From: Boris Pismenny
To: Hemant Agrawal, Akhil Goyal, dev@dpdk.org
CC: declan.doherty@intel.com, pablo.de.lara.guarch@intel.com, radu.nicolau@intel.com, Aviad Yehezkel, Thomas Monjalon, sandeep.malik@nxp.com, jerin.jacob@caviumnetworks.com
Date: Sun, 17 Sep 2017 13:31:19 +0000
References: <20170914082651.26232-1-akhil.goyal@nxp.com> <20170914082651.26232-2-akhil.goyal@nxp.com>
Subject: Re: [dpdk-dev] [PATCH 01/11] lib/rte_security: add security library

Hi Hemant,

On 9/15/2017 8:33 AM, Hemant Agrawal wrote:
>
> Hi,
>
> On 9/14/2017 1:56 PM, Akhil Goyal wrote:
> ..
>
> > diff --git a/lib/librte_security/rte_security.c
> > b/lib/librte_security/rte_security.c
> > new file mode 100644
> > index 0000000..5776246
> > --- /dev/null
> > +++ b/lib/librte_security/rte_security.c
> > @@ -0,0 +1,252 @@ > > +/*- > > + * BSD LICENSE > > + * > > + * Copyright 2017 NXP. > > + * Copyright(c) 2017 Intel Corporation. All rights reserved. > > + * > > + * Redistribution and use in source and binary forms, with or withou= t > > + * modification, are permitted provided that the following condition= s > > + * are met: > > + * > > + * * Redistributions of source code must retain the above copyrigh= t > > + * notice, this list of conditions and the following disclaimer. > > + * * Redistributions in binary form must reproduce the above copyr= ight > > + * notice, this list of conditions and the following disclaimer = in > > + * the documentation and/or other materials provided with the > > + * distribution. > > + * * Neither the name of NXP nor the names of its > > + * contributors may be used to endorse or promote products deriv= ed > > + * from this software without specific prior written permission. > > + * > > + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND > CONTRIBUTORS > > + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT > NOT > > + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND > FITNESS FOR > > + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE > COPYRIGHT > > + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, > INCIDENTAL, > > + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, > BUT NOT > > + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; > LOSS OF USE, > > + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED > AND ON ANY > > + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR > TORT > > + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT > OF THE USE > > + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH > DAMAGE. 
> > + */ > > + > > +#include > > +#include > > + > > +#include "rte_security.h" > > +#include "rte_security_driver.h" > > + > > +#define RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ (8) > > + > > +struct rte_security_ctx { > > + uint16_t id; > > + enum { > > + RTE_SECURITY_INSTANCE_INVALID =3D 0, > > + RTE_SECURITY_INSTANCE_VALID > > + } state; > > + void *device; > > + struct rte_security_ops *ops; > > +}; > > + > > +static struct rte_security_ctx *security_instances; static uint16_t > > +max_nb_security_instances; static uint16_t nb_security_instances; > > + > > +static int > > +rte_security_is_valid_id(uint16_t id) { > > + if (id >=3D nb_security_instances || > > + (security_instances[id].state !=3D RTE_SECURITY_INSTANCE_VALID)) > > + return 0; > > + else > > + return 1; > > +} > > + > > +/* Macros to check for valid id */ > > +#define RTE_SEC_VALID_ID_OR_ERR_RET(id, retval) do { \ > > + if (!rte_security_is_valid_id(id)) { \ > > + RTE_PMD_DEBUG_TRACE("Invalid sec_id=3D%d\n", id); \ > > + return retval; \ > > + } \ > > +} while (0) > > + > > +#define RTE_SEC_VALID_ID_OR_RET(id) do { \ > > + if (!rte_security_is_valid_id(id)) { \ > > + RTE_PMD_DEBUG_TRACE("Invalid sec_id=3D%d\n", id); \ > > + return; \ > > + } \ > > +} while (0) > > + > > +int > > +rte_security_register(uint16_t *id, void *device, > > + struct rte_security_ops *ops) { > > + if (max_nb_security_instances =3D=3D 0) { > > + security_instances =3D rte_malloc( > > + "rte_security_instances_ops", > > + sizeof(*security_instances) * > > + > RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ, 0); > > + > > + if (security_instances =3D=3D NULL) > > + return -ENOMEM; > > + max_nb_security_instances =3D > > + > RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ; > > + } else if (nb_security_instances >=3D max_nb_security_instances) { > > + uint16_t *instances =3D rte_realloc(security_instances, > > + sizeof(struct rte_security_ops *) * > > + (max_nb_security_instances + > > + > RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ), 0); >=20 > I think 
"RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ" value as 8 is relatively > small. you may want to keep it "64" or more. >=20 > you may change it into two parts > - Initial block size and incremental block size for realloc. >=20 Shouldn't the resize be double the original size to get the amortized O(1)? > Also, do you want to make it a configurable variable. as some > implementation may need really large number of SAs. >=20 > > + > > + if (instances =3D=3D NULL) > > + return -ENOMEM; > > + > > + max_nb_security_instances +=3D > > + > RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ; > > + } > > + > > + *id =3D nb_security_instances++; > > + > > + security_instances[*id].id =3D *id; > > + security_instances[*id].state =3D RTE_SECURITY_INSTANCE_VALID; > > + security_instances[*id].device =3D device; > > + security_instances[*id].ops =3D ops; > > + > > + return 0; > > +} > > + > > +int > > +rte_security_unregister(__rte_unused uint16_t *id) { > > + /* To be implemented */ > > + return 0; > > +} > > + > > +struct rte_security_session * > > +rte_security_session_create(uint16_t id, > > + struct rte_security_session_conf *conf, > > + struct rte_mempool *mp) > > +{ > > + struct rte_security_ctx *instance; > > + struct rte_security_session *sess =3D NULL; > > + > > + RTE_SEC_VALID_ID_OR_ERR_RET(id, NULL); > > + instance =3D &security_instances[id]; > > + > > + if (conf =3D=3D NULL) > > + return NULL; > > + > > + if (rte_mempool_get(mp, (void *)&sess)) > > + return NULL; > > + > > + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_create, > NULL); >=20 > it will leak the sess memory, if returned on error. >=20 > > + if (instance->ops->session_create(instance->device, conf, sess, mp)) > { > > + rte_mempool_put(mp, (void *)sess); > > + return NULL; > > + } >=20 > can the mempool operations be part of session_create api? >=20 > it will be similar to destroy, which is expected to free the 'sess' > object to mempool? >=20 > > + return sess; > > +} > > + >=20 > .. >=20 
> > diff --git a/lib/librte_security/rte_security.h > > b/lib/librte_security/rte_security.h > > new file mode 100644 > > index 0000000..2faac96 > > --- /dev/null > > +++ b/lib/librte_security/rte_security.h 
> > @@ -0,0 +1,494 @@ > > +/*- > > + * BSD LICENSE > > + * > > + * Copyright 2017 NXP. > > + * Copyright(c) 2017 Intel Corporation. All rights reserved. > > + * > > + * Redistribution and use in source and binary forms, with or withou= t > > + * modification, are permitted provided that the following condition= s > > + * are met: > > + * > > + * * Redistributions of source code must retain the above copyrigh= t > > + * notice, this list of conditions and the following disclaimer. > > + * * Redistributions in binary form must reproduce the above copyr= ight > > + * notice, this list of conditions and the following disclaimer = in > > + * the documentation and/or other materials provided with the > > + * distribution. > > + * * Neither the name of NXP nor the names of its > > + * contributors may be used to endorse or promote products deriv= ed > > + * from this software without specific prior written permission. > > + * > > + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND > CONTRIBUTORS > > + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT > NOT > > + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND > FITNESS FOR > > + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE > COPYRIGHT > > + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, > INCIDENTAL, > > + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, > BUT NOT > > + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; > LOSS OF USE, > > + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED > AND ON ANY > > + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR > TORT > > + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT > OF THE USE > > + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH > DAMAGE. 
> > + */ > > + > > +#ifndef _RTE_SECURITY_H_ > > +#define _RTE_SECURITY_H_ > > + > > +/** > > + * @file rte_security.h > > + * > > + * RTE Security Common Definitions > > + * > > + */ > > + > > +#ifdef __cplusplus > > +extern "C" { > > +#endif > > + > > +#include > > +#include > > +#include > > + > > +#include > > +#include > > +#include > > +#include > > +#include > > + > > +/** IPSec protocol mode */ > > +enum rte_security_ipsec_sa_mode { > > + RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT, > > + /**< IPSec Transport mode */ > > + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > > + /**< IPSec Tunnel mode */ > > +}; > > + > > +/** IPSec Protocol */ > > +enum rte_security_ipsec_sa_protocol { > > + RTE_SECURITY_IPSEC_SA_PROTO_AH, > > + /**< AH protocol */ > > + RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > + /**< ESP protocol */ > > +}; > > + > > +/** IPSEC tunnel type */ > > +enum rte_security_ipsec_tunnel_type { > > + RTE_SECURITY_IPSEC_TUNNEL_IPV4 =3D 0, > > + /**< Outer header is IPv4 */ > > + RTE_SECURITY_IPSEC_TUNNEL_IPV6, > > + /**< Outer header is IPv6 */ > > +}; > > + > > +/** > > + * IPSEC tunnel parameters > > + * > > + * These parameters are used to build outbound tunnel headers. 
> > + */ > > +struct rte_security_ipsec_tunnel_param { > > + enum rte_security_ipsec_tunnel_type type; > > + /**< Tunnel type: IPv4 or IPv6 */ > > + union { > > + struct { > > + struct in_addr src_ip; > > + /**< IPv4 source address */ > > + struct in_addr dst_ip; > > + /**< IPv4 destination address */ > > + uint8_t dscp; > > + /**< IPv4 Differentiated Services Code Point */ > > + uint8_t df; > > + /**< IPv4 Don't Fragment bit */ > > + uint8_t ttl; > > + /**< IPv4 Time To Live */ > > + } ipv4; > > + /**< IPv4 header parameters */ > > + struct { > > + struct in6_addr src_addr; > > + /**< IPv6 source address */ > > + struct in6_addr dst_addr; > > + /**< IPv6 destination address */ > > + uint8_t dscp; > > + /**< IPv6 Differentiated Services Code Point */ > > + uint32_t flabel; > > + /**< IPv6 flow label */ > > + uint8_t hlimit; > > + /**< IPv6 hop limit */ > > + } ipv6; > > + /**< IPv6 header parameters */ > > + }; > > +}; > > + > > +/** > > + * IPsec Security Association option flags */ struct > > +rte_security_ipsec_sa_options { > > + /** Extended Sequence Numbers (ESN) > > + * > > + * * 1: Use extended (64 bit) sequence numbers > > + * * 0: Use normal sequence numbers > > + */ > > + uint32_t esn : 1; > > + > > + /** UDP encapsulation > > + * > > + * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets > can > > + * traverse through NAT boxes. > > + * * 0: No UDP encapsulation > > + */ > > + uint32_t udp_encap : 1; > > + > > + /** Copy DSCP bits > > + * > > + * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to > > + * the outer IP header in encapsulation, and vice versa in > > + * decapsulation. > > + * * 0: Use values from odp_ipsec_tunnel_param_t in encapsulation > and > > + * do not change DSCP field in decapsulation. > > + */ > > + uint32_t copy_dscp : 1; > > + > > + /** Copy IPv6 Flow Label > > + * > > + * * 1: Copy IPv6 flow label from inner IPv6 header to the > > + * outer IPv6 header. 
> > + * * 0: Use value from odp_ipsec_tunnel_param_t > > + */ > > + uint32_t copy_flabel : 1; > > + > > + /** Copy IPv4 Don't Fragment bit > > + * > > + * * 1: Copy the DF bit from the inner IPv4 header to the outer > > + * IPv4 header. > > + * * 0: Use value from odp_ipsec_tunnel_param_t > > + */ > > + uint32_t copy_df : 1; > > + > > + /** Decrement inner packet Time To Live (TTL) field > > + * > > + * * 1: In tunnel mode, decrement inner packet IPv4 TTL or > > + * IPv6 Hop Limit after tunnel decapsulation, or before tunnel > > + * encapsulation. > > + * * 0: Inner packet is not modified. > > + */ > > + uint32_t dec_ttl : 1; > > + > > + /** HW constructs/removes trailer of packets > > + * > > + * * 1: Transmitted packets will have the trailer added to them by > > + * hardawre. The next protocol field will be based on the > > + * mbuf->inner_esp_next_proto field. > > + * Received packets have no trailer, the next protocol field is > > + * supplied in the mbuf->inner_esp_next_proto field. > > + * * 0: Inner packet is not modified. > > + */ > > + uint32_t no_trailer : 1; > > +}; > > + > > +/** IPSec security association direction */ enum > > +rte_security_ipsec_sa_direction { > > + RTE_SECURITY_IPSEC_SA_DIR_EGRESS, > > + /**< Encrypt and generate digest */ > > + RTE_SECURITY_IPSEC_SA_DIR_INGRESS, > > + /**< Verify digest and decrypt */ > > +}; > > + > > +/** > > + * IPsec security association configuration data. > > + * > > + * This structure contains data required to create an IPsec SA securit= y > session. 
> > + */ > > +struct rte_security_ipsec_xform { > > + uint32_t spi; > > + /**< SA security parameter index */ > > + uint32_t salt; > > + /**< SA salt */ > > + struct rte_security_ipsec_sa_options options; > > + /**< various SA options */ > > + enum rte_security_ipsec_sa_direction direction; > > + /**< IPSec SA Direction - Egress/Ingress */ > > + enum rte_security_ipsec_sa_protocol proto; > > + /**< IPsec SA Protocol - AH/ESP */ > > + enum rte_security_ipsec_sa_mode mode; > > + /**< IPsec SA Mode - transport/tunnel */ > > + struct rte_security_ipsec_tunnel_param tunnel; > > + /**< Tunnel parameters, NULL for transport mode */ }; > > + > > +/** > > + * MACsec security session configuration */ struct > > +rte_security_macsec_xform { > > + /** To be Filled */ > > +}; > > + > > +/** > > + * Security session action type. > > + */ > > +enum rte_security_session_action_type { > > + RTE_SECURITY_ACTION_TYPE_NONE, > > + /**< No security actions */ >=20 > This is not being used, it seems that you are only using it as marker to = indicate > end of capability set? 
>=20 > > + RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, > > + /**< Crypto processing for security protocol is processed inline > > + * during transmission */ > > + RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, > > + /**< All security protocol processing is performed inline during > > + * transmission */ > > + RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL > > + /**< All security protocol processing including crypto is performed > > + * on a lookaside accelerator */ > > +}; > > + > > +/** Security session protocol definition */ enum > > +rte_security_session_protocol { > > + RTE_SECURITY_PROTOCOL_IPSEC, > > + /**< IPsec Protocol */ > > + RTE_SECURITY_PROTOCOL_MACSEC, > > + /**< MACSec Protocol */ > > +}; > > + > > +/** > > + * Security session configuration > > + */ > > +struct rte_security_session_conf { > > + enum rte_security_session_action_type action_type; > > + /**< Type of action to be performed on the session */ > > + enum rte_security_session_protocol protocol; > > + /**< Security protocol to be configured */ > > + union { > > + struct rte_security_ipsec_xform ipsec; > > + struct rte_security_macsec_xform macsec; > > + }; > > + /**< Configuration parameters for security session */ > > + struct rte_crypto_sym_xform *crypto_xform; > > + /**< Security Session Crypto Transformations */ }; > > + > > +struct rte_security_session { > > + __extension__ void *sess_private_data; > > + /**< Private session material */ > > +}; > > + >=20 >=20
> Do you need specific error handling for security sessions as well?
> In case of full protocol offloads, you will need indications for 1. SEQ number
> overflow (egress side, if the SA is not refreshed on time) 2. Anti replay
> window config and err handlings?
>
That's a good point.
I've been thinking about it for some time. For inline we don't need any notifications, but as we approach full offload it might be unavoidable.
I hope that we could cover some cases using the existing rte_flow facilities like the MARK action which could indicate when the anti-replay window has reached a critical point for both cases you've mentioned above.
>
> > +/** > > + * Create security session as specified by the session configuration > > + * > > + * @param id security instance identifier id > > + * @param conf session configuration parameters >=20 > fix the indentation here and other places in this file. >=20 > > + * @param mp mempool to allocate session objects from > > + * @return > > + * - On success, pointer to session > > + * - On failure, NULL > > + */ > > +struct rte_security_session * > > +rte_security_session_create(uint16_t id, > > + struct rte_security_session_conf *conf, > > + struct rte_mempool *mp); > > + > > +/** >=20 >=20
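Review bot: the comment on `struct rte_security_ipsec_tunnel_param tunnel; /**< Tunnel parameters, NULL for transport mode */` is misleading: the member is embedded by value, not a pointer, so it can never be NULL; say that it is ignored in transport mode instead. The copy_dscp, copy_flabel and copy_df comments still refer to `odp_ipsec_tunnel_param_t`, a type that does not exist in this library; they should name `rte_security_ipsec_tunnel_param`. Minor: "hardawre" in the no_trailer comment, `@param id security instance identifier id` repeats "id", and `struct rte_security_macsec_xform { /** To be Filled */ };` is an empty struct, which is a GNU extension rather than standard C.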
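The two conditions Hemant raises for a full protocol offload, sequence number exhaustion on an egress SA and anti-replay handling on an ingress SA, as an added software model that is not part of this patch or of DPDK; `struct sa_state`, the `sa_*` functions, the `sa_rc` codes and the 64-packet window are assumptions, and the window check follows RFC 4303 (Appendix A2.2 for ESN reconstruction):

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical software model (added example, not DPDK code) of the two SA
 * failure modes raised in the thread: sequence number exhaustion on an egress
 * SA and an ESN-aware anti-replay window (fixed at 64 packets) on ingress.
 * enum sa_rc lists what a full protocol offload would have to report back. */
#define REPLAY_WIN 64u

struct sa_state {
	bool esn;         /* same meaning as rte_security_ipsec_sa_options.esn */
	uint64_t seq;     /* egress: last seq sent; ingress: highest seq accepted */
	uint64_t window;  /* ingress bitmap: bit i set => packet (seq - i) was seen */
};

enum sa_rc { SA_OK = 0, SA_ERR_REPLAYED, SA_ERR_TOO_OLD, SA_ERR_SEQ_EXHAUSTED };

/* Egress: the counter must never cycle (RFC 4303 3.3.3); demand a rekey. */
enum sa_rc sa_egress_next_seq(struct sa_state *sa, uint64_t *out)
{
	if (sa->seq >= (sa->esn ? UINT64_MAX : UINT32_MAX))
		return SA_ERR_SEQ_EXHAUSTED;
	*out = ++sa->seq;
	return SA_OK;
}

/* Ingress, ESN only: rebuild the 64-bit number from the 32 bits on the wire
 * (RFC 4303 Appendix A2.2). Returns 0 (never valid) if no consistent value exists. */
static uint64_t esn_reconstruct(const struct sa_state *sa, uint32_t lo)
{
	uint32_t tl = (uint32_t)sa->seq, th = (uint32_t)(sa->seq >> 32), hi;
	uint32_t bl = tl - REPLAY_WIN + 1;   /* window bottom; wraps mod 2^32 by design */

	if (tl >= REPLAY_WIN - 1)            /* case A: window within one 32-bit cycle */
		hi = (lo >= bl) ? th : th + 1;
	else if (lo < bl)                    /* case B: window straddles a cycle boundary */
		hi = th;
	else if (th == 0)
		return 0;                        /* no previous cycle exists to belong to */
	else
		hi = th - 1;
	return ((uint64_t)hi << 32) | lo;
}

/* Ingress step 1, before ICV verification: reject packets left of the window or
 * already seen. *full is the number the ICV is computed over (ESN high bits
 * included), so a stale packet that maps to the next cycle still fails there. */
enum sa_rc sa_ingress_precheck(const struct sa_state *sa, uint32_t wire_seq, uint64_t *full)
{
	uint64_t seq = sa->esn ? esn_reconstruct(sa, wire_seq) : wire_seq;

	if (seq == 0)
		return SA_ERR_TOO_OLD;
	if (seq <= sa->seq) {
		uint64_t diff = sa->seq - seq;

		if (diff >= REPLAY_WIN)
			return SA_ERR_TOO_OLD;
		if (sa->window & ((uint64_t)1 << diff))
			return SA_ERR_REPLAYED;
	}
	*full = seq;
	return SA_OK;
}

/* Ingress step 2, only after the ICV verified, with the seq precheck returned. */
void sa_ingress_commit(struct sa_state *sa, uint64_t seq)
{
	if (seq > sa->seq) {                 /* new right edge: slide the window */
		uint64_t shift = seq - sa->seq;

		sa->window = (shift >= REPLAY_WIN) ? 0 : sa->window << shift;
		sa->seq = seq;
	}
	sa->window |= (uint64_t)1 << (sa->seq - seq);
}
```

The split into precheck and commit matters: a receiver that updates the window before the ICV is verified lets unauthenticated traffic advance the window and drop legitimate packets.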