[dpdk-dev] [PATCH v4 06/12] ethdev: support security APIs

Ananyev, Konstantin konstantin.ananyev at intel.com
Mon Oct 23 11:56:54 CEST 2017


Hi Akhil,

> 
> Hi Konstantin,
> 
> On 10/19/2017 2:53 PM, Ananyev, Konstantin wrote:
> > Hi guys,
> >
> >> -----Original Message-----
> >> From: Akhil Goyal [mailto:akhil.goyal at nxp.com]
> >> Sent: Saturday, October 14, 2017 11:17 PM
> >> To: dev at dpdk.org
> >> Cc: Doherty, Declan <declan.doherty at intel.com>; De Lara Guarch, Pablo <pablo.de.lara.guarch at intel.com>;
> hemant.agrawal at nxp.com;
> >> Nicolau, Radu <radu.nicolau at intel.com>; borisp at mellanox.com; aviadye at mellanox.com; thomas at monjalon.net;
> >> sandeep.malik at nxp.com; jerin.jacob at caviumnetworks.com; Mcnamara, John <john.mcnamara at intel.com>; Ananyev, Konstantin
> >> <konstantin.ananyev at intel.com>; shahafs at mellanox.com; olivier.matz at 6wind.com
> >> Subject: [PATCH v4 06/12] ethdev: support security APIs
> >>
> >> From: Declan Doherty <declan.doherty at intel.com>
> >>
> >> rte_flow_action type and ethdev updated to support rte_security
> >> sessions for crypto offload to ethernet device.
> >>
> >> Signed-off-by: Boris Pismenny <borisp at mellanox.com>
> >> Signed-off-by: Aviad Yehezkel <aviadye at mellanox.com>
> >> Signed-off-by: Radu Nicolau <radu.nicolau at intel.com>
> >> Signed-off-by: Declan Doherty <declan.doherty at intel.com>
> >> ---
> >>   lib/librte_ether/rte_ethdev.c           | 11 +++++++++++
> >>   lib/librte_ether/rte_ethdev.h           | 18 ++++++++++++++++--
> >>   lib/librte_ether/rte_ethdev_version.map |  1 +
> >>   3 files changed, 28 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/lib/librte_ether/rte_ethdev.c b/lib/librte_ether/rte_ethdev.c
> >> index 0b1e928..9520f1e 100644
> >> --- a/lib/librte_ether/rte_ethdev.c
> >> +++ b/lib/librte_ether/rte_ethdev.c
> >> @@ -301,6 +301,17 @@ rte_eth_dev_socket_id(uint16_t port_id)
> >>   	return rte_eth_devices[port_id].data->numa_node;
> >>   }
> >>
> >> +void *
> >> +rte_eth_dev_get_sec_ctx(uint8_t port_id)
> >> +{
> >> +	RTE_ETH_VALID_PORTID_OR_ERR_RET(port_id, NULL);
> >> +
> >> +	if (rte_eth_devices[port_id].data->dev_flags & RTE_ETH_DEV_SECURITY)
> >
> >
> > As you don't currently support MP, it is probably worth to add somewhere
> > (here or at PMD layer) check for process type.
> > Something like:
> > if (rte_eal_process_type() != RTE_PROC_PRIMARY)
> >         return NULL;
> > or so.
> > Konstantin
> >
> >
> The MP issue is resolved as per my understanding in the v4.

As I can see from v4 - MP is still not supported:

1. security_ctx is placed into rte_eth_dev_data (which is shared between multiple processes)
while it still contains a pointer to particular ops functions.
To support MP you'll probably need to split security_ctx into 2 parts: 
private to process (ops) and shared between processes (actual data),
or comeup with some other (smarter) way.  
2. At least ixgbe_dev_init() right now always blindly allocates new 
    security_ctx and overwrites  eth_dev->data->security_ctx with this new value.

I do remember that for you didn't plan to support MP for 17.11 anyway.
So I suggest for now just to make sure that secondary process wouldn't touch
that shared security_ctx in any way.
The easiest thing would probably be to move it from shared to private part of ethdev:
i.e. move void *security_ctx; from struct rte_eth_dev_data to struct rte_eth_dev
(you'll probably have to do it anyway later, because of #1)
and make sure it is initialized only for primary process.
Konstantin

> SO I believe this check is not required anymore. Do you see any issue in MP.
> 
> -Akhil


More information about the dev mailing list