Commit e8a292d6 authored by Steffen Klassert's avatar Steffen Klassert
Browse files

Merge branch 'mlx5 IPsec packet offload support (Part I)' 



Leon Romanovsky says:

============
This series follows previously sent "Extend XFRM core to allow packet
offload configuration" series [1].

It is first part with refactoring to mlx5 allow us natively extend
mlx5 IPsec logic to support both crypto and packet offloads.
============

Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
parents 89ae6573 a8e05293

drivers/net/ethernet/mellanox/mlx5/core/en.h

+1 −0
Original line number Diff line number Diff line
@@ -1245,4 +1245,5 @@ int mlx5e_set_vf_rate(struct net_device *dev, int vf, int min_tx_rate, int max_t 
int mlx5e_get_vf_config(struct net_device *dev, int vf, struct ifla_vf_info *ivi);

int mlx5e_get_vf_stats(struct net_device *dev, int vf, struct ifla_vf_stats *vf_stats);

#endif

int mlx5e_create_mkey(struct mlx5_core_dev *mdev, u32 pdn, u32 *mkey);

#endif /* __MLX5_EN_H__ */

drivers/net/ethernet/mellanox/mlx5/core/en/tc/meter.c

+0 −1
Original line number Diff line number Diff line
@@ -162,7 +162,6 @@ mlx5e_tc_meter_modify(struct mlx5_core_dev *mdev, 
			   MLX5_ACCESS_ASO_OPC_MOD_FLOW_METER);



	aso_ctrl = &aso_wqe->aso_ctrl;

	memset(aso_ctrl, 0, sizeof(*aso_ctrl));

	aso_ctrl->data_mask_mode = MLX5_ASO_DATA_MASK_MODE_BYTEWISE_64BYTE << 6;

	aso_ctrl->condition_1_0_operand = MLX5_ASO_ALWAYS_TRUE |

					  MLX5_ASO_ALWAYS_TRUE << 4;

drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c

+33 −17
Original line number Diff line number Diff line
@@ -162,28 +162,21 @@ mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry, 


	/* esn */

	if (sa_entry->esn_state.trigger) {

		attrs->flags |= MLX5_ACCEL_ESP_FLAGS_ESN_TRIGGERED;

		attrs->esn_trigger = true;

		attrs->esn = sa_entry->esn_state.esn;

		if (sa_entry->esn_state.overlap)

			attrs->flags |= MLX5_ACCEL_ESP_FLAGS_ESN_STATE_OVERLAP;

		attrs->esn_overlap = sa_entry->esn_state.overlap;

		attrs->replay_window = x->replay_esn->replay_window;

	}



	/* action */

	attrs->action = (x->xso.dir == XFRM_DEV_OFFLOAD_OUT) ?

				MLX5_ACCEL_ESP_ACTION_ENCRYPT :

				      MLX5_ACCEL_ESP_ACTION_DECRYPT;

	/* flags */

	attrs->flags |= (x->props.mode == XFRM_MODE_TRANSPORT) ?

			MLX5_ACCEL_ESP_FLAGS_TRANSPORT :

			MLX5_ACCEL_ESP_FLAGS_TUNNEL;



	attrs->dir = x->xso.dir;

	/* spi */

	attrs->spi = be32_to_cpu(x->id.spi);



	/* source , destination ips */

	memcpy(&attrs->saddr, x->props.saddr.a6, sizeof(attrs->saddr));

	memcpy(&attrs->daddr, x->id.daddr.a6, sizeof(attrs->daddr));

	attrs->is_ipv6 = (x->props.family != AF_INET);

	attrs->family = x->props.family;

	attrs->type = x->xso.type;

}



static inline int mlx5e_xfrm_validate_state(struct xfrm_state *x)
@@ -257,6 +250,17 @@ static inline int mlx5e_xfrm_validate_state(struct xfrm_state *x) 
		netdev_info(netdev, "Unsupported xfrm offload type\n");

		return -EINVAL;

	}

	if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET) {

		if (x->replay_esn && x->replay_esn->replay_window != 32 &&

		    x->replay_esn->replay_window != 64 &&

		    x->replay_esn->replay_window != 128 &&

		    x->replay_esn->replay_window != 256) {

			netdev_info(netdev,

				    "Unsupported replay window size %u\n",

				    x->replay_esn->replay_window);

			return -EINVAL;

		}

	}

	return 0;

}
@@ -303,7 +307,7 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x) 
	if (err)

		goto err_xfrm;



	err = mlx5e_accel_ipsec_fs_add_rule(priv, sa_entry);

	err = mlx5e_accel_ipsec_fs_add_rule(sa_entry);

	if (err)

		goto err_hw_ctx;
@@ -321,7 +325,7 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x) 
	goto out;



err_add_rule:

	mlx5e_accel_ipsec_fs_del_rule(priv, sa_entry);

	mlx5e_accel_ipsec_fs_del_rule(sa_entry);

err_hw_ctx:

	mlx5_ipsec_free_sa_ctx(sa_entry);

err_xfrm:
@@ -341,10 +345,9 @@ static void mlx5e_xfrm_del_state(struct xfrm_state *x) 
static void mlx5e_xfrm_free_state(struct xfrm_state *x)

{

	struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x);

	struct mlx5e_priv *priv = netdev_priv(x->xso.dev);



	cancel_work_sync(&sa_entry->modify_work.work);

	mlx5e_accel_ipsec_fs_del_rule(priv, sa_entry);

	mlx5e_accel_ipsec_fs_del_rule(sa_entry);

	mlx5_ipsec_free_sa_ctx(sa_entry);

	kfree(sa_entry);

}
@@ -371,15 +374,26 @@ void mlx5e_ipsec_init(struct mlx5e_priv *priv) 
	if (!ipsec->wq)

		goto err_wq;



	if (mlx5_ipsec_device_caps(priv->mdev) &

	    MLX5_IPSEC_CAP_PACKET_OFFLOAD) {

		ret = mlx5e_ipsec_aso_init(ipsec);

		if (ret)

			goto err_aso;

	}



	ret = mlx5e_accel_ipsec_fs_init(ipsec);

	if (ret)

		goto err_fs_init;



	ipsec->fs = priv->fs;

	priv->ipsec = ipsec;

	netdev_dbg(priv->netdev, "IPSec attached to netdevice\n");

	return;



err_fs_init:

	if (mlx5_ipsec_device_caps(priv->mdev) & MLX5_IPSEC_CAP_PACKET_OFFLOAD)

		mlx5e_ipsec_aso_cleanup(ipsec);

err_aso:

	destroy_workqueue(ipsec->wq);

err_wq:

	kfree(ipsec);
@@ -395,6 +409,8 @@ void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv) 
		return;



	mlx5e_accel_ipsec_fs_cleanup(ipsec);

	if (mlx5_ipsec_device_caps(priv->mdev) & MLX5_IPSEC_CAP_PACKET_OFFLOAD)

		mlx5e_ipsec_aso_cleanup(ipsec);

	destroy_workqueue(ipsec->wq);

	kfree(ipsec);

	priv->ipsec = NULL;

drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h

+26 −22
Original line number Diff line number Diff line
@@ -39,22 +39,11 @@ 
#include <linux/mlx5/device.h>

#include <net/xfrm.h>

#include <linux/idr.h>

#include "lib/aso.h"



#define MLX5E_IPSEC_SADB_RX_BITS 10

#define MLX5E_IPSEC_ESN_SCOPE_MID 0x80000000L



enum mlx5_accel_esp_flags {

	MLX5_ACCEL_ESP_FLAGS_TUNNEL            = 0,    /* Default */

	MLX5_ACCEL_ESP_FLAGS_TRANSPORT         = 1UL << 0,

	MLX5_ACCEL_ESP_FLAGS_ESN_TRIGGERED     = 1UL << 1,

	MLX5_ACCEL_ESP_FLAGS_ESN_STATE_OVERLAP = 1UL << 2,

};



enum mlx5_accel_esp_action {

	MLX5_ACCEL_ESP_ACTION_DECRYPT,

	MLX5_ACCEL_ESP_ACTION_ENCRYPT,

};



struct aes_gcm_keymat {

	u64   seq_iv;
@@ -66,7 +55,6 @@ struct aes_gcm_keymat { 
};



struct mlx5_accel_esp_xfrm_attrs {

	enum mlx5_accel_esp_action action;

	u32   esn;

	u32   spi;

	u32   flags;
@@ -82,12 +70,18 @@ struct mlx5_accel_esp_xfrm_attrs { 
		__be32 a6[4];

	} daddr;



	u8 is_ipv6;

	u8 dir : 2;

	u8 esn_overlap : 1;

	u8 esn_trigger : 1;

	u8 type : 2;

	u8 family;

	u32 replay_window;

};



enum mlx5_ipsec_cap {

	MLX5_IPSEC_CAP_CRYPTO		= 1 << 0,

	MLX5_IPSEC_CAP_ESN		= 1 << 1,

	MLX5_IPSEC_CAP_PACKET_OFFLOAD	= 1 << 2,

};



struct mlx5e_priv;
@@ -102,17 +96,26 @@ struct mlx5e_ipsec_sw_stats { 
	atomic64_t ipsec_tx_drop_trailer;

};



struct mlx5e_accel_fs_esp;

struct mlx5e_ipsec_rx;

struct mlx5e_ipsec_tx;



struct mlx5e_ipsec_aso {

	u8 ctx[MLX5_ST_SZ_BYTES(ipsec_aso)];

	dma_addr_t dma_addr;

	struct mlx5_aso *aso;

};



struct mlx5e_ipsec {

	struct mlx5_core_dev *mdev;

	DECLARE_HASHTABLE(sadb_rx, MLX5E_IPSEC_SADB_RX_BITS);

	spinlock_t sadb_rx_lock; /* Protects sadb_rx */

	struct mlx5e_ipsec_sw_stats sw_stats;

	struct workqueue_struct *wq;

	struct mlx5e_accel_fs_esp *rx_fs;

	struct mlx5e_ipsec_tx *tx_fs;

	struct mlx5e_flow_steering *fs;

	struct mlx5e_ipsec_rx *rx_ipv4;

	struct mlx5e_ipsec_rx *rx_ipv6;

	struct mlx5e_ipsec_tx *tx;

	struct mlx5e_ipsec_aso *aso;

};



struct mlx5e_ipsec_esn_state {
@@ -123,7 +126,7 @@ struct mlx5e_ipsec_esn_state { 


struct mlx5e_ipsec_rule {

	struct mlx5_flow_handle *rule;

	struct mlx5_modify_hdr *set_modify_hdr;

	struct mlx5_modify_hdr *modify_hdr;

};



struct mlx5e_ipsec_modify_state_work {
@@ -155,10 +158,8 @@ struct xfrm_state *mlx5e_ipsec_sadb_rx_lookup(struct mlx5e_ipsec *dev, 


void mlx5e_accel_ipsec_fs_cleanup(struct mlx5e_ipsec *ipsec);

int mlx5e_accel_ipsec_fs_init(struct mlx5e_ipsec *ipsec);

int mlx5e_accel_ipsec_fs_add_rule(struct mlx5e_priv *priv,

				  struct mlx5e_ipsec_sa_entry *sa_entry);

void mlx5e_accel_ipsec_fs_del_rule(struct mlx5e_priv *priv,

				   struct mlx5e_ipsec_sa_entry *sa_entry);

int mlx5e_accel_ipsec_fs_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry);

void mlx5e_accel_ipsec_fs_del_rule(struct mlx5e_ipsec_sa_entry *sa_entry);



int mlx5_ipsec_create_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);

void mlx5_ipsec_free_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);
@@ -168,6 +169,9 @@ u32 mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev); 
void mlx5_accel_esp_modify_xfrm(struct mlx5e_ipsec_sa_entry *sa_entry,

				const struct mlx5_accel_esp_xfrm_attrs *attrs);



int mlx5e_ipsec_aso_init(struct mlx5e_ipsec *ipsec);

void mlx5e_ipsec_aso_cleanup(struct mlx5e_ipsec *ipsec);



static inline struct mlx5_core_dev *

mlx5e_ipsec_sa2dev(struct mlx5e_ipsec_sa_entry *sa_entry)

{

drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c

+325 −304

File changed.

Preview size limit exceeded, changes collapsed.