d/numam-dpdk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

examples/ipsec-secgw: fix first packet with inline crypto

Browse Source 
Inline crypto installs a flow rule in the NIC. This flow
rule must be installed before the first inbound packet is
received.

The create_session() function installs the flow rule,
create_session() has been refactored into create_inline_session()
and create_lookaside_session(). The create_inline_session() function
uses the socket_ctx data and is now called at initialisation in
sa_add_rules().

The max_session_size() function has been added to calculate memory
requirements.

The cryprodev_init() function has been refactored to drop calls to
rte_mempool_create() and to drop calculation of memory requirements.

The main() function has been refactored to call max_session_size() and
to call session_pool_init() and session_priv_pool_init() earlier.
The ports are started now before adding a flow rule in main().
The sa_init(), sp4_init(), sp6_init() and rt_init() functions are
now called after the ports have been started.

The rte_ipsec_session_prepare() function is called in fill_ipsec_session()
for inline which is called from the ipsec_sa_init() function.

Fixes: ec17993a14 ("examples/ipsec-secgw: support security offload")
Fixes: d299106e8e ("examples/ipsec-secgw: add IPsec sample application")
Cc: stable@dpdk.org

Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
This commit is contained in:
Bernard Iremonger 2019-07-19 17:52:32 +05:30 committed by Akhil Goyal
parent 40dd1f42e1
commit 3a690d5a65
5 changed files with 423 additions and 374 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

244
examples/ipsec-secgw/ipsec-secgw.c
View File

@ -1803,7 +1803,7 @@ cryptodevs_init(void)
struct rte_cryptodev_config dev_conf;
struct rte_cryptodev_qp_conf qp_conf;
uint16_t idx, max_nb_qps, qp, i;
int16_t cdev_id, port_id;
int16_t cdev_id;
struct rte_hash_parameters params = { 0 };
const uint64_t mseg_flag = multi_seg_required() ?
@ -1829,45 +1829,6 @@ cryptodevs_init(void)
printf("lcore/cryptodev/qp mappings:\n");
uint32_t max_sess_sz = 0, sess_sz;
for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {
void *sec_ctx;
/* Get crypto priv session size */
sess_sz = rte_cryptodev_sym_get_private_session_size(cdev_id);
if (sess_sz > max_sess_sz)
max_sess_sz = sess_sz;
/*
* If crypto device is security capable, need to check the
* size of security session as well.
*/
/* Get security context of the crypto device */
sec_ctx = rte_cryptodev_get_sec_ctx(cdev_id);
if (sec_ctx == NULL)
continue;
/* Get size of security session */
sess_sz = rte_security_session_get_size(sec_ctx);
if (sess_sz > max_sess_sz)
max_sess_sz = sess_sz;
}
RTE_ETH_FOREACH_DEV(port_id) {
void *sec_ctx;
if ((enabled_port_mask & (1 << port_id)) == 0)
continue;
sec_ctx = rte_eth_dev_get_sec_ctx(port_id);
if (sec_ctx == NULL)
continue;
sess_sz = rte_security_session_get_size(sec_ctx);
if (sess_sz > max_sess_sz)
max_sess_sz = sess_sz;
}
idx = 0;
for (cdev_id = 0; cdev_id < rte_cryptodev_count(); cdev_id++) {
struct rte_cryptodev_info cdev_info;
@ -1912,45 +1873,6 @@ cryptodevs_init(void)
"Device does not support at least %u "
"sessions", CDEV_MP_NB_OBJS);
if (!socket_ctx[dev_conf.socket_id].session_pool) {
char mp_name[RTE_MEMPOOL_NAMESIZE];
struct rte_mempool *sess_mp;
snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
"sess_mp_%u", dev_conf.socket_id);
sess_mp = rte_cryptodev_sym_session_pool_create(
mp_name, CDEV_MP_NB_OBJS,
0, CDEV_MP_CACHE_SZ, 0,
dev_conf.socket_id);
socket_ctx[dev_conf.socket_id].session_pool = sess_mp;
}
if (!socket_ctx[dev_conf.socket_id].session_priv_pool) {
char mp_name[RTE_MEMPOOL_NAMESIZE];
struct rte_mempool *sess_mp;
snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
"sess_mp_priv_%u", dev_conf.socket_id);
sess_mp = rte_mempool_create(mp_name,
CDEV_MP_NB_OBJS,
max_sess_sz,
CDEV_MP_CACHE_SZ,
0, NULL, NULL, NULL,
NULL, dev_conf.socket_id,
0);
socket_ctx[dev_conf.socket_id].session_priv_pool =
sess_mp;
}
if (!socket_ctx[dev_conf.socket_id].session_priv_pool ||
!socket_ctx[dev_conf.socket_id].session_pool)
rte_exit(EXIT_FAILURE,
"Cannot create session pool on socket %d\n",
dev_conf.socket_id);
else
printf("Allocated session pool on socket %d\n",
dev_conf.socket_id);
if (rte_cryptodev_configure(cdev_id, &dev_conf))
rte_panic("Failed to initialize cryptodev %u\n",
cdev_id);
@ -1971,39 +1893,6 @@ cryptodevs_init(void)
cdev_id);
}
/* create session pools for eth devices that implement security */
RTE_ETH_FOREACH_DEV(port_id) {
if ((enabled_port_mask & (1 << port_id)) &&
rte_eth_dev_get_sec_ctx(port_id)) {
int socket_id = rte_eth_dev_socket_id(port_id);
if (!socket_ctx[socket_id].session_priv_pool) {
char mp_name[RTE_MEMPOOL_NAMESIZE];
struct rte_mempool *sess_mp;
snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
"sess_mp_%u", socket_id);
sess_mp = rte_mempool_create(mp_name,
(CDEV_MP_NB_OBJS * 2),
max_sess_sz,
CDEV_MP_CACHE_SZ,
0, NULL, NULL, NULL,
NULL, socket_id,
0);
if (sess_mp == NULL)
rte_exit(EXIT_FAILURE,
"Cannot create session pool "
"on socket %d\n", socket_id);
else
printf("Allocated session pool "
"on socket %d\n", socket_id);
socket_ctx[socket_id].session_priv_pool =
sess_mp;
}
}
}
printf("\n");
return 0;
@ -2175,6 +2064,99 @@ port_init(uint16_t portid, uint64_t req_rx_offloads, uint64_t req_tx_offloads)
printf("\n");
}
static size_t
max_session_size(void)
{
size_t max_sz, sz;
void *sec_ctx;
int16_t cdev_id, port_id, n;
max_sz = 0;
n = rte_cryptodev_count();
for (cdev_id = 0; cdev_id != n; cdev_id++) {
sz = rte_cryptodev_sym_get_private_session_size(cdev_id);
if (sz > max_sz)
max_sz = sz;
/*
* If crypto device is security capable, need to check the
* size of security session as well.
*/
/* Get security context of the crypto device */
sec_ctx = rte_cryptodev_get_sec_ctx(cdev_id);
if (sec_ctx == NULL)
continue;
/* Get size of security session */
sz = rte_security_session_get_size(sec_ctx);
if (sz > max_sz)
max_sz = sz;
}
RTE_ETH_FOREACH_DEV(port_id) {
if ((enabled_port_mask & (1 << port_id)) == 0)
continue;
sec_ctx = rte_eth_dev_get_sec_ctx(port_id);
if (sec_ctx == NULL)
continue;
sz = rte_security_session_get_size(sec_ctx);
if (sz > max_sz)
max_sz = sz;
}
return max_sz;
}
static void
session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t sess_sz)
{
char mp_name[RTE_MEMPOOL_NAMESIZE];
struct rte_mempool *sess_mp;
snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
"sess_mp_%u", socket_id);
sess_mp = rte_cryptodev_sym_session_pool_create(
mp_name, CDEV_MP_NB_OBJS,
sess_sz, CDEV_MP_CACHE_SZ, 0,
socket_id);
ctx->session_pool = sess_mp;
if (ctx->session_pool == NULL)
rte_exit(EXIT_FAILURE,
"Cannot init session pool on socket %d\n", socket_id);
else
printf("Allocated session pool on socket %d\n", socket_id);
}
static void
session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id,
size_t sess_sz)
{
char mp_name[RTE_MEMPOOL_NAMESIZE];
struct rte_mempool *sess_mp;
snprintf(mp_name, RTE_MEMPOOL_NAMESIZE,
"sess_mp_priv_%u", socket_id);
sess_mp = rte_mempool_create(mp_name,
CDEV_MP_NB_OBJS,
sess_sz,
CDEV_MP_CACHE_SZ,
0, NULL, NULL, NULL,
NULL, socket_id,
0);
ctx->session_priv_pool = sess_mp;
if (ctx->session_priv_pool == NULL)
rte_exit(EXIT_FAILURE,
"Cannot init session priv pool on socket %d\n",
socket_id);
else
printf("Allocated session priv pool on socket %d\n",
socket_id);
}
static void
pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t nb_mbuf)
{
@ -2398,9 +2380,11 @@ main(int32_t argc, char **argv)
{
int32_t ret;
uint32_t lcore_id;
uint32_t i;
uint8_t socket_id;
uint16_t portid;
uint64_t req_rx_offloads, req_tx_offloads;
size_t sess_sz;
/* init EAL */
ret = rte_eal_init(argc, argv);
@ -2428,7 +2412,8 @@ main(int32_t argc, char **argv)
nb_lcores = rte_lcore_count();
/* Replicate each context per socket */
sess_sz = max_session_size();
for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
if (rte_lcore_is_enabled(lcore_id) == 0)
continue;
@ -2438,20 +2423,14 @@ main(int32_t argc, char **argv)
else
socket_id = 0;
/* mbuf_pool is initialised by the pool_init() function*/
if (socket_ctx[socket_id].mbuf_pool)
continue;
/* initilaze SPD */
sp4_init(&socket_ctx[socket_id], socket_id);
sp6_init(&socket_ctx[socket_id], socket_id);
/* initilaze SAD */
sa_init(&socket_ctx[socket_id], socket_id);
rt_init(&socket_ctx[socket_id], socket_id);
pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF);
session_pool_init(&socket_ctx[socket_id], socket_id, sess_sz);
session_priv_pool_init(&socket_ctx[socket_id], socket_id,
sess_sz);
}
RTE_ETH_FOREACH_DEV(portid) {
@ -2469,7 +2448,11 @@ main(int32_t argc, char **argv)
if ((enabled_port_mask & (1 << portid)) == 0)
continue;
/* Start device */
/*
* Start device
* note: device must be started before a flow rule
* can be installed.
*/
ret = rte_eth_dev_start(portid);
if (ret < 0)
rte_exit(EXIT_FAILURE, "rte_eth_dev_start: "
@ -2494,6 +2477,19 @@ main(int32_t argc, char **argv)
rte_exit(EXIT_FAILURE, "failed at reassemble init");
}
/* Replicate each context per socket */
for (i = 0; i < NB_SOCKETS && i < rte_socket_count(); i++) {
socket_id = rte_socket_id_by_idx(i);
if ((socket_ctx[socket_id].mbuf_pool != NULL) &&
(socket_ctx[socket_id].sa_in == NULL) &&
(socket_ctx[socket_id].sa_out == NULL)) {
sa_init(&socket_ctx[socket_id], socket_id);
sp4_init(&socket_ctx[socket_id], socket_id);
sp6_init(&socket_ctx[socket_id], socket_id);
rt_init(&socket_ctx[socket_id], socket_id);
}
}
check_all_ports_link_status(enabled_port_mask);
/* launch per-lcore init on every lcore */

493
examples/ipsec-secgw/ipsec.c
View File

@ -40,7 +40,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
}
int
create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
{
struct rte_cryptodev_info cdev_info;
unsigned long cdev_id_qp = 0;
@ -53,19 +53,17 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
key.auth_algo = (uint8_t)sa->auth_algo;
key.aead_algo = (uint8_t)sa->aead_algo;
if (sa->type == RTE_SECURITY_ACTION_TYPE_NONE) {
ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key,
(void **)&cdev_id_qp);
if (ret < 0) {
RTE_LOG(ERR, IPSEC,
ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key,
(void **)&cdev_id_qp);
if (ret < 0) {
RTE_LOG(ERR, IPSEC,
"No cryptodev: core %u, cipher_algo %u, "
"auth_algo %u, aead_algo %u\n",
key.lcore_id,
key.cipher_algo,
key.auth_algo,
key.aead_algo);
return -1;
}
return -1;
}
RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on cryptodev "
@ -107,218 +105,9 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
"SEC Session init failed: err: %d\n", ret);
return -1;
}
} else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
struct rte_flow_error err;
struct rte_security_ctx *ctx = (struct rte_security_ctx *)
rte_eth_dev_get_sec_ctx(
sa->portid);
const struct rte_security_capability *sec_cap;
int ret = 0;
sa->sec_session = rte_security_session_create(ctx,
&sess_conf, ipsec_ctx->session_priv_pool);
if (sa->sec_session == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
return -1;
}
sec_cap = rte_security_capabilities_get(ctx);
/* iterate until ESP tunnel*/
while (sec_cap->action !=
RTE_SECURITY_ACTION_TYPE_NONE) {
if (sec_cap->action == sa->type &&
sec_cap->protocol ==
RTE_SECURITY_PROTOCOL_IPSEC &&
sec_cap->ipsec.mode ==
sess_conf.ipsec.mode &&
sec_cap->ipsec.direction == sa->direction)
break;
sec_cap++;
}
if (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE) {
RTE_LOG(ERR, IPSEC,
"No suitable security capability found\n");
return -1;
}
sa->ol_flags = sec_cap->ol_flags;
sa->security_ctx = ctx;
sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
if (IS_IP6(sa->flags)) {
sa->pattern[1].mask = &rte_flow_item_ipv6_mask;
sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV6;
sa->pattern[1].spec = &sa->ipv6_spec;
memcpy(sa->ipv6_spec.hdr.dst_addr,
sa->dst.ip.ip6.ip6_b, 16);
memcpy(sa->ipv6_spec.hdr.src_addr,
sa->src.ip.ip6.ip6_b, 16);
} else if (IS_IP4(sa->flags)) {
sa->pattern[1].mask = &rte_flow_item_ipv4_mask;
sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;
sa->pattern[1].spec = &sa->ipv4_spec;
sa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4;
sa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;
}
sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
sa->pattern[2].spec = &sa->esp_spec;
sa->pattern[2].mask = &rte_flow_item_esp_mask;
sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
sa->action[0].conf = sa->sec_session;
sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
sa->attr.egress = (sa->direction ==
RTE_SECURITY_IPSEC_SA_DIR_EGRESS);
sa->attr.ingress = (sa->direction ==
RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
if (sa->attr.ingress) {
uint8_t rss_key[40];
struct rte_eth_rss_conf rss_conf = {
.rss_key = rss_key,
.rss_key_len = 40,
};
struct rte_eth_dev_info dev_info;
uint16_t queue[RTE_MAX_QUEUES_PER_PORT];
struct rte_flow_action_rss action_rss;
unsigned int i;
unsigned int j;
rte_eth_dev_info_get(sa->portid, &dev_info);
sa->action[2].type = RTE_FLOW_ACTION_TYPE_END;
/* Try RSS. */
sa->action[1].type = RTE_FLOW_ACTION_TYPE_RSS;
sa->action[1].conf = &action_rss;
rte_eth_dev_rss_hash_conf_get(sa->portid,
&rss_conf);
for (i = 0, j = 0;
i < dev_info.nb_rx_queues; ++i)
queue[j++] = i;
action_rss = (struct rte_flow_action_rss){
.types = rss_conf.rss_hf,
.key_len = rss_conf.rss_key_len,
.queue_num = j,
.key = rss_key,
.queue = queue,
};
ret = rte_flow_validate(sa->portid, &sa->attr,
sa->pattern, sa->action,
&err);
if (!ret)
goto flow_create;
/* Try Queue. */
sa->action[1].type = RTE_FLOW_ACTION_TYPE_QUEUE;
sa->action[1].conf =
&(struct rte_flow_action_queue){
.index = 0,
};
ret = rte_flow_validate(sa->portid, &sa->attr,
sa->pattern, sa->action,
&err);
/* Try End. */
sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
sa->action[1].conf = NULL;
ret = rte_flow_validate(sa->portid, &sa->attr,
sa->pattern, sa->action,
&err);
if (ret)
goto flow_create_failure;
} else if (sa->attr.egress &&
(sa->ol_flags &
RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) {
sa->action[1].type =
RTE_FLOW_ACTION_TYPE_PASSTHRU;
sa->action[2].type =
RTE_FLOW_ACTION_TYPE_END;
}
flow_create:
sa->flow = rte_flow_create(sa->portid,
&sa->attr, sa->pattern, sa->action, &err);
if (sa->flow == NULL) {
flow_create_failure:
RTE_LOG(ERR, IPSEC,
"Failed to create ipsec flow msg: %s\n",
err.message);
return -1;
}
} else if (sa->type ==
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
struct rte_security_ctx *ctx =
(struct rte_security_ctx *)
rte_eth_dev_get_sec_ctx(sa->portid);
const struct rte_security_capability *sec_cap;
if (ctx == NULL) {
RTE_LOG(ERR, IPSEC,
"Ethernet device doesn't have security features registered\n");
return -1;
}
/* Set IPsec parameters in conf */
set_ipsec_conf(sa, &(sess_conf.ipsec));
/* Save SA as userdata for the security session. When
* the packet is received, this userdata will be
* retrieved using the metadata from the packet.
*
* The PMD is expected to set similar metadata for other
* operations, like rte_eth_event, which are tied to
* security session. In such cases, the userdata could
* be obtained to uniquely identify the security
* parameters denoted.
*/
sess_conf.userdata = (void *) sa;
sa->sec_session = rte_security_session_create(ctx,
&sess_conf, ipsec_ctx->session_pool);
if (sa->sec_session == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
return -1;
}
sec_cap = rte_security_capabilities_get(ctx);
if (sec_cap == NULL) {
RTE_LOG(ERR, IPSEC,
"No capabilities registered\n");
return -1;
}
/* iterate until ESP tunnel*/
while (sec_cap->action !=
RTE_SECURITY_ACTION_TYPE_NONE) {
if (sec_cap->action == sa->type &&
sec_cap->protocol ==
RTE_SECURITY_PROTOCOL_IPSEC &&
sec_cap->ipsec.mode ==
sess_conf.ipsec.mode &&
sec_cap->ipsec.direction == sa->direction)
break;
sec_cap++;
}
if (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE) {
RTE_LOG(ERR, IPSEC,
"No suitable security capability found\n");
return -1;
}
sa->ol_flags = sec_cap->ol_flags;
sa->security_ctx = ctx;
} else {
RTE_LOG(ERR, IPSEC, "Inline not supported\n");
return -1;
}
} else {
sa->crypto_session = rte_cryptodev_sym_session_create(
@ -330,11 +119,256 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id,
&cdev_info);
}
sa->cdev_id_qp = cdev_id_qp;
return 0;
}
int
create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
{
int32_t ret = 0;
struct rte_security_ctx *sec_ctx;
struct rte_security_session_conf sess_conf = {
.action_type = sa->type,
.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
{.ipsec = {
.spi = sa->spi,
.salt = sa->salt,
.options = { 0 },
.direction = sa->direction,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = (sa->flags == IP4_TUNNEL ||
sa->flags == IP6_TUNNEL) ?
RTE_SECURITY_IPSEC_SA_MODE_TUNNEL :
RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
} },
.crypto_xform = sa->xforms,
.userdata = NULL,
};
RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on port %u\n",
sa->spi, sa->portid);
if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
struct rte_flow_error err;
const struct rte_security_capability *sec_cap;
int ret = 0;
sec_ctx = (struct rte_security_ctx *)
rte_eth_dev_get_sec_ctx(
sa->portid);
if (sec_ctx == NULL) {
RTE_LOG(ERR, IPSEC,
" rte_eth_dev_get_sec_ctx failed\n");
return -1;
}
sa->sec_session = rte_security_session_create(sec_ctx,
&sess_conf, skt_ctx->session_pool);
if (sa->sec_session == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
return -1;
}
sec_cap = rte_security_capabilities_get(sec_ctx);
/* iterate until ESP tunnel*/
while (sec_cap->action != RTE_SECURITY_ACTION_TYPE_NONE) {
if (sec_cap->action == sa->type &&
sec_cap->protocol ==
RTE_SECURITY_PROTOCOL_IPSEC &&
sec_cap->ipsec.mode ==
RTE_SECURITY_IPSEC_SA_MODE_TUNNEL &&
sec_cap->ipsec.direction == sa->direction)
break;
sec_cap++;
}
if (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE) {
RTE_LOG(ERR, IPSEC,
"No suitable security capability found\n");
return -1;
}
sa->ol_flags = sec_cap->ol_flags;
sa->security_ctx = sec_ctx;
sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
if (IS_IP6(sa->flags)) {
sa->pattern[1].mask = &rte_flow_item_ipv6_mask;
sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV6;
sa->pattern[1].spec = &sa->ipv6_spec;
memcpy(sa->ipv6_spec.hdr.dst_addr,
sa->dst.ip.ip6.ip6_b, 16);
memcpy(sa->ipv6_spec.hdr.src_addr,
sa->src.ip.ip6.ip6_b, 16);
} else if (IS_IP4(sa->flags)) {
sa->pattern[1].mask = &rte_flow_item_ipv4_mask;
sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;
sa->pattern[1].spec = &sa->ipv4_spec;
sa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4;
sa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;
}
sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
sa->pattern[2].spec = &sa->esp_spec;
sa->pattern[2].mask = &rte_flow_item_esp_mask;
sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
sa->action[0].conf = sa->sec_session;
sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
sa->attr.egress = (sa->direction ==
RTE_SECURITY_IPSEC_SA_DIR_EGRESS);
sa->attr.ingress = (sa->direction ==
RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
if (sa->attr.ingress) {
uint8_t rss_key[40];
struct rte_eth_rss_conf rss_conf = {
.rss_key = rss_key,
.rss_key_len = 40,
};
struct rte_eth_dev_info dev_info;
uint16_t queue[RTE_MAX_QUEUES_PER_PORT];
struct rte_flow_action_rss action_rss;
unsigned int i;
unsigned int j;
rte_eth_dev_info_get(sa->portid, &dev_info);
sa->action[2].type = RTE_FLOW_ACTION_TYPE_END;
/* Try RSS. */
sa->action[1].type = RTE_FLOW_ACTION_TYPE_RSS;
sa->action[1].conf = &action_rss;
rte_eth_dev_rss_hash_conf_get(sa->portid, &rss_conf);
for (i = 0, j = 0; i < dev_info.nb_rx_queues; ++i)
queue[j++] = i;
action_rss = (struct rte_flow_action_rss){
.types = rss_conf.rss_hf,
.key_len = rss_conf.rss_key_len,
.queue_num = j,
.key = rss_key,
.queue = queue,
};
ret = rte_flow_validate(sa->portid, &sa->attr,
sa->pattern, sa->action,
&err);
if (!ret)
goto flow_create;
/* Try Queue. */
sa->action[1].type = RTE_FLOW_ACTION_TYPE_QUEUE;
sa->action[1].conf =
&(struct rte_flow_action_queue){
.index = 0,
};
ret = rte_flow_validate(sa->portid, &sa->attr,
sa->pattern, sa->action,
&err);
/* Try End. */
sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
sa->action[1].conf = NULL;
ret = rte_flow_validate(sa->portid, &sa->attr,
sa->pattern, sa->action,
&err);
if (ret)
goto flow_create_failure;
} else if (sa->attr.egress &&
(sa->ol_flags &
RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) {
sa->action[1].type =
RTE_FLOW_ACTION_TYPE_PASSTHRU;
sa->action[2].type =
RTE_FLOW_ACTION_TYPE_END;
}
flow_create:
sa->flow = rte_flow_create(sa->portid,
&sa->attr, sa->pattern, sa->action, &err);
if (sa->flow == NULL) {
flow_create_failure:
RTE_LOG(ERR, IPSEC,
"Failed to create ipsec flow msg: %s\n",
err.message);
return -1;
}
} else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
const struct rte_security_capability *sec_cap;
sec_ctx = (struct rte_security_ctx *)
rte_eth_dev_get_sec_ctx(sa->portid);
if (sec_ctx == NULL) {
RTE_LOG(ERR, IPSEC,
"Ethernet device doesn't have security features registered\n");
return -1;
}
/* Set IPsec parameters in conf */
set_ipsec_conf(sa, &(sess_conf.ipsec));
/* Save SA as userdata for the security session. When
* the packet is received, this userdata will be
* retrieved using the metadata from the packet.
*
* The PMD is expected to set similar metadata for other
* operations, like rte_eth_event, which are tied to
* security session. In such cases, the userdata could
* be obtained to uniquely identify the security
* parameters denoted.
*/
sess_conf.userdata = (void *) sa;
sa->sec_session = rte_security_session_create(sec_ctx,
&sess_conf, skt_ctx->session_pool);
if (sa->sec_session == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
return -1;
}
sec_cap = rte_security_capabilities_get(sec_ctx);
if (sec_cap == NULL) {
RTE_LOG(ERR, IPSEC,
"No capabilities registered\n");
return -1;
}
/* iterate until ESP tunnel*/
while (sec_cap->action !=
RTE_SECURITY_ACTION_TYPE_NONE) {
if (sec_cap->action == sa->type &&
sec_cap->protocol ==
RTE_SECURITY_PROTOCOL_IPSEC &&
sec_cap->ipsec.mode ==
sess_conf.ipsec.mode &&
sec_cap->ipsec.direction == sa->direction)
break;
sec_cap++;
}
if (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE) {
RTE_LOG(ERR, IPSEC,
"No suitable security capability found\n");
return -1;
}
sa->ol_flags = sec_cap->ol_flags;
sa->security_ctx = sec_ctx;
}
sa->cdev_id_qp = 0;
return 0;
}
/*
* queue crypto-ops into PMD queue.
*/
@ -397,7 +431,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
rte_prefetch0(&priv->sym_cop);
if ((unlikely(sa->sec_session == NULL)) &&
create_session(ipsec_ctx, sa)) {
create_lookaside_session(ipsec_ctx, sa)) {
rte_pktmbuf_free(pkts[i]);
continue;
}
@ -416,7 +450,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
rte_prefetch0(&priv->sym_cop);
if ((unlikely(sa->crypto_session == NULL)) &&
create_session(ipsec_ctx, sa)) {
create_lookaside_session(ipsec_ctx, sa)) {
rte_pktmbuf_free(pkts[i]);
continue;
}
@ -431,12 +465,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
}
break;
case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:
if ((unlikely(sa->sec_session == NULL)) &&
create_session(ipsec_ctx, sa)) {
rte_pktmbuf_free(pkts[i]);
continue;
}
RTE_ASSERT(sa->sec_session != NULL);
ipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] = pkts[i];
if (sa->ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA)
rte_security_set_pkt_metadata(
@ -444,17 +473,11 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
sa->sec_session, pkts[i], NULL);
continue;
case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO:
RTE_ASSERT(sa->sec_session != NULL);
priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
rte_prefetch0(&priv->sym_cop);
if ((unlikely(sa->sec_session == NULL)) &&
create_session(ipsec_ctx, sa)) {
rte_pktmbuf_free(pkts[i]);
continue;
}
rte_security_attach_session(&priv->cop,
sa->sec_session);

5
examples/ipsec-secgw/ipsec.h
View File

@ -338,6 +338,9 @@ void
enqueue_cop_burst(struct cdev_qp *cqp);
int
create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa);
create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa);
int
create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa);
#endif /* __IPSEC_H__ */

9
examples/ipsec-secgw/ipsec_process.c
View File

@ -95,22 +95,23 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct ipsec_ctx *ctx,
/* setup crypto section */
if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) {
if (sa->crypto_session == NULL) {
rc = create_session(ctx, sa);
rc = create_lookaside_session(ctx, sa);
if (rc != 0)
return rc;
}
ss->crypto.ses = sa->crypto_session;
/* setup session action type */
} else {
} else if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
if (sa->sec_session == NULL) {
rc = create_session(ctx, sa);
rc = create_lookaside_session(ctx, sa);
if (rc != 0)
return rc;
}
ss->security.ses = sa->sec_session;
ss->security.ctx = sa->security_ctx;
ss->security.ol_flags = sa->ol_flags;
}
} else
RTE_ASSERT(0);
rc = rte_ipsec_session_prepare(ss);
if (rc != 0)

46
examples/ipsec-secgw/sa.c
View File

@ -868,12 +868,14 @@ sa_add_address_inline_crypto(struct ipsec_sa *sa)
static int
sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
uint32_t nb_entries, uint32_t inbound)
uint32_t nb_entries, uint32_t inbound,
struct socket_ctx *skt_ctx)
{
struct ipsec_sa *sa;
uint32_t i, idx;
uint16_t iv_length, aad_length;
int inline_status;
int32_t rc;
/* for ESN upper 32 bits of SQN also need to be part of AAD */
aad_length = (app_sa_prm.enable_esn != 0) ? sizeof(uint32_t) : 0;
@ -936,6 +938,17 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
sa->xforms = &sa_ctx->xf[idx].a;
if (sa->type ==
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
sa->type ==
RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
rc = create_inline_session(skt_ctx, sa);
if (rc != 0) {
RTE_LOG(ERR, IPSEC_ESP,
"create_inline_session() failed\n");
return -EINVAL;
}
}
print_one_sa_rule(sa, inbound);
} else {
switch (sa->cipher_algo) {
@ -1011,16 +1024,16 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
static inline int
sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
uint32_t nb_entries)
uint32_t nb_entries, struct socket_ctx *skt_ctx)
{
return sa_add_rules(sa_ctx, entries, nb_entries, 0);
return sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx);
}
static inline int
sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
uint32_t nb_entries)
uint32_t nb_entries, struct socket_ctx *skt_ctx)
{
return sa_add_rules(sa_ctx, entries, nb_entries, 1);
return sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx);
}
/*
@ -1086,10 +1099,12 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, const struct ipsec_sa *ss,
return 0;
}
static void
static int
fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa,
const struct ipsec_sa *lsa)
{
int32_t rc = 0;
ss->sa = sa;
ss->type = lsa->type;
@ -1102,6 +1117,17 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa,
ss->security.ctx = lsa->security_ctx;
ss->security.ol_flags = lsa->ol_flags;
}
if (ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
if (ss->security.ses != NULL) {
rc = rte_ipsec_session_prepare(ss);
if (rc != 0)
memset(ss, 0, sizeof(*ss));
}
}
return rc;
}
/*
@ -1136,8 +1162,8 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size)
if (rc < 0)
return rc;
fill_ipsec_session(&lsa->ips, sa, lsa);
return 0;
rc = fill_ipsec_session(&lsa->ips, sa, lsa);
return rc;
}
/*
@ -1240,7 +1266,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id)
"context %s in socket %d\n", rte_errno,
name, socket_id);
sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in);
sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx);
if (app_sa_prm.enable != 0) {
rc = ipsec_satbl_init(ctx->sa_in, sa_in, nb_sa_in,
@ -1260,7 +1286,7 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id)
"context %s in socket %d\n", rte_errno,
name, socket_id);
sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out);
sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx);
if (app_sa_prm.enable != 0) {
rc = ipsec_satbl_init(ctx->sa_out, sa_out, nb_sa_out,