Fan Zhang [Thu, 4 Jul 2019 10:42:36 +0000 (11:42 +0100)]
examples/ipsec-secgw: support header reconstruction
This patch updates the ipsec-secgw application to support
header reconstruction. In addition a series of tests have
been added to prove the implementation's correctness.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Fan Zhang [Thu, 4 Jul 2019 10:42:35 +0000 (11:42 +0100)]
ipsec: support header construction
Add support for RFC 4301 (5.1.2) to update the
Type of Service field and Traffic Class field
bits inside IPv4/IPv6 packets for outbound cases
and inbound cases, which deals with the update of
the DSCP/ECN bits inside each of the fields.
Signed-off-by: Marko Kovacevic <marko.kovacevic@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Nicolas Chautru [Wed, 3 Jul 2019 15:24:07 +0000 (08:24 -0700)]
baseband/turbo_sw: extend for 5G
Implementation still based on Intel SDK libraries
optimized for AVX512 instruction set and 5GNR.
This can also be built for AVX2 for 4G capability or
without SDK dependency for maintenance.
Signed-off-by: Nicolas Chautru <nicolas.chautru@intel.com>
Acked-by: Amr Mokhtar <amr.mokhtar@intel.com>
test/crypto: add scatter-gather tests for IP and OOP
This patch adds test cases for wireless in-place
and out-of-place auth-cipher operations with
scatter-gather lists as input and output mbufs.
Test cases include buffer appended digest
generation with encryption and buffer decryption
with appended digest verification.
It also adds cases where digest is encrypted
only partially.
test/crypto: add KASUMI test cases for auth-cipher
This patch adds test cases for kasumi in-place
and out-of-place auth-cipher operations. Test
cases include buffer appended digest generation
with encryption and buffer decryption with
appended digest verification.
This patch adds test cases for zuc in-place
and out-of-place auth-cipher operations. Test
cases include buffer appended digest generation
with encryption and buffer decryption with
appended digest verification.
test/crypto: add SNOW3G test cases for auth-cipher
This patch adds test cases for snow3g in-place
and out-of-place auth-cipher operations. Test
cases include buffer appended digest generation
with encryption and buffer decryption with
appended digest verification.
It also adds cases where digest is encrypted
only partially.
crypto/qat: extend support for digest-encrypted auth-cipher
This patch adds condition to be met when using
out-of-place auth-cipher operations. It checks
if the digest location overlaps with the data to
be encrypted or decrypted and if so, treats as a
digest-encrypted case.
Patch adds checking, if the digest is being
encrypted or decrypted partially and extends PMD
buffers accordingly.
It also adds feature flag for QuickAssist
Technology to emphasize its support for digest
appended auth-cipher operations.
Some PMDs can only support digest being
encrypted separately in auth-cipher operations.
Thus it is required to add feature flag in PMD
to reflect if it does support digest-appended
both: digest generation with encryption and
decryption with digest verification.
This patch also adds information about new
feature flag to the release notes.
Signed-off-by: Damian Nowak <damianx.nowak@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Acked-by: Fiona Trahe <fiona.trahe@intel.com>
Junxiao Shi [Fri, 28 Jun 2019 19:11:03 +0000 (13:11 -0600)]
cryptodev: free memzone when releasing device
When a cryptodev is created in a primary process,
rte_cryptodev_data_alloc reserves a memzone.
However, this memzone was not released when the cryptodev
is uninitialized. After that, new cryptodev cannot be
created due to memzone name conflict.
This commit frees the memzone when a cryptodev is
uninitialized, fixing this bug. This approach is chosen
instead of keeping and reusing the old memzone, because
the new cryptodev could belong to a different NUMA socket.
Also, rte_cryptodev_data pointer is now properly recorded
in cryptodev_globals.data array.
Bugzilla ID: 105
Signed-off-by: Junxiao Shi <git@mail1.yoursunny.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
examples/ipsec-secgw: support fragmentation and reassembly
Add optional ability to fragment packet bigger than MTU,
and reassemble fragmented packet.
To minimize possible performance effect, reassembly is
implemented as RX callback.
To support these features ipsec-secgw relies on librte_ipsec ability
to handle multi-segment packets.
Also when reassemble/fragmentation support is enabled, attached
crypto devices have to support 'In Place SGL' offload capability.
To enable/disable this functionality, two new optional command-line
options are introduced:
--reassemble <val> - number of entries in reassemble table
--mtu <val> - MTU value for all attached ports
As separate '--mtu' option is introduced, '-j <val>' option is now used
to specify mbuf data buffer size only.
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
For packets smaller than 64B some NICs report pkt_len=64B.
As ipsec-secgw (and librte_ipsec) relies on pkt_len value to determine
payload length, that causes problems for small packets.
To fix the issue, check that pkt_len matches values in IPv4/IPv6 header
and re-adjust pkt_len if necessary.
Mariusz Drost [Wed, 26 Jun 2019 13:26:17 +0000 (15:26 +0200)]
examples/ipsec-secgw: fix inline modes
Application ipsec-secgw is not working for IPv4 transport mode and for
IPv6 both transport and tunnel mode.
IPv6 tunnel mode is not working due to wrongly assigned fields of
security association patterns, as it was IPv4, during creation of
inline crypto session.
IPv6 and IPv4 transport mode is iterating through security capabilities
until it reaches tunnel, which causes session to be created as tunnel,
instead of transport. Another issue, is that config file does not
provide source and destination ip addresses for transport mode, which
are required by NIC to perform inline crypto. It uses default addresses
stored in security association (all zeroes), which causes dropped
packages.
To fix that, reorganization of code in create_session() is needed,
to behave appropriately to given protocol (IPv6/IPv4). Change in
iteration through security capabilities is also required, to check
for expected mode (not only tunnel).
For lack of addresses issue, some resolving mechanism is needed.
Approach is to store addresses in security association, as it is
for tunnel mode. Difference is that they are obtained from sp rules,
instead of config file. To do that, sp[4/6]_spi_present() function
is used to find addresses based on spi value, and then stored in
corresponding sa rule. This approach assumes, that every sp rule
for inline crypto have valid addresses, as well as range of addresses
is not supported.
New flags for ipsec_sa structure are required to distinguish between
IPv4 and IPv6 transport modes. Because of that, there is need to
change all checks done on these flags, so they work as expected.
Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec")
Cc: stable@dpdk.org
Signed-off-by: Mariusz Drost <mariuszx.drost@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Mariusz Drost [Wed, 26 Jun 2019 13:26:16 +0000 (15:26 +0200)]
net/ixgbe: fix IP type for crypto session
When ixgbe_crypto_add_sa() is called, it checks whether the ip type is
IPv6 or IPv4 to write correct addresses to the registers. Type itself
is never specified, and acts as IPv4, which is the default value.
It causes lack of support for IPv6.
To fix that, ip type needs to be stored in device private data, based on
crypto session ip type field, before the checking is done.
Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec")
Cc: stable@dpdk.org
Signed-off-by: Mariusz Drost <mariuszx.drost@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tomasz Jozwiak [Fri, 14 Jun 2019 20:56:45 +0000 (22:56 +0200)]
app/crypto-perf: check lcore job failure
Currently, there's no return status check from lcore's jobs.
In case of failure - crypto-perf tool returns success anyway.
This patch adds such a detection and returns proper status at the end.
Fixes: ce8af1a4398d ("app/crypto-perf: wait for cores launched by app")
Cc: stable@dpdk.org
Signed-off-by: Tomasz Jozwiak <tjozwiakgm@gmail.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tomasz Jozwiak [Fri, 14 Jun 2019 22:28:35 +0000 (00:28 +0200)]
app/crypto-perf: fix display once detection
This patch changes 'only_once' variable to 'display_once',
which should be atomic type due to the fact that all runner functions
can be executed in parallel on different lcores.
Fixes: df52cb3b6e13 ("app/crypto-perf: move verify as single test type")
Cc: stable@dpdk.org
Signed-off-by: Tomasz Jozwiak <tjozwiakgm@gmail.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Nicolas Chautru [Wed, 19 Jun 2019 17:48:37 +0000 (10:48 -0700)]
doc: update turbo_sw build steps in bbdev guide
The documentation is clarified to point to steps on building the
SDK libraries which are now publicly available:
https://software.intel.com/en-us/articles/flexran-lte-and-5g-nr-fec-software-development-kit-modules
Lukasz Bartosik [Wed, 5 Jun 2019 15:31:27 +0000 (17:31 +0200)]
ipsec: include high order bytes of ESN in packet length
When esn is used then high-order 32 bits are included in ICV
calculation however are not transmitted. Update packet length
to be consistent with auth data offset and length before crypto
operation. High-order 32 bits of esn will be removed from packet
length in crypto post processing.
Add support for packets that consist of multiple segments.
Take into account that trailer bytes (padding, ESP tail, ICV)
can span across multiple segments.
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Added NULL algo tests into loop test mechanism used
by block cipher tests as easier to extend there.
Included chain, cipher-only and auth-only use-cases.
Extended to cover out-of-place use-cases and use-cases
where data length is not an 8-byte multiple.
Add new unittest-like mechanism which uses scapy to craft custom
packets and a set of assertions to check how ipsec-secgw example
application is processing them. Python3 with scapy module is
required by pkttest.sh to run test scripts.
A new mechanism is used to test IPv6 transport mode traffic with
header extensions (trs_ipv6opts.py).
Fix incomplete test log problem by disabling buffering of ipsec-secgw
standard output with stdbuf application.
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Using transport with IPv6 and header extensions requires calculating
total header length including extensions up to ESP header which is
achieved with iteratively parsing extensions when preparing traffic
for processing. Calculated l3_len is later used to determine SPI
field offset for an inbound traffic and to reconstruct L3 header by
librte_ipsec.
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
ipsec: fix transport mode for IPv6 with extensions
Reconstructing IPv6 header after encryption or decryption requires
updating 'next header' value in the preceding protocol header, which
is determined by parsing IPv6 header and iteratively looking for
next IPv6 header extension.
It is required that 'l3_len' in the mbuf metadata contains a total
length of the IPv6 header with header extensions up to ESP header.
Fixes: 4d7ea3e1459b ("ipsec: implement SA data-path API")
Cc: stable@dpdk.org
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Anoob Joseph [Tue, 25 Jun 2019 05:39:24 +0000 (11:09 +0530)]
cryptodev: add feature flags to disable
Adding a new field, ff_disable, to allow applications to control the
features enabled on the crypto device. This would allow for efficient
usage of HW/SW offloads.
Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Added info about socket id used by compression perf
test process and by the driver
Signed-off-by: Tomasz Cel <tomaszx.cel@intel.com>
Signed-off-by: Fiona Trahe <fiona.trahe@intel.com>
Acked-by: Artur Trybula <arturx.trybula@intel.com>
- Include list of supported adapters.
- Include list of supported features.
- Document requirements for vector mode PMD.
- Remove obsolete limitation (scatter rx has been supported for
some time).
- Fixed broken links.
When adding offloads from commandline, not only port
related configuration bits should be set, but also queue
related offloads configuration bits, or it will cause error.
For example, test in this process for ixgbe:
(1)./x86_64-native-linuxapp-gcc/app/testpmd -c 0x6 -n 4
-- -i --portmask=0x1 --port-topology=loop --disable-crc-strip
(2)port stop all
(3)port config all crc-strip on
(4)port start all
we will see "Fail to configure port 0 rx queues" of warning info.
Fixes: 0074d02fca21 ("app/testpmd: convert to new Rx offloads API")
Cc: stable@dpdk.org
Signed-off-by: Wei Zhao <wei.zhao1@intel.com>
Acked-by: Bernard Iremonger <bernard.iremonger@intel.com>
Haiyue Wang [Tue, 25 Jun 2019 10:38:03 +0000 (18:38 +0800)]
app/testpmd: fix parsing RSS queue rule
Declare a local variable 'arg' to hold the pointer to ARGS_ENTRY_ARB,
otherwise, the pop 'arg' in 'parse_int' holds wrong data like
'arg->offset = 5912737, arg->size = 0', this caused the parse failure.
If calling like 'push_args(ctx, ARGS_ENTRY_ARB..)', the below code for
assigning 'offset & size' will be missed for some gcc optimization.
The above assembly code is from this modification with:
gcc version 9.1.1 20190503 (Red Hat 9.1.1-1) (GCC)
Fedora release 30 (Thirty)
5.1.11-300.fc30.x86_64
Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
Cc: stable@dpdk.org
Signed-off-by: Haiyue Wang <haiyue.wang@intel.com>
Reviewed-by: Xiaolong Ye <xiaolong.ye@intel.com>
Acked-by: Bernard Iremonger <bernard.iremonger@intel.com>
Asaf Penso [Wed, 19 Jun 2019 09:52:45 +0000 (09:52 +0000)]
net/mlx5: fix condition for link update fallback
mlx5_link_update uses the newer ethtool command
ETHTOOL_GLINKSETTINGS to determine interface capabilities but falls
back to the older (deprecated) ETHTOOL_GSET command if the new
method fails for any reason.
The older method only supports reporting of capabilities up to 40G.
However, mlx5_link_update_unlocked_gs can return a failure for a
number of reasons (including the link being down).
Using the older method in cases of transient failure of the method
can result in reporting of reduced capabilities to the application.
The older method (mlx5_link_update_unlocked_gset) should only be
invoked if the newer method returns EOPNOTSUPP.
This commit removes the support of configuring the device E-switch
using TCF since it is now possible to configure it via DR (direct
verbs rules), and by that to also remove the PMD dependency in libmnl.
mlx5 implements mlx5_flow_null_drv_ops to be used when a specific
flow type/driver is not available or invalid.
These routines return error without modifying the rte_flow_error
parameter passed to them which causes testpmd, for example, to crash.
This commit addresses the issue by modifying the rte_flow_error
parameter in these routines.
Vivek Sharma [Sun, 30 Jun 2019 02:25:19 +0000 (07:55 +0530)]
net/octeontx2: support VLAN offloads
Support configuring VLAN offloads for an ethernet device and
dynamic promiscuous mode configuration for VLAN filters where
filters are updated according to promiscuous mode of the device.
Signed-off-by: Vivek Sharma <viveksharma@marvell.com>
Acked-by: Jerin Jacob <jerinj@marvell.com>