From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60082.outbound.protection.outlook.com [40.107.6.82]) by dpdk.org (Postfix) with ESMTP id 870101B4D9; Wed, 24 Apr 2019 08:34:02 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nxp.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CkFGdc/Tk0emSptlk1neBYp0E2CBARYAB8+v0AKW6yo=; b=XsYjhv8sYquzo5/cLb+j4WSiRTqHtyobJyQO617Z7bXdm3iryYsQJsMVv2DJfvq7kl2kcjRrx13zBgRRrF/6Bsin75ErF1EaoygOlZQR4Wzvu6Vpy4GISB66AiC/NCQdDbf3d6IKC0jyBLHo9vVJspa0qaIas36jpaqpY8yKXyU= Received: from VI1PR04MB4893.eurprd04.prod.outlook.com (20.177.49.154) by VI1PR04MB5215.eurprd04.prod.outlook.com (20.177.51.204) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1813.12; Wed, 24 Apr 2019 06:34:00 +0000 Received: from VI1PR04MB4893.eurprd04.prod.outlook.com ([fe80::98b0:84a6:1c08:57c7]) by VI1PR04MB4893.eurprd04.prod.outlook.com ([fe80::98b0:84a6:1c08:57c7%3]) with mapi id 15.20.1813.017; Wed, 24 Apr 2019 06:34:00 +0000 From: Akhil Goyal To: "Ananyev, Konstantin" , "Iremonger, Bernard" , "dev@dpdk.org" CC: "stable@dpdk.org" Thread-Topic: [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto Thread-Index: AdT17cOXKHHL5EBLSxux3RG5b2/emQD1mybgAATSl4AAAA1EEAABciQAACIq4cA= Date: Wed, 24 Apr 2019 06:34:00 +0000 Message-ID: References: <2601191342CEEE43887BDE71AB9772580148A9B0D4@irsmsx105.ger.corp.intel.com> <2601191342CEEE43887BDE71AB9772580148A9B10E@irsmsx105.ger.corp.intel.com> In-Reply-To: <2601191342CEEE43887BDE71AB9772580148A9B10E@irsmsx105.ger.corp.intel.com> Accept-Language: en-IN, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=akhil.goyal@nxp.com; x-originating-ip: [92.120.1.65] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: b5bfbed0-6637-4d66-01a3-08d6c87ed656 x-ms-office365-filtering-ht: Tenant x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(4618075)(2017052603328)(7193020); SRVR:VI1PR04MB5215; x-ms-traffictypediagnostic: VI1PR04MB5215: x-ms-exchange-purlcount: 2 x-microsoft-antispam-prvs: x-forefront-prvs: 00179089FD x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(396003)(39860400002)(366004)(346002)(376002)(189003)(199004)(13464003)(55016002)(53936002)(6306002)(25786009)(76176011)(7696005)(71200400001)(33656002)(6246003)(2501003)(71190400001)(45080400002)(4326008)(2906002)(256004)(9686003)(14444005)(68736007)(186003)(6506007)(53546011)(66066001)(74316002)(8676002)(81166006)(81156014)(11346002)(446003)(478600001)(7736002)(102836004)(476003)(305945005)(26005)(6116002)(3846002)(52536014)(5660300002)(44832011)(486006)(8936002)(76116006)(86362001)(6436002)(97736004)(66476007)(64756008)(14454004)(99286004)(66556008)(966005)(66446008)(73956011)(316002)(93886005)(66946007)(229853002)(110136005); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR04MB5215; H:VI1PR04MB4893.eurprd04.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; received-spf: None (protection.outlook.com: nxp.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: XKZx8Yb1INSG2eS1Gf0XSKZkG3uKMXjIvgkS8zvK2VKR2t05BWSW7JUJPMKBTw5kZ7cW8omkaUrXFMNfSApI5McywRnbQeRLAGvsy/n3hGGQQyQki4UsMgAVfJni+r3TlCVaY7BkeIhxOYHPe3XgyRsNouY3KDvKDV0M9Wvza23j/3WMwaNJlcS5Oh0u8X8INTD6XhYvg9sHu+t/ta/+/HhcCp+42odOnVKEWokKxibaG0gBk8ZjWU4uTfMCzX1sNf2lnHqvENnbTyguKg8ro7USbbW1G9pRhXVQHC5zSxroOPFY3bt1Vbw08RDAzP4Dw6xsOPrtSSo98K5wNDWGBkh6gdb8Cd1hXFCXVV7E20IZ1lkRQ95gg7wmGXbjfmNbJhbSX1NLlo8J9C7hsfFZoAtsHKn7p7sWOdmATh5l1yg= Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nxp.com X-MS-Exchange-CrossTenant-Network-Message-Id: b5bfbed0-6637-4d66-01a3-08d6c87ed656 X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Apr 2019 06:34:00.5297 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR04MB5215 Subject: Re: [dpdk-dev] [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Apr 2019 06:34:02 -0000 > -----Original Message----- > From: Ananyev, Konstantin > Sent: Tuesday, April 23, 2019 7:35 PM > To: Akhil Goyal ; Iremonger, Bernard > ; dev@dpdk.org > Cc: stable@dpdk.org > Subject: RE: [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped = for > inline crypto >=20 >=20 >=20 > > > > > > > > > > > > -----Original Message----- > > > > > From: Akhil Goyal > > > > > Sent: Thursday, April 18, 2019 7:21 PM > > > > > To: Bernard Iremonger ; dev@dpdk.org= ; > > > > > konstantin.ananyev@intel.com > > > > > Cc: stable@dpdk.org > > > > > Subject: RE: [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet > dropped > > > for > > > > > inline crypto > > > > > > > > > > Hi Bernard, > > > > > > > > > > > - RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u = on > > > cryptodev " > > > > > > - "%u qp %u\n", sa->spi, > > > > > > - ipsec_ctx->tbl[cdev_id_qp].id, > > > > > > - ipsec_ctx->tbl[cdev_id_qp].qp); > > > > > > + if ((sa =3D=3D NULL) || (pool =3D=3D NULL)) > > > > > > + return -EINVAL; > > > > > > > > > > > > - if (sa->type !=3D RTE_SECURITY_ACTION_TYPE_NONE) { > > > > > > - struct rte_security_session_conf sess_conf =3D = { > > > > > > + struct rte_security_session_conf sess_conf =3D { > > > > > > .action_type =3D sa->type, > > > > > > .protocol =3D RTE_SECURITY_PROTOCOL_IPS= EC, > > > > > > {.ipsec =3D { > > > > > > @@ -90,247 +65,340 @@ create_session(struct ipsec_ctx *ipsec_ct= x, > > > struct > > > > > > ipsec_sa *sa) > > > > > > } }, > > > > > > .crypto_xform =3D sa->xforms, > > > > > > .userdata =3D NULL, > > > > > > - > > > > > > }; > > > > > > > > > > > > - if (sa->type =3D=3D > > > > > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) > > > > > > { > > > > > > - struct rte_security_ctx *ctx =3D (struc= t rte_security_ctx *) > > > > > > - rte_cry= ptodev_get_sec_ctx( > > > > > > - ipsec_c= tx->tbl[cdev_id_qp].id); > > > > > > - > > > > > > - /* Set IPsec parameters in conf */ > > > > > > - set_ipsec_conf(sa, &(sess_conf.ipsec)); > > > > > > - > > > > > > - sa->sec_session =3D rte_security_sessio= n_create(ctx, > > > > > > - &sess_conf, ipsec_ctx->= session_pool); > > > > > > - if (sa->sec_session =3D=3D NULL) { > > > > > > - RTE_LOG(ERR, IPSEC, > > > > > > - "SEC Session init failed: err: = %d\n", ret); > > > > > > - return -1; > > > > > > - } > > > > > > - } else if (sa->type =3D=3D > > > RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) > > > > > { > > > > > > - struct rte_flow_error err; > > > > > > - struct rte_security_ctx *ctx =3D (struc= t rte_security_ctx *) > > > > > > - rte_eth= _dev_get_sec_ctx( > > > > > > - sa->por= tid); > > > > > > - const struct rte_security_capability *s= ec_cap; > > > > > > - int ret =3D 0; > > > > > > - > > > > > > - sa->sec_session =3D rte_security_sessio= n_create(ctx, > > > > > > - &sess_conf, ipsec_ctx->= session_pool); > > > > > > - if (sa->sec_session =3D=3D NULL) { > > > > > > - RTE_LOG(ERR, IPSEC, > > > > > > - "SEC Session init failed: err: = %d\n", ret); > > > > > > - return -1; > > > > > > - } > > > > > > + if (sa->type =3D=3D > > > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { > > > > > > + ctx =3D (struct rte_security_ctx *) > > > > > > + rte_eth_dev_get_sec_ctx(sa->por= tid); > > > > > > > > > > This is breaking the lookaside mode. Ctx was retrieved using the > ipsec_ctx- > > > >tbl > > > > > struct rte_security_ctx *ctx =3D (struct rte_security_ctx *) > > > > > rte_cryptodev_get_sec_ctx( > > > > > ipsec_ctx->tbl[cdev_id_qp].id); > > > > > > > > > > I am looking into it, but I don't have time left to get it integr= ated in RC2. > So > > > this > > > > > has to be pushed to RC3 > > > > > > > > It looks like there are multiple issues in this patch wrt lookaside= and none > cases. > > > Only the inline cases seem to be working. > > > > > > > > 1. the patch removes the cdev_mapping concept completely. Cdev_id_q= p is > > > not getting used. > > > > > > Not exactly. > > > cdev_id_qp is still setup, and is still used to decide to which crypt= o-dev to > > > enqueuer the crypto-op: > > > ipsec_enqueue(...) > > > { > > > ... > > > enqueue_cop(&ipsec_ctx->tbl[sa->cdev_id_qp], &priv->cop); > > > > I don't see anybody filling "sa->cdev_id_qp". Please let me know if I h= ave > missed it somewhere. > > It is memset to 0 I guess. >=20 >=20 > Yep, true we lost it somewhere during the rework. >=20 > > > > > > > > > > > Same in ipsec_process(). > > > > > > For initialization, yes cdev_id_qp is not used anymore. > > > As discussed here: > > > > https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fmails= .dp > > > dk.org%2Farchives%2Fdev%2F2019- > > > > March%2F127725.html&data=3D02%7C01%7Cakhil.goyal%40nxp.com%7C04 > > > > 194193cfc04c0b629008d6c7eea247%7C686ea1d3bc2b4c6fa92cd99c5c301635% > > > > 7C0%7C0%7C636916225072561313&sdata=3Dga9IiqhYRWOz9QkRDIXNiigInk > > > soVGgu1E5EetqvE%2FA%3D&reserved=3D0 > > > > > > I think the problem you are hitting with lookaside-proto is that for = it > > > we use 2 different values here: > > > a) In create_sec_session we use portid (it also should be > > > rte_cryptodev_get_sec_ctx() here) > > > if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) = { > > > ctx =3D (struct rte_security_ctx *) > > > rte_eth_dev_get_sec_ctx(sa->portid); > > It should be rte_cryptodev_get_sec_ctx in the first place. And it needs= a > cdev_id as input based on the cdev mapping done while initializing > > the cryptodev and neither the portid and nor cdev_id_qp. > > > b) in enqueue() we use cdev_id_qp > > > > > > Right now these values could be different. > > > As I understand we need to make sure that fro lookaside-proto cdev_id= _qp > =3D=3D > > > portid provided by user, correct? > > No it is not the case. Right now for lookaside there is no use of porti= d in case > of lookaside case. > > As the cdev/qp/core mappings are managed internally and the user cannot > tweak it from cfg file. > > >=20 >=20 > Hmm, then at least that line is wrong here: > https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fdoc.d= pdk > .org%2Fguides%2Fsample_app_ug%2Fipsec_secgw.html&data=3D02%7C01% > 7Cakhil.goyal%40nxp.com%7Cb1e931a9967943887a0c08d6c7f49d28%7C686ea > 1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C636916250754452306&sda > ta=3DtNjHCO0O2rfh8shhQXu93qrM0Hr0OZVXUVhMcsg53dw%3D&reserved=3D > 0 >=20 > sa out 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0= :0 \ > auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ > mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ > type lookaside-protocol-offload port_id 4 >=20 > And probably: > "Port/device ID of the ethernet/crypto accelerator for which the SA is > configured." > Need to be rephrased to remove crypto accelerator notice. Yes. >=20 > Another question - why you guys don't consider using portid for lookaside= -proto? > As I can see add_mapping(function that fills cdev_id_qp) doesn't bother = to > check > which rte_security protocols are supported (only crypto capabilities are = checked). > So not sure does current code will work ok with a mix of lookaside- > none/lookaside-proto devices. > Forcing user to specify crypto-dev id for lookaside-proto (via portid or = so) > will simplify things significantly. I will think about it. Actually initially when portid was introduced, the i= ntent was same but it did not work well. Because there may be a case of a cryptodev with multiple queues, so there w= ill be a mapping done internally in the application and matching it with th= e user provided portid will be difficult. I believe that this could be done but would need some rework. >=20 > Konstantin From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by dpdk.space (Postfix) with ESMTP id 1238DA05D3 for ; Wed, 24 Apr 2019 08:34:05 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id BBC931B4F3; Wed, 24 Apr 2019 08:34:03 +0200 (CEST) Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60082.outbound.protection.outlook.com [40.107.6.82]) by dpdk.org (Postfix) with ESMTP id 870101B4D9; Wed, 24 Apr 2019 08:34:02 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nxp.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CkFGdc/Tk0emSptlk1neBYp0E2CBARYAB8+v0AKW6yo=; b=XsYjhv8sYquzo5/cLb+j4WSiRTqHtyobJyQO617Z7bXdm3iryYsQJsMVv2DJfvq7kl2kcjRrx13zBgRRrF/6Bsin75ErF1EaoygOlZQR4Wzvu6Vpy4GISB66AiC/NCQdDbf3d6IKC0jyBLHo9vVJspa0qaIas36jpaqpY8yKXyU= Received: from VI1PR04MB4893.eurprd04.prod.outlook.com (20.177.49.154) by VI1PR04MB5215.eurprd04.prod.outlook.com (20.177.51.204) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1813.12; Wed, 24 Apr 2019 06:34:00 +0000 Received: from VI1PR04MB4893.eurprd04.prod.outlook.com ([fe80::98b0:84a6:1c08:57c7]) by VI1PR04MB4893.eurprd04.prod.outlook.com ([fe80::98b0:84a6:1c08:57c7%3]) with mapi id 15.20.1813.017; Wed, 24 Apr 2019 06:34:00 +0000 From: Akhil Goyal To: "Ananyev, Konstantin" , "Iremonger, Bernard" , "dev@dpdk.org" CC: "stable@dpdk.org" Thread-Topic: [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto Thread-Index: AdT17cOXKHHL5EBLSxux3RG5b2/emQD1mybgAATSl4AAAA1EEAABciQAACIq4cA= Date: Wed, 24 Apr 2019 06:34:00 +0000 Message-ID: References: <2601191342CEEE43887BDE71AB9772580148A9B0D4@irsmsx105.ger.corp.intel.com> <2601191342CEEE43887BDE71AB9772580148A9B10E@irsmsx105.ger.corp.intel.com> In-Reply-To: <2601191342CEEE43887BDE71AB9772580148A9B10E@irsmsx105.ger.corp.intel.com> Accept-Language: en-IN, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=akhil.goyal@nxp.com; x-originating-ip: [92.120.1.65] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: b5bfbed0-6637-4d66-01a3-08d6c87ed656 x-ms-office365-filtering-ht: Tenant x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(4618075)(2017052603328)(7193020); SRVR:VI1PR04MB5215; x-ms-traffictypediagnostic: VI1PR04MB5215: x-ms-exchange-purlcount: 2 x-microsoft-antispam-prvs: x-forefront-prvs: 00179089FD x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(396003)(39860400002)(366004)(346002)(376002)(189003)(199004)(13464003)(55016002)(53936002)(6306002)(25786009)(76176011)(7696005)(71200400001)(33656002)(6246003)(2501003)(71190400001)(45080400002)(4326008)(2906002)(256004)(9686003)(14444005)(68736007)(186003)(6506007)(53546011)(66066001)(74316002)(8676002)(81166006)(81156014)(11346002)(446003)(478600001)(7736002)(102836004)(476003)(305945005)(26005)(6116002)(3846002)(52536014)(5660300002)(44832011)(486006)(8936002)(76116006)(86362001)(6436002)(97736004)(66476007)(64756008)(14454004)(99286004)(66556008)(966005)(66446008)(73956011)(316002)(93886005)(66946007)(229853002)(110136005); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR04MB5215; H:VI1PR04MB4893.eurprd04.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; received-spf: None (protection.outlook.com: nxp.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: XKZx8Yb1INSG2eS1Gf0XSKZkG3uKMXjIvgkS8zvK2VKR2t05BWSW7JUJPMKBTw5kZ7cW8omkaUrXFMNfSApI5McywRnbQeRLAGvsy/n3hGGQQyQki4UsMgAVfJni+r3TlCVaY7BkeIhxOYHPe3XgyRsNouY3KDvKDV0M9Wvza23j/3WMwaNJlcS5Oh0u8X8INTD6XhYvg9sHu+t/ta/+/HhcCp+42odOnVKEWokKxibaG0gBk8ZjWU4uTfMCzX1sNf2lnHqvENnbTyguKg8ro7USbbW1G9pRhXVQHC5zSxroOPFY3bt1Vbw08RDAzP4Dw6xsOPrtSSo98K5wNDWGBkh6gdb8Cd1hXFCXVV7E20IZ1lkRQ95gg7wmGXbjfmNbJhbSX1NLlo8J9C7hsfFZoAtsHKn7p7sWOdmATh5l1yg= Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nxp.com X-MS-Exchange-CrossTenant-Network-Message-Id: b5bfbed0-6637-4d66-01a3-08d6c87ed656 X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Apr 2019 06:34:00.5297 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR04MB5215 Subject: Re: [dpdk-dev] [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Message-ID: <20190424063400.XuZIcCELJAraINe-rIQA9RddIiq0rYIg80hvqAnar-4@z> > -----Original Message----- > From: Ananyev, Konstantin > Sent: Tuesday, April 23, 2019 7:35 PM > To: Akhil Goyal ; Iremonger, Bernard > ; dev@dpdk.org > Cc: stable@dpdk.org > Subject: RE: [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped = for > inline crypto >=20 >=20 >=20 > > > > > > > > > > > > -----Original Message----- > > > > > From: Akhil Goyal > > > > > Sent: Thursday, April 18, 2019 7:21 PM > > > > > To: Bernard Iremonger ; dev@dpdk.org= ; > > > > > konstantin.ananyev@intel.com > > > > > Cc: stable@dpdk.org > > > > > Subject: RE: [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet > dropped > > > for > > > > > inline crypto > > > > > > > > > > Hi Bernard, > > > > > > > > > > > - RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u = on > > > cryptodev " > > > > > > - "%u qp %u\n", sa->spi, > > > > > > - ipsec_ctx->tbl[cdev_id_qp].id, > > > > > > - ipsec_ctx->tbl[cdev_id_qp].qp); > > > > > > + if ((sa =3D=3D NULL) || (pool =3D=3D NULL)) > > > > > > + return -EINVAL; > > > > > > > > > > > > - if (sa->type !=3D RTE_SECURITY_ACTION_TYPE_NONE) { > > > > > > - struct rte_security_session_conf sess_conf =3D = { > > > > > > + struct rte_security_session_conf sess_conf =3D { > > > > > > .action_type =3D sa->type, > > > > > > .protocol =3D RTE_SECURITY_PROTOCOL_IPS= EC, > > > > > > {.ipsec =3D { > > > > > > @@ -90,247 +65,340 @@ create_session(struct ipsec_ctx *ipsec_ct= x, > > > struct > > > > > > ipsec_sa *sa) > > > > > > } }, > > > > > > .crypto_xform =3D sa->xforms, > > > > > > .userdata =3D NULL, > > > > > > - > > > > > > }; > > > > > > > > > > > > - if (sa->type =3D=3D > > > > > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) > > > > > > { > > > > > > - struct rte_security_ctx *ctx =3D (struc= t rte_security_ctx *) > > > > > > - rte_cry= ptodev_get_sec_ctx( > > > > > > - ipsec_c= tx->tbl[cdev_id_qp].id); > > > > > > - > > > > > > - /* Set IPsec parameters in conf */ > > > > > > - set_ipsec_conf(sa, &(sess_conf.ipsec)); > > > > > > - > > > > > > - sa->sec_session =3D rte_security_sessio= n_create(ctx, > > > > > > - &sess_conf, ipsec_ctx->= session_pool); > > > > > > - if (sa->sec_session =3D=3D NULL) { > > > > > > - RTE_LOG(ERR, IPSEC, > > > > > > - "SEC Session init failed: err: = %d\n", ret); > > > > > > - return -1; > > > > > > - } > > > > > > - } else if (sa->type =3D=3D > > > RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) > > > > > { > > > > > > - struct rte_flow_error err; > > > > > > - struct rte_security_ctx *ctx =3D (struc= t rte_security_ctx *) > > > > > > - rte_eth= _dev_get_sec_ctx( > > > > > > - sa->por= tid); > > > > > > - const struct rte_security_capability *s= ec_cap; > > > > > > - int ret =3D 0; > > > > > > - > > > > > > - sa->sec_session =3D rte_security_sessio= n_create(ctx, > > > > > > - &sess_conf, ipsec_ctx->= session_pool); > > > > > > - if (sa->sec_session =3D=3D NULL) { > > > > > > - RTE_LOG(ERR, IPSEC, > > > > > > - "SEC Session init failed: err: = %d\n", ret); > > > > > > - return -1; > > > > > > - } > > > > > > + if (sa->type =3D=3D > > > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { > > > > > > + ctx =3D (struct rte_security_ctx *) > > > > > > + rte_eth_dev_get_sec_ctx(sa->por= tid); > > > > > > > > > > This is breaking the lookaside mode. Ctx was retrieved using the > ipsec_ctx- > > > >tbl > > > > > struct rte_security_ctx *ctx =3D (struct rte_security_ctx *) > > > > > rte_cryptodev_get_sec_ctx( > > > > > ipsec_ctx->tbl[cdev_id_qp].id); > > > > > > > > > > I am looking into it, but I don't have time left to get it integr= ated in RC2. > So > > > this > > > > > has to be pushed to RC3 > > > > > > > > It looks like there are multiple issues in this patch wrt lookaside= and none > cases. > > > Only the inline cases seem to be working. > > > > > > > > 1. the patch removes the cdev_mapping concept completely. Cdev_id_q= p is > > > not getting used. > > > > > > Not exactly. > > > cdev_id_qp is still setup, and is still used to decide to which crypt= o-dev to > > > enqueuer the crypto-op: > > > ipsec_enqueue(...) > > > { > > > ... > > > enqueue_cop(&ipsec_ctx->tbl[sa->cdev_id_qp], &priv->cop); > > > > I don't see anybody filling "sa->cdev_id_qp". Please let me know if I h= ave > missed it somewhere. > > It is memset to 0 I guess. >=20 >=20 > Yep, true we lost it somewhere during the rework. >=20 > > > > > > > > > > > Same in ipsec_process(). > > > > > > For initialization, yes cdev_id_qp is not used anymore. > > > As discussed here: > > > > https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fmails= .dp > > > dk.org%2Farchives%2Fdev%2F2019- > > > > March%2F127725.html&data=3D02%7C01%7Cakhil.goyal%40nxp.com%7C04 > > > > 194193cfc04c0b629008d6c7eea247%7C686ea1d3bc2b4c6fa92cd99c5c301635% > > > > 7C0%7C0%7C636916225072561313&sdata=3Dga9IiqhYRWOz9QkRDIXNiigInk > > > soVGgu1E5EetqvE%2FA%3D&reserved=3D0 > > > > > > I think the problem you are hitting with lookaside-proto is that for = it > > > we use 2 different values here: > > > a) In create_sec_session we use portid (it also should be > > > rte_cryptodev_get_sec_ctx() here) > > > if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) = { > > > ctx =3D (struct rte_security_ctx *) > > > rte_eth_dev_get_sec_ctx(sa->portid); > > It should be rte_cryptodev_get_sec_ctx in the first place. And it needs= a > cdev_id as input based on the cdev mapping done while initializing > > the cryptodev and neither the portid and nor cdev_id_qp. > > > b) in enqueue() we use cdev_id_qp > > > > > > Right now these values could be different. > > > As I understand we need to make sure that fro lookaside-proto cdev_id= _qp > =3D=3D > > > portid provided by user, correct? > > No it is not the case. Right now for lookaside there is no use of porti= d in case > of lookaside case. > > As the cdev/qp/core mappings are managed internally and the user cannot > tweak it from cfg file. > > >=20 >=20 > Hmm, then at least that line is wrong here: > https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fdoc.d= pdk > .org%2Fguides%2Fsample_app_ug%2Fipsec_secgw.html&data=3D02%7C01% > 7Cakhil.goyal%40nxp.com%7Cb1e931a9967943887a0c08d6c7f49d28%7C686ea > 1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C636916250754452306&sda > ta=3DtNjHCO0O2rfh8shhQXu93qrM0Hr0OZVXUVhMcsg53dw%3D&reserved=3D > 0 >=20 > sa out 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0= :0 \ > auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ > mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ > type lookaside-protocol-offload port_id 4 >=20 > And probably: > "Port/device ID of the ethernet/crypto accelerator for which the SA is > configured." > Need to be rephrased to remove crypto accelerator notice. Yes. >=20 > Another question - why you guys don't consider using portid for lookaside= -proto? > As I can see add_mapping(function that fills cdev_id_qp) doesn't bother = to > check > which rte_security protocols are supported (only crypto capabilities are = checked). > So not sure does current code will work ok with a mix of lookaside- > none/lookaside-proto devices. > Forcing user to specify crypto-dev id for lookaside-proto (via portid or = so) > will simplify things significantly. I will think about it. Actually initially when portid was introduced, the i= ntent was same but it did not work well. Because there may be a case of a cryptodev with multiple queues, so there w= ill be a mapping done internally in the application and matching it with th= e user provided portid will be difficult. I believe that this could be done but would need some rework. >=20 > Konstantin