security: add SA config option for inner checksum

Add inner packet IPv4 hdr and L4 checksum enable options
in conf. These will be used in case of protocol offload.
Per SA, application could specify whether the
checksum(compute/verify) can be offloaded to security device.

Signed-off-by: Archana Muniganti <marchana@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini
index c24814de986ad6fbb0b11baf234844ccbdb6db79..96d95ddc8151e4138ea8aff9983c0212c464b9d9 100644 (file)
--- a/doc/guides/cryptodevs/features/default.ini
+++ b/doc/guides/cryptodevs/features/default.ini
@@ -33,6 +33,7 @@ Non-Byte aligned data  =
 Sym raw data path API  =
 Cipher multiple data units =
 Cipher wrapped key     =
+Inner checksum         =
 
 ;
 ; Supported crypto algorithms of a default crypto driver.

diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 97823a9564f62f90ec54358130dd567d40280d88..a4e86b31f536fabc3552ffdcb31b92d45c65e665 100644 (file)
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -209,8 +209,8 @@ Deprecation Notices
   IPsec payload MSS (Maximum Segment Size), and ESN (Extended Sequence Number).
 
 * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options``
-  will be updated with new fields to support new features like IPsec inner
-  checksum, TSO in case of protocol offload.
+  will be updated with new fields to support new features like TSO in case of
+  protocol offload.
 
 * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
   ``hdr_l3_len`` to configure tunnel L3 header length.

diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 0dbf924b6727505b5d1a8a4fd3719986b54fbd24..aad7b1ff207a1ddb898d280d6f1cbc5a1469449d 100644 (file)
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -258,6 +258,11 @@ ABI Changes
   ``rte_security_ipsec_xform`` to allow applications to configure SA soft
   and hard expiry limits. Limits can be either in number of packets or bytes.
 
+* security: The new options ``ip_csum_enable`` and ``l4_csum_enable`` were added
+  in structure ``rte_security_ipsec_sa_options`` to indicate whether inner
+  packet IPv4 header checksum and L4 checksum need to be offloaded to
+  security device.
+
 * bbdev: Added capability related to more comprehensive CRC options,
   shifting values of the ``enum rte_bbdev_op_ldpcdec_flag_bitmasks``.
 

diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
index d43905c46fb08574ebe64dab5f7c0481e8c51bef..cdd7168fba301297798da50179a5f5d21e9ace52 100644 (file)
--- a/lib/cryptodev/rte_cryptodev.h
+++ b/lib/cryptodev/rte_cryptodev.h
@@ -479,6 +479,8 @@ rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum,
 /**< Support operations on multiple data-units message */
 #define RTE_CRYPTODEV_FF_CIPHER_WRAPPED_KEY            (1ULL << 26)
 /**< Support wrapped key in cipher xform  */
+#define RTE_CRYPTODEV_FF_SECURITY_INNER_CSUM           (1ULL << 27)
+/**< Support inner checksum computation/verification */
 
 /**
  * Get the name of a crypto device feature flag

diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 7b066e758bc81dc50c66baf6f4c885e190bb1063..7eb9f109ae4d3df6b8c54bfe17f60f335f9acc24 100644 (file)
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -227,6 +227,37 @@ struct rte_security_ipsec_sa_options {
         * * 0: Do not match UDP ports
         */
        uint32_t udp_ports_verify : 1;
+
+       /** Compute/verify inner packet IPv4 header checksum in tunnel mode
+        *
+        * * 1: For outbound, compute inner packet IPv4 header checksum
+        *      before tunnel encapsulation and for inbound, verify after
+        *      tunnel decapsulation.
+        * * 0: Inner packet IP header checksum is not computed/verified.
+        *
+        * The checksum verification status would be set in mbuf using
+        * PKT_RX_IP_CKSUM_xxx flags.
+        *
+        * Inner IP checksum computation can also be enabled(per operation)
+        * by setting the flag PKT_TX_IP_CKSUM in mbuf.
+        */
+       uint32_t ip_csum_enable : 1;
+
+       /** Compute/verify inner packet L4 checksum in tunnel mode
+        *
+        * * 1: For outbound, compute inner packet L4 checksum before
+        *      tunnel encapsulation and for inbound, verify after
+        *      tunnel decapsulation.
+        * * 0: Inner packet L4 checksum is not computed/verified.
+        *
+        * The checksum verification status would be set in mbuf using
+        * PKT_RX_L4_CKSUM_xxx flags.
+        *
+        * Inner L4 checksum computation can also be enabled(per operation)
+        * by setting the flags PKT_TX_TCP_CKSUM or PKT_TX_SCTP_CKSUM or
+        * PKT_TX_UDP_CKSUM or PKT_TX_L4_MASK in mbuf.
+        */
+       uint32_t l4_csum_enable : 1;
 };
 
 /** IPSec security association direction */