[v2,01/10] security: introduce CPU Crypto action type and API
Checks
Commit Message
This patch introduce new RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO action type to
security library. The type represents performing crypto operation with CPU
cycles. The patch also includes a new API to process crypto operations in
bulk and the function pointers for PMDs.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
lib/librte_security/rte_security.c | 11 ++++++
lib/librte_security/rte_security.h | 53 +++++++++++++++++++++++++++-
lib/librte_security/rte_security_driver.h | 22 ++++++++++++
lib/librte_security/rte_security_version.map | 1 +
4 files changed, 86 insertions(+), 1 deletion(-)
Comments
Hi Fan,
>
> This patch introduce new RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO action type to
> security library. The type represents performing crypto operation with CPU
> cycles. The patch also includes a new API to process crypto operations in
> bulk and the function pointers for PMDs.
>
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> ---
> lib/librte_security/rte_security.c | 11 ++++++
> lib/librte_security/rte_security.h | 53 +++++++++++++++++++++++++++-
> lib/librte_security/rte_security_driver.h | 22 ++++++++++++
> lib/librte_security/rte_security_version.map | 1 +
> 4 files changed, 86 insertions(+), 1 deletion(-)
>
> diff --git a/lib/librte_security/rte_security.c b/lib/librte_security/rte_security.c
> index bc81ce15d..cdd1ee6af 100644
> --- a/lib/librte_security/rte_security.c
> +++ b/lib/librte_security/rte_security.c
> @@ -141,3 +141,14 @@ rte_security_capability_get(struct rte_security_ctx *instance,
>
> return NULL;
> }
> +
> +int
> +rte_security_process_cpu_crypto_bulk(struct rte_security_ctx *instance,
> + struct rte_security_session *sess,
> + struct rte_security_vec buf[], void *iv[], void *aad[],
> + void *digest[], int status[], uint32_t num)
> +{
> + RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->process_cpu_crypto_bulk, -1);
> + return instance->ops->process_cpu_crypto_bulk(sess, buf, iv,
> + aad, digest, status, num);
> +}
> diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
> index aaafdfcd7..0caf5d697 100644
> --- a/lib/librte_security/rte_security.h
> +++ b/lib/librte_security/rte_security.h
> @@ -18,6 +18,7 @@ extern "C" {
> #endif
>
> #include <sys/types.h>
> +#include <sys/uio.h>
>
> #include <netinet/in.h>
> #include <netinet/ip.h>
> @@ -289,6 +290,20 @@ struct rte_security_pdcp_xform {
> uint32_t hfn_ovrd;
> };
>
> +struct rte_security_cpu_crypto_xform {
> + /** For cipher/authentication crypto operation the authentication may
> + * cover more content then the cipher. E.g., for IPSec ESP encryption
> + * with AES-CBC and SHA1-HMAC, the encryption happens after the ESP
> + * header but whole packet (apart from MAC header) is authenticated.
> + * The cipher_offset field is used to deduct the cipher data pointer
> + * from the buffer to be processed.
> + *
> + * NOTE this parameter shall be ignored by AEAD algorithms, since it
> + * uses the same offset for cipher and authentication.
> + */
> + int32_t cipher_offset;
> +};
> +
> /**
> * Security session action type.
> */
> @@ -303,10 +318,14 @@ enum rte_security_session_action_type {
> /**< All security protocol processing is performed inline during
> * transmission
> */
> - RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
> + RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
> /**< All security protocol processing including crypto is performed
> * on a lookaside accelerator
> */
> + RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
> + /**< Crypto processing for security protocol is processed by CPU
> + * synchronously
> + */
> };
>
> /** Security session protocol definition */
> @@ -332,6 +351,7 @@ struct rte_security_session_conf {
> struct rte_security_ipsec_xform ipsec;
> struct rte_security_macsec_xform macsec;
> struct rte_security_pdcp_xform pdcp;
> + struct rte_security_cpu_crypto_xform cpucrypto;
> };
> /**< Configuration parameters for security session */
> struct rte_crypto_sym_xform *crypto_xform;
> @@ -665,6 +685,37 @@ const struct rte_security_capability *
> rte_security_capability_get(struct rte_security_ctx *instance,
> struct rte_security_capability_idx *idx);
>
> +/**
> + * Security vector structure, contains pointer to vector array and the length
> + * of the array
> + */
> +struct rte_security_vec {
> + struct iovec *vec;
> + uint32_t num;
> +};
> +
> +/**
> + * Processing bulk crypto workload with CPU
> + *
> + * @param instance security instance.
> + * @param sess security session
> + * @param buf array of buffer SGL vectors
> + * @param iv array of IV pointers
> + * @param aad array of AAD pointers
> + * @param digest array of digest pointers
> + * @param status array of status for the function to return
> + * @param num number of elements in each array
> + * @return
> + * - On success, 0
> + * - On any failure, -1
I think it is much better to retrun number of successfully process entries
(or number of failed entries - whatever is your preference).
Then user can easily determine does he need to walk through status
(and if yes till what point) or not at all.
Sorry if I wasn't clear in my previous comment.
> + */
> +__rte_experimental
> +int
> +rte_security_process_cpu_crypto_bulk(struct rte_security_ctx *instance,
> + struct rte_security_session *sess,
> + struct rte_security_vec buf[], void *iv[], void *aad[],
> + void *digest[], int status[], uint32_t num);
> +
> #ifdef __cplusplus
> }
> #endif
> diff --git a/lib/librte_security/rte_security_driver.h b/lib/librte_security/rte_security_driver.h
> index 1b561f852..fe940fffa 100644
> --- a/lib/librte_security/rte_security_driver.h
> +++ b/lib/librte_security/rte_security_driver.h
> @@ -132,6 +132,26 @@ typedef int (*security_get_userdata_t)(void *device,
> typedef const struct rte_security_capability *(*security_capabilities_get_t)(
> void *device);
>
> +/**
> + * Process security operations in bulk using CPU accelerated method.
> + *
> + * @param sess Security session structure.
> + * @param buf Buffer to the vectors to be processed.
> + * @param iv IV pointers.
> + * @param aad AAD pointers.
> + * @param digest Digest pointers.
> + * @param status Array of status value.
> + * @param num Number of elements in each array.
> + * @return
> + * - On success, 0
> + * - On any failure, -1
> + */
> +
> +typedef int (*security_process_cpu_crypto_bulk_t)(
> + struct rte_security_session *sess,
> + struct rte_security_vec buf[], void *iv[], void *aad[],
> + void *digest[], int status[], uint32_t num);
> +
> /** Security operations function pointer table */
> struct rte_security_ops {
> security_session_create_t session_create;
> @@ -150,6 +170,8 @@ struct rte_security_ops {
> /**< Get userdata associated with session which processed the packet. */
> security_capabilities_get_t capabilities_get;
> /**< Get security capabilities. */
> + security_process_cpu_crypto_bulk_t process_cpu_crypto_bulk;
> + /**< Process data in bulk. */
> };
>
> #ifdef __cplusplus
> diff --git a/lib/librte_security/rte_security_version.map b/lib/librte_security/rte_security_version.map
> index 53267bf3c..2132e7a00 100644
> --- a/lib/librte_security/rte_security_version.map
> +++ b/lib/librte_security/rte_security_version.map
> @@ -18,4 +18,5 @@ EXPERIMENTAL {
> rte_security_get_userdata;
> rte_security_session_stats_get;
> rte_security_session_update;
> + rte_security_process_cpu_crypto_bulk;
> };
> --
> 2.14.5
@@ -141,3 +141,14 @@ rte_security_capability_get(struct rte_security_ctx *instance,
return NULL;
}
+
+int
+rte_security_process_cpu_crypto_bulk(struct rte_security_ctx *instance,
+ struct rte_security_session *sess,
+ struct rte_security_vec buf[], void *iv[], void *aad[],
+ void *digest[], int status[], uint32_t num)
+{
+ RTE_FUNC_PTR_OR_ERR_RET(*instance->ops->process_cpu_crypto_bulk, -1);
+ return instance->ops->process_cpu_crypto_bulk(sess, buf, iv,
+ aad, digest, status, num);
+}
@@ -18,6 +18,7 @@ extern "C" {
#endif
#include <sys/types.h>
+#include <sys/uio.h>
#include <netinet/in.h>
#include <netinet/ip.h>
@@ -289,6 +290,20 @@ struct rte_security_pdcp_xform {
uint32_t hfn_ovrd;
};
+struct rte_security_cpu_crypto_xform {
+ /** For cipher/authentication crypto operation the authentication may
+ * cover more content then the cipher. E.g., for IPSec ESP encryption
+ * with AES-CBC and SHA1-HMAC, the encryption happens after the ESP
+ * header but whole packet (apart from MAC header) is authenticated.
+ * The cipher_offset field is used to deduct the cipher data pointer
+ * from the buffer to be processed.
+ *
+ * NOTE this parameter shall be ignored by AEAD algorithms, since it
+ * uses the same offset for cipher and authentication.
+ */
+ int32_t cipher_offset;
+};
+
/**
* Security session action type.
*/
@@ -303,10 +318,14 @@ enum rte_security_session_action_type {
/**< All security protocol processing is performed inline during
* transmission
*/
- RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
+ RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
/**< All security protocol processing including crypto is performed
* on a lookaside accelerator
*/
+ RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
+ /**< Crypto processing for security protocol is processed by CPU
+ * synchronously
+ */
};
/** Security session protocol definition */
@@ -332,6 +351,7 @@ struct rte_security_session_conf {
struct rte_security_ipsec_xform ipsec;
struct rte_security_macsec_xform macsec;
struct rte_security_pdcp_xform pdcp;
+ struct rte_security_cpu_crypto_xform cpucrypto;
};
/**< Configuration parameters for security session */
struct rte_crypto_sym_xform *crypto_xform;
@@ -665,6 +685,37 @@ const struct rte_security_capability *
rte_security_capability_get(struct rte_security_ctx *instance,
struct rte_security_capability_idx *idx);
+/**
+ * Security vector structure, contains pointer to vector array and the length
+ * of the array
+ */
+struct rte_security_vec {
+ struct iovec *vec;
+ uint32_t num;
+};
+
+/**
+ * Processing bulk crypto workload with CPU
+ *
+ * @param instance security instance.
+ * @param sess security session
+ * @param buf array of buffer SGL vectors
+ * @param iv array of IV pointers
+ * @param aad array of AAD pointers
+ * @param digest array of digest pointers
+ * @param status array of status for the function to return
+ * @param num number of elements in each array
+ * @return
+ * - On success, 0
+ * - On any failure, -1
+ */
+__rte_experimental
+int
+rte_security_process_cpu_crypto_bulk(struct rte_security_ctx *instance,
+ struct rte_security_session *sess,
+ struct rte_security_vec buf[], void *iv[], void *aad[],
+ void *digest[], int status[], uint32_t num);
+
#ifdef __cplusplus
}
#endif
@@ -132,6 +132,26 @@ typedef int (*security_get_userdata_t)(void *device,
typedef const struct rte_security_capability *(*security_capabilities_get_t)(
void *device);
+/**
+ * Process security operations in bulk using CPU accelerated method.
+ *
+ * @param sess Security session structure.
+ * @param buf Buffer to the vectors to be processed.
+ * @param iv IV pointers.
+ * @param aad AAD pointers.
+ * @param digest Digest pointers.
+ * @param status Array of status value.
+ * @param num Number of elements in each array.
+ * @return
+ * - On success, 0
+ * - On any failure, -1
+ */
+
+typedef int (*security_process_cpu_crypto_bulk_t)(
+ struct rte_security_session *sess,
+ struct rte_security_vec buf[], void *iv[], void *aad[],
+ void *digest[], int status[], uint32_t num);
+
/** Security operations function pointer table */
struct rte_security_ops {
security_session_create_t session_create;
@@ -150,6 +170,8 @@ struct rte_security_ops {
/**< Get userdata associated with session which processed the packet. */
security_capabilities_get_t capabilities_get;
/**< Get security capabilities. */
+ security_process_cpu_crypto_bulk_t process_cpu_crypto_bulk;
+ /**< Process data in bulk. */
};
#ifdef __cplusplus
@@ -18,4 +18,5 @@ EXPERIMENTAL {
rte_security_get_userdata;
rte_security_session_stats_get;
rte_security_session_update;
+ rte_security_process_cpu_crypto_bulk;
};