Patchwork [dpdk-dev,v3,1/9] cryptodev: add opaque userdata pointer into crypto sym session

Submitter Ananyev, Konstantin
Date Dec. 6, 2018, 3:38 p.m.
Message ID <1544110714-4514-2-git-send-email-konstantin.ananyev@intel.com>
Permalink /patch/674249/
State New

Comments

Ananyev, Konstantin - Dec. 6, 2018, 3:38 p.m.
Add 'uint64_t opaque_data' inside struct rte_cryptodev_sym_session.
That allows upper layer to easily associate some user defined
data with the session.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
Acked-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com>
---
 lib/librte_cryptodev/rte_cryptodev.h | 2 ++
 1 file changed, 2 insertions(+)
Declan Doherty - Dec. 11, 2018, 5:24 p.m.
On 06/12/2018 3:38 PM, Konstantin Ananyev wrote:
> Add 'uint64_t opaque_data' inside struct rte_cryptodev_sym_session.
> That allows upper layer to easily associate some user defined
> data with the session.
> 
> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> Acked-by: Fiona Trahe <fiona.trahe@intel.com>
> Acked-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com>
> ---
>   lib/librte_cryptodev/rte_cryptodev.h | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/lib/librte_cryptodev/rte_cryptodev.h b/lib/librte_cryptodev/rte_cryptodev.h
> index 4099823f1..009860e7b 100644
> --- a/lib/librte_cryptodev/rte_cryptodev.h
> +++ b/lib/librte_cryptodev/rte_cryptodev.h
> @@ -954,6 +954,8 @@ rte_cryptodev_enqueue_burst(uint8_t dev_id, uint16_t qp_id,
>    * has a fixed algo, key, op-type, digest_len etc.
>    */
>   struct rte_cryptodev_sym_session {
> +	uint64_t opaque_data;
> +	/**< Opaque user defined data */
>   	__extension__ void *sess_private_data[0];
>   	/**< Private symmetric session material */
>   };
> 
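Review bot: The doc comment on the new `opaque_data` member (`/**< Opaque user defined data */`) leaves out the contract a caller needs, and the subject line calls it a userdata pointer while the member is a `uint64_t`. Suggest that the comment state whether the library ever reads the value, who owns whatever it refers to, and what it holds on a freshly created session, so a caller that stores a pointer there knows whether 0 reliably means "unset".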

Acked-by: Declan Doherty <declan.doherty@intel.com>
Ananyev, Konstantin - Dec. 14, 2018, 4:29 p.m.
This patch series depends on the patch:
http://patches.dpdk.org/patch/48044/
to be applied first.

v3 -> v4
 - Changes to address Declan comments
 - Update docs

v2 -> v3
 - Several fixes for IPv6 support
 - Extra checks for input parameters in public API functions

v1 -> v2
 - Changes to get into account l2_len for outbound transport packets
   (Qi comments)
 - Several bug fixes
 - Some code restructured
 - Update MAINTAINERS file

RFCv2 -> v1
 - Changes per Jerin comments
 - Implement transport mode
 - Several bug fixes
 - UT largely reworked and extended

This patch introduces a new library within DPDK: librte_ipsec.
The aim is to provide DPDK native high performance library for IPsec
data-path processing.
The library is supposed to utilize existing DPDK crypto-dev and
security API to provide application with transparent IPsec
processing API.
The library is concentrated on data-path protocols processing
(ESP and AH), IKE protocol(s) implementation is out of scope
for that library.
Current patch introduces SA-level API.

SA (low) level API
==================

API described below operates on SA level.
It provides functionality that allows user for given SA to process
inbound and outbound IPsec packets.
To be more specific:
- for inbound ESP/AH packets perform decryption, authentication,
  integrity checking, remove ESP/AH related headers
- for outbound packets perform payload encryption, attach ICV,
  update/add IP headers, add ESP/AH headers/trailers,
  setup related mbuf fields (ol_flags, tx_offloads, etc.).
- initialize/un-initialize given SA based on user provided parameters.

The following functionality:
  - match inbound/outbound packets to particular SA
  - manage crypto/security devices
  - provide SAD/SPD related functionality
  - determine what crypto/security device has to be used
    for given packet(s)
is out of scope for SA-level API.

SA-level API is based on top of crypto-dev/security API and relies on
them to perform actual cipher and integrity checking.
To have an ability to easily map crypto/security sessions into related
IPSec SA opaque userdata field was added into
rte_cryptodev_sym_session and rte_security_session structures.
That implies ABI change for both librte_cryptodev and librte_security.

Due to the nature of crypto-dev API (enqueue/dequeue model) we use
asynchronous API for IPsec packets destined to be processed
by crypto-device.
Expected API call sequence would be:
  /* enqueue for processing by crypto-device */
  rte_ipsec_pkt_crypto_prepare(...);
  rte_cryptodev_enqueue_burst(...);
  /* dequeue from crypto-device and do final processing (if any) */
  rte_cryptodev_dequeue_burst(...);
  rte_ipsec_pkt_crypto_group(...); /* optional */
  rte_ipsec_pkt_process(...);

Though for packets destined for inline processing no extra overhead
is required and synchronous API call: rte_ipsec_pkt_process()
is sufficient for that case.

Current implementation supports all four currently defined
rte_security types.
Though to accommodate future custom implementations function pointers
model is used for both *crypto_prepare* and *process*
implementations.

Konstantin Ananyev (10):
  cryptodev: add opaque userdata pointer into crypto sym session
  security: add opaque userdata pointer into security session
  net: add ESP trailer structure definition
  lib: introduce ipsec library
  ipsec: add SA data-path API
  ipsec: implement SA data-path API
  ipsec: rework SA replay window/SQN for MT environment
  ipsec: helper functions to group completed crypto-ops
  test/ipsec: introduce functional test
  doc: add IPsec library guide

 MAINTAINERS                            |    5 +
 config/common_base                     |    5 +
 doc/guides/prog_guide/index.rst        |    1 +
 doc/guides/prog_guide/ipsec_lib.rst    |   74 +
 doc/guides/rel_notes/release_19_02.rst |   10 +
 lib/Makefile                           |    2 +
 lib/librte_cryptodev/rte_cryptodev.h   |    2 +
 lib/librte_ipsec/Makefile              |   27 +
 lib/librte_ipsec/crypto.h              |  123 ++
 lib/librte_ipsec/iph.h                 |   84 +
 lib/librte_ipsec/ipsec_sqn.h           |  343 ++++
 lib/librte_ipsec/meson.build           |   10 +
 lib/librte_ipsec/pad.h                 |   45 +
 lib/librte_ipsec/rte_ipsec.h           |  153 ++
 lib/librte_ipsec/rte_ipsec_group.h     |  151 ++
 lib/librte_ipsec/rte_ipsec_sa.h        |  172 ++
 lib/librte_ipsec/rte_ipsec_version.map |   15 +
 lib/librte_ipsec/sa.c                  | 1407 +++++++++++++++
 lib/librte_ipsec/sa.h                  |   98 ++
 lib/librte_ipsec/ses.c                 |   45 +
 lib/librte_net/rte_esp.h               |   10 +-
 lib/librte_security/rte_security.h     |    2 +
 lib/meson.build                        |    2 +
 mk/rte.app.mk                          |    2 +
 test/test/Makefile                     |    3 +
 test/test/meson.build                  |    3 +
 test/test/test_ipsec.c                 | 2209 ++++++++++++++++++++++++
 27 files changed, 5002 insertions(+), 1 deletion(-)
 create mode 100644 doc/guides/prog_guide/ipsec_lib.rst
 create mode 100644 lib/librte_ipsec/Makefile
 create mode 100644 lib/librte_ipsec/crypto.h
 create mode 100644 lib/librte_ipsec/iph.h
 create mode 100644 lib/librte_ipsec/ipsec_sqn.h
 create mode 100644 lib/librte_ipsec/meson.build
 create mode 100644 lib/librte_ipsec/pad.h
 create mode 100644 lib/librte_ipsec/rte_ipsec.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_group.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_sa.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_version.map
 create mode 100644 lib/librte_ipsec/sa.c
 create mode 100644 lib/librte_ipsec/sa.h
 create mode 100644 lib/librte_ipsec/ses.c
 create mode 100644 test/test/test_ipsec.c
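
The session-to-SA mapping and the optional grouping step described in the cover letter above, as an added example that is not part of the patch series or of librte_ipsec. Only the `opaque_data` field comes from the patch; the `mock_*` types, `sess_bind_sa()`, `sess_to_sa()`, `group_by_sa()` and `SA_MAGIC` are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for DPDK types (assumed names); only the patch's field is modelled. */
struct mock_sym_session { uint64_t opaque_data; };
struct mock_sa { uint32_t magic; uint32_t spi; };        /* application SA */
struct mock_op { struct mock_sym_session *sess; };       /* completed crypto-op */
struct sa_group { struct mock_sa *sa; uint32_t first, cnt; };

#define SA_MAGIC 0x49505341u /* constructed type tag */

/* Session setup: remember which SA owns this session. */
static void sess_bind_sa(struct mock_sym_session *s, struct mock_sa *sa)
{
	s->opaque_data = (uint64_t)(uintptr_t)sa;
}

/* Dequeue side: recover the SA, or NULL for an unbound session (opaque_data
 * still 0) or an object of the wrong type. The tag does not catch wild pointers. */
static struct mock_sa *sess_to_sa(const struct mock_sym_session *s)
{
	struct mock_sa *sa;

	if (s == NULL || s->opaque_data == 0)
		return NULL;
	sa = (struct mock_sa *)(uintptr_t)s->opaque_data;
	return sa->magic == SA_MAGIC ? sa : NULL;
}

/* Split a dequeued burst into runs of consecutive ops that share an SA.
 * grp[] must hold n entries; runs with sa == NULL are for the caller to drop. */
static uint32_t group_by_sa(const struct mock_op *ops, uint32_t n,
	struct sa_group *grp)
{
	uint32_t i, k = 0;

	for (i = 0; i < n; i++) {
		struct mock_sa *sa = sess_to_sa(ops[i].sess);
		if (k != 0 && grp[k - 1].sa == sa) {
			grp[k - 1].cnt++;
			continue;
		}
		grp[k].sa = sa;
		grp[k].first = i;
		grp[k].cnt = 1;
		k++;
	}
	return k;
}
```

Treating a zero or mistagged `opaque_data` as "no SA" keeps a session that was never bound from being dereferenced on the dequeue path.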
akhil.goyal@nxp.com - Dec. 21, 2018, 1:32 p.m.
Hi Konstantin,

I am done with the review, will be running the code early next week
after I finish the review of changes in ipsec application.
Key points for review were
  - some code may be generic and can be moved in appropriate files
  - documentation update
  - spell checks, spacing etc.
  - some cases like cipher only need to be looked appropriately
  - test cases for lookaside and inline proto
  - checksum/ttl update

With these comments we cannot make this to RC1, but RC2 can be looked upon.

Thanks,
Akhil

Patch

diff --git a/lib/librte_cryptodev/rte_cryptodev.h b/lib/librte_cryptodev/rte_cryptodev.h
index 4099823f1..009860e7b 100644
--- a/lib/librte_cryptodev/rte_cryptodev.h
+++ b/lib/librte_cryptodev/rte_cryptodev.h
@@ -954,6 +954,8 @@  rte_cryptodev_enqueue_burst(uint8_t dev_id, uint16_t qp_id,
  * has a fixed algo, key, op-type, digest_len etc.
  */
 struct rte_cryptodev_sym_session {
+	uint64_t opaque_data;
+	/**< Opaque user defined data */
 	__extension__ void *sess_private_data[0];
 	/**< Private symmetric session material */
 };
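
Review bot: In `struct rte_cryptodev_sym_session`, `opaque_data` is inserted ahead of `sess_private_data[0]`, so the private-data array no longer starts at offset 0 of the session, while this patch touches only rte_cryptodev.h (2 insertions). Anything built against the old header that locates driver private data from the session base will be off by eight bytes, so the ABI break should be called out with this change (version bump or release note in the same patch), and any code that sizes session objects should be checked to account for the new leading field.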