allows control of error messages if required.

Fixed in v3, should be USER1 instead of EAL though.

> > +		rte_mempool_free(ts_params->session_mpool);
> > +		ts_params->session_mpool = NULL;
> > +		return TEST_FAILED;
> > +	}
> > +
> >   	return TEST_SUCCESS;
> >   }
> >
> > @@ -559,6 +578,10 @@ testsuite_teardown(void)
> >   		rte_mempool_free(ts_params->session_mpool);
> >   		ts_params->session_mpool = NULL;
> >   	}
> > +	if (ts_params->session_priv_mpool) {
> > +		rte_mempool_free(ts_params->session_priv_mpool);
> > +		ts_params->session_priv_mpool = NULL;
> > +	}
> >   }
> >
> >   /**
> > @@ -659,7 +682,8 @@ ut_setup_with_session(void)
> >   	mock_session_create_exp.ret = 0;
> >
> >   	sess = rte_security_session_create(&ut_params->ctx, &ut_params-
> >conf,
> > -			ts_params->session_mpool);
> > +			ts_params->session_mpool,
> > +			ts_params->session_priv_mpool);
> >
> 	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_sessio
> n_create,
> >   			sess);
> >   	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
> > @@ -701,7 +725,8 @@ test_session_create_inv_context(void)
> >   	struct rte_security_session *sess;
> >
> >   	sess = rte_security_session_create(NULL, &ut_params->conf,
> > -			ts_params->session_mpool);
> > +			ts_params->session_mpool,
> > +			ts_params->session_priv_mpool);
> >
> 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_creat
> e,
> >   			sess, NULL, "%p");
> >   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> > @@ -725,7 +750,8 @@ test_session_create_inv_context_ops(void)
> >   	ut_params->ctx.ops = NULL;
> >
> >   	sess = rte_security_session_create(&ut_params->ctx, &ut_params-
> >conf,
> > -			ts_params->session_mpool);
> > +			ts_params->session_mpool,
> > +			ts_params->session_priv_mpool);
> >
> 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_creat
> e,
> >   			sess, NULL, "%p");
> >   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> > @@ -749,7 +775,8 @@ test_session_create_inv_context_ops_fun(void)
> >   	ut_params->ctx.ops = &empty_ops;
> >
> >   	sess = rte_security_session_create(&ut_params->ctx, &ut_params-
> >conf,
> > -			ts_params->session_mpool);
> > +			ts_params->session_mpool,
> > +			ts_params->session_priv_mpool);
> >
> 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_creat
> e,
> >   			sess, NULL, "%p");
> >   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> > @@ -770,7 +797,8 @@ test_session_create_inv_configuration(void)
> >   	struct rte_security_session *sess;
> >
> >   	sess = rte_security_session_create(&ut_params->ctx, NULL,
> > -			ts_params->session_mpool);
> > +			ts_params->session_mpool,
> > +			ts_params->session_priv_mpool);
> >
> 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_creat
> e,
> >   			sess, NULL, "%p");
> >   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> > @@ -781,7 +809,7 @@ test_session_create_inv_configuration(void)
> >   }
> >
> >   /**
> > - * Test execution of rte_security_session_create with NULL mp parameter
> > + * Test execution of rte_security_session_create with NULL mempools
> >    */
> >   static int
> >   test_session_create_inv_mempool(void)
> > @@ -790,7 +818,7 @@ test_session_create_inv_mempool(void)
> >   	struct rte_security_session *sess;
> >
> >   	sess = rte_security_session_create(&ut_params->ctx, &ut_params-
> >conf,
> > -			NULL);
> > +			NULL, NULL);
> It would be best to add a new testcase for verification of passing NULL
> private mempool.
> If you pass NULL as the primary mempool as in this testcase, the
> verification of priv mempool (rte_securitry.c:37) won't ever happen
> because rte_security_session_create() will return in line 36.

Added a new test. However that was really unnecessary and was an overkill
To add a new case for so many negative cases.

Please have a look at v3 and ack it if no further comments.

Regards,
Akhil


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH v3] security: update session create API
  2020-10-14 18:56     ` [dpdk-dev] [PATCH v3] " Akhil Goyal
@ 2020-10-15  1:11       ` Lukasz Wojciechowski
  2020-10-17 11:50       ` [dpdk-dev] [PATCH v4] " Akhil Goyal
  1 sibling, 0 replies; 21+ messages in thread
From: Lukasz Wojciechowski @ 2020-10-15  1:11 UTC (permalink / raw)
  To: Akhil Goyal, dev
  Cc: thomas, mdr, anoobj, hemant.agrawal, konstantin.ananyev,
	declan.doherty, radu.nicolau, david.coyle,
	\"'Lukasz Wojciechowski'\",

Hi Akhil,

thank you for responding to review and for v3.

You patch currently does not apply:
dpdk$ git apply v3-security-update-session-create-API.patch
error: patch failed: doc/guides/rel_notes/deprecation.rst:164
error: doc/guides/rel_notes/deprecation.rst: patch does not apply
error: patch failed: doc/guides/rel_notes/release_20_11.rst:344
error: doc/guides/rel_notes/release_20_11.rst: patch does not apply

and I'm sorry but there are still few things - see inline comments

W dniu 14.10.2020 o 20:56, Akhil Goyal pisze:
> The API ``rte_security_session_create`` takes only single
> mempool for session and session private data. So the
> application need to create mempool for twice the number of
> sessions needed and will also lead to wastage of memory as
> session private data need more memory compared to session.
> Hence the API is modified to take two mempool pointers
> - one for session and one for private data.
> This is very similar to crypto based session create APIs.
>
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> ---
> Changes in v3:
> fixed checkpatch issues.
> Added new test in test_security.c for priv_mempool
>
> Changes in V2:
> incorporated comments from Lukasz and David.
>
>   app/test-crypto-perf/cperf_ops.c       |   4 +-
>   app/test-crypto-perf/main.c            |  12 +-
>   app/test/test_cryptodev.c              |  18 ++-
>   app/test/test_ipsec.c                  |   3 +-
>   app/test/test_security.c               | 160 ++++++++++++++++++++++---
>   doc/guides/prog_guide/rte_security.rst |   8 +-
>   doc/guides/rel_notes/deprecation.rst   |   7 --
>   doc/guides/rel_notes/release_20_11.rst |   6 +
>   examples/ipsec-secgw/ipsec-secgw.c     |  12 +-
>   examples/ipsec-secgw/ipsec.c           |   9 +-
>   lib/librte_security/rte_security.c     |   7 +-
>   lib/librte_security/rte_security.h     |   4 +-
>   12 files changed, 196 insertions(+), 54 deletions(-)
>
> diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c
> index 3da835a9c..3a64a2c34 100644
> --- a/app/test-crypto-perf/cperf_ops.c
> +++ b/app/test-crypto-perf/cperf_ops.c
> @@ -621,7 +621,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
>   
>   		/* Create security session */
>   		return (void *)rte_security_session_create(ctx,
> -					&sess_conf, sess_mp);
> +					&sess_conf, sess_mp, priv_mp);
>   	}
>   	if (options->op_type == CPERF_DOCSIS) {
>   		enum rte_security_docsis_direction direction;
> @@ -664,7 +664,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
>   
>   		/* Create security session */
>   		return (void *)rte_security_session_create(ctx,
> -					&sess_conf, priv_mp);
> +					&sess_conf, sess_mp, priv_mp);
>   	}
>   #endif
>   	sess = rte_cryptodev_sym_session_create(sess_mp);
> diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
> index 62ae6048b..53864ffdd 100644
> --- a/app/test-crypto-perf/main.c
> +++ b/app/test-crypto-perf/main.c
> @@ -156,7 +156,14 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
>   		if (sess_size > max_sess_size)
>   			max_sess_size = sess_size;
>   	}
> -
> +#ifdef RTE_LIBRTE_SECURITY
> +	for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {
> +		sess_size = rte_security_session_get_size(
> +				rte_cryptodev_get_sec_ctx(cdev_id));
> +		if (sess_size > max_sess_size)
> +			max_sess_size = sess_size;
> +	}
> +#endif
>   	/*
>   	 * Calculate number of needed queue pairs, based on the amount
>   	 * of available number of logical cores and crypto devices.
> @@ -247,8 +254,7 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
>   				opts->nb_qps * nb_slaves;
>   #endif
>   		} else
> -			sessions_needed = enabled_cdev_count *
> -						opts->nb_qps * 2;
> +			sessions_needed = enabled_cdev_count * opts->nb_qps;
>   
>   		/*
>   		 * A single session is required per queue pair
> diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
> index c7975ed01..9f1b92c51 100644
> --- a/app/test/test_cryptodev.c
> +++ b/app/test/test_cryptodev.c
> @@ -773,9 +773,15 @@ testsuite_setup(void)
>   	unsigned int session_size =
>   		rte_cryptodev_sym_get_private_session_size(dev_id);
>   
> +#ifdef RTE_LIBRTE_SECURITY
> +	unsigned int security_session_size = rte_security_session_get_size(
> +			rte_cryptodev_get_sec_ctx(dev_id));
> +
> +	if (session_size < security_session_size)
> +		session_size = security_session_size;
> +#endif
>   	/*
> -	 * Create mempool with maximum number of sessions * 2,
> -	 * to include the session headers
> +	 * Create mempool with maximum number of sessions.
>   	 */
>   	if (info.sym.max_nb_sessions != 0 &&
>   			info.sym.max_nb_sessions < MAX_NB_SESSIONS) {
> @@ -7751,7 +7757,8 @@ test_pdcp_proto(int i, int oop,
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx,
> -				&sess_conf, ts_params->session_priv_mpool);
> +				&sess_conf, ts_params->session_mpool,
> +				ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
>   		printf("TestCase %s()-%d line %d failed %s: ",
> @@ -8011,7 +8018,8 @@ test_pdcp_proto_SGL(int i, int oop,
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx,
> -				&sess_conf, ts_params->session_priv_mpool);
> +				&sess_conf, ts_params->session_mpool,
> +				ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
>   		printf("TestCase %s()-%d line %d failed %s: ",
> @@ -8368,6 +8376,7 @@ test_docsis_proto_uplink(int i, struct docsis_test_data *d_td)
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
> +					ts_params->session_mpool,
>   					ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
> @@ -8543,6 +8552,7 @@ test_docsis_proto_downlink(int i, struct docsis_test_data *d_td)
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
> +					ts_params->session_mpool,
>   					ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
> diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
> index 79d00d7e0..9ad07a179 100644
> --- a/app/test/test_ipsec.c
> +++ b/app/test/test_ipsec.c
> @@ -632,7 +632,8 @@ create_dummy_sec_session(struct ipsec_unitest_params *ut,
>   	static struct rte_security_session_conf conf;
>   
>   	ut->ss[j].security.ses = rte_security_session_create(&dummy_sec_ctx,
> -					&conf, qp->mp_session_private);
> +					&conf, qp->mp_session,
> +					qp->mp_session_private);
>   
>   	if (ut->ss[j].security.ses == NULL)
>   		return -ENOMEM;
> diff --git a/app/test/test_security.c b/app/test/test_security.c
> index 77fd5adc6..35ed6ff10 100644
> --- a/app/test/test_security.c
> +++ b/app/test/test_security.c
> @@ -200,6 +200,24 @@
>   			expected_mempool_usage, mempool_usage);		\
>   } while (0)
>   
> +/**
> + * Verify usage of mempool by checking if number of allocated objects matches
> + * expectations. The mempool is used to manage objects for sessions priv data.
> + * A single object is acquired from mempool during session_create
> + * and put back in session_destroy.
> + *
> + * @param   expected_priv_mp_usage	expected number of used priv mp objects
> + */
> +#define TEST_ASSERT_PRIV_MP_USAGE(expected_priv_mp_usage) do {		\
> +	struct security_testsuite_params *ts_params = &testsuite_params;\
> +	unsigned int priv_mp_usage;					\
> +	priv_mp_usage = rte_mempool_in_use_count(			\
> +			ts_params->session_priv_mpool);			\
> +	TEST_ASSERT_EQUAL(expected_priv_mp_usage, priv_mp_usage,	\
> +			"Expecting %u priv mempool allocations, "		\
one tab less
> +			"but there are %u allocated objects",		\
> +			expected_priv_mp_usage, priv_mp_usage);		\
> +} while (0)
>   
>   /**
>    * Mockup structures and functions for rte_security_ops;
> @@ -237,27 +255,38 @@ static struct mock_session_create_data {
>   	struct rte_security_session_conf *conf;
>   	struct rte_security_session *sess;
>   	struct rte_mempool *mp;
> +	struct rte_mempool *priv_mp;
>   
>   	int ret;
>   
>   	int called;
>   	int failed;
> -} mock_session_create_exp = {NULL, NULL, NULL, NULL, 0, 0, 0};
> +} mock_session_create_exp = {NULL, NULL, NULL, NULL, NULL, 0, 0, 0};
>   
>   static int
>   mock_session_create(void *device,
>   		struct rte_security_session_conf *conf,
>   		struct rte_security_session *sess,
> -		struct rte_mempool *mp)
> +		struct rte_mempool *priv_mp)
>   {
> +	void *sess_priv;
> +	int ret;
> +
>   	mock_session_create_exp.called++;
>   
>   	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, device);
>   	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, conf);
> -	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, mp);
> +	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, priv_mp);
> +	ret = rte_mempool_get(priv_mp, &sess_priv);
> +	TEST_ASSERT_EQUAL(0, ret,
> +		"priv mempool does not have enough objects");
>   
> +	set_sec_session_private_data(sess, sess_priv);

if op function doesn't return 0, it shouldn't leave also sess_priv set 
in sess.
Maybe put the code for getting sess_priv from mempool and setting it in 
session inside:
if (mock_session_create_exp.ret == 0) {
...
}

>   	mock_session_create_exp.sess = sess;
>   
> +	if (mock_session_create_exp.ret != 0)
> +		rte_mempool_put(priv_mp, sess_priv);
> +
>   	return mock_session_create_exp.ret;
>   }
>   
> @@ -363,8 +392,10 @@ static struct mock_session_destroy_data {
>   static int
>   mock_session_destroy(void *device, struct rte_security_session *sess)
>   {
> -	mock_session_destroy_exp.called++;
> +	void *sess_priv = get_sec_session_private_data(sess);
>   
> +	mock_session_destroy_exp.called++;
> +	rte_mempool_put(rte_mempool_from_obj(sess_priv), sess_priv);
sess_priv should be released only if op function is going to succeed.
You can check that in similar way as you did in create op by checking 
mock_session_destroy_exp.ret
Otherwise testcase test_session_destroy_ops_failure might cause a 
problem because your are putting same object twice into the mempool 
(once in mock_session_destroy and 2nd time in ut_teardown when session 
is destroyed)
>   	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_exp, device);
>   	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_exp, sess);
>   
> @@ -502,6 +533,7 @@ struct rte_security_ops mock_ops = {
>    */
>   static struct security_testsuite_params {
>   	struct rte_mempool *session_mpool;
> +	struct rte_mempool *session_priv_mpool;
>   } testsuite_params = { NULL };
>   
>   /**
> @@ -524,9 +556,11 @@ static struct security_unittest_params {
>   	.sess = NULL,
>   };
>   
> -#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestsMempoolName"
> +#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestMp"
> +#define SECURITY_TEST_PRIV_MEMPOOL_NAME "SecurityTestPrivMp"
>   #define SECURITY_TEST_MEMPOOL_SIZE 15
> -#define SECURITY_TEST_SESSION_OBJECT_SIZE sizeof(struct rte_security_session)
> +#define SECURITY_TEST_SESSION_OBJ_SZ sizeof(struct rte_security_session)
> +#define SECURITY_TEST_SESSION_PRIV_OBJ_SZ 64
>   
>   /**
>    * testsuite_setup initializes whole test suite parameters.
> @@ -540,11 +574,27 @@ testsuite_setup(void)
>   	ts_params->session_mpool = rte_mempool_create(
>   			SECURITY_TEST_MEMPOOL_NAME,
>   			SECURITY_TEST_MEMPOOL_SIZE,
> -			SECURITY_TEST_SESSION_OBJECT_SIZE,
> +			SECURITY_TEST_SESSION_OBJ_SZ,
>   			0, 0, NULL, NULL, NULL, NULL,
>   			SOCKET_ID_ANY, 0);
>   	TEST_ASSERT_NOT_NULL(ts_params->session_mpool,
>   			"Cannot create mempool %s\n", rte_strerror(rte_errno));
> +
> +	ts_params->session_priv_mpool = rte_mempool_create(
> +			SECURITY_TEST_PRIV_MEMPOOL_NAME,
> +			SECURITY_TEST_MEMPOOL_SIZE,
> +			SECURITY_TEST_SESSION_PRIV_OBJ_SZ,
> +			0, 0, NULL, NULL, NULL, NULL,
> +			SOCKET_ID_ANY, 0);
> +	if (ts_params->session_priv_mpool == NULL) {
> +		RTE_LOG(ERR, USER1, "TestCase %s() line %d failed (null): "
> +				"Cannot create priv mempool %s\n",
> +				__func__, __LINE__, rte_strerror(rte_errno));
> +		rte_mempool_free(ts_params->session_mpool);
> +		ts_params->session_mpool = NULL;
> +		return TEST_FAILED;
> +	}
> +
>   	return TEST_SUCCESS;
>   }
>   
> @@ -559,6 +609,10 @@ testsuite_teardown(void)
>   		rte_mempool_free(ts_params->session_mpool);
>   		ts_params->session_mpool = NULL;
>   	}
> +	if (ts_params->session_priv_mpool) {
> +		rte_mempool_free(ts_params->session_priv_mpool);
> +		ts_params->session_priv_mpool = NULL;
> +	}
>   }
>   
>   /**
> @@ -656,10 +710,12 @@ ut_setup_with_session(void)
>   	mock_session_create_exp.device = NULL;
>   	mock_session_create_exp.conf = &ut_params->conf;
>   	mock_session_create_exp.mp = ts_params->session_mpool;
> +	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
>   	mock_session_create_exp.ret = 0;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
>   			sess);
>   	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
> @@ -701,11 +757,13 @@ test_session_create_inv_context(void)
>   	struct rte_security_session *sess;
>   
>   	sess = rte_security_session_create(NULL, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	return TEST_SUCCESS;
> @@ -725,11 +783,13 @@ test_session_create_inv_context_ops(void)
>   	ut_params->ctx.ops = NULL;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	return TEST_SUCCESS;
> @@ -749,11 +809,13 @@ test_session_create_inv_context_ops_fun(void)
>   	ut_params->ctx.ops = &empty_ops;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	return TEST_SUCCESS;
> @@ -770,18 +832,21 @@ test_session_create_inv_configuration(void)
>   	struct rte_security_session *sess;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, NULL,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	return TEST_SUCCESS;
>   }
>   
>   /**
> - * Test execution of rte_security_session_create with NULL mp parameter
> + * Test execution of rte_security_session_create with NULL session
> + * mempool
>    */
>   static int
>   test_session_create_inv_mempool(void)
> @@ -790,11 +855,35 @@ test_session_create_inv_mempool(void)
>   	struct rte_security_session *sess;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			NULL);
> +			NULL, NULL);
...NULL, ts_params->session_priv_mpool); would be better as it would 
test if making primary mempool NULL is the cause of session_create failure.
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
> +	TEST_ASSERT_SESSION_COUNT(0);
> +
> +	return TEST_SUCCESS;
> +}
> +
> +/**
> + * Test execution of rte_security_session_create with NULL session
> + * priv mempool
> + */
> +static int
> +test_session_create_inv_sess_priv_mempool(void)
> +{
> +	struct security_unittest_params *ut_params = &unittest_params;
> +	struct security_testsuite_params *ts_params = &testsuite_params;
> +	struct rte_security_session *sess;
> +
> +	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> +			ts_params->session_mpool, NULL);
> +	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
> +			sess, NULL, "%p");
> +	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> +	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	return TEST_SUCCESS;
> @@ -810,6 +899,7 @@ test_session_create_mempool_empty(void)
>   	struct security_testsuite_params *ts_params = &testsuite_params;
>   	struct security_unittest_params *ut_params = &unittest_params;
>   	struct rte_security_session *tmp[SECURITY_TEST_MEMPOOL_SIZE];
> +	void *tmp1[SECURITY_TEST_MEMPOOL_SIZE];
>   	struct rte_security_session *sess;
>   
>   	/* Get all available objects from mempool. */
> @@ -820,21 +910,34 @@ test_session_create_mempool_empty(void)
>   		TEST_ASSERT_EQUAL(0, ret,
>   				"Expect getting %d object from mempool"
>   				" to succeed", i);
> +		ret = rte_mempool_get(ts_params->session_priv_mpool,
> +				(void **)(&tmp1[i]));
> +		TEST_ASSERT_EQUAL(0, ret,
> +				"Expect getting %d object from priv mempool"
> +				" to succeed", i);
>   	}
>   	TEST_ASSERT_MEMPOOL_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
> +	TEST_ASSERT_PRIV_MP_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
> +	TEST_ASSERT_PRIV_MP_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	/* Put objects back to the pool. */
> -	for (i = 0; i < SECURITY_TEST_MEMPOOL_SIZE; ++i)
> -		rte_mempool_put(ts_params->session_mpool, (void *)(tmp[i]));
> +	for (i = 0; i < SECURITY_TEST_MEMPOOL_SIZE; ++i) {
> +		rte_mempool_put(ts_params->session_mpool,
> +				(void *)(tmp[i]));
> +		rte_mempool_put(ts_params->session_priv_mpool,
> +				(tmp1[i]));
> +	}
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   
>   	return TEST_SUCCESS;
>   }
> @@ -853,14 +956,17 @@ test_session_create_ops_failure(void)
>   	mock_session_create_exp.device = NULL;
>   	mock_session_create_exp.conf = &ut_params->conf;
>   	mock_session_create_exp.mp = ts_params->session_mpool;
> +	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
>   	mock_session_create_exp.ret = -1;	/* Return failure status. */
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 1);
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	return TEST_SUCCESS;
> @@ -879,10 +985,12 @@ test_session_create_success(void)
>   	mock_session_create_exp.device = NULL;
>   	mock_session_create_exp.conf = &ut_params->conf;
>   	mock_session_create_exp.mp = ts_params->session_mpool;
> +	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
>   	mock_session_create_exp.ret = 0;	/* Return success status. */
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
>   			sess);
>   	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
> @@ -891,6 +999,7 @@ test_session_create_success(void)
>   			sess, mock_session_create_exp.sess);
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 1);
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	/*
> @@ -1276,6 +1385,7 @@ test_session_destroy_inv_context(void)
>   	struct security_unittest_params *ut_params = &unittest_params;
>   
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	int ret = rte_security_session_destroy(NULL, ut_params->sess);
> @@ -1283,6 +1393,7 @@ test_session_destroy_inv_context(void)
>   			ret, -EINVAL, "%d");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	return TEST_SUCCESS;
> @@ -1299,6 +1410,7 @@ test_session_destroy_inv_context_ops(void)
>   	ut_params->ctx.ops = NULL;
>   
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	int ret = rte_security_session_destroy(&ut_params->ctx,
> @@ -1307,6 +1419,7 @@ test_session_destroy_inv_context_ops(void)
>   			ret, -EINVAL, "%d");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	return TEST_SUCCESS;
> @@ -1323,6 +1436,7 @@ test_session_destroy_inv_context_ops_fun(void)
>   	ut_params->ctx.ops = &empty_ops;
>   
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	int ret = rte_security_session_destroy(&ut_params->ctx,
> @@ -1331,6 +1445,7 @@ test_session_destroy_inv_context_ops_fun(void)
>   			ret, -ENOTSUP, "%d");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	return TEST_SUCCESS;
> @@ -1345,6 +1460,7 @@ test_session_destroy_inv_session(void)
>   	struct security_unittest_params *ut_params = &unittest_params;
>   
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	int ret = rte_security_session_destroy(&ut_params->ctx, NULL);
> @@ -1352,6 +1468,7 @@ test_session_destroy_inv_session(void)
>   			ret, -EINVAL, "%d");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	return TEST_SUCCESS;
> @@ -1371,6 +1488,7 @@ test_session_destroy_ops_failure(void)
>   	mock_session_destroy_exp.ret = -1;
>   
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	int ret = rte_security_session_destroy(&ut_params->ctx,
You can add also:
     TEST_ASSERT_PRIV_MP_USAGE(1);
in line 1500 after rte_security_session_destroy() returned to verify 
that private mempool usage stays on same level after failure of destroy op.
Currently adding it without fixing mock of session_destroy op, will 
cause test failure:

EAL: Test assert test_session_destroy_ops_failure line 1500 failed: 
Expecting 1 priv mempool allocations, but there are 0 allocated objects
EAL: in ../app/test/test_security.c:1500 test_session_destroy_ops_failure

> @@ -1396,6 +1514,7 @@ test_session_destroy_success(void)
>   	mock_session_destroy_exp.sess = ut_params->sess;
>   	mock_session_destroy_exp.ret = 0;
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	int ret = rte_security_session_destroy(&ut_params->ctx,
> @@ -1404,6 +1523,7 @@ test_session_destroy_success(void)
>   			ret, 0, "%d");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 1);
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	/*
> @@ -2370,6 +2490,8 @@ static struct unit_test_suite security_testsuite  = {
>   				test_session_create_inv_configuration),
>   		TEST_CASE_ST(ut_setup, ut_teardown,
>   				test_session_create_inv_mempool),
> +		TEST_CASE_ST(ut_setup, ut_teardown,
> +				test_session_create_inv_sess_priv_mempool),
>   		TEST_CASE_ST(ut_setup, ut_teardown,
>   				test_session_create_mempool_empty),
>   		TEST_CASE_ST(ut_setup, ut_teardown,
> diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
> index 127da2e4f..d30a79576 100644
> --- a/doc/guides/prog_guide/rte_security.rst
> +++ b/doc/guides/prog_guide/rte_security.rst
> @@ -533,8 +533,12 @@ and this allows further acceleration of the offload of Crypto workloads.
>   
>   The Security framework provides APIs to create and free sessions for crypto/ethernet
>   devices, where sessions are mempool objects. It is the application's responsibility
> -to create and manage the session mempools. The mempool object size should be able to
> -accommodate the driver's private data of security session.
> +to create and manage two session mempools - one for session and other for session
> +private data. The private session data mempool object size should be able to
> +accommodate the driver's private data of security session. The application can get
> +the size of session private data using API ``rte_security_session_get_size``.
> +And the session mempool object size should be enough to accommodate
> +``rte_security_session``.
>   
>   Once the session mempools have been created, ``rte_security_session_create()``
>   is used to allocate and initialize a session for the required crypto/ethernet device.
> diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
> index 43cdd3c58..26be1b3de 100644
> --- a/doc/guides/rel_notes/deprecation.rst
> +++ b/doc/guides/rel_notes/deprecation.rst
> @@ -164,13 +164,6 @@ Deprecation Notices
>     following the IPv6 header, as proposed in RFC
>     https://protect2.fireeye.com/v1/url?k=0ff8f153-529fb575-0ff97a1c-0cc47a31384a-da56d065c0f960ba&q=1&e=4b8cafbf-ec0f-4a52-9c77-e1c5a4efcfc5&u=https%3A%2F%2Fmails.dpdk.org%2Farchives%2Fdev%2F2020-August%2F177257.html.
>   
> -* security: The API ``rte_security_session_create`` takes only single mempool
> -  for session and session private data. So the application need to create
> -  mempool for twice the number of sessions needed and will also lead to
> -  wastage of memory as session private data need more memory compared to session.
> -  Hence the API will be modified to take two mempool pointers - one for session
> -  and one for private data.
> -
>   * cryptodev: support for using IV with all sizes is added, J0 still can
>     be used but only when IV length in following structs ``rte_crypto_auth_xform``,
>     ``rte_crypto_aead_xform`` is set to zero. When IV length is greater or equal
> diff --git a/doc/guides/rel_notes/release_20_11.rst b/doc/guides/rel_notes/release_20_11.rst
> index f1b9b4dfe..0fb1b20cb 100644
> --- a/doc/guides/rel_notes/release_20_11.rst
> +++ b/doc/guides/rel_notes/release_20_11.rst
> @@ -344,6 +344,12 @@ API Changes
>   * The structure ``rte_crypto_sym_vec`` is updated to support both
>     cpu_crypto synchrounous operation and asynchronous raw data-path APIs.
>   
> +* security: The API ``rte_security_session_create`` is updated to take two
> +  mempool objects one for session and other for session private data.
> +  So the application need to create two mempools and get the size of session
> +  private data using API ``rte_security_session_get_size`` for private session
> +  mempool.
> +
>   
>   ABI Changes
>   -----------
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> index 60132c4bd..2326089bb 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -2348,12 +2348,8 @@ session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t sess_sz)
>   
>   	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
>   			"sess_mp_%u", socket_id);
> -	/*
> -	 * Doubled due to rte_security_session_create() uses one mempool for
> -	 * session and for session private data.
> -	 */
>   	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
> -		rte_lcore_count()) * 2;
> +		rte_lcore_count());
>   	sess_mp = rte_cryptodev_sym_session_pool_create(
>   			mp_name, nb_sess, sess_sz, CDEV_MP_CACHE_SZ, 0,
>   			socket_id);
> @@ -2376,12 +2372,8 @@ session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id,
>   
>   	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
>   			"sess_mp_priv_%u", socket_id);
> -	/*
> -	 * Doubled due to rte_security_session_create() uses one mempool for
> -	 * session and for session private data.
> -	 */
>   	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
> -		rte_lcore_count()) * 2;
> +		rte_lcore_count());
>   	sess_mp = rte_mempool_create(mp_name,
>   			nb_sess,
>   			sess_sz,
> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> index 01faa7ac7..6baeeb342 100644
> --- a/examples/ipsec-secgw/ipsec.c
> +++ b/examples/ipsec-secgw/ipsec.c
> @@ -117,7 +117,8 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
>   			set_ipsec_conf(sa, &(sess_conf.ipsec));
>   
>   			ips->security.ses = rte_security_session_create(ctx,
> -					&sess_conf, ipsec_ctx->session_priv_pool);
> +					&sess_conf, ipsec_ctx->session_pool,
> +					ipsec_ctx->session_priv_pool);
>   			if (ips->security.ses == NULL) {
>   				RTE_LOG(ERR, IPSEC,
>   				"SEC Session init failed: err: %d\n", ret);
> @@ -198,7 +199,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
>   		}
>   
>   		ips->security.ses = rte_security_session_create(sec_ctx,
> -				&sess_conf, skt_ctx->session_pool);
> +				&sess_conf, skt_ctx->session_pool,
> +				skt_ctx->session_priv_pool);
>   		if (ips->security.ses == NULL) {
>   			RTE_LOG(ERR, IPSEC,
>   				"SEC Session init failed: err: %d\n", ret);
> @@ -378,7 +380,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
>   		sess_conf.userdata = (void *) sa;
>   
>   		ips->security.ses = rte_security_session_create(sec_ctx,
> -					&sess_conf, skt_ctx->session_pool);
> +					&sess_conf, skt_ctx->session_pool,
> +					skt_ctx->session_priv_pool);
>   		if (ips->security.ses == NULL) {
>   			RTE_LOG(ERR, IPSEC,
>   				"SEC Session init failed: err: %d\n", ret);
> diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
> index 515c29e04..ee4666026 100644
> --- a/lib/librte_security/rte_security.c
> +++ b/lib/librte_security/rte_security.c
> @@ -26,18 +26,21 @@
>   struct rte_security_session *
>   rte_security_session_create(struct rte_security_ctx *instance,
>   			    struct rte_security_session_conf *conf,
> -			    struct rte_mempool *mp)
> +			    struct rte_mempool *mp,
> +			    struct rte_mempool *priv_mp)
>   {
>   	struct rte_security_session *sess = NULL;
>   
>   	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_create, NULL, NULL);
>   	RTE_PTR_OR_ERR_RET(conf, NULL);
>   	RTE_PTR_OR_ERR_RET(mp, NULL);
> +	RTE_PTR_OR_ERR_RET(priv_mp, NULL);
>   
>   	if (rte_mempool_get(mp, (void **)&sess))
>   		return NULL;
>   
> -	if (instance->ops->session_create(instance->device, conf, sess, mp)) {
> +	if (instance->ops->session_create(instance->device, conf,
> +				sess, priv_mp)) {
>   		rte_mempool_put(mp, (void *)sess);
>   		return NULL;
>   	}
> diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
> index 16839e539..1710cdd6a 100644
> --- a/lib/librte_security/rte_security.h
> +++ b/lib/librte_security/rte_security.h
> @@ -386,6 +386,7 @@ struct rte_security_session {
>    * @param   instance	security instance
>    * @param   conf	session configuration parameters
>    * @param   mp		mempool to allocate session objects from
> + * @param   priv_mp	mempool to allocate session private data objects from
>    * @return
>    *  - On success, pointer to session
>    *  - On failure, NULL
> @@ -393,7 +394,8 @@ struct rte_security_session {
>   struct rte_security_session *
>   rte_security_session_create(struct rte_security_ctx *instance,
>   			    struct rte_security_session_conf *conf,
> -			    struct rte_mempool *mp);
> +			    struct rte_mempool *mp,
> +			    struct rte_mempool *priv_mp);
>   
>   /**
>    * Update security session as specified by the session configuration

-- 
Lukasz Wojciechowski
Principal Software Engineer

Samsung R&D Institute Poland
Samsung Electronics
Office +48 22 377 88 25
l.wojciechow@partner.samsung.com


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH v2] security: update session create API
  2020-10-14 19:00       ` Akhil Goyal
@ 2020-10-15  1:14         ` Lukasz Wojciechowski
  0 siblings, 0 replies; 21+ messages in thread
From: Lukasz Wojciechowski @ 2020-10-15  1:14 UTC (permalink / raw)
  To: Akhil Goyal, dev
  Cc: thomas, mdr, anoobj, Hemant Agrawal, konstantin.ananyev,
	declan.doherty, radu.nicolau, david.coyle,
	\"'Lukasz Wojciechowski'\",


W dniu 14.10.2020 o 21:00, Akhil Goyal pisze:
> Hi Lukasz,
>
>> Hi Akhil,
>>> -#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestsMempoolName"
>>> +#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestMp"
>>> +#define SECURITY_TEST_PRIV_MEMPOOL_NAME "SecurityTestPrivMp"
>>>    #define SECURITY_TEST_MEMPOOL_SIZE 15
>>>    #define SECURITY_TEST_SESSION_OBJECT_SIZE sizeof(struct
>> rte_security_session)
>>> @@ -545,6 +548,22 @@ testsuite_setup(void)
>>>    			SOCKET_ID_ANY, 0);
>>>    	TEST_ASSERT_NOT_NULL(ts_params->session_mpool,
>>>    			"Cannot create mempool %s\n",
>> rte_strerror(rte_errno));
>>> +
>>> +	ts_params->session_priv_mpool = rte_mempool_create(
>>> +			SECURITY_TEST_PRIV_MEMPOOL_NAME,
>>> +			SECURITY_TEST_MEMPOOL_SIZE,
>>> +			rte_security_session_get_size(&unittest_params.ctx),
>> Call to rte_security_session_get_size() will cause a mockup function
>> mock_session_get_size() to be called, which will return 0.
>> Why do you call this function instead of defining some value for private
>> mempool element size?
> Fixed in v3
>
>>> +			0, 0, NULL, NULL, NULL, NULL,
>>> +			SOCKET_ID_ANY, 0);
>>> +	if (ts_params->session_priv_mpool == NULL) {
>>> +		printf("TestCase %s() line %d failed (null): "
>>> +				"Cannot create priv mempool %s\n",
>>> +				__func__, __LINE__, rte_strerror(rte_errno));
>> Instead of printf() use RTE_LOG(ERR, EAL,...). All other messages are
>> printed this way. It allows control of error messages if required.
> Fixed in v3, should be USER1 instead of EAL though.
Can you explain me why, there should be USER1?
All other errors are printed with EAL tag.
>
>>> +		rte_mempool_free(ts_params->session_mpool);
>>> +		ts_params->session_mpool = NULL;
>>> +		return TEST_FAILED;
>>> +	}
>>> +
>>>    	return TEST_SUCCESS;
>>>    }
>>>
>>> @@ -559,6 +578,10 @@ testsuite_teardown(void)
>>>    		rte_mempool_free(ts_params->session_mpool);
>>>    		ts_params->session_mpool = NULL;
>>>    	}
>>> +	if (ts_params->session_priv_mpool) {
>>> +		rte_mempool_free(ts_params->session_priv_mpool);
>>> +		ts_params->session_priv_mpool = NULL;
>>> +	}
>>>    }
>>>
>>>    /**
>>> @@ -659,7 +682,8 @@ ut_setup_with_session(void)
>>>    	mock_session_create_exp.ret = 0;
>>>
>>>    	sess = rte_security_session_create(&ut_params->ctx, &ut_params-
>>> conf,
>>> -			ts_params->session_mpool);
>>> +			ts_params->session_mpool,
>>> +			ts_params->session_priv_mpool);
>>>
>> 	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_sessio
>> n_create,
>>>    			sess);
>>>    	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
>>> @@ -701,7 +725,8 @@ test_session_create_inv_context(void)
>>>    	struct rte_security_session *sess;
>>>
>>>    	sess = rte_security_session_create(NULL, &ut_params->conf,
>>> -			ts_params->session_mpool);
>>> +			ts_params->session_mpool,
>>> +			ts_params->session_priv_mpool);
>>>
>> 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_creat
>> e,
>>>    			sess, NULL, "%p");
>>>    	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>>> @@ -725,7 +750,8 @@ test_session_create_inv_context_ops(void)
>>>    	ut_params->ctx.ops = NULL;
>>>
>>>    	sess = rte_security_session_create(&ut_params->ctx, &ut_params-
>>> conf,
>>> -			ts_params->session_mpool);
>>> +			ts_params->session_mpool,
>>> +			ts_params->session_priv_mpool);
>>>
>> 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_creat
>> e,
>>>    			sess, NULL, "%p");
>>>    	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>>> @@ -749,7 +775,8 @@ test_session_create_inv_context_ops_fun(void)
>>>    	ut_params->ctx.ops = &empty_ops;
>>>
>>>    	sess = rte_security_session_create(&ut_params->ctx, &ut_params-
>>> conf,
>>> -			ts_params->session_mpool);
>>> +			ts_params->session_mpool,
>>> +			ts_params->session_priv_mpool);
>>>
>> 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_creat
>> e,
>>>    			sess, NULL, "%p");
>>>    	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>>> @@ -770,7 +797,8 @@ test_session_create_inv_configuration(void)
>>>    	struct rte_security_session *sess;
>>>
>>>    	sess = rte_security_session_create(&ut_params->ctx, NULL,
>>> -			ts_params->session_mpool);
>>> +			ts_params->session_mpool,
>>> +			ts_params->session_priv_mpool);
>>>
>> 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_creat
>> e,
>>>    			sess, NULL, "%p");
>>>    	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>>> @@ -781,7 +809,7 @@ test_session_create_inv_configuration(void)
>>>    }
>>>
>>>    /**
>>> - * Test execution of rte_security_session_create with NULL mp parameter
>>> + * Test execution of rte_security_session_create with NULL mempools
>>>     */
>>>    static int
>>>    test_session_create_inv_mempool(void)
>>> @@ -790,7 +818,7 @@ test_session_create_inv_mempool(void)
>>>    	struct rte_security_session *sess;
>>>
>>>    	sess = rte_security_session_create(&ut_params->ctx, &ut_params-
>>> conf,
>>> -			NULL);
>>> +			NULL, NULL);
>> It would be best to add a new testcase for verification of passing NULL
>> private mempool.
>> If you pass NULL as the primary mempool as in this testcase, the
>> verification of priv mempool (rte_securitry.c:37) won't ever happen
>> because rte_security_session_create() will return in line 36.
> Added a new test. However that was really unnecessary and was an overkill
> To add a new case for so many negative cases.
>
> Please have a look at v3 and ack it if no further comments.
>
> Regards,
> Akhil
>
-- 
Lukasz Wojciechowski
Principal Software Engineer

Samsung R&D Institute Poland
Samsung Electronics
Office +48 22 377 88 25
l.wojciechow@partner.samsung.com


^ permalink raw reply	[flat|nested] 21+ messages in thread

* [dpdk-dev] [PATCH v4] security: update session create API
  2020-10-14 18:56     ` [dpdk-dev] [PATCH v3] " Akhil Goyal
  2020-10-15  1:11       ` Lukasz Wojciechowski
@ 2020-10-17 11:50       ` " Akhil Goyal
  2020-10-17 13:13         ` Lukasz Wojciechowski
  2020-10-18  9:40         ` [dpdk-dev] [PATCH v5] " Akhil Goyal
  1 sibling, 2 replies; 21+ messages in thread
From: Akhil Goyal @ 2020-10-17 11:50 UTC (permalink / raw)
  To: dev
  Cc: thomas, mdr, anoobj, hemant.agrawal, konstantin.ananyev,
	declan.doherty, radu.nicolau, david.coyle, l.wojciechow,
	Akhil Goyal

The API ``rte_security_session_create`` takes only single
mempool for session and session private data. So the
application need to create mempool for twice the number of
sessions needed and will also lead to wastage of memory as
session private data need more memory compared to session.
Hence the API is modified to take two mempool pointers
- one for session and one for private data.
This is very similar to crypto based session create APIs.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
---
Changes in v4:
rebase on TOT
addressed comments from Lukasz on v3

Changes in v3:
fixed checkpatch issues.
Added new test in test_security.c for priv_mempool

Changes in V2:
incorporated comments from Lukasz and David.


 app/test-crypto-perf/cperf_ops.c       |   4 +-
 app/test-crypto-perf/main.c            |  12 +-
 app/test/test_cryptodev.c              |  18 ++-
 app/test/test_ipsec.c                  |   3 +-
 app/test/test_security.c               | 166 ++++++++++++++++++++++---
 doc/guides/prog_guide/rte_security.rst |   8 +-
 doc/guides/rel_notes/deprecation.rst   |   7 --
 doc/guides/rel_notes/release_20_11.rst |   6 +
 examples/ipsec-secgw/ipsec-secgw.c     |  12 +-
 examples/ipsec-secgw/ipsec.c           |   9 +-
 lib/librte_security/rte_security.c     |   7 +-
 lib/librte_security/rte_security.h     |   4 +-
 12 files changed, 201 insertions(+), 55 deletions(-)

diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c
index 3da835a9c..3a64a2c34 100644
--- a/app/test-crypto-perf/cperf_ops.c
+++ b/app/test-crypto-perf/cperf_ops.c
@@ -621,7 +621,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
 
 		/* Create security session */
 		return (void *)rte_security_session_create(ctx,
-					&sess_conf, sess_mp);
+					&sess_conf, sess_mp, priv_mp);
 	}
 	if (options->op_type == CPERF_DOCSIS) {
 		enum rte_security_docsis_direction direction;
@@ -664,7 +664,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
 
 		/* Create security session */
 		return (void *)rte_security_session_create(ctx,
-					&sess_conf, priv_mp);
+					&sess_conf, sess_mp, priv_mp);
 	}
 #endif
 	sess = rte_cryptodev_sym_session_create(sess_mp);
diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
index 62ae6048b..53864ffdd 100644
--- a/app/test-crypto-perf/main.c
+++ b/app/test-crypto-perf/main.c
@@ -156,7 +156,14 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
 		if (sess_size > max_sess_size)
 			max_sess_size = sess_size;
 	}
-
+#ifdef RTE_LIBRTE_SECURITY
+	for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {
+		sess_size = rte_security_session_get_size(
+				rte_cryptodev_get_sec_ctx(cdev_id));
+		if (sess_size > max_sess_size)
+			max_sess_size = sess_size;
+	}
+#endif
 	/*
 	 * Calculate number of needed queue pairs, based on the amount
 	 * of available number of logical cores and crypto devices.
@@ -247,8 +254,7 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
 				opts->nb_qps * nb_slaves;
 #endif
 		} else
-			sessions_needed = enabled_cdev_count *
-						opts->nb_qps * 2;
+			sessions_needed = enabled_cdev_count * opts->nb_qps;
 
 		/*
 		 * A single session is required per queue pair
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 1d4c46f08..3afc1d809 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -782,9 +782,15 @@ testsuite_setup(void)
 	unsigned int session_size =
 		rte_cryptodev_sym_get_private_session_size(dev_id);
 
+#ifdef RTE_LIBRTE_SECURITY
+	unsigned int security_session_size = rte_security_session_get_size(
+			rte_cryptodev_get_sec_ctx(dev_id));
+
+	if (session_size < security_session_size)
+		session_size = security_session_size;
+#endif
 	/*
-	 * Create mempool with maximum number of sessions * 2,
-	 * to include the session headers
+	 * Create mempool with maximum number of sessions.
 	 */
 	if (info.sym.max_nb_sessions != 0 &&
 			info.sym.max_nb_sessions < MAX_NB_SESSIONS) {
@@ -7762,7 +7768,8 @@ static int test_pdcp_proto(int i, int oop, enum rte_crypto_cipher_operation opc,
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx,
-				&sess_conf, ts_params->session_priv_mpool);
+				&sess_conf, ts_params->session_mpool,
+				ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
 		printf("TestCase %s()-%d line %d failed %s: ",
@@ -8022,7 +8029,8 @@ test_pdcp_proto_SGL(int i, int oop,
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx,
-				&sess_conf, ts_params->session_priv_mpool);
+				&sess_conf, ts_params->session_mpool,
+				ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
 		printf("TestCase %s()-%d line %d failed %s: ",
@@ -8488,6 +8496,7 @@ test_docsis_proto_uplink(int i, struct docsis_test_data *d_td)
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+					ts_params->session_mpool,
 					ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
@@ -8663,6 +8672,7 @@ test_docsis_proto_downlink(int i, struct docsis_test_data *d_td)
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+					ts_params->session_mpool,
 					ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
index 79d00d7e0..9ad07a179 100644
--- a/app/test/test_ipsec.c
+++ b/app/test/test_ipsec.c
@@ -632,7 +632,8 @@ create_dummy_sec_session(struct ipsec_unitest_params *ut,
 	static struct rte_security_session_conf conf;
 
 	ut->ss[j].security.ses = rte_security_session_create(&dummy_sec_ctx,
-					&conf, qp->mp_session_private);
+					&conf, qp->mp_session,
+					qp->mp_session_private);
 
 	if (ut->ss[j].security.ses == NULL)
 		return -ENOMEM;
diff --git a/app/test/test_security.c b/app/test/test_security.c
index 77fd5adc6..62e4991eb 100644
--- a/app/test/test_security.c
+++ b/app/test/test_security.c
@@ -200,6 +200,24 @@
 			expected_mempool_usage, mempool_usage);		\
 } while (0)
 
+/**
+ * Verify usage of mempool by checking if number of allocated objects matches
+ * expectations. The mempool is used to manage objects for sessions priv data.
+ * A single object is acquired from mempool during session_create
+ * and put back in session_destroy.
+ *
+ * @param   expected_priv_mp_usage	expected number of used priv mp objects
+ */
+#define TEST_ASSERT_PRIV_MP_USAGE(expected_priv_mp_usage) do {		\
+	struct security_testsuite_params *ts_params = &testsuite_params;\
+	unsigned int priv_mp_usage;					\
+	priv_mp_usage = rte_mempool_in_use_count(			\
+			ts_params->session_priv_mpool);			\
+	TEST_ASSERT_EQUAL(expected_priv_mp_usage, priv_mp_usage,	\
+			"Expecting %u priv mempool allocations, "	\
+			"but there are %u allocated objects",		\
+			expected_priv_mp_usage, priv_mp_usage);		\
+} while (0)
 
 /**
  * Mockup structures and functions for rte_security_ops;
@@ -237,26 +255,37 @@ static struct mock_session_create_data {
 	struct rte_security_session_conf *conf;
 	struct rte_security_session *sess;
 	struct rte_mempool *mp;
+	struct rte_mempool *priv_mp;
 
 	int ret;
 
 	int called;
 	int failed;
-} mock_session_create_exp = {NULL, NULL, NULL, NULL, 0, 0, 0};
+} mock_session_create_exp = {NULL, NULL, NULL, NULL, NULL, 0, 0, 0};
 
 static int
 mock_session_create(void *device,
 		struct rte_security_session_conf *conf,
 		struct rte_security_session *sess,
-		struct rte_mempool *mp)
+		struct rte_mempool *priv_mp)
 {
+	void *sess_priv;
+	int ret;
+
 	mock_session_create_exp.called++;
 
 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, device);
 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, conf);
-	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, mp);
+	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, priv_mp);
+
+	if (mock_session_create_exp.ret == 0) {
+		ret = rte_mempool_get(priv_mp, &sess_priv);
+		TEST_ASSERT_EQUAL(0, ret,
+			"priv mempool does not have enough objects");
 
-	mock_session_create_exp.sess = sess;
+		set_sec_session_private_data(sess, sess_priv);
+		mock_session_create_exp.sess = sess;
+	}
 
 	return mock_session_create_exp.ret;
 }
@@ -363,8 +392,13 @@ static struct mock_session_destroy_data {
 static int
 mock_session_destroy(void *device, struct rte_security_session *sess)
 {
-	mock_session_destroy_exp.called++;
+	void *sess_priv = get_sec_session_private_data(sess);
 
+	mock_session_destroy_exp.called++;
+	if ((mock_session_create_exp.ret == 0) && (sess_priv != NULL)) {
+		rte_mempool_put(rte_mempool_from_obj(sess_priv), sess_priv);
+		set_sec_session_private_data(sess, NULL);
+	}
 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_exp, device);
 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_exp, sess);
 
@@ -502,6 +536,7 @@ struct rte_security_ops mock_ops = {
  */
 static struct security_testsuite_params {
 	struct rte_mempool *session_mpool;
+	struct rte_mempool *session_priv_mpool;
 } testsuite_params = { NULL };
 
 /**
@@ -524,9 +559,11 @@ static struct security_unittest_params {
 	.sess = NULL,
 };
 
-#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestsMempoolName"
+#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestMp"
+#define SECURITY_TEST_PRIV_MEMPOOL_NAME "SecurityTestPrivMp"
 #define SECURITY_TEST_MEMPOOL_SIZE 15
-#define SECURITY_TEST_SESSION_OBJECT_SIZE sizeof(struct rte_security_session)
+#define SECURITY_TEST_SESSION_OBJ_SZ sizeof(struct rte_security_session)
+#define SECURITY_TEST_SESSION_PRIV_OBJ_SZ 64
 
 /**
  * testsuite_setup initializes whole test suite parameters.
@@ -540,11 +577,27 @@ testsuite_setup(void)
 	ts_params->session_mpool = rte_mempool_create(
 			SECURITY_TEST_MEMPOOL_NAME,
 			SECURITY_TEST_MEMPOOL_SIZE,
-			SECURITY_TEST_SESSION_OBJECT_SIZE,
+			SECURITY_TEST_SESSION_OBJ_SZ,
 			0, 0, NULL, NULL, NULL, NULL,
 			SOCKET_ID_ANY, 0);
 	TEST_ASSERT_NOT_NULL(ts_params->session_mpool,
 			"Cannot create mempool %s\n", rte_strerror(rte_errno));
+
+	ts_params->session_priv_mpool = rte_mempool_create(
+			SECURITY_TEST_PRIV_MEMPOOL_NAME,
+			SECURITY_TEST_MEMPOOL_SIZE,
+			SECURITY_TEST_SESSION_PRIV_OBJ_SZ,
+			0, 0, NULL, NULL, NULL, NULL,
+			SOCKET_ID_ANY, 0);
+	if (ts_params->session_priv_mpool == NULL) {
+		RTE_LOG(ERR, USER1, "TestCase %s() line %d failed (null): "
+				"Cannot create priv mempool %s\n",
+				__func__, __LINE__, rte_strerror(rte_errno));
+		rte_mempool_free(ts_params->session_mpool);
+		ts_params->session_mpool = NULL;
+		return TEST_FAILED;
+	}
+
 	return TEST_SUCCESS;
 }
 
@@ -559,6 +612,10 @@ testsuite_teardown(void)
 		rte_mempool_free(ts_params->session_mpool);
 		ts_params->session_mpool = NULL;
 	}
+	if (ts_params->session_priv_mpool) {
+		rte_mempool_free(ts_params->session_priv_mpool);
+		ts_params->session_priv_mpool = NULL;
+	}
 }
 
 /**
@@ -656,10 +713,12 @@ ut_setup_with_session(void)
 	mock_session_create_exp.device = NULL;
 	mock_session_create_exp.conf = &ut_params->conf;
 	mock_session_create_exp.mp = ts_params->session_mpool;
+	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
 	mock_session_create_exp.ret = 0;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
 			sess);
 	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
@@ -701,11 +760,13 @@ test_session_create_inv_context(void)
 	struct rte_security_session *sess;
 
 	sess = rte_security_session_create(NULL, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
@@ -725,11 +786,13 @@ test_session_create_inv_context_ops(void)
 	ut_params->ctx.ops = NULL;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
@@ -749,11 +812,13 @@ test_session_create_inv_context_ops_fun(void)
 	ut_params->ctx.ops = &empty_ops;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
@@ -770,31 +835,59 @@ test_session_create_inv_configuration(void)
 	struct rte_security_session *sess;
 
 	sess = rte_security_session_create(&ut_params->ctx, NULL,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
 }
 
 /**
- * Test execution of rte_security_session_create with NULL mp parameter
+ * Test execution of rte_security_session_create with NULL session
+ * mempool
  */
 static int
 test_session_create_inv_mempool(void)
 {
 	struct security_unittest_params *ut_params = &unittest_params;
+	struct security_testsuite_params *ts_params = &testsuite_params;
 	struct rte_security_session *sess;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			NULL);
+			NULL, ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
+	TEST_ASSERT_SESSION_COUNT(0);
+
+	return TEST_SUCCESS;
+}
+
+/**
+ * Test execution of rte_security_session_create with NULL session
+ * priv mempool
+ */
+static int
+test_session_create_inv_sess_priv_mempool(void)
+{
+	struct security_unittest_params *ut_params = &unittest_params;
+	struct security_testsuite_params *ts_params = &testsuite_params;
+	struct rte_security_session *sess;
+
+	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
+			ts_params->session_mpool, NULL);
+	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
+			sess, NULL, "%p");
+	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
+	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
@@ -810,6 +903,7 @@ test_session_create_mempool_empty(void)
 	struct security_testsuite_params *ts_params = &testsuite_params;
 	struct security_unittest_params *ut_params = &unittest_params;
 	struct rte_security_session *tmp[SECURITY_TEST_MEMPOOL_SIZE];
+	void *tmp1[SECURITY_TEST_MEMPOOL_SIZE];
 	struct rte_security_session *sess;
 
 	/* Get all available objects from mempool. */
@@ -820,21 +914,34 @@ test_session_create_mempool_empty(void)
 		TEST_ASSERT_EQUAL(0, ret,
 				"Expect getting %d object from mempool"
 				" to succeed", i);
+		ret = rte_mempool_get(ts_params->session_priv_mpool,
+				(void **)(&tmp1[i]));
+		TEST_ASSERT_EQUAL(0, ret,
+				"Expect getting %d object from priv mempool"
+				" to succeed", i);
 	}
 	TEST_ASSERT_MEMPOOL_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
+	TEST_ASSERT_PRIV_MP_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
+	TEST_ASSERT_PRIV_MP_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	/* Put objects back to the pool. */
-	for (i = 0; i < SECURITY_TEST_MEMPOOL_SIZE; ++i)
-		rte_mempool_put(ts_params->session_mpool, (void *)(tmp[i]));
+	for (i = 0; i < SECURITY_TEST_MEMPOOL_SIZE; ++i) {
+		rte_mempool_put(ts_params->session_mpool,
+				(void *)(tmp[i]));
+		rte_mempool_put(ts_params->session_priv_mpool,
+				(tmp1[i]));
+	}
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 
 	return TEST_SUCCESS;
 }
@@ -853,14 +960,17 @@ test_session_create_ops_failure(void)
 	mock_session_create_exp.device = NULL;
 	mock_session_create_exp.conf = &ut_params->conf;
 	mock_session_create_exp.mp = ts_params->session_mpool;
+	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
 	mock_session_create_exp.ret = -1;	/* Return failure status. */
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 1);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
@@ -879,10 +989,12 @@ test_session_create_success(void)
 	mock_session_create_exp.device = NULL;
 	mock_session_create_exp.conf = &ut_params->conf;
 	mock_session_create_exp.mp = ts_params->session_mpool;
+	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
 	mock_session_create_exp.ret = 0;	/* Return success status. */
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
 			sess);
 	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
@@ -891,6 +1003,7 @@ test_session_create_success(void)
 			sess, mock_session_create_exp.sess);
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 1);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	/*
@@ -1276,6 +1389,7 @@ test_session_destroy_inv_context(void)
 	struct security_unittest_params *ut_params = &unittest_params;
 
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(NULL, ut_params->sess);
@@ -1283,6 +1397,7 @@ test_session_destroy_inv_context(void)
 			ret, -EINVAL, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	return TEST_SUCCESS;
@@ -1299,6 +1414,7 @@ test_session_destroy_inv_context_ops(void)
 	ut_params->ctx.ops = NULL;
 
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(&ut_params->ctx,
@@ -1307,6 +1423,7 @@ test_session_destroy_inv_context_ops(void)
 			ret, -EINVAL, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	return TEST_SUCCESS;
@@ -1323,6 +1440,7 @@ test_session_destroy_inv_context_ops_fun(void)
 	ut_params->ctx.ops = &empty_ops;
 
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(&ut_params->ctx,
@@ -1331,6 +1449,7 @@ test_session_destroy_inv_context_ops_fun(void)
 			ret, -ENOTSUP, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	return TEST_SUCCESS;
@@ -1345,6 +1464,7 @@ test_session_destroy_inv_session(void)
 	struct security_unittest_params *ut_params = &unittest_params;
 
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(&ut_params->ctx, NULL);
@@ -1352,6 +1472,7 @@ test_session_destroy_inv_session(void)
 			ret, -EINVAL, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	return TEST_SUCCESS;
@@ -1371,6 +1492,7 @@ test_session_destroy_ops_failure(void)
 	mock_session_destroy_exp.ret = -1;
 
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(&ut_params->ctx,
@@ -1396,6 +1518,7 @@ test_session_destroy_success(void)
 	mock_session_destroy_exp.sess = ut_params->sess;
 	mock_session_destroy_exp.ret = 0;
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(&ut_params->ctx,
@@ -1404,6 +1527,7 @@ test_session_destroy_success(void)
 			ret, 0, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 1);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	/*
@@ -2370,6 +2494,8 @@ static struct unit_test_suite security_testsuite  = {
 				test_session_create_inv_configuration),
 		TEST_CASE_ST(ut_setup, ut_teardown,
 				test_session_create_inv_mempool),
+		TEST_CASE_ST(ut_setup, ut_teardown,
+				test_session_create_inv_sess_priv_mempool),
 		TEST_CASE_ST(ut_setup, ut_teardown,
 				test_session_create_mempool_empty),
 		TEST_CASE_ST(ut_setup, ut_teardown,
diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 41c95aa52..c64aef3de 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -533,8 +533,12 @@ and this allows further acceleration of the offload of Crypto workloads.
 
 The Security framework provides APIs to create and free sessions for crypto/ethernet
 devices, where sessions are mempool objects. It is the application's responsibility
-to create and manage the session mempools. The mempool object size should be able to
-accommodate the driver's private data of security session.
+to create and manage two session mempools - one for session and other for session
+private data. The private session data mempool object size should be able to
+accommodate the driver's private data of security session. The application can get
+the size of session private data using API ``rte_security_session_get_size``.
+And the session mempool object size should be enough to accommodate
+``rte_security_session``.
 
 Once the session mempools have been created, ``rte_security_session_create()``
 is used to allocate and initialize a session for the required crypto/ethernet device.
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 6cbfd1184..000e82cce 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -164,13 +164,6 @@ Deprecation Notices
   following the IPv6 header, as proposed in RFC
   https://mails.dpdk.org/archives/dev/2020-August/177257.html.
 
-* security: The API ``rte_security_session_create`` takes only single mempool
-  for session and session private data. So the application need to create
-  mempool for twice the number of sessions needed and will also lead to
-  wastage of memory as session private data need more memory compared to session.
-  Hence the API will be modified to take two mempool pointers - one for session
-  and one for private data.
-
 * cryptodev: support for using IV with all sizes is added, J0 still can
   be used but only when IV length in following structs ``rte_crypto_auth_xform``,
   ``rte_crypto_aead_xform`` is set to zero. When IV length is greater or equal
diff --git a/doc/guides/rel_notes/release_20_11.rst b/doc/guides/rel_notes/release_20_11.rst
index 48717ee53..03ef28b68 100644
--- a/doc/guides/rel_notes/release_20_11.rst
+++ b/doc/guides/rel_notes/release_20_11.rst
@@ -404,6 +404,12 @@ API Changes
   ``uint32_t`` to ``uint8_t`` so that a new field ``sdap_enabled`` can be added
   to support SDAP.
 
+* security: The API ``rte_security_session_create`` is updated to take two
+  mempool objects one for session and other for session private data.
+  So the application need to create two mempools and get the size of session
+  private data using API ``rte_security_session_get_size`` for private session
+  mempool.
+
 * ipsec: ``RTE_SATP_LOG2_NUM`` has been dropped from ``enum`` and
   subsequently moved ``rte_ipsec`` lib from experimental to stable.
 
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 60132c4bd..2326089bb 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -2348,12 +2348,8 @@ session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t sess_sz)
 
 	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
 			"sess_mp_%u", socket_id);
-	/*
-	 * Doubled due to rte_security_session_create() uses one mempool for
-	 * session and for session private data.
-	 */
 	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
-		rte_lcore_count()) * 2;
+		rte_lcore_count());
 	sess_mp = rte_cryptodev_sym_session_pool_create(
 			mp_name, nb_sess, sess_sz, CDEV_MP_CACHE_SZ, 0,
 			socket_id);
@@ -2376,12 +2372,8 @@ session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id,
 
 	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
 			"sess_mp_priv_%u", socket_id);
-	/*
-	 * Doubled due to rte_security_session_create() uses one mempool for
-	 * session and for session private data.
-	 */
 	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
-		rte_lcore_count()) * 2;
+		rte_lcore_count());
 	sess_mp = rte_mempool_create(mp_name,
 			nb_sess,
 			sess_sz,
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 01faa7ac7..6baeeb342 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -117,7 +117,8 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
 			set_ipsec_conf(sa, &(sess_conf.ipsec));
 
 			ips->security.ses = rte_security_session_create(ctx,
-					&sess_conf, ipsec_ctx->session_priv_pool);
+					&sess_conf, ipsec_ctx->session_pool,
+					ipsec_ctx->session_priv_pool);
 			if (ips->security.ses == NULL) {
 				RTE_LOG(ERR, IPSEC,
 				"SEC Session init failed: err: %d\n", ret);
@@ -198,7 +199,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
 		}
 
 		ips->security.ses = rte_security_session_create(sec_ctx,
-				&sess_conf, skt_ctx->session_pool);
+				&sess_conf, skt_ctx->session_pool,
+				skt_ctx->session_priv_pool);
 		if (ips->security.ses == NULL) {
 			RTE_LOG(ERR, IPSEC,
 				"SEC Session init failed: err: %d\n", ret);
@@ -378,7 +380,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
 		sess_conf.userdata = (void *) sa;
 
 		ips->security.ses = rte_security_session_create(sec_ctx,
-					&sess_conf, skt_ctx->session_pool);
+					&sess_conf, skt_ctx->session_pool,
+					skt_ctx->session_priv_pool);
 		if (ips->security.ses == NULL) {
 			RTE_LOG(ERR, IPSEC,
 				"SEC Session init failed: err: %d\n", ret);
diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
index 515c29e04..ee4666026 100644
--- a/lib/librte_security/rte_security.c
+++ b/lib/librte_security/rte_security.c
@@ -26,18 +26,21 @@
 struct rte_security_session *
 rte_security_session_create(struct rte_security_ctx *instance,
 			    struct rte_security_session_conf *conf,
-			    struct rte_mempool *mp)
+			    struct rte_mempool *mp,
+			    struct rte_mempool *priv_mp)
 {
 	struct rte_security_session *sess = NULL;
 
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_create, NULL, NULL);
 	RTE_PTR_OR_ERR_RET(conf, NULL);
 	RTE_PTR_OR_ERR_RET(mp, NULL);
+	RTE_PTR_OR_ERR_RET(priv_mp, NULL);
 
 	if (rte_mempool_get(mp, (void **)&sess))
 		return NULL;
 
-	if (instance->ops->session_create(instance->device, conf, sess, mp)) {
+	if (instance->ops->session_create(instance->device, conf,
+				sess, priv_mp)) {
 		rte_mempool_put(mp, (void *)sess);
 		return NULL;
 	}
diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index c259b35e0..271531af1 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -394,6 +394,7 @@ struct rte_security_session {
  * @param   instance	security instance
  * @param   conf	session configuration parameters
  * @param   mp		mempool to allocate session objects from
+ * @param   priv_mp	mempool to allocate session private data objects from
  * @return
  *  - On success, pointer to session
  *  - On failure, NULL
@@ -401,7 +402,8 @@ struct rte_security_session {
 struct rte_security_session *
 rte_security_session_create(struct rte_security_ctx *instance,
 			    struct rte_security_session_conf *conf,
-			    struct rte_mempool *mp);
+			    struct rte_mempool *mp,
+			    struct rte_mempool *priv_mp);
 
 /**
  * Update security session as specified by the session configuration
-- 
2.17.1


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH v4] security: update session create API
  2020-10-17 11:50       ` [dpdk-dev] [PATCH v4] " Akhil Goyal
@ 2020-10-17 13:13         ` Lukasz Wojciechowski
  2020-10-18  8:47           ` Akhil Goyal
  2020-10-18  9:40         ` [dpdk-dev] [PATCH v5] " Akhil Goyal
  1 sibling, 1 reply; 21+ messages in thread
From: Lukasz Wojciechowski @ 2020-10-17 13:13 UTC (permalink / raw)
  To: Akhil Goyal, dev
  Cc: thomas, mdr, anoobj, hemant.agrawal, konstantin.ananyev,
	declan.doherty, radu.nicolau, david.coyle,
	\"'Lukasz Wojciechowski'\",

Hi Akhil,

just one more thing, rest looks good

<snip>
> diff --git a/app/test/test_security.c b/app/test/test_security.c
> index 77fd5adc6..62e4991eb 100644
> --- a/app/test/test_security.c
> +++ b/app/test/test_security.c
> @@ -363,8 +392,13 @@ static struct mock_session_destroy_data {
>   static int
>   mock_session_destroy(void *device, struct rte_security_session *sess)
>   {
> -	mock_session_destroy_exp.called++;
> +	void *sess_priv = get_sec_session_private_data(sess);
>   
> +	mock_session_destroy_exp.called++;
> +	if ((mock_session_create_exp.ret == 0) && (sess_priv != NULL)) {
mock_session_destroy_exp.ret
> +		rte_mempool_put(rte_mempool_from_obj(sess_priv), sess_priv);
> +		set_sec_session_private_data(sess, NULL);
> +	}
>   	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_exp, device);
>   	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_exp, sess);
>   
<snip>
> @@ -1371,6 +1492,7 @@ test_session_destroy_ops_failure(void)
>   	mock_session_destroy_exp.ret = -1;
>   
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	int ret = rte_security_session_destroy(&ut_params->ctx,
> @@ -1396,6 +1518,7 @@ test_session_destroy_success(void)
>   	mock_session_destroy_exp.sess = ut_params->sess;
>   	mock_session_destroy_exp.ret = 0;
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	int ret = rte_security_session_destroy(&ut_params->ctx,
>   			ut_params->sess);
> 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_destroy,
> 			ret, -1, "%d");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 1);
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
nit: you can add and assertion here as well: TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>
> 	return TEST_SUCCESS;
> }
>   
<snip>

-- 
Lukasz Wojciechowski
Principal Software Engineer

Samsung R&D Institute Poland
Samsung Electronics
Office +48 22 377 88 25
l.wojciechow@partner.samsung.com


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH v4] security: update session create API
  2020-10-17 13:13         ` Lukasz Wojciechowski
@ 2020-10-18  8:47           ` Akhil Goyal
  2020-10-18  9:30             ` Lukasz Wojciechowski
  0 siblings, 1 reply; 21+ messages in thread
From: Akhil Goyal @ 2020-10-18  8:47 UTC (permalink / raw)
  To: Lukasz Wojciechowski, dev, thomas, anoobj, konstantin.ananyev
  Cc: mdr, Hemant Agrawal, declan.doherty, radu.nicolau, david.coyle

Hi Lukasz,
> Hi Akhil,
> 
> just one more thing, rest looks good
> 
> <snip>
> > diff --git a/app/test/test_security.c b/app/test/test_security.c
> > index 77fd5adc6..62e4991eb 100644
> > --- a/app/test/test_security.c
> > +++ b/app/test/test_security.c
> > @@ -363,8 +392,13 @@ static struct mock_session_destroy_data {
> >   static int
> >   mock_session_destroy(void *device, struct rte_security_session *sess)
> >   {
> > -	mock_session_destroy_exp.called++;
> > +	void *sess_priv = get_sec_session_private_data(sess);
> >
> > +	mock_session_destroy_exp.called++;
> > +	if ((mock_session_create_exp.ret == 0) && (sess_priv != NULL)) {
> mock_session_destroy_exp.ret
> > +		rte_mempool_put(rte_mempool_from_obj(sess_priv),
> sess_priv);
> > +		set_sec_session_private_data(sess, NULL);
> > +	}
> >
> 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_ex
> p, device);
> >
> 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_ex
> p, sess);
> >
> <snip>
> > @@ -1371,6 +1492,7 @@ test_session_destroy_ops_failure(void)
> >   	mock_session_destroy_exp.ret = -1;
> >
> >   	TEST_ASSERT_MEMPOOL_USAGE(1);
> > +	TEST_ASSERT_PRIV_MP_USAGE(1);
> >   	TEST_ASSERT_SESSION_COUNT(1);
> >
> >   	int ret = rte_security_session_destroy(&ut_params->ctx,
> > @@ -1396,6 +1518,7 @@ test_session_destroy_success(void)
> >   	mock_session_destroy_exp.sess = ut_params->sess;
> >   	mock_session_destroy_exp.ret = 0;
> >   	TEST_ASSERT_MEMPOOL_USAGE(1);
> > +	TEST_ASSERT_PRIV_MP_USAGE(1);
> >   	TEST_ASSERT_SESSION_COUNT(1);
> >
> >   	int ret = rte_security_session_destroy(&ut_params->ctx,
> >   			ut_params->sess);
> >
> 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_destr
> oy,
> > 			ret, -1, "%d");
> >   	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 1);
> >   	TEST_ASSERT_MEMPOOL_USAGE(1);
> nit: you can add and assertion here as well: TEST_ASSERT_PRIV_MP_USAGE(1);

Thanks for the review of the patch.

This is causing the test to fail. And I cannot spend more time in debugging this right now.
Since we are approaching RC1 deadline and the intent of the patch is to add a new
Parameter in session create API and which is complete. The issue is with the security
Tests which are trying to create mock driver APIs with no real usage.

Hence, I reckon we can go ahead with this patch in RC1 and fix it later.


@thomas@monjalon.net, @anoobj@marvell.com, @Ananyev, Konstantin.
Any thoughts from your side?

Regards,
Akhil



^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH v4] security: update session create API
  2020-10-18  8:47           ` Akhil Goyal
@ 2020-10-18  9:30             ` Lukasz Wojciechowski
  2020-10-18  9:37               ` Lukasz Wojciechowski
  2020-10-18  9:42               ` Akhil Goyal
  0 siblings, 2 replies; 21+ messages in thread
From: Lukasz Wojciechowski @ 2020-10-18  9:30 UTC (permalink / raw)
  To: Akhil Goyal, dev, thomas, anoobj, konstantin.ananyev
  Cc: mdr, Hemant Agrawal, declan.doherty, radu.nicolau, david.coyle,
	\"'Lukasz Wojciechowski'\",

Hi Akhil,

If you replace mock_session_create_exp.ret with mock_session_destroy_exp.ret
in mock_session_destroy() everything works fine and all test cases pass.

W dniu 18.10.2020 o 10:47, Akhil Goyal pisze:
> Hi Lukasz,
>> Hi Akhil,
>>
>> just one more thing, rest looks good
>>
>> <snip>
>>> diff --git a/app/test/test_security.c b/app/test/test_security.c
>>> index 77fd5adc6..62e4991eb 100644
>>> --- a/app/test/test_security.c
>>> +++ b/app/test/test_security.c
>>> @@ -363,8 +392,13 @@ static struct mock_session_destroy_data {
>>>    static int
>>>    mock_session_destroy(void *device, struct rte_security_session *sess)
>>>    {
>>> -	mock_session_destroy_exp.called++;
>>> +	void *sess_priv = get_sec_session_private_data(sess);
>>>
>>> +	mock_session_destroy_exp.called++;
>>> +	if ((mock_session_create_exp.ret == 0) && (sess_priv != NULL)) {
>> mock_session_destroy_exp.ret
Here is the place you need to change. Sorry that my comment was not 
clear enough.
>>> +		rte_mempool_put(rte_mempool_from_obj(sess_priv),
>> sess_priv);
>>> +		set_sec_session_private_data(sess, NULL);
>>> +	}
>>>
>> 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_ex
>> p, device);
>> 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_ex
>> p, sess);
>> <snip>
>>> @@ -1371,6 +1492,7 @@ test_session_destroy_ops_failure(void)
>>>    	mock_session_destroy_exp.ret = -1;
>>>
>>>    	TEST_ASSERT_MEMPOOL_USAGE(1);
>>> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>>>    	TEST_ASSERT_SESSION_COUNT(1);
>>>
>>>    	int ret = rte_security_session_destroy(&ut_params->ctx,
>>> @@ -1396,6 +1518,7 @@ test_session_destroy_success(void)
>>>    	mock_session_destroy_exp.sess = ut_params->sess;
>>>    	mock_session_destroy_exp.ret = 0;
>>>    	TEST_ASSERT_MEMPOOL_USAGE(1);
>>> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>>>    	TEST_ASSERT_SESSION_COUNT(1);
>>>
>>>    	int ret = rte_security_session_destroy(&ut_params->ctx,
>>>    			ut_params->sess);
>>>
>> 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_destr
>> oy,
>>> 			ret, -1, "%d");
>>>    	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 1);
>>>    	TEST_ASSERT_MEMPOOL_USAGE(1);
>> nit: you can add and assertion here as well: TEST_ASSERT_PRIV_MP_USAGE(1);
> Thanks for the review of the patch.
>
> This is causing the test to fail. And I cannot spend more time in debugging this right now.
> Since we are approaching RC1 deadline and the intent of the patch is to add a new
> Parameter in session create API and which is complete. The issue is with the security
> Tests which are trying to create mock driver APIs with no real usage.
>
> Hence, I reckon we can go ahead with this patch in RC1 and fix it later.
>
>
> @thomas@monjalon.net, @anoobj@marvell.com, @Ananyev, Konstantin.
> Any thoughts from your side?
>
> Regards,
> Akhil
>
>
-- 
Lukasz Wojciechowski
Principal Software Engineer

Samsung R&D Institute Poland
Samsung Electronics
Office +48 22 377 88 25
l.wojciechow@partner.samsung.com


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH v4] security: update session create API
  2020-10-18  9:30             ` Lukasz Wojciechowski
@ 2020-10-18  9:37               ` Lukasz Wojciechowski
  2020-10-18  9:42               ` Akhil Goyal
  1 sibling, 0 replies; 21+ messages in thread
From: Lukasz Wojciechowski @ 2020-10-18  9:37 UTC (permalink / raw)
  To: Akhil Goyal, dev, thomas, anoobj, konstantin.ananyev
  Cc: mdr, Hemant Agrawal, declan.doherty, radu.nicolau, david.coyle,
	\"'Lukasz Wojciechowski'\",

Just to be clear, these are the changes that will fix v4:

diff --git a/app/test/test_security.c b/app/test/test_security.c
index 62e4991eb..060cf1ffa 100644
--- a/app/test/test_security.c
+++ b/app/test/test_security.c
@@ -395,7 +395,7 @@ mock_session_destroy(void *device, struct 
rte_security_session *sess)
         void *sess_priv = get_sec_session_private_data(sess);

         mock_session_destroy_exp.called++;
-       if ((mock_session_create_exp.ret == 0) && (sess_priv != NULL)) {
+       if ((mock_session_destroy_exp.ret == 0) && (sess_priv != NULL)) {
rte_mempool_put(rte_mempool_from_obj(sess_priv), sess_priv);
                 set_sec_session_private_data(sess, NULL);
         }
@@ -1501,6 +1501,7 @@ test_session_destroy_ops_failure(void)
                         ret, -1, "%d");
         TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 1);
         TEST_ASSERT_MEMPOOL_USAGE(1);
+       TEST_ASSERT_PRIV_MP_USAGE(1);
         TEST_ASSERT_SESSION_COUNT(1);

         return TEST_SUCCESS;

Best regards
Lukasz

W dniu 18.10.2020 o 11:30, Lukasz Wojciechowski pisze:
> Hi Akhil,
>
> If you replace mock_session_create_exp.ret with mock_session_destroy_exp.ret
> in mock_session_destroy() everything works fine and all test cases pass.
>
> W dniu 18.10.2020 o 10:47, Akhil Goyal pisze:
>> Hi Lukasz,
>>> Hi Akhil,
>>>
>>> just one more thing, rest looks good
>>>
>>> <snip>
>>>> diff --git a/app/test/test_security.c b/app/test/test_security.c
>>>> index 77fd5adc6..62e4991eb 100644
>>>> --- a/app/test/test_security.c
>>>> +++ b/app/test/test_security.c
>>>> @@ -363,8 +392,13 @@ static struct mock_session_destroy_data {
>>>>     static int
>>>>     mock_session_destroy(void *device, struct rte_security_session *sess)
>>>>     {
>>>> -	mock_session_destroy_exp.called++;
>>>> +	void *sess_priv = get_sec_session_private_data(sess);
>>>>
>>>> +	mock_session_destroy_exp.called++;
>>>> +	if ((mock_session_create_exp.ret == 0) && (sess_priv != NULL)) {
>>> mock_session_destroy_exp.ret
> Here is the place you need to change. Sorry that my comment was not
> clear enough.
>>>> +		rte_mempool_put(rte_mempool_from_obj(sess_priv),
>>> sess_priv);
>>>> +		set_sec_session_private_data(sess, NULL);
>>>> +	}
>>>>
>>> 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_ex
>>> p, device);
>>> 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_ex
>>> p, sess);
>>> <snip>
>>>> @@ -1371,6 +1492,7 @@ test_session_destroy_ops_failure(void)
>>>>     	mock_session_destroy_exp.ret = -1;
>>>>
>>>>     	TEST_ASSERT_MEMPOOL_USAGE(1);
>>>> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>>>>     	TEST_ASSERT_SESSION_COUNT(1);
>>>>
>>>>     	int ret = rte_security_session_destroy(&ut_params->ctx,
>>>> @@ -1396,6 +1518,7 @@ test_session_destroy_success(void)
>>>>     	mock_session_destroy_exp.sess = ut_params->sess;
>>>>     	mock_session_destroy_exp.ret = 0;
>>>>     	TEST_ASSERT_MEMPOOL_USAGE(1);
>>>> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>>>>     	TEST_ASSERT_SESSION_COUNT(1);
>>>>
>>>>     	int ret = rte_security_session_destroy(&ut_params->ctx,
>>>>     			ut_params->sess);
>>>>
>>> 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_destr
>>> oy,
>>>> 			ret, -1, "%d");
>>>>     	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 1);
>>>>     	TEST_ASSERT_MEMPOOL_USAGE(1);
>>> nit: you can add and assertion here as well: TEST_ASSERT_PRIV_MP_USAGE(1);
>> Thanks for the review of the patch.
>>
>> This is causing the test to fail. And I cannot spend more time in debugging this right now.
>> Since we are approaching RC1 deadline and the intent of the patch is to add a new
>> Parameter in session create API and which is complete. The issue is with the security
>> Tests which are trying to create mock driver APIs with no real usage.
>>
>> Hence, I reckon we can go ahead with this patch in RC1 and fix it later.
>>
>>
>> @thomas@monjalon.net, @anoobj@marvell.com, @Ananyev, Konstantin.
>> Any thoughts from your side?
>>
>> Regards,
>> Akhil
>>
>>
-- 
Lukasz Wojciechowski
Principal Software Engineer

Samsung R&D Institute Poland
Samsung Electronics
Office +48 22 377 88 25
l.wojciechow@partner.samsung.com


^ permalink raw reply	[flat|nested] 21+ messages in thread

* [dpdk-dev] [PATCH v5] security: update session create API
  2020-10-17 11:50       ` [dpdk-dev] [PATCH v4] " Akhil Goyal
  2020-10-17 13:13         ` Lukasz Wojciechowski
@ 2020-10-18  9:40         ` " Akhil Goyal
  2020-10-18 11:03           ` Lukasz Wojciechowski
  1 sibling, 1 reply; 21+ messages in thread
From: Akhil Goyal @ 2020-10-18  9:40 UTC (permalink / raw)
  To: dev
  Cc: thomas, mdr, anoobj, hemant.agrawal, konstantin.ananyev,
	declan.doherty, radu.nicolau, david.coyle, l.wojciechow,
	Akhil Goyal

The API ``rte_security_session_create`` takes only single
mempool for session and session private data. So the
application need to create mempool for twice the number of
sessions needed and will also lead to wastage of memory as
session private data need more memory compared to session.
Hence the API is modified to take two mempool pointers
- one for session and one for private data.
This is very similar to crypto based session create APIs.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
---
Changes in v5:
fixed security test.

Changes in v4:
rebase on TOT
addressed comments from Lukasz on v3

Changes in v3:
fixed checkpatch issues.
Added new test in test_security.c for priv_mempool

Changes in V2:
incorporated comments from Lukasz and David.


 app/test-crypto-perf/cperf_ops.c       |   4 +-
 app/test-crypto-perf/main.c            |  12 +-
 app/test/test_cryptodev.c              |  18 ++-
 app/test/test_ipsec.c                  |   3 +-
 app/test/test_security.c               | 167 ++++++++++++++++++++++---
 doc/guides/prog_guide/rte_security.rst |   8 +-
 doc/guides/rel_notes/deprecation.rst   |   7 --
 doc/guides/rel_notes/release_20_11.rst |   6 +
 examples/ipsec-secgw/ipsec-secgw.c     |  12 +-
 examples/ipsec-secgw/ipsec.c           |   9 +-
 lib/librte_security/rte_security.c     |   7 +-
 lib/librte_security/rte_security.h     |   4 +-
 12 files changed, 202 insertions(+), 55 deletions(-)

diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c
index 3da835a9c..3a64a2c34 100644
--- a/app/test-crypto-perf/cperf_ops.c
+++ b/app/test-crypto-perf/cperf_ops.c
@@ -621,7 +621,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
 
 		/* Create security session */
 		return (void *)rte_security_session_create(ctx,
-					&sess_conf, sess_mp);
+					&sess_conf, sess_mp, priv_mp);
 	}
 	if (options->op_type == CPERF_DOCSIS) {
 		enum rte_security_docsis_direction direction;
@@ -664,7 +664,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
 
 		/* Create security session */
 		return (void *)rte_security_session_create(ctx,
-					&sess_conf, priv_mp);
+					&sess_conf, sess_mp, priv_mp);
 	}
 #endif
 	sess = rte_cryptodev_sym_session_create(sess_mp);
diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
index 62ae6048b..53864ffdd 100644
--- a/app/test-crypto-perf/main.c
+++ b/app/test-crypto-perf/main.c
@@ -156,7 +156,14 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
 		if (sess_size > max_sess_size)
 			max_sess_size = sess_size;
 	}
-
+#ifdef RTE_LIBRTE_SECURITY
+	for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {
+		sess_size = rte_security_session_get_size(
+				rte_cryptodev_get_sec_ctx(cdev_id));
+		if (sess_size > max_sess_size)
+			max_sess_size = sess_size;
+	}
+#endif
 	/*
 	 * Calculate number of needed queue pairs, based on the amount
 	 * of available number of logical cores and crypto devices.
@@ -247,8 +254,7 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
 				opts->nb_qps * nb_slaves;
 #endif
 		} else
-			sessions_needed = enabled_cdev_count *
-						opts->nb_qps * 2;
+			sessions_needed = enabled_cdev_count * opts->nb_qps;
 
 		/*
 		 * A single session is required per queue pair
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 1d4c46f08..3afc1d809 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -782,9 +782,15 @@ testsuite_setup(void)
 	unsigned int session_size =
 		rte_cryptodev_sym_get_private_session_size(dev_id);
 
+#ifdef RTE_LIBRTE_SECURITY
+	unsigned int security_session_size = rte_security_session_get_size(
+			rte_cryptodev_get_sec_ctx(dev_id));
+
+	if (session_size < security_session_size)
+		session_size = security_session_size;
+#endif
 	/*
-	 * Create mempool with maximum number of sessions * 2,
-	 * to include the session headers
+	 * Create mempool with maximum number of sessions.
 	 */
 	if (info.sym.max_nb_sessions != 0 &&
 			info.sym.max_nb_sessions < MAX_NB_SESSIONS) {
@@ -7762,7 +7768,8 @@ static int test_pdcp_proto(int i, int oop, enum rte_crypto_cipher_operation opc,
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx,
-				&sess_conf, ts_params->session_priv_mpool);
+				&sess_conf, ts_params->session_mpool,
+				ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
 		printf("TestCase %s()-%d line %d failed %s: ",
@@ -8022,7 +8029,8 @@ test_pdcp_proto_SGL(int i, int oop,
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx,
-				&sess_conf, ts_params->session_priv_mpool);
+				&sess_conf, ts_params->session_mpool,
+				ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
 		printf("TestCase %s()-%d line %d failed %s: ",
@@ -8488,6 +8496,7 @@ test_docsis_proto_uplink(int i, struct docsis_test_data *d_td)
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+					ts_params->session_mpool,
 					ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
@@ -8663,6 +8672,7 @@ test_docsis_proto_downlink(int i, struct docsis_test_data *d_td)
 
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+					ts_params->session_mpool,
 					ts_params->session_priv_mpool);
 
 	if (!ut_params->sec_session) {
diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
index 79d00d7e0..9ad07a179 100644
--- a/app/test/test_ipsec.c
+++ b/app/test/test_ipsec.c
@@ -632,7 +632,8 @@ create_dummy_sec_session(struct ipsec_unitest_params *ut,
 	static struct rte_security_session_conf conf;
 
 	ut->ss[j].security.ses = rte_security_session_create(&dummy_sec_ctx,
-					&conf, qp->mp_session_private);
+					&conf, qp->mp_session,
+					qp->mp_session_private);
 
 	if (ut->ss[j].security.ses == NULL)
 		return -ENOMEM;
diff --git a/app/test/test_security.c b/app/test/test_security.c
index 77fd5adc6..060cf1ffa 100644
--- a/app/test/test_security.c
+++ b/app/test/test_security.c
@@ -200,6 +200,24 @@
 			expected_mempool_usage, mempool_usage);		\
 } while (0)
 
+/**
+ * Verify usage of mempool by checking if number of allocated objects matches
+ * expectations. The mempool is used to manage objects for sessions priv data.
+ * A single object is acquired from mempool during session_create
+ * and put back in session_destroy.
+ *
+ * @param   expected_priv_mp_usage	expected number of used priv mp objects
+ */
+#define TEST_ASSERT_PRIV_MP_USAGE(expected_priv_mp_usage) do {		\
+	struct security_testsuite_params *ts_params = &testsuite_params;\
+	unsigned int priv_mp_usage;					\
+	priv_mp_usage = rte_mempool_in_use_count(			\
+			ts_params->session_priv_mpool);			\
+	TEST_ASSERT_EQUAL(expected_priv_mp_usage, priv_mp_usage,	\
+			"Expecting %u priv mempool allocations, "	\
+			"but there are %u allocated objects",		\
+			expected_priv_mp_usage, priv_mp_usage);		\
+} while (0)
 
 /**
  * Mockup structures and functions for rte_security_ops;
@@ -237,26 +255,37 @@ static struct mock_session_create_data {
 	struct rte_security_session_conf *conf;
 	struct rte_security_session *sess;
 	struct rte_mempool *mp;
+	struct rte_mempool *priv_mp;
 
 	int ret;
 
 	int called;
 	int failed;
-} mock_session_create_exp = {NULL, NULL, NULL, NULL, 0, 0, 0};
+} mock_session_create_exp = {NULL, NULL, NULL, NULL, NULL, 0, 0, 0};
 
 static int
 mock_session_create(void *device,
 		struct rte_security_session_conf *conf,
 		struct rte_security_session *sess,
-		struct rte_mempool *mp)
+		struct rte_mempool *priv_mp)
 {
+	void *sess_priv;
+	int ret;
+
 	mock_session_create_exp.called++;
 
 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, device);
 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, conf);
-	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, mp);
+	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, priv_mp);
+
+	if (mock_session_create_exp.ret == 0) {
+		ret = rte_mempool_get(priv_mp, &sess_priv);
+		TEST_ASSERT_EQUAL(0, ret,
+			"priv mempool does not have enough objects");
 
-	mock_session_create_exp.sess = sess;
+		set_sec_session_private_data(sess, sess_priv);
+		mock_session_create_exp.sess = sess;
+	}
 
 	return mock_session_create_exp.ret;
 }
@@ -363,8 +392,13 @@ static struct mock_session_destroy_data {
 static int
 mock_session_destroy(void *device, struct rte_security_session *sess)
 {
-	mock_session_destroy_exp.called++;
+	void *sess_priv = get_sec_session_private_data(sess);
 
+	mock_session_destroy_exp.called++;
+	if ((mock_session_destroy_exp.ret == 0) && (sess_priv != NULL)) {
+		rte_mempool_put(rte_mempool_from_obj(sess_priv), sess_priv);
+		set_sec_session_private_data(sess, NULL);
+	}
 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_exp, device);
 	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_exp, sess);
 
@@ -502,6 +536,7 @@ struct rte_security_ops mock_ops = {
  */
 static struct security_testsuite_params {
 	struct rte_mempool *session_mpool;
+	struct rte_mempool *session_priv_mpool;
 } testsuite_params = { NULL };
 
 /**
@@ -524,9 +559,11 @@ static struct security_unittest_params {
 	.sess = NULL,
 };
 
-#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestsMempoolName"
+#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestMp"
+#define SECURITY_TEST_PRIV_MEMPOOL_NAME "SecurityTestPrivMp"
 #define SECURITY_TEST_MEMPOOL_SIZE 15
-#define SECURITY_TEST_SESSION_OBJECT_SIZE sizeof(struct rte_security_session)
+#define SECURITY_TEST_SESSION_OBJ_SZ sizeof(struct rte_security_session)
+#define SECURITY_TEST_SESSION_PRIV_OBJ_SZ 64
 
 /**
  * testsuite_setup initializes whole test suite parameters.
@@ -540,11 +577,27 @@ testsuite_setup(void)
 	ts_params->session_mpool = rte_mempool_create(
 			SECURITY_TEST_MEMPOOL_NAME,
 			SECURITY_TEST_MEMPOOL_SIZE,
-			SECURITY_TEST_SESSION_OBJECT_SIZE,
+			SECURITY_TEST_SESSION_OBJ_SZ,
 			0, 0, NULL, NULL, NULL, NULL,
 			SOCKET_ID_ANY, 0);
 	TEST_ASSERT_NOT_NULL(ts_params->session_mpool,
 			"Cannot create mempool %s\n", rte_strerror(rte_errno));
+
+	ts_params->session_priv_mpool = rte_mempool_create(
+			SECURITY_TEST_PRIV_MEMPOOL_NAME,
+			SECURITY_TEST_MEMPOOL_SIZE,
+			SECURITY_TEST_SESSION_PRIV_OBJ_SZ,
+			0, 0, NULL, NULL, NULL, NULL,
+			SOCKET_ID_ANY, 0);
+	if (ts_params->session_priv_mpool == NULL) {
+		RTE_LOG(ERR, USER1, "TestCase %s() line %d failed (null): "
+				"Cannot create priv mempool %s\n",
+				__func__, __LINE__, rte_strerror(rte_errno));
+		rte_mempool_free(ts_params->session_mpool);
+		ts_params->session_mpool = NULL;
+		return TEST_FAILED;
+	}
+
 	return TEST_SUCCESS;
 }
 
@@ -559,6 +612,10 @@ testsuite_teardown(void)
 		rte_mempool_free(ts_params->session_mpool);
 		ts_params->session_mpool = NULL;
 	}
+	if (ts_params->session_priv_mpool) {
+		rte_mempool_free(ts_params->session_priv_mpool);
+		ts_params->session_priv_mpool = NULL;
+	}
 }
 
 /**
@@ -656,10 +713,12 @@ ut_setup_with_session(void)
 	mock_session_create_exp.device = NULL;
 	mock_session_create_exp.conf = &ut_params->conf;
 	mock_session_create_exp.mp = ts_params->session_mpool;
+	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
 	mock_session_create_exp.ret = 0;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
 			sess);
 	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
@@ -701,11 +760,13 @@ test_session_create_inv_context(void)
 	struct rte_security_session *sess;
 
 	sess = rte_security_session_create(NULL, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
@@ -725,11 +786,13 @@ test_session_create_inv_context_ops(void)
 	ut_params->ctx.ops = NULL;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
@@ -749,11 +812,13 @@ test_session_create_inv_context_ops_fun(void)
 	ut_params->ctx.ops = &empty_ops;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
@@ -770,31 +835,59 @@ test_session_create_inv_configuration(void)
 	struct rte_security_session *sess;
 
 	sess = rte_security_session_create(&ut_params->ctx, NULL,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
 }
 
 /**
- * Test execution of rte_security_session_create with NULL mp parameter
+ * Test execution of rte_security_session_create with NULL session
+ * mempool
  */
 static int
 test_session_create_inv_mempool(void)
 {
 	struct security_unittest_params *ut_params = &unittest_params;
+	struct security_testsuite_params *ts_params = &testsuite_params;
 	struct rte_security_session *sess;
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			NULL);
+			NULL, ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
+	TEST_ASSERT_SESSION_COUNT(0);
+
+	return TEST_SUCCESS;
+}
+
+/**
+ * Test execution of rte_security_session_create with NULL session
+ * priv mempool
+ */
+static int
+test_session_create_inv_sess_priv_mempool(void)
+{
+	struct security_unittest_params *ut_params = &unittest_params;
+	struct security_testsuite_params *ts_params = &testsuite_params;
+	struct rte_security_session *sess;
+
+	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
+			ts_params->session_mpool, NULL);
+	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
+			sess, NULL, "%p");
+	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
+	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
@@ -810,6 +903,7 @@ test_session_create_mempool_empty(void)
 	struct security_testsuite_params *ts_params = &testsuite_params;
 	struct security_unittest_params *ut_params = &unittest_params;
 	struct rte_security_session *tmp[SECURITY_TEST_MEMPOOL_SIZE];
+	void *tmp1[SECURITY_TEST_MEMPOOL_SIZE];
 	struct rte_security_session *sess;
 
 	/* Get all available objects from mempool. */
@@ -820,21 +914,34 @@ test_session_create_mempool_empty(void)
 		TEST_ASSERT_EQUAL(0, ret,
 				"Expect getting %d object from mempool"
 				" to succeed", i);
+		ret = rte_mempool_get(ts_params->session_priv_mpool,
+				(void **)(&tmp1[i]));
+		TEST_ASSERT_EQUAL(0, ret,
+				"Expect getting %d object from priv mempool"
+				" to succeed", i);
 	}
 	TEST_ASSERT_MEMPOOL_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
+	TEST_ASSERT_PRIV_MP_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
+	TEST_ASSERT_PRIV_MP_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	/* Put objects back to the pool. */
-	for (i = 0; i < SECURITY_TEST_MEMPOOL_SIZE; ++i)
-		rte_mempool_put(ts_params->session_mpool, (void *)(tmp[i]));
+	for (i = 0; i < SECURITY_TEST_MEMPOOL_SIZE; ++i) {
+		rte_mempool_put(ts_params->session_mpool,
+				(void *)(tmp[i]));
+		rte_mempool_put(ts_params->session_priv_mpool,
+				(tmp1[i]));
+	}
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 
 	return TEST_SUCCESS;
 }
@@ -853,14 +960,17 @@ test_session_create_ops_failure(void)
 	mock_session_create_exp.device = NULL;
 	mock_session_create_exp.conf = &ut_params->conf;
 	mock_session_create_exp.mp = ts_params->session_mpool;
+	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
 	mock_session_create_exp.ret = -1;	/* Return failure status. */
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
 			sess, NULL, "%p");
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 1);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	return TEST_SUCCESS;
@@ -879,10 +989,12 @@ test_session_create_success(void)
 	mock_session_create_exp.device = NULL;
 	mock_session_create_exp.conf = &ut_params->conf;
 	mock_session_create_exp.mp = ts_params->session_mpool;
+	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
 	mock_session_create_exp.ret = 0;	/* Return success status. */
 
 	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
-			ts_params->session_mpool);
+			ts_params->session_mpool,
+			ts_params->session_priv_mpool);
 	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
 			sess);
 	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
@@ -891,6 +1003,7 @@ test_session_create_success(void)
 			sess, mock_session_create_exp.sess);
 	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 1);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	/*
@@ -1276,6 +1389,7 @@ test_session_destroy_inv_context(void)
 	struct security_unittest_params *ut_params = &unittest_params;
 
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(NULL, ut_params->sess);
@@ -1283,6 +1397,7 @@ test_session_destroy_inv_context(void)
 			ret, -EINVAL, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	return TEST_SUCCESS;
@@ -1299,6 +1414,7 @@ test_session_destroy_inv_context_ops(void)
 	ut_params->ctx.ops = NULL;
 
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(&ut_params->ctx,
@@ -1307,6 +1423,7 @@ test_session_destroy_inv_context_ops(void)
 			ret, -EINVAL, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	return TEST_SUCCESS;
@@ -1323,6 +1440,7 @@ test_session_destroy_inv_context_ops_fun(void)
 	ut_params->ctx.ops = &empty_ops;
 
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(&ut_params->ctx,
@@ -1331,6 +1449,7 @@ test_session_destroy_inv_context_ops_fun(void)
 			ret, -ENOTSUP, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	return TEST_SUCCESS;
@@ -1345,6 +1464,7 @@ test_session_destroy_inv_session(void)
 	struct security_unittest_params *ut_params = &unittest_params;
 
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(&ut_params->ctx, NULL);
@@ -1352,6 +1472,7 @@ test_session_destroy_inv_session(void)
 			ret, -EINVAL, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	return TEST_SUCCESS;
@@ -1371,6 +1492,7 @@ test_session_destroy_ops_failure(void)
 	mock_session_destroy_exp.ret = -1;
 
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(&ut_params->ctx,
@@ -1379,6 +1501,7 @@ test_session_destroy_ops_failure(void)
 			ret, -1, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 1);
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	return TEST_SUCCESS;
@@ -1396,6 +1519,7 @@ test_session_destroy_success(void)
 	mock_session_destroy_exp.sess = ut_params->sess;
 	mock_session_destroy_exp.ret = 0;
 	TEST_ASSERT_MEMPOOL_USAGE(1);
+	TEST_ASSERT_PRIV_MP_USAGE(1);
 	TEST_ASSERT_SESSION_COUNT(1);
 
 	int ret = rte_security_session_destroy(&ut_params->ctx,
@@ -1404,6 +1528,7 @@ test_session_destroy_success(void)
 			ret, 0, "%d");
 	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 1);
 	TEST_ASSERT_MEMPOOL_USAGE(0);
+	TEST_ASSERT_PRIV_MP_USAGE(0);
 	TEST_ASSERT_SESSION_COUNT(0);
 
 	/*
@@ -2370,6 +2495,8 @@ static struct unit_test_suite security_testsuite  = {
 				test_session_create_inv_configuration),
 		TEST_CASE_ST(ut_setup, ut_teardown,
 				test_session_create_inv_mempool),
+		TEST_CASE_ST(ut_setup, ut_teardown,
+				test_session_create_inv_sess_priv_mempool),
 		TEST_CASE_ST(ut_setup, ut_teardown,
 				test_session_create_mempool_empty),
 		TEST_CASE_ST(ut_setup, ut_teardown,
diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 41c95aa52..c64aef3de 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -533,8 +533,12 @@ and this allows further acceleration of the offload of Crypto workloads.
 
 The Security framework provides APIs to create and free sessions for crypto/ethernet
 devices, where sessions are mempool objects. It is the application's responsibility
-to create and manage the session mempools. The mempool object size should be able to
-accommodate the driver's private data of security session.
+to create and manage two session mempools - one for session and other for session
+private data. The private session data mempool object size should be able to
+accommodate the driver's private data of security session. The application can get
+the size of session private data using API ``rte_security_session_get_size``.
+And the session mempool object size should be enough to accommodate
+``rte_security_session``.
 
 Once the session mempools have been created, ``rte_security_session_create()``
 is used to allocate and initialize a session for the required crypto/ethernet device.
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 6cbfd1184..000e82cce 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -164,13 +164,6 @@ Deprecation Notices
   following the IPv6 header, as proposed in RFC
   https://mails.dpdk.org/archives/dev/2020-August/177257.html.
 
-* security: The API ``rte_security_session_create`` takes only single mempool
-  for session and session private data. So the application need to create
-  mempool for twice the number of sessions needed and will also lead to
-  wastage of memory as session private data need more memory compared to session.
-  Hence the API will be modified to take two mempool pointers - one for session
-  and one for private data.
-
 * cryptodev: support for using IV with all sizes is added, J0 still can
   be used but only when IV length in following structs ``rte_crypto_auth_xform``,
   ``rte_crypto_aead_xform`` is set to zero. When IV length is greater or equal
diff --git a/doc/guides/rel_notes/release_20_11.rst b/doc/guides/rel_notes/release_20_11.rst
index 48717ee53..03ef28b68 100644
--- a/doc/guides/rel_notes/release_20_11.rst
+++ b/doc/guides/rel_notes/release_20_11.rst
@@ -404,6 +404,12 @@ API Changes
   ``uint32_t`` to ``uint8_t`` so that a new field ``sdap_enabled`` can be added
   to support SDAP.
 
+* security: The API ``rte_security_session_create`` is updated to take two
+  mempool objects one for session and other for session private data.
+  So the application need to create two mempools and get the size of session
+  private data using API ``rte_security_session_get_size`` for private session
+  mempool.
+
 * ipsec: ``RTE_SATP_LOG2_NUM`` has been dropped from ``enum`` and
   subsequently moved ``rte_ipsec`` lib from experimental to stable.
 
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 60132c4bd..2326089bb 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -2348,12 +2348,8 @@ session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t sess_sz)
 
 	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
 			"sess_mp_%u", socket_id);
-	/*
-	 * Doubled due to rte_security_session_create() uses one mempool for
-	 * session and for session private data.
-	 */
 	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
-		rte_lcore_count()) * 2;
+		rte_lcore_count());
 	sess_mp = rte_cryptodev_sym_session_pool_create(
 			mp_name, nb_sess, sess_sz, CDEV_MP_CACHE_SZ, 0,
 			socket_id);
@@ -2376,12 +2372,8 @@ session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id,
 
 	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
 			"sess_mp_priv_%u", socket_id);
-	/*
-	 * Doubled due to rte_security_session_create() uses one mempool for
-	 * session and for session private data.
-	 */
 	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
-		rte_lcore_count()) * 2;
+		rte_lcore_count());
 	sess_mp = rte_mempool_create(mp_name,
 			nb_sess,
 			sess_sz,
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 01faa7ac7..6baeeb342 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -117,7 +117,8 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
 			set_ipsec_conf(sa, &(sess_conf.ipsec));
 
 			ips->security.ses = rte_security_session_create(ctx,
-					&sess_conf, ipsec_ctx->session_priv_pool);
+					&sess_conf, ipsec_ctx->session_pool,
+					ipsec_ctx->session_priv_pool);
 			if (ips->security.ses == NULL) {
 				RTE_LOG(ERR, IPSEC,
 				"SEC Session init failed: err: %d\n", ret);
@@ -198,7 +199,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
 		}
 
 		ips->security.ses = rte_security_session_create(sec_ctx,
-				&sess_conf, skt_ctx->session_pool);
+				&sess_conf, skt_ctx->session_pool,
+				skt_ctx->session_priv_pool);
 		if (ips->security.ses == NULL) {
 			RTE_LOG(ERR, IPSEC,
 				"SEC Session init failed: err: %d\n", ret);
@@ -378,7 +380,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
 		sess_conf.userdata = (void *) sa;
 
 		ips->security.ses = rte_security_session_create(sec_ctx,
-					&sess_conf, skt_ctx->session_pool);
+					&sess_conf, skt_ctx->session_pool,
+					skt_ctx->session_priv_pool);
 		if (ips->security.ses == NULL) {
 			RTE_LOG(ERR, IPSEC,
 				"SEC Session init failed: err: %d\n", ret);
diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
index 515c29e04..ee4666026 100644
--- a/lib/librte_security/rte_security.c
+++ b/lib/librte_security/rte_security.c
@@ -26,18 +26,21 @@
 struct rte_security_session *
 rte_security_session_create(struct rte_security_ctx *instance,
 			    struct rte_security_session_conf *conf,
-			    struct rte_mempool *mp)
+			    struct rte_mempool *mp,
+			    struct rte_mempool *priv_mp)
 {
 	struct rte_security_session *sess = NULL;
 
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_create, NULL, NULL);
 	RTE_PTR_OR_ERR_RET(conf, NULL);
 	RTE_PTR_OR_ERR_RET(mp, NULL);
+	RTE_PTR_OR_ERR_RET(priv_mp, NULL);
 
 	if (rte_mempool_get(mp, (void **)&sess))
 		return NULL;
 
-	if (instance->ops->session_create(instance->device, conf, sess, mp)) {
+	if (instance->ops->session_create(instance->device, conf,
+				sess, priv_mp)) {
 		rte_mempool_put(mp, (void *)sess);
 		return NULL;
 	}
diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index c259b35e0..271531af1 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -394,6 +394,7 @@ struct rte_security_session {
  * @param   instance	security instance
  * @param   conf	session configuration parameters
  * @param   mp		mempool to allocate session objects from
+ * @param   priv_mp	mempool to allocate session private data objects from
  * @return
  *  - On success, pointer to session
  *  - On failure, NULL
@@ -401,7 +402,8 @@ struct rte_security_session {
 struct rte_security_session *
 rte_security_session_create(struct rte_security_ctx *instance,
 			    struct rte_security_session_conf *conf,
-			    struct rte_mempool *mp);
+			    struct rte_mempool *mp,
+			    struct rte_mempool *priv_mp);
 
 /**
  * Update security session as specified by the session configuration
-- 
2.17.1


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH v4] security: update session create API
  2020-10-18  9:30             ` Lukasz Wojciechowski
  2020-10-18  9:37               ` Lukasz Wojciechowski
@ 2020-10-18  9:42               ` Akhil Goyal
  1 sibling, 0 replies; 21+ messages in thread
From: Akhil Goyal @ 2020-10-18  9:42 UTC (permalink / raw)
  To: Lukasz Wojciechowski, dev, thomas, anoobj, konstantin.ananyev
  Cc: mdr, Hemant Agrawal, declan.doherty, radu.nicolau, david.coyle

> Hi Akhil,
> 
> If you replace mock_session_create_exp.ret with
> mock_session_destroy_exp.ret
> in mock_session_destroy() everything works fine and all test cases pass.
> 
Thanks for pointing this out. V5 sent.


> >>> @@ -1396,6 +1518,7 @@ test_session_destroy_success(void)
> >>>    	mock_session_destroy_exp.sess = ut_params->sess;
> >>>    	mock_session_destroy_exp.ret = 0;
> >>>    	TEST_ASSERT_MEMPOOL_USAGE(1);
> >>> +	TEST_ASSERT_PRIV_MP_USAGE(1);
> >>>    	TEST_ASSERT_SESSION_COUNT(1);
> >>>
> >>>    	int ret = rte_security_session_destroy(&ut_params->ctx,
> >>>    			ut_params->sess);
> >>>
> >> 	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_destr
> >> oy,
> >>> 			ret, -1, "%d");
> >>>    	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 1);
> >>>    	TEST_ASSERT_MEMPOOL_USAGE(1);
> >> nit: you can add and assertion here as well:
> TEST_ASSERT_PRIV_MP_USAGE(1);
> > Thanks for the review of the patch.
> >
> > This is causing the test to fail. And I cannot spend more time in debugging this
> right now.
> > Since we are approaching RC1 deadline and the intent of the patch is to add a
> new
> > Parameter in session create API and which is complete. The issue is with the
> security
> > Tests which are trying to create mock driver APIs with no real usage.
> >
> > Hence, I reckon we can go ahead with this patch in RC1 and fix it later.
> >
> >
> > @thomas@monjalon.net, @anoobj@marvell.com, @Ananyev, Konstantin.
> > Any thoughts from your side?
> >
> > Regards,
> > Akhil
> >
> >
> --
> Lukasz Wojciechowski
> Principal Software Engineer
> 
> Samsung R&D Institute Poland
> Samsung Electronics
> Office +48 22 377 88 25
> l.wojciechow@partner.samsung.com


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH v5] security: update session create API
  2020-10-18  9:40         ` [dpdk-dev] [PATCH v5] " Akhil Goyal
@ 2020-10-18 11:03           ` Lukasz Wojciechowski
  2020-10-19  7:51             ` Thomas Monjalon
  0 siblings, 1 reply; 21+ messages in thread
From: Lukasz Wojciechowski @ 2020-10-18 11:03 UTC (permalink / raw)
  To: Akhil Goyal, dev
  Cc: thomas, mdr, anoobj, hemant.agrawal, konstantin.ananyev,
	declan.doherty, radu.nicolau, david.coyle,
	\"'Lukasz Wojciechowski'\",

Hi Akhil,
Thanks for your patience.

I reviewed all files and run tests. IMO everything is OK now.

W dniu 18.10.2020 o 11:40, Akhil Goyal pisze:
> The API ``rte_security_session_create`` takes only single
> mempool for session and session private data. So the
> application need to create mempool for twice the number of
> sessions needed and will also lead to wastage of memory as
> session private data need more memory compared to session.
> Hence the API is modified to take two mempool pointers
> - one for session and one for private data.
> This is very similar to crypto based session create APIs.
>
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Reviewed-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
Tested-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
> ---
> Changes in v5:
> fixed security test.
>
> Changes in v4:
> rebase on TOT
> addressed comments from Lukasz on v3
>
> Changes in v3:
> fixed checkpatch issues.
> Added new test in test_security.c for priv_mempool
>
> Changes in V2:
> incorporated comments from Lukasz and David.
>
>
>   app/test-crypto-perf/cperf_ops.c       |   4 +-
>   app/test-crypto-perf/main.c            |  12 +-
>   app/test/test_cryptodev.c              |  18 ++-
>   app/test/test_ipsec.c                  |   3 +-
>   app/test/test_security.c               | 167 ++++++++++++++++++++++---
>   doc/guides/prog_guide/rte_security.rst |   8 +-
>   doc/guides/rel_notes/deprecation.rst   |   7 --
>   doc/guides/rel_notes/release_20_11.rst |   6 +
>   examples/ipsec-secgw/ipsec-secgw.c     |  12 +-
>   examples/ipsec-secgw/ipsec.c           |   9 +-
>   lib/librte_security/rte_security.c     |   7 +-
>   lib/librte_security/rte_security.h     |   4 +-
>   12 files changed, 202 insertions(+), 55 deletions(-)
>
> diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c
> index 3da835a9c..3a64a2c34 100644
> --- a/app/test-crypto-perf/cperf_ops.c
> +++ b/app/test-crypto-perf/cperf_ops.c
> @@ -621,7 +621,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
>   
>   		/* Create security session */
>   		return (void *)rte_security_session_create(ctx,
> -					&sess_conf, sess_mp);
> +					&sess_conf, sess_mp, priv_mp);
>   	}
>   	if (options->op_type == CPERF_DOCSIS) {
>   		enum rte_security_docsis_direction direction;
> @@ -664,7 +664,7 @@ cperf_create_session(struct rte_mempool *sess_mp,
>   
>   		/* Create security session */
>   		return (void *)rte_security_session_create(ctx,
> -					&sess_conf, priv_mp);
> +					&sess_conf, sess_mp, priv_mp);
>   	}
>   #endif
>   	sess = rte_cryptodev_sym_session_create(sess_mp);
> diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
> index 62ae6048b..53864ffdd 100644
> --- a/app/test-crypto-perf/main.c
> +++ b/app/test-crypto-perf/main.c
> @@ -156,7 +156,14 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
>   		if (sess_size > max_sess_size)
>   			max_sess_size = sess_size;
>   	}
> -
> +#ifdef RTE_LIBRTE_SECURITY
> +	for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {
> +		sess_size = rte_security_session_get_size(
> +				rte_cryptodev_get_sec_ctx(cdev_id));
> +		if (sess_size > max_sess_size)
> +			max_sess_size = sess_size;
> +	}
> +#endif
>   	/*
>   	 * Calculate number of needed queue pairs, based on the amount
>   	 * of available number of logical cores and crypto devices.
> @@ -247,8 +254,7 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
>   				opts->nb_qps * nb_slaves;
>   #endif
>   		} else
> -			sessions_needed = enabled_cdev_count *
> -						opts->nb_qps * 2;
> +			sessions_needed = enabled_cdev_count * opts->nb_qps;
>   
>   		/*
>   		 * A single session is required per queue pair
> diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
> index 1d4c46f08..3afc1d809 100644
> --- a/app/test/test_cryptodev.c
> +++ b/app/test/test_cryptodev.c
> @@ -782,9 +782,15 @@ testsuite_setup(void)
>   	unsigned int session_size =
>   		rte_cryptodev_sym_get_private_session_size(dev_id);
>   
> +#ifdef RTE_LIBRTE_SECURITY
> +	unsigned int security_session_size = rte_security_session_get_size(
> +			rte_cryptodev_get_sec_ctx(dev_id));
> +
> +	if (session_size < security_session_size)
> +		session_size = security_session_size;
> +#endif
>   	/*
> -	 * Create mempool with maximum number of sessions * 2,
> -	 * to include the session headers
> +	 * Create mempool with maximum number of sessions.
>   	 */
>   	if (info.sym.max_nb_sessions != 0 &&
>   			info.sym.max_nb_sessions < MAX_NB_SESSIONS) {
> @@ -7762,7 +7768,8 @@ static int test_pdcp_proto(int i, int oop, enum rte_crypto_cipher_operation opc,
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx,
> -				&sess_conf, ts_params->session_priv_mpool);
> +				&sess_conf, ts_params->session_mpool,
> +				ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
>   		printf("TestCase %s()-%d line %d failed %s: ",
> @@ -8022,7 +8029,8 @@ test_pdcp_proto_SGL(int i, int oop,
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx,
> -				&sess_conf, ts_params->session_priv_mpool);
> +				&sess_conf, ts_params->session_mpool,
> +				ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
>   		printf("TestCase %s()-%d line %d failed %s: ",
> @@ -8488,6 +8496,7 @@ test_docsis_proto_uplink(int i, struct docsis_test_data *d_td)
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
> +					ts_params->session_mpool,
>   					ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
> @@ -8663,6 +8672,7 @@ test_docsis_proto_downlink(int i, struct docsis_test_data *d_td)
>   
>   	/* Create security session */
>   	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
> +					ts_params->session_mpool,
>   					ts_params->session_priv_mpool);
>   
>   	if (!ut_params->sec_session) {
> diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
> index 79d00d7e0..9ad07a179 100644
> --- a/app/test/test_ipsec.c
> +++ b/app/test/test_ipsec.c
> @@ -632,7 +632,8 @@ create_dummy_sec_session(struct ipsec_unitest_params *ut,
>   	static struct rte_security_session_conf conf;
>   
>   	ut->ss[j].security.ses = rte_security_session_create(&dummy_sec_ctx,
> -					&conf, qp->mp_session_private);
> +					&conf, qp->mp_session,
> +					qp->mp_session_private);
>   
>   	if (ut->ss[j].security.ses == NULL)
>   		return -ENOMEM;
> diff --git a/app/test/test_security.c b/app/test/test_security.c
> index 77fd5adc6..060cf1ffa 100644
> --- a/app/test/test_security.c
> +++ b/app/test/test_security.c
> @@ -200,6 +200,24 @@
>   			expected_mempool_usage, mempool_usage);		\
>   } while (0)
>   
> +/**
> + * Verify usage of mempool by checking if number of allocated objects matches
> + * expectations. The mempool is used to manage objects for sessions priv data.
> + * A single object is acquired from mempool during session_create
> + * and put back in session_destroy.
> + *
> + * @param   expected_priv_mp_usage	expected number of used priv mp objects
> + */
> +#define TEST_ASSERT_PRIV_MP_USAGE(expected_priv_mp_usage) do {		\
> +	struct security_testsuite_params *ts_params = &testsuite_params;\
> +	unsigned int priv_mp_usage;					\
> +	priv_mp_usage = rte_mempool_in_use_count(			\
> +			ts_params->session_priv_mpool);			\
> +	TEST_ASSERT_EQUAL(expected_priv_mp_usage, priv_mp_usage,	\
> +			"Expecting %u priv mempool allocations, "	\
> +			"but there are %u allocated objects",		\
> +			expected_priv_mp_usage, priv_mp_usage);		\
> +} while (0)
>   
>   /**
>    * Mockup structures and functions for rte_security_ops;
> @@ -237,26 +255,37 @@ static struct mock_session_create_data {
>   	struct rte_security_session_conf *conf;
>   	struct rte_security_session *sess;
>   	struct rte_mempool *mp;
> +	struct rte_mempool *priv_mp;
>   
>   	int ret;
>   
>   	int called;
>   	int failed;
> -} mock_session_create_exp = {NULL, NULL, NULL, NULL, 0, 0, 0};
> +} mock_session_create_exp = {NULL, NULL, NULL, NULL, NULL, 0, 0, 0};
>   
>   static int
>   mock_session_create(void *device,
>   		struct rte_security_session_conf *conf,
>   		struct rte_security_session *sess,
> -		struct rte_mempool *mp)
> +		struct rte_mempool *priv_mp)
>   {
> +	void *sess_priv;
> +	int ret;
> +
>   	mock_session_create_exp.called++;
>   
>   	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, device);
>   	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, conf);
> -	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, mp);
> +	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_create_exp, priv_mp);
> +
> +	if (mock_session_create_exp.ret == 0) {
> +		ret = rte_mempool_get(priv_mp, &sess_priv);
> +		TEST_ASSERT_EQUAL(0, ret,
> +			"priv mempool does not have enough objects");
>   
> -	mock_session_create_exp.sess = sess;
> +		set_sec_session_private_data(sess, sess_priv);
> +		mock_session_create_exp.sess = sess;
> +	}
>   
>   	return mock_session_create_exp.ret;
>   }
> @@ -363,8 +392,13 @@ static struct mock_session_destroy_data {
>   static int
>   mock_session_destroy(void *device, struct rte_security_session *sess)
>   {
> -	mock_session_destroy_exp.called++;
> +	void *sess_priv = get_sec_session_private_data(sess);
>   
> +	mock_session_destroy_exp.called++;
> +	if ((mock_session_destroy_exp.ret == 0) && (sess_priv != NULL)) {
> +		rte_mempool_put(rte_mempool_from_obj(sess_priv), sess_priv);
> +		set_sec_session_private_data(sess, NULL);
> +	}
>   	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_exp, device);
>   	MOCK_TEST_ASSERT_POINTER_PARAMETER(mock_session_destroy_exp, sess);
>   
> @@ -502,6 +536,7 @@ struct rte_security_ops mock_ops = {
>    */
>   static struct security_testsuite_params {
>   	struct rte_mempool *session_mpool;
> +	struct rte_mempool *session_priv_mpool;
>   } testsuite_params = { NULL };
>   
>   /**
> @@ -524,9 +559,11 @@ static struct security_unittest_params {
>   	.sess = NULL,
>   };
>   
> -#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestsMempoolName"
> +#define SECURITY_TEST_MEMPOOL_NAME "SecurityTestMp"
> +#define SECURITY_TEST_PRIV_MEMPOOL_NAME "SecurityTestPrivMp"
>   #define SECURITY_TEST_MEMPOOL_SIZE 15
> -#define SECURITY_TEST_SESSION_OBJECT_SIZE sizeof(struct rte_security_session)
> +#define SECURITY_TEST_SESSION_OBJ_SZ sizeof(struct rte_security_session)
> +#define SECURITY_TEST_SESSION_PRIV_OBJ_SZ 64
>   
>   /**
>    * testsuite_setup initializes whole test suite parameters.
> @@ -540,11 +577,27 @@ testsuite_setup(void)
>   	ts_params->session_mpool = rte_mempool_create(
>   			SECURITY_TEST_MEMPOOL_NAME,
>   			SECURITY_TEST_MEMPOOL_SIZE,
> -			SECURITY_TEST_SESSION_OBJECT_SIZE,
> +			SECURITY_TEST_SESSION_OBJ_SZ,
>   			0, 0, NULL, NULL, NULL, NULL,
>   			SOCKET_ID_ANY, 0);
>   	TEST_ASSERT_NOT_NULL(ts_params->session_mpool,
>   			"Cannot create mempool %s\n", rte_strerror(rte_errno));
> +
> +	ts_params->session_priv_mpool = rte_mempool_create(
> +			SECURITY_TEST_PRIV_MEMPOOL_NAME,
> +			SECURITY_TEST_MEMPOOL_SIZE,
> +			SECURITY_TEST_SESSION_PRIV_OBJ_SZ,
> +			0, 0, NULL, NULL, NULL, NULL,
> +			SOCKET_ID_ANY, 0);
> +	if (ts_params->session_priv_mpool == NULL) {
> +		RTE_LOG(ERR, USER1, "TestCase %s() line %d failed (null): "
> +				"Cannot create priv mempool %s\n",
> +				__func__, __LINE__, rte_strerror(rte_errno));
> +		rte_mempool_free(ts_params->session_mpool);
> +		ts_params->session_mpool = NULL;
> +		return TEST_FAILED;
> +	}
> +
>   	return TEST_SUCCESS;
>   }
>   
> @@ -559,6 +612,10 @@ testsuite_teardown(void)
>   		rte_mempool_free(ts_params->session_mpool);
>   		ts_params->session_mpool = NULL;
>   	}
> +	if (ts_params->session_priv_mpool) {
> +		rte_mempool_free(ts_params->session_priv_mpool);
> +		ts_params->session_priv_mpool = NULL;
> +	}
>   }
>   
>   /**
> @@ -656,10 +713,12 @@ ut_setup_with_session(void)
>   	mock_session_create_exp.device = NULL;
>   	mock_session_create_exp.conf = &ut_params->conf;
>   	mock_session_create_exp.mp = ts_params->session_mpool;
> +	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
>   	mock_session_create_exp.ret = 0;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
>   			sess);
>   	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
> @@ -701,11 +760,13 @@ test_session_create_inv_context(void)
>   	struct rte_security_session *sess;
>   
>   	sess = rte_security_session_create(NULL, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	return TEST_SUCCESS;
> @@ -725,11 +786,13 @@ test_session_create_inv_context_ops(void)
>   	ut_params->ctx.ops = NULL;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	return TEST_SUCCESS;
> @@ -749,11 +812,13 @@ test_session_create_inv_context_ops_fun(void)
>   	ut_params->ctx.ops = &empty_ops;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	return TEST_SUCCESS;
> @@ -770,31 +835,59 @@ test_session_create_inv_configuration(void)
>   	struct rte_security_session *sess;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, NULL,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	return TEST_SUCCESS;
>   }
>   
>   /**
> - * Test execution of rte_security_session_create with NULL mp parameter
> + * Test execution of rte_security_session_create with NULL session
> + * mempool
>    */
>   static int
>   test_session_create_inv_mempool(void)
>   {
>   	struct security_unittest_params *ut_params = &unittest_params;
> +	struct security_testsuite_params *ts_params = &testsuite_params;
>   	struct rte_security_session *sess;
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			NULL);
> +			NULL, ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
> +	TEST_ASSERT_SESSION_COUNT(0);
> +
> +	return TEST_SUCCESS;
> +}
> +
> +/**
> + * Test execution of rte_security_session_create with NULL session
> + * priv mempool
> + */
> +static int
> +test_session_create_inv_sess_priv_mempool(void)
> +{
> +	struct security_unittest_params *ut_params = &unittest_params;
> +	struct security_testsuite_params *ts_params = &testsuite_params;
> +	struct rte_security_session *sess;
> +
> +	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> +			ts_params->session_mpool, NULL);
> +	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
> +			sess, NULL, "%p");
> +	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
> +	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	return TEST_SUCCESS;
> @@ -810,6 +903,7 @@ test_session_create_mempool_empty(void)
>   	struct security_testsuite_params *ts_params = &testsuite_params;
>   	struct security_unittest_params *ut_params = &unittest_params;
>   	struct rte_security_session *tmp[SECURITY_TEST_MEMPOOL_SIZE];
> +	void *tmp1[SECURITY_TEST_MEMPOOL_SIZE];
>   	struct rte_security_session *sess;
>   
>   	/* Get all available objects from mempool. */
> @@ -820,21 +914,34 @@ test_session_create_mempool_empty(void)
>   		TEST_ASSERT_EQUAL(0, ret,
>   				"Expect getting %d object from mempool"
>   				" to succeed", i);
> +		ret = rte_mempool_get(ts_params->session_priv_mpool,
> +				(void **)(&tmp1[i]));
> +		TEST_ASSERT_EQUAL(0, ret,
> +				"Expect getting %d object from priv mempool"
> +				" to succeed", i);
>   	}
>   	TEST_ASSERT_MEMPOOL_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
> +	TEST_ASSERT_PRIV_MP_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
> +	TEST_ASSERT_PRIV_MP_USAGE(SECURITY_TEST_MEMPOOL_SIZE);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	/* Put objects back to the pool. */
> -	for (i = 0; i < SECURITY_TEST_MEMPOOL_SIZE; ++i)
> -		rte_mempool_put(ts_params->session_mpool, (void *)(tmp[i]));
> +	for (i = 0; i < SECURITY_TEST_MEMPOOL_SIZE; ++i) {
> +		rte_mempool_put(ts_params->session_mpool,
> +				(void *)(tmp[i]));
> +		rte_mempool_put(ts_params->session_priv_mpool,
> +				(tmp1[i]));
> +	}
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   
>   	return TEST_SUCCESS;
>   }
> @@ -853,14 +960,17 @@ test_session_create_ops_failure(void)
>   	mock_session_create_exp.device = NULL;
>   	mock_session_create_exp.conf = &ut_params->conf;
>   	mock_session_create_exp.mp = ts_params->session_mpool;
> +	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
>   	mock_session_create_exp.ret = -1;	/* Return failure status. */
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_session_create,
>   			sess, NULL, "%p");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 1);
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	return TEST_SUCCESS;
> @@ -879,10 +989,12 @@ test_session_create_success(void)
>   	mock_session_create_exp.device = NULL;
>   	mock_session_create_exp.conf = &ut_params->conf;
>   	mock_session_create_exp.mp = ts_params->session_mpool;
> +	mock_session_create_exp.priv_mp = ts_params->session_priv_mpool;
>   	mock_session_create_exp.ret = 0;	/* Return success status. */
>   
>   	sess = rte_security_session_create(&ut_params->ctx, &ut_params->conf,
> -			ts_params->session_mpool);
> +			ts_params->session_mpool,
> +			ts_params->session_priv_mpool);
>   	TEST_ASSERT_MOCK_FUNCTION_CALL_NOT_NULL(rte_security_session_create,
>   			sess);
>   	TEST_ASSERT_EQUAL(sess, mock_session_create_exp.sess,
> @@ -891,6 +1003,7 @@ test_session_create_success(void)
>   			sess, mock_session_create_exp.sess);
>   	TEST_ASSERT_MOCK_CALLS(mock_session_create_exp, 1);
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	/*
> @@ -1276,6 +1389,7 @@ test_session_destroy_inv_context(void)
>   	struct security_unittest_params *ut_params = &unittest_params;
>   
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	int ret = rte_security_session_destroy(NULL, ut_params->sess);
> @@ -1283,6 +1397,7 @@ test_session_destroy_inv_context(void)
>   			ret, -EINVAL, "%d");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	return TEST_SUCCESS;
> @@ -1299,6 +1414,7 @@ test_session_destroy_inv_context_ops(void)
>   	ut_params->ctx.ops = NULL;
>   
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	int ret = rte_security_session_destroy(&ut_params->ctx,
> @@ -1307,6 +1423,7 @@ test_session_destroy_inv_context_ops(void)
>   			ret, -EINVAL, "%d");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	return TEST_SUCCESS;
> @@ -1323,6 +1440,7 @@ test_session_destroy_inv_context_ops_fun(void)
>   	ut_params->ctx.ops = &empty_ops;
>   
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	int ret = rte_security_session_destroy(&ut_params->ctx,
> @@ -1331,6 +1449,7 @@ test_session_destroy_inv_context_ops_fun(void)
>   			ret, -ENOTSUP, "%d");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	return TEST_SUCCESS;
> @@ -1345,6 +1464,7 @@ test_session_destroy_inv_session(void)
>   	struct security_unittest_params *ut_params = &unittest_params;
>   
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	int ret = rte_security_session_destroy(&ut_params->ctx, NULL);
> @@ -1352,6 +1472,7 @@ test_session_destroy_inv_session(void)
>   			ret, -EINVAL, "%d");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 0);
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	return TEST_SUCCESS;
> @@ -1371,6 +1492,7 @@ test_session_destroy_ops_failure(void)
>   	mock_session_destroy_exp.ret = -1;
>   
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	int ret = rte_security_session_destroy(&ut_params->ctx,
> @@ -1379,6 +1501,7 @@ test_session_destroy_ops_failure(void)
>   			ret, -1, "%d");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 1);
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	return TEST_SUCCESS;
> @@ -1396,6 +1519,7 @@ test_session_destroy_success(void)
>   	mock_session_destroy_exp.sess = ut_params->sess;
>   	mock_session_destroy_exp.ret = 0;
>   	TEST_ASSERT_MEMPOOL_USAGE(1);
> +	TEST_ASSERT_PRIV_MP_USAGE(1);
>   	TEST_ASSERT_SESSION_COUNT(1);
>   
>   	int ret = rte_security_session_destroy(&ut_params->ctx,
> @@ -1404,6 +1528,7 @@ test_session_destroy_success(void)
>   			ret, 0, "%d");
>   	TEST_ASSERT_MOCK_CALLS(mock_session_destroy_exp, 1);
>   	TEST_ASSERT_MEMPOOL_USAGE(0);
> +	TEST_ASSERT_PRIV_MP_USAGE(0);
>   	TEST_ASSERT_SESSION_COUNT(0);
>   
>   	/*
> @@ -2370,6 +2495,8 @@ static struct unit_test_suite security_testsuite  = {
>   				test_session_create_inv_configuration),
>   		TEST_CASE_ST(ut_setup, ut_teardown,
>   				test_session_create_inv_mempool),
> +		TEST_CASE_ST(ut_setup, ut_teardown,
> +				test_session_create_inv_sess_priv_mempool),
>   		TEST_CASE_ST(ut_setup, ut_teardown,
>   				test_session_create_mempool_empty),
>   		TEST_CASE_ST(ut_setup, ut_teardown,
> diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
> index 41c95aa52..c64aef3de 100644
> --- a/doc/guides/prog_guide/rte_security.rst
> +++ b/doc/guides/prog_guide/rte_security.rst
> @@ -533,8 +533,12 @@ and this allows further acceleration of the offload of Crypto workloads.
>   
>   The Security framework provides APIs to create and free sessions for crypto/ethernet
>   devices, where sessions are mempool objects. It is the application's responsibility
> -to create and manage the session mempools. The mempool object size should be able to
> -accommodate the driver's private data of security session.
> +to create and manage two session mempools - one for session and other for session
> +private data. The private session data mempool object size should be able to
> +accommodate the driver's private data of security session. The application can get
> +the size of session private data using API ``rte_security_session_get_size``.
> +And the session mempool object size should be enough to accommodate
> +``rte_security_session``.
>   
>   Once the session mempools have been created, ``rte_security_session_create()``
>   is used to allocate and initialize a session for the required crypto/ethernet device.
> diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
> index 6cbfd1184..000e82cce 100644
> --- a/doc/guides/rel_notes/deprecation.rst
> +++ b/doc/guides/rel_notes/deprecation.rst
> @@ -164,13 +164,6 @@ Deprecation Notices
>     following the IPv6 header, as proposed in RFC
>     https://protect2.fireeye.com/v1/url?k=c01a96eb-9dc88db3-c01b1da4-0cc47a31c8b4-b59bae941a26f568&q=1&e=bb91da3e-ca68-49fb-9578-d771844b2f86&u=https%3A%2F%2Fmails.dpdk.org%2Farchives%2Fdev%2F2020-August%2F177257.html.
>   
> -* security: The API ``rte_security_session_create`` takes only single mempool
> -  for session and session private data. So the application need to create
> -  mempool for twice the number of sessions needed and will also lead to
> -  wastage of memory as session private data need more memory compared to session.
> -  Hence the API will be modified to take two mempool pointers - one for session
> -  and one for private data.
> -
>   * cryptodev: support for using IV with all sizes is added, J0 still can
>     be used but only when IV length in following structs ``rte_crypto_auth_xform``,
>     ``rte_crypto_aead_xform`` is set to zero. When IV length is greater or equal
> diff --git a/doc/guides/rel_notes/release_20_11.rst b/doc/guides/rel_notes/release_20_11.rst
> index 48717ee53..03ef28b68 100644
> --- a/doc/guides/rel_notes/release_20_11.rst
> +++ b/doc/guides/rel_notes/release_20_11.rst
> @@ -404,6 +404,12 @@ API Changes
>     ``uint32_t`` to ``uint8_t`` so that a new field ``sdap_enabled`` can be added
>     to support SDAP.
>   
> +* security: The API ``rte_security_session_create`` is updated to take two
> +  mempool objects one for session and other for session private data.
> +  So the application need to create two mempools and get the size of session
> +  private data using API ``rte_security_session_get_size`` for private session
> +  mempool.
> +
>   * ipsec: ``RTE_SATP_LOG2_NUM`` has been dropped from ``enum`` and
>     subsequently moved ``rte_ipsec`` lib from experimental to stable.
>   
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> index 60132c4bd..2326089bb 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -2348,12 +2348,8 @@ session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t sess_sz)
>   
>   	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
>   			"sess_mp_%u", socket_id);
> -	/*
> -	 * Doubled due to rte_security_session_create() uses one mempool for
> -	 * session and for session private data.
> -	 */
>   	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
> -		rte_lcore_count()) * 2;
> +		rte_lcore_count());
>   	sess_mp = rte_cryptodev_sym_session_pool_create(
>   			mp_name, nb_sess, sess_sz, CDEV_MP_CACHE_SZ, 0,
>   			socket_id);
> @@ -2376,12 +2372,8 @@ session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id,
>   
>   	snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
>   			"sess_mp_priv_%u", socket_id);
> -	/*
> -	 * Doubled due to rte_security_session_create() uses one mempool for
> -	 * session and for session private data.
> -	 */
>   	nb_sess = (get_nb_crypto_sessions() + CDEV_MP_CACHE_SZ *
> -		rte_lcore_count()) * 2;
> +		rte_lcore_count());
>   	sess_mp = rte_mempool_create(mp_name,
>   			nb_sess,
>   			sess_sz,
> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> index 01faa7ac7..6baeeb342 100644
> --- a/examples/ipsec-secgw/ipsec.c
> +++ b/examples/ipsec-secgw/ipsec.c
> @@ -117,7 +117,8 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
>   			set_ipsec_conf(sa, &(sess_conf.ipsec));
>   
>   			ips->security.ses = rte_security_session_create(ctx,
> -					&sess_conf, ipsec_ctx->session_priv_pool);
> +					&sess_conf, ipsec_ctx->session_pool,
> +					ipsec_ctx->session_priv_pool);
>   			if (ips->security.ses == NULL) {
>   				RTE_LOG(ERR, IPSEC,
>   				"SEC Session init failed: err: %d\n", ret);
> @@ -198,7 +199,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
>   		}
>   
>   		ips->security.ses = rte_security_session_create(sec_ctx,
> -				&sess_conf, skt_ctx->session_pool);
> +				&sess_conf, skt_ctx->session_pool,
> +				skt_ctx->session_priv_pool);
>   		if (ips->security.ses == NULL) {
>   			RTE_LOG(ERR, IPSEC,
>   				"SEC Session init failed: err: %d\n", ret);
> @@ -378,7 +380,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
>   		sess_conf.userdata = (void *) sa;
>   
>   		ips->security.ses = rte_security_session_create(sec_ctx,
> -					&sess_conf, skt_ctx->session_pool);
> +					&sess_conf, skt_ctx->session_pool,
> +					skt_ctx->session_priv_pool);
>   		if (ips->security.ses == NULL) {
>   			RTE_LOG(ERR, IPSEC,
>   				"SEC Session init failed: err: %d\n", ret);
> diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
> index 515c29e04..ee4666026 100644
> --- a/lib/librte_security/rte_security.c
> +++ b/lib/librte_security/rte_security.c
> @@ -26,18 +26,21 @@
>   struct rte_security_session *
>   rte_security_session_create(struct rte_security_ctx *instance,
>   			    struct rte_security_session_conf *conf,
> -			    struct rte_mempool *mp)
> +			    struct rte_mempool *mp,
> +			    struct rte_mempool *priv_mp)
>   {
>   	struct rte_security_session *sess = NULL;
>   
>   	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, session_create, NULL, NULL);
>   	RTE_PTR_OR_ERR_RET(conf, NULL);
>   	RTE_PTR_OR_ERR_RET(mp, NULL);
> +	RTE_PTR_OR_ERR_RET(priv_mp, NULL);
>   
>   	if (rte_mempool_get(mp, (void **)&sess))
>   		return NULL;
>   
> -	if (instance->ops->session_create(instance->device, conf, sess, mp)) {
> +	if (instance->ops->session_create(instance->device, conf,
> +				sess, priv_mp)) {
>   		rte_mempool_put(mp, (void *)sess);
>   		return NULL;
>   	}
> diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
> index c259b35e0..271531af1 100644
> --- a/lib/librte_security/rte_security.h
> +++ b/lib/librte_security/rte_security.h
> @@ -394,6 +394,7 @@ struct rte_security_session {
>    * @param   instance	security instance
>    * @param   conf	session configuration parameters
>    * @param   mp		mempool to allocate session objects from
> + * @param   priv_mp	mempool to allocate session private data objects from
>    * @return
>    *  - On success, pointer to session
>    *  - On failure, NULL
> @@ -401,7 +402,8 @@ struct rte_security_session {
>   struct rte_security_session *
>   rte_security_session_create(struct rte_security_ctx *instance,
>   			    struct rte_security_session_conf *conf,
> -			    struct rte_mempool *mp);
> +			    struct rte_mempool *mp,
> +			    struct rte_mempool *priv_mp);
>   
>   /**
>    * Update security session as specified by the session configuration

-- 
Lukasz Wojciechowski
Principal Software Engineer

Samsung R&D Institute Poland
Samsung Electronics
Office +48 22 377 88 25
l.wojciechow@partner.samsung.com


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: [dpdk-dev] [PATCH v5] security: update session create API
  2020-10-18 11:03           ` Lukasz Wojciechowski
@ 2020-10-19  7:51             ` Thomas Monjalon
  0 siblings, 0 replies; 21+ messages in thread
From: Thomas Monjalon @ 2020-10-19  7:51 UTC (permalink / raw)
  To: Akhil Goyal
  Cc: dev, mdr, anoobj, hemant.agrawal, konstantin.ananyev,
	declan.doherty, radu.nicolau, david.coyle, Lukasz Wojciechowski

18/10/2020 13:03, Lukasz Wojciechowski:
> W dniu 18.10.2020 o 11:40, Akhil Goyal pisze:
> > The API ``rte_security_session_create`` takes only single
> > mempool for session and session private data. So the
> > application need to create mempool for twice the number of
> > sessions needed and will also lead to wastage of memory as
> > session private data need more memory compared to session.
> > Hence the API is modified to take two mempool pointers
> > - one for session and one for private data.
> > This is very similar to crypto based session create APIs.
> >
> > Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> Reviewed-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
> Tested-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>

Applied, thanks




^ permalink raw reply	[flat|nested] 21+ messages in thread

end of thread, back to index

Thread overview: 21+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <CGME20200903201022eucas1p19a5154b9fb7063f72b18dea1114eeed3@eucas1p1.samsung.com>
2020-09-03 20:09 ` [dpdk-dev] [PATCH] security: update session create API akhil.goyal
2020-09-04 16:04   ` Lukasz Wojciechowski
2020-10-10 22:09     ` Akhil Goyal
2020-09-24 16:22   ` Coyle, David
2020-10-10 22:06     ` Akhil Goyal
2020-10-10 22:11   ` [dpdk-dev] [PATCH v2] " Akhil Goyal
2020-10-12 17:46     ` Akhil Goyal
2020-10-13  2:12     ` Lukasz Wojciechowski
2020-10-14 19:00       ` Akhil Goyal
2020-10-15  1:14         ` Lukasz Wojciechowski
2020-10-14 18:56     ` [dpdk-dev] [PATCH v3] " Akhil Goyal
2020-10-15  1:11       ` Lukasz Wojciechowski
2020-10-17 11:50       ` [dpdk-dev] [PATCH v4] " Akhil Goyal
2020-10-17 13:13         ` Lukasz Wojciechowski
2020-10-18  8:47           ` Akhil Goyal
2020-10-18  9:30             ` Lukasz Wojciechowski
2020-10-18  9:37               ` Lukasz Wojciechowski
2020-10-18  9:42               ` Akhil Goyal
2020-10-18  9:40         ` [dpdk-dev] [PATCH v5] " Akhil Goyal
2020-10-18 11:03           ` Lukasz Wojciechowski
2020-10-19  7:51             ` Thomas Monjalon

DPDK patches and discussions

Archives are clonable:
	git clone --mirror http://inbox.dpdk.org/dev/0 dev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 dev dev/ http://inbox.dpdk.org/dev \
		dev@dpdk.org
	public-inbox-index dev


Newsgroup available over NNTP:
	nntp://inbox.dpdk.org/inbox.dpdk.dev


AGPL code for this site: git clone https://public-inbox.org/ public-inbox