From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 59ADFC282DD for ; Tue, 23 Apr 2019 13:21:49 +0000 (UTC) Received: from dpdk.org (dpdk.org [92.243.14.124]) by mail.kernel.org (Postfix) with ESMTP id E59EB20645 for ; Tue, 23 Apr 2019 13:21:48 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E59EB20645 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=dev-bounces@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id DC97D1B3EC; Tue, 23 Apr 2019 15:21:46 +0200 (CEST) Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by dpdk.org (Postfix) with ESMTP id 45B291DB9; Tue, 23 Apr 2019 15:21:45 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 23 Apr 2019 06:21:40 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,385,1549958400"; d="scan'208";a="133656583" Received: from irsmsx108.ger.corp.intel.com ([163.33.3.3]) by orsmga007.jf.intel.com with ESMTP; 23 Apr 2019 06:21:38 -0700 Received: from irsmsx105.ger.corp.intel.com ([169.254.7.31]) by IRSMSX108.ger.corp.intel.com ([169.254.11.82]) with mapi id 14.03.0415.000; Tue, 23 Apr 2019 14:21:37 +0100 From: "Ananyev, Konstantin" To: Akhil Goyal , "Iremonger, Bernard" , "dev@dpdk.org" CC: "stable@dpdk.org" Thread-Topic: [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto Thread-Index: AdT17cOXAWgCos0Egk2F6sufGT2n9wDz6F0AAATiOqA= Date: Tue, 23 Apr 2019 13:21:37 +0000 Message-ID: <2601191342CEEE43887BDE71AB9772580148A9B0D4@irsmsx105.ger.corp.intel.com> References: In-Reply-To: Accept-Language: en-IE, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiZDUzMDk0ZjEtM2JiNy00YWJjLWI2ZTktZjI0Zjg4NDYyMzA2IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoid0xpNDNhTDhCOTJFXC9xWDJHRmt3WXRwZDd3NERNaUZtREkwV20zQ2NKZllPcHJCRWJ2SnRUaTZkaU9uRVFcL0w0In0= x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.0.600.7 dlp-reaction: no-action x-originating-ip: [163.33.239.180] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [dpdk-dev] [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Hi Akhil, >=20 > > -----Original Message----- > > From: Akhil Goyal > > Sent: Thursday, April 18, 2019 7:21 PM > > To: Bernard Iremonger ; dev@dpdk.org; > > konstantin.ananyev@intel.com > > Cc: stable@dpdk.org > > Subject: RE: [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet droppe= d for > > inline crypto > > > > Hi Bernard, > > > > > - RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on cry= ptodev " > > > - "%u qp %u\n", sa->spi, > > > - ipsec_ctx->tbl[cdev_id_qp].id, > > > - ipsec_ctx->tbl[cdev_id_qp].qp); > > > + if ((sa =3D=3D NULL) || (pool =3D=3D NULL)) > > > + return -EINVAL; > > > > > > - if (sa->type !=3D RTE_SECURITY_ACTION_TYPE_NONE) { > > > - struct rte_security_session_conf sess_conf =3D { > > > + struct rte_security_session_conf sess_conf =3D { > > > .action_type =3D sa->type, > > > .protocol =3D RTE_SECURITY_PROTOCOL_IPSEC, > > > {.ipsec =3D { > > > @@ -90,247 +65,340 @@ create_session(struct ipsec_ctx *ipsec_ctx, str= uct > > > ipsec_sa *sa) > > > } }, > > > .crypto_xform =3D sa->xforms, > > > .userdata =3D NULL, > > > - > > > }; > > > > > > - if (sa->type =3D=3D > > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) > > > { > > > - struct rte_security_ctx *ctx =3D (struct rte_= security_ctx *) > > > - rte_cryptodev= _get_sec_ctx( > > > - ipsec_ctx->tb= l[cdev_id_qp].id); > > > - > > > - /* Set IPsec parameters in conf */ > > > - set_ipsec_conf(sa, &(sess_conf.ipsec)); > > > - > > > - sa->sec_session =3D rte_security_session_crea= te(ctx, > > > - &sess_conf, ipsec_ctx->sessio= n_pool); > > > - if (sa->sec_session =3D=3D NULL) { > > > - RTE_LOG(ERR, IPSEC, > > > - "SEC Session init failed: err: %d\n",= ret); > > > - return -1; > > > - } > > > - } else if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_I= NLINE_CRYPTO) > > { > > > - struct rte_flow_error err; > > > - struct rte_security_ctx *ctx =3D (struct rte_= security_ctx *) > > > - rte_eth_dev_g= et_sec_ctx( > > > - sa->portid); > > > - const struct rte_security_capability *sec_cap= ; > > > - int ret =3D 0; > > > - > > > - sa->sec_session =3D rte_security_session_crea= te(ctx, > > > - &sess_conf, ipsec_ctx->sessio= n_pool); > > > - if (sa->sec_session =3D=3D NULL) { > > > - RTE_LOG(ERR, IPSEC, > > > - "SEC Session init failed: err: %d\n",= ret); > > > - return -1; > > > - } > > > + if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOC= OL) { > > > + ctx =3D (struct rte_security_ctx *) > > > + rte_eth_dev_get_sec_ctx(sa->portid); > > > > This is breaking the lookaside mode. Ctx was retrieved using the ipsec_= ctx->tbl > > struct rte_security_ctx *ctx =3D (struct rte_security_ctx *) > > rte_cryptodev_get_sec_ctx( > > ipsec_ctx->tbl[cdev_id_qp].id); > > > > I am looking into it, but I don't have time left to get it integrated i= n RC2. So this > > has to be pushed to RC3 >=20 > It looks like there are multiple issues in this patch wrt lookaside and n= one cases. Only the inline cases seem to be working. >=20 > 1. the patch removes the cdev_mapping concept completely. Cdev_id_qp is n= ot getting used. Not exactly. cdev_id_qp is still setup, and is still used to decide to which crypto-dev = to enqueuer the crypto-op: ipsec_enqueue(...) { ... enqueue_cop(&ipsec_ctx->tbl[sa->cdev_id_qp], &priv->cop); Same in ipsec_process(). For initialization, yes cdev_id_qp is not used anymore. As discussed here: https://mails.dpdk.org/archives/dev/2019-March/127725.html I think the problem you are hitting with lookaside-proto is that for it we use 2 different values here:=20 a) In create_sec_session we use portid (it also should be rte_cryptodev_get= _sec_ctx() here) if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { ctx =3D (struct rte_security_ctx *) rte_eth_dev_get_sec_ctx(sa->portid); b) in enqueue() we use cdev_id_qp Right now these values could be different. As I understand we need to make sure that fro lookaside-proto cdev_id_qp = =3D=3D portid provided by user, correct? > The port_id cannot be used in case of crypto, the mapping of cdev/qp/= core is done differently for inbound and outbound ports which is > missed in this patch. >=20 > 2. crypto sessions are created using the session mempool and the private = data is allocated using the session priv_mempool which is > removed in this patch. This will break cases where the priv data is more = than the size of sess_mp element size. > Also the security sessions need to be allocated using the session_pri= v_mp instead of the session_mp. > Please check this one. > http://patches.dpdk.org/patch/52981/ Yes, I think you right, we need to use sess_private_pool here. >=20 > Ideally this issue should be resolved by adding another parameter in rte_= security_session_create which can take another mempool pointer > for private data allocation. But this cannot be done in this release as i= t would need a deprecation notice. >=20 > With the above issues I don't see your patch going in 19.05 release cycle= . >=20 > Regards, > Akhil >=20 > > > > > > > > > > > > - sec_cap =3D rte_security_capabilities_get(ctx= ); > > > + /* Set IPsec parameters in conf */ > > > + set_ipsec_conf(sa, &(sess_conf.ipsec)); > > > > > > - /* iterate until ESP tunnel*/ > > > - while (sec_cap->action !=3D > > > - RTE_SECURITY_ACTION_TYPE_NONE= ) { > > > + sa->sec_session =3D rte_security_session_create(ctx, > > > + &sess_conf, pool); > > > + if (sa->sec_session =3D=3D NULL) { > > > + RTE_LOG(ERR, IPSEC, > > > + "SEC Session init failed: err: %d\n", > > > + ret); > > > + return -1; > > > + }