1 /*
2 * Copyright (c) 2017 Mellanox Technologies. All rights reserved.
3 *
4 * This software is available to you under a choice of one of two
5 * licenses. You may choose to be licensed under the terms of the GNU
6 * General Public License (GPL) Version 2, available from the file
7 * COPYING in the main directory of this source tree, or the
8 * OpenIB.org BSD license below:
9 *
10 * Redistribution and use in source and binary forms, with or
11 * without modification, are permitted provided that the following
12 * conditions are met:
13 *
14 * - Redistributions of source code must retain the above
15 * copyright notice, this list of conditions and the following
16 * disclaimer.
17 *
18 * - Redistributions in binary form must reproduce the above
19 * copyright notice, this list of conditions and the following
20 * disclaimer in the documentation and/or other materials
21 * provided with the distribution.
22 *
23 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
24 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
25 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
26 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
27 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
28 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
29 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
30 * SOFTWARE.
31 *
32 */
33
34 #include <crypto/internal/geniv.h>
35 #include <crypto/aead.h>
36 #include <linux/inetdevice.h>
37 #include <linux/netdevice.h>
38 #include <net/netevent.h>
39
40 #include "en.h"
41 #include "eswitch.h"
42 #include "ipsec.h"
43 #include "ipsec_rxtx.h"
44 #include "en_rep.h"
45
46 #define MLX5_IPSEC_RESCHED msecs_to_jiffies(1000)
47 #define MLX5E_IPSEC_TUNNEL_SA XA_MARK_1
48
to_ipsec_sa_entry(struct xfrm_state * x)49 static struct mlx5e_ipsec_sa_entry *to_ipsec_sa_entry(struct xfrm_state *x)
50 {
51 return (struct mlx5e_ipsec_sa_entry *)x->xso.offload_handle;
52 }
53
to_ipsec_pol_entry(struct xfrm_policy * x)54 static struct mlx5e_ipsec_pol_entry *to_ipsec_pol_entry(struct xfrm_policy *x)
55 {
56 return (struct mlx5e_ipsec_pol_entry *)x->xdo.offload_handle;
57 }
58
mlx5e_ipsec_handle_tx_limit(struct work_struct * _work)59 static void mlx5e_ipsec_handle_tx_limit(struct work_struct *_work)
60 {
61 struct mlx5e_ipsec_dwork *dwork =
62 container_of(_work, struct mlx5e_ipsec_dwork, dwork.work);
63 struct mlx5e_ipsec_sa_entry *sa_entry = dwork->sa_entry;
64 struct xfrm_state *x = sa_entry->x;
65
66 if (sa_entry->attrs.drop)
67 return;
68
69 spin_lock_bh(&x->lock);
70 if (x->km.state == XFRM_STATE_EXPIRED) {
71 sa_entry->attrs.drop = true;
72 spin_unlock_bh(&x->lock);
73
74 mlx5e_accel_ipsec_fs_modify(sa_entry);
75 return;
76 }
77
78 if (x->km.state != XFRM_STATE_VALID) {
79 spin_unlock_bh(&x->lock);
80 return;
81 }
82
83 xfrm_state_check_expire(x);
84 spin_unlock_bh(&x->lock);
85
86 queue_delayed_work(sa_entry->ipsec->wq, &dwork->dwork,
87 MLX5_IPSEC_RESCHED);
88 }
89
mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry * sa_entry)90 static bool mlx5e_ipsec_update_esn_state(struct mlx5e_ipsec_sa_entry *sa_entry)
91 {
92 struct xfrm_state *x = sa_entry->x;
93 u32 seq_bottom = 0;
94 u32 esn, esn_msb;
95 u8 overlap;
96
97 switch (x->xso.type) {
98 case XFRM_DEV_OFFLOAD_PACKET:
99 switch (x->xso.dir) {
100 case XFRM_DEV_OFFLOAD_IN:
101 esn = x->replay_esn->seq;
102 esn_msb = x->replay_esn->seq_hi;
103 break;
104 case XFRM_DEV_OFFLOAD_OUT:
105 esn = x->replay_esn->oseq;
106 esn_msb = x->replay_esn->oseq_hi;
107 break;
108 default:
109 WARN_ON(true);
110 return false;
111 }
112 break;
113 case XFRM_DEV_OFFLOAD_CRYPTO:
114 /* Already parsed by XFRM core */
115 esn = x->replay_esn->seq;
116 break;
117 default:
118 WARN_ON(true);
119 return false;
120 }
121
122 overlap = sa_entry->esn_state.overlap;
123
124 if (esn >= x->replay_esn->replay_window)
125 seq_bottom = esn - x->replay_esn->replay_window + 1;
126
127 if (x->xso.type == XFRM_DEV_OFFLOAD_CRYPTO)
128 esn_msb = xfrm_replay_seqhi(x, htonl(seq_bottom));
129
130 if (sa_entry->esn_state.esn_msb)
131 sa_entry->esn_state.esn = esn;
132 else
133 /* According to RFC4303, section "3.3.3. Sequence Number Generation",
134 * the first packet sent using a given SA will contain a sequence
135 * number of 1.
136 */
137 sa_entry->esn_state.esn = max_t(u32, esn, 1);
138 sa_entry->esn_state.esn_msb = esn_msb;
139
140 if (unlikely(overlap && seq_bottom < MLX5E_IPSEC_ESN_SCOPE_MID)) {
141 sa_entry->esn_state.overlap = 0;
142 return true;
143 } else if (unlikely(!overlap &&
144 (seq_bottom >= MLX5E_IPSEC_ESN_SCOPE_MID))) {
145 sa_entry->esn_state.overlap = 1;
146 return true;
147 }
148
149 return false;
150 }
151
mlx5e_ipsec_init_limits(struct mlx5e_ipsec_sa_entry * sa_entry,struct mlx5_accel_esp_xfrm_attrs * attrs)152 static void mlx5e_ipsec_init_limits(struct mlx5e_ipsec_sa_entry *sa_entry,
153 struct mlx5_accel_esp_xfrm_attrs *attrs)
154 {
155 struct xfrm_state *x = sa_entry->x;
156 s64 start_value, n;
157
158 attrs->lft.hard_packet_limit = x->lft.hard_packet_limit;
159 attrs->lft.soft_packet_limit = x->lft.soft_packet_limit;
160 if (x->lft.soft_packet_limit == XFRM_INF)
161 return;
162
163 /* Compute hard limit initial value and number of rounds.
164 *
165 * The counting pattern of hardware counter goes:
166 * value -> 2^31-1
167 * 2^31 | (2^31-1) -> 2^31-1
168 * 2^31 | (2^31-1) -> 2^31-1
169 * [..]
170 * 2^31 | (2^31-1) -> 0
171 *
172 * The pattern is created by using an ASO operation to atomically set
173 * bit 31 after the down counter clears bit 31. This is effectively an
174 * atomic addition of 2**31 to the counter.
175 *
176 * We wish to configure the counter, within the above pattern, so that
177 * when it reaches 0, it has hit the hard limit. This is defined by this
178 * system of equations:
179 *
180 * hard_limit == start_value + n * 2^31
181 * n >= 0
182 * start_value < 2^32, start_value >= 0
183 *
184 * These equations are not single-solution, there are often two choices:
185 * hard_limit == start_value + n * 2^31
186 * hard_limit == (start_value+2^31) + (n-1) * 2^31
187 *
188 * The algorithm selects the solution that keeps the counter value
189 * above 2^31 until the final iteration.
190 */
191
192 /* Start by estimating n and compute start_value */
193 n = attrs->lft.hard_packet_limit / BIT_ULL(31);
194 start_value = attrs->lft.hard_packet_limit - n * BIT_ULL(31);
195
196 /* Choose the best of the two solutions: */
197 if (n >= 1)
198 n -= 1;
199
200 /* Computed values solve the system of equations: */
201 start_value = attrs->lft.hard_packet_limit - n * BIT_ULL(31);
202
203 /* The best solution means: when there are multiple iterations we must
204 * start above 2^31 and count down to 2**31 to get the interrupt.
205 */
206 attrs->lft.hard_packet_limit = lower_32_bits(start_value);
207 attrs->lft.numb_rounds_hard = (u64)n;
208
209 /* Compute soft limit initial value and number of rounds.
210 *
211 * The soft_limit is achieved by adjusting the counter's
212 * interrupt_value. This is embedded in the counting pattern created by
213 * hard packet calculations above.
214 *
215 * We wish to compute the interrupt_value for the soft_limit. This is
216 * defined by this system of equations:
217 *
218 * soft_limit == start_value - soft_value + n * 2^31
219 * n >= 0
220 * soft_value < 2^32, soft_value >= 0
221 * for n == 0 start_value > soft_value
222 *
223 * As with compute_hard_n_value() the equations are not single-solution.
224 * The algorithm selects the solution that has:
225 * 2^30 <= soft_limit < 2^31 + 2^30
226 * for the interior iterations, which guarantees a large guard band
227 * around the counter hard limit and next interrupt.
228 */
229
230 /* Start by estimating n and compute soft_value */
231 n = (x->lft.soft_packet_limit - attrs->lft.hard_packet_limit) / BIT_ULL(31);
232 start_value = attrs->lft.hard_packet_limit + n * BIT_ULL(31) -
233 x->lft.soft_packet_limit;
234
235 /* Compare against constraints and adjust n */
236 if (n < 0)
237 n = 0;
238 else if (start_value >= BIT_ULL(32))
239 n -= 1;
240 else if (start_value < 0)
241 n += 1;
242
243 /* Choose the best of the two solutions: */
244 start_value = attrs->lft.hard_packet_limit + n * BIT_ULL(31) - start_value;
245 if (n != attrs->lft.numb_rounds_hard && start_value < BIT_ULL(30))
246 n += 1;
247
248 /* Note that the upper limit of soft_value happens naturally because we
249 * always select the lowest soft_value.
250 */
251
252 /* Computed values solve the system of equations: */
253 start_value = attrs->lft.hard_packet_limit + n * BIT_ULL(31) - start_value;
254
255 /* The best solution means: when there are multiple iterations we must
256 * not fall below 2^30 as that would get too close to the false
257 * hard_limit and when we reach an interior iteration for soft_limit it
258 * has to be far away from 2**32-1 which is the counter reset point
259 * after the +2^31 to accommodate latency.
260 */
261 attrs->lft.soft_packet_limit = lower_32_bits(start_value);
262 attrs->lft.numb_rounds_soft = (u64)n;
263 }
264
mlx5e_ipsec_init_macs(struct mlx5e_ipsec_sa_entry * sa_entry,struct mlx5_accel_esp_xfrm_attrs * attrs)265 static void mlx5e_ipsec_init_macs(struct mlx5e_ipsec_sa_entry *sa_entry,
266 struct mlx5_accel_esp_xfrm_attrs *attrs)
267 {
268 struct mlx5_core_dev *mdev = mlx5e_ipsec_sa2dev(sa_entry);
269 struct xfrm_state *x = sa_entry->x;
270 struct net_device *netdev;
271 struct neighbour *n;
272 u8 addr[ETH_ALEN];
273 const void *pkey;
274 u8 *dst, *src;
275
276 if (attrs->mode != XFRM_MODE_TUNNEL ||
277 attrs->type != XFRM_DEV_OFFLOAD_PACKET)
278 return;
279
280 netdev = x->xso.real_dev;
281
282 mlx5_query_mac_address(mdev, addr);
283 switch (attrs->dir) {
284 case XFRM_DEV_OFFLOAD_IN:
285 src = attrs->dmac;
286 dst = attrs->smac;
287 pkey = &attrs->saddr.a4;
288 break;
289 case XFRM_DEV_OFFLOAD_OUT:
290 src = attrs->smac;
291 dst = attrs->dmac;
292 pkey = &attrs->daddr.a4;
293 break;
294 default:
295 return;
296 }
297
298 ether_addr_copy(src, addr);
299 n = neigh_lookup(&arp_tbl, pkey, netdev);
300 if (!n) {
301 n = neigh_create(&arp_tbl, pkey, netdev);
302 if (IS_ERR(n))
303 return;
304 neigh_event_send(n, NULL);
305 attrs->drop = true;
306 } else {
307 neigh_ha_snapshot(addr, n, netdev);
308 ether_addr_copy(dst, addr);
309 }
310 neigh_release(n);
311 }
312
mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry * sa_entry,struct mlx5_accel_esp_xfrm_attrs * attrs)313 void mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry,
314 struct mlx5_accel_esp_xfrm_attrs *attrs)
315 {
316 struct xfrm_state *x = sa_entry->x;
317 struct aes_gcm_keymat *aes_gcm = &attrs->aes_gcm;
318 struct aead_geniv_ctx *geniv_ctx;
319 struct crypto_aead *aead;
320 unsigned int crypto_data_len, key_len;
321 int ivsize;
322
323 memset(attrs, 0, sizeof(*attrs));
324
325 /* key */
326 crypto_data_len = (x->aead->alg_key_len + 7) / 8;
327 key_len = crypto_data_len - 4; /* 4 bytes salt at end */
328
329 memcpy(aes_gcm->aes_key, x->aead->alg_key, key_len);
330 aes_gcm->key_len = key_len * 8;
331
332 /* salt and seq_iv */
333 aead = x->data;
334 geniv_ctx = crypto_aead_ctx(aead);
335 ivsize = crypto_aead_ivsize(aead);
336 memcpy(&aes_gcm->seq_iv, &geniv_ctx->salt, ivsize);
337 memcpy(&aes_gcm->salt, x->aead->alg_key + key_len,
338 sizeof(aes_gcm->salt));
339
340 attrs->authsize = crypto_aead_authsize(aead) / 4; /* in dwords */
341
342 /* iv len */
343 aes_gcm->icv_len = x->aead->alg_icv_len;
344
345 attrs->dir = x->xso.dir;
346
347 /* esn */
348 if (x->props.flags & XFRM_STATE_ESN) {
349 attrs->replay_esn.trigger = true;
350 attrs->replay_esn.esn = sa_entry->esn_state.esn;
351 attrs->replay_esn.esn_msb = sa_entry->esn_state.esn_msb;
352 attrs->replay_esn.overlap = sa_entry->esn_state.overlap;
353 if (attrs->dir == XFRM_DEV_OFFLOAD_OUT)
354 goto skip_replay_window;
355
356 switch (x->replay_esn->replay_window) {
357 case 32:
358 attrs->replay_esn.replay_window =
359 MLX5_IPSEC_ASO_REPLAY_WIN_32BIT;
360 break;
361 case 64:
362 attrs->replay_esn.replay_window =
363 MLX5_IPSEC_ASO_REPLAY_WIN_64BIT;
364 break;
365 case 128:
366 attrs->replay_esn.replay_window =
367 MLX5_IPSEC_ASO_REPLAY_WIN_128BIT;
368 break;
369 case 256:
370 attrs->replay_esn.replay_window =
371 MLX5_IPSEC_ASO_REPLAY_WIN_256BIT;
372 break;
373 default:
374 WARN_ON(true);
375 return;
376 }
377 }
378
379 skip_replay_window:
380 /* spi */
381 attrs->spi = be32_to_cpu(x->id.spi);
382
383 /* source , destination ips */
384 memcpy(&attrs->saddr, x->props.saddr.a6, sizeof(attrs->saddr));
385 memcpy(&attrs->daddr, x->id.daddr.a6, sizeof(attrs->daddr));
386 attrs->family = x->props.family;
387 attrs->type = x->xso.type;
388 attrs->reqid = x->props.reqid;
389 attrs->upspec.dport = ntohs(x->sel.dport);
390 attrs->upspec.dport_mask = ntohs(x->sel.dport_mask);
391 attrs->upspec.sport = ntohs(x->sel.sport);
392 attrs->upspec.sport_mask = ntohs(x->sel.sport_mask);
393 attrs->upspec.proto = x->sel.proto;
394 attrs->mode = x->props.mode;
395
396 mlx5e_ipsec_init_limits(sa_entry, attrs);
397 mlx5e_ipsec_init_macs(sa_entry, attrs);
398
399 if (x->encap) {
400 attrs->encap = true;
401 attrs->sport = x->encap->encap_sport;
402 attrs->dport = x->encap->encap_dport;
403 }
404 }
405
mlx5e_xfrm_validate_state(struct mlx5_core_dev * mdev,struct xfrm_state * x,struct netlink_ext_ack * extack)406 static int mlx5e_xfrm_validate_state(struct mlx5_core_dev *mdev,
407 struct xfrm_state *x,
408 struct netlink_ext_ack *extack)
409 {
410 if (x->props.aalgo != SADB_AALG_NONE) {
411 NL_SET_ERR_MSG_MOD(extack, "Cannot offload authenticated xfrm states");
412 return -EINVAL;
413 }
414 if (x->props.ealgo != SADB_X_EALG_AES_GCM_ICV16) {
415 NL_SET_ERR_MSG_MOD(extack, "Only AES-GCM-ICV16 xfrm state may be offloaded");
416 return -EINVAL;
417 }
418 if (x->props.calgo != SADB_X_CALG_NONE) {
419 NL_SET_ERR_MSG_MOD(extack, "Cannot offload compressed xfrm states");
420 return -EINVAL;
421 }
422 if (x->props.flags & XFRM_STATE_ESN &&
423 !(mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_ESN)) {
424 NL_SET_ERR_MSG_MOD(extack, "Cannot offload ESN xfrm states");
425 return -EINVAL;
426 }
427 if (x->props.family != AF_INET &&
428 x->props.family != AF_INET6) {
429 NL_SET_ERR_MSG_MOD(extack, "Only IPv4/6 xfrm states may be offloaded");
430 return -EINVAL;
431 }
432 if (x->id.proto != IPPROTO_ESP) {
433 NL_SET_ERR_MSG_MOD(extack, "Only ESP xfrm state may be offloaded");
434 return -EINVAL;
435 }
436 if (x->encap) {
437 if (!(mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_ESPINUDP)) {
438 NL_SET_ERR_MSG_MOD(extack, "Encapsulation is not supported");
439 return -EINVAL;
440 }
441
442 if (x->encap->encap_type != UDP_ENCAP_ESPINUDP) {
443 NL_SET_ERR_MSG_MOD(extack, "Encapsulation other than UDP is not supported");
444 return -EINVAL;
445 }
446
447 if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET) {
448 NL_SET_ERR_MSG_MOD(extack, "Encapsulation is supported in packet offload mode only");
449 return -EINVAL;
450 }
451
452 if (x->props.mode != XFRM_MODE_TRANSPORT) {
453 NL_SET_ERR_MSG_MOD(extack, "Encapsulation is supported in transport mode only");
454 return -EINVAL;
455 }
456 }
457 if (!x->aead) {
458 NL_SET_ERR_MSG_MOD(extack, "Cannot offload xfrm states without aead");
459 return -EINVAL;
460 }
461 if (x->aead->alg_icv_len != 128) {
462 NL_SET_ERR_MSG_MOD(extack, "Cannot offload xfrm states with AEAD ICV length other than 128bit");
463 return -EINVAL;
464 }
465 if ((x->aead->alg_key_len != 128 + 32) &&
466 (x->aead->alg_key_len != 256 + 32)) {
467 NL_SET_ERR_MSG_MOD(extack, "Cannot offload xfrm states with AEAD key length other than 128/256 bit");
468 return -EINVAL;
469 }
470 if (x->tfcpad) {
471 NL_SET_ERR_MSG_MOD(extack, "Cannot offload xfrm states with tfc padding");
472 return -EINVAL;
473 }
474 if (!x->geniv) {
475 NL_SET_ERR_MSG_MOD(extack, "Cannot offload xfrm states without geniv");
476 return -EINVAL;
477 }
478 if (strcmp(x->geniv, "seqiv")) {
479 NL_SET_ERR_MSG_MOD(extack, "Cannot offload xfrm states with geniv other than seqiv");
480 return -EINVAL;
481 }
482
483 if (x->sel.proto != IPPROTO_IP && x->sel.proto != IPPROTO_UDP &&
484 x->sel.proto != IPPROTO_TCP) {
485 NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than TCP/UDP");
486 return -EINVAL;
487 }
488
489 if (x->props.mode != XFRM_MODE_TRANSPORT && x->props.mode != XFRM_MODE_TUNNEL) {
490 NL_SET_ERR_MSG_MOD(extack, "Only transport and tunnel xfrm states may be offloaded");
491 return -EINVAL;
492 }
493
494 switch (x->xso.type) {
495 case XFRM_DEV_OFFLOAD_CRYPTO:
496 if (!(mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_CRYPTO)) {
497 NL_SET_ERR_MSG_MOD(extack, "Crypto offload is not supported");
498 return -EINVAL;
499 }
500
501 break;
502 case XFRM_DEV_OFFLOAD_PACKET:
503 if (!(mlx5_ipsec_device_caps(mdev) &
504 MLX5_IPSEC_CAP_PACKET_OFFLOAD)) {
505 NL_SET_ERR_MSG_MOD(extack, "Packet offload is not supported");
506 return -EINVAL;
507 }
508
509 if (x->props.mode == XFRM_MODE_TUNNEL &&
510 !(mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_TUNNEL)) {
511 NL_SET_ERR_MSG_MOD(extack, "Packet offload is not supported for tunnel mode");
512 return -EINVAL;
513 }
514
515 if (x->replay_esn && x->xso.dir == XFRM_DEV_OFFLOAD_IN &&
516 x->replay_esn->replay_window != 32 &&
517 x->replay_esn->replay_window != 64 &&
518 x->replay_esn->replay_window != 128 &&
519 x->replay_esn->replay_window != 256) {
520 NL_SET_ERR_MSG_MOD(extack, "Unsupported replay window size");
521 return -EINVAL;
522 }
523
524 if (!x->props.reqid) {
525 NL_SET_ERR_MSG_MOD(extack, "Cannot offload without reqid");
526 return -EINVAL;
527 }
528
529 if (x->lft.hard_byte_limit != XFRM_INF ||
530 x->lft.soft_byte_limit != XFRM_INF) {
531 NL_SET_ERR_MSG_MOD(extack, "Device doesn't support limits in bytes");
532 return -EINVAL;
533 }
534
535 if (x->lft.soft_packet_limit >= x->lft.hard_packet_limit &&
536 x->lft.hard_packet_limit != XFRM_INF) {
537 /* XFRM stack doesn't prevent such configuration :(. */
538 NL_SET_ERR_MSG_MOD(extack, "Hard packet limit must be greater than soft one");
539 return -EINVAL;
540 }
541
542 if (!x->lft.soft_packet_limit || !x->lft.hard_packet_limit) {
543 NL_SET_ERR_MSG_MOD(extack, "Soft/hard packet limits can't be 0");
544 return -EINVAL;
545 }
546 break;
547 default:
548 NL_SET_ERR_MSG_MOD(extack, "Unsupported xfrm offload type");
549 return -EINVAL;
550 }
551 return 0;
552 }
553
mlx5e_ipsec_modify_state(struct work_struct * _work)554 static void mlx5e_ipsec_modify_state(struct work_struct *_work)
555 {
556 struct mlx5e_ipsec_work *work =
557 container_of(_work, struct mlx5e_ipsec_work, work);
558 struct mlx5e_ipsec_sa_entry *sa_entry = work->sa_entry;
559 struct mlx5_accel_esp_xfrm_attrs *attrs;
560
561 attrs = &((struct mlx5e_ipsec_sa_entry *)work->data)->attrs;
562
563 mlx5_accel_esp_modify_xfrm(sa_entry, attrs);
564 }
565
mlx5e_ipsec_set_esn_ops(struct mlx5e_ipsec_sa_entry * sa_entry)566 static void mlx5e_ipsec_set_esn_ops(struct mlx5e_ipsec_sa_entry *sa_entry)
567 {
568 struct xfrm_state *x = sa_entry->x;
569
570 if (x->xso.type != XFRM_DEV_OFFLOAD_CRYPTO ||
571 x->xso.dir != XFRM_DEV_OFFLOAD_OUT)
572 return;
573
574 if (x->props.flags & XFRM_STATE_ESN) {
575 sa_entry->set_iv_op = mlx5e_ipsec_set_iv_esn;
576 return;
577 }
578
579 sa_entry->set_iv_op = mlx5e_ipsec_set_iv;
580 }
581
mlx5e_ipsec_handle_netdev_event(struct work_struct * _work)582 static void mlx5e_ipsec_handle_netdev_event(struct work_struct *_work)
583 {
584 struct mlx5e_ipsec_work *work =
585 container_of(_work, struct mlx5e_ipsec_work, work);
586 struct mlx5e_ipsec_sa_entry *sa_entry = work->sa_entry;
587 struct mlx5e_ipsec_netevent_data *data = work->data;
588 struct mlx5_accel_esp_xfrm_attrs *attrs;
589
590 attrs = &sa_entry->attrs;
591
592 switch (attrs->dir) {
593 case XFRM_DEV_OFFLOAD_IN:
594 ether_addr_copy(attrs->smac, data->addr);
595 break;
596 case XFRM_DEV_OFFLOAD_OUT:
597 ether_addr_copy(attrs->dmac, data->addr);
598 break;
599 default:
600 WARN_ON_ONCE(true);
601 }
602 attrs->drop = false;
603 mlx5e_accel_ipsec_fs_modify(sa_entry);
604 }
605
mlx5_ipsec_create_work(struct mlx5e_ipsec_sa_entry * sa_entry)606 static int mlx5_ipsec_create_work(struct mlx5e_ipsec_sa_entry *sa_entry)
607 {
608 struct xfrm_state *x = sa_entry->x;
609 struct mlx5e_ipsec_work *work;
610 void *data = NULL;
611
612 switch (x->xso.type) {
613 case XFRM_DEV_OFFLOAD_CRYPTO:
614 if (!(x->props.flags & XFRM_STATE_ESN))
615 return 0;
616 break;
617 case XFRM_DEV_OFFLOAD_PACKET:
618 if (x->props.mode != XFRM_MODE_TUNNEL)
619 return 0;
620 break;
621 default:
622 break;
623 }
624
625 work = kzalloc(sizeof(*work), GFP_KERNEL);
626 if (!work)
627 return -ENOMEM;
628
629 switch (x->xso.type) {
630 case XFRM_DEV_OFFLOAD_CRYPTO:
631 data = kzalloc(sizeof(*sa_entry), GFP_KERNEL);
632 if (!data)
633 goto free_work;
634
635 INIT_WORK(&work->work, mlx5e_ipsec_modify_state);
636 break;
637 case XFRM_DEV_OFFLOAD_PACKET:
638 data = kzalloc(sizeof(struct mlx5e_ipsec_netevent_data),
639 GFP_KERNEL);
640 if (!data)
641 goto free_work;
642
643 INIT_WORK(&work->work, mlx5e_ipsec_handle_netdev_event);
644 break;
645 default:
646 break;
647 }
648
649 work->data = data;
650 work->sa_entry = sa_entry;
651 sa_entry->work = work;
652 return 0;
653
654 free_work:
655 kfree(work);
656 return -ENOMEM;
657 }
658
mlx5e_ipsec_create_dwork(struct mlx5e_ipsec_sa_entry * sa_entry)659 static int mlx5e_ipsec_create_dwork(struct mlx5e_ipsec_sa_entry *sa_entry)
660 {
661 struct xfrm_state *x = sa_entry->x;
662 struct mlx5e_ipsec_dwork *dwork;
663
664 if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET)
665 return 0;
666
667 if (x->xso.dir != XFRM_DEV_OFFLOAD_OUT)
668 return 0;
669
670 if (x->lft.soft_packet_limit == XFRM_INF &&
671 x->lft.hard_packet_limit == XFRM_INF)
672 return 0;
673
674 dwork = kzalloc(sizeof(*dwork), GFP_KERNEL);
675 if (!dwork)
676 return -ENOMEM;
677
678 dwork->sa_entry = sa_entry;
679 INIT_DELAYED_WORK(&dwork->dwork, mlx5e_ipsec_handle_tx_limit);
680 sa_entry->dwork = dwork;
681 return 0;
682 }
683
mlx5e_xfrm_add_state(struct xfrm_state * x,struct netlink_ext_ack * extack)684 static int mlx5e_xfrm_add_state(struct xfrm_state *x,
685 struct netlink_ext_ack *extack)
686 {
687 struct mlx5e_ipsec_sa_entry *sa_entry = NULL;
688 struct net_device *netdev = x->xso.real_dev;
689 struct mlx5e_ipsec *ipsec;
690 struct mlx5e_priv *priv;
691 gfp_t gfp;
692 int err;
693
694 priv = netdev_priv(netdev);
695 if (!priv->ipsec)
696 return -EOPNOTSUPP;
697
698 ipsec = priv->ipsec;
699 gfp = (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ) ? GFP_ATOMIC : GFP_KERNEL;
700 sa_entry = kzalloc(sizeof(*sa_entry), gfp);
701 if (!sa_entry)
702 return -ENOMEM;
703
704 sa_entry->x = x;
705 sa_entry->ipsec = ipsec;
706 /* Check if this SA is originated from acquire flow temporary SA */
707 if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ)
708 goto out;
709
710 err = mlx5e_xfrm_validate_state(priv->mdev, x, extack);
711 if (err)
712 goto err_xfrm;
713
714 if (!mlx5_eswitch_block_ipsec(priv->mdev)) {
715 err = -EBUSY;
716 goto err_xfrm;
717 }
718
719 /* check esn */
720 if (x->props.flags & XFRM_STATE_ESN)
721 mlx5e_ipsec_update_esn_state(sa_entry);
722 else
723 /* According to RFC4303, section "3.3.3. Sequence Number Generation",
724 * the first packet sent using a given SA will contain a sequence
725 * number of 1.
726 */
727 sa_entry->esn_state.esn = 1;
728
729 mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, &sa_entry->attrs);
730
731 err = mlx5_ipsec_create_work(sa_entry);
732 if (err)
733 goto unblock_ipsec;
734
735 err = mlx5e_ipsec_create_dwork(sa_entry);
736 if (err)
737 goto release_work;
738
739 /* create hw context */
740 err = mlx5_ipsec_create_sa_ctx(sa_entry);
741 if (err)
742 goto release_dwork;
743
744 err = mlx5e_accel_ipsec_fs_add_rule(sa_entry);
745 if (err)
746 goto err_hw_ctx;
747
748 if (x->props.mode == XFRM_MODE_TUNNEL &&
749 x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
750 !mlx5e_ipsec_fs_tunnel_enabled(sa_entry)) {
751 NL_SET_ERR_MSG_MOD(extack, "Packet offload tunnel mode is disabled due to encap settings");
752 err = -EINVAL;
753 goto err_add_rule;
754 }
755
756 /* We use *_bh() variant because xfrm_timer_handler(), which runs
757 * in softirq context, can reach our state delete logic and we need
758 * xa_erase_bh() there.
759 */
760 err = xa_insert_bh(&ipsec->sadb, sa_entry->ipsec_obj_id, sa_entry,
761 GFP_KERNEL);
762 if (err)
763 goto err_add_rule;
764
765 mlx5e_ipsec_set_esn_ops(sa_entry);
766
767 if (sa_entry->dwork)
768 queue_delayed_work(ipsec->wq, &sa_entry->dwork->dwork,
769 MLX5_IPSEC_RESCHED);
770
771 if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
772 x->props.mode == XFRM_MODE_TUNNEL) {
773 xa_lock_bh(&ipsec->sadb);
774 __xa_set_mark(&ipsec->sadb, sa_entry->ipsec_obj_id,
775 MLX5E_IPSEC_TUNNEL_SA);
776 xa_unlock_bh(&ipsec->sadb);
777 }
778
779 out:
780 x->xso.offload_handle = (unsigned long)sa_entry;
781 return 0;
782
783 err_add_rule:
784 mlx5e_accel_ipsec_fs_del_rule(sa_entry);
785 err_hw_ctx:
786 mlx5_ipsec_free_sa_ctx(sa_entry);
787 release_dwork:
788 kfree(sa_entry->dwork);
789 release_work:
790 if (sa_entry->work)
791 kfree(sa_entry->work->data);
792 kfree(sa_entry->work);
793 unblock_ipsec:
794 mlx5_eswitch_unblock_ipsec(priv->mdev);
795 err_xfrm:
796 kfree(sa_entry);
797 NL_SET_ERR_MSG_WEAK_MOD(extack, "Device failed to offload this state");
798 return err;
799 }
800
mlx5e_xfrm_del_state(struct xfrm_state * x)801 static void mlx5e_xfrm_del_state(struct xfrm_state *x)
802 {
803 struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x);
804 struct mlx5e_ipsec *ipsec = sa_entry->ipsec;
805 struct mlx5e_ipsec_sa_entry *old;
806
807 if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ)
808 return;
809
810 old = xa_erase_bh(&ipsec->sadb, sa_entry->ipsec_obj_id);
811 WARN_ON(old != sa_entry);
812 }
813
mlx5e_xfrm_free_state(struct xfrm_state * x)814 static void mlx5e_xfrm_free_state(struct xfrm_state *x)
815 {
816 struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x);
817 struct mlx5e_ipsec *ipsec = sa_entry->ipsec;
818
819 if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ)
820 goto sa_entry_free;
821
822 if (sa_entry->work)
823 cancel_work_sync(&sa_entry->work->work);
824
825 if (sa_entry->dwork)
826 cancel_delayed_work_sync(&sa_entry->dwork->dwork);
827
828 mlx5e_accel_ipsec_fs_del_rule(sa_entry);
829 mlx5_ipsec_free_sa_ctx(sa_entry);
830 kfree(sa_entry->dwork);
831 if (sa_entry->work)
832 kfree(sa_entry->work->data);
833 kfree(sa_entry->work);
834 mlx5_eswitch_unblock_ipsec(ipsec->mdev);
835 sa_entry_free:
836 kfree(sa_entry);
837 }
838
mlx5e_ipsec_netevent_event(struct notifier_block * nb,unsigned long event,void * ptr)839 static int mlx5e_ipsec_netevent_event(struct notifier_block *nb,
840 unsigned long event, void *ptr)
841 {
842 struct mlx5_accel_esp_xfrm_attrs *attrs;
843 struct mlx5e_ipsec_netevent_data *data;
844 struct mlx5e_ipsec_sa_entry *sa_entry;
845 struct mlx5e_ipsec *ipsec;
846 struct neighbour *n = ptr;
847 struct net_device *netdev;
848 struct xfrm_state *x;
849 unsigned long idx;
850
851 if (event != NETEVENT_NEIGH_UPDATE || !(n->nud_state & NUD_VALID))
852 return NOTIFY_DONE;
853
854 ipsec = container_of(nb, struct mlx5e_ipsec, netevent_nb);
855 xa_for_each_marked(&ipsec->sadb, idx, sa_entry, MLX5E_IPSEC_TUNNEL_SA) {
856 attrs = &sa_entry->attrs;
857
858 if (attrs->family == AF_INET) {
859 if (!neigh_key_eq32(n, &attrs->saddr.a4) &&
860 !neigh_key_eq32(n, &attrs->daddr.a4))
861 continue;
862 } else {
863 if (!neigh_key_eq128(n, &attrs->saddr.a4) &&
864 !neigh_key_eq128(n, &attrs->daddr.a4))
865 continue;
866 }
867
868 x = sa_entry->x;
869 netdev = x->xso.real_dev;
870 data = sa_entry->work->data;
871
872 neigh_ha_snapshot(data->addr, n, netdev);
873 queue_work(ipsec->wq, &sa_entry->work->work);
874 }
875
876 return NOTIFY_DONE;
877 }
878
mlx5e_ipsec_init(struct mlx5e_priv * priv)879 void mlx5e_ipsec_init(struct mlx5e_priv *priv)
880 {
881 struct mlx5e_ipsec *ipsec;
882 int ret = -ENOMEM;
883
884 if (!mlx5_ipsec_device_caps(priv->mdev)) {
885 netdev_dbg(priv->netdev, "Not an IPSec offload device\n");
886 return;
887 }
888
889 ipsec = kzalloc(sizeof(*ipsec), GFP_KERNEL);
890 if (!ipsec)
891 return;
892
893 xa_init_flags(&ipsec->sadb, XA_FLAGS_ALLOC);
894 ipsec->mdev = priv->mdev;
895 ipsec->wq = alloc_workqueue("mlx5e_ipsec: %s", WQ_UNBOUND, 0,
896 priv->netdev->name);
897 if (!ipsec->wq)
898 goto err_wq;
899
900 if (mlx5_ipsec_device_caps(priv->mdev) &
901 MLX5_IPSEC_CAP_PACKET_OFFLOAD) {
902 ret = mlx5e_ipsec_aso_init(ipsec);
903 if (ret)
904 goto err_aso;
905 }
906
907 if (mlx5_ipsec_device_caps(priv->mdev) & MLX5_IPSEC_CAP_TUNNEL) {
908 ipsec->netevent_nb.notifier_call = mlx5e_ipsec_netevent_event;
909 ret = register_netevent_notifier(&ipsec->netevent_nb);
910 if (ret)
911 goto clear_aso;
912 }
913
914 ipsec->is_uplink_rep = mlx5e_is_uplink_rep(priv);
915 ret = mlx5e_accel_ipsec_fs_init(ipsec);
916 if (ret)
917 goto err_fs_init;
918
919 ipsec->fs = priv->fs;
920 priv->ipsec = ipsec;
921 netdev_dbg(priv->netdev, "IPSec attached to netdevice\n");
922 return;
923
924 err_fs_init:
925 if (mlx5_ipsec_device_caps(priv->mdev) & MLX5_IPSEC_CAP_TUNNEL)
926 unregister_netevent_notifier(&ipsec->netevent_nb);
927 clear_aso:
928 if (mlx5_ipsec_device_caps(priv->mdev) & MLX5_IPSEC_CAP_PACKET_OFFLOAD)
929 mlx5e_ipsec_aso_cleanup(ipsec);
930 err_aso:
931 destroy_workqueue(ipsec->wq);
932 err_wq:
933 kfree(ipsec);
934 mlx5_core_err(priv->mdev, "IPSec initialization failed, %d\n", ret);
935 return;
936 }
937
mlx5e_ipsec_cleanup(struct mlx5e_priv * priv)938 void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv)
939 {
940 struct mlx5e_ipsec *ipsec = priv->ipsec;
941
942 if (!ipsec)
943 return;
944
945 mlx5e_accel_ipsec_fs_cleanup(ipsec);
946 if (ipsec->netevent_nb.notifier_call) {
947 unregister_netevent_notifier(&ipsec->netevent_nb);
948 ipsec->netevent_nb.notifier_call = NULL;
949 }
950 if (ipsec->aso)
951 mlx5e_ipsec_aso_cleanup(ipsec);
952 destroy_workqueue(ipsec->wq);
953 kfree(ipsec);
954 priv->ipsec = NULL;
955 }
956
mlx5e_ipsec_offload_ok(struct sk_buff * skb,struct xfrm_state * x)957 static bool mlx5e_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
958 {
959 if (x->props.family == AF_INET) {
960 /* Offload with IPv4 options is not supported yet */
961 if (ip_hdr(skb)->ihl > 5)
962 return false;
963 } else {
964 /* Offload with IPv6 extension headers is not support yet */
965 if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr))
966 return false;
967 }
968
969 return true;
970 }
971
mlx5e_xfrm_advance_esn_state(struct xfrm_state * x)972 static void mlx5e_xfrm_advance_esn_state(struct xfrm_state *x)
973 {
974 struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x);
975 struct mlx5e_ipsec_work *work = sa_entry->work;
976 struct mlx5e_ipsec_sa_entry *sa_entry_shadow;
977 bool need_update;
978
979 need_update = mlx5e_ipsec_update_esn_state(sa_entry);
980 if (!need_update)
981 return;
982
983 sa_entry_shadow = work->data;
984 memset(sa_entry_shadow, 0x00, sizeof(*sa_entry_shadow));
985 mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, &sa_entry_shadow->attrs);
986 queue_work(sa_entry->ipsec->wq, &work->work);
987 }
988
mlx5e_xfrm_update_curlft(struct xfrm_state * x)989 static void mlx5e_xfrm_update_curlft(struct xfrm_state *x)
990 {
991 struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x);
992 struct mlx5e_ipsec_rule *ipsec_rule = &sa_entry->ipsec_rule;
993 u64 packets, bytes, lastuse;
994
995 lockdep_assert(lockdep_is_held(&x->lock) ||
996 lockdep_is_held(&dev_net(x->xso.real_dev)->xfrm.xfrm_cfg_mutex));
997
998 if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ)
999 return;
1000
1001 mlx5_fc_query_cached(ipsec_rule->fc, &bytes, &packets, &lastuse);
1002 x->curlft.packets += packets;
1003 x->curlft.bytes += bytes;
1004 }
1005
mlx5e_xfrm_validate_policy(struct mlx5_core_dev * mdev,struct xfrm_policy * x,struct netlink_ext_ack * extack)1006 static int mlx5e_xfrm_validate_policy(struct mlx5_core_dev *mdev,
1007 struct xfrm_policy *x,
1008 struct netlink_ext_ack *extack)
1009 {
1010 struct xfrm_selector *sel = &x->selector;
1011
1012 if (x->type != XFRM_POLICY_TYPE_MAIN) {
1013 NL_SET_ERR_MSG_MOD(extack, "Cannot offload non-main policy types");
1014 return -EINVAL;
1015 }
1016
1017 /* Please pay attention that we support only one template */
1018 if (x->xfrm_nr > 1) {
1019 NL_SET_ERR_MSG_MOD(extack, "Cannot offload more than one template");
1020 return -EINVAL;
1021 }
1022
1023 if (x->xdo.dir != XFRM_DEV_OFFLOAD_IN &&
1024 x->xdo.dir != XFRM_DEV_OFFLOAD_OUT) {
1025 NL_SET_ERR_MSG_MOD(extack, "Cannot offload forward policy");
1026 return -EINVAL;
1027 }
1028
1029 if (!x->xfrm_vec[0].reqid && sel->proto == IPPROTO_IP &&
1030 addr6_all_zero(sel->saddr.a6) && addr6_all_zero(sel->daddr.a6)) {
1031 NL_SET_ERR_MSG_MOD(extack, "Unsupported policy with reqid 0 without at least one of upper protocol or ip addr(s) different than 0");
1032 return -EINVAL;
1033 }
1034
1035 if (x->xdo.type != XFRM_DEV_OFFLOAD_PACKET) {
1036 NL_SET_ERR_MSG_MOD(extack, "Unsupported xfrm offload type");
1037 return -EINVAL;
1038 }
1039
1040 if (x->selector.proto != IPPROTO_IP &&
1041 x->selector.proto != IPPROTO_UDP &&
1042 x->selector.proto != IPPROTO_TCP) {
1043 NL_SET_ERR_MSG_MOD(extack, "Device does not support upper protocol other than TCP/UDP");
1044 return -EINVAL;
1045 }
1046
1047 if (x->priority) {
1048 if (!(mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_PRIO)) {
1049 NL_SET_ERR_MSG_MOD(extack, "Device does not support policy priority");
1050 return -EINVAL;
1051 }
1052
1053 if (x->priority == U32_MAX) {
1054 NL_SET_ERR_MSG_MOD(extack, "Device does not support requested policy priority");
1055 return -EINVAL;
1056 }
1057 }
1058
1059 if (x->xdo.type == XFRM_DEV_OFFLOAD_PACKET &&
1060 !(mlx5_ipsec_device_caps(mdev) & MLX5_IPSEC_CAP_PACKET_OFFLOAD)) {
1061 NL_SET_ERR_MSG_MOD(extack, "Packet offload is not supported");
1062 return -EINVAL;
1063 }
1064
1065 return 0;
1066 }
1067
1068 static void
mlx5e_ipsec_build_accel_pol_attrs(struct mlx5e_ipsec_pol_entry * pol_entry,struct mlx5_accel_pol_xfrm_attrs * attrs)1069 mlx5e_ipsec_build_accel_pol_attrs(struct mlx5e_ipsec_pol_entry *pol_entry,
1070 struct mlx5_accel_pol_xfrm_attrs *attrs)
1071 {
1072 struct xfrm_policy *x = pol_entry->x;
1073 struct xfrm_selector *sel;
1074
1075 sel = &x->selector;
1076 memset(attrs, 0, sizeof(*attrs));
1077
1078 memcpy(&attrs->saddr, sel->saddr.a6, sizeof(attrs->saddr));
1079 memcpy(&attrs->daddr, sel->daddr.a6, sizeof(attrs->daddr));
1080 attrs->family = sel->family;
1081 attrs->dir = x->xdo.dir;
1082 attrs->action = x->action;
1083 attrs->type = XFRM_DEV_OFFLOAD_PACKET;
1084 attrs->reqid = x->xfrm_vec[0].reqid;
1085 attrs->upspec.dport = ntohs(sel->dport);
1086 attrs->upspec.dport_mask = ntohs(sel->dport_mask);
1087 attrs->upspec.sport = ntohs(sel->sport);
1088 attrs->upspec.sport_mask = ntohs(sel->sport_mask);
1089 attrs->upspec.proto = sel->proto;
1090 attrs->prio = x->priority;
1091 }
1092
mlx5e_xfrm_add_policy(struct xfrm_policy * x,struct netlink_ext_ack * extack)1093 static int mlx5e_xfrm_add_policy(struct xfrm_policy *x,
1094 struct netlink_ext_ack *extack)
1095 {
1096 struct net_device *netdev = x->xdo.real_dev;
1097 struct mlx5e_ipsec_pol_entry *pol_entry;
1098 struct mlx5e_priv *priv;
1099 int err;
1100
1101 priv = netdev_priv(netdev);
1102 if (!priv->ipsec) {
1103 NL_SET_ERR_MSG_MOD(extack, "Device doesn't support IPsec packet offload");
1104 return -EOPNOTSUPP;
1105 }
1106
1107 err = mlx5e_xfrm_validate_policy(priv->mdev, x, extack);
1108 if (err)
1109 return err;
1110
1111 pol_entry = kzalloc(sizeof(*pol_entry), GFP_KERNEL);
1112 if (!pol_entry)
1113 return -ENOMEM;
1114
1115 pol_entry->x = x;
1116 pol_entry->ipsec = priv->ipsec;
1117
1118 if (!mlx5_eswitch_block_ipsec(priv->mdev)) {
1119 err = -EBUSY;
1120 goto ipsec_busy;
1121 }
1122
1123 mlx5e_ipsec_build_accel_pol_attrs(pol_entry, &pol_entry->attrs);
1124 err = mlx5e_accel_ipsec_fs_add_pol(pol_entry);
1125 if (err)
1126 goto err_fs;
1127
1128 x->xdo.offload_handle = (unsigned long)pol_entry;
1129 return 0;
1130
1131 err_fs:
1132 mlx5_eswitch_unblock_ipsec(priv->mdev);
1133 ipsec_busy:
1134 kfree(pol_entry);
1135 NL_SET_ERR_MSG_MOD(extack, "Device failed to offload this policy");
1136 return err;
1137 }
1138
mlx5e_xfrm_del_policy(struct xfrm_policy * x)1139 static void mlx5e_xfrm_del_policy(struct xfrm_policy *x)
1140 {
1141 struct mlx5e_ipsec_pol_entry *pol_entry = to_ipsec_pol_entry(x);
1142
1143 mlx5e_accel_ipsec_fs_del_pol(pol_entry);
1144 mlx5_eswitch_unblock_ipsec(pol_entry->ipsec->mdev);
1145 }
1146
mlx5e_xfrm_free_policy(struct xfrm_policy * x)1147 static void mlx5e_xfrm_free_policy(struct xfrm_policy *x)
1148 {
1149 struct mlx5e_ipsec_pol_entry *pol_entry = to_ipsec_pol_entry(x);
1150
1151 kfree(pol_entry);
1152 }
1153
1154 static const struct xfrmdev_ops mlx5e_ipsec_xfrmdev_ops = {
1155 .xdo_dev_state_add = mlx5e_xfrm_add_state,
1156 .xdo_dev_state_delete = mlx5e_xfrm_del_state,
1157 .xdo_dev_state_free = mlx5e_xfrm_free_state,
1158 .xdo_dev_offload_ok = mlx5e_ipsec_offload_ok,
1159 .xdo_dev_state_advance_esn = mlx5e_xfrm_advance_esn_state,
1160
1161 .xdo_dev_state_update_curlft = mlx5e_xfrm_update_curlft,
1162 .xdo_dev_policy_add = mlx5e_xfrm_add_policy,
1163 .xdo_dev_policy_delete = mlx5e_xfrm_del_policy,
1164 .xdo_dev_policy_free = mlx5e_xfrm_free_policy,
1165 };
1166
mlx5e_ipsec_build_netdev(struct mlx5e_priv * priv)1167 void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv)
1168 {
1169 struct mlx5_core_dev *mdev = priv->mdev;
1170 struct net_device *netdev = priv->netdev;
1171
1172 if (!mlx5_ipsec_device_caps(mdev))
1173 return;
1174
1175 mlx5_core_info(mdev, "mlx5e: IPSec ESP acceleration enabled\n");
1176
1177 netdev->xfrmdev_ops = &mlx5e_ipsec_xfrmdev_ops;
1178 netdev->features |= NETIF_F_HW_ESP;
1179 netdev->hw_enc_features |= NETIF_F_HW_ESP;
1180
1181 if (!MLX5_CAP_ETH(mdev, swp_csum)) {
1182 mlx5_core_dbg(mdev, "mlx5e: SWP checksum not supported\n");
1183 return;
1184 }
1185
1186 netdev->features |= NETIF_F_HW_ESP_TX_CSUM;
1187 netdev->hw_enc_features |= NETIF_F_HW_ESP_TX_CSUM;
1188
1189 if (!MLX5_CAP_ETH(mdev, swp_lso)) {
1190 mlx5_core_dbg(mdev, "mlx5e: ESP LSO not supported\n");
1191 return;
1192 }
1193
1194 netdev->gso_partial_features |= NETIF_F_GSO_ESP;
1195 mlx5_core_dbg(mdev, "mlx5e: ESP GSO capability turned on\n");
1196 netdev->features |= NETIF_F_GSO_ESP;
1197 netdev->hw_features |= NETIF_F_GSO_ESP;
1198 netdev->hw_enc_features |= NETIF_F_GSO_ESP;
1199 }
1200