1 /*- 2 * BSD LICENSE 3 * 4 * Copyright (c) Intel Corporation. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * * Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * * Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in 15 * the documentation and/or other materials provided with the 16 * distribution. 17 * * Neither the name of Intel Corporation nor the names of its 18 * contributors may be used to endorse or promote products derived 19 * from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 24 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 25 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 26 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 27 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUcryptoION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 31 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include "vbdev_crypto.h" 35 36 #include "spdk/env.h" 37 #include "spdk/conf.h" 38 #include "spdk/endian.h" 39 #include "spdk/io_channel.h" 40 #include "spdk/bdev_module.h" 41 #include "spdk_internal/log.h" 42 43 #include <rte_config.h> 44 #include <rte_version.h> 45 #include <rte_bus_vdev.h> 46 #include <rte_crypto.h> 47 #include <rte_cryptodev.h> 48 #include <rte_cryptodev_pmd.h> 49 50 /* To add support for new device types, follow the examples of the following... 51 * Note that the string names are defined by the DPDK PMD in question so be 52 * sure to use the exact names. 53 */ 54 #define MAX_NUM_DRV_TYPES 2 55 56 /* The VF spread is the number of queue pairs between virtual functions, we use this to 57 * load balance the QAT device. 58 */ 59 #define QAT_VF_SPREAD 32 60 static uint8_t g_qat_total_qp = 0; 61 static uint8_t g_next_qat_index; 62 63 const char *g_driver_names[MAX_NUM_DRV_TYPES] = { AESNI_MB, QAT }; 64 65 /* Global list of available crypto devices. */ 66 struct vbdev_dev { 67 struct rte_cryptodev_info cdev_info; /* includes device friendly name */ 68 uint8_t cdev_id; /* identifier for the device */ 69 TAILQ_ENTRY(vbdev_dev) link; 70 }; 71 static TAILQ_HEAD(, vbdev_dev) g_vbdev_devs = TAILQ_HEAD_INITIALIZER(g_vbdev_devs); 72 73 /* Global list and lock for unique device/queue pair combos. We keep 1 list per supported PMD 74 * so that we can optimize per PMD where it make sense. For example, with QAT there an optimal 75 * pattern for assigning queue pairs where with AESNI there is not. 76 */ 77 struct device_qp { 78 struct vbdev_dev *device; /* ptr to crypto device */ 79 uint8_t qp; /* queue pair for this node */ 80 bool in_use; /* whether this node is in use or not */ 81 uint8_t index; /* used by QAT to load balance placement of qpairs */ 82 TAILQ_ENTRY(device_qp) link; 83 }; 84 static TAILQ_HEAD(, device_qp) g_device_qp_qat = TAILQ_HEAD_INITIALIZER(g_device_qp_qat); 85 static TAILQ_HEAD(, device_qp) g_device_qp_aesni_mb = TAILQ_HEAD_INITIALIZER(g_device_qp_aesni_mb); 86 static pthread_mutex_t g_device_qp_lock = PTHREAD_MUTEX_INITIALIZER; 87 88 89 /* In order to limit the number of resources we need to do one crypto 90 * operation per LBA (we use LBA as IV), we tell the bdev layer that 91 * our max IO size is something reasonable. Units here are in bytes. 92 */ 93 #define CRYPTO_MAX_IO (64 * 1024) 94 95 /* This controls how many ops will be dequeued from the crypto driver in one run 96 * of the poller. It is mainly a performance knob as it effectively determines how 97 * much work the poller has to do. However even that can vary between crypto drivers 98 * as the AESNI_MB driver for example does all the crypto work on dequeue whereas the 99 * QAT driver just dequeues what has been completed already. 100 */ 101 #define MAX_DEQUEUE_BURST_SIZE 64 102 103 /* When enqueueing, we need to supply the crypto driver with an array of pointers to 104 * operation structs. As each of these can be max 512B, we can adjust the CRYPTO_MAX_IO 105 * value in conjunction with the other defines to make sure we're not using crazy amounts 106 * of memory. All of these numbers can and probably should be adjusted based on the 107 * workload. By default we'll use the worst case (smallest) block size for the 108 * minimum number of array entries. As an example, a CRYPTO_MAX_IO size of 64K with 512B 109 * blocks would give us an enqueue array size of 128. 110 */ 111 #define MAX_ENQUEUE_ARRAY_SIZE (CRYPTO_MAX_IO / 512) 112 113 /* The number of MBUFS we need must be a power of two and to support other small IOs 114 * in addition to the limits mentioned above, we go to the next power of two. It is 115 * big number because it is one mempool for source and destination mbufs. It may 116 * need to be bigger to support multiple crypto drivers at once. 117 */ 118 #define NUM_MBUFS 32768 119 #define POOL_CACHE_SIZE 256 120 #define MAX_CRYPTO_VOLUMES 128 121 #define NUM_SESSIONS (2 * MAX_CRYPTO_VOLUMES) 122 #define SESS_MEMPOOL_CACHE_SIZE 0 123 uint8_t g_number_of_claimed_volumes = 0; 124 125 /* This is the max number of IOs we can supply to any crypto device QP at one time. 126 * It can vary between drivers. 127 */ 128 #define CRYPTO_QP_DESCRIPTORS 2048 129 130 /* Specific to AES_CBC. */ 131 #define AES_CBC_IV_LENGTH 16 132 #define AES_CBC_KEY_LENGTH 16 133 #define AES_XTS_KEY_LENGTH 16 /* XTS uses 2 keys, each of this size. */ 134 135 /* Common for suported devices. */ 136 #define IV_OFFSET (sizeof(struct rte_crypto_op) + \ 137 sizeof(struct rte_crypto_sym_op)) 138 #define QUEUED_OP_OFFSET (IV_OFFSET + AES_CBC_IV_LENGTH) 139 140 static void _complete_internal_io(struct spdk_bdev_io *bdev_io, bool success, void *cb_arg); 141 static void _complete_internal_read(struct spdk_bdev_io *bdev_io, bool success, void *cb_arg); 142 static void _complete_internal_write(struct spdk_bdev_io *bdev_io, bool success, void *cb_arg); 143 static void vbdev_crypto_examine(struct spdk_bdev *bdev); 144 static int vbdev_crypto_claim(struct spdk_bdev *bdev); 145 static void vbdev_crypto_submit_request(struct spdk_io_channel *ch, struct spdk_bdev_io *bdev_io); 146 147 /* List of crypto_bdev names and their base bdevs via configuration file. */ 148 struct bdev_names { 149 char *vbdev_name; /* name of the vbdev to create */ 150 char *bdev_name; /* base bdev name */ 151 152 /* Note, for dev/test we allow use of key in the config file, for production 153 * use, you must use an RPC to specify the key for security reasons. 154 */ 155 uint8_t *key; /* key per bdev */ 156 char *drv_name; /* name of the crypto device driver */ 157 char *cipher; /* AES_CBC or AES_XTS */ 158 uint8_t *key2; /* key #2 for AES_XTS, per bdev */ 159 TAILQ_ENTRY(bdev_names) link; 160 }; 161 static TAILQ_HEAD(, bdev_names) g_bdev_names = TAILQ_HEAD_INITIALIZER(g_bdev_names); 162 163 /* List of virtual bdevs and associated info for each. We keep the device friendly name here even 164 * though its also in the device struct because we use it early on. 165 */ 166 struct vbdev_crypto { 167 struct spdk_bdev *base_bdev; /* the thing we're attaching to */ 168 struct spdk_bdev_desc *base_desc; /* its descriptor we get from open */ 169 struct spdk_bdev crypto_bdev; /* the crypto virtual bdev */ 170 uint8_t *key; /* key per bdev */ 171 char *drv_name; /* name of the crypto device driver */ 172 struct rte_cryptodev_sym_session *session_encrypt; /* encryption session for this bdev */ 173 struct rte_cryptodev_sym_session *session_decrypt; /* decryption session for this bdev */ 174 struct rte_crypto_sym_xform cipher_xform; /* crypto control struct for this bdev */ 175 TAILQ_ENTRY(vbdev_crypto) link; 176 }; 177 static TAILQ_HEAD(, vbdev_crypto) g_vbdev_crypto = TAILQ_HEAD_INITIALIZER(g_vbdev_crypto); 178 179 /* Shared mempools between all devices on this system */ 180 static struct rte_mempool *g_session_mp = NULL; 181 static struct rte_mempool *g_session_mp_priv = NULL; 182 static struct spdk_mempool *g_mbuf_mp = NULL; /* mbuf mempool */ 183 static struct rte_mempool *g_crypto_op_mp = NULL; /* crypto operations, must be rte* mempool */ 184 185 /* For queueing up crypto operations that we can't submit for some reason */ 186 struct vbdev_crypto_op { 187 uint8_t cdev_id; 188 uint8_t qp; 189 struct rte_crypto_op *crypto_op; 190 struct spdk_bdev_io *bdev_io; 191 TAILQ_ENTRY(vbdev_crypto_op) link; 192 }; 193 #define QUEUED_OP_LENGTH (sizeof(struct vbdev_crypto_op)) 194 195 /* The crypto vbdev channel struct. It is allocated and freed on my behalf by the io channel code. 196 * We store things in here that are needed on per thread basis like the base_channel for this thread, 197 * and the poller for this thread. 198 */ 199 struct crypto_io_channel { 200 struct spdk_io_channel *base_ch; /* IO channel of base device */ 201 struct spdk_poller *poller; /* completion poller */ 202 struct device_qp *device_qp; /* unique device/qp combination for this channel */ 203 TAILQ_HEAD(, spdk_bdev_io) pending_cry_ios; /* outstanding operations to the crypto device */ 204 struct spdk_io_channel_iter *iter; /* used with for_each_channel in reset */ 205 TAILQ_HEAD(, vbdev_crypto_op) queued_cry_ops; /* queued for re-submission to CryptoDev */ 206 }; 207 208 /* This is the crypto per IO context that the bdev layer allocates for us opaquely and attaches to 209 * each IO for us. 210 */ 211 struct crypto_bdev_io { 212 int cryop_cnt_remaining; /* counter used when completing crypto ops */ 213 struct crypto_io_channel *crypto_ch; /* need to store for crypto completion handling */ 214 struct vbdev_crypto *crypto_bdev; /* the crypto node struct associated with this IO */ 215 struct spdk_bdev_io *orig_io; /* the original IO */ 216 struct spdk_bdev_io *read_io; /* the read IO we issued */ 217 int8_t bdev_io_status; /* the status we'll report back on the bdev IO */ 218 bool on_pending_list; 219 /* Used for the single contiguous buffer that serves as the crypto destination target for writes */ 220 uint64_t aux_num_blocks; /* num of blocks for the contiguous buffer */ 221 uint64_t aux_offset_blocks; /* block offset on media */ 222 void *aux_buf_raw; /* raw buffer that the bdev layer gave us for write buffer */ 223 struct iovec aux_buf_iov; /* iov representing aligned contig write buffer */ 224 225 /* for bdev_io_wait */ 226 struct spdk_bdev_io_wait_entry bdev_io_wait; 227 struct spdk_io_channel *ch; 228 }; 229 230 /* Called by vbdev_crypto_init_crypto_drivers() to init each discovered crypto device */ 231 static int 232 create_vbdev_dev(uint8_t index, uint16_t num_lcores) 233 { 234 struct vbdev_dev *device; 235 uint8_t j, cdev_id, cdrv_id; 236 struct device_qp *dev_qp; 237 struct device_qp *tmp_qp; 238 int rc; 239 TAILQ_HEAD(device_qps, device_qp) *dev_qp_head; 240 241 device = calloc(1, sizeof(struct vbdev_dev)); 242 if (!device) { 243 return -ENOMEM; 244 } 245 246 /* Get details about this device. */ 247 rte_cryptodev_info_get(index, &device->cdev_info); 248 cdrv_id = device->cdev_info.driver_id; 249 cdev_id = device->cdev_id = index; 250 251 /* Before going any further, make sure we have enough resources for this 252 * device type to function. We need a unique queue pair per core accross each 253 * device type to remain lockless.... 254 */ 255 if ((rte_cryptodev_device_count_by_driver(cdrv_id) * 256 device->cdev_info.max_nb_queue_pairs) < num_lcores) { 257 SPDK_ERRLOG("Insufficient unique queue pairs available for %s\n", 258 device->cdev_info.driver_name); 259 SPDK_ERRLOG("Either add more crypto devices or decrease core count\n"); 260 rc = -EINVAL; 261 goto err; 262 } 263 264 /* Setup queue pairs. */ 265 struct rte_cryptodev_config conf = { 266 .nb_queue_pairs = device->cdev_info.max_nb_queue_pairs, 267 .socket_id = SPDK_ENV_SOCKET_ID_ANY 268 }; 269 270 rc = rte_cryptodev_configure(cdev_id, &conf); 271 if (rc < 0) { 272 SPDK_ERRLOG("Failed to configure cryptodev %u\n", cdev_id); 273 rc = -EINVAL; 274 goto err; 275 } 276 277 struct rte_cryptodev_qp_conf qp_conf = { 278 .nb_descriptors = CRYPTO_QP_DESCRIPTORS, 279 #if RTE_VERSION >= RTE_VERSION_NUM(19, 02, 0, 0) 280 .mp_session = g_session_mp, 281 .mp_session_private = g_session_mp_priv, 282 #endif 283 }; 284 285 /* Pre-setup all potential qpairs now and assign them in the channel 286 * callback. If we were to create them there, we'd have to stop the 287 * entire device affecting all other threads that might be using it 288 * even on other queue pairs. 289 */ 290 for (j = 0; j < device->cdev_info.max_nb_queue_pairs; j++) { 291 #if RTE_VERSION >= RTE_VERSION_NUM(19, 02, 0, 0) 292 rc = rte_cryptodev_queue_pair_setup(cdev_id, j, &qp_conf, SOCKET_ID_ANY); 293 #else 294 rc = rte_cryptodev_queue_pair_setup(cdev_id, j, &qp_conf, SOCKET_ID_ANY, 295 g_session_mp); 296 #endif 297 298 if (rc < 0) { 299 SPDK_ERRLOG("Failed to setup queue pair %u on " 300 "cryptodev %u\n", j, cdev_id); 301 rc = -EINVAL; 302 goto err; 303 } 304 } 305 306 rc = rte_cryptodev_start(cdev_id); 307 if (rc < 0) { 308 SPDK_ERRLOG("Failed to start device %u: error %d\n", 309 cdev_id, rc); 310 rc = -EINVAL; 311 goto err; 312 } 313 314 /* Select the right device/qp list based on driver name 315 * or error if it does not exist. 316 */ 317 if (strcmp(device->cdev_info.driver_name, QAT) == 0) { 318 dev_qp_head = (struct device_qps *)&g_device_qp_qat; 319 } else if (strcmp(device->cdev_info.driver_name, AESNI_MB) == 0) { 320 dev_qp_head = (struct device_qps *)&g_device_qp_aesni_mb; 321 } else { 322 rc = -EINVAL; 323 goto err; 324 } 325 326 /* Build up lists of device/qp combinations per PMD */ 327 for (j = 0; j < device->cdev_info.max_nb_queue_pairs; j++) { 328 dev_qp = calloc(1, sizeof(struct device_qp)); 329 if (!dev_qp) { 330 rc = -ENOMEM; 331 goto err_qp_alloc; 332 } 333 dev_qp->device = device; 334 dev_qp->qp = j; 335 dev_qp->in_use = false; 336 if (strcmp(device->cdev_info.driver_name, QAT) == 0) { 337 g_qat_total_qp++; 338 } 339 TAILQ_INSERT_TAIL(dev_qp_head, dev_qp, link); 340 } 341 342 /* Add to our list of available crypto devices. */ 343 TAILQ_INSERT_TAIL(&g_vbdev_devs, device, link); 344 345 return 0; 346 err_qp_alloc: 347 TAILQ_FOREACH_SAFE(dev_qp, dev_qp_head, link, tmp_qp) { 348 TAILQ_REMOVE(dev_qp_head, dev_qp, link); 349 free(dev_qp); 350 } 351 err: 352 free(device); 353 354 return rc; 355 } 356 357 /* This is called from the module's init function. We setup all crypto devices early on as we are unable 358 * to easily dynamically configure queue pairs after the drivers are up and running. So, here, we 359 * configure the max capabilities of each device and assign threads to queue pairs as channels are 360 * requested. 361 */ 362 static int 363 vbdev_crypto_init_crypto_drivers(void) 364 { 365 uint8_t cdev_count; 366 uint8_t cdev_id; 367 int i, rc = 0; 368 struct vbdev_dev *device; 369 struct vbdev_dev *tmp_dev; 370 struct device_qp *dev_qp; 371 unsigned int max_sess_size = 0, sess_size; 372 uint16_t num_lcores = rte_lcore_count(); 373 374 /* Only the first call, via RPC or module init should init the crypto drivers. */ 375 if (g_session_mp != NULL) { 376 return 0; 377 } 378 379 /* We always init AESNI_MB */ 380 rc = rte_vdev_init(AESNI_MB, NULL); 381 if (rc) { 382 SPDK_ERRLOG("error creating virtual PMD %s\n", AESNI_MB); 383 return -EINVAL; 384 } 385 386 /* If we have no crypto devices, there's no reason to continue. */ 387 cdev_count = rte_cryptodev_count(); 388 if (cdev_count == 0) { 389 return 0; 390 } 391 392 /* 393 * Create global mempools, shared by all devices regardless of type. 394 */ 395 396 /* First determine max session size, most pools are shared by all the devices, 397 * so we need to find the global max sessions size. 398 */ 399 for (cdev_id = 0; cdev_id < cdev_count; cdev_id++) { 400 sess_size = rte_cryptodev_sym_get_private_session_size(cdev_id); 401 if (sess_size > max_sess_size) { 402 max_sess_size = sess_size; 403 } 404 } 405 406 #if RTE_VERSION >= RTE_VERSION_NUM(19, 02, 0, 0) 407 g_session_mp_priv = rte_mempool_create("session_mp_priv", NUM_SESSIONS, max_sess_size, 408 SESS_MEMPOOL_CACHE_SIZE, 0, NULL, NULL, NULL, 409 NULL, SOCKET_ID_ANY, 0); 410 if (g_session_mp_priv == NULL) { 411 SPDK_ERRLOG("Cannot create private session pool max size 0x%x\n", max_sess_size); 412 return -ENOMEM; 413 } 414 415 g_session_mp = rte_cryptodev_sym_session_pool_create( 416 "session_mp", 417 NUM_SESSIONS, 0, SESS_MEMPOOL_CACHE_SIZE, 0, 418 SOCKET_ID_ANY); 419 #else 420 g_session_mp = rte_mempool_create("session_mp", NUM_SESSIONS, max_sess_size, 421 SESS_MEMPOOL_CACHE_SIZE, 422 0, NULL, NULL, NULL, NULL, SOCKET_ID_ANY, 0); 423 #endif 424 if (g_session_mp == NULL) { 425 SPDK_ERRLOG("Cannot create session pool max size 0x%x\n", max_sess_size); 426 goto error_create_session_mp; 427 return -ENOMEM; 428 } 429 430 g_mbuf_mp = spdk_mempool_create("mbuf_mp", NUM_MBUFS, sizeof(struct rte_mbuf), 431 SPDK_MEMPOOL_DEFAULT_CACHE_SIZE, 432 SPDK_ENV_SOCKET_ID_ANY); 433 if (g_mbuf_mp == NULL) { 434 SPDK_ERRLOG("Cannot create mbuf pool\n"); 435 rc = -ENOMEM; 436 goto error_create_mbuf; 437 } 438 439 /* We use per op private data to store the IV and our own struct 440 * for queueing ops. 441 */ 442 g_crypto_op_mp = rte_crypto_op_pool_create("op_mp", 443 RTE_CRYPTO_OP_TYPE_SYMMETRIC, 444 NUM_MBUFS, 445 POOL_CACHE_SIZE, 446 AES_CBC_IV_LENGTH + QUEUED_OP_LENGTH, 447 rte_socket_id()); 448 449 if (g_crypto_op_mp == NULL) { 450 SPDK_ERRLOG("Cannot create op pool\n"); 451 rc = -ENOMEM; 452 goto error_create_op; 453 } 454 455 /* Init all devices */ 456 for (i = 0; i < cdev_count; i++) { 457 rc = create_vbdev_dev(i, num_lcores); 458 if (rc) { 459 goto err; 460 } 461 } 462 463 /* Assign index values to the QAT device qp nodes so that we can 464 * assign them for optimal performance. 465 */ 466 i = 0; 467 TAILQ_FOREACH(dev_qp, &g_device_qp_qat, link) { 468 dev_qp->index = i++; 469 } 470 471 return 0; 472 473 /* Error cleanup paths. */ 474 err: 475 TAILQ_FOREACH_SAFE(device, &g_vbdev_devs, link, tmp_dev) { 476 TAILQ_REMOVE(&g_vbdev_devs, device, link); 477 free(device); 478 } 479 rte_mempool_free(g_crypto_op_mp); 480 g_crypto_op_mp = NULL; 481 error_create_op: 482 spdk_mempool_free(g_mbuf_mp); 483 g_mbuf_mp = NULL; 484 error_create_mbuf: 485 rte_mempool_free(g_session_mp); 486 g_session_mp = NULL; 487 error_create_session_mp: 488 if (g_session_mp_priv != NULL) { 489 rte_mempool_free(g_session_mp_priv); 490 g_session_mp_priv = NULL; 491 } 492 return rc; 493 } 494 495 /* Following an encrypt or decrypt we need to then either write the encrypted data or finish 496 * the read on decrypted data. Do that here. 497 */ 498 static void 499 _crypto_operation_complete(struct spdk_bdev_io *bdev_io) 500 { 501 struct vbdev_crypto *crypto_bdev = SPDK_CONTAINEROF(bdev_io->bdev, struct vbdev_crypto, 502 crypto_bdev); 503 struct crypto_bdev_io *io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 504 struct crypto_io_channel *crypto_ch = io_ctx->crypto_ch; 505 struct spdk_bdev_io *free_me = io_ctx->read_io; 506 int rc = 0; 507 508 TAILQ_REMOVE(&crypto_ch->pending_cry_ios, bdev_io, module_link); 509 510 if (bdev_io->type == SPDK_BDEV_IO_TYPE_READ) { 511 512 /* Complete the original IO and then free the one that we created 513 * as a result of issuing an IO via submit_request. 514 */ 515 if (io_ctx->bdev_io_status != SPDK_BDEV_IO_STATUS_FAILED) { 516 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_SUCCESS); 517 } else { 518 SPDK_ERRLOG("Issue with decryption on bdev_io %p\n", bdev_io); 519 rc = -EINVAL; 520 } 521 spdk_bdev_free_io(free_me); 522 523 } else if (bdev_io->type == SPDK_BDEV_IO_TYPE_WRITE) { 524 525 if (io_ctx->bdev_io_status != SPDK_BDEV_IO_STATUS_FAILED) { 526 /* Write the encrypted data. */ 527 rc = spdk_bdev_writev_blocks(crypto_bdev->base_desc, crypto_ch->base_ch, 528 &io_ctx->aux_buf_iov, 1, io_ctx->aux_offset_blocks, 529 io_ctx->aux_num_blocks, _complete_internal_write, 530 bdev_io); 531 } else { 532 SPDK_ERRLOG("Issue with encryption on bdev_io %p\n", bdev_io); 533 rc = -EINVAL; 534 } 535 536 } else { 537 SPDK_ERRLOG("Unknown bdev type %u on crypto operation completion\n", 538 bdev_io->type); 539 rc = -EINVAL; 540 } 541 542 if (rc) { 543 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_FAILED); 544 } 545 } 546 547 static int _crypto_operation(struct spdk_bdev_io *bdev_io, 548 enum rte_crypto_cipher_operation crypto_op, 549 void *aux_buf); 550 551 /* This is the poller for the crypto device. It uses a single API to dequeue whatever is ready at 552 * the device. Then we need to decide if what we've got so far (including previous poller 553 * runs) totals up to one or more complete bdev_ios and if so continue with the bdev_io 554 * accordingly. This means either completing a read or issuing a new write. 555 */ 556 static int 557 crypto_dev_poller(void *args) 558 { 559 struct crypto_io_channel *crypto_ch = args; 560 uint8_t cdev_id = crypto_ch->device_qp->device->cdev_id; 561 int i, num_dequeued_ops, num_enqueued_ops; 562 struct spdk_bdev_io *bdev_io = NULL; 563 struct crypto_bdev_io *io_ctx = NULL; 564 struct rte_crypto_op *dequeued_ops[MAX_DEQUEUE_BURST_SIZE]; 565 struct rte_crypto_op *mbufs_to_free[2 * MAX_DEQUEUE_BURST_SIZE]; 566 int num_mbufs = 0; 567 struct vbdev_crypto_op *op_to_resubmit; 568 569 /* Each run of the poller will get just what the device has available 570 * at the moment we call it, we don't check again after draining the 571 * first batch. 572 */ 573 num_dequeued_ops = rte_cryptodev_dequeue_burst(cdev_id, crypto_ch->device_qp->qp, 574 dequeued_ops, MAX_DEQUEUE_BURST_SIZE); 575 576 /* Check if operation was processed successfully */ 577 for (i = 0; i < num_dequeued_ops; i++) { 578 579 /* We don't know the order or association of the crypto ops wrt any 580 * partiular bdev_io so need to look at each and determine if it's 581 * the last one for it's bdev_io or not. 582 */ 583 bdev_io = (struct spdk_bdev_io *)dequeued_ops[i]->sym->m_src->userdata; 584 assert(bdev_io != NULL); 585 io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 586 587 if (dequeued_ops[i]->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { 588 SPDK_ERRLOG("error with op %d status %u\n", i, 589 dequeued_ops[i]->status); 590 /* Update the bdev status to error, we'll still process the 591 * rest of the crypto ops for this bdev_io though so they 592 * aren't left hanging. 593 */ 594 io_ctx->bdev_io_status = SPDK_BDEV_IO_STATUS_FAILED; 595 } 596 597 assert(io_ctx->cryop_cnt_remaining > 0); 598 599 /* Return the associated src and dst mbufs by collecting them into 600 * an array that we can use the bulk API to free after the loop. 601 */ 602 dequeued_ops[i]->sym->m_src->userdata = NULL; 603 mbufs_to_free[num_mbufs++] = (void *)dequeued_ops[i]->sym->m_src; 604 if (dequeued_ops[i]->sym->m_dst) { 605 mbufs_to_free[num_mbufs++] = (void *)dequeued_ops[i]->sym->m_dst; 606 } 607 608 /* done encrypting, complete the bdev_io */ 609 if (--io_ctx->cryop_cnt_remaining == 0) { 610 611 /* If we're completing this with an outstanding reset we need 612 * to fail it. 613 */ 614 if (crypto_ch->iter) { 615 bdev_io->internal.status = SPDK_BDEV_IO_STATUS_FAILED; 616 } 617 618 /* Complete the IO */ 619 _crypto_operation_complete(bdev_io); 620 } 621 } 622 623 /* Now bulk free both mbufs and crypto operations. */ 624 if (num_dequeued_ops > 0) { 625 rte_mempool_put_bulk(g_crypto_op_mp, 626 (void **)dequeued_ops, 627 num_dequeued_ops); 628 assert(num_mbufs > 0); 629 spdk_mempool_put_bulk(g_mbuf_mp, 630 (void **)mbufs_to_free, 631 num_mbufs); 632 } 633 634 /* Check if there are any pending crypto ops to process */ 635 while (!TAILQ_EMPTY(&crypto_ch->queued_cry_ops)) { 636 op_to_resubmit = TAILQ_FIRST(&crypto_ch->queued_cry_ops); 637 io_ctx = (struct crypto_bdev_io *)op_to_resubmit->bdev_io->driver_ctx; 638 num_enqueued_ops = rte_cryptodev_enqueue_burst(op_to_resubmit->cdev_id, 639 op_to_resubmit->qp, 640 &op_to_resubmit->crypto_op, 641 1); 642 if (num_enqueued_ops == 1) { 643 /* Make sure we don't put this on twice as one bdev_io is made up 644 * of many crypto ops. 645 */ 646 if (io_ctx->on_pending_list == false) { 647 TAILQ_INSERT_TAIL(&crypto_ch->pending_cry_ios, op_to_resubmit->bdev_io, module_link); 648 io_ctx->on_pending_list = true; 649 } 650 TAILQ_REMOVE(&crypto_ch->queued_cry_ops, op_to_resubmit, link); 651 } else { 652 /* if we couldn't get one, just break and try again later. */ 653 break; 654 } 655 } 656 657 /* If the channel iter is not NULL, we need to continue to poll 658 * until the pending list is empty, then we can move on to the 659 * next channel. 660 */ 661 if (crypto_ch->iter && TAILQ_EMPTY(&crypto_ch->pending_cry_ios)) { 662 SPDK_NOTICELOG("Channel %p has been quiesced.\n", crypto_ch); 663 spdk_for_each_channel_continue(crypto_ch->iter, 0); 664 crypto_ch->iter = NULL; 665 } 666 667 return num_dequeued_ops; 668 } 669 670 /* We're either encrypting on the way down or decrypting on the way back. */ 671 static int 672 _crypto_operation(struct spdk_bdev_io *bdev_io, enum rte_crypto_cipher_operation crypto_op, 673 void *aux_buf) 674 { 675 uint16_t num_enqueued_ops = 0; 676 uint32_t cryop_cnt = bdev_io->u.bdev.num_blocks; 677 struct crypto_bdev_io *io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 678 struct crypto_io_channel *crypto_ch = io_ctx->crypto_ch; 679 uint8_t cdev_id = crypto_ch->device_qp->device->cdev_id; 680 uint32_t crypto_len = io_ctx->crypto_bdev->crypto_bdev.blocklen; 681 uint64_t total_length = bdev_io->u.bdev.num_blocks * crypto_len; 682 int rc; 683 uint32_t iov_index = 0; 684 uint32_t allocated = 0; 685 uint8_t *current_iov = NULL; 686 uint64_t total_remaining = 0; 687 uint64_t updated_length, current_iov_remaining = 0; 688 uint32_t crypto_index = 0; 689 uint32_t en_offset = 0; 690 struct rte_crypto_op *crypto_ops[MAX_ENQUEUE_ARRAY_SIZE]; 691 struct rte_mbuf *src_mbufs[MAX_ENQUEUE_ARRAY_SIZE]; 692 struct rte_mbuf *dst_mbufs[MAX_ENQUEUE_ARRAY_SIZE]; 693 int burst; 694 struct vbdev_crypto_op *op_to_queue; 695 uint64_t alignment = spdk_bdev_get_buf_align(&io_ctx->crypto_bdev->crypto_bdev); 696 697 assert((bdev_io->u.bdev.num_blocks * bdev_io->bdev->blocklen) <= CRYPTO_MAX_IO); 698 699 /* Get the number of source mbufs that we need. These will always be 1:1 because we 700 * don't support chaining. The reason we don't is because of our decision to use 701 * LBA as IV, there can be no case where we'd need >1 mbuf per crypto op or the 702 * op would be > 1 LBA. 703 */ 704 rc = spdk_mempool_get_bulk(g_mbuf_mp, (void **)&src_mbufs[0], cryop_cnt); 705 if (rc) { 706 SPDK_ERRLOG("ERROR trying to get src_mbufs!\n"); 707 return -ENOMEM; 708 } 709 710 /* Get the same amount but these buffers to describe the encrypted data location (dst). */ 711 if (crypto_op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { 712 rc = spdk_mempool_get_bulk(g_mbuf_mp, (void **)&dst_mbufs[0], cryop_cnt); 713 if (rc) { 714 SPDK_ERRLOG("ERROR trying to get dst_mbufs!\n"); 715 rc = -ENOMEM; 716 goto error_get_dst; 717 } 718 } 719 720 #ifdef __clang_analyzer__ 721 /* silence scan-build false positive */ 722 SPDK_CLANG_ANALYZER_PREINIT_PTR_ARRAY(crypto_ops, MAX_ENQUEUE_ARRAY_SIZE, 0x1000); 723 #endif 724 /* Allocate crypto operations. */ 725 allocated = rte_crypto_op_bulk_alloc(g_crypto_op_mp, 726 RTE_CRYPTO_OP_TYPE_SYMMETRIC, 727 crypto_ops, cryop_cnt); 728 if (allocated < cryop_cnt) { 729 SPDK_ERRLOG("ERROR trying to get crypto ops!\n"); 730 rc = -ENOMEM; 731 goto error_get_ops; 732 } 733 734 /* For encryption, we need to prepare a single contiguous buffer as the encryption 735 * destination, we'll then pass that along for the write after encryption is done. 736 * This is done to avoiding encrypting the provided write buffer which may be 737 * undesirable in some use cases. 738 */ 739 if (crypto_op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { 740 io_ctx->aux_buf_iov.iov_len = total_length; 741 io_ctx->aux_buf_raw = aux_buf; 742 io_ctx->aux_buf_iov.iov_base = (void *)(((uintptr_t)aux_buf + (alignment - 1)) & ~(alignment - 1)); 743 io_ctx->aux_offset_blocks = bdev_io->u.bdev.offset_blocks; 744 io_ctx->aux_num_blocks = bdev_io->u.bdev.num_blocks; 745 } 746 747 /* This value is used in the completion callback to determine when the bdev_io is 748 * complete. 749 */ 750 io_ctx->cryop_cnt_remaining = cryop_cnt; 751 752 /* As we don't support chaining because of a decision to use LBA as IV, construction 753 * of crypto operations is straightforward. We build both the op, the mbuf and the 754 * dst_mbuf in our local arrays by looping through the length of the bdev IO and 755 * picking off LBA sized blocks of memory from the IOVs as we walk through them. Each 756 * LBA sized chunk of memory will correspond 1:1 to a crypto operation and a single 757 * mbuf per crypto operation. 758 */ 759 total_remaining = total_length; 760 current_iov = bdev_io->u.bdev.iovs[iov_index].iov_base; 761 current_iov_remaining = bdev_io->u.bdev.iovs[iov_index].iov_len; 762 do { 763 uint8_t *iv_ptr; 764 uint64_t op_block_offset; 765 766 /* Set the mbuf elements address and length. Null out the next pointer. */ 767 src_mbufs[crypto_index]->buf_addr = current_iov; 768 src_mbufs[crypto_index]->data_len = updated_length = crypto_len; 769 /* TODO: Make this assignment conditional on QAT usage and add an assert. */ 770 src_mbufs[crypto_index]->buf_iova = spdk_vtophys((void *)current_iov, &updated_length); 771 src_mbufs[crypto_index]->next = NULL; 772 /* Store context in every mbuf as we don't know anything about completion order */ 773 src_mbufs[crypto_index]->userdata = bdev_io; 774 775 /* Set the IV - we use the LBA of the crypto_op */ 776 iv_ptr = rte_crypto_op_ctod_offset(crypto_ops[crypto_index], uint8_t *, 777 IV_OFFSET); 778 memset(iv_ptr, 0, AES_CBC_IV_LENGTH); 779 op_block_offset = bdev_io->u.bdev.offset_blocks + crypto_index; 780 rte_memcpy(iv_ptr, &op_block_offset, sizeof(uint64_t)); 781 782 /* Set the data to encrypt/decrypt length */ 783 crypto_ops[crypto_index]->sym->cipher.data.length = crypto_len; 784 crypto_ops[crypto_index]->sym->cipher.data.offset = 0; 785 786 /* link the mbuf to the crypto op. */ 787 crypto_ops[crypto_index]->sym->m_src = src_mbufs[crypto_index]; 788 if (crypto_op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { 789 crypto_ops[crypto_index]->sym->m_dst = src_mbufs[crypto_index]; 790 } else { 791 crypto_ops[crypto_index]->sym->m_dst = NULL; 792 } 793 794 /* For encrypt, point the destination to a buffer we allocate and redirect the bdev_io 795 * that will be used to process the write on completion to the same buffer. Setting 796 * up the en_buffer is a little simpler as we know the destination buffer is single IOV. 797 */ 798 if (crypto_op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { 799 800 /* Set the relevant destination en_mbuf elements. */ 801 dst_mbufs[crypto_index]->buf_addr = io_ctx->aux_buf_iov.iov_base + en_offset; 802 dst_mbufs[crypto_index]->data_len = updated_length = crypto_len; 803 /* TODO: Make this assignment conditional on QAT usage and add an assert. */ 804 dst_mbufs[crypto_index]->buf_iova = spdk_vtophys(dst_mbufs[crypto_index]->buf_addr, 805 &updated_length); 806 crypto_ops[crypto_index]->sym->m_dst = dst_mbufs[crypto_index]; 807 en_offset += crypto_len; 808 dst_mbufs[crypto_index]->next = NULL; 809 810 /* Attach the crypto session to the operation */ 811 rc = rte_crypto_op_attach_sym_session(crypto_ops[crypto_index], 812 io_ctx->crypto_bdev->session_encrypt); 813 if (rc) { 814 rc = -EINVAL; 815 goto error_attach_session; 816 } 817 818 } else { 819 /* Attach the crypto session to the operation */ 820 rc = rte_crypto_op_attach_sym_session(crypto_ops[crypto_index], 821 io_ctx->crypto_bdev->session_decrypt); 822 if (rc) { 823 rc = -EINVAL; 824 goto error_attach_session; 825 } 826 827 828 } 829 830 /* Subtract our running totals for the op in progress and the overall bdev io */ 831 total_remaining -= crypto_len; 832 current_iov_remaining -= crypto_len; 833 834 /* move our current IOV pointer accordingly. */ 835 current_iov += crypto_len; 836 837 /* move on to the next crypto operation */ 838 crypto_index++; 839 840 /* If we're done with this IOV, move to the next one. */ 841 if (current_iov_remaining == 0 && total_remaining > 0) { 842 iov_index++; 843 current_iov = bdev_io->u.bdev.iovs[iov_index].iov_base; 844 current_iov_remaining = bdev_io->u.bdev.iovs[iov_index].iov_len; 845 } 846 } while (total_remaining > 0); 847 848 /* Enqueue everything we've got but limit by the max number of descriptors we 849 * configured the crypto device for. 850 */ 851 burst = spdk_min(cryop_cnt, CRYPTO_QP_DESCRIPTORS); 852 num_enqueued_ops = rte_cryptodev_enqueue_burst(cdev_id, crypto_ch->device_qp->qp, 853 &crypto_ops[0], 854 burst); 855 856 /* Add this bdev_io to our outstanding list if any of its crypto ops made it. */ 857 if (num_enqueued_ops > 0) { 858 TAILQ_INSERT_TAIL(&crypto_ch->pending_cry_ios, bdev_io, module_link); 859 io_ctx->on_pending_list = true; 860 } 861 /* We were unable to enqueue everything but did get some, so need to decide what 862 * to do based on the status of the last op. 863 */ 864 if (num_enqueued_ops < cryop_cnt) { 865 switch (crypto_ops[num_enqueued_ops]->status) { 866 case RTE_CRYPTO_OP_STATUS_NOT_PROCESSED: 867 /* Queue them up on a linked list to be resubmitted via the poller. */ 868 for (crypto_index = num_enqueued_ops; crypto_index < cryop_cnt; crypto_index++) { 869 op_to_queue = (struct vbdev_crypto_op *)rte_crypto_op_ctod_offset(crypto_ops[crypto_index], 870 uint8_t *, QUEUED_OP_OFFSET); 871 op_to_queue->cdev_id = cdev_id; 872 op_to_queue->qp = crypto_ch->device_qp->qp; 873 op_to_queue->crypto_op = crypto_ops[crypto_index]; 874 op_to_queue->bdev_io = bdev_io; 875 TAILQ_INSERT_TAIL(&crypto_ch->queued_cry_ops, 876 op_to_queue, 877 link); 878 } 879 break; 880 default: 881 /* For all other statuses, set the io_ctx bdev_io status so that 882 * the poller will pick the failure up for the overall bdev status. 883 */ 884 io_ctx->bdev_io_status = SPDK_BDEV_IO_STATUS_FAILED; 885 if (num_enqueued_ops == 0) { 886 /* If nothing was enqueued, but the last one wasn't because of 887 * busy, fail it now as the poller won't know anything about it. 888 */ 889 _crypto_operation_complete(bdev_io); 890 rc = -EINVAL; 891 goto error_attach_session; 892 } 893 break; 894 } 895 } 896 897 return rc; 898 899 /* Error cleanup paths. */ 900 error_attach_session: 901 error_get_ops: 902 if (crypto_op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { 903 spdk_mempool_put_bulk(g_mbuf_mp, (void **)&dst_mbufs[0], 904 cryop_cnt); 905 } 906 if (allocated > 0) { 907 rte_mempool_put_bulk(g_crypto_op_mp, (void **)crypto_ops, 908 allocated); 909 } 910 error_get_dst: 911 spdk_mempool_put_bulk(g_mbuf_mp, (void **)&src_mbufs[0], 912 cryop_cnt); 913 return rc; 914 } 915 916 /* This function is called after all channels have been quiesced following 917 * a bdev reset. 918 */ 919 static void 920 _ch_quiesce_done(struct spdk_io_channel_iter *i, int status) 921 { 922 struct crypto_bdev_io *io_ctx = spdk_io_channel_iter_get_ctx(i); 923 924 assert(TAILQ_EMPTY(&io_ctx->crypto_ch->pending_cry_ios)); 925 assert(io_ctx->orig_io != NULL); 926 927 spdk_bdev_io_complete(io_ctx->orig_io, SPDK_BDEV_IO_STATUS_SUCCESS); 928 } 929 930 /* This function is called per channel to quiesce IOs before completing a 931 * bdev reset that we received. 932 */ 933 static void 934 _ch_quiesce(struct spdk_io_channel_iter *i) 935 { 936 struct spdk_io_channel *ch = spdk_io_channel_iter_get_channel(i); 937 struct crypto_io_channel *crypto_ch = spdk_io_channel_get_ctx(ch); 938 939 crypto_ch->iter = i; 940 /* When the poller runs, it will see the non-NULL iter and handle 941 * the quiesce. 942 */ 943 } 944 945 /* Completion callback for IO that were issued from this bdev other than read/write. 946 * They have their own for readability. 947 */ 948 static void 949 _complete_internal_io(struct spdk_bdev_io *bdev_io, bool success, void *cb_arg) 950 { 951 struct spdk_bdev_io *orig_io = cb_arg; 952 int status = success ? SPDK_BDEV_IO_STATUS_SUCCESS : SPDK_BDEV_IO_STATUS_FAILED; 953 954 if (bdev_io->type == SPDK_BDEV_IO_TYPE_RESET) { 955 struct crypto_bdev_io *orig_ctx = (struct crypto_bdev_io *)orig_io->driver_ctx; 956 957 assert(orig_io == orig_ctx->orig_io); 958 959 spdk_bdev_free_io(bdev_io); 960 961 spdk_for_each_channel(orig_ctx->crypto_bdev, 962 _ch_quiesce, 963 orig_ctx, 964 _ch_quiesce_done); 965 return; 966 } 967 968 spdk_bdev_io_complete(orig_io, status); 969 spdk_bdev_free_io(bdev_io); 970 } 971 972 /* Completion callback for writes that were issued from this bdev. */ 973 static void 974 _complete_internal_write(struct spdk_bdev_io *bdev_io, bool success, void *cb_arg) 975 { 976 struct spdk_bdev_io *orig_io = cb_arg; 977 int status = success ? SPDK_BDEV_IO_STATUS_SUCCESS : SPDK_BDEV_IO_STATUS_FAILED; 978 struct crypto_bdev_io *orig_ctx = (struct crypto_bdev_io *)orig_io->driver_ctx; 979 980 spdk_bdev_io_put_aux_buf(orig_io, orig_ctx->aux_buf_raw); 981 982 spdk_bdev_io_complete(orig_io, status); 983 spdk_bdev_free_io(bdev_io); 984 } 985 986 /* Completion callback for reads that were issued from this bdev. */ 987 static void 988 _complete_internal_read(struct spdk_bdev_io *bdev_io, bool success, void *cb_arg) 989 { 990 struct spdk_bdev_io *orig_io = cb_arg; 991 struct crypto_bdev_io *orig_ctx = (struct crypto_bdev_io *)orig_io->driver_ctx; 992 993 if (success) { 994 995 /* Save off this bdev_io so it can be freed after decryption. */ 996 orig_ctx->read_io = bdev_io; 997 998 if (!_crypto_operation(orig_io, RTE_CRYPTO_CIPHER_OP_DECRYPT, NULL)) { 999 return; 1000 } else { 1001 SPDK_ERRLOG("ERROR decrypting\n"); 1002 } 1003 } else { 1004 SPDK_ERRLOG("ERROR on read prior to decrypting\n"); 1005 } 1006 1007 spdk_bdev_io_complete(orig_io, SPDK_BDEV_IO_STATUS_FAILED); 1008 spdk_bdev_free_io(bdev_io); 1009 } 1010 1011 static void 1012 vbdev_crypto_resubmit_io(void *arg) 1013 { 1014 struct spdk_bdev_io *bdev_io = (struct spdk_bdev_io *)arg; 1015 struct crypto_bdev_io *io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 1016 1017 vbdev_crypto_submit_request(io_ctx->ch, bdev_io); 1018 } 1019 1020 static void 1021 vbdev_crypto_queue_io(struct spdk_bdev_io *bdev_io) 1022 { 1023 struct crypto_bdev_io *io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 1024 int rc; 1025 1026 io_ctx->bdev_io_wait.bdev = bdev_io->bdev; 1027 io_ctx->bdev_io_wait.cb_fn = vbdev_crypto_resubmit_io; 1028 io_ctx->bdev_io_wait.cb_arg = bdev_io; 1029 1030 rc = spdk_bdev_queue_io_wait(bdev_io->bdev, io_ctx->crypto_ch->base_ch, &io_ctx->bdev_io_wait); 1031 if (rc != 0) { 1032 SPDK_ERRLOG("Queue io failed in vbdev_crypto_queue_io, rc=%d.\n", rc); 1033 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_FAILED); 1034 } 1035 } 1036 1037 /* Callback for getting a buf from the bdev pool in the event that the caller passed 1038 * in NULL, we need to own the buffer so it doesn't get freed by another vbdev module 1039 * beneath us before we're done with it. 1040 */ 1041 static void 1042 crypto_read_get_buf_cb(struct spdk_io_channel *ch, struct spdk_bdev_io *bdev_io, 1043 bool success) 1044 { 1045 struct vbdev_crypto *crypto_bdev = SPDK_CONTAINEROF(bdev_io->bdev, struct vbdev_crypto, 1046 crypto_bdev); 1047 struct crypto_io_channel *crypto_ch = spdk_io_channel_get_ctx(ch); 1048 struct crypto_bdev_io *io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 1049 int rc; 1050 1051 if (!success) { 1052 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_FAILED); 1053 return; 1054 } 1055 1056 rc = spdk_bdev_readv_blocks(crypto_bdev->base_desc, crypto_ch->base_ch, bdev_io->u.bdev.iovs, 1057 bdev_io->u.bdev.iovcnt, bdev_io->u.bdev.offset_blocks, 1058 bdev_io->u.bdev.num_blocks, _complete_internal_read, 1059 bdev_io); 1060 if (rc != 0) { 1061 if (rc == -ENOMEM) { 1062 SPDK_DEBUGLOG(SPDK_LOG_CRYPTO, "No memory, queue the IO.\n"); 1063 io_ctx->ch = ch; 1064 vbdev_crypto_queue_io(bdev_io); 1065 } else { 1066 SPDK_ERRLOG("ERROR on bdev_io submission!\n"); 1067 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_FAILED); 1068 } 1069 } 1070 } 1071 1072 /* For encryption we don't want to encrypt the data in place as the host isn't 1073 * expecting us to mangle its data buffers so we need to encrypt into the bdev 1074 * aux buffer, then we can use that as the source for the disk data transfer. 1075 */ 1076 static void 1077 crypto_write_get_buf_cb(struct spdk_io_channel *ch, struct spdk_bdev_io *bdev_io, 1078 void *aux_buf) 1079 { 1080 struct crypto_bdev_io *io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 1081 int rc = 0; 1082 1083 rc = _crypto_operation(bdev_io, RTE_CRYPTO_CIPHER_OP_ENCRYPT, aux_buf); 1084 if (rc != 0) { 1085 spdk_bdev_io_put_aux_buf(bdev_io, aux_buf); 1086 if (rc == -ENOMEM) { 1087 SPDK_DEBUGLOG(SPDK_LOG_CRYPTO, "No memory, queue the IO.\n"); 1088 io_ctx->ch = ch; 1089 vbdev_crypto_queue_io(bdev_io); 1090 } else { 1091 SPDK_ERRLOG("ERROR on bdev_io submission!\n"); 1092 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_FAILED); 1093 } 1094 } 1095 } 1096 1097 /* Called when someone submits IO to this crypto vbdev. For IO's not relevant to crypto, 1098 * we're simply passing it on here via SPDK IO calls which in turn allocate another bdev IO 1099 * and call our cpl callback provided below along with the original bdev_io so that we can 1100 * complete it once this IO completes. For crypto operations, we'll either encrypt it first 1101 * (writes) then call back into bdev to submit it or we'll submit a read and then catch it 1102 * on the way back for decryption. 1103 */ 1104 static void 1105 vbdev_crypto_submit_request(struct spdk_io_channel *ch, struct spdk_bdev_io *bdev_io) 1106 { 1107 struct vbdev_crypto *crypto_bdev = SPDK_CONTAINEROF(bdev_io->bdev, struct vbdev_crypto, 1108 crypto_bdev); 1109 struct crypto_io_channel *crypto_ch = spdk_io_channel_get_ctx(ch); 1110 struct crypto_bdev_io *io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 1111 int rc = 0; 1112 1113 memset(io_ctx, 0, sizeof(struct crypto_bdev_io)); 1114 io_ctx->crypto_bdev = crypto_bdev; 1115 io_ctx->crypto_ch = crypto_ch; 1116 io_ctx->orig_io = bdev_io; 1117 io_ctx->bdev_io_status = SPDK_BDEV_IO_STATUS_SUCCESS; 1118 1119 switch (bdev_io->type) { 1120 case SPDK_BDEV_IO_TYPE_READ: 1121 spdk_bdev_io_get_buf(bdev_io, crypto_read_get_buf_cb, 1122 bdev_io->u.bdev.num_blocks * bdev_io->bdev->blocklen); 1123 break; 1124 case SPDK_BDEV_IO_TYPE_WRITE: 1125 /* Tell the bdev layer that we need an aux buf in addition to the data 1126 * buf already associated with the bdev. 1127 */ 1128 spdk_bdev_io_get_aux_buf(bdev_io, crypto_write_get_buf_cb); 1129 break; 1130 case SPDK_BDEV_IO_TYPE_UNMAP: 1131 rc = spdk_bdev_unmap_blocks(crypto_bdev->base_desc, crypto_ch->base_ch, 1132 bdev_io->u.bdev.offset_blocks, 1133 bdev_io->u.bdev.num_blocks, 1134 _complete_internal_io, bdev_io); 1135 break; 1136 case SPDK_BDEV_IO_TYPE_FLUSH: 1137 rc = spdk_bdev_flush_blocks(crypto_bdev->base_desc, crypto_ch->base_ch, 1138 bdev_io->u.bdev.offset_blocks, 1139 bdev_io->u.bdev.num_blocks, 1140 _complete_internal_io, bdev_io); 1141 break; 1142 case SPDK_BDEV_IO_TYPE_RESET: 1143 rc = spdk_bdev_reset(crypto_bdev->base_desc, crypto_ch->base_ch, 1144 _complete_internal_io, bdev_io); 1145 break; 1146 case SPDK_BDEV_IO_TYPE_WRITE_ZEROES: 1147 default: 1148 SPDK_ERRLOG("crypto: unknown I/O type %d\n", bdev_io->type); 1149 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_FAILED); 1150 return; 1151 } 1152 1153 if (rc != 0) { 1154 if (rc == -ENOMEM) { 1155 SPDK_DEBUGLOG(SPDK_LOG_CRYPTO, "No memory, queue the IO.\n"); 1156 io_ctx->ch = ch; 1157 vbdev_crypto_queue_io(bdev_io); 1158 } else { 1159 SPDK_ERRLOG("ERROR on bdev_io submission!\n"); 1160 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_FAILED); 1161 } 1162 } 1163 } 1164 1165 /* We'll just call the base bdev and let it answer except for WZ command which 1166 * we always say we don't support so that the bdev layer will actually send us 1167 * real writes that we can encrypt. 1168 */ 1169 static bool 1170 vbdev_crypto_io_type_supported(void *ctx, enum spdk_bdev_io_type io_type) 1171 { 1172 struct vbdev_crypto *crypto_bdev = (struct vbdev_crypto *)ctx; 1173 1174 switch (io_type) { 1175 case SPDK_BDEV_IO_TYPE_WRITE: 1176 case SPDK_BDEV_IO_TYPE_UNMAP: 1177 case SPDK_BDEV_IO_TYPE_RESET: 1178 case SPDK_BDEV_IO_TYPE_READ: 1179 case SPDK_BDEV_IO_TYPE_FLUSH: 1180 return spdk_bdev_io_type_supported(crypto_bdev->base_bdev, io_type); 1181 case SPDK_BDEV_IO_TYPE_WRITE_ZEROES: 1182 /* Force the bdev layer to issue actual writes of zeroes so we can 1183 * encrypt them as regular writes. 1184 */ 1185 default: 1186 return false; 1187 } 1188 } 1189 1190 /* Callback for unregistering the IO device. */ 1191 static void 1192 _device_unregister_cb(void *io_device) 1193 { 1194 struct vbdev_crypto *crypto_bdev = io_device; 1195 1196 /* Done with this crypto_bdev. */ 1197 rte_cryptodev_sym_session_free(crypto_bdev->session_decrypt); 1198 rte_cryptodev_sym_session_free(crypto_bdev->session_encrypt); 1199 free(crypto_bdev->drv_name); 1200 free(crypto_bdev->key); 1201 free(crypto_bdev->crypto_bdev.name); 1202 free(crypto_bdev); 1203 } 1204 1205 /* Called after we've unregistered following a hot remove callback. 1206 * Our finish entry point will be called next. 1207 */ 1208 static int 1209 vbdev_crypto_destruct(void *ctx) 1210 { 1211 struct vbdev_crypto *crypto_bdev = (struct vbdev_crypto *)ctx; 1212 1213 /* Remove this device from the internal list */ 1214 TAILQ_REMOVE(&g_vbdev_crypto, crypto_bdev, link); 1215 1216 /* Unclaim the underlying bdev. */ 1217 spdk_bdev_module_release_bdev(crypto_bdev->base_bdev); 1218 1219 /* Close the underlying bdev. */ 1220 spdk_bdev_close(crypto_bdev->base_desc); 1221 1222 /* Unregister the io_device. */ 1223 spdk_io_device_unregister(crypto_bdev, _device_unregister_cb); 1224 1225 g_number_of_claimed_volumes--; 1226 1227 return 0; 1228 } 1229 1230 /* We supplied this as an entry point for upper layers who want to communicate to this 1231 * bdev. This is how they get a channel. We are passed the same context we provided when 1232 * we created our crypto vbdev in examine() which, for this bdev, is the address of one of 1233 * our context nodes. From here we'll ask the SPDK channel code to fill out our channel 1234 * struct and we'll keep it in our crypto node. 1235 */ 1236 static struct spdk_io_channel * 1237 vbdev_crypto_get_io_channel(void *ctx) 1238 { 1239 struct vbdev_crypto *crypto_bdev = (struct vbdev_crypto *)ctx; 1240 1241 /* The IO channel code will allocate a channel for us which consists of 1242 * the SPDK channel structure plus the size of our crypto_io_channel struct 1243 * that we passed in when we registered our IO device. It will then call 1244 * our channel create callback to populate any elements that we need to 1245 * update. 1246 */ 1247 return spdk_get_io_channel(crypto_bdev); 1248 } 1249 1250 /* This is the output for bdev_get_bdevs() for this vbdev */ 1251 static int 1252 vbdev_crypto_dump_info_json(void *ctx, struct spdk_json_write_ctx *w) 1253 { 1254 struct vbdev_crypto *crypto_bdev = (struct vbdev_crypto *)ctx; 1255 1256 spdk_json_write_name(w, "crypto"); 1257 spdk_json_write_object_begin(w); 1258 spdk_json_write_named_string(w, "base_bdev_name", spdk_bdev_get_name(crypto_bdev->base_bdev)); 1259 spdk_json_write_named_string(w, "name", spdk_bdev_get_name(&crypto_bdev->crypto_bdev)); 1260 spdk_json_write_named_string(w, "crypto_pmd", crypto_bdev->drv_name); 1261 spdk_json_write_named_string(w, "key", crypto_bdev->key); 1262 spdk_json_write_object_end(w); 1263 return 0; 1264 } 1265 1266 static int 1267 vbdev_crypto_config_json(struct spdk_json_write_ctx *w) 1268 { 1269 struct vbdev_crypto *crypto_bdev; 1270 1271 TAILQ_FOREACH(crypto_bdev, &g_vbdev_crypto, link) { 1272 spdk_json_write_object_begin(w); 1273 spdk_json_write_named_string(w, "method", "bdev_crypto_create"); 1274 spdk_json_write_named_object_begin(w, "params"); 1275 spdk_json_write_named_string(w, "base_bdev_name", spdk_bdev_get_name(crypto_bdev->base_bdev)); 1276 spdk_json_write_named_string(w, "name", spdk_bdev_get_name(&crypto_bdev->crypto_bdev)); 1277 spdk_json_write_named_string(w, "crypto_pmd", crypto_bdev->drv_name); 1278 spdk_json_write_named_string(w, "key", crypto_bdev->key); 1279 spdk_json_write_object_end(w); 1280 spdk_json_write_object_end(w); 1281 } 1282 return 0; 1283 } 1284 1285 /* Helper function for the channel creation callback. */ 1286 static void 1287 _assign_device_qp(struct vbdev_crypto *crypto_bdev, struct device_qp *device_qp, 1288 struct crypto_io_channel *crypto_ch) 1289 { 1290 pthread_mutex_lock(&g_device_qp_lock); 1291 if (strcmp(crypto_bdev->drv_name, QAT) == 0) { 1292 /* For some QAT devices, the optimal qp to use is every 32nd as this spreads the 1293 * workload out over the multiple virtual functions in the device. For the devices 1294 * where this isn't the case, it doesn't hurt. 1295 */ 1296 TAILQ_FOREACH(device_qp, &g_device_qp_qat, link) { 1297 if (device_qp->index != g_next_qat_index) { 1298 continue; 1299 } 1300 if (device_qp->in_use == false) { 1301 crypto_ch->device_qp = device_qp; 1302 device_qp->in_use = true; 1303 g_next_qat_index = (g_next_qat_index + QAT_VF_SPREAD) % g_qat_total_qp; 1304 break; 1305 } else { 1306 /* if the preferred index is used, skip to the next one in this set. */ 1307 g_next_qat_index = (g_next_qat_index + 1) % g_qat_total_qp; 1308 } 1309 } 1310 } else if (strcmp(crypto_bdev->drv_name, AESNI_MB) == 0) { 1311 TAILQ_FOREACH(device_qp, &g_device_qp_aesni_mb, link) { 1312 if (device_qp->in_use == false) { 1313 crypto_ch->device_qp = device_qp; 1314 device_qp->in_use = true; 1315 break; 1316 } 1317 } 1318 } 1319 pthread_mutex_unlock(&g_device_qp_lock); 1320 } 1321 1322 /* We provide this callback for the SPDK channel code to create a channel using 1323 * the channel struct we provided in our module get_io_channel() entry point. Here 1324 * we get and save off an underlying base channel of the device below us so that 1325 * we can communicate with the base bdev on a per channel basis. We also register the 1326 * poller used to complete crypto operations from the device. 1327 */ 1328 static int 1329 crypto_bdev_ch_create_cb(void *io_device, void *ctx_buf) 1330 { 1331 struct crypto_io_channel *crypto_ch = ctx_buf; 1332 struct vbdev_crypto *crypto_bdev = io_device; 1333 struct device_qp *device_qp = NULL; 1334 1335 crypto_ch->base_ch = spdk_bdev_get_io_channel(crypto_bdev->base_desc); 1336 crypto_ch->poller = spdk_poller_register(crypto_dev_poller, crypto_ch, 0); 1337 crypto_ch->device_qp = NULL; 1338 1339 /* Assign a device/qp combination that is unique per channel per PMD. */ 1340 _assign_device_qp(crypto_bdev, device_qp, crypto_ch); 1341 assert(crypto_ch->device_qp); 1342 1343 /* We use this queue to track outstanding IO in our layer. */ 1344 TAILQ_INIT(&crypto_ch->pending_cry_ios); 1345 1346 /* We use this to queue up crypto ops when the device is busy. */ 1347 TAILQ_INIT(&crypto_ch->queued_cry_ops); 1348 1349 return 0; 1350 } 1351 1352 /* We provide this callback for the SPDK channel code to destroy a channel 1353 * created with our create callback. We just need to undo anything we did 1354 * when we created. 1355 */ 1356 static void 1357 crypto_bdev_ch_destroy_cb(void *io_device, void *ctx_buf) 1358 { 1359 struct crypto_io_channel *crypto_ch = ctx_buf; 1360 1361 pthread_mutex_lock(&g_device_qp_lock); 1362 crypto_ch->device_qp->in_use = false; 1363 pthread_mutex_unlock(&g_device_qp_lock); 1364 1365 spdk_poller_unregister(&crypto_ch->poller); 1366 spdk_put_io_channel(crypto_ch->base_ch); 1367 } 1368 1369 /* Create the association from the bdev and vbdev name and insert 1370 * on the global list. */ 1371 static int 1372 vbdev_crypto_insert_name(const char *bdev_name, const char *vbdev_name, 1373 const char *crypto_pmd, const char *key, 1374 const char *cipher, const char *key2) 1375 { 1376 struct bdev_names *name; 1377 int rc, j; 1378 bool found = false; 1379 1380 TAILQ_FOREACH(name, &g_bdev_names, link) { 1381 if (strcmp(vbdev_name, name->vbdev_name) == 0) { 1382 SPDK_ERRLOG("crypto bdev %s already exists\n", vbdev_name); 1383 return -EEXIST; 1384 } 1385 } 1386 1387 name = calloc(1, sizeof(struct bdev_names)); 1388 if (!name) { 1389 SPDK_ERRLOG("could not allocate bdev_names\n"); 1390 return -ENOMEM; 1391 } 1392 1393 name->bdev_name = strdup(bdev_name); 1394 if (!name->bdev_name) { 1395 SPDK_ERRLOG("could not allocate name->bdev_name\n"); 1396 rc = -ENOMEM; 1397 goto error_alloc_bname; 1398 } 1399 1400 name->vbdev_name = strdup(vbdev_name); 1401 if (!name->vbdev_name) { 1402 SPDK_ERRLOG("could not allocate name->vbdev_name\n"); 1403 rc = -ENOMEM; 1404 goto error_alloc_vname; 1405 } 1406 1407 name->drv_name = strdup(crypto_pmd); 1408 if (!name->drv_name) { 1409 SPDK_ERRLOG("could not allocate name->drv_name\n"); 1410 rc = -ENOMEM; 1411 goto error_alloc_dname; 1412 } 1413 for (j = 0; j < MAX_NUM_DRV_TYPES ; j++) { 1414 if (strcmp(crypto_pmd, g_driver_names[j]) == 0) { 1415 found = true; 1416 break; 1417 } 1418 } 1419 if (!found) { 1420 SPDK_ERRLOG("invalid crypto PMD type %s\n", crypto_pmd); 1421 rc = -EINVAL; 1422 goto error_invalid_pmd; 1423 } 1424 1425 name->key = strdup(key); 1426 if (!name->key) { 1427 SPDK_ERRLOG("could not allocate name->key\n"); 1428 rc = -ENOMEM; 1429 goto error_alloc_key; 1430 } 1431 if (strlen(name->key) != AES_CBC_KEY_LENGTH) { 1432 SPDK_ERRLOG("invalid AES_CCB key length\n"); 1433 rc = -EINVAL; 1434 goto error_invalid_key; 1435 } 1436 1437 if (strncmp(cipher, AES_XTS, sizeof(AES_XTS)) == 0) { 1438 /* To please scan-build, input validation makes sure we can't 1439 * have this cipher without providing a key2. 1440 */ 1441 name->cipher = AES_XTS; 1442 assert(key2); 1443 if (strnlen(key2, (AES_XTS_KEY_LENGTH + 1)) != AES_XTS_KEY_LENGTH) { 1444 SPDK_ERRLOG("invalid AES_XTS key length\n"); 1445 rc = -EINVAL; 1446 goto error_invalid_key2; 1447 } 1448 1449 name->key2 = strdup(key2); 1450 if (!name->key2) { 1451 SPDK_ERRLOG("could not allocate name->key2\n"); 1452 rc = -ENOMEM; 1453 goto error_alloc_key2; 1454 } 1455 } else if (strncmp(cipher, AES_CBC, sizeof(AES_CBC)) == 0) { 1456 name->cipher = AES_CBC; 1457 } else { 1458 SPDK_ERRLOG("Invalid cipher: %s\n", cipher); 1459 rc = -EINVAL; 1460 goto error_cipher; 1461 } 1462 1463 TAILQ_INSERT_TAIL(&g_bdev_names, name, link); 1464 1465 return 0; 1466 1467 /* Error cleanup paths. */ 1468 error_alloc_key2: 1469 error_invalid_key2: 1470 error_cipher: 1471 error_invalid_key: 1472 free(name->key); 1473 error_alloc_key: 1474 error_invalid_pmd: 1475 free(name->drv_name); 1476 error_alloc_dname: 1477 free(name->vbdev_name); 1478 error_alloc_vname: 1479 free(name->bdev_name); 1480 error_alloc_bname: 1481 free(name); 1482 return rc; 1483 } 1484 1485 /* RPC entry point for crypto creation. */ 1486 int 1487 create_crypto_disk(const char *bdev_name, const char *vbdev_name, 1488 const char *crypto_pmd, const char *key, 1489 const char *cipher, const char *key2) 1490 { 1491 struct spdk_bdev *bdev = NULL; 1492 int rc = 0; 1493 1494 bdev = spdk_bdev_get_by_name(bdev_name); 1495 1496 rc = vbdev_crypto_insert_name(bdev_name, vbdev_name, crypto_pmd, key, cipher, key2); 1497 if (rc) { 1498 return rc; 1499 } 1500 1501 if (!bdev) { 1502 SPDK_NOTICELOG("vbdev creation deferred pending base bdev arrival\n"); 1503 return 0; 1504 } 1505 1506 rc = vbdev_crypto_claim(bdev); 1507 if (rc) { 1508 return rc; 1509 } 1510 1511 return rc; 1512 } 1513 1514 /* Called at driver init time, parses config file to prepare for examine calls, 1515 * also fully initializes the crypto drivers. 1516 */ 1517 static int 1518 vbdev_crypto_init(void) 1519 { 1520 struct spdk_conf_section *sp = NULL; 1521 const char *conf_bdev_name = NULL; 1522 const char *conf_vbdev_name = NULL; 1523 const char *crypto_pmd = NULL; 1524 int i; 1525 int rc = 0; 1526 const char *key = NULL; 1527 const char *cipher = NULL; 1528 const char *key2 = NULL; 1529 1530 /* Fully configure both SW and HW drivers. */ 1531 rc = vbdev_crypto_init_crypto_drivers(); 1532 if (rc) { 1533 SPDK_ERRLOG("Error setting up crypto devices\n"); 1534 return rc; 1535 } 1536 1537 sp = spdk_conf_find_section(NULL, "crypto"); 1538 if (sp == NULL) { 1539 return 0; 1540 } 1541 1542 for (i = 0; ; i++) { 1543 1544 if (!spdk_conf_section_get_nval(sp, "CRY", i)) { 1545 break; 1546 } 1547 1548 conf_bdev_name = spdk_conf_section_get_nmval(sp, "CRY", i, 0); 1549 if (!conf_bdev_name) { 1550 SPDK_ERRLOG("crypto configuration missing bdev name\n"); 1551 return -EINVAL; 1552 } 1553 1554 conf_vbdev_name = spdk_conf_section_get_nmval(sp, "CRY", i, 1); 1555 if (!conf_vbdev_name) { 1556 SPDK_ERRLOG("crypto configuration missing crypto_bdev name\n"); 1557 return -EINVAL; 1558 } 1559 1560 key = spdk_conf_section_get_nmval(sp, "CRY", i, 2); 1561 if (!key) { 1562 SPDK_ERRLOG("crypto configuration missing crypto_bdev key\n"); 1563 return -EINVAL; 1564 } 1565 SPDK_NOTICELOG("WARNING: You are storing your key in a plain text file!!\n"); 1566 1567 crypto_pmd = spdk_conf_section_get_nmval(sp, "CRY", i, 3); 1568 if (!crypto_pmd) { 1569 SPDK_ERRLOG("crypto configuration missing driver type\n"); 1570 return -EINVAL; 1571 } 1572 1573 /* These are optional. */ 1574 cipher = spdk_conf_section_get_nmval(sp, "CRY", i, 4); 1575 if (cipher == NULL) { 1576 cipher = AES_CBC; 1577 } 1578 key2 = spdk_conf_section_get_nmval(sp, "CRY", i, 5); 1579 1580 /* Note: config file options do not support QAT AES_XTS, use RPC */ 1581 rc = vbdev_crypto_insert_name(conf_bdev_name, conf_vbdev_name, 1582 crypto_pmd, key, cipher, key2); 1583 if (rc != 0) { 1584 return rc; 1585 } 1586 } 1587 1588 return rc; 1589 } 1590 1591 /* Called when the entire module is being torn down. */ 1592 static void 1593 vbdev_crypto_finish(void) 1594 { 1595 struct bdev_names *name; 1596 struct vbdev_dev *device; 1597 struct device_qp *dev_qp; 1598 unsigned i; 1599 int rc; 1600 1601 while ((name = TAILQ_FIRST(&g_bdev_names))) { 1602 TAILQ_REMOVE(&g_bdev_names, name, link); 1603 free(name->drv_name); 1604 free(name->key); 1605 free(name->bdev_name); 1606 free(name->vbdev_name); 1607 free(name->key2); 1608 free(name); 1609 } 1610 1611 while ((device = TAILQ_FIRST(&g_vbdev_devs))) { 1612 struct rte_cryptodev *rte_dev; 1613 1614 TAILQ_REMOVE(&g_vbdev_devs, device, link); 1615 rte_cryptodev_stop(device->cdev_id); 1616 1617 assert(device->cdev_id < RTE_CRYPTO_MAX_DEVS); 1618 rte_dev = &rte_cryptodevs[device->cdev_id]; 1619 1620 if (rte_dev->dev_ops->queue_pair_release != NULL) { 1621 for (i = 0; i < device->cdev_info.max_nb_queue_pairs; i++) { 1622 rte_dev->dev_ops->queue_pair_release(rte_dev, i); 1623 } 1624 } 1625 free(device); 1626 } 1627 rc = rte_vdev_uninit(AESNI_MB); 1628 if (rc) { 1629 SPDK_ERRLOG("%d from rte_vdev_uninit\n", rc); 1630 } 1631 1632 while ((dev_qp = TAILQ_FIRST(&g_device_qp_qat))) { 1633 TAILQ_REMOVE(&g_device_qp_qat, dev_qp, link); 1634 free(dev_qp); 1635 } 1636 1637 while ((dev_qp = TAILQ_FIRST(&g_device_qp_aesni_mb))) { 1638 TAILQ_REMOVE(&g_device_qp_aesni_mb, dev_qp, link); 1639 free(dev_qp); 1640 } 1641 1642 rte_mempool_free(g_crypto_op_mp); 1643 spdk_mempool_free(g_mbuf_mp); 1644 rte_mempool_free(g_session_mp); 1645 if (g_session_mp_priv != NULL) { 1646 rte_mempool_free(g_session_mp_priv); 1647 } 1648 } 1649 1650 /* During init we'll be asked how much memory we'd like passed to us 1651 * in bev_io structures as context. Here's where we specify how 1652 * much context we want per IO. 1653 */ 1654 static int 1655 vbdev_crypto_get_ctx_size(void) 1656 { 1657 return sizeof(struct crypto_bdev_io); 1658 } 1659 1660 /* Called when SPDK wants to save the current config of this vbdev module to 1661 * a file. 1662 */ 1663 static void 1664 vbdev_crypto_get_spdk_running_config(FILE *fp) 1665 { 1666 struct bdev_names *names = NULL; 1667 fprintf(fp, "\n[crypto]\n"); 1668 TAILQ_FOREACH(names, &g_bdev_names, link) { 1669 fprintf(fp, " crypto %s %s ", names->bdev_name, names->vbdev_name); 1670 fprintf(fp, "\n"); 1671 } 1672 1673 fprintf(fp, "\n"); 1674 } 1675 1676 /* Called when the underlying base bdev goes away. */ 1677 static void 1678 vbdev_crypto_examine_hotremove_cb(void *ctx) 1679 { 1680 struct vbdev_crypto *crypto_bdev, *tmp; 1681 struct spdk_bdev *bdev_find = ctx; 1682 1683 TAILQ_FOREACH_SAFE(crypto_bdev, &g_vbdev_crypto, link, tmp) { 1684 if (bdev_find == crypto_bdev->base_bdev) { 1685 spdk_bdev_unregister(&crypto_bdev->crypto_bdev, NULL, NULL); 1686 } 1687 } 1688 } 1689 1690 static void 1691 vbdev_crypto_write_config_json(struct spdk_bdev *bdev, struct spdk_json_write_ctx *w) 1692 { 1693 /* No config per bdev needed */ 1694 } 1695 1696 /* When we register our bdev this is how we specify our entry points. */ 1697 static const struct spdk_bdev_fn_table vbdev_crypto_fn_table = { 1698 .destruct = vbdev_crypto_destruct, 1699 .submit_request = vbdev_crypto_submit_request, 1700 .io_type_supported = vbdev_crypto_io_type_supported, 1701 .get_io_channel = vbdev_crypto_get_io_channel, 1702 .dump_info_json = vbdev_crypto_dump_info_json, 1703 .write_config_json = vbdev_crypto_write_config_json 1704 }; 1705 1706 static struct spdk_bdev_module crypto_if = { 1707 .name = "crypto", 1708 .module_init = vbdev_crypto_init, 1709 .config_text = vbdev_crypto_get_spdk_running_config, 1710 .get_ctx_size = vbdev_crypto_get_ctx_size, 1711 .examine_config = vbdev_crypto_examine, 1712 .module_fini = vbdev_crypto_finish, 1713 .config_json = vbdev_crypto_config_json 1714 }; 1715 1716 SPDK_BDEV_MODULE_REGISTER(crypto, &crypto_if) 1717 1718 static int 1719 vbdev_crypto_claim(struct spdk_bdev *bdev) 1720 { 1721 struct bdev_names *name; 1722 struct vbdev_crypto *vbdev; 1723 struct vbdev_dev *device; 1724 bool found = false; 1725 int rc = 0; 1726 void *tmp = NULL; 1727 1728 if (g_number_of_claimed_volumes >= MAX_CRYPTO_VOLUMES) { 1729 SPDK_DEBUGLOG(SPDK_LOG_CRYPTO, "Reached max number of claimed volumes\n"); 1730 rc = -EINVAL; 1731 goto error_vbdev_alloc; 1732 } 1733 g_number_of_claimed_volumes++; 1734 1735 /* Check our list of names from config versus this bdev and if 1736 * there's a match, create the crypto_bdev & bdev accordingly. 1737 */ 1738 TAILQ_FOREACH(name, &g_bdev_names, link) { 1739 if (strcmp(name->bdev_name, bdev->name) != 0) { 1740 continue; 1741 } 1742 SPDK_DEBUGLOG(SPDK_LOG_CRYPTO, "Match on %s\n", bdev->name); 1743 1744 vbdev = calloc(1, sizeof(struct vbdev_crypto)); 1745 if (!vbdev) { 1746 SPDK_ERRLOG("could not allocate crypto_bdev\n"); 1747 rc = -ENOMEM; 1748 goto error_vbdev_alloc; 1749 } 1750 1751 /* The base bdev that we're attaching to. */ 1752 vbdev->base_bdev = bdev; 1753 vbdev->crypto_bdev.name = strdup(name->vbdev_name); 1754 if (!vbdev->crypto_bdev.name) { 1755 SPDK_ERRLOG("could not allocate crypto_bdev name\n"); 1756 rc = -ENOMEM; 1757 goto error_bdev_name; 1758 } 1759 1760 vbdev->key = strdup(name->key); 1761 if (!vbdev->key) { 1762 SPDK_ERRLOG("could not allocate crypto_bdev key\n"); 1763 rc = -ENOMEM; 1764 goto error_alloc_key; 1765 } 1766 1767 vbdev->drv_name = strdup(name->drv_name); 1768 if (!vbdev->drv_name) { 1769 SPDK_ERRLOG("could not allocate crypto_bdev drv_name\n"); 1770 rc = -ENOMEM; 1771 goto error_drv_name; 1772 } 1773 1774 vbdev->crypto_bdev.product_name = "crypto"; 1775 vbdev->crypto_bdev.write_cache = bdev->write_cache; 1776 if (strcmp(vbdev->drv_name, QAT) == 0) { 1777 vbdev->crypto_bdev.required_alignment = 1778 spdk_max(spdk_u32log2(bdev->blocklen), bdev->required_alignment); 1779 SPDK_NOTICELOG("QAT in use: Required alignment set to %u\n", 1780 vbdev->crypto_bdev.required_alignment); 1781 if (strcmp(name->cipher, AES_CBC) == 0) { 1782 SPDK_NOTICELOG("QAT using cipher: AES_CBC\n"); 1783 } else { 1784 SPDK_NOTICELOG("QAT using cipher: AES_XTS\n"); 1785 /* DPDK expects they keys to be concatenated together. */ 1786 tmp = realloc(vbdev->key, (AES_XTS_KEY_LENGTH * 2) + 1); 1787 if (tmp == NULL) { 1788 SPDK_ERRLOG("could not reallocate memory for XTS keys\n"); 1789 rc = -ENOMEM; 1790 goto error_key_realloc; 1791 } 1792 vbdev->key = tmp; 1793 memcpy(vbdev->key + AES_XTS_KEY_LENGTH, name->key2, AES_XTS_KEY_LENGTH + 1); 1794 } 1795 } else { 1796 vbdev->crypto_bdev.required_alignment = bdev->required_alignment; 1797 } 1798 /* Note: CRYPTO_MAX_IO is in units of bytes, optimal_io_boundary is 1799 * in units of blocks. 1800 */ 1801 if (bdev->optimal_io_boundary > 0) { 1802 vbdev->crypto_bdev.optimal_io_boundary = 1803 spdk_min((CRYPTO_MAX_IO / bdev->blocklen), bdev->optimal_io_boundary); 1804 } else { 1805 vbdev->crypto_bdev.optimal_io_boundary = (CRYPTO_MAX_IO / bdev->blocklen); 1806 } 1807 vbdev->crypto_bdev.split_on_optimal_io_boundary = true; 1808 vbdev->crypto_bdev.blocklen = bdev->blocklen; 1809 vbdev->crypto_bdev.blockcnt = bdev->blockcnt; 1810 1811 /* This is the context that is passed to us when the bdev 1812 * layer calls in so we'll save our crypto_bdev node here. 1813 */ 1814 vbdev->crypto_bdev.ctxt = vbdev; 1815 vbdev->crypto_bdev.fn_table = &vbdev_crypto_fn_table; 1816 vbdev->crypto_bdev.module = &crypto_if; 1817 TAILQ_INSERT_TAIL(&g_vbdev_crypto, vbdev, link); 1818 1819 spdk_io_device_register(vbdev, crypto_bdev_ch_create_cb, crypto_bdev_ch_destroy_cb, 1820 sizeof(struct crypto_io_channel), vbdev->crypto_bdev.name); 1821 1822 rc = spdk_bdev_open(bdev, true, vbdev_crypto_examine_hotremove_cb, 1823 bdev, &vbdev->base_desc); 1824 if (rc) { 1825 SPDK_ERRLOG("could not open bdev %s\n", spdk_bdev_get_name(bdev)); 1826 goto error_open; 1827 } 1828 1829 rc = spdk_bdev_module_claim_bdev(bdev, vbdev->base_desc, vbdev->crypto_bdev.module); 1830 if (rc) { 1831 SPDK_ERRLOG("could not claim bdev %s\n", spdk_bdev_get_name(bdev)); 1832 goto error_claim; 1833 } 1834 1835 /* To init the session we have to get the cryptoDev device ID for this vbdev */ 1836 TAILQ_FOREACH(device, &g_vbdev_devs, link) { 1837 if (strcmp(device->cdev_info.driver_name, vbdev->drv_name) == 0) { 1838 found = true; 1839 break; 1840 } 1841 } 1842 if (found == false) { 1843 SPDK_ERRLOG("ERROR can't match crypto device driver to crypto vbdev!\n"); 1844 rc = -EINVAL; 1845 goto error_cant_find_devid; 1846 } 1847 1848 /* Get sessions. */ 1849 vbdev->session_encrypt = rte_cryptodev_sym_session_create(g_session_mp); 1850 if (NULL == vbdev->session_encrypt) { 1851 SPDK_ERRLOG("ERROR trying to create crypto session!\n"); 1852 rc = -EINVAL; 1853 goto error_session_en_create; 1854 } 1855 1856 vbdev->session_decrypt = rte_cryptodev_sym_session_create(g_session_mp); 1857 if (NULL == vbdev->session_decrypt) { 1858 SPDK_ERRLOG("ERROR trying to create crypto session!\n"); 1859 rc = -EINVAL; 1860 goto error_session_de_create; 1861 } 1862 1863 /* Init our per vbdev xform with the desired cipher options. */ 1864 vbdev->cipher_xform.type = RTE_CRYPTO_SYM_XFORM_CIPHER; 1865 vbdev->cipher_xform.cipher.key.data = vbdev->key; 1866 vbdev->cipher_xform.cipher.iv.offset = IV_OFFSET; 1867 if (strcmp(name->cipher, AES_CBC) == 0) { 1868 vbdev->cipher_xform.cipher.algo = RTE_CRYPTO_CIPHER_AES_CBC; 1869 vbdev->cipher_xform.cipher.key.length = AES_CBC_KEY_LENGTH; 1870 } else { 1871 vbdev->cipher_xform.cipher.algo = RTE_CRYPTO_CIPHER_AES_XTS; 1872 vbdev->cipher_xform.cipher.key.length = AES_XTS_KEY_LENGTH * 2; 1873 } 1874 vbdev->cipher_xform.cipher.iv.length = AES_CBC_IV_LENGTH; 1875 1876 vbdev->cipher_xform.cipher.op = RTE_CRYPTO_CIPHER_OP_ENCRYPT; 1877 rc = rte_cryptodev_sym_session_init(device->cdev_id, vbdev->session_encrypt, 1878 &vbdev->cipher_xform, 1879 g_session_mp_priv ? g_session_mp_priv : g_session_mp); 1880 if (rc < 0) { 1881 SPDK_ERRLOG("ERROR trying to init encrypt session!\n"); 1882 rc = -EINVAL; 1883 goto error_session_init; 1884 } 1885 1886 vbdev->cipher_xform.cipher.op = RTE_CRYPTO_CIPHER_OP_DECRYPT; 1887 rc = rte_cryptodev_sym_session_init(device->cdev_id, vbdev->session_decrypt, 1888 &vbdev->cipher_xform, 1889 g_session_mp_priv ? g_session_mp_priv : g_session_mp); 1890 if (rc < 0) { 1891 SPDK_ERRLOG("ERROR trying to init decrypt session!\n"); 1892 rc = -EINVAL; 1893 goto error_session_init; 1894 } 1895 1896 rc = spdk_bdev_register(&vbdev->crypto_bdev); 1897 if (rc < 0) { 1898 SPDK_ERRLOG("ERROR trying to register bdev\n"); 1899 rc = -EINVAL; 1900 goto error_bdev_register; 1901 } 1902 SPDK_DEBUGLOG(SPDK_LOG_CRYPTO, "registered io_device and virtual bdev for: %s\n", 1903 name->vbdev_name); 1904 break; 1905 } 1906 1907 return rc; 1908 1909 /* Error cleanup paths. */ 1910 error_bdev_register: 1911 error_session_init: 1912 rte_cryptodev_sym_session_free(vbdev->session_decrypt); 1913 error_session_de_create: 1914 rte_cryptodev_sym_session_free(vbdev->session_encrypt); 1915 error_session_en_create: 1916 error_cant_find_devid: 1917 error_claim: 1918 spdk_bdev_close(vbdev->base_desc); 1919 error_open: 1920 TAILQ_REMOVE(&g_vbdev_crypto, vbdev, link); 1921 spdk_io_device_unregister(vbdev, NULL); 1922 free(vbdev->drv_name); 1923 error_key_realloc: 1924 error_drv_name: 1925 free(vbdev->key); 1926 error_alloc_key: 1927 free(vbdev->crypto_bdev.name); 1928 error_bdev_name: 1929 free(vbdev); 1930 error_vbdev_alloc: 1931 g_number_of_claimed_volumes--; 1932 return rc; 1933 } 1934 1935 /* RPC entry for deleting a crypto vbdev. */ 1936 void 1937 delete_crypto_disk(struct spdk_bdev *bdev, spdk_delete_crypto_complete cb_fn, 1938 void *cb_arg) 1939 { 1940 struct bdev_names *name; 1941 1942 if (!bdev || bdev->module != &crypto_if) { 1943 cb_fn(cb_arg, -ENODEV); 1944 return; 1945 } 1946 1947 /* Remove the association (vbdev, bdev) from g_bdev_names. This is required so that the 1948 * vbdev does not get re-created if the same bdev is constructed at some other time, 1949 * unless the underlying bdev was hot-removed. 1950 */ 1951 TAILQ_FOREACH(name, &g_bdev_names, link) { 1952 if (strcmp(name->vbdev_name, bdev->name) == 0) { 1953 TAILQ_REMOVE(&g_bdev_names, name, link); 1954 free(name->bdev_name); 1955 free(name->vbdev_name); 1956 free(name->drv_name); 1957 free(name->key); 1958 free(name->key2); 1959 free(name); 1960 break; 1961 } 1962 } 1963 1964 /* Additional cleanup happens in the destruct callback. */ 1965 spdk_bdev_unregister(bdev, cb_fn, cb_arg); 1966 } 1967 1968 /* Because we specified this function in our crypto bdev function table when we 1969 * registered our crypto bdev, we'll get this call anytime a new bdev shows up. 1970 * Here we need to decide if we care about it and if so what to do. We 1971 * parsed the config file at init so we check the new bdev against the list 1972 * we built up at that time and if the user configured us to attach to this 1973 * bdev, here's where we do it. 1974 */ 1975 static void 1976 vbdev_crypto_examine(struct spdk_bdev *bdev) 1977 { 1978 vbdev_crypto_claim(bdev); 1979 spdk_bdev_module_examine_done(&crypto_if); 1980 } 1981 1982 SPDK_LOG_REGISTER_COMPONENT("vbdev_crypto", SPDK_LOG_CRYPTO) 1983