From: Akhil Goyal <akhil.goyal@nxp.com>
To: Bernard Iremonger <bernard.iremonger@intel.com>,
"dev@dpdk.org" <dev@dpdk.org>,
"konstantin.ananyev@intel.com" <konstantin.ananyev@intel.com>
Cc: "stable@dpdk.org" <stable@dpdk.org>
Subject: Re: [dpdk-dev] [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto
Date: Tue, 23 Apr 2019 11:14:54 +0000 [thread overview]
Message-ID: <VI1PR04MB4893E33133A6B97BA2CE2067E6230@VI1PR04MB4893.eurprd04.prod.outlook.com> (raw)
In-Reply-To: <VI1PR04MB48935FACF4F7C3E71B6D549AE6260@VI1PR04MB4893.eurprd04.prod.outlook.com>
Hi Bernard,
> -----Original Message-----
> From: Akhil Goyal
> Sent: Thursday, April 18, 2019 7:21 PM
> To: Bernard Iremonger <bernard.iremonger@intel.com>; dev@dpdk.org;
> konstantin.ananyev@intel.com
> Cc: stable@dpdk.org
> Subject: RE: [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped for
> inline crypto
>
> Hi Bernard,
>
> > - RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on cryptodev "
> > - "%u qp %u\n", sa->spi,
> > - ipsec_ctx->tbl[cdev_id_qp].id,
> > - ipsec_ctx->tbl[cdev_id_qp].qp);
> > + if ((sa == NULL) || (pool == NULL))
> > + return -EINVAL;
> >
> > - if (sa->type != RTE_SECURITY_ACTION_TYPE_NONE) {
> > - struct rte_security_session_conf sess_conf = {
> > + struct rte_security_session_conf sess_conf = {
> > .action_type = sa->type,
> > .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
> > {.ipsec = {
> > @@ -90,247 +65,340 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct
> > ipsec_sa *sa)
> > } },
> > .crypto_xform = sa->xforms,
> > .userdata = NULL,
> > -
> > };
> >
> > - if (sa->type ==
> RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
> > {
> > - struct rte_security_ctx *ctx = (struct rte_security_ctx *)
> > - rte_cryptodev_get_sec_ctx(
> > - ipsec_ctx->tbl[cdev_id_qp].id);
> > -
> > - /* Set IPsec parameters in conf */
> > - set_ipsec_conf(sa, &(sess_conf.ipsec));
> > -
> > - sa->sec_session = rte_security_session_create(ctx,
> > - &sess_conf, ipsec_ctx->session_pool);
> > - if (sa->sec_session == NULL) {
> > - RTE_LOG(ERR, IPSEC,
> > - "SEC Session init failed: err: %d\n", ret);
> > - return -1;
> > - }
> > - } else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
> {
> > - struct rte_flow_error err;
> > - struct rte_security_ctx *ctx = (struct rte_security_ctx *)
> > - rte_eth_dev_get_sec_ctx(
> > - sa->portid);
> > - const struct rte_security_capability *sec_cap;
> > - int ret = 0;
> > -
> > - sa->sec_session = rte_security_session_create(ctx,
> > - &sess_conf, ipsec_ctx->session_pool);
> > - if (sa->sec_session == NULL) {
> > - RTE_LOG(ERR, IPSEC,
> > - "SEC Session init failed: err: %d\n", ret);
> > - return -1;
> > - }
> > + if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
> > + ctx = (struct rte_security_ctx *)
> > + rte_eth_dev_get_sec_ctx(sa->portid);
>
> This is breaking the lookaside mode. Ctx was retrieved using the ipsec_ctx->tbl
> struct rte_security_ctx *ctx = (struct rte_security_ctx *)
> rte_cryptodev_get_sec_ctx(
> ipsec_ctx->tbl[cdev_id_qp].id);
>
> I am looking into it, but I don't have time left to get it integrated in RC2. So this
> has to be pushed to RC3
It looks like there are multiple issues in this patch wrt lookaside and none cases. Only the inline cases seem to be working.
1. the patch removes the cdev_mapping concept completely. Cdev_id_qp is not getting used.
The port_id cannot be used in case of crypto, the mapping of cdev/qp/core is done differently for inbound and outbound ports which is missed in this patch.
2. crypto sessions are created using the session mempool and the private data is allocated using the session priv_mempool which is removed in this patch. This will break cases where the priv data is more than the size of sess_mp element size.
Also the security sessions need to be allocated using the session_priv_mp instead of the session_mp.
Please check this one.
http://patches.dpdk.org/patch/52981/
Ideally this issue should be resolved by adding another parameter in rte_security_session_create which can take another mempool pointer for private data allocation. But this cannot be done in this release as it would need a deprecation notice.
With the above issues I don't see your patch going in 19.05 release cycle.
Regards,
Akhil
>
>
>
> >
> > - sec_cap = rte_security_capabilities_get(ctx);
> > + /* Set IPsec parameters in conf */
> > + set_ipsec_conf(sa, &(sess_conf.ipsec));
> >
> > - /* iterate until ESP tunnel*/
> > - while (sec_cap->action !=
> > - RTE_SECURITY_ACTION_TYPE_NONE) {
> > + sa->sec_session = rte_security_session_create(ctx,
> > + &sess_conf, pool);
> > + if (sa->sec_session == NULL) {
> > + RTE_LOG(ERR, IPSEC,
> > + "SEC Session init failed: err: %d\n",
> > + ret);
> > + return -1;
> > + }
next prev parent reply other threads:[~2019-04-23 11:15 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-18 13:51 [dpdk-dev] [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto Akhil Goyal
2019-04-18 14:58 ` Iremonger, Bernard
2019-04-18 15:23 ` Iremonger, Bernard
2019-04-23 11:14 ` Akhil Goyal [this message]
2019-04-23 13:21 ` Ananyev, Konstantin
2019-04-23 13:32 ` Akhil Goyal
2019-04-23 14:04 ` Ananyev, Konstantin
2019-04-24 6:34 ` Akhil Goyal
2019-04-24 10:40 ` Iremonger, Bernard
2019-05-13 14:29 ` Ananyev, Konstantin
2019-05-27 8:58 ` Iremonger, Bernard
-- strict thread matches above, loose matches on Subject: below --
2019-04-22 6:25 Akhil Goyal
2019-04-04 13:28 [PATCH v3 0/2] examples/ipsec-secgw: fix 1st pkt dropped Bernard Iremonger
2019-04-17 13:42 ` [dpdk-dev] [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto Bernard Iremonger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=VI1PR04MB4893E33133A6B97BA2CE2067E6230@VI1PR04MB4893.eurprd04.prod.outlook.com \
--to=akhil.goyal@nxp.com \
--cc=bernard.iremonger@intel.com \
--cc=dev@dpdk.org \
--cc=konstantin.ananyev@intel.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.