From: "Ananyev, Konstantin"
To: Nithin Dabilpuram
CC: Akhil Goyal, "dev@dpdk.org", "hemant.agrawal@nxp.com", "thomas@monjalon.net", "g.singh@nxp.com", "Yigit, Ferruh", "Zhang, Roy Fan", "olivier.matz@6wind.com", "jerinj@marvell.com"
Date: Tue, 6 Jul 2021 12:42:34 +0000
Subject: Re: [dpdk-dev] [PATCH 1/2] security: enforce semantics for Tx inline processing
References: <20210624102848.3878788-1-gakhil@marvell.com>

> On Tue, Jul 06, 2021 at 10:56:10AM +0000, Ananyev, Konstantin wrote:
> >
> > >
> > > From: Nithin Dabilpuram
> > >
> > > For Tx inline processing, when RTE_SECURITY_TX_OLOAD_NEED_MDATA is
> > > set, rte_security_set_pkt_metadata() needs to be called for pkts
> > > to associate a Security session with a mbuf before submitting
> > > to Ethdev Tx. This is apart from setting PKT_TX_SEC_OFFLOAD in
> > > mbuf.ol_flags. rte_security_set_pkt_metadata() is also used to
> > > set some opaque metadata in mbuf for PMD's use.
> > > This patch updates documentation that rte_security_set_pkt_metadata()
> > > should be called only with mbuf containing Layer 3 and above data.
> > > This behaviour is consistent with existing PMD's such as ixgbe.
> > >
> > > On Tx, not all net PMD's/HW can parse packet and identify
> > > L2 header and L3 header locations on Tx. This is inline with other
> > > Tx offloads requirements such as L3 checksum, L4 checksum offload,
> > > etc, where mbuf.l2_len, mbuf.l3_len etc, needs to be set for
> > > HW to be able to generate checksum. Since Inline IPSec is also
> > > such a Tx offload, some PMD's at least need mbuf.l2_len to be
> > > valid to find L3 header and perform Outbound IPSec processing.
> > > Hence, this patch updates documentation to enforce setting
> > > mbuf.l2_len while setting PKT_TX_SEC_OFFLOAD in mbuf.ol_flags
> > > for Inline IPSec Crypto / Protocol offload processing to
> > > work on Tx.
> > >
> > > Signed-off-by: Nithin Dabilpuram
> > > Reviewed-by: Akhil Goyal
> > > ---
> > > doc/guides/nics/features.rst | 2 ++
> > > doc/guides/prog_guide/rte_security.rst | 6 +++++-
> > > lib/mbuf/rte_mbuf_core.h | 2 ++
> > > 3 files changed, 9 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/doc/guides/nics/features.rst b/doc/guides/nics/features.= rst > > > index 403c2b03a..414baf14f 100644 > > > --- a/doc/guides/nics/features.rst > > > +++ b/doc/guides/nics/features.rst 
> > > @@ -430,6 +430,7 @@ of protocol operations. See Security library and = PMD documentation for more deta > > > > > > * **[uses] rte_eth_rxconf,rte_eth_rxmode**: ``offloads:DEV_RX_= OFFLOAD_SECURITY``, > > > * **[uses] rte_eth_txconf,rte_eth_txmode**: ``offloads:DEV_TX_= OFFLOAD_SECURITY``. > > > +* **[uses] mbuf**: ``mbuf.l2_len``. > > > * **[implements] rte_security_ops**: ``session_create``, ``session_u= pdate``, > > > ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata``, = ``capabilities_get``. > > > * **[provides] rte_eth_dev_info**: ``rx_offload_capa,rx_queue_offloa= d_capa:DEV_RX_OFFLOAD_SECURITY``, > > > @@ -451,6 +452,7 @@ protocol operations. See security library and PMD= documentation for more details > > > > > > * **[uses] rte_eth_rxconf,rte_eth_rxmode**: ``offloads:DEV_RX_= OFFLOAD_SECURITY``, > > > * **[uses] rte_eth_txconf,rte_eth_txmode**: ``offloads:DEV_TX_= OFFLOAD_SECURITY``. > > > +* **[uses] mbuf**: ``mbuf.l2_len``. > > > * **[implements] rte_security_ops**: ``session_create``, ``session_u= pdate``, > > > ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata``, = ``get_userdata``, > > > ``capabilities_get``. > > > diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog= _guide/rte_security.rst > > > index f72bc8a78..7b68c698d 100644 > > > --- a/doc/guides/prog_guide/rte_security.rst > > > +++ b/doc/guides/prog_guide/rte_security.rst 
> > > @@ -560,7 +560,11 @@ created by the application is attached to the se= curity session by the API > > > > > > For Inline Crypto and Inline protocol offload, device specific defin= ed metadata is > > > updated in the mbuf using ``rte_security_set_pkt_metadata()`` if > > > -``DEV_TX_OFFLOAD_SEC_NEED_MDATA`` is set. > > > +``RTE_SECURITY_TX_OLOAD_NEED_MDATA`` is set. ``rte_security_set_pkt_= metadata()`` > > > +should be called on mbuf only with Layer 3 and above data present an= d > > > +``mbuf.data_off`` should be pointing to Layer 3 Header.
> >
> > Hmm... not sure why mbuf.data_off should point to L3 hdr.
> > Who will add L2 hdr to the packet in that case?
> > Or did you mean ``mbuf.data_off + mbuf.l2_len`` here?
>
> That is the semantics I was trying to define. I think below are the sequence of
> operations to be done for ipsec processing,
>
> 1. receive_pkt()
> 2. strip_l2_hdr()
> 3. Do policy lookup ()
> 4. Call rte_security_set_pkt_metadata() if pkt needs to be encrypted with a
> particular SA. Now pkt only has L3 and above data.
> 5. Do route_lookup()
> 6. add_l2hdr() which might be different from stripped l2hdr.
> 7. Send packet out.
>
> The above sequence is what I believe the current poll mode worker thread in
> ipsec-secgw is following.

That's just a sample app, it doesn't mean it has to be the only possible way.

> While in event mode, step 2 and step 6 are missing.

I think this L2 hdr manipulation is totally optional.
If your rte_security_set_pkt_metadata() implementation really needs to know L3 hdr offset (not sure why?),
then I suppose we can add a requirement that l2_len has to be set properly before calling rte_security_set_pkt_metadata().

>
> This patch is trying to enforce semantics as above so that
> rte_security_set_pkt_metadata() can predict what comes in the pkt when he is
> called.
>
> I also think above sequence is what Linux kernel stack or other stacks follow.
> Does it make sense?
>
> > > > > Once called, > > > +Layer 3 and above data cannot be modified or moved around unless > > > +``rte_security_set_pkt_metadata()`` is called again. > > > > > > For inline protocol offloaded ingress traffic, the application can r= egister a > > > pointer, ``userdata`` , in the security session. When the packet is = received, > > > diff --git a/lib/mbuf/rte_mbuf_core.h b/lib/mbuf/rte_mbuf_core.h > > > index bb38d7f58..9d8e3ddc8 100644 > > > --- a/lib/mbuf/rte_mbuf_core.h > > > +++ b/lib/mbuf/rte_mbuf_core.h > > > @@ -228,6 +228,8 @@ extern "C" { > > > > > > /** > > > * Request security offload processing on the TX packet. > > > + * To use Tx security offload, the user needs to fill l2_len in mbuf > > > + * indicating L2 header size and where L3 header starts. > > > */ > > > #define PKT_TX_SEC_OFFLOAD (1ULL << 43) > > > > > > -- > > > 2.25.1 > >
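
Review bot: In both doc/guides/nics/features.rst hunks, the new "[uses] mbuf" entry lists only ``mbuf.l2_len``, while the commit message ties the requirement to PKT_TX_SEC_OFFLOAD being set in mbuf.ol_flags. Listing the flag next to l2_len in the same entry would let a reader of the feature matrix see both fields an application must fill for inline crypto and inline protocol Tx. The entry is also inserted after a line that already ends the list sentence with a full stop, so the punctuation of the preceding line and the new one should be adjusted together.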
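
Review bot: In the doc/guides/prog_guide/rte_security.rst hunk (@@ -560,7 +560,11 @@), the added requirement that ``mbuf.data_off`` point to the Layer 3 header conflicts with the l2_len requirement the same patch adds in features.rst and rte_mbuf_core.h: if data_off already marks the L3 header there is no L2 header in the mbuf for l2_len to describe at that point. The text should state a single contract, either data_off at the L2 header with l2_len giving the L3 offset, or data_off at L3 with the L2 header prepended afterwards. The following sentence, "Layer 3 and above data cannot be modified or moved around", should also say explicitly whether prepending an L2 header after the call is permitted, since the rule as written restricts only Layer 3 and above data.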
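
Review bot: The comment added above PKT_TX_SEC_OFFLOAD in the lib/mbuf/rte_mbuf_core.h hunk does not say at which point l2_len must be valid or what it is measured from. "fill l2_len in mbuf indicating L2 header size and where L3 header starts" can be read as applying only at Tx burst time or already when rte_security_set_pkt_metadata() is called, and the rte_security.rst text in this patch describes an mbuf that holds only Layer 3 and above data at that call. Suggest stating the ordering (for example, that l2_len must be set before rte_security_set_pkt_metadata() if that is the intent) and that the length is counted from the start of the packet data.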