| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Mar 2023 11:01:47 +0300
From: Leon Romanovsky <leon@...nel.org>
To: Dima Chumak <dchumak@...dia.com>
Cc: Jakub Kicinski <kuba@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>, Jiri Pirko <jiri@...nulli.us>,
Saeed Mahameed <saeedm@...dia.com>, netdev@...r.kernel.org,
Jiri Pirko <jiri@...dia.com>
Subject: Re: [PATCH net-next 2/4] net/mlx5: Implement devlink port function
cmds to control ipsec_crypto
On Thu, Mar 23, 2023 at 01:10:57PM +0200, Dima Chumak wrote:
> Implement devlink port function commands to enable / disable IPsec
> crypto offloads. This is used to control the IPsec capability of the
> device.
>
> When ipsec_crypto is enabled for a VF, it prevents adding IPsec crypto
> offloads on the PF, because the two cannot be active simultaneously due
> to HW constraints. Conversely, if there are any active IPsec crypto
> offloads on the PF, it's not allowed to enable ipsec_crypto on a VF,
> until PF IPsec offloads are cleared.
>
> Signed-off-by: Dima Chumak <dchumak@...dia.com>
> Reviewed-by: Jiri Pirko <jiri@...dia.com>
> ---
> .../ethernet/mellanox/mlx5/switchdev.rst | 8 +
> .../net/ethernet/mellanox/mlx5/core/Makefile | 2 +-
> .../net/ethernet/mellanox/mlx5/core/devlink.c | 2 +
> .../mellanox/mlx5/core/en_accel/ipsec.c | 18 ++
> .../ethernet/mellanox/mlx5/core/esw/ipsec.c | 271 ++++++++++++++++++
> .../net/ethernet/mellanox/mlx5/core/eswitch.c | 29 ++
> .../net/ethernet/mellanox/mlx5/core/eswitch.h | 20 ++
> .../mellanox/mlx5/core/eswitch_offloads.c | 100 +++++++
> .../ethernet/mellanox/mlx5/core/lib/ipsec.h | 41 +++
> include/linux/mlx5/driver.h | 1 +
> include/linux/mlx5/mlx5_ifc.h | 3 +
> 11 files changed, 494 insertions(+), 1 deletion(-)
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec.c
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/lib/ipsec.h
<...>
> +static int esw_ipsec_vf_query(struct mlx5_core_dev *dev, struct mlx5_vport *vport, bool *crypto)
> +{
> + int query_sz = MLX5_ST_SZ_BYTES(query_hca_cap_out);
> + void *hca_cap = NULL, *query_cap = NULL;
> + bool ipsec_enabled;
> + int err;
> +
> + /* Querying IPsec caps only makes sense when generic ipsec_offload
> + * HCA cap is enabled
> + */
> + err = esw_ipsec_vf_query_generic(dev, vport->index, &ipsec_enabled);
> + if (err)
> + return err;
> + if (!ipsec_enabled) {
> + *crypto = false;
> + return 0;
> + }
> +
> + query_cap = kvzalloc(query_sz, GFP_KERNEL);
> + if (!query_cap)
> + return -ENOMEM;
> +
> + err = mlx5_vport_get_other_func_cap(dev, vport->index, query_cap, MLX5_CAP_IPSEC);
> + if (err)
> + goto out;
> +
> + hca_cap = MLX5_ADDR_OF(query_hca_cap_out, query_cap, capability);
> + *crypto = MLX5_GET(ipsec_cap, hca_cap, ipsec_crypto_offload);
This is very optimistic check to decide if crypto is supported/enabled or not.
Take a look on mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev)
implementation to take into account other capabilities too:
https://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git/tree/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c?h=wip/leon-for-next#n13
It will be nice if you can reuse existing MLX5_IPSEC_CAP_* enum andextend existing
mlx5_ipsec_device_caps() to query other vports.
Thanks
Powered by blists - more mailing lists