From patchwork Wed Oct 13 12:13:22 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 101319 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 08EB3A0C55; Wed, 13 Oct 2021 14:25:31 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 3EF1E411BD; Wed, 13 Oct 2021 14:25:29 +0200 (CEST) Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mails.dpdk.org (Postfix) with ESMTP id 823BD411BD for ; Wed, 13 Oct 2021 14:25:27 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10135"; a="207528537" X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="207528537" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Oct 2021 05:25:27 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="524607691" Received: from silpixa00400884.ir.intel.com ([10.243.22.82]) by orsmga001.jf.intel.com with ESMTP; 13 Oct 2021 05:25:23 -0700 From: Radu Nicolau To: Ray Kinsella , Akhil Goyal , Declan Doherty Cc: dev@dpdk.org, konstantin.ananyev@intel.com, vladimir.medvedkin@intel.com, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, anoobj@marvell.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Wed, 13 Oct 2021 13:13:22 +0100 Message-Id: <20211013121331.300245-2-radu.nicolau@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211013121331.300245-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211013121331.300245-1-radu.nicolau@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v9 01/10] security: add ESN field to ipsec_xform X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Update ipsec_xform definition to include ESN field. This allows the application to control the ESN starting value. Signed-off-by: Declan Doherty Signed-off-by: Radu Nicolau Signed-off-by: Abhijit Sinha Signed-off-by: Daniel Martin Buckley Acked-by: Fan Zhang Acked-by: Anoob Joseph Acked-by: Konstantin Ananyev --- doc/guides/rel_notes/deprecation.rst | 2 +- doc/guides/rel_notes/release_21_11.rst | 5 +++++ lib/security/rte_security.h | 8 ++++++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst index a4e86b31f5..accb9c7d83 100644 --- a/doc/guides/rel_notes/deprecation.rst +++ b/doc/guides/rel_notes/deprecation.rst @@ -206,7 +206,7 @@ Deprecation Notices * security: The structure ``rte_security_ipsec_xform`` will be extended with multiple fields: source and destination port of UDP encapsulation, - IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number). + IPsec payload MSS (Maximum Segment Size). * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options`` will be updated with new fields to support new features like TSO in case of diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 54718ff367..f840586a20 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -265,6 +265,11 @@ ABI Changes packet IPv4 header checksum and L4 checksum need to be offloaded to security device. +* security: A new structure ``esn`` was added in structure + ``rte_security_ipsec_xform`` to set an initial ESN value. This permits + application to start from an arbitrary ESN value for debug and SA lifetime + enforcement purposes. + * bbdev: Added capability related to more comprehensive CRC options, shifting values of the ``enum rte_bbdev_op_ldpcdec_flag_bitmasks``. diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 7eb9f109ae..764ce83bca 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -318,6 +318,14 @@ struct rte_security_ipsec_xform { /**< Anti replay window size to enable sequence replay attack handling. * replay checking is disabled if the window size is 0. */ + union { + uint64_t value; + struct { + uint32_t low; + uint32_t hi; + }; + } esn; + /**< Extended Sequence Number */ }; /** From patchwork Wed Oct 13 12:13:23 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 101320 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 73DF5A0C55; Wed, 13 Oct 2021 14:25:36 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 4872D411C3; Wed, 13 Oct 2021 14:25:33 +0200 (CEST) Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mails.dpdk.org (Postfix) with ESMTP id 8BC2C40E64 for ; Wed, 13 Oct 2021 14:25:31 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10135"; a="207528557" X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="207528557" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Oct 2021 05:25:31 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="524607698" Received: from silpixa00400884.ir.intel.com ([10.243.22.82]) by orsmga001.jf.intel.com with ESMTP; 13 Oct 2021 05:25:27 -0700 From: Radu Nicolau To: Konstantin Ananyev , Bernard Iremonger , Vladimir Medvedkin Cc: dev@dpdk.org, mdr@ashroe.eu, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Wed, 13 Oct 2021 13:13:23 +0100 Message-Id: <20211013121331.300245-3-radu.nicolau@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211013121331.300245-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211013121331.300245-1-radu.nicolau@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v9 02/10] ipsec: add support for AEAD algorithms X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add support for AES_CCM, CHACHA20_POLY1305 and AES_GMAC. Signed-off-by: Declan Doherty Signed-off-by: Radu Nicolau Signed-off-by: Abhijit Sinha Signed-off-by: Daniel Martin Buckley Acked-by: Fan Zhang Acked-by: Konstantin Ananyev --- doc/guides/prog_guide/ipsec_lib.rst | 3 +- doc/guides/rel_notes/release_21_11.rst | 4 + lib/ipsec/crypto.h | 137 +++++++++++++++++++++++++ lib/ipsec/esp_inb.c | 66 +++++++++++- lib/ipsec/esp_outb.c | 70 ++++++++++++- lib/ipsec/sa.c | 54 +++++++++- lib/ipsec/sa.h | 6 ++ 7 files changed, 328 insertions(+), 12 deletions(-) diff --git a/doc/guides/prog_guide/ipsec_lib.rst b/doc/guides/prog_guide/ipsec_lib.rst index 9f2b26072d..93e213bf36 100644 --- a/doc/guides/prog_guide/ipsec_lib.rst +++ b/doc/guides/prog_guide/ipsec_lib.rst @@ -313,7 +313,8 @@ Supported features * ESN and replay window. -* algorithms: 3DES-CBC, AES-CBC, AES-CTR, AES-GCM, HMAC-SHA1, NULL. +* algorithms: 3DES-CBC, AES-CBC, AES-CTR, AES-GCM, AES_CCM, CHACHA20_POLY1305, + AES_GMAC, HMAC-SHA1, NULL. Limitations diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index f840586a20..544d44b1a8 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -154,6 +154,10 @@ New Features * Added tests to verify tunnel header verification in IPsec inbound. * Added tests to verify inner checksum. +* **IPsec library new features.** + + * Added support for AEAD algorithms AES_CCM, CHACHA20_POLY1305 and AES_GMAC. + Removed Items ------------- diff --git a/lib/ipsec/crypto.h b/lib/ipsec/crypto.h index 3d03034590..93d20aaaa0 100644 --- a/lib/ipsec/crypto.h +++ b/lib/ipsec/crypto.h @@ -21,6 +21,37 @@ struct aesctr_cnt_blk { uint32_t cnt; } __rte_packed; + /* + * CHACHA20-POLY1305 devices have some specific requirements + * for IV and AAD formats. + * Ideally that to be done by the driver itself. + */ + +struct aead_chacha20_poly1305_iv { + uint32_t salt; + uint64_t iv; + uint32_t cnt; +} __rte_packed; + +struct aead_chacha20_poly1305_aad { + uint32_t spi; + /* + * RFC 4106, section 5: + * Two formats of the AAD are defined: + * one for 32-bit sequence numbers, and one for 64-bit ESN. + */ + union { + uint32_t u32[2]; + uint64_t u64; + } sqn; + uint32_t align0; /* align to 16B boundary */ +} __rte_packed; + +struct chacha20_poly1305_esph_iv { + struct rte_esp_hdr esph; + uint64_t iv; +} __rte_packed; + /* * AES-GCM devices have some specific requirements for IV and AAD formats. * Ideally that to be done by the driver itself. @@ -51,6 +82,47 @@ struct gcm_esph_iv { uint64_t iv; } __rte_packed; + /* + * AES-CCM devices have some specific requirements for IV and AAD formats. + * Ideally that to be done by the driver itself. + */ +union aead_ccm_salt { + uint32_t salt; + struct inner { + uint8_t salt8[3]; + uint8_t ccm_flags; + } inner; +} __rte_packed; + + +struct aead_ccm_iv { + uint8_t ccm_flags; + uint8_t salt[3]; + uint64_t iv; + uint32_t cnt; +} __rte_packed; + +struct aead_ccm_aad { + uint8_t padding[18]; + uint32_t spi; + /* + * RFC 4309, section 5: + * Two formats of the AAD are defined: + * one for 32-bit sequence numbers, and one for 64-bit ESN. + */ + union { + uint32_t u32[2]; + uint64_t u64; + } sqn; + uint32_t align0; /* align to 16B boundary */ +} __rte_packed; + +struct ccm_esph_iv { + struct rte_esp_hdr esph; + uint64_t iv; +} __rte_packed; + + static inline void aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce) { @@ -59,6 +131,16 @@ aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce) ctr->cnt = rte_cpu_to_be_32(1); } +static inline void +aead_chacha20_poly1305_iv_fill(struct aead_chacha20_poly1305_iv + *chacha20_poly1305, + uint64_t iv, uint32_t salt) +{ + chacha20_poly1305->salt = salt; + chacha20_poly1305->iv = iv; + chacha20_poly1305->cnt = rte_cpu_to_be_32(1); +} + static inline void aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt) { @@ -67,6 +149,21 @@ aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt) gcm->cnt = rte_cpu_to_be_32(1); } +static inline void +aead_ccm_iv_fill(struct aead_ccm_iv *ccm, uint64_t iv, uint32_t salt) +{ + union aead_ccm_salt tsalt; + + tsalt.salt = salt; + ccm->ccm_flags = tsalt.inner.ccm_flags; + ccm->salt[0] = tsalt.inner.salt8[0]; + ccm->salt[1] = tsalt.inner.salt8[1]; + ccm->salt[2] = tsalt.inner.salt8[2]; + ccm->iv = iv; + ccm->cnt = rte_cpu_to_be_32(1); +} + + /* * RFC 4106, 5 AAD Construction * spi and sqn should already be converted into network byte order. @@ -86,6 +183,25 @@ aead_gcm_aad_fill(struct aead_gcm_aad *aad, rte_be32_t spi, rte_be64_t sqn, aad->align0 = 0; } +/* + * RFC 4309, 5 AAD Construction + * spi and sqn should already be converted into network byte order. + * Make sure that not used bytes are zeroed. + */ +static inline void +aead_ccm_aad_fill(struct aead_ccm_aad *aad, rte_be32_t spi, rte_be64_t sqn, + int esn) +{ + aad->spi = spi; + if (esn) + aad->sqn.u64 = sqn; + else { + aad->sqn.u32[0] = sqn_low32(sqn); + aad->sqn.u32[1] = 0; + } + aad->align0 = 0; +} + static inline void gen_iv(uint64_t iv[IPSEC_MAX_IV_QWORD], rte_be64_t sqn) { @@ -93,6 +209,27 @@ gen_iv(uint64_t iv[IPSEC_MAX_IV_QWORD], rte_be64_t sqn) iv[1] = 0; } + +/* + * RFC 7634, 2.1 AAD Construction + * spi and sqn should already be converted into network byte order. + * Make sure that not used bytes are zeroed. + */ +static inline void +aead_chacha20_poly1305_aad_fill(struct aead_chacha20_poly1305_aad *aad, + rte_be32_t spi, rte_be64_t sqn, + int esn) +{ + aad->spi = spi; + if (esn) + aad->sqn.u64 = sqn; + else { + aad->sqn.u32[0] = sqn_low32(sqn); + aad->sqn.u32[1] = 0; + } + aad->align0 = 0; +} + /* * Helper routine to copy IV * Right now we support only algorithms with IV length equals 0/8/16 bytes. diff --git a/lib/ipsec/esp_inb.c b/lib/ipsec/esp_inb.c index 2b1df6a032..d66c88f05d 100644 --- a/lib/ipsec/esp_inb.c +++ b/lib/ipsec/esp_inb.c @@ -63,6 +63,8 @@ inb_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aead_ccm_iv *ccm; + struct aead_chacha20_poly1305_iv *chacha20_poly1305; struct aesctr_cnt_blk *ctr; uint64_t *ivc, *ivp; uint32_t algo; @@ -83,6 +85,24 @@ inb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; + case ALGO_TYPE_AES_CCM: + sop_aead_prepare(sop, sa, icv, pofs, plen); + + /* fill AAD IV (located inside crypto op) */ + ccm = rte_crypto_op_ctod_offset(cop, struct aead_ccm_iv *, + sa->iv_ofs); + aead_ccm_iv_fill(ccm, ivp[0], sa->salt); + break; + case ALGO_TYPE_CHACHA20_POLY1305: + sop_aead_prepare(sop, sa, icv, pofs, plen); + + /* fill AAD IV (located inside crypto op) */ + chacha20_poly1305 = rte_crypto_op_ctod_offset(cop, + struct aead_chacha20_poly1305_iv *, + sa->iv_ofs); + aead_chacha20_poly1305_iv_fill(chacha20_poly1305, + ivp[0], sa->salt); + break; case ALGO_TYPE_AES_CBC: case ALGO_TYPE_3DES_CBC: sop_ciph_auth_prepare(sop, sa, icv, pofs, plen); @@ -91,6 +111,14 @@ inb_cop_prepare(struct rte_crypto_op *cop, ivc = rte_crypto_op_ctod_offset(cop, uint64_t *, sa->iv_ofs); copy_iv(ivc, ivp, sa->iv_len); break; + case ALGO_TYPE_AES_GMAC: + sop_ciph_auth_prepare(sop, sa, icv, pofs, plen); + + /* fill AAD IV (located inside crypto op) */ + gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *, + sa->iv_ofs); + aead_gcm_iv_fill(gcm, ivp[0], sa->salt); + break; case ALGO_TYPE_AES_CTR: sop_ciph_auth_prepare(sop, sa, icv, pofs, plen); @@ -110,6 +138,8 @@ inb_cpu_crypto_prepare(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb, uint32_t *pofs, uint32_t plen, void *iv) { struct aead_gcm_iv *gcm; + struct aead_ccm_iv *ccm; + struct aead_chacha20_poly1305_iv *chacha20_poly1305; struct aesctr_cnt_blk *ctr; uint64_t *ivp; uint32_t clen; @@ -120,9 +150,19 @@ inb_cpu_crypto_prepare(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb, switch (sa->algo_type) { case ALGO_TYPE_AES_GCM: + case ALGO_TYPE_AES_GMAC: gcm = (struct aead_gcm_iv *)iv; aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; + case ALGO_TYPE_AES_CCM: + ccm = (struct aead_ccm_iv *)iv; + aead_ccm_iv_fill(ccm, ivp[0], sa->salt); + break; + case ALGO_TYPE_CHACHA20_POLY1305: + chacha20_poly1305 = (struct aead_chacha20_poly1305_iv *)iv; + aead_chacha20_poly1305_iv_fill(chacha20_poly1305, + ivp[0], sa->salt); + break; case ALGO_TYPE_AES_CBC: case ALGO_TYPE_3DES_CBC: copy_iv(iv, ivp, sa->iv_len); @@ -175,6 +215,8 @@ inb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, const union sym_op_data *icv) { struct aead_gcm_aad *aad; + struct aead_ccm_aad *caad; + struct aead_chacha20_poly1305_aad *chacha_aad; /* insert SQN.hi between ESP trailer and ICV */ if (sa->sqh_len != 0) @@ -184,9 +226,27 @@ inb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, * fill AAD fields, if any (aad fields are placed after icv), * right now we support only one AEAD algorithm: AES-GCM. */ - if (sa->aad_len != 0) { - aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); - aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa)); + switch (sa->algo_type) { + case ALGO_TYPE_AES_GCM: + if (sa->aad_len != 0) { + aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); + aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa)); + } + break; + case ALGO_TYPE_AES_CCM: + if (sa->aad_len != 0) { + caad = (struct aead_ccm_aad *)(icv->va + sa->icv_len); + aead_ccm_aad_fill(caad, sa->spi, sqc, IS_ESN(sa)); + } + break; + case ALGO_TYPE_CHACHA20_POLY1305: + if (sa->aad_len != 0) { + chacha_aad = (struct aead_chacha20_poly1305_aad *) + (icv->va + sa->icv_len); + aead_chacha20_poly1305_aad_fill(chacha_aad, + sa->spi, sqc, IS_ESN(sa)); + } + break; } } diff --git a/lib/ipsec/esp_outb.c b/lib/ipsec/esp_outb.c index 1e181cf2ce..a3f77469c3 100644 --- a/lib/ipsec/esp_outb.c +++ b/lib/ipsec/esp_outb.c @@ -63,6 +63,8 @@ outb_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aead_ccm_iv *ccm; + struct aead_chacha20_poly1305_iv *chacha20_poly1305; struct aesctr_cnt_blk *ctr; uint32_t algo; @@ -80,6 +82,15 @@ outb_cop_prepare(struct rte_crypto_op *cop, /* NULL case */ sop_ciph_auth_prepare(sop, sa, icv, hlen, plen); break; + case ALGO_TYPE_AES_GMAC: + /* GMAC case */ + sop_ciph_auth_prepare(sop, sa, icv, hlen, plen); + + /* fill AAD IV (located inside crypto op) */ + gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *, + sa->iv_ofs); + aead_gcm_iv_fill(gcm, ivp[0], sa->salt); + break; case ALGO_TYPE_AES_GCM: /* AEAD (AES_GCM) case */ sop_aead_prepare(sop, sa, icv, hlen, plen); @@ -89,6 +100,26 @@ outb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; + case ALGO_TYPE_AES_CCM: + /* AEAD (AES_CCM) case */ + sop_aead_prepare(sop, sa, icv, hlen, plen); + + /* fill AAD IV (located inside crypto op) */ + ccm = rte_crypto_op_ctod_offset(cop, struct aead_ccm_iv *, + sa->iv_ofs); + aead_ccm_iv_fill(ccm, ivp[0], sa->salt); + break; + case ALGO_TYPE_CHACHA20_POLY1305: + /* AEAD (CHACHA20_POLY) case */ + sop_aead_prepare(sop, sa, icv, hlen, plen); + + /* fill AAD IV (located inside crypto op) */ + chacha20_poly1305 = rte_crypto_op_ctod_offset(cop, + struct aead_chacha20_poly1305_iv *, + sa->iv_ofs); + aead_chacha20_poly1305_iv_fill(chacha20_poly1305, + ivp[0], sa->salt); + break; case ALGO_TYPE_AES_CTR: /* Cipher-Auth (AES-CTR *) case */ sop_ciph_auth_prepare(sop, sa, icv, hlen, plen); @@ -196,7 +227,9 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, const union sym_op_data *icv) { uint32_t *psqh; - struct aead_gcm_aad *aad; + struct aead_gcm_aad *gaad; + struct aead_ccm_aad *caad; + struct aead_chacha20_poly1305_aad *chacha20_poly1305_aad; /* insert SQN.hi between ESP trailer and ICV */ if (sa->sqh_len != 0) { @@ -208,9 +241,29 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, * fill IV and AAD fields, if any (aad fields are placed after icv), * right now we support only one AEAD algorithm: AES-GCM . */ + switch (sa->algo_type) { + case ALGO_TYPE_AES_GCM: if (sa->aad_len != 0) { - aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); - aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa)); + gaad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); + aead_gcm_aad_fill(gaad, sa->spi, sqc, IS_ESN(sa)); + } + break; + case ALGO_TYPE_AES_CCM: + if (sa->aad_len != 0) { + caad = (struct aead_ccm_aad *)(icv->va + sa->icv_len); + aead_ccm_aad_fill(caad, sa->spi, sqc, IS_ESN(sa)); + } + break; + case ALGO_TYPE_CHACHA20_POLY1305: + if (sa->aad_len != 0) { + chacha20_poly1305_aad = (struct aead_chacha20_poly1305_aad *) + (icv->va + sa->icv_len); + aead_chacha20_poly1305_aad_fill(chacha20_poly1305_aad, + sa->spi, sqc, IS_ESN(sa)); + } + break; + default: + break; } } @@ -418,6 +471,8 @@ outb_cpu_crypto_prepare(const struct rte_ipsec_sa *sa, uint32_t *pofs, { uint64_t *ivp = iv; struct aead_gcm_iv *gcm; + struct aead_ccm_iv *ccm; + struct aead_chacha20_poly1305_iv *chacha20_poly1305; struct aesctr_cnt_blk *ctr; uint32_t clen; @@ -426,6 +481,15 @@ outb_cpu_crypto_prepare(const struct rte_ipsec_sa *sa, uint32_t *pofs, gcm = iv; aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; + case ALGO_TYPE_AES_CCM: + ccm = iv; + aead_ccm_iv_fill(ccm, ivp[0], sa->salt); + break; + case ALGO_TYPE_CHACHA20_POLY1305: + chacha20_poly1305 = iv; + aead_chacha20_poly1305_iv_fill(chacha20_poly1305, + ivp[0], sa->salt); + break; case ALGO_TYPE_AES_CTR: ctr = iv; aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); diff --git a/lib/ipsec/sa.c b/lib/ipsec/sa.c index e59189d215..720e0f365b 100644 --- a/lib/ipsec/sa.c +++ b/lib/ipsec/sa.c @@ -47,6 +47,15 @@ fill_crypto_xform(struct crypto_xform *xform, uint64_t type, if (xfn != NULL) return -EINVAL; xform->aead = &xf->aead; + + /* GMAC has only auth */ + } else if (xf->type == RTE_CRYPTO_SYM_XFORM_AUTH && + xf->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) { + if (xfn != NULL) + return -EINVAL; + xform->auth = &xf->auth; + xform->cipher = &xfn->cipher; + /* * CIPHER+AUTH xforms are expected in strict order, * depending on SA direction: @@ -247,12 +256,13 @@ esp_inb_init(struct rte_ipsec_sa *sa) sa->ctp.cipher.length = sa->icv_len + sa->ctp.cipher.offset; /* - * for AEAD and NULL algorithms we can assume that + * for AEAD algorithms we can assume that * auth and cipher offsets would be equal. */ switch (sa->algo_type) { case ALGO_TYPE_AES_GCM: - case ALGO_TYPE_NULL: + case ALGO_TYPE_AES_CCM: + case ALGO_TYPE_CHACHA20_POLY1305: sa->ctp.auth.raw = sa->ctp.cipher.raw; break; default: @@ -294,6 +304,8 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) switch (algo_type) { case ALGO_TYPE_AES_GCM: + case ALGO_TYPE_AES_CCM: + case ALGO_TYPE_CHACHA20_POLY1305: case ALGO_TYPE_AES_CTR: case ALGO_TYPE_NULL: sa->ctp.cipher.offset = hlen + sizeof(struct rte_esp_hdr) + @@ -305,15 +317,20 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) sa->ctp.cipher.offset = hlen + sizeof(struct rte_esp_hdr); sa->ctp.cipher.length = sa->iv_len; break; + case ALGO_TYPE_AES_GMAC: + sa->ctp.cipher.offset = 0; + sa->ctp.cipher.length = 0; + break; } /* - * for AEAD and NULL algorithms we can assume that + * for AEAD algorithms we can assume that * auth and cipher offsets would be equal. */ switch (algo_type) { case ALGO_TYPE_AES_GCM: - case ALGO_TYPE_NULL: + case ALGO_TYPE_AES_CCM: + case ALGO_TYPE_CHACHA20_POLY1305: sa->ctp.auth.raw = sa->ctp.cipher.raw; break; default: @@ -374,13 +391,39 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, sa->pad_align = IPSEC_PAD_AES_GCM; sa->algo_type = ALGO_TYPE_AES_GCM; break; + case RTE_CRYPTO_AEAD_AES_CCM: + /* RFC 4309 */ + sa->aad_len = sizeof(struct aead_ccm_aad); + sa->icv_len = cxf->aead->digest_length; + sa->iv_ofs = cxf->aead->iv.offset; + sa->iv_len = sizeof(uint64_t); + sa->pad_align = IPSEC_PAD_AES_CCM; + sa->algo_type = ALGO_TYPE_AES_CCM; + break; + case RTE_CRYPTO_AEAD_CHACHA20_POLY1305: + /* RFC 7634 & 8439*/ + sa->aad_len = sizeof(struct aead_chacha20_poly1305_aad); + sa->icv_len = cxf->aead->digest_length; + sa->iv_ofs = cxf->aead->iv.offset; + sa->iv_len = sizeof(uint64_t); + sa->pad_align = IPSEC_PAD_CHACHA20_POLY1305; + sa->algo_type = ALGO_TYPE_CHACHA20_POLY1305; + break; default: return -EINVAL; } + } else if (cxf->auth->algo == RTE_CRYPTO_AUTH_AES_GMAC) { + /* RFC 4543 */ + /* AES-GMAC is a special case of auth that needs IV */ + sa->pad_align = IPSEC_PAD_AES_GMAC; + sa->iv_len = sizeof(uint64_t); + sa->icv_len = cxf->auth->digest_length; + sa->iv_ofs = cxf->auth->iv.offset; + sa->algo_type = ALGO_TYPE_AES_GMAC; + } else { sa->icv_len = cxf->auth->digest_length; sa->iv_ofs = cxf->cipher->iv.offset; - sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0; switch (cxf->cipher->algo) { case RTE_CRYPTO_CIPHER_NULL: @@ -414,6 +457,7 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, } } + sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0; sa->udata = prm->userdata; sa->spi = rte_cpu_to_be_32(prm->ipsec_xform.spi); sa->salt = prm->ipsec_xform.salt; diff --git a/lib/ipsec/sa.h b/lib/ipsec/sa.h index 1bffe751f5..107ebd1519 100644 --- a/lib/ipsec/sa.h +++ b/lib/ipsec/sa.h @@ -19,7 +19,10 @@ enum { IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, + IPSEC_PAD_AES_CCM = IPSEC_PAD_DEFAULT, + IPSEC_PAD_CHACHA20_POLY1305 = IPSEC_PAD_DEFAULT, IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT, + IPSEC_PAD_AES_GMAC = IPSEC_PAD_DEFAULT, }; /* iv sizes for different algorithms */ @@ -67,6 +70,9 @@ enum sa_algo_type { ALGO_TYPE_AES_CBC, ALGO_TYPE_AES_CTR, ALGO_TYPE_AES_GCM, + ALGO_TYPE_AES_CCM, + ALGO_TYPE_CHACHA20_POLY1305, + ALGO_TYPE_AES_GMAC, ALGO_TYPE_MAX }; From patchwork Wed Oct 13 12:13:24 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 101321 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 1B273A0C55; Wed, 13 Oct 2021 14:25:42 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 50BF8411C8; Wed, 13 Oct 2021 14:25:36 +0200 (CEST) Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mails.dpdk.org (Postfix) with ESMTP id D1A71411C8 for ; Wed, 13 Oct 2021 14:25:34 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10135"; a="207528580" X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="207528580" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Oct 2021 05:25:34 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="524607705" Received: from silpixa00400884.ir.intel.com ([10.243.22.82]) by orsmga001.jf.intel.com with ESMTP; 13 Oct 2021 05:25:31 -0700 From: Radu Nicolau To: Ray Kinsella , Akhil Goyal , Declan Doherty Cc: dev@dpdk.org, konstantin.ananyev@intel.com, vladimir.medvedkin@intel.com, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, anoobj@marvell.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Wed, 13 Oct 2021 13:13:24 +0100 Message-Id: <20211013121331.300245-4-radu.nicolau@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211013121331.300245-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211013121331.300245-1-radu.nicolau@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v9 03/10] security: add UDP params for IPsec NAT-T X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add support for specifying UDP port params for UDP encapsulation option. RFC3948 section-2.1 does not enforce using specific the UDP ports for UDP-Encapsulated ESP Header Signed-off-by: Declan Doherty Signed-off-by: Radu Nicolau Signed-off-by: Abhijit Sinha Signed-off-by: Daniel Martin Buckley Acked-by: Fan Zhang Acked-by: Anoob Joseph Acked-by: Konstantin Ananyev --- doc/guides/rel_notes/deprecation.rst | 5 ++--- doc/guides/rel_notes/release_21_11.rst | 4 ++++ lib/security/rte_security.h | 7 +++++++ 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst index accb9c7d83..6517e7821f 100644 --- a/doc/guides/rel_notes/deprecation.rst +++ b/doc/guides/rel_notes/deprecation.rst @@ -204,9 +204,8 @@ Deprecation Notices pointer for the private data to the application which can be attached to the packet while enqueuing. -* security: The structure ``rte_security_ipsec_xform`` will be extended with - multiple fields: source and destination port of UDP encapsulation, - IPsec payload MSS (Maximum Segment Size). +* security: The structure ``rte_security_ipsec_xform`` will be extended with: + new field: IPsec payload MSS (Maximum Segment Size). * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options`` will be updated with new fields to support new features like TSO in case of diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 544d44b1a8..1748c2db05 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -274,6 +274,10 @@ ABI Changes application to start from an arbitrary ESN value for debug and SA lifetime enforcement purposes. +* security: A new structure ``udp`` was added in structure + ``rte_security_ipsec_xform`` to allow setting the source and destination ports + for UDP encapsulated IPsec traffic. + * bbdev: Added capability related to more comprehensive CRC options, shifting values of the ``enum rte_bbdev_op_ldpcdec_flag_bitmasks``. diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 764ce83bca..17d0e95412 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -128,6 +128,11 @@ struct rte_security_ipsec_tunnel_param { }; }; +struct rte_security_ipsec_udp_param { + uint16_t sport; + uint16_t dport; +}; + /** * IPsec Security Association option flags */ @@ -326,6 +331,8 @@ struct rte_security_ipsec_xform { }; } esn; /**< Extended Sequence Number */ + struct rte_security_ipsec_udp_param udp; + /**< UDP parameters, ignored when udp_encap option not specified */ }; /** From patchwork Wed Oct 13 12:13:25 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 101322 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 2517EA0C55; Wed, 13 Oct 2021 14:25:49 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id AAECB41162; Wed, 13 Oct 2021 14:25:42 +0200 (CEST) Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mails.dpdk.org (Postfix) with ESMTP id 21C5540E64 for ; Wed, 13 Oct 2021 14:25:40 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10135"; a="214564500" X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="214564500" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Oct 2021 05:25:40 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="524607724" Received: from silpixa00400884.ir.intel.com ([10.243.22.82]) by orsmga001.jf.intel.com with ESMTP; 13 Oct 2021 05:25:34 -0700 From: Radu Nicolau To: Konstantin Ananyev , Bernard Iremonger , Vladimir Medvedkin Cc: dev@dpdk.org, mdr@ashroe.eu, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Wed, 13 Oct 2021 13:13:25 +0100 Message-Id: <20211013121331.300245-5-radu.nicolau@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211013121331.300245-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211013121331.300245-1-radu.nicolau@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v9 04/10] ipsec: add support for NAT-T X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add support for the IPsec NAT-Traversal use case for Tunnel mode packets. Signed-off-by: Declan Doherty Signed-off-by: Radu Nicolau Signed-off-by: Abhijit Sinha Signed-off-by: Daniel Martin Buckley Acked-by: Fan Zhang Acked-by: Konstantin Ananyev --- doc/guides/prog_guide/ipsec_lib.rst | 2 ++ doc/guides/rel_notes/release_21_11.rst | 1 + lib/ipsec/esp_outb.c | 9 ++++++ lib/ipsec/rte_ipsec_sa.h | 9 +++++- lib/ipsec/sa.c | 39 ++++++++++++++++++++++---- 5 files changed, 54 insertions(+), 6 deletions(-) diff --git a/doc/guides/prog_guide/ipsec_lib.rst b/doc/guides/prog_guide/ipsec_lib.rst index 93e213bf36..af51ff8131 100644 --- a/doc/guides/prog_guide/ipsec_lib.rst +++ b/doc/guides/prog_guide/ipsec_lib.rst @@ -313,6 +313,8 @@ Supported features * ESN and replay window. +* NAT-T / UDP encapsulated ESP. + * algorithms: 3DES-CBC, AES-CBC, AES-CTR, AES-GCM, AES_CCM, CHACHA20_POLY1305, AES_GMAC, HMAC-SHA1, NULL. diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 1748c2db05..e9fb169d44 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -157,6 +157,7 @@ New Features * **IPsec library new features.** * Added support for AEAD algorithms AES_CCM, CHACHA20_POLY1305 and AES_GMAC. + * Added support for NAT-T / UDP encapsulated ESP Removed Items diff --git a/lib/ipsec/esp_outb.c b/lib/ipsec/esp_outb.c index a3f77469c3..0e3314b358 100644 --- a/lib/ipsec/esp_outb.c +++ b/lib/ipsec/esp_outb.c @@ -5,6 +5,7 @@ #include #include #include +#include #include #include @@ -185,6 +186,14 @@ outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc, /* copy tunnel pkt header */ rte_memcpy(ph, sa->hdr, sa->hdr_len); + /* if UDP encap is enabled update the dgram_len */ + if (sa->type & RTE_IPSEC_SATP_NATT_ENABLE) { + struct rte_udp_hdr *udph = (struct rte_udp_hdr *) + (ph - sizeof(struct rte_udp_hdr)); + udph->dgram_len = rte_cpu_to_be_16(mb->pkt_len - sqh_len - + sa->hdr_l3_off - sa->hdr_len); + } + /* update original and new ip header fields */ update_tun_outb_l3hdr(sa, ph + sa->hdr_l3_off, ph + hlen, mb->pkt_len - sqh_len, sa->hdr_l3_off, sqn_low16(sqc)); diff --git a/lib/ipsec/rte_ipsec_sa.h b/lib/ipsec/rte_ipsec_sa.h index cf51ad8338..3a22705055 100644 --- a/lib/ipsec/rte_ipsec_sa.h +++ b/lib/ipsec/rte_ipsec_sa.h @@ -78,6 +78,7 @@ struct rte_ipsec_sa_prm { * - for TUNNEL outer IP version (IPv4/IPv6) * - are SA SQN operations 'atomic' * - ESN enabled/disabled + * - NAT-T UDP encapsulated (TUNNEL mode only) * ... */ @@ -89,7 +90,8 @@ enum { RTE_SATP_LOG2_SQN = RTE_SATP_LOG2_MODE + 2, RTE_SATP_LOG2_ESN, RTE_SATP_LOG2_ECN, - RTE_SATP_LOG2_DSCP + RTE_SATP_LOG2_DSCP, + RTE_SATP_LOG2_NATT }; #define RTE_IPSEC_SATP_IPV_MASK (1ULL << RTE_SATP_LOG2_IPV) @@ -125,6 +127,11 @@ enum { #define RTE_IPSEC_SATP_DSCP_DISABLE (0ULL << RTE_SATP_LOG2_DSCP) #define RTE_IPSEC_SATP_DSCP_ENABLE (1ULL << RTE_SATP_LOG2_DSCP) +#define RTE_IPSEC_SATP_NATT_MASK (1ULL << RTE_SATP_LOG2_NATT) +#define RTE_IPSEC_SATP_NATT_DISABLE (0ULL << RTE_SATP_LOG2_NATT) +#define RTE_IPSEC_SATP_NATT_ENABLE (1ULL << RTE_SATP_LOG2_NATT) + + /** * get type of given SA * @return diff --git a/lib/ipsec/sa.c b/lib/ipsec/sa.c index 720e0f365b..2830506385 100644 --- a/lib/ipsec/sa.c +++ b/lib/ipsec/sa.c @@ -5,6 +5,7 @@ #include #include #include +#include #include #include @@ -217,6 +218,10 @@ fill_sa_type(const struct rte_ipsec_sa_prm *prm, uint64_t *type) } else return -EINVAL; + /* check for UDP encapsulation flag */ + if (prm->ipsec_xform.options.udp_encap == 1) + tp |= RTE_IPSEC_SATP_NATT_ENABLE; + /* check for ESN flag */ if (prm->ipsec_xform.options.esn == 0) tp |= RTE_IPSEC_SATP_ESN_DISABLE; @@ -348,20 +353,36 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) /* * Init ESP outbound tunnel specific things. */ -static void +static int esp_outb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm) { sa->proto = prm->tun.next_proto; sa->hdr_len = prm->tun.hdr_len; sa->hdr_l3_off = prm->tun.hdr_l3_off; + if (prm->tun.hdr_len > IPSEC_MAX_HDR_SIZE) + return -EINVAL; + memcpy(sa->hdr, prm->tun.hdr, prm->tun.hdr_len); + + /* insert UDP header if UDP encapsulation is inabled */ + if (sa->type & RTE_IPSEC_SATP_NATT_ENABLE) { + struct rte_udp_hdr *udph = (struct rte_udp_hdr *) + &sa->hdr[prm->tun.hdr_len]; + sa->hdr_len += sizeof(struct rte_udp_hdr); + if (sa->hdr_len > IPSEC_MAX_HDR_SIZE) + return -EINVAL; + udph->src_port = prm->ipsec_xform.udp.sport; + udph->dst_port = prm->ipsec_xform.udp.dport; + udph->dgram_cksum = 0; + } + /* update l2_len and l3_len fields for outbound mbuf */ sa->tx_offload.val = rte_mbuf_tx_offload(sa->hdr_l3_off, sa->hdr_len - sa->hdr_l3_off, 0, 0, 0, 0, 0); - memcpy(sa->hdr, prm->tun.hdr, sa->hdr_len); - esp_outb_init(sa, sa->hdr_len); + + return 0; } /* @@ -372,7 +393,8 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, const struct crypto_xform *cxf) { static const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK | - RTE_IPSEC_SATP_MODE_MASK; + RTE_IPSEC_SATP_MODE_MASK | + RTE_IPSEC_SATP_NATT_MASK; if (prm->ipsec_xform.options.ecn) sa->tos_mask |= RTE_IPV4_HDR_ECN_MASK; @@ -475,10 +497,17 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TRANS): esp_inb_init(sa); break; + case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4 | + RTE_IPSEC_SATP_NATT_ENABLE): + case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6 | + RTE_IPSEC_SATP_NATT_ENABLE): case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4): case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6): - esp_outb_tun_init(sa, prm); + if (esp_outb_tun_init(sa, prm)) + return -EINVAL; break; + case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS | + RTE_IPSEC_SATP_NATT_ENABLE): case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS): esp_outb_init(sa, 0); break; From patchwork Wed Oct 13 12:13:26 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 101323 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 4C25EA0C55; Wed, 13 Oct 2021 14:25:54 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id AFEE8410EB; Wed, 13 Oct 2021 14:25:45 +0200 (CEST) Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mails.dpdk.org (Postfix) with ESMTP id 3DB24411D1 for ; Wed, 13 Oct 2021 14:25:44 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10135"; a="214564505" X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="214564505" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Oct 2021 05:25:43 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="524607737" Received: from silpixa00400884.ir.intel.com ([10.243.22.82]) by orsmga001.jf.intel.com with ESMTP; 13 Oct 2021 05:25:40 -0700 From: Radu Nicolau To: Olivier Matz Cc: dev@dpdk.org, mdr@ashroe.eu, konstantin.ananyev@intel.com, vladimir.medvedkin@intel.com, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Wed, 13 Oct 2021 13:13:26 +0100 Message-Id: <20211013121331.300245-6-radu.nicolau@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211013121331.300245-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211013121331.300245-1-radu.nicolau@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v9 05/10] mbuf: add IPsec ESP tunnel type X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add ESP tunnel type to the tunnel types list that can be specified for TSO or checksum on the inner part of tunnel packets. Signed-off-by: Declan Doherty Signed-off-by: Radu Nicolau Signed-off-by: Abhijit Sinha Signed-off-by: Daniel Martin Buckley Acked-by: Fan Zhang Acked-by: Akhil Goyal Acked-by: Olivier Matz --- lib/mbuf/rte_mbuf_core.h | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/mbuf/rte_mbuf_core.h b/lib/mbuf/rte_mbuf_core.h index 9d8e3ddc86..4747c0c452 100644 --- a/lib/mbuf/rte_mbuf_core.h +++ b/lib/mbuf/rte_mbuf_core.h @@ -255,6 +255,7 @@ extern "C" { #define PKT_TX_TUNNEL_MPLSINUDP (0x5ULL << 45) #define PKT_TX_TUNNEL_VXLAN_GPE (0x6ULL << 45) #define PKT_TX_TUNNEL_GTP (0x7ULL << 45) +#define PKT_TX_TUNNEL_ESP (0x8ULL << 45) /** * Generic IP encapsulated tunnel type, used for TSO and checksum offload. * It can be used for tunnels which are not standards or listed above. From patchwork Wed Oct 13 12:13:27 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 101324 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id AFC38A0C55; Wed, 13 Oct 2021 14:25:59 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id DF037411BE; Wed, 13 Oct 2021 14:25:50 +0200 (CEST) Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mails.dpdk.org (Postfix) with ESMTP id 466A2411BE for ; Wed, 13 Oct 2021 14:25:48 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10135"; a="214564516" X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="214564516" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Oct 2021 05:25:47 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="524607754" Received: from silpixa00400884.ir.intel.com ([10.243.22.82]) by orsmga001.jf.intel.com with ESMTP; 13 Oct 2021 05:25:44 -0700 From: Radu Nicolau To: Konstantin Ananyev , Bernard Iremonger , Vladimir Medvedkin Cc: dev@dpdk.org, mdr@ashroe.eu, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Wed, 13 Oct 2021 13:13:27 +0100 Message-Id: <20211013121331.300245-7-radu.nicolau@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211013121331.300245-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211013121331.300245-1-radu.nicolau@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v9 06/10] ipsec: add transmit segmentation offload support X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add support for transmit segmentation offload to inline crypto processing mode. This offload is not supported by other offload modes, as at a minimum it requires inline crypto for IPsec to be supported on the network interface. Signed-off-by: Declan Doherty Signed-off-by: Radu Nicolau Signed-off-by: Abhijit Sinha Signed-off-by: Daniel Martin Buckley Acked-by: Fan Zhang --- doc/guides/prog_guide/ipsec_lib.rst | 2 + doc/guides/rel_notes/release_21_11.rst | 1 + lib/ipsec/esp_outb.c | 120 +++++++++++++++++++------ 3 files changed, 97 insertions(+), 26 deletions(-) diff --git a/doc/guides/prog_guide/ipsec_lib.rst b/doc/guides/prog_guide/ipsec_lib.rst index af51ff8131..fc0af5eadb 100644 --- a/doc/guides/prog_guide/ipsec_lib.rst +++ b/doc/guides/prog_guide/ipsec_lib.rst @@ -315,6 +315,8 @@ Supported features * NAT-T / UDP encapsulated ESP. +* TSO support (only for inline crypto mode) + * algorithms: 3DES-CBC, AES-CBC, AES-CTR, AES-GCM, AES_CCM, CHACHA20_POLY1305, AES_GMAC, HMAC-SHA1, NULL. diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index e9fb169d44..0a9c71d92e 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -158,6 +158,7 @@ New Features * Added support for AEAD algorithms AES_CCM, CHACHA20_POLY1305 and AES_GMAC. * Added support for NAT-T / UDP encapsulated ESP + * Added support TSO offload support; only supported for inline crypto mode. Removed Items diff --git a/lib/ipsec/esp_outb.c b/lib/ipsec/esp_outb.c index 0e3314b358..d327c32a38 100644 --- a/lib/ipsec/esp_outb.c +++ b/lib/ipsec/esp_outb.c @@ -18,7 +18,7 @@ typedef int32_t (*esp_outb_prepare_t)(struct rte_ipsec_sa *sa, rte_be64_t sqc, const uint64_t ivp[IPSEC_MAX_IV_QWORD], struct rte_mbuf *mb, - union sym_op_data *icv, uint8_t sqh_len); + union sym_op_data *icv, uint8_t sqh_len, uint8_t tso); /* * helper function to fill crypto_sym op for cipher+auth algorithms. @@ -139,7 +139,7 @@ outb_cop_prepare(struct rte_crypto_op *cop, static inline int32_t outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc, const uint64_t ivp[IPSEC_MAX_IV_QWORD], struct rte_mbuf *mb, - union sym_op_data *icv, uint8_t sqh_len) + union sym_op_data *icv, uint8_t sqh_len, uint8_t tso) { uint32_t clen, hlen, l2len, pdlen, pdofs, plen, tlen; struct rte_mbuf *ml; @@ -157,11 +157,20 @@ outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc, /* number of bytes to encrypt */ clen = plen + sizeof(*espt); - clen = RTE_ALIGN_CEIL(clen, sa->pad_align); + + /* We don't need to pad/align packet when using TSO offload */ + if (!tso) + clen = RTE_ALIGN_CEIL(clen, sa->pad_align); + /* pad length + esp tail */ pdlen = clen - plen; - tlen = pdlen + sa->icv_len + sqh_len; + + /* We don't append ICV length when using TSO offload */ + if (!tso) + tlen = pdlen + sa->icv_len + sqh_len; + else + tlen = pdlen + sqh_len; /* do append and prepend */ ml = rte_pktmbuf_lastseg(mb); @@ -309,7 +318,7 @@ esp_outb_tun_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], /* try to update the packet itself */ rc = outb_tun_pkt_prepare(sa, sqc, iv, mb[i], &icv, - sa->sqh_len); + sa->sqh_len, 0); /* success, setup crypto op */ if (rc >= 0) { outb_pkt_xprepare(sa, sqc, &icv); @@ -336,7 +345,7 @@ esp_outb_tun_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], static inline int32_t outb_trs_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc, const uint64_t ivp[IPSEC_MAX_IV_QWORD], struct rte_mbuf *mb, - union sym_op_data *icv, uint8_t sqh_len) + union sym_op_data *icv, uint8_t sqh_len, uint8_t tso) { uint8_t np; uint32_t clen, hlen, pdlen, pdofs, plen, tlen, uhlen; @@ -358,11 +367,19 @@ outb_trs_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc, /* number of bytes to encrypt */ clen = plen + sizeof(*espt); - clen = RTE_ALIGN_CEIL(clen, sa->pad_align); + + /* We don't need to pad/align packet when using TSO offload */ + if (!tso) + clen = RTE_ALIGN_CEIL(clen, sa->pad_align); /* pad length + esp tail */ pdlen = clen - plen; - tlen = pdlen + sa->icv_len + sqh_len; + + /* We don't append ICV length when using TSO offload */ + if (!tso) + tlen = pdlen + sa->icv_len + sqh_len; + else + tlen = pdlen + sqh_len; /* do append and insert */ ml = rte_pktmbuf_lastseg(mb); @@ -452,7 +469,7 @@ esp_outb_trs_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], /* try to update the packet itself */ rc = outb_trs_pkt_prepare(sa, sqc, iv, mb[i], &icv, - sa->sqh_len); + sa->sqh_len, 0); /* success, setup crypto op */ if (rc >= 0) { outb_pkt_xprepare(sa, sqc, &icv); @@ -549,7 +566,7 @@ cpu_outb_pkt_prepare(const struct rte_ipsec_session *ss, gen_iv(ivbuf[k], sqc); /* try to update the packet itself */ - rc = prepare(sa, sqc, ivbuf[k], mb[i], &icv, sa->sqh_len); + rc = prepare(sa, sqc, ivbuf[k], mb[i], &icv, sa->sqh_len, 0); /* success, proceed with preparations */ if (rc >= 0) { @@ -660,6 +677,20 @@ inline_outb_mbuf_prepare(const struct rte_ipsec_session *ss, } } + +static inline int +esn_outb_nb_segments(struct rte_mbuf *m) +{ + if (m->ol_flags & (PKT_TX_TCP_SEG | PKT_TX_UDP_SEG)) { + uint16_t pkt_l3len = m->pkt_len - m->l2_len; + uint16_t segments = + (m->tso_segsz > 0 && pkt_l3len > m->tso_segsz) ? + (pkt_l3len + m->tso_segsz - 1) / m->tso_segsz : 1; + return segments; + } + return 1; /* no TSO */ +} + /* * process group of ESP outbound tunnel packets destined for * INLINE_CRYPTO type of device. @@ -669,29 +700,47 @@ inline_outb_tun_pkt_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], uint16_t num) { int32_t rc; - uint32_t i, k, n; + uint32_t i, k, n, nb_sqn; uint64_t sqn; rte_be64_t sqc; struct rte_ipsec_sa *sa; union sym_op_data icv; uint64_t iv[IPSEC_MAX_IV_QWORD]; uint32_t dr[num]; + uint16_t nb_segs[num]; sa = ss->sa; + nb_sqn = 0; + for (i = 0; i != num; i++) { + nb_segs[i] = esn_outb_nb_segments(mb[i]); + nb_sqn += nb_segs[i]; + /* setup outer l2 and l3 len for TSO */ + if (nb_segs[i] > 1) { + if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) + mb[i]->outer_l3_len = + sizeof(struct rte_ipv4_hdr); + else + mb[i]->outer_l3_len = + sizeof(struct rte_ipv6_hdr); + mb[i]->outer_l2_len = mb[i]->l2_len; + } + } - n = num; + n = nb_sqn; sqn = esn_outb_update_sqn(sa, &n); - if (n != num) + if (n != nb_sqn) rte_errno = EOVERFLOW; k = 0; - for (i = 0; i != n; i++) { + for (i = 0; i != num; i++) { - sqc = rte_cpu_to_be_64(sqn + i); + sqc = rte_cpu_to_be_64(sqn); gen_iv(iv, sqc); + sqn += nb_segs[i]; /* try to update the packet itself */ - rc = outb_tun_pkt_prepare(sa, sqc, iv, mb[i], &icv, 0); + rc = outb_tun_pkt_prepare(sa, sqc, iv, mb[i], &icv, 0, + nb_segs[i] > 1); k += (rc >= 0); @@ -703,8 +752,8 @@ inline_outb_tun_pkt_process(const struct rte_ipsec_session *ss, } /* copy not processed mbufs beyond good ones */ - if (k != n && k != 0) - move_bad_mbufs(mb, dr, n, n - k); + if (k != num && k != 0) + move_bad_mbufs(mb, dr, num, num - k); inline_outb_mbuf_prepare(ss, mb, k); return k; @@ -719,29 +768,48 @@ inline_outb_trs_pkt_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], uint16_t num) { int32_t rc; - uint32_t i, k, n; + uint32_t i, k, n, nb_sqn; uint64_t sqn; rte_be64_t sqc; struct rte_ipsec_sa *sa; union sym_op_data icv; uint64_t iv[IPSEC_MAX_IV_QWORD]; uint32_t dr[num]; + uint16_t nb_segs[num]; sa = ss->sa; + nb_sqn = 0; + /* Calculate number of sequence numbers required */ + for (i = 0; i != num; i++) { + nb_segs[i] = esn_outb_nb_segments(mb[i]); + nb_sqn += nb_segs[i]; + /* setup outer l2 and l3 len for TSO */ + if (nb_segs[i] > 1) { + if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) + mb[i]->outer_l3_len = + sizeof(struct rte_ipv4_hdr); + else + mb[i]->outer_l3_len = + sizeof(struct rte_ipv6_hdr); + mb[i]->outer_l2_len = mb[i]->l2_len; + } + } - n = num; + n = nb_sqn; sqn = esn_outb_update_sqn(sa, &n); - if (n != num) + if (n != nb_sqn) rte_errno = EOVERFLOW; k = 0; - for (i = 0; i != n; i++) { + for (i = 0; i != num; i++) { - sqc = rte_cpu_to_be_64(sqn + i); + sqc = rte_cpu_to_be_64(sqn); gen_iv(iv, sqc); + sqn += nb_segs[i]; /* try to update the packet itself */ - rc = outb_trs_pkt_prepare(sa, sqc, iv, mb[i], &icv, 0); + rc = outb_trs_pkt_prepare(sa, sqc, iv, mb[i], &icv, 0, + nb_segs[i] > 1); k += (rc >= 0); @@ -753,8 +821,8 @@ inline_outb_trs_pkt_process(const struct rte_ipsec_session *ss, } /* copy not processed mbufs beyond good ones */ - if (k != n && k != 0) - move_bad_mbufs(mb, dr, n, n - k); + if (k != num && k != 0) + move_bad_mbufs(mb, dr, num, num - k); inline_outb_mbuf_prepare(ss, mb, k); return k; From patchwork Wed Oct 13 12:13:28 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 101325 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 31753A0C55; Wed, 13 Oct 2021 14:26:10 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 1F75B4115A; Wed, 13 Oct 2021 14:26:10 +0200 (CEST) Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mails.dpdk.org (Postfix) with ESMTP id AAC0E40E64 for ; Wed, 13 Oct 2021 14:26:07 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10135"; a="214564526" X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="214564526" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Oct 2021 05:25:52 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="524607769" Received: from silpixa00400884.ir.intel.com ([10.243.22.82]) by orsmga001.jf.intel.com with ESMTP; 13 Oct 2021 05:25:48 -0700 From: Radu Nicolau To: Konstantin Ananyev , Bernard Iremonger , Vladimir Medvedkin , Ray Kinsella Cc: dev@dpdk.org, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Wed, 13 Oct 2021 13:13:28 +0100 Message-Id: <20211013121331.300245-8-radu.nicolau@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211013121331.300245-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211013121331.300245-1-radu.nicolau@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v9 07/10] ipsec: add support for SA telemetry X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add telemetry support for ipsec SAs Signed-off-by: Declan Doherty Signed-off-by: Radu Nicolau Signed-off-by: Abhijit Sinha Signed-off-by: Daniel Martin Buckley Acked-by: Fan Zhang Acked-by: Konstantin Ananyev --- doc/guides/prog_guide/ipsec_lib.rst | 7 + doc/guides/rel_notes/release_21_11.rst | 1 + lib/ipsec/esp_inb.c | 18 +- lib/ipsec/esp_outb.c | 12 +- lib/ipsec/ipsec_telemetry.c | 244 +++++++++++++++++++++++++ lib/ipsec/meson.build | 6 +- lib/ipsec/rte_ipsec.h | 23 +++ lib/ipsec/sa.c | 10 +- lib/ipsec/sa.h | 9 + lib/ipsec/version.map | 9 + 10 files changed, 328 insertions(+), 11 deletions(-) create mode 100644 lib/ipsec/ipsec_telemetry.c diff --git a/doc/guides/prog_guide/ipsec_lib.rst b/doc/guides/prog_guide/ipsec_lib.rst index fc0af5eadb..2a262f8c51 100644 --- a/doc/guides/prog_guide/ipsec_lib.rst +++ b/doc/guides/prog_guide/ipsec_lib.rst @@ -321,6 +321,13 @@ Supported features AES_GMAC, HMAC-SHA1, NULL. +Telemetry support +------------------ +Telemetry support implements SA details and IPsec packet add data counters +statistics. Per SA telemetry statistics can be enabled using +``rte_ipsec_telemetry_sa_add`` and disabled using +``rte_ipsec_telemetry_sa_del``. Note that these calls are not thread safe. + Limitations ----------- diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 0a9c71d92e..70932fc8a9 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -159,6 +159,7 @@ New Features * Added support for AEAD algorithms AES_CCM, CHACHA20_POLY1305 and AES_GMAC. * Added support for NAT-T / UDP encapsulated ESP * Added support TSO offload support; only supported for inline crypto mode. + * Added support for SA telemetry. Removed Items diff --git a/lib/ipsec/esp_inb.c b/lib/ipsec/esp_inb.c index d66c88f05d..6fbe468a61 100644 --- a/lib/ipsec/esp_inb.c +++ b/lib/ipsec/esp_inb.c @@ -15,7 +15,7 @@ #include "misc.h" #include "pad.h" -typedef uint16_t (*esp_inb_process_t)(const struct rte_ipsec_sa *sa, +typedef uint16_t (*esp_inb_process_t)(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], uint32_t sqn[], uint32_t dr[], uint16_t num, uint8_t sqh_len); @@ -573,10 +573,10 @@ tun_process_step3(struct rte_mbuf *mb, uint64_t txof_msk, uint64_t txof_val) * *process* function for tunnel packets */ static inline uint16_t -tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], +tun_process(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], uint32_t sqn[], uint32_t dr[], uint16_t num, uint8_t sqh_len) { - uint32_t adj, i, k, tl; + uint32_t adj, i, k, tl, bytes; uint32_t hl[num], to[num]; struct rte_esp_tail espt[num]; struct rte_mbuf *ml[num]; @@ -598,6 +598,7 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], process_step1(mb[i], tlen, &ml[i], &espt[i], &hl[i], &to[i]); k = 0; + bytes = 0; for (i = 0; i != num; i++) { adj = hl[i] + cofs; @@ -621,10 +622,13 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], tun_process_step3(mb[i], sa->tx_offload.msk, sa->tx_offload.val); k++; + bytes += mb[i]->pkt_len; } else dr[i - k] = i; } + sa->statistics.count += k; + sa->statistics.bytes += bytes; return k; } @@ -632,11 +636,11 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], * *process* function for tunnel packets */ static inline uint16_t -trs_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], +trs_process(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], uint32_t sqn[], uint32_t dr[], uint16_t num, uint8_t sqh_len) { char *np; - uint32_t i, k, l2, tl; + uint32_t i, k, l2, tl, bytes; uint32_t hl[num], to[num]; struct rte_esp_tail espt[num]; struct rte_mbuf *ml[num]; @@ -656,6 +660,7 @@ trs_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], process_step1(mb[i], tlen, &ml[i], &espt[i], &hl[i], &to[i]); k = 0; + bytes = 0; for (i = 0; i != num; i++) { tl = tlen + espt[i].pad_len; @@ -674,10 +679,13 @@ trs_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], /* update mbuf's metadata */ trs_process_step3(mb[i]); k++; + bytes += mb[i]->pkt_len; } else dr[i - k] = i; } + sa->statistics.count += k; + sa->statistics.bytes += bytes; return k; } diff --git a/lib/ipsec/esp_outb.c b/lib/ipsec/esp_outb.c index d327c32a38..812ba1e5ec 100644 --- a/lib/ipsec/esp_outb.c +++ b/lib/ipsec/esp_outb.c @@ -623,7 +623,7 @@ uint16_t esp_outb_sqh_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], uint16_t num) { - uint32_t i, k, icv_len, *icv; + uint32_t i, k, icv_len, *icv, bytes; struct rte_mbuf *ml; struct rte_ipsec_sa *sa; uint32_t dr[num]; @@ -632,6 +632,7 @@ esp_outb_sqh_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], k = 0; icv_len = sa->icv_len; + bytes = 0; for (i = 0; i != num; i++) { if ((mb[i]->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) == 0) { @@ -642,10 +643,13 @@ esp_outb_sqh_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], icv = rte_pktmbuf_mtod_offset(ml, void *, ml->data_len - icv_len); remove_sqh(icv, icv_len); + bytes += mb[i]->pkt_len; k++; } else dr[i - k] = i; } + sa->statistics.count += k; + sa->statistics.bytes += bytes; /* handle unprocessed mbufs */ if (k != num) { @@ -665,16 +669,20 @@ static inline void inline_outb_mbuf_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], uint16_t num) { - uint32_t i, ol_flags; + uint32_t i, ol_flags, bytes; ol_flags = ss->security.ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA; + bytes = 0; for (i = 0; i != num; i++) { mb[i]->ol_flags |= PKT_TX_SEC_OFFLOAD; + bytes += mb[i]->pkt_len; if (ol_flags != 0) rte_security_set_pkt_metadata(ss->security.ctx, ss->security.ses, mb[i], NULL); } + ss->sa->statistics.count += num; + ss->sa->statistics.bytes += bytes; } diff --git a/lib/ipsec/ipsec_telemetry.c b/lib/ipsec/ipsec_telemetry.c new file mode 100644 index 0000000000..713da75f38 --- /dev/null +++ b/lib/ipsec/ipsec_telemetry.c @@ -0,0 +1,244 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(c) 2021 Intel Corporation + */ + +#include +#include +#include +#include "sa.h" + + +struct ipsec_telemetry_entry { + LIST_ENTRY(ipsec_telemetry_entry) next; + const struct rte_ipsec_sa *sa; +}; +static LIST_HEAD(ipsec_telemetry_head, ipsec_telemetry_entry) + ipsec_telemetry_list = LIST_HEAD_INITIALIZER(); + +static int +handle_telemetry_cmd_ipsec_sa_list(const char *cmd __rte_unused, + const char *params __rte_unused, + struct rte_tel_data *data) +{ + struct ipsec_telemetry_entry *entry; + rte_tel_data_start_array(data, RTE_TEL_U64_VAL); + + LIST_FOREACH(entry, &ipsec_telemetry_list, next) { + const struct rte_ipsec_sa *sa = entry->sa; + rte_tel_data_add_array_u64(data, rte_be_to_cpu_32(sa->spi)); + } + + return 0; +} + +/** + * Handle IPsec SA statistics telemetry request + * + * Return dict of SA's with dict of key/value counters + * + * { + * "SA_SPI_XX": {"count": 0, "bytes": 0, "errors": 0}, + * "SA_SPI_YY": {"count": 0, "bytes": 0, "errors": 0} + * } + * + */ +static int +handle_telemetry_cmd_ipsec_sa_stats(const char *cmd __rte_unused, + const char *params, + struct rte_tel_data *data) +{ + struct ipsec_telemetry_entry *entry; + const struct rte_ipsec_sa *sa; + uint32_t sa_spi = 0; + + if (params) { + sa_spi = rte_cpu_to_be_32((uint32_t)strtoul(params, NULL, 0)); + if (sa_spi == 0) + return -EINVAL; + } + + rte_tel_data_start_dict(data); + + LIST_FOREACH(entry, &ipsec_telemetry_list, next) { + char sa_name[64]; + sa = entry->sa; + static const char *name_pkt_cnt = "count"; + static const char *name_byte_cnt = "bytes"; + static const char *name_error_cnt = "errors"; + struct rte_tel_data *sa_data; + + /* If user provided SPI only get telemetry for that SA */ + if (sa_spi && (sa_spi != sa->spi)) + continue; + + /* allocate telemetry data struct for SA telemetry */ + sa_data = rte_tel_data_alloc(); + if (!sa_data) + return -ENOMEM; + + rte_tel_data_start_dict(sa_data); + + /* add telemetry key/values pairs */ + rte_tel_data_add_dict_u64(sa_data, name_pkt_cnt, + sa->statistics.count); + + rte_tel_data_add_dict_u64(sa_data, name_byte_cnt, + sa->statistics.bytes - + (sa->statistics.count * sa->hdr_len)); + + rte_tel_data_add_dict_u64(sa_data, name_error_cnt, + sa->statistics.errors.count); + + /* generate telemetry label */ + snprintf(sa_name, sizeof(sa_name), "SA_SPI_%i", + rte_be_to_cpu_32(sa->spi)); + + /* add SA telemetry to dictionary container */ + rte_tel_data_add_dict_container(data, sa_name, sa_data, 0); + } + + return 0; +} + +static int +handle_telemetry_cmd_ipsec_sa_details(const char *cmd __rte_unused, + const char *params, + struct rte_tel_data *data) +{ + struct ipsec_telemetry_entry *entry; + const struct rte_ipsec_sa *sa; + uint32_t sa_spi = 0; + + if (params) + sa_spi = rte_cpu_to_be_32((uint32_t)strtoul(params, NULL, 0)); + /* valid SPI needed */ + if (sa_spi == 0) + return -EINVAL; + + + rte_tel_data_start_dict(data); + + LIST_FOREACH(entry, &ipsec_telemetry_list, next) { + uint64_t mode; + sa = entry->sa; + if (sa_spi != sa->spi) + continue; + + /* add SA configuration key/values pairs */ + rte_tel_data_add_dict_string(data, "Type", + (sa->type & RTE_IPSEC_SATP_PROTO_MASK) == + RTE_IPSEC_SATP_PROTO_AH ? "AH" : "ESP"); + + rte_tel_data_add_dict_string(data, "Direction", + (sa->type & RTE_IPSEC_SATP_DIR_MASK) == + RTE_IPSEC_SATP_DIR_IB ? "Inbound" : "Outbound"); + + mode = sa->type & RTE_IPSEC_SATP_MODE_MASK; + + if (mode == RTE_IPSEC_SATP_MODE_TRANS) { + rte_tel_data_add_dict_string(data, "Mode", "Transport"); + } else { + rte_tel_data_add_dict_string(data, "Mode", "Tunnel"); + + if ((sa->type & RTE_IPSEC_SATP_NATT_MASK) == + RTE_IPSEC_SATP_NATT_ENABLE) { + if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) { + rte_tel_data_add_dict_string(data, + "Tunnel-Type", + "IPv4-UDP"); + } else if (sa->type & + RTE_IPSEC_SATP_MODE_TUNLV6) { + rte_tel_data_add_dict_string(data, + "Tunnel-Type", + "IPv4-UDP"); + } + } else { + if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) { + rte_tel_data_add_dict_string(data, + "Tunnel-Type", + "IPv4-UDP"); + } else if (sa->type & + RTE_IPSEC_SATP_MODE_TUNLV6) { + rte_tel_data_add_dict_string(data, + "Tunnel-Type", + "IPv4-UDP"); + } + } + } + + rte_tel_data_add_dict_string(data, + "extended-sequence-number", + (sa->type & RTE_IPSEC_SATP_ESN_MASK) == + RTE_IPSEC_SATP_ESN_ENABLE ? + "enabled" : "disabled"); + + if ((sa->type & RTE_IPSEC_SATP_DIR_MASK) == + RTE_IPSEC_SATP_DIR_IB) + + if (sa->sqn.inb.rsn[sa->sqn.inb.rdidx]) + rte_tel_data_add_dict_u64(data, + "sequence-number", + sa->sqn.inb.rsn[sa->sqn.inb.rdidx]->sqn); + else + rte_tel_data_add_dict_u64(data, + "sequence-number", 0); + else + rte_tel_data_add_dict_u64(data, "sequence-number", + sa->sqn.outb); + + rte_tel_data_add_dict_string(data, + "explicit-congestion-notification", + (sa->type & RTE_IPSEC_SATP_ECN_MASK) == + RTE_IPSEC_SATP_ECN_ENABLE ? + "enabled" : "disabled"); + + rte_tel_data_add_dict_string(data, + "copy-DSCP", + (sa->type & RTE_IPSEC_SATP_DSCP_MASK) == + RTE_IPSEC_SATP_DSCP_ENABLE ? + "enabled" : "disabled"); + } + + return 0; +} + + +int +rte_ipsec_telemetry_sa_add(const struct rte_ipsec_sa *sa) +{ + struct ipsec_telemetry_entry *entry = rte_zmalloc(NULL, + sizeof(struct ipsec_telemetry_entry), 0); + if (entry == NULL) + return -ENOMEM; + entry->sa = sa; + LIST_INSERT_HEAD(&ipsec_telemetry_list, entry, next); + return 0; +} + +void +rte_ipsec_telemetry_sa_del(const struct rte_ipsec_sa *sa) +{ + struct ipsec_telemetry_entry *entry; + LIST_FOREACH(entry, &ipsec_telemetry_list, next) { + if (sa == entry->sa) { + LIST_REMOVE(entry, next); + rte_free(entry); + return; + } + } +} + + +RTE_INIT(rte_ipsec_telemetry_init) +{ + rte_telemetry_register_cmd("/ipsec/sa/list", + handle_telemetry_cmd_ipsec_sa_list, + "Return list of IPsec SAs with telemetry enabled."); + rte_telemetry_register_cmd("/ipsec/sa/stats", + handle_telemetry_cmd_ipsec_sa_stats, + "Returns IPsec SA stastistics. Parameters: int sa_spi"); + rte_telemetry_register_cmd("/ipsec/sa/details", + handle_telemetry_cmd_ipsec_sa_details, + "Returns IPsec SA configuration. Parameters: int sa_spi"); +} + diff --git a/lib/ipsec/meson.build b/lib/ipsec/meson.build index 1497f573bb..ddb9ea1767 100644 --- a/lib/ipsec/meson.build +++ b/lib/ipsec/meson.build @@ -1,9 +1,11 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2018 Intel Corporation -sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') +sources = files('esp_inb.c', 'esp_outb.c', + 'sa.c', 'ses.c', 'ipsec_sad.c', + 'ipsec_telemetry.c') headers = files('rte_ipsec.h', 'rte_ipsec_sa.h', 'rte_ipsec_sad.h') indirect_headers += files('rte_ipsec_group.h') -deps += ['mbuf', 'net', 'cryptodev', 'security', 'hash'] +deps += ['mbuf', 'net', 'cryptodev', 'security', 'hash', 'telemetry'] diff --git a/lib/ipsec/rte_ipsec.h b/lib/ipsec/rte_ipsec.h index dd60d95915..5308f250a7 100644 --- a/lib/ipsec/rte_ipsec.h +++ b/lib/ipsec/rte_ipsec.h @@ -158,6 +158,29 @@ rte_ipsec_pkt_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], return ss->pkt_func.process(ss, mb, num); } + +/** + * Enable per SA telemetry for a specific SA. + * Note that this function is not thread safe + * @param sa + * Pointer to the *rte_ipsec_sa* object that will have telemetry enabled. + * @return + * 0 on success, negative value otherwise. + */ +__rte_experimental +int +rte_ipsec_telemetry_sa_add(const struct rte_ipsec_sa *sa); + +/** + * Disable per SA telemetry for a specific SA. + * Note that this function is not thread safe + * @param sa + * Pointer to the *rte_ipsec_sa* object that will have telemetry disabled. + */ +__rte_experimental +void +rte_ipsec_telemetry_sa_del(const struct rte_ipsec_sa *sa); + #include #ifdef __cplusplus diff --git a/lib/ipsec/sa.c b/lib/ipsec/sa.c index 2830506385..d767b2036a 100644 --- a/lib/ipsec/sa.c +++ b/lib/ipsec/sa.c @@ -656,19 +656,25 @@ uint16_t pkt_flag_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], uint16_t num) { - uint32_t i, k; + uint32_t i, k, bytes; uint32_t dr[num]; RTE_SET_USED(ss); k = 0; + bytes = 0; for (i = 0; i != num; i++) { - if ((mb[i]->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) == 0) + if ((mb[i]->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) == 0) { k++; + bytes += mb[i]->pkt_len; + } else dr[i - k] = i; } + ss->sa->statistics.count += k; + ss->sa->statistics.bytes += bytes; + /* handle unprocessed mbufs */ if (k != num) { rte_errno = EBADMSG; diff --git a/lib/ipsec/sa.h b/lib/ipsec/sa.h index 107ebd1519..6e59f18e16 100644 --- a/lib/ipsec/sa.h +++ b/lib/ipsec/sa.h @@ -132,6 +132,15 @@ struct rte_ipsec_sa { struct replay_sqn *rsn[REPLAY_SQN_NUM]; } inb; } sqn; + /* Statistics */ + struct { + uint64_t count; + uint64_t bytes; + struct { + uint64_t count; + uint64_t authentication_failed; + } errors; + } statistics; } __rte_cache_aligned; diff --git a/lib/ipsec/version.map b/lib/ipsec/version.map index ba8753eac4..0af27ffd60 100644 --- a/lib/ipsec/version.map +++ b/lib/ipsec/version.map @@ -19,3 +19,12 @@ DPDK_22 { local: *; }; + +EXPERIMENTAL { + global: + + # added in 21.11 + rte_ipsec_telemetry_sa_add; + rte_ipsec_telemetry_sa_del; + +}; From patchwork Wed Oct 13 12:13:29 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 101326 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id C41FCA0C55; Wed, 13 Oct 2021 14:26:16 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id C120D411D8; Wed, 13 Oct 2021 14:26:12 +0200 (CEST) Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mails.dpdk.org (Postfix) with ESMTP id 1AB4340E64 for ; Wed, 13 Oct 2021 14:26:08 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10135"; a="214564542" X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="214564542" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Oct 2021 05:25:55 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="524607789" Received: from silpixa00400884.ir.intel.com ([10.243.22.82]) by orsmga001.jf.intel.com with ESMTP; 13 Oct 2021 05:25:52 -0700 From: Radu Nicolau To: Konstantin Ananyev , Bernard Iremonger , Vladimir Medvedkin Cc: dev@dpdk.org, mdr@ashroe.eu, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Wed, 13 Oct 2021 13:13:29 +0100 Message-Id: <20211013121331.300245-9-radu.nicolau@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211013121331.300245-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211013121331.300245-1-radu.nicolau@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v9 08/10] ipsec: add support for initial SQN value X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Update IPsec library to support initial SQN value. Signed-off-by: Declan Doherty Signed-off-by: Radu Nicolau Signed-off-by: Abhijit Sinha Signed-off-by: Daniel Martin Buckley Acked-by: Fan Zhang Acked-by: Konstantin Ananyev --- doc/guides/rel_notes/release_21_11.rst | 1 + lib/ipsec/sa.c | 18 +++++++++++------- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 70932fc8a9..4ae9fe54d5 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -160,6 +160,7 @@ New Features * Added support for NAT-T / UDP encapsulated ESP * Added support TSO offload support; only supported for inline crypto mode. * Added support for SA telemetry. + * Added support for setting a non default starting ESN value. Removed Items diff --git a/lib/ipsec/sa.c b/lib/ipsec/sa.c index d767b2036a..d32f58dd1b 100644 --- a/lib/ipsec/sa.c +++ b/lib/ipsec/sa.c @@ -294,11 +294,11 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm) * Init ESP outbound specific things. */ static void -esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) +esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen, uint64_t sqn) { uint8_t algo_type; - sa->sqn.outb = 1; + sa->sqn.outb = sqn > 1 ? sqn : 1; algo_type = sa->algo_type; @@ -380,7 +380,7 @@ esp_outb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm) sa->tx_offload.val = rte_mbuf_tx_offload(sa->hdr_l3_off, sa->hdr_len - sa->hdr_l3_off, 0, 0, 0, 0, 0); - esp_outb_init(sa, sa->hdr_len); + esp_outb_init(sa, sa->hdr_len, prm->ipsec_xform.esn.value); return 0; } @@ -509,7 +509,7 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS | RTE_IPSEC_SATP_NATT_ENABLE): case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS): - esp_outb_init(sa, 0); + esp_outb_init(sa, 0, prm->ipsec_xform.esn.value); break; } @@ -520,15 +520,19 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, * helper function, init SA replay structure. */ static void -fill_sa_replay(struct rte_ipsec_sa *sa, uint32_t wnd_sz, uint32_t nb_bucket) +fill_sa_replay(struct rte_ipsec_sa *sa, uint32_t wnd_sz, uint32_t nb_bucket, + uint64_t sqn) { sa->replay.win_sz = wnd_sz; sa->replay.nb_bucket = nb_bucket; sa->replay.bucket_index_mask = nb_bucket - 1; sa->sqn.inb.rsn[0] = (struct replay_sqn *)(sa + 1); - if ((sa->type & RTE_IPSEC_SATP_SQN_MASK) == RTE_IPSEC_SATP_SQN_ATOM) + sa->sqn.inb.rsn[0]->sqn = sqn; + if ((sa->type & RTE_IPSEC_SATP_SQN_MASK) == RTE_IPSEC_SATP_SQN_ATOM) { sa->sqn.inb.rsn[1] = (struct replay_sqn *) ((uintptr_t)sa->sqn.inb.rsn[0] + rsn_size(nb_bucket)); + sa->sqn.inb.rsn[1]->sqn = sqn; + } } int @@ -604,7 +608,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, /* fill replay window related fields */ if (nb != 0) - fill_sa_replay(sa, wsz, nb); + fill_sa_replay(sa, wsz, nb, prm->ipsec_xform.esn.value); return sz; } From patchwork Wed Oct 13 12:13:30 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 101327 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id A1C98A0C55; Wed, 13 Oct 2021 14:26:22 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id D2D57411C3; Wed, 13 Oct 2021 14:26:16 +0200 (CEST) Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mails.dpdk.org (Postfix) with ESMTP id C22F140E64 for ; Wed, 13 Oct 2021 14:26:15 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10135"; a="214564558" X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="214564558" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Oct 2021 05:25:59 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="524607803" Received: from silpixa00400884.ir.intel.com ([10.243.22.82]) by orsmga001.jf.intel.com with ESMTP; 13 Oct 2021 05:25:55 -0700 From: Radu Nicolau To: Ray Kinsella Cc: dev@dpdk.org, konstantin.ananyev@intel.com, vladimir.medvedkin@intel.com, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Wed, 13 Oct 2021 13:13:30 +0100 Message-Id: <20211013121331.300245-10-radu.nicolau@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211013121331.300245-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211013121331.300245-1-radu.nicolau@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v9 09/10] doc: remove unneeded ipsec new field deprecation X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" The deprecation notice regarding extendig rte_ipsec_sa_prm with a new field hdr_l3_len is no longer applicable. Signed-off-by: Radu Nicolau --- doc/guides/rel_notes/deprecation.rst | 3 --- 1 file changed, 3 deletions(-) diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst index 6517e7821f..d1bcd75327 100644 --- a/doc/guides/rel_notes/deprecation.rst +++ b/doc/guides/rel_notes/deprecation.rst @@ -211,9 +211,6 @@ Deprecation Notices will be updated with new fields to support new features like TSO in case of protocol offload. -* ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field - ``hdr_l3_len`` to configure tunnel L3 header length. - * eventdev: The file ``rte_eventdev_pmd.h`` will be renamed to ``eventdev_driver.h`` to make the driver interface as internal and the structures ``rte_eventdev_data``, ``rte_eventdev`` and ``rte_eventdevs`` will be moved to a new file named From patchwork Wed Oct 13 12:13:31 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 101328 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 72509A0C55; Wed, 13 Oct 2021 14:26:27 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id BFE5D411D7; Wed, 13 Oct 2021 14:26:17 +0200 (CEST) Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mails.dpdk.org (Postfix) with ESMTP id 8564140E64 for ; Wed, 13 Oct 2021 14:26:16 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10135"; a="214564566" X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="214564566" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Oct 2021 05:26:02 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,370,1624345200"; d="scan'208";a="524607828" Received: from silpixa00400884.ir.intel.com ([10.243.22.82]) by orsmga001.jf.intel.com with ESMTP; 13 Oct 2021 05:25:59 -0700 From: Radu Nicolau To: Ray Kinsella Cc: dev@dpdk.org, konstantin.ananyev@intel.com, vladimir.medvedkin@intel.com, bruce.richardson@intel.com, roy.fan.zhang@intel.com, hemant.agrawal@nxp.com, gakhil@marvell.com, anoobj@marvell.com, declan.doherty@intel.com, abhijit.sinha@intel.com, daniel.m.buckley@intel.com, marchana@marvell.com, ktejasree@marvell.com, matan@nvidia.com, Radu Nicolau Date: Wed, 13 Oct 2021 13:13:31 +0100 Message-Id: <20211013121331.300245-11-radu.nicolau@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211013121331.300245-1-radu.nicolau@intel.com> References: <20210713133542.3550525-1-radu.nicolau@intel.com> <20211013121331.300245-1-radu.nicolau@intel.com> MIME-Version: 1.0 Subject: [dpdk-dev] [PATCH v9 10/10] doc: remove unneeded security deprecation X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" The new fields regarding TSO support were not implemented following feedback, it was decided to implement TSO support by using existing mbuf fields. Signed-off-by: Radu Nicolau --- doc/guides/rel_notes/deprecation.rst | 7 ------- 1 file changed, 7 deletions(-) diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst index d1bcd75327..53ce7466c0 100644 --- a/doc/guides/rel_notes/deprecation.rst +++ b/doc/guides/rel_notes/deprecation.rst @@ -204,13 +204,6 @@ Deprecation Notices pointer for the private data to the application which can be attached to the packet while enqueuing. -* security: The structure ``rte_security_ipsec_xform`` will be extended with: - new field: IPsec payload MSS (Maximum Segment Size). - -* security: The IPsec SA config options ``struct rte_security_ipsec_sa_options`` - will be updated with new fields to support new features like TSO in case of - protocol offload. - * eventdev: The file ``rte_eventdev_pmd.h`` will be renamed to ``eventdev_driver.h`` to make the driver interface as internal and the structures ``rte_eventdev_data``, ``rte_eventdev`` and ``rte_eventdevs`` will be moved to a new file named