@@ -10,6 +10,7 @@
#include <rte_crypto.h>
#include <rte_security.h>
#include <rte_cryptodev.h>
+#include <rte_ipsec.h>
#include <rte_ethdev.h>
#include <rte_mbuf.h>
#include <rte_hash.h>
@@ -51,6 +52,19 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
}
+static int32_t
+compute_cipher_offset(struct ipsec_sa *sa)
+{
+ int32_t offset;
+
+ if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM)
+ return 0;
+
+ offset = (sa->iv_len + sizeof(struct rte_esp_hdr));
+
+ return offset;
+}
+
int
create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
{
@@ -117,6 +131,25 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
"SEC Session init failed: err: %d\n", ret);
return -1;
}
+ } else if (sa->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
+ struct rte_security_ctx *ctx =
+ (struct rte_security_ctx *)
+ rte_cryptodev_get_sec_ctx(
+ ipsec_ctx->tbl[cdev_id_qp].id);
+
+ /* Set IPsec parameters in conf */
+ sess_conf.cpucrypto.cipher_offset =
+ compute_cipher_offset(sa);
+
+ set_ipsec_conf(sa, &(sess_conf.ipsec));
+ sa->security_ctx = ctx;
+ sa->sec_session = rte_security_session_create(ctx,
+ &sess_conf, ipsec_ctx->session_priv_pool);
+ if (sa->sec_session == NULL) {
+ RTE_LOG(ERR, IPSEC,
+ "SEC Session init failed: err: %d\n", ret);
+ return -1;
+ }
} else {
RTE_LOG(ERR, IPSEC, "Inline not supported\n");
return -1;
@@ -512,6 +545,8 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
sa->security_ctx,
sa->sec_session, pkts[i], NULL);
continue;
+ default:
+ continue;
}
RTE_ASSERT(sa->cdev_id_qp < ipsec_ctx->nb_qps);
@@ -101,7 +101,8 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct ipsec_ctx *ctx,
}
ss->crypto.ses = sa->crypto_session;
/* setup session action type */
- } else if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
+ } else if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL ||
+ sa->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
if (sa->sec_session == NULL) {
rc = create_lookaside_session(ctx, sa);
if (rc != 0)
@@ -227,8 +228,8 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
/* process packets inline */
else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
- sa->type ==
- RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
+ sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
+ sa->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
satp = rte_ipsec_sa_type(ips->sa);
@@ -570,6 +570,9 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
else if (strcmp(tokens[ti], "no-offload") == 0)
rule->type = RTE_SECURITY_ACTION_TYPE_NONE;
+ else if (strcmp(tokens[ti], "cpu-crypto") == 0)
+ rule->type =
+ RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO;
else {
APP_CHECK(0, status, "Invalid input \"%s\"",
tokens[ti]);
@@ -624,10 +627,13 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
if (status->status < 0)
return;
- if ((rule->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0))
+ if ((rule->type != RTE_SECURITY_ACTION_TYPE_NONE && rule->type !=
+ RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) &&
+ (portid_p == 0))
printf("Missing portid option, falling back to non-offload\n");
- if (!type_p || !portid_p) {
+ if (!type_p || (!portid_p && rule->type !=
+ RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)) {
rule->type = RTE_SECURITY_ACTION_TYPE_NONE;
rule->portid = -1;
}
@@ -709,6 +715,9 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)
case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:
printf("lookaside-protocol-offload ");
break;
+ case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+ printf("cpu-crypto-accelerated");
+ break;
}
printf("\n");
}
@@ -32,15 +32,21 @@ usage()
}
LINUX_TEST="tun_aescbc_sha1 \
+tun_aescbc_sha1_cpu_crypto \
tun_aescbc_sha1_esn \
tun_aescbc_sha1_esn_atom \
tun_aesgcm \
+tun_aesgcm_cpu_crypto \
+tun_aesgcm_mb_cpu_crypto \
tun_aesgcm_esn \
tun_aesgcm_esn_atom \
trs_aescbc_sha1 \
+trs_aescbc_sha1_cpu_crypto \
trs_aescbc_sha1_esn \
trs_aescbc_sha1_esn_atom \
trs_aesgcm \
+trs_aesgcm_cpu_crypto \
+trs_aesgcm_mb_cpu_crypto \
trs_aesgcm_esn \
trs_aesgcm_esn_atom \
tun_aescbc_sha1_old \
@@ -49,17 +55,21 @@ trs_aescbc_sha1_old \
trs_aesgcm_old \
tun_aesctr_sha1 \
tun_aesctr_sha1_old \
+tun_aesctr_sha1_cpu_crypto \
tun_aesctr_sha1_esn \
tun_aesctr_sha1_esn_atom \
trs_aesctr_sha1 \
+trs_aesctr_sha1_cpu_crypto \
trs_aesctr_sha1_old \
trs_aesctr_sha1_esn \
trs_aesctr_sha1_esn_atom \
tun_3descbc_sha1 \
+tun_3descbc_sha1_cpu_crypto \
tun_3descbc_sha1_old \
tun_3descbc_sha1_esn \
tun_3descbc_sha1_esn_atom \
trs_3descbc_sha1 \
+trs_3descbc_sha1_cpu_crypto \
trs_3descbc_sha1_old \
trs_3descbc_sha1_esn \
trs_3descbc_sha1_esn_atom"
@@ -32,14 +32,14 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
sa in 9 cipher_algo 3des-cbc \
cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#SA out rules
sa out 7 cipher_algo 3des-cbc \
@@ -47,7 +47,7 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#SA out rules
sa out 9 cipher_algo 3des-cbc \
@@ -55,7 +55,7 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#Routing rules
rt ipv4 dst ${REMOTE_IPV4}/32 port 0
new file mode 100644
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_defs.sh
+
+SGW_CFG_XPRM='type cpu-crypto'
@@ -31,27 +31,27 @@ sa in 7 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
sa in 9 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#SA out rules
sa out 7 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#SA out rules
sa out 9 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#Routing rules
rt ipv4 dst ${REMOTE_IPV4}/32 port 0
new file mode 100644
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aescbc_sha1_defs.sh
+
+SGW_CFG_XPRM='type cpu-crypto'
@@ -31,27 +31,27 @@ sa in 7 cipher_algo aes-128-ctr \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
sa in 9 cipher_algo aes-128-ctr \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#SA out rules
sa out 7 cipher_algo aes-128-ctr \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#SA out rules
sa out 9 cipher_algo aes-128-ctr \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode transport
+mode transport ${SGW_CFG_XPRM}
#Routing rules
rt ipv4 dst ${REMOTE_IPV4}/32 port 0
new file mode 100644
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_defs.sh
+
+SGW_CFG_XPRM='type cpu-crypto'
new file mode 100644
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesgcm_defs.sh
+
+SGW_CFG_XPRM='type cpu-crypto'
new file mode 100644
@@ -0,0 +1,7 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesgcm_defs.sh
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+SGW_CFG_XPRM='type cpu-crypto'
@@ -32,14 +32,14 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM}
sa in 9 cipher_algo 3des-cbc \
cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM}
#SA out rules
sa out 7 cipher_algo 3des-cbc \
@@ -47,14 +47,14 @@ cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM}
sa out 9 cipher_algo 3des-cbc \
cipher_key \
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM}
#Routing rules
rt ipv4 dst ${REMOTE_IPV4}/32 port 0
new file mode 100644
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_defs.sh
+
+SGW_CFG_XPRM='type cpu-crypto'
@@ -31,26 +31,26 @@ sa in 7 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM}
sa in 9 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM}
#SA out rules
sa out 7 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM}
sa out 9 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM}
#Routing rules
rt ipv4 dst ${REMOTE_IPV4}/32 port 0
new file mode 100644
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aescbc_sha1_defs.sh
+
+SGW_CFG_XPRM='type cpu-crypto'
@@ -31,26 +31,26 @@ sa in 7 cipher_algo aes-128-ctr \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM}
sa in 9 cipher_algo aes-128-ctr \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM}
#SA out rules
sa out 7 cipher_algo aes-128-ctr \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM}
sa out 9 cipher_algo aes-128-ctr \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
-mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM}
#Routing rules
rt ipv4 dst ${REMOTE_IPV4}/32 port 0
new file mode 100644
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_defs.sh
+
+SGW_CFG_XPRM='type cpu-crypto'
new file mode 100644
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesgcm_defs.sh
+
+SGW_CFG_XPRM='type cpu-crypto'
new file mode 100644
@@ -0,0 +1,7 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesgcm_defs.sh
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+SGW_CFG_XPRM='type cpu-crypto'