Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/132176/?format=api
{ "id": 132176, "url": "http://patches.dpdk.org/api/patches/132176/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/patch/20230929071636.796-1-anoobj@marvell.com/", "project": { "id": 1, "url": "http://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20230929071636.796-1-anoobj@marvell.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20230929071636.796-1-anoobj@marvell.com", "date": "2023-09-29T07:16:34", "name": "[v2,1/2] security: add fallback security processing and Rx inject", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": true, "hash": "5b9eef25e8f9cb49f363124641e06eadeb7ecc5d", "submitter": { "id": 1205, "url": "http://patches.dpdk.org/api/people/1205/?format=api", "name": "Anoob Joseph", "email": "anoobj@marvell.com" }, "delegate": { "id": 6690, "url": "http://patches.dpdk.org/api/users/6690/?format=api", "username": "akhil", "first_name": "akhil", "last_name": "goyal", "email": "gakhil@marvell.com" }, "mbox": "http://patches.dpdk.org/project/dpdk/patch/20230929071636.796-1-anoobj@marvell.com/mbox/", "series": [ { "id": 29690, "url": "http://patches.dpdk.org/api/series/29690/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/list/?series=29690", "date": "2023-09-29T07:16:34", "name": "[v2,1/2] security: add fallback security processing and Rx inject", "version": 2, "mbox": "http://patches.dpdk.org/series/29690/mbox/" } ], "comments": "http://patches.dpdk.org/api/patches/132176/comments/", "check": "success", "checks": "http://patches.dpdk.org/api/patches/132176/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@inbox.dpdk.org", "Delivered-To": "patchwork@inbox.dpdk.org", "Received": [ "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id B237F4266D;\n\tFri, 29 Sep 2023 09:16:45 +0200 (CEST)", "from mails.dpdk.org (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id 4556C40277;\n\tFri, 29 Sep 2023 09:16:45 +0200 (CEST)", "from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com\n [67.231.156.173])\n by mails.dpdk.org (Postfix) with ESMTP id AB75F4003C\n for <dev@dpdk.org>; Fri, 29 Sep 2023 09:16:43 +0200 (CEST)", "from pps.filterd (m0045851.ppops.net [127.0.0.1])\n by mx0b-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id\n 38T27RKT020566; Fri, 29 Sep 2023 00:16:42 -0700", "from dc5-exch02.marvell.com ([199.233.59.182])\n by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3tcrrs7axy-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT);\n Fri, 29 Sep 2023 00:16:42 -0700", "from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com\n (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.48;\n Fri, 29 Sep 2023 00:16:40 -0700", "from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com\n (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.48 via Frontend\n Transport; Fri, 29 Sep 2023 00:16:40 -0700", "from BG-LT92004.corp.innovium.com (unknown [10.28.163.189])\n by maili.marvell.com (Postfix) with ESMTP id C439B5B6924;\n Fri, 29 Sep 2023 00:16:36 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com;\n h=from : to : cc :\n subject : date : message-id : in-reply-to : references : mime-version :\n content-transfer-encoding : content-type; s=pfpt0220;\n bh=jzdSCSz1eVyYHHpTLmRypaycmW0lxi5YrDLmMMEHLyU=;\n b=BMAUGVmxMLv+eRd4n0BSYkqB45YDdG2LDAyvL/hcAu9Y4ZfJel1c45az+/pVSSnbWPQ8\n Uc9/ZE0h1EgWaolh5ImFibNJXuBuli57QDFOB4kjbvXYol3hi7pdjfQgmog/6nuieeLj\n wixwUi0ukc31ztQAM99XuOJD++dWdPVtTPTZ7+7lshvTliCEh1lQ6YYDSObTlATGfFDV\n Xx3I3gkOqDMMvT9XGH7dDRyl+t7xunudnw4rXpH0zRoG5KQRcmJaH5IUlxEWsYkl2R/7\n /u399P05iMiyofueX1dX93SRGtxd5WoQxk2veutN6sBSGpFFoIgKT+EboJz+L799PMrw iQ==", "From": "Anoob Joseph <anoobj@marvell.com>", "To": "Akhil Goyal <gakhil@marvell.com>, Jerin Jacob <jerinj@marvell.com>,\n Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>", "CC": "Hemant Agrawal <hemant.agrawal@nxp.com>, <dev@dpdk.org>, \"Vidya Sagar\n Velumuri\" <vvelumuri@marvell.com>,\n <david.coyle@intel.com>, <kai.ji@intel.com>,\n <kevin.osullivan@intel.com>, Ciara Power <ciara.power@intel.com>", "Subject": "[PATCH v2 1/2] security: add fallback security processing and Rx\n inject", "Date": "Fri, 29 Sep 2023 12:46:34 +0530", "Message-ID": "<20230929071636.796-1-anoobj@marvell.com>", "X-Mailer": "git-send-email 2.25.1", "In-Reply-To": "<20230811114510.576-1-anoobj@marvell.com>", "References": "<20230811114510.576-1-anoobj@marvell.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Content-Type": "text/plain", "X-Proofpoint-ORIG-GUID": "SqE9rEeCDUDoKPAZkd8j5w8FOHMgZlj_", "X-Proofpoint-GUID": "SqE9rEeCDUDoKPAZkd8j5w8FOHMgZlj_", "X-Proofpoint-Virus-Version": "vendor=baseguard\n engine=ICAP:2.0.267,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26\n definitions=2023-09-29_05,2023-09-28_03,2023-05-22_02", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org" }, "content": "Add alternate datapath API for security processing which would do Rx\ninjection (similar to loopback) after successful security processing.\n\nWith inline protocol offload, variable part of the session context\n(AR windows, lifetime etc in case of IPsec), is not accessible to the\napplication. If packets are not getting processed in the inline path\ndue to non security reasons (such as outer fragmentation or rte_flow\npacket steering limitations), then the packet cannot be security\nprocessed as the session context is private to the PMD and security\nlibrary doesn't provide alternate APIs to make use of the same session.\n\nIntroduce new API and Rx injection as fallback mechanism to security\nprocessing failures due to non-security reasons. For example, when there\nis outer fragmentation and PMD doesn't support reassembly of outer\nfragments, application would receive fragments which it can then\nreassemble. Post successful reassembly, packet can be submitted for\nsecurity processing and Rx inject. The packets can be then received in\nthe application as normal inline protocol processed packets.\n\nSame API can be leveraged in lookaside protocol offload mode to inject\npacket to Rx. This would help in using rte_flow based packet parsing\nafter security processing. For example, with IPsec, this will help in\ninner parsing and flow splitting after IPsec processing is done.\n\nIn both inline protocol capable ethdevs and lookaside protocol capable\ncryptodevs, the packet would be received back in eth port & queue based\non rte_flow rules and packet parsing after security processing. The API\nwould behave like a loopback but with the additional security\nprocessing.\n\nSigned-off-by: Anoob Joseph <anoobj@marvell.com>\nSigned-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>\n---\nv2:\n* Added a new API for configuring security device to do Rx inject to a specific\n ethdev port\n* Rebased\n\n doc/guides/cryptodevs/features/default.ini | 1 +\n lib/cryptodev/rte_cryptodev.h | 2 +\n lib/security/rte_security.c | 22 ++++++\n lib/security/rte_security.h | 85 ++++++++++++++++++++++\n lib/security/rte_security_driver.h | 44 +++++++++++\n lib/security/version.map | 3 +\n 6 files changed, 157 insertions(+)", "diff": "diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini\nindex 6f637fa7e2..f411d4bab7 100644\n--- a/doc/guides/cryptodevs/features/default.ini\n+++ b/doc/guides/cryptodevs/features/default.ini\n@@ -34,6 +34,7 @@ Sym raw data path API =\n Cipher multiple data units =\n Cipher wrapped key =\n Inner checksum =\n+Rx inject =\n \n ;\n ; Supported crypto algorithms of a default crypto driver.\ndiff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h\nindex 9f07e1ed2c..05aabb6526 100644\n--- a/lib/cryptodev/rte_cryptodev.h\n+++ b/lib/cryptodev/rte_cryptodev.h\n@@ -534,6 +534,8 @@ rte_cryptodev_asym_get_xform_string(enum rte_crypto_asym_xform_type xform_enum);\n /**< Support wrapped key in cipher xform */\n #define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM\t\t(1ULL << 27)\n /**< Support inner checksum computation/verification */\n+#define RTE_CRYPTODEV_FF_SECURITY_RX_INJECT\t\t(1ULL << 28)\n+/**< Support Rx injection after security processing */\n \n /**\n * Get the name of a crypto device feature flag\ndiff --git a/lib/security/rte_security.c b/lib/security/rte_security.c\nindex ab44bbe0f0..fa8d2bb7ce 100644\n--- a/lib/security/rte_security.c\n+++ b/lib/security/rte_security.c\n@@ -321,6 +321,28 @@ rte_security_capability_get(void *ctx, struct rte_security_capability_idx *idx)\n \treturn NULL;\n }\n \n+int\n+rte_security_rx_inject_configure(void *ctx, uint16_t port_id, bool enable)\n+{\n+\tstruct rte_security_ctx *instance = ctx;\n+\n+\tRTE_PTR_OR_ERR_RET(instance, -EINVAL);\n+\tRTE_PTR_OR_ERR_RET(instance->ops, -ENOTSUP);\n+\tRTE_PTR_OR_ERR_RET(instance->ops->rx_inject_configure, -ENOTSUP);\n+\n+\treturn instance->ops->rx_inject_configure(instance->device, port_id, enable);\n+}\n+\n+uint16_t\n+rte_security_inb_pkt_rx_inject(void *ctx, struct rte_mbuf **pkts, void **sess,\n+\t\t\t uint16_t nb_pkts)\n+{\n+\tstruct rte_security_ctx *instance = ctx;\n+\n+\treturn instance->ops->inb_pkt_rx_inject(instance->device, pkts,\n+\t\t\t\t\t\t(struct rte_security_session **)sess, nb_pkts);\n+}\n+\n static int\n security_handle_cryptodev_list(const char *cmd __rte_unused,\n \t\t\t const char *params __rte_unused,\ndiff --git a/lib/security/rte_security.h b/lib/security/rte_security.h\nindex c9cc7a45a6..fe8e8e9813 100644\n--- a/lib/security/rte_security.h\n+++ b/lib/security/rte_security.h\n@@ -1310,6 +1310,91 @@ const struct rte_security_capability *\n rte_security_capability_get(void *instance,\n \t\t\t struct rte_security_capability_idx *idx);\n \n+/**\n+ * @warning\n+ * @b EXPERIMENTAL: this API may change, or be removed, without prior notice\n+ *\n+ * Configure security device to inject packets to an ethdev port.\n+ *\n+ * This API must be called only when both security device and the ethdev is in\n+ * stopped state. The security device need to be configured before any packets\n+ * are submitted to ``rte_security_inb_pkt_rx_inject`` API.\n+ *\n+ * @param\tctx\t\tSecurity ctx\n+ * @param\tport_id\t\tPort identifier of the ethernet device to which\n+ *\t\t\t\tpackets need to be injected.\n+ * @param\tenable\t\tFlag to enable and disable connection between a\n+ *\t\t\t\tsecurity device and an ethdev port.\n+ * @return\n+ * - 0 if successful.\n+ * - -EINVAL if context NULL or port_id is invalid.\n+ * - -EBUSY if devices are not in stopped state.\n+ * - -ENOTSUP if security device does not support injecting to the ethdev\n+ * port.\n+ *\n+ * @see rte_security_inb_pkt_rx_inject\n+ */\n+__rte_experimental\n+int\n+rte_security_rx_inject_configure(void *ctx, uint16_t port_id, bool enable);\n+\n+/**\n+ * @warning\n+ * @b EXPERIMENTAL: this API may change, or be removed, without prior notice\n+ *\n+ * Perform security processing of packets and inject the processed packet to\n+ * ethdev Rx.\n+ *\n+ * Rx inject would behave similarly to ethdev loopback but with the additional\n+ * security processing. In case of ethdev loopback, application would be\n+ * submitting packets to ethdev Tx queues and would be received as is from\n+ * ethdev Rx queues. With Rx inject, packets would be received after security\n+ * processing from ethdev Rx queues.\n+ *\n+ * With inline protocol offload capable ethdevs, Rx injection can be used to\n+ * handle packets which failed the regular security Rx path. This can be due to\n+ * cases such as outer fragmentation, in which case applications can reassemble\n+ * the fragments and then subsequently submit for inbound processing and Rx\n+ * injection, so that packets are received as regular security processed\n+ * packets.\n+ *\n+ * With lookaside protocol offload capable cryptodevs, Rx injection can be used\n+ * to perform packet parsing after security processing. This would allow for\n+ * re-classification after security protocol processing is done (ie, inner\n+ * packet parsing). The ethdev queue on which the packet would be received would\n+ * be based on rte_flow rules matching the packet after security processing.\n+ *\n+ * The security device which is injecting packets to ethdev Rx need to be\n+ * configured using ``rte_security_rx_inject_configure`` with enable flag set\n+ * to `true` before any packets are submitted.\n+ *\n+ * If `hash.fdir.h` field is set in mbuf, it would be treated as the value for\n+ * `MARK` pattern for the subsequent rte_flow parsing. The packet would appear\n+ * as if it is received from `port` field in mbuf.\n+ *\n+ * Since the packet would be received back from ethdev Rx queues, it is expected\n+ * that application retains/adds L2 header with the mbuf field 'l2_len'\n+ * reflecting the size of L2 header in the packet.\n+ *\n+ * @param\tctx\t\tSecurity ctx\n+ * @param\tpkts\t\tThe address of an array of *nb_pkts* pointers to\n+ *\t\t\t\t*rte_mbuf* structures which contain the packets.\n+ * @param\tsess\t\tThe address of an array of *nb_pkts* pointers to\n+ *\t\t\t\tsecurity sessions corresponding to each packet.\n+ * @param\tnb_pkts\t\tThe maximum number of packets to process.\n+ *\n+ * @return\n+ * The number of packets successfully injected to ethdev Rx. The return\n+ * value can be less than the value of the *nb_pkts* parameter when the\n+ * PMD internal queues have been filled up.\n+ *\n+ * @see rte_security_rx_inject_configure\n+ */\n+__rte_experimental\n+uint16_t\n+rte_security_inb_pkt_rx_inject(void *ctx, struct rte_mbuf **pkts, void **sess,\n+\t\t\t uint16_t nb_pkts);\n+\n #ifdef __cplusplus\n }\n #endif\ndiff --git a/lib/security/rte_security_driver.h b/lib/security/rte_security_driver.h\nindex e5e1c4cfe8..62664dacdb 100644\n--- a/lib/security/rte_security_driver.h\n+++ b/lib/security/rte_security_driver.h\n@@ -257,6 +257,46 @@ typedef int (*security_set_pkt_metadata_t)(void *device,\n typedef const struct rte_security_capability *(*security_capabilities_get_t)(\n \t\tvoid *device);\n \n+/**\n+ * Configure security device to inject packets to an ethdev port.\n+ *\n+ * @param\tdevice\t\tCrypto/eth device pointer\n+ * @param\tport_id\t\tPort identifier of the ethernet device to which packets need to be\n+ *\t\t\t\tinjected.\n+ * @param\tenable\t\tFlag to enable and disable connection between a security device and\n+ *\t\t\t\tan ethdev port.\n+ * @return\n+ * - 0 if successful.\n+ * - -EINVAL if context NULL or port_id is invalid.\n+ * - -EBUSY if devices are not in stopped state.\n+ * - -ENOTSUP if security device does not support injecting to the ethdev port.\n+ */\n+typedef int (*security_rx_inject_configure)(void *device, uint16_t port_id, bool enable);\n+\n+/**\n+ * Perform security processing of packets and inject the processed packet to\n+ * ethdev Rx.\n+ *\n+ * Rx inject would behave similarly to ethdev loopback but with the additional\n+ * security processing.\n+ *\n+ * @param\tdevice\t\tCrypto/eth device pointer\n+ * @param\tpkts\t\tThe address of an array of *nb_pkts* pointers to\n+ *\t\t\t\t*rte_mbuf* structures which contain the packets.\n+ * @param\tsess\t\tThe address of an array of *nb_pkts* pointers to\n+ *\t\t\t\t*rte_security_session* structures corresponding\n+ *\t\t\t\tto each packet.\n+ * @param\tnb_pkts\t\tThe maximum number of packets to process.\n+ *\n+ * @return\n+ * The number of packets successfully injected to ethdev Rx. The return\n+ * value can be less than the value of the *nb_pkts* parameter when the\n+ * PMD internal queues have been filled up.\n+ */\n+typedef uint16_t (*security_inb_pkt_rx_inject)(void *device,\n+\t\tstruct rte_mbuf **pkts, struct rte_security_session **sess,\n+\t\tuint16_t nb_pkts);\n+\n /** Security operations function pointer table */\n struct rte_security_ops {\n \tsecurity_session_create_t session_create;\n@@ -285,6 +325,10 @@ struct rte_security_ops {\n \t/**< Get MACsec SC statistics. */\n \tsecurity_macsec_sa_stats_get_t macsec_sa_stats_get;\n \t/**< Get MACsec SA statistics. */\n+\tsecurity_rx_inject_configure rx_inject_configure;\n+\t/**< Rx inject configure. */\n+\tsecurity_inb_pkt_rx_inject inb_pkt_rx_inject;\n+\t/**< Perform security processing and do Rx inject. */\n };\n \n #ifdef __cplusplus\ndiff --git a/lib/security/version.map b/lib/security/version.map\nindex 86f976a302..e07fca33a1 100644\n--- a/lib/security/version.map\n+++ b/lib/security/version.map\n@@ -24,6 +24,9 @@ EXPERIMENTAL {\n \trte_security_session_stats_get;\n \trte_security_session_update;\n \trte_security_oop_dynfield_offset;\n+\n+\trte_security_rx_inject_configure;\n+\trte_security_inb_pkt_rx_inject;\n };\n \n INTERNAL {\n", "prefixes": [ "v2", "1/2" ] }