[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20191213154844.635389-1-antoine.tenart@bootlin.com>
Date: Fri, 13 Dec 2019 16:48:29 +0100
From: Antoine Tenart <antoine.tenart@...tlin.com>
To: davem@...emloft.net, sd@...asysnail.net, andrew@...n.ch,
f.fainelli@...il.com, hkallweit1@...il.com
Cc: Antoine Tenart <antoine.tenart@...tlin.com>,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
thomas.petazzoni@...tlin.com, alexandre.belloni@...tlin.com,
allan.nielsen@...rochip.com, camelia.groza@....com,
Simon.Edelhaus@...antia.com, Igor.Russkikh@...antia.com,
jakub.kicinski@...ronome.com
Subject: [PATCH net-next v3 00/15] net: macsec: initial support for hardware offloading
Hello,
td;dr: When applying this series, do not apply patches 12 to 14.
This series intends to add support for offloading MACsec transformations
to hardware enabled devices. The series adds the necessary
infrastructure for offloading MACsec configurations to hardware drivers,
in patches 1 to 6; then introduces MACsec offloading support in the
Microsemi MSCC PHY driver, in patches 7 to 11.
The remaining 4 patches, 12 to 14, are *not* part of the series but
provide the mandatory changes needed to support offloading MACsec
operations to a MAC driver. Those patches are provided for anyone
willing to add support for offloading MACsec operations to a MAC, and
should be part of the first series adding a MAC as a MACsec offloading
provider.
The series can also be found at:
https://github.com/atenart/linux/tree/net-next/macsec
IProute2 modifications can be found at:
https://github.com/atenart/iproute2/tree/macsec
MACsec hardware offloading infrastructure
-----------------------------------------
Linux has a software implementation of the MACsec standard. There are
hardware engines supporting MACsec operations, such as the Intel ixgbe
NIC and some Microsemi PHYs (the one we use in this series). This means
the MACsec offloading infrastructure should support networking PHY and
MAC drivers. Note that MAC driver preliminary support is part of this
series, but should not be merged before we actually have a provider for
this.
We do intend in this series to re-use the logic, netlink API and data
structures of the existing MACsec software implementation. This allows
not to duplicate definitions and structure storing the same information;
as well as using the same userspace tools to configure both software or
hardware offloaded MACsec flows (with `ip macsec`).
When adding a new MACsec virtual interface the existing logic is kept:
offloading is disabled by default. A user driven configuration choice is
needed to switch to offloading mode (a patch in iproute2 is needed for
this). A single MACsec interface can be offloaded for now, and some
limitations are there: no flow can be moved from one implementation to
the other so the decision needs to be done before configuring the
interface.
MACsec offloading ops are called in 2 steps: a preparation one, and a
commit one. The first step is allowed to fail and should be used to
check if a provided configuration is compatible with a given MACsec
capable hardware. The second step is not allowed to fail and should
only be used to enable a given MACsec configuration.
A limitation as of now is the counters and statistics are not reported
back from the hardware to the software MACsec implementation. This
isn't an issue when using offloaded MACsec transformations, but it
should be added in the future so that the MACsec state can be reported
to the user (which would also improve the debug).
Microsemi PHY MACsec support
-----------------------------------
In order to add support for the MACsec offloading feature in the
Microsemi MSCC PHY driver, the __phy_read_page and __phy_write_page
helpers had to be exported. This is because the initialization of the
PHY is done while holding the MDIO bus lock, and we need to change the
page to configure the MACsec block.
The support itself is then added in three patches. The first one adds
support for configuring the MACsec block within the PHY, so that it is
up, running and available for future configuration, but is not doing any
modification on the traffic passing through the PHY. The second patch
implements the phy_device MACsec ops in the Microsemi MSCC PHY driver,
and introduce helpers to configure MACsec transformations and flows to
match specific packets. The last one adds support for PN rollover.
Thanks!
Antoine
Since v2:
- Allow selection the offloading from userspace, defaulting to the
software implementation when adding a new MACsec interface. The
offloading mode is now also reported through netlink.
- Added support for letting MKA packets in and out when using MACsec
(there are rules to let them bypass the MACsec h/w engine within the
PHY).
- Added support for PN rollover (following what's currently done in
the software implementation: the flow is disabled).
- Split patches to remove MAC offloading support for now, as there are
no current provider for this (patches are still included).
- Improved a few parts of the MACsec support within the MSCC PHY
driver (e.g. default rules now block non-MACsec traffic, depending
on the configuration).
- Many cosmetic fixes & small improvements.
Since v1:
- Reworked the MACsec offloading API, moving from a single helper
called for all MACsec configuration operations, to a per-operation
function that is provided by the underlying hardware drivers.
- Those functions now contain a verb to describe the configuration
action they're offloading.
- Improved the error handling in the MACsec genl helpers to revert
the configuration to its previous state when the offloading call
failed.
- Reworked the file inclusions.
Antoine Tenart (15):
net: macsec: move some definitions in a dedicated header
net: macsec: introduce the macsec_context structure
net: macsec: introduce MACsec ops
net: phy: add MACsec ops in phy_device
net: macsec: hardware offloading infrastructure
net: macsec: add nla support for changing the offloading selection
net: phy: export __phy_read_page/__phy_write_page
net: phy: mscc: macsec initialization
net: phy: mscc: macsec support
net: macsec: PN wrap callback
net: phy: mscc: PN rollover support
net: introduce the MACSEC netdev feature
net: add a reference to MACsec ops in net_device
net: macsec: allow to reference a netdev from a MACsec context
net: macsec: add support for offloading to the MAC
drivers/net/macsec.c | 781 +++++++++++++-----
drivers/net/phy/Kconfig | 2 +
drivers/net/phy/mscc.c | 1183 +++++++++++++++++++++++++++-
drivers/net/phy/mscc_fc_buffer.h | 64 ++
drivers/net/phy/mscc_mac.h | 159 ++++
drivers/net/phy/mscc_macsec.h | 266 +++++++
drivers/net/phy/phy-core.c | 6 +-
include/linux/netdev_features.h | 3 +
include/linux/netdevice.h | 9 +
include/linux/phy.h | 12 +
include/net/macsec.h | 228 ++++++
include/uapi/linux/if_link.h | 8 +
include/uapi/linux/if_macsec.h | 14 +-
net/ethtool/common.c | 1 +
tools/include/uapi/linux/if_link.h | 8 +
15 files changed, 2555 insertions(+), 189 deletions(-)
create mode 100644 drivers/net/phy/mscc_fc_buffer.h
create mode 100644 drivers/net/phy/mscc_mac.h
create mode 100644 drivers/net/phy/mscc_macsec.h
create mode 100644 include/net/macsec.h
--
2.23.0
Powered by blists - more mailing lists