1 /*- 2 * BSD LICENSE 3 * 4 * Copyright (c) Intel Corporation. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * * Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * * Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in 15 * the documentation and/or other materials provided with the 16 * distribution. 17 * * Neither the name of Intel Corporation nor the names of its 18 * contributors may be used to endorse or promote products derived 19 * from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 24 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 25 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 26 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 27 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 * DATA, OR PROFITS; OR BUSINESS INTERRUcryptoION) HOWEVER CAUSED AND ON ANY 29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 31 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 */ 33 34 #include "vbdev_crypto.h" 35 36 #include "spdk/env.h" 37 #include "spdk/endian.h" 38 #include "spdk/thread.h" 39 #include "spdk/bdev_module.h" 40 #include "spdk/log.h" 41 42 #include <rte_config.h> 43 #include <rte_bus_vdev.h> 44 #include <rte_crypto.h> 45 #include <rte_cryptodev.h> 46 #include <rte_cryptodev_pmd.h> 47 #include <rte_mbuf_dyn.h> 48 49 /* Used to store IO context in mbuf */ 50 static const struct rte_mbuf_dynfield rte_mbuf_dynfield_io_context = { 51 .name = "context_bdev_io", 52 .size = sizeof(uint64_t), 53 .align = __alignof__(uint64_t), 54 .flags = 0, 55 }; 56 static int g_mbuf_offset; 57 58 /* To add support for new device types, follow the examples of the following... 59 * Note that the string names are defined by the DPDK PMD in question so be 60 * sure to use the exact names. 61 */ 62 #define MAX_NUM_DRV_TYPES 2 63 64 /* The VF spread is the number of queue pairs between virtual functions, we use this to 65 * load balance the QAT device. 66 */ 67 #define QAT_VF_SPREAD 32 68 static uint8_t g_qat_total_qp = 0; 69 static uint8_t g_next_qat_index; 70 71 const char *g_driver_names[MAX_NUM_DRV_TYPES] = { AESNI_MB, QAT }; 72 73 /* Global list of available crypto devices. */ 74 struct vbdev_dev { 75 struct rte_cryptodev_info cdev_info; /* includes device friendly name */ 76 uint8_t cdev_id; /* identifier for the device */ 77 TAILQ_ENTRY(vbdev_dev) link; 78 }; 79 static TAILQ_HEAD(, vbdev_dev) g_vbdev_devs = TAILQ_HEAD_INITIALIZER(g_vbdev_devs); 80 81 /* Global list and lock for unique device/queue pair combos. We keep 1 list per supported PMD 82 * so that we can optimize per PMD where it make sense. For example, with QAT there an optimal 83 * pattern for assigning queue pairs where with AESNI there is not. 84 */ 85 struct device_qp { 86 struct vbdev_dev *device; /* ptr to crypto device */ 87 uint8_t qp; /* queue pair for this node */ 88 bool in_use; /* whether this node is in use or not */ 89 uint8_t index; /* used by QAT to load balance placement of qpairs */ 90 TAILQ_ENTRY(device_qp) link; 91 }; 92 static TAILQ_HEAD(, device_qp) g_device_qp_qat = TAILQ_HEAD_INITIALIZER(g_device_qp_qat); 93 static TAILQ_HEAD(, device_qp) g_device_qp_aesni_mb = TAILQ_HEAD_INITIALIZER(g_device_qp_aesni_mb); 94 static pthread_mutex_t g_device_qp_lock = PTHREAD_MUTEX_INITIALIZER; 95 96 97 /* In order to limit the number of resources we need to do one crypto 98 * operation per LBA (we use LBA as IV), we tell the bdev layer that 99 * our max IO size is something reasonable. Units here are in bytes. 100 */ 101 #define CRYPTO_MAX_IO (64 * 1024) 102 103 /* This controls how many ops will be dequeued from the crypto driver in one run 104 * of the poller. It is mainly a performance knob as it effectively determines how 105 * much work the poller has to do. However even that can vary between crypto drivers 106 * as the AESNI_MB driver for example does all the crypto work on dequeue whereas the 107 * QAT driver just dequeues what has been completed already. 108 */ 109 #define MAX_DEQUEUE_BURST_SIZE 64 110 111 /* When enqueueing, we need to supply the crypto driver with an array of pointers to 112 * operation structs. As each of these can be max 512B, we can adjust the CRYPTO_MAX_IO 113 * value in conjunction with the other defines to make sure we're not using crazy amounts 114 * of memory. All of these numbers can and probably should be adjusted based on the 115 * workload. By default we'll use the worst case (smallest) block size for the 116 * minimum number of array entries. As an example, a CRYPTO_MAX_IO size of 64K with 512B 117 * blocks would give us an enqueue array size of 128. 118 */ 119 #define MAX_ENQUEUE_ARRAY_SIZE (CRYPTO_MAX_IO / 512) 120 121 /* The number of MBUFS we need must be a power of two and to support other small IOs 122 * in addition to the limits mentioned above, we go to the next power of two. It is 123 * big number because it is one mempool for source and destination mbufs. It may 124 * need to be bigger to support multiple crypto drivers at once. 125 */ 126 #define NUM_MBUFS 32768 127 #define POOL_CACHE_SIZE 256 128 #define MAX_CRYPTO_VOLUMES 128 129 #define NUM_SESSIONS (2 * MAX_CRYPTO_VOLUMES) 130 #define SESS_MEMPOOL_CACHE_SIZE 0 131 uint8_t g_number_of_claimed_volumes = 0; 132 133 /* This is the max number of IOs we can supply to any crypto device QP at one time. 134 * It can vary between drivers. 135 */ 136 #define CRYPTO_QP_DESCRIPTORS 2048 137 138 /* Specific to AES_CBC. */ 139 #define AES_CBC_IV_LENGTH 16 140 #define AES_CBC_KEY_LENGTH 16 141 #define AES_XTS_KEY_LENGTH 16 /* XTS uses 2 keys, each of this size. */ 142 #define AESNI_MB_NUM_QP 64 143 144 /* Common for suported devices. */ 145 #define IV_OFFSET (sizeof(struct rte_crypto_op) + \ 146 sizeof(struct rte_crypto_sym_op)) 147 #define QUEUED_OP_OFFSET (IV_OFFSET + AES_CBC_IV_LENGTH) 148 149 static void _complete_internal_io(struct spdk_bdev_io *bdev_io, bool success, void *cb_arg); 150 static void _complete_internal_read(struct spdk_bdev_io *bdev_io, bool success, void *cb_arg); 151 static void _complete_internal_write(struct spdk_bdev_io *bdev_io, bool success, void *cb_arg); 152 static void vbdev_crypto_examine(struct spdk_bdev *bdev); 153 static int vbdev_crypto_claim(const char *bdev_name); 154 static void vbdev_crypto_submit_request(struct spdk_io_channel *ch, struct spdk_bdev_io *bdev_io); 155 156 /* List of crypto_bdev names and their base bdevs via configuration file. */ 157 struct bdev_names { 158 char *vbdev_name; /* name of the vbdev to create */ 159 char *bdev_name; /* base bdev name */ 160 161 /* Note, for dev/test we allow use of key in the config file, for production 162 * use, you must use an RPC to specify the key for security reasons. 163 */ 164 uint8_t *key; /* key per bdev */ 165 char *drv_name; /* name of the crypto device driver */ 166 char *cipher; /* AES_CBC or AES_XTS */ 167 uint8_t *key2; /* key #2 for AES_XTS, per bdev */ 168 TAILQ_ENTRY(bdev_names) link; 169 }; 170 static TAILQ_HEAD(, bdev_names) g_bdev_names = TAILQ_HEAD_INITIALIZER(g_bdev_names); 171 172 /* List of virtual bdevs and associated info for each. We keep the device friendly name here even 173 * though its also in the device struct because we use it early on. 174 */ 175 struct vbdev_crypto { 176 struct spdk_bdev *base_bdev; /* the thing we're attaching to */ 177 struct spdk_bdev_desc *base_desc; /* its descriptor we get from open */ 178 struct spdk_bdev crypto_bdev; /* the crypto virtual bdev */ 179 uint8_t *key; /* key per bdev */ 180 uint8_t *key2; /* for XTS */ 181 uint8_t *xts_key; /* key + key 2 */ 182 char *drv_name; /* name of the crypto device driver */ 183 char *cipher; /* cipher used */ 184 struct rte_cryptodev_sym_session *session_encrypt; /* encryption session for this bdev */ 185 struct rte_cryptodev_sym_session *session_decrypt; /* decryption session for this bdev */ 186 struct rte_crypto_sym_xform cipher_xform; /* crypto control struct for this bdev */ 187 TAILQ_ENTRY(vbdev_crypto) link; 188 struct spdk_thread *thread; /* thread where base device is opened */ 189 }; 190 static TAILQ_HEAD(, vbdev_crypto) g_vbdev_crypto = TAILQ_HEAD_INITIALIZER(g_vbdev_crypto); 191 192 /* Shared mempools between all devices on this system */ 193 static struct rte_mempool *g_session_mp = NULL; 194 static struct rte_mempool *g_session_mp_priv = NULL; 195 static struct spdk_mempool *g_mbuf_mp = NULL; /* mbuf mempool */ 196 static struct rte_mempool *g_crypto_op_mp = NULL; /* crypto operations, must be rte* mempool */ 197 198 /* For queueing up crypto operations that we can't submit for some reason */ 199 struct vbdev_crypto_op { 200 uint8_t cdev_id; 201 uint8_t qp; 202 struct rte_crypto_op *crypto_op; 203 struct spdk_bdev_io *bdev_io; 204 TAILQ_ENTRY(vbdev_crypto_op) link; 205 }; 206 #define QUEUED_OP_LENGTH (sizeof(struct vbdev_crypto_op)) 207 208 /* The crypto vbdev channel struct. It is allocated and freed on my behalf by the io channel code. 209 * We store things in here that are needed on per thread basis like the base_channel for this thread, 210 * and the poller for this thread. 211 */ 212 struct crypto_io_channel { 213 struct spdk_io_channel *base_ch; /* IO channel of base device */ 214 struct spdk_poller *poller; /* completion poller */ 215 struct device_qp *device_qp; /* unique device/qp combination for this channel */ 216 TAILQ_HEAD(, spdk_bdev_io) pending_cry_ios; /* outstanding operations to the crypto device */ 217 struct spdk_io_channel_iter *iter; /* used with for_each_channel in reset */ 218 TAILQ_HEAD(, vbdev_crypto_op) queued_cry_ops; /* queued for re-submission to CryptoDev */ 219 }; 220 221 /* This is the crypto per IO context that the bdev layer allocates for us opaquely and attaches to 222 * each IO for us. 223 */ 224 struct crypto_bdev_io { 225 int cryop_cnt_remaining; /* counter used when completing crypto ops */ 226 struct crypto_io_channel *crypto_ch; /* need to store for crypto completion handling */ 227 struct vbdev_crypto *crypto_bdev; /* the crypto node struct associated with this IO */ 228 struct spdk_bdev_io *orig_io; /* the original IO */ 229 struct spdk_bdev_io *read_io; /* the read IO we issued */ 230 int8_t bdev_io_status; /* the status we'll report back on the bdev IO */ 231 bool on_pending_list; 232 /* Used for the single contiguous buffer that serves as the crypto destination target for writes */ 233 uint64_t aux_num_blocks; /* num of blocks for the contiguous buffer */ 234 uint64_t aux_offset_blocks; /* block offset on media */ 235 void *aux_buf_raw; /* raw buffer that the bdev layer gave us for write buffer */ 236 struct iovec aux_buf_iov; /* iov representing aligned contig write buffer */ 237 238 /* for bdev_io_wait */ 239 struct spdk_bdev_io_wait_entry bdev_io_wait; 240 struct spdk_io_channel *ch; 241 }; 242 243 /* Called by vbdev_crypto_init_crypto_drivers() to init each discovered crypto device */ 244 static int 245 create_vbdev_dev(uint8_t index, uint16_t num_lcores) 246 { 247 struct vbdev_dev *device; 248 uint8_t j, cdev_id, cdrv_id; 249 struct device_qp *dev_qp; 250 struct device_qp *tmp_qp; 251 int rc; 252 TAILQ_HEAD(device_qps, device_qp) *dev_qp_head; 253 254 device = calloc(1, sizeof(struct vbdev_dev)); 255 if (!device) { 256 return -ENOMEM; 257 } 258 259 /* Get details about this device. */ 260 rte_cryptodev_info_get(index, &device->cdev_info); 261 cdrv_id = device->cdev_info.driver_id; 262 cdev_id = device->cdev_id = index; 263 264 /* Before going any further, make sure we have enough resources for this 265 * device type to function. We need a unique queue pair per core accross each 266 * device type to remain lockless.... 267 */ 268 if ((rte_cryptodev_device_count_by_driver(cdrv_id) * 269 device->cdev_info.max_nb_queue_pairs) < num_lcores) { 270 SPDK_ERRLOG("Insufficient unique queue pairs available for %s\n", 271 device->cdev_info.driver_name); 272 SPDK_ERRLOG("Either add more crypto devices or decrease core count\n"); 273 rc = -EINVAL; 274 goto err; 275 } 276 277 /* Setup queue pairs. */ 278 struct rte_cryptodev_config conf = { 279 .nb_queue_pairs = device->cdev_info.max_nb_queue_pairs, 280 .socket_id = SPDK_ENV_SOCKET_ID_ANY 281 }; 282 283 rc = rte_cryptodev_configure(cdev_id, &conf); 284 if (rc < 0) { 285 SPDK_ERRLOG("Failed to configure cryptodev %u\n", cdev_id); 286 rc = -EINVAL; 287 goto err; 288 } 289 290 struct rte_cryptodev_qp_conf qp_conf = { 291 .nb_descriptors = CRYPTO_QP_DESCRIPTORS, 292 .mp_session = g_session_mp, 293 .mp_session_private = g_session_mp_priv, 294 }; 295 296 /* Pre-setup all potential qpairs now and assign them in the channel 297 * callback. If we were to create them there, we'd have to stop the 298 * entire device affecting all other threads that might be using it 299 * even on other queue pairs. 300 */ 301 for (j = 0; j < device->cdev_info.max_nb_queue_pairs; j++) { 302 rc = rte_cryptodev_queue_pair_setup(cdev_id, j, &qp_conf, SOCKET_ID_ANY); 303 if (rc < 0) { 304 SPDK_ERRLOG("Failed to setup queue pair %u on " 305 "cryptodev %u\n", j, cdev_id); 306 rc = -EINVAL; 307 goto err; 308 } 309 } 310 311 rc = rte_cryptodev_start(cdev_id); 312 if (rc < 0) { 313 SPDK_ERRLOG("Failed to start device %u: error %d\n", 314 cdev_id, rc); 315 rc = -EINVAL; 316 goto err; 317 } 318 319 /* Select the right device/qp list based on driver name 320 * or error if it does not exist. 321 */ 322 if (strcmp(device->cdev_info.driver_name, QAT) == 0) { 323 dev_qp_head = (struct device_qps *)&g_device_qp_qat; 324 } else if (strcmp(device->cdev_info.driver_name, AESNI_MB) == 0) { 325 dev_qp_head = (struct device_qps *)&g_device_qp_aesni_mb; 326 } else { 327 rc = -EINVAL; 328 goto err; 329 } 330 331 /* Build up lists of device/qp combinations per PMD */ 332 for (j = 0; j < device->cdev_info.max_nb_queue_pairs; j++) { 333 dev_qp = calloc(1, sizeof(struct device_qp)); 334 if (!dev_qp) { 335 rc = -ENOMEM; 336 goto err_qp_alloc; 337 } 338 dev_qp->device = device; 339 dev_qp->qp = j; 340 dev_qp->in_use = false; 341 if (strcmp(device->cdev_info.driver_name, QAT) == 0) { 342 g_qat_total_qp++; 343 } 344 TAILQ_INSERT_TAIL(dev_qp_head, dev_qp, link); 345 } 346 347 /* Add to our list of available crypto devices. */ 348 TAILQ_INSERT_TAIL(&g_vbdev_devs, device, link); 349 350 return 0; 351 err_qp_alloc: 352 TAILQ_FOREACH_SAFE(dev_qp, dev_qp_head, link, tmp_qp) { 353 TAILQ_REMOVE(dev_qp_head, dev_qp, link); 354 free(dev_qp); 355 } 356 err: 357 free(device); 358 359 return rc; 360 } 361 362 /* This is called from the module's init function. We setup all crypto devices early on as we are unable 363 * to easily dynamically configure queue pairs after the drivers are up and running. So, here, we 364 * configure the max capabilities of each device and assign threads to queue pairs as channels are 365 * requested. 366 */ 367 static int 368 vbdev_crypto_init_crypto_drivers(void) 369 { 370 uint8_t cdev_count; 371 uint8_t cdev_id; 372 int i, rc = 0; 373 struct vbdev_dev *device; 374 struct vbdev_dev *tmp_dev; 375 struct device_qp *dev_qp; 376 unsigned int max_sess_size = 0, sess_size; 377 uint16_t num_lcores = rte_lcore_count(); 378 char aesni_args[32]; 379 380 /* Only the first call, via RPC or module init should init the crypto drivers. */ 381 if (g_session_mp != NULL) { 382 return 0; 383 } 384 385 /* We always init AESNI_MB */ 386 snprintf(aesni_args, sizeof(aesni_args), "max_nb_queue_pairs=%d", AESNI_MB_NUM_QP); 387 rc = rte_vdev_init(AESNI_MB, aesni_args); 388 if (rc) { 389 SPDK_ERRLOG("error creating virtual PMD %s\n", AESNI_MB); 390 return -EINVAL; 391 } 392 393 /* If we have no crypto devices, there's no reason to continue. */ 394 cdev_count = rte_cryptodev_count(); 395 if (cdev_count == 0) { 396 return 0; 397 } 398 399 g_mbuf_offset = rte_mbuf_dynfield_register(&rte_mbuf_dynfield_io_context); 400 if (g_mbuf_offset < 0) { 401 SPDK_ERRLOG("error registering dynamic field with DPDK\n"); 402 return -EINVAL; 403 } 404 405 /* 406 * Create global mempools, shared by all devices regardless of type. 407 */ 408 409 /* First determine max session size, most pools are shared by all the devices, 410 * so we need to find the global max sessions size. 411 */ 412 for (cdev_id = 0; cdev_id < cdev_count; cdev_id++) { 413 sess_size = rte_cryptodev_sym_get_private_session_size(cdev_id); 414 if (sess_size > max_sess_size) { 415 max_sess_size = sess_size; 416 } 417 } 418 419 g_session_mp_priv = rte_mempool_create("session_mp_priv", NUM_SESSIONS, max_sess_size, 420 SESS_MEMPOOL_CACHE_SIZE, 0, NULL, NULL, NULL, 421 NULL, SOCKET_ID_ANY, 0); 422 if (g_session_mp_priv == NULL) { 423 SPDK_ERRLOG("Cannot create private session pool max size 0x%x\n", max_sess_size); 424 return -ENOMEM; 425 } 426 427 g_session_mp = rte_cryptodev_sym_session_pool_create( 428 "session_mp", 429 NUM_SESSIONS, 0, SESS_MEMPOOL_CACHE_SIZE, 0, 430 SOCKET_ID_ANY); 431 if (g_session_mp == NULL) { 432 SPDK_ERRLOG("Cannot create session pool max size 0x%x\n", max_sess_size); 433 goto error_create_session_mp; 434 return -ENOMEM; 435 } 436 437 g_mbuf_mp = spdk_mempool_create("mbuf_mp", NUM_MBUFS, sizeof(struct rte_mbuf), 438 SPDK_MEMPOOL_DEFAULT_CACHE_SIZE, 439 SPDK_ENV_SOCKET_ID_ANY); 440 if (g_mbuf_mp == NULL) { 441 SPDK_ERRLOG("Cannot create mbuf pool\n"); 442 rc = -ENOMEM; 443 goto error_create_mbuf; 444 } 445 446 /* We use per op private data to store the IV and our own struct 447 * for queueing ops. 448 */ 449 g_crypto_op_mp = rte_crypto_op_pool_create("op_mp", 450 RTE_CRYPTO_OP_TYPE_SYMMETRIC, 451 NUM_MBUFS, 452 POOL_CACHE_SIZE, 453 AES_CBC_IV_LENGTH + QUEUED_OP_LENGTH, 454 rte_socket_id()); 455 456 if (g_crypto_op_mp == NULL) { 457 SPDK_ERRLOG("Cannot create op pool\n"); 458 rc = -ENOMEM; 459 goto error_create_op; 460 } 461 462 /* Init all devices */ 463 for (i = 0; i < cdev_count; i++) { 464 rc = create_vbdev_dev(i, num_lcores); 465 if (rc) { 466 goto err; 467 } 468 } 469 470 /* Assign index values to the QAT device qp nodes so that we can 471 * assign them for optimal performance. 472 */ 473 i = 0; 474 TAILQ_FOREACH(dev_qp, &g_device_qp_qat, link) { 475 dev_qp->index = i++; 476 } 477 478 return 0; 479 480 /* Error cleanup paths. */ 481 err: 482 TAILQ_FOREACH_SAFE(device, &g_vbdev_devs, link, tmp_dev) { 483 TAILQ_REMOVE(&g_vbdev_devs, device, link); 484 free(device); 485 } 486 rte_mempool_free(g_crypto_op_mp); 487 g_crypto_op_mp = NULL; 488 error_create_op: 489 spdk_mempool_free(g_mbuf_mp); 490 g_mbuf_mp = NULL; 491 error_create_mbuf: 492 rte_mempool_free(g_session_mp); 493 g_session_mp = NULL; 494 error_create_session_mp: 495 if (g_session_mp_priv != NULL) { 496 rte_mempool_free(g_session_mp_priv); 497 g_session_mp_priv = NULL; 498 } 499 return rc; 500 } 501 502 /* Following an encrypt or decrypt we need to then either write the encrypted data or finish 503 * the read on decrypted data. Do that here. 504 */ 505 static void 506 _crypto_operation_complete(struct spdk_bdev_io *bdev_io) 507 { 508 struct vbdev_crypto *crypto_bdev = SPDK_CONTAINEROF(bdev_io->bdev, struct vbdev_crypto, 509 crypto_bdev); 510 struct crypto_bdev_io *io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 511 struct crypto_io_channel *crypto_ch = io_ctx->crypto_ch; 512 struct spdk_bdev_io *free_me = io_ctx->read_io; 513 int rc = 0; 514 515 TAILQ_REMOVE(&crypto_ch->pending_cry_ios, bdev_io, module_link); 516 517 if (bdev_io->type == SPDK_BDEV_IO_TYPE_READ) { 518 519 /* Complete the original IO and then free the one that we created 520 * as a result of issuing an IO via submit_request. 521 */ 522 if (io_ctx->bdev_io_status != SPDK_BDEV_IO_STATUS_FAILED) { 523 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_SUCCESS); 524 } else { 525 SPDK_ERRLOG("Issue with decryption on bdev_io %p\n", bdev_io); 526 rc = -EINVAL; 527 } 528 spdk_bdev_free_io(free_me); 529 530 } else if (bdev_io->type == SPDK_BDEV_IO_TYPE_WRITE) { 531 532 if (io_ctx->bdev_io_status != SPDK_BDEV_IO_STATUS_FAILED) { 533 /* Write the encrypted data. */ 534 rc = spdk_bdev_writev_blocks(crypto_bdev->base_desc, crypto_ch->base_ch, 535 &io_ctx->aux_buf_iov, 1, io_ctx->aux_offset_blocks, 536 io_ctx->aux_num_blocks, _complete_internal_write, 537 bdev_io); 538 } else { 539 SPDK_ERRLOG("Issue with encryption on bdev_io %p\n", bdev_io); 540 rc = -EINVAL; 541 } 542 543 } else { 544 SPDK_ERRLOG("Unknown bdev type %u on crypto operation completion\n", 545 bdev_io->type); 546 rc = -EINVAL; 547 } 548 549 if (rc) { 550 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_FAILED); 551 } 552 } 553 554 static int _crypto_operation(struct spdk_bdev_io *bdev_io, 555 enum rte_crypto_cipher_operation crypto_op, 556 void *aux_buf); 557 558 /* This is the poller for the crypto device. It uses a single API to dequeue whatever is ready at 559 * the device. Then we need to decide if what we've got so far (including previous poller 560 * runs) totals up to one or more complete bdev_ios and if so continue with the bdev_io 561 * accordingly. This means either completing a read or issuing a new write. 562 */ 563 static int 564 crypto_dev_poller(void *args) 565 { 566 struct crypto_io_channel *crypto_ch = args; 567 uint8_t cdev_id = crypto_ch->device_qp->device->cdev_id; 568 int i, num_dequeued_ops, num_enqueued_ops; 569 struct spdk_bdev_io *bdev_io = NULL; 570 struct crypto_bdev_io *io_ctx = NULL; 571 struct rte_crypto_op *dequeued_ops[MAX_DEQUEUE_BURST_SIZE]; 572 struct rte_crypto_op *mbufs_to_free[2 * MAX_DEQUEUE_BURST_SIZE]; 573 int num_mbufs = 0; 574 struct vbdev_crypto_op *op_to_resubmit; 575 576 /* Each run of the poller will get just what the device has available 577 * at the moment we call it, we don't check again after draining the 578 * first batch. 579 */ 580 num_dequeued_ops = rte_cryptodev_dequeue_burst(cdev_id, crypto_ch->device_qp->qp, 581 dequeued_ops, MAX_DEQUEUE_BURST_SIZE); 582 583 /* Check if operation was processed successfully */ 584 for (i = 0; i < num_dequeued_ops; i++) { 585 586 /* We don't know the order or association of the crypto ops wrt any 587 * partiular bdev_io so need to look at each and determine if it's 588 * the last one for it's bdev_io or not. 589 */ 590 bdev_io = (struct spdk_bdev_io *)*RTE_MBUF_DYNFIELD(dequeued_ops[i]->sym->m_src, g_mbuf_offset, 591 uint64_t *); 592 assert(bdev_io != NULL); 593 io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 594 595 if (dequeued_ops[i]->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { 596 SPDK_ERRLOG("error with op %d status %u\n", i, 597 dequeued_ops[i]->status); 598 /* Update the bdev status to error, we'll still process the 599 * rest of the crypto ops for this bdev_io though so they 600 * aren't left hanging. 601 */ 602 io_ctx->bdev_io_status = SPDK_BDEV_IO_STATUS_FAILED; 603 } 604 605 assert(io_ctx->cryop_cnt_remaining > 0); 606 607 /* Return the associated src and dst mbufs by collecting them into 608 * an array that we can use the bulk API to free after the loop. 609 */ 610 *RTE_MBUF_DYNFIELD(dequeued_ops[i]->sym->m_src, g_mbuf_offset, uint64_t *) = 0; 611 mbufs_to_free[num_mbufs++] = (void *)dequeued_ops[i]->sym->m_src; 612 if (dequeued_ops[i]->sym->m_dst) { 613 mbufs_to_free[num_mbufs++] = (void *)dequeued_ops[i]->sym->m_dst; 614 } 615 616 /* done encrypting, complete the bdev_io */ 617 if (--io_ctx->cryop_cnt_remaining == 0) { 618 619 /* If we're completing this with an outstanding reset we need 620 * to fail it. 621 */ 622 if (crypto_ch->iter) { 623 io_ctx->bdev_io_status = SPDK_BDEV_IO_STATUS_FAILED; 624 } 625 626 /* Complete the IO */ 627 _crypto_operation_complete(bdev_io); 628 } 629 } 630 631 /* Now bulk free both mbufs and crypto operations. */ 632 if (num_dequeued_ops > 0) { 633 rte_mempool_put_bulk(g_crypto_op_mp, 634 (void **)dequeued_ops, 635 num_dequeued_ops); 636 assert(num_mbufs > 0); 637 spdk_mempool_put_bulk(g_mbuf_mp, 638 (void **)mbufs_to_free, 639 num_mbufs); 640 } 641 642 /* Check if there are any pending crypto ops to process */ 643 while (!TAILQ_EMPTY(&crypto_ch->queued_cry_ops)) { 644 op_to_resubmit = TAILQ_FIRST(&crypto_ch->queued_cry_ops); 645 io_ctx = (struct crypto_bdev_io *)op_to_resubmit->bdev_io->driver_ctx; 646 num_enqueued_ops = rte_cryptodev_enqueue_burst(op_to_resubmit->cdev_id, 647 op_to_resubmit->qp, 648 &op_to_resubmit->crypto_op, 649 1); 650 if (num_enqueued_ops == 1) { 651 /* Make sure we don't put this on twice as one bdev_io is made up 652 * of many crypto ops. 653 */ 654 if (io_ctx->on_pending_list == false) { 655 TAILQ_INSERT_TAIL(&crypto_ch->pending_cry_ios, op_to_resubmit->bdev_io, module_link); 656 io_ctx->on_pending_list = true; 657 } 658 TAILQ_REMOVE(&crypto_ch->queued_cry_ops, op_to_resubmit, link); 659 } else { 660 /* if we couldn't get one, just break and try again later. */ 661 break; 662 } 663 } 664 665 /* If the channel iter is not NULL, we need to continue to poll 666 * until the pending list is empty, then we can move on to the 667 * next channel. 668 */ 669 if (crypto_ch->iter && TAILQ_EMPTY(&crypto_ch->pending_cry_ios)) { 670 SPDK_NOTICELOG("Channel %p has been quiesced.\n", crypto_ch); 671 spdk_for_each_channel_continue(crypto_ch->iter, 0); 672 crypto_ch->iter = NULL; 673 } 674 675 return num_dequeued_ops; 676 } 677 678 /* We're either encrypting on the way down or decrypting on the way back. */ 679 static int 680 _crypto_operation(struct spdk_bdev_io *bdev_io, enum rte_crypto_cipher_operation crypto_op, 681 void *aux_buf) 682 { 683 uint16_t num_enqueued_ops = 0; 684 uint32_t cryop_cnt = bdev_io->u.bdev.num_blocks; 685 struct crypto_bdev_io *io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 686 struct crypto_io_channel *crypto_ch = io_ctx->crypto_ch; 687 uint8_t cdev_id = crypto_ch->device_qp->device->cdev_id; 688 uint32_t crypto_len = io_ctx->crypto_bdev->crypto_bdev.blocklen; 689 uint64_t total_length = bdev_io->u.bdev.num_blocks * crypto_len; 690 int rc; 691 uint32_t iov_index = 0; 692 uint32_t allocated = 0; 693 uint8_t *current_iov = NULL; 694 uint64_t total_remaining = 0; 695 uint64_t updated_length, current_iov_remaining = 0; 696 uint32_t crypto_index = 0; 697 uint32_t en_offset = 0; 698 struct rte_crypto_op *crypto_ops[MAX_ENQUEUE_ARRAY_SIZE]; 699 struct rte_mbuf *src_mbufs[MAX_ENQUEUE_ARRAY_SIZE]; 700 struct rte_mbuf *dst_mbufs[MAX_ENQUEUE_ARRAY_SIZE]; 701 int burst; 702 struct vbdev_crypto_op *op_to_queue; 703 uint64_t alignment = spdk_bdev_get_buf_align(&io_ctx->crypto_bdev->crypto_bdev); 704 705 assert((bdev_io->u.bdev.num_blocks * bdev_io->bdev->blocklen) <= CRYPTO_MAX_IO); 706 707 /* Get the number of source mbufs that we need. These will always be 1:1 because we 708 * don't support chaining. The reason we don't is because of our decision to use 709 * LBA as IV, there can be no case where we'd need >1 mbuf per crypto op or the 710 * op would be > 1 LBA. 711 */ 712 rc = spdk_mempool_get_bulk(g_mbuf_mp, (void **)&src_mbufs[0], cryop_cnt); 713 if (rc) { 714 SPDK_ERRLOG("ERROR trying to get src_mbufs!\n"); 715 return -ENOMEM; 716 } 717 718 /* Get the same amount but these buffers to describe the encrypted data location (dst). */ 719 if (crypto_op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { 720 rc = spdk_mempool_get_bulk(g_mbuf_mp, (void **)&dst_mbufs[0], cryop_cnt); 721 if (rc) { 722 SPDK_ERRLOG("ERROR trying to get dst_mbufs!\n"); 723 rc = -ENOMEM; 724 goto error_get_dst; 725 } 726 } 727 728 #ifdef __clang_analyzer__ 729 /* silence scan-build false positive */ 730 SPDK_CLANG_ANALYZER_PREINIT_PTR_ARRAY(crypto_ops, MAX_ENQUEUE_ARRAY_SIZE, 0x1000); 731 #endif 732 /* Allocate crypto operations. */ 733 allocated = rte_crypto_op_bulk_alloc(g_crypto_op_mp, 734 RTE_CRYPTO_OP_TYPE_SYMMETRIC, 735 crypto_ops, cryop_cnt); 736 if (allocated < cryop_cnt) { 737 SPDK_ERRLOG("ERROR trying to get crypto ops!\n"); 738 rc = -ENOMEM; 739 goto error_get_ops; 740 } 741 742 /* For encryption, we need to prepare a single contiguous buffer as the encryption 743 * destination, we'll then pass that along for the write after encryption is done. 744 * This is done to avoiding encrypting the provided write buffer which may be 745 * undesirable in some use cases. 746 */ 747 if (crypto_op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { 748 io_ctx->aux_buf_iov.iov_len = total_length; 749 io_ctx->aux_buf_raw = aux_buf; 750 io_ctx->aux_buf_iov.iov_base = (void *)(((uintptr_t)aux_buf + (alignment - 1)) & ~(alignment - 1)); 751 io_ctx->aux_offset_blocks = bdev_io->u.bdev.offset_blocks; 752 io_ctx->aux_num_blocks = bdev_io->u.bdev.num_blocks; 753 } 754 755 /* This value is used in the completion callback to determine when the bdev_io is 756 * complete. 757 */ 758 io_ctx->cryop_cnt_remaining = cryop_cnt; 759 760 /* As we don't support chaining because of a decision to use LBA as IV, construction 761 * of crypto operations is straightforward. We build both the op, the mbuf and the 762 * dst_mbuf in our local arrays by looping through the length of the bdev IO and 763 * picking off LBA sized blocks of memory from the IOVs as we walk through them. Each 764 * LBA sized chunk of memory will correspond 1:1 to a crypto operation and a single 765 * mbuf per crypto operation. 766 */ 767 total_remaining = total_length; 768 current_iov = bdev_io->u.bdev.iovs[iov_index].iov_base; 769 current_iov_remaining = bdev_io->u.bdev.iovs[iov_index].iov_len; 770 do { 771 uint8_t *iv_ptr; 772 uint64_t op_block_offset; 773 774 /* Set the mbuf elements address and length. Null out the next pointer. */ 775 src_mbufs[crypto_index]->buf_addr = current_iov; 776 src_mbufs[crypto_index]->data_len = updated_length = crypto_len; 777 /* TODO: Make this assignment conditional on QAT usage and add an assert. */ 778 src_mbufs[crypto_index]->buf_iova = spdk_vtophys((void *)current_iov, &updated_length); 779 src_mbufs[crypto_index]->next = NULL; 780 /* Store context in every mbuf as we don't know anything about completion order */ 781 *RTE_MBUF_DYNFIELD(src_mbufs[crypto_index], g_mbuf_offset, uint64_t *) = (uint64_t)bdev_io; 782 783 /* Set the IV - we use the LBA of the crypto_op */ 784 iv_ptr = rte_crypto_op_ctod_offset(crypto_ops[crypto_index], uint8_t *, 785 IV_OFFSET); 786 memset(iv_ptr, 0, AES_CBC_IV_LENGTH); 787 op_block_offset = bdev_io->u.bdev.offset_blocks + crypto_index; 788 rte_memcpy(iv_ptr, &op_block_offset, sizeof(uint64_t)); 789 790 /* Set the data to encrypt/decrypt length */ 791 crypto_ops[crypto_index]->sym->cipher.data.length = crypto_len; 792 crypto_ops[crypto_index]->sym->cipher.data.offset = 0; 793 794 /* link the mbuf to the crypto op. */ 795 crypto_ops[crypto_index]->sym->m_src = src_mbufs[crypto_index]; 796 if (crypto_op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { 797 crypto_ops[crypto_index]->sym->m_dst = src_mbufs[crypto_index]; 798 } else { 799 crypto_ops[crypto_index]->sym->m_dst = NULL; 800 } 801 802 /* For encrypt, point the destination to a buffer we allocate and redirect the bdev_io 803 * that will be used to process the write on completion to the same buffer. Setting 804 * up the en_buffer is a little simpler as we know the destination buffer is single IOV. 805 */ 806 if (crypto_op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { 807 808 /* Set the relevant destination en_mbuf elements. */ 809 dst_mbufs[crypto_index]->buf_addr = io_ctx->aux_buf_iov.iov_base + en_offset; 810 dst_mbufs[crypto_index]->data_len = updated_length = crypto_len; 811 /* TODO: Make this assignment conditional on QAT usage and add an assert. */ 812 dst_mbufs[crypto_index]->buf_iova = spdk_vtophys(dst_mbufs[crypto_index]->buf_addr, 813 &updated_length); 814 crypto_ops[crypto_index]->sym->m_dst = dst_mbufs[crypto_index]; 815 en_offset += crypto_len; 816 dst_mbufs[crypto_index]->next = NULL; 817 818 /* Attach the crypto session to the operation */ 819 rc = rte_crypto_op_attach_sym_session(crypto_ops[crypto_index], 820 io_ctx->crypto_bdev->session_encrypt); 821 if (rc) { 822 rc = -EINVAL; 823 goto error_attach_session; 824 } 825 826 } else { 827 /* Attach the crypto session to the operation */ 828 rc = rte_crypto_op_attach_sym_session(crypto_ops[crypto_index], 829 io_ctx->crypto_bdev->session_decrypt); 830 if (rc) { 831 rc = -EINVAL; 832 goto error_attach_session; 833 } 834 835 836 } 837 838 /* Subtract our running totals for the op in progress and the overall bdev io */ 839 total_remaining -= crypto_len; 840 current_iov_remaining -= crypto_len; 841 842 /* move our current IOV pointer accordingly. */ 843 current_iov += crypto_len; 844 845 /* move on to the next crypto operation */ 846 crypto_index++; 847 848 /* If we're done with this IOV, move to the next one. */ 849 if (current_iov_remaining == 0 && total_remaining > 0) { 850 iov_index++; 851 current_iov = bdev_io->u.bdev.iovs[iov_index].iov_base; 852 current_iov_remaining = bdev_io->u.bdev.iovs[iov_index].iov_len; 853 } 854 } while (total_remaining > 0); 855 856 /* Enqueue everything we've got but limit by the max number of descriptors we 857 * configured the crypto device for. 858 */ 859 burst = spdk_min(cryop_cnt, CRYPTO_QP_DESCRIPTORS); 860 num_enqueued_ops = rte_cryptodev_enqueue_burst(cdev_id, crypto_ch->device_qp->qp, 861 &crypto_ops[0], 862 burst); 863 864 /* Add this bdev_io to our outstanding list if any of its crypto ops made it. */ 865 if (num_enqueued_ops > 0) { 866 TAILQ_INSERT_TAIL(&crypto_ch->pending_cry_ios, bdev_io, module_link); 867 io_ctx->on_pending_list = true; 868 } 869 /* We were unable to enqueue everything but did get some, so need to decide what 870 * to do based on the status of the last op. 871 */ 872 if (num_enqueued_ops < cryop_cnt) { 873 switch (crypto_ops[num_enqueued_ops]->status) { 874 case RTE_CRYPTO_OP_STATUS_NOT_PROCESSED: 875 /* Queue them up on a linked list to be resubmitted via the poller. */ 876 for (crypto_index = num_enqueued_ops; crypto_index < cryop_cnt; crypto_index++) { 877 op_to_queue = (struct vbdev_crypto_op *)rte_crypto_op_ctod_offset(crypto_ops[crypto_index], 878 uint8_t *, QUEUED_OP_OFFSET); 879 op_to_queue->cdev_id = cdev_id; 880 op_to_queue->qp = crypto_ch->device_qp->qp; 881 op_to_queue->crypto_op = crypto_ops[crypto_index]; 882 op_to_queue->bdev_io = bdev_io; 883 TAILQ_INSERT_TAIL(&crypto_ch->queued_cry_ops, 884 op_to_queue, 885 link); 886 } 887 break; 888 default: 889 /* For all other statuses, set the io_ctx bdev_io status so that 890 * the poller will pick the failure up for the overall bdev status. 891 */ 892 io_ctx->bdev_io_status = SPDK_BDEV_IO_STATUS_FAILED; 893 if (num_enqueued_ops == 0) { 894 /* If nothing was enqueued, but the last one wasn't because of 895 * busy, fail it now as the poller won't know anything about it. 896 */ 897 _crypto_operation_complete(bdev_io); 898 rc = -EINVAL; 899 goto error_attach_session; 900 } 901 break; 902 } 903 } 904 905 return rc; 906 907 /* Error cleanup paths. */ 908 error_attach_session: 909 error_get_ops: 910 if (crypto_op == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { 911 spdk_mempool_put_bulk(g_mbuf_mp, (void **)&dst_mbufs[0], 912 cryop_cnt); 913 } 914 if (allocated > 0) { 915 rte_mempool_put_bulk(g_crypto_op_mp, (void **)crypto_ops, 916 allocated); 917 } 918 error_get_dst: 919 spdk_mempool_put_bulk(g_mbuf_mp, (void **)&src_mbufs[0], 920 cryop_cnt); 921 return rc; 922 } 923 924 /* This function is called after all channels have been quiesced following 925 * a bdev reset. 926 */ 927 static void 928 _ch_quiesce_done(struct spdk_io_channel_iter *i, int status) 929 { 930 struct crypto_bdev_io *io_ctx = spdk_io_channel_iter_get_ctx(i); 931 932 assert(TAILQ_EMPTY(&io_ctx->crypto_ch->pending_cry_ios)); 933 assert(io_ctx->orig_io != NULL); 934 935 spdk_bdev_io_complete(io_ctx->orig_io, SPDK_BDEV_IO_STATUS_SUCCESS); 936 } 937 938 /* This function is called per channel to quiesce IOs before completing a 939 * bdev reset that we received. 940 */ 941 static void 942 _ch_quiesce(struct spdk_io_channel_iter *i) 943 { 944 struct spdk_io_channel *ch = spdk_io_channel_iter_get_channel(i); 945 struct crypto_io_channel *crypto_ch = spdk_io_channel_get_ctx(ch); 946 947 crypto_ch->iter = i; 948 /* When the poller runs, it will see the non-NULL iter and handle 949 * the quiesce. 950 */ 951 } 952 953 /* Completion callback for IO that were issued from this bdev other than read/write. 954 * They have their own for readability. 955 */ 956 static void 957 _complete_internal_io(struct spdk_bdev_io *bdev_io, bool success, void *cb_arg) 958 { 959 struct spdk_bdev_io *orig_io = cb_arg; 960 int status = success ? SPDK_BDEV_IO_STATUS_SUCCESS : SPDK_BDEV_IO_STATUS_FAILED; 961 962 if (bdev_io->type == SPDK_BDEV_IO_TYPE_RESET) { 963 struct crypto_bdev_io *orig_ctx = (struct crypto_bdev_io *)orig_io->driver_ctx; 964 965 assert(orig_io == orig_ctx->orig_io); 966 967 spdk_bdev_free_io(bdev_io); 968 969 spdk_for_each_channel(orig_ctx->crypto_bdev, 970 _ch_quiesce, 971 orig_ctx, 972 _ch_quiesce_done); 973 return; 974 } 975 976 spdk_bdev_io_complete(orig_io, status); 977 spdk_bdev_free_io(bdev_io); 978 } 979 980 /* Completion callback for writes that were issued from this bdev. */ 981 static void 982 _complete_internal_write(struct spdk_bdev_io *bdev_io, bool success, void *cb_arg) 983 { 984 struct spdk_bdev_io *orig_io = cb_arg; 985 int status = success ? SPDK_BDEV_IO_STATUS_SUCCESS : SPDK_BDEV_IO_STATUS_FAILED; 986 struct crypto_bdev_io *orig_ctx = (struct crypto_bdev_io *)orig_io->driver_ctx; 987 988 spdk_bdev_io_put_aux_buf(orig_io, orig_ctx->aux_buf_raw); 989 990 spdk_bdev_io_complete(orig_io, status); 991 spdk_bdev_free_io(bdev_io); 992 } 993 994 /* Completion callback for reads that were issued from this bdev. */ 995 static void 996 _complete_internal_read(struct spdk_bdev_io *bdev_io, bool success, void *cb_arg) 997 { 998 struct spdk_bdev_io *orig_io = cb_arg; 999 struct crypto_bdev_io *orig_ctx = (struct crypto_bdev_io *)orig_io->driver_ctx; 1000 1001 if (success) { 1002 1003 /* Save off this bdev_io so it can be freed after decryption. */ 1004 orig_ctx->read_io = bdev_io; 1005 1006 if (!_crypto_operation(orig_io, RTE_CRYPTO_CIPHER_OP_DECRYPT, NULL)) { 1007 return; 1008 } else { 1009 SPDK_ERRLOG("ERROR decrypting\n"); 1010 } 1011 } else { 1012 SPDK_ERRLOG("ERROR on read prior to decrypting\n"); 1013 } 1014 1015 spdk_bdev_io_complete(orig_io, SPDK_BDEV_IO_STATUS_FAILED); 1016 spdk_bdev_free_io(bdev_io); 1017 } 1018 1019 static void 1020 vbdev_crypto_resubmit_io(void *arg) 1021 { 1022 struct spdk_bdev_io *bdev_io = (struct spdk_bdev_io *)arg; 1023 struct crypto_bdev_io *io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 1024 1025 vbdev_crypto_submit_request(io_ctx->ch, bdev_io); 1026 } 1027 1028 static void 1029 vbdev_crypto_queue_io(struct spdk_bdev_io *bdev_io) 1030 { 1031 struct crypto_bdev_io *io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 1032 int rc; 1033 1034 io_ctx->bdev_io_wait.bdev = bdev_io->bdev; 1035 io_ctx->bdev_io_wait.cb_fn = vbdev_crypto_resubmit_io; 1036 io_ctx->bdev_io_wait.cb_arg = bdev_io; 1037 1038 rc = spdk_bdev_queue_io_wait(bdev_io->bdev, io_ctx->crypto_ch->base_ch, &io_ctx->bdev_io_wait); 1039 if (rc != 0) { 1040 SPDK_ERRLOG("Queue io failed in vbdev_crypto_queue_io, rc=%d.\n", rc); 1041 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_FAILED); 1042 } 1043 } 1044 1045 /* Callback for getting a buf from the bdev pool in the event that the caller passed 1046 * in NULL, we need to own the buffer so it doesn't get freed by another vbdev module 1047 * beneath us before we're done with it. 1048 */ 1049 static void 1050 crypto_read_get_buf_cb(struct spdk_io_channel *ch, struct spdk_bdev_io *bdev_io, 1051 bool success) 1052 { 1053 struct vbdev_crypto *crypto_bdev = SPDK_CONTAINEROF(bdev_io->bdev, struct vbdev_crypto, 1054 crypto_bdev); 1055 struct crypto_io_channel *crypto_ch = spdk_io_channel_get_ctx(ch); 1056 struct crypto_bdev_io *io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 1057 int rc; 1058 1059 if (!success) { 1060 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_FAILED); 1061 return; 1062 } 1063 1064 rc = spdk_bdev_readv_blocks(crypto_bdev->base_desc, crypto_ch->base_ch, bdev_io->u.bdev.iovs, 1065 bdev_io->u.bdev.iovcnt, bdev_io->u.bdev.offset_blocks, 1066 bdev_io->u.bdev.num_blocks, _complete_internal_read, 1067 bdev_io); 1068 if (rc != 0) { 1069 if (rc == -ENOMEM) { 1070 SPDK_DEBUGLOG(vbdev_crypto, "No memory, queue the IO.\n"); 1071 io_ctx->ch = ch; 1072 vbdev_crypto_queue_io(bdev_io); 1073 } else { 1074 SPDK_ERRLOG("ERROR on bdev_io submission!\n"); 1075 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_FAILED); 1076 } 1077 } 1078 } 1079 1080 /* For encryption we don't want to encrypt the data in place as the host isn't 1081 * expecting us to mangle its data buffers so we need to encrypt into the bdev 1082 * aux buffer, then we can use that as the source for the disk data transfer. 1083 */ 1084 static void 1085 crypto_write_get_buf_cb(struct spdk_io_channel *ch, struct spdk_bdev_io *bdev_io, 1086 void *aux_buf) 1087 { 1088 struct crypto_bdev_io *io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 1089 int rc = 0; 1090 1091 rc = _crypto_operation(bdev_io, RTE_CRYPTO_CIPHER_OP_ENCRYPT, aux_buf); 1092 if (rc != 0) { 1093 spdk_bdev_io_put_aux_buf(bdev_io, aux_buf); 1094 if (rc == -ENOMEM) { 1095 SPDK_DEBUGLOG(vbdev_crypto, "No memory, queue the IO.\n"); 1096 io_ctx->ch = ch; 1097 vbdev_crypto_queue_io(bdev_io); 1098 } else { 1099 SPDK_ERRLOG("ERROR on bdev_io submission!\n"); 1100 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_FAILED); 1101 } 1102 } 1103 } 1104 1105 /* Called when someone submits IO to this crypto vbdev. For IO's not relevant to crypto, 1106 * we're simply passing it on here via SPDK IO calls which in turn allocate another bdev IO 1107 * and call our cpl callback provided below along with the original bdev_io so that we can 1108 * complete it once this IO completes. For crypto operations, we'll either encrypt it first 1109 * (writes) then call back into bdev to submit it or we'll submit a read and then catch it 1110 * on the way back for decryption. 1111 */ 1112 static void 1113 vbdev_crypto_submit_request(struct spdk_io_channel *ch, struct spdk_bdev_io *bdev_io) 1114 { 1115 struct vbdev_crypto *crypto_bdev = SPDK_CONTAINEROF(bdev_io->bdev, struct vbdev_crypto, 1116 crypto_bdev); 1117 struct crypto_io_channel *crypto_ch = spdk_io_channel_get_ctx(ch); 1118 struct crypto_bdev_io *io_ctx = (struct crypto_bdev_io *)bdev_io->driver_ctx; 1119 int rc = 0; 1120 1121 memset(io_ctx, 0, sizeof(struct crypto_bdev_io)); 1122 io_ctx->crypto_bdev = crypto_bdev; 1123 io_ctx->crypto_ch = crypto_ch; 1124 io_ctx->orig_io = bdev_io; 1125 io_ctx->bdev_io_status = SPDK_BDEV_IO_STATUS_SUCCESS; 1126 1127 switch (bdev_io->type) { 1128 case SPDK_BDEV_IO_TYPE_READ: 1129 spdk_bdev_io_get_buf(bdev_io, crypto_read_get_buf_cb, 1130 bdev_io->u.bdev.num_blocks * bdev_io->bdev->blocklen); 1131 break; 1132 case SPDK_BDEV_IO_TYPE_WRITE: 1133 /* Tell the bdev layer that we need an aux buf in addition to the data 1134 * buf already associated with the bdev. 1135 */ 1136 spdk_bdev_io_get_aux_buf(bdev_io, crypto_write_get_buf_cb); 1137 break; 1138 case SPDK_BDEV_IO_TYPE_UNMAP: 1139 rc = spdk_bdev_unmap_blocks(crypto_bdev->base_desc, crypto_ch->base_ch, 1140 bdev_io->u.bdev.offset_blocks, 1141 bdev_io->u.bdev.num_blocks, 1142 _complete_internal_io, bdev_io); 1143 break; 1144 case SPDK_BDEV_IO_TYPE_FLUSH: 1145 rc = spdk_bdev_flush_blocks(crypto_bdev->base_desc, crypto_ch->base_ch, 1146 bdev_io->u.bdev.offset_blocks, 1147 bdev_io->u.bdev.num_blocks, 1148 _complete_internal_io, bdev_io); 1149 break; 1150 case SPDK_BDEV_IO_TYPE_RESET: 1151 rc = spdk_bdev_reset(crypto_bdev->base_desc, crypto_ch->base_ch, 1152 _complete_internal_io, bdev_io); 1153 break; 1154 case SPDK_BDEV_IO_TYPE_WRITE_ZEROES: 1155 default: 1156 SPDK_ERRLOG("crypto: unknown I/O type %d\n", bdev_io->type); 1157 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_FAILED); 1158 return; 1159 } 1160 1161 if (rc != 0) { 1162 if (rc == -ENOMEM) { 1163 SPDK_DEBUGLOG(vbdev_crypto, "No memory, queue the IO.\n"); 1164 io_ctx->ch = ch; 1165 vbdev_crypto_queue_io(bdev_io); 1166 } else { 1167 SPDK_ERRLOG("ERROR on bdev_io submission!\n"); 1168 spdk_bdev_io_complete(bdev_io, SPDK_BDEV_IO_STATUS_FAILED); 1169 } 1170 } 1171 } 1172 1173 /* We'll just call the base bdev and let it answer except for WZ command which 1174 * we always say we don't support so that the bdev layer will actually send us 1175 * real writes that we can encrypt. 1176 */ 1177 static bool 1178 vbdev_crypto_io_type_supported(void *ctx, enum spdk_bdev_io_type io_type) 1179 { 1180 struct vbdev_crypto *crypto_bdev = (struct vbdev_crypto *)ctx; 1181 1182 switch (io_type) { 1183 case SPDK_BDEV_IO_TYPE_WRITE: 1184 case SPDK_BDEV_IO_TYPE_UNMAP: 1185 case SPDK_BDEV_IO_TYPE_RESET: 1186 case SPDK_BDEV_IO_TYPE_READ: 1187 case SPDK_BDEV_IO_TYPE_FLUSH: 1188 return spdk_bdev_io_type_supported(crypto_bdev->base_bdev, io_type); 1189 case SPDK_BDEV_IO_TYPE_WRITE_ZEROES: 1190 /* Force the bdev layer to issue actual writes of zeroes so we can 1191 * encrypt them as regular writes. 1192 */ 1193 default: 1194 return false; 1195 } 1196 } 1197 1198 /* Callback for unregistering the IO device. */ 1199 static void 1200 _device_unregister_cb(void *io_device) 1201 { 1202 struct vbdev_crypto *crypto_bdev = io_device; 1203 1204 /* Done with this crypto_bdev. */ 1205 rte_cryptodev_sym_session_free(crypto_bdev->session_decrypt); 1206 rte_cryptodev_sym_session_free(crypto_bdev->session_encrypt); 1207 free(crypto_bdev->drv_name); 1208 if (crypto_bdev->key) { 1209 memset(crypto_bdev->key, 0, strnlen(crypto_bdev->key, (AES_CBC_KEY_LENGTH + 1))); 1210 free(crypto_bdev->key); 1211 } 1212 if (crypto_bdev->key2) { 1213 memset(crypto_bdev->key2, 0, strnlen(crypto_bdev->key2, (AES_XTS_KEY_LENGTH + 1))); 1214 free(crypto_bdev->key2); 1215 } 1216 if (crypto_bdev->xts_key) { 1217 memset(crypto_bdev->xts_key, 0, strnlen(crypto_bdev->xts_key, (AES_XTS_KEY_LENGTH * 2) + 1)); 1218 free(crypto_bdev->xts_key); 1219 } 1220 free(crypto_bdev->crypto_bdev.name); 1221 free(crypto_bdev); 1222 } 1223 1224 /* Wrapper for the bdev close operation. */ 1225 static void 1226 _vbdev_crypto_destruct(void *ctx) 1227 { 1228 struct spdk_bdev_desc *desc = ctx; 1229 1230 spdk_bdev_close(desc); 1231 } 1232 1233 /* Called after we've unregistered following a hot remove callback. 1234 * Our finish entry point will be called next. 1235 */ 1236 static int 1237 vbdev_crypto_destruct(void *ctx) 1238 { 1239 struct vbdev_crypto *crypto_bdev = (struct vbdev_crypto *)ctx; 1240 1241 /* Remove this device from the internal list */ 1242 TAILQ_REMOVE(&g_vbdev_crypto, crypto_bdev, link); 1243 1244 /* Unclaim the underlying bdev. */ 1245 spdk_bdev_module_release_bdev(crypto_bdev->base_bdev); 1246 1247 /* Close the underlying bdev on its same opened thread. */ 1248 if (crypto_bdev->thread && crypto_bdev->thread != spdk_get_thread()) { 1249 spdk_thread_send_msg(crypto_bdev->thread, _vbdev_crypto_destruct, crypto_bdev->base_desc); 1250 } else { 1251 spdk_bdev_close(crypto_bdev->base_desc); 1252 } 1253 1254 /* Unregister the io_device. */ 1255 spdk_io_device_unregister(crypto_bdev, _device_unregister_cb); 1256 1257 g_number_of_claimed_volumes--; 1258 1259 return 0; 1260 } 1261 1262 /* We supplied this as an entry point for upper layers who want to communicate to this 1263 * bdev. This is how they get a channel. We are passed the same context we provided when 1264 * we created our crypto vbdev in examine() which, for this bdev, is the address of one of 1265 * our context nodes. From here we'll ask the SPDK channel code to fill out our channel 1266 * struct and we'll keep it in our crypto node. 1267 */ 1268 static struct spdk_io_channel * 1269 vbdev_crypto_get_io_channel(void *ctx) 1270 { 1271 struct vbdev_crypto *crypto_bdev = (struct vbdev_crypto *)ctx; 1272 1273 /* The IO channel code will allocate a channel for us which consists of 1274 * the SPDK channel structure plus the size of our crypto_io_channel struct 1275 * that we passed in when we registered our IO device. It will then call 1276 * our channel create callback to populate any elements that we need to 1277 * update. 1278 */ 1279 return spdk_get_io_channel(crypto_bdev); 1280 } 1281 1282 /* This is the output for bdev_get_bdevs() for this vbdev */ 1283 static int 1284 vbdev_crypto_dump_info_json(void *ctx, struct spdk_json_write_ctx *w) 1285 { 1286 struct vbdev_crypto *crypto_bdev = (struct vbdev_crypto *)ctx; 1287 1288 spdk_json_write_name(w, "crypto"); 1289 spdk_json_write_object_begin(w); 1290 spdk_json_write_named_string(w, "base_bdev_name", spdk_bdev_get_name(crypto_bdev->base_bdev)); 1291 spdk_json_write_named_string(w, "name", spdk_bdev_get_name(&crypto_bdev->crypto_bdev)); 1292 spdk_json_write_named_string(w, "crypto_pmd", crypto_bdev->drv_name); 1293 spdk_json_write_named_string(w, "key", crypto_bdev->key); 1294 if (strcmp(crypto_bdev->cipher, AES_XTS) == 0) { 1295 spdk_json_write_named_string(w, "key2", crypto_bdev->key); 1296 } 1297 spdk_json_write_named_string(w, "cipher", crypto_bdev->cipher); 1298 spdk_json_write_object_end(w); 1299 return 0; 1300 } 1301 1302 static int 1303 vbdev_crypto_config_json(struct spdk_json_write_ctx *w) 1304 { 1305 struct vbdev_crypto *crypto_bdev; 1306 1307 TAILQ_FOREACH(crypto_bdev, &g_vbdev_crypto, link) { 1308 spdk_json_write_object_begin(w); 1309 spdk_json_write_named_string(w, "method", "bdev_crypto_create"); 1310 spdk_json_write_named_object_begin(w, "params"); 1311 spdk_json_write_named_string(w, "base_bdev_name", spdk_bdev_get_name(crypto_bdev->base_bdev)); 1312 spdk_json_write_named_string(w, "name", spdk_bdev_get_name(&crypto_bdev->crypto_bdev)); 1313 spdk_json_write_named_string(w, "crypto_pmd", crypto_bdev->drv_name); 1314 spdk_json_write_named_string(w, "key", crypto_bdev->key); 1315 if (strcmp(crypto_bdev->cipher, AES_XTS) == 0) { 1316 spdk_json_write_named_string(w, "key2", crypto_bdev->key); 1317 } 1318 spdk_json_write_named_string(w, "cipher", crypto_bdev->cipher); 1319 spdk_json_write_object_end(w); 1320 spdk_json_write_object_end(w); 1321 } 1322 return 0; 1323 } 1324 1325 /* Helper function for the channel creation callback. */ 1326 static void 1327 _assign_device_qp(struct vbdev_crypto *crypto_bdev, struct device_qp *device_qp, 1328 struct crypto_io_channel *crypto_ch) 1329 { 1330 pthread_mutex_lock(&g_device_qp_lock); 1331 if (strcmp(crypto_bdev->drv_name, QAT) == 0) { 1332 /* For some QAT devices, the optimal qp to use is every 32nd as this spreads the 1333 * workload out over the multiple virtual functions in the device. For the devices 1334 * where this isn't the case, it doesn't hurt. 1335 */ 1336 TAILQ_FOREACH(device_qp, &g_device_qp_qat, link) { 1337 if (device_qp->index != g_next_qat_index) { 1338 continue; 1339 } 1340 if (device_qp->in_use == false) { 1341 crypto_ch->device_qp = device_qp; 1342 device_qp->in_use = true; 1343 g_next_qat_index = (g_next_qat_index + QAT_VF_SPREAD) % g_qat_total_qp; 1344 break; 1345 } else { 1346 /* if the preferred index is used, skip to the next one in this set. */ 1347 g_next_qat_index = (g_next_qat_index + 1) % g_qat_total_qp; 1348 } 1349 } 1350 } else if (strcmp(crypto_bdev->drv_name, AESNI_MB) == 0) { 1351 TAILQ_FOREACH(device_qp, &g_device_qp_aesni_mb, link) { 1352 if (device_qp->in_use == false) { 1353 crypto_ch->device_qp = device_qp; 1354 device_qp->in_use = true; 1355 break; 1356 } 1357 } 1358 } 1359 pthread_mutex_unlock(&g_device_qp_lock); 1360 } 1361 1362 /* We provide this callback for the SPDK channel code to create a channel using 1363 * the channel struct we provided in our module get_io_channel() entry point. Here 1364 * we get and save off an underlying base channel of the device below us so that 1365 * we can communicate with the base bdev on a per channel basis. We also register the 1366 * poller used to complete crypto operations from the device. 1367 */ 1368 static int 1369 crypto_bdev_ch_create_cb(void *io_device, void *ctx_buf) 1370 { 1371 struct crypto_io_channel *crypto_ch = ctx_buf; 1372 struct vbdev_crypto *crypto_bdev = io_device; 1373 struct device_qp *device_qp = NULL; 1374 1375 crypto_ch->base_ch = spdk_bdev_get_io_channel(crypto_bdev->base_desc); 1376 crypto_ch->poller = SPDK_POLLER_REGISTER(crypto_dev_poller, crypto_ch, 0); 1377 crypto_ch->device_qp = NULL; 1378 1379 /* Assign a device/qp combination that is unique per channel per PMD. */ 1380 _assign_device_qp(crypto_bdev, device_qp, crypto_ch); 1381 assert(crypto_ch->device_qp); 1382 1383 /* We use this queue to track outstanding IO in our layer. */ 1384 TAILQ_INIT(&crypto_ch->pending_cry_ios); 1385 1386 /* We use this to queue up crypto ops when the device is busy. */ 1387 TAILQ_INIT(&crypto_ch->queued_cry_ops); 1388 1389 return 0; 1390 } 1391 1392 /* We provide this callback for the SPDK channel code to destroy a channel 1393 * created with our create callback. We just need to undo anything we did 1394 * when we created. 1395 */ 1396 static void 1397 crypto_bdev_ch_destroy_cb(void *io_device, void *ctx_buf) 1398 { 1399 struct crypto_io_channel *crypto_ch = ctx_buf; 1400 1401 pthread_mutex_lock(&g_device_qp_lock); 1402 crypto_ch->device_qp->in_use = false; 1403 pthread_mutex_unlock(&g_device_qp_lock); 1404 1405 spdk_poller_unregister(&crypto_ch->poller); 1406 spdk_put_io_channel(crypto_ch->base_ch); 1407 } 1408 1409 /* Create the association from the bdev and vbdev name and insert 1410 * on the global list. */ 1411 static int 1412 vbdev_crypto_insert_name(const char *bdev_name, const char *vbdev_name, 1413 const char *crypto_pmd, const char *key, 1414 const char *cipher, const char *key2) 1415 { 1416 struct bdev_names *name; 1417 int rc, j; 1418 bool found = false; 1419 1420 TAILQ_FOREACH(name, &g_bdev_names, link) { 1421 if (strcmp(vbdev_name, name->vbdev_name) == 0) { 1422 SPDK_ERRLOG("crypto bdev %s already exists\n", vbdev_name); 1423 return -EEXIST; 1424 } 1425 } 1426 1427 name = calloc(1, sizeof(struct bdev_names)); 1428 if (!name) { 1429 SPDK_ERRLOG("could not allocate bdev_names\n"); 1430 return -ENOMEM; 1431 } 1432 1433 name->bdev_name = strdup(bdev_name); 1434 if (!name->bdev_name) { 1435 SPDK_ERRLOG("could not allocate name->bdev_name\n"); 1436 rc = -ENOMEM; 1437 goto error_alloc_bname; 1438 } 1439 1440 name->vbdev_name = strdup(vbdev_name); 1441 if (!name->vbdev_name) { 1442 SPDK_ERRLOG("could not allocate name->vbdev_name\n"); 1443 rc = -ENOMEM; 1444 goto error_alloc_vname; 1445 } 1446 1447 name->drv_name = strdup(crypto_pmd); 1448 if (!name->drv_name) { 1449 SPDK_ERRLOG("could not allocate name->drv_name\n"); 1450 rc = -ENOMEM; 1451 goto error_alloc_dname; 1452 } 1453 for (j = 0; j < MAX_NUM_DRV_TYPES ; j++) { 1454 if (strcmp(crypto_pmd, g_driver_names[j]) == 0) { 1455 found = true; 1456 break; 1457 } 1458 } 1459 if (!found) { 1460 SPDK_ERRLOG("invalid crypto PMD type %s\n", crypto_pmd); 1461 rc = -EINVAL; 1462 goto error_invalid_pmd; 1463 } 1464 1465 name->key = strdup(key); 1466 if (!name->key) { 1467 SPDK_ERRLOG("could not allocate name->key\n"); 1468 rc = -ENOMEM; 1469 goto error_alloc_key; 1470 } 1471 if (strnlen(name->key, (AES_CBC_KEY_LENGTH + 1)) != AES_CBC_KEY_LENGTH) { 1472 SPDK_ERRLOG("invalid AES_CBC key length\n"); 1473 rc = -EINVAL; 1474 goto error_invalid_key; 1475 } 1476 1477 if (strncmp(cipher, AES_XTS, sizeof(AES_XTS)) == 0) { 1478 /* To please scan-build, input validation makes sure we can't 1479 * have this cipher without providing a key2. 1480 */ 1481 name->cipher = AES_XTS; 1482 assert(key2); 1483 if (strnlen(key2, (AES_XTS_KEY_LENGTH + 1)) != AES_XTS_KEY_LENGTH) { 1484 SPDK_ERRLOG("invalid AES_XTS key length\n"); 1485 rc = -EINVAL; 1486 goto error_invalid_key2; 1487 } 1488 1489 name->key2 = strdup(key2); 1490 if (!name->key2) { 1491 SPDK_ERRLOG("could not allocate name->key2\n"); 1492 rc = -ENOMEM; 1493 goto error_alloc_key2; 1494 } 1495 } else if (strncmp(cipher, AES_CBC, sizeof(AES_CBC)) == 0) { 1496 name->cipher = AES_CBC; 1497 } else { 1498 SPDK_ERRLOG("Invalid cipher: %s\n", cipher); 1499 rc = -EINVAL; 1500 goto error_cipher; 1501 } 1502 1503 TAILQ_INSERT_TAIL(&g_bdev_names, name, link); 1504 1505 return 0; 1506 1507 /* Error cleanup paths. */ 1508 error_cipher: 1509 free(name->key2); 1510 error_alloc_key2: 1511 error_invalid_key2: 1512 error_invalid_key: 1513 free(name->key); 1514 error_alloc_key: 1515 error_invalid_pmd: 1516 free(name->drv_name); 1517 error_alloc_dname: 1518 free(name->vbdev_name); 1519 error_alloc_vname: 1520 free(name->bdev_name); 1521 error_alloc_bname: 1522 free(name); 1523 return rc; 1524 } 1525 1526 /* RPC entry point for crypto creation. */ 1527 int 1528 create_crypto_disk(const char *bdev_name, const char *vbdev_name, 1529 const char *crypto_pmd, const char *key, 1530 const char *cipher, const char *key2) 1531 { 1532 int rc; 1533 1534 rc = vbdev_crypto_insert_name(bdev_name, vbdev_name, crypto_pmd, key, cipher, key2); 1535 if (rc) { 1536 return rc; 1537 } 1538 1539 rc = vbdev_crypto_claim(bdev_name); 1540 if (rc == -ENODEV) { 1541 SPDK_NOTICELOG("vbdev creation deferred pending base bdev arrival\n"); 1542 rc = 0; 1543 } 1544 1545 return rc; 1546 } 1547 1548 /* Called at driver init time, parses config file to prepare for examine calls, 1549 * also fully initializes the crypto drivers. 1550 */ 1551 static int 1552 vbdev_crypto_init(void) 1553 { 1554 int rc = 0; 1555 1556 /* Fully configure both SW and HW drivers. */ 1557 rc = vbdev_crypto_init_crypto_drivers(); 1558 if (rc) { 1559 SPDK_ERRLOG("Error setting up crypto devices\n"); 1560 } 1561 1562 return rc; 1563 } 1564 1565 /* Called when the entire module is being torn down. */ 1566 static void 1567 vbdev_crypto_finish(void) 1568 { 1569 struct bdev_names *name; 1570 struct vbdev_dev *device; 1571 struct device_qp *dev_qp; 1572 unsigned i; 1573 int rc; 1574 1575 while ((name = TAILQ_FIRST(&g_bdev_names))) { 1576 TAILQ_REMOVE(&g_bdev_names, name, link); 1577 free(name->drv_name); 1578 free(name->key); 1579 free(name->bdev_name); 1580 free(name->vbdev_name); 1581 free(name->key2); 1582 free(name); 1583 } 1584 1585 while ((device = TAILQ_FIRST(&g_vbdev_devs))) { 1586 struct rte_cryptodev *rte_dev; 1587 1588 TAILQ_REMOVE(&g_vbdev_devs, device, link); 1589 rte_cryptodev_stop(device->cdev_id); 1590 1591 assert(device->cdev_id < RTE_CRYPTO_MAX_DEVS); 1592 rte_dev = &rte_cryptodevs[device->cdev_id]; 1593 1594 if (rte_dev->dev_ops->queue_pair_release != NULL) { 1595 for (i = 0; i < device->cdev_info.max_nb_queue_pairs; i++) { 1596 rte_dev->dev_ops->queue_pair_release(rte_dev, i); 1597 } 1598 } 1599 free(device); 1600 } 1601 rc = rte_vdev_uninit(AESNI_MB); 1602 if (rc) { 1603 SPDK_ERRLOG("%d from rte_vdev_uninit\n", rc); 1604 } 1605 1606 while ((dev_qp = TAILQ_FIRST(&g_device_qp_qat))) { 1607 TAILQ_REMOVE(&g_device_qp_qat, dev_qp, link); 1608 free(dev_qp); 1609 } 1610 1611 while ((dev_qp = TAILQ_FIRST(&g_device_qp_aesni_mb))) { 1612 TAILQ_REMOVE(&g_device_qp_aesni_mb, dev_qp, link); 1613 free(dev_qp); 1614 } 1615 1616 rte_mempool_free(g_crypto_op_mp); 1617 spdk_mempool_free(g_mbuf_mp); 1618 rte_mempool_free(g_session_mp); 1619 if (g_session_mp_priv != NULL) { 1620 rte_mempool_free(g_session_mp_priv); 1621 } 1622 } 1623 1624 /* During init we'll be asked how much memory we'd like passed to us 1625 * in bev_io structures as context. Here's where we specify how 1626 * much context we want per IO. 1627 */ 1628 static int 1629 vbdev_crypto_get_ctx_size(void) 1630 { 1631 return sizeof(struct crypto_bdev_io); 1632 } 1633 1634 static void 1635 vbdev_crypto_base_bdev_hotremove_cb(struct spdk_bdev *bdev_find) 1636 { 1637 struct vbdev_crypto *crypto_bdev, *tmp; 1638 1639 TAILQ_FOREACH_SAFE(crypto_bdev, &g_vbdev_crypto, link, tmp) { 1640 if (bdev_find == crypto_bdev->base_bdev) { 1641 spdk_bdev_unregister(&crypto_bdev->crypto_bdev, NULL, NULL); 1642 } 1643 } 1644 } 1645 1646 /* Called when the underlying base bdev triggers asynchronous event such as bdev removal. */ 1647 static void 1648 vbdev_crypto_base_bdev_event_cb(enum spdk_bdev_event_type type, struct spdk_bdev *bdev, 1649 void *event_ctx) 1650 { 1651 switch (type) { 1652 case SPDK_BDEV_EVENT_REMOVE: 1653 vbdev_crypto_base_bdev_hotremove_cb(bdev); 1654 break; 1655 default: 1656 SPDK_NOTICELOG("Unsupported bdev event: type %d\n", type); 1657 break; 1658 } 1659 } 1660 1661 static void 1662 vbdev_crypto_write_config_json(struct spdk_bdev *bdev, struct spdk_json_write_ctx *w) 1663 { 1664 /* No config per bdev needed */ 1665 } 1666 1667 /* When we register our bdev this is how we specify our entry points. */ 1668 static const struct spdk_bdev_fn_table vbdev_crypto_fn_table = { 1669 .destruct = vbdev_crypto_destruct, 1670 .submit_request = vbdev_crypto_submit_request, 1671 .io_type_supported = vbdev_crypto_io_type_supported, 1672 .get_io_channel = vbdev_crypto_get_io_channel, 1673 .dump_info_json = vbdev_crypto_dump_info_json, 1674 .write_config_json = vbdev_crypto_write_config_json 1675 }; 1676 1677 static struct spdk_bdev_module crypto_if = { 1678 .name = "crypto", 1679 .module_init = vbdev_crypto_init, 1680 .get_ctx_size = vbdev_crypto_get_ctx_size, 1681 .examine_config = vbdev_crypto_examine, 1682 .module_fini = vbdev_crypto_finish, 1683 .config_json = vbdev_crypto_config_json 1684 }; 1685 1686 SPDK_BDEV_MODULE_REGISTER(crypto, &crypto_if) 1687 1688 static int 1689 vbdev_crypto_claim(const char *bdev_name) 1690 { 1691 struct bdev_names *name; 1692 struct vbdev_crypto *vbdev; 1693 struct vbdev_dev *device; 1694 struct spdk_bdev *bdev; 1695 bool found = false; 1696 int rc = 0; 1697 1698 if (g_number_of_claimed_volumes >= MAX_CRYPTO_VOLUMES) { 1699 SPDK_DEBUGLOG(vbdev_crypto, "Reached max number of claimed volumes\n"); 1700 rc = -EINVAL; 1701 goto error_vbdev_alloc; 1702 } 1703 g_number_of_claimed_volumes++; 1704 1705 /* Check our list of names from config versus this bdev and if 1706 * there's a match, create the crypto_bdev & bdev accordingly. 1707 */ 1708 TAILQ_FOREACH(name, &g_bdev_names, link) { 1709 if (strcmp(name->bdev_name, bdev_name) != 0) { 1710 continue; 1711 } 1712 SPDK_DEBUGLOG(vbdev_crypto, "Match on %s\n", bdev_name); 1713 1714 vbdev = calloc(1, sizeof(struct vbdev_crypto)); 1715 if (!vbdev) { 1716 SPDK_ERRLOG("could not allocate crypto_bdev\n"); 1717 rc = -ENOMEM; 1718 goto error_vbdev_alloc; 1719 } 1720 1721 vbdev->crypto_bdev.name = strdup(name->vbdev_name); 1722 if (!vbdev->crypto_bdev.name) { 1723 SPDK_ERRLOG("could not allocate crypto_bdev name\n"); 1724 rc = -ENOMEM; 1725 goto error_bdev_name; 1726 } 1727 1728 vbdev->key = strdup(name->key); 1729 if (!vbdev->key) { 1730 SPDK_ERRLOG("could not allocate crypto_bdev key\n"); 1731 rc = -ENOMEM; 1732 goto error_alloc_key; 1733 } 1734 1735 if (name->key2) { 1736 vbdev->key2 = strdup(name->key2); 1737 if (!vbdev->key2) { 1738 SPDK_ERRLOG("could not allocate crypto_bdev key2\n"); 1739 rc = -ENOMEM; 1740 goto error_alloc_key2; 1741 } 1742 } 1743 1744 vbdev->drv_name = strdup(name->drv_name); 1745 if (!vbdev->drv_name) { 1746 SPDK_ERRLOG("could not allocate crypto_bdev drv_name\n"); 1747 rc = -ENOMEM; 1748 goto error_drv_name; 1749 } 1750 1751 vbdev->crypto_bdev.product_name = "crypto"; 1752 1753 rc = spdk_bdev_open_ext(bdev_name, true, vbdev_crypto_base_bdev_event_cb, 1754 NULL, &vbdev->base_desc); 1755 if (rc) { 1756 if (rc != -ENODEV) { 1757 SPDK_ERRLOG("could not open bdev %s\n", bdev_name); 1758 } 1759 goto error_open; 1760 } 1761 1762 bdev = spdk_bdev_desc_get_bdev(vbdev->base_desc); 1763 vbdev->base_bdev = bdev; 1764 1765 vbdev->crypto_bdev.write_cache = bdev->write_cache; 1766 vbdev->cipher = AES_CBC; 1767 if (strcmp(vbdev->drv_name, QAT) == 0) { 1768 vbdev->crypto_bdev.required_alignment = 1769 spdk_max(spdk_u32log2(bdev->blocklen), bdev->required_alignment); 1770 SPDK_NOTICELOG("QAT in use: Required alignment set to %u\n", 1771 vbdev->crypto_bdev.required_alignment); 1772 if (strcmp(name->cipher, AES_CBC) == 0) { 1773 SPDK_NOTICELOG("QAT using cipher: AES_CBC\n"); 1774 } else { 1775 SPDK_NOTICELOG("QAT using cipher: AES_XTS\n"); 1776 vbdev->cipher = AES_XTS; 1777 /* DPDK expects they keys to be concatenated together. */ 1778 vbdev->xts_key = calloc(1, (AES_XTS_KEY_LENGTH * 2) + 1); 1779 if (vbdev->xts_key == NULL) { 1780 SPDK_ERRLOG("could not allocate memory for XTS key\n"); 1781 rc = -ENOMEM; 1782 goto error_xts_key; 1783 } 1784 memcpy(vbdev->xts_key, vbdev->key, AES_XTS_KEY_LENGTH); 1785 assert(name->key2); 1786 memcpy(vbdev->xts_key + AES_XTS_KEY_LENGTH, name->key2, AES_XTS_KEY_LENGTH + 1); 1787 } 1788 } else { 1789 vbdev->crypto_bdev.required_alignment = bdev->required_alignment; 1790 } 1791 /* Note: CRYPTO_MAX_IO is in units of bytes, optimal_io_boundary is 1792 * in units of blocks. 1793 */ 1794 if (bdev->optimal_io_boundary > 0) { 1795 vbdev->crypto_bdev.optimal_io_boundary = 1796 spdk_min((CRYPTO_MAX_IO / bdev->blocklen), bdev->optimal_io_boundary); 1797 } else { 1798 vbdev->crypto_bdev.optimal_io_boundary = (CRYPTO_MAX_IO / bdev->blocklen); 1799 } 1800 vbdev->crypto_bdev.split_on_optimal_io_boundary = true; 1801 vbdev->crypto_bdev.blocklen = bdev->blocklen; 1802 vbdev->crypto_bdev.blockcnt = bdev->blockcnt; 1803 1804 /* This is the context that is passed to us when the bdev 1805 * layer calls in so we'll save our crypto_bdev node here. 1806 */ 1807 vbdev->crypto_bdev.ctxt = vbdev; 1808 vbdev->crypto_bdev.fn_table = &vbdev_crypto_fn_table; 1809 vbdev->crypto_bdev.module = &crypto_if; 1810 TAILQ_INSERT_TAIL(&g_vbdev_crypto, vbdev, link); 1811 1812 spdk_io_device_register(vbdev, crypto_bdev_ch_create_cb, crypto_bdev_ch_destroy_cb, 1813 sizeof(struct crypto_io_channel), vbdev->crypto_bdev.name); 1814 1815 /* Save the thread where the base device is opened */ 1816 vbdev->thread = spdk_get_thread(); 1817 1818 rc = spdk_bdev_module_claim_bdev(bdev, vbdev->base_desc, vbdev->crypto_bdev.module); 1819 if (rc) { 1820 SPDK_ERRLOG("could not claim bdev %s\n", spdk_bdev_get_name(bdev)); 1821 goto error_claim; 1822 } 1823 1824 /* To init the session we have to get the cryptoDev device ID for this vbdev */ 1825 TAILQ_FOREACH(device, &g_vbdev_devs, link) { 1826 if (strcmp(device->cdev_info.driver_name, vbdev->drv_name) == 0) { 1827 found = true; 1828 break; 1829 } 1830 } 1831 if (found == false) { 1832 SPDK_ERRLOG("ERROR can't match crypto device driver to crypto vbdev!\n"); 1833 rc = -EINVAL; 1834 goto error_cant_find_devid; 1835 } 1836 1837 /* Get sessions. */ 1838 vbdev->session_encrypt = rte_cryptodev_sym_session_create(g_session_mp); 1839 if (NULL == vbdev->session_encrypt) { 1840 SPDK_ERRLOG("ERROR trying to create crypto session!\n"); 1841 rc = -EINVAL; 1842 goto error_session_en_create; 1843 } 1844 1845 vbdev->session_decrypt = rte_cryptodev_sym_session_create(g_session_mp); 1846 if (NULL == vbdev->session_decrypt) { 1847 SPDK_ERRLOG("ERROR trying to create crypto session!\n"); 1848 rc = -EINVAL; 1849 goto error_session_de_create; 1850 } 1851 1852 /* Init our per vbdev xform with the desired cipher options. */ 1853 vbdev->cipher_xform.type = RTE_CRYPTO_SYM_XFORM_CIPHER; 1854 vbdev->cipher_xform.cipher.iv.offset = IV_OFFSET; 1855 if (strcmp(name->cipher, AES_CBC) == 0) { 1856 vbdev->cipher_xform.cipher.key.data = vbdev->key; 1857 vbdev->cipher_xform.cipher.algo = RTE_CRYPTO_CIPHER_AES_CBC; 1858 vbdev->cipher_xform.cipher.key.length = AES_CBC_KEY_LENGTH; 1859 } else { 1860 vbdev->cipher_xform.cipher.key.data = vbdev->xts_key; 1861 vbdev->cipher_xform.cipher.algo = RTE_CRYPTO_CIPHER_AES_XTS; 1862 vbdev->cipher_xform.cipher.key.length = AES_XTS_KEY_LENGTH * 2; 1863 } 1864 vbdev->cipher_xform.cipher.iv.length = AES_CBC_IV_LENGTH; 1865 1866 vbdev->cipher_xform.cipher.op = RTE_CRYPTO_CIPHER_OP_ENCRYPT; 1867 rc = rte_cryptodev_sym_session_init(device->cdev_id, vbdev->session_encrypt, 1868 &vbdev->cipher_xform, 1869 g_session_mp_priv ? g_session_mp_priv : g_session_mp); 1870 if (rc < 0) { 1871 SPDK_ERRLOG("ERROR trying to init encrypt session!\n"); 1872 rc = -EINVAL; 1873 goto error_session_init; 1874 } 1875 1876 vbdev->cipher_xform.cipher.op = RTE_CRYPTO_CIPHER_OP_DECRYPT; 1877 rc = rte_cryptodev_sym_session_init(device->cdev_id, vbdev->session_decrypt, 1878 &vbdev->cipher_xform, 1879 g_session_mp_priv ? g_session_mp_priv : g_session_mp); 1880 if (rc < 0) { 1881 SPDK_ERRLOG("ERROR trying to init decrypt session!\n"); 1882 rc = -EINVAL; 1883 goto error_session_init; 1884 } 1885 1886 rc = spdk_bdev_register(&vbdev->crypto_bdev); 1887 if (rc < 0) { 1888 SPDK_ERRLOG("ERROR trying to register bdev\n"); 1889 rc = -EINVAL; 1890 goto error_bdev_register; 1891 } 1892 SPDK_DEBUGLOG(vbdev_crypto, "registered io_device and virtual bdev for: %s\n", 1893 name->vbdev_name); 1894 break; 1895 } 1896 1897 return rc; 1898 1899 /* Error cleanup paths. */ 1900 error_bdev_register: 1901 error_session_init: 1902 rte_cryptodev_sym_session_free(vbdev->session_decrypt); 1903 error_session_de_create: 1904 rte_cryptodev_sym_session_free(vbdev->session_encrypt); 1905 error_session_en_create: 1906 error_cant_find_devid: 1907 error_claim: 1908 spdk_bdev_close(vbdev->base_desc); 1909 TAILQ_REMOVE(&g_vbdev_crypto, vbdev, link); 1910 spdk_io_device_unregister(vbdev, NULL); 1911 free(vbdev->xts_key); 1912 error_xts_key: 1913 error_open: 1914 free(vbdev->drv_name); 1915 error_drv_name: 1916 free(vbdev->key2); 1917 error_alloc_key2: 1918 free(vbdev->key); 1919 error_alloc_key: 1920 free(vbdev->crypto_bdev.name); 1921 error_bdev_name: 1922 free(vbdev); 1923 error_vbdev_alloc: 1924 g_number_of_claimed_volumes--; 1925 return rc; 1926 } 1927 1928 /* RPC entry for deleting a crypto vbdev. */ 1929 void 1930 delete_crypto_disk(struct spdk_bdev *bdev, spdk_delete_crypto_complete cb_fn, 1931 void *cb_arg) 1932 { 1933 struct bdev_names *name; 1934 1935 if (!bdev || bdev->module != &crypto_if) { 1936 cb_fn(cb_arg, -ENODEV); 1937 return; 1938 } 1939 1940 /* Remove the association (vbdev, bdev) from g_bdev_names. This is required so that the 1941 * vbdev does not get re-created if the same bdev is constructed at some other time, 1942 * unless the underlying bdev was hot-removed. 1943 */ 1944 TAILQ_FOREACH(name, &g_bdev_names, link) { 1945 if (strcmp(name->vbdev_name, bdev->name) == 0) { 1946 TAILQ_REMOVE(&g_bdev_names, name, link); 1947 free(name->bdev_name); 1948 free(name->vbdev_name); 1949 free(name->drv_name); 1950 free(name->key); 1951 free(name->key2); 1952 free(name); 1953 break; 1954 } 1955 } 1956 1957 /* Additional cleanup happens in the destruct callback. */ 1958 spdk_bdev_unregister(bdev, cb_fn, cb_arg); 1959 } 1960 1961 /* Because we specified this function in our crypto bdev function table when we 1962 * registered our crypto bdev, we'll get this call anytime a new bdev shows up. 1963 * Here we need to decide if we care about it and if so what to do. We 1964 * parsed the config file at init so we check the new bdev against the list 1965 * we built up at that time and if the user configured us to attach to this 1966 * bdev, here's where we do it. 1967 */ 1968 static void 1969 vbdev_crypto_examine(struct spdk_bdev *bdev) 1970 { 1971 vbdev_crypto_claim(spdk_bdev_get_name(bdev)); 1972 spdk_bdev_module_examine_done(&crypto_if); 1973 } 1974 1975 SPDK_LOG_REGISTER_COMPONENT(vbdev_crypto) 1976