From: "Ananyev, Konstantin"
To: Anoob Joseph, Akhil Goyal, "Doherty, Declan", "Zhang, Roy Fan", "hemant.agrawal@nxp.com"
CC: Jerin Jacob Kollanukkaran, Ankur Dwivedi, Tejasree Kondoj, "dev@dpdk.org", Archana Muniganti
Date: Mon, 26 Jul 2021 13:50:18 +0000
References: <1626759974-334-1-git-send-email-anoobj@marvell.com> <1626759974-334-3-git-send-email-anoobj@marvell.com>
Subject: Re: [dpdk-dev] [PATCH 2/2] lib/security: add SA lifetime configuration

Hi Anoob,

>
> Hi Akhil, Declan, Fan, Hemant, Konstantin,
>
> This patch and a patch submitted by Archana earlier
> (http://patches.dpdk.org/project/dpdk/patch/20210630111248.746-1-marchana@marvell.com/),
> aim at extending rte_crypto_op so that it can be used to communicate any warnings from the rte_security
> offload, such as,
>
> 1. Soft expiry : application requires a notification to renegotiate SA
> 2. L3/L4 checksum : when application offloads checksum verification of plain packet after IPsec processing. This need not be treated as an
> error as IPsec operation was successful and checksum generation/verification can be redone in software, especially if the checksum
> operation failed due to some limitations of the underlying device.
>
> Both the above will be an IPsec operation completed successfully but with additional information that PMD can pass on to application for
> indicating status of offloads.
>
> There are two options that we considered,
> 1. Extend the enum, rte_crypto_op_status, to cover warnings [1]
> 2. There are reserved fields in rte_crypto_op structure. So we can use bits in them to indicate various cases. [2]
>
> Both the submitted patches follow approach 1 (following how it's done currently), but we can switch to approach 2 if we think there can be
> more such "warnings" that can occur simultaneously. Can you share your thoughts on how we should extend the library to handle such
> cases?
>
> [1] https://doc.dpdk.org/api/rte__crypto_8h.html#afe16508b77c2a8dc5caf74a4e9850171
> [2] https://doc.dpdk.org/api/rte__crypto_8h_source.html

My vote would probably be for option #2 (use one of the reserved fields for it).
That way - existing code wouldn't need to be changed.
Again these warnings, it probably needs to be a bit-flags, correct?
Konstantin

> Thanks,
> Anoob
>
> > -----Original Message-----
> > From: Anoob Joseph
> > Sent: Tuesday, July 20, 2021 11:16 AM
> > To: Akhil Goyal; Declan Doherty; Fan Zhang; Konstantin Ananyev
> > Cc: Anoob Joseph; Jerin Jacob Kollanukkaran; Ankur Dwivedi; Tejasree Kondoj; dev@dpdk.org
> > Subject: [PATCH 2/2] lib/security: add SA lifetime configuration
> >
> > Add SA lifetime configuration to register soft and hard expiry limits.
> > Expiry can be in units of number of packets or bytes. Crypto op status is also
> > updated to cover warnings indicating soft expiry in case of lookaside protocol
> > operations.
> >
> > In case of soft expiry, the packets are successfully IPsec processed but the
> > soft expiry would indicate that SA needs to be reconfigured. For inline
> > protocol capable ethdev, this would result in an eth event while for lookaside
> > protocol capable cryptodev, this can be communicated via
> > `rte_crypto_op.status` field.
> >
> > In case of hard expiry, the packets will not be IPsec processed and would
> > result in error.
> > > > Signed-off-by: Anoob Joseph > > --- > > examples/ipsec-secgw/ipsec.c | 2 +- > > examples/ipsec-secgw/ipsec.h | 2 +- > > lib/cryptodev/rte_crypto.h | 7 +++++++ > > lib/security/rte_security.h | 28 ++++++++++++++++++++++++++-- > > 4 files changed, 35 insertions(+), 4 deletions(-) > > > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.= c > > index 5b032fe..4868294 100644 > > --- a/examples/ipsec-secgw/ipsec.c > > +++ b/examples/ipsec-secgw/ipsec.c > > @@ -49,7 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > > rte_security_ipsec_xform *ipsec) > > } > > /* TODO support for Transport */ > > } > > - ipsec->esn_soft_limit =3D IPSEC_OFFLOAD_ESN_SOFTLIMIT; > > + ipsec->life.packets_soft_limit =3D IPSEC_OFFLOAD_PKTS_SOFTLIMIT; > > ipsec->replay_win_sz =3D app_sa_prm.window_size; > > ipsec->options.esn =3D app_sa_prm.enable_esn; > > ipsec->options.udp_encap =3D sa->udp_encap; diff --git > > a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index > > ae5058d..90c81c1 100644 > > --- a/examples/ipsec-secgw/ipsec.h > > +++ b/examples/ipsec-secgw/ipsec.h > > @@ -23,7 +23,7 @@ > > > > #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ > > > > -#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00 > > +#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00 > > > > #define IV_OFFSET (sizeof(struct rte_crypto_op) + \ > > sizeof(struct rte_crypto_sym_op)) > > diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h in= dex > > fd5ef3a..c5a0897 100644 > > --- a/lib/cryptodev/rte_crypto.h > > +++ b/lib/cryptodev/rte_crypto.h 
> > @@ -52,6 +52,13 @@ enum rte_crypto_op_status { > > /**< Operation failed due to invalid arguments in request */ > > RTE_CRYPTO_OP_STATUS_ERROR, > > /**< Error handling operation */ > > + RTE_CRYPTO_OP_STATUS_WAR =3D 128, > > + /**< > > + * Operation completed successfully with warnings. > > + * Note: All the warnings starts from here. > > + */ > > + RTE_CRYPTO_OPSTATUS_WAR_SOFT_EXPIRY, > > + /**< Operation completed successfully with soft expiry of lifetime */ > > }; > > > > /** > > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h = index > > d61a55d..d633c8d 100644 > > --- a/lib/security/rte_security.h > > +++ b/lib/security/rte_security.h > > @@ -206,6 +206,30 @@ enum rte_security_ipsec_sa_direction { }; > > > > /** > > + * Configure soft and hard lifetime of an IPsec SA > > + * > > + * Lifetime of an IPsec SA would specify the maximum number of packets > > +or bytes > > + * that can be processed. IPsec operations would start failing once an= y > > +hard > > + * limit is reached. > > + * > > + * Soft limits can be specified to generate notification when the SA i= s > > + * approaching hard limits for lifetime. For inline operations, > > +reaching soft > > + * expiry limit would result in raising an eth event for the same. For > > +lookaside > > + * operations, this would result in a warning returned in > > + * ``rte_crypto_op.status``. > > + */ > > +struct rte_security_ipsec_lifetime { > > + uint64_t packets_soft_limit; > > + /**< Soft expiry limit in number of packets */ > > + uint64_t bytes_soft_limit; > > + /**< Soft expiry limit in bytes */ > > + uint64_t packets_hard_limit; > > + /**< Soft expiry limit in number of packets */ > > + uint64_t bytes_hard_limit; > > + /**< Soft expiry limit in bytes */ > > +}; > > + > > +/** > > * IPsec security association configuration data. > > * > > * This structure contains data required to create an IPsec SA securit= y > > session. 
> > @@ -225,8 +249,8 @@ struct rte_security_ipsec_xform { > > /**< IPsec SA Mode - transport/tunnel */ > > struct rte_security_ipsec_tunnel_param tunnel; > > /**< Tunnel parameters, NULL for transport mode */ > > - uint64_t esn_soft_limit; > > - /**< ESN for which the overflow event need to be raised */ > > + struct rte_security_ipsec_lifetime life; > > + /**< IPsec SA lifetime */ > > uint32_t replay_win_sz; > > /**< Anti replay window size to enable sequence replay attack > > handling. > > * replay checking is disabled if the window size is 0. > > -- > > 2.7.4
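
Review bot: In the lib/cryptodev/rte_crypto.h hunk the two new enumerators do not share a prefix: RTE_CRYPTO_OP_STATUS_WAR keeps the RTE_CRYPTO_OP_STATUS_ form used by RTE_CRYPTO_OP_STATUS_ERROR just above it, while RTE_CRYPTO_OPSTATUS_WAR_SOFT_EXPIRY drops the underscore between OP and STATUS. Please make the second one RTE_CRYPTO_OP_STATUS_WAR_SOFT_EXPIRY (and consider spelling the abbreviation WARN), and fix "All the warnings starts from here" to "start". Since an enum value can report only one condition per operation, the comment should also say what a driver returns when soft expiry coincides with another warning.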
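
Review bot: In the new struct rte_security_ipsec_lifetime in lib/security/rte_security.h, the comments on packets_hard_limit and bytes_hard_limit were copied from the soft limits and still read "Soft expiry limit in number of packets" and "Soft expiry limit in bytes"; they should say "Hard expiry limit". The block comment should also state what a value of 0 means for each field (limit disabled, or expire immediately), because the ipsec-secgw change in this patch sets only life.packets_soft_limit and leaves the other three fields unset.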
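
Review bot: The last hunk removes the public field esn_soft_limit from struct rte_security_ipsec_xform and replaces it with a larger struct rte_security_ipsec_lifetime, but the diffstat lists only the two ipsec-secgw files and the two headers, so there is no release-note or deprecation entry for the API and layout change. The removed comment described an ESN overflow event, whereas the replacement is documented as a packet-count limit; please say in the new comment whether drivers are still expected to raise the sequence-number overflow event, and how applications that set esn_soft_limit should migrate.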
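
The soft and hard lifetime behaviour described in the quoted commit message, with soft expiry reported as bit flags in the way option 2 of the discussion suggests, can be modelled in a few lines. This is an added illustration, not DPDK code and not part of the patch: the SA_WARN_* bits, sa_account(), the sa_state structure and the treatment of a limit of 0 as "disabled" are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical warning bits (not DPDK API); several can be set at once. */
#define SA_WARN_PKTS_SOFT_EXPIRY  (1u << 0)
#define SA_WARN_BYTES_SOFT_EXPIRY (1u << 1)

/* Same four limits as the patch; 0 = limit disabled (assumption). */
struct sa_lifetime {
	uint64_t packets_soft_limit, bytes_soft_limit;
	uint64_t packets_hard_limit, bytes_hard_limit;
};

struct sa_state {
	struct sa_lifetime life;
	uint64_t packets, bytes; /* traffic processed so far */
};

/* Account one packet of len bytes. Returns -1 once a hard limit has been
 * reached (packet not processed, counters unchanged), else 0 with *warn
 * holding the soft-expiry bits for this operation. */
static int sa_account(struct sa_state *sa, uint32_t len, uint32_t *warn)
{
	const struct sa_lifetime *l = &sa->life;
	uint64_t pkts = sa->packets + 1, bytes = sa->bytes + len;

	*warn = 0;
	if ((l->packets_hard_limit && pkts > l->packets_hard_limit) ||
	    (l->bytes_hard_limit && bytes > l->bytes_hard_limit))
		return -1;
	sa->packets = pkts;
	sa->bytes = bytes;
	if (l->packets_soft_limit && pkts >= l->packets_soft_limit)
		*warn |= SA_WARN_PKTS_SOFT_EXPIRY;
	if (l->bytes_soft_limit && bytes >= l->bytes_soft_limit)
		*warn |= SA_WARN_BYTES_SOFT_EXPIRY;
	return 0;
}

int main(void)
{
	/* Constructed limits: soft at 3 packets / 250 bytes, hard at 5 / 1000. */
	struct sa_state sa = { .life = { 3, 250, 5, 1000 } };
	uint32_t warn;
	for (int i = 1; i <= 6; i++) {
		int rc = sa_account(&sa, 100, &warn);
		printf("pkt %d: rc=%d warn=0x%x\n", i, rc, (unsigned)warn);
	}
	return 0;
}
```

With these constructed limits the third packet crosses both soft limits in the same operation, which a single enum status value could not express.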