From: "Ananyev, Konstantin"
To: Nithin Dabilpuram
CC: Akhil Goyal, dev@dpdk.org, hemant.agrawal@nxp.com, thomas@monjalon.net, g.singh@nxp.com, "Yigit, Ferruh", "Zhang, Roy Fan", olivier.matz@6wind.com, jerinj@marvell.com
Date: Sat, 10 Jul 2021 12:57:19 +0000
References: <20210624102848.3878788-1-gakhil@marvell.com>
Subject: Re: [dpdk-dev] [PATCH 1/2] security: enforce semantics for Tx inline processing
List-Id: DPDK patches and discussions

> > > > > > > > > For Tx inline processing, when RTE_SECURITY_TX_OLOAD_NEED_MDATA is
> > > > > > > > > set, rte_security_set_pkt_metadata() needs to be called for pkts
> > > > > > > > > to associate a Security session with a mbuf before submitting
> > > > > > > > > to Ethdev Tx. This is apart from setting PKT_TX_SEC_OFFLOAD in
> > > > > > > > > mbuf.ol_flags. rte_security_set_pkt_metadata() is also used to
> > > > > > > > > set some opaque metadata in mbuf for PMD's use.
> > > > > > > > > This patch updates documentation that rte_security_set_pkt_metadata()
> > > > > > > > > should be called only with mbuf containing Layer 3 and above data.
> > > > > > > > > This behaviour is consistent with existing PMD's such as ixgbe.
> > > > > > > > >
> > > > > > > > > On Tx, not all net PMD's/HW can parse packet and identify
> > > > > > > > > L2 header and L3 header locations on Tx. This is inline with other
> > > > > > > > > Tx offloads requirements such as L3 checksum, L4 checksum offload,
> > > > > > > > > etc, where mbuf.l2_len, mbuf.l3_len etc, needs to be set for
> > > > > > > > > HW to be able to generate checksum.
> > > > > > > > > Since Inline IPSec is also
> > > > > > > > > such a Tx offload, some PMD's at least need mbuf.l2_len to be
> > > > > > > > > valid to find L3 header and perform Outbound IPSec processing.
> > > > > > > > > Hence, this patch updates documentation to enforce setting
> > > > > > > > > mbuf.l2_len while setting PKT_TX_SEC_OFFLOAD in mbuf.ol_flags
> > > > > > > > > for Inline IPSec Crypto / Protocol offload processing to
> > > > > > > > > work on Tx.
> > > > > > > > >
> > > > > > > > > Signed-off-by: Nithin Dabilpuram
> > > > > > > > > Reviewed-by: Akhil Goyal
> > > > > > > > > ---
> > > > > > > > >  doc/guides/nics/features.rst           | 2 ++
> > > > > > > > >  doc/guides/prog_guide/rte_security.rst | 6 +++++-
> > > > > > > > >  lib/mbuf/rte_mbuf_core.h               | 2 ++
> > > > > > > > >  3 files changed, 9 insertions(+), 1 deletion(-)
> > > > > > > > >
> > > > > > > > > diff --git a/doc/guides/nics/features.rst b/doc/guides/nics/features.rst
> > > > > > > > > index 403c2b03a..414baf14f 100644
> > > > > > > > > --- a/doc/guides/nics/features.rst
> > > > > > > > > +++ b/doc/guides/nics/features.rst
> > > > > > > > > @@ -430,6 +430,7 @@ of protocol operations. See Security library and PMD documentation for more deta
> > > > > > > > >
> > > > > > > > > * **[uses] rte_eth_rxconf,rte_eth_rxmode**: ``offloads:DEV_RX_OFFLOAD_SECURITY``,
> > > > > > > > > * **[uses] rte_eth_txconf,rte_eth_txmode**: ``offloads:DEV_TX_OFFLOAD_SECURITY``.
> > > > > > > > > +* **[uses] mbuf**: ``mbuf.l2_len``.
> > > > > > > > > * **[implements] rte_security_ops**: ``session_create``, ``session_update``,
> > > > > > > > > ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata``, ``capabilities_get``.
> > > > > > > > > * **[provides] rte_eth_dev_info**: ``rx_offload_capa,rx_queue_offload_capa:DEV_RX_OFFLOAD_SECURITY``,
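Review bot: the new `+* **[uses] mbuf**: ``mbuf.l2_len``.` entry for Inline crypto says the field is consumed but not when; per the commit message the dependency exists only for packets that carry PKT_TX_SEC_OFFLOAD, so name that flag in the same entry (or in the sentence introducing it) so a reader of the feature table can tell which Tx flag makes l2_len mandatory rather than assuming every packet through this PMD needs it.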
> > > > > > > > > @@ -451,6 +452,7 @@ protocol operations. See security library and PMD documentation for more details
> > > > > > > > >
> > > > > > > > > * **[uses] rte_eth_rxconf,rte_eth_rxmode**: ``offloads:DEV_RX_OFFLOAD_SECURITY``,
> > > > > > > > > * **[uses] rte_eth_txconf,rte_eth_txmode**: ``offloads:DEV_TX_OFFLOAD_SECURITY``.
> > > > > > > > > +* **[uses] mbuf**: ``mbuf.l2_len``.
> > > > > > > > > * **[implements] rte_security_ops**: ``session_create``, ``session_update``,
> > > > > > > > > ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata``, ``get_userdata``,
> > > > > > > > > ``capabilities_get``.
> > > > > > > > > diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
> > > > > > > > > index f72bc8a78..7b68c698d 100644
> > > > > > > > > --- a/doc/guides/prog_guide/rte_security.rst
> > > > > > > > > +++ b/doc/guides/prog_guide/rte_security.rst
> > > > > > > > > @@ -560,7 +560,11 @@ created by the application is attached to the security session by the API
> > > > > > > > >
> > > > > > > > > For Inline Crypto and Inline protocol offload, device specific defined metadata is
> > > > > > > > > updated in the mbuf using ``rte_security_set_pkt_metadata()`` if
> > > > > > > > > -``DEV_TX_OFFLOAD_SEC_NEED_MDATA`` is set.
> > > > > > > > > +``RTE_SECURITY_TX_OLOAD_NEED_MDATA`` is set. ``rte_security_set_pkt_metadata()``
> > > > > > > > > +should be called on mbuf only with Layer 3 and above data present and
> > > > > > > > > +``mbuf.data_off`` should be pointing to Layer 3 Header.
> > > > > > > >
> > > > > > > > Hmm... not sure why mbuf.data_off should point to L3 hdr.
> > > > > > > > Who will add L2 hdr to the packet in that case?
> > > > > > > > Or did you mean ``mbuf.data_off + mbuf.l2_len`` here?
> > > > > > >
> > > > > > > That is the semantics I was trying to define. I think below is the sequence of
> > > > > > > operations to be done for ipsec processing,
> > > > > > >
> > > > > > > 1. receive_pkt()
> > > > > > > 2. strip_l2_hdr()
> > > > > > > 3. Do policy lookup ()
> > > > > > > 4. Call rte_security_set_pkt_metadata() if pkt needs to be encrypted with a
> > > > > > >    particular SA. Now pkt only has L3 and above data.
> > > > > > > 5. Do route_lookup()
> > > > > > > 6. add_l2hdr() which might be different from stripped l2hdr.
> > > > > > > 7. Send packet out.
> > > > > > >
> > > > > > > The above sequence is what I believe the current poll mode worker thread in
> > > > > > > ipsec-secgw is following.
> > > > > >
> > > > > > That's just a sample app, it doesn't mean it has to be the only possible way.
> > > > > >
> > > > > > > While in event mode, step 2 and step 6 are missing.
> > > > > >
> > > > > > I think this L2 hdr manipulation is totally optional.
> > > > > > If your rte_security_set_pkt_metadata() implementation really needs to know L3 hdr offset (not sure why?),
> > > > >
> > > > > Since rte_security_set_pkt_metadata() is PMD specific function ptr call, we are currently doing some pre-processing
> > > > > here before submitting packet to inline IPSec via rte_eth_tx_burst(). This saves us cycles later in rte_eth_tx_burst().
> > > > > If we cannot know for sure, the pkt content at the time of rte_security_set_pkt_metadata() call, then I think
> > > > > having a PMD specific callback is not much of use except for saving SA priv data to rte_mbuf.
> > > > >
> > > > > > then I suppose we can add a requirement that l2_len has to be set properly before calling rte_security_set_pkt_metadata().
> > > > >
> > > > > This is also fine with us.
> > > >
> > > > Ok, so to make sure we are on the same page, you propose:
> > > > 1. before calling rte_security_set_pkt_metadata() mbuf.l2_len should be properly set.
> > > > 2. after rte_security_set_pkt_metadata() and before rte_eth_tx_burst() packet contents
> > > >    at [mbuf.l2_len, mbuf.pkt_len) can't be modified?
> > >
> > > Yes.
> > >
> > > > Is that correct understanding?
> > > > If yes, I wonder how 2) will correlate with rte_eth_tx_prepare() concept?
> > >
> > > Since our PMD doesn't have a prepare function, I missed that but, since
> > > rte_security_set_pkt_metadata() is only used for Inline Crypto/Protocol via
> > > a rte_eth_dev, and both rte_security_set_pkt_metadata() and rte_eth_tx_prepare()
> > > are callbacks from same PMD, do you see any issue ?
> > >
> > > The restriction is from user side, data is not supposed to be modified unless
> > > rte_security_set_pkt_metadata() is called again.
> >
> > Yep, I do have a concern here.
> > Right now it is perfectly valid to do something like that:
> >
> > rte_security_set_pkt_metadata(..., mb, ...);
> > /* can modify contents of the packet */
> > rte_eth_tx_prepare(..., &mb, 1);
> > rte_eth_tx_burst(..., &mb, 1);
> >
> > With the new restrictions you are proposing it wouldn't be allowed any more.
>
> You can still modify L2 header and IPSEC is only concerned about L3 and above.
>
> I think insisting that rte_security_set_pkt_metadata() be called after all L3
> and above header modifications is not a problem. I guess existing ixgbe/txgbe
> PMD which are the ones only implementing the call back are already expecting the
> same ?

AFAIK, no there are no such requirements for ixgbe or txgbe.
All that ixgbe callback does - store session related data inside mbuf.
It's only expectation to have ESP trailer at the proper place (after ICV):

union ixgbe_crypto_tx_desc_md *mdata =
	(union ixgbe_crypto_tx_desc_md *)rte_security_dynfield(m);
mdata->enc = 1;
mdata->sa_idx = ic_session->sa_index;
mdata->pad_len = ixgbe_crypto_compute_pad_len(m);

Then this data will be used by tx_burst() function.

> > > > If your question is can't we do the preprocessing in rte_eth_tx_prepare() for
> > > > security,
> >
> > Yes, that was my thought.
> >
> > > my only argument was that since there is already a hit in
> > > rte_security_set_pkt_metadata() to PMD specific callback and
> > > struct rte_security_session is passed as an argument to it, it is more beneficial to
> > > do security related pre-processing there.
> >
> > Yes, it would be extra callback call that way.
> > Though tx_prepare() accepts burst of packets, so the overhead
> > of function call will be spread around the whole burst, and I presume
> > shouldn't be too high.
> >
> > > Also rte_eth_tx_prepare() if implemented will be called for both security and
> > > non-security pkts.
> >
> > Yes, but tx_prepare() can distinguish (by ol_flags and/or other field contents) which
> > modifications are required for the packet.
>
> But the major issues I see are
>
> 1. tx_prepare() doesn't take rte_security_session as argument though ol_flags has security flag.
>    In our case, we need to know the security session details to do things.

I suppose you can store pointer to session (or so) inside mbuf in rte_security_dynfield, no?

> 2. AFAIU tx_prepare() is not mandatory as per spec and even by default disabled under compile time
>    macro RTE_ETHDEV_TX_PREPARE_NOOP.
> 3. Even if we do tx_prepare(), rte_security_set_pkt_mdata() is mandatory to associate
>    struct rte_security_session to a pkt as unlike ol_flags, there is no direct space to do the same.

Didn't get you here, obviously we do have rte_security_dynfield inside mbuf,
specially for that - to store security related data inside the mbuf.
Yes your PMD has to request it at initialization time, but I suppose it is not a big deal.

> So I think instead of enforcing yet another callback tx_prepare() for inline security
> processing, it can be done via security specific set_pkt_metadata().

But what you are proposing introduces new limitations and might existing functionality.
BTW, if you don't like to use tx_prepare() - why doing these calculations inside tx_burst() itself is not an option?

> I'm fine to
> introduce a burst call for the same (I was thinking to propose it in future) to
> compensate for the overhead.
>
> If rte_security_set_pkt_metadata() was not a PMD specific function ptr call and
> rte_mbuf had space for struct rte_security_session pointer,

But it does, see above.
In fact it is even more flexible - because it is driver specific, you are not limited to one 64-bit field.
If your PMD requires more data to be associated with mbuf - you can request it via mbuf_dynfield and store there whatever is needed.
> then I guess it would have been better to do the way you proposed.
>
> > > > > > > This patch is trying to enforce semantics as above so that
> > > > > > > rte_security_set_pkt_metadata() can predict what comes in the pkt when he is
> > > > > > > called.
> > > > > > >
> > > > > > > I also think above sequence is what Linux kernel stack or other stacks follow.
> > > > > > > Does it make sense ?
> > > > > > >
> > > > > > > > > Once called,
> > > > > > > > > +Layer 3 and above data cannot be modified or moved around unless
> > > > > > > > > +``rte_security_set_pkt_metadata()`` is called again.
> > > > > > > > >
> > > > > > > > > For inline protocol offloaded ingress traffic, the application can register a
> > > > > > > > > pointer, ``userdata`` , in the security session. When the packet is received,
> > > > > > > > > diff --git a/lib/mbuf/rte_mbuf_core.h b/lib/mbuf/rte_mbuf_core.h
> > > > > > > > > index bb38d7f58..9d8e3ddc8 100644
> > > > > > > > > --- a/lib/mbuf/rte_mbuf_core.h
> > > > > > > > > +++ b/lib/mbuf/rte_mbuf_core.h
> > > > > > > > > @@ -228,6 +228,8 @@ extern "C" {
> > > > > > > > >
> > > > > > > > > /**
> > > > > > > > > * Request security offload processing on the TX packet.
> > > > > > > > > + * To use Tx security offload, the user needs to fill l2_len in mbuf
> > > > > > > > > + * indicating L2 header size and where L3 header starts.
> > > > > > > > > */
> > > > > > > > > #define PKT_TX_SEC_OFFLOAD (1ULL << 43)
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > 2.25.1
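Review bot: the rte_security.rst hunk's added sentence "``mbuf.data_off`` should be pointing to Layer 3 Header" contradicts the rte_mbuf_core.h hunk in the same patch, whose new comment says l2_len indicates "where L3 header starts", i.e. L3 sits at data_off + l2_len and data_off still points at the L2 header; both cannot hold. Given the commit message's own wording ("enforce setting mbuf.l2_len while setting PKT_TX_SEC_OFFLOAD") and the agreement reached later in this thread, drop the data_off sentence and state that ``mbuf.l2_len`` must be valid before ``rte_security_set_pkt_metadata()`` is called. The follow-on sentence "Layer 3 and above data cannot be modified or moved around unless ``rte_security_set_pkt_metadata()`` is called again" should also say explicitly that it covers only the bytes from data_off + l2_len onward and that the L2 header may still be replaced, which is the reading Nithin gives in reply; as written it reads as a blanket freeze of the packet and conflicts with the existing set_pkt_metadata() / modify / tx_prepare() / tx_burst() sequence quoted above.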
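Review bot: the comment added to PKT_TX_SEC_OFFLOAD in rte_mbuf_core.h says l2_len must be filled but not by when; the requirement argued for in this thread is that it be valid before rte_security_set_pkt_metadata() is called, not merely before rte_eth_tx_burst(), and a define's doc comment is the one place a driver author will look. Add "before calling rte_security_set_pkt_metadata()" to the comment, or point at the rte_security guide section this patch edits, so the two documents describe the same contract.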
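The Tx contract argued over in this thread (l2_len valid before rte_security_set_pkt_metadata(), the L3-and-above bytes left alone until it is called again, the L2 header still free to change) can be made concrete with a small model. This is example code added here; it is not DPDK code and not part of anyone's mail in the thread. struct model_mbuf and the model_* functions are simplified stand-ins for struct rte_mbuf, rte_security_set_pkt_metadata() and a tx_prepare()-style check, and the packet bytes are constructed. The fingerprint is only a way to detect a violation of the proposed rule; a real PMD would instead precompute whatever it stores in rte_security_dynfield.

```c
#include <stdint.h>
#include <string.h>

#define MODEL_PKT_TX_SEC_OFFLOAD (1ULL << 43)    /* same bit as PKT_TX_SEC_OFFLOAD */

/* Simplified stand-in for struct rte_mbuf plus a PMD's rte_security_dynfield. */
struct model_mbuf {
	uint8_t  buf[256];
	uint16_t data_off;        /* first byte of packet data, i.e. the L2 header */
	uint16_t pkt_len;         /* bytes of packet data from data_off */
	uint16_t l2_len;          /* L3 header starts at data_off + l2_len */
	uint64_t ol_flags;
	uint32_t sa_idx;          /* what the PMD stored at set_pkt_metadata() time */
	uint32_t l3_fingerprint;  /* FNV-1a of the L3-and-above bytes at that time */
	int      mdata_valid;
};

/* FNV-1a over [data_off + l2_len, data_off + pkt_len); callers check l2_len <= pkt_len. */
static uint32_t model_l3_hash(const struct model_mbuf *m)
{
	uint32_t h = 2166136261u;
	for (size_t i = m->data_off + m->l2_len; i < (size_t)(m->data_off + m->pkt_len); i++)
		h = (h ^ m->buf[i]) * 16777619u;
	return h;
}

/* Stand-in for rte_security_set_pkt_metadata(): refuses to run unless the caller
 * filled l2_len, then records SA data and a fingerprint of the L3+ bytes. */
static int model_set_pkt_metadata(struct model_mbuf *m, uint32_t sa_idx)
{
	if (!(m->ol_flags & MODEL_PKT_TX_SEC_OFFLOAD)) return -1;
	if (m->l2_len == 0 || m->l2_len > m->pkt_len) return -1;   /* L3 cannot be located */
	m->sa_idx = sa_idx;
	m->l3_fingerprint = model_l3_hash(m);
	m->mdata_valid = 1;
	return 0;
}

/* Stand-in for a check a tx_prepare()/tx_burst() path could make: the bytes the
 * metadata was computed over must be unchanged. 0 = ok, -1 = rule violated. */
static int model_tx_check(const struct model_mbuf *m)
{
	if (!(m->ol_flags & MODEL_PKT_TX_SEC_OFFLOAD)) return 0;   /* nothing to verify */
	if (!m->mdata_valid || m->l2_len > m->pkt_len) return -1;
	return model_l3_hash(m) == m->l3_fingerprint ? 0 : -1;
}

/* Step 6 of Nithin's sequence: swap in a new L2 header, possibly of a different
 * length, by moving data_off so the L3 bytes themselves are not moved. */
static int model_replace_l2_hdr(struct model_mbuf *m, const uint8_t *hdr, uint16_t len)
{
	uint16_t l3_off = (uint16_t)(m->data_off + m->l2_len);
	if (len > l3_off) return -1;                /* not enough headroom for the new header */
	m->data_off = (uint16_t)(l3_off - len);
	memcpy(m->buf + m->data_off, hdr, len);
	m->pkt_len = (uint16_t)(m->pkt_len - m->l2_len + len);
	m->l2_len = len;
	return 0;
}

/* Constructed packet: 14-byte Ethernet header followed by 40 bytes standing in
 * for an IPv4 header and payload, placed after 64 bytes of headroom. */
static void model_build_pkt(struct model_mbuf *m)
{
	memset(m, 0, sizeof(*m));
	m->data_off = 64;
	m->l2_len = 14;
	m->pkt_len = 14 + 40;
	for (uint16_t i = 0; i < m->pkt_len; i++)
		m->buf[m->data_off + i] = (uint8_t)(i + 1);   /* arbitrary byte values */
	m->ol_flags = MODEL_PKT_TX_SEC_OFFLOAD;
}

/* Allowed: metadata set, then the L2 header is replaced (e.g. after route lookup). */
int model_scenario_l2_rewrite(void)
{
	struct model_mbuf m;
	uint8_t vlan_hdr[18] = {0};                 /* longer than the original 14-byte header */
	model_build_pkt(&m);
	if (model_set_pkt_metadata(&m, 7) != 0) return -2;
	if (model_replace_l2_hdr(&m, vlan_hdr, sizeof(vlan_hdr)) != 0) return -3;
	return model_tx_check(&m);                  /* 0: L3+ bytes untouched */
}

/* Violation: an L3 byte is changed after the metadata was set. */
int model_scenario_l3_modify(void)
{
	struct model_mbuf m;
	model_build_pkt(&m);
	if (model_set_pkt_metadata(&m, 7) != 0) return -2;
	m.buf[m.data_off + m.l2_len + 8]++;         /* a byte inside the "IP header" */
	return model_tx_check(&m);                  /* -1: set_pkt_metadata() must be re-run */
}
```

model_set_pkt_metadata() with l2_len left at zero returns -1, which is the "l2_len must be set before the call" half of the proposal; model_scenario_l2_rewrite() returning 0 while model_scenario_l3_modify() returns -1 is the "L2 may change, L3 and above may not" half. Note that the check in model_tx_check() costs a pass over the packet; the thread's point is that a real PMD would rather carry the precomputed result from set_pkt_metadata() into tx_burst() than recompute it.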