From: Antoine Tenart <antoine.tenart@bootlin.com>
To: Igor Russkikh <irusskikh@marvell.com>
Cc: netdev@vger.kernel.org, "David S . Miller" <davem@davemloft.net>,
Antoine Tenart <antoine.tenart@bootlin.com>,
Mark Starovoytov <mstarovoitov@marvell.com>,
Dmitry Bogdanov <dbogdanov@marvell.com>,
sd@queasysnail.net
Subject: Re: [RFC 00/18] net: atlantic: MACSec support for AQC devices
Date: Fri, 21 Feb 2020 15:57:51 +0100
Message-ID: <20200221145751.GA3530@kwain>
In-Reply-To: <20200214150258.390-1-irusskikh@marvell.com>

Hello Igor,

Thanks for sending this series!

Please Cc Sabrina Dubroca <sd@queasysnail.net> (the IEEE 802.1AE driver
author) on such series.

Antoine

On Fri, Feb 14, 2020 at 06:02:40PM +0300, Igor Russkikh wrote:
> This RFC patchset introduces MACSec HW offloading support in
> Marvell(Aquantia) AQC atlantic driver.
>
> This implementation is a joint effort of Marvell developers on top of
> the work started by Antoine Tenart.
>
> Several patches introduce backward-incompatible changes and are
> subject for discussion/drop:
>
> 1) patch 0008:
> multicast/broadcast when offloading is needed to handle ARP requests,
> because they have broadcast destination address;
> With this patch we also match and encrypt/decrypt packets between macsec
> hw and realdev based on device's mac address.
> This potentially can be used to support multiple macsec offloaded interfaces
> on top of one realdev.
> On some environments however this could lead to problems, e.g. bridge over
> macsec configuration will expect packets with unknown src MAC
> should come through macsec.
> The patch is questionable, we've used it because our current hw setup and
> requirements assumes decryption is only done based on mac address match.
> This could be changed by encrypting/decrypting all the traffic (except control).
>
> 2) patch 0010:
> HW offloading is enabled by default. This is a workaround for the fact
> that macsec offload can't be configured at the moment of macsec device
> creation. This causes side effects on atlantic device. The best way to
> resolve this is to implement an option in ip tools to specify macsec
> offload type immediately inside the command where it is created.
> Such a comment was proposed in ip tools discussion.
>
> 3) patch 0011:
> real_dev features are now propagated to macsec device (when HW
> offloading is enabled), otherwise feature set might lead to HW
> reconfiguration during MACSec configuration.
> Also, HW offloaded macsec should be able to keep LRO LSO features,
> since they are transparent for macsec engine (at least in our hardware).
>
> Antoine Tenart (4):
> net: introduce the MACSEC netdev feature
> net: add a reference to MACsec ops in net_device
> net: macsec: allow to reference a netdev from a MACsec context
> net: macsec: add support for offloading to the MAC
>
> Dmitry Bogdanov (9):
> net: macsec: init secy pointer in macsec_context
> net: macsec: invoke mdo_upd_secy callback when mac address changed
> net: macsec: allow multiple macsec devices with offload
> net: macsec: add support for getting offloaded stats
> net: atlantic: MACSec offload skeleton
> net: atlantic: MACSec egress offload HW bindings
> net: atlantic: MACSec egress offload implementation
> net: atlantic: MACSec offload statistics HW bindings
> net: atlantic: MACSec offload statistics implementation
>
> Mark Starovoytov (5):
> net: macsec: support multicast/broadcast when offloading
> net: macsec: enable HW offloading by default (when available)
> net: macsec: report real_dev features when HW offloading is enabled
> net: atlantic: MACSec ingress offload HW bindings
> net: atlantic: MACSec ingress offload implementation
>
> .../net/ethernet/aquantia/atlantic/Makefile | 6 +-
> .../ethernet/aquantia/atlantic/aq_ethtool.c | 160 +-
> .../net/ethernet/aquantia/atlantic/aq_hw.h | 6 +
> .../ethernet/aquantia/atlantic/aq_macsec.c | 1842 +++++++++++
> .../ethernet/aquantia/atlantic/aq_macsec.h | 138 +
> .../net/ethernet/aquantia/atlantic/aq_nic.c | 21 +-
> .../net/ethernet/aquantia/atlantic/aq_nic.h | 6 +-
> .../ethernet/aquantia/atlantic/aq_pci_func.c | 5 +
> .../aquantia/atlantic/hw_atl/hw_atl_utils.h | 51 +-
> .../atlantic/hw_atl/hw_atl_utils_fw2x.c | 69 +
> .../atlantic/macsec/MSS_Egress_registers.h | 78 +
> .../atlantic/macsec/MSS_Ingress_registers.h | 82 +
> .../aquantia/atlantic/macsec/macsec_api.c | 2938 +++++++++++++++++
> .../aquantia/atlantic/macsec/macsec_api.h | 328 ++
> .../aquantia/atlantic/macsec/macsec_struct.h | 919 ++++++
> drivers/net/macsec.c | 510 ++-
> include/linux/netdev_features.h | 3 +
> include/linux/netdevice.h | 9 +
> include/net/macsec.h | 29 +-
> include/uapi/linux/if_link.h | 1 +
> net/ethtool/common.c | 1 +
> tools/include/uapi/linux/if_link.h | 1 +
> 22 files changed, 7018 insertions(+), 185 deletions(-)
> create mode 100644 drivers/net/ethernet/aquantia/atlantic/aq_macsec.c
> create mode 100644 drivers/net/ethernet/aquantia/atlantic/aq_macsec.h
> create mode 100644 drivers/net/ethernet/aquantia/atlantic/macsec/MSS_Egress_registers.h
> create mode 100644 drivers/net/ethernet/aquantia/atlantic/macsec/MSS_Ingress_registers.h
> create mode 100644 drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c
> create mode 100644 drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.h
> create mode 100644 drivers/net/ethernet/aquantia/atlantic/macsec/macsec_struct.h
>
> --
> 2.17.1
>
--
Antoine Ténart, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com