Merge branch 'support-tunnel-mode-in-mlx5-ipsec-packet-offload'

#include <crypto/aead.h>

#include <linux/inetdevice.h>

#include <linux/netdevice.h>

#include <net/netevent.h>

#include "en.h"

#include "ipsec.h"

#include "ipsec_rxtx.h"

#define MLX5_IPSEC_RESCHED msecs_to_jiffies(1000)

#define MLX5E_IPSEC_TUNNEL_SA XA_MARK_1

static struct mlx5e_ipsec_sa_entry *to_ipsec_sa_entry(struct xfrm_state *x)

{

	attrs->lft.numb_rounds_soft = (u64)n;

}

static void mlx5e_ipsec_init_macs(struct mlx5e_ipsec_sa_entry *sa_entry,

				  struct mlx5_accel_esp_xfrm_attrs *attrs)

{

	struct mlx5_core_dev *mdev = mlx5e_ipsec_sa2dev(sa_entry);

	struct xfrm_state *x = sa_entry->x;

	struct net_device *netdev;

	struct neighbour *n;

	u8 addr[ETH_ALEN];

	if (attrs->mode != XFRM_MODE_TUNNEL ||

	    attrs->type != XFRM_DEV_OFFLOAD_PACKET)

		return;

	netdev = x->xso.real_dev;

	mlx5_query_mac_address(mdev, addr);

	switch (attrs->dir) {

	case XFRM_DEV_OFFLOAD_IN:

		ether_addr_copy(attrs->dmac, addr);

		n = neigh_lookup(&arp_tbl, &attrs->saddr.a4, netdev);

		if (!n) {

			n = neigh_create(&arp_tbl, &attrs->saddr.a4, netdev);

			if (IS_ERR(n))

				return;

			neigh_event_send(n, NULL);

			attrs->drop = true;

			break;

		}

		neigh_ha_snapshot(addr, n, netdev);

		ether_addr_copy(attrs->smac, addr);

		break;

	case XFRM_DEV_OFFLOAD_OUT:

		ether_addr_copy(attrs->smac, addr);

		n = neigh_lookup(&arp_tbl, &attrs->daddr.a4, netdev);

		if (!n) {

			n = neigh_create(&arp_tbl, &attrs->daddr.a4, netdev);

			if (IS_ERR(n))

				return;

			neigh_event_send(n, NULL);

			attrs->drop = true;

			break;

		}

		neigh_ha_snapshot(addr, n, netdev);

		ether_addr_copy(attrs->dmac, addr);

		break;

	default:

		return;

	}

	neigh_release(n);

}

void mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry,

					struct mlx5_accel_esp_xfrm_attrs *attrs)

{

	attrs->upspec.sport = ntohs(x->sel.sport);

	attrs->upspec.sport_mask = ntohs(x->sel.sport_mask);

	attrs->upspec.proto = x->sel.proto;

	attrs->mode = x->props.mode;

	mlx5e_ipsec_init_limits(sa_entry, attrs);

	mlx5e_ipsec_init_macs(sa_entry, attrs);

}

static int mlx5e_xfrm_validate_state(struct mlx5_core_dev *mdev,

		return -EINVAL;

	}

	if (x->props.mode != XFRM_MODE_TRANSPORT && x->props.mode != XFRM_MODE_TUNNEL) {

		NL_SET_ERR_MSG_MOD(extack, "Only transport and tunnel xfrm states may be offloaded");

		return -EINVAL;

	}

	switch (x->xso.type) {

	case XFRM_DEV_OFFLOAD_CRYPTO:

		if (!(mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_CRYPTO)) {

			return -EINVAL;

		}

		if (x->props.mode != XFRM_MODE_TRANSPORT &&

		    x->props.mode != XFRM_MODE_TUNNEL) {

			NL_SET_ERR_MSG_MOD(extack, "Only transport and tunnel xfrm states may be offloaded");

			return -EINVAL;

		}

		break;

	case XFRM_DEV_OFFLOAD_PACKET:

		if (!(mlx5_ipsec_device_caps(mdev) &

			return -EINVAL;

		}

		if (x->props.mode != XFRM_MODE_TRANSPORT) {

			NL_SET_ERR_MSG_MOD(extack, "Only transport xfrm states may be offloaded in packet mode");

		if (x->props.mode == XFRM_MODE_TUNNEL &&

		    !(mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_TUNNEL)) {

			NL_SET_ERR_MSG_MOD(extack, "Packet offload is not supported for tunnel mode");

			return -EINVAL;

		}

	sa_entry->set_iv_op = mlx5e_ipsec_set_iv;

}

static void mlx5e_ipsec_handle_netdev_event(struct work_struct *_work)

{

	struct mlx5e_ipsec_work *work =

		container_of(_work, struct mlx5e_ipsec_work, work);

	struct mlx5e_ipsec_sa_entry *sa_entry = work->sa_entry;

	struct mlx5e_ipsec_netevent_data *data = work->data;

	struct mlx5_accel_esp_xfrm_attrs *attrs;

	attrs = &sa_entry->attrs;

	switch (attrs->dir) {

	case XFRM_DEV_OFFLOAD_IN:

		ether_addr_copy(attrs->smac, data->addr);

		break;

	case XFRM_DEV_OFFLOAD_OUT:

		ether_addr_copy(attrs->dmac, data->addr);

		break;

	default:

		WARN_ON_ONCE(true);

	}

	attrs->drop = false;

	mlx5e_accel_ipsec_fs_modify(sa_entry);

}

static int mlx5_ipsec_create_work(struct mlx5e_ipsec_sa_entry *sa_entry)

{

	struct xfrm_state *x = sa_entry->x;

	struct mlx5e_ipsec_work *work;

	void *data = NULL;

	switch (x->xso.type) {

	case XFRM_DEV_OFFLOAD_CRYPTO:

		if (!(x->props.flags & XFRM_STATE_ESN))

			return 0;

		break;

	default:

	case XFRM_DEV_OFFLOAD_PACKET:

		if (x->props.mode != XFRM_MODE_TUNNEL)

			return 0;

		break;

	default:

		break;

	}

	work = kzalloc(sizeof(*work), GFP_KERNEL);

	if (!work)

		return -ENOMEM;

	work->data = kzalloc(sizeof(*sa_entry), GFP_KERNEL);

	if (!work->data) {

		kfree(work);

		return -ENOMEM;

	}

	switch (x->xso.type) {

	case XFRM_DEV_OFFLOAD_CRYPTO:

		data = kzalloc(sizeof(*sa_entry), GFP_KERNEL);

		if (!data)

			goto free_work;

		INIT_WORK(&work->work, mlx5e_ipsec_modify_state);

		break;

	case XFRM_DEV_OFFLOAD_PACKET:

		data = kzalloc(sizeof(struct mlx5e_ipsec_netevent_data),

			       GFP_KERNEL);

		if (!data)

			goto free_work;

		INIT_WORK(&work->work, mlx5e_ipsec_handle_netdev_event);

		break;

	default:

		break;

	}

	work->data = data;

	work->sa_entry = sa_entry;

	sa_entry->work = work;

	return 0;

free_work:

	kfree(work);

	return -ENOMEM;

}

static int mlx5e_ipsec_create_dwork(struct mlx5e_ipsec_sa_entry *sa_entry)

	if (err)

		goto err_hw_ctx;

	if (x->props.mode == XFRM_MODE_TUNNEL &&

	    x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&

	    !mlx5e_ipsec_fs_tunnel_enabled(sa_entry)) {

		NL_SET_ERR_MSG_MOD(extack, "Packet offload tunnel mode is disabled due to encap settings");

		err = -EINVAL;

		goto err_add_rule;

	}

	/* We use *_bh() variant because xfrm_timer_handler(), which runs

	 * in softirq context, can reach our state delete logic and we need

	 * xa_erase_bh() there.

	if (sa_entry->dwork)

		queue_delayed_work(ipsec->wq, &sa_entry->dwork->dwork,

				   MLX5_IPSEC_RESCHED);

	if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&

	    x->props.mode == XFRM_MODE_TUNNEL)

		xa_set_mark(&ipsec->sadb, sa_entry->ipsec_obj_id,

			    MLX5E_IPSEC_TUNNEL_SA);

out:

	x->xso.offload_handle = (unsigned long)sa_entry;

	return 0;

static void mlx5e_xfrm_del_state(struct xfrm_state *x)

{

	struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x);

	struct mlx5_accel_esp_xfrm_attrs *attrs = &sa_entry->attrs;

	struct mlx5e_ipsec *ipsec = sa_entry->ipsec;

	struct mlx5e_ipsec_sa_entry *old;

	old = xa_erase_bh(&ipsec->sadb, sa_entry->ipsec_obj_id);

	WARN_ON(old != sa_entry);

	if (attrs->mode == XFRM_MODE_TUNNEL &&

	    attrs->type == XFRM_DEV_OFFLOAD_PACKET)

		/* Make sure that no ARP requests are running in parallel */

		flush_workqueue(ipsec->wq);

}

static void mlx5e_xfrm_free_state(struct xfrm_state *x)

	kfree(sa_entry);

}

static int mlx5e_ipsec_netevent_event(struct notifier_block *nb,

				      unsigned long event, void *ptr)

{

	struct mlx5_accel_esp_xfrm_attrs *attrs;

	struct mlx5e_ipsec_netevent_data *data;

	struct mlx5e_ipsec_sa_entry *sa_entry;

	struct mlx5e_ipsec *ipsec;

	struct neighbour *n = ptr;

	struct net_device *netdev;

	struct xfrm_state *x;

	unsigned long idx;

	if (event != NETEVENT_NEIGH_UPDATE || !(n->nud_state & NUD_VALID))

		return NOTIFY_DONE;

	ipsec = container_of(nb, struct mlx5e_ipsec, netevent_nb);

	xa_for_each_marked(&ipsec->sadb, idx, sa_entry, MLX5E_IPSEC_TUNNEL_SA) {

		attrs = &sa_entry->attrs;

		if (attrs->family == AF_INET) {

			if (!neigh_key_eq32(n, &attrs->saddr.a4) &&

			    !neigh_key_eq32(n, &attrs->daddr.a4))

				continue;

		} else {

			if (!neigh_key_eq128(n, &attrs->saddr.a4) &&

			    !neigh_key_eq128(n, &attrs->daddr.a4))

				continue;

		}

		x = sa_entry->x;

		netdev = x->xso.real_dev;

		data = sa_entry->work->data;

		neigh_ha_snapshot(data->addr, n, netdev);

		queue_work(ipsec->wq, &sa_entry->work->work);

	}

	return NOTIFY_DONE;

}

void mlx5e_ipsec_init(struct mlx5e_priv *priv)

{

	struct mlx5e_ipsec *ipsec;

			goto err_aso;

	}

	if (mlx5_ipsec_device_caps(priv->mdev) & MLX5_IPSEC_CAP_TUNNEL) {

		ipsec->netevent_nb.notifier_call = mlx5e_ipsec_netevent_event;

		ret = register_netevent_notifier(&ipsec->netevent_nb);

		if (ret)

			goto clear_aso;

	}

	ret = mlx5e_accel_ipsec_fs_init(ipsec);

	if (ret)

		goto err_fs_init;

	return;

err_fs_init:

	if (mlx5_ipsec_device_caps(priv->mdev) & MLX5_IPSEC_CAP_TUNNEL)

		unregister_netevent_notifier(&ipsec->netevent_nb);

clear_aso:

	if (mlx5_ipsec_device_caps(priv->mdev) & MLX5_IPSEC_CAP_PACKET_OFFLOAD)

		mlx5e_ipsec_aso_cleanup(ipsec);

err_aso:

		return;

	mlx5e_accel_ipsec_fs_cleanup(ipsec);

	if (mlx5_ipsec_device_caps(priv->mdev) & MLX5_IPSEC_CAP_TUNNEL)

		unregister_netevent_notifier(&ipsec->netevent_nb);

	if (mlx5_ipsec_device_caps(priv->mdev) & MLX5_IPSEC_CAP_PACKET_OFFLOAD)

		mlx5e_ipsec_aso_cleanup(ipsec);

	destroy_workqueue(ipsec->wq);

struct mlx5_accel_esp_xfrm_attrs {

	u32   spi;

	u32   flags;

	u32   mode;

	struct aes_gcm_keymat aes_gcm;

	union {

	u32 authsize;

	u32 reqid;

	struct mlx5_ipsec_lft lft;

	u8 smac[ETH_ALEN];

	u8 dmac[ETH_ALEN];

};

enum mlx5_ipsec_cap {

	MLX5_IPSEC_CAP_PACKET_OFFLOAD	= 1 << 2,

	MLX5_IPSEC_CAP_ROCE             = 1 << 3,

	MLX5_IPSEC_CAP_PRIO             = 1 << 4,

	MLX5_IPSEC_CAP_TUNNEL           = 1 << 5,

};

struct mlx5e_priv;

	void *data;

};

struct mlx5e_ipsec_netevent_data {

	u8 addr[ETH_ALEN];

};

struct mlx5e_ipsec_dwork {

	struct delayed_work dwork;

	struct mlx5e_ipsec_sa_entry *sa_entry;

	struct mlx5e_ipsec_tx *tx;

	struct mlx5e_ipsec_aso *aso;

	struct notifier_block nb;

	struct notifier_block netevent_nb;

	struct mlx5_ipsec_fs *roce;

};

int mlx5e_accel_ipsec_fs_add_pol(struct mlx5e_ipsec_pol_entry *pol_entry);

void mlx5e_accel_ipsec_fs_del_pol(struct mlx5e_ipsec_pol_entry *pol_entry);

void mlx5e_accel_ipsec_fs_modify(struct mlx5e_ipsec_sa_entry *sa_entry);

bool mlx5e_ipsec_fs_tunnel_enabled(struct mlx5e_ipsec_sa_entry *sa_entry);

int mlx5_ipsec_create_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);

void mlx5_ipsec_free_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);

#include <linux/netdevice.h>

#include "en.h"

#include "en/fs.h"

#include "eswitch.h"

#include "ipsec.h"

#include "fs_core.h"

#include "lib/ipsec_fs_roce.h"

#include "lib/fs_chains.h"

#define NUM_IPSEC_FTE BIT(15)

#define MLX5_REFORMAT_TYPE_ADD_ESP_TRANSPORT_SIZE 16

#define IPSEC_TUNNEL_DEFAULT_TTL 0x40

struct mlx5e_ipsec_fc {

	struct mlx5_fc *cnt;

	struct mlx5e_ipsec_rule status;

	struct mlx5e_ipsec_fc *fc;

	struct mlx5_fs_chains *chains;

	u8 allow_tunnel_mode : 1;

};

struct mlx5e_ipsec_tx {

	struct mlx5_flow_namespace *ns;

	struct mlx5e_ipsec_fc *fc;

	struct mlx5_fs_chains *chains;

	u8 allow_tunnel_mode : 1;

};

/* IPsec RX flow steering */

static struct mlx5_flow_table *ipsec_ft_create(struct mlx5_flow_namespace *ns,

					       int level, int prio,

					       int max_num_groups)

					       int max_num_groups, u32 flags)

{

	struct mlx5_flow_table_attr ft_attr = {};

	ft_attr.max_fte = NUM_IPSEC_FTE;

	ft_attr.level = level;

	ft_attr.prio = prio;

	ft_attr.flags = flags;

	return mlx5_create_auto_grouped_flow_table(ns, &ft_attr);

}

	mlx5_del_flow_rules(rx->sa.rule);

	mlx5_destroy_flow_group(rx->sa.group);

	mlx5_destroy_flow_table(rx->ft.sa);

	if (rx->allow_tunnel_mode)

		mlx5_eswitch_unblock_encap(mdev);

	mlx5_del_flow_rules(rx->status.rule);

	mlx5_modify_header_dealloc(mdev, rx->status.modify_hdr);

	mlx5_destroy_flow_table(rx->ft.status);

	struct mlx5_flow_destination default_dest;

	struct mlx5_flow_destination dest[2];

	struct mlx5_flow_table *ft;

	u32 flags = 0;

	int err;

	default_dest = mlx5_ttc_get_default_dest(ttc, family2tt(family));

		return err;

	ft = ipsec_ft_create(ns, MLX5E_ACCEL_FS_ESP_FT_ERR_LEVEL,

			     MLX5E_NIC_PRIO, 1);

			     MLX5E_NIC_PRIO, 1, 0);

	if (IS_ERR(ft)) {

		err = PTR_ERR(ft);

		goto err_fs_ft_status;

		goto err_add;

	/* Create FT */

	ft = ipsec_ft_create(ns, MLX5E_ACCEL_FS_ESP_FT_LEVEL, MLX5E_NIC_PRIO,

			     2);

	if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_TUNNEL)

		rx->allow_tunnel_mode = mlx5_eswitch_block_encap(mdev);

	if (rx->allow_tunnel_mode)

		flags = MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT;

	ft = ipsec_ft_create(ns, MLX5E_ACCEL_FS_ESP_FT_LEVEL, MLX5E_NIC_PRIO, 2,

			     flags);

	if (IS_ERR(ft)) {

		err = PTR_ERR(ft);

		goto err_fs_ft;

	}

	ft = ipsec_ft_create(ns, MLX5E_ACCEL_FS_POL_FT_LEVEL, MLX5E_NIC_PRIO,

			     2);

			     2, 0);

	if (IS_ERR(ft)) {

		err = PTR_ERR(ft);

		goto err_pol_ft;

err_fs:

	mlx5_destroy_flow_table(rx->ft.sa);

err_fs_ft:

	if (rx->allow_tunnel_mode)

		mlx5_eswitch_unblock_encap(mdev);

	mlx5_del_flow_rules(rx->status.rule);

	mlx5_modify_header_dealloc(mdev, rx->status.modify_hdr);

err_add:

}

/* IPsec TX flow steering */

static void tx_destroy(struct mlx5e_ipsec_tx *tx, struct mlx5_ipsec_fs *roce)

static void tx_destroy(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx,

		       struct mlx5_ipsec_fs *roce)

{

	mlx5_ipsec_fs_roce_tx_destroy(roce);

	if (tx->chains) {

	}

	mlx5_destroy_flow_table(tx->ft.sa);

	if (tx->allow_tunnel_mode)

		mlx5_eswitch_unblock_encap(mdev);

	mlx5_del_flow_rules(tx->status.rule);

	mlx5_destroy_flow_table(tx->ft.status);

}

{

	struct mlx5_flow_destination dest = {};

	struct mlx5_flow_table *ft;

	u32 flags = 0;

	int err;

	ft = ipsec_ft_create(tx->ns, 2, 0, 1);

	ft = ipsec_ft_create(tx->ns, 2, 0, 1, 0);

	if (IS_ERR(ft))

		return PTR_ERR(ft);

	tx->ft.status = ft;

	if (err)

		goto err_status_rule;

	ft = ipsec_ft_create(tx->ns, 1, 0, 4);

	if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_TUNNEL)

		tx->allow_tunnel_mode = mlx5_eswitch_block_encap(mdev);

	if (tx->allow_tunnel_mode)

		flags = MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT;

	ft = ipsec_ft_create(tx->ns, 1, 0, 4, flags);

	if (IS_ERR(ft)) {

		err = PTR_ERR(ft);

		goto err_sa_ft;

		goto connect_roce;

	}

	ft = ipsec_ft_create(tx->ns, 0, 0, 2);

	ft = ipsec_ft_create(tx->ns, 0, 0, 2, 0);

	if (IS_ERR(ft)) {

		err = PTR_ERR(ft);

		goto err_pol_ft;

err_pol_ft:

	mlx5_destroy_flow_table(tx->ft.sa);

err_sa_ft:

	if (tx->allow_tunnel_mode)

		mlx5_eswitch_unblock_encap(mdev);

	mlx5_del_flow_rules(tx->status.rule);

err_status_rule:

	mlx5_destroy_flow_table(tx->ft.status);

	if (--tx->ft.refcnt)

		return;

	tx_destroy(tx, ipsec->roce);

	tx_destroy(ipsec->mdev, tx, ipsec->roce);

}

static struct mlx5_flow_table *tx_ft_get_policy(struct mlx5_core_dev *mdev,

	return 0;

}

static int setup_pkt_reformat(struct mlx5_core_dev *mdev,

static int

setup_pkt_tunnel_reformat(struct mlx5_core_dev *mdev,

			  struct mlx5_accel_esp_xfrm_attrs *attrs,

			      struct mlx5_flow_act *flow_act)

			  struct mlx5_pkt_reformat_params *reformat_params)

{

	enum mlx5_flow_namespace_type ns_type = MLX5_FLOW_NAMESPACE_EGRESS;

	struct mlx5_pkt_reformat_params reformat_params = {};

	struct mlx5_pkt_reformat *pkt_reformat;

	u8 reformatbf[16] = {};

	__be32 spi;

	struct ip_esp_hdr *esp_hdr;

	struct ipv6hdr *ipv6hdr;

	struct ethhdr *eth_hdr;

	struct iphdr *iphdr;

	char *reformatbf;

	size_t bfflen;

	void *hdr;

	bfflen = sizeof(*eth_hdr);

	if (attrs->dir == XFRM_DEV_OFFLOAD_OUT) {

		bfflen += sizeof(*esp_hdr) + 8;

		switch (attrs->family) {

		case AF_INET:

			bfflen += sizeof(*iphdr);

			break;

		case AF_INET6:

			bfflen += sizeof(*ipv6hdr);

			break;

		default:

			return -EINVAL;

		}

	}

	if (attrs->dir == XFRM_DEV_OFFLOAD_IN) {

		reformat_params.type = MLX5_REFORMAT_TYPE_DEL_ESP_TRANSPORT;

		ns_type = MLX5_FLOW_NAMESPACE_KERNEL;

		goto cmd;

	reformatbf = kzalloc(bfflen, GFP_KERNEL);

	if (!reformatbf)

		return -ENOMEM;

	eth_hdr = (struct ethhdr *)reformatbf;

	switch (attrs->family) {

	case AF_INET:

		eth_hdr->h_proto = htons(ETH_P_IP);

		break;

	case AF_INET6:

		eth_hdr->h_proto = htons(ETH_P_IPV6);

		break;