From: "Ananyev, Konstantin"
To: Nithin Dabilpuram
CC: Akhil Goyal, dev@dpdk.org, hemant.agrawal@nxp.com, thomas@monjalon.net, g.singh@nxp.com, "Yigit, Ferruh", "Zhang, Roy Fan", olivier.matz@6wind.com, jerinj@marvell.com
Thread-Topic: [dpdk-dev] [PATCH 1/2] security: enforce semantics for Tx inline processing
Date: Tue, 6 Jul 2021 14:07:17 +0000
References: <20210624102848.3878788-1-gakhil@marvell.com>
Subject: Re: [dpdk-dev] [PATCH 1/2] security: enforce semantics for Tx inline processing
List-Id: DPDK patches and discussions

> > > > > For Tx inline processing, when RTE_SECURITY_TX_OLOAD_NEED_MDATA is
> > > > > set, rte_security_set_pkt_metadata() needs to be called for pkts
> > > > > to associate a Security session with a mbuf before submitting
> > > > > to Ethdev Tx. This is apart from setting PKT_TX_SEC_OFFLOAD in
> > > > > mbuf.ol_flags. rte_security_set_pkt_metadata() is also used to
> > > > > set some opaque metadata in mbuf for PMD's use.
> > > > > This patch updates documentation that rte_security_set_pkt_metadata()
> > > > > should be called only with mbuf containing Layer 3 and above data.
> > > > > This behaviour is consistent with existing PMD's such as ixgbe.
> > > > >
> > > > > On Tx, not all net PMD's/HW can parse packet and identify
> > > > > L2 header and L3 header locations on Tx. This is in line with other
> > > > > Tx offloads requirements such as L3 checksum, L4 checksum offload,
> > > > > etc, where mbuf.l2_len, mbuf.l3_len etc, needs to be set for
> > > > > HW to be able to generate checksum. Since Inline IPSec is also
> > > > > such a Tx offload, some PMD's at least need mbuf.l2_len to be
> > > > > valid to find L3 header and perform Outbound IPSec processing.
> > > > > Hence, this patch updates documentation to enforce setting
> > > > > mbuf.l2_len while setting PKT_TX_SEC_OFFLOAD in mbuf.ol_flags
> > > > > for Inline IPSec Crypto / Protocol offload processing to
> > > > > work on Tx.
> > > > >
> > > > > Signed-off-by: Nithin Dabilpuram
> > > > > Reviewed-by: Akhil Goyal
> > > > > ---
> > > > > doc/guides/nics/features.rst | 2 ++
> > > > > doc/guides/prog_guide/rte_security.rst | 6 +++++-
> > > > > lib/mbuf/rte_mbuf_core.h | 2 ++
> > > > > 3 files changed, 9 insertions(+), 1 deletion(-)
> > > > >
> > > > > diff --git a/doc/guides/nics/features.rst b/doc/guides/nics/featu= res.rst > > > > > index 403c2b03a..414baf14f 100644 > > > > > --- a/doc/guides/nics/features.rst > > > > > +++ b/doc/guides/nics/features.rst > > > > > @@ -430,6 +430,7 @@ of protocol operations. See Security library = and PMD documentation for more deta > > > > > > > > > > * **[uses] rte_eth_rxconf,rte_eth_rxmode**: ``offloads:DEV= _RX_OFFLOAD_SECURITY``, > > > > > * **[uses] rte_eth_txconf,rte_eth_txmode**: ``offloads:DEV= _TX_OFFLOAD_SECURITY``. > > > > > +* **[uses] mbuf**: ``mbuf.l2_len``. > > > > > * **[implements] rte_security_ops**: ``session_create``, ``sessi= on_update``, > > > > > ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata= ``, ``capabilities_get``. > > > > > * **[provides] rte_eth_dev_info**: ``rx_offload_capa,rx_queue_of= fload_capa:DEV_RX_OFFLOAD_SECURITY``,
> > > > > @@ -451,6 +452,7 @@ protocol operations. See security library and= PMD documentation for more details > > > > > > > > > > * **[uses] rte_eth_rxconf,rte_eth_rxmode**: ``offloads:DEV= _RX_OFFLOAD_SECURITY``, > > > > > * **[uses] rte_eth_txconf,rte_eth_txmode**: ``offloads:DEV= _TX_OFFLOAD_SECURITY``. > > > > > +* **[uses] mbuf**: ``mbuf.l2_len``. > > > > > * **[implements] rte_security_ops**: ``session_create``, ``sessi= on_update``, > > > > > ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata= ``, ``get_userdata``, > > > > > ``capabilities_get``. > > > > > diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/= prog_guide/rte_security.rst > > > > > index f72bc8a78..7b68c698d 100644 > > > > > --- a/doc/guides/prog_guide/rte_security.rst > > > > > +++ b/doc/guides/prog_guide/rte_security.rst 
> > > > > @@ -560,7 +560,11 @@ created by the application is attached to th= e security session by the API > > > > > > > > > > For Inline Crypto and Inline protocol offload, device specific d= efined metadata is > > > > > updated in the mbuf using ``rte_security_set_pkt_metadata()`` if > > > > > -``DEV_TX_OFFLOAD_SEC_NEED_MDATA`` is set. > > > > > +``RTE_SECURITY_TX_OLOAD_NEED_MDATA`` is set. ``rte_security_set_= pkt_metadata()`` > > > > > +should be called on mbuf only with Layer 3 and above data presen= t and > > > > > +``mbuf.data_off`` should be pointing to Layer 3 Header.
> > > >
> > > > Hmm... not sure why mbuf.data_off should point to L3 hdr.
> > > > Who will add L2 hdr to the packet in that case?
> > > > Or did you mean ``mbuf.data_off + mbuf.l2_len`` here?
> > >
> > > That is the semantics I was trying to define. I think below is the sequence of
> > > operations to be done for ipsec processing,
> > >
> > > 1. receive_pkt()
> > > 2. strip_l2_hdr()
> > > 3. Do policy lookup ()
> > > 4. Call rte_security_set_pkt_metadata() if pkt needs to be encrypted with a
> > >    particular SA. Now pkt only has L3 and above data.
> > > 5. Do route_lookup()
> > > 6. add_l2hdr() which might be different from stripped l2hdr.
> > > 7. Send packet out.
> > >
> > > The above sequence is what I believe the current poll mode worker thread in
> > > ipsec-secgw is following.
> >
> > That's just a sample app, it doesn't mean it has to be the only possible way.
> >
> > > While in event mode, step 2 and step 6 are missing.
> >
> > I think this L2 hdr manipulation is totally optional.
> > If your rte_security_set_pkt_metadata() implementation really needs to know L3 hdr offset (not sure why?),
>
> Since rte_security_set_pkt_metadata() is PMD specific function ptr call, we are currently doing some pre-processing
> here before submitting packet to inline IPSec via rte_eth_tx_burst(). This saves us cycles later in rte_eth_tx_burst().
> If we cannot know for sure the pkt content at the time of the rte_security_set_pkt_metadata() call, then I think
> having a PMD specific callback is not much of use except for saving SA priv data to rte_mbuf.
>
> > then I suppose we can add a requirement that l2_len has to be set properly before calling rte_security_set_pkt_metadata().
>
> This is also fine with us.

Ok, so to make sure we are on the same page, you propose:
1. before calling rte_security_set_pkt_metadata() mbuf.l2_len should be properly set.
2. after rte_security_set_pkt_metadata() and before rte_eth_tx_burst() packet contents at [mbuf.l2_len, mbuf.pkt_len) can't be modified?
Is that a correct understanding?
If yes, I wonder how 2) will correlate with the rte_eth_tx_prepare() concept?

> > >
> > > This patch is trying to enforce semantics as above so that
> > > rte_security_set_pkt_metadata() can predict what comes in the pkt when it is
> > > called.
> > >
> > > I also think above sequence is what Linux kernel stack or other stacks follow.
> > > Does it make sense?
> > > > > > > > > > > > Once called, > > > > > +Layer 3 and above data cannot be modified or moved around unless > > > > > +``rte_security_set_pkt_metadata()`` is called again. > > > > > > > > > > For inline protocol offloaded ingress traffic, the application c= an register a > > > > > pointer, ``userdata`` , in the security session. When the packet= is received, > > > > > diff --git a/lib/mbuf/rte_mbuf_core.h b/lib/mbuf/rte_mbuf_core.h > > > > > index bb38d7f58..9d8e3ddc8 100644 > > > > > --- a/lib/mbuf/rte_mbuf_core.h > > > > > +++ b/lib/mbuf/rte_mbuf_core.h
> > > > > @@ -228,6 +228,8 @@ extern "C" { > > > > > > > > > > /** > > > > > * Request security offload processing on the TX packet. > > > > > + * To use Tx security offload, the user needs to fill l2_len in = mbuf > > > > > + * indicating L2 header size and where L3 header starts. > > > > > */ > > > > > #define PKT_TX_SEC_OFFLOAD (1ULL << 43) > > > > > > > > > > -- > > > > > 2.25.1 > > > >
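Review bot: in the rte_security.rst hunk, the added sentence "``mbuf.data_off`` should be pointing to Layer 3 Header" contradicts the l2_len requirement this same patch adds to rte_mbuf_core.h and features.rst: if data_off already points at the L3 header there is no L2 header for l2_len to describe, and the thread instead settles on l2_len being set properly before rte_security_set_pkt_metadata() is called. Suggest replacing it with "``mbuf.data_off + mbuf.l2_len`` should point to the Layer 3 header", and stating in the same paragraph whether the new "Layer 3 and above data cannot be modified or moved around" rule also binds rte_eth_tx_prepare(), which the thread leaves open.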
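Review bot: the new comment on PKT_TX_SEC_OFFLOAD in the rte_mbuf_core.h hunk says l2_len must be filled but not when; the ordering the thread converges on is l2_len first, then rte_security_set_pkt_metadata() (when RTE_SECURITY_TX_OLOAD_NEED_MDATA is set), then rte_eth_tx_burst(). Suggest saying so in the comment, e.g. "l2_len must be valid before rte_security_set_pkt_metadata() is called", since a reader of this header has no other pointer to the rte_security.rst text.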
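The contract the thread converges on (l2_len set before rte_security_set_pkt_metadata(), data_off + l2_len locating the L3 header, and Layer 3 and above bytes left alone until Tx) as an added, self-contained model in C. This is not DPDK code: struct model_mbuf, model_set_pkt_metadata(), model_tx_check() and run_scenario() are constructed stand-ins, and the digest comparison is a hypothetical debug aid rather than anything a real PMD does.

```c
/* Added example, not DPDK code: a constructed model of the Tx inline IPsec
 * contract discussed in this thread. struct model_mbuf stands in for
 * rte_mbuf and the functions are hypothetical stand-ins for PMD logic. */
#include <stdint.h>
#include <string.h>
#define PKT_TX_SEC_OFFLOAD (1ULL << 43)   /* flag value quoted in the patch */

struct model_mbuf {
    uint8_t  buf[64];
    uint16_t data_off, pkt_len, l2_len;   /* rte_mbuf keeps l2_len in a bitfield */
    uint64_t ol_flags;
    uint32_t sec_l3_digest;               /* stands in for PMD-private metadata */
};

static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}
/* Point 1 of the thread: flag set and l2_len valid, so that
 * data_off + l2_len lands on an IPv4/IPv6 header. Returns 0 or -1. */
int model_set_pkt_metadata(struct model_mbuf *m) {
    if (!(m->ol_flags & PKT_TX_SEC_OFFLOAD) || m->l2_len == 0 ||
        m->l2_len >= m->pkt_len)
        return -1;                                  /* l2_len not usable */
    const uint8_t *l3 = m->buf + m->data_off + m->l2_len;
    if ((*l3 >> 4) != 4 && (*l3 >> 4) != 6)
        return -1;                                  /* not an IP header */
    m->sec_l3_digest = fnv1a(l3, m->pkt_len - m->l2_len);  /* what the PMD saw */
    return 0;
}
/* Point 2 of the thread: [l2_len, pkt_len) unchanged between metadata and Tx. */
int model_tx_check(const struct model_mbuf *m) {
    const uint8_t *l3 = m->buf + m->data_off + m->l2_len;
    return m->sec_l3_digest == fnv1a(l3, m->pkt_len - m->l2_len) ? 0 : -1;
}

/* Constructed Ethernet + IPv4 packet run through the agreed sequence.
 * Returns -1 if metadata setup is rejected, -2 if the Tx check fails, 0 if ok. */
int run_scenario(uint16_t l2_len, int modify_l2, int modify_l3) {
    struct model_mbuf m;
    memset(&m, 0, sizeof(m));
    m.buf[12] = 0x08; m.buf[14] = 0x45;   /* EtherType 0x0800; IPv4, IHL 5 */
    m.pkt_len = 14 + 20; m.l2_len = l2_len; m.ol_flags = PKT_TX_SEC_OFFLOAD;
    if (model_set_pkt_metadata(&m) != 0)
        return -1;
    if (modify_l2) m.buf[0] = 0xaa;        /* rewriting L2 (step 6 above) is fine */
    if (modify_l3) m.buf[14 + 12] = 0x0a;  /* touching L3 (IPv4 src addr) is not */
    return model_tx_check(&m) == 0 ? 0 : -2;
}
```

run_scenario(14, 0, 0) follows the sequence correctly; run_scenario(0, 0, 0) is the case the patch text forbids (l2_len left unset), and run_scenario(14, 0, 1) shows why point 2 matters once the PMD has already consumed the L3 bytes.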