From: Akhil Goyal <gakhil@marvell.com>
To: Anoob Joseph <anoobj@marvell.com>,
Jerin Jacob Kollanukkaran <jerinj@marvell.com>,
Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>
Cc: Hemant Agrawal <hemant.agrawal@nxp.com>,
"dev@dpdk.org" <dev@dpdk.org>,
Vidya Sagar Velumuri <vvelumuri@marvell.com>,
"david.coyle@intel.com" <david.coyle@intel.com>,
"kai.ji@intel.com" <kai.ji@intel.com>,
"kevin.osullivan@intel.com" <kevin.osullivan@intel.com>,
Ciara Power <ciara.power@intel.com>,
"marcinx.smoczynski@intel.com" <marcinx.smoczynski@intel.com>
Subject: RE: [RFC PATCH 1/2] security: add fallback security processing and Rx inject
Date: Thu, 24 Aug 2023 07:55:19 +0000 [thread overview]
Message-ID: <CO6PR18MB4484B66B5A9F5BB23CD32175D81DA@CO6PR18MB4484.namprd18.prod.outlook.com> (raw)
In-Reply-To: <20230811114510.576-1-anoobj@marvell.com>
> +/**
> + * Perform security processing of packets and do Rx inject after processing.
> + *
> + * Rx inject would behave similarly to ethdev loopback but with the additional
> + * security processing. In case of ethdev loopback, application would be
> + * submitting packets to ethdev Tx queues and would be received as is from
> + * ethdev Rx queues. With Rx inject, packets would be received after security
> + * processing from ethdev Rx queues.
> + *
> + * With inline protocol offload capable ethdevs, Rx injection can be used to
> + * handle packets which failed the regular security Rx path. This can be due to
> + * cases such as outer fragmentation, in which case applications can
> reassemble
> + * the fragments and then subsequently submit for inbound processing and Rx
> + * injection, so that packets are received as regular security processed
> + * packets.
> + *
> + * With lookaside protocol offload capable cryptodevs, Rx injection can be
> used
> + * to perform packet parsing after security processing. This would allow for
> + * re-classification after security protocol processing is done. The ethdev port
> + * on which the packet would be received would be based on rte_flow rules
> + * matching the packet after security processing. Also, since the packet would
> + * be identical to an inline protocol processed packet, eth devices should have
> + * security enabled (`RTE_ETHDEV_RX_SECURITY_F`).
> + *
> + * Since the packet would be received back from ethdev Rx queues, it is
> expected
> + * that application retains/adds L2 header with the mbuf field 'l2_len'
> + * reflecting the size of L2 header in the packet.
> + *
> + * If `hash.fdir.h` field is set in mbuf, it would be treated as the value for
> + * `MARK` pattern for the subsequent rte_flow parsing.
> + *
> + * @param ctx Security ctx
> + * @param pkts The address of an array of *nb_pkts* pointers
> to
> + * *rte_mbuf* structures which contain the
> packets.
> + * @param sess The address of an array of *nb_pkts* pointers
> to
> + * *rte_security_session* structures
> corresponding
> + * to each packet.
> + * @param nb_pkts The maximum number of packets to process.
> + *
> + * @return
> + * The number of packets successfully injected to ethdev Rx. The return
> + * value can be less than the value of the *nb_pkts* parameter when the
> + * PMD internal queues have been filled up.
> + */
> +__rte_experimental
> +static inline uint16_t
> +rte_security_inb_pkt_rx_inject(struct rte_security_ctx *ctx,
> + struct rte_mbuf **pkts,
> + struct rte_security_session **sess,
> + uint16_t nb_pkts)
rte_security_session is internal to library and not exposed.
Also security_ctx is planned to be made internal.
Can we make this as non-inline function and add as part of rte_security_op?
I believe this is a fallback flow, which means not very performance intensive.
> +{
> +#ifdef RTE_DEBUG
> + RTE_PTR_OR_ERR_RET(ctx, 0);
> + RTE_PTR_OR_ERR_RET(ctx->ops, 0);
> + RTE_FUNC_PTR_OR_ERR_RET(ctx->inb_pkt_rx_inject, 0);
> +#endif
> + return ctx->inb_pkt_rx_inject(ctx->device, pkts, sess, nb_pkts);
> +}
> +
> +
> struct rte_security_macsec_secy_stats {
> uint64_t ctl_pkt_bcast_cnt;
> uint64_t ctl_pkt_mcast_cnt;
> diff --git a/lib/security/version.map b/lib/security/version.map
> index b2097a969d..99d43dbeef 100644
> --- a/lib/security/version.map
> +++ b/lib/security/version.map
> @@ -15,6 +15,7 @@ EXPERIMENTAL {
>
> __rte_security_set_pkt_metadata;
> rte_security_dynfield_offset;
> + rte_security_inb_pkt_rx_inject;
> rte_security_macsec_sa_create;
> rte_security_macsec_sa_destroy;
> rte_security_macsec_sa_stats_get;
> --
> 2.25.1
next prev parent reply other threads:[~2023-08-24 7:56 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-11 11:45 Anoob Joseph
2023-08-11 11:45 ` [RFC PATCH 2/2] test/cryptodev: add Rx inject test Anoob Joseph
2023-08-24 7:55 ` Akhil Goyal [this message]
2023-09-29 7:16 ` [PATCH v2 1/2] security: add fallback security processing and Rx inject Anoob Joseph
2023-09-29 7:16 ` [PATCH v2 2/2] test/cryptodev: add Rx inject test Anoob Joseph
2023-09-29 15:39 ` [PATCH v3 1/2] security: add fallback security processing and Rx inject Anoob Joseph
2023-09-29 15:39 ` [PATCH v3 2/2] test/cryptodev: add Rx inject test Anoob Joseph
2023-10-09 20:11 ` [PATCH v3 1/2] security: add fallback security processing and Rx inject Akhil Goyal
2023-10-10 10:32 ` [PATCH v4 " Anoob Joseph
2023-10-10 10:32 ` [PATCH v4 2/2] test/cryptodev: add Rx inject test Anoob Joseph
2023-10-10 16:48 ` [PATCH v4 1/2] security: add fallback security processing and Rx inject Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CO6PR18MB4484B66B5A9F5BB23CD32175D81DA@CO6PR18MB4484.namprd18.prod.outlook.com \
--to=gakhil@marvell.com \
--cc=anoobj@marvell.com \
--cc=ciara.power@intel.com \
--cc=david.coyle@intel.com \
--cc=dev@dpdk.org \
--cc=hemant.agrawal@nxp.com \
--cc=jerinj@marvell.com \
--cc=kai.ji@intel.com \
--cc=kevin.osullivan@intel.com \
--cc=konstantin.v.ananyev@yandex.ru \
--cc=marcinx.smoczynski@intel.com \
--cc=vvelumuri@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).