[PATCH net-next V2 00/17] Introduce MACsec skb_metadata_dst and mlx5 macsec offload

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Saeed Mahameed <saeed@kernel.org>
To: "David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Eric Dumazet <edumazet@google.com>
Cc: Saeed Mahameed <saeedm@nvidia.com>,
	netdev@vger.kernel.org, Tariq Toukan <tariqt@nvidia.com>
Subject: [PATCH net-next V2 00/17] Introduce MACsec skb_metadata_dst and mlx5 macsec offload
Date: Mon,  5 Sep 2022 22:21:12 -0700	[thread overview]
Message-ID: <20220906052129.104507-1-saeed@kernel.org> (raw)

From: Saeed Mahameed <saeedm@nvidia.com>

v1->v2:
   - attach mlx5 implementation patches.  

This patchset introduces MACsec skb_metadata_dst to lay the ground
for MACsec HW offload.

MACsec is an IEEE standard (IEEE 802.1AE) for MAC security.
It defines a way to establish a protocol independent connection
between two hosts with data confidentiality, authenticity and/or
integrity, using GCM-AES. MACsec operates on the Ethernet layer and
as such is a layer 2 protocol, which means it’s designed to secure
traffic within a layer 2 network, including DHCP or ARP requests.

Linux has a software implementation of the MACsec standard and
HW offloading support.
The offloading is re-using the logic, netlink API and data
structures of the existing MACsec software implementation.

For Tx:
In the current MACsec offload implementation, MACsec interfaces shares
the same MAC address by default.
Therefore, HW can't distinguish from which MACsec interface the traffic
originated from.

MACsec stack will use skb_metadata_dst to store the SCI value, which is
unique per MACsec interface, skb_metadat_dst will be used later by the
offloading device driver to associate the SKB with the corresponding
offloaded interface (SCI) to facilitate HW MACsec offload.

For Rx:
Like in the Tx changes, if there are more than one MACsec device with
the same MAC address as in the packet's destination MAC, the packet will
be forward only to one of the devices and not neccessarly to the desired one.

Offloading device driver sets the MACsec skb_metadata_dst sci
field with the appropriaate Rx SCI for each SKB so the MACsec rx handler
will know to which port to divert those skbs, instead of wrongly solely
relaying on dst MAC address comparison.

1) patch 1,2, Add support to skb_metadata_dst in MACsec code:
net/macsec: Add MACsec skb_metadata_dst Tx Data path support
net/macsec: Add MACsec skb_metadata_dst Rx Data path support

2) patch 3, Move some MACsec driver code for sharing with various
drivers that implements offload:
net/macsec: Move some code for sharing with various drivers that
implements offload

3) The rest of the patches introduce mlx5 implementation for macsec
offloads TX and RX via steering tables.
  a) TX, intercept skbs with macsec offlad mark in skb_metadata_dst and mark
the descriptor for offload.
  b) RX, intercept offloaded frames and prepare the proper
skb_metadata_dst to mark offloaded rx frames.

Lior Nahmanson (17):
  net/macsec: Add MACsec skb_metadata_dst Tx Data path support
  net/macsec: Add MACsec skb_metadata_dst Rx Data path support
  net/macsec: Move some code for sharing with various drivers that
    implements offload
  net/mlx5: Removed esp_id from struct mlx5_flow_act
  net/mlx5: Generalize Flow Context for new crypto fields
  net/mlx5: Introduce MACsec Connect-X offload hardware bits and
    structures
  net/mlx5: Add MACsec offload Tx command support
  net/mlx5: Add MACsec Tx tables support to fs_core
  net/mlx5e: Add MACsec TX steering rules
  net/mlx5e: Implement MACsec Tx data path using MACsec skb_metadata_dst
  net/mlx5e: Add MACsec offload Rx command support
  net/mlx5: Add MACsec Rx tables support to fs_core
  net/mlx5e: Add MACsec RX steering rules
  net/mlx5e: Implement MACsec Rx data path using MACsec skb_metadata_dst
  net/mlx5e: Add MACsec offload SecY support
  net/mlx5e: Add MACsec stats support for Rx/Tx flows
  net/mlx5e: Add support to configure more than one macsec offload
    device

 .../net/ethernet/mellanox/mlx5/core/Kconfig   |    8 +
 .../net/ethernet/mellanox/mlx5/core/Makefile  |    3 +
 drivers/net/ethernet/mellanox/mlx5/core/en.h  |    3 +
 .../mellanox/mlx5/core/en_accel/en_accel.h    |   15 +
 .../mellanox/mlx5/core/en_accel/ipsec_fs.c    |    9 +-
 .../mellanox/mlx5/core/en_accel/ipsec_rxtx.h  |    4 +-
 .../mellanox/mlx5/core/en_accel/macsec.c      | 1332 ++++++++++++++++
 .../mellanox/mlx5/core/en_accel/macsec.h      |   72 +
 .../mellanox/mlx5/core/en_accel/macsec_fs.c   | 1384 +++++++++++++++++
 .../mellanox/mlx5/core/en_accel/macsec_fs.h   |   47 +
 .../mlx5/core/en_accel/macsec_stats.c         |   72 +
 .../net/ethernet/mellanox/mlx5/core/en_main.c |    7 +
 .../net/ethernet/mellanox/mlx5/core/en_rx.c   |    4 +
 .../ethernet/mellanox/mlx5/core/en_stats.c    |    3 +
 .../ethernet/mellanox/mlx5/core/en_stats.h    |    1 +
 .../net/ethernet/mellanox/mlx5/core/en_tx.c   |    3 +-
 .../net/ethernet/mellanox/mlx5/core/fs_cmd.c  |    9 +-
 .../net/ethernet/mellanox/mlx5/core/fs_core.c |   31 +-
 drivers/net/ethernet/mellanox/mlx5/core/fw.c  |    7 +
 .../ethernet/mellanox/mlx5/core/lib/mlx5.h    |    1 +
 .../net/ethernet/mellanox/mlx5/core/main.c    |    1 +
 drivers/net/macsec.c                          |   54 +-
 include/linux/mlx5/device.h                   |    4 +
 include/linux/mlx5/fs.h                       |   12 +-
 include/linux/mlx5/mlx5_ifc.h                 |  111 +-
 include/linux/mlx5/qp.h                       |    1 +
 include/net/dst_metadata.h                    |   10 +
 include/net/macsec.h                          |   25 +
 28 files changed, 3180 insertions(+), 53 deletions(-)
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.h
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_fs.c
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_fs.h
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_stats.c

-- 
2.37.2

next             reply	other threads:[~2022-09-06  5:21 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-06  5:21 Saeed Mahameed [this message]
2022-09-06  5:21 ` [PATCH net-next V2 01/17] net/macsec: Add MACsec skb_metadata_dst Tx Data path support Saeed Mahameed
2022-09-06  5:21 ` [PATCH net-next V2 02/17] net/macsec: Add MACsec skb_metadata_dst Rx " Saeed Mahameed
2022-09-06  5:21 ` [PATCH net-next V2 03/17] net/macsec: Move some code for sharing with various drivers that implements offload Saeed Mahameed
2022-09-06  5:21 ` [PATCH net-next V2 04/17] net/mlx5: Removed esp_id from struct mlx5_flow_act Saeed Mahameed
2022-09-06  5:21 ` [PATCH net-next V2 05/17] net/mlx5: Generalize Flow Context for new crypto fields Saeed Mahameed
2022-09-06  5:21 ` [PATCH net-next V2 06/17] net/mlx5: Introduce MACsec Connect-X offload hardware bits and structures Saeed Mahameed
2022-09-06  5:21 ` [PATCH net-next V2 07/17] net/mlx5: Add MACsec offload Tx command support Saeed Mahameed
2022-09-14 14:39   ` sundeep subbaraya
2022-09-14 20:38     ` Saeed Mahameed
2022-09-15  5:14       ` sundeep subbaraya
2022-09-15  5:20         ` sundeep subbaraya
2022-09-15  8:02           ` Antoine Tenart
2022-09-19  9:01             ` sundeep subbaraya
2022-09-19 13:26               ` Raed Salem
2022-09-20  8:14                 ` Antoine Tenart
2022-09-21 13:43                   ` sundeep subbaraya
2022-09-06  5:21 ` [PATCH net-next V2 08/17] net/mlx5: Add MACsec Tx tables support to fs_core Saeed Mahameed
2022-09-06  5:21 ` [PATCH net-next V2 09/17] net/mlx5e: Add MACsec TX steering rules Saeed Mahameed
2022-09-06  5:21 ` [PATCH net-next V2 10/17] net/mlx5e: Implement MACsec Tx data path using MACsec skb_metadata_dst Saeed Mahameed
2022-09-06  5:21 ` [PATCH net-next V2 11/17] net/mlx5e: Add MACsec offload Rx command support Saeed Mahameed
2022-09-06  5:21 ` [PATCH net-next V2 12/17] net/mlx5: Add MACsec Rx tables support to fs_core Saeed Mahameed
2022-09-06  5:21 ` [PATCH net-next V2 13/17] net/mlx5e: Add MACsec RX steering rules Saeed Mahameed
2022-09-06  5:21 ` [PATCH net-next V2 14/17] net/mlx5e: Implement MACsec Rx data path using MACsec skb_metadata_dst Saeed Mahameed
2022-09-06  5:21 ` [PATCH net-next V2 15/17] net/mlx5e: Add MACsec offload SecY support Saeed Mahameed
2022-09-06  5:21 ` [PATCH net-next V2 16/17] net/mlx5e: Add MACsec stats support for Rx/Tx flows Saeed Mahameed
2022-09-06  5:21 ` [PATCH net-next V2 17/17] net/mlx5e: Add support to configure more than one macsec offload device Saeed Mahameed
2022-09-07 13:20 ` [PATCH net-next V2 00/17] Introduce MACsec skb_metadata_dst and mlx5 macsec offload patchwork-bot+netdevbpf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220906052129.104507-1-saeed@kernel.org \
    --to=saeed@kernel.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=saeedm@nvidia.com \
    --cc=tariqt@nvidia.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).