lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f96ad9b0297a71e708481cb40954fc848709e024.camel@nvidia.com>
Date: Fri, 11 Jul 2025 12:59:18 +0000
From: Cosmin Ratiu <cratiu@...dia.com>
To: "corbet@....net" <corbet@....net>, "andrew+netdev@...n.ch"
	<andrew+netdev@...n.ch>, "davem@...emloft.net" <davem@...emloft.net>,
	"kuba@...nel.org" <kuba@...nel.org>, "horms@...nel.org" <horms@...nel.org>,
	"daniel.zahka@...il.com" <daniel.zahka@...il.com>, "edumazet@...gle.com"
	<edumazet@...gle.com>, "donald.hunter@...il.com" <donald.hunter@...il.com>,
	"pabeni@...hat.com" <pabeni@...hat.com>
CC: Boris Pismenny <borisp@...dia.com>, Jianbo Liu <jianbol@...dia.com>,
	"aleksander.lobakin@...el.com" <aleksander.lobakin@...el.com>,
	"kuniyu@...gle.com" <kuniyu@...gle.com>, "leon@...nel.org" <leon@...nel.org>,
	"toke@...hat.com" <toke@...hat.com>, Rahul Rameshbabu
	<rrameshbabu@...dia.com>, "willemb@...gle.com" <willemb@...gle.com>, Raed
 Salem <raeds@...dia.com>, Dragos Tatulea <dtatulea@...dia.com>,
	"ncardwell@...gle.com" <ncardwell@...gle.com>, "dsahern@...nel.org"
	<dsahern@...nel.org>, "sdf@...ichev.me" <sdf@...ichev.me>, Saeed Mahameed
	<saeedm@...dia.com>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, Tariq
 Toukan <tariqt@...dia.com>, Patrisious Haddad <phaddad@...dia.com>,
	"jacob.e.keller@...el.com" <jacob.e.keller@...el.com>
Subject: Re: [PATCH v3 15/19] net/mlx5e: Add PSP steering in local NIC RX

On Wed, 2025-07-02 at 10:13 -0700, Daniel Zahka wrote:
> From: Raed Salem <raeds@...dia.com>
> 
> Introduce decrypt FT, the RX error FT, and the default rules.
> 
> The PSP (PSP) RX decrypt flow table is pointed by the TTC
> (Traffic Type Classifier) UDP steering rules.
> The decrypt flow table has two flow groups. The first flow group
> keeps the decrypt steering rule programmed always when PSP packet is
> recognized using the dedicated udp destination port number 1000, if
> packet is decrypted then a PSP marker is set in metadata_regB[30].
> The second flow group has a default rule to forward all non-offloaded
> PSP packet to the TTC UDP default RSS TIR.
> 
> The RX error flow table is the destination of the decrypt steering
> rules in
> the PSP RX decrypt flow table. It has two fixed rule one with single
> copy
> action that copies psp_syndrome to metadata_regB[23:29]. The PSP
> marker
> and syndrome is used to filter out non-psp packet and to return the
> PSP
> crypto offload status in Rx flow. The marker is used to identify such
> packet in driver so the driver could set SKB PSP metadata. The
> destination
> of RX error flow table is the TTC UDP default RSS TIR. The second
> rule will
> drop packets that failed to be decrypted (like in case illegal SPI or
> expired SPI is used).
> 
> Signed-off-by: Raed Salem <raeds@...dia.com>
> Signed-off-by: Rahul Rameshbabu <rrameshbabu@...dia.com>
> Signed-off-by: Daniel Zahka <daniel.zahka@...il.com>
> ---
> 
> Notes:
>     v1:
>     -
> https://lore.kernel.org/netdev/20240510030435.120935-13-kuba@kernel.org/
> 
>  .../net/ethernet/mellanox/mlx5/core/en/fs.h   |   2 +-
>  .../mellanox/mlx5/core/en_accel/psp_fs.c      | 481
> +++++++++++++++++-
>  2 files changed, 476 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h
> b/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h
> index b5c3a2a9d2a5..35a7b2af83d9 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h
> @@ -83,7 +83,7 @@ enum {
>  #ifdef CONFIG_MLX5_EN_ARFS
>  	MLX5E_ARFS_FT_LEVEL = MLX5E_INNER_TTC_FT_LEVEL + 1,
>  #endif
> -#ifdef CONFIG_MLX5_EN_IPSEC
> +#if defined(CONFIG_MLX5_EN_IPSEC) || defined(CONFIG_MLX5_EN_PSP)
>  	MLX5E_ACCEL_FS_ESP_FT_LEVEL = MLX5E_INNER_TTC_FT_LEVEL + 1,
>  	MLX5E_ACCEL_FS_ESP_FT_ERR_LEVEL,
>  	MLX5E_ACCEL_FS_POL_FT_LEVEL,
> diff --git
> a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_fs.c
> b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_fs.c
> index cabbc8f0d84a..789d4373c1ad 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_fs.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_fs.c
> @@ -8,6 +8,12 @@
>  #include "en_accel/psp_fs.h"
>  #include "en_accel/psp.h"
>  
> +enum accel_fs_psp_type {
> +	ACCEL_FS_PSP4,
> +	ACCEL_FS_PSP6,
> +	ACCEL_FS_PSP_NUM_TYPES,
> +};
> +
>  struct mlx5e_psp_tx {
>  	struct mlx5_flow_namespace *ns;
>  	struct mlx5_flow_table *ft;
> @@ -17,14 +23,15 @@ struct mlx5e_psp_tx {
>  	u32 refcnt;
>  };
>  
> -struct mlx5e_psp_fs {
> -	struct mlx5_core_dev *mdev;
> -	struct mlx5e_psp_tx *tx_fs;
> -	struct mlx5e_flow_steering *fs;
> -};
> -
>  enum accel_psp_rule_action {
>  	ACCEL_PSP_RULE_ACTION_ENCRYPT,
> +	ACCEL_PSP_RULE_ACTION_DECRYPT,
> +};
> +
> +enum accel_psp_syndrome {
> +	PSP_OK = 0,
> +	PSP_ICV_FAIL,
> +	PSP_BAD_TRAILER,
>  };
>  
>  struct mlx5e_accel_psp_rule {
> @@ -32,6 +39,216 @@ struct mlx5e_accel_psp_rule {
>  	u8 action;
>  };
>  
> +struct mlx5e_psp_rx_err {
> +	struct mlx5_flow_table *ft;
> +	struct mlx5_flow_handle *rule;
> +	struct mlx5_flow_handle *drop_rule;
> +	struct mlx5_modify_hdr *copy_modify_hdr;
> +};
> +
> +struct mlx5e_accel_fs_psp_prot {
> +	struct mlx5_flow_table *ft;
> +	struct mlx5_flow_group *miss_group;
> +	struct mlx5_flow_handle *miss_rule;
> +	struct mlx5_flow_destination default_dest;
> +	struct mlx5e_psp_rx_err rx_err;
> +	u32 refcnt;
> +	struct mutex prot_mutex; /* protect ESP4/ESP6 protocol */
> +	struct mlx5_flow_handle *def_rule;
> +};
> +
> +struct mlx5e_accel_fs_psp {
> +	struct mlx5e_accel_fs_psp_prot
> fs_prot[ACCEL_FS_PSP_NUM_TYPES];
> +};
> +
> +struct mlx5e_psp_fs {
> +	struct mlx5_core_dev *mdev;
> +	struct mlx5e_psp_tx *tx_fs;
> +	/* Rx manage */
> +	struct mlx5e_flow_steering *fs;
> +	struct mlx5e_accel_fs_psp *rx_fs;
> +};
> +
> +/* PSP RX flow steering */
> +static enum mlx5_traffic_types fs_psp2tt(enum accel_fs_psp_type i)
> +{
> +	if (i == ACCEL_FS_PSP4)
> +		return MLX5_TT_IPV4_UDP;
> +
> +	return MLX5_TT_IPV6_UDP;
> +}
> +
> +static void accel_psp_fs_rx_err_del_rules(struct mlx5e_psp_fs *fs,
> +					  struct mlx5e_psp_rx_err
> *rx_err)
> +{
> +	if (rx_err->drop_rule) {
> +		mlx5_del_flow_rules(rx_err->drop_rule);
> +		rx_err->drop_rule = NULL;
> +	}
> +
> +	if (rx_err->rule) {
> +		mlx5_del_flow_rules(rx_err->rule);
> +		rx_err->rule = NULL;
> +	}
> +
> +	if (rx_err->copy_modify_hdr) {
> +		mlx5_modify_header_dealloc(fs->mdev, rx_err-
> >copy_modify_hdr);
> +		rx_err->copy_modify_hdr = NULL;
> +	}
> +}
> +
> +static void accel_psp_fs_rx_err_destroy_ft(struct mlx5e_psp_fs *fs,
> +					   struct mlx5e_psp_rx_err
> *rx_err)
> +{
> +	accel_psp_fs_rx_err_del_rules(fs, rx_err);
> +
> +	if (rx_err->ft) {
> +		mlx5_destroy_flow_table(rx_err->ft);
> +		rx_err->ft = NULL;
> +	}
> +}
> +
> +static void accel_psp_setup_syndrome_match(struct mlx5_flow_spec
> *spec,
> +					   enum accel_psp_syndrome
> syndrome)
> +{
> +	void *misc_params_2;
> +
> +	spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS_2;
> +	misc_params_2 = MLX5_ADDR_OF(fte_match_param, spec-
> >match_criteria, misc_parameters_2);
> +	MLX5_SET_TO_ONES(fte_match_set_misc2, misc_params_2,
> psp_syndrome);
> +	misc_params_2 = MLX5_ADDR_OF(fte_match_param, spec-
> >match_value, misc_parameters_2);
> +	MLX5_SET(fte_match_set_misc2, misc_params_2, psp_syndrome,
> syndrome);
> +}
> +
> +static int accel_psp_fs_rx_err_add_rule(struct mlx5e_psp_fs *fs,
> +					struct
> mlx5e_accel_fs_psp_prot *fs_prot,
> +					struct mlx5e_psp_rx_err
> *rx_err)
> +{
> +	u8 action[MLX5_UN_SZ_BYTES(set_add_copy_action_in_auto)] =
> {};
> +	struct mlx5_core_dev *mdev = fs->mdev;
> +	struct mlx5_flow_act flow_act = {};
> +	struct mlx5_modify_hdr *modify_hdr;
> +	struct mlx5_flow_handle *fte;
> +	struct mlx5_flow_spec *spec;
> +	int err = 0;
> +
> +	spec = kzalloc(sizeof(*spec), GFP_KERNEL);
> +	if (!spec)
> +		return -ENOMEM;
> +
> +	/* Action to copy 7 bit psp_syndrome to regB[23:29] */
> +	MLX5_SET(copy_action_in, action, action_type,
> MLX5_ACTION_TYPE_COPY);
> +	MLX5_SET(copy_action_in, action, src_field,
> MLX5_ACTION_IN_FIELD_PSP_SYNDROME);
> +	MLX5_SET(copy_action_in, action, src_offset, 0);
> +	MLX5_SET(copy_action_in, action, length, 7);
> +	MLX5_SET(copy_action_in, action, dst_field,
> MLX5_ACTION_IN_FIELD_METADATA_REG_B);
> +	MLX5_SET(copy_action_in, action, dst_offset, 23);
> +
> +	modify_hdr = mlx5_modify_header_alloc(mdev,
> MLX5_FLOW_NAMESPACE_KERNEL,
> +					      1, action);
> +	if (IS_ERR(modify_hdr)) {
> +		err = PTR_ERR(modify_hdr);
> +		mlx5_core_err(mdev,
> +			      "fail to alloc psp copy
> modify_header_id err=%d\n", err);
> +		goto out_spec;
> +	}
> +
> +	accel_psp_setup_syndrome_match(spec, PSP_OK);
> +	/* create fte */
> +	flow_act.action = MLX5_FLOW_CONTEXT_ACTION_MOD_HDR |
> +		MLX5_FLOW_CONTEXT_ACTION_FWD_DEST;
> +	flow_act.modify_hdr = modify_hdr;
> +	fte = mlx5_add_flow_rules(rx_err->ft, spec, &flow_act,
> +				  &fs_prot->default_dest, 1);
> +	if (IS_ERR(fte)) {
> +		err = PTR_ERR(fte);
> +		mlx5_core_err(mdev, "fail to add psp rx err copy
> rule err=%d\n", err);
> +		goto out;
> +	}
> +	rx_err->rule = fte;
> +
> +	/* add default drop rule */
> +	memset(spec, 0, sizeof(*spec));
> +	memset(&flow_act, 0, sizeof(flow_act));
> +	/* create fte */
> +	flow_act.action = MLX5_FLOW_CONTEXT_ACTION_DROP;
> +	fte = mlx5_add_flow_rules(rx_err->ft, spec, &flow_act, NULL,
> 0);
> +	if (IS_ERR(fte)) {
> +		err = PTR_ERR(fte);
> +		mlx5_core_err(mdev, "fail to add psp rx err drop
> rule err=%d\n", err);
> +		goto out_drop_rule;
> +	}
> +	rx_err->drop_rule = fte;
> +	rx_err->copy_modify_hdr = modify_hdr;
> +
> +	goto out_spec;
> +
> +out_drop_rule:
> +	mlx5_del_flow_rules(rx_err->rule);
> +	rx_err->rule = NULL;
> +out:
> +	mlx5_modify_header_dealloc(mdev, modify_hdr);
> +out_spec:
> +	kfree(spec);
> +	return err;
> +}
> +
> +static int accel_psp_fs_rx_err_create_ft(struct mlx5e_psp_fs *fs,
> +					 struct
> mlx5e_accel_fs_psp_prot *fs_prot,
> +					 struct mlx5e_psp_rx_err
> *rx_err)
> +{
> +	struct mlx5_flow_namespace *ns = mlx5e_fs_get_ns(fs->fs,
> false);
> +	struct mlx5_flow_table_attr ft_attr = {};
> +	struct mlx5_flow_table *ft;
> +	int err;
> +
> +	ft_attr.max_fte = 2;
> +	ft_attr.autogroup.max_num_groups = 2;
> +	ft_attr.level = MLX5E_ACCEL_FS_ESP_FT_ERR_LEVEL; //
> MLX5E_ACCEL_FS_TCP_FT_LEVEL
> +	ft_attr.prio = MLX5E_NIC_PRIO;
> +	ft = mlx5_create_auto_grouped_flow_table(ns, &ft_attr);
> +	if (IS_ERR(ft)) {
> +		err = PTR_ERR(ft);
> +		mlx5_core_err(fs->mdev, "fail to create psp rx
> inline ft err=%d\n", err);
> +		return err;
> +	}
> +
> +	rx_err->ft = ft;
> +	err = accel_psp_fs_rx_err_add_rule(fs, fs_prot, rx_err);
> +	if (err)
> +		goto out_err;
> +
> +	return 0;
> +
> +out_err:
> +	mlx5_destroy_flow_table(ft);
> +	rx_err->ft = NULL;
> +	return err;
> +}
> +
> +static void accel_psp_fs_rx_fs_destroy(struct
> mlx5e_accel_fs_psp_prot *fs_prot)
> +{
> +	if (fs_prot->def_rule) {
> +		mlx5_del_flow_rules(fs_prot->def_rule);
> +		fs_prot->def_rule = NULL;
> +	}
> +
> +	if (fs_prot->miss_rule) {
> +		mlx5_del_flow_rules(fs_prot->miss_rule);
> +		fs_prot->miss_rule = NULL;
> +	}
> +
> +	if (fs_prot->miss_group) {
> +		mlx5_destroy_flow_group(fs_prot->miss_group);
> +		fs_prot->miss_group = NULL;
> +	}
> +
> +	if (fs_prot->ft) {
> +		mlx5_destroy_flow_table(fs_prot->ft);
> +		fs_prot->ft = NULL;
> +	}
> +}
> +
>  static void setup_fte_udp_psp(struct mlx5_flow_spec *spec, u16
> udp_port)
>  {
>  	spec->match_criteria_enable |= MLX5_MATCH_OUTER_HEADERS;
> @@ -41,6 +258,251 @@ static void setup_fte_udp_psp(struct
> mlx5_flow_spec *spec, u16 udp_port)
>  	MLX5_SET(fte_match_set_lyr_2_4, spec->match_value,
> ip_protocol, IPPROTO_UDP);
>  }
>  
> +static int accel_psp_fs_rx_create_ft(struct mlx5e_psp_fs *fs,
> +				     struct mlx5e_accel_fs_psp_prot
> *fs_prot)
> +{
> +	struct mlx5_flow_namespace *ns = mlx5e_fs_get_ns(fs->fs,
> false);
> +	u8 action[MLX5_UN_SZ_BYTES(set_add_copy_action_in_auto)] =
> {};
> +	int inlen = MLX5_ST_SZ_BYTES(create_flow_group_in);
> +	struct mlx5_modify_hdr *modify_hdr = NULL;
> +	struct mlx5_flow_table_attr ft_attr = {};
> +	struct mlx5_flow_destination dest = {};
> +	struct mlx5_core_dev *mdev = fs->mdev;
> +	struct mlx5_flow_group *miss_group;
> +	MLX5_DECLARE_FLOW_ACT(flow_act);
> +	struct mlx5_flow_handle *rule;
> +	struct mlx5_flow_spec *spec;
> +	struct mlx5_flow_table *ft;
> +	u32 *flow_group_in;
> +	int err = 0;
> +
> +	flow_group_in = kvzalloc(inlen, GFP_KERNEL);
> +	spec = kvzalloc(sizeof(*spec), GFP_KERNEL);
> +	if (!flow_group_in || !spec) {
> +		err = -ENOMEM;
> +		goto out;
> +	}
> +
> +	/* Create FT */
> +	ft_attr.max_fte = 2;
> +	ft_attr.level = MLX5E_ACCEL_FS_ESP_FT_LEVEL;
> +	ft_attr.prio = MLX5E_NIC_PRIO;
> +	ft_attr.autogroup.num_reserved_entries = 1;
> +	ft_attr.autogroup.max_num_groups = 1;
> +	ft = mlx5_create_auto_grouped_flow_table(ns, &ft_attr);
> +	if (IS_ERR(ft)) {
> +		err = PTR_ERR(ft);
> +		mlx5_core_err(mdev, "fail to create psp rx ft
> err=%d\n", err);
> +		goto out_err;
> +	}
> +	fs_prot->ft = ft;
> +
> +	/* Create miss_group */
> +	MLX5_SET(create_flow_group_in, flow_group_in,
> start_flow_index, ft->max_fte - 1);
> +	MLX5_SET(create_flow_group_in, flow_group_in,
> end_flow_index, ft->max_fte - 1);
> +	miss_group = mlx5_create_flow_group(ft, flow_group_in);
> +	if (IS_ERR(miss_group)) {
> +		err = PTR_ERR(miss_group);
> +		mlx5_core_err(mdev, "fail to create psp rx
> miss_group err=%d\n", err);
> +		goto out_err;
> +	}
> +	fs_prot->miss_group = miss_group;
> +
> +	/* Create miss rule */
> +	rule = mlx5_add_flow_rules(ft, spec, &flow_act, &fs_prot-
> >default_dest, 1);
> +	if (IS_ERR(rule)) {
> +		err = PTR_ERR(rule);
> +		mlx5_core_err(mdev, "fail to create psp rx miss_rule
> err=%d\n", err);
> +		goto out_err;
> +	}
> +	fs_prot->miss_rule = rule;
> +
> +	/* Add default Rx psp rule */
> +	setup_fte_udp_psp(spec, PSP_DEFAULT_UDP_PORT);
> +	flow_act.crypto.type =
> MLX5_FLOW_CONTEXT_ENCRYPT_DECRYPT_TYPE_PSP;
> +	/* Set bit[31, 30] PSP marker */
> +	/* Set bit[29-23] psp_syndrome is set in error FT */
> +#define MLX5E_PSP_MARKER_BIT (BIT(30) | BIT(31))
> +	MLX5_SET(set_action_in, action, action_type,
> MLX5_ACTION_TYPE_SET);
> +	MLX5_SET(set_action_in, action, field,
> MLX5_ACTION_IN_FIELD_METADATA_REG_B);
> +	MLX5_SET(set_action_in, action, data, MLX5E_PSP_MARKER_BIT);
> +	MLX5_SET(set_action_in, action, offset, 0);
> +	MLX5_SET(set_action_in, action, length, 32);
> +
> +	modify_hdr = mlx5_modify_header_alloc(mdev,
> MLX5_FLOW_NAMESPACE_KERNEL, 1, action);
> +	if (IS_ERR(modify_hdr)) {
> +		err = PTR_ERR(modify_hdr);
> +		mlx5_core_err(mdev, "fail to alloc psp set
> modify_header_id err=%d\n", err);
> +		modify_hdr = NULL;
> +		goto out_err;
> +	}
> +
> +	flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST |
> +			  MLX5_FLOW_CONTEXT_ACTION_CRYPTO_DECRYPT |
> +			  MLX5_FLOW_CONTEXT_ACTION_MOD_HDR;
> +	flow_act.modify_hdr = modify_hdr;
> +	dest.type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE;
> +	dest.ft = fs_prot->rx_err.ft;
> +	rule = mlx5_add_flow_rules(fs_prot->ft, spec, &flow_act,
> &dest, 1);
> +	if (IS_ERR(rule)) {
> +		err = PTR_ERR(rule);
> +		mlx5_core_err(mdev,
> +			      "fail to add psp rule Rx dycrption,
> err=%d, flow_act.action = %#04X\n",

Nit: Typo here, s/dycrption/decryption/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ