From: Nithin Dabilpuram
To: , Cristian Dumitrescu
CC: , , Nithin Dabilpuram
Subject: [PATCH 1/3] security: introduce out of place support for inline ingress
Date: Fri, 11 Aug 2023 14:24:38 +0530
Message-ID: <20230811085440.415916-1-ndabilpuram@marvell.com>
In-Reply-To: <20230309085645.1630826-1-ndabilpuram@marvell.com>
References: <20230309085645.1630826-1-ndabilpuram@marvell.com>
List-Id: DPDK patches and discussions

Similar to out of place (OOP) processing support that exists for
Lookaside crypto/security sessions, Inline ingress security
sessions may also need out of place processing in use cases
where the original encrypted packet needs to be retained for post
processing. So for NICs which have such a kind of HW support,
a new SA option is provided to indicate whether OOP needs to
be enabled on that Inline ingress security session or not.

Since for inline ingress sessions, the packet is not received by
the CPU until the processing is done, we can only have a per-SA
option and not a per-packet option like Lookaside sessions.

Also remove the reserved_opts field from the
rte_security_ipsec_sa_options struct as mentioned in the
deprecation notice.

Signed-off-by: Nithin Dabilpuram --- v1: - Removed reserved_opts field from sa_options struct lib/pipeline/rte_swx_ipsec.c | 1 - lib/security/rte_security.c | 17 +++++++++++++ lib/security/rte_security.h | 40 +++++++++++++++++++++++++----- lib/security/rte_security_driver.h | 8 ++++++ lib/security/version.map | 2 ++ 5 files changed, 61 insertions(+), 7 deletions(-) diff --git a/lib/pipeline/rte_swx_ipsec.c b/lib/pipeline/rte_swx_ipsec.c index 6c217ee797..28576c2a48 100644 --- a/lib/pipeline/rte_swx_ipsec.c +++ b/lib/pipeline/rte_swx_ipsec.c @@ -1555,7 +1555,6 @@ ipsec_xform_get(struct rte_swx_ipsec_sa_params *p, ipsec_xform->options.ip_csum_enable = 0; ipsec_xform->options.l4_csum_enable = 0; ipsec_xform->options.ip_reassembly_en = 0; - ipsec_xform->options.reserved_opts = 0; ipsec_xform->direction = p->encrypt ? RTE_SECURITY_IPSEC_SA_DIR_EGRESS : diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c index c4d64bb8e9..2391cd0aa2 100644 --- a/lib/security/rte_security.c +++ b/lib/security/rte_security.c @@ -27,7 +27,10 @@ } while (0) #define RTE_SECURITY_DYNFIELD_NAME "rte_security_dynfield_metadata" +#define RTE_SECURITY_OOP_DYNFIELD_NAME "rte_security_oop_dynfield_metadata" + int rte_security_dynfield_offset = -1; +int rte_security_oop_dynfield_offset = -1; int rte_security_dynfield_register(void) @@ -42,6 +45,20 @@ rte_security_dynfield_register(void) return rte_security_dynfield_offset; } +int +rte_security_oop_dynfield_register(void) +{ + static const struct rte_mbuf_dynfield dynfield_desc = { + .name = RTE_SECURITY_OOP_DYNFIELD_NAME, + .size = sizeof(rte_security_oop_dynfield_t), + .align = __alignof__(rte_security_oop_dynfield_t), + }; + + rte_security_oop_dynfield_offset = + rte_mbuf_dynfield_register(&dynfield_desc); + return rte_security_oop_dynfield_offset; +} + void * rte_security_session_create(struct rte_security_ctx *instance, struct rte_security_session_conf *conf, 
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 3b2df526ba..3996ab21a1 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -274,14 +274,16 @@ struct rte_security_ipsec_sa_options { */ uint32_t ip_reassembly_en : 1; - /** Reserved bit fields for future extension + /** Enable out of place processing on inline inbound packets. * - * User should ensure reserved_opts is cleared as it may change in - * subsequent releases to support new options. - * - * Note: Reduce number of bits in reserved_opts for every new option. + * * 1: Enable driver to perform Out-of-place(OOP) processing for this inline + * inbound SA if supported by driver. PMD need to register mbuf + * dynamic field using rte_security_oop_dynfield_register() + * and security session creation would fail if dynfield is not + * registered successfully. + * * 0: Disable OOP processing for this session (default). */ - uint32_t reserved_opts : 17; + uint32_t ingress_oop : 1; }; /** IPSec security association direction */ @@ -821,6 +823,13 @@ typedef uint64_t rte_security_dynfield_t; /** Dynamic mbuf field for device-specific metadata */ extern int rte_security_dynfield_offset; +/** Out-of-Place(OOP) processing field type */ +typedef struct rte_mbuf *rte_security_oop_dynfield_t; +/** Dynamic mbuf field for pointer to original mbuf for + * OOP processing session. + */ +extern int rte_security_oop_dynfield_offset; + /** * @warning * @b EXPERIMENTAL: this API may change without prior notice 
@@ -843,6 +852,25 @@ rte_security_dynfield(struct rte_mbuf *mbuf) rte_security_dynfield_t *); } +/** + * @warning + * @b EXPERIMENTAL: this API may change without prior notice + * + * Get pointer to mbuf field for original mbuf pointer when + * Out-Of-Place(OOP) processing is enabled in security session. + * + * @param mbuf packet to access + * @return pointer to mbuf field + */ +__rte_experimental +static inline rte_security_oop_dynfield_t * +rte_security_oop_dynfield(struct rte_mbuf *mbuf) +{ + return RTE_MBUF_DYNFIELD(mbuf, + rte_security_oop_dynfield_offset, + rte_security_oop_dynfield_t *); +} + /** * @warning * @b EXPERIMENTAL: this API may change without prior notice diff --git a/lib/security/rte_security_driver.h b/lib/security/rte_security_driver.h index 31444a05d3..d5602650c2 100644 --- a/lib/security/rte_security_driver.h +++ b/lib/security/rte_security_driver.h @@ -197,6 +197,14 @@ typedef int (*security_macsec_sa_stats_get_t)(void *device, uint16_t sa_id, __rte_internal int rte_security_dynfield_register(void); +/** + * @internal + * Register mbuf dynamic field for Security inline ingress Out-of-Place(OOP) + * processing. + */ +__rte_internal +int rte_security_oop_dynfield_register(void); + /** * Update the mbuf with provided metadata. * diff --git a/lib/security/version.map b/lib/security/version.map index b2097a969d..86f976a302 100644 --- a/lib/security/version.map +++ b/lib/security/version.map @@ -23,10 +23,12 @@ EXPERIMENTAL { rte_security_macsec_sc_stats_get; rte_security_session_stats_get; rte_security_session_update; + rte_security_oop_dynfield_offset; }; INTERNAL { global: rte_security_dynfield_register; + rte_security_oop_dynfield_register; }; -- 2.25.1
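
Review bot: In ipsec_xform_get() in lib/pipeline/rte_swx_ipsec.c, the removed reserved_opts = 0 assignment is not replaced by an explicit ipsec_xform->options.ingress_oop = 0, although the context lines right above it clear ip_csum_enable, l4_csum_enable and ip_reassembly_en one by one. Unless ipsec_xform is zeroed before this function fills it (not visible in this hunk), the new bit can carry whatever was in memory and request OOP on an SA that never asked for it. Suggest adding the explicit assignment next to ip_reassembly_en.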
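
Review bot: The ingress_oop comment in rte_security.h promises that session creation fails when the OOP dynfield is not registered, but in lib/security/rte_security.c this patch only adds rte_security_oop_dynfield_register(); rte_security_session_create() appears as unchanged context, so nothing in the library enforces that promise and every PMD has to remember the check. Consider rejecting the session in rte_security_session_create() when ingress_oop is set and rte_security_oop_dynfield_offset is negative, or reword the comment to say the PMD is responsible. The declaration in rte_security_driver.h would also benefit from a @return line saying the function returns the registered offset, or a negative value on failure.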
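
Review bot: In struct rte_security_ipsec_sa_options in rte_security.h, removing reserved_opts breaks the build of any application that still assigns to it, and the diffstat touches no file under doc/, so the deprecation notice the commit message refers to and the release notes are not updated here. Unless a later patch in the series does it, please add the release-note entry and drop the deprecation notice together with this change. The ingress_oop comment should also state what happens when the bit is set on an egress SA or on a session that is not inline, since the text only covers the inline inbound case.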
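
Review bot: rte_security_oop_dynfield() in rte_security.h uses rte_security_oop_dynfield_offset without any check, and rte_security.c initialises that offset to -1, so calling the accessor before a successful registration returns a pointer computed from offset -1, outside the mbuf's dynamic field area. The doc comment should state that precondition, say what the field holds on packets that were not processed by an OOP-enabled SA (NULL or undefined), and say who owns and frees the original mbuf it points to. Without that, an application can end up dereferencing or freeing a stale pointer.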
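
Review bot: In lib/security/version.map, rte_security_oop_dynfield_offset is appended after rte_security_session_update in the EXPERIMENTAL block, while the three context lines above it are in alphabetical order. Suggest moving it before rte_security_session_stats_get so the block stays sorted.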