[dpdk-dev] [PATCH] test/crypto-perf: support lookaside IPsec

From: Akhil Goyal <gakhil@marvell.com>
To: <dev@dpdk.org>
Cc: <anoobj@marvell.com>, <declan.doherty@intel.com>,
	<hemant.agrawal@nxp.com>, <matan@nvidia.com>,
	<konstantin.ananyev@intel.com>, <thomas@monjalon.net>,
	<roy.fan.zhang@intel.com>, <g.singh@nxp.com>,
	<ciara.power@intel.com>, <adwivedi@marvell.com>,
	Akhil Goyal <gakhil@marvell.com>
Subject: [dpdk-dev] [PATCH] test/crypto-perf: support lookaside IPsec
Date: Tue, 17 Aug 2021 23:18:49 +0530	[thread overview]
Message-ID: <20210817174849.1591235-1-gakhil@marvell.com> (raw)

Added support for lookaside IPsec protocol offload.
Supported cases:
-AEAD
-Cipher+auth

Command used for testing:
./dpdk-test-crypto-perf -c 0xf -- --devtype crypto_octeontx2 --ptest
throughput --optype ipsec --cipher-algo aes-cbc --pool-sz 16384
--cipher-op encrypt --cipher-key-sz 16 --cipher-iv-sz 16 --auth-algo
sha1-hmac --auth-op generate --digest-sz 16 --total-ops 10000000
--burst-sz 32 --buffer-sz 64,128,256,512,1024,1280,2048

./dpdk-test-crypto-perf -c 0xf -- --devtype crypto_octeontx2 --ptest
throughput --optype ipsec --aead-algo aes-gcm --pool-sz 16384
--aead-op encrypt --aead-key-sz 32 --aead-iv-sz 12 --aead-aad-sz 16
--digest-sz 16 --total-ops 10000000 --burst-sz 32
--buffer-sz 64,128,256,512,1024,1280,2048

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
This patch is rebased over following patch to
avoid conflict
https://mails.dpdk.org/archives/dev/2021-August/216795.html


 app/test-crypto-perf/cperf_ops.c             | 179 ++++++++++++++++---
 app/test-crypto-perf/cperf_options.h         |   1 +
 app/test-crypto-perf/cperf_options_parsing.c |   4 +
 app/test-crypto-perf/cperf_test_throughput.c |   3 +-
 app/test-crypto-perf/cperf_test_vectors.c    |   6 +-
 app/test-crypto-perf/main.c                  |   3 +-
 6 files changed, 165 insertions(+), 31 deletions(-)

diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c
index 4b7d66edb2..b2073f0738 100644
--- a/app/test-crypto-perf/cperf_ops.c
+++ b/app/test-crypto-perf/cperf_ops.c
@@ -62,7 +62,13 @@ cperf_set_ops_security(struct rte_crypto_op **ops,
 		sym_op->m_src = (struct rte_mbuf *)((uint8_t *)ops[i] +
 							src_buf_offset);
 
-		if (options->op_type == CPERF_PDCP) {
+		if (options->op_type == CPERF_PDCP ||
+				options->op_type == CPERF_IPSEC) {
+			/* In case of IPsec, headroom is consumed by PMD,
+			 * hence resetting it.
+			 */
+			sym_op->m_src->data_off = options->headroom_sz;
+
 			sym_op->m_src->buf_len = options->segment_sz;
 			sym_op->m_src->data_len = options->test_buffer_size;
 			sym_op->m_src->pkt_len = sym_op->m_src->data_len;
@@ -565,6 +571,123 @@ cperf_set_ops_aead(struct rte_crypto_op **ops,
 	return 0;
 }
 
+static struct rte_cryptodev_sym_session *
+create_ipsec_session(struct rte_mempool *sess_mp,
+		struct rte_mempool *priv_mp,
+		uint8_t dev_id,
+		const struct cperf_options *options,
+		const struct cperf_test_vector *test_vector,
+		uint16_t iv_offset)
+{
+	struct rte_crypto_sym_xform xform = {0};
+	struct rte_crypto_sym_xform auth_xform = {0};
+
+	if (options->aead_algo != 0) {
+		/* Setup AEAD Parameters */
+		xform.type = RTE_CRYPTO_SYM_XFORM_AEAD;
+		xform.next = NULL;
+		xform.aead.algo = options->aead_algo;
+		xform.aead.op = options->aead_op;
+		xform.aead.iv.offset = iv_offset;
+		xform.aead.key.data = test_vector->aead_key.data;
+		xform.aead.key.length = test_vector->aead_key.length;
+		xform.aead.iv.length = test_vector->aead_iv.length;
+		xform.aead.digest_length = options->digest_sz;
+		xform.aead.aad_length = options->aead_aad_sz;
+	} else if (options->cipher_algo != 0 && options->auth_algo != 0) {
+		/* Setup Cipher Parameters */
+		xform.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+		xform.next = NULL;
+		xform.cipher.algo = options->cipher_algo;
+		xform.cipher.op = options->cipher_op;
+		xform.cipher.iv.offset = iv_offset;
+		xform.cipher.iv.length = test_vector->cipher_iv.length;
+		/* cipher different than null */
+		if (options->cipher_algo != RTE_CRYPTO_CIPHER_NULL) {
+			xform.cipher.key.data = test_vector->cipher_key.data;
+			xform.cipher.key.length =
+				test_vector->cipher_key.length;
+		} else {
+			xform.cipher.key.data = NULL;
+			xform.cipher.key.length = 0;
+		}
+
+		/* Setup Auth Parameters */
+		auth_xform.type = RTE_CRYPTO_SYM_XFORM_AUTH;
+		auth_xform.next = NULL;
+		auth_xform.auth.algo = options->auth_algo;
+		auth_xform.auth.op = options->auth_op;
+		auth_xform.auth.iv.offset = iv_offset +
+				xform.cipher.iv.length;
+		/* auth different than null */
+		if (options->auth_algo != RTE_CRYPTO_AUTH_NULL) {
+			auth_xform.auth.digest_length = options->digest_sz;
+			auth_xform.auth.key.length =
+						test_vector->auth_key.length;
+			auth_xform.auth.key.data = test_vector->auth_key.data;
+			auth_xform.auth.iv.length = test_vector->auth_iv.length;
+		} else {
+			auth_xform.auth.digest_length = 0;
+			auth_xform.auth.key.length = 0;
+			auth_xform.auth.key.data = NULL;
+			auth_xform.auth.iv.length = 0;
+		}
+
+		xform.next = &auth_xform;
+	} else {
+		return NULL;
+	}
+
+#define CPERF_IPSEC_SRC_IP	0x01010101
+#define CPERF_IPSEC_DST_IP	0x02020202
+#define CPERF_IPSEC_SALT	0x0
+#define CPERF_IPSEC_DEFTTL	64
+	struct rte_security_ipsec_tunnel_param tunnel = {
+		.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		{.ipv4 = {
+			.src_ip = { .s_addr = CPERF_IPSEC_SRC_IP},
+			.dst_ip = { .s_addr = CPERF_IPSEC_DST_IP},
+			.dscp = 0,
+			.df = 0,
+			.ttl = CPERF_IPSEC_DEFTTL,
+		} },
+	};
+	struct rte_security_session_conf sess_conf = {
+		.action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		{.ipsec = {
+			.spi = rte_lcore_id(),
+			/**< For testing sake, lcore_id is taken as SPI so that
+			 * for every core a different session is created.
+			 */
+			.salt = CPERF_IPSEC_SALT,
+			.options = { 0 },
+			.replay_win_sz = 0,
+			.direction =
+				((options->cipher_op ==
+					RTE_CRYPTO_CIPHER_OP_ENCRYPT) &&
+				(options->auth_op ==
+					RTE_CRYPTO_AUTH_OP_GENERATE)) ||
+				(options->aead_op ==
+					RTE_CRYPTO_AEAD_OP_ENCRYPT) ?
+				RTE_SECURITY_IPSEC_SA_DIR_EGRESS :
+				RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+			.tunnel = tunnel,
+		} },
+		.userdata = NULL,
+		.crypto_xform = &xform
+	};
+
+	struct rte_security_ctx *ctx = (struct rte_security_ctx *)
+				rte_cryptodev_get_sec_ctx(dev_id);
+
+	/* Create security session */
+	return (void *)rte_security_session_create(ctx,
+				&sess_conf, sess_mp, priv_mp);
+}
+
 static struct rte_cryptodev_sym_session *
 cperf_create_session(struct rte_mempool *sess_mp,
 	struct rte_mempool *priv_mp,
@@ -675,6 +798,12 @@ cperf_create_session(struct rte_mempool *sess_mp,
 		return (void *)rte_security_session_create(ctx,
 					&sess_conf, sess_mp, priv_mp);
 	}
+
+	if (options->op_type == CPERF_IPSEC) {
+		return create_ipsec_session(sess_mp, priv_mp, dev_id,
+				options, test_vector, iv_offset);
+	}
+
 	if (options->op_type == CPERF_DOCSIS) {
 		enum rte_security_docsis_direction direction;
 
@@ -872,44 +1001,40 @@ cperf_get_op_functions(const struct cperf_options *options,
 
 	op_fns->sess_create = cperf_create_session;
 
-	if (options->op_type == CPERF_ASYM_MODEX) {
-		op_fns->populate_ops = cperf_set_ops_asym;
-		return 0;
-	}
-
-	if (options->op_type == CPERF_AEAD) {
+	switch (options->op_type) {
+	case CPERF_AEAD:
 		op_fns->populate_ops = cperf_set_ops_aead;
-		return 0;
-	}
+		break;
 
-	if (options->op_type == CPERF_AUTH_THEN_CIPHER
-			|| options->op_type == CPERF_CIPHER_THEN_AUTH) {
+	case CPERF_AUTH_THEN_CIPHER:
+	case CPERF_CIPHER_THEN_AUTH:
 		op_fns->populate_ops = cperf_set_ops_cipher_auth;
-		return 0;
-	}
-	if (options->op_type == CPERF_AUTH_ONLY) {
+		break;
+	case CPERF_AUTH_ONLY:
 		if (options->auth_algo == RTE_CRYPTO_AUTH_NULL)
 			op_fns->populate_ops = cperf_set_ops_null_auth;
 		else
 			op_fns->populate_ops = cperf_set_ops_auth;
-		return 0;
-	}
-	if (options->op_type == CPERF_CIPHER_ONLY) {
+		break;
+	case CPERF_CIPHER_ONLY:
 		if (options->cipher_algo == RTE_CRYPTO_CIPHER_NULL)
 			op_fns->populate_ops = cperf_set_ops_null_cipher;
 		else
 			op_fns->populate_ops = cperf_set_ops_cipher;
-		return 0;
-	}
+		break;
+	case CPERF_ASYM_MODEX:
+		op_fns->populate_ops = cperf_set_ops_asym;
+		break;
 #ifdef RTE_LIB_SECURITY
-	if (options->op_type == CPERF_PDCP) {
+	case CPERF_PDCP:
+	case CPERF_IPSEC:
+	case CPERF_DOCSIS:
 		op_fns->populate_ops = cperf_set_ops_security;
-		return 0;
-	}
-	if (options->op_type == CPERF_DOCSIS) {
-		op_fns->populate_ops = cperf_set_ops_security;
-		return 0;
-	}
+		break;
 #endif
-	return -1;
+	default:
+		return -1;
+	}
+
+	return 0;
 }
diff --git a/app/test-crypto-perf/cperf_options.h b/app/test-crypto-perf/cperf_options.h
index f5ea2b90a5..031b238b20 100644
--- a/app/test-crypto-perf/cperf_options.h
+++ b/app/test-crypto-perf/cperf_options.h
@@ -80,6 +80,7 @@ enum cperf_op_type {
 	CPERF_AEAD,
 	CPERF_PDCP,
 	CPERF_DOCSIS,
+	CPERF_IPSEC,
 	CPERF_ASYM_MODEX
 };
 
diff --git a/app/test-crypto-perf/cperf_options_parsing.c b/app/test-crypto-perf/cperf_options_parsing.c
index fcff187257..63a82c7938 100644
--- a/app/test-crypto-perf/cperf_options_parsing.c
+++ b/app/test-crypto-perf/cperf_options_parsing.c
@@ -458,6 +458,10 @@ parse_op_type(struct cperf_options *opts, const char *arg)
 			cperf_op_type_strs[CPERF_DOCSIS],
 			CPERF_DOCSIS
 		},
+		{
+			cperf_op_type_strs[CPERF_IPSEC],
+			CPERF_IPSEC
+		},
 		{
 			cperf_op_type_strs[CPERF_ASYM_MODEX],
 			CPERF_ASYM_MODEX
diff --git a/app/test-crypto-perf/cperf_test_throughput.c b/app/test-crypto-perf/cperf_test_throughput.c
index 76fcda47ff..ca65c3c883 100644
--- a/app/test-crypto-perf/cperf_test_throughput.c
+++ b/app/test-crypto-perf/cperf_test_throughput.c
@@ -42,7 +42,8 @@ cperf_throughput_test_free(struct cperf_throughput_ctx *ctx)
 		}
 #ifdef RTE_LIB_SECURITY
 		else if (ctx->options->op_type == CPERF_PDCP ||
-			 ctx->options->op_type == CPERF_DOCSIS) {
+			 ctx->options->op_type == CPERF_DOCSIS ||
+			 ctx->options->op_type == CPERF_IPSEC) {
 			struct rte_security_ctx *sec_ctx =
 				(struct rte_security_ctx *)
 					rte_cryptodev_get_sec_ctx(ctx->dev_id);
diff --git a/app/test-crypto-perf/cperf_test_vectors.c b/app/test-crypto-perf/cperf_test_vectors.c
index 4bba405961..e944583089 100644
--- a/app/test-crypto-perf/cperf_test_vectors.c
+++ b/app/test-crypto-perf/cperf_test_vectors.c
@@ -448,7 +448,8 @@ cperf_test_vector_get_dummy(struct cperf_options *options)
 		t_vec->modex.elen = sizeof(perf_mod_e);
 	}
 
-	if (options->op_type ==	CPERF_PDCP) {
+	if (options->op_type ==	CPERF_PDCP ||
+			options->op_type == CPERF_IPSEC) {
 		if (options->cipher_algo == RTE_CRYPTO_CIPHER_NULL) {
 			t_vec->cipher_key.length = 0;
 			t_vec->ciphertext.data = plaintext;
@@ -579,7 +580,8 @@ cperf_test_vector_get_dummy(struct cperf_options *options)
 		t_vec->auth_iv.length = options->auth_iv_sz;
 	}
 
-	if (options->op_type == CPERF_AEAD) {
+	if (options->op_type == CPERF_AEAD ||
+			options->op_type == CPERF_IPSEC) {
 		t_vec->aead_key.length = options->aead_key_sz;
 		t_vec->aead_key.data = aead_key;
 
diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
index 390380898e..6fdb92fb7c 100644
--- a/app/test-crypto-perf/main.c
+++ b/app/test-crypto-perf/main.c
@@ -41,6 +41,7 @@ const char *cperf_op_type_strs[] = {
 	[CPERF_AEAD] = "aead",
 	[CPERF_PDCP] = "pdcp",
 	[CPERF_DOCSIS] = "docsis",
+	[CPERF_IPSEC] = "ipsec",
 	[CPERF_ASYM_MODEX] = "modex"
 };
 
@@ -278,9 +279,9 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
 			/* Fall through */
 		case CPERF_PDCP:
 		case CPERF_DOCSIS:
+		case CPERF_IPSEC:
 			/* Fall through */
 		default:
-
 			conf.ff_disable |= RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO;
 		}
 
-- 
2.25.1

