* [net-next v2 0/6][pull request] 10GbE Intel Wired LAN Driver Updates 2017-06-27
@ 2017-06-27  8:51 Jeff Kirsher
  2017-06-27  8:51 ` [net-next v2 1/6] ixgbe: Ensure MAC filter was added before setting MACVLAN Jeff Kirsher
                   ` (5 more replies)
  0 siblings, 6 replies; 14+ messages in thread
From: Jeff Kirsher @ 2017-06-27  8:51 UTC (permalink / raw)
  To: davem; +Cc: Jeff Kirsher, netdev, nhorman, sassmann, jogreene

This series contains updates to ixgbe only.

Tony provides the majority of the changes, starting with adding a check to
ensure that adding a MAC filter was successful, before setting the
MACVLAN.  In order to receive notifications of link configurations of the
external PHY and support the configuration of the internal iXFI link on
X552 devices, Tony enables LASI interrupts.  Update the iXFI driver code
flow, since the MAC register NW_MNG_IF_SEL fields have been redefined for
X553 devices, so add MAC checks for iXFI flows.  Added additional checks
for flow control autonegotiation, since it is not supported for X553 fiber
and XFI devices.

Paul adds malicious driver detection (MDD) support for X550* devices.  MDD
is a hardware SR-IOV security feature which the driver enables by default,
and can be controlled by ethtool set-priv-flags parameter.

v2: removed unnecessary parens noticed by David Miller in patch 6 of the
    series.

The following are changes since commit 593814d1beae8ad91be6c90f95764e09fc7ca236:
  net/mlx4: fix spelling mistake: "coalesing" -> "coalescing"
and are available in the git repository at:
  git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue 10GbE

Paul Greenwalt (1):
  ixgbe: Add malicious driver detection support

Tony Nguyen (5):
  ixgbe: Ensure MAC filter was added before setting MACVLAN
  ixgbe: Enable LASI interrupts for X552 devices
  ixgbe: Update NW_MNG_IF_SEL support for X553
  ixgbe: Do not support flow control autonegotiation for X553
  ixgbe: Disable flow control for XFI

 drivers/net/ethernet/intel/ixgbe/ixgbe.h         |   3 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_common.c  |  30 ++-
 drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_nl.c  |  25 ++-
 drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c |  13 +-
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c    |   8 +-
 drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c   |  66 ++++++-
 drivers/net/ethernet/intel/ixgbe/ixgbe_type.h    |  12 +-
 drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c    | 240 +++++++++++++++++++----
 8 files changed, 340 insertions(+), 57 deletions(-)

-- 
2.12.2


* [net-next v2 1/6] ixgbe: Ensure MAC filter was added before setting MACVLAN
  2017-06-27  8:51 [net-next v2 0/6][pull request] 10GbE Intel Wired LAN Driver Updates 2017-06-27 Jeff Kirsher
@ 2017-06-27  8:51 ` Jeff Kirsher
  2017-06-27  8:51 ` [net-next v2 2/6] ixgbe: Enable LASI interrupts for X552 devices Jeff Kirsher
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 14+ messages in thread
From: Jeff Kirsher @ 2017-06-27  8:51 UTC (permalink / raw)
  To: davem; +Cc: Tony Nguyen, netdev, nhorman, sassmann, jogreene, Jeff Kirsher

From: Tony Nguyen <anthony.l.nguyen@intel.com>

This patch adds a check to ensure that adding the MAC filter was
successful before setting the MACVLAN.  If it was unsuccessful, propagate
the error.

Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
---
 drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
index 0760bd7eeb01..ca492876bd3d 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
@@ -681,6 +681,7 @@ static int ixgbe_set_vf_macvlan(struct ixgbe_adapter *adapter,
 {
 	struct list_head *pos;
 	struct vf_macvlans *entry;
+	s32 retval = 0;
 
 	if (index <= 1) {
 		list_for_each(pos, &adapter->vf_mvs.l) {
@@ -721,14 +722,15 @@ static int ixgbe_set_vf_macvlan(struct ixgbe_adapter *adapter,
 	if (!entry || !entry->free)
 		return -ENOSPC;
 
-	entry->free = false;
-	entry->is_macvlan = true;
-	entry->vf = vf;
-	memcpy(entry->vf_macvlan, mac_addr, ETH_ALEN);
-
-	ixgbe_add_mac_filter(adapter, mac_addr, vf);
+	retval = ixgbe_add_mac_filter(adapter, mac_addr, vf);
+	if (retval >= 0) {
+		entry->free = false;
+		entry->is_macvlan = true;
+		entry->vf = vf;
+		memcpy(entry->vf_macvlan, mac_addr, ETH_ALEN);
+	}
 
-	return 0;
+	return retval;
 }
 
 static inline void ixgbe_vf_reset_event(struct ixgbe_adapter *adapter, u32 vf)
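
Review bot: ixgbe_set_vf_macvlan() now returns retval unchanged on success, and the `retval >= 0` test just above implies ixgbe_add_mac_filter() can hand back a positive value, so a function that used to return 0 on success may now return a positive number. Callers that treat any non-zero return as failure would misread that; either return `retval < 0 ? retval : 0` or confirm and document that callers only test for negative values. The function's return type is int while the new local is s32; matching them would avoid the mixed typing.
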
-- 
2.12.2


* [net-next v2 2/6] ixgbe: Enable LASI interrupts for X552 devices
  2017-06-27  8:51 [net-next v2 0/6][pull request] 10GbE Intel Wired LAN Driver Updates 2017-06-27 Jeff Kirsher
  2017-06-27  8:51 ` [net-next v2 1/6] ixgbe: Ensure MAC filter was added before setting MACVLAN Jeff Kirsher
@ 2017-06-27  8:51 ` Jeff Kirsher
  2017-06-27  8:51 ` [net-next v2 3/6] ixgbe: Update NW_MNG_IF_SEL support for X553 Jeff Kirsher
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 14+ messages in thread
From: Jeff Kirsher @ 2017-06-27  8:51 UTC (permalink / raw)
  To: davem; +Cc: Tony Nguyen, netdev, nhorman, sassmann, jogreene, Jeff Kirsher

From: Tony Nguyen <anthony.l.nguyen@intel.com>

Enable LASI interrupts on X552 devices in order to receive notifications of
link configurations of the external PHY and support the configuration of
the internal iXFI link since iXFI does not support auto-negotiation.  This
is not required for X553 devices; add a check to avoid enabling LASI
interrupts for X553 devices.

Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
---
 drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 31 +++++++++++++++++++--------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
index 72d84a065e34..aa34e0b131bb 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
@@ -2404,17 +2404,30 @@ static s32 ixgbe_enable_lasi_ext_t_x550em(struct ixgbe_hw *hw)
 	status = ixgbe_get_lasi_ext_t_x550em(hw, &lsc);
 
 	/* Enable link status change alarm */
-	status = hw->phy.ops.read_reg(hw, IXGBE_MDIO_PMA_TX_VEN_LASI_INT_MASK,
-				      MDIO_MMD_AN, &reg);
-	if (status)
-		return status;
 
-	reg |= IXGBE_MDIO_PMA_TX_VEN_LASI_INT_EN;
+	/* Enable the LASI interrupts on X552 devices to receive notifications
+	 * of the link configurations of the external PHY and correspondingly
+	 * support the configuration of the internal iXFI link, since iXFI does
+	 * not support auto-negotiation. This is not required for X553 devices
+	 * having KR support, which performs auto-negotiations and which is used
+	 * as the internal link to the external PHY. Hence adding a check here
+	 * to avoid enabling LASI interrupts for X553 devices.
+	 */
+	if (hw->mac.type != ixgbe_mac_x550em_a) {
+		status = hw->phy.ops.read_reg(hw,
+					    IXGBE_MDIO_PMA_TX_VEN_LASI_INT_MASK,
+					    MDIO_MMD_AN, &reg);
+		if (status)
+			return status;
+
+		reg |= IXGBE_MDIO_PMA_TX_VEN_LASI_INT_EN;
 
-	status = hw->phy.ops.write_reg(hw, IXGBE_MDIO_PMA_TX_VEN_LASI_INT_MASK,
-				       MDIO_MMD_AN, reg);
-	if (status)
-		return status;
+		status = hw->phy.ops.write_reg(hw,
+					    IXGBE_MDIO_PMA_TX_VEN_LASI_INT_MASK,
+					    MDIO_MMD_AN, reg);
+		if (status)
+			return status;
+	}
 
 	/* Enable high temperature failure and global fault alarms */
 	status = hw->phy.ops.read_reg(hw, IXGBE_MDIO_GLOBAL_INT_MASK,
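
Review bot: the new guard `hw->mac.type != ixgbe_mac_x550em_a` is a negative test, so the LASI link status interrupt is enabled on every MAC type other than x550em_a, while the commit message and the added comment say the intent is X552 only. A positive test for the X552 MAC type, as patch 3/6 uses with `hw->mac.type == ixgbe_mac_X550EM_x`, would state the intent directly and would not silently include MAC types added later. The one-line comment `/* Enable link status change alarm */` is now followed by a blank line and a second comment block; folding it into the new block would read better.
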
-- 
2.12.2


* [net-next v2 3/6] ixgbe: Update NW_MNG_IF_SEL support for X553
  2017-06-27  8:51 [net-next v2 0/6][pull request] 10GbE Intel Wired LAN Driver Updates 2017-06-27 Jeff Kirsher
  2017-06-27  8:51 ` [net-next v2 1/6] ixgbe: Ensure MAC filter was added before setting MACVLAN Jeff Kirsher
  2017-06-27  8:51 ` [net-next v2 2/6] ixgbe: Enable LASI interrupts for X552 devices Jeff Kirsher
@ 2017-06-27  8:51 ` Jeff Kirsher
  2017-06-27  8:51 ` [net-next v2 4/6] ixgbe: Do not support flow control autonegotiation " Jeff Kirsher
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 14+ messages in thread
From: Jeff Kirsher @ 2017-06-27  8:51 UTC (permalink / raw)
  To: davem
  Cc: Tony Nguyen, netdev, nhorman, sassmann, jogreene, Paul Greenwalt,
	Jeff Kirsher

From: Tony Nguyen <anthony.l.nguyen@intel.com>

The MAC register NW_MNG_IF_SEL fields have been redefined for
X553. These changes impact the iXFI driver code flow. Since iXFI is
only supported in X552, add MAC checks for iXFI flows.

Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Paul Greenwalt <paul.greenwalt@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
---
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c |  2 +-
 drivers/net/ethernet/intel/ixgbe/ixgbe_type.h |  4 ++--
 drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 14 +++++++++++---
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
index f1dbdf26d8e1..4df921f8a48c 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -386,7 +386,7 @@ u32 ixgbe_read_reg(struct ixgbe_hw *hw, u32 reg)
 	if (ixgbe_removed(reg_addr))
 		return IXGBE_FAILED_READ_REG;
 	if (unlikely(hw->phy.nw_mng_if_sel &
-		     IXGBE_NW_MNG_IF_SEL_ENABLE_10_100M)) {
+		     IXGBE_NW_MNG_IF_SEL_SGMII_ENABLE)) {
 		struct ixgbe_adapter *adapter;
 		int i;
 
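
Review bot: the test in ixgbe_read_reg() moves from bit 23 to bit 25 for every MAC type, but the commit message says the NW_MNG_IF_SEL fields were redefined for X553. If bit 25 does not carry the same meaning on X552, this condition needs a MAC type check like the iXFI paths in this patch get; if it does, please say so in the commit message, since this sits in the common register read path and the rename alone does not explain the bit change.
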
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
index 9c2460c5ef1b..ffa0ee5cd0f5 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
@@ -3778,8 +3778,8 @@ struct ixgbe_info {
 #define IXGBE_NW_MNG_IF_SEL_PHY_SPEED_1G	BIT(19)
 #define IXGBE_NW_MNG_IF_SEL_PHY_SPEED_2_5G	BIT(20)
 #define IXGBE_NW_MNG_IF_SEL_PHY_SPEED_10G	BIT(21)
-#define IXGBE_NW_MNG_IF_SEL_ENABLE_10_100M	BIT(23)
-#define IXGBE_NW_MNG_IF_SEL_INT_PHY_MODE	BIT(24)
+#define IXGBE_NW_MNG_IF_SEL_SGMII_ENABLE	BIT(25)
+#define IXGBE_NW_MNG_IF_SEL_INT_PHY_MODE	BIT(24) /* X552 only */
 #define IXGBE_NW_MNG_IF_SEL_MDIO_PHY_ADD_SHIFT	3
 #define IXGBE_NW_MNG_IF_SEL_MDIO_PHY_ADD	\
 				(0x1F << IXGBE_NW_MNG_IF_SEL_MDIO_PHY_ADD_SHIFT)
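
Review bot: IXGBE_NW_MNG_IF_SEL_SGMII_ENABLE is BIT(25) but is inserted above BIT(24), breaking the ascending bit order of the surrounding defines. INT_PHY_MODE gains an `/* X552 only */` comment while SGMII_ENABLE gets none; a matching comment naming the MAC types where bit 25 is valid would help, given that the old BIT(23) name is removed outright.
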
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
index aa34e0b131bb..95adbda36235 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
@@ -1555,9 +1555,14 @@ static s32 ixgbe_restart_an_internal_phy_x550em(struct ixgbe_hw *hw)
  **/
 static s32 ixgbe_setup_ixfi_x550em(struct ixgbe_hw *hw, ixgbe_link_speed *speed)
 {
+	struct ixgbe_mac_info *mac = &hw->mac;
 	s32 status;
 	u32 reg_val;
 
+	/* iXFI is only supported with X552 */
+	if (mac->type != ixgbe_mac_X550EM_x)
+		return IXGBE_ERR_LINK_SETUP;
+
 	/* Disable AN and force speed to 10G Serial. */
 	status = ixgbe_read_iosf_sb_reg_x550(hw,
 					IXGBE_KRM_LINK_CTRL_1(hw->bus.lan_id),
@@ -1874,8 +1879,10 @@ static s32 ixgbe_setup_mac_link_t_X550em(struct ixgbe_hw *hw,
 	else
 		force_speed = IXGBE_LINK_SPEED_1GB_FULL;
 
-	/* If internal link mode is XFI, then setup XFI internal link. */
-	if (!(hw->phy.nw_mng_if_sel & IXGBE_NW_MNG_IF_SEL_INT_PHY_MODE)) {
+	/* If X552 and internal link mode is XFI, then setup XFI internal link.
+	 */
+	if (hw->mac.type == ixgbe_mac_X550EM_x &&
+	    !(hw->phy.nw_mng_if_sel & IXGBE_NW_MNG_IF_SEL_INT_PHY_MODE)) {
 		status = ixgbe_setup_ixfi_x550em(hw, &force_speed);
 
 		if (status)
@@ -2628,7 +2635,8 @@ static s32 ixgbe_setup_internal_phy_t_x550em(struct ixgbe_hw *hw)
 	if (hw->mac.ops.get_media_type(hw) != ixgbe_media_type_copper)
 		return IXGBE_ERR_CONFIG;
 
-	if (hw->phy.nw_mng_if_sel & IXGBE_NW_MNG_IF_SEL_INT_PHY_MODE) {
+	if (!(hw->mac.type == ixgbe_mac_X550EM_x &&
+	      !(hw->phy.nw_mng_if_sel & IXGBE_NW_MNG_IF_SEL_INT_PHY_MODE))) {
 		speed = IXGBE_LINK_SPEED_10GB_FULL |
 			IXGBE_LINK_SPEED_1GB_FULL;
 		return ixgbe_setup_kr_speed_x550em(hw, speed);
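
Review bot: the rewritten condition in ixgbe_setup_internal_phy_t_x550em() is a double negation of the same predicate that ixgbe_setup_mac_link_t_X550em() uses positively in the previous hunk, which makes it hard to verify by eye. The expanded form `hw->mac.type != ixgbe_mac_X550EM_x || (hw->phy.nw_mng_if_sel & IXGBE_NW_MNG_IF_SEL_INT_PHY_MODE)`, or a small bool helper answering "is the internal link iXFI" used at both sites, would be easier to read and keeps the two tests from drifting apart.
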
-- 
2.12.2


* [net-next v2 4/6] ixgbe: Do not support flow control autonegotiation for X553
  2017-06-27  8:51 [net-next v2 0/6][pull request] 10GbE Intel Wired LAN Driver Updates 2017-06-27 Jeff Kirsher
                   ` (2 preceding siblings ...)
  2017-06-27  8:51 ` [net-next v2 3/6] ixgbe: Update NW_MNG_IF_SEL support for X553 Jeff Kirsher
@ 2017-06-27  8:51 ` Jeff Kirsher
  2017-06-27  8:51 ` [net-next v2 5/6] ixgbe: Disable flow control for XFI Jeff Kirsher
  2017-06-27  8:51 ` [net-next v2 6/6] ixgbe: Add malicious driver detection support Jeff Kirsher
  5 siblings, 0 replies; 14+ messages in thread
From: Jeff Kirsher @ 2017-06-27  8:51 UTC (permalink / raw)
  To: davem
  Cc: Tony Nguyen, netdev, nhorman, sassmann, jogreene, Emil Tantilov,
	Jeff Kirsher

From: Tony Nguyen <anthony.l.nguyen@intel.com>

Flow control autonegotiation is not supported for fiber on X553.  Add
device ID checks in ixgbe_device_supports_autoneg_fc() to return the
appropriate value.

Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
---
 drivers/net/ethernet/intel/ixgbe/ixgbe_common.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
index 4e35e7017f3d..40ae7db468ea 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
@@ -79,13 +79,22 @@ bool ixgbe_device_supports_autoneg_fc(struct ixgbe_hw *hw)
 
 	switch (hw->phy.media_type) {
 	case ixgbe_media_type_fiber:
-		hw->mac.ops.check_link(hw, &speed, &link_up, false);
-		/* if link is down, assume supported */
-		if (link_up)
-			supported = speed == IXGBE_LINK_SPEED_1GB_FULL ?
+		/* flow control autoneg black list */
+		switch (hw->device_id) {
+		case IXGBE_DEV_ID_X550EM_A_SFP:
+		case IXGBE_DEV_ID_X550EM_A_SFP_N:
+			supported = false;
+			break;
+		default:
+			hw->mac.ops.check_link(hw, &speed, &link_up, false);
+			/* if link is down, assume supported */
+			if (link_up)
+				supported = speed == IXGBE_LINK_SPEED_1GB_FULL ?
 				true : false;
-		else
-			supported = true;
+			else
+				supported = true;
+		}
+
 		break;
 	case ixgbe_media_type_backplane:
 		supported = true;
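
Review bot: the inner `switch (hw->device_id)` ends with a `default:` arm that has no `break`, and the context line `true : false;` keeps its old indentation, so it no longer lines up with the re-indented `supported = speed == IXGBE_LINK_SPEED_1GB_FULL ?` above it. Since these lines are being touched anyway, `supported = speed == IXGBE_LINK_SPEED_1GB_FULL;` drops the redundant ternary and the alignment problem together. The "black list" comment could say plainly that these device IDs do not support flow control autoneg.
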
@@ -111,6 +120,10 @@ bool ixgbe_device_supports_autoneg_fc(struct ixgbe_hw *hw)
 		break;
 	}
 
+	if (!supported)
+		hw_dbg(hw, "Device %x does not support flow control autoneg\n",
+		       hw->device_id);
+
 	return supported;
 }
 
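
Review bot: the hw_dbg() format prints the device ID with a bare `%x`, so it appears without a `0x` prefix or fixed width and is easy to misread in logs; `0x%04x` would be unambiguous. ixgbe_device_supports_autoneg_fc() is a query function, so the message repeats on every call for an unsupported device; please confirm it is not reached from a periodic path.
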
-- 
2.12.2


* [net-next v2 5/6] ixgbe: Disable flow control for XFI
  2017-06-27  8:51 [net-next v2 0/6][pull request] 10GbE Intel Wired LAN Driver Updates 2017-06-27 Jeff Kirsher
                   ` (3 preceding siblings ...)
  2017-06-27  8:51 ` [net-next v2 4/6] ixgbe: Do not support flow control autonegotiation " Jeff Kirsher
@ 2017-06-27  8:51 ` Jeff Kirsher
  2017-06-27  8:51 ` [net-next v2 6/6] ixgbe: Add malicious driver detection support Jeff Kirsher
  5 siblings, 0 replies; 14+ messages in thread
From: Jeff Kirsher @ 2017-06-27  8:51 UTC (permalink / raw)
  To: davem
  Cc: Tony Nguyen, netdev, nhorman, sassmann, jogreene, Emil Tantilov,
	Jeff Kirsher

From: Tony Nguyen <anthony.l.nguyen@intel.com>

Flow control autonegotiation is not supported for XFI.  Make sure that
ixgbe_device_supports_autoneg_fc() returns false and
hw->fc.disable_fc_autoneg is set to true to avoid running the fc_autoneg
function for that device.

Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
---
 drivers/net/ethernet/intel/ixgbe/ixgbe_common.c |  5 ++-
 drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c   | 57 ++++++++++++++-----------
 2 files changed, 35 insertions(+), 27 deletions(-)

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
index 40ae7db468ea..2c19070d2a0b 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
@@ -97,7 +97,10 @@ bool ixgbe_device_supports_autoneg_fc(struct ixgbe_hw *hw)
 
 		break;
 	case ixgbe_media_type_backplane:
-		supported = true;
+		if (hw->device_id == IXGBE_DEV_ID_X550EM_X_XFI)
+			supported = false;
+		else
+			supported = true;
 		break;
 	case ixgbe_media_type_copper:
 		/* only some copper devices support flow control autoneg */
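
Review bot: the backplane arm now uses an if/else on a single device ID, where patch 4/6 added a nested `switch (hw->device_id)` for the fiber arm. Using the same switch form here keeps the two exception lists consistent and makes adding another device ID a one-line change.
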
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
index 95adbda36235..19fbb2f28ea4 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
@@ -2843,7 +2843,7 @@ static s32 ixgbe_setup_fc_x550em(struct ixgbe_hw *hw)
 {
 	bool pause, asm_dir;
 	u32 reg_val;
-	s32 rc;
+	s32 rc = 0;
 
 	/* Validate the requested mode */
 	if (hw->fc.strict_ieee && hw->fc.requested_mode == ixgbe_fc_rx_pause) {
@@ -2886,32 +2886,37 @@ static s32 ixgbe_setup_fc_x550em(struct ixgbe_hw *hw)
 		return IXGBE_ERR_CONFIG;
 	}
 
-	if (hw->device_id != IXGBE_DEV_ID_X550EM_X_KR &&
-	    hw->device_id != IXGBE_DEV_ID_X550EM_A_KR &&
-	    hw->device_id != IXGBE_DEV_ID_X550EM_A_KR_L)
-		return 0;
-
-	rc = hw->mac.ops.read_iosf_sb_reg(hw,
-					  IXGBE_KRM_AN_CNTL_1(hw->bus.lan_id),
-					  IXGBE_SB_IOSF_TARGET_KR_PHY,
-					  &reg_val);
-	if (rc)
-		return rc;
-
-	reg_val &= ~(IXGBE_KRM_AN_CNTL_1_SYM_PAUSE |
-		     IXGBE_KRM_AN_CNTL_1_ASM_PAUSE);
-	if (pause)
-		reg_val |= IXGBE_KRM_AN_CNTL_1_SYM_PAUSE;
-	if (asm_dir)
-		reg_val |= IXGBE_KRM_AN_CNTL_1_ASM_PAUSE;
-	rc = hw->mac.ops.write_iosf_sb_reg(hw,
-					   IXGBE_KRM_AN_CNTL_1(hw->bus.lan_id),
-					   IXGBE_SB_IOSF_TARGET_KR_PHY,
-					   reg_val);
-
-	/* This device does not fully support AN. */
-	hw->fc.disable_fc_autoneg = true;
+	switch (hw->device_id) {
+	case IXGBE_DEV_ID_X550EM_X_KR:
+	case IXGBE_DEV_ID_X550EM_A_KR:
+	case IXGBE_DEV_ID_X550EM_A_KR_L:
+		rc = hw->mac.ops.read_iosf_sb_reg(hw,
+					    IXGBE_KRM_AN_CNTL_1(hw->bus.lan_id),
+					    IXGBE_SB_IOSF_TARGET_KR_PHY,
+					    &reg_val);
+		if (rc)
+			return rc;
 
+		reg_val &= ~(IXGBE_KRM_AN_CNTL_1_SYM_PAUSE |
+			     IXGBE_KRM_AN_CNTL_1_ASM_PAUSE);
+		if (pause)
+			reg_val |= IXGBE_KRM_AN_CNTL_1_SYM_PAUSE;
+		if (asm_dir)
+			reg_val |= IXGBE_KRM_AN_CNTL_1_ASM_PAUSE;
+		rc = hw->mac.ops.write_iosf_sb_reg(hw,
+					    IXGBE_KRM_AN_CNTL_1(hw->bus.lan_id),
+					    IXGBE_SB_IOSF_TARGET_KR_PHY,
+					    reg_val);
+
+		/* This device does not fully support AN. */
+		hw->fc.disable_fc_autoneg = true;
+		break;
+	case IXGBE_DEV_ID_X550EM_X_XFI:
+		hw->fc.disable_fc_autoneg = true;
+		break;
+	default:
+		break;
+	}
 	return rc;
 }
 
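
Review bot: the subject says "Disable flow control for XFI", but the new `case IXGBE_DEV_ID_X550EM_X_XFI:` arm only sets `hw->fc.disable_fc_autoneg = true`; flow control itself is not disabled. Please retitle to say autonegotiation, matching the commit body. In the KR arm the result of write_iosf_sb_reg() is carried in rc past the `disable_fc_autoneg` assignment and returned at the end; if setting the flag even when the write fails is intended, a short comment saying so would help, and a blank line before `return rc;` would match the rest of the function.
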
-- 
2.12.2


* [net-next v2 6/6] ixgbe: Add malicious driver detection support
  2017-06-27  8:51 [net-next v2 0/6][pull request] 10GbE Intel Wired LAN Driver Updates 2017-06-27 Jeff Kirsher
                   ` (4 preceding siblings ...)
  2017-06-27  8:51 ` [net-next v2 5/6] ixgbe: Disable flow control for XFI Jeff Kirsher
@ 2017-06-27  8:51 ` Jeff Kirsher
  2017-06-27  9:07   ` Or Gerlitz
  5 siblings, 1 reply; 14+ messages in thread
From: Jeff Kirsher @ 2017-06-27  8:51 UTC (permalink / raw)
  To: davem; +Cc: Paul Greenwalt, netdev, nhorman, sassmann, jogreene, Jeff Kirsher

From: Paul Greenwalt <paul.greenwalt@intel.com>

Add malicious driver detection (MDD) support for X550, X550em_a,
and X550em_x devices.

MDD is a hardware SR-IOV security feature which the driver enables by
default, but can be controlled on|off by ethtool set-priv-flags
parameter. When enabled, MDD disables a VF driver's transmit queue
when a malformed descriptor is detected. The PF will log the event
and re-enable the VF queue.

Signed-off-by: Paul Greenwalt <paul.greenwalt@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
---
 drivers/net/ethernet/intel/ixgbe/ixgbe.h         |   3 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_nl.c  |  25 +++-
 drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c |  13 ++-
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c    |   6 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c   |  50 ++++++++
 drivers/net/ethernet/intel/ixgbe/ixgbe_type.h    |   8 ++
 drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c    | 138 +++++++++++++++++++++++
 7 files changed, 241 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
index dd5578756ae0..2e9df66f6e18 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
@@ -563,6 +563,8 @@ struct ixgbe_mac_addr {
 #define IXGBE_TRY_LINK_TIMEOUT (4 * HZ)
 #define IXGBE_SFP_POLL_JIFFIES (2 * HZ)	/* SFP poll every 2 seconds */
 
+#define IXGBE_MDD_Q_BITMAP_DEPTH 2
+
 /* board specific private data structure */
 struct ixgbe_adapter {
 	unsigned long active_vlans[BITS_TO_LONGS(VLAN_N_VID)];
@@ -603,6 +605,7 @@ struct ixgbe_adapter {
 #define IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER	BIT(26)
 #define IXGBE_FLAG_DCB_CAPABLE			BIT(27)
 #define IXGBE_FLAG_GENEVE_OFFLOAD_CAPABLE	BIT(28)
+#define IXGBE_FLAG_MDD_ENABLED			BIT(29)
 
 	u32 flags2;
 #define IXGBE_FLAG2_RSC_CAPABLE			BIT(0)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_nl.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_nl.c
index 78c52375acc6..53f260dbfb5f 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_nl.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_nl.c
@@ -379,10 +379,22 @@ static u8 ixgbe_dcbnl_set_all(struct net_device *netdev)
 		} else {
 			hw->mac.ops.fc_enable(hw);
 		}
+		/* Disable MDD before updating SRRCTL, because modifying the
+		 * SRRCTL register while the queue is enabled will generate an
+		 * MDD event.
+		 */
+		if (adapter->num_vfs && hw->mac.ops.disable_mdd &&
+		    (adapter->flags & IXGBE_FLAG_MDD_ENABLED))
+			hw->mac.ops.disable_mdd(hw);
 
 		ixgbe_set_rx_drop_en(adapter);
 
-		ret = DCB_HW_CHG;
+		if (adapter->num_vfs && hw->mac.ops.enable_mdd &&
+		    (adapter->flags & IXGBE_FLAG_MDD_ENABLED))
+			hw->mac.ops.enable_mdd(hw);
+
+		if (ret != DCB_HW_CHG_RST)
+			ret = DCB_HW_CHG;
 	}
 
 #ifdef IXGBE_FCOE
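
Review bot: `if (ret != DCB_HW_CHG_RST) ret = DCB_HW_CHG;` changes the return value logic of ixgbe_dcbnl_set_all() and is not mentioned in the commit message, which only describes MDD support. If it fixes an earlier overwrite of DCB_HW_CHG_RST, it belongs in its own patch with its own explanation; otherwise the commit message should say why the MDD change needs it.
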
@@ -634,8 +646,19 @@ static int ixgbe_dcbnl_ieee_setpfc(struct net_device *dev,
 	else
 		err = hw->mac.ops.fc_enable(hw);
 
+	/* Disable MDD before updating SRRCTL, because modifying the SRRCTL
+	 * register while the queue is enabled will generate an MDD event.
+	 */
+	if (adapter->num_vfs && hw->mac.ops.disable_mdd &&
+	    (adapter->flags & IXGBE_FLAG_MDD_ENABLED))
+		hw->mac.ops.disable_mdd(hw);
+
 	ixgbe_set_rx_drop_en(adapter);
 
+	if (adapter->num_vfs && hw->mac.ops.enable_mdd &&
+	    (adapter->flags & IXGBE_FLAG_MDD_ENABLED))
+		hw->mac.ops.enable_mdd(hw);
+
 	return err;
 }
 
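
Review bot: the three-part condition `adapter->num_vfs && hw->mac.ops.disable_mdd && (adapter->flags & IXGBE_FLAG_MDD_ENABLED)` and its enable twin are open-coded here, in ixgbe_dcbnl_set_all() and again in the watchdog. Wrapping the disable and enable sides in two small adapter-level helpers would remove the duplication and guarantee that every site applies the same test.
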
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
index 72c565712a5f..e10a4d6d5391 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
@@ -157,6 +157,8 @@ static const char ixgbe_gstrings_test[][ETH_GSTRING_LEN] = {
 static const char ixgbe_priv_flags_strings[][ETH_GSTRING_LEN] = {
 #define IXGBE_PRIV_FLAGS_LEGACY_RX	BIT(0)
 	"legacy-rx",
+#define IXGBE_PRIV_FLAG_MDD_ENABLED	BIT(1)
+	"mdd",
 };
 
 #define IXGBE_PRIV_FLAGS_STR_LEN ARRAY_SIZE(ixgbe_priv_flags_strings)
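
Review bot: the new define is spelled IXGBE_PRIV_FLAG_MDD_ENABLED while the existing one beside it is IXGBE_PRIV_FLAGS_LEGACY_RX. Pick one prefix, preferably FLAGS to match the existing define and the array name, so the two can be found with the same search.
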
@@ -3420,6 +3422,9 @@ static u32 ixgbe_get_priv_flags(struct net_device *netdev)
 	struct ixgbe_adapter *adapter = netdev_priv(netdev);
 	u32 priv_flags = 0;
 
+	if (adapter->flags & IXGBE_FLAG_MDD_ENABLED)
+		priv_flags |= IXGBE_PRIV_FLAG_MDD_ENABLED;
+
 	if (adapter->flags2 & IXGBE_FLAG2_RX_LEGACY)
 		priv_flags |= IXGBE_PRIV_FLAGS_LEGACY_RX;
 
@@ -3430,13 +3435,19 @@ static int ixgbe_set_priv_flags(struct net_device *netdev, u32 priv_flags)
 {
 	struct ixgbe_adapter *adapter = netdev_priv(netdev);
 	unsigned int flags2 = adapter->flags2;
+	unsigned int flags = adapter->flags;
+
+	flags &= ~IXGBE_FLAG_MDD_ENABLED;
+	if (priv_flags & IXGBE_PRIV_FLAG_MDD_ENABLED)
+		flags |= IXGBE_FLAG_MDD_ENABLED;
 
 	flags2 &= ~IXGBE_FLAG2_RX_LEGACY;
 	if (priv_flags & IXGBE_PRIV_FLAGS_LEGACY_RX)
 		flags2 |= IXGBE_FLAG2_RX_LEGACY;
 
-	if (flags2 != adapter->flags2) {
+	if (flags2 != adapter->flags2 || flags != adapter->flags) {
 		adapter->flags2 = flags2;
+		adapter->flags = flags;
 
 		/* reset interface to repopulate queues */
 		if (netif_running(netdev))
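
Review bot: ixgbe_set_priv_flags() accepts the "mdd" flag on any adapter, with no check that `hw->mac.ops.enable_mdd` exists. On a MAC without the MDD ops the flag would be stored and reported back as on by ixgbe_get_priv_flags() while nothing is enabled in hardware, which is misleading for a security control; rejecting the request when the op is NULL would keep the reported state honest. Clearing the flag here also only triggers the interface reset, and nothing in this hunk calls disable_mdd, so please confirm that the hardware detection is actually switched off on that path.
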
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
index 4df921f8a48c..fcdbe498c598 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -6101,6 +6101,7 @@ static int ixgbe_sw_init(struct ixgbe_adapter *adapter,
 		adapter->flags &= ~IXGBE_FLAG_DCA_CAPABLE;
 #endif
 		adapter->flags |= IXGBE_FLAG_VXLAN_OFFLOAD_CAPABLE;
+		adapter->flags |= IXGBE_FLAG_MDD_ENABLED;
 		break;
 	default:
 		break;
@@ -7214,6 +7215,11 @@ static void ixgbe_watchdog_link_is_up(struct ixgbe_adapter *adapter)
 	netif_carrier_on(netdev);
 	ixgbe_check_vf_rate_limit(adapter);
 
+	/* Turn on malicious driver detection */
+	if (adapter->num_vfs && hw->mac.ops.enable_mdd &&
+	    (adapter->flags & IXGBE_FLAG_MDD_ENABLED))
+		hw->mac.ops.enable_mdd(hw);
+
 	/* enable transmits */
 	netif_tx_wake_all_queues(adapter->netdev);
 
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
index ca492876bd3d..6b822b6dd18a 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
@@ -257,6 +257,10 @@ int ixgbe_disable_sriov(struct ixgbe_adapter *adapter)
 	if (!(adapter->flags & IXGBE_FLAG_SRIOV_ENABLED))
 		return 0;
 
+	/* Turn off malicious driver detection */
+	if (hw->mac.ops.disable_mdd &&
+	    (!(adapter->flags & IXGBE_FLAG_MDD_ENABLED)))
+		hw->mac.ops.disable_mdd(hw);
 #ifdef CONFIG_PCI_IOV
 	/*
 	 * If our VFs are assigned we cannot shut down SR-IOV
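
Review bot: the condition in ixgbe_disable_sriov() is inverted relative to every other call site in this patch: `(!(adapter->flags & IXGBE_FLAG_MDD_ENABLED))` calls disable_mdd() only when MDD is not enabled, so with the default setting MDD is left on after SR-IOV is torn down. It should read `(adapter->flags & IXGBE_FLAG_MDD_ENABLED)`, or drop the flag test and disable unconditionally whenever the op exists.
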
@@ -1294,11 +1298,57 @@ static void ixgbe_rcv_ack_from_vf(struct ixgbe_adapter *adapter, u32 vf)
 		ixgbe_write_mbx(hw, &msg, 1, vf);
 }
 
+static void ixgbe_check_mdd_event(struct ixgbe_adapter *adapter)
+{
+	struct ixgbe_hw *hw = &adapter->hw;
+	u32 vf_bitmap[IXGBE_MDD_Q_BITMAP_DEPTH] = { 0 };
+	u32 j, i;
+	u32 ping;
+
+	if (!hw->mac.ops.mdd_event)
+		return;
+
+	/* Did we have a malicious event */
+	hw->mac.ops.mdd_event(hw, vf_bitmap);
+
+	/* Log any blocked queues and release lock */
+	for (i = 0; i < IXGBE_MDD_Q_BITMAP_DEPTH; i++) {
+		for (j = 0; j < 32 && vf_bitmap[i]; j++) {
+			u32 vf;
+
+			if (!(vf_bitmap[i] & (1 << j)))
+				continue;
+
+			/* The VF that malicious event occurred on */
+			vf = j + (i * 32);
+
+			dev_warn(&adapter->pdev->dev,
+				 "Malicious event on VF %d tx:%x rx:%x\n", vf,
+				 IXGBE_READ_REG(hw, IXGBE_LVMMC_TX),
+				 IXGBE_READ_REG(hw, IXGBE_LVMMC_RX));
+
+			/* restart the vf */
+			if (hw->mac.ops.restore_mdd_vf) {
+				hw->mac.ops.restore_mdd_vf(hw, vf);
+
+				/* get the VF to rebuild its queues */
+				adapter->vfinfo[vf].clear_to_send = 0;
+				ping = IXGBE_PF_CONTROL_MSG |
+				       IXGBE_VT_MSGTYPE_CTS;
+				ixgbe_write_mbx(hw, &ping, 1, vf);
+			}
+		}
+	}
+}
+
 void ixgbe_msg_task(struct ixgbe_adapter *adapter)
 {
 	struct ixgbe_hw *hw = &adapter->hw;
 	u32 vf;
 
+	if (adapter->flags & IXGBE_FLAG_MDD_ENABLED && adapter->vfinfo)
+		ixgbe_check_mdd_event(adapter);
+
 	for (vf = 0; vf < adapter->num_vfs; vf++) {
 		/* process any reset requests */
 		if (!ixgbe_check_for_rst(hw, vf))
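
Review bot: in ixgbe_check_mdd_event() the VF index taken from the bitmap (`vf = j + (i * 32)`, up to 63) is used to index `adapter->vfinfo[vf]` and passed to ixgbe_write_mbx() without being checked against adapter->num_vfs. A flagged queue that maps to a pool beyond the allocated VFs would write past the vfinfo array; add `if (vf >= adapter->num_vfs) continue;` before the restore. The dev_warn() is also not rate limited, and since the PF re-enables the queue after each event, a VF that keeps submitting malformed descriptors can fill the host log; a rate-limited warning would bound that. Smaller points: `1 << j` should be `BIT(j)` so that j == 31 does not shift into the sign bit, `%d` is used for a u32, and the comment "release lock" refers to a lock that does not appear in the function.
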
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
index ffa0ee5cd0f5..9c2f851ab3bd 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
@@ -380,6 +380,8 @@ struct ixgbe_thermal_sensor_data {
 #define IXGBE_MRCTL(_i)      (0x0F600 + ((_i) * 4))
 #define IXGBE_VMRVLAN(_i)    (0x0F610 + ((_i) * 4))
 #define IXGBE_VMRVM(_i)      (0x0F630 + ((_i) * 4))
+#define IXGBE_LVMMC_RX		0x2FA8
+#define IXGBE_LVMMC_TX		0x8108
 #define IXGBE_WQBR_RX(_i)    (0x2FB0 + ((_i) * 4)) /* 4 total */
 #define IXGBE_WQBR_TX(_i)    (0x8130 + ((_i) * 4)) /* 4 total */
 #define IXGBE_L34T_IMIR(_i)  (0x0E800 + ((_i) * 4)) /*128 of these (0-127)*/
@@ -3462,6 +3464,12 @@ struct ixgbe_mac_operations {
 	s32 (*dmac_config_tcs)(struct ixgbe_hw *hw);
 	s32 (*read_iosf_sb_reg)(struct ixgbe_hw *, u32, u32, u32 *);
 	s32 (*write_iosf_sb_reg)(struct ixgbe_hw *, u32, u32, u32);
+
+	/* Malicious driver detection */
+	void (*disable_mdd)(struct ixgbe_hw *hw);
+	void (*enable_mdd)(struct ixgbe_hw *hw);
+	void (*mdd_event)(struct ixgbe_hw *hw, u32 *vf_bitmap);
+	void (*restore_mdd_vf)(struct ixgbe_hw *hw, u32 vf);
 };
 
 struct ixgbe_phy_operations {
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
index 19fbb2f28ea4..323616fba9ea 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
@@ -3533,6 +3533,140 @@ static void ixgbe_set_source_address_pruning_X550(struct ixgbe_hw *hw,
 }
 
 /**
+ *  ixgbe_disable_mdd_X550
+ *  @hw: pointer to hardware structure
+ *
+ *  Disable malicious driver detection
+ **/
+static void ixgbe_disable_mdd_X550(struct ixgbe_hw *hw)
+{
+	u32 reg;
+
+	/* Disable MDD for TX DMA and interrupt */
+	reg = IXGBE_READ_REG(hw, IXGBE_DMATXCTL);
+	reg &= ~(IXGBE_DMATXCTL_MDP_EN | IXGBE_DMATXCTL_MBINTEN);
+	IXGBE_WRITE_REG(hw, IXGBE_DMATXCTL, reg);
+
+	/* Disable MDD for RX and interrupt */
+	reg = IXGBE_READ_REG(hw, IXGBE_RDRXCTL);
+	reg &= ~(IXGBE_RDRXCTL_MDP_EN | IXGBE_RDRXCTL_MBINTEN);
+	IXGBE_WRITE_REG(hw, IXGBE_RDRXCTL, reg);
+}
+
+/**
+ *  ixgbe_enable_mdd_X550
+ *  @hw: pointer to hardware structure
+ *
+ *  Enable malicious driver detection
+ **/
+static void ixgbe_enable_mdd_X550(struct ixgbe_hw *hw)
+{
+	u32 reg;
+
+	/* Enable MDD for TX DMA and interrupt */
+	reg = IXGBE_READ_REG(hw, IXGBE_DMATXCTL);
+	reg |= (IXGBE_DMATXCTL_MDP_EN | IXGBE_DMATXCTL_MBINTEN);
+	IXGBE_WRITE_REG(hw, IXGBE_DMATXCTL, reg);
+
+	/* Enable MDD for RX and interrupt */
+	reg = IXGBE_READ_REG(hw, IXGBE_RDRXCTL);
+	reg |= (IXGBE_RDRXCTL_MDP_EN | IXGBE_RDRXCTL_MBINTEN);
+	IXGBE_WRITE_REG(hw, IXGBE_RDRXCTL, reg);
+}
+
+/**
+ *  ixgbe_restore_mdd_vf_X550
+ *  @hw: pointer to hardware structure
+ *  @vf: vf index
+ *
+ *  Restore VF that was disabled during malicious driver detection event
+ **/
+static void ixgbe_restore_mdd_vf_X550(struct ixgbe_hw *hw, u32 vf)
+{
+	u32 idx, reg, num_qs, start_q, bitmask;
+
+	/* Map VF to queues */
+	reg = IXGBE_READ_REG(hw, IXGBE_MRQC);
+	switch (reg & IXGBE_MRQC_MRQE_MASK) {
+	case IXGBE_MRQC_VMDQRT8TCEN:
+		num_qs = 8;  /* 16 VFs / pools */
+		bitmask = 0x000000FF;
+		break;
+	case IXGBE_MRQC_VMDQRSS32EN:
+	case IXGBE_MRQC_VMDQRT4TCEN:
+		num_qs = 4;  /* 32 VFs / pools */
+		bitmask = 0x0000000F;
+		break;
+	default:            /* 64 VFs / pools */
+		num_qs = 2;
+		bitmask = 0x00000003;
+		break;
+	}
+	start_q = vf * num_qs;
+
+	/* Release vf's queues by clearing WQBR_TX and WQBR_RX (RW1C) */
+	idx = start_q / 32;
+	reg = 0;
+	reg |= (bitmask << (start_q % 32));
+	IXGBE_WRITE_REG(hw, IXGBE_WQBR_TX(idx), reg);
+	IXGBE_WRITE_REG(hw, IXGBE_WQBR_RX(idx), reg);
+}
+
+/**
+ *  ixgbe_mdd_event_X550
+ *  @hw: pointer to hardware structure
+ *  @vf_bitmap: vf bitmap of malicious vfs
+ *
+ *  Handle malicious driver detection event.
+ **/
+static void ixgbe_mdd_event_X550(struct ixgbe_hw *hw, u32 *vf_bitmap)
+{
+	u32 wqbr;
+	u32 i, j, reg, q, shift, vf, idx;
+
+	/* figure out pool size for mapping to vf's */
+	reg = IXGBE_READ_REG(hw, IXGBE_MRQC);
+	switch (reg & IXGBE_MRQC_MRQE_MASK) {
+	case IXGBE_MRQC_VMDQRT8TCEN:
+		shift = 3;  /* 16 VFs / pools */
+		break;
+	case IXGBE_MRQC_VMDQRSS32EN:
+	case IXGBE_MRQC_VMDQRT4TCEN:
+		shift = 2;  /* 32 VFs / pools */
+		break;
+	default:
+		shift = 1;  /* 64 VFs / pools */
+		break;
+	}
+
+	/* Read WQBR_TX and WQBR_RX and check for malicious queues */
+	for (i = 0; i < 4; i++) {
+		wqbr = IXGBE_READ_REG(hw, IXGBE_WQBR_TX(i));
+		wqbr |= IXGBE_READ_REG(hw, IXGBE_WQBR_RX(i));
+
+		if (!wqbr)
+			continue;
+
+		/* Get malicious queue */
+		for (j = 0; j < 32 && wqbr; j++) {
+			if (!(wqbr & (1 << j)))
+				continue;
+
+			/* Get queue from bitmask */
+			q = j + (i * 32);
+
+			/* Map queue to vf */
+			vf = (q >> shift);
+
+			/* Set vf bit in vf_bitmap */
+			idx = vf / 32;
+			vf_bitmap[idx] |= (1 << (vf % 32));
+			wqbr &= ~(1 << j);
+		}
+	}
+}
+
+/**
  *  ixgbe_setup_fc_backplane_x550em_a - Set up flow control
  *  @hw: pointer to hardware structure
  *
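Review bot: in ixgbe_mdd_event_X550 the tests wqbr & (1 << j) and wqbr &= ~(1 << j) shift a signed int, and for j == 31 that shifts a 1 into the sign bit; vf_bitmap[idx] |= (1 << (vf % 32)) has the same problem. Use BIT(j) or 1U << j in all three places. The kernel-doc for @vf_bitmap should also state the required array length: with the default shift of 1 and queues 0..127 coming from the four WQBR registers, vf reaches 63 and idx reaches 1, so the caller has to pass at least two u32 words. In ixgbe_restore_mdd_vf_X550, vf is used unchecked to compute idx for IXGBE_WQBR_TX(idx) and IXGBE_WQBR_RX(idx); a range check against the pool count chosen by the MRQC switch would keep the write inside the four registers the event handler reads. The MRQC decode is duplicated in both functions (num_qs 8/4/2 versus shift 3/2/1) and could be one shared helper, and reg = 0; reg |= ... can be a single assignment.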
@@ -3817,6 +3951,10 @@ static s32 ixgbe_write_phy_reg_x550a(struct ixgbe_hw *hw, u32 reg_addr,
 	.init_thermal_sensor_thresh	= NULL, \
 	.enable_rx			= &ixgbe_enable_rx_generic, \
 	.disable_rx			= &ixgbe_disable_rx_x550, \
+	.enable_mdd			= &ixgbe_enable_mdd_X550, \
+	.disable_mdd			= &ixgbe_disable_mdd_X550, \
+	.mdd_event			= &ixgbe_mdd_event_X550, \
+	.restore_mdd_vf			= &ixgbe_restore_mdd_vf_X550, \
 
 static const struct ixgbe_mac_operations mac_ops_X550 = {
 	X550_COMMON_MAC
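Review bot: the four new callbacks are wired up only in X550_COMMON_MAC, so any ixgbe_mac_operations table that does not expand this macro leaves enable_mdd, disable_mdd, mdd_event and restore_mdd_vf as NULL. Each call site elsewhere in the series needs an explicit NULL check on the op before calling it (or the other tables need stubs), and a short comment where the ops are declared should say that they are optional and X550-only.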
-- 
2.12.2

* Re: [net-next v2 6/6] ixgbe: Add malicious driver detection support
  2017-06-27  8:51 ` [net-next v2 6/6] ixgbe: Add malicious driver detection support Jeff Kirsher
@ 2017-06-27  9:07   ` Or Gerlitz
  2017-06-27 20:59     ` Tantilov, Emil S
  0 siblings, 1 reply; 14+ messages in thread
From: Or Gerlitz @ 2017-06-27  9:07 UTC (permalink / raw)
  To: Jeff Kirsher
  Cc: David Miller, Paul Greenwalt, Linux Netdev List, nhorman,
	sassmann, jogreene

On Tue, Jun 27, 2017 at 11:51 AM, Jeff Kirsher
<jeffrey.t.kirsher@intel.com> wrote:
> From: Paul Greenwalt <paul.greenwalt@intel.com>
>
> Add malicious driver detection (MDD) support for X550, X550em_a,
> and X550em_x devices.
>
> MDD is a hardware SR-IOV security feature which the driver enables by
> default, but can be controlled on|off by ethtool set-priv-flags

wait, we have the trusted vf concept, which you implement
(ixgbe_ndo_set_vf_trust)
so you can enable by default for all vfs and disable it for trusted
ones, why create
an ixgbe special config knob? IMHO we should max all possible efforts to avoid
priv ethtool flags usage.


Or.

* RE: [net-next v2 6/6] ixgbe: Add malicious driver detection support
  2017-06-27  9:07   ` Or Gerlitz
@ 2017-06-27 20:59     ` Tantilov, Emil S
  2017-06-27 21:07       ` Or Gerlitz
  0 siblings, 1 reply; 14+ messages in thread
From: Tantilov, Emil S @ 2017-06-27 20:59 UTC (permalink / raw)
  To: Or Gerlitz, Kirsher, Jeffrey T
  Cc: David Miller, Greenwalt, Paul, Linux Netdev List, nhorman,
	sassmann, jogreene

>-----Original Message-----
>From: netdev-owner@vger.kernel.org [mailto:netdev-owner@vger.kernel.org] On
>Behalf Of Or Gerlitz
>Sent: Tuesday, June 27, 2017 2:08 AM
>To: Kirsher, Jeffrey T <jeffrey.t.kirsher@intel.com>
>Cc: David Miller <davem@davemloft.net>; Greenwalt, Paul
><paul.greenwalt@intel.com>; Linux Netdev List <netdev@vger.kernel.org>;
>nhorman@redhat.com; sassmann@redhat.com; jogreene@redhat.com
>Subject: Re: [net-next v2 6/6] ixgbe: Add malicious driver detection
>support
>
>On Tue, Jun 27, 2017 at 11:51 AM, Jeff Kirsher
><jeffrey.t.kirsher@intel.com> wrote:
>> From: Paul Greenwalt <paul.greenwalt@intel.com>
>>
>> Add malicious driver detection (MDD) support for X550, X550em_a,
>> and X550em_x devices.
>>
>> MDD is a hardware SR-IOV security feature which the driver enables by
>> default, but can be controlled on|off by ethtool set-priv-flags
>
>wait, we have the trusted vf concept, which you implement
>(ixgbe_ndo_set_vf_trust)
>so you can enable by default for all vfs and disable it for trusted
>ones, why create an ixgbe special config knob? IMHO we should max all possible efforts to
>avoid priv ethtool flags usage.

The "trusted" option was added to allow use cases that were not possible in the
default driver configuration for SRIOV (promiscuous mode, overriding the MAC).
While these modes can lead to issues (performance with promisc) they can still
be useful for certain configurations.

MDD is a completely different type of protection that incorporates checks for
queue context, Tx descriptors and out-of-bounds DMA/memory access that can
disrupt the operation of the interfaces. You can read more about it in the X550
datasheet (section 7.9.4.3 malicious Driver Detection):
https://www.intel.com/content/www/us/en/embedded/products/networking/ethernet-controller-x550-family-documentation.html

For that reason we do not want to make it part of the "trusted" option.

In addition MDD is a global setting and cannot be configured per-VF.

Thanks,
Emil


* Re: [net-next v2 6/6] ixgbe: Add malicious driver detection support
  2017-06-27 20:59     ` Tantilov, Emil S
@ 2017-06-27 21:07       ` Or Gerlitz
  2017-06-27 22:14         ` Tantilov, Emil S
  0 siblings, 1 reply; 14+ messages in thread
From: Or Gerlitz @ 2017-06-27 21:07 UTC (permalink / raw)
  To: Tantilov, Emil S
  Cc: Kirsher, Jeffrey T, David Miller, Greenwalt, Paul,
	Linux Netdev List, nhorman, sassmann, jogreene

On Tue, Jun 27, 2017 at 11:59 PM, Tantilov, Emil S
<emil.s.tantilov@intel.com> wrote:
>>-----Original Message-----
>>From: netdev-owner@vger.kernel.org [mailto:netdev-owner@vger.kernel.org] On
>>Behalf Of Or Gerlitz
>>Sent: Tuesday, June 27, 2017 2:08 AM
>>To: Kirsher, Jeffrey T <jeffrey.t.kirsher@intel.com>
>>Cc: David Miller <davem@davemloft.net>; Greenwalt, Paul
>><paul.greenwalt@intel.com>; Linux Netdev List <netdev@vger.kernel.org>;
>>nhorman@redhat.com; sassmann@redhat.com; jogreene@redhat.com
>>Subject: Re: [net-next v2 6/6] ixgbe: Add malicious driver detection
>>support
>>
>>On Tue, Jun 27, 2017 at 11:51 AM, Jeff Kirsher
>><jeffrey.t.kirsher@intel.com> wrote:
>>> From: Paul Greenwalt <paul.greenwalt@intel.com>
>>>
>>> Add malicious driver detection (MDD) support for X550, X550em_a,
>>> and X550em_x devices.
>>>
>>> MDD is a hardware SR-IOV security feature which the driver enables by
>>> default, but can be controlled on|off by ethtool set-priv-flags
>>
>>wait, we have the trusted vf concept, which you implement
>>(ixgbe_ndo_set_vf_trust)
>>so you can enable by default for all vfs and disable it for trusted
>>ones, why create an ixgbe special config knob? IMHO we should max all possible efforts to
>>avoid priv ethtool flags usage.
>
> The "trusted" option was added to allow use cases that were not possible in the
> default driver configuration for SRIOV (promiscuous mode, overriding the MAC).
> While these modes can lead to issues (performance with promisc) they can still
> be useful for certain configurations.
>
> MDD is a completely different type of protection that incorporates checks for
> queue context, Tx descriptors and out-of-bounds DMA/memory access that can
> disrupt the operation of the interfaces. You can read more about it in the X550
> datasheet (section 7.9.4.3 malicious Driver Detection):
> https://www.intel.com/content/www/us/en/embedded/products/networking/ethernet-controller-x550-family-documentation.html
>
> For that reason we do not want to make it part of the "trusted" option.

you can extend the trusted option without breaking the UAPI, currently
it's one bit y/n, but you should have there at least seven more bits
to use.

> In addition MDD is a global setting and cannot be configured per-VF.

can you state more clearly why you think the right configuration knob
here is per driver ethtool private flag?

Or.

* RE: [net-next v2 6/6] ixgbe: Add malicious driver detection support
  2017-06-27 21:07       ` Or Gerlitz
@ 2017-06-27 22:14         ` Tantilov, Emil S
  2017-06-28 14:28           ` Or Gerlitz
  0 siblings, 1 reply; 14+ messages in thread
From: Tantilov, Emil S @ 2017-06-27 22:14 UTC (permalink / raw)
  To: Or Gerlitz
  Cc: Kirsher, Jeffrey T, David Miller, Greenwalt, Paul,
	Linux Netdev List, nhorman, sassmann, jogreene

>-----Original Message-----
>From: Or Gerlitz [mailto:gerlitz.or@gmail.com]
>Sent: Tuesday, June 27, 2017 2:07 PM
>To: Tantilov, Emil S <emil.s.tantilov@intel.com>
>Cc: Kirsher, Jeffrey T <jeffrey.t.kirsher@intel.com>; David Miller
><davem@davemloft.net>; Greenwalt, Paul <paul.greenwalt@intel.com>; Linux
>Netdev List <netdev@vger.kernel.org>; nhorman@redhat.com;
>sassmann@redhat.com; jogreene@redhat.com
>Subject: Re: [net-next v2 6/6] ixgbe: Add malicious driver detection
>support
>
>On Tue, Jun 27, 2017 at 11:59 PM, Tantilov, Emil S
><emil.s.tantilov@intel.com> wrote:
>>>-----Original Message-----
>>>From: netdev-owner@vger.kernel.org [mailto:netdev-owner@vger.kernel.org] On
>>>Behalf Of Or Gerlitz
>>>Sent: Tuesday, June 27, 2017 2:08 AM
>>>To: Kirsher, Jeffrey T <jeffrey.t.kirsher@intel.com>
>>>Cc: David Miller <davem@davemloft.net>; Greenwalt, Paul
>>><paul.greenwalt@intel.com>; Linux Netdev List <netdev@vger.kernel.org>;
>>>nhorman@redhat.com; sassmann@redhat.com; jogreene@redhat.com
>>>Subject: Re: [net-next v2 6/6] ixgbe: Add malicious driver detection
>>>support
>>>
>>>On Tue, Jun 27, 2017 at 11:51 AM, Jeff Kirsher
>>><jeffrey.t.kirsher@intel.com> wrote:
>>>> From: Paul Greenwalt <paul.greenwalt@intel.com>
>>>>
>>>> Add malicious driver detection (MDD) support for X550, X550em_a,
>>>> and X550em_x devices.
>>>>
>>>> MDD is a hardware SR-IOV security feature which the driver enables by
>>>> default, but can be controlled on|off by ethtool set-priv-flags
>>>
>>>wait, we have the trusted vf concept, which you implement
>>>(ixgbe_ndo_set_vf_trust)
>>>so you can enable by default for all vfs and disable it for trusted
>>>ones, why create an ixgbe special config knob? IMHO we should max all possible efforts to
>>>avoid priv ethtool flags usage.
>>
>> The "trusted" option was added to allow use cases that were not possible in the
>> default driver configuration for SRIOV (promiscuous mode, overriding the MAC).
>> While these modes can lead to issues (performance with promisc) they can still
>> be useful for certain configurations.
>>
>> MDD is a completely different type of protection that incorporates checks for
>> queue context, Tx descriptors and out-of-bounds DMA/memory access that can
>> disrupt the operation of the interfaces. You can read more about it in the X550
>> datasheet (section 7.9.4.3 malicious Driver Detection):
>> https://www.intel.com/content/www/us/en/embedded/products/networking/ethernet-controller-x550-family-documentation.html
>>
>> For that reason we do not want to make it part of the "trusted" option.
>
>you can extend the trusted option without breaking the UAPI, currently
>it's one bit y/n, but you should have there at least seven more bits
>to use.
>
>> In addition MDD is a global setting and cannot be configured per-VF.
>
>can you state more clearly why you think the right configuration knob
>here is per driver ethtool private flag?

Mainly because I am not sure that other (non-Intel) drivers will benefit from
such an option. In normal operation this functionality should not cause issues
and if it doesn't we may be able to deprecate the private flag in the future.

On the other hand if the same/similar feature exists in other drivers then
it would perhaps make more sense to introduce a new option altogether.

Thanks,
Emil

* Re: [net-next v2 6/6] ixgbe: Add malicious driver detection support
  2017-06-27 22:14         ` Tantilov, Emil S
@ 2017-06-28 14:28           ` Or Gerlitz
  2017-06-29 18:28             ` David Miller
  0 siblings, 1 reply; 14+ messages in thread
From: Or Gerlitz @ 2017-06-28 14:28 UTC (permalink / raw)
  To: Tantilov, Emil S
  Cc: Kirsher, Jeffrey T, David Miller, Greenwalt, Paul,
	Linux Netdev List, nhorman, sassmann, jogreene

On Wed, Jun 28, 2017 at 1:14 AM, Tantilov, Emil S
<emil.s.tantilov@intel.com> wrote:

> Mainly because I am not sure that other (non-Intel) drivers will benefit from
> such an option. In normal operation this functionality should not cause issues
> and if it doesn't we may be able to deprecate the private flag in the future.

If you think this functionality makes sense any driver running over HW
implementing
it would like to be able to expose that and hence you better not use
private flag.

Are we sure the trust UAPI can't be extended for that matter?

* Re: [net-next v2 6/6] ixgbe: Add malicious driver detection support
  2017-06-28 14:28           ` Or Gerlitz
@ 2017-06-29 18:28             ` David Miller
  2017-06-29 21:19               ` Tantilov, Emil S
  0 siblings, 1 reply; 14+ messages in thread
From: David Miller @ 2017-06-29 18:28 UTC (permalink / raw)
  To: gerlitz.or
  Cc: emil.s.tantilov, jeffrey.t.kirsher, paul.greenwalt, netdev,
	nhorman, sassmann, jogreene

From: Or Gerlitz <gerlitz.or@gmail.com>
Date: Wed, 28 Jun 2017 17:28:59 +0300

> On Wed, Jun 28, 2017 at 1:14 AM, Tantilov, Emil S
> <emil.s.tantilov@intel.com> wrote:
> 
>> Mainly because I am not sure that other (non-Intel) drivers will benefit from
>> such an option. In normal operation this functionality should not cause issues
>> and if it doesn't we may be able to deprecate the private flag in the future.
> 
> If you think this functionality makes sense any driver running over HW
> implementing
> it would like to be able to expose that and hence you better not use
> private flag.
> 
> Are we sure the trust UAPI can't be extended for that matter?

Yeah, we should probably make this a generic control if possible.

* RE: [net-next v2 6/6] ixgbe: Add malicious driver detection support
  2017-06-29 18:28             ` David Miller
@ 2017-06-29 21:19               ` Tantilov, Emil S
  0 siblings, 0 replies; 14+ messages in thread
From: Tantilov, Emil S @ 2017-06-29 21:19 UTC (permalink / raw)
  To: David Miller, gerlitz.or
  Cc: Kirsher, Jeffrey T, Greenwalt, Paul, netdev, nhorman, sassmann, jogreene

>-----Original Message-----
>From: David Miller [mailto:davem@davemloft.net]
>Sent: Thursday, June 29, 2017 11:28 AM
>To: gerlitz.or@gmail.com
>Cc: Tantilov, Emil S <emil.s.tantilov@intel.com>; Kirsher, Jeffrey T
><jeffrey.t.kirsher@intel.com>; Greenwalt, Paul <paul.greenwalt@intel.com>;
>netdev@vger.kernel.org; nhorman@redhat.com; sassmann@redhat.com;
>jogreene@redhat.com
>Subject: Re: [net-next v2 6/6] ixgbe: Add malicious driver detection
>support
>
>From: Or Gerlitz <gerlitz.or@gmail.com>
>Date: Wed, 28 Jun 2017 17:28:59 +0300
>
>> On Wed, Jun 28, 2017 at 1:14 AM, Tantilov, Emil S
>> <emil.s.tantilov@intel.com> wrote:
>>
>>> Mainly because I am not sure that other (non-Intel) drivers will benefit from
>>> such an option. In normal operation this functionality should not cause issues
>>> and if it doesn't we may be able to deprecate the private flag in the future.
>>
>> If you think this functionality makes sense any driver running over HW
>> implementing
>> it would like to be able to expose that and hence you better not use
>> private flag.

As I mentioned I don't know if this will be useful for other drivers.
The i40e driver enables it by default without possibility to disable it
and if this protection does not cause problems for ixgbe then we may not
need the option in the future. Because of this I wasn't sure if it's
worth polluting the tools with options that may end up not being 
needed/used at all.
 
>> Are we sure the trust UAPI can't be extended for that matter?
>
>Yeah, we should probably make this a generic control if possible.

MDD is set globally for the device, while the trusted option is set per VF.
So if we do end up adding an option it probably won't work as extension for
trusted.

Thanks,
Emil
