Test-Label: iol-testing Test-Status: WARNING http://dpdk.org/patch/99901 _apply patch failure_ Submitter: Tejasree Kondoj Date: Tuesday, September 28 2021 12:07:41 Applied on: CommitID:086d426406bd3f6fac96a15bbd871c7fe714bc2d Apply patch set 99901-99903 failed: Checking patch doc/guides/rel_notes/deprecation.rst... error: while searching for: * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options`` will be updated with new fields to support new features like IPsec inner checksum, tunnel header verification, TSO in case of protocol offload. * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field ``hdr_l3_len`` to configure tunnel L3 header length. error: patch failed: doc/guides/rel_notes/deprecation.rst:238 Checking patch doc/guides/rel_notes/release_21_11.rst... error: while searching for: soft and hard SA expiry limits. Limits can be either in units of packets or bytes. Known Issues ------------ error: patch failed: doc/guides/rel_notes/release_21_11.rst:181 Checking patch lib/security/rte_security.h... error: while searching for: /**< Outer header is IPv6 */ }; /** * Security context for crypto/eth devices * error: patch failed: lib/security/rte_security.h:55 error: while searching for: * by the PMD. */ uint32_t iv_gen_disable : 1; }; /** IPSec security association direction */ error: patch failed: lib/security/rte_security.h:206 Applying patch doc/guides/rel_notes/deprecation.rst with 1 reject... Rejected hunk #1. Applying patch doc/guides/rel_notes/release_21_11.rst with 1 reject... Rejected hunk #1. Applying patch lib/security/rte_security.h with 2 rejects... Rejected hunk #1. Rejected hunk #2. diff a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst (rejected hunks) 
@@ -238,7 +238,7 @@ Deprecation Notices * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options`` will be updated with new fields to support new features like IPsec inner - checksum, tunnel header verification, TSO in case of protocol offload. + checksum, TSO in case of protocol offload. * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field ``hdr_l3_len`` to configure tunnel L3 header length. diff a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst (rejected hunks) @@ -181,6 +181,11 @@ ABI Changes soft and hard SA expiry limits. Limits can be either in units of packets or bytes. +* security: add IPsec SA option to configure tunnel header verification + + * Added SA option to indicate whether outer header verification need to be + done as part of inbound IPsec processing. + Known Issues ------------ diff a/lib/security/rte_security.h b/lib/security/rte_security.h (rejected hunks) @@ -55,6 +55,14 @@ enum rte_security_ipsec_tunnel_type { /**< Outer header is IPv6 */ }; +/** + * IPSEC tunnel header verification mode + * + * Controls how outer IP header is verified in inbound. + */ +#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 +#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 + /** * Security context for crypto/eth devices * 
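Review bot: In lib/security/rte_security.h (hunk at -55), the new Doxygen block sits above two `#define`s, so it attaches to the first macro only and neither value is described on its own. The option these macros feed is two bits wide (`tunnel_hdr_verify : 2` in the following hunk), which leaves 0 and 3 unnamed. The cnxk driver in this series returns early for 0 and answers any other unlisted value with `-ENOTSUP`. I would give each macro a trailing comment, for example `/**< Verify outer destination address only */` and `/**< Verify outer source and destination addresses */`, and add one sentence to the block stating that 0 means no verification and 3 is reserved.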
@@ -206,6 +214,15 @@ struct rte_security_ipsec_sa_options { * by the PMD. */ uint32_t iv_gen_disable : 1; + + /** Verify tunnel header in inbound + * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination + * IP address. + * + * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both + * source and destination IP addresses. + */ + uint32_t tunnel_hdr_verify : 2; }; /** IPSec security association direction */ Checking patch drivers/common/cnxk/cnxk_security.c... error: while searching for: return size; } int cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, struct rte_security_ipsec_xform *ipsec_xfrm, error: patch failed: drivers/common/cnxk/cnxk_security.c:199 error: while searching for: sa->w0.s.ar_win = rte_log2_u32(replay_win_sz) - 5; } /* Default options for pkt_out and pkt_fmt are with * second pass meta and no defrag. */ error: patch failed: drivers/common/cnxk/cnxk_security.c:229 Checking patch drivers/common/cnxk/roc_ie_ot.h... error: while searching for: uint64_t auth_type : 4; uint64_t encap_type : 2; uint64_t rsvd1 : 6; uint64_t rsvd2 : 7; uint64_t async_mode : 1; error: patch failed: drivers/common/cnxk/roc_ie_ot.h:180 Checking patch drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c... error: while searching for: #ifdef LA_IPSEC_DEBUG sec_cap->ipsec.options.iv_gen_disable = 1; #endif } } error: patch failed: drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c:920 Applying patch drivers/common/cnxk/cnxk_security.c with 2 rejects... Rejected hunk #1. Rejected hunk #2. Applying patch drivers/common/cnxk/roc_ie_ot.h with 1 reject... Rejected hunk #1. Applying patch drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c with 1 reject... Rejected hunk #1. diff a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c (rejected hunks) 
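Review bot: The comment on `tunnel_hdr_verify` in lib/security/rte_security.h lists the two modes but leaves the scope of the option unstated: it does not say what 0 means, or whether the field is ignored or rejected for transport-mode and outbound SAs. An application that zero-initialises `struct rte_security_ipsec_sa_options` needs that to know it keeps the previous behaviour, and a PMD author needs it to know whether to fail SA creation on an inapplicable request. I would add a line ahead of the two bullet entries such as `0: outer header is not verified. Valid only for inbound tunnel-mode SAs.`, adjusted to whatever the intended contract is. The struct begins outside the hunk.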
@@ -199,6 +199,62 @@ ot_ipsec_inb_ctx_size(struct roc_ot_ipsec_inb_sa *sa) return size; } +static int +ot_ipsec_inb_tunnel_hdr_fill(struct roc_ot_ipsec_inb_sa *sa, + struct rte_security_ipsec_xform *ipsec_xfrm) +{ + struct rte_security_ipsec_tunnel_param *tunnel; + + if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) + return 0; + + if (ipsec_xfrm->options.tunnel_hdr_verify == 0) + return 0; + + tunnel = &ipsec_xfrm->tunnel; + + switch (tunnel->type) { + case RTE_SECURITY_IPSEC_TUNNEL_IPV4: + sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_4; + memcpy(&sa->outer_hdr.ipv4.src_addr, &tunnel->ipv4.src_ip, + sizeof(struct in_addr)); + memcpy(&sa->outer_hdr.ipv4.dst_addr, &tunnel->ipv4.dst_ip, + sizeof(struct in_addr)); + + /* IP Source and Dest are in LE/CPU endian */ + sa->outer_hdr.ipv4.src_addr = + rte_be_to_cpu_32(sa->outer_hdr.ipv4.src_addr); + sa->outer_hdr.ipv4.dst_addr = + rte_be_to_cpu_32(sa->outer_hdr.ipv4.dst_addr); + + break; + case RTE_SECURITY_IPSEC_TUNNEL_IPV6: + sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_6; + memcpy(&sa->outer_hdr.ipv6.src_addr, &tunnel->ipv6.src_addr, + sizeof(struct in6_addr)); + memcpy(&sa->outer_hdr.ipv6.dst_addr, &tunnel->ipv6.dst_addr, + sizeof(struct in6_addr)); + + break; + default: + return -EINVAL; + } + + switch (ipsec_xfrm->options.tunnel_hdr_verify) { + case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR: + sa->w2.s.ip_hdr_verify = ROC_IE_OT_SA_IP_HDR_VERIFY_DST_ADDR; + break; + case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR: + sa->w2.s.ip_hdr_verify = + ROC_IE_OT_SA_IP_HDR_VERIFY_SRC_DST_ADDR; + break; + default: + return -ENOTSUP; + } + + return 0; +} + int cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, struct rte_security_ipsec_xform *ipsec_xfrm, 
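Review bot: `ot_ipsec_inb_tunnel_hdr_fill()` in drivers/common/cnxk/cnxk_security.c returns 0 as soon as `mode` is not tunnel, even when the caller set `tunnel_hdr_verify` to a non-zero value, so a misconfigured request for outer-header verification is accepted silently instead of being rejected. Failing closed looks safer, e.g. `return ipsec_xfrm->options.tunnel_hdr_verify ? -EINVAL : 0;` in that first check. The verify mode is also validated only after `outer_ip_ver` and the addresses have been written, so the `-ENOTSUP` path (value 3) leaves `sa` partly updated; moving the second `switch` above the first avoids that. Separately, the comment `IP Source and Dest are in LE/CPU endian` covers the IPv4 branch only; if the IPv6 addresses are deliberately copied without conversion, a one-line comment in that branch should say so.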
@@ -229,6 +285,10 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, sa->w0.s.ar_win = rte_log2_u32(replay_win_sz) - 5; } + rc = ot_ipsec_inb_tunnel_hdr_fill(sa, ipsec_xfrm); + if (rc) + return rc; + /* Default options for pkt_out and pkt_fmt are with * second pass meta and no defrag. */ diff a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h (rejected hunks) @@ -180,7 +180,11 @@ union roc_ot_ipsec_sa_word2 { uint64_t auth_type : 4; uint64_t encap_type : 2; - uint64_t rsvd1 : 6; + uint64_t et_ovrwr_ddr_en : 1; + uint64_t esn_en : 1; + uint64_t tport_l4_incr_csum : 1; + uint64_t ip_hdr_verify : 2; + uint64_t rsvd5 : 1; uint64_t rsvd2 : 7; uint64_t async_mode : 1; diff a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c (rejected hunks) 
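Review bot: In drivers/common/cnxk/roc_ie_ot.h (hunk at -180), the six bits of `rsvd1` in `union roc_ot_ipsec_sa_word2` are split into five fields without any comment, and only `ip_hdr_verify` is written in the visible hunks. The widths still add up to six (1+1+1+2+1), so the fields after them keep their positions, but nothing in the header ties `ip_hdr_verify` to the `ROC_IE_OT_SA_IP_HDR_VERIFY_*` values that cnxk_security.c stores in it. I would add a trailing comment on that field naming those constants, and a short one on `et_ovrwr_ddr_en`, `esn_en` and `tport_l4_incr_csum` noting that this patch does not set them. The new reserved field is called `rsvd5` next to an existing `rsvd2`; if that follows the hardware manual's numbering, a brief note would prevent a later "cleanup" rename. The union starts and ends outside the hunk.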
@@ -920,6 +920,10 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap) #ifdef LA_IPSEC_DEBUG sec_cap->ipsec.options.iv_gen_disable = 1; #endif + } else { + if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) + sec_cap->ipsec.options.tunnel_hdr_verify = + RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR; } } Checking patch app/test/test_cryptodev.c... error: while searching for: int salt_len, i, ret = TEST_SUCCESS; struct rte_security_ctx *ctx; uint8_t *input_text; ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; error: patch failed: app/test/test_cryptodev.c:8924 error: while searching for: /* Copy IPsec xform */ memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform)); memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src)); memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); dir = ipsec_xform.direction; ctx = rte_cryptodev_get_sec_ctx(dev_id); sec_cap_idx.action = ut_params->type; error: patch failed: app/test/test_cryptodev.c:8933 Hunk #3 succeeded at 9262 (offset 24 lines). error: while searching for: "Negative test: ICV corruption", ut_setup_security, ut_teardown, test_ipsec_proto_err_icv_corrupt), TEST_CASES_END() /**< NULL terminate unit test array */ } }; error: patch failed: app/test/test_cryptodev.c:14173 Checking patch app/test/test_cryptodev_security_ipsec.c... Hunk #1 succeeded at 95 (offset 9 lines). 
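Review bot: In `cn10k_sec_caps_update()` the capability advertises only `RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR` (0x2), while `ot_ipsec_inb_tunnel_hdr_fill()` in this series also accepts `RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR` (0x1). Because the two values are an enumeration rather than a bit mask, an application comparing its requested option against the capability cannot tell that destination-only verification is supported unless the convention is written down. I would add a comment above the assignment, e.g. `/* Advertise the strictest mode; DST_ADDR-only is supported as well */`, and state the same convention where the option is documented in rte_security.h. The nested `else { if (...) }` can be written as `else if (...)`. The opening `if` of this branch is outside the hunk, so the assumption that the `else` selects the inbound direction should be confirmed.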
error: while searching for: if (flags->udp_encap) td_inb[i].ipsec_xform.options.udp_encap = 1; /* Clear outbound specific flags */ td_inb[i].ipsec_xform.options.iv_gen_disable = 0; } error: patch failed: app/test/test_cryptodev_security_ipsec.c:207 error: while searching for: /* For tests with status as error for test success, skip verification */ if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && (flags->icv_corrupt || flags->sa_expiry_pkts_hard)) return TEST_SUCCESS; if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && error: patch failed: app/test/test_cryptodev_security_ipsec.c:292 Hunk #4 succeeded at 452 (offset 19 lines). Checking patch app/test/test_cryptodev_security_ipsec.h... error: while searching for: bool sa_expiry_pkts_hard; bool icv_corrupt; bool iv_gen; bool udp_encap; }; error: patch failed: app/test/test_cryptodev_security_ipsec.h:53 Checking patch app/test/test_cryptodev_security_ipsec_test_vectors.h... error: while searching for: .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, error: patch failed: app/test/test_cryptodev_security_ipsec_test_vectors.h:94 error: while searching for: .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, error: patch failed: app/test/test_cryptodev_security_ipsec_test_vectors.h:190 error: while searching for: .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, error: patch failed: app/test/test_cryptodev_security_ipsec_test_vectors.h:289 Applying patch app/test/test_cryptodev.c with 3 rejects... Rejected hunk #1. Rejected hunk #2. Hunk #3 applied cleanly. 
Rejected hunk #4. Applying patch app/test/test_cryptodev_security_ipsec.c with 2 rejects... Hunk #1 applied cleanly. Rejected hunk #2. Rejected hunk #3. Hunk #4 applied cleanly. Applying patch app/test/test_cryptodev_security_ipsec.h with 1 reject... Rejected hunk #1. Applying patch app/test/test_cryptodev_security_ipsec_test_vectors.h with 3 rejects... Rejected hunk #1. Rejected hunk #2. Rejected hunk #3. diff a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c (rejected hunks) @@ -8924,6 +8924,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], int salt_len, i, ret = TEST_SUCCESS; struct rte_security_ctx *ctx; uint8_t *input_text; + uint32_t verify; ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; @@ -8933,11 +8934,19 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], /* Copy IPsec xform */ memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform)); + dir = ipsec_xform.direction; + verify = flags->tunnel_hdr_verify; + + if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && verify) { + if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR) + src += 1; + else if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR) + dst += 1; + } + memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src)); memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); - dir = ipsec_xform.direction; - ctx = rte_cryptodev_get_sec_ctx(dev_id); sec_cap_idx.action = ut_params->type; 
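Review bot: In `test_ipsec_proto_process()` (app/test/test_cryptodev.c, hunk at -8933) the new flag is used, as far as the visible hunks show, only to make the configured tunnel address differ from the packet (`src += 1` or `dst += 1`), so the suite checks that a mismatch is rejected but never that a matching outer header is accepted with verification enabled. A device that failed every inbound packet once `tunnel_hdr_verify` is set would appear to pass both new cases, and the `flags->tunnel_hdr_verify` term added to `test_ipsec_td_verify()` in test_cryptodev_security_ipsec.c (hunk at -292) ties the flag to "expect an error" by skipping output verification. In the `RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR` case only `src` is altered, so a destination mismatch under that mode is not exercised either. I would add a positive case with unchanged addresses and a second negative case that alters `dst`, and carry the expected outcome in a flag separate from the verify mode. The function body continues outside the hunk.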
@@ -14173,6 +14206,14 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Negative test: ICV corruption", ut_setup_security, ut_teardown, test_ipsec_proto_err_icv_corrupt), + TEST_CASE_NAMED_ST( + "Tunnel dst addr verification", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_dst_addr_verify), + TEST_CASE_NAMED_ST( + "Tunnel src and dst addr verification", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_src_dst_addr_verify), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c (rejected hunks) @@ -207,6 +216,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], if (flags->udp_encap) td_inb[i].ipsec_xform.options.udp_encap = 1; + td_inb[i].ipsec_xform.options.tunnel_hdr_verify = + flags->tunnel_hdr_verify; + /* Clear outbound specific flags */ td_inb[i].ipsec_xform.options.iv_gen_disable = 0; } @@ -292,7 +304,8 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, /* For tests with status as error for test success, skip verification */ if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && (flags->icv_corrupt || - flags->sa_expiry_pkts_hard)) + flags->sa_expiry_pkts_hard || + flags->tunnel_hdr_verify)) return TEST_SUCCESS; if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && diff a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h (rejected hunks) @@ -53,6 +53,7 @@ struct ipsec_test_flags { bool sa_expiry_pkts_hard; bool icv_corrupt; bool iv_gen; + uint32_t tunnel_hdr_verify; bool udp_encap; }; diff a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h (rejected hunks) 
@@ -94,6 +94,7 @@ struct ipsec_test_data pkt_aes_128_gcm = { .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, + .options.tunnel_hdr_verify = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, @@ -190,6 +191,7 @@ struct ipsec_test_data pkt_aes_192_gcm = { .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, + .options.tunnel_hdr_verify = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, @@ -289,6 +291,7 @@ struct ipsec_test_data pkt_aes_256_gcm = { .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, + .options.tunnel_hdr_verify = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, https://lab.dpdk.org/results/dashboard/patchsets/19019/ UNH-IOL DPDK Community Lab