patch 'net/nfp: fix IPsec data endianness' has been queued to stable release 23.11.1

Xueming Li xuemingl at nvidia.com
Sat Apr 13 14:49:22 CEST 2024


Hi,

FYI, your patch has been queued to stable release 23.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 04/15/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://git.dpdk.org/dpdk-stable/log/?h=23.11-staging

This queued commit can be viewed at:
https://git.dpdk.org/dpdk-stable/commit/?h=23.11-staging&id=5f75adca7e2ed0a0b264d6abda40ea81595d1c04

Thanks.

Xueming Li <xuemingl at nvidia.com>

---
>From 5f75adca7e2ed0a0b264d6abda40ea81595d1c04 Mon Sep 17 00:00:00 2001
From: Shihong Wang <shihong.wang at corigine.com>
Date: Mon, 11 Mar 2024 10:49:39 +0800
Subject: [PATCH] net/nfp: fix IPsec data endianness
Cc: Xueming Li <xuemingl at nvidia.com>

[ upstream commit 7e13f2dc603e406eaa099a0b45c099a9d9004dd0 ]

The security framework stores the algorithm key in a u8 array in
big-endian order, while the driver's algorithm key is a CPU-endian
u32, so the endianness may need to be converted to ensure that the
value assigned to the driver is CPU-endian.

This patch removes the operation of converting IPsec Tx metadata
to big-endian to ensure that IPsec Tx metadata is CPU-endian.

Fixes: 547137405be7 ("net/nfp: initialize IPsec related content")
Fixes: 3d21da66c06b ("net/nfp: create security session")
Fixes: 310a1780581e ("net/nfp: support IPsec Rx and Tx offload")

Signed-off-by: Shihong Wang <shihong.wang at corigine.com>
Reviewed-by: Chaoyong He <chaoyong.he at corigine.com>
---
 drivers/net/nfp/nfp_ipsec.c | 72 +++++++++++++++++++++++--------------
 drivers/net/nfp/nfp_ipsec.h |  9 ++---
 2 files changed, 47 insertions(+), 34 deletions(-)

diff --git a/drivers/net/nfp/nfp_ipsec.c b/drivers/net/nfp/nfp_ipsec.c
index 7ce9cca0b2..aebdbb2f48 100644
--- a/drivers/net/nfp/nfp_ipsec.c
+++ b/drivers/net/nfp/nfp_ipsec.c
@@ -18,6 +18,7 @@
 #include "nfp_rxtx.h"
 
 #define NFP_UDP_ESP_PORT            4500
+#define NFP_ESP_IV_LENGTH           8
 
 static const struct rte_cryptodev_capabilities nfp_crypto_caps[] = {
 	{
@@ -521,7 +522,8 @@ nfp_aesgcm_iv_update(struct ipsec_add_sa *cfg,
 	char *save;
 	char *iv_b;
 	char *iv_str;
-	uint8_t *cfg_iv;
+	const rte_be32_t *iv_value;
+	uint8_t cfg_iv[NFP_ESP_IV_LENGTH];
 
 	iv_str = strdup(iv_string);
 	if (iv_str == NULL) {
@@ -529,8 +531,6 @@ nfp_aesgcm_iv_update(struct ipsec_add_sa *cfg,
 		return;
 	}
 
-	cfg_iv = (uint8_t *)cfg->aesgcm_fields.iv;
-
 	for (i = 0; i < iv_len; i++) {
 		iv_b = strtok_r(i ? NULL : iv_str, ",", &save);
 		if (iv_b == NULL)
@@ -539,8 +539,9 @@ nfp_aesgcm_iv_update(struct ipsec_add_sa *cfg,
 		cfg_iv[i] = strtoul(iv_b, NULL, 0);
 	}
 
-	*(uint32_t *)cfg_iv = rte_be_to_cpu_32(*(uint32_t *)cfg_iv);
-	*(uint32_t *)&cfg_iv[4] = rte_be_to_cpu_32(*(uint32_t *)&cfg_iv[4]);
+	iv_value = (const rte_be32_t *)(cfg_iv);
+	cfg->aesgcm_fields.iv[0] = rte_be_to_cpu_32(iv_value[0]);
+	cfg->aesgcm_fields.iv[1] = rte_be_to_cpu_32(iv_value[1]);
 
 	free(iv_str);
 }
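Review bot: `cfg_iv` is now an uninitialised stack array, yet both 32-bit words are read from it after the loop no matter how many bytes the loop filled. When `iv_len` is below `NFP_ESP_IV_LENGTH`, or the loop stops early on a missing token (the statement under `if (iv_b == NULL)` lies outside the hunks), indeterminate stack bytes end up in `cfg->aesgcm_fields.iv`. The old code wrote in place, so unfilled bytes kept whatever `cfg` already held. Declaring `uint8_t cfg_iv[NFP_ESP_IV_LENGTH] = {0};` in the earlier declaration hunk fixes that, and loading each word with `memcpy(&word, &cfg_iv[0], sizeof(word));` before `rte_be_to_cpu_32(word)` avoids reading a `uint8_t` array through an `rte_be32_t *`. The function starts outside this hunk, and the upper bound on `iv_len` is enforced only in the caller, nfp_aead_map.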
@@ -581,7 +582,7 @@ nfp_aead_map(struct rte_eth_dev *eth_dev,
 	uint32_t offset;
 	uint32_t device_id;
 	const char *iv_str;
-	const uint32_t *key;
+	const rte_be32_t *key;
 	struct nfp_net_hw *net_hw;
 
 	net_hw = eth_dev->data->dev_private;
@@ -631,7 +632,7 @@ nfp_aead_map(struct rte_eth_dev *eth_dev,
 		return -EINVAL;
 	}
 
-	key = (const uint32_t *)(aead->key.data);
+	key = (const rte_be32_t *)(aead->key.data);
 
 	/*
 	 * The CHACHA20's key order needs to be adjusted based on hardware design.
@@ -643,16 +644,22 @@ nfp_aead_map(struct rte_eth_dev *eth_dev,
 
 	for (i = 0; i < key_length / sizeof(cfg->cipher_key[0]); i++) {
 		index = (i + offset) % (key_length / sizeof(cfg->cipher_key[0]));
-		cfg->cipher_key[index] = rte_cpu_to_be_32(*key++);
+		cfg->cipher_key[index] = rte_be_to_cpu_32(key[i]);
 	}
 
 	/*
-	 * The iv of the FW is equal to ESN by default. Reading the
-	 * iv of the configuration information is not supported.
+	 * The iv of the FW is equal to ESN by default. Only the
+	 * aead algorithm can offload the iv of configuration and
+	 * the length of iv cannot be greater than NFP_ESP_IV_LENGTH.
 	 */
 	iv_str = getenv("ETH_SEC_IV_OVR");
 	if (iv_str != NULL) {
 		iv_len = aead->iv.length;
+		if (iv_len > NFP_ESP_IV_LENGTH) {
+			PMD_DRV_LOG(ERR, "Unsupported length of iv data");
+			return -EINVAL;
+		}
+
 		nfp_aesgcm_iv_update(cfg, iv_len, iv_str);
 	}
 
@@ -669,7 +676,7 @@ nfp_cipher_map(struct rte_eth_dev *eth_dev,
 	int ret;
 	uint32_t i;
 	uint32_t device_id;
-	const uint32_t *key;
+	const rte_be32_t *key;
 	struct nfp_net_hw *net_hw;
 
 	net_hw = eth_dev->data->dev_private;
@@ -703,14 +710,14 @@ nfp_cipher_map(struct rte_eth_dev *eth_dev,
 		return -EINVAL;
 	}
 
-	key = (const uint32_t  *)(cipher->key.data);
+	key = (const rte_be32_t *)(cipher->key.data);
 	if (key_length > sizeof(cfg->cipher_key)) {
 		PMD_DRV_LOG(ERR, "Insufficient space for offloaded key");
 		return -EINVAL;
 	}
 
 	for (i = 0; i < key_length / sizeof(cfg->cipher_key[0]); i++)
-		cfg->cipher_key[i] = rte_cpu_to_be_32(*key++);
+		cfg->cipher_key[i] = rte_be_to_cpu_32(key[i]);
 
 	return 0;
 }
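Review bot: `key[i]` reads `cipher->key.data` through an `rte_be32_t *`, which assumes the application's key buffer is 4-byte aligned; nothing visible here guarantees that, and a misaligned 32-bit load is undefined behaviour. Copying each word out first keeps the conversion and drops the assumption: `memcpy(&word, cipher->key.data + i * sizeof(word), sizeof(word));` followed by `cfg->cipher_key[i] = rte_be_to_cpu_32(word);`. The loops in nfp_aead_map and nfp_auth_map use the same cast. The division by `sizeof(cfg->cipher_key[0])` also drops trailing key bytes when `key_length` is not a multiple of four, so a comment stating that the earlier length checks rule that out would help.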
@@ -805,7 +812,7 @@ nfp_auth_map(struct rte_eth_dev *eth_dev,
 	uint32_t i;
 	uint8_t key_length;
 	uint32_t device_id;
-	const uint32_t *key;
+	const rte_be32_t *key;
 	struct nfp_net_hw *net_hw;
 
 	if (digest_length == 0) {
@@ -852,7 +859,7 @@ nfp_auth_map(struct rte_eth_dev *eth_dev,
 		return -EINVAL;
 	}
 
-	key = (const uint32_t *)(auth->key.data);
+	key = (const rte_be32_t *)(auth->key.data);
 	key_length = auth->key.length;
 	if (key_length > sizeof(cfg->auth_key)) {
 		PMD_DRV_LOG(ERR, "Insufficient space for offloaded auth key!");
@@ -860,7 +867,7 @@ nfp_auth_map(struct rte_eth_dev *eth_dev,
 	}
 
 	for (i = 0; i < key_length / sizeof(cfg->auth_key[0]); i++)
-		cfg->auth_key[i] = rte_cpu_to_be_32(*key++);
+		cfg->auth_key[i] = rte_be_to_cpu_32(key[i]);
 
 	return 0;
 }
@@ -900,7 +907,7 @@ nfp_crypto_msg_build(struct rte_eth_dev *eth_dev,
 			return ret;
 		}
 
-		cfg->aesgcm_fields.salt = rte_cpu_to_be_32(conf->ipsec.salt);
+		cfg->aesgcm_fields.salt = conf->ipsec.salt;
 		break;
 	case RTE_CRYPTO_SYM_XFORM_AUTH:
 		/* Only support Auth + Cipher for inbound */
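Review bot: The salt is now stored without any byte-order conversion, while the key words of the same message go through `rte_be_to_cpu_32`, and no comment says which byte order `conf->ipsec.salt` carries. If applications fill the salt from the trailing key bytes, it would presumably need the same conversion as the key; if it is already a host-order integer, a one-line comment such as `/* ipsec.salt is a host-order value, no swap needed */` would record that. The enclosing switch starts and ends outside the hunk.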
@@ -965,7 +972,10 @@ nfp_ipsec_msg_build(struct rte_eth_dev *eth_dev,
 		struct rte_security_session_conf *conf,
 		struct nfp_ipsec_msg *msg)
 {
+	int i;
 	int ret;
+	rte_be32_t *src_ip;
+	rte_be32_t *dst_ip;
 	struct ipsec_add_sa *cfg;
 	enum rte_security_ipsec_tunnel_type type;
 
@@ -1023,12 +1033,18 @@ nfp_ipsec_msg_build(struct rte_eth_dev *eth_dev,
 		type = conf->ipsec.tunnel.type;
 		cfg->ctrl_word.mode = NFP_IPSEC_MODE_TUNNEL;
 		if (type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
-			cfg->src_ip.v4 = conf->ipsec.tunnel.ipv4.src_ip;
-			cfg->dst_ip.v4 = conf->ipsec.tunnel.ipv4.dst_ip;
+			src_ip = (rte_be32_t *)&conf->ipsec.tunnel.ipv4.src_ip.s_addr;
+			dst_ip = (rte_be32_t *)&conf->ipsec.tunnel.ipv4.dst_ip.s_addr;
+			cfg->src_ip[0] = rte_be_to_cpu_32(src_ip[0]);
+			cfg->dst_ip[0] = rte_be_to_cpu_32(dst_ip[0]);
 			cfg->ipv6 = 0;
 		} else if (type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
-			cfg->src_ip.v6 = conf->ipsec.tunnel.ipv6.src_addr;
-			cfg->dst_ip.v6 = conf->ipsec.tunnel.ipv6.dst_addr;
+			src_ip = (rte_be32_t *)conf->ipsec.tunnel.ipv6.src_addr.s6_addr;
+			dst_ip = (rte_be32_t *)conf->ipsec.tunnel.ipv6.dst_addr.s6_addr;
+			for (i = 0; i < 4; i++) {
+				cfg->src_ip[i] = rte_be_to_cpu_32(src_ip[i]);
+				cfg->dst_ip[i] = rte_be_to_cpu_32(dst_ip[i]);
+			}
 			cfg->ipv6 = 1;
 		} else {
 			PMD_DRV_LOG(ERR, "Unsupported address family!");
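Review bot: In the IPv4 branch only `cfg->src_ip[0]` and `cfg->dst_ip[0]` are written, so words 1 to 3 keep whatever `cfg` held before; whether `cfg` is zeroed earlier in nfp_ipsec_msg_build is not visible in this hunk. Clearing both arrays first, as the transport branch does with `memset(&cfg->src_ip, 0, sizeof(cfg->src_ip));`, would keep stale bytes out of the SA message sent to the firmware. The IPv6 loop bound would read better as `RTE_DIM(cfg->src_ip)` than the literal `4`, and `src_ip`/`dst_ip` can be `const rte_be32_t *` since they are only read.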
@@ -1041,9 +1057,11 @@ nfp_ipsec_msg_build(struct rte_eth_dev *eth_dev,
 		cfg->ctrl_word.mode = NFP_IPSEC_MODE_TRANSPORT;
 		if (type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
 			memset(&cfg->src_ip, 0, sizeof(cfg->src_ip));
+			memset(&cfg->dst_ip, 0, sizeof(cfg->dst_ip));
 			cfg->ipv6 = 0;
 		} else if (type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
 			memset(&cfg->src_ip, 0, sizeof(cfg->src_ip));
+			memset(&cfg->dst_ip, 0, sizeof(cfg->dst_ip));
 			cfg->ipv6 = 1;
 		} else {
 			PMD_DRV_LOG(ERR, "Unsupported address family!");
@@ -1177,18 +1195,18 @@ nfp_security_set_pkt_metadata(void *device,
 		desc_md = RTE_MBUF_DYNFIELD(m, offset, struct nfp_tx_ipsec_desc_msg *);
 
 		if (priv_session->msg.ctrl_word.ext_seq != 0 && sqn != NULL) {
-			desc_md->esn.low = rte_cpu_to_be_32(*sqn);
-			desc_md->esn.hi = rte_cpu_to_be_32(*sqn >> 32);
+			desc_md->esn.low = (uint32_t)*sqn;
+			desc_md->esn.hi = (uint32_t)(*sqn >> 32);
 		} else if (priv_session->msg.ctrl_word.ext_seq != 0) {
-			desc_md->esn.low = rte_cpu_to_be_32(priv_session->ipsec.esn.low);
-			desc_md->esn.hi = rte_cpu_to_be_32(priv_session->ipsec.esn.hi);
+			desc_md->esn.low = priv_session->ipsec.esn.low;
+			desc_md->esn.hi = priv_session->ipsec.esn.hi;
 		} else {
-			desc_md->esn.low = rte_cpu_to_be_32(priv_session->ipsec.esn.value);
+			desc_md->esn.low = priv_session->ipsec.esn.low;
 			desc_md->esn.hi = 0;
 		}
 
 		desc_md->enc = 1;
-		desc_md->sa_idx = rte_cpu_to_be_32(priv_session->sa_index);
+		desc_md->sa_idx = priv_session->sa_index;
 	}
 
 	return 0;
diff --git a/drivers/net/nfp/nfp_ipsec.h b/drivers/net/nfp/nfp_ipsec.h
index d7a729398a..f7c4f3f225 100644
--- a/drivers/net/nfp/nfp_ipsec.h
+++ b/drivers/net/nfp/nfp_ipsec.h
@@ -36,11 +36,6 @@ struct sa_ctrl_word {
 	uint32_t spare2 :1;      /**< Must be set to 0 */
 };
 
-union nfp_ip_addr {
-	struct in6_addr v6;
-	struct in_addr v4;
-};
-
 struct ipsec_add_sa {
 	uint32_t cipher_key[8];           /**< Cipher Key */
 	union {
@@ -60,8 +55,8 @@ struct ipsec_add_sa {
 	uint8_t spare1;
 	uint32_t soft_byte_cnt;           /**< Soft lifetime byte count */
 	uint32_t hard_byte_cnt;           /**< Hard lifetime byte count */
-	union nfp_ip_addr src_ip;         /**< Src IP addr */
-	union nfp_ip_addr dst_ip;         /**< Dst IP addr */
+	uint32_t src_ip[4];               /**< Src IP addr */
+	uint32_t dst_ip[4];               /**< Dst IP addr */
 	uint16_t natt_dst_port;           /**< NAT-T UDP Header dst port */
 	uint16_t natt_src_port;           /**< NAT-T UDP Header src port */
 	uint32_t soft_lifetime_limit;     /**< Soft lifetime time limit */
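Review bot: The field comments still read only `Src IP addr` and `Dst IP addr`, although the arrays now hold words that nfp_ipsec.c converts with `rte_be_to_cpu_32`, and an IPv4 address occupies element 0 alone. I would extend them, e.g. `/**< Src IP addr, CPU-endian words; IPv4 uses [0] */`, and the same for `dst_ip`. The struct continues outside the hunk.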
-- 
2.34.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2024-04-13 20:43:07.508682352 +0800
+++ 0082-net-nfp-fix-IPsec-data-endianness.patch	2024-04-13 20:43:05.037753879 +0800
@@ -1 +1 @@
-From 7e13f2dc603e406eaa099a0b45c099a9d9004dd0 Mon Sep 17 00:00:00 2001
+From 5f75adca7e2ed0a0b264d6abda40ea81595d1c04 Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Xueming Li <xuemingl at nvidia.com>
+
+[ upstream commit 7e13f2dc603e406eaa099a0b45c099a9d9004dd0 ]
@@ -17 +19,0 @@
-Cc: stable at dpdk.org
@@ -27 +29 @@
-index 0bf146b9be..205d1d594c 100644
+index 7ce9cca0b2..aebdbb2f48 100644
@@ -30,2 +32,2 @@
-@@ -21,6 +21,7 @@
- #include "nfp_net_meta.h"
+@@ -18,6 +18,7 @@
+ #include "nfp_rxtx.h"
@@ -38 +40 @@
-@@ -524,7 +525,8 @@ nfp_aesgcm_iv_update(struct ipsec_add_sa *cfg,
+@@ -521,7 +522,8 @@ nfp_aesgcm_iv_update(struct ipsec_add_sa *cfg,
@@ -48 +50 @@
-@@ -532,8 +534,6 @@ nfp_aesgcm_iv_update(struct ipsec_add_sa *cfg,
+@@ -529,8 +531,6 @@ nfp_aesgcm_iv_update(struct ipsec_add_sa *cfg,
@@ -57 +59 @@
-@@ -542,8 +542,9 @@ nfp_aesgcm_iv_update(struct ipsec_add_sa *cfg,
+@@ -539,8 +539,9 @@ nfp_aesgcm_iv_update(struct ipsec_add_sa *cfg,
@@ -69 +71 @@
-@@ -584,7 +585,7 @@ nfp_aead_map(struct rte_eth_dev *eth_dev,
+@@ -581,7 +582,7 @@ nfp_aead_map(struct rte_eth_dev *eth_dev,
@@ -78 +80 @@
-@@ -634,7 +635,7 @@ nfp_aead_map(struct rte_eth_dev *eth_dev,
+@@ -631,7 +632,7 @@ nfp_aead_map(struct rte_eth_dev *eth_dev,
@@ -87 +89 @@
-@@ -646,16 +647,22 @@ nfp_aead_map(struct rte_eth_dev *eth_dev,
+@@ -643,16 +644,22 @@ nfp_aead_map(struct rte_eth_dev *eth_dev,
@@ -113 +115 @@
-@@ -672,7 +679,7 @@ nfp_cipher_map(struct rte_eth_dev *eth_dev,
+@@ -669,7 +676,7 @@ nfp_cipher_map(struct rte_eth_dev *eth_dev,
@@ -122 +124 @@
-@@ -706,14 +713,14 @@ nfp_cipher_map(struct rte_eth_dev *eth_dev,
+@@ -703,14 +710,14 @@ nfp_cipher_map(struct rte_eth_dev *eth_dev,
@@ -139 +141 @@
-@@ -808,7 +815,7 @@ nfp_auth_map(struct rte_eth_dev *eth_dev,
+@@ -805,7 +812,7 @@ nfp_auth_map(struct rte_eth_dev *eth_dev,
@@ -148 +150 @@
-@@ -855,7 +862,7 @@ nfp_auth_map(struct rte_eth_dev *eth_dev,
+@@ -852,7 +859,7 @@ nfp_auth_map(struct rte_eth_dev *eth_dev,
@@ -157 +159 @@
-@@ -863,7 +870,7 @@ nfp_auth_map(struct rte_eth_dev *eth_dev,
+@@ -860,7 +867,7 @@ nfp_auth_map(struct rte_eth_dev *eth_dev,
@@ -166 +168 @@
-@@ -903,7 +910,7 @@ nfp_crypto_msg_build(struct rte_eth_dev *eth_dev,
+@@ -900,7 +907,7 @@ nfp_crypto_msg_build(struct rte_eth_dev *eth_dev,
@@ -175 +177 @@
-@@ -968,7 +975,10 @@ nfp_ipsec_msg_build(struct rte_eth_dev *eth_dev,
+@@ -965,7 +972,10 @@ nfp_ipsec_msg_build(struct rte_eth_dev *eth_dev,
@@ -186 +188 @@
-@@ -1026,12 +1036,18 @@ nfp_ipsec_msg_build(struct rte_eth_dev *eth_dev,
+@@ -1023,12 +1033,18 @@ nfp_ipsec_msg_build(struct rte_eth_dev *eth_dev,
@@ -209 +211 @@
-@@ -1044,9 +1060,11 @@ nfp_ipsec_msg_build(struct rte_eth_dev *eth_dev,
+@@ -1041,9 +1057,11 @@ nfp_ipsec_msg_build(struct rte_eth_dev *eth_dev,
@@ -221 +223 @@
-@@ -1180,18 +1198,18 @@ nfp_security_set_pkt_metadata(void *device,
+@@ -1177,18 +1195,18 @@ nfp_security_set_pkt_metadata(void *device,
@@ -247 +249 @@
-index 4ef0e196be..8fdb7fd534 100644
+index d7a729398a..f7c4f3f225 100644

