From patchwork Tue Oct 10 10:32:11 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anoob Joseph X-Patchwork-Id: 132459 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 7523F4234B; Tue, 10 Oct 2023 12:32:21 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 1952940297; Tue, 10 Oct 2023 12:32:21 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 6211240278 for ; Tue, 10 Oct 2023 12:32:19 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 39A94nbe014803; Tue, 10 Oct 2023 03:32:18 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=l8V2axBVipxecwTpQmMa1yvVcG2RUiKcdTn20IrWU8o=; b=UTELywLTXkymArFbSUPpGtcqTDl5cbBRtVcvq9cONmf6B1C5sLrHFVAOI0HEQKhlI3pq Arfl7qfr7tAVqBjVT3a+Glx/j916wr9sQQJI1SJPrEmT0Pem5TbKTQDyR24gEeUCwikB MybcMMQmWiu89D9QY6MwM2mz2qKjmbyqPq80wQqPoZe3BTI8zVf27cX94RpycmXPIZ3q 80j1GKW9js3iSFLAXqd+toHc7+YRS0dreUHFndqINPRTLQGgDEF2P8D1W6HRMlMElewQ 54daBsvG7Q2pl8DL9PZkFDkdSegmozVVCjxNljL7B8g7V5IJr1EIvHtCCHjuLA1vU4jz UQ== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3tkh7cfu9x-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 10 Oct 2023 03:32:18 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Tue, 10 Oct 2023 03:32:16 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.48 via Frontend Transport; Tue, 10 Oct 2023 03:32:16 -0700 Received: from BG-LT92004.corp.innovium.com (unknown [10.28.163.189]) by maili.marvell.com (Postfix) with ESMTP id AD4873F70A8; Tue, 10 Oct 2023 03:32:12 -0700 (PDT) From: Anoob Joseph To: Akhil Goyal , Jerin Jacob , Konstantin Ananyev CC: Hemant Agrawal , , "Vidya Sagar Velumuri" , , , , Ciara Power Subject: [PATCH v4 1/2] security: add fallback security processing and Rx inject Date: Tue, 10 Oct 2023 16:02:11 +0530 Message-ID: <20231010103212.1900-1-anoobj@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230929153929.939-1-anoobj@marvell.com> References: <20230929153929.939-1-anoobj@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: wTjAbZjeLqLfTg1dQSKVbOEuzE4uy5FK X-Proofpoint-ORIG-GUID: wTjAbZjeLqLfTg1dQSKVbOEuzE4uy5FK X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.267,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-10-10_05,2023-10-10_01,2023-05-22_02 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Add alternate datapath API for security processing which would do Rx injection (similar to loopback) after successful security processing. With inline protocol offload, variable part of the session context (AR windows, lifetime etc in case of IPsec), is not accessible to the application. If packets are not getting processed in the inline path due to non security reasons (such as outer fragmentation or rte_flow packet steering limitations), then the packet cannot be security processed as the session context is private to the PMD and security library doesn't provide alternate APIs to make use of the same session. Introduce new API and Rx injection as fallback mechanism to security processing failures due to non-security reasons. For example, when there is outer fragmentation and PMD doesn't support reassembly of outer fragments, application would receive fragments which it can then reassemble. Post successful reassembly, packet can be submitted for security processing and Rx inject. The packets can be then received in the application as normal inline protocol processed packets. Same API can be leveraged in lookaside protocol offload mode to inject packet to Rx. This would help in using rte_flow based packet parsing after security processing. For example, with IPsec, this will help in flow splitting after IPsec processing is done. In both inline protocol capable ethdevs and lookaside protocol capable cryptodevs, the packet would be received back in eth port & queue based on rte_flow rules and packet parsing after security processing. The API would behave like a loopback but with the additional security processing. Signed-off-by: Anoob Joseph Signed-off-by: Vidya Sagar Velumuri Acked-by: Akhil Goyal --- v4: Updated release notes v3: * Resolved compilation error with 32 bit build v2: * Added a new API for configuring security device to do Rx inject to a specific ethdev port * Rebased doc/guides/cryptodevs/features/default.ini | 1 + doc/guides/rel_notes/release_23_11.rst | 19 +++++ lib/cryptodev/rte_cryptodev.h | 2 + lib/security/rte_security.c | 22 ++++++ lib/security/rte_security.h | 85 ++++++++++++++++++++++ lib/security/rte_security_driver.h | 44 +++++++++++ lib/security/version.map | 3 + 7 files changed, 176 insertions(+) diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini index 6f637fa7e2..f411d4bab7 100644 --- a/doc/guides/cryptodevs/features/default.ini +++ b/doc/guides/cryptodevs/features/default.ini @@ -34,6 +34,7 @@ Sym raw data path API = Cipher multiple data units = Cipher wrapped key = Inner checksum = +Rx inject = ; ; Supported crypto algorithms of a default crypto driver. diff --git a/doc/guides/rel_notes/release_23_11.rst b/doc/guides/rel_notes/release_23_11.rst index be51f00dbf..6853c907c9 100644 --- a/doc/guides/rel_notes/release_23_11.rst +++ b/doc/guides/rel_notes/release_23_11.rst @@ -107,6 +107,25 @@ New Features enhancements to ``rte_crypto_op`` fields to handle all datapath requirements of TLS and DTLS. The support is added for TLS 1.2, TLS 1.3 and DTLS 1.2. +* **Added support for rte_security Rx inject API.** + + Added Rx inject API to allow applications to submit packets for protocol + offload and have them injected back to ethdev Rx so that further ethdev Rx + actions (IP reassembly, packet parsing and flow lookups) can happen based on + inner packet. + + The API when implemented by an ethdev, may be used to process packets that the + application wants to process with inline protocol offload enabled rte_security + session. These can be packets that are received from other non-inline capable + ethdevs or can be packets that failed inline protocol offload (such as + receiving fragmented ESP packets in case of inline IPsec offload). + + The API when implemented by a cryptodev, can be used for injecting packets to + ethdev Rx after IPsec processing and take advantage of ethdev Rx processing + for the inner packet. The API helps application to avail ethdev Rx actions + based on inner packet while working with rte_security sessions which cannot + be accelerated in inline protocol offload mode. + * **Updated ipsec_mb crypto driver.** Added support for digest encrypted to AESNI_MB asynchronous crypto driver. diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h index 6c8f532797..be0698ce9f 100644 --- a/lib/cryptodev/rte_cryptodev.h +++ b/lib/cryptodev/rte_cryptodev.h @@ -559,6 +559,8 @@ rte_cryptodev_asym_get_xform_string(enum rte_crypto_asym_xform_type xform_enum); /**< Support wrapped key in cipher xform */ #define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM (1ULL << 27) /**< Support inner checksum computation/verification */ +#define RTE_CRYPTODEV_FF_SECURITY_RX_INJECT (1ULL << 28) +/**< Support Rx injection after security processing */ /** * Get the name of a crypto device feature flag diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c index 04872ec1a0..b082a29029 100644 --- a/lib/security/rte_security.c +++ b/lib/security/rte_security.c @@ -325,6 +325,28 @@ rte_security_capability_get(void *ctx, struct rte_security_capability_idx *idx) return NULL; } +int +rte_security_rx_inject_configure(void *ctx, uint16_t port_id, bool enable) +{ + struct rte_security_ctx *instance = ctx; + + RTE_PTR_OR_ERR_RET(instance, -EINVAL); + RTE_PTR_OR_ERR_RET(instance->ops, -ENOTSUP); + RTE_PTR_OR_ERR_RET(instance->ops->rx_inject_configure, -ENOTSUP); + + return instance->ops->rx_inject_configure(instance->device, port_id, enable); +} + +uint16_t +rte_security_inb_pkt_rx_inject(void *ctx, struct rte_mbuf **pkts, void **sess, + uint16_t nb_pkts) +{ + struct rte_security_ctx *instance = ctx; + + return instance->ops->inb_pkt_rx_inject(instance->device, pkts, + (struct rte_security_session **)sess, nb_pkts); +} + static int security_handle_cryptodev_list(const char *cmd __rte_unused, const char *params __rte_unused, diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 8279bed013..181aa28f5e 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -1455,6 +1455,91 @@ const struct rte_security_capability * rte_security_capability_get(void *instance, struct rte_security_capability_idx *idx); +/** + * @warning + * @b EXPERIMENTAL: this API may change, or be removed, without prior notice + * + * Configure security device to inject packets to an ethdev port. + * + * This API must be called only when both security device and the ethdev is in + * stopped state. The security device need to be configured before any packets + * are submitted to ``rte_security_inb_pkt_rx_inject`` API. + * + * @param ctx Security ctx + * @param port_id Port identifier of the ethernet device to which + * packets need to be injected. + * @param enable Flag to enable and disable connection between a + * security device and an ethdev port. + * @return + * - 0 if successful. + * - -EINVAL if context NULL or port_id is invalid. + * - -EBUSY if devices are not in stopped state. + * - -ENOTSUP if security device does not support injecting to the ethdev + * port. + * + * @see rte_security_inb_pkt_rx_inject + */ +__rte_experimental +int +rte_security_rx_inject_configure(void *ctx, uint16_t port_id, bool enable); + +/** + * @warning + * @b EXPERIMENTAL: this API may change, or be removed, without prior notice + * + * Perform security processing of packets and inject the processed packet to + * ethdev Rx. + * + * Rx inject would behave similarly to ethdev loopback but with the additional + * security processing. In case of ethdev loopback, application would be + * submitting packets to ethdev Tx queues and would be received as is from + * ethdev Rx queues. With Rx inject, packets would be received after security + * processing from ethdev Rx queues. + * + * With inline protocol offload capable ethdevs, Rx injection can be used to + * handle packets which failed the regular security Rx path. This can be due to + * cases such as outer fragmentation, in which case applications can reassemble + * the fragments and then subsequently submit for inbound processing and Rx + * injection, so that packets are received as regular security processed + * packets. + * + * With lookaside protocol offload capable cryptodevs, Rx injection can be used + * to perform packet parsing after security processing. This would allow for + * re-classification after security protocol processing is done (ie, inner + * packet parsing). The ethdev queue on which the packet would be received would + * be based on rte_flow rules matching the packet after security processing. + * + * The security device which is injecting packets to ethdev Rx need to be + * configured using ``rte_security_rx_inject_configure`` with enable flag set + * to `true` before any packets are submitted. + * + * If `hash.fdir.h` field is set in mbuf, it would be treated as the value for + * `MARK` pattern for the subsequent rte_flow parsing. The packet would appear + * as if it is received from `port` field in mbuf. + * + * Since the packet would be received back from ethdev Rx queues, it is expected + * that application retains/adds L2 header with the mbuf field 'l2_len' + * reflecting the size of L2 header in the packet. + * + * @param ctx Security ctx + * @param pkts The address of an array of *nb_pkts* pointers to + * *rte_mbuf* structures which contain the packets. + * @param sess The address of an array of *nb_pkts* pointers to + * security sessions corresponding to each packet. + * @param nb_pkts The maximum number of packets to process. + * + * @return + * The number of packets successfully injected to ethdev Rx. The return + * value can be less than the value of the *nb_pkts* parameter when the + * PMD internal queues have been filled up. + * + * @see rte_security_rx_inject_configure + */ +__rte_experimental +uint16_t +rte_security_inb_pkt_rx_inject(void *ctx, struct rte_mbuf **pkts, void **sess, + uint16_t nb_pkts); + #ifdef __cplusplus } #endif diff --git a/lib/security/rte_security_driver.h b/lib/security/rte_security_driver.h index e5e1c4cfe8..62664dacdb 100644 --- a/lib/security/rte_security_driver.h +++ b/lib/security/rte_security_driver.h @@ -257,6 +257,46 @@ typedef int (*security_set_pkt_metadata_t)(void *device, typedef const struct rte_security_capability *(*security_capabilities_get_t)( void *device); +/** + * Configure security device to inject packets to an ethdev port. + * + * @param device Crypto/eth device pointer + * @param port_id Port identifier of the ethernet device to which packets need to be + * injected. + * @param enable Flag to enable and disable connection between a security device and + * an ethdev port. + * @return + * - 0 if successful. + * - -EINVAL if context NULL or port_id is invalid. + * - -EBUSY if devices are not in stopped state. + * - -ENOTSUP if security device does not support injecting to the ethdev port. + */ +typedef int (*security_rx_inject_configure)(void *device, uint16_t port_id, bool enable); + +/** + * Perform security processing of packets and inject the processed packet to + * ethdev Rx. + * + * Rx inject would behave similarly to ethdev loopback but with the additional + * security processing. + * + * @param device Crypto/eth device pointer + * @param pkts The address of an array of *nb_pkts* pointers to + * *rte_mbuf* structures which contain the packets. + * @param sess The address of an array of *nb_pkts* pointers to + * *rte_security_session* structures corresponding + * to each packet. + * @param nb_pkts The maximum number of packets to process. + * + * @return + * The number of packets successfully injected to ethdev Rx. The return + * value can be less than the value of the *nb_pkts* parameter when the + * PMD internal queues have been filled up. + */ +typedef uint16_t (*security_inb_pkt_rx_inject)(void *device, + struct rte_mbuf **pkts, struct rte_security_session **sess, + uint16_t nb_pkts); + /** Security operations function pointer table */ struct rte_security_ops { security_session_create_t session_create; @@ -285,6 +325,10 @@ struct rte_security_ops { /**< Get MACsec SC statistics. */ security_macsec_sa_stats_get_t macsec_sa_stats_get; /**< Get MACsec SA statistics. */ + security_rx_inject_configure rx_inject_configure; + /**< Rx inject configure. */ + security_inb_pkt_rx_inject inb_pkt_rx_inject; + /**< Perform security processing and do Rx inject. */ }; #ifdef __cplusplus diff --git a/lib/security/version.map b/lib/security/version.map index 86f976a302..e07fca33a1 100644 --- a/lib/security/version.map +++ b/lib/security/version.map @@ -24,6 +24,9 @@ EXPERIMENTAL { rte_security_session_stats_get; rte_security_session_update; rte_security_oop_dynfield_offset; + + rte_security_rx_inject_configure; + rte_security_inb_pkt_rx_inject; }; INTERNAL {