@@ -348,6 +348,18 @@ Metadata with L2 (1W/4B)
The vlan[0] is the innermost VLAN
The vlan[1] is the QinQ info
+NFP_NET_META_IPSEC
+The IPsec type requires 4 bit.
+The SA index value is 32 bit which need 1 data field.
+::
+
+ ----------------------------------------------------------------
+ 3 2 1 0
+ 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | sa_idx |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
TX
~~
@@ -363,3 +375,22 @@ NFP_NET_META_VLAN
^ ^
NOTE: | TCI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+NFP_NET_META_IPSEC
+The IPsec type requires 12 bit, because it requires three data fields.
+::
+
+ ----------------------------------------------------------------
+ 3 2 1 0
+ 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | sa_idx |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | nfp_ipsec_force_seq_low |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | nfp_ipsec_force_seq_hi |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The sa_idx is 32 bit which need 1 data field.
+ The nfp_ipsec_force_seq_low & nfp_ipsec_force_seq_hi is Anti-re-anti-count,
+ which is 64 bit need two data fields.
@@ -147,10 +147,13 @@ nfp_net_nfd3_set_meta_data(struct nfp_net_meta_raw *meta_data,
char *meta;
uint8_t layer = 0;
uint32_t meta_info;
+ uint32_t cap_extend;
struct nfp_net_hw *hw;
uint8_t vlan_layer = 0;
+ uint8_t ipsec_layer = 0;
hw = txq->hw;
+ cap_extend = nn_cfg_readl(hw, NFP_NET_CFG_CAP_WORD1);
if ((pkt->ol_flags & RTE_MBUF_F_TX_VLAN) != 0 &&
(hw->ctrl & NFP_NET_CFG_CTRL_TXVLAN_V2) != 0) {
@@ -160,6 +163,18 @@ nfp_net_nfd3_set_meta_data(struct nfp_net_meta_raw *meta_data,
meta_data->header |= NFP_NET_META_VLAN;
}
+ if ((pkt->ol_flags & RTE_MBUF_F_TX_SEC_OFFLOAD) != 0 &&
+ (cap_extend & NFP_NET_CFG_CTRL_IPSEC) != 0) {
+ uint32_t ipsec_type = NFP_NET_META_IPSEC |
+ NFP_NET_META_IPSEC << NFP_NET_META_FIELD_SIZE |
+ NFP_NET_META_IPSEC << (2 * NFP_NET_META_FIELD_SIZE);
+ if (meta_data->length == 0)
+ meta_data->length = NFP_NET_META_FIELD_SIZE;
+ uint8_t ipsec_offset = meta_data->length - NFP_NET_META_FIELD_SIZE;
+ meta_data->header |= (ipsec_type << ipsec_offset);
+ meta_data->length += 3 * NFP_NET_META_FIELD_SIZE;
+ }
+
if (meta_data->length == 0)
return;
@@ -180,6 +195,15 @@ nfp_net_nfd3_set_meta_data(struct nfp_net_meta_raw *meta_data,
nfp_net_set_meta_vlan(meta_data, pkt, layer);
vlan_layer++;
break;
+ case NFP_NET_META_IPSEC:
+ if (ipsec_layer > 2) {
+ PMD_DRV_LOG(ERR, "At most 3 layers of ipsec is supported for now.");
+ return;
+ }
+
+ nfp_net_set_meta_ipsec(meta_data, txq, pkt, layer, ipsec_layer);
+ ipsec_layer++;
+ break;
default:
PMD_DRV_LOG(ERR, "The metadata type not supported");
return;
@@ -177,13 +177,16 @@ nfp_net_nfdk_set_meta_data(struct rte_mbuf *pkt,
char *meta;
uint8_t layer = 0;
uint32_t meta_type;
+ uint32_t cap_extend;
struct nfp_net_hw *hw;
uint32_t header_offset;
uint8_t vlan_layer = 0;
+ uint8_t ipsec_layer = 0;
struct nfp_net_meta_raw meta_data;
memset(&meta_data, 0, sizeof(meta_data));
hw = txq->hw;
+ cap_extend = nn_cfg_readl(hw, NFP_NET_CFG_CAP_WORD1);
if ((pkt->ol_flags & RTE_MBUF_F_TX_VLAN) != 0 &&
(hw->ctrl & NFP_NET_CFG_CTRL_TXVLAN_V2) != 0) {
@@ -193,6 +196,18 @@ nfp_net_nfdk_set_meta_data(struct rte_mbuf *pkt,
meta_data.header |= NFP_NET_META_VLAN;
}
+ if ((pkt->ol_flags & RTE_MBUF_F_TX_SEC_OFFLOAD) != 0 &&
+ (cap_extend & NFP_NET_CFG_CTRL_IPSEC) != 0) {
+ uint32_t ipsec_type = NFP_NET_META_IPSEC |
+ NFP_NET_META_IPSEC << NFP_NET_META_FIELD_SIZE |
+ NFP_NET_META_IPSEC << (2 * NFP_NET_META_FIELD_SIZE);
+ if (meta_data.length == 0)
+ meta_data.length = NFP_NET_META_FIELD_SIZE;
+ uint8_t ipsec_offset = meta_data.length - NFP_NET_META_FIELD_SIZE;
+ meta_data.header |= (ipsec_type << ipsec_offset);
+ meta_data.length += 3 * NFP_NET_META_FIELD_SIZE;
+ }
+
if (meta_data.length == 0)
return;
@@ -215,6 +230,15 @@ nfp_net_nfdk_set_meta_data(struct rte_mbuf *pkt,
nfp_net_set_meta_vlan(&meta_data, pkt, layer);
vlan_layer++;
break;
+ case NFP_NET_META_IPSEC:
+ if (ipsec_layer > 2) {
+ PMD_DRV_LOG(ERR, "At most 3 layers of ipsec is supported for now.");
+ return;
+ }
+
+ nfp_net_set_meta_ipsec(&meta_data, txq, pkt, layer, ipsec_layer);
+ ipsec_layer++;
+ break;
default:
PMD_DRV_LOG(ERR, "The metadata type not supported");
return;
@@ -39,6 +39,7 @@
#define NFP_NET_META_HASH 1 /* next field carries hash type */
#define NFP_NET_META_VLAN 4
#define NFP_NET_META_PORTID 5
+#define NFP_NET_META_IPSEC 9
#define NFP_META_PORT_ID_CTRL ~0U
@@ -1161,6 +1161,47 @@ nfp_crypto_update_session(void *device __rte_unused,
return 0;
}
+static int
+nfp_security_set_pkt_metadata(void *device,
+ struct rte_security_session *session,
+ struct rte_mbuf *m,
+ void *params)
+{
+ int offset;
+ uint64_t *sqn;
+ struct nfp_net_hw *hw;
+ struct rte_eth_dev *eth_dev;
+ struct nfp_ipsec_session *priv_session;
+
+ sqn = params;
+ eth_dev = device;
+ priv_session = SECURITY_GET_SESS_PRIV(session);
+ hw = NFP_NET_DEV_PRIVATE_TO_HW(eth_dev->data->dev_private);
+
+ if (priv_session->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+ struct nfp_tx_ipsec_desc_msg *desc_md;
+
+ offset = hw->ipsec_data->pkt_dynfield_offset;
+ desc_md = RTE_MBUF_DYNFIELD(m, offset, struct nfp_tx_ipsec_desc_msg *);
+
+ if (priv_session->msg.ctrl_word.ext_seq != 0 && sqn != NULL) {
+ desc_md->esn.low = rte_cpu_to_be_32(*sqn);
+ desc_md->esn.hi = rte_cpu_to_be_32(*sqn >> 32);
+ } else if (priv_session->msg.ctrl_word.ext_seq != 0) {
+ desc_md->esn.low = rte_cpu_to_be_32(priv_session->ipsec.esn.low);
+ desc_md->esn.hi = rte_cpu_to_be_32(priv_session->ipsec.esn.hi);
+ } else {
+ desc_md->esn.low = rte_cpu_to_be_32(priv_session->ipsec.esn.value);
+ desc_md->esn.hi = 0;
+ }
+
+ desc_md->enc = 1;
+ desc_md->sa_idx = rte_cpu_to_be_32(priv_session->sa_index);
+ }
+
+ return 0;
+}
+
/**
* Get discards packet statistics for each SA
*
@@ -1255,6 +1296,7 @@ static const struct rte_security_ops nfp_security_ops = {
.session_update = nfp_crypto_update_session,
.session_get_size = nfp_security_session_get_size,
.session_stats_get = nfp_security_session_get_stats,
+ .set_pkt_metadata = nfp_security_set_pkt_metadata,
.capabilities_get = nfp_crypto_capabilities_get,
};
@@ -163,6 +163,12 @@ struct nfp_net_ipsec_data {
struct nfp_ipsec_session *sa_entries[NFP_NET_IPSEC_MAX_SA_CNT];
};
+enum nfp_ipsec_meta_layer {
+ NFP_IPSEC_META_SAIDX, /**< Order of SA index in metadata */
+ NFP_IPSEC_META_SEQLOW, /**< Order of Sequence Number (low 32bits) in metadata */
+ NFP_IPSEC_META_SEQHI, /**< Order of Sequence Number (high 32bits) in metadata */
+};
+
int nfp_ipsec_init(struct rte_eth_dev *dev);
void nfp_ipsec_uninit(struct rte_eth_dev *dev);
@@ -8,11 +8,13 @@
#include "nfp_rxtx.h"
#include <ethdev_pci.h>
+#include <rte_security.h>
#include "nfd3/nfp_nfd3.h"
#include "nfdk/nfp_nfdk.h"
#include "flower/nfp_flower.h"
+#include "nfp_ipsec.h"
#include "nfp_logs.h"
/* Maximum number of supported VLANs in parsed form packet metadata. */
@@ -25,8 +27,10 @@
* read-only after it have been recorded during parsing by nfp_net_parse_meta().
*
* @port_id: Port id value
+ * @sa_idx: IPsec SA index
* @hash: RSS hash value
* @hash_type: RSS hash type
+ * @ipsec_type: IPsec type
* @vlan_layer: The layers of VLAN info which are passed from nic.
* Only this number of entries of the @vlan array are valid.
*
@@ -44,8 +48,10 @@
*/
struct nfp_meta_parsed {
uint32_t port_id;
+ uint32_t sa_idx;
uint32_t hash;
uint8_t hash_type;
+ uint8_t ipsec_type;
uint8_t vlan_layer;
struct {
uint8_t offload;
@@ -304,6 +310,10 @@ nfp_net_parse_chained_meta(uint8_t *meta_base,
meta->vlan[meta->vlan_layer].tpid = NFP_NET_META_TPID(vlan_info);
++meta->vlan_layer;
break;
+ case NFP_NET_META_IPSEC:
+ meta->sa_idx = rte_be_to_cpu_32(*(rte_be32_t *)meta_offset);
+ meta->ipsec_type = meta_info & NFP_NET_META_FIELD_MASK;
+ break;
default:
/* Unsupported metadata can be a performance issue */
return false;
@@ -429,6 +439,39 @@ nfp_net_parse_meta_qinq(const struct nfp_meta_parsed *meta,
mb->ol_flags |= RTE_MBUF_F_RX_QINQ | RTE_MBUF_F_RX_QINQ_STRIPPED;
}
+/*
+ * Set mbuf IPsec Offload features based on metadata info.
+ *
+ * The IPsec Offload features is prepended to the mbuf ol_flags.
+ * Extract and decode metadata info and set the mbuf ol_flags.
+ */
+static void
+nfp_net_parse_meta_ipsec(struct nfp_meta_parsed *meta,
+ struct nfp_net_rxq *rxq,
+ struct rte_mbuf *mbuf)
+{
+ int offset;
+ uint32_t sa_idx;
+ struct nfp_net_hw *hw;
+ struct nfp_tx_ipsec_desc_msg *desc_md;
+
+ hw = rxq->hw;
+ sa_idx = meta->sa_idx;
+
+ if (meta->ipsec_type != NFP_NET_META_IPSEC)
+ return;
+
+ if (sa_idx >= NFP_NET_IPSEC_MAX_SA_CNT) {
+ mbuf->ol_flags |= RTE_MBUF_F_RX_SEC_OFFLOAD_FAILED;
+ } else {
+ mbuf->ol_flags |= RTE_MBUF_F_RX_SEC_OFFLOAD;
+ offset = hw->ipsec_data->pkt_dynfield_offset;
+ desc_md = RTE_MBUF_DYNFIELD(mbuf, offset, struct nfp_tx_ipsec_desc_msg *);
+ desc_md->sa_idx = sa_idx;
+ desc_md->enc = 0;
+ }
+}
+
/* nfp_net_parse_meta() - Parse the metadata from packet */
static void
nfp_net_parse_meta(struct nfp_net_rx_desc *rxds,
@@ -453,6 +496,7 @@ nfp_net_parse_meta(struct nfp_net_rx_desc *rxds,
nfp_net_parse_meta_hash(meta, rxq, mb);
nfp_net_parse_meta_vlan(meta, rxds, rxq, mb);
nfp_net_parse_meta_qinq(meta, rxq, mb);
+ nfp_net_parse_meta_ipsec(meta, rxq, mb);
} else {
PMD_RX_LOG(DEBUG, "RX chained metadata format is wrong!");
}
@@ -1035,6 +1079,36 @@ nfp_net_set_meta_vlan(struct nfp_net_meta_raw *meta_data,
meta_data->data[layer] = rte_cpu_to_be_32(tpid << 16 | vlan_tci);
}
+void
+nfp_net_set_meta_ipsec(struct nfp_net_meta_raw *meta_data,
+ struct nfp_net_txq *txq,
+ struct rte_mbuf *pkt,
+ uint8_t layer,
+ uint8_t ipsec_layer)
+{
+ int offset;
+ struct nfp_net_hw *hw;
+ struct nfp_tx_ipsec_desc_msg *desc_md;
+
+ hw = txq->hw;
+ offset = hw->ipsec_data->pkt_dynfield_offset;
+ desc_md = RTE_MBUF_DYNFIELD(pkt, offset, struct nfp_tx_ipsec_desc_msg *);
+
+ switch (ipsec_layer) {
+ case NFP_IPSEC_META_SAIDX:
+ meta_data->data[layer] = desc_md->sa_idx;
+ break;
+ case NFP_IPSEC_META_SEQLOW:
+ meta_data->data[layer] = desc_md->esn.low;
+ break;
+ case NFP_IPSEC_META_SEQHI:
+ meta_data->data[layer] = desc_md->esn.hi;
+ break;
+ default:
+ break;
+ }
+}
+
int
nfp_net_tx_queue_setup(struct rte_eth_dev *dev,
uint16_t queue_idx,
@@ -257,5 +257,10 @@ int nfp_net_tx_free_bufs(struct nfp_net_txq *txq);
void nfp_net_set_meta_vlan(struct nfp_net_meta_raw *meta_data,
struct rte_mbuf *pkt,
uint8_t layer);
+void nfp_net_set_meta_ipsec(struct nfp_net_meta_raw *meta_data,
+ struct nfp_net_txq *txq,
+ struct rte_mbuf *pkt,
+ uint8_t layer,
+ uint8_t ipsec_layer);
#endif /* _NFP_RXTX_H_ */