From patchwork Mon Oct 26 05:20:55 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Thomas Monjalon
X-Patchwork-Id: 82150
X-Patchwork-Delegate: thomas@monjalon.net
From: Thomas Monjalon
To: dev@dpdk.org
Cc: ferruh.yigit@intel.com, david.marchand@redhat.com, bruce.richardson@intel.com, olivier.matz@6wind.com, andrew.rybchenko@oktetlabs.ru, akhil.goyal@nxp.com, Declan Doherty, Ankur Dwivedi, Anoob Joseph, Jeff Guo, Haiyue Wang, Jerin Jacob, Nithin Dabilpuram, Kiran Kumar K, Radu Nicolau, Ray Kinsella, Neil Horman
Date: Mon, 26 Oct 2020 06:20:55 +0100
Message-Id: <20201026052105.1561859-6-thomas@monjalon.net>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20201026052105.1561859-1-thomas@monjalon.net>
References: <20201026052105.1561859-1-thomas@monjalon.net>
Subject: [dpdk-dev] [PATCH 05/15] security: switch metadata to dynamic mbuf field
List-Id: DPDK patches and discussions

The device-specific metadata was stored in the deprecated field udata64.
It is moved to a dynamic mbuf field in order to allow removal of udata64.

Signed-off-by: Thomas Monjalon
---
 doc/guides/prog_guide/rte_security.rst        |  9 +++++----
 drivers/crypto/octeontx2/otx2_cryptodev_sec.c |  5 ++++-
 drivers/net/ixgbe/ixgbe_ipsec.c               |  5 ++++-
 drivers/net/ixgbe/ixgbe_rxtx.c                |  6 ++++--
 drivers/net/octeontx2/otx2_ethdev.h           |  1 +
 drivers/net/octeontx2/otx2_ethdev_sec.c       |  5 ++++-
 drivers/net/octeontx2/otx2_ethdev_sec_tx.h    |  2 +-
 drivers/net/octeontx2/otx2_rx.h               |  2 +-
 examples/ipsec-secgw/ipsec-secgw.c            | 15 +++++++++-----
 examples/ipsec-secgw/ipsec.h                  |  3 +++
 examples/ipsec-secgw/ipsec_worker.c           | 13 ++++++++----
 lib/librte_security/rte_security.c            | 10 ++++++++++
 lib/librte_security/rte_security.h            |  5 +++++
 lib/librte_security/rte_security_driver.h     | 20 +++++++++++++++++++
 lib/librte_security/version.map               |  2 ++
 15 files changed, 83 insertions(+), 20 deletions(-)
diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst index c64aef3de9..f72bc8a78f 100644 --- a/doc/guides/prog_guide/rte_security.rst +++ b/doc/guides/prog_guide/rte_security.rst @@ -125,8 +125,9 @@ ESP/AH headers will be removed from the packet and the received packet will contains the decrypted packet only. The driver Rx path checks the descriptors and based on the crypto status sets additional flags in ``rte_mbuf.ol_flags`` field. The driver would also set device-specific -metadata in ``rte_mbuf.udata64`` field. This will allow the application -to identify the security processing done on the packet. +metadata in ``RTE_SECURITY_DYNFIELD_NAME`` field. +This will allow the application to identify the security processing +done on the packet. .. note:: @@ -568,8 +569,8 @@ security session which processed the packet. .. note:: - In case of inline processed packets, ``rte_mbuf.udata64`` field would be - used by the driver to relay information on the security processing + In case of inline processed packets, ``RTE_SECURITY_DYNFIELD_NAME`` field + would be used by the driver to relay information on the security processing associated with the packet. In ingress, the driver would set this in Rx path while in egress, ``rte_security_set_pkt_metadata()`` would perform a similar operation. The application is expected not to modify the field diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c index b80ec7bff2..2e5e73143b 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c @@ -455,6 +455,9 @@ otx2_crypto_sec_session_create(void *device, if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) return -ENOTSUP; + if (rte_security_dynfield_register() < 0) + return -rte_errno; + if (rte_mempool_get(mempool, (void **)&priv)) { otx2_err("Could not allocate security session private data"); return -ENOMEM; 
@@ -514,7 +517,7 @@ otx2_crypto_sec_set_pkt_mdata(void *device __rte_unused, struct rte_mbuf *m, void *params __rte_unused) { /* Set security session as the pkt metadata */ - m->udata64 = (uint64_t)session; + *rte_security_dynfield(m) = (RTE_SECURITY_DYNFIELD_TYPE)session; return 0; } diff --git a/drivers/net/ixgbe/ixgbe_ipsec.c b/drivers/net/ixgbe/ixgbe_ipsec.c index 48f5082d49..0232db20ed 100644 --- a/drivers/net/ixgbe/ixgbe_ipsec.c +++ b/drivers/net/ixgbe/ixgbe_ipsec.c @@ -484,7 +484,8 @@ ixgbe_crypto_update_mb(void *device __rte_unused, get_sec_session_private_data(session); if (ic_session->op == IXGBE_OP_AUTHENTICATED_ENCRYPTION) { union ixgbe_crypto_tx_desc_md *mdata = - (union ixgbe_crypto_tx_desc_md *)&m->udata64; + (union ixgbe_crypto_tx_desc_md *) + rte_security_dynfield(m); mdata->enc = 1; mdata->sa_idx = ic_session->sa_index; mdata->pad_len = ixgbe_crypto_compute_pad_len(m); @@ -751,5 +752,7 @@ ixgbe_ipsec_ctx_create(struct rte_eth_dev *dev) return -ENOMEM; } } + if (rte_security_dynfield_register() < 0) + return -rte_errno; return 0; } diff --git a/drivers/net/ixgbe/ixgbe_rxtx.c b/drivers/net/ixgbe/ixgbe_rxtx.c index 5f19972031..5e7ea001f3 100644 --- a/drivers/net/ixgbe/ixgbe_rxtx.c +++ b/drivers/net/ixgbe/ixgbe_rxtx.c @@ -34,6 +34,7 @@ #include #include #include +#include #include #include #include @@ -694,7 +695,7 @@ ixgbe_xmit_pkts(void *tx_queue, struct rte_mbuf **tx_pkts, if (use_ipsec) { union ixgbe_crypto_tx_desc_md *ipsec_mdata = (union ixgbe_crypto_tx_desc_md *) - &tx_pkt->udata64; + rte_security_dynfield(tx_pkt); tx_offload.sa_idx = ipsec_mdata->sa_idx; tx_offload.sec_pad_len = ipsec_mdata->pad_len; } @@ -859,7 +860,8 @@ ixgbe_xmit_pkts(void *tx_queue, struct rte_mbuf **tx_pkts, } ixgbe_set_xmit_ctx(txq, ctx_txd, tx_ol_req, - tx_offload, &tx_pkt->udata64); + tx_offload, + rte_security_dynfield(tx_pkt)); txe->last_id = tx_last; tx_id = txe->next_id; 
diff --git a/drivers/net/octeontx2/otx2_ethdev.h b/drivers/net/octeontx2/otx2_ethdev.h index b20f399a15..3b9871f4dc 100644 --- a/drivers/net/octeontx2/otx2_ethdev.h +++ b/drivers/net/octeontx2/otx2_ethdev.h @@ -13,6 +13,7 @@ #include #include #include +#include #include #include diff --git a/drivers/net/octeontx2/otx2_ethdev_sec.c b/drivers/net/octeontx2/otx2_ethdev_sec.c index 4e0dd4e49e..78c5bbeb99 100644 --- a/drivers/net/octeontx2/otx2_ethdev_sec.c +++ b/drivers/net/octeontx2/otx2_ethdev_sec.c @@ -684,7 +684,7 @@ otx2_eth_sec_set_pkt_mdata(void *device __rte_unused, struct rte_mbuf *m, void *params __rte_unused) { /* Set security session as the pkt metadata */ - m->udata64 = (uint64_t)session; + *rte_security_dynfield(m) = (RTE_SECURITY_DYNFIELD_TYPE)session; return 0; } @@ -831,6 +831,9 @@ otx2_eth_sec_init(struct rte_eth_dev *eth_dev) !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY)) return 0; + if (rte_security_dynfield_register() < 0) + return -rte_errno; + nb_sa = dev->ipsec_in_max_spi; mz_sz = nb_sa * sa_width; in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port); diff --git a/drivers/net/octeontx2/otx2_ethdev_sec_tx.h b/drivers/net/octeontx2/otx2_ethdev_sec_tx.h index 5bf8c19995..284bcd5367 100644 --- a/drivers/net/octeontx2/otx2_ethdev_sec_tx.h +++ b/drivers/net/octeontx2/otx2_ethdev_sec_tx.h @@ -55,7 +55,7 @@ otx2_sec_event_tx(struct otx2_ssogws *ws, struct rte_event *ev, struct nix_iova_s nix_iova; } *sd; - priv = get_sec_session_private_data((void *)(m->udata64)); + priv = get_sec_session_private_data((void *)(*rte_security_dynfield(m))); sess = &priv->ipsec.ip; sa = &sess->out_sa; diff --git a/drivers/net/octeontx2/otx2_rx.h b/drivers/net/octeontx2/otx2_rx.h index f29a0542f9..61a5c436dd 100644 --- a/drivers/net/octeontx2/otx2_rx.h +++ b/drivers/net/octeontx2/otx2_rx.h 
@@ -241,7 +241,7 @@ nix_rx_sec_mbuf_update(const struct nix_cqe_hdr_s *cq, struct rte_mbuf *m, spi = cq->tag & 0xFFFFF; sa = nix_rx_sec_sa_get(lookup_mem, spi, m->port); - m->udata64 = (uint64_t)sa->userdata; + *rte_security_dynfield(m) = sa->udata64; data = rte_pktmbuf_mtod(m, char *); diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index 2219148285..b68d1212ba 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -165,6 +165,8 @@ static uint32_t nb_lcores; static uint32_t single_sa; static uint32_t nb_bufs_in_pool; +int security_dynfield_offset; + /* * RX/TX HW offload capabilities to enable/use on ethernet ports. * By default all capabilities are enabled. @@ -426,7 +428,8 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) * with the security session. */ - if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD) { + if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD && + security_dynfield_offset >= 0) { struct ipsec_sa *sa; struct ipsec_mbuf_metadata *priv; struct rte_security_ctx *ctx = (struct rte_security_ctx *) @@ -436,10 +439,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) /* Retrieve the userdata registered. Here, the userdata * registered is the SA pointer. */ - - sa = (struct ipsec_sa *) - rte_security_get_userdata(ctx, pkt->udata64); - + sa = (struct ipsec_sa *) rte_security_get_userdata(ctx, + *RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset, + RTE_SECURITY_DYNFIELD_TYPE *)); if (sa == NULL) { /* userdata could not be retrieved */ return; @@ -2898,6 +2900,9 @@ main(int32_t argc, char **argv) } printf("Number of mbufs in packet pool %d\n", nb_bufs_in_pool); + security_dynfield_offset = + rte_mbuf_dynfield_lookup(RTE_SECURITY_DYNFIELD_NAME, NULL); + RTE_ETH_FOREACH_DEV(portid) { if ((enabled_port_mask & (1 << portid)) == 0) continue; diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index 7031e28c46..49cd6ce923 100644 
--- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -8,6 +8,7 @@ #include #include +#include #include #include #include @@ -67,6 +68,8 @@ struct ip_addr { #define MAX_KEY_SIZE 36 +extern int security_dynfield_offset; + /* * application wide SA parameters */ diff --git a/examples/ipsec-secgw/ipsec_worker.c b/examples/ipsec-secgw/ipsec_worker.c index b6c851f257..72f698893d 100644 --- a/examples/ipsec-secgw/ipsec_worker.c +++ b/examples/ipsec-secgw/ipsec_worker.c @@ -208,7 +208,8 @@ process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt, "Inbound security offload failed\n"); goto drop_pkt_and_exit; } - sa = pkt->userdata; + sa = RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset, + struct ipsec_sa *); } /* Check if we have a match */ @@ -226,7 +227,8 @@ process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt, "Inbound security offload failed\n"); goto drop_pkt_and_exit; } - sa = pkt->userdata; + sa = RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset, + struct ipsec_sa *); } /* Check if we have a match */ @@ -357,7 +359,8 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt, } if (sess->security.ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA) - pkt->userdata = sess->security.ses; + *RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset, + struct rte_security_session **) = sess->security.ses; /* Mark the packet for Tx security offload */ pkt->ol_flags |= PKT_TX_SEC_OFFLOAD; @@ -465,7 +468,9 @@ ipsec_wrkr_non_burst_int_port_drv_mode(struct eh_event_link_info *links, } /* Save security session */ - pkt->userdata = sess_tbl[port_id]; + *RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset, + struct rte_security_session **) = + sess_tbl[port_id]; /* Mark the packet for Tx security offload */ pkt->ol_flags |= PKT_TX_SEC_OFFLOAD; diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c index ee4666026a..9b5f9b72aa 100644 --- a/lib/librte_security/rte_security.c 
+++ b/lib/librte_security/rte_security.c @@ -23,6 +23,16 @@ RTE_PTR_OR_ERR_RET(p1->p2->p3, last_retval); \ } while (0) +int rte_security_dynfield_offset; + +int +rte_security_dynfield_register(void) +{ + rte_security_dynfield_offset = + rte_mbuf_dynfield_register(&rte_security_dynfield_desc); + return rte_security_dynfield_offset; +} + struct rte_security_session * rte_security_session_create(struct rte_security_ctx *instance, struct rte_security_session_conf *conf, diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index 271531af12..c3647151e5 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -451,6 +451,11 @@ int rte_security_session_destroy(struct rte_security_ctx *instance, struct rte_security_session *sess); +/** Device-specific metadata field name (for mbuf dynfield lookup) */ +#define RTE_SECURITY_DYNFIELD_NAME "rte_security_dynfield_metadata" +/** Device-specific metadata field type */ +#define RTE_SECURITY_DYNFIELD_TYPE uint64_t + /** * Updates the buffer with device-specific defined metadata * diff --git a/lib/librte_security/rte_security_driver.h b/lib/librte_security/rte_security_driver.h index 1b561f8528..ba9691b4a0 100644 --- a/lib/librte_security/rte_security_driver.h +++ b/lib/librte_security/rte_security_driver.h @@ -17,6 +17,8 @@ extern "C" { #endif +#include + #include "rte_security.h" /** 
@@ -89,6 +91,24 @@ typedef int (*security_session_stats_get_t)(void *device, struct rte_security_session *sess, struct rte_security_stats *stats); +/* Dynamic mbuf field for device-specific metadata */ +static const struct rte_mbuf_dynfield rte_security_dynfield_desc = { + .name = RTE_SECURITY_DYNFIELD_NAME, + .size = sizeof(RTE_SECURITY_DYNFIELD_TYPE), + .align = __alignof__(RTE_SECURITY_DYNFIELD_TYPE), +}; +extern int rte_security_dynfield_offset; + +__rte_experimental +int rte_security_dynfield_register(void); + +static inline RTE_SECURITY_DYNFIELD_TYPE * +rte_security_dynfield(struct rte_mbuf *mbuf) +{ + return RTE_MBUF_DYNFIELD(mbuf, + rte_security_dynfield_offset, RTE_SECURITY_DYNFIELD_TYPE *); +} + /** * Update the mbuf with provided metadata. * diff --git a/lib/librte_security/version.map b/lib/librte_security/version.map index d84eec0a88..22775558c8 100644 --- a/lib/librte_security/version.map +++ b/lib/librte_security/version.map @@ -15,6 +15,8 @@ DPDK_21 { EXPERIMENTAL { global: + rte_security_dynfield_offset; + rte_security_dynfield_register; rte_security_get_userdata; rte_security_session_stats_get; rte_security_session_update;
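
Review bot: Both hunks in doc/guides/prog_guide/rte_security.rst describe the metadata as living in the "RTE_SECURITY_DYNFIELD_NAME field", but RTE_SECURITY_DYNFIELD_NAME is the lookup string, not an mbuf member. The guide should say it is a dynamic mbuf field registered under that name, of type RTE_SECURITY_DYNFIELD_TYPE, and that an application locates it with rte_mbuf_dynfield_lookup(RTE_SECURITY_DYNFIELD_NAME, NULL), as the ipsec-secgw hunk in this patch does.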
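
Review bot: In nix_rx_sec_mbuf_update() (drivers/net/octeontx2/otx2_rx.h) the new right-hand side reads sa->udata64, while the removed line read sa->userdata, and no hunk in this patch adds or renames a udata64 member on the SA structure. This looks like a search-and-replace slip; unless that member exists elsewhere, the assignment should keep the old source, i.e. *rte_security_dynfield(m) = (uint64_t)sa->userdata;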
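
Review bot: In main() (examples/ipsec-secgw/ipsec-secgw.c) the return value of rte_mbuf_dynfield_lookup() is stored without being checked, and prepare_one_packet() then silently skips the SA retrieval for a packet flagged PKT_RX_SEC_OFFLOAD when the offset is negative. Registration happens inside the drivers (in otx2_crypto_sec_session_create() it happens at session creation), so this one-time lookup only works if it runs after that registration, which nothing in the hunk ensures. Please log or fail when the lookup returns a negative value while security offload is in use, or do the lookup after the ports and sessions are set up.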
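
Review bot: Both inbound reads in process_ipsec_ev_inbound() (examples/ipsec-secgw/ipsec_worker.c) are missing a dereference. RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset, struct ipsec_sa *) yields the address of the field inside the mbuf cast to struct ipsec_sa *, not the pointer stored in the field, so sa points into the mbuf and the match check that follows works on mbuf bytes. The outbound hunks in the same file use the *RTE_MBUF_DYNFIELD(..., T **) form; the reads should be sa = *RTE_MBUF_DYNFIELD(pkt, security_dynfield_offset, struct ipsec_sa **); These worker paths also use security_dynfield_offset without the >= 0 check that prepare_one_packet() gained.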
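
Review bot: rte_security_dynfield_offset in lib/librte_security/rte_security.c is defined without an initialiser, so it is 0 until a driver calls rte_security_dynfield_register(), and rte_security_dynfield() then returns a pointer to the first bytes of struct rte_mbuf. A metadata write made before registration would overwrite the head of the mbuf instead of failing visibly. Initialise it as int rte_security_dynfield_offset = -1; and consider having the accessor or its callers reject a negative offset, since a failed registration also leaves a negative value in the global.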
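
Review bot: rte_security_dynfield_desc is defined static const in lib/librte_security/rte_security_driver.h, so every file that includes the header gets its own copy although only rte_security_dynfield_register() in rte_security.c uses it; it can move into rte_security.c. The new rte_security_dynfield_register() and rte_security_dynfield() declarations also have no Doxygen comment stating when a driver must call the former and what the latter returns before registration. Because the accessor sits in the driver header, applications have to open-code RTE_MBUF_DYNFIELD with their own offset, as ipsec-secgw does in this patch; an accessor in rte_security.h would avoid that duplication.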