From: Anoob Joseph
To: Akhil Goyal, Declan Doherty, Fan Zhang, "hemant.agrawal@nxp.com", Konstantin Ananyev
CC: Jerin Jacob Kollanukkaran, Ankur Dwivedi, Tejasree Kondoj, "dev@dpdk.org", Anoob Joseph, Archana Muniganti
Date: Tue, 20 Jul 2021 06:20:04 +0000
References: <1626759974-334-1-git-send-email-anoobj@marvell.com> <1626759974-334-3-git-send-email-anoobj@marvell.com>
In-Reply-To: <1626759974-334-3-git-send-email-anoobj@marvell.com>
Subject: Re: [dpdk-dev] [PATCH 2/2] lib/security: add SA lifetime configuration

Hi Akhil, Declan, Fan, Hemant, Konstantin,

This patch and a patch submitted by Archana earlier (http://patches.dpdk.org/project/dpdk/patch/20210630111248.746-1-marchana@marvell.com/) aim at extending rte_crypto_op so that it can be used to communicate any warnings from the rte_security offload, such as,

1. Soft expiry : application requires a notification to renegotiate SA
2. L3/L4 checksum : when application offloads checksum verification of plain packet after IPsec processing. This need not be treated as an error as IPsec operation was successful and checksum generation/verification can be redone in software, especially if the checksum operation failed due to some limitations of the underlying device.

Both the above will be an IPsec operation completed successfully but with additional information that PMD can pass on to application for indicating status of offloads.

There are two options that we considered,

1. Extend the enum, rte_crypto_op_status, to cover warnings [1]
2. There are reserved fields in rte_crypto_op structure. So we can use bits in them to indicate various cases. [2]

Both the submitted patches follow approach 1 (following how it's done currently), but we can switch to approach 2 if we think there can be more such "warnings" that can occur simultaneously. Can you share your thoughts on how we should extend the library to handle such cases?

[1] https://doc.dpdk.org/api/rte__crypto_8h.html#afe16508b77c2a8dc5caf74a4e9850171
[2] https://doc.dpdk.org/api/rte__crypto_8h_source.html

Thanks,
Anoob

> -----Original Message-----
> From: Anoob Joseph
> Sent: Tuesday, July 20, 2021 11:16 AM
> To: Akhil Goyal; Declan Doherty; Fan Zhang; Konstantin Ananyev
> Cc: Anoob Joseph; Jerin Jacob Kollanukkaran; Ankur Dwivedi; Tejasree Kondoj; dev@dpdk.org
> Subject: [PATCH 2/2] lib/security: add SA lifetime configuration
>
> Add SA lifetime configuration to register soft and hard expiry limits.
> Expiry can be in units of number of packets or bytes. Crypto op status is also
> updated to cover warnings indicating soft expiry in case of lookaside protocol
> operations.
>
> In case of soft expiry, the packets are successfully IPsec processed but the
> soft expiry would indicate that SA needs to be reconfigured. For inline
> protocol capable ethdev, this would result in an eth event while for lookaside
> protocol capable cryptodev, this can be communicated via
> `rte_crypto_op.status` field.
>
> In case of hard expiry, the packets will not be IPsec processed and would
> result in error.
>
> Signed-off-by: Anoob Joseph
> ---
>  examples/ipsec-secgw/ipsec.c |  2 +-
>  examples/ipsec-secgw/ipsec.h |  2 +-
>  lib/cryptodev/rte_crypto.h   |  7 +++++++
>  lib/security/rte_security.h  | 28 ++++++++++++++++++++++++++--
>  4 files changed, 35 insertions(+), 4 deletions(-)
>
> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index 5b032fe..4868294 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c
> @@ -49,7 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > rte_security_ipsec_xform *ipsec) > } > /* TODO support for Transport */ > } > - ipsec->esn_soft_limit =3D IPSEC_OFFLOAD_ESN_SOFTLIMIT; > + ipsec->life.packets_soft_limit =3D IPSEC_OFFLOAD_PKTS_SOFTLIMIT; > ipsec->replay_win_sz =3D app_sa_prm.window_size; > ipsec->options.esn =3D app_sa_prm.enable_esn; > ipsec->options.udp_encap =3D sa->udp_encap; diff --git > a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index > ae5058d..90c81c1 100644 > --- a/examples/ipsec-secgw/ipsec.h > +++ b/examples/ipsec-secgw/ipsec.h > @@ -23,7 +23,7 @@ >=20 > #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ >=20 > -#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00 > +#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00 >=20 > #define IV_OFFSET (sizeof(struct rte_crypto_op) + \ > sizeof(struct rte_crypto_sym_op)) > diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h inde= x > fd5ef3a..c5a0897 100644 > --- a/lib/cryptodev/rte_crypto.h > +++ b/lib/cryptodev/rte_crypto.h > @@ -52,6 +52,13 @@ enum rte_crypto_op_status { > /**< Operation failed due to invalid arguments in request */ > RTE_CRYPTO_OP_STATUS_ERROR, > /**< Error handling operation */ > + RTE_CRYPTO_OP_STATUS_WAR =3D 128, > + /**< > + * Operation completed successfully with warnings. > + * Note: All the warnings starts from here. > + */ > + RTE_CRYPTO_OPSTATUS_WAR_SOFT_EXPIRY, > + /**< Operation completed successfully with soft expiry of lifetime */ > }; >=20 > /** > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h in= dex > d61a55d..d633c8d 100644 > --- a/lib/security/rte_security.h > +++ b/lib/security/rte_security.h 
> @@ -206,6 +206,30 @@ enum rte_security_ipsec_sa_direction { }; >=20 > /** > + * Configure soft and hard lifetime of an IPsec SA > + * > + * Lifetime of an IPsec SA would specify the maximum number of packets > +or bytes > + * that can be processed. IPsec operations would start failing once any > +hard > + * limit is reached. > + * > + * Soft limits can be specified to generate notification when the SA is > + * approaching hard limits for lifetime. For inline operations, > +reaching soft > + * expiry limit would result in raising an eth event for the same. For > +lookaside > + * operations, this would result in a warning returned in > + * ``rte_crypto_op.status``. > + */ > +struct rte_security_ipsec_lifetime { > + uint64_t packets_soft_limit; > + /**< Soft expiry limit in number of packets */ > + uint64_t bytes_soft_limit; > + /**< Soft expiry limit in bytes */ > + uint64_t packets_hard_limit; > + /**< Soft expiry limit in number of packets */ > + uint64_t bytes_hard_limit; > + /**< Soft expiry limit in bytes */ > +}; > + > +/** > * IPsec security association configuration data. > * > * This structure contains data required to create an IPsec SA security > session. > @@ -225,8 +249,8 @@ struct rte_security_ipsec_xform { > /**< IPsec SA Mode - transport/tunnel */ > struct rte_security_ipsec_tunnel_param tunnel; > /**< Tunnel parameters, NULL for transport mode */ > - uint64_t esn_soft_limit; > - /**< ESN for which the overflow event need to be raised */ > + struct rte_security_ipsec_lifetime life; > + /**< IPsec SA lifetime */ > uint32_t replay_win_sz; > /**< Anti replay window size to enable sequence replay attack > handling. > * replay checking is disabled if the window size is 0. > -- > 2.7.4
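
Review bot: In the set_ipsec_conf() hunk of examples/ipsec-secgw/ipsec.c, only life.packets_soft_limit is assigned, so bytes_soft_limit and both hard limits keep whatever value the xform already holds. Either set all four fields here or state in the struct documentation what an unset (zero) limit means, so that a PMD does not read a zero hard limit as "expire immediately".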
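
Review bot: In the rte_crypto_op_status hunk of lib/cryptodev/rte_crypto.h, RTE_CRYPTO_OPSTATUS_WAR_SOFT_EXPIRY is missing the underscore that RTE_CRYPTO_OP_STATUS_WAR and RTE_CRYPTO_OP_STATUS_ERROR have between OP and STATUS; rename it to RTE_CRYPTO_OP_STATUS_WAR_SOFT_EXPIRY before it becomes public API. WAR is also an unusual abbreviation for a warning (WARN would be clearer), and the comment should read "All the warnings start from here". Since these values mean "completed successfully", the enum documentation should say how an application is expected to tell a warning from a failure, for example by comparing the status against RTE_CRYPTO_OP_STATUS_WAR.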
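
Review bot: In the new struct rte_security_ipsec_lifetime in lib/security/rte_security.h, the comments on packets_hard_limit and bytes_hard_limit both say "Soft expiry limit"; they should say "Hard expiry limit in number of packets" and "Hard expiry limit in bytes". The block comment should also define what a limit of 0 means and whether a soft limit larger than the corresponding hard limit is rejected at session creation.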
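
Review bot: In the struct rte_security_ipsec_xform hunk, esn_soft_limit is removed outright and replaced by life, which changes the layout of a public structure and breaks any application or PMD that still sets esn_soft_limit. This needs a release note (and a deprecation notice if the ABI policy requires one), and the documentation should say whether the ESN overflow event that esn_soft_limit described is still raised or is now expected to be expressed through packets_soft_limit.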
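
The soft/hard lifetime behaviour from the quoted commit message, combined with option 2 from the mail (separate bits so that several warnings can be reported at once), as an added example that is not part of the original mail or of the DPDK code base. The names `sa_state`, `sa_account` and the `SA_*` constants are hypothetical; treating a limit of 0 as "not configured" and failing only the operation that would exceed a hard limit are assumptions the patch does not state.

```c
#include <stdint.h>

/* Local mirror of the lifetime fields proposed in the patch (not the DPDK header). */
struct sa_lifetime {
	uint64_t packets_soft_limit;
	uint64_t bytes_soft_limit;
	uint64_t packets_hard_limit;
	uint64_t bytes_hard_limit;
};

/* Hypothetical per-SA counters kept by the datapath. */
struct sa_state {
	struct sa_lifetime life;
	uint64_t packets, bytes;
};

/* Hypothetical warning bits: both can be set in one result (option 2). */
#define SA_WARN_SOFT_PKTS  (1 << 0)
#define SA_WARN_SOFT_BYTES (1 << 1)
#define SA_ERR_HARD_EXPIRY (-1)

/* Assumption: a limit of 0 means "not configured". */
static int reached(uint64_t count, uint64_t limit) { return limit && count >= limit; }
static int exceeds(uint64_t count, uint64_t limit) { return limit && count > limit; }

/*
 * Account one packet against the SA. Returns SA_ERR_HARD_EXPIRY and leaves
 * the counters untouched when the packet would go past a hard limit (it must
 * not be IPsec processed); otherwise counts it and returns a bitmask of
 * soft-expiry warnings (0 means no warning).
 */
int sa_account(struct sa_state *sa, uint32_t pkt_len)
{
	uint64_t pkts = sa->packets + 1;
	uint64_t bytes = sa->bytes + pkt_len;
	int warn = 0;

	if (exceeds(pkts, sa->life.packets_hard_limit) ||
	    exceeds(bytes, sa->life.bytes_hard_limit))
		return SA_ERR_HARD_EXPIRY;

	sa->packets = pkts;
	sa->bytes = bytes;
	if (reached(pkts, sa->life.packets_soft_limit))
		warn |= SA_WARN_SOFT_PKTS;
	if (reached(bytes, sa->life.bytes_soft_limit))
		warn |= SA_WARN_SOFT_BYTES;
	return warn;
}
```

A single enum status value, as in approach 1, could report only one of the two soft-expiry conditions for the third packet in the test case; the bitmask reports both.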