Test-Label: iol-testing Test-Status: WARNING http://dpdk.org/patch/99892 _apply patch failure_ Submitter: Anoob Joseph Date: Tuesday, September 28 2021 10:59:59 Applied on: CommitID:2700326085033fd13339a8de31f58a95d1ee9c3f Apply patch set 99892-99897 failed: Checking patch app/test/test_cryptodev_security_ipsec_test_vectors.h... error: while searching for: .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, .esn_soft_limit = 0, .replay_win_sz = 0, }, error: patch failed: app/test/test_cryptodev_security_ipsec_test_vectors.h:98 error: while searching for: .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, .esn_soft_limit = 0, .replay_win_sz = 0, }, error: patch failed: app/test/test_cryptodev_security_ipsec_test_vectors.h:195 error: while searching for: .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, .esn_soft_limit = 0, .replay_win_sz = 0, }, error: patch failed: app/test/test_cryptodev_security_ipsec_test_vectors.h:295 Checking patch doc/guides/rel_notes/deprecation.rst... error: while searching for: * cmdline: ``cmdline`` structure will be made opaque to hide platform-specific content. On Linux and FreeBSD, supported prior to DPDK 20.11, original structure will be kept until DPDK 21.11. * cryptodev: The structure ``rte_crypto_op`` would be updated to reduce reserved bytes to 2 (from 3), and use 1 byte to indicate warnings and other information from the crypto/security operation. This field will be used to communicate events such as soft expiry with IPsec in lookaside mode. error: patch failed: doc/guides/rel_notes/deprecation.rst:275 Checking patch doc/guides/rel_notes/release_21_11.rst... error: while searching for: as it is for drivers only and should be private to DPDK, and not installed for app use. ABI Changes ----------- error: patch failed: doc/guides/rel_notes/release_21_11.rst:152 error: while searching for: have much processing in PMD specific callbacks but just 64-bit set/get. This avoids a per pkt function pointer jump overhead for such PMD's. Known Issues ------------ error: patch failed: doc/guides/rel_notes/release_21_11.rst:174 Checking patch examples/ipsec-secgw/ipsec.c... error: while searching for: } /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; ipsec->replay_win_sz = app_sa_prm.window_size; ipsec->options.esn = app_sa_prm.enable_esn; ipsec->options.udp_encap = sa->udp_encap; error: patch failed: examples/ipsec-secgw/ipsec.c:49 Checking patch examples/ipsec-secgw/ipsec.h... error: while searching for: #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ #define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00 #define IV_OFFSET (sizeof(struct rte_crypto_op) + \ sizeof(struct rte_crypto_sym_op)) error: patch failed: examples/ipsec-secgw/ipsec.h:23 Checking patch lib/cryptodev/rte_crypto.h... error: while searching for: RTE_CRYPTO_OP_SECURITY_SESSION /**< Security session crypto operation */ }; /** * Cryptographic Operation. * error: patch failed: lib/cryptodev/rte_crypto.h:65 error: while searching for: */ uint8_t sess_type; /**< operation session type */ uint8_t reserved[3]; /**< Reserved bytes to fill 64 bits for * future additions */ error: patch failed: lib/cryptodev/rte_crypto.h:93 Checking patch lib/security/rte_security.h... Hunk #1 succeeded at 258 (offset 41 lines). error: while searching for: /**< IPsec SA Mode - transport/tunnel */ struct rte_security_ipsec_tunnel_param tunnel; /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ uint32_t replay_win_sz; /**< Anti replay window size to enable sequence replay attack handling. * replay checking is disabled if the window size is 0. error: patch failed: lib/security/rte_security.h:236 Applying patch app/test/test_cryptodev_security_ipsec_test_vectors.h with 3 rejects... Rejected hunk #1. Rejected hunk #2. Rejected hunk #3. Applying patch doc/guides/rel_notes/deprecation.rst with 1 reject... Rejected hunk #1. Applying patch doc/guides/rel_notes/release_21_11.rst with 2 rejects... Rejected hunk #1. Rejected hunk #2. Applying patch examples/ipsec-secgw/ipsec.c with 1 reject... Rejected hunk #1. Applying patch examples/ipsec-secgw/ipsec.h with 1 reject... Rejected hunk #1. Applying patch lib/cryptodev/rte_crypto.h with 2 rejects... Rejected hunk #1. Rejected hunk #2. Applying patch lib/security/rte_security.h with 1 reject... Hunk #1 applied cleanly. Rejected hunk #2. diff a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h (rejected hunks) @@ -98,7 +98,6 @@ struct ipsec_test_data pkt_aes_128_gcm = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, - .esn_soft_limit = 0, .replay_win_sz = 0, }, @@ -195,7 +194,6 @@ struct ipsec_test_data pkt_aes_192_gcm = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, - .esn_soft_limit = 0, .replay_win_sz = 0, }, @@ -295,7 +293,6 @@ struct ipsec_test_data pkt_aes_256_gcm = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, - .esn_soft_limit = 0, .replay_win_sz = 0, }, diff a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst (rejected hunks) @@ -275,8 +275,3 @@ Deprecation Notices * cmdline: ``cmdline`` structure will be made opaque to hide platform-specific content. On Linux and FreeBSD, supported prior to DPDK 20.11, original structure will be kept until DPDK 21.11. - -* cryptodev: The structure ``rte_crypto_op`` would be updated to reduce - reserved bytes to 2 (from 3), and use 1 byte to indicate warnings and other - information from the crypto/security operation. This field will be used to - communicate events such as soft expiry with IPsec in lookaside mode. diff a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst (rejected hunks) @@ -152,6 +152,13 @@ API Changes as it is for drivers only and should be private to DPDK, and not installed for app use. +* cryptodev: use 1 reserved byte from ``rte_crypto_op`` for aux flags + + * Updated the structure ``rte_crypto_op`` to reduce reserved bytes to + 2 (from 3), and use 1 byte to indicate warnings and other information from + the crypto/security operation. This field will be used to communicate events + such as soft expiry with IPsec in lookaside mode. + ABI Changes ----------- @@ -174,6 +181,12 @@ ABI Changes have much processing in PMD specific callbacks but just 64-bit set/get. This avoids a per pkt function pointer jump overhead for such PMD's. +* security: add IPsec SA lifetime configuration + + * Added IPsec SA lifetime configuration to allow applications to configure + soft and hard SA expiry limits. Limits can be either in units of packets or + bytes. + Known Issues ------------ diff a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c (rejected hunks) @@ -49,7 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) } /* TODO support for Transport */ } - ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; + ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT; ipsec->replay_win_sz = app_sa_prm.window_size; ipsec->options.esn = app_sa_prm.enable_esn; ipsec->options.udp_encap = sa->udp_encap; diff a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h (rejected hunks) @@ -23,7 +23,7 @@ #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ -#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00 +#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00 #define IV_OFFSET (sizeof(struct rte_crypto_op) + \ sizeof(struct rte_crypto_sym_op)) diff a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h (rejected hunks) @@ -65,6 +65,11 @@ enum rte_crypto_op_sess_type { RTE_CRYPTO_OP_SECURITY_SESSION /**< Security session crypto operation */ }; +/* Auxiliary flags related to IPsec offload with RTE_SECURITY */ + +#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY (1 << 0) +/**< SA soft expiry limit has been reached */ + /** * Cryptographic Operation. * @@ -93,7 +98,12 @@ struct rte_crypto_op { */ uint8_t sess_type; /**< operation session type */ - uint8_t reserved[3]; + uint8_t aux_flags; + /**< Operation specific auxiliary/additional flags. + * These flags carry additional information from the + * operation. Processing of the same is optional. + */ + uint8_t reserved[2]; /**< Reserved bytes to fill 64 bits for * future additions */ diff a/lib/security/rte_security.h b/lib/security/rte_security.h (rejected hunks) @@ -236,8 +260,8 @@ struct rte_security_ipsec_xform { /**< IPsec SA Mode - transport/tunnel */ struct rte_security_ipsec_tunnel_param tunnel; /**< Tunnel parameters, NULL for transport mode */ - uint64_t esn_soft_limit; - /**< ESN for which the overflow event need to be raised */ + struct rte_security_ipsec_lifetime life; + /**< IPsec SA lifetime */ uint32_t replay_win_sz; /**< Anti replay window size to enable sequence replay attack handling. * replay checking is disabled if the window size is 0. Checking patch drivers/common/cnxk/cnxk_security.c... error: while searching for: return -EINVAL; } return 0; } error: patch failed: drivers/common/cnxk/cnxk_security.c:161 error: while searching for: ROC_CTX_UNIT_128B) - 1; /* There are two words of CPT_CTX_HW_S for ucode to skip */ sa->w0.s.ctx_hdr_size = 1; sa->w0.s.aop_valid = 1; error: patch failed: drivers/common/cnxk/cnxk_security.c:236 error: while searching for: /* IPID gen */ sa->w2.s.ipid_gen = 1; /* There are two words of CPT_CTX_HW_S for ucode to skip */ sa->w0.s.ctx_hdr_size = 1; sa->w0.s.aop_valid = 1; error: patch failed: drivers/common/cnxk/cnxk_security.c:360 Checking patch drivers/crypto/cnxk/cn10k_cryptodev_ops.c... error: while searching for: struct cpt_inflight_req *infl_req) { struct cpt_cn10k_res_s *res = (struct cpt_cn10k_res_s *)&infl_req->res; unsigned int sz; if (likely(res->compcode == CPT_COMP_GOOD || res->compcode == CPT_COMP_WARN)) { if (unlikely(res->uc_compcode)) { if (res->uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE) cop->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED; else cop->status = RTE_CRYPTO_OP_STATUS_ERROR; error: patch failed: drivers/crypto/cnxk/cn10k_cryptodev_ops.c:348 error: while searching for: goto temp_sess_free; } cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { cn10k_cpt_sec_post_process(cop, res); return; } /* Verify authentication data if required */ if (unlikely(infl_req->op_flags & CPT_OP_FLAGS_AUTH_VERIFY)) { error: patch failed: drivers/crypto/cnxk/cn10k_cryptodev_ops.c:364 error: while searching for: cop->status = RTE_CRYPTO_OP_STATUS_ERROR; plt_dp_info("HW completion code 0x%x", res->compcode); switch (res->compcode) { case CPT_COMP_INSTERR: plt_dp_err("Request failed with instruction error"); break; error: patch failed: drivers/crypto/cnxk/cn10k_cryptodev_ops.c:392 Checking patch drivers/crypto/cnxk/cn9k_ipsec.c... error: while searching for: static inline int cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec) { RTE_SET_USED(ipsec); return 0; } error: patch failed: drivers/crypto/cnxk/cn9k_ipsec.c:485 Applying patch drivers/common/cnxk/cnxk_security.c with 3 rejects... Rejected hunk #1. Rejected hunk #2. Rejected hunk #3. Applying patch drivers/crypto/cnxk/cn10k_cryptodev_ops.c with 3 rejects... Rejected hunk #1. Rejected hunk #2. Rejected hunk #3. Applying patch drivers/crypto/cnxk/cn9k_ipsec.c with 1 reject... Rejected hunk #1. diff a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c (rejected hunks) @@ -161,6 +161,26 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, return -EINVAL; } + if (ipsec_xfrm->life.packets_soft_limit != 0 || + ipsec_xfrm->life.packets_hard_limit != 0) { + if (ipsec_xfrm->life.bytes_soft_limit != 0 || + ipsec_xfrm->life.bytes_hard_limit != 0) { + plt_err("Expiry tracking with both packets & bytes is not supported"); + return -EINVAL; + } + w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_PKTS; + } + + if (ipsec_xfrm->life.bytes_soft_limit != 0 || + ipsec_xfrm->life.bytes_hard_limit != 0) { + if (ipsec_xfrm->life.packets_soft_limit != 0 || + ipsec_xfrm->life.packets_hard_limit != 0) { + plt_err("Expiry tracking with both packets & bytes is not supported"); + return -EINVAL; + } + w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_OCTETS; + } + return 0; } @@ -236,6 +256,31 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, ROC_CTX_UNIT_128B) - 1; + /** + * CPT MC triggers expiry when counter value changes from 2 to 1. To + * mitigate this behaviour add 1 to the life counter values provided. + */ + + if (ipsec_xfrm->life.bytes_soft_limit) { + sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1; + sa->w0.s.soft_life_dec = 1; + } + + if (ipsec_xfrm->life.packets_soft_limit) { + sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1; + sa->w0.s.soft_life_dec = 1; + } + + if (ipsec_xfrm->life.bytes_hard_limit) { + sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1; + sa->w0.s.hard_life_dec = 1; + } + + if (ipsec_xfrm->life.packets_hard_limit) { + sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1; + sa->w0.s.hard_life_dec = 1; + } + /* There are two words of CPT_CTX_HW_S for ucode to skip */ sa->w0.s.ctx_hdr_size = 1; sa->w0.s.aop_valid = 1; @@ -360,6 +405,31 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa, /* IPID gen */ sa->w2.s.ipid_gen = 1; + /** + * CPT MC triggers expiry when counter value changes from 2 to 1. To + * mitigate this behaviour add 1 to the life counter values provided. + */ + + if (ipsec_xfrm->life.bytes_soft_limit) { + sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1; + sa->w0.s.soft_life_dec = 1; + } + + if (ipsec_xfrm->life.packets_soft_limit) { + sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1; + sa->w0.s.soft_life_dec = 1; + } + + if (ipsec_xfrm->life.bytes_hard_limit) { + sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1; + sa->w0.s.hard_life_dec = 1; + } + + if (ipsec_xfrm->life.packets_hard_limit) { + sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1; + sa->w0.s.hard_life_dec = 1; + } + /* There are two words of CPT_CTX_HW_S for ucode to skip */ sa->w0.s.ctx_hdr_size = 1; sa->w0.s.aop_valid = 1; diff a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c (rejected hunks) @@ -348,12 +348,44 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, struct cpt_inflight_req *infl_req) { struct cpt_cn10k_res_s *res = (struct cpt_cn10k_res_s *)&infl_req->res; + const uint8_t uc_compcode = res->uc_compcode; + const uint8_t compcode = res->compcode; unsigned int sz; - if (likely(res->compcode == CPT_COMP_GOOD || - res->compcode == CPT_COMP_WARN)) { - if (unlikely(res->uc_compcode)) { - if (res->uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE) + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + + if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC && + cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { + if (likely(compcode == CPT_COMP_WARN)) { + if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) { + /* Success with additional info */ + switch (uc_compcode) { + case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST: + cop->aux_flags = + RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY; + break; + default: + break; + } + } + cn10k_cpt_sec_post_process(cop, res); + } else { + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + plt_dp_info("HW completion code 0x%x", res->compcode); + if (compcode == CPT_COMP_GOOD) { + plt_dp_info( + "Request failed with microcode error"); + plt_dp_info("MC completion code 0x%x", + uc_compcode); + } + } + + return; + } + + if (likely(compcode == CPT_COMP_GOOD || compcode == CPT_COMP_WARN)) { + if (unlikely(uc_compcode)) { + if (uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE) cop->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED; else cop->status = RTE_CRYPTO_OP_STATUS_ERROR; @@ -364,13 +396,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, goto temp_sess_free; } - cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { - if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { - cn10k_cpt_sec_post_process(cop, res); - return; - } - /* Verify authentication data if required */ if (unlikely(infl_req->op_flags & CPT_OP_FLAGS_AUTH_VERIFY)) { @@ -392,7 +418,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, cop->status = RTE_CRYPTO_OP_STATUS_ERROR; plt_dp_info("HW completion code 0x%x", res->compcode); - switch (res->compcode) { + switch (compcode) { case CPT_COMP_INSTERR: plt_dp_err("Request failed with instruction error"); break; diff a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c (rejected hunks) @@ -485,7 +485,11 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp, static inline int cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec) { - RTE_SET_USED(ipsec); + if (ipsec->life.bytes_hard_limit != 0 || + ipsec->life.bytes_soft_limit != 0 || + ipsec->life.packets_hard_limit != 0 || + ipsec->life.packets_soft_limit != 0) + return -ENOTSUP; return 0; } Checking patch drivers/crypto/octeontx2/otx2_ipsec_po.h... error: while searching for: struct rte_crypto_sym_xform *auth_xform, *cipher_xform; int ret; if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) return ipsec_po_xform_aead_verify(ipsec, xform); error: patch failed: drivers/crypto/octeontx2/otx2_ipsec_po.h:293 Applying patch drivers/crypto/octeontx2/otx2_ipsec_po.h with 1 reject... Rejected hunk #1. diff a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h (rejected hunks) @@ -293,6 +293,12 @@ ipsec_po_xform_verify(struct rte_security_ipsec_xform *ipsec, struct rte_crypto_sym_xform *auth_xform, *cipher_xform; int ret; + if (ipsec->life.bytes_hard_limit != 0 || + ipsec->life.bytes_soft_limit != 0 || + ipsec->life.packets_hard_limit != 0 || + ipsec->life.packets_soft_limit != 0) + return -ENOTSUP; + if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) return ipsec_po_xform_aead_verify(ipsec, xform); Checking patch app/test/test_cryptodev.c... error: while searching for: /* Process crypto operation */ process_crypto_request(dev_id, ut_params->op); ret = test_ipsec_status_check(ut_params->op, flags, dir); if (ret != TEST_SUCCESS) goto crypto_op_free; error: patch failed: app/test/test_cryptodev.c:9045 error: while searching for: unsigned int i, nb_pkts = 1, pass_cnt = 0; int ret; if (flags->iv_gen) nb_pkts = IPSEC_TEST_PACKETS_MAX; for (i = 0; i < RTE_DIM(aead_list); i++) { error: patch failed: app/test/test_cryptodev.c:9115 Hunk #3 succeeded at 9215 (offset 34 lines). error: while searching for: ut_setup_security, ut_teardown, test_ipsec_proto_udp_encap), TEST_CASE_NAMED_ST( "Negative test: ICV corruption", ut_setup_security, ut_teardown, test_ipsec_proto_err_icv_corrupt), error: patch failed: app/test/test_cryptodev.c:14136 Checking patch app/test/test_cryptodev_security_ipsec.c... error: while searching for: if (flags->iv_gen) td->ipsec_xform.options.iv_gen_disable = 0; } RTE_SET_USED(param2); error: patch failed: app/test/test_cryptodev_security_ipsec.c:173 error: while searching for: int test_ipsec_status_check(struct rte_crypto_op *op, const struct ipsec_test_flags *flags, enum rte_security_ipsec_sa_direction dir) { int ret = TEST_SUCCESS; error: patch failed: app/test/test_cryptodev_security_ipsec.c:395 error: while searching for: } } else { if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { printf("Security op processing failed\n"); ret = TEST_FAILED; } } error: patch failed: app/test/test_cryptodev_security_ipsec.c:406 Checking patch app/test/test_cryptodev_security_ipsec.h... error: while searching for: struct ipsec_test_flags { bool display_alg; bool icv_corrupt; bool iv_gen; bool udp_encap; error: patch failed: app/test/test_cryptodev_security_ipsec.h:49 error: while searching for: int test_ipsec_status_check(struct rte_crypto_op *op, const struct ipsec_test_flags *flags, enum rte_security_ipsec_sa_direction dir); #endif error: patch failed: app/test/test_cryptodev_security_ipsec.h:114 Applying patch app/test/test_cryptodev.c with 3 rejects... Rejected hunk #1. Rejected hunk #2. Hunk #3 applied cleanly. Rejected hunk #4. Applying patch app/test/test_cryptodev_security_ipsec.c with 3 rejects... Rejected hunk #1. Rejected hunk #2. Rejected hunk #3. Applying patch app/test/test_cryptodev_security_ipsec.h with 2 rejects... Rejected hunk #1. Rejected hunk #2. diff a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c (rejected hunks) @@ -9045,7 +9045,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], /* Process crypto operation */ process_crypto_request(dev_id, ut_params->op); - ret = test_ipsec_status_check(ut_params->op, flags, dir); + ret = test_ipsec_status_check(ut_params->op, flags, dir, i + 1); if (ret != TEST_SUCCESS) goto crypto_op_free; @@ -9115,7 +9115,8 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags) unsigned int i, nb_pkts = 1, pass_cnt = 0; int ret; - if (flags->iv_gen) + if (flags->iv_gen || + flags->sa_expiry_pkts_soft) nb_pkts = IPSEC_TEST_PACKETS_MAX; for (i = 0; i < RTE_DIM(aead_list); i++) { @@ -14136,6 +14149,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { ut_setup_security, ut_teardown, test_ipsec_proto_udp_encap), TEST_CASE_NAMED_ST( + "SA expiry packets soft", + ut_setup_security, ut_teardown, + test_ipsec_proto_sa_exp_pkts_soft), + TEST_CASE_NAMED_ST( "Negative test: ICV corruption", ut_setup_security, ut_teardown, test_ipsec_proto_err_icv_corrupt), diff a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c (rejected hunks) @@ -173,6 +173,10 @@ test_ipsec_td_prepare(const struct crypto_param *param1, if (flags->iv_gen) td->ipsec_xform.options.iv_gen_disable = 0; + + if (flags->sa_expiry_pkts_soft) + td->ipsec_xform.life.packets_soft_limit = + IPSEC_TEST_PACKETS_MAX - 1; } RTE_SET_USED(param2); @@ -395,7 +399,8 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, int test_ipsec_status_check(struct rte_crypto_op *op, const struct ipsec_test_flags *flags, - enum rte_security_ipsec_sa_direction dir) + enum rte_security_ipsec_sa_direction dir, + int pkt_num) { int ret = TEST_SUCCESS; @@ -406,7 +411,16 @@ test_ipsec_status_check(struct rte_crypto_op *op, } } else { if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { - printf("Security op processing failed\n"); + printf("Security op processing failed [pkt_num: %d]\n", + pkt_num); + ret = TEST_FAILED; + } + } + + if (flags->sa_expiry_pkts_soft && pkt_num == IPSEC_TEST_PACKETS_MAX) { + if (!(op->aux_flags & + RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY)) { + printf("SA soft expiry (pkts) test failed\n"); ret = TEST_FAILED; } } diff a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h (rejected hunks) @@ -49,6 +49,7 @@ struct ipsec_test_data { struct ipsec_test_flags { bool display_alg; + bool sa_expiry_pkts_soft; bool icv_corrupt; bool iv_gen; bool udp_encap; @@ -114,6 +115,7 @@ int test_ipsec_post_process(struct rte_mbuf *m, int test_ipsec_status_check(struct rte_crypto_op *op, const struct ipsec_test_flags *flags, - enum rte_security_ipsec_sa_direction dir); + enum rte_security_ipsec_sa_direction dir, + int pkt_num); #endif Checking patch app/test/test_cryptodev.c... error: app/test/test_cryptodev.c: does not match index Checking patch app/test/test_cryptodev_security_ipsec.c... error: while searching for: td_inb[i].input_text.data[icv_pos] += 1; } if (flags->udp_encap) td_inb[i].ipsec_xform.options.udp_encap = 1; error: patch failed: app/test/test_cryptodev_security_ipsec.c:200 error: while searching for: uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *); uint32_t skip, len = rte_pktmbuf_pkt_len(m); /* For negative tests, no need to do verification */ if (flags->icv_corrupt && td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) return TEST_SUCCESS; if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && error: patch failed: app/test/test_cryptodev_security_ipsec.c:285 error: while searching for: { int ret = TEST_SUCCESS; if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) { if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) { printf("ICV corruption test case failed\n"); error: patch failed: app/test/test_cryptodev_security_ipsec.c:404 Checking patch app/test/test_cryptodev_security_ipsec.h... error: while searching for: struct ipsec_test_flags { bool display_alg; bool sa_expiry_pkts_soft; bool icv_corrupt; bool iv_gen; bool udp_encap; error: patch failed: app/test/test_cryptodev_security_ipsec.h:50 Applying patch app/test/test_cryptodev_security_ipsec.c with 3 rejects... Rejected hunk #1. Rejected hunk #2. Rejected hunk #3. Applying patch app/test/test_cryptodev_security_ipsec.h with 1 reject... Rejected hunk #1. diff a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c (rejected hunks) @@ -200,6 +200,10 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], td_inb[i].input_text.data[icv_pos] += 1; } + if (flags->sa_expiry_pkts_hard) + td_inb[i].ipsec_xform.life.packets_hard_limit = + IPSEC_TEST_PACKETS_MAX - 1; + if (flags->udp_encap) td_inb[i].ipsec_xform.options.udp_encap = 1; @@ -285,9 +289,10 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *); uint32_t skip, len = rte_pktmbuf_pkt_len(m); - /* For negative tests, no need to do verification */ - if (flags->icv_corrupt && - td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + /* For tests with status as error for test success, skip verification */ + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && + (flags->icv_corrupt || + flags->sa_expiry_pkts_hard)) return TEST_SUCCESS; if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && @@ -404,6 +409,17 @@ test_ipsec_status_check(struct rte_crypto_op *op, { int ret = TEST_SUCCESS; + if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && + flags->sa_expiry_pkts_hard && + pkt_num == IPSEC_TEST_PACKETS_MAX) { + if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) { + printf("SA hard expiry (pkts) test failed\n"); + return TEST_FAILED; + } else { + return TEST_SUCCESS; + } + } + if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) { if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) { printf("ICV corruption test case failed\n"); diff a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h (rejected hunks) @@ -50,6 +50,7 @@ struct ipsec_test_data { struct ipsec_test_flags { bool display_alg; bool sa_expiry_pkts_soft; + bool sa_expiry_pkts_hard; bool icv_corrupt; bool iv_gen; bool udp_encap; Checking patch examples/ipsec-secgw/ipsec.c... error: while searching for: } /* TODO support for Transport */ } ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT; ipsec->replay_win_sz = app_sa_prm.window_size; ipsec->options.esn = app_sa_prm.enable_esn; ipsec->options.udp_encap = sa->udp_encap; error: patch failed: examples/ipsec-secgw/ipsec.c:49 Checking patch examples/ipsec-secgw/ipsec.h... error: while searching for: #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ #define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00 #define IV_OFFSET (sizeof(struct rte_crypto_op) + \ sizeof(struct rte_crypto_sym_op)) error: patch failed: examples/ipsec-secgw/ipsec.h:23 Applying patch examples/ipsec-secgw/ipsec.c with 1 reject... Rejected hunk #1. Applying patch examples/ipsec-secgw/ipsec.h with 1 reject... Rejected hunk #1. diff a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c (rejected hunks) @@ -49,7 +49,6 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) } /* TODO support for Transport */ } - ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT; ipsec->replay_win_sz = app_sa_prm.window_size; ipsec->options.esn = app_sa_prm.enable_esn; ipsec->options.udp_encap = sa->udp_encap; diff a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h (rejected hunks) @@ -23,8 +23,6 @@ #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ -#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00 - #define IV_OFFSET (sizeof(struct rte_crypto_op) + \ sizeof(struct rte_crypto_sym_op)) https://lab.dpdk.org/results/dashboard/patchsets/19016/ UNH-IOL DPDK Community Lab