Re: [PATCH] ipsec: use sym_session_opaque_data for RTE_SECURITY_TYPE_CPU_CRYPTO

[Garry Marshall <gazmarsh@meaningfulname.net>]

Hi Konstantin, Akhil,

The patch is based on an issue I encountered when using the CPU_CRYPTO
support - I was having problems where the ipsec session lookup was
failing / was inconsistent.

Examining the code in DPDK and looking for the use of
RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO I could see a reasonably
consistent pattern where if TYPE_NONE or TYPE_CPU_CRYPTO was set -
then the code was making use of ss->crypto.ses instead of
ss->security.ses.

For example - see examples/ipsec-secgw.c where the one_session_free
function has the following code:

    if (ips->type == RTE_SECURITY_ACTION_TYPE_NONE ||
        ips->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
        /* Session has not been created */
        if (ips->crypto.ses == NULL)
            return 0;

        ret = rte_cryptodev_sym_session_free(ips->crypto.dev_id,
                ips->crypto.ses);
    } else {
        /* Session has not been created */
        if (ips->security.ctx == NULL || ips->security.ses == NULL)
            return 0;

        ret = rte_security_session_destroy(ips->security.ctx,
                           ips->security.ses);
    }

And similarly - if we look at the session_check function in lib/ipsec/ses.c:

    if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||
        ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
        if (ss->crypto.ses == NULL)
            return -EINVAL;
    } else {
        if (ss->security.ses == NULL)
            return -EINVAL;
        if ((ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
                ss->type ==
                RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) &&
                ss->security.ctx == NULL)
            return -EINVAL;
    }

Without the patch in rte_ipsec_session_prepare - for the
RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO type, then ss->crypto.ses will not
be set.

Regards,

Garry.


On Tue, Oct 31, 2023 at 1:09 AM Konstantin Ananyev
<konstantin.v.ananyev@yandex.ru> wrote:
>
> >
> >
> > ipsec related processing in dpdk makes use of the crypto.ses opaque
> > data pointer.  This patch updates rte_ipsec_session_prepare to set
> > ss->crypto.ses in the RTE_SECURITY_TYPE_CPU_CRYPTO case.
>
>
> Hmm.. not sure why we need to do that for CPU_CRYPTO?
> As I remember CPU_CRYPTO is synchronous operation and before calling
> rte_ipsec_pkt_cpu_prepare() should already know ipsec session these
> packets belong to.
> Can you probably explain the logic behind this patch a bit more?
> Konstantin
>
> >
> > Signed-off-by: Garry Marshall <gazmarsh@meaningfulname.net>
> > ---
> >  lib/ipsec/ses.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/lib/ipsec/ses.c b/lib/ipsec/ses.c
> > index d9ab1e6d2b..29eb5ff6ca 100644
> > --- a/lib/ipsec/ses.c
> > +++ b/lib/ipsec/ses.c
> > @@ -44,7 +44,8 @@ rte_ipsec_session_prepare(struct rte_ipsec_session *ss)
> >
> >       ss->pkt_func = fp;
> >
> > -     if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE)
> > +     if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||
> > +             ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)
> >               rte_cryptodev_sym_session_opaque_data_set(ss->crypto.ses,
> >                       (uintptr_t)ss);
> >       else
> > --
> > 2.39.2