From: Saeed Mahameed <saeed@kernel.org>
To: "David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Eric Dumazet <edumazet@google.com>
Cc: Saeed Mahameed <saeedm@nvidia.com>,
netdev@vger.kernel.org, Tariq Toukan <tariqt@nvidia.com>,
Emeel Hakim <ehakim@nvidia.com>, Raed Salem <raeds@nvidia.com>
Subject: [PATCH net-next V2 10/10] net/mlx5e: Support MACsec offload replay window
Date: Wed, 14 Sep 2022 17:27:13 +0100 [thread overview]
Message-ID: <20220914162713.203571-11-saeed@kernel.org> (raw)
In-Reply-To: <20220914162713.203571-1-saeed@kernel.org>
From: Emeel Hakim <ehakim@nvidia.com>
Support setting replay window size for MACsec offload.
Currently supported window size of 32, 64, 128 and 256
bit. Other values will be returned as invalid parameter.
Reviewed-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
---
.../mellanox/mlx5/core/en_accel/macsec.c | 47 +++++++++++++++----
1 file changed, 39 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
index ec3dd9966da4..a74354e17e83 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
@@ -153,6 +153,8 @@ struct mlx5_macsec_obj_attrs {
struct mlx5e_macsec_epn_state epn_state;
salt_t salt;
__be32 ssci;
+ bool replay_protect;
+ u32 replay_window;
};
struct mlx5_aso_ctrl_param {
@@ -220,6 +222,35 @@ static void mlx5e_macsec_aso_dereg_mr(struct mlx5_core_dev *mdev, struct mlx5e_m
kfree(umr);
}
+static int macsec_set_replay_protection(struct mlx5_macsec_obj_attrs *attrs, void *aso_ctx)
+{
+ u8 window_sz;
+
+ if (!attrs->replay_protect)
+ return 0;
+
+ switch (attrs->replay_window) {
+ case 256:
+ window_sz = MLX5_MACSEC_ASO_REPLAY_WIN_256BIT;
+ break;
+ case 128:
+ window_sz = MLX5_MACSEC_ASO_REPLAY_WIN_128BIT;
+ break;
+ case 64:
+ window_sz = MLX5_MACSEC_ASO_REPLAY_WIN_64BIT;
+ break;
+ case 32:
+ window_sz = MLX5_MACSEC_ASO_REPLAY_WIN_32BIT;
+ break;
+ default:
+ return -EINVAL;
+ }
+ MLX5_SET(macsec_aso, aso_ctx, window_size, window_sz);
+ MLX5_SET(macsec_aso, aso_ctx, mode, MLX5_MACSEC_ASO_REPLAY_PROTECTION);
+
+ return 0;
+}
+
static int mlx5e_macsec_create_object(struct mlx5_core_dev *mdev,
struct mlx5_macsec_obj_attrs *attrs,
bool is_tx,
@@ -253,15 +284,18 @@ static int mlx5e_macsec_create_object(struct mlx5_core_dev *mdev,
salt_p = MLX5_ADDR_OF(macsec_offload_obj, obj, salt);
for (i = 0; i < 3 ; i++)
memcpy((u32 *)salt_p + i, &attrs->salt.bytes[4 * (2 - i)], 4);
- if (!is_tx)
- MLX5_SET(macsec_aso, aso_ctx, mode, MLX5_MACSEC_ASO_REPLAY_PROTECTION);
} else {
MLX5_SET64(macsec_offload_obj, obj, sci, (__force u64)(attrs->sci));
}
MLX5_SET(macsec_aso, aso_ctx, valid, 0x1);
- if (is_tx)
+ if (is_tx) {
MLX5_SET(macsec_aso, aso_ctx, mode, MLX5_MACSEC_ASO_INC_SN);
+ } else {
+ err = macsec_set_replay_protection(attrs, aso_ctx);
+ if (err)
+ return err;
+ }
/* general object fields set */
MLX5_SET(general_obj_in_cmd_hdr, in, opcode, MLX5_CMD_OP_CREATE_GENERAL_OBJECT);
@@ -343,6 +377,8 @@ static int mlx5e_macsec_init_sa(struct macsec_context *ctx,
}
memcpy(&obj_attrs.salt, &key->salt, sizeof(key->salt));
+ obj_attrs.replay_window = ctx->secy->replay_window;
+ obj_attrs.replay_protect = ctx->secy->replay_protect;
err = mlx5e_macsec_create_object(mdev, &obj_attrs, is_tx, &sa->macsec_obj_id);
if (err)
@@ -438,11 +474,6 @@ static bool mlx5e_macsec_secy_features_validate(struct macsec_context *ctx)
return false;
}
- if (secy->replay_protect) {
- netdev_err(netdev, "MACsec offload: replay protection is not supported\n");
- return false;
- }
-
return true;
}
--
2.37.3
next prev parent reply other threads:[~2022-09-14 16:29 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-14 16:27 [PATCH net-next V2 00/10] mlx5 MACSec Extended packet number and replay window offload Saeed Mahameed
2022-09-14 16:27 ` [PATCH net-next V2 01/10] net: macsec: Expose extended packet number (EPN) properties to macsec offload Saeed Mahameed
2022-09-14 16:27 ` [PATCH net-next V2 02/10] net/mlx5: Fix fields name prefix in MACsec Saeed Mahameed
2022-09-14 16:27 ` [PATCH net-next V2 03/10] net/mlx5e: Fix MACsec initialization error path Saeed Mahameed
2022-09-14 16:27 ` [PATCH net-next V2 04/10] net/mlx5e: Fix MACsec initial packet number Saeed Mahameed
2022-09-14 16:27 ` [PATCH net-next V2 05/10] net/mlx5: Add ifc bits for MACsec extended packet number (EPN) and replay protection Saeed Mahameed
2022-09-14 16:27 ` [PATCH net-next V2 06/10] net/mlx5e: Expose memory key creation (mkey) function Saeed Mahameed
2022-09-14 16:27 ` [PATCH net-next V2 07/10] net/mlx5e: Create advanced steering operation (ASO) object for MACsec Saeed Mahameed
2022-09-14 16:27 ` [PATCH net-next V2 08/10] net/mlx5e: Move MACsec initialization from profile init stage to profile enable stage Saeed Mahameed
2022-09-14 16:27 ` [PATCH net-next V2 09/10] net/mlx5e: Support MACsec offload extended packet number (EPN) Saeed Mahameed
2022-09-14 16:27 ` Saeed Mahameed [this message]
2022-09-20 20:41 ` [PATCH net-next V2 00/10] mlx5 MACSec Extended packet number and replay window offload Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220914162713.203571-11-saeed@kernel.org \
--to=saeed@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=ehakim@nvidia.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=raeds@nvidia.com \
--cc=saeedm@nvidia.com \
--cc=tariqt@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).