From patchwork Tue Aug 15 06:35:05 2017
X-Patchwork-Submitter: Akhil Goyal
X-Patchwork-Id: 27605
From: Akhil Goyal
Date: Tue, 15 Aug 2017 12:05:05 +0530
Message-ID: <20170815063505.22032-5-akhil.goyal@nxp.com>
In-Reply-To: <20170815063505.22032-1-akhil.goyal@nxp.com>
References: <20170725112153.29699-1-akhil.goyal@nxp.com> <20170815063505.22032-1-akhil.goyal@nxp.com>
Subject: [dpdk-dev] [RFC PATCH 4/4] example/ipsec-secgw: add support for offloading crypto op
List-Id: DPDK patches and discussions

ipsec-secgw application is modified so that it can support
following type of actions for crypto operations
1. full protocol offload using crypto devices.
2. inline ipsec using ethernet devices to perform crypto operations
3. full protocol offload using ethernet devices.
4. non protocol offload

action type 1 is implemented as part of this patch.
action type 2 and 3 will be added as part of the original RFC in this thread.
action type 4 is already supported.

Signed-off-by: Akhil Goyal
---
 examples/ipsec-secgw/ipsec.c | 125 +++++++++++++++++++++++++------------
 examples/ipsec-secgw/ipsec.h | 13 +++-
 examples/ipsec-secgw/sa.c | 142 ++++++++++++++++++++++++++++++++-----------
 3 files changed, 206 insertions(+), 74 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 0afb9d6..c8fde1c 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -37,6 +37,7 @@ #include #include #include +#include #include #include #include 
@@ -71,22 +72,40 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) ipsec_ctx->tbl[cdev_id_qp].id, ipsec_ctx->tbl[cdev_id_qp].qp); - sa->crypto_session = rte_cryptodev_sym_session_create( - ipsec_ctx->session_pool); - rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id, - sa->crypto_session, sa->xforms, - ipsec_ctx->session_pool); - - rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id, &cdev_info); - if (cdev_info.sym.max_nb_sessions_per_qp > 0) { - ret = rte_cryptodev_queue_pair_attach_sym_session( - ipsec_ctx->tbl[cdev_id_qp].id, - ipsec_ctx->tbl[cdev_id_qp].qp, - sa->crypto_session); + if (sa->type == RTE_SECURITY_SESS_NONE) { + sa->crypto_session = rte_cryptodev_sym_session_create( + ipsec_ctx->session_pool); + rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id, + sa->crypto_session, sa->xforms, + ipsec_ctx->session_pool); + + rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id, &cdev_info); + if (cdev_info.sym.max_nb_sessions_per_qp > 0) { + ret = rte_cryptodev_queue_pair_attach_sym_session( + ipsec_ctx->tbl[cdev_id_qp].id, + ipsec_ctx->tbl[cdev_id_qp].qp, + sa->crypto_session); + if (ret < 0) { + RTE_LOG(ERR, IPSEC, + "Session cannot be attached to qp %u ", + ipsec_ctx->tbl[cdev_id_qp].qp); + return -1; + } + } + } else { + struct rte_security_sess_conf sess_conf; + + sa->sec_session = rte_security_session_create( + ipsec_ctx->session_pool); + sess_conf.action_type = sa->type; + sess_conf.protocol = RTE_SEC_CONF_IPSEC; + sess_conf.ipsec_xform = sa->sec_xform; + + ret = rte_security_session_init(sa->portid, sa->sec_session, + &sess_conf, ipsec_ctx->session_pool); if (ret < 0) { - RTE_LOG(ERR, IPSEC, - "Session cannot be attached to qp %u ", - ipsec_ctx->tbl[cdev_id_qp].qp); + RTE_LOG(ERR, IPSEC, "SEC Session init failed: err: %d", + ret); return -1; } } 
@@ -125,6 +144,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, { int32_t ret = 0, i; struct ipsec_mbuf_metadata *priv; + struct rte_crypto_sym_op *sym_cop; struct ipsec_sa *sa; for (i = 0; i < nb_pkts; i++) { @@ -140,24 +160,50 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, sa = sas[i]; priv->sa = sa; - priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC; - priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; - - rte_prefetch0(&priv->sym_cop); - - if ((unlikely(sa->crypto_session == NULL)) && - create_session(ipsec_ctx, sa)) { - rte_pktmbuf_free(pkts[i]); - continue; - } - - rte_crypto_op_attach_sym_session(&priv->cop, - sa->crypto_session); - - ret = xform_func(pkts[i], sa, &priv->cop); - if (unlikely(ret)) { - rte_pktmbuf_free(pkts[i]); - continue; + switch (sa->type) { + case RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD: + priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC; + priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; + + rte_prefetch0(&priv->sym_cop); + + if ((unlikely(sa->sec_session == NULL)) && + create_session(ipsec_ctx, sa)) { + rte_pktmbuf_free(pkts[i]); + continue; + } + + sym_cop = get_sym_cop(&priv->cop); + sym_cop->m_src = pkts[i]; + + rte_security_attach_session(&priv->cop, + sa->sec_session); + break; + case RTE_SECURITY_SESS_NONE: + + priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC; + priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; + + rte_prefetch0(&priv->sym_cop); + + if ((unlikely(sa->crypto_session == NULL)) && + create_session(ipsec_ctx, sa)) { + rte_pktmbuf_free(pkts[i]); + continue; + } + + rte_crypto_op_attach_sym_session(&priv->cop, + sa->crypto_session); + + ret = xform_func(pkts[i], sa, &priv->cop); + if (unlikely(ret)) { + rte_pktmbuf_free(pkts[i]); + continue; + } + break; + case RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD: + case RTE_SECURITY_SESS_ETH_INLINE_CRYPTO: + break; } RTE_ASSERT(sa->cdev_id_qp < ipsec_ctx->nb_qps); 
@@ -199,11 +245,14 @@ ipsec_dequeue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, RTE_ASSERT(sa != NULL); - ret = xform_func(pkt, sa, cops[j]); - if (unlikely(ret)) - rte_pktmbuf_free(pkt); - else - pkts[nb_pkts++] = pkt; + if (sa->type == RTE_SECURITY_SESS_NONE) { + ret = xform_func(pkt, sa, cops[j]); + if (unlikely(ret)) { + rte_pktmbuf_free(pkt); + continue; + } + } + pkts[nb_pkts++] = pkt; } } diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index da1fb1b..6291d86 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -38,6 +38,7 @@ #include #include +#include #define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 #define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2 @@ -99,7 +100,10 @@ struct ipsec_sa { uint32_t cdev_id_qp; uint64_t seq; uint32_t salt; - struct rte_cryptodev_sym_session *crypto_session; + union { + struct rte_cryptodev_sym_session *crypto_session; + struct rte_security_session *sec_session; + }; enum rte_crypto_cipher_algorithm cipher_algo; enum rte_crypto_auth_algorithm auth_algo; enum rte_crypto_aead_algorithm aead_algo; @@ -117,7 +121,12 @@ struct ipsec_sa { uint8_t auth_key[MAX_KEY_SIZE]; uint16_t auth_key_len; uint16_t aad_len; - struct rte_crypto_sym_xform *xforms; + union { + struct rte_crypto_sym_xform *xforms; + struct rte_security_ipsec_xform *sec_xform; + }; + enum rte_security_session_action_type type; + uint16_t portid; } __rte_cache_aligned; struct ipsec_mbuf_metadata { diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 7be0e62..851262b 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -41,6 +41,7 @@ #include #include +#include #include #include #include @@ -51,6 +52,8 @@ #include "esp.h" #include "parser.h" +#define IPDEFTTL 64 + struct supported_cipher_algo { const char *keyword; enum rte_crypto_cipher_algorithm algo; 
@@ -238,6 +241,8 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, uint32_t src_p = 0; uint32_t dst_p = 0; uint32_t mode_p = 0; + uint32_t type_p = 0; + uint32_t portid_p = 0; if (strcmp(tokens[0], "in") == 0) { ri = &nb_sa_in; @@ -550,6 +555,47 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, continue; } + if (strcmp(tokens[ti], "type") == 0) { + APP_CHECK_PRESENCE(type_p, tokens[ti], status); + if (status->status < 0) + return; + + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); + if (status->status < 0) + return; + + if (strcmp(tokens[ti], "eth-inline-crypto") == 0) + rule->type = RTE_SECURITY_SESS_ETH_INLINE_CRYPTO; + else if (strcmp(tokens[ti], "eth-proto-offload") == 0) + rule->type = RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD; + else if (strcmp(tokens[ti], "crypto-proto-offload") == 0) + rule->type = RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD; + else if (strcmp(tokens[ti], "non-proto") == 0) + rule->type = RTE_SECURITY_SESS_NONE; + else { + APP_CHECK(0, status, "unrecognized " + "input \"%s\"", tokens[ti]); + return; + } + + type_p = 1; + continue; + } + + if (strcmp(tokens[ti], "port_id") == 0) { + APP_CHECK_PRESENCE(portid_p, tokens[ti], status); + if (status->status < 0) + return; + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); + if (status->status < 0) + return; + rule->portid = atoi(tokens[ti]); + if (status->status < 0) + return; + portid_p = 1; + continue; + } + /* unrecognizeable input */ APP_CHECK(0, status, "unrecognized input \"%s\"", tokens[ti]); @@ -580,6 +626,14 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, if (status->status < 0) return; + if ((rule->type != RTE_SECURITY_SESS_NONE) && (portid_p == 0)) + printf("Missing portid option, falling back to non-offload"); + + if (!type_p || !portid_p) { + rule->type = RTE_SECURITY_SESS_NONE; + rule->portid = -1; + } + *ri = *ri + 1; } 
@@ -647,9 +701,12 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) struct sa_ctx { struct ipsec_sa sa[IPSEC_SA_MAX_ENTRIES]; - struct { - struct rte_crypto_sym_xform a; - struct rte_crypto_sym_xform b; + union { + struct { + struct rte_crypto_sym_xform a; + struct rte_crypto_sym_xform b; + }; + struct rte_security_ipsec_xform c; } xf[IPSEC_SA_MAX_ENTRIES]; }; 
@@ -706,40 +763,57 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], sa->dst.ip.ip4 = rte_cpu_to_be_32(sa->dst.ip.ip4); } + if (sa->type == RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD) { + sa_ctx->xf[idx].c.cipher_alg = sa->cipher_algo; + sa_ctx->xf[idx].c.auth_alg = sa->auth_algo; + sa_ctx->xf[idx].c.cipher_key.data = sa->cipher_key; + sa_ctx->xf[idx].c.auth_key.data = sa->auth_key; + sa_ctx->xf[idx].c.cipher_key.length = + sa->cipher_key_len; + sa_ctx->xf[idx].c.auth_key.length = sa->auth_key_len; + sa_ctx->xf[idx].c.op = (inbound == 1)? + RTE_SECURITY_IPSEC_OP_DECAP : + RTE_SECURITY_IPSEC_OP_ENCAP; + sa_ctx->xf[idx].c.salt = sa->salt; + sa_ctx->xf[idx].c.spi = sa->spi; + if (sa->flags == IP4_TUNNEL) { + sa_ctx->xf[idx].c.mode = + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL; + sa_ctx->xf[idx].c.tunnel.ipv4.ttl = IPDEFTTL; + memcpy((uint8_t *)&sa_ctx->xf[idx].c.tunnel.ipv4.src_ip, + (uint8_t *)&sa->src.ip.ip4, 4); + memcpy((uint8_t *)&sa_ctx->xf[idx].c.tunnel.ipv4.dst_ip, + (uint8_t *)&sa->dst.ip.ip4, 4); +// sa_ctx->xf[idx].c.tunnel.ipv4.src_ip = +// (struct in_addr)sa->src.ip.ip4; +// sa_ctx->xf[idx].c.tunnel.ipv4.dst_ip = +// (struct in_addr)sa->dst.ip.ip4; + } + /* TODO support for Transport and IPV6 tunnel */ + sa->sec_xform = &sa_ctx->xf[idx].c; + + print_one_sa_rule(sa, inbound); + continue; + } + if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) { iv_length = 16; - if (inbound) { - sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AEAD; - sa_ctx->xf[idx].a.aead.algo = sa->aead_algo; - sa_ctx->xf[idx].a.aead.key.data = sa->cipher_key; - sa_ctx->xf[idx].a.aead.key.length = - sa->cipher_key_len; - sa_ctx->xf[idx].a.aead.op = - RTE_CRYPTO_AEAD_OP_DECRYPT; - sa_ctx->xf[idx].a.next = NULL; - sa_ctx->xf[idx].a.aead.iv.offset = IV_OFFSET; - sa_ctx->xf[idx].a.aead.iv.length = iv_length; - sa_ctx->xf[idx].a.aead.aad_length = - sa->aad_len; - sa_ctx->xf[idx].a.aead.digest_length = - sa->digest_len; - } else { /* outbound */ - sa_ctx->xf[idx].a.type = 
RTE_CRYPTO_SYM_XFORM_AEAD; - sa_ctx->xf[idx].a.aead.algo = sa->aead_algo; - sa_ctx->xf[idx].a.aead.key.data = sa->cipher_key; - sa_ctx->xf[idx].a.aead.key.length = - sa->cipher_key_len; - sa_ctx->xf[idx].a.aead.op = - RTE_CRYPTO_AEAD_OP_ENCRYPT; - sa_ctx->xf[idx].a.next = NULL; - sa_ctx->xf[idx].a.aead.iv.offset = IV_OFFSET; - sa_ctx->xf[idx].a.aead.iv.length = iv_length; - sa_ctx->xf[idx].a.aead.aad_length = - sa->aad_len; - sa_ctx->xf[idx].a.aead.digest_length = - sa->digest_len; - } + sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AEAD; + sa_ctx->xf[idx].a.aead.algo = sa->aead_algo; + sa_ctx->xf[idx].a.aead.key.data = sa->cipher_key; + sa_ctx->xf[idx].a.aead.key.length = + sa->cipher_key_len; + sa_ctx->xf[idx].a.aead.op = (inbound == 1) ? + RTE_CRYPTO_AEAD_OP_DECRYPT : + RTE_CRYPTO_AEAD_OP_ENCRYPT; + sa_ctx->xf[idx].a.next = NULL; + sa_ctx->xf[idx].a.aead.iv.offset = IV_OFFSET; + sa_ctx->xf[idx].a.aead.iv.length = iv_length; + sa_ctx->xf[idx].a.aead.aad_length = + sa->aad_len; + sa_ctx->xf[idx].a.aead.digest_length = + sa->digest_len; sa->xforms = &sa_ctx->xf[idx].a;
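
Review bot: In create_session() (ipsec.c), the new else branch hands sess_conf to rte_security_session_init() with only action_type, protocol and ipsec_xform assigned; sess_conf is a stack local with no initializer, so any other member the struct has is left indeterminate. Zero-initialize it at the declaration (struct rte_security_sess_conf sess_conf = {0};) and check the pointer returned by rte_security_session_create() for NULL before passing it on. The new "SEC Session init failed: err: %d" format string also has no trailing newline.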
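
Review bot: In ipsec_enqueue() (ipsec.c), the RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD and RTE_SECURITY_SESS_ETH_INLINE_CRYPTO cases only break, so a packet on such an SA reaches the code after the switch, starting at RTE_ASSERT(sa->cdev_id_qp < ipsec_ctx->nb_qps), with priv->cop never set up and no session attached. The sa.c part of this patch accepts both type keywords from the configuration, so the path is reachable. Until those action types are implemented, free the mbuf and continue in these cases, or reject the keywords at parse time. The switch also has no default case.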
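
Review bot: In ipsec_dequeue() (ipsec.c), packets on an SA whose type is not RTE_SECURITY_SESS_NONE are appended to pkts[] without anything in this hunk looking at cops[j]: xform_func() is skipped and no status check replaces it. An inbound packet whose offloaded operation failed would then be forwarded like a good one. For the offload types, compare cops[j]->status with RTE_CRYPTO_OP_STATUS_SUCCESS and free the mbuf on failure before the pkts[nb_pkts++] = pkt line.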
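
Review bot: In parse_sa_tokens() (sa.c), rule->portid = atoi(tokens[ti]) accepts any string: non-numeric input becomes port 0, larger values are truncated into the uint16_t portid declared in ipsec.h, and the status->status check right after the assignment can never fire because nothing between the two sets status. Parse with strtoul(), validate the range and report errors through APP_CHECK as the type branch does. In the fallback at the end of the function, rule->portid = -1 stores 65535 in that uint16_t, the "Missing portid option" printf has no newline, and the message is not printed when port_id is given without type even though that rule is also reset to RTE_SECURITY_SESS_NONE.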
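
Review bot: In sa_add_rules() (sa.c), the RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD branch sets c.mode and the tunnel addresses only when sa->flags == IP4_TUNNEL, yet for every other flags value it still assigns sa->sec_xform and continues, so a transport or IPv6 tunnel SA is given a security xform whose mode was never assigned. Reject such rules explicitly until the TODO is resolved. The branch also copies only cipher_algo and auth_algo and never reads sa->aead_algo, so an AES-GCM SA marked for offload does not carry its algorithm into the xform. The four commented-out // lines should be dropped before this leaves RFC.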