From: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>
To: "Zhang, Roy Fan" <roy.fan.zhang@intel.com>,
"dev@dpdk.org" <dev@dpdk.org>
Cc: "Doherty, Declan" <declan.doherty@intel.com>,
"akhil.goyal@nxp.com" <akhil.goyal@nxp.com>
Subject: Re: [dpdk-dev] [PATCH 08/10] ipsec: add rte_security cpu_crypto action support
Date: Fri, 27 Sep 2019 10:38:51 +0000 [thread overview]
Message-ID: <2601191342CEEE43887BDE71AB977258019196BFF6@irsmsx105.ger.corp.intel.com> (raw)
In-Reply-To: <20190906131330.40185-9-roy.fan.zhang@intel.com>
Hi Fan,
>
> This patch updates the ipsec library to handle the newly introduced
> RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO action.
>
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> ---
> lib/librte_ipsec/esp_inb.c | 174 +++++++++++++++++++++++++-
> lib/librte_ipsec/esp_outb.c | 290 +++++++++++++++++++++++++++++++++++++++++++-
> lib/librte_ipsec/sa.c | 53 ++++++--
> lib/librte_ipsec/sa.h | 29 +++++
> lib/librte_ipsec/ses.c | 4 +-
> 5 files changed, 539 insertions(+), 11 deletions(-)
>
> diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c
> index 8e3ecbc64..6077dcb1e 100644
> --- a/lib/librte_ipsec/esp_inb.c
> +++ b/lib/librte_ipsec/esp_inb.c
> @@ -105,6 +105,73 @@ inb_cop_prepare(struct rte_crypto_op *cop,
> }
> }
>
> +static inline int
> +inb_sync_crypto_proc_prepare(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb,
> + const union sym_op_data *icv, uint32_t pofs, uint32_t plen,
> + struct rte_security_vec *buf, struct iovec *cur_vec,
> + void *iv, void **aad, void **digest)
> +{
> + struct rte_mbuf *ms;
> + struct iovec *vec = cur_vec;
> + struct aead_gcm_iv *gcm;
> + struct aesctr_cnt_blk *ctr;
> + uint64_t *ivp;
> + uint32_t algo, left, off = 0, n_seg = 0;
Same thing as for outbound pls keep definitions and assignments separated.
> +
> + ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
> + pofs + sizeof(struct rte_esp_hdr));
> + algo = sa->algo_type;
> +
> + switch (algo) {
> + case ALGO_TYPE_AES_GCM:
> + gcm = (struct aead_gcm_iv *)iv;
> + aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
> + *aad = icv->va + sa->icv_len;
> + off = sa->ctp.cipher.offset + pofs;
> + break;
> + case ALGO_TYPE_AES_CBC:
> + case ALGO_TYPE_3DES_CBC:
> + off = sa->ctp.auth.offset + pofs;
> + break;
> + case ALGO_TYPE_AES_CTR:
> + off = sa->ctp.auth.offset + pofs;
> + ctr = (struct aesctr_cnt_blk *)iv;
> + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
> + break;
> + case ALGO_TYPE_NULL:
> + break;
> + }
> +
> + *digest = icv->va;
> +
> + left = plen - sa->ctp.cipher.length;
> +
> + ms = mbuf_get_seg_ofs(mb, &off);
> + if (!ms)
> + return -1;
Same as for outbound: I think no need to check/return failure.
This function could be split into two.
> +
> + while (n_seg < RTE_LIBRTE_IP_FRAG_MAX_FRAG && left && ms) {
Same thing - we shouldn't limt ourselves to 5 segs per packet.
Pretty much same comments about code restructuring as for outbound case.
> + uint32_t len = RTE_MIN(left, ms->data_len - off);
> +
> + vec->iov_base = rte_pktmbuf_mtod_offset(ms, void *, off);
> + vec->iov_len = len;
> +
> + left -= len;
> + vec++;
> + n_seg++;
> + ms = ms->next;
> + off = 0;
> + }
> +
> + if (left)
> + return -1;
> +
> + buf->vec = cur_vec;
> + buf->num = n_seg;
> +
> + return n_seg;
> +}
> +
> /*
> * Helper function for prepare() to deal with situation when
> * ICV is spread by two segments. Tries to move ICV completely into the
> @@ -512,7 +579,6 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
> return k;
> }
>
> -
> /*
> * *process* function for tunnel packets
> */
> @@ -625,6 +691,112 @@ esp_inb_pkt_process(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
> return n;
> }
>
> +/*
> + * process packets using sync crypto engine
> + */
> +static uint16_t
> +esp_inb_sync_crypto_pkt_process(const struct rte_ipsec_session *ss,
> + struct rte_mbuf *mb[], uint16_t num, uint8_t sqh_len,
> + esp_inb_process_t process)
> +{
> + int32_t rc;
> + uint32_t i, k, hl, n, p;
> + struct rte_ipsec_sa *sa;
> + struct replay_sqn *rsn;
> + union sym_op_data icv;
> + uint32_t sqn[num];
> + uint32_t dr[num];
> + struct rte_security_vec buf[num];
> + struct iovec vec[RTE_LIBRTE_IP_FRAG_MAX_FRAG * num];
> + uint32_t vec_idx = 0;
> + uint8_t ivs[num][IPSEC_MAX_IV_SIZE];
> + void *iv[num];
> + void *aad[num];
> + void *digest[num];
> + int status[num];
> +
> + sa = ss->sa;
> + rsn = rsn_acquire(sa);
> +
> + k = 0;
> + for (i = 0; i != num; i++) {
> + hl = mb[i]->l2_len + mb[i]->l3_len;
> + rc = inb_pkt_prepare(sa, rsn, mb[i], hl, &icv);
> + if (rc >= 0) {
> + iv[k] = (void *)ivs[k];
> + rc = inb_sync_crypto_proc_prepare(sa, mb[i], &icv, hl,
> + rc, &buf[k], &vec[vec_idx], iv[k],
> + &aad[k], &digest[k]);
> + if (rc < 0) {
> + dr[i - k] = i;
> + continue;
> + }
> +
> + vec_idx += rc;
> + k++;
> + } else
> + dr[i - k] = i;
> + }
> +
> + /* copy not prepared mbufs beyond good ones */
> + if (k != num) {
> + rte_errno = EBADMSG;
> +
> + if (unlikely(k == 0))
> + return 0;
> +
> + move_bad_mbufs(mb, dr, num, num - k);
> + }
> +
> + /* process the packets */
> + n = 0;
> + rte_security_process_cpu_crypto_bulk(ss->security.ctx,
> + ss->security.ses, buf, iv, aad, digest, status,
> + k);
> + /* move failed process packets to dr */
> + for (i = 0; i < k; i++) {
> + if (status[i]) {
> + dr[n++] = i;
> + rte_errno = EBADMSG;
> + }
> + }
> +
> + /* move bad packets to the back */
> + if (n)
> + move_bad_mbufs(mb, dr, k, n);
I don't think you need to set dr[] here and call that function, see below.
> +
> + /* process packets */
> + p = process(sa, mb, sqn, dr, k - n, sqh_len);
tun_process(), etc. expects PKT_RX_SEC_OFFLOAD_FAILED to be set in mb->ol_flags
for failed packets.
So you either need to set this value in ol_flags based on status,
or tweak existing process functions, or introduce new ones.
> +
> + if (p != k - n && p != 0)
> + move_bad_mbufs(mb, dr, k - n, k - n - p);
> +
> + if (p != num)
> + rte_errno = EBADMSG;
> +
> + return p;
> +}
> +
> +uint16_t
> +esp_inb_tun_sync_crypto_pkt_process(const struct rte_ipsec_session *ss,
> + struct rte_mbuf *mb[], uint16_t num)
> +{
> + struct rte_ipsec_sa *sa = ss->sa;
> +
> + return esp_inb_sync_crypto_pkt_process(ss, mb, num, sa->sqh_len,
> + tun_process);
> +}
> +
> +uint16_t
> +esp_inb_trs_sync_crypto_pkt_process(const struct rte_ipsec_session *ss,
> + struct rte_mbuf *mb[], uint16_t num)
> +{
> + struct rte_ipsec_sa *sa = ss->sa;
> +
> + return esp_inb_sync_crypto_pkt_process(ss, mb, num, sa->sqh_len,
> + trs_process);
> +}
> +
> /*
> * process group of ESP inbound tunnel packets.
> */
next prev parent reply other threads:[~2019-09-27 10:38 UTC|newest]
Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-03 15:40 [dpdk-dev] [RFC PATCH 0/9] security: add software synchronous crypto process Fan Zhang
2019-09-03 15:40 ` [dpdk-dev] [RFC PATCH 1/9] security: introduce CPU Crypto action type and API Fan Zhang
2019-09-04 10:32 ` Akhil Goyal
2019-09-04 13:06 ` Zhang, Roy Fan
2019-09-06 9:01 ` Akhil Goyal
2019-09-06 13:12 ` Zhang, Roy Fan
2019-09-10 11:25 ` Akhil Goyal
2019-09-11 13:01 ` Ananyev, Konstantin
2019-09-06 13:27 ` Ananyev, Konstantin
2019-09-10 10:44 ` Akhil Goyal
2019-09-11 12:29 ` Ananyev, Konstantin
2019-09-12 14:12 ` Akhil Goyal
2019-09-16 14:53 ` Ananyev, Konstantin
2019-09-16 15:08 ` Ananyev, Konstantin
2019-09-17 6:02 ` Akhil Goyal
2019-09-18 7:44 ` Ananyev, Konstantin
2019-09-25 18:24 ` Ananyev, Konstantin
2019-09-27 9:26 ` Akhil Goyal
2019-09-30 12:22 ` Ananyev, Konstantin
2019-09-30 13:43 ` Akhil Goyal
2019-10-01 14:49 ` Ananyev, Konstantin
2019-10-03 13:24 ` Akhil Goyal
2019-10-07 12:53 ` Ananyev, Konstantin
2019-10-09 7:20 ` Akhil Goyal
2019-10-09 13:43 ` Ananyev, Konstantin
2019-10-11 13:23 ` Akhil Goyal
2019-10-13 23:07 ` Zhang, Roy Fan
2019-10-14 11:10 ` Ananyev, Konstantin
2019-10-15 15:02 ` Akhil Goyal
2019-10-16 13:04 ` Ananyev, Konstantin
2019-10-15 15:00 ` Akhil Goyal
2019-10-16 22:07 ` Ananyev, Konstantin
2019-10-17 12:49 ` Ananyev, Konstantin
2019-10-18 13:17 ` Akhil Goyal
2019-10-21 13:47 ` Ananyev, Konstantin
2019-10-22 13:31 ` Akhil Goyal
2019-10-22 17:44 ` Ananyev, Konstantin
2019-10-22 22:21 ` Ananyev, Konstantin
2019-10-23 10:05 ` Akhil Goyal
2019-10-30 14:23 ` Ananyev, Konstantin
2019-11-01 13:53 ` Akhil Goyal
2019-09-03 15:40 ` [dpdk-dev] [RFC PATCH 2/9] crypto/aesni_gcm: add rte_security handler Fan Zhang
2019-09-03 15:40 ` [dpdk-dev] [RFC PATCH 3/9] app/test: add security cpu crypto autotest Fan Zhang
2019-09-03 15:40 ` [dpdk-dev] [RFC PATCH 4/9] app/test: add security cpu crypto perftest Fan Zhang
2019-09-03 15:40 ` [dpdk-dev] [RFC PATCH 5/9] crypto/aesni_mb: add rte_security handler Fan Zhang
2019-09-03 15:40 ` [dpdk-dev] [RFC PATCH 6/9] app/test: add aesni_mb security cpu crypto autotest Fan Zhang
2019-09-03 15:40 ` [dpdk-dev] [RFC PATCH 7/9] app/test: add aesni_mb security cpu crypto perftest Fan Zhang
2019-09-03 15:40 ` [dpdk-dev] [RFC PATCH 8/9] ipsec: add rte_security cpu_crypto action support Fan Zhang
2019-09-03 15:40 ` [dpdk-dev] [RFC PATCH 9/9] examples/ipsec-secgw: add security " Fan Zhang
2019-09-06 13:13 ` [dpdk-dev] [PATCH 00/10] security: add software synchronous crypto process Fan Zhang
2019-09-06 13:13 ` [dpdk-dev] [PATCH 01/10] security: introduce CPU Crypto action type and API Fan Zhang
2019-09-18 12:45 ` Ananyev, Konstantin
2019-09-29 6:00 ` Hemant Agrawal
2019-09-29 16:59 ` Ananyev, Konstantin
2019-09-30 9:43 ` Hemant Agrawal
2019-10-01 15:27 ` Ananyev, Konstantin
2019-10-02 2:47 ` Hemant Agrawal
2019-09-06 13:13 ` [dpdk-dev] [PATCH 02/10] crypto/aesni_gcm: add rte_security handler Fan Zhang
2019-09-18 10:24 ` Ananyev, Konstantin
2019-09-06 13:13 ` [dpdk-dev] [PATCH 03/10] app/test: add security cpu crypto autotest Fan Zhang
2019-09-06 13:13 ` [dpdk-dev] [PATCH 04/10] app/test: add security cpu crypto perftest Fan Zhang
2019-09-06 13:13 ` [dpdk-dev] [PATCH 05/10] crypto/aesni_mb: add rte_security handler Fan Zhang
2019-09-18 15:20 ` Ananyev, Konstantin
2019-09-06 13:13 ` [dpdk-dev] [PATCH 06/10] app/test: add aesni_mb security cpu crypto autotest Fan Zhang
2019-09-06 13:13 ` [dpdk-dev] [PATCH 07/10] app/test: add aesni_mb security cpu crypto perftest Fan Zhang
2019-09-06 13:13 ` [dpdk-dev] [PATCH 08/10] ipsec: add rte_security cpu_crypto action support Fan Zhang
2019-09-26 23:20 ` Ananyev, Konstantin
2019-09-27 10:38 ` Ananyev, Konstantin [this message]
2019-09-06 13:13 ` [dpdk-dev] [PATCH 09/10] examples/ipsec-secgw: add security " Fan Zhang
2019-09-06 13:13 ` [dpdk-dev] [PATCH 10/10] doc: update security cpu process description Fan Zhang
2019-09-09 12:43 ` [dpdk-dev] [PATCH 00/10] security: add software synchronous crypto process Aaron Conole
2019-10-07 16:28 ` [dpdk-dev] [PATCH v2 " Fan Zhang
2019-10-07 16:28 ` [dpdk-dev] [PATCH v2 01/10] security: introduce CPU Crypto action type and API Fan Zhang
2019-10-08 13:42 ` Ananyev, Konstantin
2019-10-07 16:28 ` [dpdk-dev] [PATCH v2 02/10] crypto/aesni_gcm: add rte_security handler Fan Zhang
2019-10-08 13:44 ` Ananyev, Konstantin
2019-10-07 16:28 ` [dpdk-dev] [PATCH v2 03/10] app/test: add security cpu crypto autotest Fan Zhang
2019-10-07 16:28 ` [dpdk-dev] [PATCH v2 04/10] app/test: add security cpu crypto perftest Fan Zhang
2019-10-07 16:28 ` [dpdk-dev] [PATCH v2 05/10] crypto/aesni_mb: add rte_security handler Fan Zhang
2019-10-08 16:23 ` Ananyev, Konstantin
2019-10-09 8:29 ` Ananyev, Konstantin
2019-10-07 16:28 ` [dpdk-dev] [PATCH v2 06/10] app/test: add aesni_mb security cpu crypto autotest Fan Zhang
2019-10-07 16:28 ` [dpdk-dev] [PATCH v2 07/10] app/test: add aesni_mb security cpu crypto perftest Fan Zhang
2019-10-07 16:28 ` [dpdk-dev] [PATCH v2 08/10] ipsec: add rte_security cpu_crypto action support Fan Zhang
2019-10-08 23:28 ` Ananyev, Konstantin
2019-10-07 16:28 ` [dpdk-dev] [PATCH v2 09/10] examples/ipsec-secgw: add security " Fan Zhang
2019-10-07 16:28 ` [dpdk-dev] [PATCH v2 10/10] doc: update security cpu process description Fan Zhang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2601191342CEEE43887BDE71AB977258019196BFF6@irsmsx105.ger.corp.intel.com \
--to=konstantin.ananyev@intel.com \
--cc=akhil.goyal@nxp.com \
--cc=declan.doherty@intel.com \
--cc=dev@dpdk.org \
--cc=roy.fan.zhang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).