[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALHRZuq962PeU0OJ0pLrnW=tkaBd8T+iFSkT3mfWr2ArYKdO8A@mail.gmail.com>
Date: Wed, 14 Sep 2022 20:09:04 +0530
From: sundeep subbaraya <sundeep.lkml@...il.com>
To: Saeed Mahameed <saeed@...nel.org>, liorna@...dia.com
Cc: "David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Eric Dumazet <edumazet@...gle.com>,
Saeed Mahameed <saeedm@...dia.com>, netdev@...r.kernel.org,
Tariq Toukan <tariqt@...dia.com>,
Raed Salem <raeds@...dia.com>, antoine.tenart@...tlin.com
Subject: Re: [PATCH net-next V2 07/17] net/mlx5: Add MACsec offload Tx command support
Hi Saeed and Lior,
Your mdo_ops can fail in the commit phase and do not validate input
params in the prepare phase.
Is that okay? I am developing MACSEC offload driver for Marvell CN10K
and I had to write some clever code
to honour that :). Please someone help me understand why two phase
init was needed for offloading.
Thanks,
Sundeep
On Tue, Sep 6, 2022 at 11:20 AM Saeed Mahameed <saeed@...nel.org> wrote:
>
> From: Lior Nahmanson <liorna@...dia.com>
>
> This patch adds support for Connect-X MACsec offload Tx SA commands:
> add, update and delete.
>
> In Connect-X MACsec, a Security Association (SA) is added or deleted
> via allocating a HW context of an encryption/decryption key and
> a HW context of a matching SA (MACsec object).
>
> When new SA is added:
> - Use a separate crypto key HW context.
> - Create a separate MACsec context in HW to include the SA properties.
>
> Introduce a new compilation flag MLX5_EN_MACSEC for it.
>
> Follow-up patches will implement the Tx steering.
>
> Signed-off-by: Lior Nahmanson <liorna@...dia.com>
> Reviewed-by: Raed Salem <raeds@...dia.com>
> Signed-off-by: Raed Salem <raeds@...dia.com>
> Signed-off-by: Saeed Mahameed <saeedm@...dia.com>
> ---
> .../net/ethernet/mellanox/mlx5/core/Kconfig | 8 +
> .../net/ethernet/mellanox/mlx5/core/Makefile | 2 +
> drivers/net/ethernet/mellanox/mlx5/core/en.h | 3 +
> .../mellanox/mlx5/core/en_accel/macsec.c | 385 ++++++++++++++++++
> .../mellanox/mlx5/core/en_accel/macsec.h | 26 ++
> .../net/ethernet/mellanox/mlx5/core/en_main.c | 7 +
> drivers/net/ethernet/mellanox/mlx5/core/fw.c | 7 +
> .../ethernet/mellanox/mlx5/core/lib/mlx5.h | 1 +
> .../net/ethernet/mellanox/mlx5/core/main.c | 1 +
> 9 files changed, 440 insertions(+)
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.h
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/Kconfig b/drivers/net/ethernet/mellanox/mlx5/core/Kconfig
> index bfc0cd5ec423..26685fd0fdaa 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/Kconfig
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/Kconfig
> @@ -139,6 +139,14 @@ config MLX5_CORE_IPOIB
> help
> MLX5 IPoIB offloads & acceleration support.
>
> +config MLX5_EN_MACSEC
> + bool "Connect-X support for MACSec offload"
> + depends on MLX5_CORE_EN
> + depends on MACSEC
> + default n
> + help
> + Build support for MACsec cryptography-offload acceleration in the NIC.
> +
> config MLX5_EN_IPSEC
> bool "Mellanox Technologies IPsec Connect-X support"
> depends on MLX5_CORE_EN
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/Makefile b/drivers/net/ethernet/mellanox/mlx5/core/Makefile
> index a3773a8177ed..dd4b44a54712 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/Makefile
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/Makefile
> @@ -92,6 +92,8 @@ mlx5_core-$(CONFIG_MLX5_CORE_IPOIB) += ipoib/ipoib.o ipoib/ethtool.o ipoib/ipoib
> #
> mlx5_core-$(CONFIG_MLX5_FPGA) += fpga/cmd.o fpga/core.o fpga/conn.o fpga/sdk.o
>
> +mlx5_core-$(CONFIG_MLX5_EN_MACSEC) += en_accel/macsec.o
> +
> mlx5_core-$(CONFIG_MLX5_EN_IPSEC) += en_accel/ipsec.o en_accel/ipsec_rxtx.o \
> en_accel/ipsec_stats.o en_accel/ipsec_fs.o \
> en_accel/ipsec_offload.o
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
> index e464024481b4..13aac5131ff7 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
> @@ -954,6 +954,9 @@ struct mlx5e_priv {
>
> const struct mlx5e_profile *profile;
> void *ppriv;
> +#ifdef CONFIG_MLX5_EN_MACSEC
> + struct mlx5e_macsec *macsec;
> +#endif
> #ifdef CONFIG_MLX5_EN_IPSEC
> struct mlx5e_ipsec *ipsec;
> #endif
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
> new file mode 100644
> index 000000000000..f23ff25b2a1b
> --- /dev/null
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
> @@ -0,0 +1,385 @@
> +// SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB
> +/* Copyright (c) 2022, NVIDIA CORPORATION & AFFILIATES. All rights reserved. */
> +
> +#include <linux/mlx5/device.h>
> +#include <linux/mlx5/mlx5_ifc.h>
> +
> +#include "en.h"
> +#include "lib/mlx5.h"
> +#include "en_accel/macsec.h"
> +
> +#define MLX5_MACSEC_ASO_INC_SN 0x2
> +#define MLX5_MACSEC_ASO_REG_C_4_5 0x2
> +
> +struct mlx5e_macsec_sa {
> + bool active;
> + u8 assoc_num;
> + u32 macsec_obj_id;
> + u32 enc_key_id;
> + u32 next_pn;
> + sci_t sci;
> +};
> +
> +struct mlx5e_macsec {
> + struct mlx5e_macsec_sa *tx_sa[MACSEC_NUM_AN];
> + struct mutex lock; /* Protects mlx5e_macsec internal contexts */
> +
> + /* Global PD for MACsec object ASO context */
> + u32 aso_pdn;
> +
> + struct mlx5_core_dev *mdev;
> +};
> +
> +struct mlx5_macsec_obj_attrs {
> + u32 aso_pdn;
> + u32 next_pn;
> + __be64 sci;
> + u32 enc_key_id;
> + bool encrypt;
> +};
> +
> +static int mlx5e_macsec_create_object(struct mlx5_core_dev *mdev,
> + struct mlx5_macsec_obj_attrs *attrs,
> + u32 *macsec_obj_id)
> +{
> + u32 in[MLX5_ST_SZ_DW(create_macsec_obj_in)] = {};
> + u32 out[MLX5_ST_SZ_DW(general_obj_out_cmd_hdr)];
> + void *aso_ctx;
> + void *obj;
> + int err;
> +
> + obj = MLX5_ADDR_OF(create_macsec_obj_in, in, macsec_object);
> + aso_ctx = MLX5_ADDR_OF(macsec_offload_obj, obj, macsec_aso);
> +
> + MLX5_SET(macsec_offload_obj, obj, confidentiality_en, attrs->encrypt);
> + MLX5_SET(macsec_offload_obj, obj, dekn, attrs->enc_key_id);
> + MLX5_SET64(macsec_offload_obj, obj, sci, (__force u64)(attrs->sci));
> + MLX5_SET(macsec_offload_obj, obj, aso_return_reg, MLX5_MACSEC_ASO_REG_C_4_5);
> + MLX5_SET(macsec_offload_obj, obj, macsec_aso_access_pd, attrs->aso_pdn);
> +
> + MLX5_SET(macsec_aso, aso_ctx, valid, 0x1);
> + MLX5_SET(macsec_aso, aso_ctx, mode, MLX5_MACSEC_ASO_INC_SN);
> + MLX5_SET(macsec_aso, aso_ctx, mode_parameter, attrs->next_pn);
> +
> + /* general object fields set */
> + MLX5_SET(general_obj_in_cmd_hdr, in, opcode, MLX5_CMD_OP_CREATE_GENERAL_OBJECT);
> + MLX5_SET(general_obj_in_cmd_hdr, in, obj_type, MLX5_GENERAL_OBJECT_TYPES_MACSEC);
> +
> + err = mlx5_cmd_exec(mdev, in, sizeof(in), out, sizeof(out));
> + if (err) {
> + mlx5_core_err(mdev,
> + "MACsec offload: Failed to create MACsec object (err = %d)\n",
> + err);
> + return err;
> + }
> +
> + *macsec_obj_id = MLX5_GET(general_obj_out_cmd_hdr, out, obj_id);
> +
> + return err;
> +}
> +
> +static void mlx5e_macsec_destroy_object(struct mlx5_core_dev *mdev, u32 macsec_obj_id)
> +{
> + u32 in[MLX5_ST_SZ_DW(general_obj_in_cmd_hdr)] = {};
> + u32 out[MLX5_ST_SZ_DW(general_obj_out_cmd_hdr)];
> +
> + MLX5_SET(general_obj_in_cmd_hdr, in, opcode, MLX5_CMD_OP_DESTROY_GENERAL_OBJECT);
> + MLX5_SET(general_obj_in_cmd_hdr, in, obj_type, MLX5_GENERAL_OBJECT_TYPES_MACSEC);
> + MLX5_SET(general_obj_in_cmd_hdr, in, obj_id, macsec_obj_id);
> +
> + mlx5_cmd_exec(mdev, in, sizeof(in), out, sizeof(out));
> +}
> +
> +static void mlx5e_macsec_cleanup_object(struct mlx5e_macsec *macsec,
> + struct mlx5e_macsec_sa *sa)
> +{
> + mlx5e_macsec_destroy_object(macsec->mdev, sa->macsec_obj_id);
> +}
> +
> +static int mlx5e_macsec_init_object(struct macsec_context *ctx,
> + struct mlx5e_macsec_sa *sa,
> + bool encrypt)
> +{
> + struct mlx5e_priv *priv = netdev_priv(ctx->netdev);
> + struct mlx5e_macsec *macsec = priv->macsec;
> + struct mlx5_core_dev *mdev = priv->mdev;
> + struct mlx5_macsec_obj_attrs obj_attrs;
> + int err;
> +
> + obj_attrs.next_pn = sa->next_pn;
> + obj_attrs.sci = cpu_to_be64((__force u64)sa->sci);
> + obj_attrs.enc_key_id = sa->enc_key_id;
> + obj_attrs.encrypt = encrypt;
> + obj_attrs.aso_pdn = macsec->aso_pdn;
> +
> + err = mlx5e_macsec_create_object(mdev, &obj_attrs, &sa->macsec_obj_id);
> + if (err)
> + return err;
> +
> + return 0;
> +}
> +
> +static int mlx5e_macsec_add_txsa(struct macsec_context *ctx)
> +{
> + const struct macsec_tx_sc *tx_sc = &ctx->secy->tx_sc;
> + const struct macsec_tx_sa *ctx_tx_sa = ctx->sa.tx_sa;
> + struct mlx5e_priv *priv = netdev_priv(ctx->netdev);
> + const struct macsec_secy *secy = ctx->secy;
> + struct mlx5_core_dev *mdev = priv->mdev;
> + u8 assoc_num = ctx->sa.assoc_num;
> + struct mlx5e_macsec_sa *tx_sa;
> + struct mlx5e_macsec *macsec;
> + int err = 0;
> +
> + if (ctx->prepare)
> + return 0;
> +
> + mutex_lock(&priv->macsec->lock);
> +
> + macsec = priv->macsec;
> +
> + if (macsec->tx_sa[assoc_num]) {
> + netdev_err(ctx->netdev, "MACsec offload tx_sa: %d already exist\n", assoc_num);
> + err = -EEXIST;
> + goto out;
> + }
> +
> + tx_sa = kzalloc(sizeof(*tx_sa), GFP_KERNEL);
> + if (!tx_sa) {
> + err = -ENOMEM;
> + goto out;
> + }
> +
> + macsec->tx_sa[assoc_num] = tx_sa;
> +
> + tx_sa->active = ctx_tx_sa->active;
> + tx_sa->next_pn = ctx_tx_sa->next_pn_halves.lower;
> + tx_sa->sci = secy->sci;
> + tx_sa->assoc_num = assoc_num;
> +
> + err = mlx5_create_encryption_key(mdev, ctx->sa.key, secy->key_len,
> + MLX5_ACCEL_OBJ_MACSEC_KEY,
> + &tx_sa->enc_key_id);
> + if (err)
> + goto destroy_sa;
> +
> + if (!secy->operational ||
> + assoc_num != tx_sc->encoding_sa ||
> + !tx_sa->active)
> + goto out;
> +
> + err = mlx5e_macsec_init_object(ctx, tx_sa, tx_sc->encrypt);
> + if (err)
> + goto destroy_encryption_key;
> +
> + mutex_unlock(&macsec->lock);
> +
> + return 0;
> +
> +destroy_encryption_key:
> + mlx5_destroy_encryption_key(mdev, tx_sa->enc_key_id);
> +destroy_sa:
> + kfree(tx_sa);
> + macsec->tx_sa[assoc_num] = NULL;
> +out:
> + mutex_unlock(&macsec->lock);
> +
> + return err;
> +}
> +
> +static int mlx5e_macsec_upd_txsa(struct macsec_context *ctx)
> +{
> + const struct macsec_tx_sc *tx_sc = &ctx->secy->tx_sc;
> + const struct macsec_tx_sa *ctx_tx_sa = ctx->sa.tx_sa;
> + struct mlx5e_priv *priv = netdev_priv(ctx->netdev);
> + u8 assoc_num = ctx->sa.assoc_num;
> + struct mlx5e_macsec_sa *tx_sa;
> + struct mlx5e_macsec *macsec;
> + struct net_device *netdev;
> + int err = 0;
> +
> + if (ctx->prepare)
> + return 0;
> +
> + mutex_lock(&priv->macsec->lock);
> +
> + macsec = priv->macsec;
> + tx_sa = macsec->tx_sa[assoc_num];
> + netdev = ctx->netdev;
> +
> + if (!tx_sa) {
> + netdev_err(netdev, "MACsec offload: TX sa 0x%x doesn't exist\n", assoc_num);
> +
> + err = -EEXIST;
> + goto out;
> + }
> +
> + if (tx_sa->next_pn != ctx_tx_sa->next_pn_halves.lower) {
> + netdev_err(netdev, "MACsec offload: update TX sa %d PN isn't supported\n",
> + assoc_num);
> + err = -EINVAL;
> + goto out;
> + }
> +
> + if (tx_sa->active == ctx_tx_sa->active)
> + goto out;
> +
> + if (tx_sa->assoc_num != tx_sc->encoding_sa)
> + goto out;
> +
> + if (ctx_tx_sa->active) {
> + err = mlx5e_macsec_init_object(ctx, tx_sa, tx_sc->encrypt);
> + if (err)
> + goto out;
> + } else {
> + mlx5e_macsec_cleanup_object(macsec, tx_sa);
> + }
> +
> + tx_sa->active = ctx_tx_sa->active;
> +
> +out:
> + mutex_unlock(&macsec->lock);
> +
> + return err;
> +}
> +
> +static int mlx5e_macsec_del_txsa(struct macsec_context *ctx)
> +{
> + struct mlx5e_priv *priv = netdev_priv(ctx->netdev);
> + struct mlx5_core_dev *mdev = priv->mdev;
> + u8 assoc_num = ctx->sa.assoc_num;
> + struct mlx5e_macsec_sa *tx_sa;
> + struct mlx5e_macsec *macsec;
> + int err = 0;
> +
> + if (ctx->prepare)
> + return 0;
> +
> + mutex_lock(&priv->macsec->lock);
> +
> + macsec = priv->macsec;
> + tx_sa = macsec->tx_sa[ctx->sa.assoc_num];
> +
> + if (!tx_sa) {
> + netdev_err(ctx->netdev, "MACsec offload: TX sa 0x%x doesn't exist\n", assoc_num);
> + err = -EEXIST;
> + goto out;
> + }
> +
> + mlx5e_macsec_cleanup_object(macsec, tx_sa);
> +
> + mlx5_destroy_encryption_key(mdev, tx_sa->enc_key_id);
> +
> + kfree(tx_sa);
> + macsec->tx_sa[assoc_num] = NULL;
> +
> +out:
> + mutex_unlock(&macsec->lock);
> +
> + return err;
> +}
> +
> +static bool mlx5e_is_macsec_device(const struct mlx5_core_dev *mdev)
> +{
> + if (!(MLX5_CAP_GEN_64(mdev, general_obj_types) &
> + MLX5_GENERAL_OBJ_TYPES_CAP_MACSEC_OFFLOAD))
> + return false;
> +
> + if (!MLX5_CAP_GEN(mdev, log_max_dek))
> + return false;
> +
> + if (!MLX5_CAP_MACSEC(mdev, log_max_macsec_offload))
> + return false;
> +
> + if (!MLX5_CAP_FLOWTABLE_NIC_RX(mdev, macsec_decrypt) ||
> + !MLX5_CAP_FLOWTABLE_NIC_RX(mdev, reformat_remove_macsec))
> + return false;
> +
> + if (!MLX5_CAP_FLOWTABLE_NIC_TX(mdev, macsec_encrypt) ||
> + !MLX5_CAP_FLOWTABLE_NIC_TX(mdev, reformat_add_macsec))
> + return false;
> +
> + if (!MLX5_CAP_MACSEC(mdev, macsec_crypto_esp_aes_gcm_128_encrypt) &&
> + !MLX5_CAP_MACSEC(mdev, macsec_crypto_esp_aes_gcm_256_encrypt))
> + return false;
> +
> + if (!MLX5_CAP_MACSEC(mdev, macsec_crypto_esp_aes_gcm_128_decrypt) &&
> + !MLX5_CAP_MACSEC(mdev, macsec_crypto_esp_aes_gcm_256_decrypt))
> + return false;
> +
> + return true;
> +}
> +
> +static const struct macsec_ops macsec_offload_ops = {
> + .mdo_add_txsa = mlx5e_macsec_add_txsa,
> + .mdo_upd_txsa = mlx5e_macsec_upd_txsa,
> + .mdo_del_txsa = mlx5e_macsec_del_txsa,
> +};
> +
> +void mlx5e_macsec_build_netdev(struct mlx5e_priv *priv)
> +{
> + struct net_device *netdev = priv->netdev;
> +
> + if (!mlx5e_is_macsec_device(priv->mdev))
> + return;
> +
> + /* Enable MACsec */
> + mlx5_core_dbg(priv->mdev, "mlx5e: MACsec acceleration enabled\n");
> + netdev->macsec_ops = &macsec_offload_ops;
> + netdev->features |= NETIF_F_HW_MACSEC;
> + netif_keep_dst(netdev);
> +}
> +
> +int mlx5e_macsec_init(struct mlx5e_priv *priv)
> +{
> + struct mlx5_core_dev *mdev = priv->mdev;
> + struct mlx5e_macsec *macsec = NULL;
> + int err;
> +
> + if (!mlx5e_is_macsec_device(priv->mdev)) {
> + mlx5_core_dbg(mdev, "Not a MACsec offload device\n");
> + return 0;
> + }
> +
> + macsec = kzalloc(sizeof(*macsec), GFP_KERNEL);
> + if (!macsec)
> + return -ENOMEM;
> +
> + mutex_init(&macsec->lock);
> +
> + err = mlx5_core_alloc_pd(mdev, &macsec->aso_pdn);
> + if (err) {
> + mlx5_core_err(mdev,
> + "MACsec offload: Failed to alloc pd for MACsec ASO, err=%d\n",
> + err);
> + goto err_pd;
> + }
> +
> + priv->macsec = macsec;
> +
> + macsec->mdev = mdev;
> +
> + mlx5_core_dbg(mdev, "MACsec attached to netdevice\n");
> +
> + return 0;
> +
> +err_pd:
> + kfree(macsec);
> + return err;
> +}
> +
> +void mlx5e_macsec_cleanup(struct mlx5e_priv *priv)
> +{
> + struct mlx5e_macsec *macsec = priv->macsec;
> +
> + if (!macsec)
> + return;
> +
> + priv->macsec = NULL;
> +
> + mlx5_core_dealloc_pd(priv->mdev, macsec->aso_pdn);
> +
> + mutex_destroy(&macsec->lock);
> +
> + kfree(macsec);
> +}
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.h
> new file mode 100644
> index 000000000000..1ef1f3e3932f
> --- /dev/null
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.h
> @@ -0,0 +1,26 @@
> +/* SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB */
> +/* Copyright (c) 2022, NVIDIA CORPORATION & AFFILIATES. All rights reserved. */
> +
> +#ifndef __MLX5_EN_ACCEL_MACSEC_H__
> +#define __MLX5_EN_ACCEL_MACSEC_H__
> +
> +#ifdef CONFIG_MLX5_EN_MACSEC
> +
> +#include <linux/mlx5/driver.h>
> +#include <net/macsec.h>
> +
> +struct mlx5e_priv;
> +
> +void mlx5e_macsec_build_netdev(struct mlx5e_priv *priv);
> +int mlx5e_macsec_init(struct mlx5e_priv *priv);
> +void mlx5e_macsec_cleanup(struct mlx5e_priv *priv);
> +
> +#else
> +
> +static inline void mlx5e_macsec_build_netdev(struct mlx5e_priv *priv) {}
> +static inline int mlx5e_macsec_init(struct mlx5e_priv *priv) { return 0; }
> +static inline void mlx5e_macsec_cleanup(struct mlx5e_priv *priv) {}
> +
> +#endif /* CONFIG_MLX5_EN_MACSEC */
> +
> +#endif /* __MLX5_ACCEL_EN_MACSEC_H__ */
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> index 7c1a13738a58..905025a10a8a 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
> @@ -45,6 +45,7 @@
> #include "en_tc.h"
> #include "en_rep.h"
> #include "en_accel/ipsec.h"
> +#include "en_accel/macsec.h"
> #include "en_accel/en_accel.h"
> #include "en_accel/ktls.h"
> #include "lib/vxlan.h"
> @@ -4990,6 +4991,7 @@ static void mlx5e_build_nic_netdev(struct net_device *netdev)
>
> netif_set_tso_max_size(netdev, GSO_MAX_SIZE);
> mlx5e_set_netdev_dev_addr(netdev);
> + mlx5e_macsec_build_netdev(priv);
> mlx5e_ipsec_build_netdev(priv);
> mlx5e_ktls_build_netdev(priv);
> }
> @@ -5053,6 +5055,10 @@ static int mlx5e_nic_init(struct mlx5_core_dev *mdev,
> }
> priv->fs = fs;
>
> + err = mlx5e_macsec_init(priv);
> + if (err)
> + mlx5_core_err(mdev, "MACsec initialization failed, %d\n", err);
> +
> err = mlx5e_ipsec_init(priv);
> if (err)
> mlx5_core_err(mdev, "IPSec initialization failed, %d\n", err);
> @@ -5070,6 +5076,7 @@ static void mlx5e_nic_cleanup(struct mlx5e_priv *priv)
> mlx5e_health_destroy_reporters(priv);
> mlx5e_ktls_cleanup(priv);
> mlx5e_ipsec_cleanup(priv);
> + mlx5e_macsec_cleanup(priv);
> mlx5e_fs_cleanup(priv->fs);
> }
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw.c b/drivers/net/ethernet/mellanox/mlx5/core/fw.c
> index 079fa44ada71..c63ce03e79e0 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/fw.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/fw.c
> @@ -273,6 +273,13 @@ int mlx5_query_hca_caps(struct mlx5_core_dev *dev)
> return err;
> }
>
> + if (MLX5_CAP_GEN_64(dev, general_obj_types) &
> + MLX5_GENERAL_OBJ_TYPES_CAP_MACSEC_OFFLOAD) {
> + err = mlx5_core_get_caps(dev, MLX5_CAP_MACSEC);
> + if (err)
> + return err;
> + }
> +
> return 0;
> }
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h b/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h
> index 2f536c5d30b1..032adb21ad4b 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h
> @@ -83,6 +83,7 @@ int mlx5_notifier_call_chain(struct mlx5_events *events, unsigned int event, voi
> enum {
> MLX5_ACCEL_OBJ_TLS_KEY = MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_TYPE_TLS,
> MLX5_ACCEL_OBJ_IPSEC_KEY = MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_TYPE_IPSEC,
> + MLX5_ACCEL_OBJ_MACSEC_KEY = MLX5_GENERAL_OBJECT_TYPE_ENCRYPTION_KEY_TYPE_MACSEC,
> };
>
> int mlx5_create_encryption_key(struct mlx5_core_dev *mdev,
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
> index c085b031abfc..1986f1c715b5 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
> @@ -1488,6 +1488,7 @@ static const int types[] = {
> MLX5_CAP_IPSEC,
> MLX5_CAP_PORT_SELECTION,
> MLX5_CAP_DEV_SHAMPO,
> + MLX5_CAP_MACSEC,
> };
>
> static void mlx5_hca_caps_free(struct mlx5_core_dev *dev)
> --
> 2.37.2
>
Powered by blists - more mailing lists