From: Leon Romanovsky <leon@kernel.org>
To: Dima Chumak <dchumak@nvidia.com>
Cc: Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Jiri Pirko <jiri@resnulli.us>,
Saeed Mahameed <saeedm@nvidia.com>,
netdev@vger.kernel.org, Jiri Pirko <jiri@nvidia.com>
Subject: Re: [PATCH net-next 2/4] net/mlx5: Implement devlink port function cmds to control ipsec_crypto
Date: Wed, 29 Mar 2023 11:01:47 +0300 [thread overview]
Message-ID: <20230329080147.GI831478@unreal> (raw)
In-Reply-To: <20230323111059.210634-3-dchumak@nvidia.com>
On Thu, Mar 23, 2023 at 01:10:57PM +0200, Dima Chumak wrote:
> Implement devlink port function commands to enable / disable IPsec
> crypto offloads. This is used to control the IPsec capability of the
> device.
>
> When ipsec_crypto is enabled for a VF, it prevents adding IPsec crypto
> offloads on the PF, because the two cannot be active simultaneously due
> to HW constraints. Conversely, if there are any active IPsec crypto
> offloads on the PF, it's not allowed to enable ipsec_crypto on a VF,
> until PF IPsec offloads are cleared.
>
> Signed-off-by: Dima Chumak <dchumak@nvidia.com>
> Reviewed-by: Jiri Pirko <jiri@nvidia.com>
> ---
> .../ethernet/mellanox/mlx5/switchdev.rst | 8 +
> .../net/ethernet/mellanox/mlx5/core/Makefile | 2 +-
> .../net/ethernet/mellanox/mlx5/core/devlink.c | 2 +
> .../mellanox/mlx5/core/en_accel/ipsec.c | 18 ++
> .../ethernet/mellanox/mlx5/core/esw/ipsec.c | 271 ++++++++++++++++++
> .../net/ethernet/mellanox/mlx5/core/eswitch.c | 29 ++
> .../net/ethernet/mellanox/mlx5/core/eswitch.h | 20 ++
> .../mellanox/mlx5/core/eswitch_offloads.c | 100 +++++++
> .../ethernet/mellanox/mlx5/core/lib/ipsec.h | 41 +++
> include/linux/mlx5/driver.h | 1 +
> include/linux/mlx5/mlx5_ifc.h | 3 +
> 11 files changed, 494 insertions(+), 1 deletion(-)
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec.c
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/lib/ipsec.h
<...>
> +static int esw_ipsec_vf_query(struct mlx5_core_dev *dev, struct mlx5_vport *vport, bool *crypto)
> +{
> + int query_sz = MLX5_ST_SZ_BYTES(query_hca_cap_out);
> + void *hca_cap = NULL, *query_cap = NULL;
> + bool ipsec_enabled;
> + int err;
> +
> + /* Querying IPsec caps only makes sense when generic ipsec_offload
> + * HCA cap is enabled
> + */
> + err = esw_ipsec_vf_query_generic(dev, vport->index, &ipsec_enabled);
> + if (err)
> + return err;
> + if (!ipsec_enabled) {
> + *crypto = false;
> + return 0;
> + }
> +
> + query_cap = kvzalloc(query_sz, GFP_KERNEL);
> + if (!query_cap)
> + return -ENOMEM;
> +
> + err = mlx5_vport_get_other_func_cap(dev, vport->index, query_cap, MLX5_CAP_IPSEC);
> + if (err)
> + goto out;
> +
> + hca_cap = MLX5_ADDR_OF(query_hca_cap_out, query_cap, capability);
> + *crypto = MLX5_GET(ipsec_cap, hca_cap, ipsec_crypto_offload);
This is very optimistic check to decide if crypto is supported/enabled or not.
Take a look on mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev)
implementation to take into account other capabilities too:
https://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git/tree/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c?h=wip/leon-for-next#n13
It will be nice if you can reuse existing MLX5_IPSEC_CAP_* enum andextend existing
mlx5_ipsec_device_caps() to query other vports.
Thanks
next prev parent reply other threads:[~2023-03-29 8:02 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-23 11:10 [PATCH net-next 0/4] devlink: Add port function attributes to enable/disable IPsec crypto and packet offloads Dima Chumak
2023-03-23 11:10 ` [PATCH net-next 1/4] devlink: Expose port function commands to control IPsec crypto offloads Dima Chumak
2023-03-23 11:10 ` [PATCH net-next 2/4] net/mlx5: Implement devlink port function cmds to control ipsec_crypto Dima Chumak
2023-03-23 21:49 ` kernel test robot
2023-03-29 8:01 ` Leon Romanovsky [this message]
2023-03-23 11:10 ` [PATCH net-next 3/4] devlink: Expose port function commands to control IPsec packet offloads Dima Chumak
2023-03-23 11:10 ` [PATCH net-next 4/4] net/mlx5: Implement devlink port function cmds to control ipsec_packet Dima Chumak
2023-03-23 11:13 ` [PATCH iproute2-next 1/3] Update kernel headers Dima Chumak
2023-03-23 11:13 ` [PATCH iproute2-next 2/3] devlink: Support setting port function ipsec_crypto cap Dima Chumak
2023-03-23 11:13 ` [PATCH iproute2-next 3/3] devlink: Support setting port function ipsec_packet cap Dima Chumak
2023-03-23 17:05 ` [PATCH net-next 0/4] devlink: Add port function attributes to enable/disable IPsec crypto and packet offloads Jakub Kicinski
2023-03-29 7:45 ` Leon Romanovsky
2023-03-29 17:09 ` Jakub Kicinski
2023-03-29 19:11 ` Leon Romanovsky
2023-03-23 17:23 ` Jakub Kicinski
2023-03-29 7:42 ` Dima Chumak
2023-03-29 17:05 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230329080147.GI831478@unreal \
--to=leon@kernel.org \
--cc=davem@davemloft.net \
--cc=dchumak@nvidia.com \
--cc=edumazet@google.com \
--cc=jiri@nvidia.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=saeedm@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.