GET /api/patches/48147/?format=api
http://patchwork.dpdk.org/api/patches/48147/?format=api", "web_url": "http://patchwork.dpdk.org/project/dpdk/patch/1542326031-5263-6-git-send-email-konstantin.ananyev@intel.com/", "project": { "id": 1, "url": "http://patchwork.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<1542326031-5263-6-git-send-email-konstantin.ananyev@intel.com>", "list_archive_url": "https://inbox.dpdk.org/dev/1542326031-5263-6-git-send-email-konstantin.ananyev@intel.com", "date": "2018-11-15T23:53:47", "name": "[5/9] ipsec: add SA data-path API", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": true, "hash": "cc8ef1aec1658f29316a460253ed28a36448fd97", "submitter": { "id": 33, "url": "http://patchwork.dpdk.org/api/people/33/?format=api", "name": "Ananyev, Konstantin", "email": "konstantin.ananyev@intel.com" }, "delegate": { "id": 1, "url": "http://patchwork.dpdk.org/api/users/1/?format=api", "username": "tmonjalo", "first_name": "Thomas", "last_name": "Monjalon", "email": "thomas@monjalon.net" }, "mbox": "http://patchwork.dpdk.org/project/dpdk/patch/1542326031-5263-6-git-send-email-konstantin.ananyev@intel.com/mbox/", "series": [ { "id": 2455, "url": "http://patchwork.dpdk.org/api/series/2455/?format=api", "web_url": "http://patchwork.dpdk.org/project/dpdk/list/?series=2455", "date": "2018-11-15T23:53:47", "name": null, "version": 1, "mbox": "http://patchwork.dpdk.org/series/2455/mbox/" } ], "comments": "http://patchwork.dpdk.org/api/patches/48147/comments/", "check": "fail", "checks": "http://patchwork.dpdk.org/api/patches/48147/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", 
"X-Original-To": "patchwork@dpdk.org", "Delivered-To": "patchwork@dpdk.org", "Received": [ "from [92.243.14.124] (localhost [127.0.0.1])\n\tby dpdk.org (Postfix) with ESMTP id 1F1744F9B;\n\tFri, 16 Nov 2018 00:54:15 +0100 (CET)", "from mga09.intel.com (mga09.intel.com [134.134.136.24])\n\tby dpdk.org (Postfix) with ESMTP id 45FBA4CB5\n\tfor <dev@dpdk.org>; Fri, 16 Nov 2018 00:54:07 +0100 (CET)", "from orsmga007.jf.intel.com ([10.7.209.58])\n\tby orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;\n\t15 Nov 2018 15:54:06 -0800", "from sivswdev08.ir.intel.com (HELO localhost.localdomain)\n\t([10.237.217.47])\n\tby orsmga007.jf.intel.com with ESMTP; 15 Nov 2018 15:54:05 -0800" ], "X-Amp-Result": "SKIPPED(no attachment in message)", "X-Amp-File-Uploaded": "False", "X-ExtLoop1": "1", "X-IronPort-AV": "E=Sophos;i=\"5.56,238,1539673200\"; d=\"scan'208\";a=\"89697375\"", "From": "Konstantin Ananyev <konstantin.ananyev@intel.com>", "To": "dev@dpdk.org", "Cc": "Konstantin Ananyev <konstantin.ananyev@intel.com>,\n\tMohammad Abdul Awal <mohammad.abdul.awal@intel.com>", "Date": "Thu, 15 Nov 2018 23:53:47 +0000", "Message-Id": "<1542326031-5263-6-git-send-email-konstantin.ananyev@intel.com>", "X-Mailer": "git-send-email 1.7.0.7", "In-Reply-To": "<1535129598-27301-1-git-send-email-konstantin.ananyev@intel.com>", "References": "<1535129598-27301-1-git-send-email-konstantin.ananyev@intel.com>", "Subject": "[dpdk-dev] [PATCH 5/9] ipsec: add SA data-path API", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.15", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n\t<mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n\t<mailto:dev-request@dpdk.org?subject=subscribe>", 
"Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "Introduce Security Association (SA-level) data-path API\nOperates at SA level, provides functions to:\n - initialize/teardown SA object\n - process inbound/outbound ESP/AH packets associated with the given SA\n (decrypt/encrypt, authenticate, check integrity,\n add/remove ESP/AH related headers and data, etc.).\n\nSigned-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com>\nSigned-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>\n---\n lib/librte_ipsec/Makefile | 2 +\n lib/librte_ipsec/meson.build | 4 +-\n lib/librte_ipsec/rte_ipsec.h | 154 +++++++++++++++++++++++++\n lib/librte_ipsec/rte_ipsec_version.map | 3 +\n lib/librte_ipsec/sa.c | 21 +++-\n lib/librte_ipsec/sa.h | 4 +\n lib/librte_ipsec/ses.c | 45 ++++++++\n 7 files changed, 230 insertions(+), 3 deletions(-)\n create mode 100644 lib/librte_ipsec/rte_ipsec.h\n create mode 100644 lib/librte_ipsec/ses.c", "diff": "diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile\nindex 7758dcc6d..79f187fae 100644\n--- a/lib/librte_ipsec/Makefile\n+++ b/lib/librte_ipsec/Makefile\n@@ -17,8 +17,10 @@ LIBABIVER := 1\n \n # all source are stored in SRCS-y\n SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += sa.c\n+SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += ses.c\n \n # install header files\n+SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec.h\n SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec_sa.h\n \n include $(RTE_SDK)/mk/rte.lib.mk\ndiff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build\nindex 52c78eaeb..6e8c6fabe 100644\n--- a/lib/librte_ipsec/meson.build\n+++ b/lib/librte_ipsec/meson.build\n@@ -3,8 +3,8 @@\n \n allow_experimental_apis = true\n \n-sources=files('sa.c')\n+sources=files('sa.c', 'ses.c')\n \n-install_headers = files('rte_ipsec_sa.h')\n+install_headers = files('rte_ipsec.h', 'rte_ipsec_sa.h')\n \n deps += ['mbuf', 'net', 'cryptodev', 'security']\ndiff --git 
a/lib/librte_ipsec/rte_ipsec.h b/lib/librte_ipsec/rte_ipsec.h\nnew file mode 100644\nindex 000000000..429d4bf38\n--- /dev/null\n+++ b/lib/librte_ipsec/rte_ipsec.h\n@@ -0,0 +1,154 @@\n+/* SPDX-License-Identifier: BSD-3-Clause\n+ * Copyright(c) 2018 Intel Corporation\n+ */\n+\n+#ifndef _RTE_IPSEC_H_\n+#define _RTE_IPSEC_H_\n+\n+/**\n+ * @file rte_ipsec.h\n+ * @b EXPERIMENTAL: this API may change without prior notice\n+ *\n+ * RTE IPsec support.\n+ * librte_ipsec provides a framework for data-path IPsec protocol\n+ * processing (ESP/AH).\n+ * IKEv2 protocol support right now is out of scope of that draft.\n+ * Though it tries to define related API in such way, that it could be adopted\n+ * by IKEv2 implementation.\n+ */\n+\n+#include <rte_ipsec_sa.h>\n+#include <rte_mbuf.h>\n+\n+#ifdef __cplusplus\n+extern \"C\" {\n+#endif\n+\n+struct rte_ipsec_session;\n+\n+/**\n+ * IPsec session specific functions that will be used to:\n+ * - prepare - for input mbufs and given IPsec session prepare crypto ops\n+ * that can be enqueued into the cryptodev associated with given session\n+ * (see *rte_ipsec_pkt_crypto_prepare* below for more details).\n+ * - process - finalize processing of packets after crypto-dev finished\n+ * with them or process packets that are subjects to inline IPsec offload\n+ * (see rte_ipsec_pkt_process for more details).\n+ */\n+struct rte_ipsec_sa_pkt_func {\n+\tuint16_t (*prepare)(const struct rte_ipsec_session *ss,\n+\t\t\t\tstruct rte_mbuf *mb[],\n+\t\t\t\tstruct rte_crypto_op *cop[],\n+\t\t\t\tuint16_t num);\n+\tuint16_t (*process)(const struct rte_ipsec_session *ss,\n+\t\t\t\tstruct rte_mbuf *mb[],\n+\t\t\t\tuint16_t num);\n+};\n+\n+/**\n+ * rte_ipsec_session is an aggregate structure that defines particular\n+ * IPsec Security Association IPsec (SA) on given security/crypto device:\n+ * - pointer to the SA object\n+ * - security session action type\n+ * - pointer to security/crypto session, plus other related data\n+ * - session/device specific 
functions to prepare/process IPsec packets.\n+ */\n+struct rte_ipsec_session {\n+\n+\t/**\n+\t * SA that session belongs to.\n+\t * Note that multiple sessions can belong to the same SA.\n+\t */\n+\tstruct rte_ipsec_sa *sa;\n+\t/** session action type */\n+\tenum rte_security_session_action_type type;\n+\t/** session and related data */\n+\tunion {\n+\t\tstruct {\n+\t\t\tstruct rte_cryptodev_sym_session *ses;\n+\t\t} crypto;\n+\t\tstruct {\n+\t\t\tstruct rte_security_session *ses;\n+\t\t\tstruct rte_security_ctx *ctx;\n+\t\t\tuint32_t ol_flags;\n+\t\t} security;\n+\t};\n+\t/** functions to prepare/process IPsec packets */\n+\tstruct rte_ipsec_sa_pkt_func pkt_func;\n+} __rte_cache_aligned;\n+\n+/**\n+ * Checks that inside given rte_ipsec_session crypto/security fields\n+ * are filled correctly and setups function pointers based on these values.\n+ * @param ss\n+ * Pointer to the *rte_ipsec_session* object\n+ * @return\n+ * - Zero if operation completed successfully.\n+ * - -EINVAL if the parameters are invalid.\n+ */\n+int __rte_experimental\n+rte_ipsec_session_prepare(struct rte_ipsec_session *ss);\n+\n+/**\n+ * For input mbufs and given IPsec session prepare crypto ops that can be\n+ * enqueued into the cryptodev associated with given session.\n+ * expects that for each input packet:\n+ * - l2_len, l3_len are setup correctly\n+ * Note that erroneous mbufs are not freed by the function,\n+ * but are placed beyond last valid mbuf in the *mb* array.\n+ * It is a user responsibility to handle them further.\n+ * @param ss\n+ * Pointer to the *rte_ipsec_session* object the packets belong to.\n+ * @param mb\n+ * The address of an array of *num* pointers to *rte_mbuf* structures\n+ * which contain the input packets.\n+ * @param cop\n+ * The address of an array of *num* pointers to the output *rte_crypto_op*\n+ * structures.\n+ * @param num\n+ * The maximum number of packets to process.\n+ * @return\n+ * Number of successfully processed packets, with error code set in 
rte_errno.\n+ */\n+static inline uint16_t __rte_experimental\n+rte_ipsec_pkt_crypto_prepare(const struct rte_ipsec_session *ss,\n+\tstruct rte_mbuf *mb[], struct rte_crypto_op *cop[], uint16_t num)\n+{\n+\treturn ss->pkt_func.prepare(ss, mb, cop, num);\n+}\n+\n+/**\n+ * Finalise processing of packets after crypto-dev finished with them or\n+ * process packets that are subjects to inline IPsec offload.\n+ * Expects that for each input packet:\n+ * - l2_len, l3_len are setup correctly\n+ * Output mbufs will be:\n+ * inbound - decrypted & authenticated, ESP(AH) related headers removed,\n+ * *l2_len* and *l3_len* fields are updated.\n+ * outbound - appropriate mbuf fields (ol_flags, tx_offloads, etc.)\n+ * properly setup, if necessary - IP headers updated, ESP(AH) fields added,\n+ * Note that erroneous mbufs are not freed by the function,\n+ * but are placed beyond last valid mbuf in the *mb* array.\n+ * It is a user responsibility to handle them further.\n+ * @param ss\n+ * Pointer to the *rte_ipsec_session* object the packets belong to.\n+ * @param mb\n+ * The address of an array of *num* pointers to *rte_mbuf* structures\n+ * which contain the input packets.\n+ * @param num\n+ * The maximum number of packets to process.\n+ * @return\n+ * Number of successfully processed packets, with error code set in rte_errno.\n+ */\n+static inline uint16_t __rte_experimental\n+rte_ipsec_pkt_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],\n+\tuint16_t num)\n+{\n+\treturn ss->pkt_func.process(ss, mb, num);\n+}\n+\n+#ifdef __cplusplus\n+}\n+#endif\n+\n+#endif /* _RTE_IPSEC_H_ */\ndiff --git a/lib/librte_ipsec/rte_ipsec_version.map b/lib/librte_ipsec/rte_ipsec_version.map\nindex 1a66726b8..d1c52d7ca 100644\n--- a/lib/librte_ipsec/rte_ipsec_version.map\n+++ b/lib/librte_ipsec/rte_ipsec_version.map\n@@ -1,6 +1,9 @@\n EXPERIMENTAL {\n \tglobal:\n \n+\trte_ipsec_pkt_crypto_prepare;\n+\trte_ipsec_session_prepare;\n+\trte_ipsec_pkt_process;\n \trte_ipsec_sa_fini;\n 
\trte_ipsec_sa_init;\n \trte_ipsec_sa_size;\ndiff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c\nindex c814e5384..7f9baa602 100644\n--- a/lib/librte_ipsec/sa.c\n+++ b/lib/librte_ipsec/sa.c\n@@ -2,7 +2,7 @@\n * Copyright(c) 2018 Intel Corporation\n */\n \n-#include <rte_ipsec_sa.h>\n+#include <rte_ipsec.h>\n #include <rte_esp.h>\n #include <rte_ip.h>\n #include <rte_errno.h>\n@@ -305,3 +305,22 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,\n \n \treturn sz;\n }\n+\n+int\n+ipsec_sa_pkt_func_select(const struct rte_ipsec_session *ss,\n+\tconst struct rte_ipsec_sa *sa, struct rte_ipsec_sa_pkt_func *pf)\n+{\n+\tint32_t rc;\n+\n+\tRTE_SET_USED(sa);\n+\n+\trc = 0;\n+\tpf[0] = (struct rte_ipsec_sa_pkt_func) { 0 };\n+\n+\tswitch (ss->type) {\n+\tdefault:\n+\t\trc = -ENOTSUP;\n+\t}\n+\n+\treturn rc;\n+}\ndiff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h\nindex 5d113891a..050a6d7ae 100644\n--- a/lib/librte_ipsec/sa.h\n+++ b/lib/librte_ipsec/sa.h\n@@ -74,4 +74,8 @@ struct rte_ipsec_sa {\n \n } __rte_cache_aligned;\n \n+int\n+ipsec_sa_pkt_func_select(const struct rte_ipsec_session *ss,\n+\tconst struct rte_ipsec_sa *sa, struct rte_ipsec_sa_pkt_func *pf);\n+\n #endif /* _SA_H_ */\ndiff --git a/lib/librte_ipsec/ses.c b/lib/librte_ipsec/ses.c\nnew file mode 100644\nindex 000000000..562c1423e\n--- /dev/null\n+++ b/lib/librte_ipsec/ses.c\n@@ -0,0 +1,45 @@\n+/* SPDX-License-Identifier: BSD-3-Clause\n+ * Copyright(c) 2018 Intel Corporation\n+ */\n+\n+#include <rte_ipsec.h>\n+#include \"sa.h\"\n+\n+static int\n+session_check(struct rte_ipsec_session *ss)\n+{\n+\tif (ss == NULL || ss->sa == NULL)\n+\t\treturn -EINVAL;\n+\n+\tif (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {\n+\t\tif (ss->crypto.ses == NULL)\n+\t\t\treturn -EINVAL;\n+\t} else if (ss->security.ses == NULL || ss->security.ctx == NULL)\n+\t\treturn -EINVAL;\n+\n+\treturn 0;\n+}\n+\n+int __rte_experimental\n+rte_ipsec_session_prepare(struct rte_ipsec_session 
*ss)\n+{\n+\tint32_t rc;\n+\tstruct rte_ipsec_sa_pkt_func fp;\n+\n+\trc = session_check(ss);\n+\tif (rc != 0)\n+\t\treturn rc;\n+\n+\trc = ipsec_sa_pkt_func_select(ss, ss->sa, &fp);\n+\tif (rc != 0)\n+\t\treturn rc;\n+\n+\tss->pkt_func = fp;\n+\n+\tif (ss->type == RTE_SECURITY_ACTION_TYPE_NONE)\n+\t\tss->crypto.ses->opaque_data = (uintptr_t)ss;\n+\telse\n+\t\tss->security.ses->opaque_data = (uintptr_t)ss;\n+\n+\treturn 0;\n+}\n", "prefixes": [ "5/9" ] }{ "id": 48147, "url": "
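Review bot: In `rte_ipsec_session_prepare()` (lib/librte_ipsec/ses.c) the error return after `ipsec_sa_pkt_func_select()` leaves `ss->pkt_func` as the caller supplied it, while the inline wrappers `rte_ipsec_pkt_crypto_prepare()` and `rte_ipsec_pkt_process()` added in rte_ipsec.h call `ss->pkt_func.prepare` / `.process` with no check. As posted, `ipsec_sa_pkt_func_select()` returns -ENOTSUP for every `ss->type`, so every otherwise valid session takes that path. Since the selector already zeroes its output, moving `ss->pkt_func = fp;` above the second `if (rc != 0) return rc;` would make a caller that ignores the return value fault on a NULL call instead of jumping through stale or uninitialised memory. The doxygen for `rte_ipsec_session_prepare()` should also state that the data-path wrappers may only be used after it has returned 0. It should further note that `opaque_data` now holds a raw pointer to `ss`, so the `rte_ipsec_session` must keep its address and outlive the crypto/security session it is attached to.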