Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/99892/?format=api
{ "id": 99892, "url": "https://patches.dpdk.org/api/patches/99892/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/patch/1632826799-454-2-git-send-email-anoobj@marvell.com/", "project": { "id": 1, "url": "https://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<1632826799-454-2-git-send-email-anoobj@marvell.com>", "list_archive_url": "https://inbox.dpdk.org/dev/1632826799-454-2-git-send-email-anoobj@marvell.com", "date": "2021-09-28T10:59:54", "name": "[v4,1/6] security: add SA lifetime configuration", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": true, "hash": "a4da0af80dd7cad191c437e30208b331823cb5de", "submitter": { "id": 1205, "url": "https://patches.dpdk.org/api/people/1205/?format=api", "name": "Anoob Joseph", "email": "anoobj@marvell.com" }, "delegate": { "id": 6690, "url": "https://patches.dpdk.org/api/users/6690/?format=api", "username": "akhil", "first_name": "akhil", "last_name": "goyal", "email": "gakhil@marvell.com" }, "mbox": "https://patches.dpdk.org/project/dpdk/patch/1632826799-454-2-git-send-email-anoobj@marvell.com/mbox/", "series": [ { "id": 19223, "url": "https://patches.dpdk.org/api/series/19223/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/list/?series=19223", "date": "2021-09-28T10:59:53", "name": "Add SA lifetime in security", "version": 4, "mbox": "https://patches.dpdk.org/series/19223/mbox/" } ], "comments": "https://patches.dpdk.org/api/patches/99892/comments/", "check": "warning", "checks": "https://patches.dpdk.org/api/patches/99892/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@inbox.dpdk.org", "Delivered-To": "patchwork@inbox.dpdk.org", "Received": [ "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id 5ED3CA0032;\n\tTue, 28 Sep 2021 13:00:21 +0200 (CEST)", "from [217.70.189.124] (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id A96FC410E5;\n\tTue, 28 Sep 2021 13:00:20 +0200 (CEST)", "from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com\n [67.231.148.174])\n by mails.dpdk.org (Postfix) with ESMTP id 4B60C410E4\n for <dev@dpdk.org>; Tue, 28 Sep 2021 13:00:19 +0200 (CEST)", "from pps.filterd (m0045849.ppops.net [127.0.0.1])\n by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id\n 18SAIiok021315;\n Tue, 28 Sep 2021 04:00:18 -0700", "from dc5-exch01.marvell.com ([199.233.59.181])\n by mx0a-0016f401.pphosted.com with ESMTP id 3bc16204d7-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT);\n Tue, 28 Sep 2021 04:00:18 -0700", "from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com\n (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.18;\n Tue, 28 Sep 2021 04:00:16 -0700", "from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com\n (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend\n Transport; Tue, 28 Sep 2021 04:00:16 -0700", "from HY-LT1002.marvell.com (HY-LT1002.marvell.com [10.28.176.218])\n by maili.marvell.com (Postfix) with ESMTP id EEAD25B692D;\n Tue, 28 Sep 2021 04:00:12 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com;\n h=from : to : cc :\n subject : date : message-id : in-reply-to : references : mime-version :\n content-transfer-encoding : content-type; s=pfpt0220;\n bh=1PIx7ux5EWl18Ba78owOg+LZIvBdA3rRvfEA10P0TMA=;\n b=MDJ8p6p799eBX4yjbTVKJU1HkJ+9TFGGvMryFljY46avT4yMqClfWtUK01kxSEVzNMl8\n JV33MobRegnXfneGHE/v8ybQxPf8vASu8M6Y6jfe1+tO9JOBkEv61sctq1RSHv/CORx/\n nepQBTmrtNQtpbF8ZG9FVN2CKqPsWdIsz2Fob0tg3rEg6YVZdz4A/lcJcC9npLN+zyxP\n G9SfbyU9WKn+JIi8tzPQocdf/HYcStFZwOCUYO8zmgoN9byKeF5sI0LupxTU/Q7Rfcn3\n luZ2paKS6iuTR9Fx6lAC2aNpuIMSZlwSSgmS7nAD2F3SpRyorxka8erwRnRz91oU2wj3 vw==", "From": "Anoob Joseph <anoobj@marvell.com>", "To": "Akhil Goyal <gakhil@marvell.com>, Declan Doherty\n <declan.doherty@intel.com>, Fan Zhang <roy.fan.zhang@intel.com>,\n \"Konstantin Ananyev\" <konstantin.ananyev@intel.com>", "CC": "Anoob Joseph <anoobj@marvell.com>, Jerin Jacob <jerinj@marvell.com>,\n Archana Muniganti <marchana@marvell.com>, Tejasree Kondoj\n <ktejasree@marvell.com>, Hemant Agrawal <hemant.agrawal@nxp.com>, \"Radu\n Nicolau\" <radu.nicolau@intel.com>,\n Ciara Power <ciara.power@intel.com>, Gagandeep Singh <g.singh@nxp.com>,\n <dev@dpdk.org>", "Date": "Tue, 28 Sep 2021 16:29:54 +0530", "Message-ID": "<1632826799-454-2-git-send-email-anoobj@marvell.com>", "X-Mailer": "git-send-email 2.7.4", "In-Reply-To": "<1632826799-454-1-git-send-email-anoobj@marvell.com>", "References": "<1632823662-384-1-git-send-email-anoobj@marvell.com>\n <1632826799-454-1-git-send-email-anoobj@marvell.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Content-Type": "text/plain", "X-Proofpoint-ORIG-GUID": "GqbW2-nzKM4CdSMqdoKMV8LpblnABm6u", "X-Proofpoint-GUID": "GqbW2-nzKM4CdSMqdoKMV8LpblnABm6u", "X-Proofpoint-Virus-Version": "vendor=baseguard\n engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475\n definitions=2021-09-28_05,2021-09-28_01,2020-04-07_01", "Subject": "[dpdk-dev] [PATCH v4 1/6] security: add SA lifetime configuration", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "Add SA lifetime configuration to register soft and hard expiry limits.\nExpiry can be in units of number of packets or bytes. Crypto op\nstatus is also updated to include new field, aux_flags, which can be\nused to indicate cases such as soft expiry in case of lookaside\nprotocol operations.\n\nIn case of soft expiry, the packets are successfully IPsec processed but\nthe soft expiry would indicate that SA needs to be reconfigured. For\ninline protocol capable ethdev, this would result in an eth event while\nfor lookaside protocol capable cryptodev, this can be communicated via\n`rte_crypto_op.aux_flags` field.\n\nIn case of hard expiry, the packets will not be IPsec processed and\nwould result in error.\n\nSigned-off-by: Anoob Joseph <anoobj@marvell.com>\nAcked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>\n\n---\n .../test_cryptodev_security_ipsec_test_vectors.h | 3 ---\n doc/guides/rel_notes/deprecation.rst | 5 ----\n doc/guides/rel_notes/release_21_11.rst | 13 ++++++++++\n examples/ipsec-secgw/ipsec.c | 2 +-\n examples/ipsec-secgw/ipsec.h | 2 +-\n lib/cryptodev/rte_crypto.h | 12 +++++++++-\n lib/security/rte_security.h | 28 ++++++++++++++++++++--\n 7 files changed, 52 insertions(+), 13 deletions(-)", "diff": "diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h\nindex ae9cd24..38ea43d 100644\n--- a/app/test/test_cryptodev_security_ipsec_test_vectors.h\n+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h\n@@ -98,7 +98,6 @@ struct ipsec_test_data pkt_aes_128_gcm = {\n \t\t.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,\n \t\t.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,\n \t\t.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,\n-\t\t.esn_soft_limit = 0,\n \t\t.replay_win_sz = 0,\n \t},\n \n@@ -195,7 +194,6 @@ struct ipsec_test_data pkt_aes_192_gcm = {\n \t\t.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,\n \t\t.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,\n \t\t.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,\n-\t\t.esn_soft_limit = 0,\n \t\t.replay_win_sz = 0,\n \t},\n \n@@ -295,7 +293,6 @@ struct ipsec_test_data pkt_aes_256_gcm = {\n \t\t.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,\n \t\t.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,\n \t\t.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,\n-\t\t.esn_soft_limit = 0,\n \t\t.replay_win_sz = 0,\n \t},\n \ndiff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst\nindex 70ef45e..69fbde0 100644\n--- a/doc/guides/rel_notes/deprecation.rst\n+++ b/doc/guides/rel_notes/deprecation.rst\n@@ -275,8 +275,3 @@ Deprecation Notices\n * cmdline: ``cmdline`` structure will be made opaque to hide platform-specific\n content. On Linux and FreeBSD, supported prior to DPDK 20.11,\n original structure will be kept until DPDK 21.11.\n-\n-* cryptodev: The structure ``rte_crypto_op`` would be updated to reduce\n- reserved bytes to 2 (from 3), and use 1 byte to indicate warnings and other\n- information from the crypto/security operation. This field will be used to\n- communicate events such as soft expiry with IPsec in lookaside mode.\ndiff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst\nindex c93cc20..114631e 100644\n--- a/doc/guides/rel_notes/release_21_11.rst\n+++ b/doc/guides/rel_notes/release_21_11.rst\n@@ -152,6 +152,13 @@ API Changes\n as it is for drivers only and should be private to DPDK, and not\n installed for app use.\n \n+* cryptodev: use 1 reserved byte from ``rte_crypto_op`` for aux flags\n+\n+ * Updated the structure ``rte_crypto_op`` to reduce reserved bytes to\n+ 2 (from 3), and use 1 byte to indicate warnings and other information from\n+ the crypto/security operation. This field will be used to communicate events\n+ such as soft expiry with IPsec in lookaside mode.\n+\n \n ABI Changes\n -----------\n@@ -174,6 +181,12 @@ ABI Changes\n have much processing in PMD specific callbacks but just 64-bit set/get.\n This avoids a per pkt function pointer jump overhead for such PMD's.\n \n+* security: add IPsec SA lifetime configuration\n+\n+ * Added IPsec SA lifetime configuration to allow applications to configure\n+ soft and hard SA expiry limits. Limits can be either in units of packets or\n+ bytes.\n+\n \n Known Issues\n ------------\ndiff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c\nindex 5b032fe..4868294 100644\n--- a/examples/ipsec-secgw/ipsec.c\n+++ b/examples/ipsec-secgw/ipsec.c\n@@ -49,7 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)\n \t\t}\n \t\t/* TODO support for Transport */\n \t}\n-\tipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;\n+\tipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT;\n \tipsec->replay_win_sz = app_sa_prm.window_size;\n \tipsec->options.esn = app_sa_prm.enable_esn;\n \tipsec->options.udp_encap = sa->udp_encap;\ndiff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h\nindex ae5058d..90c81c1 100644\n--- a/examples/ipsec-secgw/ipsec.h\n+++ b/examples/ipsec-secgw/ipsec.h\n@@ -23,7 +23,7 @@\n \n #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */\n \n-#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00\n+#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00\n \n #define IV_OFFSET\t\t(sizeof(struct rte_crypto_op) + \\\n \t\t\t\tsizeof(struct rte_crypto_sym_op))\ndiff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h\nindex fd5ef3a..a864f50 100644\n--- a/lib/cryptodev/rte_crypto.h\n+++ b/lib/cryptodev/rte_crypto.h\n@@ -65,6 +65,11 @@ enum rte_crypto_op_sess_type {\n \tRTE_CRYPTO_OP_SECURITY_SESSION\t/**< Security session crypto operation */\n };\n \n+/* Auxiliary flags related to IPsec offload with RTE_SECURITY */\n+\n+#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY (1 << 0)\n+/**< SA soft expiry limit has been reached */\n+\n /**\n * Cryptographic Operation.\n *\n@@ -93,7 +98,12 @@ struct rte_crypto_op {\n \t\t\t */\n \t\t\tuint8_t sess_type;\n \t\t\t/**< operation session type */\n-\t\t\tuint8_t reserved[3];\n+\t\t\tuint8_t aux_flags;\n+\t\t\t/**< Operation specific auxiliary/additional flags.\n+\t\t\t * These flags carry additional information from the\n+\t\t\t * operation. Processing of the same is optional.\n+\t\t\t */\n+\t\t\tuint8_t reserved[2];\n \t\t\t/**< Reserved bytes to fill 64 bits for\n \t\t\t * future additions\n \t\t\t */\ndiff --git a/lib/security/rte_security.h b/lib/security/rte_security.h\nindex f9e6591..88147e1 100644\n--- a/lib/security/rte_security.h\n+++ b/lib/security/rte_security.h\n@@ -217,6 +217,30 @@ enum rte_security_ipsec_sa_direction {\n };\n \n /**\n+ * Configure soft and hard lifetime of an IPsec SA\n+ *\n+ * Lifetime of an IPsec SA would specify the maximum number of packets or bytes\n+ * that can be processed. IPsec operations would start failing once any hard\n+ * limit is reached.\n+ *\n+ * Soft limits can be specified to generate notification when the SA is\n+ * approaching hard limits for lifetime. For inline operations, reaching soft\n+ * expiry limit would result in raising an eth event for the same. For lookaside\n+ * operations, this would result in a warning returned in\n+ * ``rte_crypto_op.aux_flags``.\n+ */\n+struct rte_security_ipsec_lifetime {\n+\tuint64_t packets_soft_limit;\n+\t/**< Soft expiry limit in number of packets */\n+\tuint64_t bytes_soft_limit;\n+\t/**< Soft expiry limit in bytes */\n+\tuint64_t packets_hard_limit;\n+\t/**< Soft expiry limit in number of packets */\n+\tuint64_t bytes_hard_limit;\n+\t/**< Soft expiry limit in bytes */\n+};\n+\n+/**\n * IPsec security association configuration data.\n *\n * This structure contains data required to create an IPsec SA security session.\n@@ -236,8 +260,8 @@ struct rte_security_ipsec_xform {\n \t/**< IPsec SA Mode - transport/tunnel */\n \tstruct rte_security_ipsec_tunnel_param tunnel;\n \t/**< Tunnel parameters, NULL for transport mode */\n-\tuint64_t esn_soft_limit;\n-\t/**< ESN for which the overflow event need to be raised */\n+\tstruct rte_security_ipsec_lifetime life;\n+\t/**< IPsec SA lifetime */\n \tuint32_t replay_win_sz;\n \t/**< Anti replay window size to enable sequence replay attack handling.\n \t * replay checking is disabled if the window size is 0.\n", "prefixes": [ "v4", "1/6" ] }