Commit 016eb590 authored by David S. Miller's avatar David S. Miller

Merge branch 'macsec-offload-mlx5'



Saeed Mahameed says:

====================
Introduce MACsec skb_metadata_dst and mlx5 macsec offload

v1->v2:
   - attach mlx5 implementation patches.

This patchset introduces MACsec skb_metadata_dst to lay the ground
for MACsec HW offload.

MACsec is an IEEE standard (IEEE 802.1AE) for MAC security.
It defines a way to establish a protocol independent connection
between two hosts with data confidentiality, authenticity and/or
integrity, using GCM-AES. MACsec operates on the Ethernet layer and
as such is a layer 2 protocol, which means it’s designed to secure
traffic within a layer 2 network, including DHCP or ARP requests.

Linux has a software implementation of the MACsec standard and
HW offloading support.
The offloading is re-using the logic, netlink API and data
structures of the existing MACsec software implementation.

For Tx:
In the current MACsec offload implementation, MACsec interfaces shares
the same MAC address by default.
Therefore, HW can't distinguish from which MACsec interface the traffic
originated from.

MACsec stack will use skb_metadata_dst to store the SCI value, which is
unique per MACsec interface, skb_metadat_dst will be used later by the
offloading device driver to associate the SKB with the corresponding
offloaded interface (SCI) to facilitate HW MACsec offload.

For Rx:
Like in the Tx changes, if there is more than one MACsec device with
the same MAC address as the packet's destination MAC, the packet will
be forwarded only to one of the devices and not necessarily to the desired one.

The offloading device driver sets the MACsec skb_metadata_dst sci
field with the appropriate Rx SCI for each SKB so the MACsec rx handler
will know to which port to divert those skbs, instead of wrongly relying
solely on dst MAC address comparison.

1) patch 1,2, Add support to skb_metadata_dst in MACsec code:
net/macsec: Add MACsec skb_metadata_dst Tx Data path support
net/macsec: Add MACsec skb_metadata_dst Rx Data path support

2) patch 3, Move some MACsec driver code for sharing with various
drivers that implements offload:
net/macsec: Move some code for sharing with various drivers that
implements offload

3) The rest of the patches introduce mlx5 implementation for macsec
offloads TX and RX via steering tables.
  a) TX, intercept skbs with macsec offlad mark in skb_metadata_dst and mark
the descriptor for offload.
  b) RX, intercept offloaded frames and prepare the proper
skb_metadata_dst to mark offloaded rx frames.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents da7d8e65 99d4dc66
+8 −0
@@ -139,6 +139,14 @@ config MLX5_CORE_IPOIB
	help
	  MLX5 IPoIB offloads & acceleration support.

config MLX5_EN_MACSEC
	bool "Connect-X support for MACSec offload"
	depends on MLX5_CORE_EN
	depends on MACSEC
	default n
	help
	  Build support for MACsec cryptography-offload acceleration in the NIC.

config MLX5_EN_IPSEC
	bool "Mellanox Technologies IPsec Connect-X support"
	depends on MLX5_CORE_EN
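Review bot: `default n` in the new MLX5_EN_MACSEC entry is redundant, since a bool symbol without a default is already n; dropping the line matches the surrounding entries in this file, which do not spell it out. Separately, the dependency is only `depends on MACSEC`, so a configuration with the mlx5 core built in and MACSEC=m is still selectable; if the new en_accel/macsec.o resolves symbols exported by the macsec module rather than only inline helpers from the header, that combination would fail to link and the constraint would need tightening (for example `depends on MACSEC && (MLX5_CORE=m || MACSEC=y)`) — worth confirming against what macsec.c actually calls.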
+3 −0
@@ -92,6 +92,9 @@ mlx5_core-$(CONFIG_MLX5_CORE_IPOIB) += ipoib/ipoib.o ipoib/ethtool.o ipoib/ipoib
#
mlx5_core-$(CONFIG_MLX5_FPGA) += fpga/cmd.o fpga/core.o fpga/conn.o fpga/sdk.o

mlx5_core-$(CONFIG_MLX5_EN_MACSEC) += en_accel/macsec.o en_accel/macsec_fs.o \
				      en_accel/macsec_stats.o

mlx5_core-$(CONFIG_MLX5_EN_IPSEC) += en_accel/ipsec.o en_accel/ipsec_rxtx.o \
				     en_accel/ipsec_stats.o en_accel/ipsec_fs.o \
				     en_accel/ipsec_offload.o
+3 −0
@@ -954,6 +954,9 @@ struct mlx5e_priv {

	const struct mlx5e_profile *profile;
	void                      *ppriv;
#ifdef CONFIG_MLX5_EN_MACSEC
	struct mlx5e_macsec       *macsec;
#endif
#ifdef CONFIG_MLX5_EN_IPSEC
	struct mlx5e_ipsec        *ipsec;
#endif
+15 −0
@@ -39,6 +39,7 @@
#include "en_accel/ipsec_rxtx.h"
#include "en_accel/ktls.h"
#include "en_accel/ktls_txrx.h"
#include <en_accel/macsec.h>
#include "en.h"
#include "en/txrx.h"

@@ -137,6 +138,15 @@ static inline bool mlx5e_accel_tx_begin(struct net_device *dev,
	}
#endif

#ifdef CONFIG_MLX5_EN_MACSEC
	if (unlikely(mlx5e_macsec_skb_is_offload(skb))) {
		struct mlx5e_priv *priv = netdev_priv(dev);

		if (unlikely(!mlx5e_macsec_handle_tx_skb(priv->macsec, skb)))
			return false;
	}
#endif

	return true;
}

@@ -163,6 +173,11 @@ static inline void mlx5e_accel_tx_eseg(struct mlx5e_priv *priv,
		mlx5e_ipsec_tx_build_eseg(priv, skb, eseg);
#endif

#ifdef CONFIG_MLX5_EN_MACSEC
	if (unlikely(mlx5e_macsec_skb_is_offload(skb)))
		mlx5e_macsec_tx_build_eseg(priv->macsec, skb, eseg);
#endif

#if IS_ENABLED(CONFIG_GENEVE)
	if (skb->encapsulation && skb->ip_summed == CHECKSUM_PARTIAL)
		mlx5e_tx_tunnel_accel(skb, eseg, ihs);
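Review bot: The new include in the first hunk uses angle brackets, `#include <en_accel/macsec.h>`, while every neighbouring driver-local header on the adjacent lines is quoted; angle brackets search the system/-I paths first and are reserved in this file for kernel-wide headers, so it should read `#include "en_accel/macsec.h"` for consistency and to avoid depending on the driver directory being on the include path. In the mlx5e_accel_tx_begin hunk, `priv->macsec` is passed straight to mlx5e_macsec_handle_tx_skb() whenever the skb carries the offload mark; whether a NULL `priv->macsec` (device without MACsec support, or init failed) is tolerated by the callee is not visible here and is worth confirming, since the skb mark comes from the stack rather than from this driver. Both mlx5e_accel_tx_begin and mlx5e_accel_tx_eseg begin outside their hunks.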
+5 −4
@@ -388,7 +388,8 @@ static void setup_fte_common(struct mlx5_accel_esp_xfrm_attrs *attrs,
		       0xff, 16);
	}

	flow_act->ipsec_obj_id = ipsec_obj_id;
	flow_act->crypto.type = MLX5_FLOW_CONTEXT_ENCRYPT_DECRYPT_TYPE_IPSEC;
	flow_act->crypto.obj_id = ipsec_obj_id;
	flow_act->flags |= FLOW_ACT_NO_APPEND;
}

@@ -444,7 +445,7 @@ static int rx_add_rule(struct mlx5e_priv *priv,
	}

	flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST |
			  MLX5_FLOW_CONTEXT_ACTION_IPSEC_DECRYPT |
			  MLX5_FLOW_CONTEXT_ACTION_CRYPTO_DECRYPT |
			  MLX5_FLOW_CONTEXT_ACTION_MOD_HDR;
	dest.type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE;
	flow_act.modify_hdr = modify_hdr;
@@ -500,7 +501,7 @@ static int tx_add_rule(struct mlx5e_priv *priv,
		 MLX5_ETH_WQE_FT_META_IPSEC);

	flow_act.action = MLX5_FLOW_CONTEXT_ACTION_ALLOW |
			  MLX5_FLOW_CONTEXT_ACTION_IPSEC_ENCRYPT;
			  MLX5_FLOW_CONTEXT_ACTION_CRYPTO_ENCRYPT;
	rule = mlx5_add_flow_rules(priv->ipsec->tx_fs->ft, spec, &flow_act, NULL, 0);
	if (IS_ERR(rule)) {
		err = PTR_ERR(rule);
@@ -576,7 +577,7 @@ int mlx5e_accel_ipsec_fs_init(struct mlx5e_ipsec *ipsec)
	int err = -ENOMEM;

	ns = mlx5_get_flow_namespace(ipsec->mdev,
				     MLX5_FLOW_NAMESPACE_EGRESS_KERNEL);
				     MLX5_FLOW_NAMESPACE_EGRESS_IPSEC);
	if (!ns)
		return -EOPNOTSUPP;
