security: use IPv6 address structure

For consistency with the rest of the code base, update
rte_security_ipsec_tunnel_param to use rte_ipv6_addr structures instead
of in6_addr.

Signed-off-by: Robin

security: use IPv6 address structure

For consistency with the rest of the code base, update
rte_security_ipsec_tunnel_param to use rte_ipv6_addr structures instead
of in6_addr.

Signed-off-by: Robin Jarry <rjarry@redhat.com>

show more ...

ipsec: use IPv6 address structure

Update rte_ipsec_sadv6_key to use rte_ipv6_addr structures instead of
uint8_t[16] arrays.

Signed-off-by: Robin Jarry <rjarry@redhat.com>

net: use IPv6 address structure for packet headers

The rte_ipv6_hdr uses ad-hoc uint8_t[16] arrays to represent addresses.
Replace these arrays with the newly added rte_ipv6_addr structure. Adapt
al

net: use IPv6 address structure for packet headers

The rte_ipv6_hdr uses ad-hoc uint8_t[16] arrays to represent addresses.
Replace these arrays with the newly added rte_ipv6_addr structure. Adapt
all code accordingly.

Signed-off-by: Robin Jarry <rjarry@redhat.com>

show more ...

examples: fix lcore ID restriction

Currently the config option allows lcore IDs up to 255,
irrespective of RTE_MAX_LCORES and needs to be fixed.

The patch fixes these constraints by allowing all
lc

examples: fix lcore ID restriction

Currently the config option allows lcore IDs up to 255,
irrespective of RTE_MAX_LCORES and needs to be fixed.

The patch fixes these constraints by allowing all
lcore IDs up to RTE_MAX_LCORES.

Fixes: af75078fece3 ("first public release")
Fixes: f88e7c175a68 ("examples/l3fwd-power: add high/regular perf cores options")
Fixes: 08bd1a174461 ("examples/l3fwd-graph: add graph-based l3fwd skeleton")
Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application")
Fixes: 0e8f47491f09 ("examples/vm_power: add command to query CPU frequency")
Fixes: de3cfa2c9823 ("sched: initial import")
Cc: stable@dpdk.org

Signed-off-by: Sivaprasad Tummala <sivaprasad.tummala@amd.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@huawei.com>
Acked-by: Morten Brørup <mb@smartsharesystems.com>
Acked-by: Ferruh Yigit <ferruh.yigit@amd.com>

show more ...

examples/ipsec-secgw: fix cryptodev to SA mapping

There are use cases where a SA should be able to use different
cryptodevs on different lcores, for example there can be cryptodevs
with just 1 qp pe

examples/ipsec-secgw: fix cryptodev to SA mapping

There are use cases where a SA should be able to use different
cryptodevs on different lcores, for example there can be cryptodevs
with just 1 qp per VF.
Hence, the check in create lookaside session function is relaxed.
Also added a check to verify that a CQP is available for the current lcore.

Fixes: a8ade12123c3 ("examples/ipsec-secgw: create lookaside sessions at init")
Cc: stable@dpdk.org

Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Tested-by: Ting-Kai Ku <ting-kai.ku@intel.com>
Acked-by: Ciara Power <ciara.power@intel.com>
Acked-by: Kai Ji <kai.ji@intel.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>

show more ...

security: hide security context

rte_security_ctx is used by all security APIs to identify
which device security_op it need to call and hence it should
be opaque to the application.
Hence, it is now

security: hide security context

rte_security_ctx is used by all security APIs to identify
which device security_op it need to call and hence it should
be opaque to the application.
Hence, it is now moved to internal header file and all
APIs will now take an opaque pointer for it.
The fast path inline APIs like set metadata need to get flags
from security_ctx. The flags are now retrieved using inline APIs
which use macros to get the offset of flags in security_ctx.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ciara Power <ciara.power@intel.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>

show more ...

examples/ipsec-secgw: allow single xform SA

Update check capabilities before session create to allow single xform SA
i.e. auth or cipher only

Fixes: a8781df86c14 ("examples/ipsec-secgw: check capab

examples/ipsec-secgw: allow single xform SA

Update check capabilities before session create to allow single xform SA
i.e. auth or cipher only

Fixes: a8781df86c14 ("examples/ipsec-secgw: check capabilities before session create")

Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Kai Ji <kai.ji@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

show more ...

examples/ipsec-secgw: refactor inline capability check

In cases of inline IPsec, the supported ol_flags are
retrieved from security capability of device.
Now that capability checks are added before

examples/ipsec-secgw: refactor inline capability check

In cases of inline IPsec, the supported ol_flags are
retrieved from security capability of device.
Now that capability checks are added before creating the session,
ol_flags can be retrieved from the same function call.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Kai Ji <kai.ji@intel.com>

show more ...

examples/ipsec-secgw: check capabilities before session create

Currently, sessions are created without checking the device
capabilities, which may result in failure at a later stage.

Device capabil

examples/ipsec-secgw: check capabilities before session create

Currently, sessions are created without checking the device
capabilities, which may result in failure at a later stage.

Device capabilities are now checked before creating the
security/crypto session.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Kai Ji <kai.ji@intel.com>

show more ...

examples/ipsec-secgw: support per SA HW reassembly

This add the support of hardware reassembly per SA basis.
In SA rule, new parameter reassembly_en is added to enable
HW reassembly per SA.
For exam

examples/ipsec-secgw: support per SA HW reassembly

This add the support of hardware reassembly per SA basis.
In SA rule, new parameter reassembly_en is added to enable
HW reassembly per SA.
For example:
sa in <idx> aead_algo <algo> aead_key <key> mode ipv4-tunnel src <ip>
dst <ip> type inline-protocol-offload port_id <id> reassembly_en

Stats counter frag_dropped will represent the number of fragment
drop in case of reassembly failures.

Signed-off-by: Rahul Bhansali <rbhansali@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

show more ...

examples/ipsec-secgw: add lookaside event mode

Added base support for lookaside event mode.
Events that are coming from ethdev will be enqueued
to the event crypto adapter, processed and
enqueued ba

examples/ipsec-secgw: add lookaside event mode

Added base support for lookaside event mode.
Events that are coming from ethdev will be enqueued
to the event crypto adapter, processed and
enqueued back to ethdev for the transmission.

Signed-off-by: Volodymyr Fialko <vfialko@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

show more ...

security: remove private mempool usage

As per current design, rte_security_session_create()
unnecessarily use 2 mempool objects for a single session.

To address this, the API will now take only 1 m

security: remove private mempool usage

As per current design, rte_security_session_create()
unnecessarily use 2 mempool objects for a single session.

To address this, the API will now take only 1 mempool
object instead of 2. With this change, the library layer
will get the object from mempool and session priv data is
stored contiguously in the same mempool object.

User need to ensure that the mempool created in application
is big enough for session private data as well. This can be
ensured if the pool is created after getting size of session
priv data using API rte_security_session_get_size().

Since set and get pkt metadata for security sessions are now
made inline for Inline crypto/proto mode, a new member fast_mdata
is added to the rte_security_session.
To access opaque data and fast_mdata will be accessed via inline
APIs which can do pointer manipulations inside library from
session_private_data pointer coming from application.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Tested-by: Gagandeep Singh <g.singh@nxp.com>
Tested-by: David Coyle <david.coyle@intel.com>
Tested-by: Kevin O'Sullivan <kevin.osullivan@intel.com>

show more ...

cryptodev: rework session framework

As per current design, rte_cryptodev_sym_session_create() and
rte_cryptodev_sym_session_init() use separate mempool objects
for a single session.
And structure rt

cryptodev: rework session framework

As per current design, rte_cryptodev_sym_session_create() and
rte_cryptodev_sym_session_init() use separate mempool objects
for a single session.
And structure rte_cryptodev_sym_session is not directly used
by the application, it may cause ABI breakage if the structure
is modified in future.

To address these two issues, the rte_cryptodev_sym_session_create
will take one mempool object that the session and session private
data are virtually/physically contiguous, and initializes both
fields. The API rte_cryptodev_sym_session_init is removed.

rte_cryptodev_sym_session_create will now return an opaque session
pointer which will be used by the app and other APIs.

In data path, opaque session pointer is attached to rte_crypto_op
and the PMD can call an internal library API to get the session
private data pointer based on the driver id.

Note: currently single session may be used by different device
drivers, given it is initialized by them. After the change the
session created by one device driver cannot be used or
reinitialized by another driver.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: Ruifeng Wang <ruifeng.wang@arm.com>
Acked-by: Kai Ji <kai.ji@intel.com>
Tested-by: Gagandeep Singh <g.singh@nxp.com>
Tested-by: David Coyle <david.coyle@intel.com>
Tested-by: Kevin O'Sullivan <kevin.osullivan@intel.com>

show more ...

examples/ipsec-secgw: create lookaside sessions at init

In event lookaside mode same session could be handled with multiple
cores, and session creation in datapath will cause situation where
multipl

examples/ipsec-secgw: create lookaside sessions at init

In event lookaside mode same session could be handled with multiple
cores, and session creation in datapath will cause situation where
multiple cores will try to create same session simultaneously.
To avoid such case and enable event lookaside mode in future, lookaside
sessions are now created at initialization in sa_add_rules().

All sessions(inline and lookaside) now created during init process, so
session pool information was removed from ipsec context. Core id was
added to obtain correct crypto device queue pair for the current core.

Signed-off-by: Volodymyr Fialko <vfialko@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

show more ...

examples/ipsec-secgw: destroy lookaside sessions

Lookaside mode also creates security and crypto sessions that needs to
be destroyed after they are no longer used.

Signed-off-by: Volodymyr Fialko <

examples/ipsec-secgw: destroy lookaside sessions

Lookaside mode also creates security and crypto sessions that needs to
be destroyed after they are no longer used.

Signed-off-by: Volodymyr Fialko <vfialko@marvell.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

show more ...

examples/ipsec-secgw: fix uninitialized memory access

rte_flow_validate and rte_flow_create not always initialize flow error.
Using error.message in some error cases will cause read from
uninitializ

examples/ipsec-secgw: fix uninitialized memory access

rte_flow_validate and rte_flow_create not always initialize flow error.
Using error.message in some error cases will cause read from
uninitialized memory.

Fixes: 6738c0a9569 ("examples/ipsec-secgw: support flow director")
Cc: stable@dpdk.org

Signed-off-by: Volodymyr Fialko <vfialko@marvell.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

show more ...

examples/ipsec-secgw: define initial ESN value

New option added to the SA configuration arguments that
allows setting an arbitrary start value for ESN.

For example in the SA below ESN will be enabl

examples/ipsec-secgw: define initial ESN value

New option added to the SA configuration arguments that
allows setting an arbitrary start value for ESN.

For example in the SA below ESN will be enabled and first egress
IPsec packet will have the ESN value 10000:

sa out 15 cipher_algo null auth_algo null mode ipv4-tunnel \
src 172.16.1.5 dst 172.16.2.5 \
esn 10000

Signed-off-by: Declan Doherty <declan.doherty@intel.com>
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

show more ...

examples/ipsec-secgw: support UDP encap for inline crypto

Enable UDP encapsulation for both transport and tunnel modes for the
inline crypto offload path.

Signed-off-by: Radu Nicolau <radu.nicolau@

examples/ipsec-secgw: support UDP encap for inline crypto

Enable UDP encapsulation for both transport and tunnel modes for the
inline crypto offload path.

Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

show more ...

examples/ipsec-secgw: update inline session create

Rework create inline session function as to update the session
configuration parameters before create session is called.
Also updated the rss key a

examples/ipsec-secgw: update inline session create

Rework create inline session function as to update the session
configuration parameters before create session is called.
Also updated the rss key array size to prevent buffers overflows
with PMDs that copy more than 40 bytes.

Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

show more ...

examples/ipsec-secgw: clear soft expiry configuration

Soft expiry is not a mandatory IPsec feature. It is verified separately
with IPsec unit tests. So configuration of the same is not required.
Als

examples/ipsec-secgw: clear soft expiry configuration

Soft expiry is not a mandatory IPsec feature. It is verified separately
with IPsec unit tests. So configuration of the same is not required.
Also, soft expiry tracking can cause perf degradation with some PMDs.
Since a separate UT is available and the same setting in ipsec-secgw is
not verifying the functionality, remove the same by clearing life
configuration.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

show more ...

security: add SA lifetime configuration

Add SA lifetime configuration to register soft and hard expiry limits.
Expiry can be in units of number of packets or bytes. Crypto op
status is also updated

security: add SA lifetime configuration

Add SA lifetime configuration to register soft and hard expiry limits.
Expiry can be in units of number of packets or bytes. Crypto op
status is also updated to include new field, aux_flags, which can be
used to indicate cases such as soft expiry in case of lookaside
protocol operations.

In case of soft expiry, the packets are successfully IPsec processed but
the soft expiry would indicate that SA needs to be reconfigured. For
inline protocol capable ethdev, this would result in an eth event while
for lookaside protocol capable cryptodev, this can be communicated via
`rte_crypto_op.aux_flags` field.

In case of hard expiry, the packets will not be IPsec processed and
would result in error.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

show more ...

examples/ipsec-secgw: support UDP encapsulation

Adding lookaside IPsec UDP encapsulation support
for NAT traversal.
Application has to add udp-encap option to sa config file
to enable UDP encapsulat

examples/ipsec-secgw: support UDP encapsulation

Adding lookaside IPsec UDP encapsulation support
for NAT traversal.
Application has to add udp-encap option to sa config file
to enable UDP encapsulation on the SA.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

show more ...

security: update session create API

The API ``rte_security_session_create`` takes only single
mempool for session and session private data. So the
application need to create mempool for twice the nu

security: update session create API

The API ``rte_security_session_create`` takes only single
mempool for session and session private data. So the
application need to create mempool for twice the number of
sessions needed and will also lead to wastage of memory as
session private data need more memory compared to session.
Hence the API is modified to take two mempool pointers
- one for session and one for private data.
This is very similar to crypto based session create APIs.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Reviewed-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
Tested-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>

show more ...

examples/ipsec-secgw: add per-core packet statistics

Adding per core packet handling stats to analyze traffic distribution
when multiple cores are engaged.

Since aggregating the packet stats across

examples/ipsec-secgw: add per-core packet statistics

Adding per core packet handling stats to analyze traffic distribution
when multiple cores are engaged.

Since aggregating the packet stats across cores would affect
performance, keeping the feature disabled using compile time flags.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>

show more ...

examples/ipsec-secgw: support flow director

Support load distribution in security gateway application using
NIC load distribution feature (Flow Director).
Flow Director is used to redirect the speci

examples/ipsec-secgw: support flow director

Support load distribution in security gateway application using
NIC load distribution feature (Flow Director).
Flow Director is used to redirect the specified inbound ipsec flow
to a specified queue. This is achieved by extending the SA rule syntax
to support specification by adding new action_type of <flow-direction>
to a specified <port_id> <queue_id>.

Signed-off-by: Praveen Shetty <praveen.shetty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>

show more ...