From: Radu Nicolau
Date: Mon, 20 Nov 2017 12:12:55 +0000
To: Anoob Joseph, Akhil Goyal, Declan Doherty, Sergio Gonzalez Monroy
Cc: Narayana Prasad, Jerin Jacob, dev@dpdk.org
Subject: Re: [dpdk-dev] [PATCH 1/2] lib/security: add support for saving app cookie

Hi,

Why not have something similar to rte_security_set_pkt_metadata, for example:

void *
rte_security_get_pkt_metadata(struct rte_security_ctx *instance,
                  struct rte_mbuf *mb);

and keep internally in the PMD all the required references. The returned value will be device-specific, so it's flexible enough to include anything required (just as void *params is in the set_pkt_metadata).

I think it will make a cleaner and more consistent implementation.

Regards,
Radu

On 11/20/2017 10:31 AM, Anoob Joseph wrote:
> In case of inline protocol processed ingress traffic, the packet may not
> have enough information to determine the security parameters with which
> the packet was processed. In such cases, the application could register
> a cookie, which will be saved in the security session.
>
> As the ingress packets are received in the application, it will have
> some metadata set in the mbuf. Application can pass this metadata to
> "rte_security_session_get" API to retrieve the security session. Once
> the security session is determined, another driver call with the
> security session will give the application the cookie it had registered.
>
> The cookie will be registered while creating the security session.
> Without the cookie, the selector check (SP-SA check) for the incoming > IPsec traffic won't be possible in the application. > > Application can choose what it should register as the cookie. It can > register SPI or a pointer to SA. > > Signed-off-by: Anoob Joseph > --- > lib/librte_security/rte_security.c | 26 +++++++++++++++++++++++ > lib/librte_security/rte_security.h | 30 +++++++++++++++++++++++++++ > lib/librte_security/rte_security_driver.h | 34 +++++++++++++++++++++++++++++++ > 3 files changed, 90 insertions(+) > > diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c > index 1227fca..1c706fe 100644 > --- a/lib/librte_security/rte_security.c > +++ b/lib/librte_security/rte_security.c > @@ -98,6 +98,32 @@ rte_security_session_destroy(struct rte_security_ctx *instance, > return ret; > } > > +struct rte_security_session * > +rte_security_session_get(struct rte_security_ctx *instance, > + uint64_t mdata) > +{ > + struct rte_security_session *sess = NULL; > + > + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->session_get, NULL); > + if (instance->ops->session_get(instance->device, mdata, &sess)) > + return NULL; > + > + return sess; > +} > + > +uint64_t > +rte_security_cookie_get(struct rte_security_ctx *instance, > + struct rte_security_session *sess) > +{ > + uint64_t cookie = 0; > + > + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->cookie_get, 0); > + if (instance->ops->cookie_get(instance->device, sess, &cookie)) > + return 0; > + > + return cookie; > +} > + > int > rte_security_set_pkt_metadata(struct rte_security_ctx *instance, > struct rte_security_session *sess, > diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h > index 7e687d2..95f81ee 100644 > --- a/lib/librte_security/rte_security.h > +++ b/lib/librte_security/rte_security.h 
> @@ -273,6 +273,8 @@ struct rte_security_session_conf { > /**< Configuration parameters for security session */ > struct rte_crypto_sym_xform *crypto_xform; > /**< Security Session Crypto Transformations */ > + uint64_t cookie; > + /**< Cookie registered by application */ > }; > > struct rte_security_session { > @@ -327,6 +329,34 @@ rte_security_session_destroy(struct rte_security_ctx *instance, > struct rte_security_session *sess); > > /** > + * Get the security session from the metadata set in mbuf. > + * > + * @param instance security instance > + * @param mdata metadata set in mbuf during rx offload > + * @return > + * - On success, pointer to session > + * - On failure, NULL > + */ > +struct rte_security_session * > +rte_security_session_get(struct rte_security_ctx *instance, > + uint64_t mdata); > + > +/** > + * Get the cookie set by application while creating the session. This could be > + * used to identify the SA associated with the session. > + * > + * @param instance security instance > + * @param sess security session > + * > + * @return > + * - On success, cookie > + * - On failure, 0 > + */ > +uint64_t > +rte_security_cookie_get(struct rte_security_ctx *instance, > + struct rte_security_session *sess); > + > +/** > * Updates the buffer with device-specific defined metadata > * > * @param instance security instance > diff --git a/lib/librte_security/rte_security_driver.h b/lib/librte_security/rte_security_driver.h > index 997fbe7..f503be6a 100644 > --- a/lib/librte_security/rte_security_driver.h > +++ b/lib/librte_security/rte_security_driver.h 
> @@ -107,6 +107,36 @@ typedef int (*security_session_stats_get_t)(void *device, > struct rte_security_stats *stats); > > /** > + * Get the security session from the metadata set in mbuf. > + * > + * @param device Crypto/eth device pointer > + * @param mdata Metadata set in mbuf during rx offload > + * @param sess Pointer to return the security session retrieved > + * > + * @return > + * - Returns 0 if the security session was successfully retrieved. > + * - Returns -EINVAL if input parameters are invalid. > + */ > +typedef int (*security_session_get_t)(void *device, > + uint64_t mdata, > + struct rte_security_session **sess); > + > +/** > + * Get the cookie associated with the security session. > + * > + * @param device Crypto/eth device pointer > + * @param sess Security session > + * @param cookie Cookie associated with the security session > + * > + * @return > + * - Returns 0 if the cookie was successfully retrieved. > + * - Returns -EINVAL if input parameters are invalid. > + */ > +typedef int (*security_cookie_get_t)(void *device, > + struct rte_security_session *sess, > + uint64_t *cookie); > + > +/** > * Update the mbuf with provided metadata. > * > * @param sess Security session structure > @@ -143,6 +173,10 @@ struct rte_security_ops { > /**< Get security session statistics. */ > security_session_destroy_t session_destroy; > /**< Clear a security sessions private data. */ > + security_session_get_t session_get; > + /**< Get the security session associated with the metadata */ > + security_cookie_get_t cookie_get; > + /**< Get the cookie associated with the security session */ > security_set_pkt_metadata_t set_pkt_metadata; > /**< Update mbuf metadata. */ > security_capabilities_get_t capabilities_get;
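
Review bot: In rte_security_cookie_get() in lib/librte_security/rte_security.c, 0 is returned when the cookie_get op is missing, when the driver call fails, and when the application registered 0 as its cookie, so a caller cannot tell an error from a legitimate value and may run the SP-SA check against the wrong SA. Consider returning int and passing the cookie back through a uint64_t * output parameter, as the driver op security_cookie_get_t already does, so the driver's error code is not discarded. Both new wrappers also dereference instance->ops without checking instance for NULL.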
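
Review bot: In the rte_security.h hunk at @@ -273, the comment on the new uint64_t cookie field of struct rte_security_session_conf says only "Cookie registered by application" and does not state that the library treats the value as opaque, or that 0 collides with the failure return of rte_security_cookie_get(). The commit message says the field may carry an SPI or a pointer to an SA; the field comment should say so, and should either reserve 0 or point to an API that reports status separately from the value.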
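
Review bot: In the rte_security.h hunk at @@ -327, the documentation of rte_security_session_get() describes mdata as "metadata set in mbuf during rx offload" without naming the mbuf field the application has to read it from, so the contract between driver and application is left undefined. Name the field in the comment, or take a struct rte_mbuf * as rte_security_set_pkt_metadata() does. Because the driver converts this value into a session pointer, the comment should also require the driver to validate mdata and return NULL for a value it does not recognise.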
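
Review bot: In the rte_security_driver.h hunk at @@ -173, session_get and cookie_get are inserted in the middle of struct rte_security_ops, between session_destroy and set_pkt_metadata, which shifts the offsets of set_pkt_metadata and capabilities_get for every driver built against the old layout. Appending the two members at the end of the struct would leave the existing members where they are. The member comments should also say that both ops are optional, since the wrappers in rte_security.c return NULL or 0 when they are unset.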
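
The selector (SP-SA) check that the commit message above says the cookie makes possible, as an added example that is not part of the patch or of DPDK. It assumes the application registers an index into its own SA table as the cookie and that lookup status is reported separately from the cookie value; every type and function name here is a stand-in, and the SA table is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in types for this example only; they are not DPDK structures. */
struct sa_entry {
    uint32_t spi;
    uint32_t sel_src, sel_src_mask; /* inner source selector, host order */
    uint32_t sel_dst, sel_dst_mask; /* inner destination selector */
};

struct rx_pkt {
    uint64_t cookie;      /* value the application registered for the session */
    int cookie_valid;     /* lookup status, kept apart so cookie 0 is usable */
    uint32_t inner_src;   /* inner addresses after inline decryption */
    uint32_t inner_dst;
};

enum verdict { PKT_ACCEPT = 0, PKT_DROP_NO_SA = 1, PKT_DROP_SELECTOR = 2 };

/* Constructed SA table. The cookie is an index into it (an assumption of
 * this example), so a bad value is caught by a bounds check instead of
 * being dereferenced as a pointer. */
static const struct sa_entry sa_table[] = {
    { 0x100, 0x0a000100, 0xffffff00, 0x0a000200, 0xffffff00 },
    { 0x200, 0xc0a80000, 0xffff0000, 0xc0a90000, 0xffff0000 },
};
#define SA_COUNT (sizeof(sa_table) / sizeof(sa_table[0]))

static const struct sa_entry *sa_from_cookie(const struct rx_pkt *p)
{
    if (!p->cookie_valid || p->cookie >= SA_COUNT)
        return NULL;
    return &sa_table[p->cookie];
}

/* Inbound check: the decrypted inner header must match the selectors of
 * the SA that processed the packet, otherwise the packet is dropped. */
enum verdict inbound_selector_check(const struct rx_pkt *p)
{
    const struct sa_entry *sa = sa_from_cookie(p);

    if (sa == NULL)
        return PKT_DROP_NO_SA;
    if ((p->inner_src & sa->sel_src_mask) != sa->sel_src ||
        (p->inner_dst & sa->sel_dst_mask) != sa->sel_dst)
        return PKT_DROP_SELECTOR;
    return PKT_ACCEPT;
}
```
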