security: add SA lifetime configuration

Add SA lifetime configuration to register soft and hard expiry limits.
Expiry can be in units of number of packets or bytes. Crypto op
status is also updated to include new field, aux_flags, which can be
used to indicate cases such as soft expiry in case of lookaside
protocol operations.

In case of soft expiry, the packets are successfully IPsec processed but
the soft expiry would indicate that SA needs to be reconfigured. For
inline protocol capable ethdev, this would result in an eth event while
for lookaside protocol capable cryptodev, this can be communicated via
`rte_crypto_op.aux_flags` field.

In case of hard expiry, the packets will not be IPsec processed and
would result in error.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

app/test/test_cryptodev_security_ipsec_test_vectors.h

@@ -98,7 +98,6 @@ struct ipsec_test_data pkt_aes_128_gcm = {
 		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
 		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
-		.esn_soft_limit = 0,
 		.replay_win_sz = 0,
 	},
 
@@ -195,7 +194,6 @@ struct ipsec_test_data pkt_aes_192_gcm = {
 		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
 		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
-		.esn_soft_limit = 0,
 		.replay_win_sz = 0,
 	},
 
@@ -295,7 +293,6 @@ struct ipsec_test_data pkt_aes_256_gcm = {
 		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
 		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
-		.esn_soft_limit = 0,
 		.replay_win_sz = 0,
 	},
 

doc/guides/rel_notes/deprecation.rst

@@ -227,11 +227,6 @@ Deprecation Notices
   pointer for the private data to the application which can be attached
   to the packet while enqueuing.
 
-* security: The IPsec configuration structure
-  ``struct rte_security_ipsec_xform`` will be updated with new members to allow
-  SA lifetime configuration. A new structure would be introduced to replace the
-  current member, ``esn_soft_limit``.
-
 * security: The structure ``rte_security_ipsec_xform`` will be extended with
   multiple fields: source and destination port of UDP encapsulation,
   IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number).
@@ -275,8 +270,3 @@ Deprecation Notices
 * cmdline: ``cmdline`` structure will be made opaque to hide platform-specific
   content. On Linux and FreeBSD, supported prior to DPDK 20.11,
   original structure will be kept until DPDK 21.11.
-
-* cryptodev: The structure ``rte_crypto_op`` would be updated to reduce
-  reserved bytes to 2 (from 3), and use 1 byte to indicate warnings and other
-  information from the crypto/security operation. This field will be used to
-  communicate events such as soft expiry with IPsec in lookaside mode.

doc/guides/rel_notes/release_21_11.rst

@@ -147,6 +147,11 @@ API Changes
   as it is for drivers only and should be private to DPDK, and not
   installed for app use.
 
+* cryptodev: A ``reserved`` byte from structure ``rte_crypto_op`` was
+  renamed to ``aux_flags`` to indicate warnings and other information from
+  the crypto/security operation. This field will be used to communicate
+  events such as soft expiry with IPsec in lookaside mode.
+
 
 ABI Changes
 -----------
@@ -173,6 +178,11 @@ ABI Changes
   ``rte_security_ipsec_sa_options`` to disable IV generation inside PMD,
   so that application can provide its own IV and test known test vectors.
 
+* security: A new structure ``rte_security_ipsec_lifetime`` was added to
+  replace ``esn_soft_limit`` in IPsec configuration structure
+  ``rte_security_ipsec_xform`` to allow applications to configure SA soft
+  and hard expiry limits. Limits can be either in number of packets or bytes.
+
 
 Known Issues
 ------------

examples/ipsec-secgw/ipsec.c

@@ -49,7 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
 		}
 		/* TODO support for Transport */
 	}
-	ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
+	ipsec->life.packets_soft_limit = IPSEC_OFFLOAD_PKTS_SOFTLIMIT;
 	ipsec->replay_win_sz = app_sa_prm.window_size;
 	ipsec->options.esn = app_sa_prm.enable_esn;
 	ipsec->options.udp_encap = sa->udp_encap;

examples/ipsec-secgw/ipsec.h

@@ -23,7 +23,7 @@
 
 #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
 
-#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
+#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00
 
 #define IV_OFFSET		(sizeof(struct rte_crypto_op) + \
 				sizeof(struct rte_crypto_sym_op))

lib/cryptodev/rte_crypto.h

@@ -65,6 +65,11 @@ enum rte_crypto_op_sess_type {
 	RTE_CRYPTO_OP_SECURITY_SESSION	/**< Security session crypto operation */
 };
 
+/* Auxiliary flags related to IPsec offload with RTE_SECURITY */
+
+#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY (1 << 0)
+/**< SA soft expiry limit has been reached */
+
 /**
  * Cryptographic Operation.
  *
@@ -93,7 +98,12 @@ struct rte_crypto_op {
 			 */
 			uint8_t sess_type;
 			/**< operation session type */
-			uint8_t reserved[3];
+			uint8_t aux_flags;
+			/**< Operation specific auxiliary/additional flags.
+			 * These flags carry additional information from the
+			 * operation. Processing of the same is optional.
+			 */
+			uint8_t reserved[2];
 			/**< Reserved bytes to fill 64 bits for
 			 * future additions
 			 */

lib/security/rte_security.h

@@ -216,6 +216,30 @@ enum rte_security_ipsec_sa_direction {
 	/**< Verify digest and decrypt */
 };
 
+/**
+ * Configure soft and hard lifetime of an IPsec SA
+ *
+ * Lifetime of an IPsec SA would specify the maximum number of packets or bytes
+ * that can be processed. IPsec operations would start failing once any hard
+ * limit is reached.
+ *
+ * Soft limits can be specified to generate notification when the SA is
+ * approaching hard limits for lifetime. For inline operations, reaching soft
+ * expiry limit would result in raising an eth event for the same. For lookaside
+ * operations, this would result in a warning returned in
+ * ``rte_crypto_op.aux_flags``.
+ */
+struct rte_security_ipsec_lifetime {
+	uint64_t packets_soft_limit;
+	/**< Soft expiry limit in number of packets */
+	uint64_t bytes_soft_limit;
+	/**< Soft expiry limit in bytes */
+	uint64_t packets_hard_limit;
+	/**< Soft expiry limit in number of packets */
+	uint64_t bytes_hard_limit;
+	/**< Soft expiry limit in bytes */
+};
+
 /**
  * IPsec security association configuration data.
  *
@@ -236,8 +260,8 @@ struct rte_security_ipsec_xform {
 	/**< IPsec SA Mode - transport/tunnel */
 	struct rte_security_ipsec_tunnel_param tunnel;
 	/**< Tunnel parameters, NULL for transport mode */
-	uint64_t esn_soft_limit;
-	/**< ESN for which the overflow event need to be raised */
+	struct rte_security_ipsec_lifetime life;
+	/**< IPsec SA lifetime */
 	uint32_t replay_win_sz;
 	/**< Anti replay window size to enable sequence replay attack handling.
 	 * replay checking is disabled if the window size is 0.