* [dpdk-test-report] |WARNING| pw99892-99897 [PATCH] [v4, 6/6] examples/ipsec-secgw: clear soft expiry configuration
@ 2021-10-05 22:13 dpdklab
0 siblings, 0 replies; only message in thread
From: dpdklab @ 2021-10-05 22:13 UTC (permalink / raw)
To: test-report; +Cc: dpdk-test-reports
[-- Attachment #1: Type: text/plain, Size: 29940 bytes --]
Test-Label: iol-testing
Test-Status: WARNING
http://dpdk.org/patch/99892
_apply patch failure_
Submitter: Anoob Joseph <anoobj@marvell.com>
Date: Tuesday, September 28 2021 10:59:59
Applied on: CommitID:2700326085033fd13339a8de31f58a95d1ee9c3f
Apply patch set 99892-99897 failed:
Checking patch app/test/test_cryptodev_security_ipsec_test_vectors.h...
error: while searching for:
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
.esn_soft_limit = 0,
.replay_win_sz = 0,
},
error: patch failed: app/test/test_cryptodev_security_ipsec_test_vectors.h:98
error: while searching for:
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
.esn_soft_limit = 0,
.replay_win_sz = 0,
},
error: patch failed: app/test/test_cryptodev_security_ipsec_test_vectors.h:195
error: while searching for:
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
.esn_soft_limit = 0,
.replay_win_sz = 0,
},
error: patch failed: app/test/test_cryptodev_security_ipsec_test_vectors.h:295
Checking patch doc/guides/rel_notes/deprecation.rst...
error: while searching for:
* cmdline: ``cmdline`` structure will be made opaque to hide platform-specific
content. On Linux and FreeBSD, supported prior to DPDK 20.11,
original structure will be kept until DPDK 21.11.
* cryptodev: The structure ``rte_crypto_op`` would be updated to reduce
reserved bytes to 2 (from 3), and use 1 byte to indicate warnings and other
information from the crypto/security operation. This field will be used to
communicate events such as soft expiry with IPsec in lookaside mode.
error: patch failed: doc/guides/rel_notes/deprecation.rst:275
Checking patch doc/guides/rel_notes/release_21_11.rst...
error: while searching for:
as it is for drivers only and should be private to DPDK, and not
installed for app use.
ABI Changes
-----------
error: patch failed: doc/guides/rel_notes/release_21_11.rst:152
error: while searching for:
have much processing in PMD specific callbacks but just 64-bit set/get.
This avoids a per pkt function pointer jump overhead for such PMD's.
Known Issues
------------
error: patch failed: doc/guides/rel_notes/release_21_11.rst:174
Checking patch examples/ipsec-secgw/ipsec.c...
error: while searching for:
}
/* TODO support for Transport */
}
ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
ipsec->replay_win_sz = app_sa_prm.window_size;
ipsec->options.esn = app_sa_prm.enable_esn;
ipsec->options.udp_encap = sa->udp_encap;
error: patch failed: examples/ipsec-secgw/ipsec.c:49
Checking patch examples/ipsec-secgw/ipsec.h...
error: while searching for:
#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
#define IV_OFFSET (sizeof(struct rte_crypto_op) + \
sizeof(struct rte_crypto_sym_op))
error: patch failed: examples/ipsec-secgw/ipsec.h:23
Checking patch lib/cryptodev/rte_crypto.h...
error: while searching for:
RTE_CRYPTO_OP_SECURITY_SESSION /**< Security session crypto operation */
};
/**
* Cryptographic Operation.
*
error: patch failed: lib/cryptodev/rte_crypto.h:65
error: while searching for:
*/
uint8_t sess_type;
/**< operation session type */
uint8_t reserved[3];
/**< Reserved bytes to fill 64 bits for
* future additions
*/
error: patch failed: lib/cryptodev/rte_crypto.h:93
Checking patch lib/security/rte_security.h...
Hunk #1 succeeded at 258 (offset 41 lines).
error: while searching for:
/**< IPsec SA Mode - transport/tunnel */
struct rte_security_ipsec_tunnel_param tunnel;
/**< Tunnel parameters, NULL for transport mode */
uint64_t esn_soft_limit;
/**< ESN for which the overflow event need to be raised */
uint32_t replay_win_sz;
/**< Anti replay window size to enable sequence replay attack handling.
* replay checking is disabled if the window size is 0.
error: patch failed: lib/security/rte_security.h:236
Applying patch app/test/test_cryptodev_security_ipsec_test_vectors.h with 3 rejects...
Rejected hunk #1.
Rejected hunk #2.
Rejected hunk #3.
Applying patch doc/guides/rel_notes/deprecation.rst with 1 reject...
Rejected hunk #1.
Applying patch doc/guides/rel_notes/release_21_11.rst with 2 rejects...
Rejected hunk #1.
Rejected hunk #2.
Applying patch examples/ipsec-secgw/ipsec.c with 1 reject...
Rejected hunk #1.
Applying patch examples/ipsec-secgw/ipsec.h with 1 reject...
Rejected hunk #1.
Applying patch lib/cryptodev/rte_crypto.h with 2 rejects...
Rejected hunk #1.
Rejected hunk #2.
Applying patch lib/security/rte_security.h with 1 reject...
Hunk #1 applied cleanly.
Rejected hunk #2.
diff a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h (rejected hunks)
@@ -98,7 +98,6 @@ struct ipsec_test_data pkt_aes_128_gcm = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
- .esn_soft_limit = 0,
.replay_win_sz = 0,
},
@@ -195,7 +194,6 @@ struct ipsec_test_data pkt_aes_192_gcm = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
- .esn_soft_limit = 0,
.replay_win_sz = 0,
},
@@ -295,7 +293,6 @@ struct ipsec_test_data pkt_aes_256_gcm = {
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
- .esn_soft_limit = 0,
.replay_win_sz = 0,
},
diff a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst (rejected hunks)
@@ -275,8 +275,3 @@ Deprecation Notices
* cmdline: ``cmdline`` structure will be made opaque to hide platform-specific
content. On Linux and FreeBSD, supported prior to DPDK 20.11,
original structure will be kept until DPDK 21.11.
-
-* cryptodev: The structure ``rte_crypto_op`` would be updated to reduce
- reserved bytes to 2 (from 3), and use 1 byte to indicate warnings and other
- information from the crypto/security operation. This field will be used to
- communicate events such as soft expiry with IPsec in lookaside mode.
diff a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst (rejected hunks)
@@ -152,6 +152,13 @@ API Changes
as it is for drivers only and should be private to DPDK, and not
installed for app use.
+* cryptodev: use 1 reserved byte from ``rte_crypto_op`` for aux flags
+
+ * Updated the structure ``rte_crypto_op`` to reduce reserved bytes to
+ 2 (from 3), and use 1 byte to indicate warnings and other information from
+ the crypto/security operation. This field will be used to communicate events
+ such as soft expiry with IPsec in lookaside mode.
+
ABI Changes
-----------
@@ -174,6 +181,12 @@ ABI Changes
have much processing in PMD specific callbacks but just 64-bit set/get.
This avoids a per pkt function pointer jump overhead for such PMD's.
+* security: add IPsec SA lifetime configuration
+
+ * Added IPsec SA lifetime configuration to allow applications to configure
+ soft and hard SA expiry limits. Limits can be either in units of packets or
+ bytes.
+
Known Issues
------------
diff a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c (rejected hunks)
@@ -49,7 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
}
/* TODO support for Transport */
}
- ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
+ ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT;
ipsec->replay_win_sz = app_sa_prm.window_size;
ipsec->options.esn = app_sa_prm.enable_esn;
ipsec->options.udp_encap = sa->udp_encap;
diff a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h (rejected hunks)
@@ -23,7 +23,7 @@
#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
-#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
+#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00
#define IV_OFFSET (sizeof(struct rte_crypto_op) + \
sizeof(struct rte_crypto_sym_op))
diff a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h (rejected hunks)
@@ -65,6 +65,11 @@ enum rte_crypto_op_sess_type {
RTE_CRYPTO_OP_SECURITY_SESSION /**< Security session crypto operation */
};
+/* Auxiliary flags related to IPsec offload with RTE_SECURITY */
+
+#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY (1 << 0)
+/**< SA soft expiry limit has been reached */
+
/**
* Cryptographic Operation.
*
@@ -93,7 +98,12 @@ struct rte_crypto_op {
*/
uint8_t sess_type;
/**< operation session type */
- uint8_t reserved[3];
+ uint8_t aux_flags;
+ /**< Operation specific auxiliary/additional flags.
+ * These flags carry additional information from the
+ * operation. Processing of the same is optional.
+ */
+ uint8_t reserved[2];
/**< Reserved bytes to fill 64 bits for
* future additions
*/
diff a/lib/security/rte_security.h b/lib/security/rte_security.h (rejected hunks)
@@ -236,8 +260,8 @@ struct rte_security_ipsec_xform {
/**< IPsec SA Mode - transport/tunnel */
struct rte_security_ipsec_tunnel_param tunnel;
/**< Tunnel parameters, NULL for transport mode */
- uint64_t esn_soft_limit;
- /**< ESN for which the overflow event need to be raised */
+ struct rte_security_ipsec_lifetime life;
+ /**< IPsec SA lifetime */
uint32_t replay_win_sz;
/**< Anti replay window size to enable sequence replay attack handling.
* replay checking is disabled if the window size is 0.
Checking patch drivers/common/cnxk/cnxk_security.c...
error: while searching for:
return -EINVAL;
}
return 0;
}
error: patch failed: drivers/common/cnxk/cnxk_security.c:161
error: while searching for:
ROC_CTX_UNIT_128B) -
1;
/* There are two words of CPT_CTX_HW_S for ucode to skip */
sa->w0.s.ctx_hdr_size = 1;
sa->w0.s.aop_valid = 1;
error: patch failed: drivers/common/cnxk/cnxk_security.c:236
error: while searching for:
/* IPID gen */
sa->w2.s.ipid_gen = 1;
/* There are two words of CPT_CTX_HW_S for ucode to skip */
sa->w0.s.ctx_hdr_size = 1;
sa->w0.s.aop_valid = 1;
error: patch failed: drivers/common/cnxk/cnxk_security.c:360
Checking patch drivers/crypto/cnxk/cn10k_cryptodev_ops.c...
error: while searching for:
struct cpt_inflight_req *infl_req)
{
struct cpt_cn10k_res_s *res = (struct cpt_cn10k_res_s *)&infl_req->res;
unsigned int sz;
if (likely(res->compcode == CPT_COMP_GOOD ||
res->compcode == CPT_COMP_WARN)) {
if (unlikely(res->uc_compcode)) {
if (res->uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE)
cop->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
else
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
error: patch failed: drivers/crypto/cnxk/cn10k_cryptodev_ops.c:348
error: while searching for:
goto temp_sess_free;
}
cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
cn10k_cpt_sec_post_process(cop, res);
return;
}
/* Verify authentication data if required */
if (unlikely(infl_req->op_flags &
CPT_OP_FLAGS_AUTH_VERIFY)) {
error: patch failed: drivers/crypto/cnxk/cn10k_cryptodev_ops.c:364
error: while searching for:
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
plt_dp_info("HW completion code 0x%x", res->compcode);
switch (res->compcode) {
case CPT_COMP_INSTERR:
plt_dp_err("Request failed with instruction error");
break;
error: patch failed: drivers/crypto/cnxk/cn10k_cryptodev_ops.c:392
Checking patch drivers/crypto/cnxk/cn9k_ipsec.c...
error: while searching for:
static inline int
cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
{
RTE_SET_USED(ipsec);
return 0;
}
error: patch failed: drivers/crypto/cnxk/cn9k_ipsec.c:485
Applying patch drivers/common/cnxk/cnxk_security.c with 3 rejects...
Rejected hunk #1.
Rejected hunk #2.
Rejected hunk #3.
Applying patch drivers/crypto/cnxk/cn10k_cryptodev_ops.c with 3 rejects...
Rejected hunk #1.
Rejected hunk #2.
Rejected hunk #3.
Applying patch drivers/crypto/cnxk/cn9k_ipsec.c with 1 reject...
Rejected hunk #1.
diff a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c (rejected hunks)
@@ -161,6 +161,26 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
return -EINVAL;
}
+ if (ipsec_xfrm->life.packets_soft_limit != 0 ||
+ ipsec_xfrm->life.packets_hard_limit != 0) {
+ if (ipsec_xfrm->life.bytes_soft_limit != 0 ||
+ ipsec_xfrm->life.bytes_hard_limit != 0) {
+ plt_err("Expiry tracking with both packets & bytes is not supported");
+ return -EINVAL;
+ }
+ w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_PKTS;
+ }
+
+ if (ipsec_xfrm->life.bytes_soft_limit != 0 ||
+ ipsec_xfrm->life.bytes_hard_limit != 0) {
+ if (ipsec_xfrm->life.packets_soft_limit != 0 ||
+ ipsec_xfrm->life.packets_hard_limit != 0) {
+ plt_err("Expiry tracking with both packets & bytes is not supported");
+ return -EINVAL;
+ }
+ w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_OCTETS;
+ }
+
return 0;
}
@@ -236,6 +256,31 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
ROC_CTX_UNIT_128B) -
1;
+ /**
+ * CPT MC triggers expiry when counter value changes from 2 to 1. To
+ * mitigate this behaviour add 1 to the life counter values provided.
+ */
+
+ if (ipsec_xfrm->life.bytes_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.bytes_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
/* There are two words of CPT_CTX_HW_S for ucode to skip */
sa->w0.s.ctx_hdr_size = 1;
sa->w0.s.aop_valid = 1;
@@ -360,6 +405,31 @@ cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa,
/* IPID gen */
sa->w2.s.ipid_gen = 1;
+ /**
+ * CPT MC triggers expiry when counter value changes from 2 to 1. To
+ * mitigate this behaviour add 1 to the life counter values provided.
+ */
+
+ if (ipsec_xfrm->life.bytes_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_soft_limit) {
+ sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1;
+ sa->w0.s.soft_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.bytes_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
+ if (ipsec_xfrm->life.packets_hard_limit) {
+ sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1;
+ sa->w0.s.hard_life_dec = 1;
+ }
+
/* There are two words of CPT_CTX_HW_S for ucode to skip */
sa->w0.s.ctx_hdr_size = 1;
sa->w0.s.aop_valid = 1;
diff a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c (rejected hunks)
@@ -348,12 +348,44 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
struct cpt_inflight_req *infl_req)
{
struct cpt_cn10k_res_s *res = (struct cpt_cn10k_res_s *)&infl_req->res;
+ const uint8_t uc_compcode = res->uc_compcode;
+ const uint8_t compcode = res->compcode;
unsigned int sz;
- if (likely(res->compcode == CPT_COMP_GOOD ||
- res->compcode == CPT_COMP_WARN)) {
- if (unlikely(res->uc_compcode)) {
- if (res->uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE)
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+
+ if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
+ cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
+ if (likely(compcode == CPT_COMP_WARN)) {
+ if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) {
+ /* Success with additional info */
+ switch (uc_compcode) {
+ case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST:
+ cop->aux_flags =
+ RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
+ break;
+ default:
+ break;
+ }
+ }
+ cn10k_cpt_sec_post_process(cop, res);
+ } else {
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ plt_dp_info("HW completion code 0x%x", res->compcode);
+ if (compcode == CPT_COMP_GOOD) {
+ plt_dp_info(
+ "Request failed with microcode error");
+ plt_dp_info("MC completion code 0x%x",
+ uc_compcode);
+ }
+ }
+
+ return;
+ }
+
+ if (likely(compcode == CPT_COMP_GOOD || compcode == CPT_COMP_WARN)) {
+ if (unlikely(uc_compcode)) {
+ if (uc_compcode == ROC_SE_ERR_GC_ICV_MISCOMPARE)
cop->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
else
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
@@ -364,13 +396,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
goto temp_sess_free;
}
- cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
- if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
- cn10k_cpt_sec_post_process(cop, res);
- return;
- }
-
/* Verify authentication data if required */
if (unlikely(infl_req->op_flags &
CPT_OP_FLAGS_AUTH_VERIFY)) {
@@ -392,7 +418,7 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
plt_dp_info("HW completion code 0x%x", res->compcode);
- switch (res->compcode) {
+ switch (compcode) {
case CPT_COMP_INSTERR:
plt_dp_err("Request failed with instruction error");
break;
diff a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c (rejected hunks)
@@ -485,7 +485,11 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
static inline int
cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
{
- RTE_SET_USED(ipsec);
+ if (ipsec->life.bytes_hard_limit != 0 ||
+ ipsec->life.bytes_soft_limit != 0 ||
+ ipsec->life.packets_hard_limit != 0 ||
+ ipsec->life.packets_soft_limit != 0)
+ return -ENOTSUP;
return 0;
}
Checking patch drivers/crypto/octeontx2/otx2_ipsec_po.h...
error: while searching for:
struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
int ret;
if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
return ipsec_po_xform_aead_verify(ipsec, xform);
error: patch failed: drivers/crypto/octeontx2/otx2_ipsec_po.h:293
Applying patch drivers/crypto/octeontx2/otx2_ipsec_po.h with 1 reject...
Rejected hunk #1.
diff a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h (rejected hunks)
@@ -293,6 +293,12 @@ ipsec_po_xform_verify(struct rte_security_ipsec_xform *ipsec,
struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
int ret;
+ if (ipsec->life.bytes_hard_limit != 0 ||
+ ipsec->life.bytes_soft_limit != 0 ||
+ ipsec->life.packets_hard_limit != 0 ||
+ ipsec->life.packets_soft_limit != 0)
+ return -ENOTSUP;
+
if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
return ipsec_po_xform_aead_verify(ipsec, xform);
Checking patch app/test/test_cryptodev.c...
error: while searching for:
/* Process crypto operation */
process_crypto_request(dev_id, ut_params->op);
ret = test_ipsec_status_check(ut_params->op, flags, dir);
if (ret != TEST_SUCCESS)
goto crypto_op_free;
error: patch failed: app/test/test_cryptodev.c:9045
error: while searching for:
unsigned int i, nb_pkts = 1, pass_cnt = 0;
int ret;
if (flags->iv_gen)
nb_pkts = IPSEC_TEST_PACKETS_MAX;
for (i = 0; i < RTE_DIM(aead_list); i++) {
error: patch failed: app/test/test_cryptodev.c:9115
Hunk #3 succeeded at 9215 (offset 34 lines).
error: while searching for:
ut_setup_security, ut_teardown,
test_ipsec_proto_udp_encap),
TEST_CASE_NAMED_ST(
"Negative test: ICV corruption",
ut_setup_security, ut_teardown,
test_ipsec_proto_err_icv_corrupt),
error: patch failed: app/test/test_cryptodev.c:14136
Checking patch app/test/test_cryptodev_security_ipsec.c...
error: while searching for:
if (flags->iv_gen)
td->ipsec_xform.options.iv_gen_disable = 0;
}
RTE_SET_USED(param2);
error: patch failed: app/test/test_cryptodev_security_ipsec.c:173
error: while searching for:
int
test_ipsec_status_check(struct rte_crypto_op *op,
const struct ipsec_test_flags *flags,
enum rte_security_ipsec_sa_direction dir)
{
int ret = TEST_SUCCESS;
error: patch failed: app/test/test_cryptodev_security_ipsec.c:395
error: while searching for:
}
} else {
if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
printf("Security op processing failed\n");
ret = TEST_FAILED;
}
}
error: patch failed: app/test/test_cryptodev_security_ipsec.c:406
Checking patch app/test/test_cryptodev_security_ipsec.h...
error: while searching for:
struct ipsec_test_flags {
bool display_alg;
bool icv_corrupt;
bool iv_gen;
bool udp_encap;
error: patch failed: app/test/test_cryptodev_security_ipsec.h:49
error: while searching for:
int test_ipsec_status_check(struct rte_crypto_op *op,
const struct ipsec_test_flags *flags,
enum rte_security_ipsec_sa_direction dir);
#endif
error: patch failed: app/test/test_cryptodev_security_ipsec.h:114
Applying patch app/test/test_cryptodev.c with 3 rejects...
Rejected hunk #1.
Rejected hunk #2.
Hunk #3 applied cleanly.
Rejected hunk #4.
Applying patch app/test/test_cryptodev_security_ipsec.c with 3 rejects...
Rejected hunk #1.
Rejected hunk #2.
Rejected hunk #3.
Applying patch app/test/test_cryptodev_security_ipsec.h with 2 rejects...
Rejected hunk #1.
Rejected hunk #2.
diff a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c (rejected hunks)
@@ -9045,7 +9045,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
/* Process crypto operation */
process_crypto_request(dev_id, ut_params->op);
- ret = test_ipsec_status_check(ut_params->op, flags, dir);
+ ret = test_ipsec_status_check(ut_params->op, flags, dir, i + 1);
if (ret != TEST_SUCCESS)
goto crypto_op_free;
@@ -9115,7 +9115,8 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags)
unsigned int i, nb_pkts = 1, pass_cnt = 0;
int ret;
- if (flags->iv_gen)
+ if (flags->iv_gen ||
+ flags->sa_expiry_pkts_soft)
nb_pkts = IPSEC_TEST_PACKETS_MAX;
for (i = 0; i < RTE_DIM(aead_list); i++) {
@@ -14136,6 +14149,10 @@ static struct unit_test_suite ipsec_proto_testsuite = {
ut_setup_security, ut_teardown,
test_ipsec_proto_udp_encap),
TEST_CASE_NAMED_ST(
+ "SA expiry packets soft",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_sa_exp_pkts_soft),
+ TEST_CASE_NAMED_ST(
"Negative test: ICV corruption",
ut_setup_security, ut_teardown,
test_ipsec_proto_err_icv_corrupt),
diff a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c (rejected hunks)
@@ -173,6 +173,10 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
if (flags->iv_gen)
td->ipsec_xform.options.iv_gen_disable = 0;
+
+ if (flags->sa_expiry_pkts_soft)
+ td->ipsec_xform.life.packets_soft_limit =
+ IPSEC_TEST_PACKETS_MAX - 1;
}
RTE_SET_USED(param2);
@@ -395,7 +399,8 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
int
test_ipsec_status_check(struct rte_crypto_op *op,
const struct ipsec_test_flags *flags,
- enum rte_security_ipsec_sa_direction dir)
+ enum rte_security_ipsec_sa_direction dir,
+ int pkt_num)
{
int ret = TEST_SUCCESS;
@@ -406,7 +411,16 @@ test_ipsec_status_check(struct rte_crypto_op *op,
}
} else {
if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
- printf("Security op processing failed\n");
+ printf("Security op processing failed [pkt_num: %d]\n",
+ pkt_num);
+ ret = TEST_FAILED;
+ }
+ }
+
+ if (flags->sa_expiry_pkts_soft && pkt_num == IPSEC_TEST_PACKETS_MAX) {
+ if (!(op->aux_flags &
+ RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY)) {
+ printf("SA soft expiry (pkts) test failed\n");
ret = TEST_FAILED;
}
}
diff a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h (rejected hunks)
@@ -49,6 +49,7 @@ struct ipsec_test_data {
struct ipsec_test_flags {
bool display_alg;
+ bool sa_expiry_pkts_soft;
bool icv_corrupt;
bool iv_gen;
bool udp_encap;
@@ -114,6 +115,7 @@ int test_ipsec_post_process(struct rte_mbuf *m,
int test_ipsec_status_check(struct rte_crypto_op *op,
const struct ipsec_test_flags *flags,
- enum rte_security_ipsec_sa_direction dir);
+ enum rte_security_ipsec_sa_direction dir,
+ int pkt_num);
#endif
Checking patch app/test/test_cryptodev.c...
error: app/test/test_cryptodev.c: does not match index
Checking patch app/test/test_cryptodev_security_ipsec.c...
error: while searching for:
td_inb[i].input_text.data[icv_pos] += 1;
}
if (flags->udp_encap)
td_inb[i].ipsec_xform.options.udp_encap = 1;
error: patch failed: app/test/test_cryptodev_security_ipsec.c:200
error: while searching for:
uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
uint32_t skip, len = rte_pktmbuf_pkt_len(m);
/* For negative tests, no need to do verification */
if (flags->icv_corrupt &&
td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
return TEST_SUCCESS;
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
error: patch failed: app/test/test_cryptodev_security_ipsec.c:285
error: while searching for:
{
int ret = TEST_SUCCESS;
if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
printf("ICV corruption test case failed\n");
error: patch failed: app/test/test_cryptodev_security_ipsec.c:404
Checking patch app/test/test_cryptodev_security_ipsec.h...
error: while searching for:
struct ipsec_test_flags {
bool display_alg;
bool sa_expiry_pkts_soft;
bool icv_corrupt;
bool iv_gen;
bool udp_encap;
error: patch failed: app/test/test_cryptodev_security_ipsec.h:50
Applying patch app/test/test_cryptodev_security_ipsec.c with 3 rejects...
Rejected hunk #1.
Rejected hunk #2.
Rejected hunk #3.
Applying patch app/test/test_cryptodev_security_ipsec.h with 1 reject...
Rejected hunk #1.
diff a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c (rejected hunks)
@@ -200,6 +200,10 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
td_inb[i].input_text.data[icv_pos] += 1;
}
+ if (flags->sa_expiry_pkts_hard)
+ td_inb[i].ipsec_xform.life.packets_hard_limit =
+ IPSEC_TEST_PACKETS_MAX - 1;
+
if (flags->udp_encap)
td_inb[i].ipsec_xform.options.udp_encap = 1;
@@ -285,9 +289,10 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
uint32_t skip, len = rte_pktmbuf_pkt_len(m);
- /* For negative tests, no need to do verification */
- if (flags->icv_corrupt &&
- td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+ /* For tests with status as error for test success, skip verification */
+ if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+ (flags->icv_corrupt ||
+ flags->sa_expiry_pkts_hard))
return TEST_SUCCESS;
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
@@ -404,6 +409,17 @@ test_ipsec_status_check(struct rte_crypto_op *op,
{
int ret = TEST_SUCCESS;
+ if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+ flags->sa_expiry_pkts_hard &&
+ pkt_num == IPSEC_TEST_PACKETS_MAX) {
+ if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+ printf("SA hard expiry (pkts) test failed\n");
+ return TEST_FAILED;
+ } else {
+ return TEST_SUCCESS;
+ }
+ }
+
if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
printf("ICV corruption test case failed\n");
diff a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h (rejected hunks)
@@ -50,6 +50,7 @@ struct ipsec_test_data {
struct ipsec_test_flags {
bool display_alg;
bool sa_expiry_pkts_soft;
+ bool sa_expiry_pkts_hard;
bool icv_corrupt;
bool iv_gen;
bool udp_encap;
Checking patch examples/ipsec-secgw/ipsec.c...
error: while searching for:
}
/* TODO support for Transport */
}
ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT;
ipsec->replay_win_sz = app_sa_prm.window_size;
ipsec->options.esn = app_sa_prm.enable_esn;
ipsec->options.udp_encap = sa->udp_encap;
error: patch failed: examples/ipsec-secgw/ipsec.c:49
Checking patch examples/ipsec-secgw/ipsec.h...
error: while searching for:
#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00
#define IV_OFFSET (sizeof(struct rte_crypto_op) + \
sizeof(struct rte_crypto_sym_op))
error: patch failed: examples/ipsec-secgw/ipsec.h:23
Applying patch examples/ipsec-secgw/ipsec.c with 1 reject...
Rejected hunk #1.
Applying patch examples/ipsec-secgw/ipsec.h with 1 reject...
Rejected hunk #1.
diff a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c (rejected hunks)
@@ -49,7 +49,6 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
}
/* TODO support for Transport */
}
- ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT;
ipsec->replay_win_sz = app_sa_prm.window_size;
ipsec->options.esn = app_sa_prm.enable_esn;
ipsec->options.udp_encap = sa->udp_encap;
diff a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h (rejected hunks)
@@ -23,8 +23,6 @@
#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
-#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00
-
#define IV_OFFSET (sizeof(struct rte_crypto_op) + \
sizeof(struct rte_crypto_sym_op))
https://lab.dpdk.org/results/dashboard/patchsets/19016/
UNH-IOL DPDK Community Lab
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2021-10-05 22:13 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-05 22:13 [dpdk-test-report] |WARNING| pw99892-99897 [PATCH] [v4, 6/6] examples/ipsec-secgw: clear soft expiry configuration dpdklab
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).