Commit 89ae6573 authored by Steffen Klassert's avatar Steffen Klassert
Browse files

Merge branch 'Extend XFRM core to allow packet offload configuration' 

Leon Romanovsky says:

============
The following series extends XFRM core code to handle a new type of IPsec
offload - packet offload.

In this mode, the HW is going to be responsible for the whole data path,
so both policy and state should be offloaded.

IPsec packet offload is an improved version of IPsec crypto mode,
In packet mode, HW is responsible to trim/add headers in addition to
decrypt/encrypt. In this mode, the packet arrives to the stack as already
decrypted and vice versa for TX (exits to HW as not-encrypted).

Devices that implement IPsec packet offload mode offload policies too.
In the RX path, it causes the situation that HW can't effectively
handle mixed SW and HW priorities unless users make sure that HW offloaded
policies have higher priorities.

It means that we don't need to perform any search of inexact policies
and/or priority checks if HW policy was discovered. In such situation,
the HW will catch the packets anyway and HW can still implement inexact
lookups.

In case specific policy is not found, we will continue with packet lookup
and check for existence of HW policies in inexact list.

HW policies are added to the head of SPD to ensure fast lookup, as XFRM
iterates over all policies in the loop.

This simple solution allows us to achieve same benefits of separate HW/SW
policies databases without over-engineering the code to iterate and manage
two databases at the same path.

To not over-engineer the code, HW policies are treated as SW ones and
don't take into account netdev to allow reuse of the same priorities for
policies databases without over-engineering the code to iterate and manage
two databases at the same path.

To not over-engineer the code, HW policies are treated as SW ones and
don't take into account netdev to allow reuse of the same priorities for
different devices.
 * No software fallback
 * Fragments are dropped, both in RX and TX
 * No sockets policies
 * Only IPsec transport mode is implemented

================================================================================
Rekeying:

In order to support rekeying, as XFRM core is skipped, the HW/driver should
do the following:
 * Count the handled packets
 * Raise event that limits are reached
 * Drop packets once hard limit is occurred.

The XFRM core calls to newly introduced xfrm_dev_state_update_curlft()
function in order to perform sync between device statistics and internal
structures. On HW limit event, driver calls to xfrm_state_check_expire()
to allow XFRM core take relevant decisions.

This separation between control logic (in XFRM) and data plane allows us
to packet reuse SW stack.

================================================================================
Configuration:

iproute2: https://lore.kernel.org/netdev/cover.1652179360.git.leonro@nvidia.com/

Packet offload mode:
  ip xfrm state offload packet dev <if-name> dir <in|out>
  ip xfrm policy .... offload packet dev <if-name>
Crypto offload mode:
  ip xfrm state offload crypto dev <if-name> dir <in|out>
or (backward compatibility)
  ip xfrm state offload dev <if-name> dir <in|out>

================================================================================
Performance results:

TCP multi-stream, using iperf3 instance per-CPU.
+----------------------+--------+--------+--------+--------+---------+---------+
|                      | 1 CPU  | 2 CPUs | 4 CPUs | 8 CPUs | 16 CPUs | 32 CPUs |
|                      +--------+--------+--------+--------+---------+---------+
|                      |                   BW (Gbps)                           |
+----------------------+--------+--------+-------+---------+---------+---------+
| Baseline             | 27.9   | 59     | 93.1  | 92.8    | 93.7    | 94.4    |
+----------------------+--------+--------+-------+---------+---------+---------+
| Software IPsec       | 6      | 11.9   | 23.3  | 45.9    | 83.8    | 91.8    |
+----------------------+--------+--------+-------+---------+---------+---------+
| IPsec crypto offload | 15     | 29.7   | 58.5  | 89.6    | 90.4    | 90.8    |
+----------------------+--------+--------+-------+---------+---------+---------+
| IPsec packet offload | 28     | 57     | 90.7  | 91      | 91.3    | 91.9    |
+----------------------+--------+--------+-------+---------+---------+---------+

IPsec packet offload mode behaves as baseline and reaches linerate with same amount
of CPUs.

Setups details (similar for both sides):
* NIC: ConnectX6-DX dual port, 100 Gbps each.
  Single port used in the tests.
* CPU: Intel(R) Xeon(R) Platinum 8380 CPU @ 2.30GHz

================================================================================
Series together with mlx5 part:
https://git.kernel.org/pub/scm/linux/kernel/git/leon/linux-rdma.git/log/?h=xfrm-next

================================================================================
Changelog:

v10:
 * Added forgotten xdo_dev_state_del. Patch #4.
 * Moved changelog in cover letter to the end.
 * Added "if (xs->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) {" line to newly
   added netronome IPsec support. Patch #2.
v9: https://lore.kernel.org/all/cover.1669547603.git.leonro@nvidia.com
 * Added acquire support
v8: https://lore.kernel.org/all/cover.1668753030.git.leonro@nvidia.com
 * Removed not-related blank line
 * Fixed typos in documentation
v7: https://lore.kernel.org/all/cover.1667997522.git.leonro@nvidia.com
As was discussed in IPsec workshop:
 * Renamed "full offload" to be "packet offload".
 * Added check that offloaded SA and policy have same device while sending packet
 * Added to SAD same optimization as was done for SPD to speed-up lookups.
v6: https://lore.kernel.org/all/cover.1666692948.git.leonro@nvidia.com
 * Fixed misplaced "!" in sixth patch.
v5: https://lore.kernel.org/all/cover.1666525321.git.leonro@nvidia.com
 * Rebased to latest ipsec-next.
 * Replaced HW priority patch with solution which mimics separated SPDs
   for SW and HW. See more description in this cover letter.
 * Dropped RFC tag, usecase, API and implementation are clear.
v4: https://lore.kernel.org/all/cover.1662295929.git.leonro@nvidia.com
 * Changed title from "PATCH" to "PATCH RFC" per-request.
 * Added two new patches: one to update hard/soft limits and another
   initial take on documentation.
 * Added more info about lifetime/rekeying flow to cover letter, see
   relevant section.
 * perf traces for crypto mode will come later.
v3: https://lore.kernel.org/all/cover.1661260787.git.leonro@nvidia.com
 * I didn't hear any suggestion what term to use instead of
   "packet offload", so left it as is. It is used in commit messages
   and documentation only and easy to rename.
 * Added performance data and background info to cover letter
 * Reused xfrm_output_resume() function to support multiple XFRM transformations
 * Add PMTU check in addition to driver .xdo_dev_offload_ok validation
 * Documentation is in progress, but not part of this series yet.
v2: https://lore.kernel.org/all/cover.1660639789.git.leonro@nvidia.com
 * Rebased to latest 6.0-rc1
 * Add an extra check in TX datapath patch to validate packets before
   forwarding to HW.
 * Added policy cleanup logic in case of netdev down event
v1: https://lore.kernel.org/all/cover.1652851393.git.leonro@nvidia.com
 * Moved comment to be before if (...) in third patch.
v0: https://lore.kernel.org/all/cover.1652176932.git.leonro@nvidia.com


-----------------------------------------------------------------------
============

Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
parents 65e6af6c 2b7c72e0

Documentation/networking/xfrm_device.rst

+53 −9
Original line number Original line Diff line number Diff line
@@ -5,6 +5,7 @@ XFRM device - offloading the IPsec computations 
===============================================

===============================================





Shannon Nelson <shannon.nelson@oracle.com>

Shannon Nelson <shannon.nelson@oracle.com>

Leon Romanovsky <leonro@nvidia.com>









Overview

Overview
@@ -18,10 +19,21 @@ can radically increase throughput and decrease CPU utilization. The XFRM 
Device interface allows NIC drivers to offer to the stack access to the

Device interface allows NIC drivers to offer to the stack access to the

hardware offload.

hardware offload.





Right now, there are two types of hardware offload that kernel supports.

 * IPsec crypto offload:

   * NIC performs encrypt/decrypt

   * Kernel does everything else

 * IPsec packet offload:

   * NIC performs encrypt/decrypt

   * NIC does encapsulation

   * Kernel and NIC have SA and policy in-sync

   * NIC handles the SA and policies states

   * The Kernel talks to the keymanager



Userland access to the offload is typically through a system such as

Userland access to the offload is typically through a system such as

libreswan or KAME/raccoon, but the iproute2 'ip xfrm' command set can

libreswan or KAME/raccoon, but the iproute2 'ip xfrm' command set can

be handy when experimenting.  An example command might look something

be handy when experimenting.  An example command might look something

like this::

like this for crypto offload:





  ip x s add proto esp dst 14.0.0.70 src 14.0.0.52 spi 0x07 mode transport \

  ip x s add proto esp dst 14.0.0.70 src 14.0.0.52 spi 0x07 mode transport \

     reqid 0x07 replay-window 32 \

     reqid 0x07 replay-window 32 \
@@ -29,6 +41,17 @@ like this:: 
     sel src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp \

     sel src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp \

     offload dev eth4 dir in

     offload dev eth4 dir in





and for packet offload



  ip x s add proto esp dst 14.0.0.70 src 14.0.0.52 spi 0x07 mode transport \

     reqid 0x07 replay-window 32 \

     aead 'rfc4106(gcm(aes))' 0x44434241343332312423222114131211f4f3f2f1 128 \

     sel src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp \

     offload packet dev eth4 dir in



  ip x p add src 14.0.0.70 dst 14.0.0.52 offload packet dev eth4 dir in

  tmpl src 14.0.0.70 dst 14.0.0.52 proto esp reqid 10000 mode transport



Yes, that's ugly, but that's what shell scripts and/or libreswan are for.

Yes, that's ugly, but that's what shell scripts and/or libreswan are for.
@@ -40,17 +63,24 @@ Callbacks to implement 




  /* from include/linux/netdevice.h */

  /* from include/linux/netdevice.h */

  struct xfrmdev_ops {

  struct xfrmdev_ops {

        /* Crypto and Packet offload callbacks */

	int	(*xdo_dev_state_add) (struct xfrm_state *x);

	int	(*xdo_dev_state_add) (struct xfrm_state *x);

	void	(*xdo_dev_state_delete) (struct xfrm_state *x);

	void	(*xdo_dev_state_delete) (struct xfrm_state *x);

	void	(*xdo_dev_state_free) (struct xfrm_state *x);

	void	(*xdo_dev_state_free) (struct xfrm_state *x);

	bool	(*xdo_dev_offload_ok) (struct sk_buff *skb,

	bool	(*xdo_dev_offload_ok) (struct sk_buff *skb,

				       struct xfrm_state *x);

				       struct xfrm_state *x);

	void    (*xdo_dev_state_advance_esn) (struct xfrm_state *x);

	void    (*xdo_dev_state_advance_esn) (struct xfrm_state *x);



        /* Solely packet offload callbacks */

	void    (*xdo_dev_state_update_curlft) (struct xfrm_state *x);

	int	(*xdo_dev_policy_add) (struct xfrm_policy *x);

	void	(*xdo_dev_policy_delete) (struct xfrm_policy *x);

	void	(*xdo_dev_policy_free) (struct xfrm_policy *x);

  };

  };





The NIC driver offering ipsec offload will need to implement these

The NIC driver offering ipsec offload will need to implement callbacks

callbacks to make the offload available to the network stack's

relevant to supported offload to make the offload available to the network

XFRM subsystem.  Additionally, the feature bits NETIF_F_HW_ESP and

stack's XFRM subsystem. Additionally, the feature bits NETIF_F_HW_ESP and

NETIF_F_HW_ESP_TX_CSUM will signal the availability of the offload.

NETIF_F_HW_ESP_TX_CSUM will signal the availability of the offload.
@@ -79,7 +109,8 @@ and an indication of whether it is for Rx or Tx. The driver should 




		===========   ===================================

		===========   ===================================

		0             success

		0             success

		-EOPNETSUPP   offload not supported, try SW IPsec

		-EOPNETSUPP   offload not supported, try SW IPsec,

                              not applicable for packet offload mode

		other         fail the request

		other         fail the request

		===========   ===================================

		===========   ===================================
@@ -96,6 +127,7 @@ will serviceable. This can check the packet information to be sure the 
offload can be supported (e.g. IPv4 or IPv6, no IPv4 options, etc) and

offload can be supported (e.g. IPv4 or IPv6, no IPv4 options, etc) and

return true of false to signify its support.

return true of false to signify its support.





Crypto offload mode:

When ready to send, the driver needs to inspect the Tx packet for the

When ready to send, the driver needs to inspect the Tx packet for the

offload information, including the opaque context, and set up the packet

offload information, including the opaque context, and set up the packet

send accordingly::

send accordingly::
@@ -139,13 +171,25 @@ the stack in xfrm_input(). 
In ESN mode, xdo_dev_state_advance_esn() is called from xfrm_replay_advance_esn().

In ESN mode, xdo_dev_state_advance_esn() is called from xfrm_replay_advance_esn().

Driver will check packet seq number and update HW ESN state machine if needed.

Driver will check packet seq number and update HW ESN state machine if needed.





Packet offload mode:

HW adds and deletes XFRM headers. So in RX path, XFRM stack is bypassed if HW

reported success. In TX path, the packet lefts kernel without extra header

and not encrypted, the HW is responsible to perform it.



When the SA is removed by the user, the driver's xdo_dev_state_delete()

When the SA is removed by the user, the driver's xdo_dev_state_delete()

is asked to disable the offload.  Later, xdo_dev_state_free() is called

and xdo_dev_policy_delete() are asked to disable the offload.  Later,

from a garbage collection routine after all reference counts to the state

xdo_dev_state_free() and xdo_dev_policy_free() are called from a garbage

collection routine after all reference counts to the state and policy

have been removed and any remaining resources can be cleared for the

have been removed and any remaining resources can be cleared for the

offload state.  How these are used by the driver will depend on specific

offload state.  How these are used by the driver will depend on specific

hardware needs.

hardware needs.





As a netdev is set to DOWN the XFRM stack's netdev listener will call

As a netdev is set to DOWN the XFRM stack's netdev listener will call

xdo_dev_state_delete() and xdo_dev_state_free() on any remaining offloaded

xdo_dev_state_delete(), xdo_dev_policy_delete(), xdo_dev_state_free() and

states.
 
xdo_dev_policy_free() on any remaining offloaded states.



Outcome of HW handling packets, the XFRM core can't count hard, soft limits.

The HW/driver are responsible to perform it and provide accurate data when

xdo_dev_state_update_curlft() is called. In case of one of these limits

occuried, the driver needs to call to xfrm_state_check_expire() to make sure

that XFRM performs rekeying sequence.

drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c

+4 −0
Original line number Original line Diff line number Diff line
@@ -283,6 +283,10 @@ static int ch_ipsec_xfrm_add_state(struct xfrm_state *x) 
		pr_debug("Cannot offload xfrm states with geniv other than seqiv\n");

		pr_debug("Cannot offload xfrm states with geniv other than seqiv\n");

		return -EINVAL;

		return -EINVAL;

	}

	}

	if (x->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) {

		pr_debug("Unsupported xfrm offload\n");

		return -EINVAL;

	}





	sa_entry = kzalloc(sizeof(*sa_entry), GFP_KERNEL);

	sa_entry = kzalloc(sizeof(*sa_entry), GFP_KERNEL);

	if (!sa_entry) {

	if (!sa_entry) {

drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c

+5 −0
Original line number Original line Diff line number Diff line
@@ -585,6 +585,11 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs) 
		return -EINVAL;

		return -EINVAL;

	}

	}





	if (xs->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) {

		netdev_err(dev, "Unsupported ipsec offload type\n");

		return -EINVAL;

	}



	if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) {

	if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) {

		struct rx_sa rsa;

		struct rx_sa rsa;

drivers/net/ethernet/intel/ixgbevf/ipsec.c

+5 −0
Original line number Original line Diff line number Diff line
@@ -280,6 +280,11 @@ static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs) 
		return -EINVAL;

		return -EINVAL;

	}

	}





	if (xs->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) {

		netdev_err(dev, "Unsupported ipsec offload type\n");

		return -EINVAL;

	}



	if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) {

	if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) {

		struct rx_sa rsa;

		struct rx_sa rsa;

drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c

+4 −0
Original line number Original line Diff line number Diff line
@@ -253,6 +253,10 @@ static inline int mlx5e_xfrm_validate_state(struct xfrm_state *x) 
		netdev_info(netdev, "Cannot offload xfrm states with geniv other than seqiv\n");

		netdev_info(netdev, "Cannot offload xfrm states with geniv other than seqiv\n");

		return -EINVAL;

		return -EINVAL;

	}

	}

	if (x->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) {

		netdev_info(netdev, "Unsupported xfrm offload type\n");

		return -EINVAL;

	}

	return 0;

	return 0;

}

}