/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2016-2017 Intel Corporation
+ * Copyright(c) 2016-2020 Intel Corporation
*/
#include <sys/types.h>
#include <netinet/in.h>
#include <rte_crypto.h>
#include <rte_security.h>
#include <rte_cryptodev.h>
+#include <rte_ipsec.h>
#include <rte_ethdev.h>
#include <rte_mbuf.h>
#include <rte_hash.h>
}
/* TODO support for Transport */
}
- ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
ipsec->replay_win_sz = app_sa_prm.window_size;
ipsec->options.esn = app_sa_prm.enable_esn;
+ ipsec->options.udp_encap = sa->udp_encap;
}
int
-create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
- struct rte_ipsec_session *ips)
+create_lookaside_session(struct ipsec_ctx *ipsec_ctx_lcore[],
+ struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
+ struct rte_ipsec_session *ips)
{
+ uint16_t cdev_id = RTE_CRYPTO_MAX_DEVS;
struct rte_cryptodev_info cdev_info;
unsigned long cdev_id_qp = 0;
- int32_t ret = 0;
struct cdev_key key = { 0 };
+ struct ipsec_ctx *ipsec_ctx;
+ uint32_t lcore_id;
+ int32_t ret = 0;
- key.lcore_id = (uint8_t)rte_lcore_id();
+ RTE_LCORE_FOREACH(lcore_id) {
+ ipsec_ctx = ipsec_ctx_lcore[lcore_id];
- key.cipher_algo = (uint8_t)sa->cipher_algo;
- key.auth_algo = (uint8_t)sa->auth_algo;
- key.aead_algo = (uint8_t)sa->aead_algo;
+ /* Core is not bound to any cryptodev, skip it */
+ if (ipsec_ctx->cdev_map == NULL)
+ continue;
- ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key,
- (void **)&cdev_id_qp);
- if (ret < 0) {
- RTE_LOG(ERR, IPSEC,
- "No cryptodev: core %u, cipher_algo %u, "
- "auth_algo %u, aead_algo %u\n",
- key.lcore_id,
- key.cipher_algo,
- key.auth_algo,
- key.aead_algo);
- return -1;
+ /* Looking for cryptodev, which can handle this SA */
+ key.lcore_id = (uint8_t)lcore_id;
+ key.cipher_algo = (uint8_t)sa->cipher_algo;
+ key.auth_algo = (uint8_t)sa->auth_algo;
+ key.aead_algo = (uint8_t)sa->aead_algo;
+
+ ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key,
+ (void **)&cdev_id_qp);
+ if (ret == -ENOENT)
+ continue;
+ if (ret < 0) {
+ RTE_LOG(ERR, IPSEC,
+ "No cryptodev: core %u, cipher_algo %u, "
+ "auth_algo %u, aead_algo %u\n",
+ key.lcore_id,
+ key.cipher_algo,
+ key.auth_algo,
+ key.aead_algo);
+ return ret;
+ }
+
+ /* Verify that all cores are using same cryptodev for current
+ * algorithm combination, required by SA.
+ * Current cryptodev mapping process will map SA to the first
+ * cryptodev that matches requirements, so it's a double check,
+ * not an additional restriction.
+ */
+ if (cdev_id == RTE_CRYPTO_MAX_DEVS)
+ cdev_id = ipsec_ctx->tbl[cdev_id_qp].id;
+ else if (cdev_id != ipsec_ctx->tbl[cdev_id_qp].id) {
+ RTE_LOG(ERR, IPSEC,
+ "SA mapping to multiple cryptodevs is "
+ "not supported!");
+ return -EINVAL;
+ }
+
+ /* Store per core queue pair information */
+ sa->cqp[lcore_id] = &ipsec_ctx->tbl[cdev_id_qp];
+ }
+ if (cdev_id == RTE_CRYPTO_MAX_DEVS) {
+ RTE_LOG(WARNING, IPSEC, "No cores found to handle SA\n");
+ return 0;
}
- RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on cryptodev "
- "%u qp %u\n", sa->spi,
- ipsec_ctx->tbl[cdev_id_qp].id,
- ipsec_ctx->tbl[cdev_id_qp].qp);
+ RTE_LOG(DEBUG, IPSEC, "Create session for SA spi %u on cryptodev "
+ "%u\n", sa->spi, cdev_id);
- if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE &&
+ ips->type != RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
struct rte_security_session_conf sess_conf = {
.action_type = ips->type,
.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
if (ips->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
struct rte_security_ctx *ctx = (struct rte_security_ctx *)
rte_cryptodev_get_sec_ctx(
- ipsec_ctx->tbl[cdev_id_qp].id);
+ cdev_id);
/* Set IPsec parameters in conf */
set_ipsec_conf(sa, &(sess_conf.ipsec));
ips->security.ses = rte_security_session_create(ctx,
- &sess_conf, ipsec_ctx->session_priv_pool);
+ &sess_conf, skt_ctx->session_pool,
+ skt_ctx->session_priv_pool);
if (ips->security.ses == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
return -1;
}
+ ips->security.ctx = ctx;
} else {
RTE_LOG(ERR, IPSEC, "Inline not supported\n");
return -1;
}
} else {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
+ struct rte_cryptodev_info info;
+
+ rte_cryptodev_info_get(cdev_id, &info);
+ if (!(info.feature_flags &
+ RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO))
+ return -ENOTSUP;
+
+ }
+ ips->crypto.dev_id = cdev_id;
ips->crypto.ses = rte_cryptodev_sym_session_create(
- ipsec_ctx->session_pool);
- rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id,
+ skt_ctx->session_pool);
+ rte_cryptodev_sym_session_init(cdev_id,
ips->crypto.ses, sa->xforms,
- ipsec_ctx->session_priv_pool);
+ skt_ctx->session_priv_pool);
- rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id,
- &cdev_info);
+ rte_cryptodev_info_get(cdev_id, &cdev_info);
}
- sa->cdev_id_qp = cdev_id_qp;
-
return 0;
}
.options = { 0 },
.replay_win_sz = 0,
.direction = sa->direction,
- .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
- .mode = (sa->flags == IP4_TUNNEL ||
- sa->flags == IP6_TUNNEL) ?
- RTE_SECURITY_IPSEC_SA_MODE_TUNNEL :
- RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP
} },
.crypto_xform = sa->xforms,
.userdata = NULL,
};
+ if (IS_TRANSPORT(sa->flags)) {
+ sess_conf.ipsec.mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT;
+ if (IS_IP4(sa->flags)) {
+ sess_conf.ipsec.tunnel.type =
+ RTE_SECURITY_IPSEC_TUNNEL_IPV4;
+
+ sess_conf.ipsec.tunnel.ipv4.src_ip.s_addr =
+ sa->src.ip.ip4;
+ sess_conf.ipsec.tunnel.ipv4.dst_ip.s_addr =
+ sa->dst.ip.ip4;
+ } else if (IS_IP6(sa->flags)) {
+ sess_conf.ipsec.tunnel.type =
+ RTE_SECURITY_IPSEC_TUNNEL_IPV6;
+
+ memcpy(sess_conf.ipsec.tunnel.ipv6.src_addr.s6_addr,
+ sa->src.ip.ip6.ip6_b, 16);
+ memcpy(sess_conf.ipsec.tunnel.ipv6.dst_addr.s6_addr,
+ sa->dst.ip.ip6.ip6_b, 16);
+ }
+ } else if (IS_TUNNEL(sa->flags)) {
+ sess_conf.ipsec.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL;
+
+ if (IS_IP4(sa->flags)) {
+ sess_conf.ipsec.tunnel.type =
+ RTE_SECURITY_IPSEC_TUNNEL_IPV4;
+
+ sess_conf.ipsec.tunnel.ipv4.src_ip.s_addr =
+ sa->src.ip.ip4;
+ sess_conf.ipsec.tunnel.ipv4.dst_ip.s_addr =
+ sa->dst.ip.ip4;
+ } else if (IS_IP6(sa->flags)) {
+ sess_conf.ipsec.tunnel.type =
+ RTE_SECURITY_IPSEC_TUNNEL_IPV6;
+
+ memcpy(sess_conf.ipsec.tunnel.ipv6.src_addr.s6_addr,
+ sa->src.ip.ip6.ip6_b, 16);
+ memcpy(sess_conf.ipsec.tunnel.ipv6.dst_addr.s6_addr,
+ sa->dst.ip.ip6.ip6_b, 16);
+ } else {
+ RTE_LOG(ERR, IPSEC, "invalid tunnel type\n");
+ return -1;
+ }
+ }
+
+ if (sa->udp_encap) {
+ sess_conf.ipsec.options.udp_encap = 1;
+ sess_conf.ipsec.udp.sport = htons(sa->udp.sport);
+ sess_conf.ipsec.udp.dport = htons(sa->udp.dport);
+ }
+
+ if (sa->esn > 0) {
+ sess_conf.ipsec.options.esn = 1;
+ sess_conf.ipsec.esn.value = sa->esn;
+ }
+
+
RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on port %u\n",
sa->spi, sa->portid);
}
ips->security.ses = rte_security_session_create(sec_ctx,
- &sess_conf, skt_ctx->session_pool);
+ &sess_conf, skt_ctx->session_pool,
+ skt_ctx->session_priv_pool);
if (ips->security.ses == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
sa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;
}
- sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
- sa->pattern[2].spec = &sa->esp_spec;
- sa->pattern[2].mask = &rte_flow_item_esp_mask;
sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
- sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
+ if (sa->udp_encap) {
+
+ sa->udp_spec.hdr.dst_port =
+ rte_cpu_to_be_16(sa->udp.dport);
+ sa->udp_spec.hdr.src_port =
+ rte_cpu_to_be_16(sa->udp.sport);
+
+ sa->pattern[2].mask = &rte_flow_item_udp_mask;
+ sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_UDP;
+ sa->pattern[2].spec = &sa->udp_spec;
+
+ sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_ESP;
+ sa->pattern[3].spec = &sa->esp_spec;
+ sa->pattern[3].mask = &rte_flow_item_esp_mask;
+
+ sa->pattern[4].type = RTE_FLOW_ITEM_TYPE_END;
+ } else {
+ sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
+ sa->pattern[2].spec = &sa->esp_spec;
+ sa->pattern[2].mask = &rte_flow_item_esp_mask;
+
+ sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
+ }
sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
sa->action[0].conf = ips->security.ses;
sa->attr.ingress = (sa->direction ==
RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
if (sa->attr.ingress) {
- uint8_t rss_key[40];
+ uint8_t rss_key[64];
struct rte_eth_rss_conf rss_conf = {
.rss_key = rss_key,
- .rss_key_len = 40,
+ .rss_key_len = sizeof(rss_key),
};
struct rte_eth_dev_info dev_info;
uint16_t queue[RTE_MAX_QUEUES_PER_PORT];
unsigned int i;
unsigned int j;
+ /* Don't create flow if default flow is created */
+ if (flow_info_tbl[sa->portid].rx_def_flow)
+ return 0;
+
ret = rte_eth_dev_info_get(sa->portid, &dev_info);
if (ret != 0) {
RTE_LOG(ERR, IPSEC,
sess_conf.userdata = (void *) sa;
ips->security.ses = rte_security_session_create(sec_ctx,
- &sess_conf, skt_ctx->session_pool);
+ &sess_conf, skt_ctx->session_pool,
+ skt_ctx->session_priv_pool);
if (ips->security.ses == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
ips->security.ol_flags = sec_cap->ol_flags;
ips->security.ctx = sec_ctx;
}
- sa->cdev_id_qp = 0;
+
+ return 0;
+}
+
+int
+create_ipsec_esp_flow(struct ipsec_sa *sa)
+{
+ int ret = 0;
+ struct rte_flow_error err = {};
+ if (sa->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+ RTE_LOG(ERR, IPSEC,
+ "No Flow director rule for Egress traffic\n");
+ return -1;
+ }
+ if (sa->flags == TRANSPORT) {
+ RTE_LOG(ERR, IPSEC,
+ "No Flow director rule for transport mode\n");
+ return -1;
+ }
+ sa->action[0].type = RTE_FLOW_ACTION_TYPE_QUEUE;
+ sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
+ sa->action[0].conf = &(struct rte_flow_action_queue) {
+ .index = sa->fdir_qid,
+ };
+ sa->attr.egress = 0;
+ sa->attr.ingress = 1;
+ if (IS_IP6(sa->flags)) {
+ sa->pattern[1].mask = &rte_flow_item_ipv6_mask;
+ sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV6;
+ sa->pattern[1].spec = &sa->ipv6_spec;
+ memcpy(sa->ipv6_spec.hdr.dst_addr,
+ sa->dst.ip.ip6.ip6_b, sizeof(sa->dst.ip.ip6.ip6_b));
+ memcpy(sa->ipv6_spec.hdr.src_addr,
+ sa->src.ip.ip6.ip6_b, sizeof(sa->src.ip.ip6.ip6_b));
+ sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
+ sa->pattern[2].spec = &sa->esp_spec;
+ sa->pattern[2].mask = &rte_flow_item_esp_mask;
+ sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
+ sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
+ } else if (IS_IP4(sa->flags)) {
+ sa->pattern[1].mask = &rte_flow_item_ipv4_mask;
+ sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;
+ sa->pattern[1].spec = &sa->ipv4_spec;
+ sa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4;
+ sa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;
+ sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
+ sa->pattern[2].spec = &sa->esp_spec;
+ sa->pattern[2].mask = &rte_flow_item_esp_mask;
+ sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
+ sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
+ }
+ sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
+
+ ret = rte_flow_validate(sa->portid, &sa->attr, sa->pattern, sa->action,
+ &err);
+ if (ret < 0) {
+ RTE_LOG(ERR, IPSEC, "Flow validation failed %s\n", err.message);
+ return ret;
+ }
+
+ sa->flow = rte_flow_create(sa->portid, &sa->attr, sa->pattern,
+ sa->action, &err);
+ if (!sa->flow) {
+ RTE_LOG(ERR, IPSEC, "Flow creation failed %s\n", err.message);
+ return -1;
+ }
return 0;
}
cqp->id, cqp->qp, ret, len);
/* drop packets that we fail to enqueue */
for (i = ret; i < len; i++)
- rte_pktmbuf_free(cqp->buf[i]->sym->m_src);
+ free_pkts(&cqp->buf[i]->sym->m_src, 1);
}
cqp->in_flight += ret;
cqp->len = 0;
for (i = 0; i < nb_pkts; i++) {
if (unlikely(sas[i] == NULL)) {
- rte_pktmbuf_free(pkts[i]);
+ free_pkts(&pkts[i], 1);
continue;
}
rte_prefetch0(&priv->sym_cop);
- if ((unlikely(ips->security.ses == NULL)) &&
- create_lookaside_session(ipsec_ctx, sa, ips)) {
- rte_pktmbuf_free(pkts[i]);
+ if (unlikely(ips->security.ses == NULL)) {
+ free_pkts(&pkts[i], 1);
+ continue;
+ }
+
+ if (unlikely((pkts[i]->packet_type &
+ (RTE_PTYPE_TUNNEL_MASK |
+ RTE_PTYPE_L4_MASK)) ==
+ MBUF_PTYPE_TUNNEL_ESP_IN_UDP &&
+ sa->udp_encap != 1)) {
+ free_pkts(&pkts[i], 1);
continue;
}
rte_security_attach_session(&priv->cop,
ips->security.ses);
break;
+
+ case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+ RTE_LOG(ERR, IPSEC, "CPU crypto is not supported by the"
+ " legacy mode.");
+ free_pkts(&pkts[i], 1);
+ continue;
+
case RTE_SECURITY_ACTION_TYPE_NONE:
priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
rte_prefetch0(&priv->sym_cop);
- if ((unlikely(ips->crypto.ses == NULL)) &&
- create_lookaside_session(ipsec_ctx, sa, ips)) {
- rte_pktmbuf_free(pkts[i]);
+ if (unlikely(ips->crypto.ses == NULL)) {
+ free_pkts(&pkts[i], 1);
continue;
}
ret = xform_func(pkts[i], sa, &priv->cop);
if (unlikely(ret)) {
- rte_pktmbuf_free(pkts[i]);
+ free_pkts(&pkts[i], 1);
continue;
}
break;
ret = xform_func(pkts[i], sa, &priv->cop);
if (unlikely(ret)) {
- rte_pktmbuf_free(pkts[i]);
+ free_pkts(&pkts[i], 1);
continue;
}
continue;
}
- RTE_ASSERT(sa->cdev_id_qp < ipsec_ctx->nb_qps);
- enqueue_cop(&ipsec_ctx->tbl[sa->cdev_id_qp], &priv->cop);
+ enqueue_cop(sa->cqp[ipsec_ctx->lcore_id], &priv->cop);
}
}
sa = priv->sa;
ret = xform_func(pkt, sa, &priv->cop);
if (unlikely(ret)) {
- rte_pktmbuf_free(pkt);
+ free_pkts(&pkt, 1);
continue;
}
pkts[nb_pkts++] = pkt;
RTE_SECURITY_ACTION_TYPE_NONE) {
ret = xform_func(pkt, sa, cops[j]);
if (unlikely(ret)) {
- rte_pktmbuf_free(pkt);
+ free_pkts(&pkt, 1);
continue;
}
} else if (ipsec_get_action_type(sa) ==
RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
if (cops[j]->status) {
- rte_pktmbuf_free(pkt);
+ free_pkts(&pkt, 1);
continue;
}
}