[v2,1/3] security: add SA config option for inner pkt csum
Commit Message
Add inner packet IPv4 hdr and L4 checksum enable options
in conf. These will be used in case of protocol offload.
Per SA, application could specify whether the
checksum(compute/verify) can be offloaded to security device.
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
doc/guides/cryptodevs/features/default.ini | 1 +
doc/guides/rel_notes/deprecation.rst | 4 ++--
doc/guides/rel_notes/release_21_11.rst | 4 ++++
lib/cryptodev/rte_cryptodev.h | 2 ++
lib/security/rte_security.h | 18 ++++++++++++++++++
5 files changed, 27 insertions(+), 2 deletions(-)
Comments
> Add inner packet IPv4 hdr and L4 checksum enable options
> in conf. These will be used in case of protocol offload.
> Per SA, application could specify whether the
> checksum(compute/verify) can be offloaded to security device.
>
> Signed-off-by: Archana Muniganti <marchana@marvell.com>
> ---
> doc/guides/cryptodevs/features/default.ini | 1 +
> doc/guides/rel_notes/deprecation.rst | 4 ++--
> doc/guides/rel_notes/release_21_11.rst | 4 ++++
> lib/cryptodev/rte_cryptodev.h | 2 ++
> lib/security/rte_security.h | 18 ++++++++++++++++++
> 5 files changed, 27 insertions(+), 2 deletions(-)
>
> diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini
> index c24814de98..96d95ddc81 100644
> --- a/doc/guides/cryptodevs/features/default.ini
> +++ b/doc/guides/cryptodevs/features/default.ini
> @@ -33,6 +33,7 @@ Non-Byte aligned data =
> Sym raw data path API =
> Cipher multiple data units =
> Cipher wrapped key =
> +Inner checksum =
>
> ;
> ; Supported crypto algorithms of a default crypto driver.
> diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
> index 05fc2fdee7..8308e00ed4 100644
> --- a/doc/guides/rel_notes/deprecation.rst
> +++ b/doc/guides/rel_notes/deprecation.rst
> @@ -232,8 +232,8 @@ Deprecation Notices
> IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number).
>
> * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options``
> - will be updated with new fields to support new features like IPsec inner
> - checksum, TSO in case of protocol offload.
> + will be updated with new fields to support new features like TSO in case of
> + protocol offload.
>
> * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
> ``hdr_l3_len`` to configure tunnel L3 header length.
> diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
> index 8da851cccc..93d1b36889 100644
> --- a/doc/guides/rel_notes/release_21_11.rst
> +++ b/doc/guides/rel_notes/release_21_11.rst
> @@ -194,6 +194,10 @@ ABI Changes
> ``rte_security_ipsec_xform`` to allow applications to configure SA soft
> and hard expiry limits. Limits can be either in number of packets or bytes.
>
> +* security: The new options ``ip_csum_enable`` and ``l4_csum_enable`` were added
> + in structure ``rte_security_ipsec_sa_options`` to indicate whether inner
> + packet IPv4 header checksum and L4 checksum need to be offloaded to
> + security device.
>
> Known Issues
> ------------
> diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
> index bb01f0f195..d9271a6c45 100644
> --- a/lib/cryptodev/rte_cryptodev.h
> +++ b/lib/cryptodev/rte_cryptodev.h
> @@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum,
> /**< Support operations on multiple data-units message */
> #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL << 26)
> /**< Support wrapped key in cipher xform */
> +#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL << 27)
> +/**< Support inner checksum computation/verification */
>
> /**
> * Get the name of a crypto device feature flag
> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> index ab1a6e1f65..945f45ad76 100644
> --- a/lib/security/rte_security.h
> +++ b/lib/security/rte_security.h
> @@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
> * * 0: Do not match UDP ports
> */
> uint32_t udp_ports_verify : 1;
> +
> + /** Compute/verify inner packet IPv4 header checksum in tunnel mode
> + *
> + * * 1: For outbound, compute inner packet IPv4 header checksum
> + * before tunnel encapsulation and for inbound, verify after
> + * tunnel decapsulation.
> + * * 0: Inner packet IP header checksum is not computed/verified.
> + */
> + uint32_t ip_csum_enable : 1;
> +
> + /** Compute/verify inner packet L4 checksum in tunnel mode
> + *
> + * * 1: For outbound, compute inner packet L4 checksum before
> + * tunnel encapsulation and for inbound, verify after
> + * tunnel decapsulation.
> + * * 0: Inner packet L4 checksum is not computed/verified.
> + */
> + uint32_t l4_csum_enable : 1;
As I understand these 2 new flags serve two purposes:
1. report HW/PMD ability to perform these offloads.
2. allow user to enable/disable this offload on SA basis.
One question I have - how will it work on the data-path?
Would the decision to perform these offloads be based on mbuf->ol_flags value
(same as we are doing for ethdev TX offloads)?
Or some other approach is implied?
> };
>
> /** IPSec security association direction */
> --
> 2.22.0
Hi Konstantin,
Please see inline.
Thanks,
Anoob
> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> Sent: Wednesday, September 29, 2021 4:26 PM
> To: Archana Muniganti <marchana@marvell.com>; Akhil Goyal
> <gakhil@marvell.com>; Nicolau, Radu <radu.nicolau@intel.com>; Zhang, Roy
> Fan <roy.fan.zhang@intel.com>; hemant.agrawal@nxp.com
> Cc: Anoob Joseph <anoobj@marvell.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>; Jerin Jacob
> Kollanukkaran <jerinj@marvell.com>; dev@dpdk.org
> Subject: [EXT] RE: [PATCH v2 1/3] security: add SA config option for inner pkt
> csum
>
> > Add inner packet IPv4 hdr and L4 checksum enable options in conf.
> > These will be used in case of protocol offload.
> > Per SA, application could specify whether the
> > checksum(compute/verify) can be offloaded to security device.
> >
> > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > ---
> > doc/guides/cryptodevs/features/default.ini | 1 +
> > doc/guides/rel_notes/deprecation.rst | 4 ++--
> > doc/guides/rel_notes/release_21_11.rst | 4 ++++
> > lib/cryptodev/rte_cryptodev.h | 2 ++
> > lib/security/rte_security.h | 18 ++++++++++++++++++
> > 5 files changed, 27 insertions(+), 2 deletions(-)
> >
> > diff --git a/doc/guides/cryptodevs/features/default.ini
> > b/doc/guides/cryptodevs/features/default.ini
> > index c24814de98..96d95ddc81 100644
> > --- a/doc/guides/cryptodevs/features/default.ini
> > +++ b/doc/guides/cryptodevs/features/default.ini
> > @@ -33,6 +33,7 @@ Non-Byte aligned data = Sym raw data path API =
> > Cipher multiple data units =
> > Cipher wrapped key =
> > +Inner checksum =
> >
> > ;
> > ; Supported crypto algorithms of a default crypto driver.
> > diff --git a/doc/guides/rel_notes/deprecation.rst
> > b/doc/guides/rel_notes/deprecation.rst
> > index 05fc2fdee7..8308e00ed4 100644
> > --- a/doc/guides/rel_notes/deprecation.rst
> > +++ b/doc/guides/rel_notes/deprecation.rst
> > @@ -232,8 +232,8 @@ Deprecation Notices
> > IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence
> Number).
> >
> > * security: The IPsec SA config options ``struct
> > rte_security_ipsec_sa_options``
> > - will be updated with new fields to support new features like IPsec
> > inner
> > - checksum, TSO in case of protocol offload.
> > + will be updated with new fields to support new features like TSO in
> > + case of protocol offload.
> >
> > * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
> > ``hdr_l3_len`` to configure tunnel L3 header length.
> > diff --git a/doc/guides/rel_notes/release_21_11.rst
> > b/doc/guides/rel_notes/release_21_11.rst
> > index 8da851cccc..93d1b36889 100644
> > --- a/doc/guides/rel_notes/release_21_11.rst
> > +++ b/doc/guides/rel_notes/release_21_11.rst
> > @@ -194,6 +194,10 @@ ABI Changes
> > ``rte_security_ipsec_xform`` to allow applications to configure SA soft
> > and hard expiry limits. Limits can be either in number of packets or bytes.
> >
> > +* security: The new options ``ip_csum_enable`` and ``l4_csum_enable``
> > +were added
> > + in structure ``rte_security_ipsec_sa_options`` to indicate whether
> > +inner
> > + packet IPv4 header checksum and L4 checksum need to be offloaded to
> > + security device.
> >
> > Known Issues
> > ------------
> > diff --git a/lib/cryptodev/rte_cryptodev.h
> > b/lib/cryptodev/rte_cryptodev.h index bb01f0f195..d9271a6c45 100644
> > --- a/lib/cryptodev/rte_cryptodev.h
> > +++ b/lib/cryptodev/rte_cryptodev.h
> > @@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum
> > rte_crypto_asym_xform_type *xform_enum, /**< Support operations on
> multiple data-units message */
> > #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL << 26)
> > /**< Support wrapped key in cipher xform */
> > +#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL
> << 27)
> > +/**< Support inner checksum computation/verification */
> >
> > /**
> > * Get the name of a crypto device feature flag diff --git
> > a/lib/security/rte_security.h b/lib/security/rte_security.h index
> > ab1a6e1f65..945f45ad76 100644
> > --- a/lib/security/rte_security.h
> > +++ b/lib/security/rte_security.h
> > @@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
> > * * 0: Do not match UDP ports
> > */
> > uint32_t udp_ports_verify : 1;
> > +
> > + /** Compute/verify inner packet IPv4 header checksum in tunnel mode
> > + *
> > + * * 1: For outbound, compute inner packet IPv4 header checksum
> > + * before tunnel encapsulation and for inbound, verify after
> > + * tunnel decapsulation.
> > + * * 0: Inner packet IP header checksum is not computed/verified.
> > + */
> > + uint32_t ip_csum_enable : 1;
> > +
> > + /** Compute/verify inner packet L4 checksum in tunnel mode
> > + *
> > + * * 1: For outbound, compute inner packet L4 checksum before
> > + * tunnel encapsulation and for inbound, verify after
> > + * tunnel decapsulation.
> > + * * 0: Inner packet L4 checksum is not computed/verified.
> > + */
> > + uint32_t l4_csum_enable : 1;
>
> As I understand these 2 new flags serve two purposes:
> 1. report HW/PMD ability to perform these offloads.
> 2. allow user to enable/disable this offload on SA basis.
[Anoob] Correct
>
> One question I have - how will it work on the data-path?
> Would the decision to perform these offloads be based on mbuf->ol_flags value
> (same as we are doing for ethdev TX offloads)?
> Or some other approach is implied?
[Anoob] There will be two settings. It can be enabled per SA or enabled per packet.
>
> > };
> >
> > /** IPSec security association direction */
> > --
> > 2.22.0
Hi Anoob,
> Hi Konstantin,
>
> Please see inline.
>
> Thanks,
> Anoob
>
> > -----Original Message-----
> > From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> > Sent: Wednesday, September 29, 2021 4:26 PM
> > To: Archana Muniganti <marchana@marvell.com>; Akhil Goyal
> > <gakhil@marvell.com>; Nicolau, Radu <radu.nicolau@intel.com>; Zhang, Roy
> > Fan <roy.fan.zhang@intel.com>; hemant.agrawal@nxp.com
> > Cc: Anoob Joseph <anoobj@marvell.com>; Tejasree Kondoj
> > <ktejasree@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>; Jerin Jacob
> > Kollanukkaran <jerinj@marvell.com>; dev@dpdk.org
> > Subject: [EXT] RE: [PATCH v2 1/3] security: add SA config option for inner pkt
> > csum
> >
> > > Add inner packet IPv4 hdr and L4 checksum enable options in conf.
> > > These will be used in case of protocol offload.
> > > Per SA, application could specify whether the
> > > checksum(compute/verify) can be offloaded to security device.
> > >
> > > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > > ---
> > > doc/guides/cryptodevs/features/default.ini | 1 +
> > > doc/guides/rel_notes/deprecation.rst | 4 ++--
> > > doc/guides/rel_notes/release_21_11.rst | 4 ++++
> > > lib/cryptodev/rte_cryptodev.h | 2 ++
> > > lib/security/rte_security.h | 18 ++++++++++++++++++
> > > 5 files changed, 27 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/doc/guides/cryptodevs/features/default.ini
> > > b/doc/guides/cryptodevs/features/default.ini
> > > index c24814de98..96d95ddc81 100644
> > > --- a/doc/guides/cryptodevs/features/default.ini
> > > +++ b/doc/guides/cryptodevs/features/default.ini
> > > @@ -33,6 +33,7 @@ Non-Byte aligned data = Sym raw data path API =
> > > Cipher multiple data units =
> > > Cipher wrapped key =
> > > +Inner checksum =
> > >
> > > ;
> > > ; Supported crypto algorithms of a default crypto driver.
> > > diff --git a/doc/guides/rel_notes/deprecation.rst
> > > b/doc/guides/rel_notes/deprecation.rst
> > > index 05fc2fdee7..8308e00ed4 100644
> > > --- a/doc/guides/rel_notes/deprecation.rst
> > > +++ b/doc/guides/rel_notes/deprecation.rst
> > > @@ -232,8 +232,8 @@ Deprecation Notices
> > > IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence
> > Number).
> > >
> > > * security: The IPsec SA config options ``struct
> > > rte_security_ipsec_sa_options``
> > > - will be updated with new fields to support new features like IPsec
> > > inner
> > > - checksum, TSO in case of protocol offload.
> > > + will be updated with new fields to support new features like TSO in
> > > + case of protocol offload.
> > >
> > > * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
> > > ``hdr_l3_len`` to configure tunnel L3 header length.
> > > diff --git a/doc/guides/rel_notes/release_21_11.rst
> > > b/doc/guides/rel_notes/release_21_11.rst
> > > index 8da851cccc..93d1b36889 100644
> > > --- a/doc/guides/rel_notes/release_21_11.rst
> > > +++ b/doc/guides/rel_notes/release_21_11.rst
> > > @@ -194,6 +194,10 @@ ABI Changes
> > > ``rte_security_ipsec_xform`` to allow applications to configure SA soft
> > > and hard expiry limits. Limits can be either in number of packets or bytes.
> > >
> > > +* security: The new options ``ip_csum_enable`` and ``l4_csum_enable``
> > > +were added
> > > + in structure ``rte_security_ipsec_sa_options`` to indicate whether
> > > +inner
> > > + packet IPv4 header checksum and L4 checksum need to be offloaded to
> > > + security device.
> > >
> > > Known Issues
> > > ------------
> > > diff --git a/lib/cryptodev/rte_cryptodev.h
> > > b/lib/cryptodev/rte_cryptodev.h index bb01f0f195..d9271a6c45 100644
> > > --- a/lib/cryptodev/rte_cryptodev.h
> > > +++ b/lib/cryptodev/rte_cryptodev.h
> > > @@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum
> > > rte_crypto_asym_xform_type *xform_enum, /**< Support operations on
> > multiple data-units message */
> > > #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL << 26)
> > > /**< Support wrapped key in cipher xform */
> > > +#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL
> > << 27)
> > > +/**< Support inner checksum computation/verification */
> > >
> > > /**
> > > * Get the name of a crypto device feature flag diff --git
> > > a/lib/security/rte_security.h b/lib/security/rte_security.h index
> > > ab1a6e1f65..945f45ad76 100644
> > > --- a/lib/security/rte_security.h
> > > +++ b/lib/security/rte_security.h
> > > @@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
> > > * * 0: Do not match UDP ports
> > > */
> > > uint32_t udp_ports_verify : 1;
> > > +
> > > + /** Compute/verify inner packet IPv4 header checksum in tunnel mode
> > > + *
> > > + * * 1: For outbound, compute inner packet IPv4 header checksum
> > > + * before tunnel encapsulation and for inbound, verify after
> > > + * tunnel decapsulation.
> > > + * * 0: Inner packet IP header checksum is not computed/verified.
> > > + */
> > > + uint32_t ip_csum_enable : 1;
> > > +
> > > + /** Compute/verify inner packet L4 checksum in tunnel mode
> > > + *
> > > + * * 1: For outbound, compute inner packet L4 checksum before
> > > + * tunnel encapsulation and for inbound, verify after
> > > + * tunnel decapsulation.
> > > + * * 0: Inner packet L4 checksum is not computed/verified.
> > > + */
> > > + uint32_t l4_csum_enable : 1;
> >
> > As I understand these 2 new flags serve two purposes:
> > 1. report HW/PMD ability to perform these offloads.
> > 2. allow user to enable/disable this offload on SA basis.
>
> [Anoob] Correct
>
> >
> > One question I have - how will it work on the data-path?
> > Would the decision to perform these offloads be based on mbuf->ol_flags value
> > (same as we are doing for ethdev TX offloads)?
> > Or some other approach is implied?
>
> [Anoob] There will be two settings. It can be enabled per SA or enabled per packet.
Ok, will it be documented somewhere?
Or probably it already is, and I just missed/forgot it somehow?
> >
> > > };
> > >
> > > /** IPSec security association direction */
> > > --
> > > 2.22.0
Hi Konstantin,
Please see inline.
Thanks,
Anoob
> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> Sent: Wednesday, September 29, 2021 5:09 PM
> To: Anoob Joseph <anoobj@marvell.com>; Archana Muniganti
> <marchana@marvell.com>; Akhil Goyal <gakhil@marvell.com>; Nicolau, Radu
> <radu.nicolau@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com>;
> hemant.agrawal@nxp.com
> Cc: Tejasree Kondoj <ktejasree@marvell.com>; Ankur Dwivedi
> <adwivedi@marvell.com>; Jerin Jacob Kollanukkaran <jerinj@marvell.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [PATCH v2 1/3] security: add SA config option for inner pkt
> csum
>
> Hi Anoob,
>
> > Hi Konstantin,
> >
> > Please see inline.
> >
> > Thanks,
> > Anoob
> >
> > > -----Original Message-----
> > > From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> > > Sent: Wednesday, September 29, 2021 4:26 PM
> > > To: Archana Muniganti <marchana@marvell.com>; Akhil Goyal
> > > <gakhil@marvell.com>; Nicolau, Radu <radu.nicolau@intel.com>; Zhang,
> > > Roy Fan <roy.fan.zhang@intel.com>; hemant.agrawal@nxp.com
> > > Cc: Anoob Joseph <anoobj@marvell.com>; Tejasree Kondoj
> > > <ktejasree@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>; Jerin
> > > Jacob Kollanukkaran <jerinj@marvell.com>; dev@dpdk.org
> > > Subject: [EXT] RE: [PATCH v2 1/3] security: add SA config option for
> > > inner pkt csum
> > >
> > > > Add inner packet IPv4 hdr and L4 checksum enable options in conf.
> > > > These will be used in case of protocol offload.
> > > > Per SA, application could specify whether the
> > > > checksum(compute/verify) can be offloaded to security device.
> > > >
> > > > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > > > ---
> > > > doc/guides/cryptodevs/features/default.ini | 1 +
> > > > doc/guides/rel_notes/deprecation.rst | 4 ++--
> > > > doc/guides/rel_notes/release_21_11.rst | 4 ++++
> > > > lib/cryptodev/rte_cryptodev.h | 2 ++
> > > > lib/security/rte_security.h | 18 ++++++++++++++++++
> > > > 5 files changed, 27 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/doc/guides/cryptodevs/features/default.ini
> > > > b/doc/guides/cryptodevs/features/default.ini
> > > > index c24814de98..96d95ddc81 100644
> > > > --- a/doc/guides/cryptodevs/features/default.ini
> > > > +++ b/doc/guides/cryptodevs/features/default.ini
> > > > @@ -33,6 +33,7 @@ Non-Byte aligned data = Sym raw data path API
> > > > = Cipher multiple data units =
> > > > Cipher wrapped key =
> > > > +Inner checksum =
> > > >
> > > > ;
> > > > ; Supported crypto algorithms of a default crypto driver.
> > > > diff --git a/doc/guides/rel_notes/deprecation.rst
> > > > b/doc/guides/rel_notes/deprecation.rst
> > > > index 05fc2fdee7..8308e00ed4 100644
> > > > --- a/doc/guides/rel_notes/deprecation.rst
> > > > +++ b/doc/guides/rel_notes/deprecation.rst
> > > > @@ -232,8 +232,8 @@ Deprecation Notices
> > > > IPsec payload MSS (Maximum Segment Size), and ESN (Extended
> > > > Sequence
> > > Number).
> > > >
> > > > * security: The IPsec SA config options ``struct
> > > > rte_security_ipsec_sa_options``
> > > > - will be updated with new fields to support new features like
> > > > IPsec inner
> > > > - checksum, TSO in case of protocol offload.
> > > > + will be updated with new fields to support new features like
> > > > + TSO in case of protocol offload.
> > > >
> > > > * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new
> field
> > > > ``hdr_l3_len`` to configure tunnel L3 header length.
> > > > diff --git a/doc/guides/rel_notes/release_21_11.rst
> > > > b/doc/guides/rel_notes/release_21_11.rst
> > > > index 8da851cccc..93d1b36889 100644
> > > > --- a/doc/guides/rel_notes/release_21_11.rst
> > > > +++ b/doc/guides/rel_notes/release_21_11.rst
> > > > @@ -194,6 +194,10 @@ ABI Changes
> > > > ``rte_security_ipsec_xform`` to allow applications to configure SA soft
> > > > and hard expiry limits. Limits can be either in number of packets or bytes.
> > > >
> > > > +* security: The new options ``ip_csum_enable`` and
> > > > +``l4_csum_enable`` were added
> > > > + in structure ``rte_security_ipsec_sa_options`` to indicate
> > > > +whether inner
> > > > + packet IPv4 header checksum and L4 checksum need to be
> > > > +offloaded to
> > > > + security device.
> > > >
> > > > Known Issues
> > > > ------------
> > > > diff --git a/lib/cryptodev/rte_cryptodev.h
> > > > b/lib/cryptodev/rte_cryptodev.h index bb01f0f195..d9271a6c45
> > > > 100644
> > > > --- a/lib/cryptodev/rte_cryptodev.h
> > > > +++ b/lib/cryptodev/rte_cryptodev.h
> > > > @@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum
> > > > rte_crypto_asym_xform_type *xform_enum, /**< Support operations
> > > > on
> > > multiple data-units message */
> > > > #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL
> << 26)
> > > > /**< Support wrapped key in cipher xform */
> > > > +#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL
> > > << 27)
> > > > +/**< Support inner checksum computation/verification */
> > > >
> > > > /**
> > > > * Get the name of a crypto device feature flag diff --git
> > > > a/lib/security/rte_security.h b/lib/security/rte_security.h index
> > > > ab1a6e1f65..945f45ad76 100644
> > > > --- a/lib/security/rte_security.h
> > > > +++ b/lib/security/rte_security.h
> > > > @@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
> > > > * * 0: Do not match UDP ports
> > > > */
> > > > uint32_t udp_ports_verify : 1;
> > > > +
> > > > + /** Compute/verify inner packet IPv4 header checksum in tunnel mode
> > > > + *
> > > > + * * 1: For outbound, compute inner packet IPv4 header checksum
> > > > + * before tunnel encapsulation and for inbound, verify after
> > > > + * tunnel decapsulation.
> > > > + * * 0: Inner packet IP header checksum is not computed/verified.
> > > > + */
> > > > + uint32_t ip_csum_enable : 1;
> > > > +
> > > > + /** Compute/verify inner packet L4 checksum in tunnel mode
> > > > + *
> > > > + * * 1: For outbound, compute inner packet L4 checksum before
> > > > + * tunnel encapsulation and for inbound, verify after
> > > > + * tunnel decapsulation.
> > > > + * * 0: Inner packet L4 checksum is not computed/verified.
> > > > + */
> > > > + uint32_t l4_csum_enable : 1;
> > >
> > > As I understand these 2 new flags serve two purposes:
> > > 1. report HW/PMD ability to perform these offloads.
> > > 2. allow user to enable/disable this offload on SA basis.
> >
> > [Anoob] Correct
> >
> > >
> > > One question I have - how will it work on the data-path?
> > > Would the decision to perform these offloads be based on mbuf->ol_flags
> > > value (same as we are doing for ethdev TX offloads)?
> > > Or some other approach is implied?
> >
> > [Anoob] There will be two settings. It can be enabled per SA or enabled per
> packet.
>
> Ok, will it be documented somewhere?
> Or probably it already is, and I just missed/forgot it somehow?
[Anoob] Looks like we missed documenting this. Will update in the next version. Should we add documentation around SA options or around TX offload flags? I think it's better around SA options. Do you suggest either?
>
> > >
> > > > };
> > > >
> > > > /** IPSec security association direction */
> > > > --
> > > > 2.22.0
Hi Anoob,
> >
> > Hi Anoob,
> >
> > > Hi Konstantin,
> > >
> > > Please see inline.
> > >
> > > Thanks,
> > > Anoob
> > >
> > > > -----Original Message-----
> > > > From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> > > > Sent: Wednesday, September 29, 2021 4:26 PM
> > > > To: Archana Muniganti <marchana@marvell.com>; Akhil Goyal
> > > > <gakhil@marvell.com>; Nicolau, Radu <radu.nicolau@intel.com>; Zhang,
> > > > Roy Fan <roy.fan.zhang@intel.com>; hemant.agrawal@nxp.com
> > > > Cc: Anoob Joseph <anoobj@marvell.com>; Tejasree Kondoj
> > > > <ktejasree@marvell.com>; Ankur Dwivedi <adwivedi@marvell.com>; Jerin
> > > > Jacob Kollanukkaran <jerinj@marvell.com>; dev@dpdk.org
> > > > Subject: [EXT] RE: [PATCH v2 1/3] security: add SA config option for
> > > > inner pkt csum
> > > >
> > > > > Add inner packet IPv4 hdr and L4 checksum enable options in conf.
> > > > > These will be used in case of protocol offload.
> > > > > Per SA, application could specify whether the
> > > > > checksum(compute/verify) can be offloaded to security device.
> > > > >
> > > > > Signed-off-by: Archana Muniganti <marchana@marvell.com>
> > > > > ---
> > > > > doc/guides/cryptodevs/features/default.ini | 1 +
> > > > > doc/guides/rel_notes/deprecation.rst | 4 ++--
> > > > > doc/guides/rel_notes/release_21_11.rst | 4 ++++
> > > > > lib/cryptodev/rte_cryptodev.h | 2 ++
> > > > > lib/security/rte_security.h | 18 ++++++++++++++++++
> > > > > 5 files changed, 27 insertions(+), 2 deletions(-)
> > > > >
> > > > > diff --git a/doc/guides/cryptodevs/features/default.ini
> > > > > b/doc/guides/cryptodevs/features/default.ini
> > > > > index c24814de98..96d95ddc81 100644
> > > > > --- a/doc/guides/cryptodevs/features/default.ini
> > > > > +++ b/doc/guides/cryptodevs/features/default.ini
> > > > > @@ -33,6 +33,7 @@ Non-Byte aligned data = Sym raw data path API
> > > > > = Cipher multiple data units =
> > > > > Cipher wrapped key =
> > > > > +Inner checksum =
> > > > >
> > > > > ;
> > > > > ; Supported crypto algorithms of a default crypto driver.
> > > > > diff --git a/doc/guides/rel_notes/deprecation.rst
> > > > > b/doc/guides/rel_notes/deprecation.rst
> > > > > index 05fc2fdee7..8308e00ed4 100644
> > > > > --- a/doc/guides/rel_notes/deprecation.rst
> > > > > +++ b/doc/guides/rel_notes/deprecation.rst
> > > > > @@ -232,8 +232,8 @@ Deprecation Notices
> > > > > IPsec payload MSS (Maximum Segment Size), and ESN (Extended
> > > > > Sequence
> > > > Number).
> > > > >
> > > > > * security: The IPsec SA config options ``struct
> > > > > rte_security_ipsec_sa_options``
> > > > > - will be updated with new fields to support new features like
> > > > > IPsec inner
> > > > > - checksum, TSO in case of protocol offload.
> > > > > + will be updated with new fields to support new features like
> > > > > + TSO in case of protocol offload.
> > > > >
> > > > > * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new
> > field
> > > > > ``hdr_l3_len`` to configure tunnel L3 header length.
> > > > > diff --git a/doc/guides/rel_notes/release_21_11.rst
> > > > > b/doc/guides/rel_notes/release_21_11.rst
> > > > > index 8da851cccc..93d1b36889 100644
> > > > > --- a/doc/guides/rel_notes/release_21_11.rst
> > > > > +++ b/doc/guides/rel_notes/release_21_11.rst
> > > > > @@ -194,6 +194,10 @@ ABI Changes
> > > > > ``rte_security_ipsec_xform`` to allow applications to configure SA soft
> > > > > and hard expiry limits. Limits can be either in number of packets or bytes.
> > > > >
> > > > > +* security: The new options ``ip_csum_enable`` and
> > > > > +``l4_csum_enable`` were added
> > > > > + in structure ``rte_security_ipsec_sa_options`` to indicate
> > > > > +whether inner
> > > > > + packet IPv4 header checksum and L4 checksum need to be
> > > > > +offloaded to
> > > > > + security device.
> > > > >
> > > > > Known Issues
> > > > > ------------
> > > > > diff --git a/lib/cryptodev/rte_cryptodev.h
> > > > > b/lib/cryptodev/rte_cryptodev.h index bb01f0f195..d9271a6c45
> > > > > 100644
> > > > > --- a/lib/cryptodev/rte_cryptodev.h
> > > > > +++ b/lib/cryptodev/rte_cryptodev.h
> > > > > @@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum
> > > > > rte_crypto_asym_xform_type *xform_enum, /**< Support operations
> > > > > on
> > > > multiple data-units message */
> > > > > #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL
> > << 26)
> > > > > /**< Support wrapped key in cipher xform */
> > > > > +#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL
> > > > << 27)
> > > > > +/**< Support inner checksum computation/verification */
> > > > >
> > > > > /**
> > > > > * Get the name of a crypto device feature flag diff --git
> > > > > a/lib/security/rte_security.h b/lib/security/rte_security.h index
> > > > > ab1a6e1f65..945f45ad76 100644
> > > > > --- a/lib/security/rte_security.h
> > > > > +++ b/lib/security/rte_security.h
> > > > > @@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
> > > > > * * 0: Do not match UDP ports
> > > > > */
> > > > > uint32_t udp_ports_verify : 1;
> > > > > +
> > > > > + /** Compute/verify inner packet IPv4 header checksum in tunnel mode
> > > > > + *
> > > > > + * * 1: For outbound, compute inner packet IPv4 header checksum
> > > > > + * before tunnel encapsulation and for inbound, verify after
> > > > > + * tunnel decapsulation.
> > > > > + * * 0: Inner packet IP header checksum is not computed/verified.
> > > > > + */
> > > > > + uint32_t ip_csum_enable : 1;
> > > > > +
> > > > > + /** Compute/verify inner packet L4 checksum in tunnel mode
> > > > > + *
> > > > > + * * 1: For outbound, compute inner packet L4 checksum before
> > > > > + * tunnel encapsulation and for inbound, verify after
> > > > > + * tunnel decapsulation.
> > > > > + * * 0: Inner packet L4 checksum is not computed/verified.
> > > > > + */
> > > > > + uint32_t l4_csum_enable : 1;
> > > >
> > > > As I understand these 2 new flags serve two purposes:
> > > > 1. report HW/PMD ability to perform these offloads.
> > > > 2. allow user to enable/disable this offload on SA basis.
> > >
> > > [Anoob] Correct
> > >
> > > >
> > > > One question I have - how will it work on the data-path?
> > > > Would the decision to perform these offloads be based on mbuf->ol_flags
> > > > value (same as we are doing for ethdev TX offloads)?
> > > > Or some other approach is implied?
> > >
> > > [Anoob] There will be two settings. It can be enabled per SA or enabled per
> > packet.
> >
> > Ok, will it be documented somewhere?
> > Or probably it already is, and I just missed/forgot it somehow?
>
> [Anoob] Looks like we missed documenting this. Will update in the next version. Should we add documentation around SA options or around
> TX offload flags? I think it's better around SA options.
Same thought here.
Thanks
@@ -33,6 +33,7 @@ Non-Byte aligned data =
Sym raw data path API =
Cipher multiple data units =
Cipher wrapped key =
+Inner checksum =
;
; Supported crypto algorithms of a default crypto driver.
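Review bot: the row label "Inner checksum" added to the feature matrix does not say that it covers the rte_security IPsec offload, while the flag it documents is named RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM and the struct comments in rte_security.h limit it to tunnel mode. A label that carries the security scope would keep the matrix unambiguous next to the plain cipher rows above it.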
@@ -232,8 +232,8 @@ Deprecation Notices
IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number).
* security: The IPsec SA config options ``struct rte_security_ipsec_sa_options``
- will be updated with new fields to support new features like IPsec inner
- checksum, TSO in case of protocol offload.
+ will be updated with new fields to support new features like TSO in case of
+ protocol offload.
* ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
``hdr_l3_len`` to configure tunnel L3 header length.
@@ -194,6 +194,10 @@ ABI Changes
``rte_security_ipsec_xform`` to allow applications to configure SA soft
and hard expiry limits. Limits can be either in number of packets or bytes.
+* security: The new options ``ip_csum_enable`` and ``l4_csum_enable`` were added
+ in structure ``rte_security_ipsec_sa_options`` to indicate whether inner
+ packet IPv4 header checksum and L4 checksum need to be offloaded to
+ security device.
Known Issues
------------
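Review bot: the bullet added under ABI Changes names only ip_csum_enable and l4_csum_enable; the RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM feature flag introduced by the same patch is not mentioned, and neither is the tunnel-mode restriction stated in the rte_security.h comments. Suggest adding the flag name and "in tunnel mode" to this entry so an application author reading the release notes knows how to probe for support before setting the bits.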
@@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum,
/**< Support operations on multiple data-units message */
#define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL << 26)
/**< Support wrapped key in cipher xform */
+#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL << 27)
+/**< Support inner checksum computation/verification */
/**
* Get the name of a crypto device feature flag
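Review bot: RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM is defined directly above the doc comment for the feature-flag name lookup, but the diffstat lists only rte_cryptodev.h under lib/cryptodev, so bit 27 gets no printable name in this patch. Please add the matching name entry alongside the other flags. The thread also establishes that the SA option bits themselves report HW/PMD ability, so the comment on this define should say which of the two an application is expected to check.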
@@ -230,6 +230,24 @@ struct rte_security_ipsec_sa_options {
* * 0: Do not match UDP ports
*/
uint32_t udp_ports_verify : 1;
+
+ /** Compute/verify inner packet IPv4 header checksum in tunnel mode
+ *
+ * * 1: For outbound, compute inner packet IPv4 header checksum
+ * before tunnel encapsulation and for inbound, verify after
+ * tunnel decapsulation.
+ * * 0: Inner packet IP header checksum is not computed/verified.
+ */
+ uint32_t ip_csum_enable : 1;
+
+ /** Compute/verify inner packet L4 checksum in tunnel mode
+ *
+ * * 1: For outbound, compute inner packet L4 checksum before
+ * tunnel encapsulation and for inbound, verify after
+ * tunnel decapsulation.
+ * * 0: Inner packet L4 checksum is not computed/verified.
+ */
+ uint32_t l4_csum_enable : 1;
};
/** IPSec security association direction */
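Review bot: the doc comments on ip_csum_enable and l4_csum_enable say inbound checksums are verified after tunnel decapsulation, but not how the result reaches the application or what happens to a packet that fails verification. Since the thread confirms the offload can be enabled per SA or per packet, please state here how the per-SA bit interacts with mbuf->ol_flags on the data path and how an inbound failure is reported, so callers do not treat an unverified inner packet as verified. As a smaller point, the "0" case of ip_csum_enable says "IP header" where the rest of that comment says "IPv4 header".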