[v2,00/10] security: add software synchronous crypto process
Message ID | 20191007162850.60552-1-roy.fan.zhang@intel.com (mailing list archive) |
---|---|
Message
Fan Zhang
Oct. 7, 2019, 4:28 p.m. UTC
This RFC patch adds a way to rte_security to process symmetric crypto workload in bulk synchronously for SW crypto devices.

Originally both SW and HW crypto PMDs work under rte_cryptodev to process the crypto workload asynchronously. This way provides uniformity to both PMD types but also introduces unnecessary performance penalty to SW PMDs, such as extra SW ring enqueue/dequeue steps to "simulate" asynchronous working manner and unnecessary HW address computation.

We introduce a new way for SW crypto devices that performs crypto operations synchronously with only fields required for the computation as input.

In rte_security, a new action type "RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO" is introduced. This action type allows the burst of symmetric crypto workload using the same algorithm, key, and direction being processed by CPU cycles synchronously. This flexible action type does not require external hardware involvement.

This patch also includes the announcement of a new API "rte_security_process_cpu_crypto_bulk". With this API the packet is sent to the crypto device for symmetric crypto processing. The device will encrypt or decrypt the buffer based on the session data specified and preprocessed in the security session. Different from the inline or lookaside modes, when the function exits, the user will expect the buffers to be either processed successfully, or to have the error number assigned to the appropriate index of the status array.

The proof-of-concept AESNI-GCM and AESNI-MB SW PMDs are updated with the support of this new method. To demonstrate the performance gain with this method, 2 simple performance evaluation apps under unit-test are added: "app/test: security_aesni_gcm_perftest/security_aesni_mb_perftest". The users can freely compare their results against crypto perf application results.

In the end, the ipsec library and ipsec-secgw sample application are also updated to support this feature. Several test scripts are added to the ipsec-secgw test-suite to prove the correctness of the implementation.

v2:
- changed API return from "void" to "int"
- rework on ipsec library implementation.
- fixed bugs in aesni-mb PMD.
- fixed bugs in ipsec-secgw application.

Fan Zhang (10):
  security: introduce CPU Crypto action type and API
  crypto/aesni_gcm: add rte_security handler
  app/test: add security cpu crypto autotest
  app/test: add security cpu crypto perftest
  crypto/aesni_mb: add rte_security handler
  app/test: add aesni_mb security cpu crypto autotest
  app/test: add aesni_mb security cpu crypto perftest
  ipsec: add rte_security cpu_crypto action support
  examples/ipsec-secgw: add security cpu_crypto action support
  doc: update security cpu process description

 app/test/Makefile | 1 +
 app/test/meson.build | 1 +
 app/test/test_security_cpu_crypto.c | 1326 ++++++++++++++++++++
 doc/guides/cryptodevs/aesni_gcm.rst | 6 +
 doc/guides/cryptodevs/aesni_mb.rst | 7 +
 doc/guides/prog_guide/rte_security.rst | 112 +-
 doc/guides/rel_notes/release_19_11.rst | 7 +
 drivers/crypto/aesni_gcm/aesni_gcm_pmd.c | 97 +-
 drivers/crypto/aesni_gcm/aesni_gcm_pmd_ops.c | 95 ++
 drivers/crypto/aesni_gcm/aesni_gcm_pmd_private.h | 23 +
 drivers/crypto/aesni_gcm/meson.build | 2 +-
 drivers/crypto/aesni_mb/meson.build | 2 +-
 drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c | 368 +++++-
 drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c | 92 +-
 drivers/crypto/aesni_mb/rte_aesni_mb_pmd_private.h | 21 +-
 examples/ipsec-secgw/ipsec.c | 35 +
 examples/ipsec-secgw/ipsec_process.c | 7 +-
 examples/ipsec-secgw/sa.c | 13 +-
 examples/ipsec-secgw/test/run_test.sh | 10 +
 .../test/trs_3descbc_sha1_common_defs.sh | 8 +-
 .../test/trs_3descbc_sha1_cpu_crypto_defs.sh | 5 +
 .../test/trs_aescbc_sha1_common_defs.sh | 8 +-
 .../test/trs_aescbc_sha1_cpu_crypto_defs.sh | 5 +
 .../test/trs_aesctr_sha1_common_defs.sh | 8 +-
 .../test/trs_aesctr_sha1_cpu_crypto_defs.sh | 5 +
 .../ipsec-secgw/test/trs_aesgcm_cpu_crypto_defs.sh | 5 +
 .../test/trs_aesgcm_mb_cpu_crypto_defs.sh | 7 +
 .../test/tun_3descbc_sha1_common_defs.sh | 8 +-
 .../test/tun_3descbc_sha1_cpu_crypto_defs.sh | 5 +
 .../test/tun_aescbc_sha1_common_defs.sh | 8 +-
 .../test/tun_aescbc_sha1_cpu_crypto_defs.sh | 5 +
 .../test/tun_aesctr_sha1_common_defs.sh | 8 +-
 .../test/tun_aesctr_sha1_cpu_crypto_defs.sh | 5 +
 .../ipsec-secgw/test/tun_aesgcm_cpu_crypto_defs.sh | 5 +
 .../test/tun_aesgcm_mb_cpu_crypto_defs.sh | 7 +
 lib/librte_ipsec/crypto.h | 24 +
 lib/librte_ipsec/esp_inb.c | 200 ++-
 lib/librte_ipsec/esp_outb.c | 369 +++++-
 lib/librte_ipsec/sa.c | 53 +-
 lib/librte_ipsec/sa.h | 29 +
 lib/librte_ipsec/ses.c | 4 +-
 lib/librte_security/rte_security.c | 11 +
 lib/librte_security/rte_security.h | 53 +-
 lib/librte_security/rte_security_driver.h | 22 +
 lib/librte_security/rte_security_version.map | 1 +
 45 files changed, 2994 insertions(+), 99 deletions(-)
 create mode 100644 app/test/test_security_cpu_crypto.c
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_cpu_crypto_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_cpu_crypto_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_cpu_crypto_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_cpu_crypto_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_mb_cpu_crypto_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_cpu_crypto_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_cpu_crypto_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_cpu_crypto_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_cpu_crypto_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_mb_cpu_crypto_defs.sh
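
Added example, not part of this patch series or of DPDK: a self-contained C model of the caller-side contract the cover letter describes, where a synchronous bulk call returns with a final per-buffer result in the status array and only buffers with status 0 may be forwarded. The struct, the function names, the XOR "tag" and the meaning of the int return value are all assumptions made for illustration; the real signature of rte_security_process_cpu_crypto_bulk is not shown on this page.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for one buffer of a burst; not a DPDK type. */
struct buf { const uint8_t *data; size_t len; uint8_t tag; };

/* Placeholder integrity check (XOR of all bytes). NOT cryptography. */
static uint8_t toy_tag(const uint8_t *p, size_t n)
{
    uint8_t t = 0;
    while (n--)
        t ^= *p++;
    return t;
}

/* Mock synchronous bulk call: when it returns, every status[i] is final.
 * Returning the success count is an assumption of this example. */
static int mock_process_bulk(const struct buf b[], int status[], uint32_t num)
{
    int ok = 0;
    for (uint32_t i = 0; i < num; i++) {
        if (b[i].data == NULL || b[i].len == 0)
            status[i] = -EINVAL;
        else if (toy_tag(b[i].data, b[i].len) != b[i].tag)
            status[i] = -EBADMSG;
        else
            status[i] = 0;
        ok += (status[i] == 0);
    }
    return ok;
}

/* Constructed burst: valid, tampered, empty, valid. Compacts the burst so
 * only buffers with status 0 are forwarded; returns how many were kept. */
uint32_t demo_burst(int status[4], uint32_t *dropped)
{
    static const uint8_t a[] = {1, 2, 3}, t[] = {1, 2, 4}, c[] = {0xAA, 0x55};
    struct buf b[4] = {{a, 3, 0}, {t, 3, 0}, {NULL, 0, 0}, {c, 2, 0xFF}};
    uint32_t kept = 0;
    int ok = mock_process_bulk(b, status, 4);
    for (uint32_t i = 0; i < 4; i++)
        if (status[i] == 0)
            b[kept++] = b[i];
    *dropped = 4 - kept;
    return ok == (int)kept ? kept : UINT32_MAX;
}

int main(void) { int s[4]; uint32_t d; printf("kept=%u\n", (unsigned)demo_burst(s, &d)); return 0; }
```

The point for an IPsec data path is that the aggregate return value alone is not enough: a buffer whose entry in the status array is non-zero (for example a failed integrity check on the inbound side) has to be dropped individually before the burst moves on.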