From: "Ananyev, Konstantin"
To: Akhil Goyal, "dev@dpdk.org"
CC: "Zhang, Roy Fan", "Doherty, Declan", "De Lara Guarch, Pablo"
Date: Wed, 11 Sep 2019 12:29:29 +0000
Subject: Re: [dpdk-dev] [RFC PATCH 1/9] security: introduce CPU Crypto action type and API

Hi Akhil,

> > > > This action type allows the burst of symmetric crypto workload using the same
> > > > algorithm, key, and direction being processed by CPU cycles synchronously.
> > > > This flexible action type does not require external hardware involvement,
> > > > having the crypto workload processed synchronously, and is more performant
> > > > than Cryptodev SW PMD due to the saved cycles on removed "async mode
> > > > simulation" as well as 3 cacheline access of the crypto ops.
> > >
> > > Does that mean application will not call the cryptodev_enqueue_burst and
> > > corresponding dequeue burst.
> >
> > Yes, instead it just call rte_security_process_cpu_crypto_bulk(...)
> >
> > > It would be a new API something like process_packets and it will have the
> > > crypto processed packets while returning from the API?
> >
> > Yes, though the plan is that API will operate on raw data buffers, not mbufs.
> > >
> > > I still do not understand why we cannot do with the conventional crypto lib only.
> > > As far as I can understand, you are not doing any protocol processing or any
> > > value add to the crypto processing. IMO, you just need a synchronous crypto
> > > processing API which can be defined in cryptodev, you don't need to re-create
> > > a crypto session in the name of security session in the driver just to do a
> > > synchronous processing.
> >
> > I suppose your question is why not to have
> > rte_crypot_process_cpu_crypto_bulk(...) instead?
> > The main reason is that would require disruptive changes in existing cryptodev API
> > (would cause ABI/API breakage).
> > Session for RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO need some extra information
> > that normal crypto_sym_xform doesn't contain
> > (cipher offset from the start of the buffer, might be something extra in future).
>
> Cipher offset will be part of rte_crypto_op.

fill/read (+ alloc/free) is one of the main things that slow down current crypto-op approach.
That's why the general idea - have all data that wouldn't change from packet to packet
included into the session and setup it once at session_init().

> If you intend not to use rte_crypto_op
> You can pass this as an argument in the new cryptodev API.

You mean extra parameter in rte_security_process_cpu_crypto_bulk()?
It can be in theory, but that solution looks a bit ugly:
why to pass for each call something that would be constant per session?
Again having that value constant per session might allow some extra optimisations
that would be hard to achieve for dynamic case.
and not extendable:
Suppose tomorrow will need to add something extra (some new algorithm support or so).
With what you proposing will need to new parameter to the function,
which means API breakage.

> Something extra will also cause ABI breakage in security as well.
> So it will be same.

I don't think it would.
AFAIK, right now this patch doesn't introduce any API/ABI breakage.
Inside struct rte_security_session_conf we have a union of xforms
depending on session type.
So as long as cpu_crypto_xform wouldn't exceed sizes of other xform -
I believe no ABI breakage will appear.

> > Also right now there is no way to add new type of crypto_sym_session without
> > either breaking existing crypto-dev ABI/API or introducing new structure
> > (rte_crypto_sym_cpu_session or so) for that.
>
> What extra info is required in rte_cryptodev_sym_session to get the
> rte_crypto_sym_cpu_session.

Right now - just cipher_offset (see above).
What else in future (if any) - don't know.

> I don't think there is any.
> I believe the same crypto session will be able to work synchronously as well.

Exactly the same - problematically, see above.

> We would only need a new API to perform synchronous actions.
> That will reduce the duplication code significantly
> in the driver to support 2 different kind of APIs with similar code inside.
> Please correct me in case I am missing something.

To add new API into crypto-dev would also require changes in the PMD,
it wouldn't come totally free and I believe would require roughly the same
amount of changes.

> > While rte_security is designed in a way that we can add new session types and
> > related parameters without causing API/ABI breakage.
>
> Yes the intent is to add new sessions based on various protocols that can be
> supported by the driver.

Various protocols and different types of sessions (and devices they belong to).
Let say right now we have INLINE_CRYPTO, INLINE_PROTO, LOOKASIDE_PROTO, etc.
Here we introduce new type of session.

> It is not that we should find it as an alternative to cryptodev and using it
> just because it will not cause ABI/API breakage.

I am considering this new API as an alternative to existing ones, but as an extension.
Existing crypto-op API has its own advantages (generic), and I think we should
keep it supported by all crypto-devs.
From other side rte_security is an extendable framework that suits the purpose:
allows easily (and yes without ABI breakage) introduce new API for special type
of crypto-dev (SW based).

> IMO the code should be placed where its intent is.
>
> > BTW, what is your concern with proposed approach (via rte_security)?
> > From my perspective it is a lightweight change and it is totally optional
> > for the crypto PMDs to support it or not.
> > Konstantin
> >
> > > > AESNI-GCM and AESNI-MB PMDs are updated with this support. There is a small
> > > > performance test app under app/test/security_aesni_gcm(mb)_perftest to
> > > > prove.
> > > >
> > > > For the new API
> > > > The packet is sent to the crypto device for symmetric crypto
> > > > processing. The device will encrypt or decrypt the buffer based on the
> > > > session data specified and preprocessed in the security session. Different
> > > > than the inline or lookaside modes, when the function exits, the user will
> > > > expect the buffers are either processed successfully, or having the error
> > > > number assigned to the appropriate index of the status array.
> > > >
> > > > Will update the program's guide in the v1 patch.
> > > >
> > > > Regards,
> > > > Fan
> > > >
> > > > > -----Original Message-----
> > > > > From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> > > > > Sent: Wednesday, September 4, 2019 11:33 AM
> > > > > To: Zhang, Roy Fan; dev@dpdk.org
> > > > > Cc: Ananyev, Konstantin; Doherty, Declan; De Lara Guarch, Pablo
> > > > > Subject: RE: [RFC PATCH 1/9] security: introduce CPU Crypto action type
> > > > > and API
> > > > >
> > > > > Hi Fan,
> > > > >
> > > > > > This patch introduce new RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO action
> > > > > > type to security library.
> > > > > > The type represents performing crypto
> > > > > > operation with CPU cycles. The patch also includes a new API to
> > > > > > process crypto operations in bulk and the function pointers for PMDs.
> > > > >
> > > > > I am not able to get the flow of execution for this action type. Could you
> > > > > please elaborate the flow in the documentation. If not in documentation
> > > > > right now, then please elaborate the flow in cover letter.
> > > > > Also I see that there are new APIs for processing crypto operations in bulk.
> > > > > What does that mean. How are they different from the existing APIs which
> > > > > are also handling bulk crypto ops depending on the budget.
> > > > >
> > > > > -Akhil
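
Added example (not part of the original thread and not DPDK code): a layout check for the claim discussed above, that adding a member to the xform union keeps the ABI only while the new member does not exceed the existing ones. All struct names, fields and sizes below are hypothetical stand-ins, not the real rte_security definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the existing xforms; NOT the DPDK layouts. */
struct ipsec_xform  { uint32_t spi, salt; uint64_t options; uint8_t tunnel[40]; };
struct macsec_xform { uint64_t sci; uint32_t flags; };
/* New member as described in the thread: one session-constant offset. */
struct cpu_crypto_xform { int32_t cipher_offset; };
/* Constructed counter-example: a new member larger than every old one. */
struct big_xform { uint8_t state[128]; };

/* Session conf before the change. */
struct conf_v1 {
    int action_type;
    union { struct ipsec_xform ipsec; struct macsec_xform macsec; } u;
    void *userdata;
};
/* After adding a small union member. */
struct conf_v2 {
    int action_type;
    union { struct ipsec_xform ipsec; struct macsec_xform macsec;
            struct cpu_crypto_xform cpu_crypto; } u;
    void *userdata;
};
/* After adding an oversized union member. */
struct conf_bad {
    int action_type;
    union { struct ipsec_xform ipsec; struct macsec_xform macsec;
            struct big_xform big; } u;
    void *userdata;
};

struct layout { size_t size, align, u_off, tail_off; };
#define LAYOUT_OF(T) ((struct layout){ sizeof(T), _Alignof(T), \
                       offsetof(T, u), offsetof(T, userdata) })

/* Binaries built against layout a keep working only if b is identical. */
static int same_layout(struct layout a, struct layout b)
{
    return a.size == b.size && a.align == b.align &&
           a.u_off == b.u_off && a.tail_off == b.tail_off;
}

int small_member_keeps_abi(void) { return same_layout(LAYOUT_OF(struct conf_v1), LAYOUT_OF(struct conf_v2)); }
int big_member_keeps_abi(void) { return same_layout(LAYOUT_OF(struct conf_v1), LAYOUT_OF(struct conf_bad)); }

int main(void)
{
    printf("small member: %d, oversized member: %d\n",
           small_member_keeps_abi(), big_member_keeps_abi());
    return 0;
}
```

The check compares alignment and the offset of the field after the union as well as the total size, since a new member with stricter alignment can shift later fields even when it is small.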