* [dpdk-dev] [PATCH v4 1/3] security: add SA config option for inner pkt csum
2021-09-30 12:58 [dpdk-dev] [PATCH v4 0/3] add SA config option for inner pkt csum Archana Muniganti
@ 2021-09-30 12:58 ` Archana Muniganti
2021-10-03 21:09 ` Ananyev, Konstantin
2021-09-30 12:58 ` [dpdk-dev] [PATCH v4 2/3] crypto/cnxk: add inner checksum Archana Muniganti
` (2 subsequent siblings)
3 siblings, 1 reply; 6+ messages in thread
From: Archana Muniganti @ 2021-09-30 12:58 UTC (permalink / raw)
To: gakhil, radu.nicolau, roy.fan.zhang, hemant.agrawal, konstantin.ananyev
Cc: Archana Muniganti, anoobj, ktejasree, adwivedi, jerinj, dev
Add inner packet IPv4 hdr and L4 checksum enable options
in conf. These will be used in case of protocol offload.
Per SA, application could specify whether the
checksum(compute/verify) can be offloaded to security device.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
doc/guides/cryptodevs/features/default.ini | 1 +
doc/guides/rel_notes/deprecation.rst | 4 +--
doc/guides/rel_notes/release_21_11.rst | 4 +++
lib/cryptodev/rte_cryptodev.h | 2 ++
lib/security/rte_security.h | 31 ++++++++++++++++++++++
5 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini
index c24814de98..96d95ddc81 100644
--- a/doc/guides/cryptodevs/features/default.ini
+++ b/doc/guides/cryptodevs/features/default.ini
@@ -33,6 +33,7 @@ Non-Byte aligned data =
Sym raw data path API =
Cipher multiple data units =
Cipher wrapped key =
+Inner checksum =
;
; Supported crypto algorithms of a default crypto driver.
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 05fc2fdee7..8308e00ed4 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -232,8 +232,8 @@ Deprecation Notices
IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number).
* security: The IPsec SA config options ``struct rte_security_ipsec_sa_options``
- will be updated with new fields to support new features like IPsec inner
- checksum, TSO in case of protocol offload.
+ will be updated with new fields to support new features like TSO in case of
+ protocol offload.
* ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
``hdr_l3_len`` to configure tunnel L3 header length.
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 3ade7fe5ac..5480f05a99 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -196,6 +196,10 @@ ABI Changes
``rte_security_ipsec_xform`` to allow applications to configure SA soft
and hard expiry limits. Limits can be either in number of packets or bytes.
+* security: The new options ``ip_csum_enable`` and ``l4_csum_enable`` were added
+ in structure ``rte_security_ipsec_sa_options`` to indicate whether inner
+ packet IPv4 header checksum and L4 checksum need to be offloaded to
+ security device.
Known Issues
------------
diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
index bb01f0f195..d9271a6c45 100644
--- a/lib/cryptodev/rte_cryptodev.h
+++ b/lib/cryptodev/rte_cryptodev.h
@@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum,
/**< Support operations on multiple data-units message */
#define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL << 26)
/**< Support wrapped key in cipher xform */
+#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL << 27)
+/**< Support inner checksum computation/verification */
/**
* Get the name of a crypto device feature flag
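Review bot: the new RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM bit has no matching change to the feature-name lookup whose declaration follows this hunk; the diffstat shows rte_cryptodev.h as the only file touched under lib/cryptodev. If that lookup maps each flag to a string, add the entry for bit 27 in this patch so that tools printing device features do not show the flag as unnamed.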
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index ab1a6e1f65..0c5636377e 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -230,6 +230,37 @@ struct rte_security_ipsec_sa_options {
* * 0: Do not match UDP ports
*/
uint32_t udp_ports_verify : 1;
+
+ /** Compute/verify inner packet IPv4 header checksum in tunnel mode
+ *
+ * * 1: For outbound, compute inner packet IPv4 header checksum
+ * before tunnel encapsulation and for inbound, verify after
+ * tunnel decapsulation.
+ * * 0: Inner packet IP header checksum is not computed/verified.
+ *
+ * The checksum verification status would be set in mbuf using
+ * PKT_RX_IP_CKSUM_xxx flags.
+ *
+ * Inner IP checksum computation can also be enabled(per operation)
+ * by setting the flag PKT_TX_IP_CKSUM in mbuf.
+ */
+ uint32_t ip_csum_enable : 1;
+
+ /** Compute/verify inner packet L4 checksum in tunnel mode
+ *
+ * * 1: For outbound, compute inner packet L4 checksum before
+ * tunnel encapsulation and for inbound, verify after
+ * tunnel decapsulation.
+ * * 0: Inner packet L4 checksum is not computed/verified.
+ *
+ * The checksum verification status would be set in mbuf using
+ * PKT_RX_L4_CKSUM_xxx flags.
+ *
+ * Inner L4 checksum computation can also be enabled(per operation)
+ * by setting the flags PKT_TX_TCP_CKSUM or PKT_TX_SCTP_CKSUM or
+ * PKT_TX_UDP_CKSUM or PKT_TX_L4_MASK in mbuf.
+ */
+ uint32_t l4_csum_enable : 1;
};
/** IPSec security association direction */
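Review bot: the comments on ip_csum_enable and l4_csum_enable leave the inbound contract underspecified. They say the status "would be set in mbuf using PKT_RX_IP_CKSUM_xxx flags" but not whether a packet that fails verification is still returned as a successful operation, nor what the flags read when the option is 0. The application is the one that has to drop a packet with a bad inner checksum, so state explicitly that it must test these flags after decapsulation. Both comments also say "in tunnel mode" without saying what happens when the bit is set on a transport-mode SA, and the first one mixes "IPv4 header checksum" with "IP header checksum".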
--
2.22.0
* Re: [dpdk-dev] [PATCH v4 1/3] security: add SA config option for inner pkt csum
From: Ananyev, Konstantin @ 2021-10-03 21:09 UTC (permalink / raw)
To: Archana Muniganti, gakhil, Nicolau, Radu, Zhang, Roy Fan, hemant.agrawal
Cc: anoobj, ktejasree, adwivedi, jerinj, dev
>
> Add inner packet IPv4 hdr and L4 checksum enable options
> in conf. These will be used in case of protocol offload.
> Per SA, application could specify whether the
> checksum(compute/verify) can be offloaded to security device.
>
> Signed-off-by: Archana Muniganti <marchana@marvell.com>
> ---
> doc/guides/cryptodevs/features/default.ini | 1 +
> doc/guides/rel_notes/deprecation.rst | 4 +--
> doc/guides/rel_notes/release_21_11.rst | 4 +++
> lib/cryptodev/rte_cryptodev.h | 2 ++
> lib/security/rte_security.h | 31 ++++++++++++++++++++++
> 5 files changed, 40 insertions(+), 2 deletions(-)
>
> diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini
> index c24814de98..96d95ddc81 100644
> --- a/doc/guides/cryptodevs/features/default.ini
> +++ b/doc/guides/cryptodevs/features/default.ini
> @@ -33,6 +33,7 @@ Non-Byte aligned data =
> Sym raw data path API =
> Cipher multiple data units =
> Cipher wrapped key =
> +Inner checksum =
>
> ;
> ; Supported crypto algorithms of a default crypto driver.
> diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
> index 05fc2fdee7..8308e00ed4 100644
> --- a/doc/guides/rel_notes/deprecation.rst
> +++ b/doc/guides/rel_notes/deprecation.rst
> @@ -232,8 +232,8 @@ Deprecation Notices
> IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number).
>
> * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options``
> - will be updated with new fields to support new features like IPsec inner
> - checksum, TSO in case of protocol offload.
> + will be updated with new fields to support new features like TSO in case of
> + protocol offload.
>
> * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
> ``hdr_l3_len`` to configure tunnel L3 header length.
> diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
> index 3ade7fe5ac..5480f05a99 100644
> --- a/doc/guides/rel_notes/release_21_11.rst
> +++ b/doc/guides/rel_notes/release_21_11.rst
> @@ -196,6 +196,10 @@ ABI Changes
> ``rte_security_ipsec_xform`` to allow applications to configure SA soft
> and hard expiry limits. Limits can be either in number of packets or bytes.
>
> +* security: The new options ``ip_csum_enable`` and ``l4_csum_enable`` were added
> + in structure ``rte_security_ipsec_sa_options`` to indicate whether inner
> + packet IPv4 header checksum and L4 checksum need to be offloaded to
> + security device.
>
> Known Issues
> ------------
> diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
> index bb01f0f195..d9271a6c45 100644
> --- a/lib/cryptodev/rte_cryptodev.h
> +++ b/lib/cryptodev/rte_cryptodev.h
> @@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum,
> /**< Support operations on multiple data-units message */
> #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL << 26)
> /**< Support wrapped key in cipher xform */
> +#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL << 27)
> +/**< Support inner checksum computation/verification */
>
> /**
> * Get the name of a crypto device feature flag
> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> index ab1a6e1f65..0c5636377e 100644
> --- a/lib/security/rte_security.h
> +++ b/lib/security/rte_security.h
> @@ -230,6 +230,37 @@ struct rte_security_ipsec_sa_options {
> * * 0: Do not match UDP ports
> */
> uint32_t udp_ports_verify : 1;
> +
> + /** Compute/verify inner packet IPv4 header checksum in tunnel mode
> + *
> + * * 1: For outbound, compute inner packet IPv4 header checksum
> + * before tunnel encapsulation and for inbound, verify after
> + * tunnel decapsulation.
> + * * 0: Inner packet IP header checksum is not computed/verified.
> + *
> + * The checksum verification status would be set in mbuf using
> + * PKT_RX_IP_CKSUM_xxx flags.
> + *
> + * Inner IP checksum computation can also be enabled(per operation)
> + * by setting the flag PKT_TX_IP_CKSUM in mbuf.
> + */
> + uint32_t ip_csum_enable : 1;
> +
> + /** Compute/verify inner packet L4 checksum in tunnel mode
> + *
> + * * 1: For outbound, compute inner packet L4 checksum before
> + * tunnel encapsulation and for inbound, verify after
> + * tunnel decapsulation.
> + * * 0: Inner packet L4 checksum is not computed/verified.
> + *
> + * The checksum verification status would be set in mbuf using
> + * PKT_RX_L4_CKSUM_xxx flags.
> + *
> + * Inner L4 checksum computation can also be enabled(per operation)
> + * by setting the flags PKT_TX_TCP_CKSUM or PKT_TX_SCTP_CKSUM or
> + * PKT_TX_UDP_CKSUM or PKT_TX_L4_MASK in mbuf.
> + */
> + uint32_t l4_csum_enable : 1;
> };
>
> /** IPSec security association direction */
> --
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> 2.22.0
* [dpdk-dev] [PATCH v4 2/3] crypto/cnxk: add inner checksum
From: Archana Muniganti @ 2021-09-30 12:58 UTC (permalink / raw)
To: gakhil, radu.nicolau, roy.fan.zhang, hemant.agrawal, konstantin.ananyev
Cc: Archana Muniganti, anoobj, ktejasree, adwivedi, jerinj, dev
Add inner checksum support for cn10k.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
doc/guides/cryptodevs/features/cn10k.ini | 1 +
doc/guides/rel_notes/release_21_11.rst | 1 +
drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 65 +++++++++++++++----
drivers/crypto/cnxk/cn10k_ipsec.c | 49 +++++++++++++-
drivers/crypto/cnxk/cn10k_ipsec.h | 1 +
drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 9 ++-
drivers/crypto/cnxk/cnxk_cryptodev.c | 3 +
.../crypto/cnxk/cnxk_cryptodev_capabilities.c | 2 +
8 files changed, 113 insertions(+), 18 deletions(-)
diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini
index f5552feca3..9d08bd5c04 100644
--- a/doc/guides/cryptodevs/features/cn10k.ini
+++ b/doc/guides/cryptodevs/features/cn10k.ini
@@ -15,6 +15,7 @@ OOP SGL In SGL Out = Y
OOP LB In LB Out = Y
Symmetric sessionless = Y
Digest encrypted = Y
+Inner checksum = Y
;
; Supported crypto algorithms of 'cn10k' crypto driver.
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 5480f05a99..576bc01a87 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -73,6 +73,7 @@ New Features
* Added UDP encapsulation support in lookaside protocol (IPsec) for CN10K.
* Added support for lookaside protocol (IPsec) offload for CN9K.
* Added support for ZUC algorithm with 256 bit key length for CN10K.
+ * Added inner checksum support in lookaside protocol (IPsec) for CN10K.
* **Added support for event crypto adapter on Marvell CN10K and CN9K.**
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 3caf05aab9..c25c8e67b2 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -50,7 +50,7 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op)
static __rte_always_inline int __rte_hot
cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
- struct cpt_inst_s *inst)
+ struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst)
{
struct rte_crypto_sym_op *sym_op = op->sym;
union roc_ot_ipsec_sa_word2 *w2;
@@ -72,8 +72,10 @@ cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
if (w2->s.dir == ROC_IE_SA_DIR_OUTBOUND)
ret = process_outb_sa(op, sa, inst);
- else
+ else {
+ infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND;
ret = process_inb_sa(op, sa, inst);
+ }
return ret;
}
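Review bot: in the else branch CPT_OP_FLAGS_IPSEC_DIR_INBOUND is OR-ed into infl_req->op_flags, and nothing in this hunk clears it on the outbound path. Please confirm op_flags is reset every time an inflight request slot is reused; otherwise a slot last used for an inbound op would send a later outbound completion down the inbound checksum path in cn10k_cpt_sec_ucc_process().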
@@ -122,7 +124,8 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[],
if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
sec_sess = get_sec_session_private_data(
sym_op->sec_session);
- ret = cpt_sec_inst_fill(op, sec_sess, &inst[0]);
+ ret = cpt_sec_inst_fill(op, sec_sess, infl_req,
+ &inst[0]);
if (unlikely(ret))
return 0;
w7 = sec_sess->sa.inst.w7;
@@ -342,6 +345,49 @@ cn10k_cpt_sec_post_process(struct rte_crypto_op *cop,
m->pkt_len = m_len;
}
+static inline void
+cn10k_cpt_sec_ucc_process(struct rte_crypto_op *cop,
+ struct cpt_inflight_req *infl_req,
+ const uint8_t uc_compcode)
+{
+ struct cn10k_sec_session *sess;
+ struct cn10k_ipsec_sa *sa;
+ struct rte_mbuf *mbuf;
+
+ if (uc_compcode == ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST)
+ cop->aux_flags = RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
+
+ if (!(infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND))
+ return;
+
+ sess = get_sec_session_private_data(cop->sym->sec_session);
+ sa = &sess->sa;
+
+ mbuf = cop->sym->m_src;
+
+ switch (uc_compcode) {
+ case ROC_IE_OT_UCC_SUCCESS:
+ if (sa->ip_csum_enable)
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+ break;
+ case ROC_IE_OT_UCC_SUCCESS_PKT_IP_BADCSUM:
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_BAD;
+ break;
+ case ROC_IE_OT_UCC_SUCCESS_PKT_L4_GOODCSUM:
+ mbuf->ol_flags |= PKT_RX_L4_CKSUM_GOOD;
+ if (sa->ip_csum_enable)
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+ break;
+ case ROC_IE_OT_UCC_SUCCESS_PKT_L4_BADCSUM:
+ mbuf->ol_flags |= PKT_RX_L4_CKSUM_BAD;
+ if (sa->ip_csum_enable)
+ mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+ break;
+ default:
+ break;
+ }
+}
+
static inline void
cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
struct rte_crypto_op *cop,
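Review bot: in cn10k_cpt_sec_ucc_process() the results are OR-ed into mbuf->ol_flags without first clearing the checksum status bits already present on m_src. If the mbuf still carries an RX checksum status for the outer packet, the inner result is merged with it rather than replacing it, and the application can read a combined value that no longer says BAD. Clear PKT_RX_IP_CKSUM_MASK and PKT_RX_L4_CKSUM_MASK before the switch. Separately, ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST falls into the default case, so an inbound packet that reports soft expiry gets no checksum status even when sa->ip_csum_enable is set; handle or document that case.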
@@ -357,17 +403,8 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
if (likely(compcode == CPT_COMP_WARN)) {
- if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) {
- /* Success with additional info */
- switch (uc_compcode) {
- case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST:
- cop->aux_flags =
- RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
- break;
- default:
- break;
- }
- }
+ /* Success with additional info */
+ cn10k_cpt_sec_ucc_process(cop, infl_req, uc_compcode);
cn10k_cpt_sec_post_process(cop, res);
} else {
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
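Review bot: the retained comment "Success with additional info" no longer matches the code, because the unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS) guard is gone and cn10k_cpt_sec_ucc_process() now runs for plain success too. Update the comment, and check that the session lookup this adds to every inbound completion is acceptable on the fast path for SAs that have checksum offload disabled.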
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index ebb2a7ec48..defc792aa8 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -37,6 +37,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
struct rte_crypto_sym_xform *crypto_xfrm,
struct rte_security_session *sec_sess)
{
+ union roc_ot_ipsec_outb_param1 param1;
struct roc_ot_ipsec_outb_sa *out_sa;
struct cnxk_ipsec_outb_rlens rlens;
struct cn10k_sec_session *sess;
@@ -83,7 +84,27 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
/* pre-populate CPT INST word 4 */
inst_w4.u64 = 0;
inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;
- inst_w4.s.param1 = 0;
+
+ param1.u16 = 0;
+
+ /* Disable IP checksum computation by default */
+ param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.ip_csum_enable) {
+ param1.s.ip_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
+ }
+
+ /* Disable L4 checksum computation by default */
+ param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.l4_csum_enable) {
+ param1.s.l4_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
+ }
+
+ inst_w4.s.param1 = param1.u16;
+
sa->inst.w4 = inst_w4.u64;
return 0;
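Review bot: ip_csum_enable and l4_csum_enable are applied here without looking at the SA mode, while the rte_security.h comments in patch 1/3 define both options for tunnel mode. Either reject the options for a non-tunnel SA at session creation or document what the device does with them in that case. The disable-then-conditionally-enable pairs could also be reduced to a single assignment each.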
@@ -95,6 +116,7 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
struct rte_crypto_sym_xform *crypto_xfrm,
struct rte_security_session *sec_sess)
{
+ union roc_ot_ipsec_inb_param1 param1;
struct roc_ot_ipsec_inb_sa *in_sa;
struct cn10k_sec_session *sess;
struct cn10k_ipsec_sa *sa;
@@ -121,8 +143,29 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
inst_w4.u64 = 0;
inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC;
- /* Disable checksum verification for now */
- inst_w4.s.param1 = 7;
+ param1.u16 = 0;
+
+ /* Disable IP checksum verification by default */
+ param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.ip_csum_enable) {
+ param1.s.ip_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
+ sa->ip_csum_enable = true;
+ }
+
+ /* Disable L4 checksum verification by default */
+ param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
+
+ if (ipsec_xfrm->options.l4_csum_enable) {
+ param1.s.l4_csum_disable =
+ ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
+ }
+
+ param1.s.esp_trailer_disable = 1;
+
+ inst_w4.s.param1 = param1.u16;
+
sa->inst.w4 = inst_w4.u64;
return 0;
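Review bot: sa->ip_csum_enable is only ever assigned true, inside the if; it is never written when the option is off, so the inbound post-processing depends on the SA memory having been zeroed before this function runs. Assign it unconditionally from ipsec_xfrm->options.ip_csum_enable. Also, "param1.s.esp_trailer_disable = 1;" is a bare literal next to two named constants and replaces the old "inst_w4.s.param1 = 7;" with no comment on why the ESP trailer is disabled; a one-line comment would help.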
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index 6f974b716d..86cd2483f5 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -23,6 +23,7 @@ struct cn10k_ipsec_sa {
uint16_t max_extended_len;
uint16_t iv_offset;
uint8_t iv_length;
+ bool ip_csum_enable;
};
struct cn10k_sec_session {
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index 862476a72e..df1b0a3678 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -53,6 +53,7 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
{
struct rte_crypto_sym_op *sym_op = cop->sym;
struct rte_mbuf *m_src = sym_op->m_src;
+ uint64_t inst_w4_u64 = sess->inst.w4;
if (unlikely(rte_pktmbuf_tailroom(m_src) < sess->max_extended_len)) {
plt_dp_err("Not enough tail room");
@@ -68,8 +69,14 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
}
#endif
+ if (m_src->ol_flags & PKT_TX_IP_CKSUM)
+ inst_w4_u64 &= ~BIT_ULL(33);
+
+ if (m_src->ol_flags & PKT_TX_L4_MASK)
+ inst_w4_u64 &= ~BIT_ULL(32);
+
/* Prepare CPT instruction */
- inst->w4.u64 = sess->inst.w4;
+ inst->w4.u64 = inst_w4_u64;
inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src);
inst->dptr = rte_pktmbuf_iova(m_src);
inst->rptr = inst->dptr;
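Review bot: BIT_ULL(33) and BIT_ULL(32) hard-code where the checksum-disable bits of param1 sit inside instruction word 4, duplicating a layout that cn10k_ipsec_outb_sa_create() expresses through union roc_ot_ipsec_outb_param1. Use named macros or go through the union so the two places cannot drift apart, and add a comment saying which bit is the IP one and which is the L4 one.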
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.c b/drivers/crypto/cnxk/cnxk_cryptodev.c
index 5c7801ec48..d67de54a7b 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.c
@@ -24,6 +24,9 @@ cnxk_cpt_default_ff_get(void)
RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED |
RTE_CRYPTODEV_FF_SECURITY;
+ if (roc_model_is_cn10k())
+ ff |= RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM;
+
return ff;
}
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 34eb441ab3..a227e6981c 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -961,6 +961,8 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
sec_cap->ipsec.options.tunnel_hdr_verify =
RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
}
+ sec_cap->ipsec.options.ip_csum_enable = 1;
+ sec_cap->ipsec.options.l4_csum_enable = 1;
}
static void
--
2.22.0
* [dpdk-dev] [PATCH v4 3/3] test/crypto: add inner checksum cases
From: Archana Muniganti @ 2021-09-30 12:58 UTC (permalink / raw)
To: gakhil, radu.nicolau, roy.fan.zhang, hemant.agrawal, konstantin.ananyev
Cc: Archana Muniganti, anoobj, ktejasree, adwivedi, jerinj, dev
This patch adds tests for inner IP and inner L4 checksum
in IPsec mode.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
app/test/test_cryptodev.c | 34 +++
app/test/test_cryptodev_security_ipsec.c | 195 ++++++++++++++++++
app/test/test_cryptodev_security_ipsec.h | 2 +
...st_cryptodev_security_ipsec_test_vectors.h | 6 +
doc/guides/rel_notes/release_21_11.rst | 1 +
5 files changed, 238 insertions(+)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index e6ceeb487f..65b64e1af0 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -18,6 +18,8 @@
#include <rte_cryptodev.h>
#include <rte_ip.h>
#include <rte_string_fns.h>
+#include <rte_tcp.h>
+#include <rte_udp.h>
#ifdef RTE_CRYPTO_SCHEDULER
#include <rte_cryptodev_scheduler.h>
@@ -9299,6 +9301,30 @@ test_ipsec_proto_udp_ports_verify(const void *data __rte_unused)
return test_ipsec_proto_all(&flags);
}
+static int
+test_ipsec_proto_inner_ip_csum(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ip_csum = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_inner_l4_csum(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.l4_csum = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
static int
test_PDCP_PROTO_all(void)
{
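Review bot: both new cases exercise only the good-checksum path, one option at a time. There is no case that corrupts the inner checksum and expects PKT_RX_IP_CKSUM_BAD or PKT_RX_L4_CKSUM_BAD, and none that sets flags.ip_csum and flags.l4_csum together, so the driver's BADCSUM completion codes and its combined L4-plus-IP branches stay untested. Please add at least one negative case per checksum type.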
@@ -14255,6 +14281,14 @@ static struct unit_test_suite ipsec_proto_testsuite = {
"Tunnel src and dst addr verification",
ut_setup_security, ut_teardown,
test_ipsec_proto_tunnel_src_dst_addr_verify),
+ TEST_CASE_NAMED_ST(
+ "Inner IP checksum",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_inner_ip_csum),
+ TEST_CASE_NAMED_ST(
+ "Inner L4 checksum",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_inner_l4_csum),
TEST_CASES_END() /**< NULL terminate unit test array */
}
};
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 764e77bbff..bcd9746c98 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -7,6 +7,7 @@
#include <rte_esp.h>
#include <rte_ip.h>
#include <rte_security.h>
+#include <rte_tcp.h>
#include <rte_udp.h>
#include "test.h"
@@ -103,6 +104,22 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
return -ENOTSUP;
}
+ if (ipsec_xform->options.ip_csum_enable == 1 &&
+ sec_cap->ipsec.options.ip_csum_enable == 0) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Inner IP checksum is not supported\n");
+ return -ENOTSUP;
+ }
+
+ if (ipsec_xform->options.l4_csum_enable == 1 &&
+ sec_cap->ipsec.options.l4_csum_enable == 0) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Inner L4 checksum is not supported\n");
+ return -ENOTSUP;
+ }
+
return 0;
}
@@ -160,6 +177,56 @@ test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
}
}
+static bool
+is_ipv4(void *ip)
+{
+ struct rte_ipv4_hdr *ipv4 = ip;
+ uint8_t ip_ver;
+
+ ip_ver = (ipv4->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER;
+ if (ip_ver == IPVERSION)
+ return true;
+ else
+ return false;
+}
+
+static void
+test_ipsec_csum_init(void *ip, bool l3, bool l4)
+{
+ struct rte_ipv4_hdr *ipv4;
+ struct rte_tcp_hdr *tcp;
+ struct rte_udp_hdr *udp;
+ uint8_t next_proto;
+ uint8_t size;
+
+ if (is_ipv4(ip)) {
+ ipv4 = ip;
+ size = sizeof(struct rte_ipv4_hdr);
+ next_proto = ipv4->next_proto_id;
+
+ if (l3)
+ ipv4->hdr_checksum = 0;
+ } else {
+ size = sizeof(struct rte_ipv6_hdr);
+ next_proto = ((struct rte_ipv6_hdr *)ip)->proto;
+ }
+
+ if (l4) {
+ switch (next_proto) {
+ case IPPROTO_TCP:
+ tcp = (struct rte_tcp_hdr *)RTE_PTR_ADD(ip, size);
+ tcp->cksum = 0;
+ break;
+ case IPPROTO_UDP:
+ udp = (struct rte_udp_hdr *)RTE_PTR_ADD(ip, size);
+ udp->dgram_cksum = 0;
+ break;
+ default:
+ return;
+ }
+ }
+}
+
void
test_ipsec_td_prepare(const struct crypto_param *param1,
const struct crypto_param *param2,
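Review bot: is_ipv4() shifts by RTE_IPV4_IHL_MULTIPLIER to extract the version nibble. That constant describes the IHL word size and only happens to equal the shift amount; use a literal 4 or a dedicated name, and return the comparison directly instead of the if/else. test_ipsec_csum_init() also locates the L4 header at sizeof(struct rte_ipv4_hdr) or sizeof(struct rte_ipv6_hdr), so a vector with IPv4 options or IPv6 extension headers would have the wrong bytes zeroed; a comment stating that assumption is enough for test code.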
@@ -194,6 +261,17 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
if (flags->sa_expiry_pkts_soft)
td->ipsec_xform.life.packets_soft_limit =
IPSEC_TEST_PACKETS_MAX - 1;
+
+ if (flags->ip_csum) {
+ td->ipsec_xform.options.ip_csum_enable = 1;
+ test_ipsec_csum_init(&td->input_text.data, true, false);
+ }
+
+ if (flags->l4_csum) {
+ td->ipsec_xform.options.l4_csum_enable = 1;
+ test_ipsec_csum_init(&td->input_text.data, false, true);
+ }
+
}
RTE_SET_USED(param2);
@@ -230,6 +308,12 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
td_inb[i].ipsec_xform.options.tunnel_hdr_verify =
flags->tunnel_hdr_verify;
+ if (flags->ip_csum)
+ td_inb[i].ipsec_xform.options.ip_csum_enable = 1;
+
+ if (flags->l4_csum)
+ td_inb[i].ipsec_xform.options.l4_csum_enable = 1;
+
/* Clear outbound specific flags */
td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
}
@@ -305,12 +389,96 @@ test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td)
return TEST_SUCCESS;
}
+static int
+test_ipsec_l3_csum_verify(struct rte_mbuf *m)
+{
+ uint16_t actual_cksum, expected_cksum;
+ struct rte_ipv4_hdr *ip;
+
+ ip = rte_pktmbuf_mtod(m, struct rte_ipv4_hdr *);
+
+ if (!is_ipv4((void *)ip))
+ return TEST_SKIPPED;
+
+ actual_cksum = ip->hdr_checksum;
+
+ ip->hdr_checksum = 0;
+
+ expected_cksum = rte_ipv4_cksum(ip);
+
+ if (actual_cksum != expected_cksum)
+ return TEST_FAILED;
+
+ return TEST_SUCCESS;
+}
+
+static int
+test_ipsec_l4_csum_verify(struct rte_mbuf *m)
+{
+ uint16_t actual_cksum = 0, expected_cksum = 0;
+ struct rte_ipv4_hdr *ipv4;
+ struct rte_ipv6_hdr *ipv6;
+ struct rte_tcp_hdr *tcp;
+ struct rte_udp_hdr *udp;
+ void *ip, *l4;
+
+ ip = rte_pktmbuf_mtod(m, void *);
+
+ if (is_ipv4(ip)) {
+ ipv4 = ip;
+ l4 = RTE_PTR_ADD(ipv4, sizeof(struct rte_ipv4_hdr));
+
+ switch (ipv4->next_proto_id) {
+ case IPPROTO_TCP:
+ tcp = (struct rte_tcp_hdr *)l4;
+ actual_cksum = tcp->cksum;
+ tcp->cksum = 0;
+ expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4);
+ break;
+ case IPPROTO_UDP:
+ udp = (struct rte_udp_hdr *)l4;
+ actual_cksum = udp->dgram_cksum;
+ udp->dgram_cksum = 0;
+ expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4);
+ break;
+ default:
+ break;
+ }
+ } else {
+ ipv6 = ip;
+ l4 = RTE_PTR_ADD(ipv6, sizeof(struct rte_ipv6_hdr));
+
+ switch (ipv6->proto) {
+ case IPPROTO_TCP:
+ tcp = (struct rte_tcp_hdr *)l4;
+ actual_cksum = tcp->cksum;
+ tcp->cksum = 0;
+ expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4);
+ break;
+ case IPPROTO_UDP:
+ udp = (struct rte_udp_hdr *)l4;
+ actual_cksum = udp->dgram_cksum;
+ udp->dgram_cksum = 0;
+ expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4);
+ break;
+ default:
+ break;
+ }
+ }
+
+ if (actual_cksum != expected_cksum)
+ return TEST_FAILED;
+
+ return TEST_SUCCESS;
+}
+
static int
test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
bool silent, const struct ipsec_test_flags *flags)
{
uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
uint32_t skip, len = rte_pktmbuf_pkt_len(m);
+ int ret;
/* For tests with status as error for test success, skip verification */
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
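Review bot: in test_ipsec_l4_csum_verify() the default cases leave actual_cksum and expected_cksum at 0, so a packet whose next protocol is neither TCP nor UDP returns TEST_SUCCESS without anything having been checked. Return TEST_SKIPPED there, as test_ipsec_l3_csum_verify() does for a non-IPv4 packet. Both helpers also zero the checksum field in the mbuf and never restore it, which matters to any later comparison of the packet contents.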
@@ -354,6 +522,33 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
len -= skip;
output_text += skip;
+ if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ flags->ip_csum) {
+ if (m->ol_flags & PKT_RX_IP_CKSUM_GOOD)
+ ret = test_ipsec_l3_csum_verify(m);
+ else
+ ret = TEST_FAILED;
+
+ if (ret == TEST_FAILED)
+ printf("Inner IP checksum test failed\n");
+
+ return ret;
+ }
+
+ if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ flags->l4_csum) {
+ if (m->ol_flags & PKT_RX_L4_CKSUM_GOOD)
+ ret = test_ipsec_l4_csum_verify(m);
+ else
+ ret = TEST_FAILED;
+
+ if (ret == TEST_FAILED)
+ printf("Inner L4 checksum test failed\n");
+
+ return ret;
+ }
+
+
if (memcmp(output_text, td->output_text.data + skip, len)) {
if (silent)
return TEST_FAILED;
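Review bot: each new block ends with an unconditional "return ret;", so when flags->ip_csum is set the function returns before the flags->l4_csum block and before the memcmp against td->output_text. A checksum case therefore passes without the decrypted payload ever being compared. Return only when ret is not TEST_SUCCESS and let the good case fall through (the verify helpers would then have to restore the checksum field they zero). There is also a doubled blank line before the memcmp.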
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 0416005520..7628d0c42a 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -56,6 +56,8 @@ struct ipsec_test_flags {
uint32_t tunnel_hdr_verify;
bool udp_encap;
bool udp_ports_verify;
+ bool ip_csum;
+ bool l4_csum;
};
struct crypto_param {
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
index 4e147ec19c..bb95d00641 100644
--- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -95,6 +95,8 @@ struct ipsec_test_data pkt_aes_128_gcm = {
.options.ecn = 0,
.options.stats = 0,
.options.tunnel_hdr_verify = 0,
+ .options.ip_csum_enable = 0,
+ .options.l4_csum_enable = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -192,6 +194,8 @@ struct ipsec_test_data pkt_aes_192_gcm = {
.options.ecn = 0,
.options.stats = 0,
.options.tunnel_hdr_verify = 0,
+ .options.ip_csum_enable = 0,
+ .options.l4_csum_enable = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -292,6 +296,8 @@ struct ipsec_test_data pkt_aes_256_gcm = {
.options.ecn = 0,
.options.stats = 0,
.options.tunnel_hdr_verify = 0,
+ .options.ip_csum_enable = 0,
+ .options.l4_csum_enable = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 576bc01a87..8d1752ef39 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -108,6 +108,7 @@ New Features
* Added tests to validate packets soft expiry.
* Added tests to validate packets hard expiry.
* Added tests to verify tunnel header verification in IPsec inbound.
+ * Added tests to verify inner checksum.
Removed Items
--
2.22.0
* Re: [dpdk-dev] [PATCH v4 0/3] add SA config option for inner pkt csum
From: Akhil Goyal @ 2021-10-07 13:44 UTC (permalink / raw)
To: Archana Muniganti, radu.nicolau, roy.fan.zhang, hemant.agrawal,
konstantin.ananyev
Cc: Archana Muniganti, Anoob Joseph, Tejasree Kondoj, Ankur Dwivedi,
Jerin Jacob Kollanukkaran, dev
> Add inner packet IPv4 hdr and L4 checksum enable options
> in conf. These will be used in case of protocol offload.
> Per SA, application could specify whether the
> checksum(compute/verify) can be offloaded to security device.
>
> Changes in v4:
> - Rebased to ToT
> - Added documentation for per packet checksum(comment from Konstantin)
>
> Changes in v3:
> - Removed code unrelated to this series.
>
> Changes in v2:
> - Fixed release notes
> - Added feature flag in default.ini and cn10k.ini
> - Fixed test patch subject
>
> Archana Muniganti (3):
> security: add SA config option for inner pkt csum
> crypto/cnxk: add inner checksum
> test/crypto: add inner checksum cases
Series
Acked-by: Akhil Goyal <gakhil@mavell.com>
Applied to dpdk-next-crypto
Thanks.