From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 4178442601; Thu, 21 Sep 2023 04:18:12 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id BCBDC4026D; Thu, 21 Sep 2023 04:18:11 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 1E6854014F for ; Thu, 21 Sep 2023 04:18:09 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 38KILawT001328; Wed, 20 Sep 2023 19:18:08 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=WKs4n77lF4hWeX9QwPPCAFcwK+/PsRMTAoYmtOyJIUw=; b=QEMFiNsJ7/j8OoXSpJ/umGO0BlRbmSNUvp8V8ZyesjKQuo6NwK3SPMFq81twtxS7bT6M 4ZzyHSupn7z45MP2L6tUHZLIgsNawENSS5n6dtDpSnKaZXE3hFkfxniXjiKq2eNLaO8K Zo0s6RSdTF5viZnGd3l9RVxscxU9zNIZHbnh1R7aw2l1RbMfhn9u6yURaes+apLL4jCu RPhBTOMlyw0GVY0WLeN2KTvld3oOyhfmqTg8JFdwviuhGjqDUE+60VeqjYhtzYSHtIEV OsiT52O4IcMPOFTX5YOYlE4fNvL64w2xLApRa+PI3B1wCy53wRrcLa+iph1CH7BlwjFU AA== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3t7u4dcaj8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 20 Sep 2023 19:18:08 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Wed, 20 Sep 2023 19:18:06 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.48 via Frontend Transport; Wed, 20 Sep 2023 19:18:07 -0700 Received: from hyd1588t430.caveonetworks.com (unknown [10.29.52.204]) by maili.marvell.com (Postfix) with ESMTP id 5C1E85B693F; Wed, 20 Sep 2023 19:18:05 -0700 (PDT) From: Nithin Dabilpuram To: , Cristian Dumitrescu CC: , , Nithin Dabilpuram Subject: [PATCH v2 1/3] security: introduce out of place support for inline ingress Date: Thu, 21 Sep 2023 07:45:46 +0530 Message-ID: <20230921021548.1196858-1-ndabilpuram@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230309085645.1630826-1-ndabilpuram@marvell.com> References: <20230309085645.1630826-1-ndabilpuram@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-ORIG-GUID: rZ_cl1DXeZi5ZwIxIH1tUxNRSsZxWR5I X-Proofpoint-GUID: rZ_cl1DXeZi5ZwIxIH1tUxNRSsZxWR5I X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.267,Aquarius:18.0.980,Hydra:6.0.601,FMLib:17.11.176.26 definitions=2023-09-20_14,2023-09-20_01,2023-05-22_02 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Similar to out of place(OOP) processing support that exists for Lookaside crypto/security sessions, Inline ingress security sessions may also need out of place processing in usecases where original encrypted packet needs to be retained for post processing. So for NIC's which have such a kind of HW support, a new SA option is provided to indicate whether OOP needs to be enabled on that Inline ingress security session or not. Since for inline ingress sessions, packet is not received by CPU until the processing is done, we can only have per-SA option and not per-packet option like Lookaside sessions. Also remove reserved_opts field from the rte_security_ipsec_sa_options struct as mentioned in deprecation notice. Signed-off-by: Nithin Dabilpuram --- v2: - Fix documentation issue in 1/3 and update release notes v1: - Removed reserved_opts field from sa_options struct doc/guides/rel_notes/deprecation.rst | 5 ---- doc/guides/rel_notes/release_23_11.rst | 8 ++++++ lib/pipeline/rte_swx_ipsec.c | 1 - lib/security/rte_security.c | 17 +++++++++++ lib/security/rte_security.h | 40 ++++++++++++++++++++++---- lib/security/rte_security_driver.h | 8 ++++++ lib/security/version.map | 2 ++ 7 files changed, 69 insertions(+), 12 deletions(-) diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst index bcd02e7762..8311035f2d 100644 --- a/doc/guides/rel_notes/deprecation.rst +++ b/doc/guides/rel_notes/deprecation.rst @@ -147,11 +147,6 @@ Deprecation Notices * security: Hide structures ``rte_security_ops`` and ``rte_security_ctx`` as these are internal to DPDK library and drivers. -* security: New SA option ``ingress_oop`` would be added in structure - ``rte_security_ipsec_sa_options`` to support out of place processing - for inline inbound SA from DPDK 23.11. ``reserved_opts`` field in the - same struct would be removed as discussed in techboard meeting. - * eventdev: The single-event (non-burst) enqueue and dequeue operations, used by static inline burst enqueue and dequeue functions in ``rte_eventdev.h``, will be removed in DPDK 23.11. diff --git a/doc/guides/rel_notes/release_23_11.rst b/doc/guides/rel_notes/release_23_11.rst index 55ba7c16ae..85d4a929b0 100644 --- a/doc/guides/rel_notes/release_23_11.rst +++ b/doc/guides/rel_notes/release_23_11.rst @@ -86,6 +86,10 @@ New Features Enabled support for QAT 2.0c (4944) devices in QAT crypto driver. +* **Added out of place processing support for inline ingress security session.** + + Similar to out of place processing support for lookaside security session, added + the same support for inline ingress security session. Removed Items ------------- @@ -109,6 +113,8 @@ Removed Items ``rte_crypto_auth_algorithm_strings``, ``rte_crypto_aead_algorithm_strings`` and ``rte_crypto_asym_xform_strings``. +* security: Removed deprecated field ``reserved_opts`` from struct + ``rte_security_ipsec_sa_options``. API Changes ----------- @@ -141,6 +147,8 @@ ABI Changes Also, make sure to start the actual text at the margin. ======================================================= +* security: struct ``rte_security_ipsec_sa_options`` was updated due to inline + out-of-place feature addition. Known Issues ------------ diff --git a/lib/pipeline/rte_swx_ipsec.c b/lib/pipeline/rte_swx_ipsec.c index 6c217ee797..28576c2a48 100644 --- a/lib/pipeline/rte_swx_ipsec.c +++ b/lib/pipeline/rte_swx_ipsec.c @@ -1555,7 +1555,6 @@ ipsec_xform_get(struct rte_swx_ipsec_sa_params *p, ipsec_xform->options.ip_csum_enable = 0; ipsec_xform->options.l4_csum_enable = 0; ipsec_xform->options.ip_reassembly_en = 0; - ipsec_xform->options.reserved_opts = 0; ipsec_xform->direction = p->encrypt ? RTE_SECURITY_IPSEC_SA_DIR_EGRESS : diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c index 2d729b735b..42af4a2c35 100644 --- a/lib/security/rte_security.c +++ b/lib/security/rte_security.c @@ -27,7 +27,10 @@ } while (0) #define RTE_SECURITY_DYNFIELD_NAME "rte_security_dynfield_metadata" +#define RTE_SECURITY_OOP_DYNFIELD_NAME "rte_security_oop_dynfield_metadata" + int rte_security_dynfield_offset = -1; +int rte_security_oop_dynfield_offset = -1; int rte_security_dynfield_register(void) @@ -42,6 +45,20 @@ rte_security_dynfield_register(void) return rte_security_dynfield_offset; } +int +rte_security_oop_dynfield_register(void) +{ + static const struct rte_mbuf_dynfield dynfield_desc = { + .name = RTE_SECURITY_OOP_DYNFIELD_NAME, + .size = sizeof(rte_security_oop_dynfield_t), + .align = __alignof__(rte_security_oop_dynfield_t), + }; + + rte_security_oop_dynfield_offset = + rte_mbuf_dynfield_register(&dynfield_desc); + return rte_security_oop_dynfield_offset; +} + void * rte_security_session_create(struct rte_security_ctx *instance, struct rte_security_session_conf *conf, diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 439bbb957f..da58fe1f14 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -273,14 +273,16 @@ struct rte_security_ipsec_sa_options { */ uint32_t ip_reassembly_en : 1; - /** Reserved bit fields for future extension + /** Enable out of place processing on inline inbound packets. * - * User should ensure reserved_opts is cleared as it may change in - * subsequent releases to support new options. - * - * Note: Reduce number of bits in reserved_opts for every new option. + * * 1: Enable driver to perform Out-of-place(OOP) processing for this inline + * inbound SA if supported by driver. PMD need to register mbuf + * dynamic field using rte_security_oop_dynfield_register() + * and security session creation would fail if dynfield is not + * registered successfully. + * * 0: Disable OOP processing for this session (default). */ - uint32_t reserved_opts : 17; + uint32_t ingress_oop : 1; }; /** IPSec security association direction */ @@ -825,6 +827,13 @@ typedef uint64_t rte_security_dynfield_t; /** Dynamic mbuf field for device-specific metadata */ extern int rte_security_dynfield_offset; +/** Out-of-Place(OOP) processing field type */ +typedef struct rte_mbuf *rte_security_oop_dynfield_t; +/** Dynamic mbuf field for pointer to original mbuf for + * OOP processing session. + */ +extern int rte_security_oop_dynfield_offset; + /** * @warning * @b EXPERIMENTAL: this API may change without prior notice @@ -847,6 +856,25 @@ rte_security_dynfield(struct rte_mbuf *mbuf) rte_security_dynfield_t *); } +/** + * @warning + * @b EXPERIMENTAL: this API may change without prior notice + * + * Get pointer to mbuf field for original mbuf pointer when + * Out-Of-Place(OOP) processing is enabled in security session. + * + * @param mbuf packet to access + * @return pointer to mbuf field + */ +__rte_experimental +static inline rte_security_oop_dynfield_t * +rte_security_oop_dynfield(struct rte_mbuf *mbuf) +{ + return RTE_MBUF_DYNFIELD(mbuf, + rte_security_oop_dynfield_offset, + rte_security_oop_dynfield_t *); +} + /** * @warning * @b EXPERIMENTAL: this API may change without prior notice diff --git a/lib/security/rte_security_driver.h b/lib/security/rte_security_driver.h index 31444a05d3..1e6a6ef8e3 100644 --- a/lib/security/rte_security_driver.h +++ b/lib/security/rte_security_driver.h @@ -197,6 +197,14 @@ typedef int (*security_macsec_sa_stats_get_t)(void *device, uint16_t sa_id, __rte_internal int rte_security_dynfield_register(void); +/** + * @internal + * Register mbuf dynamic field for security inline ingress Out-of-Place(OOP) + * processing. + */ +__rte_internal +int rte_security_oop_dynfield_register(void); + /** * Update the mbuf with provided metadata. * diff --git a/lib/security/version.map b/lib/security/version.map index b2097a969d..86f976a302 100644 --- a/lib/security/version.map +++ b/lib/security/version.map @@ -23,10 +23,12 @@ EXPERIMENTAL { rte_security_macsec_sc_stats_get; rte_security_session_stats_get; rte_security_session_update; + rte_security_oop_dynfield_offset; }; INTERNAL { global: rte_security_dynfield_register; + rte_security_oop_dynfield_register; }; -- 2.25.1