Commit 84cb1b53 authored by Jakub Kicinski
Leon Romanovsky says:

====================
mlx5-next changes

Following previous conversations [1] and our clear commitment to do
the TC work [2], please pull mlx5-next shared branch, which includes
low-level steering logic to allow RoCEv2 traffic to be encrypted/
decrypted through IPsec.

[1] https://lore.kernel.org/all/20230126230815.224239-1-saeed@kernel.org/
[2] https://lore.kernel.org/all/Y+Z7lVVWqnRBiPh2@nvidia.com/

* 'mlx5-next' of https://git.kernel.org/pub/scm/linux/kernel/git/mellanox/linux:
  net/mlx5: Configure IPsec steering for egress RoCEv2 traffic
  net/mlx5: Configure IPsec steering for ingress RoCEv2 traffic
  net/mlx5: Add IPSec priorities in RDMA namespaces
  net/mlx5: Implement new destination type TABLE_TYPE
  net/mlx5: Introduce new destination type TABLE_TYPE
====================

Link: https://lore.kernel.org/r/20230215095624.1365200-1-leon@kernel.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents ca0df43d 22551e77
+1 −1
@@ -97,7 +97,7 @@ mlx5_core-$(CONFIG_MLX5_EN_MACSEC) += en_accel/macsec.o en_accel/macsec_fs.o \

mlx5_core-$(CONFIG_MLX5_EN_IPSEC) += en_accel/ipsec.o en_accel/ipsec_rxtx.o \
				     en_accel/ipsec_stats.o en_accel/ipsec_fs.o \
				     en_accel/ipsec_offload.o
				     en_accel/ipsec_offload.o lib/ipsec_fs_roce.o

mlx5_core-$(CONFIG_MLX5_EN_TLS) += en_accel/ktls_stats.o \
				   en_accel/fs_tcp.o en_accel/ktls.o en_accel/ktls_txrx.o \
+4 −0
@@ -275,6 +275,10 @@ const char *parse_fs_dst(struct trace_seq *p,
				 fs_dest_range_field_to_str(dst->range.field),
				 dst->range.min, dst->range.max);
		break;
	case MLX5_FLOW_DESTINATION_TYPE_TABLE_TYPE:
		trace_seq_printf(p, "flow_table_type=%u id:%u\n", dst->ft->type,
				 dst->ft->id);
		break;
	case MLX5_FLOW_DESTINATION_TYPE_NONE:
		trace_seq_printf(p, "none\n");
		break;
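Review bot: The new `MLX5_FLOW_DESTINATION_TYPE_TABLE_TYPE` case prints `flow_table_type=%u id:%u`, mixing `=` and `:` as the key/value separator inside one trace record, which makes the line harder to match with a single pattern when traces are searched during an investigation; I would write `trace_seq_printf(p, "flow_table_type=%u id=%u\n", dst->ft->type, dst->ft->id);`. The case also dereferences `dst->ft` unconditionally, so it relies on every producer of this destination type setting `ft`; if that is the contract, a short comment such as `/* TABLE_TYPE destinations always carry a valid ft */` would make it explicit. `parse_fs_dst()` starts and ends outside this hunk.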
+1 −0
@@ -87,6 +87,7 @@ enum {
	MLX5E_ACCEL_FS_POL_FT_LEVEL = MLX5E_INNER_TTC_FT_LEVEL + 1,
	MLX5E_ACCEL_FS_ESP_FT_LEVEL,
	MLX5E_ACCEL_FS_ESP_FT_ERR_LEVEL,
	MLX5E_ACCEL_FS_ESP_FT_ROCE_LEVEL,
#endif
};

+2 −0
@@ -93,6 +93,7 @@ enum mlx5_ipsec_cap {
	MLX5_IPSEC_CAP_CRYPTO		= 1 << 0,
	MLX5_IPSEC_CAP_ESN		= 1 << 1,
	MLX5_IPSEC_CAP_PACKET_OFFLOAD	= 1 << 2,
	MLX5_IPSEC_CAP_ROCE             = 1 << 3,
};

struct mlx5e_priv;
@@ -147,6 +148,7 @@ struct mlx5e_ipsec {
	struct mlx5e_ipsec_tx *tx;
	struct mlx5e_ipsec_aso *aso;
	struct notifier_block nb;
	struct mlx5_ipsec_fs *roce;
};

struct mlx5e_ipsec_esn_state {
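Review bot: The added `MLX5_IPSEC_CAP_ROCE` enumerator pads its name with spaces before `= 1 << 3`, while the three entries above it align the `=` with tabs, so the column drifts under a different tab width; pad it with tabs like its neighbours. In the second hunk the new `struct mlx5_ipsec_fs *roce;` member carries no comment on when it is valid. The flow-steering section on this page assigns it only when the device reports `MLX5_IPSEC_CAP_ROCE`, so I would add `/* NULL unless MLX5_IPSEC_CAP_ROCE is supported */`, assuming the containing struct is zero-allocated, which is not visible here.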
+47 −7
@@ -6,6 +6,7 @@
#include "en/fs.h"
#include "ipsec.h"
#include "fs_core.h"
#include "lib/ipsec_fs_roce.h"

#define NUM_IPSEC_FTE BIT(15)

@@ -166,7 +167,8 @@ static int ipsec_miss_create(struct mlx5_core_dev *mdev,
	return err;
}

static void rx_destroy(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_rx *rx)
static void rx_destroy(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec,
		       struct mlx5e_ipsec_rx *rx, u32 family)
{
	mlx5_del_flow_rules(rx->pol.rule);
	mlx5_destroy_flow_group(rx->pol.group);
@@ -179,6 +181,8 @@ static void rx_destroy(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_rx *rx)
	mlx5_del_flow_rules(rx->status.rule);
	mlx5_modify_header_dealloc(mdev, rx->status.modify_hdr);
	mlx5_destroy_flow_table(rx->ft.status);

	mlx5_ipsec_fs_roce_rx_destroy(ipsec->roce, family);
}

static int rx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec,
@@ -186,18 +190,35 @@ static int rx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec,
{
	struct mlx5_flow_namespace *ns = mlx5e_fs_get_ns(ipsec->fs, false);
	struct mlx5_ttc_table *ttc = mlx5e_fs_get_ttc(ipsec->fs, false);
	struct mlx5_flow_destination default_dest;
	struct mlx5_flow_destination dest[2];
	struct mlx5_flow_table *ft;
	int err;

	default_dest = mlx5_ttc_get_default_dest(ttc, family2tt(family));
	err = mlx5_ipsec_fs_roce_rx_create(mdev, ipsec->roce, ns, &default_dest,
					   family, MLX5E_ACCEL_FS_ESP_FT_ROCE_LEVEL,
					   MLX5E_NIC_PRIO);
	if (err)
		return err;

	ft = ipsec_ft_create(ns, MLX5E_ACCEL_FS_ESP_FT_ERR_LEVEL,
			     MLX5E_NIC_PRIO, 1);
	if (IS_ERR(ft))
		return PTR_ERR(ft);
	if (IS_ERR(ft)) {
		err = PTR_ERR(ft);
		goto err_fs_ft_status;
	}

	rx->ft.status = ft;

	dest[0] = mlx5_ttc_get_default_dest(ttc, family2tt(family));
	ft = mlx5_ipsec_fs_roce_ft_get(ipsec->roce, family);
	if (ft) {
		dest[0].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE;
		dest[0].ft = ft;
	} else {
		dest[0] = default_dest;
	}

	dest[1].type = MLX5_FLOW_DESTINATION_TYPE_COUNTER;
	dest[1].counter_id = mlx5_fc_id(rx->fc->cnt);
	err = ipsec_status_rule(mdev, rx, dest);
@@ -245,6 +266,8 @@ static int rx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec,
	mlx5_modify_header_dealloc(mdev, rx->status.modify_hdr);
err_add:
	mlx5_destroy_flow_table(rx->ft.status);
err_fs_ft_status:
	mlx5_ipsec_fs_roce_rx_destroy(ipsec->roce, family);
	return err;
}

@@ -304,14 +327,15 @@ static void rx_ft_put(struct mlx5_core_dev *mdev, struct mlx5e_ipsec *ipsec,
	mlx5_ttc_fwd_default_dest(ttc, family2tt(family));

	/* remove FT */
	rx_destroy(mdev, rx);
	rx_destroy(mdev, ipsec, rx, family);

out:
	mutex_unlock(&rx->ft.mutex);
}

/* IPsec TX flow steering */
static int tx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx)
static int tx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx,
		     struct mlx5_ipsec_fs *roce)
{
	struct mlx5_flow_destination dest = {};
	struct mlx5_flow_table *ft;
@@ -334,8 +358,15 @@ static int tx_create(struct mlx5_core_dev *mdev, struct mlx5e_ipsec_tx *tx)
	err = ipsec_miss_create(mdev, tx->ft.pol, &tx->pol, &dest);
	if (err)
		goto err_pol_miss;

	err = mlx5_ipsec_fs_roce_tx_create(mdev, roce, tx->ft.pol);
	if (err)
		goto err_roce;
	return 0;

err_roce:
	mlx5_del_flow_rules(tx->pol.rule);
	mlx5_destroy_flow_group(tx->pol.group);
err_pol_miss:
	mlx5_destroy_flow_table(tx->ft.pol);
err_pol_ft:
@@ -353,9 +384,10 @@ static struct mlx5e_ipsec_tx *tx_ft_get(struct mlx5_core_dev *mdev,
	if (tx->ft.refcnt)
		goto skip;

	err = tx_create(mdev, tx);
	err = tx_create(mdev, tx, ipsec->roce);
	if (err)
		goto out;

skip:
	tx->ft.refcnt++;
out:
@@ -374,6 +406,7 @@ static void tx_ft_put(struct mlx5e_ipsec *ipsec)
	if (tx->ft.refcnt)
		goto out;

	mlx5_ipsec_fs_roce_tx_destroy(ipsec->roce);
	mlx5_del_flow_rules(tx->pol.rule);
	mlx5_destroy_flow_group(tx->pol.group);
	mlx5_destroy_flow_table(tx->ft.pol);
@@ -1031,6 +1064,9 @@ void mlx5e_accel_ipsec_fs_cleanup(struct mlx5e_ipsec *ipsec)
	if (!ipsec->tx)
		return;

	if (mlx5_ipsec_device_caps(ipsec->mdev) & MLX5_IPSEC_CAP_ROCE)
		mlx5_ipsec_fs_roce_cleanup(ipsec->roce);

	ipsec_fs_destroy_counters(ipsec);
	mutex_destroy(&ipsec->tx->ft.mutex);
	WARN_ON(ipsec->tx->ft.refcnt);
@@ -1047,6 +1083,7 @@ void mlx5e_accel_ipsec_fs_cleanup(struct mlx5e_ipsec *ipsec)

int mlx5e_accel_ipsec_fs_init(struct mlx5e_ipsec *ipsec)
{
	struct mlx5_core_dev *mdev = ipsec->mdev;
	struct mlx5_flow_namespace *ns;
	int err = -ENOMEM;

@@ -1076,6 +1113,9 @@ int mlx5e_accel_ipsec_fs_init(struct mlx5e_ipsec *ipsec)
	mutex_init(&ipsec->rx_ipv6->ft.mutex);
	ipsec->tx->ns = ns;

	if (mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_ROCE)
		ipsec->roce = mlx5_ipsec_fs_roce_init(mdev);

	return 0;

err_counters:
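Review bot: The result of `mlx5_ipsec_fs_roce_init(mdev)` at the end of `mlx5e_accel_ipsec_fs_init()` is stored in `ipsec->roce` without any check, and `rx_create()`, `rx_destroy()`, `tx_create()` and `tx_ft_put()` then pass `ipsec->roce` to the `mlx5_ipsec_fs_roce_*` helpers unconditionally, with or without the capability bit. That is only safe if every helper treats a NULL handle as "RoCE steering absent" and the init never returns an error pointer; both are defined outside this section, so please confirm. If the init can fail, the failure is silent and RoCEv2 traffic would presumably not be steered through the IPsec tables even though the device advertises the capability, so I would at least log it, e.g. `if (!ipsec->roce) mlx5_core_warn(mdev, "IPsec RoCE steering unavailable\n");`. A comment at the assignment such as `/* roce stays NULL when unsupported or when init fails; the roce helpers must accept NULL */` would record the contract. The functions touched here start and end outside their hunks.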