[GIT PULL] Please pull mlx5 MACsec RoCEv2 support

[GIT PULL] Please pull mlx5 MACsec RoCEv2 support

[Leon Romanovsky]

Hi,

This PR is collected from https://lore.kernel.org/all/cover.1691569414.git.leon@kernel.org
and contains patches to support mlx5 MACsec RoCEv2.

It is based on -rc4 and such has minor conflict with net-next due to existance of IPsec packet offlosd
in eswitch code and the resolution is to take both hunks.

diff --cc include/linux/mlx5/driver.h
index 25d0528f9219,3ec8155c405d..000000000000
--- a/include/linux/mlx5/driver.h
+++ b/include/linux/mlx5/driver.h
@@@ -805,6 -806,11 +805,14 @@@ struct mlx5_core_dev 
  	u32                      vsc_addr;
  	struct mlx5_hv_vhca	*hv_vhca;
  	struct mlx5_thermal	*thermal;
+ 	u64			num_block_tc;
+ 	u64			num_block_ipsec;
+ #ifdef CONFIG_MLX5_MACSEC
+ 	struct mlx5_macsec_fs *macsec_fs;
+ #endif
  };
  
  struct mlx5_db {

----------------------------------------------------------------

From Patrisious:

This series extends previously added MACsec offload support
to cover RoCE traffic either.

In order to achieve that, we need configure MACsec with offload between
the two endpoints, like below:

REMOTE_MAC=10:70:fd:43:71:c0

* ip addr add 1.1.1.1/16 dev eth2
* ip link set dev eth2 up
* ip link add link eth2 macsec0 type macsec encrypt on
* ip macsec offload macsec0 mac
* ip macsec add macsec0 tx sa 0 pn 1 on key 00 dffafc8d7b9a43d5b9a3dfbbf6a30c16
* ip macsec add macsec0 rx port 1 address $REMOTE_MAC
* ip macsec add macsec0 rx port 1 address $REMOTE_MAC sa 0 pn 1 on key 01 ead3664f508eb06c40ac7104cdae4ce5
* ip addr add 10.1.0.1/16 dev macsec0
* ip link set dev macsec0 up

And in a similar manner on the other machine, while noting the keys order
would be reversed and the MAC address of the other machine.

RDMA traffic is separated through relevant GID entries and in case of IP ambiguity
issue - meaning we have a physical GIDs and a MACsec GIDs with the same IP/GID, we
disable our physical GID in order to force the user to only use the MACsec GID.

Thanks

----------------------------------------------------------------
The following changes since commit 5d0c230f1de8c7515b6567d9afba1f196fb4e2f4:

  Linux 6.5-rc4 (2023-07-30 13:23:47 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/mellanox/linux.git mlx5-next

for you to fetch changes up to 2d297d20ace8c544bcc74a2ed5f3536add3a7a69:

  RDMA/mlx5: Handles RoCE MACsec steering rules addition and deletion (2023-08-13 09:25:10 +0300)

----------------------------------------------------------------
Patrisious Haddad (14):
      macsec: add functions to get macsec real netdevice and check offload
      net/mlx5e: Move MACsec flow steering operations to be used as core library
      net/mlx5: Remove dependency of macsec flow steering on ethernet
      net/mlx5e: Rename MACsec flow steering functions/parameters to suit core naming style
      net/mlx5e: Move MACsec flow steering and statistics database from ethernet to core
      net/mlx5: Remove netdevice from MACsec steering
      net/mlx5: Maintain fs_id xarray per MACsec device inside macsec steering
      RDMA/mlx5: Implement MACsec gid addition and deletion
      net/mlx5: Add MACsec priorities in RDMA namespaces
      IB/core: Reorder GID delete code for RoCE
      net/mlx5: Configure MACsec steering for egress RoCEv2 traffic
      net/mlx5: Configure MACsec steering for ingress RoCEv2 traffic
      net/mlx5: Add RoCE MACsec steering infrastructure in core
      RDMA/mlx5: Handles RoCE MACsec steering rules addition and deletion

 drivers/infiniband/core/cache.c                    |    6 +-
 drivers/infiniband/hw/mlx5/Makefile                |    1 +
 drivers/infiniband/hw/mlx5/macsec.c                |  364 +++
 drivers/infiniband/hw/mlx5/macsec.h                |   29 +
 drivers/infiniband/hw/mlx5/main.c                  |   41 +-
 drivers/infiniband/hw/mlx5/mlx5_ib.h               |   17 +
 drivers/net/ethernet/mellanox/mlx5/core/Kconfig    |    2 +-
 drivers/net/ethernet/mellanox/mlx5/core/Makefile   |    2 +-
 drivers/net/ethernet/mellanox/mlx5/core/en.h       |    2 +-
 .../mellanox/mlx5/core/en_accel/en_accel.h         |    4 +-
 .../ethernet/mellanox/mlx5/core/en_accel/macsec.c  |  176 +-
 .../ethernet/mellanox/mlx5/core/en_accel/macsec.h  |   26 +-
 .../mellanox/mlx5/core/en_accel/macsec_fs.c        | 1393 -----------
 .../mellanox/mlx5/core/en_accel/macsec_fs.h        |   47 -
 .../mellanox/mlx5/core/en_accel/macsec_stats.c     |   22 +-
 drivers/net/ethernet/mellanox/mlx5/core/en_stats.c |    2 +-
 drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c   |    1 +
 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c  |   37 +-
 .../ethernet/mellanox/mlx5/core/lib/macsec_fs.c    | 2410 ++++++++++++++++++++
 .../ethernet/mellanox/mlx5/core/lib/macsec_fs.h    |   64 +
 drivers/net/macsec.c                               |   15 +
 include/linux/mlx5/device.h                        |    2 +
 include/linux/mlx5/driver.h                        |   51 +
 include/linux/mlx5/fs.h                            |    2 +
 include/linux/mlx5/macsec.h                        |   32 +
 include/net/macsec.h                               |    2 +
 26 files changed, 3121 insertions(+), 1629 deletions(-)
 create mode 100644 drivers/infiniband/hw/mlx5/macsec.c
 create mode 100644 drivers/infiniband/hw/mlx5/macsec.h
 delete mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_fs.c
 delete mode 100644 drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_fs.h
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/lib/macsec_fs.c
 create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/lib/macsec_fs.h
 create mode 100644 include/linux/mlx5/macsec.h

Re: [GIT PULL] Please pull mlx5 MACsec RoCEv2 support

[Saeed Mahameed]

On 13 Aug 09:47, Leon Romanovsky wrote:
>Hi,
>
>This PR is collected from https://lore.kernel.org/all/cover.1691569414.git.leon@kernel.org
>and contains patches to support mlx5 MACsec RoCEv2.
>
>It is based on -rc4 and such has minor conflict with net-next due to existance of IPsec packet offlosd
>in eswitch code and the resolution is to take both hunks.

Hi Jakub, 

Are you planing to pull this into net-next? 

There's a very minor conflict as described below and I a would like to
avoid this on merge window.

Thanks,
Saeed.


>
>diff --cc include/linux/mlx5/driver.h
>index 25d0528f9219,3ec8155c405d..000000000000
>--- a/include/linux/mlx5/driver.h
>+++ b/include/linux/mlx5/driver.h
>@@@ -805,6 -806,11 +805,14 @@@ struct mlx5_core_dev
>  	u32                      vsc_addr;
>  	struct mlx5_hv_vhca	*hv_vhca;
>  	struct mlx5_thermal	*thermal;
>+ 	u64			num_block_tc;
>+ 	u64			num_block_ipsec;
>+ #ifdef CONFIG_MLX5_MACSEC
>+ 	struct mlx5_macsec_fs *macsec_fs;
>+ #endif

Re: [GIT PULL] Please pull mlx5 MACsec RoCEv2 support

[Jakub Kicinski]

On Wed, 16 Aug 2023 15:30:01 -0700 Saeed Mahameed wrote:
> Are you planing to pull this into net-next? 
> 
> There's a very minor conflict as described below and I a would like to
> avoid this on merge window.

I'm not planning not to pull it.
It's just a matter of trying to work down the queue from the highest
priority stuff. I have to limit the time I spent on ML & patch mgmt,
because it can easily consume 24h a day. And then stuff that's not 
the highest priority gets stuck for a little longer than it would 
in an ideal world :(

Re: [GIT PULL] Please pull mlx5 MACsec RoCEv2 support

[Jakub Kicinski]

On Sun, 13 Aug 2023 09:47:03 +0300 Leon Romanovsky wrote:
> This PR is collected from https://lore.kernel.org/all/cover.1691569414.git.leon@kernel.org
> and contains patches to support mlx5 MACsec RoCEv2.

+bool macsec_netdev_is_offloaded(struct net_device *dev)
+{
+       if (!dev)
+               return false;
+
+       return macsec_is_offloaded(macsec_priv(dev));
+}
+EXPORT_SYMBOL_GPL(macsec_netdev_is_offloaded);

No defensive programming, please, why are you checking that dev is NULL?

> It is based on -rc4 and such has minor conflict with net-next due to
> existance of IPsec packet offlosd in eswitch code and the resolution
> is to take both hunks.
> 
> diff --cc include/linux/mlx5/driver.h
> index 25d0528f9219,3ec8155c405d..000000000000
> --- a/include/linux/mlx5/driver.h
> +++ b/include/linux/mlx5/driver.h
> @@@ -805,6 -806,11 +805,14 @@@ struct mlx5_core_dev 
>   	u32                      vsc_addr;
>   	struct mlx5_hv_vhca	*hv_vhca;
>   	struct mlx5_thermal	*thermal;
> + 	u64			num_block_tc;
> + 	u64			num_block_ipsec;
> + #ifdef CONFIG_MLX5_MACSEC
> + 	struct mlx5_macsec_fs *macsec_fs;
> + #endif
>   };
>   
>   struct mlx5_db {

That's not how the resolution looks. Do the merge yourself, then show
the actual 3-way resolution.
-- 
pw-bot: cr

Re: [GIT PULL] Please pull mlx5 MACsec RoCEv2 support

[Leon Romanovsky]

On Fri, Aug 18, 2023 at 08:02:53PM -0700, Jakub Kicinski wrote:
> On Sun, 13 Aug 2023 09:47:03 +0300 Leon Romanovsky wrote:
> > This PR is collected from https://lore.kernel.org/all/cover.1691569414.git.leon@kernel.org
> > and contains patches to support mlx5 MACsec RoCEv2.
> 
> +bool macsec_netdev_is_offloaded(struct net_device *dev)
> +{
> +       if (!dev)
> +               return false;
> +
> +       return macsec_is_offloaded(macsec_priv(dev));
> +}
> +EXPORT_SYMBOL_GPL(macsec_netdev_is_offloaded);
> 
> No defensive programming, please, why are you checking that dev is NULL?

I missed that in CR, dev is always valid for all macsec_netdev_is_offloaded() callers

  240         ndev = rcu_dereference(attr->ndev);
  241         if (!ndev) {
  242                 rcu_read_unlock();
  243                 return -ENODEV;
  244         }
  245
  246         if (!netif_is_macsec(ndev) || !macsec_netdev_is_offloaded(ndev)) {
  247                 rcu_read_unlock();
  248                 return 0;
  249         }

> 
> > It is based on -rc4 and such has minor conflict with net-next due to
> > existance of IPsec packet offlosd in eswitch code and the resolution
> > is to take both hunks.
> > 
> > diff --cc include/linux/mlx5/driver.h
> > index 25d0528f9219,3ec8155c405d..000000000000
> > --- a/include/linux/mlx5/driver.h
> > +++ b/include/linux/mlx5/driver.h
> > @@@ -805,6 -806,11 +805,14 @@@ struct mlx5_core_dev 
> >   	u32                      vsc_addr;
> >   	struct mlx5_hv_vhca	*hv_vhca;
> >   	struct mlx5_thermal	*thermal;
> > + 	u64			num_block_tc;
> > + 	u64			num_block_ipsec;
> > + #ifdef CONFIG_MLX5_MACSEC
> > + 	struct mlx5_macsec_fs *macsec_fs;
> > + #endif
> >   };
> >   
> >   struct mlx5_db {
> 
> That's not how the resolution looks. Do the merge yourself, then show
> the actual 3-way resolution.

ok, will do.

Thanks