Sample controller applications for a given DPL programs are installed by the dpl-rt-controller-samples package at the /opt/dpl_rt_controller/samples/ directory.

Warning Building the sample applications requires meson utility. Make sure it is available on your system. To install meson on Ubuntu, run: Copy Copied! sudo apt update sudo apt install meson

Follow these steps to build and run a sample application:

Connect to the DPU. Make sure the DPL Runtime Service is up and running. See DPL Container Deployment for more details. Navigate to the desired sample application directory (one of the folders under /opt/dpl_rt_controller/samples/ on the DPU). Compile the provided DPL program (e.g., hello_world.p4 ) found at the sample's directory. See Compiling DPL Applications for more details. Copy the DPL program compilation output directory ( _out ) to a local path on the DPU. Note The compilation output directory contains the required C header files ( <program name>_dpl_shm.h and <program name>_dpl_shm_id.h ) for compiling the sample controller application. Compile the C sample application: Copy Copied! cd /opt/dpl_rt_controller/samples/<sample_name> meson /tmp/build -Dsample_programs_out=<PATH_TO_DPL_PROGRAM_COMPILATION_OUT_FOLDER> ninja -C /tmp/build Note Replace the <PATH_TO_DPL_PROGRAM_COMPILATION_OUT_FOLDER> with the path to the local directory containing the DPL program compilation output folder (where the required C header files ( <program name>_dpl_shm.h and <program name>_dpl_shm_id.h ) are found). Note For the PSP sample, the meson option -Dsample_programs_out=... is not required and will be ignored. Info The binary dpl_sample_<sample_name> is created under /tmp/build/ . Run the sample application using a privileged user. For example: Copy Copied! sudo /tmp/build/dpl_sample_basic 1000 <path-to-p4info.txt> <path-to-dplconfig>

This sample demonstrates how to manage entries on a High Update Rate table as well as a regular table.

The sample logic includes:

Connecting to dpl_rtd over gRPC. Loading a DPL program. Connecting to dpl_rtd over SHM (Shared Memory). Adding entry to a regular table. Adding entry to a High Update Rate table. Reading entries counter. Deleting entries. Displaying statistics. Disconnecting and destroying all structures.

References:

/opt/dpl_rt_controller/samples/basic/basic_sample.cc

/opt/dpl_rt_controller/samples/basic/basic_main.cc

/opt/dpl_rt_controller/samples/basic/hello_world.p4

/opt/dpl_rt_controller/samples/basic/meson_options.txt

/opt/dpl_rt_controller/samples/basic/meson.build

This sample demonstrates how to use the generic dpl_rt_controller APIs to manage regular P4Runtime tables when High Update Rate tables are neither required nor defined in the DPL program.

The sample logic includes:

Connecting to dpl_rtd over gRPC. Loading a DPL program. Creating dpl_rt_controller device without SHM support. Adding entry to a regular table. Reading entries counter. Deleting entries. Disconnecting and destroying all structures.

References:

/opt/dpl_rt_controller/samples/grpc_only/grpc_only_sample.cc

/opt/dpl_rt_controller/samples/grpc_only/grpc_only_main.cc

/opt/dpl_rt_controller/samples/grpc_only/grpc_only.p4

/opt/dpl_rt_controller/samples/grpc_only/meson_options.txt

/opt/dpl_rt_controller/samples/grpc_only/meson.build

The sample logic includes:

Connecting to dpl_rtd over gRPC. Loading a DPL program. Connecting to dpl_rtd over SHM (SHared Memory). Adding 2 entries to a regular table (gRPC) with very long timeout. Adding 2 entries to a High Update Rate table (SHM) very long timeout. Waiting for couple of seconds to see if entries expire (shouldn't). Querying for stale entries (should find any). Modifying idle timeout for one gRPC entry and one SHM entry. Querying for stale entries (should find two). Deleting all entries. Displaying statistics. Disconnecting and destroying all structures.

References:

/opt/dpl_rt_controller/samples/idle_timeout/idle_timeout_sample.cc

/opt/dpl_rt_controller/samples/idle_timeout/idle_timeout_main.cc

/opt/dpl_rt_controller/samples/idle_timeout/idle_timeout.p4

/opt/dpl_rt_controller/samples/idle_timeout/meson_options.txt

/opt/dpl_rt_controller/samples/idle_timeout/meson.build

This sample demonstrates how to manage a TCP connection state, including adding entries to track connections and retrieving the connection's acknowledgement (ACK) number and sequence (SEQ) number of the last packet that hit the TCP state object.

The sample logic includes:

Connecting to dpl_rtd over gRPC. Loading a DPL program. Connecting to dpl_rtd over SHM (SHared Memory). Setting up DPDK for packet processing and table entry management (addition/deletion). Printing statistics and current TCP state object info. Disconnecting and destroying all structures.

References:

/opt/dpl_rt_controller/samples/tcp_state/tcp_state.p4

/opt/dpl_rt_controller/samples/tcp_state/tcp_state_sample.cc

/opt/dpl_rt_controller/samples/tcp_state/tcp_state_main.cc

/opt/dpl_rt_controller/samples/tcp_state/meson_options.txt

/opt/dpl_rt_controller/samples/tcp_state/meson.build

This sample application provides PSP (PSP Security Protocol) cryptographic key management for DOCA Pipeline Language (DPL) Service. It enables hardware-based key generation using MLX5 DevX API, gRPC-based key exchange, and direct DEK (Data Encryption Key) programming to the NIC hardware.

While PSP key exchange is outside the scope of DOCA Pipeline Language itself, this PSP sample application, together with the supplied DPL program, allows a complete end-to-end workflow for PSP key exchange and encrypted traffic forwarding.

Note In its current implementation, the PSP Sample application only programs the remote DEKs, which enables one-way communication from the client (sender) to the server (receiver).

psp_main.cpp - Main application providing CLI interface and orchestrating the entire key generation, key exchange and key programming workflow

Key Generator - Generates pairs of encryption PSP key + Security Parameter Index (SPI) using MLX5 DevX API

gRPC Client - Initiates key exchange requests to remote PSP gateways

gRPC Server - Responds to key exchange requests from remote clients

DEK Modifier - Programs PSP Data Encryption Keys (DEKs) to NIC hardware via DPL RT Controller

psp_key_generator.h/.cpp - Hardware key generation via MLX5 DevX API

psp_key_exchange_client.h/.cpp - gRPC client for key exchange

psp_key_exchange_server.h/.cpp - gRPC server for key exchange

psp_dek_modifier.h/.cpp - DEK programming via DPL RT Controller

psp_main.cpp - Main application with CLI

mlx5_ifc_psp.h - MLX5 interface structures for PSP operations

grpc/psp_gateway.proto - gRPC protocol definition

The provided DPL program psp.p4 is designed for use on both client and server sides, implementing bidirectional PSP processing pipelines.

Note The example DPL program currently uses NvPSPVersion.V0_AES_GCM_128 (PSP version 0) in the encapsulation actions. For production use with different PSP versions, the program can be modified accordingly.

Note The example DPL program includes a constant, PSP_ENCAP_SRC_MAC .

The program uses the ingress port to automatically determine packet direction:

TX Direction (miss on direction_table): Packets from VFs are processed by the encapsulation pipeline

RX Direction (hit on direction_table): Packets from wire ports are processed by the decapsulation pipeline

Handles outgoing traffic from the host to the network.

Match Criteria:

IPv4 source address (exact match)

IPv4 destination address (exact match)

Actions:

PSP Encapsulation: Adds PSP header and trailer to outgoing packets

PSP Encryption: Encrypts the packet using the programmed DEK object (referenced by sa_index )

Forwarding:

Matched packets: Encrypted and forwarded to wire port (port 0)

Unmatched packets: Forwarded to VF #3 (non-PSP traffic)

Handles incoming PSP traffic from the network.

Match Criteria:

PSP Security Parameters Index (SPI) from the PSP header (exact match)

Processing Flow:

PSP Detection: Check if packet has a valid PSP header

Decryption: Hardware automatically decrypts the packet payload (key is derived from SPI)

Syndrome Check: Examine std_meta.psp_syndrome field to verify decryption status

Action (based on Status):

Decryption Success (syndrome.miss):

PSP header and trailer are removed (decapsulation)

Original inner packet is forwarded to VF #1

Decryption Failure (syndrome.hit):

Increment indirect counter at index matching the syndrome value (see PSP Syndrome Values for error types)

Forward error packet to VF #2 for inspection

Non-PSP Traffic:

Forward to VF #3 (passthrough)

When decryption fails, the std_meta.psp_syndrome field is set to indicate the failure reason. The program monitors these syndromes using an indirect counter whose index corresponds to the syndrome value:

NvPSPStatus.ICV_FAIL - Authentication failure NvPSPStatus.BAD_TRAILER - Trailer overlaps with headers NvPSPStatus.BAD_CONTEXT - Corrupted context/keys NvPSPStatus.GENERAL_ERROR - General error

Note You can query the indirect counter using P4 Runtime Shell to monitor decryption failures: ce = counter_entry["psp.decap.syndrome_counter"] ce.read((lambda ce: print(ce))) This helps diagnose PSP-related issues such as key mismatches, packet corruption, or configuration problems.

Before loading the DPL application and using the PSP sample application, ensure the following services and components are properly set up:

DPL Compiler - Required to compile the DPL program. Refer to Compiling DPL Applications in the DOCA documentation for installation and usage instructions.

DPL Runtime Service - Must be running and configured on the BlueField (Arm side). See the DPL Runtime Service documentation and DPL Container Deployment page for setup instructions.

DPL Development Container - Required on the host system along with the p4runtime_sh.sh launch script. See the DPL Installation Guide for installation details.

The dpl_sample_psp executable operates in client/server mode for PSP key exchange with automatic DEK programming.

-m, --mode <client|server> - Operation mode

-P, --port <port> - Listen port (default: 50051)

--ib-device <name> - IB device for key generation (default: auto-detect first mlx5 device)

-p, --peer <ip:port> - Remote PSP gateway address (key exchange server)

-n, --num-pairs <n> - Number of key/SPI pairs to exchange (default: 1)

-v, --psp-version <0|1> - PSP version: 0=AES-GCM-128, 1=AES-GCM-256 (default: 0)

-d, --device-id <id> - DPL device ID (default: 1000)

-r, --dpl-rtd <address> - DPL RTD service address (default: localhost:9559)

-I, --p4info <path> - Path to P4Info file (optional, must be specified with --program-blob )

-b, --program-blob <path> - Path to program blob (optional, must be specified with --p4info )

-e, --psp-extern <name> - PSP extern instance name (default: my_psp)

Note Both --p4info and --program-blob must be provided together to load a DPL program, or both can be omitted to connect without loading a program.

This subsection provides a complete end-to-end workflow for PSP key exchange and encrypted traffic forwarding.

Compile your PSP-enabled DPL program using the DPL compiler:

Copy Copied! dplp4c.sh --target doca psp.p4

By default, this generates the following files in the _out/ directory:

psp.dplconfig - Program blob

psp.p4info.txt - P4Info file describing the program's tables and actions

On both client and server systems, start the DPL Runtime Service (refer to Prerequisites subsection for details). The DPL Runtime Agent listens on port 9559 by default.

Start the server-side PSP sample application (adjust paths to match your compilation output directory from Step 1):

Copy Copied! ./dpl_sample_psp \ --mode server \ --port 50051 \ --device- id 1000 \ --dpl-rtd localhost:9559 \ --p4info _out/psp.p4info.txt \ --program-blob _out/psp.dplconfig \ --psp-extern psp_crypto \ --ib-device mlx5_0

The server will:

Connect to the local DPL Runtime Agent

Load the program blob and P4Info files

Listen for key exchange requests on port 50051

Start the client-side PSP key sample application (adjust paths to match your compilation output directory from Step 1):

Copy Copied! ./dpl_sample_psp \ --mode client \ --peer 192.168.1.100:50051 \ --device- id 1000 \ --dpl-rtd localhost:9559 \ --p4info _out/psp.p4info.txt \ --program-blob _out/psp.dplconfig \ --psp-extern psp_crypto \ --num-pairs 2 \ --ib-device mlx5_0

The client will:

Generate hardware-based key+SPI pairs Initiate out-of-band gRPC key exchange with the server Receive keys from the server (matching the requested PSP version) Automatically program DEKs to the local DPL Runtime Agent

After key exchange completes, the client-side sample application exits. To allow P4 RT Shell access, stop the server-side sample application (e.g., Ctrl+C in its terminal or a similar termination method).

Use P4 Runtime Shell (supplied with the DPL Development Container, see Prerequisites) to connect to the DPL Runtime Service and insert table entries:

Copy Copied! ./p4runtime_sh.sh -a 192.168.1.100:9559 -d 1000

Note You may need to stop the PSP sample application on the server to allow P4 RT Shell to connect to the device, as only one P4 Runtime client can connect at a time.





On Client (Sender) Side - PSP Encapsulation Table, insert a traffic matching entry to apply PSP encapsulation and encryption. Replace the assignments of spi and sa_index with the specific remote SPI (decimal) and DEK index (decimal) received from the key exchange process:

Copy Copied! te = table_entry[ "psp.encap.encap_table" ](action = "psp.encap.encrypt_tunnel" ) te.match[ "headers.ipv4.dst_addr" ] = "2.2.2.2" te.match[ "headers.ipv4.src_addr" ] = "1.1.1.1" te.action[ "dst_addr" ] = "ff:ff:ff:ff:ff:ff" te.action[ "src_addr" ] = "00:22:33:44:55:66" te.action[ "src_ip" ] = "1.1.1.1" te.action[ "dst_ip" ] = "2.2.2.2" te.action[ "spi" ] = "66" te.action[ "sa_index" ] = "3" te.insert() te.read( lambda te: print (te))

On Server (Receiver) Side - PSP Decapsulation Table, insert an entry to match the SPI and apply PSP decapsulation. Replace the assignment of security_parameters_index with the same remote SPI received from the key exchange process:

Copy Copied! te = table_entry[ "psp.decap.decap_table" ](action = "decap" ) te.match[ "headers.psp.security_parameters_index" ] = "66" te.action[ "dst_addr" ] = "ff:ff:ff:ff:ff:ff" te.action[ "src_addr" ] = "00:22:33:44:55:66" te.insert() te.read( lambda te: print (te))

Note Verify that the SPI is synchronized across both entries, using one of the remote SPI values obtained from Step 4. On the sender side, set sa_index to the DEK index that pairs with that specific remote SPI.





On the server side, capture traffic on the first Virtual Function (VF).

For example, using tcpdump:

Copy Copied! sudo tcpdump -i <vf_interface> -vvv -X

Replace <vf_interface> with your VF's interface name (e.g., eth8 ).

On the client side, send a test packet to a VF as an ingress port.

For example, using Scapy packet manipulation tool :

Copy Copied! from scapy. all import * sendp( Ether(src = "00:11:11:11:11:11" , dst = "00:22:22:22:22:22" ) / IP(src = "1.1.1.1" , dst = "2.2.2.2" ) / Raw(load = b '\xCA\xFE\x12\x34' ), iface = 'eth8' )

Replace eth8 with the interface name of the first VF.

Expected Behavior:

On Client (Sender):

Original packet is matched against the encapsulation table

PSP header and trailer are added

Packet payload is encrypted using the programmed DEK

Encrypted packet is forwarded to the wire

On Server (Receiver):

Incoming PSP packet is matched by SPI against the decapsulation table

Hardware automatically decrypts the packet using the derived key

If decryption succeeds, PSP header and trailer are removed and the resulting packet is forwarded to VF #1

If decryption fails, the packet will be forwarded to VF #2 and the indirect counter associated with the PSP Syndrome will be incremented (see "Processing Flow" above)

If the packet is not PSP, it will be forwarded to VF #3

In tcpdump on the receiver side, you should see the original unencrypted packet (after successful decapsulation) arrive at the VF #1 interface.

This sample demonstrates the capabilities of the controller to control a VxLAN gateway program with High Update Rate tables, and counters.

The sample logic includes:

Connecting to dpl_rtd over gRPC. Loading a DPL program. Connecting to dpl_rtd over SHM (SHared Memory). Adding entries from 'gateway.entries.json' file to High Update Rate tables. Printing counters and entries at key press. Disconnecting and destroying all structures.

References: