* [dpdk-test-report] |WARNING| pw99901-99903 [PATCH] [v2, 3/3] test/crypto: add tunnel header verification tests
@ 2021-10-05 21:13 dpdklab
From: dpdklab @ 2021-10-05 21:13 UTC (permalink / raw)
To: test-report; +Cc: dpdk-test-reports
Test-Label: iol-testing
Test-Status: WARNING
http://dpdk.org/patch/99901
_apply patch failure_
Submitter: Tejasree Kondoj <ktejasree@marvell.com>
Date: Tuesday, September 28 2021 12:07:41
Applied on: CommitID:086d426406bd3f6fac96a15bbd871c7fe714bc2d
Apply patch set 99901-99903 failed:
Checking patch doc/guides/rel_notes/deprecation.rst...
error: while searching for:
* security: The IPsec SA config options ``struct rte_security_ipsec_sa_options``
will be updated with new fields to support new features like IPsec inner
checksum, tunnel header verification, TSO in case of protocol offload.
* ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
``hdr_l3_len`` to configure tunnel L3 header length.
error: patch failed: doc/guides/rel_notes/deprecation.rst:238
Checking patch doc/guides/rel_notes/release_21_11.rst...
error: while searching for:
soft and hard SA expiry limits. Limits can be either in units of packets or
bytes.
Known Issues
------------
error: patch failed: doc/guides/rel_notes/release_21_11.rst:181
Checking patch lib/security/rte_security.h...
error: while searching for:
/**< Outer header is IPv6 */
};
/**
* Security context for crypto/eth devices
*
error: patch failed: lib/security/rte_security.h:55
error: while searching for:
* by the PMD.
*/
uint32_t iv_gen_disable : 1;
};
/** IPSec security association direction */
error: patch failed: lib/security/rte_security.h:206
Applying patch doc/guides/rel_notes/deprecation.rst with 1 reject...
Rejected hunk #1.
Applying patch doc/guides/rel_notes/release_21_11.rst with 1 reject...
Rejected hunk #1.
Applying patch lib/security/rte_security.h with 2 rejects...
Rejected hunk #1.
Rejected hunk #2.
diff a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst (rejected hunks)
@@ -238,7 +238,7 @@ Deprecation Notices
* security: The IPsec SA config options ``struct rte_security_ipsec_sa_options``
will be updated with new fields to support new features like IPsec inner
- checksum, tunnel header verification, TSO in case of protocol offload.
+ checksum, TSO in case of protocol offload.
* ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
``hdr_l3_len`` to configure tunnel L3 header length.
diff a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst (rejected hunks)
@@ -181,6 +181,11 @@ ABI Changes
soft and hard SA expiry limits. Limits can be either in units of packets or
bytes.
+* security: add IPsec SA option to configure tunnel header verification
+
+ * Added SA option to indicate whether outer header verification need to be
+ done as part of inbound IPsec processing.
+
Known Issues
------------
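Review bot: In the added release-note bullet, "whether outer header verification need to be done" should read "needs to be done". The entry could also name the new field, ``tunnel_hdr_verify`` in ``struct rte_security_ipsec_sa_options``, so that readers can find it in the header.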
diff a/lib/security/rte_security.h b/lib/security/rte_security.h (rejected hunks)
@@ -55,6 +55,14 @@ enum rte_security_ipsec_tunnel_type {
/**< Outer header is IPv6 */
};
+/**
+ * IPSEC tunnel header verification mode
+ *
+ * Controls how outer IP header is verified in inbound.
+ */
+#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1
+#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2
+
/**
* Security context for crypto/eth devices
*
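Review bot: The two new defines name 0x1 and 0x2 but not 0, which the driver code in this series tests as a literal (`tunnel_hdr_verify == 0`) to mean no verification. Consider adding a named value for the disabled case, and state in the comment block that these are mutually exclusive modes rather than OR-able flags, since 0x1 and 0x2 read like a bitmask.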
@@ -206,6 +214,15 @@ struct rte_security_ipsec_sa_options {
* by the PMD.
*/
uint32_t iv_gen_disable : 1;
+
+ /** Verify tunnel header in inbound
+ * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination
+ * IP address.
+ *
+ * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both
+ * source and destination IP addresses.
+ */
+ uint32_t tunnel_hdr_verify : 2;
};
/** IPSec security association direction */
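Review bot: The doc comment on `tunnel_hdr_verify` lists the two verify modes but does not say that 0 means no verification, nor what a PMD should do with the remaining 2-bit value 3. Spell out the default and the unsupported value in the comment, and say that the option only has effect for inbound tunnel-mode SAs.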
Checking patch drivers/common/cnxk/cnxk_security.c...
error: while searching for:
return size;
}
int
cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
struct rte_security_ipsec_xform *ipsec_xfrm,
error: patch failed: drivers/common/cnxk/cnxk_security.c:199
error: while searching for:
sa->w0.s.ar_win = rte_log2_u32(replay_win_sz) - 5;
}
/* Default options for pkt_out and pkt_fmt are with
* second pass meta and no defrag.
*/
error: patch failed: drivers/common/cnxk/cnxk_security.c:229
Checking patch drivers/common/cnxk/roc_ie_ot.h...
error: while searching for:
uint64_t auth_type : 4;
uint64_t encap_type : 2;
uint64_t rsvd1 : 6;
uint64_t rsvd2 : 7;
uint64_t async_mode : 1;
error: patch failed: drivers/common/cnxk/roc_ie_ot.h:180
Checking patch drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c...
error: while searching for:
#ifdef LA_IPSEC_DEBUG
sec_cap->ipsec.options.iv_gen_disable = 1;
#endif
}
}
error: patch failed: drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c:920
Applying patch drivers/common/cnxk/cnxk_security.c with 2 rejects...
Rejected hunk #1.
Rejected hunk #2.
Applying patch drivers/common/cnxk/roc_ie_ot.h with 1 reject...
Rejected hunk #1.
Applying patch drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c with 1 reject...
Rejected hunk #1.
diff a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c (rejected hunks)
@@ -199,6 +199,62 @@ ot_ipsec_inb_ctx_size(struct roc_ot_ipsec_inb_sa *sa)
return size;
}
+static int
+ot_ipsec_inb_tunnel_hdr_fill(struct roc_ot_ipsec_inb_sa *sa,
+ struct rte_security_ipsec_xform *ipsec_xfrm)
+{
+ struct rte_security_ipsec_tunnel_param *tunnel;
+
+ if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+ return 0;
+
+ if (ipsec_xfrm->options.tunnel_hdr_verify == 0)
+ return 0;
+
+ tunnel = &ipsec_xfrm->tunnel;
+
+ switch (tunnel->type) {
+ case RTE_SECURITY_IPSEC_TUNNEL_IPV4:
+ sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
+ memcpy(&sa->outer_hdr.ipv4.src_addr, &tunnel->ipv4.src_ip,
+ sizeof(struct in_addr));
+ memcpy(&sa->outer_hdr.ipv4.dst_addr, &tunnel->ipv4.dst_ip,
+ sizeof(struct in_addr));
+
+ /* IP Source and Dest are in LE/CPU endian */
+ sa->outer_hdr.ipv4.src_addr =
+ rte_be_to_cpu_32(sa->outer_hdr.ipv4.src_addr);
+ sa->outer_hdr.ipv4.dst_addr =
+ rte_be_to_cpu_32(sa->outer_hdr.ipv4.dst_addr);
+
+ break;
+ case RTE_SECURITY_IPSEC_TUNNEL_IPV6:
+ sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_6;
+ memcpy(&sa->outer_hdr.ipv6.src_addr, &tunnel->ipv6.src_addr,
+ sizeof(struct in6_addr));
+ memcpy(&sa->outer_hdr.ipv6.dst_addr, &tunnel->ipv6.dst_addr,
+ sizeof(struct in6_addr));
+
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ switch (ipsec_xfrm->options.tunnel_hdr_verify) {
+ case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR:
+ sa->w2.s.ip_hdr_verify = ROC_IE_OT_SA_IP_HDR_VERIFY_DST_ADDR;
+ break;
+ case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR:
+ sa->w2.s.ip_hdr_verify =
+ ROC_IE_OT_SA_IP_HDR_VERIFY_SRC_DST_ADDR;
+ break;
+ default:
+ return -ENOTSUP;
+ }
+
+ return 0;
+}
+
int
cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
struct rte_security_ipsec_xform *ipsec_xfrm,
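Review bot: In ot_ipsec_inb_tunnel_hdr_fill() the IPv4 case converts both copied addresses with rte_be_to_cpu_32(), while the IPv6 case copies src_addr and dst_addr as they are, with no comment on the byte order the SA expects. Please add a comment in the IPv6 case confirming that no conversion is needed, or add the conversion. The memcpy lengths are also taken from struct in_addr and struct in6_addr rather than from the destination fields; sizeof on the destination would keep the copies bounded if the SA layout changes.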
@@ -229,6 +285,10 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
sa->w0.s.ar_win = rte_log2_u32(replay_win_sz) - 5;
}
+ rc = ot_ipsec_inb_tunnel_hdr_fill(sa, ipsec_xfrm);
+ if (rc)
+ return rc;
+
/* Default options for pkt_out and pkt_fmt are with
* second pass meta and no defrag.
*/
diff a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h (rejected hunks)
@@ -180,7 +180,11 @@ union roc_ot_ipsec_sa_word2 {
uint64_t auth_type : 4;
uint64_t encap_type : 2;
- uint64_t rsvd1 : 6;
+ uint64_t et_ovrwr_ddr_en : 1;
+ uint64_t esn_en : 1;
+ uint64_t tport_l4_incr_csum : 1;
+ uint64_t ip_hdr_verify : 2;
+ uint64_t rsvd5 : 1;
uint64_t rsvd2 : 7;
uint64_t async_mode : 1;
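Review bot: The 6-bit rsvd1 is split into five fields here, but only ip_hdr_verify is used by the hunks shown in this series; et_ovrwr_ddr_en, esn_en and tport_l4_incr_csum are introduced without a user or an explanation. Mention them in the commit message or move them to a separate patch, and check that the new rsvd5 name does not clash with an existing member of the union.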
diff a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c (rejected hunks)
@@ -920,6 +920,10 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
#ifdef LA_IPSEC_DEBUG
sec_cap->ipsec.options.iv_gen_disable = 1;
#endif
+ } else {
+ if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+ sec_cap->ipsec.options.tunnel_hdr_verify =
+ RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
}
}
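Review bot: The capability is set to RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR (0x2) only, so an application comparing its requested mode against the capability cannot tell whether RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR (0x1) is supported as well, although the SA fill code in this series accepts both. Document how the capability value is to be interpreted, for example as the highest supported mode. The nested `if` inside the new `else` can also be folded into an `else if`.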
Checking patch app/test/test_cryptodev.c...
error: while searching for:
int salt_len, i, ret = TEST_SUCCESS;
struct rte_security_ctx *ctx;
uint8_t *input_text;
ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
error: patch failed: app/test/test_cryptodev.c:8924
error: while searching for:
/* Copy IPsec xform */
memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform));
memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src));
memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst));
dir = ipsec_xform.direction;
ctx = rte_cryptodev_get_sec_ctx(dev_id);
sec_cap_idx.action = ut_params->type;
error: patch failed: app/test/test_cryptodev.c:8933
Hunk #3 succeeded at 9262 (offset 24 lines).
error: while searching for:
"Negative test: ICV corruption",
ut_setup_security, ut_teardown,
test_ipsec_proto_err_icv_corrupt),
TEST_CASES_END() /**< NULL terminate unit test array */
}
};
error: patch failed: app/test/test_cryptodev.c:14173
Checking patch app/test/test_cryptodev_security_ipsec.c...
Hunk #1 succeeded at 95 (offset 9 lines).
error: while searching for:
if (flags->udp_encap)
td_inb[i].ipsec_xform.options.udp_encap = 1;
/* Clear outbound specific flags */
td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
}
error: patch failed: app/test/test_cryptodev_security_ipsec.c:207
error: while searching for:
/* For tests with status as error for test success, skip verification */
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
(flags->icv_corrupt ||
flags->sa_expiry_pkts_hard))
return TEST_SUCCESS;
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
error: patch failed: app/test/test_cryptodev_security_ipsec.c:292
Hunk #4 succeeded at 452 (offset 19 lines).
Checking patch app/test/test_cryptodev_security_ipsec.h...
error: while searching for:
bool sa_expiry_pkts_hard;
bool icv_corrupt;
bool iv_gen;
bool udp_encap;
};
error: patch failed: app/test/test_cryptodev_security_ipsec.h:53
Checking patch app/test/test_cryptodev_security_ipsec_test_vectors.h...
error: while searching for:
.options.dec_ttl = 0,
.options.ecn = 0,
.options.stats = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
error: patch failed: app/test/test_cryptodev_security_ipsec_test_vectors.h:94
error: while searching for:
.options.dec_ttl = 0,
.options.ecn = 0,
.options.stats = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
error: patch failed: app/test/test_cryptodev_security_ipsec_test_vectors.h:190
error: while searching for:
.options.dec_ttl = 0,
.options.ecn = 0,
.options.stats = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
error: patch failed: app/test/test_cryptodev_security_ipsec_test_vectors.h:289
Applying patch app/test/test_cryptodev.c with 3 rejects...
Rejected hunk #1.
Rejected hunk #2.
Hunk #3 applied cleanly.
Rejected hunk #4.
Applying patch app/test/test_cryptodev_security_ipsec.c with 2 rejects...
Hunk #1 applied cleanly.
Rejected hunk #2.
Rejected hunk #3.
Hunk #4 applied cleanly.
Applying patch app/test/test_cryptodev_security_ipsec.h with 1 reject...
Rejected hunk #1.
Applying patch app/test/test_cryptodev_security_ipsec_test_vectors.h with 3 rejects...
Rejected hunk #1.
Rejected hunk #2.
Rejected hunk #3.
diff a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c (rejected hunks)
@@ -8924,6 +8924,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
int salt_len, i, ret = TEST_SUCCESS;
struct rte_security_ctx *ctx;
uint8_t *input_text;
+ uint32_t verify;
ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
@@ -8933,11 +8934,19 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
/* Copy IPsec xform */
memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform));
+ dir = ipsec_xform.direction;
+ verify = flags->tunnel_hdr_verify;
+
+ if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && verify) {
+ if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR)
+ src += 1;
+ else if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR)
+ dst += 1;
+ }
+
memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src));
memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst));
- dir = ipsec_xform.direction;
-
ctx = rte_cryptodev_get_sec_ctx(dev_id);
sec_cap_idx.action = ut_params->type;
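Review bot: The `src += 1` / `dst += 1` block deliberately puts a mismatching address into the inbound SA, but nothing in the code says so; a short comment stating that the mismatch is intentional would help. In the RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR case only src is changed, so a destination mismatch under that mode is never exercised.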
@@ -14173,6 +14206,14 @@ static struct unit_test_suite ipsec_proto_testsuite = {
"Negative test: ICV corruption",
ut_setup_security, ut_teardown,
test_ipsec_proto_err_icv_corrupt),
+ TEST_CASE_NAMED_ST(
+ "Tunnel dst addr verification",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_tunnel_dst_addr_verify),
+ TEST_CASE_NAMED_ST(
+ "Tunnel src and dst addr verification",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_tunnel_src_dst_addr_verify),
TEST_CASES_END() /**< NULL terminate unit test array */
}
};
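Review bot: Both new entries are negative tests (test_ipsec_td_verify() in this series treats tunnel_hdr_verify like icv_corrupt, as an expected error), yet their names do not say so, unlike "Negative test: ICV corruption" directly above. Rename them along the lines of "Negative test: Tunnel dst addr verification" so the suite output reads consistently.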
diff a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c (rejected hunks)
@@ -207,6 +216,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
if (flags->udp_encap)
td_inb[i].ipsec_xform.options.udp_encap = 1;
+ td_inb[i].ipsec_xform.options.tunnel_hdr_verify =
+ flags->tunnel_hdr_verify;
+
/* Clear outbound specific flags */
td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
}
@@ -292,7 +304,8 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
/* For tests with status as error for test success, skip verification */
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
(flags->icv_corrupt ||
- flags->sa_expiry_pkts_hard))
+ flags->sa_expiry_pkts_hard ||
+ flags->tunnel_hdr_verify))
return TEST_SUCCESS;
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
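Review bot: Adding flags->tunnel_hdr_verify to the skip-verification condition makes any non-zero value of the flag mean "expect an error", so a later positive test that enables header verification with matching addresses would silently skip the output check. A separate flag for the induced address mismatch would keep the two meanings apart.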
diff a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h (rejected hunks)
@@ -53,6 +53,7 @@ struct ipsec_test_flags {
bool sa_expiry_pkts_hard;
bool icv_corrupt;
bool iv_gen;
+ uint32_t tunnel_hdr_verify;
bool udp_encap;
};
diff a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h (rejected hunks)
@@ -94,6 +94,7 @@ struct ipsec_test_data pkt_aes_128_gcm = {
.options.dec_ttl = 0,
.options.ecn = 0,
.options.stats = 0,
+ .options.tunnel_hdr_verify = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -190,6 +191,7 @@ struct ipsec_test_data pkt_aes_192_gcm = {
.options.dec_ttl = 0,
.options.ecn = 0,
.options.stats = 0,
+ .options.tunnel_hdr_verify = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -289,6 +291,7 @@ struct ipsec_test_data pkt_aes_256_gcm = {
.options.dec_ttl = 0,
.options.ecn = 0,
.options.stats = 0,
+ .options.tunnel_hdr_verify = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
https://lab.dpdk.org/results/dashboard/patchsets/19019/
UNH-IOL DPDK Community Lab