From patchwork Thu Mar 9 08:56:43 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nithin Dabilpuram X-Patchwork-Id: 124891 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 25B1C41E2B; Thu, 9 Mar 2023 09:57:00 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 0EDCF40ED7; Thu, 9 Mar 2023 09:57:00 +0100 (CET) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id A096F400D7 for ; Thu, 9 Mar 2023 09:56:58 +0100 (CET) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 3295OqKe018369; Thu, 9 Mar 2023 00:56:57 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=RpF5Ll8yJrY8uac7iL6x6nwU6/DPf75NU0Dxs1RV3qk=; b=YZlly3rAQ/6mx/ZjnCATAST2iIh+UezVubD+28ksQut68K0PJhkTbtSWr1leGViVCIEr zZrnd556I6XdRQpOJn11JDUf6U+Berkt4a9dqITv7G77OG7fiv1ciZe0FKDRi/Y0ES4G W0DdLELO+QEheWgM11/NCgbyXa6lpVVIdXwHE14famWQPqNUlGf5xi1IMlIxF3LIOb+Y SPL5KQdwO3R2Z55RNlRQwDQyr10Jsiar01VUoPqllQIcLrMOA2BGfylChFDLIxmpecvW KQc4SZHEr+rdQ8pEhPCnURqwO3Odq9snG9NwN//C1VjzMI5XVkXHSB2mNzZsOWBqFFeS eA== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3p6ff3gbfd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 09 Mar 2023 00:56:57 -0800 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Thu, 9 Mar 2023 00:56:55 -0800 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.42 via Frontend Transport; Thu, 9 Mar 2023 00:56:55 -0800 Received: from hyd1588t430.caveonetworks.com (unknown [10.29.52.204]) by maili.marvell.com (Postfix) with ESMTP id C69A35B693F; Thu, 9 Mar 2023 00:56:53 -0800 (PST) From: Nithin Dabilpuram To: Thomas Monjalon , Akhil Goyal CC: , , Nithin Dabilpuram Subject: [RFC 1/2] security: introduce out of place support for inline ingress Date: Thu, 9 Mar 2023 14:26:43 +0530 Message-ID: <20230309085645.1630826-1-ndabilpuram@marvell.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: 9XpukHyeZIqDzEKRJiR7OkPReFvyve7e X-Proofpoint-GUID: 9XpukHyeZIqDzEKRJiR7OkPReFvyve7e X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-09_05,2023-03-08_03,2023-02-09_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Similar to out of place(OOP) processing support that exists for Lookaside crypto/security sessions, Inline ingress security sessions may also need out of place processing in usecases where original encrypted packet needs to be retained for post processing. So for NIC's which have such a kind of HW support, a new SA option is provided to indicate whether OOP needs to be enabled on that Inline ingress security session or not. Since for inline ingress sessions, packet is not received by CPU until the processing is done, we can only have per-SA option and not per-packet option like Lookaside sessions. In order to return the original encrypted packet mbuf, this patch adds a new mbuf dynamic field of 8B size containing pointer to original mbuf which will be populated for packets associated with Inline SA that has OOP enabled. Signed-off-by: Nithin Dabilpuram --- devtools/libabigail.abignore | 4 +++ lib/security/rte_security.c | 17 +++++++++++++ lib/security/rte_security.h | 39 +++++++++++++++++++++++++++++- lib/security/rte_security_driver.h | 8 ++++++ lib/security/version.map | 2 ++ 5 files changed, 69 insertions(+), 1 deletion(-) diff --git a/devtools/libabigail.abignore b/devtools/libabigail.abignore index 7a93de3ba1..9f52ffbf2e 100644 --- a/devtools/libabigail.abignore +++ b/devtools/libabigail.abignore @@ -34,3 +34,7 @@ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Temporary exceptions till next major ABI version ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +; Ignore change to reserved opts for new SA option +[suppress_type] + name = rte_security_ipsec_sa_options diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c index e102c55e55..c2199dd8db 100644 --- a/lib/security/rte_security.c +++ b/lib/security/rte_security.c @@ -27,7 +27,10 @@ } while (0) #define RTE_SECURITY_DYNFIELD_NAME "rte_security_dynfield_metadata" +#define RTE_SECURITY_OOP_DYNFIELD_NAME "rte_security_oop_dynfield_metadata" + int rte_security_dynfield_offset = -1; +int rte_security_oop_dynfield_offset = -1; int rte_security_dynfield_register(void) @@ -42,6 +45,20 @@ rte_security_dynfield_register(void) return rte_security_dynfield_offset; } +int +rte_security_oop_dynfield_register(void) +{ + static const struct rte_mbuf_dynfield dynfield_desc = { + .name = RTE_SECURITY_OOP_DYNFIELD_NAME, + .size = sizeof(rte_security_oop_dynfield_t), + .align = __alignof__(rte_security_oop_dynfield_t), + }; + + rte_security_oop_dynfield_offset = + rte_mbuf_dynfield_register(&dynfield_desc); + return rte_security_oop_dynfield_offset; +} + void * rte_security_session_create(struct rte_security_ctx *instance, struct rte_security_session_conf *conf, diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 4bacf9fcd9..866cd4e8ee 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -275,6 +275,17 @@ struct rte_security_ipsec_sa_options { */ uint32_t ip_reassembly_en : 1; + /** Enable out of place processing on inline inbound packets. + * + * * 1: Enable driver to perform Out-of-place(OOP) processing for this inline + * inbound SA if supported by driver. PMD need to register mbuf + * dynamic field using rte_security_oop_dynfield_register() + * and security session creation would fail if dynfield is not + * registered successfully. + * * 0: Disable OOP processing for this session (default). + */ + uint32_t ingress_oop : 1; + /** Reserved bit fields for future extension * * User should ensure reserved_opts is cleared as it may change in @@ -282,7 +293,7 @@ struct rte_security_ipsec_sa_options { * * Note: Reduce number of bits in reserved_opts for every new option. */ - uint32_t reserved_opts : 17; + uint32_t reserved_opts : 16; }; /** IPSec security association direction */ @@ -812,6 +823,13 @@ typedef uint64_t rte_security_dynfield_t; /** Dynamic mbuf field for device-specific metadata */ extern int rte_security_dynfield_offset; +/** Out-of-Place(OOP) processing field type */ +typedef struct rte_mbuf *rte_security_oop_dynfield_t; +/** Dynamic mbuf field for pointer to original mbuf for + * OOP processing session. + */ +extern int rte_security_oop_dynfield_offset; + /** * @warning * @b EXPERIMENTAL: this API may change without prior notice @@ -834,6 +852,25 @@ rte_security_dynfield(struct rte_mbuf *mbuf) rte_security_dynfield_t *); } +/** + * @warning + * @b EXPERIMENTAL: this API may change without prior notice + * + * Get pointer to mbuf field for original mbuf pointer when + * Out-Of-Place(OOP) processing is enabled in security session. + * + * @param mbuf packet to access + * @return pointer to mbuf field + */ +__rte_experimental +static inline rte_security_oop_dynfield_t * +rte_security_oop_dynfield(struct rte_mbuf *mbuf) +{ + return RTE_MBUF_DYNFIELD(mbuf, + rte_security_oop_dynfield_offset, + rte_security_oop_dynfield_t *); +} + /** * @warning * @b EXPERIMENTAL: this API may change without prior notice diff --git a/lib/security/rte_security_driver.h b/lib/security/rte_security_driver.h index 421e6f7780..91e7786ab7 100644 --- a/lib/security/rte_security_driver.h +++ b/lib/security/rte_security_driver.h @@ -190,6 +190,14 @@ typedef int (*security_macsec_sa_stats_get_t)(void *device, uint16_t sa_id, __rte_internal int rte_security_dynfield_register(void); +/** + * @internal + * Register mbuf dynamic field for Security inline ingress Out-of-Place(OOP) + * processing. + */ +__rte_internal +int rte_security_oop_dynfield_register(void); + /** * Update the mbuf with provided metadata. * diff --git a/lib/security/version.map b/lib/security/version.map index 07dcce9ffb..59a95f40bd 100644 --- a/lib/security/version.map +++ b/lib/security/version.map @@ -23,10 +23,12 @@ EXPERIMENTAL { rte_security_macsec_sc_stats_get; rte_security_session_stats_get; rte_security_session_update; + rte_security_oop_dynfield_offset; }; INTERNAL { global: rte_security_dynfield_register; + rte_security_oop_dynfield_register; }; From patchwork Thu Mar 9 08:56:44 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nithin Dabilpuram X-Patchwork-Id: 124892 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 128EC41E2B; Thu, 9 Mar 2023 09:57:05 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 18E5941611; Thu, 9 Mar 2023 09:57:02 +0100 (CET) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 032C04113D for ; Thu, 9 Mar 2023 09:57:00 +0100 (CET) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 3295Q7U8019720; Thu, 9 Mar 2023 00:57:00 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=ED58yXRpVo8NBkwI1Ya23HFzmyUEU7aKIlmkoB0IUpk=; b=JaEhexB7OzW8VLrVMhia6PmG26ieeilTv3Hytjocqqfh6DJDOPSFjir957f+xFyBclzi +RvUYh+rEwKLpixflMlsVn9hOTZ5AymNANAQdy79TDtBh74W4xgLKnMwdI8iV7pjjpZz GADWSBT+MKqfMFEbBKUOzpYY4w6sjazDvtbzhX1xbT3OAEWLtczohQXK/hKFd9WimPqN 5/lepIjnhUdup60O7hr27oCUbbEz/huBpDXmN9LX9YAF+j5nuWwZQ95ZQZOalhX4NAyS 25TayBBvDIbs1aqvYotedW3JSHL16U20rlkx9C4IbJwnDobtqKnR4/fzIYnpb0I6DA5X /w== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3p6ff3gbfr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 09 Mar 2023 00:57:00 -0800 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Thu, 9 Mar 2023 00:56:58 -0800 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.42 via Frontend Transport; Thu, 9 Mar 2023 00:56:58 -0800 Received: from hyd1588t430.caveonetworks.com (unknown [10.29.52.204]) by maili.marvell.com (Postfix) with ESMTP id 4ED585B6942; Thu, 9 Mar 2023 00:56:56 -0800 (PST) From: Nithin Dabilpuram To: Akhil Goyal , Fan Zhang CC: , , Nithin Dabilpuram Subject: [RFC 2/2] test/security: add unittest for inline ingress oop Date: Thu, 9 Mar 2023 14:26:44 +0530 Message-ID: <20230309085645.1630826-2-ndabilpuram@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230309085645.1630826-1-ndabilpuram@marvell.com> References: <20230309085645.1630826-1-ndabilpuram@marvell.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: dD8SZPEC8CDymqupc1ivuB7d-l9qde1y X-Proofpoint-GUID: dD8SZPEC8CDymqupc1ivuB7d-l9qde1y X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-09_05,2023-03-08_03,2023-02-09_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Add unittest for inline ingress out-of-place processing. Signed-off-by: Nithin Dabilpuram --- app/test/test_cryptodev_security_ipsec.c | 8 +++ app/test/test_cryptodev_security_ipsec.h | 1 + app/test/test_security_inline_proto.c | 85 ++++++++++++++++++++++++ 3 files changed, 94 insertions(+) diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 221edaa98d..f11bacb4d2 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -213,6 +213,14 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, } } + if (ipsec_xform->options.ingress_oop == 1 && + sec_cap->ipsec.options.ingress_oop == 0) { + if (!silent) + RTE_LOG(INFO, USER1, + "Inline Ingress OOP processing is not supported\n"); + return -ENOTSUP; + } + return 0; } diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 92e641ba0b..5606ec056d 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -110,6 +110,7 @@ struct ipsec_test_flags { bool ah; uint32_t plaintext_len; int nb_segs_in_mbuf; + bool inb_oop; }; struct crypto_param { diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c index 79858e559f..80bcdfc701 100644 --- a/app/test/test_security_inline_proto.c +++ b/app/test/test_security_inline_proto.c @@ -735,6 +735,51 @@ get_and_verify_incomplete_frags(struct rte_mbuf *mbuf, return ret; } +static int +verify_inbound_oop(struct ipsec_test_data *td, + bool silent, struct rte_mbuf *mbuf) +{ + int ret = TEST_SUCCESS, rc; + struct rte_mbuf *orig; + uint32_t len; + void *data; + + orig = *rte_security_oop_dynfield(mbuf); + if (!orig) { + if (!silent) + printf("\nUnable to get orig buffer OOP session"); + return TEST_FAILED; + } + + /* Skip Ethernet header comparison */ + rte_pktmbuf_adj(orig, RTE_ETHER_HDR_LEN); + + len = td->input_text.len; + if (orig->pkt_len != len) { + if (!silent) + printf("\nOriginal packet length mismatch, expected %u, got %u ", + len, orig->pkt_len); + ret = TEST_FAILED; + } + + data = rte_pktmbuf_mtod(orig, void *); + rc = memcmp(data, td->input_text.data, len); + if (rc) { + ret = TEST_FAILED; + if (silent) + goto exit; + + printf("TestCase %s line %d: %s\n", __func__, __LINE__, + "output text not as expected\n"); + + rte_hexdump(stdout, "expected", td->input_text.data, len); + rte_hexdump(stdout, "actual", data, len); + } +exit: + rte_pktmbuf_free(orig); + return ret; +} + static int test_ipsec_with_reassembly(struct reassembly_vector *vector, const struct ipsec_test_flags *flags) @@ -1115,6 +1160,12 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td, if (ret) return ret; + if (flags->inb_oop && rte_security_oop_dynfield_offset < 0) { + printf("\nDynamic field not available for inline inbound OOP"); + ret = TEST_FAILED; + goto out; + } + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { ret = create_default_flow(port_id); if (ret) @@ -1206,6 +1257,15 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td, goto out; } + if (flags->inb_oop) { + ret = verify_inbound_oop(td, silent, rx_pkts_burst[i]); + if (ret != TEST_SUCCESS) { + for ( ; i < nb_rx; i++) + rte_pktmbuf_free(rx_pkts_burst[i]); + goto out; + } + } + rte_pktmbuf_free(rx_pkts_burst[i]); rx_pkts_burst[i] = NULL; } @@ -1994,6 +2054,26 @@ test_ipsec_inline_proto_known_vec_inb(const void *test_data) return test_ipsec_inline_proto_process(&td_inb, NULL, 1, false, &flags); } +static int +test_ipsec_inline_proto_oop_inb(const void *test_data) +{ + const struct ipsec_test_data *td = test_data; + struct ipsec_test_flags flags; + struct ipsec_test_data td_inb; + + memset(&flags, 0, sizeof(flags)); + flags.inb_oop = true; + + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) + test_ipsec_td_in_from_out(td, &td_inb); + else + memcpy(&td_inb, td, sizeof(td_inb)); + + td_inb.ipsec_xform.options.ingress_oop = true; + + return test_ipsec_inline_proto_process(&td_inb, NULL, 1, false, &flags); +} + static int test_ipsec_inline_proto_display_list(const void *data __rte_unused) { @@ -3086,6 +3166,11 @@ static struct unit_test_suite inline_ipsec_testsuite = { "IPv4 Reassembly with burst of 4 fragments", ut_setup_inline_ipsec, ut_teardown_inline_ipsec, test_inline_ip_reassembly, &ipv4_4frag_burst_vector), + TEST_CASE_NAMED_WITH_DATA( + "Inbound Out-Of-Place processing", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_oop_inb, + &pkt_aes_128_gcm), TEST_CASES_END() /**< NULL terminate unit test array */ },