Peng Zhang [Wed, 11 May 2022 01:15:53 +0000 (03:15 +0200)]
net/nfp: make sure MTU is never larger than mbuf size
Setting a MTU larger than mbuf size is not supported by the device but
not prohibited by the driver. This change adds a restriction to the
driver to prevent setting an MTU that is too large.
While at it define the minimum MTU in the device information to describe
the complete supported MTU range.
Fixes: d4a27a3 ("nfp: add basic features") Cc: stable@dpdk.org Signed-off-by: Peng Zhang <peng.zhang@corigine.com> Signed-off-by: Chaoyong He <chaoyong.he@corigine.com> Signed-off-by: Louis Peens <louis.peens@corigine.com> Signed-off-by: Niklas Söderlund <niklas.soderlund@corigine.com> Reviewed-by: Walter Heymans <walter.heymans@corigine.com> Reviewed-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
Jerin Jacob [Sun, 1 May 2022 14:46:37 +0000 (20:16 +0530)]
ethdev: add protocol based meter input color selection
Currently, meter object supports only DSCP based on input color table,
The patch enhance that to support VLAN based input color table,
color table based on inner field for the tunnel use case, and
support for fallback color per meter if packet based on a different field.
All of the above features are exposed through capability and added
additional capability to specify the implementation supports
more than one input color table per ethdev port.
Suggested-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com> Signed-off-by: Jerin Jacob <jerinj@marvell.com> Acked-by: Ray Kinsella <mdr@ashroe.eu> Acked-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com> Acked-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
Rahul Lakkireddy [Mon, 16 May 2022 19:34:39 +0000 (01:04 +0530)]
net/cxgbe: read firmware configuration file from filesystem
Add support to read firmware configuration file from
/lib/firmware/cxgb4/ path in the filesystem. The firmware
config file is used to enable or disable NIC features before
firmware initialization to help retrieve better debug data to
analyze firmware init failures. The config file can also
be used to redistribute resources, like queues, TCAMs, etc.,
from disabled physical functions (PFs) to main PF, before
firmware init.
net/cxgbe: track packets dropped by TP due to congestion
Transport Processor (TP) on the NIC delivers the incoming packets
from the wire to NIC's DMA engine to place the packets in Rx buffers.
TP sends signal towards the Multi-Port Switch (MPS) near the MAC when
the Rxqs run out of Rx buffers posted by driver. These MPS buffer drop
stats are already accounted for in imissed counters. However, if a
large number of Rxqs run out of Rx buffers simultaneously, then the
TP can start dropping packets by itself when there is heavy congestion
on the channel and hence could not inform to the MPS. So, track these
packets dropped by TP in imissed counters. Also add xstats for these
counters.
Kevin Laatz [Thu, 2 Jun 2022 15:13:39 +0000 (16:13 +0100)]
examples/l3fwd_power: add configuration options
Add CLI options to l3fwd_power to utilize the new power APIs introduced in
this patchset. These CLI options allow the user to configure the
heuritstics made available through the new API via the l3fwd_power
application options.
Signed-off-by: Kevin Laatz <kevin.laatz@intel.com> Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
Kevin Laatz [Thu, 2 Jun 2022 15:13:38 +0000 (16:13 +0100)]
power: add get/set min/max scaling frequencies API
Add new get/set API to allow the user or application to set the minimum
and maximum frequencies to use when scaling.
Previously, the frequency range was determined by the HW capabilities of
the CPU. With this new API, the user or application can constrain this
if required.
Signed-off-by: Kevin Laatz <kevin.laatz@intel.com> Acked-by: Ray Kinsella <mdr@ashroe.eu> Acked-by: Anatoly Burakov <anatoly.burakov@intel.com> Tested-by: David Hunt <david.hunt@intel.com>
Arek Kusztal [Wed, 1 Jun 2022 09:02:49 +0000 (10:02 +0100)]
cryptodev: add RSA padding salt length and label
- Added salt length and optional label.
Common parameters to PSS and OAEP padding for RSA.
- Changed RSA hash padding fields names.
Now it corresponds to the RSA documents.
Arek Kusztal [Wed, 1 Jun 2022 09:02:48 +0000 (10:02 +0100)]
cryptodev: clarify RSA verify with none padding
- Clarified where should output be stored of signature
decryption with padding none.
PMD is not able to know what padding algorithm was used,
therefore decrypted signature should be returned to the user.
- Removed incorrect big-endian constraints.
Not all data in RSA can be treated as big endian integer,
therefore some of the constraints were lifted.
Arek Kusztal [Wed, 1 Jun 2022 09:02:47 +0000 (10:02 +0100)]
cryptodev: move RSA padding into separate struct
- move RSA padding into separate struct.
More padding members should be added into padding,
therefore having separate struct for padding parameters will
make this more readable.
Arek Kusztal [Wed, 1 Jun 2022 09:02:45 +0000 (10:02 +0100)]
cryptodev: add asym operation flags
- Added flags to rte_crypto_asym_op struct.
It may be shared between different algorithms.
- Added Diffie-Hellman padding flags.
Diffie-Hellman padding is used in certain protocols,
in others, leading zero bytes need to be stripped.
Even same protocol may use a different approach - most
glaring example is TLS1.2 - TLS1.3.
For ease of use, and to avoid additional copy
on certain occasions, driver should be able to return both.
Arek Kusztal [Wed, 1 Jun 2022 09:02:44 +0000 (10:02 +0100)]
cryptodev: add public key verify option
- Added key exchange public key verify option.
For some elliptic curves public point in DH exchange
needs to be checked, if it lays on the curve.
Modular exponentiation needs certain checks as well,
though mathematically much easier.
This commit adds verify option to asym_op operations.
Arek Kusztal [Wed, 1 Jun 2022 09:02:43 +0000 (10:02 +0100)]
cryptodev: add elliptic curve Diffie-Hellman
- Added elliptic curve Diffie-Hellman parameters.
Point multiplication allows the user to process every phase of
ECDH, but for phase 1, user should not really care about the generator.
The user does not even need to know what the generator looks like,
therefore setting ec xform would make this work.
Arek Kusztal [Wed, 1 Jun 2022 09:02:42 +0000 (10:02 +0100)]
cryptodev: move DH type from xform to DH op
- Moved DH operation type to DH operation struct.
Operation type (PUBLIC_KEY_GENERATION, SHARED_SECRET) should
be free to choose for any operation. One xform/session should
be enough to perform both DH operations, if op_type would be xform
member, session would have to be created twice for the same
group. Similar problem would be observed in sessionless case.
Additionally, it will help extend DH to support Elliptic Curves.
- Changed order of Diffie-Hellman operation phases.
Now it corresponds with the order of operations.
Arek Kusztal [Wed, 1 Jun 2022 09:02:40 +0000 (10:02 +0100)]
cryptodev: remove DSA ephemeral key usage comment
Removed comment that stated DSA can be used with Diffie
Hellman ephemeral key.
DH and DSA integration allowed to use ephemeral keys for
random integer, but not for private keys.
Arek Kusztal [Wed, 1 Jun 2022 09:02:39 +0000 (10:02 +0100)]
cryptodev: separate key exchange operation enum
- Separated key exchange enum from asym op type.
Key exchange and asymmetric crypto operations like signatures,
encryption/decryption should not share same operation enum as
its use cases are unrelated and mutually exclusive.
Therefore op_type was separate into:
1) operation type
2) key exchange operation type
Arek Kusztal [Wed, 1 Jun 2022 09:02:38 +0000 (10:02 +0100)]
cryptodev: redefine elliptic curve group enum
- EC enum was renamed to rte_crypto_curve_id.
Elliptic curve enum name was incorrectly associated
with a group (it comes from the current tls registry name).
- Clarified comments about TLS deprecation.
Some curves included are deprecated with TLS 1.3.
Comments to address it were added.
- Clarified FFDH groups usage.
Elliptic curves IDs in TLS are placed in the same registry
as FFDH. Cryptodev does not assign specific groups, and
if specific groups would be assigned by DPDK, it cannot be
TLS SupportedGroups registry, as it would conflict with
other protocols like IPSec.
- Added IANA reference.
Only few selected curves are included in previously
referenced rfc8422. IANA reference is added instead.
- Removed UNKNOWN ec group.
There is no default value, and there is no UNKNOWN
elliptic curve.
Hernan Vargas [Fri, 20 May 2022 03:05:56 +0000 (22:05 -0500)]
baseband/fpga_5gnr_fec: remove filler from HARQ
Removed filler bits from HARQ calculation on the N3000 FPGA since these
are already taken out by the deratematching step.
The change is only an optimization with no functional impact, no change
required on stable branches.
Signed-off-by: Hernan Vargas <hernan.vargas@intel.com> Reviewed-by: Nicolas Chautru <nicolas.chautru@intel.com>
Hernan Vargas [Fri, 20 May 2022 03:05:53 +0000 (22:05 -0500)]
baseband/fpga_5gnr_fec: add FPGA mutex
Explicit FPGA mutex added when using the register interface for HARQ
memory preloading to prevent multiple threads from using the same
interface in parallel.
This featured is implemented through MMIO exposed per VF and common to
all queues.
Signed-off-by: Hernan Vargas <hernan.vargas@intel.com> Reviewed-by: Nicolas Chautru <nicolas.chautru@intel.com>
Gagandeep Singh [Fri, 20 May 2022 04:21:01 +0000 (09:51 +0530)]
test/crypto: fix driver name for DPAA raw API test
PMD name for DPAA raw buffer crypto driver test cases is
updated with correct name.
Fixes: cd8166c28cd1 ("test/crypto: add raw API test for dpaax") Cc: stable@dpdk.org Signed-off-by: Gagandeep Singh <g.singh@nxp.com> Acked-by: Akhil Goyal <gakhil@marvell.com>
crypto/qat: refactor asym algorithm macros and logs
This commit unifies macros for asymmetric parameters,
therefore making code easier to maintain.
It additionally changes some of PMD output logs that
right now can only be seen in debug mode.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com> Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
Kai Ji [Wed, 6 Apr 2022 13:45:27 +0000 (21:45 +0800)]
crypto/qat: fix offset and length assignment
This patch fix the cipher & auth offset and length values when convert
mbuf to vector chain for QAT build op.
Fixes: a815a04cea05 ("crypto/qat: support symmetric build op request") Cc: stable@dpdk.org Signed-off-by: Kai Ji <kai.ji@intel.com> Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
The API of the OpenSSL library has changed with version 3.0. This results
in a lot of compiler warnings like
../dpdk/drivers/crypto/ccp/ccp_crypto.c:182:9:
warning: ‘SHA256_Transform’ is deprecated:
Since OpenSSL 3.0 [-Wdeprecated-declarations]
As many Linux distributions still use elder OpenSSL libraries we cannot
change the used API now. Instead define OPENSSL_API_COMPAT to indicate
that we are using the OpenSSL 1.1.0 API.
OPENSSL_API_COMPAT is introduced in *.c files and not in *.h files as some
*.c files directly include OpenSSL headers.
Fixes: d61f70b4c918 ("crypto/libcrypto: add driver for OpenSSL library") Cc: stable@dpdk.org Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Tested-by: Daxue Gao <daxuex.gao@intel.com> Tested-by: David Marchand <david.marchand@redhat.com> Acked-by: Kai Ji <kai.ji@intel.com>
Ciara Power [Wed, 11 May 2022 12:30:44 +0000 (12:30 +0000)]
crypto/ipsec_mb: support GCM SGL to aesni_mb
Add SGL support for GCM algorithm through JOB API.
This change supports IN-PLACE SGL, OOP SGL IN and LB OUT,
and OOP SGL IN and SGL OUT.
Feature flags are not added, as the PMD does not yet support SGL for
all other algorithms.
If an SGL op for an unsupported algorithm is being processed,
a NULL job is submitted instead.
Signed-off-by: Ciara Power <ciara.power@intel.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Akhil Goyal [Tue, 24 May 2022 07:22:14 +0000 (12:52 +0530)]
test/security: add more inline IPsec functional cases
Added more inline IPsec functional verification cases.
These cases do not have known vectors but are verified
using encap + decap test for all the algo combinations.
Signed-off-by: Akhil Goyal <gakhil@marvell.com> Acked-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Anoob Joseph <anoobj@marvell.com>
Akhil Goyal [Tue, 24 May 2022 07:22:13 +0000 (12:52 +0530)]
test/security: add inline IPsec reassembly cases
Added unit test cases for IP reassembly of inline IPsec
inbound scenarios.
In these cases, known test vectors of fragments are first
processed for inline outbound processing and then received
back on loopback interface for inbound processing along with
IP reassembly of the corresponding decrypted packets.
The resultant plain text reassembled packet is compared with
original unfragmented packet.
In this patch, cases are added for 2/4/5 fragments for both
IPv4 and IPv6 packets. A few negative test cases are also added
like incomplete fragments, out of place fragments, duplicate
fragments.
Signed-off-by: Akhil Goyal <gakhil@marvell.com> Acked-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Anoob Joseph <anoobj@marvell.com>
Akhil Goyal [Tue, 24 May 2022 07:22:10 +0000 (12:52 +0530)]
test/security: add cases for inline IPsec offload
A new test suite is added in test app to test inline IPsec protocol
offload. In this patch, predefined vectors from Lookaside IPsec test
are used to verify the IPsec functionality without the need of
external traffic generators. The sent packet is loopbacked onto the same
interface which is received and matched with the expected output.
The test suite can be updated further with other functional test cases.
In this patch encap only cases are added.
The testsuite can be run using:
RTE> inline_ipsec_autotest
Signed-off-by: Akhil Goyal <gakhil@marvell.com> Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com> Acked-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Anoob Joseph <anoobj@marvell.com>
Akhil Goyal [Thu, 12 May 2022 12:45:24 +0000 (18:15 +0530)]
test/event: use new API to set event crypto metadata
Used the new API rte_cryptodev_set_session_event_mdata to set
event crypto metadata from the applications (app/test and
app/test-eventdev) instead of using session userdata.
Signed-off-by: Akhil Goyal <gakhil@marvell.com> Acked-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Abhinandan Gujjar <abhinandan.gujjar@intel.com> Acked-by: Anoob Joseph <anoobj@marvell.com>
Akhil Goyal [Thu, 12 May 2022 12:45:23 +0000 (18:15 +0530)]
crypto/octeontx: use new API for event metadata
For getting event crypto metadata from crypto_op,
the new API rte_cryptodev_get_session_event_mdata can be used
directly instead of getting userdata inside PMD.
Signed-off-by: Akhil Goyal <gakhil@marvell.com> Acked-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Abhinandan Gujjar <abhinandan.gujjar@intel.com> Acked-by: Anoob Joseph <anoobj@marvell.com>
Volodymyr Fialko [Thu, 12 May 2022 12:45:21 +0000 (18:15 +0530)]
cryptodev: add API to get/set event metadata
Currently, crypto session userdata is used to set event crypto
metadata from the application and the driver is dereferencing it
in driver which is not correct. User data is meant to be opaque
to the driver.
To support this, new API is added to get and set event crypto
metadata. The new API, rte_cryptodev_set_session_event_mdata,
allows setting event metadata in session private data which is
filled inside PMD using a new cryptodev op. This operation
can be performed on any of the PMD supported sessions
(sym/asym/security).
For SW abstraction of event crypto adapter to be used by
eventdev library, a new field is added in asymmetric crypto
session for now and for symmetric case, current implementation
of using userdata is used. Symmetric cases cannot be fixed now,
as it will be ABI breakage which will be resolved in DPDK 22.11.
Signed-off-by: Volodymyr Fialko <vfialko@marvell.com> Signed-off-by: Akhil Goyal <gakhil@marvell.com> Acked-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Abhinandan Gujjar <abhinandan.gujjar@intel.com> Acked-by: Anoob Joseph <anoobj@marvell.com>
Raja Zidane [Sun, 1 May 2022 12:13:11 +0000 (15:13 +0300)]
crypto/mlx5: support plain text keys
Using crypto devs requires the user to log in and the supplied DEK to be
encrypted with a KEK (keys encryption key).
KEK is burned once on the nic, along with credentials for users,
and for a user to log in, he is needed to supply his creds wrapped with
the KEK.
A device comes out of the Mellanox factory with a pre-defined import
method for each algorithm. The defined method could be wrapped
mode, so the device can be used as described above, or
plaintext mode, without the need to log in and wrap supplied DEKs.
Support crypto operations with the plaintext import method.
Signed-off-by: Raja Zidane <rzidane@nvidia.com> Acked-by: Matan Azrad <matan@nvidia.com>
Currently default value of promiscuous mode flag is true and
even there is command line argument to set it to true.
So it never is in non-promiscuous mode. Fix it by
changing default value to false.
examples/ipsec-secgw: create lookaside sessions at init
In event lookaside mode same session could be handled with multiple
cores, and session creation in datapath will cause situation where
multiple cores will try to create same session simultaneously.
To avoid such case and enable event lookaside mode in future, lookaside
sessions are now created at initialization in sa_add_rules().
All sessions(inline and lookaside) now created during init process, so
session pool information was removed from ipsec context. Core id was
added to obtain correct crypto device queue pair for the current core.
rte_flow_validate and rte_flow_create not always initialize flow error.
Using error.message in some error cases will cause read from
uninitialized memory.
Fixes: 6738c0a9569 ("examples/ipsec-secgw: support flow director") Cc: stable@dpdk.org Signed-off-by: Volodymyr Fialko <vfialko@marvell.com> Acked-by: Anoob Joseph <anoobj@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com>
examples/ipsec-secgw: add poll mode worker for inline proto
Add separate worker thread when all SA's are of type
inline protocol offload and librte_ipsec is enabled
in order to make it more optimal for that case.
Current default worker supports all kinds of SA leading
to doing lot of per-packet checks and branching based on
SA type which can be of 5 types of SA's.
Also make a provision for choosing different poll mode workers
for different combinations of SA types with default being
existing poll mode worker that supports all kinds of SA's.
examples/ipsec-secgw: update eth header during route lookup
Update ethernet header during route lookup instead of doing
way later while performing Tx burst. Advantages to doing
is at route lookup is that no additional IP version checks
based on packet data are needed and packet data is already
in cache as route lookup is already consuming that data.
This is also useful for inline protocol offload cases
of v4inv6 or v6inv4 outbound tunnel operations as
packet data will not have any info about what is the tunnel
protocol.
examples/ipsec-secgw: get security context from lcore conf
Store security context pointer in lcore Rx queue config and
get it from there in fast path for better performance.
Currently rte_eth_dev_get_sec_ctx() which is meant to be control
path API is called per packet basis. For every call to that
API, ethdev port status is checked.
examples/ipsec-secgw: allow larger burst size for vectors
Allow larger burst size of vector event mode instead of restricting
to 32. Also restructure traffic type struct to have num pkts first
so that it is always in first cacheline. Also cache align
traffic type struct. Since MAX_PKT_BURST is not used by
vector event mode worker, define another macro for its burst
size so that poll mode perf is not effected.
examples/ipsec-secgw: use HW parsed packet type in poll mode
Use HW parsed packet type when ethdev supports necessary protocols.
If packet type is not supported, then register ethdev callbacks
for parse packet in SW. This is better for performance as it
effects fast path.
examples/ipsec-secgw: disable Tx checksum for inline
Enable Tx IPv4 checksum offload only when Tx inline crypto, lookaside
crypto/protocol or cpu crypto is needed.
For Tx Inline protocol offload, checksum computation
is implicitly taken care by HW.
Rahul Bhansali [Thu, 19 May 2022 13:28:30 +0000 (18:58 +0530)]
config/arm: disable SVE ACLE for CN10K
This disable the sve_acle flag for cn10k.
For native build, -Dplatform=cn10k will require to
get sve_acle flag parameter in the build.
Performance impact:-
With l3fwd example, lpm lookup performance increased
by ~21% if Neon is used instead of SVE. Hence, disabled
sve_acle flag for cn10k.
Rahul Bhansali [Thu, 19 May 2022 13:28:29 +0000 (18:58 +0530)]
config/arm: add SVE ACLE control flag
An additional check of control flag sve_acle for
RTE_HAS_SVE_ACLE macro to be part of the build.
If any SoC config doesn't have sve_acle flag parameter
then default it will be considered as true.
Signed-off-by: Rahul Bhansali <rbhansali@marvell.com> Reviewed-by: Chengwen Feng <fengchengwen@huawei.com> Reviewed-by: Juraj Linkeš <juraj.linkes@pantheon.tech> Acked-by: Ruifeng Wang <ruifeng.wang@arm.com>
Thomas Monjalon [Wed, 25 May 2022 09:53:07 +0000 (11:53 +0200)]
eal/ppc: undefine AltiVec keyword vector
The AltiVec header file is defining "vector", except in C++ build.
The keyword "vector" may conflict easily.
As a rule, it is better to use the alternative keyword "__vector".
The DPDK header file rte_altivec.h takes care of undefining "vector",
so the applications and dependencies are free to define the name "vector".
This is a compatibility breakage for applications which were using
the keyword "vector" for its AltiVec meaning.
Signed-off-by: Thomas Monjalon <thomas@monjalon.net> Tested-by: Ali Alnubani <alialnu@nvidia.com> Acked-by: Tyler Retzlaff <roretzla@linux.microsoft.com> Acked-by: Ray Kinsella <mdr@ashroe.eu>
Add support for hash functions that compute a signature for an array
of bytes read from a packet header or meta-data. Useful for flow
affinity-based load balancing.
Previously, on lookup hit, the hit key had its timer automatically
rearmed with the same timeout in order to prevent its expiration. Now,
a broader set of actions is available on lookup hit, which has to be
managed explicitly: the key can have its timer rearmed with the same
or with a different timeout, or the key timer can be left unmodified.
The latter option allows the key to expire naturally when the timer
eventually runs out, unless the key is hit again and its timer rearmed
at that point. Needed by the TCP connection tracking state machine.
Add support for packet recirculation. The current packet is flagged
for recirculation using the new "recirculate" instruction; on TX, this
flag causes the packet to execute the full pipeline again as if it was
a new packet, except the packet meta-data is preserved. The new
"recircid" instruction can be used to read the pass number in case the
packet goes several times through the pipeline.
The packet mirroring is configured through slots and sessions, with
the number of slots and sessions set at init.
The new "mirror" instruction assigns one of the existing sessions to a
specific slot, which results in scheduling a mirror operation for the
current packet to be executed later at the time the packet is either
transmitted or dropped.
Several copies of the same input packet can be mirrored to different
output ports by using multiple slots.
Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com> Signed-off-by: Kamalakannan R <kamalakannan.r@intel.com>
Add support for arguments to the default action of regular and learner
tables at initialization time. Until now, only default actions with no
arguments were accepted in the .spec file.
pipeline: fix emit instruction for invalid headers
Fix the emit instruction for the pathological case of all headers to
be emitted being invalid. In this case, the for loop was essentially
skipped and the last emitted header (or an invalid memory location)
getting corrupted by setting its size to 0 through the assignment to
ho->n_bytes right after the for loop.