From patchwork Thu Sep 30 12:58:30 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Archana Muniganti X-Patchwork-Id: 100093 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 1A0E1A0C41; Thu, 30 Sep 2021 14:58:53 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 01D7D410EF; Thu, 30 Sep 2021 14:58:53 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id BD6EC4067E for ; Thu, 30 Sep 2021 14:58:51 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18UAAG67028249; Thu, 30 Sep 2021 05:58:50 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=Fj5s2Xg+KniugQTnWr3X4fxSoA6fnpA8VKvvJEE38bg=; b=AKVfgam2FmiT+Ou5m38b6aM7P39P6few7gcDhndJJHImV0YXU5gjidtktaQ33ciYoLRe jjoOXCTUNMDC3QzbtCnBbJRLnMlolSMhIBNLkhD7sho+LrwGZs9Pwhh7ID8WDTcBHio7 21E93OzIUAG3qCRlYICHfnel2glX7qdEkb785oVcpMsruqq1AQFeLyMlLmA7JJVZympf 7GHeIUzLf1gH2knByN0m7CuFf46dD1bwmSKtpMbtLGRe/K3eLKRzpufMVnpFMliCVonW Au7ZlZc0hvIBcw6nbENhdE2gii/+XHhOBHJjq84J1X/95XouNBbMofjja4XNQ49uiXMp 5w== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0b-0016f401.pphosted.com with ESMTP id 3bd3g3accm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 30 Sep 2021 05:58:50 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Thu, 30 Sep 2021 05:58:47 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Thu, 30 Sep 2021 05:58:47 -0700 Received: from hyd1409.caveonetworks.com.com (unknown [10.29.45.15]) by maili.marvell.com (Postfix) with ESMTP id 5C99D3F706D; Thu, 30 Sep 2021 05:58:44 -0700 (PDT) From: Archana Muniganti To: , , , , CC: Archana Muniganti , , , , , Date: Thu, 30 Sep 2021 18:28:30 +0530 Message-ID: <20210930125832.15807-2-marchana@marvell.com> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20210930125832.15807-1-marchana@marvell.com> References: <20210930125832.15807-1-marchana@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: pJegdvJ-wXwBbTNz8-OQ4FDzmIKAbTt3 X-Proofpoint-ORIG-GUID: pJegdvJ-wXwBbTNz8-OQ4FDzmIKAbTt3 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-30_04,2021-09-30_01,2020-04-07_01 Subject: [dpdk-dev] [PATCH v4 1/3] security: add SA config option for inner pkt csum X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add inner packet IPv4 hdr and L4 checksum enable options in conf. These will be used in case of protocol offload. Per SA, application could specify whether the checksum(compute/verify) can be offloaded to security device. Signed-off-by: Archana Muniganti Acked-by: Konstantin Ananyev --- doc/guides/cryptodevs/features/default.ini | 1 + doc/guides/rel_notes/deprecation.rst | 4 +-- doc/guides/rel_notes/release_21_11.rst | 4 +++ lib/cryptodev/rte_cryptodev.h | 2 ++ lib/security/rte_security.h | 31 ++++++++++++++++++++++ 5 files changed, 40 insertions(+), 2 deletions(-) diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini index c24814de98..96d95ddc81 100644 --- a/doc/guides/cryptodevs/features/default.ini +++ b/doc/guides/cryptodevs/features/default.ini @@ -33,6 +33,7 @@ Non-Byte aligned data = Sym raw data path API = Cipher multiple data units = Cipher wrapped key = +Inner checksum = ; ; Supported crypto algorithms of a default crypto driver. diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst index 05fc2fdee7..8308e00ed4 100644 --- a/doc/guides/rel_notes/deprecation.rst +++ b/doc/guides/rel_notes/deprecation.rst @@ -232,8 +232,8 @@ Deprecation Notices IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number). * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options`` - will be updated with new fields to support new features like IPsec inner - checksum, TSO in case of protocol offload. + will be updated with new fields to support new features like TSO in case of + protocol offload. * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field ``hdr_l3_len`` to configure tunnel L3 header length. diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 3ade7fe5ac..5480f05a99 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -196,6 +196,10 @@ ABI Changes ``rte_security_ipsec_xform`` to allow applications to configure SA soft and hard expiry limits. Limits can be either in number of packets or bytes. +* security: The new options ``ip_csum_enable`` and ``l4_csum_enable`` were added + in structure ``rte_security_ipsec_sa_options`` to indicate whether inner + packet IPv4 header checksum and L4 checksum need to be offloaded to + security device. Known Issues ------------ diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h index bb01f0f195..d9271a6c45 100644 --- a/lib/cryptodev/rte_cryptodev.h +++ b/lib/cryptodev/rte_cryptodev.h @@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum, /**< Support operations on multiple data-units message */ #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY (1ULL << 26) /**< Support wrapped key in cipher xform */ +#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL << 27) +/**< Support inner checksum computation/verification */ /** * Get the name of a crypto device feature flag diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index ab1a6e1f65..0c5636377e 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -230,6 +230,37 @@ struct rte_security_ipsec_sa_options { * * 0: Do not match UDP ports */ uint32_t udp_ports_verify : 1; + + /** Compute/verify inner packet IPv4 header checksum in tunnel mode + * + * * 1: For outbound, compute inner packet IPv4 header checksum + * before tunnel encapsulation and for inbound, verify after + * tunnel decapsulation. + * * 0: Inner packet IP header checksum is not computed/verified. + * + * The checksum verification status would be set in mbuf using + * PKT_RX_IP_CKSUM_xxx flags. + * + * Inner IP checksum computation can also be enabled(per operation) + * by setting the flag PKT_TX_IP_CKSUM in mbuf. + */ + uint32_t ip_csum_enable : 1; + + /** Compute/verify inner packet L4 checksum in tunnel mode + * + * * 1: For outbound, compute inner packet L4 checksum before + * tunnel encapsulation and for inbound, verify after + * tunnel decapsulation. + * * 0: Inner packet L4 checksum is not computed/verified. + * + * The checksum verification status would be set in mbuf using + * PKT_RX_L4_CKSUM_xxx flags. + * + * Inner L4 checksum computation can also be enabled(per operation) + * by setting the flags PKT_TX_TCP_CKSUM or PKT_TX_SCTP_CKSUM or + * PKT_TX_UDP_CKSUM or PKT_TX_L4_MASK in mbuf. + */ + uint32_t l4_csum_enable : 1; }; /** IPSec security association direction */ From patchwork Thu Sep 30 12:58:31 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Archana Muniganti X-Patchwork-Id: 100094 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id C5070A0C41; Thu, 30 Sep 2021 14:59:00 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 5BC4D410E5; Thu, 30 Sep 2021 14:58:55 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id DEED5410FA for ; Thu, 30 Sep 2021 14:58:53 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18U2Z2CD027771; Thu, 30 Sep 2021 05:58:52 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=DH9xMTQqyDBlRmgu9rUjcxv4HFZG/y8MZhY8aYUitj8=; b=inx16d8HnHQfghwAXsegWARtKcqjscxE5s29sveHBxtADVtFd9nkE3HofnNCDNUE4jQI CiHo/HUOuI6p9t4fQEDDujKY3jo5HWUBxRkaSnm4M41Qa1FPrsbXNCrhIjSIgOjQE0wf 2H9I+Ua+cV821g9+kfzcLzgAbTPxB7PjmrcmwkqOor3vhZYPj2bg5dlXJk6QXsUIe5xM febSPefEUqTl7o/WiDmVMEzgj8mb58jCu+0yw0+i3S6zg4o2k8xmL4y+YDlFgzFNAwSr VFyL0azSx65ChHq7bv5rI6EHG9vKQX2ieRxnWYBnFZ4L7+CBwcmDuH+ehl0cMEPqi/n/ yA== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com with ESMTP id 3bd47dt9jq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 30 Sep 2021 05:58:52 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Thu, 30 Sep 2021 05:58:51 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Thu, 30 Sep 2021 05:58:51 -0700 Received: from hyd1409.caveonetworks.com.com (unknown [10.29.45.15]) by maili.marvell.com (Postfix) with ESMTP id 5DCB43F7067; Thu, 30 Sep 2021 05:58:48 -0700 (PDT) From: Archana Muniganti To: , , , , CC: Archana Muniganti , , , , , Date: Thu, 30 Sep 2021 18:28:31 +0530 Message-ID: <20210930125832.15807-3-marchana@marvell.com> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20210930125832.15807-1-marchana@marvell.com> References: <20210930125832.15807-1-marchana@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: kJsT0mhha-g-PsMSKbWrdM0Ora-cX9KM X-Proofpoint-ORIG-GUID: kJsT0mhha-g-PsMSKbWrdM0Ora-cX9KM X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-30_04,2021-09-30_01,2020-04-07_01 Subject: [dpdk-dev] [PATCH v4 2/3] crypto/cnxk: add inner checksum X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add inner checksum support for cn10k. Signed-off-by: Archana Muniganti --- doc/guides/cryptodevs/features/cn10k.ini | 1 + doc/guides/rel_notes/release_21_11.rst | 1 + drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 65 +++++++++++++++---- drivers/crypto/cnxk/cn10k_ipsec.c | 49 +++++++++++++- drivers/crypto/cnxk/cn10k_ipsec.h | 1 + drivers/crypto/cnxk/cn10k_ipsec_la_ops.h | 9 ++- drivers/crypto/cnxk/cnxk_cryptodev.c | 3 + .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 2 + 8 files changed, 113 insertions(+), 18 deletions(-) diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini index f5552feca3..9d08bd5c04 100644 --- a/doc/guides/cryptodevs/features/cn10k.ini +++ b/doc/guides/cryptodevs/features/cn10k.ini @@ -15,6 +15,7 @@ OOP SGL In SGL Out = Y OOP LB In LB Out = Y Symmetric sessionless = Y Digest encrypted = Y +Inner checksum = Y ; ; Supported crypto algorithms of 'cn10k' crypto driver. diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 5480f05a99..576bc01a87 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -73,6 +73,7 @@ New Features * Added UDP encapsulation support in lookaside protocol (IPsec) for CN10K. * Added support for lookaside protocol (IPsec) offload for CN9K. * Added support for ZUC algorithm with 256 bit key length for CN10K. + * Added inner checksum support in lookaside protocol (IPsec) for CN10K. * **Added support for event crypto adapter on Marvell CN10K and CN9K.** diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c index 3caf05aab9..c25c8e67b2 100644 --- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c +++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c @@ -50,7 +50,7 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op) static __rte_always_inline int __rte_hot cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess, - struct cpt_inst_s *inst) + struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst) { struct rte_crypto_sym_op *sym_op = op->sym; union roc_ot_ipsec_sa_word2 *w2; @@ -72,8 +72,10 @@ cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess, if (w2->s.dir == ROC_IE_SA_DIR_OUTBOUND) ret = process_outb_sa(op, sa, inst); - else + else { + infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND; ret = process_inb_sa(op, sa, inst); + } return ret; } @@ -122,7 +124,8 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[], if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { sec_sess = get_sec_session_private_data( sym_op->sec_session); - ret = cpt_sec_inst_fill(op, sec_sess, &inst[0]); + ret = cpt_sec_inst_fill(op, sec_sess, infl_req, + &inst[0]); if (unlikely(ret)) return 0; w7 = sec_sess->sa.inst.w7; @@ -342,6 +345,49 @@ cn10k_cpt_sec_post_process(struct rte_crypto_op *cop, m->pkt_len = m_len; } +static inline void +cn10k_cpt_sec_ucc_process(struct rte_crypto_op *cop, + struct cpt_inflight_req *infl_req, + const uint8_t uc_compcode) +{ + struct cn10k_sec_session *sess; + struct cn10k_ipsec_sa *sa; + struct rte_mbuf *mbuf; + + if (uc_compcode == ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST) + cop->aux_flags = RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY; + + if (!(infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND)) + return; + + sess = get_sec_session_private_data(cop->sym->sec_session); + sa = &sess->sa; + + mbuf = cop->sym->m_src; + + switch (uc_compcode) { + case ROC_IE_OT_UCC_SUCCESS: + if (sa->ip_csum_enable) + mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD; + break; + case ROC_IE_OT_UCC_SUCCESS_PKT_IP_BADCSUM: + mbuf->ol_flags |= PKT_RX_IP_CKSUM_BAD; + break; + case ROC_IE_OT_UCC_SUCCESS_PKT_L4_GOODCSUM: + mbuf->ol_flags |= PKT_RX_L4_CKSUM_GOOD; + if (sa->ip_csum_enable) + mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD; + break; + case ROC_IE_OT_UCC_SUCCESS_PKT_L4_BADCSUM: + mbuf->ol_flags |= PKT_RX_L4_CKSUM_BAD; + if (sa->ip_csum_enable) + mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD; + break; + default: + break; + } +} + static inline void cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, struct rte_crypto_op *cop, @@ -357,17 +403,8 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp, if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC && cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) { if (likely(compcode == CPT_COMP_WARN)) { - if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) { - /* Success with additional info */ - switch (uc_compcode) { - case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST: - cop->aux_flags = - RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY; - break; - default: - break; - } - } + /* Success with additional info */ + cn10k_cpt_sec_ucc_process(cop, infl_req, uc_compcode); cn10k_cpt_sec_post_process(cop, res); } else { cop->status = RTE_CRYPTO_OP_STATUS_ERROR; diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c index ebb2a7ec48..defc792aa8 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.c +++ b/drivers/crypto/cnxk/cn10k_ipsec.c @@ -37,6 +37,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct rte_crypto_sym_xform *crypto_xfrm, struct rte_security_session *sec_sess) { + union roc_ot_ipsec_outb_param1 param1; struct roc_ot_ipsec_outb_sa *out_sa; struct cnxk_ipsec_outb_rlens rlens; struct cn10k_sec_session *sess; @@ -83,7 +84,27 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, /* pre-populate CPT INST word 4 */ inst_w4.u64 = 0; inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC; - inst_w4.s.param1 = 0; + + param1.u16 = 0; + + /* Disable IP checksum computation by default */ + param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE; + + if (ipsec_xfrm->options.ip_csum_enable) { + param1.s.ip_csum_disable = + ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE; + } + + /* Disable L4 checksum computation by default */ + param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE; + + if (ipsec_xfrm->options.l4_csum_enable) { + param1.s.l4_csum_disable = + ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE; + } + + inst_w4.s.param1 = param1.u16; + sa->inst.w4 = inst_w4.u64; return 0; @@ -95,6 +116,7 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, struct rte_crypto_sym_xform *crypto_xfrm, struct rte_security_session *sec_sess) { + union roc_ot_ipsec_inb_param1 param1; struct roc_ot_ipsec_inb_sa *in_sa; struct cn10k_sec_session *sess; struct cn10k_ipsec_sa *sa; @@ -121,8 +143,29 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, inst_w4.u64 = 0; inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC; - /* Disable checksum verification for now */ - inst_w4.s.param1 = 7; + param1.u16 = 0; + + /* Disable IP checksum verification by default */ + param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE; + + if (ipsec_xfrm->options.ip_csum_enable) { + param1.s.ip_csum_disable = + ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE; + sa->ip_csum_enable = true; + } + + /* Disable L4 checksum verification by default */ + param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE; + + if (ipsec_xfrm->options.l4_csum_enable) { + param1.s.l4_csum_disable = + ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE; + } + + param1.s.esp_trailer_disable = 1; + + inst_w4.s.param1 = param1.u16; + sa->inst.w4 = inst_w4.u64; return 0; diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h index 6f974b716d..86cd2483f5 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec.h +++ b/drivers/crypto/cnxk/cn10k_ipsec.h @@ -23,6 +23,7 @@ struct cn10k_ipsec_sa { uint16_t max_extended_len; uint16_t iv_offset; uint8_t iv_length; + bool ip_csum_enable; }; struct cn10k_sec_session { diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h index 862476a72e..df1b0a3678 100644 --- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h +++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h @@ -53,6 +53,7 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, { struct rte_crypto_sym_op *sym_op = cop->sym; struct rte_mbuf *m_src = sym_op->m_src; + uint64_t inst_w4_u64 = sess->inst.w4; if (unlikely(rte_pktmbuf_tailroom(m_src) < sess->max_extended_len)) { plt_dp_err("Not enough tail room"); @@ -68,8 +69,14 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess, } #endif + if (m_src->ol_flags & PKT_TX_IP_CKSUM) + inst_w4_u64 &= ~BIT_ULL(33); + + if (m_src->ol_flags & PKT_TX_L4_MASK) + inst_w4_u64 &= ~BIT_ULL(32); + /* Prepare CPT instruction */ - inst->w4.u64 = sess->inst.w4; + inst->w4.u64 = inst_w4_u64; inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src); inst->dptr = rte_pktmbuf_iova(m_src); inst->rptr = inst->dptr; diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.c b/drivers/crypto/cnxk/cnxk_cryptodev.c index 5c7801ec48..d67de54a7b 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev.c @@ -24,6 +24,9 @@ cnxk_cpt_default_ff_get(void) RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED | RTE_CRYPTODEV_FF_SECURITY; + if (roc_model_is_cn10k()) + ff |= RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM; + return ff; } diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index 34eb441ab3..a227e6981c 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -961,6 +961,8 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap) sec_cap->ipsec.options.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR; } + sec_cap->ipsec.options.ip_csum_enable = 1; + sec_cap->ipsec.options.l4_csum_enable = 1; } static void From patchwork Thu Sep 30 12:58:32 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Archana Muniganti X-Patchwork-Id: 100095 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id BC452A0C41; Thu, 30 Sep 2021 14:59:06 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 8BDC64111A; Thu, 30 Sep 2021 14:58:59 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 691A1410F0 for ; Thu, 30 Sep 2021 14:58:57 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18U2Z27F027786; Thu, 30 Sep 2021 05:58:56 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=kQSHfylpFpOvTEfdays9TU5O3HyJId/63ld59xNuuT0=; b=SpL5vTkfAE+8JKDlVxMaXOl0NXLPwNcQ0Toakg61Nc7O6NuteBqq7rBSjChYIe2MpBBz sfxsVCAh9Ay8adZVWOEDpz5weJC6HxmIAX7P6E7vzzTfmqp2JO7pjxRLFdstk9aMndt0 JVhrc0y1ZntakC7o/S1toYWlgdA2kODuhdqwMjcowNjbQ4O6jRC8w4SU2PynjRV62PE+ BpMKkvPY+PNXMrKVh0fAXeMJg093gkGIDo8+7FNWt/+bvjyfB2XnmY/l3cRjX9l37h+C XbJ7BuoTHG7Pf7ybWIPs8BWCC0ZZly8nsB3UiRt7Irfw1P3H7D3BUinN8/cNySCZ9tK7 1A== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0a-0016f401.pphosted.com with ESMTP id 3bd47dt9k4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 30 Sep 2021 05:58:56 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Thu, 30 Sep 2021 05:58:54 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Thu, 30 Sep 2021 05:58:54 -0700 Received: from hyd1409.caveonetworks.com.com (unknown [10.29.45.15]) by maili.marvell.com (Postfix) with ESMTP id E62163F7068; Thu, 30 Sep 2021 05:58:51 -0700 (PDT) From: Archana Muniganti To: , , , , CC: Archana Muniganti , , , , , Date: Thu, 30 Sep 2021 18:28:32 +0530 Message-ID: <20210930125832.15807-4-marchana@marvell.com> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20210930125832.15807-1-marchana@marvell.com> References: <20210930125832.15807-1-marchana@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: Gov9QjiBUR7GS9Nd1sTlpnhyGgRvzGeK X-Proofpoint-ORIG-GUID: Gov9QjiBUR7GS9Nd1sTlpnhyGgRvzGeK X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-30_04,2021-09-30_01,2020-04-07_01 Subject: [dpdk-dev] [PATCH v4 3/3] test/crypto: add inner checksum cases X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" This patch adds tests for inner IP and inner L4 checksum in IPsec mode. Signed-off-by: Archana Muniganti --- app/test/test_cryptodev.c | 34 +++ app/test/test_cryptodev_security_ipsec.c | 195 ++++++++++++++++++ app/test/test_cryptodev_security_ipsec.h | 2 + ...st_cryptodev_security_ipsec_test_vectors.h | 6 + doc/guides/rel_notes/release_21_11.rst | 1 + 5 files changed, 238 insertions(+) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index e6ceeb487f..65b64e1af0 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -18,6 +18,8 @@ #include #include #include +#include +#include #ifdef RTE_CRYPTO_SCHEDULER #include @@ -9299,6 +9301,30 @@ test_ipsec_proto_udp_ports_verify(const void *data __rte_unused) return test_ipsec_proto_all(&flags); } +static int +test_ipsec_proto_inner_ip_csum(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ip_csum = true; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_inner_l4_csum(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.l4_csum = true; + + return test_ipsec_proto_all(&flags); +} + static int test_PDCP_PROTO_all(void) { @@ -14255,6 +14281,14 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Tunnel src and dst addr verification", ut_setup_security, ut_teardown, test_ipsec_proto_tunnel_src_dst_addr_verify), + TEST_CASE_NAMED_ST( + "Inner IP checksum", + ut_setup_security, ut_teardown, + test_ipsec_proto_inner_ip_csum), + TEST_CASE_NAMED_ST( + "Inner L4 checksum", + ut_setup_security, ut_teardown, + test_ipsec_proto_inner_l4_csum), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 764e77bbff..bcd9746c98 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -7,6 +7,7 @@ #include #include #include +#include #include #include "test.h" @@ -103,6 +104,22 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, return -ENOTSUP; } + if (ipsec_xform->options.ip_csum_enable == 1 && + sec_cap->ipsec.options.ip_csum_enable == 0) { + if (!silent) + RTE_LOG(INFO, USER1, + "Inner IP checksum is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.l4_csum_enable == 1 && + sec_cap->ipsec.options.l4_csum_enable == 0) { + if (!silent) + RTE_LOG(INFO, USER1, + "Inner L4 checksum is not supported\n"); + return -ENOTSUP; + } + return 0; } @@ -160,6 +177,56 @@ test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out, } } +static bool +is_ipv4(void *ip) +{ + struct rte_ipv4_hdr *ipv4 = ip; + uint8_t ip_ver; + + ip_ver = (ipv4->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER; + if (ip_ver == IPVERSION) + return true; + else + return false; +} + +static void +test_ipsec_csum_init(void *ip, bool l3, bool l4) +{ + struct rte_ipv4_hdr *ipv4; + struct rte_tcp_hdr *tcp; + struct rte_udp_hdr *udp; + uint8_t next_proto; + uint8_t size; + + if (is_ipv4(ip)) { + ipv4 = ip; + size = sizeof(struct rte_ipv4_hdr); + next_proto = ipv4->next_proto_id; + + if (l3) + ipv4->hdr_checksum = 0; + } else { + size = sizeof(struct rte_ipv6_hdr); + next_proto = ((struct rte_ipv6_hdr *)ip)->proto; + } + + if (l4) { + switch (next_proto) { + case IPPROTO_TCP: + tcp = (struct rte_tcp_hdr *)RTE_PTR_ADD(ip, size); + tcp->cksum = 0; + break; + case IPPROTO_UDP: + udp = (struct rte_udp_hdr *)RTE_PTR_ADD(ip, size); + udp->dgram_cksum = 0; + break; + default: + return; + } + } +} + void test_ipsec_td_prepare(const struct crypto_param *param1, const struct crypto_param *param2, @@ -194,6 +261,17 @@ test_ipsec_td_prepare(const struct crypto_param *param1, if (flags->sa_expiry_pkts_soft) td->ipsec_xform.life.packets_soft_limit = IPSEC_TEST_PACKETS_MAX - 1; + + if (flags->ip_csum) { + td->ipsec_xform.options.ip_csum_enable = 1; + test_ipsec_csum_init(&td->input_text.data, true, false); + } + + if (flags->l4_csum) { + td->ipsec_xform.options.l4_csum_enable = 1; + test_ipsec_csum_init(&td->input_text.data, false, true); + } + } RTE_SET_USED(param2); @@ -230,6 +308,12 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], td_inb[i].ipsec_xform.options.tunnel_hdr_verify = flags->tunnel_hdr_verify; + if (flags->ip_csum) + td_inb[i].ipsec_xform.options.ip_csum_enable = 1; + + if (flags->l4_csum) + td_inb[i].ipsec_xform.options.l4_csum_enable = 1; + /* Clear outbound specific flags */ td_inb[i].ipsec_xform.options.iv_gen_disable = 0; } @@ -305,12 +389,96 @@ test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td) return TEST_SUCCESS; } +static int +test_ipsec_l3_csum_verify(struct rte_mbuf *m) +{ + uint16_t actual_cksum, expected_cksum; + struct rte_ipv4_hdr *ip; + + ip = rte_pktmbuf_mtod(m, struct rte_ipv4_hdr *); + + if (!is_ipv4((void *)ip)) + return TEST_SKIPPED; + + actual_cksum = ip->hdr_checksum; + + ip->hdr_checksum = 0; + + expected_cksum = rte_ipv4_cksum(ip); + + if (actual_cksum != expected_cksum) + return TEST_FAILED; + + return TEST_SUCCESS; +} + +static int +test_ipsec_l4_csum_verify(struct rte_mbuf *m) +{ + uint16_t actual_cksum = 0, expected_cksum = 0; + struct rte_ipv4_hdr *ipv4; + struct rte_ipv6_hdr *ipv6; + struct rte_tcp_hdr *tcp; + struct rte_udp_hdr *udp; + void *ip, *l4; + + ip = rte_pktmbuf_mtod(m, void *); + + if (is_ipv4(ip)) { + ipv4 = ip; + l4 = RTE_PTR_ADD(ipv4, sizeof(struct rte_ipv4_hdr)); + + switch (ipv4->next_proto_id) { + case IPPROTO_TCP: + tcp = (struct rte_tcp_hdr *)l4; + actual_cksum = tcp->cksum; + tcp->cksum = 0; + expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4); + break; + case IPPROTO_UDP: + udp = (struct rte_udp_hdr *)l4; + actual_cksum = udp->dgram_cksum; + udp->dgram_cksum = 0; + expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4); + break; + default: + break; + } + } else { + ipv6 = ip; + l4 = RTE_PTR_ADD(ipv6, sizeof(struct rte_ipv6_hdr)); + + switch (ipv6->proto) { + case IPPROTO_TCP: + tcp = (struct rte_tcp_hdr *)l4; + actual_cksum = tcp->cksum; + tcp->cksum = 0; + expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4); + break; + case IPPROTO_UDP: + udp = (struct rte_udp_hdr *)l4; + actual_cksum = udp->dgram_cksum; + udp->dgram_cksum = 0; + expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4); + break; + default: + break; + } + } + + if (actual_cksum != expected_cksum) + return TEST_FAILED; + + return TEST_SUCCESS; +} + static int test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, bool silent, const struct ipsec_test_flags *flags) { uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *); uint32_t skip, len = rte_pktmbuf_pkt_len(m); + int ret; /* For tests with status as error for test success, skip verification */ if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && @@ -354,6 +522,33 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, len -= skip; output_text += skip; + if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + flags->ip_csum) { + if (m->ol_flags & PKT_RX_IP_CKSUM_GOOD) + ret = test_ipsec_l3_csum_verify(m); + else + ret = TEST_FAILED; + + if (ret == TEST_FAILED) + printf("Inner IP checksum test failed\n"); + + return ret; + } + + if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + flags->l4_csum) { + if (m->ol_flags & PKT_RX_L4_CKSUM_GOOD) + ret = test_ipsec_l4_csum_verify(m); + else + ret = TEST_FAILED; + + if (ret == TEST_FAILED) + printf("Inner L4 checksum test failed\n"); + + return ret; + } + + if (memcmp(output_text, td->output_text.data + skip, len)) { if (silent) return TEST_FAILED; diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 0416005520..7628d0c42a 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -56,6 +56,8 @@ struct ipsec_test_flags { uint32_t tunnel_hdr_verify; bool udp_encap; bool udp_ports_verify; + bool ip_csum; + bool l4_csum; }; struct crypto_param { diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index 4e147ec19c..bb95d00641 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h @@ -95,6 +95,8 @@ struct ipsec_test_data pkt_aes_128_gcm = { .options.ecn = 0, .options.stats = 0, .options.tunnel_hdr_verify = 0, + .options.ip_csum_enable = 0, + .options.l4_csum_enable = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, @@ -192,6 +194,8 @@ struct ipsec_test_data pkt_aes_192_gcm = { .options.ecn = 0, .options.stats = 0, .options.tunnel_hdr_verify = 0, + .options.ip_csum_enable = 0, + .options.l4_csum_enable = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, @@ -292,6 +296,8 @@ struct ipsec_test_data pkt_aes_256_gcm = { .options.ecn = 0, .options.stats = 0, .options.tunnel_hdr_verify = 0, + .options.ip_csum_enable = 0, + .options.l4_csum_enable = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 576bc01a87..8d1752ef39 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -108,6 +108,7 @@ New Features * Added tests to validate packets soft expiry. * Added tests to validate packets hard expiry. * Added tests to verify tunnel header verification in IPsec inbound. + * Added tests to verify inner checksum. Removed Items