From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3C970C10F11 for ; Wed, 24 Apr 2019 10:40:34 +0000 (UTC) Received: from dpdk.org (dpdk.org [92.243.14.124]) by mail.kernel.org (Postfix) with ESMTP id A7D5C2084F for ; Wed, 24 Apr 2019 10:40:33 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org A7D5C2084F Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=dev-bounces@dpdk.org Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 0AB251B509; Wed, 24 Apr 2019 12:40:33 +0200 (CEST) Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by dpdk.org (Postfix) with ESMTP id 6E3F81B427; Wed, 24 Apr 2019 12:40:31 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Apr 2019 03:40:30 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,389,1549958400"; d="scan'208";a="151932133" Received: from irsmsx153.ger.corp.intel.com ([163.33.192.75]) by FMSMGA003.fm.intel.com with ESMTP; 24 Apr 2019 03:40:29 -0700 Received: from irsmsx155.ger.corp.intel.com (163.33.192.3) by IRSMSX153.ger.corp.intel.com (163.33.192.75) with Microsoft SMTP Server (TLS) id 14.3.408.0; Wed, 24 Apr 2019 11:40:28 +0100 Received: from irsmsx108.ger.corp.intel.com ([169.254.11.82]) by irsmsx155.ger.corp.intel.com ([169.254.14.186]) with mapi id 14.03.0415.000; Wed, 24 Apr 2019 11:40:28 +0100 From: "Iremonger, Bernard" To: Akhil Goyal , "Ananyev, Konstantin" , "dev@dpdk.org" CC: "stable@dpdk.org" Thread-Topic: [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto Thread-Index: AdT17cOXTZn2OC8PMkWGDcNcFHiBSwDz6F0AAARs74AAAF3hgAABIYcAACKO0gAACoECoA== Date: Wed, 24 Apr 2019 10:40:27 +0000 Message-ID: <8CEF83825BEC744B83065625E567D7C260D8CB2D@IRSMSX108.ger.corp.intel.com> References: <2601191342CEEE43887BDE71AB9772580148A9B0D4@irsmsx105.ger.corp.intel.com> <2601191342CEEE43887BDE71AB9772580148A9B10E@irsmsx105.ger.corp.intel.com> In-Reply-To: Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNzNiZWIyNWYtNjNkNi00MzE2LWJkNDMtNGUxMjRhN2FjZTJiIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoidkVBejhQRFZ5SjdMaDhRQWViQTNlV0dJN2dGTW9BTjhhQXpzSUdBWkt4UHVQUkg0YmtwV2lqTzJ2WHpNMkE3ZiJ9 x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.0.600.7 dlp-reaction: no-action x-originating-ip: [163.33.239.180] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [dpdk-dev] [PATCH v4 1/2] examples/ipsec-secgw: fix 1st packet dropped for inline crypto X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Hi Akhil > > > > > > Subject: RE: [PATCH v4 1/2] examples/ipsec-secgw: fix 1st > > > > > > packet > > dropped > > > > for > > > > > > inline crypto > > > > > > > > > > > > Hi Bernard, > > > > > > > > > > > > > - RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %= u on > > > > cryptodev " > > > > > > > - "%u qp %u\n", sa->spi, > > > > > > > - ipsec_ctx->tbl[cdev_id_qp].id, > > > > > > > - ipsec_ctx->tbl[cdev_id_qp].qp); > > > > > > > + if ((sa =3D=3D NULL) || (pool =3D=3D NULL)) > > > > > > > + return -EINVAL; > > > > > > > > > > > > > > - if (sa->type !=3D RTE_SECURITY_ACTION_TYPE_NONE) { > > > > > > > - struct rte_security_session_conf sess_conf = =3D { > > > > > > > + struct rte_security_session_conf sess_conf =3D { > > > > > > > .action_type =3D sa->type, > > > > > > > .protocol =3D RTE_SECURITY_PROTOCOL_I= PSEC, > > > > > > > {.ipsec =3D { @@ -90,247 +65,340 @@ > > > > > > > create_session(struct ipsec_ctx *ipsec_ctx, > > > > struct > > > > > > > ipsec_sa *sa) > > > > > > > } }, > > > > > > > .crypto_xform =3D sa->xforms, > > > > > > > .userdata =3D NULL, > > > > > > > - > > > > > > > }; > > > > > > > > > > > > > > - if (sa->type =3D=3D > > > > > > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) > > > > > > > { > > > > > > > - struct rte_security_ctx *ctx =3D (str= uct rte_security_ctx *) > > > > > > > - rte_c= ryptodev_get_sec_ctx( > > > > > > > - ipsec= _ctx->tbl[cdev_id_qp].id); > > > > > > > - > > > > > > > - /* Set IPsec parameters in conf */ > > > > > > > - set_ipsec_conf(sa, &(sess_conf.ipsec)= ); > > > > > > > - > > > > > > > - sa->sec_session =3D rte_security_sess= ion_create(ctx, > > > > > > > - &sess_conf, ipsec_ctx= ->session_pool); > > > > > > > - if (sa->sec_session =3D=3D NULL) { > > > > > > > - RTE_LOG(ERR, IPSEC, > > > > > > > - "SEC Session init failed: err= : %d\n", ret); > > > > > > > - return -1; > > > > > > > - } > > > > > > > - } else if (sa->type =3D=3D > > > > RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) > > > > > > { > > > > > > > - struct rte_flow_error err; > > > > > > > - struct rte_security_ctx *ctx =3D (str= uct rte_security_ctx *) > > > > > > > - rte_e= th_dev_get_sec_ctx( > > > > > > > - sa->p= ortid); > > > > > > > - const struct rte_security_capability = *sec_cap; > > > > > > > - int ret =3D 0; > > > > > > > - > > > > > > > - sa->sec_session =3D rte_security_sess= ion_create(ctx, > > > > > > > - &sess_conf, ipsec_ctx= ->session_pool); > > > > > > > - if (sa->sec_session =3D=3D NULL) { > > > > > > > - RTE_LOG(ERR, IPSEC, > > > > > > > - "SEC Session init failed: err= : %d\n", ret); > > > > > > > - return -1; > > > > > > > - } > > > > > > > + if (sa->type =3D=3D > > > > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { > > > > > > > + ctx =3D (struct rte_security_ctx *) > > > > > > > + > > > > > > > + rte_eth_dev_get_sec_ctx(sa->portid); > > > > > > > > > > > > This is breaking the lookaside mode. Ctx was retrieved using > > > > > > the > > ipsec_ctx- > > > > >tbl > > > > > > struct rte_security_ctx *ctx =3D (struct rte_security_ctx *) > > > > > > rte_cryptodev_get_sec_ctx( > > > > > > ipsec_ctx->tbl[cdev_id_qp].id); > > > > > > > > > > > > I am looking into it, but I don't have time left to get it inte= grated in RC2. > > So > > > > this > > > > > > has to be pushed to RC3 > > > > > > > > > > It looks like there are multiple issues in this patch wrt > > > > > lookaside and none > > cases. > > > > Only the inline cases seem to be working. > > > > > > > > > > 1. the patch removes the cdev_mapping concept completely. > > > > > Cdev_id_qp is > > > > not getting used. > > > > > > > > Not exactly. > > > > cdev_id_qp is still setup, and is still used to decide to which > > > > crypto-dev to enqueuer the crypto-op: > > > > ipsec_enqueue(...) > > > > { > > > > ... > > > > enqueue_cop(&ipsec_ctx->tbl[sa->cdev_id_qp], &priv->cop); > > > > > > I don't see anybody filling "sa->cdev_id_qp". Please let me know if > > > I have > > missed it somewhere. > > > It is memset to 0 I guess. > > > > > > Yep, true we lost it somewhere during the rework. > > > > > > > > > > > > > > > > > Same in ipsec_process(). > > > > > > > > For initialization, yes cdev_id_qp is not used anymore. > > > > As discussed here: > > > > > > https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fmai= l > > s.dp > > > > dk.org%2Farchives%2Fdev%2F2019- > > > > > > > March%2F127725.html&data=3D02%7C01%7Cakhil.goyal%40nxp.com%7C04 > > > > > > > 194193cfc04c0b629008d6c7eea247%7C686ea1d3bc2b4c6fa92cd99c5c301635% > > > > > > > 7C0%7C0%7C636916225072561313&sdata=3Dga9IiqhYRWOz9QkRDIXNiigInk > > > > soVGgu1E5EetqvE%2FA%3D&reserved=3D0 > > > > > > > > I think the problem you are hitting with lookaside-proto is that > > > > for it we use 2 different values here: > > > > a) In create_sec_session we use portid (it also should be > > > > rte_cryptodev_get_sec_ctx() here) > > > > if (sa->type =3D=3D RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL= ) { > > > > ctx =3D (struct rte_security_ctx *) > > > > > > > > rte_eth_dev_get_sec_ctx(sa->portid); > > > It should be rte_cryptodev_get_sec_ctx in the first place. And it > > > needs a > > cdev_id as input based on the cdev mapping done while initializing > > > the cryptodev and neither the portid and nor cdev_id_qp. > > > > b) in enqueue() we use cdev_id_qp > > > > > > > > Right now these values could be different. > > > > As I understand we need to make sure that fro lookaside-proto > > > > cdev_id_qp > > =3D=3D > > > > portid provided by user, correct? > > > No it is not the case. Right now for lookaside there is no use of > > > portid in case > > of lookaside case. > > > As the cdev/qp/core mappings are managed internally and the user > > > cannot > > tweak it from cfg file. > > > > > > > > > Hmm, then at least that line is wrong here: > > https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fdoc= . > > dpdk > > > .org%2Fguides%2Fsample_app_ug%2Fipsec_secgw.html&data=3D02%7C01% > > > 7Cakhil.goyal%40nxp.com%7Cb1e931a9967943887a0c08d6c7f49d28%7C686ea > > > 1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C636916250754452306&sda > > > ta=3DtNjHCO0O2rfh8shhQXu93qrM0Hr0OZVXUVhMcsg53dw%3D&reserved=3D > > 0 > > > > sa out 5 cipher_algo aes-128-cbc cipher_key > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo sha1-hmac auth_key > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel src > > 172.16.1.5 dst 172.16.2.5 \ type lookaside-protocol-offload port_id 4 > > > > And probably: > > "Port/device ID of the ethernet/crypto accelerator for which the SA is > > configured." > > Need to be rephrased to remove crypto accelerator notice. > Yes. >=20 > > > > Another question - why you guys don't consider using portid for lookasi= de- > proto? > > As I can see add_mapping(function that fills cdev_id_qp) doesn't > > bother to check which rte_security protocols are supported (only > > crypto capabilities are checked). > > So not sure does current code will work ok with a mix of lookaside- > > none/lookaside-proto devices. > > Forcing user to specify crypto-dev id for lookaside-proto (via portid > > or so) will simplify things significantly. > I will think about it. Actually initially when portid was introduced, the= intent was > same but it did not work well. > Because there may be a case of a cryptodev with multiple queues, so there= will > be a mapping done internally in the application and matching it with the = user > provided portid will be difficult. >=20 > I believe that this could be done but would need some rework. >=20 > > > > Konstantin Could we consider going back to the V2 version of this patch set which fixe= d the issue with the inline code and left the lookaside code unchanged? We are not in a position test any changes to the lookaside code. Regards, Bernard.