Message-ID: <20240905074928.GR4026@unreal>
Date: Thu, 5 Sep 2024 10:49:28 +0300
From: Leon Romanovsky <leon@...nel.org>
To: Feng Wang <wangfe@...gle.com>
Cc: Steffen Klassert <steffen.klassert@...unet.com>, netdev@...r.kernel.org,
	antony.antony@...unet.com
Subject: Re: [PATCH] xfrm: add SA information to the offloaded packet

On Wed, Sep 04, 2024 at 10:41:38AM -0700, Feng Wang wrote:
> Hi Leon,
> 
> I'm looking at the MLX5 driver to understand how the SA information is
> used. In mlx5e_ipsec_handle_tx_skb(), it appears we might leverage the
> current MLX5 implementation to verify the xfrm id.
> https://elixir.bootlin.com/linux/v6.10/source/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_rxtx.c#L271
> 
> During the mlx5e_xfrm_add_state() function, the xfrm ID (x->if_id) is
> passed to the driver along with the associated xfrm_state pointer.
> Therefore, by checking the if_id within the skb tx function like
> mlx5e_ipsec_handle_tx_skb(), we should be able to demonstrate the use
> case effectively.
> 
> What’s your opinion?

Packet offloaded packets don't pass mlx5e_ipsec_handle_tx_skb() because SKB is
treated as plain text and not encrypted.

In order to support this feature in mlx5, you will need to do two things:
1. Create a rule which matches x->if_id in mlx5 flow steering, while
creating SAs (see tx_add_rule()->setup_fte_reg_a()).

This register is used in the transmit steering tables, and is loaded with
the value of flow_table_metadata field in the Ethernet Segment of the WQE.

2. Set x->if_id from SKB in flow_table_metadata to allow HW to catch
these packets. It means changing the mlx5e datapath to set this value from
the SKB.

The first item is easy, just move setup_fte_reg_a() to the right place,
but the second one is more complex, as the whole packet offload assumption
is that we are working with plain text packets.

I'm not even talking about eswitch mode, which will bring more
complexity.

Thanks

> 
> Thanks for your help.
> 
> Feng
