summaryrefslogtreecommitdiffstats
path: root/src/plugins/dpdk/ipsec
AgeCommit message (Collapse)AuthorFilesLines
2018-12-22crypto-input impprovement:Kingwel Xie1-74/+163
1. multi-loop, and new style with vlib_buffer_enqueue_to_next 2. add error counter for AUTH-FAILURE 3. buffer trace changed. now it supports 'trace add dpdk-crypto-input 10' just like the other input nodes Actual measurement shows >10 clocks per packets are saved, under QAT or openssl PMD case Change-Id: I6ea34e4ae3b08c381219ff6bc8adda2d927fbfd5 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-12-01dpdk-ipsec-mempool: allocate from dpdk mem specified by socket-mem in ↵Kingwel Xie1-22/+17
startup.conf otherwise, these pools will occupy an entire huge page for each even they are very small. Change-Id: I08919714de9b6cd4b8dddb546ca54364b56ec99f Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-11-30coding-style: missing coding-style-patchKingwel Xie1-168/+200
fix coding style Change-Id: I458d81fa80c509b71edb2021468a89715cb32ae3 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-11-29dpdk-ipsec-nodes multiarch: nodes are formatted in VLIB_NODE_FN styleKingwel Xie3-13/+21
crypto-input,esp encrypt/decrypt are indicated in CMakefiles Change-Id: I18ba851c1d4e5633d07c5de61cdaeae938e94982 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-11-15ipsec: infra for selecting backendsKlement Sekera1-37/+7
Change-Id: Ifa6d8391b1b2413a88b7720fc434e0bc849a149a Signed-off-by: Klement Sekera <ksekera@cisco.com> Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-11-14Remove c-11 memcpy checks from perf-critical codeDave Barach2-7/+7
Change-Id: Id4f37f5d4a03160572954a416efa1ef9b3d79ad1 Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-30dpdk: .function should be removed for mutiarch nodesDamjan Marion2-4/+0
Fixes debug build crash. Change-Id: Ia5c5da82beda5992f9e67456af9a4676b9b82722 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-10-29migrate ipsec to new multiarch infraKlement Sekera2-31/+10
Change-Id: Ibef46e068cd72415af28920b0146adf48105bf68 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-10-23Numa-aware, growable physical memory allocator (pmalloc)Damjan Marion1-12/+9
Change-Id: Ic4c46bc733afae8bf0d8146623ed15633928de30 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-10-23dpdk: add esp6 decrypt nodes, func declarationsMatthew Smith1-0/+30
The function dpdk_ipsec_process() attempts to initialize some globals that store node indexes after looking up the node dpdk-esp6-decrypt. No such node was declared, so a segv occurs after dereferencing the result of the lookup. Add a node function that invokes dpdk_esp_decrypt_inline() with is_ip6 set to 1. Add a declaration of node dpdk-esp6-decrypt that uses the node function. Change-Id: I31ce23a458c2d4181bf40cbc2118c4ef3b9baf97 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-10-23c11 safe string handling supportDave Barach1-3/+3
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-22ipsec fix missing node renamesKlement Sekera3-7/+11
Change-Id: I70bc5af646894811d373456ec66aa83f2d75a477 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-10-22ipsec: split ipsec nodes into ip4/ip6 nodesKlement Sekera3-71/+254
Change-Id: Ic6b27659f1fe9e8df39e80a0441305e4e952195a Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-09-24Trivial: Clean up some typos.Paul Vinciguerra2-3/+3
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2018-08-13dpdk: support for DPDK 18.08Damjan Marion1-8/+0
Change-Id: If1b93341c222160b9a08f127620c024620e55c37 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-06-25dpdk: Enhancement to call crypto start api at initializationSachin Saxena1-0/+4
- Some crypto devices rely on rte_cryptodev_start() API to be called by application to enable a pre-configured H/W Crypto device. - NXP dpaa2 is one of the example. Change-Id: I2ad8ca0060604fb4e0541161e91bdebc6642f4da Signed-off-by: Sachin Saxena <sachin.saxena@nxp.com>
2018-06-21dpdk/ipsec: add support for UDP encap/decapRadu Nicolau2-17/+65
Change-Id: I024c1d398fcb51e5a20f9049d16a87b3b1ba0c20 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-06-07Add support for DPDK 18.05Damjan Marion1-0/+10
Change-Id: I205932bc727c990011bbbe1dc6c0cf5349d19806 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-05-30vppinfra: explicitely state for signed types that they are signedDamjan Marion4-6/+6
This fixes some compilation warnings with clang on AArch64. Change-Id: Idb941944e3f199f483c80e143a9e5163a031c4aa Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-05-22CSIT-928 dpdk/ipsec: performance improvementRadu Nicolau3-112/+114
Replace hash with a vector to improve performance. Plus other minor performance improvements. Change-Id: I3f0ebd909782ce3727f6360ce5ff5ddd131f8574 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-05-10Change the way IP header pointer is calculated in esp_decrypt nodesSzymon Sliwa1-1/+7
The pointer to IP header was derived from l3_hdr_offset, which would be ok, if l3_hdr_offset was valid. But it does not have to be, so it was a bad solution. Now the previous nodes mark whether it is a IPv6 or IPv4 packet tyle, and in esp_decrypt we count get ip header pointer by substracting the size of the ip header from the pointer to esp header (which lies in front of the ip header). Change-Id: I6d425b90931053711e8ce9126811b77ae6002a16 Signed-off-by: Szymon Sliwa <szs@semihalf.com>
2018-05-04ipsec: allow null/null for crypto/integ algorithms pairRadu Nicolau1-0/+1
Change-Id: Ic1e189c22e3d344d165e0eab05ccb667eef088a9 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-05-04Harmonize vec/pool_get_aligned object sizes and alignment requestsDave Barach1-0/+2
Object sizes must evenly divide alignment requests, or vice versa. Otherwise, only the first object will be aligned as requested. Three choices: add CLIB_CACHE_LINE_ALIGN_MARK(align_me) at the end of structures, manually pad to an even divisor or multiple of the alignment request, or use plain vectors/pools. static assert for enforcement. Change-Id: I41aa6ff1a58267301d32aaf4b9cd24678ac1c147 Signed-off-by: Dave Barach <dbarach@cisco.com>
2018-04-25ipsec: make crypto_worker_main_t a full cache line in sizeFlorin Coras1-0/+1
Change-Id: I927c9358915e03187cf7d3098c00b85b5ea2f92d Signed-off-by: Florin Coras <fcoras@cisco.com>
2018-04-10CSIT-895 dpdk/ipsec: add locks on session data hash updatesRadu Nicolau2-33/+40
Change-Id: I6400b77de388c01e85209e5dc5f11ccafb79a459 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-03-26plugins: dpdk: ipsec: fix l3 offsetSzymon Sliwa1-2/+1
Changes the source of the l3 offset to a more proper one, same as I5d9f41599ba8d8eb14ce2d9d523f82ea6e0fd10d. Change-Id: I5ff05d7d89507ecb378a2bd62f5b149189ca9e99 Signed-off-by: Szymon Sliwa <szs@semihalf.com>
2018-02-25Fix bug in dpdk_crypto_session_disposal()Matthew Smith1-0/+2
The expression to determine whether to delete a session from the disposal list only evaluates true if some, but not all, of the sessions in the list were freed. When all sessions in the list are freed, it evaluates false and the sessions are left in the list to be freed again later, which can result in a session pool element that was reallocated to a different SA being freed, breaking crypto for the newer SA. Add an 'else' that handles the case where all sessions were freed. Change-Id: I3ae54d5b3bfc3658bf406caa50646924baaae589 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-02-24Fix crypto session deletion crashMatthew Smith1-6/+9
When using a DPDK cryptodev with IPsec, deleting a session often results in a SEGV. A bad pointer is being passed to rte_cryptodev_sym_session_free(). Put the correct value on the crypto disposal list and add a check to determine whether the call to free the session is going to result in a crash before doing it. Change-Id: I8a6b0a594585ebcfa56b555ede7ef7d67e5e2b33 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-02-15dpdk: add support for DPDK 18.02, deprecate 17.08Damjan Marion1-4/+0
17.11 is still default. Change-Id: I524d232579db8a59c717c5d760398b6b7f811d03 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-01-18VPP-1122 dpdk/ipsec: fix transport mode pkt lenRadu Nicolau1-3/+7
Change-Id: I6eef2ca258ff5b4aa9b21b98543d814633e295af Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2017-12-05dpdk/ipsec: multiple fixesSergio Gonzalez Monroy5-105/+126
- fix ESP transport mode - safely free crypto sessions - use rte_mempool_virt2phy/rte_mempool_virt2iova - align DPDK QAT capabilities for IPsec usage (DPDK 17.08) - reserve 16B for aad (reference cryptodev doc) Change-Id: I3822a7456fb5a255c767f5a44a429f91a140fe64 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-11-20dpdk: add support for DPDK 17.11Damjan Marion5-145/+5
Also remove DPDK 17.05 support. Change-Id: I4f96cb3f002cd90b12d800d6904f2364d7c4e270 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-11-16dpdk/ipsec: use physmem when creating poolsSergio Gonzalez Monroy1-37/+49
Change-Id: Ic4f797cea6fa21fb29d646256210357cf5267b38 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-11-01dpdk/ipsec: align memorySergio Gonzalez Monroy2-5/+7
Change-Id: I2feb3e07c3070e8a525c539dd2feffa0dd1bca21 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-11-01dpdk/ipsec: fix digest physical addressSergio Gonzalez Monroy3-7/+7
VPP-1034 Change-Id: I02b4db9e52446ab8578df1f011dd27f39de64c70 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-10-24Add extern to *_main global variable declarations in header files.Dave Wallace2-1/+3
- Global variables declared in header files without the use of the 'extern' keword will result in multiple instances of the variable to be created by the compiler -- one for each different source file in which the the header file is included. This results in wasted memory allocated in the BSS segments as well as potentially introducing bugs in the application. Change-Id: I6ef1790b60a0bd9dd3994f8510723decf258b0cc Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2017-10-18ipsec: use boolean or vs. bitwise or to avoid compiler errorAndrew Yourtchenko2-6/+6
Ubuntu 17.04, gcc version 6.3.0 20170406 (Ubuntu 6.3.0-12ubuntu2), "make build" fails with the few of the errors below: error: suggest parentheses around comparison in operand of ‘|’ [-Werror=parentheses] is_aead = (sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128 | Solution: use the logical rather than the bitwise or. Change-Id: Iffcc1ed2e68b14b248159cb117593d32c623c553 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-10-14change format_get_indent() to use u32 instead of uwordGabriel Ganne3-4/+4
This follows commit d3c008d108aa2187d1a2afe2833b4de25ca2c2ab by Christophe Fontaine. Change-Id: I0c4df40df44be2ac0ab25817fa050a1f619eca4d Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
2017-10-12dpdk/ipsec: coverity fixesSergio Gonzalez Monroy3-8/+8
Change-Id: Ica3bc74ffbb1c0df4e198b0abff8df10cdeb2182 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-10-05dpdk/ipsec: rework plus improved cli commandsSergio Gonzalez Monroy7-1653/+2419
This patch reworks the DPDK ipsec implementation including the cryptodev management as well as replacing new cli commands for better usability. For the data path: - The dpdk-esp-encrypt-post node is not necessary anymore. - IPv4 packets in the decrypt path are sent to ip4-input-no-checksum instead of ip4-input. The DPDK cryptodev cli commands are replaced by the following new commands: - show dpdk crypto devices - show dpdk crypto placement [verbose] - set dpdk crypto placement (<device> <thread> | auto) - clear dpdk crypto placement <device> [<thread>] - show dpdk crypto pools Change-Id: I47324517ede82d3e6e0e9f9c71c1a3433714b27b Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-09-06dpdk/ipsec: fix setup when using master core onlySergio Gonzalez Monroy1-2/+3
Change-Id: I62b7aa896dfe218358f11a5197b1228a3dd67152 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-08-31dpdk/ipsec: update doc regarding startup.confSergio Gonzalez Monroy1-10/+7
Change-Id: Ie449072ab1efec081235b508f1def60a1287ff5f Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-08-25dpdk: bump to dpdk 17.08, remove support for dpdk 17.02Damjan Marion1-2/+4
Change-Id: I674fb1212e48693939045523df085326a4dd1809 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-08-25dpdk: required changes for 17.08Sergio Gonzalez Monroy6-206/+430
DPDK 17.08 breaks ethdev and cryptodev APIs. Address those changes while keeping backwards compatibility for DPDK 17.02 and 17.05. Change-Id: Idd6ac264d0d047fe586c41d4c4ca74e8fc778a54 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-08-14dpdk: cleanup unused build option *_uses_dpdk_cryptodev_swSergio Gonzalez Monroy1-11/+4
Change-Id: I62939592bd3cb151e02c55a3f1ee6e7d1ce469cb Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-06-09dpdk: fix ipsec coverity warningSergio Gonzalez Monroy1-2/+2
CID 170475 Change-Id: I9748dd56bdcb62e68d8f672e5b1619a3be400b8f Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-06-07dpdk: ipsec fixesSergio Gonzalez Monroy2-43/+43
- Fix buffer trace from esp_decrypt node - Fix VLIB_REGISTER_NODE macro format - Remove unnecessary code since we do not reconfigure graph unless requirements are met Change-Id: Ic1c2afffb8265e40a6ced0c8a58775c05fadc9e2 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-06-07dpdk: fix ipsec coverity warningsSergio Gonzalez Monroy1-2/+3
CID 161044 and 161045 Change-Id: I50a450e231e387f05e354e3b07dc777ab864d018 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-04-28dpdk: cryptodev support enabled by defaultSergio Gonzalez Monroy4-24/+8
This patch slightly modifes how to enable DPDK Cryptodev. The startup option 'enable-cryptodev' has been removed and unless not enough cryptodevs are found, DPDK cryptodev will be enabled by default. Change-Id: Ic0ac507802cdc0eeb51f065e04ec43a1885617cf Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-04-06Use thread local storage for thread indexDamjan Marion7-15/+16
This patch deprecates stack-based thread identification, Also removes requirement that thread stacks are adjacent. Finally, possibly annoying for some folks, it renames all occurences of cpu_index and cpu_number with thread index. Using word "cpu" is misleading here as thread can be migrated ti different CPU, and also it is not related to linux cpu index. Change-Id: I68cdaf661e701d2336fc953dcb9978d10a70f7c1 Signed-off-by: Damjan Marion <damarion@cisco.com>