From: Akhil Goyal
To: Bernard Iremonger, "dev@dpdk.org", "konstantin.ananyev@intel.com"
CC: "stable@dpdk.org"
Date: Wed, 17 Apr 2019 11:51:59 +0000
Subject: Re: [dpdk-dev] [PATCH v3 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto

>
> Inline crypto installs a flow rule in the NIC. This flow
> rule must be installed before the first inbound packet is
> received.
>
> The create_session() function installs the flow rule.
>
> Refactor ipsec-secgw.c, sa.c, ipsec.h and ipsec.c to create
> sessions at startup to fix the issue of the first packet
> being dropped for inline crypto.
>
> The create_session() function is now called at initialisation in
> sa_add_rules() which is called from sa_init().
> The return code for add_rules is checked.
> Calls to create_session() in other functions are dropped.
>
> Add crypto_devid_fill() in ipsec-secgw.c
> Add max_session_size() in ipsec-secgw.c
> Add check_cryptodev_capability() in ipsec.c
> Add check_cryptodev_aead_capability() in ipsec.c
> Add create_sec_session() and create_crypto_session() in ipsec.c
>
> The crypto_dev_fill() function has been added to find the
> enabled crypto devices.
>
> The max_session_size() function has been added to calculate memory
> requirements.
>
> The check_cryptodev_capability() and check_cryptodev_aead_capability()
> functions have been added to check that the SA is supported by the
> crypto device.
>
> The create_session() function is refactored to use the
> create_sec_session() and create_crypto_session() functions.
>
> The cryprodev_init() function has been refactored to drop calls to
> rte_mempool_create() and to drop calculation of memory requirements.
>
> The main() function has been refactored to call crypto_devid_fill()
> and max_session_size() and to call session_pool_init() and
> session_priv_pool_init().
> The ports are started now before adding a flow rule in main().
> The sa_init(), sp4_init(), sp6_init() and rt_init() functions are
> now called after the ports have been started.
>
> Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
> Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application")
> Cc: stable@dpdk.org
>
> Signed-off-by: Bernard Iremonger
> ---
> examples/ipsec-secgw/ipsec-secgw.c | 271 +++++++++--------
> examples/ipsec-secgw/ipsec.c | 569 +++++++++++++++++++----------------
> examples/ipsec-secgw/ipsec.h | 10 +-
> examples/ipsec-secgw/ipsec_process.c | 38 +--
> examples/ipsec-secgw/sa.c | 42 ++-
> 5 files changed, 495 insertions(+), 435 deletions(-)
>
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-
> secgw/ipsec-secgw.c
> index ffbd00b..cc8bb57 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -182,6 +182,14 @@ struct lcore_params { > uint8_t lcore_id; > } __rte_cache_aligned; >=20 > +/* > + * Number of enabled crypto devices > + * This number is needed when checking crypto device capabilities > + */ > +uint8_t crypto_dev_num; > +/* array of crypto device ID's */ > +uint8_t crypto_devid[RTE_CRYPTO_MAX_DEVS]; > + > static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS]; >=20 > static struct lcore_params *lcore_params; > @@ -1623,13 +1631,27 @@ check_cryptodev_mask(uint8_t cdev_id) > return -1; > } >=20 > +static void > +crypto_devid_fill(void) > +{ > + uint32_t i, n; > + > + n =3D rte_cryptodev_count(); > + > + for (i =3D 0; i !=3D n; i++) { > + if (check_cryptodev_mask(i) =3D=3D 0) > + crypto_devid[crypto_dev_num++] =3D i; > + } > +} > + > static int32_t > cryptodevs_init(void) > { > struct rte_cryptodev_config dev_conf; > struct rte_cryptodev_qp_conf qp_conf; > uint16_t idx, max_nb_qps, qp, i; > - int16_t cdev_id, port_id; > + int16_t cdev_id; > + uint32_t dev_max_sess; > struct rte_hash_parameters params =3D { 0 }; >=20 > params.entries =3D CDEV_MAP_ENTRIES; 
> @@ -1652,45 +1674,6 @@ cryptodevs_init(void) >=20 > printf("lcore/cryptodev/qp mappings:\n"); >=20 > - uint32_t max_sess_sz =3D 0, sess_sz; > - for (cdev_id =3D 0; cdev_id < rte_cryptodev_count(); cdev_id++) { > - void *sec_ctx; > - > - /* Get crypto priv session size */ > - sess_sz =3D rte_cryptodev_sym_get_private_session_size(cdev_id); > - if (sess_sz > max_sess_sz) > - max_sess_sz =3D sess_sz; > - > - /* > - * If crypto device is security capable, need to check the > - * size of security session as well. > - */ > - > - /* Get security context of the crypto device */ > - sec_ctx =3D rte_cryptodev_get_sec_ctx(cdev_id); > - if (sec_ctx =3D=3D NULL) > - continue; > - > - /* Get size of security session */ > - sess_sz =3D rte_security_session_get_size(sec_ctx); > - if (sess_sz > max_sess_sz) > - max_sess_sz =3D sess_sz; > - } > - RTE_ETH_FOREACH_DEV(port_id) { > - void *sec_ctx; > - > - if ((enabled_port_mask & (1 << port_id)) =3D=3D 0) > - continue; > - > - sec_ctx =3D rte_eth_dev_get_sec_ctx(port_id); > - if (sec_ctx =3D=3D NULL) > - continue; > - > - sess_sz =3D rte_security_session_get_size(sec_ctx); > - if (sess_sz > max_sess_sz) > - max_sess_sz =3D sess_sz; > - } > - > idx =3D 0; > for (cdev_id =3D 0; cdev_id < rte_cryptodev_count(); cdev_id++) { > struct rte_cryptodev_info cdev_info; 
> @@ -1722,51 +1705,12 @@ cryptodevs_init(void) > dev_conf.socket_id =3D rte_cryptodev_socket_id(cdev_id); > dev_conf.nb_queue_pairs =3D qp; >=20 > - uint32_t dev_max_sess =3D cdev_info.sym.max_nb_sessions; > + dev_max_sess =3D cdev_info.sym.max_nb_sessions; > if (dev_max_sess !=3D 0 && dev_max_sess < CDEV_MP_NB_OBJS) > rte_exit(EXIT_FAILURE, > "Device does not support at least %u " > "sessions", CDEV_MP_NB_OBJS); >=20 > - if (!socket_ctx[dev_conf.socket_id].session_pool) { > - char mp_name[RTE_MEMPOOL_NAMESIZE]; > - struct rte_mempool *sess_mp; > - > - snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > - "sess_mp_%u", dev_conf.socket_id); > - sess_mp =3D rte_cryptodev_sym_session_pool_create( > - mp_name, CDEV_MP_NB_OBJS, > - 0, CDEV_MP_CACHE_SZ, 0, > - dev_conf.socket_id); > - socket_ctx[dev_conf.socket_id].session_pool =3D > sess_mp; > - } > - > - if (!socket_ctx[dev_conf.socket_id].session_priv_pool) { > - char mp_name[RTE_MEMPOOL_NAMESIZE]; > - struct rte_mempool *sess_mp; > - > - snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > - "sess_mp_priv_%u", > dev_conf.socket_id); > - sess_mp =3D rte_mempool_create(mp_name, > - CDEV_MP_NB_OBJS, > - max_sess_sz, > - CDEV_MP_CACHE_SZ, > - 0, NULL, NULL, NULL, > - NULL, dev_conf.socket_id, > - 0); > - socket_ctx[dev_conf.socket_id].session_priv_pool =3D > - sess_mp; > - } > - > - if (!socket_ctx[dev_conf.socket_id].session_priv_pool || > - !socket_ctx[dev_conf.socket_id].session_pool) > - rte_exit(EXIT_FAILURE, > - "Cannot create session pool on socket %d\n", > - dev_conf.socket_id); > - else > - printf("Allocated session pool on socket %d\n", > - dev_conf.socket_id); > - > if (rte_cryptodev_configure(cdev_id, &dev_conf)) > rte_panic("Failed to initialize cryptodev %u\n", > cdev_id); 
> @@ -1787,38 +1731,6 @@ cryptodevs_init(void) > cdev_id); > } >=20 > - /* create session pools for eth devices that implement security */ > - RTE_ETH_FOREACH_DEV(port_id) { > - if ((enabled_port_mask & (1 << port_id)) && > - rte_eth_dev_get_sec_ctx(port_id)) { > - int socket_id =3D rte_eth_dev_socket_id(port_id); > - > - if (!socket_ctx[socket_id].session_pool) { > - char mp_name[RTE_MEMPOOL_NAMESIZE]; > - struct rte_mempool *sess_mp; > - > - snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > - "sess_mp_%u", socket_id); > - sess_mp =3D rte_mempool_create(mp_name, > - (CDEV_MP_NB_OBJS * 2), > - max_sess_sz, > - CDEV_MP_CACHE_SZ, > - 0, NULL, NULL, NULL, > - NULL, socket_id, > - 0); > - if (sess_mp =3D=3D NULL) > - rte_exit(EXIT_FAILURE, > - "Cannot create session pool " > - "on socket %d\n", socket_id); > - else > - printf("Allocated session pool " > - "on socket %d\n", socket_id); > - socket_ctx[socket_id].session_pool =3D sess_mp; > - } > - } > - } > - > - > printf("\n"); >=20 > return 0; 
> @@ -1984,6 +1896,98 @@ port_init(uint16_t portid, uint64_t req_rx_offload= s, > uint64_t req_tx_offloads) > printf("\n"); > } >=20 > +static size_t > +max_session_size(void) > +{ > + size_t max_sz, sz; > + void *sec_ctx; > + int16_t cdev_id, port_id, n; > + > + max_sz =3D 0; > + n =3D rte_cryptodev_count(); > + for (cdev_id =3D 0; cdev_id !=3D n; cdev_id++) { > + sz =3D rte_cryptodev_sym_get_private_session_size(cdev_id); > + if (sz > max_sz) > + max_sz =3D sz; > + /* > + * If crypto device is security capable, need to check the > + * size of security session as well. > + */ > + > + /* Get security context of the crypto device */ > + sec_ctx =3D rte_cryptodev_get_sec_ctx(cdev_id); > + if (sec_ctx =3D=3D NULL) > + continue; > + > + /* Get size of security session */ > + sz =3D rte_security_session_get_size(sec_ctx); > + if (sz > max_sz) > + max_sz =3D sz; > + } > + > + RTE_ETH_FOREACH_DEV(port_id) { > + if ((enabled_port_mask & (1 << port_id)) =3D=3D 0) > + continue; > + > + sec_ctx =3D rte_eth_dev_get_sec_ctx(port_id); > + if (sec_ctx =3D=3D NULL) > + continue; > + > + sz =3D rte_security_session_get_size(sec_ctx); > + if (sz > max_sz) > + max_sz =3D sz; > + } > + > + return max_sz; > +} > + > +static void > +session_pool_init(struct socket_ctx *ctx, int32_t socket_id, size_t sess= _sz) > +{ > + char mp_name[RTE_MEMPOOL_NAMESIZE]; > + struct rte_mempool *sess_mp; > + > + snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > + "sess_mp_%u", socket_id); > + sess_mp =3D rte_cryptodev_sym_session_pool_create( > + mp_name, CDEV_MP_NB_OBJS, > + sess_sz, CDEV_MP_CACHE_SZ, 0, > + socket_id); > + ctx->session_pool =3D sess_mp; > + > + if (ctx->session_pool =3D=3D NULL) > + rte_exit(EXIT_FAILURE, > + "Cannot init session pool on socket %d\n", socket_id); > + else > + printf("Allocated session pool on socket %d\n", socket_id); > +} > + > +static void > +session_priv_pool_init(struct socket_ctx *ctx, int32_t socket_id, > + size_t sess_sz) > +{ > + char mp_name[RTE_MEMPOOL_NAMESIZE]; > + 
struct rte_mempool *sess_mp; > + > + snprintf(mp_name, RTE_MEMPOOL_NAMESIZE, > + "sess_mp_priv_%u", socket_id); > + sess_mp =3D rte_mempool_create(mp_name, > + CDEV_MP_NB_OBJS, > + sess_sz, > + CDEV_MP_CACHE_SZ, > + 0, NULL, NULL, NULL, > + NULL, socket_id, > + 0); > + ctx->session_priv_pool =3D sess_mp; > + if (ctx->session_priv_pool =3D=3D NULL) > + rte_exit(EXIT_FAILURE, > + "Cannot init session priv pool on socket %d\n", > + socket_id); > + else > + printf("Allocated session priv pool on socket %d\n", > + socket_id); > +} > + > static void > pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t nb_mbuf) > { > @@ -2064,9 +2068,11 @@ main(int32_t argc, char **argv) > { > int32_t ret; > uint32_t lcore_id; > + uint32_t i; > uint8_t socket_id; > uint16_t portid; > uint64_t req_rx_offloads, req_tx_offloads; > + size_t sess_sz; >=20 > /* init EAL */ > ret =3D rte_eal_init(argc, argv); > @@ -2094,7 +2100,10 @@ main(int32_t argc, char **argv) >=20 > nb_lcores =3D rte_lcore_count(); >=20 > - /* Replicate each context per socket */ > + crypto_devid_fill(); > + > + sess_sz =3D max_session_size(); > + > for (lcore_id =3D 0; lcore_id < RTE_MAX_LCORE; lcore_id++) { > if (rte_lcore_is_enabled(lcore_id) =3D=3D 0) > continue; > @@ -2104,20 +2113,17 @@ main(int32_t argc, char **argv) > else > socket_id =3D 0; >=20 > + /* mbuf_pool is initialised by the pool_init() function*/ > if (socket_ctx[socket_id].mbuf_pool) > continue; >=20 > - /* initilaze SPD */ > - sp4_init(&socket_ctx[socket_id], socket_id); > - > - sp6_init(&socket_ctx[socket_id], socket_id); > - > - /* initilaze SAD */ > - sa_init(&socket_ctx[socket_id], socket_id); > - > - rt_init(&socket_ctx[socket_id], socket_id); > - > pool_init(&socket_ctx[socket_id], socket_id, NB_MBUF); > + session_pool_init(&socket_ctx[socket_id], socket_id, sess_sz); > + session_priv_pool_init(&socket_ctx[socket_id], socket_id, > + sess_sz); > + > + if (!numa_on) > + break; > } >=20 > RTE_ETH_FOREACH_DEV(portid) { 
> @@ -2135,7 +2141,11 @@ main(int32_t argc, char **argv) > if ((enabled_port_mask & (1 << portid)) =3D=3D 0) > continue; >=20 > - /* Start device */ > + /* > + * Start device > + * note: device must be started before a flow rule > + * can be installed. > + */ > ret =3D rte_eth_dev_start(portid); > if (ret < 0) > rte_exit(EXIT_FAILURE, "rte_eth_dev_start: " > @@ -2153,6 +2163,19 @@ main(int32_t argc, char **argv) > RTE_ETH_EVENT_IPSEC, inline_ipsec_event_callback, > NULL); > } >=20 > + /* Replicate each context per socket */ > + for (i =3D 0; i < NB_SOCKETS && i < rte_socket_count(); i++) { > + socket_id =3D rte_socket_id_by_idx(i); > + if ((socket_ctx[socket_id].mbuf_pool !=3D NULL) && > + (socket_ctx[socket_id].sa_in =3D=3D NULL) && > + (socket_ctx[socket_id].sa_out =3D=3D NULL)) { > + sa_init(&socket_ctx[socket_id], socket_id); > + sp4_init(&socket_ctx[socket_id], socket_id); > + sp6_init(&socket_ctx[socket_id], socket_id); > + rt_init(&socket_ctx[socket_id], socket_id); > + } > + } > + > check_all_ports_link_status(enabled_port_mask); >=20 > /* launch per-lcore init on every lcore */ > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index 4352cb8..e31d472 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c 
> @@ -39,42 +39,17 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > rte_security_ipsec_xform *ipsec) > ipsec->esn_soft_limit =3D IPSEC_OFFLOAD_ESN_SOFTLIMIT; > } >=20 > -int > -create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) > +static int > +create_sec_session(struct ipsec_sa *sa, struct rte_mempool *pool) > { > - struct rte_cryptodev_info cdev_info; > - unsigned long cdev_id_qp =3D 0; > + const struct rte_security_capability *sec_cap; > + struct rte_security_ctx *ctx; > int32_t ret =3D 0; > - struct cdev_key key =3D { 0 }; > - > - key.lcore_id =3D (uint8_t)rte_lcore_id(); > - > - key.cipher_algo =3D (uint8_t)sa->cipher_algo; > - key.auth_algo =3D (uint8_t)sa->auth_algo; > - key.aead_algo =3D (uint8_t)sa->aead_algo; > - > - if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_NONE) { > - ret =3D rte_hash_lookup_data(ipsec_ctx->cdev_map, &key, > - (void **)&cdev_id_qp); > - if (ret < 0) { > - RTE_LOG(ERR, IPSEC, > - "No cryptodev: core %u, cipher_algo %u, " > - "auth_algo %u, aead_algo %u\n", > - key.lcore_id, > - key.cipher_algo, > - key.auth_algo, > - key.aead_algo); > - return -1; > - } > - } >=20 > - RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on cryptodev > " > - "%u qp %u\n", sa->spi, > - ipsec_ctx->tbl[cdev_id_qp].id, > - ipsec_ctx->tbl[cdev_id_qp].qp); > + if ((sa =3D=3D NULL) || (pool =3D=3D NULL)) > + return -EINVAL; >=20 > - if (sa->type !=3D RTE_SECURITY_ACTION_TYPE_NONE) { > - struct rte_security_session_conf sess_conf =3D { > + struct rte_security_session_conf sess_conf =3D { > .action_type =3D sa->type, > .protocol =3D RTE_SECURITY_PROTOCOL_IPSEC, > {.ipsec =3D { 
> @@ -90,247 +65,340 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct > ipsec_sa *sa) > } }, > .crypto_xform =3D sa->xforms, > .userdata =3D NULL, > - > }; >=20 > - if (sa->type =3D=3D > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { > - struct rte_security_ctx *ctx =3D (struct rte_security_ctx *) > - > rte_cryptodev_get_sec_ctx( > - ipsec_ctx- > >tbl[cdev_id_qp].id); > - > - /* Set IPsec parameters in conf */ > - set_ipsec_conf(sa, &(sess_conf.ipsec)); > - > - sa->sec_session =3D rte_security_session_create(ctx, > - &sess_conf, ipsec_ctx->session_pool); > - if (sa->sec_session =3D=3D NULL) { > - RTE_LOG(ERR, IPSEC, > - "SEC Session init failed: err: %d\n", ret); > - return -1; > - } > - } else if (sa->type =3D=3D > RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { > - struct rte_flow_error err; > - struct rte_security_ctx *ctx =3D (struct rte_security_ctx *) > - > rte_eth_dev_get_sec_ctx( > - sa->portid); > - const struct rte_security_capability *sec_cap; > - int ret =3D 0; > - > - sa->sec_session =3D rte_security_session_create(ctx, > - &sess_conf, ipsec_ctx->session_pool); > - if (sa->sec_session =3D=3D NULL) { > - RTE_LOG(ERR, IPSEC, > - "SEC Session init failed: err: %d\n", ret); > - return -1; > - } > + if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { > + ctx =3D (struct rte_security_ctx *) > + rte_eth_dev_get_sec_ctx(sa->portid); >=20 > - sec_cap =3D rte_security_capabilities_get(ctx); > + /* Set IPsec parameters in conf */ > + set_ipsec_conf(sa, &(sess_conf.ipsec)); >=20 > - /* iterate until ESP tunnel*/ > - while (sec_cap->action !=3D > - RTE_SECURITY_ACTION_TYPE_NONE) > { > + sa->sec_session =3D rte_security_session_create(ctx, > + &sess_conf, pool); > + if (sa->sec_session =3D=3D NULL) { > + RTE_LOG(ERR, IPSEC, > + "SEC Session init failed: err: %d\n", > + ret); > + return -1; > + } > + } else if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { > + struct rte_flow_error err; > + ctx =3D (struct rte_security_ctx *) > + 
rte_eth_dev_get_sec_ctx(sa->portid); > + sa->sec_session =3D rte_security_session_create(ctx, > + &sess_conf, pool); > + if (sa->sec_session =3D=3D NULL) { > + RTE_LOG(ERR, IPSEC, "SEC Session init failed\n"); > + return -1; > + } >=20 > - if (sec_cap->action =3D=3D sa->type && > - sec_cap->protocol =3D=3D > - RTE_SECURITY_PROTOCOL_IPSEC && > - sec_cap->ipsec.mode =3D=3D > - > RTE_SECURITY_IPSEC_SA_MODE_TUNNEL && > - sec_cap->ipsec.direction =3D=3D sa->direction) > - break; > - sec_cap++; > - } > + sec_cap =3D rte_security_capabilities_get(ctx); > + > + /* iterate until ESP tunnel*/ > + while (sec_cap->action !=3D RTE_SECURITY_ACTION_TYPE_NONE) > { > + if (sec_cap->action =3D=3D sa->type && > + sec_cap->protocol =3D=3D > + RTE_SECURITY_PROTOCOL_IPSEC && > + sec_cap->ipsec.mode =3D=3D > + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL && > + sec_cap->ipsec.direction =3D=3D sa->direction) > + break; > + sec_cap++; > + } >=20 > - if (sec_cap->action =3D=3D > RTE_SECURITY_ACTION_TYPE_NONE) { > - RTE_LOG(ERR, IPSEC, > + if (sec_cap->action =3D=3D RTE_SECURITY_ACTION_TYPE_NONE) { > + RTE_LOG(ERR, IPSEC, > "No suitable security capability found\n"); > return -1; > - } > + } >=20 > - sa->ol_flags =3D sec_cap->ol_flags; > - sa->security_ctx =3D ctx; > - sa->pattern[0].type =3D RTE_FLOW_ITEM_TYPE_ETH; > - > - sa->pattern[1].type =3D RTE_FLOW_ITEM_TYPE_IPV4; > - sa->pattern[1].mask =3D &rte_flow_item_ipv4_mask; > - if (sa->flags & IP6_TUNNEL) { > - sa->pattern[1].spec =3D &sa->ipv6_spec; > - memcpy(sa->ipv6_spec.hdr.dst_addr, > - sa->dst.ip.ip6.ip6_b, 16); > - memcpy(sa->ipv6_spec.hdr.src_addr, > - sa->src.ip.ip6.ip6_b, 16); > - } else { > - sa->pattern[1].spec =3D &sa->ipv4_spec; > - sa->ipv4_spec.hdr.dst_addr =3D sa->dst.ip.ip4; > - sa->ipv4_spec.hdr.src_addr =3D sa->src.ip.ip4; > - } > + sa->ol_flags =3D sec_cap->ol_flags; > + sa->security_ctx =3D ctx; > + sa->pattern[0].type =3D RTE_FLOW_ITEM_TYPE_ETH; > + > + sa->pattern[1].type =3D RTE_FLOW_ITEM_TYPE_IPV4; > + sa->pattern[1].mask 
=3D &rte_flow_item_ipv4_mask; > + if (sa->flags & IP6_TUNNEL) { > + sa->pattern[1].spec =3D &sa->ipv6_spec; > + memcpy(sa->ipv6_spec.hdr.dst_addr, > + sa->dst.ip.ip6.ip6_b, 16); > + memcpy(sa->ipv6_spec.hdr.src_addr, > + sa->src.ip.ip6.ip6_b, 16); > + } else { > + sa->pattern[1].spec =3D &sa->ipv4_spec; > + sa->ipv4_spec.hdr.dst_addr =3D sa->dst.ip.ip4; > + sa->ipv4_spec.hdr.src_addr =3D sa->src.ip.ip4; > + } >=20 > - sa->pattern[2].type =3D RTE_FLOW_ITEM_TYPE_ESP; > - sa->pattern[2].spec =3D &sa->esp_spec; > - sa->pattern[2].mask =3D &rte_flow_item_esp_mask; > - sa->esp_spec.hdr.spi =3D rte_cpu_to_be_32(sa->spi); > + sa->pattern[2].type =3D RTE_FLOW_ITEM_TYPE_ESP; > + sa->pattern[2].spec =3D &sa->esp_spec; > + sa->pattern[2].mask =3D &rte_flow_item_esp_mask; > + sa->esp_spec.hdr.spi =3D rte_cpu_to_be_32(sa->spi); >=20 > - sa->pattern[3].type =3D RTE_FLOW_ITEM_TYPE_END; > + sa->pattern[3].type =3D RTE_FLOW_ITEM_TYPE_END; >=20 > - sa->action[0].type =3D > RTE_FLOW_ACTION_TYPE_SECURITY; > - sa->action[0].conf =3D sa->sec_session; > + sa->action[0].type =3D RTE_FLOW_ACTION_TYPE_SECURITY; > + sa->action[0].conf =3D sa->sec_session; >=20 > - sa->action[1].type =3D RTE_FLOW_ACTION_TYPE_END; > + sa->action[1].type =3D RTE_FLOW_ACTION_TYPE_END; >=20 > - sa->attr.egress =3D (sa->direction =3D=3D > + sa->attr.egress =3D (sa->direction =3D=3D >=20 > RTE_SECURITY_IPSEC_SA_DIR_EGRESS); > - sa->attr.ingress =3D (sa->direction =3D=3D > + sa->attr.ingress =3D (sa->direction =3D=3D >=20 > RTE_SECURITY_IPSEC_SA_DIR_INGRESS); > - if (sa->attr.ingress) { > - uint8_t rss_key[40]; > - struct rte_eth_rss_conf rss_conf =3D { > - .rss_key =3D rss_key, > - .rss_key_len =3D 40, > - }; > - struct rte_eth_dev *eth_dev; > - uint16_t > queue[RTE_MAX_QUEUES_PER_PORT]; > - struct rte_flow_action_rss action_rss; > - unsigned int i; > - unsigned int j; > - > - sa->action[2].type =3D > RTE_FLOW_ACTION_TYPE_END; > - /* Try RSS. 
*/ > - sa->action[1].type =3D > RTE_FLOW_ACTION_TYPE_RSS; > - sa->action[1].conf =3D &action_rss; > - eth_dev =3D ctx->device; > - rte_eth_dev_rss_hash_conf_get(sa->portid, > - &rss_conf); > - for (i =3D 0, j =3D 0; > - i < eth_dev->data->nb_rx_queues; ++i) > - if (eth_dev->data->rx_queues[i]) > - queue[j++] =3D i; > + if (sa->attr.ingress) { > + uint8_t rss_key[40]; > + struct rte_eth_rss_conf rss_conf =3D { > + .rss_key =3D rss_key, > + .rss_key_len =3D 40, > + }; > + struct rte_eth_dev *eth_dev; > + uint16_t queue[RTE_MAX_QUEUES_PER_PORT]; > + struct rte_flow_action_rss action_rss; > + unsigned int i; > + unsigned int j; > + > + sa->action[2].type =3D RTE_FLOW_ACTION_TYPE_END; > + /* Try RSS. */ > + sa->action[1].type =3D RTE_FLOW_ACTION_TYPE_RSS; > + sa->action[1].conf =3D &action_rss; > + eth_dev =3D ctx->device; > + rte_eth_dev_rss_hash_conf_get(sa->portid, > + &rss_conf); > + for (i =3D 0, j =3D 0; i < eth_dev->data->nb_rx_queues; > + ++i) > + if (eth_dev->data->rx_queues[i]) > + queue[j++] =3D i; Compilation error /home/akhil/up/dpdk-next-crypto/examples/ipsec-secgw/ipsec.c: In function '= create_sec_session': /home/akhil/up/dpdk-next-crypto/examples/ipsec-secgw/ipsec.c:169:4: error: = this 'for' clause does not guard... [-Werror=3Dmisleading-indentation] for (i =3D 0, j =3D 0; i < eth_dev->data->nb_rx_queues; ^~~ /home/akhil/up/dpdk-next-crypto/examples/ipsec-secgw/ipsec.c:173:5: note: .= ..this statement, but the latter is misleadingly indented as if it is guard= ed by the 'for' action_rss =3D (struct rte_flow_action_rss){ ^~~~~~~~~~ > action_rss =3D (struct rte_flow_action_rss){ > .types =3D rss_conf.rss_hf, > .key_len =3D rss_conf.rss_key_len, > .queue_num =3D j, > .key =3D rss_key, > .queue =3D queue, > - }; > - ret =3D rte_flow_validate(sa->portid, &sa->attr, > - sa->pattern, sa- > >action, > - &err); > - if (!ret) > - goto flow_create; > - /* Try Queue. 
*/ > - sa->action[1].type =3D > RTE_FLOW_ACTION_TYPE_QUEUE; > - sa->action[1].conf =3D > - &(struct rte_flow_action_queue){ > - .index =3D 0, > - }; > - ret =3D rte_flow_validate(sa->portid, &sa->attr, > - sa->pattern, sa- > >action, > - &err); > - /* Try End. */ > - sa->action[1].type =3D > RTE_FLOW_ACTION_TYPE_END; > - sa->action[1].conf =3D NULL; > - ret =3D rte_flow_validate(sa->portid, &sa->attr, > + }; > + ret =3D rte_flow_validate(sa->portid, &sa->attr, > + sa->pattern, sa->action, > + &err); > + if (!ret) > + goto flow_create; > + /* Try Queue. */ > + sa->action[1].type =3D RTE_FLOW_ACTION_TYPE_QUEUE; > + sa->action[1].conf =3D > + &(struct rte_flow_action_queue){ > + .index =3D 0, > + }; > + ret =3D rte_flow_validate(sa->portid, &sa->attr, > + sa->pattern, sa->action, > + &err); > + /* Try End. */ > + sa->action[1].type =3D RTE_FLOW_ACTION_TYPE_END; > + sa->action[1].conf =3D NULL; > + ret =3D rte_flow_validate(sa->portid, &sa->attr, > sa->pattern, sa- > >action, > &err); > - if (ret) > - goto flow_create_failure; > - } else if (sa->attr.egress && > - (sa->ol_flags & > - RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) > { > - sa->action[1].type =3D > - RTE_FLOW_ACTION_TYPE_PASSTHRU; > - sa->action[2].type =3D > - RTE_FLOW_ACTION_TYPE_END; > - } > + if (ret) > + goto flow_create_failure; > + } else if (sa->attr.egress && > + (sa->ol_flags & > + RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) { > + sa->action[1].type =3D > + RTE_FLOW_ACTION_TYPE_PASSTHRU; > + sa->action[2].type =3D > + RTE_FLOW_ACTION_TYPE_END; > + } > flow_create: > - sa->flow =3D rte_flow_create(sa->portid, > - &sa->attr, sa->pattern, sa->action, &err); > - if (sa->flow =3D=3D NULL) { > + sa->flow =3D rte_flow_create(sa->portid, > + &sa->attr, sa->pattern, sa->action, &err); > + if (sa->flow =3D=3D NULL) { > flow_create_failure: > - RTE_LOG(ERR, IPSEC, > - "Failed to create ipsec flow msg: %s\n", > - err.message); > - return -1; > - } > - } else if (sa->type =3D=3D > - > 
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { > - struct rte_security_ctx *ctx =3D > - (struct rte_security_ctx *) > - rte_eth_dev_get_sec_ctx(sa->portid); > - const struct rte_security_capability *sec_cap; > - > - if (ctx =3D=3D NULL) { > - RTE_LOG(ERR, IPSEC, > - "Ethernet device doesn't have security features > registered\n"); > - return -1; > - } > + RTE_LOG(ERR, IPSEC, > + "Failed to create ipsec flow msg: %s\n", > + err.message); > + return -1; > + } > + } else if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) > { > + struct rte_security_ctx *ctx =3D > + (struct rte_security_ctx *) > + rte_eth_dev_get_sec_ctx(sa->portid); > + const struct rte_security_capability *sec_cap; >=20 > - /* Set IPsec parameters in conf */ > - set_ipsec_conf(sa, &(sess_conf.ipsec)); > - > - /* Save SA as userdata for the security session. When > - * the packet is received, this userdata will be > - * retrieved using the metadata from the packet. > - * > - * The PMD is expected to set similar metadata for > other > - * operations, like rte_eth_event, which are tied to > - * security session. In such cases, the userdata could > - * be obtained to uniquely identify the security > - * parameters denoted. > - */ > - > - sess_conf.userdata =3D (void *) sa; > - > - sa->sec_session =3D rte_security_session_create(ctx, > - &sess_conf, ipsec_ctx->session_pool); > - if (sa->sec_session =3D=3D NULL) { > - RTE_LOG(ERR, IPSEC, > - "SEC Session init failed: err: %d\n", ret); > - return -1; > - } > + if (ctx =3D=3D NULL) { > + RTE_LOG(ERR, IPSEC, > + "Ethernet device doesn't have security features > registered\n"); > + return -1; > + } > + > + /* Set IPsec parameters in conf */ > + set_ipsec_conf(sa, &(sess_conf.ipsec)); > + > + /* Save SA as userdata for the security session. When > + * the packet is received, this userdata will be > + * retrieved using the metadata from the packet. 
> + * > + * The PMD is expected to set similar metadata for other > + * operations, like rte_eth_event, which are tied to > + * security session. In such cases, the userdata could > + * be obtained to uniquely identify the security > + * parameters denoted. > + */ > + > + sess_conf.userdata =3D (void *) sa; > + > + sa->sec_session =3D rte_security_session_create(ctx, > + &sess_conf, pool); > + if (sa->sec_session =3D=3D NULL) { > + RTE_LOG(ERR, IPSEC, > + "SEC Session init failed: err: %d\n", ret); > + return -1; > + } >=20 > - sec_cap =3D rte_security_capabilities_get(ctx); > + sec_cap =3D rte_security_capabilities_get(ctx); >=20 > - if (sec_cap =3D=3D NULL) { > - RTE_LOG(ERR, IPSEC, > - "No capabilities registered\n"); > - return -1; > - } > + if (sec_cap =3D=3D NULL) { > + RTE_LOG(ERR, IPSEC, > + "No capabilities registered\n"); > + return -1; > + } >=20 > - /* iterate until ESP tunnel*/ > - while (sec_cap->action !=3D > + /* iterate until ESP tunnel*/ > + while (sec_cap->action !=3D > RTE_SECURITY_ACTION_TYPE_NONE) > { >=20 > - if (sec_cap->action =3D=3D sa->type && > - sec_cap->protocol =3D=3D > - RTE_SECURITY_PROTOCOL_IPSEC && > - sec_cap->ipsec.mode =3D=3D > - > RTE_SECURITY_IPSEC_SA_MODE_TUNNEL && > - sec_cap->ipsec.direction =3D=3D sa->direction) > - break; > - sec_cap++; > - } > + if (sec_cap->action =3D=3D sa->type && > + sec_cap->protocol =3D=3D > + RTE_SECURITY_PROTOCOL_IPSEC && > + sec_cap->ipsec.mode =3D=3D > + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL && > + sec_cap->ipsec.direction =3D=3D sa->direction) > + break; > + sec_cap++; > + } >=20 > - if (sec_cap->action =3D=3D > RTE_SECURITY_ACTION_TYPE_NONE) { > - RTE_LOG(ERR, IPSEC, > - "No suitable security capability found\n"); > - return -1; > - } > + if (sec_cap->action =3D=3D RTE_SECURITY_ACTION_TYPE_NONE) { > + RTE_LOG(ERR, IPSEC, > + "No suitable security capability found\n"); > + return -1; > + } > + > + sa->ol_flags =3D sec_cap->ol_flags; > + sa->security_ctx =3D ctx; > + } else > + return -EINVAL; > + 
return 0; > +} > + > +#define CDEV_IV_SIZE 12 > + > +static int > +check_cryptodev_aead_capablity(const struct ipsec_sa *ss, uint8_t dev_id= ) > +{ > + struct rte_cryptodev_sym_capability_idx cap_idx; > + const struct rte_cryptodev_symmetric_capability *cap; >=20 > - sa->ol_flags =3D sec_cap->ol_flags; > - sa->security_ctx =3D ctx; > + cap_idx.type =3D RTE_CRYPTO_SYM_XFORM_AEAD; > + cap_idx.algo.aead =3D ss->aead_algo; > + > + cap =3D rte_cryptodev_sym_capability_get(dev_id, &cap_idx); > + if (cap =3D=3D NULL) > + return -ENOENT; > + > + return rte_cryptodev_sym_capability_check_aead(cap, > + ss->cipher_key_len, > + ss->digest_len, > + ss->aad_len, > + CDEV_IV_SIZE); > +} > + > +static int > +check_cryptodev_capablity(const struct ipsec_sa *ss, uint8_t dev_id) > +{ > + struct rte_cryptodev_sym_capability_idx cap_idx; > + const struct rte_cryptodev_symmetric_capability *cap; > + uint16_t auth_iv_len; > + int rc =3D -1; > + > + if (ss =3D=3D NULL) > + return rc; > + > + if (ss->aead_algo =3D=3D RTE_CRYPTO_AEAD_AES_GCM) > + return check_cryptodev_aead_capablity(ss, dev_id); > + > + auth_iv_len =3D 0; > + > + cap_idx.type =3D RTE_CRYPTO_SYM_XFORM_AUTH; > + cap_idx.algo.auth =3D ss->auth_algo; > + cap =3D rte_cryptodev_sym_capability_get(dev_id, &cap_idx); > + if (cap !=3D NULL) { > + rc =3D rte_cryptodev_sym_capability_check_auth( > + cap, ss->auth_key_len, ss->digest_len, > + auth_iv_len); > + if (rc =3D=3D 0) { > + cap_idx.type =3D RTE_CRYPTO_SYM_XFORM_CIPHER; > + cap_idx.algo.cipher =3D ss->cipher_algo; > + cap =3D rte_cryptodev_sym_capability_get(dev_id, > + &cap_idx); > + if (cap !=3D NULL) > + rc =3D > rte_cryptodev_sym_capability_check_cipher( > + cap, ss->cipher_key_len, > + ss->iv_len); > } > - } else { > - sa->crypto_session =3D rte_cryptodev_sym_session_create( > - ipsec_ctx->session_pool); > - rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id, > - sa->crypto_session, sa->xforms, > - ipsec_ctx->session_priv_pool); > - > - 
rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id, > - &cdev_info); > } > - sa->cdev_id_qp =3D cdev_id_qp; >=20 > - return 0; > + return rc; > +} > + > +static int > +create_crypto_session(struct ipsec_sa *sa, struct rte_mempool *pool) > +{ > + int32_t rc; > + uint32_t devnum, i; > + struct rte_cryptodev_sym_session *s; > + uint8_t devid[RTE_CRYPTO_MAX_DEVS]; > + > + /* check which cryptodevs support SA */ > + devnum =3D 0; > + for (i =3D 0; i < crypto_dev_num; i++) { > + rc =3D check_cryptodev_capablity(sa, crypto_devid[i]); > + if (rc =3D=3D 0) > + devid[devnum++] =3D crypto_devid[i]; > + } > + > + if (devnum =3D=3D 0) > + return -ENODEV; > + > + s =3D rte_cryptodev_sym_session_create(pool); > + if (s =3D=3D NULL) > + return -ENOMEM; > + > + /* initialize SA crypto session for all supported devices */ > + for (i =3D 0; i !=3D devnum; i++) { > + rc =3D rte_cryptodev_sym_session_init(devid[i], s, sa->xforms, > + pool); > + if (rc !=3D 0) > + break; > + } > + > + if (i =3D=3D devnum) { > + sa->crypto_session =3D s; > + return 0; > + } > + > + /* failure, do cleanup */ > + while (i-- !=3D 0) > + rte_cryptodev_sym_session_clear(devid[i], s); > + > + rte_cryptodev_sym_session_free(s); > + return rc; > +} > + > +int > +create_session(struct ipsec_sa *sa, struct rte_mempool *pool) > +{ > + if (sa->type !=3D RTE_SECURITY_ACTION_TYPE_NONE) > + return create_sec_session(sa, pool); > + else > + return create_crypto_session(sa, pool); > } >=20 > /* > @@ -393,13 +461,6 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct > ipsec_ctx *ipsec_ctx, > priv->cop.status =3D > RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; >=20 > rte_prefetch0(&priv->sym_cop); > - > - if ((unlikely(sa->sec_session =3D=3D NULL)) && > - create_session(ipsec_ctx, sa)) { > - rte_pktmbuf_free(pkts[i]); > - continue; > - } > - > sym_cop =3D get_sym_cop(&priv->cop); > sym_cop->m_src =3D pkts[i]; >=20 
> @@ -412,13 +473,6 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct > ipsec_ctx *ipsec_ctx, > priv->cop.status =3D > RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; >=20 > rte_prefetch0(&priv->sym_cop); > - > - if ((unlikely(sa->crypto_session =3D=3D NULL)) && > - create_session(ipsec_ctx, sa)) { > - rte_pktmbuf_free(pkts[i]); > - continue; > - } > - > rte_crypto_op_attach_sym_session(&priv->cop, > sa->crypto_session); >=20 > @@ -429,12 +483,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct > ipsec_ctx *ipsec_ctx, > } > break; > case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL: > - if ((unlikely(sa->sec_session =3D=3D NULL)) && > - create_session(ipsec_ctx, sa)) { > - rte_pktmbuf_free(pkts[i]); > - continue; > - } > - > + RTE_ASSERT(sa->sec_session !=3D NULL); > ipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] =3D pkts[i]; > if (sa->ol_flags & > RTE_SECURITY_TX_OLOAD_NEED_MDATA) > rte_security_set_pkt_metadata( > @@ -442,17 +491,11 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct > ipsec_ctx *ipsec_ctx, > sa->sec_session, pkts[i], NULL); > continue; > case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO: > + RTE_ASSERT(sa->sec_session !=3D NULL); > priv->cop.type =3D RTE_CRYPTO_OP_TYPE_SYMMETRIC; > priv->cop.status =3D > RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; >=20 > rte_prefetch0(&priv->sym_cop); > - > - if ((unlikely(sa->sec_session =3D=3D NULL)) && > - create_session(ipsec_ctx, sa)) { > - rte_pktmbuf_free(pkts[i]); > - continue; > - } > - > rte_security_attach_session(&priv->cop, > sa->sec_session); >=20 > diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h > index 99f49d6..804330c 100644 > --- a/examples/ipsec-secgw/ipsec.h > +++ b/examples/ipsec-secgw/ipsec.h 
> @@ -83,6 +83,14 @@ struct app_sa_prm { >=20 > extern struct app_sa_prm app_sa_prm; >=20 > +/* > + * Number of enabled crypto devices > + * This number is needed when checking crypto device capabilities > + */ > +extern uint8_t crypto_dev_num; > +/* array of crypto device ID's */ > +extern uint8_t crypto_devid[RTE_CRYPTO_MAX_DEVS]; > + > struct ipsec_sa { > struct rte_ipsec_session ips; /* one session per sa for now */ > uint32_t spi; > @@ -306,6 +314,6 @@ void > enqueue_cop_burst(struct cdev_qp *cqp); >=20 > int > -create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa); > +create_session(struct ipsec_sa *sa, struct rte_mempool *pool); >=20 > #endif /* __IPSEC_H__ */ > diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec- > secgw/ipsec_process.c > index 3f9cacb..0df6969 100644 > --- a/examples/ipsec-secgw/ipsec_process.c > +++ b/examples/ipsec-secgw/ipsec_process.c > @@ -86,39 +86,6 @@ enqueue_cop_bulk(struct cdev_qp *cqp, struct > rte_crypto_op *cop[], uint32_t num) > cqp->len =3D len; > } >=20 > -static inline int > -fill_ipsec_session(struct rte_ipsec_session *ss, struct ipsec_ctx *ctx, > - struct ipsec_sa *sa) > -{ > - int32_t rc; > - > - /* setup crypto section */ > - if (ss->type =3D=3D RTE_SECURITY_ACTION_TYPE_NONE) { > - if (sa->crypto_session =3D=3D NULL) { > - rc =3D create_session(ctx, sa); > - if (rc !=3D 0) > - return rc; > - } > - ss->crypto.ses =3D sa->crypto_session; > - /* setup session action type */ > - } else { > - if (sa->sec_session =3D=3D NULL) { > - rc =3D create_session(ctx, sa); > - if (rc !=3D 0) > - return rc; > - } > - ss->security.ses =3D sa->sec_session; > - ss->security.ctx =3D sa->security_ctx; > - ss->security.ol_flags =3D sa->ol_flags; > - } > - > - rc =3D rte_ipsec_session_prepare(ss); > - if (rc !=3D 0) > - memset(ss, 0, sizeof(*ss)); > - > - return rc; > -} > - > /* > * group input packets byt the SA they belong to. > */ 
> @@ -219,9 +186,8 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_tra= ffic > *trf) >=20 > ips =3D &sa->ips; >=20 > - /* no valid HW session for that SA, try to create one */ > - if (sa =3D=3D NULL || (ips->crypto.ses =3D=3D NULL && > - fill_ipsec_session(ips, ctx, sa) !=3D 0)) > + /* no valid HW session for that SA */ > + if (sa =3D=3D NULL || ips->crypto.ses =3D=3D NULL) > k =3D 0; >=20 > /* process packets inline */ > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index a7298a3..0f36f5b 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -774,14 +774,14 @@ check_eth_dev_caps(uint16_t portid, uint32_t > inbound) > return 0; > } >=20 > - > static int > sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > - uint32_t nb_entries, uint32_t inbound) > + uint32_t nb_entries, uint32_t inbound, struct socket_ctx *skt_ctx) > { > struct ipsec_sa *sa; > uint32_t i, idx; > uint16_t iv_length, aad_length; > + int32_t rc; >=20 > /* for ESN upper 32 bits of SQN also need to be part of AAD */ > aad_length =3D (app_sa_prm.enable_esn !=3D 0) ? sizeof(uint32_t) : 0; > @@ -902,6 +902,12 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct > ipsec_sa entries[], >=20 > print_one_sa_rule(sa, inbound); > } > + rc =3D create_session(sa, skt_ctx->session_pool); > + if (rc !=3D 0) { > + RTE_LOG(ERR, IPSEC_ESP, > + "create_session() failed\n"); > + return -EINVAL; > + } > } >=20 > return 0; 
> @@ -909,16 +915,16 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct > ipsec_sa entries[], >=20 > static inline int > sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > - uint32_t nb_entries) > + uint32_t nb_entries, struct socket_ctx *skt_ctx) > { > - return sa_add_rules(sa_ctx, entries, nb_entries, 0); > + return sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx); > } >=20 > static inline int > sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], > - uint32_t nb_entries) > + uint32_t nb_entries, struct socket_ctx *skt_ctx) > { > - return sa_add_rules(sa_ctx, entries, nb_entries, 1); > + return sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx); > } >=20 > /* > @@ -1012,10 +1018,12 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, > const struct ipsec_sa *ss, > return 0; > } >=20 > -static void > +static int > fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa= , > const struct ipsec_sa *lsa) > { > + int32_t rc =3D 0; > + > ss->sa =3D sa; > ss->type =3D lsa->type; >=20 > @@ -1028,6 +1036,12 @@ fill_ipsec_session(struct rte_ipsec_session *ss, s= truct > rte_ipsec_sa *sa, > ss->security.ctx =3D lsa->security_ctx; > ss->security.ol_flags =3D lsa->ol_flags; > } > + > + rc =3D rte_ipsec_session_prepare(ss); > + if (rc !=3D 0) > + memset(ss, 0, sizeof(*ss)); > + > + return rc; > } >=20 > /* > @@ -1062,8 +1076,8 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipse= c_sa > *sa, uint32_t sa_size) > if (rc < 0) > return rc; >=20 > - fill_ipsec_session(&lsa->ips, sa, lsa); > - return 0; > + rc =3D fill_ipsec_session(&lsa->ips, sa, lsa); > + return rc; > } >=20 > /* 
> @@ -1141,7 +1155,10 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id) > "context %s in socket %d\n", rte_errno, > name, socket_id); >=20 > - sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in); > + rc =3D sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx); > + if (rc !=3D 0) > + rte_exit(EXIT_FAILURE, > + "failed to add inbound rules\n"); >=20 > if (app_sa_prm.enable !=3D 0) { > rc =3D ipsec_satbl_init(ctx->sa_in, sa_in, nb_sa_in, > @@ -1161,7 +1178,10 @@ sa_init(struct socket_ctx *ctx, int32_t socket_id) > "context %s in socket %d\n", rte_errno, > name, socket_id); >=20 > - sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out); > + rc =3D sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx); > + if (rc !=3D 0) > + rte_exit(EXIT_FAILURE, > + "failed to add outbound rules\n"); >=20 > if (app_sa_prm.enable !=3D 0) { > rc =3D ipsec_satbl_init(ctx->sa_out, sa_out, nb_sa_out, > -- > 2.7.4
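Review bot: in create_crypto_session() (examples/ipsec-secgw/ipsec.c), the same mempool is passed to both rte_cryptodev_sym_session_create(pool) and rte_cryptodev_sym_session_init(devid[i], s, sa->xforms, pool), whereas the removed code created the session from ipsec_ctx->session_pool and initialised it from ipsec_ctx->session_priv_pool. The only caller shown passes skt_ctx->session_pool, so the per-device private data would now be drawn from the session header pool. Either give create_session() a second mempool argument for the private data, or state in the commit message why one pool is sufficient. Separately, in the INLINE_PROTOCOL branch of create_sec_session() the "SEC Session init failed: err: %d" message prints ret, but rte_security_session_create() returns a pointer and nothing visible in that branch assigns ret, so the number logged is unrelated to the failure.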
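Review bot: in ipsec_enqueue(), the four removed "session == NULL, then create_session()" fallbacks are replaced inconsistently: the INLINE_PROTOCOL and INLINE_CRYPTO cases gain RTE_ASSERT(sa->sec_session != NULL), while the two cases changed at @@ -393 and @@ -412 lose their check with nothing in its place before the session pointer is used (rte_crypto_op_attach_sym_session(&priv->cop, sa->crypto_session) in the second one). Add the matching RTE_ASSERT on sa->sec_session and sa->crypto_session there as well, so that every case documents the new invariant that sessions exist before the data path runs. Since RTE_ASSERT is a debug-build check, it is also worth a comment at the top of the switch saying that sa_add_rules() is now the only place a session can be created.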
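Review bot: in ipsec_process() (@@ -219 of ipsec_process.c), the new condition "sa == NULL || ips->crypto.ses == NULL" tests only the crypto member, but the fill_ipsec_session() removed just above stored the session in ss->security.ses for every type other than RTE_SECURITY_ACTION_TYPE_NONE. If the check relies on crypto.ses and security.ses sharing storage, say so in the comment; otherwise test the member that matches ips->type. The context line "ips = &sa->ips;" also runs before the sa == NULL test, which would be the moment to move it after the check. With on-demand creation gone, a missing session here now means k = 0 with no log or counter, so a one-time error message for that SA would help diagnose a setup failure.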
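Review bot: in sa_add_rules() (@@ -902 of sa.c), the failure path for create_session() throws away rc and returns -EINVAL, and the log line "create_session() failed" does not say which SA failed or why. create_crypto_session() goes to the trouble of returning -ENODEV, -ENOMEM or the driver's error, so log rc together with sa->spi and return rc unchanged. The sessions already created for earlier entries in the loop are not released on this path; that is harmless while sa_init() responds with rte_exit(), but it deserves a comment so the function is not reused later where the process keeps running. The two rte_exit() messages added in sa_init() would likewise be more useful with rc and socket_id in them, as the neighbouring "context %s in socket %d" message already does.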