Branch: refs/heads/master Home: https://github.com/Linaro/odp Commit: f60d82e96b995e10217ab40b6ad9f9cba3a6cadb https://github.com/Linaro/odp/commit/f60d82e96b995e10217ab40b6ad9f9cba3a6cadb Author: Janne Peltonen <janne.pelto...@nokia.com> Date: 2018-10-10 (Wed, 10 Oct 2018)
Changed paths: M platform/linux-generic/odp_ipsec.c Log Message: ----------- linux-gen: ipsec: speed up random IV generation by thread-local buffering Outbound IPsec processing for SAs that require random IV is slow since the the OpenSSL based odp_random_data() is slow and not multi-thread scalable. Improve performance by not calling odp_random_data() for every packet but by getting random data for IVs from a thread local buffer that is filled by less frequent but larger odp_random_data requests. Signed-off-by: Janne Peltonen <janne.pelto...@nokia.com> Reviewed-by: Dmitry Eremin-Solenikov <dmitry.ereminsoleni...@linaro.org> Reviewed-by: Bill Fischofer <bill.fischo...@linaro.org> Signed-off-by: Maxim Uvarov <maxim.uva...@linaro.org> Commit: 917a2bf7e8a41538f811889099738eb3979efc3a https://github.com/Linaro/odp/commit/917a2bf7e8a41538f811889099738eb3979efc3a Author: Janne Peltonen <janne.pelto...@nokia.com> Date: 2018-10-10 (Wed, 10 Oct 2018) Changed paths: M platform/linux-generic/include/odp_ipsec_internal.h M platform/linux-generic/odp_ipsec.c M platform/linux-generic/odp_ipsec_sad.c Log Message: ----------- linux-gen: ipsec: remove SA reference counting from outbound processing SA reference counting in IPsec output has severe performance penalty when the same SA is used in multiple threads. Remove SA reference counting from odp_ipsec_out() and odp_ipsec_out_enq() as it is actually unnecessary with applications adhering to the ODP API. The reference counting would prevent odp_ipsec_sa_disable() from completing if IPsec outbound processing for the same SA were still in progress in some other thread. With a correctly behaving ODP application such situation never occurs because the ODP API requires that odp_ipsec_sa_disable() must not be called at the same time as odp_ipsec_out() or odp_ipsec_out_enq() for the same SA. The disable call must thus happen after (in the C11 thread model sense, including memory ordering) any conflicting IPsec output call, which means that the ODP application must use appropriate synchronization mechanisms to ensure that all odp_ipsec_out()/odp_ipsec_out_enc() calls (for the SA) have completed before odp_ipsec_sa_disable() is called. Similarly, when an SA is created, the handle must not be used in other threads for output before the creation is complete and visible. This means that an ODP application must use proper synchronization mechanism when passing the handle of a newly created SA to another thread and before using it there. This in turns make the SA state check in ipsec_sa_lock() unnecessary when indirectly called through the IPsec output routines. Signed-off-by: Janne Peltonen <janne.pelto...@nokia.com> Reviewed-by: Dmitry Eremin-Solenikov <dmitry.ereminsoleni...@linaro.org> Reviewed-by: Bill Fischofer <bill.fischo...@linaro.org> Signed-off-by: Maxim Uvarov <maxim.uva...@linaro.org> Commit: 23e4a06ea025492e33a9a0f759386133e9eef6ad https://github.com/Linaro/odp/commit/23e4a06ea025492e33a9a0f759386133e9eef6ad Author: Janne Peltonen <janne.pelto...@nokia.com> Date: 2018-10-10 (Wed, 10 Oct 2018) Changed paths: M platform/linux-generic/include/odp_ipsec_internal.h M platform/linux-generic/odp_ipsec.c M platform/linux-generic/odp_ipsec_sad.c Log Message: ----------- linux-gen: ipsec: separate hot r/w data from r/o data in an SA Group very frequently updated SA state together, separately from read-only data to reduce false sharing of cache lines and resulting cache missed (not done for tun_ipv4.hdr_id which should be removed). Signed-off-by: Janne Peltonen <janne.pelto...@nokia.com> Reviewed-by: Dmitry Eremin-Solenikov <dmitry.ereminsoleni...@linaro.org> Reviewed-by: Bill Fischofer <bill.fischo...@linaro.org> Signed-off-by: Maxim Uvarov <maxim.uva...@linaro.org> Commit: 3b11463dc8f9ce6bdb95490eeda933e6b6be3534 https://github.com/Linaro/odp/commit/3b11463dc8f9ce6bdb95490eeda933e6b6be3534 Author: Janne Peltonen <janne.pelto...@nokia.com> Date: 2018-10-10 (Wed, 10 Oct 2018) Changed paths: M platform/linux-generic/include/odp_ipsec_internal.h M platform/linux-generic/odp_ipsec.c M platform/linux-generic/odp_ipsec_sad.c Log Message: ----------- linux-gen: ipsec: use sequence number counter for counter based IV Reduce frequently updated SA state by reusing 64-bit sequence number as a counter based IV instead of having a separate counter for it. Signed-off-by: Janne Peltonen <janne.pelto...@nokia.com> Reviewed-by: Dmitry Eremin-Solenikov <dmitry.ereminsoleni...@linaro.org> Reviewed-by: Bill Fischofer <bill.fischo...@linaro.org> Signed-off-by: Maxim Uvarov <maxim.uva...@linaro.org> Commit: 71b674a18a4655ab17bb9ab851492f8c51a9b950 https://github.com/Linaro/odp/commit/71b674a18a4655ab17bb9ab851492f8c51a9b950 Author: Janne Peltonen <janne.pelto...@nokia.com> Date: 2018-10-10 (Wed, 10 Oct 2018) Changed paths: M test/validation/api/ipsec/ipsec.c Log Message: ----------- validation: ipsec: make output checking accept any IP ID value ODP implementation is free to choose the IP ID value in the outbound IP header. Make outbound validation check accept any IP ID value, not just the one in the test vector. Relax packet check for AH packets since IP ID is included in the ICV and the expected ICV cannot be easily calculated in the current api validation code. Fixes: https://bugs.linaro.org/show_bug.cgi?id=4017 Signed-off-by: Janne Peltonen <janne.pelto...@nokia.com> Reviewed-by: Dmitry Eremin-Solenikov <dmitry.ereminsoleni...@linaro.org> Reviewed-by: Bill Fischofer <bill.fischo...@linaro.org> Signed-off-by: Maxim Uvarov <maxim.uva...@linaro.org> Commit: 0c6352e2d0f755c310692f5cf627801abf8ccb63 https://github.com/Linaro/odp/commit/0c6352e2d0f755c310692f5cf627801abf8ccb63 Author: Janne Peltonen <janne.pelto...@nokia.com> Date: 2018-10-10 (Wed, 10 Oct 2018) Changed paths: M platform/linux-generic/include/odp_ipsec_internal.h M platform/linux-generic/odp_ipsec.c M platform/linux-generic/odp_ipsec_sad.c Log Message: ----------- linux-gen: ipsec: use global IPv4 ID allocator for all tunnel SAs Change the per-SA IPv4 ID allocator to a global one for IPsec to reduce the risk of duplicate IPv4 IDs when there are multiple SAs between the same endpoints. Use zero IPv4 ID in atomic datagrams (RFC 6864). Fixes: https://bugs.linaro.org/show_bug.cgi?id=4013 Signed-off-by: Janne Peltonen <janne.pelto...@nokia.com> Reviewed-by: Dmitry Eremin-Solenikov <dmitry.ereminsoleni...@linaro.org> Reviewed-by: Bill Fischofer <bill.fischo...@linaro.org> Signed-off-by: Maxim Uvarov <maxim.uva...@linaro.org> Commit: 577a58dddef4824f709f00b602543bde3f440ac7 https://github.com/Linaro/odp/commit/577a58dddef4824f709f00b602543bde3f440ac7 Author: Janne Peltonen <janne.pelto...@nokia.com> Date: 2018-10-10 (Wed, 10 Oct 2018) Changed paths: M platform/linux-generic/odp_ipsec_sad.c Log Message: ----------- linux-gen: ipsec: make IPv4 ID allocator scale better to multiple threads Allocate IPv4 ID to threads in blocks to avoid updating shared IPv4 ID variable for every packet. Keep free ID blocks in a ring to maximize the time before reusing a block. Signed-off-by: Janne Peltonen <janne.pelto...@nokia.com> Reviewed-by: Dmitry Eremin-Solenikov <dmitry.ereminsoleni...@linaro.org> Reviewed-by: Bill Fischofer <bill.fischo...@linaro.org> Signed-off-by: Maxim Uvarov <maxim.uva...@linaro.org> Compare: https://github.com/Linaro/odp/compare/65f2959da164...577a58dddef4 **NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/ Functionality will be removed from GitHub.com on January 31st, 2019.