|
Revision tags: v24.07-rc2, v24.07-rc1, v24.03, v24.03-rc4, v24.03-rc3, v24.03-rc2, v24.03-rc1 |
|
| #
08966fe7 |
| 13-Feb-2024 |
Tyler Retzlaff <roretzla@linux.microsoft.com> |
use C11 alignof
Replace use of __alignof__(e) (resp. __alignof__(T)) with C11 alignof(typeof(e)) (resp. alignof(T)) to improve portability between toolchains.
Signed-off-by: Tyler Retzlaff <roretzla@linux.microsoft.com> Acked-by: Morten Brørup <mb@smartsharesystems.com> Acked-by: Chengwen Feng <fengchengwen@huawei.com> Acked-by: Anoob Joseph <anoobj@marvell.com> Acked-by: Volodymyr Fialko <vfialko@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com> Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
|
|
Revision tags: v23.11, v23.11-rc4, v23.11-rc3, v23.11-rc2, v23.11-rc1 |
|
| #
165bb658 |
| 10-Oct-2023 |
Anoob Joseph <anoobj@marvell.com> |
security: add fallback security processing and Rx inject
Add alternate datapath API for security processing which would do Rx injection (similar to loopback) after successful security processing.
With inline protocol offload, variable part of the session context (AR windows, lifetime etc in case of IPsec), is not accessible to the application. If packets are not getting processed in the inline path due to non security reasons (such as outer fragmentation or rte_flow packet steering limitations), then the packet cannot be security processed as the session context is private to the PMD and security library doesn't provide alternate APIs to make use of the same session.
Introduce new API and Rx injection as fallback mechanism to security processing failures due to non-security reasons. For example, when there is outer fragmentation and PMD doesn't support reassembly of outer fragments, application would receive fragments which it can then reassemble. Post successful reassembly, packet can be submitted for security processing and Rx inject. The packets can be then received in the application as normal inline protocol processed packets.
Same API can be leveraged in lookaside protocol offload mode to inject packet to Rx. This would help in using rte_flow based packet parsing after security processing. For example, with IPsec, this will help in flow splitting after IPsec processing is done.
In both inline protocol capable ethdevs and lookaside protocol capable cryptodevs, the packet would be received back in eth port & queue based on rte_flow rules and packet parsing after security processing. The API would behave like a loopback but with the additional security processing.
Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com>
|
| #
7ebdf16a |
| 03-Oct-2023 |
Anoob Joseph <anoobj@marvell.com> |
security: add TLS record processing
Add Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The protocols provide communications privacy for L4 protocols such as TCP & UDP.
TLS (and DTLS) protocol is composed of two layers,
1. TLS Record Protocol
2. TLS Handshake Protocol
While TLS Handshake Protocol helps in establishing security parameters by which client and server can communicate, TLS Record Protocol provides the connection security. TLS Record Protocol leverages symmetric cryptographic operations such as data encryption and authentication for providing security to the communications.
Cryptodevs that are capable of offloading TLS Record Protocol may perform other operations like IV generation, header insertion, atomic sequence number updates and anti-replay window check in addition to cryptographic transformations.
Support for TLS record protocol is added for TLS 1.2, TLS 1.3 and DTLS 1.2.
Signed-off-by: Akhil Goyal <gakhil@marvell.com> Signed-off-by: Anoob Joseph <anoobj@marvell.com> Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com> Acked-by: Harry van Haaren <harry.van.haaren@intel.com>
|
| #
79bdb787 |
| 20-Sep-2023 |
Akhil Goyal <gakhil@marvell.com> |
security: hide security context
rte_security_ctx is used by all security APIs to identify which device security_op it needs to call and hence it should be opaque to the application. Hence, it is now moved to internal header file and all APIs will now take an opaque pointer for it. The fast path inline APIs like set metadata need to get flags from security_ctx. The flags are now retrieved using inline APIs which use macros to get the offset of flags in security_ctx.
Signed-off-by: Akhil Goyal <gakhil@marvell.com> Acked-by: Ciara Power <ciara.power@intel.com> Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
|
| #
1d63855b |
| 21-Sep-2023 |
Nithin Dabilpuram <ndabilpuram@marvell.com> |
security: introduce out-of-place inline ingress
Similar to out-of-place (OOP) processing support that exists for Lookaside crypto/security sessions, Inline ingress security sessions may also need out of place processing in use cases where original encrypted packet needs to be retained for post processing. So for NICs which have such a kind of HW support, a new SA option is provided to indicate whether OOP needs to be enabled on that Inline ingress security session or not.
Since for inline ingress sessions, packet is not received by CPU until the processing is done, we can only have per-SA option and not per-packet option like Lookaside sessions.
Also remove reserved_opts field from the rte_security_ipsec_sa_options struct as mentioned in deprecation notice.
Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com>
|
| #
a35f828d |
| 31-Jul-2023 |
Ankur Dwivedi <adwivedi@marvell.com> |
security: add MACsec algo in capability index
This patch adds the MACsec algorithm field in security capability index structure. This field is compared against the MACsec alg to return the correct capability.
Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com>
|
|
Revision tags: v23.07, v23.07-rc4, v23.07-rc3, v23.07-rc2, v23.07-rc1 |
|
| #
b241a5ad |
| 08-Jun-2023 |
Akhil Goyal <gakhil@marvell.com> |
security: add direction in SA/SC configuration
MACsec SC/SA ids are created based on direction of the flow. Hence, added the missing field for configuration and cleanup of the SCs and SAs.
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
|
|
Revision tags: v23.03, v23.03-rc4, v23.03-rc3, v23.03-rc2, v23.03-rc1 |
|
| #
af0785a2 |
| 12-Jan-2023 |
Bruce Richardson <bruce.richardson@intel.com> |
rename telemetry u64 functions to uint versions
Within the DPDK code-base, replace all occurrences of "rte_tel_data_add_array_u64" with "rte_tel_data_add_array_uint", and similarly replace all occurrences of "rte_tel_data_add_dict_u64" with "rte_tel_data_add_dict_uint". This allows us to later mark the older functions as deprecated without hitting warnings.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com> Acked-by: Ciara Power <ciara.power@intel.com>
|
| #
2d2c55e4 |
| 12-Jan-2023 |
Bruce Richardson <bruce.richardson@intel.com> |
telemetry: rename unsigned 64-bit enum value to uint
For telemetry data, rather than having unsigned 64-bit values and signed 32-bit values, we want to just have unsigned and signed values, each stored with the max bit-width i.e. 64-bits. To that end, we rename the U64 enum entry to "UINT" to have a more generic name.
For backward API-level compatibility, we can use a macro to alias the old name to the new.
Suggested-by: Morten Brørup <mb@smartsharesystems.com> Signed-off-by: Bruce Richardson <bruce.richardson@intel.com> Acked-by: Morten Brørup <mb@smartsharesystems.com> Acked-by: Tyler Retzlaff <roretzla@linux.microsoft.com> Acked-by: Ciara Power <ciara.power@intel.com>
|
|
Revision tags: v22.11, v22.11-rc4, v22.11-rc3, v22.11-rc2, v22.11-rc1 |
|
| #
2973dbf9 |
| 04-Oct-2022 |
Akhil Goyal <gakhil@marvell.com> |
security: hide session structure
Structure rte_security_session is moved to internal headers which are not visible to applications. The only field which should be used by app is opaque_data. This field can now be accessed via set/get APIs added in this patch. Subsequent changes in app and lib are made to compile the code.
Signed-off-by: Akhil Goyal <gakhil@marvell.com> Tested-by: Gagandeep Singh <g.singh@nxp.com> Tested-by: David Coyle <david.coyle@intel.com> Tested-by: Kevin O'Sullivan <kevin.osullivan@intel.com>
|
| #
3f3fc330 |
| 04-Oct-2022 |
Akhil Goyal <gakhil@marvell.com> |
security: remove private mempool usage
As per current design, rte_security_session_create() unnecessarily uses 2 mempool objects for a single session.
To address this, the API will now take only 1 mempool object instead of 2. With this change, the library layer will get the object from mempool and session priv data is stored contiguously in the same mempool object.
User needs to ensure that the mempool created in application is big enough for session private data as well. This can be ensured if the pool is created after getting size of session priv data using API rte_security_session_get_size().
Since set and get pkt metadata for security sessions are now made inline for Inline crypto/proto mode, a new member fast_mdata is added to the rte_security_session. Opaque data and fast_mdata will be accessed via inline APIs which can do pointer manipulations inside library from session_private_data pointer coming from application.
Signed-off-by: Akhil Goyal <gakhil@marvell.com> Tested-by: Gagandeep Singh <g.singh@nxp.com> Tested-by: David Coyle <david.coyle@intel.com> Tested-by: Kevin O'Sullivan <kevin.osullivan@intel.com>
|
| #
68d25915 |
| 12-Aug-2022 |
Srujana Challa <schalla@marvell.com> |
security: remove user data get API
The API rte_security_get_userdata() was unused by most of the drivers and it was retrieving userdata from mbuf dynamic field. Hence, the API was removed and the application can directly get the userdata from dynamic field. This helps in removing extra checks in datapath.
Signed-off-by: Srujana Challa <schalla@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com>
|
| #
bbbe6c59 |
| 28-Sep-2022 |
Akhil Goyal <gakhil@marvell.com> |
security: support MACsec
Added support for MACsec in rte_security for offloading MACsec Protocol operation to inline NIC device or a crypto device.
To support MACsec we cannot just make one security session and send with the packet to process it. MACsec specifications suggest, it has 3 different entities - SECY Entity, SC (secure channel) and SA (security association). And same SA can be used by multiple SCs and similarly many SECY can have same SCs. Hence, in order to support this many to one relationships between all entities, 2 new APIs are created - rte_security_macsec_sc_create and rte_security_macsec_sa_create. Flow of execution of the APIs would be as
- rte_security_macsec_sa_create
- rte_security_macsec_sc_create
- rte_security_session_create (for secy)
And in case of inline protocol processing rte_flow can be created with rte_security action. A new flow item will be added for MACsec header. New APIs are also created for getting SC and SA stats.
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
|
| #
1acb7f54 |
| 28-Jul-2022 |
David Marchand <david.marchand@redhat.com> |
dev: hide driver object
Make rte_driver opaque for non internal users. This will make extending this object possible without breaking the ABI.
Introduce a new driver header and move rte_driver definition. Update drivers and library to use the internal header.
Some applications may have been dereferencing rte_driver objects, mark this object's accessors as stable.
Signed-off-by: David Marchand <david.marchand@redhat.com> Acked-by: Bruce Richardson <bruce.richardson@intel.com> Acked-by: Jay Jayatheerthan <jay.jayatheerthan@intel.com> Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com> Acked-by: Akhil Goyal <gakhil@marvell.com> Acked-by: Abhinandan Gujjar <abhinandan.gujjar@intel.com>
|
| #
8f1d23ec |
| 23-Aug-2022 |
David Marchand <david.marchand@redhat.com> |
eal: deprecate RTE_FUNC_PTR_* macros
Those macros have no real value and are easily replaced with a simple if() block.
Existing users have been converted using a new cocci script. Deprecate them.
Signed-off-by: David Marchand <david.marchand@redhat.com>
|
| #
72b452c5 |
| 27-Aug-2022 |
Dmitry Kozlyuk <dmitry.kozliuk@gmail.com> |
eal: remove unneeded includes from a public header
Do not include <ctype.h>, <errno.h>, and <stdlib.h> from <rte_common.h>, because they are not used by this file. Include the needed headers directly from the files that need them.
Signed-off-by: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com> Acked-by: Bruce Richardson <bruce.richardson@intel.com>
|
|
Revision tags: v22.07, v22.07-rc4, v22.07-rc3, v22.07-rc2, v22.07-rc1, v22.03, v22.03-rc4, v22.03-rc3, v22.03-rc2 |
|
| #
30a1de10 |
| 15-Feb-2022 |
Sean Morrissey <sean.morrissey@intel.com> |
lib: remove unneeded header includes
These header includes have been flagged by the iwyu_tool and removed.
Signed-off-by: Sean Morrissey <sean.morrissey@intel.com>
|
|
Revision tags: v22.03-rc1, v21.11, v21.11-rc4, v21.11-rc3, v21.11-rc2 |
|
| #
259ca6d1 |
| 04-Nov-2021 |
Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com> |
security: add telemetry endpoint for capabilities
Add telemetry endpoint for cryptodev security capabilities. Details of endpoints added in documentation.
Signed-off-by: Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com>
|
|
Revision tags: v21.11-rc1 |
|
| #
d08dcd28 |
| 15-Sep-2021 |
Nithin Dabilpuram <ndabilpuram@marvell.com> |
security: add option for faster user/meta data access
Currently rte_security_set_pkt_metadata() and rte_security_get_userdata() methods to set pkt metadata on Inline outbound and get userdata after Inline inbound processing are always driver specific callbacks.
For drivers that do not have much to do in the callbacks but just to update metadata in rte_security dynamic field and get userdata from rte_security dynamic field, having to jump to a PMD specific callback is a costly per packet operation. This patch provides a mechanism to do the same in inline function and avoid function pointer jump if a driver supports the same.
Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Akhil Goyal <gakhil@marvell.com>
|
|
Revision tags: v21.08, v21.08-rc4, v21.08-rc3, v21.08-rc2, v21.08-rc1, v21.05, v21.05-rc4, v21.05-rc3, v21.05-rc2, v21.05-rc1 |
|
| #
99a2dd95 |
| 20-Apr-2021 |
Bruce Richardson <bruce.richardson@intel.com> |
lib: remove librte_ prefix from directory names
There is no reason for the DPDK libraries to all have 'librte_' prefix on the directory names. This prefix makes the directory names longer and also makes it awkward to add features referring to individual libraries in the build - should the lib names be specified with or without the prefix. Therefore, we can just remove the library prefix and use the library's unique name as the directory name, i.e. 'eal' rather than 'librte_eal'.
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
|