From c3a814be9dc769be942ff8029c7b6eccd4b3af05 Mon Sep 17 00:00:00 2001 From: Damjan Marion Date: Tue, 28 Feb 2017 19:22:22 +0100 Subject: dpdk: be a plugin Change-Id: I238258cdeb77035adc5e88903d824593d0a1da90 Signed-off-by: Damjan Marion --- src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md | 86 +++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md (limited to 'src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md') diff --git a/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md b/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md new file mode 100644 index 00000000..fed2fe0e --- /dev/null +++ b/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md @@ -0,0 +1,86 @@ +# VPP IPSec implementation using DPDK Cryptodev API {#dpdk_crypto_ipsec_doc} + +This document is meant to contain all related information about implementation and usability. + + +## VPP IPsec with DPDK Cryptodev + +DPDK Cryptodev is an asynchronous crypto API that supports both Hardware and Software implementations (for more details refer to [DPDK Cryptography Device Library documentation](http://dpdk.org/doc/guides/prog_guide/cryptodev_lib.html)). + +When DPDK support is enabled and there are enough Cryptodev resources for all workers, the node graph is reconfigured by adding and changing default next nodes. + +The following nodes are added: +* dpdk-crypto-input : polling input node, basically dequeuing from crypto devices. +* dpdk-esp-encrypt : internal node. +* dpdk-esp-decrypt : internal node. +* dpdk-esp-encrypt-post : internal node. +* dpdk-esp-decrypt-post : internal node. + +Set new default next nodes: +* for esp encryption: esp-encrypt -> dpdk-esp-encrypt +* for esp decryption: esp-decrypt -> dpdk-esp-decrypt + + +### How to enable VPP IPSec with DPDK Cryptodev support + +DPDK Cryptodev is supported in DPDK enabled VPP. +By default, only HW Cryptodev is supported but needs to be explicetly enabled with the following config option: + +``` +dpdk { + enable-cryptodev +} +``` + +To enable SW Cryptodev support (AESNI-MB-PMD and GCM-PMD), we need the following env option: + + vpp_uses_dpdk_cryptodev_sw=yes + +A couple of ways to achive this: +* uncomment/add it in the platforms config (ie. build-data/platforms/vpp.mk) +* set the option when building vpp (ie. make vpp_uses_dpdk_cryptodev_sw=yes build-release) + +When enabling SW Cryptodev support, it means that you need to pre-build the required crypto libraries needed by those SW Cryptodev PMDs. + + +### Crypto Resources allocation + +VPP allocates crypto resources based on a best effort approach: +* first allocate Hardware crypto resources, then Software. +* if there are not enough crypto resources for all workers, the graph node is not modifed, therefore the default VPP IPsec implementation based in OpenSSL is used. The following message is displayed: + + 0: dpdk_ipsec_init: not enough cryptodevs for ipsec + + +### Configuration example + +To enable DPDK Cryptodev the user just need to provide the startup.conf option +as mentioned previously. + +Example startup.conf: + +``` +dpdk { + socket-mem 1024,1024 + num-mbufs 131072 + dev 0000:81:00.0 + dev 0000:81:00.1 + enable-cryptodev + dev 0000:85:01.0 + dev 0000:85:01.1 + vdev cryptodev_aesni_mb_pmd,socket_id=1 + vdev cryptodev_aesni_mb_pmd,socket_id=1 +} +``` + +In the above configuration: +* 0000:85:01.0 and 0000:85:01.1 are crypto BDFs and they require the same driver binding as DPDK Ethernet devices but they do not support any extra configuration options. +* Two AESNI-MB Software Cryptodev PMDs are created in NUMA node 1. + +For further details refer to [DPDK Crypto Device Driver documentation](http://dpdk.org/doc/guides/cryptodevs/index.html) + +### Operational data + +The following CLI command displays the Cryptodev/Worker mapping: + + show crypto device mapping [verbose] -- cgit 1.2.3-korg From dfde53ae553f9d4c54882fb55a832cb0614834ea Mon Sep 17 00:00:00 2001 From: Billy McFall Date: Fri, 10 Mar 2017 14:49:15 -0500 Subject: VPP-279: Document changes for vnet/vnet/devices Add doxygen documentation for DPDK crypto CLI command. The move of DPDK to a plugin invalidated the local dir.dox. So moved dpdk/dir.dox to dpdk/device/dir.dox to fix. Change-Id: I229e2921c4b0cdd380021adb520cd2089a376afa Signed-off-by: Billy McFall --- src/plugins/dpdk/device/dir.dox | 27 +++++++++++ src/plugins/dpdk/dir.dox | 27 ----------- src/plugins/dpdk/ipsec/cli.c | 63 ++++++++++++++++++++++++- src/plugins/dpdk/ipsec/dir.dox | 13 ++++- src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md | 21 ++++++++- 5 files changed, 120 insertions(+), 31 deletions(-) create mode 100644 src/plugins/dpdk/device/dir.dox delete mode 100644 src/plugins/dpdk/dir.dox (limited to 'src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md') diff --git a/src/plugins/dpdk/device/dir.dox b/src/plugins/dpdk/device/dir.dox new file mode 100644 index 00000000..43e36753 --- /dev/null +++ b/src/plugins/dpdk/device/dir.dox @@ -0,0 +1,27 @@ +/* + * Copyright (c) 2017 Cisco and/or its affiliates. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* Doxygen directory documentation */ + +/** +@dir +@brief DPDK Abstraction Layer. + +This directory contains the source code for the DPDK abstraction layer. + +*/ +/*? %%clicmd:group_label DPDK and pcap tx %% ?*/ +/*? %%syscfg:group_label DPDK and pcap tx %% ?*/ diff --git a/src/plugins/dpdk/dir.dox b/src/plugins/dpdk/dir.dox deleted file mode 100644 index 43e36753..00000000 --- a/src/plugins/dpdk/dir.dox +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Copyright (c) 2017 Cisco and/or its affiliates. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/* Doxygen directory documentation */ - -/** -@dir -@brief DPDK Abstraction Layer. - -This directory contains the source code for the DPDK abstraction layer. - -*/ -/*? %%clicmd:group_label DPDK and pcap tx %% ?*/ -/*? %%syscfg:group_label DPDK and pcap tx %% ?*/ diff --git a/src/plugins/dpdk/ipsec/cli.c b/src/plugins/dpdk/ipsec/cli.c index 40cee39b..cd0a6037 100644 --- a/src/plugins/dpdk/ipsec/cli.c +++ b/src/plugins/dpdk/ipsec/cli.c @@ -136,11 +136,72 @@ done: return error; } +/*? + * This command is used to display the DPDK Crypto device data. See + * @ref dpdk_crypto_ipsec_doc for more details on initializing the + * DPDK Crypto device. + * + * @cliexpar + * Example of displaying the DPDK Crypto device data when disabled: + * @cliexstart{show crypto device mapping} + * DPDK Cryptodev support is disabled + * @cliexend + * Example of displaying the DPDK Crypto device data when enabled: + * @cliexstart{show crypto device mapping} + * worker crypto device id(type) + * 1 1(SW) + * 2 1(SW) + * @cliexend + * Example of displaying the DPDK Crypto device data when enabled with verbose: + * @cliexstart{show crypto device mapping verbose} + * worker cipher auth dir dev qp + * 1 AES_CTR AES-XCBC-MAC in 1 0 + * 1 AES_CTR HMAC-SHA384 in 1 0 + * 1 AES_CTR HMAC-SHA384 out 1 1 + * 1 AES_CBC HMAC-SHA512 in 1 0 + * 1 AES_CBC HMAC-SHA256 in 1 0 + * 1 AES_CBC AES-XCBC-MAC out 1 1 + * 1 AES_CTR AES-XCBC-MAC out 1 1 + * 1 AES_CBC HMAC-SHA256 out 1 1 + * 1 AES_CTR HMAC-SHA512 out 1 1 + * 1 AES_CTR HMAC-SHA256 in 1 0 + * 1 AES_CTR HMAC-SHA1 in 1 0 + * 1 AES_CBC HMAC-SHA512 out 1 1 + * 1 AES_CBC HMAC-SHA384 out 1 1 + * 1 AES_CTR HMAC-SHA1 out 1 1 + * 1 AES_CTR HMAC-SHA256 out 1 1 + * 1 AES_CBC HMAC-SHA1 in 1 0 + * 1 AES_CBC AES-XCBC-MAC in 1 0 + * 1 AES_CTR HMAC-SHA512 in 1 0 + * 1 AES_CBC HMAC-SHA1 out 1 1 + * 1 AES_CBC HMAC-SHA384 in 1 0 + * 2 AES_CTR AES-XCBC-MAC in 1 2 + * 2 AES_CTR HMAC-SHA384 in 1 2 + * 2 AES_CTR HMAC-SHA384 out 1 3 + * 2 AES_CBC HMAC-SHA512 in 1 2 + * 2 AES_CBC HMAC-SHA256 in 1 2 + * 2 AES_CBC AES-XCBC-MAC out 1 3 + * 2 AES_CTR AES-XCBC-MAC out 1 3 + * 2 AES_CBC HMAC-SHA256 out 1 3 + * 2 AES_CTR HMAC-SHA512 out 1 3 + * 2 AES_CTR HMAC-SHA256 in 1 2 + * 2 AES_CTR HMAC-SHA1 in 1 2 + * 2 AES_CBC HMAC-SHA512 out 1 3 + * 2 AES_CBC HMAC-SHA384 out 1 3 + * 2 AES_CTR HMAC-SHA1 out 1 3 + * 2 AES_CTR HMAC-SHA256 out 1 3 + * 2 AES_CBC HMAC-SHA1 in 1 2 + * 2 AES_CBC AES-XCBC-MAC in 1 2 + * 2 AES_CTR HMAC-SHA512 in 1 2 + * 2 AES_CBC HMAC-SHA1 out 1 3 + * 2 AES_CBC HMAC-SHA384 in 1 2 + * @cliexend +?*/ /* *INDENT-OFF* */ VLIB_CLI_COMMAND (lcore_cryptodev_map, static) = { .path = "show crypto device mapping", .short_help = - "show cryptodev device mapping ", + "show cryptodev device mapping [verbose]", .function = lcore_cryptodev_map_fn, }; /* *INDENT-ON* */ diff --git a/src/plugins/dpdk/ipsec/dir.dox b/src/plugins/dpdk/ipsec/dir.dox index ffebfc4d..05504541 100644 --- a/src/plugins/dpdk/ipsec/dir.dox +++ b/src/plugins/dpdk/ipsec/dir.dox @@ -1,5 +1,6 @@ /* * Copyright (c) 2016 Intel and/or its affiliates. + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: @@ -12,7 +13,15 @@ * See the License for the specific language governing permissions and * limitations under the License. */ + +/* Doxygen directory documentation */ + /** - @dir vnet/vnet/devices/dpdk/ipsec - @brief IPSec ESP encrypt/decrypt using DPDK Cryptodev API +@dir src/plugins/dpdk/ipsec +@brief IPSec ESP encrypt/decrypt using DPDK Cryptodev API. + +This directory contains the source code for the DPDK Crypto abstraction layer. + */ +/*? %%clicmd:group_label DPDK Crypto %% ?*/ +/*? %%syscfg:group_label DPDK Crypto %% ?*/ diff --git a/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md b/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md index fed2fe0e..b3d3cc48 100644 --- a/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md +++ b/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md @@ -40,7 +40,7 @@ A couple of ways to achive this: * uncomment/add it in the platforms config (ie. build-data/platforms/vpp.mk) * set the option when building vpp (ie. make vpp_uses_dpdk_cryptodev_sw=yes build-release) -When enabling SW Cryptodev support, it means that you need to pre-build the required crypto libraries needed by those SW Cryptodev PMDs. +When enabling SW Cryptodev support, it means that you need to pre-build the required crypto libraries needed by those SW Cryptodev PMDs. This requires nasm, see nasm section below. ### Crypto Resources allocation @@ -84,3 +84,22 @@ For further details refer to [DPDK Crypto Device Driver documentation](http://dp The following CLI command displays the Cryptodev/Worker mapping: show crypto device mapping [verbose] + + +### nasm + +Building the DPDK Crypto Libraries requires the open source project nasm (The Netwide +Assembler) to be installed. Recommended version of nasm is 2.12.02. Minimum supported +version of nasm is 2.11.06. Use the following command to determine the current nasm version: + + nasm -v + +CentOS 7.3 and earlier and Fedora 21 and earlier use unsupported versions +of nasm. Use the following set of commands to build a supported version: + + wget http://www.nasm.us/pub/nasm/releasebuilds/2.12.02/nasm-2.12.02.tar.bz2 + tar -xjvf nasm-2.12.02.tar.bz2 + cd nasm-2.12.02/ + ./configure + make + sudo make install -- cgit 1.2.3-korg From 63c7e14f2e62caa1246349cfe341a93176ec4a43 Mon Sep 17 00:00:00 2001 From: Sergio Gonzalez Monroy Date: Wed, 22 Mar 2017 16:11:06 +0000 Subject: dpdk: cryptodev support enabled by default This patch slightly modifes how to enable DPDK Cryptodev. The startup option 'enable-cryptodev' has been removed and unless not enough cryptodevs are found, DPDK cryptodev will be enabled by default. Change-Id: Ic0ac507802cdc0eeb51f065e04ec43a1885617cf Signed-off-by: Sergio Gonzalez Monroy --- src/plugins/dpdk/device/dpdk.h | 1 - src/plugins/dpdk/device/init.c | 3 --- src/plugins/dpdk/ipsec/cli.c | 3 +-- src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md | 18 +++++------------- src/plugins/dpdk/ipsec/ipsec.c | 10 +--------- src/plugins/dpdk/ipsec/ipsec.h | 1 + 6 files changed, 8 insertions(+), 28 deletions(-) (limited to 'src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md') diff --git a/src/plugins/dpdk/device/dpdk.h b/src/plugins/dpdk/device/dpdk.h index 90e93e75..82e5938a 100644 --- a/src/plugins/dpdk/device/dpdk.h +++ b/src/plugins/dpdk/device/dpdk.h @@ -323,7 +323,6 @@ typedef struct u8 *uio_driver_name; u8 no_multi_seg; u8 enable_tcp_udp_checksum; - u8 cryptodev; /* Required config parameters */ u8 coremask_set_manually; diff --git a/src/plugins/dpdk/device/init.c b/src/plugins/dpdk/device/init.c index 33ecde44..e20b2585 100755 --- a/src/plugins/dpdk/device/init.c +++ b/src/plugins/dpdk/device/init.c @@ -995,9 +995,6 @@ dpdk_config (vlib_main_t * vm, unformat_input_t * input) else if (unformat (input, "no-multi-seg")) conf->no_multi_seg = 1; - else if (unformat (input, "enable-cryptodev")) - conf->cryptodev = 1; - else if (unformat (input, "dev default %U", unformat_vlib_cli_sub_input, &sub_input)) { diff --git a/src/plugins/dpdk/ipsec/cli.c b/src/plugins/dpdk/ipsec/cli.c index 3ae8c9b8..a9314065 100644 --- a/src/plugins/dpdk/ipsec/cli.c +++ b/src/plugins/dpdk/ipsec/cli.c @@ -20,12 +20,11 @@ static void dpdk_ipsec_show_mapping (vlib_main_t * vm, u16 detail_display) { - dpdk_config_main_t *conf = &dpdk_config_main; dpdk_crypto_main_t *dcm = &dpdk_crypto_main; vlib_thread_main_t *tm = vlib_get_thread_main (); u32 i, skip_master; - if (!conf->cryptodev) + if (!dcm->enabled) { vlib_cli_output (vm, "DPDK Cryptodev support is disabled\n"); return; diff --git a/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md b/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md index b3d3cc48..5a9f9c6e 100644 --- a/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md +++ b/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md @@ -23,15 +23,7 @@ Set new default next nodes: ### How to enable VPP IPSec with DPDK Cryptodev support -DPDK Cryptodev is supported in DPDK enabled VPP. -By default, only HW Cryptodev is supported but needs to be explicetly enabled with the following config option: - -``` -dpdk { - enable-cryptodev -} -``` - +DPDK Cryptodev is supported in DPDK enabled VPP and by default only HW Cryptodev is supported. To enable SW Cryptodev support (AESNI-MB-PMD and GCM-PMD), we need the following env option: vpp_uses_dpdk_cryptodev_sw=yes @@ -47,15 +39,15 @@ When enabling SW Cryptodev support, it means that you need to pre-build the requ VPP allocates crypto resources based on a best effort approach: * first allocate Hardware crypto resources, then Software. -* if there are not enough crypto resources for all workers, the graph node is not modifed, therefore the default VPP IPsec implementation based in OpenSSL is used. The following message is displayed: +* if there are not enough crypto resources for all workers, the graph node is not modifed and the default VPP IPsec implementation based in OpenSSL is used. The following message is displayed: - 0: dpdk_ipsec_init: not enough cryptodevs for ipsec + 0: dpdk_ipsec_init: not enough Cryptodevs, default to OpenSSL IPsec ### Configuration example -To enable DPDK Cryptodev the user just need to provide the startup.conf option -as mentioned previously. +To enable DPDK Cryptodev the user just need to provide cryptodevs int the +startup.conf. Example startup.conf: diff --git a/src/plugins/dpdk/ipsec/ipsec.c b/src/plugins/dpdk/ipsec/ipsec.c index 5d8f4fba..7066564d 100644 --- a/src/plugins/dpdk/ipsec/ipsec.c +++ b/src/plugins/dpdk/ipsec/ipsec.c @@ -224,7 +224,6 @@ static uword dpdk_ipsec_process (vlib_main_t * vm, vlib_node_runtime_t * rt, vlib_frame_t * f) { - dpdk_config_main_t *conf = &dpdk_config_main; ipsec_main_t *im = &ipsec_main; dpdk_crypto_main_t *dcm = &dpdk_crypto_main; vlib_thread_main_t *tm = vlib_get_thread_main (); @@ -235,19 +234,12 @@ dpdk_ipsec_process (vlib_main_t * vm, vlib_node_runtime_t * rt, i32 dev_id, ret; u32 i, skip_master; - if (!conf->cryptodev) - { - clib_warning ("DPDK Cryptodev support is disabled, " - "default to OpenSSL IPsec"); - return 0; - } - if (check_cryptodev_queues () < 0) { - conf->cryptodev = 0; clib_warning ("not enough Cryptodevs, default to OpenSSL IPsec"); return 0; } + dcm->enabled = 1; vec_alloc (dcm->workers_main, tm->n_vlib_mains); _vec_len (dcm->workers_main) = tm->n_vlib_mains; diff --git a/src/plugins/dpdk/ipsec/ipsec.h b/src/plugins/dpdk/ipsec/ipsec.h index f0f793c0..d7940345 100644 --- a/src/plugins/dpdk/ipsec/ipsec.h +++ b/src/plugins/dpdk/ipsec/ipsec.h @@ -83,6 +83,7 @@ typedef struct { struct rte_mempool **cop_pools; crypto_worker_main_t *workers_main; + u8 enabled; } dpdk_crypto_main_t; dpdk_crypto_main_t dpdk_crypto_main; -- cgit 1.2.3-korg From 6be3255d4655c2ba81c9e4bc6b6f3b25e94ce57d Mon Sep 17 00:00:00 2001 From: Sergio Gonzalez Monroy Date: Mon, 14 Aug 2017 09:46:19 +0100 Subject: dpdk: cleanup unused build option *_uses_dpdk_cryptodev_sw Change-Id: I62939592bd3cb151e02c55a3f1ee6e7d1ce469cb Signed-off-by: Sergio Gonzalez Monroy --- build-data/packages/dpdk.mk | 5 ----- build-data/packages/vpp.mk | 3 --- build-data/platforms/vpp.mk | 1 - src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md | 15 ++++----------- 4 files changed, 4 insertions(+), 20 deletions(-) (limited to 'src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md') diff --git a/build-data/packages/dpdk.mk b/build-data/packages/dpdk.mk index ed89bb1b..ddfb8fd1 100644 --- a/build-data/packages/dpdk.mk +++ b/build-data/packages/dpdk.mk @@ -10,11 +10,6 @@ DPDK_MAKE_ARGS = -C $(call find_source_fn,$(PACKAGE_SOURCE)) \ DPDK_INSTALL_DIR=$(PACKAGE_INSTALL_DIR) \ DPDK_DEBUG=$(DPDK_DEBUG) -DPDK_CRYPTO_SW_PMD=$(strip $($(PLATFORM)_uses_dpdk_cryptodev_sw)) -ifneq ($(DPDK_CRYPTO_SW_PMD),) -DPDK_MAKE_ARGS += DPDK_CRYPTO_SW_PMD=y -endif - DPDK_MLX5_PMD=$(strip $($(PLATFORM)_uses_dpdk_mlx5_pmd)) ifneq ($(DPDK_MLX5_PMD),) DPDK_MAKE_ARGS += DPDK_MLX5_PMD=y diff --git a/build-data/packages/vpp.mk b/build-data/packages/vpp.mk index 1acc59b2..170f99c5 100644 --- a/build-data/packages/vpp.mk +++ b/build-data/packages/vpp.mk @@ -23,9 +23,6 @@ vpp_CPPFLAGS += $(call installed_includes_fn, dpdk)/dpdk vpp_LDFLAGS += $(call installed_libs_fn, dpdk) vpp_CPPFLAGS += -I/usr/include/dpdk endif -ifeq ($($(PLATFORM)_uses_dpdk_cryptodev_sw),yes) -vpp_configure_args += --with-dpdk-crypto-sw -endif ifeq ($($(PLATFORM)_uses_dpdk_mlx5_pmd),yes) vpp_configure_args += --with-dpdk-mlx5-pmd endif diff --git a/build-data/platforms/vpp.mk b/build-data/platforms/vpp.mk index acbe0e7f..77457174 100644 --- a/build-data/platforms/vpp.mk +++ b/build-data/platforms/vpp.mk @@ -39,7 +39,6 @@ vpp_uses_dpdk = yes vpp_root_packages = vpp # DPDK configuration parameters -# vpp_uses_dpdk_cryptodev_sw = yes # vpp_uses_dpdk_mlx5_pmd = yes # vpp_uses_external_dpdk = yes # vpp_dpdk_inc_dir = /usr/include/dpdk diff --git a/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md b/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md index 5a9f9c6e..b3dbd6ea 100644 --- a/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md +++ b/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md @@ -7,10 +7,10 @@ This document is meant to contain all related information about implementation a DPDK Cryptodev is an asynchronous crypto API that supports both Hardware and Software implementations (for more details refer to [DPDK Cryptography Device Library documentation](http://dpdk.org/doc/guides/prog_guide/cryptodev_lib.html)). -When DPDK support is enabled and there are enough Cryptodev resources for all workers, the node graph is reconfigured by adding and changing default next nodes. +When there are enough Cryptodev resources for all workers, the node graph is reconfigured by adding and changing the default next nodes. The following nodes are added: -* dpdk-crypto-input : polling input node, basically dequeuing from crypto devices. +* dpdk-crypto-input : polling input node, dequeuing from crypto devices. * dpdk-esp-encrypt : internal node. * dpdk-esp-decrypt : internal node. * dpdk-esp-encrypt-post : internal node. @@ -23,16 +23,9 @@ Set new default next nodes: ### How to enable VPP IPSec with DPDK Cryptodev support -DPDK Cryptodev is supported in DPDK enabled VPP and by default only HW Cryptodev is supported. -To enable SW Cryptodev support (AESNI-MB-PMD and GCM-PMD), we need the following env option: +When building DPDK with VPP, Cryptodev support is always enabled. - vpp_uses_dpdk_cryptodev_sw=yes - -A couple of ways to achive this: -* uncomment/add it in the platforms config (ie. build-data/platforms/vpp.mk) -* set the option when building vpp (ie. make vpp_uses_dpdk_cryptodev_sw=yes build-release) - -When enabling SW Cryptodev support, it means that you need to pre-build the required crypto libraries needed by those SW Cryptodev PMDs. This requires nasm, see nasm section below. +Additionally, on x86_64 platforms, DPDK is built with SW crypto support. ### Crypto Resources allocation -- cgit 1.2.3-korg From 324ad39c1d006122f4b08e8deea560e6be64937a Mon Sep 17 00:00:00 2001 From: Sergio Gonzalez Monroy Date: Thu, 31 Aug 2017 15:12:00 +0100 Subject: dpdk/ipsec: update doc regarding startup.conf Change-Id: Ie449072ab1efec081235b508f1def60a1287ff5f Signed-off-by: Sergio Gonzalez Monroy --- src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) (limited to 'src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md') diff --git a/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md b/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md index b3dbd6ea..8ea77a6c 100644 --- a/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md +++ b/src/plugins/dpdk/ipsec/dpdk_crypto_ipsec_doc.md @@ -39,28 +39,25 @@ VPP allocates crypto resources based on a best effort approach: ### Configuration example -To enable DPDK Cryptodev the user just need to provide cryptodevs int the -startup.conf. +To enable DPDK Cryptodev the user just need to provide cryptodevs in the startup.conf. -Example startup.conf: +Below is an example startup.conf, it is not meant to be a default configuration: ``` dpdk { - socket-mem 1024,1024 - num-mbufs 131072 dev 0000:81:00.0 dev 0000:81:00.1 - enable-cryptodev dev 0000:85:01.0 dev 0000:85:01.1 - vdev cryptodev_aesni_mb_pmd,socket_id=1 - vdev cryptodev_aesni_mb_pmd,socket_id=1 + vdev crypto_aesni_mb0,socket_id=1 + vdev crypto_aesni_mb1,socket_id=1 } ``` In the above configuration: -* 0000:85:01.0 and 0000:85:01.1 are crypto BDFs and they require the same driver binding as DPDK Ethernet devices but they do not support any extra configuration options. -* Two AESNI-MB Software Cryptodev PMDs are created in NUMA node 1. +* 0000:81:01.0 and 0000:81:01.1 are Ethernet device BDFs. +* 0000:85:01.0 and 0000:85:01.1 are Crypto device BDFs and they require the same driver binding as DPDK Ethernet devices but they do not support any extra configuration options. +* Two AESNI-MB Software (Virtual) Cryptodev PMDs are created in NUMA node 1. For further details refer to [DPDK Crypto Device Driver documentation](http://dpdk.org/doc/guides/cryptodevs/index.html) -- cgit 1.2.3-korg