DPDK patches and discussions
 help / color / mirror / Atom feed
From: Akhil Goyal <gakhil@marvell.com>
To: Radu Nicolau <radu.nicolau@intel.com>,
	"Medvedkin, Vladimir" <vladimir.medvedkin@intel.com>,
	Chaoyong He <chaoyong.he@corigine.com>,
	"dev@dpdk.org" <dev@dpdk.org>, Anoob Joseph <anoobj@marvell.com>,
	Nithin Kumar Dabilpuram <ndabilpuram@marvell.com>,
	Gagandeep Singh <g.singh@nxp.com>, Kai Ji <kai.ji@intel.com>,
	Brian Dooley <brian.dooley@intel.com>,
	Jack Bond-Preston <jack.bond-preston@foss.arm.com>,
	"pablo.de.lara.guarch@intel.com" <pablo.de.lara.guarch@intel.com>,
	"hemant.agrawal@nxp.com" <hemant.agrawal@nxp.com>,
	"suanmingm@nvidia.com" <suanmingm@nvidia.com>
Cc: "oss-drivers@corigine.com" <oss-drivers@corigine.com>,
	Shihong Wang <shihong.wang@corigine.com>,
	"stable@dpdk.org" <stable@dpdk.org>
Subject: RE: [EXTERNAL] [PATCH v2] examples/ipsec-secgw: fix SA salt endianness problem
Date: Wed, 24 Jul 2024 13:04:23 +0000	[thread overview]
Message-ID: <CO6PR18MB4484CB54DFA63C08342AECE0D8AA2@CO6PR18MB4484.namprd18.prod.outlook.com> (raw)
In-Reply-To: <7d006696-9a40-4c23-824d-1e984743632a@intel.com>

> On 24-Jul-24 12:20 PM, Akhil Goyal wrote:
> >> On 23-Jul-24 5:57 PM, Akhil Goyal wrote:
> >>>> Hi all,
> >>>>
> >>>> This patch breaks ipsec tests with ipsec-secgw:
> >>>>
> >>>>
> >>>> ./examples/ipsec-secgw/test/run_test.sh -4 trs_aesctr_sha1
> >>>> ...
> >>>> ERROR: ./examples/ipsec-secgw/test/linux_test.sh failed for
> >> dst=192.168.31.14,
> >>>> sz=1
> >>>>    test IPv4 trs_aesctr_sha1 finished with status 1
> >>>> ERROR  test trs_aesctr_sha1 FAILED
> >>>>
> >>> The patch seems to be correct.
> >>> Please check endianness in the PMD you are testing.
> >> In my opinion salt should not be affected by endianness and it should be
> >> used as it is in the key parameter. I think the patch is wrong to make
> >> it CPU endianness dependent before being passed to the PMDs, any PMD
> >> that needs the endianness swapped should do it in the PMD code. Indeed
> >> it's passed around as a 32 bit integer but it's not used as such, and
> >> when it's actually used it should be evaluated as a byte array.
> >>
> > As per the rfc, it should be treated as byte order(i.e. big endian).
> > But here the problem is we treat it as uint32_t which makes it CPU endian
> when stored in ipsec_sa struct.
> > The keys are stored as an array of uint8_t, so keys are stored in byte order(Big
> endian).
> >
> > So either we save salt as "uint8_t salt[4]" or do a conversion of cpu_to_be
> > So that when it is stored in PMD/HW, and we convert it from uint32_t to uint_8
> *, there wont be issue.
> 
> RFC treats it as a "four octet value" - there is no endianness until
> it's treated like an integer, which it never is. Even if it code it's
> being stored and passed as an unsigned 32bit integer it is never
> evaluated as such so its endianness doesn't matter.

The endianness matters the moment it is stored as uint32_t in ipsec_sa
It means the value is stored in CPU endianness in that integer unless it is specified.

Now looking at the code again, I see the patch is incomplete for the case of lookaside crypto
Where the salt is copied as cnt_blk in the mbuf priv without conversion.

So, this patch can be reverted and a simple fix can be added to mark ipsec_sa-> salt as rte_be32_t
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index a83fd2283b..1fe6b97168 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -117,7 +117,7 @@ struct __rte_cache_aligned ipsec_sa {
        uint32_t spi;
        struct cdev_qp *cqp[RTE_MAX_LCORE];
        uint64_t seq;
-       uint32_t salt;
+       rte_be32_t salt;
        uint32_t fallback_sessions;
        enum rte_crypto_cipher_algorithm cipher_algo;
        enum rte_crypto_auth_algorithm auth_algo;

Can you verify and send the patch?
And this may be updated in cryptodev and security lib as well in next release.


> 
> I agree that we should have it everywhere as "uint8_t salt[4]" but that
> implies API changes and it doesn't change how the bytes are stored, so
> the patch will still be wrong.
> 
> 
> >
> >>>
> >>>>
> >>>> On 03/07/2024 18:58, Akhil Goyal wrote:
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> 		-----Original Message-----
> >>>> 		From: Akhil Goyal <gakhil@marvell.com>
> >>>> <mailto:gakhil@marvell.com>
> >>>> 		Sent: Friday, March 15, 2024 12:42 AM
> >>>> 		To: Akhil Goyal <gakhil@marvell.com>
> >>>> <mailto:gakhil@marvell.com> ; Chaoyong He
> >>>> 		<chaoyong.he@corigine.com>
> >>>> <mailto:chaoyong.he@corigine.com> ; dev@dpdk.org
> <mailto:dev@dpdk.org>
> >>>> 		Cc: oss-drivers@corigine.com <mailto:oss-
> >>>> drivers@corigine.com> ; Shihong Wang <shihong.wang@corigine.com>
> >>>> <mailto:shihong.wang@corigine.com> ;
> >>>> 		stable@dpdk.org <mailto:stable@dpdk.org>
> >>>> 		Subject: RE: [EXTERNAL] [PATCH v2] examples/ipsec-secgw: fix
> >>>> SA salt
> >>>> 		endianness problem
> >>>>
> >>>>
> >>>> 			Subject: RE: [EXTERNAL] [PATCH v2] examples/ipsec-
> >>>> secgw: fix SA salt
> >>>> 			endianness problem
> >>>>
> >>>>
> >>>> 				From: Shihong Wang
> >>>> <shihong.wang@corigine.com> <mailto:shihong.wang@corigine.com>
> >>>>
> >>>> 				The SA salt of struct ipsec_sa is a CPU-endian
> >>>> u32 variable, but it’s
> >>>> 				value is stored in an array of encryption or
> >>>> authentication keys
> >>>> 				according to big-endian. So it maybe need to
> >>>> convert the endianness
> >>>> 				order to ensure that the value assigned to the
> >>>> SA salt is CPU-endian.
> >>>>
> >>>> 				Fixes: 50d75cae2a2c ("examples/ipsec-secgw:
> >>>> initialize SA salt")
> >>>> 				Fixes: 9413c3901f31 ("examples/ipsec-secgw:
> >>>> support additional algorithms")
> >>>> 				Fixes: 501e9c226adf ("examples/ipsec-secgw:
> >>>> add AEAD parameters")
> >>>> 				Cc: stable@dpdk.org <mailto:stable@dpdk.org>
> >>>>
> >>>> 				Signed-off-by: Shihong Wang
> >>>> <shihong.wang@corigine.com> <mailto:shihong.wang@corigine.com>
> >>>> 				Reviewed-by: Chaoyong He
> >>>> <chaoyong.he@corigine.com> <mailto:chaoyong.he@corigine.com>
> >>>>
> >>>>
> >>>> 			Acked-by: Akhil Goyal <gakhil@marvell.com>
> >>>> <mailto:gakhil@marvell.com>
> >>>>
> >>>> 			Applied to dpdk-next-crypto
> >>>>
> >>>>
> >>>> 		The patch is pulled back from dpdk-next-crypto.
> >>>> 		This change may cause all the PMDs to fail these cases.
> >>>> 		Would need acks from PMDs.
> >>>>
> >>>>
> >>>> 	Applied to dpdk-next-crypto
> >>>> 	No update from PMD owners.
> >>>> 	Applying it before RC2 so that we have time for fixes if needed.
> >>>>
> >>>>
> >>>> --
> >>>> Regards,
> >>>> Vladimir

  reply	other threads:[~2024-07-24 13:04 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-03-11  2:49 [PATCH 0/2] fix IPSec " Chaoyong He
2024-03-11  2:49 ` [PATCH 1/2] examples/ipsec-secgw: fix SA salt " Chaoyong He
2024-03-13 18:33   ` [EXTERNAL] " Akhil Goyal
2024-03-14  1:41     ` Chaoyong He
2024-03-14  2:00   ` [PATCH v2] " Chaoyong He
2024-03-14 18:17     ` [EXTERNAL] " Akhil Goyal
2024-03-14 19:11       ` Akhil Goyal
2024-07-03 17:58         ` Akhil Goyal
2024-07-23 16:04           ` Medvedkin, Vladimir
2024-07-23 16:57             ` Akhil Goyal
2024-07-24 10:59               ` Radu Nicolau
2024-07-24 11:20                 ` Akhil Goyal
2024-07-24 11:33                   ` Radu Nicolau
2024-07-24 13:04                     ` Akhil Goyal [this message]
2024-07-24 14:44                       ` Radu Nicolau
2024-07-25  4:47                         ` Akhil Goyal
2024-07-25 10:16                           ` Radu Nicolau
2024-07-25 10:19                             ` Akhil Goyal
2024-03-11  2:49 ` [PATCH 2/2] net/nfp: fix data " Chaoyong He
2024-03-13 15:39   ` Ferruh Yigit
2024-03-12 10:37 ` [PATCH 0/2] fix IPSec " Ferruh Yigit

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CO6PR18MB4484CB54DFA63C08342AECE0D8AA2@CO6PR18MB4484.namprd18.prod.outlook.com \
    --to=gakhil@marvell.com \
    --cc=anoobj@marvell.com \
    --cc=brian.dooley@intel.com \
    --cc=chaoyong.he@corigine.com \
    --cc=dev@dpdk.org \
    --cc=g.singh@nxp.com \
    --cc=hemant.agrawal@nxp.com \
    --cc=jack.bond-preston@foss.arm.com \
    --cc=kai.ji@intel.com \
    --cc=ndabilpuram@marvell.com \
    --cc=oss-drivers@corigine.com \
    --cc=pablo.de.lara.guarch@intel.com \
    --cc=radu.nicolau@intel.com \
    --cc=shihong.wang@corigine.com \
    --cc=stable@dpdk.org \
    --cc=suanmingm@nvidia.com \
    --cc=vladimir.medvedkin@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).