Commit Graph

29534 Commits

Author SHA1 Message Date
Tejasree Kondoj
07d4bde1c0 common/cnxk: support tunnel header verification
Added support to verify tunnel header in IPsec inbound.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-09-28 17:49:10 +02:00
Tejasree Kondoj
f0b538a5f8 security: add option to configure tunnel header verification
Add option to indicate whether outer header verification
need to be done as part of inbound IPsec processing.

With inline IPsec processing, SA lookup would be happening
in the Rx path of rte_ethdev. When rte_flow is configured to
support more than one SA, SPI would be used to lookup SA.
In such cases, additional verification would be required to
ensure duplicate SPIs are not getting processed in the inline path.

For lookaside cases, the same option can be used by application
to offload tunnel verification to the PMD.

These verifications would help in averting possible DoS attacks.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-09-28 17:40:52 +02:00
Anoob Joseph
5d05af5557 examples/ipsec-secgw: clear soft expiry configuration
Soft expiry is not a mandatory IPsec feature. It is verified separately
with IPsec unit tests. So configuration of the same is not required.
Also, soft expiry tracking can cause perf degradation with some PMDs.
Since a separate UT is available and the same setting in ipsec-secgw is
not verifying the functionality, remove the same by clearing life
configuration.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-09-28 14:16:37 +02:00
Anoob Joseph
6978f51ea7 test/crypto: add packet hard expiry cases
Add tests to validate packets hard expiry handling.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-09-28 14:15:56 +02:00
Anoob Joseph
4aa52f213c test/crypto: add packet soft expiry cases
Add tests to validate packets soft expiry handling.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-09-28 14:15:10 +02:00
Anoob Joseph
30ce834f2c crypto/octeontx2: add checks for life configuration
Lifetime tracking is not supported by hardware and is not implemented in
software either. Return failure when lifetime is configured.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-09-28 14:12:35 +02:00
Anoob Joseph
c4fcfaa742 common/cnxk: support lifetime configuration
Add support for SA lifetime configuration. Expiry can
be either in units of octets or packets.

Also, updated cryptodev dequeue path to update crypto op result to
indicate soft expiry.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-09-28 14:12:14 +02:00
Anoob Joseph
ad7515a39f security: add SA lifetime configuration
Add SA lifetime configuration to register soft and hard expiry limits.
Expiry can be in units of number of packets or bytes. Crypto op
status is also updated to include new field, aux_flags, which can be
used to indicate cases such as soft expiry in case of lookaside
protocol operations.

In case of soft expiry, the packets are successfully IPsec processed but
the soft expiry would indicate that SA needs to be reconfigured. For
inline protocol capable ethdev, this would result in an eth event while
for lookaside protocol capable cryptodev, this can be communicated via
`rte_crypto_op.aux_flags` field.

In case of hard expiry, the packets will not be IPsec processed and
would result in error.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-09-28 14:11:29 +02:00
Anoob Joseph
0532f50c0e test/crypto: add outbound known vector cases for IV
Added outbound known vector test cases for IV generated
by app. The tests would be skipped on PMDs which do not
support IV provided by application.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-09-28 13:36:07 +02:00
Tejasree Kondoj
c7c7f34739 crypto/cnxk: add IV in SA in lookaside IPsec debug mode
Adding IV in SA in lookaside IPsec debug mode. It helps
to verify lookaside PMD using known outbound vectors in
lookaside autotest.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-09-28 13:36:07 +02:00
Anoob Joseph
63992166ba security: support user-specified IV
Enabled user to provide IV to be used per security
operation. This would be used with lookaside protocol
offload for comparing against known vectors.

By default, PMD would internally generate random IV.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2021-09-28 13:35:32 +02:00
Tejasree Kondoj
c823434174 test/crypto: add UDP-encapsulated IPsec cases
Added tests to verify UDP encapsulation with IPsec.
The tests have IPsec packets generated from plain packets
and verifies that UDP header is added. Subsequently, the
packets are decapsulated and then resultant packet is
verified by comparing against original packet.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ciara Power <ciara.power@intel.com>
2021-09-28 09:47:20 +02:00
Tejasree Kondoj
cd928003d8 test/crypto: add IV gen cases for IPsec
Added cases to verify IV generated by PMD for lookaside IPsec.

The tests compare IV generated for a batch of packets and ensures that
IV is not getting repeated in the batch.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ciara Power <ciara.power@intel.com>
2021-09-28 09:43:01 +02:00
Tejasree Kondoj
0f4531903a test/crypto: add lookaside IPsec ICV corrupt case
Add negative test to validate IPsec inbound processing failure with ICV
corruption. The tests would first do IPsec encapsulation and corrupt
ICV of the generated IPsec packet. Then the packet is submitted to IPsec
outbound processing for decapsulation. Test case would validate that PMD
returns an error in such cases.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ciara Power <ciara.power@intel.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
2021-09-28 09:41:46 +02:00
Anoob Joseph
6622d9c97e test/crypto: add combined mode IPsec cases
Add framework to test IPsec features with all supported
combinations of ciphers.

Combined mode tests are used to test all IPsec features against all
ciphers supported by the PMD. The framework is introduced to avoid
testing with any specific algo, thereby making it mandatory to be
supported. Also, testing with all supported combinations will help with
increasing coverage as well.

The tests would first do IPsec encapsulation and do sanity checks. Based
on flags, packet would be updated or additional checks are done,
followed by IPsec decapsulation. Since the encrypted packet is generated
by the test, known vectors are not required.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ciara Power <ciara.power@intel.com>
2021-09-28 09:40:18 +02:00
Anoob Joseph
474f12024d test/crypto: add lookaside IPsec cases
Added test case for lookaside IPsec. Inbound known vector
tests are added.

Cipher list: AES-GCM 128, 192 & 256

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ciara Power <ciara.power@intel.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
2021-09-28 08:46:03 +02:00
Rebecca Troy
96fe84f42a test/compress: fix buffer overflow
Fixes stack buffer overflow bug in compressdev autotest, which
was caused by the use of buf_idx in the debug logs. Originally, buf_idx
was treated as an array instead of the reference of an integer.
This was fixed by replacing the use of buf_idx[priv_data->orig_idx] with
the variable i.

Fixes: 466a2c4bb5 ("test/compress: improve debug logs")
Fixes: 6bbc5a9236 ("test/compress: refactor unit tests")
Cc: stable@dpdk.org

Signed-off-by: Rebecca Troy <rebecca.troy@intel.com>
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
2021-09-28 08:43:57 +02:00
Michael Baum
be5aa65c26 crypto/mlx5: fix indirect mkey cleaning
The driver creates an indirect mkey per entry in the queue to manage the
crypto operation using the BSF fields.

The indirect mkeys were never released neither while error occurs in the
creation phase nor when the queue is released.

Clean the indirect mkeys in the above cases.

Fixes: c2a42d19d9 ("crypto/mlx5: add WQE set initialization")
Cc: stable@dpdk.org

Signed-off-by: Michael Baum <michaelba@nvidia.com>
Acked-by: Matan Azrad <matan@nvidia.com>
2021-09-28 08:43:57 +02:00
Tal Shnaiderman
427ec3346d crypto/mlx5: fix queue indexing
The crypto QP consumer (ci) and producer (pi) indexes are increased
with each successful enqueue/dequeue operations.

However the QP pi index is calculated with a wraparound the number
of elements while the QP ci does not.

This is causing incorrect engine calculation for encqueued WQ values
(wq->pi - wq->ci) and eventually the device stops accepting new enqueue
operations.

Fixed by removing the wraparound on QP pi and using a temp calculation
where wraparound values are needed.

Fixes: 8e196c08ab ("crypto/mlx5: support enqueue/dequeue operations")
Cc: stable@dpdk.org

Signed-off-by: Tal Shnaiderman <talshn@nvidia.com>
Acked-by: Matan Azrad <matan@nvidia.com>
2021-09-28 08:43:57 +02:00
David George
c9902a15bd common/cpt: rework pending queue
Replace pending queue with one that allows concurrent single producer and
single consumer. This relaxes the restriction of only allowing a single
lcore to operate on a given queue pair.

Signed-off-by: David George <david.george@sophos.com>
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
2021-09-28 08:43:57 +02:00
Anoob Joseph
8131b7eb50 examples/ipsec-secgw: fix parsing of flow queue
Documentation specifies that flow port & queue is provided as,

<...> port 0 queue 0

But code is expecting the same as,

<...> port 0 0

Fix the above to match documentation.

Fixes: 8e693616fc ("examples/ipsec-secgw: enable flow based distribution")
Cc: stable@dpdk.org

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-09-28 08:43:57 +02:00
Kiran Kumar K
ba588ce3f9 test/crypto-perf: test asymmetric crypto throughput
Added support for asymmetric crypto perf throughput test.
Only modex is supported for now.

One new optype has been added.
	--optype modex

./dpdk-test-crypto-perf -c 0x3 -- --devtype crypto_cn9k --optype modex
 --ptest throughput

Signed-off-by: Kiran Kumar K <kirankumark@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-09-28 08:43:57 +02:00
Fan Zhang
b8a7a3d248 test/crypto: fix PDCP short MAC-I case
This patch fixes the PDCP short MAC-I test by removing them
from snow3g and kasumi test suite and move to PDCP test suite.
This is to prevent incorrect failure for crypto device not
support PDCP.

Fixes: c24489e479 ("test/crypto: support PDCP short MAC-I")

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
2021-09-28 08:43:57 +02:00
Nithin Dabilpuram
ea28ab889e examples/ipsec-secgw: update event mode inline path
Update mbuf.l2_len with L2 header size for outbound
inline processing.

This patch also fixes a bug in arg parsing.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-09-28 08:43:57 +02:00
Nithin Dabilpuram
d08dcd28c3 security: add option for faster user/meta data access
Currently rte_security_set_pkt_metadata() and rte_security_get_userdata()
methods to set pkt metadata on Inline outbound and get userdata
after Inline inbound processing is always driver specific callbacks.

For drivers that do not have much to do in the callbacks but just
to update metadata in rte_security dynamic field and get userdata
from rte_security dynamic field, having to just to PMD specific
callback is costly per packet operation. This patch provides
a mechanism to do the same in inline function and avoid function
pointer jump if a driver supports the same.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-09-28 08:43:47 +02:00
Nithin Dabilpuram
6d1f8c1319 mbuf: enforce semantics for Tx inline IPsec processing
Not all net PMD's/HW can parse packet and identify L2 header and
L3 header locations on Tx. This is inline with other Tx offloads
requirements such as L3 checksum, L4 checksum offload, etc,
where mbuf.l2_len, mbuf.l3_len etc, needs to be set for HW to be
able to generate checksum. Since Inline IPsec is also such a Tx
offload, some PMD's at least need mbuf.l2_len to be valid to
find L3 header and perform Outbound IPSec processing.

Hence, this patch updates documentation to enforce setting
mbuf.l2_len while setting PKT_TX_SEC_OFFLOAD in mbuf.ol_flags
for Inline IPsec Crypto / Protocol offload processing to
work on Tx.

Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-09-27 09:55:41 +02:00
Shijith Thotton
a0a388a897 eal: add macro to swap two variables
Add a macro to swap two variables
and updat common autotest for the same.

Signed-off-by: Shijith Thotton <sthotton@marvell.com>
Acked-by: Jerin Jacob <jerinj@marvell.com>
2021-09-27 18:33:45 +02:00
Julien Meunier
6ded44bce4 stack: fix reload head when pop fails
The previous commit 18effad9cf ("stack: reload head when pop fails")
only changed C11 implementation, not generic implementation.

List head must be loaded right before continue (when failed to find the
new head). Without this, one thread might keep trying and failing to pop
items without ever loading the new correct head.

Fixes: 3340202f59 ("stack: add lock-free implementation")
Cc: stable@dpdk.org

Signed-off-by: Julien Meunier <julien.meunier@nokia.com>
Acked-by: Olivier Matz <olivier.matz@6wind.com>
2021-09-27 17:28:55 +02:00
Xueming Li
6e914454d5 vdpa/mlx5: fix large VM memory region registration
When VM size is larger than 4G (u32) and memory region is larger than 4G,
the 32-bit GCD function overflowed and returned wrong value
that resulted in memory registration failure.

This patch calls 64-bit GCD function to avoid overflow.

Fixes: cc07a42da2 ("vdpa/mlx5: prepare memory regions")
Cc: stable@dpdk.org

Signed-off-by: Xueming Li <xuemingl@nvidia.com>
Reviewed-by: Matan Azrad <matan@nvidia.com>
2021-09-27 17:24:22 +02:00
Xueming Li
eb5636e879 sched: get 64-bit greatest common divisor
This patch adds new function that compute the greatest common
divisor of 64 bits, also changes the original 32 bits function
to call this new 64-bit version.

Cc: stable@dpdk.org

Signed-off-by: Xueming Li <xuemingl@nvidia.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
2021-09-27 17:24:16 +02:00
Cristian Dumitrescu
175d213bf8 pipeline: improve handling of learner action arguments
The arguments of actions that are learned are now specified as part of
the learn instruction as opposed to being statically specified as part
of the learner table configuration.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:18:49 +02:00
Cristian Dumitrescu
1c6571c837 pipeline: enable pipeline compilation
Commit the pipeline changes when the compilation process is
successful: change the table lookup instructions to execute the action
function for each action, replace the regular pipeline instructions
with the custom instructions.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:10:26 +02:00
Cristian Dumitrescu
f898a475c3 pipeline: build shared object for pipeline
Build the generated C file into a shared object library.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
Signed-off-by: Cunming Liang <cunming.liang@intel.com>
2021-09-27 12:10:20 +02:00
Cristian Dumitrescu
724f3ef422 pipeline: generate custom instruction functions
Generate a C function for each custom instruction, which essentially
consolidate multiple regular instructions into a single function call.
The pipeline program is split into groups of instructions, and a
custom instruction is generated for each group that has more than one
instruction. Special care is taken the instructions that can do thread
yield (RX, extern) and for those that can change the instruction
pointer (TX, near/far jump).

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:09:54 +02:00
Cristian Dumitrescu
d025528d74 pipeline: generate action functions
Generate a C function for each action. For most instructions, the
associated inline function is called directly. Special care is taken
for TX, jump and return instructions.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:09:45 +02:00
Cristian Dumitrescu
216bc906d0 pipeline: export pipeline instructions to file
Export the array of translated instructions to a C file. There is one
such array per action and one for the pipeline.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:09:26 +02:00
Cristian Dumitrescu
fc64098a1a pipeline: introduce pipeline compilation
Lay the foundation to generate C code for the pipeline: C functions
for actions and custom instructions are generated, built as shared
object library and loaded into the pipeline.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:09:15 +02:00
Cristian Dumitrescu
dfa9491a18 pipeline: introduce custom instructions
For better performance, the option to create custom instructions when
the program is translated and add them on-the-fly to the pipeline is
now provided. Multiple regular instructions can now be consolidated
into a single C function optimized by the C compiler directly.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:09:13 +02:00
Cristian Dumitrescu
5dc6a5f2e7 pipeline: introduce action functions
For better performance, the option to run a single function per action
is now provided, which requires a single function call per action that
can be better optimized by the C compiler, as opposed to one function
call per instruction. Special table lookup instructions are added to
to support this feature.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:09:11 +02:00
Cristian Dumitrescu
4bd025dc98 pipeline: enable persistent instruction meta-data
Save the instruction meta-data for later use instead of freeing it up
once the instruction translation is completed.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:03:23 +02:00
Cristian Dumitrescu
40baf712ef pipeline: create inline functions for instruction operands
Create inline functions to get the instruction operands.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:03:20 +02:00
Cristian Dumitrescu
0d5910ddcf pipeline: create inline functions for meter instructions
Create inline functions for the meter instructions.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:03:18 +02:00
Cristian Dumitrescu
c5d03ffda7 pipeline: create inline functions for register instructions
Create inline functions for the register instructions.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:03:16 +02:00
Cristian Dumitrescu
ed7567c9d7 pipeline: create inline functions for ALU instructions
Create inline functions for the ALU instructions.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:03:15 +02:00
Cristian Dumitrescu
fae7b2baa3 pipeline: create inline functions for DMA instruction
Create inline functions for the DMA instruction.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:03:13 +02:00
Cristian Dumitrescu
b82733ab25 pipeline: create inline functions for move instruction
Create inline functions for the move instruction.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:03:12 +02:00
Cristian Dumitrescu
4884264b17 pipeline: create inline functions for extern instruction
Create inline functions for the extern instruction.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:03:10 +02:00
Cristian Dumitrescu
d1a58ada1a pipeline: create inline functions for learn instruction
Create inline functions for the learn and forget instructions.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:03:09 +02:00
Cristian Dumitrescu
4565d7db70 pipeline: create inline functions for validate instruction
Create inline functions for the validate and invalidate instructions.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:03:07 +02:00
Cristian Dumitrescu
d60dbdc88a pipeline: create inline functions for emit instruction
Create inline functions for the emit instruction.

Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
2021-09-27 12:03:05 +02:00