From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 18 Sep 2017 18:43:34 +0530
From: Jerin Jacob
To: Akhil Goyal
Cc: dev@dpdk.org, declan.doherty@intel.com, pablo.de.lara.guarch@intel.com, hemant.agrawal@nxp.com, radu.nicolau@intel.com, borisp@mellanox.com, aviadye@mellanox.com, thomas@monjalon.net, sandeep.malik@nxp.com
Message-ID: <20170918131333.GA23830@jerin>
References: <20170914082651.26232-1-akhil.goyal@nxp.com> <20170914082651.26232-2-akhil.goyal@nxp.com>
In-Reply-To: <20170914082651.26232-2-akhil.goyal@nxp.com>
Subject: Re: [dpdk-dev] [PATCH 01/11] lib/rte_security: add security library

-----Original Message-----
> Date: Thu, 14 Sep 2017 13:56:41 +0530
> From: Akhil Goyal
> To: dev@dpdk.org
> CC: declan.doherty@intel.com, pablo.de.lara.guarch@intel.com,
> hemant.agrawal@nxp.com, radu.nicolau@intel.com, borisp@mellanox.com,
> aviadye@mellanox.com, thomas@monjalon.net, sandeep.malik@nxp.com,
> jerin.jacob@caviumnetworks.com
> Subject: [PATCH 01/11] lib/rte_security: add security library
> X-Mailer: 
git-send-email 2.9.3 > > rte_security library provides APIs for security session > create/free for protocol offload or offloaded crypto > operation to ethernet device.

Overall the API semantics look good. A few comments inlined.

I think this patch should be split into at least two: one with just the specification header file and the other with the implementation.

> > Signed-off-by: Akhil Goyal > Signed-off-by: Boris Pismenny > Signed-off-by: Radu Nicolau > Signed-off-by: Declan Doherty > --- > + > +#include > +#include > + > +#include "rte_security.h" > +#include "rte_security_driver.h" > + > +#define RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ (8) > + > +struct rte_security_ctx { > + uint16_t id; > + enum { > + RTE_SECURITY_INSTANCE_INVALID = 0,

Explicit zero is not required.

> + RTE_SECURITY_INSTANCE_VALID > + } state; > + void *device; > + struct rte_security_ops *ops; > +}; > + > + > +int > +rte_security_register(uint16_t *id, void *device, > + struct rte_security_ops *ops) > +{ > + if (max_nb_security_instances == 0) { > + security_instances = rte_malloc( > + "rte_security_instances_ops", > + sizeof(*security_instances) * > + RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ, 0); > + > + if (security_instances == NULL) > + return -ENOMEM; > + max_nb_security_instances = > + RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ; > + } else if (nb_security_instances >= max_nb_security_instances) { > + uint16_t *instances = rte_realloc(security_instances, > + sizeof(struct rte_security_ops *) * > + (max_nb_security_instances + > + RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ), 0); > + > + if (instances == NULL) > + return -ENOMEM; > + > + max_nb_security_instances += > + RTE_SECURITY_INSTANCES_BLOCK_ALLOC_SZ; > + } > + > + *id = nb_security_instances++; > + > + security_instances[*id].id = *id; > + security_instances[*id].state = RTE_SECURITY_INSTANCE_VALID; > + security_instances[*id].device = device; > + security_instances[*id].ops = ops;

This whole thing will break in the multi-process case, where ops needs to be cloned for
each process. Check the mempool library as a reference.

> + > + return 0; > +} > + > +int > +rte_security_unregister(__rte_unused uint16_t *id) > +{ > + /* To be implemented */

This should be implemented before it reaches master.

> + return 0; > +} > + > +struct rte_security_session * > +int > +rte_security_set_pkt_metadata(uint16_t id, > + struct rte_security_session *sess, > + struct rte_mbuf *m, void *params) > +{ > + struct rte_security_ctx *instance; > + > + RTE_SEC_VALID_ID_OR_ERR_RET(id, -ENODEV); > + instance = &security_instances[id]; > + > + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->set_pkt_metadata, -ENOTSUP);

Do you need all this checking for a fastpath function?

> + return instance->ops->set_pkt_metadata(instance->device, > + sess, m, params); > +} > + > + > +/** > + * @file rte_security.h > + * > + * RTE Security Common Definitions > + * > + */ > + > +#ifdef __cplusplus > +extern "C" { > +#endif > + > +#include > +#include > +#include > + > +#include > +#include > +#include > +#include > +#include

Nice to have it in alphabetical order.

> + > +/** IPSec protocol mode */ > +enum rte_security_ipsec_sa_mode { > + RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT, > + /**< IPSec Transport mode */ > + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > + /**< IPSec Tunnel mode */ > +}; > + > +/** IPSec Protocol */ > +enum rte_security_ipsec_sa_protocol { > + RTE_SECURITY_IPSEC_SA_PROTO_AH, > + /**< AH protocol */ > + RTE_SECURITY_IPSEC_SA_PROTO_ESP, > + /**< ESP protocol */ > +}; > + > +/** IPSEC tunnel type */ > +enum rte_security_ipsec_tunnel_type { > + RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 0,

Explicit zero may not be required.

> + /**< Outer header is IPv4 */ > + RTE_SECURITY_IPSEC_TUNNEL_IPV6, > + /**< Outer header is IPv6 */ > +}; > +struct rte_security_ipsec_tunnel_param { > + enum rte_security_ipsec_tunnel_type type; > + /**< Tunnel type: IPv4 or IPv6 */ > +

Anonymous union; you need RTE_STD_C11 here.
> + > + union { > + > + > +/** > + * IPsec Security Association option flags > + */ > +struct rte_security_ipsec_sa_options { > + /** Extended Sequence Numbers (ESN)

All the elements in this structure are missing the doxygen commenting scheme, i.e. starting with /**<

> + * > + * * 1: Use extended (64 bit) sequence numbers > + * * 0: Use normal sequence numbers > + */ > + uint32_t esn : 1; > + > + /** UDP encapsulation > + * > + * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can > + * traverse through NAT boxes. > + * * 0: No UDP encapsulation > + */ > + uint32_t udp_encap : 1; > + > + > +struct rte_security_session { > + __extension__ void *sess_private_data;

Do we need an __extension__ here?

> + /**< Private session material */ > +}; > + > +/** > + * Create security session as specified by the session configuration > + * > + * @param id security instance identifier id

Bad alignment. Check the doxygen alignment everywhere.

> + * @param conf session configuration parameters > + * @param mp mempool to allocate session objects from > + * @return > + * - On success, pointer to session > + * - On failure, NULL > + */ > +struct rte_security_session * > +rte_security_session_create(uint16_t id, > + struct rte_security_session_conf *conf,

const struct rte_security_session_conf *conf?

> + struct rte_mempool *mp);

const struct rte_mempool *mp?

> + > +/** > + * Update security session as specified by the session configuration > + * > + * @param id security instance identifier id > + * @param sess session to update parameters > + * @param conf update configuration parameters > + * @return > + * - On success returns 0 > + * - On failure return errno > + */ > +int > +rte_security_session_update(uint16_t id, > + struct rte_security_session *sess, > + struct rte_security_session_conf *conf);

const?

> + > +/** > + * Free security session header and the session private data and > + * return it to its original mempool.
> + * > + * @param id security instance identifier id > + * @param sess security session to freed > + * > + * @return > + * - 0 if successful. > + * - -EINVAL if session is NULL. > + * - -EBUSY if not all device private data has been freed. > + */ > +int > +rte_security_session_destroy(uint16_t id, struct rte_security_session *sess); > + > +/** > + * Updates the buffer with device-specific defined metadata > + *

Mention that it needs to be called when DEV_TX_OFFLOAD_SEC_NEED_MDATA is set, or whatever name we come up with for DEV_TX_OFFLOAD_SEC_NEED_MDATA.

> + * @param id security instance identifier id > + * @param sess security session > + * @param m packet mbuf to set metadata on. > + * @param params device-specific defined parameters required for metadata > + * > + * @return > + * - On success, zero. > + * - On failure, a negative value. > + */ > +int > +rte_security_set_pkt_metadata(uint16_t id, > + struct rte_security_session *sess, > + struct rte_mbuf *mb, void *params); > + > +/** > + * Attach a session to a crypto operation. > + * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD > + * For other rte_security_session_action_type, ol_flags in rte_mbuf may be > + * defined to perform security operations. > + * > + * @param op crypto operation > + * @param sess security session > + */ > +static inline int > +rte_security_attach_session(struct rte_crypto_op *op, > + struct rte_security_session *sess) > +{ > + if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC)) > + return -1;

-EINVAL?
> + > + op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION; > + > + return __rte_security_attach_session(op->sym, sess); > +} > + > +struct rte_security_macsec_stats { > + uint64_t reserved; > +}; > + > +struct rte_security_ipsec_stats { > + uint64_t reserved; > + > +}; > + > +struct rte_security_stats { > + enum rte_security_session_protocol protocol; > + /**< Security protocol to be configured */ > + > + union { > + struct rte_security_macsec_stats macsec; > + struct rte_security_ipsec_stats ipsec; > + }; > +}; > + > +/** > + * Query security session statistics > + * > + * @param id security instance identifier id > + * @param sess security session > + * @param stats statistics > + * @return > + * - On success return 0 > + * - On failure errno > + */ > +int > +rte_security_session_query(uint16_t id, > + struct rte_security_session *sess, > + struct rte_security_stats *stats);

IMO, changing to something with "stats" makes more sense, and it will be in line with other subsystems as well.

> + > +/** > + * Security capability definition > + */ > +struct rte_security_capability { > + enum rte_security_session_action_type action; > + /**< Security action type*/ > + enum rte_security_session_protocol protocol; > + /**< Security protocol */ > + RTE_STD_C11 > + union { > + struct { > + enum rte_security_ipsec_sa_protocol proto; > + /**< IPsec SA protocol */ > + enum rte_security_ipsec_sa_mode mode; > + /**< IPsec SA mode */ > + enum rte_security_ipsec_sa_direction direction; > + /**< IPsec SA direction */ > + struct rte_security_ipsec_sa_options options; > + /**< IPsec SA supported options */ > + } ipsec; > + /**< IPsec capability */ > + struct { > + /* To be Filled */ > + } macsec; > + /**< MACsec capability */ > + }; > + > + const struct rte_cryptodev_capabilities *crypto_capabilities; > + /**< Corresponding crypto capabilities for security capability */ > +}; > + > +/** > + * Security capability index used to query a security instance for a specific > + * security
capability > + */ > +struct rte_security_capability_idx { > + enum rte_security_session_action_type action; > + enum rte_security_session_protocol protocol; > + > + union { > + struct { > + enum rte_security_ipsec_sa_protocol proto; > + enum rte_security_ipsec_sa_mode mode; > + enum rte_security_ipsec_sa_direction direction; > + } ipsec;

Why duplicate the elements in this structure? Can we have a common structure which can be used for rte_security_capability and rte_security_capability_idx?

> + }; > +}; > + > +/** > + * Returns array of security instance capabilities > + * > + * @param id Security instance identifier. > + * > + * @return > + * - Returns array of security capabilities. > + * - Return NULL if no capabilities available. > + */ > +const struct rte_security_capability * > +rte_security_capabilities_get(uint16_t id); > + > +/** > + * Query if a specific capability is available on security instance > + * > + * @param id security instance identifier. > + * @param idx security capability index to match against > + * > + * @return > + * - Returns pointer to security capability on match of capability > + * index criteria. > + * - Return NULL if the capability not matched on security instance. > + */ > +const struct rte_security_capability * > +rte_security_capability_get(uint16_t id, > + struct rte_security_capability_idx *idx);

const struct rte_security_capability_idx *idx?

> + > +#ifdef __cplusplus > +} > +#endif > + > +#endif /* _RTE_SECURITY_H_ */ > +/** > + * Query stats from the PMD. > + * > + * @param device Crypto/eth device pointer > + * @param sess Pointer to Security private session structure > + * @param stats Security stats of the driver > + * > + * @return > + * - Returns 0 if private session structure have been updated successfully. > + * - Returns -EINVAL if session parameters are invalid.
> + */ > +typedef int (*security_session_query_t)(void *device, > + struct rte_security_session *sess, > + struct rte_security_stats *stats); > + > +/** > + * Update buffer with provided metadata.

Update the mbuf?

> + * > + * @param sess Security session structure > + * @param mb Packet buffer > + * @param mt Metadata > + * > + * @return > + * - Returns 0 if metadata updated successfully. > + * - Returns -ve value for errors. > + */ > +typedef int (*security_set_pkt_metadata_t)(void *device, > + struct rte_security_session *sess, struct rte_mbuf *m, > + void *params); > +
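
Review bot: The growth branch of rte_security_register() (`else if (nb_security_instances >= max_nb_security_instances)`) reallocates with an element size of `sizeof(struct rte_security_ops *)`, while the initial allocation uses `sizeof(*security_instances)`, and it keeps the result in a local `uint16_t *instances` that is never assigned back to `security_instances`. With the block size of 8, the ninth registration then writes `security_instances[*id]` through the old pointer, which rte_realloc may have released, into an array sized for pointers rather than for the entries being stored. Suggest sizing with `sizeof(*security_instances)`, declaring `instances` with the array's element type, and assigning `security_instances = instances;` before `max_nb_security_instances` is increased. `id` is also dereferenced without a NULL check.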
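
Review bot: The parameter names for the packet-metadata call do not agree across the patch. The prototype in rte_security.h declares `struct rte_mbuf *mb` while its doxygen block documents `@param m` and the definition uses `m`; the driver typedef security_set_pkt_metadata_t documents `@param mb` and `@param mt` but takes `void *device`, `struct rte_mbuf *m` and `void *params`, with `device` left undocumented. Suggest one name per argument in the prototype, definition, typedef and comments, so that doxygen does not warn and the driver contract is unambiguous.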
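
Review bot: The anonymous unions in struct rte_security_stats and struct rte_security_capability_idx are declared without RTE_STD_C11, although struct rte_security_capability in the same header puts `RTE_STD_C11` in front of its union. Suggest adding the marker to both, alongside the rte_security_ipsec_tunnel_param case already raised in the reply.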
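
Review bot: The failure return values in the rte_security.h doxygen blocks are documented inconsistently, which leaves callers guessing the sign convention: rte_security_session_update() says `On failure return errno`, rte_security_session_query() says `On failure errno`, rte_security_session_destroy() lists `-EINVAL` and `-EBUSY`, and rte_security_set_pkt_metadata() says `a negative value`. rte_security_attach_session() has no @return at all. Suggest documenting negative errno values throughout and adding the missing @return.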