From patchwork Thu Jun 24 10:28:47 2021
X-Patchwork-Submitter: Akhil Goyal
X-Patchwork-Id: 94791
X-Patchwork-Delegate: gakhil@marvell.com
From: Akhil Goyal
Date: Thu, 24 Jun 2021 15:58:47 +0530
Message-ID: <20210624102848.3878788-1-gakhil@marvell.com>
Subject: [dpdk-dev] [PATCH 1/2] security: enforce semantics for Tx inline processing
List-Id: DPDK patches and discussions

From: Nithin Dabilpuram

For Tx inline processing, when RTE_SECURITY_TX_OLOAD_NEED_MDATA is set, rte_security_set_pkt_metadata() needs to be called for pkts to associate a Security session with a mbuf before submitting to Ethdev Tx. This is apart from setting PKT_TX_SEC_OFFLOAD in mbuf.ol_flags. rte_security_set_pkt_metadata() is also used to set some opaque metadata in mbuf for PMD's use.

This patch updates documentation that rte_security_set_pkt_metadata() should be called only with mbuf containing Layer 3 and above data. This behaviour is consistent with existing PMDs such as ixgbe.

On Tx, not all net PMDs/HW can parse packet and identify L2 header and L3 header locations on Tx. This is in line with other Tx offloads requirements such as L3 checksum, L4 checksum offload, etc., where mbuf.l2_len, mbuf.l3_len etc. need to be set for HW to be able to generate checksum. Since Inline IPSec is also such a Tx offload, some PMDs at least need mbuf.l2_len to be valid to find L3 header and perform Outbound IPSec processing.

Hence, this patch updates documentation to enforce setting mbuf.l2_len while setting PKT_TX_SEC_OFFLOAD in mbuf.ol_flags for Inline IPSec Crypto / Protocol offload processing to work on Tx.

Signed-off-by: Nithin Dabilpuram
Reviewed-by: Akhil Goyal
--- doc/guides/nics/features.rst | 2 ++ doc/guides/prog_guide/rte_security.rst | 6 +++++- lib/mbuf/rte_mbuf_core.h | 2 ++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/doc/guides/nics/features.rst b/doc/guides/nics/features.rst index 403c2b03a..414baf14f 100644 --- a/doc/guides/nics/features.rst +++ b/doc/guides/nics/features.rst 
@@ -430,6 +430,7 @@ of protocol operations. See Security library and PMD documentation for more deta * **[uses] rte_eth_rxconf,rte_eth_rxmode**: ``offloads:DEV_RX_OFFLOAD_SECURITY``, * **[uses] rte_eth_txconf,rte_eth_txmode**: ``offloads:DEV_TX_OFFLOAD_SECURITY``. +* **[uses] mbuf**: ``mbuf.l2_len``. * **[implements] rte_security_ops**: ``session_create``, ``session_update``, ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata``, ``capabilities_get``. * **[provides] rte_eth_dev_info**: ``rx_offload_capa,rx_queue_offload_capa:DEV_RX_OFFLOAD_SECURITY``, @@ -451,6 +452,7 @@ protocol operations. See security library and PMD documentation for more details * **[uses] rte_eth_rxconf,rte_eth_rxmode**: ``offloads:DEV_RX_OFFLOAD_SECURITY``, * **[uses] rte_eth_txconf,rte_eth_txmode**: ``offloads:DEV_TX_OFFLOAD_SECURITY``. +* **[uses] mbuf**: ``mbuf.l2_len``. * **[implements] rte_security_ops**: ``session_create``, ``session_update``, ``session_stats_get``, ``session_destroy``, ``set_pkt_metadata``, ``get_userdata``, ``capabilities_get``. diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst index f72bc8a78..7b68c698d 100644 --- a/doc/guides/prog_guide/rte_security.rst +++ b/doc/guides/prog_guide/rte_security.rst 
@@ -560,7 +560,11 @@ created by the application is attached to the security session by the API For Inline Crypto and Inline protocol offload, device specific defined metadata is updated in the mbuf using ``rte_security_set_pkt_metadata()`` if -``DEV_TX_OFFLOAD_SEC_NEED_MDATA`` is set. +``RTE_SECURITY_TX_OLOAD_NEED_MDATA`` is set. ``rte_security_set_pkt_metadata()`` +should be called on mbuf only with Layer 3 and above data present and +``mbuf.data_off`` should be pointing to Layer 3 Header. Once called, +Layer 3 and above data cannot be modified or moved around unless +``rte_security_set_pkt_metadata()`` is called again. For inline protocol offloaded ingress traffic, the application can register a pointer, ``userdata`` , in the security session. When the packet is received, diff --git a/lib/mbuf/rte_mbuf_core.h b/lib/mbuf/rte_mbuf_core.h index bb38d7f58..9d8e3ddc8 100644 --- a/lib/mbuf/rte_mbuf_core.h +++ b/lib/mbuf/rte_mbuf_core.h 
@@ -228,6 +228,8 @@ extern "C" { /** * Request security offload processing on the TX packet. + * To use Tx security offload, the user needs to fill l2_len in mbuf + * indicating L2 header size and where L3 header starts. */ #define PKT_TX_SEC_OFFLOAD (1ULL << 43) 

From patchwork Thu Jun 24 10:28:48 2021
X-Patchwork-Submitter: Akhil Goyal
X-Patchwork-Id: 94792
X-Patchwork-Delegate: gakhil@marvell.com
From: Akhil Goyal
Date: Thu, 24 Jun 2021 15:58:48 +0530
Message-ID: <20210624102848.3878788-2-gakhil@marvell.com>
In-Reply-To: <20210624102848.3878788-1-gakhil@marvell.com>
References: <20210624102848.3878788-1-gakhil@marvell.com>
Subject: [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: modify event mode inline path
List-Id: DPDK patches and discussions

From: Nithin Dabilpuram

Align event mode path for Tx inline IPsec processing to adhere to security spec. Call rte_security_set_pkt_metadata() only with mbuf containing L3 header and above. Also update mbuf.l2_len with L2 header size.

This patch also fixes a bug in arg parsing.

Signed-off-by: Nithin Dabilpuram Reviewed-by: Akhil Goyal --- examples/ipsec-secgw/ipsec-secgw.c | 2 ++ examples/ipsec-secgw/ipsec_worker.c | 50 +++++++++++++++++++++-------- 2 files changed, 38 insertions(+), 14 deletions(-) diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index f252d3498..7ad94cb82 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -1495,6 +1495,8 @@ parse_portmask(const char *portmask) char *end = NULL; unsigned long pm; + errno = 0; + /* parse hexadecimal string */ pm = strtoul(portmask, &end, 16); if ((portmask[0] == '\0') || (end == NULL) || (*end != '\0')) diff --git a/examples/ipsec-secgw/ipsec_worker.c b/examples/ipsec-secgw/ipsec_worker.c index 647e22df5..401fd6186 100644 --- a/examples/ipsec-secgw/ipsec_worker.c +++ b/examples/ipsec-secgw/ipsec_worker.c @@ -12,6 +12,11 @@ #include "ipsec-secgw.h" #include "ipsec_worker.h" +struct port_drv_mode_data { + struct rte_security_session *sess; + struct rte_security_ctx *ctx; +}; + static inline enum pkt_type process_ipsec_get_pkt_type(struct rte_mbuf *pkt, uint8_t **nlp) { @@ -43,6 +48,8 @@ update_mac_addrs(struct rte_mbuf *pkt, uint16_t portid) { struct rte_ether_hdr *ethhdr; + pkt->l2_len = RTE_ETHER_HDR_LEN; + ethhdr = rte_pktmbuf_mtod(pkt, struct rte_ether_hdr *); memcpy(ðhdr->s_addr, ðaddr_tbl[portid].src, RTE_ETHER_ADDR_LEN); memcpy(ðhdr->d_addr, ðaddr_tbl[portid].dst, RTE_ETHER_ADDR_LEN); @@ -60,7 +67,8 @@ ipsec_event_pre_forward(struct rte_mbuf *m, unsigned int port_id) static inline void prepare_out_sessions_tbl(struct sa_ctx *sa_out, - struct rte_security_session **sess_tbl, uint16_t size) + struct port_drv_mode_data *data, + uint16_t size) { struct rte_ipsec_session *pri_sess; struct ipsec_sa *sa; 
@@ -95,9 +103,10 @@ prepare_out_sessions_tbl(struct sa_ctx *sa_out, } /* Use only first inline session found for a given port */ - if (sess_tbl[sa->portid]) + if (data[sa->portid].sess) continue; - sess_tbl[sa->portid] = pri_sess->security.ses; + data[sa->portid].sess = pri_sess->security.ses; + data[sa->portid].ctx = pri_sess->security.ctx; } } @@ -356,9 +365,11 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt, goto drop_pkt_and_exit; } - if (sess->security.ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA) - *(struct rte_security_session **)rte_security_dynfield(pkt) = - sess->security.ses; + /* Remove L2 header before metadata set */ + rte_pktmbuf_adj(pkt, RTE_ETHER_HDR_LEN); + + rte_security_set_pkt_metadata(sess->security.ctx, + sess->security.ses, pkt, NULL); /* Mark the packet for Tx security offload */ pkt->ol_flags |= PKT_TX_SEC_OFFLOAD; @@ -366,6 +377,9 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt, /* Get the port to which this pkt need to be submitted */ port_id = sa->portid; + /* Add L2 header for processing */ + rte_pktmbuf_prepend(pkt, RTE_ETHER_HDR_LEN); + send_pkt: /* Update mac addresses */ update_mac_addrs(pkt, port_id); @@ -398,7 +412,7 @@ static void ipsec_wrkr_non_burst_int_port_drv_mode(struct eh_event_link_info *links, uint8_t nb_links) { - struct rte_security_session *sess_tbl[RTE_MAX_ETHPORTS] = { NULL }; + struct port_drv_mode_data data[RTE_MAX_ETHPORTS]; unsigned int nb_rx = 0; struct rte_mbuf *pkt; struct rte_event ev; @@ -412,6 +426,8 @@ ipsec_wrkr_non_burst_int_port_drv_mode(struct eh_event_link_info *links, return; } + memset(&data, 0, sizeof(struct port_drv_mode_data)); + /* Get core ID */ lcore_id = rte_lcore_id(); 
@@ -422,8 +438,8 @@ ipsec_wrkr_non_burst_int_port_drv_mode(struct eh_event_link_info *links, * Prepare security sessions table. In outbound driver mode * we always use first session configured for a given port */ - prepare_out_sessions_tbl(socket_ctx[socket_id].sa_out, sess_tbl, - RTE_MAX_ETHPORTS); + prepare_out_sessions_tbl(socket_ctx[socket_id].sa_out, data, + RTE_MAX_ETHPORTS); RTE_LOG(INFO, IPSEC, "Launching event mode worker (non-burst - Tx internal port - " @@ -460,19 +476,25 @@ ipsec_wrkr_non_burst_int_port_drv_mode(struct eh_event_link_info *links, if (!is_unprotected_port(port_id)) { - if (unlikely(!sess_tbl[port_id])) { + if (unlikely(!data[port_id].sess)) { rte_pktmbuf_free(pkt); continue; } + /* Remove L2 header before metadata set */ + rte_pktmbuf_adj(pkt, RTE_ETHER_HDR_LEN); + /* Save security session */ - if (rte_security_dynfield_is_registered()) - *(struct rte_security_session **) - rte_security_dynfield(pkt) = - sess_tbl[port_id]; + rte_security_set_pkt_metadata(data[port_id].ctx, + data[port_id].sess, pkt, + NULL); /* Mark the packet for Tx security offload */ pkt->ol_flags |= PKT_TX_SEC_OFFLOAD; + + /* Add L2 header for processing */ + rte_pktmbuf_prepend(pkt, RTE_ETHER_HDR_LEN); + pkt->l2_len = RTE_ETHER_HDR_LEN; } /*
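
Review bot: In patch 1/2, doc/guides/prog_guide/rte_security.rst (hunk @@ -560,7 +560,11 @@), the new calling rule for rte_security_set_pkt_metadata() is added only to the programmer's guide; the diffstat lists features.rst, rte_security.rst and rte_mbuf_core.h, so the API comment on the function itself is not updated. Please add the same requirement there (mbuf holds Layer 3 and above data, mbuf.data_off points to the Layer 3 header, call again after modifying or moving that data), and state that the L2 header is added afterwards with mbuf.l2_len set, which is what the rte_mbuf_core.h hunk asks of the user.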
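
Review bot: In patch 2/2, examples/ipsec-secgw/ipsec-secgw.c (hunk @@ -1495,6 +1495,8 @@, parse_portmask()), the added "errno = 0;" is unrelated to the inline Tx change and is described only as "fixes a bug in arg parsing". Please split it into its own patch with a Fixes: tag and a description of the failure, so it can be reviewed and backported independently. The check visible after strtoul() tests only portmask[0], end and *end; confirm that the errno test relying on this reset is in the lines not shown.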
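
Review bot: In patch 2/2, examples/ipsec-secgw/ipsec_worker.c (hunk @@ -356,9 +365,11 @@, process_ipsec_ev_outbound()), the test of sess->security.ol_flags against RTE_SECURITY_TX_OLOAD_NEED_MDATA is dropped and rte_security_set_pkt_metadata() is now called unconditionally with its return value ignored. Patch 1/2 documents the call as needed when that flag is set, so either keep the flag check or explain in the commit message why the example always calls it. In both cases check the return value and take the existing drop_pkt_and_exit path on failure rather than going on to set PKT_TX_SEC_OFFLOAD.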
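
Review bot: In patch 2/2, examples/ipsec-secgw/ipsec_worker.c (hunk @@ -412,6 +426,8 @@), the memset clears only the first element of the array: "memset(&data, 0, sizeof(struct port_drv_mode_data));" while data is declared as "struct port_drv_mode_data data[RTE_MAX_ETHPORTS];" and the old "= { NULL }" initializer is removed. The remaining entries are left indeterminate, so the "if (data[sa->portid].sess) continue;" test in prepare_out_sessions_tbl() can skip a port that has no session yet, and the worker's "!data[port_id].sess" check can pass with a garbage pointer that is then handed to rte_security_set_pkt_metadata(). Use sizeof(data), or keep a zero initializer on the declaration.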
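
Review bot: In patch 2/2, examples/ipsec-secgw/ipsec_worker.c (hunk @@ -460,19 +476,25 @@, driver-mode loop), the result of rte_pktmbuf_adj(pkt, RTE_ETHER_HDR_LEN) is not checked. rte_pktmbuf_adj() returns NULL and leaves the mbuf unchanged when the first segment is shorter than the requested length, and the following rte_pktmbuf_prepend() would then extend the frame instead of restoring it. Free the packet and continue when adj fails, as is already done for a missing session. The same applies to the adj/prepend pair added in process_ipsec_ev_outbound(), and the return value of rte_security_set_pkt_metadata() should be checked here as well.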