| Message ID | 20230811102401.12552-1-david.coyle@intel.com (mailing list archive) |
|---|---|
| Headers |
Return-Path: <dev-bounces@dpdk.org> X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 61CEB43033; Fri, 11 Aug 2023 12:24:27 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 2324840F16; Fri, 11 Aug 2023 12:24:27 +0200 (CEST) Received: from mgamail.intel.com (mgamail.intel.com [134.134.136.20]) by mails.dpdk.org (Postfix) with ESMTP id 816BE40E03 for <dev@dpdk.org>; Fri, 11 Aug 2023 12:24:25 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1691749465; x=1723285465; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=dwHgKMGx2jMzmfuRZjIHKgTbc+mI/C3P/rvHQGwBkhc=; b=FwAADsqRhMoz5WMT2KJ7HO894tS3PqmYLbCR+H3Qo0TI3L/dIVUFMMef BifReXiZ0o1I+k9Qkeq2EFVTXMkCgTPztNcxfwGz5fkHMfFpTX7CIeJdW 1TPr6EdHD5znEuZqfeAXN3+yg0iHSpg5UZrhwKi6u6cLtn6Z3kkJYFfc5 oqhHzlQCQqDUxEsn5GO1RfUWM4dnJUQwyuOJW5tCNwzfhxyvDd5IdagV9 W92UO/6uwbNd4sFoEeQGGlGuZCFe1EF+l4BM09XzN/MDNLq4u1VL10nsr jC9lI6W2Phst9j6oABulnY3o2sECxQiGLSm0Jur5ZqMDG+cyJwYOWS4H3 g==; X-IronPort-AV: E=McAfee;i="6600,9927,10798"; a="361786810" X-IronPort-AV: E=Sophos;i="6.01,165,1684825200"; d="scan'208";a="361786810" Received: from orsmga005.jf.intel.com ([10.7.209.41]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 11 Aug 2023 03:24:21 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10798"; a="906395560" X-IronPort-AV: E=Sophos;i="6.01,165,1684825200"; d="scan'208";a="906395560" Received: from silpixa00399912.ir.intel.com (HELO silpixa00399912.ger.corp.intel.com) ([10.237.222.210]) by orsmga005.jf.intel.com with ESMTP; 11 Aug 2023 03:24:20 -0700 From: David Coyle <david.coyle@intel.com> To: dev@dpdk.org Cc: kai.ji@intel.com, kevin.osullivan@intel.com, David Coyle <david.coyle@intel.com> Subject: [PATCH v2 0/2] crypto/scheduler: add support for security protocols Date: Fri, 11 Aug 2023 10:23:59 +0000 Message-Id: <20230811102401.12552-1-david.coyle@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230809101436.9942-1-david.coyle@intel.com> References: <20230809101436.9942-1-david.coyle@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions <dev.dpdk.org> List-Unsubscribe: <https://mails.dpdk.org/options/dev>, <mailto:dev-request@dpdk.org?subject=unsubscribe> List-Archive: <http://mails.dpdk.org/archives/dev/> List-Post: <mailto:dev@dpdk.org> List-Help: <mailto:dev-request@dpdk.org?subject=help> List-Subscribe: <https://mails.dpdk.org/listinfo/dev>, <mailto:dev-request@dpdk.org?subject=subscribe> Errors-To: dev-bounces@dpdk.org |
| Series |
crypto/scheduler: add support for security protocols
|
|
Message
Coyle, David
Aug. 11, 2023, 10:23 a.m. UTC
This patchset adds support to the cryptodev scheduler PMD and unit tests for the existing security protocols in the security library, namely IPSec, MACSec, PDCP and DOCSIS. v2: * Improve inclusion of rte_security header files * Fix typo in commit message David Coyle (2): crypto/scheduler: support security protocols test/crypto: add security tests for cryptodev scheduler app/test/test_cryptodev.c | 14 +- doc/guides/rel_notes/release_23_11.rst | 3 + drivers/crypto/scheduler/meson.build | 2 +- .../scheduler/rte_cryptodev_scheduler.c | 229 ++++++++++- drivers/crypto/scheduler/scheduler_failover.c | 12 +- .../crypto/scheduler/scheduler_multicore.c | 10 +- .../scheduler/scheduler_pkt_size_distr.c | 54 +-- drivers/crypto/scheduler/scheduler_pmd.c | 33 ++ drivers/crypto/scheduler/scheduler_pmd_ops.c | 375 +++++++++++++----- .../crypto/scheduler/scheduler_pmd_private.h | 148 ++++--- .../crypto/scheduler/scheduler_roundrobin.c | 6 +- 11 files changed, 656 insertions(+), 230 deletions(-)
Comments
Hi David, While it is desirable to add security under crypto/scheduler, would it be functionally possible if the PMDs perform stateful processing? For example, with lookaside protocol mode of IPsec, fields such as seq no & AR defines how the crypto operation can be performed. Without two PMDs sharing this (actively), how can the load balancing happen? Said that, I agree utility of scheduler for stateless operations. My understanding is, PDCP offload that is available today is not stateful and that can leverage this. I'm not sure of DOCSIS and MACsec. Should we make it such that only specific security sessions would be eligible for scheduler operation? Thanks, Anoob > -----Original Message----- > From: David Coyle <david.coyle@intel.com> > Sent: Friday, August 11, 2023 3:54 PM > To: dev@dpdk.org > Cc: kai.ji@intel.com; kevin.osullivan@intel.com; David Coyle > <david.coyle@intel.com> > Subject: [EXT] [PATCH v2 0/2] crypto/scheduler: add support for security > protocols > > External Email > > ---------------------------------------------------------------------- > This patchset adds support to the cryptodev scheduler PMD and unit tests > for the existing security protocols in the security library, namely IPSec, > MACSec, PDCP and DOCSIS. > > v2: > * Improve inclusion of rte_security header files > * Fix typo in commit message > > David Coyle (2): > crypto/scheduler: support security protocols > test/crypto: add security tests for cryptodev scheduler > > app/test/test_cryptodev.c | 14 +- > doc/guides/rel_notes/release_23_11.rst | 3 + > drivers/crypto/scheduler/meson.build | 2 +- > .../scheduler/rte_cryptodev_scheduler.c | 229 ++++++++++- > drivers/crypto/scheduler/scheduler_failover.c | 12 +- > .../crypto/scheduler/scheduler_multicore.c | 10 +- > .../scheduler/scheduler_pkt_size_distr.c | 54 +-- > drivers/crypto/scheduler/scheduler_pmd.c | 33 ++ > drivers/crypto/scheduler/scheduler_pmd_ops.c | 375 +++++++++++++----- > .../crypto/scheduler/scheduler_pmd_private.h | 148 ++++--- > .../crypto/scheduler/scheduler_roundrobin.c | 6 +- > 11 files changed, 656 insertions(+), 230 deletions(-) > > -- > 2.25.1
Hi Anoob, Thank you for that feedback - I was on extended leave so only just getting back to it now. See replies below. Regards, David > -----Original Message----- > From: Anoob Joseph <anoobj@marvell.com> > Sent: Friday, August 11, 2023 12:09 PM > To: Coyle, David <david.coyle@intel.com>; dev@dpdk.org > Cc: Ji, Kai <kai.ji@intel.com>; O'Sullivan, Kevin <kevin.osullivan@intel.com>; > Jerin Jacob Kollanukkaran <jerinj@marvell.com> > Subject: RE: [EXT] [PATCH v2 0/2] crypto/scheduler: add support for security > protocols > > Hi David, > > While it is desirable to add security under crypto/scheduler, would it be > functionally possible if the PMDs perform stateful processing? For example, > with lookaside protocol mode of IPsec, fields such as seq no & AR defines how > the crypto operation can be performed. Without two PMDs sharing this > (actively), how can the load balancing happen? [DC] So if some fields such as seq numbers are maintained within the PMDs for some protocols, then yes you are right - this would not work without some synchronization across PMD instances which I think we'd want to avoid at this point. I tried to find some cases where a crypto PMD that supports IPSec, for example, maintains some global stateful parameters, but I could not find these cases. I'm not at all familiar with these PMDs (cnxk, mvsam, dpaa_sec, dpaa2_sec) though, so maybe you could guide me as to where they are maintained? > > Said that, I agree utility of scheduler for stateless operations. My > understanding is, PDCP offload that is available today is not stateful and that > can leverage this. I'm not sure of DOCSIS and MACsec. [DC] I notice that the PDCP security xform struct has a seq number related field, which would also suggest it could be stateful, but I could be wrong. From a google search MACSec is stateless, but again I'm not an expert. The protocol I am familiar with is DOCSIS, and it is for this protocol that we have added security support to the cryptodev scheduler. DOCSIS is 100% stateless, so will work no problem with the scheduler. > > Should we make it such that only specific security sessions would be eligible for > scheduler operation? [DC] Do you think it would be acceptable to limit the scheduler to the DOCSIS protocol only for now, and let the IPSec, MACSec and PDCP experts add these later if applicable? If you think this would be ok, I can easily make that change. > > Thanks, > Anoob > > > -----Original Message----- > > From: David Coyle <david.coyle@intel.com> > > Sent: Friday, August 11, 2023 3:54 PM > > To: dev@dpdk.org > > Cc: kai.ji@intel.com; kevin.osullivan@intel.com; David Coyle > > <david.coyle@intel.com> > > Subject: [EXT] [PATCH v2 0/2] crypto/scheduler: add support for > > security protocols > > > > External Email > > > > ---------------------------------------------------------------------- > > This patchset adds support to the cryptodev scheduler PMD and unit > > tests for the existing security protocols in the security library, > > namely IPSec, MACSec, PDCP and DOCSIS. > > > > v2: > > * Improve inclusion of rte_security header files > > * Fix typo in commit message > > > > David Coyle (2): > > crypto/scheduler: support security protocols > > test/crypto: add security tests for cryptodev scheduler > > > > app/test/test_cryptodev.c | 14 +- > > doc/guides/rel_notes/release_23_11.rst | 3 + > > drivers/crypto/scheduler/meson.build | 2 +- > > .../scheduler/rte_cryptodev_scheduler.c | 229 ++++++++++- > > drivers/crypto/scheduler/scheduler_failover.c | 12 +- > > .../crypto/scheduler/scheduler_multicore.c | 10 +- > > .../scheduler/scheduler_pkt_size_distr.c | 54 +-- > > drivers/crypto/scheduler/scheduler_pmd.c | 33 ++ > > drivers/crypto/scheduler/scheduler_pmd_ops.c | 375 > > +++++++++++++----- .../crypto/scheduler/scheduler_pmd_private.h | 148 > ++++--- > > .../crypto/scheduler/scheduler_roundrobin.c | 6 +- > > 11 files changed, 656 insertions(+), 230 deletions(-) > > > > -- > > 2.25.1
Hi David, Please see inline. Thanks, Anoob > -----Original Message----- > From: Coyle, David <david.coyle@intel.com> > Sent: Monday, September 11, 2023 9:32 PM > To: Anoob Joseph <anoobj@marvell.com>; dev@dpdk.org > Cc: Ji, Kai <kai.ji@intel.com>; O'Sullivan, Kevin <kevin.osullivan@intel.com>; > Jerin Jacob Kollanukkaran <jerinj@marvell.com> > Subject: RE: [EXT] [PATCH v2 0/2] crypto/scheduler: add support for security > protocols > > Hi Anoob, > > Thank you for that feedback - I was on extended leave so only just getting > back to it now. > See replies below. > > Regards, > David > > > -----Original Message----- > > From: Anoob Joseph <anoobj@marvell.com> > > Sent: Friday, August 11, 2023 12:09 PM > > To: Coyle, David <david.coyle@intel.com>; dev@dpdk.org > > Cc: Ji, Kai <kai.ji@intel.com>; O'Sullivan, Kevin > > <kevin.osullivan@intel.com>; Jerin Jacob Kollanukkaran > > <jerinj@marvell.com> > > Subject: RE: [EXT] [PATCH v2 0/2] crypto/scheduler: add support for > > security protocols > > > > Hi David, > > > > While it is desirable to add security under crypto/scheduler, would it > > be functionally possible if the PMDs perform stateful processing? For > > example, with lookaside protocol mode of IPsec, fields such as seq no > > & AR defines how the crypto operation can be performed. Without two > > PMDs sharing this (actively), how can the load balancing happen? > > [DC] So if some fields such as seq numbers are maintained within the PMDs > for some protocols, then yes you are right - this would not work without > some synchronization across PMD instances which I think we'd want to avoid > at this point. > > I tried to find some cases where a crypto PMD that supports IPSec, for > example, maintains some global stateful parameters, but I could not find > these cases. > I'm not at all familiar with these PMDs (cnxk, mvsam, dpaa_sec, dpaa2_sec) > though, so maybe you could guide me as to where they are maintained? [Anoob] I can comment about cnxk. In cn9k, PMD updates the states. https://elixir.bootlin.com/dpdk/v23.07/source/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h#L177 In cn10k, hw updates the states. Please check the corresponding fields, https://elixir.bootlin.com/dpdk/v23.07/source/drivers/common/cnxk/roc_ie_ot.h#L258 > > > > > Said that, I agree utility of scheduler for stateless operations. My > > understanding is, PDCP offload that is available today is not stateful > > and that can leverage this. I'm not sure of DOCSIS and MACsec. > > [DC] I notice that the PDCP security xform struct has a seq number related > field, which would also suggest it could be stateful, but I could be wrong. [Anoob] The field there is seq no size. That is not stateful. But then, it has HFN field which is the upper few bits of seq no. It is unclear if HFN is expected to be incremented when lower bits overflow. May be it's better PDCP is also left unsupported. I'll let Hemanth confirm. > > From a google search MACSec is stateless, but again I'm not an expert. > > The protocol I am familiar with is DOCSIS, and it is for this protocol that we > have added security support to the cryptodev scheduler. > DOCSIS is 100% stateless, so will work no problem with the scheduler. > > > > > Should we make it such that only specific security sessions would be > > eligible for scheduler operation? > > [DC] Do you think it would be acceptable to limit the scheduler to the DOCSIS > protocol only for now, and let the IPSec, MACSec and PDCP experts add > these later if applicable? > If you think this would be ok, I can easily make that change. [Anoob] I think that would be a good approach. For any stateless protocols, addition of crypto scheduler is a huge plus. > > > > > Thanks, > > Anoob > > > > > -----Original Message----- > > > From: David Coyle <david.coyle@intel.com> > > > Sent: Friday, August 11, 2023 3:54 PM > > > To: dev@dpdk.org > > > Cc: kai.ji@intel.com; kevin.osullivan@intel.com; David Coyle > > > <david.coyle@intel.com> > > > Subject: [EXT] [PATCH v2 0/2] crypto/scheduler: add support for > > > security protocols > > > > > > External Email > > > > > > -------------------------------------------------------------------- > > > -- This patchset adds support to the cryptodev scheduler PMD and > > > unit tests for the existing security protocols in the security > > > library, namely IPSec, MACSec, PDCP and DOCSIS. > > > > > > v2: > > > * Improve inclusion of rte_security header files > > > * Fix typo in commit message > > > > > > David Coyle (2): > > > crypto/scheduler: support security protocols > > > test/crypto: add security tests for cryptodev scheduler > > > > > > app/test/test_cryptodev.c | 14 +- > > > doc/guides/rel_notes/release_23_11.rst | 3 + > > > drivers/crypto/scheduler/meson.build | 2 +- > > > .../scheduler/rte_cryptodev_scheduler.c | 229 ++++++++++- > > > drivers/crypto/scheduler/scheduler_failover.c | 12 +- > > > .../crypto/scheduler/scheduler_multicore.c | 10 +- > > > .../scheduler/scheduler_pkt_size_distr.c | 54 +-- > > > drivers/crypto/scheduler/scheduler_pmd.c | 33 ++ > > > drivers/crypto/scheduler/scheduler_pmd_ops.c | 375 > > > +++++++++++++----- .../crypto/scheduler/scheduler_pmd_private.h | > > > +++++++++++++148 > > ++++--- > > > .../crypto/scheduler/scheduler_roundrobin.c | 6 +- > > > 11 files changed, 656 insertions(+), 230 deletions(-) > > > > > > -- > > > 2.25.1