Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/65540/?format=api
{ "id": 65540, "url": "http://patches.dpdk.org/api/patches/65540/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/patch/20200204131258.17632-7-marcinx.smoczynski@intel.com/", "project": { "id": 1, "url": "http://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20200204131258.17632-7-marcinx.smoczynski@intel.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20200204131258.17632-7-marcinx.smoczynski@intel.com", "date": "2020-02-04T13:12:56", "name": "[v6,6/8] examples/ipsec-secgw: cpu crypto support", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": true, "hash": "7f9160078614a03c20b027830a32f6e453bd550a", "submitter": { "id": 1293, "url": "http://patches.dpdk.org/api/people/1293/?format=api", "name": "Marcin Smoczynski", "email": "marcinx.smoczynski@intel.com" }, "delegate": { "id": 6690, "url": "http://patches.dpdk.org/api/users/6690/?format=api", "username": "akhil", "first_name": "akhil", "last_name": "goyal", "email": "gakhil@marvell.com" }, "mbox": "http://patches.dpdk.org/project/dpdk/patch/20200204131258.17632-7-marcinx.smoczynski@intel.com/mbox/", "series": [ { "id": 8413, "url": "http://patches.dpdk.org/api/series/8413/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/list/?series=8413", "date": "2020-02-04T13:12:50", "name": "Introduce CPU crypto mode", "version": 6, "mbox": "http://patches.dpdk.org/series/8413/mbox/" } ], "comments": "http://patches.dpdk.org/api/patches/65540/comments/", "check": "fail", "checks": "http://patches.dpdk.org/api/patches/65540/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@inbox.dpdk.org", "Delivered-To": "patchwork@inbox.dpdk.org", "Received": [ "from dpdk.org (dpdk.org [92.243.14.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id 3D4B4A0534;\n\tTue, 4 Feb 2020 14:14:12 +0100 (CET)", "from [92.243.14.124] (localhost [127.0.0.1])\n\tby dpdk.org (Postfix) with ESMTP id 2D7AD1C1CC;\n\tTue, 4 Feb 2020 14:13:20 +0100 (CET)", "from mga07.intel.com (mga07.intel.com [134.134.136.100])\n by dpdk.org (Postfix) with ESMTP id 10D271C1BC\n for <dev@dpdk.org>; Tue, 4 Feb 2020 14:13:17 +0100 (CET)", "from fmsmga005.fm.intel.com ([10.253.24.32])\n by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;\n 04 Feb 2020 05:13:17 -0800", "from msmoczyx-mobl.ger.corp.intel.com ([10.103.102.190])\n by fmsmga005.fm.intel.com with ESMTP; 04 Feb 2020 05:13:16 -0800" ], "X-Amp-Result": "SKIPPED(no attachment in message)", "X-Amp-File-Uploaded": "False", "X-ExtLoop1": "1", "X-IronPort-AV": "E=Sophos;i=\"5.70,401,1574150400\"; d=\"scan'208\";a=\"429800450\"", "From": "Marcin Smoczynski <marcinx.smoczynski@intel.com>", "To": "akhil.goyal@nxp.com, konstantin.ananyev@intel.com,\n roy.fan.zhang@intel.com,\n declan.doherty@intel.com, radu.nicolau@intel.com,\n pablo.de.lara.guarch@intel.com", "Cc": "dev@dpdk.org,\n\tMarcin Smoczynski <marcinx.smoczynski@intel.com>", "Date": "Tue, 4 Feb 2020 14:12:56 +0100", "Message-Id": "<20200204131258.17632-7-marcinx.smoczynski@intel.com>", "X-Mailer": "git-send-email 2.21.0.windows.1", "In-Reply-To": "<20200204131258.17632-1-marcinx.smoczynski@intel.com>", "References": "<20200128142220.16644-1-marcinx.smoczynski@intel.com>\n <20200204131258.17632-1-marcinx.smoczynski@intel.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Subject": "[dpdk-dev] [PATCH v6 6/8] examples/ipsec-secgw: cpu crypto support", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.15", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "Add support for CPU accelerated crypto. 'cpu-crypto' SA type has\nbeen introduced in configuration allowing to use abovementioned\nacceleration.\n\nLegacy mode is not currently supported.\n\nSigned-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>\nSigned-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>\nAcked-by: Fan Zhang <roy.fan.zhang@intel.com>\n---\n examples/ipsec-secgw/ipsec.c | 25 ++++-\n examples/ipsec-secgw/ipsec_process.c | 136 +++++++++++++++++----------\n examples/ipsec-secgw/sa.c | 30 ++++--\n 3 files changed, 131 insertions(+), 60 deletions(-)", "diff": "diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c\nindex d4b57121a..6e8120702 100644\n--- a/examples/ipsec-secgw/ipsec.c\n+++ b/examples/ipsec-secgw/ipsec.c\n@@ -1,5 +1,5 @@\n /* SPDX-License-Identifier: BSD-3-Clause\n- * Copyright(c) 2016-2017 Intel Corporation\n+ * Copyright(c) 2016-2020 Intel Corporation\n */\n #include <sys/types.h>\n #include <netinet/in.h>\n@@ -10,6 +10,7 @@\n #include <rte_crypto.h>\n #include <rte_security.h>\n #include <rte_cryptodev.h>\n+#include <rte_ipsec.h>\n #include <rte_ethdev.h>\n #include <rte_mbuf.h>\n #include <rte_hash.h>\n@@ -86,7 +87,8 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,\n \t\t\tipsec_ctx->tbl[cdev_id_qp].id,\n \t\t\tipsec_ctx->tbl[cdev_id_qp].qp);\n \n-\tif (ips->type != RTE_SECURITY_ACTION_TYPE_NONE) {\n+\tif (ips->type != RTE_SECURITY_ACTION_TYPE_NONE &&\n+\t\tips->type != RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {\n \t\tstruct rte_security_session_conf sess_conf = {\n \t\t\t.action_type = ips->type,\n \t\t\t.protocol = RTE_SECURITY_PROTOCOL_IPSEC,\n@@ -126,6 +128,18 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,\n \t\t\treturn -1;\n \t\t}\n \t} else {\n+\t\tif (ips->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {\n+\t\t\tstruct rte_cryptodev_info info;\n+\t\t\tuint16_t cdev_id;\n+\n+\t\t\tcdev_id = ipsec_ctx->tbl[cdev_id_qp].id;\n+\t\t\trte_cryptodev_info_get(cdev_id, &info);\n+\t\t\tif (!(info.feature_flags &\n+\t\t\t\tRTE_CRYPTODEV_FF_SYM_CPU_CRYPTO))\n+\t\t\t\treturn -ENOTSUP;\n+\n+\t\t\tips->crypto.dev_id = cdev_id;\n+\t\t}\n \t\tips->crypto.ses = rte_cryptodev_sym_session_create(\n \t\t\t\tipsec_ctx->session_pool);\n \t\trte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id,\n@@ -476,6 +490,13 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,\n \t\t\trte_security_attach_session(&priv->cop,\n \t\t\t\tips->security.ses);\n \t\t\tbreak;\n+\n+\t\tcase RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:\n+\t\t\tRTE_LOG(ERR, IPSEC, \"CPU crypto is not supported by the\"\n+\t\t\t\t\t\" legacy mode.\");\n+\t\t\trte_pktmbuf_free(pkts[i]);\n+\t\t\tcontinue;\n+\n \t\tcase RTE_SECURITY_ACTION_TYPE_NONE:\n \n \t\t\tpriv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;\ndiff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c\nindex 2eb5c8b34..bb2f2b82d 100644\n--- a/examples/ipsec-secgw/ipsec_process.c\n+++ b/examples/ipsec-secgw/ipsec_process.c\n@@ -1,5 +1,5 @@\n /* SPDX-License-Identifier: BSD-3-Clause\n- * Copyright(c) 2016-2017 Intel Corporation\n+ * Copyright(c) 2016-2020 Intel Corporation\n */\n #include <sys/types.h>\n #include <netinet/in.h>\n@@ -92,7 +92,8 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct ipsec_ctx *ctx,\n \tint32_t rc;\n \n \t/* setup crypto section */\n-\tif (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {\n+\tif (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||\n+\t\t\tss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {\n \t\tRTE_ASSERT(ss->crypto.ses == NULL);\n \t\trc = create_lookaside_session(ctx, sa, ss);\n \t\tif (rc != 0)\n@@ -215,6 +216,62 @@ ipsec_prepare_crypto_group(struct ipsec_ctx *ctx, struct ipsec_sa *sa,\n \treturn k;\n }\n \n+/*\n+ * helper routine for inline and cpu(synchronous) processing\n+ * this is just to satisfy inbound_sa_check() and get_hop_for_offload_pkt().\n+ * Should be removed in future.\n+ */\n+static inline void\n+prep_process_group(void *sa, struct rte_mbuf *mb[], uint32_t cnt)\n+{\n+\tuint32_t j;\n+\tstruct ipsec_mbuf_metadata *priv;\n+\n+\tfor (j = 0; j != cnt; j++) {\n+\t\tpriv = get_priv(mb[j]);\n+\t\tpriv->sa = sa;\n+\t}\n+}\n+\n+/*\n+ * finish processing of packets successfully decrypted by an inline processor\n+ */\n+static uint32_t\n+ipsec_process_inline_group(struct rte_ipsec_session *ips, void *sa,\n+\tstruct ipsec_traffic *trf, struct rte_mbuf *mb[], uint32_t cnt)\n+{\n+\tuint64_t satp;\n+\tuint32_t k;\n+\n+\t/* get SA type */\n+\tsatp = rte_ipsec_sa_type(ips->sa);\n+\tprep_process_group(sa, mb, cnt);\n+\n+\tk = rte_ipsec_pkt_process(ips, mb, cnt);\n+\tcopy_to_trf(trf, satp, mb, k);\n+\treturn k;\n+}\n+\n+/*\n+ * process packets synchronously\n+ */\n+static uint32_t\n+ipsec_process_cpu_group(struct rte_ipsec_session *ips, void *sa,\n+\tstruct ipsec_traffic *trf, struct rte_mbuf *mb[], uint32_t cnt)\n+{\n+\tuint64_t satp;\n+\tuint32_t k;\n+\n+\t/* get SA type */\n+\tsatp = rte_ipsec_sa_type(ips->sa);\n+\tprep_process_group(sa, mb, cnt);\n+\n+\tk = rte_ipsec_pkt_cpu_prepare(ips, mb, cnt);\n+\tk = rte_ipsec_pkt_process(ips, mb, k);\n+\tcopy_to_trf(trf, satp, mb, k);\n+\treturn k;\n+}\n+\n /*\n * Process ipsec packets.\n * If packet belong to SA that is subject of inline-crypto,\n@@ -225,10 +282,8 @@ ipsec_prepare_crypto_group(struct ipsec_ctx *ctx, struct ipsec_sa *sa,\n void\n ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)\n {\n-\tuint64_t satp;\n-\tuint32_t i, j, k, n;\n+\tuint32_t i, k, n;\n \tstruct ipsec_sa *sa;\n-\tstruct ipsec_mbuf_metadata *priv;\n \tstruct rte_ipsec_group *pg;\n \tstruct rte_ipsec_session *ips;\n \tstruct rte_ipsec_group grp[RTE_DIM(trf->ipsec.pkts)];\n@@ -236,10 +291,17 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)\n \tn = sa_group(trf->ipsec.saptr, trf->ipsec.pkts, grp, trf->ipsec.num);\n \n \tfor (i = 0; i != n; i++) {\n+\n \t\tpg = grp + i;\n \t\tsa = ipsec_mask_saptr(pg->id.ptr);\n \n-\t\tips = ipsec_get_primary_session(sa);\n+\t\t/* fallback to cryptodev with RX packets which inline\n+\t\t * processor was unable to process\n+\t\t */\n+\t\tif (sa != NULL)\n+\t\t\tips = (pg->id.val & IPSEC_SA_OFFLOAD_FALLBACK_FLAG) ?\n+\t\t\t\tipsec_get_fallback_session(sa) :\n+\t\t\t\tipsec_get_primary_session(sa);\n \n \t\t/* no valid HW session for that SA, try to create one */\n \t\tif (sa == NULL || (ips->crypto.ses == NULL &&\n@@ -247,50 +309,26 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)\n \t\t\tk = 0;\n \n \t\t/* process packets inline */\n-\t\telse if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||\n-\t\t\t\tips->type ==\n-\t\t\t\tRTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {\n-\n-\t\t\t/* get SA type */\n-\t\t\tsatp = rte_ipsec_sa_type(ips->sa);\n-\n-\t\t\t/*\n-\t\t\t * This is just to satisfy inbound_sa_check()\n-\t\t\t * and get_hop_for_offload_pkt().\n-\t\t\t * Should be removed in future.\n-\t\t\t */\n-\t\t\tfor (j = 0; j != pg->cnt; j++) {\n-\t\t\t\tpriv = get_priv(pg->m[j]);\n-\t\t\t\tpriv->sa = sa;\n+\t\telse {\n+\t\t\tswitch (ips->type) {\n+\t\t\t/* enqueue packets to crypto dev */\n+\t\t\tcase RTE_SECURITY_ACTION_TYPE_NONE:\n+\t\t\tcase RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:\n+\t\t\t\tk = ipsec_prepare_crypto_group(ctx, sa, ips,\n+\t\t\t\t\tpg->m, pg->cnt);\n+\t\t\t\tbreak;\n+\t\t\tcase RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO:\n+\t\t\tcase RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:\n+\t\t\t\tk = ipsec_process_inline_group(ips, sa,\n+\t\t\t\t\ttrf, pg->m, pg->cnt);\n+\t\t\t\tbreak;\n+\t\t\tcase RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:\n+\t\t\t\tk = ipsec_process_cpu_group(ips, sa,\n+\t\t\t\t\ttrf, pg->m, pg->cnt);\n+\t\t\t\tbreak;\n+\t\t\tdefault:\n+\t\t\t\tk = 0;\n \t\t\t}\n-\n-\t\t\t/* fallback to cryptodev with RX packets which inline\n-\t\t\t * processor was unable to process\n-\t\t\t */\n-\t\t\tif (pg->id.val & IPSEC_SA_OFFLOAD_FALLBACK_FLAG) {\n-\t\t\t\t/* offload packets to cryptodev */\n-\t\t\t\tstruct rte_ipsec_session *fallback;\n-\n-\t\t\t\tfallback = ipsec_get_fallback_session(sa);\n-\t\t\t\tif (fallback->crypto.ses == NULL &&\n-\t\t\t\t\tfill_ipsec_session(fallback, ctx, sa)\n-\t\t\t\t\t!= 0)\n-\t\t\t\t\tk = 0;\n-\t\t\t\telse\n-\t\t\t\t\tk = ipsec_prepare_crypto_group(ctx, sa,\n-\t\t\t\t\t\tfallback, pg->m, pg->cnt);\n-\t\t\t} else {\n-\t\t\t\t/* finish processing of packets successfully\n-\t\t\t\t * decrypted by an inline processor\n-\t\t\t\t */\n-\t\t\t\tk = rte_ipsec_pkt_process(ips, pg->m, pg->cnt);\n-\t\t\t\tcopy_to_trf(trf, satp, pg->m, k);\n-\n-\t\t\t}\n-\t\t/* enqueue packets to crypto dev */\n-\t\t} else {\n-\t\t\tk = ipsec_prepare_crypto_group(ctx, sa, ips, pg->m,\n-\t\t\t\tpg->cnt);\n \t\t}\n \n \t\t/* drop packets that cannot be enqueued/processed */\ndiff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c\nindex c75a5a15f..e9e8d624c 100644\n--- a/examples/ipsec-secgw/sa.c\n+++ b/examples/ipsec-secgw/sa.c\n@@ -1,5 +1,5 @@\n /* SPDX-License-Identifier: BSD-3-Clause\n- * Copyright(c) 2016-2017 Intel Corporation\n+ * Copyright(c) 2016-2020 Intel Corporation\n */\n \n /*\n@@ -586,6 +586,8 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,\n \t\t\t\tRTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;\n \t\t\telse if (strcmp(tokens[ti], \"no-offload\") == 0)\n \t\t\t\tips->type = RTE_SECURITY_ACTION_TYPE_NONE;\n+\t\t\telse if (strcmp(tokens[ti], \"cpu-crypto\") == 0)\n+\t\t\t\tips->type = RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO;\n \t\t\telse {\n \t\t\t\tAPP_CHECK(0, status, \"Invalid input \\\"%s\\\"\",\n \t\t\t\t\t\ttokens[ti]);\n@@ -679,10 +681,12 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,\n \tif (status->status < 0)\n \t\treturn;\n \n-\tif ((ips->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0))\n+\tif ((ips->type != RTE_SECURITY_ACTION_TYPE_NONE && ips->type !=\n+\t\t\tRTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) && (portid_p == 0))\n \t\tprintf(\"Missing portid option, falling back to non-offload\\n\");\n \n-\tif (!type_p || !portid_p) {\n+\tif (!type_p || (!portid_p && ips->type !=\n+\t\t\tRTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)) {\n \t\tips->type = RTE_SECURITY_ACTION_TYPE_NONE;\n \t\trule->portid = -1;\n \t}\n@@ -768,15 +772,25 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)\n \tcase RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:\n \t\tprintf(\"lookaside-protocol-offload \");\n \t\tbreak;\n+\tcase RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:\n+\t\tprintf(\"cpu-crypto-accelerated\");\n+\t\tbreak;\n \t}\n \n \tfallback_ips = &sa->sessions[IPSEC_SESSION_FALLBACK];\n \tif (fallback_ips != NULL && sa->fallback_sessions > 0) {\n \t\tprintf(\"inline fallback: \");\n-\t\tif (fallback_ips->type == RTE_SECURITY_ACTION_TYPE_NONE)\n+\t\tswitch (fallback_ips->type) {\n+\t\tcase RTE_SECURITY_ACTION_TYPE_NONE:\n \t\t\tprintf(\"lookaside-none\");\n-\t\telse\n+\t\t\tbreak;\n+\t\tcase RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:\n+\t\t\tprintf(\"cpu-crypto-accelerated\");\n+\t\t\tbreak;\n+\t\tdefault:\n \t\t\tprintf(\"invalid\");\n+\t\t\tbreak;\n+\t\t}\n \t}\n \tprintf(\"\\n\");\n }\n@@ -975,7 +989,6 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],\n \t\t\t\treturn -EINVAL;\n \t\t}\n \n-\n \t\tswitch (WITHOUT_TRANSPORT_VERSION(sa->flags)) {\n \t\tcase IP4_TUNNEL:\n \t\t\tsa->src.ip.ip4 = rte_cpu_to_be_32(sa->src.ip.ip4);\n@@ -1026,7 +1039,6 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],\n \t\t\t\t\treturn -EINVAL;\n \t\t\t\t}\n \t\t\t}\n-\t\t\tprint_one_sa_rule(sa, inbound);\n \t\t} else {\n \t\t\tswitch (sa->cipher_algo) {\n \t\t\tcase RTE_CRYPTO_CIPHER_NULL:\n@@ -1091,9 +1103,9 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],\n \t\t\tsa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;\n \t\t\tsa_ctx->xf[idx].b.next = NULL;\n \t\t\tsa->xforms = &sa_ctx->xf[idx].a;\n-\n-\t\t\tprint_one_sa_rule(sa, inbound);\n \t\t}\n+\n+\t\tprint_one_sa_rule(sa, inbound);\n \t}\n \n \treturn 0;\n", "prefixes": [ "v6", "6/8" ] }