FD.io VPP  v19.04.4-rc0-5-ge88582fac
Vector Packet Processing
ipsec.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2017 Intel and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #ifndef __DPDK_IPSEC_H__
16 #define __DPDK_IPSEC_H__
17 
18 #include <vnet/vnet.h>
19 #include <vppinfra/cache.h>
20 #include <vnet/ipsec/ipsec.h>
21 
22 #undef always_inline
23 #include <rte_config.h>
24 #include <rte_crypto.h>
25 #include <rte_cryptodev.h>
26 
27 #if CLIB_DEBUG > 0
28 #define always_inline static inline
29 #else
30 #define always_inline static inline __attribute__ ((__always_inline__))
31 #endif
32 
33 #define DPDK_CRYPTO_N_QUEUE_DESC 2048
34 #define DPDK_CRYPTO_NB_SESS_OBJS 20000
35 
36 #define foreach_dpdk_crypto_input_next \
37  _(DROP, "error-drop") \
38  _(IP4_LOOKUP, "ip4-lookup") \
39  _(IP6_LOOKUP, "ip6-lookup") \
40  _(INTERFACE_OUTPUT, "interface-output") \
41  _(DECRYPT4_POST, "dpdk-esp4-decrypt-post") \
42  _(DECRYPT6_POST, "dpdk-esp6-decrypt-post")
43 
44 typedef enum
45 {
46 #define _(f,s) DPDK_CRYPTO_INPUT_NEXT_##f,
48 #undef _
51 
52 #define MAX_QP_PER_LCORE 16
53 
54 typedef struct
55 {
57  u32 iv[2];
60 
61 typedef struct
62 {
66  CLIB_ALIGN_MARK (mark0, 16);
68  u8 aad[16];
69  u8 icv[32]; /* XXX last 16B in next cache line */
71 
72 typedef struct
73 {
75  struct rte_crypto_op **ops;
76  u16 cipher_resource_idx[IPSEC_CRYPTO_N_ALG];
77  u16 auth_resource_idx[IPSEC_INTEG_N_ALG];
78  CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
80 
81 typedef struct
82 {
83  CLIB_ALIGN_MARK (pad, 8); /* align up to 8 bytes for 32bit builds */
84  char *name;
85  enum rte_crypto_sym_xform_type type;
93 } crypto_alg_t;
94 
95 typedef struct
96 {
99  u8 cipher_support[IPSEC_CRYPTO_N_ALG];
100  u8 auth_support[IPSEC_INTEG_N_ALG];
104  const char *name;
107 } crypto_dev_t;
108 
109 typedef struct
110 {
111  const char *name;
113 } crypto_drv_t;
114 
115 typedef struct
116 {
118  u8 remove;
123  u16 inflights[2];
125  u16 __unused;
126  struct rte_crypto_op *ops[VLIB_FRAME_SIZE];
128  CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
130 
131 typedef struct
132 {
134  struct rte_cryptodev_sym_session *session;
136 
137 typedef struct
138 {
139  struct rte_cryptodev_sym_session *session;
141  CLIB_ALIGN_MARK (pad, 16); /* align up to 16 bytes for 32bit builds */
143 
144 typedef struct
145 {
146  struct rte_mempool *crypto_op;
147  struct rte_mempool *session_h;
148  struct rte_mempool **session_drv;
156  /* Required for vec_validate_aligned */
157  CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
158 } crypto_data_t;
159 
160 typedef struct
161 {
169  u64 session_timeout; /* nsec */
172 
174 
175 static const u8 pad_data[] =
176  { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 0 };
177 
178 void crypto_auto_placement (void);
179 
180 clib_error_t *create_sym_session (struct rte_cryptodev_sym_session **session,
181  u32 sa_idx, crypto_resource_t * res,
183 
186 {
187  const u32 align = 4;
188  u32 op_size =
189  sizeof (struct rte_crypto_op) + sizeof (struct rte_crypto_sym_op);
190 
191  return ((op_size + align - 1) & ~(align - 1)) + sizeof (dpdk_op_priv_t);
192 }
193 
196 {
197  const u32 align = 16;
198  u32 offset;
199 
200  offset = sizeof (struct rte_crypto_op) + sizeof (struct rte_crypto_sym_op);
201  offset = (offset + align - 1) & ~(align - 1);
202 
203  return offset;
204 }
205 
207 crypto_op_get_priv (struct rte_crypto_op * op)
208 {
209  return (dpdk_op_priv_t *) (((u8 *) op) + crypto_op_get_priv_offset ());
210 }
211 
212 
214 add_session_by_drv_and_sa_idx (struct rte_cryptodev_sym_session *session,
215  crypto_data_t * data, u32 drv_id, u32 sa_idx)
216 {
220  sbd = vec_elt_at_index (data->session_by_drv_id_and_sa_index, sa_idx);
221  sbd->dev_mask |= 1L << drv_id;
222  sbd->session = session;
223 }
224 
225 static_always_inline struct rte_cryptodev_sym_session *
227 {
228  crypto_session_by_drv_t *sess_by_sa;
229  if (_vec_len (data->session_by_drv_id_and_sa_index) <= sa_idx)
230  return NULL;
231  sess_by_sa =
233  return (sess_by_sa->dev_mask & (1L << drv_id)) ? sess_by_sa->session : NULL;
234 }
235 
237 crypto_get_session (struct rte_cryptodev_sym_session ** session,
238  u32 sa_idx,
239  crypto_resource_t * res,
241 {
244  struct rte_cryptodev_sym_session *sess;
245 
246  data = vec_elt_at_index (dcm->data, res->numa);
247  sess = get_session_by_drv_and_sa_idx (data, res->drv_id, sa_idx);
248 
249  if (PREDICT_FALSE (!sess))
250  return create_sym_session (session, sa_idx, res, cwm, is_outbound);
251 
252  session[0] = sess;
253 
254  return NULL;
255 }
256 
259 {
260  u16 cipher_res = cwm->cipher_resource_idx[sa->crypto_alg];
261  u16 auth_res = cwm->auth_resource_idx[sa->integ_alg];
262  u8 is_aead;
263 
264  /* Not allowed to setup SA with no-aead-cipher/NULL or NULL/NULL */
265 
266  is_aead = ((sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128) ||
267  (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_192) ||
268  (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_256));
269 
270  if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE)
271  return auth_res;
272 
273  if (cipher_res == auth_res)
274  return cipher_res;
275 
276  if (is_aead)
277  return cipher_res;
278 
279  return (u16) ~ 0;
280 }
281 
283 crypto_alloc_ops (u8 numa, struct rte_crypto_op ** ops, u32 n)
284 {
286  crypto_data_t *data = vec_elt_at_index (dcm->data, numa);
287  i32 ret;
288 
289  ret = rte_mempool_get_bulk (data->crypto_op, (void **) ops, n);
290 
291  /* *INDENT-OFF* */
292  data->crypto_op_get_failed += ! !ret;
293  /* *INDENT-ON* */
294 
295  return ret;
296 }
297 
299 crypto_free_ops (u8 numa, struct rte_crypto_op **ops, u32 n)
300 {
302  crypto_data_t *data = vec_elt_at_index (dcm->data, numa);
303 
304  if (!n)
305  return;
306 
307  rte_mempool_put_bulk (data->crypto_op, (void **) ops, n);
308 }
309 
312  u32 node_index, u32 error, u8 numa, u8 encrypt)
313 {
315  crypto_resource_t *res;
316  u16 *res_idx;
317 
318  /* *INDENT-OFF* */
319  vec_foreach (res_idx, cwm->resource_idx)
320  {
321  u16 enq, n_ops;
322  res = vec_elt_at_index (dcm->resource, res_idx[0]);
323 
324  if (!res->n_ops)
325  continue;
326 
327  n_ops = (DPDK_CRYPTO_N_QUEUE_DESC / 2) - res->inflights[encrypt];
328  n_ops = res->n_ops < n_ops ? res->n_ops : n_ops;
329  enq = rte_cryptodev_enqueue_burst (res->dev_id, res->qp_id,
330  res->ops, n_ops);
331  ASSERT (n_ops == enq);
332  res->inflights[encrypt] += enq;
333 
334  if (PREDICT_FALSE (enq < res->n_ops))
335  {
336  crypto_free_ops (numa, &res->ops[enq], res->n_ops - enq);
337  vlib_buffer_free (vm, &res->bi[enq], res->n_ops - enq);
338 
339  vlib_node_increment_counter (vm, node_index, error,
340  res->n_ops - enq);
341  }
342  res->n_ops = 0;
343  }
344  /* *INDENT-ON* */
345 }
346 
348 crypto_set_icb (dpdk_gcm_cnt_blk * icb, u32 salt, u32 seq, u32 seq_hi)
349 {
350  icb->salt = salt;
351  icb->iv[0] = seq;
352  icb->iv[1] = seq_hi;
353 }
354 
356 crypto_op_setup (u8 is_aead, struct rte_mbuf *mb0,
357  struct rte_crypto_op *op, void *session,
358  u32 cipher_off, u32 cipher_len,
359  u32 auth_off, u32 auth_len,
360  u8 * aad, u8 * digest, u64 digest_paddr)
361 {
362  struct rte_crypto_sym_op *sym_op;
363 
364  sym_op = (struct rte_crypto_sym_op *) (op + 1);
365 
366  sym_op->m_src = mb0;
367  sym_op->session = session;
368 
369  if (is_aead)
370  {
371  sym_op->aead.data.offset = cipher_off;
372  sym_op->aead.data.length = cipher_len;
373 
374  sym_op->aead.aad.data = aad;
375  sym_op->aead.aad.phys_addr =
376  op->phys_addr + (uintptr_t) aad - (uintptr_t) op;
377 
378  sym_op->aead.digest.data = digest;
379  sym_op->aead.digest.phys_addr = digest_paddr;
380  }
381  else
382  {
383  sym_op->cipher.data.offset = cipher_off;
384  sym_op->cipher.data.length = cipher_len;
385 
386  sym_op->auth.data.offset = auth_off;
387  sym_op->auth.data.length = auth_len;
388 
389  sym_op->auth.digest.data = digest;
390  sym_op->auth.digest.phys_addr = digest_paddr;
391  }
392 }
393 
394 #endif /* __DPDK_IPSEC_H__ */
395 
396 /*
397  * fd.io coding-style-patch-verification: ON
398  *
399  * Local Variables:
400  * eval: (c-set-style "gnu")
401  * End:
402  */
u32 alg
Definition: ipsec.h:86
static_always_inline void crypto_op_setup(u8 is_aead, struct rte_mbuf *mb0, struct rte_crypto_op *op, void *session, u32 cipher_off, u32 cipher_len, u32 auth_off, u32 auth_len, u8 *aad, u8 *digest, u64 digest_paddr)
Definition: ipsec.h:356
u8 pad[3]
log2 (size of the packing page block)
Definition: bihash_doc.h:61
#define CLIB_CACHE_LINE_ALIGN_MARK(mark)
Definition: cache.h:60
clib_error_t * create_sym_session(struct rte_cryptodev_sym_session **session, u32 sa_idx, crypto_resource_t *res, crypto_worker_main_t *cwm, u8 is_outbound)
Definition: ipsec.c:321
static void vlib_buffer_free(vlib_main_t *vm, u32 *buffers, u32 n_buffers)
Free buffers Frees the entire buffer chain for each buffer.
Definition: buffer_funcs.h:865
#define foreach_dpdk_crypto_input_next
Definition: ipsec.h:36
unsigned long u64
Definition: types.h:89
u64 crypto_op_get_failed
Definition: ipsec.h:151
#define NULL
Definition: clib.h:58
u64 session_h_failed
Definition: ipsec.h:152
static_always_inline i32 crypto_alloc_ops(u8 numa, struct rte_crypto_op **ops, u32 n)
Definition: ipsec.h:283
ipsec_integ_alg_t integ_alg
Definition: ipsec_sa.h:153
static_always_inline void crypto_set_icb(dpdk_gcm_cnt_blk *icb, u32 salt, u32 seq, u32 seq_hi)
Definition: ipsec.h:348
static_always_inline u32 crypto_op_get_priv_offset(void)
Definition: ipsec.h:195
struct rte_cryptodev_sym_session * session
Definition: ipsec.h:134
u8 disabled
Definition: ipsec.h:91
u8 data[128]
Definition: ipsec.api:248
#define vec_validate_aligned(V, I, A)
Make sure vector is long enough for given index (no header, specified alignment)
Definition: vec.h:450
unsigned char u8
Definition: types.h:56
dpdk_crypto_main_t dpdk_crypto_main
Definition: ipsec.c:25
u32 bi[VLIB_FRAME_SIZE]
Definition: ipsec.h:127
u16 * devs
Definition: ipsec.h:112
u16 * resource_idx
Definition: ipsec.h:74
#define DPDK_CRYPTO_N_QUEUE_DESC
Definition: ipsec.h:33
static_always_inline clib_error_t * crypto_get_session(struct rte_cryptodev_sym_session **session, u32 sa_idx, crypto_resource_t *res, crypto_worker_main_t *cwm, u8 is_outbound)
Definition: ipsec.h:237
static_always_inline void crypto_free_ops(u8 numa, struct rte_crypto_op **ops, u32 n)
Definition: ipsec.h:299
#define static_always_inline
Definition: clib.h:99
u16 cipher_resource_idx[IPSEC_CRYPTO_N_ALG]
Definition: ipsec.h:76
u8 resources
Definition: ipsec.h:92
static_always_inline void crypto_enqueue_ops(vlib_main_t *vm, crypto_worker_main_t *cwm, u32 node_index, u32 error, u8 numa, u8 encrypt)
Definition: ipsec.h:311
crypto_drv_t * drv
Definition: ipsec.h:168
#define vec_elt_at_index(v, i)
Get vector value at index i checking that i is in bounds.
u8 drv_id
Definition: ipsec.h:101
u16 * free_resources
Definition: ipsec.h:97
unsigned int u32
Definition: types.h:88
crypto_alg_t * auth_algs
Definition: ipsec.h:166
static const u8 pad_data[]
Definition: ipsec.h:175
#define VLIB_FRAME_SIZE
Definition: node.h:376
u32 iv[2]
Definition: ipsec.h:57
u8 trunc_size
Definition: ipsec.h:89
static_always_inline void add_session_by_drv_and_sa_idx(struct rte_cryptodev_sym_session *session, crypto_data_t *data, u32 drv_id, u32 sa_idx)
Definition: ipsec.h:214
u32 next
Definition: ipsec.h:63
struct rte_cryptodev_sym_session * session
Definition: ipsec.h:139
void crypto_auto_placement(void)
Definition: ipsec.c:749
clib_spinlock_t lockp
Definition: ipsec.h:155
u16 * used_resources
Definition: ipsec.h:98
static u8 iv[]
Definition: aes_cbc.c:24
crypto_alg_t * cipher_algs
Definition: ipsec.h:165
unsigned short u16
Definition: types.h:57
const char * name
Definition: ipsec.h:111
u64 features
Definition: ipsec.h:106
#define PREDICT_FALSE(x)
Definition: clib.h:111
u64 session_timeout
Definition: ipsec.h:169
static_always_inline u32 crypto_op_len(void)
Definition: ipsec.h:185
u8 encrypt
Definition: ipsec.h:65
static void vlib_node_increment_counter(vlib_main_t *vm, u32 node_index, u32 counter_index, u64 increment)
Definition: node_funcs.h:1150
struct rte_mempool ** session_drv
Definition: ipsec.h:148
crypto_session_by_drv_t * session_by_drv_id_and_sa_index
Definition: ipsec.h:154
vlib_main_t * vm
Definition: buffer.c:312
dpdk_gcm_cnt_blk cb
Definition: ipsec.h:67
u8 is_outbound
Definition: ipsec.api:92
crypto_session_disposal_t * session_disposal
Definition: ipsec.h:149
dpdk_crypto_input_next_t
Definition: ipsec.h:44
u16 id
Definition: ipsec.h:103
u8 iv_len
Definition: ipsec.h:88
signed int i32
Definition: types.h:77
#define ASSERT(truth)
struct rte_mempool * crypto_op
Definition: ipsec.h:146
u32 max_qp
Definition: ipsec.h:105
u16 inflights[2]
Definition: ipsec.h:123
crypto_worker_main_t * workers_main
Definition: ipsec.h:162
u8 boundary
Definition: ipsec.h:90
crypto_resource_t * resource
Definition: ipsec.h:164
struct rte_mempool * session_h
Definition: ipsec.h:147
char * name
Definition: ipsec.h:84
#define CLIB_ALIGN_MARK(name, alignment)
Definition: clib.h:85
u64 * session_drv_failed
Definition: ipsec.h:153
u64 uword
Definition: types.h:112
uword * session_by_sa_index
Definition: ipsec.h:150
const char * name
Definition: ipsec.h:104
struct rte_crypto_op ** ops
Definition: ipsec.h:75
struct clib_bihash_value offset
template key/value backing page structure
crypto_dev_t * dev
Definition: ipsec.h:163
static_always_inline u16 get_resource(crypto_worker_main_t *cwm, ipsec_sa_t *sa)
Definition: ipsec.h:258
crypto_data_t * data
Definition: ipsec.h:167
ipsec_crypto_alg_t crypto_alg
Definition: ipsec_sa.h:150
u16 auth_resource_idx[IPSEC_INTEG_N_ALG]
Definition: ipsec.h:77
#define vec_foreach(var, vec)
Vector iterator.
static_always_inline struct rte_cryptodev_sym_session * get_session_by_drv_and_sa_idx(crypto_data_t *data, u32 drv_id, u32 sa_idx)
Definition: ipsec.h:226
u8 key_len
Definition: ipsec.h:87
#define CLIB_CACHE_LINE_BYTES
Definition: cache.h:59
struct rte_crypto_op * ops[VLIB_FRAME_SIZE]
Definition: ipsec.h:126
static_always_inline dpdk_op_priv_t * crypto_op_get_priv(struct rte_crypto_op *op)
Definition: ipsec.h:207