[dpdk-dev,07/11] ethdev: add rte flow action for crypto

Message ID	20170914082651.26232-8-akhil.goyal@nxp.com (mailing list archive)
State	Superseded, archived
Headers	Received-SPF: Fail (protection.outlook.com: domain of nxp.com does not designate 192.88.168.50 as permitted sender) receiver=protection.outlook.com; client-ip=192.88.168.50; helo=tx30smr01.am.freescale.net; From: Akhil Goyal <akhil.goyal@nxp.com> To: <dev@dpdk.org> CC: <declan.doherty@intel.com>, <pablo.de.lara.guarch@intel.com>, <hemant.agrawal@nxp.com>, <radu.nicolau@intel.com>, <borisp@mellanox.com>, <aviadye@mellanox.com>, <thomas@monjalon.net>, <sandeep.malik@nxp.com>, <jerin.jacob@caviumnetworks.com> Date: Thu, 14 Sep 2017 13:56:47 +0530 Message-ID: <20170914082651.26232-8-akhil.goyal@nxp.com> In-Reply-To: <20170914082651.26232-1-akhil.goyal@nxp.com> References: <20170914082651.26232-1-akhil.goyal@nxp.com> MIME-Version: 1.0 Content-Type: text/plain SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Sep 2017 08:29:36.6381 (UTC) Subject: [dpdk-dev] [PATCH 07/11] ethdev: add rte flow action for crypto Precedence: list Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org>

Message ID

20170914082651.26232-8-akhil.goyal@nxp.com (mailing list archive)

State

Superseded, archived

Headers

Received-SPF: Fail (protection.outlook.com: domain of nxp.com does not
	designate 192.88.168.50 as permitted sender)
	receiver=protection.outlook.com; 
	client-ip=192.88.168.50; helo=tx30smr01.am.freescale.net;
From: Akhil Goyal <akhil.goyal@nxp.com>
To: <dev@dpdk.org>
CC: <declan.doherty@intel.com>, <pablo.de.lara.guarch@intel.com>,
	<hemant.agrawal@nxp.com>, <radu.nicolau@intel.com>,
	<borisp@mellanox.com>, 
	<aviadye@mellanox.com>, <thomas@monjalon.net>, <sandeep.malik@nxp.com>,
	<jerin.jacob@caviumnetworks.com>
Date: Thu, 14 Sep 2017 13:56:47 +0530
Message-ID: <20170914082651.26232-8-akhil.goyal@nxp.com>
In-Reply-To: <20170914082651.26232-1-akhil.goyal@nxp.com>
References: <20170914082651.26232-1-akhil.goyal@nxp.com>
MIME-Version: 1.0
Content-Type: text/plain
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Sep 2017 08:29:36.6381
	(UTC)
X-MS-Exchange-CrossTenant-Id: 5afe0b00-7697-4969-b663-5eab37d5f47e
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5afe0b00-7697-4969-b663-5eab37d5f47e;
	Ip=[192.88.168.50]; 
	Helo=[tx30smr01.am.freescale.net]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN2PR03MB2365
Subject: [dpdk-dev] [PATCH 07/11] ethdev: add rte flow action for crypto
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
	<mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
	<mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK
ci/Intel-compilation	success	Compilation OK

Commit Message

Akhil Goyal Sept. 14, 2017, 8:26 a.m. UTC

  From: Boris Pismenny <borisp@mellanox.com>

The crypto action is specified by an application to request
crypto offload for a flow.

Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
---
 lib/librte_ether/rte_flow.h | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

Comments

Jerin Jacob Sept. 21, 2017, 9:16 a.m. UTC | #1

-----Original Message-----
> Date: Thu, 14 Sep 2017 13:56:47 +0530
> From: Akhil Goyal <akhil.goyal@nxp.com>
> To: dev@dpdk.org
> CC: declan.doherty@intel.com, pablo.de.lara.guarch@intel.com,
>  hemant.agrawal@nxp.com, radu.nicolau@intel.com, borisp@mellanox.com,
>  aviadye@mellanox.com, thomas@monjalon.net, sandeep.malik@nxp.com,
>  jerin.jacob@caviumnetworks.com
> Subject: [PATCH 07/11] ethdev: add rte flow action for crypto
> X-Mailer: git-send-email 2.9.3
> 
> From: Boris Pismenny <borisp@mellanox.com>

Hi Boris,

> 
> The crypto action is specified by an application to request
> crypto offload for a flow.
> 
> Signed-off-by: Boris Pismenny <borisp@mellanox.com>
> Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> ---
>  lib/librte_ether/rte_flow.h | 30 ++++++++++++++++++++++++++++++
>  1 file changed, 30 insertions(+)
> 
> diff --git a/lib/librte_ether/rte_flow.h b/lib/librte_ether/rte_flow.h
> index ea08af6..dce92ca 100644
> --- a/lib/librte_ether/rte_flow.h
> +++ b/lib/librte_ether/rte_flow.h
> @@ -941,6 +941,13 @@ enum rte_flow_action_type {
>  	 * See struct rte_flow_action_vf.
>  	 */
>  	RTE_FLOW_ACTION_TYPE_VF,
> +	/**
> +	 * Redirects packets to security engine of current device for security
> +	 * processing as specified by security session.
> +	 *
> +	 * See struct rte_flow_action_security.
> +	 */
> +	RTE_FLOW_ACTION_TYPE_SECURITY
>  };
>  
>  /**
> @@ -1034,6 +1041,29 @@ struct rte_flow_action_vf {
>  };
>  
>  /**
> + * RTE_FLOW_ACTION_TYPE_SECURITY
> + *
> + * Perform security action on define flow as specified by security session.
> + * The security session specified in the action must be created on the same port
> + * as the flow action that is being specified.
> + *
> + * The ingress/egress flow attribute should match that specified in the

We do HW CAMs at ingress side to specify the action like
RTE_FLOW_ACTION_TYPE_SECURITY. But, egress side there is NO for HW CAM
for RTE_FLOW_ACTION_TYPE_SECURITY(meaning flow to SA lookup). If I
understand it correctly, Intel has the similar situation and that is the
reason for adding rte_security_set_pkt_metadata() to fix up something in
outbound or inbound. Is it a correct interpretation?

Something like below in ipsec-gw application for
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL outbound case.

296,6 +296,11 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct
ipsec_ctx *ipsec_ctx,
                       }
                        break;
                case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:
+                       /* Some ports require SA for inline IPsec */
+                       if (sa->port_needs_md)
+                               rte_security_set_pkt_metadata(
+                                       sa->port_md_uid,
+                                       sa->sec_session, pkts[i], sa);
                        break;




> + * security session if the security session supports the definition of the
> + * direction.
> + *
> + * Multiple flows can be configured to use the same security session. For
> + * example if the security session specifies an egress IPsec SA, then multiple
> + * flows can be specified to that SA. In the case of an ingress IPsec SA then
> + * it is only valid to have a single flow to map to that security session.
> + *
> + *
> + * Non-terminating by default.
> + */
> +struct rte_flow_action_security {
> +	void *security_session; /**< Pointer to security session structure. */
> +};
> +
> +/**
>   * Definition of a single action.
>   *
>   * A list of actions is terminated by a END action.
> -- 
> 2.9.3
>

Boris Pismenny Sept. 21, 2017, 4:53 p.m. UTC | #2

Hi Jern,

> -----Original Message-----
> From: Jerin Jacob [mailto:jerin.jacob@caviumnetworks.com]
> Sent: Thursday, September 21, 2017 12:16
> To: Akhil Goyal <akhil.goyal@nxp.com>
> Cc: dev@dpdk.org; declan.doherty@intel.com;
> pablo.de.lara.guarch@intel.com; hemant.agrawal@nxp.com;
> radu.nicolau@intel.com; Boris Pismenny <borisp@mellanox.com>; Aviad
> Yehezkel <aviadye@mellanox.com>; Thomas Monjalon
> <thomas@monjalon.net>; sandeep.malik@nxp.com
> Subject: Re: [PATCH 07/11] ethdev: add rte flow action for crypto
> 
> -----Original Message-----
> > Date: Thu, 14 Sep 2017 13:56:47 +0530
> > From: Akhil Goyal <akhil.goyal@nxp.com>
> > To: dev@dpdk.org
> > CC: declan.doherty@intel.com, pablo.de.lara.guarch@intel.com,
> > hemant.agrawal@nxp.com, radu.nicolau@intel.com,
> borisp@mellanox.com,
> > aviadye@mellanox.com, thomas@monjalon.net,
> sandeep.malik@nxp.com,
> > jerin.jacob@caviumnetworks.com
> > Subject: [PATCH 07/11] ethdev: add rte flow action for crypto
> > X-Mailer: git-send-email 2.9.3
> >
> > From: Boris Pismenny <borisp@mellanox.com>
> 
> Hi Boris,
> 
> >
> > The crypto action is specified by an application to request crypto
> > offload for a flow.
> >
> > Signed-off-by: Boris Pismenny <borisp@mellanox.com>
> > Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
> > ---
> >  lib/librte_ether/rte_flow.h | 30 ++++++++++++++++++++++++++++++
> >  1 file changed, 30 insertions(+)
> >
> > diff --git a/lib/librte_ether/rte_flow.h b/lib/librte_ether/rte_flow.h
> > index ea08af6..dce92ca 100644
> > --- a/lib/librte_ether/rte_flow.h
> > +++ b/lib/librte_ether/rte_flow.h
> > @@ -941,6 +941,13 @@ enum rte_flow_action_type {
> >  	 * See struct rte_flow_action_vf.
> >  	 */
> >  	RTE_FLOW_ACTION_TYPE_VF,
> > +	/**
> > +	 * Redirects packets to security engine of current device for security
> > +	 * processing as specified by security session.
> > +	 *
> > +	 * See struct rte_flow_action_security.
> > +	 */
> > +	RTE_FLOW_ACTION_TYPE_SECURITY
> >  };
> >
> >  /**
> > @@ -1034,6 +1041,29 @@ struct rte_flow_action_vf {  };
> >
> >  /**
> > + * RTE_FLOW_ACTION_TYPE_SECURITY
> > + *
> > + * Perform security action on define flow as specified by security session.
> > + * The security session specified in the action must be created on
> > + the same port
> > + * as the flow action that is being specified.
> > + *
> > + * The ingress/egress flow attribute should match that specified in
> > + the
> 
> We do HW CAMs at ingress side to specify the action like
> RTE_FLOW_ACTION_TYPE_SECURITY. But, egress side there is NO for HW
> CAM for RTE_FLOW_ACTION_TYPE_SECURITY(meaning flow to SA lookup). If
> I understand it correctly, Intel has the similar situation and that is the reason
> for adding rte_security_set_pkt_metadata() to fix up something in outbound
> or inbound. Is it a correct interpretation?

Yes, that's correct. 

Please note that rte_flow is only the control path. It is called once per SA for setting
up offload. The data-path uses the security flags at mbuf->ol_flags and the metadata
that's required for some devices.

> 
> Something like below in ipsec-gw application for
> RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL outbound case.
> 
> 296,6 +296,11 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct
> ipsec_ctx *ipsec_ctx,
>                        }
>                         break;
>                 case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:
> +                       /* Some ports require SA for inline IPsec */
> +                       if (sa->port_needs_md)
> +                               rte_security_set_pkt_metadata(
> +                                       sa->port_md_uid,
> +                                       sa->sec_session, pkts[i], sa);
>                         break;
> 
> 
> 
> 
> > + * security session if the security session supports the definition
> > +of the
> > + * direction.
> > + *
> > + * Multiple flows can be configured to use the same security session.
> > +For
> > + * example if the security session specifies an egress IPsec SA, then
> > +multiple
> > + * flows can be specified to that SA. In the case of an ingress IPsec
> > +SA then
> > + * it is only valid to have a single flow to map to that security session.
> > + *
> > + *
> > + * Non-terminating by default.
> > + */
> > +struct rte_flow_action_security {
> > +	void *security_session; /**< Pointer to security session structure.
> > +*/ };
> > +
> > +/**
> >   * Definition of a single action.
> >   *
> >   * A list of actions is terminated by a END action.
> > --
> > 2.9.3
> >

diff mbox

Patch

diff --git a/lib/librte_ether/rte_flow.h b/lib/librte_ether/rte_flow.h
index ea08af6..dce92ca 100644
--- a/lib/librte_ether/rte_flow.h
+++ b/lib/librte_ether/rte_flow.h
@@ -941,6 +941,13 @@  enum rte_flow_action_type {
 	 * See struct rte_flow_action_vf.
 	 */
 	RTE_FLOW_ACTION_TYPE_VF,
+	/**
+	 * Redirects packets to security engine of current device for security
+	 * processing as specified by security session.
+	 *
+	 * See struct rte_flow_action_security.
+	 */
+	RTE_FLOW_ACTION_TYPE_SECURITY
 };
 
 /**
@@ -1034,6 +1041,29 @@  struct rte_flow_action_vf {
 };
 
 /**
+ * RTE_FLOW_ACTION_TYPE_SECURITY
+ *
+ * Perform security action on define flow as specified by security session.
+ * The security session specified in the action must be created on the same port
+ * as the flow action that is being specified.
+ *
+ * The ingress/egress flow attribute should match that specified in the
+ * security session if the security session supports the definition of the
+ * direction.
+ *
+ * Multiple flows can be configured to use the same security session. For
+ * example if the security session specifies an egress IPsec SA, then multiple
+ * flows can be specified to that SA. In the case of an ingress IPsec SA then
+ * it is only valid to have a single flow to map to that security session.
+ *
+ *
+ * Non-terminating by default.
+ */
+struct rte_flow_action_security {
+	void *security_session; /**< Pointer to security session structure. */
+};
+
+/**
  * Definition of a single action.
  *
  * A list of actions is terminated by a END action.