ipsec: use sym_session_opaque_data for RTE_SECURITY_TYPE_CPU_CRYPTO

Message ID 20230925201128.861-1-gazmarsh@meaningfulname.net (mailing list archive)
State Rejected, archived
Delegated to: akhil goyal
Series ipsec: use sym_session_opaque_data for RTE_SECURITY_TYPE_CPU_CRYPTO

Checks

Context Check Description
ci/checkpatch success coding style OK
ci/loongarch-compilation success Compilation OK
ci/loongarch-unit-testing success Unit Testing PASS
ci/iol-broadcom-Performance success Performance Testing PASS
ci/iol-mellanox-Performance success Performance Testing PASS
ci/iol-broadcom-Functional success Functional Testing PASS
ci/iol-unit-arm64-testing success Testing PASS
ci/iol-compile-amd64-testing success Testing PASS
ci/github-robot: build success github build: passed
ci/iol-sample-apps-testing success Testing PASS
ci/iol-unit-amd64-testing success Testing PASS
ci/iol-compile-arm64-testing success Testing PASS
ci/iol-intel-Performance success Performance Testing PASS
ci/iol-intel-Functional success Functional Testing PASS
ci/Intel-compilation success Compilation OK
ci/intel-Testing success Testing PASS
ci/intel-Functional success Functional PASS

Commit Message

Garry Marshall Sept. 25, 2023, 8:11 p.m. UTC
  ipsec related processing in dpdk makes use of the crypto.ses opaque
data pointer.  This patch updates rte_ipsec_session_prepare to set
ss->crypto.ses in the RTE_SECURITY_TYPE_CPU_CRYPTO case.

Signed-off-by: Garry Marshall <gazmarsh@meaningfulname.net>
---
 lib/ipsec/ses.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
  

Comments

Akhil Goyal Oct. 30, 2023, 7:22 a.m. UTC | #1
> ipsec related processing in dpdk makes use of the crypto.ses opaque
> data pointer.  This patch updates rte_ipsec_session_prepare to set
> ss->crypto.ses in the RTE_SECURITY_TYPE_CPU_CRYPTO case.
> 
> Signed-off-by: Garry Marshall <gazmarsh@meaningfulname.net>
> ---

Konstantin/ Kai,

Is the below change ok for CPU crypto usecase? Please review and give ack.

Regards,
Akhil

>  lib/ipsec/ses.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/ipsec/ses.c b/lib/ipsec/ses.c
> index d9ab1e6d2b..29eb5ff6ca 100644
> --- a/lib/ipsec/ses.c
> +++ b/lib/ipsec/ses.c
> @@ -44,7 +44,8 @@ rte_ipsec_session_prepare(struct rte_ipsec_session *ss)
> 
>  	ss->pkt_func = fp;
> 
> -	if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE)
> +	if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||
> +		ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)
>  		rte_cryptodev_sym_session_opaque_data_set(ss->crypto.ses,
>  			(uintptr_t)ss);
>  	else
> --
> 2.39.2
  
Konstantin Ananyev Oct. 31, 2023, 1:08 a.m. UTC | #2
>
> 
> ipsec related processing in dpdk makes use of the crypto.ses opaque
> data pointer.  This patch updates rte_ipsec_session_prepare to set
> ss->crypto.ses in the RTE_SECURITY_TYPE_CPU_CRYPTO case.


Hmm.. not sure why we need to do that for CPU_CRYPTO?
As I remember CPU_CRYPTO is synchronous operation and before calling
rte_ipsec_pkt_cpu_prepare() should already know ipsec session these
packets belong to.
Can you probably explain the logic behind this patch a bit more?
Konstantin

> 
> Signed-off-by: Garry Marshall <gazmarsh@meaningfulname.net>
> ---
>  lib/ipsec/ses.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/ipsec/ses.c b/lib/ipsec/ses.c
> index d9ab1e6d2b..29eb5ff6ca 100644
> --- a/lib/ipsec/ses.c
> +++ b/lib/ipsec/ses.c
> @@ -44,7 +44,8 @@ rte_ipsec_session_prepare(struct rte_ipsec_session *ss)
>  
>  	ss->pkt_func = fp;
>  
> -	if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE)
> +	if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||
> +		ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)
>  		rte_cryptodev_sym_session_opaque_data_set(ss->crypto.ses,
>  			(uintptr_t)ss);
>  	else
> -- 
> 2.39.2
  
Garry Marshall Oct. 31, 2023, 9:36 a.m. UTC | #3
Hi Konstantin, Akhil,

The patch is based on an issue I encountered when using the CPU_CRYPTO
support - I was having problems where the ipsec session lookup was
failing / was inconsistent.

Examining the code in DPDK and looking for the use of
RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO I could see a reasonably
consistent pattern where if TYPE_NONE or TYPE_CPU_CRYPTO was set -
then the code was making use of ss->crypto.ses instead of
ss->security.ses.

For example - see examples/ipsec-secgw.c where the one_session_free
function has the following code:

    if (ips->type == RTE_SECURITY_ACTION_TYPE_NONE ||
        ips->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
        /* Session has not been created */
        if (ips->crypto.ses == NULL)
            return 0;

        ret = rte_cryptodev_sym_session_free(ips->crypto.dev_id,
                ips->crypto.ses);
    } else {
        /* Session has not been created */
        if (ips->security.ctx == NULL || ips->security.ses == NULL)
            return 0;

        ret = rte_security_session_destroy(ips->security.ctx,
                           ips->security.ses);
    }

And similarly - if we look at the session_check function in lib/ipsec/ses.c:

    if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||
        ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
        if (ss->crypto.ses == NULL)
            return -EINVAL;
    } else {
        if (ss->security.ses == NULL)
            return -EINVAL;
        if ((ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
                ss->type ==
                RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) &&
                ss->security.ctx == NULL)
            return -EINVAL;
    }

Without the patch in rte_ipsec_session_prepare - for the
RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO type, then ss->crypto.ses will not
be set.

Regards,

Garry.


On Tue, Oct 31, 2023 at 1:09 AM Konstantin Ananyev
<konstantin.v.ananyev@yandex.ru> wrote:
>
> >
> >
> > ipsec related processing in dpdk makes use of the crypto.ses opaque
> > data pointer.  This patch updates rte_ipsec_session_prepare to set
> > ss->crypto.ses in the RTE_SECURITY_TYPE_CPU_CRYPTO case.
>
>
> Hmm.. not sure why we need to do that for CPU_CRYPTO?
> As I remember CPU_CRYPTO is synchronous operation and before calling
> rte_ipsec_pkt_cpu_prepare() should already know ipsec session these
> packets belong to.
> Can you probably explain the logic behind this patch a bit more?
> Konstantin
>
> >
> > Signed-off-by: Garry Marshall <gazmarsh@meaningfulname.net>
> > ---
> >  lib/ipsec/ses.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/lib/ipsec/ses.c b/lib/ipsec/ses.c
> > index d9ab1e6d2b..29eb5ff6ca 100644
> > --- a/lib/ipsec/ses.c
> > +++ b/lib/ipsec/ses.c
> > @@ -44,7 +44,8 @@ rte_ipsec_session_prepare(struct rte_ipsec_session *ss)
> >
> >       ss->pkt_func = fp;
> >
> > -     if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE)
> > +     if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||
> > +             ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)
> >               rte_cryptodev_sym_session_opaque_data_set(ss->crypto.ses,
> >                       (uintptr_t)ss);
> >       else
> > --
> > 2.39.2
  
Konstantin Ananyev Oct. 31, 2023, 5:53 p.m. UTC | #4
Hi Garry,

> Hi Konstantin, Akhil,
> 
> The patch is based on an issue I encountered when using the CPU_CRYPTO
> support - I was having problems where the ipsec session lookup was
> failing / was inconsistent.
> 
> Examining the code in DPDK and looking for the use of
> RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO I could see a reasonably
> consistent pattern where if TYPE_NONE or TYPE_CPU_CRYPTO was set -
> then the code was making use of ss->crypto.ses instead of
> ss->security.ses.
> 
> For example - see examples/ipsec-secgw.c where the one_session_free
> function has the following code:
> 
>     if (ips->type == RTE_SECURITY_ACTION_TYPE_NONE ||
>         ips->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
>         /* Session has not been created */
>         if (ips->crypto.ses == NULL)
>             return 0;
> 
>         ret = rte_cryptodev_sym_session_free(ips->crypto.dev_id,
>                 ips->crypto.ses);
>     } else {
>         /* Session has not been created */
>         if (ips->security.ctx == NULL || ips->security.ses == NULL)
>             return 0;
> 
>         ret = rte_security_session_destroy(ips->security.ctx,
>                            ips->security.ses);
>     }
> 
> And similarly - if we look at the session_check function in lib/ipsec/ses.c:
> 
>     if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||
>         ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
>         if (ss->crypto.ses == NULL)
>             return -EINVAL;
>     } else {
>         if (ss->security.ses == NULL)
>             return -EINVAL;
>         if ((ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
>                 ss->type ==
>                 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) &&
>                 ss->security.ctx == NULL)
>             return -EINVAL;
>     }

Thanks for explanation.
Yes, I agree that TYPE_NONE and TYPE_CPU_CRYPTO both use crypto session
to keep/propagate crypto related parameters.
What is not clear to me why for  and TYPE_CPU_CRYPTO we need to store
pointer to rte_ipsec_session as opaque user data for crypto session.
As I remember, for lookaside crypto we need to do that to extract
related rte_ipsec_session pointer from crypto_op, after lookaside crypto device
finished the processing and sending sym-ops back to user.
But for CPU_CRYPTO it is not necessary, as all processing is synchronous and
user already has a pointer for related rte_ipsec_session.
We probably still can, but what is the benefit, who will use it?

Actually looking at the rte_ipsec_session_prepare() once again,
you are probably right - it is a bug here, as we shouldn’t call rte_security_session_opaque_data_set()
for TYPE_CPU_CRYPTO.
So shouldn't it be like that:

        ss->pkt_func = fp;

        if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE)
                rte_cryptodev_sym_session_opaque_data_set(ss->crypto.ses,
                        (uintptr_t)ss);
-       else
+      else if (ss->type != RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)
                rte_security_session_opaque_data_set(ss->security.ses, (uintptr_t)ss);
 
> Without the patch in rte_ipsec_session_prepare - for the
> RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO type, then ss->crypto.ses will not
> be set.

Hmm... not clear why?
AFAIK, ss->crypto.ses is supposed to be set by user *before* calling rte_ipsec_session_prepare().
From lib/ipsec/rte_ipsec.h:
/**
 * Checks that inside given rte_ipsec_session crypto/security fields
 * are filled correctly and setups function pointers based on these values.
 * Expects that all fields except IPsec processing function pointers
 * (*pkt_func*) will be filled correctly by caller.
 * @param ss
 *   Pointer to the *rte_ipsec_session* object
 * @return
 *   - Zero if operation completed successfully.
 *   - -EINVAL if the parameters are invalid.
 */
int
rte_ipsec_session_prepare(struct rte_ipsec_session *ss);

> 
> Regards,
> 
> Garry.
> 
> 
> On Tue, Oct 31, 2023 at 1:09 AM Konstantin Ananyev
> <konstantin.v.ananyev@yandex.ru> wrote:
> >
> > >
> > >
> > > ipsec related processing in dpdk makes use of the crypto.ses opaque
> > > data pointer.  This patch updates rte_ipsec_session_prepare to set
> > > ss->crypto.ses in the RTE_SECURITY_TYPE_CPU_CRYPTO case.
> >
> > Hmm.. not sure why we need to do that for CPU_CRYPTO?
> > As I remember CPU_CRYPTO is synchronous operation and before calling
> > rte_ipsec_pkt_cpu_prepare() should already know ipsec session these
> > packets belong to.
> > Can you probably explain the logic behind this patch a bit more?
> > Konstantin
> >
> > >
> > > Signed-off-by: Garry Marshall <gazmarsh@meaningfulname.net>
> > > ---
> > >  lib/ipsec/ses.c | 3 ++-
> > >  1 file changed, 2 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/lib/ipsec/ses.c b/lib/ipsec/ses.c
> > > index d9ab1e6d2b..29eb5ff6ca 100644
> > > --- a/lib/ipsec/ses.c
> > > +++ b/lib/ipsec/ses.c
> > > @@ -44,7 +44,8 @@ rte_ipsec_session_prepare(struct rte_ipsec_session *ss)
> > >
> > >       ss->pkt_func = fp;
> > >
> > > -     if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE)
> > > +     if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||
> > > +             ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)
> > >               rte_cryptodev_sym_session_opaque_data_set(ss->crypto.ses,
> > >                       (uintptr_t)ss);
> > >       else
> > > --
> > > 2.39.2
  
Garry Marshall Nov. 2, 2023, 7:20 a.m. UTC | #5
Ah - thanks Konstantin - I will go back and review.

Regards,

Garry.

On Tue, Oct 31, 2023 at 5:53 PM Konstantin Ananyev
<konstantin.ananyev@huawei.com> wrote:
>
>
> Hi Garry,
>
> > Hi Konstantin, Akhil,
> >
> > The patch is based on an issue I encountered when using the CPU_CRYPTO
> > support - I was having problems where the ipsec session lookup was
> > failing / was inconsistent.
> >
> > Examining the code in DPDK and looking for the use of
> > RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO I could see a reasonably
> > consistent pattern where if TYPE_NONE or TYPE_CPU_CRYPTO was set -
> > then the code was making use of ss->crypto.ses instead of
> > ss->security.ses.
> >
> > For example - see examples/ipsec-secgw.c where the one_session_free
> > function has the following code:
> >
> >     if (ips->type == RTE_SECURITY_ACTION_TYPE_NONE ||
> >         ips->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
> >         /* Session has not been created */
> >         if (ips->crypto.ses == NULL)
> >             return 0;
> >
> >         ret = rte_cryptodev_sym_session_free(ips->crypto.dev_id,
> >                 ips->crypto.ses);
> >     } else {
> >         /* Session has not been created */
> >         if (ips->security.ctx == NULL || ips->security.ses == NULL)
> >             return 0;
> >
> >         ret = rte_security_session_destroy(ips->security.ctx,
> >                            ips->security.ses);
> >     }
> >
> > And similarly - if we look at the session_check function in lib/ipsec/ses.c:
> >
> >     if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||
> >         ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
> >         if (ss->crypto.ses == NULL)
> >             return -EINVAL;
> >     } else {
> >         if (ss->security.ses == NULL)
> >             return -EINVAL;
> >         if ((ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
> >                 ss->type ==
> >                 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) &&
> >                 ss->security.ctx == NULL)
> >             return -EINVAL;
> >     }
>
> Thanks for explanation.
> Yes, I agree that TYPE_NONE and TYPE_CPU_CRYPTO both use crypto session
> to keep/propagate crypto related parameters.
> What is not clear to me why for  and TYPE_CPU_CRYPTO we need to store
> pointer to rte_ipsec_session as opaque user data for crypto session.
> As I remember, for lookaside crypto we need to do that to extract
> related rte_ipsec_session pointer from crypto_op, after lookaside crypto device
> finished the processing and sending sym-ops back to user.
> But for CPU_CRYPTO it is not necessary, as all processing is synchronous and
> user already has a pointer for related rte_ipsec_session.
> We probably still can, but what is the benefit, who will use it?
>
> Actually looking at the rte_ipsec_session_prepare() once again,
> you are probably right - it is a bug here, as we shouldn’t call rte_security_session_opaque_data_set()
> for TYPE_CPU_CRYPTO.
> So shouldn't it be like that:
>
>         ss->pkt_func = fp;
>
>         if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE)
>                 rte_cryptodev_sym_session_opaque_data_set(ss->crypto.ses,
>                         (uintptr_t)ss);
> -       else
> +      else if (ss->type != RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)
>                 rte_security_session_opaque_data_set(ss->security.ses, (uintptr_t)ss);
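
Review bot: the replacement `else if (ss->type != RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)` is a negative test, so every action type other than NONE and CPU_CRYPTO, including any added later, falls through to rte_security_session_opaque_data_set(ss->security.ses, ...). Naming the types that actually carry a security session would make the intent explicit, and a one-line comment saying CPU_CRYPTO deliberately stores no back-pointer would stop the gap from being "fixed" again. The rte_security_session_opaque_data_set() call should also be wrapped the same way as the rte_cryptodev_sym_session_opaque_data_set() call above it.
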
>
> > Without the patch in rte_ipsec_session_prepare - for the
> > RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO type, then ss->crypto.ses will not
> > be set.
>
> Hmm... not clear why?
> AFAIK, ss->crypto.ses is supposed to be set by user *before* calling rte_ipsec_session_prepare().
> From lib/ipsec/rte_ipsec.h:
> /**
>  * Checks that inside given rte_ipsec_session crypto/security fields
>  * are filled correctly and setups function pointers based on these values.
>  * Expects that all fields except IPsec processing function pointers
>  * (*pkt_func*) will be filled correctly by caller.
>  * @param ss
>  *   Pointer to the *rte_ipsec_session* object
>  * @return
>  *   - Zero if operation completed successfully.
>  *   - -EINVAL if the parameters are invalid.
>  */
> int
> rte_ipsec_session_prepare(struct rte_ipsec_session *ss);
>
> >
> > Regards,
> >
> > Garry.
> >
> >
> > On Tue, Oct 31, 2023 at 1:09 AM Konstantin Ananyev
> > <konstantin.v.ananyev@yandex.ru> wrote:
> > >
> > > >
> > > >
> > > > ipsec related processing in dpdk makes use of the crypto.ses opaque
> > > > data pointer.  This patch updates rte_ipsec_session_prepare to set
> > > > ss->crypto.ses in the RTE_SECURITY_TYPE_CPU_CRYPTO case.
> > >
> > > Hmm.. not sure why we need to do that for CPU_CRYPTO?
> > > As I remember CPU_CRYPTO is synchronous operation and before calling
> > > rte_ipsec_pkt_cpu_prepare() should already know ipsec session these
> > > packets belong to.
> > > Can you probably explain the logic behind this patch a bit more?
> > > Konstantin
> > >
> > > >
> > > > Signed-off-by: Garry Marshall <gazmarsh@meaningfulname.net>
> > > > ---
> > > >  lib/ipsec/ses.c | 3 ++-
> > > >  1 file changed, 2 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/lib/ipsec/ses.c b/lib/ipsec/ses.c
> > > > index d9ab1e6d2b..29eb5ff6ca 100644
> > > > --- a/lib/ipsec/ses.c
> > > > +++ b/lib/ipsec/ses.c
> > > > @@ -44,7 +44,8 @@ rte_ipsec_session_prepare(struct rte_ipsec_session *ss)
> > > >
> > > >       ss->pkt_func = fp;
> > > >
> > > > -     if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE)
> > > > +     if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||
> > > > +             ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)
> > > >               rte_cryptodev_sym_session_opaque_data_set(ss->crypto.ses,
> > > >                       (uintptr_t)ss);
> > > >       else
> > > > --
> > > > 2.39.2
>
  

Patch

diff --git a/lib/ipsec/ses.c b/lib/ipsec/ses.c
index d9ab1e6d2b..29eb5ff6ca 100644
--- a/lib/ipsec/ses.c
+++ b/lib/ipsec/ses.c
@@ -44,7 +44,8 @@  rte_ipsec_session_prepare(struct rte_ipsec_session *ss)
 
 	ss->pkt_func = fp;
 
-	if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE)
+	if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE ||
+		ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)
 		rte_cryptodev_sym_session_opaque_data_set(ss->crypto.ses,
 			(uintptr_t)ss);
 	else
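
Review bot: the commit message says this sets ss->crypto.ses, but the two added condition lines only extend the branch that passes an existing ss->crypto.ses to rte_cryptodev_sym_session_opaque_data_set() with (uintptr_t)ss; nothing here assigns crypto.ses. Please reword the message (it also writes RTE_SECURITY_TYPE_CPU_CRYPTO where the code uses RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) and name the code path that reads this opaque pointer back for CPU crypto, since that is what would justify the extra store. The continuation line `ss->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)` is indented to the same depth as the call it guards, which makes the condition and the body hard to tell apart.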