From: Radu Nicolau <radu.nicolau@intel.com>
To: Akhil Goyal <gakhil@marvell.com>,
"Medvedkin, Vladimir" <vladimir.medvedkin@intel.com>,
Chaoyong He <chaoyong.he@corigine.com>,
"dev@dpdk.org" <dev@dpdk.org>, Anoob Joseph <anoobj@marvell.com>,
"Nithin Kumar Dabilpuram" <ndabilpuram@marvell.com>,
Gagandeep Singh <g.singh@nxp.com>, Kai Ji <kai.ji@intel.com>,
Brian Dooley <brian.dooley@intel.com>,
Jack Bond-Preston <jack.bond-preston@foss.arm.com>,
"pablo.de.lara.guarch@intel.com"
<pablo.de.lara.guarch@intel.com>,
"hemant.agrawal@nxp.com" <hemant.agrawal@nxp.com>,
"suanmingm@nvidia.com" <suanmingm@nvidia.com>
Cc: "oss-drivers@corigine.com" <oss-drivers@corigine.com>,
Shihong Wang <shihong.wang@corigine.com>,
"stable@dpdk.org" <stable@dpdk.org>
Subject: Re: [EXTERNAL] [PATCH v2] examples/ipsec-secgw: fix SA salt endianness problem
Date: Wed, 24 Jul 2024 15:44:09 +0100 [thread overview]
Message-ID: <b6faba49-f286-4233-bd05-c01d4f05cd8b@intel.com> (raw)
In-Reply-To: <CO6PR18MB4484CB54DFA63C08342AECE0D8AA2@CO6PR18MB4484.namprd18.prod.outlook.com>
On 24-Jul-24 2:04 PM, Akhil Goyal wrote:
>> On 24-Jul-24 12:20 PM, Akhil Goyal wrote:
>>>> On 23-Jul-24 5:57 PM, Akhil Goyal wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> This patch breaks ipsec tests with ipsec-secgw:
>>>>>>
>>>>>>
>>>>>> ./examples/ipsec-secgw/test/run_test.sh -4 trs_aesctr_sha1
>>>>>> ...
>>>>>> ERROR: ./examples/ipsec-secgw/test/linux_test.sh failed for
>>>> dst=192.168.31.14,
>>>>>> sz=1
>>>>>> test IPv4 trs_aesctr_sha1 finished with status 1
>>>>>> ERROR test trs_aesctr_sha1 FAILED
>>>>>>
>>>>> The patch seems to be correct.
>>>>> Please check endianness in the PMD you are testing.
>>>> In my opinion salt should not be affected by endianness and it should be
>>>> used as it is in the key parameter. I think the patch is wrong to make
>>>> it CPU endianness dependent before being passed to the PMDs, any PMD
>>>> that needs the endianness swapped should do it in the PMD code. Indeed
>>>> it's passed around as a 32 bit integer but it's not used as such, and
>>>> when it's actually used it should be evaluated as a byte array.
>>>>
>>> As per the rfc, it should be treated as byte order(i.e. big endian).
>>> But here the problem is we treat it as uint32_t which makes it CPU endian
>> when stored in ipsec_sa struct.
>>> The keys are stored as an array of uint8_t, so keys are stored in byte order(Big
>> endian).
>>> So either we save salt as "uint8_t salt[4]" or do a conversion of cpu_to_be
>>> So that when it is stored in PMD/HW, and we convert it from uint32_t to uint_8
>> *, there wont be issue.
>>
>> RFC treats it as a "four octet value" - there is no endianness until
>> it's treated like an integer, which it never is. Even if it code it's
>> being stored and passed as an unsigned 32bit integer it is never
>> evaluated as such so its endianness doesn't matter.
> The endianness matters the moment it is stored as uint32_t in ipsec_sa
> It means the value is stored in CPU endianness in that integer unless it is specified.
What matters is that the four byte value in the key ends up in the
memory in the same order, and that was always the case before the patch,
regardless of the endianness of the CPU because load and store
operations are not affected by endianness. With the patch the same four
bytes from the configuration file will be stored differently in memory
depending on the CPU. There is no need to fix the endianness of the
salt, just as there is no need to fix the byte order of the key itself.
>
> Now looking at the code again, I see the patch is incomplete for the case of lookaside crypto
> Where the salt is copied as cnt_blk in the mbuf priv without conversion.
>
> So, this patch can be reverted and a simple fix can be added to mark ipsec_sa-> salt as rte_be32_t
> diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
> index a83fd2283b..1fe6b97168 100644
> --- a/examples/ipsec-secgw/ipsec.h
> +++ b/examples/ipsec-secgw/ipsec.h
> @@ -117,7 +117,7 @@ struct __rte_cache_aligned ipsec_sa {
> uint32_t spi;
> struct cdev_qp *cqp[RTE_MAX_LCORE];
> uint64_t seq;
> - uint32_t salt;
> + rte_be32_t salt;
> uint32_t fallback_sessions;
> enum rte_crypto_cipher_algorithm cipher_algo;
> enum rte_crypto_auth_algorithm auth_algo;
>
> Can you verify and send the patch?
> And this may be updated in cryptodev and security lib as well in next release.
>
>
>> I agree that we should have it everywhere as "uint8_t salt[4]" but that
>> implies API changes and it doesn't change how the bytes are stored, so
>> the patch will still be wrong.
>>
>>
>>>>>> On 03/07/2024 18:58, Akhil Goyal wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Akhil Goyal <gakhil@marvell.com>
>>>>>> <mailto:gakhil@marvell.com>
>>>>>> Sent: Friday, March 15, 2024 12:42 AM
>>>>>> To: Akhil Goyal <gakhil@marvell.com>
>>>>>> <mailto:gakhil@marvell.com> ; Chaoyong He
>>>>>> <chaoyong.he@corigine.com>
>>>>>> <mailto:chaoyong.he@corigine.com> ; dev@dpdk.org
>> <mailto:dev@dpdk.org>
>>>>>> Cc: oss-drivers@corigine.com <mailto:oss-
>>>>>> drivers@corigine.com> ; Shihong Wang <shihong.wang@corigine.com>
>>>>>> <mailto:shihong.wang@corigine.com> ;
>>>>>> stable@dpdk.org <mailto:stable@dpdk.org>
>>>>>> Subject: RE: [EXTERNAL] [PATCH v2] examples/ipsec-secgw: fix
>>>>>> SA salt
>>>>>> endianness problem
>>>>>>
>>>>>>
>>>>>> Subject: RE: [EXTERNAL] [PATCH v2] examples/ipsec-
>>>>>> secgw: fix SA salt
>>>>>> endianness problem
>>>>>>
>>>>>>
>>>>>> From: Shihong Wang
>>>>>> <shihong.wang@corigine.com> <mailto:shihong.wang@corigine.com>
>>>>>>
>>>>>> The SA salt of struct ipsec_sa is a CPU-endian
>>>>>> u32 variable, but it’s
>>>>>> value is stored in an array of encryption or
>>>>>> authentication keys
>>>>>> according to big-endian. So it maybe need to
>>>>>> convert the endianness
>>>>>> order to ensure that the value assigned to the
>>>>>> SA salt is CPU-endian.
>>>>>>
>>>>>> Fixes: 50d75cae2a2c ("examples/ipsec-secgw:
>>>>>> initialize SA salt")
>>>>>> Fixes: 9413c3901f31 ("examples/ipsec-secgw:
>>>>>> support additional algorithms")
>>>>>> Fixes: 501e9c226adf ("examples/ipsec-secgw:
>>>>>> add AEAD parameters")
>>>>>> Cc: stable@dpdk.org <mailto:stable@dpdk.org>
>>>>>>
>>>>>> Signed-off-by: Shihong Wang
>>>>>> <shihong.wang@corigine.com> <mailto:shihong.wang@corigine.com>
>>>>>> Reviewed-by: Chaoyong He
>>>>>> <chaoyong.he@corigine.com> <mailto:chaoyong.he@corigine.com>
>>>>>>
>>>>>>
>>>>>> Acked-by: Akhil Goyal <gakhil@marvell.com>
>>>>>> <mailto:gakhil@marvell.com>
>>>>>>
>>>>>> Applied to dpdk-next-crypto
>>>>>>
>>>>>>
>>>>>> The patch is pulled back from dpdk-next-crypto.
>>>>>> This change may cause all the PMDs to fail these cases.
>>>>>> Would need acks from PMDs.
>>>>>>
>>>>>>
>>>>>> Applied to dpdk-next-crypto
>>>>>> No update from PMD owners.
>>>>>> Applying it before RC2 so that we have time for fixes if needed.
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Vladimir
next prev parent reply other threads:[~2024-07-24 14:44 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-11 2:49 [PATCH 0/2] fix IPSec " Chaoyong He
2024-03-11 2:49 ` [PATCH 1/2] examples/ipsec-secgw: fix SA salt " Chaoyong He
2024-03-13 18:33 ` [EXTERNAL] " Akhil Goyal
2024-03-14 1:41 ` Chaoyong He
2024-03-14 2:00 ` [PATCH v2] " Chaoyong He
2024-03-14 18:17 ` [EXTERNAL] " Akhil Goyal
2024-03-14 19:11 ` Akhil Goyal
2024-07-03 17:58 ` Akhil Goyal
2024-07-23 16:04 ` Medvedkin, Vladimir
2024-07-23 16:57 ` Akhil Goyal
2024-07-24 10:59 ` Radu Nicolau
2024-07-24 11:20 ` Akhil Goyal
2024-07-24 11:33 ` Radu Nicolau
2024-07-24 13:04 ` Akhil Goyal
2024-07-24 14:44 ` Radu Nicolau [this message]
2024-07-25 4:47 ` Akhil Goyal
2024-07-25 10:16 ` Radu Nicolau
2024-07-25 10:19 ` Akhil Goyal
2024-03-11 2:49 ` [PATCH 2/2] net/nfp: fix data " Chaoyong He
2024-03-13 15:39 ` Ferruh Yigit
2024-03-12 10:37 ` [PATCH 0/2] fix IPSec " Ferruh Yigit
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b6faba49-f286-4233-bd05-c01d4f05cd8b@intel.com \
--to=radu.nicolau@intel.com \
--cc=anoobj@marvell.com \
--cc=brian.dooley@intel.com \
--cc=chaoyong.he@corigine.com \
--cc=dev@dpdk.org \
--cc=g.singh@nxp.com \
--cc=gakhil@marvell.com \
--cc=hemant.agrawal@nxp.com \
--cc=jack.bond-preston@foss.arm.com \
--cc=kai.ji@intel.com \
--cc=ndabilpuram@marvell.com \
--cc=oss-drivers@corigine.com \
--cc=pablo.de.lara.guarch@intel.com \
--cc=shihong.wang@corigine.com \
--cc=stable@dpdk.org \
--cc=suanmingm@nvidia.com \
--cc=vladimir.medvedkin@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).