* [PATCH iproute2-next V3 0/2] devlink: Add port function attributes for ipsec
@ 2023-10-02 10:43 Tariq Toukan
  2023-10-02 10:43 ` [PATCH iproute2-next V3 1/2] devlink: Support setting port function ipsec_crypto cap Tariq Toukan
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Tariq Toukan @ 2023-10-02 10:43 UTC (permalink / raw)
  To: Stephen Hemminger, David Ahern
  Cc: David S. Miller, Eric Dumazet, Paolo Abeni, Jiri Pirko,
	Dima Chumak, Jakub Kicinski, Leon Romanovsky, Saeed Mahameed,
	netdev, Tariq Toukan

Hi,
Please, see kernel series [1] for the overview of these changes.

[1] https://lore.kernel.org/netdev/20230825062836.103744-1-saeed@kernel.org/

Regards,
Tariq

---
v2 -> v3:
 - Updated cover letter.
 - Rebased to latest iproute2-next.
   As a result, dropped existing kernel headers patch.

v1 -> v2:
 - Updated cover letter, no other changes in devlink user-space patches

Dima Chumak (2):
  devlink: Support setting port function ipsec_crypto cap
  devlink: Support setting port function ipsec_packet cap

 devlink/devlink.c       | 34 ++++++++++++++++++++++++++++++++++
 man/man8/devlink-port.8 | 26 ++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)

-- 
2.34.1



* [PATCH iproute2-next V3 1/2] devlink: Support setting port function ipsec_crypto cap
  2023-10-02 10:43 [PATCH iproute2-next V3 0/2] devlink: Add port function attributes for ipsec Tariq Toukan
@ 2023-10-02 10:43 ` Tariq Toukan
  2023-10-03 14:46   ` David Ahern
  2023-10-02 10:43 ` [PATCH iproute2-next V3 2/2] devlink: Support setting port function ipsec_packet cap Tariq Toukan
  2023-10-04 15:30 ` [PATCH iproute2-next V3 0/2] devlink: Add port function attributes for ipsec patchwork-bot+netdevbpf
  2 siblings, 1 reply; 6+ messages in thread
From: Tariq Toukan @ 2023-10-02 10:43 UTC (permalink / raw)
  To: Stephen Hemminger, David Ahern
  Cc: David S. Miller, Eric Dumazet, Paolo Abeni, Jiri Pirko,
	Dima Chumak, Jakub Kicinski, Leon Romanovsky, Saeed Mahameed,
	netdev, Tariq Toukan

From: Dima Chumak <dchumak@nvidia.com>

Support port function commands to enable / disable IPsec crypto
offloads; this is used to control the port IPsec device capabilities.

When IPsec crypto capability is disabled for a function of the port
(default), function cannot offload IPsec operation. When enabled, IPsec
operation can be offloaded by the function of the port.

Enabling IPsec crypto offloads lets the kernel delegate XFRM state
processing and encrypt/decrypt operation to the device hardware.

Example of a PCI VF port which supports IPsec crypto offloads:

$ devlink port show pci/0000:06:00.0/1
    pci/0000:06:00.0/1: type eth netdev enp6s0pf0vf0 flavour pcivf pfnum 0 vfnum 0
	function:
	hw_addr 00:00:00:00:00:00 roce enable ipsec_crypto disable

$ devlink port function set pci/0000:06:00.0/1 ipsec_crypto enable

$ devlink port show pci/0000:06:00.0/1
    pci/0000:06:00.0/1: type eth netdev enp6s0pf0vf0 flavour pcivf pfnum 0 vfnum 0
	function:
	hw_addr 00:00:00:00:00:00 roce enable ipsec_crypto enable

Signed-off-by: Dima Chumak <dchumak@nvidia.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
---
 devlink/devlink.c       | 18 ++++++++++++++++++
 man/man8/devlink-port.8 | 13 +++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/devlink/devlink.c b/devlink/devlink.c
index d1795f616ca0..7852a47fc98a 100644
--- a/devlink/devlink.c
+++ b/devlink/devlink.c
@@ -2271,6 +2271,18 @@ static int dl_argv_parse(struct dl *dl, uint64_t o_required,
 			if (mig)
 				opts->port_fn_caps.value |= DEVLINK_PORT_FN_CAP_MIGRATABLE;
 			o_found |= DL_OPT_PORT_FN_CAPS;
+		} else if (dl_argv_match(dl, "ipsec_crypto") &&
+			   (o_all & DL_OPT_PORT_FN_CAPS)) {
+			bool ipsec_crypto;
+
+			dl_arg_inc(dl);
+			err = dl_argv_bool(dl, &ipsec_crypto);
+			if (err)
+				return err;
+			opts->port_fn_caps.selector |= DEVLINK_PORT_FN_CAP_IPSEC_CRYPTO;
+			if (ipsec_crypto)
+				opts->port_fn_caps.value |= DEVLINK_PORT_FN_CAP_IPSEC_CRYPTO;
+			o_found |= DL_OPT_PORT_FN_CAPS;
 		} else {
 			pr_err("Unknown option \"%s\"\n", dl_argv(dl));
 			return -EINVAL;
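Review bot: In the new ipsec_crypto branch of dl_argv_parse the value bit is only ever set (`if (ipsec_crypto) opts->port_fn_caps.value |= DEVLINK_PORT_FN_CAP_IPSEC_CRYPTO;`) and there is no else that clears it, while nothing in the branch rejects a keyword that was already seen. If the same keyword can appear twice on one command line, `ipsec_crypto enable ipsec_crypto disable` would end with the bit still set in value. Either clear the bit in an else branch or return -EINVAL when the selector bit is already set; the migratable branch in the context lines above has the same shape and would want the same treatment.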
@@ -4644,6 +4656,7 @@ static void cmd_port_help(void)
 	pr_err("       devlink port unsplit DEV/PORT_INDEX\n");
 	pr_err("       devlink port function set DEV/PORT_INDEX [ hw_addr ADDR ] [ state { active | inactive } ]\n");
 	pr_err("                      [ roce { enable | disable } ] [ migratable { enable | disable } ]\n");
+	pr_err("                      [ ipsec_crypto { enable | disable } ]\n");
 	pr_err("       devlink port function rate { help | show | add | del | set }\n");
 	pr_err("       devlink port param set DEV/PORT_INDEX name PARAMETER value VALUE cmode { permanent | driverinit | runtime }\n");
 	pr_err("       devlink port param show [DEV/PORT_INDEX name PARAMETER]\n");
@@ -4769,6 +4782,10 @@ static void pr_out_port_function(struct dl *dl, struct nlattr **tb_port)
 			print_string(PRINT_ANY, "migratable", " migratable %s",
 				     port_fn_caps->value & DEVLINK_PORT_FN_CAP_MIGRATABLE ?
 				     "enable" : "disable");
+		if (port_fn_caps->selector & DEVLINK_PORT_FN_CAP_IPSEC_CRYPTO)
+			print_string(PRINT_ANY, "ipsec_crypto", " ipsec_crypto %s",
+				     port_fn_caps->value & DEVLINK_PORT_FN_CAP_IPSEC_CRYPTO ?
+				     "enable" : "disable");
 	}
 
 	if (!dl->json_output)
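Review bot: The ipsec_crypto field in pr_out_port_function is printed only when the selector bit is set, so when it is not set the key is missing from both the plain and the JSON output rather than shown as `disable`. That distinction is not documented anywhere in this patch. A sentence in devlink-port.8 saying that an absent ipsec_crypto field means the capability is not reported would keep scripts that audit function capabilities from treating a missing key as "off".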
@@ -4960,6 +4977,7 @@ static void cmd_port_function_help(void)
 {
 	pr_err("Usage: devlink port function set DEV/PORT_INDEX [ hw_addr ADDR ] [ state { active | inactive } ]\n");
 	pr_err("                      [ roce { enable | disable } ] [ migratable { enable | disable } ]\n");
+	pr_err("                      [ ipsec_crypto { enable | disable } ]\n");
 	pr_err("       devlink port function rate { help | show | add | del | set }\n");
 }
 
diff --git a/man/man8/devlink-port.8 b/man/man8/devlink-port.8
index 56049f7349a8..534d2cbe8fa9 100644
--- a/man/man8/devlink-port.8
+++ b/man/man8/devlink-port.8
@@ -77,6 +77,9 @@ devlink-port \- devlink port configuration
 .RI "[ "
 .BR migratable " { " enable " | " disable " }"
 .RI "]"
+.RI "[ "
+.BR ipsec_crypto " { " enable " | " disable " }"
+.RI "]"
 
 .ti -8
 .BR "devlink port function rate "
@@ -222,6 +225,11 @@ Set the RoCE capability of the function.
 .BR migratable " { " enable " | " disable  " } "
 Set the migratable capability of the function.
 
+.TP
+.BR ipsec_crypto " { " enable " | " disable  " } "
+Set the IPsec crypto offload capability of the function. Controls XFRM state
+crypto operation (Encrypt/Decrypt) offload.
+
 .ti -8
 .SS devlink port del - delete a devlink port
 .PP
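Review bot: The new .TP entry for ipsec_crypto does not state the default. The commit message says the capability is disabled by default and that the function cannot offload IPsec operation while it is disabled; adding that one sentence to the description here would put it where an administrator will actually look.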
@@ -351,6 +359,11 @@ devlink port function set pci/0000:01:00.0/1 migratable enable
 This will enable the migratable functionality of the function.
 .RE
 .PP
+devlink port function set pci/0000:01:00.0/1 ipsec_crypto enable
+.RS 4
+This will enable the IPsec crypto offload functionality of the function.
+.RE
+.PP
 devlink port function set pci/0000:01:00.0/1 hw_addr 00:00:00:11:22:33 state active
 .RS 4
 Configure hardware address and also active the function. When a function is
-- 
2.34.1



* [PATCH iproute2-next V3 2/2] devlink: Support setting port function ipsec_packet cap
  2023-10-02 10:43 [PATCH iproute2-next V3 0/2] devlink: Add port function attributes for ipsec Tariq Toukan
  2023-10-02 10:43 ` [PATCH iproute2-next V3 1/2] devlink: Support setting port function ipsec_crypto cap Tariq Toukan
@ 2023-10-02 10:43 ` Tariq Toukan
  2023-10-04 15:30 ` [PATCH iproute2-next V3 0/2] devlink: Add port function attributes for ipsec patchwork-bot+netdevbpf
  2 siblings, 0 replies; 6+ messages in thread
From: Tariq Toukan @ 2023-10-02 10:43 UTC (permalink / raw)
  To: Stephen Hemminger, David Ahern
  Cc: David S. Miller, Eric Dumazet, Paolo Abeni, Jiri Pirko,
	Dima Chumak, Jakub Kicinski, Leon Romanovsky, Saeed Mahameed,
	netdev, Tariq Toukan

From: Dima Chumak <dchumak@nvidia.com>

Support port function commands to enable / disable IPsec packet
offloads; this is used to control the port IPsec device capabilities.

When IPsec packet capability is disabled for a function of the port
(default), function cannot offload IPsec operation. When enabled, IPsec
operation can be offloaded by the function of the port.

Enabling IPsec packet offloads lets the kernel delegate
encrypt/decrypt operations, as well as encapsulation and SA/policy and
state to the device hardware.

Example of a PCI VF port which supports IPsec packet offloads:

$ devlink port show pci/0000:06:00.0/1
    pci/0000:06:00.0/1: type eth netdev enp6s0pf0vf0 flavour pcivf pfnum 0 vfnum 0
	function:
	hw_addr 00:00:00:00:00:00 roce enable ipsec_crypto disable ipsec_packet disable

$ devlink port function set pci/0000:06:00.0/1 ipsec_packet enable

$ devlink port show pci/0000:06:00.0/1
    pci/0000:06:00.0/1: type eth netdev enp6s0pf0vf0 flavour pcivf pfnum 0 vfnum 0
	function:
	hw_addr 00:00:00:00:00:00 roce enable ipsec_crypto disable ipsec_packet enable

Signed-off-by: Dima Chumak <dchumak@nvidia.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
---
 devlink/devlink.c       | 20 ++++++++++++++++++--
 man/man8/devlink-port.8 | 13 +++++++++++++
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/devlink/devlink.c b/devlink/devlink.c
index 7852a47fc98a..3baad355759e 100644
--- a/devlink/devlink.c
+++ b/devlink/devlink.c
@@ -2283,6 +2283,18 @@ static int dl_argv_parse(struct dl *dl, uint64_t o_required,
 			if (ipsec_crypto)
 				opts->port_fn_caps.value |= DEVLINK_PORT_FN_CAP_IPSEC_CRYPTO;
 			o_found |= DL_OPT_PORT_FN_CAPS;
+		} else if (dl_argv_match(dl, "ipsec_packet") &&
+			   (o_all & DL_OPT_PORT_FN_CAPS)) {
+			bool ipsec_packet;
+
+			dl_arg_inc(dl);
+			err = dl_argv_bool(dl, &ipsec_packet);
+			if (err)
+				return err;
+			opts->port_fn_caps.selector |= DEVLINK_PORT_FN_CAP_IPSEC_PACKET;
+			if (ipsec_packet)
+				opts->port_fn_caps.value |= DEVLINK_PORT_FN_CAP_IPSEC_PACKET;
+			o_found |= DL_OPT_PORT_FN_CAPS;
 		} else {
 			pr_err("Unknown option \"%s\"\n", dl_argv(dl));
 			return -EINVAL;
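Review bot: The ipsec_packet branch in dl_argv_parse repeats the ipsec_crypto branch added by patch 1 statement for statement, differing only in the keyword and the DEVLINK_PORT_FN_CAP_* bit. A small helper that takes the capability bit and performs the dl_arg_inc / dl_argv_bool / selector / value / o_found sequence would avoid adding another copy for the next capability, and would give one place to handle a repeated keyword.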
@@ -4656,7 +4668,7 @@ static void cmd_port_help(void)
 	pr_err("       devlink port unsplit DEV/PORT_INDEX\n");
 	pr_err("       devlink port function set DEV/PORT_INDEX [ hw_addr ADDR ] [ state { active | inactive } ]\n");
 	pr_err("                      [ roce { enable | disable } ] [ migratable { enable | disable } ]\n");
-	pr_err("                      [ ipsec_crypto { enable | disable } ]\n");
+	pr_err("                      [ ipsec_crypto { enable | disable } ] [ ipsec_packet { enable | disable } ]\n");
 	pr_err("       devlink port function rate { help | show | add | del | set }\n");
 	pr_err("       devlink port param set DEV/PORT_INDEX name PARAMETER value VALUE cmode { permanent | driverinit | runtime }\n");
 	pr_err("       devlink port param show [DEV/PORT_INDEX name PARAMETER]\n");
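Review bot: The usage line replaced here in cmd_port_help is replaced with the identical string in cmd_port_function_help later in this patch, so the two copies have to be kept in sync by hand. Consider sharing the `devlink port function set` usage text between the two functions. Putting `[ ipsec_packet { enable | disable } ]` on its own pr_err line, the way patch 1 added ipsec_crypto, would also turn this into a pure addition instead of a rewrite of the previous patch's line.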
@@ -4786,6 +4798,10 @@ static void pr_out_port_function(struct dl *dl, struct nlattr **tb_port)
 			print_string(PRINT_ANY, "ipsec_crypto", " ipsec_crypto %s",
 				     port_fn_caps->value & DEVLINK_PORT_FN_CAP_IPSEC_CRYPTO ?
 				     "enable" : "disable");
+		if (port_fn_caps->selector & DEVLINK_PORT_FN_CAP_IPSEC_PACKET)
+			print_string(PRINT_ANY, "ipsec_packet", " ipsec_packet %s",
+				     port_fn_caps->value & DEVLINK_PORT_FN_CAP_IPSEC_PACKET ?
+				     "enable" : "disable");
 	}
 
 	if (!dl->json_output)
@@ -4977,7 +4993,7 @@ static void cmd_port_function_help(void)
 {
 	pr_err("Usage: devlink port function set DEV/PORT_INDEX [ hw_addr ADDR ] [ state { active | inactive } ]\n");
 	pr_err("                      [ roce { enable | disable } ] [ migratable { enable | disable } ]\n");
-	pr_err("                      [ ipsec_crypto { enable | disable } ]\n");
+	pr_err("                      [ ipsec_crypto { enable | disable } ] [ ipsec_packet { enable | disable } ]\n");
 	pr_err("       devlink port function rate { help | show | add | del | set }\n");
 }
 
diff --git a/man/man8/devlink-port.8 b/man/man8/devlink-port.8
index 534d2cbe8fa9..70d8837eabc0 100644
--- a/man/man8/devlink-port.8
+++ b/man/man8/devlink-port.8
@@ -80,6 +80,9 @@ devlink-port \- devlink port configuration
 .RI "[ "
 .BR ipsec_crypto " { " enable " | " disable " }"
 .RI "]"
+.RI "[ "
+.BR ipsec_packet " { " enable " | " disable " }"
+.RI "]"
 
 .ti -8
 .BR "devlink port function rate "
@@ -230,6 +233,11 @@ Set the migratable capability of the function.
 Set the IPsec crypto offload capability of the function. Controls XFRM state
 crypto operation (Encrypt/Decrypt) offload.
 
+.TP
+.BR ipsec_packet " { " enable " | " disable  " } "
+Set the IPsec packet offload capability of the function. Controls XFRM state
+and policy offload (Encrypt/Decrypt operation and IPsec encapsulation).
+
 .ti -8
 .SS devlink port del - delete a devlink port
 .PP
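Review bot: The ipsec_packet entry does not say how it relates to the ipsec_crypto entry just above it, nor what the default is. The example output in the commit message shows `ipsec_crypto disable ipsec_packet enable`, which suggests the two capabilities are set independently, and the commit message gives the default as disabled; both facts belong in this description so that readers do not have to infer them.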
@@ -364,6 +372,11 @@ devlink port function set pci/0000:01:00.0/1 ipsec_crypto enable
 This will enable the IPsec crypto offload functionality of the function.
 .RE
 .PP
+devlink port function set pci/0000:01:00.0/1 ipsec_packet enable
+.RS 4
+This will enable the IPsec packet offload functionality of the function.
+.RE
+.PP
 devlink port function set pci/0000:01:00.0/1 hw_addr 00:00:00:11:22:33 state active
 .RS 4
 Configure hardware address and also active the function. When a function is
-- 
2.34.1



* Re: [PATCH iproute2-next V3 1/2] devlink: Support setting port function ipsec_crypto cap
  2023-10-02 10:43 ` [PATCH iproute2-next V3 1/2] devlink: Support setting port function ipsec_crypto cap Tariq Toukan
@ 2023-10-03 14:46   ` David Ahern
  2023-10-03 18:05     ` Leon Romanovsky
  0 siblings, 1 reply; 6+ messages in thread
From: David Ahern @ 2023-10-03 14:46 UTC (permalink / raw)
  To: Tariq Toukan, Stephen Hemminger
  Cc: David S. Miller, Eric Dumazet, Paolo Abeni, Jiri Pirko,
	Dima Chumak, Jakub Kicinski, Leon Romanovsky, Saeed Mahameed,
	netdev

On 10/2/23 4:43 AM, Tariq Toukan wrote:
> From: Dima Chumak <dchumak@nvidia.com>
> 
> Support port function commands to enable / disable IPsec crypto
> offloads; this is used to control the port IPsec device capabilities.
> 
> When IPsec crypto capability is disabled for a function of the port
> (default), function cannot offload IPsec operation. When enabled, IPsec
> operation can be offloaded by the function of the port.
> 
> Enabling IPsec crypto offloads lets the kernel delegate XFRM state
> processing and encrypt/decrypt operation to the device hardware.
> 
> Example of a PCI VF port which supports IPsec crypto offloads:
> 
> $ devlink port show pci/0000:06:00.0/1
>     pci/0000:06:00.0/1: type eth netdev enp6s0pf0vf0 flavour pcivf pfnum 0 vfnum 0
> 	function:
> 	hw_addr 00:00:00:00:00:00 roce enable ipsec_crypto disable
> 
> $ devlink port function set pci/0000:06:00.0/1 ipsec_crypto enable
> 
> $ devlink port show pci/0000:06:00.0/1
>     pci/0000:06:00.0/1: type eth netdev enp6s0pf0vf0 flavour pcivf pfnum 0 vfnum 0
> 	function:
> 	hw_addr 00:00:00:00:00:00 roce enable ipsec_crypto enable
> 

Why not just 'ipsec' instead of 'ipsec_crypto'? What value does the
extra '_crypto' provide?




* Re: [PATCH iproute2-next V3 1/2] devlink: Support setting port function ipsec_crypto cap
  2023-10-03 14:46   ` David Ahern
@ 2023-10-03 18:05     ` Leon Romanovsky
  0 siblings, 0 replies; 6+ messages in thread
From: Leon Romanovsky @ 2023-10-03 18:05 UTC (permalink / raw)
  To: David Ahern
  Cc: Tariq Toukan, Stephen Hemminger, David S. Miller, Eric Dumazet,
	Paolo Abeni, Jiri Pirko, Dima Chumak, Jakub Kicinski,
	Saeed Mahameed, netdev

On Tue, Oct 03, 2023 at 08:46:51AM -0600, David Ahern wrote:
> On 10/2/23 4:43 AM, Tariq Toukan wrote:
> > From: Dima Chumak <dchumak@nvidia.com>
> > 
> > Support port function commands to enable / disable IPsec crypto
> > offloads; this is used to control the port IPsec device capabilities.
> > 
> > When IPsec crypto capability is disabled for a function of the port
> > (default), function cannot offload IPsec operation. When enabled, IPsec
> > operation can be offloaded by the function of the port.
> > 
> > Enabling IPsec crypto offloads lets the kernel delegate XFRM state
> > processing and encrypt/decrypt operation to the device hardware.
> > 
> > Example of a PCI VF port which supports IPsec crypto offloads:
> > 
> > $ devlink port show pci/0000:06:00.0/1
> >     pci/0000:06:00.0/1: type eth netdev enp6s0pf0vf0 flavour pcivf pfnum 0 vfnum 0
> > 	function:
> > 	hw_addr 00:00:00:00:00:00 roce enable ipsec_crypto disable
> > 
> > $ devlink port function set pci/0000:06:00.0/1 ipsec_crypto enable
> > 
> > $ devlink port show pci/0000:06:00.0/1
> >     pci/0000:06:00.0/1: type eth netdev enp6s0pf0vf0 flavour pcivf pfnum 0 vfnum 0
> > 	function:
> > 	hw_addr 00:00:00:00:00:00 roce enable ipsec_crypto enable
> > 
> 
> Why not just 'ipsec' instead of 'ipsec_crypto'? What value does the
> extra '_crypto' provide?

There are two IPsec offloaded modes: crypto offload and packet offload.
They need to be separated and can operate independently as these modes
are per-SA/policy.

To make it more clear to users, we are using ipsec_crypto to be
explicit.

Thanks

> 
> 
> 


* Re: [PATCH iproute2-next V3 0/2] devlink: Add port function attributes for ipsec
  2023-10-02 10:43 [PATCH iproute2-next V3 0/2] devlink: Add port function attributes for ipsec Tariq Toukan
  2023-10-02 10:43 ` [PATCH iproute2-next V3 1/2] devlink: Support setting port function ipsec_crypto cap Tariq Toukan
  2023-10-02 10:43 ` [PATCH iproute2-next V3 2/2] devlink: Support setting port function ipsec_packet cap Tariq Toukan
@ 2023-10-04 15:30 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 6+ messages in thread
From: patchwork-bot+netdevbpf @ 2023-10-04 15:30 UTC (permalink / raw)
  To: Tariq Toukan
  Cc: stephen, dsahern, davem, edumazet, pabeni, jiri, dchumak, kuba,
	leonro, saeedm, netdev

Hello:

This series was applied to iproute2/iproute2-next.git (main)
by David Ahern <dsahern@kernel.org>:

On Mon, 2 Oct 2023 13:43:47 +0300 you wrote:
> Hi,
> Please, see kernel series [1] for the overview of these changes.
> 
> [1] https://lore.kernel.org/netdev/20230825062836.103744-1-saeed@kernel.org/
> 
> Regards,
> Tariq
> 
> [...]

Here is the summary with links:
  - [iproute2-next,V3,1/2] devlink: Support setting port function ipsec_crypto cap
    https://git.kernel.org/pub/scm/network/iproute2/iproute2-next.git/commit/?id=27fd1bfa1b5f
  - [iproute2-next,V3,2/2] devlink: Support setting port function ipsec_packet cap
    https://git.kernel.org/pub/scm/network/iproute2/iproute2-next.git/commit/?id=994e80e9c9fb

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


