From: Leon Romanovsky <leon@kernel.org>
To: Dima Chumak <dchumak@nvidia.com>
Cc: Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Jiri Pirko <jiri@resnulli.us>,
Saeed Mahameed <saeedm@nvidia.com>,
netdev@vger.kernel.org, Jiri Pirko <jiri@nvidia.com>
Subject: Re: [PATCH net-next 2/4] net/mlx5: Implement devlink port function cmds to control ipsec_crypto
Date: Wed, 29 Mar 2023 11:01:47 +0300 [thread overview]
Message-ID: <20230329080147.GI831478@unreal> (raw)
In-Reply-To: <20230323111059.210634-3-dchumak@nvidia.com>
On Thu, Mar 23, 2023 at 01:10:57PM +0200, Dima Chumak wrote:
> Implement devlink port function commands to enable / disable IPsec
> crypto offloads. This is used to control the IPsec capability of the
> device.
>
> When ipsec_crypto is enabled for a VF, it prevents adding IPsec crypto
> offloads on the PF, because the two cannot be active simultaneously due
> to HW constraints. Conversely, if there are any active IPsec crypto
> offloads on the PF, it's not allowed to enable ipsec_crypto on a VF,
> until PF IPsec offloads are cleared.
>
> Signed-off-by: Dima Chumak <dchumak@nvidia.com>
> Reviewed-by: Jiri Pirko <jiri@nvidia.com>
> ---
> .../ethernet/mellanox/mlx5/switchdev.rst | 8 +
> .../net/ethernet/mellanox/mlx5/core/Makefile | 2 +-
> .../net/ethernet/mellanox/mlx5/core/devlink.c | 2 +
> .../mellanox/mlx5/core/en_accel/ipsec.c | 18 ++
> .../ethernet/mellanox/mlx5/core/esw/ipsec.c | 271 ++++++++++++++++++
> .../net/ethernet/mellanox/mlx5/core/eswitch.c | 29 ++
> .../net/ethernet/mellanox/mlx5/core/eswitch.h | 20 ++
> .../mellanox/mlx5/core/eswitch_offloads.c | 100 +++++++
> .../ethernet/mellanox/mlx5/core/lib/ipsec.h | 41 +++
> include/linux/mlx5/driver.h | 1 +
> include/linux/mlx5/mlx5_ifc.h | 3 +
> 11 files changed, 494 insertions(+), 1 deletion(-)
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec.c
> create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/lib/ipsec.h
<...>
> +static int esw_ipsec_vf_query(struct mlx5_core_dev *dev, struct mlx5_vport *vport, bool *crypto)
> +{
> + int query_sz = MLX5_ST_SZ_BYTES(query_hca_cap_out);
> + void *hca_cap = NULL, *query_cap = NULL;
> + bool ipsec_enabled;
> + int err;
> +
> + /* Querying IPsec caps only makes sense when generic ipsec_offload
> + * HCA cap is enabled
> + */
> + err = esw_ipsec_vf_query_generic(dev, vport->index, &ipsec_enabled);
> + if (err)
> + return err;
> + if (!ipsec_enabled) {
> + *crypto = false;
> + return 0;
> + }
> +
> + query_cap = kvzalloc(query_sz, GFP_KERNEL);
> + if (!query_cap)
> + return -ENOMEM;
> +
> + err = mlx5_vport_get_other_func_cap(dev, vport->index, query_cap, MLX5_CAP_IPSEC);
> + if (err)
> + goto out;
> +
> + hca_cap = MLX5_ADDR_OF(query_hca_cap_out, query_cap, capability);
> + *crypto = MLX5_GET(ipsec_cap, hca_cap, ipsec_crypto_offload);
This is very optimistic check to decide if crypto is supported/enabled or not.
Take a look on mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev)
implementation to take into account other capabilities too:
https://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git/tree/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c?h=wip/leon-for-next#n13
It will be nice if you can reuse existing MLX5_IPSEC_CAP_* enum andextend existing
mlx5_ipsec_device_caps() to query other vports.
Thanks
next prev parent reply other threads:[~2023-03-29 8:02 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-23 11:10 [PATCH net-next 0/4] devlink: Add port function attributes to enable/disable IPsec crypto and packet offloads Dima Chumak
2023-03-23 11:10 ` [PATCH net-next 1/4] devlink: Expose port function commands to control IPsec crypto offloads Dima Chumak
2023-03-23 11:10 ` [PATCH net-next 2/4] net/mlx5: Implement devlink port function cmds to control ipsec_crypto Dima Chumak
2023-03-23 21:49 ` kernel test robot
2023-03-29 8:01 ` Leon Romanovsky [this message]
2023-03-23 11:10 ` [PATCH net-next 3/4] devlink: Expose port function commands to control IPsec packet offloads Dima Chumak
2023-03-23 11:10 ` [PATCH net-next 4/4] net/mlx5: Implement devlink port function cmds to control ipsec_packet Dima Chumak
2023-03-23 11:13 ` [PATCH iproute2-next 1/3] Update kernel headers Dima Chumak
2023-03-23 11:13 ` [PATCH iproute2-next 2/3] devlink: Support setting port function ipsec_crypto cap Dima Chumak
2023-03-23 11:13 ` [PATCH iproute2-next 3/3] devlink: Support setting port function ipsec_packet cap Dima Chumak
2023-03-23 17:05 ` [PATCH net-next 0/4] devlink: Add port function attributes to enable/disable IPsec crypto and packet offloads Jakub Kicinski
2023-03-29 7:45 ` Leon Romanovsky
2023-03-29 17:09 ` Jakub Kicinski
2023-03-29 19:11 ` Leon Romanovsky
2023-03-23 17:23 ` Jakub Kicinski
2023-03-29 7:42 ` Dima Chumak
2023-03-29 17:05 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230329080147.GI831478@unreal \
--to=leon@kernel.org \
--cc=davem@davemloft.net \
--cc=dchumak@nvidia.com \
--cc=edumazet@google.com \
--cc=jiri@nvidia.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=saeedm@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).