[dpdk-dev] [PATCH v4 0/3] add SA config option for inner pkt csum

[dpdk-dev] [PATCH v4 0/3] add SA config option for inner pkt csum

[Archana Muniganti]

Add inner packet IPv4 hdr and L4 checksum enable options
in conf. These will be used in case of protocol offload.
Per SA, application could specify whether the
checksum(compute/verify) can be offloaded to security device.

Changes in v4:
- Rebased to ToT
- Added documentation for per packet checksum(comment from Konstantin)

Changes in v3:
- Removed code unrelated to this series.

Changes in v2:
- Fixed release notes
- Added feature flag in default.ini and cn10k.ini
- Fixed test patch subject

Archana Muniganti (3):
  security: add SA config option for inner pkt csum
  crypto/cnxk: add inner checksum
  test/crypto: add inner checksum cases

 app/test/test_cryptodev.c                     |  34 +++
 app/test/test_cryptodev_security_ipsec.c      | 195 ++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h      |   2 +
 ...st_cryptodev_security_ipsec_test_vectors.h |   6 +
 doc/guides/cryptodevs/features/cn10k.ini      |   1 +
 doc/guides/cryptodevs/features/default.ini    |   1 +
 doc/guides/rel_notes/deprecation.rst          |   4 +-
 doc/guides/rel_notes/release_21_11.rst        |   6 +
 drivers/crypto/cnxk/cn10k_cryptodev_ops.c     |  65 ++++--
 drivers/crypto/cnxk/cn10k_ipsec.c             |  49 ++++-
 drivers/crypto/cnxk/cn10k_ipsec.h             |   1 +
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h      |   9 +-
 drivers/crypto/cnxk/cnxk_cryptodev.c          |   3 +
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c |   2 +
 lib/cryptodev/rte_cryptodev.h                 |   2 +
 lib/security/rte_security.h                   |  31 +++
 16 files changed, 391 insertions(+), 20 deletions(-)

-- 
2.22.0

[dpdk-dev] [PATCH v4 1/3] security: add SA config option for inner pkt csum

[Archana Muniganti]

Add inner packet IPv4 hdr and L4 checksum enable options
in conf. These will be used in case of protocol offload.
Per SA, application could specify whether the
checksum(compute/verify) can be offloaded to security device.

Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
 doc/guides/cryptodevs/features/default.ini |  1 +
 doc/guides/rel_notes/deprecation.rst       |  4 +--
 doc/guides/rel_notes/release_21_11.rst     |  4 +++
 lib/cryptodev/rte_cryptodev.h              |  2 ++
 lib/security/rte_security.h                | 31 ++++++++++++++++++++++
 5 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini
index c24814de98..96d95ddc81 100644
--- a/doc/guides/cryptodevs/features/default.ini
+++ b/doc/guides/cryptodevs/features/default.ini
@@ -33,6 +33,7 @@ Non-Byte aligned data  =
 Sym raw data path API  =
 Cipher multiple data units =
 Cipher wrapped key     =
+Inner checksum         =
 
 ;
 ; Supported crypto algorithms of a default crypto driver.
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 05fc2fdee7..8308e00ed4 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -232,8 +232,8 @@ Deprecation Notices
   IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number).
 
 * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options``
-  will be updated with new fields to support new features like IPsec inner
-  checksum, TSO in case of protocol offload.
+  will be updated with new fields to support new features like TSO in case of
+  protocol offload.
 
 * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
   ``hdr_l3_len`` to configure tunnel L3 header length.
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 3ade7fe5ac..5480f05a99 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -196,6 +196,10 @@ ABI Changes
   ``rte_security_ipsec_xform`` to allow applications to configure SA soft
   and hard expiry limits. Limits can be either in number of packets or bytes.
 
+* security: The new options ``ip_csum_enable`` and ``l4_csum_enable`` were added
+  in structure ``rte_security_ipsec_sa_options`` to indicate whether inner
+  packet IPv4 header checksum and L4 checksum need to be offloaded to
+  security device.
 
 Known Issues
 ------------
diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
index bb01f0f195..d9271a6c45 100644
--- a/lib/cryptodev/rte_cryptodev.h
+++ b/lib/cryptodev/rte_cryptodev.h
@@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum,
 /**< Support operations on multiple data-units message */
 #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY		(1ULL << 26)
 /**< Support wrapped key in cipher xform  */
+#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM		(1ULL << 27)
+/**< Support inner checksum computation/verification */
 
 /**
  * Get the name of a crypto device feature flag
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index ab1a6e1f65..0c5636377e 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -230,6 +230,37 @@ struct rte_security_ipsec_sa_options {
 	 * * 0: Do not match UDP ports
 	 */
 	uint32_t udp_ports_verify : 1;
+
+	/** Compute/verify inner packet IPv4 header checksum in tunnel mode
+	 *
+	 * * 1: For outbound, compute inner packet IPv4 header checksum
+	 *      before tunnel encapsulation and for inbound, verify after
+	 *      tunnel decapsulation.
+	 * * 0: Inner packet IP header checksum is not computed/verified.
+	 *
+	 * The checksum verification status would be set in mbuf using
+	 * PKT_RX_IP_CKSUM_xxx flags.
+	 *
+	 * Inner IP checksum computation can also be enabled(per operation)
+	 * by setting the flag PKT_TX_IP_CKSUM in mbuf.
+	 */
+	uint32_t ip_csum_enable : 1;
+
+	/** Compute/verify inner packet L4 checksum in tunnel mode
+	 *
+	 * * 1: For outbound, compute inner packet L4 checksum before
+	 *      tunnel encapsulation and for inbound, verify after
+	 *      tunnel decapsulation.
+	 * * 0: Inner packet L4 checksum is not computed/verified.
+	 *
+	 * The checksum verification status would be set in mbuf using
+	 * PKT_RX_L4_CKSUM_xxx flags.
+	 *
+	 * Inner L4 checksum computation can also be enabled(per operation)
+	 * by setting the flags PKT_TX_TCP_CKSUM or PKT_TX_SCTP_CKSUM or
+	 * PKT_TX_UDP_CKSUM or PKT_TX_L4_MASK in mbuf.
+	 */
+	uint32_t l4_csum_enable : 1;
 };
 
 /** IPSec security association direction */
-- 
2.22.0

[dpdk-dev] [PATCH v4 2/3] crypto/cnxk: add inner checksum

[Archana Muniganti]

Add inner checksum support for cn10k.

Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
 doc/guides/cryptodevs/features/cn10k.ini      |  1 +
 doc/guides/rel_notes/release_21_11.rst        |  1 +
 drivers/crypto/cnxk/cn10k_cryptodev_ops.c     | 65 +++++++++++++++----
 drivers/crypto/cnxk/cn10k_ipsec.c             | 49 +++++++++++++-
 drivers/crypto/cnxk/cn10k_ipsec.h             |  1 +
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h      |  9 ++-
 drivers/crypto/cnxk/cnxk_cryptodev.c          |  3 +
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c |  2 +
 8 files changed, 113 insertions(+), 18 deletions(-)

diff --git a/doc/guides/cryptodevs/features/cn10k.ini b/doc/guides/cryptodevs/features/cn10k.ini
index f5552feca3..9d08bd5c04 100644
--- a/doc/guides/cryptodevs/features/cn10k.ini
+++ b/doc/guides/cryptodevs/features/cn10k.ini
@@ -15,6 +15,7 @@ OOP SGL In SGL Out     = Y
 OOP LB  In LB  Out     = Y
 Symmetric sessionless  = Y
 Digest encrypted       = Y
+Inner checksum         = Y
 
 ;
 ; Supported crypto algorithms of 'cn10k' crypto driver.
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 5480f05a99..576bc01a87 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -73,6 +73,7 @@ New Features
   * Added UDP encapsulation support in lookaside protocol (IPsec) for CN10K.
   * Added support for lookaside protocol (IPsec) offload for CN9K.
   * Added support for ZUC algorithm with 256 bit key length for CN10K.
+  * Added inner checksum support in lookaside protocol (IPsec) for CN10K.
 
 * **Added support for event crypto adapter on Marvell CN10K and CN9K.**
 
diff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
index 3caf05aab9..c25c8e67b2 100644
--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c
@@ -50,7 +50,7 @@ cn10k_cpt_sym_temp_sess_create(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op)
 
 static __rte_always_inline int __rte_hot
 cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
-		  struct cpt_inst_s *inst)
+		  struct cpt_inflight_req *infl_req, struct cpt_inst_s *inst)
 {
 	struct rte_crypto_sym_op *sym_op = op->sym;
 	union roc_ot_ipsec_sa_word2 *w2;
@@ -72,8 +72,10 @@ cpt_sec_inst_fill(struct rte_crypto_op *op, struct cn10k_sec_session *sess,
 
 	if (w2->s.dir == ROC_IE_SA_DIR_OUTBOUND)
 		ret = process_outb_sa(op, sa, inst);
-	else
+	else {
+		infl_req->op_flags |= CPT_OP_FLAGS_IPSEC_DIR_INBOUND;
 		ret = process_inb_sa(op, sa, inst);
+	}
 
 	return ret;
 }
@@ -122,7 +124,8 @@ cn10k_cpt_fill_inst(struct cnxk_cpt_qp *qp, struct rte_crypto_op *ops[],
 		if (op->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
 			sec_sess = get_sec_session_private_data(
 				sym_op->sec_session);
-			ret = cpt_sec_inst_fill(op, sec_sess, &inst[0]);
+			ret = cpt_sec_inst_fill(op, sec_sess, infl_req,
+						&inst[0]);
 			if (unlikely(ret))
 				return 0;
 			w7 = sec_sess->sa.inst.w7;
@@ -342,6 +345,49 @@ cn10k_cpt_sec_post_process(struct rte_crypto_op *cop,
 	m->pkt_len = m_len;
 }
 
+static inline void
+cn10k_cpt_sec_ucc_process(struct rte_crypto_op *cop,
+			  struct cpt_inflight_req *infl_req,
+			  const uint8_t uc_compcode)
+{
+	struct cn10k_sec_session *sess;
+	struct cn10k_ipsec_sa *sa;
+	struct rte_mbuf *mbuf;
+
+	if (uc_compcode == ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST)
+		cop->aux_flags = RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
+
+	if (!(infl_req->op_flags & CPT_OP_FLAGS_IPSEC_DIR_INBOUND))
+		return;
+
+	sess = get_sec_session_private_data(cop->sym->sec_session);
+	sa = &sess->sa;
+
+	mbuf = cop->sym->m_src;
+
+	switch (uc_compcode) {
+	case ROC_IE_OT_UCC_SUCCESS:
+		if (sa->ip_csum_enable)
+			mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+		break;
+	case ROC_IE_OT_UCC_SUCCESS_PKT_IP_BADCSUM:
+		mbuf->ol_flags |= PKT_RX_IP_CKSUM_BAD;
+		break;
+	case ROC_IE_OT_UCC_SUCCESS_PKT_L4_GOODCSUM:
+		mbuf->ol_flags |= PKT_RX_L4_CKSUM_GOOD;
+		if (sa->ip_csum_enable)
+			mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+		break;
+	case ROC_IE_OT_UCC_SUCCESS_PKT_L4_BADCSUM:
+		mbuf->ol_flags |= PKT_RX_L4_CKSUM_BAD;
+		if (sa->ip_csum_enable)
+			mbuf->ol_flags |= PKT_RX_IP_CKSUM_GOOD;
+		break;
+	default:
+		break;
+	}
+}
+
 static inline void
 cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
 			       struct rte_crypto_op *cop,
@@ -357,17 +403,8 @@ cn10k_cpt_dequeue_post_process(struct cnxk_cpt_qp *qp,
 	if (cop->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
 	    cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
 		if (likely(compcode == CPT_COMP_WARN)) {
-			if (unlikely(uc_compcode != ROC_IE_OT_UCC_SUCCESS)) {
-				/* Success with additional info */
-				switch (uc_compcode) {
-				case ROC_IE_OT_UCC_SUCCESS_SA_SOFTEXP_FIRST:
-					cop->aux_flags =
-						RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY;
-					break;
-				default:
-					break;
-				}
-			}
+			/* Success with additional info */
+			cn10k_cpt_sec_ucc_process(cop, infl_req, uc_compcode);
 			cn10k_cpt_sec_post_process(cop, res);
 		} else {
 			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index ebb2a7ec48..defc792aa8 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -37,6 +37,7 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
 			   struct rte_crypto_sym_xform *crypto_xfrm,
 			   struct rte_security_session *sec_sess)
 {
+	union roc_ot_ipsec_outb_param1 param1;
 	struct roc_ot_ipsec_outb_sa *out_sa;
 	struct cnxk_ipsec_outb_rlens rlens;
 	struct cn10k_sec_session *sess;
@@ -83,7 +84,27 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt,
 	/* pre-populate CPT INST word 4 */
 	inst_w4.u64 = 0;
 	inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;
-	inst_w4.s.param1 = 0;
+
+	param1.u16 = 0;
+
+	/* Disable IP checksum computation by default */
+	param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
+
+	if (ipsec_xfrm->options.ip_csum_enable) {
+		param1.s.ip_csum_disable =
+			ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
+	}
+
+	/* Disable L4 checksum computation by default */
+	param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
+
+	if (ipsec_xfrm->options.l4_csum_enable) {
+		param1.s.l4_csum_disable =
+			ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
+	}
+
+	inst_w4.s.param1 = param1.u16;
+
 	sa->inst.w4 = inst_w4.u64;
 
 	return 0;
@@ -95,6 +116,7 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
 			  struct rte_crypto_sym_xform *crypto_xfrm,
 			  struct rte_security_session *sec_sess)
 {
+	union roc_ot_ipsec_inb_param1 param1;
 	struct roc_ot_ipsec_inb_sa *in_sa;
 	struct cn10k_sec_session *sess;
 	struct cn10k_ipsec_sa *sa;
@@ -121,8 +143,29 @@ cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt,
 	inst_w4.u64 = 0;
 	inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC;
 
-	/* Disable checksum verification for now */
-	inst_w4.s.param1 = 7;
+	param1.u16 = 0;
+
+	/* Disable IP checksum verification by default */
+	param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
+
+	if (ipsec_xfrm->options.ip_csum_enable) {
+		param1.s.ip_csum_disable =
+			ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
+		sa->ip_csum_enable = true;
+	}
+
+	/* Disable L4 checksum verification by default */
+	param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
+
+	if (ipsec_xfrm->options.l4_csum_enable) {
+		param1.s.l4_csum_disable =
+			ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
+	}
+
+	param1.s.esp_trailer_disable = 1;
+
+	inst_w4.s.param1 = param1.u16;
+
 	sa->inst.w4 = inst_w4.u64;
 
 	return 0;
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.h b/drivers/crypto/cnxk/cn10k_ipsec.h
index 6f974b716d..86cd2483f5 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec.h
@@ -23,6 +23,7 @@ struct cn10k_ipsec_sa {
 	uint16_t max_extended_len;
 	uint16_t iv_offset;
 	uint8_t iv_length;
+	bool ip_csum_enable;
 };
 
 struct cn10k_sec_session {
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index 862476a72e..df1b0a3678 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -53,6 +53,7 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
 {
 	struct rte_crypto_sym_op *sym_op = cop->sym;
 	struct rte_mbuf *m_src = sym_op->m_src;
+	uint64_t inst_w4_u64 = sess->inst.w4;
 
 	if (unlikely(rte_pktmbuf_tailroom(m_src) < sess->max_extended_len)) {
 		plt_dp_err("Not enough tail room");
@@ -68,8 +69,14 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn10k_ipsec_sa *sess,
 	}
 #endif
 
+	if (m_src->ol_flags & PKT_TX_IP_CKSUM)
+		inst_w4_u64 &= ~BIT_ULL(33);
+
+	if (m_src->ol_flags & PKT_TX_L4_MASK)
+		inst_w4_u64 &= ~BIT_ULL(32);
+
 	/* Prepare CPT instruction */
-	inst->w4.u64 = sess->inst.w4;
+	inst->w4.u64 = inst_w4_u64;
 	inst->w4.s.dlen = rte_pktmbuf_pkt_len(m_src);
 	inst->dptr = rte_pktmbuf_iova(m_src);
 	inst->rptr = inst->dptr;
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.c b/drivers/crypto/cnxk/cnxk_cryptodev.c
index 5c7801ec48..d67de54a7b 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.c
@@ -24,6 +24,9 @@ cnxk_cpt_default_ff_get(void)
 		      RTE_CRYPTODEV_FF_DIGEST_ENCRYPTED |
 		      RTE_CRYPTODEV_FF_SECURITY;
 
+	if (roc_model_is_cn10k())
+		ff |= RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM;
+
 	return ff;
 }
 
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 34eb441ab3..a227e6981c 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -961,6 +961,8 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
 			sec_cap->ipsec.options.tunnel_hdr_verify =
 				RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
 	}
+	sec_cap->ipsec.options.ip_csum_enable = 1;
+	sec_cap->ipsec.options.l4_csum_enable = 1;
 }
 
 static void
-- 
2.22.0

[dpdk-dev] [PATCH v4 3/3] test/crypto: add inner checksum cases

[Archana Muniganti]

This patch adds tests for inner IP and inner L4 checksum
in IPsec mode.

Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
 app/test/test_cryptodev.c                     |  34 +++
 app/test/test_cryptodev_security_ipsec.c      | 195 ++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h      |   2 +
 ...st_cryptodev_security_ipsec_test_vectors.h |   6 +
 doc/guides/rel_notes/release_21_11.rst        |   1 +
 5 files changed, 238 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index e6ceeb487f..65b64e1af0 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -18,6 +18,8 @@
 #include <rte_cryptodev.h>
 #include <rte_ip.h>
 #include <rte_string_fns.h>
+#include <rte_tcp.h>
+#include <rte_udp.h>
 
 #ifdef RTE_CRYPTO_SCHEDULER
 #include <rte_cryptodev_scheduler.h>
@@ -9299,6 +9301,30 @@ test_ipsec_proto_udp_ports_verify(const void *data __rte_unused)
 	return test_ipsec_proto_all(&flags);
 }
 
+static int
+test_ipsec_proto_inner_ip_csum(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.ip_csum = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_inner_l4_csum(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.l4_csum = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
 static int
 test_PDCP_PROTO_all(void)
 {
@@ -14255,6 +14281,14 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Tunnel src and dst addr verification",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_tunnel_src_dst_addr_verify),
+		TEST_CASE_NAMED_ST(
+			"Inner IP checksum",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_inner_ip_csum),
+		TEST_CASE_NAMED_ST(
+			"Inner L4 checksum",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_inner_l4_csum),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 764e77bbff..bcd9746c98 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -7,6 +7,7 @@
 #include <rte_esp.h>
 #include <rte_ip.h>
 #include <rte_security.h>
+#include <rte_tcp.h>
 #include <rte_udp.h>
 
 #include "test.h"
@@ -103,6 +104,22 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 		return -ENOTSUP;
 	}
 
+	if (ipsec_xform->options.ip_csum_enable == 1 &&
+	    sec_cap->ipsec.options.ip_csum_enable == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1,
+				"Inner IP checksum is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.l4_csum_enable == 1 &&
+	    sec_cap->ipsec.options.l4_csum_enable == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1,
+				"Inner L4 checksum is not supported\n");
+		return -ENOTSUP;
+	}
+
 	return 0;
 }
 
@@ -160,6 +177,56 @@ test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 	}
 }
 
+static bool
+is_ipv4(void *ip)
+{
+	struct rte_ipv4_hdr *ipv4 = ip;
+	uint8_t ip_ver;
+
+	ip_ver = (ipv4->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER;
+	if (ip_ver == IPVERSION)
+		return true;
+	else
+		return false;
+}
+
+static void
+test_ipsec_csum_init(void *ip, bool l3, bool l4)
+{
+	struct rte_ipv4_hdr *ipv4;
+	struct rte_tcp_hdr *tcp;
+	struct rte_udp_hdr *udp;
+	uint8_t next_proto;
+	uint8_t size;
+
+	if (is_ipv4(ip)) {
+		ipv4 = ip;
+		size = sizeof(struct rte_ipv4_hdr);
+		next_proto = ipv4->next_proto_id;
+
+		if (l3)
+			ipv4->hdr_checksum = 0;
+	} else {
+		size = sizeof(struct rte_ipv6_hdr);
+		next_proto = ((struct rte_ipv6_hdr *)ip)->proto;
+	}
+
+	if (l4) {
+		switch (next_proto) {
+		case IPPROTO_TCP:
+			tcp = (struct rte_tcp_hdr *)RTE_PTR_ADD(ip, size);
+			tcp->cksum = 0;
+			break;
+		case IPPROTO_UDP:
+			udp = (struct rte_udp_hdr *)RTE_PTR_ADD(ip, size);
+			udp->dgram_cksum = 0;
+			break;
+		default:
+			return;
+		}
+	}
+}
+
 void
 test_ipsec_td_prepare(const struct crypto_param *param1,
 		      const struct crypto_param *param2,
@@ -194,6 +261,17 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
 		if (flags->sa_expiry_pkts_soft)
 			td->ipsec_xform.life.packets_soft_limit =
 					IPSEC_TEST_PACKETS_MAX - 1;
+
+		if (flags->ip_csum) {
+			td->ipsec_xform.options.ip_csum_enable = 1;
+			test_ipsec_csum_init(&td->input_text.data, true, false);
+		}
+
+		if (flags->l4_csum) {
+			td->ipsec_xform.options.l4_csum_enable = 1;
+			test_ipsec_csum_init(&td->input_text.data, false, true);
+		}
+
 	}
 
 	RTE_SET_USED(param2);
@@ -230,6 +308,12 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
 		td_inb[i].ipsec_xform.options.tunnel_hdr_verify =
 			flags->tunnel_hdr_verify;
 
+		if (flags->ip_csum)
+			td_inb[i].ipsec_xform.options.ip_csum_enable = 1;
+
+		if (flags->l4_csum)
+			td_inb[i].ipsec_xform.options.l4_csum_enable = 1;
+
 		/* Clear outbound specific flags */
 		td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
 	}
@@ -305,12 +389,96 @@ test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td)
 	return TEST_SUCCESS;
 }
 
+static int
+test_ipsec_l3_csum_verify(struct rte_mbuf *m)
+{
+	uint16_t actual_cksum, expected_cksum;
+	struct rte_ipv4_hdr *ip;
+
+	ip = rte_pktmbuf_mtod(m, struct rte_ipv4_hdr *);
+
+	if (!is_ipv4((void *)ip))
+		return TEST_SKIPPED;
+
+	actual_cksum = ip->hdr_checksum;
+
+	ip->hdr_checksum = 0;
+
+	expected_cksum = rte_ipv4_cksum(ip);
+
+	if (actual_cksum != expected_cksum)
+		return TEST_FAILED;
+
+	return TEST_SUCCESS;
+}
+
+static int
+test_ipsec_l4_csum_verify(struct rte_mbuf *m)
+{
+	uint16_t actual_cksum = 0, expected_cksum = 0;
+	struct rte_ipv4_hdr *ipv4;
+	struct rte_ipv6_hdr *ipv6;
+	struct rte_tcp_hdr *tcp;
+	struct rte_udp_hdr *udp;
+	void *ip, *l4;
+
+	ip = rte_pktmbuf_mtod(m, void *);
+
+	if (is_ipv4(ip)) {
+		ipv4 = ip;
+		l4 = RTE_PTR_ADD(ipv4, sizeof(struct rte_ipv4_hdr));
+
+		switch (ipv4->next_proto_id) {
+		case IPPROTO_TCP:
+			tcp = (struct rte_tcp_hdr *)l4;
+			actual_cksum = tcp->cksum;
+			tcp->cksum = 0;
+			expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4);
+			break;
+		case IPPROTO_UDP:
+			udp = (struct rte_udp_hdr *)l4;
+			actual_cksum = udp->dgram_cksum;
+			udp->dgram_cksum = 0;
+			expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4);
+			break;
+		default:
+			break;
+		}
+	} else {
+		ipv6 = ip;
+		l4 = RTE_PTR_ADD(ipv6, sizeof(struct rte_ipv6_hdr));
+
+		switch (ipv6->proto) {
+		case IPPROTO_TCP:
+			tcp = (struct rte_tcp_hdr *)l4;
+			actual_cksum = tcp->cksum;
+			tcp->cksum = 0;
+			expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4);
+			break;
+		case IPPROTO_UDP:
+			udp = (struct rte_udp_hdr *)l4;
+			actual_cksum = udp->dgram_cksum;
+			udp->dgram_cksum = 0;
+			expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4);
+			break;
+		default:
+			break;
+		}
+	}
+
+	if (actual_cksum != expected_cksum)
+		return TEST_FAILED;
+
+	return TEST_SUCCESS;
+}
+
 static int
 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		     bool silent, const struct ipsec_test_flags *flags)
 {
 	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
+	int ret;
 
 	/* For tests with status as error for test success, skip verification */
 	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
@@ -354,6 +522,33 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	len -= skip;
 	output_text += skip;
 
+	if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+				flags->ip_csum) {
+		if (m->ol_flags & PKT_RX_IP_CKSUM_GOOD)
+			ret = test_ipsec_l3_csum_verify(m);
+		else
+			ret = TEST_FAILED;
+
+		if (ret == TEST_FAILED)
+			printf("Inner IP checksum test failed\n");
+
+		return ret;
+	}
+
+	if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+				flags->l4_csum) {
+		if (m->ol_flags & PKT_RX_L4_CKSUM_GOOD)
+			ret = test_ipsec_l4_csum_verify(m);
+		else
+			ret = TEST_FAILED;
+
+		if (ret == TEST_FAILED)
+			printf("Inner L4 checksum test failed\n");
+
+		return ret;
+	}
+
+
 	if (memcmp(output_text, td->output_text.data + skip, len)) {
 		if (silent)
 			return TEST_FAILED;
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 0416005520..7628d0c42a 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -56,6 +56,8 @@ struct ipsec_test_flags {
 	uint32_t tunnel_hdr_verify;
 	bool udp_encap;
 	bool udp_ports_verify;
+	bool ip_csum;
+	bool l4_csum;
 };
 
 struct crypto_param {
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
index 4e147ec19c..bb95d00641 100644
--- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -95,6 +95,8 @@ struct ipsec_test_data pkt_aes_128_gcm = {
 		.options.ecn = 0,
 		.options.stats = 0,
 		.options.tunnel_hdr_verify = 0,
+		.options.ip_csum_enable = 0,
+		.options.l4_csum_enable = 0,
 		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
 		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -192,6 +194,8 @@ struct ipsec_test_data pkt_aes_192_gcm = {
 		.options.ecn = 0,
 		.options.stats = 0,
 		.options.tunnel_hdr_verify = 0,
+		.options.ip_csum_enable = 0,
+		.options.l4_csum_enable = 0,
 		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
 		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -292,6 +296,8 @@ struct ipsec_test_data pkt_aes_256_gcm = {
 		.options.ecn = 0,
 		.options.stats = 0,
 		.options.tunnel_hdr_verify = 0,
+		.options.ip_csum_enable = 0,
+		.options.l4_csum_enable = 0,
 		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
 		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 576bc01a87..8d1752ef39 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -108,6 +108,7 @@ New Features
   * Added tests to validate packets soft expiry.
   * Added tests to validate packets hard expiry.
   * Added tests to verify tunnel header verification in IPsec inbound.
+  * Added tests to verify inner checksum.
 
 
 Removed Items
-- 
2.22.0

Re: [dpdk-dev] [PATCH v4 1/3] security: add SA config option for inner pkt csum

[Ananyev, Konstantin]

> 
> Add inner packet IPv4 hdr and L4 checksum enable options
> in conf. These will be used in case of protocol offload.
> Per SA, application could specify whether the
> checksum(compute/verify) can be offloaded to security device.
> 
> Signed-off-by: Archana Muniganti <marchana@marvell.com>
> ---
>  doc/guides/cryptodevs/features/default.ini |  1 +
>  doc/guides/rel_notes/deprecation.rst       |  4 +--
>  doc/guides/rel_notes/release_21_11.rst     |  4 +++
>  lib/cryptodev/rte_cryptodev.h              |  2 ++
>  lib/security/rte_security.h                | 31 ++++++++++++++++++++++
>  5 files changed, 40 insertions(+), 2 deletions(-)
> 
> diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini
> index c24814de98..96d95ddc81 100644
> --- a/doc/guides/cryptodevs/features/default.ini
> +++ b/doc/guides/cryptodevs/features/default.ini
> @@ -33,6 +33,7 @@ Non-Byte aligned data  =
>  Sym raw data path API  =
>  Cipher multiple data units =
>  Cipher wrapped key     =
> +Inner checksum         =
> 
>  ;
>  ; Supported crypto algorithms of a default crypto driver.
> diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
> index 05fc2fdee7..8308e00ed4 100644
> --- a/doc/guides/rel_notes/deprecation.rst
> +++ b/doc/guides/rel_notes/deprecation.rst
> @@ -232,8 +232,8 @@ Deprecation Notices
>    IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number).
> 
>  * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options``
> -  will be updated with new fields to support new features like IPsec inner
> -  checksum, TSO in case of protocol offload.
> +  will be updated with new fields to support new features like TSO in case of
> +  protocol offload.
> 
>  * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
>    ``hdr_l3_len`` to configure tunnel L3 header length.
> diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
> index 3ade7fe5ac..5480f05a99 100644
> --- a/doc/guides/rel_notes/release_21_11.rst
> +++ b/doc/guides/rel_notes/release_21_11.rst
> @@ -196,6 +196,10 @@ ABI Changes
>    ``rte_security_ipsec_xform`` to allow applications to configure SA soft
>    and hard expiry limits. Limits can be either in number of packets or bytes.
> 
> +* security: The new options ``ip_csum_enable`` and ``l4_csum_enable`` were added
> +  in structure ``rte_security_ipsec_sa_options`` to indicate whether inner
> +  packet IPv4 header checksum and L4 checksum need to be offloaded to
> +  security device.
> 
>  Known Issues
>  ------------
> diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
> index bb01f0f195..d9271a6c45 100644
> --- a/lib/cryptodev/rte_cryptodev.h
> +++ b/lib/cryptodev/rte_cryptodev.h
> @@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum,
>  /**< Support operations on multiple data-units message */
>  #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY		(1ULL << 26)
>  /**< Support wrapped key in cipher xform  */
> +#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM		(1ULL << 27)
> +/**< Support inner checksum computation/verification */
> 
>  /**
>   * Get the name of a crypto device feature flag
> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> index ab1a6e1f65..0c5636377e 100644
> --- a/lib/security/rte_security.h
> +++ b/lib/security/rte_security.h
> @@ -230,6 +230,37 @@ struct rte_security_ipsec_sa_options {
>  	 * * 0: Do not match UDP ports
>  	 */
>  	uint32_t udp_ports_verify : 1;
> +
> +	/** Compute/verify inner packet IPv4 header checksum in tunnel mode
> +	 *
> +	 * * 1: For outbound, compute inner packet IPv4 header checksum
> +	 *      before tunnel encapsulation and for inbound, verify after
> +	 *      tunnel decapsulation.
> +	 * * 0: Inner packet IP header checksum is not computed/verified.
> +	 *
> +	 * The checksum verification status would be set in mbuf using
> +	 * PKT_RX_IP_CKSUM_xxx flags.
> +	 *
> +	 * Inner IP checksum computation can also be enabled(per operation)
> +	 * by setting the flag PKT_TX_IP_CKSUM in mbuf.
> +	 */
> +	uint32_t ip_csum_enable : 1;
> +
> +	/** Compute/verify inner packet L4 checksum in tunnel mode
> +	 *
> +	 * * 1: For outbound, compute inner packet L4 checksum before
> +	 *      tunnel encapsulation and for inbound, verify after
> +	 *      tunnel decapsulation.
> +	 * * 0: Inner packet L4 checksum is not computed/verified.
> +	 *
> +	 * The checksum verification status would be set in mbuf using
> +	 * PKT_RX_L4_CKSUM_xxx flags.
> +	 *
> +	 * Inner L4 checksum computation can also be enabled(per operation)
> +	 * by setting the flags PKT_TX_TCP_CKSUM or PKT_TX_SCTP_CKSUM or
> +	 * PKT_TX_UDP_CKSUM or PKT_TX_L4_MASK in mbuf.
> +	 */
> +	uint32_t l4_csum_enable : 1;
>  };
> 
>  /** IPSec security association direction */
> --

Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

> 2.22.0

Re: [dpdk-dev] [PATCH v4 0/3] add SA config option for inner pkt csum

[Akhil Goyal]

> Add inner packet IPv4 hdr and L4 checksum enable options
> in conf. These will be used in case of protocol offload.
> Per SA, application could specify whether the
> checksum(compute/verify) can be offloaded to security device.
> 
> Changes in v4:
> - Rebased to ToT
> - Added documentation for per packet checksum(comment from Konstantin)
> 
> Changes in v3:
> - Removed code unrelated to this series.
> 
> Changes in v2:
> - Fixed release notes
> - Added feature flag in default.ini and cn10k.ini
> - Fixed test patch subject
> 
> Archana Muniganti (3):
>   security: add SA config option for inner pkt csum
>   crypto/cnxk: add inner checksum
>   test/crypto: add inner checksum cases
Series
Acked-by: Akhil Goyal <gakhil@mavell.com>

Applied to dpdk-next-crypto

Thanks.