| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YzVWsOP1R/FGPYgF@unreal>
Date: Thu, 29 Sep 2022 11:26:24 +0300
From: Leon Romanovsky <leon@...nel.org>
To: Simon Horman <simon.horman@...igine.com>
Cc: David Miller <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org,
oss-drivers@...igine.com,
Huanhuan Wang <huanhuan.wang@...igine.com>
Subject: Re: [PATCH net-next v2 3/3] nfp: implement xfrm callbacks and expose
ipsec offload feature to upper layer
On Tue, Sep 27, 2022 at 12:27:07PM +0200, Simon Horman wrote:
> From: Huanhuan Wang <huanhuan.wang@...igine.com>
>
> Xfrm callbacks are implemented to offload SA info into firmware
> by mailbox. It supports 16K SA info in total.
>
> Expose ipsec offload feature to upper layer, this feature will
> signal the availability of the offload.
>
> Based on initial work of Norm Bagley <norman.bagley@...ronome.com>.
>
> Signed-off-by: Huanhuan Wang <huanhuan.wang@...igine.com>
> Signed-off-by: Simon Horman <simon.horman@...igine.com>
> ---
> .../net/ethernet/netronome/nfp/crypto/ipsec.c | 562 +++++++++++++++++-
> .../ethernet/netronome/nfp/nfp_net_common.c | 6 +
> .../net/ethernet/netronome/nfp/nfp_net_ctrl.h | 4 +-
> 3 files changed, 568 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/net/ethernet/netronome/nfp/crypto/ipsec.c b/drivers/net/ethernet/netronome/nfp/crypto/ipsec.c
> index 658fcba8e733..a81e6cde4ea8 100644
> --- a/drivers/net/ethernet/netronome/nfp/crypto/ipsec.c
> +++ b/drivers/net/ethernet/netronome/nfp/crypto/ipsec.c
> @@ -17,6 +17,77 @@
> #define NFP_NET_IPSEC_MAX_SA_CNT (16 * 1024) /* Firmware support a maximum of 16K sa offload */
> #define OFFLOAD_HANDLE_ERROR 0xffffffff
>
> +/* IPsec config message cmd codes */
> +enum nfp_ipsec_cfg_mssg_cmd_codes {
> + NFP_IPSEC_CFG_MSSG_ADD_SA, /* Add a new SA */
> + NFP_IPSEC_CFG_MSSG_INV_SA, /* Invalidate an existing SA */
> + NFP_IPSEC_CFG_MSSG_MODIFY_SA, /* Modify an existing SA */
> + NFP_IPSEC_CFG_MSSG_GET_SA_STATS, /* Report SA counters, flags, etc. */
> + NFP_IPSEC_CFG_MSSG_GET_SEQ_NUMS, /* Allocate sequence numbers */
> + NFP_IPSEC_CFG_MSSG_LAST
> +};
> +
> +/* IPsec config message response codes */
> +enum nfp_ipsec_cfg_mssg_rsp_codes {
> + NFP_IPSEC_CFG_MSSG_OK,
> + NFP_IPSEC_CFG_MSSG_FAILED,
> + NFP_IPSEC_CFG_MSSG_SA_VALID,
> + NFP_IPSEC_CFG_MSSG_SA_HASH_ADD_FAILED,
> + NFP_IPSEC_CFG_MSSG_SA_HASH_DEL_FAILED,
> + NFP_IPSEC_CFG_MSSG_SA_INVALID_CMD
> +};
> +
> +/* Protocol */
> +enum nfp_ipsec_sa_prot {
> + NFP_IPSEC_PROTOCOL_AH = 0,
> + NFP_IPSEC_PROTOCOL_ESP = 1
> +};
> +
> +/* Mode */
> +enum nfp_ipsec_sa_mode {
> + NFP_IPSEC_PROTMODE_TRANSPORT = 0,
> + NFP_IPSEC_PROTMODE_TUNNEL = 1
> +};
> +
> +/* Cipher types */
> +enum nfp_ipsec_sa_cipher {
> + NFP_IPSEC_CIPHER_NULL,
> + NFP_IPSEC_CIPHER_3DES,
> + NFP_IPSEC_CIPHER_AES128,
> + NFP_IPSEC_CIPHER_AES192,
> + NFP_IPSEC_CIPHER_AES256,
> + NFP_IPSEC_CIPHER_AES128_NULL,
> + NFP_IPSEC_CIPHER_AES192_NULL,
> + NFP_IPSEC_CIPHER_AES256_NULL,
> + NFP_IPSEC_CIPHER_CHACHA20
> +};
> +
> +/* Cipher modes */
> +enum nfp_ipsec_sa_cipher_mode {
> + NFP_IPSEC_CIMODE_ECB,
> + NFP_IPSEC_CIMODE_CBC,
> + NFP_IPSEC_CIMODE_CFB,
> + NFP_IPSEC_CIMODE_OFB,
> + NFP_IPSEC_CIMODE_CTR
> +};
> +
> +/* Hash types */
> +enum nfp_ipsec_sa_hash_type {
> + NFP_IPSEC_HASH_NONE,
> + NFP_IPSEC_HASH_MD5_96,
> + NFP_IPSEC_HASH_SHA1_96,
> + NFP_IPSEC_HASH_SHA256_96,
> + NFP_IPSEC_HASH_SHA384_96,
> + NFP_IPSEC_HASH_SHA512_96,
> + NFP_IPSEC_HASH_MD5_128,
> + NFP_IPSEC_HASH_SHA1_80,
> + NFP_IPSEC_HASH_SHA256_128,
> + NFP_IPSEC_HASH_SHA384_192,
> + NFP_IPSEC_HASH_SHA512_256,
> + NFP_IPSEC_HASH_GF128_128,
> + NFP_IPSEC_HASH_POLY1305_128
> +};
> +
> /* IPSEC_CFG_MSSG_ADD_SA */
> struct nfp_ipsec_cfg_add_sa {
> u32 ciph_key[8]; /* Cipher Key */
> @@ -71,6 +142,73 @@ struct nfp_ipsec_cfg_add_sa {
> uint32_t tfc_padding :16; /* Traffic Flow Confidential Pad */
> };
>
> +/* IPSEC_CFG_MSSG_INV_SA */
> +struct nfp_ipsec_cfg_inv_sa {
> + u32 spare6;
> +};
> +
> +/* IPSEC_CFG_MSSG_GET_SA_STATS */
> +struct nfp_ipsec_cfg_get_sa_stats {
> + u32 seq_lo; /* Sequence Number (low 32bits) */
> + u32 seq_high; /* Sequence Number (high 32bits) */
> + u32 arw_counter_lo; /* Anti-replay wndw cntr */
> + u32 arw_counter_high; /* Anti-replay wndw cntr */
> + u32 arw_bitmap_lo; /* Anti-replay wndw bitmap */
> + u32 arw_bitmap_high; /* Anti-replay wndw bitmap */
> + uint32_t reserved1:1;
> + uint32_t soft_lifetime_byte_cnt_exceeded :1; /* Soft cnt_exceeded */
> + uint32_t hard_lifetime_byte_cnt_exceeded :1; /* Hard cnt_exceeded */
> + uint32_t soft_lifetime_time_limit_exceeded :1; /* Soft cnt_exceeded */
> + uint32_t hard_lifetime_time_limit_exceeded :1; /* Hard cnt_exceeded */
> + uint32_t spare7:27;
> + u32 lifetime_byte_count;
> + u32 pkt_count;
> + u32 discards_auth; /* Auth failures */
> + u32 discards_unsupported; /* Unsupported crypto mode */
> + u32 discards_alignment; /* Alignment error */
> + u32 discards_hard_bytelimit; /* Byte Count limit */
> + u32 discards_seq_num_wrap; /* Sequ Number wrap */
> + u32 discards_pmtu_limit_exceeded; /* PMTU Limit */
> + u32 discards_arw_old_seq; /* Anti-Replay seq small */
> + u32 discards_arw_replay; /* Anti-Replay seq rcvd */
> + u32 discards_ctrl_word; /* Bad SA Control word */
> + u32 discards_ip_hdr_len; /* Hdr offset from too high */
> + u32 discards_eop_buf; /* No EOP buffer */
> + u32 ipv4_id_counter; /* IPv4 ID field counter */
> + u32 discards_isl_fail; /* Inbound SPD Lookup failure */
> + u32 discards_ext_not_found; /* Ext header end */
> + u32 discards_max_ext_hdrs; /* Max ext header */
> + u32 discards_non_ext_hdrs; /* Non-extension headers */
> + u32 discards_ext_hdr_too_big; /* Ext header chain */
> + u32 discards_hard_timelimit; /* Time Limit */
> +};
> +
> +/* IPSEC_CFG_MSSG_GET_SEQ_NUMS */
> +struct ipsec_cfg_get_seq_nums {
> + u32 seq_nums; /* Sequence numbers to allocate */
> + u32 seq_num_low; /* Rtrn start seq num 31:00 */
> + u32 seq_num_hi; /* Rtrn start seq num 63:32 */
> +};
> +
> +/* IPSEC_CFG_MSSG */
> +struct nfp_ipsec_cfg_mssg {
> + union {
> + struct{
> + uint32_t cmd:16; /* One of nfp_ipsec_cfg_mssg_cmd_codes */
> + uint32_t rsp:16; /* One of nfp_ipsec_cfg_mssg_rsp_codes */
> + uint32_t sa_idx:16; /* SA table index */
> + uint32_t spare0:16;
> + union {
> + struct nfp_ipsec_cfg_add_sa cfg_add_sa;
> + struct nfp_ipsec_cfg_inv_sa cfg_inv_sa;
> + struct nfp_ipsec_cfg_get_sa_stats cfg_get_stats;
> + struct ipsec_cfg_get_seq_nums cfg_get_seq_nums;
> + };
> + };
> + u32 raw[64];
> + };
> +};
> +
> struct nfp_net_ipsec_sa_data {
> struct nfp_ipsec_cfg_add_sa nfp_sa;
> struct xfrm_state *x;
> @@ -84,22 +222,442 @@ struct nfp_net_ipsec_data {
> struct mutex lock; /* Protects nfp_net_ipsec_data struct */
> };
>
> +static int nfp_ipsec_cfg_cmd_issue(struct nfp_net *nn, int type, int saidx,
> + struct nfp_ipsec_cfg_mssg *msg)
> +{
> + int i, msg_size, ret;
> +
> + msg->cmd = type;
> + msg->sa_idx = saidx;
> + msg->rsp = 0;
> + msg_size = ARRAY_SIZE(msg->raw);
> +
> + for (i = 0; i < msg_size; i++)
> + nn_writel(nn, NFP_NET_CFG_MBOX_VAL + 4 * i, msg->raw[i]);
> +
> + ret = nfp_net_mbox_reconfig(nn, NFP_NET_CFG_MBOX_CMD_IPSEC);
> + if (ret < 0)
> + return ret;
> +
> + /* For now we always read the whole message response back */
> + for (i = 0; i < msg_size; i++)
> + msg->raw[i] = nn_readl(nn, NFP_NET_CFG_MBOX_VAL + 4 * i);
> +
> + switch (msg->rsp) {
> + case NFP_IPSEC_CFG_MSSG_OK:
> + return 0;
> + case NFP_IPSEC_CFG_MSSG_SA_INVALID_CMD:
> + return -EINVAL;
> + case NFP_IPSEC_CFG_MSSG_SA_VALID:
> + return -EEXIST;
> + case NFP_IPSEC_CFG_MSSG_FAILED:
> + case NFP_IPSEC_CFG_MSSG_SA_HASH_ADD_FAILED:
> + case NFP_IPSEC_CFG_MSSG_SA_HASH_DEL_FAILED:
> + return -EIO;
> + default:
> + return -EDOM;
> + }
> +}
> +
> +static int set_aes_keylen(struct nfp_ipsec_cfg_add_sa *cfg, int alg, int keylen)
> +{
> + if (alg == SADB_X_EALG_NULL_AES_GMAC) {
> + if (keylen == 128)
> + cfg->ctrl_word.cipher = NFP_IPSEC_CIPHER_AES128_NULL;
> + else if (keylen == 192)
> + cfg->ctrl_word.cipher = NFP_IPSEC_CIPHER_AES192_NULL;
> + else if (keylen == 256)
> + cfg->ctrl_word.cipher = NFP_IPSEC_CIPHER_AES256_NULL;
> + else
> + return -EINVAL;
> + } else {
> + if (keylen == 128)
> + cfg->ctrl_word.cipher = NFP_IPSEC_CIPHER_AES128;
> + else if (keylen == 192)
> + cfg->ctrl_word.cipher = NFP_IPSEC_CIPHER_AES192;
> + else if (keylen == 256)
> + cfg->ctrl_word.cipher = NFP_IPSEC_CIPHER_AES256;
> + else
> + return -EINVAL;
> + }
> +
> + return 0;
> +}
> +
> static int nfp_net_xfrm_add_state(struct xfrm_state *x)
> {
> - return -EOPNOTSUPP;
> + int i, key_len, trunc_len, err = 0, saidx = -1;
> + struct net_device *netdev = x->xso.dev;
> + struct nfp_net_ipsec_sa_data *sa_data;
> + struct nfp_ipsec_cfg_add_sa *cfg;
> + struct nfp_net_ipsec_data *ipd;
> + struct nfp_ipsec_cfg_mssg msg;
struct nfp_ipsec_cfg_mssg msg = {};
and memset below will be redundant.
> + struct nfp_net *nn;
> + __be32 *p;
> +
> + nn = netdev_priv(netdev);
> + ipd = nn->ipsec_data;
> + cfg = &msg.cfg_add_sa;
> +
> + nn_dbg(nn, "XFRM add state!\n");
ftrace can give it, you don't need add prints for functions entry/exit.
> + mutex_lock(&ipd->lock);
> +
> + if (ipd->sa_free_cnt == 0) {
> + nn_err(nn, "No space for xfrm offload\n");
> + err = -ENOSPC;
Why don't you return EOPNOTSUPP?
> + goto error;
> + }
> +
> + saidx = ipd->sa_free_stack[ipd->sa_free_cnt - 1];
> + sa_data = &ipd->sa_entries[saidx];
> + memset(&msg, 0, sizeof(msg));
Redundant.
> +
> + /* General */
> + switch (x->props.mode) {
> + case XFRM_MODE_TUNNEL:
> + cfg->ctrl_word.mode = NFP_IPSEC_PROTMODE_TUNNEL;
> + break;
> + case XFRM_MODE_TRANSPORT:
> + cfg->ctrl_word.mode = NFP_IPSEC_PROTMODE_TRANSPORT;
> + break;
> + default:
> + nn_err(nn, "Unsupported mode for xfrm offload\n");
> + err = -EINVAL;
> + goto error;
> + }
> +
> + switch (x->id.proto) {
> + case IPPROTO_ESP:
> + cfg->ctrl_word.proto = NFP_IPSEC_PROTOCOL_ESP;
> + break;
> + case IPPROTO_AH:
> + cfg->ctrl_word.proto = NFP_IPSEC_PROTOCOL_AH;
> + break;
> + default:
> + nn_err(nn, "Unsupported protocol for xfrm offload\n");
> + err = -EINVAL;
> + goto error;
> + }
> +
> + if (x->props.flags & XFRM_STATE_ESN) {
> + nn_err(nn, "Unsupported XFRM_REPLAY_MODE_ESN for xfrm offload\n");
> + err = -EINVAL;
> + goto error;
> + }
> +
> + cfg->ctrl_word.ena_arw = 0;
> + cfg->ctrl_word.ext_arw = 0;
> + cfg->spi = ntohl(x->id.spi);
> +
> + /* Hash/Authentication */
> + if (x->aalg)
> + trunc_len = x->aalg->alg_trunc_len;
> + else
> + trunc_len = 0;
> +
> + switch (x->props.aalgo) {
> + case SADB_AALG_NONE:
> + if (x->aead) {
> + trunc_len = -1;
> + } else {
> + nn_err(nn, "Unsupported authentication algorithm\n");
> + err = -EINVAL;
> + goto error;
> + }
> + break;
> + case SADB_X_AALG_NULL:
> + cfg->ctrl_word.hash = NFP_IPSEC_HASH_NONE;
> + trunc_len = -1;
> + break;
> + case SADB_AALG_MD5HMAC:
> + if (trunc_len == 96)
> + cfg->ctrl_word.hash = NFP_IPSEC_HASH_MD5_96;
> + else if (trunc_len == 128)
> + cfg->ctrl_word.hash = NFP_IPSEC_HASH_MD5_128;
> + else
> + trunc_len = 0;
> + break;
> + case SADB_AALG_SHA1HMAC:
> + if (trunc_len == 96)
> + cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA1_96;
> + else if (trunc_len == 80)
> + cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA1_80;
> + else
> + trunc_len = 0;
> + break;
> + case SADB_X_AALG_SHA2_256HMAC:
> + if (trunc_len == 96)
> + cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA256_96;
> + else if (trunc_len == 128)
> + cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA256_128;
> + else
> + trunc_len = 0;
> + break;
> + case SADB_X_AALG_SHA2_384HMAC:
> + if (trunc_len == 96)
> + cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA384_96;
> + else if (trunc_len == 192)
> + cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA384_192;
> + else
> + trunc_len = 0;
> + break;
> + case SADB_X_AALG_SHA2_512HMAC:
> + if (trunc_len == 96)
> + cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA512_96;
> + else if (trunc_len == 256)
> + cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA512_256;
> + else
> + trunc_len = 0;
> + break;
> + default:
> + nn_err(nn, "Unsupported authentication algorithm\n");
> + err = -EINVAL;
> + goto error;
> + }
> +
> + if (!trunc_len) {
> + nn_err(nn, "Unsupported authentication algorithm trunc length\n");
> + err = -EINVAL;
> + goto error;
> + }
> +
> + if (x->aalg) {
> + p = (__be32 *)x->aalg->alg_key;
> + key_len = DIV_ROUND_UP(x->aalg->alg_key_len, BITS_PER_BYTE);
> + if (key_len > sizeof(cfg->auth_key)) {
> + nn_err(nn, "Insufficient space for offloaded auth key\n");
> + err = -EINVAL;
> + goto error;
> + }
> + for (i = 0; i < key_len / sizeof(cfg->auth_key[0]) ; i++)
> + cfg->auth_key[i] = ntohl(*p++);
> + }
> + /* Encryption */
> + switch (x->props.ealgo) {
> + case SADB_EALG_NONE:
> + case SADB_EALG_NULL:
> + cfg->ctrl_word.cimode = NFP_IPSEC_CIMODE_CBC;
> + cfg->ctrl_word.cipher = NFP_IPSEC_CIPHER_NULL;
> + break;
> + case SADB_EALG_3DESCBC:
> + cfg->ctrl_word.cimode = NFP_IPSEC_CIMODE_CBC;
> + cfg->ctrl_word.cipher = NFP_IPSEC_CIPHER_3DES;
> + break;
> + case SADB_X_EALG_AES_GCM_ICV16:
> + case SADB_X_EALG_NULL_AES_GMAC:
> + if (!x->aead) {
> + nn_err(nn, "Invalid AES key data\n");
> + err = -EINVAL;
> + goto error;
> + }
> +
> + if (x->aead->alg_icv_len != 128) {
> + nn_err(nn, "ICV must be 128bit with SADB_X_EALG_AES_GCM_ICV16\n");
> + err = -EINVAL;
> + goto error;
> + }
> + cfg->ctrl_word.cimode = NFP_IPSEC_CIMODE_CTR;
> + cfg->ctrl_word.hash = NFP_IPSEC_HASH_GF128_128;
> +
> + /* Aead->alg_key_len includes 32-bit salt */
> + if (set_aes_keylen(cfg, x->props.ealgo, x->aead->alg_key_len - 32)) {
> + nn_err(nn, "Unsupported AES key length %d\n", x->aead->alg_key_len);
> + err = -EINVAL;
> + goto error;
> + }
> + break;
> + case SADB_X_EALG_AESCBC:
> + cfg->ctrl_word.cimode = NFP_IPSEC_CIMODE_CBC;
> + if (!x->ealg) {
> + nn_err(nn, "Invalid AES key data\n");
> + err = -EINVAL;
> + goto error;
> + }
> + if (set_aes_keylen(cfg, x->props.ealgo, x->ealg->alg_key_len) < 0) {
> + nn_err(nn, "Unsupported AES key length %d\n", x->ealg->alg_key_len);
> + err = -EINVAL;
> + goto error;
> + }
> + break;
> + default:
> + nn_err(nn, "Unsupported encryption algorithm for offload\n");
> + err = -EINVAL;
> + goto error;
> + }
> +
> + if (x->aead) {
> + int salt_len = 4;
> +
> + p = (__be32 *)x->aead->alg_key;
> + key_len = DIV_ROUND_UP(x->aead->alg_key_len, BITS_PER_BYTE);
> + key_len -= salt_len;
> +
> + if (key_len > sizeof(cfg->ciph_key)) {
> + nn_err(nn, "Insufficient space for offloaded key\n");
> + err = -EINVAL;
> + goto error;
> + }
> +
> + for (i = 0; i < key_len / sizeof(cfg->ciph_key[0]) ; i++)
> + cfg->ciph_key[i] = ntohl(*p++);
> +
> + /* Load up the salt */
> + for (i = 0; i < salt_len; i++)
> + cfg->auth_key[i] = ntohl(*p++);
> + }
> +
> + if (x->ealg) {
> + p = (__be32 *)x->ealg->alg_key;
> + key_len = DIV_ROUND_UP(x->ealg->alg_key_len, BITS_PER_BYTE);
> +
> + if (key_len > sizeof(cfg->ciph_key)) {
> + nn_err(nn, "Insufficient space for offloaded key\n");
> + err = -EINVAL;
> + goto error;
> + }
> + for (i = 0; i < key_len / sizeof(cfg->ciph_key[0]) ; i++)
> + cfg->ciph_key[i] = ntohl(*p++);
> + }
> + /* IP related info */
> + switch (x->props.family) {
> + case AF_INET:
> + cfg->ipv6 = 0;
> + cfg->src_ip[0] = ntohl(x->props.saddr.a4);
> + cfg->dst_ip[0] = ntohl(x->id.daddr.a4);
> + break;
> + case AF_INET6:
> + cfg->ipv6 = 1;
> + for (i = 0; i < 4; i++) {
> + cfg->src_ip[i] = ntohl(x->props.saddr.a6[i]);
> + cfg->dst_ip[i] = ntohl(x->id.daddr.a6[i]);
> + }
> + break;
> + default:
> + nn_err(nn, "Unsupported address family\n");
> + err = -EINVAL;
> + goto error;
> + }
> +
> + /* Maximum nic ipsec code could handle. Other limits may apply. */
> + cfg->pmtu_limit = 0xffff;
> +
> + /* Host will generate the sequence numbers so that if packets get
> + * fragmented in host, sequence numbers will stay in sync.
> + */
> + cfg->ctrl_word.gen_seq = 0;
> +
> + cfg->ctrl_word.encap_dsbl = 1;
> +
> + /* Sa direction */
> + cfg->ctrl_word.dir = x->xso.dir;
> +
> + /* Allocate saidx and commit the Sa */
> + ipd->sa_free_cnt -= 1;
> + sa_data->invalidated = 0;
> + sa_data->x = x;
> + x->xso.offload_handle = saidx + 1;
> + err = nfp_ipsec_cfg_cmd_issue(nn, NFP_IPSEC_CFG_MSSG_ADD_SA, saidx, &msg);
> + if (err) {
> + nn_err(nn, "Failed to issue ipsec command err ret=%d\n", err);
> + goto error;
> + }
> +
> + mutex_unlock(&ipd->lock);
> +
> + nn_dbg(nn, "Successfully offload saidx %d\n", saidx);
> + return 0;
> +error:
> + if (saidx < 0) {
> + ipd->sa_free_stack[ipd->sa_free_cnt] = saidx;
> + ipd->sa_free_cnt++;
> + }
> + mutex_unlock(&ipd->lock);
> + x->xso.offload_handle = OFFLOAD_HANDLE_ERROR;
If everything is wired correctly, XFRM core won't never call to driver
with invalid state.
The failure here means that state is not crypto offloaded.
> + return err;
> +}
> +
> +static void xfrm_invalidate(struct nfp_net *nn, unsigned int saidx, int is_del)
> +{
> + struct nfp_net_ipsec_data *ipd = nn->ipsec_data;
> + struct nfp_net_ipsec_sa_data *sa_data;
> + struct nfp_ipsec_cfg_mssg msg;
> + int err;
> +
> + sa_data = &ipd->sa_entries[saidx];
> + if (!sa_data->invalidated) {
> + err = nfp_ipsec_cfg_cmd_issue(nn, NFP_IPSEC_CFG_MSSG_INV_SA, saidx, &msg);
> + if (err)
> + nn_warn(nn, "Failed to invalidate SA in hardware\n");
> + sa_data->invalidated = 1;
> + } else if (is_del) {
> + nn_warn(nn, "Unexpected invalidate state for offloaded saidx %d\n", saidx);
You definitely need to clean all these not-possible flows.
> + }
> }
>
> static void nfp_net_xfrm_del_state(struct xfrm_state *x)
> {
> + struct net_device *netdev = x->xso.dev;
> + struct nfp_net_ipsec_data *ipd;
> + struct nfp_net *nn;
> +
> + nn = netdev_priv(netdev);
> + ipd = nn->ipsec_data;
> +
> + nn_dbg(nn, "XFRM del state!\n");
> +
> + if (x->xso.offload_handle == OFFLOAD_HANDLE_ERROR) {
> + nn_err(nn, "Invalid xfrm offload handle\n");
> + return;
> + }
> +
> + mutex_lock(&ipd->lock);
> + xfrm_invalidate(nn, x->xso.offload_handle - 1, 1);
> + mutex_unlock(&ipd->lock);
> }
>
> static void nfp_net_xfrm_free_state(struct xfrm_state *x)
> {
> + struct net_device *netdev = x->xso.dev;
> + struct nfp_net_ipsec_data *ipd;
> + struct nfp_net *nn;
> + int saidx;
> +
> + nn = netdev_priv(netdev);
> + ipd = nn->ipsec_data;
> +
> + nn_dbg(nn, "XFRM free state!\n");
> +
> + if (x->xso.offload_handle == OFFLOAD_HANDLE_ERROR) {
> + nn_err(nn, "Invalid xfrm offload handle\n");
> + return;
> + }
> +
> + mutex_lock(&ipd->lock);
> + saidx = x->xso.offload_handle - 1;
> + xfrm_invalidate(nn, saidx, 0);
> + ipd->sa_entries[saidx].x = NULL;
> + /* Return saidx to free list */
> + ipd->sa_free_stack[ipd->sa_free_cnt] = saidx;
> + ipd->sa_free_cnt++;
> +
> + mutex_unlock(&ipd->lock);
> }
>
> static bool nfp_net_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
> {
> - return false;
> + if (x->props.family == AF_INET) {
> + /* Offload with IPv4 options is not supported yet */
> + if (ip_hdr(skb)->ihl != 5)
> + return false;
> + } else if (x->props.family == AF_INET6) {
> + /* Offload with IPv6 extension headers is not support yet */
> + if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr))
> + return false;
> + } else {
> + return false;
> + }
> +
> + return true;
This return is unreachable.
> }
>
> static const struct xfrmdev_ops nfp_net_ipsec_xfrmdev_ops = {
> diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
> index 040c0c2aad80..0e48e2887278 100644
> --- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
> +++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
> @@ -2375,6 +2375,12 @@ static void nfp_net_netdev_init(struct nfp_net *nn)
> }
> if (nn->cap & NFP_NET_CFG_CTRL_RSS_ANY)
> netdev->hw_features |= NETIF_F_RXHASH;
> +
> +#ifdef CONFIG_NFP_NET_IPSEC
> + if (nn->cap_w1 & NFP_NET_CFG_CTRL_IPSEC)
> + netdev->hw_features |= NETIF_F_HW_ESP | NETIF_F_HW_ESP_TX_CSUM;
> +#endif
> +
> if (nn->cap & NFP_NET_CFG_CTRL_VXLAN) {
> if (nn->cap & NFP_NET_CFG_CTRL_LSO) {
> netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL |
> diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_ctrl.h b/drivers/net/ethernet/netronome/nfp/nfp_net_ctrl.h
> index fff05496152d..b7e62d1186ca 100644
> --- a/drivers/net/ethernet/netronome/nfp/nfp_net_ctrl.h
> +++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ctrl.h
> @@ -399,14 +399,14 @@
> */
> #define NFP_NET_CFG_MBOX_BASE 0x1800
> #define NFP_NET_CFG_MBOX_VAL_MAX_SZ 0x1F8
> -
> +#define NFP_NET_CFG_MBOX_VAL 0x1808
> #define NFP_NET_CFG_MBOX_SIMPLE_CMD 0x0
> #define NFP_NET_CFG_MBOX_SIMPLE_RET 0x4
> #define NFP_NET_CFG_MBOX_SIMPLE_VAL 0x8
>
> #define NFP_NET_CFG_MBOX_CMD_CTAG_FILTER_ADD 1
> #define NFP_NET_CFG_MBOX_CMD_CTAG_FILTER_KILL 2
> -
> +#define NFP_NET_CFG_MBOX_CMD_IPSEC 3
> #define NFP_NET_CFG_MBOX_CMD_PCI_DSCP_PRIOMAP_SET 5
> #define NFP_NET_CFG_MBOX_CMD_TLV_CMSG 6
>
> --
> 2.30.2
>
Powered by blists - more mailing lists