virtio-comment.lists.oasis-open.org archive mirror
From: Parav Pandit <parav@nvidia.com>
To: Srujana Challa <schalla@marvell.com>,
	"virtio-comment@lists.linux.dev" <virtio-comment@lists.linux.dev>
Cc: "mst@redhat.com" <mst@redhat.com>,
	"pabeni@redhat.com" <pabeni@redhat.com>,
	"jasowang@redhat.com" <jasowang@redhat.com>,
	"sburla@marvell.com" <sburla@marvell.com>,
	"ndabilpuram@marvell.com" <ndabilpuram@marvell.com>,
	"jerinj@marvell.com" <jerinj@marvell.com>,
	"kshankar@marvell.com" <kshankar@marvell.com>
Subject: RE: [PATCH v7 3/4] virtio-net: extend virtio_net_hdr for IPsec support
Date: Wed, 21 May 2025 06:32:37 +0000
Message-ID: <CY8PR12MB7195D06326C4DE9F14C3F061DC9EA@CY8PR12MB7195.namprd12.prod.outlook.com>
In-Reply-To: <20250520121924.2169258-4-schalla@marvell.com>


> From: Srujana Challa <schalla@marvell.com>
> Sent: Tuesday, May 20, 2025 5:49 PM
> 
> Add IPsec resource object identifiers to the virtio_net_hdr for identifying
> encryption/decryption operations on tx and rx side respectively, along with
> flags.
> 
> Signed-off-by: Srujana Challa <schalla@marvell.com>
> Reviewed-by: Parav Pandit <parav@nvidia.com>
> ---
>  device-types/net/description.tex | 52 ++++++++++++++++++++++++++++++--
>  1 file changed, 50 insertions(+), 2 deletions(-)
> 
> diff --git a/device-types/net/description.tex b/device-
> types/net/description.tex
> index 105a002..a2a1753 100644
> --- a/device-types/net/description.tex
> +++ b/device-types/net/description.tex
> @@ -597,6 +597,9 @@ \subsection{Device Operation}\label{sec:Device
> Types / Network Device / Device O
>  #define VIRTIO_NET_HDR_F_DATA_VALID    2
>  #define VIRTIO_NET_HDR_F_RSC_INFO      4
>  #define VIRTIO_NET_HDR_F_UDP_TUNNEL_CSUM 8
> +#define VIRTIO_NET_HDR_F_SECURITY      16
> +#define VIRTIO_NET_HDR_F_SECURITY_ERR  32 #define
> +VIRTIO_NET_HDR_F_SECURITY_SA_SOFT_EXPIRY_WARN 64
>          u8 flags;
>  #define VIRTIO_NET_HDR_GSO_NONE        0
>  #define VIRTIO_NET_HDR_GSO_TCPV4       1
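Review bot: the three new flag values are defined without saying which side sets them, and in this quoted copy `#define VIRTIO_NET_HDR_F_SECURITY_ERR  32 #define` runs onto one line with `VIRTIO_NET_HDR_F_SECURITY_SA_SOFT_EXPIRY_WARN 64`, so check that the real patch has them on separate lines. A one-line comment at the definition site would help: VIRTIO_NET_HDR_F_SECURITY is set by the driver on transmit and by the device on receive, while the rest of this patch only ever has the device setting VIRTIO_NET_HDR_F_SECURITY_ERR and VIRTIO_NET_HDR_F_SECURITY_SA_SOFT_EXPIRY_WARN.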
> @@ -618,7 +621,14 @@ \subsection{Device Operation}\label{sec:Device
> Types / Network Device / Device O
>          le16 outer_th_offset    (Only if VIRTIO_NET_F_HOST_UDP_TUNNEL_GSO
> or VIRTIO_NET_F_GUEST_UDP_TUNNEL_GSO negotiated)
>          le16 inner_nh_offset;   (Only if
> VIRTIO_NET_F_HOST_UDP_TUNNEL_GSO or
> VIRTIO_NET_F_GUEST_UDP_TUNNEL_GSO negotiated)
>          le16 outer_nh_offset;   /* Only if VIRTIO_NET_F_OUT_NET_HEADER
> negotiated */
> -        u8 padding_reserved_2[6]; /* Only if VIRTIO_NET_F_OUT_NET_HEADER
> negotiated */
> +        /* Only if VIRTIO_NET_F_OUT_NET_HEADER or VIRTIO_NET_F_IPSEC
> negotiated */
> +        union {
> +                u8 padding_reserved_2[6];
> +                struct ipsec_resource_hdr {
> +                        le32 resource_id;
> +                        le16 resource_type;
> +                } ipsec_resource_hdr;
> +        };
>  };
>  \end{lstlisting}
> 
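Review bot: the comment on `outer_nh_offset` still reads `/* Only if VIRTIO_NET_F_OUT_NET_HEADER negotiated */` while the union right after it is present when either VIRTIO_NET_F_OUT_NET_HEADER or VIRTIO_NET_F_IPSEC is negotiated, and the size text in this patch counts 32 bytes for the IPsec-only case, which only adds up if `outer_nh_offset` is present then too. Update that comment to `/* Only if VIRTIO_NET_F_OUT_NET_HEADER or VIRTIO_NET_F_IPSEC negotiated */`, or state that the two bytes are reserved when only VIRTIO_NET_F_IPSEC is negotiated. Nothing in the hunk says which `resource_type` values are valid in this header; a pointer to the resource object type list would let a reader validate the field.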
> @@ -972,6 +982,15 @@ \subsubsection{Packet
> Transmission}\label{sec:Device Types / Network Device / De  together with
> the VIRTIO_NET_HDR_F_GSO_UDP_TUNNEL_IPV4 bit or the
>  VIRTIO_NET_HDR_F_GSO_UDP_TUNNEL_IPV6 bit in \field{gso_type}.
> 
> +If the device supports \hyperref[par:Device Types / Network Device /
> +Device Operation / IPsec Operation]{IPsec Operation}, the driver may set
> VIRTIO_NET_HDR_F_SECURITY bit in \field{flags}, if so:
> +\begin{enumerate}
> +\item the driver MUST create IPsec Outbound resource object
> +\hyperref[par:Device Types / Crypto Device / Device Operation / IPsec
> +Service Operation / Resource objects /
> +VIRTIO-CRYPTO-RESOURCE-OBJ-IPSEC-ENC-
> SA]{VIRTIO_NET_RESOURCE_OBJ_IPSEC_
> +OUTB_SA} \item the driver MUST set \field{resource_id} to a valid IPsec
> +outbound
> +      resource object ID.
> +\end{enumerate}
> +
>  \devicenormative{\paragraph}{Packet Transmission}{Device Types / Network
> Device / Device Operation / Packet Transmission}  The device MUST ignore
> \field{flag} bits that it does not recognize.
> 
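Review bot: the driver-normative list for transmit never mentions `resource_type`, so a driver can set VIRTIO_NET_HDR_F_SECURITY with a valid `resource_id` and an undefined `resource_type`. Add an item requiring the driver to set `resource_type` to VIRTIO_NET_RESOURCE_OBJ_IPSEC_OUTB_SA, and one stating the driver MUST NOT set VIRTIO_NET_HDR_F_SECURITY_ERR or VIRTIO_NET_HDR_F_SECURITY_SA_SOFT_EXPIRY_WARN on transmit, since only the device sets those elsewhere in the patch. `the driver may set` should be `the driver MAY set` in a normative paragraph. The hyperref target used here (`... / VIRTIO-CRYPTO-RESOURCE-OBJ-IPSEC-ENC-SA`) differs from the one used for the same object in the receive hunk (`... / VIRTIO-CRYPTO-RESOURCE-OBJ-IPSEC-OUTBOUND-SA`); at most one of them resolves.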
> @@ -1032,6 +1051,10 @@ \subsubsection{Packet
> Transmission}\label{sec:Device Types / Network Device / De
> 
>  If VIRTIO_NET_HDR_F_NEEDS_CSUM is not set, the device MUST NOT  rely
> on the packet checksum being correct.
> +
> +If VIRTIO_NET_HDR_F_SECURITY bit in \field{flags} is not set, the
> +device MUST NOT use the \field{resource_id} and \field{resource_type}.
> +
>  \paragraph{Packet Transmission Interrupt}\label{sec:Device Types / Network
> Device / Device Operation / Packet Transmission / Packet Transmission
> Interrupt}
> 
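Review bot: the device-normative text says what the device must not do when VIRTIO_NET_HDR_F_SECURITY is clear, but not what it must do when the bit is set and `resource_id` does not name an existing outbound SA, names an object of another type, or names an SA that has hit its hard lifetime limit. This should fail closed: state that the device MUST NOT transmit the packet unprotected in that case and say how the failure is reported (the packet dropped, or VIRTIO_NET_HDR_F_SECURITY_ERR on completion), otherwise a driver bug or a race with SA destruction turns into plaintext on the wire.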
>  Often a driver will suppress transmission virtqueue interrupts @@ -1085,7
> +1108,7 @@ \subsubsection{Setting Up Receive Buffers}\label{sec:Device
> Types / Network Devi
> 
>  When calculating the size of \field{struct virtio_net_hdr}, the driver  MUST
> consider all the fields inclusive up to \field{padding_reserved_2}, -i.e. 32
> bytes if VIRTIO_NET_F_OUT_NET_HEADER is negotiated or up to
> \field{inner_nh_offset}
> +i.e. 32 bytes if VIRTIO_NET_F_OUT_NET_HEADER or VIRTIO_NET_F_IPSEC is
> +negotiated or up to \field{inner_nh_offset}
>  i.e. 24 bytes if VIRTIO_NET_F_HOST_UDP_TUNNEL_GSO is negotiated or up
> to \field{padding_reserved}  i.e. 20 bytes if VIRTIO_NET_F_HASH_REPORT is
> negotiated, and 12 bytes if not.
> 
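Review bot: `inclusive up to \field{padding_reserved_2}` no longer names the last field unambiguously now that `padding_reserved_2` is one member of a union; reword to the union, e.g. `up to and including the union containing \field{padding_reserved_2} and \field{ipsec_resource_hdr}`. While touching it, the feature-to-size mapping (32, 24, 20, 12 bytes) would be far easier to check as a list with one entry per negotiated feature than as a single run-on sentence.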
> @@ -1341,6 +1364,21 @@ \subsubsection{Processing of Incoming
> Packets}\label{sec:Device Types / Network  \field{flags}, the device MUST
> either provide a zero outer UDP header  checksum or a fully checksummed
> outer UDP header.
> 
> +The device MUST set the VIRTIO_NET_HDR_F_SECURITY bit in the
> +\field{flags} if the packet goes through the IPsec processing.
> +Otherwise, this bit MUST be cleared. The device MUST set or clear this
> +bit regardless of setting VIRTIO_NET_HDR_F_SECURITY_ERR or
> VIRTIO_NET_HDR_F_SECURITY_SA_SOFT_EXPIRY_WARN bit.
> +
> +The device MUST set the VIRTIO_NET_HDR_F_SECURITY_ERR bit in the
> +\field{flags} if any error is encountered during IPsec processing. Otherwise,
> this bit MUST be cleared.
> +The device MUST set or clear this bit regardless of setting
> +VIRTIO_NET_HDR_F_SECURITY_SA_SOFT_EXPIRY_WARN bit.
> +
> +The device MUST set the
> VIRTIO_NET_HDR_F_SECURITY_SA_SOFT_EXPIRY_WARN
> +bit in the \field{flags} if the SA associated with \field{resource_id}
> +reaches the SA lifetime soft limits configured in the \field{struct
> virtio_crypto_ipsec_lifetime}.
> +See \hyperref[par:Device Types / Crypto Device / Device Operation / IPsec
> Service Operation / Resource objects / VIRTIO-CRYPTO-RESOURCE-OBJ-IPSEC-
> OUTBOUND-SA]{VIRTIO_NET_RESOURCE_OBJ_IPSEC_OUTB_SA}.
> +
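Review bot: this is the receive path, yet the SA lifetime sentence points at VIRTIO_NET_RESOURCE_OBJ_IPSEC_OUTB_SA; a received packet is processed against an inbound SA, so either the reference is wrong or the text needs to say which object `resource_id` identifies on receive. The hunk also never requires the device to fill in `resource_id` and `resource_type` when it sets VIRTIO_NET_HDR_F_SECURITY on a received packet, which the soft-expiry sentence ("the SA associated with \field{resource_id}") depends on; add a device MUST for that.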
>  \drivernormative{\paragraph}{Processing of Incoming  Packets}{Device Types
> / Network Device / Device Operation /  Processing of Incoming Packets} @@ -
> 1392,6 +1430,12 @@ \subsubsection{Processing of Incoming
> Packets}\label{sec:Device Types / Network
>  VIRTIO_NET_HDR_GSO_UDP_TUNNEL_IPV6 in \field{gso_type} are not set,
> the driver MOST NOT accept the packet.
> 
> +When VIRTIO_NET_HDR_F_SECURITY and
> VIRTIO_NET_HDR_F_SECURITY_ERR bits
> +are set in the \field{flags}, it indicates that the device experienced a
> processing error on the IPsec packet.
> +It need not be an 'error packet'. For example, a particular SA was not
> +offloaded or SA has reached the SA lifetime hard limits configured in the
> \field{struct virtio_crypto_ipsec_lifetime}.
> +So vnet_hdr will have both bits set.
> +
>  \paragraph{Hash calculation for incoming packets}  \label{sec:Device Types /
> Network Device / Device Operation / Processing of Incoming Packets / Hash
> calculation for incoming packets}
> 
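Review bot: the added driver-normative paragraph describes the situation ("It need not be an 'error packet'", "So vnet_hdr will have both bits set") but contains no requirement, which is what a \drivernormative section is for. State what the driver MUST and MUST NOT do, e.g. the driver MUST NOT treat a packet with VIRTIO_NET_HDR_F_SECURITY_ERR set as authenticated or decrypted, and say whether the device delivers such a packet as received, because the "SA was not offloaded" example only works for a software IPsec fallback if the payload is untouched. `MOST NOT` in the preceding context line is a pre-existing typo for `MUST NOT` worth fixing in the same series.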
> @@ -3528,6 +3572,10 @@ \subsubsection{IPsec Operation}\label{sec:Device
> Types / Network Device / Device  See \ref{sec:Device Types / Network Device
> / Device Operation / Flow filter}  for details about flow filter.
> 
> +Note that there is a small race condition where a SA object might be
> +destroyed while a recieve packet is still inflight. The driver SHOULD
> +handle this situation appropriately.
> +
>  \paragraph{Device and driver capabilities}  \label{par:Device Types / Network
> Device / Device Operation / IPsec Operation / Device and driver capabilities}
> 
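Review bot: `recieve` should be `receive`, and "The driver SHOULD handle this situation appropriately" is not a testable requirement. Say what the race looks like (a receive buffer completed with a `resource_id` for an SA the driver has already destroyed) and what each side must do, e.g. the driver MUST NOT reuse a resource ID for a new SA until the receive queues populated before the destroy completed have been drained, otherwise a late packet from the old SA is attributed to the new one.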
> --
> 2.25.1

Reviewed-by: Parav Pandit <parav@nvidia.com>
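As an added example, not code from this patch or from the virtio project, here is one way a driver could lay out the 32-byte header this patch describes and act on the transmit and receive semantics it gives: request outbound offload on transmit, and on receive separate "not IPsec", "processed" and "processed with error" while surfacing the soft-expiry warning. The field names ahead of `outer_th_offset`, the numeric encodings of the resource types, and the sample header are assumptions and are marked as such in the code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Flag values exactly as the patch defines them. */
#define VIRTIO_NET_HDR_F_NEEDS_CSUM                    1
#define VIRTIO_NET_HDR_F_DATA_VALID                    2
#define VIRTIO_NET_HDR_F_RSC_INFO                      4
#define VIRTIO_NET_HDR_F_UDP_TUNNEL_CSUM               8
#define VIRTIO_NET_HDR_F_SECURITY                     16
#define VIRTIO_NET_HDR_F_SECURITY_ERR                 32
#define VIRTIO_NET_HDR_F_SECURITY_SA_SOFT_EXPIRY_WARN 64

/* Assumed placeholder values: the patch names VIRTIO_NET_RESOURCE_OBJ_IPSEC_OUTB_SA
 * but this message does not show its numeric encoding (nor the inbound one). */
#define ASSUMED_RESOURCE_TYPE_IPSEC_OUTB_SA 1u
#define ASSUMED_RESOURCE_TYPE_IPSEC_INB_SA  2u

/* 32-byte layout with VIRTIO_NET_F_IPSEC negotiated. Multi-byte fields are
 * little-endian on the wire, so the IPsec fields are kept as raw bytes and
 * converted explicitly. Field names before outer_th_offset follow the
 * published virtio-net header and are assumed here. */
struct __attribute__((packed)) vnet_hdr_ipsec {
    uint8_t  flags;
    uint8_t  gso_type;
    uint16_t hdr_len, gso_size, csum_start, csum_offset;
    uint16_t num_buffers;
    uint32_t hash_value;
    uint16_t hash_report;
    uint16_t padding_reserved;
    uint16_t outer_th_offset;
    uint16_t inner_nh_offset;
    uint16_t outer_nh_offset;
    union {
        uint8_t padding_reserved_2[6];
        struct __attribute__((packed)) {
            uint8_t resource_id[4];   /* le32 */
            uint8_t resource_type[2]; /* le16 */
        } ipsec_resource_hdr;
    };
};
_Static_assert(sizeof(struct vnet_hdr_ipsec) == 32, "header must be 32 bytes");

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Transmit: request outbound offload on an already-built header. Only
 * VIRTIO_NET_HDR_F_SECURITY is driver-set; ERR and SOFT_EXPIRY_WARN are
 * device-reported, so a driver never sends them. */
void vnet_tx_request_ipsec(struct vnet_hdr_ipsec *h, uint32_t outb_sa_id)
{
    h->flags &= (uint8_t)~(VIRTIO_NET_HDR_F_SECURITY_ERR |
                           VIRTIO_NET_HDR_F_SECURITY_SA_SOFT_EXPIRY_WARN);
    h->flags |= VIRTIO_NET_HDR_F_SECURITY;
    put_le32(h->ipsec_resource_hdr.resource_id, outb_sa_id);
    put_le16(h->ipsec_resource_hdr.resource_type, ASSUMED_RESOURCE_TYPE_IPSEC_OUTB_SA);
}

/* Receive: classify what the device reported. */
enum rx_ipsec_verdict {
    RX_NOT_IPSEC, /* SECURITY clear: resource fields must not be read */
    RX_IPSEC_OK,  /* device processed the packet against an SA */
    RX_IPSEC_ERR, /* SECURITY and SECURITY_ERR: not authenticated/decrypted */
};

struct rx_ipsec_result {
    enum rx_ipsec_verdict verdict;
    bool     soft_expiry_warn; /* SA crossed its soft lifetime: rekey soon */
    uint32_t resource_id;      /* valid only when verdict != RX_NOT_IPSEC */
    uint16_t resource_type;
};

struct rx_ipsec_result vnet_rx_classify(const struct vnet_hdr_ipsec *h)
{
    struct rx_ipsec_result r = { RX_NOT_IPSEC, false, 0, 0 };

    /* The resource fields are only meaningful with SECURITY set, and the
     * patch has the device set SECURITY whenever ERR/WARN apply, so ERR or
     * WARN without SECURITY is ignored rather than acted on. */
    if (!(h->flags & VIRTIO_NET_HDR_F_SECURITY))
        return r;

    r.resource_id      = get_le32(h->ipsec_resource_hdr.resource_id);
    r.resource_type    = get_le16(h->ipsec_resource_hdr.resource_type);
    r.soft_expiry_warn = (h->flags & VIRTIO_NET_HDR_F_SECURITY_SA_SOFT_EXPIRY_WARN) != 0;
    /* ERR covers "SA not offloaded" and "hard lifetime reached" as well as
     * real failures: the payload goes to the software IPsec path or is
     * dropped, and is never treated as verified. */
    r.verdict = (h->flags & VIRTIO_NET_HDR_F_SECURITY_ERR) ? RX_IPSEC_ERR : RX_IPSEC_OK;
    return r;
}

/* Constructed sample header: what a device might return for a decrypted
 * packet whose inbound SA has crossed its soft lifetime limit. */
struct rx_ipsec_result sample_rx_soft_expiry(void)
{
    struct vnet_hdr_ipsec h;
    memset(&h, 0, sizeof h);
    h.flags = VIRTIO_NET_HDR_F_DATA_VALID | VIRTIO_NET_HDR_F_SECURITY |
              VIRTIO_NET_HDR_F_SECURITY_SA_SOFT_EXPIRY_WARN;
    put_le32(h.ipsec_resource_hdr.resource_id, 0x1234u);
    put_le16(h.ipsec_resource_hdr.resource_type, ASSUMED_RESOURCE_TYPE_IPSEC_INB_SA);
    return vnet_rx_classify(&h);
}
```

The `_Static_assert` is the check worth keeping in real driver code: the union must stay exactly 6 bytes so that `padding_reserved_2` and `ipsec_resource_hdr` overlay without changing the 32-byte size the size text relies on.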



Thread overview: 6+ messages
2025-05-20 12:19 [PATCH v7 0/4] introduce IPsec Operation in virtio-net Srujana Challa
2025-05-20 12:19 ` [PATCH v7 1/4] virtio-net: Add IPsec operation, capabilities and resource objects Srujana Challa
2025-05-20 12:19 ` [PATCH v7 2/4] virtio-net: Add new flow filter selector and action for IPsec Srujana Challa
2025-05-20 12:19 ` [PATCH v7 3/4] virtio-net: extend virtio_net_hdr for IPsec support Srujana Challa
2025-05-21  6:32   ` Parav Pandit [this message]
2025-05-20 12:19 ` [PATCH v7 4/4] virtio-net: Add IPsec operation device and driver requirements Srujana Challa
