[05/15] security: switch metadata to dynamic mbuf field
Commit Message
The device-specific metadata was stored in the deprecated field udata64.
It is moved to a dynamic mbuf field in order to allow removal of udata64.
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
---
doc/guides/prog_guide/rte_security.rst | 9 +++++----
drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 5 ++++-
drivers/net/ixgbe/ixgbe_ipsec.c | 5 ++++-
drivers/net/ixgbe/ixgbe_rxtx.c | 6 ++++--
drivers/net/octeontx2/otx2_ethdev.h | 1 +
drivers/net/octeontx2/otx2_ethdev_sec.c | 5 ++++-
drivers/net/octeontx2/otx2_ethdev_sec_tx.h | 2 +-
drivers/net/octeontx2/otx2_rx.h | 2 +-
examples/ipsec-secgw/ipsec-secgw.c | 15 +++++++++-----
examples/ipsec-secgw/ipsec.h | 3 +++
examples/ipsec-secgw/ipsec_worker.c | 13 ++++++++----
lib/librte_security/rte_security.c | 10 ++++++++++
lib/librte_security/rte_security.h | 5 +++++
lib/librte_security/rte_security_driver.h | 20 +++++++++++++++++++
lib/librte_security/version.map | 2 ++
15 files changed, 83 insertions(+), 20 deletions(-)
Comments
On Mon, Oct 26, 2020 at 6:21 AM Thomas Monjalon <thomas@monjalon.net> wrote:
> diff --git a/lib/librte_security/rte_security_driver.h b/lib/librte_security/rte_security_driver.h
> index 1b561f8528..ba9691b4a0 100644
> --- a/lib/librte_security/rte_security_driver.h
> +++ b/lib/librte_security/rte_security_driver.h
> @@ -17,6 +17,8 @@
> extern "C" {
> #endif
>
> +#include <rte_mbuf_dyn.h>
> +
> #include "rte_security.h"
>
> /**
> @@ -89,6 +91,24 @@ typedef int (*security_session_stats_get_t)(void *device,
> struct rte_security_session *sess,
> struct rte_security_stats *stats);
>
> +/* Dynamic mbuf field for device-specific metadata */
> +static const struct rte_mbuf_dynfield rte_security_dynfield_desc = {
> + .name = RTE_SECURITY_DYNFIELD_NAME,
> + .size = sizeof(RTE_SECURITY_DYNFIELD_TYPE),
> + .align = __alignof__(RTE_SECURITY_DYNFIELD_TYPE),
> +};
Should be in rte_security.c?
> +extern int rte_security_dynfield_offset;
> +
> +__rte_experimental
> +int rte_security_dynfield_register(void);
> +
> +static inline RTE_SECURITY_DYNFIELD_TYPE *
> +rte_security_dynfield(struct rte_mbuf *mbuf)
> +{
> + return RTE_MBUF_DYNFIELD(mbuf,
> + rte_security_dynfield_offset, RTE_SECURITY_DYNFIELD_TYPE *);
> +}
> +
26/10/2020 11:41, David Marchand:
> On Mon, Oct 26, 2020 at 6:21 AM Thomas Monjalon <thomas@monjalon.net> wrote:
> > +/* Dynamic mbuf field for device-specific metadata */
> > +static const struct rte_mbuf_dynfield rte_security_dynfield_desc = {
> > + .name = RTE_SECURITY_DYNFIELD_NAME,
> > + .size = sizeof(RTE_SECURITY_DYNFIELD_TYPE),
> > + .align = __alignof__(RTE_SECURITY_DYNFIELD_TYPE),
> > +};
>
> Should be in rte_security.c?
Yes,
and the inline function below can be a simple macro.
> > +extern int rte_security_dynfield_offset;
> > +
> > +__rte_experimental
> > +int rte_security_dynfield_register(void);
> > +
> > +static inline RTE_SECURITY_DYNFIELD_TYPE *
> > +rte_security_dynfield(struct rte_mbuf *mbuf)
> > +{
> > + return RTE_MBUF_DYNFIELD(mbuf,
> > + rte_security_dynfield_offset, RTE_SECURITY_DYNFIELD_TYPE *);
> > +}
On 10/26/20 8:20 AM, Thomas Monjalon wrote:
> The device-specific metadata was stored in the deprecated field udata64.
> It is moved to a dynamic mbuf field in order to allow removal of udata64.
>
> Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
[snip]
> diff --git a/drivers/net/ixgbe/ixgbe_ipsec.c b/drivers/net/ixgbe/ixgbe_ipsec.c
> index 48f5082d49..0232db20ed 100644
> --- a/drivers/net/ixgbe/ixgbe_ipsec.c
> +++ b/drivers/net/ixgbe/ixgbe_ipsec.c
> @@ -484,7 +484,8 @@ ixgbe_crypto_update_mb(void *device __rte_unused,
> get_sec_session_private_data(session);
> if (ic_session->op == IXGBE_OP_AUTHENTICATED_ENCRYPTION) {
> union ixgbe_crypto_tx_desc_md *mdata =
> - (union ixgbe_crypto_tx_desc_md *)&m->udata64;
> + (union ixgbe_crypto_tx_desc_md *)
> + rte_security_dynfield(m);
IMHO alignment looks a bit confusing here, may be add one more
TAB?
> mdata->enc = 1;
> mdata->sa_idx = ic_session->sa_index;
> mdata->pad_len = ixgbe_crypto_compute_pad_len(m);
> @@ -751,5 +752,7 @@ ixgbe_ipsec_ctx_create(struct rte_eth_dev *dev)
> return -ENOMEM;
> }
> }
> + if (rte_security_dynfield_register() < 0)
> + return -rte_errno;
> return 0;
> }
[snip]
> diff --git a/examples/ipsec-secgw/ipsec_worker.c b/examples/ipsec-secgw/ipsec_worker.c
> index b6c851f257..72f698893d 100644
> --- a/examples/ipsec-secgw/ipsec_worker.c
> +++ b/examples/ipsec-secgw/ipsec_worker.c
> @@ -208,7 +208,8 @@ process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,
> "Inbound security offload failed\n");
> goto drop_pkt_and_exit;
> }
> - sa = pkt->userdata;
> + sa = RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset,
> + struct ipsec_sa *);
I think it should be de-reference above, i.e.
sa = (struct ipsec_sa *)*RTE_MBUF_DYNFIELD(pkt,
security_dynfield_offset, RTE_SECURITY_DYNFIELD_TYPE *);
or just
sa = *RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset, struct ipsec_sa **);
and why not rte_security_dynfield()?
It all looks very fragile. May be at least add
RTE_BUILD_BUG_ON(sizeof(RTE_SECURITY_DYNFIELD_TYPE) ==
sizeof(ipsec_sa *));
and similar checks when an application or a library does
lookup for a dynamic field.
In general since lookup should not happen on data path,
may be lookup should return size of the field which must
be checked by the caller for consistency.
> }
>
> /* Check if we have a match */
> @@ -226,7 +227,8 @@ process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,
> "Inbound security offload failed\n");
> goto drop_pkt_and_exit;
> }
> - sa = pkt->userdata;
> + sa = RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset,
> + struct ipsec_sa *);
same
> }
>
> /* Check if we have a match */
> @@ -357,7 +359,8 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
> }
>
> if (sess->security.ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA)
> - pkt->userdata = sess->security.ses;
> + *RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset,
> + struct rte_security_session **) = sess->security.ses;
rte_security_dynfield() ?
Is it really different types of value in one example
application? It looks like it should be different
dynamic fields. Otherwise, I don't understand how
to work with it.
In fact may be above is out of scope of the patch series...
>
> /* Mark the packet for Tx security offload */
> pkt->ol_flags |= PKT_TX_SEC_OFFLOAD;
> @@ -465,7 +468,9 @@ ipsec_wrkr_non_burst_int_port_drv_mode(struct eh_event_link_info *links,
> }
>
> /* Save security session */
> - pkt->userdata = sess_tbl[port_id];
> + *RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset,
> + struct rte_security_session **) =
> + sess_tbl[port_id];
rte_security_dynfield() ?
>
> /* Mark the packet for Tx security offload */
> pkt->ol_flags |= PKT_TX_SEC_OFFLOAD;
[snip]
26/10/2020 16:06, Andrew Rybchenko:
> On 10/26/20 8:20 AM, Thomas Monjalon wrote:
> > --- a/drivers/net/ixgbe/ixgbe_ipsec.c
> > +++ b/drivers/net/ixgbe/ixgbe_ipsec.c
> > - (union ixgbe_crypto_tx_desc_md *)&m->udata64;
> > + (union ixgbe_crypto_tx_desc_md *)
> > + rte_security_dynfield(m);
>
> IMHO alignment looks a bit confusing here, may be add one more
> TAB?
OK, no opinion
> [snip]
> > - sa = pkt->userdata;
> > + sa = RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset,
> > + struct ipsec_sa *);
>
> I think it should be de-reference above, i.e.
> sa = (struct ipsec_sa *)*RTE_MBUF_DYNFIELD(pkt,
> security_dynfield_offset, RTE_SECURITY_DYNFIELD_TYPE *);
> or just
> sa = *RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset, struct ipsec_sa **);
You're right something is wrong.
I should add a dereference.
> and why not rte_security_dynfield()?
Because I need good reviews from you and David :)
Will fix one and the other occurences.
I've prepared a v2 using a macro, but I think I will follow
your suggestion of having static inline functions.
> It all looks very fragile. May be at least add
> RTE_BUILD_BUG_ON(sizeof(RTE_SECURITY_DYNFIELD_TYPE) ==
> sizeof(ipsec_sa *));
> and similar checks when an application or a library does
> lookup for a dynamic field.
You mean adding this after the lookup in the app?
> In general since lookup should not happen on data path,
> may be lookup should return size of the field which must
> be checked by the caller for consistency.
It does. I can add a check.
> Is it really different types of value in one example
> application? It looks like it should be different
> dynamic fields. Otherwise, I don't understand how
> to work with it.
Yes, udata64 was a trash bin used to store different kind of data,
even inside librte_security.
> In fact may be above is out of scope of the patch series...
Yes, I think moving to a dedicated field is a first step.
Second step (not by me) will be to split in different fields.
> On Mon, Oct 26, 2020 at 6:21 AM Thomas Monjalon <thomas@monjalon.net>
> wrote:
> > diff --git a/lib/librte_security/rte_security_driver.h
> b/lib/librte_security/rte_security_driver.h
> > index 1b561f8528..ba9691b4a0 100644
> > --- a/lib/librte_security/rte_security_driver.h
> > +++ b/lib/librte_security/rte_security_driver.h
> > @@ -17,6 +17,8 @@
> > extern "C" {
> > #endif
> >
> > +#include <rte_mbuf_dyn.h>
> > +
> > #include "rte_security.h"
> >
> > /**
> > @@ -89,6 +91,24 @@ typedef int (*security_session_stats_get_t)(void
> *device,
> > struct rte_security_session *sess,
> > struct rte_security_stats *stats);
> >
> > +/* Dynamic mbuf field for device-specific metadata */
> > +static const struct rte_mbuf_dynfield rte_security_dynfield_desc = {
> > + .name = RTE_SECURITY_DYNFIELD_NAME,
> > + .size = sizeof(RTE_SECURITY_DYNFIELD_TYPE),
> > + .align = __alignof__(RTE_SECURITY_DYNFIELD_TYPE),
> > +};
>
> Should be in rte_security.c?
>
>
> > +extern int rte_security_dynfield_offset;
> > +
> > +__rte_experimental
> > +int rte_security_dynfield_register(void);
> > +
> > +static inline RTE_SECURITY_DYNFIELD_TYPE *
> > +rte_security_dynfield(struct rte_mbuf *mbuf)
> > +{
> > + return RTE_MBUF_DYNFIELD(mbuf,
> > + rte_security_dynfield_offset, RTE_SECURITY_DYNFIELD_TYPE *);
> > +}
code indentation -
At least one more tab before rte_security_dynfield_offset, RTE_SECURITY_DYNFIELD_TYPE *).
26/10/2020 17:49, Thomas Monjalon:
> 26/10/2020 16:06, Andrew Rybchenko:
> > On 10/26/20 8:20 AM, Thomas Monjalon wrote:
> > [snip]
> > > - sa = pkt->userdata;
> > > + sa = RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset,
> > > + struct ipsec_sa *);
> >
> > I think it should be de-reference above, i.e.
> > sa = (struct ipsec_sa *)*RTE_MBUF_DYNFIELD(pkt,
> > security_dynfield_offset, RTE_SECURITY_DYNFIELD_TYPE *);
> > or just
> > sa = *RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset, struct ipsec_sa **);
>
> You're right something is wrong.
> I should add a dereference.
>
> > and why not rte_security_dynfield()?
>
> Because I need good reviews from you and David :)
The initial idea was to have a field lookup in the app,
and to not rely on what drivers have registered.
After more thoughts, the lookup can be replaced with a check
rte_security_dynfield_is_registered(),
so rte_security_dynfield() can be used.
> Will fix one and the other occurences.
> I've prepared a v2 using a macro, but I think I will follow
> your suggestion of having static inline functions.
>
> > It all looks very fragile. May be at least add
> > RTE_BUILD_BUG_ON(sizeof(RTE_SECURITY_DYNFIELD_TYPE) ==
> > sizeof(ipsec_sa *));
> > and similar checks when an application or a library does
> > lookup for a dynamic field.
>
> You mean adding this after the lookup in the app?
I will remove the lookup, it is less fragile.
@@ -125,8 +125,9 @@ ESP/AH headers will be removed from the packet and the received packet
will contains the decrypted packet only. The driver Rx path checks the
descriptors and based on the crypto status sets additional flags in
``rte_mbuf.ol_flags`` field. The driver would also set device-specific
-metadata in ``rte_mbuf.udata64`` field. This will allow the application
-to identify the security processing done on the packet.
+metadata in ``RTE_SECURITY_DYNFIELD_NAME`` field.
+This will allow the application to identify the security processing
+done on the packet.
.. note::
@@ -568,8 +569,8 @@ security session which processed the packet.
.. note::
- In case of inline processed packets, ``rte_mbuf.udata64`` field would be
- used by the driver to relay information on the security processing
+ In case of inline processed packets, ``RTE_SECURITY_DYNFIELD_NAME`` field
+ would be used by the driver to relay information on the security processing
associated with the packet. In ingress, the driver would set this in Rx
path while in egress, ``rte_security_set_pkt_metadata()`` would perform a
similar operation. The application is expected not to modify the field
@@ -455,6 +455,9 @@ otx2_crypto_sec_session_create(void *device,
if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
return -ENOTSUP;
+ if (rte_security_dynfield_register() < 0)
+ return -rte_errno;
+
if (rte_mempool_get(mempool, (void **)&priv)) {
otx2_err("Could not allocate security session private data");
return -ENOMEM;
@@ -514,7 +517,7 @@ otx2_crypto_sec_set_pkt_mdata(void *device __rte_unused,
struct rte_mbuf *m, void *params __rte_unused)
{
/* Set security session as the pkt metadata */
- m->udata64 = (uint64_t)session;
+ *rte_security_dynfield(m) = (RTE_SECURITY_DYNFIELD_TYPE)session;
return 0;
}
@@ -484,7 +484,8 @@ ixgbe_crypto_update_mb(void *device __rte_unused,
get_sec_session_private_data(session);
if (ic_session->op == IXGBE_OP_AUTHENTICATED_ENCRYPTION) {
union ixgbe_crypto_tx_desc_md *mdata =
- (union ixgbe_crypto_tx_desc_md *)&m->udata64;
+ (union ixgbe_crypto_tx_desc_md *)
+ rte_security_dynfield(m);
mdata->enc = 1;
mdata->sa_idx = ic_session->sa_index;
mdata->pad_len = ixgbe_crypto_compute_pad_len(m);
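Review bot: The cast of `rte_security_dynfield(m)` to `union ixgbe_crypto_tx_desc_md *` in ixgbe_crypto_update_mb relies on the union being no larger than the registered field, which this patch fixes at `sizeof(RTE_SECURITY_DYNFIELD_TYPE)` (a `uint64_t`), and nothing at the cast enforces that. The union's definition is not in the hunk, so whether it fits today is an assumption; if it ever grew, the `mdata->...` stores would run into whatever dynamic field sits next in the mbuf. A compile-time check beside the cast would pin it: `RTE_BUILD_BUG_ON(sizeof(union ixgbe_crypto_tx_desc_md) > sizeof(RTE_SECURITY_DYNFIELD_TYPE));`. The same cast appears in the ixgbe_xmit_pkts hunk (`@@ -694,7 +695,7 @@`). The function body starts and ends outside this hunk.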
@@ -751,5 +752,7 @@ ixgbe_ipsec_ctx_create(struct rte_eth_dev *dev)
return -ENOMEM;
}
}
+ if (rte_security_dynfield_register() < 0)
+ return -rte_errno;
return 0;
}
@@ -34,6 +34,7 @@
#include <rte_mbuf.h>
#include <rte_ether.h>
#include <rte_ethdev_driver.h>
+#include <rte_security_driver.h>
#include <rte_prefetch.h>
#include <rte_udp.h>
#include <rte_tcp.h>
@@ -694,7 +695,7 @@ ixgbe_xmit_pkts(void *tx_queue, struct rte_mbuf **tx_pkts,
if (use_ipsec) {
union ixgbe_crypto_tx_desc_md *ipsec_mdata =
(union ixgbe_crypto_tx_desc_md *)
- &tx_pkt->udata64;
+ rte_security_dynfield(tx_pkt);
tx_offload.sa_idx = ipsec_mdata->sa_idx;
tx_offload.sec_pad_len = ipsec_mdata->pad_len;
}
@@ -859,7 +860,8 @@ ixgbe_xmit_pkts(void *tx_queue, struct rte_mbuf **tx_pkts,
}
ixgbe_set_xmit_ctx(txq, ctx_txd, tx_ol_req,
- tx_offload, &tx_pkt->udata64);
+ tx_offload,
+ rte_security_dynfield(tx_pkt));
txe->last_id = tx_last;
tx_id = txe->next_id;
@@ -13,6 +13,7 @@
#include <rte_kvargs.h>
#include <rte_mbuf.h>
#include <rte_mempool.h>
+#include <rte_security_driver.h>
#include <rte_string_fns.h>
#include <rte_time.h>
@@ -684,7 +684,7 @@ otx2_eth_sec_set_pkt_mdata(void *device __rte_unused,
struct rte_mbuf *m, void *params __rte_unused)
{
/* Set security session as the pkt metadata */
- m->udata64 = (uint64_t)session;
+ *rte_security_dynfield(m) = (RTE_SECURITY_DYNFIELD_TYPE)session;
return 0;
}
@@ -831,6 +831,9 @@ otx2_eth_sec_init(struct rte_eth_dev *eth_dev)
!(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
return 0;
+ if (rte_security_dynfield_register() < 0)
+ return -rte_errno;
+
nb_sa = dev->ipsec_in_max_spi;
mz_sz = nb_sa * sa_width;
in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
@@ -55,7 +55,7 @@ otx2_sec_event_tx(struct otx2_ssogws *ws, struct rte_event *ev,
struct nix_iova_s nix_iova;
} *sd;
- priv = get_sec_session_private_data((void *)(m->udata64));
+ priv = get_sec_session_private_data((void *)(*rte_security_dynfield(m)));
sess = &priv->ipsec.ip;
sa = &sess->out_sa;
@@ -241,7 +241,7 @@ nix_rx_sec_mbuf_update(const struct nix_cqe_hdr_s *cq, struct rte_mbuf *m,
spi = cq->tag & 0xFFFFF;
sa = nix_rx_sec_sa_get(lookup_mem, spi, m->port);
- m->udata64 = (uint64_t)sa->userdata;
+ *rte_security_dynfield(m) = sa->udata64;
data = rte_pktmbuf_mtod(m, char *);
@@ -165,6 +165,8 @@ static uint32_t nb_lcores;
static uint32_t single_sa;
static uint32_t nb_bufs_in_pool;
+int security_dynfield_offset;
+
/*
* RX/TX HW offload capabilities to enable/use on ethernet ports.
* By default all capabilities are enabled.
@@ -426,7 +428,8 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
* with the security session.
*/
- if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD) {
+ if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD &&
+ security_dynfield_offset >= 0) {
struct ipsec_sa *sa;
struct ipsec_mbuf_metadata *priv;
struct rte_security_ctx *ctx = (struct rte_security_ctx *)
@@ -436,10 +439,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
/* Retrieve the userdata registered. Here, the userdata
* registered is the SA pointer.
*/
-
- sa = (struct ipsec_sa *)
- rte_security_get_userdata(ctx, pkt->udata64);
-
+ sa = (struct ipsec_sa *) rte_security_get_userdata(ctx,
+ *RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset,
+ RTE_SECURITY_DYNFIELD_TYPE *));
if (sa == NULL) {
/* userdata could not be retrieved */
return;
@@ -2898,6 +2900,9 @@ main(int32_t argc, char **argv)
}
printf("Number of mbufs in packet pool %d\n", nb_bufs_in_pool);
+ security_dynfield_offset =
+ rte_mbuf_dynfield_lookup(RTE_SECURITY_DYNFIELD_NAME, NULL);
+
RTE_ETH_FOREACH_DEV(portid) {
if ((enabled_port_mask & (1 << portid)) == 0)
continue;
@@ -8,6 +8,7 @@
#include <stdint.h>
#include <rte_byteorder.h>
+#include <rte_mbuf_dyn.h>
#include <rte_crypto.h>
#include <rte_security.h>
#include <rte_flow.h>
@@ -67,6 +68,8 @@ struct ip_addr {
#define MAX_KEY_SIZE 36
+extern int security_dynfield_offset;
+
/*
* application wide SA parameters
*/
@@ -208,7 +208,8 @@ process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,
"Inbound security offload failed\n");
goto drop_pkt_and_exit;
}
- sa = pkt->userdata;
+ sa = RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset,
+ struct ipsec_sa *);
}
/* Check if we have a match */
@@ -226,7 +227,8 @@ process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,
"Inbound security offload failed\n");
goto drop_pkt_and_exit;
}
- sa = pkt->userdata;
+ sa = RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset,
+ struct ipsec_sa *);
}
/* Check if we have a match */
@@ -357,7 +359,8 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
}
if (sess->security.ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA)
- pkt->userdata = sess->security.ses;
+ *RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset,
+ struct rte_security_session **) = sess->security.ses;
/* Mark the packet for Tx security offload */
pkt->ol_flags |= PKT_TX_SEC_OFFLOAD;
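Review bot: The store through `RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset, ...)` in process_ipsec_ev_outbound has no guard against a negative offset, although `security_dynfield_offset` comes from `rte_mbuf_dynfield_lookup()` in main() and prepare_one_packet() already tests `security_dynfield_offset >= 0` before reading the field. If the lookup found no registered field, the offset is negative and this write lands in front of the mbuf rather than inside it. The same unguarded access is in the two process_ipsec_ev_inbound hunks and in ipsec_wrkr_non_burst_int_port_drv_mode (`@@ -465,7 +468,9 @@`). I would either test the offset once before these workers start, or guard the access with `if (unlikely(security_dynfield_offset < 0))` and take the function's existing drop path. The function body continues outside the hunk.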
@@ -465,7 +468,9 @@ ipsec_wrkr_non_burst_int_port_drv_mode(struct eh_event_link_info *links,
}
/* Save security session */
- pkt->userdata = sess_tbl[port_id];
+ *RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset,
+ struct rte_security_session **) =
+ sess_tbl[port_id];
/* Mark the packet for Tx security offload */
pkt->ol_flags |= PKT_TX_SEC_OFFLOAD;
@@ -23,6 +23,16 @@
RTE_PTR_OR_ERR_RET(p1->p2->p3, last_retval); \
} while (0)
+int rte_security_dynfield_offset;
+
+int
+rte_security_dynfield_register(void)
+{
+ rte_security_dynfield_offset =
+ rte_mbuf_dynfield_register(&rte_security_dynfield_desc);
+ return rte_security_dynfield_offset;
+}
+
struct rte_security_session *
rte_security_session_create(struct rte_security_ctx *instance,
struct rte_security_session_conf *conf,
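Review bot: `int rte_security_dynfield_offset;` is zero-initialised, so until a driver has called rte_security_dynfield_register() the accessor `rte_security_dynfield()` in rte_security_driver.h resolves to offset 0, the first bytes of the mbuf itself. A metadata store there would overwrite mbuf header state instead of failing visibly. Initialising it as `int rte_security_dynfield_offset = -1;` makes the unregistered state distinguishable. The register function also writes the result of rte_mbuf_dynfield_register() straight into the global, so should a later call fail it would replace a previously valid offset with the error value; assigning only when the result is `>= 0` avoids that. rte_security_session_create(), which follows, continues outside the hunk.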
@@ -451,6 +451,11 @@ int
rte_security_session_destroy(struct rte_security_ctx *instance,
struct rte_security_session *sess);
+/** Device-specific metadata field name (for mbuf dynfield lookup) */
+#define RTE_SECURITY_DYNFIELD_NAME "rte_security_dynfield_metadata"
+/** Device-specific metadata field type */
+#define RTE_SECURITY_DYNFIELD_TYPE uint64_t
+
/**
* Updates the buffer with device-specific defined metadata
*
@@ -17,6 +17,8 @@
extern "C" {
#endif
+#include <rte_mbuf_dyn.h>
+
#include "rte_security.h"
/**
@@ -89,6 +91,24 @@ typedef int (*security_session_stats_get_t)(void *device,
struct rte_security_session *sess,
struct rte_security_stats *stats);
+/* Dynamic mbuf field for device-specific metadata */
+static const struct rte_mbuf_dynfield rte_security_dynfield_desc = {
+ .name = RTE_SECURITY_DYNFIELD_NAME,
+ .size = sizeof(RTE_SECURITY_DYNFIELD_TYPE),
+ .align = __alignof__(RTE_SECURITY_DYNFIELD_TYPE),
+};
+extern int rte_security_dynfield_offset;
+
+__rte_experimental
+int rte_security_dynfield_register(void);
+
+static inline RTE_SECURITY_DYNFIELD_TYPE *
+rte_security_dynfield(struct rte_mbuf *mbuf)
+{
+ return RTE_MBUF_DYNFIELD(mbuf,
+ rte_security_dynfield_offset, RTE_SECURITY_DYNFIELD_TYPE *);
+}
+
/**
* Update the mbuf with provided metadata.
*
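Review bot: rte_security_dynfield_register() and rte_security_dynfield() are added to a driver-facing header without any Doxygen block, and the former is exported as experimental. The callers in this patch do `return -rte_errno` on a negative result, so the contract they depend on should be written down, e.g. `/** Register the security metadata dynamic mbuf field. @return field offset on success, negative value with rte_errno set on failure. */`. For the accessor I would add `/** @return pointer to the metadata field; valid only after rte_security_dynfield_register() has succeeded. */`. The comment block that ends the hunk belongs to the next declaration, which lies outside it.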
@@ -15,6 +15,8 @@ DPDK_21 {
EXPERIMENTAL {
global:
+ rte_security_dynfield_offset;
+ rte_security_dynfield_register;
rte_security_get_userdata;
rte_security_session_stats_get;
rte_security_session_update;