security: switch metadata to dynamic mbuf field
authorThomas Monjalon <thomas@monjalon.net>
Mon, 26 Oct 2020 00:12:19 +0000 (01:12 +0100)
committerThomas Monjalon <thomas@monjalon.net>
Sat, 31 Oct 2020 15:13:11 +0000 (16:13 +0100)
The device-specific metadata was stored in the deprecated field udata64.
It is moved to a dynamic mbuf field in order to allow removal of udata64.

The name rte_security_dynfield is not very descriptive
but it should be replaced later by separate fields for each type of data
that drivers pass to the upper layer.

Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
Acked-by: Haiyue Wang <haiyue.wang@intel.com>
14 files changed:
doc/guides/prog_guide/rte_security.rst
drivers/crypto/octeontx2/otx2_cryptodev_sec.c
drivers/net/ixgbe/ixgbe_ipsec.c
drivers/net/ixgbe/ixgbe_rxtx.c
drivers/net/octeontx2/otx2_ethdev.h
drivers/net/octeontx2/otx2_ethdev_sec.c
drivers/net/octeontx2/otx2_ethdev_sec_tx.h
drivers/net/octeontx2/otx2_rx.h
examples/ipsec-secgw/ipsec-secgw.c
examples/ipsec-secgw/ipsec_worker.c
lib/librte_security/rte_security.c
lib/librte_security/rte_security.h
lib/librte_security/rte_security_driver.h
lib/librte_security/version.map

index c64aef3de9cae532f6c63f3105a0eeca692d21c7..f72bc8a78fa6a5b58faac46c112ebd6cc2bfb639 100644 (file)
@@ -125,8 +125,9 @@ ESP/AH headers will be removed from the packet and the received packet
 will contains the decrypted packet only. The driver Rx path checks the
 descriptors and based on the crypto status sets additional flags in
 ``rte_mbuf.ol_flags`` field. The driver would also set device-specific
-metadata in ``rte_mbuf.udata64`` field. This will allow the application
-to identify the security processing done on the packet.
+metadata in ``RTE_SECURITY_DYNFIELD_NAME`` field.
+This will allow the application to identify the security processing
+done on the packet.
 
 .. note::
 
@@ -568,8 +569,8 @@ security session which processed the packet.
 
 .. note::
 
-    In case of inline processed packets, ``rte_mbuf.udata64`` field would be
-    used by the driver to relay information on the security processing
+    In case of inline processed packets, ``RTE_SECURITY_DYNFIELD_NAME`` field
+    would be used by the driver to relay information on the security processing
     associated with the packet. In ingress, the driver would set this in Rx
     path while in egress, ``rte_security_set_pkt_metadata()`` would perform a
     similar operation. The application is expected not to modify the field
index b80ec7bff2e4fb94c2be6ff0ac1dedba4ece8e6f..4e2a0e3afe52f691c80bdff9e3d0e89a61657240 100644 (file)
@@ -455,6 +455,9 @@ otx2_crypto_sec_session_create(void *device,
        if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
                return -ENOTSUP;
 
+       if (rte_security_dynfield_register() < 0)
+               return -rte_errno;
+
        if (rte_mempool_get(mempool, (void **)&priv)) {
                otx2_err("Could not allocate security session private data");
                return -ENOMEM;
@@ -514,7 +517,7 @@ otx2_crypto_sec_set_pkt_mdata(void *device __rte_unused,
                              struct rte_mbuf *m, void *params __rte_unused)
 {
        /* Set security session as the pkt metadata */
-       m->udata64 = (uint64_t)session;
+       *rte_security_dynfield(m) = (rte_security_dynfield_t)session;
 
        return 0;
 }
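Review bot: The store in otx2_crypto_sec_set_pkt_mdata converts the session pointer to rte_security_dynfield_t with a direct pointer-to-uint64_t cast, which is size-exact only on 64-bit targets. Going through uintptr_t avoids the size mismatch wherever the driver builds: `*rte_security_dynfield(m) = (rte_security_dynfield_t)(uintptr_t)session;`. The same cast appears in otx2_eth_sec_set_pkt_mdata. otx2_sec_event_tx converts back with a bare `(void *)` cast, which would take the matching `(void *)(uintptr_t)` form.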
index 48f5082d49204b1c78acde43251981645363b8ba..62f2a5f764b00717e651aca241a0927251499196 100644 (file)
@@ -484,7 +484,8 @@ ixgbe_crypto_update_mb(void *device __rte_unused,
                        get_sec_session_private_data(session);
        if (ic_session->op == IXGBE_OP_AUTHENTICATED_ENCRYPTION) {
                union ixgbe_crypto_tx_desc_md *mdata =
-                       (union ixgbe_crypto_tx_desc_md *)&m->udata64;
+                       (union ixgbe_crypto_tx_desc_md *)
+                               rte_security_dynfield(m);
                mdata->enc = 1;
                mdata->sa_idx = ic_session->sa_index;
                mdata->pad_len = ixgbe_crypto_compute_pad_len(m);
@@ -751,5 +752,7 @@ ixgbe_ipsec_ctx_create(struct rte_eth_dev *dev)
                        return -ENOMEM;
                }
        }
+       if (rte_security_dynfield_register() < 0)
+               return -rte_errno;
        return 0;
 }
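Review bot: The new failure return at the end of ixgbe_ipsec_ctx_create comes after the allocation whose failure is handled just above (`return -ENOMEM`), so a registration error leaves whatever the function already set up in place while reporting failure. The start of the function is outside the hunk, so what was allocated or published on `dev` is not visible here. Moving the `rte_security_dynfield_register()` check to the top of the function, before any allocation, would leave this error path with nothing to clean up.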
index 5f19972031dfa0afec9309b4568cccb5933a2a80..6cfbb582e21e652cab1f21001acc8c649ee8599c 100644 (file)
@@ -34,6 +34,7 @@
 #include <rte_mbuf.h>
 #include <rte_ether.h>
 #include <rte_ethdev_driver.h>
+#include <rte_security_driver.h>
 #include <rte_prefetch.h>
 #include <rte_udp.h>
 #include <rte_tcp.h>
@@ -694,7 +695,7 @@ ixgbe_xmit_pkts(void *tx_queue, struct rte_mbuf **tx_pkts,
                        if (use_ipsec) {
                                union ixgbe_crypto_tx_desc_md *ipsec_mdata =
                                        (union ixgbe_crypto_tx_desc_md *)
-                                                       &tx_pkt->udata64;
+                                               rte_security_dynfield(tx_pkt);
                                tx_offload.sa_idx = ipsec_mdata->sa_idx;
                                tx_offload.sec_pad_len = ipsec_mdata->pad_len;
                        }
@@ -859,7 +860,8 @@ ixgbe_xmit_pkts(void *tx_queue, struct rte_mbuf **tx_pkts,
                                }
 
                                ixgbe_set_xmit_ctx(txq, ctx_txd, tx_ol_req,
-                                       tx_offload, &tx_pkt->udata64);
+                                       tx_offload,
+                                       rte_security_dynfield(tx_pkt));
 
                                txe->last_id = tx_last;
                                tx_id = txe->next_id;
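Review bot: The last argument to ixgbe_set_xmit_ctx is now computed from rte_security_dynfield_offset, and nothing in this hunk shows the call being limited to IPsec packets. If the field was never registered the offset is -1 and the pointer lies just before the mbuf, which is safe only as long as the callee never dereferences it for such packets. The enclosing condition and the callee are outside the hunk. If `use_ipsec` is in scope at this point, passing `use_ipsec ? rte_security_dynfield(tx_pkt) : NULL` would make the intent explicit.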
index b20f399a15641c4abfec2325d29cc2dfd4511054..3b9871f4dc4f72fb4cfbc2ce2fce7ac55bb6cb01 100644 (file)
@@ -13,6 +13,7 @@
 #include <rte_kvargs.h>
 #include <rte_mbuf.h>
 #include <rte_mempool.h>
+#include <rte_security_driver.h>
 #include <rte_string_fns.h>
 #include <rte_time.h>
 
index 4e0dd4e49eef052f0b53edbbca9ac95e0eeb0d16..1ee597ff6ed9bde5dc27e04e24a5b43587fbf918 100644 (file)
@@ -684,7 +684,7 @@ otx2_eth_sec_set_pkt_mdata(void *device __rte_unused,
                            struct rte_mbuf *m, void *params __rte_unused)
 {
        /* Set security session as the pkt metadata */
-       m->udata64 = (uint64_t)session;
+       *rte_security_dynfield(m) = (rte_security_dynfield_t)session;
 
        return 0;
 }
@@ -831,6 +831,9 @@ otx2_eth_sec_init(struct rte_eth_dev *eth_dev)
            !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
                return 0;
 
+       if (rte_security_dynfield_register() < 0)
+               return -rte_errno;
+
        nb_sa = dev->ipsec_in_max_spi;
        mz_sz = nb_sa * sa_width;
        in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
index 5bf8c199950117c5c4a699f9e7fb0b12a14956b5..284bcd536788b87ef6466b557317d9b5154ec0fc 100644 (file)
@@ -55,7 +55,7 @@ otx2_sec_event_tx(struct otx2_ssogws *ws, struct rte_event *ev,
                struct nix_iova_s nix_iova;
        } *sd;
 
-       priv = get_sec_session_private_data((void *)(m->udata64));
+       priv = get_sec_session_private_data((void *)(*rte_security_dynfield(m)));
        sess = &priv->ipsec.ip;
        sa = &sess->out_sa;
 
index f29a0542f94513abe0e1542f2bd380ddeda9dd1b..61a5c436ddb1541efdde1a2963383206d5f6d9d3 100644 (file)
@@ -241,7 +241,7 @@ nix_rx_sec_mbuf_update(const struct nix_cqe_hdr_s *cq, struct rte_mbuf *m,
        spi = cq->tag & 0xFFFFF;
 
        sa = nix_rx_sec_sa_get(lookup_mem, spi, m->port);
-       m->udata64 = (uint64_t)sa->userdata;
+       *rte_security_dynfield(m) = sa->udata64;
 
        data = rte_pktmbuf_mtod(m, char *);
 
index 2219148285de59453a12fe61656ad5bdb3915a44..bbe7ce48d908fe8c8b66acc754e64111676c1ebb 100644 (file)
@@ -426,7 +426,8 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
         * with the security session.
         */
 
-       if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD) {
+       if (pkt->ol_flags & PKT_RX_SEC_OFFLOAD &&
+                       rte_security_dynfield_is_registered()) {
                struct ipsec_sa *sa;
                struct ipsec_mbuf_metadata *priv;
                struct rte_security_ctx *ctx = (struct rte_security_ctx *)
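Review bot: When PKT_RX_SEC_OFFLOAD is set but the dynamic field is not registered, the new condition in prepare_one_packet skips the SA lookup silently and the packet continues as if it had not been processed inline. What the rest of the function does with such a packet is outside the hunk. A short comment saying why this is acceptable, or a log line on that path, would help a reader confirm that no inline-processed packet bypasses the SA association. The mixed `&`/`&&` also reads more clearly parenthesized: `if ((pkt->ol_flags & PKT_RX_SEC_OFFLOAD) &&`.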
@@ -436,10 +437,8 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
                /* Retrieve the userdata registered. Here, the userdata
                 * registered is the SA pointer.
                 */
-
-               sa = (struct ipsec_sa *)
-                               rte_security_get_userdata(ctx, pkt->udata64);
-
+               sa = (struct ipsec_sa *)rte_security_get_userdata(ctx,
+                               *rte_security_dynfield(pkt));
                if (sa == NULL) {
                        /* userdata could not be retrieved */
                        return;
index b6c851f2572b096c94bbbc1341120809eac5bd57..647e22df59842ccbc2d5328e7b7a64bc0fe93fbb 100644 (file)
@@ -208,7 +208,7 @@ process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,
                                        "Inbound security offload failed\n");
                                goto drop_pkt_and_exit;
                        }
-                       sa = pkt->userdata;
+                       sa = *(struct ipsec_sa **)rte_security_dynfield(pkt);
                }
 
                /* Check if we have a match */
@@ -226,7 +226,7 @@ process_ipsec_ev_inbound(struct ipsec_ctx *ctx, struct route_table *rt,
                                        "Inbound security offload failed\n");
                                goto drop_pkt_and_exit;
                        }
-                       sa = pkt->userdata;
+                       sa = *(struct ipsec_sa **)rte_security_dynfield(pkt);
                }
 
                /* Check if we have a match */
@@ -357,7 +357,8 @@ process_ipsec_ev_outbound(struct ipsec_ctx *ctx, struct route_table *rt,
        }
 
        if (sess->security.ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA)
-               pkt->userdata = sess->security.ses;
+               *(struct rte_security_session **)rte_security_dynfield(pkt) =
+                               sess->security.ses;
 
        /* Mark the packet for Tx security offload */
        pkt->ol_flags |= PKT_TX_SEC_OFFLOAD;
@@ -465,7 +466,10 @@ ipsec_wrkr_non_burst_int_port_drv_mode(struct eh_event_link_info *links,
                        }
 
                        /* Save security session */
-                       pkt->userdata = sess_tbl[port_id];
+                       if (rte_security_dynfield_is_registered())
+                               *(struct rte_security_session **)
+                                       rte_security_dynfield(pkt) =
+                                               sess_tbl[port_id];
 
                        /* Mark the packet for Tx security offload */
                        pkt->ol_flags |= PKT_TX_SEC_OFFLOAD;
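Review bot: When the field is not registered the session is not saved, yet the packet is still marked PKT_TX_SEC_OFFLOAD two lines later. process_ipsec_ev_outbound gates the same store on RTE_SECURITY_TX_OLOAD_NEED_MDATA instead, so the two workers use different criteria for the same decision. A comment such as `/* Field is registered only by drivers that consume Tx metadata */` would record the assumption, if that is the intent.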
index ee4666026a53f8f0ce18ca12cbe0f5c37445f7b8..e8116d54474c86bfb05285490219ddc333b06ecb 100644 (file)
        RTE_PTR_OR_ERR_RET(p1->p2->p3, last_retval);                    \
 } while (0)
 
+#define RTE_SECURITY_DYNFIELD_NAME "rte_security_dynfield_metadata"
+int rte_security_dynfield_offset = -1;
+
+int
+rte_security_dynfield_register(void)
+{
+       static const struct rte_mbuf_dynfield dynfield_desc = {
+               .name = RTE_SECURITY_DYNFIELD_NAME,
+               .size = sizeof(rte_security_dynfield_t),
+               .align = __alignof__(rte_security_dynfield_t),
+       };
+       rte_security_dynfield_offset =
+               rte_mbuf_dynfield_register(&dynfield_desc);
+       return rte_security_dynfield_offset;
+}
+
 struct rte_security_session *
 rte_security_session_create(struct rte_security_ctx *instance,
                            struct rte_security_session_conf *conf,
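Review bot: rte_security_dynfield_register() writes the result of rte_mbuf_dynfield_register() into the global unconditionally, so a failing call would replace an offset published by an earlier call with -1 while data-path code may be using it. otx2_crypto_sec_session_create calls it on every session creation, so repeated calls are the normal case. Assigning only on success keeps a published offset stable: `int offset = rte_mbuf_dynfield_register(&dynfield_desc);`, `if (offset >= 0) rte_security_dynfield_offset = offset;`, `return offset;`. RTE_SECURITY_DYNFIELD_NAME is also defined only in this .c file although the programmer's guide now refers to it by name; moving it to rte_security.h would let applications use it.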
index 271531af1251aabf7cd847160370b47effabdb5c..88d31de0a65e686ac245f87e836e3f8c21e2f50c 100644 (file)
@@ -27,6 +27,7 @@ extern "C" {
 #include <rte_common.h>
 #include <rte_crypto.h>
 #include <rte_mbuf.h>
+#include <rte_mbuf_dyn.h>
 #include <rte_memory.h>
 #include <rte_mempool.h>
 
@@ -451,6 +452,47 @@ int
 rte_security_session_destroy(struct rte_security_ctx *instance,
                             struct rte_security_session *sess);
 
+/** Device-specific metadata field type */
+typedef uint64_t rte_security_dynfield_t;
+/** Dynamic mbuf field for device-specific metadata */
+extern int rte_security_dynfield_offset;
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Get pointer to mbuf field for device-specific metadata.
+ *
+ * For performance reason, no check is done,
+ * the dynamic field may not be registered.
+ * @see rte_security_dynfield_is_registered
+ *
+ * @param      mbuf    packet to access
+ * @return pointer to mbuf field
+ */
+__rte_experimental
+static inline rte_security_dynfield_t *
+rte_security_dynfield(struct rte_mbuf *mbuf)
+{
+       return RTE_MBUF_DYNFIELD(mbuf,
+               rte_security_dynfield_offset,
+               rte_security_dynfield_t *);
+}
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Check whether the dynamic field is registered.
+ *
+ * @return true if rte_security_dynfield_register() has been called.
+ */
+__rte_experimental
+static inline bool rte_security_dynfield_is_registered(void)
+{
+       return rte_security_dynfield_offset >= 0;
+}
+
 /**
  *  Updates the buffer with device-specific defined metadata
  *
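Review bot: The `@return` text of rte_security_dynfield_is_registered() says true once rte_security_dynfield_register() "has been called", but the check is `rte_security_dynfield_offset >= 0`, so a call that failed still yields false; `@return true if rte_security_dynfield_register() has succeeded.` matches the code. With the initial offset of -1, rte_security_dynfield() returns a pointer one byte before the mbuf, and the comment could say so outright instead of "may not be registered". A debug-only `RTE_ASSERT(rte_security_dynfield_offset >= 0);` in the accessor would catch misuse without touching release builds, provided rte_debug.h is reachable from this header.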
index 1b561f85289b7e1c997404a9c9e4935d8c4a4578..c5abb079901cab0725e00b1725277db901bda6f3 100644 (file)
@@ -89,6 +89,9 @@ typedef int (*security_session_stats_get_t)(void *device,
                struct rte_security_session *sess,
                struct rte_security_stats *stats);
 
+__rte_experimental
+int rte_security_dynfield_register(void);
+
 /**
  * Update the mbuf with provided metadata.
  *
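Review bot: rte_security_dynfield_register() is declared without a doc comment, unlike the driver callbacks around it. A Doxygen block should state that drivers call it before using rte_security_dynfield(), and that it returns the field offset on success. It should also say that on failure it returns a negative value with rte_errno set, which is how the callers in this commit use it (`return -rte_errno;`). The block should carry the same EXPERIMENTAL warning as the two inline helpers added to rte_security.h.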
index d84eec0a88c97232fb5588c1fd0c8821ccd36c68..22775558c88a12c0f86a8f41c347bbc55b872310 100644 (file)
@@ -15,6 +15,8 @@ DPDK_21 {
 EXPERIMENTAL {
        global:
 
+       rte_security_dynfield_offset;
+       rte_security_dynfield_register;
        rte_security_get_userdata;
        rte_security_session_stats_get;
        rte_security_session_update;