Re: [dpdk-dev] [PATCH v2 1/3] security: add SA config option for inner pkt csum

[Anoob Joseph <anoobj@marvell.com>]

Hi Konstanin,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> Sent: Wednesday, September 29, 2021 4:26 PM
> To: Archana Muniganti <marchana@marvell.com>; Akhil Goyal
> <gakhil@marvell.com>; Nicolau, Radu <radu.nicolau@intel.com>; Zhang, Roy
> Fan <roy.fan.zhang@intel.com>; hemant.agrawal@nxp.com
> Cc: Anoob Joseph <anoobj@marvell.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>; Jerin Jacob
> Kollanukkaran <jerinj@marvell.com>; dev@dpdk.org
> Subject: [EXT] RE: [PATCH v2 1/3] security: add SA config option for inner pkt
> csum
> 
> External Email
> 
> ----------------------------------------------------------------------
> > Add inner packet IPv4 hdr and L4 checksum enable options in conf.
> > These will be used in case of protocol offload.
> > Per SA, application could specify whether the
> > checksum(compute/verify) can be offloaded to security device.
> >
> > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > ---
> >  doc/guides/cryptodevs/features/default.ini |  1 +
> >  doc/guides/rel_notes/deprecation.rst       |  4 ++--
> >  doc/guides/rel_notes/release_21_11.rst     |  4 ++++
> >  lib/cryptodev/rte_cryptodev.h              |  2 ++
> >  lib/security/rte_security.h                | 18 ++++++++++++++++++
> >  5 files changed, 27 insertions(+), 2 deletions(-)
> >
> > diff --git a/doc/guides/cryptodevs/features/default.ini
> > b/doc/guides/cryptodevs/features/default.ini
> > index c24814de98..96d95ddc81 100644
> > --- a/doc/guides/cryptodevs/features/default.ini
> > +++ b/doc/guides/cryptodevs/features/default.ini
> > @@ -33,6 +33,7 @@ Non-Byte aligned data  =  Sym raw data path API  =
> > Cipher multiple data units =
> >  Cipher wrapped key     =
> > +Inner checksum         =
> >
> >  ;
> >  ; Supported crypto algorithms of a default crypto driver.
> > diff --git a/doc/guides/rel_notes/deprecation.rst
> > b/doc/guides/rel_notes/deprecation.rst
> > index 05fc2fdee7..8308e00ed4 100644
> > --- a/doc/guides/rel_notes/deprecation.rst
> > +++ b/doc/guides/rel_notes/deprecation.rst
> > @@ -232,8 +232,8 @@ Deprecation Notices
> >    IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence
> Number).
> >
> >  * security: The IPsec SA config options ``struct
> > rte_security_ipsec_sa_options``
> > -  will be updated with new fields to support new features like IPsec
> > inner
> > -  checksum, TSO in case of protocol offload.
> > +  will be updated with new fields to support new features like TSO in
> > + case of  protocol offload.
> >
> >  * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
> >    ``hdr_l3_len`` to configure tunnel L3 header length.
> > diff --git a/doc/guides/rel_notes/release_21_11.rst
> > b/doc/guides/rel_notes/release_21_11.rst
> > index 8da851cccc..93d1b36889 100644
> > --- a/doc/guides/rel_notes/release_21_11.rst
> > +++ b/doc/guides/rel_notes/release_21_11.rst
> > @@ -194,6 +194,10 @@ ABI Changes
> >    ``rte_security_ipsec_xform`` to allow applications to configure SA soft
> >    and hard expiry limits. Limits can be either in number of packets or bytes.
> >
> > +* security: The new options ``ip_csum_enable`` and ``l4_csum_enable``
> > +were added
> > +  in structure ``rte_security_ipsec_sa_options`` to indicate whether
> > +inner
> > +  packet IPv4 header checksum and L4 checksum need to be offloaded to
> > +  security device.
> >
> >  Known Issues
> >  ------------
> > diff --git a/lib/cryptodev/rte_cryptodev.h
> > b/lib/cryptodev/rte_cryptodev.h index bb01f0f195..d9271a6c45 100644
> > --- a/lib/cryptodev/rte_cryptodev.h
> > +++ b/lib/cryptodev/rte_cryptodev.h
> > @@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum
> > rte_crypto_asym_xform_type *xform_enum,  /**< Support operations on
> multiple data-units message */
> >  #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY		(1ULL << 26)
> >  /**< Support wrapped key in cipher xform  */
> > +#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM		(1ULL
> << 27)
> > +/**< Support inner checksum computation/verification */
> >
> >  /**
> >   * Get the name of a crypto device feature flag diff --git
> > a/lib/security/rte_security.h b/lib/security/rte_security.h index
> > ab1a6e1f65..945f45ad76 100644
> > --- a/lib/security/rte_security.h
> > +++ b/lib/security/rte_security.h
> > @@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
> >  	 * * 0: Do not match UDP ports
> >  	 */
> >  	uint32_t udp_ports_verify : 1;
> > +
> > +	/** Compute/verify inner packet IPv4 header checksum in tunnel mode
> > +	 *
> > +	 * * 1: For outbound, compute inner packet IPv4 header checksum
> > +	 *      before tunnel encapsulation and for inbound, verify after
> > +	 *      tunnel decapsulation.
> > +	 * * 0: Inner packet IP header checksum is not computed/verified.
> > +	 */
> > +	uint32_t ip_csum_enable : 1;
> > +
> > +	/** Compute/verify inner packet L4 checksum in tunnel mode
> > +	 *
> > +	 * * 1: For outbound, compute inner packet L4 checksum before
> > +	 *      tunnel encapsulation and for inbound, verify after
> > +	 *      tunnel decapsulation.
> > +	 * * 0: Inner packet L4 checksum is not computed/verified.
> > +	 */
> > +	uint32_t l4_csum_enable : 1;
> 
> As I understand these 2 new flags serve two purposes:
> 1. report HW/PMD ability to perform these offloads.
> 2. allow user to enable/disable this offload on SA basis.

[Anoob] Correct
 
> 
> One question I have - how it will work on data-path?
> Would decision to perform these offloads be based on mbuf->ol_flags value
> (same as we doing for ethdev TX offloads)?
> Or some other approach is implied?

[Anoob] There will be two settings. It can enabled per SA or enabled per packet. 
 
> 
> >  };
> >
> >  /** IPSec security association direction */
> > --
> > 2.22.0