OpenDataPlane · JannePeltonen · Nov 2, 2021 · nithind1988 · Dec 7, 2021 · nithind1988
diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h
@@ -123,11 +123,20 @@ typedef struct odp_ipsec_inbound_config_t {
 	 *
 	 *  When inbound SA lookup fails in the asynchronous mode,
 	 *  resulting IPSEC events are enqueued into this queue.
+	 *
+	 *  Ignored by odp_ipsec_inline_config().
 	 */
 	odp_queue_t default_queue;
 
 	/** Constraints for SPI values used with inbound SA lookup. Minimal
-	 *  SPI range and unique values may improve performance. */
+	 *  SPI range and unique values may improve performance.
+	 *
+	 *  In odp_ipsec_config() these fields specify the constraints
+	 *  to lookups done by look-a-side processing.
+	 *
+	 *  In odp_ipsec_inline_config() these fields specify the constraints
+	 *  to lookups done by inline processing in the particular pktio.
+	 */
 	struct {
 		/** Minimum SPI value for SA lookup. Default value is 0. */
 		uint32_t min_spi;
@@ -283,7 +292,15 @@ typedef struct odp_ipsec_test_capability_t {
  * IPSEC capability
  */
 typedef struct odp_ipsec_capability_t {
-	/** Maximum number of IPSEC SAs */
+	/** Maximum number of IPSEC SAs
+	 *
+	 *  In odp_ipsec_capability() this indicates the maximum total number
+	 *  of SAs, including inline SAs.
+	 *
+	 *  In odp_ipsec_inline_capability() this indicates the maximum number
+	 *  of SAs that can be created with the given SA scope (but SAs created
+	 *  with other SA scopes may lower the maximum value).
+	 */
 	uint32_t max_num_sa;
 
 	/** Synchronous IPSEC operation mode (ODP_IPSEC_OP_MODE_SYNC) support */
@@ -297,12 +314,18 @@ typedef struct odp_ipsec_capability_t {
 	/**
 	 * Inline inbound IPSEC operation mode (ODP_IPSEC_OP_MODE_INLINE)
 	 * support
+	 *
+	 * odp_ipsec_inline_capability() sets this to ODP_SUPPORT_NO if
+	 * inbound inline processing is not supported with the given SA scope.
 	 */
 	odp_support_t op_mode_inline_in;
 
 	/**
 	 * Inline outgoing IPSEC operation mode (ODP_IPSEC_OP_MODE_INLINE)
 	 * support
+	 *
+	 * odp_ipsec_inline_capability() sets this to ODP_SUPPORT_NO if
+	 * outbound inline processing is not supported with the given SA scope.
 	 */
 	odp_support_t op_mode_inline_out;
 
@@ -335,6 +358,10 @@ typedef struct odp_ipsec_capability_t {
 	/** Maximum number of different destination CoSes in classification
 	 *  pipelining. The same CoS may be used for many SAs. This is equal or
 	 *  less than 'max_cos' capability in classifier API.
+	 *
+	 *  In odp_ipsec_inline_capability() this indicates the maximum number
+	 *  of destination CoSes that can be used in the given SA scope
+	 *  (but SAs created with other SA scopes may lower the maximum value).
 	 */
 	uint32_t max_cls_cos;
 
@@ -426,19 +453,30 @@ typedef struct odp_ipsec_config_t {
 	/** Inbound IPSEC operation mode. Application selects which mode
 	 *  will be used for inbound IPSEC operations.
 	 *
+	 *  Ignored by odp_ipsec_inline_config().
+	 *
 	 *  @see odp_ipsec_in(), odp_ipsec_in_enq()
 	 */
 	odp_ipsec_op_mode_t inbound_mode;
 
 	/** Outbound IPSEC operation mode. Application selects which mode
 	 *  will be used for outbound IPSEC operations.
 	 *
+	 *  Ignored by odp_ipsec_inline_config().
+	 *
 	 *  @see odp_ipsec_out(), odp_ipsec_out_enq(), odp_ipsec_out_inline()
 	 */
 	odp_ipsec_op_mode_t outbound_mode;
 
 	/** Maximum number of IPSEC SAs that application will use
-	 * simultaneously */
+	 * simultaneously
+	 *
+	 * In odp_ipsec_config() this is the maximum total number of all SAs,
+	 * including inline SAs.
+	 *
+	 * In odp_ipsec_inline_config() this is the maximum number of inline
+	 * SAs that have the pktio in their scope.
+	 */
 	uint32_t max_num_sa;
 
 	/** IPSEC inbound processing configuration */
@@ -821,6 +859,40 @@ typedef enum odp_ipsec_ip_version_t {
 
 } odp_ipsec_ip_version_t;
 
+/**
+ * IPsec inline scope
+ *
+ * Defines the scope where an inline SA can be used. The scope includes
+ * one or more pktios for inline processing and optionally look-a-side
+ * processing using async IPsec operations.
+ *
+ * An inline SA may not be used outside its configured scope in async
+ * or outbound inline operations. Received packets are matched against
+ * the SA for inbound inline processing only in the pktios that are in
+ * the scope of the SA and if inbound inline processing has been enabled
+ * for the pktio.
+ *
+ * TODO: Do we require that the pktios have been configured at SA creation
+ * time and that the configuration does not change if an SA has it in its
+ * scope?
+ *
+ * It is implementation dependent which scopes are supported.
+ */
+typedef struct {
+	/** Number of pktios in the pktio array. Zero means all pktios.
+	 *  Default value is zero.
+	 */
+	int num_pktio;
+
+	/** Pointer to an array of num_pktio pktios. Ignored if num_pktio
+	 *  is zero.
+	 */
+	odp_pktio_t *pktio;
+
+	/** Enable look-a-side operations too. Default is false. */
+	odp_bool_t look_a_side;
+} odp_ipsec_inline_sa_scope_t;
+
 /**
  * IPSEC Security Association (SA) parameters
  */
@@ -870,6 +942,22 @@ typedef struct odp_ipsec_sa_param_t {
 	 */
 	uint32_t context_len;
 
+	/** Parameters specific to inline processing */
+	struct {
+		/** Enable inline processing for this SA
+		 *
+		 * Whether look-a-side async processing is also possible
+		 * depends on the scope parameter.
+		 *
+		 * Default value is false.
+		 */
+		odp_bool_t inline_enable;
+
+		/** Scope where this SA can be used. Ignored if inline
+		 * processing is not enabled. */
+		odp_ipsec_inline_sa_scope_t inline_scope;
+	} inline_param;
+
 	/** IPSEC SA direction dependent parameters */
 	struct {
 		/** Inbound specific parameters */
@@ -929,7 +1017,9 @@ typedef struct odp_ipsec_sa_param_t {
 			 *  the synchronous API function.
 			 *
 			 *  Fragments received through different SAs will not be
-			 *  reassembled into the same packet.
+			 *  reassembled into the same packet. Inline processed
+			 *  fragments that are received through different
+			 *  pktios may not be reassembled into the same packet.
 			 *
 			 *  IPsec statistics reflect IPsec processing before
 			 *  reassembly and thus count all individual fragments.
@@ -938,6 +1028,12 @@ typedef struct odp_ipsec_sa_param_t {
 			 *  reassembly was enabled in the global IPsec
 			 *  configuration.
 			 *
+			 *  Reassembly can always be enabled for an SA but
+			 *  whether ressemly is attempted depends on the global
+			 *  IPsec configuration in look-a-side processing and
+			 *  on pktio specific IPsec configuration in inline
+			 *  processing.
+			 *
 			 *  Default value is false.
 			 *
 			 *  @see odp_ipsec_config()
@@ -1088,7 +1184,9 @@ typedef struct odp_ipsec_sa_info_t {
 /**
  * Query IPSEC capabilities
  *
- * Outputs IPSEC capabilities on success.
+ * Outputs IPSEC capabilities on success. The capabilities returned are
+ * for look-a-side type synchronous and asynchronous processing. Use
+ * odp_ipsec_inline_capability() to query inline processing capabilities.
  *
  * @param[out] capa   Pointer to capability structure for output
  *
@@ -1097,6 +1195,18 @@ typedef struct odp_ipsec_sa_info_t {
  */
 int odp_ipsec_capability(odp_ipsec_capability_t *capa);
 
+/**
+ * Query capabilities for a given inline SA scope
+ *
+ * @param      scope  Inline SA scope
+ * @param[out] capa   Pointer to capability structure for output
+ *
+ * @retval 0 on success
+ * @retval <0 on failure
+ */
+int odp_ipsec_inline_capability(const odp_ipsec_inline_sa_scope_t *scope,
+				odp_ipsec_capability_t *capa);
+
 /**
  * Query supported IPSEC cipher algorithm capabilities
  *
@@ -1105,6 +1215,10 @@ int odp_ipsec_capability(odp_ipsec_capability_t *capa);
  * length. Use this information to select key lengths, etc cipher algorithm
  * options for SA creation (odp_ipsec_crypto_param_t).
  *
+ * The capabilities returned are for look-a-side type synchronous and
+ * asynchronous processing. Use odp_ipsec_inline_cipher_capability()
+ * to query inline processing capabilities.
+ *
  * @param      cipher       Cipher algorithm
  * @param[out] capa         Array of capability structures for output
  * @param      num          Maximum number of capability structures to output
@@ -1117,6 +1231,27 @@ int odp_ipsec_capability(odp_ipsec_capability_t *capa);
 int odp_ipsec_cipher_capability(odp_cipher_alg_t cipher,
 				odp_ipsec_cipher_capability_t capa[], int num);
 
+/**
+ * Query supported IPSEC cipher algorithm capabilities for inline processing
+ *
+ * This is similar to odp_ipsec_cipher_capability() but returns capabilities
+ * for a given inline SA scope.
+ *
+ * @param      scope        Inline SA scope
+ * @param      cipher       Cipher algorithm
+ * @param[out] capa         Array of capability structures for output
+ * @param      num          Maximum number of capability structures to output
+ *
+ * @return Number of capability structures for the algorithm. If this is larger
+ *         than 'num', only 'num' first structures were output and application
+ *         may call the function again with a larger value of 'num'.
+ * @retval <0 on failure
+ */
+int odp_ipsec_inline_cipher_capability(const odp_ipsec_inline_sa_scope_t *scope,
+				       odp_cipher_alg_t cipher,
+				       odp_ipsec_cipher_capability_t capa[],
+				       int num);
+
 /**
  * Query supported IPSEC authentication algorithm capabilities
  *
@@ -1125,6 +1260,10 @@ int odp_ipsec_cipher_capability(odp_cipher_alg_t cipher,
  * length. Use this information to select key lengths, etc authentication
  * algorithm options for SA creation (odp_ipsec_crypto_param_t).
  *
+ * The capabilities returned are for look-a-side type synchronous and
+ * asynchronous processing. Use odp_ipsec_inline_auth_capability()
+ * to query inline processing capabilities.
+ *
  * @param      auth         Authentication algorithm
  * @param[out] capa         Array of capability structures for output
  * @param      num          Maximum number of capability structures to output
@@ -1137,6 +1276,27 @@ int odp_ipsec_cipher_capability(odp_cipher_alg_t cipher,
 int odp_ipsec_auth_capability(odp_auth_alg_t auth,
 			      odp_ipsec_auth_capability_t capa[], int num);
 
+/**
+ * Query supported IPSEC cipher algorithm capabilities for inline processing
+ *
+ * This is similar to odp_ipsec_auth_capability() but returns capabilities
+ * for a given inline SA scope.
+ *
+ * @param      scope        Inline SA scope
+ * @param      auth         Authentication algorithm
+ * @param[out] capa         Array of capability structures for output
+ * @param      num          Maximum number of capability structures to output
+ *
+ * @return Number of capability structures for the algorithm. If this is larger
+ *         than 'num', only 'num' first structures were output and application
+ *         may call the function again with a larger value of 'num'.
+ * @retval <0 on failure
+ */
+int odp_ipsec_inline_auth_capability(const odp_ipsec_inline_sa_scope_t *scope,
+				     odp_auth_alg_t auth,
+				     odp_ipsec_cipher_capability_t capa[],
+				     int num);
+
 /**
  * Initialize IPSEC configuration options
  *
@@ -1164,6 +1324,30 @@ void odp_ipsec_config_init(odp_ipsec_config_t *config);
  */
 int odp_ipsec_config(const odp_ipsec_config_t *config);
 
+/**
+ * Inline IPsec config for a particular pktio.
+ *
+ * Ínitialize and configure IPsec for use in inline processing mode with
+ * a given pktio. This must be called after odp_ipsec_config() has been called
+ * with ODP_IPSEC_OP_MODE_INLINE inbound_mode or outbound_mode, after the
+ * pktio has been configured and before any inline SAs is created with
+ * a scope that includes the pktio.
+ *
+ * Calling this function multiple times for the same open pktio results in
+ * undefined behaviour.
+ *
+ * @param pktio    Inline-enabled open pktio for which the configuration is
+ *                 done
+ * @param config   Pointer to IPSEC configuration structure
+ *
+ * @retval 0 on success
+ * @retval <0 on failure
+ *
+ * @see odp_ipsec_inline_capability(), odp_ipsec_config_init()
+ */
+int odp_ipsec_inline_config(odp_pktio_t pktio,
+			    const odp_ipsec_config_t *config);
+
 /**
  * Initialize IPSEC SA parameters
  *
@@ -1471,9 +1655,10 @@ typedef struct odp_ipsec_in_param_t {
 typedef struct odp_ipsec_out_inline_param_t {
 	/** Packet output interface for inline outbound operation without TM
 	 *
-	 *  Outbound inline IPSEC operation uses this packet IO interface to
-	 *  output the packet after a successful IPSEC transformation. The pktio
-	 *  must have been configured to operate in inline IPSEC mode.
+	 *  Outbound inline IPsec operation uses this packet IO interface to
+	 *  output the packet after a successful IPsec transformation.
+	 *  The pktio must have been included in the inline scope of the
+	 *  SA and must have been configured to operate in inline IPsec mode.
 	 *
 	 *  The pktio must not have been configured with ODP_PKTOUT_MODE_TM.
 	 *  For IPSEC inline output to TM enabled interfaces set this field